From 0bb58a24c54a5c3236f0ef55364d64eca8550a83 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 17 Jul 2015 10:30:14 +0200
Subject: [PATCH 01/10] 1 lass: enable identity
---
1systems/lass/mors.nix | 6 ++++++
1systems/lass/uriel.nix | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/1systems/lass/mors.nix b/1systems/lass/mors.nix
index f724decca..940dc4fdb 100644
--- a/1systems/lass/mors.nix
+++ b/1systems/lass/mors.nix
@@ -33,6 +33,12 @@
 ];
 };
 }
+ {
+ imports = [ ../../3modules/tv/identity.nix ];
+ tv.identity = {
+ enable = true;
+ };
+ }
 ];
 networking.hostName = "mors";
diff --git a/1systems/lass/uriel.nix b/1systems/lass/uriel.nix
index b8fa899ba..25745d055 100644
--- a/1systems/lass/uriel.nix
+++ b/1systems/lass/uriel.nix
@@ -24,6 +24,12 @@
 ];
 };
 }
+ {
+ imports = [ ../../3modules/tv/identity.nix ];
+ tv.identity = {
+ enable = true;
+ };
+ }
 ];
 networking.hostName = "uriel";
From 7c3ba212ef9fe767a4618f079917938131e64a6c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 17 Jul 2015 10:30:41 +0200
Subject: [PATCH 02/10] 2 lass.git-repos: open port 80 on retiolum
---
2configs/lass/git-repos.nix | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix
index 94ab6317d..c0c305b85 100644
--- a/2configs/lass/git-repos.nix
+++ b/2configs/lass/git-repos.nix
@@ -121,10 +121,20 @@ in {
 imports = [
 ../../3modules/tv/git.nix
+ ../../3modules/lass/iptables.nix
 ];
 tv.git = {
 enable = true;
 inherit repos rules users;
 };
+
+ lass.iptables = {
+ tables = {
+ filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+ ];
+ };
+ };
+
 }
From f10a77a5633b7cb02585bde00a3233cfd4617136 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 17 Jul 2015 10:32:50 +0200
Subject: [PATCH 03/10] 0 lass.mors: bump rev
---
0make/lass/mors.makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
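Review bot: The new `filter.INPUT.rules` entry in 2configs/lass/git-repos.nix carries only `predicate` and `target`; the module it imports (3modules/lass/iptables.nix, reworked later in this series) sorts rules by `a.precedence`, so unless the rules submodule gives `precedence` a default this entry stops evaluating once PATCH 09/10 lands. The predicate string is copied verbatim into the generated iptables-restore input (the module's predicate check is still a TODO), so the rule is only as good as the text typed here. A one-line comment naming the service that is meant to listen on port 80 over retiolum would let a reviewer confirm the rule is no wider than needed; the hunk shows no such comment.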
diff --git a/0make/lass/mors.makefile b/0make/lass/mors.makefile
index 892bc2e06..896466a6f 100644
--- a/0make/lass/mors.makefile
+++ b/0make/lass/mors.makefile
@@ -1,4 +1,4 @@
 deploy_host := root@mors
 nixpkgs_url := https://github.com/Lassulus/nixpkgs
-nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90
+nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
 secrets_dir := /home/lass/secrets/mors
From a15a6f93ac12856a532e288d9419feaeb4df951f Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 17 Jul 2015 10:33:11 +0200
Subject: [PATCH 04/10] 2 lass.steam: enable java
---
2configs/lass/steam.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/2configs/lass/steam.nix b/2configs/lass/steam.nix
index d54873b1f..7d088fc6a 100644
--- a/2configs/lass/steam.nix
+++ b/2configs/lass/steam.nix
@@ -12,6 +12,7 @@
 ##TODO: make steam module
 hardware.opengl.driSupport32Bit = true;
+ nixpkgs.config.steam.java = true;
 environment.systemPackages = with pkgs; [ steam ];
From e478f140e0e704f9985db039eb178be13af63abb Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 18 Jul 2015 13:29:07 +0200
Subject: [PATCH 05/10] 3 lass.iptables: refactor imports
---
3modules/lass/iptables.nix | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index 6d567ca23..1cd6d3f8e 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
@@ -2,7 +2,28 @@ arg@{ config, lib, pkgs, ... }:
 let
 inherit (pkgs) writeScript writeText;
- inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr mkEnableOption mkOption mkIf types;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ attrNames
+ unique
+ fold
+ any
+ attrValues
+ catAttrs
+ filter
+ flatten
+ length
+ hasAttr
+ mkEnableOption
+ mkOption
+ mkIf
+ types
+ sort;
+
+ elemIsIn = a: as:
+ any (x: x == a) as;
 cfg = config.lass.iptables;
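Review bot: `elemIsIn = a: as: any (x: x == a) as;` re-implements `lib.elem` (`builtins.elem`), which already answers whether a value occurs in a list; adding `elem` to the `inherit (lib)` list and dropping the helper keeps the module on stock lib functions and one name shorter. If the helper is kept, it should say what it is for, e.g. `# elemIsIn x xs: true when x occurs in list xs (equivalent to lib.elem)`. `sort` is also added to the inherit list in this hunk but nothing in the patch uses it yet; its first use is in PATCH 06/10.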
From 7f30f58a3e2f5e9a7333fa1f5be9c998c6ad098a Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 18 Jul 2015 13:55:17 +0200
Subject: [PATCH 06/10] 3 lass.iptables: sort rules by precedence
---
3modules/lass/iptables.nix | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index 1cd6d3f8e..ba05abeb2 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
@@ -95,10 +95,12 @@ let
 };
 };
- #buildTable :: iptablesAttrSet` -> str
+ #buildTable :: iptablesVersion -> iptablesAttrSet` -> str
 #todo: differentiate by iptables-version
- buildTables = iptv: ts:
+ buildTables = v: ts:
 let
+ sortedTable = sort (a: b: a.precedence < b.precedence) ts;
+
 declareChain = t: cn:
 #TODO: find out what to do whit these count numbers
 ":${cn} ${t."${cn}".policy} [0:0]";
@@ -106,7 +108,6 @@ let
 buildChain = tn: cn:
 #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
- #TODO: sort by precedence
 #TODO: double check should be unneccessary, refactor!
 if (hasAttr "rules" ts."${tn}"."${cn}") then
 if (ts."${tn}"."${cn}".rules == null) then
@@ -144,7 +145,7 @@ let
 "\nCOMMIT";
 in
 concatStringsSep "\n" ([]
- ++ map buildTable (attrNames ts)
+ ++ map buildTable (attrNames sortedTable)
 );
 #=====
From 06a969575684ee21179a7d5730bbed2d65c38173 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 18 Jul 2015 13:55:56 +0200
Subject: [PATCH 07/10] 3 lass.iptables: check if target is valid
---
3modules/lass/iptables.nix | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index ba05abeb2..52058821c 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
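Review bot: `sortedTable = sort (a: b: a.precedence < b.precedence) ts;` applies `sort` to `ts`, which the rest of `buildTables` treats as an attribute set of tables (`attrNames ts`, `ts."${tn}"."${cn}"`), not a list, and nothing in these hunks gives a table a `precedence` attribute; the third hunk then calls `attrNames sortedTable` on the result, so the sort cannot evaluate as written. The `#TODO: sort by precedence` removed from `buildChain` in the second hunk referred to the rules inside a chain, which is where PATCH 09/10 later in this series moves the sort. The `buildTable` type comment now advertises an `iptablesVersion` argument while the renamed parameter `v` is, per the `#todo: differentiate by iptables-version` line, still unused; a note such as `# v: iptables version, not yet honoured` next to the signature would keep the comment honest.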
@@ -114,20 +114,18 @@ let
 ""
 else
 concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map buildRule ts."${tn}"."${cn}".rules
+ ++ map (buildRule tn cn) ts."${tn}"."${cn}".rules
 )
 else
 ""
 ;
- buildRule = rule:
- #TODO implement rule validation-test here
- #
- #target:
- #target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
+ buildRule = tn: cn: rule:
+ #target validation test:
+ assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ ts."${tn}"."${cn}"));
- #predicate:
+ #predicate validation test:
 #maybe use iptables-test
 #TODO: howto exit with evaluation error by shellscript?
 #apperantly not possible from nix because evalatution wouldn't be deterministic.
From 5637a9634b0a7e0b3a7379ee0b7f461b55cc91e4 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 18 Jul 2015 14:19:41 +0200
Subject: [PATCH 08/10] 2 lass.ircd: disable authentification
---
2configs/lass/ircd.nix | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/2configs/lass/ircd.nix b/2configs/lass/ircd.nix
index c57f7dd5c..f71b769fd 100644
--- a/2configs/lass/ircd.nix
+++ b/2configs/lass/ircd.nix
@@ -83,6 +83,10 @@
 channel_target_change = yes;
 disable_local_channels = no;
 };
+ general {
+ #maybe we want ident someday?
+ disable_auth = yes;
+ };
 '';
 };
 }
From 83901e1e475f6bcb6aca0aefbcbebde62339b481 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 18 Jul 2015 14:30:29 +0200
Subject: [PATCH 09/10] 3 lass.iptables sort rules instead of tables
---
3modules/lass/iptables.nix | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index 52058821c..b78879d2c 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
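Review bot: The new `assert` appends `ts."${tn}"."${cn}"` to a list of strings with `++`, but the same value is indexed as an attribute set a few lines up (`ts."${tn}"."${cn}".rules`), so the assertion itself fails to evaluate the first time a rule is built; PATCH 10/10 corrects this to `attrNames ts."${tn}"`, which is also what the removed comment asked for (an existing chain in the same table). A bare `assert` reports only the failed expression, not which rule was rejected; `if !(elemIsIn rule.target validTargets) then throw "lass.iptables: invalid target ${rule.target} in ${tn}/${cn}" else ...` would name the table, chain and target. Only the target is checked, while the predicate still reaches the generated `"\n-A ${cn} ${rule}"` line in `buildChain` unchecked, so a predicate containing a newline would contribute extra lines to the iptables-restore input; until the iptables-test idea in the comments exists, `assert length (splitString "\n" rule.predicate) == 1;` (with `splitString` added to the inherit list) closes that gap. `buildRule`'s body, which presumably turns `rule.predicate` and `rule.target` into that string, continues past the end of the hunk.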
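Review bot: The added `general { disable_auth = yes; }` block is explained only by `#maybe we want ident someday?`; in charybdis-family ircd.conf files `disable_auth` switches off the identd lookup made against connecting clients and nothing else, so the subject line "disable authentification" overstates what changes and a reader may think password or oper authentication is being turned off. A comment at the setting would fix that, e.g. `# disable_auth skips the identd (auth) lookup on connecting clients; it does not affect password or oper authentication`. The hunk starts at the closing `};` of the previous block and the opening of the `''` string is outside it, so if a `general { ... }` block already exists earlier in the same config, check that the daemon accepts a second one rather than adding this line to the existing block.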
@@ -99,26 +99,27 @@ let
 #todo: differentiate by iptables-version
 buildTables = v: ts:
 let
- sortedTable = sort (a: b: a.precedence < b.precedence) ts;
 declareChain = t: cn:
 #TODO: find out what to do whit these count numbers
 ":${cn} ${t."${cn}".policy} [0:0]";
 buildChain = tn: cn:
- #"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
+ let
+ sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
- #TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
+ in
+ #TODO: double check should be unneccessary, refactor!
+ if (hasAttr "rules" ts."${tn}"."${cn}") then
+ if (ts."${tn}"."${cn}".rules == null) then
+ ""
+ else
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map (buildRule tn cn) sortedRules
+ )
 else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) ts."${tn}"."${cn}".rules
- )
- else
- ""
- ;
+ ""
+ ;
 buildRule = tn: cn: rule:
@@ -143,7 +144,7 @@ let
 "\nCOMMIT";
 in
 concatStringsSep "\n" ([]
- ++ map buildTable (attrNames sortedTable)
+ ++ map buildTable (attrNames ts)
 );
 #=====
From 70711515910f5627262f0da0270ab76024811c20 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 18 Jul 2015 14:32:02 +0200
Subject: [PATCH 10/10] 3 lass.iptables: fix broken predicate check
---
3modules/lass/iptables.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/3modules/lass/iptables.nix b/3modules/lass/iptables.nix
index b78879d2c..c97b9f730 100644
--- a/3modules/lass/iptables.nix
+++ b/3modules/lass/iptables.nix
@@ -124,7 +124,7 @@ let
 buildRule = tn: cn: rule:
 #target validation test:
- assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ ts."${tn}"."${cn}"));
+ assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
 #predicate validation test:
 #maybe use iptables-test
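Review bot: `sortedRules` is bound from `ts."${tn}"."${cn}".rules` before the `hasAttr "rules"` and `== null` guards run; that is safe only because Nix binds lazily and the value is forced solely in the `else` branch, and a comment saying so (`# lazy: only forced once the guards below have passed`) would stop a later reader from "fixing" the order. The comparator `a.precedence < b.precedence` requires every rule to have `precedence` and says nothing about rules of equal precedence, whose relative order is exactly what iptables' first-match evaluation acts on, so the output depends on `sort` being stable — worth confirming for the nixpkgs rev pinned in 0make/lass/mors.makefile. If the rules submodule does not give `precedence` a default, the rule added to 2configs/lass/git-repos.nix in PATCH 02/10 has none and this hunk makes it fail to evaluate. A line above `sortedRules` stating the contract would help: `# rules are emitted in ascending precedence; iptables takes the first match, so a lower value is checked first`.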