From 3a35c4c0594c04fb7fa2ec157e9a342e2ffd9fee Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 Nov 2022 22:57:52 +0100 Subject: l: init massulus.r --- krebs/3modules/lass/default.nix | 50 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 44 insertions(+), 6 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 3e58fee1..bb5b1613 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,12 +1,6 @@ with import ; { config, ... }: let - hostDefaults = hostName: host: flip recursiveUpdate host { - ci = true; - monitoring = true; - owner = config.krebs.users.lass; - }; - r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address; w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address; 
@@ -592,6 +586,50 @@ in { syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM"; }; + massulus = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.113"; + ip6.addr = r6 "113"; + aliases = [ + "massulus.r" + ]; + tinc = { + pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt + ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN + ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K + zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3 + F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e + v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd + kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF + LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW + EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb + KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl + oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00 + yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ== + -----END PUBLIC KEY----- + ''; + pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM"; + port = 1655; + }; + }; + wiregrill = { + ip6.addr = w6 "113"; + aliases = [ + "massulus.w" + ]; + wireguard.pubkey = '' + 4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ= + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 "; + }; + phone = { nets = { wiregrill = { -- cgit v1.2.3 From 25a384254b15433dfeb67ec03ef7416b1baef5df Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 15 Nov 2022 00:02:44 +0100 Subject: l massulus.r: disable ci --- krebs/3modules/lass/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index bb5b1613..dd516428 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix 
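Review bot: The `ssh.pubkey` string of the added `massulus` host ends with a space before the closing quote (`…LDl9t7 "`); trim it to `…LDl9t7"` so the key is stored in the exact form in which it is compared or emitted wherever the module consumes it. The line `ssh.privkey.path = ;` shows an empty right-hand side in this rendering, which is presumably a stripped `<secrets/…>` path rather than a real gap, but it is worth confirming on the file itself. `wireguard.pubkey` is given as a `''…''` block and therefore carries a trailing newline, whereas `pubkey_ed25519` uses the one-line `"…"` form; unless the consumer trims the value, the one-line form is the safer choice for a key.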
@@ -588,6 +588,7 @@ in { massulus = { cores = 1; + ci = false; nets = { retiolum = { ip4.addr = "10.243.0.113"; -- cgit v1.2.3 From 1db7318c3f4e8a50f07e45ae458ab8fcca6686cb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 15 Nov 2022 15:48:15 +0100 Subject: lib.host: add consul option --- krebs/3modules/lass/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index dd516428..ca0c757a 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -10,6 +10,7 @@ in { }; hosts = mapAttrs (_: recursiveUpdate { owner = config.krebs.users.lass; + consul = true; ci = true; monitoring = true; }) { @@ -412,6 +413,7 @@ in { }; xerxes = { cores = 2; + consul = false; nets = rec { retiolum = { ip4.addr = "10.243.1.3"; @@ -632,6 +634,7 @@ in { }; phone = { + consul = false; nets = { wiregrill = { ip4.addr = "10.244.1.13"; @@ -647,6 +650,7 @@ in { syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ"; }; tablet = { + consul = false; nets = { wiregrill = { ip4.addr = "10.244.1.14"; @@ -661,6 +665,7 @@ in { ci = false; }; hilum = { + consul = false; cores = 1; nets = { retiolum = { @@ -836,6 +841,7 @@ in { }; lasspi = { + consul = false; cores = 1; nets = { retiolum = { @@ -879,6 +885,7 @@ in { }; domsen-pixel = { + consul = false; nets = { wiregrill = { ip4.addr = "10.244.1.17"; -- cgit v1.2.3 From b25095866d498c0447801dc68e83a40c95df1a3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 20 Nov 2022 21:09:11 +0100 Subject: mic92: add host ruby --- krebs/3modules/external/mic92.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 35e72ec2..2a3604b2 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix 
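Review bot: `consul = true;` in the shared `recursiveUpdate` defaults makes consul opt-out: every lass host not touched by this commit (including the just-added `massulus`) now gets `consul = true`, and any host added later joins silently unless its author remembers `consul = false;`. Six hosts already need the explicit override here, which suggests the inverse default — `consul = false;` in the defaults and `consul = true;` only on the hosts that are meant to run an agent — expresses intent better and fails safe. The option itself is not in this diff (the subject says `lib.host`, but the diffstat is limited to `krebs/3modules`), so its type and declared default cannot be checked here. Placement is also inconsistent: `xerxes` puts `consul = false;` after `cores`, while `hilum` and `lasspi` put it before.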
@@ -929,5 +929,30 @@ in {
 };
 };
 };
+
+ ruby = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ aliases = [ "ruby.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAzqrguDMHqYyidLxbz3jsQS3JVNCy0HaN6wprT1Ge1Anf5E8KtuXh
+ M9IjYPShzzJ162rYaJdd2lBmc5o435j+0/Gg5pySILni9bILhuRr7TMWN0sjNbgr
+ x0JRbpMmpW5DOmQx1BSyA+LLNbyVVnCc1XI0P2EaRr1ZrRSU0bpE/7kJ//Zt7ATu
+ GfqJTuL2aqap12VMKAfjRByyXA9V7szJMRom2Ia3cWSXhie1E0OOvCNT+InKXx4c
+ QbEGX71noCgsNgxbD8AVSwMnNV15vdnbgwK/1QzA0Cep1uxFS05TXJZLZTjcGwG0
+ Kp0kEjntq1rCqgdoUHIubNB17efU/oP6aSrdfvtgeYBjn0zSLHSUYdhf3JHd1Fvf
+ Ov2TwHxt/sm8d91UjhrkYwjf2nzSruAklYDnIDJiHgLFoT5WuOoVlnfUjRpQEw44
+ kp8KXsd24Y0UT5XJO5cQA+kZ1vl2ktHbQGTqYuYDB2FKEnBR/JIwJzJfugcGiyRx
+ OukQ2/rjnS60JA2pHUEfoezIAMhYAF+EPgOgMcNSSRYUVBpPVKD26oGTrNn0AtnO
+ ALW1vqUDwxb0cpv877vN1VfqvLE8n8Zgtt7itdT0+vxNPxICvF6//LNYUeDoQ3pj
+ w+1ZSdYZsvIQ7tDcilnL0hU5/nfsSIbHV+ceuLde1xDt5c7Tnl4v/U0CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "TV9byzSblknvqdUjQCwjgLmA8qCB4Tnl/DSd2mbsZTJ";
+ };
+ };
+ };
 };
 }
-- cgit v1.2.3
From ad40a2e283f35a80b958bf33ce1635a1b5e4874d Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 21 Nov 2022 15:04:30 +0100
Subject: ergo: use ergochat package
---
 krebs/3modules/ergo.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 50c5ab62..d5f167e7 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -122,7 +122,7 @@
 # reloadIfChanged = true;
 restartTriggers = [ configFile ];
 serviceConfig = {
- ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
+ ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
 ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
 DynamicUser = true;
 StateDirectory = "ergo";
-- cgit v1.2.3
From e533961536b6b41f4758c0db117240eb551dc892 Mon Sep 17 00:00:00 2001
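Review bot: Unlike the host entries elsewhere in this diff, `ruby` declares no `ip4.addr`/`ip6.addr` under `retiolum`, only `aliases` and the tinc keys; unless addresses are derived automatically for hosts in this file, the generated tinc host file carries no `Subnet` for the node — compare with a neighbouring host in `mic92.nix` before merging. `nets = rec { … }` uses `rec` although nothing inside refers to a sibling attribute, so plain `nets = {` would do. The `ruby` definition is complete within the hunk, closing at the third `+ };`.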
From: lassulus
Date: Mon, 21 Nov 2022 23:34:30 +0100
Subject: l: rotate yubikey pubkey
---
 krebs/3modules/lass/pgp/yubikey.pgp | 144 ++++++++++++++++++++++++------------
 1 file changed, 96 insertions(+), 48 deletions(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/lass/pgp/yubikey.pgp b/krebs/3modules/lass/pgp/yubikey.pgp
index d7b3c29c..be105404 100644
--- a/krebs/3modules/lass/pgp/yubikey.pgp
+++ b/krebs/3modules/lass/pgp/yubikey.pgp
@@ -58,52 +58,100 @@ D7u4ShvPtxqFf+mv/4eHYx2akBIIUQYAf5OYGnE3E0kqiuK4qHKgt1NI5z1mSd9D duWIuoRbBUrApTKsHgwtMxNrNVioGIE1dTRuu56drhwY2ZPyzVtSb7q/hRU/a3UZ 5S6EsrmDGIIlAHrgKfKfuerESE5VzN1Nn3QHpfjwX+gq51cosTqlRiu4oMesPk31 ZmPcuG6H/m7nGagX9+l00sDsqISqMG4lZCJAFa020OS/g6V3q6LCqggky6+4sQTG -5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLi5Ag0EXaJN1gEQANML -yxoeknGlTtkG640UP5ZkUEojwXxlni3v2dpWEaEJO9yqvkELCWum5pRz+iDzoDFS -lUPnP3YKVFkLbAlk56abIAQ6VK7wkOSHCw1F7LlCY830bRkgGJ8/b8us9KpET6Am -ei7OGYVtqNBUodEJi6XkH5q9RLQeVR+7ynt0LTAxO/mMFYc3nhccrhadubhh5rTd -e/UcxBL/zYx8tCBy2F4ep6Anx02HOauTwaqk4KLhB9IcdS8sJQHFY7iEVWNcovwF -8luGEGPJOdOPTMZz4jD4aWFqbT6ragWaG8tisLEe9UhET2LL3r/4DIgAJY4bwg5T -ZyK/1j+Nj1IyYkQ9A6YF96Y5XCi9DF0MYq9NytWNnMCT8F4QCCDRWhgql714/Er/ -qfwnT2M6m8P4OS1sAHv5vDDYXezB0WrJNstYvhtHhi4ctuolBuwOb7nyIBlZovhk -5/6IAFmoUprfGHOuttEcPTRDGv737cR1cYaz5QMuz2svNU3ivI/tYfIQwMAjv84A -ZN2wl63QkghYo/dm9a5Ex78CNwZD/z7HOE3zD+Rd0C9/hXLpVVhN0mKmDzgJHPUo -VDk//P3YgzM+dtUWWPJ1FfaTz2543V9MwVWUJQj0DIgl4noLHX3wkd/d4gYGAhlW -kBxkbQPJ4NT7EKBFk44fa6DVuGOGatBAxKQq1GftABEBAAGJAjwEGAEKACYCGwwW -IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCX4l2DwUJBamPOQAKCRBmV76KjR7oB/Ds -D/96TGfHa6BW1v2kUyHUKmpdk62UhZz49nTsOu1JeMI2cDMLkKaPyeKLsRpzV2qc -OoG1dal7dgjtzKsWdz0HxrrbEs0rBJO4xOmg12Sv9fttTocTt2bQMe3d20Vihbi+ -NDEx2PeyncYulDd8PNfDkh8vWUJQoThqimXoVARwKNuH2oDytGceIp+BZLOH8HRz -0ESH9nCAGw3gVX6vQPtjbMgoIXHAnAJkIe2boyyUHu2ZmD6CGjxGSSICMzShcDvN -kcyPKG5BbOGRpbehaMcOOiGH0NsudUPOsyxQt90bP/U+WHPhvOTGk0PqGaOf8QDE -saGlChd3wVK+uCGl60szcxQsbgzlEQVUG3tTW4QGfzL3XK5bHvuGj03Vb45005Y4 -6UCUP4ZkEYDsw1Hrn5bkPOP/Pc8Sz1MQt+nw1U3QXbHLxLb8fB82B6oDMakHPgaw -73HxYwbaXDswBb6BVTc86RmXRH1+StObDiJp+h16EqdsSyp15tSM80GRf1KaNKxc -MA4N7/i7j9M/z2fKWT7vTAGdcg8vhZH0MDQ9vRmYsuQZtoNieZVXnyQ/ILAgPhiL -pdyPffQV0BpWKd68C8kEhoMP0D3h6Uj88ZOuapyOCvsrBvR7SQOVh+L+KMjh1Xgx -WvPJuoU4Jox4og85/Gz0Ui8EROYyHg5yqPqsBBmz6h8F7rkCDQRdok4KARAAyG97 -rjKhP8Uie1i/16SekDo+GkpodBmvhrZiZdwg75YxriHhgioe2AKKmQItOdZOY+mV -qMA63FmByDlPodHmQnrIAn/gr7p5V3lM+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBk 
-L6P2cPPaTpcv76qWl/WcMiEflPNSAFaxyIapq04rafthcIILWmOBbQ+liMn9YT7a -6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAceQQYAqIrlu8F5y1AQVWHjtyCPee1z/8l -PNnPg40lSbXozg5kQDP965Pge6XReUoUVVRcgeiSUfkHdYPIkh/tkFy1MtzTNize -buadqE41Ds6BD1maO5cpGc5iFnf+YY01vWIhwvgPMbAsUKrPOw/RyvYSwOrnWegh -pKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm64rKyYS8RIilqTCmIHnpoSIq3n1wOlMV -X4sB4N4CfAZRAbI9LZfx1QEYn0dst9+mCDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh -81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN -6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BPg6qZH7JeMnlOZXXOg8K5VcLkiGuL1brO -Hlg94Axha8ffMmqjsde6XOAgvSl5P9k47SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYh -BNvNdXhGBps5LqlAHWZXvoqNHugHBQJfiXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP -+gJ01mSEs3+0jriWqg7V+Q59rulMVrUdV2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/ -Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOiczGClK+yWSm/CM02+HATFws66umAl4GQ4X -qAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCAdn55u4pf+B1rmkA3cWhN51SvAriA/YcG -qmyJZgXO+qZOPWNHxNUdgq9lVEO132dhDzH1b9ufnvQMDxF2V681fQ7E3zWEJZZb -YLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU161jSawblBTcIRXK9c4hv178xQWAInMjt -Hst4YCpvclG26ypZLCzvw6swfnXf3A6Q4A8pZQVvogWZ01dlgofwHm8qlYxT7wSq -eicOu3FkSHD8vNwkXnMLqxwkFr4BcSefzCiXulyMcb3h67ZfXAYAFGrrR581vGEt -Xy+xfXK5PqBX7CWEl3Vs2an9whEncZuv1I9iyXDUmGP7Y373JjqNtpS2GMMPA73k -nB7eI/zpVS5qoxUlqw35Pldvt+L4E3hvrvE7iZE3w4lB9WUyY1OnSRDU10l2rqWt -Ptyk3LE2ed5hz5I+gy8/RsXrAooMBXIGV/GJrhye45wf5F/XQqPulnj38sKhmrQC -QTubPgJwG/kTpNdrA3YukE3E7T5ejaGTT2n5nKat6bj7 -=h9fX +5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLiJBGwEGAEKACACGwIW +IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCY1E8SAJAwXQgBBkBCgAdFiEEVAotn4qI +hqe83vdsfheGip18nM8FAl2iTZIACgkQfheGip18nM9DVxAAuqX7iztddbttkIfN +65R5XJPjz7NRg0AI8G+1qnkvF3c2ufNjL++BJSvlbi/2ov92S+0CPF08E4kDsHjA +/JM782D6lDfSZltW4YBBqkJZdtiPElcIqIhM6EX7fs3Ag/RjUVPb4tYkH20xcNhy +l+0RdBuSvR0+KOXXBfoNmsyQM4/hUKiWW3vGOZOBmYPNcvAQcMs+p4D5JHQcOyxg +tXyiXU/VxvUWI7cH6I7daRDTFR3L4zXoIrRwqEgxIqof2Zm4smoHDLfXxGQrcjj6 +eKkn/gt/T7qYxnhcG5guS2DwIay5c7xV1xuB7pDgM1On56heD21DI4vtXXnTkjo7 +/6hsw2e6TBcn295fEekvBupYVwazefBSlr2f3xxlDvd35D5tWZRVGspzxO15DcTa 
+TglOeNtRnYGRwHwE/tiJ0G0uwGfvaI0xeexuhnTfvEkpJ4SJ/iMl+FpOw7I35H7m +z8MrRNMjtR+Es8gzuw7hNErmbh0SLZvddoPnqt9kF8ayA1iz1X9KiBkkj3EbvI99 +jYjdDDm5lsxCZKLSX4r9Mp236K6DMGlifRN2AfdXziXhPABQkKE5m7kcn1gALn9M +cg5HgeXTdxan6QP35ygDtmNldJGEP+AWAZ4RwaFK8P3/oqQ/8XhnkwH5n2SPd8WQ +qnldvrtajUzUegvJUstLS5B1TFQJEGZXvoqNHugHrtcP+waicH+WhpbvPoHJW//U +c7IwcrsOpWNuh0gKV1+LvBV9dGzGZDlhwsncMeNzT8tnxDwhD1CiJ1uzO2H1m+yX +CeljVnYFlP0sl9IT/AiV8NNiuaIpOc5RjRY1yvOZ017/J7Hyhnaw0iap1vNDNOwH +t7tzB1PvM3p6an4Jh0AJZF5adReQTbi9Zw7MW2Yf0XHTT4rFX+Mn5gcuvsV9n39d +6U3k5G6Hf1bSROsXNVwOwF6VbO8NvBm6ehgNyRcGsino/f82HRwvnQPhJgEakZ1h +WWUUnakK14mRRMUns8CMNfFh+50ciK1Q8kAVgYLVA1H1NXM0+68YZMl5CiiaD3pM +17flwcWUdkIu3uWAvc3hSCNw6i9F4Kx1yD/ZdiT0vBapa3ehUXIo5g79NcFl9xnQ +fnYG+nnl2bLZSHP8b+LZsGivOEZuBHoR2ComeTqqJxeT8ZsEdtLcloaSaf2Em2xf +b9OfhGOC7hKfS4HAlLFbEydWuZuA8EpTXd6eqINCFbOb9BjpKvSCCLs5S3s7T4WE +FQB7yHXQQgB1EzYaJxFZstkiD8exu/hiWfwVLaho09QbtPmt2u1lvbxiSxtCdphi +hoKc6wjhD8F9YM5xxitcF7iAV7oEDZ/1JVkvi/1gWFgW0UmEKuy2KN/Eb/mr41NJ +bMauCCfjnCbAzoW6dhHpbO45uQINBF2iTdYBEADTC8saHpJxpU7ZBuuNFD+WZFBK +I8F8ZZ4t79naVhGhCTvcqr5BCwlrpuaUc/og86AxUpVD5z92ClRZC2wJZOemmyAE +OlSu8JDkhwsNRey5QmPN9G0ZIBifP2/LrPSqRE+gJnouzhmFbajQVKHRCYul5B+a +vUS0HlUfu8p7dC0wMTv5jBWHN54XHK4Wnbm4Yea03Xv1HMQS/82MfLQgctheHqeg +J8dNhzmrk8GqpOCi4QfSHHUvLCUBxWO4hFVjXKL8BfJbhhBjyTnTj0zGc+Iw+Glh +am0+q2oFmhvLYrCxHvVIRE9iy96/+AyIACWOG8IOU2civ9Y/jY9SMmJEPQOmBfem +OVwovQxdDGKvTcrVjZzAk/BeEAgg0VoYKpe9ePxK/6n8J09jOpvD+DktbAB7+bww +2F3swdFqyTbLWL4bR4YuHLbqJQbsDm+58iAZWaL4ZOf+iABZqFKa3xhzrrbRHD00 +Qxr+9+3EdXGGs+UDLs9rLzVN4ryP7WHyEMDAI7/OAGTdsJet0JIIWKP3ZvWuRMe/ +AjcGQ/8+xzhN8w/kXdAvf4Vy6VVYTdJipg84CRz1KFQ5P/z92IMzPnbVFljydRX2 +k89ueN1fTMFVlCUI9AyIJeJ6Cx198JHf3eIGBgIZVpAcZG0DyeDU+xCgRZOOH2ug +1bhjhmrQQMSkKtRn7QARAQABiQI8BBgBCgAmAhsMFiEE2811eEYGmzkuqUAdZle+ +io0e6AcFAl+Jdg8FCQWpjzkACgkQZle+io0e6Afw7A//ekxnx2ugVtb9pFMh1Cpq +XZOtlIWc+PZ07DrtSXjCNnAzC5Cmj8nii7Eac1dqnDqBtXWpe3YI7cyrFnc9B8a6 +2xLNKwSTuMTpoNdkr/X7bU6HE7dm0DHt3dtFYoW4vjQxMdj3sp3GLpQ3fDzXw5If 
+L1lCUKE4aopl6FQEcCjbh9qA8rRnHiKfgWSzh/B0c9BEh/ZwgBsN4FV+r0D7Y2zI +KCFxwJwCZCHtm6MslB7tmZg+gho8RkkiAjM0oXA7zZHMjyhuQWzhkaW3oWjHDjoh +h9DbLnVDzrMsULfdGz/1Plhz4bzkxpND6hmjn/EAxLGhpQoXd8FSvrghpetLM3MU +LG4M5REFVBt7U1uEBn8y91yuWx77ho9N1W+OdNOWOOlAlD+GZBGA7MNR65+W5Dzj +/z3PEs9TELfp8NVN0F2xy8S2/HwfNgeqAzGpBz4GsO9x8WMG2lw7MAW+gVU3POkZ +l0R9fkrTmw4iafodehKnbEsqdebUjPNBkX9SmjSsXDAODe/4u4/TP89nylk+70wB +nXIPL4WR9DA0Pb0ZmLLkGbaDYnmVV58kPyCwID4Yi6Xcj330FdAaVinevAvJBIaD +D9A94elI/PGTrmqcjgr7Kwb0e0kDlYfi/ijI4dV4MVrzybqFOCaMeKIPOfxs9FIv +BETmMh4Ocqj6rAQZs+ofBe6JAjYEGAEKACACGwwWIQTbzXV4RgabOS6pQB1mV76K +jR7oBwUCY1E8SAAKCRBmV76KjR7oBwM+D/0evufvIWftzdge63hol1k4LdZSiSD9 +bh+h8fb/Mm+2HIS8RweHr1+CS8CW/Om9MJoW0ZDsCmC0vU44/vLL3JzbP4+BDuVF +dky1XX/9Z73Fn/LpakITyXd6YJMsknzAA4ZEzhe4uModNSH5IU818I+/Vyvbe1nX +Hfg2FYva4zVn9E5Gd4vpHBF7D99dGg0vUINtux06WKfdsDB59MiZxCSWfqty+yTM +XWwh5fuFIxwjlkKVdrb45101MnUtzJDmxwPxjOpF+z2tJ0qIvs6Zu6FDEh7fcaJM +mKAPtVXKRxTYaS6j7fpNk5ACFgiHDb+0mI60fH0eiQSqp9Q7cyYbt1yiW2bKY4Pg +qDOtcLT+uIYYVmxBHTLx38gT3Gp83O7WqNZ9ouctIXAXHWwTNsKzMhwgaEmmPbkP +7VO8oZZ9hVphirmijgNO1Oz7Qqh5ORYwsGdvYtbPXD4ZUSpqFT5bTMHS5TKPHf70 +5alkwYuwYfLs4m2zYsKadQ+vq12ZX7Z6+DbjfzWAEhzqLP2Y8yGnFSBSmULsALnj +Zg3RN5sxJe3fhTze09Fm8OTopTLoDH5fR91VPhRLGHahvV1Sm/H4ZdtAXTPsHP20 +phAc8mK2DgEM0k7vDO5RtV4xTLjBopiciXIBL+TzCKGmDRX2+9nTyF3Kx9qjN52H +EFFJ1mTed/J7VrkCDQRdok4KARAAyG97rjKhP8Uie1i/16SekDo+GkpodBmvhrZi +Zdwg75YxriHhgioe2AKKmQItOdZOY+mVqMA63FmByDlPodHmQnrIAn/gr7p5V3lM ++l0oVTI8maPO39iT7Nh6W/rv4ni8eMBkL6P2cPPaTpcv76qWl/WcMiEflPNSAFax +yIapq04rafthcIILWmOBbQ+liMn9YT7a6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAc +eQQYAqIrlu8F5y1AQVWHjtyCPee1z/8lPNnPg40lSbXozg5kQDP965Pge6XReUoU +VVRcgeiSUfkHdYPIkh/tkFy1MtzTNizebuadqE41Ds6BD1maO5cpGc5iFnf+YY01 +vWIhwvgPMbAsUKrPOw/RyvYSwOrnWeghpKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm +64rKyYS8RIilqTCmIHnpoSIq3n1wOlMVX4sB4N4CfAZRAbI9LZfx1QEYn0dst9+m +CDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1 +MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BP 
+g6qZH7JeMnlOZXXOg8K5VcLkiGuL1brOHlg94Axha8ffMmqjsde6XOAgvSl5P9k4 +7SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYhBNvNdXhGBps5LqlAHWZXvoqNHugHBQJf +iXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP+gJ01mSEs3+0jriWqg7V+Q59rulMVrUd +V2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOicz +GClK+yWSm/CM02+HATFws66umAl4GQ4XqAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCA +dn55u4pf+B1rmkA3cWhN51SvAriA/YcGqmyJZgXO+qZOPWNHxNUdgq9lVEO132dh +DzH1b9ufnvQMDxF2V681fQ7E3zWEJZZbYLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU1 +61jSawblBTcIRXK9c4hv178xQWAInMjtHst4YCpvclG26ypZLCzvw6swfnXf3A6Q +4A8pZQVvogWZ01dlgofwHm8qlYxT7wSqeicOu3FkSHD8vNwkXnMLqxwkFr4BcSef +zCiXulyMcb3h67ZfXAYAFGrrR581vGEtXy+xfXK5PqBX7CWEl3Vs2an9whEncZuv +1I9iyXDUmGP7Y373JjqNtpS2GMMPA73knB7eI/zpVS5qoxUlqw35Pldvt+L4E3hv +rvE7iZE3w4lB9WUyY1OnSRDU10l2rqWtPtyk3LE2ed5hz5I+gy8/RsXrAooMBXIG +V/GJrhye45wf5F/XQqPulnj38sKhmrQCQTubPgJwG/kTpNdrA3YukE3E7T5ejaGT +T2n5nKat6bj7iQI2BBgBCgAgAhsgFiEE2811eEYGmzkuqUAdZle+io0e6AcFAmNR +PEgACgkQZle+io0e6AfQpg/+K0gD0WVyXYLOEM6jCvtz5/f9nDQnqj90ck9VfpuN +QG+cMSK/u3T4ya0k3UDWxEyRih0BzChOlmwnaupBwN7ZbYAzxM0sglwseSdAPpCE +s63RTnaAxpSWFocsUxtJngSoPnnmD1fVbWL3/j9j6jZkT4NB/l2ekDngMyRqt104 +BmabaLdz44X1VDgg0tXyACkZ8c/8ISBOoPSFg2n9FuCmhI9Atu6hjCFQZOA/youA +fXzeUxU3iFw5UhyNP084jZ9AK2xwp+rB3JzvzMdiqO3OBFemuiU4/ZKQKFg5a/n4 +UAZtO8V2DGe76o1N9uFUvQ41RSAXolPUOTXiZvP4GfiGIhJUXV96QaPHhKWybKlr +4MWG5PpwfuWnGoP8vXtLmz2TDRUfEBOQBzYRBRvXmzekq8nFQCM7dGofLLEchMRv +lYHab2fquGmXiY3LfzyQX+vS3FO9/m2POJcdXcQvSq4MXIzOEzXnJKw5HemfZ3ae +/AlTTfE4og/AYLwacECY6CZqUFOYtQeVx9hSXV97XnoKotde66D4RyFgzFbsIBM/ +bA5qyvdpKb60hqjpj/rhXjlnhH8KwAwOlaPVgI1cgnW8uJTElJEtqHPhuRkU6y9f +au4EZ+tsmaxJ0whuziG1/3LJ62AIM9ZpixDEj4GQYaRdkFrx/1IKiUOlw5GQC3y2 +zxs= +=MmP2 -----END PGP PUBLIC KEY BLOCK----- -- cgit v1.2.3 From e185a086eb87c9a66ccdd53d20762862380c9bf9 Mon Sep 17 00:00:00 2001 
From: lassulus
Date: Tue, 22 Nov 2022 09:08:20 +0100
Subject: sync-containers(1): use dhcpcd, support luksfile
---
 krebs/3modules/sync-containers.nix | 140 +++++++++++++++++++++++++++----------
 1 file changed, 104 insertions(+), 36 deletions(-)
(limited to 'krebs/3modules')
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index e2caa083..60ca993e 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -5,27 +5,55 @@ with import ; plain = "/var/lib/containers/${cname}/var/state"; ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; securefs = "${cfg.dataLocation}/${cname}/securefs"; + luksfile = "${cfg.dataLocation}/${cname}/luksfile"; + }; + init = cname: { + plain = '' + echo 'no need for init' + ''; + ecryptfs = '' + ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + ''; + securefs = '' + ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs + ''; + luksfile = '' + ${pkgs.coreutils}/bin/truncate -s 10G '${(paths cname).luksfile}/fs.luks' + ${pkgs.cryptsetup}/bin/cryptsetup luksFormat '${(paths cname).luksfile}/fs.luks' + ${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}' + ${pkgs.xfsprogs}/bin/mkfs.xfs '/dev/mapper/luksfile-${cname}' + ''; }; start = cname: { plain = '' : ''; ecryptfs = '' - if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then - if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then + + if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then + if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - else - ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state fi + else + echo 'please run init-${cname} first' + exit 1 fi ''; securefs = '' - ## TODO init file systems if it does not exist - # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs + ## check if FS was initialized first if ! 
${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions fi ''; + luksfile = '' + mkdir -p /var/lib/containers/${cname}/var/state + if ! test -e /dev/mapper/luksfile-${cname}; then + ${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}' + fi + if ! ${pkgs.mount}/bin/mount | grep -q '^/dev/mapper/luksfile-${cname} on /var/lib/containers/${cname}/var/state'; then + mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state' + fi + ''; }; stop = cname: { plain = '' @@ -37,12 +65,16 @@ with import ; securefs = '' umount /var/lib/containers/${cname}/var/state ''; + luksfile = '' + umount /var/lib/containers/${cname}/var/state + ${pkgs.cryptsetup}/bin/cryptsetup luksClose luksfile-${cname} + ''; }; in { options.krebs.sync-containers = { dataLocation = mkOption { description = '' - location where the encrypted sync-container lie around + location where the encrypted sync-containers lie around ''; default = "/var/lib/sync-containers"; type = types.absolute-pathname; @@ -64,25 +96,11 @@ in { default = []; type = types.listOf types.str; }; - hostIp = mkOption { # TODO find this automatically - description = '' - hostAddress of the privateNetwork - ''; - example = "10.233.2.15"; - type = types.str; - }; - localIp = mkOption { # TODO find this automatically - description = '' - localAddress of the privateNetwork - ''; - example = "10.233.2.16"; - type = types.str; - }; format = mkOption { description = '' file system encrption format of the container ''; - type = types.enum [ "plain" "ecryptfs" "securefs" ]; + type = types.enum [ "plain" "ecryptfs" "securefs" "luksfile" ]; }; }; })); 
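Review bot: The new `luksfile` init runs `truncate -s 10G` and then `cryptsetup luksFormat` on `fs.luks` without checking whether an image already exists, so re-running `init-<name>` against a populated container first resizes the existing image and then offers to reformat it; a guard before the `truncate` keeps a typo from destroying data. The `luksfile` branch of `start` is also less careful than the `ecryptfs` one it sits next to: there is no "please run init first" check (the `luksOpen` error is the only hint), and it calls bare `mount` while the preceding test uses `${pkgs.mount}/bin/mount`, so the mount line should read `${pkgs.mount}/bin/mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state'`. The image size is hard-coded to 10G; a per-container setting would avoid editing the module when a container outgrows it. `init` and `start` begin before and end after this hunk.
```nix
        luksfile = ''
          if test -e '${(paths cname).luksfile}/fs.luks'; then
            echo 'luks image already exists, refusing to re-initialize'
            exit 1
          fi
          ${pkgs.coreutils}/bin/truncate -s 10G '${(paths cname).luksfile}/fs.luks'
          # … unchanged: luksFormat, luksOpen, mkfs.xfs …
        '';
```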
@@ -102,12 +120,11 @@ in { ignorePerms = false; })) cfg.containers); - krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = false; - })) cfg.containers); + krebs.acl = mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" { + "u:syncthing:rX".parents = true; + "u:syncthing:rwX" = {}; + }) cfg.containers; + systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({ reloadIfChanged = mkForce false; @@ -116,8 +133,11 @@ in { containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({ config = { ... }: { environment.systemPackages = [ + pkgs.dhcpcd pkgs.git + pkgs.jq ]; + networking.useDHCP = mkForce true; system.activationScripts.fuse = { text = '' ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 
@@ -131,11 +151,57 @@ in { autoStart = false; enableTun = true; privateNetwork = true; - hostAddress = ctr.hostIp; - localAddress = ctr.localIp; + hostBridge = "ctr0"; })) cfg.containers; - environment.systemPackages = flatten (mapAttrsToList (n: ctr: [ + networking.networkmanager.unmanaged = [ "ctr0" ]; + networking.bridges.ctr0.interfaces = []; + networking.interfaces.ctr0.ipv4.addresses = [{ + address = "10.233.0.1"; + prefixLength = 24; + }]; + # networking.nat = { + # enable = true; + # externalInterface = lib.mkDefault "et0"; + # internalInterfaces = [ "ctr0" ]; + # }; + services.dhcpd4 = { + enable = true; + interfaces = [ "ctr0" ]; + extraConfig = '' + option subnet-mask 255.255.255.0; + option routers 10.233.0.1; + # option domain-name-servers 8.8.8.8; # TODO configure dns server + subnet 10.233.0.0 netmask 255.255.255.0 { + range 10.233.0.10 10.233.0.250; + } + ''; + }; + + users.users.root.packages = flatten (mapAttrsToList (n: ctr: [ + (pkgs.writeDashBin "init-${ctr.name}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${ctr.name}/var/state + STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name}) + if [ "$STATE" = 'up' ]; then + /run/current-system/sw/bin/nixos-container stop ${ctr.name} + fi + ${(init ctr.name).${ctr.format}} + ${(start ctr.name).${ctr.format}} + /run/current-system/sw/bin/nixos-container start ${ctr.name} + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + target_ip=$(/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ip -j a s eth0 | jq -r '.[].addr_info[] | select(.family=="inet") | .local') + + echo "deploy to $target_ip" + '') (pkgs.writeDashBin "start-${ctr.name}" '' set -euf set -x 
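Review bot: In the new `init-<name>` script the pipeline `… nixos-container run ${ctr.name} -- ip -j a s eth0 | jq -r …` runs `jq` on the host side of the pipe, yet this commit only adds `pkgs.jq` to the container's `environment.systemPackages` (the `@@ -116` hunk), so the host script silently depends on `jq` being in the caller's PATH; write it as `| ${pkgs.jq}/bin/jq -r '…'`, as every other tool in this file is referenced by store path. `$target_ip` is then only echoed, so the address discovery has no effect yet — presumably groundwork for a later deploy step, which a short comment on that line could say. The `dhcpd4` configuration hands out no DNS server (`option domain-name-servers` is left as a TODO), so anything inside a container that needs name resolution will fail until that is filled in. The `users.users.root.packages` list this script belongs to ends outside the hunk.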
@@ -144,12 +210,12 @@ in { ${(start ctr.name).${ctr.format}} - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name}) + STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name}) if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name} + /run/current-system/sw/bin/nixos-container start ${ctr.name} fi - ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' set -x mkdir -p /var/state/var_src @@ -158,15 +224,17 @@ in { ''} if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch else + echo 'no nixos config, or target already online, bailing out' ${(stop ctr.name).${ctr.format}} + /run/current-system/sw/bin/nixos-container stop ${ctr.name} fi '') (pkgs.writeDashBin "stop-${ctr.name}" '' set -euf - ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name} + /run/current-system/sw/bin/nixos-container stop ${ctr.name} ${(stop ctr.name).${ctr.format}} '') ]) cfg.containers); -- cgit v1.2.3 From 8f4dd6fb595bb14be37fd69320bad4aa9a51a9db Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 22 Nov 2022 09:17:56 +0100 Subject: ci: raise timeout to 1h --- krebs/3modules/ci/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix index 0f85b27c..022da588 100644 --- a/krebs/3modules/ci/default.nix +++ b/krebs/3modules/ci/default.nix 
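Review bot: The decision to run `nixos-rebuild -I /var/src switch` inside the container hinges on `! ping -c1 -q -w5 ${ctr.name}.r`, which treats every ping failure as "target is offline": a name-resolution failure or retiolum being down on the host yields the same verdict as a host that is really down, so the container can be switched on while another instance is still running elsewhere. iputils `ping` distinguishes the cases by exit status (1 = no reply, 2 = other error), so capture it under `set -e` with `rc=0; ping -c1 -q -w5 ${ctr.name}.r || rc=$?` and gate on `if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && [ "$rc" = 1 ]; then`, letting the new bail-out message cover the error case too. `ping` is also the only command in this script not invoked by absolute path. The enclosing `start-<name>` script begins in the previous hunk.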
@@ -115,6 +115,7 @@ let
 build_name = stage,
 build_script = stages[stage],
 ),
+ timeout = 3600,
 command="${pkgs.writeDash "build.sh" ''
 set -xefu
 profile=${shell.escape profileRoot}/$build_name
-- cgit v1.2.3
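Review bot: If this is a buildbot shell step, as the surrounding `command=` keyword argument suggests, `timeout = 3600,` is the inactivity timeout — the step is killed after 3600 s without any output — not a bound on total runtime, which is how the subject "raise timeout to 1h" reads; `maxTime` is the argument that limits wall-clock time. A comment on the new line would keep the next reader from making the same assumption: `timeout = 3600,  # kill the step after 1h without output; maxTime would bound total runtime`. The step definition this argument belongs to begins and ends outside the hunk.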