From 85816b60c2002ea3ea68e51523b9fc2490f0a8e5 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 14:06:03 +0200 Subject: zones: import misplaced options from ssh --- krebs/3modules/ssh.nix | 23 ----------------------- krebs/3modules/zones.nix | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 23 deletions(-) diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix index 58f3a3c10..aba825c29 100644 --- a/krebs/3modules/ssh.nix +++ b/krebs/3modules/ssh.nix @@ -4,32 +4,9 @@ let cfg = config.krebs; out = { - options.krebs = api; config = lib.mkIf cfg.enable imp; }; - api = { - zone-head-config = mkOption { - type = with types; attrsOf str; - description = '' - The zone configuration head which is being used to create the - zone files. The string for each key is pre-pended to the zone file. - ''; - # TODO: configure the default somewhere else, - # maybe use krebs.dns.providers - default = { - - # github.io -> 192.30.252.154 - "krebsco.de" = '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - IN NS ns19.ovh.net. - IN NS dns19.ovh.net. - ''; - }; - }; - }; - imp = lib.mkMerge [ { services.openssh.hostKeys = diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 7771d3b51..a7bd867f5 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -1,6 +1,22 @@ { config, pkgs, lib, ... }: with lib; { + options.krebs.zone-head-config = mkOption { + type = lib.types.attrsOf lib.types.str; + description = '' + The zone configuration head which is being used to create the + zone files. The string for each key is pre-pended to the zone file. + ''; + default = { + "krebsco.de" = /* bindzone */ '' + $TTL 86400 + @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) + @ IN NS ns19.ovh.net. + @ IN NS dns19.ovh.net. + ''; + }; + }; + config = { environment.etc = mapAttrs' -- cgit v1.2.3 From d3ace17ebd02624fcf38c3c0b0e0f4fb08f4beb6 Mon Sep 17 00:00:00 2001 
From: tv Date: Tue, 1 Aug 2023 17:20:51 +0200 Subject: kartei ponte: assign ns1.krebsco.de --- kartei/krebs/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index e48b3e32a..6c4ac8e80 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -166,6 +166,7 @@ in { extraZones = { "krebsco.de" = /* bindzone */ '' krebsco.de. 60 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} + ns1 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} ''; }; nets = rec { -- cgit v1.2.3 From dc6575069609f0065c5ec3bd186a41fc0d1e9631 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:22:00 +0200 Subject: kartei ponte: simplify krebsco.de record --- kartei/krebs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index 6c4ac8e80..0525b4c85 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -165,7 +165,7 @@ in { owner = config.krebs.users.krebs; extraZones = { "krebsco.de" = /* bindzone */ '' - krebsco.de. 60 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} + @ IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} ns1 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} ''; }; -- cgit v1.2.3 From 3a86105cef21b0397ba399ab44b2290f743f22d1 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:22:16 +0200 Subject: kartei ponte: add intranet --- kartei/krebs/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index 0525b4c85..bbf6a74f8 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -179,6 +179,12 @@ in { "ponte.i" ]; }; + intranet = { + ip4 = rec { + addr = "10.0.0.234"; + prefix = "${addr}/24"; + }; + }; retiolum = { via = internet; ip4.addr = "10.243.4.43"; -- cgit v1.2.3 From 99e21a074648d2586fd608d800e1a106a72986da Mon Sep 17 00:00:00 2001 
From: tv Date: Tue, 1 Aug 2023 17:26:14 +0200 Subject: nameserver config: init --- krebs/2configs/nameserver.nix | 150 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 krebs/2configs/nameserver.nix diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix new file mode 100644 index 000000000..4b205a13d --- /dev/null +++ b/krebs/2configs/nameserver.nix 
@@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: let + acmeChallenge = + { domain + , nameserver + , adminEmail + , serial ? 0 + , refresh ? 3600 + , retry ? 900 + , expire ? 604800 + , minimum ? 180 + }: + pkgs.writeText "${domain}.zone" /* bindzone */ '' + $TTL 60 + @ IN SOA ${lib.concatStringsSep " " [ + "${nameserver}." + "${lib.replaceStrings ["@"] ["."] adminEmail}." + (toString serial) + (toString refresh) + (toString retry) + (toString expire) + (toString minimum) + ]} + @ IN NS ${nameserver}. + ''; +in { + networking.firewall.allowedTCPPorts = [ + 53 # domain for AXFR + ]; + networking.firewall.allowedUDPPorts = [ + 53 # domain + ]; + + krebs.systemd.services.knot.restartIfCredentialsChange = true; + systemd.services.knot.serviceConfig.LoadCredential = [ + "keys.conf:/var/src/secrets/knot-keys.conf" + ]; + + services.knot = { + enable = true; + keyFiles = [ + "/run/credentials/knot.service/keys.conf" + ]; + extraConfig = /* yaml */ '' + server: + udp-max-payload: 4096 + listen: [ 127.0.0.53@2, ${ + lib.concatMapStringsSep ", " + (addr: "${addr}@53") + ( + config.krebs.build.host.nets.internet.addrs or [] + ++ + # This is required for hosts at OCI because the default route + # provided by DHCP is using the private address. 
+ config.krebs.build.host.nets.intranet.addrs or [] + ) + } ] + + log: + - target: syslog + any: debug + + remote: + + acl: + - id: acme_acl + key: acme + action: update + + - id: dane_acl + key: dane + action: update + + mod-rrl: + - id: default + rate-limit: 200 # Allow 200 resp/s for each flow + slip: 2 # Every other response slips + + policy: + - id: rsa2k + algorithm: rsasha256 + ksk-size: 4096 + zsk-size: 2048 + + template: + - id: default + global-module: mod-rrl/default + semantic-checks: on + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: krebsco.de + file: ${pkgs.krebs.zones."krebsco.de"} + dnssec-signing: on + dnssec-policy: rsa2k + acl: dane_acl + + - domain: _acme-challenge.krebsco.de + file: ${acmeChallenge { + domain = "_acme-challenge.krebsco.de"; + nameserver = "ns1.krebsco.de"; + adminEmail = "spam@krebsco.de"; + }} + acl: acme_acl + + - domain: r + file: ${pkgs.krebs.zones.r} + + - domain: w + file: ${pkgs.krebs.zones.w} + ''; + }; + + systemd.services."knsupdate-krebsco.de" = { + serviceConfig = { + Type = "oneshot"; + SyslogIdentifier = "knsupdate-krebsco.de"; + ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' + set -efu + + mk_certificate_association_data() { + ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" | + ${pkgs.coreutils}/bin/cut -d= -f2 | + ${pkgs.coreutils}/bin/tr -d : + } + + certfile=/var/lib/acme/krebsco.de/cert.pem + certificate_association_data=$(mk_certificate_association_data "$certfile") + keyfile=/var/src/secrets/dane.tsig + + script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX) + trap 'rm "$script"' EXIT + ( + exec >"$script" + echo server krebsco.de. + echo zone krebsco.de. + echo origin krebsco.de. 
+ echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo show + echo send + echo answer + echo quit + ) + ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script" + ''; + }; + }; +} -- cgit v1.2.3 From b63f7920b5bce1670692e6278eb87db52b1ba0af Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:09 +0200 Subject: zones: update default head config --- krebs/3modules/zones.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index a7bd867f5..1d63548b8 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -9,10 +9,9 @@ with lib; { ''; default = { "krebsco.de" = /* bindzone */ '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - @ IN NS ns19.ovh.net. - @ IN NS dns19.ovh.net. + $TTL 60 + @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 ''; }; }; -- cgit v1.2.3 From 068fbd791257b3f3dc4cab7e11716171a8ef39fb Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:59 +0200 Subject: ponte: add nameserver config --- krebs/1systems/ponte/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 2f55995cf..0b9b1c563 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -5,6 +5,7 @@ + ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; -- cgit v1.2.3 From 73a64cc57af95a876168151654f06277f91a2243 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:29:42 +0200 Subject: ponte: use DNS-01 challenge --- krebs/1systems/ponte/config.nix | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 0b9b1c563..8bb14d517 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix 
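Review bot: The `knsupdate-krebsco.de` oneshot reads its TSIG key straight from `keyfile=/var/src/secrets/dane.tsig`, while the knot service a few lines above is handed its keys through `LoadCredential`; giving this service `LoadCredential = [ "dane.tsig:/var/src/secrets/dane.tsig" ];` and using `keyfile=$CREDENTIALS_DIRECTORY/dane.tsig` keeps the two consistent and takes the secret out of the unit's filesystem view. Separately, `dane_acl` grants `action: update` on the whole `krebsco.de` zone although the script only ever writes TLSA records under `_25._tcp.ni` and `_443._tcp.ni`; knot's ACL items `update-type: [TLSA]`, `update-owner: name` and `update-owner-name: [_25._tcp.ni, _443._tcp.ni]` (knot 3.x, as far as I recall) would bound what a leaked `dane` key can change. A one-line comment next to `acme_acl` and `dane_acl` naming which service holds each key would also help the next reader.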
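Review bot: The new default head `@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600` puts the mail host into MNAME, but MNAME is meant to name the primary nameserver, which this same head declares as `ns1`; tools that locate the primary through the SOA (RFC 2136 clients without an explicit server, some secondary sanity checks) may pick the wrong host. `@ 3600 IN SOA ns1.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600` is the conventional form, keeping `spam.krebsco.de.` only as RNAME. The serial `0` relies on knot's `zonefile-load: difference-no-serial` from the nameserver config in this series; a short comment on the head saying the serial is managed by knot would stop someone from bumping it by hand.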
@@ -31,8 +31,23 @@ krebs.pages.enable = true; krebs.pages.nginx.addSSL = true; - krebs.pages.nginx.enableACME = true; + krebs.pages.nginx.useACMEHost = "krebsco.de"; security.acme.acceptTerms = true; - security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de"; + security.acme.certs."krebsco.de" = { + domain = "krebsco.de"; + extraDomainNames = [ + "*.krebsco.de" + ]; + email = "spam@krebsco.de"; + reloadServices = [ + "knsupdate-krebsco.de.service" + "nginx.service" + ]; + keyType = "ec384"; + dnsProvider = "rfc2136"; + credentialsFile = "/var/src/secrets/acme-credentials"; + }; + + users.users.nginx.extraGroups = [ "acme" ]; } -- cgit v1.2.3 From 7cd50a3c07e788fa0b4ab53c78b9dea10ff30b2d Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 11:39:33 +0200 Subject: nameserver config: add ni as secondary --- krebs/2configs/nameserver.nix | 9 +++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 10 insertions(+) diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4b205a13d..a4c4b5f05 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: krebscode_ni + address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} + key: krebs_transfer_notify_key acl: - id: acme_acl @@ -70,6 +73,10 @@ in { key: dane action: update + - id: transfer_to_krebscode_secondary + key: krebs_transfer_notify_key + action: transfer + mod-rrl: - id: default rate-limit: 200 # Allow 200 resp/s for each flow @@ -94,6 +101,8 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: krebscode_ni + acl: transfer_to_krebscode_secondary acl: dane_acl - domain: _acme-challenge.krebsco.de diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 1d63548b8..bf904a268 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix 
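Review bot: `reloadServices` lists the oneshot `knsupdate-krebsco.de.service`, which sits inactive once it has run; if the renewal hook uses `systemctl try-reload-or-restart` (as the NixOS acme module does, as far as I recall), an inactive oneshot is skipped and the `3 0 1` TLSA records that service publishes would keep pinning the old certificate after every renewal. Setting `RemainAfterExit = true` on that service, or running it explicitly from `postRun`, would make the re-publication reliable, and the TLSA update should land before nginx picks up the new certificate rather than in parallel with it. The `users.users.nginx.extraGroups = [ "acme" ];` line also hands nginx read access to a key valid for `*.krebsco.de`, a wider blast radius than the previous per-domain certificate; a comment stating that this is intended would be worth adding.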
@@ -12,6 +12,7 @@ with lib; { $TTL 60 @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 + @ 3600 IN NS ni ''; }; }; -- cgit v1.2.3 From 6bd5f06770f0b16ae6ec6fd906402883bd6e75b6 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 12:37:18 +0200 Subject: kartei feliks: fix ahuatangata's aliases --- kartei/feliks/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kartei/feliks/default.nix b/kartei/feliks/default.nix index 96c20f602..953f1a7ee 100644 --- a/kartei/feliks/default.nix +++ b/kartei/feliks/default.nix @@ -93,7 +93,10 @@ in { ahuatangata = { nets.wiregrill = { ip4.addr = "10.244.10.246"; - aliases = [ "ahuatangata" "ndrd.feliks.r" ]; + aliases = [ + "ahuatangata.w" + "ndrd.feliks.w" + ]; wireguard.pubkey = "QPDGBEYJ1znqUdjy6JWZJ+cqPMcU67dHlOX5beTM6TA="; }; }; -- cgit v1.2.3 From 193baa8f2f64a4909e38069d4f21ac6c46d2796b Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 15:53:27 +0200 Subject: nameserver config: add he.net as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 2 ++ 2 files changed, 12 insertions(+) diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index a4c4b5f05..4c6b95516 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: henet_ns1 + address: 216.218.130.2 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -73,6 +76,11 @@ in { key: dane action: update + - id: transfer_to_henet_secondary + key: henet_transfer_key + address: [ 216.218.133.2, 2001:470:600::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer 
@@ -101,7 +109,9 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: henet_ns1 notify: krebscode_ni + acl: transfer_to_henet_secondary acl: transfer_to_krebscode_secondary acl: dane_acl diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index bf904a268..8cb68c4f7 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -13,6 +13,8 @@ with lib; { @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 @ 3600 IN NS ni + @ 3600 IN NS ns2.he.net. + @ 3600 IN NS ns3.he.net. ''; }; }; -- cgit v1.2.3 From 7e98588f8e626c4e2800e1238ea8a1df1f5c8f7a Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 17:42:32 +0200 Subject: nameserver config: add hosting.de as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 11 insertions(+) diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4c6b95516..633f6f5d5 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -63,6 +63,9 @@ in { - id: henet_ns1 address: 216.218.130.2 + - id: hostingde_ns1 + address: 134.0.30.178 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -81,6 +84,11 @@ in { address: [ 216.218.133.2, 2001:470:600::2 ] action: transfer + # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/ + - id: transfer_to_hostingde_secondary + address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer @@ -110,8 +118,10 @@ in { dnssec-signing: on dnssec-policy: rsa2k notify: henet_ns1 + notify: hostingde_ns1 notify: krebscode_ni acl: transfer_to_henet_secondary + acl: transfer_to_hostingde_secondary acl: transfer_to_krebscode_secondary acl: dane_acl 
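Review bot: `transfer_to_hostingde_secondary` authorizes AXFR by source address alone, whereas the he.net and krebscode ACLs in the same section also require a TSIG key; with a public, DNSSEC-signed zone the exposure is small, but the asymmetry should be recorded so it is not mistaken for an omission later, e.g. `# address-only on purpose: see linked helpdesk page for what the provider supports`. The comment with the hosting.de URL already sits above the ACL, so a single extra line there is enough.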
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 8cb68c4f7..e68482d77 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -15,6 +15,7 @@ with lib; { @ 3600 IN NS ni @ 3600 IN NS ns2.he.net. @ 3600 IN NS ns3.he.net. + @ 3600 IN NS ns2.hosting.de. ''; }; }; -- cgit v1.2.3 From 363b381eeca12c54c83b4841198d189d470d345e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 18:14:32 +0200 Subject: krebszones: RIP --- krebs/5pkgs/simple/krebszones/default.nix | 13 ------------- lass/2configs/programs.nix | 6 ------ tv/1systems/xu/config.nix | 1 - 3 files changed, 20 deletions(-) delete mode 100644 krebs/5pkgs/simple/krebszones/default.nix diff --git a/krebs/5pkgs/simple/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix deleted file mode 100644 index 32608e7fa..000000000 --- a/krebs/5pkgs/simple/krebszones/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeDashBin "krebszones" '' - set -efu - export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf} - case $* in - import) - set -- import /etc/zones/krebsco.de krebsco.de - echo "+ krebszones $*" >&2 - ;; - esac - exec ${pkgs.ovh-zone}/bin/ovh-zone "$@" -'' diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix index 0997b41a8..4361ec747 100644 --- a/lass/2configs/programs.nix +++ b/lass/2configs/programs.nix @@ -35,12 +35,6 @@ export SYSTEM="$1" $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) '') - (pkgs.writeDashBin "krebsco.de" '' - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json - OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import - ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" - '') (pkgs.writeDashBin "lassul.us" '' TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json 
diff --git a/tv/1systems/xu/config.nix b/tv/1systems/xu/config.nix index 80d16e686..83e17e1bd 100644 --- a/tv/1systems/xu/config.nix +++ b/tv/1systems/xu/config.nix @@ -37,7 +37,6 @@ with import ./lib; gnupg1compat haskellPackages.hledger jq - krebszones mkpasswd netcat netcup -- cgit v1.2.3 From 947dd631235359a22993ed213828266f0fc60313 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 Aug 2023 11:21:52 +0200 Subject: nixpkgs-unstable: 66aedfd -> 8353344 --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 0dcb20e9a..c31b7f708 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "66aedfd010204949cb225cf749be08cb13ce1813", - "date": "2023-08-02T21:56:37+02:00", - "path": "/nix/store/wwmgy3p8svf9ag2s6fimr3fpz5v40mya-nixpkgs", - "sha256": "1jspq3g1wzdfgmnp4wzzrwh2cfn9q2w86b25bgwr7ygdcdap3fqd", - "hash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", + "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", + "date": "2023-08-15T09:25:12+02:00", + "path": "/nix/store/r7sblbzjhxfl07r4l3nywhaprk3486zx-nixpkgs", + "sha256": "02431z7g8zmjrmqpmsxsnzz4r91cdl3a2sdz6kiqpsjalnlbxbv5", + "hash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 03f86e7faa67f953b3829b96402f752b1df19c9d Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Aug 2023 22:06:13 +0200 Subject: vicuna-chat: update model name --- krebs/5pkgs/simple/vicuna-chat/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/simple/vicuna-chat/default.nix b/krebs/5pkgs/simple/vicuna-chat/default.nix index 11a11aabe..db15899d6 100644 --- a/krebs/5pkgs/simple/vicuna-chat/default.nix +++ b/krebs/5pkgs/simple/vicuna-chat/default.nix 
@@ -23,7 +23,7 @@ pkgs.writers.writeDashBin "vicuna-chat" '' add_to_context "{\"role\": \"user\", \"content\": \"$PROMPT\"}" response=$( jq -nc --slurpfile context "$CONTEXT" '{ - model: "vicuna-13b", + model: "vicuna-13b-v1.5-16k", messages: $context[0], }' | curl -Ss http://vicuna.r/v1/chat/completions -H 'Content-Type: application/json' -d @- -- cgit v1.2.3 From 4acff6e9e977352a1e6ec7a86f0b060a9234f248 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Aug 2023 22:07:31 +0200 Subject: l prism.r: make bootable again --- lass/1systems/prism/physical.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index ebc80411b..d4dd88382 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -9,6 +9,7 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; + boot.swraid.enable = true; fileSystems."/" = { device = "rpool/root/nixos"; @@ -80,7 +81,7 @@ # we don't pay for power there and this might solve a problem we observed at least once # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben - boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ]; + boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" "nomodeset" ]; networking.dhcpcd.enable = false; -- cgit v1.2.3 From 36eaa0d88d631905e9d439a6b2b7ae6e6df84919 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:24:47 +0200 Subject: mastodon: add clear-cache command --- krebs/2configs/mastodon.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 145b383ed..af308b2c7 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix 
@@ -33,8 +33,10 @@ ]; environment.systemPackages = [ - (pkgs.writers.writeDashBin "tootctl" '' - sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" + (pkgs.writers.writeDashBin "clear-mastodon-cache" '' + mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30 + mastodon-tootctl media remove-orphans + mastodon-tootctl preview_cards remove --days=14 '') (pkgs.writers.writeDashBin "create-mastodon-user" '' set -efu -- cgit v1.2.3 From 666a2b0a8a7941768077a7774d6ca7732d8e8c24 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:36:05 +0200 Subject: l matrix: remove deprecated pkg override --- lass/2configs/matrix.nix | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix index cdcbe7ab0..1d6a8663e 100644 --- a/lass/2configs/matrix.nix +++ b/lass/2configs/matrix.nix @@ -2,24 +2,6 @@ with import ; { services.matrix-synapse = { - # synapse 1.60.0 errors during startup with: - # https://github.com/matrix-org/synapse/issues/15809 - package = pkgs.matrix-synapse.overrideAttrs (oldAttrs: rec { - version = "1.85.2"; - name = "matrix-synapse-${version}"; - src = pkgs.fetchFromGitHub { - owner = "matrix-org"; - repo = "synapse"; - rev = "v${version}"; - hash = "sha256-pFafBsisBPfpDnFYWcimUuBgfFVPZzLna3yHeqIBAAE="; - }; - cargoDeps = pkgs.rustPlatform.fetchCargoTarball { - inherit src; - name = "matrix-synapse-${version}"; - hash = "sha256-dnno+5Ma0YNYpmj3oZ5UG22uAanKwVT67BwQW+mHoFc="; - }; - doCheck = false; - }); enable = true; settings = { server_name = "lassul.us"; -- cgit v1.2.3 From 6592341dc31c6f26422ec3a9fed2e601ab985cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 31 Aug 2023 11:44:53 +0200 Subject: prism: add backup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Jörg Thalheim --- lass/2configs/codimd.nix | 71 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 67 insertions(+), 4 deletions(-) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index ccca49fac..0927788a7 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -2,7 +2,8 @@ with import ; let domain = "pad.lassul.us"; -in { +in +{ # redirect legacy domain to new one services.nginx.virtualHosts."codi.lassul.us" = { 
@@ -25,13 +26,77 @@ in { security.dhparams = { enable = true; - params.hedgedoc = {}; + params.hedgedoc = { }; }; systemd.services.hedgedoc.environment = { CMD_COOKIE_POLICY = "none"; CMD_CSP_ALLOW_FRAMING = "true"; }; + + systemd.services.hedgedoc-backup = { + startAt = "daily"; + serviceConfig = { + ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"''; + Type = "oneshot"; + }; + }; + + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/home" + "/etc" + "/var" + "/root" + ]; + exclude = [ + "*.pyc" + "/home/*/.direnv" + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.npm" + "/home/*/.m2" + "/home/*/.gradle" + "/home/*/.opam" + "/home/*/.clangd" + "/var/lib/containerd" + # already included in database backup + "/var/lib/postgresql" + # not so important + "/var/lib/docker/" + "/var/log/journal" + "/var/cache" + "/var/tmp" + "/var/log" + ]; + repo = "u348918@u348918.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Thu, 31 Aug 2023 17:47:17 +0200 Subject: l prism.r: add backups --- lass/1systems/prism/backup.nix | 37 ++++++++++++++++++++++++++ lass/1systems/prism/config.nix | 1 + lass/2configs/codimd.nix | 56 +-------------------------------------- lass/2configs/websites/domsen.nix | 28 +++++++++++++++++++- 4 files changed, 66 insertions(+), 56 deletions(-) create mode 100644 lass/1systems/prism/backup.nix diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix new file mode 100644 index 000000000..52b4142b9 --- /dev/null 
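Review bot: `encryption.mode = "none";` on the `hetzner` job sends `/home`, `/etc`, `/var` and `/root` in the clear to a third-party storage box, so whatever keys, tokens and database dumps live there (the `services.postgresqlBackup` output under `/var/backup` included) are readable to anyone with access to the box or its SSH key. `encryption.mode = "repokey-blake2";` together with `encryption.passCommand = "cat ${config.sops.secrets.PLACEHOLDER_SECRET.path}";` keeps the repository encrypted client-side, and the file already routes the SSH key through `config.sops.secrets`, so a passphrase secret fits the same pattern. The same `encryption.mode = "none"` is carried into the new `lass/1systems/prism/backup.nix` hunk of the following commit. The `# TODO: change backup key` marker should say what is wrong with the current key.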
+++ b/lass/1systems/prism/backup.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: +{ + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/var/backup" + ]; + exclude = [ + "*.pyc" + ]; + repo = "u364341@u364341.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${toString + "/borgbackup.ssh.id25519"}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service <; { imports = [ + ./backup.nix diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index 0927788a7..f8880dbdc 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,6 +34,7 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; + services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { 
@@ -42,61 +43,6 @@ in }; }; - services.postgresqlBackup.enable = true; - - systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; - - services.borgbackup.jobs.hetzner = { - paths = [ - "/home" - "/etc" - "/var" - "/root" - ]; - exclude = [ - "*.pyc" - "/home/*/.direnv" - "/home/*/.cache" - "/home/*/.cargo" - "/home/*/.npm" - "/home/*/.m2" - "/home/*/.gradle" - "/home/*/.opam" - "/home/*/.clangd" - "/var/lib/containerd" - # already included in database backup - "/var/lib/postgresql" - # not so important - "/var/lib/docker/" - "/var/log/journal" - "/var/cache" - "/var/tmp" - "/var/log" - ]; - repo = "u348918@u348918.your-storagebox.de:/./hetzner"; - encryption.mode = "none"; - compression = "auto,zstd"; - startAt = "daily"; - # TODO: change backup key - environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; - preHook = '' - set -x - ''; - - postHook = '' - cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Sat, 2 Sep 2023 11:36:38 +0200 Subject: l codimd: backup statedir --- lass/2configs/codimd.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index f8880dbdc..d0ba8912c 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,7 +34,10 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; - services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; + services.borgbackup.jobs.hetzner.paths = [ + "/var/backup" + "/var/lib/hedgedoc" + ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { -- cgit v1.2.3 From 046651c48c43b366900d3f3cd46c6413b93e8d01 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 2 Sep 2023 21:24:33 +0200 Subject: nixpkgs: bd836ac -> 9075cba --- krebs/nixpkgs.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index cd0714cf3..0b6021ed0 100644 --- a/krebs/nixpkgs.json 
+++ b/krebs/nixpkgs.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", - "date": "2023-08-02T00:11:43+02:00", - "path": "/nix/store/qj37rmkpa5spmxsr3vb5hrwkahnsn4pm-nixpkgs", - "sha256": "1xcg07nmzz74s99ln079rqzlxyiv2gzzz9g71h5337jf4il0560g", - "hash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", + "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1", + "date": "2023-09-02T08:28:47+02:00", + "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs", + "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36", + "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 40db172916f1b328d0d03f3753500b3ee2a41c7f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 2 Sep 2023 21:25:12 +0200 Subject: nixpkgs-unstable: 8353344 -> aa8aa7e --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index c31b7f708..2233cd20b 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", - "date": "2023-08-15T09:25:12+02:00", - "path": "/nix/store/r7sblbzjhxfl07r4l3nywhaprk3486zx-nixpkgs", - "sha256": "02431z7g8zmjrmqpmsxsnzz4r91cdl3a2sdz6kiqpsjalnlbxbv5", - "hash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", + "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b", + "date": "2023-09-01T18:51:16+08:00", + "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs", + "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9", + "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 3bb70cd5c28ebcf8ddee9ef7ad05cc86a2c841af Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 3 Sep 2023 10:59:51 +0200 Subject: l aergia.r: fix mounting with new disko --- lass/1systems/aergia/disk.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix index 848157729..233b320e4 100644 --- a/lass/1systems/aergia/disk.nix +++ b/lass/1systems/aergia/disk.nix @@ -45,9 +45,11 @@ # Mountpoints inferred from subvolume name "/home" = { mountOptions = []; + mountpoint = "/home"; }; "/nix" = { mountOptions = []; + mountpoint = "/nix"; }; }; }; -- cgit v1.2.3 From 521dd6afa5518f19a1ba7772a036363d5604441b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:23:46 +0200 Subject: l aergia.r: more hardware settings --- lass/1systems/aergia/physical.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 9f06dccdc..e76460d20 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -16,7 +16,7 @@ efiInstallAsRemovable = true; }; - boot.kernelPackages = pkgs.linuxPackages_latest; + # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelParams = [ # use less power with pstate @@ -70,8 +70,6 @@ }; users.users.mainUser.extraGroups = [ "corectrl" ]; - # use newer ryzenadj - # keyboard quirks services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert 
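Review bot: `# boot.kernelPackages = pkgs.linuxPackages_latest;` leaves commented-out configuration behind with no note on why the default kernel is now preferred; either delete the line or turn it into a reason, e.g. `# stay on the default kernel: linuxPackages_latest broke REASON — TODO(lass)`. The later hunk of this file that adds the commented-out `systemd.sleep.extraConfig` block has the same problem. The deleted `# use newer ryzenadj` comment in the second hunk suggests the reason was once known; recording it saves the next reader from re-testing.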
@@ -102,9 +100,16 @@ services.logind.extraConfig = '' HandlePowerKey=hibernate ''; + # systemd.sleep.extraConfig = '' + # HibernateDelaySec=1800 + # ''; # firefox touchscreen support environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; + + # enable thunderbolt + services.hardware.bolt.enable = true; + # reinit usb after docking station connect services.udev.extraRules = '' SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" -- cgit v1.2.3 From c1656131473f63e415baae35e99507dbb1c780a4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:43:01 +0200 Subject: l prism.r: remove xanf disk --- lass/1systems/prism/physical.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index d4dd88382..2260aa648 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -61,11 +61,6 @@ fsType = "zfs"; }; - fileSystems."/home/xanf" = { - device = "/dev/disk/by-id/wwn-0x500a07511becb076"; - fsType = "ext4"; - }; - # silence mdmonitor.service failures # https://github.com/NixOS/nixpkgs/issues/72394 environment.etc."mdadm.conf".text = '' -- cgit v1.2.3 From b7fba1c6ba5379cbad60728541259538df5096ec Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:45:42 +0200 Subject: l shodan.r: remove containers, add trusted users --- lass/1systems/shodan/config.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 5e48c216a..0bea37e5c 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -13,13 +13,9 @@ - - - - ]; @@ -27,4 +23,6 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; + nix.trustedUsers = [ "root" "lass" ]; + system.stateVersion = "22.05"; } -- cgit v1.2.3 
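Review bot: `nix.trustedUsers = [ "root" "lass" ];` in the shodan.r hunk makes `lass` a trusted user of the Nix daemon, which the Nix manual describes as essentially equivalent to root on that host (trusted users can set substituters, sandbox paths and other daemon settings), so the one-line "add trusted users" deserves a comment stating why it is needed, e.g. `# lass builds/deploys on this host; trusted-users is root-equivalent for the nix daemon`. `nix.trustedUsers` is the legacy spelling; on nixpkgs revisions that provide `nix.settings`, `nix.settings.trusted-users = [ "root" "lass" ];` is the current form and the old name is only an alias — confirm against the nixpkgs pinned in krebs/nixpkgs.json. The `imports` entries removed earlier in this same file section have their paths stripped in this rendering, so I cannot tell which container modules were dropped.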
From f3f5adc4b67c3fff7af571df8a6e395896c93fea Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:46:09 +0200 Subject: l skynet.r: better fileSystems syntax --- lass/1systems/skynet/physical.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix index e3451293f..1ac9708c7 100644 --- a/lass/1systems/skynet/physical.nix +++ b/lass/1systems/skynet/physical.nix @@ -12,15 +12,15 @@ networking.hostId = "06442b9a"; - fileSystems."/" = - { device = "rpool/root"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root"; + fsType = "zfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0876-B308"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0876-B308"; + fsType = "vfat"; + }; services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" -- cgit v1.2.3 From 1fa53c704e22534219ef85e804eef1feb4643131 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:46:56 +0200 Subject: l styx.r: disable syncthing, add consul --- lass/1systems/styx/config.nix | 2 +- lass/1systems/styx/physical.nix | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index 6c054abfe..988cbca75 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -22,11 +22,11 @@ with import ; - # + ]; krebs.build.host = config.krebs.hosts.styx; diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix index ae0cdf489..284bbb333 100644 --- a/lass/1systems/styx/physical.nix +++ b/lass/1systems/styx/physical.nix @@ -16,7 +16,6 @@ boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514"; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = { device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4"; fsType = "ext4"; -- cgit v1.2.3 
From a53b28f0d6b0a6e7523ee38ce56d3c1afeee660f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:47:18 +0200 Subject: l wizard.r: add nm-dmenu --- lass/1systems/wizard/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix index e158fa728..5e69171ce 100644 --- a/lass/1systems/wizard/config.nix +++ b/lass/1systems/wizard/config.nix @@ -183,7 +183,7 @@ in { #style most - rxvt_unicode.terminfo + rxvt-unicode-unwrapped.terminfo #monitoring tools htop @@ -192,6 +192,7 @@ in { #network iptables iftop + nm-dmenu #stuff for dl aria2 -- cgit v1.2.3 From 72be85e30bbdd658d100b70efc7deafa2a925267 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:55:15 +0200 Subject: l neoprism.r: disable initrd ssh --- lass/1systems/neoprism/physical.nix | 39 ++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix index f2092d9aa..cc7734f39 100644 --- a/lass/1systems/neoprism/physical.nix +++ b/lass/1systems/neoprism/physical.nix @@ -13,7 +13,10 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.efiSupport = true; - boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.loader.grub.devices = [ + config.disko.devices.disk."/dev/nvme0n1".device + config.disko.devices.disk."/dev/nvme1n1".device + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; boot.kernelModules = [ "kvm-amd" ]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 
@@ -56,21 +59,21 @@ }; networking.useDHCP = false; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - authorizedKeys = [ config.krebs.users.lass.pubkey ]; - port = 2222; - hostKeys = [ - (toString ) - (toString ) - ]; - }; - }; - boot.kernelParams = [ - "net.ifnames=0" - "ip=dhcp" - "boot.trace" - ]; + # boot.initrd.network = { + # enable = true; + # ssh = { + # enable = true; + # authorizedKeys = [ config.krebs.users.lass.pubkey ]; + # port = 2222; + # hostKeys = [ + # () + # () + # ]; + # }; + # }; + # boot.kernelParams = [ + # "net.ifnames=0" + # "ip=dhcp" + # "boot.trace" + # ]; } -- cgit v1.2.3 From f58eceedb1ce03b17b75b2cb033a6722f9d72a72 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:55:59 +0200 Subject: l xerxes.r: disable some stuff --- lass/1systems/xerxes/config.nix | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 6972567d7..d1ee4cf71 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -7,16 +7,15 @@ + - - ]; @@ -60,24 +59,6 @@ services.logind.lidSwitch = "suspend"; lass.screenlock.enable = lib.mkForce false; - systemd.services.suspend-again = { - after = [ "suspend.target" ]; - requiredBy = [ "suspend.target" ]; - # environment = { - # DISPLAY = ":${toString config.services.xserver.display}"; - # }; - serviceConfig = { - ExecStart = pkgs.writeDash "suspend-again" '' - ${pkgs.gnugrep}/bin/grep -q closed /proc/acpi/button/lid/LID0/state - if [ "$?" -eq 0 ]; then - echo 'wakeup with closed lid' - ${pkgs.systemd}/bin/systemctl suspend - fi - ''; - Type = "simple"; - }; - }; - hardware.bluetooth = { enable = true; powerOnBoot = true; -- cgit v1.2.3 From be170d796f8520b88102a0f540f028d0fa395a55 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 3 Sep 2023 11:56:59 +0200 Subject: l binary-cache: disable nix-serve-ng --- lass/2configs/binary-cache/server.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index bdd568c15..490601641 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ...}: { - nixpkgs.config.packageOverrides = p: { - nix-serve = p.haskellPackages.nix-serve-ng; - }; + # nixpkgs.config.packageOverrides = p: { + # nix-serve = p.haskellPackages.nix-serve-ng; + # }; # generate private key with: # nix-store --generate-binary-cache-key my-secret-key my-public-key services.nix-serve = { -- cgit v1.2.3 From 32bac4e0549b6b41aa6062aee48f1aa7eb493a3f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:57:19 +0200 Subject: l green-hosts: add different implementations --- lass/2configs/green-hosts/cryfs.nix | 95 ++++++++++++++++++++++++++ lass/2configs/green-hosts/ecryptfs.nix | 99 +++++++++++++++++++++++++++ lass/2configs/green-hosts/plain-bindfs.nix | 90 +++++++++++++++++++++++++ lass/2configs/green-hosts/plain-permown.nix | 88 ++++++++++++++++++++++++ lass/2configs/green-hosts/plain.nix | 87 ++++++++++++++++++++++++ lass/2configs/green-hosts/securefs.nix | 101 ++++++++++++++++++++++++++++ 6 files changed, 560 insertions(+) create mode 100644 lass/2configs/green-hosts/cryfs.nix create mode 100644 lass/2configs/green-hosts/ecryptfs.nix create mode 100644 lass/2configs/green-hosts/plain-bindfs.nix create mode 100644 lass/2configs/green-hosts/plain-permown.nix create mode 100644 lass/2configs/green-hosts/plain.nix create mode 100644 lass/2configs/green-hosts/securefs.nix diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix new file mode 100644 index 000000000..d60dc5951 --- /dev/null +++ b/lass/2configs/green-hosts/cryfs.nix 
@@ -0,0 +1,95 @@ +# seems to work, very slow though + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-cryfs"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = { + source = "/var/lib/sync-containers/${cname}/cryfs"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "init-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/sync-containers/${cname}/cryfs + '') + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch 
/etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix new file mode 100644 index 000000000..2c335f6f2 --- /dev/null +++ b/lass/2configs/green-hosts/ecryptfs.nix 
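Review bot: `system.activationScripts.fuse` in cryfs.nix runs `${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229` unconditionally inside the container config, and mknod fails with EEXIST once the node exists, so every activation after the first reports an error; guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The identical block is in ecryptfs.nix, plain-bindfs.nix, plain-permown.nix and plain.nix of this commit. The inner `deploy-${cname}` dash script sets only `set -x` while the surrounding start/stop scripts use `set -euf`, so a failed `mkdir` or `ln -sfTr` there is not fatal and the `nixos-rebuild ... switch` that follows still runs; give it the same `set -euf` prelude. Unlike ecryptfs.nix, nothing in this start script mounts the cryfs store before the container starts — if that mount is meant to happen inside the container, a comment saying so at `init-${cname}` would save the next reader the search.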
@@ -0,0 +1,99 @@ + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + pkgs.ecryptfs + pkgs.keyutils + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + if ! 
mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then + if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then + ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + else + ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + fi + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix new file mode 100644 index 000000000..81d8f20c2 --- /dev/null +++ b/lass/2configs/green-hosts/plain-bindfs.nix 
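Review bot: In the ecryptfs.nix start script, `ecrypt init` is chosen whenever `.cfg.json` is absent, so if `start-green` runs before syncthing has delivered the replicated `ecryptfs` folder, a fresh store is created in the directory the peers are syncing into instead of the existing one being mounted; a guard that the folder is empty before taking the `init` branch, e.g. `[ -z "$(ls -A /var/lib/sync-containers/${cname}/ecryptfs)" ] || { echo 'ecryptfs dir not empty but no .cfg.json' >&2; exit 1; }`, avoids that (assuming `ecrypt init` does not already refuse a non-empty directory — verify). The stop script runs `nixos-container stop` before `ecrypt unmount` under `set -euf`, so a failed container stop leaves the encrypted state mounted on the host. The `mount | grep -q '... type ecryptfs'` check is a substring match on free-text output; `mountpoint -q /var/lib/containers/${cname}/var/state` is the usual check if the filesystem-type part is not essential.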
@@ -0,0 +1,90 @@ +# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them, + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/containers/${cname}/var/state" = { + source = "/var/lib/containers/${cname}/var/state"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h 
/var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-permown.nix b/lass/2configs/green-hosts/plain-permown.nix new file mode 100644 index 000000000..21a7d0085 --- /dev/null +++ b/lass/2configs/green-hosts/plain-permown.nix 
@@ -0,0 +1,88 @@ +# this seems to work fine, downsides are, all state is owned by syncthing and could be read by the guests syncthing + + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/containers/${cname}/var/state" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = true; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain.nix b/lass/2configs/green-hosts/plain.nix new file mode 100644 index 000000000..58f54b748 --- /dev/null +++ b/lass/2configs/green-hosts/plain.nix 
@@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/containers/${cname}/var/state" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = true; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ]