summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/0tests/data/test-config.nix1
-rw-r--r--krebs/1systems/hotdog/config.nix2
-rw-r--r--krebs/1systems/ponte/config.nix26
-rw-r--r--krebs/1systems/puyak/config.nix3
-rw-r--r--krebs/2configs/default.nix6
-rw-r--r--krebs/2configs/ircd.nix5
-rw-r--r--krebs/2configs/mastodon-proxy.nix24
-rw-r--r--krebs/2configs/mastodon.nix46
-rw-r--r--krebs/2configs/news.nix4
-rw-r--r--krebs/2configs/reaktor2.nix39
-rw-r--r--krebs/2configs/shack/prometheus/alertmanager-telegram.nix17
-rw-r--r--krebs/3modules/default.nix40
-rw-r--r--krebs/3modules/dns.nix13
-rw-r--r--krebs/3modules/ergo.nix133
-rw-r--r--krebs/3modules/exim-smarthost.nix43
-rw-r--r--krebs/3modules/hosts.nix2
-rw-r--r--krebs/3modules/htgen.nix21
-rw-r--r--krebs/3modules/krebs-pages.nix46
-rw-r--r--krebs/3modules/sitemap.nix8
-rw-r--r--krebs/3modules/ssl.nix21
-rw-r--r--krebs/3modules/users.nix20
-rw-r--r--krebs/5pkgs/simple/generate-secrets/default.nix1
-rw-r--r--krebs/5pkgs/simple/git-assembler.nix24
-rw-r--r--krebs/5pkgs/simple/htgen/default.nix7
-rw-r--r--krebs/5pkgs/simple/krebs-pages/fixtures/index.html21
-rw-r--r--krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html133
-rw-r--r--krebs/5pkgs/simple/passwdqc-utils/default.nix11
-rw-r--r--krebs/5pkgs/simple/stable-generate/default.nix64
-rw-r--r--krebs/5pkgs/simple/stable-interrogate/default.nix30
-rw-r--r--krebs/5pkgs/simple/ukrepl.nix11
-rw-r--r--krebs/6assets/krebsAcmeCA.crt22
-rw-r--r--krebs/6assets/krebsRootCA.crt18
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rwxr-xr-xkrebs/update-nixpkgs.sh2
35 files changed, 425 insertions, 455 deletions
diff --git a/krebs/0tests/data/test-config.nix b/krebs/0tests/data/test-config.nix
index f0927ddd9..33cb01245 100644
--- a/krebs/0tests/data/test-config.nix
+++ b/krebs/0tests/data/test-config.nix
@@ -8,7 +8,6 @@
];
krebs.hosts.minimal = {
- cores = 1;
secure = false;
};
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 02749dafe..9849937d5 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -14,6 +14,7 @@
<stockholm/krebs/2configs/mud.nix>
<stockholm/krebs/2configs/cal.nix>
+ <stockholm/krebs/2configs/mastodon.nix>
## shackie irc bot
<stockholm/krebs/2configs/shack/reaktor.nix>
@@ -21,6 +22,7 @@
krebs.build.host = config.krebs.hosts.hotdog;
krebs.github-hosts-sync.enable = true;
+ krebs.pages.enable = true;
boot.isContainer = true;
networking.useDHCP = false;
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8250ebad9..2f55995cf 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -7,5 +7,31 @@
<stockholm/krebs/2configs/matterbridge.nix>
];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.logRefusedConnections = false;
+ networking.firewall.logRefusedUnicastsOnly = false;
+
+ # Move Internet-facing SSH port to reduce logspam.
+ networking.firewall.extraCommands = let
+ host = config.krebs.build.host;
+ in /* sh */ ''
+ iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+ iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+ ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+ ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+ '';
+
krebs.build.host = config.krebs.hosts.ponte;
+
+ krebs.pages.enable = true;
+ krebs.pages.nginx.addSSL = true;
+ krebs.pages.nginx.enableACME = true;
+
+ security.acme.acceptTerms = true;
+ security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
}
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index f4bd472a4..033cb94d1 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -110,7 +110,8 @@
<stockholm/krebs/2configs/shack/prometheus/server.nix>
<stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
#<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
- <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
+ # TODO: alertmanager 0.24+ supports telegram
+ # <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
];
krebs.build.host = config.krebs.hosts.puyak;
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 38d770316..fffe128e6 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -27,9 +27,6 @@ with import <stockholm/lib>;
];
console.keyMap = "us";
- i18n = {
- defaultLocale = lib.mkForce "C";
- };
programs.ssh.startAgent = false;
@@ -60,4 +57,7 @@ with import <stockholm/lib>;
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "17.03";
+
+ # maybe fix Error: unsupported locales detected:
+ i18n.defaultLocale = mkDefault "C.UTF-8";
}
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index c6c91e074..5435ea166 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -5,9 +5,10 @@
6667
];
- krebs.ergo = {
+ services.ergochat = {
enable = true;
- config = {
+ settings = {
+ server.name = "irc.r";
server.secure-nets = [
"42::0/16"
"10.240.0.0/12"
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
new file mode 100644
index 000000000..4d359c3fe
--- /dev/null
+++ b/krebs/2configs/mastodon-proxy.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."social.krebsco.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ # TODO use this in 22.11
+ # recommendedProxySettings = true;
+ proxyPass = "http://hotdog.r";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ '';
+ };
+ };
+ };
+}
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
new file mode 100644
index 000000000..145b383ed
--- /dev/null
+++ b/krebs/2configs/mastodon.nix
@@ -0,0 +1,46 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
+ package = pkgs.postgresql_11;
+ };
+ systemd.tmpfiles.rules = [
+ "d /var/state/postgresql 0700 postgres postgres -"
+ ];
+
+ services.mastodon = {
+ enable = true;
+ localDomain = "social.krebsco.de";
+ configureNginx = true;
+ trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
+ smtp.createLocally = false;
+ smtp.fromAddress = "derp";
+ };
+
+ services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
+ forceSSL = lib.mkForce false;
+ enableACME = lib.mkForce false;
+ locations."@proxy".extraConfig = ''
+ proxy_redirect off;
+ proxy_pass_header Server;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ ];
+
+ environment.systemPackages = [
+ (pkgs.writers.writeDashBin "tootctl" ''
+ sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@"
+ '')
+ (pkgs.writers.writeDashBin "create-mastodon-user" ''
+ set -efu
+ nick=$1
+ /run/current-system/sw/bin/tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed
+ /run/current-system/sw/bin/tootctl accounts approve "$nick"
+ '')
+ ];
+}
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 3649aeeea..d6c6371da 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,8 +68,8 @@
wantedBy = [ "multi-user.target" ];
};
- krebs.ergo.openFilesLimit = 16384;
- krebs.ergo.config = {
+ services.ergochat.openFilesLimit = 16384;
+ services.ergochat.settings = {
limits.nicklen = 100;
limits.identlen = 100;
history.enabled = false;
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 13b59fa82..11aaf876a 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -64,8 +64,7 @@ let
pkgs.curl
pkgs.stable-generate
]}
- stable_url=$(stable-generate "$@")
- paste_url=$(curl -Ss "$stable_url" |
+ paste_url=$(stable-generate "$@" |
curl -Ss http://p.r --data-binary @- |
tail -1
)
@@ -73,6 +72,22 @@ let
'';
};
};
+ interrogate = {
+ pattern = "^!interrogate (.*)$";
+ activate = "match";
+ arguments = [1];
+ command = {
+ filename = pkgs.writeDash "interrogate" ''
+ set -efux
+
+ export PATH=${makeBinPath [
+ pkgs.stable-interrogate
+ ]}
+ caption=$(stable-interrogate "$@")
+ echo "$_from: $caption"
+ '';
+ };
+ };
confuse_hackint = {
pattern = "^!confuse (.*)$";
@@ -87,8 +102,7 @@ let
pkgs.stable-generate
]}
case $_msgtarget in \#*)
- stable_url=$(stable-generate "$@")
- paste_url=$(curl -Ss "$stable_url" |
+ paste_url=$(stable-generate "$@" |
curl -Ss https://p.krebsco.de --data-binary @- |
tail -1
)
@@ -132,7 +146,7 @@ let
command = 1;
arguments = [2];
env.TASKDATA = "${stateDir}/${name}";
- commands = {
+ commands = rec {
add.filename = pkgs.writeDash "${name}-task-add" ''
${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1"
'';
@@ -145,6 +159,7 @@ let
delete.filename = pkgs.writeDash "${name}-task-delete" ''
${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1"
'';
+ del = delete;
done.filename = pkgs.writeDash "${name}-task-done" ''
${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1"
'';
@@ -289,7 +304,18 @@ let
longitude=$(echo "$poi" | jq -r .longitude)
fi
- restaurant=$(osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude")
+ for api_endpoint in \
+ https://lz4.overpass-api.de/api/interpreter \
+ https://z.overpass-api.de/api/interpreter \
+ https://maps.mail.ru/osm/tools/overpass/api/interpreter \
+ https://overpass.openstreetmap.ru/api/interpreter \
+ https://overpass.kumi.systems/api/interpreter
+ do
+ restaurant=$(osm-restaurants --endpoint "$api_endpoint" --radius "$2" --latitude "$latitude" --longitude "$longitude")
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ done
printf '%s' "$restaurant" | tail -1 | jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
'';
};
@@ -297,6 +323,7 @@ let
bedger-add
bedger-balance
hooks.sed
+ interrogate
say
(generators.command_hook {
inherit (commands) dance random-emoji nixos-version;
diff --git a/krebs/2configs/shack/prometheus/alertmanager-telegram.nix b/krebs/2configs/shack/prometheus/alertmanager-telegram.nix
deleted file mode 100644
index 8527001cb..000000000
--- a/krebs/2configs/shack/prometheus/alertmanager-telegram.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ pkgs, ...}:
-{
- systemd.services.alertmanager-bot-telegram = {
- wantedBy = [ "multi-user.target" ];
- after = [ "ip-up.target" ];
- serviceConfig = {
- EnvironmentFile = toString <secrets/shack/telegram_bot.env>;
- DynamicUser = true;
- StateDirectory = "alertbot";
- ExecStart = ''${pkgs.alertmanager-bot-telegram}/bin/alertmanager-bot \
- --alertmanager.url=http://alert.prometheus.shack --log.level=info \
- --store=bolt --bolt.path=/var/lib/alertbot/bot.db \
- --listen.addr="0.0.0.0:16320" \
- --template.paths=${./templates}/shack.tmpl'';
- };
- };
-}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 70fc05813..bff7e135f 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -7,6 +7,7 @@ let
out = {
imports = [
../../kartei
+ ../../submodules/disko/module.nix
./acl.nix
./airdcpp.nix
./announce-activation.nix
@@ -20,7 +21,6 @@ let
./ci
./current.nix
./dns.nix
- ./ergo.nix
./exim-retiolum.nix
./exim-smarthost.nix
./exim.nix
@@ -35,6 +35,7 @@ let
./iptables.nix
./kapacitor.nix
./konsens.nix
+ ./krebs-pages.nix
./monit.nix
./nixpkgs.nix
./on-failure.nix
@@ -49,6 +50,7 @@ let
./secret.nix
./setuid.nix
./shadow.nix
+ ./sitemap.nix
./ssl.nix
./sync-containers.nix
./systemd.nix
@@ -56,6 +58,7 @@ let
./tinc_graphs.nix
./upstream
./urlwatch.nix
+ ./users.nix
./xresources.nix
./zones.nix
];
@@ -66,15 +69,6 @@ let
api = {
enable = mkEnableOption "krebs";
- users = mkOption {
- type = with types; attrsOf user;
- };
-
- sitemap = mkOption {
- default = {};
- type = types.attrsOf types.sitemap.entry;
- };
-
zone-head-config = mkOption {
type = with types; attrsOf str;
description = ''
@@ -91,10 +85,6 @@ let
@ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
IN NS ns19.ovh.net.
IN NS dns19.ovh.net.
- IN A 185.199.108.153
- IN A 185.199.109.153
- IN A 185.199.110.153
- IN A 185.199.111.153
'';
};
};
@@ -102,28 +92,6 @@ let
imp = lib.mkMerge [
{
- krebs.dns.providers = {
- "krebsco.de" = "zones";
- shack = "hosts";
- i = "hosts";
- r = "hosts";
- w = "hosts";
- };
-
- krebs.dns.search-domain = mkDefault "r";
-
- krebs.users = {
- krebs = {
- home = "/krebs";
- mail = "spam@krebsco.de";
- };
- root = {
- home = "/root";
- pubkey = config.krebs.build.host.ssh.pubkey;
- uid = 0;
- };
- };
-
services.openssh.hostKeys =
let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) [privkey];
diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix
index 8acc4ccd8..8a74d3067 100644
--- a/krebs/3modules/dns.nix
+++ b/krebs/3modules/dns.nix
@@ -1,12 +1,21 @@
with import <stockholm/lib>;
-{
+{ config, ... }: {
options = {
krebs.dns.providers = mkOption {
type = types.attrsOf types.str;
};
-
krebs.dns.search-domain = mkOption {
type = types.nullOr types.hostname;
};
};
+ config = mkIf config.krebs.enable {
+ krebs.dns.providers = {
+ "krebsco.de" = "zones";
+ shack = "hosts";
+ i = "hosts";
+ r = "hosts";
+ w = "hosts";
+ };
+ krebs.dns.search-domain = mkDefault "r";
+ };
}
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
deleted file mode 100644
index d5f167e79..000000000
--- a/krebs/3modules/ergo.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{ config, lib, options, pkgs, ... }: {
- options = {
- krebs.ergo = {
- enable = lib.mkEnableOption "Ergo IRC daemon";
- openFilesLimit = lib.mkOption {
- type = lib.types.int;
- default = 1024;
- description = ''
- Maximum number of open files. Limits the clients and server connections.
- '';
- };
- config = lib.mkOption {
- type = (pkgs.formats.json {}).type;
- description = ''
- Ergo IRC daemon configuration file.
- https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml
- '';
- default = {
- network = {
- name = "krebstest";
- };
- server = {
- name = "${config.networking.hostName}.r";
- listeners = {
- ":6667" = {};
- };
- casemapping = "permissive";
- enforce-utf = true;
- lookup-hostnames = false;
- ip-cloaking = {
- enabled = false;
- };
- forward-confirm-hostnames = false;
- check-ident = false;
- relaymsg = {
- enabled = false;
- };
- max-sendq = "1M";
- ip-limits = {
- count = false;
- throttle = false;
- };
- };
- datastore = {
- autoupgrade = true;
- path = "/var/lib/ergo/ircd.db";
- };
- accounts = {
- authentication-enabled = true;
- registration = {
- enabled = true;
- allow-before-connect = true;
- throttling = {
- enabled = true;
- duration = "10m";
- max-attempts = 30;
- };
- bcrypt-cost = 4;
- email-verification.enabled = false;
- };
- multiclient = {
- enabled = true;
- allowed-by-default = true;
- always-on = "opt-out";
- auto-away = "opt-out";
- };
- };
- channels = {
- default-modes = "+ntC";
- registration = {
- enabled = true;
- };
- };
- limits = {
- nicklen = 32;
- identlen = 20;
- channellen = 64;
- awaylen = 390;
- kicklen = 390;
- topiclen = 390;
- };
- history = {
- enabled = true;
- channel-length = 2048;
- client-length = 256;
- autoresize-window = "3d";
- autoreplay-on-join = 0;
- chathistory-maxmessages = 100;
- znc-maxmessages = 2048;
- restrictions = {
- expire-time = "1w";
- query-cutoff = "none";
- grace-period = "1h";
- };
- retention = {
- allow-individual-delete = false;
- enable-account-indexing = false;
- };
- tagmsg-storage = {
- default = false;
- whitelist = [
- "+draft/react"
- "+react"
- ];
- };
- };
- };
- };
- };
- };
- config = let
- cfg = config.krebs.ergo;
- configFile = pkgs.writeJSON "ergo.conf" cfg.config;
- in lib.mkIf cfg.enable ({
- environment.etc."ergo.yaml".source = configFile;
- krebs.ergo.config =
- lib.mapAttrsRecursive (_: lib.mkDefault) options.krebs.ergo.config.default;
- systemd.services.ergo = {
- description = "Ergo IRC daemon";
- wantedBy = [ "multi-user.target" ];
- # reload currently not working as expected
- # reloadIfChanged = true;
- restartTriggers = [ configFile ];
- serviceConfig = {
- ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
- ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
- DynamicUser = true;
- StateDirectory = "ergo";
- LimitNOFILE = "${toString cfg.openFilesLimit}";
- };
- };
- });
-}
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index fe149448b..7c176d224 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -12,6 +12,8 @@ let
api = {
enable = mkEnableOption "krebs.exim-smarthost";
+ enableSPFVerification = mkEnableOption "SPF verification";
+
authenticators = mkOption {
type = types.attrsOf types.str;
default = {};
@@ -123,10 +125,12 @@ let
# XXX We abuse local_domains to mean "domains, we're the gateway for".
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
+ domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains}
hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts}
- acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
+ acl_smtp_mail = acl_check_mail
+ acl_smtp_rcpt = acl_check_rcpt
never_users = root
@@ -173,11 +177,46 @@ let
acl_check_data:
warn
- sender_domains = ${concatStringsSep ":" cfg.sender_domains}
+ sender_domains = +sender_domains
set acl_m_special_dom = $sender_address_domain
accept
+ acl_check_mail:
+ ${if cfg.enableSPFVerification then indent /* exim */ ''
+ accept
+ authenticated = *
+ accept
+ hosts = +relay_from_hosts
+ deny
+ spf = fail : softfail
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ $sender_host_address is not allowed to send mail from \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ deny
+ spf = permerror
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ syntax error in SPF record(s) for \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ defer
+ spf = temperror
+ log_message = spf=$spf_result; deferred
+ message = temporary error during SPF validation; \
+ please try again later
+ warn
+ spf = none : neutral
+ log_message = spf=$spf_result
+ accept
+ add_header = $spf_received
+ '' else indent /* exim */ ''
+ accept
+ ''}
begin routers
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index ae0136303..bd1bb1652 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -11,7 +11,7 @@ in {
};
};
- config = {
+ config = mkIf config.krebs.enable {
networking.hosts =
filterAttrs
(_name: value: value != [])
diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix
index 375e26974..b760ea671 100644
--- a/krebs/3modules/htgen.nix
+++ b/krebs/3modules/htgen.nix
@@ -2,6 +2,12 @@
with import <stockholm/lib>;
let
+ optionalAttr = name: value:
+ if name != null then
+ { ${name} = value; }
+ else
+ {};
+
cfg = config.krebs.htgen;
out = {
@@ -30,8 +36,15 @@ let
};
script = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
+ default = null;
+ };
+
+ scriptFile = mkOption {
+ type = types.nullOr (types.either types.package types.pathname);
+ default = null;
};
+
user = mkOption {
type = types.user;
default = {
@@ -54,8 +67,10 @@ let
after = [ "network.target" ];
environment = {
HTGEN_PORT = toString htgen.port;
- HTGEN_SCRIPT = htgen.script;
- };
+ }
+ // optionalAttr "HTGEN_SCRIPT" htgen.script
+ // optionalAttr "HTGEN_SCRIPT_FILE" htgen.scriptFile
+ ;
serviceConfig = {
SyslogIdentifier = "htgen";
User = htgen.user.name;
diff --git a/krebs/3modules/krebs-pages.nix b/krebs/3modules/krebs-pages.nix
new file mode 100644
index 000000000..6dd046a8b
--- /dev/null
+++ b/krebs/3modules/krebs-pages.nix