Merge remote-tracking branch 'orange/master'

This commit is contained in:
tv 2024-01-06 12:38:08 +01:00
commit 1e1e751fa4
18 changed files with 90 additions and 102 deletions


@ -18,11 +18,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1693844670, "lastModified": 1702151865,
"narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1", "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -16,9 +16,11 @@
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs.stockholm = self; specialArgs.stockholm = self;
specialArgs.nix-writers = nix-writers; specialArgs.nix-writers = nix-writers;
specialArgs.secrets = nixpkgs.lib.mkDefault (toString ./krebs/0tests/data/secrets);
modules = [ modules = [
./krebs/1systems/${machineName}/config.nix ./krebs/1systems/${machineName}/config.nix
{
krebs.secret.directory = "/var/src/secrets";
}
]; ];
}) (builtins.readDir ./krebs/1systems); }) (builtins.readDir ./krebs/1systems);
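Review bot: The added inline module sets `krebs.secret.directory = "/var/src/secrets";` with a plain assignment, while the `specialArgs.secrets` line it appears to replace used `nixpkgs.lib.mkDefault`; a host config under `./krebs/1systems/` that sets `krebs.secret.directory` itself now fails with a conflicting-definition error instead of overriding the fleet default. `krebs.secret.directory = nixpkgs.lib.mkDefault "/var/src/secrets";` keeps the previous override behaviour. Which side each line belongs to is not marked on this page; the assignment is read from the hunk counts and the matching braces. The enclosing expression begins before the hunk.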


@ -87,7 +87,6 @@ in {
"irc.r" "irc.r"
"wiki.r" "wiki.r"
]; ];
tinc.port = 0;
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
@ -114,7 +113,6 @@ in {
"go.r" "go.r"
"rss.r" "rss.r"
]; ];
tinc.port = 0;
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN PUBLIC KEY----- -----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
@ -225,7 +223,6 @@ in {
"build.puyak.r" "build.puyak.r"
"cgit.puyak.r" "cgit.puyak.r"
]; ];
tinc.port = 0;
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955 MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955


@ -692,15 +692,15 @@ in {
aliases = [ "adelaide.r" ]; aliases = [ "adelaide.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzxKKd1dV+XDUV8pHqkAtbLcwEZVsf0kK+y5X/zbZcXEZhQQv6/dY MIIBCgKCAQEAp17cmCeFBu+WLKuhQQmYy3iVm/Vd42T7WA+WPaMDpejpf4hNFl8D
YJRoNG3lo8+7FMwYO2b2uyIkO1PopsORMAA2vIFaKJ2Qnt7byuIQ6n9CafIADx1M MYtLjEo44oOHKE95UK+CfEKjvY+XIYgr/TfXPXPbTfeUNlhwy/anK9Aek4tX/V3z
dVf+cwUhY8IVIX2ndz9pIAY8NhmzEcjG5vGKxRqev1zNwa1LtsLDLObhkKYznM6y dkS139Tp9ffDq8jUkiITaIXBpMzWC8Pc+hvAUwOyq80YII2Xp+K7+vhpdXKP6Zo0
HV5F92GONMeNOovHCxIYsSJ8jLn8BB60toADzocgzKvCiEw4IwKnzL/au9RGY4Xi eFd15nCWBhx2LBxnFSE+JT/bpuC4GdGhzAsafjnoR9Jl8kJ/wjIhI/b3j4l6udFq
25YXBzF5ai84e+HyaGGGD/qa4SqL9/jCkDB7QAwRqb01wGhtTLty+ubjzh1HF3am Pn+/1z8mmb2LGkTg4cEUDWd86CCtkYVQW5/E0fHWFzUWStl/f1hEOENU4Cqy7GaD
zpizPVNwBTqHW1S3W1i/yi5a5w4D/zdrRQIDAQAB ytioO8RI0ENZOdHZiy6vFnhPFG5Er2t4jQIDAQAB
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
tinc.pubkey_ed25519 = "YzB5BqgIQ4f209B2KhpdHu6gRYj5IS64zy1wneq/yiG"; tinc.pubkey_ed25519 = "FBuLCjr31Z8ijUNAgzMHeuzyKUP9zvHLijtQKBouxPO";
}; };
}; };
}; };
@ -993,15 +993,15 @@ in {
aliases = [ "vislor.r" ]; aliases = [ "vislor.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAnAIEtqtJzQmhAOLMDOp6LvlMoElNezeFarvZ6LshbZbLPL7Mv2Iy MIIBCgKCAQEAzMOrwiMFgDbITQEnXBJev4bSprV2Hg04xuEUmdoMJB4OJdBrWY7G
buEoduzGNlqUbqEypsv7pQBSqw4Kqn9jMnpk8EpPiLiqIaBJeGqS1eIHi4DdRIyC 71aHXtAjBqJqRYbvSoRPa+jQcpqRHNdNctfE1wq3nUkOYSM0OHGoFwb3kfybh+vu
wwOgAqbc0e55LGSRyLS2GgbzD3kHh0UgVF2/MM01r4l53w8ftSJwR5dL6tpKnfgm flmAY75ZlVRz3srITjMADpHeiuAEOmGPmlbLiUY09I2qjcaSzYYsTiGnyWSp95tL
wjc8hwQtxen+zym2RJV7E+YPKg2t/ZGTJZbgk54/19l5Eeb18xxfTyxBNdUWBBCo g3CRqiC4kj4fM0B7lCp/dz/iXDvqWEgoGEQH34x4xIIToA+DkHX5/2NAl4aaiq9m
vnR/h2gfCZnmsj4UiSor+z+00eaDyespfjLw3X7XQkCdlfgx0BVfhXH2RGOtdH+P JQ8YCz5qBox3nD6W6bwwsEyG4vOHNcCLHBdVLEbfUFHM8XDjF3dJZ+RjCYxdiEjM
AdnLFg7OfGh9V8zAiOC7jyuCrlbh0q0QoQIDAQAB dZUckPeLf/8XDkNMZm1eKMIJBvcH3UESLQIDAQAB
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
tinc.pubkey_ed25519 = "PqpTiIldNgPTKQVnouiGNo8mX0wqSVtg9al6ve/sj2E"; tinc.pubkey_ed25519 = "ZMFZ4fd75fh2OLg/SuiTsavs013E2tUaCDqX76LPI6K";
}; };
}; };
}; };


@ -4,6 +4,7 @@
imports = [ imports = [
../../../krebs ../../../krebs
../../../krebs/2configs ../../../krebs/2configs
../../../krebs/2configs/nginx.nix
../../../krebs/2configs/buildbot-stockholm.nix ../../../krebs/2configs/buildbot-stockholm.nix
../../../krebs/2configs/binary-cache/nixos.nix ../../../krebs/2configs/binary-cache/nixos.nix


@ -14,6 +14,7 @@
]; ];
krebs.build.host = config.krebs.hosts.news; krebs.build.host = config.krebs.hosts.news;
krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
boot.isContainer = true; boot.isContainer = true;
networking.useDHCP = lib.mkForce true; networking.useDHCP = lib.mkForce true;


@ -8,7 +8,17 @@ with import ../../lib/pure.nix { inherit lib; };
]; ];
krebs.announce-activation.enable = true; krebs.announce-activation.enable = true;
krebs.enable = true; krebs.enable = true;
krebs.tinc.retiolum.enable = mkDefault true;
# retiolum
krebs.tinc.retiolum = {
enable = mkDefault true;
extraConfig = ''
AutoConnect = yes
LocalDiscovery = yes
'';
};
networking.firewall.allowedTCPPorts = [ 655 ];
networking.firewall.allowedUDPPorts = [ 655 ];
# trust krebs ACME CA # trust krebs ACME CA
krebs.ssl.trustIntermediate = true; krebs.ssl.trustIntermediate = true;
@ -52,6 +62,7 @@ with import ../../lib/pure.nix { inherit lib; };
config.krebs.users.makefu.pubkey config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey config.krebs.users.tv.pubkey
config.krebs.users.kmein.pubkey config.krebs.users.kmein.pubkey
config.krebs.users.mic92.pubkey
]; ];
# The NixOS release to be compatible with for stateful data such as databases. # The NixOS release to be compatible with for stateful data such as databases.
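Review bot: `networking.firewall.allowedTCPPorts = [ 655 ];` and its UDP twin open tinc's port on every host importing this default config, hard-coded and unconditional, although `krebs.tinc.retiolum.enable` is only `mkDefault true` and the host registry carries a per-host `tinc.port` option (three `tinc.port = 0;` definitions are dropped elsewhere in this commit). A host that disables retiolum keeps a stale hole and a host with a non-default port gets a closed one; gating the rule, e.g. `networking.firewall.allowedTCPPorts = mkIf config.krebs.tinc.retiolum.enable [ 655 ];` (assuming pure.nix exposes `mkIf` the way it exposes `mkDefault`), and reading the port option instead of repeating 655 would keep firewall and tinc in step. `LocalDiscovery = yes` makes tinc probe the local broadcast domain for peers, which is worth a one-line comment since it is a behaviour change for every host. Adding `config.krebs.users.mic92.pubkey` to the key list in the second hunk grants one more user login fleet-wide; the list's owner starts outside the hunk, so the commit description should say which account it is.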


@ -5,19 +5,12 @@
virtualHosts."social.krebsco.de" = { virtualHosts."social.krebsco.de" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
acmeFallbackHost = "hotdog.r";
locations."/" = { locations."/" = {
# TODO use this in 22.11 # TODO use this in 22.11
# recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "http://hotdog.r"; proxyPass = "https://hotdog.r";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
'';
}; };
}; };
}; };
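Review bot: `proxyPass = "https://hotdog.r";` moves the upstream hop to TLS, but nginx does not verify upstream certificates unless `proxy_ssl_verify on;` plus a `proxy_ssl_trusted_certificate` are set, so this encrypts the retiolum leg without authenticating the backend; and because the backend's certificate for this name now comes from the Let's Encrypt staging endpoint (see the mastodon config in this commit), verification against the public roots could not be switched on anyway. If the https hop is wanted, add the two verification directives in `extraConfig` pointing at the CA the backend really uses, and say in a comment why the VPN alone is not considered enough. Separately, `# TODO use this in 22.11` is now stale above the enabled `recommendedProxySettings = true;` and should be dropped. The vhost definition begins before the hunk.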


@ -3,7 +3,7 @@
services.postgresql = { services.postgresql = {
enable = true; enable = true;
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}"; dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
package = pkgs.postgresql_11; package = pkgs.postgresql_16;
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/state/postgresql 0700 postgres postgres -" "d /var/state/postgresql 0700 postgres postgres -"
@ -13,23 +13,17 @@
enable = true; enable = true;
localDomain = "social.krebsco.de"; localDomain = "social.krebsco.de";
configureNginx = true; configureNginx = true;
streamingProcesses = 3;
trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr; trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
smtp.createLocally = false; smtp.createLocally = false;
smtp.fromAddress = "derp"; smtp.fromAddress = "derp";
}; };
services.nginx.virtualHosts.${config.services.mastodon.localDomain} = { security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
forceSSL = lib.mkForce false;
enableACME = lib.mkForce false;
locations."@proxy".extraConfig = ''
proxy_redirect off;
proxy_pass_header Server;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
'';
};
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443
]; ];
environment.systemPackages = [ environment.systemPackages = [
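Review bot: `package = pkgs.postgresql_16;` together with `dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}"` means the service will initdb a fresh, empty cluster under a new `16` directory on the next activation while the existing data stays in the `11` directory, so mastodon comes up against an empty database unless the cluster was migrated out of band. A comment on the package line, e.g. `# major upgrade: dataDir is keyed by psqlSchema, migrate the old cluster (pg_upgrade or dump/restore) before switching`, would record that. The new `security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";` issues a certificate no client trusts, which is acceptable only while hotdog.r is reached exclusively through the prism proxy; that assumption deserves a one-line comment next to it. The enclosing attribute set starts before the hunk.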

krebs/2configs/nginx.nix Normal file

@ -0,0 +1,24 @@
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults.email = "spam@krebsco.de";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
enableReload = true;
virtualHosts.default = {
default = true;
locations."= /etc/os-release".extraConfig = ''
default_type text/plain;
alias /etc/os-release;
'';
# needed for acmeFallback in sync-containers, or other machines not reachable globally
locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
};
};
}
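Review bot: The `locations."= /etc/os-release"` location on the catch-all vhost (`default = true`) serves the host's `/etc/os-release` — the exact NixOS release and build — to any unauthenticated client on port 80, which this file also opens in the firewall, wherever the file is imported, including hosts with a public address. If the endpoint is meant for internal inventory, restrict it with nginx `allow`/`deny` directives in the same `extraConfig` to the networks that need it, or add a comment stating that public exposure is intended. `security.acme.acceptTerms = true;` and the default email likewise apply to every importing host; a header comment naming the file as the fleet-wide nginx baseline would make that explicit.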


@ -526,6 +526,8 @@ in {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
''; '';
# needed for acmeFallback in sync-containers, or other machines not reachable globally
locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
}; };
services.nginx.virtualHosts."bedge.r" = { services.nginx.virtualHosts."bedge.r" = {
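Review bot: The added `locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";` and its comment are the same two lines the new `krebs/2configs/nginx.nix` puts on its default vhost; two copies invite drift, since a changed path in one place silently breaks ACME fallback in the other. Consider defining the location once and referencing it from both vhosts. The vhost this hunk belongs to starts outside the hunk.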


@ -155,7 +155,7 @@ in {
# echo 'container is reachable, continueing' # echo 'container is reachable, continueing'
continue continue
else else
# echo 'container seems dead, killing' echo 'container seems dead, killing'
break break
fi fi
else else
@ -249,6 +249,11 @@ in {
ExecStop = pkgs.writers.writeDash "remove_interface" '' ExecStop = pkgs.writers.writeDash "remove_interface" ''
${pkgs.iproute2}/bin/ip link del vb-${ctr.name} ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
''; '';
ExecStartPost = [
(pkgs.writers.writeDash "bind-to-bridge" ''
${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
'')
];
}; };
}; } }; }
]) (lib.attrValues cfg.containers))); ]) (lib.attrValues cfg.containers)));
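Review bot: The new `ExecStartPost` script refers to `$INSTANCE` while the `ExecStop` script two lines above names the same interface as `vb-${ctr.name}` through Nix interpolation; unless this unit is a systemd template instance (the unit name lies outside the hunk), `$INSTANCE` expands to nothing at runtime, `ip link set "vb-" master ctr0` fails, and as an ExecStartPost that fails the whole start. Using the interpolated name in both scripts removes the dependency on the unit type: `${pkgs.iproute2}/bin/ip link set vb-${ctr.name} master ctr0`. The enclosing service definition begins before the hunk.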


@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB MIICWjCCAcOgAwIBAgIRAOACUgvw++4VwgQ7Iu1/iRkwDQYJKoZIhvcNAQELBQAw
gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl gYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3MxEDAOBgNVBAoMB0ty
YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq ZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBSb290IENBMScwJQYJ
hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2 KoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUwHhcNMjMxMjA2MjAy
MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT NTI1WhcNMjQxMjA1MjAyNTI1WjAYMRYwFAYDVQQDEw1LcmVicyBBQ01FIENBMFkw
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESHiqfjJYhLvY9pBWVi5gwDmZQ65F5KGV
qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD GSkOprlw4TJguHr6ToSC9MErHhDb80kyidcjWDi2WTJX1zg/OmTv2qOBgDB+MA4G
VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTSCUQO
SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv B5ICY1kqFPQ299+Kn6zr8TAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGV
MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt LzAYBgNVHR4BAf8EDjAMoAowA4IBcjADggF3MA0GCSqGSIb3DQEBCwUAA4GBAMY3
XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4 hXVyUAYfNw+sb5NLZKkp5/Uu9ehcmVJV/CkWm5BKyEFsdCJ3PL5rnpockxNrOTy1
20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9 /y0IWZ4UaV2jqVibKOTt3FWax1BHXuTBMSirAIKYdUnT969KTTs0atrDYYh1bBzy
MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc= YIxiIU+Be343LFI5HTNewAyK2SYUO0QP0BkGUUGD
-----END CERTIFICATE----- -----END CERTIFICATE-----
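Review bot: Decoding the validity fields of the replaced certificate suggests the old intermediate ran from 2022-12-06 to 2023-12-06 and the new one from 2023-12-06 to 2024-12-05, so hosts trusting it via `krebs.ssl.trustIntermediate` carried an expired issuer for about a month before this merge. A one-year intermediate needs a recorded renewal date; since the PEM cannot carry a comment, note the expiry and the rotation procedure next to the option that installs it. Confirm the dates with `openssl x509 -noout -dates` before relying on them.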


@ -10,8 +10,8 @@
krebs-source = { test ? false }: rec { krebs-source = { test ? false }: rec {
nixpkgs = if test then { nixpkgs = if test then {
derivation = let derivation = let
rev = (lib.importJSON ./nixpkgs.json).rev; rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
sha256 = (lib.importJSON ./nixpkgs.json).sha256; sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;
in '' in ''
with import (builtins.fetchTarball { with import (builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
@ -26,8 +26,8 @@
''; '';
} else { } else {
git = { git = {
ref = (lib.importJSON ./nixpkgs.json).rev; ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
url = https://github.com/NixOS/nixpkgs; url = "https://github.com/NixOS/nixpkgs";
shallow = true; shallow = true;
}; };
}; };
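Review bot: `sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;` now supplies an SRI string (`sha256-…=`) where the deleted nixpkgs.json supplied a base32 digest; whether the `builtins.fetchTarball` argument that consumes it (its `sha256 =` line lies beyond the hunk) accepts SRI depends on the Nix version, so confirm it on the oldest Nix that evaluates this and leave a comment with the result. The lock file is parsed three times across the two hunks; a single `lock = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked;` binding would read it once and keep `rev` and `narHash` from drifting apart. The enclosing `krebs-source` function begins before the first hunk.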


@ -1,12 +0,0 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b",
"date": "2023-09-01T18:51:16+08:00",
"path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs",
"sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9",
"hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
}


@ -1,12 +0,0 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1",
"date": "2023-09-02T08:28:47+02:00",
"path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs",
"sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36",
"hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
}


@ -1,9 +0,0 @@
#!/bin/sh
dir=$(dirname $0)
oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--url https://github.com/NixOS/nixpkgs \
--rev refs/heads/nixos-unstable' \
> $dir/nixpkgs-unstable.json
newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
git commit $dir/nixpkgs-unstable.json -m "nixpkgs-unstable: $oldrev -> $newrev"


@ -1,9 +0,0 @@
#!/bin/sh
dir=$(dirname $0)
oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--url https://github.com/NixOS/nixpkgs \
--rev refs/heads/nixos-23.05' \
> $dir/nixpkgs.json
newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"