-rw-r--r-- | krebs/3modules/iptables.nix | 51 | ||||
-rw-r--r-- | krebs/3modules/nginx.nix | 45 | ||||
-rw-r--r-- | krebs/5pkgs/buildbot/default.nix | 3 | ||||
-rw-r--r-- | krebs/5pkgs/buildbot/irc_messages.patch | 40 | ||||
-rw-r--r-- | lass/1systems/prism.nix | 3 | ||||
-rw-r--r-- | lass/2configs/buildbot-standalone.nix | 20 | ||||
-rw-r--r-- | lass/2configs/default.nix | 4 | ||||
-rw-r--r-- | lass/2configs/mail.nix | 2 | ||||
-rw-r--r-- | lass/2configs/nixpkgs.nix | 2 | ||||
-rw-r--r-- | lass/2configs/pulse.nix | 2 | ||||
-rw-r--r-- | lass/2configs/repo-sync.nix | 2 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 41 | ||||
-rw-r--r-- | lass/3modules/usershadow.nix | 29 | ||||
-rw-r--r-- | makefu/6tests/data/secrets/extra-hosts.nix | 1 |
14 files changed, 163 insertions, 82 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index b610ff3d1..a4a4de6f9 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
 let
 inherit (pkgs) writeText;
@@ -7,27 +9,6 @@ let
 elem
 ;
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- hasPrefix
- mkEnableOption
- mkOption
- mkIf
- types
- sort
- ;
-
 cfg = config.krebs.iptables;
 out = {
@@ -65,6 +46,14 @@ let
 type = int;
 default = 0;
 };
+ v4 = mkOption {
+ type = bool;
+ default = true;
+ };
+ v6 = mkOption {
+ type = bool;
+ default = true;
+ };
 };
 })));
 default = null;
@@ -93,7 +82,7 @@ let
 Type = "simple";
 RemainAfterExit = true;
 Restart = "always";
- ExecStart = "@${startScript} krebs-iptables_start";
+ ExecStart = startScript;
 };
 };
 };
@@ -109,7 +98,8 @@ let
 buildChain = tn: cn:
 let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+ filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
+ sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
 in
 #TODO: double check should be unneccessary, refactor!
@@ -123,13 +113,6 @@ let
 buildRule = tn: cn: rule:
- #target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
 "${rule.predicate} -j ${rule.target}";
 buildTable = tn:
@@ -149,7 +132,7 @@ let
 #=====
- rules4 = iptables-version:
+ rules = iptables-version:
 let
 #TODO: find out good defaults.
 tables-defaults = {
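Review bot: Removing the `assert` on `rule.target` in `buildRule` leaves rule targets unvalidated at evaluation time, so a typo is now caught only by `iptables-restore` when the service starts; the start script in the following hunk runs with `set -euf`, so one malformed IPv4 rule also prevents `ip6tables-restore` from running, and on a fresh boot the host is left with the kernel's default chain policies (typically ACCEPT). If the assert was dropped only to allow `REJECT --reject-with …` targets, a prefix check keeps the protection: `assert any (t: hasPrefix t rule.target) ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" "REDIRECT" "DNAT" ] ++ attrNames ts."${tn}");`. `any`, `hasPrefix` and `attrNames` were previously inherited from `lib` and are presumably now supplied by the `with import <stockholm/lib>` added at the top; `ts` is referenced but not bound anywhere in the visible hunks, so it must come from an enclosing scope outside this view.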
@@ -171,14 +154,14 @@ let
 tables = tables-defaults // cfg.tables;
 in
- writeText "krebs-iptables-rules${toString iptables-version}" ''
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
 ${buildTables iptables-version tables}
 '';
 startScript = pkgs.writeDash "krebs-iptables_start" ''
 set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
+ iptables-restore < ${rules "v4"}
+ ip6tables-restore < ${rules "v6"}
 '';
 in
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
 default = "";
 };
 ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
 options = {
 enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
 certificate = mkOption {
 type = str;
 };
@@ -95,6 +108,7 @@ let
 };
 imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
 services.nginx = {
 enable = true;
 httpConfig = ''
@@ -117,13 +131,24 @@ let
 indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
 to-location = { name, value }: ''
 location ${name} {
 ${indent value}
 }
 '';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
 server {
 server_name ${toString (unique server-names)};
 ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
@@ -142,7 +167,23 @@ let
 ssl_ciphers ${ssl.ciphers};
 ssl_protocols ${toString ssl.protocols};
 '')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
 ${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
 ${indent (concatMapStrings to-location locations)}
 }
 '';
diff --git a/krebs/5pkgs/buildbot/default.nix b/krebs/5pkgs/buildbot/default.nix
index a0e6bb6a5..2e14b6b63 100644
--- a/krebs/5pkgs/buildbot/default.nix
+++ b/krebs/5pkgs/buildbot/default.nix
@@ -55,6 +55,9 @@ pythonPackages.buildPythonApplication (rec {
 ] ++ plugins;
+ patchPhase = ''
+ patch -p1 < ${./irc_messages.patch}
+ '';
 preInstall = ''
 # writes out a file that can't be read properly
 sed -i.bak -e '69,84d' buildbot/test/unit/test_www_config.py
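Review bot: `to-acme` requests a certificate for `head server-names` only, while the configuration it replaces in lass/2configs/websites/util.nix also set `extraDomains = genAttrs domains (_: null)`, `group = "nginx"` and `allowKeysForGroup = true`; the remaining entries of `server-names` are therefore no longer covered by the certificate even though `to-server` serves them all under `server_name`. Add `extraDomains = genAttrs (tail server-names) (_: null);` next to `webroot`, and confirm whether nginx still needs group access to `key.pem` before the group settings are dropped for good. The `optionalAttrs ssl.acmeEnable` wrapper is redundant, since `imp` already filters `cfg.servers` on `ssl.acmeEnable` before calling `to-acme`. The ACME account address is a personal e-mail hard-coded into a shared krebs module; an option such as `ssl.acmeEmail` would keep `krebs/3modules` user-neutral.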
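Review bot: The block emitted under `ssl.acmeEnable` appears to repeat the `ssl.enable` block whose tail (`ssl_ciphers`, `ssl_protocols`, `'')}`) is visible just above it, differing only in the `ssl_certificate`/`ssl_certificate_key` paths. Since `to-server` now has a `let`, the certificate and key paths could be selected there (the `ssl` options' own paths versus `${config.security.acme.directory}/${domain}/…`) and one block emitted under `ssl.enable || ssl.acmeEnable`, so the two variants cannot drift apart in cipher or protocol settings. The `if ($scheme = http)` redirect targets `$server_name`, i.e. the first entry of `server_name`; clients that asked for another of the `server-names` are sent to `${domain}` rather than the host they requested, which is fine if intended, otherwise `$host` is the usual choice.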
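Review bot: Overriding `patchPhase` replaces the generic phase, so any `patches` attribute added to this derivation later (or through an override) is silently ignored. The idiomatic form is `patches = [ ./irc_messages.patch ];`, which stdenv applies with `-p1` by default and which keeps `patchPhase` hookable.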
diff --git a/krebs/5pkgs/buildbot/irc_messages.patch b/krebs/5pkgs/buildbot/irc_messages.patch
new file mode 100644
index 000000000..ab8597dbd
--- /dev/null
+++ b/krebs/5pkgs/buildbot/irc_messages.patch
@@ -0,0 +1,40 @@
+diff --git a/buildbot/reporters/words.py b/master/buildbot/reporters/words.py
+index a65147b..bf44118 100644
+--- a/buildbot/reporters/words.py
++++ b/buildbot/reporters/words.py
+@@ -550,14 +550,15 @@ class Contact(service.AsyncService):
+
+ if self.useRevisions:
+ revisions = yield self.getRevisionsForBuild(build)
+- r = "Hey! build %s containing revision(s) [%s] is complete: %s" % \
++ r = "Build %s containing revision(s) [%s] is complete: %s" % \
+ (builderName, ','.join(revisions), results[0])
+ else:
+- r = "Hey! build %s #%d is complete: %s" % \
++ r = "Build %s #%d is complete: %s" % \
+ (builderName, buildNumber, results[0])
+
+ r += ' [%s]' % maybeColorize(build['state_string'],
+ results[1], self.useColors)
++ r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)
+ self.send(r)
+
+ # FIXME: where do we get the list of changes for a build ?
+@@ -622,14 +623,15 @@ class Contact(service.AsyncService):
+ results = self.getResultsDescriptionAndColor(build['results'])
+ if self.useRevisions:
+ revisions = yield self.getRevisionsForBuild(build)
+- r = "Hey! build %s containing revision(s) [%s] is complete: %s" % \
++ r = "Build %s containing revision(s) [%s] is complete: %s" % \
+ (builder_name, ','.join(revisions), results[0])
+ else:
+- r = "Hey! build %s #%d is complete: %s" % \
++ r = "Build %s #%d is complete: %s" % \
+ (builder_name, buildnum, results[0])
+
+ r += ' [%s]' % maybeColorize(build['state_string'],
+ results[1], self.useColors)
++ r += " - %s" % self.master.status.getURLForBuild(builder['builderid'],buildNumber)
+ self.send(r)
+
+ # FIXME: where do we get the base_url? Then do we use the build Link to
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 555e7fe1a..269f94526 100644
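Review bot: In the second hunk of the embedded patch (`@@ -622,14 +623,15 @@`) the added line references `buildNumber`, but the surrounding code in that method names the build number `buildnum` (`(builder_name, buildnum, results[0])`) and the builder `builder_name`; unless `buildNumber` and `builder` are bound elsewhere in that method, the line raises `NameError` on the first completed build that takes this path, after the build has finished and right before the IRC message is sent. The first hunk uses `builderName`/`buildNumber`, so the line was probably copied from there; it should read `r += " - %s" % self.master.status.getURLForBuild(builder['builderid'], buildnum)` with the builder variable checked against that method's locals as well. Both added lines also depend on `self.master.status`, which should be confirmed to exist in the buildbot version being packaged.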
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -142,8 +142,7 @@ in {
 }
 {
 users.users.chat.openssh.authorizedKeys.keys = [
- "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHF9tijlMoEevRZCG1AggukxWggfxPHUwg6Ye113ODG6PZ2m98oSmnsjixDy4GfIJjy+8HBbkwS6iH+fsNk86QtAgFNMjBl+9YvEzNRBzcyCqdOkZFvvZvV2oYA7I15il4ln62PDPKjEIS3YPhZPSwc6GhrlsFTnIG56NF/93IhF7R/FA== JuiceSSH"
- config.krebs.users.lass-uriel.pubkey
+ "ssh-rsa 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 JuiceSSH"
 ];
 }
 {
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index cf3354fd7..7422abdc8 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -13,8 +13,8 @@ in {
 config.krebs.buildbot.master = let
 stockholm-mirror-url = http://cgit.prism/stockholm ;
 in {
- slaves = {
- testslave = "lasspass";
+ workers = {
+ testworker = "lasspass";
 };
 change_source.stockholm = ''
 stockholm_repo = '${stockholm-mirror-url}'
@@ -36,7 +36,7 @@ in {
 };
 builder_pre = ''
 # prepare grab_repo step for stockholm
- grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
+ grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental', alwaysUseLatest=True)
 # TODO: get nixpkgs/stockholm paths from krebs
 env_lass = {
@@ -94,7 +94,7 @@ in {
 system={}".format(i)])
 bu.append(util.BuilderConfig(name="build-all",
- slavenames=slavenames,
+ workernames=workernames,
 factory=f))
 '';
@@ -152,7 +152,7 @@ in {
 make system=prism pkgs.{}".format(i)])
 bu.append(util.BuilderConfig(name="build-pkgs",
- slavenames=slavenames,
+ workernames=workernames,
 factory=f))
 '';
 };
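Review bot: Besides rotating the `JuiceSSH` key from an ECDSA key to an RSA key, this hunk also drops `config.krebs.users.lass-uriel.pubkey` from `users.users.chat.openssh.authorizedKeys.keys`, so the `lass-uriel` identity loses SSH access to the `chat` account. If that is intended it deserves a line in the commit message; if not, the reference should be restored below the new key. The key material itself is redacted on this page, so the rotation cannot be assessed here.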
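Review bot: `alwaysUseLatest=True` on the stockholm `steps.Git` makes the checkout ignore the revision carried by the sourcestamp and build the branch head instead, if I read buildbot's option correctly; combined with the IRC reporter patch in this commit, which announces `revision(s) [...]` taken from the build's sourcestamps, the revision reported to the channel can differ from the one actually built. Either drop the flag so change-triggered builds test the revision they report, or document in `builder_pre` that the reported revision is informational only.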
@@ -162,15 +162,15 @@ in {
 enable = true;
 nick = "buildbot-lass";
 server = "ni.r";
- channels = [ { channels = "retiolum"; } ];
+ channels = [ { channel = "retiolum"; } ];
 allowForce = true;
 };
 };
- config.krebs.buildbot.slave = {
+ config.krebs.buildbot.worker = {
 enable = true;
 masterhost = "localhost";
- username = "testslave";
+ username = "testworker";
 password = "lasspass";
 packages = with pkgs; [ gnumake jq nix populate ];
 extraEnviron = {
@@ -190,8 +190,8 @@ in {
 options.lass.build-ssh-privkey = mkOption {
 type = types.secret-file;
 default = {
- path = "${config.users.users.buildbotSlave.home}/ssh.privkey";
- owner = { inherit (config.users.users.buildbotSlave ) name uid;};
+ path = "${config.users.users.buildbotworker.home}/ssh.privkey";
+ owner = { inherit (config.users.users.buildbotworker ) name uid;};
 source-path = toString <secrets> + "/build.ssh.key";
 };
 };
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index a7d2a6cef..21a2ec038 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -194,7 +194,9 @@ with import <stockholm/lib>;
 { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
 { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
 { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
- { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; }
+ { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
+ { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
+ { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
 ];
 };
 };
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index c637b08fb..872acc003 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
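Review bot: The worker credential remains a literal on the new side, as `testworker = "lasspass"` in the master's `workers` (previous hunk) and `password = "lasspass"` here, and both end up in the world-readable Nix store; the rename had to touch both places, which is also how they can silently diverge. The file already routes the SSH key through `types.secret-file` (`lass.build-ssh-privkey` in the next hunk); if the `krebs.buildbot` options accept a file-backed value the password should go the same way, and in any case the two occurrences should be bound to one `let` variable so master and worker cannot disagree. The rename itself is consistent: `workers.testworker` matches `username = "testworker"`.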
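Review bot: The old `-i retiolum` REJECT applied to both address families, but of its three replacements only the TCP rule keeps `v6`, so on ip6tables UDP and every other protocol arriving on `retiolum` is no longer rejected by this list and falls through to the chain's default policy, which is not visible here. `icmp-port-unreachable` and `icmp-proto-unreachable` are IPv4-only reject types, which is presumably why `v6 = false` was set, but ip6tables has equivalents, so add IPv6 twins instead of dropping the coverage: `{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp6-port-unreachable"; v4 = false; precedence = -10000; }` and `{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp6-adm-prohibited"; v4 = false; precedence = -10000; }`. All three rules share `precedence = -10000`, so whether the protocol-specific rejects precede the catch-all depends on the sort in `buildChain` being stable; giving the catch-all `precedence = -10001` makes the intended order explicit.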
@@ -12,7 +12,7 @@ let
 msmtp = pkgs.writeBashBin "msmtp" ''
 ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
- ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
+ ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"
 '';
 muttrc = pkgs.writeText "muttrc" ''
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e665b6c6f..caca98746 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
 krebs.build.source.nixpkgs.git = {
 url = https://github.com/nixos/nixpkgs;
- ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
+ ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
 };
 }
diff --git a/lass/2configs/pulse.nix b/lass/2configs/pulse.nix
index 373207461..55efaea13 100644
--- a/lass/2configs/pulse.nix
+++ b/lass/2configs/pulse.nix
@@ -26,7 +26,7 @@ let
 '';
 daemonConf = pkgs.writeText "daemon.conf" ''
- exit-idle-time=0
+ exit-idle-time=-1
 flat-volumes = no
 default-fragments = 4
 default-fragment-size-msec = 25
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index baa4bb380..765769936 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -41,7 +41,7 @@ let
 mirror.url = "${mirror}${name}";
 };
 tv = {
- origin.url = "http://cgit.ni.i/${name}";
+ origin.url = "http://cgit.ni.r/${name}";
 mirror.url = "${mirror}${name}";
 };
 lassulus = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 55be8a8d9..3356fe9a8 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -8,28 +8,29 @@ rec {
 let
 domain = head domains;
 in {
- security.acme = {
- certs."${domain}" = {
- email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/${domain}";
- plugins = [
- "account_key.json"
- "key.pem"
- "fullchain.pem"
- ];
- group = "nginx";
- allowKeysForGroup = true;
- extraDomains = genAttrs domains (_: null);
- };
- };
+ #security.acme = {
+ # certs."${domain}" = {
+ # email = "lassulus@gmail.com";
+ # webroot = "/var/lib/acme/challenges/${domain}";
+ # plugins = [
+ # "account_key.json"
+ # "key.pem"
+ # "fullchain.pem"
+ # ];
+ # group = "nginx";
+ # allowKeysForGroup = true;
+ # extraDomains = genAttrs domains (_: null);
+ # };
+ #};
 krebs.nginx.servers."${domain}" = {
+ ssl.acmeEnable = true;
 server-names = domains;
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/${domain}/;
- '')
- ];
+ #locations = [
+ # (nameValuePair "/.well-known/acme-challenge" ''
+ # root /var/lib/acme/challenges/${domain}/;
+ # '')
+ #];
 };
 };
@@ -37,7 +38,7 @@ rec {
 {
 imports = [
 ( manageCerts domains )
- ( activateACME (head domains) )
+ #( activateACME (head domains) )
 ];
 };
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index a8ab1c52a..c0be053ab 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -70,9 +70,7 @@
 extra-depends = deps;
 text = ''
 import Data.Monoid
- import System.IO
- import Data.Char (chr)
- import System.Environment (getEnv, getArgs)
+ import System.Environment (getArgs)
 import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
 import qualified Data.ByteString.Char8 as BS8
 import System.Exit (exitFailure, exitSuccess)
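Review bot: The removed ACME configuration is kept as a commented-out `security.acme` block and a commented `locations` list here, plus the commented `activateACME` import in the next hunk; git history already preserves them, and a reader cannot tell whether they are pending reinstatement or dead. Delete them, or, if `extraDomains`, `group` and `allowKeysForGroup` are still needed (the new `to-acme` in krebs/3modules/nginx.nix sets only `email` and `webroot`), port them to the module instead of leaving them as comments. `( manageCerts domains )` is still imported while `activateACME` is not, so the two helpers are now wired differently; a one-line comment at the import saying why would save the next reader the archaeology.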
@@ -96,16 +94,29 @@
 import System.Environment (getEnv)
 import Crypto.PasswordStore (makePasswordWith, pbkdf2)
 import qualified Data.ByteString.Char8 as BS8
- import System.IO (stdin, hSetEcho, putStrLn)
+ import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)
+ import Control.Exception (bracket_)
 main :: IO ()
 main = do
 home <- getEnv "HOME"
- putStrLn "password:"
- hSetEcho stdin False
- password <- BS8.hGetLine stdin
- hash <- makePasswordWith pbkdf2 password 10
- BS8.writeFile (home ++ "/.shadow") hash
+ mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do
+ putStr "Enter new UNIX password: "
+ hFlush stdout
+ password <- BS8.hGetLine stdin
+ putStrLn ""
+ putStr "Retype new UNIX password: "
+ hFlush stdout
+ password2 <- BS8.hGetLine stdin
+ return $ if password == password2
+ then Just password
+ else Nothing
+ case mb_password of
+ Just password -> do
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ putStrLn "passwd: all authentication tokens updated successfully."
+ Nothing -> putStrLn "Sorry, passwords do not match"
 '';
 };
 };
diff --git a/makefu/6tests/data/secrets/extra-hosts.nix b/makefu/6tests/data/secrets/extra-hosts.nix
new file mode 100644
index 000000000..e16c76dff
--- /dev/null
+++ b/makefu/6tests/data/secrets/extra-hosts.nix
@@ -0,0 +1 @@
+"" |
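Review bot: `BS8.writeFile (home ++ "/.shadow") hash` creates the hash file with the process umask, so the salted hash is typically world-readable and available to any local user for offline guessing; the rewrite carries that line over from the old version, and it is the right moment to create the file with owner-only permissions (for example via `System.Posix.Files.setFileMode` from the `unix` package, if it is available through `extra-depends`, or by restricting the umask before writing). The new prompt also accepts an empty password: `password == password2` holds for two empty inputs, so the empty string is hashed and written, and a `BS8.null password` check alongside the mismatch case would reject it. The hashing strength `10` is unchanged from the old code; if this is pwstore's exponent it means 2^10 PBKDF2 iterations, which is worth revisiting separately. The `bracket_` correctly restores echo when `hGetLine` throws on EOF, which the previous version did not.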