Merge remote-tracking branch 'lass/master'
commit
1ba49c0ffe
@ -1,15 +1,17 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
|
|
||||||
with import <stockholm/lib>;
|
with import <stockholm/lib>;
|
||||||
let
|
{ config, pkgs, lib, ... }: let
|
||||||
cfg = config.krebs.exim-retiolum;
|
cfg = config.krebs.exim-retiolum;
|
||||||
|
|
||||||
out = {
|
# Due to improvements to the JSON notation, braces around top-level objects
|
||||||
options.krebs.exim-retiolum = api;
|
# are not necessary^Wsupported by rspamd's parser when including files:
|
||||||
config = lib.mkIf cfg.enable imp;
|
# https://github.com/rspamd/rspamd/issues/2674
|
||||||
};
|
toMostlyJSON = value:
|
||||||
|
assert typeOf value == "set";
|
||||||
|
(s: substring 1 (stringLength s - 2) s)
|
||||||
|
(toJSON value);
|
||||||
|
|
||||||
api = {
|
in {
|
||||||
|
options.krebs.exim-retiolum = {
|
||||||
enable = mkEnableOption "krebs.exim-retiolum";
|
enable = mkEnableOption "krebs.exim-retiolum";
|
||||||
local_domains = mkOption {
|
local_domains = mkOption {
|
||||||
type = with types; listOf hostname;
|
type = with types; listOf hostname;
|
||||||
@ -28,22 +30,70 @@ let
|
|||||||
"*.r"
|
"*.r"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
rspamd = {
|
||||||
|
enable = mkEnableOption "krebs.exim-retiolum.rspamd" // {
|
||||||
|
default = false;
|
||||||
};
|
};
|
||||||
|
locals = {
|
||||||
imp = {
|
logging = {
|
||||||
|
level = mkOption {
|
||||||
|
type = types.enum [
|
||||||
|
"error"
|
||||||
|
"warning"
|
||||||
|
"notice"
|
||||||
|
"info"
|
||||||
|
"debug"
|
||||||
|
"silent"
|
||||||
|
];
|
||||||
|
default = "notice";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
options = {
|
||||||
|
local_networks = mkOption {
|
||||||
|
type = types.listOf types.cidr;
|
||||||
|
default = [
|
||||||
|
config.krebs.build.host.nets.retiolum.ip4.prefix
|
||||||
|
config.krebs.build.host.nets.retiolum.ip6.prefix
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
imports = [
|
||||||
|
{
|
||||||
|
config = lib.mkIf cfg.rspamd.enable {
|
||||||
|
services.rspamd.enable = true;
|
||||||
|
services.rspamd.locals =
|
||||||
|
mapAttrs'
|
||||||
|
(name: value: nameValuePair "${name}.inc" {
|
||||||
|
text = toMostlyJSON value;
|
||||||
|
})
|
||||||
|
cfg.rspamd.locals;
|
||||||
|
users.users.${config.krebs.exim.user.name}.extraGroups = [
|
||||||
|
config.services.rspamd.group
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
config = lib.mkIf cfg.enable {
|
||||||
krebs.exim = {
|
krebs.exim = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config =
|
config =
|
||||||
# This configuration makes only sense for retiolum-enabled hosts.
|
# This configuration makes only sense for retiolum-enabled hosts.
|
||||||
# TODO modular configuration
|
# TODO modular configuration
|
||||||
assert config.krebs.tinc.retiolum.enable;
|
assert config.krebs.tinc.retiolum.enable;
|
||||||
''
|
/* exim */ ''
|
||||||
keep_environment =
|
keep_environment =
|
||||||
|
|
||||||
primary_hostname = ${cfg.primary_hostname}
|
primary_hostname = ${cfg.primary_hostname}
|
||||||
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
|
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
|
||||||
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
|
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
|
||||||
|
|
||||||
|
${optionalString cfg.rspamd.enable /* exim */ ''
|
||||||
|
spamd_address = /run/rspamd/rspamd.sock variant=rspamd
|
||||||
|
''}
|
||||||
|
|
||||||
acl_smtp_rcpt = acl_check_rcpt
|
acl_smtp_rcpt = acl_check_rcpt
|
||||||
acl_smtp_data = acl_check_data
|
acl_smtp_data = acl_check_data
|
||||||
|
|
||||||
@ -72,6 +122,24 @@ let
|
|||||||
|
|
||||||
|
|
||||||
acl_check_data:
|
acl_check_data:
|
||||||
|
${optionalString cfg.rspamd.enable /* exim */ ''
|
||||||
|
accept condition = ''${if eq{$interface_port}{587}}
|
||||||
|
|
||||||
|
warn remove_header = ${concatStringsSep " : " [
|
||||||
|
"x-spam"
|
||||||
|
"x-spam-report"
|
||||||
|
"x-spam-score"
|
||||||
|
]}
|
||||||
|
|
||||||
|
warn
|
||||||
|
spam = nobody:true
|
||||||
|
|
||||||
|
warn
|
||||||
|
condition = ''${if !eq{$spam_action}{no action}}
|
||||||
|
add_header = X-Spam: Yes
|
||||||
|
add_header = X-Spam-Report: $spam_report
|
||||||
|
add_header = X-Spam-Score: $spam_score
|
||||||
|
''}
|
||||||
accept
|
accept
|
||||||
|
|
||||||
|
|
||||||
@ -118,4 +186,4 @@ let
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in out
|
}
|
||||||
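Review bot: In the rspamd branch of `acl_check_data`, `accept condition = ''${if eq{$interface_port}{587}}` skips the spam scan for every message arriving on the submission port, keyed on the port alone rather than on the session being authenticated; whether that is safe depends on `acl_check_rcpt` (outside this hunk) rejecting unauthenticated recipients on 587, which cannot be confirmed from here. If it does not, `''${if and{{eq{$interface_port}{587}}{def:authenticated_id}}}` would tie the bypass to an authenticated session. The new `local_networks` option defaults to both retiolum prefixes, which rspamd presumably treats as internal for its network-based checks, and the socket path `/run/rspamd/rspamd.sock` is assumed to match what `services.rspamd` creates; neither assumption is written down. A one-line comment on `local_networks`, e.g. `# retiolum senders are treated as local by rspamd; confirm this matches its network checks`, would make the trust decision explicit for the next reader.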
|
@ -121,7 +121,7 @@ let
|
|||||||
};
|
};
|
||||||
krebs.exim = {
|
krebs.exim = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = /* exim */ ''
|
||||||
keep_environment =
|
keep_environment =
|
||||||
|
|
||||||
primary_hostname = ${cfg.primary_hostname}
|
primary_hostname = ${cfg.primary_hostname}
|
||||||
@ -233,7 +233,7 @@ let
|
|||||||
|
|
||||||
remote_smtp:
|
remote_smtp:
|
||||||
driver = smtp
|
driver = smtp
|
||||||
${optionalString (cfg.dkim != []) (indent ''
|
${optionalString (cfg.dkim != []) (indent /* exim */ ''
|
||||||
dkim_canon = relaxed
|
dkim_canon = relaxed
|
||||||
dkim_domain = $sender_address_domain
|
dkim_domain = $sender_address_domain
|
||||||
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
|
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
|
||||||
@ -262,7 +262,7 @@ let
|
|||||||
|
|
||||||
begin rewrite
|
begin rewrite
|
||||||
begin authenticators
|
begin authenticators
|
||||||
${concatStringsSep "\n" (mapAttrsToList (name: text: ''
|
${concatStringsSep "\n" (mapAttrsToList (name: text: /* exim */ ''
|
||||||
${name}:
|
${name}:
|
||||||
${indent text}
|
${indent text}
|
||||||
'') cfg.authenticators)}
|
'') cfg.authenticators)}
|
||||||
|
@ -37,7 +37,7 @@ in {
|
|||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
environment = {
|
environment = {
|
||||||
etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" ''
|
etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" /* exim */ ''
|
||||||
exim_user = ${cfg.user.name}
|
exim_user = ${cfg.user.name}
|
||||||
exim_group = ${cfg.group.name}
|
exim_group = ${cfg.group.name}
|
||||||
exim_path = /run/wrappers/bin/exim
|
exim_path = /run/wrappers/bin/exim
|
||||||
|
134
krebs/3modules/external/default.nix
vendored
134
krebs/3modules/external/default.nix
vendored
@ -229,6 +229,35 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
inspector = {
|
||||||
|
owner = config.krebs.users.Mic92;
|
||||||
|
nets = rec {
|
||||||
|
internet = {
|
||||||
|
ip4.addr = "141.76.44.154";
|
||||||
|
aliases = [ "inspector.i" ];
|
||||||
|
};
|
||||||
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
|
ip4.addr = "10.243.29.172";
|
||||||
|
aliases = [ "inspector.r" ];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
|
||||||
|
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
|
||||||
|
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
|
||||||
|
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
|
||||||
|
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
|
||||||
|
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
|
||||||
|
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
|
||||||
|
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
|
||||||
|
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
|
||||||
|
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
|
||||||
|
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
justraute = {
|
justraute = {
|
||||||
owner = config.krebs.users.raute; # laptop
|
owner = config.krebs.users.raute; # laptop
|
||||||
nets = {
|
nets = {
|
||||||
@ -241,6 +270,30 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
matchbox = {
|
||||||
|
owner = config.krebs.users.Mic92;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.29.176";
|
||||||
|
aliases = [ "matchbox.r" ];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
|
||||||
|
VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
|
||||||
|
nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
|
||||||
|
TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
|
||||||
|
TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
|
||||||
|
yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
|
||||||
|
4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
|
||||||
|
Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
|
||||||
|
bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
|
||||||
|
nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
|
||||||
|
/vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
qubasa = {
|
qubasa = {
|
||||||
owner = config.krebs.users.qubasa;
|
owner = config.krebs.users.qubasa;
|
||||||
nets = {
|
nets = {
|
||||||
@ -411,55 +464,52 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
inspector = {
|
uppreisn = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.ilmu;
|
||||||
nets = rec {
|
nets = {
|
||||||
internet = {
|
|
||||||
ip4.addr = "141.76.44.154";
|
|
||||||
aliases = [ "inspector.i" ];
|
|
||||||
};
|
|
||||||
retiolum = {
|
retiolum = {
|
||||||
via = internet;
|
ip4.addr = "10.243.42.13";
|
||||||
ip4.addr = "10.243.29.172";
|
aliases = [ "ilmu.r" ];
|
||||||
aliases = [ "inspector.r" ];
|
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAweAz7KtgYVuAfqP7Zoax
|
||||||
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
|
BrQ++qig30Aabnou5C62bYIf1Fn8Z9RbDROTmkGeF7No7mZ7wH0hNpRXo1N/sLNt
|
||||||
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
|
gr4bX7fXAvQ3NeeoMmM6VcC+pExnE4NMMnu0Dm3Z/WcQkCsJukkcvpC1gWkjPXea
|
||||||
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
|
gn3ODl2wbKMiRBhQDA2Ro0zDQ+gAIsgtS9fDA85Rb0AToLwifHHavz81SXF+9piv
|
||||||
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
|
qIl3rJZVBo1kOiolv5BCh4/O+R5boiFfPGAiqEcob0cTcmSCXaMqis8UNorlm08j
|
||||||
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
|
ytNG7kazeRQb9olJ/ovCA1b+6iAZ4251twuQkHfNdfC3VM32jbGq7skMyhX3qN/b
|
||||||
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
|
WoHHeBZR8eH5MpTTIODI+r4cLswAJqlCk816bGMmg6MuZutTlQCRTy1S/wXY/8ei
|
||||||
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
|
STAZ1IZH6dnwCJ9HXgMC6hcYuOs/KmvSdaa7F+yTEq83IAASewbRgn/YHsMksftI
|
||||||
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
|
d8db17rEOT5uC1jOGKF98d7e30MX5saTJZLB6XmNDsql/lFoooGzTz/L80JUYiJ0
|
||||||
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
|
fQFADznZpA+NE+teOH9aXsucDQkX6BOPSO4XKXV86RIejHUSEx5WdaqGOUfmhFUo
|
||||||
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
|
9hZhr0qiiKNlXlP8noM9n+hPNKNkOlctQcpnatgdU3uQMtITPyKSLMUDoQIJlSgq
|
||||||
-----END RSA PUBLIC KEY-----
|
lak5LCqzwU9qa9EQSU4nLZ0CAwEAAQ==
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
matchbox = {
|
unnamed = {
|
||||||
owner = config.krebs.users.Mic92;
|
owner = config.krebs.users.pie_;
|
||||||
nets = {
|
nets = {
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.176";
|
ip4.addr = "10.243.3.14";
|
||||||
aliases = [ "matchbox.r" ];
|
aliases = [ "unnamed.r" ];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
|
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvGXVl+WV/bDxFAnYnAhZ
|
||||||
VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
|
2rHCU5dqtBvSg0sywV1j++lEuELBx4Zq14qyjDRGkkIGdgzCZBLK2cCgxPJ3MRFx
|
||||||
nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
|
ZwiO3jPscTu3I7zju7ULO/LqGQG+Yf86estfGh394zFJ2rnFSwegeMNqCpOaurOH
|
||||||
TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
|
GuYtNdjkxn/2wj00s+JEJjCNRMg8bkTMT3czuTr2k+6ICI8SgLZMDH7TjRfePHEW
|
||||||
TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
|
X9/v4O3kMSZccT/wZWmezXuYlO7CJs7f4VV98z+sgubmIZz3uLfQFY8y9gmGp46y
|
||||||
yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
|
5n5QyD0iIqkLNGIldNnToVJPToRaW5OdNKtZFayU4pWZ296sEcJI0NWLYqy7yZfD
|
||||||
4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
|
PG2FlCQmebUxMYk+iK0cYRLFzOgnr14uXihXxhuHYJ8R1VIbWuto1YFGUv5J/Jct
|
||||||
Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
|
3vgjwOlHwZKC9FTqnRjgp58QtnKneXGNZ446eKHUCmSRDKl8fc/m9ePHrISnGROY
|
||||||
bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
|
gXMieAmOZtsQIxwRpBGCLjrr3sx8RRNY8ROycqPaQWp3upp61jAvvQW3SIvkp1+M
|
||||||
nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
|
jGvfebJOSkEZurwGcWUar9w9t/oDfsV+R9Nm9n2IkdkNlnvXD1rcj7KqbFPtGf1a
|
||||||
/vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
|
MmB3AmwyIVv9Rk1Vpjkz4EtL4kPqiuhPrf1bHQhAdcwqwFGyo8HXsoMedb3Irhwm
|
||||||
-----END RSA PUBLIC KEY-----
|
OxwCRYLtEweku7HLhUVTnDkCAwEAAQ==
|
||||||
|
-----END PUBLIC KEY-----
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -495,6 +545,9 @@ in {
|
|||||||
mail = "dickbutt@excogitation.de";
|
mail = "dickbutt@excogitation.de";
|
||||||
pubkey = ssh-for "exco";
|
pubkey = ssh-for "exco";
|
||||||
};
|
};
|
||||||
|
ilmu = {
|
||||||
|
mail = "ilmu@rishi.is";
|
||||||
|
};
|
||||||
jan = {
|
jan = {
|
||||||
mail = "jan.heidbrink@posteo.de";
|
mail = "jan.heidbrink@posteo.de";
|
||||||
};
|
};
|
||||||
@ -527,5 +580,6 @@ in {
|
|||||||
};
|
};
|
||||||
filly = {
|
filly = {
|
||||||
};
|
};
|
||||||
|
pie_ = {};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
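Review bot: The new `uppreisn` and `unnamed` entries carry their `tinc.pubkey` in the `-----BEGIN PUBLIC KEY-----` (SubjectPublicKeyInfo) envelope, while every other key in this file, including the moved `inspector` and `matchbox` entries, uses `-----BEGIN RSA PUBLIC KEY-----` (PKCS#1). Whether the deployed tinc reads both envelopes is not visible from this diff; if it only accepts PKCS#1, these two hosts would fail to load without any change to the other entries. Normalising them with `openssl rsa -pubin -in <spki.pem> -RSAPublicKey_out` keeps the file consistent and removes the doubt. The `uppreisn` block also has no `via`, unlike the `inspector` entry it replaces in position, which looks intentional but is worth a glance.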
|
@ -2,40 +2,69 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
cfg = config.krebs.syncthing;
|
kcfg = config.krebs.syncthing;
|
||||||
|
scfg = config.services.syncthing;
|
||||||
|
|
||||||
devices = mapAttrsToList (name: peer: {
|
devices = mapAttrsToList (name: peer: {
|
||||||
name = name;
|
name = name;
|
||||||
deviceID = peer.id;
|
deviceID = peer.id;
|
||||||
addresses = peer.addresses;
|
addresses = peer.addresses;
|
||||||
}) cfg.peers;
|
}) kcfg.peers;
|
||||||
|
|
||||||
folders = mapAttrsToList ( _: folder: {
|
folders = mapAttrsToList ( _: folder: {
|
||||||
inherit (folder) path id type;
|
inherit (folder) path id type;
|
||||||
devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers;
|
devices = map (peer: { deviceId = kcfg.peers.${peer}.id; }) folder.peers;
|
||||||
rescanIntervalS = folder.rescanInterval;
|
rescanIntervalS = folder.rescanInterval;
|
||||||
fsWatcherEnabled = folder.watch;
|
fsWatcherEnabled = folder.watch;
|
||||||
fsWatcherDelayS = folder.watchDelay;
|
fsWatcherDelayS = folder.watchDelay;
|
||||||
|
ignoreDelete = folder.ignoreDelete;
|
||||||
ignorePerms = folder.ignorePerms;
|
ignorePerms = folder.ignorePerms;
|
||||||
}) cfg.folders;
|
}) kcfg.folders;
|
||||||
|
|
||||||
getApiKey = pkgs.writeDash "getAPIKey" ''
|
getApiKey = pkgs.writeDash "getAPIKey" ''
|
||||||
${pkgs.libxml2}/bin/xmllint \
|
${pkgs.libxml2}/bin/xmllint \
|
||||||
--xpath 'string(configuration/gui/apikey)'\
|
--xpath 'string(configuration/gui/apikey)'\
|
||||||
${config.services.syncthing.configDir}/config.xml
|
${scfg.configDir}/config.xml
|
||||||
'';
|
'';
|
||||||
|
|
||||||
updateConfig = pkgs.writeDash "merge-syncthing-config" ''
|
updateConfig = pkgs.writeDash "merge-syncthing-config" ''
|
||||||
set -efu
|
set -efu
|
||||||
|
|
||||||
|
# XXX this assumes the GUI address to be "IPv4 address and port"
|
||||||
|
host=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 0)}
|
||||||
|
port=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 1)}
|
||||||
|
|
||||||
# wait for service to restart
|
# wait for service to restart
|
||||||
${pkgs.untilport}/bin/untilport localhost 8384
|
${pkgs.untilport}/bin/untilport "$host" "$port"
|
||||||
|
|
||||||
API_KEY=$(${getApiKey})
|
API_KEY=$(${getApiKey})
|
||||||
CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config)
|
|
||||||
echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] as $in | $in * {
|
_curl() {
|
||||||
"devices": (${builtins.toJSON devices}${optionalString (! cfg.overridePeers) " + $in.devices"}),
|
${pkgs.curl}/bin/curl \
|
||||||
"folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + $in.folders"})
|
-Ss \
|
||||||
}' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @-
|
-H "X-API-Key: $API_KEY" \
|
||||||
${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST
|
"http://$host:$port/rest""$@"
|
||||||
|
}
|
||||||
|
|
||||||
|
old_config=$(_curl /system/config)
|
||||||
|
new_config=${shell.escape (toJSON {
|
||||||
|
inherit devices folders;
|
||||||
|
})}
|
||||||
|
new_config=$(${pkgs.jq}/bin/jq -en \
|
||||||
|
--argjson old_config "$old_config" \
|
||||||
|
--argjson new_config "$new_config" \
|
||||||
|
'
|
||||||
|
$old_config * $new_config
|
||||||
|
${optionalString (!kcfg.overridePeers) ''
|
||||||
|
* { devices: $old_config.devices }
|
||||||
|
''}
|
||||||
|
${optionalString (!kcfg.overrideFolders) ''
|
||||||
|
* { folders: $old_config.folders }
|
||||||
|
''}
|
||||||
|
'
|
||||||
|
)
|
||||||
|
echo $new_config | _curl /system/config -d @-
|
||||||
|
_curl /system/restart -X POST
|
||||||
'';
|
'';
|
||||||
|
|
||||||
in
|
in
|
||||||
@ -129,6 +158,11 @@ in
|
|||||||
default = 10;
|
default = 10;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ignoreDelete = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
|
||||||
ignorePerms = mkOption {
|
ignorePerms = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
@ -139,19 +173,19 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = (mkIf cfg.enable) {
|
config = mkIf kcfg.enable {
|
||||||
|
|
||||||
systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) {
|
systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) {
|
||||||
preStart = ''
|
preStart = ''
|
||||||
${optionalString (cfg.cert != null) ''
|
${optionalString (kcfg.cert != null) ''
|
||||||
cp ${toString cfg.cert} ${config.services.syncthing.configDir}/cert.pem
|
cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem
|
||||||
chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.configDir}/cert.pem
|
chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem
|
||||||
chmod 400 ${config.services.syncthing.configDir}/cert.pem
|
chmod 400 ${scfg.configDir}/cert.pem
|
||||||
''}
|
''}
|
||||||
${optionalString (cfg.key != null) ''
|
${optionalString (kcfg.key != null) ''
|
||||||
cp ${toString cfg.key} ${config.services.syncthing.configDir}/key.pem
|
cp ${toString kcfg.key} ${scfg.configDir}/key.pem
|
||||||
chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.configDir}/key.pem
|
chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem
|
||||||
chmod 400 ${config.services.syncthing.configDir}/key.pem
|
chmod 400 ${scfg.configDir}/key.pem
|
||||||
''}
|
''}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
@ -161,7 +195,7 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = config.services.syncthing.user;
|
User = scfg.user;
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
ExecStart = updateConfig;
|
ExecStart = updateConfig;
|
||||||
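Review bot: `echo $new_config | _curl /system/config -d @-` leaves `$new_config` unquoted; with `set -f` globbing is off, but field splitting still collapses any run of whitespace inside the JSON (for example in a folder path), and `echo` of a value containing backslashes is shell-dependent. `printf '%s' "$new_config" | _curl /system/config -d @-` passes the document through unchanged. Separately, `_curl` now builds `"http://$host:$port/rest"` from `scfg.guiAddress`, so the `# XXX` comment should also state that the API key travels in clear and the address is expected to stay on a loopback interface, e.g. `# NOTE: plain http, so guiAddress must remain loopback-only`. The key also remains visible on curl's command line (`-H "X-API-Key: $API_KEY"`) to other local users via the process list; `-H @file` or a `--config` file would avoid that, though this predates the change.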
|
@ -7,5 +7,6 @@ with import <stockholm/lib>;
|
|||||||
pkgs.eximlog
|
pkgs.eximlog
|
||||||
];
|
];
|
||||||
krebs.exim-retiolum.enable = true;
|
krebs.exim-retiolum.enable = true;
|
||||||
|
krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic";
|
||||||
tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
|
tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
|
||||||
}
|
}
|
||||||
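Review bot: `krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic";` hard-codes one host name into what appears to be a shared profile (the enclosing attribute set starts outside the hunk), so enabling rspamd on another host means editing this file rather than that host's configuration. Moving the line into the host's own config, or exposing it as a profile option, keeps the profile host-independent. If the intent is a staged rollout, a short comment stating that reason would make the coupling deliberate rather than accidental.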
|
@ -130,6 +130,7 @@ with import <stockholm/lib>;
|
|||||||
c = {};
|
c = {};
|
||||||
cabal = {};
|
cabal = {};
|
||||||
diff = {};
|
diff = {};
|
||||||
|
exim = {};
|
||||||
haskell = {};
|
haskell = {};
|
||||||
jq.extraStart = alts [
|
jq.extraStart = alts [
|
||||||
(writer "Jq")
|
(writer "Jq")
|
||||||
|