authorlassulus <lass@aidsballs.de>2015-08-13 22:36:07 +0200
committerlassulus <lass@aidsballs.de>2015-08-13 22:36:07 +0200
commitcc1baf4d385e45b8c9f0509c04e8883f48ade6ae (patch)
tree9eb6a04cdb91414d662409e7f8b3b2e396f92895 /krebs
parentdbd69c4e956bc1c88b379c273a5ea5b4ceea8813 (diff)
parentdb4b55527d527158bd4e7f93128668e646f2cf1f (diff)
Merge branch 'tv' into newmaster
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/default.nix147
-rw-r--r--krebs/3modules/exim-retiolum.nix143
-rw-r--r--krebs/4lib/types.nix7
-rw-r--r--krebs/5pkgs/cac.nix38
-rw-r--r--krebs/5pkgs/default.nix1
5 files changed, 332 insertions, 4 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 668d66cc..9ad9c9f9 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let
out = {
imports = [
+ ./exim-retiolum.nix
./github-hosts-sync.nix
./git.nix
./nginx.nix
@@ -55,7 +56,7 @@ let
--exclude .git \
--exclude .graveyard \
--exclude old \
- --rsync-path="mkdir -p \"$dst\" && rsync" \
+ --rsync-path="mkdir -p \"$2\" && rsync" \
--usermap=\*:0 \
--groupmap=\*:0 \
--delete-excluded \
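Review bot: The `--rsync-path` line now reads the positional parameter `$2` directly, and since the enclosing shell function starts outside this hunk nothing nearby says what `$2` holds; the previous `$dst` was at least self-describing. Binding it once at the top of the function, `dst=$2`, and keeping `--rsync-path="mkdir -p \"$dst\" && rsync" \` here keeps the readability without changing behaviour. Because the value is spliced into a command string that the remote shell executes, it has to be a trusted, shell-safe path — presumably it is, but that assumption deserves a comment at the binding.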
@@ -164,7 +165,7 @@ let
{ krebs = tv-imp; }
{
krebs.dns.providers = {
- de.krebsco = "ovh";
+ de.krebsco = "zones";
internet = "hosts";
retiolum = "hosts";
};
@@ -183,7 +184,42 @@ let
) host.nets
) cfg.hosts
));
- }
+
+ # krebs.hosts.bob = rec {
+ # addrs4 = "10.0.0.1";
+ # extraZones = {
+ # # extraZones
+ # "krebsco.de" = ''
+ # krebsco.de. IN MX 10 mx1
+ # mx1 IN A ${addrs4}
+ # '';
+ # "dickbutt.de" = ''
+ # dickbutt.de. IN NS ns
+ # ns IN A ${addrs4}
+ # ''
+ # }
+ # }
+ # krebs.hosts.khan = rec {
+ # addrs4 = "10.0.0.2";
+ # extraZones = {
+ # "krebsco.de" = ''
+ # khan.krebsco.de IN A ${addrs4}
+ # };
+ # }
+ #
+ # =>
+ # "zone/krebsco.de".text = ''
+ # krebsco.de. IN MX 10 mx1
+ # mx1 IN A 10.0.0.1
+ # khan.krebsco.de IN A 10.0.0.2
+ # '';
+
+
+ environment.etc = mapAttrs'
+ (name: value:
+ nameValuePair (("zones/" + name)) ({ text=value;}))
+ cfg.hosts.pigstarter.extraZones;
+ }
];
lass-imp = {
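Review bot: `environment.etc` is built from `cfg.hosts.pigstarter.extraZones` alone, whereas the comment block above it describes merging the `extraZones` of every host into one file per zone; with the host hard-coded, fragments declared on any other host (cd receives one further down in this same commit) are silently dropped. The comment also keys its example on `"krebsco.de"`, but the real option values and the `krebs.dns.providers` entry use `de.krebsco`, so the example should use the same key or the next reader will write the wrong one. Folding over all hosts and concatenating per zone name matches the documented intent; this assumes `zipAttrsWith`/`concatStrings` are in scope via the same `with lib` that provides `mapAttrs'`, and that every host carries `extraZones` (the types.nix change in this commit gives it a default). The enclosing attrset begins outside the hunk.
```nix
# one /etc/zones/<name> per zone, concatenating every host's fragment
environment.etc = mapAttrs'
  (name: value: nameValuePair ("zones/" + name) { text = value; })
  (zipAttrsWith (_: fragments: concatStrings fragments)
    (map (host: host.extraZones) (attrValues cfg.hosts)));
```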
@@ -306,10 +342,106 @@ let
};
};
};
+ tsp = {
+ cores = 2;
+ dc = "makefu"; #x200
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.0.212"];
+ addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"];
+ aliases = [
+ "tsp.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi
+ HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3
+ mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+
+ n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG
+ R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr
+ Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi
+ aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo
+ ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE
+ KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v
+ XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ
+ teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ pornocauster = {
+ cores = 2;
+ dc = "makefu"; #x220
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.0.91"];
+ addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"];
+ aliases = [
+ "pornocauster.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi
+ HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3
+ mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+
+ n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG
+ R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr
+ Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi
+ aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo
+ ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE
+ KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v
+ XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ
+ teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ pigstarter = rec {
+ cores = 1;
+ dc = "frontrange"; #vps
+
+ extraZones = {
+ "de.krebsco" = ''
+ pigstarter.krebsco.de IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN NS io
+ io IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN MX 10 mx42
+ mx42 IN A ${elemAt nets.internet.addrs4 0}
+ '';
+ };
+ nets = {
+ internet = {
+ addrs4 = ["192.40.56.122"];
+ addrs6 = ["2604:2880::841f:72c"];
+ aliases = [
+ "pigstarter.internet"
+ ];
+ };
+ retiolum = {
+ addrs4 = ["10.243.0.153"];
+ addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"];
+ aliases = [
+ "pigstarter.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA/efJuJRLUIZROe3QE8WYTD/zyNGRh9I2/yw+5It9HSNVDMIOV1FZ
+ 9PaspsC+YQSBUQRN8SJ95G4RM6TIn/+ei7LiUYsf1Ik+uEOpP5EPthXqvdJEeswv
+ 3QFwbpBeOMNdvmGvQLeR1uJKVyf39iep1wWGOSO1sLtUA+skUuN38QKc1BPASzFG
+ 4ATM6rd2Tkt8+9hCeoePJdLr3pXat9BBuQIxImgx7m5EP02SH1ndb2wttQeAi9cE
+ DdJadpzOcEgFatzXP3SoKVV9loRHz5HhV4WtAqBIkDvgjj2j+NnXolAUY25Ix+kv
+ sfqfIw5aNLoIX4kDhuDEVBIyoc7/ofSbkQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
};
users = addNames {
makefu = {
- mail = "root@euer.krebsco.de";
+ mail = "root@tsp.retiolum";
pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
};
};
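Review bot: `tsp` and `pornocauster` are given byte-identical `tinc.pubkey` values (compare the two `-----BEGIN RSA PUBLIC KEY-----` blocks line by line), so tinc cannot distinguish the two nodes cryptographically: whoever holds that one private key can present itself as either host and claim either node's addrs4/addrs6 and aliases. If this is a copy-paste placeholder it should be replaced with pornocauster's own key before the hosts file is distributed; if it is intentional, a comment such as `# NOTE: shares tsp's tinc key on purpose` would stop the next reviewer from raising it again.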
@@ -323,6 +455,13 @@ let
cd = {
cores = 2;
dc = "tv"; #dc = "cac";
+ extraZones = {
+ "de.krebsco" = ''
+ mx23 IN A ${elemAt nets.internet.addrs4 0}
+ cd IN A ${elemAt nets.internet.addrs4 0}
+ krebsco.de. IN MX 5 mx23
+ '';
+ };
nets = rec {
internet = {
addrs4 = ["162.219.7.216"];
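Review bot: The added `extraZones` interpolates `nets.internet.addrs4`, but `cd` is a plain attrset (`cd = {` on the context line above), so the sibling attribute `nets` is not in scope inside that string unless an enclosing `let` or `rec` not visible here binds it; `pigstarter` in this same commit uses `rec {` for exactly this reason. The one-line fix would be `cd = rec {`. The `cd` attrset continues past the end of this hunk, so I cannot see whether something later shadows the name.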
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
new file mode 100644
index 00000000..e1315d8c
--- /dev/null
+++ b/krebs/3modules/exim-retiolum.nix
@@ -0,0 +1,143 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+ cfg = config.krebs.exim-retiolum;
+
+ out = {
+ options.krebs.exim-retiolum = api;
+ config =
+ mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "krebs.exim-retiolum";
+ };
+
+ imp = {
+ services.exim =
+ # This configuration makes only sense for retiolum-enabled hosts.
+ # TODO modular configuration
+ assert config.krebs.retiolum.enable;
+ {
+ enable = true;
+ config = ''
+ primary_hostname = ${retiolumHostname}
+ domainlist local_domains = @ : localhost
+ domainlist relay_to_domains = *.retiolum
+ hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
+
+ acl_smtp_rcpt = acl_check_rcpt
+ acl_smtp_data = acl_check_data
+
+ host_lookup = *
+ rfc1413_hosts = *
+ rfc1413_query_timeout = 5s
+
+ log_file_path = syslog
+ syslog_timestamp = false
+ syslog_duplication = false
+
+ begin acl
+
+ acl_check_rcpt:
+ accept hosts = :
+ control = dkim_disable_verify
+
+ deny message = Restricted characters in address
+ domains = +local_domains
+ local_parts = ^[.] : ^.*[@%!/|]
+
+ deny message = Restricted characters in address
+ domains = !+local_domains
+ local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+ accept local_parts = postmaster
+ domains = +local_domains
+
+ #accept
+ # hosts = *.retiolum
+ # domains = *.retiolum
+ # control = dkim_disable_verify
+
+ #require verify = sender
+
+ accept hosts = +relay_from_hosts
+ control = submission
+ control = dkim_disable_verify
+
+ accept authenticated = *
+ control = submission
+ control = dkim_disable_verify
+
+ require message = relay not permitted
+ domains = +local_domains : +relay_to_domains
+
+ require verify = recipient
+
+ accept
+
+
+ acl_check_data:
+ accept
+
+
+ begin routers
+
+ retiolum:
+ driver = manualroute
+ domains = ! ${retiolumHostname} : *.retiolum
+ transport = remote_smtp
+ route_list = ^.* $0 byname
+ no_more
+
+ nonlocal:
+ debug_print = "R: nonlocal for $local_part@$domain"
+ driver = redirect
+ domains = ! +local_domains
+ allow_fail
+ data = :fail: Mailing to remote domains not supported
+ no_more
+
+ local_user:
+ # debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ check_local_user
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+ transport = home_maildir
+ cannot_route_message = Unknown user
+
+
+ begin transports
+
+ remote_smtp:
+ driver = smtp
+
+ home_maildir:
+ driver = appendfile
+ maildir_format
+ directory = $home/Maildir
+ directory_mode = 0700
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+ # group = mail
+ # mode = 0660
+
+ begin retry
+ *.retiolum * F,42d,1m
+ * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+ begin rewrite
+
+ begin authenticators
+ '';
+ };
+ };
+
+ # TODO get the hostname from somewhere else.
+ retiolumHostname = "${config.networking.hostName}.retiolum";
+in
+out
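Review bot: `acl_check_rcpt` ends with `require ... domains = +local_domains : +relay_to_domains`, `require verify = recipient` and a bare `accept`, and `relay_to_domains = *.retiolum`, so any connecting host — not only `relay_from_hosts` — may submit mail addressed to any `*.retiolum` domain; nothing sets `local_interfaces`, so on a host that also has a public address (cd and pigstarter do in this commit) that listener is reachable from outside as well, subject to whatever firewall applies. The commented-out `#accept hosts = *.retiolum` block suggests the intent was to limit relaying to retiolum peers; either that host restriction should be re-enabled ahead of the final `accept`, or `local_interfaces = <; 127.0.0.1 ; ::1 ; <retiolum addresses>` should bind the daemon to loopback and the overlay only. `acl_check_data` is a bare `accept` with no size or header checks, which is fine for an overlay-only MTA but should be stated in the header comment next to `# This configuration makes only sense for retiolum-enabled hosts.` so the two assumptions are kept together.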
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 92410dd5..f767d20f 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -20,6 +20,13 @@ types // rec {
type = attrsOf net;
apply = x: assert hasAttr "retiolum" x; x;
};
+
+ extraZones = mkOption {
+ default = {};
+ # TODO: string is either MX, NS, A or AAAA
+ type = with types; attrsOf string;
+ };
+
secure = mkOption {
type = bool;
default = false;
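Review bot: The new `extraZones` option carries no `description`, and the TODO `# TODO: string is either MX, NS, A or AAAA` describes each value as a single record, whereas the values callers assign in this commit are multi-line zone fragments holding several records. Suggest `description = "Zone-file fragments keyed by zone name; each value is appended to the zone of that name.";` and rewording or dropping the TODO. Note also that `types.string`, unlike `types.str`, merges multiple definitions by plain concatenation without a separator — as far as I recall it is marked deprecated for that reason; if merging across definitions is wanted, `types.lines` does the same with newline separators, which zone text needs, and if it is not, `types.str` rejects conflicting definitions.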
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix
new file mode 100644
index 00000000..eff52304
--- /dev/null
+++ b/krebs/5pkgs/cac.nix
@@ -0,0 +1,38 @@
+{ stdenv, fetchgit, coreutils, curl, gnused, jq, ncurses, sshpass, ... }:
+
+stdenv.mkDerivation {
+ name = "cac";
+
+ src = fetchgit {
+ url = http://cgit.cd.retiolum/cac;
+ rev = "f4589158572ab35969b9bccf801ea07e115705e1";
+ sha256 = "9d761cd1d7ff68507392cbfd6c3f6000ddff9cc540293da2b3c4ee902321fb27";
+ };
+
+ phases = [
+ "unpackPhase"
+ "installPhase"
+ ];
+
+ installPhase =
+ let
+ path = stdenv.lib.makeSearchPath "bin" [
+ coreutils
+ curl
+ gnused
+ jq
+ ncurses
+ sshpass
+ ];
+ in
+ ''
+ mkdir -p $out/bin
+
+ sed \
+ 's,^\( true) \)\(cac "$@";;\)$,\1 PATH=${path}${PATH+:$PATH} \2,' \
+ < ./cac \
+ > $out/bin/cac
+
+ chmod +x $out/bin/cac
+ '';
+}
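Review bot: Inside the `''` string of `installPhase`, `${PATH+:$PATH}` on the sed line is a Nix antiquotation rather than a shell expansion, and `PATH+:$PATH` is not a valid Nix expression, so the file as shown here would fail to parse; if the shell form is intended it needs the indented-string escape, `''${PATH+:$PATH}` — unless the escape was lost in rendering, which I cannot tell from this page. Separately, the substitution is anchored on one exact line of the fetched script (`true) cac "$@";;`); if upstream changes that line the build still succeeds but installs a wrapper without the PATH, so a check such as `grep -q 'PATH=${path}' $out/bin/cac` after the sed would turn that silent drift into a build failure. Pinning the source by `rev` and `sha256` is the right call for a script fetched over plain http.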
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 231fda79..5de84f66 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -6,6 +6,7 @@ in
pkgs //
{
+ cac = callPackage ./cac.nix {};
dic = callPackage ./dic.nix {};
genid = callPackage ./genid.nix {};
github-hosts-sync = callPackage ./github-hosts-sync.nix {};