From 644649e7250f7ef5c553cd6ad404d544097ed698 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 18 Feb 2016 08:36:18 +0100 Subject: ma 2 mycube: cleanup --- makefu/2configs/deployment/mycube.connector.one.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 6a32656b..38fc4a24 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -16,7 +16,7 @@ in { vassals = { mycube-flask = { type = "normal"; - python2Packages = self: with self; [ pkgs.mycube-flask self.flask self.redis self.werkzeug self.jinja2 self.markupsafe itsdangerous ]; + python2Packages = self: with self; [ pkgs.mycube-flask flask redis werkzeug jinja2 markupsafe itsdangerous ]; socket = wsgi-sock; }; }; -- cgit v1.2.3 From 54dc51d341f5a3b253341a20a4e35b1ed03a3244 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 18 Feb 2016 08:37:40 +0100 Subject: ma 2 laptop: add user to "dialout" --- makefu/2configs/main-laptop.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index c3e43723..452cdfb2 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -12,6 +12,9 @@ with config.krebs.lib; ./fetchWallpaper.nix ./zsh-user.nix ]; + + users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; + environment.systemPackages = with pkgs;[ vlc firefox -- cgit v1.2.3 From 74cfe87654638106f2d2a1a698814b41c2e904f2 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 18 Feb 2016 22:14:16 +0100 Subject: ma 2 default: apply cve-2015-7547 hotfix --- makefu/2configs/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 83018e9f..3043a1af 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -4,6 +4,13 @@ with config.krebs.lib; { system.stateVersion = "15.09"; + system.replaceRuntimeDependencies = with pkgs.lib; + [{original = pkgs.glibc; replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: { patches = oldAttr.patches ++ + [(pkgs.fetchurl { url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch"; + sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";})]; + });} + ]; + imports = [ { users.extraUsers = -- cgit v1.2.3 From c040c8f1b5fcfbd1b784c9460f4a0b78091ff2db Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:15:14 +0100 Subject: make: allow evaluation of arbitrary expressions --- Makefile | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 9dcd4754..12a60a90 100644 --- a/Makefile +++ b/Makefile @@ -46,10 +46,12 @@ evaluate = \ --show-trace \ -I nixos-config=$(nixos-config) \ -I stockholm=$(stockholm) \ - $(1) + -E '{ eval, f }: f eval' \ + --arg eval 'import ./.' \ + --arg f "eval@{ config, ... }: $(1)" execute = \ - result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \ + result=$$($(call evaluate,config.krebs.build.$(1))) && \ script=$$(echo "$$result" | jq -r .) && \ echo "$$script" | PS5=% sh @@ -61,8 +63,8 @@ deploy: nixos-rebuild switch --show-trace -I $(target_path) # usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name -eval eval.:;@$(call evaluate) -eval.%:;@$(call evaluate,-A $*) +eval eval.:;@$(call evaluate,$${expr-eval}) +eval.%:;@$(call evaluate,$*) # usage: make install system=foo [target_host=bar] install: ssh ?= ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -- cgit v1.2.3 From 47ef169276fcb500a3764c050dbeca1f7fc4a18b Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:18:28 +0100 Subject: krebs.hosts.*: set owner --- krebs/3modules/lass/default.nix | 2 +- krebs/3modules/makefu/default.nix | 2 +- krebs/3modules/miefda/default.nix | 2 +- krebs/3modules/mv/default.nix | 2 +- krebs/3modules/tv/default.nix | 2 +- krebs/4lib/types.nix | 9 +++++++++ 6 files changed, 14 insertions(+), 5 deletions(-) diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 41a60910..4bf10ac5 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) { dishfire = { cores = 4; nets = rec { diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 6af77ad9..d309c171 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) { pnp = { cores = 1; nets = { diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix index 6587ad92..9a586629 100644 --- a/krebs/3modules/miefda/default.nix +++ b/krebs/3modules/miefda/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.miefda) { bobby = { cores = 4; nets = { diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix index 33f941aa..3b4001e7 100644 --- a/krebs/3modules/mv/default.nix +++ b/krebs/3modules/mv/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.mv) { stro = { cores = 4; nets = { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 300fce01..1a9198b4 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -6,7 +6,7 @@ with config.krebs.lib; dns.providers = { de.viljetic = "regfish"; }; - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) { cd = rec { cores = 2; extraZones = { diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index d0a53746..d63080b9 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,15 @@ types // rec { default = {}; }; + owner = mkOption { + type = user; + # TODO proper user + default = { + name = "krebs"; + mail = "spam@krebsco.de"; + }; + }; + extraZones = mkOption { default = {}; # TODO: string is either MX, NS, A or AAAA -- cgit v1.2.3 From dbe2ece8ad962d654bc34f3a7c4802768df71ebb Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:18:50 +0100 Subject: krebs.hosts.*.infest: RIP --- krebs/4lib/types.nix | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index d63080b9..7fb20692 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -35,19 +35,6 @@ types // rec { type = with types; attrsOf string; }; - infest = { - addr = mkOption { - type = str; - apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.addr' is used. It was replaced by the `target' argument to `make` or `get`. See Makefile for more information."; - }; - port = mkOption { - type = int; - default = 22; - # TODO replacement: allow target with port, SSH-style: [lol]:666 - apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.port' is used. It's gone without replacement."; - }; - }; - secure = mkOption { type = bool; default = false; -- cgit v1.2.3 From bb201b19659b1da47f212d3b74cd18da543e8d6e Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:37:25 +0100 Subject: push: 1.1.1 -> 1.1.2 --- krebs/5pkgs/push/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/krebs/5pkgs/push/default.nix b/krebs/5pkgs/push/default.nix index 13769c74..aa17a21a 100644 --- a/krebs/5pkgs/push/default.nix +++ b/krebs/5pkgs/push/default.nix @@ -1,20 +1,21 @@ { fetchgit, lib, stdenv , coreutils -, get , git +, gnumake , gnused , jq +, nix , openssh , parallel , ... }: stdenv.mkDerivation { - name = "push-1.1.1"; + name = "push-1.1.2"; src = fetchgit { url = http://cgit.cd.krebsco.de/push; - rev = "ea8b76569c6b226fe148e559477669b095408472"; - sha256 = "c305a1515d30603f6ed825d44487e863fdc7d90400620ceaf2c335a3b5d1e221"; + rev = "da5b3a4b05ef822cc41d36b6cc2071a2e78506d4"; + sha256 = "0gfxz207lm11g77rw02jcqpvzhx07j9hzgjgscbmslzl5r8icd6g"; }; phases = [ @@ -26,10 +27,11 @@ stdenv.mkDerivation { let path = lib.makeSearchPath "bin" [ coreutils - get git + gnumake gnused jq + nix openssh parallel ]; -- cgit v1.2.3 From 06537421ddb9727cf33b1ce0115c9077751c8399 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 15 Feb 2016 16:56:29 +0100 Subject: l 1 helios: add pass.nix config --- lass/1systems/helios.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 88fb6aac..593baa00 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -8,6 +8,7 @@ with builtins; ../2configs/browsers.nix ../2configs/programs.nix ../2configs/git.nix + ../2configs/pass.nix #{ # users.extraUsers = { # root = { -- cgit v1.2.3 From d1507e4c88dfa651bb1688e01875880d124340cb Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 15 Feb 2016 16:56:45 +0100 Subject: l 1 helios: open up port 8000 for webtesting --- lass/1systems/helios.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 593baa00..d878b2b6 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -18,6 +18,15 @@ with builtins; # }; # }; #} + { + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } + ]; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.helios; -- cgit v1.2.3 From 56aa68df42c21be4fc9d653cc61920e4827f47b7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 15 Feb 2016 16:57:04 +0100 Subject: l 1 helios: disbale intel sna because of bugs --- lass/1systems/helios.nix | 9 --------- 1 file changed, 9 deletions(-) diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index d878b2b6..0103b6ec 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -63,15 +63,6 @@ with builtins; # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" #''; - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; - services.xserver.synaptics = { enable = true; twoFingerScroll = true; -- cgit v1.2.3 From bb1d0e913e2f96ddfc28c199ab29372c8f57a9e3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 15 Feb 2016 16:57:48 +0100 Subject: l 1 mors: add python test-env --- lass/1systems/mors.nix | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index f6ac1b4e..96a57d0f 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -97,6 +97,39 @@ # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } # ]; #} + { + containers.pythonenv = { + config = { + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + + environment = { + systemPackages = with pkgs; [ + git + libxml2 + libxslt + libzip + python27Full + python27Packages.buildout + stdenv + zlib + ]; + + pathsToLink = [ "/include" ]; + + shellInit = '' + # help pip to find libz.so when building lxml + export LIBRARY_PATH=/var/run/current-system/sw/lib + # ditto for header files, e.g. sqlite + export C_INCLUDE_PATH=/var/run/current-system/sw/include + ''; + }; + + }; + }; + } ]; krebs.build.host = config.krebs.hosts.mors; -- cgit v1.2.3 From 0e03417f2e214795320c0a0f75b10d1bfbdf8648 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 15 Feb 2016 16:58:04 +0100 Subject: l 1 mors: activate postgresql --- lass/1systems/mors.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 96a57d0f..e3bb4e48 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -130,6 +130,12 @@ }; }; } + { + services.postgresql = { + enable = true; + authentication = "local all all ident"; + }; + } ]; krebs.build.host = config.krebs.hosts.mors; -- cgit v1.2.3 From 3e542873a9bc1a66bd1ed25b0e72c0311f23ac00 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 16 Feb 2016 17:12:39 +0100 Subject: l 2 browsers: allow audio in flash browser --- lass/2configs/browsers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 61016fed..eb764068 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -58,7 +58,7 @@ in { ( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] ) ( createChromiumUser "fb" [ ] [ pkgs.chromium ] ) ( createChromiumUser "gm" [ ] [ pkgs.chromium ] ) - ( createChromiumUser "flash" [ ] [ pkgs.flash ] ) + ( createChromiumUser "flash" [ "audio" ] [ pkgs.flash ] ) ]; nixpkgs.config.packageOverrides = pkgs : { -- cgit v1.2.3 From 168e8baaf0fc7c9318e60cfd5d0b4a9d507c8c72 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 16 Feb 2016 17:13:40 +0100 Subject: l 2 git: add extraction_webinterface repo --- lass/2configs/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 76b897d1..bd4ce3ec 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -42,6 +42,7 @@ let brain = { collaborators = with config.krebs.users; [ tv makefu ]; }; + extraction_webinterface = {}; } // import { inherit config lib pkgs; } ); -- cgit v1.2.3 From 179ce6c3f9eff376da6bb93feffbb11a52e5d33b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 16 Feb 2016 17:13:54 +0100 Subject: l 2 git: add politics-fetching repo --- lass/2configs/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index bd4ce3ec..0aab298c 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -43,6 +43,7 @@ let collaborators = with config.krebs.users; [ tv makefu ]; }; extraction_webinterface = {}; + politics-fetching = {}; } // import { inherit config lib pkgs; } ); -- cgit v1.2.3 From 81fa056af7446a461d24b538c225605589d15cef Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 16 Feb 2016 17:14:27 +0100 Subject: l 2 xserver: add systemPackages PATH --- lass/2configs/xserver/default.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix index 82cfd57b..203ed0b0 100644 --- a/lass/2configs/xserver/default.nix +++ b/lass/2configs/xserver/default.nix @@ -93,11 +93,9 @@ let xmonad-start = pkgs.writeScriptBin "xmonad" '' #! ${pkgs.bash}/bin/bash set -efu - export PATH; PATH=${makeSearchPath "bin" [ - pkgs.alsaUtils - pkgs.pulseaudioLight + export PATH; PATH=${makeSearchPath "bin" ([ pkgs.rxvt_unicode - ]}:/var/setuid-wrappers + ] ++ config.environment.systemPackages)}:/var/setuid-wrappers settle() {( # Use PATH for a clean journal command=''${1##*/} -- cgit v1.2.3 From 4b1ff53f304ab41a99cb24fc0424017c86e5993b Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 14:58:59 +0100 Subject: l 1 mors: disbale broken configs --- lass/1systems/mors.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e3bb4e48..7d4cd72d 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -20,12 +20,12 @@ ../2configs/git.nix #../2configs/wordpress.nix ../2configs/bitlbee.nix - ../2configs/firefoxPatched.nix + #../2configs/firefoxPatched.nix ../2configs/skype.nix ../2configs/teamviewer.nix ../2configs/libvirt.nix ../2configs/fetchWallpaper.nix - ../2configs/buildbot-standalone.nix + #../2configs/buildbot-standalone.nix { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ -- cgit v1.2.3 From d01c882e1ead9a2cd01c2f3a7f1c198dbce24953 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 14:59:21 +0100 Subject: l 1 mors: postgre -> mariadb --- lass/1systems/mors.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 7d4cd72d..31663008 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -131,9 +131,10 @@ }; } { - services.postgresql = { + services.mysql = { enable = true; - authentication = "local all all ident"; + package = pkgs.mariadb; + rootPassword = "/mysql_rootPassword"; }; } ]; -- cgit v1.2.3 From 146421e96912ffd8dd5e2dd10019e5099d7d155b Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 14:59:36 +0100 Subject: add /mnt/conf to automounted disks --- lass/1systems/mors.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 31663008..a7f4ee5f 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -210,6 +210,11 @@ device = "/dev/big/public"; fsType = "ext4"; }; + + "/mnt/conf" = { + device = "/dev/big/conf"; + fsType = "ext4"; + }; }; services.udev.extraRules = '' -- cgit v1.2.3 From 9d519dd4d28d05f0fb86f742fedaa6a505522a4b Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 15:00:18 +0100 Subject: l 2: use inherit genid from krebs.lib --- lass/2configs/libvirt.nix | 3 ++- lass/2configs/skype.nix | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index 7520a0e3..a51ccae5 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -2,13 +2,14 @@ let mainUser = config.users.extraUsers.mainUser; + inherit (config.krebs.lib) genid; in { virtualisation.libvirtd.enable = true; users.extraUsers = { libvirt = { - uid = lib.genid "libvirt"; + uid = genid "libvirt"; description = "user for running libvirt stuff"; home = "/home/libvirt"; useDefaultShell = true; diff --git a/lass/2configs/skype.nix b/lass/2configs/skype.nix index d62a18a5..5b6da4a9 100644 --- a/lass/2configs/skype.nix +++ b/lass/2configs/skype.nix @@ -2,12 +2,13 @@ let mainUser = config.users.extraUsers.mainUser; + inherit (config.krebs.lib) genid; in { users.extraUsers = { skype = { name = "skype"; - uid = lib.genid "skype"; + uid = genid "skype"; description = "user for running skype"; home = "/home/skype"; useDefaultShell = true; -- cgit v1.2.3 From a278c6588750c09f97e83c53d86aef5ec82a7bcd Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 15:00:52 +0100 Subject: l 5: callPackage -> pkgs.callPackage --- lass/5pkgs/default.nix | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix index fee4654a..ce29ae33 100644 --- a/lass/5pkgs/default.nix +++ b/lass/5pkgs/default.nix @@ -1,16 +1,13 @@ { pkgs, ... }: -let - inherit (pkgs) callPackage; -in { nixpkgs.config.packageOverrides = rec { firefoxPlugins = { - noscript = callPackage ./firefoxPlugins/noscript.nix {}; - ublock = callPackage ./firefoxPlugins/ublock.nix {}; - vimperator = callPackage ./firefoxPlugins/vimperator.nix {}; + noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {}; + ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {}; + vimperator = pkgs.callPackage ./firefoxPlugins/vimperator.nix {}; }; - newsbot-js = callPackage ./newsbot-js/default.nix {}; + newsbot-js = pkgs.callPackage ./newsbot-js/default.nix {}; xmonad-lass = let src = pkgs.writeNixFromCabal "xmonad-lass.nix" ./xmonad-lass; in pkgs.haskellPackages.callPackage src {}; -- cgit v1.2.3 From 43f06b9773bdd93e0e369012081dc359aa29ea1e Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 15:01:35 +0100 Subject: l 5 xmonad-lass Main: fix xmonad errors --- lass/5pkgs/xmonad-lass/Main.hs | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/lass/5pkgs/xmonad-lass/Main.hs b/lass/5pkgs/xmonad-lass/Main.hs index faaa00aa..503df3be 100644 --- a/lass/5pkgs/xmonad-lass/Main.hs +++ b/lass/5pkgs/xmonad-lass/Main.hs @@ -12,7 +12,6 @@ import XMonad import System.IO (hPutStrLn, stderr) import System.Environment (getArgs, withArgs, getEnv, getEnvironment) import System.Posix.Process (executeFile) -import XMonad.Prompt (defaultXPConfig) import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace , removeEmptyWorkspace) import XMonad.Actions.GridSelect @@ -73,7 +72,7 @@ mainNoArgs = do -- $ withUrgencyHook borderUrgencyHook "magenta" -- $ withUrgencyHookC BorderUrgencyHook { urgencyBorderColor = "magenta" } urgencyConfig { suppressWhen = Never } $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ") - $ defaultConfig + $ def { terminal = myTerm , modMask = mod4Mask , workspaces = workspaces0 @@ -169,7 +168,7 @@ myWSConfig = myGSConfig } pagerConfig :: PagerConfig -pagerConfig = defaultPagerConfig +pagerConfig = def { pc_font = myFont , pc_cellwidth = 64 --, pc_cellheight = 36 -- TODO automatically keep screen aspect @@ -182,13 +181,13 @@ pagerConfig = defaultPagerConfig where windowColors _ _ _ True _ = ("#ef4242","#ff2323") windowColors wsf m c u wf = do - let def = defaultWindowColors wsf m c u wf + let y = defaultWindowColors wsf m c u wf if m == False && wf == True - then ("#402020", snd def) - else def + then ("#402020", snd y) + else y wGSConfig :: GSConfig Window -wGSConfig = defaultGSConfig +wGSConfig = def { gs_cellheight = 20 , gs_cellwidth = 192 , gs_cellpadding = 5 -- cgit v1.2.3 From 98ca03d76bb63cd9ac429d541a91d4da7080107c Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 17 Feb 2016 15:01:59 +0100 Subject: l: add 5pkgs to default.nix --- lass/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/default.nix b/lass/default.nix index 69b4abaa..377708c3 100644 --- a/lass/default.nix +++ b/lass/default.nix @@ -3,5 +3,6 @@ _: imports = [ ../krebs ./3modules + ./5pkgs ]; } -- cgit v1.2.3 From 8f6892ef5b73230fab2fae58b969c00cd328d71f Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 18 Feb 2016 17:05:01 +0100 Subject: l 1 mors: enable elasticsearch --- lass/1systems/mors.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index a7f4ee5f..9f492e2c 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -137,6 +137,14 @@ rootPassword = "/mysql_rootPassword"; }; } + { + services.elasticsearch = { + enable = true; + plugins = [ + pkgs.elasticsearchPlugins.elasticsearch_kopf + ]; + }; + } ]; krebs.build.host = config.krebs.hosts.mors; -- cgit v1.2.3 From a60767166201066eea80b7f53fdcc2e623dc769a Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 18:54:20 +0100 Subject: krebs.build.populate: allow overriding ssh --- krebs/3modules/build.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index b8ea34ae..08a7cd04 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -41,6 +41,8 @@ let #! /bin/sh set -eu + ssh=''${ssh-ssh} + verbose() { printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2 "$@" @@ -48,7 +50,7 @@ let { printf 'PS5=%q%q\n' @ "$PS5" echo ${shell.escape git-script} - } | verbose ssh -p ${shell.escape target-port} \ + } | verbose $ssh -p ${shell.escape target-port} \ ${shell.escape "${target-user}@${target-host}"} -T unset tmpdir @@ -77,7 +79,7 @@ let ) (attrNames source-by-method.file)} \ --delete \ -vFrlptD \ - -e ${shell.escape "ssh -p ${target-port}"} \ + -e "$ssh -p ${shell.escape target-port}" \ ${shell.escape target-path}/ \ ${shell.escape "${target-user}@${target-host}:${target-path}"} ''; -- cgit v1.2.3 From 2ff36bad032df0900e13a3ec743b09064c3d07c6 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 18:56:01 +0100 Subject: test infest-cac-centos7: use make install interface --- krebs/5pkgs/test/infest-cac-centos7/notes | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes index db80c0c6..6bb0258a 100755 --- a/krebs/5pkgs/test/infest-cac-centos7/notes +++ b/krebs/5pkgs/test/infest-cac-centos7/notes @@ -1,4 +1,4 @@ -# nix-shell -p gnumake jq openssh cac-api cac-panel +# nix-shell -p gnumake jq openssh cac-api cac-panel sshpass set -eufx # 2 secrets are required: @@ -99,7 +99,7 @@ defer "cac-api delete $id;$old_trapstr" mkdir -p shared/2configs/temp cac-api generatenetworking $id > \ shared/2configs/temp/networking.nix -# new temporary ssh key we will use to log in after infest +# new temporary ssh key we will use to log in after install ssh-keygen -f $krebs_ssh -N "" cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv # we override the directories for secrets and stockholm @@ -118,12 +118,12 @@ _: { } EOF -LOGNAME=shared make eval get=krebs.infest \ - target=derp system=test-centos7 filter=json \ - | sed -e "s#^ssh.*<<#cac-api ssh $id<<#" \ - -e "/^rsync/a -e 'cac-api ssh $id' \\\\" \ - -e "s#root.derp:#:#" > $krebs_secrets/infest -sh -x $krebs_secrets/infest +make install \ + LOGNAME=shared \ + SSHPASS="$(cac-api getserver $id | jq -r .rootpass)" \ + ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \ + system=test-centos7 \ + target=$ip # TODO: generate secrets directory $krebs_secrets for nix import cac-api powerop $id reset -- cgit v1.2.3 From 1226a20038fa61e8a98b31f223a59b244dd6cd03 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 19:12:09 +0100 Subject: krebs.build.populate fetch_git: checkout with force --- krebs/3modules/build.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 08a7cd04..d4c6b08d 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -116,7 +116,7 @@ let if ! test "$(git log --format=%H -1)" = "$hash"; then git fetch origin git checkout "$hash" -- "$dst_dir" - git checkout "$hash" + git checkout -f "$hash" fi git clean -dxf -- cgit v1.2.3 From d8d39f5c4a9925f2098e58dc80e36920ece6ac71 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 19:37:00 +0100 Subject: prepare_common: simplify nixos-install installation --- krebs/4lib/infest/prepare.sh | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index b3824c7d..a217e7be 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -184,26 +184,21 @@ prepare_common() {( . /root/.nix-profile/etc/profile.d/nix.sh - for i in \ - bash \ - coreutils \ - # This line intentionally left blank. - do - if ! nix-env -q $i | grep -q .; then - nix-env -iA nixpkgs.pkgs.$i - fi - done + mkdir -p /mnt/"$target_path" + mkdir -p "$target_path" + + if ! mountpoint "$target_path"; then + mount --rbind /mnt/"$target_path" "$target_path" + fi + + mkdir -p bin + rm -f bin/nixos-install + cp "$(type -p nixos-install)" bin/nixos-install + sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install - # install nixos-install - if ! type nixos-install 2>/dev/null; then - nixpkgs_expr='import { system = builtins.currentSystem; }' - nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) - nix-env \ - --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ - --arg pkgs "$nixpkgs_expr" \ - --arg modulesPath 'throw "no modulesPath"' \ - -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ - -iA config.system.build.nixos-install + if ! grep -q '^PATH.*#krebs' .bashrc; then + echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc + echo 'PATH=$HOME/bin:$PATH #krebs' >> .bashrc fi )} -- cgit v1.2.3 From b5fbca3a365b1188c1274e3288ba39a88ecad2e3 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 05:27:37 +0100 Subject: krebs.secret: init --- krebs/3modules/default.nix | 1 + krebs/3modules/secret.nix | 39 +++++++++++++++++++++++++++++++++++++++ krebs/4lib/types.nix | 13 +++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 krebs/3modules/secret.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index c06f3754..df1c7db6 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./realwallpaper.nix ./retiolum-bootstrap.nix ./retiolum.nix + ./secret.nix ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix new file mode 100644 index 00000000..46802a66 --- /dev/null +++ b/krebs/3modules/secret.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + cfg = config.krebs.secret; +in { + options.krebs.secret = { + files = mkOption { + type = with types; attrsOf secret-file; + default = {}; + }; + }; + config = lib.mkIf (cfg.files != {}) { + systemd.services.secret = let + # TODO fail if two files have the same path but differ otherwise + files = unique (map (flip removeAttrs ["_module"]) + (attrValues cfg.files)); + in { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + SyslogIdentifier = "secret"; + ExecStart = pkgs.writeDash "install-secret-files" '' + exit_code=0 + ${concatMapStringsSep "\n" (file: '' + ${pkgs.coreutils}/bin/install \ + -D \ + --compare \ + --verbose \ + --mode=${shell.escape file.mode} \ + --owner=${shell.escape file.owner-name} \ + --group=${shell.escape file.group-name} \ + ${shell.escape file.source-path} \ + ${shell.escape file.path} \ + || exit_code=1 + '') files} + exit $exit_code + ''; + }; + }; + }; +} diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 7fb20692..55301add 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -143,6 +143,19 @@ types // rec { merge = mergeOneOption; }; + secret-file = submodule ({ config, ... }: { + options = { + path = mkOption { type = str; }; + mode = mkOption { type = str; default = "0400"; }; + owner-name = mkOption { type = str; default = "root"; }; + group-name = mkOption { type = str; default = "root"; }; + source-path = mkOption { + type = str; + default = toString + "/${config._module.args.name}"; + }; + }; + }); + suffixed-str = suffs: mkOptionType { name = "string suffixed by ${concatStringsSep ", " suffs}"; -- cgit v1.2.3 From d488e5fe7236a74ab63a21d97db10923482b18dd Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 05:41:59 +0100 Subject: tv.ejabberd: use krebs.secret --- tv/3modules/ejabberd.nix | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix index c9d9b48b..7ecd0a87 100644 --- a/tv/3modules/ejabberd.nix +++ b/tv/3modules/ejabberd.nix @@ -12,9 +12,17 @@ let api = { enable = mkEnableOption "tv.ejabberd"; - certFile = mkOption { - type = types.str; - default = toString ; + certfile = mkOption { + type = types.secret-file; + default = { + path = "/etc/ejabberd/ejabberd.pem"; + owner-name = "ejabberd"; + source-path = toString + "/ejabberd.pem"; + }; + }; + s2s_certfile = mkOption { + type = types.secret-file; + default = cfg.certfile; }; hosts = mkOption { @@ -25,21 +33,22 @@ let imp = { environment.systemPackages = [ my-ejabberdctl ]; + krebs.secret.files = { + ejabberd-certfile = cfg.certfile; + ejabberd-s2s_certfile = cfg.s2s_certfile; + }; + systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + requires = [ "secret.service" ]; + after = [ "network.target" "secret.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; PermissionsStartOnly = "true"; SyslogIdentifier = "ejabberd"; User = user.name; - ExecStartPre = pkgs.writeScript "ejabberd-start" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.certFile} /etc/ejabberd/ejabberd.pem - ''; - ExecStart = pkgs.writeScript "ejabberd-service" '' - #! /bin/sh + ExecStart = pkgs.writeDash "ejabberd" '' ${my-ejabberdctl}/bin/ejabberdctl start ''; }; @@ -75,7 +84,7 @@ let [ {5222, ejabberd_c2s, [ starttls, - {certfile, "/etc/ejabberd/ejabberd.pem"}, + {certfile, ${toErlang cfg.certfile.path}}, {access, c2s}, {shaper, c2s_shaper}, {max_stanza_size, 65536} @@ -92,7 +101,7 @@ let ]} ]}. {s2s_use_starttls, required}. - {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. + {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. {auth_method, internal}. {shaper, normal, {maxrate, 1000}}. {shaper, fast, {maxrate, 50000}}. @@ -161,5 +170,4 @@ let # XXX this is a placeholder that happens to work the default strings. toErlang = builtins.toJSON; -in -out +in out -- cgit v1.2.3 From 8a7e4b95c23c45b9d341f38b7bb96c3acfecff8a Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 06:05:49 +0100 Subject: tv.ejabberd: refactor --- tv/3modules/default.nix | 2 +- tv/3modules/ejabberd.nix | 173 --------------------------------------- tv/3modules/ejabberd/config.nix | 93 +++++++++++++++++++++ tv/3modules/ejabberd/default.nix | 76 +++++++++++++++++ 4 files changed, 170 insertions(+), 174 deletions(-) delete mode 100644 tv/3modules/ejabberd.nix create mode 100644 tv/3modules/ejabberd/config.nix create mode 100644 tv/3modules/ejabberd/default.nix diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix index f7889b24..22f3d801 100644 --- a/tv/3modules/default.nix +++ b/tv/3modules/default.nix @@ -2,7 +2,7 @@ _: { imports = [ - ./ejabberd.nix + ./ejabberd ./iptables.nix ]; } diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix deleted file mode 100644 index 7ecd0a87..00000000 --- a/tv/3modules/ejabberd.nix +++ /dev/null @@ -1,173 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -let - cfg = config.tv.ejabberd; - - out = { - options.tv.ejabberd = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.ejabberd"; - - certfile = mkOption { - type = types.secret-file; - default = { - path = "/etc/ejabberd/ejabberd.pem"; - owner-name = "ejabberd"; - source-path = toString + "/ejabberd.pem"; - }; - }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; - - hosts = mkOption { - type = with types; listOf str; - }; - }; - - imp = { - environment.systemPackages = [ my-ejabberdctl ]; - - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; - - systemd.services.ejabberd = { - wantedBy = [ "multi-user.target" ]; - requires = [ "secret.service" ]; - after = [ "network.target" "secret.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - PermissionsStartOnly = "true"; - SyslogIdentifier = "ejabberd"; - User = user.name; - ExecStart = pkgs.writeDash "ejabberd" '' - ${my-ejabberdctl}/bin/ejabberdctl start - ''; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - home = "/var/ejabberd"; - createHome = true; - }; - }; - - user = rec { - name = "ejabberd"; - uid = genid name; - }; - - my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" '' - #! /bin/sh - set -euf - exec env \ - SPOOLDIR=/var/ejabberd \ - EJABBERD_CONFIG_PATH=${config-file} \ - ${pkgs.ejabberd}/bin/ejabberdctl \ - --logs /var/ejabberd \ - "$@" - ''; - - config-file = pkgs.writeText "ejabberd.cfg" '' - {loglevel, 3}. - {hosts, ${toErlang cfg.hosts}}. - {listen, - [ - {5222, ejabberd_c2s, [ - starttls, - {certfile, ${toErlang cfg.certfile.path}}, - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - {5280, ejabberd_http, [ - captcha, - http_bind, - http_poll, - web_admin - ]} - ]}. - {s2s_use_starttls, required}. - {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. - {auth_method, internal}. - {shaper, normal, {maxrate, 1000}}. - {shaper, fast, {maxrate, 50000}}. - {max_fsm_queue, 1000}. - {acl, local, {user_regexp, ""}}. - {access, max_user_sessions, [{10, all}]}. - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - {access, local, [{allow, local}]}. - {access, c2s, [{deny, blocked}, - {allow, all}]}. - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - {access, s2s_shaper, [{fast, all}]}. - {access, announce, [{allow, admin}]}. - {access, configure, [{allow, admin}]}. - {access, muc_admin, [{allow, admin}]}. - {access, muc_create, [{allow, local}]}. - {access, muc, [{allow, all}]}. - {access, pubsub_createnode, [{allow, local}]}. - {access, register, [{allow, all}]}. - {language, "en"}. - {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, - {mod_blocking,[]}, - {mod_caps, []}, - {mod_configure,[]}, - {mod_disco, []}, - {mod_irc, []}, - {mod_http_bind, []}, - {mod_last, []}, - {mod_muc, [ - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - {mod_privacy, []}, - {mod_private, []}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} - ]}, - {mod_register, [ - {welcome_message, {"Welcome!", - "Hi.\nWelcome to this XMPP server."}}, - {ip_access, [{allow, "127.0.0.0/8"}, - {deny, "0.0.0.0/0"}]}, - {access, register} - ]}, - {mod_roster, []}, - {mod_shared_roster,[]}, - {mod_stats, []}, - {mod_time, []}, - {mod_vcard, []}, - {mod_version, []} - ]}. - ''; - - - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; - -in out diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix new file mode 100644 index 00000000..49bded85 --- /dev/null +++ b/tv/3modules/ejabberd/config.nix @@ -0,0 +1,93 @@ +{ config, ... }: with config.krebs.lib; let + cfg = config.tv.ejabberd; + + # XXX this is a placeholder that happens to work the default strings. + toErlang = builtins.toJSON; +in toFile "ejabberd.conf" '' + {loglevel, 3}. + {hosts, ${toErlang cfg.hosts}}. + {listen, + [ + {5222, ejabberd_c2s, [ + starttls, + {certfile, ${toErlang cfg.certfile.path}}, + {access, c2s}, + {shaper, c2s_shaper}, + {max_stanza_size, 65536} + ]}, + {5269, ejabberd_s2s_in, [ + {shaper, s2s_shaper}, + {max_stanza_size, 131072} + ]}, + {5280, ejabberd_http, [ + captcha, + http_bind, + http_poll, + web_admin + ]} + ]}. + {s2s_use_starttls, required}. + {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. + {auth_method, internal}. + {shaper, normal, {maxrate, 1000}}. + {shaper, fast, {maxrate, 50000}}. + {max_fsm_queue, 1000}. + {acl, local, {user_regexp, ""}}. + {access, max_user_sessions, [{10, all}]}. + {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. + {access, local, [{allow, local}]}. + {access, c2s, [{deny, blocked}, + {allow, all}]}. + {access, c2s_shaper, [{none, admin}, + {normal, all}]}. + {access, s2s_shaper, [{fast, all}]}. + {access, announce, [{allow, admin}]}. + {access, configure, [{allow, admin}]}. + {access, muc_admin, [{allow, admin}]}. + {access, muc_create, [{allow, local}]}. + {access, muc, [{allow, all}]}. + {access, pubsub_createnode, [{allow, local}]}. + {access, register, [{allow, all}]}. + {language, "en"}. + {modules, + [ + {mod_adhoc, []}, + {mod_announce, [{access, announce}]}, + {mod_blocking,[]}, + {mod_caps, []}, + {mod_configure,[]}, + {mod_disco, []}, + {mod_irc, []}, + {mod_http_bind, []}, + {mod_last, []}, + {mod_muc, [ + {access, muc}, + {access_create, muc_create}, + {access_persistent, muc_create}, + {access_admin, muc_admin} + ]}, + {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, + {mod_ping, []}, + {mod_privacy, []}, + {mod_private, []}, + {mod_pubsub, [ + {access_createnode, pubsub_createnode}, + {ignore_pep_from_offline, true}, + {last_item_cache, false}, + {plugins, ["flat", "hometree", "pep"]} + ]}, + {mod_register, [ + {welcome_message, {"Welcome!", + "Hi.\nWelcome to this XMPP server."}}, + {ip_access, [{allow, "127.0.0.0/8"}, + {deny, "0.0.0.0/0"}]}, + {access, register} + ]}, + {mod_roster, []}, + {mod_shared_roster,[]}, + {mod_stats, []}, + {mod_time, []}, + {mod_vcard, []}, + {mod_version, []} + ]}. +'' diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix new file mode 100644 index 00000000..51a3060f --- /dev/null +++ b/tv/3modules/ejabberd/default.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + cfg = config.tv.ejabberd; +in { + options.tv.ejabberd = { + enable = mkEnableOption "tv.ejabberd"; + certfile = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/ejabberd.pem"; + owner-name = "ejabberd"; + source-path = toString + "/ejabberd.pem"; + }; + }; + hosts = mkOption { + type = with types; listOf str; + }; + pkgs.ejabberdctl = mkOption { + type = types.package; + default = pkgs.writeDashBin "ejabberdctl" '' + set -efu + export SPOOLDIR=${shell.escape cfg.user.home} + export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)} + exec ${pkgs.ejabberd}/bin/ejabberdctl \ + --logs ${shell.escape cfg.user.home} \ + "$@" + ''; + }; + s2s_certfile = mkOption { + type = types.secret-file; + default = cfg.certfile; + }; + user = mkOption { + type = types.submodule { + options = { + name = mkOption { + type = types.str; + default = "ejabberd"; + }; + home = mkOption { + type = types.str; + default = "/var/ejabberd"; + }; + }; + }; + default = {}; + }; + }; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ cfg.pkgs.ejabberdctl ]; + + krebs.secret.files = { + ejabberd-certfile = cfg.certfile; + ejabberd-s2s_certfile = cfg.s2s_certfile; + }; + + systemd.services.ejabberd = { + wantedBy = [ "multi-user.target" ]; + requires = [ "secret.service" ]; + after = [ "network.target" "secret.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + PermissionsStartOnly = "true"; + SyslogIdentifier = "ejabberd"; + User = cfg.user.name; + ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start"; + }; + }; + + users.users.${cfg.user.name} = { + inherit (cfg.user) home name; + createHome = true; + uid = genid cfg.user.name; + }; + }; +} -- cgit v1.2.3 From d5db8b88edbf40df3b48364429310872edb64cea Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 06:23:06 +0100 Subject: tv.charybdis: use krebs.secret --- tv/1systems/cd.nix | 7 +- tv/2configs/charybdis.nix | 601 -------------------------------------- tv/3modules/charybdis/config.nix | 522 +++++++++++++++++++++++++++++++++ tv/3modules/charybdis/default.nix | 90 ++++++ tv/3modules/default.nix | 1 + 5 files changed, 618 insertions(+), 603 deletions(-) delete mode 100644 tv/2configs/charybdis.nix create mode 100644 tv/3modules/charybdis/config.nix create mode 100644 tv/3modules/charybdis/default.nix diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 9b638260..687f1795 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -14,11 +14,14 @@ with config.krebs.lib; ../2configs/retiolum.nix ../2configs/urlwatch.nix { - imports = [ ../2configs/charybdis.nix ]; tv.charybdis = { enable = true; - sslCert = ../Zcerts/charybdis_cd.crt.pem; + ssl_cert = ../Zcerts/charybdis_cd.crt.pem; }; + tv.iptables.input-retiolum-accept-new-tcp = [ + config.tv.charybdis.port + config.tv.charybdis.sslport + ]; } { tv.ejabberd = { diff --git a/tv/2configs/charybdis.nix b/tv/2configs/charybdis.nix deleted file mode 100644 index eefb2810..00000000 --- a/tv/2configs/charybdis.nix +++ /dev/null @@ -1,601 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -let - cfg = config.tv.charybdis; - - out = { - options.tv.charybdis = api; - config = lib.mkIf cfg.enable (lib.mkMerge [ - imp - { tv.iptables.input-retiolum-accept-new-tcp = [ 6667 6697 ]; } - ]); - }; - - api = { - enable = mkEnableOption "tv.charybdis"; - dataDir = mkOption { - type = types.str; - default = "/var/lib/charybdis"; - }; - dhParams = mkOption { - type = types.str; - default = toString ; - }; - motd = mkOption { - type = types.str; - default = "/join #retiolum"; - }; - sslCert = mkOption { - type = types.path; - }; - sslKey = mkOption { - type = types.str; - default = toString ; - }; - }; - - imp = { - systemd.services.charybdis = { - wantedBy = [ "multi-user.target" ]; - environment = { - BANDB_DBPATH = "${cfg.dataDir}/ban.db"; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "charybdis"; - User = user.name; - PrivateTmp = "true"; - Restart = "always"; - ExecStartPre = pkgs.writeScript "charybdis-init" '' - #! /bin/sh - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - install -o ${user.name} -m 0400 ${cfg.sslKey} /tmp/ssl.key - install -o ${user.name} -m 0400 ${cfg.dhParams} /tmp/dh.pem - echo ${escapeShellArg cfg.motd} > /tmp/ircd.motd - ''; - ExecStart = pkgs.writeScript "charybdis-service" '' - #! /bin/sh - set -euf - exec ${pkgs.charybdis}/bin/charybdis-ircd \ - -foreground \ - -logfile /dev/stderr \ - -configfile ${configFile} - ''; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = rec { - name = "charybdis"; - uid = genid name; - }; - - configFile = toFile "charybdis-ircd.conf" '' - /* doc/example.conf - brief example configuration file - * - * Copyright (C) 2000-2002 Hybrid Development Team - * Copyright (C) 2002-2005 ircd-ratbox development team - * Copyright (C) 2005-2006 charybdis development team - * - * $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $ - * - * See reference.conf for more information. - */ - - /* Extensions */ - #loadmodule "extensions/chm_operonly_compat.so"; - #loadmodule "extensions/chm_quietunreg_compat.so"; - #loadmodule "extensions/chm_sslonly_compat.so"; - #loadmodule "extensions/createauthonly.so"; - #loadmodule "extensions/extb_account.so"; - #loadmodule "extensions/extb_canjoin.so"; - #loadmodule "extensions/extb_channel.so"; - #loadmodule "extensions/extb_extgecos.so"; - #loadmodule "extensions/extb_oper.so"; - #loadmodule "extensions/extb_realname.so"; - #loadmodule "extensions/extb_server.so"; - #loadmodule "extensions/extb_ssl.so"; - #loadmodule "extensions/hurt.so"; - #loadmodule "extensions/m_findforwards.so"; - #loadmodule "extensions/m_identify.so"; - #loadmodule "extensions/no_oper_invis.so"; - #loadmodule "extensions/sno_farconnect.so"; - #loadmodule "extensions/sno_globalkline.so"; - #loadmodule "extensions/sno_globaloper.so"; - #loadmodule "extensions/sno_whois.so"; - loadmodule "extensions/override.so"; - - /* - * IP cloaking extensions: use ip_cloaking_4.0 - * if you're linking 3.2 and later, otherwise use - * ip_cloaking.so, for compatibility with older 3.x - * releases. - */ - - #loadmodule "extensions/ip_cloaking_4.0.so"; - #loadmodule "extensions/ip_cloaking.so"; - - serverinfo { - name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)}; - sid = "4z3"; - description = "miep!"; - network_name = "irc.retiolum"; - #network_desc = "Retiolum IRC Network"; - hub = yes; - - /* On multi-homed hosts you may need the following. These define - * the addresses we connect from to other servers. */ - /* for IPv4 */ - vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; - /* for IPv6 */ - vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; - - /* ssl_private_key: our ssl private key */ - ssl_private_key = "/tmp/ssl.key"; - - /* ssl_cert: certificate for our ssl server */ - ssl_cert = ${toJSON cfg.sslCert}; - - /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ - ssl_dh_params = "/tmp/dh.pem"; - - /* ssld_count: number of ssld processes you want to start, if you - * have a really busy server, using N-1 where N is the number of - * cpu/cpu cores you have might be useful. A number greater than one - * can also be useful in case of bugs in ssld and because ssld needs - * two file descriptors per SSL connection. - */ - ssld_count = 1; - - /* default max clients: the default maximum number of clients - * allowed to connect. This can be changed once ircd has started by - * issuing: - * /quote set maxclients - */ - default_max_clients = 1024; - - /* nicklen: enforced nickname length (for this server only; must not - * be longer than the maximum length set while building). - */ - nicklen = 30; - }; - - admin { - name = "tv"; - description = "peer"; - mail = "${config.krebs.users.tv.mail}"; - }; - - log { - fname_userlog = "/dev/stderr"; - fname_fuserlog = "/dev/stderr"; - fname_operlog = "/dev/stderr"; - fname_foperlog = "/dev/stderr"; - fname_serverlog = "/dev/stderr"; - fname_klinelog = "/dev/stderr"; - fname_killlog = "/dev/stderr"; - fname_operspylog = "/dev/stderr"; - fname_ioerrorlog = "/dev/stderr"; - }; - - /* class {} blocks MUST be specified before anything that uses them. That - * means they must be defined before auth {} and before connect {}. - */ - - class "krebs" { - ping_time = 2 minutes; - number_per_ident = 10; - number_per_ip = 2048; - number_per_ip_global = 4096; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 65536; - max_number = 3000; - sendq = 1 megabyte; - }; - - class "users" { - ping_time = 2 minutes; - number_per_ident = 10; - number_per_ip = 1024; - number_per_ip_global = 4096; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 65536; - max_number = 3000; - sendq = 400 kbytes; - }; - - class "opers" { - ping_time = 5 minutes; - number_per_ip = 10; - max_number = 1000; - sendq = 1 megabyte; - }; - - class "server" { - ping_time = 5 minutes; - connectfreq = 5 minutes; - max_number = 1; - sendq = 4 megabytes; - }; - - listen { - /* defer_accept: wait for clients to send IRC handshake data before - * accepting them. if you intend to use software which depends on the - * server replying first, such as BOPM, you should disable this feature. - * otherwise, you probably want to leave it on. - */ - defer_accept = yes; - - /* If you want to listen on a specific IP only, specify host. - * host definitions apply only to the following port line. - */ - # XXX This is stupid because only one host is allowed[?] - #host = ''${concatMapStringsSep ", " toJSON ( - # config.krebs.build.host.nets.retiolum.addrs - #)}; - port = 6667; - sslport = 6697; - }; - - /* auth {}: allow users to connect to the ircd (OLD I:) - * auth {} blocks MUST be specified in order of precedence. The first one - * that matches a user will be used. So place spoofs first, then specials, - * then general access, then restricted. - */ - auth { - /* user: the user@host allowed to connect. Multiple IPv4/IPv6 user - * lines are permitted per auth block. This is matched against the - * hostname and IP address (using :: shortening for IPv6 and - * prepending a 0 if it starts with a colon) and can also use CIDR - * masks. - */ - user = "*@10.243.0.0/12"; - user = "*@42::/16"; - - /* password: an optional password that is required to use this block. - * By default this is not encrypted, specify the flag "encrypted" in - * flags = ...; below if it is. - */ - #password = "letmein"; - - /* spoof: fake the users user@host to be be this. You may either - * specify a host or a user@host to spoof to. This is free-form, - * just do everyone a favour and dont abuse it. (OLD I: = flag) - */ - #spoof = "I.still.hate.packets"; - - /* Possible flags in auth: - * - * encrypted | password is encrypted with mkpasswd - * spoof_notice | give a notice when spoofing hosts - * exceed_limit (old > flag) | allow user to exceed class user limits - * kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls - * dnsbl_exempt | exempt this user from dnsbls - * spambot_exempt | exempt this user from spambot checks - * shide_exempt | exempt this user from serverhiding - * jupe_exempt | exempt this user from generating - * warnings joining juped channels - * resv_exempt | exempt this user from resvs - * flood_exempt | exempt this user from flood limits - * USE WITH CAUTION. - * no_tilde (old - flag) | don't prefix ~ to username if no ident - * need_ident (old + flag) | require ident for user in this class - * need_ssl | require SSL/TLS for user in this class - * need_sasl | require SASL id for user in this class - */ - flags = kline_exempt, exceed_limit, flood_exempt; - - /* class: the class the user is placed in */ - class = "krebs"; - }; - - auth { - user = "*@*"; - class = "users"; - }; - - /* privset {} blocks MUST be specified before anything that uses them. That - * means they must be defined before operator {}. - */ - privset "local_op" { - privs = oper:local_kill, oper:operwall; - }; - - privset "server_bot" { - extends = "local_op"; - privs = oper:kline, oper:remoteban, snomask:nick_changes; - }; - - privset "global_op" { - extends = "local_op"; - privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline, - oper:resv, oper:mass_notice, oper:remoteban; - }; - - privset "admin" { - extends = "global_op"; - privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:override; - }; - - privset "aids" { - privs = oper:override, oper:rehash; - }; - - operator "aids" { - user = "*@10.243.*"; - privset = "aids"; - flags = ~encrypted; - password = "balls"; - }; - - operator "god" { - /* name: the name of the oper must go above */ - - /* user: the user@host required for this operator. CIDR *is* - * supported now. auth{} spoofs work here, other spoofs do not. - * multiple user="" lines are supported. - */ - user = "*god@127.0.0.1"; - - /* password: the password required to oper. Unless ~encrypted is - * contained in flags = ...; this will need to be encrypted using - * mkpasswd, MD5 is supported - */ - password = "5"; - - /* rsa key: the public key for this oper when using Challenge. - * A password should not be defined when this is used, see - * doc/challenge.txt for more information. - */ - #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub"; - - /* umodes: the specific umodes this oper gets when they oper. - * If this is specified an oper will not be given oper_umodes - * These are described above oper_only_umodes in general {}; - */ - #umodes = locops, servnotice, operwall, wallop; - - /* fingerprint: if specified, the oper's client certificate - * fingerprint will be checked against the specified fingerprint - * below. - */ - #fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b"; - - /* snomask: specific server notice mask on oper up. - * If this is specified an oper will not be given oper_snomask. - */ - snomask = "+Zbfkrsuy"; - - /* flags: misc options for the operator. You may prefix an option - * with ~ to disable it, e.g. ~encrypted. - * - * Default flags are encrypted. - * - * Available options: - * - * encrypted: the password above is encrypted [DEFAULT] - * need_ssl: must be using SSL/TLS to oper up - */ - flags = encrypted; - - /* privset: privileges set to grant */ - privset = "admin"; - }; - - service { - name = "services.int"; - }; - - cluster { - name = "*"; - flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; - }; - - shared { - oper = "*@*", "*"; - flags = all, rehash; - }; - - /* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */ - exempt { - ip = "127.0.0.1"; - }; - - channel { - use_invex = yes; - use_except = yes; - use_forward = yes; - use_knock = yes; - knock_delay = 5 minutes; - knock_delay_channel = 1 minute; - max_chans_per_user = 15; - max_bans = 100; - max_bans_large = 500; - default_split_user_count = 0; - default_split_server_count = 0; - no_create_on_split = no; - no_join_on_split = no; - burst_topicwho = yes; - kick_on_split_riding = no; - only_ascii_channels = no; - resv_forcepart = yes; - channel_target_change = yes; - disable_local_channels = no; - }; - - serverhide { - flatten_links = yes; - links_delay = 5 minutes; - hidden = no; - disable_hidden = no; - }; - - /* These are the blacklist settings. - * You can have multiple combinations of host and rejection reasons. - * They are used in pairs of one host/rejection reason. - * - * These settings should be adequate for most networks, and are (presently) - * required for use on StaticBox. - * - * Word to the wise: Do not use blacklists like SPEWS for blocking IRC - * connections. - * - * As of charybdis 2.2, you can do some keyword substitution on the rejection - * reason. The available keyword substitutions are: - * - * ''${ip} - the user's IP - * ''${host} - the user's canonical hostname - * ''${dnsbl-host} - the dnsbl hostname the lookup was done against - * ''${nick} - the user's nickname - * ''${network-name} - the name of the network - * - * As of charybdis 3.4, a type parameter is supported, which specifies the - * address families the blacklist supports. IPv4 and IPv6 are supported. - * IPv4 is currently the default as few blacklists support IPv6 operation - * as of this writing. - * - * Note: AHBL (the providers of the below *.ahbl.org BLs) request that they be - * contacted, via email, at admins@2mbit.com befor