author | makefu <github@syntax-fehler.de> | 2020-09-16 21:55:09 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2020-09-16 21:55:09 +0200 |
commit | c64fb07027b49a3825b6f0814ebeb17782b8266a (patch) | |
tree | e1b4681fd93a4d3257b556dd8d579464d653ef77 | |
parent | 1394ae1bd4bc3dcfb77b0daee996e75f8092fc5b (diff) | |
parent | 88a9183d1d36424977b0cd8ed513109433b779b2 (diff) |
Merge remote-tracking branch 'lass/master'
36 files changed, 550 insertions, 144 deletions
diff --git a/krebs/0tests/data/secrets/gollum.id_ed25519 b/krebs/0tests/data/secrets/gollum.id_ed25519 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/krebs/0tests/data/secrets/gollum.id_ed25519 diff --git a/krebs/0tests/data/secrets/shack/telegram_bot.env b/krebs/0tests/data/secrets/shack/telegram_bot.env new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/krebs/0tests/data/secrets/shack/telegram_bot.env diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 8b30dfef9..08a3392bd 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -85,7 +85,7 @@ ''; users.users.joerg = { - openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ]; + openssh.authorizedKeys.keys = [ config.krebs.users.mic92.pubkey ]; isNormalUser = true; shell = "/run/current-system/sw/bin/zsh"; }; diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix index f4c1290c2..c39b08a8e 100644 --- a/krebs/2configs/go.nix +++ b/krebs/2configs/go.nix @@ -13,7 +13,7 @@ with import <stockholm/lib>; enable = true; virtualHosts.go = { locations."/".extraConfig = '' - proxy_set_header Host go; + proxy_set_header Host go.r; proxy_pass http://localhost:1337; ''; serverAliases = [ diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 72eff176b..061dc9ab9 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -76,7 +76,7 @@ let }; } { - pattern = ''^([\w-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$''; + pattern = ''^([\H-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$''; activate = "match"; arguments = [1 2 3]; command = { diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index 2350e711e..e4f05a6e6 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix 
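Review bot: The karma pattern's first group in reaktor2.nix now reads `[\H-]*`, and if reaktor2 compiles this as a Ruby/Onigmo regex, `\H` means "non-hexadecimal-digit character", not "non-horizontal-whitespace" as in PCRE, so a nick containing a, b, c, d, e, f or a digit would stop the group early and the following `\s+` would fail to match at all. If the intent was "anything but whitespace", `\S` says so unambiguously: `pattern = ''^([\S-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';` (the `-` becomes redundant but harmless). Worth a quick check against a nick such as `lass` before relying on it. The hook definition this pattern belongs to continues outside the hunk.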
@@ -1,9 +1,41 @@
-{ config, ... }:
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ setupGit = ''
+ export PATH=${makeBinPath [ pkgs.git ]}
+ export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
+ repo='git@localhost:wiki'
+ cd ${config.krebs.gollum.stateDir}
+ if ! url=$(git config remote.origin.url); then
+ git remote add origin "$repo"
+ elif test "$url" != "$repo"; then
+ git remote set-url origin "$repo"
+ fi
+ '';
+
+ pushGollum = pkgs.writeDash "push_gollum" ''
+ ${setupGit}
+ git fetch origin
+ git merge --ff-only origin/master
+ '';
+
+ pushCgit = pkgs.writeDash "push_cgit" ''
+ ${setupGit}
+ git push origin master
+ '';
+
+in {
- services.gollum = {
+ krebs.gollum = {
 enable = true;
+ extraConfig = ''
+ Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
+ system('${pushCgit}')
+ end
+ '';
 };
+ networking.firewall.allowedTCPPorts = [ 80 ];
 services.nginx = {
 enable = true;
@@ -16,4 +48,51 @@
 '';
 };
 };
+
+ krebs.git = {
+ enable = true;
+ cgit.settings = {
+ root-title = "krebs repos";
+ };
+ rules = with git; [
+ {
+ user = [
+ {
+ name = "gollum";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXbjDnQWg8EECsNRZZWezocMIiuENhCSQFcFUXcsOQ6";
+ }
+ ] ++ (attrValues config.krebs.users);
+ repo = [ config.krebs.git.repos.wiki ];
+ perm = push ''refs/heads/master'' [ create merge ];
+ }
+ ];
+ repos.wiki = {
+ public = true;
+ name = "wiki";
+ hooks = {
+ post-receive = ''
+ ${pkgs.git-hooks.irc-announce {
+ channel = "#xxx";
+ refs = [
+ "refs/heads/master"
+ ];
+ nick = config.networking.hostName;
+ server = "irc.r";
+ verbose = true;
+ }}
+ /run/wrappers/bin/sudo -S -u gollum ${pushGollum}
+ '';
+ };
+ };
+ };
+
+ krebs.secret.files.gollum = {
+ path = "${config.krebs.gollum.stateDir}/.ssh/id_ed25519";
+ owner = { name = "gollum"; };
+ source-path = "${<secrets/gollum.id_ed25519>}";
+ };
+
+ security.sudo.extraConfig = ''
+ git ALL=(gollum) NOPASSWD: ${pushGollum}
+ '';
 }
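Review bot: The `post_commit` hook in `extraConfig` calls `system('${pushCgit}')` and discards its result, so a failing push — for example because the gollum user has no `known_hosts` entry for `localhost` (the `GIT_SSH_COMMAND` only passes `-i`) or because cgit's master is no longer a fast-forward of the web edit — leaves the wiki and the cgit repo silently diverged. I would surface it with `system('${pushCgit}') or warn "push to cgit failed: #{$?}"`, and open `setupGit` with `set -efu` unless `writeDash` already does so, so that a failed `cd` cannot run the git commands in whatever directory the hook happens to be in. In the `post-receive` hook, `sudo -S` tells sudo to read a password from the hook's stdin, which is where git delivers the ref updates; with the `NOPASSWD` rule it is dead weight and should be plain `/run/wrappers/bin/sudo -u gollum ${pushGollum}`. `channel = "#xxx"` in the irc-announce looks like a placeholder left from copying. Keep in mind that this key hands anyone who can reach port 80 push access to `refs/heads/master` of the wiki repo, which is acceptable for a public wiki only as long as the rule stays scoped to that single repo as it is here.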
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index f3180722d..bd6bab376 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -27,6 +27,7 @@ let ./github-known-hosts.nix ./git.nix ./go.nix + ./gollum.nix ./hidden-ssh.nix ./hosts.nix ./htgen.nix @@ -108,7 +109,6 @@ let { krebs.dns.providers = { "krebsco.de" = "zones"; - gg23 = "hosts"; shack = "hosts"; i = "hosts"; r = "hosts"; @@ -152,9 +152,11 @@ let let longs = net.aliases; shorts = - map (removeSuffix ".${cfg.dns.search-domain}") - (filter (hasSuffix ".${cfg.dns.search-domain}") - longs); + optionals + (cfg.dns.search-domain != null) + (map (removeSuffix ".${cfg.dns.search-domain}") + (filter (hasSuffix ".${cfg.dns.search-domain}") + longs)); add-port = a: if net.ssh.port != 22 then "[${a}]:${toString net.ssh.port}" @@ -177,7 +179,8 @@ let (concatMap (host: attrValues host.nets) (mapAttrsToList (_: host: recursiveUpdate host - (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) { + (optionalAttrs (cfg.dns.search-domain != null && + hasAttr cfg.dns.search-domain host.nets) { nets."" = host.nets.${cfg.dns.search-domain} // { aliases = [host.name]; addrs = []; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix index b7e2a2cbb..8acc4ccd8 100644 --- a/krebs/3modules/dns.nix +++ b/krebs/3modules/dns.nix @@ -6,7 +6,7 @@ with import <stockholm/lib>; }; krebs.dns.search-domain = mkOption { - type = types.hostname; + type = types.nullOr types.hostname; }; }; } diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 082dfd80f..e1667cb68 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -465,9 +465,9 @@ in { mail = "kieran.meinhardt@gmail.com"; pubkey = ssh-for "kmein"; }; - Mic92 = { + mic92 = { mail = "joerg@thalheim.io"; - pubkey = ssh-for "Mic92"; + pubkey = ssh-for "mic92"; }; qubasa = { mail = "luis.nixos@gmail.com"; 
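Review bot: `krebs.dns.search-domain` in dns.nix becomes `types.nullOr types.hostname` but gains no `default`, so the `!= null` guards added in default.nix and hosts.nix are only reachable for a host that explicitly sets the option to `null`; a host that leaves it unset still fails evaluation with a missing-value error exactly as before. If the intent is "no search domain unless configured", add `default = null;` next to the type, and a `description` while there, so the guards actually carry their weight. This holds unless lass/master assigns the option somewhere outside this diff, which I cannot see from here.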
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index b8aaf9900..5a766664f 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -11,7 +11,7 @@ with import <stockholm/lib>; in { hosts = mapAttrs hostDefaults { amy = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { ip4.addr = "129.215.165.57"; @@ -44,7 +44,7 @@ in { }; }; clara = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { ip4.addr = "129.215.165.58"; @@ -77,7 +77,7 @@ in { }; }; dimitrios = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = { retiolum = { ip4.addr = "10.243.29.183"; @@ -98,7 +98,7 @@ in { }; }; donna = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { ip4.addr = "129.215.165.54"; @@ -132,7 +132,7 @@ in { }; }; dpdkm = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { retiolum = { ip4.addr = "10.243.29.173"; @@ -156,7 +156,7 @@ in { }; }; herbert = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { retiolum = { addrs = [ @@ -179,7 +179,7 @@ in { }; }; inspector = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { ip4.addr = "141.76.44.154"; @@ -208,7 +208,7 @@ in { }; }; eddie = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { # eddie.thalheim.io @@ -242,7 +242,7 @@ in { }; }; eve = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { # eve.thalheim.io 
@@ -273,13 +273,17 @@ in { Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ== -----END RSA PUBLIC KEY----- ''; - # ohorn lan - tinc.subnets = [ "fd42:4492:6a6d:500:8526:2adf:7451:8bbb" ]; + tinc.subnets = [ + # ohorn lan + "fd42:4492:6a6d:500:8526:2adf:7451:8bbb" + # docker network + "42:0000:002b:1605:3::/80" + ]; }; }; }; martha = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { ip4.addr = "129.215.165.53"; @@ -313,7 +317,7 @@ in { }; }; matchbox = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = { retiolum = { ip4.addr = "10.243.29.176"; 
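Review bot: `tinc.subnets` for this host now additionally announces `42:0000:002b:1605:3::/80`, commented as a docker network, to every retiolum peer, so containers on that bridge become reachable from the whole VPN rather than only from the host itself; if any of those containers run unauthenticated services this is a noticeably wider exposure than the single address announced before. Worth confirming that the host filters inbound traffic to that prefix, or stating the intent in the comment, e.g. `# docker network, intentionally reachable from all of retiolum`. The enclosing hosts attribute set starts and ends outside the hunk.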
@@ -339,31 +343,32 @@ in { }; }; rock = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = { retiolum = { ip4.addr = "10.243.29.171"; aliases = [ "rock.r" ]; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM - DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7 - HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh - mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf - Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M - Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD - 91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4 - fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv - 3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav - ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q - cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ== - -----END RSA PUBLIC KEY----- + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0uhNk3XXVxQcIVhD1Ime + 9PY3QBIcXvwDlOrd3oUwyWTvZpUeO7yzIXdouAe4s0ohPIVq7Cmruj4ZrOGUCKyB + oJpOziYSbL/IiCpXyOzWMLEwu0AoeFfbxig+5oZfwQ9epM2j902CgsUipJBLIg48 + BC9oOD+/iYEwsFPqQ/S0kETyQK5Ad+qv0lbU6/Kmify8Qplvpv/8DRdjsdLki1fU + a6MAEw12OtHe6IWtlitPjFMBykTP6kkSp/eg0G2KZFVuEulwHGf9QT/eT4fZTMCC + 2V5Vp4rIr/hawmj+h4NIxniBSQcPAAIGNwZVC4uYYV1nd4iaI/T04rDJwte5WKHf + EVxtlYt9RU1I/XdNRSj9gYyneVcVlDVos8Z93oUv1hIGZYFtNmGVna6lggOBPf/t + BZ1MT6FKA4QX9JI8bQoNs18s8ffzyb07psNbH6YhpCygnhf9C7NR/CeI8BtpzJza + 1Qk731Z6bk6xRFKMuY2tRKlNCqPHULj44oTHB3Ki2B/bMlkguqSChfFzKIRASYO1 + SASSgddexjkjKLslxcLWhIqYrZhuhYlFyoeoMI3qQsey/4X5PUmQDxxhTT80+qvE + thBNPg46joyLTq9E9ddf7t/0C6oD2DXY88N9bkztuK5dtYHmjajUbePuaTJtrKhI + 7MnLboZCEiSyvkVTTx0Yjf0CAwEAAQ== + -----END PUBLIC KEY----- ''; }; }; }; rose = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = rec { internet = { ip4.addr = "129.215.165.52"; 
@@ -397,7 +402,7 @@ in { }; }; turingmachine = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = { retiolum = { ip4.addr = "10.243.29.168"; @@ -425,7 +430,7 @@ in { }; }; harsha = { - owner = config.krebs.users.Mic92; + owner = config.krebs.users.mic92; nets = { retiolum = { ip4.addr = "10.243.29.184"; 
@@ -446,22 +451,36 @@ in { }; }; eva = { - owner = config.krebs.users.Mic92; - nets = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # eva.thalheim.io + ip4.addr = "52.59.172.193"; + ip6.addr = "2a05:d014:301:a601:ef0e:5434:d814:b8ed"; + aliases = [ "eva.i" ]; + }; retiolum = { + via = internet; ip4.addr = "10.243.29.185"; aliases = [ "eva.r" + "prometheus.r" ]; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv - 3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC - pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r - NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44 - 9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd - WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB - -----END RSA PUBLIC KEY----- + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyHptaExEcSUjEJ+RH33h + uRK0Ttq8mJLDosWFYcoQkcL9S54aO9kF1gRJAKPBHoOt/IGeOxg2LNYWK6UjWfUy + LB9c42EQ1wWZ2jSJ0LJgYzjR9cp3dlo9aHSa//O6p6eLpXRo9QLf8+aIWhNW5+BG + sLIMR5b6Ngc2l8xQS+wvMmvTWJt3LyfQ6AKiKwCjeyrUFiuw0VWSn1I6n7H+CZBZ + f/UvSxLucy1e0rvbHoTITOflIAfA84iCHsHsZjVqrx1iyOMdPtY2sBPmWhtVemDo + duwzUpIuaJnWS7JOB4jsYWm672/KfzK7yAivqxD19OwqfZ3nNQ7sEDb3p4udw2Lf + 0dqHwZ5Hoj21vs3XiXX/SHcSf5QLzpj1MWBkV3r1D8I8v3P5qUbLunCofp3d9GxE + N0gK06gqbLNonJvC/WD7lxeY32Rh1wYXbzbD/X6aWe/oD8WMIl312hH4cHQHOnVT + t76NISlYTPxwX5mfFsBm8t0GjnnWY2jLwaefk7N/CwoDaKhkhmw1oeAZMuRcDRvE + 0ecpO4CZ6CcYERLxoYHgEAj3cMkSrQ8dT6XS4b9EO4hW4zCQ3RK9xDz71+uaihuB + 6uuTTsn7s0PYBJDNdccOf1Qt8fqPPgzqUKqeUciHojYDDPTC5KQh5m2PBv4I4iIR + LnKOqNUX7UCqbdaE/tfFRG0CAwEAAQ== + -----END PUBLIC KEY----- ''; }; }; diff --git a/krebs/3modules/external/ssh/Mic92.pub b/krebs/3modules/external/ssh/mic92.pub index 600709c78..600709c78 100644 --- a/krebs/3modules/external/ssh/Mic92.pub +++ b/krebs/3modules/external/ssh/mic92.pub 
diff --git a/krebs/3modules/gollum.nix b/krebs/3modules/gollum.nix new file mode 100644 index 000000000..4b4e04d16 --- /dev/null +++ b/krebs/3modules/gollum.nix 
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.krebs.gollum;
+in
+
+{
+ options.krebs.gollum = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable the Gollum service.";
+ };
+
+ address = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "IP address on which the web server will listen.";
+ };
+
+ port = mkOption {
+ type = types.int;
+ default = 4567;
+ description = "Port on which the web server will run.";
+ };
+
+ extraConfig = mkOption {
+ type = types.lines;
+ default = "";
+ description = "Content of the configuration file";
+ };
+
+ mathjax = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable support for math rendering using MathJax";
+ };
+
+ allowUploads = mkOption {
+ type = types.nullOr (types.enum [ "dir" "page" ]);
+ default = null;
+ description = "Enable uploads of external files";
+ };
+
+ emoji = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Parse and interpret emoji tags";
+ };
+
+ branch = mkOption {
+ type = types.str;
+ default = "master";
+ example = "develop";
+ description = "Git branch to serve";
+ };
+
+ stateDir = mkOption {
+ type = types.path;
+ default = "/var/lib/gollum";
+ description = "Specifies the path of the repository directory. 
If it does not exist, Gollum will create it on startup.";
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ users.users.gollum = {
+ group = config.users.users.gollum.name;
+ description = "Gollum user";
+ home = cfg.stateDir;
+ createHome = false;
+ isSystemUser = true;
+ };
+
+ users.groups.gollum = { };
+
+ systemd.tmpfiles.rules = [
+ "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
+ ];
+
+ systemd.services.gollum = {
+ description = "Gollum wiki";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.git ];
+
+ preStart = ''
+ # This is safe to be run on an existing repo
+ git init ${cfg.stateDir}
+ '';
+
+ serviceConfig = {
+ User = config.users.users.gollum.name;
+ Group = config.users.groups.gollum.name;
+ ExecStart = ''
+ ${pkgs.gollum}/bin/gollum \
+ --port ${toString cfg.port} \
+ --host ${cfg.address} \
+ --config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \
+ --ref ${cfg.branch} \
+ ${optionalString cfg.mathjax "--mathjax"} \
+ ${optionalString cfg.emoji "--emoji"} \
+ ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \
+ ${cfg.stateDir}
+ '';
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index 7fe01a769..ae0136303 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -24,7 +24,11 @@ in {
 aliases = longs ++ shorts;
 longs = filter check net.aliases;
 shorts = let s = ".${config.krebs.dns.search-domain}"; in
- map (removeSuffix s) (filter (hasSuffix s) longs);
+ optionals
+ (config.krebs.dns.search-domain != null)
+ (map (removeSuffix s)
+ (filter (hasSuffix s)
+ longs));
 in map (addr: { ${addr} = aliases; }) net.addrs) (attrValues host.nets))
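Review bot: `address` defaults to `"0.0.0.0"`, so the Ruby web process, which accepts edits from anyone who can reach it, listens on every interface on 4567 even though the only consumer in this merge is an nginx reverse proxy on the same host; `default = "127.0.0.1";` is the safer default and matches how wiki.nix uses the module (the NixOS firewall keeps the port closed today, but any later `allowedTCPPorts` change would expose gollum directly and unauthenticated). `ExecStart` also interpolates `cfg.address`, `cfg.branch` and `cfg.stateDir` unquoted into the shell command line; with `lib` in scope, `--host ${escapeShellArg cfg.address}` and the same treatment for `--ref` and the trailing state directory keeps a value containing spaces or shell metacharacters from breaking the invocation. The unit carries no sandboxing at all; `NoNewPrivileges = true; PrivateTmp = true; ProtectSystem = "strict"; ReadWritePaths = [ cfg.stateDir ];` in `serviceConfig` would confine a compromised gollum to its state directory, provided the hooks a consumer registers via `extraConfig` only write below `stateDir`.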
@@ -44,7 +48,9 @@ in { hostNetAliases = host: mapAttrs (_: net: filter (x: x.name != null && x.value != []) [ { name = net.ip4.addr or null; value = net.aliases; } + { name = net.ip4.addr or null; value = (map (alias: "4.${alias}") net.aliases); } { name = net.ip6.addr or null; value = net.aliases; } + { name = net.ip6.addr or null; value = (map (alias: "6.${alias}") net.aliases); } ]) host.nets; # netAliases : { ${netname} : [addrAliases] } diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix index fe293810c..ca81e2ea5 100644 --- a/krebs/3modules/permown.nix +++ b/krebs/3modules/permown.nix @@ -18,6 +18,15 @@ with import <stockholm/lib>; default = null; type = types.nullOr types.groupname; }; + keepGoing = mkOption { + default = false; + type = types.bool; + description = '' + Whether to keep going when chowning or chmodding fails. + If set to false, then errors will cause the service to restart + instead. + ''; + }; owner = mkOption { type = types.username; }; @@ -43,7 +52,12 @@ with import <stockholm/lib>; ''; in concatMapStrings mkdir plans; - systemd.services = genAttrs' plans (plan: { + systemd.services = genAttrs' plans (plan: let + continuable = command: + if plan.keepGoing + then /* sh */ "{ ${command}; } || :" + else command; + in { name = "permown.${replaceStrings ["/"] ["_"] plan.path}"; value = { environment = { @@ -82,9 +96,9 @@ with import <stockholm/lib>; cleanup exec "$0" "$@" fi - chown -h "$OWNER_GROUP" "$path" + ${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''} if test -f "$path"; then - chmod "$FILE_MODE" "$path" + ${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''} fi done < "$paths" ''; diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index bf2c62cc9..67454d1f7 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix 
@@ -22,7 +22,7 @@ in { wantedBy = ["multi-user.target"]; serviceConfig = { Type = "oneshot"; - ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ${shell.escape file.service}"; }; }) cfg.files diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 1fca7de5c..0f5e1aa83 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -29,6 +29,9 @@ let Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} + ${optionalString (tinc.config.privkey_ed25519 != null) + "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}" + } PrivateKeyFile = ${tinc.config.privkey.path} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} @@ -165,6 +168,17 @@ let }; }; + privkey_ed25519 = mkOption { + type = types.nullOr types.secret-file; + default = + if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else { + name = "${tinc.config.netname}.ed25519_key.priv"; + path = "${tinc.config.user.home}/tinc.ed25519_key.priv"; + owner = tinc.config.user; + source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; + }; + }; + connectTo = mkOption { type = types.listOf types.str; ${if tinc.config.netname == "retiolum" then "default" else null} = [ 
@@ -198,8 +212,23 @@ let # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, # avoid conflicts in environment if the packages differ - krebs.secret.files = mapAttrs' (netname: cfg: - nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; + krebs.secret.files = + let + ed25519_keys = + filterAttrs + (_: key: key != null) + (mapAttrs' + (netname: cfg: + nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519 + ) + config.krebs.tinc); + + rsa_keys = + mapAttrs' + (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey) + config.krebs.tinc; + in + ed25519_keys // rsa_keys; users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { @@ -221,11 +250,15 @@ let in { description = "Tinc daemon for ${netname}"; after = [ - config.krebs.secret.files."${netname}.rsa_key.priv".service "network.target" + config.krebs.secret.files."${netname}.rsa_key.priv".service |