Diffstat (limited to 'lass/2configs')
51 files changed, 1109 insertions, 291 deletions
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index bdd568c15..490601641 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ...}: { - nixpkgs.config.packageOverrides = p: { - nix-serve = p.haskellPackages.nix-serve-ng; - }; + # nixpkgs.config.packageOverrides = p: { + # nix-serve = p.haskellPackages.nix-serve-ng; + # }; # generate private key with: # nix-store --generate-binary-cache-key my-secret-key my-public-key services.nix-serve = { diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index 84f06e587..43573d893 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -15,18 +15,20 @@ with (import <stockholm/lib>); # pkgs.tdlib-purple # pkgs.purple-gowhatsapp ]; + configDir = "/var/state/bitlbee"; }; - users.users.bitlbee = { - uid = genid_uint31 "bitlbee"; - isSystemUser = true; - group = "bitlbee"; - }; - users.groups.bitlbee = {}; - systemd.services.bitlbee.serviceConfig = { - DynamicUser = lib.mkForce false; - User = "bitlbee"; - StateDirectory = lib.mkForce null; + ExecStartPre = [ + "+${pkgs.writeDash "setup-bitlbee" '' + ${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee || : + ''}" + ]; + ReadWritePaths = [ + "/var/state/bitlbee" + ]; }; + systemd.tmpfiles.rules = [ + "d /var/state/bitlbee 0700 - - -" + ]; } diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index ea6fb644b..92ee8e30f 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -3,6 +3,6 @@ programs.firefox.nativeMessagingHosts.tridactyl = true; environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox"; environment.systemPackages = [ - pkgs.firefox + pkgs.firefox-devedition ]; } diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix index a8dd3dd1d..c9ad8cf68 100644 --- a/lass/2configs/c-base.nix +++ b/lass/2configs/c-base.nix 
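Review bot: The `|| :` in the added setup-bitlbee ExecStartPre hides a failed chown, and this same hunk deletes the static `users.users.bitlbee`/`users.groups.bitlbee` definitions, so `bitlbee:bitlbee` now has to resolve from wherever the service's user is defined (presumably a dynamic user via nss-systemd — confirm). If the chown fails, the directory created by the tmpfiles rule stays root-owned 0700 and bitlbee fails to write its account data later with a less obvious error. I would let it surface: `${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee`. If the user turns out to be static, the tmpfiles rule can set the owner directly instead: `d /var/state/bitlbee 0700 bitlbee bitlbee -`.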
@@ -17,7 +17,7 @@ in { }; routes = [ { routeConfig = { - Destination = "10.0.1.0/24"; + Destination = "10.0.0.0/23"; Gateway = "172.31.77.1"; };} { routeConfig = { diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index ccca49fac..d0ba8912c 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -2,7 +2,8 @@ with import <stockholm/lib>; let domain = "pad.lassul.us"; -in { +in +{ # redirect legacy domain to new one services.nginx.virtualHosts."codi.lassul.us" = { @@ -25,13 +26,26 @@ in { security.dhparams = { enable = true; - params.hedgedoc = {}; + params.hedgedoc = { }; }; systemd.services.hedgedoc.environment = { CMD_COOKIE_POLICY = "none"; CMD_CSP_ALLOW_FRAMING = "true"; }; + + services.borgbackup.jobs.hetzner.paths = [ + "/var/backup" + "/var/lib/hedgedoc" + ]; + systemd.services.hedgedoc-backup = { + startAt = "daily"; + serviceConfig = { + ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"''; + Type = "oneshot"; + }; + }; + services.hedgedoc = { enable = true; configuration.allowOrigin = [ domain ]; @@ -51,8 +65,6 @@ in { sslCertPath = "/var/lib/acme/${domain}/cert.pem"; sslKeyPath = "/var/lib/acme/${domain}/key.pem"; dhParamPath = config.security.dhparams.params.hedgedoc.path; - }; }; } - diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix index b8d925de5..67467364e 100644 --- a/lass/2configs/consul.nix +++ b/lass/2configs/consul.nix @@ -17,9 +17,6 @@ # try to fix random lock loss on leader reelection retry_interval = "3s"; - performance = { - raft_multiplier = 8; - }; }; }; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 72dbfc480..6d4230c68 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -40,6 +40,7 @@ with import <stockholm/lib>; "video" "fuse" "wheel" + "tor" ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey 
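Review bot: The new hedgedoc-backup unit writes `/var/backup/hedgedoc/backup.sq3` but nothing in the hunk creates that directory or restricts the dump's mode; with no `User =` the unit runs as root and sqlite3 creates the file under root's default umask, leaving a complete copy of the pad database readable by other local accounts. Add `systemd.tmpfiles.rules = [ "d /var/backup/hedgedoc 0700 - - -" ];` and `UMask = "0077";` in the serviceConfig. Since `/var/backup` is added to the borg job in the same hunk, ordering the dump before that job (presumably `before = [ "borgbackup-job-hetzner.service" ];`) would make each borg run pick up a fresh, consistent dump rather than whatever was left from the previous day.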
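Review bot: Adding `"tor"` to the user's extraGroups grants whatever the tor module makes group-accessible (I cannot see the module from here; typically a control socket or the daemon's state directory), which is effectively control of the local tor instance from an unprivileged login. A short comment on the line stating why the membership is needed, `# "tor": access to the local tor control socket`, would document the intent and let a later reader judge whether it is still required.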
@@ -74,6 +75,7 @@ with import <stockholm/lib>; krebs = { enable = true; build.user = config.krebs.users.lass; + ssl.trustIntermediate = true; }; nix.useSandbox = true; @@ -93,12 +95,15 @@ with import <stockholm/lib>; #stockholm deploy git + git-absorb git-preview gnumake jq + nix-output-monitor #style rxvt-unicode-unwrapped.terminfo + alacritty.terminfo #monitoring tools htop @@ -109,6 +114,7 @@ with import <stockholm/lib>; iftop tcpdump mosh + eternal-terminal sshify #stuff for dl @@ -226,13 +232,18 @@ with import <stockholm/lib>; noipv4ll ''; + networking.extraHosts = '' + 10.42.0.1 styx.gg23 + ''; + + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; # use 24:00 time format, the default got sneakily changed around 20.03 i18n.defaultLocale = mkDefault "C.UTF-8"; time.timeZone = mkDefault"Europe/Berlin"; - system.stateVersion = mkDefault "20.03"; - # disable doc usually documentation.nixos.enable = mkDefault false; } diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index cb9abd43a..2a3a6b1e5 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -14,18 +14,22 @@ in { dkim = [ { domain = "lassul.us"; } ]; + ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/mail.lassul.us/key.pem"; primary_hostname = "lassul.us"; sender_domains = [ "lassul.us" ]; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ + config.krebs.hosts.aergia config.krebs.hosts.blue config.krebs.hosts.coaxmetal config.krebs.hosts.green config.krebs.hosts.mors config.krebs.hosts.xerxes ]; - internet-aliases = map (from: { inherit from to; }) mails; + internet-aliases = map (from: { inherit from to; }) mails ++ [ + ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } { from = "postmaster"; to = "root"; } 
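Review bot: Dropping `system.stateVersion = mkDefault "20.03";` changes the effective stateVersion for every host that relied on this default, and several stateful service defaults key off that value; unless each host in this config sets its own, that is a behaviour change buried in a hunk that otherwise only adds hosts entries and nix options. If the intent is that hosts must set it themselves, say so where the line was, `# stateVersion is intentionally left to each host`, so the removal is not reverted as an accident.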
@@ -45,4 +49,14 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } ]; + + security.acme.certs."mail.lassul.us" = { + group = "lasscert"; + webroot = "/var/lib/acme/acme-challenge"; + }; + users.groups.lasscert.members = [ + "dovecot2" + "exim" + "nginx" + ]; } diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix index 809298df4..b2912d894 100644 --- a/lass/2configs/fysiirc.nix +++ b/lass/2configs/fysiirc.nix @@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: let format-github-message = pkgs.writeDashBin "format-github-message" '' - set -xefu + set -efu export PATH=${lib.makeBinPath [ pkgs.jq ]} INPUT=$(jq -c .) - if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then - ${write_to_irc} "$(echo "$INPUT" | jq -r ' + if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then + ${write_to_irc} "$(printf '%s' "$INPUT" | jq -r ' "\(.action): " + "[\(.issue.title // .pull_request.title)] " + "\(.comment.html_url // .issue.html_url // .pull_request.html_url) " @@ -57,16 +57,7 @@ in { case "$Method $Request_URI" in "POST /") payload=$(head -c "$req_content_length") - raw=$(printf '%s' "$payload" | ${pkgs.curl}/bin/curl --data-binary @- http://p.krebsco.de | tail -1) - payload2=$payload - payload2=$(printf '%s' "$payload" | tr '\n' ' ' | tr -d '\r') - if [ "$payload" != "$payload2" ]; then - echo "payload has been mangled" >&2 - else - echo "payload not mangled" >&2 - fi - echo "$payload2" | ${format-github-message}/bin/format-github-message - ${write_to_irc} "$raw" + printf '%s' "$payload" | ${format-github-message}/bin/format-github-message printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index 224a6cbb9..d56e95368 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix 
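Review bot: Adding `"nginx"` to `users.groups.lasscert.members` gives the web server read access to the mail private key (`/var/lib/acme/mail.lassul.us/key.pem`, referenced as `ssl_key` in this file's first hunk), which a webroot challenge does not need — nginx only has to serve `/var/lib/acme/acme-challenge`. Unless nginx also terminates TLS with this certificate, drop it from the group so a web-server compromise does not expose the SMTP key; `dovecot2` and `exim` are the consumers that actually need it.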
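Review bot: `if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then` still executes jq's printed output as a command, so the branch works only because the word `true` happens to be a command; testing the exit status is clearer and does not depend on that, `if printf '%s' "$INPUT" | jq -e 'has("issue") or has("pull_request")' >/dev/null; then`. Removing `-x` from the `set` line is a good change on its own, since the trace would otherwise have copied every webhook payload into the journal.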
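Review bot: After this hunk the `"POST /"` branch passes the request body straight to format-github-message, and nothing visible here checks where the request came from; the handler's start is outside the hunk, so if it does not verify GitHub's `X-Hub-Signature-256` header, anyone who can reach the listener can relay arbitrary text into the channel. If that is accepted, a comment at the branch, `# unauthenticated: any POST body reaching this port is relayed to IRC`, makes it a recorded decision rather than an omission. `head -c "$req_content_length"` is also bounded only by the client-supplied length, so a cap before the read is worth considering.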
@@ -3,7 +3,7 @@ with import <stockholm/lib>; { nix.gc = { - automatic = ! (elem config.krebs.build.host.name [ "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); + automatic = ! (elem config.krebs.build.host.name [ "aergia" "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); options = "--delete-older-than 15d"; }; } diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index b35b0cb85..bb38f1f90 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -39,6 +39,14 @@ with import <stockholm/lib>; # IPv6SendRA = "yes"; # DHCPPrefixDelegation = "yes"; }; + dhcpServerStaticLeases = [ + { + dhcpServerStaticLeaseConfig = { + Address = "10.42.0.4"; + MACAddress = "3c:2a:f4:22:28:37"; + }; + } + ]; }; networking.networkmanager.unmanaged = [ "int0" ]; krebs.iptables.tables.filter.INPUT.rules = [ diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix index f4d1a27cd..d4ce263ef 100644 --- a/lass/2configs/git-brain.nix +++ b/lass/2configs/git-brain.nix @@ -7,7 +7,6 @@ let krebs-repos = mapAttrs make-krebs-repo { brain = { }; - krebs-secrets = { }; }; diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix new file mode 100644 index 000000000..d60dc5951 --- /dev/null +++ b/lass/2configs/green-hosts/cryfs.nix 
@@ -0,0 +1,95 @@ +# seems to work, very slow though + +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +let + + cname = "green-cryfs"; + +in { + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = { + source = "/var/lib/sync-containers/${cname}/cryfs"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "init-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/sync-containers/${cname}/cryfs + '') + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash 
"deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix new file mode 100644 index 000000000..2c335f6f2 --- /dev/null +++ b/lass/2configs/green-hosts/ecryptfs.nix 
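Review bot: The container's activation script runs `${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229` unconditionally with `deps = []`, so presumably every `nixos-rebuild switch` after the first (the start script triggers one inside the container) fails that step with "File exists"; guard it, `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The `hostAddress`/`localAddress` pair `10.233.2.15`/`10.233.2.16` is also identical in the new ecryptfs.nix and plain-bindfs.nix despite their different `cname` values, so the variants cannot coexist on one host; the TODO acknowledges the manual allocation, but a distinct pair per file would avoid the collision now. The leading `# seems to work, very slow though` reads as an experiment note; one line stating whether this variant is meant for deployment would help the next reader.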
@@ -0,0 +1,99 @@ + +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +let + + cname = "green"; + +in { + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + pkgs.ecryptfs + pkgs.keyutils + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + if ! 
mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then + if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then + ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + else + ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + fi + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix new file mode 100644 index 000000000..81d8f20c2 --- /dev/null +++ b/lass/2configs/green-hosts/plain-bindfs.nix 
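Review bot: The start script chooses between `ecrypt mount` and `ecrypt init` by testing `/var/lib/sync-containers/${cname}/ecryptfs/.cfg.json`, and that whole directory is the syncthing folder shared with the six listed devices; if that file carries the ecryptfs key or passphrase, the secret travels with the ciphertext to every peer (I cannot see `pkgs.ecrypt` from here, so this needs confirming). A comment at the test naming what the file holds, `# .cfg.json: mount parameters only, no key material (verify)`, would settle it for the next reader. The stop script also only unmounts after `nixos-container stop` succeeds, which under `set -e` leaves the ecryptfs mounted if the stop fails; that may be intended but is worth a comment.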
@@ -0,0 +1,90 @@ +# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them, + +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +let + + cname = "green-plain"; + +in { + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/containers/${cname}/var/state" = { + source = "/var/lib/containers/${cname}/var/state"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src |