diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index e08024977..118a8b2d5 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,15 +1,17 @@ -{ config, pkgs, lib, ... }: - with import ; -let +{ config, pkgs, lib, ... }: let cfg = config.krebs.exim-retiolum; - out = { - options.krebs.exim-retiolum = api; - config = lib.mkIf cfg.enable imp; - }; + # Due to improvements to the JSON notation, braces around top-level objects + # are not necessary^Wsupported by rspamd's parser when including files: + # https://github.com/rspamd/rspamd/issues/2674 + toMostlyJSON = value: + assert typeOf value == "set"; + (s: substring 1 (stringLength s - 2) s) + (toJSON value); - api = { +in { + options.krebs.exim-retiolum = { enable = mkEnableOption "krebs.exim-retiolum"; local_domains = mkOption { type = with types; listOf hostname; @@ -28,22 +30,70 @@ let "*.r" ]; }; + rspamd = { + enable = mkEnableOption "krebs.exim-retiolum.rspamd" // { + default = false; + }; + locals = { + logging = { + level = mkOption { + type = types.enum [ + "error" + "warning" + "notice" + "info" + "debug" + "silent" + ]; + default = "notice"; + }; + }; + options = { + local_networks = mkOption { + type = types.listOf types.cidr; + default = [ + config.krebs.build.host.nets.retiolum.ip4.prefix + config.krebs.build.host.nets.retiolum.ip6.prefix + ]; + }; + }; + }; + }; }; - - imp = { + imports = [ + { + config = lib.mkIf cfg.rspamd.enable { + services.rspamd.enable = true; + services.rspamd.locals = + mapAttrs' + (name: value: nameValuePair "${name}.inc" { + text = toMostlyJSON value; + }) + cfg.rspamd.locals; + users.users.${config.krebs.exim.user.name}.extraGroups = [ + config.services.rspamd.group + ]; + }; + } + ]; + config = lib.mkIf cfg.enable { krebs.exim = { enable = true; config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration assert config.krebs.tinc.retiolum.enable; - '' + /* exim */ '' keep_environment = primary_hostname = ${cfg.primary_hostname} domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} + ${optionalString cfg.rspamd.enable /* exim */ '' + spamd_address = /run/rspamd/rspamd.sock variant=rspamd + ''} + acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data @@ -72,6 +122,24 @@ let acl_check_data: + ${optionalString cfg.rspamd.enable /* exim */ '' + accept condition = ''${if eq{$interface_port}{587}} + + warn remove_header = ${concatStringsSep " : " [ + "x-spam" + "x-spam-report" + "x-spam-score" + ]} + + warn + spam = nobody:true + + warn + condition = ''${if !eq{$spam_action}{no action}} + add_header = X-Spam: Yes + add_header = X-Spam-Report: $spam_report + add_header = X-Spam-Score: $spam_score + ''} accept @@ -118,4 +186,4 @@ let ''; }; }; -in out +} diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 5f93ae937..e988fb563 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -121,7 +121,7 @@ let }; krebs.exim = { enable = true; - config = '' + config = /* exim */ '' keep_environment = primary_hostname = ${cfg.primary_hostname} @@ -233,7 +233,7 @@ let remote_smtp: driver = smtp - ${optionalString (cfg.dkim != []) (indent '' + ${optionalString (cfg.dkim != []) (indent /* exim */ '' dkim_canon = relaxed dkim_domain = $sender_address_domain dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} @@ -262,7 +262,7 @@ let begin rewrite begin authenticators - ${concatStringsSep "\n" (mapAttrsToList (name: text: '' + ${concatStringsSep "\n" (mapAttrsToList (name: text: /* exim */ '' ${name}: ${indent text} '') cfg.authenticators)} diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index cfcbbc438..83d88cb0d 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix @@ -37,7 +37,7 @@ in { }; config = lib.mkIf cfg.enable { environment = { - etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" '' + etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" /* exim */ '' exim_user = ${cfg.user.name} exim_group = ${cfg.group.name} exim_path = /run/wrappers/bin/exim diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index ac656f463..1720811d9 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -229,6 +229,35 @@ in { }; }; }; + inspector = { + owner = config.krebs.users.Mic92; + nets = rec { + internet = { + ip4.addr = "141.76.44.154"; + aliases = [ "inspector.i" ]; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.29.172"; + aliases = [ "inspector.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG + EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ + 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF + m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw + WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd + eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 + OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau + ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x + B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG + q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj + 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; justraute = { owner = config.krebs.users.raute; # laptop nets = { @@ -241,6 +270,30 @@ in { }; }; }; + matchbox = { + owner = config.krebs.users.Mic92; + nets = { + retiolum = { + ip4.addr = "10.243.29.176"; + aliases = [ "matchbox.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m + VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w + nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u + TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE + TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1 + yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO + 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4 + Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/ + bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4 + nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR + /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; qubasa = { owner = config.krebs.users.qubasa; nets = { @@ -411,56 +464,53 @@ in { }; }; }; - inspector = { - owner = config.krebs.users.Mic92; - nets = rec { - internet = { - ip4.addr = "141.76.44.154"; - aliases = [ "inspector.i" ]; - }; + uppreisn = { + owner = config.krebs.users.ilmu; + nets = { retiolum = { - via = internet; - ip4.addr = "10.243.29.172"; - aliases = [ "inspector.r" ]; + ip4.addr = "10.243.42.13"; + aliases = [ "ilmu.r" ]; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG - EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ - 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF - m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw - WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd - eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03 - OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau - ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x - B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG - q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj - 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ== - -----END RSA PUBLIC KEY----- + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAweAz7KtgYVuAfqP7Zoax + BrQ++qig30Aabnou5C62bYIf1Fn8Z9RbDROTmkGeF7No7mZ7wH0hNpRXo1N/sLNt + gr4bX7fXAvQ3NeeoMmM6VcC+pExnE4NMMnu0Dm3Z/WcQkCsJukkcvpC1gWkjPXea + gn3ODl2wbKMiRBhQDA2Ro0zDQ+gAIsgtS9fDA85Rb0AToLwifHHavz81SXF+9piv + qIl3rJZVBo1kOiolv5BCh4/O+R5boiFfPGAiqEcob0cTcmSCXaMqis8UNorlm08j + ytNG7kazeRQb9olJ/ovCA1b+6iAZ4251twuQkHfNdfC3VM32jbGq7skMyhX3qN/b + WoHHeBZR8eH5MpTTIODI+r4cLswAJqlCk816bGMmg6MuZutTlQCRTy1S/wXY/8ei + STAZ1IZH6dnwCJ9HXgMC6hcYuOs/KmvSdaa7F+yTEq83IAASewbRgn/YHsMksftI + d8db17rEOT5uC1jOGKF98d7e30MX5saTJZLB6XmNDsql/lFoooGzTz/L80JUYiJ0 + fQFADznZpA+NE+teOH9aXsucDQkX6BOPSO4XKXV86RIejHUSEx5WdaqGOUfmhFUo + 9hZhr0qiiKNlXlP8noM9n+hPNKNkOlctQcpnatgdU3uQMtITPyKSLMUDoQIJlSgq + lak5LCqzwU9qa9EQSU4nLZ0CAwEAAQ== + -----END PUBLIC KEY----- ''; }; }; }; - matchbox = { - owner = config.krebs.users.Mic92; + unnamed = { + owner = config.krebs.users.pie_; nets = { retiolum = { - ip4.addr = "10.243.29.176"; - aliases = [ "matchbox.r" ]; + ip4.addr = "10.243.3.14"; + aliases = [ "unnamed.r" ]; tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m - VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w - nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u - TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE - TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1 - yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO - 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4 - Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/ - bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4 - nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR - /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvGXVl+WV/bDxFAnYnAhZ + 2rHCU5dqtBvSg0sywV1j++lEuELBx4Zq14qyjDRGkkIGdgzCZBLK2cCgxPJ3MRFx + ZwiO3jPscTu3I7zju7ULO/LqGQG+Yf86estfGh394zFJ2rnFSwegeMNqCpOaurOH + GuYtNdjkxn/2wj00s+JEJjCNRMg8bkTMT3czuTr2k+6ICI8SgLZMDH7TjRfePHEW + X9/v4O3kMSZccT/wZWmezXuYlO7CJs7f4VV98z+sgubmIZz3uLfQFY8y9gmGp46y + 5n5QyD0iIqkLNGIldNnToVJPToRaW5OdNKtZFayU4pWZ296sEcJI0NWLYqy7yZfD + PG2FlCQmebUxMYk+iK0cYRLFzOgnr14uXihXxhuHYJ8R1VIbWuto1YFGUv5J/Jct + 3vgjwOlHwZKC9FTqnRjgp58QtnKneXGNZ446eKHUCmSRDKl8fc/m9ePHrISnGROY + gXMieAmOZtsQIxwRpBGCLjrr3sx8RRNY8ROycqPaQWp3upp61jAvvQW3SIvkp1+M + jGvfebJOSkEZurwGcWUar9w9t/oDfsV+R9Nm9n2IkdkNlnvXD1rcj7KqbFPtGf1a + MmB3AmwyIVv9Rk1Vpjkz4EtL4kPqiuhPrf1bHQhAdcwqwFGyo8HXsoMedb3Irhwm + OxwCRYLtEweku7HLhUVTnDkCAwEAAQ== + -----END PUBLIC KEY----- + ''; }; }; }; @@ -495,6 +545,9 @@ in { mail = "dickbutt@excogitation.de"; pubkey = ssh-for "exco"; }; + ilmu = { + mail = "ilmu@rishi.is"; + }; jan = { mail = "jan.heidbrink@posteo.de"; }; @@ -527,5 +580,6 @@ in { }; filly = { }; + pie_ = {}; }; } diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix index 9c6acfb0c..939c8fddf 100644 --- a/krebs/3modules/syncthing.nix +++ b/krebs/3modules/syncthing.nix @@ -2,40 +2,69 @@ let - cfg = config.krebs.syncthing; + kcfg = config.krebs.syncthing; + scfg = config.services.syncthing; devices = mapAttrsToList (name: peer: { name = name; deviceID = peer.id; addresses = peer.addresses; - }) cfg.peers; + }) kcfg.peers; folders = mapAttrsToList ( _: folder: { inherit (folder) path id type; - devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers; + devices = map (peer: { deviceId = kcfg.peers.${peer}.id; }) folder.peers; rescanIntervalS = folder.rescanInterval; fsWatcherEnabled = folder.watch; fsWatcherDelayS = folder.watchDelay; + ignoreDelete = folder.ignoreDelete; ignorePerms = folder.ignorePerms; - }) cfg.folders; + }) kcfg.folders; getApiKey = pkgs.writeDash "getAPIKey" '' ${pkgs.libxml2}/bin/xmllint \ --xpath 'string(configuration/gui/apikey)'\ - ${config.services.syncthing.configDir}/config.xml + ${scfg.configDir}/config.xml ''; updateConfig = pkgs.writeDash "merge-syncthing-config" '' set -efu + + # XXX this assumes the GUI address to be "IPv4 address and port" + host=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 0)} + port=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 1)} + # wait for service to restart - ${pkgs.untilport}/bin/untilport localhost 8384 + ${pkgs.untilport}/bin/untilport "$host" "$port" + API_KEY=$(${getApiKey}) - CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config) - echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] as $in | $in * { - "devices": (${builtins.toJSON devices}${optionalString (! cfg.overridePeers) " + $in.devices"}), - "folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + $in.folders"}) - }' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @- - ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST + + _curl() { + ${pkgs.curl}/bin/curl \ + -Ss \ + -H "X-API-Key: $API_KEY" \ + "http://$host:$port/rest""$@" + } + + old_config=$(_curl /system/config) + new_config=${shell.escape (toJSON { + inherit devices folders; + })} + new_config=$(${pkgs.jq}/bin/jq -en \ + --argjson old_config "$old_config" \ + --argjson new_config "$new_config" \ + ' + $old_config * $new_config + ${optionalString (!kcfg.overridePeers) '' + * { devices: $old_config.devices } + ''} + ${optionalString (!kcfg.overrideFolders) '' + * { folders: $old_config.folders } + ''} + ' + ) + echo $new_config | _curl /system/config -d @- + _curl /system/restart -X POST ''; in @@ -129,6 +158,11 @@ in default = 10; }; + ignoreDelete = mkOption { + type = types.bool; + default = false; + }; + ignorePerms = mkOption { type = types.bool; default = true; @@ -139,19 +173,19 @@ in }; }; - config = (mkIf cfg.enable) { + config = mkIf kcfg.enable { - systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) { + systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) { preStart = '' - ${optionalString (cfg.cert != null) '' - cp ${toString cfg.cert} ${config.services.syncthing.configDir}/cert.pem - chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.configDir}/cert.pem - chmod 400 ${config.services.syncthing.configDir}/cert.pem + ${optionalString (kcfg.cert != null) '' + cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem + chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem + chmod 400 ${scfg.configDir}/cert.pem ''} - ${optionalString (cfg.key != null) '' - cp ${toString cfg.key} ${config.services.syncthing.configDir}/key.pem - chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.configDir}/key.pem - chmod 400 ${config.services.syncthing.configDir}/key.pem + ${optionalString (kcfg.key != null) '' + cp ${toString kcfg.key} ${scfg.configDir}/key.pem + chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem + chmod 400 ${scfg.configDir}/key.pem ''} ''; }; @@ -161,7 +195,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { - User = config.services.syncthing.user; + User = scfg.user; RemainAfterExit = true; Type = "oneshot"; ExecStart = updateConfig; diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 8b34b16cf..3d4ada46b 100644 --- a/tv/2configs/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix @@ -7,5 +7,6 @@ with import ; pkgs.eximlog ]; krebs.exim-retiolum.enable = true; + krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic"; tv.iptables.input-retiolum-accept-tcp = singleton "smtp"; } diff --git a/tv/5pkgs/vim/nix.nix b/tv/5pkgs/vim/nix.nix index a58a45b2d..747ab0bc0 100644 --- a/tv/5pkgs/vim/nix.nix +++ b/tv/5pkgs/vim/nix.nix @@ -130,6 +130,7 @@ with import ; c = {}; cabal = {}; diff = {}; + exim = {}; haskell = {}; jq.extraStart = alts [ (writer "Jq")