diff options
Diffstat (limited to 'krebs/3modules')
33 files changed, 95 insertions, 59 deletions
diff --git a/krebs/3modules/airdcpp.nix b/krebs/3modules/airdcpp.nix index acd007cb8..901b1eb87 100644 --- a/krebs/3modules/airdcpp.nix +++ b/krebs/3modules/airdcpp.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: with lib; let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); cfg = config.krebs.airdcpp; out = { diff --git a/krebs/3modules/announce-activation.nix b/krebs/3modules/announce-activation.nix index fa0f1530c..1c4067e7a 100644 --- a/krebs/3modules/announce-activation.nix +++ b/krebs/3modules/announce-activation.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); cfg = config.krebs.announce-activation; announce-activation = pkgs.writeDash "announce-activation" '' set -efu diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 900be5139..2be3a1422 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let out = { options.krebs.backup = api; diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix index a3acf83cf..e7847aa09 100644 --- a/krebs/3modules/brockman.nix +++ b/krebs/3modules/brockman.nix @@ -1,7 +1,7 @@ { pkgs, config, lib, ... }: with lib; let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); cfg = config.krebs.brockman; in { options.krebs.brockman = { diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index bf20cb099..6480c300f 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { options.krebs.build = { diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix index 5035a11a8..1f029276a 100644 --- a/krebs/3modules/ci/default.nix +++ b/krebs/3modules/ci/default.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.ci; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix index a268b931c..fd672a890 100644 --- a/krebs/3modules/dns.nix +++ b/krebs/3modules/dns.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; { +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { options = { krebs.dns.providers = mkOption { type = types.attrsOf types.str; diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index f78f1746c..b5f8d187a 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,5 +1,5 @@ { config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; let +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.exim-retiolum; # Due to improvements to the JSON notation, braces around top-level objects diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 4e42ce72e..14963f472 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.exim-smarthost; diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 583fd07b1..bb749b273 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: with import ../../lib/pure.nix { inherit lib; }; let +{ config, lib, pkgs, ... }: with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.exim; in { options.krebs.exim = { diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 6d666b6d6..8b8f205dc 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -6,7 +6,7 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.git; diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix index 3725ff2b8..6f10452e9 100644 --- a/krebs/3modules/github/known-hosts.nix +++ b/krebs/3modules/github/known-hosts.nix @@ -8,4 +8,5 @@ ; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="; }; + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl } diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix index 2333d0a8d..148b58d14 100644 --- a/krebs/3modules/hosts.nix +++ b/krebs/3modules/hosts.nix @@ -2,8 +2,7 @@ with lib; let check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers); - # we need this import because we have infinite recursion otherwise - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in { options = { diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix index 334a83cb3..020b3eaea 100644 --- a/krebs/3modules/htgen.nix +++ b/krebs/3modules/htgen.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let optionalAttr = name: value: if name != null then diff --git a/krebs/3modules/iana-etc.nix b/krebs/3modules/iana-etc.nix index dabe2f8aa..8858c6ed5 100644 --- a/krebs/3modules/iana-etc.nix +++ b/krebs/3modules/iana-etc.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in with lib; { options.krebs.iana-etc.services = mkOption { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 16f1f3c84..1cde42dc3 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -19,6 +19,14 @@ let api = { enable = mkEnableOption "iptables"; + rules4 = mkOption { + default = buildTables "v4" cfg.tables; + }; + + rules6 = mkOption { + default = buildTables "v6" cfg.tables; + }; + #tables.filter.INPUT = { # policy = "DROP"; # rules = [ diff --git a/krebs/3modules/konsens.nix b/krebs/3modules/konsens.nix index 0463de53f..b71cb2ba9 100644 --- a/krebs/3modules/konsens.nix +++ b/krebs/3modules/konsens.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.konsens; diff --git a/krebs/3modules/on-failure.nix b/krebs/3modules/on-failure.nix index 11d2b4194..d87b279a0 100644 --- a/krebs/3modules/on-failure.nix +++ b/krebs/3modules/on-failure.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: with import ../../lib/pure.nix { inherit lib; }; let +{ config, lib, pkgs, ... }: with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let out = { options.krebs.on-failure = api; config = lib.mkIf cfg.enable imp; diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index c0368ee85..f83a29acb 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -28,7 +28,12 @@ in { }; }) (filterAttrs (_: per-user: per-user.packages != []) cfg); - profiles = ["/etc/per-user/$LOGNAME"]; + + # XXX this breaks /etc/pam/environment because $LOGNAME doesn't get + # replaced by @{PAM_USER} the way $USER does. + # See <nixpkgs/nixos/modules/config/system-environment.nix> + #profiles = ["/etc/per-user/$LOGNAME"]; + profiles = ["/etc/per-user/$USER"]; }; }; } diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix index ae8702978..51f5cb752 100644 --- a/krebs/3modules/permown.nix +++ b/krebs/3modules/permown.nix @@ -1,5 +1,5 @@ { config, pkgs, lib, ... }: let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in with lib; { @@ -73,6 +73,12 @@ with lib; { pkgs.findutils pkgs.inotify-tools ]; + # TODO + # der code könnte aber bisschen vorbereitet werden, damit man später einfach file-modes einbauen kann + # die drei finds müssten zu `find "$ROOT_PATH" -exec ${permown}` {} \;` werden + # und der while-block zu: + # ${permown} "$path" (egal ob vor oder nach dem if test -d) + # und dann müsste man danach nur das permown script bearbeiten serviceConfig = { ExecStart = pkgs.writeDash "permown" '' set -efu diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix index aa6254786..d552178f9 100644 --- a/krebs/3modules/reaktor2.nix +++ b/krebs/3modules/reaktor2.nix @@ -1,5 +1,5 @@ { config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; { +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { options.krebs.reaktor2 = mkOption { default = {}; @@ -69,6 +69,12 @@ with import ../../lib/pure.nix { inherit lib; }; { Group = "reaktor2"; DynamicUser = true; StateDirectory = cfg.username; + #ExecStartPre = [ + # (pkgs.writeDash "test-dynamic-user" '' + # set -efux + # ${pkgs.coreutils}/bin/id + # '') + #]; ExecStart = let configFile = pkgs.writers.writeJSON configFileName configValue; configFileName = "${cfg.systemd-service-name}.config.json"; diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index a65a22b29..21603d94c 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.realwallpaper; diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index 5208d91ae..7b2be4057 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.repo-sync; diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index c35dceba3..13c4ecaec 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; let +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.secret; in { options.krebs.secret = { diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index e3108d88e..d13fcccaa 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -1,5 +1,5 @@ { config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let out = { @@ -33,7 +33,7 @@ let }; capabilities = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf types.str; # TODO }; owner = mkOption { default = "root"; @@ -52,6 +52,8 @@ let merge = mergeOneOption; }; }; + # TODO clear non-standard wrapperDirs + # TODO? allow only wrapperDirs below /run/wrappers? wrapperDir = mkOption { default = config.security.wrapperDir; type = types.absolute-pathname; @@ -73,13 +75,16 @@ let chown ${cfg.owner}:${cfg.group} ${dst} chmod ${cfg.mode} ${dst} ${optionalString (cfg.capabilities != []) /* sh */ '' + set -x ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst} + set +x ''} ''; })); }; imp = { + # run after "wrappers" so config.security.wrapperDir can be hijacked. systemd.services."krebs.setuid" = { wantedBy = [ "suid-sgid-wrappers.service" ]; after = [ "suid-sgid-wrappers.service" ]; diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix index aba825c29..012b365fb 100644 --- a/krebs/3modules/ssh.nix +++ b/krebs/3modules/ssh.nix @@ -62,24 +62,26 @@ let } ])); - programs.ssh.extraConfig = concatMapStrings - (net: '' - Host ${toString (net.aliases ++ net.addrs)} - Port ${toString net.ssh.port} - '') - (filter - (net: net.ssh.port != 22) - (concatMap (host: attrValues host.nets) - (mapAttrsToList - (_: host: recursiveUpdate host - (optionalAttrs (cfg.dns.search-domain != null && - hasAttr cfg.dns.search-domain host.nets) { - nets."" = host.nets.${cfg.dns.search-domain} // { - aliases = [host.name]; - addrs = []; - }; - })) - config.krebs.hosts))); + programs.ssh.extraConfig = + mkBefore/*<-KILLME*/ + (concatMapStrings + (net: '' + Host ${toString (net.aliases ++ net.addrs)} + Port ${toString net.ssh.port} + '') + (filter + (net: net.ssh.port != 22) + (concatMap (host: attrValues host.nets) + (mapAttrsToList + (_: host: recursiveUpdate host + (optionalAttrs (cfg.dns.search-domain != null && + hasAttr cfg.dns.search-domain host.nets) { + nets."" = host.nets.${cfg.dns.search-domain} // { + aliases = [host.name]; + addrs = []; + }; + })) + config.krebs.hosts)))); } ]; diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 12a5ee4e7..872f04db2 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: let cfg = config.krebs.sync-containers3; - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in { options.krebs.sync-containers3 = { inContainer = { diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 754b25675..c0bd4768b 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let { - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); body.options.krebs.systemd.services = lib.mkOption { default = {}; diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index d73d5ca61..65f4f6a2b 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -1,5 +1,6 @@ -{ config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; { +{ config, pkgs, lib, ... }: let + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); +in with slib; { options.krebs.tinc = mkOption { default = {}; description = '' @@ -91,7 +92,7 @@ with import ../../lib/pure.nix { inherit lib; }; { hosts = mkOption { type = with types; attrsOf host; default = - filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts; + filterAttrs (_: h: hasAttr tinc.config.netname h.nets && h.nets.${tinc.config.netname}.tinc.config or null != null) config.krebs.hosts; defaultText = "‹all-hosts-of-‹netname››"; description = '' Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>. @@ -235,13 +236,14 @@ with import ../../lib/pure.nix { inherit lib; }; { "$CREDENTIALS_DIRECTORY"/rsa_key.priv \ /etc/tinc/${netname}/ ''; - ExecStart = "+" + toString [ - "${cfg.tincPackage}/sbin/tincd" - "-D" - "-U ${cfg.username}" - "-d 0" - "-n ${netname}" - ]; + ExecStart = "+" + pkgs.writers.writeDash "tinc-${netname}" '' + set -efu + exec ${cfg.tincPackage}/sbin/tincd \ + -D \ + -U ${cfg.username} \ + -d 0 \ + -n ${netname} + ''; SyslogIdentifier = netname; DynamicUser = true; User = cfg.username; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index dd132a2de..c8c75f919 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.tinc_graphs; internal_dir = "${cfg.workingDir}/internal"; diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index b811b6fa6..b2c264a06 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -4,7 +4,7 @@ # TODO inform about unused caches # cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.urlwatch; @@ -214,6 +214,7 @@ let }; filter = mkOption { default = null; + # TODO nullOr subtypes.filter type = with types; nullOr (either str (listOf (pkgs.formats.json {}).type)); diff --git a/krebs/3modules/users.nix b/krebs/3modules/users.nix index 614e6ab42..d41b34f7d 100644 --- a/krebs/3modules/users.nix +++ b/krebs/3modules/users.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in { options.krebs.users = lib.mkOption { type = lib.types.attrsOf slib.types.user; diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 51e559d88..6ac2ebac2 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -10,7 +10,8 @@ with lib; { default = { "krebsco.de" = /* bindzone */ '' $TTL 60 - @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 @ 3600 IN NS ni @ 3600 IN NS ns2.he.net. |