diff options
author | lassulus <lass@aidsballs.de> | 2016-02-18 17:07:49 +0100 |
---|---|---|
committer | lassulus <lass@aidsballs.de> | 2016-02-18 17:07:49 +0100 |
commit | b7e4fa76513f07674e6a32a706e0ffa9fca3e897 (patch) | |
tree | e1a1936c53a608b2e1fd4f401fbb127f8055ad1f | |
parent | 97798eb4ede9a121092229b2f9ab68800b0ae866 (diff) | |
parent | 482180639dcf6064f0b249aeb350347f6e8e461f (diff) |
Merge remote-tracking branch 'cd/master'
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | tv/1systems/nomic.nix | 2 | ||||
-rw-r--r-- | tv/1systems/wu.nix | 28 | ||||
-rw-r--r-- | tv/1systems/xu.nix | 7 | ||||
-rw-r--r-- | tv/2configs/backup.nix | 38 | ||||
-rw-r--r-- | tv/2configs/default.nix | 1 | ||||
-rw-r--r-- | tv/2configs/im.nix | 24 | ||||
-rw-r--r-- | tv/2configs/man.nix | 12 | ||||
-rw-r--r-- | tv/2configs/urlwatch.nix | 41 | ||||
-rw-r--r-- | tv/2configs/xu-qemu0.nix | 20 | ||||
-rw-r--r-- | tv/3modules/iptables.nix | 22 |
11 files changed, 143 insertions, 54 deletions
@@ -51,7 +51,7 @@ evaluate = \ execute = \ result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \ script=$$(echo "$$result" | jq -r .) && \ - echo "$$script" | sh + echo "$$script" | PS5=% sh # usage: make deploy system=foo [target_host=bar] deploy: ssh ?= ssh diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 2c9775d..4532069 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -10,6 +10,8 @@ with config.krebs.lib; ../2configs/hw/AO753.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/im.nix + ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 6154e4d..8c363d9 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -10,7 +10,9 @@ with config.krebs.lib; ../2configs/hw/w110er.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/im.nix ../2configs/mail-client.nix + ../2configs/man.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix @@ -23,19 +25,6 @@ with config.krebs.lib; hashPassword haskellPackages.lentil parallel - (pkgs.writeScriptBin "im" '' - #! ${pkgs.bash}/bin/bash - export PATH=${makeSearchPath "bin" (with pkgs; [ - tmux - gnugrep - weechat - ])} - if tmux list-sessions -F\#S | grep -q '^im''$'; then - exec tmux attach -t im - else - exec tmux new -s im weechat - fi - '') # root cryptsetup @@ -52,14 +41,12 @@ with config.krebs.lib; haskellPackages.hledger htop jq - manpages mkpasswd netcat nix-repl nmap nq p7zip - posix_man_pages push qrencode texLive @@ -165,11 +152,7 @@ with config.krebs.lib; hardware.opengl.driSupport32Bit = true; environment.systemPackages = with pkgs; [ - xlibs.fontschumachermisc - slock ethtool - #firefoxWrapper # with plugins - #chromiumDevWrapper tinc iptables #jack2 @@ -177,7 +160,6 @@ with config.krebs.lib; security.setuidPrograms = [ "sendmail" # for cron - "slock" ]; services.printing.enable = true; @@ -201,12 +183,6 @@ with config.krebs.lib; KERNEL=="hpet", GROUP="audio" ''; - services.bitlbee = { - enable = true; - plugins = [ - pkgs.bitlbee-facebook - ]; - }; services.tor.client.enable = true; services.tor.enable = true; services.virtualboxHost.enable = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 5ec1fe5..c6a69a8 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -11,6 +11,7 @@ with config.krebs.lib; ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/man.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix @@ -52,7 +53,6 @@ with config.krebs.lib; haskellPackages.hledger htop jq - manpages mkpasswd netcat nix-repl @@ -60,7 +60,6 @@ with config.krebs.lib; nq p7zip pass - posix_man_pages qrencode texLive tmux @@ -163,11 +162,7 @@ with config.krebs.lib; #hardware.opengl.driSupport32Bit = true; environment.systemPackages = with pkgs; [ - #xlibs.fontschumachermisc - #slock ethtool - #firefoxWrapper # with plugins - #chromiumDevWrapper tinc iptables #jack2 diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 641e2d5..b551266 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -2,29 +2,43 @@ with config.krebs.lib; { krebs.backup.plans = { + } // mapAttrs (_: recursiveUpdate { + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }) { + nomic-home-xu = { + method = "push"; + src = { host = config.krebs.hosts.nomic; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; }; + startAt = "05:00"; + }; wu-home-xu = { method = "push"; src = { host = config.krebs.hosts.wu; path = "/home"; }; dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; }; startAt = "05:00"; - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; }; xu-home-wu = { method = "push"; src = { host = config.krebs.hosts.xu; path = "/home"; }; dst = { host = config.krebs.hosts.wu; path = "/bku/xu-home"; }; startAt = "06:00"; - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; + }; + xu-pull-cd-ejabberd = { + method = "pull"; + src = { host = config.krebs.hosts.cd; path = "/var/ejabberd"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/cd-ejabberd"; }; + startAt = "07:00"; + }; + xu-pull-cd-home = { + method = "pull"; + src = { host = config.krebs.hosts.cd; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; }; + startAt = "07:00"; }; } // mapAttrs (_: recursiveUpdate { snapshots = { diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index c4a2d6b..13699a3 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -50,6 +50,7 @@ with config.krebs.lib; { security.sudo.extraConfig = '' Defaults mailto="${config.krebs.users.tv.mail}" + Defaults !lecture ''; time.timeZone = "Europe/Berlin"; } diff --git a/tv/2configs/im.nix b/tv/2configs/im.nix new file mode 100644 index 0000000..db1be7f --- /dev/null +++ b/tv/2configs/im.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: +with config.krebs.lib; +{ + environment.systemPackages = with pkgs; [ + (pkgs.writeDashBin "im" '' + export PATH=${makeSearchPath "bin" (with pkgs; [ + tmux + gnugrep + weechat + ])} + if tmux list-sessions -F\#S | grep -q '^im''$'; then + exec tmux attach -t im + else + exec tmux new -s im weechat + fi + '') + ]; + services.bitlbee = { + enable = true; + plugins = [ + pkgs.bitlbee-facebook + ]; + }; +} diff --git a/tv/2configs/man.nix b/tv/2configs/man.nix new file mode 100644 index 0000000..a84e60b --- /dev/null +++ b/tv/2configs/man.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: +{ + environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} '' + ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out ' + s:^NROFF\t.*:& -Wbreak: + ' + ''; + environment.systemPackages = with pkgs; [ + manpages + posix_man_pages + ]; +} diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index 0106cdd..51b5323 100644 --- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -1,5 +1,5 @@ -{ config, ... }: - +{ config, pkgs, ... }: +with config.krebs.lib; { krebs.urlwatch = { enable = true; @@ -52,8 +52,43 @@ # is derived from `configFile` in: https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix - https://pypi.python.org/pypi/vncdotool + { + url = https://pypi.python.org/pypi/vncdotool/json; + filter = "system:${pkgs.jq}/bin/jq -r '.releases|keys[]'"; + } https://api.github.com/repos/kanaka/noVNC/tags ]; + hooksFile = toFile "hooks.py" '' + import subprocess + import urlwatch + + class CaseFilter(urlwatch.filters.FilterBase): + """Filter for piping data through an external process""" + + __kind__ = 'system' + + def filter(self, data, subfilter=None): + if subfilter is None: + raise ValueError('The system filter needs a command') + + proc = subprocess.Popen( + subfilter, + shell=True, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + ) + + (stdout, stderr) = proc.communicate(data.encode()) + + if proc.returncode != 0: + raise RuntimeError( + "system filter returned non-zero exit status %d; stderr:\n" + % proc.returncode + + stderr.decode() + ) + + return stdout.decode() + ''; }; } diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix index 720a8ac..5be4899 100644 --- a/tv/2configs/xu-qemu0.nix +++ b/tv/2configs/xu-qemu0.nix @@ -15,18 +15,26 @@ in # # make [install] system=xu-qemu0 target_host=10.56.0.101 -# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT -# TODO iptables -A POSTROUTING -t nat -j MASQUERADE -# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT -# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT - with config.krebs.lib; { networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; + tv.iptables.extra = { + nat.POSTROUTING = ["-j MASQUERADE"]; + filter.FORWARD = [ + "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" + "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT" + ]; + filter.INPUT = [ + "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT" + "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT" + ]; + }; + systemd.network.enable = true; + systemd.services.systemd-networkd-wait-online.enable = false; + services.resolved.enable = mkForce false; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index c0fd7ec..c0e71f2 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -26,6 +26,21 @@ let type = with types; listOf (either int str); default = []; }; + + extra = { + nat.POSTROUTING = mkOption { + type = with types; listOf str; + default = []; + }; + filter.FORWARD = mkOption { + type = with types; listOf str; + default = []; + }; + filter.INPUT = mkOption { + type = with types; listOf str; + default = []; + }; + }; }; imp = { @@ -57,6 +72,11 @@ let }; }; + formatTable = table: + (concatStringsSep "\n" + (mapAttrsToList + (chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}")) + table)); rules = iptables-version: let accept-echo-request = { @@ -79,6 +99,7 @@ let ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [ "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" ]} + ${formatTable cfg.extra.nat} COMMIT *filter :INPUT DROP [0:0] @@ -94,6 +115,7 @@ let ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) ++ ["-i retiolum -j Retiolum"] )} + ${formatTable cfg.extra.filter} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) |