From 1bbeb858db245ef1a95a298de704d384ca4aa4b8 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 16 Oct 2017 00:45:27 +0200
Subject: exim-{retiolum,smarthost} module: simplify ACL
---
 krebs/3modules/exim-retiolum.nix | 69 +++++++++------------------------
 krebs/3modules/exim-smarthost.nix | 45 ++++++++++---------------
 2 files changed, 33 insertions(+), 81 deletions(-)
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index ca363c8d7..e08024977 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -43,7 +43,6 @@ let
 primary_hostname = ${cfg.primary_hostname}
 domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
 domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
- hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
@@ -61,41 +60,15 @@ let
 begin acl
 acl_check_rcpt:
- accept hosts = :
- control = dkim_disable_verify
-
- deny message = Restricted characters in address
- domains = +local_domains
- local_parts = ^[.] : ^.*[@%!/|]
-
- deny message = Restricted characters in address
- domains = !+local_domains
- local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-
- accept local_parts = postmaster
- domains = +local_domains
-
- #accept
- # hosts = *.r
- # domains = *.r
- # control = dkim_disable_verify
-
- #require verify = sender
-
- accept hosts = +relay_from_hosts
- control = submission
- control = dkim_disable_verify
-
- accept authenticated = *
- control = submission
- control = dkim_disable_verify
-
- require message = relay not permitted
- domains = +local_domains : +relay_to_domains
-
- require verify = recipient
+ deny
+ local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+ message = restricted characters in address
 accept
+ domains = +local_domains : +relay_to_domains
+
+ deny
+ message = relay not permitted
 acl_check_data:
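Review bot: The rebuilt acl_check_rcpt drops `require verify = recipient`, so the final `accept domains = +local_domains : +relay_to_domains` now accepts any local part at RCPT time and an unknown user is only rejected when routing fails later, which makes the host generate bounces to whatever envelope sender the peer supplied (backscatter). The smarthost ACL in krebs/3modules/exim-smarthost.nix has the same gap, since its `require message = unknown user / verify = recipient/callout` was removed as well. Adding the check as a condition of that final accept keeps the rejection at SMTP time: `accept`, `domains = +local_domains : +relay_to_domains`, `verify = recipient`. Separately, the merged restricted-characters deny keeps only the pattern that previously applied to non-local domains, so `/` and `|` in the middle of a local-domain local part are no longer rejected at the ACL; whether check_local_user in the routers is enough to reject such names should be confirmed, and the relaxation deserves a mention in the commit message.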
@@ -104,29 +77,19 @@ let
 begin routers
- retiolum:
- driver = manualroute
- domains = ! +local_domains : +relay_to_domains
- transport = remote_smtp
- route_list = ^.* $0 byname
- no_more
-
- nonlocal:
- debug_print = "R: nonlocal for $local_part@$domain"
- driver = redirect
- domains = ! +local_domains
- allow_fail
- data = :fail: Mailing to remote domains not supported
- no_more
-
- local_user:
- # debug_print = "R: local_user for $local_part@$domain"
+ local:
 driver = accept
+ domains = +local_domains
 check_local_user
- # local_part_suffix = +* : -*
+ # local_part_suffix = +*
 # local_part_suffix_optional
 transport = home_maildir
- cannot_route_message = Unknown user
+
+ remote:
+ driver = manualroute
+ domains = +relay_to_domains
+ transport = remote_smtp
+ route_list = ^.* $0 byname
 begin transports
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index dd4a7ccc9..5f93ae937 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
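Review bot: The new `local:` router has no `no_more`, so a local-domain address whose user fails check_local_user falls through to `remote:` instead of stopping; that is harmless only because `remote:` is guarded by `domains = +relay_to_domains`, and nothing in this hunk prevents a domain from being listed in both local_domains and relay_to_domains. Adding `no_more` after `check_local_user` should make an unknown local user unrouteable regardless of how the two lists are populated. Dropping `cannot_route_message = Unknown user` also changes the bounce text to Exim's default, which may be intended but is not mentioned in the commit message.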
@@ -157,39 +157,28 @@ let
 begin acl
 acl_check_rcpt:
- accept hosts = :
- control = dkim_disable_verify
+ deny
+ local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+ message = restricted characters in address
- deny message = Restricted characters in address
- domains = +local_domains
- local_parts = ^[.] : ^.*[@%!/|]
-
- deny message = Restricted characters in address
- domains = !+local_domains
- local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-
- accept local_parts = postmaster
- domains = +local_domains
-
- accept hosts = +relay_from_hosts
- control = submission
- control = dkim_disable_verify
-
- accept authenticated = *
- control = submission
- control = dkim_disable_verify
-
- accept message = relay not permitted 2
- recipients = lsearch*@;${lsearch.internet-aliases}
+ accept
+ recipients = lsearch*@;${lsearch.internet-aliases}
- require message = relay not permitted
- domains = +local_domains : +relay_to_domains
+ accept
+ authenticated = *
+ control = dkim_disable_verify
+ control = submission
- require
- message = unknown user
- verify = recipient/callout
+ accept
+ control = dkim_disable_verify
+ control = submission
+ hosts = +relay_from_hosts
 accept
+ domains = +local_domains : +relay_to_domains
+
+ deny
+ message = relay not permitted
 acl_check_data:
-- 
cgit v1.2.3
From 0f7fd225086da5a666d9c56ee86f9662820a7182 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 16 Oct 2017 02:39:49 +0200
Subject: tv xmonad: use default layout for im
---
 tv/5pkgs/simple/xmonad-tv/default.nix | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/tv/5pkgs/simple/xmonad-tv/default.nix b/tv/5pkgs/simple/xmonad-tv/default.nix
index 5ac8f8372..f73175bb1 100644
--- a/tv/5pkgs/simple/xmonad-tv/default.nix
+++ b/tv/5pkgs/simple/xmonad-tv/default.nix
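Review bot: In the new `accept` statement for relay_from_hosts the two `control =` modifiers precede the `hosts = +relay_from_hosts` condition, and Exim obeys a modifier as soon as it is reached, before any later condition is evaluated, so every unauthenticated remote sender that gets this far has submission mode switched on and DKIM verification disabled even though the statement then does not accept. The condition has to come first: move `hosts = +relay_from_hosts` above `control = dkim_disable_verify` and `control = submission`. The `authenticated = *` statement is in the safe order only because its condition happens to sort alphabetically before `control`; the alphabetical layout should not be relied on for ACL statements. The rest of the ACL (acl_check_data) continues past this hunk.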
@@ -80,7 +80,7 @@ mainNoArgs = do
 , modMask = mod4Mask
 , keys = myKeys
 , workspaces = workspaces0
- , layoutHook = smartBorders $ myLayout
+ , layoutHook = smartBorders $ FixedColumn 1 20 80 10 ||| Full
 -- , handleEventHook = myHandleEventHooks <+> handleTimerEvent
 --, handleEventHook = handleTimerEvent
 , manageHook = placeHook (smart (1,0)) <+> floatNextHook
@@ -91,10 +91,6 @@ mainNoArgs = do
 , focusedBorderColor = "#f000b0"
 , handleEventHook = handleShutdownEvent
 }
- where
- myLayout =
- (onWorkspace "im" $ reflectVert $ Mirror $ Tall 1 (3/100) (12/13))
- (FixedColumn 1 20 80 10 ||| Full)
 xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()
-- 
cgit v1.2.3
From 8b55369fa72e1b4b518a41cc221420910c924108 Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 16 Oct 2017 22:55:38 +0200
Subject: krebs exim-smarthost: add eloop2017@krebsco.de
---
 krebs/3modules/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 48cf7971b..c89f3229d 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -202,6 +202,7 @@ let
 "kontakt@eloop.org" = eloop-ml;
 "root@eloop.org" = eloop-ml;
 "eloop2016@krebsco.de" = eloop-ml;
+ "eloop2017@krebsco.de" = eloop-ml;
 "postmaster@krebsco.de" = spam-ml; # RFC 822
 "lass@krebsco.de" = lass;
 "makefu@krebsco.de" = makefu;
-- 
cgit v1.2.3
From a15736cbb0f23e74b47decc363a4cbf45850a0c4 Mon Sep 17 00:00:00 2001
From: tv
Date: Tue, 17 Oct 2017 20:01:53 +0200
Subject: quote: init
---
 krebs/5pkgs/simple/quote.nix | 13 +++++++++++++
 shell.nix | 13 +------------
 2 files changed, 14 insertions(+), 12 deletions(-)
 create mode 100644 krebs/5pkgs/simple/quote.nix
diff --git a/krebs/5pkgs/simple/quote.nix b/krebs/5pkgs/simple/quote.nix
new file mode 100644
index 000000000..7731e14bf
--- /dev/null
+++ b/krebs/5pkgs/simple/quote.nix
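Review bot: With `myLayout` removed in the second hunk, `onWorkspace`, `reflectVert`, `Mirror` and `Tall` no longer appear anywhere in the changed code, so their imports (outside these hunks) are probably now unused and will be reported by -Wunused-imports; drop them if nothing else in the file references them. Inlining `FixedColumn 1 20 80 10 ||| Full` into the config record works, but a named binding such as `defaultLayout` in the `where` clause would keep the record line readable and give the next layout tweak an obvious place to go.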
@@ -0,0 +1,13 @@
+{ jq, writeDashBin }:
+
+# usage: quote [ARGS...]
+writeDashBin "quote" ''
+ set -efu
+ prefix=
+ for x; do
+ y=$(${jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"')
+ echo -n "$prefix$y"
+ prefix=' '
+ done
+ echo
+''
diff --git a/shell.nix b/shell.nix
index c9b197a26..6448c1586 100644
--- a/shell.nix
+++ b/shell.nix
@@ -143,18 +143,6 @@ let
 ''}
 '');
- # usage: quote [ARGS...]
- cmds.quote = pkgs.writeDash "cmds.quote" ''
- set -efu
- prefix=
- for x; do
- y=$(${pkgs.jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"')
- echo -n "$prefix$y"
- prefix=' '
- done
- echo
- '';
-
 init.env = pkgs.writeText "init.env" /* sh */ ''
 export quiet
 export system
@@ -243,6 +231,7 @@ in pkgs.stdenv.mkDerivation {
 fi
 export PATH=${lib.makeBinPath [
 pkgs.populate
+ pkgs.quote
 shell.cmdspkg
 ]}
-- 
cgit v1.2.3
From 27d37b22995c469048e2ae4dc8ff46f49b3542d7 Mon Sep 17 00:00:00 2001
From: tv
Date: Tue, 17 Oct 2017 20:06:16 +0200
Subject: withGetopt: export WITHGETOPT_ORIG_ARGS
---
 krebs/5pkgs/simple/withGetopt.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/krebs/5pkgs/simple/withGetopt.nix b/krebs/5pkgs/simple/withGetopt.nix
index 196e6765a..179051bdf 100644
--- a/krebs/5pkgs/simple/withGetopt.nix
+++ b/krebs/5pkgs/simple/withGetopt.nix
@@ -1,5 +1,5 @@
 with import ;
-{ utillinux, writeDash }:
+{ coreutils, quote, utillinux, writeDash }:
 opt-spec: cmd-spec:
 let
@@ -43,6 +43,9 @@ in writeDash wrapper-name ''
 unset ${opt.varname}
 '') opts)}
+ WITHGETOPT_ORIG_ARGS=$(${quote}/bin/quote "$@")
+ export WITHGETOPT_ORIG_ARGS
+
 args=$(${utillinux}/bin/getopt \
 -l ${shell.escape (concatMapStringsSep ","
-- 
cgit v1.2.3
From 19839ff2d8c3c4278a19b343bd0b18fe9a5e0388 Mon Sep 17 00:00:00 2001
From: tv
Date: Tue, 17 Oct 2017 20:17:27 +0200
Subject: shell: proxy call original cmdline remotely
---
 shell.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/shell.nix b/shell.nix
index 6448c1586..53b0f964a 100644
--- a/shell.nix
+++ b/shell.nix
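Review bot: `echo -n "$prefix$y"` runs under dash, whose builtin echo always interprets backslash escapes in its argument, so an argument containing `\n`, `\t`, `\\` or `\c` (which silently ends the output) is altered after jq's @sh quoting and the re-parsed word no longer equals the original; since this output is fed back into a remote shell by the withGetopt and init.proxy commits later in this series, the mangling breaks the proxied command line for exactly those inputs. Use `printf %s "$prefix$y"` for the tokens and `printf '\n'` (or the bare `echo`) for the terminator. The same `echo -n` appears in the cmds.quote copy being deleted from shell.nix, so nothing is lost by fixing it only in the new file.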
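Review bot: `coreutils` is added to the argument set of withGetopt.nix, but neither hunk references it; if the rest of the file (outside this view) does not use it either, it is an unnecessary input that should be dropped. The two new lines export the complete, shell-quoted original argv into the environment of every process the wrapped command spawns, which is intentional for the proxying use but not obvious from the variable alone; a one-line comment above the assignment, `# shell-quoted original argv, exported so wrapped commands can re-run themselves elsewhere`, would record that. The wrapper script continues outside the hunk.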
@@ -20,7 +20,7 @@ let
 set -efu
 . ${init.env}
- . ${init.proxy opts}
+ . ${init.proxy "deploy" opts}
 # Use system's nixos-rebuild, which is not self-contained
 export PATH=/run/current-system/sw/bin
@@ -55,7 +55,7 @@ let
 # TODO inline prepare.sh?
 fi
- . ${init.proxy opts}
+ . ${init.proxy "install" opts}
 # Reset PATH because we need access to nixos-install.
 # TODO provide nixos-install instead of relying on prepare.sh
@@ -93,7 +93,7 @@ let
 export dummy_secrets=true
 . ${init.env}
- . ${init.proxy opts}
+ . ${init.proxy "test" opts}
 exec ${utils.build} config.system.build.toplevel
 '');
@@ -159,7 +159,7 @@ let
 export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
 '';
- init.proxy = opts: pkgs.writeText "init.proxy" /* sh */ ''
+ init.proxy = command: opts: pkgs.writeText "init.proxy" /* sh */ ''
 if \test "''${using_proxy-}" != true; then
 source=$(get-source "$source_file")
@@ -182,7 +182,8 @@ let
 opts
 )} \
 using_proxy=true \
- $(quote "$0" "$@")
+ ${lib.shell.escape command} \
+ $WITHGETOPT_ORIG_ARGS \
 ")"
 fi
 fi
-- 
cgit v1.2.3
From 3c810fef8ac062689a76de26b782d57692ddac90 Mon Sep 17 00:00:00 2001
From: tv
Date: Tue, 17 Oct 2017 20:25:20 +0200
Subject: populate: 1.2.4 -> 1.2.5
---
 krebs/5pkgs/simple/populate/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/krebs/5pkgs/simple/populate/default.nix b/krebs/5pkgs/simple/populate/default.nix
index 3989585ab..78ee2f042 100644
--- a/krebs/5pkgs/simple/populate/default.nix
+++ b/krebs/5pkgs/simple/populate/default.nix
@@ -13,12 +13,12 @@ in stdenv.mkDerivation rec {
 name = "populate";
- version = "1.2.4";
+ version = "1.2.5";
 src = fetchgit {
 url = http://cgit.ni.krebsco.de/populate;
 rev = "refs/tags/v${version}";
- sha256 = "0az41vaxfwrh9l19z3cbc7in8pylrnyc0xkzk6773xg2nj4g8a28";
+ sha256 = "10s4x117zp5whqq991xzw1i2jc1xhl580kx8hhzv8f1b4c9carx1";
 };
 phases = [
-- 
cgit v1.2.3
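Review bot: The proxied command in the last shell.nix hunk is now rebuilt from `$WITHGETOPT_ORIG_ARGS`, so init.proxy silently depends on being sourced from a script that went through the withGetopt wrapper; sourced from anywhere else the remote command runs with no arguments, or, where the caller uses `set -u` as the first hunk's `set -efu` suggests, aborts with a bare "parameter not set". Making the dependency explicit, `''${WITHGETOPT_ORIG_ARGS?init.proxy requires the withGetopt wrapper} \`, turns that into a readable failure; the `''${using_proxy-}` line a few lines up shows the `''${` escape this Nix string already uses. The previous `$(quote "$0" "$@")` form had no such hidden coupling, which is worth a comment on the new line. The init.proxy string starts and ends outside this hunk.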