author | makefu <github@syntax-fehler.de> | 2023-12-04 15:06:05 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2023-12-04 15:06:05 +0100 |
commit | 2ca25d5fc3b5bcabe15b0934208b5f5201420eb2 (patch) | |
tree | e41e5c3114a57555eca53b4521b99c22ea2056ba /krebs | |
parent | f157c7b47f249470b4f5cebdc53ce391d938b0b4 (diff) | |
parent | c660bedbb94a9a08c50050a3447f4fc5ba90fd69 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/1systems/news/config.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/default.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/tor/initrd.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/exim.nix | 14 | ||||
-rw-r--r-- | krebs/3modules/fetchWallpaper.nix | 95 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/setuid.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/sync-containers3.nix | 39 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 5 | ||||
-rw-r--r-- | krebs/3modules/zones.nix | 2 |
11 files changed, 40 insertions, 124 deletions
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index b5a2b21ba..290870fce 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -14,6 +14,7 @@
 ];
 krebs.build.host = config.krebs.hosts.news;
+ krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
 boot.isContainer = true;
 networking.useDHCP = lib.mkForce true;
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index bd4f36cbe..905eaaef7 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -48,9 +48,7 @@ with import ../../lib/pure.nix { inherit lib; };
 users.mutableUsers = false;
 users.extraUsers.root.openssh.authorizedKeys.keys = [
- config.krebs.users.jeschli-brauerei.pubkey
 config.krebs.users.lass.pubkey
- config.krebs.users.lass-mors.pubkey
 config.krebs.users.makefu.pubkey
 config.krebs.users.tv.pubkey
 config.krebs.users.kmein.pubkey
diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix
index 21c46a0a7..768439734 100644
--- a/krebs/2configs/tor/initrd.nix
+++ b/krebs/2configs/tor/initrd.nix
@@ -7,9 +7,7 @@
 enable = true;
 port = 22;
 authorizedKeys = [
- config.krebs.users.jeschli-brauerei.pubkey
 config.krebs.users.lass.pubkey
- config.krebs.users.lass-mors.pubkey
 config.krebs.users.makefu.pubkey
 config.krebs.users.tv.pubkey
 ];
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 5d12ea7af..27c3da2e6 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -17,7 +17,6 @@
 ./exim-retiolum.nix
 ./exim-smarthost.nix
 ./exim.nix
- ./fetchWallpaper.nix
 ./git.nix
 ./github
 ./go.nix
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix
index 917a8e5a4..583fd07b1 100644
--- a/krebs/3modules/exim.nix
+++ b/krebs/3modules/exim.nix
@@ -50,14 +50,18 @@ in {
 '';
 systemPackages = [ pkgs.exim ];
 };
- krebs.setuid = {
+ security.wrappers = {
 exim = {
- filename = "${pkgs.exim}/bin/exim";
- mode = "4111";
+ source = "${pkgs.exim}/bin/exim";
+ owner = "root";
+ group = "root";
+ setuid = true;
 };
 sendmail = {
- filename = "${pkgs.exim}/bin/exim";
- mode = "4111";
+ source = "${pkgs.exim}/bin/exim";
+ owner = "root";
+ group = "root";
+ setuid = true;
 };
 };
 systemd.services.exim = {
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
deleted file mode 100644
index 0d67120fd..000000000
--- a/krebs/3modules/fetchWallpaper.nix
+++ /dev/null
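Review bot: The `exim` and `sendmail` wrappers now repeat the same four attributes; a single binding such as `let eximWrapper = { source = "${pkgs.exim}/bin/exim"; owner = "root"; group = "root"; setuid = true; }; in { exim = eximWrapper; sendmail = eximWrapper; }` keeps the two setuid-root definitions from drifting apart. NixOS's own `services.exim` module also declares `security.wrappers.exim` with its own `source`; if that module is enabled on the same host the two `source` values will conflict at evaluation time, so either guard this one with `lib.mkDefault` or document that the upstream module must stay off. The removed `krebs.setuid` entries carried an explicit `mode = "4111"` while no `permissions` is set here, so the wrapper gets the module default — if the non-readable mode was deliberate, say so in a comment or set `permissions` explicitly. The enclosing `config` attrset starts and ends outside the hunk.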
@@ -1,95 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import ../../lib/pure.nix { inherit lib; };
-
-let
- cfg = config.krebs.fetchWallpaper;
-
- out = {
- options.krebs.fetchWallpaper = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "fetch wallpaper";
- url = mkOption {
- type = types.str;
- };
- timerConfig = mkOption {
- type = types.unspecified;
- default = {
- OnCalendar = "*:00,10,20,30,40,50";
- };
- };
- stateDir = mkOption {
- type = types.str;
- default = "/var/lib/wallpaper";
- };
- display = mkOption {
- type = types.str;
- default = ":${toString config.services.xserver.display}";
- };
- unitConfig = mkOption {
- type = types.attrsOf types.str;
- description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit";
- example = literalExample ''
- # do not start when running on umts
- { ConditionPathExists = "!/var/run/ppp0.pid"; }
- '';
- default = {};
- };
- };
-
- fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" ''
- set -euf
-
- mkdir -p ${cfg.stateDir}
- chmod o+rx ${cfg.stateDir}
- cd ${cfg.stateDir}
- (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
- feh --no-fehbg --bg-scale wallpaper
- '';
-
- imp = {
- users.users.fetchWallpaper = {
- name = "fetchWallpaper";
- uid = genid_uint31 "fetchWallpaper";
- description = "fetchWallpaper user";
- group = "fetchWallpaper";
- home = cfg.stateDir;
- createHome = true;
- isSystemUser = true;
- };
- users.groups.fetchWallpaper = {};
-
- systemd.timers.fetchWallpaper = {
- description = "fetch wallpaper timer";
- wantedBy = [ "timers.target" ];
-
- timerConfig = cfg.timerConfig;
- };
- systemd.services.fetchWallpaper = {
- description = "fetch wallpaper";
- after = [ "network.target" ];
-
- path = with pkgs; [
- curl
- feh
- ];
-
- environment = {
- URL = cfg.url;
- DISPLAY = cfg.display;
- };
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- ExecStart = fetchWallpaperScript;
- User = "fetchWallpaper";
- };
-
- unitConfig = cfg.unitConfig;
- };
- };
-in out
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 1ec216f62..347a2c32b 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -376,6 +376,7 @@ let
 (filter (user: isString user.pubkey)
 (concatMap (getAttr "user") cfg.rules))));
 };
+ users.groups.${cfg.cgit.fcgiwrap.group.name} = {};
 };
 cgit-imp = {
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 53fed0e36..fdb96c8ba 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -80,7 +80,7 @@ let
 };
 imp = {
- system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ]
+ system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
 (concatMapStringsSep "\n" (cfg: /* sh */ ''
 ${cfg.activate}
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index c88dd5919..58446c82b 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -32,6 +32,17 @@ in {
 type = lib.types.bool;
 default = true;
 };
+ startCommand = lib.mkOption {
+ type = lib.types.str;
+ default = ''
+ set -efu
+ mkdir -p /var/state/var_src
+ ln -Tfrs /var/state/var_src /var/src
+ if test -e /var/src/nixos-config; then
+ /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+ fi
+ '';
+ };
 };
 }));
 };
@@ -52,14 +63,7 @@ in {
 NIX_REMOTE = "daemon";
 };
 wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
- set -efu
- mkdir -p /var/state/var_src
- ln -Tfrs /var/state/var_src /var/src
- if test -e /var/src/nixos-config; then
- /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
- fi
- '';
+ serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ctr.startCommand;
 unitConfig.X-StopOnRemoval = false;
 };
 };
@@ -84,6 +88,7 @@ in {
 { "${ctr.name}_syncer" = {
 path = with pkgs; [
 coreutils
+ inetutils
 consul
 rsync
 openssh
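Review bot: The added `users.groups.${cfg.cgit.fcgiwrap.group.name} = {};` lives in the attrset that closes just before `cgit-imp = {`; if that attrset is the unconditional git configuration, the fcgiwrap group is created on every host that enables krebs.git even when cgit is off. Moving the line into `cgit-imp` ties the group to the cgit configuration that actually uses it. Whether the enclosing attrset is already gated on `cfg.cgit.enable` is not visible here; its definition starts outside the hunk.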
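Review bot: The activation script is now ordered only after `usrbinenv`, and its former dependency on `wrappers` is dropped without explanation; if `cfg.activate` (defined above the hunk) still places its setuid binaries under `/run/wrappers/bin`, nothing in the new ordering guarantees that directory exists or has been populated when the script runs, and on NixOS releases where wrappers are built by a systemd unit rather than an activation script, that unit may later recreate the directory and discard these binaries. A comment on the `stringAfter` line stating why `wrappers` is no longer a valid dependency and where the binaries are written would make this checkable, e.g. `# "wrappers" is no longer an activation script; binaries are written to <dir>, which is created by <unit>`. The `imp` definition continues beyond the hunk.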
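Review bot: The new `startCommand` option has no `description`, and with `type = lib.types.str` two modules that set it for the same container fail to merge, whereas `lib.types.lines` — the conventional type for a shell script passed to `writeDash` — would concatenate them. The description should state what the default does and what it hides: the script is run by the container's autoswitch unit (presumably as root, given the `nixos-rebuild switch` call), a missing `/var/src/nixos-config` is skipped silently, and `|| :` swallows `nixos-rebuild` failures, so a broken config leaves the container on its previous generation without the unit ever failing. Something like `description = "Shell script run by the autoswitch service at container start; by default links /var/state/var_src to /var/src and runs nixos-rebuild switch, ignoring failures.";` on the option would suffice. The submodule definition starts outside the hunk.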
@@ -103,7 +108,7 @@ in {
 set -efux
 consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
 set -efux
- if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
+ if ping -c 1 ${ctr.name}.r; then
 nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync
 touch "$HOME"/incomplete
 nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk
@@ -116,6 +121,7 @@ in {
 { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer {
 path = with pkgs; [
 coreutils
+ inetutils
 consul
 cryptsetup
 curl
@@ -145,7 +151,7 @@ in {
 export payload
 if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
 # echo 'we are the host, trying to reach container'
- if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
+ if $(retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null); then
 # echo 'container is reachable, continueing'
 continue
 else
@@ -173,6 +179,7 @@ in {
 wantedBy = [ "multi-user.target" ];
 path = with pkgs; [
 coreutils
+ inetutils
 consul
 cryptsetup
 mount
@@ -228,8 +235,8 @@ in {
 /run/current-system/sw/bin/nixos-container start ${ctr.name}
 # wait for system to become reachable for the first time
 systemctl start ${ctr.name}_watcher.service
- retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
- while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
+ retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null
+ while systemctl is-active container@${ctr.name}.service >/devnull && ping -q -c 3 ${ctr.name}.r >/dev/null; do
 consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
 sleep 10
 done
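Review bot: `ping` is now taken from the unit's `path` (inetutils) instead of `/run/wrappers/bin/ping`, but the wrapper is what carried the CAP_NET_RAW that raw ICMP sockets need; this script reads `$CREDENTIALS_DIRECTORY` and `$HOME`, which suggests the syncer runs as an unprivileged user, and in that case the unwrapped binary fails with a permission error, the `if` quietly takes its false branch and the sync never runs. Either keep the wrapper path, give the unit `serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ]`, or confirm that the unit's user is inside `net.ipv4.ping_group_range` and that inetutils ping falls back to ICMP datagram sockets for it. The same substitution is made in the watcher and in the later hunks of this file, so whichever fix is chosen applies to all of them. The enclosing service definition starts outside the hunk.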
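Review bot: The rewritten `while` line still redirects `systemctl is-active` to `>/devnull`, which is a regular file named `/devnull` in the root filesystem rather than `/dev/null`; `set -efux` does not catch this, so every iteration creates or truncates that file. Since the line is being touched anyway, fix the path: `while systemctl is-active container@${ctr.name}.service >/dev/null && ping -q -c 3 ${ctr.name}.r >/dev/null; do`. The two `ping` calls in this hunk carry the same capability caveat as the other call sites in this file now that `/run/wrappers/bin/ping` is no longer used. The enclosing script starts before the hunk.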
@@ -239,9 +246,11 @@ in {
 }; }
 { "container@${ctr.name}" = lib.mkIf ctr.runContainer {
 serviceConfig = {
- ExecStop = pkgs.writers.writeDash "remove_interface" ''
- ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
- '';
+ ExecStartPost = [
+ (pkgs.writers.writeDash "bind-to-bridge" ''
+ ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0
+ '')
+ ];
 };
 }; }
 ]) (lib.attrValues cfg.containers)));
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 9df368cfb..d73d5ca61 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -208,10 +208,9 @@ with import ../../lib/pure.nix { inherit lib; };
 { description = "Tinc daemon for ${netname}";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
- # Restart the service in a single step in order to prevent potential
- # connection timeouts and subsequent issues while deploying via tinc.
- stopIfChanged = false;
+ reloadIfChanged = true;
 serviceConfig = {
+ ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
 Restart = "always";
 LoadCredential = filter (x: x != "") [
 (optionalString (cfg.privkey_ed25519 != null)
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 29c0b0f23..7a9cf5be1 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -17,6 +17,8 @@ with lib; {
 @ 3600 IN NS ns3.he.net.
 @ 3600 IN NS ns2.hosting.de.
+ _acme-challenge IN NS ns1
+ panda NS panda
 panda A 130.61.237.100
 '';
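Review bot: The `ExecStartPost` script attaches `vb-$INSTANCE` to `ctr0` without checking that the bridge exists, and because it is a start-post step a failing `ip link set` marks `container@${ctr.name}` as failed even though the container is already running. It also relies on the `INSTANCE` environment variable where the rest of this module interpolates `${ctr.name}` directly — the removed `ExecStop` used `vb-${ctr.name}` — so `ip link set "vb-${ctr.name}" master ctr0` would be consistent and not depend on the template unit's environment. The removed `ExecStop` deleted the veth on stop; if that is no longer needed because the interface disappears with the container, a one-line comment saying so stops the next reader from re-adding it. The `systemd.services` list this hunk closes starts before the hunk.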
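Review bot: `reloadIfChanged = true` turns every change to this unit into a reload, including a new `cfg.tincPackage` or a changed key delivered through `LoadCredential`; `tinc reload` re-reads the configuration and host files only, so after such a switch the daemon keeps running the old binary (and presumably the old private key — confirm against tinc's reload semantics) until something else restarts it. NixOS's `reloadTriggers` expresses the intent more precisely: list the generated config and hosts derivations there and leave `reloadIfChanged` unset, so config-only changes reload while package or credential changes still restart. The `+` prefix on `ExecReload` runs the control client as root regardless of any `User=`, which only works if the daemon's pid/control file is where that root invocation looks (`/run/tinc.${netname}.pid` by default); a comment on the line stating that assumption would help. The service definition starts outside the hunk.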
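Review bot: `_acme-challenge IN NS ns1` delegates the ACME DNS-01 challenge name to `ns1`, so whoever controls `ns1` can obtain certificates for the apex and for anything validated under it; that is the usual design for dynamic validation but deserves a comment in the zone, e.g. `; _acme-challenge delegated to ns1 for DNS-01 validation -- ns1 can authorize certificate issuance for this zone`. The record also carries no TTL where the neighbouring NS records use `3600`, and no glue A record for `ns1` appears in the hunk — if `ns1` is in-zone it needs one (it may exist elsewhere in the file). `panda NS panda` with the `panda A` glue below delegates the `panda` subdomain to itself; the omitted `IN` is legal but inconsistent with the surrounding records. The zone string starts before the hunk.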