Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/1systems/ponte/config.nix | 10 | ||||
-rw-r--r-- | krebs/1systems/ponte/hw.nix | 14 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 19 | ||||
-rw-r--r-- | krebs/3modules/krebs/default.nix | 40 | ||||
-rw-r--r-- | krebs/5pkgs/simple/generate-secrets/default.nix | 18 |
5 files changed, 94 insertions, 7 deletions
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
new file mode 100644
index 000000000..1e25ca9bf
--- /dev/null
+++ b/krebs/1systems/ponte/config.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./hw.nix
+ <stockholm/krebs>
+ <stockholm/krebs/2configs>
+ ];
+
+ krebs.build.host = config.krebs.hosts.ponte;
+}
diff --git a/krebs/1systems/ponte/hw.nix b/krebs/1systems/ponte/hw.nix
new file mode 100644
index 000000000..78f7a603e
--- /dev/null
+++ b/krebs/1systems/ponte/hw.nix
@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.efi.efiSysMountPoint = "/boot/EFI";
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ copyKernels = false;
+ };
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+ fileSystems."/boot/EFI" = { device = "/dev/disk/by-uuid/628A-7F3B"; fsType = "vfat"; };
+}
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index b62ece0c7..779e242c0 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -160,6 +160,25 @@ in {
 };
 };
 };
+ rauter = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ aliases = [ "rauter.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEArpSEoqFUdjaLiR3MpBlEoR0AOyaHPY9IPG4C5KsrfjeMDdfpOEGu
+ G0VHksBbkDV/MIgUVlK1B7LxZ73WUwKKB1YWGtY+QVX1tzoUqYwjMhp/xFVybyBw
+ M7nmTnM6Uq9Xd+S5mNMmOdvgNXfiP+zy4+iHJpn8YN/RnuyETqXhvVW9UasqVlmz
+ cY0dl+wsYFsJDnGc2ebpx5dzfpPgZKIFc0GlqDX0AqdQ2t2O9x4G5sFyUH0qPnDQ
+ 776it6NXhwSKfl1h9xjQp8+qowIUlUqKgiVXfAzXHSxWmVQyxilCAkEk4vSs1HOj
+ ZNiK3LJKWEsy61hMt6K6AqpvSGlOdGa8WQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "bL0slCR9oHx7FBeVb4ubo/bX8QJJBgchVKVSlWh3y1D";
+ };
+ };
+ };
 eve = {
 owner = config.krebs.users.mic92;
 extraZones."krebsco.de" = ''
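Review bot: The root filesystem in hw.nix is addressed by the unstable name `/dev/sda1` while the ESP on the very next line is already addressed by UUID; if the virtual disk is ever enumerated differently (the hunk also loads `nvme` in the initrd, which seems to anticipate a non-SCSI device) the system will not find its root. I would reference both filesystems the same way, `fileSystems."/" = { device = "/dev/disk/by-uuid/<root-fs-uuid>"; fsType = "ext4"; };`, with the UUID taken from the installed system. `efiInstallAsRemovable = true` together with `device = "nodev"` is a reasonable choice for a guest without persistent EFI variables, but a one-line comment stating that intent would help the next reader.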
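Review bot: The new `rauter` entry in mic92.nix declares its retiolum net with only `aliases` and tinc keys, whereas the `ponte` entry added to krebs/3modules/krebs/default.nix in the same commit also sets `ip4.addr` and `ip6.addr`; if the retiolum module requires an address this entry will not evaluate, so please confirm against the neighbouring mic92 hosts (outside the hunk) whether omitting it is intended. As a matter of style, this hunk uses dotted attributes `tinc.pubkey = …; tinc.pubkey_ed25519 = …;` while the ponte hunk nests them as `tinc = { pubkey = …; pubkey_ed25519 = …; };`; both are valid Nix, but one form per commit reads better. The enclosing attribute set continues outside the hunk.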
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 5e0e69924..d58f0fbaa 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -160,6 +160,46 @@ in {
 ssh.privkey.path = <secrets/ssh.id_ed25519>;
 ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe ";
 };
+ ponte = {
+ cores = 1;
+ owner = config.krebs.users.krebs;
+ nets = rec {
+ internet = {
+ ip4 = {
+ addr = "141.147.36.79";
+ prefix = "0.0.0.0/0";
+ };
+ };
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.4.43";
+ ip6.addr = "42::443";
+ aliases = [
+ "ponte.r"
+ ];
+ tinc = {
+ pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEA52Glj/C85oMy3cnaRAtg2qkleaJFWiqwaQNUsk4JgX1PwZJ8aInD
+ YAMXj0H0wz7h3mh5QVRDq4i11LXOIy1P6J6QAvb3lssYnFfJkR9j/dArCIFsEhHf
+ V41E4KMcHV9t17xO6wQitXqzvcmxodxly8qAx1k7ddlGdQPTWXVvQTRgWBwm9oQ9
+ w0d5p2fej/E5iOmbLyVjiJ72rFJIQdfPo782W78ZQftMSXsnyrr5OJu1b4qsga1Q
+ fYiAKjNE29OPiw5hLy9W/jLJMm0eR94LpUy0MZ5hYkYmvII1TqIqxVgj48gYfJ5v
+ QCjU9R2H5pUNfDiYutCqscRn5YDe44dcYBeG8Rkf0i4BTdqiE7h1AIciccXsJddt
+ HFxbWqi3HDoWlo7cFK9vYVUi4jgQP5cUVP85I43aDu3S3M3mszk1nyP+gDobE5Z9
+ jPGckgn7wTYXlDioIlExJJ6FCaSWSxvh0Zh0HDrTD+WKP6qJ2aYnAz2xptiQGNCu
+ rYEvFoWd5T7VMzI02Z2hCiE2fFWlH63Am1tKspFKl+lHjwMrwcwFA5WoNHCeXx2X
+ S1T3I7P4SkRZervYJ55wQxCBKLgvZP2I1J1JzMkyuTszg9tex14MdVdZZrKXVrnr
+ exCMJruliLbZmtrbHHTXoCngppylnJOxKXpfpogLTZzLGncO6Ry5G18CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ pubkey_ed25519 = "0l+q3Bg5gYcw8VDjSYV7+wVSO3t4Es5jizAYJ9UR8cA";
+ };
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEw9fo8Qtb/DTLacdrJP7Ti7c4UXTm6wUUX+iRFweEo ";
+ };
 puyak = {
 ci = true;
 cores = 4;
diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix
index a800ff543..f9a7450f7 100644
--- a/krebs/5pkgs/simple/generate-secrets/default.nix
+++ b/krebs/5pkgs/simple/generate-secrets/default.nix
@@ -1,20 +1,21 @@ { pkgs }: -pkgs.writeDashBin "generate-secrets" '' +pkgs.writers.writeDashBin "generate-secrets" '' + set -eu HOSTNAME="$1" TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + cd $TMPDIR + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null - ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null - ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + ${pkgs.tinc_pre}/bin/tinc --config "$TMPDIR" generate-keys 4096 >/dev/null cat <<EOF > $TMPDIR/hashedPasswords.nix { root = "$HASHED_PASSWORD"; } EOF - cd $TMPDIR for x in *; do ${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null done @@ -31,9 +32,12 @@ pkgs.writeDashBin "generate-secrets" '' aliases = [ "$HOSTNAME.r" ]; - tinc.pubkey = ${"''"} - $(cat $TMPDIR/retiolum.rsa_key.pub) - ${"''"}; + tinc = { + pubkey = ${"''"} + $(cat $TMPDIR/rsa_key.pub) + ${"''"}; + pubkey_ed25519 = "$(cut -d ' ' -f 3 $TMPDIR/ed25519_key.pub)"; + }; }; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; |
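Review bot: The directory created by `mktemp -d` now receives the tinc RSA and Ed25519 private keys as well as the SSH key, and nothing in this hunk removes it after the `brain insert` loop; unless the tail of the script (outside the hunk) cleans up, every run leaves a complete set of host secrets behind in a temporary directory. With `set -eu` now in place, a `trap 'rm -rf "$TMPDIR"' EXIT` directly after the `mktemp` line would cover both the normal and the error path. The new `cd $TMPDIR` should be quoted like the `--config "$TMPDIR"` argument on the tinc line, `cd "$TMPDIR"`, since that directory is what the `for x in *` glob is evaluated in. A one-line comment above the tinc call, noting that `generate-keys` writes its key pairs (`rsa_key.*`, `ed25519_key.*`, as the second hunk's paths show) into the config directory and that the loop below therefore uploads them, would make the data flow explicit.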
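Review bot: The secret file names change in this hunk from `retiolum.rsa_key.pub` to `rsa_key.pub`, and correspondingly the private key inserted into brain under `krebs-secrets/$HOSTNAME/` is no longer named `retiolum.rsa_key.priv`; any module that reads the tinc private key from `<secrets/retiolum.rsa_key.priv>` (not visible here) has to be updated in the same change, otherwise hosts generated after this commit will lack the file that module expects. `cut -d ' ' -f 3 $TMPDIR/ed25519_key.pub` appears to rely on tinc writing that file as a single `Ed25519PublicKey = <key>` line; a comment such as `# ed25519_key.pub is "Ed25519PublicKey = <key>"; keep only the key` would explain the field index. The enclosing writeDashBin string and the shell heredoc this fragment presumably belongs to both begin before the hunk.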