Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/iptables.nix | 186 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 2 | ||||
-rw-r--r-- | krebs/5pkgs/default.nix | 1 | ||||
-rw-r--r-- | krebs/5pkgs/get/default.nix | 6 | ||||
-rw-r--r-- | krebs/5pkgs/jq/default.nix | 33 | ||||
-rw-r--r-- | krebs/default.nix | 1 |
7 files changed, 226 insertions, 4 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 8e9a42fd0..9ec9d0a8a 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -11,6 +11,7 @@ let
 ./exim-smarthost.nix
 ./github-hosts-sync.nix
 ./git.nix
+ ./iptables.nix
 ./nginx.nix
 ./Reaktor.nix
 ./retiolum.nix
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
new file mode 100644
index 000000000..9596229de
--- /dev/null
+++ b/krebs/3modules/iptables.nix
@@ -0,0 +1,186 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+ inherit (pkgs) writeScript writeText;
+
+ inherit (builtins)
+ elem
+ ;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ attrNames
+ unique
+ fold
+ any
+ attrValues
+ catAttrs
+ filter
+ flatten
+ length
+ hasAttr
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ sort
+ ;
+
+ cfg = config.krebs.iptables;
+
+ out = {
+ options.krebs.iptables = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "iptables";
+
+ #tables.filter.INPUT = {
+ # policy = "DROP";
+ # rules = [
+ # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+ # ];
+ #};
+ #new api
+ tables = mkOption {
+ type = with types; attrsOf (attrsOf (submodule ({
+ options = {
+ policy = mkOption {
+ type = str;
+ default = "-";
+ };
+ rules = mkOption {
+ type = nullOr (listOf (submodule ({
+ options = {
+ predicate = mkOption {
+ type = str;
+ };
+ target = mkOption {
+ type = str;
+ };
+ precedence = mkOption {
+ type = int;
+ default = 0;
+ };
+ };
+ })));
+ default = null;
+ };
+ };
+ })));
+ };
+ };
+
+ imp = {
+ networking.firewall.enable = false;
+
+ systemd.services.krebs-iptables = {
+ description = "krebs-iptables";
+ wantedBy = [ "network-pre.target" ];
+ before = [ "network-pre.target" ];
+ after = [ "systemd-modules-load.service" ];
+
+ path = with pkgs; [
+ iptables
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript} krebs-iptables_start";
+ };
+ };
+ };
+
+ #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
+ #todo: differentiate by iptables-version
+ buildTables = v: ts:
+ let
+
+ declareChain = t: cn:
+ #TODO: find out what to do whit these count numbers
+ ":${cn} ${t."${cn}".policy} [0:0]";
+
+ buildChain = tn: cn:
+ let
+ sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+
+ in
+ #TODO: double check should be unneccessary, refactor!
+ if ts.${tn}.${cn}.rules or null != null then
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map (buildRule tn cn) sortedRules
+ )
+ else
+ ""
+ ;
+
+
+ buildRule = tn: cn: rule:
+ #target validation test:
+ assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
+
+ #predicate validation test:
+ #maybe use iptables-test
+ #TODO: howto exit with evaluation error by shellscript?
+ #apperantly not possible from nix because evalatution wouldn't be deterministic.
+ "${rule.predicate} -j ${rule.target}";
+
+ buildTable = tn:
+ "*${tn}\n" + + concatStringsSep "\n" ([]
+ ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
+ ) + + #this looks dirty, find a better way to do this (maybe optionalString)
+ concatStringsSep "" ([]
+ ++ map (buildChain tn) (attrNames ts."${tn}")
+ ) + + "\nCOMMIT";
+ in
+ concatStringsSep "\n" ([]
+ ++ map buildTable (attrNames ts)
+ );
+
+#=====
+
+ rules4 = iptables-version:
+ let
+ #TODO: find out good defaults.
+ tables-defaults = {
+ nat.PREROUTING.policy = "ACCEPT";
+ nat.INPUT.policy = "ACCEPT";
+ nat.OUTPUT.policy = "ACCEPT";
+ nat.POSTROUTING.policy = "ACCEPT";
+ filter.INPUT.policy = "ACCEPT";
+ filter.FORWARD.policy = "ACCEPT";
+ filter.OUTPUT.policy = "ACCEPT";
+
+ #if someone specifies any other rules on this chain, the default rules get lost.
+ #is this wanted beahiviour or a bug?
+ #TODO: implement abstraction of rules
+ filter.INPUT.rules = [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ ];
+ };
+ tables = tables-defaults // cfg.tables;
+
+ in
+ writeText "krebs-iptables-rules${toString iptables-version}" ''
+ ${buildTables iptables-version tables}
+ '';
+
+ startScript = writeScript "krebs-iptables_start" ''
+ #! /bin/sh
+ set -euf
+ iptables-restore < ${rules4 4}
+ ip6tables-restore < ${rules4 6}
+ '';
+
+in
+out
+
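Review bot: Enabling `krebs.iptables` sets `networking.firewall.enable = false` in `imp` while `tables-defaults` in `rules4` leaves every built-in chain at policy ACCEPT, so a host that turns this on without also populating `tables` goes from the NixOS firewall's default of rejecting unsolicited inbound traffic to accepting everything on both address families. That deserves to be stated on the option, e.g. give `tables` a `description = "iptables tables; with nothing set here all built-in chains default to ACCEPT and networking.firewall is disabled";`, and it is worth considering `filter.INPUT.policy = "DROP"` plus loopback and the existing conntrack rule as the shipped default. The merge `tables = tables-defaults // cfg.tables;` is shallow, so setting any chain of a table, even `tables.filter.OUTPUT.rules`, replaces the whole default `filter` attribute and drops the RELATED,ESTABLISHED rule and the other chains' declared policies, which is broader than the "on this chain" wording of the comment above it. `buildTables` never uses its version argument, so `rules4 6` hands the identical IPv4 ruleset to `ip6tables-restore`; a predicate that is valid for only one family will make the second restore fail under `set -euf` after the first has already been applied, leaving v4 and v6 in different states, which at least merits a comment in `startScript` until the versions are differentiated.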
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 32b366b91..0065f7692 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -9,7 +9,7 @@ with import ../../4lib { inherit lib; };
 dc = "lass"; #dc = "cac";
 nets = rec {
 internet = {
- addrs4 = ["104.233.84.57"];
+ addrs4 = ["162.248.162.105"];
 aliases = [
 "echelon.internet"
 ];
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 52b5dc78c..7e136d96f 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -15,6 +15,7 @@ rec {
 github-hosts-sync = callPackage ./github-hosts-sync {};
 github-known_hosts = callPackage ./github-known_hosts {};
 hashPassword = callPackage ./hashPassword {};
+ jq = callPackage ./jq {};
 krebszones = callPackage ./krebszones {};
 lentil = callPackage ./lentil {};
 much = callPackage ./much {};
diff --git a/krebs/5pkgs/get/default.nix b/krebs/5pkgs/get/default.nix
index 20bbfd014..d4f5f6b46 100644
--- a/krebs/5pkgs/get/default.nix
+++ b/krebs/5pkgs/get/default.nix
@@ -1,12 +1,12 @@
 { coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }:
 stdenv.mkDerivation {
- name = "get-1.3.0";
+ name = "get-1.3.1";
 src = fetchgit {
 url = http://cgit.cd.retiolum/get;
- rev = "fbe8f8d12ede9762fceb15b9944b69a4ee6331eb";
- sha256 = "bcdf036f8b5d1467285d0998aeac7e48280adfb9e1278f9f424c9c8b5e6ed8fa";
+ rev = "64c97edd3f9952cd5e703208c46748a035a515bf";
+ sha256 = "32ca83f4fd86fd3285bef9dcfd0917308086d239189858daceca175de49ff97c";
 };
 phases = [
diff --git a/krebs/5pkgs/jq/default.nix b/krebs/5pkgs/jq/default.nix
new file mode 100644
index 000000000..41db0f284
--- /dev/null
+++ b/krebs/5pkgs/jq/default.nix
@@ -0,0 +1,33 @@
+{stdenv, fetchurl}:
+let
+ s = # Generated upstream information
+ rec {
+ baseName="jq";
+ version="1.5";
+ name="${baseName}-${version}";
+ url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz;
+ sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
+ };
+ buildInputs = [
+ ];
+in
+stdenv.mkDerivation {
+ inherit (s) name version;
+ inherit buildInputs;
+ src = fetchurl {
+ inherit (s) url sha256;
+ };
+
+ # jq is linked to libjq:
+ configureFlags = [
+ "LDFLAGS=-Wl,-rpath,\\\${libdir}"
+ ];
+ meta = {
+ inherit (s) version;
+ description = ''A lightweight and flexible command-line JSON processor'';
+ license = stdenv.lib.licenses.mit ;
+ maintainers = [stdenv.lib.maintainers.raskin];
+ platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
+ };
+}
+
diff --git a/krebs/default.nix b/krebs/default.nix
index 0ec4c6079..b98fad558 100644
--- a/krebs/default.nix
+++ b/krebs/default.nix
@@ -85,6 +85,7 @@ # s:^nix-env:chroot $mountPoint '"$nix_env"': #' nixos-install
+ unset SSL_CERT_FILE
 ./nixos-install ${builtins.readFile ./4lib/infest/finalize.sh} |
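Review bot: The release URL in `s` spells out `jq-1.5` twice although `version` is defined two lines above it, so a later bump that edits `version` and `sha256` but not the URL either builds the old tarball under the new name or fails on the hash mismatch; quoting and interpolating removes the duplication, `url="https://github.com/stedolan/jq/releases/download/jq-${version}/jq-${version}.tar.gz";`. The `# Generated upstream information` comment suggests the block came out of a tool, and naming that tool in the comment would let the next maintainer regenerate the block instead of hand-editing it.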
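Review bot: `unset SSL_CERT_FILE` is added before `./nixos-install` without saying why it is needed; presumably the host's value names a certificate bundle path that does not exist from the target's point of view, but that is inference from the surrounding lines. Because unsetting it also changes which CA store is trusted for everything the install fetches, a one-line comment above it such as `# the host's SSL_CERT_FILE is not usable here; let nixos-install fall back to its own CA bundle`, adjusted to the real reason, would spare the next reader from re-deriving it. The enclosing install script starts outside the hunk.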