Diffstat (limited to 'krebs/1systems')
-rw-r--r--krebs/1systems/arcadeomat/config.nix82
-rw-r--r--krebs/1systems/arcadeomat/hw.nix25
-rw-r--r--krebs/1systems/filebitch/config.nix33
-rw-r--r--krebs/1systems/hotdog/config.nix34
-rw-r--r--krebs/1systems/news/config.nix26
-rw-r--r--krebs/1systems/ponte/config.nix42
-rw-r--r--krebs/1systems/puyak/config.nix16
-rw-r--r--krebs/1systems/puyak/net.nix3
-rw-r--r--krebs/1systems/wolf/config.nix1
9 files changed, 104 insertions, 158 deletions
diff --git a/krebs/1systems/arcadeomat/config.nix b/krebs/1systems/arcadeomat/config.nix
deleted file mode 100644
index cdeaae18..00000000
--- a/krebs/1systems/arcadeomat/config.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ config,lib, pkgs, ... }:
-let
- shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
- ext-if = "et0";
- external-mac = "52:54:b0:0b:af:fe";
- mainUser = "krebs";
-
-in
-{
- imports = [
- ./hw.nix
- <stockholm/krebs>
- <stockholm/krebs/2configs>
-
- #<stockholm/krebs/2configs/binary-cache/nixos.nix>
- #<stockholm/krebs/2configs/binary-cache/prism.nix>
-
- <stockholm/krebs/2configs/shack/ssh-keys.nix>
- <stockholm/krebs/2configs/save-diskspace.nix>
- <stockholm/krebs/2configs/shack/prometheus/node.nix>
-
- ];
- # use your own binary cache, fallback use cache.nixos.org (which is used by
- # apt-cacher-ng in first place)
-
- # local discovery in shackspace
- nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
- krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
-
-
- #networking = {
- # firewall.enable = false;
- # firewall.allowedTCPPorts = [ 8088 8086 8083 ];
- # interfaces."${ext-if}".ipv4.addresses = [
- # {
- # address = shack-ip;
- # prefixLength = 20;
- # }
- # ];
-
- # defaultGateway = "10.42.0.1";
- # nameservers = [ "10.42.0.100" "10.42.0.200" ];
- #};
-
- #####################
- # uninteresting stuff
- #####################
- krebs.build.host = config.krebs.hosts.arcadeomat;
- users.users."${mainUser}" = {
- uid = 9001;
- extraGroups = [ "audio" "video" ];
- isNormalUser = true;
- };
-
-
- time.timeZone = "Europe/Berlin";
-
- # avahi
- services.avahi = {
- enable = true;
- wideArea = false;
- };
- environment.systemPackages = with pkgs;[ glxinfo sdlmame ];
- nixpkgs.config.allowUnfree = true;
- hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_340;
- boot.kernelPackages = pkgs.linuxPackages_5_4;
-
- services.xserver = {
- videoDrivers = [ "nvidia" ];
- enable = true;
- windowManager = {
- awesome.enable = true;
- awesome.noArgb = true;
- awesome.luaModules = [ pkgs.luaPackages.vicious ];
- };
- displayManager.defaultSession = lib.mkDefault "none+awesome";
- displayManager.autoLogin = {
- enable = true;
- user = mainUser;
- };
- };
-}
diff --git a/krebs/1systems/arcadeomat/hw.nix b/krebs/1systems/arcadeomat/hw.nix
deleted file mode 100644
index b24deeec..00000000
--- a/krebs/1systems/arcadeomat/hw.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "usbhid" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/0aae456e-0548-4917-a282-11d5d4e403cf";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.device = "/dev/sda";
- boot.loader.grub.copyKernels = true;
-
-}
diff --git a/krebs/1systems/filebitch/config.nix b/krebs/1systems/filebitch/config.nix
index e27d036c..254306ec 100644
--- a/krebs/1systems/filebitch/config.nix
+++ b/krebs/1systems/filebitch/config.nix
@@ -5,16 +5,16 @@ in
{
imports = [
./hardware-configuration.nix
- <stockholm/krebs>
- <stockholm/krebs/2configs>
- # <stockholm/krebs/2configs/secret-passwords.nix>
+ ../../../krebs
+ ../../../krebs/2configs
+ # ../../../krebs/2configs/secret-passwords.nix
- # <stockholm/krebs/2configs/binary-cache/nixos.nix>
- # <stockholm/krebs/2configs/binary-cache/prism.nix>
- <stockholm/krebs/2configs/shack/ssh-keys.nix>
- <stockholm/krebs/2configs/shack/prometheus/node.nix>
+ # ../../../krebs/2configs/binary-cache/nixos.nix
+ # ../../../krebs/2configs/binary-cache/prism.nix
+ ../../../krebs/2configs/shack/ssh-keys.nix
+ ../../../krebs/2configs/shack/prometheus/node.nix
# provides access to /home/share for smbuser via smb
- <stockholm/krebs/2configs/shack/share.nix>
+ ../../../krebs/2configs/shack/share.nix
{
fileSystems."/home/share" =
{ device = "/serve";
@@ -23,8 +23,8 @@ in
}
## Collect local statistics via collectd and send to collectd
- # <stockholm/krebs/2configs/stats/shack-client.nix>
- # <stockholm/krebs/2configs/stats/shack-debugging.nix>
+ # ../../../krebs/2configs/stats/shack-client.nix
+ # ../../../krebs/2configs/stats/shack-debugging.nix
];
krebs.build.host = config.krebs.hosts.filebitch;
@@ -35,12 +35,13 @@ in
'';
networking = {
firewall.enable = true;
- interfaces.et0.ipv4.addresses = [
- {
- address = shack-ip;
- prefixLength = 20;
- }
- ];
+ interfaces.et0.useDHCP = true;
+ #interfaces.et0.ipv4.addresses = [
+ # {
+ # address = shack-ip;
+ # prefixLength = 20;
+ # }
+ #];
defaultGateway = "10.42.0.1";
nameservers = [ "10.42.0.100" "10.42.0.200" ];
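Review bot: `interfaces.et0.useDHCP = true` on the new side sits directly above the still-static `defaultGateway = "10.42.0.1"` and `nameservers = [ "10.42.0.100" "10.42.0.200" ]`, so the host is now handed a default route and resolver list both by the DHCP lease and by this file; which one wins on reboot or lease renewal is not visible from the hunk. If the intent is to rely on DHCP, comment out those two lines together with the address block; if the gateway and DNS must stay pinned, say so next to them, e.g. `# address via DHCP, gateway/DNS pinned on purpose`. The `shack-ip` binding from the `let` at the top of the file is now referenced only from the commented-out block and can be dropped once this settles. The `networking` set continues past the hunk.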
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index cf07d3b4..0a103ed1 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -2,24 +2,34 @@
{
imports = [
- <stockholm/krebs>
- <stockholm/krebs/2configs>
+ ../../../krebs
+ ../../../krebs/2configs
+ ../../../krebs/2configs/nginx.nix
- <stockholm/krebs/2configs/buildbot-stockholm.nix>
- <stockholm/krebs/2configs/binary-cache/nixos.nix>
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/reaktor2.nix>
- <stockholm/krebs/2configs/wiki.nix>
- <stockholm/krebs/2configs/acme.nix>
- <stockholm/krebs/2configs/mud.nix>
+ ../../../krebs/2configs/buildbot-stockholm.nix
+ ../../../krebs/2configs/binary-cache/nixos.nix
+ ../../../krebs/2configs/ircd.nix
+ ../../../krebs/2configs/reaktor2.nix
+ ../../../krebs/2configs/wiki.nix
+ ../../../krebs/2configs/acme.nix
+ ../../../krebs/2configs/mud.nix
+ ../../../krebs/2configs/repo-sync.nix
- ## shackie irc bot
- <stockholm/krebs/2configs/shack/reaktor.nix>
+ ../../../krebs/2configs/cal.nix
+ ../../../krebs/2configs/mastodon.nix
+
+ ## (shackie irc bot
+ ../../../krebs/2configs/shack/reaktor.nix
];
krebs.build.host = config.krebs.hosts.hotdog;
- krebs.github-hosts-sync.enable = true;
+ krebs.hosts.hotdog.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
+ krebs.pages.enable = true;
boot.isContainer = true;
networking.useDHCP = false;
+ krebs.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM20tYHHvwIgrJZzR35ATzH9AlTrM1enNKEQJ7IP6lBh";
+ };
}
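Review bot: the new comment line reads `## (shackie irc bot` with a stray opening parenthesis; restore `## shackie irc bot`. The `krebs.sync-containers3.inContainer.pubkey` entry authorizes a bare ed25519 key with nothing saying which host holds the private half or what it is allowed to do, so a reader cannot tell whether this key belongs here; a one-line comment above it naming the peer host (and, if the module supports it, the purpose) would make later key rotation or removal safe, e.g. `# sync-containers3 peer key of <host>; rotate together with that host`. What the module does with the key is outside this diff, so the comment should be written from the module's documentation rather than guessed.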
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index 79946dad..290870fc 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -2,28 +2,24 @@
{
imports = [
- <stockholm/krebs>
- <stockholm/krebs/2configs>
+ ../../../krebs
+ ../../../krebs/2configs
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/go.nix>
+ ../../../krebs/2configs/ircd.nix
+ ../../../krebs/2configs/go.nix
#### NEWS ####
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/news.nix>
+ ../../../krebs/2configs/ircd.nix
+ ../../../krebs/2configs/news.nix
];
krebs.build.host = config.krebs.hosts.news;
+ krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
boot.isContainer = true;
- networking.useDHCP = false;
- krebs.bindfs = {
- "/var/lib/brockman" = {
- source = "/var/state/brockman";
- options = [
- "-m ${toString config.users.users.brockman.uid}:${toString config.users.users.nginx.uid}"
- ];
- clearTarget = true;
- };
+ networking.useDHCP = lib.mkForce true;
+ krebs.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBVZomw68WDQy0HsHhNbWK1KpzaR5aRUG1oioE7IgCv";
};
}
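Review bot: `../../../krebs/2configs/ircd.nix` appears twice in the new imports list, once in the general block and again under `#### NEWS ####`; the module system de-duplicates paths so this evaluates, but one of the two should go. `networking.useDHCP = lib.mkForce true` references `lib`, which must be bound by the module's argument set on line 1, outside this hunk; the puyak hunk in this same commit adds `lib` to its argument list for the same call, so check that news/config.nix's header already has it or the evaluation fails with an undefined variable. Removing the `krebs.bindfs` mapping also means `/var/state/brockman` is no longer mounted at `/var/lib/brockman`; if that state now travels with sync-containers3 that is fine, otherwise a short migration note would help.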
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8250ebad..8bb14d51 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -5,7 +5,49 @@
<stockholm/krebs>
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/matterbridge.nix>
+ <stockholm/krebs/2configs/nameserver.nix>
];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.logRefusedConnections = false;
+ networking.firewall.logRefusedUnicastsOnly = false;
+
+ # Move Internet-facing SSH port to reduce logspam.
+ networking.firewall.extraCommands = let
+ host = config.krebs.build.host;
+ in /* sh */ ''
+ iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+ iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+ ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+ ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+ '';
+
krebs.build.host = config.krebs.hosts.ponte;
+
+ krebs.pages.enable = true;
+ krebs.pages.nginx.addSSL = true;
+ krebs.pages.nginx.useACMEHost = "krebsco.de";
+
+ security.acme.acceptTerms = true;
+ security.acme.certs."krebsco.de" = {
+ domain = "krebsco.de";
+ extraDomainNames = [
+ "*.krebsco.de"
+ ];
+ email = "spam@krebsco.de";
+ reloadServices = [
+ "knsupdate-krebsco.de.service"
+ "nginx.service"
+ ];
+ keyType = "ec384";
+ dnsProvider = "rfc2136";
+ credentialsFile = "/var/src/secrets/acme-credentials";
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
}
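Review bot: the `networking.firewall.extraCommands` block appends its eight nat rules with `-A` but nothing deletes them again; the NixOS firewall flushes only its own `nixos-fw*` chains when it stops or reloads, so unless something outside this hunk flushes `nat PREROUTING`/`OUTPUT`, every `systemctl reload firewall` and every rebuild that restarts it stacks another copy of the same rules. Add a matching `networking.firewall.extraStopCommands` that removes each rule (tolerating a missing one), or guard each append with `-C … || -A …`. The `--to-ports 0` redirect is a deliberate way to make port 22 unreachable for non-retiolum sources but reads like a typo; a comment such as `# REDIRECT to port 0 makes the connection fail; only retiolum may reach 22 directly` would save the next reader a search. `credentialsFile = "/var/src/secrets/acme-credentials"` holds the rfc2136 TSIG key for the wildcard certificate, so that file must not be group- or world-readable on ponte; that cannot be checked from here.
```nix
  networking.firewall.extraStopCommands = let
    host = config.krebs.build.host;
  in /* sh */ ''
    iptables -t nat -D OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22 || true
    iptables -t nat -D PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22 || true
    iptables -t nat -D PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT || true
    iptables -t nat -D PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0 || true

    ip6tables -t nat -D OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22 || true
    ip6tables -t nat -D PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22 || true
    ip6tables -t nat -D PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT || true
    ip6tables -t nat -D PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0 || true
  '';
  # … unchanged: extraCommands, krebs.pages, security.acme …
```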
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index f4bd472a..d3891af8 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
{
imports = [
./net.nix
@@ -23,7 +23,6 @@
<stockholm/krebs/2configs/container-networking.nix>
<stockholm/krebs/2configs/syncthing.nix>
- <stockholm/krebs/2configs/news-host.nix>
### shackspace ###
# handle the worlddomination map via coap
@@ -46,10 +45,8 @@
# light.shack web-ui
<stockholm/krebs/2configs/shack/light.shack.nix> #light.shack
- # powerraw usb serial to mqtt and raw socket
- <stockholm/krebs/2configs/shack/powerraw.nix> # powerraw.shack standby.shack
- # send power stats to s3
- <stockholm/krebs/2configs/shack/s3-power.nix> # powerraw.shack must be available
+ # fetch the u300 power stats
+ <stockholm/krebs/2configs/shack/power/u300-power.nix>
{ # do not log to /var/spool/log
@@ -76,6 +73,7 @@
# hass.shack
<stockholm/krebs/2configs/shack/glados>
+ <stockholm/krebs/2configs/shack/esphome.nix>
# connect to git.shackspace.de as group runner for rz
<stockholm/krebs/2configs/shack/gitlab-runner.nix>
@@ -110,10 +108,13 @@
<stockholm/krebs/2configs/shack/prometheus/server.nix>
<stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
#<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
- <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
+ # TODO: alertmanager 0.24+ supports telegram
+ # <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
];
krebs.build.host = config.krebs.hosts.puyak;
+ krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
+
sound.enable = false;
boot = {
loader.systemd-boot.enable = true;
@@ -170,4 +171,5 @@
isNormalUser = true;
shell = "/run/current-system/sw/bin/zsh";
};
+ system.stateVersion = lib.mkForce "24.05";
}
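Review bot: `system.stateVersion = lib.mkForce "24.05"` overrides whatever lower-priority module sets it, and stateVersion is meant to stay at the release the host was first installed with; raising it on an existing machine silently switches stateful defaults (database package versions, service data layouts) that are keyed on that value. If puyak really was reinstalled on 24.05, a comment saying so would stop the next reader from reverting it, e.g. `# reinstalled on 24.05; do not lower`; if not, keep the original value and use `mkForce` only to settle the conflict with the module that also sets it. The user definition this hunk closes begins outside the hunk.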
diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix
index a46a2495..fe2fd238 100644
--- a/krebs/1systems/puyak/net.nix
+++ b/krebs/1systems/puyak/net.nix
@@ -7,13 +7,14 @@ in {
SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}"
'';
+ networking.wireless.enable = true;
networking = {
firewall.enable = true;
firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];
interfaces."${ext-if}".ipv4.addresses = [
{
address = shack-ip;
- prefixLength = 22;
+ prefixLength = 20;
}
];
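Review bot: `networking.wireless.enable = true;` is added as a standalone attribute directly above the `networking = { … }` set that holds the rest of this host's interface configuration; move it inside as `wireless.enable = true;` so all network settings sit in one place. No `networking.wireless.networks` entry is visible in this diff, so wpa_supplicant would start with an empty network list; if the `wl0` interface named by the udev rule above is meant to join a network, the SSID/credentials must be configured elsewhere and a comment pointing to that location would help. The `networking` set continues past the hunk.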
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 12ce4db3..6ff280f7 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@@ -51,6 +51,7 @@ in
# uninteresting stuff
#####################
krebs.build.host = config.krebs.hosts.wolf;
+ krebs.hosts.wolf.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
boot.initrd.availableKernelModules = [
"ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk"