diff options
Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/default.nix | 8 | ||||
-rw-r--r-- | lass/3modules/iptables.nix | 187 | ||||
-rw-r--r-- | lass/3modules/sshkeys.nix | 26 | ||||
-rw-r--r-- | lass/3modules/urxvtd.nix | 55 | ||||
-rw-r--r-- | lass/3modules/xresources.nix | 57 |
5 files changed, 333 insertions, 0 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix new file mode 100644 index 000000000..d4e231ec7 --- /dev/null +++ b/lass/3modules/default.nix @@ -0,0 +1,8 @@ +_: + +{ + imports = [ + ./xresources.nix + ./iptables.nix + ]; +} diff --git a/lass/3modules/iptables.nix b/lass/3modules/iptables.nix new file mode 100644 index 000000000..8c6ad3fa1 --- /dev/null +++ b/lass/3modules/iptables.nix @@ -0,0 +1,187 @@ +arg@{ config, lib, pkgs, ... }: + +let + inherit (pkgs) writeScript writeText; + + inherit (lib) + concatMapStringsSep + concatStringsSep + attrNames + unique + fold + any + attrValues + catAttrs + filter + flatten + length + hasAttr + mkEnableOption + mkOption + mkIf + types + sort; + + elemIsIn = a: as: + any (x: x == a) as; + + cfg = config.lass.iptables; + + out = { + options.lass.iptables = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "iptables"; + + #tables.filter.INPUT = { + # policy = "DROP"; + # rules = [ + # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; } + # ]; + #}; + #new api + tables = mkOption { + type = with types; attrsOf (attrsOf (submodule ({ + options = { + policy = mkOption { + type = str; + default = "-"; + }; + rules = mkOption { + type = nullOr (listOf (submodule ({ + options = { + predicate = mkOption { + type = str; + }; + target = mkOption { + type = str; + }; + precedence = mkOption { + type = int; + default = 0; + }; + }; + }))); + default = null; + }; + }; + }))); + }; + }; + + imp = { + networking.firewall.enable = false; + + systemd.services.lass-iptables = { + description = "lass-iptables"; + wantedBy = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = with pkgs; [ + iptables + ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript} lass-iptables_start"; + }; + }; + }; + + #buildTable :: iptablesVersion -> iptablesAttrSet` -> str + #todo: differentiate by iptables-version + buildTables = v: ts: + let + + declareChain = t: cn: + #TODO: find out what to do whit these count numbers + ":${cn} ${t."${cn}".policy} [0:0]"; + + buildChain = tn: cn: + let + sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; + + in + #TODO: double check should be unneccessary, refactor! + if (hasAttr "rules" ts."${tn}"."${cn}") then + if (ts."${tn}"."${cn}".rules == null) then + "" + else + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map (buildRule tn cn) sortedRules + ) + else + "" + ; + + + buildRule = tn: cn: rule: + #target validation test: + assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); + + #predicate validation test: + #maybe use iptables-test + #TODO: howto exit with evaluation error by shellscript? + #apperantly not possible from nix because evalatution wouldn't be deterministic. + "${rule.predicate} -j ${rule.target}"; + + buildTable = tn: + "*${tn}\n" + + concatStringsSep "\n" ([] + ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") + ) + + #this looks dirty, find a better way to do this (maybe optionalString) + concatStringsSep "" ([] + ++ map (buildChain tn) (attrNames ts."${tn}") + ) + + "\nCOMMIT"; + in + concatStringsSep "\n" ([] + ++ map buildTable (attrNames ts) + ); + +#===== + + rules4 = iptables-version: + let + #TODO: find out good defaults. + tables-defaults = { + nat.PREROUTING.policy = "ACCEPT"; + nat.INPUT.policy = "ACCEPT"; + nat.OUTPUT.policy = "ACCEPT"; + nat.POSTROUTING.policy = "ACCEPT"; + filter.INPUT.policy = "ACCEPT"; + filter.FORWARD.policy = "ACCEPT"; + filter.OUTPUT.policy = "ACCEPT"; + + #if someone specifies any other rules on this chain, the default rules get lost. + #is this wanted beahiviour or a bug? + #TODO: implement abstraction of rules + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]; + }; + tables = tables-defaults // cfg.tables; + + in + writeText "lass-iptables-rules${toString iptables-version}" '' + ${buildTables iptables-version tables} + ''; + + startScript = writeScript "lass-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules4 4} + ip6tables-restore < ${rules4 6} + ''; + +in +out + diff --git a/lass/3modules/sshkeys.nix b/lass/3modules/sshkeys.nix new file mode 100644 index 000000000..5f1c60668 --- /dev/null +++ b/lass/3modules/sshkeys.nix @@ -0,0 +1,26 @@ +{ lib, ... }: + +with lib; + +{ + options = { + sshKeys = mkOption { + type = types.attrsOf (types.submodule ( + { config, ... }: + { + options = { + pub = mkOption { + type = types.str; + description = "Public part of the ssh key."; + }; + + priv = mkOption { + type = types.str; + description = "Private part of the ssh key."; + }; + }; + })); + description = "collection of ssh-keys"; + }; + }; +} diff --git a/lass/3modules/urxvtd.nix b/lass/3modules/urxvtd.nix new file mode 100644 index 000000000..469616a9f --- /dev/null +++ b/lass/3modules/urxvtd.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +let +in + +with builtins; +with lib; + +{ + options = { + services.urxvtd = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable urxvtd per user"; + }; + users = mkOption { + type = types.listOf types.string; + default = []; + description = "users to run urxvtd for"; + }; + urxvtPackage = mkOption { + type = types.package; + default = pkgs.rxvt_unicode; + description = "urxvt package to use"; + }; + }; + }; + + config = + let + cfg = config.services.urxvtd; + users = cfg.users; + urxvt = cfg.urxvtPackage; + mkService = user: { + description = "urxvt terminal daemon"; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = false; + path = [ pkgs.xlibs.xrdb ]; + environment = { + DISPLAY = ":0"; + URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl"; + }; + serviceConfig = { + Restart = "always"; + User = user; + ExecStart = "${urxvt}/bin/urxvtd"; + }; + }; + in + mkIf cfg.enable { + environment.systemPackages = [ urxvt ]; + systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); + }; +} diff --git a/lass/3modules/xresources.nix b/lass/3modules/xresources.nix new file mode 100644 index 000000000..15c5b8b74 --- /dev/null +++ b/lass/3modules/xresources.nix @@ -0,0 +1,57 @@ +{ config, lib, pkgs, ... }: + +#TODO: +#prefix with Attribute Name +#ex: urxvt + +# +# +with builtins; +with lib; + + +let + + inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; + inherit (pkgs) writeScript; + +in + +{ + + options = { + services.xresources.enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the automatic loading of Xresources definitions at display-manager start; + ''; + }; + + services.xresources.resources = mkOption { + default = {}; + type = types.attrsOf types.str; + example = { + urxvt = '' + URxvt*scrollBar: false + URxvt*urgentOnBell: true + ''; + }; + description = '' + Xresources definitions. + ''; + }; + }; + + config = + let + cfg = config.services.xresources; + xres = concatStringsSep "\n" (attrValues cfg.resources); + + in mkIf cfg.enable { + services.xserver.displayManager.sessionCommands = '' + echo ${shell-escape xres} | xrdb -merge + ''; + }; + +} |