From d629bee9546fa6ed6a018f2b6d491a851ad12738 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 13 Jul 2015 13:39:49 +0200
Subject: "rebase"
---
 old/modules/lass/base.nix | 61 ++++++++++------
 old/modules/lass/desktop-base.nix | 30 +++++++-
 old/modules/lass/iptables/config.nix | 119 +++++++++++++++++++++++++++++++
 old/modules/lass/iptables/default.nix | 11 +++
 old/modules/lass/iptables/options.nix | 44 ++++++++++++
 old/modules/lass/ircd.nix | 27 ++++---
 old/modules/lass/retiolum-cloudkrebs.nix | 21 ------
 old/modules/lass/retiolum-mors.nix | 21 ------
 old/modules/lass/retiolum-uriel.nix | 21 ------
 old/modules/lass/vim.nix | 2 +
 old/modules/lass/xserver-lass.nix | 43 -----------
 11 files changed, 261 insertions(+), 139 deletions(-)
 create mode 100644 old/modules/lass/iptables/config.nix
 create mode 100644 old/modules/lass/iptables/default.nix
 create mode 100644 old/modules/lass/iptables/options.nix
 delete mode 100644 old/modules/lass/retiolum-cloudkrebs.nix
 delete mode 100644 old/modules/lass/retiolum-mors.nix
 delete mode 100644 old/modules/lass/retiolum-uriel.nix
 delete mode 100644 old/modules/lass/xserver-lass.nix
(limited to 'old/modules/lass')
diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix
index 3a8d879eb..159372a24 100644
--- a/old/modules/lass/base.nix
+++ b/old/modules/lass/base.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./sshkeys.nix
+ ./iptables
 ];
 nix.useChroot = true;
@@ -65,6 +66,10 @@
 '';
 };
+ security.setuidPrograms = [
+ "sendmail"
+ ];
+
 services.gitolite = {
 enable = true;
 dataDir = "/home/gitolite";
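Review bot: `security.setuidPrograms = [ "sendmail" ]` adds a setuid-root wrapper, but the hunk shows neither which package provides `sendmail` nor why it needs elevated privileges, so the new privilege surface cannot be reviewed from this change alone. A one-line comment above the list, e.g. `# setuid so unprivileged users and cron jobs can hand mail to the local MTA queue`, or a pointer to the module that configures the MTA, would make the intent explicit; if no MTA is configured on these hosts the entry should be dropped. The option name suggests the wrapper is built for whichever `sendmail` happens to be installed, which is worth confirming before it lands in a base module shared by every host.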
@@ -84,27 +89,41 @@
 RuntimeMaxUse=128M
 '';
- networking.firewall = {
+ lass.iptables = {
 enable = true;
-
- allowedTCPPorts = [
- 22
- ];
-
- extraCommands = ''
- iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- iptables -A INPUT -j ACCEPT -i lo
- iptables -A INPUT -j ACCEPT -p icmp
-
- #iptables -N Retiolum
- iptables -A INPUT -j Retiolum -i retiolum
- iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
- iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
- iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
- iptables -A Retiolum -j REJECT
- '';
-
- extraStopCommands = "iptables -F";
+ tables = {
+ filter.INPUT.policy = "DROP";
+ filter.FORWARD.policy = "DROP";
+ filter.INPUT.rules = [
+ { predicate = "-i lo"; target = "ACCEPT"; }
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { predicate = "-p icmp"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
+ ];
+ };
 };
+
+ #Networking.firewall = {
+ # enable = true;
+
+ # allowedTCPPorts = [
+ # 22
+ # ];
+
+ # extraCommands = ''
+ # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ # iptables -A INPUT -j ACCEPT -i lo
+ # #http://serverfault.com/questions/84963/why-not-block-icmp
+ # iptables -A INPUT -j ACCEPT -p icmp
+
+ # #TODO: fix Retiolum firewall
+ # #iptables -N RETIOLUM
+ # #iptables -A INPUT -j RETIOLUM -i retiolum
+ # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
+ # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
+ # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
+ # #iptables -A RETIOLUM -j REJECT
+ # '';
+ #};
 }
diff --git a/old/modules/lass/desktop-base.nix b/old/modules/lass/desktop-base.nix
index 94184548e..ee7a94bc9 100644
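Review bot: The new `tables` block leaves `filter.OUTPUT` undeclared: config.nix merges `tables-defaults // cfg.tables` with a shallow `//`, so supplying any `filter.*` key here replaces the whole default `filter` table and neither `filter.OUTPUT.policy` nor the default conntrack rule is emitted for this host. The generated `*filter` section then declares INPUT and FORWARD only, and the OUTPUT policy is whatever iptables-restore leaves in place (presumably ACCEPT); spelling it out with `filter.OUTPUT.policy = "ACCEPT";` keeps the intended posture visible in the ruleset. The removed Retiolum chain answered unmatched traffic on the retiolum interface with REJECT, while the new INPUT DROP policy silently discards it — a behaviour change the `#TODO: fix Retiolum firewall` comment should mention. The large commented-out `#Networking.firewall` block duplicates history that git already keeps and could simply be deleted.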
--- a/old/modules/lass/desktop-base.nix
+++ b/old/modules/lass/desktop-base.nix
@@ -1,6 +1,8 @@
 { config, pkgs, ... }:
-{
+let
+ mainUser = config.users.extraUsers.mainUser;
+in {
 imports = [
 ./base.nix
 ];
@@ -34,4 +36,30 @@
 xlibs.fontschumachermisc
 ];
+ fonts.fonts = [
+ pkgs.xlibs.fontschumachermisc
+ ];
+
+ services.xserver = {
+ enable = true;
+
+ windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
+ X11-xshape
+ ];
+ windowManager.xmonad.enable = true;
+ windowManager.xmonad.enableContribAndExtras = true;
+ windowManager.default = "xmonad";
+ desktopManager.default = "none";
+ desktopManager.xterm.enable = false;
+ displayManager.slim.enable = true;
+ displayManager.auto.enable = true;
+ displayManager.auto.user = mainUser.name;
+
+ layout = "us,de";
+ xkbModel = "evdev";
+ xkbVariant = "altgr-intl,nodeadkeys";
+ xkbOptions = "grp:caps_toggle";
+
+ };
+
 }
diff --git a/old/modules/lass/iptables/config.nix b/old/modules/lass/iptables/config.nix
new file mode 100644
index 000000000..be521feb9
--- /dev/null
+++ b/old/modules/lass/iptables/config.nix
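Review bot: `displayManager.auto.enable = true` together with `displayManager.auto.user = mainUser.name` starts an X session for that user with no password prompt, and the hunk carries this over from xserver-lass.nix without a word on why the login screen is bypassed in a base desktop profile. A short comment next to the two lines, e.g. `# intentional: mainUser is logged in without a display-manager password prompt`, records the trade-off for the next reader. The new `fonts.fonts` entry repeats `xlibs.fontschumachermisc`, which the context line above already lists in a collection whose head is outside the hunk; that may be intended, but it reads like a leftover from the merge.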
@@ -0,0 +1,119 @@
+{ cfg, lib, pkgs, ... }:
+
+let
+ inherit (pkgs) writeScript writeText;
+ inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr;
+
+#===== new api v4
+
+ #buildTable :: iptablesAttrSet` -> str
+ #todo: differentiate by iptables-version
+ buildTables = iptv: ts:
+ let
+ declareChain = t: cn:
+ #TODO: find out what to do whit these count numbers
+ ":${cn} ${t."${cn}".policy} [0:0]";
+
+ buildChain = tn: cn:
+ #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
+
+ #TODO: sort by precedence
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then
+ if (ts."${tn}"."${cn}".rules == null) then
+ ""
+ else
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map buildRule ts."${tn}"."${cn}".rules
+ )
+ else
+ ""
+ ;
+
+
+ buildRule = rule:
+ #TODO implement rule validation-test here
+ #
+ #target:
+ #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+
+ #predicate:
+ #maybe use iptables-test
+ #TODO: howto exit with evaluation error by shellscript?
+ #apperantly not possible from nix because evalatution wouldn't be deterministic.
+ "${rule.predicate} -j ${rule.target}";
+
+ buildTable = tn:
+ "*${tn}\n"
+ + concatStringsSep "\n" ([]
+ ++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
+ )
+ #this looks dirty, find a better way to do this (maybe optionalString)
+ + concatStringsSep "" ([]
+ ++ map (buildChain tn) (attrNames ts."${tn}")
+ )
+ + "\nCOMMIT";
+ in
+ concatStringsSep "\n" ([]
+ ++ map buildTable (attrNames ts)
+ );
+
+#=====
+
+ rules4 = iptables-version:
+ let
+ #TODO: find out good defaults.
+ tables-defaults = {
+ nat.PREROUTING.policy = "ACCEPT";
+ nat.INPUT.policy = "ACCEPT";
+ nat.OUTPUT.policy = "ACCEPT";
+ nat.POSTROUTING.policy = "ACCEPT";
+ filter.INPUT.policy = "ACCEPT";
+ filter.FORWARD.policy = "ACCEPT";
+ filter.OUTPUT.policy = "ACCEPT";
+
+ #if someone specifies any other rules on this chain, the default rules get lost.
+ #is this wanted beahiviour or a bug?
+ #TODO: implement abstraction of rules
+ filter.INPUT.rules = [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ ];
+ };
+ tables = tables-defaults // cfg.tables;
+
+ in
+ writeText "lass-iptables-rules${toString iptables-version}" ''
+ ${buildTables iptables-version tables}
+ '';
+
+ startScript = writeScript "lass-iptables_start" ''
+ #! /bin/sh
+ set -euf
+ iptables-restore < ${rules4 4}
+ ip6tables-restore < ${rules4 6}
+ '';
+in
+
+{
+ networking.firewall.enable = false;
+
+ systemd.services.lass-iptables = {
+ description = "lass-iptables";
+ wantedBy = [ "network-pre.target" ];
+ before = [ "network-pre.target" ];
+ after = [ "systemd-modules-load.service" ];
+
+ path = with pkgs; [
+ iptables
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ Type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript} lass-iptables_start";
+ };
+ };
+}
diff --git a/old/modules/lass/iptables/default.nix b/old/modules/lass/iptables/default.nix
new file mode 100644
index 000000000..7d46d4563
--- /dev/null
+++ b/old/modules/lass/iptables/default.nix
@@ -0,0 +1,11 @@
+arg@{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.lass.iptables;
+ arg' = arg // { inherit cfg; };
+in
+
+{
+ options.lass.iptables = import ./options.nix arg';
+ config = lib.mkIf cfg.enable (import ./config.nix arg');
+}
diff --git a/old/modules/lass/iptables/options.nix b/old/modules/lass/iptables/options.nix
new file mode 100644
index 000000000..eb3bfc011
--- /dev/null
+++ b/old/modules/lass/iptables/options.nix
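Review bot: `Type = "simple"` in `serviceConfig` makes systemd consider lass-iptables started as soon as its process is forked, so `before = [ "network-pre.target" ]` does not actually hold the network back until `iptables-restore` has loaded the rules; with the DROP policies this module is meant to install, interfaces can come up before the filter is in place. `Type = "oneshot";` with the existing `RemainAfterExit = true` blocks until the start script has exited, and `Restart = "always"` should be dropped with it: it re-runs a unit that exited cleanly, and systemd does not accept it for oneshot services. Two more points in this hunk: `tables = tables-defaults // cfg.tables;` merges only the top level, so any user-supplied `filter` attribute discards every `filter` default including `filter.OUTPUT.policy` — `lib.recursiveUpdate` (added to the `inherit (lib)` list) would merge per chain instead; and `rules4` feeds the identical ruleset to `ip6tables-restore`, so whether a caller's `-p icmp` predicate matches ICMPv6 should be confirmed, because under an INPUT DROP policy a miss silently breaks IPv6 neighbour discovery. The unused `iptv` parameter of `buildTables` is where such per-version differences belong, as the `#todo` above it already notes.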
@@ -0,0 +1,44 @@
+{ lib, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption types;
+in
+
+{
+ enable = mkEnableOption "iptables";
+
+ #tables.filter.INPUT = {
+ # policy = "DROP";
+ # rules = [
+ # { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
+ # ];
+ #};
+ #new api
+ tables = mkOption {
+ type = with types; attrsOf (attrsOf (submodule ({
+ options = {
+ policy = mkOption {
+ type = str;
+ default = "-";
+ };
+ rules = mkOption {
+ type = nullOr (listOf (submodule ({
+ options = {
+ predicate = mkOption {
+ type = str;
+ };
+ target = mkOption {
+ type = str;
+ };
+ precedence = mkOption {
+ type = int;
+ default = 0;
+ };
+ };
+ })));
+ default = null;
+ };
+ };
+ })));
+ };
+}
diff --git a/old/modules/lass/ircd.nix b/old/modules/lass/ircd.nix
index 3c9e25718..c57f7dd5c 100644
--- a/old/modules/lass/ircd.nix
+++ b/old/modules/lass/ircd.nix
@@ -20,7 +20,7 @@
 #ssl_dh_params = "etc/dh.pem";
 #ssld_count = 1;
- #default_max_clients = 1024;
+ default_max_clients = 10000;
 #nicklen = 30;
 };
@@ -40,23 +40,28 @@
 sslport = 9999;
 };
- auth {
- user = "*@*";
- class = "users";
- };
-
 class "users" {
 ping_time = 2 minutes;
- number_per_ident = 10;
- number_per_ip = 10;
- number_per_ip_global = 50;
+ number_per_ident = 200;
+ number_per_ip = 200;
+ number_per_ip_global = 500;
 cidr_ipv4_bitlen = 24;
 cidr_ipv6_bitlen = 64;
- number_per_cidr = 200;
- max_number = 3000;
+ number_per_cidr = 9000;
+ max_number = 10000;
 sendq = 400 kbytes;
 };
+ exempt {
+ ip = "127.0.0.1";
+ };
+
+ auth {
+ user = "*@*";
+ class = "users";
+ flags = exceed_limit;
+ };
+
 channel {
 use_invex = yes;
 use_except = yes;
diff --git a/old/modules/lass/retiolum-cloudkrebs.nix b/old/modules/lass/retiolum-cloudkrebs.nix
deleted file mode 100644
index 1f035271d..000000000
--- a/old/modules/lass/retiolum-cloudkrebs.nix
+++ /dev/null
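Review bot: The `precedence` option is declared with `default = 0` but nothing consumes it — config.nix's `buildChain` emits rules in list order and still carries a `#TODO: sort by precedence` — so a user who sets it gets neither reordering nor an error. Either implement the ordering in `buildChain` (e.g. `sort (a: b: a.precedence < b.precedence)` applied before `map buildRule`) or document the option as not yet honoured with `description = "Not yet used; rules are emitted in list order.";`. The commented example above `tables` uses `priority = -10` while the submodule defines `precedence`, so the example would fail type-checking if it were uncommented. `predicate` and `target` are free-form `str` values spliced verbatim into the iptables-restore input, so an `assertions` entry rejecting values that contain a newline would keep a stray value from turning into additional rules.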
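Review bot: `flags = exceed_limit;` is set on the catch-all `auth { user = "*@*"; ... }` block; in a ratbox/charybdis-style configuration like this one that flag lets matching users bypass class limits, so every client may exceed the `class "users"` caps the same hunk raises (`number_per_ip = 200`, `number_per_cidr = 9000`, …), and a single source is no longer bounded in how many connections it can open. If the flag is meant for trusted hosts only, move it to a separate auth block with a narrow user/host mask placed before the `*@*` block; if exceeding limits for everyone is intended, a comment such as `# exceed_limit for all clients: the class limits below are effectively advisory` stops the next reader from tightening the numbers in vain. The `exempt { ip = "127.0.0.1"; }` block reads as a plain loopback exemption; the enclosing ircd configuration string begins outside the hunk.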
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/retiolum.nix
- ];
-
- services.retiolum = {
- enable = true;
- hosts = ../../hosts;
- privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/old/modules/lass/retiolum-mors.nix b/old/modules/lass/retiolum-mors.nix
deleted file mode 100644
index 61a7856c1..000000000
--- a/old/modules/lass/retiolum-mors.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/retiolum.nix
- ];
-
- services.retiolum = {
- enable = true;
- hosts = ../../hosts;
- privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/old/modules/lass/retiolum-uriel.nix b/old/modules/lass/retiolum-uriel.nix
deleted file mode 100644
index 11dc61c11..000000000
--- a/old/modules/lass/retiolum-uriel.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/retiolum.nix
- ];
-
- services.retiolum = {
- enable = true;
- hosts = ../../hosts;
- privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/old/modules/lass/vim.nix b/old/modules/lass/vim.nix
index e1cff0d24..3fe45e1d1 100644
--- a/old/modules/lass/vim.nix
+++ b/old/modules/lass/vim.nix
@@ -56,6 +56,8 @@ in {
 vnoremap < >gv
+ nmap q :buffer
+
 "Tabwidth
 set ts=2 sts=2 sw=2 et
diff --git a/old/modules/lass/xserver-lass.nix b/old/modules/lass/xserver-lass.nix
deleted file mode 100644
index 5c2d169bb..000000000
--- a/old/modules/lass/xserver-lass.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-
-in {
- services.xserver.enable = true;
-
-
- #fonts.enableFontConfig = true;
- #fonts.enableFontDir = true;
- fonts.fonts = [
- pkgs.xlibs.fontschumachermisc
- ];
- #services.xfs.enable = true;
- #services.xserver.useXFS = "unix/:7100";
-
- #services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
-
- #services.xserver.display = 11;
- #services.xserver.tty = 11;
- # services.xserver.layout = "us";
- # services.xserver.xkbOptions = "eurosign:e";
-
- #services.xserver.multitouch.enable = true;
-
- services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
- X11-xshape
- ];
- services.xserver.windowManager.xmonad.enable = true;
- services.xserver.windowManager.xmonad.enableContribAndExtras = true;
- services.xserver.windowManager.default = "xmonad";
- services.xserver.desktopManager.default = "none";
- services.xserver.desktopManager.xterm.enable = false;
-
- services.xserver.displayManager.slim.enable = true;
- services.xserver.displayManager.auto.enable = true;
- services.xserver.displayManager.auto.user = mainUser.name;
- #services.xserver.displayManager.job.logsXsession = true;
-
- services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
-
-}
-- 
cgit v1.2.3