diff options
author | makefu <github@syntax-fehler.de> | 2015-07-29 14:56:06 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2015-07-29 14:56:06 +0200 |
commit | 0bf2b871dda30231443324588ab8142e125e9774 (patch) | |
tree | 0646d45eab135eb2c7d8665c31d7ac135e29afff /3modules/lass | |
parent | 671710c573980d859cb82993cd0514058a63262f (diff) | |
parent | 1bf670270c1e87900a908f7e9b949b5502158f4f (diff) |
merge cloudkrebs, fix path to krebs/4lib
Diffstat (limited to '3modules/lass')
-rw-r--r-- | 3modules/lass/iptables.nix | 187 | ||||
-rw-r--r-- | 3modules/lass/sshkeys.nix | 26 | ||||
-rw-r--r-- | 3modules/lass/urxvtd.nix | 55 | ||||
-rw-r--r-- | 3modules/lass/xresources.nix | 57 |
4 files changed, 0 insertions, 325 deletions
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix deleted file mode 100644 index c97b9f730..000000000 --- a/3modules/lass/iptables.nix +++ /dev/null @@ -1,187 +0,0 @@ -arg@{ config, lib, pkgs, ... }: - -let - inherit (pkgs) writeScript writeText; - - inherit (lib) - concatMapStringsSep - concatStringsSep - attrNames - unique - fold - any - attrValues - catAttrs - filter - flatten - length - hasAttr - mkEnableOption - mkOption - mkIf - types - sort; - - elemIsIn = a: as: - any (x: x == a) as; - - cfg = config.lass.iptables; - - out = { - options.lass.iptables = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "iptables"; - - #tables.filter.INPUT = { - # policy = "DROP"; - # rules = [ - # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; } - # ]; - #}; - #new api - tables = mkOption { - type = with types; attrsOf (attrsOf (submodule ({ - options = { - policy = mkOption { - type = str; - default = "-"; - }; - rules = mkOption { - type = nullOr (listOf (submodule ({ - options = { - predicate = mkOption { - type = str; - }; - target = mkOption { - type = str; - }; - precedence = mkOption { - type = int; - default = 0; - }; - }; - }))); - default = null; - }; - }; - }))); - }; - }; - - imp = { - networking.firewall.enable = false; - - systemd.services.lass-iptables = { - description = "lass-iptables"; - wantedBy = [ "network-pre.target" ]; - before = [ "network-pre.target" ]; - after = [ "systemd-modules-load.service" ]; - - path = with pkgs; [ - iptables - ]; - - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - RemainAfterExit = true; - Restart = "always"; - ExecStart = "@${startScript} lass-iptables_start"; - }; - }; - }; - - #buildTable :: iptablesVersion -> iptablesAttrSet` -> str - #todo: differentiate by iptables-version - buildTables = v: ts: - let - - declareChain = t: cn: - #TODO: find out what to do whit these count numbers - ":${cn} ${t."${cn}".policy} [0:0]"; - - buildChain = tn: cn: - let - sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; - - in - #TODO: double check should be unneccessary, refactor! - if (hasAttr "rules" ts."${tn}"."${cn}") then - if (ts."${tn}"."${cn}".rules == null) then - "" - else - concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules - ) - else - "" - ; - - - buildRule = tn: cn: rule: - #target validation test: - assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. - "${rule.predicate} -j ${rule.target}"; - - buildTable = tn: - "*${tn}\n" + - concatStringsSep "\n" ([] - ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") - ) + - #this looks dirty, find a better way to do this (maybe optionalString) - concatStringsSep "" ([] - ++ map (buildChain tn) (attrNames ts."${tn}") - ) + - "\nCOMMIT"; - in - concatStringsSep "\n" ([] - ++ map buildTable (attrNames ts) - ); - -#===== - - rules4 = iptables-version: - let - #TODO: find out good defaults. - tables-defaults = { - nat.PREROUTING.policy = "ACCEPT"; - nat.INPUT.policy = "ACCEPT"; - nat.OUTPUT.policy = "ACCEPT"; - nat.POSTROUTING.policy = "ACCEPT"; - filter.INPUT.policy = "ACCEPT"; - filter.FORWARD.policy = "ACCEPT"; - filter.OUTPUT.policy = "ACCEPT"; - - #if someone specifies any other rules on this chain, the default rules get lost. - #is this wanted beahiviour or a bug? - #TODO: implement abstraction of rules - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; - }; - tables = tables-defaults // cfg.tables; - - in - writeText "lass-iptables-rules${toString iptables-version}" '' - ${buildTables iptables-version tables} - ''; - - startScript = writeScript "lass-iptables_start" '' - #! /bin/sh - set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} - ''; - -in -out - diff --git a/3modules/lass/sshkeys.nix b/3modules/lass/sshkeys.nix deleted file mode 100644 index 5f1c60668..000000000 --- a/3modules/lass/sshkeys.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ lib, ... }: - -with lib; - -{ - options = { - sshKeys = mkOption { - type = types.attrsOf (types.submodule ( - { config, ... }: - { - options = { - pub = mkOption { - type = types.str; - description = "Public part of the ssh key."; - }; - - priv = mkOption { - type = types.str; - description = "Private part of the ssh key."; - }; - }; - })); - description = "collection of ssh-keys"; - }; - }; -} diff --git a/3modules/lass/urxvtd.nix b/3modules/lass/urxvtd.nix deleted file mode 100644 index 469616a9f..000000000 --- a/3modules/lass/urxvtd.nix +++ /dev/null @@ -1,55 +0,0 @@ -{ config, lib, pkgs, ... }: - -let -in - -with builtins; -with lib; - -{ - options = { - services.urxvtd = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable urxvtd per user"; - }; - users = mkOption { - type = types.listOf types.string; - default = []; - description = "users to run urxvtd for"; - }; - urxvtPackage = mkOption { - type = types.package; - default = pkgs.rxvt_unicode; - description = "urxvt package to use"; - }; - }; - }; - - config = - let - cfg = config.services.urxvtd; - users = cfg.users; - urxvt = cfg.urxvtPackage; - mkService = user: { - description = "urxvt terminal daemon"; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = false; - path = [ pkgs.xlibs.xrdb ]; - environment = { - DISPLAY = ":0"; - URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl"; - }; - serviceConfig = { - Restart = "always"; - User = user; - ExecStart = "${urxvt}/bin/urxvtd"; - }; - }; - in - mkIf cfg.enable { - environment.systemPackages = [ urxvt ]; - systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); - }; -} diff --git a/3modules/lass/xresources.nix b/3modules/lass/xresources.nix deleted file mode 100644 index 15c5b8b74..000000000 --- a/3modules/lass/xresources.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ config, lib, pkgs, ... }: - -#TODO: -#prefix with Attribute Name -#ex: urxvt - -# -# -with builtins; -with lib; - - -let - - inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; - inherit (pkgs) writeScript; - -in - -{ - - options = { - services.xresources.enable = mkOption { - type = types.bool; - default = false; - description = '' - Whether to enable the automatic loading of Xresources definitions at display-manager start; - ''; - }; - - services.xresources.resources = mkOption { - default = {}; - type = types.attrsOf types.str; - example = { - urxvt = '' - URxvt*scrollBar: false - URxvt*urgentOnBell: true - ''; - }; - description = '' - Xresources definitions. - ''; - }; - }; - - config = - let - cfg = config.services.xresources; - xres = concatStringsSep "\n" (attrValues cfg.resources); - - in mkIf cfg.enable { - services.xserver.displayManager.sessionCommands = '' - echo ${shell-escape xres} | xrdb -merge - ''; - }; - -} |