Diffstat (limited to '3modules')
-rw-r--r--3modules/krebs/default.nix91
-rw-r--r--3modules/lass/iptables.nix187
-rw-r--r--3modules/lass/sshkeys.nix26
-rw-r--r--3modules/lass/urxvtd.nix55
-rw-r--r--3modules/lass/xresources.nix57
5 files changed, 91 insertions, 325 deletions
diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix
index 32c93689..234c5e11 100644
--- a/3modules/krebs/default.nix
+++ b/3modules/krebs/default.nix
@@ -167,6 +167,11 @@ let
de.krebsco = "ovh";
internet = "hosts";
retiolum = "hosts";
+ de.habsys = "hosts";
+ de.pixelpocket = "hosts";
+ de.karlaskop = "hosts";
+ de.ubikmedia = "hosts";
+ de.apanowicz = "hosts";
};
# XXX This overlaps with krebs.retiolum
@@ -188,6 +193,92 @@ let
lass-imp = {
hosts = addNames {
+ cloudkrebs = {
+ cores = 1;
+ dc = "lass"; #dc = "cac";
+ nets = rec {
+ internet = {
+ addrs4 = ["104.167.113.104"];
+ aliases = [
+ "cloudkrebs.internet"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ addrs4 = ["10.243.206.102"];
+ addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"];
+ aliases = [
+ "cloudkrebs.retiolum"
+ "cgit.cloudkrebs.retiolum"
+ "habsys.de"
+ "pixelpocket.de"
+ "karlaskop.de"
+ "ubikmedia.de"
+ "apanowicz.de"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA
+ OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF
+ QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v
+ 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC
+ sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO
+ TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ uriel = {
+ cores = 1;
+ dc = "lass";
+ nets = rec {
+ retiolum = {
+ addrs4 = ["10.243.81.176"];
+ addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"];
+ aliases = [
+ "uriel.retiolum"
+ "cgit.uriel.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
+ duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb
+ MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME
+ m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx
+ uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo
+ u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ mors = {
+ cores = 2;
+ dc = "lass";
+ nets = rec {
+ retiolum = {
+ addrs4 = ["10.243.0.2"];
+ addrs6 = ["42:0:0:0:0:0:0:dea7"];
+ aliases = [
+ "mors.retiolum"
+ "cgit.mors.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
+ H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R
+ +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+
+ 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa
+ 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU
+ O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ secure = true;
+ };
+
};
users = addNames {
lass = {
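Review bot: The `cloudkrebs` entry carries a stale commented-out value in `dc = "lass"; #dc = "cac";` with no explanation, so a reader cannot tell whether it is history or a pending toggle; either drop the trailing comment or make it a why-comment such as `dc = "lass"; # moved here from "cac"`. Only `mors` sets `secure = true;` while `cloudkrebs` and `uriel` leave it unset, and nothing in the hunk shows what `secure` controls; if the asymmetry is deliberate (cloudkrebs is the one new host with a public `internet` address, per `addrs4 = ["104.167.113.104"]`), a one-line comment at `secure = true;` stating the criterion would prevent it being copied blindly to future hosts. The empty `+` line just before the closing `};` of `addNames` is stray whitespace. The enclosing `lass-imp` set continues past the hunk into `users = addNames {`.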
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
deleted file mode 100644
index c97b9f73..00000000
--- a/3modules/lass/iptables.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-arg@{ config, lib, pkgs, ... }:
-
-let
- inherit (pkgs) writeScript writeText;
-
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- mkEnableOption
- mkOption
- mkIf
- types
- sort;
-
- elemIsIn = a: as:
- any (x: x == a) as;
-
- cfg = config.lass.iptables;
-
- out = {
- options.lass.iptables = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "iptables";
-
- #tables.filter.INPUT = {
- # policy = "DROP";
- # rules = [
- # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
- # ];
- #};
- #new api
- tables = mkOption {
- type = with types; attrsOf (attrsOf (submodule ({
- options = {
- policy = mkOption {
- type = str;
- default = "-";
- };
- rules = mkOption {
- type = nullOr (listOf (submodule ({
- options = {
- predicate = mkOption {
- type = str;
- };
- target = mkOption {
- type = str;
- };
- precedence = mkOption {
- type = int;
- default = 0;
- };
- };
- })));
- default = null;
- };
- };
- })));
- };
- };
-
- imp = {
- networking.firewall.enable = false;
-
- systemd.services.lass-iptables = {
- description = "lass-iptables";
- wantedBy = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- ExecStart = "@${startScript} lass-iptables_start";
- };
- };
- };
-
- #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
- #todo: differentiate by iptables-version
- buildTables = v: ts:
- let
-
- declareChain = t: cn:
- #TODO: find out what to do whit these count numbers
- ":${cn} ${t."${cn}".policy} [0:0]";
-
- buildChain = tn: cn:
- let
- sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
-
- in
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
- else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
- )
- else
- ""
- ;
-
-
- buildRule = tn: cn: rule:
- #target validation test:
- assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
- "${rule.predicate} -j ${rule.target}";
-
- buildTable = tn:
- "*${tn}\n" +
- concatStringsSep "\n" ([]
- ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
- ) +
- #this looks dirty, find a better way to do this (maybe optionalString)
- concatStringsSep "" ([]
- ++ map (buildChain tn) (attrNames ts."${tn}")
- ) +
- "\nCOMMIT";
- in
- concatStringsSep "\n" ([]
- ++ map buildTable (attrNames ts)
- );
-
-#=====
-
- rules4 = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- writeText "lass-iptables-rules${toString iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
-
- startScript = writeScript "lass-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
- '';
-
-in
-out
-
diff --git a/3modules/lass/sshkeys.nix b/3modules/lass/sshkeys.nix
deleted file mode 100644
index 5f1c6066..00000000
--- a/3modules/lass/sshkeys.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-{
- options = {
- sshKeys = mkOption {
- type = types.attrsOf (types.submodule (
- { config, ... }:
- {
- options = {
- pub = mkOption {
- type = types.str;
- description = "Public part of the ssh key.";
- };
-
- priv = mkOption {
- type = types.str;
- description = "Private part of the ssh key.";
- };
- };
- }));
- description = "collection of ssh-keys";
- };
- };
-}
diff --git a/3modules/lass/urxvtd.nix b/3modules/lass/urxvtd.nix
deleted file mode 100644
index 469616a9..00000000
--- a/3modules/lass/urxvtd.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-in
-
-with builtins;
-with lib;
-
-{
- options = {
- services.urxvtd = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable urxvtd per user";
- };
- users = mkOption {
- type = types.listOf types.string;
- default = [];
- description = "users to run urxvtd for";
- };
- urxvtPackage = mkOption {
- type = types.package;
- default = pkgs.rxvt_unicode;
- description = "urxvt package to use";
- };
- };
- };
-
- config =
- let
- cfg = config.services.urxvtd;
- users = cfg.users;
- urxvt = cfg.urxvtPackage;
- mkService = user: {
- description = "urxvt terminal daemon";
- wantedBy = [ "multi-user.target" ];
- restartIfChanged = false;
- path = [ pkgs.xlibs.xrdb ];
- environment = {
- DISPLAY = ":0";
- URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
- };
- serviceConfig = {
- Restart = "always";
- User = user;
- ExecStart = "${urxvt}/bin/urxvtd";
- };
- };
- in
- mkIf cfg.enable {
- environment.systemPackages = [ urxvt ];
- systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
- };
-}
diff --git a/3modules/lass/xresources.nix b/3modules/lass/xresources.nix
deleted file mode 100644
index 15c5b8b7..00000000
--- a/3modules/lass/xresources.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-#TODO:
-#prefix with Attribute Name
-#ex: urxvt
-
-#
-#
-with builtins;
-with lib;
-
-
-let
-
- inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
- inherit (pkgs) writeScript;
-
-in
-
-{
-
- options = {
- services.xresources.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to enable the automatic loading of Xresources definitions at display-manager start;
- '';
- };
-
- services.xresources.resources = mkOption {
- default = {};
- type = types.attrsOf types.str;
- example = {
- urxvt = ''
- URxvt*scrollBar: false
- URxvt*urgentOnBell: true
- '';
- };
- description = ''
- Xresources definitions.
- '';
- };
- };
-
- config =
- let
- cfg = config.services.xresources;
- xres = concatStringsSep "\n" (attrValues cfg.resources);
-
- in mkIf cfg.enable {
- services.xserver.displayManager.sessionCommands = ''
- echo ${shell-escape xres} | xrdb -merge
- '';
- };
-
-}