Merge remote-tracking branch 'lass/master'
This commit is contained in:
commit
5c52fb9e91
@ -1,4 +1,4 @@
|
||||
deploy_host := root@mors
|
||||
nixpkgs_url := https://github.com/Lassulus/nixpkgs
|
||||
nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90
|
||||
nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
|
||||
secrets_dir := /home/lass/secrets/mors
|
||||
|
@ -33,6 +33,12 @@
|
||||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
imports = [ ../../3modules/tv/identity.nix ];
|
||||
tv.identity = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
networking.hostName = "mors";
|
||||
|
@ -24,6 +24,12 @@
|
||||
];
|
||||
};
|
||||
}
|
||||
{
|
||||
imports = [ ../../3modules/tv/identity.nix ];
|
||||
tv.identity = {
|
||||
enable = true;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
networking.hostName = "uriel";
|
||||
|
@ -121,10 +121,20 @@ in
|
||||
{
|
||||
imports = [
|
||||
../../3modules/tv/git.nix
|
||||
../../3modules/lass/iptables.nix
|
||||
];
|
||||
|
||||
tv.git = {
|
||||
enable = true;
|
||||
inherit repos rules users;
|
||||
};
|
||||
|
||||
lass.iptables = {
|
||||
tables = {
|
||||
filter.INPUT.rules = [
|
||||
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
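Review bot: The new rule `{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }` carries no `precedence`, yet `buildChain` in 3modules/lass/iptables.nix (changed in this same commit) sorts every chain's rules with `a.precedence < b.precedence`; unless the rule option declares a default for that attribute, evaluating this host fails with a missing-attribute error. Stating it explicitly here (`precedence = 0;`, or whatever default the option is meant to use) keeps the rule self-contained either way. It would also help to record what is expected to listen on :80 — presumably the git HTTP frontend — and that the interface match is the only restriction, e.g. `# git over HTTP, reachable from retiolum peers only`. The enclosing module and the `repos`/`rules`/`users` bindings start outside this hunk.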
@ -83,6 +83,10 @@
|
||||
channel_target_change = yes;
|
||||
disable_local_channels = no;
|
||||
};
|
||||
general {
|
||||
#maybe we want ident someday?
|
||||
disable_auth = yes;
|
||||
};
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
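Review bot: The comment `#maybe we want ident someday?` does not say what `disable_auth = yes;` actually turns off; in charybdis/ratbox-style ircd.conf this option disables the identd (auth) lookup for connecting clients, and the next reader should not have to look that up. Suggest replacing it with `# disable_auth: skip identd (auth) lookups for connecting clients; ident is client-asserted and not a trust signal, so only revisit this for cosmetics`. If this is a different ircd the wording should be adjusted to its documented meaning. The `general` block's enclosing string and module start and end outside this hunk.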
@ -12,6 +12,7 @@
|
||||
##TODO: make steam module
|
||||
hardware.opengl.driSupport32Bit = true;
|
||||
|
||||
nixpkgs.config.steam.java = true;
|
||||
environment.systemPackages = with pkgs; [
|
||||
steam
|
||||
];
|
||||
|
@ -2,7 +2,28 @@ arg@{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
inherit (pkgs) writeScript writeText;
|
||||
inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr mkEnableOption mkOption mkIf types;
|
||||
|
||||
inherit (lib)
|
||||
concatMapStringsSep
|
||||
concatStringsSep
|
||||
attrNames
|
||||
unique
|
||||
fold
|
||||
any
|
||||
attrValues
|
||||
catAttrs
|
||||
filter
|
||||
flatten
|
||||
length
|
||||
hasAttr
|
||||
mkEnableOption
|
||||
mkOption
|
||||
mkIf
|
||||
types
|
||||
sort;
|
||||
|
||||
elemIsIn = a: as:
|
||||
any (x: x == a) as;
|
||||
|
||||
cfg = config.lass.iptables;
|
||||
|
||||
@ -74,38 +95,38 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
#buildTable :: iptablesAttrSet` -> str
|
||||
#buildTable :: iptablesVersion -> iptablesAttrSet` -> str
|
||||
#todo: differentiate by iptables-version
|
||||
buildTables = iptv: ts:
|
||||
buildTables = v: ts:
|
||||
let
|
||||
|
||||
declareChain = t: cn:
|
||||
#TODO: find out what to do whit these count numbers
|
||||
":${cn} ${t."${cn}".policy} [0:0]";
|
||||
|
||||
buildChain = tn: cn:
|
||||
#"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
|
||||
let
|
||||
sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
|
||||
|
||||
#TODO: sort by precedence
|
||||
#TODO: double check should be unneccessary, refactor!
|
||||
if (hasAttr "rules" ts."${tn}"."${cn}") then
|
||||
if (ts."${tn}"."${cn}".rules == null) then
|
||||
""
|
||||
in
|
||||
#TODO: double check should be unneccessary, refactor!
|
||||
if (hasAttr "rules" ts."${tn}"."${cn}") then
|
||||
if (ts."${tn}"."${cn}".rules == null) then
|
||||
""
|
||||
else
|
||||
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
|
||||
++ map (buildRule tn cn) sortedRules
|
||||
)
|
||||
else
|
||||
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
|
||||
++ map buildRule ts."${tn}"."${cn}".rules
|
||||
)
|
||||
else
|
||||
""
|
||||
;
|
||||
""
|
||||
;
|
||||
|
||||
|
||||
buildRule = rule:
|
||||
#TODO implement rule validation-test here
|
||||
#
|
||||
#target:
|
||||
#target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
|
||||
buildRule = tn: cn: rule:
|
||||
#target validation test:
|
||||
assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
|
||||
|
||||
#predicate:
|
||||
#predicate validation test:
|
||||
#maybe use iptables-test
|
||||
#TODO: howto exit with evaluation error by shellscript?
|
||||
#apperantly not possible from nix because evalatution wouldn't be deterministic.
|
||||
|
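Review bot: `buildRule` now asserts that `rule.target` is a builtin target or a declared chain, but `rule.predicate` gets no check at all and is presumably interpolated into the string `buildRule` returns (its body is past the hunk), which `buildChain` then emits verbatim as `-A ${cn} ${rule}` for iptables-restore — so a predicate containing a newline or a stray `-j ...` silently turns one configured rule into several, as the comments under the assert acknowledge. A cheap evaluation-time guard that needs no iptables-test is `assert (builtins.match "[^\n]*" rule.predicate != null);` next to the target assert. Separately, `sortedRules` reads `a.precedence` from every rule; if the option type gives no default, rules without that attribute (like the one the git config in this commit adds) fail evaluation, so either a declared default or a `rule.precedence or 0` fallback in the comparator is needed. `elemIsIn` reimplements `builtins.elem` (`lib.elem`) and could be dropped in favour of `inherit (lib) elem;`. The rest of `buildTables` and `buildRule`'s body continue past the hunk.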