-rw-r--r--default.nix2
-rw-r--r--krebs/1systems/ponte/config.nix12
-rw-r--r--krebs/2configs/nameserver.nix4
-rw-r--r--krebs/3modules/github/known-hosts.nix1
-rw-r--r--krebs/3modules/hosts.nix1
-rw-r--r--krebs/3modules/iptables.nix8
-rw-r--r--krebs/3modules/per-user.nix7
-rw-r--r--krebs/3modules/permown.nix6
-rw-r--r--krebs/3modules/reaktor2.nix6
-rw-r--r--krebs/3modules/setuid.nix7
-rw-r--r--krebs/3modules/ssh.nix38
-rw-r--r--krebs/3modules/tinc.nix20
-rw-r--r--krebs/3modules/urlwatch.nix1
-rw-r--r--krebs/3modules/zones.nix3
-rw-r--r--krebs/5pkgs/simple/TabFS/src.json2
-rw-r--r--krebs/5pkgs/simple/airdcpp-webclient/default.nix2
-rw-r--r--krebs/5pkgs/simple/default.nix10
-rw-r--r--krebs/5pkgs/simple/font-size.nix1
-rw-r--r--krebs/5pkgs/simple/git-hooks/default.nix1
-rw-r--r--krebs/5pkgs/simple/gitignore.nix4
-rw-r--r--krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur36
-rw-r--r--lib/default.nix1
-rw-r--r--lib/eval-source.nix3
-rw-r--r--lib/impure.nix3
-rw-r--r--lib/pure.nix4
-rw-r--r--lib/types.nix24
26 files changed, 146 insertions, 61 deletions
diff --git a/default.nix b/default.nix
index 9368dcd9e..45b4f03f6 100644
--- a/default.nix
+++ b/default.nix
@@ -1,7 +1,7 @@
import <nixpkgs/nixos> {} // rec {
lib = import ./lib;
systems = with lib; let
- namespace = getEnv "LOGNAME";
+ namespace = krebs;
systemsDir = <stockholm> + "/${namespace}/1systems";
in
genAttrs
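Review bot: `namespace = krebs;` on the new side is a bare identifier, so Nix resolves it as a variable and evaluation fails with an undefined-variable error unless `lib` (brought in by `with lib;`) happens to define `krebs`; a string literal is almost certainly meant, `namespace = "krebs";`. The unchanged `lib = import ./lib;` on the line above is also broken by this same commit, which deletes `lib/default.nix` and `lib/impure.nix`, leaving no `default.nix` for `import ./lib` to resolve to — it presumably has to become `lib = import ./lib/pure.nix { lib = import <nixpkgs/lib>; };` (the body of the deleted impure.nix) or the deletion has to be reverted. The enclosing `rec` set continues outside the hunk.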
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8bb14d517..5deeb9923 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -8,6 +8,18 @@
<stockholm/krebs/2configs/nameserver.nix>
];
+ #networking.defaultGateway6 = {
+ # address = "fe80::1";
+ # interface = "ens3";
+ #};
+ #networking.interfaces.ens3.ipv6.addresses = [
+ # {
+ # # old: address = "2a03:4000:13:4c::1";
+ # address = "2a03:4000:1a:cf::1"; #/64"
+ # prefixLength = 64;
+ # }
+ #];
+
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.logRefusedConnections = false;
networking.firewall.logRefusedUnicastsOnly = false;
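Review bot: The commented-out IPv6 gateway and address block carries no note saying why it is disabled or when it should be re-enabled, so the next reader cannot tell whether the `2a03:4000:1a:cf::1` address is pending, abandoned, or already configured elsewhere; either delete the block or prefix it with a one-line reason such as `# disabled: <reason — TODO fill in>`. The same unexplained commented-out code appears in the `ExecStartPre` block of krebs/3modules/reaktor2.nix, the `callPackage` block of krebs/5pkgs/simple/default.nix, the `authority` clause in read_uri of krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur, and the trace assert in lib/types.nix. The module attribute set continues outside the hunk.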
diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix
index fb22dc6f9..c394f312d 100644
--- a/krebs/2configs/nameserver.nix
+++ b/krebs/2configs/nameserver.nix
@@ -146,10 +146,14 @@ in {
'';
};
+ #krebs.systemd.services.knot.restartIfCredentialsChange = true;
systemd.services."knsupdate-krebsco.de" = {
serviceConfig = {
Type = "oneshot";
SyslogIdentifier = "knsupdate-krebsco.de";
+ #LoadCredential = [
+ # "keys.conf:/var/src/secrets/knot-keys.conf"
+ #];
ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
set -efu
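Review bot: The commented-out `LoadCredential` for `keys.conf:/var/src/secrets/knot-keys.conf` is left without a reason, so it reads as an abandoned attempt rather than a plan; if the oneshot still reads the key file straight from `/var/src/secrets`, the comment should say why the credential path was not used, e.g. `# LoadCredential disabled: <reason — TODO>`, since handing the key over via `$CREDENTIALS_DIRECTORY` (as krebs/3modules/tinc.nix already does for rsa_key.priv) is what would let the service run without access to the whole secrets directory. The commented `krebs.systemd.services.knot.restartIfCredentialsChange` line references an option whose existence I cannot verify from this diff, so it deserves the same one-line justification. The `ExecStart` script continues outside the hunk.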
diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix
index 3725ff2b8..6f10452e9 100644
--- a/krebs/3modules/github/known-hosts.nix
+++ b/krebs/3modules/github/known-hosts.nix
@@ -8,4 +8,5 @@
;
publicKey = "ssh-rsa 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";
};
+ # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
}
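Review bot: The added ed25519 key is only a comment, so it adds nothing to host verification: the entry still pins just the RSA key, and a client that negotiates ssh-ed25519 with github.com gets no known-hosts match from it. If the intent is to pin it, it needs its own known-hosts entry (presumably a second `programs.ssh.knownHosts` attribute, since each entry carries a single `publicKey`), and the comment should record where the key was obtained and when it was checked against GitHub's published fingerprints. If the intent is only to park it, say so, e.g. `# ed25519 host key, not yet pinned: <source/date — TODO>`.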
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index 51aeefb9f..148b58d14 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -2,7 +2,6 @@
with lib; let
check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers);
- # we need this import because we have infinite recursion otherwise
slib = lib.slib or (import ../../lib/pure.nix { inherit lib; });
in {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 16f1f3c84..1cde42dc3 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -19,6 +19,14 @@ let
api = {
enable = mkEnableOption "iptables";
+ rules4 = mkOption {
+ default = buildTables "v4" cfg.tables;
+ };
+
+ rules6 = mkOption {
+ default = buildTables "v6" cfg.tables;
+ };
+
#tables.filter.INPUT = {
# policy = "DROP";
# rules = [
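Review bot: `rules4` and `rules6` are declared without `type`, `description` or `readOnly`, so a second definition of `krebs.iptables.rules4` elsewhere would hit the untyped merge fallback (which only copes with a single string definition) and `nixos-option` shows no documentation for them. Since both defaults are computed from `cfg.tables` and look like derived output rather than user input, I'd add on each `type = types.lines; readOnly = true; description = "Generated iptables-restore input for IPv4, derived from krebs.iptables.tables.";` (with IPv6 for `rules6`). `types.lines` assumes `buildTables` returns a string, which is defined outside the hunk, so confirm that first.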
diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix
index c0368ee85..f83a29acb 100644
--- a/krebs/3modules/per-user.nix
+++ b/krebs/3modules/per-user.nix
@@ -28,7 +28,12 @@ in {
};
})
(filterAttrs (_: per-user: per-user.packages != []) cfg);
- profiles = ["/etc/per-user/$LOGNAME"];
+
+ # XXX this breaks /etc/pam/environment because $LOGNAME doesn't get
+ # replaced by @{PAM_USER} the way $USER does.
+ # See <nixpkgs/nixos/modules/config/system-environment.nix>
+ #profiles = ["/etc/per-user/$LOGNAME"];
+ profiles = ["/etc/per-user/$USER"];
};
};
}
diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix
index d65ce2a31..51f5cb752 100644
--- a/krebs/3modules/permown.nix
+++ b/krebs/3modules/permown.nix
@@ -73,6 +73,12 @@ with lib; {
pkgs.findutils
pkgs.inotify-tools
];
+ # TODO
+ # der code könnte aber bisschen vorbereitet werden, damit man später einfach file-modes einbauen kann
+ # die drei finds müssten zu `find "$ROOT_PATH" -exec ${permown}` {} \;` werden
+ # und der while-block zu:
+ # ${permown} "$path" (egal ob vor oder nach dem if test -d)
+ # und dann müsste man danach nur das permown script bearbeiten
serviceConfig = {
ExecStart = pkgs.writeDash "permown" ''
set -efu
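Review bot: The added TODO is written in German while the rest of this file and the other comments in this diff are in English, so I'd translate it so every maintainer can act on it. Roughly: TODO prepare the code for file modes — turn the three finds into a single find over "$ROOT_PATH" with -exec of the permown script, have the while loop call the permown script with "$path" (before or after the test -d check does not matter), so that later only that script needs editing. The `${permown}` it refers to is not defined anywhere in the hunk, so the note should also say it is a script still to be written. The `serviceConfig` block continues outside the hunk.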
diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix
index b977df99a..d552178f9 100644
--- a/krebs/3modules/reaktor2.nix
+++ b/krebs/3modules/reaktor2.nix
@@ -69,6 +69,12 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
Group = "reaktor2";
DynamicUser = true;
StateDirectory = cfg.username;
+ #ExecStartPre = [
+ # (pkgs.writeDash "test-dynamic-user" ''
+ # set -efux
+ # ${pkgs.coreutils}/bin/id
+ # '')
+ #];
ExecStart = let
configFile = pkgs.writers.writeJSON configFileName configValue;
configFileName = "${cfg.systemd-service-name}.config.json";
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index ce41548ae..d13fcccaa 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -33,7 +33,7 @@ let
};
capabilities = mkOption {
default = [];
- type = types.listOf types.str;
+ type = types.listOf types.str; # TODO
};
owner = mkOption {
default = "root";
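Review bot: The bare `# TODO` appended to `type = types.listOf types.str;` gives no hint what is wrong with the type, so a reader cannot tell whether validation, a rename or something else is planned. Given that each entry is later joined with `,` and passed to `setcap` (the `${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities}` line further down this file), the visible gap is that `types.str` accepts strings setcap will only reject at activation time; I'd write `# TODO validate entries against setcap's capability syntax, e.g. with types.strMatching` so the intent survives. The option set continues outside the hunk.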
@@ -52,6 +52,8 @@ let
merge = mergeOneOption;
};
};
+ # TODO clear non-standard wrapperDirs
+ # TODO? allow only wrapperDirs below /run/wrappers?
wrapperDir = mkOption {
default = config.security.wrapperDir;
type = types.absolute-pathname;
@@ -73,13 +75,16 @@ let
chown ${cfg.owner}:${cfg.group} ${dst}
chmod ${cfg.mode} ${dst}
${optionalString (cfg.capabilities != []) /* sh */ ''
+ set -x
${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+ set +x
''}
'';
}));
};
imp = {
+ # run after "wrappers" so config.security.wrapperDir can be hijacked.
systemd.services."krebs.setuid" = {
wantedBy = [ "suid-sgid-wrappers.service" ];
after = [ "suid-sgid-wrappers.service" ];
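Review bot: `set -x` / `set +x` around the setcap call is debugging trace left in the activation script: every run now logs the expanded command to the journal, and if the script runs under `set -e` (its header is outside the hunk) a failing setcap skips `set +x` altogether. Either drop the pair or say why it stays, e.g. `# trace setcap so capability failures are visible in the journal`. The new comment `run after "wrappers" so config.security.wrapperDir can be hijacked.` should also spell out what is meant — presumably that this service intentionally replaces entries in the NixOS wrapper directory after suid-sgid-wrappers.service has populated it — since "hijacked" reads like a threat note rather than a design intent. The `imp` set continues outside the hunk.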
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index aba825c29..012b365fb 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -62,24 +62,26 @@ let
}
]));
- programs.ssh.extraConfig = concatMapStrings
- (net: ''
- Host ${toString (net.aliases ++ net.addrs)}
- Port ${toString net.ssh.port}
- '')
- (filter
- (net: net.ssh.port != 22)
- (concatMap (host: attrValues host.nets)
- (mapAttrsToList
- (_: host: recursiveUpdate host
- (optionalAttrs (cfg.dns.search-domain != null &&
- hasAttr cfg.dns.search-domain host.nets) {
- nets."" = host.nets.${cfg.dns.search-domain} // {
- aliases = [host.name];
- addrs = [];
- };
- }))
- config.krebs.hosts)));
+ programs.ssh.extraConfig =
+ mkBefore/*<-KILLME*/
+ (concatMapStrings
+ (net: ''
+ Host ${toString (net.aliases ++ net.addrs)}
+ Port ${toString net.ssh.port}
+ '')
+ (filter
+ (net: net.ssh.port != 22)
+ (concatMap (host: attrValues host.nets)
+ (mapAttrsToList
+ (_: host: recursiveUpdate host
+ (optionalAttrs (cfg.dns.search-domain != null &&
+ hasAttr cfg.dns.search-domain host.nets) {
+ nets."" = host.nets.${cfg.dns.search-domain} // {
+ aliases = [host.name];
+ addrs = [];
+ };
+ }))
+ config.krebs.hosts))));
}
];
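Review bot: `mkBefore/*<-KILLME*/` records neither why the generated `Host`/`Port` entries must precede the rest of `programs.ssh.extraConfig` nor what condition would let the marker go, so the next reader can neither remove it safely nor keep it knowingly. I'd replace the marker with a proper comment, e.g. `# mkBefore: ssh_config uses the first matching Host stanza, so these per-net Port lines must precede any catch-all Host * block elsewhere in extraConfig. TODO drop once no such block exists.` — the first-match reading is mine from ssh_config(5), so confirm it is the actual reason. The surrounding function continues outside the hunk.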
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 02b3eeb9d..65f4f6a2b 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -1,5 +1,6 @@
-{ config, pkgs, lib, ... }:
-with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
+{ config, pkgs, lib, ... }: let
+ slib = lib.slib or (import ../../lib/pure.nix { inherit lib; });
+in with slib; {
options.krebs.tinc = mkOption {
default = {};
description = ''
@@ -235,13 +236,14 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
"$CREDENTIALS_DIRECTORY"/rsa_key.priv \
/etc/tinc/${netname}/
'';
- ExecStart = "+" + toString [
- "${cfg.tincPackage}/sbin/tincd"
- "-D"
- "-U ${cfg.username}"
- "-d 0"
- "-n ${netname}"
- ];
+ ExecStart = "+" + pkgs.writers.writeDash "tinc-${netname}" ''
+ set -efu
+ exec ${cfg.tincPackage}/sbin/tincd \
+ -D \
+ -U ${cfg.username} \
+ -d 0 \
+ -n ${netname}
+ '';
SyslogIdentifier = netname;
DynamicUser = true;
User = cfg.username;
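Review bot: `${cfg.username}` and `${netname}` are interpolated unquoted into the new dash script, so a value containing whitespace or shell metacharacters would be word-split before reaching tincd; the previous `toString` list form had the same exposure, so nothing gets worse, but now that the command is real shell the fix is cheap: `-U ${shell.escape cfg.username} \` and `-n ${shell.escape netname}`, using the `shell.escape` helper that krebs/3modules/setuid.nix already applies to setcap arguments (assuming `with slib;` brings it into scope here). The `"+"` prefix means this script itself runs with full privileges despite `DynamicUser = true`, which deserves a one-line comment above `ExecStart`, e.g. `# "+": start as root; tincd drops to cfg.username itself via -U`. The service definition continues outside the hunk.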
diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix
index 8d3bdfbe0..b2c264a06 100644
--- a/krebs/3modules/urlwatch.nix
+++ b/krebs/3modules/urlwatch.nix
@@ -214,6 +214,7 @@ let
};
filter = mkOption {
default = null;
+ # TODO nullOr subtypes.filter
type =
with types;
nullOr (either str (listOf (pkgs.formats.json {}).type));
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 51e559d88..6ac2ebac2 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -10,7 +10,8 @@ with lib; {
default = {
"krebsco.de" = /* bindzone */ ''
$TTL 60
- @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+ @ IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+
@ 3600 IN NS ns1
@ 3600 IN NS ni
@ 3600 IN NS ns2.he.net.
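Review bot: Dropping the explicit `3600` from the SOA record makes it inherit the zone default `$TTL 60` two lines above, and per RFC 2308 the negative-caching TTL is the smaller of the SOA TTL and the SOA minimum field (3600 here), so NXDOMAIN answers for krebsco.de are now cacheable for only 60 s instead of 3600 s. If the shorter negative cache is intended (e.g. because of the dynamic updates via knsupdate), say so in a comment; otherwise keep `@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600`. The NS records below keep their explicit 3600, which suggests the SOA change may be unintentional. The zone string continues outside the hunk.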
diff --git a/krebs/5pkgs/simple/TabFS/src.json b/krebs/5pkgs/simple/TabFS/src.json
index 24e36aef3..931c9ecb8 100644
--- a/krebs/5pkgs/simple/TabFS/src.json
+++ b/krebs/5pkgs/simple/TabFS/src.json
@@ -1,8 +1,6 @@
{
"url": "https://cgit.krebsco.de/TabFS",
"rev": "a6045e0e29b85e3e66c468f3561009ded1db6ec5",
- "date": "2021-01-14T23:56:09+01:00",
- "path": "/nix/store/mbcywm1yq5vr7awxqb533faz34minfax-TabFS",
"sha256": "1z0kj95zh0jl8laa0whra1jys8pws3199sy29vmlv2nxrkz13blv",
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/5pkgs/simple/airdcpp-webclient/default.nix b/krebs/5pkgs/simple/airdcpp-webclient/default.nix
index 754fecf9c..f4634b595 100644
--- a/krebs/5pkgs/simple/airdcpp-webclient/default.nix
+++ b/krebs/5pkgs/simple/airdcpp-webclient/default.nix
@@ -4,7 +4,7 @@
stdenv.mkDerivation rec {
name = "airdcpp-webclient-${version}";
version = "2.3.0";
-
+
src = fetchurl {
url = http://web-builds.airdcpp.net/stable/airdcpp_2.3.0_webui-2.3.0_64-bit_portable.tar.gz;
sha256 = "0yvcl0nc70fghc7vfsgvbpryi5q97arld8adql4way4qa0mdnyv1";
diff --git a/krebs/5pkgs/simple/default.nix b/krebs/5pkgs/simple/default.nix
index a07e88c3b..e0b9ffdae 100644
--- a/krebs/5pkgs/simple/default.nix
+++ b/krebs/5pkgs/simple/default.nix
@@ -13,5 +13,15 @@ let
lib.compareVersions upstream.name override.name != -1
then lib.trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
else override;
+
+ ## This callPackage will try to detect obsolete overrides.
+ #callPackage = path: args: let
+ # pname = (parseDrvName override.name).name;
+ # override = self.callPackage path args;
+ # upstream = super.${pname} or { name = ""; };
+ #in
+ # override.overrideAttrs (old: {
+ # name = warnOldVersion upstream.name old.name;
+ # });
in
lib.mapNixDir (path: callPackage path {}) ./.
diff --git a/krebs/5pkgs/simple/font-size.nix b/krebs/5pkgs/simple/font-size.nix
index 21097ed6a..829325192 100644
--- a/krebs/5pkgs/simple/font-size.nix
+++ b/krebs/5pkgs/simple/font-size.nix
@@ -1,3 +1,4 @@
+# TODO kill me in favor of urxvt-resize-font
{ writeDashBin }:
writeDashBin "font-size" ''
set -efu
diff --git a/krebs/5pkgs/simple/git-hooks/default.nix b/krebs/5pkgs/simple/git-hooks/default.nix
index 51b4babfc..fe159c833 100644
--- a/krebs/5pkgs/simple/git-hooks/default.nix
+++ b/krebs/5pkgs/simple/git-hooks/default.nix
@@ -114,6 +114,7 @@ with stockholm.lib;
git diff --stat $id2..$id \
| sed '$!s/\(+*\)\(-*\)$/'$(green '\1')$(red '\2')'/'
)"
+ echo "$(red "$message")"
''}
done
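Review bot: `echo "$(red "$message")"` misbehaves when `$message` starts with `-n` or `-e` or contains backslash sequences, because dash's echo interprets both (the surrounding file is built with `writeDash`-style helpers, so that is the likely interpreter); `printf '%s\n' "$(red "$message")"` prints the value verbatim. If `red` already prints its argument with a trailing newline, the subshell is unnecessary and `red "$message"` alone is enough — `red` is defined outside the hunk, so I cannot tell which. The loop body continues outside the hunk.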
diff --git a/krebs/5pkgs/simple/gitignore.nix b/krebs/5pkgs/simple/gitignore.nix
index b7a9f7eb5..50c8d6190 100644
--- a/krebs/5pkgs/simple/gitignore.nix
+++ b/krebs/5pkgs/simple/gitignore.nix
@@ -1,4 +1,4 @@
-{ pkgs, writeDash }:
+{ pkgs, writeDashBin }:
/* gitignore - Filter for intentionally untracked lines or blocks of code
@@ -34,7 +34,7 @@ Installation:
[2]: For more information about assigning filters see gitattributes(5).
*/
-writeDash "gitignore" ''
+writeDashBin "gitignore" ''
exec ${pkgs.gnused}/bin/sed '
/#gitignore-begin/,/#gitignore-end/d
/#gitignore/d
diff --git a/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur b/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur
index 696d1c00d..bdfb3eb61 100644
--- a/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur
+++ b/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur
@@ -1,3 +1,4 @@
+# TODO dedup with paste
find_item() {
if test ${#1} -ge 7; then
set -- "$(find "$STATEDIR/items" -mindepth 1 -maxdepth 1 \
@@ -58,6 +59,9 @@ read_uri() {
$uri |
capture("^((?<scheme>[^:]*):)?(//(?<authority>[^/]*))?(?<path>[^?#]*)([?](?<query>[^#]*))?([#](?<fragment>.*))?$") |
. + {
+ #authority: (.authority | if . != null then
+ # capture("^((?<userinfo>[^@]*)@)?(?<host>[^:]*)(:(?<port>.*))?$")
+ #else . end),
query: (.query | if . != null then
split("&") |
map(split("=") | {key:.[0],value:.[1]}) |
@@ -141,26 +145,26 @@ case "$Method $path" in
description: $uri.query.description,
datetime: now,
type: $info["MIME type"],
- animated: false,
+ animated: false, # TODO
width: $info.width,
height: $info.height,
size: $info.size,
- views: 0,
- bandwidth: 0,
- vote: null,
- favorite: false,
- nsfw: null,
- section: null,
- account_url: null,
- acount_id: 0,
- is_ad: false,
- is_most_viral: false,
- tags: [],
- ad_type: 0,
- ad_url: "",
- in_gallery: false,
+ views: 0, # TODO
+ bandwidth: 0, # TODO
+ vote: null, # TODO
+ favorite: false, # TODO
+ nsfw: null, # TODO
+ section: null, # TODO
+ account_url: null, # TODO
+ acount_id: 0, # TODO
+ is_ad: false, # TODO
+ is_most_viral: false, # TODO
+ tags: [], # TODO
+ ad_type: 0, # TODO
+ ad_url: "", # TODO
+ in_gallery: false, # TODO
deletehash: @uri "\($id)?deletehash=\($deletehash)",
- name: "",
+ name: "", # TODO
link: $link,
}
')
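Review bot: `acount_id: 0, # TODO` on the new side keeps the misspelled key while touching the line; the sibling `account_url` is spelled correctly, so this is presumably meant to be `account_id: 0, # TODO`, and any consumer reading the imgur-style response will not find the field under the typo. The run of per-line `# TODO` markers also does not say what is missing — one comment above the object, e.g. `# TODO fields below are static placeholders (view/vote/gallery state is not tracked)`, would carry more information than fifteen identical tags. The `case "$Method $path"` block continues outside the hunk.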
diff --git a/lib/default.nix b/lib/default.nix
deleted file mode 100644
index f9f2f1579..000000000
--- a/lib/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-import ./impure.nix
diff --git a/lib/eval-source.nix b/lib/eval-source.nix
index ff853185b..93320a218 100644
--- a/lib/eval-source.nix
+++ b/lib/eval-source.nix
@@ -1,4 +1,5 @@
-with import <stockholm/lib>;
+{ lib }:
+with lib;
let
eval = _file: source: evalModules {
modules = singleton {
diff --git a/lib/impure.nix b/lib/impure.nix
deleted file mode 100644
index 3f95c375f..000000000
--- a/lib/impure.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import ./pure.nix {
- lib = import <nixpkgs/lib>;
-}
diff --git a/lib/pure.nix b/lib/pure.nix
index 3fe51cd54..6b5f229e6 100644
--- a/lib/pure.nix
+++ b/lib/pure.nix
@@ -9,7 +9,7 @@ let
};
in filterAttrsRecursive (name: _: !hasPrefix "_" name) eval.config;
- evalSource = import ./eval-source.nix;
+ evalSource = import ./eval-source.nix { lib = stockholm.lib; };
evalSubmodule = submodule: modules: let
prefix = ["evalSubmodule"];
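Review bot: `{ lib = stockholm.lib; }` relies on a `stockholm` binding inside lib/pure.nix that is not visible in this hunk; the callers in this diff invoke the file as `import ../../lib/pure.nix { inherit lib; }`, so if `stockholm` is not defined in pure.nix's own `let`, `{ inherit lib; }` (the `lib` pure.nix itself receives) is what is meant. A one-line comment on why eval-source.nix now takes `lib` explicitly would also help, e.g. `# eval-source.nix can no longer use <stockholm/lib>: lib/default.nix was removed`, since that file and lib/impure.nix are deleted in the same commit. The `let` block continues outside the hunk.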
@@ -37,7 +37,7 @@ let
eq = x: y: x == y;
ne = x: y: x != y;
- mod = x: y: x - y * (x / y);
+ #mod = x: y: x - y * (x / y);
on = b: u: x: y: b (u x) (u y);
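Review bot: Commenting out `mod` silently removes a function from the library set, and nothing in the hunk says whether callers were checked. If it is unused, delete the line rather than keep it as a comment; if it is being replaced by nixpkgs' own `lib.mod`, say so, e.g. `# mod: use lib.mod from nixpkgs`. The `let` block continues outside the hunk.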
diff --git a/lib/types.nix b/lib/types.nix
index ad8421b18..f0165c523 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -1,5 +1,4 @@
{ lib, ... }:
-
let
inherit (lib)
all any attrNames concatMapStringsSep concatStringsSep const filter flip
@@ -198,9 +197,32 @@ rec {
};
tinc = mkOption {
type = let net = config; in nullOr (submodule ({ config, ... }: {
+ config = {
+ config =
+ #assert (with builtins; trace "xxxxxx ${toJSON config.subnets}" true);
+ concatStringsSep "\n" (
+ (optionals (net.via != null)
+ (map (a: "Address = ${a} ${toString config.port}") net.via.addrs))
+ ++
+ (map (a: "Subnet = ${a}") config.subnets)
+ ++
+ (map (a: "Subnet = ${a}") net.addrs)
+ ++
+ [config.extraConfig]
+ ++
+ [config.pubkey]
+ ++
+ optional (config.pubkey_ed25519 != null) ''
+ Ed25519PublicKey = ${config.pubkey_ed25519}
+ ''
+ ++
+ optional (config.weight != null) "Weight = ${toString config.weight}"
+ );
+ };
options = {
config = mkOption {
type = str;
+ # TODO: readOnly = true;
default = concatStringsSep "\n" (
(optionals (net.via != null)
(map (a: "Address = ${a} ${toString config.port}") net.via.addrs))
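Review bot: `config.config = concatStringsSep "\n" (...)` in the new `config` block duplicates the expression that is still given as `default` of the `config` option a few lines below, so the same tinc host stanza is built twice and the two copies can drift apart. If the value is meant to be fully derived (the `# TODO: readOnly = true;` suggests so), drop the `default`, set `readOnly = true;` on the option and keep the `config.config` assignment; otherwise drop the new `config` block. The commented `#assert (with builtins; trace "xxxxxx ...` line is leftover debugging and should go. The submodule continues outside the hunk.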