summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2015-10-14 00:17:15 +0200
committermakefu <github@syntax-fehler.de>2015-10-14 00:17:15 +0200
commitdf3dc3dac1f6c1cc36dbbea506e3d610aa1b417d (patch)
tree038a837b20d267d0ba5aad837884b6a5a9087613
parentf73fe104d84b2f0d2fc3b4f0342c36735b3fb220 (diff)
parent96f4248b65ff1539eded24572ae1805b27c53d50 (diff)
Merge remote-tracking branch 'cd/master'
-rw-r--r--krebs/3modules/default.nix16
-rw-r--r--krebs/3modules/github-hosts-sync.nix35
-rw-r--r--krebs/4lib/types.nix7
-rw-r--r--krebs/5pkgs/default.nix1
-rw-r--r--krebs/5pkgs/github-hosts-sync/default.nix2
-rw-r--r--krebs/5pkgs/github-known_hosts/default.nix13
-rw-r--r--krebs/5pkgs/github-known_hosts/github.ssh.pub1
-rw-r--r--lass/1systems/echelon.nix5
-rw-r--r--lass/1systems/mors.nix1
-rw-r--r--lass/2configs/git.nix1
-rw-r--r--lass/2configs/go.nix16
-rw-r--r--lass/2configs/ircd.nix7
-rw-r--r--lass/2configs/redis.nix8
-rw-r--r--lass/2configs/skype.nix30
-rw-r--r--lass/3modules/go.nix61
-rw-r--r--lass/5pkgs/default.nix1
-rw-r--r--lass/5pkgs/go/default.nix59
-rw-r--r--lass/5pkgs/go/packages.nix44
-rw-r--r--tv/1systems/cd.nix1
-rw-r--r--tv/1systems/wu.nix1
-rw-r--r--tv/2configs/urlwatch.nix3
21 files changed, 269 insertions, 44 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index edfbde9ba..ea1894709 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -138,6 +138,22 @@ let
mkIf (privkey != null) (mkForce [privkey]);
services.openssh.knownHosts =
+ # GitHub's IPv4 address range is 192.30.252.0/22
+ # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+ # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
+ # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
+ # we split each /24 into its own entry.
+ listToAttrs (map
+ (c: {
+ name = "github${toString c}";
+ value = {
+ hostNames = ["github.com"] ++
+ map (d: "192.30.${toString c}.${toString d}") (range 0 255);
+ publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+ };
+ })
+ (range 252 255))
+ //
mapAttrs
(name: host: {
hostNames =
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index f44fe3ad8..2a1df9e03 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
with builtins;
-with lib;
+with import ../4lib { inherit lib; };
let
cfg = config.krebs.github-hosts-sync;
@@ -21,7 +21,7 @@ let
default = "/var/lib/github-hosts-sync";
};
ssh-identity-file = mkOption {
- type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
+ type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
};
};
@@ -41,27 +41,11 @@ let
ExecStartPre = pkgs.writeScript "github-hosts-sync-init" ''
#! /bin/sh
set -euf
-
- ssh_identity_file_target=$(
- case ${cfg.ssh-identity-file} in
- *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;;
- *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;;
- *)
- echo "bad identity file name: ${cfg.ssh-identity-file}" >&2
- exit 1
- esac
- )
-
- mkdir -p ${cfg.dataDir}
- chown ${user.name}: ${cfg.dataDir}
-
- install \
- -o ${user.name} \
- -m 0400 \
+ install -m 0711 -o ${user.name} -d ${cfg.dataDir}
+ install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh
+ install -m 0400 -o ${user.name} \
${cfg.ssh-identity-file} \
- "$ssh_identity_file_target"
-
- ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts
+ ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file}
'';
ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync";
};
@@ -77,5 +61,8 @@ let
name = "github-hosts-sync";
uid = 3220554646; # genid github-hosts-sync
};
-in
-out
+
+ # TODO move to lib?
+ fileExtension = s: last (splitString "." s);
+
+in out
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 039f803ef..b3d2c8b70 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -147,6 +147,13 @@ types // rec {
merge = mergeOneOption;
};
+ suffixed-str = suffs:
+ mkOptionType {
+ name = "string suffixed by ${concatStringsSep ", " suffs}";
+ check = x: isString x && any (flip hasSuffix x) suffs;
+ merge = mergeOneOption;
+ };
+
user = submodule {
options = {
mail = mkOption {
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 616992b95..c48c3dee8 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -13,7 +13,6 @@ rec {
genid = callPackage ./genid {};
get = callPackage ./get {};
github-hosts-sync = callPackage ./github-hosts-sync {};
- github-known_hosts = callPackage ./github-known_hosts {};
hashPassword = callPackage ./hashPassword {};
jq = callPackage ./jq {};
krebszones = callPackage ./krebszones {};
diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix
index d69b2b12b..b9dcfa9b8 100644
--- a/krebs/5pkgs/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/github-hosts-sync/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
installPhase =
let
- ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt";
+ ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
path = stdenv.lib.makeSearchPath "bin" (with pkgs; [
coreutils
findutils
diff --git a/krebs/5pkgs/github-known_hosts/default.nix b/krebs/5pkgs/github-known_hosts/default.nix
deleted file mode 100644
index fe5efe413..000000000
--- a/krebs/5pkgs/github-known_hosts/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ lib, ... }:
-
-with builtins;
-with lib;
-
-let
- github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub);
-in
-
-toFile "github-known_hosts"
- (concatMapStrings
- (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n")
- (range 0 255))
diff --git a/krebs/5pkgs/github-known_hosts/github.ssh.pub b/krebs/5pkgs/github-known_hosts/github.ssh.pub
deleted file mode 100644
index 90f6e2b71..000000000
--- a/krebs/5pkgs/github-known_hosts/github.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix
index b301b504a..1320e0782 100644
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@@ -14,6 +14,9 @@ in {
../2configs/realwallpaper-server.nix
../2configs/privoxy-retiolum.nix
../2configs/git.nix
+ ../2configs/redis.nix
+ ../2configs/go.nix
+ ../2configs/ircd.nix
{
networking.interfaces.enp2s1.ip4 = [
{
@@ -44,6 +47,6 @@ in {
};
};
- networking.hostName = "echelon";
+ networking.hostName = config.krebs.build.host.name;
}
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 5cc03501f..c0c33828b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -24,6 +24,7 @@
../2configs/bitlbee.nix
../2configs/firefoxPatched.nix
../2configs/realwallpaper.nix
+ ../2configs/skype.nix
];
krebs.build = {
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 595936da5..d63705ab6 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -31,6 +31,7 @@ let
};
wai-middleware-time = {};
web-routes-wai-custom = {};
+ go = {};
};
restricted-repos = mapAttrs make-restricted-repo (
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
new file mode 100644
index 000000000..30d3e6ae5
--- /dev/null
+++ b/lass/2configs/go.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../3modules/go.nix
+ ];
+ environment.systemPackages = [
+ pkgs.go
+ ];
+ lass.go = {
+ enable = true;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix
index f71b769fd..de96ad9d6 100644
--- a/lass/2configs/ircd.nix
+++ b/lass/2configs/ircd.nix
@@ -1,12 +1,15 @@
{ config, pkgs, ... }:
{
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 6667"; target = "ACCEPT"; }
+ ];
config.services.charybdis = {
enable = true;
config = ''
serverinfo {
- name = "ire.irc.retiolum";
- sid = "4z3";
+ name = "${config.krebs.build.host.name}.irc.retiolum";
+ sid = "1as";
description = "miep!";
network_name = "irc.retiolum";
network_desc = "Retiolum IRC Network";
diff --git a/lass/2configs/redis.nix b/lass/2configs/redis.nix
new file mode 100644
index 000000000..8dd8df5c3
--- /dev/null
+++ b/lass/2configs/redis.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+ config.services.redis = {
+ enable = true;
+ bind = "127.0.0.1";
+ };
+}
diff --git a/lass/2configs/skype.nix b/lass/2configs/skype.nix
new file mode 100644
index 000000000..7e4618a7b
--- /dev/null
+++ b/lass/2configs/skype.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+let
+ mainUser = config.users.extraUsers.mainUser;
+
+in {
+ imports = [
+ ../3modules/per-user.nix
+ ];
+
+ users.extraUsers = {
+ skype = {
+ name = "skype";
+ uid = 2259819492; #genid skype
+ description = "user for running skype";
+ home = "/home/skype";
+ useDefaultShell = true;
+ extraGroups = [ "audio" "video" ];
+ createHome = true;
+ };
+ };
+
+ lass.per-user.skype.packages = [
+ pkgs.skype
+ ];
+
+ security.sudo.extraConfig = ''
+ ${mainUser.name} ALL=(skype) NOPASSWD: ALL
+ '';
+}
diff --git a/lass/3modules/go.nix b/lass/3modules/go.nix
new file mode 100644
index 000000000..aa900f118
--- /dev/null
+++ b/lass/3modules/go.nix
@@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+
+let
+ cfg = config.lass.go;
+
+ out = {
+ options.lass.go = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "Enable go url shortener";
+ port = mkOption {
+ type = types.str;
+ default = "1337";
+ description = "on which port go should run on";
+ };
+ redisKeyPrefix = mkOption {
+ type = types.str;
+ default = "go:";
+ description = "change the Redis key prefix which defaults to `go:`";
+ };
+ };
+
+ imp = {
+ users.extraUsers.go = {
+ name = "go";
+ uid = 42774411; #genid go
+ description = "go url shortener user";
+ home = "/var/lib/go";
+ createHome = true;
+ };
+
+ systemd.services.go = {
+ description = "go url shortener";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [
+ go
+ ];
+
+ environment = {
+ PORT = cfg.port;
+ REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
+ };
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ User = "go";
+ Restart = "always";
+ ExecStart = "${pkgs.go}/bin/go";
+ };
+ };
+ };
+
+in out
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 7427cb620..e3e49e37e 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -13,4 +13,5 @@ rec {
ublock = callPackage ./firefoxPlugins/ublock.nix {};
vimperator = callPackage ./firefoxPlugins/vimperator.nix {};
};
+ go = callPackage ./go/default.nix {};
}
diff --git a/lass/5pkgs/go/default.nix b/lass/5pkgs/go/default.nix
new file mode 100644
index 000000000..3b4468d18
--- /dev/null
+++ b/lass/5pkgs/go/default.nix
@@ -0,0 +1,59 @@
+{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
+
+with lib;
+
+let
+ np = nodePackages.override {
+ generated = ./packages.nix;
+ self = np;
+ };
+
+ node_env = buildEnv {
+ name = "node_env";
+ paths = [
+ np.redis
+ np."formidable"
+ ];
+ pathsToLink = [ "/lib" ];
+ ignoreCollisions = true;
+ };
+
+in nodePackages.buildNodePackage {
+ name = "go";
+
+ src = fetchgit {
+ url = "http://cgit.echelon/go/";
+ rev = "05d02740e0adbb36cc461323647f0c1e7f493156";
+ sha256 = "6015c9a93317375ae8099c7ab982df0aa93a59ec2b48972e253887bb6ca0004f";
+ };
+
+ phases = [
+ "unpackPhase"
+ "installPhase"
+ ];
+
+ deps = (filter (v: nixType v == "derivation") (attrValues np));
+
+ buildInputs = [
+ nodejs
+ nodePackages.redis
+ np.formidable
+ makeWrapper
+ ];
+
+ installPhase = ''
+ mkdir -p $out/bin
+
+ cp index.js $out/
+ cat > $out/go << EOF
+ ${nodejs}/bin/node $out/index.js
+ EOF
+ chmod +x $out/go
+
+ wrapProgram $out/go \
+ --prefix NODE_PATH : ${node_env}/lib/node_modules
+
+ ln -s $out/go /$out/bin/go
+ '';
+
+}
diff --git a/lass/5pkgs/go/packages.nix b/lass/5pkgs/go/packages.nix
new file mode 100644
index 000000000..9acfd7658
--- /dev/null
+++ b/lass/5pkgs/go/packages.nix
@@ -0,0 +1,44 @@
+{ self, fetchurl, fetchgit ? null, lib }:
+
+{
+ by-spec."formidable"."*" =
+ self.by-version."formidable"."1.0.17";
+ by-version."formidable"."1.0.17" = self.buildNodePackage {
+ name = "formidable-1.0.17";
+ version = "1.0.17";
+ bin = false;
+ src = fetchurl {
+ url = "http://registry.npmjs.org/formidable/-/formidable-1.0.17.tgz";
+ name = "formidable-1.0.17.tgz";
+ sha1 = "ef5491490f9433b705faa77249c99029ae348559";
+ };
+ deps = {
+ };
+ optionalDependencies = {
+ };
+ peerDependencies = [];
+ os = [ ];
+ cpu = [ ];
+ };
+ "formidable" = self.by-version."formidable"."1.0.17";
+ by-spec."redis"."*" =
+ self.by-version."redis"."2.1.0";
+ by-version."redis"."2.1.0" = self.buildNodePackage {
+ name = "redis-2.1.0";
+ version = "2.1.0";
+ bin = false;
+ src = fetchurl {
+ url = "http://registry.npmjs.org/redis/-/redis-2.1.0.tgz";
+ name = "redis-2.1.0.tgz";
+ sha1 = "38acb208f90750250f9451219b73ff08ae907f94";
+ };
+ deps = {
+ };
+ optionalDependencies = {
+ };
+ peerDependencies = [];
+ os = [ ];
+ cpu = [ ];
+ };
+ "redis" = self.by-version."redis"."2.1.0";
+}
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 4f66b3592..4f196095b 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -30,6 +30,7 @@ with lib;
#../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
+ ../2configs/urlwatch.nix
{
imports = [ ../2configs/charybdis.nix ];
tv.charybdis = {
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index e54aed056..0ef846f93 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -32,7 +32,6 @@ with lib;
../2configs/xserver.nix
../2configs/synaptics.nix # TODO w110er if xserver is enabled
../2configs/test.nix
- ../2configs/urlwatch.nix
{
environment.systemPackages = with pkgs; [
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index 26e56e09c..c1c5d19d9 100644
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -48,6 +48,9 @@
#http://hackage.haskell.org/package/transformers
#http://hackage.haskell.org/package/web-routes-wai
#http://hackage.haskell.org/package/web-page
+
+ # ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
+ https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
];
};
}