Merge remote-tracking branch 'cd/master'
This commit is contained in:
commit
df3dc3dac1
@ -138,6 +138,22 @@ let
|
||||
mkIf (privkey != null) (mkForce [privkey]);
|
||||
|
||||
services.openssh.knownHosts =
|
||||
# GitHub's IPv4 address range is 192.30.252.0/22
|
||||
# Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
|
||||
# 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
|
||||
# Because line length is limited by OPENSSH_LINE_MAX (= 8192),
|
||||
# we split each /24 into its own entry.
|
||||
listToAttrs (map
|
||||
(c: {
|
||||
name = "github${toString c}";
|
||||
value = {
|
||||
hostNames = ["github.com"] ++
|
||||
map (d: "192.30.${toString c}.${toString d}") (range 0 255);
|
||||
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
|
||||
};
|
||||
})
|
||||
(range 252 255))
|
||||
//
|
||||
mapAttrs
|
||||
(name: host: {
|
||||
hostNames =
|
||||
|
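Review bot: The `publicKey` line pins GitHub's RSA host key and the comments above it pin 192.30.252.0/22, but nothing tells a later maintainer how either value was verified, so a key rotation or a range change can only be checked by re-reading the linked help page. A comment beside `publicKey` such as `# Verify the fingerprint against GitHub's published SSH host-key fingerprints before changing this; the IPv4 range above must be re-checked from the same source` would record the provenance. Repeating `"github.com"` in every per-/24 entry declares the same key four times for the hostname; that is harmless, but a one-line comment saying it is deliberate would keep someone from "fixing" it later. The attribute set being built continues past the hunk (`hostNames =` on the last line is unfinished).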
@ -1,7 +1,7 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with builtins;
|
||||
with lib;
|
||||
with import ../4lib { inherit lib; };
|
||||
let
|
||||
cfg = config.krebs.github-hosts-sync;
|
||||
|
||||
@ -21,7 +21,7 @@ let
|
||||
default = "/var/lib/github-hosts-sync";
|
||||
};
|
||||
ssh-identity-file = mkOption {
|
||||
type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
|
||||
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
|
||||
default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
|
||||
};
|
||||
};
|
||||
@ -41,27 +41,11 @@ let
|
||||
ExecStartPre = pkgs.writeScript "github-hosts-sync-init" ''
|
||||
#! /bin/sh
|
||||
set -euf
|
||||
|
||||
ssh_identity_file_target=$(
|
||||
case ${cfg.ssh-identity-file} in
|
||||
*.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;;
|
||||
*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;;
|
||||
*)
|
||||
echo "bad identity file name: ${cfg.ssh-identity-file}" >&2
|
||||
exit 1
|
||||
esac
|
||||
)
|
||||
|
||||
mkdir -p ${cfg.dataDir}
|
||||
chown ${user.name}: ${cfg.dataDir}
|
||||
|
||||
install \
|
||||
-o ${user.name} \
|
||||
-m 0400 \
|
||||
install -m 0711 -o ${user.name} -d ${cfg.dataDir}
|
||||
install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh
|
||||
install -m 0400 -o ${user.name} \
|
||||
${cfg.ssh-identity-file} \
|
||||
"$ssh_identity_file_target"
|
||||
|
||||
ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts
|
||||
${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}
|
||||
'';
|
||||
ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync";
|
||||
};
|
||||
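Review bot: The `install` lines interpolate `cfg.ssh-identity-file` and `cfg.dataDir` into the shell script unquoted, whereas the script they replace quoted `"$ssh_identity_file_target"`; a `dataDir` containing whitespace would now be split into separate arguments before `install` sees it. Wrapping the interpolations keeps the old behaviour: `"${cfg.ssh-identity-file}" \` and `"${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}"`. The filename check that used to live in the `case` statement now happens at evaluation time through the option type, which is the better place for it, and the 0711/0700 directory modes are tighter than the previous `mkdir -p` default. The `fileExtension` helper this line relies on is defined in the following hunk of the same `let`.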
@ -77,5 +61,8 @@ let
|
||||
name = "github-hosts-sync";
|
||||
uid = 3220554646; # genid github-hosts-sync
|
||||
};
|
||||
in
|
||||
out
|
||||
|
||||
# TODO move to lib?
|
||||
fileExtension = s: last (splitString "." s);
|
||||
|
||||
in out
|
||||
|
@ -147,6 +147,13 @@ types // rec {
|
||||
merge = mergeOneOption;
|
||||
};
|
||||
|
||||
suffixed-str = suffs:
|
||||
mkOptionType {
|
||||
name = "string suffixed by ${concatStringsSep ", " suffs}";
|
||||
check = x: isString x && any (flip hasSuffix x) suffs;
|
||||
merge = mergeOneOption;
|
||||
};
|
||||
|
||||
user = submodule {
|
||||
options = {
|
||||
mail = mkOption {
|
||||
|
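Review bot: `suffixed-str` lands in the shared types set with no comment on what it accepts, and its `check` has a consequence worth stating: `isString x` rejects Nix path values, so a caller cannot pass `<secrets/...>` as a path (which string interpolation would copy into the world-readable store), only its `toString`, as the github-hosts-sync default in this commit does. A header comment such as `# String that ends in one of suffs; path values are rejected on purpose, pass toString of the path` would make that explicit for the next user of the type. The `name` already embeds the suffix list, so evaluation errors show the accepted endings.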
@ -13,7 +13,6 @@ rec {
|
||||
genid = callPackage ./genid {};
|
||||
get = callPackage ./get {};
|
||||
github-hosts-sync = callPackage ./github-hosts-sync {};
|
||||
github-known_hosts = callPackage ./github-known_hosts {};
|
||||
hashPassword = callPackage ./hashPassword {};
|
||||
jq = callPackage ./jq {};
|
||||
krebszones = callPackage ./krebszones {};
|
||||
|
@ -16,7 +16,7 @@ stdenv.mkDerivation {
|
||||
|
||||
installPhase =
|
||||
let
|
||||
ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt";
|
||||
ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
path = stdenv.lib.makeSearchPath "bin" (with pkgs; [
|
||||
coreutils
|
||||
findutils
|
||||
|
@ -1,13 +0,0 @@
|
||||
{ lib, ... }:
|
||||
|
||||
with builtins;
|
||||
with lib;
|
||||
|
||||
let
|
||||
github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub);
|
||||
in
|
||||
|
||||
toFile "github-known_hosts"
|
||||
(concatMapStrings
|
||||
(i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
|
||||
(range 0 255))
|
@ -1 +0,0 @@
|
||||
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
|
@ -14,6 +14,9 @@ in {
|
||||
../2configs/realwallpaper-server.nix
|
||||
../2configs/privoxy-retiolum.nix
|
||||
../2configs/git.nix
|
||||
../2configs/redis.nix
|
||||
../2configs/go.nix
|
||||
../2configs/ircd.nix
|
||||
{
|
||||
networking.interfaces.enp2s1.ip4 = [
|
||||
{
|
||||
@ -44,6 +47,6 @@ in {
|
||||
};
|
||||
};
|
||||
|
||||
networking.hostName = "echelon";
|
||||
networking.hostName = config.krebs.build.host.name;
|
||||
|
||||
}
|
||||
|
@ -24,6 +24,7 @@
|
||||
../2configs/bitlbee.nix
|
||||
../2configs/firefoxPatched.nix
|
||||
../2configs/realwallpaper.nix
|
||||
../2configs/skype.nix
|
||||
];
|
||||
|
||||
krebs.build = {
|
||||
|
@ -31,6 +31,7 @@ let
|
||||
};
|
||||
wai-middleware-time = {};
|
||||
web-routes-wai-custom = {};
|
||||
go = {};
|
||||
};
|
||||
|
||||
restricted-repos = mapAttrs make-restricted-repo (
|
||||
|
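--- /dev/null
+++ b/lass/2configs/go.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+../3modules/go.nix
+];
+environment.systemPackages = [
+pkgs.go
+];
+lass.go = {
+enable = true;
+};
+krebs.iptables.tables.filter.INPUT.rules = [
+{ predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; }
+];
+}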
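Review bot: The firewall rule on the `predicate` line hard-codes `--dport 1337` while the port the service actually listens on comes from the `lass.go.port` option (default `"1337"` in lass/3modules/go.nix, added in this commit); changing the option would leave the rule open on the old port and the service unreachable on the new one. Deriving the rule from the option keeps the two in step: `{ predicate = "-i retiolum -p tcp --dport ${config.lass.go.port}"; target = "ACCEPT"; }`. `config` is already a module argument on the first line, so nothing else changes.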
@ -1,12 +1,15 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-i retiolum -p tcp --dport 6667"; target = "ACCEPT"; }
|
||||
];
|
||||
config.services.charybdis = {
|
||||
enable = true;
|
||||
config = ''
|
||||
serverinfo {
|
||||
name = "ire.irc.retiolum";
|
||||
sid = "4z3";
|
||||
name = "${config.krebs.build.host.name}.irc.retiolum";
|
||||
sid = "1as";
|
||||
description = "miep!";
|
||||
network_name = "irc.retiolum";
|
||||
network_desc = "Retiolum IRC Network";
|
||||
|
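--- /dev/null
+++ b/lass/2configs/redis.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+config.services.redis = {
+enable = true;
+bind = "127.0.0.1";
+};
+}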
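Review bot: Binding Redis to `127.0.0.1` keeps it off the network, but with only `enable` and `bind` set nothing restricts which local accounts can talk to it, and this commit also adds further local users (`go`, `skype`) on the same host. If the `go` service is the only intended client, consider `requirePass` from the NixOS `services.redis` module (provided the shortener can present the password), or at least record the decision in a comment such as `# loopback only; any local user can connect, go is the only expected client`.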
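--- /dev/null
+++ b/lass/2configs/skype.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+mainUser = config.users.extraUsers.mainUser;
+
+in {
+imports = [
+../3modules/per-user.nix
+];
+
+users.extraUsers = {
+skype = {
+name = "skype";
+uid = 2259819492; #genid skype
+description = "user for running skype";
+home = "/home/skype";
+useDefaultShell = true;
+extraGroups = [ "audio" "video" ];
+createHome = true;
+};
+};
+
+lass.per-user.skype.packages = [
+pkgs.skype
+];
+
+security.sudo.extraConfig = ''
+${mainUser.name} ALL=(skype) NOPASSWD: ALL
+'';
+}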
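Review bot: `${mainUser.name} ALL=(skype) NOPASSWD: ALL` lets the main user run any command as `skype` without a password, which is broader than the stated purpose of running one program under a separate account. Narrowing the rule to the program's store path, e.g. `${mainUser.name} ALL=(skype) NOPASSWD: ${pkgs.skype}/bin/skype` (adjusting the binary name if the package installs a different one), keeps the isolation and still needs no password; if arbitrary commands as `skype` are intended, a comment saying so would help. `extraGroups = [ "audio" "video" ]` hands the isolated account the same device access as an interactive user, which is presumably needed for calls but is worth a comment next to the line.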
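--- /dev/null
+++ b/lass/3modules/go.nix
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+
+let
+cfg = config.lass.go;
+
+out = {
+options.lass.go = api;
+config = mkIf cfg.enable imp;
+};
+
+api = {
+enable = mkEnableOption "Enable go url shortener";
+port = mkOption {
+type = types.str;
+default = "1337";
+description = "on which port go should run on";
+};
+redisKeyPrefix = mkOption {
+type = types.str;
+default = "go:";
+description = "change the Redis key prefix which defaults to `go:`";
+};
+};
+
+imp = {
+users.extraUsers.go = {
+name = "go";
+uid = 42774411; #genid go
+description = "go url shortener user";
+home = "/var/lib/go";
+createHome = true;
+};
+
+systemd.services.go = {
+description = "go url shortener";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+
+path = with pkgs; [
+go
+];
+
+environment = {
+PORT = cfg.port;
+REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
+};
+
+restartIfChanged = true;
+
+serviceConfig = {
+User = "go";
+Restart = "always";
+ExecStart = "${pkgs.go}/bin/go";
+};
+};
+};
+
+in out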
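Review bot: `mkEnableOption "Enable go url shortener"` yields the description "Whether to enable Enable go url shortener.", because `mkEnableOption` adds the "Whether to enable" prefix itself; `enable = mkEnableOption "go url shortener";` reads correctly. The unit lists only `network.target` in `after`, yet the service is handed `REDIS_KEY_PREFIX`, which suggests it needs Redis at start-up, and `Restart = "always"` would turn an ordering failure into restart churn rather than a visible error; `after = [ "network.target" "redis.service" ];` is worth adding when Redis runs on the same host, as lass/2configs/redis.nix in this commit arranges. `port` is a `types.str` that reaches `PORT` unvalidated; `types.int` with `PORT = toString cfg.port;` would reject non-numeric values at evaluation time.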
@ -13,4 +13,5 @@ rec {
|
||||
ublock = callPackage ./firefoxPlugins/ublock.nix {};
|
||||
vimperator = callPackage ./firefoxPlugins/vimperator.nix {};
|
||||
};
|
||||
go = callPackage ./go/default.nix {};
|
||||
}
|
||||
|
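--- /dev/null
+++ b/lass/5pkgs/go/default.nix
@@ -0,0 +1,59 @@
+{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
+
+with lib;
+
+let
+np = nodePackages.override {
+generated = ./packages.nix;
+self = np;
+};
+
+node_env = buildEnv {
+name = "node_env";
+paths = [
+np.redis
+np."formidable"
+];
+pathsToLink = [ "/lib" ];
+ignoreCollisions = true;
+};
+
+in nodePackages.buildNodePackage {
+name = "go";
+
+src = fetchgit {
+url = "http://cgit.echelon/go/";
+rev = "05d02740e0adbb36cc461323647f0c1e7f493156";
+sha256 = "6015c9a93317375ae8099c7ab982df0aa93a59ec2b48972e253887bb6ca0004f";
+};
+
+phases = [
+"unpackPhase"
+"installPhase"
+];
+
+deps = (filter (v: nixType v == "derivation") (attrValues np));
+
+buildInputs = [
+nodejs
+nodePackages.redis
+np.formidable
+makeWrapper
+];
+
+installPhase = ''
+mkdir -p $out/bin
+
+cp index.js $out/
+cat > $out/go << EOF
+${nodejs}/bin/node $out/index.js
+EOF
+chmod +x $out/go
+
+wrapProgram $out/go \
+--prefix NODE_PATH : ${node_env}/lib/node_modules
+
+ln -s $out/go /$out/bin/go
+'';
+
+}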
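Review bot: The `cat > $out/go << EOF` heredoc writes a one-line file with no shebang and without forwarding arguments, so after `wrapProgram` the wrapped file is only executed via bash's fallback for files that are not a recognised executable format, and anything passed on the command line is dropped. Writing `#! ${stdenv.shell}` as the first line and `exec ${nodejs}/bin/node $out/index.js "$@"` as the second gives a real executable that the wrapper and systemd can launch directly. The final `ln -s $out/go /$out/bin/go` has a stray leading slash (`$out` is already absolute), producing a `//nix/store/...` target; `ln -s $out/go $out/bin/go` is what is meant. The `fetchgit` source is pulled over plain http, which is acceptable here only because `rev` and `sha256` pin the content; a comment saying so would stop someone from dropping the hash later.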
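--- /dev/null
+++ b/lass/5pkgs/go/packages.nix
@@ -0,0 +1,44 @@
+{ self, fetchurl, fetchgit ? null, lib }:
+
+{
+by-spec."formidable"."*" =
+self.by-version."formidable"."1.0.17";
+by-version."formidable"."1.0.17" = self.buildNodePackage {
+name = "formidable-1.0.17";
+version = "1.0.17";
+bin = false;
+src = fetchurl {
+url = "http://registry.npmjs.org/formidable/-/formidable-1.0.17.tgz";
+name = "formidable-1.0.17.tgz";
+sha1 = "ef5491490f9433b705faa77249c99029ae348559";
+};
+deps = {
+};
+optionalDependencies = {
+};
+peerDependencies = [];
+os = [ ];
+cpu = [ ];
+};
+"formidable" = self.by-version."formidable"."1.0.17";
+by-spec."redis"."*" =
+self.by-version."redis"."2.1.0";
+by-version."redis"."2.1.0" = self.buildNodePackage {
+name = "redis-2.1.0";
+version = "2.1.0";
+bin = false;
+src = fetchurl {
+url = "http://registry.npmjs.org/redis/-/redis-2.1.0.tgz";
+name = "redis-2.1.0.tgz";
+sha1 = "38acb208f90750250f9451219b73ff08ae907f94";
+};
+deps = {
+};
+optionalDependencies = {
+};
+peerDependencies = [];
+os = [ ];
+cpu = [ ];
+};
+"redis" = self.by-version."redis"."2.1.0";
+}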
@ -30,6 +30,7 @@ with lib;
|
||||
#../2configs/consul-server.nix
|
||||
../2configs/exim-smarthost.nix
|
||||
../2configs/git.nix
|
||||
../2configs/urlwatch.nix
|
||||
{
|
||||
imports = [ ../2configs/charybdis.nix ];
|
||||
tv.charybdis = {
|
||||
|
@ -32,7 +32,6 @@ with lib;
|
||||
../2configs/xserver.nix
|
||||
../2configs/synaptics.nix # TODO w110er if xserver is enabled
|
||||
../2configs/test.nix
|
||||
../2configs/urlwatch.nix
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
|
@ -48,6 +48,9 @@
|
||||
#http://hackage.haskell.org/package/transformers
|
||||
#http://hackage.haskell.org/package/web-routes-wai
|
||||
#http://hackage.haskell.org/package/web-page
|
||||
|
||||
# ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
|
||||
https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
|
||||
];
|
||||
};
|
||||
}
|
||||
|