From 85816b60c2002ea3ea68e51523b9fc2490f0a8e5 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 14:06:03 +0200 Subject: zones: import misplaced options from ssh --- krebs/3modules/ssh.nix | 23 ----------------------- krebs/3modules/zones.nix | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 23 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix index 58f3a3c10..aba825c29 100644 --- a/krebs/3modules/ssh.nix +++ b/krebs/3modules/ssh.nix @@ -4,32 +4,9 @@ let cfg = config.krebs; out = { - options.krebs = api; config = lib.mkIf cfg.enable imp; }; - api = { - zone-head-config = mkOption { - type = with types; attrsOf str; - description = '' - The zone configuration head which is being used to create the - zone files. The string for each key is pre-pended to the zone file. - ''; - # TODO: configure the default somewhere else, - # maybe use krebs.dns.providers - default = { - - # github.io -> 192.30.252.154 - "krebsco.de" = '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - IN NS ns19.ovh.net. - IN NS dns19.ovh.net. - ''; - }; - }; - }; - imp = lib.mkMerge [ { services.openssh.hostKeys = diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 7771d3b51..a7bd867f5 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -1,6 +1,22 @@ { config, pkgs, lib, ... }: with lib; { + options.krebs.zone-head-config = mkOption { + type = lib.types.attrsOf lib.types.str; + description = '' + The zone configuration head which is being used to create the + zone files. The string for each key is pre-pended to the zone file. + ''; + default = { + "krebsco.de" = /* bindzone */ '' + $TTL 86400 + @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) + @ IN NS ns19.ovh.net. + @ IN NS dns19.ovh.net. + ''; + }; + }; + config = { environment.etc = mapAttrs' -- cgit v1.3.1 
From b63f7920b5bce1670692e6278eb87db52b1ba0af Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:09 +0200 Subject: zones: update default head config --- krebs/3modules/zones.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index a7bd867f5..1d63548b8 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -9,10 +9,9 @@ with lib; { ''; default = { "krebsco.de" = /* bindzone */ '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - @ IN NS ns19.ovh.net. - @ IN NS dns19.ovh.net. + $TTL 60 + @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 ''; }; }; -- cgit v1.3.1 From 7cd50a3c07e788fa0b4ab53c78b9dea10ff30b2d Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 11:39:33 +0200 Subject: nameserver config: add ni as secondary --- krebs/2configs/nameserver.nix | 9 +++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 10 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4b205a13d..a4c4b5f05 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: krebscode_ni + address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} + key: krebs_transfer_notify_key acl: - id: acme_acl @@ -70,6 +73,10 @@ in { key: dane action: update + - id: transfer_to_krebscode_secondary + key: krebs_transfer_notify_key + action: transfer + mod-rrl: - id: default rate-limit: 200 # Allow 200 resp/s for each flow @@ -94,6 +101,8 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: krebscode_ni + acl: transfer_to_krebscode_secondary acl: dane_acl - domain: _acme-challenge.krebsco.de diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 1d63548b8..bf904a268 100644 
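Review bot: The new SOA `@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600` sets expire to 86400, so once the secondaries from the following commits are in place a primary outage of more than one day makes every secondary stop serving the zone; RFC 1912 suggests an expire of two to four weeks, e.g. `@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 1209600 3600`. The serial is fixed at 0 in this default, which only works with secondaries if the nameserver (knot with `dnssec-signing: on` in the nameserver.nix hunks below) bumps it on signing — I cannot confirm that from here. A short comment naming the field order (`# serial refresh retry expire minimum`) would make the next edit to this line safer. The `mkOption` that holds this default starts outside the hunk.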
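Review bot: The new ACL `transfer_to_krebscode_secondary` grants `action: transfer` on the TSIG key alone, so any host holding `krebs_transfer_notify_key` can pull the full zone from any address. Adding the secondary's address makes key and source address both required: `address: ${config.krebs.hosts.ni.nets.internet.ip4.addr}` next to the `key:` line, which is the combined form the he.net ACL in a later commit on this page already uses. The first hunk of this file resolves that same address for the `krebscode_ni` remote, so no new lookup is needed. The enclosing `acl:` list starts outside the hunk.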
--- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -12,6 +12,7 @@ with lib; { $TTL 60 @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 + @ 3600 IN NS ni ''; }; }; -- cgit v1.3.1 From 193baa8f2f64a4909e38069d4f21ac6c46d2796b Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 15:53:27 +0200 Subject: nameserver config: add he.net as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 2 ++ 2 files changed, 12 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index a4c4b5f05..4c6b95516 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: henet_ns1 + address: 216.218.130.2 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -73,6 +76,11 @@ in { key: dane action: update + - id: transfer_to_henet_secondary + key: henet_transfer_key + address: [ 216.218.133.2, 2001:470:600::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer @@ -101,7 +109,9 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: henet_ns1 notify: krebscode_ni + acl: transfer_to_henet_secondary acl: transfer_to_krebscode_secondary acl: dane_acl diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index bf904a268..8cb68c4f7 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -13,6 +13,8 @@ with lib; { @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 @ 3600 IN NS ni + @ 3600 IN NS ns2.he.net. + @ 3600 IN NS ns3.he.net. ''; }; }; -- cgit v1.3.1 From 7e98588f8e626c4e2800e1238ea8a1df1f5c8f7a Mon Sep 17 00:00:00 2001 
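Review bot: The he.net transfer ACL hard-codes `216.218.133.2` and `2001:470:600::2` while the `henet_ns1` remote uses `216.218.130.2`, and nothing records where these provider addresses come from; the hosting.de hunk in the next commit cites the provider page above its ACL, and the same kind of comment here, e.g. `# he.net: notify target and transfer sources per <he.net documentation URL>`, would let a reviewer verify them. `henet_transfer_key` is referenced by the ACL but not declared in any hunk on this page; presumably it lives in the `key:` section outside the hunk, otherwise knot rejects the configuration at load. The `acl:` list begins outside the hunk.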
From: tv Date: Wed, 2 Aug 2023 17:42:32 +0200 Subject: nameserver config: add hosting.de as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 11 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4c6b95516..633f6f5d5 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -63,6 +63,9 @@ in { - id: henet_ns1 address: 216.218.130.2 + - id: hostingde_ns1 + address: 134.0.30.178 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -81,6 +84,11 @@ in { address: [ 216.218.133.2, 2001:470:600::2 ] action: transfer + # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/ + - id: transfer_to_hostingde_secondary + address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer @@ -110,8 +118,10 @@ in { dnssec-signing: on dnssec-policy: rsa2k notify: henet_ns1 + notify: hostingde_ns1 notify: krebscode_ni acl: transfer_to_henet_secondary + acl: transfer_to_hostingde_secondary acl: transfer_to_krebscode_secondary acl: dane_acl diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 8cb68c4f7..e68482d77 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -15,6 +15,7 @@ with lib; { @ 3600 IN NS ni @ 3600 IN NS ns2.he.net. @ 3600 IN NS ns3.he.net. + @ 3600 IN NS ns2.hosting.de. ''; }; }; -- cgit v1.3.1 From 1105d9ef32d5512b0e6eee7fb6c8d7e0435a893c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 20:32:48 +0200 Subject: fetchWallpaper: use upstream writers --- krebs/3modules/fetchWallpaper.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 79187adfa..0d67120fd 100644 
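Review bot: The NS set in this default zone head and the notify/acl entries in krebs/2configs/nameserver.nix are now kept in sync by hand — this commit and the two before it each edit both files — and nothing ties the new `@ 3600 IN NS ns2.hosting.de.` record to the `hostingde_ns1` remote. A comment above the default such as `# Keep this NS set in sync with the secondaries configured in krebs/2configs/nameserver.nix` would at least point the next editor there; deriving both from a single list of secondaries would remove the drift entirely. The `mkOption` that holds this default starts outside the hunk.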
--- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -40,7 +40,7 @@ let }; }; - fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' + fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" '' set -euf mkdir -p ${cfg.stateDir} -- cgit v1.3.1 From 245dd8b67ffe133dbff76a59a4f9e7f5401f7aec Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 20:35:32 +0200 Subject: iptables: use upstream writers --- krebs/3modules/iptables.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index c1c5b68c8..32a5273a5 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -177,7 +177,7 @@ let ${buildTables iptables-version cfg.tables} ''; - startScript = pkgs.writeDash "krebs-iptables_start" '' + startScript = pkgs.writers.writeDash "krebs-iptables_start" '' set -euf iptables-restore < ${rules "v4"} ip6tables-restore < ${rules "v6"} -- cgit v1.3.1 From 5e215d87e53f97e73247c0d415a416cade9f9328 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 20:36:51 +0200 Subject: power-action: use upstream writers --- krebs/3modules/power-action.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix index 71e2b541a..a9ed24d3f 100644 --- a/krebs/3modules/power-action.nix +++ b/krebs/3modules/power-action.nix @@ -60,7 +60,7 @@ let }; }; - startScript = pkgs.writeDash "power-action" '' + startScript = pkgs.writers.writeDash "power-action" '' set -euf power="$(${powerlvl})" 
@@ -77,11 +77,11 @@ let writeRule = _: plan: "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi"; - powerlvl = pkgs.writeDash "powerlvl" '' + powerlvl = pkgs.writers.writeDash "powerlvl" '' cat /sys/class/power_supply/${cfg.battery}/capacity ''; - state = pkgs.writeDash "state" '' + state = pkgs.writers.writeDash "state" '' if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ] then echo "false" else echo "true" -- cgit v1.3.1 From 083229d0211096daec08673f743ccc45b1d8a0ac Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 7 Sep 2023 19:00:57 +0200 Subject: krebs: krebs.secret.directory --- krebs/2configs/acme.nix | 2 +- krebs/2configs/cal.nix | 2 +- krebs/2configs/hotdog-host.nix | 3 ++- krebs/2configs/news-host.nix | 3 ++- krebs/2configs/repo-sync.nix | 2 +- krebs/2configs/syncthing.nix | 4 ++-- krebs/2configs/tor/initrd.nix | 4 ++-- krebs/2configs/wiki.nix | 2 +- krebs/3modules/exim-smarthost.nix | 4 ++-- krebs/3modules/github/hosts-sync.nix | 2 +- krebs/3modules/repo-sync.nix | 2 +- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- krebs/3modules/tinc.nix | 4 ++-- 13 files changed, 20 insertions(+), 18 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae4..0b9cb91af 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix index a1fe47b5d..1a0cdf019 100644 --- a/krebs/2configs/cal.nix +++ b/krebs/2configs/cal.nix 
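Review bot: `mode = "1444"` on the context line above the changed `source-path` installs the step-ca intermediate key `acme_ca.key` world-readable; the new `source-path` is fine, but the installed copy should be `mode = "0400"` with `owner.name` set to the user step-ca runs as, unless krebs.secret.files narrows the mode somewhere not visible here. The `krebs.secret.files` entry and the surrounding attribute set start outside the hunk.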
@@ -108,7 +108,7 @@ in { krebs.secret.files.calendar = { path = "/var/lib/radicale/.ssh/id_ed25519"; owner = { name = "radicale"; }; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix index 95d70376b..ab2b22b7c 100644 --- a/krebs/2configs/hotdog-host.nix +++ b/krebs/2configs/hotdog-host.nix @@ -1,6 +1,7 @@ +{ config, ... }: { krebs.sync-containers3.containers.hotdog = { - sshKey = "${toString }/hotdog.sync.key"; + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; }; containers.hotdog.bindMounts."/var/lib" = { hostPath = "/var/lib/sync-containers3/hotdog/state"; diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 71793e518..81922ef87 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -1,5 +1,6 @@ +{ config, ... }: { krebs.sync-containers3.containers.news = { - sshKey = "${toString }/news.sync.key"; + sshKey = "${config.krebs.secret.directory}/news.sync.key"; }; } diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 1b72924a6..a488fdfea 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; }; imports = [ diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 59178516c..90ae66f6e 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix 
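Review bot: `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";` in the repo-sync.nix hunk ends in a stray `>`, apparently left over from the removed line's interpolation, so the konsens key is resolved from a file name ending in `>`, which no other hunk of this commit uses. It should read `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";`, matching the cal.nix and wiki.nix hunks of the same commit. The `krebs.secret.files.konsens` set starts outside the hunk.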
@@ -10,8 +10,8 @@ in { services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; - key = toString ; - cert = toString ; + key = "${config.krebs.secret.directory}/syncthing.key"; + cert = "${config.krebs.secret.directory}/syncthing.cert"; # workaround for infinite recursion on unstable, remove in 23.11 } // (if builtins.hasAttr "settings" options.services.syncthing then { settings.devices = mk_peers used_peers; } diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix index 98ed039b4..21c46a0a7 100644 --- a/krebs/2configs/tor/initrd.nix +++ b/krebs/2configs/tor/initrd.nix @@ -13,12 +13,12 @@ config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey ]; - hostKeys = [ ]; + hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ]; }; boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.secrets = { - "/etc/tor/onion/bootup" = ; + "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd"; }; boot.initrd.extraUtilsCommands = '' diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index a227ceb4a..4b0bf9768 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -96,7 +96,7 @@ in krebs.secret.files.gollum = { path = "${config.services.gollum.stateDir}/.ssh/id_ed25519"; owner = { name = "gollum"; }; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/gollum.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 093ae2030..4e42ce72e 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix 
@@ -20,14 +20,14 @@ let }; dkim = mkOption { - type = types.listOf (types.submodule ({ config, ... }: { + type = types.listOf (types.submodule (dkim: { options = { domain = mkOption { type = types.str; }; private_key = mkOption { type = types.absolute-pathname; - default = toString + "/${config.domain}.dkim.priv"; + default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix index 6f9aee0ce..2f373f9bc 100644 --- a/krebs/3modules/github/hosts-sync.nix +++ b/krebs/3modules/github/hosts-sync.nix @@ -22,7 +22,7 @@ let }; ssh-identity-file = mkOption { type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; - default = toString ; + default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519"; defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›"; }; url = mkOption { diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index a6de3f3f6..5208d91ae 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -123,7 +123,7 @@ let privateKeyFile = mkOption { type = types.absolute-pathname; - default = toString + "/repo-sync.ssh.key"; + default = "${config.krebs.secret.directory}/repo-sync.ssh.key"; defaultText = "‹secrets/repo-sync.ssh.key›"; }; diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index c9ea8a619..bd7e7c5f6 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix 
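Review bot: `defaultText = "‹secrets/‹domain›.dkim.priv›"` still describes the old default while the new default is built from `config.krebs.secret.directory`, so the rendered option documentation may no longer match the code. Update it to `defaultText = "‹krebs.secret.directory›/‹domain›.dkim.priv";` and do the same for the `defaultText` lines in the github/hosts-sync.nix, 3modules/repo-sync.nix and tinc.nix hunks of this commit. Renaming the submodule argument to `dkim` so that `config` refers to the outer module is deliberate and correct; a one-line comment (`# dkim: submodule args; config: the host configuration`) would keep the next reader from "fixing" it back. The `dkim` option's `mkOption` starts outside the hunk.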
@@ -14,12 +14,12 @@ in sslCertificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; - default = "${toString }/tinc.krebsco.de.crt" ; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ; }; sslCertificateKey = mkOption { type = types.str; description = "Certificate key to use for ssl"; - default = "${toString }/tinc.krebsco.de.key"; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.key"; }; # in use: # diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 2f9efad46..9df368cfb 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; { privkey = mkOption { type = types.absolute-pathname; - default = toString + "/${tinc.config.netname}.rsa_key.priv"; + default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv"; defaultText = "‹secrets/‹netname›.rsa_key.priv›"; }; @@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; { default = if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null then null - else toString + "/${tinc.config.netname}.ed25519_key.priv"; + else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv"; defaultText = "‹secrets/‹netname›.ed25519_key.priv›"; }; -- cgit v1.3.1