From eee4142d06f9d5c35af70a647af7fe71adefdaa2 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 13 Aug 2015 22:25:40 +0200
Subject: lass 3: add folderPerms.nix
---
lass/3modules/folderPerms.nix | 107 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+)
create mode 100644 lass/3modules/folderPerms.nix
(limited to 'lass')
diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix
new file mode 100644
index 00000000..789fd48d
--- /dev/null
+++ b/lass/3modules/folderPerms.nix
@@ -0,0 +1,107 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (pkgs)
+ writeScript
+ ;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
+
+ cfg = config.lass.folderPerms;
+
+ out = {
+ options.lass.folderPerms = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "folder permissions";
+ permissions = mkOption {
+ type = with types; listOf (submodule ({
+ options = {
+ path = mkOption {
+ type = str;
+ };
+ permission = mkOption {
+ type = nullOr str;
+ example = "755";
+ description = ''
+ basically anything that chmod takes as permission
+ '';
+ default = null;
+ };
+ owner = mkOption {
+ type = nullOr str;
+ example = "root:root";
+ description = ''
+ basically anything that chown takes as owner
+ '';
+ default = null;
+ };
+ recursive = mkOption {
+ type = bool;
+ default = false;
+ };
+ };
+ }));
+ };
+ };
+
+ imp = {
+ systemd.services.lass-folderPerms = {
+ description = "lass-folderPerms";
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [
+ coreutils
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript}";
+ };
+ };
+ };
+
+ startScript = writeScript "lass-folderPerms" ''
+ ${concatMapStringsSep "\n" writeCommand cfg.permissions}
+ '';
+
+ writeCommand = fperm:
+ concatStringsSep "\n" [
+ (buildPermission fperm)
+ (buildOwner fperm)
+ ];
+
+ buildPermission = perm:
+ if (perm.permission == null) then
+ ""
+ else
+ if perm.recursive then
+ "chmod -R ${perm.permission} ${perm.path}"
+ else
+ "chmod ${perm.permission} ${perm.path}"
+ ;
+
+ buildOwner = perm:
+ if (perm.owner == null) then
+ ""
+ else
+ if perm.recursive then
+ "chown -R ${perm.owner} ${perm.path}"
+ else
+ "chown ${perm.owner} ${perm.path}"
+ ;
+
+in out
-- cgit v1.2.3
From e30ee0f14bce976f38f9954dd4432368bd978822 Mon Sep 17 00:00:00 2001
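Review bot: `startScript` is built with `writeScript` from the generated command lines alone, so the file that `ExecStart` points at has no interpreter line; systemd execs it directly, and a file without a `#!` is not something the kernel can run unless something outside this hunk adds one — put `#!/bin/sh` (followed by `set -e` so a failing chmod is reported rather than skipped) as the first line of the script text. The `serviceConfig` also sets a lowercase `type = "simple"`, which systemd will not recognise as `Type=`, and pairs it with `Restart = "always"` for a script that terminates after its last chown; for a run-once fixer `Type = "oneshot";` together with the existing `RemainAfterExit = true;` and no `Restart` line states the intent. `buildPermission` and `buildOwner` splice `perm.path` into the shell line unquoted, so a path containing whitespace or glob characters is split before it reaches chmod/chown — `"chmod ${perm.permission} '${perm.path}'"` is enough here, and the same unquoted interpolation survives in the last hunk of f36177cf91fa7db20f7e30e84910fb9efd82b975. The `@` prefix on `ExecStart` alters how argv[0] is passed and looks unintended for a single-token command; presumably `ExecStart = "${startScript}";` was meant.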
From: lassulus
Date: Thu, 13 Aug 2015 22:26:07 +0200
Subject: lass 2: add downloading.nix
---
lass/2configs/downloading.nix | 67 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 lass/2configs/downloading.nix
(limited to 'lass')
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
new file mode 100644
index 00000000..e6d31a6c
--- /dev/null
+++ b/lass/2configs/downloading.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../3modules/iptables.nix
+ ../3modules/folderPerms.nix
+ ];
+
+ users.extraUsers = {
+ download = {
+ name = "download";
+ home = "/var/download";
+ createHome = true;
+ extraGroups = [
+ "download"
+ ];
+ };
+
+ transmission = {
+ extraGroups = [
+ "download"
+ ];
+ };
+ };
+
+ users.extraGroups = {
+ download = {
+ members = [
+ "download"
+ "transmission"
+ ];
+ };
+ };
+
+ services.transmission = {
+ enable = true;
+ settings = {
+ download-dir = "/var/download/finished";
+ incomplete-dir = "/var/download/incoming";
+ incomplete-dir-enabled = true;
+
+ rpc-authentication-required = true;
+ rpc-whitelist-enabled = false;
+ rpc-username = "download";
+ #add rpc-password in secrets
+ rpc-password = "test123";
+ };
+ };
+
+ lass.iptables = {
+ enable = true;
+ tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
+ ];
+ };
+
+ lass.folderPerms = {
+ enable = true;
+ permissions = [
+ {
+ path = "/var/download";
+ permission = "775";
+ owner = "transmission:download";
+ }
+ ];
+ };
+}
-- cgit v1.2.3
From dd43270cebcd88f1f4a06b15e5f94434f68993c5 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 13 Aug 2015 22:28:19 +0200
Subject: lass 1: repair uriel
---
lass/1systems/uriel.nix | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'lass')
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 74d99556..041b891b 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
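Review bot: `rpc-password = "test123"` commits a working credential to the repository, and the same file sets `rpc-whitelist-enabled = false` and accepts `-p tcp --dport 9091` from any source in `lass.iptables`, so the transmission RPC is reachable from everywhere with a password that is now public history. The `#add rpc-password in secrets` comment states the intent; the `secrets` url that mors.nix already declares on this page is the place to read the value from, and until that is wired the placeholder should be removed rather than left with a guessable value. Presumably the settings.json derived from this expression also ends up world-readable in the Nix store, which is one more reason not to put the real password here either. The iptables rule would be safer scoped to a source, `{ predicate = "-s <trusted-net> -p tcp --dport 9091"; target = "ACCEPT"; }` with `<trusted-net>` as a placeholder, or dropped in favour of the whitelist the file currently disables.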
@@ -3,15 +3,15 @@ with builtins; { imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/bird.nix - ../../2configs/lass/new-repos.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/retiolum.nix + ../2configs/desktop-base.nix + ../2configs/browsers.nix + ../2configs/games.nix + ../2configs/pass.nix + ../2configs/urxvt.nix + ../2configs/bird.nix + ../2configs/new-repos.nix + ../2configs/chromium-patched.nix + ../2configs/retiolum.nix { users.extraUsers = { root = { -- cgit v1.2.3 From 44f0a81ff0b2b399e90cda6e5eddf1e3a2cd9552 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:29:14 +0200 Subject: lass 1: bump rev --- lass/1systems/mors.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e7edccce..e4bc1622 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -29,7 +29,7 @@ deps = { nixpkgs = { url = https://github.com/Lassulus/nixpkgs; - rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; + rev = "961fd7b7a0f88dde7dac2f7a4c05ee4e1a25381d"; }; secrets = { url = "/home/lass/secrets/${config.krebs.build.host.name}"; -- cgit v1.2.3 From fa7f1946c39b0223b5a3ea31414fa48b14952660 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:29:37 +0200 Subject: lass 2: remove unneded " --- lass/2configs/fastpoke-pages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lass') diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix index 9c80fa77..bcf80114 100644 --- a/lass/2configs/fastpoke-pages.nix +++ b/lass/2configs/fastpoke-pages.nix 
@@ -20,8 +20,8 @@ let # 10.243.206.102 ${domain} #''; users.extraUsers = { - "${domain}" = { - name = "${domain}"; + ${domain} = { + name = domain; home = "/var/lib/http/${domain}"; createHome = true; }; -- cgit v1.2.3 From aee18a93d39b617d3f857cc9c8db3c82474ba10b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:30:50 +0200 Subject: lass 2 fastpoke-pages: disable postgresql --- lass/2configs/fastpoke-pages.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass') diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix index bcf80114..1c8106a8 100644 --- a/lass/2configs/fastpoke-pages.nix +++ b/lass/2configs/fastpoke-pages.nix @@ -90,9 +90,9 @@ in { }; }; - services.postgresql = { - enable = true; - }; + #services.postgresql = { + # enable = true; + #}; #config.services.vsftpd = { # enable = true; -- cgit v1.2.3 From 434581244077cf97cec96cca5e5cb5a18cd15ad1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:32:03 +0200 Subject: lass 2: add wordpress.nix --- lass/2configs/wordpress.nix | 59 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 lass/2configs/wordpress.nix (limited to 'lass') diff --git a/lass/2configs/wordpress.nix b/lass/2configs/wordpress.nix new file mode 100644 index 00000000..9458deb3 --- /dev/null +++ b/lass/2configs/wordpress.nix 
@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+
+{
+ containers.wordpress = {
+ privateNetwork = true;
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.2";
+
+ config = {
+ imports = [
+ ../3modules/iptables.nix
+ ];
+
+ lass.iptables = {
+ enable = true;
+ tables = {
+ filter.INPUT.policy = "DROP";
+ filter.FORWARD.policy = "DROP";
+ filter.INPUT.rules = [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+ { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+ { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
+ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ iptables
+ ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql;
+ };
+
+ services.httpd = {
+ enable = true;
+ adminAddr = "root@apanowicz.de";
+ extraModules = [
+ { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
+ ];
+ virtualHosts = [
+ {
+ hostName = "wordpress";
+ serverAliases = [ "wordpress" "www.wordpress" ];
+
+ extraSubservices = [
+ {
+ serviceName = "wordpress";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+}
-- cgit v1.2.3
From dbd69c4e956bc1c88b379c273a5ea5b4ceea8813 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 13 Aug 2015 22:32:46 +0200
Subject: lass 1 mors: enable wordpress
---
lass/1systems/mors.nix | 1 +
1 file changed, 1 insertion(+)
(limited to 'lass')
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index e4bc1622..e7f8d527 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -20,6 +20,7 @@ ../2configs/new-repos.nix #../../2configs/tv/synaptics.nix ../2configs/retiolum.nix + ../2configs/wordpress.nix ]; krebs.build = {
-- cgit v1.2.3
From f36177cf91fa7db20f7e30e84910fb9efd82b975 Mon Sep 17 00:00:00 2001
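Review bot: The container's `filter.INPUT.rules` accept `-p tcp --dport 22`, but nothing in `containers.wordpress.config` enables an ssh daemon, so the rule punches a hole in the DROP policy for a port with no visible listener; remove it, or add it together with `services.openssh`, so the container exposes only `--dport 80`. `extraModules` hard-codes `libphp5.so` under `${pkgs.php}`, which ties the vhost to PHP 5 and will fail to load once `pkgs.php` moves on; a comment such as `# path is PHP-5 specific; revisit on php upgrade` would at least flag it. `services.postgresql` is enabled next to a wordpress subservice left at its defaults, so whether the blog actually talks to this database is not visible from the hunk — a one-line comment naming the database the subservice is expected to use would settle that for the next reader.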
From: lassulus Date: Fri, 14 Aug 2015 15:41:49 +0200 Subject: lass 3 folderPerms: remove recursive option --- lass/3modules/folderPerms.nix | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) (limited to 'lass') diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix index 789fd48d..bb032032 100644 --- a/lass/3modules/folderPerms.nix +++ b/lass/3modules/folderPerms.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, ... }: +#TODO: implement recursive mode maybe? +# enable different mods for files and folders + let inherit (pkgs) writeScript @@ -45,10 +48,6 @@ let ''; default = null; }; - recursive = mkOption { - type = bool; - default = false; - }; }; })); }; @@ -85,23 +84,21 @@ let ]; buildPermission = perm: + #TODO: create folder maybe + #TODO: check if permission is valid if (perm.permission == null) then "" else - if perm.recursive then - "chmod -R ${perm.permission} ${perm.path}" - else - "chmod ${perm.permission} ${perm.path}" + "chmod ${perm.permission} ${perm.path}" ; buildOwner = perm: + #TODO: create folder maybe + #TODO: check if owner/group valid if (perm.owner == null) then "" else - if perm.recursive then - "chown -R ${perm.owner} ${perm.path}" - else - "chown ${perm.owner} ${perm.path}" + "chown ${perm.owner} ${perm.path}" ; in out -- cgit v1.2.3
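Review bot: The `#TODO: check if permission is valid` added above `buildPermission` can be closed by the module instead of being deferred to the shell: `permission` stays a free `str`, so a typo is only discovered when the service runs the command, whereas an `assertions` entry in `imp` that fails evaluation for any `cfg.permissions` element whose non-null `permission` is not an octal or symbolic mode (and, for `buildOwner`, whose `owner` is not `user` or `user:group`) reports the mistake at build time. The `#TODO: create folder maybe` comments deserve a decision in the option docs — state in the `path` option's `description` whether the path must already exist, because `chmod`/`chown` on a missing path fails the whole script, and with the `Restart = "always"` the first commit on this page gave the service that failure would repeat unless it has since been changed. The two `#TODO` lines added at the top of the file would read better as one `# TODO` block in full sentences, e.g. `# TODO: recursive mode, and separate modes for files and directories, are not implemented.`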