lassulus 2015-07-13 13:39:49 +02:00
parent 02261729c0
commit d629bee954
19 changed files with 602 additions and 180 deletions


@ -3,7 +3,7 @@
{
imports = [
../tv/base-cac-CentOS-7-64bit.nix
../lass/retiolum-cloudkrebs.nix
./retiolum.nix
./networking.nix
../../secrets/cloudkrebs-pw.nix
../lass/sshkeys.nix
@ -18,8 +18,10 @@
nix.maxJobs = 1;
#activationScripts
#split up and move into base
#tmpfiles Unknown group 'lock' workaround:
users.extraGroups = {
lock.gid = 10001;
};
#TODO move into modules
users.extraUsers = {


@ -2,10 +2,10 @@
{
imports = [
../tv/retiolum.nix
../tv/retiolum
];
services.retiolum = {
tv.retiolum = {
enable = true;
hosts = ../../hosts;
privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv";
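Review bot: `hosts = ../../hosts;` is kept as a relative path here while the mors retiolum hunk in this same commit switches to `hosts = <retiolum-hosts>;` and uriel's new retiolum.nix keeps `../../hosts` as well, so the three copies of the same `tv.retiolum` block now disagree on where the host list is resolved from. If the `retiolum-hosts.file.url = ../../hosts` entry in the new source file is meant to be the canonical lookup, the other two should use `<retiolum-hosts>` too; otherwise the angle-bracket form silently depends on the NIX_PATH of whoever evaluates it. A one-line comment on whichever form is chosen would prevent the next host from picking the other one.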


@ -3,6 +3,7 @@
{
imports = [
./sshkeys.nix
./iptables
];
nix.useChroot = true;
@ -65,6 +66,10 @@
'';
};
security.setuidPrograms = [
"sendmail"
];
services.gitolite = {
enable = true;
dataDir = "/home/gitolite";
@ -84,27 +89,41 @@
RuntimeMaxUse=128M
'';
networking.firewall = {
lass.iptables = {
enable = true;
allowedTCPPorts = [
22
];
extraCommands = ''
iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -p icmp
#iptables -N Retiolum
iptables -A INPUT -j Retiolum -i retiolum
iptables -A Retiolum -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
iptables -A Retiolum -j REJECT
'';
extraStopCommands = "iptables -F";
tables = {
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-i lo"; target = "ACCEPT"; }
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ predicate = "-p icmp"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
];
};
};
#Networking.firewall = {
# enable = true;
# allowedTCPPorts = [
# 22
# ];
# extraCommands = ''
# iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
# iptables -A INPUT -j ACCEPT -i lo
# #http://serverfault.com/questions/84963/why-not-block-icmp
# iptables -A INPUT -j ACCEPT -p icmp
# #TODO: fix Retiolum firewall
# #iptables -N RETIOLUM
# #iptables -A INPUT -j RETIOLUM -i retiolum
# #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
# #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset
# #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable
# #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable
# #iptables -A RETIOLUM -j REJECT
# '';
#};
}
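Review bot: The ICMP allow in the new `lass.iptables` table is `-p icmp`, but the module's config.nix renders this one rule set and restores it through both `iptables-restore` and `ip6tables-restore`; `-p icmp` does not match ICMPv6 (protocol 58), so with `filter.INPUT.policy = "DROP"` neighbour discovery and router advertisements are likely dropped on the v6 side. The module has no way to express a family-specific rule yet, so the fix belongs in config.nix (separate v4/v6 rule sets) rather than an extra predicate here, but it should be tracked with a comment on this block until then. The replaced `networking.firewall` block is kept as a twenty-line comment (`#Networking.firewall = { … #};`); it is in git history, so drop it. `security.setuidPrograms = [ "sendmail" ]` gives the wrapper setuid root, and whether the MTA in use needs that rather than a setgid wrapper cannot be told from this hunk, so say which MTA it is for in a comment.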


@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
let
mainUser = config.users.extraUsers.mainUser;
in {
imports = [
./base.nix
];
@ -34,4 +36,30 @@
xlibs.fontschumachermisc
];
fonts.fonts = [
pkgs.xlibs.fontschumachermisc
];
services.xserver = {
enable = true;
windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
X11-xshape
];
windowManager.xmonad.enable = true;
windowManager.xmonad.enableContribAndExtras = true;
windowManager.default = "xmonad";
desktopManager.default = "none";
desktopManager.xterm.enable = false;
displayManager.slim.enable = true;
displayManager.auto.enable = true;
displayManager.auto.user = mainUser.name;
layout = "us,de";
xkbModel = "evdev";
xkbVariant = "altgr-intl,nodeadkeys";
xkbOptions = "grp:caps_toggle";
};
}
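Review bot: `displayManager.auto.enable = true` together with `displayManager.auto.user = mainUser.name` is unauthenticated auto-login, and by moving it from xserver-lass.nix into desktop-base.nix it now applies to every host that imports desktop-base.nix rather than being opted into per host. The hunk only relocates the setting, so no behaviour change is requested, but a comment such as `# auto-login: mainUser gets a session without a password; only for single-user machines` next to the `displayManager.auto.*` lines would keep a new host from inheriting it by accident.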


@ -0,0 +1,119 @@
{ cfg, lib, pkgs, ... }:
let
inherit (pkgs) writeScript writeText;
inherit (lib) concatMapStringsSep concatStringsSep attrNames unique fold any attrValues catAttrs filter flatten length hasAttr;
#===== new api v4
#buildTable :: iptablesAttrSet` -> str
#todo: differentiate by iptables-version
buildTables = iptv: ts:
let
declareChain = t: cn:
#TODO: find out what to do whit these count numbers
":${cn} ${t."${cn}".policy} [0:0]";
buildChain = tn: cn:
#"${concatStringsSep " " ((attrNames t."${cn}") ++ [cn])}";
#TODO: sort by precedence
#TODO: double check should be unneccessary, refactor!
if (hasAttr "rules" ts."${tn}"."${cn}") then
if (ts."${tn}"."${cn}".rules == null) then
""
else
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
++ map buildRule ts."${tn}"."${cn}".rules
)
else
""
;
buildRule = rule:
#TODO implement rule validation-test here
#
#target:
#target needs to be an existing chain (in the same table) or ACCEPT, REJECT, DROP, LOG, QUEUE, RETURN
#predicate:
#maybe use iptables-test
#TODO: howto exit with evaluation error by shellscript?
#apperantly not possible from nix because evalatution wouldn't be deterministic.
"${rule.predicate} -j ${rule.target}";
buildTable = tn:
"*${tn}\n" +
concatStringsSep "\n" ([]
++ map (declareChain ts."${tn}") (attrNames ts."${tn}")
) +
#this looks dirty, find a better way to do this (maybe optionalString)
concatStringsSep "" ([]
++ map (buildChain tn) (attrNames ts."${tn}")
) +
"\nCOMMIT";
in
concatStringsSep "\n" ([]
++ map buildTable (attrNames ts)
);
#=====
rules4 = iptables-version:
let
#TODO: find out good defaults.
tables-defaults = {
nat.PREROUTING.policy = "ACCEPT";
nat.INPUT.policy = "ACCEPT";
nat.OUTPUT.policy = "ACCEPT";
nat.POSTROUTING.policy = "ACCEPT";
filter.INPUT.policy = "ACCEPT";
filter.FORWARD.policy = "ACCEPT";
filter.OUTPUT.policy = "ACCEPT";
#if someone specifies any other rules on this chain, the default rules get lost.
#is this wanted beahiviour or a bug?
#TODO: implement abstraction of rules
filter.INPUT.rules = [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
];
};
tables = tables-defaults // cfg.tables;
in
writeText "lass-iptables-rules${toString iptables-version}" ''
${buildTables iptables-version tables}
'';
startScript = writeScript "lass-iptables_start" ''
#! /bin/sh
set -euf
iptables-restore < ${rules4 4}
ip6tables-restore < ${rules4 6}
'';
in
{
networking.firewall.enable = false;
systemd.services.lass-iptables = {
description = "lass-iptables";
wantedBy = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = with pkgs; [
iptables
];
restartIfChanged = true;
serviceConfig = {
Type = "simple";
RemainAfterExit = true;
Restart = "always";
ExecStart = "@${startScript} lass-iptables_start";
};
};
}
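Review bot: `tables = tables-defaults // cfg.tables;` is a shallow merge, so as soon as a host sets any `tables.filter.*` key (base.nix in this commit does) the entire default `filter` attrset is replaced and `filter.OUTPUT.policy` plus the default RELATED,ESTABLISHED rule are gone; the TODO comment above the defaults half-notices this. `tables = recursiveUpdate tables-defaults cfg.tables;` with `recursiveUpdate` added to the `inherit (lib) …` line keeps the per-chain defaults while still letting callers override `policy` (the default `rules` list is still replaced, which is what the abstraction TODO needs to decide). The rendered file from `rules4` is fed to both `iptables-restore` and `ip6tables-restore` in `startScript`, so any rule that only makes sense for one address family is applied to both. There is no ExecStop, so stopping the unit leaves the last ruleset loaded, unlike the `extraStopCommands = "iptables -F"` this replaces; either document that or add one. `buildRule` interpolates `rule.predicate` and `rule.target` verbatim, which the validation TODO already acknowledges, so a comment stating that rules are trusted host configuration and never user input would make the assumption explicit.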


@ -0,0 +1,11 @@
arg@{ config, lib, pkgs, ... }:
let
cfg = config.lass.iptables;
arg' = arg // { inherit cfg; };
in
{
options.lass.iptables = import ./options.nix arg';
config = lib.mkIf cfg.enable (import ./config.nix arg');
}


@ -0,0 +1,44 @@
{ lib, ... }:
let
inherit (lib) mkEnableOption mkOption types;
in
{
enable = mkEnableOption "iptables";
#tables.filter.INPUT = {
# policy = "DROP";
# rules = [
# { predicate = "-i retiolum"; target = "ACCEPT"; priority = -10; }
# ];
#};
#new api
tables = mkOption {
type = with types; attrsOf (attrsOf (submodule ({
options = {
policy = mkOption {
type = str;
default = "-";
};
rules = mkOption {
type = nullOr (listOf (submodule ({
options = {
predicate = mkOption {
type = str;
};
target = mkOption {
type = str;
};
precedence = mkOption {
type = int;
default = 0;
};
};
})));
default = null;
};
};
})));
};
}
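Review bot: `precedence` is declared here with `default = 0` but config.nix's `buildChain` never sorts by it (its own `#TODO: sort by precedence`), so the option is currently accepted and ignored; until the sort exists, state that in a `description` so callers do not rely on ordering. The `policy` default of `"-"` means "leave the chain's current policy untouched" to iptables-restore, so a host that omits `policy` keeps whatever the kernel already has rather than getting a known value, and that deserves a `description` too. None of the options carry a `description` yet; with `mkOption` that is the natural place for both notes.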


@ -20,7 +20,7 @@
#ssl_dh_params = "etc/dh.pem";
#ssld_count = 1;
#default_max_clients = 1024;
default_max_clients = 10000;
#nicklen = 30;
};
@ -40,21 +40,26 @@
sslport = 9999;
};
class "users" {
ping_time = 2 minutes;
number_per_ident = 200;
number_per_ip = 200;
number_per_ip_global = 500;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 9000;
max_number = 10000;
sendq = 400 kbytes;
};
exempt {
ip = "127.0.0.1";
};
auth {
user = "*@*";
class = "users";
};
class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 3000;
sendq = 400 kbytes;
flags = exceed_limit;
};
channel {
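Review bot: Which of the two `class "users"` blocks is the new side cannot be recovered from this page, but if the one ending in `flags = exceed_limit;` is new, check it against the ircd-hybrid grammar: in the reference configuration `exceed_limit` is an `auth` block flag, not a `class` setting, and on the class used by the catch-all `auth { user = "*@*"; class = "users"; }` it would either be rejected at load or exempt every connection from the per-IP and per-CIDR limits this hunk is tightening. The new `exempt { ip = "127.0.0.1"; }` block is the right tool for a local client; add a comment there stating the intent so the two mechanisms are not both kept "just in case".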


@ -1,21 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
../tv/retiolum.nix
];
services.retiolum = {
enable = true;
hosts = ../../hosts;
privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
connectTo = [
"fastpoke"
"gum"
"ire"
];
};
networking.firewall.allowedTCPPorts = [ 655 ];
networking.firewall.allowedUDPPorts = [ 655 ];
}


@ -56,6 +56,8 @@ in {
vnoremap < <gv
vnoremap > >gv
nmap <esc>q :buffer
"Tabwidth
set ts=2 sts=2 sw=2 et


@ -1,43 +0,0 @@
{ config, pkgs, ... }:
let
mainUser = config.users.extraUsers.mainUser;
in {
services.xserver.enable = true;
#fonts.enableFontConfig = true;
#fonts.enableFontDir = true;
fonts.fonts = [
pkgs.xlibs.fontschumachermisc
];
#services.xfs.enable = true;
#services.xserver.useXFS = "unix/:7100";
#services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
#services.xserver.display = 11;
#services.xserver.tty = 11;
# services.xserver.layout = "us";
# services.xserver.xkbOptions = "eurosign:e";
#services.xserver.multitouch.enable = true;
services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
X11-xshape
];
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.xmonad.enableContribAndExtras = true;
services.xserver.windowManager.default = "xmonad";
services.xserver.desktopManager.default = "none";
services.xserver.desktopManager.xterm.enable = false;
services.xserver.displayManager.slim.enable = true;
services.xserver.displayManager.auto.enable = true;
services.xserver.displayManager.auto.user = mainUser.name;
#services.xserver.displayManager.job.logsXsession = true;
services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
}


@ -5,8 +5,7 @@
../lass/xresources.nix
../lass/desktop-base.nix
../lass/programs.nix
../lass/retiolum-mors.nix
../lass/xserver-lass.nix
./retiolum.nix
../tv/synaptics.nix
../lass/bitcoin.nix
../lass/browsers.nix
@ -31,7 +30,7 @@
nixpkgs = {
url = "https://github.com/Lassulus/nixpkgs";
rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
};
networking.hostName = "mors";
@ -110,6 +109,7 @@
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
#activationScripts
#split up and move into base
system.activationScripts.powertopTunables = ''
@ -141,10 +141,18 @@
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
'';
system.activationScripts.trackpoint = ''
echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
'';
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
#system.activationScripts.trackpoint = ''
# echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed'
# echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity'
#'';
services.xserver = {
videoDriver = "intel";
@ -201,6 +209,9 @@
];
};
services.mongodb = {
enable = true;
};
#services.ircdHybrid = {
# enable = true;
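Review bot: `services.mongodb = { enable = true; };` turns on a database with no `bind_ip` and no authentication setting, and the same commit bumps the pinned nixpkgs rev, which is exactly the kind of change that can move a listen-address default; make it explicit with `services.mongodb.bind_ip = "127.0.0.1";` and a comment on what on this laptop needs it. The superseded trackpoint activation script is left commented out under the new `hardware.trackpoint` block; git history keeps it, so drop the comment.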


@ -1,71 +1,130 @@
{ config, lib, pkgs, ... }:
let
inherit (builtins) map readFile;
inherit (lib) concatMap listToAttrs;
# TODO lib should already include our stuff
inherit (import ../../lib { inherit lib pkgs; }) addNames git;
x-repos = [
(krebs-private "brain")
(public "painload")
(public "shitment")
(public "wai-middleware-time")
(public "web-routes-wai-custom")
(secret "pass")
(tv-lass "emse-drywall")
(tv-lass "emse-hsdb")
];
users = addNames {
tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };
lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };
makefu = { pubkey = "xxx"; };
};
repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos);
rules = concatMap ({ rules, ... }: rules) x-repos;
krebs-private = repo-name:
rec {
repo = {
name = repo-name;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
server = "ire.retiolum";
};
};
};
rules = with git; with users; [
{ user = lass;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
}
{ user = [ tv makefu uriel ];
repo = [ repo ];
perm = fetch;
}
];
};
public = repo-name:
rec {
repo = {
name = repo-name;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
server = "ire.retiolum";
};
};
public = true;
};
rules = with git; with users; [
{ user = lass;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
}
{ user = [ tv makefu uriel ];
repo = [ repo ];
perm = fetch;
}
];
};
secret = repo-name:
rec {
repo = {
name = repo-name;
hooks = {};
};
rules = with git; with users; [
{ user = lass;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
}
{ user = [ uriel ];
repo = [ repo ];
perm = fetch;
}
];
};
tv-lass = repo-name:
rec {
repo = {
name = repo-name;
hooks = {};
};
rules = with git; with users; [
{ user = lass;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
}
{ user = [ tv ];
repo = [ repo ];
perm = fetch;
}
];
};
in
{
imports = [
../tv/git
];
services.git =
let
inherit (builtins) readFile;
# TODO lib should already include our stuff
inherit (import ../../lib { inherit lib pkgs; }) addNames git;
krebs-private = name: desc:
{
inherit desc;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
server = "ire.retiolum";
};
};
}
in rec {
enable = true;
users = addNames {
tv = { pubkey = readFile <pubkeys/tv.ssh.pub>; };
lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
uriel = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
makefu = { pubkey = "xxx"; };
};
repos = addNames {
shitment = {
desc = "shitment repository";
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
server = "ire.retiolum";
};
};
public = true;
};
testing = {
desc = "testing repository";
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#repository";
server = "ire.retiolum";
};
};
public = true;
};
};
rules = with git; with users; with repos; [
{ user = lass;
repo = [ testing shitment ];
perm = push master [ non-fast-forward create delete merge ];
}
{ user = [ tv uriel makefu ];
repo = [ testing shitment ];
perm = fetch;
}
];
};
tv.git = {
enable = true;
inherit repos rules users;
};
}
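Review bot: `makefu = { pubkey = "xxx"; };` is a placeholder, yet makefu is then granted `fetch` on every krebs-private and public repo via `user = [ tv makefu uriel ];`; depending on how `tv.git` renders authorized_keys, a non-key string is either silently dropped or corrupts the file, so leave makefu out of the rule lists until a real key exists in pubkeys. The whole `let` block (x-repos, users and the four repo constructors) is duplicated verbatim in the new old/modules/uriel/git.nix later in this commit; extracting it into one shared file that both hosts import keeps the two ACLs from drifting. `krebs-private` attaches the same `irc-announce` hook as `public`, so commit subjects of repos like "brain" are posted to `#retiolum`; if that is intended for private repos, a one-line comment on the constructor would settle it.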


@ -0,0 +1,12 @@
{
lib.file.url = ../../lib;
modules.file.url = ../../modules;
nixpkgs.git = {
url = https://github.com/Lassulus/nixpkgs;
rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
cache = ../../tmp/git-cache;
};
pubkeys.file.url = ../../pubkeys;
retiolum-hosts.file.url = ../../hosts;
secrets.file.url = ../../secrets;
}


@ -35,6 +35,15 @@
extraConfig = "option hook.post-receive = irc-announce";
};
emse-drywall = {
users = {
lass = "RW+";
uriel = "R";
tv = "R";
};
extraConfig = "option hook.post-receive = irc-announce";
};
emse-hsdb = {
users = {
lass = "RW+";


@ -2,12 +2,12 @@
{
imports = [
../tv/retiolum.nix
../tv/retiolum
];
services.retiolum = {
tv.retiolum = {
enable = true;
hosts = ../../hosts;
hosts = <retiolum-hosts>;
privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv";
connectTo = [
"fastpoke"


@ -3,8 +3,7 @@
{
imports = [
../lass/desktop-base.nix
../lass/retiolum-uriel.nix
../lass/xserver-lass.nix
./retiolum.nix
../lass/browsers.nix
../lass/programs.nix
../lass/games.nix
@ -18,11 +17,12 @@
../lass/bird.nix
./repos.nix
../lass/chromium-patched.nix
./git.nix
];
nixpkgs = {
url = "https://github.com/Lassulus/nixpkgs";
rev = "45c99e522dcc4ef24cf71dbe38d94a308cb30530";
rev = "7ef800430789252dac47f0b67e75a6b9bb616397";
};
networking.hostName = "uriel";
@ -106,6 +106,10 @@
environment.systemPackages = with pkgs; [
];
#for google hangout
users.extraUsers.google.extraGroups = [ "audio" "video" ];
#users.extraGroups = {
# loot = {

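--- /dev/null
+++ b/old/modules/uriel/git.nix
+{ config, lib, pkgs, ... }:
+let
+inherit (builtins) map readFile;
+inherit (lib) concatMap listToAttrs;
+# TODO lib should already include our stuff
+inherit (import ../../lib { inherit lib pkgs; }) addNames git;
+x-repos = [
+(krebs-private "brain")
+(public "painload")
+(public "shitment")
+(public "wai-middleware-time")
+(public "web-routes-wai-custom")
+(secret "pass")
+(tv-lass "emse-drywall")
+(tv-lass "emse-hsdb")
+];
+users = addNames {
+tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; };
+lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; };
+uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; };
+makefu = { pubkey = "xxx"; };
+};
+repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos);
+rules = concatMap ({ rules, ... }: rules) x-repos;
+krebs-private = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {
+post-receive = git.irc-announce {
+nick = config.networking.hostName; # TODO make this the default
+channel = "#retiolum";
+server = "ire.retiolum";
+};
+};
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ tv makefu uriel ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+public = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {
+post-receive = git.irc-announce {
+nick = config.networking.hostName; # TODO make this the default
+channel = "#retiolum";
+server = "ire.retiolum";
+};
+};
+public = true;
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ tv makefu uriel ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+secret = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {};
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ uriel ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+tv-lass = repo-name:
+rec {
+repo = {
+name = repo-name;
+hooks = {};
+};
+rules = with git; with users; [
+{ user = lass;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+}
+{ user = [ tv ];
+repo = [ repo ];
+perm = fetch;
+}
+];
+};
+in
+{
+imports = [
+../tv/git
+];
+tv.git = {
+enable = true;
+inherit repos rules users;
+};
+}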


@ -0,0 +1,31 @@
{ config, pkgs, ... }:
{
imports = [
../tv/retiolum
../lass/iptables
];
tv.retiolum = {
enable = true;
hosts = ../../hosts;
privateKeyFile = "/etc/nixos/secrets/uriel.retiolum.rsa_key.priv";
connectTo = [
"fastpoke"
"gum"
"ire"
];
};
#networking.firewall.allowedTCPPorts = [ 655 ];
#networking.firewall.allowedUDPPorts = [ 655 ];
#lass.iptables = {
# #input-internet-accept-new-tcp = [ "tinc" ];
# #input-internet-accept-new-udp = [ "tinc" ];
# tables.retiolum = {
# interfaces = [ "retiolum" "wl0" ];
# allowed-tcp = [ "tinc" ];
# allowed-udp = [ "tinc" ];
# };
#};
}
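Review bot: The `networking.firewall.allowedTCPPorts = [ 655 ]` / `allowedUDPPorts = [ 655 ]` lines are commented out and nothing in the new `lass.iptables` tables re-opens port 655, while this file now imports `../lass/iptables` and the base.nix hunk in this commit sets `filter.INPUT.policy = "DROP"` with only tcp/22 allowed; if that table reaches uriel through its import chain, inbound tinc connections on 655 are dropped and only the outbound `connectTo` peers still work. Add the two rules to this host's `lass.iptables.tables.filter.INPUT.rules` (`{ predicate = "-p tcp --dport 655"; target = "ACCEPT"; }` and the udp counterpart) or state in a comment that uriel is meant to be outbound-only. The commented `lass.iptables` block at the bottom refers to `tables.retiolum.interfaces` and `allowed-tcp`, which the new options.nix does not define; drop it rather than leave a misleading sketch of a different API.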