Diffstat (limited to 'krebs')
26 files changed, 439 insertions, 128 deletions
diff --git a/krebs/0tests/data/secrets/syncthing.cert b/krebs/0tests/data/secrets/syncthing.cert new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/krebs/0tests/data/secrets/syncthing.cert diff --git a/krebs/0tests/data/secrets/syncthing.key b/krebs/0tests/data/secrets/syncthing.key new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/krebs/0tests/data/secrets/syncthing.key diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix index 5c4b37aef..79946dad7 100644 --- a/krebs/1systems/news/config.nix +++ b/krebs/1systems/news/config.nix @@ -18,13 +18,6 @@ boot.isContainer = true; networking.useDHCP = false; krebs.bindfs = { - "/var/lib/htgen-go" = { - source = "/var/state/htgen-go"; - options = [ - "-m ${toString config.users.users.htgen-go.uid}" - ]; - clearTarget = true; - }; "/var/lib/brockman" = { source = "/var/state/brockman"; options = [ diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 1e0687ba7..2f122f6ff 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -19,6 +19,12 @@ <stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/prism.nix> + ## news host + + <stockholm/krebs/2configs/container-networking.nix> + <stockholm/krebs/2configs/syncthing.nix> + <stockholm/krebs/2configs/news-host.nix> + ### shackspace ### # handle the worlddomination map via coap <stockholm/krebs/2configs/shack/worlddomination.nix> diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix index 8dab11e16..a46a24952 100644 --- a/krebs/1systems/puyak/net.nix +++ b/krebs/1systems/puyak/net.nix 
@@ -8,8 +8,8 @@ in { SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}" ''; networking = { - firewall.enable = false; - firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ]; + firewall.enable = true; + firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ]; interfaces."${ext-if}".ipv4.addresses = [ { address = shack-ip; diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix new file mode 100644 index 000000000..fa4488800 --- /dev/null +++ b/krebs/2configs/container-networking.nix @@ -0,0 +1,7 @@ +{ lib, ... }: +{ + networking.nat.enable = true; + networking.nat.internalInterfaces = ["ve-+"]; + networking.nat.externalInterface = lib.mkDefault "et0"; + networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; +} diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 0de07a027..3ef2e7d2b 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -87,6 +87,7 @@ }; channel { + autochanmodes = "+t"; use_invex = yes; use_except = yes; use_forward = yes; diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 82360a670..b7728986f 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -4,6 +4,7 @@ "shodan" "mors" "styx" + "puyak" ]; hostIp = "10.233.2.101"; localIp = "10.233.2.102"; diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 410beb041..2da3e6fcc 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -15,6 +15,16 @@ serverAliases = [ "news.r" ]; + locations."/api".extraConfig = '' + proxy_pass http://127.0.0.1:7777/; + proxy_pass_header Server; + ''; + locations."= /graph.html".extraConfig = '' + alias ${pkgs.fetchurl { + url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html"; + sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w"; + }}; + ''; locations."/".extraConfig = '' root /var/lib/brockman; index brockman.json; 
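Review bot: With `firewall.enable = true` the `allowedTCPPorts` list takes effect for the first time, and it opens 5901 and the 808x ports on every interface rather than only where they are needed. If those services are meant for the internal network only (5901 is conventionally VNC, to be confirmed), scope them with `networking.firewall.interfaces."${ext-if}".allowedTCPPorts` or drop them from the global list. puyak also starts importing syncthing.nix and the news host in this commit, and no UDP or syncthing ports are allowed here, so check that those modules open what they need themselves. The `networking` block continues outside the hunk.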
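Review bot: `networking.nat.externalInterface` defaults to `"et0"`, which only fits hosts that name their uplink that way; any other host importing this file gets NAT for the `ve-+` containers configured against an interface that may not exist. A comment above the `lib.mkDefault` line would make the requirement visible, for example `# hosts whose uplink is not et0 must override externalInterface`.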
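Review bot: `locations."/api"` forwards to the listener on 127.0.0.1:7777 with no `allow`/`deny` or authentication visible in this hunk, so whoever can reach the news vhost can presumably drive the `api` IRC nick that a later hunk of this file registers in `#all`; if that is not intended, restrict the location. The prefix also lacks a trailing slash while `proxy_pass` ends in `/`, so `/api/x` is forwarded as `//x` and `/apifoo` matches as well; `locations."/api/".extraConfig` avoids both. Pinning the `graph.html` fetch to a commit and `sha256` is worth keeping as is.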
@@ -27,6 +37,7 @@ }; systemd.tmpfiles.rules = [ "d /var/lib/brockman 1750 brockman nginx -" + "d /run/irc-api 1750 brockman nginx -" ]; systemd.services.brockman-graph = { @@ -67,12 +78,28 @@ shortener = "http://go.r"; controller = { nick = "brockman"; - channels = [ "#all" ]; + extraChannels = [ "#all" ]; }; bots = {}; }; }; + krebs.reaktor2.api = { + hostname = "localhost"; + port = "6667"; + nick = "api"; + API.listen = "inet://127.0.0.1:7777"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#all" + ]; + }; + } + ]; + }; krebs.reaktor2.news = let name = "candyman"; in { diff --git a/krebs/2configs/shack/prometheus/alert-rules.nix b/krebs/2configs/shack/prometheus/alert-rules.nix index 12c691466..65e5d9005 100644 --- a/krebs/2configs/shack/prometheus/alert-rules.nix +++ b/krebs/2configs/shack/prometheus/alert-rules.nix 
@@ -14,7 +14,14 @@ in { labels.severity = "warning"; annotations.summary = "{{ $labels.alias }} root disk full"; annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=wolf"; - annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and run `nix-collect-garbage -d` and clean up the shack share folder in `/home/share` .If this does not help you can check `du -hs /var/ | sort -h`, run `docker system prune` or if you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete''; + annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and try to clean up the obsolete files on the machine. There are a couple of things you can do: +1. `nix-collect-garbage -d` +2. clean up the shack share folder in `/home/share` +3. check `du -hs /var/ | sort -h`. +4. run `docker system prune` +5. `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete;` to clean up the link shortener data +5. If you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete +6. as a last resort the root disk can be expanded via `lvresize -L +10G /dev/pool/root && btrfs filesystem resize max /` ''; } { alert = "RootPartitionFull"; diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 31e33ad5e..125e2aea4 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix 
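Review bot: The new step list numbers two items `5.`, and its `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete` step points at the file-based shortener store that this same commit appears to retire (the htgen-go bindfs is dropped from the news container and go.nix moves to redis), so the path may soon be empty or absent. Since on-call staff will paste these commands as root, I would add `-type f` and renumber: `5. find /var/lib/containers/news/var/lib/htgen-go/items -type f -mtime +7 -delete`, then `6. If you are really desperate …` and `7. as a last resort …`. "seize working" in the unchanged first sentence should read "cease working".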
@@ -10,6 +10,10 @@ in { configDir = "/var/lib/syncthing"; declarative = { devices = mk_peers used_peers; + key = toString <secrets/syncthing.key>; + cert = toString <secrets/syncthing.cert>; }; }; + + boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288; } diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index c8e360a1e..809d5a7db 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -671,6 +671,7 @@ in { pubkey = ssh-for "raute"; }; rtjure = { + pubkey = ssh-for "rtjure"; }; sokratess = { }; diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 306ab34eb..15136cbce 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -152,30 +152,6 @@ in { }; }; }; - dpdkm = { - owner = config.krebs.users.mic92; - nets = rec { - retiolum = { - ip4.addr = "10.243.29.173"; - aliases = [ "dpdkm.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj - NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp - qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP - X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn - f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa - bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL - Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T - B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w - tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n - dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls - mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; herbert = { owner = config.krebs.users.mic92; nets = rec { 
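Review bot: The new `key` and `cert` lines should carry a comment saying why they go through `toString`: it turns `<secrets/syncthing.key>` into a plain path string instead of letting Nix copy the private key into the world-readable store, and a later refactor to string interpolation of the path would undo that. Suggested comment: `# toString: pass the path only, never copy the key into the Nix store`. The placeholder files added under `krebs/0tests/data/secrets/` are empty, so the tests do not exercise a real key pair. The `fs.inotify.max_user_watches` sysctl applies to every host that imports this file, which is worth a one-line comment as well.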
@@ -199,35 +175,6 @@ in { }; }; }; - inspector = { - owner = config.krebs.users.mic92; - nets = rec { - internet = { - ip4.addr = "141.76.44.154"; - aliases = [ "inspector.i" ]; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.29.172"; - aliases = [ "inspector.r" ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG - EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ - 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF - m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw - WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd - eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 - OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau - ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x - B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG - q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj - 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; eddie = { owner = config.krebs.users.mic92; nets = rec { 
@@ -303,6 +250,82 @@ in { }; }; }; + okelmann = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.190"; + aliases = [ + "okelmann.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAxquUuiW9a304H9Ls81+2BMm4bviDUU2Zogu0F1mPp6X8TpdjYpDs + +tlakSTEPHo+aIdcV9rHpjOC3tirNbYU56D8DdoSo1Ra6XNFbxWrw7usSR9gz7L+ + kYp1Uij4gKTfg6YQkU0lkufk13if6zvb/GjoBUTS/Tx+8sZm2/JKEK8JLQaCkmMu + LAUTsHj35Q8S99TzCLAoQLo136AtvPqcwwHVwkdX+S4WqtlODxfJ7T+9KFxGg54B + 1M6btg8iL5sdTFrLIBi7oK6GuLK9izvZ4O9O9H2bStW6LodqPtw2v5WA8li+YJx7 + LBgLO4aAAA6bF9WFcYyKBh6iCX0WxB7LowIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + anindya = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.191"; + aliases = [ + "anindya.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA8yWr01WlmM4RYuJdxvzvfdN3C5T3DOknWvK7U3y92HYgtQfYtZwu + +J8r1fpTsdIS8wKdSEqz7Mjhb1JabJBB1fv/2mkAF4V/gkMbP0jqZ6QQL29kgkNP + aI/+zG1yh4kEDgSn843J6XnTsJ/4Na2zmbVP1iIIQYMXyh+meWsBVR6DKV5ighjz + 4h3wKbuMmDrS50aTk8ahgWoiqcE2DTUMeprw4SIL+RTepmsCINQtAJui5Ys6AAbK + ab6gxMzRH2txLBcTfSrbqTX3qHZHLlB9Ai5FEItWqMBxquD6OCxn8DNU+5LgGpt1 + Z37SI1U0c4uu1oo7kOSx6wYP2ZVOatys6QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + dimitra = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.192"; + aliases = [ + "dimitra.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAtgvjWP2KIawJDk32P8Uiwz95REACx43CXUIgcBx5qg9ZQrHnJZxH + RkXLnWUmjpnEmPUfvg/b8YCyoHgzD6GQEXcWaiMXBQ/nsrSEN4mpY7tzInerzGsv + /M66WzPUWSUC9kbncLXt+2A64B23h1ki+MyMyKGIpHq21+F1b6ZHW2rkMnk3BKa4 + aJKNfadjP4V1lnPd40VBpcA3dlQfGF057GJz+2fzlfh1Bp41r/uP2NHieSAlyBws + IaVZPWbfxFyYU8JbrlYUAlLjdXFG1meo5On0K0N8tTBKfnD1nwSqTPAfM7WqOm4A + ImYB8LzjmIdXM+QUqbVFTgiY4jBDg61krwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + philipsaendig = { + owner = config.krebs.users.mic92; + nets.retiolum = { + ip4.addr = "10.243.29.193"; + aliases = [ + 
"philipsaendig.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX + 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl + 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl + +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF + Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S + oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; martha = { owner = config.krebs.users.mic92; nets = rec { 
@@ -363,6 +386,80 @@ in { }; }; }; + sauron = { + owner = config.krebs.users.mic92; + nets = rec { + internet = { + ip4.addr = "129.215.165.75"; + aliases = [ "sauron.i" ]; + }; + retiolum = { + via = internet; + addrs = [ + config.krebs.hosts.sauron.nets.retiolum.ip4.addr + config.krebs.hosts.sauron.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.194"; + aliases = [ "sauron.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAxmCryT4ZEhPOvdZhWhYZsRS7sz1njSh2ozh6iwXRXhjRjZ9tYZVQ + GoYc6ADnWCnb9SGpPe1WqwFMblfKofnXCvC4wLQaFsch1GIMPhujosJ4Te84BHi1 + XKqyompotE2F7iWYPE6i6UAdRK2dCapfCbiDBOjMhCnmmhM1oY5Bv/fBtx3/2N7E + W+iN6LG2t9cKibs8qrLzFtJIfWn8uXU9dkdhX3d9guCdplGOn/NT/Aq3ayvA+/Mf + 74oJVJgBT5M1rTH2+u+MU+kC+x2UD+jjXEjS55owFWsEM1jI4rGra+dpsDuzdGdG + 67wl9JlpDBy4Tkf2Bl3CQWZHsWDsR6jCqwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + bill = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + addrs = [ + config.krebs.hosts.bill.nets.retiolum.ip4.addr + config.krebs.hosts.bill.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.195"; + aliases = [ "bill.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzg0wJuDvsbflRKSJ7+ug9y7Gn+BH3CR44fuCPZpWmIcGIUbA6rXj + CD8pF5heOvXNCFlEip2wqTkaCJPnUs3x8BRtORmD6OxDdmqt0xH54u7CixKzrPp9 + GIQydv+ZsGA2z3aDbmBydRPDIvYGhW68FJn10qlGRjCZ5zCl1eVEZ/wMddFXc0B8 + KDbxh7qOkjXon6EOGACVbnrnUR3F1GsIvCxX0cCDrO0P8XHwwsZiAfUwXYkiqw7t + zPcty6Bbr34mSJbb9cFb/qQlfPWT0HVgo+Q65HVkr/64o/9tTyREZcj1dk5PpEPE + bt7PGlOF1oPZpVFQh8S+NviHTtqrvkuISQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + nardole = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + addrs = [ + config.krebs.hosts.nardole.nets.retiolum.ip4.addr + config.krebs.hosts.nardole.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.173"; + aliases = [ "nardole.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA05JzZLPH4+t2X8TI1nYsv4WCQ/OUmuMy9YbKUIRITE2EVA+x47Cf + 
qdYPucWUpF7ap1rykxHBcPnmORO/NjAymlt25FDyyYQ2uWm17VE7P7jefAUnX7xj + 80Rt7aWCXfldQuRAbza35G+Kl50Y6ydkZYkKCbyQ8fMhuzNp6Wn/pAJD3yr+zdka + AsIoir9Ut9/9CKayRqGF+zaIf2Lj7nl5GL8bCAVJydU98GjlnXt7iuaWCt0H7NiK + FWOjkGhAUlQI9I6l+5ELWClpyk5X+isfbUbYaCCspZJvos+vDE8hJuH5PrH8NuJj + fJv8HrHkcGphn/Nn1TotpHBkyMyE5h6akwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; rock = { owner = config.krebs.users.mic92; nets = { @@ -463,12 +560,12 @@ in { ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv - 3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC - pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r - NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44 - 9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd - WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB + MIIBCgKCAQEA9VVG+kwSXDmjLuNCT6Mp9xTCj9IdzgjWxkExEH/Jd9kgVNXRa+39 + P8OQuHXi9fC/51363hh7ThggneIxOs2R4fZDyUcWfzv13aik34U0e+tYjhWXig+o + MClkK4/uhLrsk370MQVevpjYW23S5d+pThOm84xIchvjR9nqzp6E3jzjhyeQwHJg + dM48y7XT2+7hLvOkkEQ8xLcd35J228wVSilsSYhye1D2+ThRDbjjEkKXnIeOmU5h + TPNvn+U0lVdwUDYlS+XUhNl3awRdfzTYlPvUhTWv9zwSxS5EQjvgMqC/3/fQod2K + zyYdPwCwEyrksr9JvJF/t+oCw4hf3V4iOwIDAQAB -----END RSA PUBLIC KEY----- ''; }; diff --git a/krebs/3modules/external/ssh/rtjure.pub b/krebs/3modules/external/ssh/rtjure.pub new file mode 100644 index 000000000..4c69e1836 --- /dev/null +++ b/krebs/3modules/external/ssh/rtjure.pub 
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDVFTzk646b/XXTFyWoKLw92jLmqC3EwAURtSZkWPxcZv+OPd76cgLl2bKgEHZ1/n4784zqNM85q+pk1NJfaTNB2SMksM5p8yFdCKcrMci0mdIcjp53z0SxUU4EozUnuntfFPnvjMAG5i1ppungkala9svc6x4vHuinHSvGXDJW7YsF5vSbDppGvgji9HKN8iagPhT1gnOf4o5ZqgD9cwS/3cXZx+gcSNnEolhr1WKcglDGeMJKQoNLkfojgLw4ZE4DpNYN5CJ64adZOXun9DrhV2iYgkKurJ9CxJXSP9ULQKKMayDCJBE5XTWxgH6oyOAjurYQoYozI4/yKZXRgrIz97gHgXqh45/q64gNe9XbLXzhz4neOE77L1WYEE+sUYqXIlKwtFQHqYLuU09ZCkiKft9N0A2Lpcm0m7ebpSBd6PH8sF9hrAjtNACReTYritXF7b+LT5Zkxu98BgK36rcOnMkPpMm+svh+MiCCE4jm6HT+O2yikYSnc2q7W6ljjxs= rtjure@nxdc
diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix
index 4df73509c..fea25e036 100644
--- a/krebs/3modules/go.nix
+++ b/krebs/3modules/go.nix
@@ -20,61 +20,41 @@ let }; imp = { + services.redis = { + enable = true; + }; + krebs.htgen.go = { port = cfg.port; script = ''. ${pkgs.writeDash "go" '' - find_item() { - if test ''${#1} -ge 7; then - set -- "$(find "$STATEDIR/items" -mindepth 1 -maxdepth 1 \ - -regex "$STATEDIR/items/$1[0-9A-Za-z]*$")" - if test -n "$1" && test $(echo "$1" | wc -l) = 1; then - echo "$1" - return 0 - fi - fi - return 1 - } - - STATEDIR=$HOME - mkdir -p "$STATEDIR/items" + set -x case "$Method $Request_URI" in "GET /"*) - if item=$(find_item "''${Request_URI#/}"); then - uri=$(cat "$item") + if item=$(${pkgs.redis}/bin/redis-cli --raw get "''${Request_URI#/}"); then printf 'HTTP/1.1 302 Found\r\n' printf 'Content-Type: text/plain\r\n' printf 'Connection: closed\r\n' - printf 'Location: %s\r\n' "$uri" + printf 'Location: %s\r\n' "$item" printf '\r\n' exit fi ;; "POST /") - uri=$(mktemp -t htgen.$$.content.XXXXXXXX) - trap 'rm $uri >&2' EXIT - - head -c "$req_content_length" \ + uri=$(head -c "$req_content_length" \ | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \ | xargs -0 echo -e \ | tee /tmp/tee.log \ | ${pkgs.urix}/bin/urix \ | head -1 \ - > "$uri" - sha256=$(sha256sum -b "$uri" | cut -d\ -f1) - base32=$(${pkgs.nixStable}/bin/nix-hash --to-base32 --type sha256 "$sha256") - item="$STATEDIR/items/$base32" - ref="http://$req_host/$base32" + ) - if ! test -e "$item"; then - mkdir -v -p "$STATEDIR/items" >&2 - cp -v "$uri" "$item" >&2 - fi + sha256=$(echo "$uri" | sha256sum -b | cut -d\ -f1) + base32=$(${pkgs.nixStable}/bin/nix-hash --to-base32 --type sha256 "$sha256") + base32short=$(echo "$base32" | cut -c48-52) + ${pkgs.redis}/bin/redis-cli set "$base32short" "$uri" >/dev/null - base32short=$(echo "$base32" | cut -b-7) - if item=$(find_item "$base32short"); then - ref="http://$req_host/$base32short" - fi + ref="http://$req_host/$base32short" printf 'HTTP/1.1 200 OK\r\n' printf 'Content-Type: text/plain; charset=UTF-8\r\n' 
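Review bot: `base32short` is now only five base32 characters (`cut -c48-52`, roughly 25 bits) and `redis-cli set` overwrites unconditionally, so a hash collision silently repoints an existing short link to a different URL. Use `${pkgs.redis}/bin/redis-cli set "$base32short" "$uri" NX` and fall back to a longer slice of `$base32` when the stored value differs. In the GET branch `redis-cli` exits 0 for a missing key, so unknown ids are answered with a 302 and an empty `Location`; add `&& test -n "$item"` to the `if`. The added `set -x` and the existing `tee /tmp/tee.log` both record every submitted URL and look like debugging leftovers. The script continues past the end of the hunk.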
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 8c164cfe3..37b939358 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -77,6 +77,7 @@ in { "wiki.r" "wiki.hotdog.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc @@ -177,6 +178,7 @@ in { }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY"; + syncthing.id = "DK5CEE2-PNUXYCE-Q42H2HP-623GART-B7KS4VK-HU2RBGQ-EK6QPUP-HUL3PAR"; }; wolf = { ci = true; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 6978c0b4e..d29988be2 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -67,7 +67,9 @@ in { "cgit.prism.r" "paste.r" "p.r" + "search.r" ]; + tinc.port = 655; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje @@ -126,6 +128,7 @@ in { aliases = [ "uriel.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR @@ -151,6 +154,7 @@ in { aliases = [ "mors.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE @@ -184,6 +188,7 @@ in { aliases = [ "shodan.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT @@ -218,6 +223,7 @@ in { aliases = [ "icarus.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr @@ -251,6 +257,7 @@ in { aliases = [ "daedalus.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8 
@@ -282,6 +289,7 @@ in { aliases = [ "skynet.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX @@ -315,6 +323,7 @@ in { aliases = [ "littleT.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF @@ -364,6 +373,7 @@ in { aliases = [ "xerxes.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U @@ -414,6 +424,7 @@ in { aliases = [ "red.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG @@ -444,6 +455,7 @@ in { aliases = [ "yellow.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP @@ -481,6 +493,7 @@ in { aliases = [ "blue.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd @@ -520,6 +533,7 @@ in { aliases = [ "green.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk @@ -574,6 +588,7 @@ in { aliases = [ "morpheus.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY @@ -611,6 +626,7 @@ in { aliases = [ "hilum.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb @@ -651,6 +667,7 @@ in { aliases = [ "styx.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn @@ -692,6 +709,7 @@ in { aliases = [ "coaxmetal.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA 
@@ -724,6 +742,46 @@ in { syncthing.id = "W5BJ4TL-GAQ46WS-ZB72HFS-XOURLBA-RNBVMYC-POFH4UA-CBORQID-BMIHNQZ"; }; + echelon = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.3"; + ip6.addr = r6 "4"; + aliases = [ + "echelon.r" |