Diffstat (limited to 'krebs')
-rw-r--r--krebs/0tests/data/secrets/syncthing.cert0
-rw-r--r--krebs/0tests/data/secrets/syncthing.key0
-rw-r--r--krebs/1systems/news/config.nix7
-rw-r--r--krebs/1systems/puyak/config.nix6
-rw-r--r--krebs/1systems/puyak/net.nix4
-rw-r--r--krebs/2configs/container-networking.nix7
-rw-r--r--krebs/2configs/ircd.nix1
-rw-r--r--krebs/2configs/news-host.nix1
-rw-r--r--krebs/2configs/news.nix29
-rw-r--r--krebs/2configs/shack/prometheus/alert-rules.nix9
-rw-r--r--krebs/2configs/syncthing.nix4
-rw-r--r--krebs/3modules/krebs/default.nix2
-rw-r--r--krebs/3modules/lass/default.nix18
-rw-r--r--krebs/3modules/makefu/default.nix1
-rw-r--r--krebs/3modules/sync-containers.nix2
-rw-r--r--krebs/5pkgs/haskell/recht.nix25
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
18 files changed, 112 insertions, 20 deletions
diff --git a/krebs/0tests/data/secrets/syncthing.cert b/krebs/0tests/data/secrets/syncthing.cert
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/syncthing.cert
diff --git a/krebs/0tests/data/secrets/syncthing.key b/krebs/0tests/data/secrets/syncthing.key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/syncthing.key
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index 5c4b37aef..79946dad7 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -18,13 +18,6 @@
boot.isContainer = true;
networking.useDHCP = false;
krebs.bindfs = {
- "/var/lib/htgen-go" = {
- source = "/var/state/htgen-go";
- options = [
- "-m ${toString config.users.users.htgen-go.uid}"
- ];
- clearTarget = true;
- };
"/var/lib/brockman" = {
source = "/var/state/brockman";
options = [
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 1e0687ba7..2f122f6ff 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -19,6 +19,12 @@
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
+ ## news host
+
+ <stockholm/krebs/2configs/container-networking.nix>
+ <stockholm/krebs/2configs/syncthing.nix>
+ <stockholm/krebs/2configs/news-host.nix>
+
### shackspace ###
# handle the worlddomination map via coap
<stockholm/krebs/2configs/shack/worlddomination.nix>
diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix
index 8dab11e16..a46a24952 100644
--- a/krebs/1systems/puyak/net.nix
+++ b/krebs/1systems/puyak/net.nix
@@ -8,8 +8,8 @@ in {
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}"
'';
networking = {
- firewall.enable = false;
- firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ];
+ firewall.enable = true;
+ firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];
interfaces."${ext-if}".ipv4.addresses = [
{
address = shack-ip;
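Review bot: `firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];` opens these ports on every interface of the host, not only `${ext-if}`, now that `firewall.enable = true` is set on the line above. If these services are meant to be reachable only from the shack network, scoping them with `networking.firewall.interfaces."${ext-if}".allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];` keeps them closed on the tinc and other interfaces. A short comment naming which service each port belongs to would also help: 80/443 are presumably for the news vhost moved onto this host in the same change, while the other four are not explained anywhere in the hunk. The `networking` attribute set continues outside the hunk.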
diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix
new file mode 100644
index 000000000..fa4488800
--- /dev/null
+++ b/krebs/2configs/container-networking.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+{
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = lib.mkDefault "et0";
+ networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
+}
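Review bot: `networking.nat.externalInterface = lib.mkDefault "et0";` hard-codes the uplink name, while puyak, which imports this file in the `krebs/1systems/puyak/config.nix` hunk, names its uplink `${ext-if}` in net.nix; unless that evaluates to `et0`, NAT is configured on an interface that does not exist and the `ve-+` containers get no outbound connectivity. Either the importing host should set `networking.nat.externalInterface` explicitly (the `mkDefault` allows that) or this file should take the interface from the host rather than a literal. A header comment such as `# NAT for nixos-containers (ve-*); an importing host whose uplink is not et0 must override networking.nat.externalInterface` would make that contract visible to the next host that imports it.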
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 0de07a027..3ef2e7d2b 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -87,6 +87,7 @@
};
channel {
+ autochanmodes = "+t";
use_invex = yes;
use_except = yes;
use_forward = yes;
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
index 82360a670..b7728986f 100644
--- a/krebs/2configs/news-host.nix
+++ b/krebs/2configs/news-host.nix
@@ -4,6 +4,7 @@
"shodan"
"mors"
"styx"
+ "puyak"
];
hostIp = "10.233.2.101";
localIp = "10.233.2.102";
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 410beb041..2da3e6fcc 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -15,6 +15,16 @@
serverAliases = [
"news.r"
];
+ locations."/api".extraConfig = ''
+ proxy_pass http://127.0.0.1:7777/;
+ proxy_pass_header Server;
+ '';
+ locations."= /graph.html".extraConfig = ''
+ alias ${pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html";
+ sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w";
+ }};
+ '';
locations."/".extraConfig = ''
root /var/lib/brockman;
index brockman.json;
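Review bot: The new `locations."/api"` block proxies the reaktor2 API (`API.listen = "inet://127.0.0.1:7777"` in the third hunk of this file) to every client that can reach the `news.r` vhost, and nothing in the location restricts who may call it. If the API is only meant for the bot tooling, an `allow`/`deny` list or an auth directive inside that location would limit it; at minimum a comment stating that the API is intentionally open to the whole network would record the decision. `proxy_pass_header Server;` also forwards the backend's Server header to clients, which is presumably deliberate but worth a one-line note since it overrides nginx's default of hiding it. The `graph.html` fetch is pinned to a commit and a `sha256`, which is fine. The `services.nginx.virtualHosts` set continues outside the hunk.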
@@ -27,6 +37,7 @@
};
systemd.tmpfiles.rules = [
"d /var/lib/brockman 1750 brockman nginx -"
+ "d /run/irc-api 1750 brockman nginx -"
];
systemd.services.brockman-graph = {
@@ -67,12 +78,28 @@
shortener = "http://go.r";
controller = {
nick = "brockman";
- channels = [ "#all" ];
+ extraChannels = [ "#all" ];
};
bots = {};
};
};
+ krebs.reaktor2.api = {
+ hostname = "localhost";
+ port = "6667";
+ nick = "api";
+ API.listen = "inet://127.0.0.1:7777";
+ plugins = [
+ {
+ plugin = "register";
+ config = {
+ channels = [
+ "#all"
+ ];
+ };
+ }
+ ];
+ };
krebs.reaktor2.news = let
name = "candyman";
in {
diff --git a/krebs/2configs/shack/prometheus/alert-rules.nix b/krebs/2configs/shack/prometheus/alert-rules.nix
index 12c691466..65e5d9005 100644
--- a/krebs/2configs/shack/prometheus/alert-rules.nix
+++ b/krebs/2configs/shack/prometheus/alert-rules.nix
@@ -14,7 +14,14 @@ in {
labels.severity = "warning";
annotations.summary = "{{ $labels.alias }} root disk full";
annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=wolf";
- annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and run `nix-collect-garbage -d` and clean up the shack share folder in `/home/share` .If this does not help you can check `du -hs /var/ | sort -h`, run `docker system prune` or if you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete'';
+ annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and try to clean up the obsolete files on the machine. There are a couple of things you can do:
+1. `nix-collect-garbage -d`
+2. clean up the shack share folder in `/home/share`
+3. check `du -hs /var/ | sort -h`.
+4. run `docker system prune`
+5. `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete;` to clean up the link shortener data
+5. If you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete
+6. as a last resort the root disk can be expanded via `lvresize -L +10G /dev/pool/root && btrfs filesystem resize max /` '';
}
{
alert = "RootPartitionFull";
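Review bot: The numbered list in the new `annotations.description` has two entries labelled `5.` (the htgen-go cleanup and the `du -hs / | sort -h` fallback), so the last three steps should be renumbered 5–7. The htgen-go step also points at `/var/lib/containers/news/var/lib/htgen-go/items`, while the `krebs/1systems/news/config.nix` hunk in this same diff removes the bindfs mapping of `/var/lib/htgen-go` inside the news container; if that data now lives under `/var/state/htgen-go` instead, the path in this runbook is stale and should be verified before anyone follows it with `-delete`. The alert attribute set continues outside the hunk.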
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
index 31e33ad5e..125e2aea4 100644
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
@@ -10,6 +10,10 @@ in {
configDir = "/var/lib/syncthing";
declarative = {
devices = mk_peers used_peers;
+ key = toString <secrets/syncthing.key>;
+ cert = toString <secrets/syncthing.cert>;
};
};
+
+ boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
}
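Review bot: `key = toString <secrets/syncthing.key>;` and the matching `cert` line depend on `toString` to pass the file as a plain path string, so the private key is not interpolated into (and copied to) the world-readable nix store; that intent is not stated, and a later cleanup could easily drop the `toString` and re-introduce the copy. A comment such as `# toString keeps the private key out of the nix store; the path is read from the deployed secrets directory at runtime` would protect it. The empty `krebs/0tests/data/secrets/syncthing.{cert,key}` files added in this diff are presumably placeholders so the test evaluation can resolve these paths; saying so in a comment here would make that clear as well.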
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 8c164cfe3..37b939358 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -77,6 +77,7 @@ in {
"wiki.r"
"wiki.hotdog.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
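Review bot: `tinc.port = 0;` is added here and for sixteen further hosts in the `krebs/3modules/lass/default.nix` hunks without explaining what 0 means, while prism gets `tinc.port = 655;` in the first of those hunks. If 0 is a sentinel for "this host does not listen and is only an outbound tinc peer", a reader cannot distinguish it from a mistake; a short `# 0: no listening port, outbound-only tinc peer` next to the first use (or a comment at the option's definition, outside this diff) would make it explicit, and a `null` default on the option may be cleaner than 0 if the module supports it. The host attribute sets continue outside the hunks.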
@@ -177,6 +178,7 @@ in {
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
+ syncthing.id = "DK5CEE2-PNUXYCE-Q42H2HP-623GART-B7KS4VK-HU2RBGQ-EK6QPUP-HUL3PAR";
};
wolf = {
ci = true;
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 6978c0b4e..300ea2ccc 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -67,7 +67,9 @@ in {
"cgit.prism.r"
"paste.r"
"p.r"
+ "search.r"
];
+ tinc.port = 655;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
@@ -126,6 +128,7 @@ in {
aliases = [
"uriel.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
@@ -151,6 +154,7 @@ in {
aliases = [
"mors.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
@@ -184,6 +188,7 @@ in {
aliases = [
"shodan.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT
@@ -218,6 +223,7 @@ in {
aliases = [
"icarus.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr
@@ -251,6 +257,7 @@ in {
aliases = [
"daedalus.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8
@@ -282,6 +289,7 @@ in {
aliases = [
"skynet.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX
@@ -315,6 +323,7 @@ in {
aliases = [
"littleT.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF
@@ -364,6 +373,7 @@ in {
aliases = [
"xerxes.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
@@ -414,6 +424,7 @@ in {
aliases = [
"red.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
@@ -444,6 +455,7 @@ in {
aliases = [
"yellow.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
@@ -481,6 +493,7 @@ in {
aliases = [
"blue.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd
@@ -520,6 +533,7 @@ in {
aliases = [
"green.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk
@@ -574,6 +588,7 @@ in {
aliases = [
"morpheus.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
@@ -611,6 +626,7 @@ in {
aliases = [
"hilum.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb
@@ -651,6 +667,7 @@ in {
aliases = [
"styx.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn
@@ -692,6 +709,7 @@ in {
aliases = [
"coaxmetal.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index f9fa037d3..30d90bf2b 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -187,6 +187,7 @@ in {
maps.work.euer IN A ${nets.internet.ip4.addr}
play.work.euer IN A ${nets.internet.ip4.addr}
ul.work.euer IN A ${nets.internet.ip4.addr}
+ bw.euer IN A ${nets.internet.ip4.addr}
'';
};
cores = 8;
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index d31022d3a..fcfaf1dd0 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -93,7 +93,7 @@ in {
config = mkIf (cfg.containers != {}) {
programs.fuse.userAllowOther = true;
# allow syncthing to enter /var/lib/containers
- system.activationScripts.syncthing-home = ''
+ system.activationScripts.containers-enter = mkDefault ''
${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
'';
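Review bot: The comment `# allow syncthing to enter /var/lib/containers` above the renamed activation script no longer matches its new generic name `containers-enter`, and the added `mkDefault` means that any other module defining `system.activationScripts.containers-enter` silently replaces this chmod instead of raising the conflict error a second plain definition would produce. Updating the comment to `# make /var/lib/containers traversable (a+x) so unprivileged syncers such as syncthing can reach container dirs; mkDefault lets a host override this` would capture both facts. The `config = mkIf ...` set continues outside the hunk.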
diff --git a/krebs/5pkgs/haskell/recht.nix b/krebs/5pkgs/haskell/recht.nix
new file mode 100644
index 000000000..7d884a9fa
--- /dev/null
+++ b/krebs/5pkgs/haskell/recht.nix
@@ -0,0 +1,25 @@
+{ mkDerivation, ansi-terminal, async, base, binary, bytestring
+, data-default, directory, filepath, megaparsec
+, optparse-applicative, pandoc, random, safe, scalpel, stdenv, text
+, time
+, fetchFromGitHub
+}:
+mkDerivation rec {
+ pname = "recht";
+ version = "0.3.0";
+ src = fetchFromGitHub {
+ owner = "kmein";
+ repo = "recht";
+ rev = version;
+ sha256 = "07cyd06wbnzcp33v0nq8cxyggvqrnbni0v2g8cpxar6idn1wlz85";
+
+ };
+ isLibrary = false;
+ isExecutable = true;
+ executableHaskellDepends = [
+ ansi-terminal async base binary bytestring data-default directory
+ filepath megaparsec optparse-applicative pandoc random safe scalpel
+ text time
+ ];
+ license = stdenv.lib.licenses.mit;
+}
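Review bot: `license = stdenv.lib.licenses.mit;` goes through `stdenv.lib`, which recent nixpkgs deprecates in favour of passing `lib` directly; adding `lib` to the function arguments and writing `license = lib.licenses.mit;` avoids the warning once the pin is bumped further. The stray blank line after `sha256` inside the `src` set can be dropped. The pin itself is sound: `rev = version` together with a fixed `sha256` gives a reproducible source.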
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index c0ffcf3e3..25389ad9c 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "266dc8c3d052f549826ba246d06787a219533b8f",
- "date": "2021-03-15T09:37:03+01:00",
- "path": "/nix/store/dkim3k1b5bdga370xpw0r52w0ac5y3fn-nixpkgs",
- "sha256": "09ydqx2lznixmw8z4cfz1j3k137mh8n3cdpygwqymknhfdjq7lg4",
+ "rev": "04a2b269d8921505a2969fc9ec25c1f517f2b307",
+ "date": "2021-03-30T01:32:47-04:00",
+ "path": "/nix/store/wb6m2d6p3kadk6pbqdjq3ydswbvmb0lq-nixpkgs",
+ "sha256": "15hgx2i71pqgvzv56jwzfs8rkhjbm35wk1i6mxrqbq6wd0y10isv",
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 837782ff6..44a5d0c37 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "36e15cd6e7d55ba143caf3dc930467ace573d85c",
- "date": "2021-03-16T08:18:29+01:00",
- "path": "/nix/store/rsh8kmy9jiwdhsm390zw0mq1p256xzrk-nixpkgs",
- "sha256": "15dwscz9s71n6hn1wml95il8hl8aza16jj9qwywps8bsdamgymfq",
+ "rev": "dec334fa196a4aeedb1b60d8f7d61aa00d327499",
+ "date": "2021-04-14T01:54:42+02:00",
+ "path": "/nix/store/x1dkzxknsrf0060pz1vwa7ibmq7899wb-nixpkgs",
+ "sha256": "1sm1p2qliz11qw6va01knm0rikhpq2h4c70ci98vi4q26y4q9z72",
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false