summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2015-07-19 11:18:15 +0200
committertv <tv@krebsco.de>2015-07-19 11:18:15 +0200
commit1f747580290cb71b64d7f714601e9084f52eaf50 (patch)
treec109e79f39e87c9a190c9bbc351bcd51fb2e747f
parent09b16855722c368b429867279d62895de7e441ec (diff)
parent1691f1b780924d1416bc340b1ab268e7efa70e39 (diff)
Merge remote-tracking branch 'lass/master'
-rw-r--r--0make/lass/mors.makefile2
-rw-r--r--1systems/lass/mors.nix6
-rw-r--r--1systems/lass/uriel.nix6
-rw-r--r--2configs/lass/git-repos.nix10
-rw-r--r--2configs/lass/ircd.nix4
-rw-r--r--2configs/lass/steam.nix1
-rw-r--r--3modules/lass/iptables.nix65
7 files changed, 71 insertions, 23 deletions
diff --git a/0make/lass/mors.makefile b/0make/lass/mors.makefile
index 892bc2e..896466a 100644
--- a/0make/lass/mors.makefile
+++ b/0make/lass/mors.makefile
@@ -1,4 +1,4 @@
deploy_host := root@mors
nixpkgs_url := https://github.com/Lassulus/nixpkgs
-nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90
+nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
secrets_dir := /home/lass/secrets/mors
diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix
index f724dec..940dc4f 100644
--- a/1systems/lass/mors.nix
+++ b/1systems/lass/mors.nix
@@ -33,6 +33,12 @@
];
};
}
+ {
+ imports = [ ../../3modules/tv/identity.nix ];
+ tv.identity = {
+ enable = true;
+ };
+ }
];
networking.hostName = "mors";
diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix
index b8fa899..25745d0 100644
--- a/1systems/lass/uriel.nix
+++ b/1systems/lass/uriel.nix
@@ -24,6 +24,12 @@
];
};
}
+ {
+ imports = [ ../../3modules/tv/identity.nix ];
+ tv.identity = {
+ enable = true;
+ };
+ }
];
networking.hostName = "uriel";
diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix
index 94ab631..c0c305b 100644
--- a/2configs/lass/git-repos.nix
+++ b/2configs/lass/git-repos.nix
@@ -121,10 +121,20 @@ in
{
imports = [
../../3modules/tv/git.nix
+ ../../3modules/lass/iptables.nix
];
tv.git = {
enable = true;
inherit repos rules users;
};
+
+ lass.iptables = {
+ tables = {
+ filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+ ];
+ };
+ };
+
}
diff --git a/2configs/lass/ircd.nix b/2configs/lass/ircd.nix
index c57f7dd..f71b769 100644
--- a/2configs/lass/ircd.nix
+++ b/2configs/lass/ircd.nix
@@ -83,6 +83,10 @@
channel_target_change = yes;
disable_local_channels = no;
};
+ general {
+ #maybe we want ident someday?
+ disable_auth = yes;
+ };
'';
};
}
diff --git a/2configs/lass/steam.nix b/2configs/lass/steam.nix
index d54873b..7d088fc 100644
--- a/2configs/lass/steam.nix
+++ b/2configs/lass/steam.nix
@@ -12,6 +12,7 @@
##TODO: make steam module
hardware.opengl.driSupport32Bit = true;
+ nixpkgs.config.steam.java = true;
environment.systemPackages = with pkgs; [
steam
];
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index 6d567ca..c97b9f7 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
@@ -2,7 +2,28 @@ arg@{ config, lib, pkgs, ... }:
let
inherit (pkgs) writeScript writeText;
- inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr mkEnableOption mkOption mkIf types;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ attrNames
+ unique
+ fold
+ any
+ attrValues
+ catAttrs
+ filter
+ flatten
+ length
+ hasAttr
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ sort;
+
+ elemIsIn = a: as:
+ any (x: x == a) as;
cfg = config.lass.iptables;
@@ -74,38 +95,38 @@ let
};
};
- #buildTable :: iptablesAttrSet` -> str
+ #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
#todo: differentiate by iptables-version
- buildTables = iptv: ts:
+ buildTables = v: ts:
let
+
declareChain = t: cn:
#TODO: find out what to do whit these count numbers
":${cn} ${t."${cn}".policy} [0:0]";
buildChain = tn: cn:
- #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
-
- #TODO: sort by precedence
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
+ let
+ sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
+
+ in
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then
+ if (ts."${tn}"."${cn}".rules == null) then
+ ""
+ else
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map (buildRule tn cn) sortedRules
+ )
else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map buildRule ts."${tn}"."${cn}".rules
- )
- else
- ""
- ;
+ ""
+ ;
- buildRule = rule:
- #TODO implement rule validation-test here
- #
- #target:
- #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+ buildRule = tn: cn: rule:
+ #target validation test:
+ assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
- #predicate:
+ #predicate validation test:
#maybe use iptables-test
#TODO: howto exit with evaluation error by shellscript?
#apperantly not possible from nix because evalatution wouldn't be deterministic.