diff options
Diffstat (limited to 'krebs')
29 files changed, 523 insertions, 197 deletions
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix new file mode 100644 index 000000000..8250ebad9 --- /dev/null +++ b/krebs/1systems/ponte/config.nix @@ -0,0 +1,11 @@ +{ config, pkgs, ... }: +{ + imports = [ + ./hw.nix + <stockholm/krebs> + <stockholm/krebs/2configs> + <stockholm/krebs/2configs/matterbridge.nix> + ]; + + krebs.build.host = config.krebs.hosts.ponte; +} diff --git a/krebs/1systems/ponte/hw.nix b/krebs/1systems/ponte/hw.nix new file mode 100644 index 000000000..78f7a603e --- /dev/null +++ b/krebs/1systems/ponte/hw.nix @@ -0,0 +1,14 @@ +{ modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.efi.efiSysMountPoint = "/boot/EFI"; + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + copyKernels = false; + }; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + fileSystems."/boot/EFI" = { device = "/dev/disk/by-uuid/628A-7F3B"; fsType = "vfat"; }; +} diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix index fa4488800..bf3fe711e 100644 --- a/krebs/2configs/container-networking.nix +++ b/krebs/2configs/container-networking.nix @@ -1,7 +1,7 @@ { lib, ... }: { networking.nat.enable = true; - networking.nat.internalInterfaces = ["ve-+"]; + networking.nat.internalInterfaces = ["ve-+" "ctr+" ]; networking.nat.externalInterface = lib.mkDefault "et0"; networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; } diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix new file mode 100644 index 000000000..a68aa292c --- /dev/null +++ b/krebs/2configs/matterbridge.nix @@ -0,0 +1,40 @@ +{ pkgs, lib, ... }: { + services.matterbridge = { + enable = true; + configPath = let + bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>; + in + toString ((pkgs.formats.toml {}).generate "config.toml" { + general = { + RemoteNickFormat = "[{NICK}] "; + Charset = "utf-8"; + }; + telegram.krebs.Token = bridgeBotToken; + irc = let + Nick = "ponte"; + in { + hackint = { + Server = "irc.hackint.org:6697"; + UseTLS = true; + inherit Nick; + }; + }; + gateway = [ + { + name = "krebs-bridge"; + enable = true; + inout = [ + { + account = "irc.hackint"; + channel = "#krebs"; + } + { + account = "telegram.krebs"; + channel = "-330372458"; + } + ]; + } + ]; + }); + }; +} diff --git a/krebs/2configs/mud.nix b/krebs/2configs/mud.nix index 30f232b64..a53596cc6 100644 --- a/krebs/2configs/mud.nix +++ b/krebs/2configs/mud.nix @@ -5,7 +5,7 @@ MUD_SERVER=''${MUD_SERVER:-127.0.0.1} MUD_PORT=''${MUD_PORT:-8080} - if $(${pkgs.netcat-openbsd}/bin/nc -z "$MUD_SERVER" "$MUD_PORT"); then + if $(${pkgs.libressl.nc}/bin/nc -z "$MUD_SERVER" "$MUD_PORT"); then ${nvim}/bin/nvim \ +"let g:instant_username = \"$MUD_NICKNAME\"" \ +":InstantJoinSession $MUD_SERVER $MUD_PORT" \ diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 1f966bf24..9e2cec10a 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -164,7 +164,7 @@ if [ ''${#youtube_url} -eq 24 ]; then youtube_id=$youtube_url else - youtube_id=$(${pkgs.youtube-dl}/bin/youtube-dl --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id') + youtube_id=$(${pkgs.yt-dlp}/bin/yt-dlp --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id') fi echo "brockman: add yt_$youtube_nick http://rss.r/?action=display&bridge=Youtube&context=By+channel+id&c=$youtube_id&duration_min=&duration_max=&format=Mrss" ''; diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 305d31405..205cc96f4 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -148,6 +148,7 @@ in { services.nginx = { virtualHosts."agenda.r" = { + serverAliases = [ "kri.r" ]; locations."= /index.html".extraConfig = '' alias ${pkgs.writeText "agenda.html" '' <!DOCTYPE html> diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix index 0743f2b49..b1a492f51 100644 --- a/krebs/2configs/security-workarounds.nix +++ b/krebs/2configs/security-workarounds.nix @@ -1,6 +1,4 @@ { config, lib, pkgs, ... }: with import <stockholm/lib>; { - # https://github.com/Lassulus/CVE-2021-4034 - security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" ""); } diff --git a/krebs/3modules/acl.nix b/krebs/3modules/acl.nix index 9cdbb6cff..d23706499 100644 --- a/krebs/3modules/acl.nix +++ b/krebs/3modules/acl.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: let parents = dir: if dir == "/" then - [ dir ] + [] else [ dir ] ++ parents (builtins.dirOf dir) ; @@ -40,13 +40,16 @@ in { pkgs.coreutils ]; serviceConfig = { - ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings ( - lib.mapAttrsToList (_: rule: '' - setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} - ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} - ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} - '') rules - )); + ExecStart = pkgs.writers.writeDash "acl" '' + mkdir -p "${path}" + ${lib.concatStrings ( + lib.mapAttrsToList (_: rule: '' + setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} + ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} + ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents (builtins.dirOf path)))} + '') rules + )} + ''; RemainAfterExit = true; Type = "simple"; }; diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index cc67c1a0a..bf0b82de0 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -306,7 +306,7 @@ in { nets = { retiolum = { ip4.addr = "10.243.42.63"; - ip6.addr = "42:4a6f::4263"; + ip6.addr = "42:0:4a6f::4263"; aliases = [ "crustacea.r" ]; @@ -563,28 +563,28 @@ in { }; }; }; - alsace = { - owner = config.krebs.users.xkey; - nets = { - retiolum = { - ip4.addr = "10.243.73.31"; - aliases = [ "alsace.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAn9mZHXfUcR1/oby6KB1Z8s1AAuie4l5G624r0UqbWu+4xowFIeZs - kv2dqd+yiqammAA9P207ooLbGBp+P6i4f5VMCemkCnv0sC1TJ+DNwYqWYcFRZE7I - j00fw/QI9d6L1c4CqZHJPQXEHG3v46qPuUow8FDJ6fjoBmy6biHjSd0XC7oHGqRh - GE5RolnqUiQhW0b4TkHJV4yUfVki+olxQtYd4xIHs1hcSqoMK898jsPX5cLgoCzR - NPZVyHf2BM0urPn4mu/th4ZDKpQtrqeI7h6yhnzJ0onhtValwHiA3/DcHcWmYvHC - vw6umyiCqFDx2kmzOnpkBWv65ugKUwDSZR8ibp3q7W9iPBiCPv0FtKXsQW9EngSS - asQWC8U6cB23nKuMYQrtD33fVwYn58FBIY6+avroc7XN5cPM/9VBHqyXSDZNAWtt - TwC/sXFWqT6AbTwLV6zY1TW4jiwKOh3KAVnHqQhUhNlEMk6EFOjR1CABSwUVXleR - 5whr1RbKAsrhqMprGKHndvxLXjbKSh6A0bVdOLOzSs7BME2Oi1OdHd6tqqYmcyuV - XQnFcOYKxF0RM83/V8rEgvVisIxXTGVrGw8Kse7PGFA1dGldptTC6kofLUxzADNw - bRnXtRk8VR0BBzTuPNDgUXL2XQLht6FwDKCA/En2vId98yc2uuDk468CAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - tinc.pubkey_ed25519 = "lPvwNm2mfF+rX3noqt+80c7nlDCpC+98JPLWx2jJRLN"; + rojava = { + owner = config.krebs.users.xkey; + nets = { + retiolum = { + ip4.addr = "10.243.23.42"; + aliases = [ "rojava.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA3Xafx5PYDNRxRwWGo25paveBgEFQYWWOg5YYcqSlBsUzWkEwZPdd + B0O8xJDIS3SDZrDW5aC43RGe+l6L68OBzB79DNAhxcdzzDQkAqI4IsaWBzgEFIbb + HG+Asx2ZN1biykCR4GN77JYGwa7RrCgsA3LdT6ICGPWbLU3M/QeaIbTooDq/PF61 + Eu8i/S/qqhC/KBDq9CXL+amiyjoe4l+iLIKtCmvJZge1v8cc9n4iHqfP1JPXMPrD + lu9Mshxy8um62oaC/jvyw9R511LaEcT/Hvxi030tiL/H/1dOIhx+4RJsapHGw4LW + +ud1UAU8WXSRmYqeRw11+obZycnxZF0R0xEKGVIxCnf+vAriEM2iqruRKP1gYVzs + 3DW+dq5eirkzdmJZsTY3lX+q/hR9lfzQFuq9G6lrqKyx5L7FZNCMviMfw63TfHF2 + vV4D77hrRH1yp/c5UUo8H9j9/u62JyZ/pSszjKgVy+nSD+zJ6waEZWip7T8V/pmx + HOTIZC5xGKyxX/6DTVU7YJzLlaiZLJ3RudNrTXY9w24NEhum5A7BaEmyJbbqRdx+ + XJ3+vf9jPCW9wUGKO5vsu67x/xy8eEVx7Tm5aVWlpXGvlfTiOvhUCPNDOa/HMYp4 + yuy4xLEIhAlt7jI02aYe3Cj3CbJEYdNJj+qBPzpfKCuCyATQzGmgaq0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "WuvA0epfMZnPysLc+oKQydgWAz9/Mc+fM1DujeKj65F"; }; }; }; diff --git a/krebs/3modules/external/gpg/kmein.gpg b/krebs/3modules/external/gpg/kmein.gpg new file mode 100644 index 000000000..1fa694326 --- /dev/null +++ b/krebs/3modules/external/gpg/kmein.gpg @@ -0,0 +1,30 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBF0GDc0BCACZi+PQgX6Lefq/36X68W+XEyA2fWbMPJE1vAHETlzcMluOIL++ +6KRYqGr0ieFcaXNn4joNDN7cFMN0YHF2Rr7k6SWjOtcHS1RnZ8g/N+uxEvTBug60 +tRbhcO80rnHHb25jloV//wAAWD2ukTtwXWAMVBXwEXMc1JBOlFXcIDlNPdBMJG7A +/5+AKMXg8HYUSbsad1SyagZbo9KuC/s4BVReBr4vK/zTo1gIwy95dQrBnC31O7Wa +/s9CpNG//QJAbAxMN15P7Yo9xxG/AALjPSnKamp3yJsSiSyxhXImXEZtxU7ahq3t +/DzuI2BbIv3Nj/39IZLgETrplzKUnWV18TzdABEBAAG0HUtpZXLDoW4gTWVpbmhh +cmR0IDxrZm1Ad2lsZGU+iQFOBBMBCAA4FiEEnt6CzHKjQ6lSZtD0RIVwdKOsyLcF +Al0GDc0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQRIVwdKOsyLfHDQf/ +YLaprugBmzaCvAGADzdgSrQJyFY2BnncVH1b/0HQ1p1smrcvKqbCXxlUmrWM896B +7xHpcDPz/mMfNPTvSrcUHgqVkiiSsSzno1RCmeHKMiUaR/M6Ik59aa/EzxJf/QDT +3QYy3mFIj44M0ZWjRZJ/3RhVT6QxaUh7fRNzduVE0LH6suybPcTcnIUGSURKwG9F +cTXtMJA3+7UGj/emHk8yaFOWMJDY6h7rnXxiD5xcxapjrygFFNfAuaA2NcY3HEeG +yOVYGwPQhwFWjbUhC1RIYu2fz7fkD11zQ22gt0aEn5fqiIVssBEvHJqNp577QxO4 +6q4ag1Js/gbus6PfQzlvqrkBDQRdBg3NAQgA1ewP1suBTB5UxyqEl7fpisD6hZ62 +9TDQUSn2yfxa8W1wtTH5i1Mw0p5e/+vPFqfu2TMSPoqASq9sDjeWSsiCdtaHbLu0 +y1W5hhQwGcxqauFJBSj/VpDnKd38inOvbW5PwDqZBqnbRZOpsdvsQ2dlaS0/5AJa +RqJXNRc7Owg3ssqeBuhvZKeiPNADn3k9ZbAYNfDkYPJDbHTNPd8eu44vlBlMC7kX +IkucV8zV31x9lCZx0cjI+OQbd/4GOSxBKqjBX5SBUQAlzHUT2CLoeKkivxbnHH40 +gV1PP/3QVVMJjkAot0v/n95KRj78iYOU2PrP5DiPogtLO4v14/lE3eaENwARAQAB +iQE2BBgBCAAgFiEEnt6CzHKjQ6lSZtD0RIVwdKOsyLcFAl0GDc0CGwwACgkQRIVw +dKOsyLfjegf/bX4MkzqsIOOAcmVla7M29Uk0HX5j4dK5t4Z7kx8OnhbYUMr8vr1w ++2D5HiaV2kib5yhI17z9lL6vKyIWwTdf93zS+ivV+IUpxbx/KAdr83dd7B3RCdU7 +GFMzj7f3ieGQYOXw7pROZQR1zF90H6AtW/8qvOs73hSdcnQOtnmntvY/S5ifnzxi +jpsOgjM7VD+BWsmhmYw7E4FiZOaLfoRsylyj5I+Sim2j9Xnu6lYvcgBXvwIqfunO +O/gY21iomMwQm4mlXsFVRfSzRE4zlNASql1zcS1mbO6yeKJDKJgzqvWkcjd3OOuF +e67yzkzlwiVDJIjhV6B0tRCDIqiOaiS3vw== +=pwUK +-----END PGP PUBLIC KEY BLOCK----- diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix index 6e4457eae..09a95f02e 100644 --- a/krebs/3modules/external/kmein.nix +++ b/krebs/3modules/external/kmein.nix @@ -31,6 +31,28 @@ in }; }; hosts = mapAttrs hostDefaults { + ful = { + nets.retiolum = { + aliases = [ "ful.r" ]; + ip4.addr = "10.243.2.107"; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAwoaPWvnl+g9KYh8coXj/RAaxGHEtbuTG2NpWxbeJG0CemxBoYz2c + EE/2JbGRrSaNj3nrFWBTqmTuEB7nHyurFe06G0t+Or5eCBPg2zS5LiQE/LTZV08t + 5jUm0jfOQHWbtCMrFGisH9R9Z3XId5cJGN1KsYg4R9RkKIKVVhKJ7maBWbsc+V5G + LxKEdDL7T4AfesQzzlAYUQ/s+zHlwJ2fyl3NrBg6Nc27C2A2g9pefhJbn0h8lWdn + I627DIrjDMvoSTiF1MKD/N4bXbF665gflUxbI5DTTHCtWf+0lP9i8mXP0kXQU4By + 2QLdcpQzlHgnprI+qio1ioKuojcPcryYaOnpQWFHL6AqHzkRJRpMLPBhgQPbpz1v + BaShxGBasSHO+Htw5PbwrNwWvU8eH5joRQu3PBgzATS9M91RN58i03u2oQMt3Qif + e5USnfk3iYir/qkJWJk8m2kveZy0giI8AaRISu0jXNsB8euQXP2dxTKIF3BPEi5m + MZKTGTS4Tz3alpHWaeJtfJT0ihq4HME91rTKgP+CIHWYR4hmTPyYgrX0mm2MN+wi + G4vJXtcmBaCdcQZ1buCBVWJCUJ0bWZ3Fs4Ohjw6bP3iyb+Q5UOcXNyOi5NpaUbAi + 47F5O6hvEWPxHRhvPD/9NASjRSxaUDbBVj5lieUXCHnhMSAHo1H3kHMCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "id5vF2fBwUCMrT5HLvIpeXmvQMQoksUBYXOdc9RyOUF"; + }; + }; kabsa = { nets.retiolum = { aliases = [ "kabsa.r" "kabsa.kmein.r" ]; @@ -116,6 +138,28 @@ in wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ="; }; }; + tahina = { + nets.retiolum = { + ip4.addr = "10.243.2.74"; + aliases = [ "tahina.r" "tahina.kmein.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAtX6RpdFl9AqCF6Jy9ZhGY1bOUnEw5x3wm8gBK/aFb5592G3sGbWV + 5Vv1msdLcoYQ5X4sgp3wizE5tbW7SiRVBwVB4mfYxe5KSiFJvTmXdp/VtKXs/hD8 + VXNBjCdPeFOZ4Auh4AT+eibA/lW5veOnBkrsD/GkEcAkKb2MMEoxv4VqLDKuNzPv + EfE+mIb/J3vJmfpLG/+VGLrCuyShjPR2z0o5KMg8fI4ukcg6vwWwGE3Qd8JkSYMz + iy9oIGo/AJNyOUG0vQXL1JU/LFBXKty515UmXR2hO/Xi1w92DT8lxfLYRgoseT2u + i4aHmfl49LGkpQVIFejj6R0FrZBd5R2ElmQbmxSKS1PO9VheOOm02fgVXRpeoh6R + FdDkFWWmELW921UtEB2jSIMkf5xW8XmlJlGveaDnkld07aQlshnnOUfIs3r7H+T9 + 9g1QxiE7EFeoLrfIkgT81F+iL6RazSbf9DcTxvrKv+cZBrZKdcurcTtX0wFFD4wZ + 0tzYPTcAnv/ytacf2/jv/Vm3xNFyjrBLM6ZtJtZ6NAJvD+OW4G/o2941KCu1Mqz/ + VFAJW3djrqfASNCU1GqtHV0wdJMN8EszDNYdJ7pyw6+rG2PeYCVfE7wNe3b6zYqY + tUYhU1xkQQD4xgOMX3AdSI/JGjxMBBKlJXafwdDW8LMBWBPt+9Xq2vMCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "m8fnOzCx2KVsQx/616+AzVW5OTgAjBGDoT/PpKuyx+I"; + }; + }; zaatar = { nets.retiolum = { ip4.addr = "10.243.2.34"; diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index b62ece0c7..d63a6b306 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -160,6 +160,26 @@ in { }; }; }; + rauter = { + owner = config.krebs.users.mic92; + nets = rec { + internet.addrs = [ "rauter.thalheim.io" ]; + retiolum = { + aliases = [ "rauter.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArpSEoqFUdjaLiR3MpBlEoR0AOyaHPY9IPG4C5KsrfjeMDdfpOEGu + G0VHksBbkDV/MIgUVlK1B7LxZ73WUwKKB1YWGtY+QVX1tzoUqYwjMhp/xFVybyBw + M7nmTnM6Uq9Xd+S5mNMmOdvgNXfiP+zy4+iHJpn8YN/RnuyETqXhvVW9UasqVlmz + cY0dl+wsYFsJDnGc2ebpx5dzfpPgZKIFc0GlqDX0AqdQ2t2O9x4G5sFyUH0qPnDQ + 776it6NXhwSKfl1h9xjQp8+qowIUlUqKgiVXfAzXHSxWmVQyxilCAkEk4vSs1HOj + ZNiK3LJKWEsy61hMt6K6AqpvSGlOdGa8WQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "bL0slCR9oHx7FBeVb4ubo/bX8QJJBgchVKVSlWh3y1D"; + }; + }; + }; eve = { owner = config.krebs.users.mic92; extraZones."krebsco.de" = '' @@ -453,6 +473,7 @@ in { rock = { owner = config.krebs.users.mic92; nets = { + internet.addrs = [ "rock.thalheim.io" ]; retiolum = { aliases = [ "rock.r" @@ -783,6 +804,26 @@ in { }; }; + mauricehome = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + aliases = [ "mauricehome.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwFmnVmH2n3sa/iJE1u7kSWHMW2nx66wnq7ZA2XF5Wt1hiky4BKBj + jxIIdXHlSmARhDSCMgBKl9Z6/8PsmCK3xEO8q60oTsT8PQIhN3eSF8n92iK3dyKx + PyUsUUHjkqkNtmo/M70T4gAEuB1b/QRkATco/pTv+lMVkYdIydtdALjSxU0YrTiz + J5Ntsngi9+yUJ5g3r/lCuWobKxd5Dlsx3nXg81jTsp9hlXW2HC0XTbOSyH2NC36C + 97Kgx2T25cG/FPhtQztQOems+FhbyJTFyZTGa8v/5rXeJlwcVFRh8sZ7E5yPzbJV + ZlBaorcpRtx8NY4jd8FnZftHF0BeAQJoYwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "ohFUBMdmgS/DMe24sZ1+jNWzx65jCxto9pVjPnYIqzL"; + }; + }; + }; + mickey = { owner = config.krebs.users.mic92; nets = rec { @@ -871,6 +912,163 @@ in { }; }; }; + + jackson = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # jackson.dse.in.tum.de + ip4.addr = "131.159.102.3"; + ip6.addr = "2a09:80c0:102::3"; + aliases = [ "jackson.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "jackson.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA11g2uc9+tw1Bmvs4U6gsyimZ1hR1rnWTJw8CDRw6t7gx0HhRnRgB + 0Fv11KjFGbImrcZ1wxCOJA+RQise18YnlpWIwYf/nDPGR21a1wcg3ZxVRa3/UQzb + pvbTFqK9NpPt7ENWs25ZLnatTFfc+D3kfoUSrwIVGKAaM87GlMkTH3FsARo4xj6H + NJeQ2snOIbLQ3xXQm3oZ5YN4CN30mtrcae+jIMlKnagBuDjP9UZ73GLHu1gJAPb6 + iXdBK6/UTGY9uYKNHXnpf11I4rPSPK1r/6KxS1sX65hh4BT5Fs5goRhVqIeeICVJ + Ufnwj7se3Ao24nLXyTRmVXaTEVN/AqPyyQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "cjYmx4Bb0JjogXNov+wSiPPIHM06n1jQnPJbP/E1yRN"; + }; + }; + }; + adelaide = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # adelaide.dse.in.tum.de + ip4.addr = "131.159.102.13"; + ip6.addr = "2a09:80c0:102::13"; + aliases = [ "adelaide.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "adelaide.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzxKKd1dV+XDUV8pHqkAtbLcwEZVsf0kK+y5X/zbZcXEZhQQv6/dY + YJRoNG3lo8+7FMwYO2b2uyIkO1PopsORMAA2vIFaKJ2Qnt7byuIQ6n9CafIADx1M + dVf+cwUhY8IVIX2ndz9pIAY8NhmzEcjG5vGKxRqev1zNwa1LtsLDLObhkKYznM6y + HV5F92GONMeNOovHCxIYsSJ8jLn8BB60toADzocgzKvCiEw4IwKnzL/au9RGY4Xi + 25YXBzF5ai84e+HyaGGGD/qa4SqL9/jCkDB7QAwRqb01wGhtTLty+ubjzh1HF3am + zpizPVNwBTqHW1S3W1i/yi5a5w4D/zdrRQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "YzB5BqgIQ4f209B2KhpdHu6gRYj5IS64zy1wneq/yiG"; + }; + }; + }; + christina = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # christina.dse.in.tum.de + ip4.addr = "131.159.102.14"; + ip6.addr = "2a09:80c0:102::14"; + aliases = [ "christina.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "christina.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA2pP2uCuvFWKfUwYIOcmPkqG8q/rNNyfw9C39tIC0VsDD6WJ0I7xZ + S57AiG4j6OZwbv7/89qAR94SM4Q9LgmVHhUHf06gPhO0MTVNt0N1PrOnfxeCOlgK + aH6DWZVhiwwiYwAJ55CVNFSkuL7/FtJAkAXmP0Y+xmn0mi1GpMa6RfSazqNPkXik + HdB7u96D7Ul75yPdTDi0dvMvCxQGo4PQBctheNPY61s7P1/7tRhBT+22iJn3v2Bc + Q9qLa6WuGIuFYCxT7GDGrKVu+V9VhFJe42p8yyIscqFagc61C/whN6v7eOh22gSR + 8EbaexJIQ5xl8ZIJto+fr8MvYAQR4FpopwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "/W10YGvcWZnVxCB6pxsC2D5A7QMk1Aw81YWi1p0Ex9O"; + }; + }; + }; + wilfred = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # wilfred.dse.in.tum.de + ip4.addr = "131.159.102.15"; + ip6.addr = "2a09:80c0:102::15"; + aliases = [ "wilfred.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "wilfred.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAtQMC/LTfesg49VU06TFt3ikA9cdXuWzvg1FkCo6yXBlQt8fLFYg1 + YBthh7W6CZYJwf6lGXUBtCiOnxidoQ89Fq61AQGGYzW8G/vqHwFaPGHQ42Eru+XG + RDi7ZjqOibdTemahX7gcDk6irB9WbkuXIS15n5FdQHhmjiun3zaEMoWpyiSM1HFQ + UfJLI8pRtB65RTdT3yp8XMASldTAlSlFj2AYlDZkgcRYLZuVWb/Wz7EewG4SiB9T + wZ1pUIhdnGNdb37S/VIjMPavaV4HK7u7awqwaaIRUYwWloCo8LGRDCXa3iEMql7J + tI4iMEsmjHi8P5mQp4ZwwNLWucdM9+Wt6QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "5dMnJmUDmCnN/3dc7fTPlXweMmbs6W+VgSgZi+p+u2B"; + }; + }; + }; + river = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # river.dse.in.tum.de + ip4.addr = "131.159.102.16"; + ip6.addr = "2a09:80c0:102::16"; + aliases = [ "river.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "river.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAumAOQf8/nv2Ml082e7fgoicoQ7stspsx8v1bkoubW9yq/LbdcTki + cP6uZkLBXgd9cPq4vhSso/kaGn6UzPWeUCLv17gPn6jFlB1AYN6mJNLOxJyotajc + 78SyqzDyZ4iA0W44w98ic5yWQ/uaF3q3npFlHtAN4fD0aw50uR+2TgH5zCB8iNul + CNIRWU9sp1t6VFYSN49tcqZ4j6jb6q/MyH5o5WLPasnq0SzQd09rnhUax7QLbIBP + iNBYLOFYMYmoN1WlPwZf1Dt6NeFGyNn5aWE3xtOG6FYwzzCEXYOxxdXzuL5Mmiv9 + 6d71+XWEAzNT9OQB3oGCLAamT+9le7SqnwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "gcgEqGyhO4S7Q44vID/cpbbVaLSNYov97oGwa3pSI4N"; + }; + }; + }; + jack = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + # river.dse.in.tum.de + ip4.addr = "131.159.102.17"; + ip6.addr = "2a09:80c0:102::17"; + aliases = [ "jack.i" ]; + }; + retiolum = { + via = internet; + aliases = [ "jack.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAx5ROeRs0CxD2IPfkrFB4O03/Kf8Ajjmd/J1gpCvHROKL+gDvaCO1 + 68RbTdC1f5K6Dwc51oX87XisrD435aNCqnlE8fw1X8ZYLKRlZmLDBJGSupm35jj3 + w80L9OTK07I3cK6AqCfRWyI9Ja6J9PGOT95h8OtiAPlYssEkSqGJrtwe61V5rq1A + st7khZO0b+xYsr+ZgOVuZMDAco9DwG7NFfpWkzAgTF6q0a+kdjFrFb6SaeJJf12t + WUGWEkaTP5iLQ/h3M+a7MH0Col+aPNEWE4ycqZR9U3E4pMqoD7tjkYdYtv9kR/j+ + ZtN2Vlw+hKC47DA3zRNRcg7DC+FFDNFaYwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "vmtUoblzicabsNFu7u889cF9pgBKoJpHHIhY8Y/eQgC"; + }; + }; + }; hal9000 = { owner = config.krebs.users.mic92; nets = rec { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 3bab13b0e..7007090c0 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -125,8 +125,8 @@ let (interface: interfaceConfig: [ (map (port: { predicate = "-i ${interface} -p tcp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPorts) (map (port: { predicate = "-i ${interface} -p udp --dport ${toString port}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPorts) - (map (portRange: { predicate = "-i ${interface} -p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPortRanges) - (map (portRange: { predicate = "-i ${interface} -p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPortRanges) + (map (portRange: { predicate = "-i ${interface} -p tcp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; }) interfaceConfig.allowedTCPPortRanges) + (map (portRange: { predicate = "-i ${interface} -p udp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; }) interfaceConfig.allowedUDPPortRanges) ]) config.networking.firewall.interfaces ); diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 5e0e69924..854176f0b 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -74,6 +74,7 @@ in { aliases = [ "hotdog.r" "agenda.r" + "kri.r" "build.r" "build.hotdog.r" "ca.r" @@ -160,6 +161,46 @@ in { ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe "; }; + ponte = { + cores = 1; + owner = config.krebs.users.krebs; + nets = rec { + internet = { + ip4 = { + addr = "141.147.36.79"; + prefix = "0.0.0.0/0"; + }; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.4.43"; + ip6.addr = "42::443"; + aliases = [ + "ponte.r" + ]; + tinc = { + pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA52Glj/C85oMy3cnaRAtg2qkleaJFWiqwaQNUsk4JgX1PwZJ8aInD + YAMXj0H0wz7h3mh5QVRDq4i11LXOIy1P6J6QAvb3lssYnFfJkR9j/dArCIFsEhHf + V41E4KMcHV9t17xO6wQitXqzvcmxodxly8qAx1k7ddlGdQPTWXVvQTRgWBwm9oQ9 + w0d5p2fej/E5iOmbLyVjiJ72rFJIQdfPo782W78ZQftMSXsnyrr5OJu1b4qsga1Q + fYiAKjNE29OPiw5hLy9W/jLJMm0eR94LpUy0MZ5hYkYmvII1TqIqxVgj48gYfJ5v + QCjU9R2H5pUNfDiYutCqscRn5YDe44dcYBeG8Rkf0i4BTdqiE7h1AIciccXsJddt + HFxbWqi3HDoWlo7cFK9vYVUi4jgQP5cUVP85I43aDu3S3M3mszk1nyP+gDobE5Z9 + jPGckgn7wTYXlDioIlExJJ6FCaSWSxvh0Zh0HDrTD+WKP6qJ2aYnAz2xptiQGNCu + rYEvFoWd5T7VMzI02Z2hCiE2fFWlH63Am1tKspFKl+lHjwMrwcwFA5WoNHCeXx2X + S1T3I7P4SkRZervYJ55wQxCBKLgvZP2I1J1JzMkyuTszg9tex14MdVdZZrKXVrnr + exCMJruliLbZmtrbHHTXoCngppylnJOxKXpfpogLTZzLGncO6Ry5G18CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + pubkey_ed25519 = "0l+q3Bg5gYcw8VDjSYV7+wVSO3t4Es5jizAYJ9UR8cA"; + }; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEw9fo8Qtb/DTLacdrJP7Ti7c4UXTm6wUUX+iRFweEo "; + }; puyak = { ci = true; cores = 4; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 25125157d..b05e774b4 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -129,6 +129,7 @@ in { "c.r" "p.r" "search.r" + "radio-news.r" ]; tinc.port = 655; tinc = { @@ -875,12 +876,10 @@ in { lass-blue = { mail = "lass@blue.r"; pubkey = builtins.readFile ./ssh/blue.rsa; - pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp; }; lass-green = { mail = "lass@green.r"; pubkey = builtins.readFile ./ssh/green.ed25519; - pgp.pubkeys.default = builtins.readFile . |