authorlassulus <lass@aidsballs.de>2016-02-18 17:07:49 +0100
committerlassulus <lass@aidsballs.de>2016-02-18 17:07:49 +0100
commitb7e4fa76513f07674e6a32a706e0ffa9fca3e897 (patch)
treee1a1936c53a608b2e1fd4f401fbb127f8055ad1f
parent97798eb4ede9a121092229b2f9ab68800b0ae866 (diff)
parent482180639dcf6064f0b249aeb350347f6e8e461f (diff)
Merge remote-tracking branch 'cd/master'
-rw-r--r--Makefile2
-rw-r--r--tv/1systems/nomic.nix2
-rw-r--r--tv/1systems/wu.nix28
-rw-r--r--tv/1systems/xu.nix7
-rw-r--r--tv/2configs/backup.nix38
-rw-r--r--tv/2configs/default.nix1
-rw-r--r--tv/2configs/im.nix24
-rw-r--r--tv/2configs/man.nix12
-rw-r--r--tv/2configs/urlwatch.nix41
-rw-r--r--tv/2configs/xu-qemu0.nix20
-rw-r--r--tv/3modules/iptables.nix22
11 files changed, 143 insertions, 54 deletions
diff --git a/Makefile b/Makefile
index 60dfe80..9dcd475 100644
--- a/Makefile
+++ b/Makefile
@@ -51,7 +51,7 @@ evaluate = \
execute = \
result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \
script=$$(echo "$$result" | jq -r .) && \
- echo "$$script" | sh
+ echo "$$script" | PS5=% sh
# usage: make deploy system=foo [target_host=bar]
deploy: ssh ?= ssh
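Review bot: `PS5` on the new line 34 is not a variable that POSIX sh or dash interprets, so setting it in the environment of `sh` changes nothing about how the evaluated script is run; if the intent is a trace prefix for `set -x`, the variable is `PS4`. If instead the generated deploy script itself reads `PS5`, that is not visible from this Makefile and deserves a comment on the line, e.g. `# PS5 is consumed by the generated deploy script, not by sh`. The variable is also inherited by every command the script launches, which is harmless but worth knowing when debugging.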
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 2c9775d..4532069 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -10,6 +10,8 @@ with config.krebs.lib;
../2configs/hw/AO753.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
+ ../2configs/im.nix
+ ../2configs/mail-client.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 6154e4d..8c363d9 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -10,7 +10,9 @@ with config.krebs.lib;
../2configs/hw/w110er.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
+ ../2configs/im.nix
../2configs/mail-client.nix
+ ../2configs/man.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
@@ -23,19 +25,6 @@ with config.krebs.lib;
hashPassword
haskellPackages.lentil
parallel
- (pkgs.writeScriptBin "im" ''
- #! ${pkgs.bash}/bin/bash
- export PATH=${makeSearchPath "bin" (with pkgs; [
- tmux
- gnugrep
- weechat
- ])}
- if tmux list-sessions -F\#S | grep -q '^im''$'; then
- exec tmux attach -t im
- else
- exec tmux new -s im weechat
- fi
- '')
# root
cryptsetup
@@ -52,14 +41,12 @@ with config.krebs.lib;
haskellPackages.hledger
htop
jq
- manpages
mkpasswd
netcat
nix-repl
nmap
nq
p7zip
- posix_man_pages
push
qrencode
texLive
@@ -165,11 +152,7 @@ with config.krebs.lib;
hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
- xlibs.fontschumachermisc
- slock
ethtool
- #firefoxWrapper # with plugins
- #chromiumDevWrapper
tinc
iptables
#jack2
@@ -177,7 +160,6 @@ with config.krebs.lib;
security.setuidPrograms = [
"sendmail" # for cron
- "slock"
];
services.printing.enable = true;
@@ -201,12 +183,6 @@ with config.krebs.lib;
KERNEL=="hpet", GROUP="audio"
'';
- services.bitlbee = {
- enable = true;
- plugins = [
- pkgs.bitlbee-facebook
- ];
- };
services.tor.client.enable = true;
services.tor.enable = true;
services.virtualboxHost.enable = true;
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 5ec1fe5..c6a69a8 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -11,6 +11,7 @@ with config.krebs.lib;
../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
+ ../2configs/man.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
@@ -52,7 +53,6 @@ with config.krebs.lib;
haskellPackages.hledger
htop
jq
- manpages
mkpasswd
netcat
nix-repl
@@ -60,7 +60,6 @@ with config.krebs.lib;
nq
p7zip
pass
- posix_man_pages
qrencode
texLive
tmux
@@ -163,11 +162,7 @@ with config.krebs.lib;
#hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
- #xlibs.fontschumachermisc
- #slock
ethtool
- #firefoxWrapper # with plugins
- #chromiumDevWrapper
tinc
iptables
#jack2
diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix
index 641e2d5..b551266 100644
--- a/tv/2configs/backup.nix
+++ b/tv/2configs/backup.nix
@@ -2,29 +2,43 @@
with config.krebs.lib;
{
krebs.backup.plans = {
+ } // mapAttrs (_: recursiveUpdate {
+ snapshots = {
+ daily = { format = "%Y-%m-%d"; retain = 7; };
+ weekly = { format = "%YW%W"; retain = 4; };
+ monthly = { format = "%Y-%m"; retain = 12; };
+ yearly = { format = "%Y"; };
+ };
+ }) {
+ nomic-home-xu = {
+ method = "push";
+ src = { host = config.krebs.hosts.nomic; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; };
+ startAt = "05:00";
+ };
wu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.wu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; };
startAt = "05:00";
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
};
xu-home-wu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.wu; path = "/bku/xu-home"; };
startAt = "06:00";
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
+ };
+ xu-pull-cd-ejabberd = {
+ method = "pull";
+ src = { host = config.krebs.hosts.cd; path = "/var/ejabberd"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/cd-ejabberd"; };
+ startAt = "07:00";
+ };
+ xu-pull-cd-home = {
+ method = "pull";
+ src = { host = config.krebs.hosts.cd; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; };
+ startAt = "07:00";
};
} // mapAttrs (_: recursiveUpdate {
snapshots = {
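Review bot: The new `xu-pull-cd-ejabberd` plan (L212-L217) copies `/var/ejabberd` — which on a stock ejabberd typically holds the Mnesia database with account credentials, rosters and spooled messages — onto xu under `/bku/cd-ejabberd`, and nothing in this file says who may read that path on the destination. A comment at the plan would make the sensitivity explicit for the next maintainer: `# ejabberd state incl. account credentials; /bku on xu must stay root-only`. Whether `krebs.backup` restricts the destination mode itself is not visible from here, so that should be confirmed rather than assumed. Both pull plans start at `07:00`; if they contend for the same SSH connection or disk the second one could be staggered, but that is a judgement call.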
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index c4a2d6b..13699a3 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -50,6 +50,7 @@ with config.krebs.lib;
{
security.sudo.extraConfig = ''
Defaults mailto="${config.krebs.users.tv.mail}"
+ Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}
diff --git a/tv/2configs/im.nix b/tv/2configs/im.nix
new file mode 100644
index 0000000..db1be7f
--- /dev/null
+++ b/tv/2configs/im.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+with config.krebs.lib;
+{
+ environment.systemPackages = with pkgs; [
+ (pkgs.writeDashBin "im" ''
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+ ];
+ services.bitlbee = {
+ enable = true;
+ plugins = [
+ pkgs.bitlbee-facebook
+ ];
+ };
+}
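Review bot: `export PATH=...` at L249 replaces the caller's PATH instead of prepending to it, so weechat and anything it shells out to (`/exec`, plugin scripts) only see tmux, grep and weechat; if that minimal PATH is deliberate, say so with `# deliberately minimal PATH for the weechat session`, otherwise use `export PATH=${makeSearchPath "bin" (with pkgs; [ tmux gnugrep weechat ])}:$PATH`. The bitlbee service enabled at L261 keeps the Facebook account credentials in its own state directory, guarded only by the IRC-side identify password, so it matters that the daemon stays on loopback; the listen address is left at the NixOS module default here, which I believe is 127.0.0.1, but pinning `interface = "127.0.0.1";` in this file makes that visible to whoever imports `im.nix` next. The `'^im''$'` pattern resolves to `^im$` after Nix de-escaping, which is correct, and is worth a one-line comment since `''$` reads oddly in dash.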
diff --git a/tv/2configs/man.nix b/tv/2configs/man.nix
new file mode 100644
index 0000000..a84e60b
--- /dev/null
+++ b/tv/2configs/man.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+{
+ environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
+ ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
+ s:^NROFF\t.*:& -Wbreak:
+ '
+ '';
+ environment.systemPackages = with pkgs; [
+ manpages
+ posix_man_pages
+ ];
+}
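Review bot: The `sed` substitution at L278 succeeds even when no line matches `^NROFF\t`, so a man.conf that separates the key with spaces, or renames it, yields an unchanged file and a derivation that still builds silently; add a post-check so the build fails instead: `${pkgs.gnugrep}/bin/grep -q -- '-Wbreak' $out`. Note that `\t` inside the Nix indented string reaches sed as a literal backslash-t, which GNU sed interprets as a tab; a short comment saying so would spare the next reader the check.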
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index 0106cdd..51b5323 100644
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -1,5 +1,5 @@
-{ config, ... }:
-
+{ config, pkgs, ... }:
+with config.krebs.lib;
{
krebs.urlwatch = {
enable = true;
@@ -52,8 +52,43 @@
# is derived from `configFile` in:
https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix
- https://pypi.python.org/pypi/vncdotool
+ {
+ url = https://pypi.python.org/pypi/vncdotool/json;
+ filter = "system:${pkgs.jq}/bin/jq -r '.releases|keys[]'";
+ }
https://api.github.com/repos/kanaka/noVNC/tags
];
+ hooksFile = toFile "hooks.py" ''
+ import subprocess
+ import urlwatch
+
+ class CaseFilter(urlwatch.filters.FilterBase):
+ """Filter for piping data through an external process"""
+
+ __kind__ = 'system'
+
+ def filter(self, data, subfilter=None):
+ if subfilter is None:
+ raise ValueError('The system filter needs a command')
+
+ proc = subprocess.Popen(
+ subfilter,
+ shell=True,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ )
+
+ (stdout, stderr) = proc.communicate(data.encode())
+
+ if proc.returncode != 0:
+ raise RuntimeError(
+ "system filter returned non-zero exit status %d; stderr:\n"
+ % proc.returncode
+ + stderr.decode()
+ )
+
+ return stdout.decode()
+ '';
};
}
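Review bot: `CaseFilter` at L312 is a misleading name for a filter whose `__kind__` is `system` and whose job is to pipe page data through an external command; rename it `SystemFilter`. The `shell=True` at L323 is acceptable only because `subfilter` comes from the operator's own Nix config (the `filter = "system:..."` string at L304) while the fetched page body is passed on stdin, never spliced into the command line — record that assumption in the docstring, e.g. `"""Pipe data through a shell command taken from the local config; fetched content only ever reaches it via stdin."""`. `data.encode()` at L329 assumes urlwatch hands the filter a `str`; if the installed version passes bytes this raises `AttributeError`, so that is worth confirming against the urlwatch release in nixpkgs.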
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
index 720a8ac..5be4899 100644
--- a/tv/2configs/xu-qemu0.nix
+++ b/tv/2configs/xu-qemu0.nix
@@ -15,18 +15,26 @@ in
#
# make [install] system=xu-qemu0 target_host=10.56.0.101
-# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
-# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
-# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT
-# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
-
with config.krebs.lib;
{
networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
+ tv.iptables.extra = {
+ nat.POSTROUTING = ["-j MASQUERADE"];
+ filter.FORWARD = [
+ "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+ "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
+ ];
+ filter.INPUT = [
+ "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
+ "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
+ ];
+ };
+
systemd.network.enable = true;
+ systemd.services.systemd-networkd-wait-online.enable = false;
+
services.resolved.enable = mkForce false;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
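Review bot: The MASQUERADE rule at L359 has no source or output-interface match, so once `ip_forward` is on (L374) it rewrites every forwarded connection leaving the host, not just the VM bridge's; scope it: `nat.POSTROUTING = ["-s 10.56.0.0/24 ! -o qemubr0 -j MASQUERADE"];`. Likewise the FORWARD accept at L362 lets guests open new connections to any destination the host can route to, including retiolum if that interface is up on xu; if guests are only meant to reach the internet, add `! -o retiolum` or an explicit `-o <uplink>` to that rule. `10.56.0.1/24` is the host address with a /24 mask; iptables normalises it to 10.56.0.0/24, but writing the network address avoids the misreading. The FORWARD chain's default policy is set in iptables.nix and is not visible in this hunk, so whether a DROP backstop exists should be checked there.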
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index c0fd7ec..c0e71f2 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -26,6 +26,21 @@ let
type = with types; listOf (either int str);
default = [];
};
+
+ extra = {
+ nat.POSTROUTING = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ filter.FORWARD = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ filter.INPUT = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ };
};
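Review bot: The three new `extra` options (L385-L396) have no `description`, and their `listOf str` type gives no hint that each string is spliced verbatim into iptables-restore input as `-A <chain> <string>`; a string containing a newline would therefore add arbitrary further lines (even a `COMMIT`). That is fine for operator-written config, but the description should say so, e.g. `description = "Raw rule bodies appended to the chain as '-A <chain> <rule>' lines; one rule per string, no newlines.";` on each option.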
imp = {
@@ -57,6 +72,11 @@ let
};
};
+ formatTable = table:
+ (concatStringsSep "\n"
+ (mapAttrsToList
+ (chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
+ table));
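Review bot: `formatTable` (L403-L407) emits chains in attribute-name order, since `mapAttrsToList` walks a sorted set, while the order of rules within one chain follows the list; neither fact is obvious from the one-liner, and the second one matters because the extra rules are appended after the module's built-in accepts. Suggested comment above it: `# One "-A <chain> <rule>" line per entry; list order within a chain is preserved, chains come out sorted by name.`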
rules = iptables-version: let
accept-echo-request = {
@@ -79,6 +99,7 @@ let
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
+ ${formatTable cfg.extra.nat}
COMMIT
*filter
:INPUT DROP [0:0]
@@ -94,6 +115,7 @@ let
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
++ ["-i retiolum -j Retiolum"]
)}
+ ${formatTable cfg.extra.filter}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))