diff options
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 60 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/retiolum-bootstrap.nix | 58 | ||||
-rw-r--r-- | krebs/4lib/infest/finalize.sh | 2 | ||||
-rw-r--r-- | krebs/4lib/infest/prepare.sh | 7 | ||||
-rw-r--r-- | krebs/5pkgs/retiolum-bootstrap/default.nix | 29 |
7 files changed, 154 insertions, 7 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index e2aea7057..c695589ca 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -14,6 +14,7 @@ let ./iptables.nix ./nginx.nix ./Reaktor.nix + ./retiolum-bootstrap.nix ./realwallpaper.nix ./retiolum.nix ./urlwatch.nix diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 59052021b..498282b03 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -2,7 +2,35 @@ with lib; -{ +let + testHosts = lib.genAttrs [ + "test-arch" + "test-centos6" + "test-centos7" + ] (name: { + inherit name; + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.111.111"]; + addrs6 = ["42:0:0:0:0:0:0:7357"]; + aliases = [ + "test.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd + mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5 + TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1 + K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8 + QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY + VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }); +in { hosts = addNames { echelon = { cores = 4; @@ -104,7 +132,11 @@ with lib; uriel = { cores = 1; dc = "lass"; - nets = rec { + nets = { + gg23 = { + addrs4 = ["10.23.1.12"]; + aliases = ["uriel.gg23"]; + }; retiolum = { addrs4 = ["10.243.81.176"]; addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; @@ -131,7 +163,11 @@ with lib; mors = { cores = 2; dc = "lass"; - nets = rec { + nets = { + gg23 = { + addrs4 = ["10.23.1.11"]; + aliases = ["mors.gg23"]; + }; retiolum = { addrs4 = ["10.243.0.2"]; addrs6 = ["42:0:0:0:0:0:0:dea7"]; @@ -155,8 +191,24 @@ with lib; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD"; }; + schnabel-ap = { + nets = { + gg23 = { + addrs4 = ["10.23.1.20"]; + aliases = ["schnabel-ap.gg23"]; + }; + }; + }; + Reichsfunk-ap = { + nets = { + gg23 = { + addrs4 = ["10.23.1.10"]; + aliases = ["Reichsfunk-ap.gg23"]; + }; + }; + }; - }; + } // testHosts; users = addNames { lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 9cf5c9aea..42764e48c 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -127,10 +127,8 @@ with lib; "krebsco.de" = '' IN MX 10 mx42 euer IN MX 1 aspmx.l.google.com. - io IN NS pigstarter.krebsco.de. pigstarter IN A ${head nets.internet.addrs4} gold IN A ${head nets.internet.addrs4} - tinc IN A ${head nets.internet.addrs4} boot IN A ${head nets.internet.addrs4}''; }; nets = { @@ -166,7 +164,9 @@ with lib; extraZones = { "krebsco.de" = '' wry IN A ${head nets.internet.addrs4} + io IN NS wry.krebsco.de. graphs IN A ${head nets.internet.addrs4} + tinc IN A ${head nets.internet.addrs4} ''; }; nets = rec { diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix new file mode 100644 index 000000000..eed11642f --- /dev/null +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.krebs.retiolum-bootstrap; + + out = { + options.krebs.retiolum-bootstrap = api; + config = mkIf cfg.enable imp ; + }; + + api = { + enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de"; + hostname = mkOption { + type = types.str; + description = "hostname which serves tinc boot"; + default = "tinc.krebsco.de" ; + }; + ssl_certificate_key = mkOption { + type = types.str; + description = "Certificate key to use for ssl"; + default = "/root/secrets/tinc.krebsco.de.key"; + }; + ssl_certificate = mkOption { + type = types.str; + description = "Certificate file to use for ssl"; + default = "/root/secrets/tinc.krebsco.de.crt" ; + }; + # in use: + # <secrets/tinc.krebsco.de.crt> + # <secrets/tinc.krebsco.de.key> + }; + + imp = { + krebs.nginx.servers = assert config.krebs.nginx.enable; { + retiolum-boot-redir = { + server-names = singleton cfg.hostname; + extraConfig = '' + return 301 https://$server_name$request_uri; + ''; + locations = []; + }; + retiolum-boot-ssl = { + server-names = singleton cfg.hostname; + listen = "443 ssl"; + extraConfig = '' + ssl_certificate ${cfg.ssl_certificate}; + ssl_certificate_key ${cfg.ssl_certificate_key}; + root ${pkgs.retiolum-bootstrap}; + try_files $uri $uri/retiolum.sh; + ''; + locations = []; + }; + }; + }; + +in +out diff --git a/krebs/4lib/infest/finalize.sh b/krebs/4lib/infest/finalize.sh index 0039960c5..94b13e0be 100644 --- a/krebs/4lib/infest/finalize.sh +++ b/krebs/4lib/infest/finalize.sh @@ -3,8 +3,8 @@ set -eux { umount /mnt/nix umount /mnt/root - umount /boot || : umount /mnt/boot + umount /boot || : umount /mnt coreutils_path=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i) diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 9fbd5be86..94c9b0fb5 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -18,6 +18,13 @@ prepare() {( esac ;; esac + elif test -e /etc/centos-release; then + case $(cat /etc/centos-release) in + 'CentOS release 6.5 (Final)') + prepare_centos "$@" + exit + ;; + esac fi echo "$0 prepare: unknown OS" >&2 exit -1 diff --git a/krebs/5pkgs/retiolum-bootstrap/default.nix b/krebs/5pkgs/retiolum-bootstrap/default.nix new file mode 100644 index 000000000..331b1cb7f --- /dev/null +++ b/krebs/5pkgs/retiolum-bootstrap/default.nix @@ -0,0 +1,29 @@ +{ stdenv,lib,fetchurl, ... }: +with lib; +stdenv.mkDerivation rec { + name = "retiolum-bootstrap"; + version = "4.2.3"; + + + src = fetchurl { + url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh; + sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s"; + }; + + phases = [ + "installPhase" + ]; + + installPhase = '' + mkdir -p "$out" + cp -a ${src} $out/retiolum.sh + ''; + + meta = { + description = "Retiolum boostrap scripts"; + url = https://github.com/krebscode/painload; + license = licenses.wtfpl; + platforms = platforms.unix; + maintainers = with maintainers; [ makefu ]; + }; +} |