author | tv <tv@krebsco.de> | 2024-01-06 12:38:08 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2024-01-06 12:38:08 +0100 |
commit | 1e1e751fa4ed5380b2458263ed24b01a08847291 (patch) | |
tree | 7ba8a0125fe1824c70a5df6a78fdb713818ebc4b /krebs | |
parent | 191ee037480e0837091c0dbc7bf8ec42dd7f93b4 (diff) | |
parent | 04f538164ce11ce977a851b6de2a9d2c5f7a9adb (diff) |
Merge remote-tracking branch 'orange/master'
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 1 | ||||
-rw-r--r-- | krebs/1systems/news/config.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/default.nix | 13 | ||||
-rw-r--r-- | krebs/2configs/mastodon-proxy.nix | 13 | ||||
-rw-r--r-- | krebs/2configs/mastodon.nix | 14 | ||||
-rw-r--r-- | krebs/2configs/nginx.nix | 24 | ||||
-rw-r--r-- | krebs/2configs/reaktor2.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/sync-containers3.nix | 7 | ||||
-rw-r--r-- | krebs/6assets/krebsAcmeCA.crt | 26 | ||||
-rw-r--r-- | krebs/krops.nix | 8 | ||||
-rw-r--r-- | krebs/nixpkgs-unstable.json | 12 | ||||
-rw-r--r-- | krebs/nixpkgs.json | 12 | ||||
-rwxr-xr-x | krebs/update-nixpkgs-unstable.sh | 9 | ||||
-rwxr-xr-x | krebs/update-nixpkgs.sh | 9 |
14 files changed, 70 insertions, 81 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 75a8a0da1..0a103ed1a 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -4,6 +4,7 @@
 imports = [
 ../../../krebs
 ../../../krebs/2configs
+ ../../../krebs/2configs/nginx.nix
 ../../../krebs/2configs/buildbot-stockholm.nix
 ../../../krebs/2configs/binary-cache/nixos.nix
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index b5a2b21ba..290870fce 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -14,6 +14,7 @@
 ];
 krebs.build.host = config.krebs.hosts.news;
+ krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
 boot.isContainer = true;
 networking.useDHCP = lib.mkForce true;
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 905eaaef7..5d64555c8 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -8,7 +8,17 @@ with import ../../lib/pure.nix { inherit lib; };
 ];
 krebs.announce-activation.enable = true;
 krebs.enable = true;
- krebs.tinc.retiolum.enable = mkDefault true;
+
+ # retiolum
+ krebs.tinc.retiolum = {
+ enable = mkDefault true;
+ extraConfig = ''
+ AutoConnect = yes
+ LocalDiscovery = yes
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
 # trust krebs ACME CA
 krebs.ssl.trustIntermediate = true;
@@ -52,6 +62,7 @@ with import ../../lib/pure.nix { inherit lib; };
 config.krebs.users.makefu.pubkey
 config.krebs.users.tv.pubkey
 config.krebs.users.kmein.pubkey
+ config.krebs.users.mic92.pubkey
 ];
 # The NixOS release to be compatible with for stateful data such as databases.
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
index 4d359c3fe..b579a5031 100644
--- a/krebs/2configs/mastodon-proxy.nix
+++ b/krebs/2configs/mastodon-proxy.nix
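Review bot: The two firewall lines opening TCP/UDP 655 in the first default.nix hunk are unconditional, while retiolum itself stays `mkDefault true` and can be switched off per host, so a host that disables retiolum still exposes the tinc port on every interface; tying them to the option keeps the two in step: `networking.firewall.allowedTCPPorts = lib.mkIf config.krebs.tinc.retiolum.enable [ 655 ];` and the same for `allowedUDPPorts`. The `# retiolum` comment could also state why `AutoConnect` and `LocalDiscovery` are turned on for every host importing 2configs, since `LocalDiscovery` makes tinc look for peers on the local network rather than only via configured addresses.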
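Review bot: The second default.nix hunk adds `config.krebs.users.mic92.pubkey` to a key list whose head is outside the hunk, so what access this grants on every host importing 2configs is not visible here; a one-line comment above the list naming what it feeds (presumably an authorized-keys set) would make such additions reviewable on their own. If the list is indeed authorized keys for a privileged account, this is a trust change for the whole fleet and deserves a mention in the merge description.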
@@ -5,19 +5,12 @@
 virtualHosts."social.krebsco.de" = {
 forceSSL = true;
 enableACME = true;
+ acmeFallbackHost = "hotdog.r";
 locations."/" = {
 # TODO use this in 22.11
- # recommendedProxySettings = true;
- proxyPass = "http://hotdog.r";
+ recommendedProxySettings = true;
+ proxyPass = "https://hotdog.r";
 proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- '';
 };
 };
 };
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index af308b2c7..ebc4207a0 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -3,7 +3,7 @@
 services.postgresql = {
 enable = true;
 dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
- package = pkgs.postgresql_11;
+ package = pkgs.postgresql_16;
 };
 systemd.tmpfiles.rules = [
 "d /var/state/postgresql 0700 postgres postgres -"
@@ -13,23 +13,17 @@
 enable = true;
 localDomain = "social.krebsco.de";
 configureNginx = true;
+ streamingProcesses = 3;
 trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
 smtp.createLocally = false;
 smtp.fromAddress = "derp";
 };
- services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
- forceSSL = lib.mkForce false;
- enableACME = lib.mkForce false;
- locations."@proxy".extraConfig = ''
- proxy_redirect off;
- proxy_pass_header Server;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
- '';
- };
+ security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 networking.firewall.allowedTCPPorts = [
 80
+ 443
 ];
 environment.systemPackages = [
diff --git a/krebs/2configs/nginx.nix b/krebs/2configs/nginx.nix
new file mode 100644
index 000000000..812093a7e
--- /dev/null
+++ b/krebs/2configs/nginx.nix
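Review bot: `proxyPass = "https://hotdog.r"` moves the backend hop to TLS, but nginx does not verify upstream certificates unless `proxy_ssl_verify on` (with `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on`) is set in `extraConfig`, so this adds encryption but not authentication of hotdog; if the hop is only reachable over retiolum the exposure is limited, but that assumption should be written down. Note that mastodon.nix in the same commit points hotdog's `social.krebsco.de` certificate at the Let's Encrypt staging directory, which would not pass verification against the system CA bundle, so either that setting or the trust anchor has to change before verification can be turned on. The context line `# TODO use this in 22.11` is now stale, since `recommendedProxySettings = true` is exactly what it asked for; drop it.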
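Review bot: In the first mastodon.nix hunk, bumping `package` from `postgresql_11` to `postgresql_16` changes `psqlSchema`, and `dataDir` is keyed on it, so the service will presumably initialise an empty cluster under a new `/var/state/postgresql/16` directory and leave the Mastodon data in the `11` directory untouched; nothing in the commit migrates it. A comment next to the line recording how the data is moved, e.g. `# cluster upgraded from the postgresql 11 dataDir with pg_upgrade; old directory left in place`, would avoid a surprise on the next redeploy.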
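Review bot: The second mastodon.nix hunk sets `security.acme.certs."social.krebsco.de".server` to the Let's Encrypt staging directory without saying why; staging certificates are not trusted by clients, so this only works because the host is reached through the prism proxy, and the line should carry a comment such as `# staging: this cert is only seen by the prism proxy, avoids LE rate limits` (or whatever the actual reason is). With 443 now opened in the firewall, the staging certificate is also what any direct client of this host will see.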
@@ -0,0 +1,24 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "spam@krebsco.de";
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ enableReload = true;
+
+ virtualHosts.default = {
+ default = true;
+ locations."= /etc/os-release".extraConfig = ''
+ default_type text/plain;
+ alias /etc/os-release;
+ '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
+ };
+ };
+}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index db7b794f4..e84827656 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -526,6 +526,8 @@ in {
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
 };
 services.nginx.virtualHosts."bedge.r" = {
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 7bec27b0f..d3a65bd4c 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -155,7 +155,7 @@ in {
 # echo 'container is reachable, continueing'
 continue
 else
- # echo 'container seems dead, killing'
+ echo 'container seems dead, killing'
 break
 fi
 else
@@ -249,6 +249,11 @@ in {
 ExecStop = pkgs.writers.writeDash "remove_interface" ''
 ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
 '';
+ ExecStartPost = [
+ (pkgs.writers.writeDash "bind-to-bridge" ''
+ ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
+ '')
+ ];
 };
 };
 } ]) (lib.attrValues cfg.containers)));
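Review bot: The default vhost in nginx.nix serves `/etc/os-release` to any unauthenticated client that reaches port 80 with an unknown Host, which discloses the exact NixOS release and build id of the host; if that is intended for krebs' own tooling, say so in a comment (`# os-release is exposed on purpose for fleet inventory`), otherwise restrict the location to retiolum addresses with an `allow`/`deny` block in its `extraConfig`. The challenge location regex `~ ^/.well-known/acme-challenge/` leaves the dot unescaped, so it also matches `/Xwell-known/...`; the intended nginx regex is `~ ^/\.well-known/acme-challenge/`, written as `\\.` inside the Nix string. The same regex is added to reaktor2.nix in this commit, so fix both together.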
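Review bot: The new `ExecStartPost` in the second sync-containers3.nix hunk names the interface `"vb-$INSTANCE"` while the `ExecStop` two lines above uses `vb-${ctr.name}`, so the two commands only agree if the unit's environment provides `INSTANCE` equal to `ctr.name`; the enclosing unit definition starts outside the hunk, so that cannot be confirmed here. Using the Nix-side name in both places, `${pkgs.iproute2}/bin/ip link set vb-${ctr.name} master ctr0`, removes the dependency on the runtime variable. A comment would also help that a failing `ExecStartPost` (e.g. the veth not existing yet) marks the whole unit as failed rather than just skipping the bridge attachment.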
diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt index bf05b44f4..6f659d905 100644 --- a/krebs/6assets/krebsAcmeCA.crt +++ b/krebs/6assets/krebsAcmeCA.crt @@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB -gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl -YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq -hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2 -MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT -BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr -qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD -VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj -SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv -MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt -XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4 -20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9 -MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc= +MIICWjCCAcOgAwIBAgIRAOACUgvw++4VwgQ7Iu1/iRkwDQYJKoZIhvcNAQELBQAw +gYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3MxEDAOBgNVBAoMB0ty +ZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBSb290IENBMScwJQYJ +KoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUwHhcNMjMxMjA2MjAy +NTI1WhcNMjQxMjA1MjAyNTI1WjAYMRYwFAYDVQQDEw1LcmVicyBBQ01FIENBMFkw +EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESHiqfjJYhLvY9pBWVi5gwDmZQ65F5KGV +GSkOprlw4TJguHr6ToSC9MErHhDb80kyidcjWDi2WTJX1zg/OmTv2qOBgDB+MA4G +A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTSCUQO +B5ICY1kqFPQ299+Kn6zr8TAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGV +LzAYBgNVHR4BAf8EDjAMoAowA4IBcjADggF3MA0GCSqGSIb3DQEBCwUAA4GBAMY3 +hXVyUAYfNw+sb5NLZKkp5/Uu9ehcmVJV/CkWm5BKyEFsdCJ3PL5rnpockxNrOTy1 +/y0IWZ4UaV2jqVibKOTt3FWax1BHXuTBMSirAIKYdUnT969KTTs0atrDYYh1bBzy +YIxiIU+Be343LFI5HTNewAyK2SYUO0QP0BkGUUGD -----END CERTIFICATE----- 
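Review bot: Decoding the validity fields of the replaced certificate suggests the previous Krebs ACME CA expired on 2023-12-06 and the new one is valid from 2023-12-06 to 2024-12-05, i.e. another one-year intermediate that every host trusts through `krebs.ssl.trustIntermediate = true` in 2configs/default.nix; this merge lands a month after the old one lapsed. Issuer and authority key identifier appear unchanged, so the root has not moved, but a short note in the asset's commit message or the module that consumes it recording the expiry date and how renewal is scheduled would keep the next rotation from being discovered by outage.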
diff --git a/krebs/krops.nix b/krebs/krops.nix
index aeb2413a4..eba966b4f 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -10,8 +10,8 @@ krebs-source = { test ? false }: rec {
 nixpkgs = if test then {
 derivation = let
- rev = (lib.importJSON ./nixpkgs.json).rev;
- sha256 = (lib.importJSON ./nixpkgs.json).sha256;
+ rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
+ sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;
 in ''
 with import (builtins.fetchTarball {
 url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
@@ -26,8 +26,8 @@
 '';
 } else {
 git = {
- ref = (lib.importJSON ./nixpkgs.json).rev;
- url = https://github.com/NixOS/nixpkgs;
+ ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
+ url = "https://github.com/NixOS/nixpkgs";
 shallow = true;
 };
 };
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
deleted file mode 100644
index 2233cd20b..000000000
--- a/krebs/nixpkgs-unstable.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "url": "https://github.com/NixOS/nixpkgs",
- "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b",
- "date": "2023-09-01T18:51:16+08:00",
- "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs",
- "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9",
- "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=",
- "fetchLFS": false,
- "fetchSubmodules": false,
- "deepClone": false,
- "leaveDotGit": false
-}
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
deleted file mode 100644
index 0b6021ed0..000000000
--- a/krebs/nixpkgs.json
+++ /dev/null
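Review bot: `lib.importJSON ../flake.lock` is parsed twice in the first krops.nix hunk and once more in the second, each time re-walking `.nodes.nixpkgs.locked`; binding it once keeps the three readers in step if the lock's node name ever changes: `locked = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked;` then `rev = locked.rev;` and `sha256 = locked.narHash;`. A short comment that `narHash` is an SRI hash and that `builtins.fetchTarball` accepts it in `sha256` on current Nix would save the next reader checking that. The `git` branch in the second hunk still pins only `ref` with no hash, as before, so the test and non-test paths give different integrity guarantees; worth a comment if that is deliberate.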
@@ -1,12 +0,0 @@
-{
- "url": "https://github.com/NixOS/nixpkgs",
- "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1",
- "date": "2023-09-02T08:28:47+02:00",
- "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs",
- "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36",
- "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=",
- "fetchLFS": false,
- "fetchSubmodules": false,
- "deepClone": false,
- "leaveDotGit": false
-}
diff --git a/krebs/update-nixpkgs-unstable.sh b/krebs/update-nixpkgs-unstable.sh
deleted file mode 100755
index ab04914c1..000000000
--- a/krebs/update-nixpkgs-unstable.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-dir=$(dirname $0)
-oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
- --url https://github.com/NixOS/nixpkgs \
- --rev refs/heads/nixos-unstable' \
-> $dir/nixpkgs-unstable.json
-newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-git commit $dir/nixpkgs-unstable.json -m "nixpkgs-unstable: $oldrev -> $newrev"
diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh
deleted file mode 100755
index 465548f44..000000000
--- a/krebs/update-nixpkgs.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-dir=$(dirname $0)
-oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
- --url https://github.com/NixOS/nixpkgs \
- --rev refs/heads/nixos-23.05' \
-> $dir/nixpkgs.json
-newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
-git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"
|