From 84818541d5db5a1c129c29506a6eca8e8faf6522 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2023 21:25:37 +0200 Subject: sync-containers3: add startComamnd option --- krebs/3modules/sync-containers3.nix | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index c88dd5919..6d3a71324 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -32,6 +32,17 @@ in { type = lib.types.bool; default = true; }; + startCommand = lib.mkOption { + type = lib.types.str; + default = '' + set -efu + mkdir -p /var/state/var_src + ln -Tfrs /var/state/var_src /var/src + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + }; }; })); }; @@ -52,14 +63,7 @@ in { NIX_REMOTE = "daemon"; }; wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' - set -efu - mkdir -p /var/state/var_src - ln -Tfrs /var/state/var_src /var/src - if test -e /var/src/nixos-config; then - /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : - fi - ''; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ctr.startCommand; unitConfig.X-StopOnRemoval = false; }; }; -- cgit v1.2.3 From b5c9c677e3cd2e2f5576b468402486255e43000e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 11 Oct 2023 19:58:47 +0200 Subject: zones: add NS _acme-challenge.krebsco.de --- krebs/3modules/zones.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 29c0b0f23..7a9cf5be1 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -17,6 +17,8 @@ with lib; { @ 3600 IN NS ns3.he.net. @ 3600 IN NS ns2.hosting.de. + _acme-challenge IN NS ns1 + panda NS panda panda A 130.61.237.100 ''; -- cgit v1.2.3 
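Review bot: The new `startCommand` option has no `description`, and because `ExecStart` wraps the option value verbatim with `writeDash`, whatever a deployer sets is executed as a shell script by the autoswitch unit — presumably as root inside the container, since the default runs `nixos-rebuild switch` — which is worth stating on the option. The default also keeps the `|| :` after `nixos-rebuild`, so a broken container configuration never surfaces as a unit failure; that is a deliberate best-effort, but it should be documented rather than implicit. Consider `type = lib.types.lines;` together with a description such as `"Shell script run by the autoswitch service when the container starts. The default symlinks /var/src to /var/state/var_src and runs nixos-rebuild switch from it, ignoring failures."`. The `ctr` submodule and the `systemd.services` definition both extend beyond the hunk.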
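Review bot: Delegating `_acme-challenge` to `ns1` hands whoever can write records on ns1 the ability to satisfy DNS-01 challenges for `krebsco.de` itself, so a `CAA` record at the apex (e.g. `@ IN CAA 0 issue "<your CA>"`) would bound what that delegation can be used for; none is visible in this hunk. The relative `ns1` resolves under the zone origin and needs an in-zone A/AAAA record for the delegation to function — not shown here, so worth confirming. Note also that the line only delegates the apex name: `_acme-challenge.<host>.krebsco.de` for hosts such as `panda` is not covered unless delegated or CNAMEd separately. The zone string continues outside the hunk.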
From 23d52de962f91cde3761645c57c301a294b9b7b6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 29 Oct 2023 09:16:33 +0100 Subject: remove deprecated fetchWallpaper --- krebs/3modules/default.nix | 1 - krebs/3modules/fetchWallpaper.nix | 95 --------------------------------------- 2 files changed, 96 deletions(-) delete mode 100644 krebs/3modules/fetchWallpaper.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5d12ea7af..27c3da2e6 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -17,7 +17,6 @@ ./exim-retiolum.nix ./exim-smarthost.nix ./exim.nix - ./fetchWallpaper.nix ./git.nix ./github ./go.nix diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix deleted file mode 100644 index 0d67120fd..000000000 --- a/krebs/3modules/fetchWallpaper.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ../../lib/pure.nix { inherit lib; }; - -let - cfg = config.krebs.fetchWallpaper; - - out = { - options.krebs.fetchWallpaper = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "fetch wallpaper"; - url = mkOption { - type = types.str; - }; - timerConfig = mkOption { - type = types.unspecified; - default = { - OnCalendar = "*:00,10,20,30,40,50"; - }; - }; - stateDir = mkOption { - type = types.str; - default = "/var/lib/wallpaper"; - }; - display = mkOption { - type = types.str; - default = ":${toString config.services.xserver.display}"; - }; - unitConfig = mkOption { - type = types.attrsOf types.str; - description = "Extra unit configuration for fetchWallpaper to define conditions and assertions for the unit"; - example = literalExample '' - # do not start when running on umts - { ConditionPathExists = "!/var/run/ppp0.pid"; } - ''; - default = {}; - }; - }; - - fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" '' - set -euf - - mkdir -p ${cfg.stateDir} - chmod o+rx ${cfg.stateDir} - cd ${cfg.stateDir} - (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || : - feh --no-fehbg --bg-scale wallpaper - ''; - - imp = { - users.users.fetchWallpaper = { - name = "fetchWallpaper"; - uid = genid_uint31 "fetchWallpaper"; - description = "fetchWallpaper user"; - group = "fetchWallpaper"; - home = cfg.stateDir; - createHome = true; - isSystemUser = true; - }; - users.groups.fetchWallpaper = {}; - - systemd.timers.fetchWallpaper = { - description = "fetch wallpaper timer"; - wantedBy = [ "timers.target" ]; - - timerConfig = cfg.timerConfig; - }; - systemd.services.fetchWallpaper = { - description = "fetch wallpaper"; - after = [ "network.target" ]; - - path = with pkgs; [ - curl - feh - ]; - - environment = { - URL = cfg.url; - DISPLAY = cfg.display; - }; - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - 
ExecStart = fetchWallpaperScript; - User = "fetchWallpaper"; - }; - - unitConfig = cfg.unitConfig; - }; - }; -in out -- cgit v1.2.3 From cc928a38a98f50e060a2c9a9bbe98ea92564270c Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 2 Nov 2023 09:56:42 +0100 Subject: setuid: run after usrbinenv, since wrappers got removed --- krebs/3modules/setuid.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index 53fed0e36..fdb96c8ba 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -80,7 +80,7 @@ let }; imp = { - system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ] + system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ] (concatMapStringsSep "\n" (cfg: /* sh */ '' ${cfg.activate} -- cgit v1.2.3 From 095f89e9726fe5247aba6508b13ecbba756904d1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Nov 2023 18:03:01 +0100 Subject: git: declare group --- krebs/3modules/git.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 1ec216f62..347a2c32b 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -376,6 +376,7 @@ let (filter (user: isString user.pubkey) (concatMap (getAttr "user") cfg.rules)))); }; + users.groups.${cfg.cgit.fcgiwrap.group.name} = {}; }; cgit-imp = { -- cgit v1.2.3 From 4fd1aaaf8d1f4656f02d7868dcd6e7b297bb5cfe Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Nov 2023 18:03:49 +0100 Subject: exim: use upstream security wrappers --- krebs/3modules/exim.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 917a8e5a4..583fd07b1 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix 
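Review bot: Ordering `krebs.setuid` after `usrbinenv` replaces a meaningful dependency with an unrelated anchor, and the reason lives only in the commit message; a comment on that line would help, e.g. `# the "wrappers" activation script no longer exists upstream; usrbinenv is only a stable anchor so this still runs late in activation`. If `cfg.activate` (defined outside this hunk) writes anything under `/run/wrappers`, it may now run before whatever populates that directory and be clobbered, silently dropping setuid bits — please verify. Given that the exim commit in this same series migrates to `security.wrappers`, marking `krebs.setuid` as deprecated in favour of it seems the cleaner direction. The `imp` attribute set continues past the hunk.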
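Review bot: `users.groups.${cfg.cgit.fcgiwrap.group.name} = {};` is added to the attribute set that precedes `cgit-imp`, which looks like the base `imp`, so the fcgiwrap group would be created even when cgit is not enabled — if that is not intended, it belongs in `cgit-imp`. A one-line comment naming why the group must be declared (presumably fcgiwrap's unit now refuses an undeclared group) would save the next reader a trip to the commit log. The enclosing `let` binding starts and ends outside the hunk.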
@@ -50,14 +50,18 @@ in { ''; systemPackages = [ pkgs.exim ]; }; - krebs.setuid = { + security.wrappers = { exim = { - filename = "${pkgs.exim}/bin/exim"; - mode = "4111"; + source = "${pkgs.exim}/bin/exim"; + owner = "root"; + group = "root"; + setuid = true; }; sendmail = { - filename = "${pkgs.exim}/bin/exim"; - mode = "4111"; + source = "${pkgs.exim}/bin/exim"; + owner = "root"; + group = "root"; + setuid = true; }; }; systemd.services.exim = { -- cgit v1.2.3 From 8a62119217a92691e80fb0991b223694419373d4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Nov 2023 18:43:57 +0100 Subject: sync-containers3: use ping from path --- krebs/3modules/sync-containers3.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 6d3a71324..7bec27b0f 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -88,6 +88,7 @@ in { { "${ctr.name}_syncer" = { path = with pkgs; [ coreutils + inetutils consul rsync openssh @@ -107,7 +108,7 @@ in { set -efux consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' set -efux - if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then + if ping -c 1 ${ctr.name}.r; then nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync touch "$HOME"/incomplete nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk @@ -120,6 +121,7 @@ in { { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { path = with pkgs; [ coreutils + inetutils consul cryptsetup curl 
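Review bot: The two wrapper entries are identical apart from the attribute name, and neither states `permissions`, so the effective mode now depends on the `security.wrappers` default (upstream's is `u+rx,g+x,o+x`, which with `setuid = true` amounts to the former `4111` — confirm on the nixpkgs revision in use) rather than the explicit mode the old `krebs.setuid` entries had. Stating the permissions explicitly keeps the security intent reviewable, and a shared binding removes the duplication. Whether `systemd.services.exim` (continues outside the hunk) still invokes the store path rather than `/run/wrappers/bin/exim` is not visible here.
```nix
security.wrappers = let
  eximWrapper = {
    source = "${pkgs.exim}/bin/exim";
    owner = "root";
    group = "root";
    setuid = true;
    permissions = "u+rx,g+x,o+x"; # same as the former krebs.setuid mode 4111
  };
in {
  exim = eximWrapper;
  sendmail = eximWrapper;
};
# … unchanged: systemd.services.exim …
```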
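Review bot: Swapping `/run/wrappers/bin/ping` for the plain `inetutils` ping in `if ping -c 1 ${ctr.name}.r` drops the capability wrapper, so if `${ctr.name}_syncer` runs as a non-root user (its use of `$CREDENTIALS_DIRECTORY` and `$HOME` suggests a dedicated user; `serviceConfig` is outside the hunk) ICMP will fail with EPERM unless the unit grants `CAP_NET_RAW` or `net.ipv4.ping_group_range` covers that user. Because the ping is the `if` condition, such a failure is indistinguishable from "container unreachable": the sync silently never runs. Consider `serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];` on the units changed this way, or a comment on the `inetutils` path entry explaining why unprivileged ICMP is known to work here. The `consul lock` wrapper and the rest of the script continue outside the hunk.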
@@ -149,7 +151,7 @@ in { export payload if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then # echo 'we are the host, trying to reach container' - if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then + if $(retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null); then # echo 'container is reachable, continueing' continue else @@ -177,6 +179,7 @@ in { wantedBy = [ "multi-user.target" ]; path = with pkgs; [ coreutils + inetutils consul cryptsetup mount @@ -232,8 +235,8 @@ in { /run/current-system/sw/bin/nixos-container start ${ctr.name} # wait for system to become reachable for the first time systemctl start ${ctr.name}_watcher.service - retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null - while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do + retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null + while systemctl is-active container@${ctr.name}.service >/devnull && ping -q -c 3 ${ctr.name}.r >/dev/null; do consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null sleep 10 done -- cgit v1.2.3 From 015ef28416289059a66b1df043a186256384cc7b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 9 Nov 2023 21:21:24 +0100 Subject: tinc: reload on change --- krebs/3modules/tinc.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 9df368cfb..d73d5ca61 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix 
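Review bot: `if $(retry -t 10 -d 10 -- ping … > /dev/null); then` runs the substitution's empty output as the command and only works because a simple command with no words takes the exit status of its last command substitution; the new line keeps that idiom. `if retry -t 10 -d 10 -- ping -q -c 1 ${ctr.name}.r > /dev/null; then` is the direct form and does not lean on that corner of POSIX sh. The same ping-privilege caveat as in the syncer applies if the watcher unit runs unprivileged, and here too a permission error reads as "container unreachable". The watcher loop begins and ends outside the hunk.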
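Review bot: The new-side `while` line still redirects `systemctl is-active` to `>/devnull` (missing slash), so each iteration creates or truncates a regular file `/devnull` on the host instead of discarding output; the commit rewrites this line but leaves the typo. It should read `while systemctl is-active container@${ctr.name}.service >/dev/null && ping -q -c 3 ${ctr.name}.r >/dev/null; do`. Note also that the `retry … ping` two lines up is a bare command, so if this script runs under `set -e` like the syncer (not visible in the hunk), a ping that fails for lack of `CAP_NET_RAW` aborts the unit before the loop is reached. The `consul kv put` loop body and the surrounding script continue outside the hunk.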
@@ -208,10 +208,9 @@ with import ../../lib/pure.nix { inherit lib; }; { description = "Tinc daemon for ${netname}"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; - # Restart the service in a single step in order to prevent potential - # connection timeouts and subsequent issues while deploying via tinc. - stopIfChanged = false; + reloadIfChanged = true; serviceConfig = { + ExecReload = "+${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; Restart = "always"; LoadCredential = filter (x: x != "") [ (optionalString (cfg.privkey_ed25519 != null) -- cgit v1.2.3 From 334378bc5730f7758a3e45346f6641b4464fc97d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 25 Nov 2023 12:42:10 +0100 Subject: sync-containers3: bind to bridge after startup --- krebs/3modules/sync-containers3.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 7bec27b0f..58446c82b 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -246,9 +246,11 @@ in { }; } { "container@${ctr.name}" = lib.mkIf ctr.runContainer { serviceConfig = { - ExecStop = pkgs.writers.writeDash "remove_interface" '' - ${pkgs.iproute2}/bin/ip link del vb-${ctr.name} - ''; + ExecStartPost = [ + (pkgs.writers.writeDash "bind-to-bridge" '' + ${pkgs.iproute2}/bin/ip link set "vb-$INSTANCE" master ctr0 + '') + ]; }; }; } ]) (lib.attrValues cfg.containers))); -- cgit v1.2.3
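Review bot: `ExecReload` carries the `+` prefix, so the reload runs with full root privileges regardless of any `User` or capability restrictions the unit sets (its `serviceConfig` continues outside the hunk), and that choice deserves a comment, e.g. `# "+" runs reload as root, presumably so it can reach tinc's control socket; reload only re-reads config/host files`. More importantly, with `reloadIfChanged = true` a change to the unit itself — a new `cfg.tincPackage`, or a rotated key delivered via `LoadCredential` — now triggers only a reload, and as far as I know `tinc reload` neither re-execs the daemon nor re-reads the private key, so such changes would not take effect until a manual restart; please verify against the tinc version in use. If that trade-off is intended, say so in the comment that replaced the old `stopIfChanged` rationale.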
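Review bot: Replacing `ExecStop` (`ip link del vb-${ctr.name}`) with an `ExecStartPost` that attaches `vb-$INSTANCE` to `ctr0` removes the explicit cleanup; if that deletion was needed to avoid stale `vb-*` links after a container stop, that behaviour is gone — confirm the container unit's own stop path removes the host-side veth. Attaching each container's veth to the shared `ctr0` bridge (defined outside this hunk) presumably puts all synced containers on one L2 segment, so any isolation between them now rests on the bridge configuration; a comment on the `ExecStartPost` line stating that intent would help. Also, `$INSTANCE` is used here while the rest of the module addresses the container as `${ctr.name}`; they coincide for `container@${ctr.name}`, but `"vb-${ctr.name}"` would be consistent and not depend on the unit's environment exporting `INSTANCE`. The `lib.attrValues cfg.containers` mapping closes right after the hunk.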