Merge remote-tracking branch 'prism/master'

8 files changed, 323 insertions, 6 deletions

diff --git a/krebs/3modules/bindfs.nix b/krebs/3modules/bindfs.nix
new file mode 100644
index 00000000..7e3730e8
--- /dev/null
+++ b/krebs/3modules/bindfs.nix
@@ -0,0 +1,61 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }:
+let
+  cfg = config.krebs.bindfs;
+in {
+  options.krebs.bindfs = mkOption {
+    type = types.attrsOf (types.submodule ({ config, ... }: {
+      options = {
+        target = mkOption {
+          description = ''
+            destination where bindfs mounts to.
+            second positional argument to bindfs.
+          '';
+          default = config._module.args.name;
+          type = types.absolute-pathname;
+        };
+        source = mkOption {
+          description = ''
+            source folder where the mounted directory is originally.
+            first positional argument to bindfs.
+          '';
+          type = types.absolute-pathname;
+        };
+        options = mkOption {
+          description = ''
+            additional arguments to bindfs
+          '';
+          type = types.listOf types.str;
+          default = [];
+        };
+        clearTarget = mkOption {
+          description = ''
+            whether to clear the target folder before mounting
+          '';
+          type = types.bool;
+          default = false;
+        };
+      };
+    }));
+    default = {};
+  };
+
+  config = mkIf (cfg != {}) {
+    systemd.services = mapAttrs' (n: mount: let
+      name = replaceStrings [ "/" ] [ "_" ] n;
+    in nameValuePair "bindfs-${name}" {
+      wantedBy = [ "local-fs.target" ];
+      path = [ pkgs.coreutils ];
+      serviceConfig = {
+        ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
+          ${optionalString mount.clearTarget ''
+            rm -rf '${mount.target}'
+          ''}
+          mkdir -p '${mount.source}'
+          mkdir -p '${mount.target}'
+        '';
+        ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}";
+      };
+    }) cfg;
+  };
+}
diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix
index 55e8255b..32aa3489 100644
--- a/krebs/3modules/brockman.nix
+++ b/krebs/3modules/brockman.nix
@@ -1,5 +1,5 @@
-{ pkgs, lib, config, ... }:
-with lib;
+{ pkgs, config, ... }:
+with import <stockholm/lib>;
 let
   cfg = config.krebs.brockman;
 in {
@@ -13,6 +13,7 @@ in {
       home = "/var/lib/brockman";
       createHome = true;
       isNormalUser = false;
+      uid = genid_uint31 "brockman";
     };
 
     systemd.services.brockman = {
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 8c620a4e..e7d04ead 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -11,6 +11,7 @@ let
       ./apt-cacher-ng.nix
       ./backup.nix
       ./bepasty-server.nix
+      ./bindfs.nix
       ./brockman.nix
       ./buildbot/master.nix
       ./buildbot/slave.nix
@@ -51,6 +52,7 @@ let
       ./secret.nix
       ./setuid.nix
       ./shadow.nix
+      ./sync-containers.nix
       ./tinc.nix
       ./tinc_graphs.nix
       ./urlwatch.nix
@@ -90,8 +92,10 @@ let
           @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
                                 IN NS     ns19.ovh.net.
                                 IN NS     dns19.ovh.net.
-                                IN A      192.30.252.154
-                                IN A      192.30.252.153
+                                IN A      185.199.108.153
+                                IN A      185.199.109.153
+                                IN A      185.199.110.153
+                                IN A      185.199.111.153
         '';
         };
     };
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index d0648418..4a1b5608 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -92,6 +92,37 @@ in {
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
     };
+    news = {
+      ci = true;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.0.5";
+          aliases = [
+            "news.r"
+            "go.r"
+            "rss.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
+            cgPezX8yGmA0nuTyCUPtXbWyWee9HnzYqekzJYvBHwgBDvZ8UhLZTCXD15agDfaf
+            cbzd4uM5bCDgqI8sezzD95tqj7mzvIEurIShDXYSWC6YRat1h1Opp86JngBJRvHZ
+            Gb6NAyfnr4v2eyMrmH9/j+sECxjCAaC5QLpJWyoDPilFU8dXBarmiZNYYlXQt1pn
+            yxZSF5pElmrdiZ6vlKlnEHwFtExm1gv63ZjAlusrXM+bKMvdVKRnhahq76A5VXjc
+            kbOhQi+wYGaVK4jB2a1UilmKYh1wKLE7HULoHDRrqEe4jemNZg+JOBPTU+jM/JzM
+            XdPy0KAMxHOUZCe8IX0LgF1snVaMF05Qkoe3QKr0YJ3KTD7UdsJpa1Br216Z/w2f
+            koz+cRn/Z/8TO8SIRKvy5TfXeH+ra6rp/CvwryNlNL4FB+25LFDkJtLIZGqAsz3G
+            vRXUiGN4l1FR4TbX7XaK2rvIlA/+4isJ02bBdnZhe7kmuuBeECyPaR1+Ui6pElXe
+            ZamnxTAmj86Q8pDx6Wn2cg8YAJlVV3UCfhda34DZokJmmmKucGupg/6Xt0Bhm9d5
+            exNrTIDG3lXTxmg2mfiZJeg/fsnalvtN0j/VB+NmmKzie+ZohMK4nUfslq8o5CO9
+            j7ZLmZzm062GzX0RenxNkwUCAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo ";
+    };
     onebutton = {
       cores = 1;
       nets = {
@@ -131,8 +162,6 @@ in {
             "brockman.r"
             "build.puyak.r"
             "cgit.puyak.r"
-            "go.r"
-            "rss.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index a4586bed..c5cf5cb1 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -44,6 +44,7 @@ in {
           matrix              60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           paste               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           radio               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+          jitsi               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           streaming           60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
         '';
       };
@@ -685,6 +686,7 @@ in {
       };
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU ";
+      syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN";
     };
   };
   users = rec {
@@ -699,6 +701,11 @@ in {
       pubkey = builtins.readFile ./ssh/blue.rsa;
       pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp;
     };
+    lass-green = {
+      mail = "lass@green.r";
+      pubkey = builtins.readFile ./ssh/green.ed25519;
+      pgp.pubkeys.default = builtins.readFile ./pgp/green.pgp;
+    };
     lass-mors = {
       mail = "lass@mors.r";
       pubkey = builtins.readFile ./ssh/mors.rsa;
diff --git a/krebs/3modules/lass/pgp/green.pgp b/krebs/3modules/lass/pgp/green.pgp
new file mode 100644
index 00000000..96b2b38e
--- /dev/null
+++ b/krebs/3modules/lass/pgp/green.pgp
@@ -0,0 +1,40 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGAMS3EBDACzbsaP9nhJ8GrAk5JLlz+ruDbEGuvJXvh+spVq9i9TCCGAraPo
+z8Tmgsw6SJhJMW/170OZJ+GMMEDRpRbvh8tLZ0jsTIwINasRjC68tF9dgjjPZdNN
+cVOpFw4Wf4ueMmoEG/9Xyehm+YEJFTj5wul2uJtfj5NJB43daDn4e3ieGExd+zE0
+FTP4yAmxVMbN4BiyZPX7CxeTzJS0g4aVnMq9RqtYbxd1Uv++LmPh1ZkEyNNKItfC
+nRFeZzjhnmD7LvwsixE2ENnbiL9Ho7Mc4C7kRKSJ+LvXH6ChJJtDy9ApVA+u90i5
+Rd7y9rdzFY+NCHusWg0/U/t2FoLc/hRa0eLE1KFtzWzH35TMl8R/7NrPztTwT/fH
+xt3qSiwMUvH9X9TGvh5N0WwqgtEe6mpZvpq+4gyOiyA+EwE73rnxG2DzmM6CFHyo
+Qm/OOfjuFH+l0PkAqti+f41SqlEOiOAAFzgz7gaTdJ8gXs8piOGxk4U5EK/p1OTW
+4e6DrxqcxmHgoAUAEQEAAbQMbGFzc0BncmVlbi5yiQHUBBMBCAA+FiEE6Ed5jGI3
+gop09K1NMwheLc2Sjz0FAmAMS3ECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQMwheLc2Sjz0otwv+I8Sw0ENqy6SsrZSGDtmhAouCeTIUseRQ66tp
+UFnxDVPYhhdM2ubTtIqOfx20Xdy/7N/POyYMJ5VR+IaFcB9wUlrhdjwUlCtoUipx
+EycZloccMPGySxAxR3Kcy/SFzUKWwQ10/mfSQg/4+vYayZNuSvEpviMEZn0prpmw
+jwFJcHOu0NL+7eYULMdit1BDaZfBaAu/otKn18878+0hVimyjW27564uXtJYnbf1
+hUVGvPLaSo74XBFra+kujcA3zIjWiPn6dRA5dzLrRRkb30Unl1+0a9QwY3wd3vCV
+UHWSgDNaV+o7yPTuxoMsfrxHPAc3JlaKM6ka/EdK04tbgMH/N7FHXqDqCEIBWML4
+1/+HxkP2UW59zLefQwvBqWcF6bA7kgHGhIDkg1yg7ygP0t2mH6ktuEAYYr24BFx7
+b8nK/jhK+rp3LomLTLQ6e/6mikfoDr636sB1/Bc+pTdWsJnuQTzaWBDloVEr/2hz
+/K5+wH2kgSKaWYUtaR6wiMbVKq3HuQGNBGAMS3EBDAC1xQNCJD3hlnihHBv7jxfH
+CI5HdnUEh1eP8mUKjSE+Z0xGEMq8Z9sbTHQxtDdmC4ZOq1Kkt2LmtQQQAIH+Qnu6
+RYFOAPRmegouIxg4S3eTPZhZRo1ZqCphqbL2mQ9ifNrG3VVvQGXNvjo3Cuwj0uzx
+EDtOilKEtHZhG0cfehGV+nO1n/g50EQMC7JkFWnryxVL8i4l3KstOdj+LcIT6c27
+EE2fzOUekeltBHGRFSM1Yzmn2lxruuK4I8zoiqak2St1788ay//F9tiZPfhWRb6+
+DF+JgRLCXatqTJppPpkui1irw6jN5ZabjyS7GBtH+5wpnvuMEMr484OXEg17VnCd
+Tx/RTLyjfffDtTkC4M7oiAr5SUbkJjVkEuwjxp1N19epD8gzrBQC2W7XKM3z+mtG
+ZLJtiW5hM+QylMv7VWxbQ21ObJmUqBQUZLPlpl3dlGU/ILw3U4urBibD9oPT2QAX
+J6Db/STyl6w0bzRbMJmaEM4P0FcdEKTuw7tOpl5zBUkAEQEAAYkBtgQYAQgAIBYh
+BOhHeYxiN4KKdPStTTMIXi3Nko89BQJgDEtxAhsMAAoJEDMIXi3Nko89yc8MAJKg
+M5lbA/PJYlIju/qWKWt7yZbsIGuDfmuKfYftjXDOqskEqDyYgr31Txd43bWM6Ec7
+gb5JVmtzvLull0/KRwMcKAFNTXIYcb3jKpanwWRgHQlt/D6zlQula73WxwNUlZWl
+Q8FCWjGa2hC8oKlTbtzm5osdcK+YhlpTpK5y4Mrg0f9Rcd297ygFQSDInpGq7ILY
+sFat3HU7w9oPp9Q5RS8/EmrvAx1kFj9mZRs4L9inJJnHFpb1R6snojcKPwEyIWBi
++PFZ6ns296FjW9C+Ci7C+aaAzVDM7NAwU0/EhWeDKKHITU3Zaz4gnShesKBiVxhI
+JQNFCjWlnc+o3RqbAhDQhlwFrCZWUxQi1qWy4U88IYqR9hxV0eNtGSRmwnGCT9RV
+Nxb6CjtmHpgUmzyvwBpBJya8bLYu5tCKnUodtFiq/poxEfI5WrP6pu5l648AwuPa
+ioovprweDWs38Q8wd/SuoaUtIoj378UDXq8acFvHHnOS/bBBfAE9tutY1ycJdg==
+=Fg3f
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/krebs/3modules/lass/ssh/green.ed25519 b/krebs/3modules/lass/ssh/green.ed25519
new file mode 100644
index 00000000..1aa7b180
--- /dev/null
+++ b/krebs/3modules/lass/ssh/green.ed25519
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOJfTJ37hWYTYLWY6egshmvigPfRF0Sa4N11gmphMLm lass@green
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
new file mode 100644
index 00000000..d31022d3
--- /dev/null
+++ b/krebs/3modules/sync-containers.nix
@@ -0,0 +1,174 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+  cfg = config.krebs.sync-containers;
+  paths = cname: {
+    plain = "/var/lib/containers/${cname}/var/state";
+    ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
+    securefs = "${cfg.dataLocation}/${cname}/securefs";
+  };
+  start = cname: {
+    plain = ''
+      :
+    '';
+    ecryptfs = ''
+      if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+        if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
+          ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        else
+          ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        fi
+      fi
+    '';
+    securefs = ''
+      ## TODO init file systems if it does not exist
+      # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
+      if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
+        ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
+      fi
+    '';
+  };
+  stop = cname: {
+    plain = ''
+      :
+    '';
+    ecryptfs = ''
+      ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+    '';
+    securefs = ''
+      umount /var/lib/containers/${cname}/var/state
+    '';
+  };
+in {
+  options.krebs.sync-containers = {
+    dataLocation = mkOption {
+      description = ''
+        location where the encrypted sync-container lie around
+      '';
+      default = "/var/lib/sync-containers";
+      type = types.absolute-pathname;
+    };
+    containers = mkOption {
+      type = types.attrsOf (types.submodule ({ config, ... }: {
+        options = {
+          name = mkOption {
+            description = ''
+              name of the container
+            '';
+            default = config._module.args.name;
+            type = types.str;
+          };
+          peers = mkOption {
+            description = ''
+              syncthing peers to share this container with
+            '';
+            default = [];
+            type = types.listOf types.str;
+          };
+          hostIp = mkOption { # TODO find this automatically
+            description = ''
+              hostAddress of the privateNetwork
+            '';
+            example = "10.233.2.15";
+            type = types.str;
+          };
+          localIp = mkOption { # TODO find this automatically
+            description = ''
+              localAddress of the privateNetwork
+            '';
+            example = "10.233.2.16";
+            type = types.str;
+          };
+          format = mkOption {
+            description = ''
+              file system encrption format of the container
+            '';
+            type = types.enum [ "plain" "ecryptfs" "securefs" ];
+          };
+        };
+      }));
+      default = {};
+    };
+  };
+
+  config = mkIf (cfg.containers != {}) {
+    programs.fuse.userAllowOther = true;
+    # allow syncthing to enter /var/lib/containers
+    system.activationScripts.syncthing-home = ''
+      ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
+    '';
+
+    services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+      devices = ctr.peers;
+      ignorePerms = false;
+    })) cfg.containers);
+
+    krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+      file-mode = "u+rw";
+      directory-mode = "u+rwx";
+      owner = "syncthing";
+      keepGoing = false;
+    })) cfg.containers);
+
+    systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
+      reloadIfChanged = mkForce false;
+    })) cfg.containers;
+
+    containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
+      config = { ... }: {
+        environment.systemPackages = [
+          pkgs.git
+        ];
+        system.activationScripts.fuse = {
+          text = ''
+            ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+          '';
+          deps = [];
+        };
+      };
+      allowedDevices = [
+        { modifier = "rwm"; node = "/dev/fuse"; }
+      ];
+      autoStart = false;
+      enableTun = true;
+      privateNetwork = true;
+      hostAddress = ctr.hostIp;
+      localAddress = ctr.localIp;
+    })) cfg.containers;
+
+    environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
+      (pkgs.writeDashBin "start-${ctr.name}" ''
+        set -euf
+        set -x
+
+        mkdir -p /var/lib/containers/${ctr.name}/var/state
+
+        ${(start ctr.name).${ctr.format}}
+
+        STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
+        if [ "$STATE" = 'down' ]; then
+          ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
+        fi
+
+        ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
+          set -x
+
+          mkdir -p /var/state/var_src
+          ln -sfTr /var/state/var_src /var/src
+          touch /etc/NIXOS
+        ''}
+
+        if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
+          ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
+        else
+          ${(stop ctr.name).${ctr.format}}
+        fi
+      '')
+      (pkgs.writeDashBin "stop-${ctr.name}" ''
+        set -euf
+
+        ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
+        ${(stop ctr.name).${ctr.format}}
+      '')
+    ]) cfg.containers);
+  };
+}