diff options
Diffstat (limited to 'tv')
| -rw-r--r-- | tv/1systems/cd.nix | 8 | ||||
| -rw-r--r-- | tv/1systems/mkdir.nix | 4 | ||||
| -rw-r--r-- | tv/1systems/mu.nix | 2 | ||||
| -rw-r--r-- | tv/1systems/rmdir.nix | 4 | ||||
| -rw-r--r-- | tv/1systems/wu.nix | 4 | ||||
| -rw-r--r-- | tv/1systems/xu.nix | 4 | ||||
| -rw-r--r-- | tv/2configs/default.nix | 4 | ||||
| -rw-r--r-- | tv/2configs/exim-retiolum.nix | 2 | ||||
| -rw-r--r-- | tv/2configs/exim-smarthost.nix | 2 | ||||
| -rw-r--r-- | tv/2configs/nginx/default.nix | 2 | ||||
| -rw-r--r-- | tv/2configs/nginx/public_html.nix | 2 | ||||
| -rw-r--r-- | tv/2configs/retiolum.nix | 6 | ||||
| -rw-r--r-- | tv/2configs/vim.nix | 314 | ||||
| -rw-r--r-- | tv/3modules/iptables.nix | 24 | ||||
| -rw-r--r-- | tv/5pkgs/default.nix | 4 |
15 files changed, 211 insertions, 175 deletions
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 32d956b8a..a46edb4d9 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -18,7 +18,7 @@ with config.krebs.lib; enable = true; ssl_cert = ../Zcerts/charybdis_cd.crt.pem; }; - tv.iptables.input-retiolum-accept-new-tcp = [ + tv.iptables.input-retiolum-accept-tcp = [ config.tv.charybdis.port config.tv.charybdis.sslport ]; @@ -28,14 +28,14 @@ with config.krebs.lib; enable = true; hosts = [ "jabber.viljetic.de" ]; }; - tv.iptables.input-internet-accept-new-tcp = [ + tv.iptables.input-internet-accept-tcp = [ "xmpp-client" "xmpp-server" ]; } { krebs.github-hosts-sync.enable = true; - tv.iptables.input-internet-accept-new-tcp = + tv.iptables.input-internet-accept-tcp = singleton config.krebs.github-hosts-sync.port; } { @@ -57,7 +57,7 @@ with config.krebs.lib; root ${pkgs.viljetic-pages}; ''); }; - tv.iptables.input-internet-accept-new-tcp = singleton "http"; + tv.iptables.input-internet-accept-tcp = singleton "http"; } ]; diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index f46ed9547..dcec1e200 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -22,12 +22,12 @@ in { tv.iptables = { enable = true; - input-internet-accept-new-tcp = [ + input-internet-accept-tcp = [ "ssh" "tinc" "smtp" ]; - input-retiolum-accept-new-tcp = [ + input-retiolum-accept-tcp = [ "http" ]; }; diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix index 06da15ecc..ec208a0bd 100644 --- a/tv/1systems/mu.nix +++ b/tv/1systems/mu.nix @@ -76,7 +76,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ slock - tinc + tinc_pre iptables vim gimp diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 25fae2c36..34f926020 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -22,12 +22,12 @@ in { tv.iptables = { enable = true; - input-internet-accept-new-tcp = [ + input-internet-accept-tcp = [ "ssh" "tinc" "smtp" ]; - input-retiolum-accept-new-tcp = [ + input-retiolum-accept-tcp = [ "http" ]; }; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index cebd7c9e4..d115e274b 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -38,7 +38,7 @@ with config.krebs.lib; dic file get - gnupg21 + gnupg1compat haskellPackages.hledger htop jq @@ -153,7 +153,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ ethtool - tinc + tinc_pre iptables #jack2 ]; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 6ba7ab327..7277f5cb7 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -49,7 +49,7 @@ with config.krebs.lib; cac-api dic file - gnupg21 + gnupg1compat haskellPackages.hledger htop jq @@ -163,7 +163,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ ethtool - tinc + tinc_pre iptables #jack2 diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 741955eee..3e4810dd3 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with config.krebs.lib; stockholm = "/home/tv/stockholm"; nixpkgs = { url = https://github.com/NixOS/nixpkgs; - rev = "87fe38fd0e19ca83fc3ea338f8e0e7b12971d204"; + rev = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f"; }; } // optionalAttrs config.krebs.build.host.secure { secrets-master = "/home/tv/secrets/master"; @@ -174,7 +174,7 @@ with config.krebs.lib; { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "ssh"; + tv.iptables.input-internet-accept-tcp = singleton "ssh"; } { diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 9197a3c30..ad355f8b4 100644 --- a/tv/2configs/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix @@ -4,5 +4,5 @@ with config.krebs.lib; { krebs.exim-retiolum.enable = true; - tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp"; + tv.iptables.input-retiolum-accept-tcp = singleton "smtp"; } diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index 3616a8f52..351b54da1 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -43,5 +43,5 @@ with config.krebs.lib; { from = "mirko"; to = "mv"; } ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "smtp"; + tv.iptables.input-internet-accept-tcp = singleton "smtp"; } diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 1fac65a31..d0d07d5ca 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -12,6 +12,6 @@ with config.krebs.lib; ]; }; tv.iptables = optionalAttrs config.krebs.nginx.enable { - input-retiolum-accept-new-tcp = singleton "http"; + input-retiolum-accept-tcp = singleton "http"; }; } diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index 15a3b5482..858f16563 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -11,5 +11,5 @@ with config.krebs.lib; '') ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "http"; + tv.iptables.input-internet-accept-tcp = singleton "http"; } diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index e1598d792..f79454157 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with config.krebs.lib; @@ -12,6 +12,8 @@ with config.krebs.lib; "cd" "ire" ]; + tincPackage = pkgs.tinc_pre; }; - tv.iptables.input-internet-accept-new-tcp = singleton "tinc"; + tv.iptables.input-internet-accept-tcp = singleton "tinc"; + tv.iptables.input-internet-accept-udp = singleton "tinc"; } diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index f77b18108..20e1943e7 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -101,6 +101,170 @@ let command! -n=0 -bar ShowSyntax :call ShowSyntax() ''; }))) + ((rtp: rtp // { inherit rtp; }) (pkgs.writeOut "vim-tv" { + "/syntax/haskell.vim".text = /* vim */ '' + syn region String start=+\[[[:alnum:]]*|+ end=+|]+ + + hi link ConId Identifier + hi link VarId Identifier + hi link hsDelimiter Delimiter + ''; + "/syntax/nix.vim".text = /* vim */ '' + "" Quit when a (custom) syntax file was already loaded + "if exists("b:current_syntax") + " finish + "endif + + "setf nix + + " Ref <nix/src/libexpr/lexer.l> + syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/ + syn match NixINT /\<[0-9]\+\>/ + syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ + syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ + syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/ + syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/ + syn region NixSTRING + \ matchgroup=NixSTRING + \ start='"' + \ skip='\\"' + \ end='"' + syn region NixIND_STRING + \ matchgroup=NixIND_STRING + \ start="'''" + \ skip="'''\('\|[$]\|\\[nrt]\)" + \ end="'''" + + syn match NixOther /[-!+&<>|():/;=.,?\[\]*@]/ + + syn match NixCommentMatch /\(^\|\s\)#.*/ + syn region NixCommentRegion start="/\*" end="\*/" + + hi link NixCode Statement + hi link NixData Constant + hi link NixComment Comment + + hi link NixCommentMatch NixComment + hi link NixCommentRegion NixComment + hi link NixID NixCode + hi link NixINT NixData + hi link NixPATH NixData + hi link NixHPATH NixData + hi link NixSPATH NixData + hi link NixURI NixData + hi link NixSTRING NixData + hi link NixIND_STRING NixData + + hi link NixEnter NixCode + hi link NixOther NixCode + hi link NixQuote NixData + + syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings + syn cluster nix_ind_strings contains=NixIND_STRING + syn cluster nix_strings contains=NixSTRING + + ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let + startAlts = filter isString [ + ''/\* ${lang} \*/'' + extraStart + ]; + sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*''; + in /* vim */ '' + syn include @nix_${lang}_syntax syntax/${lang}.vim + unlet b:current_syntax + + syn match nix_${lang}_sigil + \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X + \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING + \ transparent + + syn region nix_${lang}_region_STRING + \ matchgroup=NixSTRING + \ start='"' + \ skip='\\"' + \ end='"' + \ contained + \ contains=@nix_${lang}_syntax + \ transparent + + syn region nix_${lang}_region_IND_STRING + \ matchgroup=NixIND_STRING + \ start="'''" + \ skip="'''\('\|[$]\|\\[nrt]\)" + \ end="'''" + \ contained + \ contains=@nix_${lang}_syntax + \ transparent + + syn cluster nix_ind_strings + \ add=nix_${lang}_region_IND_STRING + + syn cluster nix_strings + \ add=nix_${lang}_region_STRING + + " This is required because containedin isn't transitive. + syn cluster nix_has_dollar_curly + \ add=@nix_${lang}_syntax + '') { + c = {}; + cabal = {}; + diff = {}; + haskell = {}; + lua = {}; + sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"''; + sh.extraStart = concatStringsSep ''\|'' [ + ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'' + ''[a-z]*Phase[ \t\r\n]*='' + ]; + vim.extraStart = + ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; + xdefaults = {}; + })} + + " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY. + syn clear shVarAssign + + syn region nixINSIDE_DOLLAR_CURLY + \ matchgroup=NixEnter + \ start="[$]{" + \ end="}" + \ contains=TOP + \ containedin=@nix_has_dollar_curly + \ transparent + + syn region nix_inside_curly + \ matchgroup=NixEnter + \ start="{" + \ end="}" + \ contains=TOP + \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly + \ transparent + + syn match NixQuote /'''\(''$\|\\.\)/he=s+2 + \ containedin=@nix_ind_strings + \ contained + + syn match NixQuote /'''\('\|\\.\)/he=s+1 + \ containedin=@nix_ind_strings + \ contained + + syn match NixQuote /\\./he=s+1 + \ containedin=@nix_strings + \ contained + + syn sync fromstart + + let b:current_syntax = "nix" + + set isk=@,48-57,_,192-255,-,' + ''; + "/syntax/sed.vim".text = /* vim */ '' + syn region sedBranch + \ matchgroup=sedFunction start="T" + \ matchgroup=sedSemicolon end=";\|$" + \ contains=sedWhitespace + ''; + })) ]; dirs = { @@ -137,7 +301,7 @@ let set mouse=a set noruler set pastetoggle=<INS> - set runtimepath=${extra-runtimepath},$VIMRUNTIME + set runtimepath=$VIMRUNTIME,${extra-runtimepath} set shortmess+=I set showcmd set showmatch @@ -164,9 +328,7 @@ let \ | syn match TabStop containedin=ALL /\t\+/ \ | syn keyword Todo containedin=ALL TODO - au BufRead,BufNewFile *.hs so ${hs.vim} - - au BufRead,BufNewFile *.nix so ${nix.vim} + au BufRead,BufNewFile *.nix set ft=nix au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile @@ -199,149 +361,5 @@ let noremap <esc>[d <nop> | noremap! <esc>[d <nop> vnoremap u <nop> ''; - - hs.vim = pkgs.writeText "hs.vim" '' - syn region String start=+\[[[:alnum:]]*|+ end=+|]+ - - hi link ConId Identifier - hi link VarId Identifier - hi link hsDelimiter Delimiter - ''; - - nix.vim = pkgs.writeText "nix.vim" '' - setf nix - - " Ref <nix/src/libexpr/lexer.l> - syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/ - syn match NixINT /\<[0-9]\+\>/ - syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/ - syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/ - syn region NixSTRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - syn region NixIND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - - syn match NixOther /[():/;=.,?\[\]]/ - - syn match NixCommentMatch /\(^\|\s\)#.*/ - syn region NixCommentRegion start="/\*" end="\*/" - - hi link NixCode Statement - hi link NixData Constant - hi link NixComment Comment - - hi link NixCommentMatch NixComment - hi link NixCommentRegion NixComment - hi link NixID NixCode - hi link NixINT NixData - hi link NixPATH NixData - hi link NixHPATH NixData - hi link NixSPATH NixData - hi link NixURI NixData - hi link NixSTRING NixData - hi link NixIND_STRING NixData - - hi link NixEnter NixCode - hi link NixOther NixCode - hi link NixQuote NixData - - syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings - syn cluster nix_ind_strings contains=NixIND_STRING - syn cluster nix_strings contains=NixSTRING - - ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let - startAlts = filter isString [ - ''/\* ${lang} \*/'' - extraStart - ]; - sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*''; - in /* vim */ '' - syn include @nix_${lang}_syntax syntax/${lang}.vim - unlet b:current_syntax - - syn match nix_${lang}_sigil - \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X - \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING - \ transparent - - syn region nix_${lang}_region_STRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn region nix_${lang}_region_IND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn cluster nix_ind_strings - \ add=nix_${lang}_region_IND_STRING - - syn cluster nix_strings - \ add=nix_${lang}_region_STRING - - syn cluster nix_has_dollar_curly - \ add=@nix_${lang}_syntax - '') { - c = {}; - cabal = {}; - haskell = {}; - sh.extraStart = concatStringsSep ''\|'' [ - ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'' - ''[a-z]*Phase[ \t\r\n]*='' - ]; - vim.extraStart = - ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; - })} - - " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY. - syn clear shVarAssign - - syn region nixINSIDE_DOLLAR_CURLY - \ matchgroup=NixEnter - \ start="[$]{" - \ end="}" - \ contains=TOP - \ containedin=@nix_has_dollar_curly - \ transparent - - syn region nix_inside_curly - \ matchgroup=NixEnter - \ start="{" - \ end="}" - \ contains=TOP - \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly - \ transparent - - syn match NixQuote /'''\([''$']\|\\.\)/he=s+2 - \ containedin=@nix_ind_strings - \ contained - - syn match NixQuote /\\./he=s+1 - \ containedin=@nix_strings - \ contained - - syn sync fromstart - - let b:current_syntax = "nix" - - set isk=@,48-57,_,192-255,-,' - ''; in out diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index c0e71f24d..4b1d1ef87 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -17,12 +17,22 @@ let default = "retiolum"; }; - input-internet-accept-new-tcp = mkOption { + input-internet-accept-tcp = mkOption { type = with types; listOf (either int str); default = []; }; - input-retiolum-accept-new-tcp = mkOption { + input-internet-accept-udp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-udp = mkOption { type = with types; listOf (either int str); default = []; }; @@ -83,8 +93,8 @@ let ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"; ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"; }."ip${toString iptables-version}tables"; - accept-new-tcp = port: - "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT"; + accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT"; in pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' *nat @@ -112,13 +122,15 @@ let "-i lo -j ACCEPT" ] ++ optional (cfg.accept-echo-request == "internet") accept-echo-request - ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) + ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp)) + ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp)) ++ ["-i retiolum -j Retiolum"] )} ${formatTable cfg.extra.filter} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request - ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) + ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp)) + ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp)) ++ { ip4tables = [ "-p tcp -j REJECT --reject-with tcp-reset" diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 607980807..affb535ef 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -16,6 +16,10 @@ erlang = pkgs.erlangR16; }; ff = pkgs.callPackage ./ff {}; + gnupg = + if elem config.krebs.build.host.name ["xu" "wu"] + then super.gnupg21 + else super.gnupg; q = pkgs.callPackage ./q {}; viljetic-pages = pkgs.callPackage ./viljetic-pages {}; xmonad-tv = import ./xmonad-tv.nix { inherit pkgs; }; |