Merge remote-tracking branch 'cd/master'

This commit is contained in:
makefu 2015-10-14 00:17:15 +02:00
commit df3dc3dac1
21 changed files with 269 additions and 44 deletions


@ -138,6 +138,22 @@ let
mkIf (privkey != null) (mkForce [privkey]);
services.openssh.knownHosts =
# GitHub's IPv4 address range is 192.30.252.0/22
# Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
# 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
# Because line length is limited by OPENSSH_LINE_MAX (= 8192),
# we split each /24 into its own entry.
listToAttrs (map
(c: {
name = "github${toString c}";
value = {
hostNames = ["github.com"] ++
map (d: "192.30.${toString c}.${toString d}") (range 0 255);
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
};
})
(range 252 255))
//
mapAttrs
(name: host: {
hostNames =
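Review bot: The host key pinned in `publicKey` at L24 has no recorded provenance, so a later reader cannot tell a legitimate key rotation from a tampered entry. Add a comment above it with the key's fingerprint as published by GitHub and the date it was checked, e.g. `# fingerprint verified against GitHub's published SSH key fingerprints on 2015-10-14`. Because every generated entry also lists `github.com` itself, the IP list only matters when ssh's CheckHostIP applies; when GitHub changes its range (the urlwatch entry added elsewhere in this commit tracks that page) both `range 252 255` and the `192.30.` prefix need updating. The enclosing `let` starts before this hunk.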


@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
with builtins;
with lib;
with import ../4lib { inherit lib; };
let
cfg = config.krebs.github-hosts-sync;
@ -21,7 +21,7 @@ let
default = "/var/lib/github-hosts-sync";
};
ssh-identity-file = mkOption {
type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
};
};
@ -41,27 +41,11 @@ let
ExecStartPre = pkgs.writeScript "github-hosts-sync-init" ''
#! /bin/sh
set -euf
ssh_identity_file_target=$(
case ${cfg.ssh-identity-file} in
*.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;;
*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;;
*)
echo "bad identity file name: ${cfg.ssh-identity-file}" >&2
exit 1
esac
)
mkdir -p ${cfg.dataDir}
chown ${user.name}: ${cfg.dataDir}
install \
-o ${user.name} \
-m 0400 \
install -m 0711 -o ${user.name} -d ${cfg.dataDir}
install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh
install -m 0400 -o ${user.name} \
${cfg.ssh-identity-file} \
"$ssh_identity_file_target"
ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts
${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}
'';
ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync";
};
@ -77,5 +61,8 @@ let
name = "github-hosts-sync";
uid = 3220554646; # genid github-hosts-sync
};
in
out
# TODO move to lib?
fileExtension = s: last (splitString "." s);
in out
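Review bot: In the ExecStartPre hunk the option values are interpolated into the shell script unquoted (`install -m 0400 -o ${user.name} ${cfg.ssh-identity-file} ${cfg.dataDir}/.ssh/...`), while the new `suffixed-str` type only constrains the suffix of the path, so a value containing whitespace is word-split into several arguments before `install` sees it; quote both paths: `install -m 0400 -o ${user.name} "${cfg.ssh-identity-file}" "${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}"`. Dropping the `ln -snf ... known_hosts` line also makes the unit depend on the system-wide `services.openssh.knownHosts` entries for github.com being present on every host that enables this module, which deserves a comment next to the script, and already-deployed hosts keep a stale `.ssh/known_hosts` symlink that nothing removes. The systemd unit this script belongs to starts before the hunk.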


@ -147,6 +147,13 @@ types // rec {
merge = mergeOneOption;
};
suffixed-str = suffs:
mkOptionType {
name = "string suffixed by ${concatStringsSep ", " suffs}";
check = x: isString x && any (flip hasSuffix x) suffs;
merge = mergeOneOption;
};
user = submodule {
options = {
mail = mkOption {


@ -13,7 +13,6 @@ rec {
genid = callPackage ./genid {};
get = callPackage ./get {};
github-hosts-sync = callPackage ./github-hosts-sync {};
github-known_hosts = callPackage ./github-known_hosts {};
hashPassword = callPackage ./hashPassword {};
jq = callPackage ./jq {};
krebszones = callPackage ./krebszones {};


@ -16,7 +16,7 @@ stdenv.mkDerivation {
installPhase =
let
ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt";
ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
path = stdenv.lib.makeSearchPath "bin" (with pkgs; [
coreutils
findutils
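Review bot: The corrected `ca-bundle` path is only a string, so nothing fails at build time if the cacert layout changes again; the wrapper would then be produced pointing at a missing bundle, and whether the consumer (presumably using it for TLS verification) fails closed or skips verification depends on the tool. Add a check in installPhase such as `test -f ${ca-bundle}` so the derivation breaks loudly instead. The installPhase `let` and the package list continue outside the hunk.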


@ -1,13 +0,0 @@
{ lib, ... }:
with builtins;
with lib;
let
github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub);
in
toFile "github-known_hosts"
(concatMapStrings
(i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
(range 0 255))


@ -1 +0,0 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==


@ -14,6 +14,9 @@ in {
../2configs/realwallpaper-server.nix
../2configs/privoxy-retiolum.nix
../2configs/git.nix
../2configs/redis.nix
../2configs/go.nix
../2configs/ircd.nix
{
networking.interfaces.enp2s1.ip4 = [
{
@ -44,6 +47,6 @@ in {
};
};
networking.hostName = "echelon";
networking.hostName = config.krebs.build.host.name;
}


@ -24,6 +24,7 @@
../2configs/bitlbee.nix
../2configs/firefoxPatched.nix
../2configs/realwallpaper.nix
../2configs/skype.nix
];
krebs.build = {


@ -31,6 +31,7 @@ let
};
wai-middleware-time = {};
web-routes-wai-custom = {};
go = {};
};
restricted-repos = mapAttrs make-restricted-repo (

lass/2configs/go.nix Normal file

@ -0,0 +1,16 @@
{ config, pkgs, ... }:
{
imports = [
../3modules/go.nix
];
environment.systemPackages = [
pkgs.go
];
lass.go = {
enable = true;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; }
];
}
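Review bot: The firewall rule hardcodes `--dport 1337` while the service port is configurable through `lass.go.port` in the module this file imports (default `"1337"`), so changing the option opens nothing and leaves the new port closed. Derive the rule from the option: `{ predicate = "-i retiolum -p tcp --dport ${config.lass.go.port}"; target = "ACCEPT"; }`. Whether the listener is bound to all interfaces is not visible here, so this retiolum-only rule is presumably the only thing keeping it off other interfaces; a comment stating that would help.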


@ -1,12 +1,15 @@
{ config, pkgs, ... }:
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 6667"; target = "ACCEPT"; }
];
config.services.charybdis = {
enable = true;
config = ''
serverinfo {
name = "ire.irc.retiolum";
sid = "4z3";
name = "${config.krebs.build.host.name}.irc.retiolum";
sid = "1as";
description = "miep!";
network_name = "irc.retiolum";
network_desc = "Retiolum IRC Network";
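Review bot: `name` is now derived from `config.krebs.build.host.name` but `sid` stays a fixed `"1as"`, so two hosts importing this file would get distinct server names yet the same server ID, which the IRC server side treats as a duplicate server when they link. Either derive the SID from the host as well or add a comment such as `# sid must be unique per server on the network; change it when reusing this config`. The charybdis config block continues past the hunk.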

lass/2configs/redis.nix Normal file

@ -0,0 +1,8 @@
{ config, ... }:
{
config.services.redis = {
enable = true;
bind = "127.0.0.1";
};
}
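Review bot: Binding to `127.0.0.1` keeps Redis off the network, but the instance has no authentication, so every local user and service on the host can read and rewrite whatever is stored in it (the go shortener's `go:` keys, if that is the consumer). If the NixOS redis module in use offers it, set `requirePass` or restrict access to a unix socket with tight permissions, and record the decision in a comment, e.g. `# loopback only, no auth: any local user can access this instance`.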

lass/2configs/skype.nix Normal file

@ -0,0 +1,30 @@
{ config, pkgs, ... }:
let
mainUser = config.users.extraUsers.mainUser;
in {
imports = [
../3modules/per-user.nix
];
users.extraUsers = {
skype = {
name = "skype";
uid = 2259819492; #genid skype
description = "user for running skype";
home = "/home/skype";
useDefaultShell = true;
extraGroups = [ "audio" "video" ];
createHome = true;
};
};
lass.per-user.skype.packages = [
pkgs.skype
];
security.sudo.extraConfig = ''
${mainUser.name} ALL=(skype) NOPASSWD: ALL
'';
}
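Review bot: The sudo rule `${mainUser.name} ALL=(skype) NOPASSWD: ALL` grants the main user an unrestricted shell as the skype user, while the stated purpose is to run one program; narrowing it to `${mainUser.name} ALL=(skype) NOPASSWD: ${pkgs.skype}/bin/skype` keeps the least-privilege intent unless an interactive shell as skype is actually needed. The separate user also does not isolate skype from the main user's X session once display access is granted to it, which is worth a comment so nobody mistakes this for a sandbox.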

lass/3modules/go.nix Normal file

@ -0,0 +1,61 @@
{ config, lib, pkgs, ... }:
with builtins;
with lib;
let
cfg = config.lass.go;
out = {
options.lass.go = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "Enable go url shortener";
port = mkOption {
type = types.str;
default = "1337";
description = "on which port go should run on";
};
redisKeyPrefix = mkOption {
type = types.str;
default = "go:";
description = "change the Redis key prefix which defaults to `go:`";
};
};
imp = {
users.extraUsers.go = {
name = "go";
uid = 42774411; #genid go
description = "go url shortener user";
home = "/var/lib/go";
createHome = true;
};
systemd.services.go = {
description = "go url shortener";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
go
];
environment = {
PORT = cfg.port;
REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
};
restartIfChanged = true;
serviceConfig = {
User = "go";
Restart = "always";
ExecStart = "${pkgs.go}/bin/go";
};
};
};
in out
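Review bot: `ExecStart = "${pkgs.go}/bin/go"` and `path = with pkgs; [ go ]` rely on `pkgs.go` resolving to the shortener added in lass/5pkgs, but in nixpkgs `pkgs.go` is the Go compiler, so unless this module is evaluated with an overridden package set the unit launches the wrong program; renaming the package (e.g. `go-shortener`) or referencing it explicitly removes the ambiguity. Separately, `port` is declared as `types.str` with no validation, so any string reaches the `PORT` environment variable; a numeric type with `PORT = toString cfg.port;` would validate it, at the cost of changing the string default. Hardening directives such as `PrivateTmp`, `NoNewPrivileges` and `ProtectSystem` are also absent on what is a network-facing service.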


@ -13,4 +13,5 @@ rec {
ublock = callPackage ./firefoxPlugins/ublock.nix {};
vimperator = callPackage ./firefoxPlugins/vimperator.nix {};
};
go = callPackage ./go/default.nix {};
}

lass/5pkgs/go/default.nix Normal file

@ -0,0 +1,59 @@
{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
with lib;
let
np = nodePackages.override {
generated = ./packages.nix;
self = np;
};
node_env = buildEnv {
name = "node_env";
paths = [
np.redis
np."formidable"
];
pathsToLink = [ "/lib" ];
ignoreCollisions = true;
};
in nodePackages.buildNodePackage {
name = "go";
src = fetchgit {
url = "http://cgit.echelon/go/";
rev = "05d02740e0adbb36cc461323647f0c1e7f493156";
sha256 = "6015c9a93317375ae8099c7ab982df0aa93a59ec2b48972e253887bb6ca0004f";
};
phases = [
"unpackPhase"
"installPhase"
];
deps = (filter (v: nixType v == "derivation") (attrValues np));
buildInputs = [
nodejs
nodePackages.redis
np.formidable
makeWrapper
];
installPhase = ''
mkdir -p $out/bin
cp index.js $out/
cat > $out/go << EOF
${nodejs}/bin/node $out/index.js
EOF
chmod +x $out/go
wrapProgram $out/go \
--prefix NODE_PATH : ${node_env}/lib/node_modules
ln -s $out/go /$out/bin/go
'';
}
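Review bot: The launcher written by the heredoc (`cat > $out/go << EOF`) has no shebang, so execve() of `$out/go` fails with ENOEXEC and the program presumably only runs because the bash wrapper generated by `wrapProgram` falls back to interpreting it as a shell script; it also drops any arguments. Write `#! ${stdenv.shell}` as the first line and `exec ${nodejs}/bin/node $out/index.js "$@"` as the body. The symlink `ln -s $out/go /$out/bin/go` has a stray leading slash that yields a `//nix/store/...` path; drop it. The source is fetched from plain `http://cgit.echelon/go/`, which is acceptable only because `rev` and `sha256` pin the content.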


@ -0,0 +1,44 @@
{ self, fetchurl, fetchgit ? null, lib }:
{
by-spec."formidable"."*" =
self.by-version."formidable"."1.0.17";
by-version."formidable"."1.0.17" = self.buildNodePackage {
name = "formidable-1.0.17";
version = "1.0.17";
bin = false;
src = fetchurl {
url = "http://registry.npmjs.org/formidable/-/formidable-1.0.17.tgz";
name = "formidable-1.0.17.tgz";
sha1 = "ef5491490f9433b705faa77249c99029ae348559";
};
deps = {
};
optionalDependencies = {
};
peerDependencies = [];
os = [ ];
cpu = [ ];
};
"formidable" = self.by-version."formidable"."1.0.17";
by-spec."redis"."*" =
self.by-version."redis"."2.1.0";
by-version."redis"."2.1.0" = self.buildNodePackage {
name = "redis-2.1.0";
version = "2.1.0";
bin = false;
src = fetchurl {
url = "http://registry.npmjs.org/redis/-/redis-2.1.0.tgz";
name = "redis-2.1.0.tgz";
sha1 = "38acb208f90750250f9451219b73ff08ae907f94";
};
deps = {
};
optionalDependencies = {
};
peerDependencies = [];
os = [ ];
cpu = [ ];
};
"redis" = self.by-version."redis"."2.1.0";
}


@ -30,6 +30,7 @@ with lib;
#../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
../2configs/urlwatch.nix
{
imports = [ ../2configs/charybdis.nix ];
tv.charybdis = {


@ -32,7 +32,6 @@ with lib;
../2configs/xserver.nix
../2configs/synaptics.nix # TODO w110er if xserver is enabled
../2configs/test.nix
../2configs/urlwatch.nix
{
environment.systemPackages = with pkgs; [


@ -48,6 +48,9 @@
#http://hackage.haskell.org/package/transformers
#http://hackage.haskell.org/package/web-routes-wai
#http://hackage.haskell.org/package/web-page
# ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
];
};
}