Diffstat (limited to 'krebs/3modules')
| -rw-r--r-- | krebs/3modules/Reaktor.nix | 216 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 3 | ||||
| -rw-r--r-- | krebs/3modules/exim-smarthost.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/fetchWallpaper.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/git.nix | 8 | ||||
| -rw-r--r-- | krebs/3modules/nginx.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/nin/default.nix | 65 | ||||
| -rw-r--r-- | krebs/3modules/tv/default.nix | 2 | 
8 files changed, 183 insertions, 116 deletions
| diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix
index d87003ac2..a70f1ef5d 100644
--- a/krebs/3modules/Reaktor.nix
+++ b/krebs/3modules/Reaktor.nix
@@ -3,99 +3,88 @@
 with import <stockholm/lib>;
 let
-  ReaktorConfig = pkgs.writeText "config.py" ''
-      ${if (isString cfg.overrideConfig ) then ''
-      # Overriden Config
-      ${cfg.overrideConfig}
-      '' else ""}
-      ## Extra Config
-      ${concatStringsSep "\n" (map (plug: plug.config) cfg.plugins)}
-      ${cfg.extraConfig}
-    '';
   cfg = config.krebs.Reaktor;
+  workdir = "/var/lib/Reaktor";
+
   out = {
     options.krebs.Reaktor = api;
-    config = lib.mkIf cfg.enable imp;
+    config = imp;
   };
-  api = {
-    enable = mkOption {
-      default = false;
-      description = ''
-        Start Reaktor at system boot
-      '';
-    };
+  api = mkOption {
+    default = {};
+    type = with types; attrsOf (submodule ({ options = {
-    nickname = mkOption {
-      default = config.krebs.build.host.name + "|r";
-      type = types.string;
-      description = ''
-        The nick name of the irc bot.
-        Defaults to {hostname}|r
-      '';
-    };
+      nickname = mkOption {
+        default = config.krebs.build.host.name + "|r";
+        type = types.string;
+        description = ''
+          The nick name of the irc bot.
+          Defaults to {hostname}|r
+        '';
+      };
-    overrideConfig = mkOption {
-      default = null;
-      type = types.nullOr types.str;
-      description = ''
-        configuration to be used instead of default ones.
-        Reaktor default cfg can be retrieved via `reaktor get-config`
-      '';
-    };
-    plugins = mkOption {
-      default = [pkgs.ReaktorPlugins.nixos-version];
-    };
-    extraConfig = mkOption {
-      default = "";
-      type = types.string;
-      description = ''
-        configuration appended to the default or overridden configuration
-      '';
-    };
+      overrideConfig = mkOption {
+        default = null;
+        type = types.nullOr types.str;
+        description = ''
+          configuration to be used instead of default ones.
+          Reaktor default cfg can be retrieved via `reaktor get-config`
+        '';
+      };
-    workdir = mkOption {
-      default = "/var/lib/Reaktor";
-      type = types.str;
-      description = ''
-        Reaktor working directory
-      '';
-    };
-    extraEnviron = mkOption {
-      default = {};
-      type = types.attrsOf types.str;
-      description = ''
-        Environment to be provided to the service, can be:
-          REAKTOR_HOST
-          REAKTOR_PORT
-          REAKTOR_STATEDIR
-
-          debug and nickname can be set separately via the Reaktor api
-      '';
-    };
-    channels = mkOption {
-      default = [ "#krebs" ];
-      type = types.listOf types.str;
-      description = ''
-        Channels the Reaktor should connect to at startup.
-      '';
-    };
-    debug = mkOption {
-      default = false;
-      description = ''
-        Reaktor debug output
-      '';
-    };
+      plugins = mkOption {
+        default = [pkgs.ReaktorPlugins.nixos-version];
+      };
+
+      extraConfig = mkOption {
+        default = "";
+        type = types.string;
+        description = ''
+          configuration appended to the default or overridden configuration
+        '';
+      };
+
+      extraEnviron = mkOption {
+        default = {};
+        type = types.attrsOf types.str;
+        description = ''
+          Environment to be provided to the service, can be:
+            REAKTOR_HOST
+            REAKTOR_PORT
+            REAKTOR_STATEDIR
+
+            debug and nickname can be set separately via the Reaktor api
+        '';
+      };
+
+      channels = mkOption {
+        default = [ "#krebs" ];
+        type = types.listOf types.str;
+        description = ''
+          Channels the Reaktor should connect to at startup.
+        '';
+      };
+
+      debug = mkOption {
+        default = false;
+        description = ''
+          Reaktor debug output
+        '';
+      };
+    };}));
   };
   imp = {
+    # TODO get user per configured bot
+    # TODO get home from api
     # for reaktor get-config
     users.extraUsers = singleton rec {
       name = "Reaktor";
       uid = genid name;
       description = "Reaktor user";
-      home = cfg.workdir;
+      home = workdir;
       createHome = true;
     };
@@ -104,39 +93,52 @@ let
     #  gid = config.ids.gids.Reaktor;
     #};
-    systemd.services.Reaktor = {
-      path = with pkgs; [
-        utillinux #flock for tell_on-join
-        git # for nag
-        python # for caps
-        ];
-      description = "Reaktor IRC Bot";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      environment = {
-        GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        REAKTOR_NICKNAME = cfg.nickname;
-        REAKTOR_DEBUG = (if cfg.debug  then "True" else "False");
-        REAKTOR_CHANNELS = lib.concatStringsSep "," cfg.channels;
-        state_dir = cfg.workdir;
-
-        } // cfg.extraEnviron;
-      serviceConfig= {
-        ExecStartPre = pkgs.writeScript "Reaktor-init" ''
-          #! /bin/sh
-          ${if (isString cfg.overrideConfig) then
-            ''cp ${ReaktorConfig} /tmp/config.py''
-          else
-            ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/config.py''
-          }
+    systemd.services = mapAttrs' (name: botcfg:
+      let
+        ReaktorConfig = pkgs.writeText "config.py" ''
+          ${if (isString botcfg.overrideConfig ) then ''
+          # Overriden Config
+          ${botcfg.overrideConfig}
+          '' else ""}
+          ## Extra Config
+          ${concatStringsSep "\n" (map (plug: plug.config) botcfg.plugins)}
+          ${botcfg.extraConfig}
         '';
-        ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/config.py";
-        PrivateTmp = "true";
-        User = "Reaktor";
-        Restart = "always";
-        RestartSec= "30" ;
+      in nameValuePair "Reaktor-${name}" {
+        path = with pkgs; [
+          utillinux #flock for tell_on-join
+          git # for nag
+          python # for caps
+          ];
+        description = "Reaktor IRC Bot";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        environment = {
+          GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+          REAKTOR_NICKNAME = botcfg.nickname;
+          REAKTOR_DEBUG = (if botcfg.debug  then "True" else "False");
+          REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels;
+          state_dir = workdir;
+
+        } // botcfg.extraEnviron;
+        serviceConfig= {
+          ExecStartPre = pkgs.writeScript "Reaktor-init" ''
+            #! /bin/sh
+            ${if (isString botcfg.overrideConfig) then
+              ''cp ${ReaktorConfig} /tmp/reaktor-${name}-config.py''
+            else
+              ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/reaktor-${name}-config.py''
+            }
+          '';
+          ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/reaktor-${name}-config.py";
+          PrivateTmp = "true";
+          User = "Reaktor";
+          Restart = "always";
+          RestartSec= "30" ;
         };
-    };
+      }
+    ) cfg;
+    };
 in
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index bf09b7424..4b17c4abd 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -93,6 +93,7 @@ let
     { krebs = import ./lass   { inherit config; }; }
     { krebs = import ./makefu { inherit config; }; }
     { krebs = import ./mv     { inherit config; }; }
+    { krebs = import ./nin    { inherit config; }; }
     { krebs = import ./shared { inherit config; }; }
     { krebs = import ./tv     { inherit config; }; }
     {
@@ -200,7 +201,7 @@ let
           })
         //
         # GitHub's IPv4 address range is 192.30.252.0/22
-        # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+        # Refs https://help.github.com/articles/github-s-ip-addresses/
         # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
         # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
         # we split each /24 into its own entry.
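Review bot: With `config = imp;` replacing `lib.mkIf cfg.enable imp`, the `users.extraUsers` entry now creates the `Reaktor` account and its `/var/lib/Reaktor` home on every host that imports this module, even when no bot is defined; `config = mkIf (cfg != {}) imp;` keeps the old opt-in behaviour now that `enable` is gone. All bots also run under that one user with the same `state_dir = workdir`, so a plugin acting on IRC input for one bot can read and modify the state of every other bot — the `# TODO get user per configured bot` acknowledges this, and a per-instance directory, e.g. `state_dir = "${workdir}/${name}";` created in `ExecStartPre`, would at least separate their state until that lands. `nickname` and `extraConfig` are typed `types.string`, which merges conflicting definitions by concatenation rather than erroring; `types.str` is the safer choice for both. The `imp` attribute set spans both hunks, with the lines between them outside this view.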
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index c96b14723..bda563f8d 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -2,7 +2,6 @@
 with import <stockholm/lib>;
 let
-  indent = replaceChars ["\n"] ["\n  "];
   cfg = config.krebs.exim-smarthost;
   out = {
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 94bcbed9d..aed5f595c 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -45,7 +45,7 @@ let
     mkdir -p ${shell.escape cfg.stateDir}
     cd ${shell.escape cfg.stateDir}
-    curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper
+    (curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
     feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
   '';
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 164831846..a08dbb32c 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -339,9 +339,11 @@ let
       description = "Git repository hosting user";
       shell = "/bin/sh";
       openssh.authorizedKeys.keys =
-        mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
-                       (filterAttrs (_: user: isString user.pubkey)
-                                    config.krebs.users);
+        unique
+          (sort lessThan
+                (map (makeAuthorizedKey git-ssh-command)
+                     (filter (user: isString user.pubkey)
+                             (concatMap (getAttr "user") cfg.rules))));
     };
   };
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 933c2e513..b28e97e37 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
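Review bot: The new `|| :` hides the fetch failure entirely, and because `curl` runs without `--fail` an HTTP error response (a 404 page, for example) is still written to `wallpaper.tmp` and moved over `wallpaper` as if it were an image; add `-f` so error responses do not replace the previous wallpaper, and report the failure instead of discarding it: `(curl -sf -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || echo "fetchWallpaper: download failed, keeping previous wallpaper" >&2`. Keeping `feh` running after a failed fetch is reasonable, but on a first run with no existing `wallpaper` it now fails on the missing file rather than on the download, which the silent `:` makes harder to diagnose. The shell script string these lines belong to opens before the hunk.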
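Review bot: The new key list silently drops every rule user whose `pubkey` is not a string, so a rule naming a user without a key grants nothing and the only symptom is an SSH permission denied; if the lib in scope provides `warn`, `filter (user: isString user.pubkey || warn "git: rule user without pubkey ignored" false)` keeps the behaviour while surfacing the misconfiguration at evaluation time. Deriving the authorized keys from `cfg.rules` rather than from all of `config.krebs.users` is the right least-privilege direction, since users with no rule no longer get a login on the git account at all. `concatMap (getAttr "user") cfg.rules` presumes each rule's `user` is a list, and the `unique` after `sort` presumes `makeAuthorizedKey` yields identical lines for the same user across rules; both helpers and the rule shape are defined outside this hunk, as is the user definition these lines sit in.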
@@ -129,8 +129,6 @@ let
     };
   };
-  indent = replaceChars ["\n"] ["\n  "];
-
   to-acme = { server-names, ssl, ... }:
     optionalAttrs ssl.acmeEnable {
       email = "lassulus@gmail.com";
diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix
new file mode 100644
index 000000000..3231c0e23
--- /dev/null
+++ b/krebs/3modules/nin/default.nix
@@ -0,0 +1,65 @@
+{ config, ... }:
+
+with import <stockholm/lib>;
+
+{
+  hosts = mapAttrs (_: setAttr "owner" config.krebs.users.nin) {
+    hiawatha = {
+      cores = 2;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.132.96";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
+          aliases = [
+            "hiawatha.retiolum"
+            "hiawatha.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
+            Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
+            iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
+            UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
+            lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
+            yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
+    };
+    onondaga = {
+      cores = 1;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.132.55";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357";
+          aliases = [
+            "onondaga.retiolum"
+            "onondaga.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR
+            OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu
+            htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH
+            xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO
+            kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn
+            hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO";
+    };
+
+  };
+  users = {
+    nin = {
+      mail = "nin@hiawatha.retiolum";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
+    };
+  };
+}
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index d44c322aa..1220143a7 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -85,7 +85,7 @@ with import <stockholm/lib>;
       };
       nets = {
         internet = {
-          ip4.addr = "45.62.237.203";
+          ip4.addr = "64.137.177.226";
           aliases = [
             "cd.i"
             "cd.krebsco.de"
|
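Review bot: Both `hiawatha` and `onondaga` set `ssh.privkey.path = <secrets/ssh.id_ed25519>;`, the same literal path, so the two hosts only end up with distinct SSH host keys if the `<secrets>` search-path entry is resolved per host at deploy time; that appears to be the convention in this tree but is not visible in the hunk and is worth confirming, since a shared host key would let either machine impersonate the other. A one-line comment above the first use, such as `# <secrets> is resolved per host at deploy time; each host carries its own key`, would record the assumption once confirmed. The `users.nin.pubkey` added here becomes a git login credential as soon as a rule in git.nix names this user, so it is worth treating the ssh-rsa line as access-granting material rather than mere contact data.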
