Merge remote-tracking branch 'cd/master'

lassulus 2016-04-09 00:49:56 +02:00
commit e57841421b
42 changed files with 623 additions and 325 deletions


@ -8,15 +8,15 @@ with config.krebs.lib;
cores = 4;
nets = rec {
internet = {
addrs4 = ["144.76.172.188"];
ip4.addr = "144.76.172.188";
aliases = [
"dishfire.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.133.99"];
addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"];
ip4.addr = "10.243.133.99";
ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1233";
aliases = [
"dishfire.retiolum"
"dishfire.r"
@ -40,15 +40,15 @@ with config.krebs.lib;
cores = 2;
nets = rec {
internet = {
addrs4 = ["162.252.241.33"];
ip4.addr = "162.252.241.33";
aliases = [
"echelon.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.206.103"];
addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f763"];
ip4.addr = "10.243.206.103";
ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763";
aliases = [
"echelon.retiolum"
"echelon.r"
@ -75,15 +75,15 @@ with config.krebs.lib;
cores = 4;
nets = rec {
internet = {
addrs4 = ["213.239.205.240"];
ip4.addr = "213.239.205.240";
aliases = [
"prism.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.0.103"];
addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"];
ip4.addr = "10.243.0.103";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab";
aliases = [
"prism.retiolum"
"prism.r"
@ -107,15 +107,15 @@ with config.krebs.lib;
fastpoke = {
nets = rec {
internet = {
addrs4 = ["193.22.164.36"];
ip4.addr = "193.22.164.36";
aliases = [
"fastpoke.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.253.152"];
addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"];
ip4.addr = "10.243.253.152";
ip6.addr = "42:422a:194f:ff3b:e196:2f82:5cf5:bc00";
aliases = [
"fastpoke.retiolum"
"fastpoke.r"
@ -139,15 +139,15 @@ with config.krebs.lib;
cores = 1;
nets = rec {
internet = {
addrs4 = ["104.167.113.104"];
ip4.addr = "104.167.113.104";
aliases = [
"cloudkrebs.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.206.102"];
addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"];
ip4.addr = "10.243.206.102";
ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f762";
aliases = [
"cloudkrebs.retiolum"
"cloudkrebs.r"
@ -172,12 +172,12 @@ with config.krebs.lib;
cores = 1;
nets = {
gg23 = {
addrs4 = ["10.23.1.12"];
ip4.addr = "10.23.1.12";
aliases = ["uriel.gg23"];
};
retiolum = {
addrs4 = ["10.243.81.176"];
addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"];
ip4.addr = "10.243.81.176";
ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56";
aliases = [
"uriel.retiolum"
"uriel.r"
@ -203,12 +203,12 @@ with config.krebs.lib;
cores = 2;
nets = {
gg23 = {
addrs4 = ["10.23.1.11"];
ip4.addr = "10.23.1.11";
aliases = ["mors.gg23"];
};
retiolum = {
addrs4 = ["10.243.0.2"];
addrs6 = ["42:0:0:0:0:0:0:dea7"];
ip4.addr = "10.243.0.2";
ip6.addr = "42:0:0:0:0:0:0:dea7";
aliases = [
"mors.retiolum"
"mors.r"
@ -234,8 +234,8 @@ with config.krebs.lib;
cores = 2;
nets = {
retiolum = {
addrs4 = ["10.243.0.3"];
addrs6 = ["42:0:0:0:0:0:0:7105"];
ip4.addr = "10.243.0.3";
ip6.addr = "42:0:0:0:0:0:0:7105";
aliases = [
"helios.retiolum"
"helios.r"


@ -8,8 +8,8 @@ with config.krebs.lib;
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.0.210"];
addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"];
ip4.addr = "10.243.0.210";
ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001";
aliases = [
"pnp.retiolum"
"cgit.pnp.retiolum"
@ -31,8 +31,8 @@ with config.krebs.lib;
cores = 4;
nets = {
retiolum = {
addrs4 = ["10.243.0.84"];
addrs6 = ["42:ff6b:5f0b:460d:2cee:4d05:73f7:5566"];
ip4.addr = "10.243.0.84";
ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566";
aliases = [
"darth.retiolum"
"darth.r"
@ -54,8 +54,8 @@ with config.krebs.lib;
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.0.212"];
addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"];
ip4.addr = "10.243.0.212";
ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002";
aliases = [
"tsp.retiolum"
];
@ -81,8 +81,8 @@ with config.krebs.lib;
cores = 2;
nets = {
retiolum = {
addrs4 = ["10.243.0.91"];
addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"];
ip4.addr = "10.243.0.91";
ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db";
aliases = [
"pornocauster.retiolum"
"pornocauster.r"
@ -108,8 +108,8 @@ with config.krebs.lib;
cores = 2;
nets = {
retiolum = {
addrs4 = ["10.243.1.91"];
addrs6 = ["42:0b2c:d90e:e717:03dd:9ac1:0000:a400"];
ip4.addr = "10.243.1.91";
ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400";
aliases = [
"vbob.retiolum"
];
@ -135,22 +135,22 @@ with config.krebs.lib;
extraZones = {
"krebsco.de" = ''
euer IN MX 1 aspmx.l.google.com.
pigstarter IN A ${head nets.internet.addrs4}
gold IN A ${head nets.internet.addrs4}
boot IN A ${head nets.internet.addrs4}
pigstarter IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
boot IN A ${nets.internet.ip4.addr}
'';
};
nets = {
internet = {
addrs4 = ["192.40.56.122"];
addrs6 = ["2604:2880::841f:72c"];
ip4.addr = "192.40.56.122";
ip6.addr = "2604:2880::841f:72c";
aliases = [
"pigstarter.internet"
];
};
retiolum = {
addrs4 = ["10.243.0.153"];
addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"];
ip4.addr = "10.243.0.153";
ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110";
aliases = [
"pigstarter.retiolum"
];
@ -171,18 +171,18 @@ with config.krebs.lib;
cores = 1;
extraZones = {
"krebsco.de" = ''
euer IN A ${head nets.internet.addrs4}
wiki.euer IN A ${head nets.internet.addrs4}
wry IN A ${head nets.internet.addrs4}
euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de.
graphs IN A ${head nets.internet.addrs4}
paste 60 IN A ${head nets.internet.addrs4}
tinc IN A ${head nets.internet.addrs4}
graphs IN A ${nets.internet.ip4.addr}
paste 60 IN A ${nets.internet.ip4.addr}
tinc IN A ${nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
addrs4 = ["104.233.87.86"];
ip4.addr = "104.233.87.86";
aliases = [
"wry.internet"
"paste.internet"
@ -190,8 +190,8 @@ with config.krebs.lib;
};
retiolum = {
via = internet;
addrs4 = ["10.243.29.169"];
addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"];
ip4.addr = "10.243.29.169";
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [
"graphs.wry.retiolum"
"graphs.retiolum"
@ -228,8 +228,8 @@ with config.krebs.lib;
nets = {
retiolum = {
addrs4 = ["10.243.153.102"];
addrs6 = ["42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"];
ip4.addr = "10.243.153.102";
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
aliases = [
"filepimp.retiolum"
];
@ -252,8 +252,8 @@ with config.krebs.lib;
nets = {
retiolum = {
addrs4 = ["10.243.0.89"];
addrs6 = ["42:f9f0::10"];
ip4.addr = "10.243.0.89";
ip6.addr = "42:f9f0::10";
aliases = [
"omo.retiolum"
"omo.r"
@ -277,8 +277,8 @@ with config.krebs.lib;
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.214.15"];
addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"];
ip4.addr = "10.243.214.15";
ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
aliases = [
"wbob.retiolum"
];
@ -301,24 +301,24 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
extraZones = {
"krebsco.de" = ''
share.euer IN A ${head nets.internet.addrs4}
mattermost.euer IN A ${head nets.internet.addrs4}
git.euer IN A ${head nets.internet.addrs4}
gum IN A ${head nets.internet.addrs4}
cgit.euer IN A ${head nets.internet.addrs4}
share.euer IN A ${nets.internet.ip4.addr}
mattermost.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
addrs4 = ["195.154.108.70"];
ip4.addr = "195.154.108.70";
aliases = [
"gum.internet"
];
};
retiolum = {
via = internet;
addrs4 = ["10.243.0.211"];
addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"];
ip4.addr = "10.243.0.211";
ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2";
aliases = [
"gum.r"
"gum.retiolum"
@ -346,20 +346,20 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
extraZones = {
"krebsco.de" = ''
mediengewitter IN A ${head nets.internet.addrs4}
flap IN A ${head nets.internet.addrs4}
mediengewitter IN A ${nets.internet.ip4.addr}
flap IN A ${nets.internet.ip4.addr}
'';
};
nets = {
internet = {
addrs4 = ["162.248.11.162"];
ip4.addr = "162.248.11.162";
aliases = [
"flap.internet"
];
};
retiolum = {
addrs4 = ["10.243.211.172"];
addrs6 = ["42:472a:3d01:bbe4:4425:567e:592b:065d"];
ip4.addr = "10.243.211.172";
ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d";
aliases = [
"flap.retiolum"
"flap.r"
@ -382,8 +382,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.231.219"];
addrs6 = ["42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72"];
ip4.addr = "10.243.231.219";
ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72";
aliases = [
"nukular.r"
];
@ -405,8 +405,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.124.21"];
addrs6 = ["42:9898:a8be:ce56:0ee3:b99c:42c5:109e"];
ip4.addr = "10.243.124.21";
ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
aliases = [
"heidi.r"
];
@ -428,7 +428,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.69.184"];
ip4.addr = "10.243.69.184";
aliases = [
"soundflower.r"
];
@ -450,7 +450,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.120.19"];
ip4.addr = "10.243.120.19";
aliases = [
"falk.r"
];
@ -472,8 +472,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 4;
nets = {
retiolum = {
addrs4 = ["10.243.189.130"];
addrs6 = ["42:c64e:011f:9755:31e1:c3e6:73c0:af2d"];
ip4.addr = "10.243.189.130";
ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d";
aliases = [
"filebitch.r"
];
@ -495,8 +495,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.26.29"];
addrs6 = ["42:927a:3d59:1cb3:29d6:1a08:78d3:812e"];
ip4.addr = "10.243.26.29";
ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e";
aliases = [
"excobridge.r"
];
@ -518,14 +518,14 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cores = 1;
nets = {
internet = {
addrs4 = ["148.251.47.69"];
ip4.addr = "148.251.47.69";
aliases = [
"wooki.internet"
];
};
retiolum = {
addrs4 = ["10.243.57.85"];
addrs6 = ["42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"];
ip4.addr = "10.243.57.85";
ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731";
aliases = [
"wooki.r"
];
@ -543,18 +543,41 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
senderechner = rec {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.0.163";
ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda";
aliases = [
"senderechner.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0zCc5aLVRO6NuxUoR6BVzq2PQ/U5AEjYTdGkQufRot42N29MhxY7
lJBfPfkw/yg2FOzmAzTi62QyrLWSaF1x54rKu+JeNSsOAX+BorGhM67N45DGvJ0X
rakIL0BrVoV7Kxssq3DscGVbjbNS5B5c+IvTp97me/MpuDrfYqUyZk5mS9nB0oDL
inao/A5AtOO4sdqN5BNE9/KisN/9dD359Gz2ZGGq6Ki7o4HBdBj5vi0f4fTofZxT
BJH4BxbWaHwXMC0HYGlhQS0Y7tKYT6h3ChxoLDuW2Ox2IF5AQ/O4t4PIBDp1XaAO
OK8SsmsiD6ZZm6q/nLWBkYH08geYfq0BhQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
muhbaasu = rec {
cores = 1;
nets = {
internet = {
addrs4 = ["217.160.206.154"];
ip4.addr = "217.160.206.154";
aliases = [
"muhbaasu.internet"
];
};
retiolum = {
addrs4 = ["10.243.139.184"];
addrs6 = ["42:d568:6106:ba30:753b:0f2a:8225:b1fb"];
ip4.addr = "10.243.139.184";
ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb";
aliases = [
"muhbaasu.r"
];


@ -8,8 +8,8 @@ with config.krebs.lib;
cores = 4;
nets = {
retiolum = {
addrs4 = ["10.243.111.112"];
addrs6 = ["42:0:0:0:0:0:111:112"];
ip4.addr = "10.243.111.112";
ip6.addr = "42:0:0:0:0:0:111:112";
aliases = [
"bobby.retiolum"
"cgit.bobby.retiolum"


@ -8,8 +8,8 @@ with config.krebs.lib;
cores = 4;
nets = {
retiolum = {
addrs4 = ["10.243.111.111"];
addrs6 = ["42:0:0:0:0:0:111:111"];
ip4.addr = "10.243.111.111";
ip6.addr = "42:0:0:0:0:0:111:111";
aliases = [
"stro.retiolum"
"cgit.stro.retiolum"


@ -117,28 +117,24 @@ let
}
'';
to-server = { server-names, listen, locations, extraConfig, ssl, ... }:
let
_extraConfig = if ssl.enable then
extraConfig + ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"}
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
''
else
extraConfig
;
in ''
server {
${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")}
server_name ${toString server-names};
${indent _extraConfig}
${indent (concatMapStrings to-location locations)}
}
'';
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
server {
server_name ${toString server-names};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
${optionalString ssl.enable (indent ''
listen 443 ssl;
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
${optionalString ssl.prefer_server_ciphers ''
ssl_prefer_server_ciphers On;
''}
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
${indent extraConfig}
${indent (concatMapStrings to-location locations)}
}
'';
in
out
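Review bot: `ssl_certificate_key ${ssl.certificate_key};` interpolates the option value straight into the generated config, and if `ssl.certificate_key` is declared as `types.path` (its declaration is outside this hunk) evaluating it copies the private key into the world-readable Nix store — the same pitfall the retiolum module's removed `privateKeyFile` comment warned about. Declare it as `types.str` holding a runtime path (e.g. under `/var/lib`) or deliver it through `krebs.secret.files`, and add a comment on the option saying why it must not be a store path. A one-line comment above `listen 443 ssl;` noting that `ssl.enable` adds this listener on top of the caller's `listen` list would also help, since a caller that lists 443 itself would produce a duplicate listen.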


@ -11,26 +11,13 @@ let
api = {
enable = mkEnableOption "krebs.retiolum";
name = mkOption {
type = types.str;
default = config.networking.hostName;
# Description stolen from tinc.conf(5).
description = ''
This is the name which identifies this tinc daemon. It must
be unique for the virtual private network this daemon will
connect to. The Name may only consist of alphanumeric and
underscore characters. If Name starts with a $, then the
contents of the environment variable that follows will be
used. In that case, invalid characters will be converted to
underscores. If Name is $HOST, but no such environment
variable exist, the hostname will be read using the
gethostnname() system call This is the name which identifies
the this tinc daemon.
'';
host = mkOption {
type = types.host;
default = config.krebs.build.host;
};
netname = mkOption {
type = types.str;
type = types.enum (attrNames cfg.host.nets);
default = "retiolum";
description = ''
The tinc network name.
@ -99,17 +86,13 @@ let
description = "Iproute2 package to use.";
};
privateKeyFile = mkOption {
# TODO if it's types.path then it gets copied to /nix/store with
# bad unsafe permissions...
type = types.str;
default = toString <secrets/retiolum.rsa_key.priv>;
description = ''
Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to
<secrets/retiolum.rsa_key.priv>.
'';
privkey = mkOption {
type = types.secret-file;
default = {
path = "${cfg.user.home}/tinc.rsa_key.priv";
owner = cfg.user;
source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv";
};
};
connectTo = mkOption {
@ -122,81 +105,67 @@ let
'';
};
user = mkOption {
type = types.user;
default = {
name = cfg.netname;
home = "/var/lib/${cfg.user.name}";
};
};
};
imp = {
krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey;
environment.systemPackages = [ tinc iproute ];
systemd.services.retiolum = {
systemd.services.${cfg.netname} = {
description = "Tinc daemon for Retiolum";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
path = [ tinc iproute ];
serviceConfig = rec {
PermissionsStartOnly = "true";
PrivateTmp = "true";
Restart = "always";
# TODO we cannot chroot (-R) b/c we use symlinks to hosts
# and the private key.
ExecStartPre = pkgs.writeScript "retiolum-init" ''
#! /bin/sh
install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv
'';
ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
SyslogIdentifier = "retiolum";
ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
SyslogIdentifier = cfg.netname;
};
};
users.extraUsers = singleton {
inherit (user) name uid;
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
};
};
user = rec {
name = "retiolum";
uid = genid name;
};
net = cfg.host.nets.${cfg.netname};
tinc = cfg.tincPackage;
iproute = cfg.iproutePackage;
confDir = pkgs.runCommand "retiolum" {
# TODO text
executable = true;
preferLocalBuild = true;
} ''
set -euf
mkdir -p $out
ln -s ${cfg.hostsPackage} $out/hosts
cat > $out/tinc.conf <<EOF
Name = ${cfg.name}
Device = /dev/net/tun
Interface = ${cfg.netname}
${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}
PrivateKeyFile = /tmp/retiolum-rsa_key.priv
${cfg.extraConfig}
EOF
# source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up
cat > $out/tinc-up <<EOF
host=$out/hosts/${cfg.name}
${iproute}/sbin/ip link set \$INTERFACE up
addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)
if [ -n "\$addr4" ];then
${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE
${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE
fi
addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)
${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE
${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE
EOF
chmod +x $out/tinc-up
'';
confDir = let
namePathPair = name: path: { inherit name path; };
in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair {
"hosts" = cfg.hostsPackage;
"tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
Name = ${cfg.host.name}
Interface = ${cfg.netname}
${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
PrivateKeyFile = ${cfg.privkey.path}
${cfg.extraConfig}
'';
"tinc-up" = pkgs.writeScript "${cfg.netname}-tinc-up" ''
${iproute}/sbin/ip link set ${cfg.netname} up
${optionalString (net.ip4 != null) ''
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname}
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname}
''}
${optionalString (net.ip6 != null) ''
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname}
''}
'';
});
in out
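Review bot: The removed `ExecStartPre` installed the key with an explicit `-m 0400`, but the new `privkey` default sets only `path`, `owner` and `source-path`; unless `types.secret-file` defaults to a 0400 mode (its definition is not in this hunk), the key at `${cfg.user.home}/tinc.rsa_key.priv` inherits whatever mode `krebs.secret.files` applies, so pin it with `mode = "0400";` in the default. The unit lists `secret.service` under `requires` but only `network.target` under `after`, and `Requires=` alone does not order, so tincd can be started before the key exists and depend on `Restart = "always"` to recover; add `"secret.service"` to `after` as well. `Name = ${cfg.host.name}` now takes the host name unchecked while the removed option description documented tinc's alphanumeric/underscore restriction; an assertion such as `assert match "[A-Za-z0-9_]+" cfg.host.name != null;` on the config would turn a hyphenated host name into an evaluation error instead of a tincd startup failure.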


@ -12,8 +12,8 @@ let
cores = 1;
nets = {
retiolum = {
addrs4 = ["10.243.111.111"];
addrs6 = ["42:0:0:0:0:0:0:7357"];
ip4.addr = "10.243.111.111";
ip6.addr = "42:0:0:0:0:0:0:7357";
aliases = [
"test.r"
"test.retiolum"
@ -36,7 +36,7 @@ in {
wolf = {
nets = {
shack = {
addrs4 = [ "10.42.2.150" ];
ip4.addr = "10.42.2.150" ;
aliases = [
"wolf.shack"
"graphite.shack"
@ -45,8 +45,8 @@ in {
];
};
retiolum = {
addrs4 = ["10.243.77.1"];
addrs6 = ["42:0:0:0:0:0:77:1"];
ip4.addr = "10.243.77.1";
ip6.addr = "42:0:0:0:0:0:77:1";
aliases = [
"wolf.retiolum"
"cgit.wolf.retiolum"


@ -13,15 +13,15 @@ with config.krebs.lib;
# TODO generate krebsco.de zone from nets and don't use extraZones at all
"krebsco.de" = ''
krebsco.de. 60 IN MX 5 mx23
mx23 60 IN A ${elemAt nets.internet.addrs4 0}
cd 60 IN A ${elemAt nets.internet.addrs4 0}
cgit 60 IN A ${elemAt nets.internet.addrs4 0}
cgit.cd 60 IN A ${elemAt nets.internet.addrs4 0}
mx23 60 IN A ${nets.internet.ip4.addr}
cd 60 IN A ${nets.internet.ip4.addr}
cgit 60 IN A ${nets.internet.ip4.addr}
cgit.cd 60 IN A ${nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
addrs4 = ["162.219.7.216"];
ip4.addr = "162.219.7.216";
aliases = [
"cd.i"
"cd.internet"
@ -34,8 +34,8 @@ with config.krebs.lib;
};
retiolum = {
via = internet;
addrs4 = ["10.243.113.222"];
addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"];
ip4.addr = "10.243.113.222";
ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af3";
aliases = [
"cd.r"
"cd.retiolum"
@ -62,11 +62,46 @@ with config.krebs.lib;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6";
};
doppelbock = rec {
cores = 2;
nets = rec {
internet = {
ip4.addr = "45.62.237.203";
aliases = [
"doppelbock.i"
"doppelbock.internet"
];
};
retiolum = {
via = internet;
ip4.addr = "10.243.113.224";
ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5";
aliases = [
"doppelbock.r"
"doppelbock.retiolum"
"cgit.doppelbock.r"
"cgit.doppelbock.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAq/luvzH4CQX5qRuucUqR3aLwXtzsRmBOdd2hvrPG1z8ML2kKV+IG
0aBfyJmQ8csfeGhOj0y0LEBv4bkEjEtYObs+LJfdWZC5e39eAVUE0z8QbSPOx4di
/7Bo+9sFRELP1kYb47eLR8quiIkslMWQMbTLM5RHoXJ5jE8fQSitfp4WUZYiSPDF
d5F7RU/ZQfTZuh8gv7RmSn/6N6bXAQWrueK6ZqMuImIjBrmYyXUWxgsDnpeHxR5j
j/0F2Bda5lyp+Qzv24PREdPT8FazUfmIQwZTTArXHxiqLq+SEVT21E4WEf2sJRan
dti9yVUW3eiqpu8b9BRpvxOB3YdkyqlrGwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLhrVTEmbtuTsgRTHHxsLrq7ai1Yt7+oKFevr1gzktCQqHuyucXzxn60F00kuNDkNiKIF5fHmWy6ajU+6PKD3TfiFMagT9ah0x0RSB0+0tevxnlOp6VdHhrdM5YrBduWMiELmOiI1lvYhRqKd/ZE7b2mra6KYe5VtTi9UX3wQp8qN+bI01KCxv0p6ciUgEO8fnwLKDBUuFJ2UfE7Ais9XrXFIBFXB+MKcpLnIXvrV6dSXdUEiaswg8wo0Q0Y3tMaQ0dNJdH2yp3FVn1aiX3E/vVnffmDKMWYWqn78klujdEdmLm8/8NkXnc/jpgu8ZlSpQHECO2ZUJzd35yRnVKALv";
};
mkdir = rec {
cores = 1;
nets = rec {
internet = {
addrs4 = ["104.167.114.142"];
ip4.addr = "104.167.114.142";
aliases = [
"mkdir.i"
"mkdir.internet"
@ -74,8 +109,8 @@ with config.krebs.lib;
};
retiolum = {
via = internet;
addrs4 = ["10.243.113.223"];
addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"];
ip4.addr = "10.243.113.223";
ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af4";
aliases = [
"mkdir.r"
"mkdir.retiolum"
@ -101,12 +136,12 @@ with config.krebs.lib;
extraZones = {
# TODO generate krebsco.de zone from nets and don't use extraZones at all
"krebsco.de" = ''
ire 60 IN A ${elemAt nets.internet.addrs4 0}
ire 60 IN A ${nets.internet.ip4.addr}
'';
};
nets = rec {
internet = {
addrs4 = ["198.147.22.115"];
ip4.addr = "198.147.22.115";
aliases = [
"ire.i"
"ire.internet"
@ -116,8 +151,8 @@ with config.krebs.lib;
};
retiolum = {
via = internet;
addrs4 = ["10.243.231.66"];
addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
ip4.addr = "10.243.231.66";
ip6.addr = "42:b912:0f42:a82d:0d27:8610:e89b:490c";
aliases = [
"ire.r"
"ire.retiolum"
@ -140,7 +175,7 @@ with config.krebs.lib;
kaepsele = {
nets = {
internet = {
addrs4 = ["92.222.10.169"];
ip4.addr = "92.222.10.169";
aliases = [
"kaepsele.i"
"kaepsele.internet"
@ -148,8 +183,8 @@ with config.krebs.lib;
];
};
retiolum = {
addrs4 = ["10.243.166.2"];
addrs6 = ["42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d"];
ip4.addr = "10.243.166.2";
ip6.addr = "42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d";
aliases = [
"kaepsele.r"
"kaepsele.retiolum"
@ -169,10 +204,11 @@ with config.krebs.lib;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA9cDUg7qm37uOhQpdKSgpnJPWao9VZR6LFNphVcJQ++gYvVgWu6WMhigiy7DcGQSStUlXkZc4HZBBugwwNWcf7aAF6ijBuG5rVwb9AFQmSexpTOfWap33iA5f+LXYFHe7iv4Pt9TYO1ga1Ryl4EGKb7ol2h5vbKC+JiGaDejB0WqhBAyrTg4tTWO8k2JT11CrlTjNVctqV0IVAMtTc/hcJcNusnoGD4ic0QGSzEMYxcIGRNvIgWmxhI6GHeaHxXWH5fv4b0OpLlDfVUsIvEo9KVozoLGm/wgLBG/tQXKaF9qVMVgOYi9sX/hDLwhRrcD2cyAlq9djo2pMARYiriXF";
};
mu = {
cores = 2;
nets = {
retiolum = {
addrs4 = ["10.243.20.1"];
addrs6 = ["42:0:0:0:0:0:0:2001"];
ip4.addr = "10.243.20.1";
ip6.addr = "42:0:0:0:0:0:0:2001";
aliases = [
"mu.r"
"mu.retiolum"
@ -189,18 +225,20 @@ with config.krebs.lib;
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu";
};
nomic = {
cores = 2;
nets = rec {
gg23 = {
addrs4 = ["10.23.1.110"];
ip4.addr = "10.23.1.110";
aliases = ["nomic.gg23"];
ssh.port = 11423;
};
retiolum = {
addrs4 = ["10.243.0.110"];
addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"];
ip4.addr = "10.243.0.110";
ip6.addr = "42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec";
aliases = [
"nomic.r"
"nomic.retiolum"
@ -226,7 +264,7 @@ with config.krebs.lib;
ok = {
nets = {
gg23 = {
addrs4 = ["10.23.1.1"];
ip4.addr = "10.23.1.1";
aliases = ["ok.gg23"];
};
};
@ -235,7 +273,7 @@ with config.krebs.lib;
cores = 1;
nets = rec {
internet = {
addrs4 = ["167.88.34.182"];
ip4.addr = "167.88.34.182";
aliases = [
"rmdir.i"
"rmdir.internet"
@ -243,8 +281,8 @@ with config.krebs.lib;
};
retiolum = {
via = internet;
addrs4 = ["10.243.113.224"];
addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"];
ip4.addr = "10.243.113.224";
ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5";
aliases = [
"rmdir.r"
"rmdir.retiolum"
@ -269,7 +307,7 @@ with config.krebs.lib;
schnabeldrucker = {
nets = {
gg23 = {
addrs4 = ["10.23.1.21"];
ip4.addr = "10.23.1.21";
aliases = ["schnabeldrucker.gg23"];
};
};
@ -277,7 +315,7 @@ with config.krebs.lib;
schnabelscanner = {
nets = {
gg23 = {
addrs4 = ["10.23.1.22"];
ip4.addr = "10.23.1.22";
aliases = ["schnabelscanner.gg23"];
};
};
@ -286,7 +324,7 @@ with config.krebs.lib;
cores = 4;
nets = {
gg23 = {
addrs4 = ["10.23.1.37"];
ip4.addr = "10.23.1.37";
aliases = [
"wu.gg23"
"cache.wu.gg23"
@ -294,8 +332,8 @@ with config.krebs.lib;
ssh.port = 11423;
};
retiolum = {
addrs4 = ["10.243.13.37"];
addrs6 = ["42:0:0:0:0:0:0:1337"];
ip4.addr = "10.243.13.37";
ip6.addr = "42:0:0:0:0:0:0:1337";
aliases = [
"wu.r"
"wu.retiolum"
@ -322,13 +360,13 @@ with config.krebs.lib;
cores = 4;
nets = {
gg23 = {
addrs4 = ["10.23.1.38"];
ip4.addr = "10.23.1.38";
aliases = ["xu.gg23"];
ssh.port = 11423;
};
retiolum = {
addrs4 = ["10.243.13.38"];
addrs6 = ["42:0:0:0:0:0:0:1338"];
ip4.addr = "10.243.13.38";
ip6.addr = "42:0:0:0:0:0:0:1338";
aliases = [
"xu.r"
"xu.retiolum"
@ -387,7 +425,7 @@ with config.krebs.lib;
-----END PGP PUBLIC KEY BLOCK-----
'';
pubkey = "ssh-rsa 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 tv@wu";
uid = 1337; # TODO use default
uid = 1337; # TODO use default and document what has to be done (for vv)
};
tv-nomic = {
inherit (tv) mail;
@ -397,5 +435,9 @@ with config.krebs.lib;
inherit (tv) mail;
pubkey = "ssh-rsa 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 tv@xu";
};
vv = {
mail = "vv@mu.r";
uid = 2000; # TODO use default
};
};
}
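Review bot: The new `doppelbock` host is given `ip4.addr = "10.243.113.224"` and `ip6.addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5"`, which are exactly the retiolum addresses `rmdir` still carries further down in this file; two tinc nodes announcing the same Subnet collide, and the generated hosts files and `.r` aliases will presumably resolve to whichever node wins. Unless `rmdir` is being retired in the same change, give `doppelbock` fresh addresses (`10.243.113.225` / `…:2af6` would continue the `cd`/`mkdir`/`rmdir` sequence) or drop the `rmdir` entry. A comment next to the doppelbock block naming the allocation scheme would make the next collision easier to spot, since nothing in `types.host` checks address uniqueness per net.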


@ -63,28 +63,56 @@ types // rec {
net = submodule ({ config, ... }: {
options = {
name = mkOption {
type = label;
default = config._module.args.name;
};
via = mkOption {
type = nullOr net;
default = null;
};
addrs = mkOption {
type = listOf addr;
default = config.addrs4 ++ config.addrs6;
# TODO only default addrs make sense
};
addrs4 = mkOption {
type = listOf addr4;
default = [];
};
addrs6 = mkOption {
type = listOf addr6;
default = [];
default =
optional (config.ip4 != null) config.ip4.addr ++
optional (config.ip6 != null) config.ip6.addr;
readOnly = true;
};
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
default = [];
};
ip4 = mkOption {
type = nullOr (submodule {
options = {
addr = mkOption {
type = addr4;
};
prefix = mkOption ({
type = str; # TODO routing prefix (CIDR)
} // optionalAttrs (config.name == "retiolum") {
default = "10.243.0.0/16";
});
};
});
default = null;
};
ip6 = mkOption {
type = nullOr (submodule {
options = {
addr = mkOption {
type = addr6;
};
prefix = mkOption ({
type = str; # TODO routing prefix (CIDR)
} // optionalAttrs (config.name == "retiolum") {
default = "42::/16";
});
};
});
default = null;
};
ssh = mkOption {
type = submodule {
options = {
@ -186,10 +214,23 @@ types // rec {
};
});
# TODO
addr = str;
addr4 = str;
addr6 = str;
addr = either addr4 addr6;
addr4 = mkOptionType {
name = "IPv4 address";
check = let
IPv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in
concatMapStringsSep "." (const d) (range 1 4);
in x: match IPv4address x != null;
merge = mergeOneOption;
};
addr6 = mkOptionType {
name = "IPv6 address";
check = let
# TODO check IPv6 address harder
IPv6address = "[0-9a-f.:]+";
in x: match IPv6address x != null;
merge = mergeOneOption;
};
pgp-pubkey = str;
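Review bot: The `addr6` check `[0-9a-f.:]+` accepts any dotted/colon string, including a malformed IPv4 such as `10.243.0.300` that `addr4` correctly rejects, so `addr = either addr4 addr6` lets such values through wherever `addr` is used directly. Until the TODO is done, a cheap tightening is to require at least one colon, `in x: match IPv6address x != null && match ".*:.*" x != null;`, and to accept uppercase hex, which is valid IPv6 but rejected by the lowercase-only class (`[0-9a-fA-F.:]`). `addrs` is now `readOnly` and derived from `ip4`/`ip6`; a one-line comment saying it is kept only for readers of the old `addrs4`/`addrs6` lists would stop someone re-adding a settable default.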


@ -1,11 +1,11 @@
{ coreutils, fetchurl, db, openssl, pcre, perl, pkgconfig, stdenv }:
stdenv.mkDerivation rec {
name = "exim-4.86.2";
name = "exim-4.87";
src = fetchurl {
url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2";
sha256 = "1cvfcc1hi60lydv8h3a2rxlfc0v2nflwpvzjj7h7cdsqs2pxwmkp";
sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl";
};
buildInputs = [ coreutils db openssl pcre perl pkgconfig ];


@ -2,9 +2,8 @@
let
inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway;
inherit (lib) head;
ip = (head config.krebs.build.host.nets.internet.addrs4);
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
../.


@ -2,9 +2,8 @@
let
inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway;
inherit (lib) head;
ip = (head config.krebs.build.host.nets.internet.addrs4);
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
../.


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) head;
ip = (head config.krebs.build.host.nets.internet.addrs4);
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
../.


@ -1,8 +1,7 @@
{ config, lib, ... }:
let
r_ip = (head config.krebs.build.host.nets.retiolum.addrs4);
inherit (lib) head;
r_ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
imports = [


@ -54,7 +54,7 @@ let
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ssl, ... }: {


@ -10,15 +10,27 @@ let
allDisks = [ rootDisk auxDisk ];
in {
imports = [
../.
../2configs/fs/single-partition-ext4.nix
../2configs/zsh-user.nix
../2configs/smart-monitor.nix
../.
../2configs/fs/single-partition-ext4.nix
../2configs/zsh-user.nix
../2configs/smart-monitor.nix
../2configs/exim-retiolum.nix
../2configs/virtualization.nix
];
networking.firewall.allowedUDPPorts = [ 80 655 67 ];
networking.firewall.allowedTCPPorts = [ 80 655 ];
networking.firewall.checkReversePath = false;
#networking.firewall.enable = false;
# virtualisation.nova.enableSingleNode = true;
krebs.retiolum.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
networking.wireless.enable = true;
# TODO smartd omo darth gum all-in-one
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
zramSwap.enable = true;
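Review bot: `networking.firewall.allowedUDPPorts = [ 80 655 67 ];` opens UDP/80, which nothing in this file serves (HTTP is the TCP/80 entry on the next line), and UDP/67 makes the host answer DHCP requests on every interface, including the wireless one enabled a few lines below; presumably both are meant for the virtualization bridge and the line should say so. `networking.firewall.checkReversePath = false;` disables reverse-path filtering host-wide, which is normally only needed for asymmetric routing across the VPN or the VM bridge, so a one-line comment with the reason would keep the next reader from either tightening it blindly or copying it elsewhere. Whether these firewall lines are introduced by this commit or merely reprinted next to the re-indented imports is not recoverable from this rendering.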


@ -2,8 +2,8 @@
with config.krebs.lib;
let
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
imports = [
../.


@ -44,16 +44,21 @@ in {
../2configs/smart-monitor.nix
../2configs/mail-client.nix
../2configs/share-user-sftp.nix
../2configs/graphite-standalone.nix
../2configs/omo-share.nix
];
krebs.retiolum.enable = true;
networking.firewall.trustedInterfaces = [ "enp3s0" ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files
# tcp:655 udp:655 - tinc
# tcp:8080 - sabnzbd
# tcp:8111 - graphite
# tcp:9090 - sabnzbd
# tcp:9200 - elasticsearch
# tcp:5601 - kibana
networking.firewall.allowedUDPPorts = [ 655 ];
networking.firewall.allowedTCPPorts = [ 80 655 8080 ];
networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 9200 9090 ];
# services.openssh.allowSFTP = false;
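Review bot: Adding 9200 (elasticsearch), 5601 (kibana) and 8111 (graphite) to `networking.firewall.allowedTCPPorts` exposes them on every interface, not just the LAN: `trustedInterfaces = [ "enp3s0" ]` already admits all LAN traffic, so the global entries only add reachability from retiolum and any other interface, and an elasticsearch of that era on 9200 typically has no authentication, giving anyone who can reach it read/write/delete on every index. If the intent is LAN-only, as the samba comment suggests, drop them from the global list, `networking.firewall.allowedTCPPorts = [ 80 655 9090 ];`, and let the trusted interface carry them; otherwise bind elasticsearch and kibana to the LAN address or front them with authentication. Either way the comment block above should state which interfaces each port is meant to be reachable from.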


@ -15,11 +15,6 @@
];
nixpkgs.config.allowUnfree = true;
krebs.build.source.upstream-nixpkgs = {
url = https://github.com/makefu/nixpkgs;
# HTTP Everywhere + libredir
rev = "8239ac6";
};
fileSystems."/nix" = {
device ="/dev/disk/by-label/nixstore";
fsType = "ext4";


@ -3,8 +3,8 @@
with config.krebs.lib;
let
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
imports = [
../.


@ -10,16 +10,6 @@
#
# if this is not enough, check out main-laptop.nix
## TODO: .Xdefaults:
# URxvt*termName: rxvt
# URxvt.scrollBar : false
# URxvt*scrollBar_right: false
# URxvt*borderLess: false
# URxvt.foreground: white
# URxvt.background: black
# URxvt.urgentOnBell: true
# URxvt.visualBell: false
# URxvt.font : xft:Terminus
with config.krebs.lib;
let
@ -83,7 +73,9 @@ in
XTerm*FaceName : Terminus:pixelsize=14
URxvt*termName: rxvt
URxvt.scrollBar : False
URxvt*saveLines: 10000
URxvt*loginShell: false
URxvt.scrollBar : false
URxvt*scrollBar_right: false
URxvt*borderLess: false
URxvt.foreground: white


@ -3,7 +3,7 @@
with config.krebs.lib;
let
hostname = config.krebs.build.host.name;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock";
in {
services.redis.enable = true;


@ -19,7 +19,7 @@ with config.krebs.lib;
"/home" = {
device = "/dev/mapper/main-home";
fsType = "ext4";
options="defaults,discard";
options = [ "defaults" "discard" ];
};
};
}


@ -18,12 +18,12 @@ with config.krebs.lib;
"/" = {
device = "/dev/mapper/luksroot";
fsType = "ext4";
options="defaults,discard";
options = [ "defaults" "discard" ];
};
"/boot" = {
device = "/dev/disk/by-label/nixboot";
fsType = "ext4";
options="defaults,discard";
options = [ "defaults" "discard" ];
};
};
}


@ -23,6 +23,7 @@ with config.krebs.lib;
services.tlp.enable = true;
services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80
STOP_CHARGE_THRESH_BAT0=95
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand


@ -10,7 +10,7 @@ in {
enable = true;
domain = domain;
ip = "172.16.10.1/24";
extraConfig = "-P ${pw} -l ${pkgs.lib.head config.krebs.build.host.nets.internet.addrs4}";
extraConfig = "-P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}";
};
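Review bot: The new `extraConfig` line still interpolates `-P ${pw}`, which puts the password into the generated configuration in the world-readable Nix store and, if these flags end up on a command line, into the process list visible to every local user; the hunk only touches the `-l` address next to it, but it is the natural moment to check how `pw` is sourced (its definition is above the hunk). If it is a real secret, the service should read it from a root-only file instead; if it is deliberately a throwaway credential, a comment such as `# pw lands in /nix/store and argv; only acceptable for a non-secret value` would make that explicit. The enclosing module body starts outside the hunk.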
}


@ -7,7 +7,7 @@ with config.krebs.lib;
gnupg
imapfilter
msmtp
mutt-kz
mutt
notmuch
offlineimap
openssl


@ -8,8 +8,8 @@ let
hostname = config.krebs.build.host.name;
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
base-dir = "/var/www/blog.euer";
in {
# Prepare Blog directory


@ -5,8 +5,8 @@ let
hostname = config.krebs.build.host.name;
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
krebs.nginx = {
enable = mkDefault true;


@ -18,8 +18,8 @@ let
# user1 = pass1
# userN = passN
tw-pass-file = "${sec}/tw-pass.ini";
external-ip = head config.krebs.build.host.nets.internet.addrs4;
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
services.phpfpm = {
# phpfpm does not have an enable option


@ -0,0 +1,15 @@
{ config, lib, ... }:
with config.krebs.lib;
{
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
autoindex on;
'')
];
};
}
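Review bot: `autoindex on` in the new `~ ^/~(.+?)(/.*)?\$` location enables directory listings for every `/home/<user>/public_html` reachable through it, and the `(.+?)` capture accepts any characters as the user name; nginx normalises `..` segments before location matching, so escaping `/home` is not the concern, but unrestricted listings of user directories are. Tighten the capture to a user-name pattern such as `^/~([a-z_][a-z0-9_-]*)(/.*)?\$` and drop `autoindex on` unless listings are actually wanted, recording the decision in a comment like `# listings intentionally enabled for ~user pages`. The path of this file is not shown on the page, so I cannot tell which hosts import it.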


@ -3,7 +3,7 @@
with config.krebs.lib;
let
hostname = config.krebs.build.host.name;
external-ip = head config.krebs.build.host.nets.internet.addrs4;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
krebs.nginx = {
enable = mkDefault true;


@ -5,7 +5,7 @@ let
hostname = config.krebs.build.host.name;
# TODO local-ip from the nets config
local-ip = "192.168.1.11";
# local-ip = head config.krebs.build.host.nets.retiolum.addrs4;
# local-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
krebs.nginx = {
enable = mkDefault true;
@ -48,6 +48,13 @@ in {
browseable = "yes";
"guest ok" = "yes";
};
emu = {
path = "/media/crypt1/emu";
"read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};
usenet = {
path = "/media/crypt0/usenet/dst";
"read only" = "yes";

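--- /dev/null
+++ b/makefu/4lib/default.nix
+{ config, lib, ... }:
+with lib;
+let
+addDefaultTime = bku-entry: recursiveUpdate {
+snapshots = {
+daily = { format = "%Y-%m-%d"; retain = 7; };
+weekly = { format = "%YW%W"; retain = 4; };
+monthly = { format = "%Y-%m"; retain = 12; };
+yearly = { format = "%Y"; };
+};
+startAt = "5:23";
+} bku-entry;
+backup-host = config.krebs.hosts.omo;
+backup-path = "/media/backup";
+in {
+bku = {
+inherit addDefaultTime;
+simplePath = addDefaultTime (path: {
+method = "pull";
+src = { host = config.krebs.build.host; inherit path; };
+dst = {
+host = backup-host;
+path = backup-path ++ config.krebs.build.host.name
+++ builtins.replaceStrings ["/"] ["-"] path;
+};
+});
+};
+}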
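Review bot: `simplePath` cannot evaluate as written: `addDefaultTime` hands its argument to `recursiveUpdate`, but here it receives the lambda `path: {...}` instead of an attribute set, and inside the lambda `++` (list concatenation) is applied to the string `backup-path`, so `dst.path` would fail too. The fix is to move the `path:` binder outside the `addDefaultTime` call and build the destination with string interpolation; how the host name and the dash-converted path are meant to be joined is not visible, so the `/` after `backup-path` below is my reading of the intent. `yearly` has no `retain`, which presumably means "keep forever"; a short comment on that line would remove the doubt.
```nix
simplePath = path: addDefaultTime {
  method = "pull";
  src = { host = config.krebs.build.host; inherit path; };
  dst = {
    host = backup-host;
    # "++" is list-only in Nix; strings are joined with "+" or interpolation
    path = "${backup-path}/${config.krebs.build.host.name}"
      + builtins.replaceStrings ["/"] ["-"] path;
  };
};
```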


@ -10,8 +10,8 @@ with pkgs.pythonPackages;buildPythonPackage rec {
src = fetchFromGitHub {
owner = "makefu";
repo = "mycube-flask";
rev = "5f5260a";
sha256 = "1jx0h81nlmi1xry2vw46rvsanq0sdca6hlq31lhh7klqrg885hgh";
rev = "48dc6857";
sha256 = "1ax1vz6m5982l1mmp9vmywn9nw9p9h4m3ss74zazyspxq1wjim0v";
};
meta = {
homepage = https://github.com/makefu/mycube-flask;


@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }:
let
shack-ip = lib.head config.krebs.build.host.nets.shack.addrs4;
internal-ip = lib.head config.krebs.build.host.nets.retiolum.addrs4;
shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in
{
imports = [


@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
{
krebs.build.host = config.krebs.hosts.doppelbock;
imports = [
../.
../2configs/hw/CAC-Developer-2.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/retiolum.nix
];
networking = {
interfaces.enp2s1.ip4 = singleton {
address = let
addr = "45.62.237.203";
in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr;
prefixLength = 24;
};
defaultGateway = "45.62.237.1";
nameservers = ["8.8.8.8"];
};
}


@ -7,12 +7,7 @@ let
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr;
in
{
@ -55,10 +50,6 @@ in
address = primary-addr4;
prefixLength = 24;
}
#{
# address = secondary-addr4;
# prefixLength = 24;
#}
];
# TODO define gateway in krebs/3modules/default.nix

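--- /dev/null
+++ b/tv/1systems/mu.nix
+{ config, pkgs, ... }:
+with config.krebs.lib;
+{
+imports = [
+../../krebs
+../2configs
+../3modules
+../2configs/exim-retiolum.nix
+../2configs/retiolum.nix
+];
+krebs.build.host = config.krebs.hosts.mu;
+krebs.build.user = mkForce config.krebs.users.vv;
+services.udev.extraRules = ''
+SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+# for jack
+KERNEL=="rtc0", GROUP="audio"
+KERNEL=="hpet", GROUP="audio"
+'';
+# hardware configuration
+boot.initrd.luks.devices = [
+{ name = "vgmu1"; device = "/dev/sda2"; }
+];
+boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ];
+boot.initrd.availableKernelModules = [ "ahci" ];
+boot.kernelModules = [ "fbcon" "kvm-intel" ];
+boot.extraModulePackages = [ ];
+boot.extraModprobeConfig = ''
+options kvm_intel nested=1
+'';
+fileSystems = {
+"/" = {
+device = "/dev/vgmu1/nixroot";
+fsType = "ext4";
+options = [ "defaults" "noatime" ];
+};
+"/home" = {
+device = "/dev/vgmu1/home";
+options = [ "defaults" "noatime" ];
+};
+"/boot" = {
+device = "/dev/sda1";
+};
+"/tmp" = {
+device = "tmpfs";
+fsType = "tmpfs";
+options = [ "nosuid" "nodev" "noatime" ];
+};
+};
+swapDevices =[ ];
+nixpkgs.config.firefox.enableAdobeFlash = true;
+nixpkgs.config.chromium.enablePepperFlash = true;
+nixpkgs.config.allowUnfree = true;
+hardware.opengl.driSupport32Bit = true;
+hardware.pulseaudio.enable = true;
+hardware.enableAllFirmware = true;
+boot.loader.gummiboot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+networking.networkmanager.enable = true;
+environment.systemPackages = with pkgs; [
+slock
+tinc
+iptables
+vim
+gimp
+xsane
+firefoxWrapper
+chromiumDev
+skype
+libreoffice
+kde4.l10n.de
+kde4.plasma-nm
+pidgin-with-plugins
+pidginotr
+kde4.print_manager
+#foomatic_filters
+#gutenprint
+#cups_pdf_filter
+#ghostscript
+];
+i18n.defaultLocale = "de_DE.UTF-8";
+programs.ssh.startAgent = false;
+security.setuidPrograms = [
+"sendmail" # for cron
+"slock"
+];
+security.pam.loginLimits = [
+# for jack
+{ domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
+{ domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
+];
+fonts.fonts = [
+pkgs.xlibs.fontschumachermisc
+];
+# Enable CUPS to print documents.
+services.printing = {
+enable = true;
+#drivers = [
+# #pkgs.foomatic_filters
+# #pkgs.gutenprint
+# #pkgs.cups_pdf_filter
+# #pkgs.ghostscript
+#];
+#cupsdConf = ''
+# LogLevel debug2
+#'';
+};
+services.xserver.enable = true;
+services.xserver.layout = "de";
+services.xserver.xkbOptions = "eurosign:e";
+# TODO this is host specific
+services.xserver.synaptics = {
+enable = true;
+twoFingerScroll = true;
+};
+services.xserver.desktopManager.kde4.enable = true;
+services.xserver.displayManager.auto = {
+enable = true;
+user = "vv";
+};
+users.users.vv = {
+inherit (config.krebs.users.vv) home uid;
+isNormalUser = true;
+extraGroups = [
+"audio"
+"video"
+"networkmanager"
+];
+};
+services.journald.extraConfig = ''
+SystemMaxUse=1G
+RuntimeMaxUse=128M
+'';
+# see tmpfiles.d(5)
+systemd.tmpfiles.rules = [
+"d /tmp 1777 root root - -" # does this work with mounted /tmp?
+];
+}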
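Review bot: `nixpkgs.config.firefox.enableAdobeFlash = true` and `nixpkgs.config.chromium.enablePepperFlash = true` pull the proprietary Flash plugin into both browsers, a large and historically heavily exploited attack surface, on a machine that otherwise takes care with LUKS, `slock`, a non-`wheel` user and `programs.ssh.startAgent = false`; unless a specific site needs it, drop both lines, or keep them with a comment such as `# Flash required for <site>; remove when no longer needed`. Separately, `services.xserver.displayManager.auto` logs `vv` in without a password, so once the LUKS passphrase is entered the desktop session is open until `slock` is run, which is fine for a single-user laptop but worth a one-line comment stating that choice. On the open question at the tmpfiles rule: to my knowledge a tmpfs mounted on `/tmp` already comes up with mode 1777, so the `d /tmp 1777` rule is redundant but harmless, and the comment could say so instead of asking.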


@ -7,12 +7,7 @@ let
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
primary-addr4 = config.krebs.build.host.nets.internet.ip4.addr;
in
{


@ -13,7 +13,7 @@ with config.krebs.lib;
"shackspace.de"
"viljetic.de"
];
relay_from_hosts = concatMap (host: host.nets.retiolum.addrs4) [
relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
config.krebs.hosts.nomic
config.krebs.hosts.wu
config.krebs.hosts.xu
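Review bot: `relay_from_hosts` now trusts only the retiolum IPv4 address of nomic, wu and xu, although the new host schema also carries a retiolum `ip6.addr` for hosts, so mail submitted over IPv6 from those machines would not be accepted for relaying; this was already the case with the old `addrs4`-only list, but the rewrite is the moment to decide it. If v6 relaying is wanted, `relay_from_hosts = concatMap (host: with host.nets.retiolum; [ ip4.addr ip6.addr ]) [` covers both addresses; if not, a comment such as `# relaying is deliberately v4-only` would save the next reader the question. The host list and the enclosing attribute set continue outside the hunk.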


@ -56,9 +56,9 @@ in toFile "charybdis.conf" ''
/* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */
/* for IPv4 */
vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4};
vhost = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
/* for IPv6 */
vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6};
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
/* ssl_private_key: our ssl private key */
ssl_private_key = ${toJSON cfg.ssl_private_key.path};
@ -160,10 +160,7 @@ in toFile "charybdis.conf" ''
/* If you want to listen on a specific IP only, specify host.
* host definitions apply only to the following port line.
*/
# XXX This is stupid because only one host is allowed[?]
#host = ''${concatMapStringsSep ", " toJSON (
# config.krebs.build.host.nets.retiolum.addrs
#)};
#host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};
port = ${toString cfg.port};
sslport = ${toString cfg.sslport};
};
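Review bot: The `#host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};` line in the listen block remains commented out, which (assuming nothing else sets `host`) leaves charybdis listening on every address the host has, including any public one, while the old reason for not setting it — that only one address was allowed — no longer applies now that each net carries a single `ip4.addr`. If the ircd is meant to be reachable only over retiolum, uncomment it as `host = ${toJSON config.krebs.build.host.nets.retiolum.ip4.addr};` (a second `listen` block would be needed for `ip6.addr`); otherwise replace the leftover XXX comment with one saying the server intentionally listens on all addresses. The listen block closes within the hunk, but the generated config continues outside it.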