Merge remote-tracking branch 'cd/master'

2015-10-14 00:17:15 +02:00 · 2015-10-14 00:17:15 +02:00 · df3dc3dac1
commit df3dc3dac1
parent f73fe104d8 96f4248b65
21 changed files with 269 additions and 44 deletions
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -138,6 +138,22 @@ let
        mkIf (privkey != null) (mkForce [privkey]);

      services.openssh.knownHosts =
+        # GitHub's IPv4 address range is 192.30.252.0/22
+        # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+        # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
+        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
+        # we split each /24 into its own entry.
+        listToAttrs (map
+          (c: {
+            name = "github${toString c}";
+            value = {
+              hostNames = ["github.com"] ++
+                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
+              publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+            };
+          })
+          (range 252 255))
+        //
        mapAttrs
          (name: host: {
            hostNames =
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:

 with builtins;
-with lib;
+with import ../4lib { inherit lib; };
 let
  cfg = config.krebs.github-hosts-sync;

@ -21,7 +21,7 @@ let
      default = "/var/lib/github-hosts-sync";
    };
    ssh-identity-file = mkOption {
-      type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
+      type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
      default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
    };
  };
@ -41,27 +41,11 @@ let
        ExecStartPre = pkgs.writeScript "github-hosts-sync-init" ''
          #! /bin/sh
          set -euf
-
-          ssh_identity_file_target=$(
-            case ${cfg.ssh-identity-file} in
-              *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;;
-              *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;;
-              *)
-                echo "bad identity file name: ${cfg.ssh-identity-file}" >&2
-                exit 1
-            esac
-          )
-
-          mkdir -p ${cfg.dataDir}
-          chown ${user.name}: ${cfg.dataDir}
-
-          install \
-            -o ${user.name} \
-            -m 0400 \
+          install -m 0711 -o ${user.name} -d ${cfg.dataDir}
+          install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh
+          install -m 0400 -o ${user.name} \
            ${cfg.ssh-identity-file} \
-            "$ssh_identity_file_target"
-
-          ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts
+            ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}
        '';
        ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync";
      };
@ -77,5 +61,8 @@ let
    name = "github-hosts-sync";
    uid = 3220554646; # genid github-hosts-sync
  };
-in
-out
+
+  # TODO move to lib?
+  fileExtension = s: last (splitString "." s);
+
+in out
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@ -147,6 +147,13 @@ types // rec {
    merge = mergeOneOption;
  };

+  suffixed-str = suffs:
+    mkOptionType {
+      name = "string suffixed by ${concatStringsSep ", " suffs}";
+      check = x: isString x && any (flip hasSuffix x) suffs;
+      merge = mergeOneOption;
+    };
+
  user = submodule {
    options = {
      mail = mkOption {
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@ -13,7 +13,6 @@ rec {
  genid = callPackage ./genid {};
  get = callPackage ./get {};
  github-hosts-sync = callPackage ./github-hosts-sync {};
-  github-known_hosts = callPackage ./github-known_hosts {};
  hashPassword = callPackage ./hashPassword {};
  jq = callPackage ./jq {};
  krebszones = callPackage ./krebszones {};
--- a/krebs/5pkgs/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/github-hosts-sync/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation {

  installPhase =
    let
-      ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt";
+      ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
      path = stdenv.lib.makeSearchPath "bin" (with pkgs; [
        coreutils
        findutils
--- a/krebs/5pkgs/github-known_hosts/default.nix
+++ b/krebs/5pkgs/github-known_hosts/default.nix
@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with builtins;
-with lib;
-
-let
-  github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub);
-in
-
-toFile "github-known_hosts"
-  (concatMapStrings
-    (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
-    (range 0 255))
--- a/krebs/5pkgs/github-known_hosts/github.ssh.pub
+++ b/krebs/5pkgs/github-known_hosts/github.ssh.pub
@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@ -14,6 +14,9 @@ in {
    ../2configs/realwallpaper-server.nix
    ../2configs/privoxy-retiolum.nix
    ../2configs/git.nix
+    ../2configs/redis.nix
+    ../2configs/go.nix
+    ../2configs/ircd.nix
    {
      networking.interfaces.enp2s1.ip4 = [
        {
@ -44,6 +47,6 @@ in {
    };
  };

-  networking.hostName = "echelon";
+  networking.hostName = config.krebs.build.host.name;

 }
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@ -24,6 +24,7 @@
    ../2configs/bitlbee.nix
    ../2configs/firefoxPatched.nix
    ../2configs/realwallpaper.nix
+    ../2configs/skype.nix
  ];

  krebs.build = {
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@ -31,6 +31,7 @@ let
    };
    wai-middleware-time = {};
    web-routes-wai-custom = {};
+    go = {};
  };

  restricted-repos = mapAttrs make-restricted-repo (
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../3modules/go.nix
+  ];
+  environment.systemPackages = [
+    pkgs.go
+  ];
+  lass.go = {
+    enable = true;
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; }
+  ];
+}
--- a/lass/2configs/ircd.nix
+++ b/lass/2configs/ircd.nix
@ -1,12 +1,15 @@
 { config, pkgs, ... }:

 {
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i retiolum -p tcp --dport 6667"; target = "ACCEPT"; }
+  ];
  config.services.charybdis = {
    enable = true;
    config = ''
      serverinfo {
-        name = "ire.irc.retiolum";
-        sid = "4z3";
+        name = "${config.krebs.build.host.name}.irc.retiolum";
+        sid = "1as";
        description = "miep!";
        network_name = "irc.retiolum";
        network_desc = "Retiolum IRC Network";
--- a/lass/2configs/redis.nix
+++ b/lass/2configs/redis.nix
@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  config.services.redis = {
+    enable = true;
+    bind = "127.0.0.1";
+  };
+}
--- a/lass/2configs/skype.nix
+++ b/lass/2configs/skype.nix
@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+  mainUser = config.users.extraUsers.mainUser;
+
+in {
+  imports = [
+    ../3modules/per-user.nix
+  ];
+
+  users.extraUsers = {
+    skype = {
+      name = "skype";
+      uid = 2259819492; #genid skype
+      description = "user for running skype";
+      home = "/home/skype";
+      useDefaultShell = true;
+      extraGroups = [ "audio" "video" ];
+      createHome = true;
+    };
+  };
+
+  lass.per-user.skype.packages = [
+    pkgs.skype
+  ];
+
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(skype) NOPASSWD: ALL
+  '';
+}
--- a/lass/3modules/go.nix
+++ b/lass/3modules/go.nix
@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+
+let
+  cfg = config.lass.go;
+
+  out = {
+    options.lass.go = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "Enable go url shortener";
+    port = mkOption {
+      type = types.str;
+      default = "1337";
+      description = "on which port go should run on";
+    };
+    redisKeyPrefix = mkOption {
+      type = types.str;
+      default = "go:";
+      description = "change the Redis key prefix which defaults to `go:`";
+    };
+  };
+
+  imp = {
+    users.extraUsers.go = {
+      name = "go";
+      uid = 42774411; #genid go
+      description = "go url shortener user";
+      home = "/var/lib/go";
+      createHome = true;
+    };
+
+    systemd.services.go = {
+      description = "go url shortener";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [
+        go
+      ];
+
+      environment = {
+        PORT = cfg.port;
+        REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
+      };
+
+      restartIfChanged = true;
+
+      serviceConfig = {
+        User = "go";
+        Restart = "always";
+        ExecStart = "${pkgs.go}/bin/go";
+      };
+    };
+  };
+
+in out
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -13,4 +13,5 @@ rec {
    ublock = callPackage ./firefoxPlugins/ublock.nix {};
    vimperator = callPackage ./firefoxPlugins/vimperator.nix {};
  };
+  go = callPackage ./go/default.nix {};
 }
--- a/lass/5pkgs/go/default.nix
+++ b/lass/5pkgs/go/default.nix
@ -0,0 +1,59 @@
+{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
+
+with lib;
+
+let
+  np = nodePackages.override {
+    generated = ./packages.nix;
+    self = np;
+  };
+
+  node_env = buildEnv {
+    name = "node_env";
+    paths = [
+      np.redis
+      np."formidable"
+    ];
+    pathsToLink = [ "/lib" ];
+    ignoreCollisions = true;
+  };
+
+in nodePackages.buildNodePackage {
+  name = "go";
+
+  src = fetchgit {
+    url = "http://cgit.echelon/go/";
+    rev = "05d02740e0adbb36cc461323647f0c1e7f493156";
+    sha256 = "6015c9a93317375ae8099c7ab982df0aa93a59ec2b48972e253887bb6ca0004f";
+  };
+
+  phases = [
+    "unpackPhase"
+    "installPhase"
+  ];
+
+  deps = (filter (v: nixType v == "derivation") (attrValues np));
+
+  buildInputs = [
+    nodejs
+    nodePackages.redis
+    np.formidable
+    makeWrapper
+  ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+
+    cp index.js $out/
+    cat > $out/go << EOF
+      ${nodejs}/bin/node $out/index.js
+    EOF
+    chmod +x $out/go
+
+    wrapProgram $out/go \
+      --prefix NODE_PATH : ${node_env}/lib/node_modules
+
+     ln -s $out/go /$out/bin/go
+  '';
+
+}
--- a/lass/5pkgs/go/packages.nix
+++ b/lass/5pkgs/go/packages.nix
@ -0,0 +1,44 @@
+{ self, fetchurl, fetchgit ? null, lib }:
+
+{
+  by-spec."formidable"."*" =
+    self.by-version."formidable"."1.0.17";
+  by-version."formidable"."1.0.17" = self.buildNodePackage {
+    name = "formidable-1.0.17";
+    version = "1.0.17";
+    bin = false;
+    src = fetchurl {
+      url = "http://registry.npmjs.org/formidable/-/formidable-1.0.17.tgz";
+      name = "formidable-1.0.17.tgz";
+      sha1 = "ef5491490f9433b705faa77249c99029ae348559";
+    };
+    deps = {
+    };
+    optionalDependencies = {
+    };
+    peerDependencies = [];
+    os = [ ];
+    cpu = [ ];
+  };
+  "formidable" = self.by-version."formidable"."1.0.17";
+  by-spec."redis"."*" =
+    self.by-version."redis"."2.1.0";
+  by-version."redis"."2.1.0" = self.buildNodePackage {
+    name = "redis-2.1.0";
+    version = "2.1.0";
+    bin = false;
+    src = fetchurl {
+      url = "http://registry.npmjs.org/redis/-/redis-2.1.0.tgz";
+      name = "redis-2.1.0.tgz";
+      sha1 = "38acb208f90750250f9451219b73ff08ae907f94";
+    };
+    deps = {
+    };
+    optionalDependencies = {
+    };
+    peerDependencies = [];
+    os = [ ];
+    cpu = [ ];
+  };
+  "redis" = self.by-version."redis"."2.1.0";
+}
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@ -30,6 +30,7 @@ with lib;
    #../2configs/consul-server.nix
    ../2configs/exim-smarthost.nix
    ../2configs/git.nix
+    ../2configs/urlwatch.nix
    {
      imports = [ ../2configs/charybdis.nix ];
      tv.charybdis = {
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@ -32,7 +32,6 @@ with lib;
    ../2configs/xserver.nix
    ../2configs/synaptics.nix # TODO w110er if xserver is enabled
    ../2configs/test.nix
-    ../2configs/urlwatch.nix
    {
      environment.systemPackages = with pkgs; [

--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@ -48,6 +48,9 @@
      #http://hackage.haskell.org/package/transformers
      #http://hackage.haskell.org/package/web-routes-wai
      #http://hackage.haskell.org/package/web-page
+
+      # ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
+      https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
    ];
  };
 }
				`@ -1 +0,0 @@`
				`ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==`