Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors.nix12
-rw-r--r--lass/1systems/uriel.nix79
-rw-r--r--lass/2configs/base.nix7
-rw-r--r--lass/2configs/browsers.nix10
-rw-r--r--lass/2configs/downloading.nix3
-rw-r--r--lass/2configs/fastpoke-pages.nix6
-rw-r--r--lass/2configs/retiolum.nix5
-rw-r--r--lass/2configs/steam.nix4
-rw-r--r--lass/2configs/virtualbox.nix2
-rw-r--r--lass/2configs/wordpress.nix4
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/iptables.nix187
12 files changed, 20 insertions, 300 deletions
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index b7291a8f2..c67cc8209 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -195,21 +195,11 @@
};
};
- networking.firewall = {
- allowPing = true;
- allowedTCPPorts = [
- 8000
- ];
- allowedUDPPorts = [
- 67
- ];
- };
-
services.mongodb = {
enable = true;
};
- lass.iptables = {
+ krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }
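Review bot: The removed `networking.firewall` block admitted ICMP echo (`allowPing = true`) and UDP 67, but the `krebs.iptables` rule list that replaces it only shows a TCP 8000 ACCEPT inside this hunk; with `filter.INPUT.policy = "DROP"` set in base.nix, ping and DHCP-server traffic are dropped unless equivalent rules exist further down. If the host still serves DHCP on UDP 67, add `{ predicate = "-p udp --dport 67"; target = "ACCEPT"; }` next to the 8000 rule, plus an ICMP echo-request rule if reachability checks are wanted; if those entries were already dead config (the deleted lass module set `networking.firewall.enable = false`, so `allowedUDPPorts` had no effect), a one-line comment saying so would help. The `krebs.iptables` attribute set continues past the end of the hunk.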
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 9d96e7814..c690fda93 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -82,9 +82,6 @@ with builtins;
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
'';
- #services.xserver = {
- #};
-
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
@@ -101,80 +98,4 @@ with builtins;
#for google hangout
users.extraUsers.google.extraGroups = [ "audio" "video" ];
-
-
- #users.extraGroups = {
- # loot = {
- # members = [
- # "lass"
- # "firefox"
- # "chromium"
- # "google"
- # ];
- # };
- #};
- #
- # iptables
- #
- #networking.firewall.enable = false;
- #system.activationScripts.iptables =
- # let
- # log = false;
- # when = c: f: if c then f else "";
- # in
- # ''
- # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
- # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
- # ipXtables() { ip4tables "$@"; ip6tables "$@"; }
-
- # #
- # # nat
- # #
-
- # # reset tables
- # ipXtables -t nat -F
- # ipXtables -t nat -X
-
- # #
- # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
- # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
-
- # #
- # # filter
- # #
-
- # # reset tables
- # ipXtables -P INPUT DROP
- # ipXtables -P FORWARD DROP
- # ipXtables -F
- # ipXtables -X
-
- # # create custom chains
- # ipXtables -N Retiolum
-
- # # INPUT
- # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- # ipXtables -A INPUT -j ACCEPT -i lo
- # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
- # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
- # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
- # ipXtables -A INPUT -j Retiolum -i retiolum
- # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
-
- # # FORWARD
- # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
-
- # # Retiolum
- # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
- # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
-
-
- # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
- # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
- # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
- # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
- # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
- # ip6tables -A Retiolum -j REJECT
-
- # '';
}
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 46435649b..4f5685b4a 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -3,14 +3,13 @@
with lib;
{
imports = [
- ../3modules/iptables.nix
../2configs/vim.nix
../2configs/zsh.nix
../2configs/mc.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
- (import /root/src/secrets/hashedPasswords.nix);
+ (import /root/secrets/hashedPasswords.nix);
}
{
users.extraUsers = {
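Review bot: `import /root/secrets/hashedPasswords.nix` on the `+` line reads the hash file at evaluation time, and the resulting `hashedPassword` values end up in the world-readable Nix store as part of the built system, so moving the file out of `/root/src` changes nothing about who can read the hashes once the system is built. If this nixpkgs revision offers a file-based per-user password option (`passwordFile` in later NixOS), pointing it at a root-only file outside the store keeps the hashes off the store; otherwise record the trade-off next to the import, e.g. `# NOTE: hashes are copied into /nix/store at build time`. The surrounding `imports` list closes outside the hunk.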
@@ -45,7 +44,7 @@ with lib;
build.source = {
git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
- rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
+ rev = "e916273209560b302ab231606babf5ce1c481f08";
};
};
};
@@ -137,7 +136,7 @@ with lib;
RuntimeMaxUse=128M
'';
- lass.iptables = {
+ krebs.iptables = {
enable = true;
tables = {
filter.INPUT.policy = "DROP";
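Review bot: `krebs.iptables` is set here while the first hunk drops the only `../3modules/iptables.nix` import from this file and nothing imports a krebs module in its place, so the option must be reaching this configuration through an import path not visible in the diff; if it is not, evaluation fails on an undefined option, and the `filter.INPUT.policy = "DROP"` on the context line (together with the `networking.firewall.enable = false` the deleted lass module used to set) means the host's input filtering depends entirely on that module being loaded. wordpress.nix resolves this explicitly with `../../krebs/3modules/iptables.nix`, whereas mors.nix, downloading.nix, fastpoke-pages.nix, retiolum.nix and steam.nix follow this file's approach; pick one convention, and if the module set is imported centrally, a comment such as `# krebs.iptables is provided by the krebs module set imported in <central file — fill in>` would save the next reader the search. The `krebs.iptables` block continues beyond the hunk.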
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index f37dace2c..47275af6f 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -66,16 +66,16 @@ in {
( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] )
( createChromiumUser "fb" [ ] [ pkgs.chromium ] )
( createChromiumUser "gm" [ ] [ pkgs.chromium ] )
- ( createChromiumUser "flash" [ ] [ pkgs.flash ] )
+ # ( createChromiumUser "flash" [ ] [ pkgs.flash ] )
];
nixpkgs.config.packageOverrides = pkgs : {
flash = pkgs.chromium.override {
- pulseSupport = true;
+ # pulseSupport = true;
enablePepperFlash = true;
};
- chromium = pkgs.chromium.override {
- pulseSupport = true;
- };
+ #chromium = pkgs.chromium.override {
+ # pulseSupport = true;
+ #};
};
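Review bot: The `flash` override on the unchanged lines (`enablePepperFlash = true`) is now unused, since its only consumer, the `flash` chromium user, is commented out on the `+` line, and the `pulseSupport` and `chromium` override lines are likewise left as commented-out code rather than deleted. Git keeps the history, so either delete these lines or replace them with a one-line reason, e.g. `# flash user and pulseSupport disabled: <reason — fill in>`; the same applies to the commented `#services.virtualboxHost.enable = true;` kept in virtualbox.nix. Keeping the dead override also leaves a Pepper-Flash-enabled chromium build one uncomment away from being used again.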
}
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index e6d31a6c4..5052da5c8 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -2,7 +2,6 @@
{
imports = [
- ../3modules/iptables.nix
../3modules/folderPerms.nix
];
@@ -47,7 +46,7 @@
};
};
- lass.iptables = {
+ krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
index 1c8106a88..0470865b6 100644
--- a/lass/2configs/fastpoke-pages.nix
+++ b/lass/2configs/fastpoke-pages.nix
@@ -29,9 +29,7 @@ let
};
in {
- imports = [
- ../3modules/iptables.nix
- ] ++ map createStaticPage [
+ imports = map createStaticPage [
"habsys.de"
"pixelpocket.de"
"karlaskop.de"
@@ -39,7 +37,7 @@ in {
"apanowicz.de"
];
- lass.iptables = {
+ krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index d7df15027..7f0bcc5e8 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -1,11 +1,8 @@
{ ... }:
{
- imports = [
- ../3modules/iptables.nix
- ];
- lass.iptables = {
+ krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix
index bd895e156..225ddd308 100644
--- a/lass/2configs/steam.nix
+++ b/lass/2configs/steam.nix
@@ -16,7 +16,9 @@
environment.systemPackages = with pkgs; [
steam
];
- lass.iptables = {
+
+ #ports for inhome streaming
+ krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport 27031"; target = "ACCEPT"; }
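Review bot: The added comment `#ports for inhome streaming` describes a LAN-only use, but the rule on the context line, `-p tcp --dport 27031`, matches that port on every interface, so under the DROP input policy from base.nix this opens the streaming port to whatever network the host is attached to (the rule list continues past the hunk, so later rules are not visible here). Scoping the predicate to the home network, e.g. `-s <LAN CIDR placeholder> -p tcp --dport 27031` or `-i <LAN interface placeholder> -p tcp --dport 27031`, makes the rule match the intent stated in the comment; any further streaming-port rules below would need the same scope.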
diff --git a/lass/2configs/virtualbox.nix b/lass/2configs/virtualbox.nix
index 9769cd68d..f7d196057 100644
--- a/lass/2configs/virtualbox.nix
+++ b/lass/2configs/virtualbox.nix
@@ -4,6 +4,8 @@ let
mainUser = config.users.extraUsers.mainUser;
in {
+ #services.virtualboxHost.enable = true;
+ virtualisation.virtualbox.host.enable = true;
users.extraUsers = {
virtual = {
diff --git a/lass/2configs/wordpress.nix b/lass/2configs/wordpress.nix
index 9458deb38..bd59080d9 100644
--- a/lass/2configs/wordpress.nix
+++ b/lass/2configs/wordpress.nix
@@ -8,10 +8,10 @@
config = {
imports = [
- ../3modules/iptables.nix
+ ../../krebs/3modules/iptables.nix
];
- lass.iptables = {
+ krebs.iptables = {
enable = true;
tables = {
filter.INPUT.policy = "DROP";
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index d4e231ec7..9de987bf3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -3,6 +3,5 @@ _:
{
imports = [
./xresources.nix
- ./iptables.nix
];
}
diff --git a/lass/3modules/iptables.nix b/lass/3modules/iptables.nix
deleted file mode 100644
index 8c6ad3fa1..000000000
--- a/lass/3modules/iptables.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-arg@{ config, lib, pkgs, ... }:
-
-let
- inherit (pkgs) writeScript writeText;
-
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- mkEnableOption
- mkOption
- mkIf
- types
- sort;
-
- elemIsIn = a: as:
- any (x: x == a) as;
-
- cfg = config.lass.iptables;
-
- out = {
- options.lass.iptables = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "iptables";
-
- #tables.filter.INPUT = {
- # policy = "DROP";
- # rules = [
- # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
- # ];
- #};
- #new api
- tables = mkOption {
- type = with types; attrsOf (attrsOf (submodule ({
- options = {
- policy = mkOption {
- type = str;
- default = "-";
- };
- rules = mkOption {
- type = nullOr (listOf (submodule ({
- options = {
- predicate = mkOption {
- type = str;
- };
- target = mkOption {
- type = str;
- };
- precedence = mkOption {
- type = int;
- default = 0;
- };
- };
- })));
- default = null;
- };
- };
- })));
- };
- };
-
- imp = {
- networking.firewall.enable = false;
-
- systemd.services.lass-iptables = {
- description = "lass-iptables";
- wantedBy = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- ExecStart = "@${startScript} lass-iptables_start";
- };
- };
- };
-
- #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
- #todo: differentiate by iptables-version
- buildTables = v: ts:
- let
-
- declareChain = t: cn:
- #TODO: find out what to do whit these count numbers
- ":${cn} ${t."${cn}".policy} [0:0]";
-
- buildChain = tn: cn:
- let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
-
- in
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
- else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
- )
- else
- ""
- ;
-
-
- buildRule = tn: cn: rule:
- #target validation test:
- assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
- "${rule.predicate} -j ${rule.target}";
-
- buildTable = tn:
- "*${tn}\n" +
- concatStringsSep "\n" ([]
- ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
- ) +
- #this looks dirty, find a better way to do this (maybe optionalString)
- concatStringsSep "" ([]
- ++ map (buildChain tn) (attrNames ts."${tn}")
- ) +
- "\nCOMMIT";
- in
- concatStringsSep "\n" ([]
- ++ map buildTable (attrNames ts)
- );
-
-#=====
-
- rules4 = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- writeText "lass-iptables-rules${toString iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
-
- startScript = writeScript "lass-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
- '';
-
-in
-out
-