diff options
author | tv <tv@krebsco.de> | 2015-07-19 11:18:15 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2015-07-19 11:18:15 +0200 |
commit | 1f747580290cb71b64d7f714601e9084f52eaf50 (patch) | |
tree | c109e79f39e87c9a190c9bbc351bcd51fb2e747f | |
parent | 09b16855722c368b429867279d62895de7e441ec (diff) | |
parent | 1691f1b780924d1416bc340b1ab268e7efa70e39 (diff) |
Merge remote-tracking branch 'lass/master'
-rw-r--r-- | 0make/lass/mors.makefile | 2 | ||||
-rw-r--r-- | 1systems/lass/mors.nix | 6 | ||||
-rw-r--r-- | 1systems/lass/uriel.nix | 6 | ||||
-rw-r--r-- | 2configs/lass/git-repos.nix | 10 | ||||
-rw-r--r-- | 2configs/lass/ircd.nix | 4 | ||||
-rw-r--r-- | 2configs/lass/steam.nix | 1 | ||||
-rw-r--r-- | 3modules/lass/iptables.nix | 65 |
7 files changed, 71 insertions, 23 deletions
diff --git a/0make/lass/mors.makefile b/0make/lass/mors.makefile index 892bc2e..896466a 100644 --- a/0make/lass/mors.makefile +++ b/0make/lass/mors.makefile @@ -1,4 +1,4 @@ deploy_host := root@mors nixpkgs_url := https://github.com/Lassulus/nixpkgs -nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90 +nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b secrets_dir := /home/lass/secrets/mors diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix index f724dec..940dc4f 100644 --- a/1systems/lass/mors.nix +++ b/1systems/lass/mors.nix @@ -33,6 +33,12 @@ ]; }; } + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + }; + } ]; networking.hostName = "mors"; diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix index b8fa899..25745d0 100644 --- a/1systems/lass/uriel.nix +++ b/1systems/lass/uriel.nix @@ -24,6 +24,12 @@ ]; }; } + { + imports = [ ../../3modules/tv/identity.nix ]; + tv.identity = { + enable = true; + }; + } ]; networking.hostName = "uriel"; diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix index 94ab631..c0c305b 100644 --- a/2configs/lass/git-repos.nix +++ b/2configs/lass/git-repos.nix @@ -121,10 +121,20 @@ in { imports = [ ../../3modules/tv/git.nix + ../../3modules/lass/iptables.nix ]; tv.git = { enable = true; inherit repos rules users; }; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } + ]; + }; + }; + } diff --git a/2configs/lass/ircd.nix b/2configs/lass/ircd.nix index c57f7dd..f71b769 100644 --- a/2configs/lass/ircd.nix +++ b/2configs/lass/ircd.nix @@ -83,6 +83,10 @@ channel_target_change = yes; disable_local_channels = no; }; + general { + #maybe we want ident someday? + disable_auth = yes; + }; ''; }; } diff --git a/2configs/lass/steam.nix b/2configs/lass/steam.nix index d54873b..7d088fc 100644 --- a/2configs/lass/steam.nix +++ b/2configs/lass/steam.nix @@ -12,6 +12,7 @@ ##TODO: make steam module hardware.opengl.driSupport32Bit = true; + nixpkgs.config.steam.java = true; environment.systemPackages = with pkgs; [ steam ]; diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix index 6d567ca..c97b9f7 100644 --- a/3modules/lass/iptables.nix +++ b/3modules/lass/iptables.nix @@ -2,7 +2,28 @@ arg@{ config, lib, pkgs, ... }: let inherit (pkgs) writeScript writeText; - inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr mkEnableOption mkOption mkIf types; + + inherit (lib) + concatMapStringsSep + concatStringsSep + attrNames + unique + fold + any + attrValues + catAttrs + filter + flatten + length + hasAttr + mkEnableOption + mkOption + mkIf + types + sort; + + elemIsIn = a: as: + any (x: x == a) as; cfg = config.lass.iptables; @@ -74,38 +95,38 @@ let }; }; - #buildTable :: iptablesAttrSet` -> str + #buildTable :: iptablesVersion -> iptablesAttrSet` -> str #todo: differentiate by iptables-version - buildTables = iptv: ts: + buildTables = v: ts: let + declareChain = t: cn: #TODO: find out what to do whit these count numbers ":${cn} ${t."${cn}".policy} [0:0]"; buildChain = tn: cn: - #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}"; - - #TODO: sort by precedence - #TODO: double check should be unneccessary, refactor! - if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" + let + sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; + + in + #TODO: double check should be unneccessary, refactor! + if (hasAttr "rules" ts."${tn}"."${cn}") then + if (ts."${tn}"."${cn}".rules == null) then + "" + else + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map (buildRule tn cn) sortedRules + ) else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map buildRule ts."${tn}"."${cn}".rules - ) - else - "" - ; + "" + ; - buildRule = rule: - #TODO implement rule validation-test here - # - #target: - #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN + buildRule = tn: cn: rule: + #target validation test: + assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); - #predicate: + #predicate validation test: #maybe use iptables-test #TODO: howto exit with evaluation error by shellscript? #apperantly not possible from nix because evalatution wouldn't be deterministic. |