authorlassulus <lassulus@lassul.us>2022-08-23 11:28:45 +0200
committerlassulus <lassulus@lassul.us>2022-08-23 11:28:45 +0200
commitd1fa957ed5bf60767c83c96135f9142f6c96ea50 (patch)
treedbe3238f0c1407d5a5af0680e4a67237138ed9e8
parent90cd7e6050b1c73cfb8deb3aaf2686312dc1dda7 (diff)
parentafa416983a9fdf223a548b6c469c02dfae84023b (diff)
Merge remote-tracking branch 'ni/master'
-rw-r--r--krebs/3modules/tv/default.nix13
-rw-r--r--krebs/3modules/zones.nix107
-rw-r--r--krebs/5pkgs/simple/certaids.nix109
-rw-r--r--tv/2configs/gitrepos.nix2
-rw-r--r--tv/2configs/nginx/default.nix15
-rw-r--r--tv/5pkgs/override/jc.nix21
6 files changed, 243 insertions, 24 deletions
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 965505a75..016d5ca9f 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -164,15 +164,26 @@ in {
extraZones = {
"krebsco.de" = ''
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
krebsco.de. 60 IN MX 5 ni
krebsco.de. 60 IN TXT v=spf1 mx -all
+ tv 300 IN NS ni
'';
};
nets = {
internet = {
- ip4.addr = "188.68.36.196";
+ ip4 = rec {
+ addr = "188.68.36.196";
+ prefix = "${addr}/32";
+ };
+ ip6 = rec {
+ addr = "2a03:4000:13:4c::1";
+ prefix = "${addr}/64";
+ };
aliases = [
"ni.i"
"cgit.ni.i"
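Review bot: `tv 300 IN NS ni` delegates tv.krebsco.de to ni, but nothing in this commit defines the tv zone that ni would then have to serve; a one-line comment naming where that zone lives (or the follow-up that adds it) would help. Since ni has in-zone A and AAAA records just above, glue resolves without extra records, so the delegation itself is consistent. The new ip6 `prefix = "${addr}/64"` carries the host address rather than the network address, mirroring the ip4 `/32` form — if any consumer expects a network prefix, `2a03:4000:13:4c::/64` would be the value. The enclosing attribute set continues outside the hunk.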
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index eb1351866..51ced6f95 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -1,22 +1,103 @@
with import <stockholm/lib>;
-{ config, ... }: {
+{ config, pkgs, ... }: {
config = {
- # Implements environment.etc."zones/<zone-name>"
- environment.etc = let
- stripEmptyLines = s: (concatStringsSep "\n"
- (remove "\n" (remove "" (splitString "\n" s)))) + "\n";
- all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
- ([config.krebs.zone-head-config] ++ combined-hosts);
- combined-hosts =
- mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts;
- in
+ environment.etc =
mapAttrs'
- (name: value: {
+ (name: pkg: {
name = "zones/${name}";
- value.text = stripEmptyLines value;
+ value.source = pkg;
})
- all-zones;
+ pkgs.krebs.zones;
+
+ nixpkgs.overlays = [
+ # Explicit zones generated from config.krebs.hosts.*.extraZones
+ (self: super: let
+ stripEmptyLines = s: (concatStringsSep "\n"
+ (remove "\n" (remove "" (splitString "\n" s)))) + "\n";
+ all-zones = foldAttrs (sum: current: sum + "\n" + current) ""
+ ([config.krebs.zone-head-config] ++ combined-hosts);
+ combined-hosts =
+ mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts;
+ in {
+ krebs = super.krebs or {} // {
+ zones = super.krebs.zones or {} //
+ mapAttrs'
+ (name: value: {
+ name = name;
+ value = self.writeText "${name}.zone" (stripEmptyLines value);
+ })
+ all-zones;
+ };
+ })
+
+ # Implicit zones generated from config.krebs.hosts.*.nets.*.ip{4,6}.addr
+ (self: super: let
+ # record : { name : str, type : enum [ "A" "AAAA" ], data : str }
+
+ # toRecord : record.name -> record.type -> record.data -> record
+ toRecord = name: type: data:
+ { inherit name type data; };
+
+ # toRecords : str -> host -> [record]
+ toRecords = netname: host:
+ let
+ net = host.nets.${netname};
+ in
+ optionals
+ (hasAttr netname host.nets)
+ (filter
+ (x: x.data != null)
+ (concatLists [
+ (map
+ (name: toRecord name "A" (net.ip4.addr or null))
+ (concatMap
+ (name: [ "${name}." "4.${name}." ])
+ (net.aliases or [])))
+ (map
+ (name: toRecord name "AAAA" (net.ip6.addr or null))
+ (concatMap
+ (name: [ "${name}." "6.${name}." ])
+ (net.aliases or [])))
+ ]));
+
+ # formatRecord : record -> str
+ formatRecord = { name, type, data }: "${name} IN ${type} ${data}";
+
+ # writeZone : attrs -> package
+ writeZone =
+ { name ? "${domain}.zone"
+ , domain ? substring 0 1 netname
+ , nameservers ? [ "ni" ]
+ , netname
+ , hosts ? config.krebs.hosts
+ }:
+ self.writeText name /* bindzone */ ''
+ $TTL 60
+ @ IN SOA ns admin 1 3600 600 86400 60
+ @ IN NS ns
+ ${concatMapStringsSep "\n"
+ (name: /* bindzone */ "ns IN CNAME ${name}")
+ nameservers
+ }
+ ${concatMapStringsSep
+ "\n"
+ formatRecord
+ (concatMap
+ (toRecords netname)
+ (attrValues hosts))
+ }
+ '';
+ in {
+ krebs = super.krebs or {} // {
+ zones = super.krebs.zones or {} // {
+ i = writeZone { netname = "internet"; };
+ r = writeZone { netname = "retiolum"; };
+ w = writeZone { netname = "wiregrill"; };
+ };
+ };
+ })
+ ];
};
}
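Review bot: writeZone emits `@ IN NS ns` together with `ns IN CNAME ${name}`, so the NS target is a CNAME, which RFC 2181 §10.3 disallows and which some resolvers and zone checkers reject; pointing NS straight at the nameserver, `(name: /* bindzone */ "@ IN NS ${name}")`, and dropping the `ns` CNAME avoids that. The SOA serial is the constant `1` in `@ IN SOA ns admin 1 3600 600 86400 60`, so a secondary that already holds the zone compares serials and never transfers an updated copy; deriving the serial from the rendered content, or a comment stating that no secondaries exist, would settle it. Note too that toRecords publishes A/AAAA records for every host's `aliases` in the `retiolum` and `wiregrill` nets as well as `internet` — if `zones/r` and `zones/w` are ever served by a resolver reachable from outside, internal VPN addresses become enumerable; a comment saying where these zone files are served would make that reviewable.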
diff --git a/krebs/5pkgs/simple/certaids.nix b/krebs/5pkgs/simple/certaids.nix
new file mode 100644
index 000000000..34f4c3e14
--- /dev/null
+++ b/krebs/5pkgs/simple/certaids.nix
@@ -0,0 +1,109 @@
+{ pkgs }:
+
+pkgs.write "certaids" {
+ "/bin/cert2json".link = pkgs.writeDash "cert2json" ''
+ # usage: cert2json < CERT > JSON
+ set -efu
+
+ ${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
+ ${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text |
+ ${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" ''
+ function abort(msg) {
+ print(msg) > "/dev/stderr"
+ exit 1
+ }
+
+ function toJSON(x, type, ret) {
+ type = typeof(x)
+ switch (type) {
+ case "array":
+ if (isArray(x)) return arrayToJSON(x)
+ if (isObject(x)) return objectToJSON(x)
+ abort("cannot render array to JSON", x)
+ case "number":
+ return numberToJSON(x)
+ case "string":
+ return stringToJSON(x)
+ case "strnum":
+ case "unassigned":
+ case "regexp":
+ case "untyped":
+ default:
+ abort("cannot render type: " type)
+ }
+ }
+
+ function isArray(x, i, k) {
+ i = 1
+ for (k in x) {
+ if (k != i++) return 0
+ i++
+ }
+ return 1
+ }
+
+ function isObject(x, k) {
+ for (k in x) {
+ if (typeof(k) != "string") return 0
+ }
+ return 1
+ }
+
+ function arrayToJSON(x, k, ret) {
+ ret = "["
+ for (k in x) {
+ ret=ret toJSON(x[k]) ","
+ }
+ sub(/,$/,"",ret)
+ ret=ret "]"
+ return ret
+ }
+
+ function objectToJSON(x, k,ret) {
+ ret = "{"
+ for (k in x) {
+ ret = ret toJSON(k) ":" toJSON(x[k]) ","
+ }
+ sub(/,$/, "", ret)
+ ret = ret "}"
+ return ret
+ }
+
+ function numberToJSON(x) {
+ return x
+ }
+
+ function stringToJSON(x) {
+ gsub(/\\/, "&&",x)
+ gsub(/\n/, "\\n", x)
+ return "\"" x "\""
+ }
+
+ $1 ~ /^ *(Subject|Issuer):/ {
+ sub(/^ */, "")
+ sub(/: */, ",")
+ key=tolower($1)
+ sub(/[^,]*,/, "")
+
+ # Normalize separators between relative distinguished names.
+ # [1]: RFC2253, 3. Parsing a String back to a Distinguished Name
+ # TODO support any distinguished name
+ gsub(/ *[;,] */, ",")
+
+ for(i = 0; i <= NF; i++) {
+ split($i, a, "=")
+ cache[key][a[1]] = a[2]
+ }
+ }
+
+ /BEGIN CERTIFICATE/,/END CERTIFICATE/{
+ cache["certificate"] = cache["certificate"] $0 "\n"
+ }
+
+ /END CERTIFICATE/{
+ print toJSON(cache)
+ delete cache
+ }
+ ''}
+ '';
+}
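Review bot: stringToJSON escapes backslashes and newlines but not `"`, so a certificate whose Subject or Issuer contains a double quote produces malformed JSON — and those fields come from whatever certificate is piped in, so a JSON consumer cannot rely on the output; add `gsub(/"/, "\\\"", x)` after the backslash substitution (tabs and other control characters need the same treatment for strict JSON). isArray increments `i` twice per iteration (`k != i++` and then a bare `i++`), so any array with two or more elements fails the check and falls through to isObject; drop the second `i++`. The field loop `for(i = 0; i <= NF; i++)` starts at `$0`, splitting the whole line into `cache[key]` before the real fields overwrite it; `i = 1` is the intended start. Separately, `abort("cannot render array to JSON", x)` passes two arguments to a one-parameter function, which gawk rejects as a fatal error instead of printing the message.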
diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix
index 4d22fdff5..50444c1ee 100644
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@@ -109,7 +109,6 @@ let {
};
q = {};
reaktor2 = {};
- regfish = {};
stockholm = {
cgit.desc = "NixOS configuration";
};
@@ -156,6 +155,7 @@ let {
painload = {};
push = {};
Reaktor = {};
+ regfish = {};
with-tmpdir = {};
get = {};
load-env = {};
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index b0acb9435..efea3a844 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,22 +4,19 @@ with import <stockholm/lib>;
{
services.nginx = {
+ enableReload = true;
+
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
- virtualHosts._http = {
+ virtualHosts.${toJSON ""} = {
default = true;
extraConfig = ''
- return 404;
- '';
- };
-
- virtualHosts.default = {
- locations."= /etc/os-release".extraConfig = ''
- default_type text/plain;
- alias /etc/os-release;
+ error_page 400 =444 /;
+ return 444;
'';
+ rejectSSL = true;
};
};
tv.iptables = {
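Review bot: The vhost key `virtualHosts.${toJSON ""}` presumably renders the literal server_name `""`, and `return 444` is nginx's non-standard close-without-response status; neither intent is visible from the lines themselves, so a comment on the vhost such as `# server_name "" catches requests that match no other name (including a missing Host header); 444 closes the connection without a response` would help the next reader. `error_page 400 =444 /;` sends a bad request through an internal redirect to `/` only to reach the same `return 444`; if the goal is to close on malformed requests as well, a comment saying so would explain why 400 gets a dedicated rule. `rejectSSL = true` relies on nginx supporting `ssl_reject_handshake` (1.19.4 and later), which is worth noting if an older nginx could be deployed. The enclosing attribute set continues outside the hunk.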
diff --git a/tv/5pkgs/override/jc.nix b/tv/5pkgs/override/jc.nix
new file mode 100644
index 000000000..346dd3eee
--- /dev/null
+++ b/tv/5pkgs/override/jc.nix
@@ -0,0 +1,21 @@
+self: super:
+
+let
+ version = "1.21.0";
+in
+
+# Prevent downgrades.
+assert self.lib.versionAtLeast version super.jc.version;
+
+self.python3.pkgs.toPythonApplication
+ (self.python3.pkgs.jc.overrideAttrs
+ (oldAttrs: {
+ name = "jc-${version}";
+ version = version;
+ src = self.fetchFromGitHub {
+ owner = "kellyjonbrazil";
+ repo = "jc";
+ rev = "v${version}";
+ sha256 = "sha256-kS42WokR7ZIqIPi8LbX4tmtjn37tckea2ELbuqzTm2o";
+ };
+ }))