summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/ci.nix2
-rw-r--r--krebs/3modules/default.nix14
-rw-r--r--krebs/3modules/external/mic92.nix25
-rw-r--r--krebs/3modules/sync-containers.nix2
-rw-r--r--krebs/3modules/tinc.nix5
-rw-r--r--lass/3modules/acl.nix55
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lib/types.nix4
8 files changed, 71 insertions, 37 deletions
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 822dbab61..5efe41786 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -166,6 +166,8 @@ let
nick = "buildbot|${hostname}",
notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
channels = [{"channel": "#xxx"}],
+ showBlameList = True,
+ authz={'force': True},
)
''];
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index b58b52038..e8f0d35e4 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -19,13 +19,13 @@ let
./current.nix
./dns.nix
./ergo.nix
- ./exim.nix
./exim-retiolum.nix
./exim-smarthost.nix
+ ./exim.nix
./fetchWallpaper.nix
+ ./git.nix
./github-hosts-sync.nix
./github-known-hosts.nix
- ./git.nix
./go.nix
./hidden-ssh.nix
./hosts.nix
@@ -38,11 +38,12 @@ let
./nixpkgs.nix
./on-failure.nix
./os-release.nix
- ./permown.nix
./per-user.nix
+ ./permown.nix
./power-action.nix
./reaktor2.nix
./realwallpaper.nix
+ ./repo-sync.nix
./retiolum-bootstrap.nix
./rtorrent.nix
./secret.nix
@@ -55,7 +56,6 @@ let
./tinc_graphs.nix
./upstream
./urlwatch.nix
- ./repo-sync.nix
./xresources.nix
./zones.nix
];
@@ -102,13 +102,13 @@ let
imp = lib.mkMerge [
{ krebs = import ./external { inherit config; }; }
+ { krebs = import ./external/kmein.nix { inherit config; }; }
+ { krebs = import ./external/mic92.nix { inherit config; }; }
+ { krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./jeschli { inherit config; }; }
{ krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; }
- { krebs = import ./external/palo.nix { inherit config; }; }
- { krebs = import ./external/mic92.nix { inherit config; }; }
- { krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; }
{
krebs.dns.providers = {
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 27a2beed6..dd6f4f456 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -279,25 +279,6 @@ in {
'';
};
};
- philipsaendig = {
- owner = config.krebs.users.mic92;
- nets.retiolum = {
- ip4.addr = "10.243.29.193";
- aliases = [
- "philipsaendig.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
- 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
- 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
- +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
- Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
- oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
yasmin = {
owner = config.krebs.users.mic92;
nets.internet = {
@@ -306,7 +287,6 @@ in {
aliases = [ "yasmin.i" ];
};
nets.retiolum = {
- ip4.addr = "10.243.29.197";
aliases = [
"yasmin.r"
];
@@ -414,7 +394,6 @@ in {
};
retiolum = {
via = internet;
- ip4.addr = "10.243.29.195";
aliases = [ "bill.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -445,7 +424,6 @@ in {
};
retiolum = {
via = internet;
- ip4.addr = "10.243.29.173";
aliases = [ "nardole.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -470,7 +448,6 @@ in {
owner = config.krebs.users.mic92;
nets = {
retiolum = {
- ip4.addr = "10.243.29.171";
aliases = [
"rock.r"
];
@@ -736,7 +713,6 @@ in {
};
retiolum = {
via = internet;
- ip4.addr = "10.243.29.198";
aliases = [ "ryan.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -764,7 +740,6 @@ in {
};
retiolum = {
via = internet;
- ip4.addr = "10.243.29.199";
aliases = [ "graham.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index e47f9a3a7..e2caa0834 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -97,7 +97,7 @@ in {
${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
'';
- services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+ services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
devices = ctr.peers;
ignorePerms = false;
})) cfg.containers);
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 21ddde1c6..31371af59 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -48,7 +48,7 @@ with import <stockholm/lib>;
};
extraConfig = mkOption {
- type = types.str;
+ type = types.lines;
default = "";
description = ''
Extra Configuration to be appended to tinc.conf
@@ -233,6 +233,7 @@ with import <stockholm/lib>;
cfg.iproutePackage
cfg.tincPackage
];
+ reloadIfChanged = true;
serviceConfig = {
Restart = "always";
LoadCredential = filter (x: x != "") [
@@ -260,7 +261,7 @@ with import <stockholm/lib>;
"-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
"--pidfile=/var/run/tinc.${netname}.pid"
];
- ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
+ ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
SyslogIdentifier = netname;
};
}) config.krebs.tinc;
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..81eeae920
--- /dev/null
+++ b/lass/3modules/acl.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }: let
+ parents = dir:
+ if dir == "/" then
+ [ dir ]
+ else
+ [ dir ] ++ parents (builtins.dirOf dir)
+ ;
+in {
+ options.lass.acl = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ rule = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ default = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ recursive = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ parents = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ apply ACL to every parent folder
+ '';
+ };
+ };
+ })));
+ default = {};
+ };
+ config = lib.mkIf (config.lass.acl != {}) {
+ systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.acl
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ ));
+ RemainAfterExit = true;
+ Type = "simple";
+ };
+ }) config.lass.acl;
+ };
+}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 570bb45be..0373bd44c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
_:
{
imports = [
+ ./acl.nix
./dnsmasq.nix
./folderPerms.nix
./hosts.nix
diff --git a/lib/types.nix b/lib/types.nix
index 318e2f237..f312b734b 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -7,7 +7,7 @@ let
mkOptionType optional optionalAttrs optionals range splitString
stringLength substring test testString typeOf;
inherit (lib.types)
- attrsOf bool either enum int listOf nullOr path str submodule;
+ attrsOf bool either enum int lines listOf nullOr path str submodule;
in
rec {
@@ -211,7 +211,7 @@ rec {
extraConfig = mkOption {
description = "Extra Configuration to be appended to the hosts file";
default = "";
- type = str;
+ type = lines;
};
port = mkOption {
type = int;