{ config, lib, ... }: with config.krebs.lib; let cfg = config.krebs; out = { imports = [ ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix ./buildbot/master.nix ./buildbot/slave.nix ./build.nix ./current.nix ./exim-retiolum.nix ./exim-smarthost.nix ./fetchWallpaper.nix ./github-hosts-sync.nix ./git.nix ./go.nix ./iptables.nix ./lib.nix ./nginx.nix ./nixpkgs.nix ./per-user.nix ./Reaktor.nix ./realwallpaper.nix ./retiolum-bootstrap.nix ./retiolum.nix ./secret.nix ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix ./repo-sync.nix ]; options.krebs = api; config = lib.mkIf cfg.enable imp; }; api = { enable = mkEnableOption "krebs"; dns = { providers = mkOption { # TODO with types; tree dns.label dns.provider, so we can merge. # Currently providers can only be merged if aliases occur just once. type = with types; attrsOf unspecified; }; }; hosts = mkOption { type = with types; attrsOf host; }; users = mkOption { type = with types; attrsOf user; }; # XXX is there a better place to define search-domain? # TODO search-domains :: listOf hostname search-domain = mkOption { type = types.hostname; default = "retiolum"; }; zone-head-config = mkOption { type = with types; attrsOf str; description = '' The zone configuration head which is being used to create the zone files. The string for each key is pre-pended to the zone file. ''; # TODO: configure the default somewhere else, # maybe use krebs.dns.providers default = { # github.io -> 192.30.252.154 "krebsco.de" = '' $TTL 86400 @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) IN NS ns19.ovh.net. IN NS dns19.ovh.net. IN A 192.30.252.154 IN A 192.30.252.153 ''; }; }; }; imp = lib.mkMerge [ { krebs = import ./lass { inherit config lib; }; } { krebs = import ./makefu { inherit config lib; }; } { krebs = import ./miefda { inherit config lib; }; } { krebs = import ./mv { inherit config lib; }; } { krebs = import ./shared { inherit config lib; }; } { krebs = import ./tv { inherit config lib; }; } { krebs.dns.providers = { de.krebsco = "zones"; gg23 = "hosts"; shack = "hosts"; i = "hosts"; internet = "hosts"; r = "hosts"; retiolum = "hosts"; }; krebs.users = { krebs = { home = "/krebs"; mail = "spam@krebsco.de"; }; root = { home = "/root"; pubkey = config.krebs.build.host.ssh.pubkey; uid = 0; }; }; networking.extraHosts = concatStringsSep "\n" (flatten ( mapAttrsToList (hostname: host: mapAttrsToList (netname: net: let aliases = longs ++ shorts; providers = dns.split-by-provider net.aliases cfg.dns.providers; longs = providers.hosts; shorts = let s = ".${cfg.search-domain}"; in map (removeSuffix s) (filter (hasSuffix s) longs); in map (addr: "${addr} ${toString aliases}") net.addrs ) (filterAttrs (name: host: host.aliases != []) host.nets) ) cfg.hosts )); # Implements environment.etc."zones/" environment.etc = let stripEmptyLines = s: (concatStringsSep "\n" (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" ([cfg.zone-head-config] ++ combined-hosts); combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); in lib.mapAttrs' (name: value: nameValuePair ("zones/" + name) { text=(stripEmptyLines value); }) all-zones; krebs.exim-smarthost.internet-aliases = let format = from: to: # TODO assert is-retiolum-mail-address to; { inherit from; to = if typeOf to == "list" then concatMapStringsSep "," (getAttr "mail") to else to.mail; }; in mapAttrsToList format (with config.krebs.users; let spam-ml = [ lass makefu tv ]; in { "postmaster@krebsco.de" = spam-ml; # RFC 822 "lass@krebsco.de" = lass; "makefu@krebsco.de" = makefu; "spam@krebsco.de" = spam-ml; "tv@krebsco.de" = tv; # XXX These are no internet aliases # XXX exim-retiolum hosts should be able to relay to retiolum addresses "lass@retiolum" = lass; "makefu@retiolum" = makefu; "spam@retiolum" = spam-ml; "tv@retiolum" = tv; }); services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in mkIf (privkey != null) (mkForce [privkey]); # TODO use imports for merging services.openssh.knownHosts = (let inherit (config.krebs.build.host.ssh) pubkey; in optionalAttrs (pubkey != null) { localhost = { hostNames = ["localhost" "127.0.0.1" "::1"]; publicKey = pubkey; }; }) // # GitHub's IPv4 address range is 192.30.252.0/22 # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses) # Because line length is limited by OPENSSH_LINE_MAX (= 8192), # we split each /24 into its own entry. listToAttrs (map (c: { name = "github${toString c}"; value = { hostNames = ["github.com"] ++ map (d: "192.30.${toString c}.${toString d}") (range 0 255); publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; }; }) (range 252 255)) // mapAttrs (name: host: { hostNames = concatLists (mapAttrsToList (net-name: net: let longs = net.aliases; shorts = map (removeSuffix ".${cfg.search-domain}") (filter (hasSuffix ".${cfg.search-domain}") longs); add-port = a: if net.ssh.port != null then "[${a}]:${toString net.ssh.port}" else a; in map add-port (shorts ++ longs ++ net.addrs)) host.nets); publicKey = host.ssh.pubkey; }) (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts); } ]; in out