Merge remote-tracking branch 'ni/master'
commit
d1fa957ed5
@ -164,15 +164,26 @@ in {
|
||||
extraZones = {
|
||||
"krebsco.de" = ''
|
||||
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||
ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
|
||||
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||
cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
|
||||
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
|
||||
cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
|
||||
krebsco.de. 60 IN MX 5 ni
|
||||
krebsco.de. 60 IN TXT v=spf1 mx -all
|
||||
tv 300 IN NS ni
|
||||
'';
|
||||
};
|
||||
nets = {
|
||||
internet = {
|
||||
ip4.addr = "188.68.36.196";
|
||||
ip4 = rec {
|
||||
addr = "188.68.36.196";
|
||||
prefix = "${addr}/32";
|
||||
};
|
||||
ip6 = rec {
|
||||
addr = "2a03:4000:13:4c::1";
|
||||
prefix = "${addr}/64";
|
||||
};
|
||||
aliases = [
|
||||
"ni.i"
|
||||
"cgit.ni.i"
|
||||
|
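Review bot: The SPF record `krebsco.de. 60 IN TXT v=spf1 mx -all` is unquoted, so a BIND-style zone parser reads the RDATA as three separate character-strings, and RFC 7208 §3.3 has receivers concatenate those without spaces into `v=spf1mx-all`, which is not recognised as an SPF record and silently drops the intended `-all` policy. Quote the data as one string: `krebsco.de. 60 IN TXT "v=spf1 mx -all"`. Whether this line is newly added or context cannot be told from this rendering, and the enclosing host definition starts and ends outside the hunk; the zone text is only concatenated by the krebs zone module, so nothing downstream corrects it.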
@ -1,22 +1,103 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, ... }: {
|
||||
{ config, pkgs, ... }: {
|
||||
|
||||
config = {
|
||||
# Implements environment.etc."zones/<zone-name>"
|
||||
environment.etc = let
|
||||
stripEmptyLines = s: (concatStringsSep "\n"
|
||||
(remove "\n" (remove "" (splitString "\n" s)))) + "\n";
|
||||
all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
|
||||
([config.krebs.zone-head-config] ++ combined-hosts);
|
||||
combined-hosts =
|
||||
mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts;
|
||||
in
|
||||
environment.etc =
|
||||
mapAttrs'
|
||||
(name: value: {
|
||||
(name: pkg: {
|
||||
name = "zones/${name}";
|
||||
value.text = stripEmptyLines value;
|
||||
value.source = pkg;
|
||||
})
|
||||
all-zones;
|
||||
pkgs.krebs.zones;
|
||||
|
||||
nixpkgs.overlays = [
|
||||
# Explicit zones generated from config.krebs.hosts.*.extraZones
|
||||
(self: super: let
|
||||
stripEmptyLines = s: (concatStringsSep "\n"
|
||||
(remove "\n" (remove "" (splitString "\n" s)))) + "\n";
|
||||
all-zones = foldAttrs (sum: current: sum + "\n" + current) ""
|
||||
([config.krebs.zone-head-config] ++ combined-hosts);
|
||||
combined-hosts =
|
||||
mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts;
|
||||
in {
|
||||
krebs = super.krebs or {} // {
|
||||
zones = super.krebs.zones or {} //
|
||||
mapAttrs'
|
||||
(name: value: {
|
||||
name = name;
|
||||
value = self.writeText "${name}.zone" (stripEmptyLines value);
|
||||
})
|
||||
all-zones;
|
||||
};
|
||||
})
|
||||
|
||||
# Implicit zones generated from config.krebs.hosts.*.nets.*.ip{4,6}.addr
|
||||
(self: super: let
|
||||
# record : { name : str, type : enum [ "A" "AAAA" ], data : str }
|
||||
|
||||
# toRecord : record.name -> record.type -> record.data -> record
|
||||
toRecord = name: type: data:
|
||||
{ inherit name type data; };
|
||||
|
||||
# toRecords : str -> host -> [record]
|
||||
toRecords = netname: host:
|
||||
let
|
||||
net = host.nets.${netname};
|
||||
in
|
||||
optionals
|
||||
(hasAttr netname host.nets)
|
||||
(filter
|
||||
(x: x.data != null)
|
||||
(concatLists [
|
||||
(map
|
||||
(name: toRecord name "A" (net.ip4.addr or null))
|
||||
(concatMap
|
||||
(name: [ "${name}." "4.${name}." ])
|
||||
(net.aliases or [])))
|
||||
(map
|
||||
(name: toRecord name "AAAA" (net.ip6.addr or null))
|
||||
(concatMap
|
||||
(name: [ "${name}." "6.${name}." ])
|
||||
(net.aliases or [])))
|
||||
]));
|
||||
|
||||
# formatRecord : record -> str
|
||||
formatRecord = { name, type, data }: "${name} IN ${type} ${data}";
|
||||
|
||||
# writeZone : attrs -> package
|
||||
writeZone =
|
||||
{ name ? "${domain}.zone"
|
||||
, domain ? substring 0 1 netname
|
||||
, nameservers ? [ "ni" ]
|
||||
, netname
|
||||
, hosts ? config.krebs.hosts
|
||||
}:
|
||||
self.writeText name /* bindzone */ ''
|
||||
$TTL 60
|
||||
@ IN SOA ns admin 1 3600 600 86400 60
|
||||
@ IN NS ns
|
||||
${concatMapStringsSep "\n"
|
||||
(name: /* bindzone */ "ns IN CNAME ${name}")
|
||||
nameservers
|
||||
}
|
||||
${concatMapStringsSep
|
||||
"\n"
|
||||
formatRecord
|
||||
(concatMap
|
||||
(toRecords netname)
|
||||
(attrValues hosts))
|
||||
}
|
||||
'';
|
||||
in {
|
||||
krebs = super.krebs or {} // {
|
||||
zones = super.krebs.zones or {} // {
|
||||
i = writeZone { netname = "internet"; };
|
||||
r = writeZone { netname = "retiolum"; };
|
||||
w = writeZone { netname = "wiregrill"; };
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
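Review bot: `writeZone` publishes `@ IN NS ns` and `@ IN SOA ns admin ...` while `ns` is only ever defined as an alias (`ns IN CNAME ${name}` per nameserver); RFC 2181 §10.3 requires the NS and SOA MNAME targets to be host names that own address records, not CNAMEs, and with more than one entry in `nameservers` the owner `ns` would carry several CNAMEs, which is itself invalid. Emit one NS per nameserver instead, `${concatMapStringsSep "\n" (name: "@ IN NS ${name}") nameservers}`, and point the SOA MNAME at the first nameserver; the A/AAAA records for those names appear to be produced already by `toRecords` from the hosts' aliases. The SOA serial is a fixed `1`, so any secondary server would never notice a changed zone; making the serial a `writeZone` argument would at least let callers bump it.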
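--- a/krebs/5pkgs/simple/certaids.nix
+++ b/krebs/5pkgs/simple/certaids.nix
@@ -0,0 +1,109 @@
+{ pkgs }:
+
+pkgs.write "certaids" {
+"/bin/cert2json".link = pkgs.writeDash "cert2json" ''
+# usage: cert2json < CERT > JSON
+set -efu
+
+${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
+${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text |
+${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" ''
+function abort(msg) {
+print(msg) > "/dev/stderr"
+exit 1
+}
+
+function toJSON(x, type, ret) {
+type = typeof(x)
+switch (type) {
+case "array":
+if (isArray(x)) return arrayToJSON(x)
+if (isObject(x)) return objectToJSON(x)
+abort("cannot render array to JSON", x)
+case "number":
+return numberToJSON(x)
+case "string":
+return stringToJSON(x)
+case "strnum":
+case "unassigned":
+case "regexp":
+case "untyped":
+default:
+abort("cannot render type: " type)
+}
+}
+
+function isArray(x, i, k) {
+i = 1
+for (k in x) {
+if (k != i++) return 0
+i++
+}
+return 1
+}
+
+function isObject(x, k) {
+for (k in x) {
+if (typeof(k) != "string") return 0
+}
+return 1
+}
+
+function arrayToJSON(x, k, ret) {
+ret = "["
+for (k in x) {
+ret=ret toJSON(x[k]) ","
+}
+sub(/,$/,"",ret)
+ret=ret "]"
+return ret
+}
+
+function objectToJSON(x, k,ret) {
+ret = "{"
+for (k in x) {
+ret = ret toJSON(k) ":" toJSON(x[k]) ","
+}
+sub(/,$/, "", ret)
+ret = ret "}"
+return ret
+}
+
+function numberToJSON(x) {
+return x
+}
+
+function stringToJSON(x) {
+gsub(/\\/, "&&",x)
+gsub(/\n/, "\\n", x)
+return "\"" x "\""
+}
+
+$1 ~ /^ *(Subject|Issuer):/ {
+sub(/^ */, "")
+sub(/: */, ",")
+key=tolower($1)
+sub(/[^,]*,/, "")
+
+# Normalize separators between relative distinguished names.
+# [1]: RFC2253, 3. Parsing a String back to a Distinguished Name
+# TODO support any distinguished name
+gsub(/ *[;,] */, ",")
+
+for(i = 0; i <= NF; i++) {
+split($i, a, "=")
+cache[key][a[1]] = a[2]
+}
+}
+
+/BEGIN CERTIFICATE/,/END CERTIFICATE/{
+cache["certificate"] = cache["certificate"] $0 "\n"
+}
+
+/END CERTIFICATE/{
+print toJSON(cache)
+delete cache
+}
+''}
+'';
+}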
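Review bot: `stringToJSON` escapes only backslash and newline, but the Subject and Issuer attributes it serialises come from whatever certificate is piped in, so a `"` or a control character inside a DN value produces malformed JSON for the consumer; add `gsub(/"/, "\\\"", x)` after the backslash pass (and ideally handle `\r`, `\t` and other bytes below 0x20 too), double-checking gawk's treatment of backslashes in the replacement. The field loop `for(i = 0; i <= NF; i++)` starts at `$0`, so the whole record is split as well and lands as a bogus key in `cache[key]`; awk fields are 1..NF, so use `for (i = 1; i <= NF; i++)`. `isArray` increments `i` twice per iteration (`k != i++` and the following `i++`), which misclassifies any array with two or more elements; drop the second `i++`. Finally, `for (k in x)` has unspecified order in awk, so `arrayToJSON` can emit elements out of order unless `PROCINFO["sorted_in"]` is set, which matters if anything downstream indexes the result.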
@ -109,7 +109,6 @@ let {
|
||||
};
|
||||
q = {};
|
||||
reaktor2 = {};
|
||||
regfish = {};
|
||||
stockholm = {
|
||||
cgit.desc = "NixOS configuration";
|
||||
};
|
||||
@ -156,6 +155,7 @@ let {
|
||||
painload = {};
|
||||
push = {};
|
||||
Reaktor = {};
|
||||
regfish = {};
|
||||
with-tmpdir = {};
|
||||
get = {};
|
||||
load-env = {};
|
||||
|
@ -4,22 +4,19 @@ with import <stockholm/lib>;
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
enableReload = true;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts._http = {
|
||||
virtualHosts.${toJSON ""} = {
|
||||
default = true;
|
||||
extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
};
|
||||
|
||||
virtualHosts.default = {
|
||||
locations."= /etc/os-release".extraConfig = ''
|
||||
default_type text/plain;
|
||||
alias /etc/os-release;
|
||||
error_page 400 =444 /;
|
||||
return 444;
|
||||
'';
|
||||
rejectSSL = true;
|
||||
};
|
||||
};
|
||||
tv.iptables = {
|
||||
|
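Review bot: The attribute name in `virtualHosts.${toJSON ""} = {` is opaque: `toJSON ""` evaluates to the two-character string `""`, so the generated nginx directive is `server_name "";`, which matches requests carrying no Host header, and `default = true` makes the same block the fallback for every name no other vhost claims. A comment above the line would save the next reader the detour, e.g. `# toJSON "" yields the literal "" -> nginx 'server_name "";' (requests without Host); default = true makes it the catch-all that answers 404`. Which side of the change the `virtualHosts.default` block with `rejectSSL = true` is on cannot be recovered from this rendering, and `services.nginx` continues past the hunk.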
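--- a/tv/5pkgs/override/jc.nix
+++ b/tv/5pkgs/override/jc.nix
@@ -0,0 +1,21 @@
+self: super:
+
+let
+version = "1.21.0";
+in
+
+# Prevent downgrades.
+assert self.lib.versionAtLeast version super.jc.version;
+
+self.python3.pkgs.toPythonApplication
+(self.python3.pkgs.jc.overrideAttrs
+(oldAttrs: {
+name = "jc-${version}";
+version = version;
+src = self.fetchFromGitHub {
+owner = "kellyjonbrazil";
+repo = "jc";
+rev = "v${version}";
+sha256 = "sha256-kS42WokR7ZIqIPi8LbX4tmtjn37tckea2ELbuqzTm2o";
+};
+}))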