diff options
author | tv <tv@krebsco.de> | 2018-01-09 19:06:50 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2018-01-09 19:06:50 +0100 |
commit | 8ff5c5e992ebafeca5edb2b22a0ab700edc715a5 (patch) | |
tree | e141f28bca4e5494669282d41c1c8dbbc96b4ce8 | |
parent | fb0bbec70ae1a0dd4fdc3c9bc9ed47f2a8573fd9 (diff) | |
parent | 5ef3a2c6caa2f018c2adf795de992e0487dd2413 (diff) |
Merge remote-tracking branch 'prism/master'
39 files changed, 466 insertions, 71 deletions
diff --git a/jeschli/1systems/bln/config.nix b/jeschli/1systems/bln/config.nix index 901970e81..873c0fa3d 100644 --- a/jeschli/1systems/bln/config.nix +++ b/jeschli/1systems/bln/config.nix @@ -38,7 +38,7 @@ networking.hostName = "BLN02NB0154"; # Define your hostname. networking.networkmanager.enable = true; - #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # Select internationalisation properties. # i18n = { @@ -54,7 +54,11 @@ # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget nixpkgs.config.allowUnfree = true; - environment.shellAliases = { n = "nix-shell"; }; + environment.shellAliases = { + n = "nix-shell"; + gd = "cd /home/markus/go/src/gitlab.dcso.lolcat"; + gh = "cd /home/markus/go/src/github.com"; + }; environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; }; environment.systemPackages = with pkgs; [ # system helper @@ -62,6 +66,7 @@ copyq dmenu git + tig i3lock keepass networkmanagerapplet @@ -72,6 +77,8 @@ rxvt_unicode # editors emacs + # databases + sqlite # internet thunderbird hipchat @@ -91,6 +98,7 @@ jetbrains.pycharm-professional jetbrains.webstorm jetbrains.goland + jetbrains.datagrip texlive.combined.scheme-full pandoc redis diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix index 171a002da..2dec45795 100644 --- a/jeschli/1systems/brauerei/config.nix +++ b/jeschli/1systems/brauerei/config.nix @@ -96,7 +96,7 @@ # Enable the X11 windowing system. services.xserver.enable = true; - # services.xserver.layout = "us"; + services.xserver.layout = "us"; # services.xserver.xkbOptions = "eurosign:e"; # Enable touchpad support. diff --git a/jeschli/2configs/urxvt.nix b/jeschli/2configs/urxvt.nix index a2e02de35..69811eb0a 100644 --- a/jeschli/2configs/urxvt.nix +++ b/jeschli/2configs/urxvt.nix @@ -28,7 +28,7 @@ with import <stockholm/lib>; URxvt*scrollBar: false URxvt*urgentOnBell: true - URxvt*font: xft:DejaVu Sans Mono:pixelsize=20 + URxvt*font: xft:DejaVu Sans Mono:pixelsize=12 URXvt*faceSize: 12 ''; } diff --git a/jeschli/source.nix b/jeschli/source.nix index d1b64b0ed..ae9e1e72e 100644 --- a/jeschli/source.nix +++ b/jeschli/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "f9390d6"; + ref = "d83c808"; }; secrets.file = getAttr builder { buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>; diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 73b5377bd..98fb88702 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -20,10 +20,5 @@ boot.isContainer = true; networking.useDHCP = false; - krebs.repo-sync.repos.stockholm.timerConfig = { - OnBootSec = "5min"; - OnUnitInactiveSec = "2min"; - RandomizedDelaySec = "2min"; - }; krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm"; } diff --git a/krebs/2configs/buildbot-all.nix b/krebs/2configs/buildbot-all.nix index ca994e996..5ea78f227 100644 --- a/krebs/2configs/buildbot-all.nix +++ b/krebs/2configs/buildbot-all.nix @@ -1,10 +1,6 @@ with import <stockholm/lib>; { lib, config, pkgs, ... }: { - imports = [ - <stockholm/krebs/2configs/repo-sync.nix> - ]; - networking.firewall.allowedTCPPorts = [ 80 8010 9989 ]; krebs.ci.enable = true; krebs.ci.treeStableTimer = 1; diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index 0af553c5d..fba585448 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix @@ -161,7 +161,7 @@ let ExecStartPre = pkgs.writeDash "buildbot-master-init" '' set -efux #remove garbage from old versions - rm -r ${workdir} + rm -rf ${workdir} mkdir -p ${workdir}/info cp ${buildbot-slave-init} ${workdir}/buildbot.tac echo ${contact} > ${workdir}/info/admin diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix index aab568352..1a0999b8d 100644 --- a/krebs/3modules/nin/default.nix +++ b/krebs/3modules/nin/default.nix @@ -32,6 +32,47 @@ with import <stockholm/lib>; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx"; }; + axon= { + cores = 2; + nets = { + retiolum = { + ip4.addr = "10.243.134.66"; + ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379"; + aliases = [ + "axon.retiolum" + "axon.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIECgKCBAEA89h5SLDQL/ENM//3SMzNkVnW4dBdg1GOXs/SdRCTcgygJC0TzsAo + glfQhfS+OhFSC/mXAjP8DnN7Ys6zXzMfJgH7TgVRJ8tCo5ETehICA19hMjMFINLj + KZhhthPuX7u2Jr4uDMQ0eLJnKVHF4PmHnkA+JGcOqO7VSkgcqPvqPMnJFcMkGWvH + L3KAz1KGPHZWrAB2NBDrD/bOZj4L39nS4nJIYVOraP7ze1GTTC7s/0CnZj3qwS5j + VdUYgAR+bdxlWm1B1PPOjkslP6UOklQQK4SjK3ceLYb2yM7BVICeznjWCbkbMACY + PUSvdxyiD7nZcLvuM3cJ1M45zUK+tAHHDB5FFUUAZ+YY/Xml4+JOINekpQdGQqkN + X4VsdRGKpjqi+OXNP4ktDcVkl8uALmNR6TFfAEwQJdjgcMxgJGW9PkqvPl3Mqgoh + m89lHPpO0Cpf40o6lZRG42gH1OR7Iy1M234uA08a3eFf+IQutHaOBt/Oi0YeiaQp + OtJHmWtpsQRz24/m+uroSUtKZ63sESli28G1jP73Qv7CiB8KvSX0Z4zKJOV/CyaT + LLguAyeWdNLtVg4bGRd7VExoWA+Rd9YKHCiE5duhETZk0Hb9WZmgPdM7A0RBb+1H + /F9BPKSZFl2e42VEsy8yNmBqO8lL7DVbAjLhtikTpPLcyjNeqN99a8jFX4c5nhIK + MVsSLKsmNGQq+dylXMbErsGu3P/OuCZ4mRkC32Kp4qwJ+JMrJc8+ZbhKl6Fhwu0w + 7DwwoUaRoMqtr2AwR+X67eJsYiOVo5EkqBo6DrWIM6mO2GrWHg5LTBIShn08q/Nm + ofPK2TmLdfqBycUR0kRCCPVi82f9aElmg3pzzPJnLAn9JLL43q6l+sefvtr9sTs3 + 1co6m8k5mO8zTb8BCmX2nFMkCopuHeF1nQ33y6woq0D8WsXHfHtbPwN9eYRVrbBF + 29YBp5E+Q1pQB+0rJ4A5N1I3VUKhDGKc72pbQc8cYoAbDXA+RKYbsFOra5z585dt + 4HQXpwj3a/JGJYRT6FVbJp4p8PjwAtN9VkpXNl4//3lXQdDD6aQ6ssXaKxVAp2Xj + FjPjx6J6ok4mRvofKNAREt4eZUdDub34bff6G0zI7Vls9t4ul0uHsJ6+ic3CG+Yl + buLfOkDp4hVCAlMPQ2NJfWKSggoVao7OTBPTMB3NiM56YOPptfZgu2ttDRTyuQ7p + hrOwutxoy/abH3hA8bWj1+C23vDtQ2gj0r16SWxpPdb3sselquzKp9NIvtyRVfnG + yYZTWRHg9mahMC2P0/wWAQVjKb0LnTib4lSe21uqFkWzp+3/Uu+hiwP5xGez/NIi + ahyL7t0D9r9y+i1RPjYWypgyR568fiGheQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc"; + }; onondaga = { cores = 1; nets = { @@ -63,6 +104,10 @@ with import <stockholm/lib>; }; users = { nin = { + mail = "nin@axon.retiolum"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon"; + }; + nin_h = { mail = "nin@hiawatha.retiolum"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha"; }; diff --git a/krebs/5pkgs/simple/internetarchive/default.nix b/krebs/5pkgs/simple/internetarchive/default.nix index f5e1bbff3..2f55e6f42 100644 --- a/krebs/5pkgs/simple/internetarchive/default.nix +++ b/krebs/5pkgs/simple/internetarchive/default.nix @@ -1,38 +1,39 @@ -{ pkgs, fetchFromGitHub, ... }: +{ stdenv, pkgs, fetchPypi, ... }: with pkgs.python3Packages; buildPythonPackage rec { pname = "internetarchive"; version = "1.7.3"; name = "${pname}-${version}"; + + src = fetchPypi { + inherit pname version; + sha256 = "0x3saklabdx7qrr11h5bjfd75hfbih7pw5gvl2784zvvvrqrz45g"; + }; + propagatedBuildInputs = [ requests - jsonpatch - docopt - clint - six - schema - backports_csv + jsonpatch + docopt + clint + six + schema + backports_csv ]; -# check only works when cloned from git repo + # check only works when cloned from git repo doCheck = false; + checkInputs = [ pytest - responses + responses ]; prePatch = '' sed -i "s/'schema.*'/'schema>=0.4.0'/" setup.py - ''; - - src = fetchPypi { - inherit pname version; - sha256 = "0x3saklabdx7qrr11h5bjfd75hfbih7pw5gvl2784zvvvrqrz45g"; - }; + ''; meta = with stdenv.lib; { description = "python library and cli for uploading files to internet archive"; license = licenses.agpl3; }; - } diff --git a/krebs/source.nix b/krebs/source.nix index 8fbdce284..b952aa2a2 100644 --- a/krebs/source.nix +++ b/krebs/source.nix @@ -17,6 +17,6 @@ in stockholm.file = toString <stockholm>; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13 + ref = "0b30c1dd4c638e318957fc6a9198cf2429e38cb5"; # nixos-17.09 @ 2018-01-04 }; } diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 6674b3db5..8ec744584 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -41,6 +41,7 @@ with import <stockholm/lib>; skype wine ]; + nixpkgs.config.firefox.enableAdobeFlash = true; services.xserver.enable = true; services.xserver.displayManager.lightdm.enable = true; services.xserver.desktopManager.plasma5.enable = true; diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix index 416edeb82..7993c763e 100644 --- a/lass/1systems/dishfire/config.nix +++ b/lass/1systems/dishfire/config.nix @@ -43,6 +43,7 @@ networking.dhcpcd.allowInterfaces = [ "enp*" "eth*" + "ens*" ]; } { diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index ad133802f..c231a0b10 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -30,6 +30,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/otp-ssh.nix> <stockholm/lass/2configs/c-base.nix> <stockholm/lass/2configs/br.nix> + <stockholm/lass/2configs/ableton.nix> { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ @@ -70,10 +71,6 @@ with import <stockholm/lib>; ]; } { - #ps vita stuff - boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; - } - { services.tor = { enable = true; client.enable = true; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 593a1fc9c..03e9f6eeb 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -184,14 +184,17 @@ in { } { #hotdog + systemd.services."container@hotdog".reloadIfChanged = mkForce false; containers.hotdog = { config = { ... }: { + imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; environment.systemPackages = [ pkgs.git ]; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey ]; }; + autoStart = true; enableTun = true; privateNetwork = true; hostAddress = "10.233.2.1"; @@ -200,8 +203,10 @@ in { } { #kaepsele + systemd.services."container@kaepsele".reloadIfChanged = mkForce false; containers.kaepsele = { config = { ... }: { + imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; environment.systemPackages = [ pkgs.git ]; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [ @@ -209,6 +214,7 @@ in { tv.pubkey ]; }; + autoStart = true; enableTun = true; privateNetwork = true; hostAddress = "10.233.2.3"; @@ -217,8 +223,10 @@ in { } { #onondaga + systemd.services."container@onondaga".reloadIfChanged = mkForce false; containers.onondaga = { config = { ... }: { + imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; environment.systemPackages = [ pkgs.git ]; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ @@ -226,6 +234,7 @@ in { config.krebs.users.nin.pubkey ]; }; + autoStart = true; enableTun = true; privateNetwork = true; hostAddress = "10.233.2.5"; @@ -302,6 +311,13 @@ in { } ]; } + { + krebs.repo-sync.repos.stockholm.timerConfig = { + OnBootSec = "5min"; + OnUnitInactiveSec = "2min"; + RandomizedDelaySec = "2min"; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix index b94cb0634..51512955e 100644 --- a/lass/2configs/IM.nix +++ b/lass/2configs/IM.nix @@ -20,6 +20,17 @@ let ''; in { + services.bitlbee = { + enable = true; + portNumber = 6666; + plugins = [ + pkgs.bitlbee-facebook + pkgs.bitlbee-steam + pkgs.bitlbee-discord + ]; + libpurple_plugins = [ pkgs.telegram-purple ]; + }; + users.extraUsers.chat = { home = "/home/chat"; uid = genid "chat"; @@ -46,6 +57,10 @@ in { restartIfChanged = false; + path = [ + pkgs.rxvt_unicode.terminfo + ]; + serviceConfig = { User = "chat"; RemainAfterExit = true; diff --git a/lass/2configs/ableton.nix b/lass/2configs/ableton.nix new file mode 100644 index 000000000..9d6f481b0 --- /dev/null +++ b/lass/2configs/ableton.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: let + mainUser = config.users.extraUsers.mainUser; +in { + users.users= { + ableton = { + isNormalUser = true; + extraGroups = [ + "audio" + "video" + ]; + packages = [ + pkgs.wine + pkgs.winetricks + ]; + }; + }; + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(ableton) NOPASSWD: ALL + ''; +} diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix index 411b07503..cbcce8df9 100644 --- a/lass/2configs/dns-stuff.nix +++ b/lass/2configs/dns-stuff.nix @@ -11,24 +11,6 @@ with import <stockholm/lib>; key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C"; }; }; - services.dnsmasq = { - enable = true; - resolveLocalQueries = false; - extraConfig = '' - server=127.1.0.1 - #no-resolv - cache-size=1000 - min-cache-ttl=3600 - bind-dynamic - all-servers - dnssec - trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 - rebind-domain-ok=/onion/ - server=/.onion/127.0.0.1#9053 - port=53 - ''; - }; - networking.extraResolvconfConf = '' - name_servers='127.0.0.1' - ''; + services.resolved.enable = true; + services.resolved.fallbackDns = [ "127.1.0.1" ]; } diff --git a/lass/2configs/rebuild-on-boot.nix b/lass/2configs/rebuild-on-boot.nix new file mode 100644 index 000000000..60198be7b --- /dev/null +++ b/lass/2configs/rebuild-on-boot.nix @@ -0,0 +1,18 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; +{ + systemd.services.rebuild-on-boot = { + wantedBy = [ "multi-user.target" ]; + environment = { + NIX_REMOTE = "daemon"; + HOME = "/var/empty"; + }; + serviceConfig = { + ExecStart = pkgs.writeScript "rebuild" '' + #!${pkgs.bash}/bin/bash + (/run/current-system/sw/bin/nixos-rebuild -I /var/src switch) & + ''; + ExecStop = "${pkgs.coreutils}/bin/sleep 10"; + }; + }; +} diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix index 537c8a59b..c3d07d5fe 100644 --- a/lass/2configs/security-workarounds.nix +++ b/lass/2configs/security-workarounds.nix @@ -5,4 +5,6 @@ with import <stockholm/lib>; boot.extraModprobeConfig = '' install dccp /run/current-system/sw/bin/false ''; + + boot.kernelPackages = pkgs.linuxPackages_latest; } diff --git a/lass/source.nix b/lass/source.nix index 473dd2cf2..46c6d31dc 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "3aec59c"; + ref = "d202e30"; }; secrets = getAttr builder { buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>; diff --git a/makefu/1systems/filepimp/config.nix b/makefu/1systems/filepimp/config.nix index e9058ec85..30ba61a9b 100644 --- a/makefu/1systems/filepimp/config.nix +++ b/makefu/1systems/filepimp/config.nix @@ -71,7 +71,10 @@ in { '') allDisks); fileSystems = let xfsmount = name: dev: - { "/media/${name}" = { device = dev; fsType = "xfs"; }; }; + { "/media/${name}" = { + device = dev; fsType = "xfs"; + options = [ "nofail" ]; + }; }; in # (xfsmount "j0" (part1 jDisk0)) // (xfsmount "j1" (part1 jDisk1)) // diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 1fe0b62f9..6e5f3c2d4 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -108,16 +108,35 @@ in { # }; #} { # wireguard server - networking.firewall.allowedUDPPorts = [ 51820 ]; + + # TODO: networking.nat + + # boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + # conf.all.proxy_arp =1 + networking.firewall = { + allowedUDPPorts = [ 51820 ]; + extraCommands = '' + iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE + ''; + }; + networking.wireguard.interfaces.wg0 = { ips = [ "10.244.0.1/24" ]; + listenPort = 51820; privateKeyFile = (toString <secrets>) + "/wireguard.key"; allowedIPsAsRoutes = true; - peers = [{ - # allowedIPs = [ "0.0.0.0/0" "::/0" ]; + peers = [ + { + # x allowedIPs = [ "10.244.0.2/32" ]; publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; - }]; + } + { + # vbob + allowedIPs = [ "10.244.0.3/32" ]; + publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; + } + ]; }; } diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index aaecebadc..ce3ffbcf3 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -143,7 +143,10 @@ in { ]; fileSystems = let cryptMount = name: - { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; + { "/media/${name}" = { + device = "/dev/mapper/${name}"; fsType = "xfs"; + options = [ "nofail" ]; + };}; in cryptMount "crypt0" // cryptMount "crypt1" // cryptMount "crypt2" diff --git a/makefu/1systems/vbob/config.nix b/makefu/1systems/vbob/config.nix index f318c0e61..ffd9deaee 100644 --- a/makefu/1systems/vbob/config.nix +++ b/makefu/1systems/vbob/config.nix @@ -7,7 +7,8 @@ <stockholm/makefu> { imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ]; - boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.device = "/dev/sda"; + virtualisation.virtualbox.guest.enable = true; } # { # imports = [ @@ -49,6 +50,27 @@ # environment <stockholm/makefu/2configs/tinc/retiolum.nix> + (let + gum-ip = config.krebs.hosts.gum.nets.internet.ip4.addr; + gateway = "10.0.2.2"; + in { + # make sure the route to gum gets added after the network is online + systemd.services.wireguard-wg0.after = [ "network-online.target" ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.0.3/24" ]; + privateKeyFile = (toString <secrets>) + "/wireguard.key"; + # explicit route via eth0 to gum + preSetup = ["${pkgs.iproute}/bin/ip route add ${gum-ip} via ${gateway}"]; + peers = [ + { # gum + endpoint = "${gum-ip}:51820"; + allowedIPs = [ "0.0.0.0/0" "10.244.0.0/24" ]; + publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo="; + persistentKeepalive = 25; + } + ]; + }; + }) ]; networking.extraHosts = import (toString <secrets/extra-hosts.nix>); @@ -90,5 +112,5 @@ 8010 ]; - + systemd.services."serial-getty@ttyS0".enable = true; } diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 25f9f63bf..0a89d2023 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -11,6 +11,9 @@ with import <stockholm/lib>; ./vim.nix ./binary-cache/nixos.nix ]; + + boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; + programs.command-not-found.enable = false; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unra |