-rw-r--r-- | krebs/3modules/default.nix | 14 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 3 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 3 | ||||
-rw-r--r-- | lass/3modules/acl.nix | 29 | ||||
-rw-r--r-- | makefu/2configs/tinc/retiolum.nix | 10 |
5 files changed, 30 insertions, 29 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index b58b52038..e8f0d35e4 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -19,13 +19,13 @@ let
 ./current.nix
 ./dns.nix
 ./ergo.nix
- ./exim.nix
 ./exim-retiolum.nix
 ./exim-smarthost.nix
+ ./exim.nix
 ./fetchWallpaper.nix
+ ./git.nix
 ./github-hosts-sync.nix
 ./github-known-hosts.nix
- ./git.nix
 ./go.nix
 ./hidden-ssh.nix
 ./hosts.nix
@@ -38,11 +38,12 @@ let
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
- ./permown.nix
 ./per-user.nix
+ ./permown.nix
 ./power-action.nix
 ./reaktor2.nix
 ./realwallpaper.nix
+ ./repo-sync.nix
 ./retiolum-bootstrap.nix
 ./rtorrent.nix
 ./secret.nix
@@ -55,7 +56,6 @@ let
 ./tinc_graphs.nix
 ./upstream
 ./urlwatch.nix
- ./repo-sync.nix
 ./xresources.nix
 ./zones.nix
 ];
@@ -102,13 +102,13 @@ let
 imp = lib.mkMerge [
 { krebs = import ./external { inherit config; }; }
+ { krebs = import ./external/kmein.nix { inherit config; }; }
+ { krebs = import ./external/mic92.nix { inherit config; }; }
+ { krebs = import ./external/palo.nix { inherit config; }; }
 { krebs = import ./jeschli { inherit config; }; }
 { krebs = import ./krebs { inherit config; }; }
 { krebs = import ./lass { inherit config; }; }
 { krebs = import ./makefu { inherit config; }; }
- { krebs = import ./external/palo.nix { inherit config; }; }
- { krebs = import ./external/mic92.nix { inherit config; }; }
- { krebs = import ./external/kmein.nix { inherit config; }; }
 { krebs = import ./tv { inherit config; }; }
 { krebs.dns.providers = {
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 62316bfdb..b3c09db78 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -102,6 +102,7 @@ in {
 x = {
 ci = true;
 cores = 4;
+ syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5";
 nets = {
 retiolum.ip4.addr = "10.243.0.91";
 wiregrill = {
@@ -121,7 +122,7 @@ in {
 omo = rec {
 ci = true;
 cores = 2;
-
+ syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK";
 nets = {
 retiolum = {
 ip4.addr = "10.243.0.89";
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 21ddde1c6..4a54d2950 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -233,6 +233,7 @@ with import <stockholm/lib>;
 cfg.iproutePackage
 cfg.tincPackage
 ];
+ reloadIfChanged = true;
 serviceConfig = {
 Restart = "always";
 LoadCredential = filter (x: x != "") [
@@ -260,7 +261,7 @@ with import <stockholm/lib>;
 "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
 "--pidfile=/var/run/tinc.${netname}.pid"
 ];
- ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
+ ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
 SyslogIdentifier = netname;
 };
 }) config.krebs.tinc;
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
index b87ca2e08..81eeae920 100644
--- a/lass/3modules/acl.nix
+++ b/lass/3modules/acl.nix
@@ -1,19 +1,4 @@
 { config, lib, pkgs, ... }: let
- generateACLs = attrs:
- lib.mapAttrsToList (path: rules: pkgs.writeDash "acl-${builtins.baseNameOf path}" ''
- mkdir -p "${path}"
- ${generateRules rules path}
- '') attrs;
-
- generateRules = rules: path:
- lib.concatStrings (
- lib.mapAttrsToList (_: rule: ''
- setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
- ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
- ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
- '') rules
- );
-
 parents = dir:
 if dir == "/" then [ dir ]
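Review bot: The new ExecReload runs `tinc -n ${netname} restart`, so the `reloadIfChanged = true` added in the previous hunk of krebs/3modules/tinc.nix now ends in a full daemon restart on every unit change anyway — the tunnels go down exactly as they would on a plain stop/start, which is presumably what reloadIfChanged was meant to avoid. If a restart is required because `tinc reload` does not pick up every change this module can make, that reason belongs on the line, e.g. `# restart, not reload: <reason — fill in>` above ExecReload. It is also worth confirming how systemd tracks the daemon across a control-socket restart — whether it keeps following the main PID depends on the unit's Type (outside this hunk) and the `--pidfile` argument above, and with `Restart = "always"` a lost main PID would mean a second restart. The enclosing mapAttrs over config.krebs.tinc starts outside the hunk.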
@@ -48,17 +33,23 @@ in {
 default = {};
 };
 config = lib.mkIf (config.lass.acl != {}) {
- systemd.services.set_acl = {
+ systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
 wantedBy = [ "multi-user.target" ];
 path = [ pkgs.acl pkgs.coreutils ];
 serviceConfig = {
- ExecStart = generateACLs config.lass.acl;
+ ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ ));
 RemainAfterExit = true;
- Type = "oneshot";
+ Type = "simple";
 };
- };
+ }) config.lass.acl;
 };
 }
diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix
index 0d2774209..a2b24d35a 100644
--- a/makefu/2configs/tinc/retiolum.nix
+++ b/makefu/2configs/tinc/retiolum.nix
@@ -1,10 +1,18 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, ... }:
 {
 imports = [ ../binary-cache/lass.nix ];
 krebs.tinc.retiolum.enable = true;
+ krebs.tinc.retiolum.extraConfig = ''
+ StrictSubnets = yes
+ ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
+ LocalDiscovery = no
+ ''}
+ '';
+
 #krebs.tinc.retiolum.connectTo = [ "gum" ];
 environment.systemPackages = [ pkgs.tinc ];
 networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
 networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
+
 }
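Review bot: Switching the acl-* units to `Type = "simple"` means each one counts as started the moment the script is forked, so units ordered after it (and multi-user.target) no longer wait for setfacl to finish — a service can come up before the ACL that grants or restricts its access to the path is in place; the removed `Type = "oneshot";` gave that guarantee and works fine with `RemainAfterExit = true`, so restoring it keeps the per-path split without the ordering change (if non-blocking startup was the goal, a comment should say so). The `mkdir -p "${path}"` step of the deleted generateACLs helper (first hunk of lass/3modules/acl.nix) was not carried over, so a rule for a directory that does not exist yet now fails inside setfacl instead of creating it; if the path is now expected to exist beforehand, document that on the option. Unless pkgs.writers.writeDash adds `set -e` (not visible here), a failing setfacl line in the middle of the generated script is only reported when it happens to be the last command, which is worth checking since the unit's failure state is the only signal that an ACL was not applied. The module's option declarations above this hunk are outside the view.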
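Review bot: The `LocalDiscovery = no` line in makefu/2configs/tinc/retiolum.nix is emitted only when the host's retiolum `via` is non-null, and nothing says why a host that is reached through another net (which is what `via` appears to mean — confirm against the host definitions) should stop probing the local network for peers; a one-line comment above the `${lib.optionalString ...}` line, e.g. `# hosts reached via a relay: do not look for peers on the LAN`, would save the next reader a trip to krebs/3modules. `StrictSubnets = yes` is the more consequential change: tincd will only honour Subnet statements present in the local hosts/ files and ignore subnets announced by peers, so a misconfigured or compromised node cannot attract traffic for addresses it does not own — that rationale deserves a comment as well, since it also means a new subnet only works once every node has the updated host file.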