From b48f08ea8e1b19e1c05096e6187b4bfb56567e47 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 8 Dec 2021 15:59:59 +0100 Subject: ci: buildbot-classic -> buildbot; cleanup --- krebs/2configs/buildbot-stockholm.nix | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'krebs/2configs') diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 43a38a9f8..9fc6a79e5 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -6,11 +6,13 @@ enable = true; virtualHosts.build = { serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ]; - locations."/".extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port}; - ''; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.buildbot-master.port}"; + proxyWebsockets = true; + extraConfig = '' + proxy_read_timeout 3600s; + ''; + }; }; }; krebs.ci = { @@ -18,25 +20,20 @@ repos = { disko.urls = [ "http://cgit.gum.r/disko" - "http://cgit.hotdog.r/disko" "http://cgit.ni.r/disko" "http://cgit.prism.r/disko" ]; krops.urls = [ - "http://cgit.hotdog.r/krops" "http://cgit.ni.r/krops" "http://cgit.prism.r/krops" "https://github.com/krebs/krops.git" ]; nix_writers.urls = [ - "http://cgit.hotdog.r/nix-writers" "http://cgit.ni.r/nix-writers" "http://cgit.prism.r/nix-writers" ]; stockholm.urls = [ - "http://cgit.enklave.r/stockholm" "http://cgit.gum.r/stockholm" - "http://cgit.hotdog.r/stockholm" "http://cgit.ni.r/stockholm" "http://cgit.prism.r/stockholm" ]; -- cgit v1.2.3 From 3f6219e251aba6a67cbfea14a070e746c9320162 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 8 Dec 2021 08:50:32 +0100 Subject: users: add xkey ssh key, use for logging into puyak --- krebs/2configs/shack/ssh-keys.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/2configs') diff --git a/krebs/2configs/shack/ssh-keys.nix b/krebs/2configs/shack/ssh-keys.nix index 50bb93809..80957f3a5 100644 --- a/krebs/2configs/shack/ssh-keys.nix +++ b/krebs/2configs/shack/ssh-keys.nix @@ -7,6 +7,7 @@ config.krebs.users.raute.pubkey config.krebs.users.ulrich.pubkey config.krebs.users.xq.pubkey + config.krebs.users.xkey.pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDb9NPa2Hf51afcG1H13UPbE5E02J8aC9a1sGCRls592wAVlQbmojYR1jWDPA2m32Bsyv0ztqi81zDyndWWZPQVJVBk00VjYBcgk6D5ifqoAuWLzfuHJPWZGOvBf/U74/LNFNUkj1ywjneK7HYTRPXrRBBfBSQNmQzkvue7s599L2vdueZKyjNsMpx2m6nm2SchaMuDskSQut/168JgU1l4M8BeT68Bo4WdelhBYnhSI1a59FGkgdu2SCjyighLQRy2sOH3ksnkHWENPkA+wwQOlKl7R3DsEybrNd4NU9FSwFDyDmdhfv5gJp8UGSFdjAwx43+8zM5t5ruZ25J0LnVb0PuTuRA00UsW83MkLxFpDQLrQV08tlsY6iGrqxP67C3VJ6t4v6oTp7/vaRLhEFc1PhOLh+sZ18o8MLO+e2rGmHGHQnSKfBOLUvDMGa4jb01XBGjdnIXLOkVo79YR5jZn7jJb2gTZ95OD6bWSDADoURSuwuLa7kh4ti1ItAKuhkIvbuky3rRVvQEc92kJ6aNUswIUXJa0K2ibbIY6ycKAA3Ljksl3Mm9KzOn6yc/i/lSF+SOrTGhabPJigKkIoqKIwnV5IU3gkfsxPQJOBMPqHDGAOeYQe3WpWedEPYuhQEczw4exMb9TkNE96F71PzuQPJDl5sPAWyPLeMKpy5XbfRiF2by4nxN3ZIQvjtoyVkjNV+qM0q0yKBzLxuRAEQOZ2yCEaBudZQkQiwHD97H2vu4SRQ/2aOie1XiOnmdbQRDZSO3BsoDK569K1w+gDfSnqY7zVUMj6tw+uKx6Gstck5lbvYMtdWKsfPv/pDM8eyIVFLL93dKTX+ertcQj6xDwLfOiNubE5ayFXhYkjwImV6NgfBuq+3hLK0URP2rPlOZbbZTQ0WlKD6CCRZPMSZCU9oD2zYfqpvRArBUcdkAwGePezORkfJQLE6mYEJp6pdFkJ/IeFLbO6M0lZVlfnpzAC9kjjkMCRofZUETcFSppyTImCbgo3+ok59/PkNU5oavBXyW80ue2tWHr08HX/QALNte3UITmIIlU6SFMCPMWJqadK1eDPWfJ4H4iDXRNn3D5wqN++iMloKvpaj0wieqXLY4+YfvNTNr177OU48GEWW8DnoEkbpwsCbjPxznGDQhdDqdYyMY/fDgRQReKITvKYGHRzesGysw5cKsp9LEfXD0R6WE2TeiiENla5AWzTgXJB0AyZEcOiIfqOgT9Nr9S8q5gc/BdA7P+jhGGJgEHhV3dVlfIZ7pmZc27Yu7UTQ0lbAKWqcMSTOdne+QL6ILzbvLrQwdvax4tQdm5opfU16SrOox1AMwAbkdq84z6uJqYVx3cUXfMJgTyDNrVv3or root@plattenschwein" # for backup "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Lx5MKtVjB/Ef6LpEiIAgVwY5xKQFdHuLQR+odQO4cAgxj1QaIXGN0moixY52DebVQhAtiCNiFZ83uJyOj8kmu30yuXwtSOQeqziA859qMJKZ4ZcYdKvbXwnf2Chm5Ck/0FvtpjTWHIZAogwP1wQto/lcqHOjrTAnZeJfQuHTswYUSnmUU5zdsEZ9HidDPUc2Gv0wkBNd+KMQyOZl0HkaxHWvn0h4KK4hYZisOpeTfXJxD87bo+Eg4LL2vvnHW6dF6Ygrbd/0XRMsRRI8OAReVBUoJn7IE1wwAl/FpblNmhaF9hlL7g7hR1ADvaWMMw0e8SSzW6Y+oIa8qFQL6wR1 gitlab-builder" # for being deployed by gitlab ci ]; -- cgit v1.2.3 From e5fc654f50e2b99bcae186962b29c8754f382f3b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Dec 2021 11:21:06 +0100 Subject: add ACME ca via ca.r --- krebs/2configs/acme.nix | 65 ++++++++++++++++++++++++++++++++++++++++++++++ krebs/2configs/default.nix | 3 +++ 2 files changed, 68 insertions(+) create mode 100644 krebs/2configs/acme.nix (limited to 'krebs/2configs') diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix new file mode 100644 index 000000000..b5e51a1a2 --- /dev/null +++ b/krebs/2configs/acme.nix @@ -0,0 +1,65 @@ +# generate intermediate certificate with generate-krebs-intermediate-ca +{ config, lib, pkgs, ... }: let + domain = "ca.r"; +in { + security.acme = { + acceptTerms = true; # kinda pointless since we never use upstream + email = "spam@krebsco.de"; + certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop + }; + services.nginx = { + enable = true; + recommendedProxySettings = true; + virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "https://localhost:1443"; + }; + }; + }; + krebs.secret.files.krebsAcme = { + path = "/var/lib/step-ca/intermediate_ca.key"; + owner.name = "root"; + mode = "1444"; + source-path = builtins.toString + "/acme_ca.key"; + }; + services.step-ca = { + enable = true; + intermediatePasswordFile = "/dev/null"; + address = "0.0.0.0"; + port = 1443; + settings = { + root = pkgs.writeText "root.crt" config.krebs.ssl.rootCA; + crt = pkgs.writeText "intermediate.crt" config.krebs.ssl.intermediateCA; + key = "/var/lib/step-ca/intermediate_ca.key"; + dnsNames = [ domain ]; + logger.format = "text"; + db = { + type = "badger"; + dataSource = "/var/lib/step-ca/db"; + }; + authority = { + provisioners = [{ + type = "ACME"; + name = "acme"; + forceCN = true; + }]; + claims = { + maxTLSCertDuration = "2160h"; + defaultTLSCertDuration = "2160h"; + }; + backdate = "1m0s"; + }; + tls = { + cipherSuites = [ + "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" + ]; + minVersion = 1.2; + maxVersion = 1.3; + renegotiation = false; + }; + }; + }; +} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 8a84d4465..ad77e6581 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -16,6 +16,9 @@ with import ; krebs.enable = true; krebs.tinc.retiolum.enable = mkDefault true; + # trust krebs ACME CA + krebs.ssl.trustIntermediate = true; + krebs.build.user = mkDefault config.krebs.users.krebs; networking.hostName = config.krebs.build.host.name; -- cgit v1.2.3 From 8e66a4ff652a28851b13c798f3b69248b029ac7e Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Dec 2021 11:26:57 +0100 Subject: wiki: add host proxy_header --- krebs/2configs/wiki.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/2configs') diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index 9a18b8dff..9952ed394 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -46,6 +46,7 @@ in locations."/".extraConfig = '' proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; proxy_pass http://127.0.0.1:${toString config.services.gollum.port}; ''; }; -- cgit v1.2.3 From 08cdf8a6d50da48bf87f7bb7a40bbb4d94c9c7df Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Dec 2021 14:12:03 +0100 Subject: remove hardcoded ca-bundle --- krebs/2configs/default.nix | 7 ------- 1 file changed, 7 deletions(-) (limited to 'krebs/2configs') diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index ad77e6581..9200d41fe 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -4,13 +4,6 @@ with import ; { imports = [ ./backup.nix - (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { - environment.variables = { - CURL_CA_BUNDLE = ca-bundle; - GIT_SSL_CAINFO = ca-bundle; - SSL_CERT_FILE = ca-bundle; - }; - }) ]; krebs.announce-activation.enable = true; krebs.enable = true; -- cgit v1.2.3 From fba330ab36ed3f0c5f5b01a1c434ed9e8281846a Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Dec 2021 14:30:25 +0100 Subject: wiki.r: add acme ssl config --- krebs/2configs/wiki.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'krebs/2configs') diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index 9952ed394..e7faca1f4 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -38,11 +38,13 @@ in systemd.services.gollum.environment.LC_ALL = "en_US.UTF-8"; - networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; + security.acme.certs."wiki.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; - virtualHosts.wiki = { - serverAliases = [ "wiki.r" "wiki.${config.networking.hostName}.r" ]; + virtualHosts."wiki.r" = { + enableACME = true; + addSSL = true; locations."/".extraConfig = '' proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; -- cgit v1.2.3 From abd82c4faf8a882c72f4f19125a280d8d14f852f Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Dec 2021 14:52:35 +0100 Subject: ca.r: serve ca.crt via nginx --- krebs/2configs/acme.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'krebs/2configs') diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index b5e51a1a2..056aa7ae4 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -7,15 +7,17 @@ in { email = "spam@krebsco.de"; certs.${domain}.server = "https://${domain}:1443/acme/acme/directory"; # use 1443 here cause bootstrapping loop }; + networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx = { enable = true; recommendedProxySettings = true; virtualHosts.${domain} = { - forceSSL = true; + addSSL = true; enableACME = true; locations."/" = { proxyPass = "https://localhost:1443"; }; + locations."= /ca.crt".alias = ../6assets/krebsAcmeCA.crt; }; }; krebs.secret.files.krebsAcme = { -- cgit v1.2.3 From 9841e402e2692a6eb37d5a5b89a53474168af590 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 10 Dec 2021 10:13:49 +0100 Subject: wiki.r: listen on localhost, fix http redirect --- krebs/2configs/wiki.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'krebs/2configs') diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index e7faca1f4..aa6948269 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -29,6 +29,7 @@ in { services.gollum = { enable = true; + address = "::"; extraConfig = '' Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1| system('${pushCgit}') @@ -45,12 +46,13 @@ in virtualHosts."wiki.r" = { enableACME = true; addSSL = true; - locations."/".extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_pass http://127.0.0.1:${toString config.services.gollum.port}; - ''; + locations."/" = { + proxyPass = "http://[::]:${toString config.services.gollum.port}"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + ''; + }; }; }; -- cgit v1.2.3 From 6b59b7972a901dcbb3cb5c1aeac4616a5a94ba7b Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 10 Dec 2021 18:09:44 +0100 Subject: wiki: listen gollum on localhost only --- krebs/2configs/wiki.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'krebs/2configs') diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index aa6948269..40d946f7d 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -29,7 +29,7 @@ in { services.gollum = { enable = true; - address = "::"; + address = "::1"; extraConfig = '' Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1| system('${pushCgit}') @@ -47,7 +47,7 @@ in enableACME = true; addSSL = true; locations."/" = { - proxyPass = "http://[::]:${toString config.services.gollum.port}"; + proxyPass = "http://[::1]:${toString config.services.gollum.port}"; proxyWebsockets = true; extraConfig = '' proxy_set_header Host $host; -- cgit v1.2.3