summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2024-01-06 12:38:08 +0100
committertv <tv@krebsco.de>2024-01-06 12:38:08 +0100
commit1e1e751fa4ed5380b2458263ed24b01a08847291 (patch)
tree7ba8a0125fe1824c70a5df6a78fdb713818ebc4b /krebs
parent191ee037480e0837091c0dbc7bf8ec42dd7f93b4 (diff)
parent04f538164ce11ce977a851b6de2a9d2c5f7a9adb (diff)
Merge remote-tracking branch 'orange/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/hotdog/config.nix1
-rw-r--r--krebs/1systems/news/config.nix1
-rw-r--r--krebs/2configs/default.nix13
-rw-r--r--krebs/2configs/mastodon-proxy.nix13
-rw-r--r--krebs/2configs/mastodon.nix14
-rw-r--r--krebs/2configs/nginx.nix24
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/3modules/sync-containers3.nix7
-rw-r--r--krebs/6assets/krebsAcmeCA.crt26
-rw-r--r--krebs/krops.nix8
-rw-r--r--krebs/nixpkgs-unstable.json12
-rw-r--r--krebs/nixpkgs.json12
-rwxr-xr-xkrebs/update-nixpkgs-unstable.sh9
-rwxr-xr-xkrebs/update-nixpkgs.sh9
14 files changed, 70 insertions, 81 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 75a8a0da1..0a103ed1a 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -4,6 +4,7 @@
imports = [
../../../krebs
../../../krebs/2configs
+ ../../../krebs/2configs/nginx.nix
../../../krebs/2configs/buildbot-stockholm.nix
../../../krebs/2configs/binary-cache/nixos.nix
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index b5a2b21ba..290870fce 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -14,6 +14,7 @@
];
krebs.build.host = config.krebs.hosts.news;
+ krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
boot.isContainer = true;
networking.useDHCP = lib.mkForce true;
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 905eaaef7..5d64555c8 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -8,7 +8,17 @@ with import ../../lib/pure.nix { inherit lib; };
];
krebs.announce-activation.enable = true;
krebs.enable = true;
- krebs.tinc.retiolum.enable = mkDefault true;
+
+ # retiolum
+ krebs.tinc.retiolum = {
+ enable = mkDefault true;
+ extraConfig = ''
+ AutoConnect = yes
+ LocalDiscovery = yes
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
# trust krebs ACME CA
krebs.ssl.trustIntermediate = true;
@@ -52,6 +62,7 @@ with import ../../lib/pure.nix { inherit lib; };
config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey
config.krebs.users.kmein.pubkey
+ config.krebs.users.mic92.pubkey
];
# The NixOS release to be compatible with for stateful data such as databases.
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
index 4d359c3fe..b579a5031 100644
--- a/krebs/2configs/mastodon-proxy.nix
+++ b/krebs/2configs/mastodon-proxy.nix
@@ -5,19 +5,12 @@
virtualHosts."social.krebsco.de" = {
forceSSL = true;
enableACME = true;
+ acmeFallbackHost = "hotdog.r";
locations."/" = {
# TODO use this in 22.11
- # recommendedProxySettings = true;
- proxyPass = "http://hotdog.r";
+ recommendedProxySettings = true;
+ proxyPass = "https://hotdog.r";
proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- '';
};
};
};
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index af308b2c7..ebc4207a0 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -3,7 +3,7 @@
services.postgresql = {
enable = true;
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
- package = pkgs.postgresql_11;
+ package = pkgs.postgresql_16;
};
systemd.tmpfiles.rules = [
"d /var/state/postgresql 0700 postgres postgres -"
@@ -13,23 +13,17 @@
enable = true;
localDomain = "social.krebsco.de";
configureNginx = true;
+ streamingProcesses = 3;
trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
smtp.createLocally = false;
smtp.fromAddress = "derp";
};
- services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
- forceSSL = lib.mkForce false;
- enableACME = lib.mkForce false;
- locations."@proxy".extraConfig = ''
- proxy_redirect off;
- proxy_pass_header Server;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
- '';
- };
+ security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
networking.firewall.allowedTCPPorts = [
80
+ 443
];
environment.systemPackages = [
diff --git a/krebs/2configs/nginx.nix b/krebs/2configs/nginx.nix
new file mode 100644
index 000000000..812093a7e
--- /dev/null
+++ b/krebs/2configs/nginx.nix
@@ -0,0 +1,24 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "spam@krebsco.de";
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ enableReload = true;
+
+ virtualHosts.default = {
+ default = true;
+ locations."= /etc/os-release".extraConfig = ''
+ default_type text/plain;
+ alias /etc/os-release;
+ '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
+ };
+ };
+}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index db7b794f4..e84827656 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -526,6 +526,8 @@ in {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
'';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
};
services.nginx.virtualHosts."bedge.r" = {
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 7bec27b0f..d3a65bd4c 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -155,7 +155,7 @@ in {
# echo 'container is reachable, continueing'
continue
else
- # echo 'container seems dead, killing'
+ echo 'container seems dead, killing'
break
fi
else
@@ -249,6 +249,11 @@ in {
ExecStop = pkgs.writers.writeDash "remove_interface" ''
${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
'';
+ ExecStartPost = [
+ (pkgs.writers.writeDash "bind-to-bridge" ''
+ ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
+ '')
+ ];
};
}; }
]) (lib.attrValues cfg.containers)));
diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt
index bf05b44f4..6f659d905 100644
--- a/krebs/6assets/krebsAcmeCA.crt
+++ b/krebs/6assets/krebsAcmeCA.crt
@@ -1,15 +1,15 @@
-----BEGIN CERTIFICATE-----
-MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB
-gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
-YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
-hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2
-MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
-BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr
-qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD
-VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj
-SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
-MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt
-XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4
-20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9
-MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc=
+MIICWjCCAcOgAwIBAgIRAOACUgvw++4VwgQ7Iu1/iRkwDQYJKoZIhvcNAQELBQAw
+gYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3MxEDAOBgNVBAoMB0ty
+ZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBSb290IENBMScwJQYJ
+KoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUwHhcNMjMxMjA2MjAy
+NTI1WhcNMjQxMjA1MjAyNTI1WjAYMRYwFAYDVQQDEw1LcmVicyBBQ01FIENBMFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESHiqfjJYhLvY9pBWVi5gwDmZQ65F5KGV
+GSkOprlw4TJguHr6ToSC9MErHhDb80kyidcjWDi2WTJX1zg/OmTv2qOBgDB+MA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTSCUQO
+B5ICY1kqFPQ299+Kn6zr8TAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGV
+LzAYBgNVHR4BAf8EDjAMoAowA4IBcjADggF3MA0GCSqGSIb3DQEBCwUAA4GBAMY3
+hXVyUAYfNw+sb5NLZKkp5/Uu9ehcmVJV/CkWm5BKyEFsdCJ3PL5rnpockxNrOTy1
+/y0IWZ4UaV2jqVibKOTt3FWax1BHXuTBMSirAIKYdUnT969KTTs0atrDYYh1bBzy
+YIxiIU+Be343LFI5HTNewAyK2SYUO0QP0BkGUUGD
-----END CERTIFICATE-----
diff --git a/krebs/krops.nix b/krebs/krops.nix
index aeb2413a4..eba966b4f 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -10,8 +10,8 @@
krebs-source = { test ? false }: rec {
nixpkgs = if test then {
derivation = let
- rev = (lib.importJSON ./nixpkgs.json).rev;
- sha256 = (lib.importJSON ./nixpkgs.json).sha256;
+ rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
+ sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;
in ''
with import (builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
@@ -26,8 +26,8 @@
'';
} else {
git = {
- ref = (lib.importJSON ./nixpkgs.json).rev;
- url = https://github.com/NixOS/nixpkgs;
+ ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
+ url = "https://github.com/NixOS/nixpkgs";
shallow = true;
};
};
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
deleted file mode 100644
index 2233cd20b..000000000
--- a/krebs/nixpkgs-unstable.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "url": "https://github.com/NixOS/nixpkgs",
- "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b",
- "date": "2023-09-01T18:51:16+08:00",
- "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs",
- "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9",
- "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=",
- "fetchLFS": false,
- "fetchSubmodules": false,
- "deepClone": false,
- "leaveDotGit": false
-}
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
deleted file mode 100644
index 0b6021ed0..000000000
--- a/krebs/nixpkgs.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "url": "https://github.com/NixOS/nixpkgs",
- "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1",
- "date": "2023-09-02T08:28:47+02:00",
- "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs",
- "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36",
- "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=",
- "fetchLFS": false,
- "fetchSubmodules": false,
- "deepClone": false,
- "leaveDotGit": false
-}
diff --git a/krebs/update-nixpkgs-unstable.sh b/krebs/update-nixpkgs-unstable.sh
deleted file mode 100755
index ab04914c1..000000000
--- a/krebs/update-nixpkgs-unstable.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-dir=$(dirname $0)
-oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
- --url https://github.com/NixOS/nixpkgs \
- --rev refs/heads/nixos-unstable' \
-> $dir/nixpkgs-unstable.json
-newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-git commit $dir/nixpkgs-unstable.json -m "nixpkgs-unstable: $oldrev -> $newrev"
diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh
deleted file mode 100755
index 465548f44..000000000
--- a/krebs/update-nixpkgs.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-dir=$(dirname $0)
-oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
- --url https://github.com/NixOS/nixpkgs \
- --rev refs/heads/nixos-23.05' \
-> $dir/nixpkgs.json
-newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"