Diffstat (limited to 'krebs/3modules')
-rw-r--r--krebs/3modules/default.nix34
-rw-r--r--krebs/3modules/dns.nix13
-rw-r--r--krebs/3modules/ergo.nix133
-rw-r--r--krebs/3modules/exim-smarthost.nix43
-rw-r--r--krebs/3modules/hosts.nix2
-rw-r--r--krebs/3modules/htgen.nix21
-rw-r--r--krebs/3modules/sitemap.nix8
-rw-r--r--krebs/3modules/ssl.nix21
-rw-r--r--krebs/3modules/users.nix20
9 files changed, 102 insertions, 193 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 70fc05813..0ac8cb743 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -20,7 +20,6 @@ let
./ci
./current.nix
./dns.nix
- ./ergo.nix
./exim-retiolum.nix
./exim-smarthost.nix
./exim.nix
@@ -49,6 +48,7 @@ let
./secret.nix
./setuid.nix
./shadow.nix
+ ./sitemap.nix
./ssl.nix
./sync-containers.nix
./systemd.nix
@@ -56,6 +56,7 @@ let
./tinc_graphs.nix
./upstream
./urlwatch.nix
+ ./users.nix
./xresources.nix
./zones.nix
];
@@ -66,15 +67,6 @@ let
api = {
enable = mkEnableOption "krebs";
- users = mkOption {
- type = with types; attrsOf user;
- };
-
- sitemap = mkOption {
- default = {};
- type = types.attrsOf types.sitemap.entry;
- };
-
zone-head-config = mkOption {
type = with types; attrsOf str;
description = ''
@@ -102,28 +94,6 @@ let
imp = lib.mkMerge [
{
- krebs.dns.providers = {
- "krebsco.de" = "zones";
- shack = "hosts";
- i = "hosts";
- r = "hosts";
- w = "hosts";
- };
-
- krebs.dns.search-domain = mkDefault "r";
-
- krebs.users = {
- krebs = {
- home = "/krebs";
- mail = "spam@krebsco.de";
- };
- root = {
- home = "/root";
- pubkey = config.krebs.build.host.ssh.pubkey;
- uid = 0;
- };
- };
-
services.openssh.hostKeys =
let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) [privkey];
diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix
index 8acc4ccd8..8a74d3067 100644
--- a/krebs/3modules/dns.nix
+++ b/krebs/3modules/dns.nix
@@ -1,12 +1,21 @@
with import <stockholm/lib>;
-{
+{ config, ... }: {
options = {
krebs.dns.providers = mkOption {
type = types.attrsOf types.str;
};
-
krebs.dns.search-domain = mkOption {
type = types.nullOr types.hostname;
};
};
+ config = mkIf config.krebs.enable {
+ krebs.dns.providers = {
+ "krebsco.de" = "zones";
+ shack = "hosts";
+ i = "hosts";
+ r = "hosts";
+ w = "hosts";
+ };
+ krebs.dns.search-domain = mkDefault "r";
+ };
}
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
deleted file mode 100644
index d5f167e79..000000000
--- a/krebs/3modules/ergo.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{ config, lib, options, pkgs, ... }: {
- options = {
- krebs.ergo = {
- enable = lib.mkEnableOption "Ergo IRC daemon";
- openFilesLimit = lib.mkOption {
- type = lib.types.int;
- default = 1024;
- description = ''
- Maximum number of open files. Limits the clients and server connections.
- '';
- };
- config = lib.mkOption {
- type = (pkgs.formats.json {}).type;
- description = ''
- Ergo IRC daemon configuration file.
- https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml
- '';
- default = {
- network = {
- name = "krebstest";
- };
- server = {
- name = "${config.networking.hostName}.r";
- listeners = {
- ":6667" = {};
- };
- casemapping = "permissive";
- enforce-utf = true;
- lookup-hostnames = false;
- ip-cloaking = {
- enabled = false;
- };
- forward-confirm-hostnames = false;
- check-ident = false;
- relaymsg = {
- enabled = false;
- };
- max-sendq = "1M";
- ip-limits = {
- count = false;
- throttle = false;
- };
- };
- datastore = {
- autoupgrade = true;
- path = "/var/lib/ergo/ircd.db";
- };
- accounts = {
- authentication-enabled = true;
- registration = {
- enabled = true;
- allow-before-connect = true;
- throttling = {
- enabled = true;
- duration = "10m";
- max-attempts = 30;
- };
- bcrypt-cost = 4;
- email-verification.enabled = false;
- };
- multiclient = {
- enabled = true;
- allowed-by-default = true;
- always-on = "opt-out";
- auto-away = "opt-out";
- };
- };
- channels = {
- default-modes = "+ntC";
- registration = {
- enabled = true;
- };
- };
- limits = {
- nicklen = 32;
- identlen = 20;
- channellen = 64;
- awaylen = 390;
- kicklen = 390;
- topiclen = 390;
- };
- history = {
- enabled = true;
- channel-length = 2048;
- client-length = 256;
- autoresize-window = "3d";
- autoreplay-on-join = 0;
- chathistory-maxmessages = 100;
- znc-maxmessages = 2048;
- restrictions = {
- expire-time = "1w";
- query-cutoff = "none";
- grace-period = "1h";
- };
- retention = {
- allow-individual-delete = false;
- enable-account-indexing = false;
- };
- tagmsg-storage = {
- default = false;
- whitelist = [
- "+draft/react"
- "+react"
- ];
- };
- };
- };
- };
- };
- };
- config = let
- cfg = config.krebs.ergo;
- configFile = pkgs.writeJSON "ergo.conf" cfg.config;
- in lib.mkIf cfg.enable ({
- environment.etc."ergo.yaml".source = configFile;
- krebs.ergo.config =
- lib.mapAttrsRecursive (_: lib.mkDefault) options.krebs.ergo.config.default;
- systemd.services.ergo = {
- description = "Ergo IRC daemon";
- wantedBy = [ "multi-user.target" ];
- # reload currently not working as expected
- # reloadIfChanged = true;
- restartTriggers = [ configFile ];
- serviceConfig = {
- ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
- ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
- DynamicUser = true;
- StateDirectory = "ergo";
- LimitNOFILE = "${toString cfg.openFilesLimit}";
- };
- };
- });
-}
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index fe149448b..7c176d224 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -12,6 +12,8 @@ let
api = {
enable = mkEnableOption "krebs.exim-smarthost";
+ enableSPFVerification = mkEnableOption "SPF verification";
+
authenticators = mkOption {
type = types.attrsOf types.str;
default = {};
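Review bot: `enableSPFVerification` only gets the generic text that `mkEnableOption` generates, while turning it on changes acceptance policy at MAIL FROM (fail/softfail rejected, temperror deferred, authenticated clients and `relay_from_hosts` exempt). Readers of the option should see that without opening the ACL, so switch to `mkOption { type = types.bool; default = false; description = ...; }` with a description that states those three outcomes and the exemptions in one sentence. The option also depends on the exim package being built with SPF support, which is worth one clause in the same description. The `api` attribute set continues outside the hunk.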
@@ -123,10 +125,12 @@ let
# XXX We abuse local_domains to mean "domains, we're the gateway for".
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
+ domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains}
hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts}
- acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
+ acl_smtp_mail = acl_check_mail
+ acl_smtp_rcpt = acl_check_rcpt
never_users = root
@@ -173,11 +177,46 @@ let
acl_check_data:
warn
- sender_domains = ${concatStringsSep ":" cfg.sender_domains}
+ sender_domains = +sender_domains
set acl_m_special_dom = $sender_address_domain
accept
+ acl_check_mail:
+ ${if cfg.enableSPFVerification then indent /* exim */ ''
+ accept
+ authenticated = *
+ accept
+ hosts = +relay_from_hosts
+ deny
+ spf = fail : softfail
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ $sender_host_address is not allowed to send mail from \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ deny
+ spf = permerror
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ syntax error in SPF record(s) for \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ defer
+ spf = temperror
+ log_message = spf=$spf_result; deferred
+ message = temporary error during SPF validation; \
+ please try again later
+ warn
+ spf = none : neutral
+ log_message = spf=$spf_result
+ accept
+ add_header = $spf_received
+ '' else indent /* exim */ ''
+ accept
+ ''}
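Review bot: `deny spf = fail : softfail` rejects every sender whose SPF record ends in `~all`; RFC 7208 treats softfail as a weak result that a receiver should not reject on by itself, so unless that strictness is deliberate the safer policy is to move it to the warn line, `spf = none : neutral : softfail`, which still logs the result and adds the Received-SPF header via the final `accept`. The `spf` condition is only available when Exim is compiled with SPF support; I cannot see the package selection from this hunk, so an evaluation-time assertion tied to `enableSPFVerification` would surface a mismatch before the daemon fails to start. The `acl_check_mail` block is complete here, but the enclosing `let` and the exim configuration string continue outside the hunk.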
begin routers
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index ae0136303..bd1bb1652 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -11,7 +11,7 @@ in {
};
};
- config = {
+ config = mkIf config.krebs.enable {
networking.hosts =
filterAttrs
(_name: value: value != [])
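Review bot: `mkIf config.krebs.enable` requires both `mkIf` and `config` to be in scope in this module, and the file header is outside the hunk; dns.nix in the same commit had to add `{ config, ... }:` for exactly this reason, so confirm hosts.nix already takes `config` as a module argument. The `config =` attribute continues past the end of the hunk.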
diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix
index 375e26974..1e7e69927 100644
--- a/krebs/3modules/htgen.nix
+++ b/krebs/3modules/htgen.nix
@@ -2,6 +2,12 @@
with import <stockholm/lib>;
let
+ optionalAttr = name: value:
+ if name != null then
+ { ${name} = value; }
+ else
+ {};
+
cfg = config.krebs.htgen;
out = {
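Review bot: `optionalAttr` tests the wrong argument: at both call sites further down (`optionalAttr "HTGEN_SCRIPT" htgen.script` and `optionalAttr "HTGEN_SCRIPT_FILE" htgen.scriptFile`) `name` is a literal string, so `name != null` is always true and `{ HTGEN_SCRIPT = null; }` is produced when `script` is unset; the guard should read `if value != null then`. Whether NixOS later drops null entries from `systemd.services.<name>.environment` is not visible here, so the current code may work by accident, but the helper's intent is clearly to omit the key. The `let` block continues outside the hunk.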
@@ -30,8 +36,15 @@ let
};
script = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ scriptFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
};
+
user = mkOption {
type = types.user;
default = {
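Review bot: Both `script` and `scriptFile` now default to `null`, and nothing in this hunk or the environment hunk below rejects an instance that sets neither, so the service would start with no script at all. An `assertions` entry on the instance, `assertion = htgen.script != null || htgen.scriptFile != null;` with a message naming the instance and both options, turns that into an evaluation error. Whether both may be set at once is also undefined; state it in the option descriptions, which are missing for both new options. The option set continues outside the hunk.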
@@ -54,8 +67,10 @@ let
after = [ "network.target" ];
environment = {
HTGEN_PORT = toString htgen.port;
- HTGEN_SCRIPT = htgen.script;
- };
+ }
+ // optionalAttr "HTGEN_SCRIPT" htgen.script
+ // optionalAttr "HTGEN_SCRIPT_FILE" htgen.scriptFile
+ ;
serviceConfig = {
SyslogIdentifier = "htgen";
User = htgen.user.name;
diff --git a/krebs/3modules/sitemap.nix b/krebs/3modules/sitemap.nix
new file mode 100644
index 000000000..ec2179db1
--- /dev/null
+++ b/krebs/3modules/sitemap.nix
@@ -0,0 +1,8 @@
+let
+ lib = import ../../lib;
+in {
+ options.krebs.sitemap = lib.mkOption {
+ type = with lib.types; attrsOf sitemap.entry;
+ default = {};
+ };
+}
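Review bot: `options.krebs.sitemap` has no `description`, so the option that was previously defined alongside its siblings in default.nix is now documented nowhere; a one-line `description` saying what an entry in the attrset represents would fix that. This file and users.nix reach lib via `import ../../lib` while dns.nix and htgen.nix in the same commit use `with import <stockholm/lib>`, so two lookup mechanisms for the same library now coexist in one directory; picking one keeps the modules uniform. The module is complete in this hunk.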
diff --git a/krebs/3modules/ssl.nix b/krebs/3modules/ssl.nix
index 3a9b5d329..8cbd8dcce 100644
--- a/krebs/3modules/ssl.nix
+++ b/krebs/3modules/ssl.nix
@@ -5,26 +5,7 @@ in {
rootCA = lib.mkOption {
type = lib.types.str;
readOnly = true;
- default = ''
- -----BEGIN CERTIFICATE-----
- MIIC0jCCAjugAwIBAgIJAKeARo6lDD0YMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
- VQQGEwJaWjESMBAGA1UECAwJc3RhdGVsZXNzMRAwDgYDVQQKDAdLcmVic2NvMQsw
- CQYDVQQLDAJLTTEWMBQGA1UEAwwNS3JlYnMgUm9vdCBDQTEnMCUGCSqGSIb3DQEJ
- ARYYcm9vdC1jYUBzeW50YXgtZmVobGVyLmRlMB4XDTE0MDYxMTA4NTMwNloXDTM5
- MDIwMTA4NTMwNlowgYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3Mx
- EDAOBgNVBAoMB0tyZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBS
- b290IENBMScwJQYJKoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUw
- gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMs/WNyeQziccllLqom7bfCjlh6/
- /qx9p6UOqpw96YOOT3sh/mNSBLyNxIUJbWsU7dN5hT7HkR7GwzpfKDtudd9qiZeU
- QNYQ+OL0HdOnApjdPqdspZfKxKTXyC1T1vJlaODsM1RBrjLK9RUcQZeNhgg3iM9B
- HptOCrMI2fjCdZuVAgMBAAGjUDBOMB0GA1UdDgQWBBSKeq01+rAwp7yAXwzlwZBo
- 3EGVLzAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGVLzAMBgNVHRMEBTAD
- AQH/MA0GCSqGSIb3DQEBBQUAA4GBAIWIffZuQ43ddY2/ZnjAxPCRpM3AjoKIwEj9
- GZuLJJ1sB9+/PAPmRrpmUniRkPLD4gtmolDVuoLDNAT9os7/v90yg5dOuga33Ese
- 725musUbhEoQE1A1oVHrexBs2sQOplxHKsVXoYJp2/trQdqvaNaEKc3EeVnzFC63
- 80WiO952
- -----END CERTIFICATE-----
- '';
+ default = builtins.readFile ../6assets/krebsRootCA.crt;
};
intermediateCA = lib.mkOption {
type = lib.types.str;
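Review bot: `builtins.readFile ../6assets/krebsRootCA.crt` makes evaluation depend on a file outside this diffstat (which is limited to krebs/3modules), so confirm the asset is added in the same commit. The old `''` string stripped the leading indentation and ended with a newline, whereas `readFile` returns the file verbatim, so the new default only equals the old one if the file has no indentation and the same trailing newline; consumers that compare or hash the value would notice a difference. If `intermediateCA` directly below still keeps its PEM inline, moving it to `../6assets` too would keep the two options consistent, and a short comment such as `# PEM; source of truth is krebs/6assets/krebsRootCA.crt` helps anyone who searches the tree for the certificate text. The `options` set continues outside the hunk.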
diff --git a/krebs/3modules/users.nix b/krebs/3modules/users.nix
new file mode 100644
index 000000000..c1ad4b44b
--- /dev/null
+++ b/krebs/3modules/users.nix
@@ -0,0 +1,20 @@
+{ config, ... }: let
+ lib = import ../../lib;
+in {
+ options.krebs.users = lib.mkOption {
+ type = with lib.types; attrsOf user;
+ };
+ config = lib.mkIf config.krebs.enable {
+ krebs.users = {
+ krebs = {
+ home = "/krebs";
+ mail = "spam@krebsco.de";
+ };
+ root = {
+ home = "/root";
+ pubkey = config.krebs.build.host.ssh.pubkey;
+ uid = 0;
+ };
+ };
+ };
+}
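Review bot: `options.krebs.users` carries no `description`, and the contract the `mkIf` block establishes (attribute names are user names; `krebs` and `root` are always present when `krebs.enable` is on, with `root`'s `pubkey` taken from the host's own SSH key) is not written down anywhere; one or two sentences in a `description` would do. Both entries are moved verbatim from default.nix, so there is nothing behavioural to flag. The module is complete in this hunk.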