Merge remote-tracking branch 'lass/master'

makefu 2022-02-01 13:54:09 +01:00
commit c564c4f0f4
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
10 changed files with 78 additions and 44 deletions

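--- a/krebs/3modules/acl.nix
+++ b/krebs/3modules/acl.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }: let
+parents = dir:
+if dir == "/" then
+[ dir ]
+else
+[ dir ] ++ parents (builtins.dirOf dir)
+;
+in {
+options.krebs.acl = lib.mkOption {
+type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+options = {
+rule = lib.mkOption {
+type = lib.types.str;
+default = config._module.args.name;
+};
+default = lib.mkOption {
+type = lib.types.bool;
+default = !config.parents;
+};
+recursive = lib.mkOption {
+type = lib.types.bool;
+default = !config.parents;
+};
+parents = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = ''
+apply ACL to every parent folder
+'';
+};
+};
+})));
+default = {};
+};
+config = {
+systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
+wantedBy = [ "multi-user.target" ];
+path = [
+pkgs.acl
+pkgs.coreutils
+];
+serviceConfig = {
+ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+lib.mapAttrsToList (_: rule: ''
+setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+'') rules
+));
+RemainAfterExit = true;
+Type = "simple";
+};
+}) config.krebs.acl;
+};
+}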
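Review bot: The generated dash script on lines 59–61 interpolates `rule.rule`, `path` and `folder` into command lines without quoting, although both option values are free-form strings, so a path containing whitespace or shell metacharacters is split or interpreted by the shell instead of being passed to setfacl; wrapping each in `lib.escapeShellArg`, e.g. `setfacl -${lib.optionalString rule.recursive "R"}m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}` on line 59 and the same treatment on the two lines below, removes that. `parents path` on line 61 begins with `path` itself, so the parents loop repeats the plain `setfacl -m` that line 59 already performed and also walks up to `/`; `parents (builtins.dirOf path)` would avoid the duplicate, and because `builtins.dirOf` of a relative path never reaches `"/"`, an assertion that `path` is absolute would turn the otherwise non-terminating recursion into a clear error. The `rule`, `default` and `recursive` options carry no `description`; for `rule` something like `description = "ACL entry handed to setfacl -m (e.g. u:name:rwX); defaults to the attribute name";`, and for the two booleans a sentence stating that they default to `!parents`, would document the contract.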


@ -166,6 +166,8 @@ let
nick = "buildbot|${hostname}", nick = "buildbot|${hostname}",
notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
channels = [{"channel": "#xxx"}], channels = [{"channel": "#xxx"}],
showBlameList = True,
authz={'force': True},
) )
'']; ''];
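Review bot: `authz={'force': True},` on line 78 grants the IRC reporter's `force` command to every nick in the channel, since, as I read the buildbot IRC reporter documentation, a value of `True` means "allowed for all users" while a list of nicks restricts it; on a channel anyone can join, that lets unauthenticated chat users trigger builds on the master. If forcing builds from IRC is wanted, a nick list such as `authz={'force': ['<admin-nick>']},` keeps the feature while bounding who can use it, and a comment stating the intended audience would help either way. The Nix multi-line string closed by `''` on line 80 starts outside the hunk.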


@ -6,6 +6,7 @@ let
out = { out = {
imports = [ imports = [
./acl.nix
./airdcpp.nix ./airdcpp.nix
./announce-activation.nix ./announce-activation.nix
./apt-cacher-ng.nix ./apt-cacher-ng.nix
@ -19,13 +20,13 @@ let
./current.nix ./current.nix
./dns.nix ./dns.nix
./ergo.nix ./ergo.nix
./exim.nix
./exim-retiolum.nix ./exim-retiolum.nix
./exim-smarthost.nix ./exim-smarthost.nix
./exim.nix
./fetchWallpaper.nix ./fetchWallpaper.nix
./git.nix
./github-hosts-sync.nix ./github-hosts-sync.nix
./github-known-hosts.nix ./github-known-hosts.nix
./git.nix
./go.nix ./go.nix
./hidden-ssh.nix ./hidden-ssh.nix
./hosts.nix ./hosts.nix
@ -38,11 +39,12 @@ let
./nixpkgs.nix ./nixpkgs.nix
./on-failure.nix ./on-failure.nix
./os-release.nix ./os-release.nix
./permown.nix
./per-user.nix ./per-user.nix
./permown.nix
./power-action.nix ./power-action.nix
./reaktor2.nix ./reaktor2.nix
./realwallpaper.nix ./realwallpaper.nix
./repo-sync.nix
./retiolum-bootstrap.nix ./retiolum-bootstrap.nix
./rtorrent.nix ./rtorrent.nix
./secret.nix ./secret.nix
@ -55,7 +57,6 @@ let
./tinc_graphs.nix ./tinc_graphs.nix
./upstream ./upstream
./urlwatch.nix ./urlwatch.nix
./repo-sync.nix
./xresources.nix ./xresources.nix
./zones.nix ./zones.nix
]; ];
@ -102,13 +103,13 @@ let
imp = lib.mkMerge [ imp = lib.mkMerge [
{ krebs = import ./external { inherit config; }; } { krebs = import ./external { inherit config; }; }
{ krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./jeschli { inherit config; }; } { krebs = import ./jeschli { inherit config; }; }
{ krebs = import ./krebs { inherit config; }; } { krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; } { krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; } { krebs = import ./makefu { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; }
{ krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; } { krebs = import ./tv { inherit config; }; }
{ {
krebs.dns.providers = { krebs.dns.providers = {


@ -279,25 +279,6 @@ in {
''; '';
}; };
}; };
philipsaendig = {
owner = config.krebs.users.mic92;
nets.retiolum = {
ip4.addr = "10.243.29.193";
aliases = [
"philipsaendig.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
+wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
yasmin = { yasmin = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets.internet = { nets.internet = {
@ -306,7 +287,6 @@ in {
aliases = [ "yasmin.i" ]; aliases = [ "yasmin.i" ];
}; };
nets.retiolum = { nets.retiolum = {
ip4.addr = "10.243.29.197";
aliases = [ aliases = [
"yasmin.r" "yasmin.r"
]; ];
@ -414,7 +394,6 @@ in {
}; };
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.29.195";
aliases = [ "bill.r" ]; aliases = [ "bill.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -445,7 +424,6 @@ in {
}; };
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.29.173";
aliases = [ "nardole.r" ]; aliases = [ "nardole.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -470,7 +448,6 @@ in {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets = { nets = {
retiolum = { retiolum = {
ip4.addr = "10.243.29.171";
aliases = [ aliases = [
"rock.r" "rock.r"
]; ];
@ -736,7 +713,6 @@ in {
}; };
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.29.198";
aliases = [ "ryan.r" ]; aliases = [ "ryan.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -764,7 +740,6 @@ in {
}; };
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.29.199";
aliases = [ "graham.r" ]; aliases = [ "graham.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----


@ -219,6 +219,9 @@ in {
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.0.213"; ip4.addr = "10.243.0.213";
# never connect via gum (he eats your packets!)
tinc.weight = 9001;
aliases = [ aliases = [
"gum.r" "gum.r"
"backup.makefu.r" "backup.makefu.r"
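Review bot: The value set on line 230, `tinc.weight = 9001;`, differs from the `9000` that the removed lass-side override (`krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;` in a later section of this merge) used to apply, so the merge quietly changes the effective weight; if that is intentional, the comment on line 229 should say so, otherwise one of the two numbers should be aligned. The comment could also state the mechanism rather than only the intent, e.g. `# high tinc edge weight: gum is used as a relay only when no cheaper route exists`, which I believe is how tinc's Weight influences route selection — confirm against the tinc documentation.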


@ -97,7 +97,7 @@ in {
${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || : ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
''; '';
services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
devices = ctr.peers; devices = ctr.peers;
ignorePerms = false; ignorePerms = false;
})) cfg.containers); })) cfg.containers);


@ -48,7 +48,7 @@ with import <stockholm/lib>;
}; };
extraConfig = mkOption { extraConfig = mkOption {
type = types.str; type = types.lines;
default = ""; default = "";
description = '' description = ''
Extra Configuration to be appended to tinc.conf Extra Configuration to be appended to tinc.conf
@ -233,6 +233,7 @@ with import <stockholm/lib>;
cfg.iproutePackage cfg.iproutePackage
cfg.tincPackage cfg.tincPackage
]; ];
reloadIfChanged = true;
serviceConfig = { serviceConfig = {
Restart = "always"; Restart = "always";
LoadCredential = filter (x: x != "") [ LoadCredential = filter (x: x != "") [
@ -260,7 +261,7 @@ with import <stockholm/lib>;
"-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key" "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
"--pidfile=/var/run/tinc.${netname}.pid" "--pidfile=/var/run/tinc.${netname}.pid"
]; ];
ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
SyslogIdentifier = netname; SyslogIdentifier = netname;
}; };
}) config.krebs.tinc; }) config.krebs.tinc;
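Review bot: With `reloadIfChanged = true;` on line 258 every activation that touches the unit now runs ExecReload, and line 266 turns that into `tinc -n ${netname} restart`, which has tincd restart itself and drop established tunnels, whereas the previous `reload` re-read the configuration without disconnecting; the reason a full restart is needed is not recorded and should be, e.g. `# restart rather than reload: <settings that a plain reload does not apply>` next to line 266, with the placeholder replaced by the actual case. Because the daemon restarts from inside the unit rather than through systemd, `LoadCredential` (line 261) is not re-evaluated and the re-executed tincd must still find `$CREDENTIALS_DIRECTORY`; I expect it inherits the environment, but that is worth confirming on a host. The `mapAttrs'` body these lines belong to starts outside the hunk.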


@ -28,9 +28,6 @@
''; '';
}; };
# never connect via gum (he eats our packets!)
krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre; tinc = pkgs.tinc_pre;
}; };


@ -1,9 +1,9 @@
{ {
services.syncthing.folders.the_playlist = { services.syncthing.folders.the_playlist = {
path = "/home/lass/tmp/the_playlist"; path = "/home/lass/tmp/the_playlist";
devices = [ "mors" "phone" "prism" ]; devices = [ "mors" "phone" "prism" "omo" ];
}; };
lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
lass.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {}; krebs.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {};
} }


@ -7,7 +7,7 @@ let
mkOptionType optional optionalAttrs optionals range splitString mkOptionType optional optionalAttrs optionals range splitString
stringLength substring test testString typeOf; stringLength substring test testString typeOf;
inherit (lib.types) inherit (lib.types)
attrsOf bool either enum int listOf nullOr path str submodule; attrsOf bool either enum int lines listOf nullOr path str submodule;
in in
rec { rec {
@ -211,7 +211,7 @@ rec {
extraConfig = mkOption { extraConfig = mkOption {
description = "Extra Configuration to be appended to the hosts file"; description = "Extra Configuration to be appended to the hosts file";
default = ""; default = "";
type = str; type = lines;
}; };
port = mkOption { port = mkOption {
type = int; type = int;