-rw-r--r-- | krebs/3modules/tv/default.nix | 13 | ||||
-rw-r--r-- | krebs/3modules/zones.nix | 107 | ||||
-rw-r--r-- | krebs/5pkgs/simple/certaids.nix | 109 | ||||
-rw-r--r-- | tv/2configs/gitrepos.nix | 2 | ||||
-rw-r--r-- | tv/2configs/nginx/default.nix | 15 | ||||
-rw-r--r-- | tv/5pkgs/override/jc.nix | 21 |
6 files changed, 243 insertions, 24 deletions
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 965505a75..016d5ca9f 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -164,15 +164,26 @@ in {
 extraZones = {
 "krebsco.de" = ''
 ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
 cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
 cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
+ cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
 krebsco.de. 60 IN MX 5 ni
 krebsco.de. 60 IN TXT v=spf1 mx -all
+ tv 300 IN NS ni
 '';
 };
 nets = {
 internet = {
- ip4.addr = "188.68.36.196";
+ ip4 = rec {
+ addr = "188.68.36.196";
+ prefix = "${addr}/32";
+ };
+ ip6 = rec {
+ addr = "2a03:4000:13:4c::1";
+ prefix = "${addr}/64";
+ };
 aliases = [
 "ni.i"
 "cgit.ni.i"
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index eb1351866..51ced6f95 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
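Review bot: `tv 300 IN NS ni` delegates tv.krebsco.de to ni, but no zone for that name is defined anywhere in this commit — the zones.nix overlay only produces the i, r and w zones plus whatever extraZones supplies — so unless ni already serves tv.krebsco.de from configuration outside this diff, queries under it will go unanswered. If it is served elsewhere, a one-line comment next to the record, `# tv.krebsco.de is served by ni; zone defined in <path>`, would save the next reader the search. The delegation also uses a 300 s TTL while the surrounding records use 60 s; that looks deliberate but is worth stating in the same comment.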
@@ -1,22 +1,103 @@ with import <stockholm/lib>; -{ config, ... }: { +{ config, pkgs, ... }: { config = { - # Implements environment.etc."zones/<zone-name>" - environment.etc = let - stripEmptyLines = s: (concatStringsSep "\n" - (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; - all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" - ([config.krebs.zone-head-config] ++ combined-hosts); - combined-hosts = - mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts; - in + environment.etc = mapAttrs' - (name: value: { + (name: pkg: { name = "zones/${name}"; - value.text = stripEmptyLines value; + value.source = pkg; }) - all-zones; + pkgs.krebs.zones; + + nixpkgs.overlays = [ + # Explicit zones generated from config.krebs.hosts.*.extraZones + (self: super: let + stripEmptyLines = s: (concatStringsSep "\n" + (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; + all-zones = foldAttrs (sum: current: sum + "\n" + current) "" + ([config.krebs.zone-head-config] ++ combined-hosts); + combined-hosts = + mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts; + in { + krebs = super.krebs or {} // { + zones = super.krebs.zones or {} // + mapAttrs' + (name: value: { + name = name; + value = self.writeText "${name}.zone" (stripEmptyLines value); + }) + all-zones; + }; + }) + + # Implicit zones generated from config.krebs.hosts.*.nets.*.ip{4,6}.addr + (self: super: let + # record : { name : str, type : enum [ "A" "AAAA" ], data : str } + + # toRecord : record.name -> record.type -> record.data -> record + toRecord = name: type: data: + { inherit name type data; }; + + # toRecords : str -> host -> [record] + toRecords = netname: host: + let + net = host.nets.${netname}; + in + optionals + (hasAttr netname host.nets) + (filter + (x: x.data != null) + (concatLists [ + (map + (name: toRecord name "A" (net.ip4.addr or null)) + (concatMap + (name: [ "${name}." "4.${name}." 
]) + (net.aliases or []))) + (map + (name: toRecord name "AAAA" (net.ip6.addr or null)) + (concatMap + (name: [ "${name}." "6.${name}." ]) + (net.aliases or []))) + ])); + + # formatRecord : record -> str + formatRecord = { name, type, data }: "${name} IN ${type} ${data}"; + + # writeZone : attrs -> package + writeZone = + { name ? "${domain}.zone" + , domain ? substring 0 1 netname + , nameservers ? [ "ni" ] + , netname + , hosts ? config.krebs.hosts + }: + self.writeText name /* bindzone */ '' + $TTL 60 + @ IN SOA ns admin 1 3600 600 86400 60 + @ IN NS ns + ${concatMapStringsSep "\n" + (name: /* bindzone */ "ns IN CNAME ${name}") + nameservers + } + ${concatMapStringsSep + "\n" + formatRecord + (concatMap + (toRecords netname) + (attrValues hosts)) + } + ''; + in { + krebs = super.krebs or {} // { + zones = super.krebs.zones or {} // { + i = writeZone { netname = "internet"; }; + r = writeZone { netname = "retiolum"; }; + w = writeZone { netname = "wiregrill"; }; + }; + }; + }) + ]; }; } diff --git a/krebs/5pkgs/simple/certaids.nix b/krebs/5pkgs/simple/certaids.nix new file mode 100644 index 000000000..34f4c3e14 --- /dev/null +++ b/krebs/5pkgs/simple/certaids.nix 
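Review bot: writeZone emits `ns IN CNAME ${name}` for every nameserver and then points both `@ IN NS ns` and the SOA MNAME at that alias; an NS or MNAME target must resolve to address records rather than a CNAME (RFC 2181 §10.3), and with more than one entry in `nameservers` the zone would carry several CNAME RRs on the same owner, which is invalid and is rejected by zone checkers. Emit the nameservers directly instead: `@ IN SOA ${head nameservers} admin 1 3600 600 86400 60` and `${concatMapStringsSep "\n" (name: "@ IN NS ${name}") nameservers}`, dropping the CNAME loop. The SOA serial is the constant `1`, so any secondary doing AXFR/IXFR will never see an updated zone; if these files are only ever loaded locally that is harmless, but a comment saying so would help. toRecords also emits `${alias}.` fully qualified, so an alias whose suffix is not the zone's `domain` becomes an out-of-zone record that the server silently drops — filtering the aliases with `hasSuffix ".${domain}"` would make that explicit.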
@@ -0,0 +1,109 @@ +{ pkgs }: + +pkgs.write "certaids" { + "/bin/cert2json".link = pkgs.writeDash "cert2json" '' + # usage: cert2json < CERT > JSON + set -efu + + ${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin | + ${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text | + ${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" '' + function abort(msg) { + print(msg) > "/dev/stderr" + exit 1 + } + + function toJSON(x, type, ret) { + type = typeof(x) + switch (type) { + case "array": + if (isArray(x)) return arrayToJSON(x) + if (isObject(x)) return objectToJSON(x) + abort("cannot render array to JSON", x) + case "number": + return numberToJSON(x) + case "string": + return stringToJSON(x) + case "strnum": + case "unassigned": + case "regexp": + case "untyped": + default: + abort("cannot render type: " type) + } + } + + function isArray(x, i, k) { + i = 1 + for (k in x) { + if (k != i++) return 0 + i++ + } + return 1 + } + + function isObject(x, k) { + for (k in x) { + if (typeof(k) != "string") return 0 + } + return 1 + } + + function arrayToJSON(x, k, ret) { + ret = "[" + for (k in x) { + ret=ret toJSON(x[k]) "," + } + sub(/,$/,"",ret) + ret=ret "]" + return ret + } + + function objectToJSON(x, k,ret) { + ret = "{" + for (k in x) { + ret = ret toJSON(k) ":" toJSON(x[k]) "," + } + sub(/,$/, "", ret) + ret = ret "}" + return ret + } + + function numberToJSON(x) { + return x + } + + function stringToJSON(x) { + gsub(/\\/, "&&",x) + gsub(/\n/, "\\n", x) + return "\"" x "\"" + } + + $1 ~ /^ *(Subject|Issuer):/ { + sub(/^ */, "") + sub(/: */, ",") + key=tolower($1) + sub(/[^,]*,/, "") + + # Normalize separators between relative distinguished names. + # [1]: RFC2253, 3. 
Parsing a String back to a Distinguished Name + # TODO support any distinguished name + gsub(/ *[;,] */, ",") + + for(i = 0; i <= NF; i++) { + split($i, a, "=") + cache[key][a[1]] = a[2] + } + } + + /BEGIN CERTIFICATE/,/END CERTIFICATE/{ + cache["certificate"] = cache["certificate"] $0 "\n" + } + + /END CERTIFICATE/{ + print toJSON(cache) + delete cache + } + ''} + ''; +} diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix index 4d22fdff5..50444c1ee 100644 --- a/tv/2configs/gitrepos.nix +++ b/tv/2configs/gitrepos.nix @@ -109,7 +109,6 @@ let { }; q = {}; reaktor2 = {}; - regfish = {}; stockholm = { cgit.desc = "NixOS configuration"; }; @@ -156,6 +155,7 @@ let { painload = {}; push = {}; Reaktor = {}; + regfish = {}; with-tmpdir = {}; get = {}; load-env = {}; diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index b0acb9435..efea3a844 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -4,22 +4,19 @@ with import <stockholm/lib>; { services.nginx = { + enableReload = true; + recommendedGzipSettings = true; recommendedOptimisation = true; recommendedTlsSettings = true; - virtualHosts._http = { + virtualHosts.${toJSON ""} = { default = true; extraConfig = '' - return 404; - ''; - }; - - virtualHosts.default = { - locations."= /etc/os-release".extraConfig = '' - default_type text/plain; - alias /etc/os-release; + error_page 400 =444 /; + return 444; ''; + rejectSSL = true; }; }; tv.iptables = { diff --git a/tv/5pkgs/override/jc.nix b/tv/5pkgs/override/jc.nix new file mode 100644 index 000000000..346dd3eee --- /dev/null +++ b/tv/5pkgs/override/jc.nix 
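Review bot: stringToJSON escapes only backslashes and newlines, so a Subject or Issuer component containing a double quote (or a tab or other control character) passes straight from the certificate into the output and yields malformed JSON; add `gsub(/"/, "\\\"", x)` beside the existing gsub calls, and ideally a pass for the remaining characters below 0x20. isArray increments `i` twice per element (`k != i++` and then `i++`), so any array with more than one element fails the sequential-index check, and `for (k in x)` order is unspecified in awk anyway; `for (i = 1; i <= length(x); i++) if (!(i in x)) return 0` followed by `return 1` avoids both problems. `abort("cannot render array to JSON", x)` passes two arguments to a one-parameter function, which gawk treats as a fatal error, so that path dies with the wrong message. The loop `for(i = 0; i <= NF; i++)` also splits $0 at i = 0, adding a bogus key that only happens to be overwritten by the later fields; start at 1.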
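Review bot: `virtualHosts.${toJSON ""}` is cryptic: the attribute name is the two-character string `""`, which the nginx module appears to turn into `server_name "";`, the name that matches requests carrying no usable Host header, while `default = true` makes the same block catch every unmatched name. A comment such as `# server_name "" plus default_server: catch-all for unknown or missing Host, closed with 444` would make the 400/444 block readable without knowing that trick. With rejectSSL = true the TLS side is already refused, so this only concerns plaintext requests.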
@@ -0,0 +1,21 @@
+self: super:
+
+let
+ version = "1.21.0";
+in
+
+# Prevent downgrades.
+assert self.lib.versionAtLeast version super.jc.version;
+
+self.python3.pkgs.toPythonApplication
+ (self.python3.pkgs.jc.overrideAttrs
+ (oldAttrs: {
+ name = "jc-${version}";
+ version = version;
+ src = self.fetchFromGitHub {
+ owner = "kellyjonbrazil";
+ repo = "jc";
+ rev = "v${version}";
+ sha256 = "sha256-kS42WokR7ZIqIPi8LbX4tmtjn37tckea2ELbuqzTm2o";
+ };
+ }))
|