| -rw-r--r-- | krebs/3modules/permown.nix | 20 | ||||
| -rw-r--r-- | krebs/3modules/tinc.nix | 39 | ||||
| -rw-r--r-- | krebs/3modules/tv/default.nix | 27 | ||||
| -rw-r--r-- | lib/types.nix | 4 | ||||
| -rw-r--r-- | tv/1systems/alnus/config.nix | 13 | ||||
| -rw-r--r-- | tv/1systems/au/config.nix | 18 | ||||
| -rw-r--r-- | tv/1systems/au/disks.nix | 19 | ||||
| -rw-r--r-- | tv/2configs/nets/hkw.nix | 14 | 
8 files changed, 141 insertions, 13 deletions
| diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix index fe293810c..ca81e2ea5 100644 --- a/krebs/3modules/permown.nix +++ b/krebs/3modules/permown.nix @@ -18,6 +18,15 @@ with import <stockholm/lib>;            default = null;            type = types.nullOr types.groupname;          }; +        keepGoing = mkOption { +          default = false; +          type = types.bool; +          description = '' +            Whether to keep going when chowning or chmodding fails. +            If set to false, then errors will cause the service to restart +            instead. +          ''; +        };          owner = mkOption {            type = types.username;          }; @@ -43,7 +52,12 @@ with import <stockholm/lib>;        '';      in concatMapStrings mkdir plans; -    systemd.services = genAttrs' plans (plan: { +    systemd.services = genAttrs' plans (plan: let +      continuable = command: +        if plan.keepGoing +          then /* sh */ "{ ${command}; } || :" +          else command; +    in {        name = "permown.${replaceStrings ["/"] ["_"] plan.path}";        value = {          environment = { @@ -82,9 +96,9 @@ with import <stockholm/lib>;                  cleanup                  exec "$0" "$@"                fi -              chown -h "$OWNER_GROUP" "$path" +              ${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''}                if test -f "$path"; then -                chmod "$FILE_MODE" "$path" +                ${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''}                fi              done < "$paths"            ''; diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 1fca7de5c..0f5e1aa83 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix 
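Review bot: With `keepGoing = true` the `continuable` helper in the second permown hunk turns a failed chown or chmod into `{ ${command}; } || :`, which discards the failure without a trace, so a path the service can never fix is silently skipped forever. Keeping the service running while still recording the skip would be `{ ${command}; } || echo "permown: failed: ${command}" >&2`, which lands in the unit's journal. If that is adopted, the option description in the first hunk should say so, e.g. `Failed chown/chmod calls are logged and skipped instead of restarting the service.`. The `while read` loop that the third hunk patches starts and ends outside the hunk.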
@@ -29,6 +29,9 @@ let                  Interface = ${netname}                  Broadcast = no                  ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} +                ${optionalString (tinc.config.privkey_ed25519 != null) +                  "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}" +                }                  PrivateKeyFile = ${tinc.config.privkey.path}                  Port = ${toString tinc.config.host.nets.${netname}.tinc.port}                  ${tinc.config.extraConfig} @@ -165,6 +168,17 @@ let            };          }; +        privkey_ed25519 = mkOption { +          type = types.nullOr types.secret-file; +          default = +            if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else { +              name = "${tinc.config.netname}.ed25519_key.priv"; +              path = "${tinc.config.user.home}/tinc.ed25519_key.priv"; +              owner = tinc.config.user; +              source-path = toString <secrets> + "/${tinc.config.netname}.ed25519_key.priv"; +            }; +        }; +          connectTo = mkOption {            type = types.listOf types.str;            ${if tinc.config.netname == "retiolum" then "default" else null} = [ 
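Review bot: The default for `privkey_ed25519` in the second hunk reaches the host record through `config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519`, while the first hunk reads the same record as `tinc.config.host.nets.${netname}.tinc.port`; if `tinc.config.host` is that attrset (it looks like it, but the option is defined outside these hunks), `tinc.config.host.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null` is shorter and consistent with the rest of the module. The new option also has no `description`; suggest `description = "Secret file holding this network's Ed25519 private key; null unless the host declares tinc.pubkey_ed25519.";`. Nothing in this diff writes `pubkey_ed25519` into the generated hosts files; if that generation lives in the part of the module not shown here it presumably needs the same treatment, otherwise peers never see the Ed25519 key they are meant to verify.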
@@ -198,8 +212,23 @@ let      # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,      # avoid conflicts in environment if the packages differ -    krebs.secret.files = mapAttrs' (netname: cfg: -      nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; +    krebs.secret.files = +      let +        ed25519_keys = +          filterAttrs +            (_: key: key != null) +            (mapAttrs' +              (netname: cfg: +                nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519 +              ) +              config.krebs.tinc); + +        rsa_keys = +          mapAttrs' +            (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey) +            config.krebs.tinc; +      in +        ed25519_keys // rsa_keys;      users.users = mapAttrs' (netname: cfg:        nameValuePair "${netname}" { @@ -221,11 +250,15 @@ let        in {          description = "Tinc daemon for ${netname}";          after = [ -          config.krebs.secret.files."${netname}.rsa_key.priv".service            "network.target" +          config.krebs.secret.files."${netname}.rsa_key.priv".service +        ] ++ optionals (cfg.privkey_ed25519 != null) [ +          config.krebs.secret.files."${netname}.ed25519_key.priv".service          ];          partOf = [            config.krebs.secret.files."${netname}.rsa_key.priv".service +        ] ++ optionals (cfg.privkey_ed25519 != null) [ +          config.krebs.secret.files."${netname}.ed25519_key.priv".service          ];          wantedBy = [ "multi-user.target" ];          path = [ tinc iproute ]; diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index c2bf406f1..c86fda05d 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix 
@@ -55,6 +55,33 @@ in {        ssh.privkey.path = <secrets/ssh.id_rsa>;        ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";      }; +    au = { +      ci = true; +      cores = 4; +      nets = { +        retiolum = { +          ip4.addr = "10.243.13.39"; +          aliases = [ +            "au.r" +          ]; +          tinc.pubkey = '' +            -----BEGIN RSA PUBLIC KEY----- +            MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z +            9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm +            PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb +            PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG +            cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83 +            jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB +            -----END RSA PUBLIC KEY----- +          ''; +          tinc.pubkey_ed25519 = +            "Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"; +        }; +      }; +      secure = true; +      ssh.privkey.path = <secrets/ssh.id_ed25519>; +      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au"; +    };      mu = {        ci = true;        cores = 2; 
diff --git a/lib/types.nix b/lib/types.nix index 1eb4d947c..3eda2262f 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -179,6 +179,10 @@ rec {              pubkey = mkOption {                type = tinc-pubkey;              }; +            pubkey_ed25519 = mkOption { +              type = nullOr tinc-pubkey; +              default = null; +            };              extraConfig = mkOption {                description = "Extra Configuration to be appended to the hosts file";                default = ""; diff --git a/tv/1systems/alnus/config.nix b/tv/1systems/alnus/config.nix index 66bd52ab2..ed5fb671c 100644 --- a/tv/1systems/alnus/config.nix +++ b/tv/1systems/alnus/config.nix @@ -17,7 +17,6 @@ with import <stockholm/lib>;    };    environment.systemPackages = with pkgs; [ -    chromium      firefoxWrapper      networkmanagerapplet      (pkgs.pidgin-with-plugins.override { @@ -31,12 +30,12 @@ with import <stockholm/lib>;      };      "/" = {        device = "/dev/mapper/main-root"; -      fsType = "btrfs"; +      fsType = "ext4";        options = [ "defaults" "noatime" ];      };      "/home" = {        device = "/dev/mapper/main-home"; -      fsType = "btrfs"; +      fsType = "ext4";        options = [ "defaults" "noatime" ];      };    }; @@ -55,9 +54,11 @@ with import <stockholm/lib>;    networking.networkmanager.enable = true; -  nixpkgs.config = { -    allowUnfree = true; -  }; +  services.earlyoom.enable = true; +  services.earlyoom.freeMemThreshold = 5; +  systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [ +    "--prefer '^(Web Content|Privileged Cont)$'" # firefox tabs +  ];    services.xserver = {      enable = true; diff --git a/tv/1systems/au/config.nix b/tv/1systems/au/config.nix new file mode 100644 index 000000000..fc4b216f5 --- /dev/null +++ b/tv/1systems/au/config.nix 
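Review bot: `pubkey_ed25519` in lib/types.nix is added without a `description`, while the neighbouring `extraConfig` option documents itself; the only value in this diff (krebs/3modules/tv/default.nix) carries a full `Ed25519PublicKey = …` line rather than a bare key, so the description should pin that down, e.g. `description = "Ed25519PublicKey line for this host as written to its tinc hosts file; null if the host has no Ed25519 key.";`. Whether the `tinc-pubkey` type's check accepts such a line in addition to the RSA PEM block is not visible here and is worth confirming.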
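Review bot: In the third alnus hunk the argument `"--prefer '^(Web Content|Privileged Cont)$'"` depends on a shell removing the single quotes; if the earlyoom unit expands `$EARLYOOM_ARGS` in `ExecStart` without a shell, systemd splits the value on whitespace and passes the quotes literally, so `--prefer` would receive `'^(Web` and the remaining fragments become stray arguments — check the rendered unit on the host. Using `"--prefer" "^(Web Content|Privileged Cont)$"` as two list elements avoids the question only if the unit keeps words intact, so the check is needed either way. The same hunk removes `nixpkgs.config.allowUnfree = true` while `firefoxWrapper` and the `pidgin-with-plugins` override stay in `systemPackages`; if any of those pulls in an unfree package the rebuild now fails.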
@@ -0,0 +1,18 @@
+{ config, ... }: {
+  imports = [
+    ./disks.nix
+    <stockholm/tv>
+    <stockholm/tv/2configs/hw/x220.nix>
+    <stockholm/tv/2configs/retiolum.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.au;
+
+  networking.wireless.enable = true;
+  networking.useDHCP = false;
+  networking.interfaces.enp0s25.useDHCP = true;
+  networking.interfaces.wlp3s0.useDHCP = true;
+  networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
+
+  system.stateVersion = "20.03";
+}
diff --git a/tv/1systems/au/disks.nix b/tv/1systems/au/disks.nix
new file mode 100644
index 000000000..434de1740
--- /dev/null
+++ b/tv/1systems/au/disks.nix
@@ -0,0 +1,19 @@
+{
+  boot.initrd.luks.devices.main.device = "/dev/sda2";
+  fileSystems."/" = {
+    device = "/dev/main/root";
+    options = ["defaults" "noatime" "commit=60"];
+  };
+  fileSystems."/boot" = {
+    device = "/dev/sda1";
+    options = ["defaults" "noatime"];
+  };
+  fileSystems."/bku" = {
+    device = "/dev/main/bku";
+    options = ["defaults" "noatime"];
+  };
+  fileSystems."/home" = {
+    device = "/dev/main/home";
+    options = ["defaults" "noatime" "commit=60"];
+  };
+}
diff --git a/tv/2configs/nets/hkw.nix b/tv/2configs/nets/hkw.nix
index 725e63b13..c3acde1fb 100644
--- a/tv/2configs/nets/hkw.nix
+++ b/tv/2configs/nets/hkw.nix
@@ -2,6 +2,18 @@
   krebs = {
     dns.providers.hkw = "hosts";
     hosts = {
+      au = {
+        nets.hkw = {
+          ip4 = {
+            addr = "10.23.1.39";
+            prefix = "10.23.1.0/24";
+          };
+          aliases = [
+            "au.hkw"
+          ];
+          ssh.port = 11423;
+        };
+      };
       nomic = {
         nets.hkw = {
           ip4 = {
@@ -55,7 +67,7 @@
       zu = {
         nets.hkw = {
           ip4 = {
-            addr = "10.23.1.39";
+            addr = "10.23.1.40";
             prefix = "10.23.1.0/24";
           };
           aliases = [ |
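Review bot: disks.nix pins the LUKS container and /boot to `/dev/sda2` and `/dev/sda1`; kernel enumeration order is not stable once another block device (a USB stick, the WWAN module's storage mode) shows up at boot, so the initrd can end up probing the wrong partition. Referencing both through `/dev/disk/by-uuid/<UUID-placeholder>` (or `by-id`) makes the mapping as stable as the LVM volumes, which are already addressed by name. None of the four mounts sets `fsType`, so NixOS presumably falls back to auto-detection; spelling it out documents what the volumes were formatted with.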
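Review bot: In hkw.nix `au` takes `10.23.1.39`, the address `zu` held until this commit, and zu moves to `.40` in the same change; until both hosts are redeployed the two will share the address, and anything that cached zu's old address (ssh `known_hosts` entries keyed by IP, firewall rules, the generated hosts file on machines not yet rebuilt) will reach au instead. Deploying zu before au, or giving au an address that was never in use, avoids the overlap window; the zu hunk's enclosing host block continues outside the hunk.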
