Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519 | 0 | ||||
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 1 | ||||
-rw-r--r-- | krebs/1systems/puyak/config.nix | 7 | ||||
-rw-r--r-- | krebs/3modules/external/default.nix | 14 | ||||
-rw-r--r-- | krebs/3modules/external/tinc/horisa.pub | 8 | ||||
-rw-r--r-- | krebs/3modules/github-hosts-sync.nix | 28 | ||||
-rw-r--r-- | krebs/3modules/github-known-hosts.nix | 10 | ||||
-rw-r--r-- | krebs/3modules/mb/default.nix | 54 | ||||
-rw-r--r-- | krebs/5pkgs/simple/github-hosts-sync/default.nix | 39 | ||||
-rwxr-xr-x | krebs/5pkgs/simple/github-hosts-sync/src/hosts-sync | 33 | ||||
-rw-r--r-- | krebs/5pkgs/simple/prison-break/default.nix | 20 | ||||
-rw-r--r-- | krebs/5pkgs/simple/prison-break/straight-plugin.nix | 22 | ||||
-rw-r--r-- | krebs/nixpkgs.json | 6 |
13 files changed, 167 insertions, 75 deletions
diff --git a/krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519 b/krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index f68c8ce50..32e416831 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -18,6 +18,7 @@
 ];
 krebs.build.host = config.krebs.hosts.hotdog;
+ krebs.github-hosts-sync.enable = true;
 boot.isContainer = true;
 networking.useDHCP = false;
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 67257eacd..af11c6944 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -73,6 +73,13 @@
 system.activationScripts."disengage fancontrol" = ''
 echo level disengaged > /proc/acpi/ibm/fan
 '';
+
+ # to access vorstand vm
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.ulrich.pubkey
+ config.krebs.users.raute.pubkey
+ ];
+
 users.users.joerg = {
 openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ];
 isNormalUser = true;
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 9bfc920a3..080c259aa 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -167,6 +167,20 @@ in {
 };
 };
 };
+ horisa = {
+ cores = 2;
+ owner = config.krebs.users.ulrich; # main laptop
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.226.213";
+ ip6.addr = "42:0:e644:9099:4f8:b9aa:3856:4e85";
+ aliases = [
+ "horisa.r"
+ ];
+ tinc.pubkey = tinc-for "horisa";
+ };
+ };
+ };
 idontcare = {
 owner = config.krebs.users.Mic92;
 nets = rec {
diff --git a/krebs/3modules/external/tinc/horisa.pub b/krebs/3modules/external/tinc/horisa.pub
new file mode 100644
index 000000000..06d686ce3
--- /dev/null
+++ b/krebs/3modules/external/tinc/horisa.pub
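Review bot: In the puyak hunk, the two keys are added to root's `openssh.authorizedKeys.keys`, which grants an unrestricted root shell on puyak itself, while the comment only states that the purpose is reaching the vorstand vm. If root on puyak is not the goal, a dedicated non-root user carrying the keys (the file already does this for `joerg` a few lines down) or an `authorizedKeys` entry restricted with `command=`/`from=` options would bound what the keys can do. Whatever is intended, the comment should say that this is root login on the host, e.g. `# ulrich and raute get root on puyak to reach the vorstand vm`. The enclosing attribute set continues outside the hunk.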
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1hhBqCku98gimv0yXr6DFwE2HUemigyqX8o7IsPOW5XT/K8o+V40
+Oxk3r0+c7IYREvug/raxoullf5TMJFzTzqzX4njgsiTs25V8D7hVT4jcRKTcXmBn
+XpjtD+tIeDW1E6dIMMDbxKCyfd/qaeg83G7gPobeFYr4JNqQLXrnotlWMO9S13UT
++EgSP2pixv/dGIqX8WRg23YumO8jZKbso/sKKFMIEOJvnh/5EcWb24+q2sDRCitP
+sWJ5j/9M1Naec/Zl27Ac2HyMWRk39F9Oo+iSbc47QvjKTEmn37P4bBg3hY9FSSFo
+M90wG/NRbw1Voz6BgGlwOAoA+Ln0rVKqDQIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index 3b626dc46..0b7d56098 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -11,17 +11,25 @@ let
 api = {
 enable = mkEnableOption "krebs.github-hosts-sync";
- port = mkOption {
- type = types.int; # TODO port type
- default = 1028;
- };
 dataDir = mkOption {
 type = types.str; # TODO path (but not just into store)
 default = "/var/lib/github-hosts-sync";
 };
+ srcDir = mkOption {
+ type = types.str;
+ default = "${config.krebs.tinc.retiolum.confDir}/hosts";
+ };
 ssh-identity-file = mkOption {
 type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
- default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
+ default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
+ };
+ url = mkOption {
+ type = types.str;
+ default = "git@github.com:krebs/hosts.git";
+ };
+ workTree = mkOption {
+ type = types.absolute-pathname;
+ default = "${cfg.dataDir}/cache";
 };
 };
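Review bot: The new `srcDir` option is declared as `types.str` although it holds a directory path, while the sibling `workTree` added in the same hunk uses `types.absolute-pathname`; the two should agree, e.g. `type = types.absolute-pathname;` for `srcDir` (its default interpolates `confDir`, which is presumably absolute — confirm). None of the new options (`srcDir`, `url`, `workTree`) carry a `description`, so a reader cannot tell from the option that `workTree` is a clone of `url` kept under `dataDir`, or that `srcDir` is the directory whose contents get pushed to `url`; a one-line `description` on each would document that contract. The `url` default `git@github.com:krebs/hosts.git` together with the ed25519 identity also implies the service user must trust github.com's ssh host key; a comment naming how that is satisfied (presumably the known-hosts module touched in this commit) would help the next reader.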
@@ -30,13 +38,18 @@ let
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 environment = {
- port = toString cfg.port;
+ GITHUB_HOST_SYNC_USER_MAIL = user.mail;
+ GITHUB_HOST_SYNC_USER_NAME = user.name;
+ GITHUB_HOST_SYNC_SRCDIR = cfg.srcDir;
+ GITHUB_HOST_SYNC_WORKTREE = cfg.workTree;
+ GITHUB_HOST_SYNC_URL = cfg.url;
 };
 serviceConfig = {
 PermissionsStartOnly = "true";
 SyslogIdentifier = "github-hosts-sync";
 User = user.name;
- Restart = "always";
+ Type = "oneshot";
+ RemainAfterExit = true;
 ExecStartPre = pkgs.writeDash "github-hosts-sync-init" ''
 set -euf
 install -m 0711 -o ${user.name} -d ${cfg.dataDir}
@@ -56,6 +69,7 @@ let
 };
 user = rec {
+ mail = "${name}@${config.krebs.build.host.name}";
 name = "github-hosts-sync";
 uid = genid_uint31 name;
 };
diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix
index def06f17a..bae8b96bf 100644
--- a/krebs/3modules/github-known-hosts.nix
+++ b/krebs/3modules/github-known-hosts.nix
@@ -28,12 +28,22 @@
 "140.82.125.*"
 "140.82.126.*"
 "140.82.127.*"
+ "13.114.40.48"
 "13.229.188.59"
+ "13.234.176.102"
+ "13.234.210.38"
+ "13.236.229.21"
+ "13.237.44.5"
 "13.250.177.223"
+ "15.164.81.167"
 "18.194.104.89"
 "18.195.85.27"
 "35.159.8.160"
+ "52.192.72.89"
+ "52.64.108.95"
+ "52.69.186.44"
 "52.74.223.119"
+ "52.78.231.108"
 ];
 publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
 };
diff --git a/krebs/3modules/mb/default.nix b/krebs/3modules/mb/default.nix
index c98db4b27..e77811f08 100644
--- a/krebs/3modules/mb/default.nix
+++ b/krebs/3modules/mb/default.nix
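Review bot: Replacing `Restart = "always"` with `Type = "oneshot"; RemainAfterExit = true;` means the unit runs the sync once per boot or activation and then never again, since no `systemd.timers` or path unit is visible in the hunk; if periodic pushing of the hosts directory is still the intent, a timer (or a path unit watching `cfg.srcDir`) has to trigger this service, otherwise a comment like `# runs once per activation; re-run with systemctl restart github-hosts-sync` should record the new behaviour. If a timer is defined elsewhere in this module outside the hunk, this is already covered. The `ExecStartPre` script and the `serviceConfig` set continue past the end of the hunk.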
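Review bot: The known-hosts hunk extends a hand-maintained list of GitHub endpoint addresses without recording where the entries come from or when they were refreshed, so the next editor cannot tell stale entries from missing ones and the list will drift again. A comment above the list naming the source and the date of this refresh, e.g. `# from GitHub's published IP ranges, refreshed <DATE>`, would make the next update mechanical. The enclosing attribute (the host patterns this `publicKey` is bound to) starts outside the hunk.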
@@ -3,7 +3,6 @@ with import <stockholm/lib>;
 hostDefaults = hostName: host: flip recursiveUpdate host {
 ci = true;
- monitoring = true;
 owner = config.krebs.users.mb;
 };
@@ -63,6 +62,59 @@ in {
 };
 };
 };
+ gr33n = {
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.42.123";
+ aliases = [
+ "gr33n.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvcqecLfk8TlGFF7JJpv8
+ kjLFNgoNfu9FYRMNG4GSxWL5w+49n6b+GC5ciOC+RJ+N56jfB9JYE0MtbuOmkY5M
+ JUphuvgOCNhTbBJsjnmG9n02evpxZn9HWypNC3oQCvY2K7vHpIxGKR5PyTVKPO0P
+ OOYKAbCLD9F2bmuLaBQ/dFXFQxfu3tjvJI9mYDWBpSkh1mYeMZLw2xxnRZLs0bEO
+ ZWdzxCh9UM/mgb4WYuNED9+sz7MSsaMPAqquarFCguUxhjp6rElGFcNWjXaxA5zt
+ JGS6VompUViVSHjSaQ5/3VRKoIQjr4NOFYQqLpmB5S2OpiggV6I9OpB7QUGlvcYd
+ I3j+1AeK11HuEyPqSwxjNCCrI12bSIo3685BPHbl+AMhWGhzrCkAGcOCbAefreXQ
+ 5v4SaKUIDlCYhN+vyNdlu2jvqQlxfJrPAfBt+jJBK6gMcAEKc7P/Oj4B9Fsl331X
+ s0kWH5G9t6OhO/Of8/kb2/P+YEbM6zi1QQdZAOr6Cg0y4cMt9zxLWknaM4yEDAXH
+ oSM33PTv9DOvBjfxRXqOHqOHRq5ayqZdIFgfLUlPTdbWRkhNzjG8f7k7p32m20A6
+ Kal+OF//I2c9E9vKFzyepyTcnwi3B8+cFJ74+XYaNApdwHSb1BU/+c3O9RJExZGV
+ jtTSbSJHU5esECtAuXy1XH8CAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ sunsh1n3 = {
+ ci = false;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.42.142";
+ aliases = [
+ "sunsh1n3.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo2VCqp6mUbyo3n+1XpKf
+ QavpgRYQyv9wAZzYSYHjxThuLmNb/wERPbWJFMZfAGuku0blKWJISSgFWd9YL7dU
+ pZQZxfqo/9xnS/r0xIKrKSsBiTZt7JZmTQzj1ri11TIO0S1QPjIP5HsxlZZAw0nz
+ idEDlKmgWs74FPdezlXqvJyEUKDqL/ZQBtdhZZIDMkSJnCdBzXxKwv+uLVE46ZBf
+ 4HrtQjcj+dyVMogMIoseAgf5lS6V3pyCM7/NHZFxrIxoIAxSsUoB59i2EbK6aUK5
+ yuiWHI6ZHToxN2K/0SX96hzxcwrUmdk49tTHBY0Zhn2ku6NjQPU3LuxgIwrSaSJD
+ /KWh6XkqR7EsCVN0AIsLvFelI2ckSyNyAlnYbMAHDt7GwHlNp4Lsy+x4ZQ6m0xTY
+ Z+/jt6sfoMiulPcwWEpqNCCf5A65lF77DldQhH3qYrdQ756n/kOqSfQtPCnVNYXy
+ LlN5rKCOgxKxxtKkwMUif2OM9RPHpM7wS09Rvek6zpL9ymhU5THF7UylLKxKGjYj
+ 6dTooyRVQRJdrwIYLrJIy0MfGyYiGAJxf/C0KOOZnJPCW2b51+bo5Zh+BhKZYN8H
+ C2DEGc8+4h5hX1TAaUfTpfVm3mMTh8H2m9N8Pdl5ji+A0m0IwHDLQyaoskcxSjvU
+ 9IxYLfkSD6AJqasnHlz0L08CAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ };
+ };
+ };
 };
 users = {
 mb = {
diff --git a/krebs/5pkgs/simple/github-hosts-sync/default.nix b/krebs/5pkgs/simple/github-hosts-sync/default.nix
index cdfed468c..fbc48fa3f 100644
--- a/krebs/5pkgs/simple/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/simple/github-hosts-sync/default.nix
@@ -1,37 +1,32 @@
 { pkgs, stdenv, ... }:
-stdenv.mkDerivation {
- name = "github-hosts-sync";
+stdenv.mkDerivation rec {
+ name = "github-hosts-sync-${version}";
+ version = "2.0.0";
- src = pkgs.painload;
+ src = ./src;
 phases = [
 "unpackPhase"
 "installPhase"
 ];
- installPhase =
- let
- ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- path = stdenv.lib.makeBinPath (with pkgs; [
- coreutils
- findutils
- git
- gnugrep
- gnused
- nettools
- openssh
- socat
- ]);
- in
+ installPhase = let
+ ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ path = stdenv.lib.makeBinPath [
+ pkgs.git
+ pkgs.nettools
+ pkgs.openssh
+ pkgs.rsync
+ ];
+ in
 ''
 mkdir -p $out/bin
- sed \
- 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \
- < ./retiolum/scripts/github_hosts_sync/hosts-sync \
- > $out/bin/github-hosts-sync
+ cp hosts-sync $out/bin/github-hosts-sync
- chmod +x $out/bin/github-hosts-sync
+ sed -i \
+ '1s,$,\nPATH=${path}''${PATH+:$PATH} GIT_SSL_CAINFO=${ca-bundle},' \
+ $out/bin/github-hosts-sync
 '';
 }
diff --git a/krebs/5pkgs/simple/github-hosts-sync/src/hosts-sync b/krebs/5pkgs/simple/github-hosts-sync/src/hosts-sync
new file mode 100755
index 000000000..a8973e72b
--- /dev/null
+++ b/krebs/5pkgs/simple/github-hosts-sync/src/hosts-sync
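Review bot: The line that `sed -i` inserts after the shebang, `PATH=${path}''${PATH+:$PATH} GIT_SSL_CAINFO=${ca-bundle}`, is a plain shell assignment: `PATH` keeps its exported status because it is inherited from the environment, but `GIT_SSL_CAINFO` is not exported unless the service environment already contains it, so git never sees the CA bundle — the removed version used `export`. Prefix the inserted line with `export `: `'1s,$,\nexport PATH=${path}''${PATH+:$PATH} GIT_SSL_CAINFO=${ca-bundle},' \`. With the default `git@github.com:` remote this is dormant, but it becomes a real failure as soon as an https `url` is configured, and the new build has no test that would catch it.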
@@ -0,0 +1,33 @@
+#! /bin/sh
+set -efu
+exec >&2
+
+hosts_srcdir=$GITHUB_HOST_SYNC_SRCDIR
+hosts_worktree=${GITHUB_HOST_SYNC_WORKTREE-/tmp/hosts}
+hosts_url=${GITHUB_HOST_SYNC_URL-git@github.com:krebs/hosts.git}
+user_mail=${GITHUB_HOST_SYNC_USER_MAIL-$LOGNAME@$(hostname)}
+user_name=${GITHUB_HOST_SYNC_USER_NAME-$LOGNAME}
+
+test -d "$hosts_worktree" || git clone "$hosts_url" "$hosts_worktree"
+
+cd "$hosts_worktree"
+
+git pull
+
+rsync \
+ --chmod D755,F644 \
+ --delete-excluded \
+ --filter 'protect .git' \
+ --recursive \
+ --verbose \
+ "$hosts_srcdir/" \
+ .
+
+git add .
+
+if test -n "$(git status --porcelain)"; then
+ git config user.email "$user_mail"
+ git config user.name "$user_name"
+ git commit -m bump
+ git push
+fi
diff --git a/krebs/5pkgs/simple/prison-break/default.nix b/krebs/5pkgs/simple/prison-break/default.nix
deleted file mode 100644
index 051a46184..000000000
--- a/krebs/5pkgs/simple/prison-break/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{pkgs, fetchFromGitHub}:
-with pkgs.python3.pkgs;
-
-buildPythonPackage rec {
- pname = "prison-break";
- version = "1.0.0";
- src = fetchFromGitHub {
- owner = "makefu";
- repo = pname;
- rev = "1.0.0";
- sha256 = "0ab42z6qr42vz4fc077irn9ykrrylagx1dzlw8dqcanf49dxd961";
- };
- propagatedBuildInputs = [
- docopt
- requests
- beautifulsoup4
- (callPackage ./straight-plugin.nix {})
- ];
- checkInputs = [ black ];
-}
diff --git a/krebs/5pkgs/simple/prison-break/straight-plugin.nix b/krebs/5pkgs/simple/prison-break/straight-plugin.nix
deleted file mode 100644
index 606c60b5d..000000000
--- a/krebs/5pkgs/simple/prison-break/straight-plugin.nix
+++ /dev/null
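Review bot: The new hosts-sync script has no header documenting its contract: `GITHUB_HOST_SYNC_SRCDIR` is mandatory (it is the only variable without a `${VAR-default}` fallback, so `set -u` aborts when it is unset), the whole of that directory is mirrored into the clone with `--delete-excluded`, everything is staged with `git add .`, and the result is pushed to `$hosts_url` — so whatever lands in the source directory becomes the remote's contents. A comment block after `set -efu` listing the five `GITHUB_HOST_SYNC_*` variables with their defaults and stating that the source directory is published wholesale to the remote would make that explicit for the next maintainer. `git pull` without `--ff-only` can also produce merge commits in the worktree if the remote moved in a way the local branch did not follow; `git pull --ff-only` keeps the sync from merging silently and makes a diverged clone fail loudly instead.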
@@ -1,22 +0,0 @@
-{ lib
-, buildPythonPackage
-, fetchPypi
-}:
-
-buildPythonPackage rec {
- pname = "straight-plugin";
- version = "1.5.0";
-
- src = fetchPypi {
- pname = "straight.plugin";
- inherit version;
- sha256 = "818a7641068932ed6436d0af0a3bb77bbbde29df0a7142c8bd1a249e7c2f0d38";
- };
-
- meta = with lib; {
- description = "A simple namespaced plugin facility";
- homepage = https://github.com/ironfroggy/straight.plugin;
- license = licenses.mit;
- maintainers = [ maintainers.makefu ];
- };
-}
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 811eb826e..340b926ce 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "705986f5a986be5c5ae13193b487c7ec8ca05f16",
- "date": "2019-05-18T20:38:59-04:00",
- "sha256": "0zpch2cpl2yx0mp7hnyjd03hqs7rxza9wc2p97njsdzhi56gxwxp",
+ "rev": "e2883c31628ea0f3e00f899062327468a20d1aa1",
+ "date": "2019-05-27T17:09:30-04:00",
+ "sha256": "1xrpd8ykr8g3h4b33z69vngh6hfayi51jajbnfm6phhpwgd6mmld",
 "fetchSubmodules": false
 }
|