295 lines
9.0 KiB
Nix
295 lines
9.0 KiB
Nix
{ config, lib, ... }:
|
|
|
|
with import <stockholm/lib>;
|
|
let
|
|
cfg = config.krebs;
|
|
|
|
out = {
|
|
imports = [
|
|
./announce-activation.nix
|
|
./apt-cacher-ng.nix
|
|
./backup.nix
|
|
./bepasty-server.nix
|
|
./buildbot/master.nix
|
|
./buildbot/slave.nix
|
|
./build.nix
|
|
./ci.nix
|
|
./current.nix
|
|
./exim.nix
|
|
./exim-retiolum.nix
|
|
./exim-smarthost.nix
|
|
./fetchWallpaper.nix
|
|
./github-hosts-sync.nix
|
|
./git.nix
|
|
./go.nix
|
|
./hidden-ssh.nix
|
|
./htgen.nix
|
|
./iana-etc.nix
|
|
./iptables.nix
|
|
./kapacitor.nix
|
|
./monit.nix
|
|
./newsbot-js.nix
|
|
./nixpkgs.nix
|
|
./on-failure.nix
|
|
./os-release.nix
|
|
./per-user.nix
|
|
./power-action.nix
|
|
./Reaktor.nix
|
|
./realwallpaper.nix
|
|
./retiolum-bootstrap.nix
|
|
./rtorrent.nix
|
|
./secret.nix
|
|
./setuid.nix
|
|
./tinc.nix
|
|
./tinc_graphs.nix
|
|
./urlwatch.nix
|
|
./repo-sync.nix
|
|
./zones.nix
|
|
];
|
|
options.krebs = api;
|
|
config = lib.mkIf cfg.enable imp;
|
|
};
|
|
|
|
api = {
|
|
enable = mkEnableOption "krebs";
|
|
|
|
dns = {
|
|
providers = mkOption {
|
|
type = with types; attrsOf str;
|
|
};
|
|
};
|
|
|
|
hosts = mkOption {
|
|
type = with types; attrsOf host;
|
|
default = {};
|
|
};
|
|
|
|
users = mkOption {
|
|
type = with types; attrsOf user;
|
|
};
|
|
|
|
# XXX is there a better place to define search-domain?
|
|
# TODO search-domains :: listOf hostname
|
|
search-domain = mkOption {
|
|
type = types.hostname;
|
|
default = "r";
|
|
};
|
|
|
|
sitemap = mkOption {
|
|
default = {};
|
|
type = types.attrsOf types.sitemap.entry;
|
|
};
|
|
|
|
zone-head-config = mkOption {
|
|
type = with types; attrsOf str;
|
|
description = ''
|
|
The zone configuration head which is being used to create the
|
|
zone files. The string for each key is pre-pended to the zone file.
|
|
'';
|
|
# TODO: configure the default somewhere else,
|
|
# maybe use krebs.dns.providers
|
|
default = {
|
|
|
|
# github.io -> 192.30.252.154
|
|
"krebsco.de" = ''
|
|
$TTL 86400
|
|
@ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
|
|
IN NS ns19.ovh.net.
|
|
IN NS dns19.ovh.net.
|
|
IN A 192.30.252.154
|
|
IN A 192.30.252.153
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
imp = lib.mkMerge [
|
|
{ krebs = import ./jeschli { inherit config; }; }
|
|
{ krebs = import ./krebs { inherit config; }; }
|
|
{ krebs = import ./lass { inherit config; }; }
|
|
{ krebs = import ./makefu { inherit config; }; }
|
|
{ krebs = import ./mv { inherit config; }; }
|
|
{ krebs = import ./nin { inherit config; }; }
|
|
{ krebs = import ./tv { inherit config; }; }
|
|
{
|
|
krebs.dns.providers = {
|
|
"krebsco.de" = "zones";
|
|
gg23 = "hosts";
|
|
shack = "hosts";
|
|
i = "hosts";
|
|
r = "hosts";
|
|
};
|
|
|
|
krebs.users = {
|
|
krebs = {
|
|
home = "/krebs";
|
|
mail = "spam@krebsco.de";
|
|
};
|
|
root = {
|
|
home = "/root";
|
|
pubkey = config.krebs.build.host.ssh.pubkey;
|
|
uid = 0;
|
|
};
|
|
};
|
|
|
|
networking.extraHosts = let
|
|
domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
|
|
check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
|
|
in concatStringsSep "\n" (flatten (
|
|
mapAttrsToList (hostname: host:
|
|
mapAttrsToList (netname: net:
|
|
let
|
|
aliases = longs ++ shorts;
|
|
longs = filter check net.aliases;
|
|
shorts = let s = ".${cfg.search-domain}"; in
|
|
map (removeSuffix s) (filter (hasSuffix s) longs);
|
|
in
|
|
optionals
|
|
(aliases != [])
|
|
(map (addr: "${addr} ${toString aliases}") net.addrs)
|
|
) (filterAttrs (name: host: host.aliases != []) host.nets)
|
|
) cfg.hosts
|
|
));
|
|
|
|
# TODO dedup with networking.extraHosts
|
|
nixpkgs.config.packageOverrides = oldpkgs:
|
|
let
|
|
domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
|
|
check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
|
|
in
|
|
{
|
|
retiolum-hosts = oldpkgs.writeText "retiolum-hosts" ''
|
|
${concatStringsSep "\n" (flatten (
|
|
map (host:
|
|
let
|
|
net = host.nets.retiolum;
|
|
aliases = longs;
|
|
longs = filter check net.aliases;
|
|
in
|
|
optionals
|
|
(aliases != [])
|
|
(map (addr: "${addr} ${toString aliases}") net.addrs)
|
|
) (filter (host: hasAttr "retiolum" host.nets)
|
|
(attrValues cfg.hosts))))}
|
|
'';
|
|
};
|
|
|
|
krebs.exim-smarthost.internet-aliases = let
|
|
format = from: to: {
|
|
inherit from;
|
|
# TODO assert is-retiolum-mail-address to;
|
|
to = concatMapStringsSep "," (getAttr "mail") (toList to);
|
|
};
|
|
in mapAttrsToList format (with config.krebs.users; let
|
|
eloop-ml = spam-ml ++ [ ciko ];
|
|
spam-ml = [
|
|
lass
|
|
makefu
|
|
tv
|
|
];
|
|
ciko.mail = "ciko@slash16.net";
|
|
in {
|
|
"anmeldung@eloop.org" = eloop-ml;
|
|
"cfp@eloop.org" = eloop-ml;
|
|
"kontakt@eloop.org" = eloop-ml;
|
|
"root@eloop.org" = eloop-ml;
|
|
"eloop2016@krebsco.de" = eloop-ml;
|
|
"eloop2017@krebsco.de" = eloop-ml;
|
|
"postmaster@krebsco.de" = spam-ml; # RFC 822
|
|
"lass@krebsco.de" = lass;
|
|
"makefu@krebsco.de" = makefu;
|
|
"spam@krebsco.de" = spam-ml;
|
|
"tv@krebsco.de" = tv;
|
|
# XXX These are no internet aliases
|
|
# XXX exim-retiolum hosts should be able to relay to retiolum addresses
|
|
"lass@retiolum" = lass;
|
|
"makefu@retiolum" = makefu;
|
|
"spam@retiolum" = spam-ml;
|
|
"tv@retiolum" = tv;
|
|
"lass@r" = lass;
|
|
"makefu@r" = makefu;
|
|
"spam@r" = spam-ml;
|
|
"tv@r" = tv;
|
|
});
|
|
|
|
services.openssh.hostKeys =
|
|
let inherit (config.krebs.build.host.ssh) privkey; in
|
|
mkIf (privkey != null) (mkForce [privkey]);
|
|
|
|
# TODO use imports for merging
|
|
services.openssh.knownHosts =
|
|
(let inherit (config.krebs.build.host.ssh) pubkey; in
|
|
optionalAttrs (pubkey != null) {
|
|
localhost = {
|
|
hostNames = ["localhost" "127.0.0.1" "::1"];
|
|
publicKey = pubkey;
|
|
};
|
|
})
|
|
//
|
|
{
|
|
github = {
|
|
hostNames = [
|
|
"github.com"
|
|
# List generated with
|
|
# curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
|
|
"192.30.253.*"
|
|
"192.30.254.*"
|
|
"192.30.255.*"
|
|
"185.199.108.*"
|
|
"185.199.109.*"
|
|
"185.199.110.*"
|
|
"185.199.111.*"
|
|
"18.195.85.27"
|
|
"18.194.104.89"
|
|
"35.159.8.160"
|
|
];
|
|
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
|
|
};
|
|
}
|
|
//
|
|
mapAttrs
|
|
(name: host: {
|
|
hostNames =
|
|
concatLists
|
|
(mapAttrsToList
|
|
(net-name: net:
|
|
let
|
|
longs = net.aliases;
|
|
shorts =
|
|
map (removeSuffix ".${cfg.search-domain}")
|
|
(filter (hasSuffix ".${cfg.search-domain}")
|
|
longs);
|
|
add-port = a:
|
|
if net.ssh.port != 22
|
|
then "[${a}]:${toString net.ssh.port}"
|
|
else a;
|
|
in
|
|
map add-port (shorts ++ longs ++ net.addrs))
|
|
host.nets);
|
|
|
|
publicKey = host.ssh.pubkey;
|
|
})
|
|
(filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
|
|
|
|
programs.ssh.extraConfig = concatMapStrings
|
|
(net: ''
|
|
Host ${toString (net.aliases ++ net.addrs)}
|
|
Port ${toString net.ssh.port}
|
|
'')
|
|
(filter
|
|
(net: net.ssh.port != 22)
|
|
(concatMap (host: attrValues host.nets)
|
|
(mapAttrsToList
|
|
(_: host: recursiveUpdate host
|
|
(optionalAttrs (hasAttr config.krebs.search-domain host.nets) {
|
|
nets."" = host.nets.${config.krebs.search-domain} // {
|
|
aliases = [host.name];
|
|
addrs = [];
|
|
};
|
|
}))
|
|
config.krebs.hosts)));
|
|
}
|
|
];
|
|
|
|
in out
|