-{ config, pkgs, ... }:

-

-{

- boot.loader.grub.device = "/dev/sda";

- boot.loader.grub.enable = true;

- boot.loader.grub.version = 2;

-

- boot.initrd.availableKernelModules = [

- "ata_piix"

- "vmw_pvscsi"

- ];

-

- fileSystems."/" = {

- device = "/dev/centos/root";

- fsType = "xfs";

- };

-

- fileSystems."/boot" = {

- device = "/dev/sda1";

- fsType = "xfs";

- };

-

- swapDevices = [

- { device = "/dev/centos/swap"; }

- ];

-}

-

-{ config, pkgs, ... }:

-

-{

- time.timeZone = "Europe/Berlin";

-

- # TODO check if both are required:

- nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];

-

- nix.trustedBinaryCaches = [

- "https://cache.nixos.org"

- "http://cache.nixos.org"

- "http://hydra.nixos.org"

- ];

-

- nix.useChroot = true;

-}

-{ pkgs, ... }:

-

-{

- imports = [ ./consul-server.nix ];

-

- tv.consul = {

- server = pkgs.lib.mkForce false;

- };

-}

-{ config, ... }:

-

-{

- imports = [ ../../tv/consul ];

- tv.consul = rec {

- enable = true;

-

- inherit (config.tv.identity) self;

- inherit (self) dc;

-

- server = true;

-

- hosts = with config.tv.identity.hosts; [

- # TODO get this list automatically from each host where tv.consul.enable is true

- cd

- mkdir

- nomic

- rmdir

- #wu

- ];

- };

-}

-{ config, lib, pkgs, ... }:

-

-# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect

-# but -bootstrap

-# TODO consul-bootstrap HOST that actually does is

-# TODO tools to inspect state of a cluster in outage state

-

-with builtins;

-with lib;

-let

- cfg = config.tv.consul;

-

- out = {

- imports = [ ../../tv/iptables ];

- options.tv.consul = api;

- config = mkIf cfg.enable (mkMerge [

- imp

- { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; }

- # TODO udp for 8301

- ]);

- };

-

- api = {

- # TODO inherit (lib) api.options.enable; oder so

- enable = mkOption {

- type = types.bool;

- default = false;

- description = "enable tv.consul";

- };

- dc = mkOption {

- type = types.unspecified;

- };

- hosts = mkOption {

- type = with types; listOf unspecified;

- };

- encrypt-file = mkOption {

- type = types.str; # TODO path (but not just into store)

- default = "/etc/consul/encrypt.json";

- };

- data-dir = mkOption {

- type = types.str; # TODO path (but not just into store)

- default = "/var/lib/consul";

- };

- self = mkOption {

- type = types.unspecified;

- };

- server = mkOption {

- type = types.bool;

- default = false;

- };

- GOMAXPROCS = mkOption {

- type = types.int;

- default = cfg.self.cores;

- };

- };

-

- consul-config = {

- datacenter = cfg.dc;

- data_dir = cfg.data-dir;

- log_level = "INFO";

- #node_name =

- server = cfg.server;

- bind_addr = cfg.self.addr; # TODO cfg.addr

- enable_syslog = true;

- retry_join = map (getAttr "addr") (filter (host: host.fqdn != cfg.self.fqdn) cfg.hosts);

- leave_on_terminate = true;

- } // optionalAttrs cfg.server {

- bootstrap_expect = length cfg.hosts;

- leave_on_terminate = false;

- };

-

- imp = {

- environment.systemPackages = with pkgs; [

- consul

- ];

-

- systemd.services.consul = {

- after = [ "network.target" ];

- wantedBy = [ "multi-user.target" ];

- path = with pkgs; [

- consul

- ];

- environment = {

- GOMAXPROCS = toString cfg.GOMAXPROCS;

- };

- serviceConfig = {

- PermissionsStartOnly = "true";

- SyslogIdentifier = "consul";

- User = user.name;

- PrivateTmp = "true";

- Restart = "always";

- ExecStartPre = pkgs.writeScript "consul-init" ''

- #! /bin/sh

- mkdir -p ${cfg.data-dir}

- chown consul: ${cfg.data-dir}

- '';

- ExecStart = pkgs.writeScript "consul-service" ''

- #! /bin/sh

- set -euf

- exec >/dev/null

- exec consul agent \

- -config-file=${toFile "consul.json" (toJSON consul-config)} \

- -config-file=${cfg.encrypt-file} \

- '';

- #-node=${cfg.self.fqdn} \

- #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";

- };

- };

-

- users.extraUsers = singleton {

- inherit (user) name uid;

- };

- };

-

- user = {

- name = "consul";

- uid = 2983239726; # genid consul

- };

-

-in

-out

-{ config, lib, pkgs, ... }:

-

-with lib;

-

-let

-

- inherit (pkgs) ejabberd writeScript writeScriptBin utillinux;

- inherit (lib) makeSearchPath;

-

- cfg = config.services.ejabberd-cd;

-

- # XXX this is a placeholder that happens to work the default strings.

- toErlang = builtins.toJSON;

-

-in

-

-{

-

- ####### interface

-

- options = {

-

- services.ejabberd-cd = {

-

- enable = mkOption {

- default = false;

- description = "Whether to enable ejabberd server";

- };

-

- certFile = mkOption {

- # TODO if it's types.path then it gets copied to /nix/store with

- # bad unsafe permissions...

- type = types.string;

- default = "/etc/ejabberd/ejabberd.pem";

- description = ''

- TODO

- '';

- };

-

- config = mkOption {

- type = types.string;

- default = "";

- description = ''

- TODO

- '';

- };

-

- user = mkOption {

- type = types.string;

- default = "ejabberd";

- description = ''

- TODO

- '';

- };

-

- group = mkOption {

- type = types.string;

- default = "ejabberd";

- description = ''

- TODO

- '';

- };

-

-

- # spoolDir = mkOption {

- # default = "/var/lib/ejabberd";

- # description = "Location of the spooldir of ejabberd";

- # };

-

- # logsDir = mkOption {

- # default = "/var/log/ejabberd";

- # description = "Location of the logfile directory of ejabberd";

- # };

-

- # confDir = mkOption {

- # default = "/var/ejabberd";

- # description = "Location of the config directory of ejabberd";

- # };

-

- # virtualHosts = mkOption {

- # default = "\"localhost\"";

- # description = "Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas";

- # };

-

- # loadDumps = mkOption {

- # default = [];

- # description = "Configuration dump that should be loaded on the first startup";

- # example = literalExample "[ ./myejabberd.dump ]";

- # };

-

- # config

- };

-

- };

-

-

- ####### implementation

-

- config =

- let

- my-ejabberdctl = writeScriptBin "ejabberdctl" ''

- #! /bin/sh

- set -euf

- exec env \

- SPOOLDIR=/var/ejabberd \

- EJABBERD_CONFIG_PATH=/etc/ejabberd.cfg \

- ${ejabberd}/bin/ejabberdctl \

- --logs /var/ejabberd \

- "$@"

- '';

- in

- mkIf cfg.enable {

- #environment.systemPackages = [ pkgs.ejabberd ];

-

- environment = {

- etc."ejabberd.cfg".text = ''

- %%%

- %%% ejabberd configuration file

- %%%

- %%%'

-

- %%% The parameters used in this configuration file are explained in more detail

- %%% in the ejabberd Installation and Operation Guide.

- %%% Please consult the Guide in case of doubts, it is included with

- %%% your copy of ejabberd, and is also available online at

- %%% http://www.process-one.net/en/ejabberd/docs/

-

- %%% This configuration file contains Erlang terms.

- %%% In case you want to understand the syntax, here are the concepts:

- %%%

- %%% - The character to comment a line is %

- %%%

- %%% - Each term ends in a dot, for example:

- %%% override_global.

- %%%

- %%% - A tuple has a fixed definition, its elements are

- %%% enclosed in {}, and separated with commas:

- %%% {loglevel, 4}.

- %%%

- %%% - A list can have as many elements as you want,

- %%% and is enclosed in [], for example:

- %%% [http_poll, web_admin, tls]

- %%%

- %%% - A keyword of ejabberd is a word in lowercase.

- %%% Strings are enclosed in "" and can contain spaces, dots, ...

- %%% {language, "en"}.

- %%% {ldap_rootdn, "dc=example,dc=com"}.

- %%%

- %%% - This term includes a tuple, a keyword, a list, and two strings:

- %%% {hosts, ["jabber.example.net", "im.example.com"]}.

- %%%

-

-

- %%%. =======================

- %%%' OVERRIDE STORED OPTIONS

-

- %%

- %% Override the old values stored in the database.

- %%

-

- %%

- %% Override global options (shared by all ejabberd nodes in a cluster).

- %%

- %%override_global.

-

- %%

- %% Override local options (specific for this particular ejabberd node).

- %%

- %%override_local.

-

- %%

- %% Remove the Access Control Lists before new ones are added.

- %%

- %%override_acls.

-

-

- %%%. =========

- %%%' DEBUGGING

-

- %%

- %% loglevel: Verbosity of log files generated by ejabberd.

- %% 0: No ejabberd log at all (not recommended)

- %% 1: Critical

- %% 2: Error

- %% 3: Warning

- %% 4: Info

- %% 5: Debug

- %%

- {loglevel, 3}.

-

- %%

- %% watchdog_admins: Only useful for developers: if an ejabberd process

- %% consumes a lot of memory, send live notifications to these XMPP

- %% accounts.

- %%

- %%{watchdog_admins, ["bob@example.com"]}.

-

-

- %%%. ================

- %%%' SERVED HOSTNAMES

-

- %%

- %% hosts: Domains served by ejabberd.

- %% You can define one or several, for example:

- %% {hosts, ["example.net", "example.com", "example.org"]}.

- %%

- {hosts, ["jabber.viljetic.de"]}.

-

- %%

- %% route_subdomains: Delegate subdomains to other XMPP servers.

- %% For example, if this ejabberd serves example.org and you want

- %% to allow communication with an XMPP server called im.example.org.

- %%

- %%{route_subdomains, s2s}.

-

-

- %%%. ===============

- %%%' LISTENING PORTS

-

- %%

- %% listen: The ports ejabberd will listen on, which service each is handled

- %% by and what options to start it with.

- %%

- {listen,

- [

-

- {5222, ejabberd_c2s, [

-

- %%

- %% If TLS is compiled in and you installed a SSL

- %% certificate, specify the full path to the

- %% file and uncomment this line:

- %%

- starttls,

- {certfile, ${toErlang cfg.certFile}},

-

- {access, c2s},

- {shaper, c2s_shaper},

- {max_stanza_size, 65536}

- ]},

-

- {5269, ejabberd_s2s_in, [

- {shaper, s2s_shaper},

- {max_stanza_size, 131072}

- ]},

-

- %%

- %% ejabberd_service: Interact with external components (transports, ...)

- %%

- %%{8888, ejabberd_service, [

- %% {access, all},

- %% {shaper_rule, fast},

- %% {ip, {127, 0, 0, 1}},

- %% {hosts, ["icq.example.org", "sms.example.org"],

- %% [{password, "secret"}]

- %% }

- %% ]},

-

- %%

- %% ejabberd_stun: Handles STUN Binding requests

- %%

- %%{{3478, udp}, ejabberd_stun, []},

-

- {5280, ejabberd_http, [

- %%{request_handlers,

- %% [

- %% {["pub", "archive"], mod_http_fileserver}

- %% ]},

- captcha,

- http_bind,

- http_poll,

- %%register,

- web_admin

- ]}

-

- ]}.

-

- %%

- %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.

- %% Allowed values are: false optional required required_trusted

- %% You must specify a certificate file.

- %%

- {s2s_use_starttls, required}.

-

- %%

- %% s2s_certfile: Specify a certificate file.

- %%

- {s2s_certfile, ${toErlang cfg.certFile}}.

-

- %%

- %% domain_certfile: Specify a different certificate for each served hostname.

- %%

- %%{domain_certfile, "example.org", "/path/to/example_org.pem"}.

- %%{domain_certfile, "example.com", "/path/to/example_com.pem"}.

-

- %%

- %% S2S whitelist or blacklist

- %%

- %% Default s2s policy for undefined hosts.

- %%

- %%{s2s_default_policy, allow}.

-

- %%

- %% Allow or deny communication with specific servers.

- %%

- %%{{s2s_host, "goodhost.org"}, allow}.

- %%{{s2s_host, "badhost.org"}, deny}.

-

- %%

- %% Outgoing S2S options

- %%

- %% Preferred address families (which to try first) and connect timeout

- %% in milliseconds.

- %%

- %%{outgoing_s2s_options, [ipv4, ipv6], 10000}.

-

-

- %%%. ==============

- %%%' AUTHENTICATION

-

- %%

- %% auth_method: Method used to authenticate the users.

- %% The default method is the internal.

- %% If you want to use a different method,

- %% comment this line and enable the correct ones.

- %%

- {auth_method, internal}.

- %%

- %% Store the plain passwords or hashed for SCRAM:

- %%{auth_password_format, plain}.

- %%{auth_password_format, scram}.

- %%

- %% Define the FQDN if ejabberd doesn't detect it:

- %%{fqdn, "server3.example.com"}.

-

- %%

- %% Authentication using external script

- %% Make sure the script is executable by ejabberd.

- %%

- %%{auth_method, external}.

- %{extauth_program, "$ {ejabberd-auth}"}.

-

- %%

- %% Authentication using ODBC

- %% Remember to setup a database in the next section.

- %%

- %%{auth_method, odbc}.

-

- %%

- %% Authentication using PAM

- %%

- %%{auth_method, pam}.

- %%{pam_service, "pamservicename"}.

-

- %%

- %% Authentication using LDAP

- %%

- %%{auth_method, ldap}.

- %%

- %% List of LDAP servers:

- %%{ldap_servers, ["localhost"]}.

- %%

- %% Encryption of connection to LDAP servers:

- %%{ldap_encrypt, none}.

- %%{ldap_encrypt, tls}.

- %%

- %% Port to connect to on LDAP servers:

- %%{ldap_port, 389}.

- %%{ldap_port, 636}.

- %%

- %% LDAP manager:

- %%{ldap_rootdn, "dc=example,dc=com"}.

- %%

- %% Password of LDAP manager:

- %%{ldap_password, "******"}.

- %%

- %% Search base of LDAP directory:

- %%{ldap_base, "dc=example,dc=com"}.

- %%

- %% LDAP attribute that holds user ID:

- %%{ldap_uids, [{"mail", "%u@mail.example.org"}]}.

- %%

- %% LDAP filter:

- %%{ldap_filter, "(objectClass=shadowAccount)"}.

-

- %%

- %% Anonymous login support:

- %% auth_method: anonymous

- %% anonymous_protocol: sasl_anon | login_anon | both

- %% allow_multiple_connections: true | false

- %%

- %%{host_config, "public.example.org", [{auth_method, anonymous},

- %% {allow_multiple_connections, false},

- %% {anonymous_protocol, sasl_anon}]}.

- %%

- %% To use both anonymous and internal authentication:

- %%

- %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.

-

-

- %%%. ==============

- %%%' DATABASE SETUP

-

- %% ejabberd by default uses the internal Mnesia database,

- %% so you do not necessarily need this section.

- %% This section provides configuration examples in case

- %% you want to use other database backends.

- %% Please consult the ejabberd Guide for details on database creation.

-

- %%

- %% MySQL server:

- %%

- %%{odbc_server, {mysql, "server", "database", "username", "password"}}.

- %%

- %% If you want to specify the port:

- %%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}.

-

- %%

- %% PostgreSQL server:

- %%

- %%{odbc_server, {pgsql, "server", "database", "username", "password"}}.

- %%

- %% If you want to specify the port:

- %%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}.

- %%

- %% If you use PostgreSQL, have a large database, and need a

- %% faster but inexact replacement for "select count(*) from users"

- %%

- %%{pgsql_users_number_estimate, true}.

-

- %%

- %% ODBC compatible or MSSQL server:

- %%

- %%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.

-

- %%

- %% Number of connections to open to the database for each virtual host

- %%

- %%{odbc_pool_size, 10}.

-

- %%

- %% Interval to make a dummy SQL request to keep the connections to the

- %% database alive. Specify in seconds: for example 28800 means 8 hours

- %%

- %%{odbc_keepalive_interval, undefined}.

-

-

- %%%. ===============

- %%%' TRAFFIC SHAPERS

-

- %%

- %% The "normal" shaper limits traffic speed to 1000 B/s

- %%

- {shaper, normal, {maxrate, 1000}}.

-

- %%

- %% The "fast" shaper limits traffic speed to 50000 B/s

- %%

- {shaper, fast, {maxrate, 50000}}.

-

- %%

- %% This option specifies the maximum number of elements in the queue

- %% of the FSM. Refer to the documentation for details.

- %%

- {max_fsm_queue, 1000}.

-

-

- %%%. ====================

- %%%' ACCESS CONTROL LISTS

-

- %%

- %% The 'admin' ACL grants administrative privileges to XMPP accounts.

- %% You can put here as many accounts as you want.

- %%

- %%{acl, admin, {user, "aleksey", "localhost"}}.

- %%{acl, admin, {user, "ermine", "example.org"}}.

-

- %%

- %% Blocked users

- %%

- %%{acl, blocked, {user, "baduser", "example.org"}}.

- %%{acl, blocked, {user, "test"}}.

-

- %%

- %% Local users: don't modify this line.

- %%

- {acl, local, {user_regexp, ""}}.

-

- %%

- %% More examples of ACLs

- %%

- %%{acl, jabberorg, {server, "jabber.org"}}.

- %%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.

- %%{acl, test, {user_regexp, "^test"}}.

- %%{acl, test, {user_glob, "test*"}}.

-

- %%

- %% Define specific ACLs in a virtual host.

- %%

- %%{host_config, "localhost",

- %% [

- %% {acl, admin, {user, "bob-local", "localhost"}}

- %% ]

- %%}.

-

-

- %%%. ============

- %%%' ACCESS RULES

-

- %% Maximum number of simultaneous sessions allowed for a single user:

- {access, max_user_sessions, [{10, all}]}.

-

- %% Maximum number of offline messages that users can have:

- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.

-

- %% This rule allows access only for local users:

- {access, local, [{allow, local}]}.

-

- %% Only non-blocked users can use c2s connections:

- {access, c2s, [{deny, blocked},

- {allow, all}]}.

-

- %% For C2S connections, all users except admins use the "normal" shaper

- {access, c2s_shaper, [{none, admin},

- {normal, all}]}.

-

- %% All S2S connections use the "fast" shaper

- {access, s2s_shaper, [{fast, all}]}.

-

- %% Only admins can send announcement messages:

- {access, announce, [{allow, admin}]}.

-

- %% Only admins can use the configuration interface:

- {access, configure, [{allow, admin}]}.

-

- %% Admins of this server are also admins of the MUC service:

- {access, muc_admin, [{allow, admin}]}.

-

- %% Only accounts of the local ejabberd server can create rooms:

- {access, muc_create, [{allow, local}]}.

-

- %% All users are allowed to use the MUC service:

- {access, muc, [{allow, all}]}.

-

- %% Only accounts on the local ejabberd server can create Pubsub nodes:

- {access, pubsub_createnode, [{allow, local}]}.

-

- %% In-band registration allows registration of any possible username.

- %% To disable in-band registration, replace 'allow' with 'deny'.

- {access, register, [{allow, all}]}.

-

- %% By default the frequency of account registrations from the same IP

- %% is limited to 1 account every 10 minutes. To disable, specify: infinity

- %%{registration_timeout, 600}.

-

- %%

- %% Define specific Access Rules in a virtual host.

- %%

- %%{host_config, "localhost",

- %% [

- %% {access, c2s, [{allow, admin}, {deny, all}]},

- %% {access, register, [{deny, all}]}

- %% ]

- %%}.

-

-

- %%%. ================

- %%%' DEFAULT LANGUAGE

-

- %%

- %% language: Default language used for server messages.

- %%

- {language, "en"}.

-

- %%

- %% Set a different default language in a virtual host.

- %%

- %%{host_config, "localhost",

- %% [{language, "ru"}]

- %%}.

-

-

- %%%. =======

- %%%' CAPTCHA

-

- %%

- %% Full path to a script that generates the image.

- %%

- %%{captcha_cmd, "/lib/ejabberd/priv/bin/captcha.sh"}.

-

- %%

- %% Host for the URL and port where ejabberd listens for CAPTCHA requests.

- %%

- %%{captcha_host, "example.org:5280"}.

-

- %%

- %% Limit CAPTCHA calls per minute for JID/IP to avoid DoS.

- %%

- %%{captcha_limit, 5}.

-

- %%%. =======

- %%%' MODULES

-

- %%

- %% Modules enabled in all ejabberd virtual hosts.

- %%

- {modules,

- [

- {mod_adhoc, []},

- {mod_announce, [{access, announce}]}, % recommends mod_adhoc

- {mod_blocking,[]}, % requires mod_privacy

- {mod_caps, []},

- {mod_configure,[]}, % requires mod_adhoc

- {mod_disco, []},

- %%{mod_echo, [{host, "echo.localhost"}]},

- {mod_irc, []},

- {mod_http_bind, []},

- %%{mod_http_fileserver, [

- %% {docroot, "/var/www"},

- %% {accesslog, "/var/log/ejabberd/access.log"}

- %% ]},

- {mod_last, []},

- {mod_muc, [

- %%{host, "conference.@HOST@"},

- {access, muc},

- {access_create, muc_create},

- {access_persistent, muc_create},

- {access_admin, muc_admin}

- ]},

- %%{mod_muc_log,[]},

- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},

- {mod_ping, []},

- %%{mod_pres_counter,[{count, 5}, {interval, 60}]},

- {mod_privacy, []},

- {mod_private, []},

- %%{mod_proxy65,[]},

- {mod_pubsub, [

- {access_createnode, pubsub_createnode},

- {ignore_pep_from_offline, true}, % reduces resource comsumption, but XEP incompliant

- %%{ignore_pep_from_offline, false}, % XEP compliant, but increases resource comsumption

- {last_item_cache, false},

- {plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps

- ]},

- {mod_register, [

- %%

- %% Protect In-Band account registrations with CAPTCHA.

- %%

- %%{captcha_protected, true},

-

- %%

- %% Set the minimum informational entropy for passwords.

- %%

- %%{password_strength, 32},

-

- %%

- %% After successful registration, the user receives

- %% a message with this subject and body.

- %%

- {welcome_message, {"Welcome!",

- "Hi.\nWelcome to this XMPP server."}},

-

- %%

- %% When a user registers, send a notification to

- %% these XMPP accounts.

- %%

- %%{registration_watchers, ["admin1@example.org"]},

-

- %%

- %% Only clients in the server machine can register accounts

- %%

- {ip_access, [{allow, "127.0.0.0/8"},

- {deny, "0.0.0.0/0"}]},

-

- %%

- %% Local c2s or remote s2s users cannot register accounts

- %%

- %%{access_from, deny},

-

- {access, register}

- ]},

- %%{mod_register_web, [

- %%

- %% When a user registers, send a notification to

- %% these XMPP accounts.

- %%

- %%{registration_watchers, ["admin1@example.org"]}

- %% ]},

- {mod_roster, []},

- %%{mod_service_log,[]},

- {mod_shared_roster,[]},

- {mod_stats, []},

- {mod_time, []},

- {mod_vcard, []},

- {mod_version, []}

- ]}.

-

- %%

- %% Enable modules with custom options in a specific virtual host

- %%

- %%{host_config, "localhost",

- %% [{{add, modules},

- %% [

- %% {mod_echo, [{host, "mirror.localhost"}]}

- %% ]

- %% }

- %% ]}.

-

-

- %%%.

- %%%'

-

- %%% $Id$

-

- %%% Local Variables:

- %%% mode: erlang

- %%% End:

- %%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. foldmethod=marker:

- '';

- # TODO properly configured wrapper

- systemPackages = [ my-ejabberdctl ];

- };

- #exim_user = ${cfg.user}

- #exim_group = ${cfg.group}

- #exim_path = /var/setuid-wrappers/exim

- #spool_directory = ${cfg.spoolDir}

- #${cfg.config}

-

- users.extraUsers = singleton {

- name = "ejabberd";

- description = "TODO";

- uid = 405222;

- group = "ejabberd";

- home = "/var/ejabberd";

- createHome = true;

- };

-

- users.extraGroups = singleton {

- name = "ejabberd";

- gid = 405222;

- };

-

- #security.setuidPrograms = [ "exim" ];

-

- systemd.services.ejabberd = {

- description = "ejabberd XMPP Daemon";

- wantedBy = [ "multi-user.target" ];

- after = [ "network.target" ];

- reloadIfChanged = true;

- serviceConfig = {

- ExecStart = "${my-ejabberdctl}/bin/ejabberdctl start";

- ExecStop = "${my-ejabberdctl}/bin/ejabberdctl stop";

- ExecReload = "${my-ejabberdctl}/bin/ejabberdctl restart";

- Type = "oneshot";

- RemainAfterExit = "yes";

- RestartSec = 5;

- LimitNOFILE = 16000;

- User = "ejabberd";

- Group = "ejabberd";

- };

- };

-

- systemd.services.ejabberd-prepare = {

- description = "ejabberd XMPP Preparetion Service";

- requiredBy = [ "ejabberd.service" ];

- serviceConfig = {

- Type = "oneshot";

- RestartSec = 5;

- ExecStart = "${writeScript "ejabberd-prepare"

- ''

- #! /bin/sh

- set -euf

- chown ejabberd: /etc/nixos/secrets/ejabberd.cd.retiolum.pem

- ''

- }";

- };

- };

-

-

-

- };

-

- #config = mkIf cfg.enable {

- # environment.systemPackages = [ pkgs.ejabberd ];

-

- # jobs.ejabberd =

- # { description = "EJabberd server";

-

- # startOn = "started network-interfaces";

- # stopOn = "stopping network-interfaces";

-

- # environment = {

- # PATH = "$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin";

- # };

-

- # preStart =

- # ''

- # PATH="$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin";

- #

- # # Initialise state data

- # mkdir -p ${cfg.logsDir}

-

- # if ! test -d ${cfg.spoolDir}

- # then

- # initialize=1

- # cp -av ${pkgs.ejabberd}/var/lib/ejabberd /var/lib

- # fi

-

- # #if ! test -d ${cfg.confDir}

- # #then

- # # mkdir -p ${cfg.confDir}

- # # cp ${pkgs.ejabberd}/etc/ejabberd/* ${cfg.confDir}

- # # sed -e 's|{hosts, \["localhost"\]}.|{hosts, \[${cfg.virtualHosts}\]}.|' ${pkgs.ejabberd}/etc/ejabberd/ejabberd.cfg > ${cfg.confDir}/ejabberd.cfg

- # #fi

- # mkdir -p ${cfg.confDir}

-

-

- # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} start

-

- # ${if cfg.loadDumps == [] then "" else

- # ''

- # if [ "$initialize" = "1" ]

- # then

- # # Wait until the ejabberd server is available for use

- # count=0

- # while ! ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} status

- # do

- # if [ $count -eq 30 ]

- # then

- # echo "Tried 30 times, giving up..."

- # exit 1

- # fi

-

- # echo "Ejabberd daemon not yet started. Waiting for 1 second..."

- # count=$((count++))

- # sleep 1

- # done

-

- # ${concatMapStrings (dump:

- # ''

- # echo "Importing dump: ${dump}"

-

- # if [ -f ${dump} ]

- # then

- # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load ${dump}

- # elif [ -d ${dump} ]

- # then

- # for i in ${dump}/ejabberd-dump/*

- # do

- # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load $i

- # done

- # fi

- # '') cfg.loadDumps}

- # fi

- # ''}

- # '';

-

- # postStop =

- # ''

- # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} stop

- # '';

- # };

-

- # security.pam.services.ejabberd = {};

-

- #};

-

-}

-{ pkgs, ... }:

-

-let

- lib = import ../../lib { lib = pkgs.lib; inherit pkgs; };

-

- inherit (lib) majmin;

-in

-

-{

- imports = [

- {

- imports = [ ../tv/users ];

- tv.users.tv.packages = with pkgs; [

- ascii

- mpv

- ];

- }

- ];

-

- environment.systemPackages = with pkgs; [

- vim

- ];

-

- environment.etc."vim/vimrc".text = ''

- set nocp

- '';

-

- environment.etc."vim/vim${majmin pkgs.vim.version}".source =

- "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}";

-

- # multiple-definition-problem when defining environment.variables.EDITOR

- environment.extraInit = ''

- EDITOR=vim

- '';

-

- environment.shellAliases = {

- # alias cal='cal -m3'

- gp = "${pkgs.pari}/bin/gp -q";

- df = "df -h";

- du = "du -h";

- # alias grep='grep --color=auto'

-

- # TODO alias cannot contain #\'

- # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";

-

- # alias la='ls -lA'

- lAtr = "ls -lAtr";

- # alias ll='ls -l'

- ls = "ls -h --color=auto --group-directories-first";

- # alias vim='vim -p'

- # alias vi='vim'

- # alias view='vim -R'

- dmesg = "dmesg -L --reltime";

- };

-

- environment.variables.VIM = "/etc/vim";

-

- programs.bash = {

- interactiveShellInit = ''

- HISTCONTROL='erasedups:ignorespace'

- HISTSIZE=65536

- HISTFILESIZE=$HISTSIZE

-

- shopt -s checkhash

- shopt -s histappend histreedit histverify

- shopt -s no_empty_cmd_completion

- complete -d cd

-

- # TODO source bridge

- '';

- promptInit = ''

- case $UID in

- 0)

- PS1='\[\e[1;31m\]\w\[\e[0m\] '

- ;;

- 1337)

- PS1='\[\e[1;32m\]\w\[\e[0m\] '

- ;;

- *)

- PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '

- ;;

- esac

- if test -n "$SSH_CLIENT"; then

- PS1='\[\e[35m\]\h'" $PS1"

- fi

- if test -n "$SSH_AGENT_PID"; then

- PS1="ssh-agent[$SSH_AGENT_PID] $PS1"

- fi

- '';

- };

-

- programs.ssh.startAgent = false;

-}

-{ config, pkgs, ... }:

-

-{

- services.exim =

- # This configuration makes only sense for retiolum-enabled hosts.

- # TODO modular configuration

- assert config.tv.retiolum.enable;

- let

- # TODO get the hostname from config.tv.retiolum.

- retiolumHostname = "${config.networking.hostName}.retiolum";

- in

- { enable = true;

- config = ''

- primary_hostname = ${retiolumHostname}

- domainlist local_domains = @ : localhost

- domainlist relay_to_domains = *.retiolum

- hostlist relay_from_hosts = <; 127.0.0.1 ; ::1

-

- acl_smtp_rcpt = acl_check_rcpt

- acl_smtp_data = acl_check_data

-

- host_lookup = *

- rfc1413_hosts = *

- rfc1413_query_timeout = 5s

-

- log_file_path = syslog

- syslog_timestamp = false

- syslog_duplication = false

-

- begin acl

-

- acl_check_rcpt:

- accept hosts = :

- control = dkim_disable_verify

-

- deny message = Restricted characters in address

- domains = +local_domains

- local_parts = ^[.] : ^.*[@%!/|]

-

- deny message = Restricted characters in address

- domains = !+local_domains

- local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

-

- accept local_parts = postmaster

- domains = +local_domains

-

- #accept

- # hosts = *.retiolum

- # domains = *.retiolum

- # control = dkim_disable_verify

-

- #require verify = sender

-

- accept hosts = +relay_from_hosts

- control = submission

- control = dkim_disable_verify

-

- accept authenticated = *

- control = submission

- control = dkim_disable_verify

-

- require message = relay not permitted

- domains = +local_domains : +relay_to_domains

-

- require verify = recipient

-

- accept

-

-

- acl_check_data:

- accept

-

-

- begin routers

-

- retiolum:

- driver = manualroute

- domains = ! ${retiolumHostname} : *.retiolum

- transport = remote_smtp

- route_list = ^.* $0 byname

- no_more

-

- nonlocal:

- debug_print = "R: nonlocal for $local_part@$domain"

- driver = redirect

- domains = ! +local_domains

- allow_fail

- data = :fail: Mailing to remote domains not supported

- no_more

-

- local_user:

- # debug_print = "R: local_user for $local_part@$domain"

- driver = accept

- check_local_user

- # local_part_suffix = +* : -*

- # local_part_suffix_optional

- transport = home_maildir

- cannot_route_message = Unknown user

-

-

- begin transports

-

- remote_smtp:

- driver = smtp

-

- home_maildir:

- driver = appendfile

- maildir_format

- directory = $home/Maildir

- directory_mode = 0700

- delivery_date_add

- envelope_to_add

- return_path_add

- # group = mail

- # mode = 0660

-

- begin retry

- *.retiolum * F,42d,1m

- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h

-

- begin rewrite

-

- begin authenticators

- '';

- };

-}

-{ config, pkgs, ... }:

-

-let

- inherit (builtins) toFile;

- inherit (pkgs.lib.attrsets) mapAttrs;

- inherit (pkgs.lib.strings) concatMapStringsSep;

-in

-

-{

- services.exim =

- let

- retiolumHostname = "${config.networking.hostName}.retiolum";

-

- internet-aliases = [

- { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; }

-

- # (mindestens) lisp-stammtisch und elli haben die:

- { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; }

-

- { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; }

-

- { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; }

-

- # TODO killme (wo wird die benutzt?)

- { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; }

-

- { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; }

- ];

-

- system-aliases = [

- { from = "mailer-daemon"; to = "postmaster"; }

- { from = "postmaster"; to = "root"; }

- { from = "nobody"; to = "root"; }

- { from = "hostmaster"; to = "root"; }

- { from = "usenet"; to = "root"; }

- { from = "news"; to = "root"; }

- { from = "webmaster"; to = "root"; }

- { from = "www"; to = "root"; }

- { from = "ftp"; to = "root"; }

- { from = "abuse"; to = "root"; }

- { from = "noc"; to = "root"; }

- { from = "security"; to = "root"; }

- { from = "root"; to = "tv"; }

- { from = "mirko"; to = "mv"; }

- ];

-

- to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}");

- lsearch =

- mapAttrs (name: set: toFile name (to-lsearch set)) {

- inherit internet-aliases;

- inherit system-aliases;

- };

- in

- {

- enable = true;

- config =

- ''

- primary_hostname = ${retiolumHostname}

-

- # HOST_REDIR contains the real destinations for "local_domains".

- #HOST_REDIR = /etc/exim4/host_redirect

-

-

- # Domains not listed in local_domains need to be deliverable remotely.

- # XXX We abuse local_domains to mean "domains, we're the gateway for".

- domainlist local_domains = @ : localhost

- #: viljetic.de : SHACK_REDIR_HOSTNAME

- domainlist relay_to_domains =

- hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37

-

- acl_smtp_rcpt = acl_check_rcpt

- acl_smtp_data = acl_check_data

-

- # av_scanner = clamd:/tmp/clamd

- # spamd_address = 127.0.0.1 783

-

- # tls_advertise_hosts = *

- # tls_certificate = /etc/ssl/exim.crt

- # tls_privatekey = /etc/ssl/exim.pem

- # (debian) tls_verify_certificates (to check client certs)

-

- # daemon_smtp_ports = 25 : 465 : 587

- # tls_on_connect_ports = 465

-

- # qualify_domain defaults to primary_hostname

- # qualify_recipient defaults to qualify_domain

-

- # allow_domain_literals

-

- never_users = root

-

- host_lookup = *

-

- # ident callbacks for all incoming SMTP calls

- rfc1413_hosts = *

- rfc1413_query_timeout = 5s

-

- # sender_unqualified_hosts =

- # recipient_unqualified_hosts =

-

- # percent_hack_domains =

-

- # arch & debian

- #ignore_bounce_errors_after = 2d

- #timeout_frozen_after = 7d

- # debian

- #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full

- #freeze_tell = postmaster

- #trusted_users = uucp

- # arch

- #split_spool_directory = true

-

- log_selector = -queue_run +address_rewrite +all_parents +queue_time

- log_file_path = syslog

- syslog_timestamp = false

- syslog_duplication = false

-

- begin acl

-

- acl_check_rcpt:

- # Accept if the source is local SMTP (i.e. not over TCP/IP).

- # We do this by testing for an empty sending host field.

- accept hosts = :

- # arch & debian:

- control = dkim_disable_verify

-

- deny message = Restricted characters in address

- domains = +local_domains

- local_parts = ^[.] : ^.*[@%!/|]

-

- deny message = Restricted characters in address

- domains = !+local_domains

- local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

-

- accept local_parts = postmaster

- domains = +local_domains

-

- ## feature RETIOLUM_MAIL

- #accept

- # hosts = *.retiolum

- # domains = *.retiolum

- # control = dkim_disable_verify

-

- #require verify = sender

-

- accept hosts = +relay_from_hosts

- control = submission

- # debian: control = submission/sender_retain

- # arch & debian:

- control = dkim_disable_verify

-

- accept authenticated = *

- control = submission

- control = dkim_disable_verify

-

- accept message = relay not permitted 2

- recipients = lsearch;${lsearch.internet-aliases}

-

- require message = relay not permitted

- domains = +local_domains : +relay_to_domains

-

- require

- message = unknown user

- verify = recipient/callout

-

- # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text

- # dnslists = black.list.example

- #

- # warn dnslists = black.list.example

- # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain

- # log_message = found in $dnslist_domain

-

- # Client SMTP Authorization (csa) checks on the sending host.

- # Such checks do DNS lookups for special SRV records.

- # require verify = csa

-

- accept

-

-

- acl_check_data:

- # see av_scanner

- #deny malware = *

- # message = This message contains a virus ($malware_name).

-

- # Add headers to a message if it is judged to be spam. Before enabling this,

- # you must install SpamAssassin. You may also need to set the spamd_address

- # option above.

- #

- # warn spam = nobody

- # add_header = X-Spam_score: $spam_score\n\

- # X-Spam_score_int: $spam_score_int\n\

- # X-Spam_bar: $spam_bar\n\

- # X-Spam_report: $spam_report

-

- # feature HELO_REWRITE

- # XXX note that the public ip (162.219.5.183) resolves to viljetic.de

- warn

- sender_domains = viljetic.de : shackspace.de

- set acl_m_special_dom = $sender_address_domain

-

- accept

-

-

- begin routers

-

- # feature RETIOLUM_MAIL

- retiolum:

- debug_print = "R: retiolum for $local_part@$domain"

- driver = manualroute

- domains = ! ${retiolumHostname} : *.retiolum

- transport = retiolum_smtp

- route_list = ^.* $0 byname

- no_more

-

- internet_aliases:

- debug_print = "R: internet_aliases for $local_part@$domain"

- driver = redirect

- data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}

-

- dnslookup:

- debug_print = "R: dnslookup for $local_part@$domain"

- driver = dnslookup

- domains = ! +local_domains

- transport = remote_smtp

- ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

- # if ipv6-enabled then instead use:

- # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1

-

- # (debian) same_domain_copy_routing = yes

- # (debian) ignore private rfc1918 and APIPA addresses

- # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\

- # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\

- # 255.255.255.255

-

- # Fail and bounce if the router does not find the domain in the DNS.

- # I.e. no more routers are tried.

- # There are a few cases where a dnslookup router will decline to accept an

- # address; if such a router is expected to handle "all remaining non-local

- # domains", then it is important to set no_more.

- no_more

-

- # XXX this is only used because these "well known aliases" goto tv@cd.retiolum

- # TODO bounce everything, there is no @cd.retiolum

- system_aliases:

- debug_print = "R: system_aliases for $local_part@$domain"

- driver = redirect

- data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}

-

- # TODO this is only b/c mv here... send mv's mails somewhere else...

- local_user:

- debug_print = "R: local_user for $local_part@$domain"

- driver = accept

- check_local_user

- # local_part_suffix = +* : -*

- # local_part_suffix_optional

- transport = home_maildir

- cannot_route_message = Unknown user

-

- begin transports

-

- retiolum_smtp:

- driver = smtp

- retry_include_ip_address = false

- # serialize_hosts = TODO-all-slow-hosts

-

- remote_smtp:

- driver = smtp

- # debian has also stuff for tls, headers_rewrite and more here

-

- # feature HELO_REWRITE

- # XXX note that the public ip (162.219.5.183) resolves to viljetic.de

- helo_data = ''${if eq{$acl_m_special_dom}{} \

- {$primary_hostname} \

- {$acl_m_special_dom} }

-

- home_maildir:

- driver = appendfile

- maildir_format

- maildir_use_size_file

- directory = $home/Mail

- directory_mode = 0700

- delivery_date_add

- envelope_to_add

- return_path_add

-

- begin retry

- *.retiolum * F,42d,1m

- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h

-

- begin rewrite

- begin authenticators

- '';

-

-

- # group = mail

- # mode = 0660

-

-

- #address_pipe:

- # driver = pipe

- # return_output

- #

- #address_file:

- # driver = appendfile

- # delivery_date_add

- # envelope_to_add

- # return_path_add

- #

- #address_reply:

- # driver = autoreply

-

-

- #maildrop_pipe:

- # debug_print = "T: maildrop_pipe for $local_part@$domain"

- # driver = pipe

- # path = "/bin:/usr/bin:/usr/local/bin"

- # command = "/usr/bin/maildrop"

- # return_path_add

- # delivery_date_add

- # envelope_to_add

-

-

-

-

-

- ##begin retry

- # Address or Domain Error Retries

-

- # Our host_redirect destinations might be offline a lot.

- # TODO define fallback destinations(?)

- #lsearch;${lsearch.internet-aliases} * F,42d,1m

-

-

- ## begin rewrite

-

- # just in case (shackspace.de should already do this)

- #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T

-

-

- ## begin authenticators

- #PLAIN:

- # driver = plaintext

- # server_set_id = $auth2

- # server_prompts = :

- # server_condition = Authentication is not yet configured

- # server_advertise_condition = ''${if def:tls_in_cipher }

-

- #LOGIN:

- # driver = plaintext

- # server_set_id = $auth1

- # server_prompts = <| Username: | Password:

- # server_condition = Authentication is not yet configured

- # server_advertise_condition = ''${if def:tls_in_cipher }

-

-

-

- };

-

-}

-

-# config = ''

-# primary_hostname = ${retiolumHostname}

-# domainlist local_domains = @ : localhost

-# domainlist relay_to_domains = *.retiolum

-# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1

-#

-# acl_smtp_rcpt = acl_check_rcpt

-# acl_smtp_data = acl_check_data

-#

-# host_lookup = *

-# rfc1413_hosts = *

-# rfc1413_query_timeout = 5s

-#

-# log_file_path = syslog

-# syslog_timestamp = false

-# syslog_duplication = false

-#

-# begin acl

-#

-# acl_check_rcpt:

-# accept hosts = :

-# control = dkim_disable_verify

-#

-# deny message = Restricted characters in address

-# domains = +local_domains

-# local_parts = ^[.] : ^.*[@%!/|]

-#

-# deny message = Restricted characters in address

-# domains = !+local_domains

-# local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

-#

-# accept local_parts = postmaster

-# domains = +local_domains

-#

-# #accept

-# # hosts = *.retiolum

-# # domains = *.retiolum

-# # control = dkim_disable_verify

-#

-# #require verify = sender

-#

-# accept hosts = +relay_from_hosts

-# control = submission

-# control = dkim_disable_verify

-#

-# accept authenticated = *

-# control = submission

-# control = dkim_disable_verify

-#

-# require message = relay not permitted

-# domains = +local_domains : +relay_to_domains

-#

-# require verify = recipient

-#

-# accept

-#

-#

-# acl_check_data:

-# accept

-#

-#

-# begin routers

-#

-# retiolum:

-# driver = manualroute

-# domains = ! ${retiolumHostname} : *.retiolum

-# transport = remote_smtp

-# route_list = ^.* $0 byname

-# no_more

-#

-# nonlocal:

-# debug_print = "R: nonlocal for $local_part@$domain"

-# driver = redirect

-# domains = ! +local_domains

-# allow_fail

-# data = :fail: Mailing to remote domains not supported

-# no_more

-#

-# local_user:

-# # debug_print = "R: local_user for $local_part@$domain"

-# driver = accept

-# check_local_user

-# # local_part_suffix = +* : -*

-# # local_part_suffix_optional

-# transport = home_maildir

-# cannot_route_message = Unknown user

-#

-#

-# begin transports

-#

-# remote_smtp:

-# driver = smtp

-#

-# home_maildir:

-# driver = appendfile

-# maildir_format

-# directory = $home/Maildir

-# directory_mode = 0700

-# delivery_date_add

-# envelope_to_add

-# return_path_add

-# # group = mail

-# # mode = 0660

-#

-# begin retry

-# *.retiolum * F,42d,1m

-# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h

-#

-# begin rewrite

-#

-# begin authenticators

-# '';

-# };

-#}

-{ cfg, config, lib, pkgs, ... }:

-

-let

- inherit (builtins) attrValues filter getAttr;

- inherit (lib) concatMapStringsSep mkIf optionalString;

-

- location = lib.nameValuePair; # TODO this is also in modules/wu/default.nix

-

- isPublicRepo = getAttr "public"; # TODO this is also in ./default.nix

-in

-

-{

- users.extraUsers = lib.singleton {

- name = "fcgiwrap";

- uid = 2851179180; # genid fcgiwrap

- group = "fcgiwrap";

- home = toString (pkgs.runCommand "empty" {} "mkdir -p $out");

- };

-

- users.extraGroups = lib.singleton {

- name = "fcgiwrap";

- gid = 2851179180; # genid fcgiwrap

- };

-

- services.fcgiwrap = {

- enable = true;

- user = "fcgiwrap";

- group = "fcgiwrap";

- # socketAddress = "/run/fcgiwrap.sock" (default)

- # socketType = "unix" (default)

- };

-

- environment.etc."cgitrc".text = ''

- css=/cgit-static/cgit.css

- logo=/cgit-static/cgit.png

-

- # if you do not want that webcrawler (like google) index your site

- robots=noindex, nofollow

-

- virtual-root=/cgit

-

- # TODO make this nicer (and/or somewhere else)

- cache-root=/tmp/cgit

-

- cache-size=1000

- enable-commit-graph=1

- enable-index-links=1

- enable-index-owner=0

- enable-log-filecount=1

- enable-log-linecount=1

- enable-remote-branches=1

-

- root-title=public repositories at ${config.networking.hostName}

- root-desc=keep calm and engage

-

- snapshots=0

- max-stats=year

-

- ${concatMapStringsSep "\n" (repo: ''

- repo.url=${repo.name}

- repo.path=${cfg.dataDir}/${repo.name}

- ${optionalString (repo.section != null) "repo.section=${repo.section}"}

- ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"}

- '') (filter isPublicRepo (attrValues cfg.repos))}

- '';

-

- system.activationScripts.cgit = ''

- mkdir -m 0700 -p /tmp/cgit

- chown fcgiwrap: /tmp/cgit

- '';

-

- tv.nginx = {

- enable = true;

- retiolum-locations = [

- (location "/cgit/" ''

- include ${pkgs.nginx}/conf/fastcgi_params;

- fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;

- fastcgi_split_path_info ^(/cgit/?)(.+)$;

- fastcgi_param PATH_INFO $fastcgi_path_info;

- fastcgi_param QUERY_STRING $args;

- fastcgi_param HTTP_HOST $server_name;

- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};

- '')

- (location "= /cgit" ''

- return 301 /cgit/;

- '')

- (location "/cgit-static/" ''

- root ${pkgs.cgit}/cgit;

- rewrite ^/cgit-static(/.*)$ $1 break;

- '')

- ];

- };

-}

-arg@{ cfg, lib, pkgs, ... }:

-

-let

- inherit (builtins) head tail typeOf;

- inherit (lib)

- attrValues concatStringsSep concatMapStringsSep escapeShellArg filter

- getAttr hasAttr hasPrefix lessThan makeSearchPath mapAttrsToList

- optional optionalString removePrefix singleton sort unique;

- inherit (pkgs) linkFarm writeScript;

-

- ensureList = x:

- if typeOf x == "list" then x else [x];

-

- getName = x: x.name;

-

- isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix

-

- makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }:

- # TODO assert name

- # TODO assert pubkey

- let

- options = concatStringsSep "," [

- ''command="exec ${git-ssh-command} ${name}"''

- "no-agent-forwarding"

- "no-port-forwarding"

- "no-pty"

- "no-X11-forwarding"

- ];

- in

- "${options} ${pubkey}";

-

- # [case-pattern] -> shell-script

- # Create a shell script that succeeds (exit 0) when all its arguments

- # match the case patterns (in the given order).

- makeAuthorizeScript =

- let

- # TODO escape

- to-pattern = x: concatStringsSep "|" (ensureList x);

- go = i: ps:

- if ps == []

- then "exit 0"

- else ''

- case ''$${toString i} in ${to-pattern (head ps)})

- ${go (i + 1) (tail ps)}

- esac'';

- in

- patterns: ''

- #! /bin/sh

- set -euf

- ${concatStringsSep "\n" (map (go 1) patterns)}

- exit -1

- '';

-

- reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules));

-

- # TODO makeGitHooks that uses runCommand instead of scriptFarm?

- scriptFarm =

- farm-name: scripts:

- let

- makeScript = script-name: script-string: {

- name = script-name;

- path = writeScript "${farm-name}_${script-name}" script-string;

- };

- in

- linkFarm farm-name (mapAttrsToList makeScript scripts);

-

-

- git-ssh-command = writeScript "git-ssh-command" ''

- #! /bin/sh

- set -euf

-

- PATH=${makeSearchPath "bin" (with pkgs; [

- coreutils

- git

- gnugrep

- gnused

- systemd

- ])}

-

- abort() {

- echo "error: $1" >&2

- systemd-cat -p err -t git echo "error: $1"

- exit -1

- }

-

- GIT_SSH_USER=$1

-

- systemd-cat -p info -t git echo \

- "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND"

-

- # References: The Base Definitions volume of

- # POSIX.1‐2013, Section 3.278, Portable Filename Character Set

- portable_filename_bre="^[A-Za-z0-9._-]\\+$"

-

- command=$(echo "$SSH_ORIGINAL_COMMAND" \

- | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \

- | grep "$portable_filename_bre" \

- || abort 'cannot read command')

-

- GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \

- | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \

- | grep "$portable_filename_bre" \

- || abort 'cannot read reponame')

-

- ${cfg.etcDir}/authorize-command \

- "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \

- || abort 'access denied'

-

- repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO

-

- systemd-cat -p info -t git \

- echo "authorized exec $command $repodir"

-

- export GIT_SSH_USER

- export GIT_SSH_REPO

- exec "$command" "$repodir"

- '';

-

- init-script = writeScript "git-init" ''

- #! /bin/sh

- set -euf

-

- PATH=${makeSearchPath "bin" (with pkgs; [

- coreutils

- findutils

- gawk

- git

- gnugrep

- gnused

- ])}

-

- dataDir=${escapeShellArg cfg.dataDir}

- mkdir -p "$dataDir"

-

- # Notice how the presence of hooks symlinks determine whether

- # we manage a repositry or not.

-

- # Make sure that no existing repository has hooks. We can delete

- # symlinks because we assume we created them.

- find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete

- bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks)

- if echo "$bad_hooks" | grep -q .; then

- printf 'error: unknown hooks:\n%s\n' \

- "$(echo "$bad_hooks" | sed 's/^/ /')" \

- >&2

- exit -1

- fi

-

- # Initialize repositories.

- ${concatMapStringsSep "\n" (repo:

- let

- hooks = scriptFarm "git-hooks" (makeHooks repo);

- in

- ''

- reponame=${escapeShellArg repo.name}

- repodir=$dataDir/$reponame

- mode=${toString (if isPublicRepo repo then 0711 else 0700)}

- if ! test -d "$repodir"; then

- mkdir -m "$mode" "$repodir"

- git init --bare --template=/var/empty "$repodir"

- chown -R git:nogroup "$repodir"

- fi

- ln -s ${hooks} "$repodir/hooks"

- ''

- ) (attrValues cfg.repos)}

-

- # Warn about repositories that exist but aren't mentioned in the

- # current configuration (and thus didn't receive a hooks symlink).

- unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \

- -type d \! -exec test -e '{}/hooks' \; -print)

- if echo "$unknown_repos" | grep -q .; then

- printf 'warning: stale repositories:\n%s\n' \

- "$(echo "$unknown_repos" | sed 's/^/ /')" \

- >&2

- fi

- '';

-

- makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // {

- pre-receive = ''

- #! /bin/sh

- set -euf

-

- PATH=${makeSearchPath "bin" (with pkgs; [

- coreutils # env

- git

- systemd

- ])}

-

- accept() {

- #systemd-cat -p info -t git echo "authorized $1"

- accept_string="''${accept_string+$accept_string

- }authorized $1"

- }

- reject() {

- #systemd-cat -p err -t git echo "denied $1"

- #echo 'access denied' >&2

- #exit_code=-1

- reject_string="''${reject_string+$reject_string

- }access denied: $1"

- }

-

- empty=0000000000000000000000000000000000000000

-

- accept_string=

- reject_string=

- while read oldrev newrev ref; do

-

- if [ $oldrev = $empty ]; then

- receive_mode=create

- elif [ $newrev = $empty ]; then

- receive_mode=delete

- elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then

- receive_mode=fast-forward

- else

- receive_mode=non-fast-forward

- fi

-

- if ${cfg.etcDir}/authorize-push \

- "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then

- accept "$receive_mode $ref"

- else

- reject "$receive_mode $ref"

- fi

- done

-

- if [ -n "$reject_string" ]; then

- systemd-cat -p err -t git echo "$reject_string"

- exit -1

- fi

-

- systemd-cat -p info -t git echo "$accept_string"

-

- ${optionalString (hasAttr "post-receive" repo.hooks) ''

- # custom post-receive hook

- ${repo.hooks.post-receive}''}

- '';

- };

-

- etc-base =

- assert (hasPrefix "/etc/" cfg.etcDir);

- removePrefix "/etc/" cfg.etcDir;

-in

-

-{

- system.activationScripts.git-init = "${init-script}";

-

- # TODO maybe put all scripts here and then use PATH?

- environment.etc."${etc-base}".source =

- scriptFarm "git-ssh-authorizers" {

- authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [

- (map getName (ensureList user))

- (map getName (ensureList repo))

- (map getName perm.allow-commands)

- ]) cfg.rules);

-

- authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [

- (map getName (ensureList user))

- (map getName (ensureList repo))

- (ensureList perm.allow-receive-ref)

- (map getName perm.allow-receive-modes)

- ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules));

- };

-

- users.extraUsers = singleton {

- description = "Git repository hosting user";

- name = "git";

- shell = "/bin/sh";

- openssh.authorizedKeys.keys =

- mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users;

- uid = 112606723; # genid git

- };

-}

-arg@{ config, pkgs, lib, ... }:

-

-let

- inherit (lib) mkIf mkMerge;

-

- cfg = config.tv.git;

- arg' = arg // { inherit cfg; };

-in

-

-# TODO unify logging of shell scripts to user and journal

-# TODO move all scripts to ${etcDir}, so ControlMaster connections

-# immediately pick up new authenticators

-# TODO when authorized_keys changes, then restart ssh

-# (or kill already connected users somehow)

-

-{

- imports = [

- ../../tv/nginx

- ];

-

- options.tv.git = import ./options.nix arg';

-

- config = mkIf cfg.enable (mkMerge [

- (import ./config.nix arg')

- (mkIf cfg.cgit (import ./cgit.nix arg'))

- ]);

-}

-{ lib, ... }:

-

-let

- inherit (lib) literalExample mkOption types;

-in

-

-{

- enable = mkOption {

- type = types.bool;

- default = false;

- description = "Enable Git repository hosting.";

- };

- cgit = mkOption {

- type = types.bool;

- default = true;

- description = "Enable cgit."; # TODO better desc; talk about nginx

- };

- dataDir = mkOption {

- type = types.str;

- default = "/var/lib/git";

- description = "Directory used to store repositories.";

- };

- etcDir = mkOption {

- type = types.str;

- default = "/etc/git";

- };

- rules = mkOption {

- type = types.unspecified;

- };

- repos = mkOption {

- type = types.attrsOf (types.submodule ({

- options = {

- desc = mkOption {

- type = types.nullOr types.str;

- default = null;

- description = ''

- Repository description.

- '';

- };

- section = mkOption {

- type = types.nullOr types.str;

- default = null;

- description = ''

- Repository section.

- '';

- };

- name = mkOption {

- type = types.str;

- description = ''

- Repository name.

- '';

- };

- hooks = mkOption {

- type = types.attrsOf types.str;

- description = ''

- Repository-specific hooks.

- '';

- };

- public = mkOption {

- type = types.bool;

- default = false;

- description = ''

- Allow everybody to read the repository via HTTP if cgit enabled.

- '';

- # TODO allow every configured user to fetch the repository via SSH.

- };

- };

- }));

-

- default = {};

-

- example = literalExample ''

- {

- testing = {

- name = "testing";

- hooks.post-update = '''

- #! /bin/sh

- set -euf

- echo post-update hook: $* >&2

- ''';

- };

- testing2 = { name = "testing2"; };

- }

- '';

-

- description = ''

- Repositories.

- '';

- };

- users = mkOption {

- type = types.unspecified;

- };

-}

-{ config, lib, pkgs, ... }:

-

-let

- inherit (builtins) map readFile;

- inherit (lib) concatMap listToAttrs;

- # TODO lib should already include our stuff

- inherit (import ../../../lib { inherit lib pkgs; }) addNames git;

-

- public-git-repos = [

- (public "cgserver")

- (public "crude-mail-setup")

- (public "dot-xmonad")

- (public "hack")

- (public "load-env")

- (public "make-snapshot")

- (public "mime")

- (public "much")

- (public "nixos-infest")

- (public "nixpkgs")

- (public "painload")

- (public "regfish")

- (public' {

- name = "shitment";

- desc = "turn all the computers into one computer!";

- })

- (public "wai-middleware-time")

- (public "web-routes-wai-custom")

- ];

-

- users = addNames {

- tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };

- lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };

- uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };

- makefu = { pubkey = readFile <pubkeys/makefu.ssh.pub>; };

- };

-

- repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos);

-

- rules = concatMap ({ rules, ... }: rules) public-git-repos;

-

- public' = { name, desc }:

- let

- x = public name;

- in

- x // { repo = x.repo // { inherit desc; }; };

-

- public = repo-name:

- rec {

- repo = {

- name = repo-name;

- hooks = {

- post-receive = git.irc-announce {

- nick = config.networking.hostName; # TODO make this the default

- channel = "#retiolum";

- server = "ire.retiolum";

- };

- };

- public = true;

- };

- rules = with git; with users; [

- { user = tv;

- repo = [ repo ];

- perm = push "refs/*" [ non-fast-forward create delete merge ];

- }

- { user = [ lass makefu uriel ];

- repo = [ repo ];

- perm = fetch;

- }

- ];

- };

-

-in

-

-{

- imports = [

- ./.

- ];

- tv.git = {

- enable = true;

- inherit repos rules users;

- };

-}

-{ lib, ... }:

-

-with lib;

-

-let

-

- cfg = config.tv.identity;

-

- out = {

- options.tv.identity = api;

- #config = mkIf cfg.enable imp;

- };

-

- api = {

- enable = mkOption {

- type = types.bool;

- default = false;

- };

- self = mkOption {

- type = types.unspecified;

- };

- hosts = mkOption {

- type = with types; attrsOf unspecified;

- default = {

- cd = {

- #dc = "cac";

- dc = "tv";

- fqdn = "cd.retiolum";

- addr = "10.243.113.222";

- #addr6 = "42:4522:25f8:36bb:8ccb:0150:231a:2af3";

- #internet-addr = "162.219.5.183";

- cores = 2;

- };

- mkdir = {

- #dc = "cac";

- dc = "tv";

- fqdn = "mkdir.retiolum";

- addr = "10.243.113.223";

- cores = 1;

- };

- nomic = {

- #dc = "gg";

- dc = "tv";

- fqdn = "nomic.retiolum";

- addr = "10.243.0.110";

- cores = 2;

- };

- rmdir = {

- #dc = "cac";

- dc = "tv";

- fqdn = "rmdir.retiolum";

- addr = "10.243.113.224";

- #addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5";

- cores = 1;

- };

- wu = {

- #dc = "gg";

- dc = "tv";

- fqdn = "wu.retiolum";

- addr = "10.243.13.37";

- cores = 8;

- };

- };

- };

- };

-

- #imp = {

- #};

-

-in

-out

-{ cfg, lib, pkgs, ... }:

-

-let

- inherit (pkgs) writeScript writeText;

- inherit (lib) concatMapStringsSep;

-

- accept-new-tcp = port:

- "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";

-

- rules = iptables-version:

- writeText "tv-iptables-rules${toString iptables-version}" ''

- *nat

- :PREROUTING ACCEPT [0:0]

- :INPUT ACCEPT [0:0]

- :OUTPUT ACCEPT [0:0]

- :POSTROUTING ACCEPT [0:0]

- ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]

- ++ [

- "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"

- "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"

- ]

- )}

- COMMIT

- *filter

- :INPUT DROP [0:0]

- :FORWARD DROP [0:0]

- :OUTPUT ACCEPT [0:0]

- :Retiolum - [0:0]

- ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]

- ++ [

- "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

- "-i lo -j ACCEPT"

- ]

- ++ map accept-new-tcp cfg.input-internet-accept-new-tcp

- ++ ["-i retiolum -j Retiolum"]

- )}

- ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]

- ++ {

- ip4tables = [

- "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"

- ];

- ip6tables = [

- "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"

- ];

- }."ip${toString iptables-version}tables"

- ++ map accept-new-tcp cfg.input-retiolum-accept-new-tcp

- ++ {

- ip4tables = [

- "-p tcp -j REJECT --reject-with tcp-reset"

- "-p udp -j REJECT --reject-with icmp-port-unreachable"

- "-j REJECT --reject-with icmp-proto-unreachable"

- ];

- ip6tables = [

- "-p tcp -j REJECT --reject-with tcp-reset"

- "-p udp -j REJECT --reject-with icmp6-port-unreachable"

- "-j REJECT"

- ];

- }."ip${toString iptables-version}tables"

- )}

- COMMIT

- '';

-

- startScript = writeScript "tv-iptables_start" ''

- #! /bin/sh

- set -euf

- iptables-restore < ${rules 4}

- ip6tables-restore < ${rules 6}

- '';

-in

-

-{

- networking.firewall.enable = false;

-

- systemd.services.tv-iptables = {

- description = "tv-iptables";

- wantedBy = [ "network-pre.target" ];

- before = [ "network-pre.target" ];

- after = [ "systemd-modules-load.service" ];

-

- path = with pkgs; [

- iptables

- ];

-

- restartIfChanged = true;

-

- serviceConfig = {

- Type = "simple";

- RemainAfterExit = true;

- Restart = "always";

- ExecStart = "@${startScript} tv-iptables_start";

- };

- };

-}

-arg@{ config, lib, pkgs, ... }:

-

-let

- cfg = config.tv.iptables;

- arg' = arg // { inherit cfg; };

-in

-

-{

- options.tv.iptables = import ./options.nix arg';

- config = lib.mkIf cfg.enable (import ./config.nix arg');

-}

-{ lib, ... }:

-

-let

- inherit (lib) mkOption types;

-in

-

-{

- enable = mkOption {

- type = types.bool;

- default = false;

- description = "Enable iptables.";

- };

-

- input-internet-accept-new-tcp = mkOption {

- type = with types; listOf str;

- default = [];

- description = ''

- TCP ports, accepting incoming connections from anywhere.

- '';

- };

-

- input-retiolum-accept-new-tcp = mkOption {

- type = with types; listOf str;

- default = [];

- description = ''

- TCP ports, accepting incoming connections from Retiolum.

- '';

- };

-}

-{ cfg, config, lib, pkgs, ... }:

-

-let

- inherit (lib) concatStrings replaceChars;

-

- indent = replaceChars ["\n"] ["\n "];

-

- to-location = { name, value }: ''

- location ${name} {

- ${indent value}

- }

- '';

-in

-

-{

- services.nginx =

- let

- name = config.tv.retiolum.name;

- qname = "${name}.retiolum";

- in

- assert config.tv.retiolum.enable;

- {

- enable = true;

- httpConfig = ''

- include ${pkgs.nginx}/conf/mime.types;

- default_type application/octet-stream;

- sendfile on;

- keepalive_timeout 65;

- gzip on;

- server {

- listen 80 default_server;

- server_name _;

- location / {

- return 404;

- }

- }

- server {

- listen 80;

- server_name ${name} ${qname};

-

- ${indent (concatStrings (map to-location cfg.retiolum-locations))}

-

- location / {

- return 404;

- }

- }

- '';

- };

-}

-arg@{ config, pkgs, lib, ... }:

-

-let

- cfg = config.tv.nginx;

- arg' = arg // { inherit cfg; };

-in

-

-{

- options.tv.nginx = import ./options.nix arg';

- config = lib.mkIf cfg.enable (import ./config.nix arg');

-}

-{ lib, ... }:

-

-let

- inherit (lib) mkOption types;

-in

-

-{

- enable = mkOption {

- type = types.bool;

- default = false;

- description = "Enable nginx.";

- };

-

- retiolum-locations = mkOption {

- type = with types; listOf (attrsOf str);

- default = [];

- description = ''

- TODO

- '';

- };

-}

-{ cfg, config, lib, pkgs, ... }:

-

-let

- inherit (lib) concatStrings singleton;

-

- tinc = cfg.tincPackage;

- hostsType = builtins.typeOf cfg.hosts;

- hosts =

- if hostsType == "package" then

- # use package as is

- cfg.hosts

- else if hostsType == "path" then

- # use path to generate a package

- pkgs.stdenv.mkDerivation {

- name = "custom-retiolum-hosts";

- src = cfg.hosts;

- installPhase = ''

- mkdir $out

- find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out

- '';

- }

- else

- abort "The option `services.retiolum.hosts' must be set to a package or a path"

- ;

- iproute = cfg.iproutePackage;

-

- retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"

- { }

- ''

- generate() {

- (cd ${hosts}

- printf \'\'

- for i in `ls`; do

- names=$(hostnames $i)

- for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do

- names="$names $(hostnames $j)"

- done

- sed -En '

- s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p

- ' $i

- done | sort

- printf \'\'

- )

- }

-

- case ${cfg.generateEtcHosts} in

- short)

- hostnames() { echo "$1"; }

- generate

- ;;

- long)

- hostnames() { echo "$1.${cfg.network}"; }

- generate

- ;;

- both)

- hostnames() { echo "$1.${cfg.network} $1"; }

- generate

- ;;

- *)

- echo '""'

- ;;

- esac > $out

- '');

-

-

- confDir = pkgs.runCommand "retiolum" {

- # TODO text

- executable = true;

- preferLocalBuild = true;

- } ''

- set -euf

-

- mkdir -p $out

-

- ln -s ${hosts} $out/hosts

-

- cat > $out/tinc.conf <<EOF

- Name = ${cfg.name}

- Device = /dev/net/tun

- Interface = ${cfg.network}

- ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}

- PrivateKeyFile = ${cfg.privateKeyFile}

- EOF

-

- # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up

- cat > $out/tinc-up <<EOF

- host=$out/hosts/${cfg.name}

- ${iproute}/sbin/ip link set \$INTERFACE up

-

- addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)

- if [ -n "\$addr4" ];then

- ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE

- ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE

- fi

- addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)

- ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE

- ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE

- EOF

-

- chmod +x $out/tinc-up

- '';

-

-

- user = cfg.network + "-tinc";

-

-in

-

-{

- environment.systemPackages = [ tinc hosts iproute ];

-

- networking.extraHosts = retiolumExtraHosts;

-

- systemd.services.retiolum = {

- description = "Tinc daemon for Retiolum";

- after = [ "network.target" ];

- wantedBy = [ "multi-user.target" ];

- path = [ tinc iproute ];

- serviceConfig = {

- # TODO we cannot chroot (-R) b/c we use symlinks to hosts

- # and the private key.

- ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";

- SyslogIdentifier = "retiolum-tincd";

- };

- };

-

- users.extraUsers = singleton {

- name = user;

- uid = 2961822815; # bin/genid retiolum-tinc

- };

-}

-arg@{ config, pkgs, lib, ... }:

-

-let

- cfg = config.tv.retiolum;

- arg' = arg // { inherit cfg; };

-in

-

-{

- options.tv.retiolum = import ./options.nix arg';

- config = lib.mkIf cfg.enable (import ./config.nix arg');

-}

-{ config, lib, pkgs, ... }:

-

-let

- inherit (lib) mkOption types;

-in

-

-{

- enable = mkOption {

- type = types.bool;

- default = false;

- description = "Enable tinc daemon for Retiolum.";

- };

-

- name = mkOption {

- type = types.string;

- default = config.networking.hostName;

- # Description stolen from tinc.conf(5).

- description = ''

- This is the name which identifies this tinc daemon. It must

- be unique for the virtual private network this daemon will

- connect to. The Name may only consist of alphanumeric and

- underscore characters. If Name starts with a $, then the

- contents of the environment variable that follows will be

- used. In that case, invalid characters will be converted to

- underscores. If Name is $HOST, but no such environment

- variable exist, the hostname will be read using the

- gethostnname() system call This is the name which identifies

- the this tinc daemon.

- '';

- };

-

- generateEtcHosts = mkOption {

- type = types.string;

- default = "both";

- description = ''

- If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>,

- then generate entries in <filename>/etc/hosts</filename> from subnets.

- '';

- };

-

- network = mkOption {

- type = types.string;

- default = "retiolum";

- description = ''

- The tinc network name.

- It is used to generate long host entries,

- derive the name of the user account under which tincd runs,

- and name the TUN device.

- '';

- };

-

- tincPackage = mkOption {

- type = types.package;

- default = pkgs.tinc;

- description = "Tincd package to use.";

- };

-

- hosts = mkOption {

- default = null;

- description = ''

- Hosts package or path to use.

- If a path is given, then it will be used to generate an ad-hoc package.

- '';

- };

-

- iproutePackage = mkOption {

- type = types.package;

- default = pkgs.iproute;

- description = "Iproute2 package to use.";

- };

-

-

- privateKeyFile = mkOption {

- # TODO if it's types.path then it gets copied to /nix/store with

- # bad unsafe permissions...

- type = types.string;

- default = "/etc/tinc/retiolum/rsa_key.priv";

- description = "Generate file with <literal>tincd -K</literal>.";

- };

-

- connectTo = mkOption {

- type = types.listOf types.string;

- default = [ "fastpoke" "pigstarter" "kheurop" ];

- description = "TODO describe me";

- };

-

-}

-{ ... }:

-

-{

- nixpkgs.config.packageOverrides = pkgs:

- {

- nano = pkgs.runCommand "empty" {} "mkdir -p $out";

- };

-

- services.cron.enable = false;

- services.nscd.enable = false;

- services.ntp.enable = false;

-}

-{ config, pkgs, ... }:

-

-{

- services.smartd = {

- enable = true;

- devices = [

- {

- device = "DEVICESCAN";

- options = toString [

- "-a"

- "-m tv@wu.retiolum"

- "-s (O/../.././09|S/../.././04|L/../../6/05)"

- ];

- }

- ];

- };

-}

-{ config, pkgs, ... }:

-

-{

- # TODO this is host specific

- services.xserver.synaptics = {

- enable = true;

- twoFingerScroll = true;

- accelFactor = "0.035";

- additionalOptions = ''

- Option "FingerHigh" "60"

- Option "FingerLow" "60"

- '';

- };

-}

-{ config, lib, pkgs, ... }:

-

-# TODO multiple users

-# TODO inform about unused caches

-# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}"

-# TODO hooks.py

-

-let

- inherit (builtins) toFile;

- inherit (lib)

- concatStringsSep escapeShellArg mkIf mkOption optionals singleton types;

- inherit (pkgs) writeScript;

-

- cfg = config.tv.urlwatch;

-

- api = {

- dataDir = mkOption {

- type = types.str;

- default = "/var/lib/urlwatch";

- description = ''

- Directory where the urlwatch service should store its state.

- '';

- };

- enable = mkOption {

- type = types.bool;

- default = false;

- description = ''

- Whether to enable the urlwatch service.

- If enabled, then create a timer that calls urlwatch and sends mails

- whenever something has changed or an error occurs.

- '';

- };

- from = mkOption {

- type = types.str;

- default = "${cfg.user}@${config.networking.hostName}.retiolum";

- description = ''

- Content of the From: header of the generated mails.

- '';

- };

- mailto = mkOption {

- type = types.str;

- description = ''

- Content of the To: header of the generated mails. [AKA recipient :)]

- '';

- };

- onCalendar = mkOption {

- type = types.str;

- description = ''

- Run urlwatch at this interval.

- The format is described in systemd.time(7), CALENDAR EVENTS.

- '';

- example = "04:23";

- };

- urls = mkOption {

- type = with types; listOf str;

- description = "URL to watch.";

- example = [

- https://nixos.org/channels/nixos-unstable/git-revision

- ];

- };

- user = mkOption {

- type = types.str;

- default = "urlwatch";

- description = "User under which urlwatch runs.";

- };

- };

-

- urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls);

-

- impl = {

- systemd.timers.urlwatch = {

- wantedBy = [ "timers.target" ];

- timerConfig = {

- OnCalendar = cfg.onCalendar;

- Persistent = "true";

- };

- };

- systemd.services.urlwatch = {

- path = with pkgs; [

- coreutils

- gnused

- urlwatch

- ];

- environment = {

- HOME = cfg.dataDir;

- LC_ALL = "en_US.UTF-8";

- LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive";

- SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

- };

- serviceConfig = {

- User = cfg.user;

- PermissionsStartOnly = "true";

- PrivateTmp = "true";

- Type = "oneshot";

- ExecStartPre =

- writeScript "urlwatch-prestart" ''

- #! /bin/sh

- set -euf

-

- dataDir=$HOME

- user=${escapeShellArg cfg.user}

-

- if ! test -e "$dataDir"; then

- mkdir -m 0700 -p "$dataDir"

- chown "$user": "$dataDir"

- fi

- '';

- ExecStart = writeScript "urlwatch" ''

- #! /bin/sh

- set -euf

-

- from=${escapeShellArg cfg.from}

- mailto=${escapeShellArg cfg.mailto}

- urlsFile=${escapeShellArg urlsFile}

- user=${escapeShellArg cfg.user}

-

- cd /tmp

-

- urlwatch -e --urls="$urlsFile" > changes 2>&1 || :

-

- if test -s changes; then

- date=$(date -R)

- subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \

- | tr \\n \ )

- {

- echo "Date: $date"

- echo "From: $from"

- echo "Subject: $subject"

- echo "To: $mailto"

- echo

- cat changes

- } | /var/setuid-wrappers/sendmail -t

- fi

- '';

- };

- };

- users.extraUsers = optionals (cfg.user == "urlwatch") (singleton {

- name = "urlwatch";

- uid = 3450919516; # bin/genid urlwatch

- });

- };

-

-in

-

-{

- # TODO

- #imports = [

- # ./exim

- #];

- #config = mkIf cfg.enable

- # (if config.tv.exim.enable

- # then impl

- # else throw "tv.exim must be enabled when enabling tv.urlwatch");

-

- options.tv.urlwatch = api;

-

- config = impl;

-}

-{ pkgs, ... }:

-

- with builtins;

-

-let

- users = [ "tv" ];

- urxvt = pkgs.rxvt_unicode;

- mkService = user: {

- description = "urxvt terminal daemon";

- wantedBy = [ "multi-user.target" ];

- restartIfChanged = false;

- serviceConfig = {

- Restart = "always";

- User = user;

- ExecStart = "${urxvt}/bin/urxvtd";

- };

- };

-

-in

-

-{

- environment.systemPackages = [ urxvt ];

- systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);

-}

-{ config, lib, pkgs, ... }:

-

-with lib;

-

-let

- cfg = config.tv.users;

-

- opts = {

- enable = mkOption {

- default = true;

- type = types.bool;

- description = ''

- If set to false, TODO...

- '';

- };

-

- packages = mkOption {

- default = [];

- #example = literalExample "[ pkgs.firefox pkgs.thunderbird ]";

- type = with types; listOf path;

- description = ''

- TODO this description is for environment.systemPackages

- The set of packages that appear in

- /run/current-system/sw. These packages are

- automatically available to all users, and are

- automatically updated every time you rebuild the system

- configuration. (The latter is the main difference with

- installing them in the default profile,

- <filename>/nix/var/nix/profiles/default</filename>.

- '';

- };

- };

-in

-

-{

- options.tv.users = mkOption {

- default = {};

- type = with types; attrsOf optionSet;

- options = [ opts ];

- description = ''

- TODO

- '';

- };

-

- config = {

- system.activationScripts."tv.users" =

- let

- bindir = name: packages:

- pkgs.symlinkJoin "${name}-bindir" (map (path: path + "/" + "bin") packages);

- in

- ''

- mkdir -m 0755 -p /run/tv.users

- # TODO delete old

- # TODO detect collisions

- # TODO don't link .xxx-wrapped

- ${concatStrings (mapAttrsToList (name: { packages, ... }: ''

- mkdir -m 0755 -p /run/tv.users/${name}

- ln -snf ${bindir name packages} /run/tv.users/${name}/bin

- '') cfg)}

- '';

- environment.shellInit = ''

- # XXX lower precedence than ~/bin

- PATH=/run/tv.users/$LOGNAME/bin:$PATH

- export PATH

- '';

- };

-}

-{ config, pkgs, ... }:

-

-{

- services.xserver.enable = true;

-

-

- #fonts.enableFontConfig = true;

- #fonts.enableFontDir = true;

- fonts.fonts = [

- pkgs.xlibs.fontschumachermisc

- ];

- #services.xfs.enable = true;

- #services.xserver.useXFS = "unix/:7100";

-

- services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;

-

- #services.xserver.display = 11;

- #services.xserver.tty = 11;

- # services.xserver.layout = "us";

- # services.xserver.xkbOptions = "eurosign:e";

-

- #services.xserver.multitouch.enable = true;

-

- services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [

- X11-xshape

- ];

- services.xserver.windowManager.xmonad.enable = true;

- services.xserver.windowManager.xmonad.enableContribAndExtras = true;

- services.xserver.windowManager.default = "xmonad";

- services.xserver.desktopManager.default = "none";

- services.xserver.desktopManager.xterm.enable = false;

-

- services.xserver.displayManager.slim.enable = true;

- #services.xserver.displayManager.auto.enable = true;

- #services.xserver.displayManager.auto.user = "tv";

- #services.xserver.displayManager.job.logsXsession = true;

-

-

- services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];

-}