summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--kartei/lass/aergia.nix39
-rw-r--r--kartei/lass/neoprism.nix16
-rw-r--r--kartei/lass/orange.nix38
-rw-r--r--kartei/lass/ubik.nix38
-rw-r--r--kartei/lass/yellow.nix1
-rw-r--r--kartei/mic92/default.nix34
-rw-r--r--kartei/tv/hosts/ru.nix24
-rw-r--r--krebs/2configs/reaktor2.nix4
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/github/known-hosts.nix3
-rwxr-xr-xkrebs/3modules/github/update15
-rw-r--r--krebs/3modules/sync-containers3.nix (renamed from lass/3modules/sync-containers3.nix)34
-rw-r--r--krebs/3modules/tinc.nix18
-rw-r--r--krebs/5pkgs/simple/syncthing-device-id.nix5
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rw-r--r--lass/1systems/aergia/config.nix76
-rw-r--r--lass/1systems/aergia/disk.nix64
-rw-r--r--lass/1systems/aergia/install.sh3
-rw-r--r--lass/1systems/aergia/physical.nix86
-rw-r--r--lass/1systems/aergia/source.nix21
-rw-r--r--lass/1systems/green/config.nix2
-rw-r--r--lass/1systems/hilum/disk.nix53
-rwxr-xr-xlass/1systems/hilum/flash-stick.sh37
-rw-r--r--lass/1systems/hilum/physical.nix43
-rw-r--r--lass/1systems/neoprism/config.nix6
-rw-r--r--lass/1systems/orange/config.nix21
-rw-r--r--lass/1systems/orange/physical.nix7
-rw-r--r--lass/1systems/radio/config.nix2
-rw-r--r--lass/1systems/ubik/config.nix33
-rw-r--r--lass/1systems/ubik/physical.nix7
-rw-r--r--lass/1systems/yellow/config.nix11
-rw-r--r--lass/2configs/gg23.nix30
-rw-r--r--lass/2configs/green-host.nix6
-rw-r--r--lass/2configs/mail.nix66
-rw-r--r--lass/2configs/orange-host.nix15
-rw-r--r--lass/2configs/radio/container-host.nix2
-rw-r--r--lass/2configs/red-host.nix2
-rw-r--r--lass/2configs/riot.nix14
-rw-r--r--lass/2configs/ubik-host.nix26
-rw-r--r--lass/2configs/xmonad.nix11
-rw-r--r--lass/2configs/yellow-host.nix2
-rw-r--r--lass/2configs/yubikey.nix10
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/5pkgs/install-system/default.nix19
-rw-r--r--lass/5pkgs/unimenu/default.nix91
-rw-r--r--tv/1systems/bu/config.nix2
-rw-r--r--tv/1systems/nomic/config.nix2
-rw-r--r--tv/2configs/bash/default.nix4
-rw-r--r--tv/2configs/br.nix4
-rw-r--r--tv/2configs/default.nix21
-rw-r--r--tv/2configs/hw/AO753.nix4
-rw-r--r--tv/2configs/hw/winmax2.nix32
-rw-r--r--tv/2configs/nix.nix9
-rw-r--r--tv/2configs/urxvt.nix24
-rw-r--r--tv/2configs/vim.nix67
-rw-r--r--tv/3modules/default.nix3
-rw-r--r--tv/3modules/iptables.nix33
-rw-r--r--tv/3modules/lidControl.nix45
-rw-r--r--tv/3modules/systemd.nix47
-rw-r--r--tv/3modules/wwan.nix181
-rw-r--r--tv/5pkgs/haskell/xmonad-tv/src/Build.hs24
-rw-r--r--tv/5pkgs/haskell/xmonad-tv/src/THEnv/JSON.hs18
-rw-r--r--tv/5pkgs/haskell/xmonad-tv/src/main.hs85
-rw-r--r--tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal3
-rw-r--r--tv/5pkgs/override/alacritty.nix14
-rw-r--r--tv/5pkgs/override/uqmi.nix10
-rw-r--r--tv/5pkgs/simple/alacritty-tv.nix100
-rwxr-xr-xtv/5pkgs/simple/fzmenu/bin/otpmenu2
-rwxr-xr-xtv/5pkgs/simple/fzmenu/bin/passmenu2
-rw-r--r--tv/5pkgs/simple/fzmenu/default.nix14
-rw-r--r--tv/5pkgs/simple/iosevka-tv-1.nix18
-rw-r--r--tv/5pkgs/vim/fzf.nix6
-rw-r--r--tv/5pkgs/vim/hack.nix3
-rw-r--r--tv/5pkgs/vim/tv.nix11
75 files changed, 1568 insertions, 273 deletions
diff --git a/kartei/lass/aergia.nix b/kartei/lass/aergia.nix
new file mode 100644
index 000000000..d186f912c
--- /dev/null
+++ b/kartei/lass/aergia.nix
@@ -0,0 +1,39 @@
+{ r6, w6, ... }:
+{
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.1";
+ ip6.addr = r6 "ae12";
+ aliases = [
+ "aergia.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAqLtEUExq0qmXbi3aykdoW1WIneePfmm1SnFxCVcEBecJ1z326cNl
+ EIhYFSzhctwui0vG1dscmNMXHJ0rRQ0QHks1kp/x2MNMlun3Wl8Md9PQrTRGqZOf
+ ltdlNKzn8QbqcQQa9BYMgnFRzhbzzsSO3q5xqncJJ8qSxxWy/boIR9fO+OI/aUfe
+ rVLVHj/i5TTAmov5johqQZOyb7ydEbLiTbaaPSo1H/I/as0iv2jaDRdoVBL5/r+q
+ JvYFfhcdePjpwjRVNohdRwPquyM2ut91e2UyxD5N5eUoQBn+Xr18f6CQlyfJmMrc
+ /oGL+DScrDzFQ/ezCzks3O02dWAmgJsU6odUyNqtdU2x+0lhSqTRH0IXfdkj5n3k
+ K5U340/84e8Bn/1BJQoaGpBZJbK8RHdZd/0r+9+aXcI5tm2YAGaPPYzgLUYg06NZ
+ fMES28iByiCecIPci4vUZ50oOQFGQYaBNA12JC4TRbL/EfLlaax9bRAaUQr7qIXS
+ OBmKrC8eN9QO53T2d2w8Llk5d1rwq0TE3lyJEFLt7sqrHvlBFJ4fpeC+JqZAObqf
+ AJlCvFrqDYXBPzuNC2cZQX9QJ4FlGBpOObGg5KtkY0hPUyBO96OMxIDQ2+Jqc7F0
+ isAUVvn23h6i3m77jRE1AGFyIC/ReMaCH70/83AJQxRpTkzKcF98xU8CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "Jb8RJkm+ufh8o0acM31P2BolEUneYFB4xbtyoLQywLG";
+ };
+ wiregrill = {
+ ip6.addr = w6 "ae12";
+ aliases = [
+ "aergia.w"
+ ];
+ wireguard.pubkey = ''
+ h2GFkqW1ThHpDiALrLkJEsR5NU1lXHvwk0Kers1vIxg=
+ '';
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAGcqlL5fcxT3iCTlOm5rNPGKZmx1SEDWS71d3Tvbs/";
+ syncthing.id = "K5G46ZC-AKEG3WE-MQTG6MB-PC3ZA7O-C2BOKW6-KCXTSEW-RWHKP4B-Q7FCRQ7";
+}
diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix
index 74b8aca3c..9538c3003 100644
--- a/kartei/lass/neoprism.nix
+++ b/kartei/lass/neoprism.nix
@@ -1,6 +1,20 @@
{ r6, w6, ... }:
{
- nets = {
+ nets = rec {
+ internet = {
+ ip4 = rec {
+ addr = "95.217.192.59";
+ prefix = "${addr}/32";
+ };
+ ip6 = rec {
+ addr = "2a01:4f9:4a:4f1a::1";
+ prefix = "${addr}/64";
+ };
+ aliases = [
+ "neoprism.i"
+ ];
+ ssh.port = 45621;
+ };
retiolum = {
ip4.addr = "10.243.0.99";
ip6.addr = r6 "99";
diff --git a/kartei/lass/orange.nix b/kartei/lass/orange.nix
new file mode 100644
index 000000000..7f656c260
--- /dev/null
+++ b/kartei/lass/orange.nix
@@ -0,0 +1,38 @@
+{ r6, w6, ... }:
+{
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.15";
+ ip6.addr = r6 "012a";
+ aliases = [
+ "orange.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAlnHedIf4f3/6Wfl5PSSz+7KvdIMkygp5m/U270sdPBh46MqYa8cn
+ OfPq40LcbWIZqAVex7mP+fK7vq8LTIr+sCKvzY46o3ZLbQQ7cCtQi02GFnSAPhVT
+ 4XEmPn9dX/nRmI8xQqzh5jRMpgeOKE+xY6QfgkERD9mflkJi5dGYCOVW1UUK7pHR
+ 7giCrUiLuQbUeIz+G7KOeIRHxU8dwD8it1Jk6KxdM3MW6HwFsuqZu0qjbBPKhTEe
+ fgzSTDtZEGmcQw5vA/RwjxoRvKYThbK/lLoVJItFAhUCWUJA8bJuIanwzPfOF0JO
+ xWkxiY3ntvn5ykbvhF6LoHE+kEfcBJzBfRFRSXV5qU5wW1FC4AQylUDrest/qXQh
+ DY8boUqK/hi/MlC2ciPH+DlBOi5wduWty8F0KqNzjg1IIEOk8H+z9hgBDbdJnYHH
+ MBjYOZ3MFpoNb2VCJTE7dlIarVdH1OOO2KkzX/GGW7wGQK94iqLHjBcGl15GcGOz
+ EOivq+783VOtzZGS4jd8D0OcCo725FzhuWi6KR5QTljwrd5C1gGFoAW7RCsUiveZ
+ 0by9aB+G2DWmSRWZsmPnnbYo6yPvp+WR2yfPu1pKwjyNsmAgTYm4bkwRIvODb6Xk
+ ShgawP5V8RDp+hUmr27KgJvUJnQbVeJf9SO1pT7IfNOjLwHv26iOo7UCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "dVIOgHjuKLDJ+QB+sDjL9Pk3pXs8wKo+gemGvNG3z1H";
+ };
+ wiregrill = {
+ ip6.addr = w6 "012a";
+ aliases = [
+ "orange.w"
+ ];
+ wireguard.pubkey = ''
+ NP8zM9+ocwsHhY9Rn6tFqIU1FR8JidqtDs7IKpl3yU8=
+ '';
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnHnTPPwMW1Oy3DBuaT4fG5ryhWmVS9Y8Sw0ezUGuLn";
+}
diff --git a/kartei/lass/ubik.nix b/kartei/lass/ubik.nix
new file mode 100644
index 000000000..94a4a8b05
--- /dev/null
+++ b/kartei/lass/ubik.nix
@@ -0,0 +1,38 @@
+{ r6, w6, ... }:
+{
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.12";
+ ip6.addr = r6 "0b1c";
+ aliases = [
+ "ubik.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAnWJKDrDmmGZbwVeaBhvOdTR4nsumo1yzOR2Iu+SMTOH6fbgJM5cW
+ WtlgPhrdOMrBYR956SBiBNkvsdczRrOF7F6hvXyDwwoGdWGsZXzaTMJlNAYjP5Y4
+ fbJlDq8/QV/SvVFGeu4XP3g2yuU/aNu/4FkU4jlysX+8wo9qGpIFPLpLvqfuU247
+ jHCatNzHfLK60fx7yt57iDhuX2plyFfQVX7xPTxudfGZKD7rEDEnKX4Ghd5dUkOA
+ z0lr0B1AOrkZgrnajU0ZmkjnNy8lrylCWDOnEPhJdao53gL4XFmUcZaR4uFsWuS7
+ V1VM+VivuMTAXRUnJScyLap2mo6dcr9h11kas70c/R7tI2pGmxlNk9t2uYy/jQnC
+ WmyzNCcqpPSfKikx5sRVAVIuv2wtAKYDuZg+1D4YEfeklA0+ZZlHO43NnRnIoKeO
+ Za0SNUE6vtd/EPoiifMkOWtHaO0LppgOxMTk8OgUxR6dcTmbuL0Roz3aY0rSW3EG
+ +li3yjS3YAtMtvhQwuqooVrkBFrcGQLjTnAfCeUHbCjZidGAHnqhESA+Aj+LKx32
+ 0ALQY439xAs6Vf3rICs93cO4Yxa8W1F5sHE6ANOGU+jCmSkCWI2hdHGbckD3L0AQ
+ NBJ+jyXm0kFfVgqRS2i17JPz2ZZxhAHw3KH13Ef1KI4tMdzCvFSayW0CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "BcbZOID7dipWNH0/uowqCF7Ivqm4QktMoz11Yv249tG";
+ };
+ wiregrill = {
+ ip6.addr = w6 "0b1c";
+ aliases = [
+ "ubik.w"
+ ];
+ wireguard.pubkey = ''
+ JakWwg7Rq76jjzLFWPBQJPpzRHbIEbb46VLsSUOKI2I=
+ '';
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlqW8zqJpjbva0NTty9Ex7R/Jk2emDxHJNpaM3WPt5L";
+}
diff --git a/kartei/lass/yellow.nix b/kartei/lass/yellow.nix
index bb0b1f09b..b9dcb008c 100644
--- a/kartei/lass/yellow.nix
+++ b/kartei/lass/yellow.nix
@@ -9,6 +9,7 @@
"jelly.r"
"radar.r"
"sonar.r"
+ "transmission.r"
];
tinc = {
pubkey = ''
diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix
index 6eacb4a27..178cf27a2 100644
--- a/kartei/mic92/default.nix
+++ b/kartei/mic92/default.nix
@@ -502,6 +502,40 @@ in {
};
};
+ doctor = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ internet = {
+ # monitoring.dse.in.tum.de
+ ip4.addr = "131.159.102.4";
+ ip6.addr = "2a09:80c0:102::4";
+ aliases = [ "doctor.i" ];
+ };
+ retiolum = {
+ via = internet;
+ aliases = [
+ "doctor.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAuXYfR5PRMcJkJG6yjxw0tQvjtzRwZI/k2ks1SBgVhtCh1TcMFraq
+ /u367B6E9BrGHhPZNtTcceMunC+Tow1+JIAHQPQU1+l1w+6n3esNgYUvakv0C/Dj
+ opOh5mWzS81UL1r+ifXKdEs4/u561GPUdhhScxnk2lsudh0fem0Rn7yDXuGofrIo
+ kAD49TLV0ZEflCQLe9/ck+qvzM8yPOnDsCZlCdCZJVpOW0Aq1cfghI6BiStVkDDU
+ DaBj74m3eK0wtPJlj0flebF91VNMsmQ4XSmFZeDtdx/xOJmqzB29C7tTynuPD5FV
+ zREKo5wxgvaf/J3da5K5nCP/sOBIishlYVBNZeJqwQiTze405ycdglNiYVISpYaF
+ 8ikv0w19E9nI3GVjwm6mYH29eKbHuEJSou5J/7lS2tlyVaGI9opGRLV+X7GLwE1D
+ 01uaQsyTYB7mK33broIABp5Mu/Il1+Mi3uwMKzCL/ciPMMFoSbR+zth2QoU1wRUz
+ A6OK3t6w5//ufq9bKGcZ3rhU/rYzfk8nHY1F/5QBPM95WTGZZ7CjAMPzyc6Is/CL
+ +7jtPZPrT05yc9HKPqG2RPWP3dziw4l1TX6NXstMzizyaayeF0yPQ6chNTqgvfFJ
+ s3ABq1R8UV0LUBmdDAxeyKOOEqrqBcShHFxWmEzk95ghdT6P5XSMMCUCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "StFqqnSArvIfK07//ejbxkP3V4nnXsj8vu5km8LcM/P";
+ };
+ };
+ };
+
eva = {
owner = config.krebs.users.mic92;
nets = rec {
diff --git a/kartei/tv/hosts/ru.nix b/kartei/tv/hosts/ru.nix
new file mode 100644
index 000000000..334df5d07
--- /dev/null
+++ b/kartei/tv/hosts/ru.nix
@@ -0,0 +1,24 @@
+{
+ ci = true;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.13.42";
+ aliases = [
+ "ru.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAr4xgpXPr/OGrLO5vwur35esesbAwREwShGJf9btt65UQXst090tD
+ GWev8Yfi3Mr241r1TG7zpW3Idh5nth2yhzVvqGc9m6QmK27v2MKpb+ppjOKab7RL
+ 1KfdBAwjdrWdL2xO3XAYOUljxWoIV4VKX8kEBvjJEDOwl/u+g5mB3yLWebtIT7Wk
+ EneMU6wvCVKhOPeqyXmbqO/+j6+bqxkKP2/5hHcX3a91+15YbR3SvREK2rUm9stx
+ Rc3kmGUO/DiGK6MmUmt+qieGo/4vheK8hij57dY0uXFIC7U680QzV7jsUmtlKGBL
+ PoK/Xn6TLLG6nozgmF+q8esYyaYQFrwU2QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "Eg9l+RxFSNrQ9RkTd8tSkoTIG2m7zhQpjUJBWJRft1J";
+ };
+ };
+ secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcNClgsey79WzdEQs/8qkLMHzc1SCU/MqyMerPcUi8X root@ru";
+}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 11aaf876a..39039cc11 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -52,7 +52,7 @@ let
};
confuse = {
- pattern = "^!confuse (.*)$";
+ pattern = "!confuse (.*)$";
activate = "match";
arguments = [1];
command = {
@@ -90,7 +90,7 @@ let
};
confuse_hackint = {
- pattern = "^!confuse (.*)$";
+ pattern = "!confuse (.*)$";
activate = "match";
arguments = [1];
command = {
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index bff7e135f..6d763afed 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -53,6 +53,7 @@ let
./sitemap.nix
./ssl.nix
./sync-containers.nix
+ ./sync-containers3.nix
./systemd.nix
./tinc.nix
./tinc_graphs.nix
diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix
index f2705caa4..c0d0b588a 100644
--- a/krebs/3modules/github/known-hosts.nix
+++ b/krebs/3modules/github/known-hosts.nix
@@ -3,8 +3,7 @@
hostNames =
["github.com"]
++
- # List generated with (IPv6 addresses are currently ignored):
- # curl -sS https://api.github.com/meta | jq -r .git[] | grep -v : | nix-shell -p cidr2glob --run cidr2glob | jq -Rs 'split("\n")|map(select(.!=""))' > known-hosts.json
+ # update known-hosts.json using ./update
lib.importJSON ./known-hosts.json
;
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
diff --git a/krebs/3modules/github/update b/krebs/3modules/github/update
new file mode 100755
index 000000000..3952dabae
--- /dev/null
+++ b/krebs/3modules/github/update
@@ -0,0 +1,15 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p cidr2glob curl git jq
+
+# update known-hosts.json
+#
+# usage: ./update
+
+set -efu
+
+# XXX IPv6 addresses are currently ignored
+curl -sS https://api.github.com/meta | jq -r .git[] | grep -v : | cidr2glob | jq -Rs 'split("\n")|map(select(.!=""))' > known-hosts.json
+
+if git diff --exit-code known-hosts.json; then
+ echo known-hosts.json is up to date: nothing to do >&2
+fi
diff --git a/lass/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 86aa40f03..4a00b23ab 100644
--- a/lass/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: let
- cfg = config.lass.sync-containers3;
+ cfg = config.krebs.sync-containers3;
slib = pkgs.stockholm.lib;
in {
- options.lass.sync-containers3 = {
+ options.krebs.sync-containers3 = {
inContainer = {
enable = lib.mkEnableOption "container config for syncing";
pubkey = lib.mkOption {
@@ -104,9 +104,8 @@ in {
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
set -efux
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
- touch "$HOME"/incomplete
- rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
- rm "$HOME"/incomplete
+ nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 container_sync@${ctr.name}.r:disk "$HOME"/disk
+ rm -f "$HOME"/incomplete
fi
''}
'';
@@ -218,10 +217,6 @@ in {
exit 0
;;
esac
- if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
- echo 'data is inconistent, start aborted'
- exit 1
- fi
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
set -efu
@@ -230,8 +225,8 @@ in {
mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
/run/current-system/sw/bin/nixos-container start ${ctr.name}
# wait for system to become reachable for the first time
- retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
systemctl start ${ctr.name}_watcher.service
+ retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
sleep 10
@@ -240,6 +235,13 @@ in {
'';
};
}; }
+ { "container@${ctr.name}" = lib.mkIf ctr.runContainer {
+ serviceConfig = {
+ ExecStop = pkgs.writers.writeDash "remove_interface" ''
+ ${pkgs.iproute2}/bin/ip link del vb-${ctr.name}
+ '';
+ };
+ }; }
]) (lib.attrValues cfg.containers)));
systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" {
@@ -280,14 +282,19 @@ in {
})
(lib.mkIf (cfg.containers != {}) {
# networking
+
+ # needed because otherwise we lose local dns
+ environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
systemd.network.networks.ctr0 = {
name = "ctr0";
address = [
"10.233.0.1/24"
];
networkConfig = {
- IPForward = "yes";
- IPMasquerade = "both";
+ # IPForward = "yes";
+ # IPMasquerade = "both";
ConfigureWithoutCarrier = true;
DHCPServer = "yes";
};
@@ -304,6 +311,9 @@ in {
{ predicate = "-i ctr0"; target = "ACCEPT"; }
{ predicate = "-o ctr0"; target = "ACCEPT"; }
];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; }
+ ];
})
(lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {};
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 0babc448a..f6727e4d4 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -125,17 +125,13 @@ with import <stockholm/lib>;
hostsPackage = mkOption {
type = types.package;
- default = pkgs.stdenv.mkDerivation {
- name = "${tinc.config.netname}-tinc-hosts";
- phases = [ "installPhase" ];
- installPhase = ''
- mkdir $out
- ${concatStrings (mapAttrsToList (_: host: ''
- echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
- > $out/${shell.escape host.name}
- '') tinc.config.hosts)}
- '';
- };
+ default =
+ pkgs.write "${tinc.config.netname}-tinc-hosts"
+ (mapAttrs'
+ (_: host: (nameValuePair "/${host.name}" {
+ text = host.nets.${tinc.config.netname}.tinc.config;
+ }))
+ tinc.config.hosts);
defaultText = "‹netname›-tinc-hosts"