Merge remote-tracking branch 'ni/master'

This commit is contained in:
lassulus 2022-08-23 11:28:45 +02:00
commit d1fa957ed5
6 changed files with 243 additions and 24 deletions


@ -164,15 +164,26 @@ in {
extraZones = {
"krebsco.de" = ''
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit.ni 60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
krebsco.de. 60 IN MX 5 ni
krebsco.de. 60 IN TXT v=spf1 mx -all
tv 300 IN NS ni
'';
};
nets = {
internet = {
ip4.addr = "188.68.36.196";
ip4 = rec {
addr = "188.68.36.196";
prefix = "${addr}/32";
};
ip6 = rec {
addr = "2a03:4000:13:4c::1";
prefix = "${addr}/64";
};
aliases = [
"ni.i"
"cgit.ni.i"
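Review bot: The SPF record `krebsco.de. 60 IN TXT v=spf1 mx -all` is unquoted, and BIND-style zone parsers treat each whitespace-separated token as a separate character-string; SPF verifiers then concatenate those strings without spaces, so the published policy becomes `v=spf1mx-all`, which is syntactically invalid and yields permerror instead of rejecting forged mail. Quote the whole value as one string: `krebsco.de. 60 IN TXT "v=spf1 mx -all"`. The old/new side of this line is not marked on this rendering, so if it predates the commit the point still applies to the zone as it stands. The enclosing `extraZones`/`nets` attribute set continues outside the hunk.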


@ -1,22 +1,103 @@
with import <stockholm/lib>;
{ config, ... }: {
{ config, pkgs, ... }: {
config = {
# Implements environment.etc."zones/<zone-name>"
environment.etc = let
stripEmptyLines = s: (concatStringsSep "\n"
(remove "\n" (remove "" (splitString "\n" s)))) + "\n";
all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
([config.krebs.zone-head-config] ++ combined-hosts);
combined-hosts =
mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts;
in
environment.etc =
mapAttrs'
(name: value: {
(name: pkg: {
name = "zones/${name}";
value.text = stripEmptyLines value;
value.source = pkg;
})
all-zones;
pkgs.krebs.zones;
nixpkgs.overlays = [
# Explicit zones generated from config.krebs.hosts.*.extraZones
(self: super: let
stripEmptyLines = s: (concatStringsSep "\n"
(remove "\n" (remove "" (splitString "\n" s)))) + "\n";
all-zones = foldAttrs (sum: current: sum + "\n" + current) ""
([config.krebs.zone-head-config] ++ combined-hosts);
combined-hosts =
mapAttrsToList (name: getAttr "extraZones") config.krebs.hosts;
in {
krebs = super.krebs or {} // {
zones = super.krebs.zones or {} //
mapAttrs'
(name: value: {
name = name;
value = self.writeText "${name}.zone" (stripEmptyLines value);
})
all-zones;
};
})
# Implicit zones generated from config.krebs.hosts.*.nets.*.ip{4,6}.addr
(self: super: let
# record : { name : str, type : enum [ "A" "AAAA" ], data : str }
# toRecord : record.name -> record.type -> record.data -> record
toRecord = name: type: data:
{ inherit name type data; };
# toRecords : str -> host -> [record]
toRecords = netname: host:
let
net = host.nets.${netname};
in
optionals
(hasAttr netname host.nets)
(filter
(x: x.data != null)
(concatLists [
(map
(name: toRecord name "A" (net.ip4.addr or null))
(concatMap
(name: [ "${name}." "4.${name}." ])
(net.aliases or [])))
(map
(name: toRecord name "AAAA" (net.ip6.addr or null))
(concatMap
(name: [ "${name}." "6.${name}." ])
(net.aliases or [])))
]));
# formatRecord : record -> str
formatRecord = { name, type, data }: "${name} IN ${type} ${data}";
# writeZone : attrs -> package
writeZone =
{ name ? "${domain}.zone"
, domain ? substring 0 1 netname
, nameservers ? [ "ni" ]
, netname
, hosts ? config.krebs.hosts
}:
self.writeText name /* bindzone */ ''
$TTL 60
@ IN SOA ns admin 1 3600 600 86400 60
@ IN NS ns
${concatMapStringsSep "\n"
(name: /* bindzone */ "ns IN CNAME ${name}")
nameservers
}
${concatMapStringsSep
"\n"
formatRecord
(concatMap
(toRecords netname)
(attrValues hosts))
}
'';
in {
krebs = super.krebs or {} // {
zones = super.krebs.zones or {} // {
i = writeZone { netname = "internet"; };
r = writeZone { netname = "retiolum"; };
w = writeZone { netname = "wiregrill"; };
};
};
})
];
};
}
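Review bot: The generated zone in `writeZone` delegates `@ IN NS ns` while `ns` is emitted as a CNAME (`ns IN CNAME ${name}`), and RFC 2181 §10.3 forbids an NS target that is an alias; some resolvers and secondaries reject or mis-handle such delegations. Emitting the nameserver names directly avoids the alias, e.g. `${concatMapStringsSep "\n" (name: "@ IN NS ${name}") nameservers}` in place of the `@ IN NS ns` line and the CNAME loop, with the SOA MNAME pointing at the first entry of `nameservers` rather than `ns`. The SOA serial is also hard-coded to `1`, so every rebuild changes the zone content without a serial bump and any secondary will never notice; deriving the serial from something that changes with the content (or documenting that the zones are only ever served from a single primary) would make that explicit. A short `##`-style comment above `writeZone` stating that `domain` defaults to the first letter of `netname` (so `internet` becomes the `i` zone) would also help readers, since `substring 0 1 netname` is easy to misread.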


@ -0,0 +1,109 @@
{ pkgs }:
pkgs.write "certaids" {
"/bin/cert2json".link = pkgs.writeDash "cert2json" ''
# usage: cert2json < CERT > JSON
set -efu
${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text |
${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" ''
function abort(msg) {
print(msg) > "/dev/stderr"
exit 1
}
function toJSON(x, type, ret) {
type = typeof(x)
switch (type) {
case "array":
if (isArray(x)) return arrayToJSON(x)
if (isObject(x)) return objectToJSON(x)
abort("cannot render array to JSON", x)
case "number":
return numberToJSON(x)
case "string":
return stringToJSON(x)
case "strnum":
case "unassigned":
case "regexp":
case "untyped":
default:
abort("cannot render type: " type)
}
}
function isArray(x, i, k) {
i = 1
for (k in x) {
if (k != i++) return 0
i++
}
return 1
}
function isObject(x, k) {
for (k in x) {
if (typeof(k) != "string") return 0
}
return 1
}
function arrayToJSON(x, k, ret) {
ret = "["
for (k in x) {
ret=ret toJSON(x[k]) ","
}
sub(/,$/,"",ret)
ret=ret "]"
return ret
}
function objectToJSON(x, k,ret) {
ret = "{"
for (k in x) {
ret = ret toJSON(k) ":" toJSON(x[k]) ","
}
sub(/,$/, "", ret)
ret = ret "}"
return ret
}
function numberToJSON(x) {
return x
}
function stringToJSON(x) {
gsub(/\\/, "&&",x)
gsub(/\n/, "\\n", x)
return "\"" x "\""
}
$1 ~ /^ *(Subject|Issuer):/ {
sub(/^ */, "")
sub(/: */, ",")
key=tolower($1)
sub(/[^,]*,/, "")
# Normalize separators between relative distinguished names.
# [1]: RFC2253, 3. Parsing a String back to a Distinguished Name
# TODO support any distinguished name
gsub(/ *[;,] */, ",")
for(i = 0; i <= NF; i++) {
split($i, a, "=")
cache[key][a[1]] = a[2]
}
}
/BEGIN CERTIFICATE/,/END CERTIFICATE/{
cache["certificate"] = cache["certificate"] $0 "\n"
}
/END CERTIFICATE/{
print toJSON(cache)
delete cache
}
''}
'';
}
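Review bot: `stringToJSON` escapes only backslashes and newlines, so a certificate whose Subject or Issuer contains a double quote (or a control character) produces malformed JSON, and anything downstream parsing the output on that basis is fed attacker-influenced structure; adding `gsub(/"/, "\\\"", x)` before the return closes the quote case, and the remaining control characters should be escaped the same way. `isArray` increments `i` twice per element (`k != i++` and the following `i++`), so only zero- and one-element arrays are recognised and everything else falls through to `isObject`; dropping the standalone `i++` fixes it. The DN loop `for(i = 0; i <= NF; i++)` starts at `$0`, which splits the whole line on `=` and stores a bogus entry under the first `cn=`-style prefix; it should start at `i = 1`. Separately, `abort("cannot render array to JSON", x)` passes two arguments to a one-parameter function, which gawk treats as a fatal error rather than the intended message.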


@ -109,7 +109,6 @@ let {
};
q = {};
reaktor2 = {};
regfish = {};
stockholm = {
cgit.desc = "NixOS configuration";
};
@ -156,6 +155,7 @@ let {
painload = {};
push = {};
Reaktor = {};
regfish = {};
with-tmpdir = {};
get = {};
load-env = {};


@ -4,22 +4,19 @@ with import <stockholm/lib>;
{
services.nginx = {
enableReload = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts._http = {
virtualHosts.${toJSON ""} = {
default = true;
extraConfig = ''
return 404;
'';
};
virtualHosts.default = {
locations."= /etc/os-release".extraConfig = ''
default_type text/plain;
alias /etc/os-release;
error_page 400 =444 /;
return 444;
'';
rejectSSL = true;
};
};
tv.iptables = {
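Review bot: `virtualHosts.${toJSON ""}` is an opaque way to spell the nginx catch-all `server_name ""` and deserves a comment where it appears, e.g. `# toJSON "" evaluates to the literal "" — nginx's server_name for requests whose Host header matches no other vhost`. Without it a reader is likely to assume a typo and "fix" it, which would silently re-route unmatched hosts to another vhost. The `virtualHosts.default` block with `error_page 400 =444 /;` and `return 444;` appears alongside it; whether that block is new is not marked on this rendering, but the same one-line comment treatment (why 444 rather than a plain 404) would make the intent of the two catch-alls clear. The enclosing module continues outside the hunk (`tv.iptables = {`).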

21
tv/5pkgs/override/jc.nix Normal file

@ -0,0 +1,21 @@
self: super:
let
version = "1.21.0";
in
# Prevent downgrades.
assert self.lib.versionAtLeast version super.jc.version;
self.python3.pkgs.toPythonApplication
(self.python3.pkgs.jc.overrideAttrs
(oldAttrs: {
name = "jc-${version}";
version = version;
src = self.fetchFromGitHub {
owner = "kellyjonbrazil";
repo = "jc";
rev = "v${version}";
sha256 = "sha256-kS42WokR7ZIqIPi8LbX4tmtjn37tckea2ELbuqzTm2o";
};
}))