Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/default.nix8
-rw-r--r--lass/3modules/iptables.nix187
-rw-r--r--lass/3modules/sshkeys.nix26
-rw-r--r--lass/3modules/urxvtd.nix55
-rw-r--r--lass/3modules/xresources.nix57
5 files changed, 333 insertions, 0 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
new file mode 100644
index 000000000..d4e231ec7
--- /dev/null
+++ b/lass/3modules/default.nix
@@ -0,0 +1,8 @@
+_:
+
+{
+ imports = [
+ ./xresources.nix
+ ./iptables.nix
+ ];
+}
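Review bot: The `imports` list pulls in only `./xresources.nix` and `./iptables.nix`, while `sshkeys.nix` and `urxvtd.nix` are added by the same commit and are not imported anywhere in it. If they are meant to be opted into per host, a one-line comment such as `# sshkeys.nix and urxvtd.nix are imported per host, not here` would stop a reader from treating the omission as a bug; otherwise `./sshkeys.nix` and `./urxvtd.nix` belong in this list.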
diff --git a/lass/3modules/iptables.nix b/lass/3modules/iptables.nix
new file mode 100644
index 000000000..8c6ad3fa1
--- /dev/null
+++ b/lass/3modules/iptables.nix
@@ -0,0 +1,187 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+ inherit (pkgs) writeScript writeText;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ attrNames
+ unique
+ fold
+ any
+ attrValues
+ catAttrs
+ filter
+ flatten
+ length
+ hasAttr
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ sort;
+
+ elemIsIn = a: as:
+ any (x: x == a) as;
+
+ cfg = config.lass.iptables;
+
+ out = {
+ options.lass.iptables = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "iptables";
+
+ #tables.filter.INPUT = {
+ # policy = "DROP";
+ # rules = [
+ # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+ # ];
+ #};
+ #new api
+ tables = mkOption {
+ type = with types; attrsOf (attrsOf (submodule ({
+ options = {
+ policy = mkOption {
+ type = str;
+ default = "-";
+ };
+ rules = mkOption {
+ type = nullOr (listOf (submodule ({
+ options = {
+ predicate = mkOption {
+ type = str;
+ };
+ target = mkOption {
+ type = str;
+ };
+ precedence = mkOption {
+ type = int;
+ default = 0;
+ };
+ };
+ })));
+ default = null;
+ };
+ };
+ })));
+ };
+ };
+
+ imp = {
+ networking.firewall.enable = false;
+
+ systemd.services.lass-iptables = {
+ description = "lass-iptables";
+ wantedBy = [ "network-pre.target" ];
+ before = [ "network-pre.target" ];
+ after = [ "systemd-modules-load.service" ];
+
+ path = with pkgs; [
+ iptables
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript} lass-iptables_start";
+ };
+ };
+ };
+
+ #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
+ #todo: differentiate by iptables-version
+ buildTables = v: ts:
+ let
+
+ declareChain = t: cn:
+ #TODO: find out what to do whit these count numbers
+ ":${cn} ${t."${cn}".policy} [0:0]";
+
+ buildChain = tn: cn:
+ let
+ sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+
+ in
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then
+ if (ts."${tn}"."${cn}".rules == null) then
+ ""
+ else
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map (buildRule tn cn) sortedRules
+ )
+ else
+ ""
+ ;
+
+
+ buildRule = tn: cn: rule:
+ #target validation test:
+ assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
+
+ #predicate validation test:
+ #maybe use iptables-test
+ #TODO: howto exit with evaluation error by shellscript?
+ #apperantly not possible from nix because evalatution wouldn't be deterministic.
+ "${rule.predicate} -j ${rule.target}";
+
+ buildTable = tn:
+ "*${tn}\n" +
+ concatStringsSep "\n" ([]
+ ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
+ ) +
+ #this looks dirty, find a better way to do this (maybe optionalString)
+ concatStringsSep "" ([]
+ ++ map (buildChain tn) (attrNames ts."${tn}")
+ ) +
+ "\nCOMMIT";
+ in
+ concatStringsSep "\n" ([]
+ ++ map buildTable (attrNames ts)
+ );
+
+#=====
+
+ rules4 = iptables-version:
+ let
+ #TODO: find out good defaults.
+ tables-defaults = {
+ nat.PREROUTING.policy = "ACCEPT";
+ nat.INPUT.policy = "ACCEPT";
+ nat.OUTPUT.policy = "ACCEPT";
+ nat.POSTROUTING.policy = "ACCEPT";
+ filter.INPUT.policy = "ACCEPT";
+ filter.FORWARD.policy = "ACCEPT";
+ filter.OUTPUT.policy = "ACCEPT";
+
+ #if someone specifies any other rules on this chain, the default rules get lost.
+ #is this wanted beahiviour or a bug?
+ #TODO: implement abstraction of rules
+ filter.INPUT.rules = [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ ];
+ };
+ tables = tables-defaults // cfg.tables;
+
+ in
+ writeText "lass-iptables-rules${toString iptables-version}" ''
+ ${buildTables iptables-version tables}
+ '';
+
+ startScript = writeScript "lass-iptables_start" ''
+ #! /bin/sh
+ set -euf
+ iptables-restore < ${rules4 4}
+ ip6tables-restore < ${rules4 6}
+ '';
+
+in
+out
+
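Review bot: Enabling this module turns off the NixOS firewall (`networking.firewall.enable = false;` in `imp`) and replaces it with a ruleset whose every chain policy in `tables-defaults` is `ACCEPT`, so a host that sets only `lass.iptables.enable = true` ends up with no inbound filtering at all; if that is intended, the `enable` and `tables` options should state it in a `description`, otherwise `filter.INPUT.policy` is where a deny default belongs. The shallow `tables = tables-defaults // cfg.tables;` makes the comment above it literal: any user value under `tables.filter` discards the whole default `filter` table including the `RELATED,ESTABLISHED` rule, whereas `tables = lib.recursiveUpdate tables-defaults cfg.tables;` keeps the per-chain policies while still letting a user-supplied `rules` list replace the default one. `startScript` feeds the same table set to both `iptables-restore` and `ip6tables-restore` under `set -euf`, so an IPv4-only predicate in `cfg.tables` aborts the IPv6 restore; since the unit is only ordered `before` `network-pre.target` and nothing requires it, a failed restore appears to leave the kernel's accept-everything defaults in place rather than holding back network start, which is worth a sentence in the option docs. `Type = "simple"` combined with `RemainAfterExit = true` and `Restart = "always"` for a script that exits once the restore is done reads as if `Type = "oneshot"` was meant; please confirm.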
diff --git a/lass/3modules/sshkeys.nix b/lass/3modules/sshkeys.nix
new file mode 100644
index 000000000..5f1c60668
--- /dev/null
+++ b/lass/3modules/sshkeys.nix
@@ -0,0 +1,26 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ options = {
+ sshKeys = mkOption {
+ type = types.attrsOf (types.submodule (
+ { config, ... }:
+ {
+ options = {
+ pub = mkOption {
+ type = types.str;
+ description = "Public part of the ssh key.";
+ };
+
+ priv = mkOption {
+ type = types.str;
+ description = "Private part of the ssh key.";
+ };
+ };
+ }));
+ description = "collection of ssh-keys";
+ };
+ };
+}
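Review bot: The `priv` option stores private key material as a plain `types.str`, and nothing in the hunk documents that interpolating it into a derivation (`pkgs.writeText`, `environment.etc` and the like) copies the key into the world-readable `/nix/store`; the option description should carry that caveat, e.g. `description = "Private part of the ssh key. Do not interpolate this into a derivation; it would land in the world-readable /nix/store.";`. The submodule function takes `{ config, ... }:` but never uses `config`, so the argument can be dropped to `{ ... }:`. Neither `pub` nor `priv` has a default, so reading `sshKeys.<name>` with one of them unset is an evaluation error — fine if intended, but a sentence in the top-level `description` would make that explicit.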
diff --git a/lass/3modules/urxvtd.nix b/lass/3modules/urxvtd.nix
new file mode 100644
index 000000000..469616a9f
--- /dev/null
+++ b/lass/3modules/urxvtd.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+in
+
+with builtins;
+with lib;
+
+{
+ options = {
+ services.urxvtd = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable urxvtd per user";
+ };
+ users = mkOption {
+ type = types.listOf types.string;
+ default = [];
+ description = "users to run urxvtd for";
+ };
+ urxvtPackage = mkOption {
+ type = types.package;
+ default = pkgs.rxvt_unicode;
+ description = "urxvt package to use";
+ };
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.urxvtd;
+ users = cfg.users;
+ urxvt = cfg.urxvtPackage;
+ mkService = user: {
+ description = "urxvt terminal daemon";
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ path = [ pkgs.xlibs.xrdb ];
+ environment = {
+ DISPLAY = ":0";
+ URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
+ };
+ serviceConfig = {
+ Restart = "always";
+ User = user;
+ ExecStart = "${urxvt}/bin/urxvtd";
+ };
+ };
+ in
+ mkIf cfg.enable {
+ environment.systemPackages = [ urxvt ];
+ systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+ };
+}
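Review bot: `users` is typed `types.listOf types.string` in the `users = mkOption` block, while `xresources.nix` in the same commit uses `types.str`; `types.str` is the canonical string type (it rejects conflicting definitions instead of concatenating them as `types.string` does), so `type = types.listOf types.str;` is the consistent choice. The empty `let in` at the top and `with builtins;` (the only builtin used, `listToAttrs`, is also available through `with lib;`) are leftovers that can be removed. `DISPLAY = ":0"` is hard-coded in `mkService`; a comment such as `# assumes a single X server on display :0` would spare the next reader from guessing whether that is a constraint or an oversight.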
diff --git a/lass/3modules/xresources.nix b/lass/3modules/xresources.nix
new file mode 100644
index 000000000..15c5b8b74
--- /dev/null
+++ b/lass/3modules/xresources.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+#TODO:
+#prefix with Attribute Name
+#ex: urxvt
+
+#
+#
+with builtins;
+with lib;
+
+
+let
+
+ inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
+ inherit (pkgs) writeScript;
+
+in
+
+{
+
+ options = {
+ services.xresources.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the automatic loading of Xresources definitions at display-manager start;
+ '';
+ };
+
+ services.xresources.resources = mkOption {
+ default = {};
+ type = types.attrsOf types.str;
+ example = {
+ urxvt = ''
+ URxvt*scrollBar: false
+ URxvt*urgentOnBell: true
+ '';
+ };
+ description = ''
+ Xresources definitions.
+ '';
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.xresources;
+ xres = concatStringsSep "\n" (attrValues cfg.resources);
+
+ in mkIf cfg.enable {
+ services.xserver.displayManager.sessionCommands = ''
+ echo ${shell-escape xres} | xrdb -merge
+ '';
+ };
+
+}
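Review bot: `sessionCommands` pipes the resources with `echo ${shell-escape xres} | xrdb -merge`; `echo` treats a leading `-n`/`-e` as an option and, depending on the shell running the session script, may interpret backslash sequences such as the `\033` escapes common in Xresources key bindings, so `printf '%s\n' ${shell-escape xres} | xrdb -merge` is the safer form. `xres` is built from `attrValues cfg.resources`, which returns values in attribute-name order, and xrdb keeps the last definition of a duplicated resource, so precedence between two entries is decided by their attribute names; that belongs in the `resources` description, e.g. `Xresources definitions, concatenated in attribute-name order; a later entry wins on duplicate resource names.`. Minor: the `enable` description ends in a stray `;`, and the `#TODO` header has two empty `#` lines.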