Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/default.nix2
-rw-r--r--lass/3modules/iptables.nix187
-rw-r--r--lass/3modules/realwallpaper.nix102
3 files changed, 103 insertions, 188 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index d4e231ec7..9b6211278 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -3,6 +3,6 @@ _:
{
imports = [
./xresources.nix
- ./iptables.nix
+ ./realwallpaper.nix
];
}
diff --git a/lass/3modules/iptables.nix b/lass/3modules/iptables.nix
deleted file mode 100644
index 8c6ad3fa1..000000000
--- a/lass/3modules/iptables.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-arg@{ config, lib, pkgs, ... }:
-
-let
- inherit (pkgs) writeScript writeText;
-
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- mkEnableOption
- mkOption
- mkIf
- types
- sort;
-
- elemIsIn = a: as:
- any (x: x == a) as;
-
- cfg = config.lass.iptables;
-
- out = {
- options.lass.iptables = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "iptables";
-
- #tables.filter.INPUT = {
- # policy = "DROP";
- # rules = [
- # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
- # ];
- #};
- #new api
- tables = mkOption {
- type = with types; attrsOf (attrsOf (submodule ({
- options = {
- policy = mkOption {
- type = str;
- default = "-";
- };
- rules = mkOption {
- type = nullOr (listOf (submodule ({
- options = {
- predicate = mkOption {
- type = str;
- };
- target = mkOption {
- type = str;
- };
- precedence = mkOption {
- type = int;
- default = 0;
- };
- };
- })));
- default = null;
- };
- };
- })));
- };
- };
-
- imp = {
- networking.firewall.enable = false;
-
- systemd.services.lass-iptables = {
- description = "lass-iptables";
- wantedBy = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- ExecStart = "@${startScript} lass-iptables_start";
- };
- };
- };
-
- #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
- #todo: differentiate by iptables-version
- buildTables = v: ts:
- let
-
- declareChain = t: cn:
- #TODO: find out what to do whit these count numbers
- ":${cn} ${t."${cn}".policy} [0:0]";
-
- buildChain = tn: cn:
- let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
-
- in
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
- else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
- )
- else
- ""
- ;
-
-
- buildRule = tn: cn: rule:
- #target validation test:
- assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
- "${rule.predicate} -j ${rule.target}";
-
- buildTable = tn:
- "*${tn}\n" +
- concatStringsSep "\n" ([]
- ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
- ) +
- #this looks dirty, find a better way to do this (maybe optionalString)
- concatStringsSep "" ([]
- ++ map (buildChain tn) (attrNames ts."${tn}")
- ) +
- "\nCOMMIT";
- in
- concatStringsSep "\n" ([]
- ++ map buildTable (attrNames ts)
- );
-
-#=====
-
- rules4 = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- writeText "lass-iptables-rules${toString iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
-
- startScript = writeScript "lass-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
- '';
-
-in
-out
-
diff --git a/lass/3modules/realwallpaper.nix b/lass/3modules/realwallpaper.nix
new file mode 100644
index 000000000..85dd35233
--- /dev/null
+++ b/lass/3modules/realwallpaper.nix
@@ -0,0 +1,102 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib)
+ mkEnableOption
+ mkOption
+ types
+ mkIf
+ ;
+
+ lpkgs = import ../5pkgs { inherit pkgs; };
+
+ cfg = config.lass.realwallpaper;
+
+ out = {
+ options.lass.realwallpaper = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "realwallpaper";
+
+ workingDir = mkOption {
+ type = types.str;
+ default = "/var/realwallpaper/";
+ };
+
+ nightmap = mkOption {
+ type = types.str;
+ default = "http://eoimages.gsfc.nasa.gov/images/imagerecords/55000/55167/earth_lights_lrg.jpg";
+ };
+
+ daymap = mkOption {
+ type = types.str;
+ default = "http://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
+ };
+
+ cloudmap = mkOption {
+ type = types.str;
+ default = "http://xplanetclouds.com/free/local/clouds_2048.jpg";
+ };
+
+ outFile = mkOption {
+ type = types.str;
+ default = "/tmp/wallpaper.png";
+ };
+
+ timerConfig = mkOption {
+ type = types.unspecified;
+ default = {
+ OnCalendar = "*:0/15";
+ };
+ };
+
+ };
+
+ imp = {
+ systemd.timers.realwallpaper = {
+ description = "real wallpaper generator timer";
+
+ timerConfig = cfg.timerConfig;
+ };
+
+ systemd.services.realwallpaper = {
+ description = "real wallpaper generator";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ path = with pkgs; [
+ xplanet
+ imagemagick
+ curl
+ file
+ ];
+
+ environment = {
+ working_dir = cfg.workingDir;
+ nightmap_url = cfg.nightmap;
+ daymap_url = cfg.daymap;
+ cloudmap_url = cfg.cloudmap;
+ out_file = cfg.outFile;
+ };
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${lpkgs.realwallpaper}/realwallpaper.sh";
+ User = "realwallpaper";
+ };
+ };
+
+ users.extraUsers.realwallpaper = {
+ uid = 2009435407; #genid realwallpaper
+ home = cfg.workingDir;
+ createHome = true;
+ };
+ };
+
+in
+out
+
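Review bot: The default `outFile = "/tmp/wallpaper.png";` makes the service, running as the unprivileged `realwallpaper` user, write a predictable name into the shared, world-writable /tmp, where any other local account can pre-create that file or a symlink and steer where the output lands or what later readers pick up; keeping the default inside the module's own directory, `default = "/var/realwallpaper/wallpaper.png";` (matching the `workingDir` default), avoids this. The three map URLs default to plain `http://`, so the images curl fetches and xplanet/imagemagick then parse are neither authenticated nor integrity-checked in transit; where those hosts serve TLS the defaults should be `https://`, and a comment on the options should say that the download path processes untrusted image data. Separately, `systemd.timers.realwallpaper` declares no `wantedBy = [ "timers.target" ];`, so unless something outside this file pulls it in the timer is never started and `timerConfig`'s `OnCalendar` has no effect, leaving the service to run once at boot via `multi-user.target`. `timerConfig` is typed `types.unspecified`, which accepts any value at evaluation time; `types.attrs` would at least reject non-attribute-set input before it reaches the unit file.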