-rw-r--r-- | krebs/3modules/ci.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 14 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 25 | ||||
-rw-r--r-- | krebs/3modules/sync-containers.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 5 | ||||
-rw-r--r-- | lass/3modules/acl.nix | 55 | ||||
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lib/types.nix | 4 |
8 files changed, 71 insertions, 37 deletions
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 822dbab61..5efe41786 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -166,6 +166,8 @@ let
 nick = "buildbot|${hostname}",
 notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
 channels = [{"channel": "#xxx"}],
+ showBlameList = True,
+ authz={'force': True},
 )
 ''];
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index b58b52038..e8f0d35e4 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -19,13 +19,13 @@ let
 ./current.nix
 ./dns.nix
 ./ergo.nix
- ./exim.nix
 ./exim-retiolum.nix
 ./exim-smarthost.nix
+ ./exim.nix
 ./fetchWallpaper.nix
+ ./git.nix
 ./github-hosts-sync.nix
 ./github-known-hosts.nix
- ./git.nix
 ./go.nix
 ./hidden-ssh.nix
 ./hosts.nix
@@ -38,11 +38,12 @@ let
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
- ./permown.nix
 ./per-user.nix
+ ./permown.nix
 ./power-action.nix
 ./reaktor2.nix
 ./realwallpaper.nix
+ ./repo-sync.nix
 ./retiolum-bootstrap.nix
 ./rtorrent.nix
 ./secret.nix
@@ -55,7 +56,6 @@ let
 ./tinc_graphs.nix
 ./upstream
 ./urlwatch.nix
- ./repo-sync.nix
 ./xresources.nix
 ./zones.nix
 ];
@@ -102,13 +102,13 @@ let
 imp = lib.mkMerge [
 { krebs = import ./external { inherit config; }; }
+ { krebs = import ./external/kmein.nix { inherit config; }; }
+ { krebs = import ./external/mic92.nix { inherit config; }; }
+ { krebs = import ./external/palo.nix { inherit config; }; }
 { krebs = import ./jeschli { inherit config; }; }
 { krebs = import ./krebs { inherit config; }; }
 { krebs = import ./lass { inherit config; }; }
 { krebs = import ./makefu { inherit config; }; }
- { krebs = import ./external/palo.nix { inherit config; }; }
- { krebs = import ./external/mic92.nix { inherit config; }; }
- { krebs = import ./external/kmein.nix { inherit config; }; }
 { krebs = import ./tv { inherit config; }; }
 { krebs.dns.providers = {
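Review bot: The added `authz={'force': True}` on the IRC reporter lets every user in the configured channels force builds through the bot, because a value of True in Buildbot's authz dict grants the command to all users rather than to a list of nicks. If that is intended because `#xxx` is a trusted channel, the line deserves a comment saying so, e.g. `# anyone in the channel may force builds; channel membership is the trust boundary`; otherwise replace True with the list of nicks that should have it. `showBlameList = True` also posts the blame list (committer identities) into the same channel, which is fine for a private channel but is part of the same exposure. The IRC(...) call and the enclosing `''` string begin before this hunk.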
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 27a2beed6..dd6f4f456 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -279,25 +279,6 @@ in {
 '';
 };
 };
- philipsaendig = {
- owner = config.krebs.users.mic92;
- nets.retiolum = {
- ip4.addr = "10.243.29.193";
- aliases = [
- "philipsaendig.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
- 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
- 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
- +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
- Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
- oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
 yasmin = {
 owner = config.krebs.users.mic92;
 nets.internet = {
@@ -306,7 +287,6 @@ in {
 aliases = [ "yasmin.i" ];
 };
 nets.retiolum = {
- ip4.addr = "10.243.29.197";
 aliases = [
 "yasmin.r"
 ];
@@ -414,7 +394,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.195";
 aliases = [ "bill.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -445,7 +424,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.173";
 aliases = [ "nardole.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -470,7 +448,6 @@ in {
 owner = config.krebs.users.mic92;
 nets = {
 retiolum = {
- ip4.addr = "10.243.29.171";
 aliases = [
 "rock.r"
 ];
@@ -736,7 +713,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.198";
 aliases = [ "ryan.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -764,7 +740,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.199";
 aliases = [ "graham.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index e47f9a3a7..e2caa0834 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -97,7 +97,7 @@ in {
 ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
 '';
- services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+ services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
 devices = ctr.peers;
 ignorePerms = false;
 })) cfg.containers);
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 21ddde1c6..31371af59 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -48,7 +48,7 @@ with import <stockholm/lib>;
 };
 extraConfig = mkOption {
- type = types.str;
+ type = types.lines;
 default = "";
 description = ''
 Extra Configuration to be appended to tinc.conf
@@ -233,6 +233,7 @@ with import <stockholm/lib>;
 cfg.iproutePackage
 cfg.tincPackage
 ];
+ reloadIfChanged = true;
 serviceConfig = {
 Restart = "always";
 LoadCredential = filter (x: x != "") [
@@ -260,7 +261,7 @@ with import <stockholm/lib>;
 "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
 "--pidfile=/var/run/tinc.${netname}.pid"
 ];
- ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
+ ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
 SyslogIdentifier = netname;
 };
 }) config.krebs.tinc;
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..81eeae920
--- /dev/null
+++ b/lass/3modules/acl.nix
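Review bot: In the third tinc.nix hunk ExecReload now runs `tinc -n ${netname} restart`, and combined with `reloadIfChanged = true;` from the second hunk every configuration change tears down all established tunnels instead of applying the partial reload tinc supports, which is what a reader expects `systemctl reload` to do. If a full restart is required because `tinc reload` does not pick up the options that extraConfig can now add, record that on the line, e.g. `# tinc reload only re-reads a subset of tinc.conf (see tinc(8)); restart so extraConfig changes take effect`. Since the key is read from `\${CREDENTIALS_DIRECTORY}/rsa_key`, it is also worth confirming that the daemon re-executed by the control command still sees the credentials directory; if it does not, dropping `reloadIfChanged` so that systemd restarts the unit itself would be the safer choice. The serviceConfig attribute set starts before this hunk.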
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }: let
+ parents = dir:
+ if dir == "/" then
+ [ dir ]
+ else
+ [ dir ] ++ parents (builtins.dirOf dir)
+ ;
+in {
+ options.lass.acl = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ rule = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ default = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ recursive = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ parents = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ apply ACL to every parent folder
+ '';
+ };
+ };
+ })));
+ default = {};
+ };
+ config = lib.mkIf (config.lass.acl != {}) {
+ systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.acl
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ ));
+ RemainAfterExit = true;
+ Type = "simple";
+ };
+ }) config.lass.acl;
+ };
+}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 570bb45be..0373bd44c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
 _: {
 imports = [
+ ./acl.nix
 ./dnsmasq.nix
 ./folderPerms.nix
 ./hosts.nix
diff --git a/lib/types.nix b/lib/types.nix
index 318e2f237..f312b734b 100644
--- a/lib/types.nix
+++ b/lib/types.nix
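Review bot: The setfacl lines in ExecStart interpolate `rule.rule`, `path` and each parent `folder` into the dash script unquoted, so a path containing whitespace or shell metacharacters is word-split or interpreted instead of reaching setfacl intact; wrap each with `lib.escapeShellArg`, e.g. `setfacl -${lib.optionalString rule.recursive "R"}m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}`, and likewise on the `-dm` and parent lines. With `parents = true` the unmodified rule is applied to every ancestor up to `/`, so a rule such as `u:foo:rwx` grants write on `/`, `/home` and so on where only search (`x`) is needed to reach the target; either build the parent entries with `x` only or state in the option's description that the full rule is applied to all ancestors. `parents` also never terminates for a relative path, because `builtins.dirOf` of such a path ends at `.` and never reaches `/`; an assertion that `path` starts with `/` would fail evaluation instead of hanging it. `RemainAfterExit = true` with `Type = "simple"` reports the unit active as soon as the script is spawned; `Type = "oneshot"` is the usual pairing and makes the unit's state follow setfacl's exit status.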
@@ -7,7 +7,7 @@ let mkOptionType optional optionalAttrs optionals range splitString stringLength substring test testString typeOf; inherit (lib.types) - attrsOf bool either enum int listOf nullOr path str submodule; + attrsOf bool either enum int lines listOf nullOr path str submodule; in rec { @@ -211,7 +211,7 @@ rec { extraConfig = mkOption { description = "Extra Configuration to be appended to the hosts file"; default = ""; - type = str; + type = lines; }; port = mkOption { type = int; |