diff options
| author | jeschli <jeschli@gmail.com> | 2019-01-29 19:17:43 +0100 |
|---|---|---|
| committer | jeschli <jeschli@gmail.com> | 2019-01-29 19:17:43 +0100 |
| commit | 924c8fb748a92720c75750cee528ac2f4b7c5c8e (patch) | |
| tree | 1a3b956f7f8527e533040cee1138810fe304bbc9 /krebs/3modules | |
| parent | 06b6454af78e8236a67d69cab94f62c32054be47 (diff) | |
| parent | e64bbd8d6864e21f9e7b6b9a11cf95c976bdc109 (diff) | |
Merge branch 'master' of prism.r:stockholm
Diffstat (limited to 'krebs/3modules')
| -rw-r--r-- | krebs/3modules/Reaktor.nix | 5 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 145 | ||||
| -rw-r--r-- | krebs/3modules/dns.nix | 12 | ||||
| -rw-r--r-- | krebs/3modules/external/default.nix | 53 | ||||
| -rw-r--r-- | krebs/3modules/github-known-hosts.nix | 40 | ||||
| -rw-r--r-- | krebs/3modules/hosts.nix | 35 | ||||
| -rw-r--r-- | krebs/3modules/per-user.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/reaktor2.nix | 71 | ||||
| -rw-r--r-- | krebs/3modules/retiolum-hosts.nix | 28 | ||||
| -rw-r--r-- | krebs/3modules/tinc.nix | 1 |
10 files changed, 252 insertions, 140 deletions
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix index 669483f3..308c6d41 100644 --- a/krebs/3modules/Reaktor.nix +++ b/krebs/3modules/Reaktor.nix @@ -113,10 +113,11 @@ let ''; in nameValuePair "Reaktor-${name}" { path = with pkgs; [ - utillinux #flock for tell_on-join git # for nag + jq # for tell python # for caps - ]; + utillinux # flock for tell + ]; description = "Reaktor IRC Bot"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 2e7c61fb..9303a81f 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -18,14 +18,17 @@ let ./charybdis.nix ./ci.nix ./current.nix + ./dns.nix ./exim.nix ./exim-retiolum.nix ./exim-smarthost.nix ./fetchWallpaper.nix ./github-hosts-sync.nix + ./github-known-hosts.nix ./git.nix ./go.nix ./hidden-ssh.nix + ./hosts.nix ./htgen.nix ./iana-etc.nix ./iptables.nix @@ -39,8 +42,10 @@ let ./per-user.nix ./power-action.nix ./Reaktor.nix + ./reaktor2.nix ./realwallpaper.nix ./retiolum-bootstrap.nix + ./retiolum-hosts.nix ./rtorrent.nix ./secret.nix ./setuid.nix @@ -58,28 +63,10 @@ let api = { enable = mkEnableOption "krebs"; - dns = { - providers = mkOption { - type = with types; attrsOf str; - }; - }; - - hosts = mkOption { - type = with types; attrsOf host; - default = {}; - }; - users = mkOption { type = with types; attrsOf user; }; - # XXX is there a better place to define search-domain? - # TODO search-domains :: listOf hostname - search-domain = mkOption { - type = types.hostname; - default = "r"; - }; - sitemap = mkOption { default = {}; type = types.attrsOf types.sitemap.entry; @@ -125,6 +112,8 @@ let w = "hosts"; }; + krebs.dns.search-domain = mkDefault "r"; + krebs.users = { krebs = { home = "/krebs"; @@ -137,93 +126,6 @@ let }; }; - networking.extraHosts = let - domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); - check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; - in concatStringsSep "\n" (flatten ( - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = longs ++ shorts; - longs = filter check net.aliases; - shorts = let s = ".${cfg.search-domain}"; in - map (removeSuffix s) (filter (hasSuffix s) longs); - in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs) - ) (filterAttrs (name: host: host.aliases != []) host.nets) - ) cfg.hosts - )); - - # TODO dedup with networking.extraHosts - nixpkgs.config.packageOverrides = oldpkgs: - let - domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); - check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; - in - { - retiolum-hosts = oldpkgs.writeText "retiolum-hosts" '' - ${concatStringsSep "\n" (flatten ( - map (host: - let - net = host.nets.retiolum; - aliases = longs; - longs = filter check net.aliases; - in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs) - ) (filter (host: hasAttr "retiolum" host.nets) - (attrValues cfg.hosts))))} - ''; - }; - - krebs.exim-smarthost.internet-aliases = let - format = from: to: { - inherit from; - # TODO assert is-retiolum-mail-address to; - to = concatMapStringsSep "," (getAttr "mail") (toList to); - }; - in mapAttrsToList format (with config.krebs.users; let - brain-ml = [ - lass - makefu - tv - ]; - eloop-ml = spam-ml ++ [ ciko ]; - spam-ml = [ - lass - makefu - tv - ]; - ciko.mail = "ciko@slash16.net"; - in { - "anmeldung@eloop.org" = eloop-ml; - "brain@krebsco.de" = brain-ml; - "cfp@eloop.org" = eloop-ml; - "kontakt@eloop.org" = eloop-ml; - "root@eloop.org" = eloop-ml; - "youtube@eloop.org" = eloop-ml; - "eloop2016@krebsco.de" = eloop-ml; - "eloop2017@krebsco.de" = eloop-ml; - "postmaster@krebsco.de" = spam-ml; # RFC 822 - "lass@krebsco.de" = lass; - "makefu@krebsco.de" = makefu; - "spam@krebsco.de" = spam-ml; - "tv@krebsco.de" = tv; - # XXX These are no internet aliases - # XXX exim-retiolum hosts should be able to relay to retiolum addresses - "lass@retiolum" = lass; - "makefu@retiolum" = makefu; - "spam@retiolum" = spam-ml; - "tv@retiolum" = tv; - "lass@r" = lass; - "makefu@r" = makefu; - "spam@r" = spam-ml; - "tv@r" = tv; - }); - services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) (mkForce [privkey]); @@ -238,31 +140,6 @@ let }; }) // - { - github = { - hostNames = [ - "github.com" - # List generated with - # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob - "192.30.252.*" - "192.30.253.*" - "192.30.254.*" - "192.30.255.*" - "185.199.108.*" - "185.199.109.*" - "185.199.110.*" - "185.199.111.*" - "13.229.188.59" - "13.250.177.223" - "18.194.104.89" - "18.195.85.27" - "35.159.8.160" - "52.74.223.119" - ]; - publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; - }; - } - // mapAttrs (name: host: { hostNames = @@ -272,8 +149,8 @@ let let longs = net.aliases; shorts = - map (removeSuffix ".${cfg.search-domain}") - (filter (hasSuffix ".${cfg.search-domain}") + map (removeSuffix ".${cfg.dns.search-domain}") + (filter (hasSuffix ".${cfg.dns.search-domain}") longs); add-port = a: if net.ssh.port != 22 @@ -297,8 +174,8 @@ let (concatMap (host: attrValues host.nets) (mapAttrsToList (_: host: recursiveUpdate host - (optionalAttrs (hasAttr config.krebs.search-domain host.nets) { - nets."" = host.nets.${config.krebs.search-domain} // { + (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) { + nets."" = host.nets.${cfg.dns.search-domain} // { aliases = [host.name]; addrs = []; }; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix new file mode 100644 index 00000000..b7e2a2cb --- /dev/null +++ b/krebs/3modules/dns.nix @@ -0,0 +1,12 @@ +with import <stockholm/lib>; +{ + options = { + krebs.dns.providers = mkOption { + type = types.attrsOf types.str; + }; + + krebs.dns.search-domain = mkOption { + type = types.hostname; + }; + }; +} diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index baa49dbe..089113ac 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -84,8 +84,8 @@ in { nets = rec { internet = { # eve.thalheim.io - ip4.addr = "188.68.39.17"; - ip6.addr = "2a03:4000:13:31e::1"; + ip4.addr = "95.216.112.61"; + ip6.addr = "2a01:4f9:2b:1605::1"; aliases = [ "eve.i" ]; }; retiolum = { @@ -141,6 +141,29 @@ in { }; }; }; + idontcare = { + owner = config.krebs.users.Mic92; + nets = rec { + retiolum = { + addrs = [ + config.krebs.hosts.idontcare.nets.retiolum.ip4.addr + config.krebs.hosts.idontcare.nets.retiolum.ip6.addr + ]; + ip4.addr = "10.243.29.177"; + aliases = [ "idontcare.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAxmmbQLVXcnCU9Vg9TCoJxfq/RyNfzaTj8XJsn4Kpo3CvQOwFzL6O + qZnbG55WjPjPumuFgtUdHA/G8mgtrTVaIRbVE9ck2l2wWFzMWxORzuvDbMh5xP8A + OW2Z2qjlH6O9GTBCzpYyHuyBWCjtiN4x9zEqxkIsBARKOylAoy3zQIiiQF0d72An + lqKFi9vYUU90zo9rP8BTzx2ZsEWb28xhHUlwf1+vgaOHI1jI99gnr12dVYl/i/Hb + O28gDUogfpP/5pWFAHJ+53ZscHo8/Y7imjiKgGXmOHywoXOsKQ67M6ROEU/0xPnw + jKmq2p7zTJk2mDhphjePi5idd5yKNX5Q3wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; justraute = { owner = config.krebs.users.raute; # laptop nets = { @@ -344,6 +367,30 @@ in { }; }; }; + matchbox = { + owner = config.krebs.users.Mic92; + nets = { + retiolum = { + ip4.addr = "10.243.29.176"; + aliases = [ "matchbox.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m + VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w + nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u + TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE + TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1 + yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO + 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4 + Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/ + bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4 + nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR + /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; miaoski = { owner = config.krebs.users.miaoski; nets = { @@ -369,7 +416,7 @@ in { pubkey = ssh-for "kmein"; }; Mic92 = { - mail = "joerg@higgsboson.tk"; + mail = "joerg@thalheim.io"; pubkey = ssh-for "Mic92"; }; palo = { diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix new file mode 100644 index 00000000..def06f17 --- /dev/null +++ b/krebs/3modules/github-known-hosts.nix @@ -0,0 +1,40 @@ +{ + services.openssh.knownHosts.github = { + hostNames = [ + "github.com" + # List generated with + # curl -sS https://api.github.com/meta | jq -r .git[] | nix-shell -p cidr2glob --run cidr2glob | jq -R . + "192.30.252.*" + "192.30.253.*" + "192.30.254.*" + "192.30.255.*" + "185.199.108.*" + "185.199.109.*" + "185.199.110.*" + "185.199.111.*" + "140.82.112.*" + "140.82.113.*" + "140.82.114.*" + "140.82.115.*" + "140.82.116.*" + "140.82.117.*" + "140.82.118.*" + "140.82.119.*" + "140.82.120.*" + "140.82.121.*" + "140.82.122.*" + "140.82.123.*" + "140.82.124.*" + "140.82.125.*" + "140.82.126.*" + "140.82.127.*" + "13.229.188.59" + "13.250.177.223" + "18.194.104.89" + "18.195.85.27" + "35.159.8.160" + "52.74.223.119" + ]; + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; +} diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix new file mode 100644 index 00000000..0985bb53 --- /dev/null +++ b/krebs/3modules/hosts.nix @@ -0,0 +1,35 @@ +with import <stockholm/lib>; +{ config, ... }: let + # TODO dedup functions with ./retiolum-hosts.nix + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); +in { + + options = { + krebs.hosts = mkOption { + default = {}; + type = types.attrsOf types.host; + }; + }; + + config = { + networking.hosts = + filterAttrs + (_name: value: value != []) + (zipAttrsWith + (_: concatLists) + (concatMap + (host: + concatMap + (net: let + aliases = longs ++ shorts; + longs = filter check net.aliases; + shorts = let s = ".${config.krebs.dns.search-domain}"; in + map (removeSuffix s) (filter (hasSuffix s) longs); + in + map (addr: { ${addr} = aliases; }) net.addrs) + (attrValues host.nets)) + (attrValues config.krebs.hosts))); + }; + +} diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index a7a07a8e..5beb859a 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -13,7 +13,7 @@ in { }); default = {}; }; - config = { + config = mkIf (cfg != {}) { environment = { etc = mapAttrs' diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix new file mode 100644 index 00000000..e3e6ddf4 --- /dev/null +++ b/krebs/3modules/reaktor2.nix @@ -0,0 +1,71 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: { + + options.krebs.reaktor2 = mkOption { + default = {}; + type = types.attrsOf (types.submodule (self: let + name = self.config._module.args.name; + in { + options = { + nick = mkOption { + default = name; + # TODO types.irc.nickname + type = types.str; + }; + hostname = mkOption { + default = "irc.r"; + type = types.hostname; + }; + port = mkOption { + default = "6667"; + # TODO type = types.service-name + }; + plugins = mkOption { + default = []; + type = types.listOf types.attrs; + }; + stateDir = mkOption { + default = "/var/lib/${self.config.username}"; + readOnly = true; + type = types.absolute-pathname; + }; + systemd-service-name = mkOption { + default = "reaktor2${optionalString (name != "default") "-${name}"}"; + type = types.filename; + }; + username = mkOption { + default = self.config.systemd-service-name; + type = types.username; + }; + useTLS = mkOption { + default = self.config.port == "6697"; + type = types.bool; + }; + }; + })); + }; + + config = { + systemd.services = flip mapAttrs' config.krebs.reaktor2 (_: cfg: + nameValuePair cfg.systemd-service-name { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.username; + Group = "reaktor2"; + DynamicUser = true; + StateDirectory = cfg.username; + ExecStart = let + configFile = pkgs.writeJSON configFileName configValue; + configFileName = "${cfg.systemd-service-name}.config.json"; + configValue = recursiveUpdate { + logTime = false; + } (removeAttrs cfg ["_module"]); + in "${pkgs.reaktor2}/bin/reaktor ${configFile}"; + Restart = "always"; + RestartSec = "30"; + }; + } + ); + }; +} diff --git a/krebs/3modules/retiolum-hosts.nix b/krebs/3modules/retiolum-hosts.nix new file mode 100644 index 00000000..ddf85ead --- /dev/null +++ b/krebs/3modules/retiolum-hosts.nix @@ -0,0 +1,28 @@ +with import <stockholm/lib>; +{ config, ... }: let + # TODO dedup functions with ./hosts.nix + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); +in { + nixpkgs.config.packageOverrides = super: { + retiolum-hosts = + super.writeText "retiolum-hosts" '' + ${ + concatStringsSep + "\n" + (flatten + (map + (host: let + net = host.nets.retiolum; + aliases = longs; + longs = filter check net.aliases; + in + optionals + (aliases != []) + (map (addr: "${addr} ${toString aliases}") net.addrs)) + (filter (host: hasAttr "retiolum" host.nets) + (attrValues config.krebs.hosts)))) + } + ''; + }; +} diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index ecd449b0..24eac715 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -27,6 +27,7 @@ let "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" '' Name = ${tinc.config.host.name} Interface = ${netname} + Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} PrivateKeyFile = ${tinc.config.privkey.path} Port = ${toString tinc.config.host.nets.${netname}.tinc.port} |