Merge remote-tracking branch 'cd/master'

krebs/5pkgs/get/default.nix

@@ -1,12 +1,12 @@
 { coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }:
 
 stdenv.mkDerivation {
-  name = "get-1.4.0";
+  name = "get-1.4.1";
 
   src = fetchgit {
     url = http://cgit.cd.krebsco.de/get;
-    rev = "08757d47c480c130d69270855c6c0371f6b7d385";
+    rev = "41c0c35805ec1708729f73d14650d8ebc94a405b";
-    sha256 = "7c609e2cde7a071bbf62241a7bea60313fdbf076b9f7b3d97226417e13e5ba9d";
+    sha256 = "0rx1qsbb4py14795yhhqwlvaibj2569fqm7x2671l868xi59h9f9";
   };
 
   phases = [

tv/1systems/cd.nix

@@ -18,7 +18,7 @@ with config.krebs.lib;
         enable = true;
         ssl_cert = ../Zcerts/charybdis_cd.crt.pem;
       };
-      tv.iptables.input-retiolum-accept-new-tcp = [
+      tv.iptables.input-retiolum-accept-tcp = [
         config.tv.charybdis.port
         config.tv.charybdis.sslport
       ];
@@ -28,14 +28,14 @@ with config.krebs.lib;
         enable = true;
         hosts = [ "jabber.viljetic.de" ];
       };
-      tv.iptables.input-internet-accept-new-tcp = [
+      tv.iptables.input-internet-accept-tcp = [
         "xmpp-client"
         "xmpp-server"
       ];
     }
     {
       krebs.github-hosts-sync.enable = true;
-      tv.iptables.input-internet-accept-new-tcp =
+      tv.iptables.input-internet-accept-tcp =
         singleton config.krebs.github-hosts-sync.port;
     }
     {
@@ -57,7 +57,7 @@ with config.krebs.lib;
           root ${pkgs.viljetic-pages};
         '');
       };
-      tv.iptables.input-internet-accept-new-tcp = singleton "http";
+      tv.iptables.input-internet-accept-tcp = singleton "http";
     }
   ];
 

tv/1systems/mkdir.nix

@@ -22,12 +22,12 @@ in
     {
       tv.iptables = {
         enable = true;
-        input-internet-accept-new-tcp = [
+        input-internet-accept-tcp = [
           "ssh"
           "tinc"
           "smtp"
         ];
-        input-retiolum-accept-new-tcp = [
+        input-retiolum-accept-tcp = [
           "http"
         ];
       };

tv/1systems/mu.nix

@@ -76,7 +76,7 @@ with config.krebs.lib;
 
   environment.systemPackages = with pkgs; [
     slock
-    tinc
+    tinc_pre
     iptables
     vim
     gimp

tv/1systems/rmdir.nix

@@ -22,12 +22,12 @@ in
     {
       tv.iptables = {
         enable = true;
-        input-internet-accept-new-tcp = [
+        input-internet-accept-tcp = [
           "ssh"
           "tinc"
           "smtp"
         ];
-        input-retiolum-accept-new-tcp = [
+        input-retiolum-accept-tcp = [
           "http"
         ];
       };

tv/1systems/wu.nix

@@ -38,7 +38,7 @@ with config.krebs.lib;
         dic
         file
         get
-        gnupg21
+        gnupg1compat
         haskellPackages.hledger
         htop
         jq
@@ -153,7 +153,7 @@ with config.krebs.lib;
 
   environment.systemPackages = with pkgs; [
     ethtool
-    tinc
+    tinc_pre
     iptables
     #jack2
   ];

tv/1systems/xu.nix

@@ -49,7 +49,7 @@ with config.krebs.lib;
         cac-api
         dic
         file
-        gnupg21
+        gnupg1compat
         haskellPackages.hledger
         htop
         jq
@@ -163,7 +163,7 @@ with config.krebs.lib;
 
   environment.systemPackages = with pkgs; [
     ethtool
-    tinc
+    tinc_pre
     iptables
     #jack2
 

tv/2configs/default.nix

@@ -174,7 +174,7 @@ with config.krebs.lib;
           { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
-      tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
+      tv.iptables.input-internet-accept-tcp = singleton "ssh";
     }
 
     {

tv/2configs/exim-retiolum.nix

@@ -4,5 +4,5 @@ with config.krebs.lib;
 
 {
   krebs.exim-retiolum.enable = true;
-  tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+  tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
 }

tv/2configs/exim-smarthost.nix

@@ -43,5 +43,5 @@ with config.krebs.lib;
       { from = "mirko"; to = "mv"; }
     ];
   };
-  tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
+  tv.iptables.input-internet-accept-tcp = singleton "smtp";
 }

tv/2configs/nginx/default.nix

@@ -12,6 +12,6 @@ with config.krebs.lib;
     ];
   };
   tv.iptables = optionalAttrs config.krebs.nginx.enable {
-    input-retiolum-accept-new-tcp = singleton "http";
+    input-retiolum-accept-tcp = singleton "http";
   };
 }

tv/2configs/nginx/public_html.nix

@@ -11,5 +11,5 @@ with config.krebs.lib;
       '')
     ];
   };
-  tv.iptables.input-internet-accept-new-tcp = singleton "http";
+  tv.iptables.input-internet-accept-tcp = singleton "http";
 }

tv/2configs/retiolum.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 with config.krebs.lib;
 
@@ -12,6 +12,8 @@ with config.krebs.lib;
       "cd"
       "ire"
     ];
+    tincPackage = pkgs.tinc_pre;
   };
-  tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
+  tv.iptables.input-internet-accept-tcp = singleton "tinc";
+  tv.iptables.input-internet-accept-udp = singleton "tinc";
 }

tv/3modules/iptables.nix

@@ -17,12 +17,22 @@ let
       default = "retiolum";
     };
 
-    input-internet-accept-new-tcp = mkOption {
+    input-internet-accept-tcp = mkOption {
       type = with types; listOf (either int str);
       default = [];
     };
 
-    input-retiolum-accept-new-tcp = mkOption {
+    input-internet-accept-udp = mkOption {
+      type = with types; listOf (either int str);
+      default = [];
+    };
+
+    input-retiolum-accept-tcp = mkOption {
+      type = with types; listOf (either int str);
+      default = [];
+    };
+
+    input-retiolum-accept-udp = mkOption {
       type = with types; listOf (either int str);
       default = [];
     };
@@ -83,8 +93,8 @@ let
       ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
       ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
     }."ip${toString iptables-version}tables";
-    accept-new-tcp = port:
+    accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT";
-      "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+    accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT";
   in
     pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
       *nat
@@ -112,13 +122,15 @@ let
           "-i lo -j ACCEPT"
         ]
         ++ optional (cfg.accept-echo-request == "internet") accept-echo-request
-        ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
+        ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp))
+        ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp))
         ++ ["-i retiolum -j Retiolum"]
       )}
       ${formatTable cfg.extra.filter}
       ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
         ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
-        ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
+        ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
+        ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp))
         ++ {
           ip4tables = [
             "-p tcp -j REJECT --reject-with tcp-reset"

tv/5pkgs/default.nix

@@ -16,6 +16,10 @@
       erlang = pkgs.erlangR16;
     };
     ff = pkgs.callPackage ./ff {};
+    gnupg =
+      if elem config.krebs.build.host.name ["xu" "wu"]
+        then super.gnupg21
+        else super.gnupg;
     q = pkgs.callPackage ./q {};
     viljetic-pages = pkgs.callPackage ./viljetic-pages {};
     xmonad-tv = import ./xmonad-tv.nix { inherit pkgs; };