62 files changed, 1116 insertions, 339 deletions
diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix index 74b8aca3c..9538c3003 100644 --- a/kartei/lass/neoprism.nix +++ b/kartei/lass/neoprism.nix @@ -1,6 +1,20 @@ { r6, w6, ... }: { - nets = { + nets = rec { + internet = { + ip4 = rec { + addr = "95.217.192.59"; + prefix = "${addr}/32"; + }; + ip6 = rec { + addr = "2a01:4f9:4a:4f1a::1"; + prefix = "${addr}/64"; + }; + aliases = [ + "neoprism.i" + ]; + ssh.port = 45621; + }; retiolum = { ip4.addr = "10.243.0.99"; ip6.addr = r6 "99"; diff --git a/kartei/lass/yellow.nix b/kartei/lass/yellow.nix index bb0b1f09b..b9dcb008c 100644 --- a/kartei/lass/yellow.nix +++ b/kartei/lass/yellow.nix @@ -9,6 +9,7 @@ "jelly.r" "radar.r" "sonar.r" + "transmission.r" ]; tinc = { pubkey = '' diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index b79a91967..5e236d574 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -74,6 +74,11 @@ in { retiolum.ip4.addr = "10.243.12.12"; }; }; + snake = { + nets = { + retiolum.ip4.addr = "10.243.12.13"; + }; + }; studio = rec { ci = false; diff --git a/kartei/makefu/retiolum/snake.pub b/kartei/makefu/retiolum/snake.pub new file mode 100644 index 000000000..ae69a162f --- /dev/null +++ b/kartei/makefu/retiolum/snake.pub 
@@ -0,0 +1,13 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEApRUsm8oiTCx5kqFqCUaDyI3iesCajS76lzCGa1HdeBVLvejyit4s
+Vx848/Gr2Axbtqx8Fm3RUj29CEUTCUKQdEEOVE58bQ+euSRL/V7g+v+1NSGYSEwp
+Xvojczppjm0e56kI0yngZh++6AM4/6eMWEQl3u45ZRFXH11ZfoZb+Z3jRAUk1FXt
+rWyrNQ5kGOwNaTk0+mXB8irtYrjyehfZuzyE2z1GelKrSMM03jCFFzVqPu5irYIm
+TghRhFMXIG9bm+gM+bj/GNHs2RHL633PUqI/I5Hj6trNBfqbcu7gpB9F6Edtqgtb
+lQm0Qei/l4AQIxfA3LqNuTHaXp4LBG9IH2qvXSxsqWlgDnjg3CEJ8ZwpOzT7xFG2
+0NSRcAl+4i55j24ZxwWgS9H0Al3LMLzwVsToUfH9fGm1vtJ8ku8sx0AALVzVyabR
+M5ywyi5oRhan/JZywFsACLDUFMiFqI/MIj6ao0pSZYaUXfKMtMCgJJ03NqWak8lc
+yInBgIlEQgxljKW0LHeHoToBzuXhy70gtNswS61iKpuMDxbBYtyK1HuN8PS+vzS8
+svtbV3lvqJA2KcVlqwwgDwvzPX+T0kbI4UL3EjFIU2nepGNaRA1AWmTMrpdEPNdx
+4RPg5EZDVp+Jeihjxpa8aOb3yjkE5i6K00TyjsSIJqWy296PfJC4VBsCAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/kartei/makefu/retiolum/snake_ed25519.pub b/kartei/makefu/retiolum/snake_ed25519.pub
new file mode 100644
index 000000000..a7f9f749b
--- /dev/null
+++ b/kartei/makefu/retiolum/snake_ed25519.pub
@@ -0,0 +1 @@
+Ed25519PublicKey = lKMWnuEVjcSoSEUWrj+51pwDQrQj2TqloL3aBKVWBbO
diff --git a/kartei/makefu/sshd/snake.pub b/kartei/makefu/sshd/snake.pub
new file mode 100644
index 000000000..eceeae899
--- /dev/null
+++ b/kartei/makefu/sshd/snake.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBfIivSIxnkH212vtHiWPiUJcjSRrv3d4eVfkIahJA7S makefu@x
diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix
index 6eacb4a27..178cf27a2 100644
--- a/kartei/mic92/default.nix
+++ b/kartei/mic92/default.nix
@@ -502,6 +502,40 @@ in { }; }; + doctor = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # monitoring.dse.in.tum.de + ip4.addr = "131.159.102.4"; + ip6.addr = "2a09:80c0:102::4"; + aliases = [ "doctor.i" ]; + }; + retiolum = { + via = internet; + aliases = [ + "doctor.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAuXYfR5PRMcJkJG6yjxw0tQvjtzRwZI/k2ks1SBgVhtCh1TcMFraq + /u367B6E9BrGHhPZNtTcceMunC+Tow1+JIAHQPQU1+l1w+6n3esNgYUvakv0C/Dj + opOh5mWzS81UL1r+ifXKdEs4/u561GPUdhhScxnk2lsudh0fem0Rn7yDXuGofrIo + kAD49TLV0ZEflCQLe9/ck+qvzM8yPOnDsCZlCdCZJVpOW0Aq1cfghI6BiStVkDDU + DaBj74m3eK0wtPJlj0flebF91VNMsmQ4XSmFZeDtdx/xOJmqzB29C7tTynuPD5FV + zREKo5wxgvaf/J3da5K5nCP/sOBIishlYVBNZeJqwQiTze405ycdglNiYVISpYaF + 8ikv0w19E9nI3GVjwm6mYH29eKbHuEJSou5J/7lS2tlyVaGI9opGRLV+X7GLwE1D + 01uaQsyTYB7mK33broIABp5Mu/Il1+Mi3uwMKzCL/ciPMMFoSbR+zth2QoU1wRUz + A6OK3t6w5//ufq9bKGcZ3rhU/rYzfk8nHY1F/5QBPM95WTGZZ7CjAMPzyc6Is/CL + +7jtPZPrT05yc9HKPqG2RPWP3dziw4l1TX6NXstMzizyaayeF0yPQ6chNTqgvfFJ + s3ABq1R8UV0LUBmdDAxeyKOOEqrqBcShHFxWmEzk95ghdT6P5XSMMCUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "StFqqnSArvIfK07//ejbxkP3V4nnXsj8vu5km8LcM/P"; + }; + }; + }; + eva = { owner = config.krebs.users.mic92; nets = rec { diff --git a/kartei/tv/hosts/ru.nix b/kartei/tv/hosts/ru.nix new file mode 100644 index 000000000..334df5d07 --- /dev/null +++ b/kartei/tv/hosts/ru.nix 
@@ -0,0 +1,24 @@ +{ + ci = true; + nets = { + retiolum = { + ip4.addr = "10.243.13.42"; + aliases = [ + "ru.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAr4xgpXPr/OGrLO5vwur35esesbAwREwShGJf9btt65UQXst090tD + GWev8Yfi3Mr241r1TG7zpW3Idh5nth2yhzVvqGc9m6QmK27v2MKpb+ppjOKab7RL + 1KfdBAwjdrWdL2xO3XAYOUljxWoIV4VKX8kEBvjJEDOwl/u+g5mB3yLWebtIT7Wk + EneMU6wvCVKhOPeqyXmbqO/+j6+bqxkKP2/5hHcX3a91+15YbR3SvREK2rUm9stx + Rc3kmGUO/DiGK6MmUmt+qieGo/4vheK8hij57dY0uXFIC7U680QzV7jsUmtlKGBL + PoK/Xn6TLLG6nozgmF+q8esYyaYQFrwU2QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "Eg9l+RxFSNrQ9RkTd8tSkoTIG2m7zhQpjUJBWJRft1J"; + }; + }; + secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcNClgsey79WzdEQs/8qkLMHzc1SCU/MqyMerPcUi8X root@ru"; +} diff --git a/kartei/tv/wiregrill/ru.pub b/kartei/tv/wiregrill/ru.pub new file mode 100644 index 000000000..4a997c968 --- /dev/null +++ b/kartei/tv/wiregrill/ru.pub @@ -0,0 +1 @@ ++3GdhwFYmBr46bBwyqrY3UH9fU1b8c2Vqmx9JTY4syU= diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix index f2705caa4..c0d0b588a 100644 --- a/krebs/3modules/github/known-hosts.nix +++ b/krebs/3modules/github/known-hosts.nix @@ -3,8 +3,7 @@ hostNames = ["github.com"] ++ - # List generated with (IPv6 addresses are currently ignored): - # curl -sS https://api.github.com/meta | jq -r .git[] | grep -v : | nix-shell -p cidr2glob --run cidr2glob | jq -Rs 'split("\n")|map(select(.!=""))' > known-hosts.json + # update known-hosts.json using ./update lib.importJSON ./known-hosts.json ; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; 
diff --git a/krebs/3modules/github/update b/krebs/3modules/github/update new file mode 100755 index 000000000..3952dabae --- /dev/null +++ b/krebs/3modules/github/update @@ -0,0 +1,15 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p cidr2glob curl git jq + +# update known-hosts.json +# +# usage: ./update + +set -efu + +# XXX IPv6 addresses are currently ignored +curl -sS https://api.github.com/meta | jq -r .git[] | grep -v : | cidr2glob | jq -Rs 'split("\n")|map(select(.!=""))' > known-hosts.json + +if git diff --exit-code known-hosts.json; then + echo known-hosts.json is up to date: nothing to do >&2 +fi diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 0babc448a..52cdafe67 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -26,10 +26,7 @@ with import <stockholm/lib>; Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' - ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up - ${tinc.config.tincUp} - ''; + "tinc-up" = pkgs.writeDash "${netname}-tinc-up" tinc.config.tincUp; }); }; @@ -60,7 +57,8 @@ with import <stockholm/lib>; default = let net = tinc.config.host.nets.${netname}; iproute = tinc.config.iproutePackage; - in '' + in /* sh */ '' + ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up ${optionalString (net.ip4 != null) /* sh */ '' ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} 
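Review bot: The pipeline in the new `update` script runs under `set -efu` without `pipefail`, so a failed `curl` or an unexpected response body is masked by the trailing `jq`, which turns an empty stream into `[]` and overwrites known-hosts.json with an empty host list; the following `git diff --exit-code` then merely exits non-zero with no message, so the truncated file is easy to commit unnoticed. Since the script already requests bash via the nix-shell shebang, `set -efu -o pipefail` closes the gap, and writing to a temporary file that is moved over known-hosts.json only after the pipeline succeeds would keep the checked-in file intact on a failed fetch. Note that the script only refreshes the host patterns; the `publicKey` pinned in known-hosts.nix stays static and would need a manual update if the remote ever rotates its key.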
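Review bot: In the new `tincUp` default the added line spells the binary as `${tinc.config.iproutePackage}/sbin/ip` while the `let` block directly above already binds `iproute = tinc.config.iproutePackage` and the ip4/ip6 lines below use `${iproute}`; `${iproute}/sbin/ip link set ${netname} up` keeps the script consistent. Because this line was moved out of the `tinc-up` wrapper (first hunk of this file) into the option default, anyone who overrides `tincUp` now also has to bring the interface up themselves, and the option `description`, which continues outside this hunk, should say so.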
@@ -69,14 +67,13 @@ with import <stockholm/lib>; ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} ''} - ${tinc.config.tincUpExtra} ''; - defaultText = '' - ip -4 addr add ‹net.ip4.addr› dev ${netname} - ip -4 route add ‹net.ip4.prefix› dev ${netname} - ip -6 addr add ‹net.ip6.addr› dev ${netname} - ip -6 route add ‹net.ip6.prefix› dev ${netname} - ${tinc.config.tincUpExtra} + defaultText = /* sh */ '' + ip link set ‹netname› up + ip -4 addr add ‹net.ip4.addr› dev ‹netname› + ip -4 route add ‹net.ip4.prefix› dev ‹netname› + ip -6 addr add ‹net.ip6.addr› dev ‹netname› + ip -6 route add ‹net.ip6.prefix› dev ‹netname› ''; description = '' tinc-up script to be used. Defaults to setting the @@ -85,11 +82,6 @@ with import <stockholm/lib>; ''; }; - tincUpExtra = mkOption { - type = types.str; - default = ""; - }; - tincPackage = mkOption { type = types.package; default = pkgs.tinc_pre; @@ -125,17 +117,13 @@ with import <stockholm/lib>; hostsPackage = mkOption { type = types.package; - default = pkgs.stdenv.mkDerivation { - name = "${tinc.config.netname}-tinc-hosts"; - phases = [ "installPhase" ]; - installPhase = '' - mkdir $out - ${concatStrings (mapAttrsToList (_: host: '' - echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \ - > $out/${shell.escape host.name} - '') tinc.config.hosts)} - ''; - }; + default = + pkgs.write "${tinc.config.netname}-tinc-hosts" + (mapAttrs' + (_: host: nameValuePair "/${host.name}" { + text = host.nets.${tinc.config.netname}.tinc.config; + }) + tinc.config.hosts); defaultText = "‹netname›-tinc-hosts"; description = '' Package of tinc host configuration files. By default, a package will diff --git a/krebs/5pkgs/override/default.nix b/krebs/5pkgs/override/default.nix index ae42bc1a3..f85f3f678 100644 --- a/krebs/5pkgs/override/default.nix +++ b/krebs/5pkgs/override/default.nix 
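Review bot: The `tincUpExtra` option is removed (hunk at -85) and its interpolation dropped from the `tincUp` default (hunk at -69) without a migration path, so any host configuration still setting it will fail evaluation with an undefined-option error and has to be rewritten as a full `tincUp` override that also repeats the default address and route setup. If the submodule can take `imports`, a `mkRemovedOptionModule` entry naming the replacement would make the break self-explanatory; failing that, a sentence in the `tincUp` description such as `Replaces the former tincUpExtra option; override this option in full to add commands.` would help.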
@@ -9,20 +9,6 @@ self: super: { }; }); - flameshot = super.flameshot.overrideAttrs (old: rec { - name = "flameshot-${version}"; - version = "0.10.2"; - src = self.fetchFromGitHub { - owner = "flameshot-org"; - repo = "flameshot"; - rev = "v${version}"; - sha256 = "sha256-rZUiaS32C77tFJmEkw/9MGbVTVscb6LOCyWaWO5FyR4="; - }; - patches = old.patches or [] ++ [ - ./flameshot/flameshot_imgur_0.10.2.patch - ]; - }); - # https://github.com/proot-me/PRoot/issues/106 proot = self.writeDashBin "proot" '' export PROOT_NO_SECCOMP=1 diff --git a/krebs/5pkgs/simple/syncthing-device-id.nix b/krebs/5pkgs/simple/syncthing-device-id.nix index 9533800fd..74983fc18 100644 --- a/krebs/5pkgs/simple/syncthing-device-id.nix +++ b/krebs/5pkgs/simple/syncthing-device-id.nix @@ -1,12 +1,13 @@ -{ openssl, writePython2Bin }: +{ openssl, writePython3Bin }: -writePython2Bin "syncthing-device-id" { +writePython3Bin "syncthing-device-id" { flakeIgnore = [ "E226" "E302" "E305" "E501" "F401" + "W504" ]; } /* python */ '' import base64 diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 644192bbf..6af475a29 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", - "date": "2022-12-11T09:33:23+00:00", - "path": "/nix/store/lmiwldi32kcc2qgm68swxgb3xzba0ayc-nixpkgs", - "sha256": "1hmx7hhjr74fqmxhb49yfyrpqhzwayrq48xwjv3a117czpb0gnjx", + "rev": "befc83905c965adfd33e5cae49acb0351f6e0404", + "date": "2023-01-13T18:32:21+01:00", + "path": "/nix/store/bwpp6fchhfw699jn9hsdypyc7ggb72gx-nixpkgs", + "sha256": "0m0ik7z06q3rshhhrg2p0vsrkf2jnqcq5gq1q6wb9g291rhyk6h2", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 17bffe634..fd6aeb114 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json 
@@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "9d692a724e74d2a49f7c985132972f991d144254", - "date": "2022-12-16T13:36:40-05:00", - "path": "/nix/store/76wc0ymx7rw348hpl0bp0yb77sf40xd6-nixpkgs", - "sha256": "1byh49p3kwi6adb1izaalj2ab9disfzq1cx526gwgv20ilmphvnr", + "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f", + "date": "2023-01-15T13:38:37-03:00", + "path": "/nix/store/mn2dwzki0d159fl09y87jrvyvcjgyy03-nixpkgs", + "sha256": "0w3ysrhbqhgr1qnh0r9miyqd7yf7vsd4wcd21dffwjlb99lynla8", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 06561e9cf..73d7f3780 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -40,6 +40,7 @@ in { security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; + security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; services.nginx = { enable = true; package = pkgs.nginx.override { @@ -152,6 +153,14 @@ in { proxy_set_header Accept-Encoding ""; ''; }; + virtualHosts."transmission.r" = { + enableACME = true; + addSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:9091/; + proxy_set_header Accept-Encoding ""; + ''; + }; virtualHosts."radar.r" = { enableACME = true; addSSL = true; diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index 51db9a40a..1af2fa226 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -2,9 +2,11 @@ with import <stockholm/lib>; { + # ipv6 from vodafone is really really flaky + boot.kernel.sysctl."net.ipv6.conf.et0.disable_ipv6" = 1; systemd.network.networks."50-et0" = { matchConfig.Name = "et0"; - DHCP = "yes"; + DHCP = "ipv4"; # dhcpV4Config.UseDNS = false; # dhcpV6Config.UseDNS = false; linkConfig = { 
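Review bot: The new `transmission.r` virtual host proxies straight to `http://localhost:9091/` with no authentication at the nginx layer, mirroring the other vhosts in this file. Port 9091 appears to be the Transmission RPC interface rather than a read-only UI, and because proxied requests reach the daemon from localhost, any source-address whitelist it applies no longer distinguishes remote clients from local ones. Whether RPC authentication is enabled on the transmission side is not visible in this hunk and should be confirmed; otherwise adding `basicAuthFile` (or `basicAuth`) to this vhost keeps the control interface from being reachable by every host that can resolve the name.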
@@ -23,14 +25,15 @@ with import <stockholm/lib>; # Managed = true; # }; }; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; systemd.network.networks."50-int0" = { name = "int0"; address = [ "10.42.0.1/24" ]; networkConfig = { - IPForward = "yes"; - IPMasquerade = "both"; + # IPForward = "yes"; + # IPMasquerade = "both"; ConfigureWithoutCarrier = true; DHCPServer = "yes"; # IPv6SendRA = "yes"; @@ -49,9 +52,16 @@ with import <stockholm/lib>; krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; } ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.42.0.0/24"; target = "MASQUERADE"; } + ]; networking.domain = "gg23"; + networking.useHostResolvConf = false; + services.resolved.extraConfig = '' + DNSStubListener=no + ''; services.dnsmasq = { enable = true; resolveLocalQueries = false; @@ -64,4 +74,12 @@ with import <stockholm/lib>; interface=int0 ''; }; + + environment.systemPackages = [ + (pkgs.writers.writeDashBin "restart_router" '' + ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m OFF + sleep 2 + ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m ON + '') + ]; } |
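Review bot: The `restart_router` wrapper embeds the MQTT credentials `-u gg23 -P gg23-mqtt` in the derivation text, so they end up in a world-readable /nix/store path and appear in the process list each time the script runs. Keeping the password out of the store — reading it at run time from a root-only file outside the store and passing it to mosquitto_pub from there — would avoid both exposures; the rest of this hunk (MASQUERADE rule, resolved stub listener) is unaffected.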