Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/backup.nix1
-rw-r--r--krebs/3modules/default.nix35
-rw-r--r--krebs/5pkgs/simple/cidr2glob.nix30
3 files changed, 51 insertions, 15 deletions
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix
index 6f015d66b..c0b218c15 100644
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@@ -83,6 +83,7 @@ let
rsync
utillinux
];
+ restartIfChanged = false;
serviceConfig = rec {
ExecStart = start plan;
SyslogIdentifier = ExecStart.name;
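Review bot: The added `restartIfChanged = false;` carries no comment explaining why the unit is exempt from restarts, and the side effect is easy to overlook. The intent is presumably to keep a system switch from interrupting a running backup, which also means a changed plan or script only takes effect the next time the unit starts. I would put a comment above it, for example `# don't restart on switch: an in-flight backup must not be killed; changes apply on the next start`. The enclosing service definition starts and ends outside the hunk.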
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 7cf02cd8b..caeef2885 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -225,21 +225,26 @@ let
};
})
//
- # GitHub's IPv4 address range is 192.30.252.0/22
- # Refs https://help.github.com/articles/github-s-ip-addresses/
- # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
- # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
- # we split each /24 into its own entry.
- listToAttrs (map
- (c: {
- name = "github${toString c}";
- value = {
- hostNames = ["github.com"] ++
- map (d: "192.30.${toString c}.${toString d}") (range 0 255);
- publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
- };
- })
- (range 252 255))
+ {
+ github = {
+ hostNames = [
+ "github.com"
+ # List generated with
+ # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
+ "192.30.253.*"
+ "192.30.254.*"
+ "192.30.255.*"
+ "185.199.108.*"
+ "185.199.109.*"
+ "185.199.110.*"
+ "185.199.111.*"
+ "18.195.85.27"
+ "18.194.104.89"
+ "35.159.8.160"
+ ];
+ publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+ };
+ }
//
mapAttrs
(name: host: {
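Review bot: The `hostNames` list in the new `github` entry is a hand-pasted snapshot of `api.github.com/meta` with no date or refresh trigger, so it will silently drift from the ranges GitHub actually uses. Record when it was generated, e.g. `# List generated YYYY-MM-DD with`, and quote the jq filter in the documented command (`jq -r '.git[]'`) so the shell cannot glob-expand `.git[]`. Because the same `publicKey` is now trusted for every address these patterns match, the key should be re-checked against GitHub's published fingerprints each time the list is regenerated. It should not simply be carried forward. The enclosing `let` expression continues outside the hunk.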
diff --git a/krebs/5pkgs/simple/cidr2glob.nix b/krebs/5pkgs/simple/cidr2glob.nix
new file mode 100644
index 000000000..9b0b3f86b
--- /dev/null
+++ b/krebs/5pkgs/simple/cidr2glob.nix
@@ -0,0 +1,30 @@
+{ python, writeScriptBin, ... }:
+
+let
+ pythonEnv = python.withPackages (ps: [ ps.netaddr ]);
+in
+ writeScriptBin "cidr2glob" ''
+ #! ${pythonEnv}/bin/python
+
+ import netaddr
+ import re
+ import sys
+
+ def cidr2glob(cidr):
+ net = netaddr.IPNetwork(cidr)
+
+ if net.prefixlen <= 8:
+ return map(lambda subnet: re.sub(r'\.0\.0\.0$', '.*', str(subnet.ip)), net.subnet(8))
+ elif net.prefixlen <= 16:
+ return map(lambda subnet: re.sub(r'\.0\.0$', '.*', str(subnet.ip)), net.subnet(16))
+ elif net.prefixlen <= 24:
+ return map(lambda subnet: re.sub(r'\.0$', '.*', str(subnet.ip)), net.subnet(24))
+ else:
+ return map(lambda ip: str(ip), list(net))
+
+ if __name__ == "__main__":
+ for cidr in sys.stdin:
+ for glob in cidr2glob(cidr):
+ print glob
+
+ ''
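Review bot: `cidr2glob` never checks the address family, so an IPv6 range on stdin falls through to the final `else` branch and `list(net)` tries to enumerate the whole network. For a /64 that will not finish, and the shorter-prefix branches would emit unglobbed addresses that look valid. Since the output is pasted into trusted known_hosts patterns, I would fail loudly right after parsing: `if net.version != 4: sys.exit('cidr2glob: IPv4 only: %s' % net)`. The lines from `sys.stdin` also still carry their newline and may be blank, so parse `cidr.strip()` and skip empty lines so bad input is not left to netaddr's error handling. `print glob` ties the script to Python 2; `print(glob)` behaves the same there and also runs on Python 3.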