From 6b248db017a4172f12a48d7cd253414f354d5bd9 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 5 Sep 2020 01:17:51 +0200 Subject: krebs.tinc: add support for ED25519 keys --- krebs/3modules/tinc.nix | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 1fca7de5c..0f5e1aa83 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -29,6 +29,9 @@ let Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} + ${optionalString (tinc.config.privkey_ed25519 != null) + "Ed25519PrivateKeyFile = ${tinc.config.privkey_ed25519.path}" + } PrivateKeyFile = ${tinc.config.privkey.path} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} @@ -165,6 +168,17 @@ let }; }; + privkey_ed25519 = mkOption { + type = types.nullOr types.secret-file; + default = + if config.krebs.hosts.${tinc.config.host.name}.nets.${tinc.config.netname}.tinc.pubkey_ed25519 == null then null else { + name = "${tinc.config.netname}.ed25519_key.priv"; + path = "${tinc.config.user.home}/tinc.ed25519_key.priv"; + owner = tinc.config.user; + source-path = toString + "/${tinc.config.netname}.ed25519_key.priv"; + }; + }; + connectTo = mkOption { type = types.listOf types.str; ${if tinc.config.netname == "retiolum" then "default" else null} = [ 
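Review bot: The new `Ed25519PrivateKeyFile` line in the generated tinc.conf is a tinc 1.1 configuration variable, and nothing in the hunk ties `privkey_ed25519` to a 1.1-capable `tincPackage`; if a network still runs a 1.0.x build, the daemon will not understand the variable and may refuse to start. Consider an assertion on the package, or at minimum a comment beside the new line: `# Ed25519 keys need tinc >= 1.1; the RSA PrivateKeyFile below stays mandatory.` Note that `PrivateKeyFile` remains unconditional, so this adds Ed25519 alongside RSA rather than permitting an Ed25519-only host. The `let` binding that assembles the config string starts outside the hunk.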
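Review bot: The new `privkey_ed25519` option has no `description`, and its default is non-obvious: it is derived from whether the host registered a `tinc.pubkey_ed25519`, so merely publishing a public key silently makes a private-key secret file mandatory for that host on that network. Add `description = "Ed25519 private key secret for this network; defaults to a secret file whenever the host declares tinc.pubkey_ed25519, otherwise null.";` so the coupling is visible to whoever adds a key. The `source-path` value is not fully legible in this rendering, so the on-disk location of the private key cannot be confirmed from the hunk.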
@@ -198,8 +212,23 @@ let # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network, # avoid conflicts in environment if the packages differ - krebs.secret.files = mapAttrs' (netname: cfg: - nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; + krebs.secret.files = + let + ed25519_keys = + filterAttrs + (_: key: key != null) + (mapAttrs' + (netname: cfg: + nameValuePair "${netname}.ed25519_key.priv" cfg.privkey_ed25519 + ) + config.krebs.tinc); + + rsa_keys = + mapAttrs' + (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey) + config.krebs.tinc; + in + ed25519_keys // rsa_keys; users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { @@ -221,11 +250,15 @@ let in { description = "Tinc daemon for ${netname}"; after = [ - config.krebs.secret.files."${netname}.rsa_key.priv".service "network.target" + config.krebs.secret.files."${netname}.rsa_key.priv".service + ] ++ optionals (cfg.privkey_ed25519 != null) [ + config.krebs.secret.files."${netname}.ed25519_key.priv".service ]; partOf = [ config.krebs.secret.files."${netname}.rsa_key.priv".service + ] ++ optionals (cfg.privkey_ed25519 != null) [ + config.krebs.secret.files."${netname}.ed25519_key.priv".service ]; wantedBy = [ "multi-user.target" ]; path = [ tinc iproute ]; -- cgit v1.3.1 From a5d4acd92b2eae8c8886103f1e5c3d122acf01cc Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 5 Sep 2020 01:24:43 +0200 Subject: tv au: init --- krebs/3modules/tv/default.nix | 27 +++++++++++++++++++++++++++ tv/1systems/au/config.nix | 18 ++++++++++++++++++ tv/1systems/au/disks.nix | 19 +++++++++++++++++++ tv/2configs/nets/hkw.nix | 14 +++++++++++++- 4 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 tv/1systems/au/config.nix create mode 100644 tv/1systems/au/disks.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index c2bf406f1..c86fda05d 100644 --- a/krebs/3modules/tv/default.nix 
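Review bot: The `optionals (cfg.privkey_ed25519 != null) [ config.krebs.secret.files."${netname}.ed25519_key.priv".service ]` expression is written out twice, once in the new `after` list and once in `partOf`; binding it once keeps the two lists from drifting when another key type is added. Something like `let secretServices = [ config.krebs.secret.files."${netname}.rsa_key.priv".service ] ++ optionals (cfg.privkey_ed25519 != null) [ config.krebs.secret.files."${netname}.ed25519_key.priv".service ]; in` followed by `after = [ "network.target" ] ++ secretServices;` and `partOf = secretServices;` preserves the current lists exactly. The unit's `let ... in { ... }` begins outside the hunk, so that is where the binding would go.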
+++ b/krebs/3modules/tv/default.nix @@ -55,6 +55,33 @@ in { ssh.privkey.path = ; ssh.pubkey = "ssh-rsa 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"; }; + au = { + ci = true; + cores = 4; + nets = { + retiolum = { + ip4.addr = "10.243.13.39"; + aliases = [ + "au.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEApD+HJS5gANbZScCMLxgZZgHZUsQUDlyWTLNdANfo0gXQdsYRVE/z + 9zMG/VE9xwy0OC9JM73YaEymXdmWa3kGXP2jjQnOZyJTFMNFHc8dkl+RBnWv8eZm + PzFN84ZjnYXyOpXJFajR8eelzqlFvD+2WKsXAD5xaW5EmCBTMIjB/zSuLBpqnIHb + PqQA1XUye69dQRjjcPn1mtYQPS78H8ClJjnhS76owFzyzNZjri1tr2xi2oevnVJG + cnYNggZHz3Kg3btJQ3VtDKGLJTzHvvMcn2JfPrePR2+KK0/KbMitpYAS687Ikb83 + jjB+eZgXq5g81vc1116bA5yqcT2UNdOPWwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = + "Ed25519PublicKey = bfDtJbxusBdosE6dMED32Yc6ZeYI3RFyXryQr7heZpO"; + }; + }; + secure = true; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au"; + }; mu = { ci = true; cores = 2; diff --git a/tv/1systems/au/config.nix b/tv/1systems/au/config.nix new file mode 100644 index 000000000..fc4b216f5 --- /dev/null +++ b/tv/1systems/au/config.nix @@ -0,0 +1,18 @@ +{ config, ... }: { + imports = [ + ./disks.nix + + + + ]; + + krebs.build.host = config.krebs.hosts.au; + + networking.wireless.enable = true; + networking.useDHCP = false; + networking.interfaces.enp0s25.useDHCP = true; + networking.interfaces.wlp3s0.useDHCP = true; + networking.interfaces.wwp0s29u1u4i6.useDHCP = true; + + system.stateVersion = "20.03"; +} diff --git a/tv/1systems/au/disks.nix b/tv/1systems/au/disks.nix new file mode 100644 index 000000000..434de1740 --- /dev/null +++ b/tv/1systems/au/disks.nix 
@@ -0,0 +1,19 @@ +{ + boot.initrd.luks.devices.main.device = "/dev/sda2"; + fileSystems."/" = { + device = "/dev/main/root"; + options = ["defaults" "noatime" "commit=60"]; + }; + fileSystems."/boot" = { + device = "/dev/sda1"; + options = ["defaults" "noatime"]; + }; + fileSystems."/bku" = { + device = "/dev/main/bku"; + options = ["defaults" "noatime"]; + }; + fileSystems."/home" = { + device = "/dev/main/home"; + options = ["defaults" "noatime" "commit=60"]; + }; +} diff --git a/tv/2configs/nets/hkw.nix b/tv/2configs/nets/hkw.nix index 725e63b13..c3acde1fb 100644 --- a/tv/2configs/nets/hkw.nix +++ b/tv/2configs/nets/hkw.nix @@ -2,6 +2,18 @@ krebs = { dns.providers.hkw = "hosts"; hosts = { + au = { + nets.hkw = { + ip4 = { + addr = "10.23.1.39"; + prefix = "10.23.1.0/24"; + }; + aliases = [ + "au.hkw" + ]; + ssh.port = 11423; + }; + }; nomic = { nets.hkw = { ip4 = { @@ -55,7 +67,7 @@ zu = { nets.hkw = { ip4 = { - addr = "10.23.1.39"; + addr = "10.23.1.40"; prefix = "10.23.1.0/24"; }; aliases = [ -- cgit v1.3.1 From 6fbbf7e6170f6a1ba42c5dcecd11ca67c6bc5afd Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 8 Sep 2020 21:47:29 +0200 Subject: krebs.permown: add keepGoing option --- krebs/3modules/permown.nix | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix index fe293810c..ca81e2ea5 100644 --- a/krebs/3modules/permown.nix +++ b/krebs/3modules/permown.nix @@ -18,6 +18,15 @@ with import ; default = null; type = types.nullOr types.groupname; }; + keepGoing = mkOption { + default = false; + type = types.bool; + description = '' + Whether to keep going when chowning or chmodding fails. + If set to false, then errors will cause the service to restart + instead. + ''; + }; owner = mkOption { type = types.username; }; 
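Review bot: `boot.initrd.luks.devices.main.device = "/dev/sda2"` and the `/boot` entry on `/dev/sda1` rely on kernel enumeration order rather than stable identifiers; those names can shift when another disk or a USB stick is attached at boot, which for the LUKS device means the initrd unlock targets the wrong partition and for `/boot` risks mounting a foreign device. Prefer `/dev/disk/by-uuid/...` (or `by-partuuid`) for both, e.g. `device = "/dev/disk/by-uuid/<LUKS-UUID-PLACEHOLDER>";`. The LVM paths under `/dev/main/` are name-based and are not affected.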
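Review bot: The address `10.23.1.39` assigned to `au` in `nets.hkw` is the one `zu` held until this commit; the second hunk of this file (`-55,7 +67,7`) moves `zu` to `10.23.1.40`. Anything keyed on the old address outside this module — `known_hosts` entries by IP, firewall allow-lists, DNS data not generated from `dns.providers.hkw` — now points at a different host and, for SSH, will produce host-key mismatch warnings until refreshed. If zu is still running with the old address when au comes up, both hosts claim `10.23.1.39` until zu is redeployed. Giving au an unused address, or at least stating the renumbering in the commit message, would make this easier to reason about.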
@@ -43,7 +52,12 @@ with import ; ''; in concatMapStrings mkdir plans; - systemd.services = genAttrs' plans (plan: { + systemd.services = genAttrs' plans (plan: let + continuable = command: + if plan.keepGoing + then /* sh */ "{ ${command}; } || :" + else command; + in { name = "permown.${replaceStrings ["/"] ["_"] plan.path}"; value = { environment = { @@ -82,9 +96,9 @@ with import ; cleanup exec "$0" "$@" fi - chown -h "$OWNER_GROUP" "$path" + ${continuable /* sh */ ''chown -h "$OWNER_GROUP" "$path"''} if test -f "$path"; then - chmod "$FILE_MODE" "$path" + ${continuable /* sh */ ''chmod "$FILE_MODE" "$path"''} fi done < "$paths" ''; -- cgit v1.3.1 [cgit] Unable to lock slot /tmp/cgit/7b100000.lock: No such file or directory (2)
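Review bot: With `keepGoing = true`, `continuable` rewrites a failed `chown`/`chmod` as `{ command; } || :`, which discards the failure without any trace in the journal; someone debugging why a path kept its old owner or mode gets nothing to go on. The no-exit semantics can be kept while still recording the path, e.g. `then /* sh */ ''{ ${command}; } || echo "permown: ignoring failure for $path" >&2''`, which leaves the loop running exactly as before. The same wrapper is applied in the next hunk (`-82,9 +96,9`) to both the chown and the chmod line, so the one change covers both call sites. The `genAttrs' plans (plan: ...)` body continues outside the hunk.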