authormakefu <github@syntax-fehler.de>2015-07-29 14:56:06 +0200
committermakefu <github@syntax-fehler.de>2015-07-29 14:56:06 +0200
commit0bf2b871dda30231443324588ab8142e125e9774 (patch)
tree0646d45eab135eb2c7d8665c31d7ac135e29afff /3modules/lass
parent671710c573980d859cb82993cd0514058a63262f (diff)
parent1bf670270c1e87900a908f7e9b949b5502158f4f (diff)
merge cloudkrebs, fix path to krebs/4lib
Diffstat (limited to '3modules/lass')
-rw-r--r--3modules/lass/iptables.nix187
-rw-r--r--3modules/lass/sshkeys.nix26
-rw-r--r--3modules/lass/urxvtd.nix55
-rw-r--r--3modules/lass/xresources.nix57
4 files changed, 0 insertions, 325 deletions
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
deleted file mode 100644
index c97b9f730..000000000
--- a/3modules/lass/iptables.nix
+++ /dev/null
@@ -1,187 +0,0 @@
-arg@{ config, lib, pkgs, ... }:
-
-let
- inherit (pkgs) writeScript writeText;
-
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- mkEnableOption
- mkOption
- mkIf
- types
- sort;
-
- elemIsIn = a: as:
- any (x: x == a) as;
-
- cfg = config.lass.iptables;
-
- out = {
- options.lass.iptables = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "iptables";
-
- #tables.filter.INPUT = {
- # policy = "DROP";
- # rules = [
- # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
- # ];
- #};
- #new api
- tables = mkOption {
- type = with types; attrsOf (attrsOf (submodule ({
- options = {
- policy = mkOption {
- type = str;
- default = "-";
- };
- rules = mkOption {
- type = nullOr (listOf (submodule ({
- options = {
- predicate = mkOption {
- type = str;
- };
- target = mkOption {
- type = str;
- };
- precedence = mkOption {
- type = int;
- default = 0;
- };
- };
- })));
- default = null;
- };
- };
- })));
- };
- };
-
- imp = {
- networking.firewall.enable = false;
-
- systemd.services.lass-iptables = {
- description = "lass-iptables";
- wantedBy = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- ExecStart = "@${startScript} lass-iptables_start";
- };
- };
- };
-
- #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
- #todo: differentiate by iptables-version
- buildTables = v: ts:
- let
-
- declareChain = t: cn:
- #TODO: find out what to do whit these count numbers
- ":${cn} ${t."${cn}".policy} [0:0]";
-
- buildChain = tn: cn:
- let
- sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
-
- in
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
- else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
- )
- else
- ""
- ;
-
-
- buildRule = tn: cn: rule:
- #target validation test:
- assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
- "${rule.predicate} -j ${rule.target}";
-
- buildTable = tn:
- "*${tn}\n" +
- concatStringsSep "\n" ([]
- ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
- ) +
- #this looks dirty, find a better way to do this (maybe optionalString)
- concatStringsSep "" ([]
- ++ map (buildChain tn) (attrNames ts."${tn}")
- ) +
- "\nCOMMIT";
- in
- concatStringsSep "\n" ([]
- ++ map buildTable (attrNames ts)
- );
-
-#=====
-
- rules4 = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- writeText "lass-iptables-rules${toString iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
-
- startScript = writeScript "lass-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
- '';
-
-in
-out
-
diff --git a/3modules/lass/sshkeys.nix b/3modules/lass/sshkeys.nix
deleted file mode 100644
index 5f1c60668..000000000
--- a/3modules/lass/sshkeys.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-{
- options = {
- sshKeys = mkOption {
- type = types.attrsOf (types.submodule (
- { config, ... }:
- {
- options = {
- pub = mkOption {
- type = types.str;
- description = "Public part of the ssh key.";
- };
-
- priv = mkOption {
- type = types.str;
- description = "Private part of the ssh key.";
- };
- };
- }));
- description = "collection of ssh-keys";
- };
- };
-}
diff --git a/3modules/lass/urxvtd.nix b/3modules/lass/urxvtd.nix
deleted file mode 100644
index 469616a9f..000000000
--- a/3modules/lass/urxvtd.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-in
-
-with builtins;
-with lib;
-
-{
- options = {
- services.urxvtd = {
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable urxvtd per user";
- };
- users = mkOption {
- type = types.listOf types.string;
- default = [];
- description = "users to run urxvtd for";
- };
- urxvtPackage = mkOption {
- type = types.package;
- default = pkgs.rxvt_unicode;
- description = "urxvt package to use";
- };
- };
- };
-
- config =
- let
- cfg = config.services.urxvtd;
- users = cfg.users;
- urxvt = cfg.urxvtPackage;
- mkService = user: {
- description = "urxvt terminal daemon";
- wantedBy = [ "multi-user.target" ];
- restartIfChanged = false;
- path = [ pkgs.xlibs.xrdb ];
- environment = {
- DISPLAY = ":0";
- URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
- };
- serviceConfig = {
- Restart = "always";
- User = user;
- ExecStart = "${urxvt}/bin/urxvtd";
- };
- };
- in
- mkIf cfg.enable {
- environment.systemPackages = [ urxvt ];
- systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
- };
-}
diff --git a/3modules/lass/xresources.nix b/3modules/lass/xresources.nix
deleted file mode 100644
index 15c5b8b74..000000000
--- a/3modules/lass/xresources.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-#TODO:
-#prefix with Attribute Name
-#ex: urxvt
-
-#
-#
-with builtins;
-with lib;
-
-
-let
-
- inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
- inherit (pkgs) writeScript;
-
-in
-
-{
-
- options = {
- services.xresources.enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Whether to enable the automatic loading of Xresources definitions at display-manager start;
- '';
- };
-
- services.xresources.resources = mkOption {
- default = {};
- type = types.attrsOf types.str;
- example = {
- urxvt = ''
- URxvt*scrollBar: false
- URxvt*urgentOnBell: true
- '';
- };
- description = ''
- Xresources definitions.
- '';
- };
- };
-
- config =
- let
- cfg = config.services.xresources;
- xres = concatStringsSep "\n" (attrValues cfg.resources);
-
- in mkIf cfg.enable {
- services.xserver.displayManager.sessionCommands = ''
- echo ${shell-escape xres} | xrdb -merge
- '';
- };
-
-}