Diffstat (limited to 'krebs/3modules')
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/exim-retiolum.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 63 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 6 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/nginx.nix | 59 | ||||
-rw-r--r-- | krebs/3modules/os-release.nix | 28 |
7 files changed, 148 insertions, 19 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 186469e97..bdd9049cb 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -23,6 +23,7 @@ let
 ./lib.nix
 ./nginx.nix
 ./nixpkgs.nix
+ ./os-release.nix
 ./per-user.nix
 ./Reaktor.nix
 ./realwallpaper.nix
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 6e6928f89..696c48baf 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -39,6 +39,8 @@ let
 # TODO modular configuration
 assert config.krebs.retiolum.enable;
 ''
+ keep_environment =
+
 primary_hostname = ${cfg.primary_hostname}
 domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
 domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index c976e89de..cee10ce7d 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -12,6 +12,29 @@ let
 api = {
 enable = mkEnableOption "krebs.exim-smarthost";
+ dkim = mkOption {
+ type = types.listOf (types.submodule ({ config, ... }: {
+ options = {
+ domain = mkOption {
+ type = types.str;
+ };
+ private_key = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "/run/krebs.secret/${config.domain}.dkim_private_key";
+ owner.name = "exim";
+ source-path = toString <secrets> + "/${config.domain}.dkim.priv";
+ };
+ };
+ selector = mkOption {
+ type = types.str;
+ default = "default";
+ };
+ };
+ }));
+ default = [];
+ };
+
 internet-aliases = mkOption {
 type = types.listOf (types.submodule ({
 options = {
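Review bot: The added `keep_environment =` in the exim-retiolum config carries no comment explaining why an empty value is wanted, and the identical bare line is added to exim-smarthost.nix in this same commit. An empty `keep_environment` makes Exim pass none of its inherited environment on to the programs it spawns, which is a hardening measure (and, as far as I recall, recent Exim releases warn at startup when the option is left unset), so the intent deserves to be recorded next to the line. I'd put `# Pass no inherited environment to spawned programs (empty on purpose).` above it in both files.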
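Review bot: `dkim.domain` is a bare `types.str` yet it is spliced into two filesystem paths in the `private_key` default (`/run/krebs.secret/${config.domain}.dkim_private_key` and `<secrets>/${config.domain}.dkim.priv`) and, further down in this commit, used as an lsearch key, so a value containing `/`, `..`, `:` or whitespace yields a wrong path or a broken lookup table without any error. The value comes from the host's own configuration rather than from the network, so this is a foot-gun rather than an exposure, but a narrower type catches it at evaluation time, e.g. `type = types.addCheck types.str (s: match "[A-Za-z0-9.-]+" s != null);` (assuming `builtins.match` is available in the Nix version in use). None of the three new options has a `description`; `private_key` at least should state that the default expects `<secrets>/<domain>.dkim.priv` and that the file mode is whatever `types.secret-file` defaults to, which isn't visible in this hunk and is worth confirming to be owner-read-only.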
@@ -72,9 +95,21 @@ let
 };
 imp = {
+ krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
+ name = "exim.dkim_private_key/${dkim.domain}";
+ value = dkim.private_key;
+ }));
+ systemd.services = mkIf (cfg.dkim != []) {
+ exim = {
+ after = [ "secret.service" ];
+ requires = [ "secret.service" ];
+ };
+ };
 services.exim = {
 enable = true;
 config = ''
+ keep_environment =
+
 primary_hostname = ${cfg.primary_hostname}
 # HOST_REDIR contains the real destinations for "local_domains".
@@ -191,6 +226,12 @@ let
 remote_smtp:
 driver = smtp
+ ${optionalString (cfg.dkim != []) ''
+ dkim_canon = relaxed
+ dkim_domain = $sender_address_domain
+ dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
+ dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
+ ''}
 helo_data = ''${if eq{$acl_m_special_dom}{} \
 {$primary_hostname} \
 {$acl_m_special_dom} }
@@ -219,12 +260,20 @@ let
 };
- lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) {
+ lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) ({
 inherit (cfg) internet-aliases;
 inherit (cfg) system-aliases;
- };
-
- to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}");
-
-in
-out
+ } // optionalAttrs (cfg.dkim != []) {
+ dkim_private_key = flip map cfg.dkim (dkim: {
+ from = dkim.domain;
+ to = dkim.private_key.path;
+ });
+ dkim_selector = flip map cfg.dkim (dkim: {
+ from = dkim.domain;
+ to = dkim.selector;
+ });
+ });
+
+ to-lsearch = concatMapStrings ({ from, to, ... }: "${from}: ${to}\n");
+
+in out
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 0cc2f11c9..d2d73ba3d 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -400,7 +400,7 @@ let
 #! /bin/sh
 set -euf
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
 coreutils
 git
 gnugrep
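Review bot: `dkim_domain = $sender_address_domain` signs with the envelope-sender domain, whereas receivers evaluating DMARC compare the signature's `d=` against the RFC 5322 From: header domain, so whenever the two differ (forwarded or list traffic, a local user sending with a different From:) the message is signed but not aligned; and when the domain is absent from the lsearch file the `lookup` expands to empty and Exim sends unsigned with no diagnostic. Whether envelope-based signing is the intended policy is not visible here; if it is, a comment on the `dkim_domain` line should say so, otherwise deriving it from the header, `dkim_domain = ${domain:$h_from:}` in Exim syntax (written as `''${` inside the Nix string like the neighbouring lines), keeps the signature aligned. The `remote_smtp` transport continues outside the hunk.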
@@ -451,7 +451,7 @@ let
 #! /bin/sh
 set -euf
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
 coreutils
 findutils
 gawk
@@ -511,7 +511,7 @@ let
 #! /bin/sh
 set -euf
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
 coreutils # env
 git
 systemd
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 4bf10ac56..6220a2d6f 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -19,6 +19,7 @@ with config.krebs.lib;
 addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"];
 aliases = [
 "dishfire.retiolum"
+ "dishfire.r"
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -52,6 +53,7 @@ with config.krebs.lib;
 "echelon.retiolum"
 "cgit.echelon.retiolum"
 "go.retiolum"
+ "go.r"
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -83,6 +85,7 @@ with config.krebs.lib;
 addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"];
 aliases = [
 "prism.retiolum"
+ "prism.r"
 "cgit.prism.retiolum"
 ];
 tinc.pubkey = ''
@@ -114,6 +117,7 @@ with config.krebs.lib;
 addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"];
 aliases = [
 "fastpoke.retiolum"
+ "fastpoke.r"
 "cgit.fastpoke.retiolum"
 ];
 tinc.pubkey = ''
@@ -144,6 +148,7 @@ with config.krebs.lib;
 addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"];
 aliases = [
 "cloudkrebs.retiolum"
+ "cloudkrebs.r"
 "cgit.cloudkrebs.retiolum"
 ];
 tinc.pubkey = ''
@@ -173,6 +178,7 @@ with config.krebs.lib;
 addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"];
 aliases = [
 "uriel.retiolum"
+ "uriel.r"
 "cgit.uriel.retiolum"
 ];
 tinc.pubkey = ''
@@ -203,6 +209,7 @@ with config.krebs.lib;
 addrs6 = ["42:0:0:0:0:0:0:dea7"];
 aliases = [
 "mors.retiolum"
+ "mors.r"
 "cgit.mors.retiolum"
 ];
 tinc.pubkey = ''
@@ -229,6 +236,7 @@ with config.krebs.lib;
 addrs6 = ["42:0:0:0:0:0:0:7105"];
 aliases = [
 "helios.retiolum"
+ "helios.r"
 "cgit.helios.retiolum"
 ];
 tinc.pubkey = ''
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index ec39715d8..196a6eae7 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -39,6 +39,34 @@ let
 type = with types; string;
 default = "";
 };
+ ssl = mkOption {
+ type = with types; submodule ({
+ options = {
+ enable = mkEnableOption "ssl";
+ certificate = mkOption {
+ type = str;
+ };
+ certificate_key = mkOption {
+ type = str;
+ };
+ #TODO: check for valid cipher
+ ciphers = mkOption {
+ type = str;
+ default = "AES128+EECDH:AES128+EDH";
+ };
+ prefer_server_ciphers = mkOption {
+ type = bool;
+ default = true;
+ };
+ protocols = mkOption {
+ type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
+ default = [ "TLSv1.1" "TLSv1.2" ];
+
+ };
+ };
+ });
+ default = {};
+ };
 };
 });
 default = {};
@@ -49,7 +77,6 @@ let
 services.nginx = {
 enable = true;
 httpConfig = ''
- include ${pkgs.nginx}/conf/mime.types;
 default_type application/octet-stream;
 sendfile on;
 keepalive_timeout 65;
@@ -73,14 +100,28 @@ let
 }
 '';
- to-server = { server-names, listen, locations, extraConfig, ... }: ''
- server {
- ${concatMapStringsSep "\n" (x: "listen ${x};") listen}
- server_name ${toString server-names};
- ${indent extraConfig}
- ${indent (concatMapStrings to-location locations)}
- }
- '';
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }:
+ let
+ _extraConfig = if ssl.enable then
+ extraConfig + ''
+ ssl_certificate ${ssl.certificate};
+ ssl_certificate_key ${ssl.certificate_key};
+ ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ ''
+ else
+ extraConfig
+ ;
+
+ in ''
+ server {
+ ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")}
+ server_name ${toString server-names};
+ ${indent _extraConfig}
+ ${indent (concatMapStrings to-location locations)}
+ }
+ '';
 in out
diff --git a/krebs/3modules/os-release.nix b/krebs/3modules/os-release.nix
new file mode 100644
index 000000000..4c803fff8
--- /dev/null
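Review bot: The `protocols` enum lets a host configuration select `SSLv2` and `SSLv3`, both of which are broken and should not be selectable at all in a module meant to produce safe server blocks; restricting the enum to the TLS versions, `type = listOf (enum [ "TLSv1" "TLSv1.1" "TLSv1.2" ]);`, removes the misconfiguration without changing the default. The `ciphers` default `AES128+EECDH:AES128+EDH` only admits forward-secret suites, which is fine, but the `#TODO: check for valid cipher` line is the option's only documentation; a `description` stating that the string is passed verbatim to nginx's `ssl_ciphers` would help whoever overrides it. There is also a stray blank line before the closing `};` of `protocols`.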
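Review bot: Removing `include ${pkgs.nginx}/conf/mime.types;` from `httpConfig` means every response falls back to `default_type application/octet-stream` unless the NixOS `services.nginx` module injects the mime.types include itself, which this diff does not show; if it does not, HTML and CSS would be served as downloads. This is worth confirming against the nginx module of the nixpkgs revision in use, and a one-line comment next to `default_type`, `# mime.types is included by services.nginx itself`, would record the assumption for the next reader.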
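Review bot: When `ssl.enable` is set, `to-server` appends `443 ssl` to `listen` but keeps every pre-existing plaintext listener, so the same locations stay reachable over HTTP with no redirect, while a config author may well read `ssl.enable` as making the vhost HTTPS-only. If serving both is intended, a comment on the `listen ++ optional ssl.enable "443 ssl"` line should say so; otherwise the plain listeners should be dropped or paired with a redirecting server block. As a point of style, the `_extraConfig` binding, the `if`/`else` and the lone `;` line can be collapsed into `${indent (extraConfig + optionalString ssl.enable ''…'')}`, which keeps the string building in a single expression.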
+++ b/krebs/3modules/os-release.nix
@@ -0,0 +1,28 @@
+{ config, ... }:
+with config.krebs.lib;
+let
+ nixos-version-id = "${config.system.nixosVersion}";
+ nixos-version = "${nixos-version-id} (${config.system.nixosCodeName})";
+ nixos-pretty-name = "NixOS ${nixos-version}";
+
+ stockholm-version-id = maybeEnv "STOCKHOLM_VERSION" "unknown";
+ stockholm-version = "${stockholm-version-id}";
+ stockholm-pretty-name = "stockholm ${stockholm-version}";
+
+ version = "${stockholm-version}/${nixos-version}";
+ version-id = "${stockholm-version-id}/${nixos-version-id}";
+ pretty-name = "${stockholm-pretty-name} / ${nixos-pretty-name}";
+
+ home-url = http://cgit.cd.krebsco.de/stockholm;
+in
+{
+ # http://0pointer.de/public/systemd-man/os-release.html
+ environment.etc."os-release".text = mkForce ''
+ NAME="stockholm/NixOS"
+ ID=stockholm
+ VERSION="${version}"
+ VERSION_ID="${version-id}"
+ PRETTY_NAME="${pretty-name}"
+ HOME_URL="${home-url}"
+ '';
+} |
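Review bot: The values interpolated into the double-quoted fields — `STOCKHOLM_VERSION` read from the build environment via `maybeEnv`, and `config.system.nixosCodeName` — land in /etc/os-release unescaped, and os-release is parsed as shell-style assignments, so a `"`, `\` or `$` in any of them breaks the quoting for every consumer that sources the file. I'd pass each value through an escape for `"` and `\` before interpolation, e.g. `escape [ "\"" "\\" ] version`, or assert that it matches `[A-Za-z0-9 ./()_-]+`, so a bad environment fails the build instead of producing a malformed file. Separately, `ID=stockholm` (forced over the NixOS-generated file by `mkForce`) means tools keying on `ID=nixos` no longer recognise the host; adding `ID_LIKE=nixos` is worth considering, and a comment above the `mkForce` explaining why the distribution file is overridden would help.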