Merge remote-tracking branch 'lass/master'
commit
b94fc3265b
@ -1,5 +1,7 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (pkgs) writeText;
|
inherit (pkgs) writeText;
|
||||||
|
|
||||||
@ -7,27 +9,6 @@ let
|
|||||||
elem
|
elem
|
||||||
;
|
;
|
||||||
|
|
||||||
inherit (lib)
|
|
||||||
concatMapStringsSep
|
|
||||||
concatStringsSep
|
|
||||||
attrNames
|
|
||||||
unique
|
|
||||||
fold
|
|
||||||
any
|
|
||||||
attrValues
|
|
||||||
catAttrs
|
|
||||||
filter
|
|
||||||
flatten
|
|
||||||
length
|
|
||||||
hasAttr
|
|
||||||
hasPrefix
|
|
||||||
mkEnableOption
|
|
||||||
mkOption
|
|
||||||
mkIf
|
|
||||||
types
|
|
||||||
sort
|
|
||||||
;
|
|
||||||
|
|
||||||
cfg = config.krebs.iptables;
|
cfg = config.krebs.iptables;
|
||||||
|
|
||||||
out = {
|
out = {
|
||||||
@ -65,6 +46,14 @@ let
|
|||||||
type = int;
|
type = int;
|
||||||
default = 0;
|
default = 0;
|
||||||
};
|
};
|
||||||
|
v4 = mkOption {
|
||||||
|
type = bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
v6 = mkOption {
|
||||||
|
type = bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
})));
|
})));
|
||||||
default = null;
|
default = null;
|
||||||
@ -93,7 +82,7 @@ let
|
|||||||
Type = "simple";
|
Type = "simple";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
ExecStart = "@${startScript} krebs-iptables_start";
|
ExecStart = startScript;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -109,7 +98,8 @@ let
|
|||||||
|
|
||||||
buildChain = tn: cn:
|
buildChain = tn: cn:
|
||||||
let
|
let
|
||||||
sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
|
filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
|
||||||
|
sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
|
||||||
|
|
||||||
in
|
in
|
||||||
#TODO: double check should be unneccessary, refactor!
|
#TODO: double check should be unneccessary, refactor!
|
||||||
@ -123,13 +113,6 @@ let
|
|||||||
|
|
||||||
|
|
||||||
buildRule = tn: cn: rule:
|
buildRule = tn: cn: rule:
|
||||||
#target validation test:
|
|
||||||
assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
|
|
||||||
|
|
||||||
#predicate validation test:
|
|
||||||
#maybe use iptables-test
|
|
||||||
#TODO: howto exit with evaluation error by shellscript?
|
|
||||||
#apperantly not possible from nix because evalatution wouldn't be deterministic.
|
|
||||||
"${rule.predicate} -j ${rule.target}";
|
"${rule.predicate} -j ${rule.target}";
|
||||||
|
|
||||||
buildTable = tn:
|
buildTable = tn:
|
||||||
@ -149,7 +132,7 @@ let
|
|||||||
|
|
||||||
#=====
|
#=====
|
||||||
|
|
||||||
rules4 = iptables-version:
|
rules = iptables-version:
|
||||||
let
|
let
|
||||||
#TODO: find out good defaults.
|
#TODO: find out good defaults.
|
||||||
tables-defaults = {
|
tables-defaults = {
|
||||||
@ -171,14 +154,14 @@ let
|
|||||||
tables = tables-defaults // cfg.tables;
|
tables = tables-defaults // cfg.tables;
|
||||||
|
|
||||||
in
|
in
|
||||||
writeText "krebs-iptables-rules${toString iptables-version}" ''
|
pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
|
||||||
${buildTables iptables-version tables}
|
${buildTables iptables-version tables}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
startScript = pkgs.writeDash "krebs-iptables_start" ''
|
startScript = pkgs.writeDash "krebs-iptables_start" ''
|
||||||
set -euf
|
set -euf
|
||||||
iptables-restore < ${rules4 4}
|
iptables-restore < ${rules "v4"}
|
||||||
ip6tables-restore < ${rules4 6}
|
ip6tables-restore < ${rules "v6"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
in
|
in
|
||||||
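Review bot: The buildRule hunk removes the target validation assert instead of adapting it, so `rule.target` is now interpolated into the iptables-restore input unchecked; the only visible motivation in this merge is that targets such as `REJECT --reject-with tcp-reset` no longer pass an exact `elem` test. Validating the first word keeps the check while admitting arguments: `assert elem (head (splitString " " rule.target)) ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" "REDIRECT" "DNAT" ] ++ attrNames ts."${tn}");` (splitString is the nixpkgs lib function, presumably in scope through `with import <stockholm/lib>`). Because predicate and target are concatenated into a file that iptables-restore parses line by line, a value containing a newline would become an additional rule; either `assert !hasInfix "\n" (rule.predicate + rule.target);` or a comment stating that rule values are trusted NixOS option values would make that boundary explicit. The let block containing buildRule starts and ends outside the hunks shown.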
|
@ -53,9 +53,22 @@ let
|
|||||||
default = "";
|
default = "";
|
||||||
};
|
};
|
||||||
ssl = mkOption {
|
ssl = mkOption {
|
||||||
type = with types; submodule ({
|
type = with types; submodule ({ config, ... }: {
|
||||||
options = {
|
options = {
|
||||||
enable = mkEnableOption "ssl";
|
enable = mkEnableOption "ssl";
|
||||||
|
acmeEnable = mkOption {
|
||||||
|
type = bool;
|
||||||
|
apply = x:
|
||||||
|
if x && config.enable
|
||||||
|
#conflicts because of certificate/certificate_key location
|
||||||
|
then throw "can't use ssl.enable and ssl.acmeEnable together"
|
||||||
|
else x;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
enables automatical generation of lets-encrypt certificates and setting them as certificate
|
||||||
|
conflicts with ssl.enable
|
||||||
|
'';
|
||||||
|
};
|
||||||
certificate = mkOption {
|
certificate = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
};
|
};
|
||||||
@ -95,6 +108,7 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
|
security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
httpConfig = ''
|
httpConfig = ''
|
||||||
@ -117,13 +131,24 @@ let
|
|||||||
|
|
||||||
indent = replaceChars ["\n"] ["\n "];
|
indent = replaceChars ["\n"] ["\n "];
|
||||||
|
|
||||||
|
to-acme = { server-names, ssl, ... }:
|
||||||
|
optionalAttrs ssl.acmeEnable {
|
||||||
|
email = "lassulus@gmail.com";
|
||||||
|
webroot = "${config.security.acme.directory}/${head server-names}";
|
||||||
|
};
|
||||||
|
|
||||||
to-location = { name, value }: ''
|
to-location = { name, value }: ''
|
||||||
location ${name} {
|
location ${name} {
|
||||||
${indent value}
|
${indent value}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
|
to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
|
||||||
|
domain = head server-names;
|
||||||
|
acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
|
||||||
|
root ${config.security.acme.certs.${domain}.webroot};
|
||||||
|
'');
|
||||||
|
in ''
|
||||||
server {
|
server {
|
||||||
server_name ${toString (unique server-names)};
|
server_name ${toString (unique server-names)};
|
||||||
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
|
||||||
@ -142,7 +167,23 @@ let
|
|||||||
ssl_ciphers ${ssl.ciphers};
|
ssl_ciphers ${ssl.ciphers};
|
||||||
ssl_protocols ${toString ssl.protocols};
|
ssl_protocols ${toString ssl.protocols};
|
||||||
'')}
|
'')}
|
||||||
|
${optionalString ssl.acmeEnable (indent ''
|
||||||
|
${optionalString ssl.force_encryption ''
|
||||||
|
if ($scheme = http){
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
''}
|
||||||
|
listen 443 ssl;
|
||||||
|
ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
|
||||||
|
ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
|
||||||
|
${optionalString ssl.prefer_server_ciphers ''
|
||||||
|
ssl_prefer_server_ciphers On;
|
||||||
|
''}
|
||||||
|
ssl_ciphers ${ssl.ciphers};
|
||||||
|
ssl_protocols ${toString ssl.protocols};
|
||||||
|
'')}
|
||||||
${indent extraConfig}
|
${indent extraConfig}
|
||||||
|
${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
|
||||||
${indent (concatMapStrings to-location locations)}
|
${indent (concatMapStrings to-location locations)}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
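Review bot: `to-acme` sets the ACME webroot to `${config.security.acme.directory}/${head server-names}`, the same directory the new server block reads `key.pem` and `fullchain.pem` from, so the private key now sits inside the tree nginx serves the challenge location from; the per-host code this replaces used a separate `/var/lib/acme/challenges/<domain>`. nginx appends the location prefix under `root`, so the key is not directly reachable, but `webroot = "${config.security.acme.directory}/challenges/${head server-names}";` removes the reliance on that detail and on the cert directory's permissions (acmeLocation already follows `certs.${domain}.webroot`). Separately, `to-acme` uses only the first server name: the removed per-host block passed the other names via `extraDomains`, and without something like `extraDomains = genAttrs (tail server-names) (_: null);` the certificate will not cover the remaining `server_name` entries (genAttrs/tail assumed in scope via lib). The imp and to-server definitions continue outside the hunks.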
|
@ -78,7 +78,9 @@ with import <stockholm/lib>;
|
|||||||
extraZones = {
|
extraZones = {
|
||||||
# TODO generate krebsco.de zone from nets and don't use extraZones at all
|
# TODO generate krebsco.de zone from nets and don't use extraZones at all
|
||||||
"krebsco.de" = ''
|
"krebsco.de" = ''
|
||||||
|
krebsco.de. 60 IN MX 5 mx23
|
||||||
cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
|
cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
|
||||||
|
mx23 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
nets = {
|
nets = {
|
||||||
@ -213,7 +215,6 @@ with import <stockholm/lib>;
|
|||||||
ni = {
|
ni = {
|
||||||
extraZones = {
|
extraZones = {
|
||||||
"krebsco.de" = ''
|
"krebsco.de" = ''
|
||||||
krebsco.de. 60 IN MX 5 ni
|
|
||||||
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||||
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||||
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||||
@ -351,11 +352,17 @@ with import <stockholm/lib>;
|
|||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
|
||||||
};
|
};
|
||||||
xu = {
|
xu = {
|
||||||
|
binary-cache = {
|
||||||
|
pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
|
||||||
|
};
|
||||||
cores = 4;
|
cores = 4;
|
||||||
nets = {
|
nets = {
|
||||||
gg23 = {
|
gg23 = {
|
||||||
ip4.addr = "10.23.1.38";
|
ip4.addr = "10.23.1.38";
|
||||||
aliases = ["xu.gg23"];
|
aliases = [
|
||||||
|
"cache.xu.gg23"
|
||||||
|
"xu.gg23"
|
||||||
|
];
|
||||||
ssh.port = 11423;
|
ssh.port = 11423;
|
||||||
};
|
};
|
||||||
retiolum = {
|
retiolum = {
|
||||||
|
@ -37,7 +37,17 @@ rec {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
writeBash = makeScriptWriter "${pkgs.bash}/bin/bash";
|
writeBash = name: text:
|
||||||
|
assert (with types; either absolute-pathname filename).check name;
|
||||||
|
pkgs.writeOut (baseNameOf name) {
|
||||||
|
${optionalString (types.absolute-pathname.check name) name} = {
|
||||||
|
check = pkgs.writeDash "shellcheck.sh" ''
|
||||||
|
${pkgs.haskellPackages.ShellCheck}/bin/shellcheck "$1" || :
|
||||||
|
'';
|
||||||
|
executable = true;
|
||||||
|
text = "#! ${pkgs.bash}/bin/bash\n${text}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
writeBashBin = name:
|
writeBashBin = name:
|
||||||
assert types.filename.check name;
|
assert types.filename.check name;
|
||||||
@ -91,6 +101,7 @@ rec {
|
|||||||
|
|
||||||
writers.text =
|
writers.text =
|
||||||
{ path
|
{ path
|
||||||
|
, check ? null
|
||||||
, executable ? false
|
, executable ? false
|
||||||
, mode ? if executable then "0755" else "0644"
|
, mode ? if executable then "0755" else "0644"
|
||||||
, text
|
, text
|
||||||
@ -102,6 +113,9 @@ rec {
|
|||||||
var = "file_${hashString "sha1" path}";
|
var = "file_${hashString "sha1" path}";
|
||||||
val = text;
|
val = text;
|
||||||
install = /* sh */ ''
|
install = /* sh */ ''
|
||||||
|
${optionalString (check != null) /* sh */ ''
|
||||||
|
${check} ''$${var}Path
|
||||||
|
''}
|
||||||
${pkgs.coreutils}/bin/install -m ${mode} -D ''$${var}Path $out${path}
|
${pkgs.coreutils}/bin/install -m ${mode} -D ''$${var}Path $out${path}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
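Review bot: The shellcheck hook in `writeBash` ends in `|| :`, so a lint failure never fails the build and the finding only shows up in the build log, which makes the new `check` mechanism in `writers.text` advisory at best. If a gate is intended, drop the `|| :`; if it is deliberately non-fatal, say so where it is written, e.g. `# shellcheck is advisory: findings go to the build log and never fail the build`. The attribute name `${optionalString (types.absolute-pathname.check name) name}` becomes the empty string for a bare filename, which presumably makes writeOut install to `$out` itself (the install line uses `$out${path}`); a one-line comment there would save the next reader a trip into writeOut. The `rec` set these writers belong to starts before the first hunk.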
|
@ -5,8 +5,8 @@ stdenv.mkDerivation {
|
|||||||
|
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = http://cgit.ni.krebsco.de/dic;
|
url = http://cgit.ni.krebsco.de/dic;
|
||||||
rev = "refs/tags/v1.0.0";
|
rev = "refs/tags/v1.0.1";
|
||||||
sha256 = "0f3f5dqpw5y79p2k68qw6jdlkrnapqs3nvnc41zwacyhgppiww0k";
|
sha256 = "1686mba1z4m7vq70w26qpl00z1cz286c9bya9ql36g6w2pbcs8d3";
|
||||||
};
|
};
|
||||||
|
|
||||||
phases = [
|
phases = [
|
||||||
|
@ -19,6 +19,7 @@ stdenv.mkDerivation {
|
|||||||
git
|
git
|
||||||
gnugrep
|
gnugrep
|
||||||
gnused
|
gnused
|
||||||
|
nettools
|
||||||
openssh
|
openssh
|
||||||
socat
|
socat
|
||||||
]);
|
]);
|
||||||
|
@ -1,11 +1,11 @@
|
|||||||
{ mkDerivation, base, fetchgit, stdenv }:
|
{ mkDerivation, base, fetchgit, stdenv }:
|
||||||
mkDerivation {
|
mkDerivation rec {
|
||||||
pname = "blessings";
|
pname = "blessings";
|
||||||
version = "1.0.0";
|
version = "1.1.0";
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = http://cgit.ni.krebsco.de/blessings;
|
url = http://cgit.ni.krebsco.de/blessings;
|
||||||
rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f";
|
rev = "refs/tags/v${version}";
|
||||||
sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc";
|
sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1";
|
||||||
};
|
};
|
||||||
libraryHaskellDepends = [ base ];
|
libraryHaskellDepends = [ base ];
|
||||||
doHaddock = false;
|
doHaddock = false;
|
||||||
|
@ -2,6 +2,6 @@
|
|||||||
|
|
||||||
fetchgit {
|
fetchgit {
|
||||||
url = https://github.com/krebscode/painload;
|
url = https://github.com/krebscode/painload;
|
||||||
rev = "8df031f810a2776d8c43b03a9793cb49398bd33b";
|
rev = "c113487f73713a03b1a139b22bb34b86234d0495";
|
||||||
sha256 = "03md5k6fmz0j1ny22iw96dzq7cvijbz24ii85i0h2dhcychdp650";
|
sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6";
|
||||||
}
|
}
|
||||||
|
@ -28,6 +28,9 @@ with import <stockholm/lib>;
|
|||||||
services.xserver.enable = true;
|
services.xserver.enable = true;
|
||||||
services.xserver.desktopManager.xfce.enable = true;
|
services.xserver.desktopManager.xfce.enable = true;
|
||||||
networking.wireless.enable = true;
|
networking.wireless.enable = true;
|
||||||
|
hardware.pulseaudio = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
users.users.ferret = {
|
users.users.ferret = {
|
||||||
uid = genid "ferret";
|
uid = genid "ferret";
|
||||||
home = "/home/ferret";
|
home = "/home/ferret";
|
||||||
|
@ -194,7 +194,9 @@ with import <stockholm/lib>;
|
|||||||
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
|
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
|
||||||
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
|
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
|
||||||
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
|
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
|
||||||
{ predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; }
|
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
|
||||||
|
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
|
||||||
|
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
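Review bot: The three REJECT rules replace a single `-i retiolum` REJECT that applied to both address families, but the UDP and catch-all rules carry `v6 = false` (the `icmp-*-unreachable` names are IPv4-only), so under ip6tables only TCP from retiolum is still rejected and any other IPv6 traffic now falls through to whatever follows in the chain — a behaviour change the commit does not mention. An IPv6 counterpart restores the old coverage: `{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp6-port-unreachable"; v4 = false; precedence = -10000; }`. All three v4 rules share precedence -10000, so the catch-all landing after the tcp/udp rules depends on the sort being stable; a slightly lower value such as `-10001` for the catch-all makes the order explicit. The enclosing rules list starts before the hunk.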
|
@ -12,7 +12,7 @@ let
|
|||||||
|
|
||||||
msmtp = pkgs.writeBashBin "msmtp" ''
|
msmtp = pkgs.writeBashBin "msmtp" ''
|
||||||
${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
|
${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
|
||||||
${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
|
${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
muttrc = pkgs.writeText "muttrc" ''
|
muttrc = pkgs.writeText "muttrc" ''
|
||||||
|
@ -3,6 +3,6 @@
|
|||||||
{
|
{
|
||||||
krebs.build.source.nixpkgs.git = {
|
krebs.build.source.nixpkgs.git = {
|
||||||
url = https://github.com/nixos/nixpkgs;
|
url = https://github.com/nixos/nixpkgs;
|
||||||
ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
|
ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -41,7 +41,7 @@ let
|
|||||||
mirror.url = "${mirror}${name}";
|
mirror.url = "${mirror}${name}";
|
||||||
};
|
};
|
||||||
tv = {
|
tv = {
|
||||||
origin.url = "http://cgit.ni.i/${name}";
|
origin.url = "http://cgit.ni.r/${name}";
|
||||||
mirror.url = "${mirror}${name}";
|
mirror.url = "${mirror}${name}";
|
||||||
};
|
};
|
||||||
lassulus = {
|
lassulus = {
|
||||||
|
@ -8,28 +8,29 @@ rec {
|
|||||||
let
|
let
|
||||||
domain = head domains;
|
domain = head domains;
|
||||||
in {
|
in {
|
||||||
security.acme = {
|
#security.acme = {
|
||||||
certs."${domain}" = {
|
# certs."${domain}" = {
|
||||||
email = "lassulus@gmail.com";
|
# email = "lassulus@gmail.com";
|
||||||
webroot = "/var/lib/acme/challenges/${domain}";
|
# webroot = "/var/lib/acme/challenges/${domain}";
|
||||||
plugins = [
|
# plugins = [
|
||||||
"account_key.json"
|
# "account_key.json"
|
||||||
"key.pem"
|
# "key.pem"
|
||||||
"fullchain.pem"
|
# "fullchain.pem"
|
||||||
];
|
# ];
|
||||||
group = "nginx";
|
# group = "nginx";
|
||||||
allowKeysForGroup = true;
|
# allowKeysForGroup = true;
|
||||||
extraDomains = genAttrs domains (_: null);
|
# extraDomains = genAttrs domains (_: null);
|
||||||
};
|
# };
|
||||||
};
|
#};
|
||||||
|
|
||||||
krebs.nginx.servers."${domain}" = {
|
krebs.nginx.servers."${domain}" = {
|
||||||
|
ssl.acmeEnable = true;
|
||||||
server-names = domains;
|
server-names = domains;
|
||||||
locations = [
|
#locations = [
|
||||||
(nameValuePair "/.well-known/acme-challenge" ''
|
# (nameValuePair "/.well-known/acme-challenge" ''
|
||||||
root /var/lib/acme/challenges/${domain}/;
|
# root /var/lib/acme/challenges/${domain}/;
|
||||||
'')
|
# '')
|
||||||
];
|
#];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -37,7 +38,7 @@ rec {
|
|||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
( manageCerts domains )
|
( manageCerts domains )
|
||||||
( activateACME (head domains) )
|
#( activateACME (head domains) )
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
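Review bot: The `security.acme` and `locations` blocks are commented out rather than deleted, leaving roughly twenty lines of dead configuration beside the live `ssl.acmeEnable = true;`; since this now lives in the krebs nginx module, remove them (history keeps the old values). Before removing them, note what the generic path does not carry over: this block set `group = "nginx"; allowKeysForGroup = true;` so nginx could read the key, and `extraDomains` for the additional names, whereas the replacement `to-acme` elsewhere in this merge sets only `email` and `webroot` — nginx's ability to read `key.pem` should be verified on an affected host. `activateACME` is likewise commented out in imports; if it is obsolete, drop both the import and the definition.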
|
@ -70,9 +70,7 @@
|
|||||||
extra-depends = deps;
|
extra-depends = deps;
|
||||||
text = ''
|
text = ''
|
||||||
import Data.Monoid
|
import Data.Monoid
|
||||||
import System.IO
|
import System.Environment (getArgs)
|
||||||
import Data.Char (chr)
|
|
||||||
import System.Environment (getEnv, getArgs)
|
|
||||||
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
|
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
|
||||||
import qualified Data.ByteString.Char8 as BS8
|
import qualified Data.ByteString.Char8 as BS8
|
||||||
import System.Exit (exitFailure, exitSuccess)
|
import System.Exit (exitFailure, exitSuccess)
|
||||||
@ -96,16 +94,29 @@
|
|||||||
import System.Environment (getEnv)
|
import System.Environment (getEnv)
|
||||||
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
|
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
|
||||||
import qualified Data.ByteString.Char8 as BS8
|
import qualified Data.ByteString.Char8 as BS8
|
||||||
import System.IO (stdin, hSetEcho, putStrLn)
|
import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)
|
||||||
|
import Control.Exception (bracket_)
|
||||||
|
|
||||||
main :: IO ()
|
main :: IO ()
|
||||||
main = do
|
main = do
|
||||||
home <- getEnv "HOME"
|
home <- getEnv "HOME"
|
||||||
putStrLn "password:"
|
mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do
|
||||||
hSetEcho stdin False
|
putStr "Enter new UNIX password: "
|
||||||
|
hFlush stdout
|
||||||
password <- BS8.hGetLine stdin
|
password <- BS8.hGetLine stdin
|
||||||
|
putStrLn ""
|
||||||
|
putStr "Retype new UNIX password: "
|
||||||
|
hFlush stdout
|
||||||
|
password2 <- BS8.hGetLine stdin
|
||||||
|
return $ if password == password2
|
||||||
|
then Just password
|
||||||
|
else Nothing
|
||||||
|
case mb_password of
|
||||||
|
Just password -> do
|
||||||
hash <- makePasswordWith pbkdf2 password 10
|
hash <- makePasswordWith pbkdf2 password 10
|
||||||
BS8.writeFile (home ++ "/.shadow") hash
|
BS8.writeFile (home ++ "/.shadow") hash
|
||||||
|
putStrLn "passwd: all authentication tokens updated successfully."
|
||||||
|
Nothing -> putStrLn "Sorry, passwords do not match"
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
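Review bot: On a mismatch the `Nothing` branch prints "Sorry, passwords do not match" and then returns normally, so the program exits with status 0 and a caller cannot distinguish failure from success; end it with `Nothing -> putStrLn "Sorry, passwords do not match" >> exitFailure` and add `import System.Exit (exitFailure)` as the verifier program above already does. An empty password is also accepted, because two empty lines compare equal; `if password == password2 && not (BS8.null password)` matches what passwd(1) does. Wrapping the prompts in `bracket_` so echo is restored on exceptions is a good addition. The `.shadow` write itself (file mode, strength 10) is unchanged by this commit.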
|
@ -15,7 +15,6 @@ with import <stockholm/lib>;
|
|||||||
../2configs/nginx/public_html.nix
|
../2configs/nginx/public_html.nix
|
||||||
../2configs/pulse.nix
|
../2configs/pulse.nix
|
||||||
../2configs/retiolum.nix
|
../2configs/retiolum.nix
|
||||||
../2configs/wu-binary-cache/client.nix
|
|
||||||
../2configs/xserver
|
../2configs/xserver
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -16,7 +16,6 @@ with import <stockholm/lib>;
|
|||||||
../2configs/nginx/public_html.nix
|
../2configs/nginx/public_html.nix
|
||||||
../2configs/pulse.nix
|
../2configs/pulse.nix
|
||||||
../2configs/retiolum.nix
|
../2configs/retiolum.nix
|
||||||
../2configs/wu-binary-cache
|
|
||||||
../2configs/xserver
|
../2configs/xserver
|
||||||
{
|
{
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -15,7 +15,7 @@ with import <stockholm/lib>;
|
|||||||
../2configs/nginx/public_html.nix
|
../2configs/nginx/public_html.nix
|
||||||
../2configs/pulse.nix
|
../2configs/pulse.nix
|
||||||
../2configs/retiolum.nix
|
../2configs/retiolum.nix
|
||||||
../2configs/wu-binary-cache/client.nix
|
../2configs/binary-cache
|
||||||
../2configs/xserver
|
../2configs/xserver
|
||||||
../2configs/xu-qemu0.nix
|
../2configs/xu-qemu0.nix
|
||||||
{
|
{
|
||||||
|
@ -21,7 +21,6 @@ with import <stockholm/lib>;
|
|||||||
../2configs/nginx/public_html.nix
|
../2configs/nginx/public_html.nix
|
||||||
../2configs/pulse.nix
|
../2configs/pulse.nix
|
||||||
../2configs/retiolum.nix
|
../2configs/retiolum.nix
|
||||||
../2configs/wu-binary-cache/client.nix
|
|
||||||
../2configs/xserver
|
../2configs/xserver
|
||||||
{
|
{
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
@ -58,6 +58,18 @@ with import <stockholm/lib>;
|
|||||||
dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; };
|
dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; };
|
||||||
startAt = "07:00";
|
startAt = "07:00";
|
||||||
};
|
};
|
||||||
|
xu-pull-ni-ejabberd = {
|
||||||
|
method = "pull";
|
||||||
|
src = { host = config.krebs.hosts.ni; path = "/var/ejabberd"; };
|
||||||
|
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-ejabberd"; };
|
||||||
|
startAt = "07:00";
|
||||||
|
};
|
||||||
|
xu-pull-ni-home = {
|
||||||
|
method = "pull";
|
||||||
|
src = { host = config.krebs.hosts.ni; path = "/home"; };
|
||||||
|
dst = { host = config.krebs.hosts.xu; path = "/bku/ni-home"; };
|
||||||
|
startAt = "07:00";
|
||||||
|
};
|
||||||
zu-home-xu = {
|
zu-home-xu = {
|
||||||
method = "push";
|
method = "push";
|
||||||
src = { host = config.krebs.hosts.zu; path = "/home"; };
|
src = { host = config.krebs.hosts.zu; path = "/home"; };
|
||||||
@ -76,6 +88,18 @@ with import <stockholm/lib>;
|
|||||||
dst = { host = config.krebs.hosts.zu; path = "/bku/cd-home"; };
|
dst = { host = config.krebs.hosts.zu; path = "/bku/cd-home"; };
|
||||||
startAt = "06:30";
|
startAt = "06:30";
|
||||||
};
|
};
|
||||||
|
zu-pull-ni-ejabberd = {
|
||||||
|
method = "pull";
|
||||||
|
src = { host = config.krebs.hosts.ni; path = "/var/ejabberd"; };
|
||||||
|
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-ejabberd"; };
|
||||||
|
startAt = "06:00";
|
||||||
|
};
|
||||||
|
zu-pull-ni-home = {
|
||||||
|
method = "pull";
|
||||||
|
src = { host = config.krebs.hosts.ni; path = "/home"; };
|
||||||
|
dst = { host = config.krebs.hosts.zu; path = "/bku/ni-home"; };
|
||||||
|
startAt = "06:30";
|
||||||
|
};
|
||||||
} // mapAttrs (_: recursiveUpdate {
|
} // mapAttrs (_: recursiveUpdate {
|
||||||
snapshots = {
|
snapshots = {
|
||||||
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; };
|
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; };
|
||||||
|
@ -1,22 +1,30 @@
|
|||||||
{ config, lib, pkgs, ... }: with import <stockholm/lib>;
|
{ config, lib, pkgs, ... }: with import <stockholm/lib>;
|
||||||
{
|
{
|
||||||
services.nix-serve = assert config.krebs.build.host.name == "wu"; {
|
environment.etc."binary-cache.pubkey".text =
|
||||||
|
config.krebs.build.host.binary-cache.pubkey;
|
||||||
|
|
||||||
|
services.nix-serve = {
|
||||||
enable = true;
|
enable = true;
|
||||||
secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
|
secretKeyFile = config.krebs.secret.files.binary-cache-seckey.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.nix-serve = {
|
systemd.services.nix-serve = {
|
||||||
requires = ["secret.service"];
|
requires = ["secret.service"];
|
||||||
after = ["secret.service"];
|
after = ["secret.service"];
|
||||||
};
|
};
|
||||||
krebs.secret.files.nix-serve-key = {
|
|
||||||
|
krebs.secret.files.binary-cache-seckey = {
|
||||||
path = "/run/secret/nix-serve.key";
|
path = "/run/secret/nix-serve.key";
|
||||||
owner.name = "nix-serve";
|
owner.name = "nix-serve";
|
||||||
source-path = toString <secrets> + "/nix-serve.key";
|
source-path = toString <secrets> + "/nix-serve.key";
|
||||||
};
|
};
|
||||||
|
|
||||||
krebs.nginx = {
|
krebs.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
servers.nix-serve = {
|
servers.nix-serve = {
|
||||||
server-names = [ "cache.wu.gg23" ];
|
server-names = [
|
||||||
|
"cache.${config.krebs.build.host.name}.gg23"
|
||||||
|
];
|
||||||
locations = singleton (nameValuePair "/" ''
|
locations = singleton (nameValuePair "/" ''
|
||||||
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
||||||
'');
|
'');
|
@ -14,7 +14,7 @@ with import <stockholm/lib>;
|
|||||||
stockholm.file = "/home/tv/stockholm";
|
stockholm.file = "/home/tv/stockholm";
|
||||||
nixpkgs.git = {
|
nixpkgs.git = {
|
||||||
url = https://github.com/NixOS/nixpkgs;
|
url = https://github.com/NixOS/nixpkgs;
|
||||||
ref = "a6728e15cbca1d11553f01d7c3c477ae2debfd8e";
|
ref = "728a9578e31a0f78f6ad07a3a2ec706ec5290f10";
|
||||||
};
|
};
|
||||||
} // optionalAttrs host.secure {
|
} // optionalAttrs host.secure {
|
||||||
secrets-master.file = "/home/tv/secrets/master";
|
secrets-master.file = "/home/tv/secrets/master";
|
||||||
|
@ -29,8 +29,10 @@ let
|
|||||||
cac-api = {
|
cac-api = {
|
||||||
cgit.desc = "CloudAtCost API command line interface";
|
cgit.desc = "CloudAtCost API command line interface";
|
||||||
};
|
};
|
||||||
|
dic = {
|
||||||
|
cgit.desc = "dict.leo.org command line interface";
|
||||||
|
};
|
||||||
get = {};
|
get = {};
|
||||||
hack = {};
|
|
||||||
load-env = {};
|
load-env = {};
|
||||||
loldns = {
|
loldns = {
|
||||||
cgit.desc = "toy DNS server";
|
cgit.desc = "toy DNS server";
|
||||||
@ -40,12 +42,9 @@ let
|
|||||||
netcup = {
|
netcup = {
|
||||||
cgit.desc = "netcup command line interface";
|
cgit.desc = "netcup command line interface";
|
||||||
};
|
};
|
||||||
newsbot-js = {};
|
|
||||||
nixpkgs = {};
|
|
||||||
populate = {
|
populate = {
|
||||||
cgit.desc = "source code installer";
|
cgit.desc = "source code installer";
|
||||||
};
|
};
|
||||||
push = {};
|
|
||||||
regfish = {};
|
regfish = {};
|
||||||
soundcloud = {
|
soundcloud = {
|
||||||
cgit.desc = "SoundCloud command line interface";
|
cgit.desc = "SoundCloud command line interface";
|
||||||
@ -53,8 +52,10 @@ let
|
|||||||
stockholm = {
|
stockholm = {
|
||||||
cgit.desc = "NixOS configuration";
|
cgit.desc = "NixOS configuration";
|
||||||
};
|
};
|
||||||
with-tmpdir = {};
|
} // mapAttrs (_: recursiveUpdate { cgit.section = "2. Host configurations"; }) {
|
||||||
} // mapAttrs (_: recursiveUpdate { cgit.section = "2. Haskell libraries"; }) {
|
ni = {
|
||||||
|
};
|
||||||
|
} // mapAttrs (_: recursiveUpdate { cgit.section = "3. Haskell libraries"; }) {
|
||||||
blessings = {};
|
blessings = {};
|
||||||
mime = {};
|
mime = {};
|
||||||
quipper = {};
|
quipper = {};
|
||||||
@ -63,12 +64,15 @@ let
|
|||||||
web-routes-wai-custom = {};
|
web-routes-wai-custom = {};
|
||||||
xintmap = {};
|
xintmap = {};
|
||||||
xmonad-stockholm = {};
|
xmonad-stockholm = {};
|
||||||
} // mapAttrs (_: recursiveUpdate { cgit.section = "3. museum"; }) {
|
} // mapAttrs (_: recursiveUpdate { cgit.section = "4. museum"; }) {
|
||||||
cgserver = {};
|
cgserver = {};
|
||||||
crude-mail-setup = {};
|
crude-mail-setup = {};
|
||||||
dot-xmonad = {};
|
dot-xmonad = {};
|
||||||
|
make-snapshot = {};
|
||||||
nixos-infest = {};
|
nixos-infest = {};
|
||||||
painload = {};
|
painload = {};
|
||||||
|
push = {};
|
||||||
|
with-tmpdir = {};
|
||||||
});
|
});
|
||||||
|
|
||||||
restricted-repos = mapAttrs make-restricted-repo (
|
restricted-repos = mapAttrs make-restricted-repo (
|
||||||
|
@ -1,7 +0,0 @@
|
|||||||
_:
|
|
||||||
{
|
|
||||||
nix = {
|
|
||||||
binaryCaches = ["http://cache.wu.gg23"];
|
|
||||||
binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="];
|
|
||||||
};
|
|
||||||
}
|
|
@ -35,9 +35,6 @@ with import <stockholm/lib>;
|
|||||||
ff = pkgs.writeDashBin "ff" ''
|
ff = pkgs.writeDashBin "ff" ''
|
||||||
exec ${pkgs.firefoxWrapper}/bin/firefox "$@"
|
exec ${pkgs.firefoxWrapper}/bin/firefox "$@"
|
||||||
'';
|
'';
|
||||||
gnupg =
|
gnupg = pkgs.gnupg21;
|
||||||
if elem config.krebs.build.host.name ["xu" "wu"]
|
|
||||||
then super.gnupg21
|
|
||||||
else super.gnupg;
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
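Review bot: `gnupg = pkgs.gnupg21;` reaches into the final package set, whereas the removed branch used `super.gnupg21`; if this attribute set is still an override body, as the removed lines suggest, `gnupg = super.gnupg21;` keeps the override self-contained and avoids evaluating through the fixpoint. A one-line comment on why gnupg 2.1 is now the default on every host rather than only xu and wu would document the policy change. The enclosing set starts before the hunk.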
|