-rw-r--r--krebs/3modules/iptables.nix51
-rw-r--r--krebs/3modules/nginx.nix45
-rw-r--r--krebs/5pkgs/buildbot/default.nix3
-rw-r--r--krebs/5pkgs/buildbot/irc_messages.patch40
-rw-r--r--lass/1systems/prism.nix3
-rw-r--r--lass/2configs/buildbot-standalone.nix20
-rw-r--r--lass/2configs/default.nix4
-rw-r--r--lass/2configs/mail.nix2
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/pulse.nix2
-rw-r--r--lass/2configs/repo-sync.nix2
-rw-r--r--lass/2configs/websites/util.nix41
-rw-r--r--lass/3modules/usershadow.nix29
-rw-r--r--makefu/6tests/data/secrets/extra-hosts.nix1
14 files changed, 163 insertions, 82 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index b610ff3d1..a4a4de6f9 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
let
inherit (pkgs) writeText;
@@ -7,27 +9,6 @@ let
elem
;
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- hasPrefix
- mkEnableOption
- mkOption
- mkIf
- types
- sort
- ;
-
cfg = config.krebs.iptables;
out = {
@@ -65,6 +46,14 @@ let
type = int;
default = 0;
};
+ v4 = mkOption {
+ type = bool;
+ default = true;
+ };
+ v6 = mkOption {
+ type = bool;
+ default = true;
+ };
};
})));
default = null;
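Review bot: The new `v4` and `v6` options have no `description`, so generated option docs say nothing about what switching one off does (the rule is then left out of that family's restore file, via the filter added in buildChain further down). Suggest `description = "apply this rule in the IPv4 (iptables) ruleset";` on `v4` and the IPv6 counterpart on `v6`. The enclosing submodule starts and ends outside the hunk.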
@@ -93,7 +82,7 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} krebs-iptables_start";
+ ExecStart = startScript;
};
};
};
@@ -109,7 +98,8 @@ let
buildChain = tn: cn:
let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+ filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
+ sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
in
#TODO: double check should be unneccessary, refactor!
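Review bot: `filter (r: r."${v}")` reads a variable `v` that nothing in this hunk binds; `buildChain = tn: cn:` does not take it, so unless an enclosing `let` (presumably inside `buildTables iptables-version`) introduces `v`, evaluation fails with an undefined-variable error. Threading it explicitly, `buildChain = v: tn: cn:`, would make the dependency visible at the call site instead of relying on scope. buildChain's body continues outside the hunk.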
@@ -123,13 +113,6 @@ let
buildRule = tn: cn: rule:
- #target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
"${rule.predicate} -j ${rule.target}";
buildTable = tn:
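Review bot: Dropping the target assertion entirely means any string is spliced into `-j ${rule.target}` unchecked, so a typo or a target that is not a chain now surfaces only when `iptables-restore` rejects the whole file at service start, leaving the host with whatever rules were loaded before. The apparent reason is that `REJECT --reject-with …` targets (used in lass/2configs/default.nix in this commit) failed the exact-match `elem` test; a prefix check keeps the validation while admitting them: `assert any (t: hasPrefix t rule.target) ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" "REDIRECT" "DNAT" ] ++ attrNames ts."${tn}");`. This assumes `any`/`hasPrefix`/`attrNames` are still in scope through the new `with import <stockholm/lib>;`, which the hunk at the top of the file suggests but does not show.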
@@ -149,7 +132,7 @@ let
#=====
- rules4 = iptables-version:
+ rules = iptables-version:
let
#TODO: find out good defaults.
tables-defaults = {
@@ -171,14 +154,14 @@ let
tables = tables-defaults // cfg.tables;
in
- writeText "krebs-iptables-rules${toString iptables-version}" ''
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
${buildTables iptables-version tables}
'';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
+ iptables-restore < ${rules "v4"}
+ ip6tables-restore < ${rules "v6"}
'';
in
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
default = "";
};
ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
options = {
enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
certificate = mkOption {
type = str;
};
@@ -95,6 +108,7 @@ let
};
imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
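Review bot: `mapAttrs (_: to-acme) …` keys each certificate by the server's attribute name in `cfg.servers`, but `to-server` (next hunk) looks it up as `config.security.acme.certs.${head server-names}`, so any server whose attribute name differs from its first server-name fails to evaluate. Keying by the same value removes that coupling: `security.acme.certs = mapAttrs' (_: server: nameValuePair (head server.server-names) (to-acme server)) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);`. Separately, `to-acme` hard-codes the contact email in a shared module; an option such as `ssl.acmeEmail` would let other users of krebs.nginx set their own.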
@@ -117,13 +131,24 @@ let
indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
server {
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
@@ -142,7 +167,23 @@ let
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
${indent (concatMapStrings to-location locations)}
}
'';
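Review bot: The `if ($scheme = http) { return 301 … }` emitted under `force_encryption` sits at server level, where nginx evaluates it before location matching, so it also redirects `/.well-known/acme-challenge` requests; the HTTP-01 validator will then be sent to the https side, which only works once a valid certificate is already installed. Putting the redirect in a `location / { … }` block, or guarding it with `$request_uri !~ ^/.well-known/acme-challenge/`, keeps the challenge path reachable over plain http. Relatedly, nothing in the hunk creates the referenced `fullchain.pem`/`key.pem` before first issuance, so nginx presumably refuses to start until the cert exists — worth confirming. The added block otherwise duplicates the `ssl.enable` block above it line for line except for the two file paths; computing `certificate`/`certificate_key` once and emitting a single block would avoid the two drifting apart.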
diff --git a/krebs/5pkgs/buildbot/default.nix b/krebs/5pkgs/buildbot/default.nix
index a0e6bb6a5..2e14b6b63 100644
--- a/krebs/5pkgs/buildbot/default.nix
+++ b/krebs/5pkgs/buildbot/default.nix
@@ -55,6 +55,9 @@ pythonPackages.buildPythonApplication (rec {
] ++ plugins;
+ patchPhase = ''
+ patch -p1 < ${./irc_messages.patch}
+ '';
preInstall = ''
# writes out a file that can't be read properly
sed -i.bak -e '69,84d' buildbot/test/unit/test_www_config.py
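Review bot: Defining `patchPhase` replaces stdenv's default patch phase, so any entries in `patches` (now or added later) would be silently skipped. The stdenv way is `patches = [ ./irc_messages.patch ];`, which applies with `-p1` by default and keeps the hook ordering intact.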
diff --git a/krebs/5pkgs/buildbot/irc_messages.patch b/krebs/5pkgs/buildbot/irc_messages.patch
new file mode 100644
index 000000000..ab8597dbd
--- /dev/null
+++ b/krebs/5pkgs/buildbot/irc_messages.patch
@@ -0,0 +1,40 @@
+diff --git a/buildbot/reporters/words.py b/master/buildbot/reporters/words.py
+index a65147b..bf44118 100644
+--- a/buildbot/reporters/words.py
++++ b/buildbot/reporters/words.py
+@@ -550,14 +550,15 @@ class Contact(service.AsyncService):
+
+ if self.useRevisions:
+ revisions = yield self.getRevisionsForBuild(build)
+- r = "Hey! build %s containing revision(s) [%s] is complete: %s" % \
++ r = "Build %s containing revision(s) [%s] is complete: %s" % \
+ (builderName, ','.join(revisions), results[0])
+ else:
+- r = "Hey! build %s #%d is complete: %s" % \
++ r = "Build %s #%d is complete: %s" % \
+ (builderName, buildNumber, results[0])
+
+ r += ' [%s]' % maybeColorize(build['state_string'],
+ results[1], self.useColors)
++ r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)
+ self.send(r)
+
+ # FIXME: where do we get the list of changes for a build ?
+@@ -622,14 +623,15 @@ class Contact(service.AsyncService):
+ results = self.getResultsDescriptionAndColor(build['results'])
+ if self.useRevisions:
+ revisions = yield self.getRevisionsForBuild(build)
+- r = "Hey! build %s containing revision(s) [%s] is complete: %s" % \
++ r = "Build %s containing revision(s) [%s] is complete: %s" % \
+ (builder_name, ','.join(revisions), results[0])
+ else:
+- r = "Hey! build %s #%d is complete: %s" % \
++ r = "Build %s #%d is complete: %s" % \
+ (builder_name, buildnum, results[0])
+
+ r += ' [%s]' % maybeColorize(build['state_string'],
+ results[1], self.useColors)
++ r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)
+ self.send(r)
+
+ # FIXME: where do we get the base_url? Then do we use the build Link to
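Review bot: The second added line, `r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)`, uses `buildNumber` in a scope whose variable is `buildnum` (see the surrounding `(builder_name, buildnum, results[0])`), so that branch raises NameError at runtime; the first added line in the earlier hunk uses the locals of its own scope. `builder` is also not visibly bound in the second context (only `builder_name` is), so that name is worth checking against the full function. Both patched functions start and end outside the quoted hunks.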
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 555e7fe1a..269f94526 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -142,8 +142,7 @@ in {
}
{
users.users.chat.openssh.authorizedKeys.keys = [
- "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHF9tijlMoEevRZCG1AggukxWggfxPHUwg6Ye113ODG6PZ2m98oSmnsjixDy4GfIJjy+8HBbkwS6iH+fsNk86QtAgFNMjBl+9YvEzNRBzcyCqdOkZFvvZvV2oYA7I15il4ln62PDPKjEIS3YPhZPSwc6GhrlsFTnIG56NF/93IhF7R/FA== JuiceSSH"
- config.krebs.users.lass-uriel.pubkey
+ "ssh-rsa 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 JuiceSSH"
];
}
{
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index cf3354fd7..7422abdc8 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -13,8 +13,8 @@ in {
config.krebs.buildbot.master = let
stockholm-mirror-url = http://cgit.prism/stockholm ;
in {
- slaves = {
- testslave = "lasspass";
+ workers = {
+ testworker = "lasspass";
};
change_source.stockholm = ''
stockholm_repo = '${stockholm-mirror-url}'
@@ -36,7 +36,7 @@ in {
};
builder_pre = ''
# prepare grab_repo step for stockholm
- grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
+ grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental', alwaysUseLatest=True)
# TODO: get nixpkgs/stockholm paths from krebs
env_lass = {
@@ -94,7 +94,7 @@ in {
system={}".format(i)])
bu.append(util.BuilderConfig(name="build-all",
- slavenames=slavenames,
+ workernames=workernames,
factory=f))
'';
@@ -152,7 +152,7 @@ in {
make system=prism pkgs.{}".format(i)])
bu.append(util.BuilderConfig(name="build-pkgs",
- slavenames=slavenames,
+ workernames=workernames,
factory=f))
'';
};
@@ -162,15 +162,15 @@ in {
enable = true;
nick = "buildbot-lass";
server = "ni.r";
- channels = [ { channels = "retiolum"; } ];
+ channels = [ { channel = "retiolum"; } ];
allowForce = true;
};
};
- config.krebs.buildbot.slave = {
+ config.krebs.buildbot.worker = {
enable = true;
masterhost = "localhost";
- username = "testslave";
+ username = "testworker";
password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate ];
extraEnviron = {
@@ -190,8 +190,8 @@ in {
options.lass.build-ssh-privkey = mkOption {
type = types.secret-file;
default = {
- path = "${config.users.users.buildbotSlave.home}/ssh.privkey";
- owner = { inherit (config.users.users.buildbotSlave ) name uid;};
+ path = "${config.users.users.buildbotworker.home}/ssh.privkey";
+ owner = { inherit (config.users.users.buildbotworker ) name uid;};
source-path = toString <secrets> + "/build.ssh.key";
};
};
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index a7d2a6cef..21a2ec038 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -194,7 +194,9 @@ with import <stockholm/lib>;
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
- { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; }
+ { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
+ { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
+ { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
];
};
};
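Review bot: The two new rules marked `v6 = false` replace the old family-independent `-i retiolum` REJECT, so on IPv6 only TCP on retiolum is now explicitly rejected; UDP and other protocols fall through to whatever the chain's default policy is, which this hunk does not show. If that policy is ACCEPT, IPv6 non-TCP traffic from the overlay is now admitted. IPv6 counterparts keep the previous coverage: `{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp6-port-unreachable"; v4 = false; precedence = -10000; }` and `{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp6-adm-prohibited"; v4 = false; precedence = -10000; }`.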
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index c637b08fb..872acc003 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -12,7 +12,7 @@ let
msmtp = pkgs.writeBashBin "msmtp" ''
${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
- ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
+ ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"
'';
muttrc = pkgs.writeText "muttrc" ''
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e665b6c6f..caca98746 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
+ ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
};
}
diff --git a/lass/2configs/pulse.nix b/lass/2configs/pulse.nix
index 373207461..55efaea13 100644
--- a/lass/2configs/pulse.nix
+++ b/lass/2configs/pulse.nix
@@ -26,7 +26,7 @@ let
'';
daemonConf = pkgs.writeText "daemon.conf" ''
- exit-idle-time=0
+ exit-idle-time=-1
flat-volumes = no
default-fragments = 4
default-fragment-size-msec = 25
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index baa4bb380..765769936 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -41,7 +41,7 @@ let
mirror.url = "${mirror}${name}";
};
tv = {
- origin.url = "http://cgit.ni.i/${name}";
+ origin.url = "http://cgit.ni.r/${name}";
mirror.url = "${mirror}${name}";
};
lassulus = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 55be8a8d9..3356fe9a8 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -8,28 +8,29 @@ rec {
let
domain = head domains;
in {
- security.acme = {
- certs."${domain}" = {
- email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/${domain}";
- plugins = [
- "account_key.json"
- "key.pem"
- "fullchain.pem"
- ];
- group = "nginx";
- allowKeysForGroup = true;
- extraDomains = genAttrs domains (_: null);
- };
- };
+ #security.acme = {
+ # certs."${domain}" = {
+ # email = "lassulus@gmail.com";
+ # webroot = "/var/lib/acme/challenges/${domain}";
+ # plugins = [
+ # "account_key.json"
+ # "key.pem"
+ # "fullchain.pem"
+ # ];
+ # group = "nginx";
+ # allowKeysForGroup = true;
+ # extraDomains = genAttrs domains (_: null);
+ # };
+ #};
krebs.nginx.servers."${domain}" = {
+ ssl.acmeEnable = true;
server-names = domains;
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/${domain}/;
- '')
- ];
+ #locations = [
+ # (nameValuePair "/.well-known/acme-challenge" ''
+ # root /var/lib/acme/challenges/${domain}/;
+ # '')
+ #];
};
};
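Review bot: Switching to `ssl.acmeEnable = true` loses two things the commented-out block provided: `extraDomains = genAttrs domains (_: null)` put every entry of `domains` on the certificate, whereas the module's `to-acme` only requests `head server-names`, so the remaining server-names will be served with a certificate that does not match them; and `group = "nginx"; allowKeysForGroup = true;` is gone, so key readability now depends on the acme module's defaults. Either carry those settings into `to-acme` or keep a per-site `security.acme.certs` override here. The dead configuration should be deleted rather than commented out — git history already keeps it, and commented blocks tend to be resurrected stale.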
@@ -37,7 +38,7 @@ rec {
{
imports = [
( manageCerts domains )
- ( activateACME (head domains) )
+ #( activateACME (head domains) )
];
};
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index a8ab1c52a..c0be053ab 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -70,9 +70,7 @@
extra-depends = deps;
text = ''
import Data.Monoid
- import System.IO
- import Data.Char (chr)
- import System.Environment (getEnv, getArgs)
+ import System.Environment (getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
import System.Exit (exitFailure, exitSuccess)
@@ -96,16 +94,29 @@
import System.Environment (getEnv)
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
- import System.IO (stdin, hSetEcho, putStrLn)
+ import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)
+ import Control.Exception (bracket_)
main :: IO ()
main = do
home <- getEnv "HOME"
- putStrLn "password:"
- hSetEcho stdin False
- password <- BS8.hGetLine stdin
- hash <- makePasswordWith pbkdf2 password 10
- BS8.writeFile (home ++ "/.shadow") hash
+ mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do
+ putStr "Enter new UNIX password: "
+ hFlush stdout
+ password <- BS8.hGetLine stdin
+ putStrLn ""
+ putStr "Retype new UNIX password: "
+ hFlush stdout
+ password2 <- BS8.hGetLine stdin
+ return $ if password == password2
+ then Just password
+ else Nothing
+ case mb_password of
+ Just password -> do
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ putStrLn "passwd: all authentication tokens updated successfully."
+ Nothing -> putStrLn "Sorry, passwords do not match"
'';
};
};
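Review bot: An empty first line is accepted as a valid password: two empty entries compare equal, so `makePasswordWith pbkdf2 "" 10` is written to `~/.shadow` and the account becomes reachable with an empty password. Reject it in the comparison, `return $ if not (BS8.null password) && password == password2 then Just password else Nothing`, with a matching message in the `Nothing` branch. `BS8.writeFile` also creates `~/.shadow` under the caller's umask, so the hash may be group- or world-readable; if the `unix` package is among `deps` (not visible in the hunk), `setFileMode` to owner-only after the write, or write via a handle opened with `openFd` and mode 0600. Terminal echo is correctly restored by `bracket_` even when `hGetLine` throws at EOF.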
diff --git a/makefu/6tests/data/secrets/extra-hosts.nix b/makefu/6tests/data/secrets/extra-hosts.nix
new file mode 100644
index 000000000..e16c76dff
--- /dev/null
+++ b/makefu/6tests/data/secrets/extra-hosts.nix
@@ -0,0 +1 @@
+""