add tinc article and add scripts to publish css

.gitignore

@@ -1 +1,5 @@
 public
+*.swp
+*.css
+static/nixos/tinc/*.png
+static/nixos/tinc/*.svg

README.md

@@ -1 +1,5 @@
 My Blog using Hugo
+
+# how to create a new article
+
+hugo new 

Rakefile

@@ -0,0 +1,157 @@
+
+#
+# configuration
+#
+
+@viewer = "feh" # just comment out if you don't want the viewr task
+
+#
+# default task
+#
+
+desc "create all files"
+task :all
+task :default => :all
+
+#
+# tasks I need for all files
+#
+
+def rest_tasks(name, file, png_file, svg_file)
+
+  desc "generate all files for ./#{file}"
+  task name => png_file
+  task name => svg_file
+
+  if @viewer
+
+    show_name = "view_#{name}"
+    desc "#{@viewer} ./#{png_file}"
+    task show_name => png_file do
+      sh "#{@viewer} #{png_file}"
+    end
+
+  end
+
+  # append tasks to default task
+  task :all => png_file
+  task :all => svg_file
+
+end
+
+#
+# tasks for blockdiag files
+#
+Dir['static/**/*.diag'].each do |diag_file|
+
+  name      = diag_file[0..-6]
+  svg_file  = "#{name}.svg"
+  png_file  = "#{name}.png"
+
+
+  task svg_file do
+    sh "blockdiag -Tsvg -o #{name}.svg #{diag_file}"
+  end
+
+  task png_file do
+    sh "blockdiag --no-transparency -Tpng -o #{name}.png #{diag_file}"
+  end
+
+  rest_tasks(name, diag_file, png_file, svg_file)
+
+end
+
+#
+# tasks for nwdiag files
+#
+Dir['static/**/*.nwdiag'].each do |diag_file|
+
+  name      = diag_file[0..-8]
+  svg_file  = "#{name}.svg"
+  png_file  = "#{name}.png"
+
+
+  task svg_file do
+    sh "nwdiag -Tsvg -o #{name}.svg #{diag_file}"
+  end
+
+  task png_file do
+    sh "nwdiag --no-transparency -Tpng -o #{name}.png #{diag_file}"
+  end
+
+  rest_tasks(name, diag_file, png_file, svg_file)
+
+end
+
+#
+# tasks for seqdiag files
+#
+Dir['static/**/*.seqdiag'].each do |diag_file|
+
+  name      = diag_file[0..-9]
+  svg_file  = "#{name}.svg"
+  png_file  = "#{name}.png"
+
+
+  task svg_file do
+    sh "seqdiag -Tsvg -o #{name}.svg #{diag_file}"
+  end
+
+  task png_file do
+    sh "seqdiag --no-transparency -Tpng -o #{name}.png #{diag_file}"
+  end
+
+  rest_tasks(name, diag_file, png_file, svg_file)
+
+end
+
+#
+# tasks for actdiag files
+#
+Dir['static/**/*.actdiag'].each do |diag_file|
+
+  name      = diag_file[0..-9]
+  svg_file  = "#{name}.svg"
+  png_file  = "#{name}.png"
+
+
+  task svg_file do
+    sh "actdiag -Tsvg -o #{name}.svg #{diag_file}"
+  end
+
+  task png_file do
+    sh "actdiag --no-transparency -Tpng -o #{name}.png #{diag_file}"
+  end
+
+  rest_tasks(name, diag_file, png_file, svg_file)
+
+end
+
+
+#
+# theme
+#
+task :build_theme do
+  Dir.chdir('themes/first') do
+    sh'rake'
+  end
+end
+task :all => :build_theme
+
+
+#
+# hugo server
+#
+desc "start the hugo server"
+task :run_server do
+  sh "hugo serve"
+end
+
+
+#
+# publish
+#
+desc "publish"
+task :publish do
+  sh "./upload.ion"
+end

config.toml

@@ -1,3 +1,5 @@
 baseURL = "http://example.org/"
 languageCode = "en-us"
 title = "My New Hugo Site"
+
+theme = "first"

content/nixos/kubernetes.md

@@ -2,7 +2,7 @@
 title: "Kubernetes"
 date: 2018-06-18T08:56:23+02:00
 tags: ["kubernetes", "tinc", "nixos"]
-draft: false
+draft: true
 ---
 
 # My Kubernetes Setup

content/nixos/nix-generators.md

@@ -0,0 +1,16 @@
+---
+title: "Nix Generators"
+date: 2018-06-27T19:09:36+02:00
+draft: true
+---
+
+# Nix Generators for the win.
+
+Today I'll talk about a nice project which might your live simpler.
+[nixos-generators](https://github.com/Lassulus/nixos-generators)
+
+## Creating installation ISO
+
+You want to create a iso that alreay knows the wifi password and starts sshd and root knows your ssh key?
+This is you choice.
+

content/nixos/tinc.md

@@ -0,0 +1,315 @@
+---
+title: "Tinc"
+date: 2018-07-07T21:43:24+02:00
+tags:
+- NixOS
+- NixOps
+- Tinc
+---
+
+In this article I will describe how to use my
+[NixOS](https://nixos.org/)
+tinc-module.
+I had to write my own,
+because the standard `services.tinc` module
+misses a lot of features,
+for example maintaining sub-net and network wise activation and deactivation.
+I designed it to be used with
+[NixOps](https://nixos.org/nixops/).
+
+You have to `enable` and `disable ` every network you define,
+instead of `enable ` tinc and which enables all defined networks.
+This should make it easy to define all your networks
+in one file (to keep track about everything).
+
+# How to use
+
+To use this module you can use `fetchgit` to import it.
+
+{{% note %}}
+To find the newest `rev` and `sha256` just call `nix-shell -p nix-prefetch-git --run "nix-prefetch-git https://github.com/mrVanDalo/nixos-tinc.git"`
+{{% /note %}}
+
+```
+{pkgs, ... }:
+let
+  tincModule = {
+    url    = "https://github.com/mrVanDalo/nixos-tinc.git";
+    rev    = "8755d954fcadeef5d0e30488a7b11e3f1a505769";
+    sha256 = "0swkk5zxg9vqdf2j0m9zki13wr0g8ws77y4v5wzklrdcmbny5qjm";
+  };
+in {
+  imports = [
+    "${tincModule}"
+  ];
+}
+```
+
+Now you are ready to go!
+
+# Create Keys
+
+First of all,
+we have to create tinc keys for every computer in the VPN Mesh.
+To put the keys in the current folder we use the `'--config .'` option,
+
+```
+$> nix-shell -p tinc_pre --run "tinc --config . generate-keys 4096"
+```
+
+After that is done we create the `hostfile` by
+
+```
+$> cat *.pub > hostfile
+```
+
+## Key-File-structure for these Examples
+
+In the following examples we use the following file-structure
+
+```
+|-- configuration.nix
+`-- secrets
+    |-- Gibson
+    |   |-- ed25519_key.priv
+    |   |-- hostfile
+    |   `-- rsa_key.priv
+    |-- Hackbardt
+    |   |-- ed25519_key.priv
+    |   |-- hostfile
+    |   `-- rsa_key.priv
+    `-- HAL
+        |-- ed25519_key.priv
+        |-- hostfile
+        `-- rsa_key.priv
+```
+
+
+# Using tinc to connect 3 computers
+
+First we want to connect 3 computers in a private network of range ``10.1.1.0/24``.
+One computer needs to be accessable from the internet,
+it will be the computer that connects all the other computer.
+You can have multiple computers which are reachable but for this example we only have one.
+
+{{<figure src="/nixos/tinc/3computers.svg">}}
+
+Here is the `configuration.nix`.
+First we setup the whole infrastructure in the `default` and 
+than we `enable` and configure secret-keys 
+for every computer in `Gibson`, `Hackbardt` and `HAL`
+
+```
+let
+
+  includePrivateKeys = host: {
+    deployment.keys."rsa_key" = {
+      keyFile = ./secrets/"${host}"/rsa_key.priv;
+      destDir = "/root/secrets";
+    };
+    deployment.keys."ed25519_key" = {
+      keyFile = ./secrets/"${host}"/ed25519_key.priv;
+      destDir = "/root/secrets";
+    };
+  };
+
+
+in {
+
+# for all machines
+# ----------------
+default =
+{config, pkgs, lib, ... }:
+{
+  with lib;
+  services.custom.tinc =
+  let
+    publicHostFile = host: fileContent ./secrets/"${host}"/hostfile;
+  in {
+    "private" = {
+      debugLevel    = 0;
+      port          = 655;
+      networkSubnet = "10.1.1.0/24";
+      hosts = {
+        Gibson = {
+          realAddress = [ "my.awesome.dns.com" ];
+          tincIp      = "10.1.1.1";
+          publicKey   = publicHostFile "Gibson";
+        };
+        Hackbardt = {
+          tincIp      = "10.1.1.2";
+          publicKey   = publicHostFile "Hackbardt";
+        };
+        HAL = {
+          tincIp      = "10.1.1.3";
+          publicKey   = publicHostFile "HAL";
+        };
+      };
+    };
+  };
+}
+
+# Gibson specific
+# ---------------
+Gibson =
+{config, pkgs, ... }:
+includePrivateKeys "Gibson" // {
+  services.custom.tinc = {
+    "private" = {
+      enable                = true;
+      privateRsaKeyFile     = config.deployment.keys."rsa_key".path;
+      privateEd25519KeyFile = config.deployment.keys."ed25519_key".path;
+    };
+  };
+}
+
+# Hackbardt specific
+# ------------------
+Hackbardt =
+{config, pkgs, ... }:
+includePrivateKeys "Hackbardt" // {
+  services.custom.tinc = {
+    "private" = {
+      enable                = true;
+      connectTo             = [ "Gibson" ];
+      privateRsaKeyFile     = config.deployment.keys."rsa_key".path;
+      privateEd25519KeyFile = config.deployment.keys."ed25519_key".path;
+    };
+  };
+}
+
+# HAL specific
+# ------------
+HAL =
+{config, pkgs, ... }:
+includePrivateKeys "HAL" // {
+  services.custom.tinc = {
+    "private" = {
+      enable                = true;
+      connectTo             = [ "Gibson" ];
+      privateRsaKeyFile     = config.deployment.keys."rsa_key".path;
+      privateEd25519KeyFile = config.deployment.keys."ed25519_key".path;
+    };
+  };
+}
+
+}
+```
+
+If we deploy that and check the servers, 
+we can see tinc creates interfaces called `tinc.private`.
+Observing the routes we see that tinc sets up everything so these computers can see each other.
+
+```
+$Gibson> ip addr show dev tinc.private
+4: tinc.private: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
+    link/ether 3f:ac:bd:c2:f6:9c brd ff:ff:ff:ff:ff:ff
+    inet 10.1.1.1/32 scope global tinc.private
+       valid_lft forever preferred_lft forever
+    inet 169.254.22.60/16 brd 169.254.255.255 scope global tinc.private
+       valid_lft forever preferred_lft forever
+    inet6 ffa1::2afc:b2ff:fcf2:f97a/64 scope link
+       valid_lft forever preferred_lft forever
+```
+```
+$Gibson> ip route show dev tinc.private
+10.1.1.0/24 scope link
+169.254.0.0/16 proto kernel scope link src 169.254.22.60 metric 204
+```
+
+It also creates `/etc/host` entries `<computername>.<networkname>`
+so you don't have to remember the IPs.
+
+```
+$Gibson> ping HAL.private  -c 1
+PING HAL.private (10.1.1.3) 56(84) bytes of data.
+64 bytes from HAL.private (10.1.1.1): icmp_seq=1 ttl=64 time=5.27 ms
+```
+
+**Awesome!** That was easy!
+
+
+# Using tinc to connect 2 sub-nets
+
+So far so good, 
+but lets imagine we have some virtual machines running on 2 computers and want to make these virtual machines see each other.
+This is a very common problem in [Kubernetes](https://kubernetes.io/).
+It can be resolved by using the `tincSubnet` parameter.
+
+{{<figure src="/nixos/tinc/2subnets.svg">}}
+
+Achieving this is very simple,
+just add the `tincSubnet` parameter in the `hosts` attribute and your done.
+
+```
+...
+
+default =
+{config, pkgs, lib, ... }:
+{
+  with lib;
+  services.custom.tinc =
+  let
+    publicHostFile = name: fileContent ./secrets/"${name}"/hostfile;
+  in {
+    "private" = {
+      debugLevel    = 0;
+      port          = 655;
+      networkSubnet = "10.1.1.0/24";
+      hosts = {
+        Gibson = {
+          realAddress = [ "my.awesome.dns.com" ];
+          tincIp      = "10.1.1.1";
+          publicKey   = publicHostFile "Gibson";
+        };
+        Hackbardt = {
+          tincIp      = "10.1.1.2";
+          subnetIp    = "10.2.2.0/24";
+          publicKey   = publicHostFile "Hackbardt";
+        };
+        HAL = {
+          tincIp      = "10.1.1.3";
+          subnetIp    = "10.2.3.0/24";
+          publicKey   = publicHostFile "HAL";
+        };
+      };
+    };
+  };
+}
+
+...
+```
+
+After deployment we can see that `Gibson` has proper routing to the configured `tincSubnet` 
+ranges as well as to `10.1.1.0/24` to reach other the computers.
+
+```
+$> ip route show dev tinc.private
+10.1.1.0/24 scope link 
+10.2.2.0/24 scope link 
+10.2.3.0/24 scope link 
+169.254.0.0/16 proto kernel scope link src 169.254.116.112 metric 203 
+```
+
+`Hackbardt` has routing to the network provided by `HAL`,
+but has no routing (on the `tinc.private` interface) to the network it provides it self.
+
+```
+$> ip route show dev tinc.private
+10.1.1.0/24 scope link 
+10.2.2.0/24 scope link 
+169.254.0.0/16 proto kernel scope link src 169.254.116.112 metric 203 
+```
+
+The module also sets the `sysctl` parameter 
+`net.ipv4.config.tinc/private.forwarding`
+and
+`net.ipv6.config.tinc/private.forwarding`
+to 
+make sure the `tinc.private` interface forwards the traffic
+to the configured sub-nets.
+
+{{% note %}}
+If that is not set to true, you have to turn it on yourself.
+In the future this will also be managed by the `module`.
+{{% /note %}}

default.nix

@@ -0,0 +1,33 @@
+# Nix-shell script
+# ----------------
+
+with import <nixpkgs> {};
+
+stdenv.mkDerivation rec {
+
+  name = "block-diagram";
+
+  env = buildEnv {
+    name = name;
+    paths = buildInputs;
+  };
+
+  buildInputs = [
+    blockdiag
+    nwdiag
+    seqdiag
+    actdiag
+
+    lessc
+
+    rake
+    feh
+
+    # not needed anymore
+    inotifyTools
+  ];
+
+  shellHook = ''
+  '';
+
+}

static/nixos/tinc/2subnets.nwdiag

@@ -0,0 +1,21 @@
+
+nwdiag {
+
+  internet [shape = cloud];
+
+  internet -- Gibson [address = "my.awesome.dns.com"]
+
+  network private {
+      address = "10.1.1.0/24";
+
+      Gibson    [address = "10.1.1.1"];
+      Hackbardt [address = "10.1.1.2"];
+      HAL       [address = "10.1.1.3"];
+  }
+
+  network "private (subnet)" {
+      Hackbardt [address = "10.2.2.0/24"];
+      HAL       [address = "10.2.3.0/24"];
+  }
+
+}

static/nixos/tinc/3computers.nwdiag

@@ -0,0 +1,16 @@
+
+nwdiag {
+
+  internet [shape = cloud];
+
+  internet -- Gibson [address = "my.awesome.dns.com"]
+
+  network private {
+      address = "10.1.1.0/24";
+
+      Gibson    [address = "10.1.1.1"];
+      Hackbardt [address = "10.1.1.2"];
+      HAL       [address = "10.1.1.3"];
+  }
+
+}

themes/first/Rakefile

@@ -0,0 +1,9 @@
+
+task :all
+task :default => :all
+
+desc "build css"
+task :build_css do
+  sh "lessc src/css/main.less static/css/main.css"
+end
+task :all => :build_css

themes/first/layouts/_default/baseof.html

@@ -1,6 +1,12 @@
 <html>
 <head>
 <title> {{ .Title }} </title>
+
+<link href="https://fonts.googleapis.com/css?family=Dosis|Inconsolata|Libre+Baskerville" rel="stylesheet">
+
+<link rel="stylesheet" href="/css/main.css">
+
+
 </head>
 <body>
 

themes/first/layouts/_default/single.html

@@ -1,4 +1,5 @@
 {{ define "main" }}
   <h1> {{ .Title }} </h1>
+  {{ .TableOfContents }}
   {{ .Content }}
 {{ end }}

themes/first/layouts/shortcodes/note.html

@@ -0,0 +1,4 @@
+
+<div class="note">
+{{ .Inner }}
+</div>

themes/first/layouts/shortcodes/warning.html

@@ -0,0 +1,4 @@
+
+<div class="warning">
+{{ .Inner }}
+</div>

themes/first/src/css/color.less

@@ -0,0 +1,7 @@
+
+@color-code-background: rgba(229, 169, 18, 0.3);
+@color-code-border: black;
+@color-code-inline: rgb(25, 59, 102);
+
+@color-warning-background: rgba(188, 32, 11, 0.55);
+@color-note-background: rgba(94, 188, 11, 0.55);

themes/first/src/css/main.less

@@ -0,0 +1,68 @@
+
+@font-normal: ~"'Libre Baskerville', serif";
+@font-code: ~"'Inconsolata', monospace";
+@font-header: ~"'Dosis', sans-serif";
+
+@import "color.less";
+@import "media-types.less";
+
+
+body {
+  width: 100%;
+  margin: auto;
+
+  font-family: @font-normal;
+}
+
+@media @desktop {
+  body {
+    width:50em;
+    margin: auto;
+  }
+}
+
+h1,h2,h3,h4 {
+  font-family: @font-header;
+};
+
+pre {
+  background: @color-code-background;
+  margin: 0em 0em .4em 0em;
+  padding: .3em .6em .3em 0.4em;
+
+  border-radius: .2em;
+  border-color: @color-code-border;
+  border: 1px;
+  border-style: solid;
+
+  white-space: pre-wrap;
+
+  code {
+    font-weight: normal;
+    font-family: @font-code;
+  }
+}
+
+@media @desktop {
+  pre {
+    margin: 0em 1em .4em 1em;
+  }
+}
+
+
+p > code {
+  border-radius: .2em;
+
+  color: @color-code-inline;
+
+  font-weight: bold;
+  font-family: @font-code;
+}
+
+.note {
+  background: @color-note-background;
+}
+
+.warning {
+  background: @color-warning-background;
+}

themes/first/src/css/media-types.less

@@ -0,0 +1,2 @@
+
+@desktop: ~"(min-width: 52em)";

upload.ion

@@ -0,0 +1,38 @@
+#!/usr/bin/env ion
+
+set -e
+
+let server      = es5.siteground.eu
+let server_path = public_html/tech
+let syncfolder  = sync
+
+echo
+echo "create page"
+echo
+hugo
+
+echo
+echo "mount $syncfolder"
+echo
+sshfs \
+  $server:$server_path \
+  $syncfolder
+
+echo
+echo "copy stuff"
+echo
+rsync \
+  --recursive \
+  --checksum \
+  --verbose \
+  --human-readable \
+  --delete-after \
+  public/ $syncfolder/
+
+
+echo
+echo "unmount $syncfolder"
+echo
+fusermount -u $syncfolder
+
+