From 20bc13044d2851d1ddaff68383209817dd0445f9 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 14 Aug 2022 16:42:52 +0200 Subject: tv ni: add NS record for tv.krebsco.de --- krebs/3modules/tv/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 965505a75..fa088e46e 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -168,6 +168,7 @@ in { cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} krebsco.de. 60 IN MX 5 ni krebsco.de. 60 IN TXT v=spf1 mx -all + tv 300 IN NS ni ''; }; nets = { -- cgit v1.2.3 From a78ae459283a05c47f023be1cfa8208e4da855a4 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 14 Aug 2022 16:43:29 +0200 Subject: tv ni internet: add ip6 --- krebs/3modules/tv/default.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index fa088e46e..016d5ca9f 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -164,8 +164,11 @@ in { extraZones = { "krebsco.de" = '' ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} + cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr} krebsco.de. 60 IN MX 5 ni krebsco.de. 60 IN TXT v=spf1 mx -all tv 300 IN NS ni @@ -173,7 +176,14 @@ in { }; nets = { internet = { - ip4.addr = "188.68.36.196"; + ip4 = rec { + addr = "188.68.36.196"; + prefix = "${addr}/32"; + }; + ip6 = rec { + addr = "2a03:4000:13:4c::1"; + prefix = "${addr}/64"; + }; aliases = [ "ni.i" "cgit.ni.i" -- cgit v1.2.3 From 31b30c5f22757da774c1cd4d409696138e6dca6b Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 15 Aug 2022 01:43:57 +0200 Subject: zones: make zonefiles available as packages --- krebs/3modules/zones.nix | 40 +++++++++++++++++++++++++++------------- 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index eb1351866..b9b69e993 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -1,22 +1,36 @@ with import ; -{ config, ... }: { +{ config, pkgs, ... }: { config = { - # Implements environment.etc."zones/" - environment.etc = let - stripEmptyLines = s: (concatStringsSep "\n" - (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; - all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" - ([config.krebs.zone-head-config] ++ combined-hosts); - combined-hosts = - mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts; - in + environment.etc = mapAttrs' - (name: value: { + (name: pkg: { name = "zones/${name}"; - value.text = stripEmptyLines value; + value.source = pkg; }) - all-zones; + pkgs.krebs.zones; + + nixpkgs.overlays = [ + # Explicit zones generated from config.krebs.hosts.*.extraZones + (self: super: let + stripEmptyLines = s: (concatStringsSep "\n" + (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; + all-zones = foldAttrs (sum: current: sum + "\n" + current) "" + ([config.krebs.zone-head-config] ++ combined-hosts); + combined-hosts = + mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts; + in { + krebs = super.krebs or {} // { + zones = super.krebs.zones or {} // + mapAttrs' + (name: value: { + name = name; + value = self.writeText "${name}.zone" (stripEmptyLines value); + }) + all-zones; + }; + }) + ]; }; } -- cgit v1.2.3 From e5425253146157eb8ea251db2ad38840a4cdb255 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 15 Aug 2022 01:44:59 +0200 Subject: zones: add zonefile packages for i, r, and w --- krebs/3modules/zones.nix | 67 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index b9b69e993..51ced6f95 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -30,6 +30,73 @@ with import ; all-zones; }; }) + + # Implicit zones generated from config.krebs.hosts.*.nets.*.ip{4,6}.addr + (self: super: let + # record : { name : str, type : enum [ "A" "AAAA" ], data : str } + + # toRecord : record.name -> record.type -> record.data -> record + toRecord = name: type: data: + { inherit name type data; }; + + # toRecords : str -> host -> [record] + toRecords = netname: host: + let + net = host.nets.${netname}; + in + optionals + (hasAttr netname host.nets) + (filter + (x: x.data != null) + (concatLists [ + (map + (name: toRecord name "A" (net.ip4.addr or null)) + (concatMap + (name: [ "${name}." "4.${name}." ]) + (net.aliases or []))) + (map + (name: toRecord name "AAAA" (net.ip6.addr or null)) + (concatMap + (name: [ "${name}." "6.${name}." ]) + (net.aliases or []))) + ])); + + # formatRecord : record -> str + formatRecord = { name, type, data }: "${name} IN ${type} ${data}"; + + # writeZone : attrs -> package + writeZone = + { name ? "${domain}.zone" + , domain ? substring 0 1 netname + , nameservers ? [ "ni" ] + , netname + , hosts ? config.krebs.hosts + }: + self.writeText name /* bindzone */ '' + $TTL 60 + @ IN SOA ns admin 1 3600 600 86400 60 + @ IN NS ns + ${concatMapStringsSep "\n" + (name: /* bindzone */ "ns IN CNAME ${name}") + nameservers + } + ${concatMapStringsSep + "\n" + formatRecord + (concatMap + (toRecords netname) + (attrValues hosts)) + } + ''; + in { + krebs = super.krebs or {} // { + zones = super.krebs.zones or {} // { + i = writeZone { netname = "internet"; }; + r = writeZone { netname = "retiolum"; }; + w = writeZone { netname = "wiregrill"; }; + }; + }; + }) ]; }; -- cgit v1.2.3 From 4f9e6225341a273eca9866fe65911afb8b99bb41 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 20 Aug 2022 19:03:06 +0200 Subject: tv gitrepos: move regfish to museum --- tv/2configs/gitrepos.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix index 4d22fdff5..50444c1ee 100644 --- a/tv/2configs/gitrepos.nix +++ b/tv/2configs/gitrepos.nix @@ -109,7 +109,6 @@ let { }; q = {}; reaktor2 = {}; - regfish = {}; stockholm = { cgit.desc = "NixOS configuration"; }; @@ -156,6 +155,7 @@ let { painload = {}; push = {}; Reaktor = {}; + regfish = {}; with-tmpdir = {}; get = {}; load-env = {}; -- cgit v1.2.3 From 587015b9d7d3955d8e1c8d89ef95047078492f9a Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 20 Aug 2022 21:50:48 +0200 Subject: tv nginx: close requests with bad Host header --- tv/2configs/nginx/default.nix | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index b0acb9435..e68fc714f 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -8,18 +8,13 @@ with import ; recommendedOptimisation = true; recommendedTlsSettings = true; - virtualHosts._http = { + virtualHosts.${toJSON ""} = { default = true; extraConfig = '' - return 404; - ''; - }; - - virtualHosts.default = { - locations."= /etc/os-release".extraConfig = '' - default_type text/plain; - alias /etc/os-release; + error_page 400 =444 /; + return 444; ''; + rejectSSL = true; }; }; tv.iptables = { -- cgit v1.2.3 From b00873ffa73fdee8473158be7de11557ab4e36b7 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 20 Aug 2022 22:32:00 +0200 Subject: tv nginx: enable reload --- tv/2configs/nginx/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index e68fc714f..efea3a844 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -4,6 +4,8 @@ with import ; { services.nginx = { + enableReload = true; + recommendedGzipSettings = true; recommendedOptimisation = true; recommendedTlsSettings = true; -- cgit v1.2.3 From ab4838d5f36fb38d358b8da93ebf5dfc3c8bb4f2 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 22 Aug 2022 23:09:31 +0200 Subject: tv jc: init at 1.21.0 --- tv/5pkgs/override/jc.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 tv/5pkgs/override/jc.nix diff --git a/tv/5pkgs/override/jc.nix b/tv/5pkgs/override/jc.nix new file mode 100644 index 000000000..346dd3eee --- /dev/null +++ b/tv/5pkgs/override/jc.nix @@ -0,0 +1,21 @@ +self: super: + +let + version = "1.21.0"; +in + +# Prevent downgrades. +assert self.lib.versionAtLeast version super.jc.version; + +self.python3.pkgs.toPythonApplication + (self.python3.pkgs.jc.overrideAttrs + (oldAttrs: { + name = "jc-${version}"; + version = version; + src = self.fetchFromGitHub { + owner = "kellyjonbrazil"; + repo = "jc"; + rev = "v${version}"; + sha256 = "sha256-kS42WokR7ZIqIPi8LbX4tmtjn37tckea2ELbuqzTm2o"; + }; + })) -- cgit v1.2.3 From 86942a302126e66b7dcb03d66cb64facb7437ca1 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 23 Aug 2022 02:29:25 +0200 Subject: certaids: init --- krebs/5pkgs/simple/certaids.nix | 109 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 krebs/5pkgs/simple/certaids.nix diff --git a/krebs/5pkgs/simple/certaids.nix b/krebs/5pkgs/simple/certaids.nix new file mode 100644 index 000000000..34f4c3e14 --- /dev/null +++ b/krebs/5pkgs/simple/certaids.nix @@ -0,0 +1,109 @@ +{ pkgs }: + +pkgs.write "certaids" { + "/bin/cert2json".link = pkgs.writeDash "cert2json" '' + # usage: cert2json < CERT > JSON + set -efu + + ${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin | + ${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text | + ${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" '' + function abort(msg) { + print(msg) > "/dev/stderr" + exit 1 + } + + function toJSON(x, type, ret) { + type = typeof(x) + switch (type) { + case "array": + if (isArray(x)) return arrayToJSON(x) + if (isObject(x)) return objectToJSON(x) + abort("cannot render array to JSON", x) + case "number": + return numberToJSON(x) + case "string": + return stringToJSON(x) + case "strnum": + case "unassigned": + case "regexp": + case "untyped": + default: + abort("cannot render type: " type) + } + } + + function isArray(x, i, k) { + i = 1 + for (k in x) { + if (k != i++) return 0 + i++ + } + return 1 + } + + function isObject(x, k) { + for (k in x) { + if (typeof(k) != "string") return 0 + } + return 1 + } + + function arrayToJSON(x, k, ret) { + ret = "[" + for (k in x) { + ret=ret toJSON(x[k]) "," + } + sub(/,$/,"",ret) + ret=ret "]" + return ret + } + + function objectToJSON(x, k,ret) { + ret = "{" + for (k in x) { + ret = ret toJSON(k) ":" toJSON(x[k]) "," + } + sub(/,$/, "", ret) + ret = ret "}" + return ret + } + + function numberToJSON(x) { + return x + } + + function stringToJSON(x) { + gsub(/\\/, "&&",x) + gsub(/\n/, "\\n", x) + return "\"" x "\"" + } + + $1 ~ /^ *(Subject|Issuer):/ { + sub(/^ */, "") + sub(/: */, ",") + key=tolower($1) + sub(/[^,]*,/, "") + + # Normalize separators between relative distinguished names. + # [1]: RFC2253, 3. Parsing a String back to a Distinguished Name + # TODO support any distinguished name + gsub(/ *[;,] */, ",") + + for(i = 0; i <= NF; i++) { + split($i, a, "=") + cache[key][a[1]] = a[2] + } + } + + /BEGIN CERTIFICATE/,/END CERTIFICATE/{ + cache["certificate"] = cache["certificate"] $0 "\n" + } + + /END CERTIFICATE/{ + print toJSON(cache) + delete cache + } + ''} + ''; +} -- cgit v1.2.3