diff options
69 files changed, 787 insertions, 190 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..5ace4600 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml new file mode 100644 index 00000000..4284463f --- /dev/null +++ b/.github/workflows/repo-sync.yml @@ -0,0 +1,19 @@ +on: + schedule: + - cron: "*/15 * * * *" + workflow_dispatch: + +jobs: + repo-sync: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + persist-credentials: false + - name: repo-sync + uses: repo-sync/github-sync@v2 + with: + source_repo: "https://git.thalheim.io/Mic92/stockholm.git" + source_branch: "master" + destination_branch: "master" + github_token: ${{ secrets.PAT }} diff --git a/krebs/0tests/data/secrets/syncthing.cert b/krebs/0tests/data/secrets/syncthing.cert new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/krebs/0tests/data/secrets/syncthing.cert diff --git a/krebs/0tests/data/secrets/syncthing.key b/krebs/0tests/data/secrets/syncthing.key new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/krebs/0tests/data/secrets/syncthing.key diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix index 5c4b37ae..79946dad 100644 --- a/krebs/1systems/news/config.nix +++ b/krebs/1systems/news/config.nix @@ -18,13 +18,6 @@ boot.isContainer = true; networking.useDHCP = false; krebs.bindfs = { - "/var/lib/htgen-go" = { - source = "/var/state/htgen-go"; - options = [ - "-m ${toString config.users.users.htgen-go.uid}" - ]; - clearTarget = true; - }; "/var/lib/brockman" = { source = "/var/state/brockman"; options = [ diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 1e0687ba..2f122f6f 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -19,6 +19,12 @@ <stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/prism.nix> + ## news host + + <stockholm/krebs/2configs/container-networking.nix> + <stockholm/krebs/2configs/syncthing.nix> + <stockholm/krebs/2configs/news-host.nix> + ### shackspace ### # handle the worlddomination map via coap <stockholm/krebs/2configs/shack/worlddomination.nix> diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix index 8dab11e1..a46a2495 100644 --- a/krebs/1systems/puyak/net.nix +++ b/krebs/1systems/puyak/net.nix @@ -8,8 +8,8 @@ in { SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}" ''; networking = { - firewall.enable = false; - firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ]; + firewall.enable = true; + firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ]; interfaces."${ext-if}".ipv4.addresses = [ { address = shack-ip; diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix new file mode 100644 index 00000000..fa448880 --- /dev/null +++ b/krebs/2configs/container-networking.nix @@ -0,0 +1,7 @@ +{ lib, ... }: +{ + networking.nat.enable = true; + networking.nat.internalInterfaces = ["ve-+"]; + networking.nat.externalInterface = lib.mkDefault "et0"; + networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; +} diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 0de07a02..3ef2e7d2 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -87,6 +87,7 @@ }; channel { + autochanmodes = "+t"; use_invex = yes; use_except = yes; use_forward = yes; diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 82360a67..b7728986 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -4,6 +4,7 @@ "shodan" "mors" "styx" + "puyak" ]; hostIp = "10.233.2.101"; localIp = "10.233.2.102"; diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 410beb04..2da3e6fc 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -15,6 +15,16 @@ serverAliases = [ "news.r" ]; + locations."/api".extraConfig = '' + proxy_pass http://127.0.0.1:7777/; + proxy_pass_header Server; + ''; + locations."= /graph.html".extraConfig = '' + alias ${pkgs.fetchurl { + url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html"; + sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w"; + }}; + ''; locations."/".extraConfig = '' root /var/lib/brockman; index brockman.json; @@ -27,6 +37,7 @@ }; systemd.tmpfiles.rules = [ "d /var/lib/brockman 1750 brockman nginx -" + "d /run/irc-api 1750 brockman nginx -" ]; systemd.services.brockman-graph = { @@ -67,12 +78,28 @@ shortener = "http://go.r"; controller = { nick = "brockman"; - channels = [ "#all" ]; + extraChannels = [ "#all" ]; }; bots = {}; }; }; + krebs.reaktor2.api = { + hostname = "localhost"; + port = "6667"; + nick = "api"; + API.listen = "inet://127.0.0.1:7777"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#all" + ]; + }; + } + ]; + }; krebs.reaktor2.news = let name = "candyman"; in { diff --git a/krebs/2configs/shack/prometheus/alert-rules.nix b/krebs/2configs/shack/prometheus/alert-rules.nix index 12c69146..65e5d900 100644 --- a/krebs/2configs/shack/prometheus/alert-rules.nix +++ b/krebs/2configs/shack/prometheus/alert-rules.nix @@ -14,7 +14,14 @@ in { labels.severity = "warning"; annotations.summary = "{{ $labels.alias }} root disk full"; annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=wolf"; - annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and run `nix-collect-garbage -d` and clean up the shack share folder in `/home/share` .If this does not help you can check `du -hs /var/ | sort -h`, run `docker system prune` or if you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete''; + annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and try to clean up the obsolete files on the machine. There are a couple of things you can do: +1. `nix-collect-garbage -d` +2. clean up the shack share folder in `/home/share` +3. check `du -hs /var/ | sort -h`. +4. run `docker system prune` +5. `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete;` to clean up the link shortener data +5. If you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete +6. as a last resort the root disk can be expanded via `lvresize -L +10G /dev/pool/root && btrfs filesystem resize max /` ''; } { alert = "RootPartitionFull"; diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 31e33ad5..125e2aea 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix @@ -10,6 +10,10 @@ in { configDir = "/var/lib/syncthing"; declarative = { devices = mk_peers used_peers; + key = toString <secrets/syncthing.key>; + cert = toString <secrets/syncthing.cert>; }; }; + + boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288; } diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index c8e360a1..809d5a7d 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -671,6 +671,7 @@ in { pubkey = ssh-for "raute"; }; rtjure = { + pubkey = ssh-for "rtjure"; }; sokratess = { }; diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 306ab34e..15136cbc 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -152,30 +152,6 @@ in { }; }; }; - dpdkm = { - owner = config.krebs.users.mic92; - nets = rec { - retiolum = { - ip4.addr = "10.243.29.173"; - aliases = [ "dpdkm.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj - NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp - qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP - X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn - f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa - bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL - Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T - B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w - tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n - dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls - mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; herbert = { owner = config.krebs.users.mic92; nets = rec { @@ -199,35 +175,6 @@ in { }; }; }; - inspector = { - owner = config.krebs.users.mic92; - nets = rec { - internet = { - ip4.addr = "141.76.44.154"; - aliases = [ "inspector.i" ]; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.29.172"; - aliases = [ "inspector.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG - EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ - 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF - m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw - WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd - eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 - OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau - ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x - B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG - q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj - 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; eddie = { owner = config.krebs.users.mic92; nets = rec { @@ -303,6 +250,82 @@ in { }; }; }; + okelmann = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.190"; + aliases = [ + "okelmann.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAxquUuiW9a304H9Ls81+2BMm4bviDUU2Zogu0F1mPp6X8TpdjYpDs + +tlakSTEPHo+aIdcV9rHpjOC3tirNbYU56D8DdoSo1Ra6XNFbxWrw7usSR9gz7L+ + kYp1Uij4gKTfg6YQkU0lkufk13if6zvb/GjoBUTS/Tx+8sZm2/JKEK8JLQaCkmMu + LAUTsHj35Q8S99TzCLAoQLo136AtvPqcwwHVwkdX+S4WqtlODxfJ7T+9KFxGg54B + 1M6btg8iL5sdTFrLIBi7oK6GuLK9izvZ4O9O9H2bStW6LodqPtw2v5WA8li+YJx7 + LBgLO4aAAA6bF9WFcYyKBh6iCX0WxB7LowIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + anindya = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.191"; + aliases = [ + "anindya.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA8yWr01WlmM4RYuJdxvzvfdN3C5T3DOknWvK7U3y92HYgtQfYtZwu + +J8r1fpTsdIS8wKdSEqz7Mjhb1JabJBB1fv/2mkAF4V/gkMbP0jqZ6QQL29kgkNP + aI/+zG1yh4kEDgSn843J6XnTsJ/4Na2zmbVP1iIIQYMXyh+meWsBVR6DKV5ighjz + 4h3wKbuMmDrS50aTk8ahgWoiqcE2DTUMeprw4SIL+RTepmsCINQtAJui5Ys6AAbK + ab6gxMzRH2txLBcTfSrbqTX3qHZHLlB9Ai5FEItWqMBxquD6OCxn8DNU+5LgGpt1 + Z37SI1U0c4uu1oo7kOSx6wYP2ZVOatys6QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + dimitra = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.192"; + aliases = [ + "dimitra.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAtgvjWP2KIawJDk32P8Uiwz95REACx43CXUIgcBx5qg9ZQrHnJZxH + RkXLnWUmjpnEmPUfvg/b8YCyoHgzD6GQEXcWaiMXBQ/nsrSEN4mpY7tzInerzGsv + /M66WzPUWSUC9kbncLXt+2A64B23h1ki+MyMyKGIpHq21+F1b6ZHW2rkMnk3BKa4 + aJKNfadjP4V1lnPd40VBpcA3dlQfGF057GJz+2fzlfh1Bp41r/uP2NHieSAlyBws + IaVZPWbfxFyYU8JbrlYUAlLjdXFG1meo5On0K0N8tTBKfnD1nwSqTPAfM7WqOm4A + ImYB8LzjmIdXM+QUqbVFTgiY4jBDg61krwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + philipsaendig = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.193"; + aliases = [ + "philipsaendig.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX + 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl + 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl + +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF + Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S + oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; martha = { owner = config.krebs.users.mic92; |