From ac64527c5707cca5fc6e6e6ecf3957129cdb32b2 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 28 Jul 2015 20:28:21 +0200
Subject: lass: port everything to stockholm
---
lass/3modules/default.nix | 8 ++
lass/3modules/iptables.nix | 187 +++++++++++++++++++++++++++++++++++++++++++
lass/3modules/sshkeys.nix | 26 ++++++
lass/3modules/urxvtd.nix | 55 +++++++++++++
lass/3modules/xresources.nix | 57 +++++++++++++
5 files changed, 333 insertions(+)
create mode 100644 lass/3modules/default.nix
create mode 100644 lass/3modules/iptables.nix
create mode 100644 lass/3modules/sshkeys.nix
create mode 100644 lass/3modules/urxvtd.nix
create mode 100644 lass/3modules/xresources.nix
(limited to 'lass/3modules')
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
new file mode 100644
index 000000000..d4e231ec7
--- /dev/null
+++ b/lass/3modules/default.nix
@@ -0,0 +1,8 @@
+_:
+
+{
+ imports = [
+ ./xresources.nix
+ ./iptables.nix
+ ];
+}
diff --git a/lass/3modules/iptables.nix b/lass/3modules/iptables.nix
new file mode 100644
index 000000000..8c6ad3fa1
--- /dev/null
+++ b/lass/3modules/iptables.nix
@@ -0,0 +1,187 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+ inherit (pkgs) writeScript writeText;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ attrNames
+ unique
+ fold
+ any
+ attrValues
+ catAttrs
+ filter
+ flatten
+ length
+ hasAttr
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ sort;
+
+ elemIsIn = a: as:
+ any (x: x == a) as;
+
+ cfg = config.lass.iptables;
+
+ out = {
+ options.lass.iptables = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "iptables";
+
+ #tables.filter.INPUT = {
+ # policy = "DROP";
+ # rules = [
+ # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+ # ];
+ #};
+ #new api
+ tables = mkOption {
+ type = with types; attrsOf (attrsOf (submodule ({
+ options = {
+ policy = mkOption {
+ type = str;
+ default = "-";
+ };
+ rules = mkOption {
+ type = nullOr (listOf (submodule ({
+ options = {
+ predicate = mkOption {
+ type = str;
+ };
+ target = mkOption {
+ type = str;
+ };
+ precedence = mkOption {
+ type = int;
+ default = 0;
+ };
+ };
+ })));
+ default = null;
+ };
+ };
+ })));
+ };
+ };
+
+ imp = {
+ networking.firewall.enable = false;
+
+ systemd.services.lass-iptables = {
+ description = "lass-iptables";
+ wantedBy = [ "network-pre.target" ];
+ before = [ "network-pre.target" ];
+ after = [ "systemd-modules-load.service" ];
+
+ path = with pkgs; [
+ iptables
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript} lass-iptables_start";
+ };
+ };
+ };
+
+ #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
+ #todo: differentiate by iptables-version
+ buildTables = v: ts:
+ let
+
+ declareChain = t: cn:
+ #TODO: find out what to do whit these count numbers
+ ":${cn} ${t."${cn}".policy} [0:0]";
+
+ buildChain = tn: cn:
+ let
+ sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+
+ in
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then + if (ts."${tn}"."${cn}".rules == null) then + "" + else + concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] + ++ map (buildRule tn cn) sortedRules + ) + else + "" + ; + + + buildRule = tn: cn: rule: + #target validation test: + assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); + + #predicate validation test: + #maybe use iptables-test + #TODO: howto exit with evaluation error by shellscript? + #apperantly not possible from nix because evalatution wouldn't be deterministic. + "${rule.predicate} -j ${rule.target}"; + + buildTable = tn: + "*${tn}\n" + + concatStringsSep "\n" ([] + ++ map (declareChain ts."${tn}") (attrNames ts."${tn}") + ) + + #this looks dirty, find a better way to do this (maybe optionalString) + concatStringsSep "" ([] + ++ map (buildChain tn) (attrNames ts."${tn}") + ) + + "\nCOMMIT"; + in + concatStringsSep "\n" ([] + ++ map buildTable (attrNames ts) + ); + +#===== + + rules4 = iptables-version: + let + #TODO: find out good defaults. + tables-defaults = { + nat.PREROUTING.policy = "ACCEPT"; + nat.INPUT.policy = "ACCEPT"; + nat.OUTPUT.policy = "ACCEPT"; + nat.POSTROUTING.policy = "ACCEPT"; + filter.INPUT.policy = "ACCEPT"; + filter.FORWARD.policy = "ACCEPT"; + filter.OUTPUT.policy = "ACCEPT"; + + #if someone specifies any other rules on this chain, the default rules get lost. + #is this wanted beahiviour or a bug? + #TODO: implement abstraction of rules + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]; + }; + tables = tables-defaults // cfg.tables; + + in + writeText "lass-iptables-rules${toString iptables-version}" '' + ${buildTables iptables-version tables} + ''; + + startScript = writeScript "lass-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules4 4} + ip6tables-restore < ${rules4 6} + ''; + +in +out + 
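Review bot: `Type = "simple"` makes the `before = [ "network-pre.target" ]` ordering ineffective: systemd treats a simple service as started the moment the process is forked, so the network can come up before `iptables-restore` has actually installed the ruleset; `Type = "oneshot"` with `RemainAfterExit = true` is what makes the ordering hold, and `Restart = "always"` has to go with it because it is not accepted for oneshot units. `network-pre.target` is also a passive target, so `wantedBy = [ "network-pre.target" ]` only starts this unit if some other unit happens to want that target; pull it in explicitly with `wants = [ "network-pre.target" ]` and hook the unit into `multi-user.target`. Note that enabling the module sets `networking.firewall.enable = false` while `tables-defaults` gives every filter chain `policy = "ACCEPT"`, so a host that enables `lass.iptables` without setting `tables.filter.INPUT` ends up with an open INPUT chain — worth stating in the `enable`/`tables` descriptions. Finally, `tables-defaults // cfg.tables` is a shallow merge, so setting any `tables.filter.*` chain replaces the whole default `filter` table (FORWARD/OUTPUT policies included) rather than just the chain being configured; `lib.recursiveUpdate` keeps the untouched chains.
```nix
systemd.services.lass-iptables = {
  description = "lass-iptables";
  # network-pre.target is passive: pull it in ourselves and order before it
  wantedBy = [ "multi-user.target" ];
  wants = [ "network-pre.target" ];
  before = [ "network-pre.target" ];
  after = [ "systemd-modules-load.service" ];
  # … unchanged: path, restartIfChanged …
  serviceConfig = {
    # oneshot: the unit only counts as started once iptables-restore has returned
    Type = "oneshot";
    RemainAfterExit = true;
    ExecStart = "@${startScript} lass-iptables_start";
  };
};
# … unchanged: buildTables, tables-defaults …
# deep merge so a user-set chain does not discard the other default chains
tables = lib.recursiveUpdate tables-defaults cfg.tables;
```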
diff --git a/lass/3modules/sshkeys.nix b/lass/3modules/sshkeys.nix
new file mode 100644
index 000000000..5f1c60668
--- /dev/null
+++ b/lass/3modules/sshkeys.nix
@@ -0,0 +1,26 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ options = {
+ sshKeys = mkOption {
+ type = types.attrsOf (types.submodule (
+ { config, ... }:
+ {
+ options = {
+ pub = mkOption {
+ type = types.str;
+ description = "Public part of the ssh key.";
+ };
+
+ priv = mkOption {
+ type = types.str;
+ description = "Private part of the ssh key.";
+ };
+ };
+ }));
+ description = "collection of ssh-keys";
+ };
+ };
+}
diff --git a/lass/3modules/urxvtd.nix b/lass/3modules/urxvtd.nix
new file mode 100644
index 000000000..469616a9f
--- /dev/null
+++ b/lass/3modules/urxvtd.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+let
+in
+
+with builtins;
+with lib;
+
+{
+ options = {
+ services.urxvtd = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable urxvtd per user";
+ };
+ users = mkOption {
+ type = types.listOf types.string;
+ default = [];
+ description = "users to run urxvtd for";
+ };
+ urxvtPackage = mkOption {
+ type = types.package;
+ default = pkgs.rxvt_unicode;
+ description = "urxvt package to use";
+ };
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.urxvtd;
+ users = cfg.users;
+ urxvt = cfg.urxvtPackage;
+ mkService = user: {
+ description = "urxvt terminal daemon";
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ path = [ pkgs.xlibs.xrdb ];
+ environment = {
+ DISPLAY = ":0";
+ URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl";
+ };
+ serviceConfig = {
+ Restart = "always";
+ User = user;
+ ExecStart = "${urxvt}/bin/urxvtd";
+ };
+ };
+ in
+ mkIf cfg.enable {
+ environment.systemPackages = [ urxvt ];
+ systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+ };
+}
diff --git a/lass/3modules/xresources.nix b/lass/3modules/xresources.nix
new file mode 100644
index 000000000..15c5b8b74
--- /dev/null
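Review bot: The `priv` option is typed `types.str`, so private key material is meant to travel as a plain value inside the evaluated configuration; nothing in this hunk consumes it, but any consumer that interpolates it into a derivation (`writeText`, an `environment.etc` entry, a script) copies it into the world-readable `/nix/store`. Prefer an out-of-band deployed file referenced by a `types.path` option, or at least make the constraint explicit in the option: `description = "Private part of the ssh key. Never interpolate this into a derivation: anything in /nix/store is world-readable.";`. The `{ config, ... }:` submodule argument is unused and can be dropped.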
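Review bot: `users` is typed `types.listOf types.string`; `types.string` is the loose, concatenating string type, and `types.str` is the one meant for values such as user names, so `type = types.listOf types.str;` is the intended declaration. The generated units hard-code `DISPLAY = ":0"`, are pulled in by `multi-user.target`, and carry `Restart = "always"`, so on a host where that display is not up systemd will keep restarting `urxvtd` until the start-rate limit trips — `Restart = "on-failure"` with a `RestartSec`, or a user unit, avoids that loop; confirm against how these hosts run X. A one-line comment on `mkService` noting that it yields one system unit per listed user running under `User = user` would help the next reader.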
+++ b/lass/3modules/xresources.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+#TODO:
+#prefix with Attribute Name
+#ex: urxvt
+
+#
+#
+with builtins;
+with lib;
+
+
+let
+
+ inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
+ inherit (pkgs) writeScript;
+
+in
+
+{
+
+ options = {
+ services.xresources.enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to enable the automatic loading of Xresources definitions at display-manager start;
+ '';
+ };
+
+ services.xresources.resources = mkOption {
+ default = {};
+ type = types.attrsOf types.str;
+ example = {
+ urxvt = ''
+ URxvt*scrollBar: false
+ URxvt*urgentOnBell: true
+ '';
+ };
+ description = ''
+ Xresources definitions.
+ '';
+ };
+ };
+
+ config =
+ let
+ cfg = config.services.xresources;
+ xres = concatStringsSep "\n" (attrValues cfg.resources);
+
+ in mkIf cfg.enable {
+ services.xserver.displayManager.sessionCommands = ''
+ echo ${shell-escape xres} | xrdb -merge
+ '';
+ };
+
+}
-- cgit v1.3.1
From fa175ca26e533b62f3afc11709ef1689647c558c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 28 Jul 2015 22:20:59 +0200
Subject: lass: move everything to user-toplevel pt. 2
---
lass/1systems/cloudkrebs.nix | 1 +
lass/1systems/mors.nix | 35 ++++++++++++++++++-----------------
lass/1systems/uriel.nix | 1 +
lass/2configs/base.nix | 4 ++--
lass/2configs/identity.nix | 4 +++-
lass/2configs/mors/retiolum.nix | 21 ---------------------
lass/2configs/new-repos.nix | 2 +-
lass/2configs/retiolum.nix | 4 ++--
lass/2configs/sshkeys.nix | 2 +-
lass/2configs/urxvt.nix | 4 ++--
lass/3modules/xresources.nix | 2 +-
11 files changed, 32 insertions(+), 48 deletions(-)
delete mode 100644 lass/2configs/mors/retiolum.nix
(limited to 'lass/3modules')
diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix
index 30a7fb51c..a60024b03 100644
--- a/lass/1systems/cloudkrebs.nix
+++ b/lass/1systems/cloudkrebs.nix
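Review bot: `echo ${shell-escape xres} | xrdb -merge` pushes the resource text through `echo`, and in `sh` implementations such as dash `echo` interprets backslash escapes; Xresources values routinely contain `\033`-style sequences (keysym bindings, colour escapes), which would be rewritten before `xrdb` ever sees them. `printf '%s\n' ${shell-escape xres} | xrdb -merge` passes the text through verbatim regardless of which shell runs `sessionCommands`. The `enable` description also ends with a stray `;` — `at display-manager start.` reads better.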
@@ -24,6 +24,7 @@
 ];
 krebs.build = {
+ user = config.krebs.users.lass;
 target = "root@cloudkrebs";
 host = config.krebs.hosts.cloudkrebs;
 deps = {
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 3519bff66..5bef56682 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -2,27 +2,28 @@
 {
 imports = [
- ../../2configs/lass/desktop-base.nix
- ../../2configs/lass/programs.nix
- ../../2configs/lass/bitcoin.nix
- ../../2configs/lass/browsers.nix
- ../../2configs/lass/games.nix
- ../../2configs/lass/pass.nix
- ../../2configs/lass/virtualbox.nix
- ../../2configs/lass/elster.nix
- ../../2configs/lass/urxvt.nix
- ../../2configs/lass/steam.nix
- ../../2configs/lass/wine.nix
- ../../2configs/lass/texlive.nix
- ../../2configs/lass/binary-caches.nix
- ../../2configs/lass/ircd.nix
- ../../2configs/lass/chromium-patched.nix
- ../../2configs/lass/new-repos.nix
+ ../2configs/desktop-base.nix
+ ../2configs/programs.nix
+ ../2configs/bitcoin.nix
+ ../2configs/browsers.nix
+ ../2configs/games.nix
+ ../2configs/pass.nix
+ ../2configs/virtualbox.nix
+ ../2configs/elster.nix
+ ../2configs/urxvt.nix
+ ../2configs/steam.nix
+ ../2configs/wine.nix
+ ../2configs/texlive.nix
+ ../2configs/binary-caches.nix
+ ../2configs/ircd.nix
+ ../2configs/chromium-patched.nix
+ ../2configs/new-repos.nix
 #../../2configs/tv/synaptics.nix
- ../../2configs/lass/retiolum.nix
+ ../2configs/retiolum.nix
 ];
 krebs.build = {
+ user = config.krebs.users.lass;
 target = "root@mors";
 host = config.krebs.hosts.mors;
 deps = {
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 8984004e1..74d995560 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -24,6 +24,7 @@ with builtins;
 ];
 krebs.build = {
+ user = config.krebs.users.lass;
 target = "root@uriel";
 host = config.krebs.hosts.uriel;
 deps = {
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 8d4a9c896..8379f14e4 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -3,8 +3,8 @@ with lib;
 {
 imports = [
- ../../3modules/lass/iptables.nix
- ../../2configs/lass/vim.nix
+ ../3modules/iptables.nix
+ ../2configs/vim.nix
 {
 users.extraUsers =
 mapAttrs (_: h: { hashedPassword = h; })
diff --git a/lass/2configs/identity.nix b/lass/2configs/identity.nix
index bfaad14d2..e712b16ac 100644
--- a/lass/2configs/identity.nix
+++ b/lass/2configs/identity.nix
@@ -1,7 +1,9 @@
 { config, ... }:
 {
- imports = [ ../../3modules/tv/identity.nix ];
+ imports = [
+ ../../tv/3modules/identity.nix
+ ];
 tv.identity = {
 enable = true;
 search = "retiolum";
diff --git a/lass/2configs/mors/retiolum.nix b/lass/2configs/mors/retiolum.nix
deleted file mode 100644
index 1148bee9c..000000000
--- a/lass/2configs/mors/retiolum.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/retiolum
- ];
-
- tv.retiolum = {
- enable = true;
- hosts = ;
- privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix
index 809091b32..64e9a7f14 100644
--- a/lass/2configs/new-repos.nix
+++ b/lass/2configs/new-repos.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ../../tv/lib { inherit lib pkgs; };
+with import ../../tv/4lib { inherit lib pkgs; };
 let
 out = {
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 95890f70e..b8a9cec72 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -2,8 +2,8 @@
 {
 imports = [
- ../../3modules/lass/iptables.nix
- ../../tv/configs/exim-retiolum.nix
+ ../3modules/iptables.nix
+ ../../tv/2configs/exim-retiolum.nix
 ];
 lass.iptables = {
diff --git a/lass/2configs/sshkeys.nix b/lass/2configs/sshkeys.nix
index 114a2596b..f6081cf37 100644
--- a/lass/2configs/sshkeys.nix
+++ b/lass/2configs/sshkeys.nix
@@ -2,7 +2,7 @@
 {
 imports = [
- ../../3modules/lass/sshkeys.nix
+ ../3modules/sshkeys.nix
 ];
 config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors";
diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix
index a2074ba02..1358dde7a 100644
--- a/lass/2configs/urxvt.nix
+++ b/lass/2configs/urxvt.nix
@@ -7,8 +7,8 @@ in
 {
 imports = [
- ../../3modules/lass/urxvtd.nix
- ../../3modules/lass/xresources.nix
+ ../3modules/urxvtd.nix
+ ../3modules/xresources.nix
 ];
 services.urxvtd = {
diff --git a/lass/3modules/xresources.nix b/lass/3modules/xresources.nix
index 15c5b8b74..074963022 100644
--- a/lass/3modules/xresources.nix
+++ b/lass/3modules/xresources.nix
@@ -12,7 +12,7 @@ with lib;
 let
- inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape;
+ inherit (import ../../tv/4lib { inherit pkgs lib; }) shell-escape;
 inherit (pkgs) writeScript;
 in
-- cgit v1.3.1