From 8c81dde1f3b3ce8edcad2ca42ff973c06c13d788 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 28 Jan 2022 23:34:21 +0100
Subject: l: add acl module
---
lass/3modules/acl.nix | 64 +++++++++++++++++++++++++++++++++++++++++++++++
lass/3modules/default.nix | 1 +
2 files changed, 65 insertions(+)
create mode 100644 lass/3modules/acl.nix
(limited to 'lass')
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..b87ca2e08
--- /dev/null
+++ b/lass/3modules/acl.nix
@@ -0,0 +1,64 @@ +{ config, lib, pkgs, ... }: let + generateACLs = attrs: + lib.mapAttrsToList (path: rules: pkgs.writeDash "acl-${builtins.baseNameOf path}" '' + mkdir -p "${path}" + ${generateRules rules path} + '') attrs; + + generateRules = rules: path: + lib.concatStrings ( + lib.mapAttrsToList (_: rule: '' + setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} + ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} + ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} + '') rules + ); + + parents = dir: + if dir == "/" then + [ dir ] + else + [ dir ] ++ parents (builtins.dirOf dir) + ; +in { + options.lass.acl = lib.mkOption { + type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: { + options = { + rule = lib.mkOption { + type = lib.types.str; + default = config._module.args.name; + }; + default = lib.mkOption { + type = lib.types.bool; + default = !config.parents; + }; + recursive = lib.mkOption { + type = lib.types.bool; + default = !config.parents; + }; + parents = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + apply ACL to every parent folder + ''; + }; + }; + }))); + default = {}; + }; + config = lib.mkIf (config.lass.acl != {}) { + systemd.services.set_acl = { + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.acl + pkgs.coreutils + ]; + serviceConfig = { + ExecStart = generateACLs config.lass.acl; + RemainAfterExit = true; + Type = "oneshot"; + }; + }; + }; +} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 570bb45be..0373bd44c 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -1,6 +1,7 @@ _: { imports = [ + ./acl.nix ./dnsmasq.nix ./folderPerms.nix ./hosts.nix -- cgit v1.2.3 From 57341fa82f22806032e5411261a7bba6d0c5384f Mon Sep 17 00:00:00 2001 
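Review bot: The setfacl lines in generateRules interpolate `${rule.rule}` and `${path}` into the dash script unquoted, whereas the `mkdir -p "${path}"` line two lines earlier quotes the path, so a path or rule containing whitespace or glob characters would be word-split or expanded before setfacl sees it. Both values come from this module's own options rather than from runtime input, so this is a robustness and consistency point; wrapping them as `setfacl -${lib.optionalString rule.recursive "R"}m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}` (and likewise in the `default` and `parents` lines) closes it. The same unquoted lines are carried unchanged into the per-path ExecStart of the follow-up commit 57341fa below. The `parents` option description could also state that `parents path` yields every ancestor up to and including `/` (its base case returns `[ dir ]` for the root), e.g. `apply ACL to every parent folder, up to and including /`.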
From: lassulus Date: Sat, 29 Jan 2022 19:14:21 +0100 Subject: l acl: use a simple unit per path --- lass/3modules/acl.nix | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) (limited to 'lass') diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix index b87ca2e08..81eeae920 100644 --- a/lass/3modules/acl.nix +++ b/lass/3modules/acl.nix @@ -1,19 +1,4 @@ { config, lib, pkgs, ... }: let - generateACLs = attrs: - lib.mapAttrsToList (path: rules: pkgs.writeDash "acl-${builtins.baseNameOf path}" '' - mkdir -p "${path}" - ${generateRules rules path} - '') attrs; - - generateRules = rules: path: - lib.concatStrings ( - lib.mapAttrsToList (_: rule: '' - setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} - ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} - ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} - '') rules - ); - parents = dir: if dir == "/" then [ dir ] @@ -48,17 +33,23 @@ in { default = {}; }; config = lib.mkIf (config.lass.acl != {}) { - systemd.services.set_acl = { + systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" { wantedBy = [ "multi-user.target" ]; path = [ pkgs.acl pkgs.coreutils ]; serviceConfig = { - ExecStart = generateACLs config.lass.acl; + ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings ( + lib.mapAttrsToList (_: rule: '' + setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} + ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} + ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} + '') rules + )); RemainAfterExit = true; - Type = "oneshot"; + Type = "simple"; }; - }; + }) config.lass.acl; }; } -- cgit v1.2.3 
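Review bot: The per-path writeDash body on the new side runs only setfacl and no longer begins with the `mkdir -p "${path}"` that the removed generateACLs helper emitted, so if the directory does not yet exist when the `acl-*` unit starts, setfacl fails on the missing path instead of the directory being created first; reinstate `mkdir -p "${path}"` as the first line of the script. Switching `Type` from `oneshot` to `simple` while keeping `RemainAfterExit = true` also changes the unit's semantics: a `simple` unit counts as started as soon as the script is spawned, so anything ordered `After=` an `acl-*` unit no longer waits for the ACLs to be applied, which looks unintended — confirm, and keep `Type = "oneshot"` if that ordering guarantee is wanted. The enclosing `in { … }` attribute set begins before this hunk.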
From 100b6fc2438db6ca2c7abe0ad525be3b1dd64895 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 30 Jan 2022 10:47:23 +0100 Subject: move acl module to krebs --- lass/2configs/sync/the_playlist.nix | 6 ++-- lass/3modules/acl.nix | 55 ------------------------------------- lass/3modules/default.nix | 1 - 3 files changed, 3 insertions(+), 59 deletions(-) delete mode 100644 lass/3modules/acl.nix (limited to 'lass') diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix index 5bbf790a7..d8b17d239 100644 --- a/lass/2configs/sync/the_playlist.nix +++ b/lass/2configs/sync/the_playlist.nix @@ -3,7 +3,7 @@ path = "/home/lass/tmp/the_playlist"; devices = [ "mors" "phone" "prism" ]; }; - lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; - lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; - lass.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {}; + krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; + krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; + krebs.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {}; } diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix deleted file mode 100644 index 81eeae920..000000000 --- a/lass/3modules/acl.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ config, lib, pkgs, ... }: let - parents = dir: - if dir == "/" then - [ dir ] - else - [ dir ] ++ parents (builtins.dirOf dir) - ; -in { - options.lass.acl = lib.mkOption { - type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: { - options = { - rule = lib.mkOption { - type = lib.types.str; - default = config._module.args.name; - }; - default = lib.mkOption { - type = lib.types.bool; - default = !config.parents; - }; - recursive = lib.mkOption { - type = lib.types.bool; - default = !config.parents; - }; - parents = lib.mkOption { - type = lib.types.bool; - default = false; - description = '' - apply ACL to every parent folder - ''; - }; - }; - }))); - default = {}; - }; - config = lib.mkIf (config.lass.acl != {}) { - systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" { - wantedBy = [ "multi-user.target" ]; - path = [ - pkgs.acl - pkgs.coreutils - ]; - serviceConfig = { - ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings ( - lib.mapAttrsToList (_: rule: '' - setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} - ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} - ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} - '') rules - )); - RemainAfterExit = true; - Type = "simple"; - }; - }) config.lass.acl; - }; -} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 0373bd44c..570bb45be 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -1,7 +1,6 @@ _: { imports = [ - ./acl.nix ./dnsmasq.nix ./folderPerms.nix ./hosts.nix -- cgit v1.2.3 From af2faf380358fca09ee429690875c89eb965ea82 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 30 Jan 2022 10:52:13 +0100 Subject: l the_playlist: share with omo --- lass/2configs/sync/the_playlist.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix index d8b17d239..c01a11cc3 100644 --- a/lass/2configs/sync/the_playlist.nix +++ b/lass/2configs/sync/the_playlist.nix @@ -1,7 +1,7 @@ { services.syncthing.folders.the_playlist = { path = "/home/lass/tmp/the_playlist"; - devices = [ "mors" "phone" "prism" ]; + devices = [ "mors" "phone" "prism" "omo" ]; }; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; -- cgit v1.2.3 From be042e3446905e2517b530403bacc63b6de49d34 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 1 Feb 2022 13:52:21 +0100 Subject: gum.r: set weight to over 9000 we do this so we never route via gum, which tends to eat our packets and makes it impossible to connect to other peers via gum. --- lass/2configs/retiolum.nix | 3 --- 1 file changed, 3 deletions(-) (limited to 'lass') diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index a305d3e18..d4d97a889 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -28,9 +28,6 @@ ''; }; - # never connect via gum (he eats our packets!) - krebs.hosts.gum.nets.retiolum.tinc.weight = 9000; - nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; -- cgit v1.2.3