diff options
author | tv <tv@krebsco.de> | 2016-03-16 00:13:58 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-03-16 00:13:58 +0100 |
commit | 2452d211737e0544e9cc92ae44da69940632a750 (patch) | |
tree | ecb0e2d9932805a6b40be7e09ab5206201e7aba7 /krebs/3modules | |
parent | 13df24f8f09469c32077ded463d99033042e25ee (diff) | |
parent | 03a72ef958055c958992c4fbde618c1e68bfff6e (diff) |
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/makefu/default.nix | 295 | ||||
-rw-r--r-- | krebs/3modules/nginx.nix | 29 | ||||
-rw-r--r-- | krebs/3modules/retiolum.nix | 2 |
3 files changed, 283 insertions, 43 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 1fcf07b1e..d6ae9f12f 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -23,7 +23,30 @@ with config.krebs.lib; TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB -----END RSA PUBLIC KEY----- - ''; + ''; + }; + }; + }; + darth = { + cores = 4; + nets = { + retiolum = { + addrs4 = ["10.243.0.84"]; + addrs6 = ["42:ff6b:5f0b:460d:2cee:4d05:73f7:5566/128"]; + aliases = [ + "darth.retiolum" + "darth.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA1pWNU+FY9XpQxw6srUb5mvGFgqSyJQAelFoufZng6EFeTnAzQOdq + qT7IWN+o3kSbQQsC2tQUnRYFoPagsgFP610D+LGwmeJlNgAf23gBI9ar1agUAvYX + yzYBj7R9OgGXHm6ECKwsxUJoGxM4L0l6mk/rTMVFnzgYPbpVJk1o6NPmiZhW8xIi + 3BfxJUSt8rEQ1OudCirvdSr9uYv/WMR5B538wg4JeQK715yKEYbYi8bqOPnTvGD8 + q5HRwXszWzCYYnqrdlmXzoCA1fT4vQdtov+63CvHT2RV7o42ruGZbHy7JIX9X3IE + u0nA8nZhZ5byhWGCpDyr6bTkvwJpltJypQIDAQAB + -----END RSA PUBLIC KEY----- + ''; }; }; }; @@ -62,6 +85,7 @@ with config.krebs.lib; addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"]; aliases = [ "pornocauster.retiolum" + "pornocauster.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -110,41 +134,6 @@ with config.krebs.lib; ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPLTMl+thSq77cjYa2XF7lz5fA7JMftrLo8Dy/OBXSg root@nixos"; }; - flap = rec { - cores = 1; - - extraZones = { - "krebsco.de" = '' - mediengewitter IN A ${head nets.internet.addrs4} - flap IN A ${head nets.internet.addrs4} - ''; - }; - nets = { - internet = { - addrs4 = ["162.248.11.162"]; - aliases = [ - "flap.internet" - ]; - }; - retiolum = { - addrs4 = ["10.243.211.172"]; - addrs6 = ["42:472a:3d01:bbe4:4425:567e:592b:065d"]; - aliases = [ - "flap.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwtLD+sgTQGO+eh2Ipq2r54J1I0byvfkaTBeBwhtUmWst+lUQUoGy - 2fGReRYsb4ThDLeyK439jZuQBeXSc5r2g0IHBJCSWj3pVxc1HRTa8LASY7QuprQM - 8rSQa2XUtx/KpfM2eVX0yIvLuPTxBoOf/AwklIf+NmL7WCfN7sfZssoakD5a1LGn - 3EtZ2M/4GyoXJy34+B8v7LugeClnW3WDqUBZnNfUnsNWvoldMucxsl4fAhvEehrL - hGgQMjHFOdKaLyatZOx6Pq4jAna+kiJoq3mVDsB4rcjLuz8XkAUZmVpe5fXAG4hr - Ig8l/SI6ilu0zCWNSJ/v3wUzksm0P9AJkwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; pigstarter = rec { cores = 1; @@ -336,6 +325,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB addrs4 = ["10.243.0.211"]; addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"]; aliases = [ + "gum.r" "gum.retiolum" "cgit.gum.retiolum" ]; @@ -354,6 +344,239 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum"; }; + + # non-stockholm + + flap = rec { + cores = 1; + extraZones = { + "krebsco.de" = '' + mediengewitter IN A ${head nets.internet.addrs4} + flap IN A ${head nets.internet.addrs4} + ''; + }; + nets = { + internet = { + addrs4 = ["162.248.11.162"]; + aliases = [ + "flap.internet" + ]; + }; + retiolum = { + addrs4 = ["10.243.211.172"]; + addrs6 = ["42:472a:3d01:bbe4:4425:567e:592b:065d"]; + aliases = [ + "flap.retiolum" + "flap.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwtLD+sgTQGO+eh2Ipq2r54J1I0byvfkaTBeBwhtUmWst+lUQUoGy + 2fGReRYsb4ThDLeyK439jZuQBeXSc5r2g0IHBJCSWj3pVxc1HRTa8LASY7QuprQM + 8rSQa2XUtx/KpfM2eVX0yIvLuPTxBoOf/AwklIf+NmL7WCfN7sfZssoakD5a1LGn + 3EtZ2M/4GyoXJy34+B8v7LugeClnW3WDqUBZnNfUnsNWvoldMucxsl4fAhvEehrL + hGgQMjHFOdKaLyatZOx6Pq4jAna+kiJoq3mVDsB4rcjLuz8XkAUZmVpe5fXAG4hr + Ig8l/SI6ilu0zCWNSJ/v3wUzksm0P9AJkwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + nukular = rec { + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.231.219"]; + addrs6 = ["42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72/128"]; + aliases = [ + "nukular.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAnt/d9Ys9gmQMGEPzPydAs0Etp9aPb5PreogzVilvazFCZ8HiQHl/ + gRGlNBImcPPAPGgLjQ49TZ6V1s0bX0GMlu9gJxqU7Nz/TPbAaDJSmEDPkXnaMC97 + gLoluwJHURKPP6+0VNQuK/IOjjDLzLjRDiVeIg6NR0nFAQPlxUhrCN/PhxqNV5WP + H1nR+a4UDoLcKbtgQP+4Eu09iEm+H6o5eCFTX2Ov9Ok2m948Jm0rAqUbPAISf9m4 + tOOhhUhn0xvQy5iNHI72ndLvogQ968rnFwBpZM7HF1FsiaQfOF9Nhf11rHCJod3P + meq9GsIUyppZmEKecnTtVfG1oUHMbt1GxQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + heidi = rec { + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.124.21"]; + addrs6 = ["42:9898:a8be:ce56:0ee3:b99c:42c5:109e"]; + aliases = [ + "heidi.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAqRLnAJNZ1OoO1bTS58DQgxi1VKgITHIuTW0fVGDvbXnsjPUB3cgx + 1GEVtLc0LN6R9wrPKDaqHS6mkiRSDVScaW/FqkdFhTDaBJy8LfomL9ZmkU9DzkvQ + jncDjr0WoR+49rJHYsUULp1fe98Ev+y3VwVdJOOH92pAj1CAAUdtfG7XcGyHznYY + ZNLriGZe3l1AwsWMEflzHLeXcKQ/ZPOrjZ4EFVvfGfdQdJ24UUF3r4sBypYnasmA + q8lCw9rCrFh1OS6mHLC9qsvGfal6X4x2/xKc5VxZD4MQ/Bp7pBi1kwfHpKoREFKo + w/Jr3oG/uDxMGIzphGX185ObIkZ1wl/9DwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + soundflower = rec { + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.69.184"]; + aliases = [ + "soundflower.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA0a0oenAy9MDa2M6NoLtB8elduGgc3oLtUwsm3iUu6w8L+Je5TndN + H8dPn3sByUk1Jkd8tGGRk/vSFj/mtUn7xXKCnFXfKDqVowu/0KS3Q+6o4mcoATeb + Ax7e6Cz1YH5+qhQjR7apuase9X9Dzp56//5VW2gaScvWevvzrij2x7eNvJRF+W/l + FDXc8zBPkFW5TLFHOizRoLl4mK1hz2NrUiqcq5Ghs2yPsFxl/o5+e2MOwtdI49T6 + lMkeshAeNOSMKYfP9nmHZoKI/MIpGak0EF3ZQtLvyv+tM2Q0nuwH3RvxlK/Xf6U+ + 8SoQu4yRIeK+pMiLEHhFPzBpk+sblUlG7QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + falk = rec { + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.120.19"]; + aliases = [ + "falk.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA961eCQE562VPYjuZtd0+FNRfUghvD2ccjUlihMjzg46GAK+duqK+ + 4peWklGOL4eRYQBg6G2VDzWiU2MxXVbXUZaMrxh7fTc3G3LdbqTxzAv3GQKR/6iA + 9bGUf6u4ztVNAcj2mrY3mfs4gMlBQyQ2wcM0ZUpiAMaRB4cdq7I4GVHbYTFYfQuI + 2zdnr0w8AjlMpFFcD0ExsWeppiJsE7iiME/S2VVfh2NrEpAKQbLH9fKrfkiJA/+9 + 0VIH9wLLIYngUtQKbvEQ5xgx6ybrg0vO8ZqZ1ZGXYxOQZzWzPP0tvDU0QHSKYSWb + FjcOf1lWSWjsjHxMl/Gh57hjNJFCbs8yjQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + filebitch = rec { + cores = 4; + nets = { + retiolum = { + addrs4 = ["10.243.189.130"]; + addrs6 = ["42:c64e:011f:9755:31e1:c3e6:73c0:af2d"]; + aliases = [ + "filebitch.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA961eCQE562VPYjuZtd0+FNRfUghvD2ccjUlihMjzg46GAK+duqK+ + 4peWklGOL4eRYQBg6G2VDzWiU2MxXVbXUZaMrxh7fTc3G3LdbqTxzAv3GQKR/6iA + 9bGUf6u4ztVNAcj2mrY3mfs4gMlBQyQ2wcM0ZUpiAMaRB4cdq7I4GVHbYTFYfQuI + 2zdnr0w8AjlMpFFcD0ExsWeppiJsE7iiME/S2VVfh2NrEpAKQbLH9fKrfkiJA/+9 + 0VIH9wLLIYngUtQKbvEQ5xgx6ybrg0vO8ZqZ1ZGXYxOQZzWzPP0tvDU0QHSKYSWb + FjcOf1lWSWjsjHxMl/Gh57hjNJFCbs8yjQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + bridge = rec { + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.26.29"]; + addrs6 = ["42:927a:3d59:1cb3:29d6:1a08:78d3:812e"]; + aliases = [ + "excobridge.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEApeeMSYMuXg4o/fNHnG2ftp2WskZLrt63zhRag7U1HqYUnuPqY60d + VVy9MBTawm6N02nC2Svm3V07ZXaRp/XsXQLx+evZcDjPjnDYgl2ZGX0ir5Cn50bm + UzhJiMW6/J7AYvucgeAaVJ0YmIwRw6ndYGcxmXWi4TK0jSzhuSLgookWM6iJfbdB + oaYsjiXisEvNxt7rBlCfacaHMlPhz3gr1gc4IDCwF+RAMM29NUN3OinI+/f56d7b + /hLZWbimiwtvGVsGLiA2EIcfxQ7aD/LINu+XXMaq7f8QByXj/Lzi7456tDi3pdJg + lyg9yqRJYt4Zle5PVejn08qiofTUmlEhnwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + tahoe = rec { + cores = 1; + nets = { + internet = { + addrs4 = ["148.251.47.69"]; + aliases = [ + "wooki.internet" + ]; + }; + retiolum = { + addrs4 = ["10.243.57.85"]; + addrs6 = ["42:2f06:b899:a3b5:1dcf:51a4:a02b:8731"]; + aliases = [ + "wooki.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAx6R+CuJu4Bql+DgGPpE7wI+iasRY6ltxW0/L04uW9XiOKiEjx66y + QMMaW18bcb0SOfTE8qYo8pOsZ5E9FFPY6cKH4DGi8g1FpaODle9V8RrVg3F7RuZ8 + dXDXeZxvYvJ2LwPBvlr1aisqJqgxAwF2ipPPX97rAYbp46a/vkgU5bPF1OFlTDaH + 9jjThuidiEwY4EMtJGKisnTGx8yS5iQibDMqzrcRpCxCLcl68FgFNKCTtSIj1mo6 + hgO1ZKmHw73ysmrL2tImmalHYcqDJnq/KInG2ZkCZI/2ZqfJyrRSTk86t5ubfD6p + egC5N0Y5dQHJd66AytNwXxymiAcWuYth9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + + muhbaasu = rec { + cores = 1; + nets = { + internet = { + addrs4 = ["217.160.206.154"]; + aliases = [ + "muhbaasu.internet" + ]; + }; + retiolum = { + addrs4 = ["10.243.139.184"]; + addrs6 = ["42:d568:6106:ba30:753b:0f2a:8225:b1fb"]; + aliases = [ + "muhbaasu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA0f4C4xKXpnyV1ig03O2Kef8ag+/5WGkW90uxEBb/h5NY9barex+Z + KqVbkPdHhwoCIINuCVcOnJXzeo0FZtSEq3zVhscVm0PVdNfjct8a9KMsK0iUmuul + 5WD9Glh5/1wkEmbRfVxDErhssz1b8YmFOAGQn+ujO/Znn3BLv36uKQvpqU2y5bzb + +rVnq3eE1bCSeuj41bgEve8+vxpforjLO6gbE91mwp3Ol6nkkp6CjpG+aFTuLCAj + YR0MIl2gGwskOGSI38QxlLouOlIGwus5f+KfC94ZP0pMwu5pT45UOUkVnlBXuZ9E + igNHG2Vtm76nB3yYHndOvuDTOufatX61dQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; users = rec { makefu = { diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 2aa023443..8d0704e8c 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -12,6 +12,20 @@ let api = { enable = mkEnableOption "krebs.nginx"; + default404 = mkOption { + type = types.bool; + default = true; + description = '' + By default all requests not directed to an explicit hostname are + replied with a 404 error to avoid accidental exposition of nginx + services. + + Set this value to `false` to disable this behavior - you will then be + able to configure a new `default_server` in the listen address entries + again. + ''; + }; + servers = mkOption { type = types.attrsOf (types.submodule { options = { @@ -20,6 +34,7 @@ let # TODO use identity default = [ "${config.networking.hostName}" + "${config.networking.hostName}.r" "${config.networking.hostName}.retiolum" ]; }; @@ -53,17 +68,19 @@ let sendfile on; keepalive_timeout 65; gzip on; - server { - listen 80 default_server; - server_name _; - return 404; - } + + ${optionalString cfg.default404 '' + server { + listen 80 default_server; + server_name _; + return 404; + }''} + ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} ''; }; }; - indent = replaceChars ["\n"] ["\n "]; to-location = { name, value }: '' diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index d0162eae9..61b4473e1 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -114,7 +114,7 @@ let connectTo = mkOption { type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "gum" ]; + default = [ "fastpoke" "cd" "prism" "gum" ]; description = '' The list of hosts in the network which the client will try to connect to. These hosts should have an 'Address' configured which points to a |