Diffstat (limited to 'krebs')
34 files changed, 347 insertions, 49 deletions
diff --git a/krebs/1systems/arcadeomat/config.nix b/krebs/1systems/arcadeomat/config.nix
new file mode 100644
index 000000000..cdeaae180
--- /dev/null
+++ b/krebs/1systems/arcadeomat/config.nix
@@ -0,0 +1,82 @@ +{ config,lib, pkgs, ... }: +let + shack-ip = config.krebs.build.host.nets.shack.ip4.addr; + ext-if = "et0"; + external-mac = "52:54:b0:0b:af:fe"; + mainUser = "krebs"; + +in +{ + imports = [ + ./hw.nix + <stockholm/krebs> + <stockholm/krebs/2configs> + + #<stockholm/krebs/2configs/binary-cache/nixos.nix> + #<stockholm/krebs/2configs/binary-cache/prism.nix> + + <stockholm/krebs/2configs/shack/ssh-keys.nix> + <stockholm/krebs/2configs/save-diskspace.nix> + <stockholm/krebs/2configs/shack/prometheus/node.nix> + + ]; + # use your own binary cache, fallback use cache.nixos.org (which is used by + # apt-cacher-ng in first place) + + # local discovery in shackspace + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + krebs.tinc.retiolum.extraConfig = "TCPOnly = yes"; + + + #networking = { + # firewall.enable = false; + # firewall.allowedTCPPorts = [ 8088 8086 8083 ]; + # interfaces."${ext-if}".ipv4.addresses = [ + # { + # address = shack-ip; + # prefixLength = 20; + # } + # ]; + + # defaultGateway = "10.42.0.1"; + # nameservers = [ "10.42.0.100" "10.42.0.200" ]; + #}; + + ##################### + # uninteresting stuff + ##################### + krebs.build.host = config.krebs.hosts.arcadeomat; + users.users."${mainUser}" = { + uid = 9001; + extraGroups = [ "audio" "video" ]; + isNormalUser = true; + }; + + + time.timeZone = "Europe/Berlin"; + + # avahi + services.avahi = { + enable = true; + wideArea = false; + }; + environment.systemPackages = with pkgs;[ glxinfo sdlmame ]; + nixpkgs.config.allowUnfree = true; + hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_340; + boot.kernelPackages = pkgs.linuxPackages_5_4; + + services.xserver = { + videoDrivers = [ "nvidia" ]; + enable = true; + windowManager = { + awesome.enable = true; + awesome.noArgb = true; + awesome.luaModules = [ pkgs.luaPackages.vicious ]; + }; + displayManager.defaultSession = lib.mkDefault "none+awesome"; + displayManager.autoLogin = { + enable 
= true; + user = mainUser; + }; + }; +} diff --git a/krebs/1systems/arcadeomat/hw.nix b/krebs/1systems/arcadeomat/hw.nix new file mode 100644 index 000000000..b24deeecb --- /dev/null +++ b/krebs/1systems/arcadeomat/hw.nix @@ -0,0 +1,25 @@ + +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "ohci_pci" "ehci_pci" "pata_atiixp" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/0aae456e-0548-4917-a282-11d5d4e403cf"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.copyKernels = true; + +} diff --git a/krebs/1systems/filebitch/config.nix b/krebs/1systems/filebitch/config.nix index 9c6a9da08..e27d036c8 100644 --- a/krebs/1systems/filebitch/config.nix +++ b/krebs/1systems/filebitch/config.nix @@ -23,8 +23,8 @@ in } ## Collect local statistics via collectd and send to collectd - <stockholm/krebs/2configs/stats/shack-client.nix> - <stockholm/krebs/2configs/stats/shack-debugging.nix> + # <stockholm/krebs/2configs/stats/shack-client.nix> + # <stockholm/krebs/2configs/stats/shack-debugging.nix> ]; krebs.build.host = config.krebs.hosts.filebitch; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 5ed946aca..f4bd472a4 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix 
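Review bot: `displayManager.autoLogin` at the end of arcadeomat/config.nix gives anyone at the console a session as `krebs` without a password, and nothing in the file records that this is intended or what keeps it contained. The account currently has only `audio` and `video` in `extraGroups`, so a comment such as `# kiosk account: autologin, must never be added to wheel` above `users.users."${mainUser}"` would protect that property against later edits. Separately, `external-mac` is unused and `shack-ip`/`ext-if` are referenced only from the commented-out `networking` block, so the three `let` bindings could be dropped together with that block.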
@@ -92,8 +92,8 @@ <stockholm/krebs/2configs/shack/influx.nix> ## Collect local statistics via collectd and send to collectd - <stockholm/krebs/2configs/stats/shack-client.nix> - <stockholm/krebs/2configs/stats/shack-debugging.nix> + # <stockholm/krebs/2configs/stats/shack-client.nix> + # <stockholm/krebs/2configs/stats/shack-debugging.nix> ## netbox.shack: Netbox is disabled as nobody seems to be using it anyway # <stockholm/krebs/2configs/shack/netbox.nix> @@ -111,10 +111,6 @@ <stockholm/krebs/2configs/shack/prometheus/blackbox.nix> #<stockholm/krebs/2configs/shack/prometheus/unifi.nix> <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix> - - ## Collect local statistics via collectd and send to collectd - <stockholm/krebs/2configs/stats/shack-client.nix> - <stockholm/krebs/2configs/stats/shack-debugging.nix> ]; krebs.build.host = config.krebs.hosts.puyak; diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix index 25e7c5f06..12ce4db3e 100644 --- a/krebs/1systems/wolf/config.nix +++ b/krebs/1systems/wolf/config.nix @@ -52,12 +52,6 @@ in ##################### krebs.build.host = config.krebs.hosts.wolf; - boot.kernel.sysctl = { - # Enable IPv6 Privacy Extensions - "net.ipv6.conf.all.use_tempaddr" = 2; - "net.ipv6.conf.default.use_tempaddr" = 2; - }; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ]; diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 4c25bc963..369b750b7 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -45,6 +45,13 @@ with import <stockholm/lib>; services.cron.enable = false; services.ntp.enable = false; + # limit journald size + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + Storage=persistent + ''; + users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.jeschli-brauerei.pubkey 
diff --git a/krebs/2configs/shack/glados/automation/ampel.nix b/krebs/2configs/shack/glados/automation/ampel.nix new file mode 100644 index 000000000..4be92a328 --- /dev/null +++ b/krebs/2configs/shack/glados/automation/ampel.nix @@ -0,0 +1,23 @@ +# needs: +# binary_sensor.lounge_ampel_status +# light.lounge_ampel_licht_rot + +let + glados = import ../lib; +in +{ + services.home-assistant.config.automation = + [ + { + alias = "Ampel Rotes Licht"; + initial_state = true; + trigger = { + platform = "state"; + entity_id = "binary_sensor.lounge_ampel_status"; + }; + action = { service = "light.turn_on"; + data.entity_id = "light.lounge_ampel_licht_rot"; + }; + } + ]; +} diff --git a/krebs/2configs/shack/glados/default.nix b/krebs/2configs/shack/glados/default.nix index 51c2ad94f..e7860338c 100644 --- a/krebs/2configs/shack/glados/default.nix +++ b/krebs/2configs/shack/glados/default.nix @@ -40,6 +40,7 @@ in { ./automation/shack-startup.nix ./automation/party-time.nix ./automation/hass-restart.nix + ./automation/ampel.nix ]; services.home-assistant = diff --git a/krebs/2configs/shack/mqtt.nix b/krebs/2configs/shack/mqtt.nix index e78f0f974..8ace42383 100644 --- a/krebs/2configs/shack/mqtt.nix +++ b/krebs/2configs/shack/mqtt.nix @@ -1,15 +1,21 @@ -# hostname: mqtt.shack +{ ... }: { networking.firewall.allowedTCPPorts = [ 1883 ]; networking.firewall.allowedUDPPorts = [ 1883 ]; services.mosquitto = { enable = true; - host = "0.0.0.0"; - users = {}; - # TODO: secure that shit - aclExtraConf = '' - pattern readwrite # - ''; - allowAnonymous = true; + persistence = false; + settings.max_keepalive = 60; + listeners = [ + { + port = 1883; + omitPasswordAuth = true; + users = {}; + settings = { + allow_anonymous = true; + }; + acl = [ "topic readwrite #" "pattern readwrite #" ]; + } + ]; }; } diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix index 9308c7b13..2a8c92e46 100644 --- a/krebs/2configs/shack/muell_mail.nix 
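Review bot: The state trigger in ampel.nix has no `to` value, so the automation runs on every state change of `binary_sensor.lounge_ampel_status`, including the change back to off, while the only action is `light.turn_on`. If the red light should follow the sensor, add `to = "on";` to the trigger and handle the other direction with a `light.turn_off` action; if any change is meant to switch the light on, a comment saying so would help. The `glados = import ../lib;` binding is not used in this file.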
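Review bot: The new listener in mqtt.nix still accepts anonymous clients (`allow_anonymous = true`, `omitPasswordAuth = true`) with `readwrite #` on every topic, and the commit drops the TODO that marked this as unfinished. Port 1883 is opened in the firewall just above, so every host that can reach this machine can read and publish on all topics; I would keep a comment on the listener, e.g. `# TODO: anonymous read/write on all topics; restrict to the shack LAN or add per-user ACLs`, so the exposure stays visible. The old `host = "0.0.0.0"` has no explicit counterpart in the new listener, so the intended bind address should be stated with `address = ...` or in a comment. `allowedUDPPorts = [ 1883 ]` looks unnecessary because MQTT runs over TCP.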
+++ b/krebs/2configs/shack/muell_mail.nix @@ -15,7 +15,9 @@ in { inherit home; isSystemUser = true; createHome = true; + group = "muell_mail"; }; + users.groups.muell_mail = {}; systemd.services.muell_mail = { description = "muell_mail"; wantedBy = [ "multi-user.target" ]; diff --git a/krebs/2configs/shack/muellshack.nix b/krebs/2configs/shack/muellshack.nix index cabe72b40..abec3b4d6 100644 --- a/krebs/2configs/shack/muellshack.nix +++ b/krebs/2configs/shack/muellshack.nix @@ -16,7 +16,9 @@ in { inherit home; isSystemUser = true; createHome = true; + group = "muellshack"; }; + users.groups.muellshack = {}; services.nginx.virtualHosts."muell.shack" = { locations."/" = { proxyPass = "http://localhost:${port}/muellshack/"; diff --git a/krebs/2configs/shack/node-light.nix b/krebs/2configs/shack/node-light.nix index 7a648d4ee..1124d969f 100644 --- a/krebs/2configs/shack/node-light.nix +++ b/krebs/2configs/shack/node-light.nix @@ -17,7 +17,9 @@ in { inherit home; isSystemUser = true; createHome = true; + group = "node-light"; }; + users.groups.node-light = {}; services.nginx.virtualHosts."lounge.light.shack" = { locations."/" = { proxyPass = "http://localhost:${port}/lounge/"; diff --git a/krebs/2configs/shack/powerraw.nix b/krebs/2configs/shack/powerraw.nix index 64e1911cf..79ba567b6 100644 --- a/krebs/2configs/shack/powerraw.nix +++ b/krebs/2configs/shack/powerraw.nix @@ -19,7 +19,9 @@ in { users.users.powermeter = { extraGroups = [ "dialout" ]; isSystemUser = true; + group = "powermeter"; }; + users.groups.powermeter = {}; # we make sure that usb-ttl has the correct permissions # creates /dev/powerraw diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix index bed98d860..d8033f1e2 100644 --- a/krebs/2configs/shack/s3-power.nix +++ b/krebs/2configs/shack/s3-power.nix 
@@ -16,7 +16,9 @@ in { inherit home; createHome = true; isSystemUser = true; + group = "s3_power"; }; + users.groups.shackDNS = {}; systemd.services.s3-power = { startAt = "daily"; description = "s3-power"; diff --git a/krebs/2configs/shack/shackDNS.nix b/krebs/2configs/shack/shackDNS.nix index 00f79abc4..4e73023aa 100644 --- a/krebs/2configs/shack/shackDNS.nix +++ b/krebs/2configs/shack/shackDNS.nix @@ -30,9 +30,11 @@ in { users.users.shackDNS = { inherit home; + group = "nogroup"; createHome = true; isSystemUser = true; }; + users.groups.shackDNS = {}; services.nginx.virtualHosts."leases.shack" = { locations."/" = { proxyPass = "http://localhost:${port}/"; diff --git a/krebs/2configs/shack/share.nix b/krebs/2configs/shack/share.nix index 3eb30964e..bc483e8d0 100644 --- a/krebs/2configs/shack/share.nix +++ b/krebs/2configs/shack/share.nix @@ -7,6 +7,7 @@ home = "/home/share"; createHome = true; }; + users.groups.share = {}; networking.firewall.allowedTCPPorts = [ 139 445 # samba diff --git a/krebs/3modules/airdcpp.nix b/krebs/3modules/airdcpp.nix index 4ac6e30ee..259f613cc 100644 --- a/krebs/3modules/airdcpp.nix +++ b/krebs/3modules/airdcpp.nix @@ -269,6 +269,7 @@ let home = cfg.stateDir; createHome = true; isSystemUser = true; + group = "airdcpp"; inherit (cfg) extraGroups; }; groups.airdcpp.gid = genid "airdcpp"; diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix index 7a78880ea..8427ca50b 100644 --- a/krebs/3modules/brockman.nix +++ b/krebs/3modules/brockman.nix @@ -11,10 +11,12 @@ in { config = mkIf cfg.enable { users.extraUsers.brockman = { home = "/var/lib/brockman"; + group = "brockman"; createHome = true; isSystemUser = true; uid = genid_uint31 "brockman"; }; + users.groups.brockman = {}; systemd.services.brockman = { description = "RSS to IRC broadcaster"; diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index e55bd95ea..c30f31e31 100644 --- a/krebs/3modules/buildbot/master.nix 
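Review bot: In s3-power.nix the user is put into `group = "s3_power"`, but the line added after it declares `users.groups.shackDNS = {};`, so this hunk never creates the `s3_power` group. It looks like a copy from shackDNS.nix; the line should read `users.groups.s3_power = {};`. Unless the group is declared somewhere outside the hunk, the account references a group that does not exist.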
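Review bot: shackDNS.nix creates a dedicated `shackDNS` group but assigns the user `group = "nogroup"`, so the new group stays empty and the service keeps sharing its primary group with every other `nogroup` account. The other service users touched in this commit get a group of their own; `group = "shackDNS";` would match them and keep the service's files from being group-accessible to unrelated daemons.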
+++ b/krebs/3modules/buildbot/master.nix @@ -319,6 +319,7 @@ let users.extraUsers.buildbotMaster = { uid = genid "buildbotMaster"; + group = "buildbotMaster"; description = "Buildbot Master"; home = cfg.workDir; createHome = false; diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index d877b9911..f97b50def 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix @@ -128,6 +128,7 @@ let users.extraUsers.buildbotSlave = { uid = genid "buildbotSlave"; + group = "buildbotSlave"; description = "Buildbot Slave"; home = cfg.workDir; createHome = false; diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 7c896e90a..d919c8129 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix 
@@ -207,18 +207,45 @@ in { aliases = [ "qubasa.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEA65g1Xql+S+Dd90uDpSVxzGRTL8n4DHc1p9T8u9h7ioytC9B+e2dQ - RU/y3gdJ0gXxrbth36MhTANuUonnqpHvsWwUDCQRbxLEFh8avlzLsecWvwrIt3zL - 102EaVurRySUa83D6TK8ZsDa2+ADY7tEzfFMJhT53g7MpBNIeOquB0rR6hVYBbHc - 3B+QtwdM8dx1gO/5+FsPYhJbR7ARczYHsj7Eyb8NbdzthEO0ICDgwzmcXTJfVHGR - qfT7DUolXsu7uSPMLB+Pe/leI7XcQ2VFukpVGP0fZv0mSMxavFlcFVkLgdbAEd2H - DPEBEcJpLR4Hw3HlO1kPPufaUdoeNhUmTkIp76mkCbanS1P/aFNFFcVB+a/+tpdK - z5pG8K3qANg5txp6sAatPchvkeQelIg11lvT9luc+nFsTEW6Ky5nDLo60luZVFnn - i1bdVeOojXR0u7M2gMqQZcSuscvy8APe48S8vPsqoiob1l/r77B7iNrWDwH8IutW - u8fpC64CbhlR76Orp3xTZPmJQCRT8XYpKDDoq5Z7prdlAEz3U6wEfVckVv+f1dmU - odG0zDTsmyKhkWWmZbPgPrOEUvAVoSpSLSQQxPR+UHArlgYe+2dAf8IHYqrgmhuO - D4Lga4nNwTyVbCZ8vUu5b/lnGCLpNcVj22WVQTdAJzNsCVTdIM2V5hcCAwEAAQ== + MIICCgKCAgEAwEaIkC/JxEI6mAnA2lnoNYRSVAVOggtm7XBAX2tTq9OCnwgh6Nnr + Bv8S6j8HBybMqZHKBlfFUo+Trm7Ig/g8KI8xwm2ThO83GnXLyu5qoIFLgjAtvx9w + uh/ZGIn2MKHy0aZ6J/HqDEbsr6XC/YpLb3mA3C5Msaiand0zmAh1oYQVvNJMLgLA + HgBr7a14ngyndwGiBoFDoHu2gtPXTallruv/eopnOVaidkyNRDlMhbqr/Xkxlwov + E2pewl+IKvt5WnGzCHDFvHYCDpeKX9ZAiBBJQ5tgGhxScN5rJ4Omx7iVbnjjPMzs + 1VSRgOqR1xPk5aMa0ByV2P978mNJL6MwIEhnGjg6Dyr1hvmjFxKjj+Pd8IWAeli9 + G3Xq4xJ8+vRbFBoqzBuxcUOTN/V1i1XECGMxEg5cE+9tp+2mvOSpiChkpxeGA42Y + KbcVR7df2bjIQ+8IQzgPkpGnpG/XwC8JKsy+2jiiXOWrwUDfEFrkFaqGNareTeST + ynkbl+y8PgtoHloubckKoXqyY/zHTG3gDDW7SLfr/OpHqyq8MtITyojwMB/Ijyzo + 6mAPiTLI7oFYpWIP0UiM7u4o6iDW9S8G9l+vLZJyEmhEUZJUkWoXRy2Ibd6ix0L3 + eA6izpRuehl1OLePY4HNkuqOgXiEf1mgNcoGnyx3kzKYa1cUlMP0ve8CAwEAAQ== -----END RSA PUBLIC KEY----- + Ed25519PublicKey = dqJq+qESCNakC3p9duc5LrG26D1scj58Hy1S5kPGtME + ''; + }; + }; + }; + + keller = { + owner = config.krebs.users.qubasa; + nets = { + retiolum = { + ip4.addr = "10.243.30.2"; + aliases = [ "kelle.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA3jJgnaEJnKiBILtdtIROVfJJ1IgQSdfAw83aNE8xinkIFkP8lSFS + 
Nd1C9pRI2r8Tjut/MB0b7MRlwOS2FWP1COcKzZGR4gKSiwK9oWGy6Vf5Qvrsd5M+ + 0roUsf6Km/muJgqhWYY4OOaDK3LSp4mAo8H9+pibH9GuMuhu/Ebe0gtwnoOuuQs5 + GeHtaBrtpiGX2WvIU2S1TwDw0cmheEbqyaQ9COSqdOW1ldbfAbh7Zv38iUzMNXJ2 + yAWUfT5eYsIWlQc55JzEABuxIZEFj7BiR2vQYjVa+sIjsb+vI/6SFK4uiuqPP0dW + xFAQyRuQbW0gyooMLXnZ6ByD/t4mFpk7Eo1Sxiv8CdgDI/lELZ1h7jTYKrcuPHYc + P9m2Ut9FxuFMl+s2etkVUVGba2Kz9b9iwvvAZUtU85UrsQCkrghIT0Hm0SIdYQHO + +WyCw46okk5xLicXEd+RgwlWWq+AJeo0LKof3uoRnjQq1kkU5E0nGX/YqRa3YIxV + qmShTnQSTGUe6qVz1uAoh+ljTEUWWgW5UKuHPn1gdqFcIJ+4DSkJgiQ/cbSXtyp0 + 35bQuqjpFe/bwW1PuK6YspMRK2hQrYkypQNrvjcz0RJJc/1ULILTl0NaZEMtCcj2 + t7KpA6wY6WIz5+uTVBnc3vQrcBebfSWzl0IWxjaSufp8ojq5B7mz8s0CAwEAAQ== + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = HeSMxgGaB9alyS0n766TJ3qA2fAwvJmMyLPFbYhfZdJ ''; }; }; @@ -633,8 +660,10 @@ in { }; hydrogen = { owner = config.krebs.users.sandro; - nets = { + nets = rec { + internet.addrs = [ "hydrogen.supersandro.de" ]; retiolum = { + via = internet; ip4.addr = "10.243.54.54"; aliases = [ "hydrogen.r" ]; tinc.pubkey = '' diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index b4e046303..0e6812a35 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -224,10 +224,8 @@ in { retiolum = { via = internet; addrs = [ - config.krebs.hosts.eve.nets.retiolum.ip4.addr config.krebs.hosts.eve.nets.retiolum.ip6.addr ]; - ip4.addr = "10.243.29.174"; aliases = [ "eve.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -451,6 +449,7 @@ in { nets = rec { internet = { ip4.addr = "129.215.165.75"; + ip6.addr = "2001:630:3c1:164:d65d:64ff:feb0:e8a8"; aliases = [ "sauron.i" ]; }; retiolum = { @@ -707,8 +706,8 @@ in { nets = rec { internet = { # eva.thalheim.io - ip4.addr = "157.90.232.92"; - ip6.addr = "2a01:4f8:1c1c:9a9::1"; + ip4.addr = "131.159.102.4"; + ip6.addr = "2a09:80c0:102::4"; aliases = [ "eva.i" ]; }; retiolum = { 
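Review bot: The new `keller` host in external/default.nix is given the alias `kelle.r`, which does not match the host name and is probably meant to be `keller.r`. In the same hunk the RSA tinc key for `qubasa.r` is replaced outright and an `Ed25519PublicKey` is added. These entries appear to be what peers use to authenticate the host on retiolum, so the commit message or a comment should record that the rotation was confirmed with the owner.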
@@ -798,7 +797,14 @@ in { ryan = { owner = config.krebs.users.mic92; nets = rec { + internet = { + # ryan.dse.in.tum.de + ip4.addr = "131.159.102.8"; + ip6.addr = "2a09:80c0:102::8"; + aliases = [ "ryan.i" ]; + }; retiolum = { + via = internet; addrs = [ config.krebs.hosts.ryan.nets.retiolum.ip4.addr config.krebs.hosts.ryan.nets.retiolum.ip6.addr @@ -823,7 +829,14 @@ in { graham = { owner = config.krebs.users.mic92; nets = rec { + internet = { + # graham.dse.in.tum.de + ip4.addr = "131.159.102.9"; + ip6.addr = "2a09:80c0:102::9"; + aliases = [ "graham.i" ]; + }; retiolum = { + via = internet; addrs = [ config.krebs.hosts.graham.nets.retiolum.ip4.addr config.krebs.hosts.graham.nets.retiolum.ip6.addr diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 9421576df..71eed6c69 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -66,11 +66,14 @@ let users.users.${user.name} = { inherit (user) uid; + group = user.name; home = cfg.dataDir; isSystemUser = true; }; }; + users.groups.${user.name} = {}; + user = rec { mail = "${name}@${config.krebs.build.host.name}"; name = "github-hosts-sync"; diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix index 517dad76f..4221703ec 100644 --- a/krebs/3modules/htgen.nix +++ b/krebs/3modules/htgen.nix @@ -69,10 +69,13 @@ let users.users = mapAttrs' (name: htgen: nameValuePair htgen.user.name { inherit (htgen.user) home name uid; + group = htgen.user.name; createHome = true; isSystemUser = true; } ) cfg; + users.groups = mapAttrs (_: _: {}) cfg; + }; in out diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 776b893f5..f796f0323 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix 
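Review bot: In github-hosts-sync.nix the added `users.groups.${user.name} = {};` appears to land after the `};` that closes the enclosing attribute set, next to the `user = rec { … }` binding of the `let` block, rather than beside `users.users.${user.name}`. In that position it would not declare the group that `group = user.name;` refers to, and a dynamic attribute name is not accepted in a `let` binding. The hunk starts and ends mid-block, so check the placement against the full file and move the line inside the set that holds `users.users.${user.name}`.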
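Review bot: In htgen.nix the users are keyed by `htgen.user.name` (via `mapAttrs'` and `nameValuePair`) and get `group = htgen.user.name;`, but the groups are created with `users.groups = mapAttrs (_: _: {}) cfg;`, which keys them by the attribute name in `cfg`. If `user.name` differs from that attribute name (its default is outside the hunk), each user points at a group that is never declared. Building the groups the same way as the users avoids the mismatch: `users.groups = mapAttrs' (_: htgen: nameValuePair htgen.user.name {}) cfg;`.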
@@ -187,6 +187,30 @@ in { ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY"; syncthing.id = "DK5CEE2-PNUXYCE-Q42H2HP-623GART-B7KS4VK-HU2RBGQ-EK6QPUP-HUL3PAR"; }; + arcadeomat = { + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.77.67"; + aliases = [ + "arcadeomat.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzpXyEATt8+ElxPq650/fkboEC9RvTWqN6UIAl/R4Zu+uDhAZ2ekb + HBjoSbRxu/0w2I37nwWUhEOemxGm4PXCgWrtO0jeRF4nVNYu3ZBppA3vuVALUWq7 + apxRUEL9FdsWQlXGo4PVd20dGaDTi8M/Ggo755MStVTY0rRLluxyPq6VAa015sNg + 4NOFuWm0NDn4e+qrahTCTiSjbCU8rWixm0GktV40kdg0QAiFbEcRhuXF1s9/yojk + 7JT/nFg6LELjWUSSNZnioj5oSfVbThDRelIld9VaAKBAZZ5/zy6T2XSeDfoepytH + 8aw6itEuTCy1M1DTiTG+12SPPw+ubG+NqQIDAQAB + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = n/HMlgTTyLa0fcXqSBO/G6sVOUYh2yZ5PfU4vLI9CJO + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOu6EVN3928qWiWszqBUzOjeQJRvFozTBl4xAhBP/Ymc"; + }; wolf = { ci = true; nets = { diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 2475a0d5a..280021347 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix 
@@ -14,7 +14,47 @@ in { dns.providers = { "lassul.us" = "zones"; }; - hosts = mapAttrs hostDefaults { + hosts = mapAttrs (_: recursiveUpdate { + owner = config.krebs.users.lass; + ci = true; + monitoring = true; + }) { + dishfire = { + cores = 4; + nets = rec { + internet = { + ip4 = rec { + addr = "157.90.232.92"; + prefix = "${addr}/32"; + }; + aliases = [ + "dishfire.i" + ]; + ssh.port = 45621; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.133.99"; + ip6.addr = r6 "d15f:1233"; + aliases = [ + "dishfire.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs + Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7 + uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK + R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd + vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U + HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.port = 655; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; + }; prism = rec { cores = 4; extraZones = { @@ -31,6 +71,7 @@ in { 60 IN NS ns16.ovh.net. 60 IN NS dns16.ovh.net. 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} IN MX 5 lassul.us. 60 IN TXT v=spf1 mx a:lassul.us -all 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) @@ -58,6 +99,10 @@ in { addr = "95.216.1.150"; prefix = "0.0.0.0/0"; }; + ip6 = { + addr = "2a01:4f9:2a:1e9::1"; |