diff options
| author | lassulus <lass@aidsballs.de> | 2015-08-13 22:36:07 +0200 |
|---|---|---|
| committer | lassulus <lass@aidsballs.de> | 2015-08-13 22:36:07 +0200 |
| commit | cc1baf4d385e45b8c9f0509c04e8883f48ade6ae (patch) | |
| tree | 9eb6a04cdb91414d662409e7f8b3b2e396f92895 /krebs | |
| parent | dbd69c4e956bc1c88b379c273a5ea5b4ceea8813 (diff) | |
| parent | db4b55527d527158bd4e7f93128668e646f2cf1f (diff) | |
Merge branch 'tv' into newmaster
Diffstat (limited to 'krebs')
| -rw-r--r-- | krebs/3modules/default.nix | 147 | ||||
| -rw-r--r-- | krebs/3modules/exim-retiolum.nix | 143 | ||||
| -rw-r--r-- | krebs/4lib/types.nix | 7 | ||||
| -rw-r--r-- | krebs/5pkgs/cac.nix | 38 | ||||
| -rw-r--r-- | krebs/5pkgs/default.nix | 1 |
5 files changed, 332 insertions, 4 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 668d66cc..9ad9c9f9 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,6 +6,7 @@ let out = { imports = [ + ./exim-retiolum.nix ./github-hosts-sync.nix ./git.nix ./nginx.nix @@ -55,7 +56,7 @@ let --exclude .git \ --exclude .graveyard \ --exclude old \ - --rsync-path="mkdir -p \"$dst\" && rsync" \ + --rsync-path="mkdir -p \"$2\" && rsync" \ --usermap=\*:0 \ --groupmap=\*:0 \ --delete-excluded \ @@ -164,7 +165,7 @@ let { krebs = tv-imp; } { krebs.dns.providers = { - de.krebsco = "ovh"; + de.krebsco = "zones"; internet = "hosts"; retiolum = "hosts"; }; @@ -183,7 +184,42 @@ let ) host.nets ) cfg.hosts )); - } + + # krebs.hosts.bob = rec { + # addrs4 = "10.0.0.1"; + # extraZones = { + # # extraZones + # "krebsco.de" = '' + # krebsco.de. IN MX 10 mx1 + # mx1 IN A ${addrs4} + # ''; + # "dickbutt.de" = '' + # dickbutt.de. IN NS ns + # ns IN A ${addrs4} + # '' + # } + # } + # krebs.hosts.khan = rec { + # addrs4 = "10.0.0.2"; + # extraZones = { + # "krebsco.de" = '' + # khan.krebsco.de IN A ${addrs4} + # }; + # } + # + # => + # "zone/krebsco.de".text = '' + # krebsco.de. IN MX 10 mx1 + # mx1 IN A 10.0.0.1 + # khan.krebsco.de IN A 10.0.0.2 + # ''; + + + environment.etc = mapAttrs' + (name: value: + nameValuePair (("zones/" + name)) ({ text=value;})) + cfg.hosts.pigstarter.extraZones; + } ]; lass-imp = { @@ -306,10 +342,106 @@ let }; }; }; + tsp = { + cores = 2; + dc = "makefu"; #x200 + nets = { + retiolum = { + addrs4 = ["10.243.0.212"]; + addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"]; + aliases = [ + "tsp.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi + HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3 + mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+ + n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG + R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr + Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi + aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo + ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE + KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v + XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ + teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + pornocauster = { + cores = 2; + dc = "makefu"; #x220 + nets = { + retiolum = { + addrs4 = ["10.243.0.91"]; + addrs6 = ["42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"]; + aliases = [ + "pornocauster.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi + HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3 + mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+ + n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG + R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr + Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi + aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo + ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE + KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v + XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ + teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + pigstarter = rec { + cores = 1; + dc = "frontrange"; #vps + + extraZones = { + "de.krebsco" = '' + pigstarter.krebsco.de IN A ${elemAt nets.internet.addrs4 0} + krebsco.de. IN NS io + io IN A ${elemAt nets.internet.addrs4 0} + krebsco.de. IN MX 10 mx42 + mx42 IN A ${elemAt nets.internet.addrs4 0} + ''; + }; + nets = { + internet = { + addrs4 = ["192.40.56.122"]; + addrs6 = ["2604:2880::841f:72c"]; + aliases = [ + "pigstarter.internet" + ]; + }; + retiolum = { + addrs4 = ["10.243.0.153"]; + addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"]; + aliases = [ + "pigstarter.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA/efJuJRLUIZROe3QE8WYTD/zyNGRh9I2/yw+5It9HSNVDMIOV1FZ + 9PaspsC+YQSBUQRN8SJ95G4RM6TIn/+ei7LiUYsf1Ik+uEOpP5EPthXqvdJEeswv + 3QFwbpBeOMNdvmGvQLeR1uJKVyf39iep1wWGOSO1sLtUA+skUuN38QKc1BPASzFG + 4ATM6rd2Tkt8+9hCeoePJdLr3pXat9BBuQIxImgx7m5EP02SH1ndb2wttQeAi9cE + DdJadpzOcEgFatzXP3SoKVV9loRHz5HhV4WtAqBIkDvgjj2j+NnXolAUY25Ix+kv + sfqfIw5aNLoIX4kDhuDEVBIyoc7/ofSbkQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; users = addNames { makefu = { - mail = "root@euer.krebsco.de"; + mail = "root@tsp.retiolum"; pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; }; }; @@ -323,6 +455,13 @@ let cd = { cores = 2; dc = "tv"; #dc = "cac"; + extraZones = { + "de.krebsco" = '' + mx23 IN A ${elemAt nets.internet.addrs4 0} + cd IN A ${elemAt nets.internet.addrs4 0} + krebsco.de. IN MX 5 mx23 + ''; + }; nets = rec { internet = { addrs4 = ["162.219.7.216"]; diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix new file mode 100644 index 00000000..e1315d8c --- /dev/null +++ b/krebs/3modules/exim-retiolum.nix @@ -0,0 +1,143 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.exim-retiolum; + + out = { + options.krebs.exim-retiolum = api; + config = + mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.exim-retiolum"; + }; + + imp = { + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! +local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; + }; + + # TODO get the hostname from somewhere else. + retiolumHostname = "${config.networking.hostName}.retiolum"; +in +out diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 92410dd5..f767d20f 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,13 @@ types // rec { type = attrsOf net; apply = x: assert hasAttr "retiolum" x; x; }; + + extraZones = mkOption { + default = {}; + # TODO: string is either MX, NS, A or AAAA + type = with types; attrsOf string; + }; + secure = mkOption { type = bool; default = false; diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac.nix new file mode 100644 index 00000000..eff52304 --- /dev/null +++ b/krebs/5pkgs/cac.nix @@ -0,0 +1,38 @@ +{ stdenv, fetchgit, coreutils, curl, gnused, jq, ncurses, sshpass, ... }: + +stdenv.mkDerivation { + name = "cac"; + + src = fetchgit { + url = http://cgit.cd.retiolum/cac; + rev = "f4589158572ab35969b9bccf801ea07e115705e1"; + sha256 = "9d761cd1d7ff68507392cbfd6c3f6000ddff9cc540293da2b3c4ee902321fb27"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + path = stdenv.lib.makeSearchPath "bin" [ + coreutils + curl + gnused + jq + ncurses + sshpass + ]; + in + '' + mkdir -p $out/bin + + sed \ + 's,^\( true) \)\(cac "$@";;\)$,\1 PATH=${path}${PATH+:$PATH} \2,' \ + < ./cac \ + > $out/bin/cac + + chmod +x $out/bin/cac + ''; +} diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 231fda79..5de84f66 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -6,6 +6,7 @@ in pkgs // { + cac = callPackage ./cac.nix {}; dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; github-hosts-sync = callPackage ./github-hosts-sync.nix {}; |