From acd91d2263840c6c4b97195239c4e1a1f8287cdf Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 27 Jan 2022 12:19:47 +0100
Subject: [PATCH 01/13] krebs modules: reorder main imports

---
 krebs/3modules/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index b58b52038..cc4f4d492 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -19,13 +19,13 @@ let
 ./current.nix
 ./dns.nix
 ./ergo.nix
- ./exim.nix
 ./exim-retiolum.nix
 ./exim-smarthost.nix
+ ./exim.nix
 ./fetchWallpaper.nix
+ ./git.nix
 ./github-hosts-sync.nix
 ./github-known-hosts.nix
- ./git.nix
 ./go.nix
 ./hidden-ssh.nix
 ./hosts.nix
@@ -38,11 +38,12 @@ let
 ./nixpkgs.nix
 ./on-failure.nix
 ./os-release.nix
- ./permown.nix
 ./per-user.nix
+ ./permown.nix
 ./power-action.nix
 ./reaktor2.nix
 ./realwallpaper.nix
+ ./repo-sync.nix
 ./retiolum-bootstrap.nix
 ./rtorrent.nix
 ./secret.nix
@@ -55,7 +56,6 @@ let
 ./tinc_graphs.nix
 ./upstream
 ./urlwatch.nix
- ./repo-sync.nix
 ./xresources.nix
 ./zones.nix
 ];

From 109f6ab1c5bef23922c6e96b3f3f2dedc81b6d78 Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 27 Jan 2022 12:20:31 +0100
Subject: [PATCH 02/13] krebs modules: reorder externals

---
 krebs/3modules/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index cc4f4d492..e8f0d35e4 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -102,13 +102,13 @@ let
 imp = lib.mkMerge [
 { krebs = import ./external { inherit config; }; }
+ { krebs = import ./external/kmein.nix { inherit config; }; }
+ { krebs = import ./external/mic92.nix { inherit config; }; }
+ { krebs = import ./external/palo.nix { inherit config; }; }
 { krebs = import ./jeschli { inherit config; }; }
 { krebs = import ./krebs { inherit config; }; }
 { krebs = import ./lass { inherit config; }; }
 { krebs = import ./makefu { inherit config; }; }
- { krebs = import ./external/palo.nix { inherit config; }; }
- { krebs = import ./external/mic92.nix { inherit config; }; }
- { krebs = import ./external/kmein.nix { inherit config; }; }
 { krebs = import ./tv { inherit config; }; }
 { krebs.dns.providers = {

From 8c81dde1f3b3ce8edcad2ca42ff973c06c13d788 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 28 Jan 2022 23:34:21 +0100
Subject: [PATCH 03/13] l: add acl module

---
 lass/3modules/acl.nix | 64 +++++++++++++++++++++++++++++++++++++++
 lass/3modules/default.nix | 1 +
 2 files changed, 65 insertions(+)
 create mode 100644 lass/3modules/acl.nix

diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..b87ca2e08
--- /dev/null
+++ b/lass/3modules/acl.nix
@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }: let
+ generateACLs = attrs:
+ lib.mapAttrsToList (path: rules: pkgs.writeDash "acl-${builtins.baseNameOf path}" ''
+ mkdir -p "${path}"
+ ${generateRules rules path}
+ '') attrs;
+
+ generateRules = rules: path:
+ lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ );
+
+ parents = dir:
+ if dir == "/" then
+ [ dir ]
+ else
+ [ dir ] ++ parents (builtins.dirOf dir)
+ ;
+in {
+ options.lass.acl = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ rule = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ default = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ recursive = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ parents = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ apply ACL to every parent folder
+ '';
+ };
+ };
+ })));
+ default = {};
+ };
+ config = lib.mkIf (config.lass.acl != {}) {
+ systemd.services.set_acl = {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.acl
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ ExecStart = generateACLs config.lass.acl;
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ };
+ };
+}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 570bb45be..0373bd44c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
 _: {
 imports = [
+ ./acl.nix
 ./dnsmasq.nix
 ./folderPerms.nix
 ./hosts.nix

From 088ff202cc41d516279ea8671d76c1716589df7a Mon Sep 17 00:00:00 2001
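Review bot: `${path}` and `${rule.rule}` are interpolated into the `setfacl` lines unquoted, so a path containing whitespace or glob characters is word-split by dash even though the `mkdir -p` line just above quotes it; write `setfacl -${lib.optionalString rule.recursive "R"}m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}` and quote the same way in the `default` and `parents` lines. The values come from the Nix configuration rather than untrusted input, but the unit sets no `User`, so these scripts run as root at boot and a mis-split path silently applies ACLs to the wrong object. `parents` also walks up to and including `/` (`if dir == "/" then [ dir ]`), so a `parents = true` rule edits the ACL of the root directory; either exclude `/` from the list or state in the option `description` that every ancestor up to `/` is modified.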
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 28 Jan 2022 10:13:51 +0100
Subject: [PATCH 04/13] mic92: drop ipv4 for yasmin, nardole, bill, graham, ryan

---
 krebs/3modules/external/mic92.nix | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 27a2beed6..45a139d8c 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -306,7 +306,6 @@ in {
 aliases = [ "yasmin.i" ];
 };
 nets.retiolum = {
- ip4.addr = "10.243.29.197";
 aliases = [ "yasmin.r" ];
@@ -414,7 +413,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.195";
 aliases = [ "bill.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -445,7 +443,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.173";
 aliases = [ "nardole.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -736,7 +733,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.198";
 aliases = [ "ryan.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
@@ -764,7 +760,6 @@ in {
 };
 retiolum = {
 via = internet;
- ip4.addr = "10.243.29.199";
 aliases = [ "graham.r" ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----

From 248b3459c7102b094987b8ce9c798f001faacde9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 28 Jan 2022 10:36:12 +0100
Subject: [PATCH 05/13] mic92: drop philipsaendig, drop rock ip4

---
 krebs/3modules/external/mic92.nix | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 45a139d8c..dd6f4f456 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -279,25 +279,6 @@ in {
 '';
 };
 };
- philipsaendig = {
- owner = config.krebs.users.mic92;
- nets.retiolum = {
- ip4.addr = "10.243.29.193";
- aliases = [
- "philipsaendig.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
- 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
- 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
- +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
- Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
- oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
 yasmin = {
 owner = config.krebs.users.mic92;
 nets.internet = {
@@ -467,7 +448,6 @@ in {
 owner = config.krebs.users.mic92;
 nets = {
 retiolum = {
- ip4.addr = "10.243.29.171";
 aliases = [
 "rock.r"
 ];

From 57341fa82f22806032e5411261a7bba6d0c5384f Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 29 Jan 2022 19:14:21 +0100
Subject: [PATCH 06/13] l acl: use a simple unit per path

---
 lass/3modules/acl.nix | 29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)

diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
index b87ca2e08..81eeae920 100644
--- a/lass/3modules/acl.nix
+++ b/lass/3modules/acl.nix
@@ -1,19 +1,4 @@
 { config, lib, pkgs, ... }: let
- generateACLs = attrs:
- lib.mapAttrsToList (path: rules: pkgs.writeDash "acl-${builtins.baseNameOf path}" ''
- mkdir -p "${path}"
- ${generateRules rules path}
- '') attrs;
-
- generateRules = rules: path:
- lib.concatStrings (
- lib.mapAttrsToList (_: rule: ''
- setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
- ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
- ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
- '') rules
- );
-
 parents = dir:
 if dir == "/" then
 [ dir ]
@@ -48,17 +33,23 @@ in {
 default = {};
 };
 config = lib.mkIf (config.lass.acl != {}) {
- systemd.services.set_acl = {
+ systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
 wantedBy = [ "multi-user.target" ];
 path = [
 pkgs.acl
 pkgs.coreutils
 ];
 serviceConfig = {
- ExecStart = generateACLs config.lass.acl;
+ ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ ));
 RemainAfterExit = true;
- Type = "oneshot";
+ Type = "simple";
 };
- };
+ }) config.lass.acl;
 };
 }

From fca55dd3e94fed2a9d903341f0ffa79bc42f062d Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 29 Jan 2022 19:14:53 +0100
Subject: [PATCH 07/13] tinc: restart via reload for less downtimes

---
 krebs/3modules/tinc.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 21ddde1c6..4a54d2950 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -233,6 +233,7 @@ with import ;
 cfg.iproutePackage
 cfg.tincPackage
 ];
+ reloadIfChanged = true;
 serviceConfig = {
 Restart = "always";
 LoadCredential = filter (x: x != "") [
@@ -260,7 +261,7 @@ with import ;
 "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
 "--pidfile=/var/run/tinc.${netname}.pid"
 ];
- ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
+ ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
 SyslogIdentifier = netname;
 };
 }) config.krebs.tinc;

From 510bfbc9b22416359a116f9cdbab74207372b2f5 Mon Sep 17 00:00:00 2001
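Review bot: The per-path script drops the `mkdir -p "${path}"` that the previous version ran first, so on a host where the directory does not exist yet every `setfacl` line fails with ENOENT and the unit ends up failed; unless something else is guaranteed to create the path earlier, add `mkdir -p ${lib.escapeShellArg path}` as the first line of the `writeDash` script. Switching to `Type = "simple"` also means systemd marks the unit active as soon as the script is forked, so no other unit can order itself `after` this one to wait for the ACLs to be in place, which `oneshot` with `RemainAfterExit` did guarantee. `${path}` and `${rule.rule}` are still interpolated unquoted, and with no `User` set these scripts run as root.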
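Review bot: `reloadIfChanged = true` makes NixOS reload instead of restart this unit on any change to its definition, including a new `cfg.tincPackage`, an edited `LoadCredential` list or changed ExecStart arguments; ExecReload never re-executes ExecStart, so such changes only take effect at the next real restart and the running daemon can keep an old binary or key path indefinitely. If the goal is only to avoid restarts when hosts files change, `reloadTriggers` scoped to those files (with `reloadIfChanged` left off) keeps restarts for everything else. The enclosing service definition starts outside this hunk.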
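Review bot: `tinc -n ${netname} restart` replaces the daemon from the `tinc` CLI rather than through systemd's ExecStart, so unless the CLI forwards them the new tincd is not started with the `-o PrivateKeyFile=${CREDENTIALS_DIRECTORY}/rsa_key` and `--pidfile=` arguments visible just above, and would look for the key in its default location instead of the credential-provided one. systemd will also see the unit's main PID exit during the reload, and with `Restart = "always"` it may tear down the cgroup and run ExecStart again, giving a full restart plus extra churn rather than the reduced downtime the subject aims for. It is worth verifying on one host that a reload leaves exactly one tincd running with the expected key; if it does not, keeping `ExecReload` at `tinc -n ${netname} reload` and restarting only when tinc.conf itself changes is safer. The ExecStart argument list begins outside this hunk.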
From: lassulus
Date: Sat, 29 Jan 2022 19:23:36 +0100
Subject: [PATCH 08/13] sync-containers: remove obsolete .decalartive

---
 krebs/3modules/ci.nix | 2 ++
 krebs/3modules/sync-containers.nix | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 822dbab61..5efe41786 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -166,6 +166,8 @@ let
 nick = "buildbot|${hostname}",
 notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
 channels = [{"channel": "#xxx"}],
+ showBlameList = True,
+ authz={'force': True},
 )
 ''];
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index e47f9a3a7..e2caa0834 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -97,7 +97,7 @@ in {
 ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
 '';
- services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+ services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
 devices = ctr.peers;
 ignorePerms = false;
 })) cfg.containers);

From 9597300c4dc47c32fb2a8ec86e8e91657b78cc07 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 29 Jan 2022 20:50:32 +0100
Subject: [PATCH 09/13] types.tinc.extraConfig: str -> lines

---
 lib/types.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/types.nix b/lib/types.nix
index 318e2f237..f312b734b 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -7,7 +7,7 @@ let
 mkOptionType optional optionalAttrs optionals range splitString stringLength substring test testString typeOf;
 inherit (lib.types)
- attrsOf bool either enum int listOf nullOr path str submodule;
+ attrsOf bool either enum int lines listOf nullOr path str submodule;
 in rec {
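Review bot: `authz={'force': True}` lets any nick in the IRC channel force builds through the bot with no authentication, and `showBlameList = True` posts the blame list (committer identities) to the channel on failures; neither is mentioned in the subject, which only talks about sync-containers. If the channel is joinable by outsiders this is a cheap way to burn CI capacity or trigger rebuilds of chosen revisions, so restrict the command to named operators, e.g. `authz={'force': ['<nick>', '<nick>']}`, and carry the change in its own commit so the intent is recorded. The IRC reporter definition starts outside this hunk.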
@@ -211,7 +211,7 @@ rec {
 extraConfig = mkOption {
 description = "Extra Configuration to be appended to the hosts file";
 default = "";
- type = str;
+ type = lines;
 };
 port = mkOption {
 type = int;

From 7ec575267cb7d8e7f6636911ececddccac062ab6 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 29 Jan 2022 23:45:55 +0100
Subject: [PATCH 10/13] tinc.extraConfig: str -> lines

---
 krebs/3modules/tinc.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 4a54d2950..31371af59 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -48,7 +48,7 @@ with import ;
 };
 extraConfig = mkOption {
- type = types.str;
+ type = types.lines;
 default = "";
 description = ''
 Extra Configuration to be appended to tinc.conf

From 100b6fc2438db6ca2c7abe0ad525be3b1dd64895 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 30 Jan 2022 10:47:23 +0100
Subject: [PATCH 11/13] move acl module to krebs

---
 {lass => krebs}/3modules/acl.nix | 6 +++---
 krebs/3modules/default.nix | 1 +
 lass/2configs/sync/the_playlist.nix | 6 +++---
 lass/3modules/default.nix | 1 -
 4 files changed, 7 insertions(+), 7 deletions(-)
 rename {lass => krebs}/3modules/acl.nix (93%)

diff --git a/lass/3modules/acl.nix b/krebs/3modules/acl.nix
similarity index 93%
rename from lass/3modules/acl.nix
rename to krebs/3modules/acl.nix
index 81eeae920..9cdbb6cff 100644
--- a/lass/3modules/acl.nix
+++ b/krebs/3modules/acl.nix
@@ -6,7 +6,7 @@
 [ dir ] ++ parents (builtins.dirOf dir)
 ;
 in {
- options.lass.acl = lib.mkOption {
+ options.krebs.acl = lib.mkOption {
 type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
 options = {
 rule = lib.mkOption {
@@ -32,7 +32,7 @@ in {
 })));
 default = {};
 };
- config = lib.mkIf (config.lass.acl != {}) {
+ config = {
 systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
 wantedBy = [ "multi-user.target" ];
 path = [
@@ -50,6 +50,6 @@ in {
 RemainAfterExit = true;
 Type = "simple";
 };
- }) config.lass.acl;
+ }) config.krebs.acl;
 };
 }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e8f0d35e4..fc57d8188 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let
 out = {
 imports = [
+ ./acl.nix
 ./airdcpp.nix
 ./announce-activation.nix
 ./apt-cacher-ng.nix
diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix
index 5bbf790a7..d8b17d239 100644
--- a/lass/2configs/sync/the_playlist.nix
+++ b/lass/2configs/sync/the_playlist.nix
@@ -3,7 +3,7 @@
 path = "/home/lass/tmp/the_playlist";
 devices = [ "mors" "phone" "prism" ];
 };
- lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
- lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
- lass.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {};
+ krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
+ krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
+ krebs.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {};
 }
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 0373bd44c..570bb45be 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,7 +1,6 @@
 _: {
 imports = [
- ./acl.nix
 ./dnsmasq.nix
 ./folderPerms.nix
 ./hosts.nix

From af2faf380358fca09ee429690875c89eb965ea82 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 30 Jan 2022 10:52:13 +0100
Subject: [PATCH 12/13] l the_playlist: share with omo

---
 lass/2configs/sync/the_playlist.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix
index d8b17d239..c01a11cc3 100644
--- a/lass/2configs/sync/the_playlist.nix
+++ b/lass/2configs/sync/the_playlist.nix
@@ -1,7 +1,7 @@
 {
 services.syncthing.folders.the_playlist = {
 path = "/home/lass/tmp/the_playlist";
- devices = [ "mors" "phone" "prism" ];
+ devices = [ "mors" "phone" "prism" "omo" ];
 };
 krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
 krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};

From be042e3446905e2517b530403bacc63b6de49d34 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 1 Feb 2022 13:52:21 +0100
Subject: [PATCH 13/13] gum.r: set weight to over 9000

we do this so we never route via gum, which tends to eat our packets and makes it impossible to connect to other peers via gum.
---
 krebs/3modules/makefu/default.nix | 3 +++
 lass/2configs/retiolum.nix | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index b3c09db78..f87802b45 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -219,6 +219,9 @@ in {
 retiolum = {
 via = internet;
 ip4.addr = "10.243.0.213";
+ # never connect via gum (he eats your packets!)
+ tinc.weight = 9001;
+
 aliases = [
 "gum.r"
 "backup.makefu.r"
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index a305d3e18..d4d97a889 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -28,9 +28,6 @@
 '';
 };
- # never connect via gum (he eats our packets!)
- krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
-
 nixpkgs.config.packageOverrides = pkgs: {
 tinc = pkgs.tinc_pre;
 };
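Review bot: Because the weight now lives in the shared makefu host definition instead of the lass-only override removed below, every host that consumes `krebs.hosts` will emit this weight for gum in its generated tinc hosts file, not just lass's machines; the inline comment should say so, e.g. `# network-wide: make gum the most expensive edge so no host routes through it (it tends to drop forwarded packets)`. The removed override used 9000 while this sets 9001, which the subject explains, but noting that the value presumably has to stay larger than any alternative path's weight would keep the intent clear for later edits. The host definition starts outside this hunk.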