authortv <tv@krebsco.de>2021-01-25 11:28:26 +0100
committertv <tv@krebsco.de>2021-01-25 11:28:26 +0100
commita0ca091cbf4e9ca41390ad9d54844c9eb2660406 (patch)
treeaae89f223f953a81da400d6f7deac1d5ae5d240e /lass/3modules
parent1cd73df0c8694f491d40f93a796ea58f150e88dc (diff)
parent71206dc6a2852dd69664e85aa6dcb49676ec1f6e (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/bindfs.nix51
-rw-r--r--lass/3modules/default.nix3
-rw-r--r--lass/3modules/ejabberd/config.nix128
-rw-r--r--lass/3modules/ejabberd/default.nix103
-rw-r--r--lass/3modules/sync-containers.nix166
5 files changed, 0 insertions, 451 deletions
diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix
deleted file mode 100644
index 5c8df8dc5..000000000
--- a/lass/3modules/bindfs.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }:
-let
- cfg = config.lass.bindfs;
-in {
- options.lass.bindfs = mkOption {
- type = types.attrsOf (types.submodule ({ config, ... }: {
- options = {
- target = mkOption {
- description = ''
- destination where bindfs mounts to.
- second positional argument to bindfs.
- '';
- default = config._module.args.name;
- type = types.absolute-pathname;
- };
- source = mkOption {
- description = ''
- source folder where the mounted directory is originally.
- first positional argument to bindfs.
- '';
- type = types.absolute-pathname;
- };
- options = mkOption {
- description = ''
- additional arguments to bindfs
- '';
- type = types.listOf types.str;
- default = [];
- };
- };
- }));
- default = {};
- };
-
- config = mkIf (cfg != {}) {
- systemd.services = mapAttrs' (n: mount: let
- name = replaceStrings [ "/" ] [ "_" ] n;
- in nameValuePair "bindfs-${name}" {
- wantedBy = [ "local-fs.target" ];
- path = [ pkgs.coreutils ];
- serviceConfig = {
- ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
- mkdir -p '${mount.source}'
- mkdir -p '${mount.target}'
- '';
- ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}";
- };
- }) cfg;
- };
-}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 8bee08caa..1ce88b238 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,9 +1,7 @@
_:
{
imports = [
- ./bindfs.nix
./dnsmasq.nix
- ./ejabberd
./folderPerms.nix
./hosts.nix
./klem.nix
@@ -13,7 +11,6 @@ _:
./pyload.nix
./restic.nix
./screenlock.nix
- ./sync-containers.nix
./usershadow.nix
./xjail.nix
./autowifi.nix
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
deleted file mode 100644
index 4630f25c1..000000000
--- a/lass/3modules/ejabberd/config.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-with import <stockholm/lib>;
-{ config, ... }: let
-
- # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
-
- ciphers = concatStringsSep ":" [
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-CHACHA20-POLY1305"
- "ECDHE-RSA-CHACHA20-POLY1305"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES256-SHA384"
- "ECDHE-RSA-AES256-SHA384"
- "ECDHE-ECDSA-AES128-SHA256"
- "ECDHE-RSA-AES128-SHA256"
- ];
-
- protocol_options = [
- "no_sslv2"
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_10"
- ];
-
-in /* yaml */ ''
-
- access_rules:
- announce:
- - allow: admin
- local:
- - allow: local
- configure:
- - allow: admin
- register:
- - allow
- s2s:
- - allow
- trusted_network:
- - allow: loopback
-
- acl:
- local:
- user_regexp: ""
- loopback:
- ip:
- - "127.0.0.0/8"
- - "::1/128"
- - "::FFFF:127.0.0.1/128"
-
- hosts: ${toJSON config.hosts}
-
- language: "en"
-
- listen:
- -
- port: 5222
- ip: "::"
- module: ejabberd_c2s
- shaper: c2s_shaper
- certfile: ${toJSON config.certfile.path}
- ciphers: ${toJSON ciphers}
- dhfile: ${toJSON config.dhfile.path}
- protocol_options: ${toJSON protocol_options}
- starttls: true
- starttls_required: true
- tls: false
- tls_compression: false
- max_stanza_size: 65536
- -
- port: 5269
- ip: "::"
- module: ejabberd_s2s_in
- shaper: s2s_shaper
- max_stanza_size: 131072
-
- loglevel: 4
-
- modules:
- mod_adhoc: {}
- mod_admin_extra: {}
- mod_announce:
- access: announce
- mod_caps: {}
- mod_carboncopy: {}
- mod_client_state: {}
- mod_configure: {}
- mod_disco: {}
- mod_echo: {}
- mod_bosh: {}
- mod_last: {}
- mod_offline:
- access_max_user_messages: max_user_offline_messages
- mod_ping: {}
- mod_privacy: {}
- mod_private: {}
- mod_register:
- access_from: allow
- access: register
- # ip_access: trusted_network
- registration_watchers: ${toJSON config.registration_watchers}
- mod_roster: {}
- mod_shared_roster: {}
- mod_stats: {}
- mod_time: {}
- mod_vcard:
- search: false
- mod_version: {}
- mod_http_api: {}
-
- s2s_access: s2s
- s2s_certfile: ${toJSON config.s2s_certfile.path}
- s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: ${toJSON config.dhfile.path}
- s2s_protocol_options: ${toJSON protocol_options}
- s2s_tls_compression: false
- s2s_use_starttls: required
-
- shaper_rules:
- max_user_offline_messages:
- - 5000: admin
- - 100
- max_user_sessions: 10
- c2s_shaper:
- - none: admin
- - normal
- s2s_shaper: fast
-''
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
deleted file mode 100644
index 20a38d572..000000000
--- a/lass/3modules/ejabberd/default.nix
+++ /dev/null
@@ -1,103 +0,0 @@
-{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
-
- gen-dhparam = pkgs.writeDash "gen-dhparam" ''
- set -efu
- path=$1
- bits=2048
- # TODO regenerate dhfile after some time?
- if ! test -e "$path"; then
- ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
- fi
- '';
-
-in {
- options.lass.ejabberd = {
- enable = mkEnableOption "lass.ejabberd";
- certfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-certfile";
- path = "${cfg.user.home}/ejabberd.pem";
- owner = cfg.user;
- source-path = "/var/lib/acme/lassul.us/full.pem";
- };
- };
- dhfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-dhfile";
- path = "${cfg.user.home}/dhparams.pem";
- owner = cfg.user;
- source-path = "/dev/null";
- };
- };
- hosts = mkOption {
- type = with types; listOf str;
- };
- pkgs.ejabberdctl = mkOption {
- type = types.package;
- default = pkgs.writeDashBin "ejabberdctl" ''
- exec ${pkgs.ejabberd}/bin/ejabberdctl \
- --config ${toFile "ejabberd.yaml" (import ./config.nix {
- inherit pkgs;
- config = cfg;
- })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
- "$@"
- '';
- };
- registration_watchers = mkOption {
- type = types.listOf types.str;
- default = [
- config.krebs.users.tv.mail
- ];
- };
- s2s_certfile = mkOption {
- type = types.secret-file;
- default = cfg.certfile;
- };
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/ejabberd";
- };
- };
- };
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
-
- krebs.secret.files = {
- ejabberd-certfile = cfg.certfile;
- ejabberd-s2s_certfile = cfg.s2s_certfile;
- };
-
- systemd.services.ejabberd = {
- wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- ];
- serviceConfig = {
- ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
- PermissionsStartOnly = true;
- SyslogIdentifier = "ejabberd";
- User = cfg.user.name;
- TimeoutStartSec = 60;
- };
- };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- };
- };
-}
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
deleted file mode 100644
index ca81458a9..000000000
--- a/lass/3modules/sync-containers.nix
+++ /dev/null
@@ -1,166 +0,0 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }: let
- cfg = config.lass.sync-containers;
- paths = cname: {
- plain = "/var/lib/containers/${cname}/var/state";
- ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
- securefs = "${cfg.dataLocation}/${cname}/securefs";
- };
- start = cname: {
- plain = ''
- '';
- ecryptfs = ''
- if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
- if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
- ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- else
- ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- fi
- fi
- '';
- securefs = ''
- ## TODO init file systems if it does not exist
- # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
- if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
- ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
- fi
- '';
- };
- stop = cname: {
- plain = ''
- '';
- ecryptfs = ''
- ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- '';
- securefs = ''
- umount /var/lib/containers/${cname}/var/state
- '';
- };
-in {
- options.lass.sync-containers = {
- dataLocation = mkOption {
- description = ''
- location where the encrypted sync-container lie around
- '';
- default = "/var/lib/sync-containers";
- type = types.absolute-pathname;
- };
- containers = mkOption {
- type = types.attrsOf (types.submodule ({ config, ... }: {
- options = {
- name = mkOption {
- description = ''
- name of the container
- '';
- default = config._module.args.name;
- type = types.str;
- };
- peers = mkOption {
- description = ''
- syncthing peers to share this container with
- '';
- default = [];
- type = types.listOf types.str;
- };
- hostIp = mkOption { # TODO find this automatically
- description = ''
- hostAddress of the privateNetwork
- '';
- example = "10.233.2.15";
- type = types.str;
- };
- localIp = mkOption { # TODO find this automatically
- description = ''
- localAddress of the privateNetwork
- '';
- example = "10.233.2.16";
- type = types.str;
- };
- format = mkOption {
- description = ''
- file system encrption format of the container
- '';
- type = types.enum [ "plain" "ecryptfs" "securefs" ];
- };
- };
- }));
- default = {};
- };
- };
-
- config = mkIf (cfg.containers != {}) {
- programs.fuse.userAllowOther = true;
-
- services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
- devices = ctr.peers;
- ignorePerms = false;
- })) cfg.containers);
-
- krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
- file-mode = "u+rw";
- directory-mode = "u+rwx";
- owner = "syncthing";
- keepGoing = false;
- })) cfg.containers);
-
- systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
- reloadIfChanged = mkForce false;
- })) cfg.containers;
-
- containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
- config = { ... }: {
- environment.systemPackages = [
- pkgs.git
- ];
- system.activationScripts.fuse = {
- text = ''
- ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
- '';
- deps = [];
- };
- };
- allowedDevices = [
- { modifier = "rwm"; node = "/dev/fuse"; }
- ];
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = ctr.hostIp;
- localAddress = ctr.localIp;
- })) cfg.containers;
-
- environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
- (pkgs.writeDashBin "start-${ctr.name}" ''
- set -euf
- set -x
-
- mkdir -p /var/lib/containers/${ctr.name}/var/state
-
- ${(start ctr.name).${ctr.format}}
-
- STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
- if [ "$STATE" = 'down' ]; then
- ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
- fi
-
- ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
- set -x
-
- mkdir -p /var/state/var_src
- ln -sfTr /var/state/var_src /var/src
- touch /etc/NIXOS
- ''}
-
- if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
- ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
- fi
- '')
- (pkgs.writeDashBin "stop-${ctr.name}" ''
- set -euf
-
- ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
- ${(stop ctr.name).${ctr.format}}
- '')
- ]) cfg.containers);
- };
-}