From 9f2a6465666ee7a69d9261beee0e5ab3cd133933 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 10:09:16 +0100 Subject: krebs: move github known hosts to dedicated file --- krebs/3modules/default.nix | 26 +---------------------- krebs/3modules/github-known-hosts.nix | 40 +++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 25 deletions(-) create mode 100644 krebs/3modules/github-known-hosts.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 2e7c61fb5..0b785c0cc 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -23,6 +23,7 @@ let ./exim-smarthost.nix ./fetchWallpaper.nix ./github-hosts-sync.nix + ./github-known-hosts.nix ./git.nix ./go.nix ./hidden-ssh.nix @@ -238,31 +239,6 @@ let }; }) // - { - github = { - hostNames = [ - "github.com" - # List generated with - # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob - "192.30.252.*" - "192.30.253.*" - "192.30.254.*" - "192.30.255.*" - "185.199.108.*" - "185.199.109.*" - "185.199.110.*" - "185.199.111.*" - "13.229.188.59" - "13.250.177.223" - "18.194.104.89" - "18.195.85.27" - "35.159.8.160" - "52.74.223.119" - ]; - publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; - }; - } - // mapAttrs (name: host: { hostNames = diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix new file mode 100644 index 000000000..def06f17a --- /dev/null +++ b/krebs/3modules/github-known-hosts.nix @@ -0,0 +1,40 @@ +{ + services.openssh.knownHosts.github = { + hostNames = [ + "github.com" + # List generated with + # curl -sS https://api.github.com/meta | jq -r .git[] | nix-shell -p cidr2glob --run cidr2glob | jq -R . + "192.30.252.*" + "192.30.253.*" + "192.30.254.*" + "192.30.255.*" + "185.199.108.*" + "185.199.109.*" + "185.199.110.*" + "185.199.111.*" + "140.82.112.*" + "140.82.113.*" + "140.82.114.*" + "140.82.115.*" + "140.82.116.*" + "140.82.117.*" + "140.82.118.*" + "140.82.119.*" + "140.82.120.*" + "140.82.121.*" + "140.82.122.*" + "140.82.123.*" + "140.82.124.*" + "140.82.125.*" + "140.82.126.*" + "140.82.127.*" + "13.229.188.59" + "13.250.177.223" + "18.194.104.89" + "18.195.85.27" + "35.159.8.160" + "52.74.223.119" + ]; + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; +} -- cgit v1.2.3 From 9082adf6878b5f917efc633cba63932d94942d13 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 10:22:18 +0100 Subject: krebs: move exim aliases to dedicated file --- krebs/3modules/default.nix | 45 --------------------------------------------- 1 file changed, 45 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 0b785c0cc..7b0f4ebf8 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -180,51 +180,6 @@ let ''; }; - krebs.exim-smarthost.internet-aliases = let - format = from: to: { - inherit from; - # TODO assert is-retiolum-mail-address to; - to = concatMapStringsSep "," (getAttr "mail") (toList to); - }; - in mapAttrsToList format (with config.krebs.users; let - brain-ml = [ - lass - makefu - tv - ]; - eloop-ml = spam-ml ++ [ ciko ]; - spam-ml = [ - lass - makefu - tv - ]; - ciko.mail = "ciko@slash16.net"; - in { - "anmeldung@eloop.org" = eloop-ml; - "brain@krebsco.de" = brain-ml; - "cfp@eloop.org" = eloop-ml; - "kontakt@eloop.org" = eloop-ml; - "root@eloop.org" = eloop-ml; - "youtube@eloop.org" = eloop-ml; - "eloop2016@krebsco.de" = eloop-ml; - "eloop2017@krebsco.de" = eloop-ml; - "postmaster@krebsco.de" = spam-ml; # RFC 822 - "lass@krebsco.de" = lass; - "makefu@krebsco.de" = makefu; - "spam@krebsco.de" = spam-ml; - "tv@krebsco.de" = tv; - # XXX These are no internet aliases - # XXX exim-retiolum hosts should be able to relay to retiolum addresses - "lass@retiolum" = lass; - "makefu@retiolum" = makefu; - "spam@retiolum" = spam-ml; - "tv@retiolum" = tv; - "lass@r" = lass; - "makefu@r" = makefu; - "spam@r" = spam-ml; - "tv@r" = tv; - }); - services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) (mkForce [privkey]); -- cgit v1.2.3 From da79d23ebbc0c3fb7c579b366f29fb3744948706 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 10:32:15 +0100 Subject: krebs: move dns stuff to dedicated file --- krebs/3modules/default.nix | 26 ++++++++------------------ krebs/3modules/dns.nix | 12 ++++++++++++ 2 files changed, 20 insertions(+), 18 deletions(-) create mode 100644 krebs/3modules/dns.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 7b0f4ebf8..21d68ef3f 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -18,6 +18,7 @@ let ./charybdis.nix ./ci.nix ./current.nix + ./dns.nix ./exim.nix ./exim-retiolum.nix ./exim-smarthost.nix @@ -59,12 +60,6 @@ let api = { enable = mkEnableOption "krebs"; - dns = { - providers = mkOption { - type = with types; attrsOf str; - }; - }; - hosts = mkOption { type = with types; attrsOf host; default = {}; @@ -74,13 +69,6 @@ let type = with types; attrsOf user; }; - # XXX is there a better place to define search-domain? - # TODO search-domains :: listOf hostname - search-domain = mkOption { - type = types.hostname; - default = "r"; - }; - sitemap = mkOption { default = {}; type = types.attrsOf types.sitemap.entry; @@ -126,6 +114,8 @@ let w = "hosts"; }; + krebs.dns.search-domain = mkDefault "r"; + krebs.users = { krebs = { home = "/krebs"; @@ -147,7 +137,7 @@ let let aliases = longs ++ shorts; longs = filter check net.aliases; - shorts = let s = ".${cfg.search-domain}"; in + shorts = let s = ".${cfg.dns.search-domain}"; in map (removeSuffix s) (filter (hasSuffix s) longs); in optionals @@ -203,8 +193,8 @@ let let longs = net.aliases; shorts = - map (removeSuffix ".${cfg.search-domain}") - (filter (hasSuffix ".${cfg.search-domain}") + map (removeSuffix ".${cfg.dns.search-domain}") + (filter (hasSuffix ".${cfg.dns.search-domain}") longs); add-port = a: if net.ssh.port != 22 @@ -228,8 +218,8 @@ let (concatMap (host: attrValues host.nets) (mapAttrsToList (_: host: recursiveUpdate host - (optionalAttrs (hasAttr config.krebs.search-domain host.nets) { - nets."" = host.nets.${config.krebs.search-domain} // { + (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) { + nets."" = host.nets.${cfg.dns.search-domain} // { aliases = [host.name]; addrs = []; }; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix new file mode 100644 index 000000000..b7e2a2cbb --- /dev/null +++ b/krebs/3modules/dns.nix @@ -0,0 +1,12 @@ +with import ; +{ + options = { + krebs.dns.providers = mkOption { + type = types.attrsOf types.str; + }; + + krebs.dns.search-domain = mkOption { + type = types.hostname; + }; + }; +} -- cgit v1.2.3 From 799f132d588f2a5f6c6dabc43e862c90d9efa4b7 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 10:54:01 +0100 Subject: krebs: move retiolum-hosts to dedicated file --- krebs/3modules/default.nix | 24 +----------------------- krebs/3modules/retiolum-hosts.nix | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 23 deletions(-) create mode 100644 krebs/3modules/retiolum-hosts.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 21d68ef3f..ea4d03ad6 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -43,6 +43,7 @@ let ./Reaktor.nix ./realwallpaper.nix ./retiolum-bootstrap.nix + ./retiolum-hosts.nix ./rtorrent.nix ./secret.nix ./setuid.nix @@ -147,29 +148,6 @@ let ) cfg.hosts )); - # TODO dedup with networking.extraHosts - nixpkgs.config.packageOverrides = oldpkgs: - let - domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); - check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; - in - { - retiolum-hosts = oldpkgs.writeText "retiolum-hosts" '' - ${concatStringsSep "\n" (flatten ( - map (host: - let - net = host.nets.retiolum; - aliases = longs; - longs = filter check net.aliases; - in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs) - ) (filter (host: hasAttr "retiolum" host.nets) - (attrValues cfg.hosts))))} - ''; - }; - services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) (mkForce [privkey]); diff --git a/krebs/3modules/retiolum-hosts.nix b/krebs/3modules/retiolum-hosts.nix new file mode 100644 index 000000000..2821d62d1 --- /dev/null +++ b/krebs/3modules/retiolum-hosts.nix @@ -0,0 +1,28 @@ +with import ; +{ config, ... }: let + # TODO dedup functions with networking.extraHosts + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); +in { + nixpkgs.config.packageOverrides = super: { + retiolum-hosts = + super.writeText "retiolum-hosts" '' + ${ + concatStringsSep + "\n" + (flatten + (map + (host: let + net = host.nets.retiolum; + aliases = longs; + longs = filter check net.aliases; + in + optionals + (aliases != []) + (map (addr: "${addr} ${toString aliases}") net.addrs)) + (filter (host: hasAttr "retiolum" host.nets) + (attrValues config.krebs.hosts)))) + } + ''; + }; +} -- cgit v1.2.3 From af0463b23493d8c31ce725beb8ff5a2fd0398001 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 11:04:37 +0100 Subject: krebs: move hosts to dedeicated file --- krebs/3modules/default.nix | 25 +------------------------ krebs/3modules/hosts.nix | 36 ++++++++++++++++++++++++++++++++++++ krebs/3modules/retiolum-hosts.nix | 2 +- 3 files changed, 38 insertions(+), 25 deletions(-) create mode 100644 krebs/3modules/hosts.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index ea4d03ad6..bb69bfad3 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./git.nix ./go.nix ./hidden-ssh.nix + ./hosts.nix ./htgen.nix ./iana-etc.nix ./iptables.nix @@ -61,11 +62,6 @@ let api = { enable = mkEnableOption "krebs"; - hosts = mkOption { - type = with types; attrsOf host; - default = {}; - }; - users = mkOption { type = with types; attrsOf user; }; @@ -129,25 +125,6 @@ let }; }; - networking.extraHosts = let - domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); - check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; - in concatStringsSep "\n" (flatten ( - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = longs ++ shorts; - longs = filter check net.aliases; - shorts = let s = ".${cfg.dns.search-domain}"; in - map (removeSuffix s) (filter (hasSuffix s) longs); - in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs) - ) (filterAttrs (name: host: host.aliases != []) host.nets) - ) cfg.hosts - )); - services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) (mkForce [privkey]); diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix new file mode 100644 index 000000000..a95557b3d --- /dev/null +++ b/krebs/3modules/hosts.nix @@ -0,0 +1,36 @@ +with import ; +{ config, ... }: let + # TODO dedup functions with ./retiolum-hosts.nix + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); +in { + + options = { + krebs.hosts = mkOption { + default = {}; + type = types.attrsOf types.host; + }; + }; + + config = { + networking.extraHosts = + concatStringsSep + "\n" + (flatten + (mapAttrsToList + (hostname: host: + mapAttrsToList + (netname: net: let + aliases = longs ++ shorts; + longs = filter check net.aliases; + shorts = let s = ".${config.krebs.dns.search-domain}"; in + map (removeSuffix s) (filter (hasSuffix s) longs); + in + optionals + (aliases != []) + (map (addr: "${addr} ${toString aliases}") net.addrs)) + (filterAttrs (name: host: host.aliases != []) host.nets)) + config.krebs.hosts)); + }; + +} diff --git a/krebs/3modules/retiolum-hosts.nix b/krebs/3modules/retiolum-hosts.nix index 2821d62d1..ddf85ead7 100644 --- a/krebs/3modules/retiolum-hosts.nix +++ b/krebs/3modules/retiolum-hosts.nix @@ -1,6 +1,6 @@ with import ; { config, ... }: let - # TODO dedup functions with networking.extraHosts + # TODO dedup functions with ./hosts.nix check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; domains = attrNames (filterAttrs (_: eq "hosts") config.krebs.dns.providers); in { -- cgit v1.2.3 From f1298103173cf1953be0e7c359f10d18894ce770 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 11:51:15 +0100 Subject: krebs hosts: extraHost -> hosts --- krebs/3modules/hosts.nix | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix index a95557b3d..0985bb539 100644 --- a/krebs/3modules/hosts.nix +++ b/krebs/3modules/hosts.nix @@ -13,24 +13,23 @@ in { }; config = { - networking.extraHosts = - concatStringsSep - "\n" - (flatten - (mapAttrsToList - (hostname: host: - mapAttrsToList - (netname: net: let + networking.hosts = + filterAttrs + (_name: value: value != []) + (zipAttrsWith + (_: concatLists) + (concatMap + (host: + concatMap + (net: let aliases = longs ++ shorts; longs = filter check net.aliases; shorts = let s = ".${config.krebs.dns.search-domain}"; in map (removeSuffix s) (filter (hasSuffix s) longs); in - optionals - (aliases != []) - (map (addr: "${addr} ${toString aliases}") net.addrs)) - (filterAttrs (name: host: host.aliases != []) host.nets)) - config.krebs.hosts)); + map (addr: { ${addr} = aliases; }) net.addrs) + (attrValues host.nets)) + (attrValues config.krebs.hosts))); }; } -- cgit v1.2.3 From fabef3638584e88be50b10ec1cf3649b98752eac Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 21 Jan 2019 12:11:03 +0100 Subject: reaktor2 service: init --- krebs/3modules/reaktor2.nix | 63 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 krebs/3modules/reaktor2.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix new file mode 100644 index 000000000..b667bcc92 --- /dev/null +++ b/krebs/3modules/reaktor2.nix @@ -0,0 +1,63 @@ +with import ; +{ config, pkgs, ... }: { + + options.krebs.reaktor2 = mkOption { + default = {}; + type = types.attrsOf (types.submodule (self: let + name = self.config._module.args.name; + in { + options = { + nick = mkOption { + default = name; + # TODO types.irc.nickname + type = types.str; + }; + hostname = mkOption { + default = "irc.r"; + type = types.hostname; + }; + port = mkOption { + default = "6667"; + # TODO type = types.service-name + }; + plugins = mkOption { + default = []; + type = types.listOf types.attrs; + }; + stateDir = mkOption { + default = "/var/lib/${self.config.systemd-service-name}"; + readOnly = true; + type = types.absolute-pathname; + }; + systemd-service-name = mkOption { + default = "reaktor2${optionalString (name != "default") "-${name}"}"; + type = types.filename; + }; + }; + })); + }; + + config = { + systemd.services = flip mapAttrs' config.krebs.reaktor2 (_: cfg: + nameValuePair cfg.systemd-service-name { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = cfg.systemd-service-name; + Group = "reaktor2"; + DynamicUser = true; + StateDirectory = cfg.systemd-service-name; + ExecStart = let + configFile = pkgs.writeJSON configFileName configValue; + configFileName = "${cfg.systemd-service-name}.config.json"; + configValue = recursiveUpdate { + logTime = false; + } (removeAttrs cfg ["_module"]); + in "${pkgs.reaktor2}/bin/reaktor ${configFile}"; + Restart = "always"; + RestartSec = "30"; + }; + } + ); + }; +} -- cgit v1.2.3