diff options
| author | tv <tv@krebsco.de> | 2021-01-25 11:28:26 +0100 |
|---|---|---|
| committer | tv <tv@krebsco.de> | 2021-01-25 11:28:26 +0100 |
| commit | a0ca091cbf4e9ca41390ad9d54844c9eb2660406 (patch) | |
| tree | aae89f223f953a81da400d6f7deac1d5ae5d240e | |
| parent | 1cd73df0c8694f491d40f93a796ea58f150e88dc (diff) | |
| parent | 71206dc6a2852dd69664e85aa6dcb49676ec1f6e (diff) | |
Merge remote-tracking branch 'prism/master'
68 files changed, 774 insertions, 669 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index c0fa3828..a100e414 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -1,7 +1,3 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - { config, lib, pkgs, ... }: { diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix new file mode 100644 index 00000000..e4059e57 --- /dev/null +++ b/krebs/1systems/news/config.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + <stockholm/krebs> + <stockholm/krebs/2configs> + + <stockholm/krebs/2configs/ircd.nix> + <stockholm/krebs/2configs/go.nix> + + #### NEWS #### + <stockholm/krebs/2configs/ircd.nix> + <stockholm/krebs/2configs/news.nix> + ]; + + krebs.build.host = config.krebs.hosts.news; + + boot.isContainer = true; + networking.useDHCP = false; + krebs.bindfs = { + "/var/lib/htgen-go" = { + source = "/var/state/htgen-go"; + options = [ + "-M ${toString config.users.users.htgen-go.uid}" + ]; + clearTarget = true; + }; + "/var/lib/brockman" = { + source = "/var/state/brockman"; + options = [ + "-M ${toString config.users.users.brockman.uid}" + ]; + clearTarget = true; + }; + }; +} diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 19cf2228..1e0687ba 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -19,14 +19,6 @@ <stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/prism.nix> - ### Krebs ### - <stockholm/krebs/2configs/go.nix> - - #### NEWS #### - <stockholm/krebs/2configs/ircd.nix> - <stockholm/krebs/2configs/news.nix> - - ### shackspace ### # handle the worlddomination map via coap <stockholm/krebs/2configs/shack/worlddomination.nix> diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix new file mode 100644 index 00000000..82360a67 --- /dev/null +++ b/krebs/2configs/news-host.nix @@ -0,0 +1,12 @@ +{ + krebs.sync-containers.containers.news = { + peers = [ + "shodan" + "mors" + "styx" + ]; + hostIp = "10.233.2.101"; + localIp = "10.233.2.102"; + format = "plain"; + }; +} diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index f40997f8..a492b078 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { services.rss-bridge = { @@ -22,7 +22,6 @@ "d /var/lib/brockman 1750 brockman nginx -" ]; - systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; krebs.brockman = { enable = true; config = { @@ -36,4 +35,54 @@ bots = {}; }; }; + + krebs.reaktor2.news = { + hostname = "localhost"; + port = "6667"; + nick = "brockman-helper"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#all" + "#aluhut" + "#news" + ]; + }; + } + { + plugin = "system"; + config = { + hooks.PRIVMSG = [ + { + activate = "match"; + pattern = "^(?:.*\\s)?\\s*brockman-helper:\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$"; + command = 1; + arguments = [2]; + commands = { + add-telegram.filename = pkgs.writeDash "add-telegram" '' + if [ "$#" -ne 1 ]; then + echo 'usage: brockman-helper: add-telegram $telegramname' + echo "$#" + exit 1 + fi + echo "brockman: add t_$1 http://rss.r/?action=display&bridge=Telegram&username=$1&format=Mrss" + ''; + search.filename = pkgs.writeDash "search" '' + if [ "$#" -ne 1 ]; then + echo 'usage: brockman-helper: search $searchterm' + echo "$#" + exit 1 + fi + ${pkgs.curl}/bin/curl -Ss "https://feedsearch.dev/api/v1/search?url=$1&info=true&favicon=false" | + ${pkgs.jq}/bin/jq '.[].url' + ''; + }; + } + ]; + }; + } + ]; + }; } diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix new file mode 100644 index 00000000..31e33ad5 --- /dev/null +++ b/krebs/2configs/syncthing.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: with import <stockholm/lib>; let + mk_peers = mapAttrs (n: v: { id = v.syncthing.id; }); + + all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts; + used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.declarative.folders)); + used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers; +in { + services.syncthing = { + enable = true; + configDir = "/var/lib/syncthing"; + declarative = { + devices = mk_peers used_peers; + }; + }; +} diff --git a/lass/3modules/bindfs.nix b/krebs/3modules/bindfs.nix index 5c8df8dc..7e3730e8 100644 --- a/lass/3modules/bindfs.nix +++ b/krebs/3modules/bindfs.nix @@ -1,9 +1,9 @@ with import <stockholm/lib>; { config, pkgs, ... }: let - cfg = config.lass.bindfs; + cfg = config.krebs.bindfs; in { - options.lass.bindfs = mkOption { + options.krebs.bindfs = mkOption { type = types.attrsOf (types.submodule ({ config, ... }: { options = { target = mkOption { @@ -28,6 +28,13 @@ in { type = types.listOf types.str; default = []; }; + clearTarget = mkOption { + description = '' + whether to clear the target folder before mounting + ''; + type = types.bool; + default = false; + }; }; })); default = {}; @@ -41,6 +48,9 @@ in { path = [ pkgs.coreutils ]; serviceConfig = { ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' + ${optionalString mount.clearTarget '' + rm -rf '${mount.target}' + ''} mkdir -p '${mount.source}' mkdir -p '${mount.target}' ''; diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix index 55e8255b..32aa3489 100644 --- a/krebs/3modules/brockman.nix +++ b/krebs/3modules/brockman.nix @@ -1,5 +1,5 @@ -{ pkgs, lib, config, ... }: -with lib; +{ pkgs, config, ... }: +with import <stockholm/lib>; let cfg = config.krebs.brockman; in { @@ -13,6 +13,7 @@ in { home = "/var/lib/brockman"; createHome = true; isNormalUser = false; + uid = genid_uint31 "brockman"; }; systemd.services.brockman = { diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 8c620a4e..e7d04ead 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -11,6 +11,7 @@ let ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix + ./bindfs.nix ./brockman.nix ./buildbot/master.nix ./buildbot/slave.nix @@ -51,6 +52,7 @@ let ./secret.nix ./setuid.nix ./shadow.nix + ./sync-containers.nix ./tinc.nix ./tinc_graphs.nix ./urlwatch.nix @@ -90,8 +92,10 @@ let @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) IN NS ns19.ovh.net. IN NS dns19.ovh.net. - IN A 192.30.252.154 - IN A 192.30.252.153 + IN A 185.199.108.153 + IN A 185.199.109.153 + IN A 185.199.110.153 + IN A 185.199.111.153 ''; }; }; diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index d0648418..4a1b5608 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -92,6 +92,37 @@ in { ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp"; }; + news = { + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.0.5"; + aliases = [ + "news.r" + "go.r" + "rss.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc + cgPezX8yGmA0nuTyCUPtXbWyWee9HnzYqekzJYvBHwgBDvZ8UhLZTCXD15agDfaf + cbzd4uM5bCDgqI8sezzD95tqj7mzvIEurIShDXYSWC6YRat1h1Opp86JngBJRvHZ + Gb6NAyfnr4v2eyMrmH9/j+sECxjCAaC5QLpJWyoDPilFU8dXBarmiZNYYlXQt1pn + yxZSF5pElmrdiZ6vlKlnEHwFtExm1gv63ZjAlusrXM+bKMvdVKRnhahq76A5VXjc + kbOhQi+wYGaVK4jB2a1UilmKYh1wKLE7HULoHDRrqEe4jemNZg+JOBPTU+jM/JzM + XdPy0KAMxHOUZCe8IX0LgF1snVaMF05Qkoe3QKr0YJ3KTD7UdsJpa1Br216Z/w2f + koz+cRn/Z/8TO8SIRKvy5TfXeH+ra6rp/CvwryNlNL4FB+25LFDkJtLIZGqAsz3G + vRXUiGN4l1FR4TbX7XaK2rvIlA/+4isJ02bBdnZhe7kmuuBeECyPaR1+Ui6pElXe + ZamnxTAmj86Q8pDx6Wn2cg8YAJlVV3UCfhda34DZokJmmmKucGupg/6Xt0Bhm9d5 + exNrTIDG3lXTxmg2mfiZJeg/fsnalvtN0j/VB+NmmKzie+ZohMK4nUfslq8o5CO9 + j7ZLmZzm062GzX0RenxNkwUCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo "; + }; onebutton = { cores = 1; nets = { @@ -131,8 +162,6 @@ in { "brockman.r" "build.puyak.r" "cgit.puyak.r" - "go.r" - "rss.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index a4586bed..c5cf5cb1 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -44,6 +44,7 @@ in { matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; @@ -685,6 +686,7 @@ in { }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU "; + syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN"; }; }; users = rec { @@ -699,6 +701,11 @@ in { pubkey = builtins.readFile ./ssh/blue.rsa; pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp; }; + lass-green = { + mail = "lass@green.r"; + pubkey = builtins.readFile ./ssh/green.ed25519; + pgp.pubkeys.default = builtins.readFile ./pgp/green.pgp; + }; lass-mors = { mail = "lass@mors.r"; pubkey = builtins.readFile ./ssh/mors.rsa; diff --git a/krebs/3modules/lass/pgp/green.pgp b/krebs/3modules/lass/pgp/green.pgp new file mode 100644 index 00000000..96b2b38e --- /dev/null +++ b/krebs/3modules/lass/pgp/green.pgp @@ -0,0 +1,40 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBGAMS3EBDACzbsaP9nhJ8GrAk5JLlz+ruDbEGuvJXvh+spVq9i9TCCGAraPo +z8Tmgsw6SJhJMW/170OZJ+GMMEDRpRbvh8tLZ0jsTIwINasRjC68tF9dgjjPZdNN +cVOpFw4Wf4ueMmoEG/9Xyehm+YEJFTj5wul2uJtfj5NJB43daDn4e3ieGExd+zE0 +FTP4yAmxVMbN4BiyZPX7CxeTzJS0g4aVnMq9RqtYbxd1Uv++LmPh1ZkEyNNKItfC +nRFeZzjhnmD7LvwsixE2ENnbiL9Ho7Mc4C7kRKSJ+LvXH6ChJJtDy9ApVA+u90i5 +Rd7y9rdzFY+NCHusWg0/U/t2FoLc/hRa0eLE1KFtzWzH35TMl8R/7NrPztTwT/fH +xt3qSiwMUvH9X9TGvh5N0WwqgtEe6mpZvpq+4gyOiyA+EwE73rnxG2DzmM6CFHyo +Qm/OOfjuFH+l0PkAqti+f41SqlEOiOAAFzgz7gaTdJ8gXs8piOGxk4U5EK/p1OTW +4e6DrxqcxmHgoAUAEQEAAbQMbGFzc0BncmVlbi5yiQHUBBMBCAA+FiEE6Ed5jGI3 +gop09K1NMwheLc2Sjz0FAmAMS3ECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwEC +HgECF4AACgkQMwheLc2Sjz0otwv+I8Sw0ENqy6SsrZSGDtmhAouCeTIUseRQ66tp +UFnxDVPYhhdM2ubTtIqOfx20Xdy/7N/POyYMJ5VR+IaFcB9wUlrhdjwUlCtoUipx +EycZloccMPGySxAxR3Kcy/SFzUKWwQ10/mfSQg/4+vYayZNuSvEpviMEZn0prpmw +jwFJcHOu0NL+7eYULMdit1BDaZfBaAu/otKn18878+0hVimyjW27564uXtJYnbf1 +hUVGvPLaSo74XBFra+kujcA3zIjWiPn6dRA5dzLrRRkb30Unl1+0a9QwY3wd3vCV +UHWSgDNaV+o7yPTuxoMsfrxHPAc3JlaKM6ka/EdK04tbgMH/N7FHXqDqCEIBWML4 +1/+HxkP2UW59zLefQwvBqWcF6bA7kgHGhIDkg1yg7ygP0t2mH6ktuEAYYr24BFx7 +b8nK/jhK+rp3LomLTLQ6e/6mikfoDr636sB1/Bc+pTdWsJnuQTzaWBDloVEr/2hz +/K5+wH2kgSKaWYUtaR6wiMbVKq3HuQGNBGAMS3EBDAC1xQNCJD3hlnihHBv7jxfH +CI5HdnUEh1eP8mUKjSE+Z0xGEMq8Z9sbTHQxtDdmC4ZOq1Kkt2LmtQQQAIH+Qnu6 +RYFOAPRmegouIxg4S3eTPZhZRo1ZqCphqbL2mQ9ifNrG3VVvQGXNvjo3Cuwj0uzx +EDtOilKEtHZhG0cfehGV+nO1n/g50EQMC7JkFWnryxVL8i4l3KstOdj+LcIT6c27 +EE2fzOUekeltBHGRFSM1Yzmn2lxruuK4I8zoiqak2St1788ay//F9tiZPfhWRb6+ +DF+JgRLCXatqTJppPpkui1irw6jN5ZabjyS7GBtH+5wpnvuMEMr484OXEg17VnCd +Tx/RTLyjfffDtTkC4M7oiAr5SUbkJjVkEuwjxp1N19epD8gzrBQC2W7XKM3z+mtG +ZLJtiW5hM+QylMv7VWxbQ21ObJmUqBQUZLPlpl3dlGU/ILw3U4urBibD9oPT2QAX +J6Db/STyl6w0bzRbMJmaEM4P0FcdEKTuw7tOpl5zBUkAEQEAAYkBtgQYAQgAIBYh +BOhHeYxiN4KKdPStTTMIXi3Nko89BQJgDEtxAhsMAAoJEDMIXi3Nko89yc8MAJKg +M5lbA/PJYlIju/qWKWt7yZbsIGuDfmuKfYftjXDOqskEqDyYgr31Txd43bWM6Ec7 +gb5JVmtzvLull0/KRwMcKAFNTXIYcb3jKpanwWRgHQlt/D6zlQula73WxwNUlZWl +Q8FCWjGa2hC8oKlTbtzm5osdcK+YhlpTpK5y4Mrg0f9Rcd297ygFQSDInpGq7ILY +sFat3HU7w9oPp9Q5RS8/EmrvAx1kFj9mZRs4L9inJJnHFpb1R6snojcKPwEyIWBi ++PFZ6ns296FjW9C+Ci7C+aaAzVDM7NAwU0/EhWeDKKHITU3Zaz4gnShesKBiVxhI +JQNFCjWlnc+o3RqbAhDQhlwFrCZWUxQi1qWy4U88IYqR9hxV0eNtGSRmwnGCT9RV +Nxb6CjtmHpgUmzyvwBpBJya8bLYu5tCKnUodtFiq/poxEfI5WrP6pu5l648AwuPa +ioovprweDWs38Q8wd/SuoaUtIoj378UDXq8acFvHHnOS/bBBfAE9tutY1ycJdg== +=Fg3f +-----END PGP PUBLIC KEY BLOCK----- diff --git a/krebs/3modules/lass/ssh/green.ed25519 b/krebs/3modules/lass/ssh/green.ed25519 new file mode 100644 index 00000000..1aa7b180 --- /dev/null +++ b/krebs/3modules/lass/ssh/green.ed25519 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOJfTJ37hWYTYLWY6egshmvigPfRF0Sa4N11gmphMLm lass@green diff --git a/lass/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix index ca81458a..d31022d3 100644 --- a/lass/3modules/sync-containers.nix +++ b/krebs/3modules/sync-containers.nix @@ -1,6 +1,6 @@ with import <stockholm/lib>; { config, pkgs, ... }: let - cfg = config.lass.sync-containers; + cfg = config.krebs.sync-containers; paths = cname: { plain = "/var/lib/containers/${cname}/var/state"; ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; @@ -8,6 +8,7 @@ with import <stockholm/lib>; }; start = cname: { plain = '' + : ''; ecryptfs = '' if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then @@ -28,6 +29,7 @@ with import <stockholm/lib>; }; stop = cname: { plain = '' + : ''; ecryptfs = '' ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state @@ -37,7 +39,7 @@ with import <stockholm/lib>; ''; }; in { - options.lass.sync-containers = { + options.krebs.sync-containers = { dataLocation = mkOption { description = '' location where the encrypted sync-container lie around @@ -90,6 +92,10 @@ in { config = mkIf (cfg.containers != {}) { programs.fuse.userAllowOther = true; + # allow syncthing to enter /var/lib/containers + system.activationScripts.syncthing-home = '' + ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers + ''; services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ devices = ctr.peers; @@ -153,6 +159,8 @@ in { if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I |