From acd91d2263840c6c4b97195239c4e1a1f8287cdf Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 27 Jan 2022 12:19:47 +0100
Subject: krebs modules: reorder main imports
---
 krebs/3modules/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index b58b52038..cc4f4d492 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -19,13 +19,13 @@ let
 ./current.nix
 ./dns.nix
 ./ergo.nix
- ./exim.nix
 ./exim-retiolum.nix
 ./exim-smarthost.nix
+ ./exim.nix
 ./fetchWallpaper.nix
+ ./git.nix
 ./github-hosts-sync.nix
 ./github-known-hosts.nix
- ./git.nix
 ./go.nix
 ./hidden-ssh.nix
 ./hosts.nix
@@ -38,11 +38,12 @@ let
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
- ./permown.nix
 ./per-user.nix
+ ./permown.nix
 ./power-action.nix
 ./reaktor2.nix
 ./realwallpaper.nix
+ ./repo-sync.nix
 ./retiolum-bootstrap.nix
 ./rtorrent.nix
 ./secret.nix
@@ -55,7 +56,6 @@ let
 ./tinc_graphs.nix
 ./upstream
 ./urlwatch.nix
- ./repo-sync.nix
 ./xresources.nix
 ./zones.nix
 ];
--
cgit v1.2.3
From 109f6ab1c5bef23922c6e96b3f3f2dedc81b6d78 Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 27 Jan 2022 12:20:31 +0100
Subject: krebs modules: reorder externals
---
 krebs/3modules/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index cc4f4d492..e8f0d35e4 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -102,13 +102,13 @@ let imp = lib.mkMerge [ { krebs = import ./external { inherit config; }; } + { krebs = import ./external/kmein.nix { inherit config; }; } + { krebs = import ./external/mic92.nix { inherit config; }; } + { krebs = import ./external/palo.nix { inherit config; }; } { krebs = import ./jeschli { inherit config; }; } { krebs = import ./krebs { inherit config; }; } { krebs = import ./lass { inherit config; }; } { krebs = import ./makefu { inherit config; }; } - { krebs = import ./external/palo.nix { inherit config; }; } - { krebs = import ./external/mic92.nix { inherit config; }; } - { krebs = import ./external/kmein.nix { inherit config; }; } { krebs = import ./tv { inherit config; }; } { krebs.dns.providers = {
--
cgit v1.2.3
From 088ff202cc41d516279ea8671d76c1716589df7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 28 Jan 2022 10:13:51 +0100
Subject: mic92: drop ipv4 for yasmin, nardole, bill, graham, ryan
---
 krebs/3modules/external/mic92.nix | 5 -----
 1 file changed, 5 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 27a2beed6..45a139d8c 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -306,7 +306,6 @@ in {
 aliases = [ "yasmin.i" ];
 };
 nets.retiolum = {
- ip4.addr = "10.243.29.197";
 aliases = [
 "yasmin.r"
 ];
@@ -414,7 +413,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.195";
 aliases = [ "bill.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -445,7 +443,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.173";
 aliases = [ "nardole.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -736,7 +733,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.198";
 aliases = [ "ryan.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -764,7 +760,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.199";
 aliases = [ "graham.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
--
cgit v1.2.3
From 248b3459c7102b094987b8ce9c798f001faacde9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 28 Jan 2022 10:36:12 +0100
Subject: mic92: drop philipsaendig, drop rock ip4
---
 krebs/3modules/external/mic92.nix | 20 --------------------
 1 file changed, 20 deletions(-)
(limited to 'krebs')
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 45a139d8c..dd6f4f456 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -279,25 +279,6 @@ in {
 '';
 };
 };
- philipsaendig = {
- owner = config.krebs.users.mic92;
- nets.retiolum = {
- ip4.addr = "10.243.29.193";
- aliases = [
- "philipsaendig.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
- 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
- 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
- +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
- Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
- oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
 yasmin = {
 owner = config.krebs.users.mic92;
 nets.internet = {
@@ -467,7 +448,6 @@ in {
 owner = config.krebs.users.mic92;
 nets = {
 retiolum = {
- ip4.addr = "10.243.29.171";
 aliases = [
 "rock.r"
 ];
--
cgit v1.2.3
From fca55dd3e94fed2a9d903341f0ffa79bc42f062d Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 29 Jan 2022 19:14:53 +0100
Subject: tinc: restart via reload for less downtimes
---
 krebs/3modules/tinc.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 21ddde1c6..4a54d2950 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -233,6 +233,7 @@ with import ;
 cfg.iproutePackage
 cfg.tincPackage
 ];
+ reloadIfChanged = true;
 serviceConfig = {
 Restart = "always";
 LoadCredential = filter (x: x != "") [
@@ -260,7 +261,7 @@ with import ;
 "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
 "--pidfile=/var/run/tinc.${netname}.pid"
 ];
- ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
+ ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
 SyslogIdentifier = netname;
 };
 }) config.krebs.tinc;
--
cgit v1.2.3
From 510bfbc9b22416359a116f9cdbab74207372b2f5 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 29 Jan 2022 19:23:36 +0100
Subject: sync-containers: remove obsolete .decalartive
---
 krebs/3modules/ci.nix | 2 ++
 krebs/3modules/sync-containers.nix | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
(limited to 'krebs')
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 822dbab61..5efe41786 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -166,6 +166,8 @@ let nick = "buildbot|${hostname}", notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], channels = [{"channel": "#xxx"}], + showBlameList = True, + authz={'force': True}, ) ''];
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index e47f9a3a7..e2caa0834 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -97,7 +97,7 @@ in { ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || : ''; - services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ + services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ devices = ctr.peers; ignorePerms = false; })) cfg.containers);
--
cgit v1.2.3
From 7ec575267cb7d8e7f6636911ececddccac062ab6 Mon Sep 17 00:00:00 2001
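Review bot: With `reloadIfChanged = true;` added in the first hunk, a change to this unit makes the NixOS activation issue a reload, and the second hunk's `ExecReload` then only tells the already running daemon to `tinc -n ${netname} restart`; a new `cfg.tincPackage` in `ExecStart` or a changed `LoadCredential` list (the files under `$CREDENTIALS_DIRECTORY` are set up when the service starts) is therefore not applied until someone restarts the unit by hand. That trade-off is the whole point of the commit, but nothing in the module says so; I would put above the new line `# reloadIfChanged: unit changes go through ExecReload (tinc restart) to avoid tunnel downtime; a new tinc package or changed LoadCredential entries still need a manual unit restart`. Whether the daemon's restart re-executes the binary named on the reload command line or the one it was originally started from is not visible here and is worth confirming before relying on reloads for upgrades. The systemd service attribute set enclosing both hunks starts and ends outside them.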
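Review bot: `authz={'force': True}` on the new line in ci.nix grants the IRC reporter's `force` command to every user (in Buildbot's IRC reporter, inferred from the `buildbot|…` nick, `True` means unrestricted), so anyone who can join `#xxx` can trigger builds on this CI; if that is intended, a comment saying the channel is trusted belongs next to it, otherwise a nick list such as `authz={'force': ['<trusted-nick>']},` (placeholder) keeps the capability with known people. The commit subject (`sync-containers: remove obsolete .decalartive`) does not mention ci.nix at all, so this hunk reads as an unrelated change that deserves its own commit or at least a sentence in the message. Which Buildbot version accepts `showBlameList` and `authz` in this shape cannot be told from the hunk; the reporter constructor call and the Nix string wrapping it start outside the hunk.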
From: lassulus
Date: Sat, 29 Jan 2022 23:45:55 +0100
Subject: tinc.extraConfig: str -> lines
---
 krebs/3modules/tinc.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs')
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 4a54d2950..31371af59 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -48,7 +48,7 @@ with import ; }; extraConfig = mkOption { - type = types.str; + type = types.lines; default = ""; description = '' Extra Configuration to be appended to tinc.conf
--
cgit v1.2.3
From 100b6fc2438db6ca2c7abe0ad525be3b1dd64895 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 30 Jan 2022 10:47:23 +0100
Subject: move acl module to krebs
---
 krebs/3modules/acl.nix | 55 ++++++++++++++++++++++++++++++++++++++++++++++
 krebs/3modules/default.nix | 1 +
 2 files changed, 56 insertions(+)
 create mode 100644 krebs/3modules/acl.nix
(limited to 'krebs')
diff --git a/krebs/3modules/acl.nix b/krebs/3modules/acl.nix
new file mode 100644
index 000000000..9cdbb6cff
--- /dev/null
+++ b/krebs/3modules/acl.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }: let
+ parents = dir:
+ if dir == "/" then
+ [ dir ]
+ else
+ [ dir ] ++ parents (builtins.dirOf dir)
+ ;
+in {
+ options.krebs.acl = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ rule = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ default = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ recursive = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ parents = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ apply ACL to every parent folder
+ '';
+ };
+ };
+ })));
+ default = {};
+ };
+ config = {
+ systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.acl
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ ));
+ RemainAfterExit = true;
+ Type = "simple";
+ };
+ }) config.krebs.acl;
+ };
+}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e8f0d35e4..fc57d8188 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let out = { imports = [ + ./acl.nix ./airdcpp.nix ./announce-activation.nix ./apt-cacher-ng.nix
--
cgit v1.2.3
From be042e3446905e2517b530403bacc63b6de49d34 Mon Sep 17 00:00:00 2001
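Review bot: The three `setfacl` lines in the generated dash script interpolate `${rule.rule}`, `${path}` and `${folder}` straight into shell text, so an attribute key or rule containing whitespace, quotes or other shell metacharacters is word-split or interpreted instead of being passed as one argument; wrapping each with `lib.escapeShellArg` fixes that. `Type = "simple"` together with `RemainAfterExit = true` also means the unit counts as started the moment the script is forked, so anything ordered after an `acl-*` unit can run before the ACLs exist, and `Type = "oneshot"` is the matching type for a run-to-completion script; the rewritten `serviceConfig` lines follow. `parents` recurses through `builtins.dirOf` until it reaches `/`, which presumably never terminates for a key that is not an absolute path, so an assertion or a sentence in the option description stating that keys must be absolute paths would help. The option itself carries no description; a short one saying that the outer key is the directory and `rule` defaults to the inner key (`config._module.args.name`) would make the module self-explanatory.
```nix
        ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
          lib.mapAttrsToList (_: rule: ''
            setfacl -${lib.optionalString rule.recursive "R"}m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}
            ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}"}
            ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg folder}") (parents path))}
          '') rules
        ));
        RemainAfterExit = true;
        # oneshot: dependents ordered after this unit wait until the ACLs are applied
        Type = "oneshot";
```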
From: lassulus
Date: Tue, 1 Feb 2022 13:52:21 +0100
Subject: gum.r: set weight to over 9000
we do this so we never route via gum, which tends to eat our packets and makes it impossible to connect to other peers via gum.
---
 krebs/3modules/makefu/default.nix | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'krebs')
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index b3c09db78..f87802b45 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -219,6 +219,9 @@ in {
 retiolum = {
 via = internet;
 ip4.addr = "10.243.0.213";
+ # never connect via gum (he eats your packets!)
+ tinc.weight = 9001;
+
 aliases = [
 "gum.r"
 "backup.makefu.r"
--
cgit v1.2.3