summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2021-01-25 11:28:26 +0100
committertv <tv@krebsco.de>2021-01-25 11:28:26 +0100
commita0ca091cbf4e9ca41390ad9d54844c9eb2660406 (patch)
treeaae89f223f953a81da400d6f7deac1d5ae5d240e
parent1cd73df0c8694f491d40f93a796ea58f150e88dc (diff)
parent71206dc6a2852dd69664e85aa6dcb49676ec1f6e (diff)
Merge remote-tracking branch 'prism/master'
-rw-r--r--krebs/1systems/hotdog/config.nix4
-rw-r--r--krebs/1systems/news/config.nix36
-rw-r--r--krebs/1systems/puyak/config.nix8
-rw-r--r--krebs/2configs/news-host.nix12
-rw-r--r--krebs/2configs/news.nix53
-rw-r--r--krebs/2configs/syncthing.nix15
-rw-r--r--krebs/3modules/bindfs.nix (renamed from lass/3modules/bindfs.nix)14
-rw-r--r--krebs/3modules/brockman.nix5
-rw-r--r--krebs/3modules/default.nix8
-rw-r--r--krebs/3modules/krebs/default.nix33
-rw-r--r--krebs/3modules/lass/default.nix7
-rw-r--r--krebs/3modules/lass/pgp/green.pgp40
-rw-r--r--krebs/3modules/lass/ssh/green.ed255191
-rw-r--r--krebs/3modules/sync-containers.nix (renamed from lass/3modules/sync-containers.nix)12
-rw-r--r--krebs/5pkgs/haskell/brockman.nix18
-rw-r--r--krebs/5pkgs/simple/ecrypt/default.nix111
-rw-r--r--krebs/5pkgs/simple/realwallpaper/default.nix46
-rw-r--r--krebs/krops.nix8
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rw-r--r--lass/1systems/archprism/config.nix54
-rw-r--r--lass/1systems/archprism/physical.nix77
-rw-r--r--lass/1systems/blue/config.nix2
-rw-r--r--lass/1systems/daedalus/config.nix1
-rw-r--r--lass/1systems/green/config.nix71
-rw-r--r--lass/1systems/icarus/physical.nix8
-rw-r--r--lass/1systems/littleT/config.nix1
-rw-r--r--lass/1systems/morpheus/config.nix3
-rw-r--r--lass/1systems/mors/config.nix16
-rw-r--r--lass/1systems/prism/config.nix63
-rw-r--r--lass/1systems/shodan/config.nix9
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/styx/config.nix13
-rw-r--r--lass/1systems/styx/physical.nix5
-rw-r--r--lass/1systems/xerxes/config.nix1
-rw-r--r--lass/1systems/yellow/config.nix20
-rw-r--r--lass/2configs/IM.nix45
-rw-r--r--lass/2configs/backup.nix14
-rw-r--r--lass/2configs/binary-cache/server.nix1
-rw-r--r--lass/2configs/bitlbee.nix6
-rw-r--r--lass/2configs/browsers.nix1
-rw-r--r--lass/2configs/codimd.nix3
-rw-r--r--lass/2configs/default.nix3
-rw-r--r--lass/2configs/exim-retiolum.nix7
-rw-r--r--lass/2configs/git.nix11
-rw-r--r--lass/2configs/green-host.nix12
-rw-r--r--lass/2configs/hass/default.nix4
-rw-r--r--lass/2configs/hass/lib.nix25
-rw-r--r--lass/2configs/hass/rooms/bett.nix2
-rw-r--r--lass/2configs/hass/rooms/essen.nix4
-rw-r--r--lass/2configs/hass/rooms/nass.nix4
-rw-r--r--lass/2configs/mail.nix23
-rw-r--r--lass/2configs/muchsync.nix40
-rw-r--r--lass/2configs/nfs-dl.nix2
-rw-r--r--lass/2configs/ppp/umts-stick.nix33
-rw-r--r--lass/2configs/ppp/x220-modem.nix (renamed from lass/2configs/ppp.nix)4
-rw-r--r--lass/2configs/radio.nix6
-rw-r--r--lass/2configs/realwallpaper.nix3
-rw-r--r--lass/2configs/sync/sync.nix13
-rw-r--r--lass/2configs/sync/weechat.nix2
-rw-r--r--lass/2configs/syncthing.nix23
-rw-r--r--lass/2configs/tv.nix88
-rw-r--r--lass/2configs/websites/domsen.nix1
-rw-r--r--lass/3modules/default.nix3
-rw-r--r--lass/3modules/ejabberd/config.nix128
-rw-r--r--lass/3modules/ejabberd/default.nix103
-rw-r--r--lass/5pkgs/l-gen-secrets/default.nix4
-rw-r--r--lass/5pkgs/tdlib-purple/default.nix33
68 files changed, 774 insertions, 669 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index c0fa38284..a100e414d 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -1,7 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
{ config, lib, pkgs, ... }:
{
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
new file mode 100644
index 000000000..e4059e579
--- /dev/null
+++ b/krebs/1systems/news/config.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports = [
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+
+ <stockholm/krebs/2configs/ircd.nix>
+ <stockholm/krebs/2configs/go.nix>
+
+ #### NEWS ####
+ <stockholm/krebs/2configs/ircd.nix>
+ <stockholm/krebs/2configs/news.nix>
+ ];
+
+ krebs.build.host = config.krebs.hosts.news;
+
+ boot.isContainer = true;
+ networking.useDHCP = false;
+ krebs.bindfs = {
+ "/var/lib/htgen-go" = {
+ source = "/var/state/htgen-go";
+ options = [
+ "-M ${toString config.users.users.htgen-go.uid}"
+ ];
+ clearTarget = true;
+ };
+ "/var/lib/brockman" = {
+ source = "/var/state/brockman";
+ options = [
+ "-M ${toString config.users.users.brockman.uid}"
+ ];
+ clearTarget = true;
+ };
+ };
+}
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 19cf22280..1e0687ba7 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -19,14 +19,6 @@
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
- ### Krebs ###
- <stockholm/krebs/2configs/go.nix>
-
- #### NEWS ####
- <stockholm/krebs/2configs/ircd.nix>
- <stockholm/krebs/2configs/news.nix>
-
-
### shackspace ###
# handle the worlddomination map via coap
<stockholm/krebs/2configs/shack/worlddomination.nix>
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
new file mode 100644
index 000000000..82360a670
--- /dev/null
+++ b/krebs/2configs/news-host.nix
@@ -0,0 +1,12 @@
+{
+ krebs.sync-containers.containers.news = {
+ peers = [
+ "shodan"
+ "mors"
+ "styx"
+ ];
+ hostIp = "10.233.2.101";
+ localIp = "10.233.2.102";
+ format = "plain";
+ };
+}
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index f40997f82..a492b0782 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
{
services.rss-bridge = {
@@ -22,7 +22,6 @@
"d /var/lib/brockman 1750 brockman nginx -"
];
- systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = {
enable = true;
config = {
@@ -36,4 +35,54 @@
bots = {};
};
};
+
+ krebs.reaktor2.news = {
+ hostname = "localhost";
+ port = "6667";
+ nick = "brockman-helper";
+ plugins = [
+ {
+ plugin = "register";
+ config = {
+ channels = [
+ "#all"
+ "#aluhut"
+ "#news"
+ ];
+ };
+ }
+ {
+ plugin = "system";
+ config = {
+ hooks.PRIVMSG = [
+ {
+ activate = "match";
+ pattern = "^(?:.*\\s)?\\s*brockman-helper:\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$";
+ command = 1;
+ arguments = [2];
+ commands = {
+ add-telegram.filename = pkgs.writeDash "add-telegram" ''
+ if [ "$#" -ne 1 ]; then
+ echo 'usage: brockman-helper: add-telegram $telegramname'
+ echo "$#"
+ exit 1
+ fi
+ echo "brockman: add t_$1 http://rss.r/?action=display&bridge=Telegram&username=$1&format=Mrss"
+ '';
+ search.filename = pkgs.writeDash "search" ''
+ if [ "$#" -ne 1 ]; then
+ echo 'usage: brockman-helper: search $searchterm'
+ echo "$#"
+ exit 1
+ fi
+ ${pkgs.curl}/bin/curl -Ss "https://feedsearch.dev/api/v1/search?url=$1&info=true&favicon=false" |
+ ${pkgs.jq}/bin/jq '.[].url'
+ '';
+ };
+ }
+ ];
+ };
+ }
+ ];
+ };
}
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
new file mode 100644
index 000000000..31e33ad5e
--- /dev/null
+++ b/krebs/2configs/syncthing.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }: with import <stockholm/lib>; let
+ mk_peers = mapAttrs (n: v: { id = v.syncthing.id; });
+
+ all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts;
+ used_peer_names = unique (flatten (mapAttrsToList (n: v: v.devices) config.services.syncthing.declarative.folders));
+ used_peers = filterAttrs (n: v: elem n used_peer_names) all_peers;
+in {
+ services.syncthing = {
+ enable = true;
+ configDir = "/var/lib/syncthing";
+ declarative = {
+ devices = mk_peers used_peers;
+ };
+ };
+}
diff --git a/lass/3modules/bindfs.nix b/krebs/3modules/bindfs.nix
index 5c8df8dc5..7e3730e86 100644
--- a/lass/3modules/bindfs.nix
+++ b/krebs/3modules/bindfs.nix
@@ -1,9 +1,9 @@
with import <stockholm/lib>;
{ config, pkgs, ... }:
let
- cfg = config.lass.bindfs;
+ cfg = config.krebs.bindfs;
in {
- options.lass.bindfs = mkOption {
+ options.krebs.bindfs = mkOption {
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
target = mkOption {
@@ -28,6 +28,13 @@ in {
type = types.listOf types.str;
default = [];
};
+ clearTarget = mkOption {
+ description = ''
+ whether to clear the target folder before mounting
+ '';
+ type = types.bool;
+ default = false;
+ };
};
}));
default = {};
@@ -41,6 +48,9 @@ in {
path = [ pkgs.coreutils ];
serviceConfig = {
ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
+ ${optionalString mount.clearTarget ''
+ rm -rf '${mount.target}'
+ ''}
mkdir -p '${mount.source}'
mkdir -p '${mount.target}'
'';
diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix
index 55e8255b4..32aa3489b 100644
--- a/krebs/3modules/brockman.nix
+++ b/krebs/3modules/brockman.nix
@@ -1,5 +1,5 @@
-{ pkgs, lib, config, ... }:
-with lib;
+{ pkgs, config, ... }:
+with import <stockholm/lib>;
let
cfg = config.krebs.brockman;
in {
@@ -13,6 +13,7 @@ in {
home = "/var/lib/brockman";
createHome = true;
isNormalUser = false;
+ uid = genid_uint31 "brockman";
};
systemd.services.brockman = {
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 8c620a4e2..e7d04ead8 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -11,6 +11,7 @@ let
./apt-cacher-ng.nix
./backup.nix
./bepasty-server.nix
+ ./bindfs.nix
./brockman.nix
./buildbot/master.nix
./buildbot/slave.nix
@@ -51,6 +52,7 @@ let
./secret.nix
./setuid.nix
./shadow.nix
+ ./sync-containers.nix
./tinc.nix
./tinc_graphs.nix
./urlwatch.nix
@@ -90,8 +92,10 @@ let
@ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
IN NS ns19.ovh.net.
IN NS dns19.ovh.net.
- IN A 192.30.252.154
- IN A 192.30.252.153
+ IN A 185.199.108.153
+ IN A 185.199.109.153
+ IN A 185.199.110.153
+ IN A 185.199.111.153
'';
};
};
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index d0648418f..4a1b56084 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -92,6 +92,37 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
};
+ news = {
+ ci = true;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.5";
+ aliases = [
+ "news.r"
+ "go.r"
+ "rss.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
+ cgPezX8yGmA0nuTyCUPtXbWyWee9HnzYqekzJYvBHwgBDvZ8UhLZTCXD15agDfaf
+ cbzd4uM5bCDgqI8sezzD95tqj7mzvIEurIShDXYSWC6YRat1h1Opp86JngBJRvHZ
+ Gb6NAyfnr4v2eyMrmH9/j+sECxjCAaC5QLpJWyoDPilFU8dXBarmiZNYYlXQt1pn
+ yxZSF5pElmrdiZ6vlKlnEHwFtExm1gv63ZjAlusrXM+bKMvdVKRnhahq76A5VXjc
+ kbOhQi+wYGaVK4jB2a1UilmKYh1wKLE7HULoHDRrqEe4jemNZg+JOBPTU+jM/JzM
+ XdPy0KAMxHOUZCe8IX0LgF1snVaMF05Qkoe3QKr0YJ3KTD7UdsJpa1Br216Z/w2f
+ koz+cRn/Z/8TO8SIRKvy5TfXeH+ra6rp/CvwryNlNL4FB+25LFDkJtLIZGqAsz3G
+ vRXUiGN4l1FR4TbX7XaK2rvIlA/+4isJ02bBdnZhe7kmuuBeECyPaR1+Ui6pElXe
+ ZamnxTAmj86Q8pDx6Wn2cg8YAJlVV3UCfhda34DZokJmmmKucGupg/6Xt0Bhm9d5
+ exNrTIDG3lXTxmg2mfiZJeg/fsnalvtN0j/VB+NmmKzie+ZohMK4nUfslq8o5CO9
+ j7ZLmZzm062GzX0RenxNkwUCAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl5cDF9QheXyMlNYIX17ILbgd94K50fZy7w0fDLvZlo ";
+ };
onebutton = {
cores = 1;
nets = {
@@ -131,8 +162,6 @@ in {
"brockman.r"
"build.puyak.r"
"cgit.puyak.r"
- "go.r"
- "rss.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index a4586bed4..c5cf5cb15 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -44,6 +44,7 @@ in {
matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
@@ -685,6 +686,7 @@ in {
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3OpzRB3382d7c2apdHC+U/R0ZlaWxXZa3GFAj54ZhU ";
+ syncthing.id = "JAVJ6ON-WLCWOA3-YB7EHPX-VGIN4XF-635NIVZ-WZ4HN4M-QRMLT4N-5PL5MQN";
};
};
users = rec {
@@ -699,6 +701,11 @@ in {
pubkey = builtins.readFile ./ssh/blue.rsa;
pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp;
};
+ lass-green = {
+ mail = "lass@green.r";
+ pubkey = builtins.readFile ./ssh/green.ed25519;
+ pgp.pubkeys.default = builtins.readFile ./pgp/green.pgp;
+ };
lass-mors = {
mail = "lass@mors.r";
pubkey = builtins.readFile ./ssh/mors.rsa;
diff --git a/krebs/3modules/lass/pgp/green.pgp b/krebs/3modules/lass/pgp/green.pgp
new file mode 100644
index 000000000..96b2b38e4
--- /dev/null
+++ b/krebs/3modules/lass/pgp/green.pgp
@@ -0,0 +1,40 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGAMS3EBDACzbsaP9nhJ8GrAk5JLlz+ruDbEGuvJXvh+spVq9i9TCCGAraPo
+z8Tmgsw6SJhJMW/170OZJ+GMMEDRpRbvh8tLZ0jsTIwINasRjC68tF9dgjjPZdNN
+cVOpFw4Wf4ueMmoEG/9Xyehm+YEJFTj5wul2uJtfj5NJB43daDn4e3ieGExd+zE0
+FTP4yAmxVMbN4BiyZPX7CxeTzJS0g4aVnMq9RqtYbxd1Uv++LmPh1ZkEyNNKItfC
+nRFeZzjhnmD7LvwsixE2ENnbiL9Ho7Mc4C7kRKSJ+LvXH6ChJJtDy9ApVA+u90i5
+Rd7y9rdzFY+NCHusWg0/U/t2FoLc/hRa0eLE1KFtzWzH35TMl8R/7NrPztTwT/fH
+xt3qSiwMUvH9X9TGvh5N0WwqgtEe6mpZvpq+4gyOiyA+EwE73rnxG2DzmM6CFHyo
+Qm/OOfjuFH+l0PkAqti+f41SqlEOiOAAFzgz7gaTdJ8gXs8piOGxk4U5EK/p1OTW
+4e6DrxqcxmHgoAUAEQEAAbQMbGFzc0BncmVlbi5yiQHUBBMBCAA+FiEE6Ed5jGI3
+gop09K1NMwheLc2Sjz0FAmAMS3ECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwEC
+HgECF4AACgkQMwheLc2Sjz0otwv+I8Sw0ENqy6SsrZSGDtmhAouCeTIUseRQ66tp
+UFnxDVPYhhdM2ubTtIqOfx20Xdy/7N/POyYMJ5VR+IaFcB9wUlrhdjwUlCtoUipx
+EycZloccMPGySxAxR3Kcy/SFzUKWwQ10/mfSQg/4+vYayZNuSvEpviMEZn0prpmw
+jwFJcHOu0NL+7eYULMdit1BDaZfBaAu/otKn18878+0hVimyjW27564uXtJYnbf1
+hUVGvPLaSo74XBFra+kujcA3zIjWiPn6dRA5dzLrRRkb30Unl1+0a9QwY3wd3vCV
+UHWSgDNaV+o7yPTuxoMsfrxHPAc3JlaKM6ka/EdK04tbgMH/N7FHXqDqCEIBWML4
+1/+HxkP2UW59zLefQwvBqWcF6bA7kgHGhIDkg1yg7ygP0t2mH6ktuEAYYr24BFx7
+b8nK/jhK+rp3LomLTLQ6e/6mikfoDr636sB1/Bc+pTdWsJnuQTzaWBDloVEr/2hz
+/K5+wH2kgSKaWYUtaR6wiMbVKq3HuQGNBGAMS3EBDAC1xQNCJD3hlnihHBv7jxfH
+CI5HdnUEh1eP8mUKjSE+Z0xGEMq8Z9sbTHQxtDdmC4ZOq1Kkt2LmtQQQAIH+Qnu6
+RYFOAPRmegouIxg4S3eTPZhZRo1ZqCphqbL2mQ9ifNrG3VVvQGXNvjo3Cuwj0uzx
+EDtOilKEtHZhG0cfehGV+nO1n/g50EQMC7JkFWnryxVL8i4l3KstOdj+LcIT6c27
+EE2fzOUekeltBHGRFSM1Yzmn2lxruuK4I8zoiqak2St1788ay//F9tiZPfhWRb6+
+DF+JgRLCXatqTJppPpkui1irw6jN5ZabjyS7GBtH+5wpnvuMEMr484OXEg17VnCd
+Tx/RTLyjfffDtTkC4M7oiAr5SUbkJjVkEuwjxp1N19epD8gzrBQC2W7XKM3z+mtG
+ZLJtiW5hM+QylMv7VWxbQ21ObJmUqBQUZLPlpl3dlGU/ILw3U4urBibD9oPT2QAX
+J6Db/STyl6w0bzRbMJmaEM4P0FcdEKTuw7tOpl5zBUkAEQEAAYkBtgQYAQgAIBYh
+BOhHeYxiN4KKdPStTTMIXi3Nko89BQJgDEtxAhsMAAoJEDMIXi3Nko89yc8MAJKg
+M5lbA/PJYlIju/qWKWt7yZbsIGuDfmuKfYftjXDOqskEqDyYgr31Txd43bWM6Ec7
+gb5JVmtzvLull0/KRwMcKAFNTXIYcb3jKpanwWRgHQlt/D6zlQula73WxwNUlZWl
+Q8FCWjGa2hC8oKlTbtzm5osdcK+YhlpTpK5y4Mrg0f9Rcd297ygFQSDInpGq7ILY
+sFat3HU7w9oPp9Q5RS8/EmrvAx1kFj9mZRs4L9inJJnHFpb1R6snojcKPwEyIWBi
++PFZ6ns296FjW9C+Ci7C+aaAzVDM7NAwU0/EhWeDKKHITU3Zaz4gnShesKBiVxhI
+JQNFCjWlnc+o3RqbAhDQhlwFrCZWUxQi1qWy4U88IYqR9hxV0eNtGSRmwnGCT9RV
+Nxb6CjtmHpgUmzyvwBpBJya8bLYu5tCKnUodtFiq/poxEfI5WrP6pu5l648AwuPa
+ioovprweDWs38Q8wd/SuoaUtIoj378UDXq8acFvHHnOS/bBBfAE9tutY1ycJdg==
+=Fg3f
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/krebs/3modules/lass/ssh/green.ed25519 b/krebs/3modules/lass/ssh/green.ed25519
new file mode 100644
index 000000000..1aa7b1801
--- /dev/null
+++ b/krebs/3modules/lass/ssh/green.ed25519
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOJfTJ37hWYTYLWY6egshmvigPfRF0Sa4N11gmphMLm lass@green
diff --git a/lass/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index ca81458a9..d31022d3a 100644
--- a/lass/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -1,6 +1,6 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
- cfg = config.lass.sync-containers;
+ cfg = config.krebs.sync-containers;
paths = cname: {
plain = "/var/lib/containers/${cname}/var/state";
ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
@@ -8,6 +8,7 @@ with import <stockholm/lib>;
};
start = cname: {
plain = ''
+ :
'';
ecryptfs = ''
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
@@ -28,6 +29,7 @@ with import <stockholm/lib>;
};
stop = cname: {
plain = ''
+ :
'';
ecryptfs = ''
${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
@@ -37,7 +39,7 @@ with import <stockholm/lib>;
'';
};
in {
- options.lass.sync-containers = {
+ options.krebs.sync-containers = {
dataLocation = mkOption {
description = ''
location where the encrypted sync-container lie around
@@ -90,6 +92,10 @@ in {
config = mkIf (cfg.containers != {}) {
programs.fuse.userAllowOther = true;
+ # allow syncthing to enter /var/lib/containers
+ system.activationScripts.syncthing-home = ''
+ ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
+ '';
services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
devices = ctr.peers;
@@ -153,6 +159,8 @@ in {
if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -