From bc19167a422d3ada9ad747c34e70fc9cfbb6bc9a Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 11 Aug 2015 23:39:57 +0200 Subject: hosts: add missing hosts from painload --- Zhosts/eulerwalk | 11 +++++++++++ Zhosts/tmpd | 11 +++++++++++ Zhosts/tsp | 16 ++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 Zhosts/eulerwalk create mode 100644 Zhosts/tmpd create mode 100644 Zhosts/tsp diff --git a/Zhosts/eulerwalk b/Zhosts/eulerwalk new file mode 100644 index 000000000..b6dbf43e0 --- /dev/null +++ b/Zhosts/eulerwalk @@ -0,0 +1,11 @@ +Subnet = 10.243.176.249 +Subnet = 42:7429:4e08:14cf:fb5d:9c17:76e5:ddcb + +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAv0GyX62KaykRkN9f6ZgtAOPk1rr+ZFG6Il24crrkIJgx0He+VVjr +XgXE7EaVwNjNm/7nIhGGWbCzravDIrRzQXzY+IQIzXwSPKv0WZkqFHZj122SIt9L +QKtkGnECA136uH3AqbXoxhsz2FnuDunZ6gKAi6XIlq5Qr2Nyv0qKKaM0zTZZ4pI5 +PqsNfV6r2gc3jo/tOuxVgG86dMAEHLMdwjdBE6/49daGXyhsGG7Gh93c8UlyFKyt +r6LC+4Oc1MCMtCbxsmE/iZWJtpUHAcQDzTcAynP916xg1PBLhczfWFCPR0LXOQGe +MYSv34G0gZqPmkNJryi1MEFZ61zo/SiO9wIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/Zhosts/tmpd b/Zhosts/tmpd new file mode 100644 index 000000000..52db6b258 --- /dev/null +++ b/Zhosts/tmpd @@ -0,0 +1,11 @@ +Subnet = 10.243.235.99 +Subnet = 42:cd60:2f4b:3382:b9ba:74d7:5a13:ceb7 + +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAwSNjd1jYjsx+8JDRUV9QXhyMOrAIOMtKUGo/+Ufr+jHIY7h2BlQS +6Jy7xjZv6zmHhEenhWs+P4qUCASXJPtZ7URgelA4NgkfVMsbgUQDM6VDZr0JwYXq +csmp/9vxWRRbaNifG9x5+N50tMh9E5rMmDCV9ySWr3DAvDQckKAjfMtys2EWajW2 +sM02mXtMPAy5QgKNRvSbIVDnRjJyZpCkc5xNhv2rl7k+6RZltcec4IarIlnu5nv5 +f1cTAlPaWwGuyyXZeyFbzD0IAGJeWzCkt8+F8kOobRXJQbgDqYWLdH5BXagxBX4g +VpDZTwdWU6oGph8m4kCg4vJCW1/XYOU1aQIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/Zhosts/tsp b/Zhosts/tsp new file mode 100644 index 000000000..314abb3f5 --- /dev/null +++ b/Zhosts/tsp 
@@ -0,0 +1,16 @@ +Subnet = 10.243.0.212 +Subnet = 42:f9f1:0000:0000:0000:0000:0000:0002 + +-----BEGIN RSA PUBLIC KEY----- +MIICCgKCAgEAwW+RjRcp3uarkfXZ+FcCYY2GFcfI595GDpLRuiS/YQAB3JZEirHi +HFhDJN80fZ9qHqtq9Af462xSx+cIb282TxAqCM1Z9buipOcYTYo0m8xIqkT10dB3 +mR87B+Ed1H6G3J6isdwEb9ZMegyGIIeyR53FJQYMZXjxdJbAmGMDKqjZSk1D5mo+ +n5Vx3lGzTuDy84VyphfO2ypG48RHCxHUAx4Yt3o84LKoiy/y5E66jaowCOjZ6SqG +R0cymuhoBhMIk2xAXk0Qn7MZ1AOm9N7Wru7FXyoLc7B3+Gb0/8jXOJciysTG7+Gr +Txza6fJvq2FaH8iBnfezSELmicIYhc8Ynlq4xElcHhQEmRTQavVe/LDhJ0i6xJSi +aOu0njnK+9xK+MyDkB7n8dO1Iwnn7aG4n3CjVBB4BDO08lrovD3zdpDX0xhWgPRo +ReOJ3heRO/HsVpzxKlqraKWoHuOXXcREfU9cj3F6CRd0ECOhqtFMEr6TnuSc8GaE +KCKxY1oN45NbEFOCv2XKd2wEZFH37LFO6xxzSRr1DbVuKRYIPjtOiFKpwN1TIT8v +XGzTT4TJpBGnq0jfhFwhVjfCjLuGj29MCkvg0nqObQ07qYrjdQI4W1GnGOuyXkvQ +teyxjUXYbp0doTGxKvQaTWp+JapeEaJPN2MDOhrRFjPrzgo3aW9+97UCAwEAAQ== +-----END RSA PUBLIC KEY----- -- cgit v1.2.3 From 9f92ba455c4b13f4d960bae65cd577c9aad30dc4 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 13 Aug 2015 12:08:36 +0200 Subject: krebs.exim-retiolum: assert krebs.retiolum.enable --- krebs/3modules/exim-retiolum.nix | 182 +++++++++++++++++++-------------------- 1 file changed, 91 insertions(+), 91 deletions(-) diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 71c091917..e1315d8c8 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -8,11 +8,7 @@ let out = { options.krebs.exim-retiolum = api; config = - # This configuration makes only sense for retiolum-enabled hosts. - # TODO modular configuration - mkIf cfg.enable ( - #assert config.krebs.retiolum.enable; - imp); + mkIf cfg.enable imp; }; api = { 
@@ -20,121 +16,125 @@ let }; imp = { - services.exim = { - enable = true; - config = '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data - host_lookup = * - rfc1413_hosts = * - rfc1413_query_timeout = 5s + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false - begin acl + begin acl - acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ - accept local_parts = postmaster - domains = +local_domains + accept local_parts = postmaster + domains = +local_domains - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify - #require verify = sender + #require verify = sender - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify - accept authenticated = * - control = submission - control = dkim_disable_verify + accept authenticated = * + control = submission + control = dkim_disable_verify - require message = relay not permitted - domains = +local_domains : +relay_to_domains + require message = relay not permitted + domains = +local_domains : +relay_to_domains - require verify = recipient + require verify = recipient - accept + accept - acl_check_data: - accept + acl_check_data: + accept - begin routers + begin routers - retiolum: - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = remote_smtp - route_list = ^.* $0 byname - no_more + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! +local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more - local_user: - # debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user - begin transports + begin transports - remote_smtp: - driver = smtp + remote_smtp: + driver = smtp - home_maildir: - driver = appendfile - maildir_format - directory = $home/Maildir - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - # group = mail - # mode = 0660 + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - begin rewrite + begin rewrite - begin authenticators - ''; - }; + begin authenticators + ''; + }; }; # TODO get the hostname from somewhere else. -- cgit v1.2.3 From eee4142d06f9d5c35af70a647af7fe71adefdaa2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:25:40 +0200 Subject: lass 3: add folderPerms.nix --- lass/3modules/folderPerms.nix | 107 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 lass/3modules/folderPerms.nix diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix new file mode 100644 index 000000000..789fd48dc --- /dev/null +++ b/lass/3modules/folderPerms.nix 
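Review bot: The bare `assert config.krebs.retiolum.enable;` now guarding `services.exim` aborts evaluation with only the generic "assertion failed at …" location, which tells the operator nothing about which option to enable. The NixOS `assertions` list gives the same hard failure with an explanation and can sit in `imp` next to `services.exim`: `assertions = [ { assertion = config.krebs.retiolum.enable; message = "krebs.exim-retiolum requires krebs.retiolum.enable"; } ];`. The remainder of this hunk is re-indentation of the exim config and carries no other change.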
@@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +let + inherit (pkgs) + writeScript + ; + + inherit (lib) + concatMapStringsSep + concatStringsSep + mkEnableOption + mkIf + mkOption + types + ; + + cfg = config.lass.folderPerms; + + out = { + options.lass.folderPerms = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "folder permissions"; + permissions = mkOption { + type = with types; listOf (submodule ({ + options = { + path = mkOption { + type = str; + }; + permission = mkOption { + type = nullOr str; + example = "755"; + description = '' + basically anything that chmod takes as permission + ''; + default = null; + }; + owner = mkOption { + type = nullOr str; + example = "root:root"; + description = '' + basically anything that chown takes as owner + ''; + default = null; + }; + recursive = mkOption { + type = bool; + default = false; + }; + }; + })); + }; + }; + + imp = { + systemd.services.lass-folderPerms = { + description = "lass-folderPerms"; + wantedBy = [ "multi-user.target" ]; + + path = with pkgs; [ + coreutils + ]; + + restartIfChanged = true; + + serviceConfig = { + type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript}"; + }; + }; + }; + + startScript = writeScript "lass-folderPerms" '' + ${concatMapStringsSep "\n" writeCommand cfg.permissions} + ''; + + writeCommand = fperm: + concatStringsSep "\n" [ + (buildPermission fperm) + (buildOwner fperm) + ]; + + buildPermission = perm: + if (perm.permission == null) then + "" + else + if perm.recursive then + "chmod -R ${perm.permission} ${perm.path}" + else + "chmod ${perm.permission} ${perm.path}" + ; + + buildOwner = perm: + if (perm.owner == null) then + "" + else + if perm.recursive then + "chown -R ${perm.owner} ${perm.path}" + else + "chown ${perm.owner} ${perm.path}" + ; + +in out -- cgit v1.2.3 From e30ee0f14bce976f38f9954dd4432368bd978822 Mon Sep 17 00:00:00 2001 
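Review bot: `serviceConfig.type = "simple"` combined with `Restart = "always"` turns this one-off chmod/chown script into a restart loop: the script exits after its last command and systemd restarts it until the start limit trips, and the lowercase `type` is not the systemd key `Type`, so even the intended value is never applied. A `Type = "oneshot"` unit with `RemainAfterExit = true` and no `Restart` expresses the intent. The `writeScript` body also begins with the first chmod line rather than an interpreter line, so the kernel has nothing to execute the file with; prefix it with a shebang. The `@` prefix on `ExecStart` expects a second token to use as argv[0], which is not given here, so the plain script path seems to be what was meant.
```nix
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = startScript;
      };
  # … unchanged: rest of systemd.services.lass-folderPerms …

  startScript = writeScript "lass-folderPerms" ''
    #! ${pkgs.bash}/bin/bash
    ${concatMapStringsSep "\n" writeCommand cfg.permissions}
  '';
```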
From: lassulus Date: Thu, 13 Aug 2015 22:26:07 +0200 Subject: lass 2: add downloading.nix --- lass/2configs/downloading.nix | 67 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 lass/2configs/downloading.nix diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix new file mode 100644 index 000000000..e6d31a6c4 --- /dev/null +++ b/lass/2configs/downloading.nix @@ -0,0 +1,67 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../3modules/iptables.nix + ../3modules/folderPerms.nix + ]; + + users.extraUsers = { + download = { + name = "download"; + home = "/var/download"; + createHome = true; + extraGroups = [ + "download" + ]; + }; + + transmission = { + extraGroups = [ + "download" + ]; + }; + }; + + users.extraGroups = { + download = { + members = [ + "download" + "transmission" + ]; + }; + }; + + services.transmission = { + enable = true; + settings = { + download-dir = "/var/download/finished"; + incomplete-dir = "/var/download/incoming"; + incomplete-dir-enabled = true; + + rpc-authentication-required = true; + rpc-whitelist-enabled = false; + rpc-username = "download"; + #add rpc-password in secrets + rpc-password = "test123"; + }; + }; + + lass.iptables = { + enable = true; + tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } + ]; + }; + + lass.folderPerms = { + enable = true; + permissions = [ + { + path = "/var/download"; + permission = "775"; + owner = "transmission:download"; + } + ]; + }; +} -- cgit v1.2.3 From dd43270cebcd88f1f4a06b15e5f94434f68993c5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:28:19 +0200 Subject: lass 1: repair uriel --- lass/1systems/uriel.nix | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 74d995560..041b891b6 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix 
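Review bot: `rpc-password = "test123"` commits a working credential in clear text, and since `services.transmission.settings` is presumably rendered into the Nix store it is likely world-readable on the machine as well; the adjacent `#add rpc-password in secrets` comment acknowledges this but the commit ships the placeholder. With `rpc-whitelist-enabled = false` and the `--dport 9091` ACCEPT rule bound to no interface or source, that password is the only barrier between the network and the RPC. Until the value is moved out of the store, keep the whitelist enabled or scope the rule, e.g. `{ predicate = "-s <trusted-cidr> -p tcp --dport 9091"; target = "ACCEPT"; }`.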
@@ -3,15 +3,15 @@ with builtins; { imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/bird.nix - ../../2configs/lass/new-repos.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/retiolum.nix + ../2configs/desktop-base.nix + ../2configs/browsers.nix + ../2configs/games.nix + ../2configs/pass.nix + ../2configs/urxvt.nix + ../2configs/bird.nix + ../2configs/new-repos.nix + ../2configs/chromium-patched.nix + ../2configs/retiolum.nix { users.extraUsers = { root = { -- cgit v1.2.3 From 44f0a81ff0b2b399e90cda6e5eddf1e3a2cd9552 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:29:14 +0200 Subject: lass 1: bump rev --- lass/1systems/mors.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e7edcccea..e4bc1622f 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -29,7 +29,7 @@ deps = { nixpkgs = { url = https://github.com/Lassulus/nixpkgs; - rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; + rev = "961fd7b7a0f88dde7dac2f7a4c05ee4e1a25381d"; }; secrets = { url = "/home/lass/secrets/${config.krebs.build.host.name}"; -- cgit v1.2.3 From fa7f1946c39b0223b5a3ea31414fa48b14952660 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:29:37 +0200 Subject: lass 2: remove unneded " --- lass/2configs/fastpoke-pages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix index 9c80fa77a..bcf80114c 100644 --- a/lass/2configs/fastpoke-pages.nix +++ b/lass/2configs/fastpoke-pages.nix @@ -20,8 +20,8 @@ let # 10.243.206.102 ${domain} #''; users.extraUsers = { - "${domain}" = { - name = "${domain}"; + ${domain} = { + name = domain; home = "/var/lib/http/${domain}"; createHome = true; }; -- cgit v1.2.3 
From aee18a93d39b617d3f857cc9c8db3c82474ba10b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:30:50 +0200 Subject: lass 2 fastpoke-pages: disable postgresql --- lass/2configs/fastpoke-pages.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix index bcf80114c..1c8106a88 100644 --- a/lass/2configs/fastpoke-pages.nix +++ b/lass/2configs/fastpoke-pages.nix @@ -90,9 +90,9 @@ in { }; }; - services.postgresql = { - enable = true; - }; + #services.postgresql = { + # enable = true; + #}; #config.services.vsftpd = { # enable = true; -- cgit v1.2.3 From db4b55527d527158bd4e7f93128668e646f2cf1f Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 13 Aug 2015 22:31:40 +0200 Subject: krebs/3: add cd extraZones --- krebs/3modules/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index d77d00c05..9ad9c9f91 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -455,6 +455,13 @@ let cd = { cores = 2; dc = "tv"; #dc = "cac"; + extraZones = { + "de.krebsco" = '' + mx23 IN A ${elemAt nets.internet.addrs4 0} + cd IN A ${elemAt nets.internet.addrs4 0} + krebsco.de. IN MX 5 mx23 + ''; + }; nets = rec { internet = { addrs4 = ["162.219.7.216"]; -- cgit v1.2.3 From 434581244077cf97cec96cca5e5cb5a18cd15ad1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:32:03 +0200 Subject: lass 2: add wordpress.nix --- lass/2configs/wordpress.nix | 59 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 lass/2configs/wordpress.nix diff --git a/lass/2configs/wordpress.nix b/lass/2configs/wordpress.nix new file mode 100644 index 000000000..9458deb38 --- /dev/null +++ b/lass/2configs/wordpress.nix 
@@ -0,0 +1,59 @@ +{ config, pkgs, ... }: + +{ + containers.wordpress = { + privateNetwork = true; + hostAddress = "192.168.101.1"; + localAddress = "192.168.101.2"; + + config = { + imports = [ + ../3modules/iptables.nix + ]; + + lass.iptables = { + enable = true; + tables = { + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + { predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } + ]; + }; + }; + + environment.systemPackages = with pkgs; [ + iptables + ]; + + services.postgresql = { + enable = true; + package = pkgs.postgresql; + }; + + services.httpd = { + enable = true; + adminAddr = "root@apanowicz.de"; + extraModules = [ + { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; } + ]; + virtualHosts = [ + { + hostName = "wordpress"; + serverAliases = [ "wordpress" "www.wordpress" ]; + + extraSubservices = [ + { + serviceName = "wordpress"; + } + ]; + } + ]; + }; + }; + }; +} -- cgit v1.2.3 From dbd69c4e956bc1c88b379c273a5ea5b4ceea8813 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Aug 2015 22:32:46 +0200 Subject: lass 1 mors: enable wordpress --- lass/1systems/mors.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e4bc1622f..e7f8d5276 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -20,6 +20,7 @@ ../2configs/new-repos.nix #../../2configs/tv/synaptics.nix ../2configs/retiolum.nix + ../2configs/wordpress.nix ]; krebs.build = { -- cgit v1.2.3 From f5fa77fb7363ada9386ea8900de49e7ab6faed9b Mon Sep 17 00:00:00 2001 
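Review bot: The container firewall sets `filter.INPUT.policy = "DROP"` and then accepts `-p tcp --dport 22`, while nothing in this file enables an ssh daemon inside the container; if the rule is intentional, a comment stating who is expected to connect would help, otherwise dropping it leaves only port 80 exposed. `hostAddress`/`localAddress` with `privateNetwork = true` make the web server reachable from the host only unless the host forwards traffic, which this file does not show, so a comment on how the site is meant to be reached would spare the next reader a guess.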
From: lassulus Date: Fri, 14 Aug 2015 15:20:53 +0200 Subject: krebs 3: add lass's mails --- krebs/3modules/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 9ad9c9f91..ec433dce8 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -309,9 +309,11 @@ let users = addNames { lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + mail = "lass@mors.retiolum"; }; uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + mail = "uriel@mors.retiolum"; }; }; }; -- cgit v1.2.3 From f36177cf91fa7db20f7e30e84910fb9efd82b975 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 14 Aug 2015 15:41:49 +0200 Subject: lass 3 folderPerms: remove recursive option --- lass/3modules/folderPerms.nix | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix index 789fd48dc..bb0320327 100644 --- a/lass/3modules/folderPerms.nix +++ b/lass/3modules/folderPerms.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, ... }: +#TODO: implement recursive mode maybe? +# enable different mods for files and folders + let inherit (pkgs) writeScript @@ -45,10 +48,6 @@ let ''; default = null; }; - recursive = mkOption { - type = bool; - default = false; - }; }; })); }; @@ -85,23 +84,21 @@ let ]; buildPermission = perm: + #TODO: create folder maybe + #TODO: check if permission is valid if (perm.permission == null) then "" else - if perm.recursive then - "chmod -R ${perm.permission} ${perm.path}" - else - "chmod ${perm.permission} ${perm.path}" + "chmod ${perm.permission} ${perm.path}" ; buildOwner = perm: + #TODO: create folder maybe + #TODO: check if owner/group valid if (perm.owner == null) then "" else - if perm.recursive then - "chown -R ${perm.owner} ${perm.path}" - else - "chown ${perm.owner} ${perm.path}" + "chown ${perm.owner} ${perm.path}" ; in out -- cgit v1.2.3 
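Review bot: `"chmod ${perm.permission} ${perm.path}"` and the matching chown line in the last hunk still splice both values into the generated shell script unquoted, so a `path` containing whitespace or glob characters is split or expanded before chmod sees it; `"chmod ${perm.permission} \"${perm.path}\""` (and likewise for chown) keeps each value a single argument. The `#TODO: check if permission is valid` would be better satisfied at option level, since an invalid mode string is otherwise only caught when the service runs.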
From e8825282a610553fc5c8ca02c2549464c3546bfc Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 14 Aug 2015 15:48:17 +0200 Subject: {tv 2 => krebs 3} exim-smarthost --- krebs/3modules/default.nix | 1 + krebs/3modules/exim-smarthost.nix | 219 ++++++++++++++++++ tv/1systems/cd.nix | 54 ++++- tv/2configs/exim-smarthost.nix | 475 -------------------------------------- 4 files changed, 273 insertions(+), 476 deletions(-) create mode 100644 krebs/3modules/exim-smarthost.nix delete mode 100644 tv/2configs/exim-smarthost.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 9ad9c9f91..ba501d227 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -7,6 +7,7 @@ let out = { imports = [ ./exim-retiolum.nix + ./exim-smarthost.nix ./github-hosts-sync.nix ./git.nix ./nginx.nix diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix new file mode 100644 index 000000000..a564430ea --- /dev/null +++ b/krebs/3modules/exim-smarthost.nix 
@@ -0,0 +1,219 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.exim-smarthost; + + out = { + options.krebs.exim-smarthost = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.exim-smarthost"; + + internet-aliases = mkOption { + type = types.listOf (types.submodule ({ + options = { + from = mkOption { + type = types.str; # TODO e-mail address + }; + to = mkOption { + type = types.str; # TODO e-mail address / TODO listOf + }; + }; + })); + }; + + relay_from_hosts = mkOption { + type = with types; listOf str; + default = []; + }; + + primary_hostname = mkOption { + type = types.str; + default = "${config.networking.hostName}.retiolum"; + }; + + sender_domains = mkOption { + type = with types; listOf str; + default = []; + }; + + system-aliases = mkOption { + type = types.listOf (types.submodule ({ + options = { + from = mkOption { + type = types.str; # TODO e-mail address + }; + to = mkOption { + type = types.str; # TODO e-mail address / TODO listOf + }; + }; + })); + }; + }; + + imp = { + services.exim = { + enable = true; + config = '' + primary_hostname = ${cfg.primary_hostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". 
+ domainlist local_domains = @ : localhost + domainlist relay_to_domains = + hostlist relay_from_hosts = <;${concatStringsSep ";" ( + [ + "127.0.0.1" + "::1" + ] + ++ + cfg.relay_from_hosts + )} + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + never_users = root + + host_lookup = * + + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + accept + + + acl_check_data: + warn + sender_domains = ${concatStringsSep ":" cfg.sender_domains} + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! 
${cfg.primary_hostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + no_more + + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + + remote_smtp: + driver = smtp + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + }; + }; + + + lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit (cfg) internet-aliases; + inherit (cfg) system-aliases; + }; + + to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}"); + +in +out diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 54292eb83..cef87c03e 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -30,7 +30,6 @@ in ../2configs/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/consul-server.nix - ../2configs/exim-smarthost.nix ../2configs/git.nix { imports = [ ../2configs/charybdis.nix ]; 
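Review bot: `relay_from_hosts` is spliced straight into `hostlist relay_from_hosts`, and in acl_check_rcpt every entry receives `control = submission` without authenticating, yet the option carries no `description`; `internet-aliases`, `system-aliases` and `sender_domains` are undocumented too. The relay list deserves to be labelled as the privileged setting it is, e.g. `description = "Hosts allowed to relay through this server without authenticating; entries are exim host-list items joined with ';'."`. `to-lsearch` writes the alias tables with `toFile`, so they live in the world-readable store — fine for aliases, but a one-line comment saying so would stop anyone from putting credentials into those options later.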
@@ -45,6 +44,59 @@ in hosts = [ "jabber.viljetic.de" ]; }; } + { + krebs.exim-smarthost = { + enable = true; + primary_hostname = "${config.networking.hostName}.retiolum"; + sender_domains = [ + "shackspace.de" + "viljetic.de" + ]; + relay_from_hosts = [ + "10.243.13.37" + ]; + internet-aliases = with config.krebs.users; [ + { from = "tomislav@viljetic.de"; to = tv.mail; } + + # (mindestens) lisp-stammtisch und elli haben die: + { from = "tv@viljetic.de"; to = tv.mail; } + + { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; } + + { from = "mirko@viljetic.de"; to = mv.mail; } + + # TODO killme (wo wird die benutzt?) + { from = "tv@cd.retiolum"; to = tv.mail; } + + # TODO lists@smtp.retiolum [consul] + { from = "postmaster@krebsco.de"; to = tv.mail; } + + { from = "spam@krebsco.de"; + to = pkgs.lib.concatStringsSep "," [ + tv.mail + lass.mail + makefu.mail + ]; + } + ]; + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "tv"; } + { from = "mirko"; to = "mv"; } + ]; + }; + } { krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix deleted file mode 100644 index c93189b8a..000000000 --- a/tv/2configs/exim-smarthost.nix +++ /dev/null 
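Review bot: `relay_from_hosts = [ "10.243.13.37" ];` grants unauthenticated relay to a bare address with nothing saying which host it belongs to; a comment such as `# <hostname>: may relay through cd` lets the entry be re-checked when addresses change. `primary_hostname = "${config.networking.hostName}.retiolum";` repeats the module's own default and can be dropped.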
@@ -1,475 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (builtins) toFile; - inherit (pkgs.lib.attrsets) mapAttrs; - inherit (pkgs.lib.strings) concatMapStringsSep; -in - -{ - services.exim = - let - retiolumHostname = "${config.networking.hostName}.retiolum"; - - internet-aliases = with config.krebs.users; [ - { from = "tomislav@viljetic.de"; to = tv.mail; } - - # (mindestens) lisp-stammtisch und elli haben die: - { from = "tv@viljetic.de"; to = tv.mail; } - - { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; } - - { from = "mirko@viljetic.de"; to = mv.mail; } - - # TODO killme (wo wird die benutzt?) - { from = "tv@cd.retiolum"; to = tv.mail; } - - # TODO lists@smtp.retiolum [consul] - { from = "postmaster@krebsco.de"; to = tv.mail; } - ]; - - system-aliases = [ - { from = "mailer-daemon"; to = "postmaster"; } - { from = "postmaster"; to = "root"; } - { from = "nobody"; to = "root"; } - { from = "hostmaster"; to = "root"; } - { from = "usenet"; to = "root"; } - { from = "news"; to = "root"; } - { from = "webmaster"; to = "root"; } - { from = "www"; to = "root"; } - { from = "ftp"; to = "root"; } - { from = "abuse"; to = "root"; } - { from = "noc"; to = "root"; } - { from = "security"; to = "root"; } - { from = "root"; to = "tv"; } - { from = "mirko"; to = "mv"; } - ]; - - to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); - lsearch = - mapAttrs (name: set: toFile name (to-lsearch set)) { - inherit internet-aliases; - inherit system-aliases; - }; - in - { - enable = true; - config = - '' - primary_hostname = ${retiolumHostname} - - # HOST_REDIR contains the real destinations for "local_domains". - #HOST_REDIR = /etc/exim4/host_redirect - - - # Domains not listed in local_domains need to be deliverable remotely. - # XXX We abuse local_domains to mean "domains, we're the gateway for". 
- domainlist local_domains = @ : localhost - #: viljetic.de : SHACK_REDIR_HOSTNAME - domainlist relay_to_domains = - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 - - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data - - # av_scanner = clamd:/tmp/clamd - # spamd_address = 127.0.0.1 783 - - # tls_advertise_hosts = * - # tls_certificate = /etc/ssl/exim.crt - # tls_privatekey = /etc/ssl/exim.pem - # (debian) tls_verify_certificates (to check client certs) - - # daemon_smtp_ports = 25 : 465 : 587 - # tls_on_connect_ports = 465 - - # qualify_domain defaults to primary_hostname - # qualify_recipient defaults to qualify_domain - - # allow_domain_literals - - never_users = root - - host_lookup = * - - # ident callbacks for all incoming SMTP calls - rfc1413_hosts = * - rfc1413_query_timeout = 5s - - # sender_unqualified_hosts = - # recipient_unqualified_hosts = - - # percent_hack_domains = - - # arch & debian - #ignore_bounce_errors_after = 2d - #timeout_frozen_after = 7d - # debian - #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full - #freeze_tell = postmaster - #trusted_users = uucp - # arch - #split_spool_directory = true - - log_selector = -queue_run +address_rewrite +all_parents +queue_time - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false - - begin acl - - acl_check_rcpt: - # Accept if the source is local SMTP (i.e. not over TCP/IP). - # We do this by testing for an empty sending host field. - accept hosts = : - # arch & debian: - control = dkim_disable_verify - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - ## feature RETIOLUM_MAIL - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify - - #require verify = sender - - accept hosts = +relay_from_hosts - control = submission - # debian: control = submission/sender_retain - # arch & debian: - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - accept message = relay not permitted 2 - recipients = lsearch;${lsearch.internet-aliases} - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - require - message = unknown user - verify = recipient/callout - - # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # dnslists = black.list.example - # - # warn dnslists = black.list.example - # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain - # log_message = found in $dnslist_domain - - # Client SMTP Authorization (csa) checks on the sending host. - # Such checks do DNS lookups for special SRV records. - # require verify = csa - - accept - - - acl_check_data: - # see av_scanner - #deny malware = * - # message = This message contains a virus ($malware_name). - - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. 
- # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report - - # feature HELO_REWRITE - # XXX note that the public ip (162.219.5.183) resolves to viljetic.de - warn - sender_domains = viljetic.de : shackspace.de - set acl_m_special_dom = $sender_address_domain - - accept - - - begin routers - - # feature RETIOLUM_MAIL - retiolum: - debug_print = "R: retiolum for $local_part@$domain" - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = retiolum_smtp - route_list = ^.* $0 byname - no_more - - internet_aliases: - debug_print = "R: internet_aliases for $local_part@$domain" - driver = redirect - data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} - - dnslookup: - debug_print = "R: dnslookup for $local_part@$domain" - driver = dnslookup - domains = ! +local_domains - transport = remote_smtp - ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 - # if ipv6-enabled then instead use: - # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 - - # (debian) same_domain_copy_routing = yes - # (debian) ignore private rfc1918 and APIPA addresses - # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ - # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ - # 255.255.255.255 - - # Fail and bounce if the router does not find the domain in the DNS. - # I.e. no more routers are tried. - # There are a few cases where a dnslookup router will decline to accept an - # address; if such a router is expected to handle "all remaining non-local - # domains", then it is important to set no_more. 
- no_more - - # XXX this is only used because these "well known aliases" goto tv@cd.retiolum - # TODO bounce everything, there is no @cd.retiolum - system_aliases: - debug_print = "R: system_aliases for $local_part@$domain" - driver = redirect - data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} - - # TODO this is only b/c mv here... send mv's mails somewhere else... - local_user: - debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user - - begin transports - - retiolum_smtp: - driver = smtp - retry_include_ip_address = false - # serialize_hosts = TODO-all-slow-hosts - - remote_smtp: - driver = smtp - # debian has also stuff for tls, headers_rewrite and more here - - # feature HELO_REWRITE - # XXX note that the public ip (162.219.5.183) resolves to viljetic.de - helo_data = ''${if eq{$acl_m_special_dom}{} \ - {$primary_hostname} \ - {$acl_m_special_dom} } - - home_maildir: - driver = appendfile - maildir_format - maildir_use_size_file - directory = $home/Mail - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - - begin rewrite - begin authenticators - ''; - - - # group = mail - # mode = 0660 - - - #address_pipe: - # driver = pipe - # return_output - # - #address_file: - # driver = appendfile - # delivery_date_add - # envelope_to_add - # return_path_add - # - #address_reply: - # driver = autoreply - - - #maildrop_pipe: - # debug_print = "T: maildrop_pipe for $local_part@$domain" - # driver = pipe - # path = "/bin:/usr/bin:/usr/local/bin" - # command = "/usr/bin/maildrop" - # return_path_add - # delivery_date_add - # envelope_to_add - - - - - - ##begin retry - # Address or Domain Error Retries - - # Our host_redirect destinations might be offline a lot. 
- # TODO define fallback destinations(?) - #lsearch;${lsearch.internet-aliases} * F,42d,1m - - - ## begin rewrite - - # just in case (shackspace.de should already do this) - #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T - - - ## begin authenticators - #PLAIN: - # driver = plaintext - # server_set_id = $auth2 - # server_prompts = : - # server_condition = Authentication is not yet configured - # server_advertise_condition = ''${if def:tls_in_cipher } - - #LOGIN: - # driver = plaintext - # server_set_id = $auth1 - # server_prompts = <| Username: | Password: - # server_condition = Authentication is not yet configured - # server_advertise_condition = ''${if def:tls_in_cipher } - - - - }; - -} - -# config = '' -# primary_hostname = ${retiolumHostname} -# domainlist local_domains = @ : localhost -# domainlist relay_to_domains = *.retiolum -# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 -# -# acl_smtp_rcpt = acl_check_rcpt -# acl_smtp_data = acl_check_data -# -# host_lookup = * -# rfc1413_hosts = * -# rfc1413_query_timeout = 5s -# -# log_file_path = syslog -# syslog_timestamp = false -# syslog_duplication = false -# -# begin acl -# -# acl_check_rcpt: -# accept hosts = : -# control = dkim_disable_verify -# -# deny message = Restricted characters in address -# domains = +local_domains -# local_parts = ^[.] : ^.*[@%!/|] -# -# deny message = Restricted characters in address -# domains = !+local_domains -# local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ -# -# accept local_parts = postmaster -# domains = +local_domains -# -# #accept -# # hosts = *.retiolum -# # domains = *.retiolum -# # control = dkim_disable_verify -# -# #require verify = sender -# -# accept hosts = +relay_from_hosts -# control = submission -# control = dkim_disable_verify -# -# accept authenticated = * -# control = submission -# control = dkim_disable_verify -# -# require message = relay not permitted -# domains = +local_domains : +relay_to_domains -# -# require verify = recipient -# -# accept -# -# -# acl_check_data: -# accept -# -# -# begin routers -# -# retiolum: -# driver = manualroute -# domains = ! ${retiolumHostname} : *.retiolum -# transport = remote_smtp -# route_list = ^.* $0 byname -# no_more -# -# nonlocal: -# debug_print = "R: nonlocal for $local_part@$domain" -# driver = redirect -# domains = ! +local_domains -# allow_fail -# data = :fail: Mailing to remote domains not supported -# no_more -# -# local_user: -# # debug_print = "R: local_user for $local_part@$domain" -# driver = accept -# check_local_user -# # local_part_suffix = +* : -* -# # local_part_suffix_optional -# transport = home_maildir -# cannot_route_message = Unknown user -# -# -# begin transports -# -# remote_smtp: -# driver = smtp -# -# home_maildir: -# driver = appendfile -# maildir_format -# directory = $home/Maildir -# directory_mode = 0700 -# delivery_date_add -# envelope_to_add -# return_path_add -# # group = mail -# # mode = 0660 -# -# begin retry -# *.retiolum * F,42d,1m -# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h -# -# begin rewrite -# -# begin authenticators -# ''; -# }; -#} -- cgit v1.2.3 From 1ecc4b79fd96c413ba265617db690869ce0bd63e Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 14 Aug 2015 15:48:57 +0200 Subject: tv: krebs.exim-retiolum. *enable* = true --- tv/1systems/nomic.nix | 2 +- tv/1systems/wu.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 896c1ad29..6418cdc5e 100644 
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -38,7 +38,7 @@ with lib;
 };
 }
 {
- krebs.exim-retiolum = true;
+ krebs.exim-retiolum.enable = true;
 }
 {
 krebs.nginx = {
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index a5cbde3ec..20dbca12f 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -165,7 +165,7 @@ in
 };
 }
 {
- krebs.exim-retiolum = true;
+ krebs.exim-retiolum.enable = true;
 }
 {
 krebs.nginx = {
-- cgit v1.2.3
From c950117e0ce7b4d038f613475066a2cdb0e592e3 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 14 Aug 2015 15:50:09 +0200
Subject: tv cd: lass has no mail configure yet
--- tv/1systems/cd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index cef87c03e..659b95065 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -74,7 +74,7 @@ in
 { from = "spam@krebsco.de";
 to = pkgs.lib.concatStringsSep "," [
 tv.mail
- lass.mail
+ "lass@mors.retiolum"
 makefu.mail
 ];
 }
-- cgit v1.2.3
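Review bot: The new fan-out target `"lass@mors.retiolum"` in the cd.nix hunk is a hard-coded address that bypasses krebs.users, so nothing will flag this entry for cleanup once lass does set a mail address; mark it `"lass@mors.retiolum" # TODO use lass.mail once krebs.users.lass.mail is set`. Mail for a *.retiolum domain is handed by the manualroute router earlier in this series to the host named by the domain, and the `*.retiolum * F,42d,1m` retry rule there means every copy of spam@krebsco.de will sit in cd's queue for up to 42 days if mors is unreachable or not running an MTA, so it is worth confirming mors accepts mail for lass before this goes live. The enclosing internet-aliases list starts before the hunk.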