Diffstat (limited to 'krebs/1systems')
-rw-r--r-- | krebs/1systems/arcadeomat/config.nix | 82 | ||||
-rw-r--r-- | krebs/1systems/arcadeomat/hw.nix | 25 | ||||
-rw-r--r-- | krebs/1systems/filebitch/config.nix | 33 | ||||
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 34 | ||||
-rw-r--r-- | krebs/1systems/news/config.nix | 26 | ||||
-rw-r--r-- | krebs/1systems/ponte/config.nix | 42 | ||||
-rw-r--r-- | krebs/1systems/puyak/config.nix | 16 | ||||
-rw-r--r-- | krebs/1systems/puyak/net.nix | 3 | ||||
-rw-r--r-- | krebs/1systems/wolf/config.nix | 1 |
9 files changed, 104 insertions, 158 deletions
diff --git a/krebs/1systems/arcadeomat/config.nix b/krebs/1systems/arcadeomat/config.nix
deleted file mode 100644
index cdeaae18..00000000
--- a/krebs/1systems/arcadeomat/config.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ config,lib, pkgs, ... }:
-let
- shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
- ext-if = "et0";
- external-mac = "52:54:b0:0b:af:fe";
- mainUser = "krebs";
-
-in
-{
- imports = [
- ./hw.nix
- <stockholm/krebs>
- <stockholm/krebs/2configs>
-
- #<stockholm/krebs/2configs/binary-cache/nixos.nix>
- #<stockholm/krebs/2configs/binary-cache/prism.nix>
-
- <stockholm/krebs/2configs/shack/ssh-keys.nix>
- <stockholm/krebs/2configs/save-diskspace.nix>
- <stockholm/krebs/2configs/shack/prometheus/node.nix>
-
- ];
- # use your own binary cache, fallback use cache.nixos.org (which is used by
- # apt-cacher-ng in first place)
-
- # local discovery in shackspace
- nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
- krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
-
-
- #networking = {
- # firewall.enable = false;
- # firewall.allowedTCPPorts = [ 8088 8086 8083 ];
- # interfaces."${ext-if}".ipv4.addresses = [
- # {
- # address = shack-ip;
- # prefixLength = 20;
- # }
- # ];
-
- # defaultGateway = "10.42.0.1";
- # nameservers = [ "10.42.0.100" "10.42.0.200" ];
- #};
-
- #####################
- # uninteresting stuff
- #####################
- krebs.build.host = config.krebs.hosts.arcadeomat;
- users.users."${mainUser}" = {
- uid = 9001;
- extraGroups = [ "audio" "video" ];
- isNormalUser = true;
- };
-
-
- time.timeZone = "Europe/Berlin";
-
- # avahi
- services.avahi = {
- enable = true;
- wideArea = false;
- };
- environment.systemPackages = with pkgs;[ glxinfo sdlmame ];
- nixpkgs.config.allowUnfree = true;
- hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_340;
- boot.kernelPackages = pkgs.linuxPackages_5_4;
-
- services.xserver = {
- videoDrivers = [ "nvidia" ];
- enable = true;
- windowManager = {
- awesome.enable = true;
- awesome.noArgb = true;
- awesome.luaModules = [ pkgs.luaPackages.vicious ];
- };
- displayManager.defaultSession = lib.mkDefault "none+awesome";
- displayManager.autoLogin = {
- enable = true;
- user = mainUser;
- };
- };
-}
diff --git a/krebs/1systems/arcadeomat/hw.nix b/krebs/1systems/arcadeomat/hw.nix
deleted file mode 100644
index b24deeec..00000000
--- a/krebs/1systems/arcadeomat/hw.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "usbhid" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/0aae456e-0548-4917-a282-11d5d4e403cf";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
- boot.loader.grub.copyKernels = true;
-
-}
diff --git a/krebs/1systems/filebitch/config.nix b/krebs/1systems/filebitch/config.nix
index e27d036c..254306ec 100644
--- a/krebs/1systems/filebitch/config.nix
+++ b/krebs/1systems/filebitch/config.nix
@@ -5,16 +5,16 @@ in
 {
 imports = [
 ./hardware-configuration.nix
- <stockholm/krebs>
- <stockholm/krebs/2configs>
- # <stockholm/krebs/2configs/secret-passwords.nix>
+ ../../../krebs
+ ../../../krebs/2configs
+ # ../../../krebs/2configs/secret-passwords.nix
- # <stockholm/krebs/2configs/binary-cache/nixos.nix>
- # <stockholm/krebs/2configs/binary-cache/prism.nix>
- <stockholm/krebs/2configs/shack/ssh-keys.nix>
- <stockholm/krebs/2configs/shack/prometheus/node.nix>
+ # ../../../krebs/2configs/binary-cache/nixos.nix
+ # ../../../krebs/2configs/binary-cache/prism.nix
+ ../../../krebs/2configs/shack/ssh-keys.nix
+ ../../../krebs/2configs/shack/prometheus/node.nix
 # provides access to /home/share for smbuser via smb
- <stockholm/krebs/2configs/shack/share.nix>
+ ../../../krebs/2configs/shack/share.nix
 {
 fileSystems."/home/share" = {
 device = "/serve";
@@ -23,8 +23,8 @@ in
 }
 ## Collect local statistics via collectd and send to collectd
- # <stockholm/krebs/2configs/stats/shack-client.nix>
- # <stockholm/krebs/2configs/stats/shack-debugging.nix>
+ # ../../../krebs/2configs/stats/shack-client.nix
+ # ../../../krebs/2configs/stats/shack-debugging.nix
 ];
 krebs.build.host = config.krebs.hosts.filebitch;
@@ -35,12 +35,13 @@ in
 '';
 networking = {
 firewall.enable = true;
- interfaces.et0.ipv4.addresses = [
- {
- address = shack-ip;
- prefixLength = 20;
- }
- ];
+ interfaces.et0.useDHCP = true;
+ #interfaces.et0.ipv4.addresses = [
+ # {
+ # address = shack-ip;
+ # prefixLength = 20;
+ # }
+ #];
 defaultGateway = "10.42.0.1";
 nameservers = [ "10.42.0.100" "10.42.0.200" ];
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index cf07d3b4..0a103ed1 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
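Review bot: `interfaces.et0.useDHCP = true;` is added while `defaultGateway = "10.42.0.1";` and `nameservers = [ "10.42.0.100" "10.42.0.200" ];` directly below it stay static, so the host ends up with a statically configured default route and resolvers next to whatever the DHCP lease offers, and which one wins is decided by route metrics and resolver ordering rather than by this file. Either drop the two static lines so the lease is authoritative, or keep the static address and leave `useDHCP` off; the commented-out block used to avoid exactly this mix. `shack-ip` (presumably bound in the file's `let`, outside the hunk) is now referenced only from the commented-out block, so it is dead unless used elsewhere. The `networking = {` attrset continues past the hunk.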
@@ -2,24 +2,34 @@
 {
 imports = [
- <stockholm/krebs>
- <stockholm/krebs/2configs>
+ ../../../krebs
+ ../../../krebs/2configs
+ ../../../krebs/2configs/nginx.nix
- <stockholm/krebs/2configs/buildbot-stockholm.nix>
- <stockholm/krebs/2configs/binary-cache/nixos.nix>
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/reaktor2.nix>
- <stockholm/krebs/2configs/wiki.nix>
- <stockholm/krebs/2configs/acme.nix>
- <stockholm/krebs/2configs/mud.nix>
+ ../../../krebs/2configs/buildbot-stockholm.nix
+ ../../../krebs/2configs/binary-cache/nixos.nix
+ ../../../krebs/2configs/ircd.nix
+ ../../../krebs/2configs/reaktor2.nix
+ ../../../krebs/2configs/wiki.nix
+ ../../../krebs/2configs/acme.nix
+ ../../../krebs/2configs/mud.nix
+ ../../../krebs/2configs/repo-sync.nix
- ## shackie irc bot
- <stockholm/krebs/2configs/shack/reaktor.nix>
+ ../../../krebs/2configs/cal.nix
+ ../../../krebs/2configs/mastodon.nix
+
+ ## (shackie irc bot
+ ../../../krebs/2configs/shack/reaktor.nix
 ];
 krebs.build.host = config.krebs.hosts.hotdog;
- krebs.github-hosts-sync.enable = true;
+ krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
+ krebs.pages.enable = true;
 boot.isContainer = true;
 networking.useDHCP = false;
+ krebs.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM20tYHHvwIgrJZzR35ATzH9AlTrM1enNKEQJ7IP6lBh";
+ };
 }
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index 79946dad..290870fc 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
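Review bot: The rewritten comment `## (shackie irc bot` picks up a stray `(` that the removed `## shackie irc bot` did not have; `## shackie irc bot` is what was meant. hotdog keeps `networking.useDHCP = false;` while the news hunk in this same commit sets `networking.useDHCP = lib.mkForce true;` next to an identical `krebs.sync-containers3.inContainer` block, so if that module expects DHCP inside the container hotdog may need the same change — the hunk does not show which is intended. A comment on the `pubkey = "ssh-ed25519 …"` line naming which host or service holds the matching private key (the sync-containers3 controller, presumably) would make the trust relationship auditable from this file alone.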
@@ -2,28 +2,24 @@
 {
 imports = [
- <stockholm/krebs>
- <stockholm/krebs/2configs>
+ ../../../krebs
+ ../../../krebs/2configs
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/go.nix>
+ ../../../krebs/2configs/ircd.nix
+ ../../../krebs/2configs/go.nix
 #### NEWS ####
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/news.nix>
+ ../../../krebs/2configs/ircd.nix
+ ../../../krebs/2configs/news.nix
 ];
 krebs.build.host = config.krebs.hosts.news;
+ krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
 boot.isContainer = true;
- networking.useDHCP = false;
- krebs.bindfs = {
- "/var/lib/brockman" = {
- source = "/var/state/brockman";
- options = [
- "-m ${toString config.users.users.brockman.uid}:${toString config.users.users.nginx.uid}"
- ];
- clearTarget = true;
- };
+ networking.useDHCP = lib.mkForce true;
+ krebs.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBVZomw68WDQy0HsHhNbWK1KpzaR5aRUG1oioE7IgCv";
 };
 }
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8250ebad..8bb14d51 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
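Review bot: `networking.useDHCP = lib.mkForce true;` needs `lib` in the module's argument set, and the file's first line is outside the hunk so I cannot confirm it is bound; the puyak hunk in this same commit has to change its header to `{ config, pkgs, lib, ... }:` for the same kind of call, so news deserves the same check. The rewritten import list also still carries `../../../krebs/2configs/ircd.nix` twice (once above `#### NEWS ####`, once below); the second copy can go while these lines are being touched. `mkForce` also hides which module sets the conflicting `useDHCP` value — a short comment naming it, e.g. `# overrides useDHCP = false from <module that sets it>`, would save the next reader the search.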
@@ -5,7 +5,49 @@
 <stockholm/krebs>
 <stockholm/krebs/2configs>
 <stockholm/krebs/2configs/matterbridge.nix>
+ <stockholm/krebs/2configs/nameserver.nix>
 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.logRefusedConnections = false;
+ networking.firewall.logRefusedUnicastsOnly = false;
+
+ # Move Internet-facing SSH port to reduce logspam.
+ networking.firewall.extraCommands = let
+ host = config.krebs.build.host;
+ in /* sh */ ''
+ iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+ iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+ ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+ ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+ '';
+
 krebs.build.host = config.krebs.hosts.ponte;
+
+ krebs.pages.enable = true;
+ krebs.pages.nginx.addSSL = true;
+ krebs.pages.nginx.useACMEHost = "krebsco.de";
+
+ security.acme.acceptTerms = true;
+ security.acme.certs."krebsco.de" = {
+ domain = "krebsco.de";
+ extraDomainNames = [
+ "*.krebsco.de"
+ ];
+ email = "spam@krebsco.de";
+ reloadServices = [
+ "knsupdate-krebsco.de.service"
+ "nginx.service"
+ ];
+ keyType = "ec384";
+ dnsProvider = "rfc2136";
+ credentialsFile = "/var/src/secrets/acme-credentials";
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
 }
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index f4bd472a..d3891af8 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
 imports = [
 ./net.nix
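Review bot: The `--dport 22 -j REDIRECT --to-ports 0` rules in `networking.firewall.extraCommands` blackhole public SSH via the NAT table, which is indirect and leaves nothing in the filter table that says "port 22 is closed to the Internet"; the same policy is explicit and visible in `iptables -L` as a filter rule, e.g. `iptables -A nixos-fw -p tcp --dport 22 ! -d ${host.nets.retiolum.ip4.addr} -j nixos-fw-refuse` with its ip6tables twin. The eight rules are appended with `-A` to the built-in nat `OUTPUT`/`PREROUTING` chains and the hunk adds no `networking.firewall.extraStopCommands` to remove them, so a firewall restart may leave duplicate copies behind — worth confirming against the firewall module's stop script. `logRefusedConnections = false` also drops the only record of rejected probes on this Internet-facing host; if the aim is only to silence port 22, a `nixos-fw-refuse` rule ahead of the logging step keeps the rest of the refusal log. The comment `# Move Internet-facing SSH port to reduce logspam.` should name 11423 as the new port and note that the retiolum addresses keep 22.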
@@ -23,7 +23,6 @@
 <stockholm/krebs/2configs/container-networking.nix>
 <stockholm/krebs/2configs/syncthing.nix>
- <stockholm/krebs/2configs/news-host.nix>
 ### shackspace ###
 # handle the worlddomination map via coap
@@ -46,10 +45,8 @@
 # light.shack web-ui
 <stockholm/krebs/2configs/shack/light.shack.nix> #light.shack
- # powerraw usb serial to mqtt and raw socket
- <stockholm/krebs/2configs/shack/powerraw.nix> # powerraw.shack standby.shack
- # send power stats to s3
- <stockholm/krebs/2configs/shack/s3-power.nix> # powerraw.shack must be available
+ # fetch the u300 power stats
+ <stockholm/krebs/2configs/shack/power/u300-power.nix>
 {
 # do not log to /var/spool/log
@@ -76,6 +73,7 @@
 # hass.shack
 <stockholm/krebs/2configs/shack/glados>
+ <stockholm/krebs/2configs/shack/esphome.nix>
 # connect to git.shackspace.de as group runner for rz
 <stockholm/krebs/2configs/shack/gitlab-runner.nix>
@@ -110,10 +108,13 @@
 <stockholm/krebs/2configs/shack/prometheus/server.nix>
 <stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
 #<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
- <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
+ # TODO: alertmanager 0.24+ supports telegram
+ # <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
 ];
 krebs.build.host = config.krebs.hosts.puyak;
+ krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
+
 sound.enable = false;
 boot = {
 loader.systemd-boot.enable = true;
@@ -170,4 +171,5 @@
 isNormalUser = true;
 shell = "/run/current-system/sw/bin/zsh";
 };
+ system.stateVersion = lib.mkForce "24.05";
 }
diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix
index a46a2495..fe2fd238 100644
--- a/krebs/1systems/puyak/net.nix
+++ b/krebs/1systems/puyak/net.nix
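Review bot: `system.stateVersion = lib.mkForce "24.05";` in the last hunk silently overrides a stateVersion set by some other module (the overridden value is outside this hunk), and moving stateVersion on an already-installed host changes the stateful defaults that key off it, so the line should carry a comment recording why the force is needed and that the host's state was migrated, e.g. `# mkForce: <why the shared module's stateVersion must be overridden for this host>`. The `# TODO: alertmanager 0.24+ supports telegram` comment in the `@@ -110,10 +108,13 @@` hunk would be more useful if it named what currently blocks enabling it (the packaged alertmanager version, presumably), since the import is left commented out rather than removed. The enclosing attrset continues past the hunk.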
@@ -7,13 +7,14 @@ in {
 SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
 SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}"
 '';
+ networking.wireless.enable = true;
 networking = {
 firewall.enable = true;
 firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];
 interfaces."${ext-if}".ipv4.addresses = [
 {
 address = shack-ip;
- prefixLength = 22;
+ prefixLength = 20;
 }
 ];
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 12ce4db3..6ff280f7 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@@ -51,6 +51,7 @@ in
 # uninteresting stuff
 #####################
 krebs.build.host = config.krebs.hosts.wolf;
+ krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
 boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk"
|
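Review bot: `networking.wireless.enable = true;` is placed immediately above the `networking = { ... }` attrset that the rest of the hunk edits; writing it as `wireless.enable = true;` inside that attrset keeps the host's network settings in one place. It also starts wpa_supplicant on `wl0` (named by the udev rule above) with no networks declared anywhere in the hunk, so either they are configured elsewhere or the interface is being enabled for later use — a one-line comment saying which would help. The `networking = {` attrset continues past the hunk.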