| author | lassulus <lass@aidsballs.de> | 2015-09-28 18:43:56 +0200 | 
|---|---|---|
| committer | lassulus <lass@aidsballs.de> | 2015-09-28 18:43:56 +0200 | 
| commit | ad5ef3947660cb3ca76b30f908621beb513903a2 (patch) | |
| tree | ed68bb6a682c77a5a87e84ee4a2a7463e8cd13f6 /krebs | |
| parent | a9f6f7ac7b8e70633164d10980d1d041f34be3ac (diff) | |
| parent | c88a7d3be5d9a8ee748cb8bdfac97de3277e0d5e (diff) | |
Merge branch 'tv'
Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/build/default.nix | 52 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 80 | ||||
| -rw-r--r-- | krebs/4lib/types.nix | 48 | ||||
| -rw-r--r-- | krebs/Zhosts/ire | 2 | 
4 files changed, 168 insertions, 14 deletions
diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix
index 4d2f36a02..6097a7b5d 100644
--- a/krebs/3modules/build/default.nix
+++ b/krebs/3modules/build/default.nix
@@ -28,6 +28,42 @@ let
       type = types.user;
     };
+    options.krebs.build.scripts.init = lib.mkOption {
+      type = lib.types.str;
+      default =
+        let
+          inherit (config.krebs.build) host;
+        in
+        ''
+          #! /bin/sh
+          set -efu
+
+          hostname=${host.name}
+          secrets_dir=${config.krebs.build.source.dir.secrets.path}
+          key_type=ed25519
+          key_file=$secrets_dir/ssh.id_$key_type
+          key_comment=$hostname
+
+          if test -e "$key_file"; then
+            echo "Warning: privkey already exists: $key_file" >&2
+          else
+            ssh-keygen \
+                -C "$key_comment" \
+                -t "$key_type" \
+                -f "$key_file" \
+                -N ""
+            rm "$key_file.pub"
+          fi
+
+          pubkey=$(ssh-keygen -y -f "$key_file")
+
+          cat<<EOF
+          # put following into config.krebs.hosts.$hostname:
+          ssh.pubkey = $(echo $pubkey | jq -R .);
+          EOF
+        '';
+    };
+
     options.krebs.build.scripts.deploy = lib.mkOption {
       type = lib.types.str;
       default = ''
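Review bot: The two Nix interpolations at the top of the init script, `hostname=${host.name}` and `secrets_dir=${config.krebs.build.source.dir.secrets.path}`, are spliced into shell assignments unquoted, so a secrets path containing whitespace or a shell metacharacter is not assigned but partly executed, and under `set -e` the script at best aborts after `$key_file` has already been computed from the wrong value. Quoting the assignment, `secrets_dir="${config.krebs.build.source.dir.secrets.path}"`, covers whitespace; a `"` or `$` in the path would still need escaping. The same applies to `echo $pubkey` before `jq -R .`, which should read `echo "$pubkey"`. The script also assumes `ssh-keygen` and `jq` are on PATH without checking, and a one-line comment on the option stating that it generates the host's ed25519 key into the secrets directory and prints the matching `ssh.pubkey` snippet would document its purpose.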
@@ -67,12 +103,16 @@ let
           src=$(type -p nixos-install)
           cat_src() {
             sed < "$src" "$(
-              sed < "$src" -n '
-                  /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
-                  /^nixpkgs=/=
-                  /^NIX_PATH=/,/^$/{/./=}
-                ' \
-                | sed 's:$:s/^/#krebs#/:'
+              { sed < "$src" -n '
+                    /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
+                    /^nixpkgs=/=
+                    /^NIX_PATH=/,/^$/{/./=}
+
+                    # Disable: Copy the NixOS/Nixpkgs sources to the target as
+                    # the initial contents of the NixOS channel.
+                    /^srcs=/,/^ln -sfn /=
+                  '
+              } | sed 's:$:s/^/#krebs#/:'
             )"
           }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index dc30b9c50..f0eb290ca 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -84,13 +84,16 @@ let
         mapAttrsToList (hostname: host:
           mapAttrsToList (netname: net:
             let
-              aliases = toString (unique (longs ++ shorts));
+              aliases = longs ++ shorts;
               providers = dns.split-by-provider net.aliases cfg.dns.providers;
               longs = providers.hosts;
-              shorts = map (removeSuffix ".${cfg.search-domain}") longs;
+              shorts =
+                map (removeSuffix ".${cfg.search-domain}")
+                    (filter (hasSuffix ".${cfg.search-domain}")
+                            longs);
             in
-              map (addr: "${addr} ${aliases}") net.addrs
-          ) host.nets
+              map (addr: "${addr} ${toString aliases}") net.addrs
+          ) (filterAttrs (name: host: host.aliases != []) host.nets)
         ) cfg.hosts
       ));
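Review bot: The new sed address `/^srcs=/,/^ln -sfn /=` is tied to the current text of nixos-install, and a sed range whose end pattern never matches runs to end of input, so if the script ever stops containing a line beginning with `ln -sfn ` every remaining line of nixos-install would be commented out with no error. A comment next to the range saying that it tracks nixos-install's channel-copy block and that a missing end match silently disables the rest of the script would make that dependency visible. The `{ sed ... }` braces around a single command feeding the pipe add nothing and could be dropped. The `''` string holding this deploy script starts and ends outside the hunk.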
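Review bot: In `) (filterAttrs (name: host: host.aliases != []) host.nets)` the lambda's second parameter is a net, not a host, and calling it `host` shadows the `host` bound by `mapAttrsToList (hostname: host:` a few lines up, so the line reads as if it filtered hosts. `(filterAttrs (_: net: net.aliases != []) host.nets)` states what is filtered and avoids the shadowing. The binding this expression belongs to starts before the first context line of the hunk.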
@@ -100,6 +103,36 @@ let
           ([cfg.zone-head-config] ++ combined-hosts) ;
         combined-hosts = (mapAttrsToList (name: value: value.extraZones)  cfg.hosts );
       in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+       services.openssh.hostKeys =
+        let inherit (config.krebs.build.host.ssh) privkey; in
+        mkIf (privkey != null) (mkForce [privkey]);
+       services.openssh.knownHosts =
+        mapAttrs
+          (name: host: {
+            hostNames =
+              concatLists
+                (mapAttrsToList
+                  (net-name: net:
+                    let
+                      aliases = shorts ++ longs;
+                      longs = net.aliases;
+                      shorts =
+                        map (removeSuffix ".${cfg.search-domain}")
+                            (filter (hasSuffix ".${cfg.search-domain}")
+                                    longs);
+                      add-port = a:
+                        if net.ssh.port != null
+                          then "[${a}]:${toString net.ssh.port}"
+                          else a;
+                    in
+                    aliases ++ map add-port net.addrs)
+                  host.nets);
+             publicKey = host.ssh.pubkey;
+          })
+          (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
     }
   ];
@@ -501,6 +534,7 @@ let
               "cgit.cd.viljetic.de"
               "cd.krebsco.de"
             ];
+            ssh.port = 11423;
           };
           retiolum = {
             via = internet;
@@ -527,6 +561,8 @@ let
             '';
           };
         };
+        ssh.privkey.path = <secrets/ssh.id_ed25519>;
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6";
       };
       mkdir = rec {
         cores = 1;
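Review bot: In the knownHosts entry, `add-port` is applied only to `net.addrs` while the `aliases` are listed bare, but OpenSSH looks up the `[host]:port` form in known_hosts whenever the port is not 22, so for the hosts this commit gives `ssh.port = 11423` (cd and ire) the alias entries never match and connecting by alias falls back to an unverified first-use prompt, which is what pinning the keys here is meant to avoid. Applying the helper to both lists fixes it: `map add-port (aliases ++ net.addrs)`. The `hostKeys` line forces `[privkey]`, where `privkey` is the whole `ssh.privkey` submodule including a possibly null `bits`; whether the openssh module tolerates `bits = null` is not visible here and worth checking. The `@@ -501` and `@@ -527` hunks on this line only add host data.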
@@ -534,7 +570,7 @@ let
         infest.addr = head nets.internet.addrs4;
         nets = rec {
           internet = {
-            addrs4 = ["104.233.84.102"];
+            addrs4 = ["104.233.84.173"];
             aliases = [
               "mkdir.internet"
             ];
@@ -559,6 +595,35 @@ let
             '';
           };
         };
+        ssh.privkey.path = <secrets/ssh.id_ed25519>;
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw";
+      };
+      ire = {
+        nets = {
+          internet = {
+            addrs4 = ["198.147.22.115"];
+            ssh.port = 11423;
+          };
+          retiolum = {
+            addrs4 = ["10.243.231.66"];
+            addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
+            aliases = [
+              "ire.retiolum"
+            ];
+            tinc.pubkey = ''
+              -----BEGIN RSA PUBLIC KEY-----
+              MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7
+              rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt
+              6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU
+              1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K
+              LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu
+              nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB
+              -----END RSA PUBLIC KEY-----
+            '';
+            ssh.port = 11423;
+          };
+        };
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY";
       };
       nomic = {
         cores = 2;
@@ -584,6 +649,7 @@ let
           };
         };
         secure = true;
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09";
       };
       rmdir = rec {
         cores = 1;
@@ -616,6 +682,8 @@ let
             '';
           };
         };
+        ssh.privkey.path = <secrets/ssh.id_ed25519>;
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4";
       };
       wu = {
         cores = 4;
@@ -641,6 +709,7 @@ let
           };
         };
         secure = true;
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
       };
       xu = {
         cores = 4;
@@ -666,6 +735,7 @@ let
           };
         };
         secure = true;
+        ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw";
       };
     };
     users = addNames {
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index dbffdf850..0aa594fb1 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -1,11 +1,12 @@
 { lib, ... }:
+with builtins;
 with lib;
 with types;
 types // rec {
-  host = submodule {
+  host = submodule ({ config, ... }: {
     options = {
       name = mkOption {
         type = label;
@@ -46,8 +47,39 @@ types // rec {
           TODO define minimum requirements for secure hosts
         '';
       };
+       ssh.pubkey = mkOption {
+        type = nullOr str;
+        default = null;
+        apply = x:
+          if x != null
+            then x
+            else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
+      };
+      ssh.privkey = mkOption {
+        type = nullOr (submodule {
+          options = {
+            bits = mkOption {
+              type = nullOr (enum ["4096"]);
+              default = null;
+            };
+            path = mkOption {
+              type = either path str;
+              apply = x: {
+                path = toString x;
+                string = x;
+              }.${typeOf x};
+            };
+            type = mkOption {
+              type = enum ["rsa" "ed25519"];
+              default = "ed25519";
+            };
+          };
+        });
+        default = null;
+      };
     };
-  };
+  });
   net = submodule ({ config, ... }: {
     options = {
@@ -71,6 +103,18 @@ types // rec {
       aliases = mkOption {
         # TODO nonEmptyListOf hostname
         type = listOf hostname;
+        default = [];
+      };
+      ssh = mkOption {
+        type = submodule {
+          options = {
+            port = mkOption {
+              type = nullOr int;
+              default = null;
+            };
+          };
+        };
+        default = {};
       };
       tinc = mkOption {
         type = let net-config = config; in nullOr (submodule ({ config, ... }: {
diff --git a/krebs/Zhosts/ire b/krebs/Zhosts/ire
index 724158cb0..db4f9808c 100644
--- a/krebs/Zhosts/ire
+++ b/krebs/Zhosts/ire
@@ -1,4 +1,4 @@
-Address = 198.147.23.143
+Address = 198.147.22.115
 Subnet = 10.243.231.66
 Subnet = 42:b912:0f42:a82d:0d27:8610:e89b:490c  |
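Review bot: The `path` option's `apply` converts a Nix path value with `toString` and passes a string through unchanged, but nothing says why; interpolating a path value into a string or derivation copies the file into the world-readable Nix store, whereas `toString` yields only the filesystem path, so this is what keeps the private key out of the store and deserves a comment on the `apply` line such as `# toString on a path value: "${x}" would copy the secret into the Nix store`. The `trace` in `ssh.pubkey`'s `apply` fires on every evaluation for every host without a pubkey, which is most hosts until they are migrated, so it may be worth gating or dropping. `bits` is typed `enum ["4096"]` as a string while the default `type` is ed25519, where bits are ignored; a short comment on that would help. The `@@ -71` hunk and the Zhosts/ire change are data-only.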
