summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
authorjeschli <jeschli@gmail.com>2018-12-04 19:27:27 +0100
committerjeschli <jeschli@gmail.com>2018-12-04 19:27:27 +0100
commit5030b74cc5c578bb82619a24592504a6008f1a10 (patch)
tree0551e3ddb94353b7438bec02174bf3379bc89b87 /krebs
parent78b289201987675844aa37abeb4279eb4051ebe0 (diff)
parent82988de84c177c247ebbe80940c4d50b9f073b4e (diff)
Merge branch 'master' of prism.r:stockholm
Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/hotdog/config.nix1
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix33
-rw-r--r--krebs/2configs/ircd.nix2
-rw-r--r--krebs/3modules/airdcpp.nix2
-rw-r--r--krebs/3modules/buildbot/master.nix2
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/cachecache.nix171
-rw-r--r--krebs/3modules/charybdis.nix110
-rw-r--r--krebs/3modules/ci.nix36
-rw-r--r--krebs/3modules/default.nix4
-rw-r--r--krebs/3modules/fetchWallpaper.nix9
-rw-r--r--krebs/3modules/github-hosts-sync.nix2
-rw-r--r--krebs/3modules/lass/default.nix80
-rw-r--r--krebs/3modules/makefu/default.nix99
-rw-r--r--krebs/3modules/nin/default.nix111
-rw-r--r--krebs/3modules/realwallpaper.nix185
-rw-r--r--krebs/3modules/tinc.nix6
-rw-r--r--krebs/3modules/urlwatch.nix2
-rw-r--r--krebs/5pkgs/haskell/default.nix9
-rw-r--r--krebs/5pkgs/haskell/xmonad-stockholm.nix13
-rw-r--r--krebs/5pkgs/simple/default.nix8
-rw-r--r--krebs/5pkgs/simple/ejabberd/default.nix122
-rw-r--r--krebs/5pkgs/simple/ejabberd/ejabberdctl.patch32
-rw-r--r--krebs/5pkgs/simple/realwallpaper/default.nix24
-rw-r--r--krebs/default.nix16
-rw-r--r--krebs/krops.nix44
-rw-r--r--krebs/nixpkgs.json6
27 files changed, 660 insertions, 471 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 0a848426c..cf72e0d73 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -10,7 +10,6 @@
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/buildbot-stockholm.nix>
- <stockholm/krebs/2configs/gitlab-runner-shackspace.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor-retiolum.nix>
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
new file mode 100644
index 000000000..056667d8c
--- /dev/null
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -0,0 +1,33 @@
+{lib, ... }:
+with lib;
+let
+ domain = "cache.nsupdate.info";
+in {
+ # This only works for a single domain for nsupdate.info as multiple usernames
+ # and passwords are required for multiple domains
+ services.ddclient = {
+ enable = true;
+ server = "ipv4.nsupdate.info";
+ username = domain;
+ password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+ domains = [ domain ];
+ use= "if, if=et0";
+ # use = "web, web=http://ipv4.nsupdate.info/myip";
+
+ };
+ krebs.cachecache = {
+ enable = true;
+ enableSSL = false; # disable letsencrypt for testing
+ cacheDir = "/var/cache/nix-cache-cache";
+ maxSize = "10g";
+
+ # assumes that the domain is reachable from the internet
+ virtualHost = domain;
+ };
+
+ boot.kernelModules = [ "tcp_bbr" ];
+
+ boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+ boot.kernel.sysctl."net.core.default_qdisc" = "fq";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 962dbf49c..65972aacc 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -5,7 +5,7 @@
6667 6669
];
- services.charybdis = {
+ krebs.charybdis = {
enable = true;
motd = ''
hello
diff --git a/krebs/3modules/airdcpp.nix b/krebs/3modules/airdcpp.nix
index 1633840f7..56fb31795 100644
--- a/krebs/3modules/airdcpp.nix
+++ b/krebs/3modules/airdcpp.nix
@@ -243,7 +243,7 @@ let
in {
systemd.services.airdcpp = {
description = "airdcpp webui";
- after = [ "network.target" ];
+ after = [ "network.target" "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
serviceConfig = {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 209dbe980..8995753ac 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -362,7 +362,7 @@ let
# normally we should write buildbot.tac by our own
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..c15169fba 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -166,7 +166,7 @@ let
echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
new file mode 100644
index 000000000..989320480
--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+ cfg = config.krebs.cachecache;
+
+ nginxCfg = config.services.nginx;
+
+ cacheFallbackConfig = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+ proxy_http_version 1.1;
+
+ # Remove the Connection header if the client sends it, it could
+ # be "close" to close a keepalive connection
+ proxy_set_header Connection "";
+
+ # Needed for CloudFront.
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $proxy_host;
+ proxy_cache nix_cache_cache;
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 1m;
+
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+ '';
+ };
+
+in
+
+{
+ options = {
+ krebs.cachecache = {
+ enable = mkEnableOption "Nix binary cache cache";
+
+ virtualHost = mkOption {
+ type = types.str;
+ default = "nix-cache";
+ description = ''
+ Name of the nginx virtualhost to use and setup. If null, do
+ not setup any virtualhost.
+ '';
+ };
+ enableSSL = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ enable SSL via letsencrypt. Requires working dns resolution and open
+ internet tls port.
+ '';
+ };
+
+ # webRoot = mkOption {
+ # type = types.str;
+ # default = "/";
+ # description = ''
+ # Directory on virtual host that serves the cache. Must end in
+ # <literal>/</literal>.
+ # '';
+ # };
+
+ resolver = mkOption {
+ type = types.str;
+ description = "Address of DNS resolver.";
+ default = "8.8.8.8 ipv6=off";
+ example = "127.0.0.1 ipv6=off";
+ };
+
+ cacheDir = mkOption {
+ type = types.str;
+ default = "/var/cache/nix-cache-cache";
+ description = ''
+ Where nginx should store cached data.
+ '';
+ };
+
+ maxSize = mkOption {
+ type = types.str;
+ default = "50g";
+ description = "Maximum cache size.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+ systemd.services.nginx.preStart = ''
+ mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chown ${nginxCfg.user}:${nginxCfg.group} \
+ ${cfg.cacheDir} /srv/www/nix-cache-cache
+ '';
+
+ services.nginx = {
+ enable = true;
+
+ appendHttpConfig = ''
+ proxy_cache_path ${cfg.cacheDir}
+ levels=1:2
+ keys_zone=nix_cache_cache:100m
+ max_size=${cfg.maxSize}
+ inactive=365d
+ use_temp_path=off;
+
+ # Cache only success status codes; in particular we don't want
+ # to cache 404s. See https://serverfault.com/a/690258/128321.
+ map $status $nix_cache_cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ '';
+
+ virtualHosts.${cfg.virtualHost} = {
+ addSSL = cfg.enableSSL;
+ enableACME = cfg.enableSSL;
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ #
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ #
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver ${cfg.resolver} valid=10s;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+
+ locations."/" =
+ {
+ root = "/srv/www/nix-cache-cache";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+
+ # Ask the upstream server if a file isn't available
+ # locally.
+ error_page 404 = @fallback;
+
+ # Don't bother logging the above 404.
+ log_not_found off;
+ '';
+ };
+
+ locations."@fallback" = cacheFallbackConfig;
+
+ # We always want to copy cache.nixos.org's nix-cache-info
+ # file, and ignore our own, because `nix-push` by default
+ # generates one without `Priority` field, and thus that file
+ # by default has priority 50 (compared to cache.nixos.org's
+ # `Priority: 40`), which will make download clients prefer
+ # `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = cacheFallbackConfig;
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/charybdis.nix b/krebs/3modules/charybdis.nix
new file mode 100644
index 000000000..f4a7c1313
--- /dev/null
+++ b/krebs/3modules/charybdis.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkEnableOption mkIf mkOption singleton types;
+ inherit (pkgs) coreutils charybdis;
+ cfg = config.krebs.charybdis;
+
+ configFile = pkgs.writeText "charybdis.conf" ''
+ ${cfg.config}
+ '';
+in
+
+{
+
+ ###### interface
+
+ options = {
+
+ krebs.charybdis = {
+
+ enable = mkEnableOption "Charybdis IRC daemon";
+
+ config = mkOption {
+ type = types.string;
+ description = ''
+ Charybdis IRC daemon configuration file.
+ '';
+ };
+
+ statedir = mkOption {
+ type = types.string;
+ default = "/var/lib/charybdis";
+ description = ''
+ Location of the state directory of charybdis.
+ '';
+ };
+
+ user = mkOption {
+ type = types.string;
+ default = "ircd";
+ description = ''
+ Charybdis IRC daemon user.
+ '';
+ };
+
+ group = mkOption {
+ type = types.string;
+ default = "ircd";
+ description = ''
+ Charybdis IRC daemon group.
+ '';
+ };
+
+ motd = mkOption {
+ type = types.nullOr types.lines;
+ default = null;
+ description = ''
+ Charybdis MOTD text.
+
+ Charybdis will read its MOTD from /etc/charybdis/ircd.motd .
+ If set, the value of this option will be written to this path.
+ '';
+ };
+
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = mkIf cfg.enable (lib.mkMerge [
+ {
+ users.users = singleton {
+ name = cfg.user;
+ description = "Charybdis IRC daemon user";
+ uid = config.ids.uids.ircd;
+ group = cfg.group;
+ };
+
+ users.groups = singleton {
+ name = cfg.group;
+ gid = config.ids.gids.ircd;
+ };
+
+ systemd.services.charybdis = {
+ description = "Charybdis IRC daemon";
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ BANDB_DBPATH = "${cfg.statedir}/ban.db";
+ };
+ serviceConfig = {
+ ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}";
+ Group = cfg.group;
+ User = cfg.user;
+ PermissionsStartOnly = true; # preStart needs to run with root permissions
+ };
+ preStart = ''
+ ${coreutils}/bin/mkdir -p ${cfg.statedir}
+ ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
+ '';
+ };
+
+ }
+
+ (mkIf (cfg.motd != null) {
+ environment.etc."charybdis/ircd.motd".text = cfg.motd;
+ })
+ ]);
+}
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 16c6d4315..a47dbe611 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -26,10 +26,19 @@ let
hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" ''
- nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
- nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
+ set -efu
+ ${pkgs.nix}/bin/nix-build --no-out-link --quiet -Q ./ci.nix >&2
+ json="$(${pkgs.nix}/bin/nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
+ echo "$json" | ${pkgs.jq}/bin/jq -r 'to_entries[] | [.key, .value] | @tsv' \
+ | while read -r host builder; do
+ gcroot=${shell.escape profileRoot}/$host-builder
+ ${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
+ done
+ echo "$json"
'';
+ profileRoot = "/nix/var/nix/profiles/ci";
+
imp = {
krebs.buildbot.master = {
slaves = {
@@ -98,9 +107,16 @@ let
self.addBuildSteps([steps.ShellCommand(
name=str(new_step),
command=[
- new_steps[new_step]
+ "${pkgs.writeDash "build-stepper.sh" ''
+ set -efu
+ profile=${shell.escape profileRoot}/$build_name
+ result=$("$build_script")
+ ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+ ''}"
],
env={
+ "build_name": new_step,
+ "build_script": new_steps[new_step],
"NIX_REMOTE": "daemon",
"NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
},
@@ -163,6 +179,20 @@ let
password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate gnutar lzma gzip ];
};
+
+ system.activationScripts.buildbots-nix-profile = ''
+ ${pkgs.coreutils}/bin/mkdir -p ${shell.escape profileRoot}
+ ${pkgs.coreutils}/bin/chmod 0770 ${shell.escape profileRoot}
+ ${pkgs.coreutils}/bin/chgrp buildbots ${shell.escape profileRoot}
+ '';
+
+ users = {
+ groups.buildbots.gid = genid "buildbots";
+ users = {
+ buildbotMaster.extraGroups = [ "buildbots" ];
+ buildbotSlave.extraGroups = [ "buildbots" ];
+ };
+ };
};
in out
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 6307649e3..24cbd9cc9 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -14,6 +14,8 @@ let
./buildbot/master.nix
./buildbot/slave.nix
./build.nix
+ ./cachecache.nix
+ ./charybdis.nix
./ci.nix
./current.nix
./exim.nix
@@ -111,7 +113,6 @@ let
{ krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; }
- { krebs = import ./nin { inherit config; }; }
{ krebs = import ./tv { inherit config; }; }
{
krebs.dns.providers = {
@@ -201,6 +202,7 @@ let
"cfp@eloop.org" = eloop-ml;
"kontakt@eloop.org" = eloop-ml;
"root@eloop.org" = eloop-ml;
+ "youtube@eloop.org" = eloop-ml;
"eloop2016@krebsco.de" = eloop-ml;
"eloop2017@krebsco.de" = eloop-ml;
"postmaster@krebsco.de" = spam-ml; # RFC 822
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index f67188122..5a5065565 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -38,11 +38,6 @@ let
'';
default = {};
};
- maxTime = mkOption {
- type = types.int;
- default = 0;
- description = "Time to wait before download is aborted";
- };
};
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
@@ -51,8 +46,8 @@ let
mkdir -p ${cfg.stateDir}
chmod o+rx ${cfg.stateDir}
cd ${cfg.stateDir}
- (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
- feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
+ feh --no-fehbg --bg-scale wallpaper
'';
imp = {
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index e6db3aa42..3b626dc46 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -57,7 +57,7 @@ let
user = rec {
name = "github-hosts-sync";
- uid = genid name;
+ uid = genid_uint31 name;
};
# TODO move to lib?
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 9b9f052a5..12345a20a 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -15,8 +15,9 @@ with import <stockholm/lib>;
cores = 4;
extraZones = {
"krebsco.de" = ''
- prism IN A ${nets.internet.ip4.addr}
+ cache IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr}
+ prism IN A ${nets.internet.ip4.addr}
'';
"lassul.us" = ''
$TTL 3600
@@ -27,12 +28,13 @@ with import <stockholm/lib>;
60 IN TXT v=spf1 mx a:lassul.us -all
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
+ cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
- paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
@@ -642,47 +644,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
};
- cabal = {
- cores = 2;
- nets = rec {
- retiolum = {
- ip4.addr = "10.243.1.4";
- ip6.addr = "42::1:4";
- aliases = [
- "cabal.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIECgKCBAEAukXm8xPpC6/F+wssYqQbqt1QDwsPrF3TJ9ToLFcN1WgDlhDhjM3A
- SuRDMNjRT1fvVTuXyplH5g16eokW/yLOpNnznMS3/VR372pLPEOqfuRf7wAy18jj
- rZkW3EO7nyZ8KMb+SXA8Q0KIpHY50Ezh+tqGoTZDICwoK6N5dKLgAZShS55JXwwK
- qRG3vyzV3mDjgVyT0FNfyL1/BN1qvJ+tQQ40lEbkcQauMunMzNbH058kAd6H2/0e
- LK4JkxI9XpZHE6Pf1epXyClHW7vT7APFRp9gL9tZS/XMC18+aEMFfQrNW9jb3FIq
- rU5MfJ7aubboe7dT6CRaRSWpduiKLVzY/JCoGvUziyvmR7qHsQWTEjtNuQX9joc3
- 6iq1o+gmLV0G8Xwq8cEcg5USlLxNsGBQPwYnTG6iTPPHqOv7BKucekE/opnVZseE
- fSNCGl1+tGwa3soSMI97LkpQTZxdeqf+jWZve0RbSa2Ihyod91ldFCqi1+PZx68v
- yBI0PJamlt+dBx6WQKbPngWYeD8hXo7tg0XVRVa3ZQyX+Mq6uCCb2GM8ewMUPl+A
- kcY1osFt6+sdkFGdiv3FMyijAiZumPoPprXC/4SGIsMnkoI4JfSAbTpHi2QuesqR
- KMeairdB7XGUYlMvWpDLKN2dbMdRc+l3kDUKT7hALjKeyWS/27WYeK/STxvZXEXi
- TZGHopvOFv6wcrb6nI49vIJo5mDLFamAPN3ZjeR20wP95UP7cUUSaTYX49M4lX6U
- oL5BaFrcLn2PTvS84pUxcXKAp70FgTpvGJbaWwETgDjW+H+qlGmI/BTejpL7flVs
- TOtaP/uCMxhVZSFv9bzo0ih10o+4gtU8lqxfJsVxlf2K7LVZ++LQba/u+XxRY+xw
- 3IFBfg34tnO6zYlV8XgAiJ6IUOHUZANsuBD4iMoFSVOig6t5eIOkgXR6GEkP8FBD
- rkroRMmxcu4lTCOzWIuAVOxCd4XXguoGQ4HAzpGd5ccdcb8Ev4RYEvNJY7B5tIQZ
- 4J0F9ECzJuSu1HvWTL+T6a36d2MDTkXU2IJ2tSHciXqiP+QMMF7p9Ux0tiAq4mtf
- luA94uKWg3cSyTyEM/jF66CgO6Ts3AivNE0MRNupV6AbUdr+TjzotGn9rxi168py
- w/49OVbpR9EIGC2wxx7qcSEk5chFOcgvNQMRqgIx51bbOL7JYb0f4XuA38GUqLkG
- 09PXmPeyqGzR9HsV2XZDprZdD3Dy4ojdexw0+YILg9bHaAxLHYs6WFZvzfaLLsf1
- K2I39vvrEEOy8tHi4jvMk7oVX6RWG+DOZMeXTvyUCaBHyYkA0eDlC6NeKOHxnW/g
- ZtN1W93UdklEqc5okM0/ZIke1HDRt3ZLdQIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- secure = true;
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
- };
red = {
monitoring = false;
cores = 1;
@@ -714,6 +675,36 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
};
+ yellow = {
+ cores = 1;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.14";
+ ip6.addr = "42:0:0:0:0:0:0:14";
+ aliases = [
+ "yellow.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
+ MkYiW7KflcTWQrl/4jJ7DVFbrtS6BSSI0wIibW5ygtLrp2nYgWv1jhg7K9q8tWMY
+ b6tDv/ze02ywCwStbjytW3ymSZUJlRkK2DQ4Ld7JEyKmLQIjxXYah+2P3QeUxLfU
+ Uwk6vSRuTlcb94rLFOrCUDRy1cZC73ZmtdbEP2UZz3ey6beo3l/K5O4OOz+lNXgd
+ OXPls4CeNm6NYhSGTBomS/zZBzGqb+4sOtLSPraNQuc75ZVpT8nFa/7tLVytWCOP
+ vWglPTJOyQSygSoVwGU9I8pq8xF1aTE72hLGHprIJAGgQE9rmS9/3mbiGLVZpny6
+ C6Q9t6vkYBRb+jg3WozIXdUvPP19qTEFaeb08kAuf1xhjZhirfDQjI7K6SFaDOUp
+ Y/ZmCrCuaevifaXYza/lM+4qhPXmh82WD5ONOhX0Di98HBtij2lybIRUG/io4DAU
+ 52rrNAhRvMkUTBRlGG6LPC4q6khjuYgo9uley5BbyWWbCB1A9DUfbc6KfLUuxSwg
+ zLybZs/SHgXw+pJSXNgFJTYGv1i/1YQdpnbTgW4QsEp05gb+gA9/6+IjSIJdJE3p
+ DSZGcJz3gNSR1vETk8I2sSC/N8wlYXYV7wxQvSlQsehfEPrFtXM65k3RWzAAbNIJ
+ Akz4E3+xLVIMqKmHaGWi0usCAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
+ };
blue = {
cores = 1;
nets = {
@@ -787,9 +778,6 @@ with import <stockholm/lib>;
mail = "lass@daedalus.r";
pubkey = builtins.readFile ./ssh/daedalus.rsa;
};
- fritz = {
- pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
- };
prism-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhpCKTnSq6VDJPB+0NiHu2ZxSKEIxHN6uPAPnbXYNCe";
mail = "lass@prism.r";
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index e2152ea1a..188fbc461 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -60,7 +60,7 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGaV5Ga5R8RTrA+nclxw6uy5Z+hPBLitQTfuXdsmbVW6 crapi";
};
drop = rec {
- ci = true;
+ ci = false;
cores = 1;
nets = {
retiolum = {
@@ -83,7 +83,7 @@ in {
};
};
studio = rec {
- ci = true;
+ ci = false;
cores = 4;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqBR5gjJkR1TEIs2yx6JRoIOA7+/LJA6kjju8yCauFa studio";
@@ -109,7 +109,7 @@ in {
};
fileleech = rec {
- ci = true;
+ ci = false;
cores = 4;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech";
@@ -134,7 +134,7 @@ in {
};
};
latte = rec {
- ci = true;
+ ci = false;
cores = 1;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
# ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte";
@@ -166,7 +166,7 @@ in {
};
pnp = {
- ci = true;
+ ci = false;
cores = 1;
nets = {
retiolum = {
@@ -190,7 +190,7 @@ in {
};
};
darth = {
- ci = true;
+ ci = false;
cores = 4;
nets = {
retiolum = {
@@ -404,7 +404,7 @@ in {
};
};
wry = rec {
- ci = true;
+ ci = false;
cores = 1;
extraZones = {
"krebsco.de" = ''
@@ -449,7 +449,7 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4Tjx9qK6uWtxT1HCpeC0XvDZKO/kaPygyKatpAqU6I root@wry";
};
filepimp = rec {
- ci = true;
+ ci = false;
cores = 1;
nets = {
lan = {
@@ -494,6 +494,8 @@ in {
ip6.addr = "42:f9f0::10";
aliases = [
"omo.r"
+ "dcpp.omo.r"
+ "torrent.omo.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -554,7 +556,7 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr";
};
- nextgum = rec {
+ gum = rec {
ci = true;
extraZones = {
"krebsco.de" = ''
@@ -563,6 +565,23 @@ in {
graph IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
+ wg.euer IN A ${nets.internet.ip4.addr}
+ photostore IN A ${nets.internet.ip4.addr}
+ o.euer IN A ${nets.internet.ip4.addr}
+ mon.euer IN A ${nets.internet.ip4.addr}
+ boot.euer IN A ${nets.internet.ip4.addr}
+ wiki.euer IN A ${nets.internet.ip4.addr}
+ pigstarter IN A ${nets.internet.ip4.addr}
+ cgit.euer IN A ${nets.internet.ip4.addr}
+ git.euer IN A ${nets.internet.ip4.addr}
+ euer IN A ${nets.internet.ip4.addr}
+ share.euer IN A ${nets.internet.ip4.addr}
+ gum