-rw-r--r-- | kartei/krebs/default.nix | 3 | ||||
-rw-r--r-- | kartei/tv/hosts/leg.nix | 24 | ||||
-rw-r--r-- | kartei/tv/hosts/zoppo.nix | 2 | ||||
-rw-r--r-- | kartei/tv/wiregrill/leg.pub | 1 | ||||
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/default.nix | 12 | ||||
-rw-r--r-- | krebs/2configs/mastodon-proxy.nix | 13 | ||||
-rw-r--r-- | krebs/2configs/mastodon.nix | 14 | ||||
-rw-r--r-- | krebs/2configs/nginx.nix | 24 | ||||
-rw-r--r-- | krebs/2configs/reaktor2.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/setuid.nix | 26 | ||||
-rw-r--r-- | krebs/3modules/sync-containers3.nix | 16 | ||||
-rw-r--r-- | krebs/krops.nix | 4 | ||||
-rw-r--r-- | lib/pure.nix | 1 |
14 files changed, 104 insertions, 39 deletions
diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix
index 6c5c86ead..7e3f1b542 100644
--- a/kartei/krebs/default.nix
+++ b/kartei/krebs/default.nix
@@ -87,7 +87,6 @@ in {
 "irc.r"
 "wiki.r"
 ];
- tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
@@ -114,7 +113,6 @@ in {
 "go.r"
 "rss.r"
 ];
- tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
@@ -225,7 +223,6 @@ in {
 "build.puyak.r"
 "cgit.puyak.r"
 ];
- tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
diff --git a/kartei/tv/hosts/leg.nix b/kartei/tv/hosts/leg.nix
new file mode 100644
index 000000000..aa023b42d
--- /dev/null
+++ b/kartei/tv/hosts/leg.nix
@@ -0,0 +1,24 @@
+{
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.13.43";
+ aliases = [
+ "leg.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAsfL4VK3WbgbWVYsOA0TJ3iswRrvfE/z/TbNTtzULGPSA6bTG8QXO
+ f2cm6aY6UriMktJL6GB3XNYlDZDKi74bNOXP+O/p7dTr5g9PWjYeqLFiLFr0pwWi
+ pooKxrAcPEJ8khhCI7eXVGL1baiHZsPCZLmPXm+c3qke6uY/48zmt0SG3WwjybF/
+ JMbxE7XTMrsO28PiOZgWrXqZJgLhKygcz9WGMkQ9CcjnHobKIoTRWHILIsEPjR2s
+ /vNeGTa6v9/SpDQtHlfiELNxQAHUXU0//hJvEyH4dMS+vJKNQlL9z84fQqhZGfh0
+ nN++k9cHwSPDusbMqB2ncpx6v8ieUpCsewIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = " qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH";
+ };
+ };
+ secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg";
+ syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU";
+}
diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix
index 4fcbe76c2..4d312105f 100644
--- a/kartei/tv/hosts/zoppo.nix
+++ b/kartei/tv/hosts/zoppo.nix
@@ -1,7 +1,7 @@
 {
 nets = {
 retiolum = {
- ip4.addr = "10.243.13.43";
+ ip4.addr = "10.243.13.45";
 aliases = [
 "zoppo.r"
 ];
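Review bot: The `tinc.pubkey_ed25519` value in the new leg.nix appears to carry a leading space inside the quotes (`" qmxNtj…"`), unlike every other field in the file; if that is in the committed text rather than an artifact of this rendering, whatever writes this into a tinc host file will copy it verbatim after `Ed25519PublicKey =`, and it should be trimmed to `tinc.pubkey_ed25519 = "qmxNtjkjzXP4QCIJwXLncYFrIfU7royMlQNSVvR3XKH";`. Note also that leg takes over 10.243.13.43, the address zoppo gives up in the same commit; any peer whose generated host files or firewall rules still map .43 to zoppo's key will keep doing so until it is redeployed, so both hosts should be rolled out together.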
diff --git a/kartei/tv/wiregrill/leg.pub b/kartei/tv/wiregrill/leg.pub
new file mode 100644
index 000000000..7e75edffe
--- /dev/null
+++ b/kartei/tv/wiregrill/leg.pub
@@ -0,0 +1 @@
+tlGh9gpV09TspLVV/9+Z5T5fhMAQcz5c5L3KNvR/d1I=
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 75a8a0da1..0a103ed1a 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -4,6 +4,7 @@
 imports = [
 ../../../krebs
 ../../../krebs/2configs
+ ../../../krebs/2configs/nginx.nix
 ../../../krebs/2configs/buildbot-stockholm.nix
 ../../../krebs/2configs/binary-cache/nixos.nix
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 0d55a01fa..5d64555c8 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -8,7 +8,17 @@ with import ../../lib/pure.nix { inherit lib; };
 ];
 krebs.announce-activation.enable = true;
 krebs.enable = true;
- krebs.tinc.retiolum.enable = mkDefault true;
+
+ # retiolum
+ krebs.tinc.retiolum = {
+ enable = mkDefault true;
+ extraConfig = ''
+ AutoConnect = yes
+ LocalDiscovery = yes
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
 # trust krebs ACME CA
 krebs.ssl.trustIntermediate = true;
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
index 4d359c3fe..b579a5031 100644
--- a/krebs/2configs/mastodon-proxy.nix
+++ b/krebs/2configs/mastodon-proxy.nix
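Review bot: Opening TCP and UDP 655 in `krebs/2configs/default.nix` makes every host importing this shared profile a reachable tinc endpoint on every interface, including public uplinks, where before only hosts that advertised a port were; together with the `tinc.port = 0` removals in kartei this is a fleet-wide exposure change that the hunk does not explain. tinc authenticates peers against the kartei host keys, so the listener itself is defensible, but the intent belongs next to the rule, e.g. `# every krebs host accepts inbound tinc (port 655); LocalDiscovery lets peers on the same LAN find each other directly`. It would also be worth stating whether hosts that should stay unreachable are expected to override `networking.firewall.allowedTCPPorts` themselves, since `mkDefault` is applied only to `enable`, not to the firewall lists.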
@@ -5,19 +5,12 @@
 virtualHosts."social.krebsco.de" = {
 forceSSL = true;
 enableACME = true;
+ acmeFallbackHost = "hotdog.r";
 locations."/" = {
 # TODO use this in 22.11
- # recommendedProxySettings = true;
- proxyPass = "http://hotdog.r";
+ recommendedProxySettings = true;
+ proxyPass = "https://hotdog.r";
 proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- '';
 };
 };
 };
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index af308b2c7..ebc4207a0 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -3,7 +3,7 @@
 services.postgresql = {
 enable = true;
 dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
- package = pkgs.postgresql_11;
+ package = pkgs.postgresql_16;
 };
 systemd.tmpfiles.rules = [
 "d /var/state/postgresql 0700 postgres postgres -"
@@ -13,23 +13,17 @@
 enable = true;
 localDomain = "social.krebsco.de";
 configureNginx = true;
+ streamingProcesses = 3;
 trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
 smtp.createLocally = false;
 smtp.fromAddress = "derp";
 };
- services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
- forceSSL = lib.mkForce false;
- enableACME = lib.mkForce false;
- locations."@proxy".extraConfig = ''
- proxy_redirect off;
- proxy_pass_header Server;
- proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
- '';
- };
+ security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 networking.firewall.allowedTCPPorts = [
 80
+ 443
 ];
 environment.systemPackages = [
diff --git a/krebs/2configs/nginx.nix b/krebs/2configs/nginx.nix
new file mode 100644
index 000000000..812093a7e
--- /dev/null
+++ b/krebs/2configs/nginx.nix
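Review bot: `proxyPass = "https://hotdog.r"` moves the backend hop to TLS, but nginx does not verify upstream certificates unless `proxy_ssl_verify on` and `proxy_ssl_trusted_certificate` are configured, and without `proxy_ssl_server_name on` no SNI is sent either, so this hop is encrypted but not authenticated; since hotdog obtains its certificate from the Let's Encrypt staging CA in the same commit, verification could not succeed anyway. If the prism→hotdog path stays inside retiolum that is an acceptable trade-off, but it should be written down next to the line, e.g. `# upstream TLS is not verified: hotdog serves a staging cert and the hop stays inside retiolum`, rather than leaving a reader to assume the upstream is authenticated. The `# TODO use this in 22.11` context line directly above `recommendedProxySettings = true` is now stale and should be deleted.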
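Review bot: Changing `package` from `postgresql_11` straight to `postgresql_16` while `dataDir` is keyed on `psqlSchema` points the service at a new, empty `/var/state/postgresql/16`; NixOS does not migrate a cluster across major versions, so unless the data was already moved with `pg_upgrade` or dump/restore out of band, Mastodon's migration step will create a fresh schema and the instance comes up empty with the old cluster left untouched under `/var/state/postgresql/11`. A comment on the `package` line recording how the data was migrated (or a note in the commit message) would stop the next upgrade from repeating the surprise. Separately, pointing `security.acme.certs."social.krebsco.de".server` at `acme-staging-v02` means hotdog serves a chain no browser or verifying client trusts on the newly opened port 443; if that is a deliberate rate-limit workaround for a host only reached through the prism proxy, say so on the line, `# staging CA: only the prism proxy talks to this host and it does not verify upstream TLS`.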
@@ -0,0 +1,24 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "spam@krebsco.de";
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+
+ enableReload = true;
+
+ virtualHosts.default = {
+ default = true;
+ locations."= /etc/os-release".extraConfig = ''
+ default_type text/plain;
+ alias /etc/os-release;
+ '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
+ };
+ };
+}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index db7b794f4..e84827656 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -526,6 +526,8 @@ in {
 add_header 'Access-Control-Allow-Origin' '*';
 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 '';
+ # needed for acmeFallback in sync-containers, or other machines not reachable globally
+ locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
 };
 services.nginx.virtualHosts."bedge.r" = {
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index fdb96c8ba..e3108d88e 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
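Review bot: The default vhost in the new nginx.nix serves `/etc/os-release` verbatim to any unauthenticated client on port 80 or 443, which hands a scanner the exact NixOS release (and so the approximate nixpkgs age) of every host importing this profile; hotdog picks it up in this commit. If that is an intentional fleet fingerprint, a one-line comment such as `# intentionally public: exposes the NixOS release for fleet inventory` will stop the next reviewer from removing it, otherwise the location should go. The acme-challenge location is unauthenticated by design, but this hunk does not show what creates `/var/lib/acme/acme-challenge` on hosts that have no certificate of their own, so it is worth confirming the directory exists and is readable by nginx before relying on `acmeFallbackHost` against such a host.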
@@ -80,13 +80,25 @@ let
 };
 imp = {
- system.activationScripts."krebs.setuid" = stringAfter [ "usrbinenv" ]
- (concatMapStringsSep "\n"
- (cfg: /* sh */ ''
- ${cfg.activate}
- rm -f ${cfg.wrapperDir}/${cfg.name}.real
- '')
- (attrValues config.krebs.setuid));
+ systemd.services."krebs.setuid" = {
+ wantedBy = [ "suid-sgid-wrappers.service" ];
+ after = [ "suid-sgid-wrappers.service" ];
+ path = [
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = pkgs.writeDash "krebs.setuid.sh" ''
+ ${concatMapStringsSep "\n"
+ (getAttr "activate")
+ (attrValues config.krebs.setuid)
+ }
+ '';
+ };
+ unitConfig = {
+ DefaultDependencies = false;
+ };
+ };
 };
 in out
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index cb239b955..7373592a5 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -58,6 +58,8 @@ in {
 pkgs.jq
 ];
 networking.useDHCP = lib.mkForce true;
+ networking.useHostResolvConf = false;
+ services.resolved.enable = true;
 systemd.services.autoswitch = {
 environment = {
 NIX_REMOTE = "daemon";
@@ -155,7 +157,7 @@ in {
 # echo 'container is reachable, continueing'
 continue
 else
- # echo 'container seems dead, killing'
+ echo 'container seems dead, killing'
 break
 fi
 else
@@ -297,9 +299,6 @@ in {
 (lib.mkIf (cfg.containers != {}) {
 # networking
- # needed because otherwise we lose local dns
- environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf";
-
 boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1;
 systemd.network.networks.ctr0 = {
 name = "ctr0";
@@ -312,6 +311,9 @@ in {
 ConfigureWithoutCarrier = true;
 DHCPServer = "yes";
 };
+ dhcpServerConfig = {
+ DNS = "9.9.9.9";
+ };
 };
 systemd.network.netdevs.ctr0.netdevConfig = {
 Kind = "bridge";
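Review bot: The systemd rewrite silently drops the `rm -f ${cfg.wrapperDir}/${cfg.name}.real` that the activation script ran after each `activate`, so whatever `activate` (not visible here) leaves behind under that name now persists in the wrapper directory; if that is a setuid copy or a staging file, it is a privileged artifact with no owner, and either the cleanup should be restored in the `ExecStart` script or a comment should explain why it is no longer needed. The old activation script also ran on every `nixos-rebuild switch`, whereas a `oneshot` wanted by `suid-sgid-wrappers.service` runs only at boot or when its own unit text changes; if `suid-sgid-wrappers.service` is restarted on a switch and rebuilds the wrapper tree while `krebs.setuid` is unchanged, the krebs wrappers disappear until the next boot, so I would check whether `partOf = [ "suid-sgid-wrappers.service" ];` (or `RemainAfterExit = true` with a restart trigger on the generated script) is needed. The `let` block that defines `imp` starts before this hunk.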
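Review bot: `dhcpServerConfig.DNS = "9.9.9.9"` on ctr0 hands every container a public resolver, so container DNS now leaves the host in plaintext and names that only the host's resolver knows (retiolum `*.r` and anything the removed `/run/systemd/resolve/resolv.conf` override used to provide) will stop resolving inside containers unless the container-side resolved configuration elsewhere in this file supplies them; I cannot tell from this hunk whether that is intended. Handing out the host's own ctr0 address instead and letting the host's resolved forward (with `DNSStubListenerExtra=` on the bridge address) would keep local names working and keep the choice of upstream in one place. Whichever is chosen, a comment on the `DNS` line stating why Quad9 rather than the host is used would spare the next reader the same question.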
@@ -344,6 +346,12 @@ in {
 networking.useHostResolvConf = false;
 networking.useNetworkd = true;
+ services.resolved = {
+ enable = true;
+ extraConfig = ''
+ Domains=~.
+ '';
+ };
 systemd.network = {
 enable = true;
 networks.eth0 = {
diff --git a/krebs/krops.nix b/krebs/krops.nix
index ad277ac86..eba966b4f 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -11,7 +11,7 @@
 nixpkgs = if test then {
 derivation = let
 rev = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
- sha256 = (lib.importJSON ./nixpkgs.json).nixpkgs.locked.narHash;
+ sha256 = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.narHash;
 in ''
 with import (builtins.fetchTarball {
 url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
@@ -26,7 +26,7 @@
 '';
 } else {
 git = {
- ref = (lib.importJSON ./nixpkgs.json).rev;
+ ref = (lib.importJSON ../flake.lock).nodes.nixpkgs.locked.rev;
 url = "https://github.com/NixOS/nixpkgs";
 shallow = true;
 };
diff --git a/lib/pure.nix b/lib/pure.nix
index 3329db022..3fe51cd54 100644
--- a/lib/pure.nix
+++ b/lib/pure.nix
@@ -23,7 +23,6 @@ let
 git = import ./git.nix { inherit (stockholm) lib; };
 haskell = import ./haskell.nix { inherit (stockholm) lib; };
 krebs = import ./krebs stockholm.lib;
- krops = import ../submodules/krops/lib;
 shell = import ./shell.nix { inherit (stockholm) lib; };
 systemd = {
 encodeName = replaceStrings ["/"] ["\\x2f"]; |
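Review bot: The container-side `services.resolved` block sets `Domains=~.` but nothing in this hunk configures a `DNS=` or `FallbackDNS=` for it, so resolution depends entirely on what the DHCP lease from ctr0 hands over (a public resolver, per the earlier hunk); if the lease ever omits DNS, the container has no resolver at all rather than falling back to the host. A short comment on the block explaining the routing-domain trick, e.g. `# ~. makes the DHCP-supplied resolver authoritative for all names`, and an explicit `fallbackDns` would make the failure mode visible. The enclosing `lib.mkIf` attribute set starts before this hunk.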