-rw-r--r--ci.nix8
-rw-r--r--default.nix2
-rw-r--r--flake.lock51
-rw-r--r--flake.nix1
-rw-r--r--krebs/1systems/hotdog/config.nix11
-rw-r--r--krebs/1systems/ponte/config.nix12
-rw-r--r--krebs/1systems/puyak/config.nix6
-rw-r--r--krebs/2configs/buildbot-stockholm.nix2
-rw-r--r--krebs/2configs/hw/x220.nix4
-rw-r--r--krebs/2configs/nameserver.nix4
-rw-r--r--krebs/2configs/reaktor2.nix10
-rw-r--r--krebs/2configs/repo-sync.nix7
-rw-r--r--krebs/3modules/ci/default.nix2
-rw-r--r--krebs/3modules/github/known-hosts.nix1
-rw-r--r--krebs/3modules/hosts.nix1
-rw-r--r--krebs/3modules/iptables.nix8
-rw-r--r--krebs/3modules/per-user.nix7
-rw-r--r--krebs/3modules/permown.nix6
-rw-r--r--krebs/3modules/reaktor2.nix6
-rw-r--r--krebs/3modules/secret.nix2
-rw-r--r--krebs/3modules/setuid.nix7
-rw-r--r--krebs/3modules/ssh.nix38
-rw-r--r--krebs/3modules/sync-containers3.nix4
-rw-r--r--krebs/3modules/tinc.nix20
-rw-r--r--krebs/3modules/urlwatch.nix1
-rw-r--r--krebs/3modules/zones.nix3
-rw-r--r--krebs/5pkgs/simple/K_belwagen.nix38
-rw-r--r--krebs/5pkgs/simple/TabFS/src.json2
-rw-r--r--krebs/5pkgs/simple/airdcpp-webclient/default.nix2
-rw-r--r--krebs/5pkgs/simple/certaids.nix114
-rw-r--r--krebs/5pkgs/simple/collectd-connect-time/default.nix6
-rw-r--r--krebs/5pkgs/simple/default.nix10
-rw-r--r--krebs/5pkgs/simple/dic/default.nix39
-rw-r--r--krebs/5pkgs/simple/ecrypt/default.nix111
-rw-r--r--krebs/5pkgs/simple/eximlog.nix28
-rw-r--r--krebs/5pkgs/simple/font-size.nix1
-rw-r--r--krebs/5pkgs/simple/git-hooks/default.nix1
-rw-r--r--krebs/5pkgs/simple/gitignore.nix42
-rw-r--r--krebs/5pkgs/simple/hashPassword/default.nix15
-rw-r--r--krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur36
-rw-r--r--krebs/5pkgs/simple/htgen/default.nix2
-rw-r--r--krebs/5pkgs/simple/logf/default.nix112
-rw-r--r--krebs/5pkgs/simple/netcup/default.nix33
-rw-r--r--krebs/5pkgs/simple/nixos-format-error.nix107
-rw-r--r--krebs/5pkgs/simple/reaktor2-plugins/default.nix2
-rw-r--r--krebs/5pkgs/simple/repo-sync/default.nix2
-rw-r--r--krebs/5pkgs/simple/treq/default.nix8
-rw-r--r--krebs/5pkgs/simple/with-tmpdir/default.nix29
-rw-r--r--lib/default.nix1
-rw-r--r--lib/eval-source.nix3
-rw-r--r--lib/impure.nix3
-rw-r--r--lib/pure.nix4
-rw-r--r--lib/types.nix24
53 files changed, 208 insertions, 791 deletions
diff --git a/ci.nix b/ci.nix
index 212114538..1aecc8e70 100644
--- a/ci.nix
+++ b/ci.nix
@@ -1,6 +1,6 @@
# usage: nix-instantiate --eval --json --read-write-mode --strict ci.nix | jq .
-with import ./lib;
let
+ lib = pkgs.lib;
pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; };
system =
import <nixpkgs/nixos/lib/eval-config.nix> {
@@ -16,9 +16,9 @@ let
}
;
- ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts;
+ ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts;
build = host: owner:
- ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-build";});
+ ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${builtins.getEnv "HOME"}/stockholm-build";});
-in mapAttrs (n: h: build n h.owner.name) ci-systems
+in lib.mapAttrs (n: h: build n h.owner.name) ci-systems
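Review bot: `builtins.getEnv "HOME"` on the `build` line yields an empty string when HOME is unset (a sandboxed or non-login CI runner), so the target becomes `/stockholm-build` at the filesystem root rather than failing loudly. Bind it once and fail early, e.g. `home = let h = builtins.getEnv "HOME"; in if h == "" then throw "ci.nix: HOME is unset" else h;` in the `let`, and use `"${home}/stockholm-build"` as the target. The first hunk's `lib = pkgs.lib;` is fine as a recursive let binding, though `inherit (pkgs) lib;` would read more idiomatically.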
diff --git a/default.nix b/default.nix
index 9368dcd9e..45b4f03f6 100644
--- a/default.nix
+++ b/default.nix
@@ -1,7 +1,7 @@
import <nixpkgs/nixos> {} // rec {
lib = import ./lib;
systems = with lib; let
- namespace = getEnv "LOGNAME";
+ namespace = krebs;
systemsDir = <stockholm> + "/${namespace}/1systems";
in
genAttrs
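Review bot: `namespace = krebs;` is a bare identifier, not a string, so unless the `lib` pulled in by `with lib;` on the line above happens to export a string-valued `krebs`, evaluation fails with an undefined-variable error at the `"${namespace}"` interpolation on the next line. The replacement for `getEnv "LOGNAME"` almost certainly wants the literal `namespace = "krebs";`. A short comment saying the namespace is now fixed rather than taken from the environment would also help, since this changes which `1systems` directory is enumerated for everyone.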
diff --git a/flake.lock b/flake.lock
index b11c289b4..c7b051683 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
- "lastModified": 1760516981,
- "narHash": "sha256-4AYTAH7WDL6C6WKktc9UEQRiav6oPzVpKuFWRyYeuTQ=",
+ "lastModified": 1768927382,
+ "narHash": "sha256-qdmb8Pm73PADLgO8Q06QfyPbEQS6el9Si+dGQc3TB1I=",
"owner": "Mic92",
"repo": "buildbot-nix",
- "rev": "01dfc9a07c070092e3187be8edbd2243a9e301a5",
+ "rev": "eb4e904a8dc1aa12a964752e4fd9977c6aead724",
"type": "github"
},
"original": {
@@ -31,11 +31,11 @@
]
},
"locked": {
- "lastModified": 1756770412,
- "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+ "lastModified": 1768135262,
+ "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "4524271976b625a4a605beefd893f270620fd751",
+ "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
"type": "github"
},
"original": {
@@ -71,11 +71,11 @@
]
},
"locked": {
- "lastModified": 1758022363,
- "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=",
+ "lastModified": 1768476106,
+ "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
- "rev": "1a3667d33e247ad35ca250698d63f49a5453d824",
+ "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb",
"type": "github"
},
"original": {
@@ -87,7 +87,9 @@
"nix-writers": {
"inputs": {
"flake-utils": "flake-utils",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
},
"locked": {
"lastModified": 1677612737,
@@ -105,26 +107,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1677608380,
- "narHash": "sha256-k82O23qBAK+43X0KSBjsMYXG2x4kWWXeAmpPTc2KRGY=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "4aba90e89f6d4ac6138939961f62842bd94ec929",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
- "nixpkgs_2": {
- "locked": {
- "lastModified": 1760878510,
- "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=",
+ "lastModified": 1768886240,
+ "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67",
+ "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
"type": "github"
},
"original": {
@@ -138,7 +125,7 @@
"inputs": {
"buildbot-nix": "buildbot-nix",
"nix-writers": "nix-writers",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs"
}
},
"treefmt-nix": {
@@ -149,11 +136,11 @@
]
},
"locked": {
- "lastModified": 1758728421,
- "narHash": "sha256-ySNJ008muQAds2JemiyrWYbwbG+V7S5wg3ZVKGHSFu8=",
+ "lastModified": 1768158989,
+ "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
"owner": "numtide",
"repo": "treefmt-nix",
- "rev": "5eda4ee8121f97b218f7cc73f5172098d458f1d1",
+ "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index c3a218dcf..527e4c8ef 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,7 @@
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-writers.url = "git+https://cgit.krebsco.de/nix-writers";
+ nix-writers.inputs.nixpkgs.follows = "nixpkgs";
# disko.url = "github:nix-community/disko";
# disko.inputs.nixpkgs.follows = "nixpkgs";
buildbot-nix.url = "github:Mic92/buildbot-nix";
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 91071ec85..655192077 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -5,6 +5,17 @@
../../../krebs
../../../krebs/2configs
../../../krebs/2configs/nginx.nix
+ {
+ # Cherry-pick services.nginx.recommendedTlsSettings to fix:
+ # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform
+ services.nginx.recommendedTlsSettings = lib.mkForce false;
+ services.nginx.appendHttpConfig = ''
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_prefer_server_ciphers off;
+ '';
+ }
../../../krebs/2configs/binary-cache/nixos.nix
../../../krebs/2configs/ircd.nix
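Review bot: The inline replacement for `services.nginx.recommendedTlsSettings` copies four directives but does not say what it deliberately leaves out, so nobody can tell later whether the omission of the rest of the upstream block (it contains the failing `ssl_conf_command` plus, I believe, OCSP stapling directives) was intended or an oversight. Extend the comment to state which nixpkgs directives were dropped and why, e.g. `# Omits ssl_conf_command (unsupported here) and ssl_stapling*; revisit when nginx is built against a newer OpenSSL.` Also note that `lib.mkForce` relies on `lib` being a parameter of this file's function, whose header lies outside the hunk.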
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8bb14d517..5deeb9923 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -8,6 +8,18 @@
<stockholm/krebs/2configs/nameserver.nix>
];
+ #networking.defaultGateway6 = {
+ # address = "fe80::1";
+ # interface = "ens3";
+ #};
+ #networking.interfaces.ens3.ipv6.addresses = [
+ # {
+ # # old: address = "2a03:4000:13:4c::1";
+ # address = "2a03:4000:1a:cf::1"; #/64"
+ # prefixLength = 64;
+ # }
+ #];
+
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.logRefusedConnections = false;
networking.firewall.logRefusedUnicastsOnly = false;
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 0c361cc42..60479fd90 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -27,11 +27,11 @@
### shackspace ###
# handle the worlddomination map via coap
- ../../2configs/shack/worlddomination.nix
+ #../../2configs/shack/worlddomination.nix (FIXME error: python3.13-LinkHeader-0.4.3 does not configure a `format`. To build with setuptools as before, set `pyproject = true` and `build-system = [ setuptools ]`.)
../../2configs/shack/ssh-keys.nix
# drivedroid.shack for shackphone
- ../../2configs/shack/drivedroid.nix
+ #../../2configs/shack/drivedroid.nix (FIXME error: attribute 'drivedroid-gen-repo' missing)
# ../../2configs/shack/nix-cacher.nix
# Say if muell will be collected
@@ -70,7 +70,7 @@
# ../../2configs/shack/share.nix
# mobile.lounge.mpd.shack
- ../../2configs/shack/mobile.mpd.nix
+ #../../2configs/shack/mobile.mpd.nix (FIXME Compatibility with CMake < 3.5 has been removed from CMake.)
# hass.shack
../../2configs/shack/glados
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 32452e010..c51d3c651 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -19,7 +19,6 @@ with import ../../lib/pure.nix { inherit lib; };
enable = true;
repos = {
disko.urls = [
- "http://cgit.gum.r/disko"
"http://cgit.ni.r/disko"
"http://cgit.orange.r/disko"
];
@@ -33,7 +32,6 @@ with import ../../lib/pure.nix { inherit lib; };
"http://cgit.orange.r/nix-writers"
];
stockholm.urls = [
- "http://cgit.gum.r/stockholm"
"http://cgit.ni.r/stockholm"
"http://cgit.orange.r/stockholm"
];
diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix
index a797673c9..937a20c29 100644
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@@ -17,8 +17,8 @@
};
hardware.opengl.extraPackages = [
- pkgs.vaapiIntel
- pkgs.vaapiVdpau
+ pkgs.intel-vaapi-driver
+ pkgs.libva-vdpau-driver
];
services.xserver = {
diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix
index fb22dc6f9..c394f312d 100644
--- a/krebs/2configs/nameserver.nix
+++ b/krebs/2configs/nameserver.nix
@@ -146,10 +146,14 @@ in {
'';
};
+ #krebs.systemd.services.knot.restartIfCredentialsChange = true;
systemd.services."knsupdate-krebsco.de" = {
serviceConfig = {
Type = "oneshot";
SyslogIdentifier = "knsupdate-krebsco.de";
+ #LoadCredential = [
+ # "keys.conf:/var/src/secrets/knot-keys.conf"
+ #];
ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
set -efu
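Review bot: The commented-out `LoadCredential` block and the commented `restartIfCredentialsChange` line are left without any note on why they are disabled, so the next reader cannot tell whether this is a half-finished migration of the knot TSIG keys into systemd credentials or an abandoned experiment. Add a one-line comment above them such as `# TODO: switch to LoadCredential once the knot unit restarts on credential changes; until then the key file is read directly from the secrets directory.` If the ExecStart below still reads the key path directly (it is outside the visible lines), say so explicitly so the two paths do not drift apart.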
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index e7d348d50..600f7cd6d 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -235,20 +235,20 @@ let
env.TASKDATA = "${stateDir}/${name}";
commands = rec {
add.filename = pkgs.writers.writeDash "${name}-task-add" ''
- ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1"
+ ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add "$1"
'';
list.filename = pkgs.writers.writeDash "${name}-task-list" ''
- ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export \
+ ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export \
| ${pkgs.jq}/bin/jq -r '
.[] | select(.id != 0) | "\(.id) \(.description)"
'
'';
delete.filename = pkgs.writers.writeDash "${name}-task-delete" ''
- ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1"
+ ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} delete "$1"
'';
del = delete;
done.filename = pkgs.writers.writeDash "${name}-task-done" ''
- ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1"
+ ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} done "$1"
'';
};
};
@@ -456,7 +456,7 @@ in {
printf 'HTTP/1.1 200 OK\r\n'
printf 'Connection: close\r\n'
printf '\r\n'
- TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export
+ TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export
exit
;;
esac
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index a488fdfea..1c7ed4719 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -98,7 +98,7 @@ in {
krebs.secret.files.konsens = {
path = "/var/lib/konsens/.ssh/id_ed25519";
owner = konsens-user;
- source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
+ source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";
};
imports = [
@@ -107,9 +107,10 @@ in {
desc = "take all computers hostage, they love it";
section = "configuration";
remotes = {
- makefu = "http://cgit.gum.r/stockholm";
- tv = "http://cgit.ni.r/stockholm";
+ krebs = "https://github.com/krebs/stockholm";
lassulus = "http://cgit.orange.r/stockholm";
+ makefu = "https://cgit.euer.krebsco.de/makefu/stockholm.git";
+ tv = "http://cgit.ni.r/stockholm";
};
})
({ krebs.git = defineRepo {
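Review bot: Adding `krebs = "https://github.com/krebs/stockholm"` introduces a remote hosted outside the `.r` network into the set that konsens (described two lines up as taking "all computers hostage") consumes; if konsens merges every listed remote automatically, anyone with push rights on that GitHub repository can now land configuration on all hosts, which is a wider trust boundary than the previous cgit-only list. A comment recording that this is intended, and which branch or key material gates it, would make the decision auditable. The first hunk's removal of the stray `>` from the konsens key path is a genuine fix and needs nothing further.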
diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix
index 1f029276a..18fe46a98 100644
--- a/krebs/3modules/ci/default.nix
+++ b/krebs/3modules/ci/default.nix
@@ -50,7 +50,7 @@ let
"${url}",
workdir='${name}-${elemAt(splitString "." url) 1}', branches=True,
project='${name}',
- pollinterval=30
+ pollInterval=30
)
'') repo.urls
) cfg.repos;
diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix
index 3725ff2b8..6f10452e9 100644
--- a/krebs/3modules/github/known-hosts.nix
+++ b/krebs/3modules/github/known-hosts.nix
@@ -8,4 +8,5 @@
;
publicKey = "ssh-rsa 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";
};
+ # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
}
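Review bot: The new `ssh-ed25519` line is a comment, so it does not pin anything: clients will still accept only the RSA key above, and a reader may assume the ed25519 key is trusted when it is not. Either register it through the same `publicKey` mechanism as the RSA key or drop it, and in either case record where it was obtained (GitHub's published host-key list) so it can be re-verified, e.g. `# ed25519 host key as published by GitHub; verify against their meta API before enabling.`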
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index 51aeefb9f..148b58d14 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -2,7 +2,6 @@
with lib; let
check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers);
- # we need this import because we have infinite recursion otherwise
slib = lib.slib or (import ../../lib/pure.nix { inherit lib; });
in {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 16f1f3c84..1cde42dc3 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -19,6 +19,14 @@ let
api = {
enable = mkEnableOption "iptables";
+ rules4 = mkOption {
+ default = buildTables "v4" cfg.tables;
+ };
+
+ rules6 = mkOption {
+ default = buildTables "v6" cfg.tables;
+ };
+
#tables.filter.INPUT = {
# policy = "DROP";
# rules = [
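Review bot: `rules4` and `rules6` are declared with only a `default`, no `type` and no `readOnly`, so a user module can silently set `krebs.iptables.rules4` to anything and bypass the rules generated from `tables`, and two conflicting definitions produce the generic untyped-merge error. Assuming `buildTables` yields the iptables-restore text, add `type = types.str;` and `readOnly = true;` to both options (with `types` from lib), plus a `description` stating they are the rendered rule set derived from `tables`. The enclosing `api` attrset continues outside the hunk.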
diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix
index c0368ee85..f83a29acb 100644
--- a/krebs/3modules/per-user.nix
+++ b/krebs/3modules/per-user.nix
@@ -28,7 +28,12 @@ in {
};
})
(filterAttrs (_: per-user: per-user.packages != []) cfg);
- profiles = ["/etc/per-user/$LOGNAME"];
+
+ # XXX this breaks /etc/pam/environment because $LOGNAME doesn't get
+ # replaced by @{PAM_USER} the way $USER does.
+ # See <nixpkgs/nixos/modules/config/system-environment.nix>
+ #profiles = ["/etc/per-user/$LOGNAME"];
+ profiles = ["/etc/per-user/$USER"];
};
};
}
diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix
index d65ce2a31..51f5cb752 100644
--- a/krebs/3modules/permown.nix
+++ b/krebs/3modules/permown.nix
@@ -73,6 +73,12 @@ with lib; {
pkgs.findutils
pkgs.inotify-tools
];
+ # TODO
+ # der code könnte aber bisschen vorbereitet werden, damit man später einfach file-modes einbauen kann
+ # die drei finds müssten zu `find "$ROOT_PATH" -exec ${permown}` {} \;` werden
+ # und der while-block zu:
+ # ${permown} "$path" (egal ob vor oder nach dem if test -d)
+ # und dann müsste man danach nur das permown script bearbeiten
serviceConfig = {
ExecStart = pkgs.writeDash "permown" ''
set -efu
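Review bot: The new TODO is written in German while the rest of the file is in English, and it contains a stray backtick in `${permown}` {} \;` that will confuse anyone copying the suggested command. Rewrite it in English, e.g. `# TODO: prepare for file-mode support: replace the three find calls with find "$ROOT_PATH" -exec ${permown} {} \; and the while-block body with ${permown} "$path"; afterwards only the permown script needs changing.` The `serviceConfig` it annotates continues beyond the hunk.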
diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix
index b977df99a..d552178f9 100644
--- a/krebs/3modules/reaktor2.nix
+++ b/krebs/3modules/reaktor2.nix
@@ -69,6 +69,12 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
Group = "reaktor2";
DynamicUser = true;
StateDirectory = cfg.username;
+ #ExecStartPre = [
+ # (pkgs.writeDash "test-dynamic-user" ''
+ # set -efux
+ # ${pkgs.coreutils}/bin/id
+ # '')
+ #];
ExecStart = let
configFile = pkgs.writers.writeJSON configFileName configValue;
configFileName = "${cfg.systemd-service-name}.config.json";
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
index 13c4ecaec..ad9ceccbe 100644
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@@ -15,7 +15,7 @@ in {
secret-file
else
secret-file // {
- source-path = "${config.krebs.secret.directory}/secret-file.source-path";
+ source-path = "${config.krebs.secret.directory}/${secret-file.source-path}";
}
);
};
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index ce41548ae..d13fcccaa 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -33,7 +33,7 @@ let
};
capabilities = mkOption {
default = [];
- type = types.listOf types.str;
+ type = types.listOf types.str; # TODO
};
owner = mkOption {
default = "root";
@@ -52,6 +52,8 @@ let
merge = mergeOneOption;
};
};
+ # TODO clear non-standard wrapperDirs
+ # TODO? allow only wrapperDirs below /run/wrappers?
wrapperDir = mkOption {
default = config.security.wrapperDir;
type = types.absolute-pathname;
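Review bot: The two TODOs acknowledge that `wrapperDir` currently accepts any absolute path, which means a setuid wrapper can be placed on a persistent, non-tmpfs filesystem where it outlives the activation that created it and is not covered by the cleanup of `/run/wrappers`. Restricting it is the right call rather than a question; a `check` on the option such as `check = p: types.absolute-pathname.check p && lib.hasPrefix "/run/wrappers/" p;` (or an assertion in `imp`) closes that gap. The first hunk's bare `# TODO` on the `capabilities` type should say what is intended (presumably a validated capability-name type) so it is actionable.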
@@ -73,13 +75,16 @@ let
chown ${cfg.owner}:${cfg.group} ${dst}
chmod ${cfg.mode} ${dst}
${optionalString (cfg.capabilities != []) /* sh */ ''
+ set -x
${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ set +x
''}
'';
}));
};
imp = {
+ # run after "wrappers" so config.security.wrapperDir can be hijacked.
systemd.services."krebs.setuid" = {
wantedBy = [ "suid-sgid-wrappers.service" ];
after = [ "suid-sgid-wrappers.service" ];
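Review bot: `set -x` / `set +x` around the `setcap` call leaves shell tracing permanently enabled in a privileged activation script, so every run writes the traced command to the journal; if this is for diagnosing setcap failures, prefer an explicit `echo "setcap ${...} ${dst}" >&2` or a temporary flag rather than committing debug tracing. The new comment "so config.security.wrapperDir can be hijacked" describes intent in alarming terms; `# ordered after suid-sgid-wrappers.service so our wrappers are installed into the wrapperDir it created` says the same thing without suggesting a takeover. The systemd unit definition continues outside the hunk.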
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index aba825c29..012b365fb 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -62,24 +62,26 @@ let
}
]));
- programs.ssh.extraConfig = concatMapStrings
- (net: ''
- Host ${toString (net.aliases ++ net.addrs)}
- Port ${toString net.ssh.port}
- '')
- (filter
- (net: net.ssh.port != 22)
- (concatMap (host: attrValues host.nets)
- (mapAttrsToList
- (_: host: recursiveUpdate host
- (optionalAttrs (cfg.dns.search-domain != null &&
- hasAttr cfg.dns.search-domain host.nets) {
- nets."" = host.nets.${cfg.dns.search-domain} // {
- aliases = [host.name];
- addrs = [];
- };
- }))
- config.krebs.hosts)));
+ programs.ssh.extraConfig =
+ mkBefore/*<-KILLME*/
+ (concatMapStrings
+ (net: ''
+ Host ${toString (net.aliases ++ net.addrs)}
+ Port ${toString net.ssh.port}
+ '')
+ (filter
+ (net: net.ssh.port != 22)
+ (concatMap (host: attrValues host.nets)
+ (mapAttrsToList
+ (_: host: recursiveUpdate host
+ (optionalAttrs (cfg.dns.search-domain != null &&
+ hasAttr cfg.dns.search-domain host.nets) {
+ nets."" = host.nets.${cfg.dns.search-domain} // {
+ aliases = [host.name];
+ addrs = [];
+ };
+ }))
+ config.krebs.hosts))));
}
];
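Review bot: `mkBefore/*<-KILLME*/` ships an unexplained marker instead of the reason the ordering matters: ssh_config uses the first value obtained for each parameter, so these per-host `Port` entries must precede any generic `Host *` stanza that other modules append to `extraConfig`, and that is exactly what `mkBefore` guarantees. Replace the marker with that explanation, e.g. `# mkBefore: ssh takes the first matching value, so host-specific Port lines must precede any Host * defaults.` If the author really intends to remove `mkBefore`, the comment should instead say what has to change first.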
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 872f04db2..cbffeb6f3 100644
--- a/krebs/3modules