4 files changed, 87 insertions, 9 deletions

diff --git a/krebs/3modules/announce-activation.nix b/krebs/3modules/announce-activation.nix
index 76eb4b13..a40ae8ce 100644
--- a/krebs/3modules/announce-activation.nix
+++ b/krebs/3modules/announce-activation.nix
@@ -9,6 +9,7 @@ with import <stockholm/lib>;
         ${shell.escape (toString cfg.irc.port)} \
         ${shell.escape cfg.irc.nick} \
         ${shell.escape cfg.irc.channel} \
+        ${escapeShellArg cfg.irc.tls} \
         "$message"
   '';
   default-get-message = pkgs.writeDash "announce-activation-get-message" ''
@@ -50,6 +51,10 @@ in {
         default = "irc.r";
         type = types.hostname;
       };
+      tls = mkOption {
+        default = false;
+        type = types.bool;
+      };
     };
   };
   config = mkIf cfg.enable {
diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix
index 1e56e62f..acbe717d 100644
--- a/krebs/3modules/hidden-ssh.nix
+++ b/krebs/3modules/hidden-ssh.nix
@@ -19,6 +19,14 @@ let
       type = types.str;
       default = "irc.hackint.org";
     };
+    port = mkOption {
+      type = types.int;
+      default = 6697;
+    };
+    tls = mkOption {
+      type = types.bool;
+      default = true;
+    };
     message = mkOption {
       type = types.str;
       default = "SSH Hidden Service at ";
@@ -27,14 +35,17 @@ let
 
   imp = let
     torDirectory = "/var/lib/tor"; # from tor.nix
-    hiddenServiceDir = torDirectory + "/ssh-announce-service";
+    hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
   in {
     services.tor = {
       enable = true;
-      extraConfig = ''
-        HiddenServiceDir ${hiddenServiceDir}
-        HiddenServicePort 22 127.0.0.1:22
-      '';
+      relay.onionServices.hidden-ssh = {
+        version = 3;
+        map = [{
+          port = 22;
+          target.port = 22;
+        }];
+      };
       client.enable = true;
     };
     systemd.services.hidden-ssh-announce = {
@@ -50,10 +61,14 @@ let
             echo "still waiting for ${hiddenServiceDir}/hostname"
             sleep 1
           done
-          ${pkgs.untilport}/bin/untilport ${cfg.server} 6667 && \
-            ${pkgs.irc-announce}/bin/irc-announce \
-            ${cfg.server} 6667 ${config.krebs.build.host.name}-ssh \
-            \${cfg.channel} \
+          ${pkgs.untilport}/bin/untilport ${escapeShellArg cfg.server} ${toString cfg.port}
+
+          ${pkgs.irc-announce}/bin/irc-announce \
+            ${escapeShellArg cfg.server} \
+            ${toString cfg.port} \
+            "${config.krebs.build.host.name}-ssh" \
+            ${escapeShellArg cfg.channel} \
+            ${escapeShellArg cfg.tls} \
             "${cfg.message}$(cat ${hiddenServiceDir}/hostname)"
         '';
         PrivateTmp = "true";
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index b19e2e6f..3419d806 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -47,6 +47,7 @@ in {
           radio               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           jitsi               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           streaming           60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+          mumble              60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
         '';
       };
       nets = rec {
@@ -783,6 +784,62 @@ in {
       };
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
+      syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ";
+    };
+
+    lasspi = {
+      cores = 1;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.1.89";
+          ip6.addr = r6 "189";
+          aliases = [
+            "lasspi.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1
+            JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F
+            CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl
+            oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P
+            Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS
+            BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC
+            VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8
+            +Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs
+            QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP
+            zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP
+            6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc
+            287nChBcbY+HlshTe0lZdrkCAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+        wiregrill = {
+          ip6.addr = w6 "189";
+          aliases = [
+            "lasspi.w"
+          ];
+          wireguard.pubkey = ''
+            IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw=
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB";
+    };
+
+    domsen-pixel = {
+      nets = {
+        wiregrill = {
+          ip4.addr = "10.244.1.17";
+          ip6.addr = w6 "d0";
+          aliases = [
+            "domsen-pixel.w"
+          ];
+          wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY=";
+        };
+      };
+      external = true;
+      ci = false;
     };
 
   };
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 76f33396..1fa6012c 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -51,6 +51,7 @@ let
 
       serviceConfig = {
         Type = "simple";
+        Restart = "on-failure";
         ExecStart = "${pkgs.realwallpaper}/bin/generate-wallpaper";
         User = "realwallpaper";
       };