Merge remote-tracking branch 'lass/master'

tv 2015-07-19 11:18:15 +02:00
commit 5c52fb9e91
7 changed files with 70 additions and 22 deletions


@ -1,4 +1,4 @@
deploy_host := root@mors
nixpkgs_url := https://github.com/Lassulus/nixpkgs
nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90
nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b
secrets_dir := /home/lass/secrets/mors


@ -33,6 +33,12 @@
];
};
}
{
imports = [ ../../3modules/tv/identity.nix ];
tv.identity = {
enable = true;
};
}
];
networking.hostName = "mors";
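Review bot: The six-line block importing `../../3modules/tv/identity.nix` and setting `tv.identity.enable = true;` is added verbatim here for mors and again in the uriel section below; two copies of the same module wiring tend to drift apart. A shared fragment that both host configs import (for example a single `{ imports = [ ../../3modules/tv/identity.nix ]; tv.identity.enable = true; }` element in a common list) would keep them in step. The enclosing `imports`-style list these elements belong to starts before the hunk, so its other entries are not visible here.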


@ -24,6 +24,12 @@
];
};
}
{
imports = [ ../../3modules/tv/identity.nix ];
tv.identity = {
enable = true;
};
}
];
networking.hostName = "uriel";


@ -121,10 +121,20 @@ in
{
imports = [
../../3modules/tv/git.nix
../../3modules/lass/iptables.nix
];
tv.git = {
enable = true;
inherit repos rules users;
};
lass.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
];
};
};
}
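Review bot: The rule added for `filter.INPUT.rules` carries only `predicate` and `target`, while the iptables module changed in this same commit now sorts chain rules with `sort (a: b: a.precedence < b.precedence)`; unless the module's option declares a default for `precedence` (its option block is outside what is shown), evaluating this host config will fail on the missing attribute. Setting it explicitly, e.g. `{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 0; }`, makes the intended ordering visible in the host config as well. The `lass.iptables` block also sets no chain policy, so the INPUT default policy comes from wherever the module supplies `t."${cn}".policy`; a one-line comment stating the intended default policy would help the next reader judge whether an allow rule on port 80 is the only opening. The enclosing `let … in` expression begins before this hunk.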


@ -83,6 +83,10 @@
channel_target_change = yes;
disable_local_channels = no;
};
general {
#maybe we want ident someday?
disable_auth = yes;
};
'';
};
}


@ -12,6 +12,7 @@
##TODO: make steam module
hardware.opengl.driSupport32Bit = true;
nixpkgs.config.steam.java = true;
environment.systemPackages = with pkgs; [
steam
];


@ -2,7 +2,28 @@ arg@{ config, lib, pkgs, ... }:
let
inherit (pkgs) writeScript writeText;
inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr mkEnableOption mkOption mkIf types;
inherit (lib)
concatMapStringsSep
concatStringsSep
attrNames
unique
fold
any
attrValues
catAttrs
filter
flatten
length
hasAttr
mkEnableOption
mkOption
mkIf
types
sort;
elemIsIn = a: as:
any (x: x == a) as;
cfg = config.lass.iptables;
@ -74,38 +95,38 @@ let
};
};
#buildTable :: iptablesAttrSet` -> str
#buildTable :: iptablesVersion -> iptablesAttrSet` -> str
#todo: differentiate by iptables-version
buildTables = iptv: ts:
buildTables = v: ts:
let
declareChain = t: cn:
#TODO: find out what to do whit these count numbers
":${cn} ${t."${cn}".policy} [0:0]";
buildChain = tn: cn:
#"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
let
sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules;
#TODO: sort by precedence
#TODO: double check should be unneccessary, refactor!
if (hasAttr "rules" ts."${tn}"."${cn}") then
if (ts."${tn}"."${cn}".rules == null) then
""
in
#TODO: double check should be unneccessary, refactor!
if (hasAttr "rules" ts."${tn}"."${cn}") then
if (ts."${tn}"."${cn}".rules == null) then
""
else
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
++ map (buildRule tn cn) sortedRules
)
else
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
++ map buildRule ts."${tn}"."${cn}".rules
)
else
""
;
""
;
buildRule = rule:
#TODO implement rule validation-test here
#
#target:
#target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
buildRule = tn: cn: rule:
#target validation test:
assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
#predicate:
#predicate validation test:
#maybe use iptables-test
#TODO: howto exit with evaluation error by shellscript?
#apperantly not possible from nix because evalatution wouldn't be deterministic.