-rw-r--r-- | krebs/2configs/default.nix | 7 | ||||
-rw-r--r-- | krebs/3modules/external/default.nix | 53 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 19 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 65 | ||||
-rw-r--r-- | krebs/3modules/lass/ssh/tablet.ed25519 | 1 | ||||
-rw-r--r-- | krebs/5pkgs/override/default.nix | 2 | ||||
-rw-r--r-- | krebs/nixpkgs-unstable.json | 9 | ||||
-rw-r--r-- | krebs/nixpkgs.json | 9 | ||||
-rw-r--r-- | lass/1systems/dishfire/config.nix | 10 | ||||
-rw-r--r-- | lass/1systems/dishfire/physical.nix | 21 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 6 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 2 | ||||
-rw-r--r-- | lib/types.nix | 13 |
13 files changed, 191 insertions, 26 deletions
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 4c25bc963..369b750b7 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -45,6 +45,13 @@ with import <stockholm/lib>; services.cron.enable = false; services.ntp.enable = false; + # limit journald size + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + Storage=persistent + ''; + users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.jeschli-brauerei.pubkey diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 7c896e90a..d919c8129 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix 
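Review bot: The comment `# limit journald size` undersells this block, because `Storage=persistent` also pins the journal to disk and the `SystemMaxUse=1G` cap is by size only. A burst of output from one unit can therefore rotate out older entries, auth records included, on every host that imports this file. I would widen the comment to something like `# keep the journal on disk, capped at 1G; oldest entries are dropped first`. Hosts whose logs matter for incident review should forward them elsewhere rather than rely on the local journal.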
@@ -207,18 +207,45 @@ in { aliases = [ "qubasa.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEA65g1Xql+S+Dd90uDpSVxzGRTL8n4DHc1p9T8u9h7ioytC9B+e2dQ - RU/y3gdJ0gXxrbth36MhTANuUonnqpHvsWwUDCQRbxLEFh8avlzLsecWvwrIt3zL - 102EaVurRySUa83D6TK8ZsDa2+ADY7tEzfFMJhT53g7MpBNIeOquB0rR6hVYBbHc - 3B+QtwdM8dx1gO/5+FsPYhJbR7ARczYHsj7Eyb8NbdzthEO0ICDgwzmcXTJfVHGR - qfT7DUolXsu7uSPMLB+Pe/leI7XcQ2VFukpVGP0fZv0mSMxavFlcFVkLgdbAEd2H - DPEBEcJpLR4Hw3HlO1kPPufaUdoeNhUmTkIp76mkCbanS1P/aFNFFcVB+a/+tpdK - z5pG8K3qANg5txp6sAatPchvkeQelIg11lvT9luc+nFsTEW6Ky5nDLo60luZVFnn - i1bdVeOojXR0u7M2gMqQZcSuscvy8APe48S8vPsqoiob1l/r77B7iNrWDwH8IutW - u8fpC64CbhlR76Orp3xTZPmJQCRT8XYpKDDoq5Z7prdlAEz3U6wEfVckVv+f1dmU - odG0zDTsmyKhkWWmZbPgPrOEUvAVoSpSLSQQxPR+UHArlgYe+2dAf8IHYqrgmhuO - D4Lga4nNwTyVbCZ8vUu5b/lnGCLpNcVj22WVQTdAJzNsCVTdIM2V5hcCAwEAAQ== + MIICCgKCAgEAwEaIkC/JxEI6mAnA2lnoNYRSVAVOggtm7XBAX2tTq9OCnwgh6Nnr + Bv8S6j8HBybMqZHKBlfFUo+Trm7Ig/g8KI8xwm2ThO83GnXLyu5qoIFLgjAtvx9w + uh/ZGIn2MKHy0aZ6J/HqDEbsr6XC/YpLb3mA3C5Msaiand0zmAh1oYQVvNJMLgLA + HgBr7a14ngyndwGiBoFDoHu2gtPXTallruv/eopnOVaidkyNRDlMhbqr/Xkxlwov + E2pewl+IKvt5WnGzCHDFvHYCDpeKX9ZAiBBJQ5tgGhxScN5rJ4Omx7iVbnjjPMzs + 1VSRgOqR1xPk5aMa0ByV2P978mNJL6MwIEhnGjg6Dyr1hvmjFxKjj+Pd8IWAeli9 + G3Xq4xJ8+vRbFBoqzBuxcUOTN/V1i1XECGMxEg5cE+9tp+2mvOSpiChkpxeGA42Y + KbcVR7df2bjIQ+8IQzgPkpGnpG/XwC8JKsy+2jiiXOWrwUDfEFrkFaqGNareTeST + ynkbl+y8PgtoHloubckKoXqyY/zHTG3gDDW7SLfr/OpHqyq8MtITyojwMB/Ijyzo + 6mAPiTLI7oFYpWIP0UiM7u4o6iDW9S8G9l+vLZJyEmhEUZJUkWoXRy2Ibd6ix0L3 + eA6izpRuehl1OLePY4HNkuqOgXiEf1mgNcoGnyx3kzKYa1cUlMP0ve8CAwEAAQ== -----END RSA PUBLIC KEY----- + Ed25519PublicKey = dqJq+qESCNakC3p9duc5LrG26D1scj58Hy1S5kPGtME + ''; + }; + }; + }; + + keller = { + owner = config.krebs.users.qubasa; + nets = { + retiolum = { + ip4.addr = "10.243.30.2"; + aliases = [ "kelle.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA3jJgnaEJnKiBILtdtIROVfJJ1IgQSdfAw83aNE8xinkIFkP8lSFS + 
Nd1C9pRI2r8Tjut/MB0b7MRlwOS2FWP1COcKzZGR4gKSiwK9oWGy6Vf5Qvrsd5M+ + 0roUsf6Km/muJgqhWYY4OOaDK3LSp4mAo8H9+pibH9GuMuhu/Ebe0gtwnoOuuQs5 + GeHtaBrtpiGX2WvIU2S1TwDw0cmheEbqyaQ9COSqdOW1ldbfAbh7Zv38iUzMNXJ2 + yAWUfT5eYsIWlQc55JzEABuxIZEFj7BiR2vQYjVa+sIjsb+vI/6SFK4uiuqPP0dW + xFAQyRuQbW0gyooMLXnZ6ByD/t4mFpk7Eo1Sxiv8CdgDI/lELZ1h7jTYKrcuPHYc + P9m2Ut9FxuFMl+s2etkVUVGba2Kz9b9iwvvAZUtU85UrsQCkrghIT0Hm0SIdYQHO + +WyCw46okk5xLicXEd+RgwlWWq+AJeo0LKof3uoRnjQq1kkU5E0nGX/YqRa3YIxV + qmShTnQSTGUe6qVz1uAoh+ljTEUWWgW5UKuHPn1gdqFcIJ+4DSkJgiQ/cbSXtyp0 + 35bQuqjpFe/bwW1PuK6YspMRK2hQrYkypQNrvjcz0RJJc/1ULILTl0NaZEMtCcj2 + t7KpA6wY6WIz5+uTVBnc3vQrcBebfSWzl0IWxjaSufp8ojq5B7mz8s0CAwEAAQ== + -----END RSA PUBLIC KEY----- + Ed25519PublicKey = HeSMxgGaB9alyS0n766TJ3qA2fAwvJmMyLPFbYhfZdJ ''; }; }; @@ -633,8 +660,10 @@ in { }; hydrogen = { owner = config.krebs.users.sandro; - nets = { + nets = rec { + internet.addrs = [ "hydrogen.supersandro.de" ]; retiolum = { + via = internet; ip4.addr = "10.243.54.54"; aliases = [ "hydrogen.r" ]; tinc.pubkey = '' diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index b4e046303..e83608385 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -451,6 +451,7 @@ in { nets = rec { internet = { ip4.addr = "129.215.165.75"; + ip6.addr = "2001:630:3c1:164:d65d:64ff:feb0:e8a8"; aliases = [ "sauron.i" ]; }; retiolum = { @@ -707,8 +708,8 @@ in { nets = rec { internet = { # eva.thalheim.io - ip4.addr = "157.90.232.92"; - ip6.addr = "2a01:4f8:1c1c:9a9::1"; + ip4.addr = "131.159.102.4"; + ip6.addr = "2a09:80c0:102::4"; aliases = [ "eva.i" ]; }; retiolum = { @@ -798,7 +799,14 @@ in { ryan = { owner = config.krebs.users.mic92; nets = rec { + internet = { + # ryan.dse.in.tum.de + ip4.addr = "131.159.102.8"; + ip6.addr = "2a09:80c0:102::8"; + aliases = [ "ryan.i" ]; + }; retiolum = { + via = internet; addrs = [ config.krebs.hosts.ryan.nets.retiolum.ip4.addr config.krebs.hosts.ryan.nets.retiolum.ip6.addr 
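Review bot: The RSA tinc key for `qubasa.r` is replaced in place and an `Ed25519PublicKey` is added, and nothing on the page shows how the new key material was received. This file is what the rest of the overlay trusts for that node, so the replacement should be confirmed with the owner over an authenticated channel before it is deployed. Separately, the new host `keller` gets the alias `kelle.r`, while the other hosts visible here follow `<name>.r` (`qubasa.r`, `hydrogen.r`); if that is not intentional it should read `aliases = [ "keller.r" ];`.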
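Review bot: `internet.addrs = [ "hydrogen.supersandro.de" ];` only type-checks because the `addrs` option in lib/types.nix is widened to `listOf (either addr str)` later in this commit, and `str` accepts any string at all. A mistyped IP literal anywhere in the tree would now evaluate cleanly and, judging by the `defaultText` in that file, end up in a tinc `Address` line. A narrower type such as `either addr (types.strMatching "<hostname-regex>")` would keep the hostname case without giving up validation. Reaching hydrogen also now depends on that DNS zone resolving correctly; peer authentication still rests on the tinc keys.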
@@ -823,7 +831,14 @@ in { graham = { owner = config.krebs.users.mic92; nets = rec { + internet = { + # graham.dse.in.tum.de + ip4.addr = "131.159.102.9"; + ip6.addr = "2a09:80c0:102::9"; + aliases = [ "graham.i" ]; + }; retiolum = { + via = internet; addrs = [ config.krebs.hosts.graham.nets.retiolum.ip4.addr config.krebs.hosts.graham.nets.retiolum.ip6.addr diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 2475a0d5a..280021347 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -14,7 +14,47 @@ in { dns.providers = { "lassul.us" = "zones"; }; - hosts = mapAttrs hostDefaults { + hosts = mapAttrs (_: recursiveUpdate { + owner = config.krebs.users.lass; + ci = true; + monitoring = true; + }) { + dishfire = { + cores = 4; + nets = rec { + internet = { + ip4 = rec { + addr = "157.90.232.92"; + prefix = "${addr}/32"; + }; + aliases = [ + "dishfire.i" + ]; + ssh.port = 45621; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.133.99"; + ip6.addr = r6 "d15f:1233"; + aliases = [ + "dishfire.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs + Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7 + uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK + R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd + vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U + HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.port = 655; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; + }; prism = rec { cores = 4; extraZones = { 
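Review bot: `dishfire` takes `157.90.232.92` as its internet address, the same address this commit removes from `eva` in krebs/3modules/external/mic92.nix. Any consumer not yet rebuilt from this revision will still map `eva.i` to that address, so both changes need to roll out together. Cached SSH host keys or pinned entries for the old machine should be removed deliberately rather than accepted on a mismatch warning. A comment on the `addr` line such as `# address previously assigned to eva (mic92)` would make the reuse visible to the next reader. The `hosts` attribute set continues past the end of this hunk, and the definition of the replaced `hostDefaults` is not shown.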
@@ -31,6 +71,7 @@ in { 60 IN NS ns16.ovh.net. 60 IN NS dns16.ovh.net. 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} IN MX 5 lassul.us. 60 IN TXT v=spf1 mx a:lassul.us -all 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) @@ -58,6 +99,10 @@ in { addr = "95.216.1.150"; prefix = "0.0.0.0/0"; }; + ip6 = { + addr = "2a01:4f9:2a:1e9::1"; + prefix = "2a01:4f9:2a:1e9::/64"; + }; aliases = [ "prism.i" "paste.i" @@ -73,6 +118,7 @@ in { "cache.prism.r" "cgit.prism.r" "flix.r" + "jelly.r" "paste.r" "c.r" "p.r" @@ -529,6 +575,20 @@ in { ci = false; syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ"; }; + tablet = { + nets = { + wiregrill = { + ip4.addr = "10.244.1.14"; + ip6.addr = w6 "b"; + aliases = [ + "tablet.w" + ]; + wireguard.pubkey = "eIafsxYEFCqmWNFon6ZsYXeDrK4X1UJ9KD0zmNZjgEI="; + }; + }; + external = true; + ci = false; + }; hilum = { cores = 1; nets = { @@ -777,5 +837,8 @@ in { mail = "lassulus@gmail.com"; pubkey = builtins.readFile ./ssh/android.ed25519; }; + lass-tablet = { + pubkey = builtins.readFile ./ssh/tablet.ed25519; + }; }; } diff --git a/krebs/3modules/lass/ssh/tablet.ed25519 b/krebs/3modules/lass/ssh/tablet.ed25519 new file mode 100644 index 000000000..250be53f7 --- /dev/null +++ b/krebs/3modules/lass/ssh/tablet.ed25519 @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMaulRARjJt6gQ4q5DCj3ySAf4juHvVaIcXDRhWZ5mM u0_a234@localhost
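Review bot: The added `60 IN AAAA` record publishes prism's new IPv6 address (defined by the `ip6` block in the next hunk, at -58,6) at the zone apex, so every service on prism that listens dual-stack becomes reachable over IPv6 once deployed. Nothing in these hunks shows the IPv6 packet filter, so it is worth confirming that it mirrors the IPv4 rules before the record goes live. The existing `a:lassul.us` mechanism in the SPF TXT record will also begin matching the AAAA address, which is probably intended but should be a conscious decision.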
\ No newline at end of file diff --git a/krebs/5pkgs/override/default.nix b/krebs/5pkgs/override/default.nix index 2291132ba..c1d8fa3da 100644 --- a/krebs/5pkgs/override/default.nix +++ b/krebs/5pkgs/override/default.nix @@ -20,7 +20,7 @@ self: super: { "0.10.1" = [ ./flameshot/flameshot_imgur_0.9.0.patch ]; - }.${old.version}; + }.${old.version} or []; }); # https://github.com/proot-me/PRoot/issues/106 diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 594147405..da23245ae 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "b165ce0c4efbb74246714b5c66b6bcdce8cde175", - "date": "2021-11-01T19:42:18+01:00", - "path": "/nix/store/ccfd4ijkp4rn018sjghkhn4a7gkdq84l-nixpkgs", - "sha256": "1q7n9rk4i8ky2xxiymm72cfq1xra3ss3vkhbwf60rhiblslldgqg", + "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2", + "date": "2021-11-17T14:17:56+01:00", + "path": "/nix/store/85yrz3ygrzkgw87fp3j42i1i9f4vf0n0-nixpkgs", + "sha256": "152kxfk11mgwg8gx0s1rgykyydfb7s746yfylvbwk5mk5cv4z9nv", + "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, "leaveDotGit": false diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 8bfd16523..d6d70faf6 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "f0869b1a2c0b150aac26e10bb5c2364ffb2e804f", - "date": "2021-10-31T15:33:08-07:00", - "path": "/nix/store/60dqlv3rf8dyf041qwx2bblmpd7mp7q6-nixpkgs", - "sha256": "150rrksrjf6w9m3c1ll04xilpglysklfpi636rxwyy318g5xss55", + "rev": "24528474d2b3370f2f23879a557ae2cc92a5d50b", + "date": "2021-11-19T11:04:27+01:00", + "path": "/nix/store/f435816nqq7y14ar1haadw228nbxnh33-nixpkgs", + "sha256": "0pdmqzk1l7cwwfp005kzv0dwnmg8xnskzc745052gdxp8pzh1w45", + "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, "leaveDotGit": false 
diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix new file mode 100644 index 000000000..b814d7188 --- /dev/null +++ b/lass/1systems/dishfire/config.nix @@ -0,0 +1,10 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.dishfire; +} diff --git a/lass/1systems/dishfire/physical.nix b/lass/1systems/dishfire/physical.nix new file mode 100644 index 000000000..ca013132f --- /dev/null +++ b/lass/1systems/dishfire/physical.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + ./config.nix + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.loader.grub.devices = [ "/dev/sda" ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/84053adc-49bc-4e02-8a19-3838bf3a43fd"; + fsType = "ext4"; + }; + + swapDevices = [ ]; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 45f9ae00e..c92a239f9 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -284,6 +284,12 @@ with import <stockholm/lib>; localAddress = "10.233.2.14"; }; + services.nginx.virtualHosts."jelly.r" = { + locations."/".extraConfig = '' + proxy_pass http://10.233.2.14:8096/; + proxy_set_header Accept-Encoding ""; + ''; + }; services.nginx.virtualHosts."flix.r" = { locations."/".extraConfig = '' proxy_pass http://10.233.2.14:80/; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index dc3b4b566..554882bf3 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix 
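Review bot: The new `services.nginx.virtualHosts."jelly.r"` block in lass/1systems/prism/config.nix is selected by Host header only, and nothing in the hunk restricts which interface or source network may reach it. The `.r` name alone therefore does not confine the proxied service at `10.233.2.14:8096` to the overlay, unless a listen or firewall rule outside the hunk does. If it is meant to be overlay-only, add an explicit restriction inside the location, e.g. `allow <retiolum-prefix>; deny all;`, and do the same for the `flix.r` vhost shown as context below it. The proxied hop is plain HTTP, which is acceptable only as long as that container network stays host-local.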
@@ -21,7 +21,7 @@ with import <stockholm/lib>; download-dir = "/var/download/finished"; incomplete-dir = "/var/download/incoming"; incomplete-dir-enable = true; - rpc-bind-address = "0.0.0.0"; + rpc-bind-address = "::"; message-level = 1; umask = 18; rpc-whitelist-enabled = false; diff --git a/lib/types.nix b/lib/types.nix index c50969de7..b6c266c33 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -113,7 +113,7 @@ rec { default = null; }; addrs = mkOption { - type = listOf addr; + type = listOf (either addr str); default = optional (config.ip4 != null) config.ip4.addr ++ optional (config.ip6 != null) config.ip6.addr; @@ -187,6 +187,8 @@ rec { [config.extraConfig] ++ [config.pubkey] + ++ + optional (config.weight != null) "Weight = ${toString config.weight}" ); defaultText = '' Address = ‹addr› ‹port› # for each ‹net.via.addrs› @@ -217,6 +219,15 @@ rec { description = "tinc subnets"; default = []; }; + weight = mkOption { + type = nullOr int; + description = '' + global tinc weight (latency in ms) of this particular node. + can be set to some high value to make it unprobable to be used as router. + if set to null, tinc will autogenerate the value based on latency. + ''; + default = if net.via != null then null else 300; + }; }; })); default = null; |
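Review bot: `rpc-bind-address = "::"` in lass/1systems/yellow/config.nix makes the Transmission RPC listen on every IPv6 address of the host, in addition to the IPv4 wildcard it replaced on a dual-stack socket. The context line `rpc-whitelist-enabled = false` shows the built-in source filter is off. Access control then rests entirely on RPC authentication or a packet filter, neither of which is visible in this hunk. I would bind to the one address the clients actually use, or re-enable the whitelist with the internal ranges via `rpc-whitelist-enabled = true;` and a matching `rpc-whitelist`. The settings block continues outside the hunk.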
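Review bot: The documentation for the new `weight` option in lib/types.nix needs a pass. The hunk at -187,6 appends `Weight = …` to the generated host config, but the `defaultText` shown right below it is not updated to mention that line, and the description has a typo (`unprobable`). The default `if net.via != null then null else 300` also gives every existing host without a `via` a fixed weight of 300, which the description should state. Suggested wording: `tinc Weight of this node (latency in ms); hosts without a via default to 300 so they are unlikely to be used as routers, null lets tinc derive the value from measured latency.`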