From dba3ca21f28dbb213d6dc44cfc301a958f87a623 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 18 Jan 2021 21:00:08 +0100
Subject: update krebsco.de A records

---
 krebs/3modules/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'krebs')

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 8c620a4e..0b3d2c79 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -90,8 +90,10 @@ let
           @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
                                 IN NS     ns19.ovh.net.
                                 IN NS     dns19.ovh.net.
-                                IN A      192.30.252.154
-                                IN A      192.30.252.153
+                                IN A      185.199.108.153
+                                IN A      185.199.109.153
+                                IN A      185.199.110.153
+                                IN A      185.199.111.153
         '';
         };
     };
-- 
cgit v1.2.3


From 8d6a964c86d7a556cce6180a77a4828d4a93fe90 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 20 Jan 2021 19:55:52 +0100
Subject: brockman: 3.0.0 -> 3.2.0

---
 krebs/5pkgs/haskell/brockman.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'krebs')

diff --git a/krebs/5pkgs/haskell/brockman.nix b/krebs/5pkgs/haskell/brockman.nix
index c6d01edc..798adeee 100644
--- a/krebs/5pkgs/haskell/brockman.nix
+++ b/krebs/5pkgs/haskell/brockman.nix
@@ -1,24 +1,26 @@
 { mkDerivation, aeson, aeson-pretty, base, bloomfilter, bytestring
 , conduit, containers, directory, feed, filepath, hslogger
 , html-entity, http-client, irc-conduit, lens, network
-, optparse-applicative, random, safe, stdenv, text, wreq
+, optparse-applicative, random, safe, stdenv, text, time, timerep
+, wreq
 , fetchFromGitHub
 }:
 mkDerivation rec {
   pname = "brockman";
-  version = "3.0.0";
+  version = "3.2.0";
   src = fetchFromGitHub {
     owner = "kmein";
     repo = "brockman";
     rev = version;
-    sha256 = "08yla9q2mjd7znpasfwsdqzc3dp2vcvg53x9p4vlx4g7jr3dw3yp";
+    sha256 = "0vvps5czl6qcpfyrm2a6vj00hdh941wj4zb2bd9jlgf9mfikqm77";
   };
   isLibrary = false;
   isExecutable = true;
   executableHaskellDepends = [
     aeson aeson-pretty base bloomfilter bytestring conduit containers
     directory feed filepath hslogger html-entity http-client
-    irc-conduit lens network optparse-applicative random safe text wreq
+    irc-conduit lens network optparse-applicative random safe text time
+    timerep wreq
   ];
   license = stdenv.lib.licenses.mit;
 }
-- 
cgit v1.2.3


From f4846c2f93df980944ef583e8e593639f8ce3964 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 21 Jan 2021 17:58:27 +0100
Subject: news: add brockman-helper reaktor2 bot

---
 krebs/2configs/news.nix | 53 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 51 insertions(+), 2 deletions(-)

(limited to 'krebs')

diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index f40997f8..04a84392 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
   services.rss-bridge = {
@@ -22,7 +22,6 @@
     "d /var/lib/brockman 1750 brockman nginx -"
   ];
 
-  systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
   krebs.brockman = {
     enable = true;
     config = {
@@ -36,4 +35,54 @@
       bots = {};
     };
   };
+
+  krebs.reaktor2.news = {
+    hostname = "localhost";
+    port = "6667";
+    nick = "brockman-helper";
+    plugins = [
+      {
+        plugin = "register";
+        config = {
+          channels = [
+            "#all"
+            "#aluhut"
+            "#news"
+          ];
+        };
+      }
+      {
+        plugin = "system";
+        config = {
+          hooks.PRIVMSG = [
+            {
+              activate = "match";
+              pattern = "^(?:.*\\s)?\\s*brockman-helper:\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$";
+              command = 1;
+              arguments = [2];
+              commands = {
+                add-telegram.filename = pkgs.writeDash "add-telegram" ''
+                  if [ "$#" -ne 1 ]; then
+                    echo 'usage: brockman-helper: add-telegram $telegramname'
+                    echo "$#"
+                    exit 1
+                  fi
+                  echo "brockman: add t_$1 http://rss.r/?action=display&bridge=Telegram&username=$1&format=Mrss"
+                '';
+                search.filename = pkgs.writeDash "search" ''
+                  if [ "$#" -ne 1 ]; then
+                    echo 'usage: brockman-helper: search $searchterm'
+                    echo "$#"
+                    exit 1
+                  fi
+                  ${pkgs.curl}/bin/curl -Ss "https://feedsearch.dev/api/v1/search?url=$1&info=true&favicon=false" | \
+                    ${pkgs.jq}/bin/jq '.[].url'
+                '';
+              };
+            }
+          ];
+        };
+      }
+    ];
+  };
 }
-- 
cgit v1.2.3


From 5c669397dac74d4c63281a7c785465569e93643e Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 23 Jan 2021 14:11:16 +0100
Subject: brockman: 3.2.0 -> 3.2.3

---
 krebs/5pkgs/haskell/brockman.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'krebs')

diff --git a/krebs/5pkgs/haskell/brockman.nix b/krebs/5pkgs/haskell/brockman.nix
index 798adeee..5f1166a2 100644
--- a/krebs/5pkgs/haskell/brockman.nix
+++ b/krebs/5pkgs/haskell/brockman.nix
@@ -1,26 +1,26 @@
 { mkDerivation, aeson, aeson-pretty, base, bloomfilter, bytestring
-, conduit, containers, directory, feed, filepath, hslogger
-, html-entity, http-client, irc-conduit, lens, network
+, case-insensitive, conduit, containers, directory, feed, filepath
+, hslogger, html-entity, http-client, irc-conduit, lens, network
 , optparse-applicative, random, safe, stdenv, text, time, timerep
 , wreq
 , fetchFromGitHub
 }:
 mkDerivation rec {
   pname = "brockman";
-  version = "3.2.0";
+  version = "3.2.3";
   src = fetchFromGitHub {
     owner = "kmein";
     repo = "brockman";
     rev = version;
-    sha256 = "0vvps5czl6qcpfyrm2a6vj00hdh941wj4zb2bd9jlgf9mfikqm77";
+    sha256 = "1qbjbf0l1ikfzmvky4cnvv7nlcwi2in4afliifh618j0a4f7j427";
   };
   isLibrary = false;
   isExecutable = true;
   executableHaskellDepends = [
-    aeson aeson-pretty base bloomfilter bytestring conduit containers
-    directory feed filepath hslogger html-entity http-client
-    irc-conduit lens network optparse-applicative random safe text time
-    timerep wreq
+    aeson aeson-pretty base bloomfilter bytestring case-insensitive
+    conduit containers directory feed filepath hslogger html-entity
+    http-client irc-conduit lens network optparse-applicative random
+    safe text time timerep wreq
   ];
   license = stdenv.lib.licenses.mit;
 }
-- 
cgit v1.2.3


From 034185780670fc7466cce8a839b59abd849e3f89 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 23 Jan 2021 14:11:48 +0100
Subject: realwallpaper: add wallpaper with markers but without krebs

---
 krebs/5pkgs/simple/realwallpaper/default.nix | 46 ++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 12 deletions(-)

(limited to 'krebs')

diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 56a7dfb9..e55454a0 100644
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@@ -192,18 +192,15 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
     fi
 
     # create marker file from json
-    if [ -s marker.json ]; then
-      jq -r 'to_entries[] | @json "\(.value.latitude) \(.value.longitude) image=krebs.png"' marker.json > marker_file
-      echo 'position=sun image=sun.png' >> marker_file
-      echo 'position=moon image=moon.png' >> marker_file
-      echo 'position=mercury image=mercury.png' >> marker_file
-      echo 'position=venus image=venus.png' >> marker_file
-      echo 'position=mars image=mars.png' >> marker_file
-      echo 'position=jupiter image=jupiter.png' >> marker_file
-      echo 'position=saturn image=saturn.png' >> marker_file
-      echo 'position=uranus image=uranus.png' >> marker_file
-      echo 'position=neptune image=neptune.png' >> marker_file
-    fi
+    echo 'position=sun image=sun.png' > marker_file
+    echo 'position=moon image=moon.png' >> marker_file
+    echo 'position=mercury image=mercury.png' >> marker_file
+    echo 'position=venus image=venus.png' >> marker_file
+    echo 'position=mars image=mars.png' >> marker_file
+    echo 'position=jupiter image=jupiter.png' >> marker_file
+    echo 'position=saturn image=saturn.png' >> marker_file
+    echo 'position=uranus image=uranus.png' >> marker_file
+    echo 'position=neptune image=neptune.png' >> marker_file
 
     # generate moon
     xplanet -body moon --num_times 1 -origin earth \
@@ -227,6 +224,24 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
         shade=15
       ''}
 
+    xplanet --num_times 1 --geometry $xplanet_out_size \
+      --output xplanet-marker-output.png --projection merc \
+      -config ${pkgs.writeText "xplanet-marker.config" ''
+        [earth]
+        "Earth"
+        map=daymap-final.png
+        night_map=nightmap-final.png
+        cloud_map=clouds.png
+        cloud_threshold=1
+        cloud_gamma=10
+        marker_file=marker_file
+        shade=15
+      ''}
+
+    if [ -s marker.json ]; then
+      jq -r 'to_entries[] | @json "\(.value.latitude) \(.value.longitude) image=krebs.png"' marker.json >> marker_file
+    fi
+
     xplanet --num_times 1 --geometry $xplanet_out_size \
       --output xplanet-krebs-output.png --projection merc \
       -config ${pkgs.writeText "xplanet-krebs.config" ''
@@ -248,6 +263,13 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
         mv realwallpaper-tmp.png realwallpaper.png
     fi
 
+    # trim xplanet output
+    if needs_rebuild realwallpaper-marker.png xplanet-marker-output.png; then
+      convert xplanet-marker-output.png -crop $out_geometry \
+        realwallpaper-marker-tmp.png
+        mv realwallpaper-marker-tmp.png realwallpaper-marker.png
+    fi
+
     if needs_rebuild realwallpaper-krebs.png xplanet-krebs-output.png; then
       convert xplanet-krebs-output.png -crop $out_geometry \
         realwallpaper-krebs-tmp.png
-- 
cgit v1.2.3


From 4484a3e5fc3181ae5ec8cc5056a23947756ff558 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 23 Jan 2021 17:33:17 +0100
Subject: l: add lass-green user

---
 krebs/3modules/lass/default.nix       |  5 +++++
 krebs/3modules/lass/pgp/green.pgp     | 40 +++++++++++++++++++++++++++++++++++
 krebs/3modules/lass/ssh/green.ed25519 |  1 +
 3 files changed, 46 insertions(+)
 create mode 100644 krebs/3modules/lass/pgp/green.pgp
 create mode 100644 krebs/3modules/lass/ssh/green.ed25519

(limited to 'krebs')

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index a4586bed..6d31bffd 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -699,6 +699,11 @@ in {
       pubkey = builtins.readFile ./ssh/blue.rsa;
       pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp;
     };
+    lass-green = {
+      mail = "lass@green.r";
+      pubkey = builtins.readFile ./ssh/green.ed25519;
+      pgp.pubkeys.default = builtins.readFile ./pgp/green.pgp;
+    };
     lass-mors = {
       mail = "lass@mors.r";
       pubkey = builtins.readFile ./ssh/mors.rsa;
diff --git a/krebs/3modules/lass/pgp/green.pgp b/krebs/3modules/lass/pgp/green.pgp
new file mode 100644
index 00000000..96b2b38e
--- /dev/null
+++ b/krebs/3modules/lass/pgp/green.pgp
@@ -0,0 +1,40 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGAMS3EBDACzbsaP9nhJ8GrAk5JLlz+ruDbEGuvJXvh+spVq9i9TCCGAraPo
+z8Tmgsw6SJhJMW/170OZJ+GMMEDRpRbvh8tLZ0jsTIwINasRjC68tF9dgjjPZdNN
+cVOpFw4Wf4ueMmoEG/9Xyehm+YEJFTj5wul2uJtfj5NJB43daDn4e3ieGExd+zE0
+FTP4yAmxVMbN4BiyZPX7CxeTzJS0g4aVnMq9RqtYbxd1Uv++LmPh1ZkEyNNKItfC
+nRFeZzjhnmD7LvwsixE2ENnbiL9Ho7Mc4C7kRKSJ+LvXH6ChJJtDy9ApVA+u90i5
+Rd7y9rdzFY+NCHusWg0/U/t2FoLc/hRa0eLE1KFtzWzH35TMl8R/7NrPztTwT/fH
+xt3qSiwMUvH9X9TGvh5N0WwqgtEe6mpZvpq+4gyOiyA+EwE73rnxG2DzmM6CFHyo
+Qm/OOfjuFH+l0PkAqti+f41SqlEOiOAAFzgz7gaTdJ8gXs8piOGxk4U5EK/p1OTW
+4e6DrxqcxmHgoAUAEQEAAbQMbGFzc0BncmVlbi5yiQHUBBMBCAA+FiEE6Ed5jGI3
+gop09K1NMwheLc2Sjz0FAmAMS3ECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQMwheLc2Sjz0otwv+I8Sw0ENqy6SsrZSGDtmhAouCeTIUseRQ66tp
+UFnxDVPYhhdM2ubTtIqOfx20Xdy/7N/POyYMJ5VR+IaFcB9wUlrhdjwUlCtoUipx
+EycZloccMPGySxAxR3Kcy/SFzUKWwQ10/mfSQg/4+vYayZNuSvEpviMEZn0prpmw
+jwFJcHOu0NL+7eYULMdit1BDaZfBaAu/otKn18878+0hVimyjW27564uXtJYnbf1
+hUVGvPLaSo74XBFra+kujcA3zIjWiPn6dRA5dzLrRRkb30Unl1+0a9QwY3wd3vCV
+UHWSgDNaV+o7yPTuxoMsfrxHPAc3JlaKM6ka/EdK04tbgMH/N7FHXqDqCEIBWML4
+1/+HxkP2UW59zLefQwvBqWcF6bA7kgHGhIDkg1yg7ygP0t2mH6ktuEAYYr24BFx7
+b8nK/jhK+rp3LomLTLQ6e/6mikfoDr636sB1/Bc+pTdWsJnuQTzaWBDloVEr/2hz
+/K5+wH2kgSKaWYUtaR6wiMbVKq3HuQGNBGAMS3EBDAC1xQNCJD3hlnihHBv7jxfH
+CI5HdnUEh1eP8mUKjSE+Z0xGEMq8Z9sbTHQxtDdmC4ZOq1Kkt2LmtQQQAIH+Qnu6
+RYFOAPRmegouIxg4S3eTPZhZRo1ZqCphqbL2mQ9ifNrG3VVvQGXNvjo3Cuwj0uzx
+EDtOilKEtHZhG0cfehGV+nO1n/g50EQMC7JkFWnryxVL8i4l3KstOdj+LcIT6c27
+EE2fzOUekeltBHGRFSM1Yzmn2lxruuK4I8zoiqak2St1788ay//F9tiZPfhWRb6+
+DF+JgRLCXatqTJppPpkui1irw6jN5ZabjyS7GBtH+5wpnvuMEMr484OXEg17VnCd
+Tx/RTLyjfffDtTkC4M7oiAr5SUbkJjVkEuwjxp1N19epD8gzrBQC2W7XKM3z+mtG
+ZLJtiW5hM+QylMv7VWxbQ21ObJmUqBQUZLPlpl3dlGU/ILw3U4urBibD9oPT2QAX
+J6Db/STyl6w0bzRbMJmaEM4P0FcdEKTuw7tOpl5zBUkAEQEAAYkBtgQYAQgAIBYh
+BOhHeYxiN4KKdPStTTMIXi3Nko89BQJgDEtxAhsMAAoJEDMIXi3Nko89yc8MAJKg
+M5lbA/PJYlIju/qWKWt7yZbsIGuDfmuKfYftjXDOqskEqDyYgr31Txd43bWM6Ec7
+gb5JVmtzvLull0/KRwMcKAFNTXIYcb3jKpanwWRgHQlt/D6zlQula73WxwNUlZWl
+Q8FCWjGa2hC8oKlTbtzm5osdcK+YhlpTpK5y4Mrg0f9Rcd297ygFQSDInpGq7ILY
+sFat3HU7w9oPp9Q5RS8/EmrvAx1kFj9mZRs4L9inJJnHFpb1R6snojcKPwEyIWBi
++PFZ6ns296FjW9C+Ci7C+aaAzVDM7NAwU0/EhWeDKKHITU3Zaz4gnShesKBiVxhI
+JQNFCjWlnc+o3RqbAhDQhlwFrCZWUxQi1qWy4U88IYqR9hxV0eNtGSRmwnGCT9RV
+Nxb6CjtmHpgUmzyvwBpBJya8bLYu5tCKnUodtFiq/poxEfI5WrP6pu5l648AwuPa
+ioovprweDWs38Q8wd/SuoaUtIoj378UDXq8acFvHHnOS/bBBfAE9tutY1ycJdg==
+=Fg3f
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/krebs/3modules/lass/ssh/green.ed25519 b/krebs/3modules/lass/ssh/green.ed25519
new file mode 100644
index 00000000..1aa7b180
--- /dev/null
+++ b/krebs/3modules/lass/ssh/green.ed25519
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOJfTJ37hWYTYLWY6egshmvigPfRF0Sa4N11gmphMLm lass@green
-- 
cgit v1.2.3


From 4dfe7ef01ecc7a7db7cb37ac227fa842fee250fc Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 23 Jan 2021 17:34:08 +0100
Subject: l: add jitsi.lassul.us to record

---
 krebs/3modules/lass/default.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'krebs')

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 6d31bffd..f9e4c6fe 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -44,6 +44,7 @@ in {
           matrix              60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           paste               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           radio               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+          jitsi               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           streaming           60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
         '';
       };
-- 
cgit v1.2.3


From dd90d71a7f0dface27455e2138d712d0a8fa61ce Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 23 Jan 2021 17:37:52 +0100
Subject: l styx.r: add syncthing.id

---
 krebs/3modules/lass/default.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'krebs')

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index f9e4c6fe..c5cf5cb1 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -686,6 +686,7 @@ in {
       };
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU ";
+      syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN";
     };
   };
   users = rec {
-- 
cgit v1.2.3


From 1238cd66f7982cfa2e4d069be83eff37ee42afc8 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 23 Jan 2021 21:27:10 +0100
Subject: news: remove unneded \

---
 krebs/2configs/news.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'krebs')

diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 04a84392..a492b078 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -75,7 +75,7 @@
                     echo "$#"
                     exit 1
                   fi
-                  ${pkgs.curl}/bin/curl -Ss "https://feedsearch.dev/api/v1/search?url=$1&info=true&favicon=false" | \
+                  ${pkgs.curl}/bin/curl -Ss "https://feedsearch.dev/api/v1/search?url=$1&info=true&favicon=false" |
                     ${pkgs.jq}/bin/jq '.[].url'
                 '';
               };
-- 
cgit v1.2.3


From 293fa449e1d69d2d070f6990e414c76409c4913d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 10:30:47 +0100
Subject: ecrypt: l -> krebs

---
 krebs/5pkgs/simple/ecrypt/default.nix | 111 ++++++++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)
 create mode 100644 krebs/5pkgs/simple/ecrypt/default.nix

(limited to 'krebs')

diff --git a/krebs/5pkgs/simple/ecrypt/default.nix b/krebs/5pkgs/simple/ecrypt/default.nix
new file mode 100644
index 00000000..f83f8cfe
--- /dev/null
+++ b/krebs/5pkgs/simple/ecrypt/default.nix
@@ -0,0 +1,111 @@
+{ pkgs, lib }:
+
+#usage: ecrypt mount /var/crypted /var/unencrypted
+pkgs.writers.writeDashBin "ecrypt" ''
+  set -euf
+
+  PATH=${lib.makeBinPath (with pkgs; [
+    coreutils
+    ecryptfs
+    gnused
+    gnugrep
+    jq
+    mount
+    keyutils
+    umount
+  ])}
+
+  # turn echo back on if killed
+  trap 'stty echo' INT
+
+  case "$1" in
+    init)
+      shift
+      mkdir -p "$1" "$2"
+
+      # abort if src or dest are not empty
+      if [ -e "$1"/.cfg.json ]; then
+        echo 'source dir is already configured, aborting'
+        exit 1
+      elif ls -1qA "$2" | grep -q .; then
+        echo 'destination dir is not empty, aborting'
+        exit 1
+      else
+        # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+        echo 4 | ecryptfs-manager
+        stty -echo
+        printf "passphrase: "
+        read  passphrase
+        stty echo
+        sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
+        mount -t ecryptfs \
+          -o ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
+          "$1" "$2"
+
+        # add sig to json state file
+        jq -n --arg sig "$sig" '{ "sig": $sig }' > "$1"/.cfg.json
+      fi
+      ;;
+
+    mount)
+      shift
+      if ! [ -e "$1"/.cfg.json ]; then
+        echo '.cfg.json missing in src'
+        exit 1
+      fi
+      old_sig=$(cat "$1"/.cfg.json | jq -r .sig)
+
+      # check if key is already in keyring, otherwise add it
+      
+      if keyctl list @u | grep -q "$old_sig"; then
+        echo 'pw already saved'
+      else
+        # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
+        echo 4 | ecryptfs-manager
+        stty -echo
+        printf "passphrase: "
+        read  passphrase
+        stty echo
+        new_sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
+
+        # check if passphrase matches sig
+        if [ "$old_sig" != "$new_sig" ]; then
+          echo 'passphrase does not match sig, bailing out'
+          new_keyid=$(keyctl list @u | grep "$new_sig" | sed 's/\([0-9]*\).*/\1/')
+          keyctl revoke "$new_keyid"
+          keyctl unlink "$new_keyid"
+          exit 1
+        fi
+      fi
+
+      sig=$old_sig
+      keyid=$(keyctl list @u | grep "$sig" | sed 's/\([0-9]*\).*/\1/')
+      if (ls -1qA "$2" | grep -q .); then
+        echo 'destination is not empty, bailing out'
+        exit 1
+      else
+        mount -i -t ecryptfs \
+          -o ecryptfs_passthrough=no,verbose=no,ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
+          "$1" "$2"
+      fi
+      ;;
+
+    unmount)
+      shift
+
+      sig=$(cat "$1"/.cfg.json | jq -r .sig)
+      keyid=$(keyctl list @u | grep "$sig" | sed 's/\s*\([0-9]*\).*/\1/')
+
+      umount "$2" || :
+      keyctl revoke "$keyid"
+      keyctl unlink "$keyid"
+      ;;
+
+    *)
+      echo 'usage:
+        ecrypt init /tmp/src/ /tmp/dst/
+        ecrypt mount /tmp/src/ /tmp/dst/
+        ecrypt unmount /tmp/src/ /tmp/dst/
+      '
+  esac
+''
-- 
cgit v1.2.3


From ea0b43654e20ee3cbe85c154a35d5363baaaca97 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 10:41:47 +0100
Subject: sync-containers: lass -> krebs

---
 krebs/3modules/default.nix         |   1 +
 krebs/3modules/sync-containers.nix | 168 +++++++++++++++++++++++++++++++++++++
 2 files changed, 169 insertions(+)
 create mode 100644 krebs/3modules/sync-containers.nix

(limited to 'krebs')

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 0b3d2c79..285db40f 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -51,6 +51,7 @@ let
       ./secret.nix
       ./setuid.nix
       ./shadow.nix
+      ./sync-containers.nix
       ./tinc.nix
       ./tinc_graphs.nix
       ./urlwatch.nix
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
new file mode 100644
index 00000000..81316fb0
--- /dev/null
+++ b/krebs/3modules/sync-containers.nix
@@ -0,0 +1,168 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+  cfg = config.krebs.sync-containers;
+  paths = cname: {
+    plain = "/var/lib/containers/${cname}/var/state";
+    ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
+    securefs = "${cfg.dataLocation}/${cname}/securefs";
+  };
+  start = cname: {
+    plain = ''
+    '';
+    ecryptfs = ''
+      if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+        if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
+          ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        else
+          ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        fi
+      fi
+    '';
+    securefs = ''
+      ## TODO init file systems if it does not exist
+      # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
+      if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
+        ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
+      fi
+    '';
+  };
+  stop = cname: {
+    plain = ''
+    '';
+    ecryptfs = ''
+      ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+    '';
+    securefs = ''
+      umount /var/lib/containers/${cname}/var/state
+    '';
+  };
+in {
+  options.krebs.sync-containers = {
+    dataLocation = mkOption {
+      description = ''
+        location where the encrypted sync-container lie around
+      '';
+      default = "/var/lib/sync-containers";
+      type = types.absolute-pathname;
+    };
+    containers = mkOption {
+      type = types.attrsOf (types.submodule ({ config, ... }: {
+        options = {
+          name = mkOption {
+            description = ''
+              name of the container
+            '';
+            default = config._module.args.name;
+            type = types.str;
+          };
+          peers = mkOption {
+            description = ''
+              syncthing peers to share this container with
+            '';
+            default = [];
+            type = types.listOf types.str;
+          };
+          hostIp = mkOption { # TODO find this automatically
+            description = ''
+              hostAddress of the privateNetwork
+            '';
+            example = "10.233.2.15";
+            type = types.str;
+          };
+          localIp = mkOption { # TODO find this automatically
+            description = ''
+              localAddress of the privateNetwork
+            '';
+            example = "10.233.2.16";
+            type = types.str;
+          };
+          format = mkOption {
+            description = ''
+              file system encrption format of the container
+            '';
+            type = types.enum [ "plain" "ecryptfs" "securefs" ];
+          };
+        };
+      }));
+      default = {};
+    };
+  };
+
+  config = mkIf (cfg.containers != {}) {
+    programs.fuse.userAllowOther = true;
+
+    services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+      devices = ctr.peers;
+      ignorePerms = false;
+    })) cfg.containers);
+
+    krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+      file-mode = "u+rw";
+      directory-mode = "u+rwx";
+      owner = "syncthing";
+      keepGoing = false;
+    })) cfg.containers);
+
+    systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
+      reloadIfChanged = mkForce false;
+    })) cfg.containers;
+
+    containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
+      config = { ... }: {
+        environment.systemPackages = [
+          pkgs.git
+        ];
+        system.activationScripts.fuse = {
+          text = ''
+            ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+          '';
+          deps = [];
+        };
+      };
+      allowedDevices = [
+        { modifier = "rwm"; node = "/dev/fuse"; }
+      ];
+      autoStart = false;
+      enableTun = true;
+      privateNetwork = true;
+      hostAddress = ctr.hostIp;
+      localAddress = ctr.localIp;
+    })) cfg.containers;
+
+    environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
+      (pkgs.writeDashBin "start-${ctr.name}" ''
+        set -euf
+        set -x
+
+        mkdir -p /var/lib/containers/${ctr.name}/var/state
+
+        ${(start ctr.name).${ctr.format}}
+
+        STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
+        if [ "$STATE" = 'down' ]; then
+          ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
+        fi
+
+        ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
+          set -x
+
+          mkdir -p /var/state/var_src
+          ln -sfTr /var/state/var_src /var/src
+          touch /etc/NIXOS
+        ''}
+
+        if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
+          ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
+        else
+          ${(stop ctr.name).${ctr.format}}
+        fi
+      '')
+      (pkgs.writeDashBin "stop-${ctr.name}" ''
+        set -euf
+
+        ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
+        ${(stop ctr.name).${ctr.format}}
+      '')
+    ]) cfg.containers);
+  };
+}
-- 
cgit v1.2.3


From cefb50f5f1509c06f92453e09fb63ad71a746fe0 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 11:26:39 +0100
Subject: bindfs: l -> krebs

---
 krebs/3modules/bindfs.nix  | 61 ++++++++++++++++++++++++++++++++++++++++++++++
 krebs/3modules/default.nix |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 krebs/3modules/bindfs.nix

(limited to 'krebs')

diff --git a/krebs/3modules/bindfs.nix b/krebs/3modules/bindfs.nix
new file mode 100644
index 00000000..7e3730e8
--- /dev/null
+++ b/krebs/3modules/bindfs.nix
@@ -0,0 +1,61 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }:
+let
+  cfg = config.krebs.bindfs;
+in {
+  options.krebs.bindfs = mkOption {
+    type = types.attrsOf (types.submodule ({ config, ... }: {
+      options = {
+        target = mkOption {
+          description = ''
+            destination where bindfs mounts to.
+            second positional argument to bindfs.
+          '';
+          default = config._module.args.name;
+          type = types.absolute-pathname;
+        };
+        source = mkOption {
+          description = ''
+            source folder where the mounted directory is originally.
+            first positional argument to bindfs.
+          '';
+          type = types.absolute-pathname;
+        };
+        options = mkOption {
+          description = ''
+            additional arguments to bindfs
+          '';
+          type = types.listOf types.str;
+          default = [];
+        };
+        clearTarget = mkOption {
+          description = ''
+            whether to clear the target folder before mounting
+          '';
+          type = types.bool;
+          default = false;
+        };
+      };
+    }));
+    default = {};
+  };
+
+  config = mkIf (cfg != {}) {
+    systemd.services = mapAttrs' (n: mount: let
+      name = replaceStrings [ "/" ] [ "_" ] n;
+    in nameValuePair "bindfs-${name}" {
+      wantedBy = [ "local-fs.target" ];
+      path = [ pkgs.coreutils ];
+      serviceConfig = {
+        ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
+          ${optionalString mount.clearTarget ''
+            rm -rf '${mount.target}'
+          ''}
+          mkdir -p '${mount.source}'
+          mkdir -p '${mount.target}'
+        '';
+        ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}";
+      };
+    }) cfg;
+  };
+}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 285db40f..e7d04ead 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -11,6 +11,7 @@ let
       ./apt-cacher-ng.nix
       ./backup.nix
       ./bepasty-server.nix
+      ./bindfs.nix
       ./brockman.nix
       ./buildbot/master.nix
       ./buildbot/slave.nix
-- 
cgit v1.2.3


From 550b502628a6e9567fb210c5dba38e9468481efb Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 15:06:54 +0100
Subject: syncthing: split into l and krebs

---
 krebs/2configs/syncthing.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 krebs/2configs/syncthing.nix

(limited to 'krebs')

diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
new file mode 100644
index 00000000..31e33ad5
--- /dev/null
+++ b/krebs/2configs/syncthing.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }: with import <stockholm/lib>; let
+  mk_peers = mapAttrs (n: v: { id = v.syncthing.id; });
+
+  all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts;
+  used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.declarative.folders));
+  used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
+in {
+  services.syncthing = {
+    enable = true;
+    configDir = "/var/lib/syncthing";
+    declarative = {
+      devices = mk_peers used_peers;
+    };
+  };
+}
-- 
cgit v1.2.3


From f4206a60810014cb23ca6eb882398a4739b7b780 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 15:54:05 +0100
Subject: sync-containers: add noop to plain container scripts

---
 krebs/3modules/sync-containers.nix | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'krebs')

diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index 81316fb0..7c7db4c3 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -8,6 +8,7 @@ with import <stockholm/lib>;
   };
   start = cname: {
     plain = ''
+      :
     '';
     ecryptfs = ''
       if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
@@ -28,6 +29,7 @@ with import <stockholm/lib>;
   };
   stop = cname: {
     plain = ''
+      :
     '';
     ecryptfs = ''
       ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
-- 
cgit v1.2.3


From 5d24d8e8c2e1493020ff79193bb8480ed882bb03 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 15:58:14 +0100
Subject: krops: clone nixpkgs shallow

---
 krebs/krops.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'krebs')

diff --git a/krebs/krops.nix b/krebs/krops.nix
index 608e46df..5e5a3d5e 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -28,6 +28,7 @@
       git = {
         ref = (lib.importJSON ./nixpkgs.json).rev;
         url = https://github.com/NixOS/nixpkgs;
+        shallow = true;
       };
     };
     stockholm.file = toString ../.;
-- 
cgit v1.2.3


From 1bbeb1e45c155c4d9822d40db1b39995e861c292 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 15:58:25 +0100
Subject: krops: add populate command

---
 krebs/krops.nix | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'krebs')

diff --git a/krebs/krops.nix b/krebs/krops.nix
index 5e5a3d5e..aeb2413a 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -68,6 +68,13 @@
     target = "root@${target}/var/src";
   };
 
+  # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
+  populate = { target, force ? false }: pkgs.populate {
+    inherit force;
+    source = source { test = false; };
+    target = lib.mkTarget target;
+  };
+
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
   test = { target }: pkgs.krops.writeTest "${name}-test" {
     force = true;
-- 
cgit v1.2.3


From f6e8e690bb8a95dfcf9302996f93baa5fa94f1ba Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 16:06:25 +0100
Subject: l puyak.r: remove news services

---
 krebs/1systems/hotdog/config.nix | 4 ----
 krebs/1systems/puyak/config.nix  | 8 --------
 2 files changed, 12 deletions(-)

(limited to 'krebs')

diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index c0fa3828..a100e414 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -1,7 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
 { config, lib, pkgs, ... }:
 
 {
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 19cf2228..1e0687ba 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -19,14 +19,6 @@
     <stockholm/krebs/2configs/binary-cache/nixos.nix>
     <stockholm/krebs/2configs/binary-cache/prism.nix>
 
-    ### Krebs ###
-    <stockholm/krebs/2configs/go.nix>
-
-    #### NEWS ####
-    <stockholm/krebs/2configs/ircd.nix>
-    <stockholm/krebs/2configs/news.nix>
-
-
     ### shackspace ###
     # handle the worlddomination map via coap
     <stockholm/krebs/2configs/shack/worlddomination.nix>
-- 
cgit v1.2.3


From ec9c2defae862a2ba57c7d94b5697c93d5910536 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 16:29:40 +0100
Subject: brockman: use genid for uid

---
 krebs/3modules/brockman.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'krebs')

diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix
index 55e8255b..32aa3489 100644
--- a/krebs/3modules/brockman.nix
+++ b/krebs/3modules/brockman.nix
@@ -1,5 +1,5 @@
-{ pkgs, lib, config, ... }:
-with lib;
+{ pkgs, config, ... }:
+with import <stockholm/lib>;
 let
   cfg = config.krebs.brockman;
 in {
@@ -13,6 +13,7 @@ in {
       home = "/var/lib/brockman";
       createHome = true;
       isNormalUser = false;
+      uid = genid_uint31 "brockman";
     };
 
     systemd.services.brockman = {
-- 
cgit v1.2.3


From ce8b0541ea9ef7c07ee8c71b9c0a8307ed821d76 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 16:32:30 +0100
Subject: init news.r

---
 krebs/1systems/news/config.nix   | 36 ++++++++++++++++++++++++++++++++++++
 krebs/2configs/news-host.nix     | 12 ++++++++++++
 krebs/3modules/krebs/default.nix | 34 ++++++++++++++++++++++++++++++++--
 3 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 krebs/1systems/news/config.nix
 create mode 100644 krebs/2configs/news-host.nix

(limited to 'krebs')

diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
new file mode 100644
index 00000000..e4059e57
--- /dev/null
+++ b/krebs/1systems/news/config.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+
+    <stockholm/krebs/2configs/ircd.nix>
+    <stockholm/krebs/2configs/go.nix>
+
+    #### NEWS ####
+    <stockholm/krebs/2configs/ircd.nix>
+    <stockholm/krebs/2configs/news.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.news;
+
+  boot.isContainer = true;
+  networking.useDHCP = false;
+  krebs.bindfs = {
+    "/var/lib/htgen-go" = {
+      source = "/var/state/htgen-go";
+      options = [
+        "-M ${toString config.users.users.htgen-go.uid}"
+      ];
+      clearTarget = true;
+    };
+    "/var/lib/brockman" = {
+      source = "/var/state/brockman";
+      options = [
+        "-M ${toString config.users.users.brockman.uid}"
+      ];
+      clearTarget = true;
+    };
+  };
+}
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
new file mode 100644
index 00000000..82360a67
--- /dev/null
+++ b/krebs/2configs/news-host.nix
@@ -0,0 +1,12 @@
+{
+  krebs.sync-containers.containers.news = {
+    peers = [
+      "shodan"
+      "mors"
+      "styx"
+    ];
+    hostIp = "10.233.2.101";
+    localIp = "10.233.2.102";
+    format = "plain";
+  };
+}
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index d0648418..434ac1df 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -92,6 +92,38 @@ in {
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
     };
+    news = {
+      cores = 1;
+      owner = config.krebs.users.krebs;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.0.5";
+          aliases = [
+            "news.r"
+            "go.r"
+            "rss.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
+            cgPezX8yGmA0nuTyCUPtXbWyWee9HnzYqekzJYvBHwgBDvZ8UhLZTCXD15agDfaf
+            cbzd4uM5bCDgqI8sezzD95tqj7mzvIEurIShDXYSWC6YRat1h1Opp86JngBJRvHZ
+            Gb6NAyfnr4v2eyMrmH9/j+sECxjCAaC5QLpJWyoDPilFU8dXBarmiZNYYlXQt1pn
+            yxZSF5pElmrdiZ6vlKlnEHwFtExm1gv63ZjAlusrXM+bKMvdVKRnhahq76A5VXjc
+            kbOhQi+wYGaVK4jB2a1UilmKYh1wKLE7HULoHDRrqEe4jemNZg+JOBPTU+jM/JzM
+            XdPy0KAMxHOUZCe8IX0LgF1snVaMF05Qkoe3QKr0YJ3KTD7UdsJpa1Br216Z/w2f
+            koz+cRn/Z/8TO8SIRKvy5TfXeH+ra6rp/CvwryNlNL4FB+25LFDkJtLIZGqAsz3G
+            vRXUiGN4l1FR4TbX7XaK2rvIlA/+4isJ02bBdnZhe7kmuuBeECyPaR1+Ui6pElXe
+            ZamnxTAmj86Q8pDx6Wn2cg8YAJlVV3UCfhda34DZokJmmmKucGupg/6Xt0Bhm9d5
+            exNrTIDG3lXTxmg2mfiZJeg/fsnalvtN0j/VB+NmmKzie+ZohMK4nUfslq8o5CO9
+            j7ZLmZzm062GzX0RenxNkwUCAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo ";
+    };
     onebutton = {
       cores = 1;
       nets = {
@@ -131,8 +163,6 @@ in {
             "brockman.r"
             "build.puyak.r"
             "cgit.puyak.r"
-            "go.r"
-            "rss.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
-- 
cgit v1.2.3


From 5fe4e57a620abd3bed8e1ad4e7158439e4e075e1 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 16:45:12 +0100
Subject: news.r: enable ci

---
 krebs/3modules/krebs/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'krebs')

diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 434ac1df..4a1b5608 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -93,8 +93,7 @@ in {
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
     };
     news = {
-      cores = 1;
-      owner = config.krebs.users.krebs;
+      ci = true;
       nets = {
         retiolum = {
           ip4.addr = "10.243.0.5";
-- 
cgit v1.2.3


From cf63e2c3ad3b0a780b7a595c9e34de3559808834 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 16:58:22 +0100
Subject: sync-containers: allow syncthing to enter /var/lib/containers

---
 krebs/3modules/sync-containers.nix | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'krebs')

diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index 7c7db4c3..d31022d3 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -92,6 +92,10 @@ in {
 
   config = mkIf (cfg.containers != {}) {
     programs.fuse.userAllowOther = true;
+    # allow syncthing to enter /var/lib/containers
+    system.activationScripts.syncthing-home = ''
+      ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
+    '';
 
     services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
       devices = ctr.peers;
-- 
cgit v1.2.3


From c7b7e4b22f4569a666b532a65701a726b3d39706 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 18:36:57 +0100
Subject: nixpkgs: 0cfd08f -> a058d00

---
 krebs/nixpkgs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'krebs')

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 9c450582..97afb10f 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "0cfd08f4881bbfdaa57e68835b923d4290588d98",
-  "date": "2021-01-08T17:43:56+01:00",
-  "path": "/nix/store/c3rhsa326ylk4hm146nmfrfmxcpqflyb-nixpkgs",
-  "sha256": "1srd9p37jmrsxgvrxvlibmscphz5p42244285yc5piacvrz1rdcc",
+  "rev": "a058d005b3cbb370bf171ebce01839dd6ff52222",
+  "date": "2021-01-23T17:41:51-05:00",
+  "path": "/nix/store/6ps307ghgrp10q3mwgw4lq143pmz0h25-nixpkgs",
+  "sha256": "154mpqw0ya31hzgz9hggg1rb26yx8d00rsj9l90ndsdldrssgvbb",
   "fetchSubmodules": false,
   "deepClone": false,
   "leaveDotGit": false
-- 
cgit v1.2.3


From b4e00e705f0b2d9a3e3899928e579dc87f769da7 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 24 Jan 2021 18:37:21 +0100
Subject: nixpkgs-unstable: f211631 -> f217c0e

---
 krebs/nixpkgs-unstable.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'krebs')

diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index e478709b..321fafac 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "f211631c1cb3e94828c7650b5d12c1e5a89e0e16",
-  "date": "2021-01-07T19:50:35+02:00",
-  "path": "/nix/store/2zymxp9iq6xvxy5wjc411iws2kk3c8z4-nixpkgs",
-  "sha256": "0r085j42991qcbzx4l0hnwlsxw016y4b7r821s4qxvqnvwr9lxar",
+  "rev": "f217c0ea7c148ddc0103347051555c7c252dcafb",
+  "date": "2021-01-21T09:50:34+01:00",
+  "path": "/nix/store/8srlzkkvbvlg4g585g9iyzd3ryiilm8a-nixpkgs",
+  "sha256": "0cyksxg2lnzxd0pss09rmmk2c2axz0lf9wvgvfng59nwf8dpq2kf",
   "fetchSubmodules": false,
   "deepClone": false,
   "leaveDotGit": false
-- 
cgit v1.2.3