summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/2configs/exim-smarthost.nix50
-rw-r--r--krebs/3modules/default.nix144
-rw-r--r--krebs/3modules/dns.nix12
-rw-r--r--krebs/3modules/github-known-hosts.nix40
-rw-r--r--krebs/3modules/hosts.nix36
-rw-r--r--krebs/3modules/retiolum-hosts.nix28
-rw-r--r--krebs/5pkgs/haskell/blessings.nix4
7 files changed, 178 insertions, 136 deletions
diff --git a/krebs/2configs/exim-smarthost.nix b/krebs/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..5dc24f1de
--- /dev/null
+++ b/krebs/2configs/exim-smarthost.nix
@@ -0,0 +1,50 @@
+with import <stockholm/lib>;
+{ config, ... }: let
+
+ format = from: to: {
+ inherit from;
+ # TODO assert is-retiolum-mail-address to;
+ to = concatMapStringsSep "," (getAttr "mail") (toList to);
+ };
+
+in {
+ krebs.exim-smarthost.internet-aliases =
+ mapAttrsToList format (with config.krebs.users; let
+ brain-ml = [
+ lass
+ makefu
+ tv
+ ];
+ eloop-ml = spam-ml ++ [ ciko ];
+ spam-ml = [
+ lass
+ makefu
+ tv
+ ];
+ ciko.mail = "ciko@slash16.net";
+ in {
+ "anmeldung@eloop.org" = eloop-ml;
+ "brain@krebsco.de" = brain-ml;
+ "cfp@eloop.org" = eloop-ml;
+ "kontakt@eloop.org" = eloop-ml;
+ "root@eloop.org" = eloop-ml;
+ "youtube@eloop.org" = eloop-ml;
+ "eloop2016@krebsco.de" = eloop-ml;
+ "eloop2017@krebsco.de" = eloop-ml;
+ "postmaster@krebsco.de" = spam-ml; # RFC 822
+ "lass@krebsco.de" = lass;
+ "makefu@krebsco.de" = makefu;
+ "spam@krebsco.de" = spam-ml;
+ "tv@krebsco.de" = tv;
+ # XXX These are no internet aliases
+ # XXX exim-retiolum hosts should be able to relay to retiolum addresses
+ "lass@retiolum" = lass;
+ "makefu@retiolum" = makefu;
+ "spam@retiolum" = spam-ml;
+ "tv@retiolum" = tv;
+ "lass@r" = lass;
+ "makefu@r" = makefu;
+ "spam@r" = spam-ml;
+ "tv@r" = tv;
+ });
+}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 2e7c61fb5..bb69bfad3 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -18,14 +18,17 @@ let
./charybdis.nix
./ci.nix
./current.nix
+ ./dns.nix
./exim.nix
./exim-retiolum.nix
./exim-smarthost.nix
./fetchWallpaper.nix
./github-hosts-sync.nix
+ ./github-known-hosts.nix
./git.nix
./go.nix
./hidden-ssh.nix
+ ./hosts.nix
./htgen.nix
./iana-etc.nix
./iptables.nix
@@ -41,6 +44,7 @@ let
./Reaktor.nix
./realwallpaper.nix
./retiolum-bootstrap.nix
+ ./retiolum-hosts.nix
./rtorrent.nix
./secret.nix
./setuid.nix
@@ -58,28 +62,10 @@ let
api = {
enable = mkEnableOption "krebs";
- dns = {
- providers = mkOption {
- type = with types; attrsOf str;
- };
- };
-
- hosts = mkOption {
- type = with types; attrsOf host;
- default = {};
- };
-
users = mkOption {
type = with types; attrsOf user;
};
- # XXX is there a better place to define search-domain?
- # TODO search-domains :: listOf hostname
- search-domain = mkOption {
- type = types.hostname;
- default = "r";
- };
-
sitemap = mkOption {
default = {};
type = types.attrsOf types.sitemap.entry;
@@ -125,6 +111,8 @@ let
w = "hosts";
};
+ krebs.dns.search-domain = mkDefault "r";
+
krebs.users = {
krebs = {
home = "/krebs";
@@ -137,93 +125,6 @@ let
};
};
- networking.extraHosts = let
- domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
- check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
- in concatStringsSep "\n" (flatten (
- mapAttrsToList (hostname: host:
- mapAttrsToList (netname: net:
- let
- aliases = longs ++ shorts;
- longs = filter check net.aliases;
- shorts = let s = ".${cfg.search-domain}"; in
- map (removeSuffix s) (filter (hasSuffix s) longs);
- in
- optionals
- (aliases != [])
- (map (addr: "${addr} ${toString aliases}") net.addrs)
- ) (filterAttrs (name: host: host.aliases != []) host.nets)
- ) cfg.hosts
- ));
-
- # TODO dedup with networking.extraHosts
- nixpkgs.config.packageOverrides = oldpkgs:
- let
- domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
- check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
- in
- {
- retiolum-hosts = oldpkgs.writeText "retiolum-hosts" ''
- ${concatStringsSep "\n" (flatten (
- map (host:
- let
- net = host.nets.retiolum;
- aliases = longs;
- longs = filter check net.aliases;
- in
- optionals
- (aliases != [])
- (map (addr: "${addr} ${toString aliases}") net.addrs)
- ) (filter (host: hasAttr "retiolum" host.nets)
- (attrValues cfg.hosts))))}
- '';
- };
-
- krebs.exim-smarthost.internet-aliases = let
- format = from: to: {
- inherit from;
- # TODO assert is-retiolum-mail-address to;
- to = concatMapStringsSep "," (getAttr "mail") (toList to);
- };
- in mapAttrsToList format (with config.krebs.users; let
- brain-ml = [
- lass
- makefu
- tv
- ];
- eloop-ml = spam-ml ++ [ ciko ];
- spam-ml = [
- lass
- makefu
- tv
- ];
- ciko.mail = "ciko@slash16.net";
- in {
- "anmeldung@eloop.org" = eloop-ml;
- "brain@krebsco.de" = brain-ml;
- "cfp@eloop.org" = eloop-ml;
- "kontakt@eloop.org" = eloop-ml;
- "root@eloop.org" = eloop-ml;
- "youtube@eloop.org" = eloop-ml;
- "eloop2016@krebsco.de" = eloop-ml;
- "eloop2017@krebsco.de" = eloop-ml;
- "postmaster@krebsco.de" = spam-ml; # RFC 822
- "lass@krebsco.de" = lass;
- "makefu@krebsco.de" = makefu;
- "spam@krebsco.de" = spam-ml;
- "tv@krebsco.de" = tv;
- # XXX These are no internet aliases
- # XXX exim-retiolum hosts should be able to relay to retiolum addresses
- "lass@retiolum" = lass;
- "makefu@retiolum" = makefu;
- "spam@retiolum" = spam-ml;
- "tv@retiolum" = tv;
- "lass@r" = lass;
- "makefu@r" = makefu;
- "spam@r" = spam-ml;
- "tv@r" = tv;
- });
-
services.openssh.hostKeys =
let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) (mkForce [privkey]);
@@ -238,31 +139,6 @@ let
};
})
//
- {
- github = {
- hostNames = [
- "github.com"
- # List generated with
- # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
- "192.30.252.*"
- "192.30.253.*"
- "192.30.254.*"
- "192.30.255.*"
- "185.199.108.*"
- "185.199.109.*"
- "185.199.110.*"
- "185.199.111.*"
- "13.229.188.59"
- "13.250.177.223"
- "18.194.104.89"
- "18.195.85.27"
- "35.159.8.160"
- "52.74.223.119"
- ];
- publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
- };
- }
- //
mapAttrs
(name: host: {
hostNames =
@@ -272,8 +148,8 @@ let
let
longs = net.aliases;
shorts =
- map (removeSuffix ".${cfg.search-domain}")
- (filter (hasSuffix ".${cfg.search-domain}")
+ map (removeSuffix ".${cfg.dns.search-domain}")
+ (filter (hasSuffix ".${cfg.dns.search-domain}")
longs);
add-port = a:
if net.ssh.port != 22
@@ -297,8 +173,8 @@ let
(concatMap (host: attrValues host.nets)
(mapAttrsToList
(_: host: recursiveUpdate host
- (optionalAttrs (hasAttr config.krebs.search-domain host.nets) {
- nets."" = host.nets.${config.krebs.search-domain} // {
+ (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) {
+ nets."" = host.nets.${cfg.dns.search-domain} // {
aliases = [host.name];
addrs = [];
};
diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix
new file mode 100644
index 000000000..b7e2a2cbb
--- /dev/null
+++ b/krebs/3modules/dns.nix
@@ -0,0 +1,12 @@
+with import <stockholm/lib>;
+{
+ options = {
+ krebs.dns.providers = mkOption {
+ type = types.attrsOf types.str;
+ };
+
+ krebs.dns.search-domain = mkOption {
+ type = types.hostname;
+ };
+ };
+}
diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix
new file mode 100644
index 000000000..def06f17a
--- /dev/null
+++ b/krebs/3modules/github-known-hosts.nix
@@ -0,0 +1,40 @@
+{
+ services.openssh.knownHosts.github = {
+ hostNames = [
+ "github.com"
+ # List generated with
+ # curl -sS https://api.github.com/meta | jq -r .git[] | nix-shell -p cidr2glob --run cidr2glob | jq -R .
+ "192.30.252.*"
+ "192.30.253.*"
+ "192.30.254.*"
+ "192.30.255.*"
+ "185.199.108.*"
+ "185.199.109.*"
+ "185.199.110.*"
+ "185.199.111.*"
+ "140.82.112.*"
+ "140.82.113.*"
+ "140.82.114.*"
+ "140.82.115.*"
+ "140.82.116.*"
+ "140.82.117.*"
+ "140.82.118.*"
+ "140.82.119.*"
+ "140.82.120.*"
+ "140.82.121.*"
+ "140.82.122.*"
+ "140.82.123.*"
+ "140.82.124.*"
+ "140.82.125.*"
+ "140.82.126.*"
+ "140.82.127.*"
+ "13.229.188.59"
+ "13.250.177.223"
+ "18.194.104.89"
+ "18.195.85.27"
+ "35.159.8.160"
+ "52.74.223.119"
+ ];
+ publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+ };
+}
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
new file mode 100644
index 000000000..a95557b3d
--- /dev/null
+++ b/krebs/3modules/hosts.nix
@@ -0,0 +1,36 @@
+with import <stockholm/lib>;
+{ config, ... }: let
+ # TODO dedup functions with ./retiolum-hosts.nix
+ check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
+ domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers);
+in {
+
+ options = {
+ krebs.hosts = mkOption {
+ default = {};
+ type = types.attrsOf types.host;
+ };
+ };
+
+ config = {
+ networking.extraHosts =
+ concatStringsSep
+ "\n"
+ (flatten
+ (mapAttrsToList
+ (hostname: host:
+ mapAttrsToList
+ (netname: net: let
+ aliases = longs ++ shorts;
+ longs = filter check net.aliases;
+ shorts = let s = ".${config.krebs.dns.search-domain}"; in
+ map (removeSuffix s) (filter (hasSuffix s) longs);
+ in
+ optionals
+ (aliases != [])
+ (map (addr: "${addr} ${toString aliases}") net.addrs))
+ (filterAttrs (name: host: host.aliases != []) host.nets))
+ config.krebs.hosts));
+ };
+
+}
diff --git a/krebs/3modules/retiolum-hosts.nix b/krebs/3modules/retiolum-hosts.nix
new file mode 100644
index 000000000..ddf85ead7
--- /dev/null
+++ b/krebs/3modules/retiolum-hosts.nix
@@ -0,0 +1,28 @@
+with import <stockholm/lib>;
+{ config, ... }: let
+ # TODO dedup functions with ./hosts.nix
+ check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
+ domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers);
+in {
+ nixpkgs.config.packageOverrides = super: {
+ retiolum-hosts =
+ super.writeText "retiolum-hosts" ''
+ ${
+ concatStringsSep
+ "\n"
+ (flatten
+ (map
+ (host: let
+ net = host.nets.retiolum;
+ aliases = longs;
+ longs = filter check net.aliases;
+ in
+ optionals
+ (aliases != [])
+ (map (addr: "${addr} ${toString aliases}") net.addrs))
+ (filter (host: hasAttr "retiolum" host.nets)
+ (attrValues config.krebs.hosts))))
+ }
+ '';
+ };
+}
diff --git a/krebs/5pkgs/haskell/blessings.nix b/krebs/5pkgs/haskell/blessings.nix
index 59c5b7984..19f8da19d 100644
--- a/krebs/5pkgs/haskell/blessings.nix
+++ b/krebs/5pkgs/haskell/blessings.nix
@@ -7,8 +7,8 @@ with import <stockholm/lib>;
sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1";
};
"18.09" = {
- version = "1.2.0";
- sha256 = "03hz43ixww0h4fwxqrlrlvmj3pxswhb50ijaapwjz8457il2r300";
+ version = "1.3.0";
+ sha256 = "1y9jhh9pchrr48zgfib2jip97x1fkm7qb1gnfx477rmmryjs500h";
};
}.${versions.majorMinor nixpkgsVersion};