diff options
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/3modules/iptables.nix | 51 | ||||
-rw-r--r-- | krebs/3modules/nginx.nix | 45 | ||||
-rw-r--r-- | krebs/3modules/tv/default.nix | 11 | ||||
-rw-r--r-- | krebs/5pkgs/builders.nix | 16 | ||||
-rw-r--r-- | krebs/5pkgs/dic/default.nix | 4 | ||||
-rw-r--r-- | krebs/5pkgs/github-hosts-sync/default.nix | 1 | ||||
-rw-r--r-- | krebs/5pkgs/haskell-overrides/blessings.nix | 8 | ||||
-rw-r--r-- | krebs/5pkgs/painload/default.nix | 4 |
8 files changed, 93 insertions, 47 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index b610ff3d1..a4a4de6f9 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: +with import <stockholm/lib>; + let inherit (pkgs) writeText; @@ -7,27 +9,6 @@ let elem ; - inherit (lib) - concatMapStringsSep - concatStringsSep - attrNames - unique - fold - any - attrValues - catAttrs - filter - flatten - length - hasAttr - hasPrefix - mkEnableOption - mkOption - mkIf - types - sort - ; - cfg = config.krebs.iptables; out = { @@ -65,6 +46,14 @@ let type = int; default = 0; }; + v4 = mkOption { + type = bool; + default = true; + }; + v6 = mkOption { + type = bool; + default = true; + }; }; }))); default = null; @@ -93,7 +82,7 @@ let Type = "simple"; RemainAfterExit = true; Restart = "always"; - ExecStart = "@${startScript} krebs-iptables_start"; + ExecStart = startScript; }; }; }; @@ -109,7 +98,8 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; + filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; in #TODO: double check should be unneccessary, refactor! @@ -123,13 +113,6 @@ let buildRule = tn: cn: rule: - #target validation test: - assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target; - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. "${rule.predicate} -j ${rule.target}"; buildTable = tn: @@ -149,7 +132,7 @@ let #===== - rules4 = iptables-version: + rules = iptables-version: let #TODO: find out good defaults. tables-defaults = { @@ -171,14 +154,14 @@ let tables = tables-defaults // cfg.tables; in - writeText "krebs-iptables-rules${toString iptables-version}" '' + pkgs.writeText "krebs-iptables-rules${iptables-version}" '' ${buildTables iptables-version tables} ''; startScript = pkgs.writeDash "krebs-iptables_start" '' set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} + iptables-restore < ${rules "v4"} + ip6tables-restore < ${rules "v6"} ''; in diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 1577c5b64..933c2e513 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -53,9 +53,22 @@ let default = ""; }; ssl = mkOption { - type = with types; submodule ({ + type = with types; submodule ({ config, ... }: { options = { enable = mkEnableOption "ssl"; + acmeEnable = mkOption { + type = bool; + apply = x: + if x && config.enable + #conflicts because of certificate/certificate_key location + then throw "can't use ssl.enable and ssl.acmeEnable together" + else x; + default = false; + description = '' + enables automatical generation of lets-encrypt certificates and setting them as certificate + conflicts with ssl.enable + ''; + }; certificate = mkOption { type = str; }; @@ -95,6 +108,7 @@ let }; imp = { + security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); services.nginx = { enable = true; httpConfig = '' @@ -117,13 +131,24 @@ let indent = replaceChars ["\n"] ["\n "]; + to-acme = { server-names, ssl, ... }: + optionalAttrs ssl.acmeEnable { + email = "lassulus@gmail.com"; + webroot = "${config.security.acme.directory}/${head server-names}"; + }; + to-location = { name, value }: '' location ${name} { ${indent value} } ''; - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: '' + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let + domain = head server-names; + acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' + root ${config.security.acme.certs.${domain}.webroot}; + ''); + in '' server { server_name ${toString (unique server-names)}; ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} @@ -142,7 +167,23 @@ let ssl_ciphers ${ssl.ciphers}; ssl_protocols ${toString ssl.protocols}; '')} + ${optionalString ssl.acmeEnable (indent '' + ${optionalString ssl.force_encryption '' + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + ''} + listen 443 ssl; + ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; + ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; + ${optionalString ssl.prefer_server_ciphers '' + ssl_prefer_server_ciphers On; + ''} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '')} ${indent extraConfig} + ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} ${indent (concatMapStrings to-location locations)} } ''; diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 8e266e1b3..3315dd157 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -78,7 +78,9 @@ with import <stockholm/lib>; extraZones = { # TODO generate krebsco.de zone from nets and don't use extraZones at all "krebsco.de" = '' + krebsco.de. 60 IN MX 5 mx23 cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr} + mx23 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr} ''; }; nets = { @@ -213,7 +215,6 @@ with import <stockholm/lib>; ni = { extraZones = { "krebsco.de" = '' - krebsco.de. 60 IN MX 5 ni ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} @@ -351,11 +352,17 @@ with import <stockholm/lib>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; }; xu = { + binary-cache = { + pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s="; + }; cores = 4; nets = { gg23 = { ip4.addr = "10.23.1.38"; - aliases = ["xu.gg23"]; + aliases = [ + "cache.xu.gg23" + "xu.gg23" + ]; ssh.port = 11423; }; retiolum = { diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix index 5860b9a15..49d04be4d 100644 --- a/krebs/5pkgs/builders.nix +++ b/krebs/5pkgs/builders.nix @@ -37,7 +37,17 @@ rec { }; }; - writeBash = makeScriptWriter "${pkgs.bash}/bin/bash"; + writeBash = name: text: + assert (with types; either absolute-pathname filename).check name; + pkgs.writeOut (baseNameOf name) { + ${optionalString (types.absolute-pathname.check name) name} = { + check = pkgs.writeDash "shellcheck.sh" '' + ${pkgs.haskellPackages.ShellCheck}/bin/shellcheck "$1" || : + ''; + executable = true; + text = "#! ${pkgs.bash}/bin/bash\n${text}"; + }; + }; writeBashBin = name: assert types.filename.check name; @@ -91,6 +101,7 @@ rec { writers.text = { path + , check ? null , executable ? false , mode ? if executable then "0755" else "0644" , text @@ -102,6 +113,9 @@ rec { var = "file_${hashString "sha1" path}"; val = text; install = /* sh */ '' + ${optionalString (check != null) /* sh */ '' + ${check} ''$${var}Path + ''} ${pkgs.coreutils}/bin/install -m ${mode} -D ''$${var}Path $out${path} ''; }; diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix index ea70f34d7..963786f0c 100644 --- a/krebs/5pkgs/dic/default.nix +++ b/krebs/5pkgs/dic/default.nix @@ -5,8 +5,8 @@ stdenv.mkDerivation { src = fetchgit { url = http://cgit.ni.krebsco.de/dic; - rev = "refs/tags/v1.0.0"; - sha256 = "0f3f5dqpw5y79p2k68qw6jdlkrnapqs3nvnc41zwacyhgppiww0k"; + rev = "refs/tags/v1.0.1"; + sha256 = "1686mba1z4m7vq70w26qpl00z1cz286c9bya9ql36g6w2pbcs8d3"; }; phases = [ diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix index bc4c58bb0..cdfed468c 100644 --- a/krebs/5pkgs/github-hosts-sync/default.nix +++ b/krebs/5pkgs/github-hosts-sync/default.nix @@ -19,6 +19,7 @@ stdenv.mkDerivation { git gnugrep gnused + nettools openssh socat ]); diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell-overrides/blessings.nix index 5fb57a332..f852b4a44 100644 --- a/krebs/5pkgs/haskell-overrides/blessings.nix +++ b/krebs/5pkgs/haskell-overrides/blessings.nix @@ -1,11 +1,11 @@ { mkDerivation, base, fetchgit, stdenv }: -mkDerivation { +mkDerivation rec { pname = "blessings"; - version = "1.0.0"; + version = "1.1.0"; src = fetchgit { url = http://cgit.ni.krebsco.de/blessings; - rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f"; - sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc"; + rev = "refs/tags/v${version}"; + sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1"; }; libraryHaskellDepends = [ base ]; doHaddock = false; diff --git a/krebs/5pkgs/painload/default.nix b/krebs/5pkgs/painload/default.nix index 10fd379c0..136ec4394 100644 --- a/krebs/5pkgs/painload/default.nix +++ b/krebs/5pkgs/painload/default.nix @@ -2,6 +2,6 @@ fetchgit { url = https://github.com/krebscode/painload; - rev = "8df031f810a2776d8c43b03a9793cb49398bd33b"; - sha256 = "03md5k6fmz0j1ny22iw96dzq7cvijbz24ii85i0h2dhcychdp650"; + rev = "c113487f73713a03b1a139b22bb34b86234d0495"; + sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6"; } |