Merge remote-tracking branch 'lass/master'
commit
9b553ebec7
|
@ -18,11 +18,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1693844670,
|
"lastModified": 1702151865,
|
||||||
"narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=",
|
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1",
|
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -87,7 +87,6 @@ in {
|
||||||
"irc.r"
|
"irc.r"
|
||||||
"wiki.r"
|
"wiki.r"
|
||||||
];
|
];
|
||||||
tinc.port = 0;
|
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
|
MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
|
||||||
|
@ -114,7 +113,6 @@ in {
|
||||||
"go.r"
|
"go.r"
|
||||||
"rss.r"
|
"rss.r"
|
||||||
];
|
];
|
||||||
tinc.port = 0;
|
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
|
||||||
|
@ -225,7 +223,6 @@ in {
|
||||||
"build.puyak.r"
|
"build.puyak.r"
|
||||||
"cgit.puyak.r"
|
"cgit.puyak.r"
|
||||||
];
|
];
|
||||||
tinc.port = 0;
|
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
|
MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
|
||||||
|
|
|
@ -692,15 +692,15 @@ in {
|
||||||
aliases = [ "adelaide.r" ];
|
aliases = [ "adelaide.r" ];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
MIIBCgKCAQEAzxKKd1dV+XDUV8pHqkAtbLcwEZVsf0kK+y5X/zbZcXEZhQQv6/dY
|
MIIBCgKCAQEAp17cmCeFBu+WLKuhQQmYy3iVm/Vd42T7WA+WPaMDpejpf4hNFl8D
|
||||||
YJRoNG3lo8+7FMwYO2b2uyIkO1PopsORMAA2vIFaKJ2Qnt7byuIQ6n9CafIADx1M
|
MYtLjEo44oOHKE95UK+CfEKjvY+XIYgr/TfXPXPbTfeUNlhwy/anK9Aek4tX/V3z
|
||||||
dVf+cwUhY8IVIX2ndz9pIAY8NhmzEcjG5vGKxRqev1zNwa1LtsLDLObhkKYznM6y
|
dkS139Tp9ffDq8jUkiITaIXBpMzWC8Pc+hvAUwOyq80YII2Xp+K7+vhpdXKP6Zo0
|
||||||
HV5F92GONMeNOovHCxIYsSJ8jLn8BB60toADzocgzKvCiEw4IwKnzL/au9RGY4Xi
|
eFd15nCWBhx2LBxnFSE+JT/bpuC4GdGhzAsafjnoR9Jl8kJ/wjIhI/b3j4l6udFq
|
||||||
25YXBzF5ai84e+HyaGGGD/qa4SqL9/jCkDB7QAwRqb01wGhtTLty+ubjzh1HF3am
|
Pn+/1z8mmb2LGkTg4cEUDWd86CCtkYVQW5/E0fHWFzUWStl/f1hEOENU4Cqy7GaD
|
||||||
zpizPVNwBTqHW1S3W1i/yi5a5w4D/zdrRQIDAQAB
|
ytioO8RI0ENZOdHZiy6vFnhPFG5Er2t4jQIDAQAB
|
||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
tinc.pubkey_ed25519 = "YzB5BqgIQ4f209B2KhpdHu6gRYj5IS64zy1wneq/yiG";
|
tinc.pubkey_ed25519 = "FBuLCjr31Z8ijUNAgzMHeuzyKUP9zvHLijtQKBouxPO";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -993,15 +993,15 @@ in {
|
||||||
aliases = [ "vislor.r" ];
|
aliases = [ "vislor.r" ];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
MIIBCgKCAQEAnAIEtqtJzQmhAOLMDOp6LvlMoElNezeFarvZ6LshbZbLPL7Mv2Iy
|
MIIBCgKCAQEAzMOrwiMFgDbITQEnXBJev4bSprV2Hg04xuEUmdoMJB4OJdBrWY7G
|
||||||
buEoduzGNlqUbqEypsv7pQBSqw4Kqn9jMnpk8EpPiLiqIaBJeGqS1eIHi4DdRIyC
|
71aHXtAjBqJqRYbvSoRPa+jQcpqRHNdNctfE1wq3nUkOYSM0OHGoFwb3kfybh+vu
|
||||||
wwOgAqbc0e55LGSRyLS2GgbzD3kHh0UgVF2/MM01r4l53w8ftSJwR5dL6tpKnfgm
|
flmAY75ZlVRz3srITjMADpHeiuAEOmGPmlbLiUY09I2qjcaSzYYsTiGnyWSp95tL
|
||||||
wjc8hwQtxen+zym2RJV7E+YPKg2t/ZGTJZbgk54/19l5Eeb18xxfTyxBNdUWBBCo
|
g3CRqiC4kj4fM0B7lCp/dz/iXDvqWEgoGEQH34x4xIIToA+DkHX5/2NAl4aaiq9m
|
||||||
vnR/h2gfCZnmsj4UiSor+z+00eaDyespfjLw3X7XQkCdlfgx0BVfhXH2RGOtdH+P
|
JQ8YCz5qBox3nD6W6bwwsEyG4vOHNcCLHBdVLEbfUFHM8XDjF3dJZ+RjCYxdiEjM
|
||||||
AdnLFg7OfGh9V8zAiOC7jyuCrlbh0q0QoQIDAQAB
|
dZUckPeLf/8XDkNMZm1eKMIJBvcH3UESLQIDAQAB
|
||||||
-----END RSA PUBLIC KEY-----
|
-----END RSA PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
tinc.pubkey_ed25519 = "PqpTiIldNgPTKQVnouiGNo8mX0wqSVtg9al6ve/sj2E";
|
tinc.pubkey_ed25519 = "ZMFZ4fd75fh2OLg/SuiTsavs013E2tUaCDqX76LPI6K";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
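--- a/kartei/tv/hosts/fu.nix
+++ b/kartei/tv/hosts/fu.nix
@@ -0,0 +1,24 @@
+{
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.44";
+aliases = [
+"fu.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA7zwE/2k+c14PkDPaDF4Ss4oxIvb99kcim9qHHhHanZKS0SG0pEOB
+UthaL8ZC3ww278eh6J1hLsaqJsznEs7TAFYZtH94lbXyxsGq3hdlpMhXKdgeHuei
+ZpNj/gyo1REsHz4k4Xj3XmtqWoAteQviccl2zi+KcC0U9hxvbnXIY3CGYgNsCFb4
+2EJtFXi2nDoHXicso2+bUufIhNGjxEkye9dEkChEGM27fxSr61yVlLARpm67jfEY
+kTW2OXOYz1yJ6Akr4yvQaS3FN6sEQ3YbE57Xju46VHn5kOmpYVMGyktmdOZwHnaO
+iaTLEzuYBEAJuyEt/2/XmiCGjlxrIGkyZQIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = "a2nUW601al1Sp1owDC4D3ukDesHThXeabMzhUckUL1O";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8T+2Oe6qCE0uEb9H7CWZengyhHK30NelmYmpI4Umpm root@fu";
+syncthing.id = "F5B3EPT-OEOFYMV-GATESYO-727M6R4-YBXGW6Q-SG3QWC7-PPVFX4C-AY4UKAJ";
+}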
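--- a/kartei/tv/hosts/leg.nix
+++ b/kartei/tv/hosts/leg.nix
@@ -0,0 +1,24 @@
+{
+nets = {
+retiolum = {
+ip4.addr = "10.243.13.43";
+aliases = [
+"leg.r"
+];
+tinc.pubkey = ''
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAsfL4VK3WbgbWVYsOA0TJ3iswRrvfE/z/TbNTtzULGPSA6bTG8QXO
+f2cm6aY6UriMktJL6GB3XNYlDZDKi74bNOXP+O/p7dTr5g9PWjYeqLFiLFr0pwWi
+pooKxrAcPEJ8khhCI7eXVGL1baiHZsPCZLmPXm+c3qke6uY/48zmt0SG3WwjybF/
+JMbxE7XTMrsO28PiOZgWrXqZJgLhKygcz9WGMkQ9CcjnHobKIoTRWHILIsEPjR2s
+/vNeGTa6v9/SpDQtHlfiELNxQAHUXU0//hJvEyH4dMS+vJKNQlL9z84fQqhZGfh0
+nN++k9cHwSPDusbMqB2ncpx6v8ieUpCsewIDAQAB
+-----END RSA PUBLIC KEY-----
+'';
+tinc.pubkey_ed25519 = " qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH";
+};
+};
+secure = true;
+ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg";
+syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU";
+}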
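Review bot: `tinc.pubkey_ed25519 = " qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH";` carries a leading space inside the string, unlike every other `pubkey_ed25519` in this commit (`"a2nUW601al1Sp1owDC4D3ukDesHThXeabMzhUckUL1O"` in fu.nix, for example). This value presumably lands verbatim in leg's tinc host file as `Ed25519PublicKey = ...`, so the stray space either breaks key parsing or produces a key that does not match leg's private key, and leg will fail to authenticate with the rest of the mesh. Change it to `tinc.pubkey_ed25519 = "qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH";` after confirming that string is the complete key and not a pasted fragment.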
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.13.43";
|
ip4.addr = "10.243.13.45";
|
||||||
aliases = [
|
aliases = [
|
||||||
"zoppo.r"
|
"zoppo.r"
|
||||||
];
|
];
|
||||||
|
|
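Review bot: The address this hunk moves zoppo off (`ip4.addr = "10.243.13.43";` → `"10.243.13.45";`) is handed to the new host leg in `kartei/tv/hosts/leg.nix` in the same commit. Every retiolum node keeps the old zoppo host file until it has rebuilt with this commit, so for a while two hosts announce 10.243.13.43 and traffic meant for leg may reach zoppo, or be logged as a duplicate subnet, depending on which nodes have updated. Reusing an address that was live until now deserves at least a comment in zoppo.nix; the safer option is a fresh address for leg and leaving zoppo's alone. The `retiolum` attribute set continues past the hunk.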
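--- a/kartei/tv/wiregrill/fu.pub
+++ b/kartei/tv/wiregrill/fu.pub
@@ -0,0 +1 @@
+Nds8Gja25t9xlQqr9zQIUAXXidt42cEIjq9VxUHkBQw=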
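--- a/kartei/tv/wiregrill/leg.pub
+++ b/kartei/tv/wiregrill/leg.pub
@@ -0,0 +1 @@
+tlGh9gpV09TspLVV/9+Z5T5fhMAQcz5c5L3KNvR/d1I=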
|
@ -4,6 +4,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
../../../krebs
|
../../../krebs
|
||||||
../../../krebs/2configs
|
../../../krebs/2configs
|
||||||
|
../../../krebs/2configs/nginx.nix
|
||||||
|
|
||||||
../../../krebs/2configs/buildbot-stockholm.nix
|
../../../krebs/2configs/buildbot-stockholm.nix
|
||||||
../../../krebs/2configs/binary-cache/nixos.nix
|
../../../krebs/2configs/binary-cache/nixos.nix
|
||||||
|
|
|
@ -8,7 +8,17 @@ with import ../../lib/pure.nix { inherit lib; };
|
||||||
];
|
];
|
||||||
krebs.announce-activation.enable = true;
|
krebs.announce-activation.enable = true;
|
||||||
krebs.enable = true;
|
krebs.enable = true;
|
||||||
krebs.tinc.retiolum.enable = mkDefault true;
|
|
||||||
|
# retiolum
|
||||||
|
krebs.tinc.retiolum = {
|
||||||
|
enable = mkDefault true;
|
||||||
|
extraConfig = ''
|
||||||
|
AutoConnect = yes
|
||||||
|
LocalDiscovery = yes
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
networking.firewall.allowedTCPPorts = [ 655 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 655 ];
|
||||||
|
|
||||||
# trust krebs ACME CA
|
# trust krebs ACME CA
|
||||||
krebs.ssl.trustIntermediate = true;
|
krebs.ssl.trustIntermediate = true;
|
||||||
|
@ -52,6 +62,7 @@ with import ../../lib/pure.nix { inherit lib; };
|
||||||
config.krebs.users.makefu.pubkey
|
config.krebs.users.makefu.pubkey
|
||||||
config.krebs.users.tv.pubkey
|
config.krebs.users.tv.pubkey
|
||||||
config.krebs.users.kmein.pubkey
|
config.krebs.users.kmein.pubkey
|
||||||
|
config.krebs.users.mic92.pubkey
|
||||||
];
|
];
|
||||||
|
|
||||||
# The NixOS release to be compatible with for stateful data such as databases.
|
# The NixOS release to be compatible with for stateful data such as databases.
|
||||||
|
|
|
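Review bot: `networking.firewall.allowedTCPPorts = [ 655 ];` and its UDP twin are added unconditionally, while the daemon they serve is only `enable = mkDefault true;`, so a host that overrides that to false still opens 655 on every interface for nothing. Gate both on the option, e.g. `networking.firewall.allowedTCPPorts = lib.mkIf config.krebs.tinc.retiolum.enable [ 655 ];` (`lib` and `config` are both already used in this file), and if the tinc module exposes its configured port, read it from there instead of repeating 655 — the `tinc.port = 0;` removals elsewhere in this commit are presumably what make those hosts actually listen on it. `LocalDiscovery = yes` additionally makes every host broadcast on its LANs; one comment on why that is wanted on servers would help the next reader. The second hunk adds `config.krebs.users.mic92.pubkey` to what looks like a shared authorized-keys list — fine, but a trust change that merits a line in the commit message.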
@ -5,19 +5,12 @@
|
||||||
virtualHosts."social.krebsco.de" = {
|
virtualHosts."social.krebsco.de" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
acmeFallbackHost = "hotdog.r";
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
# TODO use this in 22.11
|
# TODO use this in 22.11
|
||||||
# recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
proxyPass = "http://hotdog.r";
|
proxyPass = "https://hotdog.r";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
extraConfig = ''
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $host;
|
|
||||||
proxy_set_header X-Forwarded-Server $host;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
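Review bot: The `# TODO use this in 22.11` comment above `recommendedProxySettings = true;` is stale now that this hunk enables exactly that option; drop it. Switching to `proxyPass = "https://hotdog.r";` encrypts the hop to the backend, but nginx does not verify upstream certificates unless told to, and the backend's certificate comes from the Let's Encrypt staging CA per the mastodon hunk in this commit, so the proxy accepts whatever certificate hotdog.r presents. If that is the intended trade-off, say so in a one-line comment; otherwise add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on;` in `extraConfig` so the backend is authenticated and can select its vhost by SNI. The `virtualHosts` attribute set enclosing this hunk starts outside it.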
@ -3,7 +3,7 @@
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
|
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
|
||||||
package = pkgs.postgresql_11;
|
package = pkgs.postgresql_16;
|
||||||
};
|
};
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d /var/state/postgresql 0700 postgres postgres -"
|
"d /var/state/postgresql 0700 postgres postgres -"
|
||||||
|
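Review bot: Bumping to `package = pkgs.postgresql_16;` also changes `dataDir`, which is keyed on `${config.services.postgresql.package.psqlSchema}` two lines above, so the service will initialise an empty `/var/state/postgresql/16` and whatever lives in `/var/state/postgresql/11` is silently left behind rather than upgraded. A five-major-version jump needs an explicit `pg_upgrade` (or dump and restore) from the 11 directory before this is deployed, plus a note in the commit that it was done; the tmpfiles rule below only creates the parent directory. The `services.postgresql` block is complete within the hunk.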
@ -13,23 +13,17 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
localDomain = "social.krebsco.de";
|
localDomain = "social.krebsco.de";
|
||||||
configureNginx = true;
|
configureNginx = true;
|
||||||
|
streamingProcesses = 3;
|
||||||
trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
|
trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
|
||||||
smtp.createLocally = false;
|
smtp.createLocally = false;
|
||||||
smtp.fromAddress = "derp";
|
smtp.fromAddress = "derp";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
|
security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
forceSSL = lib.mkForce false;
|
|
||||||
enableACME = lib.mkForce false;
|
|
||||||
locations."@proxy".extraConfig = ''
|
|
||||||
proxy_redirect off;
|
|
||||||
proxy_pass_header Server;
|
|
||||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
80
|
80
|
||||||
|
443
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
|
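Review bot: `security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";` makes this host serve social.krebsco.de with a certificate from the Let's Encrypt staging CA, which no browser trusts; presumably that is deliberate because the only client is the reverse proxy (prism, judging by `trustedProxy`) that does not verify upstream certificates, and staging avoids production rate limits — but nothing in the file says so. Add a comment such as `# staging CA on purpose: this cert is only ever presented to the reverse proxy, never to browsers` so it is not "fixed" to production later, and reconsider once the proxy starts verifying. Opening 443 in `networking.firewall.allowedTCPPorts` below is consistent with that design. The hunks in this section cut through the `services.mastodon` and firewall attribute sets.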
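--- a/krebs/2configs/nginx.nix
+++ b/krebs/2configs/nginx.nix
@@ -0,0 +1,24 @@
+{
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+security.acme.acceptTerms = true;
+security.acme.defaults.email = "spam@krebsco.de";
+
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedTlsSettings = true;
+
+enableReload = true;
+
+virtualHosts.default = {
+default = true;
+locations."= /etc/os-release".extraConfig = ''
+default_type text/plain;
+alias /etc/os-release;
+'';
+# needed for acmeFallback in sync-containers, or other machines not reachable globally
+locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
+};
+};
+}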
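Review bot: `locations."= /etc/os-release".extraConfig` serves the machine's `/etc/os-release` on the default vhost, i.e. to anyone who can reach ports 80/443, which the same file opens globally; that hands out the exact NixOS version and build id, and nothing says who consumes it. If it is for an internal inventory check, restrict it (for example with `allow`/`deny` directives for the retiolum range inside the same `extraConfig`) or at least add `# exposes OS version publicly; consumed by <CONSUMER-PLACEHOLDER>` above it so the disclosure is a documented decision rather than an accident. Importing this module also silently opens the firewall and accepts the ACME terms for every host that includes it, which deserves a header comment at the top of the file.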
@ -526,6 +526,8 @@ in {
|
||||||
add_header 'Access-Control-Allow-Origin' '*';
|
add_header 'Access-Control-Allow-Origin' '*';
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||||
'';
|
'';
|
||||||
|
# needed for acmeFallback in sync-containers, or other machines not reachable globally
|
||||||
|
locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."bedge.r" = {
|
services.nginx.virtualHosts."bedge.r" = {
|
||||||
|
|
|
@ -80,13 +80,25 @@ let
|
||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
|
systemd.services."krebs.setuid" = {
|
||||||
(concatMapStringsSep "\n"
|
wantedBy = [ "suid-sgid-wrappers.service" ];
|
||||||
(cfg: /* sh */ ''
|
after = [ "suid-sgid-wrappers.service" ];
|
||||||
${cfg.activate}
|
path = [
|
||||||
rm -f ${cfg.wrapperDir}/${cfg.name}.real
|
pkgs.coreutils
|
||||||
'')
|
];
|
||||||
(attrValues config.krebs.setuid));
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
|
||||||
|
${concatMapStringsSep "\n"
|
||||||
|
(getAttr "activate")
|
||||||
|
(attrValues config.krebs.setuid)
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
unitConfig = {
|
||||||
|
DefaultDependencies = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
in out
|
in out
|
||||||
|
|
|
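Review bot: The new `ExecStart` script only runs each wrapper's `activate` text (`concatMapStringsSep "\n" (getAttr "activate")`), whereas the removed activation script also ran `rm -f ${cfg.wrapperDir}/${cfg.name}.real` after each one; unless `activate` itself now removes that file (not visible here), leftover `.real` copies of setuid binaries stay in the wrapper directory. The generated dash script also has no `set -e` (unless `writeDash` adds one), so a failing `activate` for one wrapper neither fails the unit nor stops the others, and the service reports success; start the script with `set -efu` or otherwise let the unit fail visibly. The `out` and `imp` definitions enclosing this hunk start outside it.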
@ -58,6 +58,8 @@ in {
|
||||||
pkgs.jq
|
pkgs.jq
|
||||||
];
|
];
|
||||||
networking.useDHCP = lib.mkForce true;
|
networking.useDHCP = lib.mkForce true;
|
||||||
|
networking.useHostResolvConf = false;
|
||||||
|
services.resolved.enable = true;
|
||||||
systemd.services.autoswitch = {
|
systemd.services.autoswitch = {
|
||||||
environment = {
|
environment = {
|
||||||
NIX_REMOTE = "daemon";
|
NIX_REMOTE = "daemon";
|
||||||
|
@ -155,7 +157,7 @@ in {
|
||||||
# echo 'container is reachable, continueing'
|
# echo 'container is reachable, continueing'
|
||||||
continue
|
continue
|
||||||
else
|
else
|
||||||
# echo 'container seems dead, killing'
|
echo 'container seems dead, killing'
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -246,6 +248,9 @@ in {
|
||||||
}; }
|
}; }
|
||||||
{ "container@${ctr.name}" = lib.mkIf ctr.runContainer {
|
{ "container@${ctr.name}" = lib.mkIf ctr.runContainer {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
|
ExecStop = pkgs.writers.writeDash "remove_interface" ''
|
||||||
|
${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
|
||||||
|
'';
|
||||||
ExecStartPost = [
|
ExecStartPost = [
|
||||||
(pkgs.writers.writeDash "bind-to-bridge" ''
|
(pkgs.writers.writeDash "bind-to-bridge" ''
|
||||||
${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
|
${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
|
||||||
|
@ -294,9 +299,6 @@ in {
|
||||||
(lib.mkIf (cfg.containers != {}) {
|
(lib.mkIf (cfg.containers != {}) {
|
||||||
# networking
|
# networking
|
||||||
|
|
||||||
# needed because otherwise we lose local dns
|
|
||||||
environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
|
|
||||||
|
|
||||||
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
|
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
|
||||||
systemd.network.networks.ctr0 = {
|
systemd.network.networks.ctr0 = {
|
||||||
name = "ctr0";
|
name = "ctr0";
|
||||||
|
@ -309,6 +311,9 @@ in {
|
||||||
ConfigureWithoutCarrier = true;
|
ConfigureWithoutCarrier = true;
|
||||||
DHCPServer = "yes";
|
DHCPServer = "yes";
|
||||||
};
|
};
|
||||||
|
dhcpServerConfig = {
|
||||||
|
DNS = "9.9.9.9";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
systemd.network.netdevs.ctr0.netdevConfig = {
|
systemd.network.netdevs.ctr0.netdevConfig = {
|
||||||
Kind = "bridge";
|
Kind = "bridge";
|
||||||
|
@ -341,6 +346,12 @@ in {
|
||||||
|
|
||||||
networking.useHostResolvConf = false;
|
networking.useHostResolvConf = false;
|
||||||
networking.useNetworkd = true;
|
networking.useNetworkd = true;
|
||||||
|
services.resolved = {
|
||||||
|
enable = true;
|
||||||
|
extraConfig = ''
|
||||||
|
Domains=~.
|
||||||
|
'';
|
||||||
|
};
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
networks.eth0 = {
|
networks.eth0 = {
|
||||||
|
|
|
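Review bot: `DNS = "9.9.9.9";` in `dhcpServerConfig` hardcodes a third-party resolver for every container on the bridge, and with the `resolv.conf` override (and its `# needed because otherwise we lose local dns` comment) removed in the same section, container name resolution now goes straight to Quad9 instead of through the host; names that only the host's resolver knows will stop resolving inside containers, and every container lookup leaves the network in plain UDP. Prefer handing out the bridge address and letting the host's `services.resolved` (enabled in the first hunk) answer, or make the resolver a module option with a comment on why an external one was chosen. The added `ExecStop` runs `${pkgs.iproute2}/bin/ip link del vb-${ctr.name}` unconditionally; if the veth is already gone by then (depends on whether nspawn tears it down first) the stop logs a failure, so appending `|| true` would be harmless. Both hunks sit inside definitions that start outside them.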
@ -1,15 +1,15 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB
|
MIICWjCCAcOgAwIBAgIRAOACUgvw++4VwgQ7Iu1/iRkwDQYJKoZIhvcNAQELBQAw
|
||||||
gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
|
gYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3MxEDAOBgNVBAoMB0ty
|
||||||
YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
|
ZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBSb290IENBMScwJQYJ
|
||||||
hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2
|
KoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUwHhcNMjMxMjA2MjAy
|
||||||
MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
|
NTI1WhcNMjQxMjA1MjAyNTI1WjAYMRYwFAYDVQQDEw1LcmVicyBBQ01FIENBMFkw
|
||||||
BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr
|
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESHiqfjJYhLvY9pBWVi5gwDmZQ65F5KGV
|
||||||
qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD
|
GSkOprlw4TJguHr6ToSC9MErHhDb80kyidcjWDi2WTJX1zg/OmTv2qOBgDB+MA4G
|
||||||
VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj
|
A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTSCUQO
|
||||||
SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
|
B5ICY1kqFPQ299+Kn6zr8TAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGV
|
||||||
MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt
|
LzAYBgNVHR4BAf8EDjAMoAowA4IBcjADggF3MA0GCSqGSIb3DQEBCwUAA4GBAMY3
|
||||||
XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4
|
hXVyUAYfNw+sb5NLZKkp5/Uu9ehcmVJV/CkWm5BKyEFsdCJ3PL5rnpockxNrOTy1
|
||||||
20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9
|
/y0IWZ4UaV2jqVibKOTt3FWax1BHXuTBMSirAIKYdUnT969KTTs0atrDYYh1bBzy
|
||||||
MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc=
|
YIxiIU+Be343LFI5HTNewAyK2SYUO0QP0BkGUUGD
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
|
|
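Review bot: Decoding the validity field of the new certificate (the `KoZIhvcNAQkBFhhyb290...` and `NTI1WhcNMjQxMjA1MjAy...` lines) suggests notBefore 2023-12-06 and notAfter 2024-12-05, while the certificate it replaces appears to have expired on 2023-12-06, days before this commit; so this looks like a reactive renewal after the intermediate had already lapsed. A one-year intermediate needs a scheduled renewal, so record the expiry somewhere visible (a comment in the module that sets `krebs.ssl.trustIntermediate`, or a monitoring check on the certificate's notAfter) so the 2024-12 renewal does not repeat this. The name-constraint extension bytes appear unchanged from the previous certificate, which is as expected for a plain renewal.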
@ -10,8 +10,8 @@
|
||||||
krebs-source = { test ? false }: rec {
|
krebs-source = { test ? false }: rec {
|
||||||
nixpkgs = if test then {
|
nixpkgs = if test then {
|
||||||
derivation = let
|
derivation = let
|
||||||
rev = (lib.importJSON ./nixpkgs.json).rev;
|
rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
|
||||||
sha256 = (lib.importJSON ./nixpkgs.json).sha256;
|
sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;
|
||||||
in ''
|
in ''
|
||||||
with import (builtins.fetchTarball {
|
with import (builtins.fetchTarball {
|
||||||
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
|
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
|
||||||
|
@ -26,8 +26,8 @@
|
||||||
'';
|
'';
|
||||||
} else {
|
} else {
|
||||||
git = {
|
git = {
|
||||||
ref = (lib.importJSON ./nixpkgs.json).rev;
|
ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
|
||||||
url = https://github.com/NixOS/nixpkgs;
|
url = "https://github.com/NixOS/nixpkgs";
|
||||||
shallow = true;
|
shallow = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
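Review bot: `sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;` now holds an SRI string (`sha256-…`) where the removed `nixpkgs.json` field was a base32 hash; `builtins.fetchTarball` accepts both on current Nix, but the let-binding name `sha256` no longer describes the value — rename it to `narHash` where it is bound and interpolated, or add a comment. The `else` branch still fetches by `ref = …locked.rev` with no content hash, so only the test path is pinned by content; that was true before as well, but is worth a note now that the lock file is the single source. The `krebs-source` function body continues beyond both hunks.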
@ -1,12 +0,0 @@
|
||||||
{
|
|
||||||
"url": "https://github.com/NixOS/nixpkgs",
|
|
||||||
"rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b",
|
|
||||||
"date": "2023-09-01T18:51:16+08:00",
|
|
||||||
"path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs",
|
|
||||||
"sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9",
|
|
||||||
"hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=",
|
|
||||||
"fetchLFS": false,
|
|
||||||
"fetchSubmodules": false,
|
|
||||||
"deepClone": false,
|
|
||||||
"leaveDotGit": false
|
|
||||||
}
|
|
|
@ -1,12 +0,0 @@
|
||||||
{
|
|
||||||
"url": "https://github.com/NixOS/nixpkgs",
|
|
||||||
"rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1",
|
|
||||||
"date": "2023-09-02T08:28:47+02:00",
|
|
||||||
"path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs",
|
|
||||||
"sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36",
|
|
||||||
"hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=",
|
|
||||||
"fetchLFS": false,
|
|
||||||
"fetchSubmodules": false,
|
|
||||||
"deepClone": false,
|
|
||||||
"leaveDotGit": false
|
|
||||||
}
|
|
|
@ -1,9 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
dir=$(dirname $0)
|
|
||||||
oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
|
|
||||||
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
|
|
||||||
--url https://github.com/NixOS/nixpkgs \
|
|
||||||
--rev refs/heads/nixos-unstable' \
|
|
||||||
> $dir/nixpkgs-unstable.json
|
|
||||||
newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
|
|
||||||
git commit $dir/nixpkgs-unstable.json -m "nixpkgs-unstable: $oldrev -> $newrev"
|
|
|
@ -1,9 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
dir=$(dirname $0)
|
|
||||||
oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
|
|
||||||
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
|
|
||||||
--url https://github.com/NixOS/nixpkgs \
|
|
||||||
--rev refs/heads/nixos-23.05' \
|
|
||||||
> $dir/nixpkgs.json
|
|
||||||
newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
|
|
||||||
git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"
|
|
|
@ -23,7 +23,6 @@ let
|
||||||
git = import ./git.nix { inherit (stockholm) lib; };
|
git = import ./git.nix { inherit (stockholm) lib; };
|
||||||
haskell = import ./haskell.nix { inherit (stockholm) lib; };
|
haskell = import ./haskell.nix { inherit (stockholm) lib; };
|
||||||
krebs = import ./krebs stockholm.lib;
|
krebs = import ./krebs stockholm.lib;
|
||||||
krops = import ../submodules/krops/lib;
|
|
||||||
shell = import ./shell.nix { inherit (stockholm) lib; };
|
shell = import ./shell.nix { inherit (stockholm) lib; };
|
||||||
systemd = {
|
systemd = {
|
||||||
encodeName = replaceStrings ["/"] ["\\x2f"];
|
encodeName = replaceStrings ["/"] ["\\x2f"];
|
||||||
|
|