diff options
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/2configs/exim-smarthost.nix | 50 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 144 | ||||
-rw-r--r-- | krebs/3modules/dns.nix | 12 | ||||
-rw-r--r-- | krebs/3modules/github-known-hosts.nix | 40 | ||||
-rw-r--r-- | krebs/3modules/hosts.nix | 36 | ||||
-rw-r--r-- | krebs/3modules/retiolum-hosts.nix | 28 | ||||
-rw-r--r-- | krebs/5pkgs/haskell/blessings.nix | 4 |
7 files changed, 178 insertions, 136 deletions
diff --git a/krebs/2configs/exim-smarthost.nix b/krebs/2configs/exim-smarthost.nix new file mode 100644 index 000000000..5dc24f1de --- /dev/null +++ b/krebs/2configs/exim-smarthost.nix @@ -0,0 +1,50 @@ +with import <stockholm/lib>; +{ config, ... }: let + + format = from: to: { + inherit from; + # TODO assert is-retiolum-mail-address to; + to = concatMapStringsSep "," (getAttr "mail") (toList to); + }; + +in { + krebs.exim-smarthost.internet-aliases = + mapAttrsToList format (with config.krebs.users; let + brain-ml = [ + lass + makefu + tv + ]; + eloop-ml = spam-ml ++ [ ciko ]; + spam-ml = [ + lass + makefu + tv + ]; + ciko.mail = "ciko@slash16.net"; + in { + "anmeldung@eloop.org" = eloop-ml; + "brain@krebsco.de" = brain-ml; + "cfp@eloop.org" = eloop-ml; + "kontakt@eloop.org" = eloop-ml; + "root@eloop.org" = eloop-ml; + "youtube@eloop.org" = eloop-ml; + "eloop2016@krebsco.de" = eloop-ml; + "eloop2017@krebsco.de" = eloop-ml; + "postmaster@krebsco.de" = spam-ml; # RFC 822 + "lass@krebsco.de" = lass; + "makefu@krebsco.de" = makefu; + "spam@krebsco.de" = spam-ml; + "tv@krebsco.de" = tv; + # XXX These are no internet aliases + # XXX exim-retiolum hosts should be able to relay to retiolum addresses + "lass@retiolum" = lass; + "makefu@retiolum" = makefu; + "spam@retiolum" = spam-ml; + "tv@retiolum" = tv; + "lass@r" = lass; + "makefu@r" = makefu; + "spam@r" = spam-ml; + "tv@r" = tv; + }); +} diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 2e7c61fb5..bb69bfad3 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -18,14 +18,17 @@ let ./charybdis.nix ./ci.nix ./current.nix + ./dns.nix ./exim.nix ./exim-retiolum.nix ./exim-smarthost.nix ./fetchWallpaper.nix ./github-hosts-sync.nix + ./github-known-hosts.nix ./git.nix ./go.nix ./hidden-ssh.nix + ./hosts.nix ./htgen.nix ./iana-etc.nix ./iptables.nix @@ -41,6 +44,7 @@ let ./Reaktor.nix ./realwallpaper.nix ./retiolum-bootstrap.nix + ./retiolum-hosts.nix ./rtorrent.nix ./secret.nix ./setuid.nix @@ -58,28 +62,10 @@ let api = { enable = mkEnableOption "krebs"; - dns = { - providers = mkOption { - type = with types; attrsOf str; - }; - }; - - hosts = mkOption { - type = with types; attrsOf host; - default = {}; - }; - users = mkOption { type = with types; attrsOf user; }; - # XXX is there a better place to define search-domain? - # TODO search-domains :: listOf hostname - search-domain = mkOption { - type = types.hostname; - default = "r"; - }; - sitemap = mkOption { default = {}; type = types.attrsOf types.sitemap.entry; @@ -125,6 +111,8 @@ let w = "hosts"; }; + krebs.dns.search-domain = mkDefault "r"; + krebs.users = { krebs = { home = "/krebs"; @@ -137,93 +125,6 @@ let }; }; - networking.extraHosts = let - domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); - check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; - in concatStringsSep "\n" (flatten ( - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = longs ++ shorts; - longs = filter check net.aliases; - shorts = let s = ".${cfg.search-domain}"; in - map (removeSuffix s) (filter (hasSuffix s) longs); - in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs) - ) (filterAttrs (name: host: host.aliases != []) host.nets) - ) cfg.hosts - )); - - # TODO dedup with networking.extraHosts - nixpkgs.config.packageOverrides = oldpkgs: - let - domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); - check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; - in - { - retiolum-hosts = oldpkgs.writeText "retiolum-hosts" '' - ${concatStringsSep "\n" (flatten ( - map (host: - let - net = host.nets.retiolum; - aliases = longs; - longs = filter check net.aliases; - in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs) - ) (filter (host: hasAttr "retiolum" host.nets) - (attrValues cfg.hosts))))} - ''; - }; - - krebs.exim-smarthost.internet-aliases = let - format = from: to: { - inherit from; - # TODO assert is-retiolum-mail-address to; - to = concatMapStringsSep "," (getAttr "mail") (toList to); - }; - in mapAttrsToList format (with config.krebs.users; let - brain-ml = [ - lass - makefu - tv - ]; - eloop-ml = spam-ml ++ [ ciko ]; - spam-ml = [ - lass - makefu - tv - ]; - ciko.mail = "ciko@slash16.net"; - in { - "anmeldung@eloop.org" = eloop-ml; - "brain@krebsco.de" = brain-ml; - "cfp@eloop.org" = eloop-ml; - "kontakt@eloop.org" = eloop-ml; - "root@eloop.org" = eloop-ml; - "youtube@eloop.org" = eloop-ml; - "eloop2016@krebsco.de" = eloop-ml; - "eloop2017@krebsco.de" = eloop-ml; - "postmaster@krebsco.de" = spam-ml; # RFC 822 - "lass@krebsco.de" = lass; - "makefu@krebsco.de" = makefu; - "spam@krebsco.de" = spam-ml; - "tv@krebsco.de" = tv; - # XXX These are no internet aliases - # XXX exim-retiolum hosts should be able to relay to retiolum addresses - "lass@retiolum" = lass; - "makefu@retiolum" = makefu; - "spam@retiolum" = spam-ml; - "tv@retiolum" = tv; - "lass@r" = lass; - "makefu@r" = makefu; - "spam@r" = spam-ml; - "tv@r" = tv; - }); - services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) (mkForce [privkey]); @@ -238,31 +139,6 @@ let }; }) // - { - github = { - hostNames = [ - "github.com" - # List generated with - # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob - "192.30.252.*" - "192.30.253.*" - "192.30.254.*" - "192.30.255.*" - "185.199.108.*" - "185.199.109.*" - "185.199.110.*" - "185.199.111.*" - "13.229.188.59" - "13.250.177.223" - "18.194.104.89" - "18.195.85.27" - "35.159.8.160" - "52.74.223.119" - ]; - publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; - }; - } - // mapAttrs (name: host: { hostNames = @@ -272,8 +148,8 @@ let let longs = net.aliases; shorts = - map (removeSuffix ".${cfg.search-domain}") - (filter (hasSuffix ".${cfg.search-domain}") + map (removeSuffix ".${cfg.dns.search-domain}") + (filter (hasSuffix ".${cfg.dns.search-domain}") longs); add-port = a: if net.ssh.port != 22 @@ -297,8 +173,8 @@ let (concatMap (host: attrValues host.nets) (mapAttrsToList (_: host: recursiveUpdate host - (optionalAttrs (hasAttr config.krebs.search-domain host.nets) { - nets."" = host.nets.${config.krebs.search-domain} // { + (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) { + nets."" = host.nets.${cfg.dns.search-domain} // { aliases = [host.name]; addrs = []; }; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix new file mode 100644 index 000000000..b7e2a2cbb --- /dev/null +++ b/krebs/3modules/dns.nix @@ -0,0 +1,12 @@ +with import <stockholm/lib>; +{ + options = { + krebs.dns.providers = mkOption { + type = types.attrsOf types.str; + }; + + krebs.dns.search-domain = mkOption { + type = types.hostname; + }; + }; +} diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix new file mode 100644 index 000000000..def06f17a --- /dev/null +++ b/krebs/3modules/github-known-hosts.nix @@ -0,0 +1,40 @@ +{ + services.openssh.knownHosts.github = { + hostNames = [ + "github.com" + # List generated with + # curl -sS https://api.github.com/meta | jq -r .git[] | nix-shell -p cidr2glob --run cidr2glob | jq -R . + "192.30.252.*" + "192.30.253.*" + "192.30.254.*" + "192.30.255.*" + "185.199.108.*" + "185.199.109.*" + "185.199.110.*" + "185.199.111.*" + "140.82.112.*" + "140.82.113.*" + "140.82.114.*" + "140.82.115.*" + "140.82.116.*" + "140.82.117.*" + "140.82.118.*" + "140.82.119.*" + "140.82.120.*" + "140.82.121.*" + "140.82.122.*" + "140.82.123.*" + "140.82.124.*" + "140.82.125.*" + "140.82.126.*" + "140.82.127.*" + "13.229.188.59" + "13.250.177.223" + "18.194.104.89" + "18.195.85.27" + "35.159.8.160" + "52.74.223.119" + ]; + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; +} diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix new file mode 100644 index 000000000..a95557b3d --- /dev/null +++ b/krebs/3modules/hosts.nix @@ -0,0 +1,36 @@ +with import <stockholm/lib>; +{ config, ... }: let + # TODO dedup functions with ./retiolum-hosts.nix + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); +in { + + options = { + krebs.hosts = mkOption { + default = {}; + type = types.attrsOf types.host; + }; + }; + + config = { + networking.extraHosts = + concatStringsSep + "\n" + (flatten + (mapAttrsToList + (hostname: host: + mapAttrsToList + (netname: net: let + aliases = longs ++ shorts; + longs = filter check net.aliases; + shorts = let s = ".${config.krebs.dns.search-domain}"; in + map (removeSuffix s) (filter (hasSuffix s) longs); + in + optionals + (aliases != []) + (map (addr: "${addr} ${toString aliases}") net.addrs)) + (filterAttrs (name: host: host.aliases != []) host.nets)) + config.krebs.hosts)); + }; + +} diff --git a/krebs/3modules/retiolum-hosts.nix b/krebs/3modules/retiolum-hosts.nix new file mode 100644 index 000000000..ddf85ead7 --- /dev/null +++ b/krebs/3modules/retiolum-hosts.nix @@ -0,0 +1,28 @@ +with import <stockholm/lib>; +{ config, ... }: let + # TODO dedup functions with ./hosts.nix + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); +in { + nixpkgs.config.packageOverrides = super: { + retiolum-hosts = + super.writeText "retiolum-hosts" '' + ${ + concatStringsSep + "\n" + (flatten + (map + (host: let + net = host.nets.retiolum; + aliases = longs; + longs = filter check net.aliases; + in + optionals + (aliases != []) + (map (addr: "${addr} ${toString aliases}") net.addrs)) + (filter (host: hasAttr "retiolum" host.nets) + (attrValues config.krebs.hosts)))) + } + ''; + }; +} diff --git a/krebs/5pkgs/haskell/blessings.nix b/krebs/5pkgs/haskell/blessings.nix index 59c5b7984..19f8da19d 100644 --- a/krebs/5pkgs/haskell/blessings.nix +++ b/krebs/5pkgs/haskell/blessings.nix @@ -7,8 +7,8 @@ with import <stockholm/lib>; sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1"; }; "18.09" = { - version = "1.2.0"; - sha256 = "03hz43ixww0h4fwxqrlrlvmj3pxswhb50ijaapwjz8457il2r300"; + version = "1.3.0"; + sha256 = "1y9jhh9pchrr48zgfib2jip97x1fkm7qb1gnfx477rmmryjs500h"; }; }.${versions.majorMinor nixpkgsVersion}; |