Merge remote-tracking branch 'ni/master'

This commit is contained in:
lassulus 2021-12-25 20:08:03 +01:00
commit 9f194012bd
8 changed files with 72 additions and 134 deletions

View File

@ -24,13 +24,8 @@ let
type = types.str;
};
private_key = mkOption {
type = types.secret-file;
default = {
name = "exim.dkim_private_key/${config.domain}";
path = "/run/krebs.secret/${config.domain}.dkim_private_key";
owner.name = "exim";
source-path = toString <secrets> + "/${config.domain}.dkim.priv";
};
type = types.absolute-pathname;
default = toString <secrets> + "/${config.domain}.dkim.priv";
defaultText = "secrets/domain.dkim.priv";
};
selector = mkOption {
@ -111,24 +106,13 @@ let
};
imp = {
krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
name = "exim.dkim_private_key/${dkim.domain}";
value = dkim.private_key;
}));
systemd.services = mkIf (cfg.dkim != []) {
exim = {
after = flip map cfg.dkim (dkim:
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
);
partOf = flip map cfg.dkim (dkim:
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
);
};
};
krebs.systemd.services.exim = {};
systemd.services.exim.serviceConfig.LoadCredential =
map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
krebs.exim = {
enable = true;
config = /* exim */ ''
keep_environment =
keep_environment = CREDENTIALS_DIRECTORY
primary_hostname = ${cfg.primary_hostname}
@ -242,8 +226,9 @@ let
${optionalString (cfg.dkim != []) (indent /* exim */ ''
dkim_canon = relaxed
dkim_domain = $sender_address_domain
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}}
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
dkim_strict = true
'')}
helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \
@ -281,10 +266,6 @@ let
inherit (cfg) internet-aliases;
inherit (cfg) system-aliases;
} // optionalAttrs (cfg.dkim != []) {
dkim_private_key = flip map cfg.dkim (dkim: {
from = dkim.domain;
to = dkim.private_key.path;
});
dkim_selector = flip map cfg.dkim (dkim: {
from = dkim.domain;
to = dkim.selector;

View File

@ -122,13 +122,9 @@ let
};
privateKeyFile = mkOption {
type = types.secret-file;
default = {
name = "repo-sync-key";
path = "${cfg.stateDir}/ssh.priv";
owner = cfg.user;
source-path = toString <secrets> + "/repo-sync.ssh.key";
};
type = types.absolute-pathname;
default = toString <secrets> + "/repo-sync.ssh.key";
defaultText = "secrets/repo-sync.ssh.key";
};
unitConfig = mkOption {
@ -144,14 +140,16 @@ let
};
imp = {
krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
group = cfg.user.name;
description = "repo-sync user";
isSystemUser = true;
};
users.groups.${cfg.user.name} = {};
systemd.timers = mapAttrs' (name: repo:
nameValuePair "repo-sync-${name}" {
description = "repo-sync timer";
@ -160,6 +158,10 @@ let
}
) cfg.repos;
krebs.systemd.services = mapAttrs' (name: _:
nameValuePair "repo-sync-${name}" {}
) cfg.repos;
systemd.services = mapAttrs' (name: repo:
let
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
@ -168,16 +170,10 @@ let
});
in nameValuePair "repo-sync-${name}" {
description = "repo-sync";
after = [
config.krebs.secret.files.repo-sync-key.service
"network.target"
];
partOf = [
config.krebs.secret.files.repo-sync-key.service
];
after = [ "network.target" ];
environment = {
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
REPONAME = "${name}.git";
};
@ -185,6 +181,7 @@ let
serviceConfig = {
Type = "simple";
PermissionsStartOnly = true;
LoadCredential = "ssh_key:${cfg.privateKeyFile}";
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
WorkingDirectory = cfg.stateDir;
User = "repo-sync";

View File

@ -31,7 +31,8 @@
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
config.systemd.services.${serviceName}.serviceConfig.LoadCredential);
(lib.toList
config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
}
) config.krebs.systemd.services;

View File

@ -61,13 +61,13 @@ in toFile "charybdis.conf" ''
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
/* ssl_private_key: our ssl private key */
ssl_private_key = ${toJSON cfg.ssl_private_key.path};
ssl_private_key = "/tmp/credentials/ssl_private_key";
/* ssl_cert: certificate for our ssl server */
ssl_cert = ${toJSON cfg.ssl_cert};
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};
ssl_dh_params = "/tmp/credentials/ssl_dh_params";
/* ssld_count: number of ssld processes you want to start, if you
* have a really busy server, using N-1 where N is the number of

View File

@ -15,22 +15,12 @@ in {
type = types.path;
};
ssl_dh_params = mkOption {
type = types.secret-file;
default = {
name = "charybdis-ssl_dh_params";
path = "${cfg.user.home}/dh.pem";
owner = cfg.user;
source-path = toString <secrets> + "/charybdis.dh.pem";
};
type = types.absolute-pathname;
default = toString <secrets> + "/charybdis.dh.pem";
};
ssl_private_key = mkOption {
type = types.secret-file;
default = {
name = "charybdis-ssl_private_key";
path = "${cfg.user.home}/ssl.key.pem";
owner = cfg.user;
source-path = toString <secrets> + "/charybdis.key.pem";
};
type = types.absolute-pathname;
default = toString <secrets> + "/charybdis.key.pem";
};
sslport = mkOption {
type = types.int;
@ -46,22 +36,13 @@ in {
};
config = lib.mkIf cfg.enable {
krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params;
krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key;
environment.etc."charybdis-ircd.motd".text = cfg.motd;
krebs.systemd.services.charybdis = {};
systemd.services.charybdis = {
wantedBy = [ "multi-user.target" ];
after = [
config.krebs.secret.files.charybdis-ssl_dh_params.service
config.krebs.secret.files.charybdis-ssl_private_key.service
"network-online.target"
];
partOf = [
config.krebs.secret.files.charybdis-ssl_dh_params.service
config.krebs.secret.files.charybdis-ssl_private_key.service
];
after = [ "network-online.target" ];
environment = {
BANDB_DBPATH = "${cfg.user.home}/ban.db";
};
@ -70,21 +51,30 @@ in {
User = cfg.user.name;
PrivateTmp = true;
Restart = "always";
ExecStartPre =
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd";
ExecStartPre = [
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
];
ExecStart = toString [
"${pkgs.charybdis}/bin/charybdis"
"-configfile ${import ./config.nix args}"
"-foreground"
"-logfile /dev/stderr"
];
LoadCredential = [
"ssl_dh_params:${cfg.ssl_dh_params}"
"ssl_private_key:${cfg.ssl_private_key}"
];
};
};
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
group = cfg.user.name;
isSystemUser = true;
};
users.groups.${cfg.user.name} = {};
};
}

View File

@ -48,6 +48,9 @@ in /* yaml */ ''
- "::1/128"
- "::FFFF:127.0.0.1/128"
certfiles:
- /tmp/credentials/certfile
hosts: ${toJSON config.hosts}
language: "en"
@ -58,9 +61,8 @@ in /* yaml */ ''
ip: "::"
module: ejabberd_c2s
shaper: c2s_shaper
certfile: ${toJSON config.certfile.path}
ciphers: ${toJSON ciphers}
dhfile: ${toJSON config.dhfile.path}
dhfile: /var/lib/ejabberd/dhfile
protocol_options: ${toJSON protocol_options}
starttls: true
starttls_required: true
@ -109,9 +111,8 @@ in /* yaml */ ''
mod_http_api: {}
s2s_access: s2s
s2s_certfile: ${toJSON config.s2s_certfile.path}
s2s_ciphers: ${toJSON ciphers}
s2s_dhfile: ${toJSON config.dhfile.path}
s2s_dhfile: /var/lib/ejabberd/dhfile
s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false
s2s_use_starttls: required

View File

@ -16,22 +16,8 @@ in {
options.tv.ejabberd = {
enable = mkEnableOption "tv.ejabberd";
certfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-certfile";
path = "${cfg.user.home}/ejabberd.pem";
owner = cfg.user;
source-path = toString <secrets> + "/ejabberd.pem";
};
};
dhfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-dhfile";
path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user;
source-path = "/dev/null";
};
type = types.absolute-pathname;
default = toString <secrets> + "/ejabberd.pem";
};
hosts = mkOption {
type = with types; listOf str;
@ -61,10 +47,6 @@ in {
config.krebs.users.tv.mail
];
};
s2s_certfile = mkOption {
type = types.secret-file;
default = cfg.certfile;
};
user = mkOption {
type = types.user;
default = {
@ -90,27 +72,24 @@ in {
})
];
krebs.secret.files = {
ejabberd-certfile = cfg.certfile;
ejabberd-s2s_certfile = cfg.s2s_certfile;
};
krebs.systemd.services.ejabberd = {};
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
after = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
"network.target"
];
partOf = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
];
after = [ "network.target" ];
serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
ExecStart = pkgs.writeDash "ejabberd" ''
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
${gen-dhparam} /var/lib/ejabberd/dhfile
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
'';
LoadCredential = [
"certfile:${cfg.certfile}"
];
PermissionsStartOnly = true;
PrivateTmp = true;
SyslogIdentifier = "ejabberd";
StateDirectory = "ejabberd";
User = cfg.user.name;
TimeoutStartSec = 60;
};
@ -119,7 +98,10 @@ in {
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
group = cfg.user.name;
isSystemUser = true;
};
users.groups.${cfg.user.name} = {};
};
}

View File

@ -11,17 +11,12 @@ in {
};
enable = mkEnableOption "tv.x0vncserver";
pwfile = mkOption {
default = {
name = "x0vncserver-pwfile";
owner = cfg.user;
path = "${cfg.user.home}/.vncpasswd";
source-path = toString <secrets> + "/vncpasswd";
};
default = toString <secrets> + "/vncpasswd";
description = ''
Use vncpasswd to edit pwfile.
See: nix-shell -p tigervnc --run 'man vncpasswd'
'';
type = types.secret-file;
type = types.absolute-pathname;
};
rfbport = mkOption {
default = 5900;
@ -33,26 +28,17 @@ in {
};
};
config = mkIf cfg.enable {
krebs.secret.files = {
x0vncserver-pwfile = cfg.pwfile;
};
krebs.systemd.services.x0vncserver = {};
systemd.services.x0vncserver = {
after = [
config.krebs.secret.files.x0vncserver-pwfile.service
"graphical.target"
];
partOf = [
config.krebs.secret.files.x0vncserver-pwfile.service
];
requires = [
"graphical.target"
];
after = [ "graphical.target" ];
requires = [ "graphical.target" ];
serviceConfig = {
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
"-display ${cfg.display}"
"-passwordfile ${cfg.pwfile.path}"
"-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile"
"-rfbport ${toString cfg.rfbport}"
]}";
LoadCredential = "ssh_key:${cfg.pwfile}";
User = cfg.user.name;
};
};