summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/iptables.nix51
-rw-r--r--krebs/3modules/nginx.nix45
-rw-r--r--krebs/3modules/tv/default.nix11
-rw-r--r--krebs/5pkgs/builders.nix16
-rw-r--r--krebs/5pkgs/dic/default.nix4
-rw-r--r--krebs/5pkgs/github-hosts-sync/default.nix1
-rw-r--r--krebs/5pkgs/haskell-overrides/blessings.nix8
-rw-r--r--krebs/5pkgs/painload/default.nix4
8 files changed, 93 insertions, 47 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index b610ff3d1..a4a4de6f9 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
let
inherit (pkgs) writeText;
@@ -7,27 +9,6 @@ let
elem
;
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- hasPrefix
- mkEnableOption
- mkOption
- mkIf
- types
- sort
- ;
-
cfg = config.krebs.iptables;
out = {
@@ -65,6 +46,14 @@ let
type = int;
default = 0;
};
+ v4 = mkOption {
+ type = bool;
+ default = true;
+ };
+ v6 = mkOption {
+ type = bool;
+ default = true;
+ };
};
})));
default = null;
@@ -93,7 +82,7 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} krebs-iptables_start";
+ ExecStart = startScript;
};
};
};
@@ -109,7 +98,8 @@ let
buildChain = tn: cn:
let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+ filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
+ sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
in
#TODO: double check should be unneccessary, refactor!
@@ -123,13 +113,6 @@ let
buildRule = tn: cn: rule:
- #target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
"${rule.predicate} -j ${rule.target}";
buildTable = tn:
@@ -149,7 +132,7 @@ let
#=====
- rules4 = iptables-version:
+ rules = iptables-version:
let
#TODO: find out good defaults.
tables-defaults = {
@@ -171,14 +154,14 @@ let
tables = tables-defaults // cfg.tables;
in
- writeText "krebs-iptables-rules${toString iptables-version}" ''
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
${buildTables iptables-version tables}
'';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
+ iptables-restore < ${rules "v4"}
+ ip6tables-restore < ${rules "v6"}
'';
in
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
default = "";
};
ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
options = {
enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
certificate = mkOption {
type = str;
};
@@ -95,6 +108,7 @@ let
};
imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
@@ -117,13 +131,24 @@ let
indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
server {
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
@@ -142,7 +167,23 @@ let
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
${indent (concatMapStrings to-location locations)}
}
'';
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 8e266e1b3..3315dd157 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -78,7 +78,9 @@ with import <stockholm/lib>;
extraZones = {
# TODO generate krebsco.de zone from nets and don't use extraZones at all
"krebsco.de" = ''
+ krebsco.de. 60 IN MX 5 mx23
cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
+ mx23 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
'';
};
nets = {
@@ -213,7 +215,6 @@ with import <stockholm/lib>;
ni = {
extraZones = {
"krebsco.de" = ''
- krebsco.de. 60 IN MX 5 ni
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
@@ -351,11 +352,17 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
xu = {
+ binary-cache = {
+ pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
+ };
cores = 4;
nets = {
gg23 = {
ip4.addr = "10.23.1.38";
- aliases = ["xu.gg23"];
+ aliases = [
+ "cache.xu.gg23"
+ "xu.gg23"
+ ];
ssh.port = 11423;
};
retiolum = {
diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix
index 5860b9a15..49d04be4d 100644
--- a/krebs/5pkgs/builders.nix
+++ b/krebs/5pkgs/builders.nix
@@ -37,7 +37,17 @@ rec {
};
};
- writeBash = makeScriptWriter "${pkgs.bash}/bin/bash";
+ writeBash = name: text:
+ assert (with types; either absolute-pathname filename).check name;
+ pkgs.writeOut (baseNameOf name) {
+ ${optionalString (types.absolute-pathname.check name) name} = {
+ check = pkgs.writeDash "shellcheck.sh" ''
+ ${pkgs.haskellPackages.ShellCheck}/bin/shellcheck "$1" || :
+ '';
+ executable = true;
+ text = "#! ${pkgs.bash}/bin/bash\n${text}";
+ };
+ };
writeBashBin = name:
assert types.filename.check name;
@@ -91,6 +101,7 @@ rec {
writers.text =
{ path
+ , check ? null
, executable ? false
, mode ? if executable then "0755" else "0644"
, text
@@ -102,6 +113,9 @@ rec {
var = "file_${hashString "sha1" path}";
val = text;
install = /* sh */ ''
+ ${optionalString (check != null) /* sh */ ''
+ ${check} ''$${var}Path
+ ''}
${pkgs.coreutils}/bin/install -m ${mode} -D ''$${var}Path $out${path}
'';
};
diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix
index ea70f34d7..963786f0c 100644
--- a/krebs/5pkgs/dic/default.nix
+++ b/krebs/5pkgs/dic/default.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
src = fetchgit {
url = http://cgit.ni.krebsco.de/dic;
- rev = "refs/tags/v1.0.0";
- sha256 = "0f3f5dqpw5y79p2k68qw6jdlkrnapqs3nvnc41zwacyhgppiww0k";
+ rev = "refs/tags/v1.0.1";
+ sha256 = "1686mba1z4m7vq70w26qpl00z1cz286c9bya9ql36g6w2pbcs8d3";
};
phases = [
diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix
index bc4c58bb0..cdfed468c 100644
--- a/krebs/5pkgs/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/github-hosts-sync/default.nix
@@ -19,6 +19,7 @@ stdenv.mkDerivation {
git
gnugrep
gnused
+ nettools
openssh
socat
]);
diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell-overrides/blessings.nix
index 5fb57a332..f852b4a44 100644
--- a/krebs/5pkgs/haskell-overrides/blessings.nix
+++ b/krebs/5pkgs/haskell-overrides/blessings.nix
@@ -1,11 +1,11 @@
{ mkDerivation, base, fetchgit, stdenv }:
-mkDerivation {
+mkDerivation rec {
pname = "blessings";
- version = "1.0.0";
+ version = "1.1.0";
src = fetchgit {
url = http://cgit.ni.krebsco.de/blessings;
- rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f";
- sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc";
+ rev = "refs/tags/v${version}";
+ sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1";
};
libraryHaskellDepends = [ base ];
doHaddock = false;
diff --git a/krebs/5pkgs/painload/default.nix b/krebs/5pkgs/painload/default.nix
index 10fd379c0..136ec4394 100644
--- a/krebs/5pkgs/painload/default.nix
+++ b/krebs/5pkgs/painload/default.nix
@@ -2,6 +2,6 @@
fetchgit {
url = https://github.com/krebscode/painload;
- rev = "8df031f810a2776d8c43b03a9793cb49398bd33b";
- sha256 = "03md5k6fmz0j1ny22iw96dzq7cvijbz24ii85i0h2dhcychdp650";
+ rev = "c113487f73713a03b1a139b22bb34b86234d0495";
+ sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6";
}