Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/hotdog/config.nix2
-rw-r--r--krebs/2configs/ergo.nix13
-rw-r--r--krebs/2configs/ircd.nix149
-rw-r--r--krebs/2configs/news.nix8
-rw-r--r--krebs/3modules/ergo.nix15
-rw-r--r--krebs/3modules/external/mic92.nix9
-rw-r--r--krebs/5pkgs/haskell/brockman/default.nix4
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
9 files changed, 73 insertions, 143 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 6a51bf45f..cf07d3b4d 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -7,7 +7,7 @@
<stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
- <stockholm/krebs/2configs/ergo.nix>
+ <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
<stockholm/krebs/2configs/acme.nix>
diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix
deleted file mode 100644
index db0bc5748..000000000
--- a/krebs/2configs/ergo.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.firewall.allowedTCPPorts = [
- 6667
- ];
-
- krebs.ergo = {
- enable = true;
- };
-}
-
-
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 904878731..c6c91e074 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -1,121 +1,44 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
- 6667 6669
+ 6667
];
- systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
-
- services.solanum = {
+ krebs.ergo = {
enable = true;
- motd = ''
- hello
- '';
- config = ''
- loadmodule "extensions/m_omode";
- serverinfo {
- name = "${config.krebs.build.host.name}.irc.r";
- sid = "1as";
- description = "irc!";
- network_name = "irc.r";
-
- vhost = "0.0.0.0";
- vhost6 = "::";
-
- #ssl_private_key = "etc/ssl.key";
- #ssl_cert = "etc/ssl.cert";
- #ssl_dh_params = "etc/dh.pem";
- #ssld_count = 1;
-
- default_max_clients = 2048;
- #nicklen = 30;
- };
-
- listen {
- defer_accept = yes;
-
- /* If you want to listen on a specific IP only, specify host.
- * host definitions apply only to the following port line.
- */
- host = "0.0.0.0";
- port = 6667;
- #sslport = 6697;
-
- /* Listen on IPv6 (if you used host= above). */
- host = "::";
- port = 6667;
- #sslport = 6697;
- };
-
- class "users" {
- ping_time = 2 minutes;
- number_per_ident = 10;
- number_per_ip = 4096;
- number_per_ip_global = 4096;
- cidr_ipv4_bitlen = 24;
- cidr_ipv6_bitlen = 64;
- number_per_cidr = 65535;
- max_number = 65535;
- sendq = 1000 megabyte;
- };
-
- privset "op" {
- privs = oper:admin, oper:general;
- };
-
- operator "aids" {
- user = "*@*";
- password = "balls";
- flags = ~encrypted;
- snomask = "+s";
- privset = "op";
- };
-
- exempt {
- ip = "127.0.0.1";
- };
-
- exempt {
- ip = "10.243.0.0/16";
- };
-
- auth {
- user = "*@*";
- class = "users";
- flags = kline_exempt, exceed_limit, flood_exempt;
- };
-
- channel {
- autochanmodes = "+t";
- use_invex = yes;
- use_except = yes;
- use_forward = yes;
- use_knock = yes;
- knock_delay = 5 minutes;
- knock_delay_channel = 1 minute;
- max_chans_per_user = 150;
- max_bans = 100;
- max_bans_large = 500;
- default_split_user_count = 0;
- default_split_server_count = 0;
- no_create_on_split = no;
- no_join_on_split = no;
- burst_topicwho = yes;
- kick_on_split_riding = no;
- only_ascii_channels = no;
- resv_forcepart = yes;
- channel_target_change = yes;
- disable_local_channels = no;
- };
-
- general {
- #maybe we want ident someday?
- default_floodcount = 10000;
- disable_auth = yes;
- throttle_duration = 1;
- throttle_count = 10000;
- };
- '';
+ config = {
+ server.secure-nets = [
+ "42::0/16"
+ "10.240.0.0/12"
+ ];
+ oper-classes.server-admin = {
+ title = "admin";
+ capabilities = [
+ "kill" # disconnect user sessions
+ "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
+ "nofakelag" # remove "fakelag" restrictions on rate of message sending
+ "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
+ "vhosts" # add and remove vhosts from users
+ "sajoin" # join arbitrary channels, including private channels
+ "samode" # modify arbitrary channel and user modes
+ "snomasks" # subscribe to arbitrary server notice masks
+ "roleplay" # use the (deprecated) roleplay commands in any channel
+ "rehash" # rehash the server, i.e. reload the config at runtime
+ "accreg" # modify arbitrary account registrations
+ "chanreg" # modify arbitrary channel registrations
+ "history" # modify or delete history messages
+ "defcon" # use the DEFCON command (restrict server capabilities)
+ "massmessage" # message all users on the server
+ ];
+ };
+ opers.aids = {
+ class = "server-admin";
+ hidden = false;
+ password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
+ };
+ };
};
}
+
+
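Review bot: The `opers.aids` password is a bcrypt hash at cost factor 4 (`$2a$04$`), and it is committed to the repository and presumably rendered into the world-readable generated config, so anyone who can read either can run offline guessing against it at very low cost per attempt. That oper is bound to `server-admin`, which carries `kill`, `ban`, `samode`, `accreg` and `rehash`, so a recovered password means full control of the server. Unless the password is long and randomly generated, regenerate the hash at a higher cost or supply it from a secret kept out of git. At minimum, add `# low-cost bcrypt hash, readable by anyone with the repo: password must be long and random` above the `password` line. Also confirm that `10.240.0.0/12` in `server.secure-nets` is intended, since it is wider than the `10.243.0.0/16` the removed solanum config exempted.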
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 84a39f95b..9ea4cbf8d 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,7 +68,13 @@
wantedBy = [ "multi-user.target" ];
};
- systemd.services.brockman.bindsTo = [ "solanum.service" ];
+ krebs.ergo.openFilesLimit = 16384;
+ krebs.ergo.config = {
+ limits.nicklen = 100;
+ limits.identlen = 100;
+ history.enabled = false;
+ };
+ systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = {
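Review bot: `systemd.services.brockman.bindsTo = [ "ergo.service" ]` and the added `krebs.ergo.*` settings depend on some other file setting `krebs.ergo.enable = true`, and nothing in this hunk enables the daemon. If news.nix is imported on a host without ircd.nix, brockman would presumably be bound to a unit that does not exist and never start. Consider adding `krebs.ergo.enable = true;` next to `krebs.ergo.openFilesLimit`, or a comment naming the required import. The enclosing module starts and ends outside the hunk, so an enable elsewhere in news.nix cannot be ruled out.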
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 3153e4cfc..50c5ab628 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -2,6 +2,13 @@
options = {
krebs.ergo = {
enable = lib.mkEnableOption "Ergo IRC daemon";
+ openFilesLimit = lib.mkOption {
+ type = lib.types.int;
+ default = 1024;
+ description = ''
+ Maximum number of open files. Limits the clients and server connections.
+ '';
+ };
config = lib.mkOption {
type = (pkgs.formats.json {}).type;
description = ''
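Review bot: `openFilesLimit` is declared as `lib.types.int`, which accepts zero and negative values that would only surface when systemd parses `LimitNOFILE`. Use `type = lib.types.ints.positive;` so a bad value is rejected at evaluation time. The `krebs.ergo` option set continues past the end of this hunk.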
@@ -54,8 +61,8 @@
multiclient = {
enabled = true;
allowed-by-default = true;
- always-on = "opt-in";
- auto-away = "opt-in";
+ always-on = "opt-out";
+ auto-away = "opt-out";
};
};
channels = {
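Review bot: Flipping `always-on` and `auto-away` to `"opt-out"` changes the module's built-in default for every host that enables `krebs.ergo`, and the hunk carries no comment saying why. With opt-out, registered accounts stay present on the server after their last client disconnects unless the user turns it off, which changes what others see about who is reachable and lets per-account state accumulate. Add a comment such as `# registered clients stay attached by default; users may opt out` above `always-on`, or keep the module default at opt-in and set opt-out in the host config that needs it. The surrounding defaults block starts and ends outside the hunk.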
@@ -111,13 +118,15 @@
systemd.services.ergo = {
description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ];
- reloadIfChanged = true;
+ # reload currently not working as expected
+ # reloadIfChanged = true;
restartTriggers = [ configFile ];
serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";
+ LimitNOFILE = "${toString cfg.openFilesLimit}";
};
};
});
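Review bot: Commenting out `reloadIfChanged` while keeping `restartTriggers = [ configFile ]` means every configuration change now restarts the daemon and disconnects all clients, and the comment `reload currently not working as expected` does not say what fails. Replace the commented-out line with a note that records the symptom and the consequence, e.g. `# TODO: SIGHUP rehash fails with <symptom>; config changes restart ergo until fixed`, so the restart is a documented decision. Separately, `LimitNOFILE = "${toString cfg.openFilesLimit}";` can be written as `LimitNOFILE = cfg.openFilesLimit;`.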
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 349a6c343..cd11fb2c5 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -526,8 +526,10 @@ in {
};
turingmachine = {
owner = config.krebs.users.mic92;
- nets = {
+ nets = rec {
+ internet.addrs = [ "turingmachine.thalheim.io" ];
retiolum = {
+ via = internet;
aliases = [
"turingmachine.r"
];
@@ -678,7 +680,9 @@ in {
jarvis = {
owner = config.krebs.users.mic92;
nets = rec {
+ internet.addrs = [ "jarvis.thalheim.io" ];
retiolum = {
+ via = internet;
aliases = [ "jarvis.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -697,7 +701,9 @@ in {
bernie = {
owner = config.krebs.users.mic92;
nets = rec {
+ internet.addrs = [ "bernie.thalheim.io" ];
retiolum = {
+ via = internet;
aliases = [ "bernie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -719,7 +725,6 @@ in {
};
};
-
ryan = {
owner = config.krebs.users.mic92;
nets = rec {
diff --git a/krebs/5pkgs/haskell/brockman/default.nix b/krebs/5pkgs/haskell/brockman/default.nix
index 01b7a0570..8a2311a2e 100644
--- a/krebs/5pkgs/haskell/brockman/default.nix
+++ b/krebs/5pkgs/haskell/brockman/default.nix
@@ -7,12 +7,12 @@
}:
mkDerivation rec {
pname = "brockman";
- version = "4.0.2";
+ version = "4.0.3";
src = fetchFromGitHub {
owner = "kmein";
repo = "brockman";
rev = version;
- sha256 = "sha256-EKXKhGdIJRbRklD5zxJNGhOxqPzog4f9NMXo/c8iBGc=";
+ sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw=";
};
isLibrary = false;
isExecutable = true;
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index cab3ab115..29b3178c8 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "59bfda72480496f32787cec8c557182738b1bd3f",
- "date": "2021-12-31T15:09:52+01:00",
- "path": "/nix/store/wy2iidg15nwgmn8xir8fbr1lfz1hqphb-nixpkgs",
- "sha256": "18akd1chfvniq1q774rigfxgmxwi0wyjljpa1j9ls59szpzr316d",
+ "rev": "0ecf7d414811f831060cf55707c374d54fbb1dec",
+ "date": "2022-01-09T09:46:51+03:00",
+ "path": "/nix/store/msdcl0dhi6480vnsmv7vgpif42wj2al3-nixpkgs",
+ "sha256": "00xbm9lrivsj2w1jks2cnk5brbg5kvxjfj23kq0qyr8nvh57wln9",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 43f298973..f34cfa32b 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "d1e59cfc49961e121583abe32e2f3db1550fbcff",
- "date": "2022-01-01T22:20:39+08:00",
- "path": "/nix/store/azrxsxpszjwgg75jk1pkzlzjcj0qnw8d-nixpkgs",
- "sha256": "03ldf1dlxqf3g8qh9x5vp6vd9zvvr481fyjds111imll69y60wpm",
+ "rev": "79c7b6a353e22f0eec342dead0bc69fb7ce846db",
+ "date": "2022-01-09T23:59:32-03:00",
+ "path": "/nix/store/41cc41pyszadfgkddrp6dv11wkkmq5ji-nixpkgs",
+ "sha256": "1ihlj5wrzx151zhyr0vbiwyvhhc4g9chbaz4dy2a2i2v9fwwhjl2",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,