119 files changed, 530 insertions, 365 deletions

diff --git a/kartei/kmein/default.nix b/kartei/kmein/default.nix
index 39125e35c..1a5a57d1a 100644
--- a/kartei/kmein/default.nix
+++ b/kartei/kmein/default.nix
@@ -82,6 +82,8 @@ in
           "makanek.r"
           "makanek.kmein.r"
           "grafana.kmein.r"
+          "alertmanager.kmein.r"
+          "prometheus.kmein.r"
           "names.kmein.r"
           "graph.r"
           "rrm.r"
diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix
index 6da73ff83..e5626d923 100644
--- a/kartei/krebs/default.nix
+++ b/kartei/krebs/default.nix
@@ -165,12 +165,20 @@ in {
     ponte = {
       cores = 1;
       owner = config.krebs.users.krebs;
+      extraZones = {
+        "krebsco.de" = /* bindzone */ ''
+          krebsco.de. 60 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr}
+        '';
+      };
       nets = rec {
         internet = {
-          ip4 = {
+          ip4 = rec {
             addr = "141.147.36.79";
-            prefix = "0.0.0.0/0";
+            prefix = "${addr}/32";
           };
+          aliases = [
+            "ponte.i"
+          ];
         };
         retiolum = {
           via = internet;
diff --git a/kartei/tv/default.nix b/kartei/tv/default.nix
index 428e1c3b9..f7e86c598 100644
--- a/kartei/tv/default.nix
+++ b/kartei/tv/default.nix
@@ -198,6 +198,7 @@ in {
           aliases = [
             "ni.r"
             "cgit.ni.r"
+            "krebs.ni.r"
             "search.ni.r"
           ];
           tinc.pubkey = ''
@@ -319,7 +320,6 @@ in {
           aliases = [
             "xu.r"
             "cgit.xu.r"
-            "krebs.xu.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -369,7 +369,7 @@ in {
     "http://cgit.krebsco.de" = {
       desc = "Git repositories";
     };
-    "http://krebs.xu.r" = {
+    "http://krebs.ni.r" = {
       desc = "krebs-pages mirror";
     };
   };
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index a34df4bdc..9849937d5 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -22,6 +22,7 @@
 
   krebs.build.host = config.krebs.hosts.hotdog;
   krebs.github-hosts-sync.enable = true;
+  krebs.pages.enable = true;
 
   boot.isContainer = true;
   networking.useDHCP = false;
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8250ebad9..2f55995cf 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -7,5 +7,31 @@
     <stockholm/krebs/2configs/matterbridge.nix>
   ];
 
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.logRefusedConnections = false;
+  networking.firewall.logRefusedUnicastsOnly = false;
+
+  # Move Internet-facing SSH port to reduce logspam.
+  networking.firewall.extraCommands = let
+    host = config.krebs.build.host;
+  in /* sh */ ''
+    iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+    iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+    ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+    ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+    ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+  '';
+
   krebs.build.host = config.krebs.hosts.ponte;
+
+  krebs.pages.enable = true;
+  krebs.pages.nginx.addSSL = true;
+  krebs.pages.nginx.enableACME = true;
+
+  security.acme.acceptTerms = true;
+  security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
 }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 0ac8cb743..6babac72e 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -34,6 +34,7 @@ let
       ./iptables.nix
       ./kapacitor.nix
       ./konsens.nix
+      ./krebs-pages.nix
       ./monit.nix
       ./nixpkgs.nix
       ./on-failure.nix
@@ -83,10 +84,6 @@ let
           @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
                                 IN NS     ns19.ovh.net.
                                 IN NS     dns19.ovh.net.
-                                IN A      185.199.108.153
-                                IN A      185.199.109.153
-                                IN A      185.199.110.153
-                                IN A      185.199.111.153
         '';
       };
     };
diff --git a/krebs/3modules/krebs-pages.nix b/krebs/3modules/krebs-pages.nix
new file mode 100644
index 000000000..a2a5b723e
--- /dev/null
+++ b/krebs/3modules/krebs-pages.nix
@@ -0,0 +1,44 @@
+{ config, modulesPath, pkgs, ... }: let
+  cfg = config.krebs.pages;
+  lib = import ../../lib;
+  extraTypes.nginx-vhost = lib.types.submodule (
+    lib.recursiveUpdate