author | jeschli <jeschli@gmail.com> | 2019-06-25 22:43:02 +0200 |
---|---|---|
committer | jeschli <jeschli@gmail.com> | 2019-06-25 22:43:02 +0200 |
commit | 1cfc265bbfa14b7d9fc6479bcd9cf541e7cdd5eb (patch) | |
tree | 18b95faba964f8072d23afcadcadda4f3eb276af /krebs/3modules | |
parent | 8079877eee34d0a658e8419adfa8987e648388a8 (diff) | |
parent | 1d23dceb5d2c536790a00fcde30743b958f1018f (diff) |
Merge branch 'master' of prism.r:stockholm
Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/exim-retiolum.nix | 92 | ||||
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 6 | ||||
-rw-r--r-- | krebs/3modules/exim.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/external/default.nix | 187 | ||||
-rw-r--r-- | krebs/3modules/external/palo.nix | 6 | ||||
-rw-r--r-- | krebs/3modules/external/ssh/0x4a6f.pub | 1 | ||||
-rw-r--r-- | krebs/3modules/external/tinc/horisa.pub | 8 | ||||
-rw-r--r-- | krebs/3modules/github-hosts-sync.nix | 28 | ||||
-rw-r--r-- | krebs/3modules/github-known-hosts.nix | 10 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 24 | ||||
-rw-r--r-- | krebs/3modules/makefu/wiregrill/gum.pub | 2 | ||||
-rw-r--r-- | krebs/3modules/makefu/wiregrill/rockit.pub | 1 | ||||
-rw-r--r-- | krebs/3modules/syncthing.nix | 99 |
14 files changed, 366 insertions, 101 deletions
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index e08024977..118a8b2d5 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,15 +1,17 @@ -{ config, pkgs, lib, ... }: - with import <stockholm/lib>; -let +{ config, pkgs, lib, ... }: let cfg = config.krebs.exim-retiolum; - out = { - options.krebs.exim-retiolum = api; - config = lib.mkIf cfg.enable imp; - }; + # Due to improvements to the JSON notation, braces around top-level objects + # are not necessary^Wsupported by rspamd's parser when including files: + # https://github.com/rspamd/rspamd/issues/2674 + toMostlyJSON = value: + assert typeOf value == "set"; + (s: substring 1 (stringLength s - 2) s) + (toJSON value); - api = { +in { + options.krebs.exim-retiolum = { enable = mkEnableOption "krebs.exim-retiolum"; local_domains = mkOption { type = with types; listOf hostname; 
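Review bot: The comment above `toMostlyJSON` explains the rspamd quirk with a `^W` joke ("not necessary^Wsupported") that a reader who does not know the readline shorthand will take for a typo; say it plainly, e.g. `# rspamd's include parser rejects braces around a top-level object (rspamd/rspamd#2674), so emit only the object's members without the enclosing {}`. The `assert typeOf value == "set"` line is what makes the `substring 1 (stringLength s - 2)` trick safe — for a list or string the first and last characters are not braces — and that is worth one clause in the same comment so the assert is not removed as noise later.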
@@ -28,22 +30,70 @@ let "*.r" ]; }; + rspamd = { + enable = mkEnableOption "krebs.exim-retiolum.rspamd" // { + default = false; + }; + locals = { + logging = { + level = mkOption { + type = types.enum [ + "error" + "warning" + "notice" + "info" + "debug" + "silent" + ]; + default = "notice"; + }; + }; + options = { + local_networks = mkOption { + type = types.listOf types.cidr; + default = [ + config.krebs.build.host.nets.retiolum.ip4.prefix + config.krebs.build.host.nets.retiolum.ip6.prefix + ]; + }; + }; + }; + }; }; - - imp = { + imports = [ + { + config = lib.mkIf cfg.rspamd.enable { + services.rspamd.enable = true; + services.rspamd.locals = + mapAttrs' + (name: value: nameValuePair "${name}.inc" { + text = toMostlyJSON value; + }) + cfg.rspamd.locals; + users.users.${config.krebs.exim.user.name}.extraGroups = [ + config.services.rspamd.group + ]; + }; + } + ]; + config = lib.mkIf cfg.enable { krebs.exim = { enable = true; config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration assert config.krebs.tinc.retiolum.enable; - '' + /* exim */ '' keep_environment = primary_hostname = ${cfg.primary_hostname} domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} + ${optionalString cfg.rspamd.enable /* exim */ '' + spamd_address = /run/rspamd/rspamd.sock variant=rspamd + ''} + acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data @@ -72,6 +122,24 @@ let acl_check_data: + ${optionalString cfg.rspamd.enable /* exim */ '' + accept condition = ''${if eq{$interface_port}{587}} + + warn remove_header = ${concatStringsSep " : " [ + "x-spam" + "x-spam-report" + "x-spam-score" + ]} + + warn + spam = nobody:true + + warn + condition = ''${if !eq{$spam_action}{no action}} + add_header = X-Spam: Yes + add_header = X-Spam-Report: $spam_report + add_header = X-Spam-Score: $spam_score + ''} accept @@ -118,4 +186,4 @@ let ''; }; }; -in out +} 
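Review bot: In `acl_check_data`, `accept condition = ''${if eq{$interface_port}{587}}` runs before the `warn remove_header` that strips X-Spam, X-Spam-Report and X-Spam-Score, so a message submitted on port 587 skips the scan and keeps whatever X-Spam* headers the submitting client put there; if the intent is to trust submissions, gate on `accept authenticated = *` (or move the port check below the `remove_header` line) so the scanner headers are always locally generated. Note also that with `spam = nobody:true` the condition always succeeds and an rspamd verdict of `reject` only produces `X-Spam: Yes`, so a comment such as `# rspamd verdicts are advisory here: mail is tagged, never rejected or deferred` would stop the next reader from expecting the reject action to take effect. Whether this host listens on 587 at all is outside the hunk, and `acl_check_data` continues past it.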
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 5f93ae937..e988fb563 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -121,7 +121,7 @@ let }; krebs.exim = { enable = true; - config = '' + config = /* exim */ '' keep_environment = primary_hostname = ${cfg.primary_hostname} @@ -233,7 +233,7 @@ let remote_smtp: driver = smtp - ${optionalString (cfg.dkim != []) (indent '' + ${optionalString (cfg.dkim != []) (indent /* exim */ '' dkim_canon = relaxed dkim_domain = $sender_address_domain dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} @@ -262,7 +262,7 @@ let begin rewrite begin authenticators - ${concatStringsSep "\n" (mapAttrsToList (name: text: '' + ${concatStringsSep "\n" (mapAttrsToList (name: text: /* exim */ '' ${name}: ${indent text} '') cfg.authenticators)} diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index cfcbbc438..83d88cb0d 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix @@ -37,7 +37,7 @@ in { }; config = lib.mkIf cfg.enable { environment = { - etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" '' + etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" /* exim */ '' exim_user = ${cfg.user.name} exim_group = ${cfg.group.name} exim_path = /run/wrappers/bin/exim diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 9bfc920a3..1720811d9 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix 
@@ -43,6 +43,31 @@ in {
 };
 };
 };
+ wilde = {
+ owner = config.krebs.users.kmein;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.2.4";
+ aliases = [ "wilde.r" ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
+ g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
+ 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
+ uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
+ a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
+ IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
+ C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
+ sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
+ 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
+ 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
+ lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
+ QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ };
 dpdkm = {
 owner = config.krebs.users.Mic92;
 nets = rec {
@@ -167,6 +192,20 @@ in {
 };
 };
 };
+ horisa = {
+ cores = 2;
+ owner = config.krebs.users.ulrich; # main laptop
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.226.213";
+ ip6.addr = "42:0:e644:9099:4f8:b9aa:3856:4e85";
+ aliases = [
+ "horisa.r"
+ ];
+ tinc.pubkey = tinc-for "horisa";
+ };
+ };
+ };
 idontcare = {
 owner = config.krebs.users.Mic92;
 nets = rec {
@@ -190,6 +229,35 @@ in {
 };
 };
 };
+ inspector = {
+ owner = config.krebs.users.Mic92;
+ nets = rec {
+ internet = {
+ ip4.addr = "141.76.44.154";
+ aliases = [ "inspector.i" ];
+ };
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.29.172";
+ aliases = [ "inspector.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
+ EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
+ 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
+ m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
+ WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
+ eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
+ OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
+ ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
+ B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
+ q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
+ 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
 justraute = {
 owner = config.krebs.users.raute; # laptop
 nets = {
@@ -202,6 +270,30 @@ in {
 };
 };
 };
+ matchbox = {
+ owner = config.krebs.users.Mic92;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.29.176";
+ aliases = [ "matchbox.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
+ VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
+ nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
+ TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
+ TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
+ yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
+ 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
+ Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
+ bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
+ nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
+ /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
 qubasa = {
 owner = config.krebs.users.qubasa;
 nets = {
@@ -227,6 +319,13 @@ in {
 };
 };
 };
+ rilke = {
+ owner = config.krebs.users.kmein;
+ nets.wiregrill = {
+ aliases = [ "rilke.w" ];
+ wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
+ };
+ };
 rock = {
 owner = config.krebs.users.Mic92;
 nets = {
@@ -365,56 +464,53 @@ in { }; }; }; - inspector = { - owner = config.krebs.users.Mic92; - nets = rec { - internet = { - ip4.addr = "141.76.44.154"; - aliases = [ "inspector.i" ]; - }; + uppreisn = { + owner = config.krebs.users.ilmu; + nets = { retiolum = { - via = internet; - ip4.addr = "10.243.29.172"; - aliases = [ "inspector.r" ]; + ip4.addr = "10.243.42.13"; + aliases = [ "ilmu.r" ]; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG - EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ - 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF - m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw - WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd - eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 - OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau - ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x - B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG - q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj - 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== - -----END RSA PUBLIC KEY----- + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAweAz7KtgYVuAfqP7Zoax + BrQ++qig30Aabnou5C62bYIf1Fn8Z9RbDROTmkGeF7No7mZ7wH0hNpRXo1N/sLNt + gr4bX7fXAvQ3NeeoMmM6VcC+pExnE4NMMnu0Dm3Z/WcQkCsJukkcvpC1gWkjPXea + gn3ODl2wbKMiRBhQDA2Ro0zDQ+gAIsgtS9fDA85Rb0AToLwifHHavz81SXF+9piv + qIl3rJZVBo1kOiolv5BCh4/O+R5boiFfPGAiqEcob0cTcmSCXaMqis8UNorlm08j + ytNG7kazeRQb9olJ/ovCA1b+6iAZ4251twuQkHfNdfC3VM32jbGq7skMyhX3qN/b + WoHHeBZR8eH5MpTTIODI+r4cLswAJqlCk816bGMmg6MuZutTlQCRTy1S/wXY/8ei + STAZ1IZH6dnwCJ9HXgMC6hcYuOs/KmvSdaa7F+yTEq83IAASewbRgn/YHsMksftI + d8db17rEOT5uC1jOGKF98d7e30MX5saTJZLB6XmNDsql/lFoooGzTz/L80JUYiJ0 + fQFADznZpA+NE+teOH9aXsucDQkX6BOPSO4XKXV86RIejHUSEx5WdaqGOUfmhFUo + 9hZhr0qiiKNlXlP8noM9n+hPNKNkOlctQcpnatgdU3uQMtITPyKSLMUDoQIJlSgq + 
lak5LCqzwU9qa9EQSU4nLZ0CAwEAAQ== + -----END PUBLIC KEY----- ''; }; }; }; - matchbox = { - owner = config.krebs.users.Mic92; + unnamed = { + owner = config.krebs.users.pie_; nets = { retiolum = { - ip4.addr = "10.243.29.176"; - aliases = [ "matchbox.r" ]; + ip4.addr = "10.243.3.14"; + aliases = [ "unnamed.r" ]; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m - VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w - nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u - TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE - TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1 - yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO - 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4 - Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/ - bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4 - nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR - /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvGXVl+WV/bDxFAnYnAhZ + 2rHCU5dqtBvSg0sywV1j++lEuELBx4Zq14qyjDRGkkIGdgzCZBLK2cCgxPJ3MRFx + ZwiO3jPscTu3I7zju7ULO/LqGQG+Yf86estfGh394zFJ2rnFSwegeMNqCpOaurOH + GuYtNdjkxn/2wj00s+JEJjCNRMg8bkTMT3czuTr2k+6ICI8SgLZMDH7TjRfePHEW + X9/v4O3kMSZccT/wZWmezXuYlO7CJs7f4VV98z+sgubmIZz3uLfQFY8y9gmGp46y + 5n5QyD0iIqkLNGIldNnToVJPToRaW5OdNKtZFayU4pWZ296sEcJI0NWLYqy7yZfD + PG2FlCQmebUxMYk+iK0cYRLFzOgnr14uXihXxhuHYJ8R1VIbWuto1YFGUv5J/Jct + 3vgjwOlHwZKC9FTqnRjgp58QtnKneXGNZ446eKHUCmSRDKl8fc/m9ePHrISnGROY + gXMieAmOZtsQIxwRpBGCLjrr3sx8RRNY8ROycqPaQWp3upp61jAvvQW3SIvkp1+M + jGvfebJOSkEZurwGcWUar9w9t/oDfsV+R9Nm9n2IkdkNlnvXD1rcj7KqbFPtGf1a + MmB3AmwyIVv9Rk1Vpjkz4EtL4kPqiuhPrf1bHQhAdcwqwFGyo8HXsoMedb3Irhwm + OxwCRYLtEweku7HLhUVTnDkCAwEAAQ== + -----END PUBLIC KEY----- + ''; }; }; }; 
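Review bot: The new host is named `uppreisn` but its only alias is `ilmu.r`, the owner's user name, so `uppreisn.r` never resolves and anyone searching the hosts list for the alias will miss the entry; either add `"uppreisn.r"` to `aliases` or note the choice inline, `aliases = [ "ilmu.r" ]; # reachable as ilmu.r by the owner's request`. The same hunk also moves the existing `inspector` and `matchbox` entries to new positions, which mixes a reorder with two new trust anchors for the retiolum mesh; keeping key additions in their own commit makes them reviewable as the access-granting change they are.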
@@ -449,6 +545,9 @@ in {
 mail = "dickbutt@excogitation.de";
 pubkey = ssh-for "exco";
 };
+ ilmu = {
+ mail = "ilmu@rishi.is";
+ };
 jan = {
 mail = "jan.heidbrink@posteo.de";
 };
@@ -473,10 +572,14 @@ in {
 mail = "shackspace.de@myvdr.de";
 pubkey = ssh-for "ulrich";
 };
+ "0x4a6f" = {
+ mail = "0x4a6f@shackspace.de";
+ pubkey = ssh-for "0x4a6f";
+ };
 miaoski = {
 };
 filly = {
 };
+ pie_ = {};
 };
 }
-
diff --git a/krebs/3modules/external/palo.nix b/krebs/3modules/external/palo.nix
index cefac0959..05808714c 100644
--- a/krebs/3modules/external/palo.nix
+++ b/krebs/3modules/external/palo.nix
@@ -34,7 +34,10 @@ in {
 retiolum = {
 ip4.addr = "10.243.23.3";
 tinc.port = 720;
- aliases = [ "kruck.r" ];
+ aliases = [
+ "kruck.r"
+ "video.kruck.r"
+ ];
 tinc.pubkey = tinc-for "palo";
 };
 };
@@ -49,6 +52,7 @@ in {
 tinc.pubkey = tinc-for "palo";
 };
 };
+ syncthing.id = "FLY7DHI-TJLEQBJ-JZNC4YV-NBX53Z2-ZBRWADL-BKSFXYZ-L4FMDVH-MOSEVAQ";
 };
 workhorse = {
 owner = config.krebs.users.palo;
diff --git a/krebs/3modules/external/ssh/0x4a6f.pub b/krebs/3modules/external/ssh/0x4a6f.pub
new file mode 100644
index 000000000..1ea084bad
--- /dev/null
+++ b/krebs/3modules/external/ssh/0x4a6f.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMoQSUz0wcV8tnTKsYO3sO6XG6EHap8R63ihfMHkxPS
diff --git a/krebs/3modules/external/tinc/horisa.pub b/krebs/3modules/external/tinc/horisa.pub
new file mode 100644
index 000000000..06d686ce3
--- /dev/null
+++ b/krebs/3modules/external/tinc/horisa.pub
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1hhBqCku98gimv0yXr6DFwE2HUemigyqX8o7IsPOW5XT/K8o+V40
+Oxk3r0+c7IYREvug/raxoullf5TMJFzTzqzX4njgsiTs25V8D7hVT4jcRKTcXmBn
+XpjtD+tIeDW1E6dIMMDbxKCyfd/qaeg83G7gPobeFYr4JNqQLXrnotlWMO9S13UT
++EgSP2pixv/dGIqX8WRg23YumO8jZKbso/sKKFMIEOJvnh/5EcWb24+q2sDRCitP
+sWJ5j/9M1Naec/Zl27Ac2HyMWRk39F9Oo+iSbc47QvjKTEmn37P4bBg3hY9FSSFo
+M90wG/NRbw1Voz6BgGlwOAoA+Ln0rVKqDQIDAQAB
+-----END RSA PUBLIC KEY-----
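Review bot: `horisa.pub` is a 2048-bit RSA key — the `MIIBCgKCAQEA` PKCS#1 prefix encodes a 256-byte modulus — whereas every other tinc key added in this commit (`MIICCgKCAgEA…` and `MIICIjAN…`) is 4096-bit, so this host joins the mesh with the smallest key in the set. If retiolum has a minimum key size, ask the owner to regenerate with `tincd -K 4096` before merging; if not, record the exception next to the host entry, e.g. `tinc.pubkey = tinc-for "horisa"; # 2048-bit key, owner to rotate`. The ssh key in `0x4a6f.pub` is fine as ed25519, but note that the matching `"0x4a6f"` user entry is what grants it access, so that user block is the line to audit rather than the key file.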
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 3b626dc46..0b7d56098 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -11,17 +11,25 @@ let api = { enable = mkEnableOption "krebs.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; dataDir = mkOption { type = types.str; # TODO path (but not just into store) default = "/var/lib/github-hosts-sync"; }; + srcDir = mkOption { + type = types.str; + default = "${config.krebs.tinc.retiolum.confDir}/hosts"; + }; ssh-identity-file = mkOption { type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; - default = toString <secrets/github-hosts-sync.ssh.id_rsa>; + default = toString <secrets/github-hosts-sync.ssh.id_ed25519>; + }; + url = mkOption { + type = types.str; + default = "git@github.com:krebs/hosts.git"; + }; + workTree = mkOption { + type = types.absolute-pathname; + default = "${cfg.dataDir}/cache"; }; }; @@ -30,13 +38,18 @@ let after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment = { - port = toString cfg.port; + GITHUB_HOST_SYNC_USER_MAIL = user.mail; + GITHUB_HOST_SYNC_USER_NAME = user.name; + GITHUB_HOST_SYNC_SRCDIR = cfg.srcDir; + GITHUB_HOST_SYNC_WORKTREE = cfg.workTree; + GITHUB_HOST_SYNC_URL = cfg.url; }; serviceConfig = { PermissionsStartOnly = "true"; SyslogIdentifier = "github-hosts-sync"; User = user.name; - Restart = "always"; + Type = "oneshot"; + RemainAfterExit = true; ExecStartPre = pkgs.writeDash "github-hosts-sync-init" '' set -euf install -m 0711 -o ${user.name} -d ${cfg.dataDir} @@ -56,6 +69,7 @@ let }; user = rec { + mail = "${name}@${config.krebs.build.host.name}"; name = "github-hosts-sync"; uid = genid_uint31 name; }; diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix index def06f17a..bae8b96bf 100644 --- a/krebs/3modules/github-known-hosts.nix 
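Review bot: Switching the service to `Type = "oneshot"` with `RemainAfterExit = true` and `wantedBy = [ "multi-user.target" ]` means the sync runs exactly once per boot; the old `Restart = "always"` daemon is gone and no `systemd.timers.github-hosts-sync` or path unit watching `cfg.srcDir` is visible in this hunk, so changes to the tinc hosts directory will presumably not be pushed until the next reboot unless something else triggers the unit. The default `ssh-identity-file` also moves from `id_rsa` to `id_ed25519`, which silently requires a new secret on every deploying host; the option deserves a note such as `# default changed to an ed25519 key; the secret must exist before the service runs`. Since `url` defaults to `git@github.com:krebs/hosts.git` and is typed as a plain `types.str`, it is worth stating in its description how the remote's host key is verified (presumably the pinned entry in `github-known-hosts.nix`) so that a future URL change does not lose that check. The `imp` attribute set continues outside the hunk.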
+++ b/krebs/3modules/github-known-hosts.nix
@@ -28,12 +28,22 @@
 "140.82.125.*"
 "140.82.126.*"
 "140.82.127.*"
+ "13.114.40.48"
 "13.229.188.59"
+ "13.234.176.102"
+ "13.234.210.38"
+ "13.236.229.21"
+ "13.237.44.5"
 "13.250.177.223"
+ "15.164.81.167"
 "18.194.104.89"
 "18.195.85.27"
 "35.159.8.160"
+ "52.192.72.89"
+ "52.64.108.95"
+ "52.69.186.44"
 "52.74.223.119"
+ "52.78.231.108"
 ];
 publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
 };
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 41f3852b9..f4c8f5c6a 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -35,6 +35,7 @@ in {
 default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
 cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
 cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
 go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
 io 60 IN NS ions.lassul.us.
 ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index b38c9104f..601762b93 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
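Review bot: The ten new entries extend a hand-maintained list of GitHub IP addresses bound to a single pinned ssh-rsa host key, and nothing in the hunk records where they came from or when; a connection to any GitHub address not in the list fails host-key verification (or falls back to an interactive prompt) rather than degrading silently, so the next stale entry will surface as an opaque push failure. Put the provenance on the list, e.g. `# "git" ranges from https://api.github.com/meta, last refreshed 2019-06`, so whoever hits that failure knows what to regenerate. The pinned key also needs to be refreshed if GitHub ever rotates its RSA host key; if the list above the hunk (presumably `hostNames`) does not already contain `github.com`, adding the hostname would let clients that connect by name keep working through IP churn.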
@@ -143,11 +143,19 @@ in { ci = true; cores = 4; nets = { + lan = { + ip4.addr = "192.168.8.11"; + aliases = [ + "wbob.lan" + "log.wbob.lan" + ]; + }; retiolum = { ip4.addr = "10.243.214.15"; aliases = [ "wbob.r" "hydra.wbob.r" + "log.wbob.r" ]; }; }; @@ -182,6 +190,7 @@ in { wiki.euer IN A ${nets.internet.ip4.addr} wikisearch IN A ${nets.internet.ip4.addr} io IN NS gum.krebsco.de. + mediengewitter IN CNAME over.dose.io. ''; }; cores = 8; @@ -196,13 +205,13 @@ in { }; wiregrill = { via = internet; + ip4.addr = "10.244.245.1"; ip6.addr = w6 "1"; - wireguard = { - subnets = [ - (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR + wireguard.port = 51821; + wireguard.subnets = [ (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR - ]; - }; + "10.244.245.0/24" # required for routing directly to gum via rockit + ]; }; retiolum = { via = internet; @@ -247,7 +256,6 @@ in { cores = 1; extraZones = { "krebsco.de" = '' - mediengewitter IN A ${nets.internet.ip4.addr} flap IN A ${nets.internet.ip4.addr} ''; }; @@ -281,6 +289,10 @@ in { }; }; }; + rockit = rec { # router@home + cores = 1; + nets.wiregrill.ip4.addr = "10.244.245.2"; + }; senderechner = rec { cores = 2; diff --git a/krebs/3modules/makefu/wiregrill/gum.pub b/krebs/3modules/makefu/wiregrill/gum.pub index 4a5f666cc..67d6c7216 100644 --- a/krebs/3modules/makefu/wiregrill/gum.pub +++ b/krebs/3modules/makefu/wiregrill/gum.pub @@ -1 +1 @@ -yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo= +A7UPKSUaCZaJ9hXv6X4jvcZ+5X+PlS1EmCwxlLBAKH0= diff --git a/krebs/3modules/makefu/wiregrill/rockit.pub b/krebs/3modules/makefu/wiregrill/rockit.pub new file mode 100644 index 000000000..6cb0d960d --- /dev/null +++ b/krebs/3modules/makefu/wiregrill/rockit.pub @@ -0,0 +1 @@ +YmvTL4c13WS6f88ZAz2m/2deL2pnPXI0Ay3edCPE1Qc= diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix index 897ba1e7f..939c8fddf 100644 --- a/krebs/3modules/syncthing.nix +++ b/krebs/3modules/syncthing.nix 
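Review bot: `mediengewitter IN CNAME over.dose.io.` delegates a krebsco.de name to a target outside the zone (the old `mediengewitter IN A ${nets.internet.ip4.addr}` record is removed in the `@@ -247,7 +256,6` hunk), so if over.dose.io is not administered by the same people the record becomes a dangling CNAME the moment that name lapses — the standard subdomain-takeover setup. Record the dependency inline, e.g. `mediengewitter IN CNAME over.dose.io. # external host run by <owner>; drop this record if it goes away`. In the same file `gum.pub` is replaced with a new WireGuard key while `rockit` is added with only `nets.wiregrill.ip4.addr` and no `wireguard.pubkey`; presumably the new `wiregrill/rockit.pub` file is picked up by naming convention, which is worth confirming since nothing in the host entry references it. The `hosts` attribute set these entries belong to starts and ends outside the hunks.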
@@ -2,40 +2,69 @@ let - cfg = config.krebs.syncthing; + kcfg = config.krebs.syncthing; + scfg = config.services.syncthing; devices = mapAttrsToList (name: peer: { name = name; deviceID = peer.id; addresses = peer.addresses; - }) cfg.peers; + }) kcfg.peers; folders = mapAttrsToList ( _: folder: { inherit (folder) path id type; - devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers; + devices = map (peer: { deviceId = kcfg.peers.${peer}.id; }) folder.peers; rescanIntervalS = folder.rescanInterval; fsWatcherEnabled = folder.watch; fsWatcherDelayS = folder.watchDelay; + ignoreDelete = folder.ignoreDelete; ignorePerms = folder.ignorePerms; - }) cfg.folders; + }) kcfg.folders; getApiKey = pkgs.writeDash "getAPIKey" '' ${pkgs.libxml2}/bin/xmllint \ --xpath 'string(configuration/gui/apikey)'\ - ${config.services.syncthing.dataDir}/config.xml + ${scfg.configDir}/config.xml ''; updateConfig = pkgs.writeDash "merge-syncthing-config" '' set -efu + + # XXX this assumes the GUI address to be "IPv4 address and port" + host=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 0)} + port=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 1)} + # wait for service to restart - ${pkgs.untilport}/bin/untilport localhost 8384 + ${pkgs.untilport}/bin/untilport "$host" "$port" + API_KEY=$(${getApiKey}) - CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config) - echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] * { - "devices": ${builtins.toJSON devices}, - "folders": ${builtins.toJSON folders} - }' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @- - ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST + + _curl() { + ${pkgs.curl}/bin/curl \ + -Ss \ + -H "X-API-Key: $API_KEY" \ + "http://$host:$port/rest""$@" + } + + old_config=$(_curl /system/config) + new_config=${shell.escape (toJSON { + inherit devices folders; + })} + new_config=$(${pkgs.jq}/bin/jq 
-en \ + --argjson old_config "$old_config" \ + --argjson new_config "$new_config" \ + ' + $old_config * $new_config + ${optionalString (!kcfg.overridePeers) '' + * { devices: $old_config.devices } + ''} + ${optionalString (!kcfg.overrideFolders) '' + * { folders: $old_config.folders } + ''} + ' + ) + echo $new_config | _curl /system/config -d @- + _curl /system/restart -X POST ''; in @@ -45,11 +74,6 @@ in enable = mkEnableOption "syncthing-init"; - id = mkOption { - type = types.str; - default = config.krebs.build.host.name; - }; - cert = mkOption { type = types.nullOr types.absolute-pathname; default = null; @@ -60,6 +84,13 @@ in default = null; }; + overridePeers = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the peers which are not configured via the peers option + ''; + }; peers = mkOption { default = {}; type = types.attrsOf (types.submodule ({ @@ -80,6 +111,13 @@ in })); }; + overrideFolders = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the folders which are not configured via the peers option + ''; + }; folders = mkOption { default = {}; type = types.attrsOf (types.submodule ({ config, ... }: { @@ -120,6 +158,11 @@ in default = 10; }; + ignoreDelete = mkOption { + type = types.bool; + default = false; + }; + ignorePerms = mkOption { type = types.bool; default = true; 
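Review bot: The `$old_config * $new_config` merge in `updateConfig` does not do what the `overridePeers`/`overrideFolders` options describe: jq's `*` merges objects recursively but replaces arrays wholesale, so the trailing `* { devices: $old_config.devices }` restores the entire old device list and, with `overridePeers = false`, the peers declared in `kcfg.peers` are never added at all (likewise for folders). The arrays have to be merged explicitly, with the declared entry winning on an ID collision. One line later, `echo $new_config` is unquoted under `set -efu`, so a folder path containing `*` or `?` is glob-expanded against the working directory before it reaches curl; use `printf '%s\n' "$new_config"`. The `host`/`port` split inherits the IPv4-only limitation the XXX comment already notes, and if `guiAddress` is ever bound to a non-loopback address the API key in `X-API-Key` travels over plain HTTP, which deserves a sentence in that comment too.

```nix
# … unchanged: untilport wait, API_KEY, _curl, old_config / new_config setup …
new_config=$(${pkgs.jq}/bin/jq -en \
  --argjson old_config "$old_config" \
  --argjson new_config "$new_config" \
  '
    $old_config * $new_config
    ${optionalString (!kcfg.overridePeers) ''
      * { devices: ($new_config.devices + $old_config.devices | unique_by(.deviceID)) }
    ''}
    ${optionalString (!kcfg.overrideFolders) ''
      * { folders: ($new_config.folders + $old_config.folders | unique_by(.id)) }
    ''}
  '
)
printf '%s\n' "$new_config" | _curl /system/config -d @-
# … unchanged: restart call …
```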
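Review bot: The description of the new `overrideFolders` option is copy-pasted from `overridePeers` and still says "not configured via the peers option"; it should read `Whether to delete the folders which are not configured via the folders option`. Both descriptions would also benefit from stating the default (`true`) behaviour in words — everything not declared here is removed from the running Syncthing config on every start of the init service — since that is the surprising case for someone who has added a device through the GUI.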
@@ -130,19 +173,19 @@ in }; }; - config = (mkIf cfg.enable) { + config = mkIf kcfg.enable { - systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) { + systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) { preStart = '' - ${optionalString (cfg.cert != null) '' - cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem - chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem - chmod 400 ${config.services.syncthing.dataDir}/cert.pem + ${optionalString (kcfg.cert != null) '' + cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem + chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem + chmod 400 ${scfg.configDir}/cert.pem ''} - ${optionalString (cfg.key != null) '' - cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem - chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/key.pem - chmod 400 ${config.services.syncthing.dataDir}/key.pem + ${optionalString (kcfg.key != null) '' + cp ${toString kcfg.key} ${scfg.configDir}/key.pem + chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem + chmod 400 ${scfg.configDir}/key.pem ''} ''; }; @@ -152,7 +195,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { - User = config.services.syncthing.user; + User = scfg.user; RemainAfterExit = true; Type = "oneshot"; ExecStart = updateConfig; |
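Review bot: In `preStart` the `cp` / `chown` / `chmod 400` sequence creates `cert.pem` and `key.pem` under the default umask and only tightens them afterwards, leaving a short window in which the TLS private key can be readable by other users of `${scfg.configDir}`; a single `install -m 0400 -o ${scfg.user} -g ${scfg.group} ${toString kcfg.key} ${scfg.configDir}/key.pem` (and the same for the cert) sets owner and mode at creation time and replaces all three lines. The commit only renames `cfg`/`dataDir` to `kcfg`/`configDir` here, so this is pre-existing, but it is the right moment to fix it. The enclosing `config = mkIf kcfg.enable { … }` attribute set continues past the end of the hunk.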