diff options
75 files changed, 1568 insertions, 273 deletions
diff --git a/kartei/lass/aergia.nix b/kartei/lass/aergia.nix new file mode 100644 index 000000000..d186f912c --- /dev/null +++ b/kartei/lass/aergia.nix @@ -0,0 +1,39 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.1"; + ip6.addr = r6 "ae12"; + aliases = [ + "aergia.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAqLtEUExq0qmXbi3aykdoW1WIneePfmm1SnFxCVcEBecJ1z326cNl + EIhYFSzhctwui0vG1dscmNMXHJ0rRQ0QHks1kp/x2MNMlun3Wl8Md9PQrTRGqZOf + ltdlNKzn8QbqcQQa9BYMgnFRzhbzzsSO3q5xqncJJ8qSxxWy/boIR9fO+OI/aUfe + rVLVHj/i5TTAmov5johqQZOyb7ydEbLiTbaaPSo1H/I/as0iv2jaDRdoVBL5/r+q + JvYFfhcdePjpwjRVNohdRwPquyM2ut91e2UyxD5N5eUoQBn+Xr18f6CQlyfJmMrc + /oGL+DScrDzFQ/ezCzks3O02dWAmgJsU6odUyNqtdU2x+0lhSqTRH0IXfdkj5n3k + K5U340/84e8Bn/1BJQoaGpBZJbK8RHdZd/0r+9+aXcI5tm2YAGaPPYzgLUYg06NZ + fMES28iByiCecIPci4vUZ50oOQFGQYaBNA12JC4TRbL/EfLlaax9bRAaUQr7qIXS + OBmKrC8eN9QO53T2d2w8Llk5d1rwq0TE3lyJEFLt7sqrHvlBFJ4fpeC+JqZAObqf + AJlCvFrqDYXBPzuNC2cZQX9QJ4FlGBpOObGg5KtkY0hPUyBO96OMxIDQ2+Jqc7F0 + isAUVvn23h6i3m77jRE1AGFyIC/ReMaCH70/83AJQxRpTkzKcF98xU8CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "Jb8RJkm+ufh8o0acM31P2BolEUneYFB4xbtyoLQywLG"; + }; + wiregrill = { + ip6.addr = w6 "ae12"; + aliases = [ + "aergia.w" + ]; + wireguard.pubkey = '' + h2GFkqW1ThHpDiALrLkJEsR5NU1lXHvwk0Kers1vIxg= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAGcqlL5fcxT3iCTlOm5rNPGKZmx1SEDWS71d3Tvbs/"; + syncthing.id = "K5G46ZC-AKEG3WE-MQTG6MB-PC3ZA7O-C2BOKW6-KCXTSEW-RWHKP4B-Q7FCRQ7"; +} diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix index 74b8aca3c..9538c3003 100644 --- a/kartei/lass/neoprism.nix +++ b/kartei/lass/neoprism.nix @@ -1,6 +1,20 @@ { r6, w6, ... }: { - nets = { + nets = rec { + internet = { + ip4 = rec { + addr = "95.217.192.59"; + prefix = "${addr}/32"; + }; + ip6 = rec { + addr = "2a01:4f9:4a:4f1a::1"; + prefix = "${addr}/64"; + }; + aliases = [ + "neoprism.i" + ]; + ssh.port = 45621; + }; retiolum = { ip4.addr = "10.243.0.99"; ip6.addr = r6 "99"; diff --git a/kartei/lass/orange.nix b/kartei/lass/orange.nix new file mode 100644 index 000000000..7f656c260 --- /dev/null +++ b/kartei/lass/orange.nix @@ -0,0 +1,38 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.15"; + ip6.addr = r6 "012a"; + aliases = [ + "orange.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAlnHedIf4f3/6Wfl5PSSz+7KvdIMkygp5m/U270sdPBh46MqYa8cn + OfPq40LcbWIZqAVex7mP+fK7vq8LTIr+sCKvzY46o3ZLbQQ7cCtQi02GFnSAPhVT + 4XEmPn9dX/nRmI8xQqzh5jRMpgeOKE+xY6QfgkERD9mflkJi5dGYCOVW1UUK7pHR + 7giCrUiLuQbUeIz+G7KOeIRHxU8dwD8it1Jk6KxdM3MW6HwFsuqZu0qjbBPKhTEe + fgzSTDtZEGmcQw5vA/RwjxoRvKYThbK/lLoVJItFAhUCWUJA8bJuIanwzPfOF0JO + xWkxiY3ntvn5ykbvhF6LoHE+kEfcBJzBfRFRSXV5qU5wW1FC4AQylUDrest/qXQh + DY8boUqK/hi/MlC2ciPH+DlBOi5wduWty8F0KqNzjg1IIEOk8H+z9hgBDbdJnYHH + MBjYOZ3MFpoNb2VCJTE7dlIarVdH1OOO2KkzX/GGW7wGQK94iqLHjBcGl15GcGOz + EOivq+783VOtzZGS4jd8D0OcCo725FzhuWi6KR5QTljwrd5C1gGFoAW7RCsUiveZ + 0by9aB+G2DWmSRWZsmPnnbYo6yPvp+WR2yfPu1pKwjyNsmAgTYm4bkwRIvODb6Xk + ShgawP5V8RDp+hUmr27KgJvUJnQbVeJf9SO1pT7IfNOjLwHv26iOo7UCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "dVIOgHjuKLDJ+QB+sDjL9Pk3pXs8wKo+gemGvNG3z1H"; + }; + wiregrill = { + ip6.addr = w6 "012a"; + aliases = [ + "orange.w" + ]; + wireguard.pubkey = '' + NP8zM9+ocwsHhY9Rn6tFqIU1FR8JidqtDs7IKpl3yU8= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnHnTPPwMW1Oy3DBuaT4fG5ryhWmVS9Y8Sw0ezUGuLn"; +} diff --git a/kartei/lass/ubik.nix b/kartei/lass/ubik.nix new file mode 100644 index 000000000..94a4a8b05 --- /dev/null +++ b/kartei/lass/ubik.nix @@ -0,0 +1,38 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.12"; + ip6.addr = r6 "0b1c"; + aliases = [ + "ubik.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAnWJKDrDmmGZbwVeaBhvOdTR4nsumo1yzOR2Iu+SMTOH6fbgJM5cW + WtlgPhrdOMrBYR956SBiBNkvsdczRrOF7F6hvXyDwwoGdWGsZXzaTMJlNAYjP5Y4 + fbJlDq8/QV/SvVFGeu4XP3g2yuU/aNu/4FkU4jlysX+8wo9qGpIFPLpLvqfuU247 + jHCatNzHfLK60fx7yt57iDhuX2plyFfQVX7xPTxudfGZKD7rEDEnKX4Ghd5dUkOA + z0lr0B1AOrkZgrnajU0ZmkjnNy8lrylCWDOnEPhJdao53gL4XFmUcZaR4uFsWuS7 + V1VM+VivuMTAXRUnJScyLap2mo6dcr9h11kas70c/R7tI2pGmxlNk9t2uYy/jQnC + WmyzNCcqpPSfKikx5sRVAVIuv2wtAKYDuZg+1D4YEfeklA0+ZZlHO43NnRnIoKeO + Za0SNUE6vtd/EPoiifMkOWtHaO0LppgOxMTk8OgUxR6dcTmbuL0Roz3aY0rSW3EG + +li3yjS3YAtMtvhQwuqooVrkBFrcGQLjTnAfCeUHbCjZidGAHnqhESA+Aj+LKx32 + 0ALQY439xAs6Vf3rICs93cO4Yxa8W1F5sHE6ANOGU+jCmSkCWI2hdHGbckD3L0AQ + NBJ+jyXm0kFfVgqRS2i17JPz2ZZxhAHw3KH13Ef1KI4tMdzCvFSayW0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "BcbZOID7dipWNH0/uowqCF7Ivqm4QktMoz11Yv249tG"; + }; + wiregrill = { + ip6.addr = w6 "0b1c"; + aliases = [ + "ubik.w" + ]; + wireguard.pubkey = '' + JakWwg7Rq76jjzLFWPBQJPpzRHbIEbb46VLsSUOKI2I= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlqW8zqJpjbva0NTty9Ex7R/Jk2emDxHJNpaM3WPt5L"; +} diff --git a/kartei/lass/yellow.nix b/kartei/lass/yellow.nix index bb0b1f09b..b9dcb008c 100644 --- a/kartei/lass/yellow.nix +++ b/kartei/lass/yellow.nix @@ -9,6 +9,7 @@ "jelly.r" "radar.r" "sonar.r" + "transmission.r" ]; tinc = { pubkey = '' diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 6eacb4a27..178cf27a2 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -502,6 +502,40 @@ in { }; }; + doctor = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # monitoring.dse.in.tum.de + ip4.addr = "131.159.102.4"; + ip6.addr = "2a09:80c0:102::4"; + aliases = [ "doctor.i" ]; + }; + retiolum = { + via = internet; + aliases = [ + "doctor.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAuXYfR5PRMcJkJG6yjxw0tQvjtzRwZI/k2ks1SBgVhtCh1TcMFraq + /u367B6E9BrGHhPZNtTcceMunC+Tow1+JIAHQPQU1+l1w+6n3esNgYUvakv0C/Dj + opOh5mWzS81UL1r+ifXKdEs4/u561GPUdhhScxnk2lsudh0fem0Rn7yDXuGofrIo + kAD49TLV0ZEflCQLe9/ck+qvzM8yPOnDsCZlCdCZJVpOW0Aq1cfghI6BiStVkDDU + DaBj74m3eK0wtPJlj0flebF91VNMsmQ4XSmFZeDtdx/xOJmqzB29C7tTynuPD5FV + zREKo5wxgvaf/J3da5K5nCP/sOBIishlYVBNZeJqwQiTze405ycdglNiYVISpYaF + 8ikv0w19E9nI3GVjwm6mYH29eKbHuEJSou5J/7lS2tlyVaGI9opGRLV+X7GLwE1D + 01uaQsyTYB7mK33broIABp5Mu/Il1+Mi3uwMKzCL/ciPMMFoSbR+zth2QoU1wRUz + A6OK3t6w5//ufq9bKGcZ3rhU/rYzfk8nHY1F/5QBPM95WTGZZ7CjAMPzyc6Is/CL + +7jtPZPrT05yc9HKPqG2RPWP3dziw4l1TX6NXstMzizyaayeF0yPQ6chNTqgvfFJ + s3ABq1R8UV0LUBmdDAxeyKOOEqrqBcShHFxWmEzk95ghdT6P5XSMMCUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "StFqqnSArvIfK07//ejbxkP3V4nnXsj8vu5km8LcM/P"; + }; + }; + }; + eva = { owner = config.krebs.users.mic92; nets = rec { diff --git a/kartei/tv/hosts/ru.nix b/kartei/tv/hosts/ru.nix new file mode 100644 index 000000000..334df5d07 --- /dev/null +++ b/kartei/tv/hosts/ru.nix @@ -0,0 +1,24 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.42"; + aliases = [ + "ru.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAr4xgpXPr/OGrLO5vwur35esesbAwREwShGJf9btt65UQXst090tD + GWev8Yfi3Mr241r1TG7zpW3Idh5nth2yhzVvqGc9m6QmK27v2MKpb+ppjOKab7RL + 1KfdBAwjdrWdL2xO3XAYOUljxWoIV4VKX8kEBvjJEDOwl/u+g5mB3yLWebtIT7Wk + EneMU6wvCVKhOPeqyXmbqO/+j6+bqxkKP2/5hHcX3a91+15YbR3SvREK2rUm9stx + Rc3kmGUO/DiGK6MmUmt+qieGo/4vheK8hij57dY0uXFIC7U680QzV7jsUmtlKGBL + PoK/Xn6TLLG6nozgmF+q8esYyaYQFrwU2QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "Eg9l+RxFSNrQ9RkTd8tSkoTIG2m7zhQpjUJBWJRft1J"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcNClgsey79WzdEQs/8qkLMHzc1SCU/MqyMerPcUi8X root@ru"; +} diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 11aaf876a..39039cc11 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -52,7 +52,7 @@ let }; confuse = { - pattern = "^!confuse (.*)$"; + pattern = "!confuse (.*)$"; activate = "match"; arguments = [1]; command = { @@ -90,7 +90,7 @@ let }; confuse_hackint = { - pattern = "^!confuse (.*)$"; + pattern = "!confuse (.*)$"; activate = "match"; arguments = [1]; command = { diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bff7e135f..6d763afed 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -53,6 +53,7 @@ let ./sitemap.nix ./ssl.nix ./sync-containers.nix + ./sync-containers3.nix ./systemd.nix ./tinc.nix ./tinc_graphs.nix diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix index f2705caa4..c0d0b588a 100644 --- a/krebs/3modules/github/known-hosts.nix +++ b/krebs/3modules/github/known-hosts.nix @@ -3,8 +3,7 @@ hostNames = ["github.com"] ++ - # List generated with (IPv6 addresses are currently ignored): - # curl -sS https://api.github.com/meta | jq -r .git[] | grep -v : | nix-shell -p cidr2glob --run cidr2glob | jq -Rs 'split("\n")|map(select(.!=""))' > known-hosts.json + # update known-hosts.json using ./update lib.importJSON ./known-hosts.json ; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; diff --git a/krebs/3modules/github/update b/krebs/3modules/github/update new file mode 100755 index 000000000..3952dabae --- /dev/null +++ b/krebs/3modules/github/update @@ -0,0 +1,15 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p cidr2glob curl git jq + +# update known-hosts.json +# +# usage: ./update + +set -efu + +# XXX IPv6 addresses are currently ignored +curl -sS https://api.github.com/meta | jq -r .git[] | grep -v : | cidr2glob | jq -Rs 'split("\n")|map(select(.!=""))' > known-hosts.json + +if git diff --exit-code known-hosts.json; then + echo known-hosts.json is up to date: nothing to do >&2 +fi diff --git a/lass/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 86aa40f03..4a00b23ab 100644 --- a/lass/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ... }: let - cfg = config.lass.sync-containers3; + cfg = config.krebs.sync-containers3; slib = pkgs.stockholm.lib; in { - options.lass.sync-containers3 = { + options.krebs.sync-containers3 = { inContainer = { enable = lib.mkEnableOption "container config for syncing"; pubkey = lib.mkOption { @@ -104,9 +104,8 @@ in { consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' set -efux if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then - touch "$HOME"/incomplete - rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk - rm "$HOME"/incomplete + nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 container_sync@${ctr.name}.r:disk "$HOME"/disk + rm -f "$HOME"/incomplete fi ''} ''; @@ -218,10 +217,6 @@ in { exit 0 ;; esac - if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then - echo 'data is inconistent, start aborted' - exit 1 - fi consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" '' set -efu @@ -230,8 +225,8 @@ in { mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state /run/current-system/sw/bin/nixos-container start ${ctr.name} # wait for system to become reachable for the first time - retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null systemctl start ${ctr.name}_watcher.service + retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null sleep 10 @@ -240,6 +235,13 @@ in { ''; }; }; } + { "container@${ctr.name}" = lib.mkIf ctr.runContainer { + serviceConfig = { + ExecStop = pkgs.writers.writeDash "remove_interface" '' + ${pkgs.iproute2}/bin/ip link del vb-${ctr.name} + ''; + }; + }; } ]) (lib.attrValues cfg.containers))); systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" { @@ -280,14 +282,19 @@ in { }) (lib.mkIf (cfg.containers != {}) { # networking + + # needed because otherwise we lose local dns + environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf"; + + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; systemd.network.networks.ctr0 = { name = "ctr0"; address = [ "10.233.0.1/24" ]; networkConfig = { - IPForward = "yes"; - IPMasquerade = "both"; + # IPForward = "yes"; + # IPMasquerade = "both"; ConfigureWithoutCarrier = true; DHCPServer = "yes"; }; @@ -304,6 +311,9 @@ in { { predicate = "-i ctr0"; target = "ACCEPT"; } { predicate = "-o ctr0"; target = "ACCEPT"; } ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; } + ]; }) (lib.mkIf cfg.inContainer.enable { users.groups.container_sync = {}; diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 0babc448a..f6727e4d4 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -125,17 +125,13 @@ with import <stockholm/lib>; hostsPackage = mkOption { type = types.package; - default = pkgs.stdenv.mkDerivation { - name = "${tinc.config.netname}-tinc-hosts"; - phases = [ "installPhase" ]; - installPhase = '' - mkdir $out - ${concatStrings (mapAttrsToList (_: host: '' - echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \ - > $out/${shell.escape host.name} - '') tinc.config.hosts)} - ''; - }; + default = + pkgs.write "${tinc.config.netname}-tinc-hosts" + (mapAttrs' + (_: host: (nameValuePair "/${host.name}" { + text = host.nets.${tinc.config.netname}.tinc.config; + })) + tinc.config.hosts); defaultText = "‹netname›-tinc-hosts" |