diff options
| author | tv <tv@krebsco.de> | 2016-12-01 21:59:25 +0100 |
|---|---|---|
| committer | tv <tv@krebsco.de> | 2016-12-01 21:59:25 +0100 |
| commit | 1e599969524d9772ad9c891a383048d9fef843e5 (patch) | |
| tree | 6ae4edef0df43dcd82a7dedfa1aa5e45741cd233 /krebs | |
| parent | 32c59103f5315fb6160b1dd38df2c27647aaffdd (diff) | |
| parent | f4ce5ea248c6dcb965f9367a4569a39f4be747af (diff) | |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/default.nix | 3 | ||||
| -rw-r--r-- | krebs/3modules/iptables.nix | 30 |
2 files changed, 6 insertions, 27 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 7f5d2c7b..bf09b742 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -155,14 +155,13 @@ let to = concatMapStringsSep "," (getAttr "mail") (toList to); }; in mapAttrsToList format (with config.krebs.users; let - eloop-ml = spam-ml ++ [ ciko Mic92 ]; + eloop-ml = spam-ml ++ [ ciko ]; spam-ml = [ lass makefu tv ]; ciko.mail = "wieczorek.stefan@gmail.com"; - Mic92.mail = "joerg@higgsboson.tk"; in { "anmeldung@eloop.org" = eloop-ml; "cfp@eloop.org" = eloop-ml; diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index a4a4de6f..09b493c2 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -29,9 +29,10 @@ let tables = mkOption { type = with types; attrsOf (attrsOf (submodule ({ options = { + #TODO: find out good defaults. policy = mkOption { type = str; - default = "-"; + default = "ACCEPT"; }; rules = mkOption { type = nullOr (listOf (submodule ({ @@ -133,30 +134,9 @@ let #===== rules = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - pkgs.writeText "krebs-iptables-rules${iptables-version}" '' - ${buildTables iptables-version tables} - ''; + pkgs.writeText "krebs-iptables-rules${iptables-version}" '' + ${buildTables iptables-version cfg.tables} + ''; startScript = pkgs.writeDash "krebs-iptables_start" '' set -euf |