diff options
Diffstat (limited to 'old/modules/tv')
31 files changed, 3167 insertions, 0 deletions
diff --git a/old/modules/tv/base-cac-CentOS-7-64bit.nix b/old/modules/tv/base-cac-CentOS-7-64bit.nix new file mode 100644 index 000000000..42ab481b3 --- /dev/null +++ b/old/modules/tv/base-cac-CentOS-7-64bit.nix @@ -0,0 +1,27 @@ +{ config, pkgs, ... }: + +{ + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/centos/root"; + fsType = "xfs"; + }; + + fileSystems."/boot" = { + device = "/dev/sda1"; + fsType = "xfs"; + }; + + swapDevices = [ + { device = "/dev/centos/swap"; } + ]; +} + diff --git a/old/modules/tv/base.nix b/old/modules/tv/base.nix new file mode 100644 index 000000000..94f3609cc --- /dev/null +++ b/old/modules/tv/base.nix @@ -0,0 +1,16 @@ +{ config, pkgs, ... }: + +{ + time.timeZone = "Europe/Berlin"; + + # TODO check if both are required: + nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + "http://cache.nixos.org" + "http://hydra.nixos.org" + ]; + + nix.useChroot = true; +} diff --git a/old/modules/tv/config/consul-client.nix b/old/modules/tv/config/consul-client.nix new file mode 100644 index 000000000..0a8bf4d75 --- /dev/null +++ b/old/modules/tv/config/consul-client.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + imports = [ ./consul-server.nix ]; + + tv.consul = { + server = pkgs.lib.mkForce false; + }; +} diff --git a/old/modules/tv/config/consul-server.nix b/old/modules/tv/config/consul-server.nix new file mode 100644 index 000000000..4cedbd349 --- /dev/null +++ b/old/modules/tv/config/consul-server.nix @@ -0,0 +1,22 @@ +{ config, ... }: + +{ + imports = [ ../../tv/consul ]; + tv.consul = rec { + enable = true; + + inherit (config.tv.identity) self; + inherit (self) dc; + + server = true; + + hosts = with config.tv.identity.hosts; [ + # TODO get this list automatically from each host where tv.consul.enable is true + cd + mkdir + nomic + rmdir + #wu + ]; + }; +} diff --git a/old/modules/tv/consul/default.nix b/old/modules/tv/consul/default.nix new file mode 100644 index 000000000..2ee6fb8c2 --- /dev/null +++ b/old/modules/tv/consul/default.nix @@ -0,0 +1,121 @@ +{ config, lib, pkgs, ... }: + +# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect +# but -bootstrap +# TODO consul-bootstrap HOST that actually does is +# TODO tools to inspect state of a cluster in outage state + +with builtins; +with lib; +let + cfg = config.tv.consul; + + out = { + imports = [ ../../tv/iptables ]; + options.tv.consul = api; + config = mkIf cfg.enable (mkMerge [ + imp + { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; } + # TODO udp for 8301 + ]); + }; + + api = { + # TODO inherit (lib) api.options.enable; oder so + enable = mkOption { + type = types.bool; + default = false; + description = "enable tv.consul"; + }; + dc = mkOption { + type = types.unspecified; + }; + hosts = mkOption { + type = with types; listOf unspecified; + }; + encrypt-file = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/etc/consul/encrypt.json"; + }; + data-dir = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/var/lib/consul"; + }; + self = mkOption { + type = types.unspecified; + }; + server = mkOption { + type = types.bool; + default = false; + }; + GOMAXPROCS = mkOption { + type = types.int; + default = cfg.self.cores; + }; + }; + + consul-config = { + datacenter = cfg.dc; + data_dir = cfg.data-dir; + log_level = "INFO"; + #node_name = + server = cfg.server; + bind_addr = cfg.self.addr; # TODO cfg.addr + enable_syslog = true; + retry_join = map (getAttr "addr") (filter (host: host.fqdn != cfg.self.fqdn) cfg.hosts); + leave_on_terminate = true; + } // optionalAttrs cfg.server { + bootstrap_expect = length cfg.hosts; + leave_on_terminate = false; + }; + + imp = { + environment.systemPackages = with pkgs; [ + consul + ]; + + systemd.services.consul = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + consul + ]; + environment = { + GOMAXPROCS = toString cfg.GOMAXPROCS; + }; + serviceConfig = { + PermissionsStartOnly = "true"; + SyslogIdentifier = "consul"; + User = user.name; + PrivateTmp = "true"; + Restart = "always"; + ExecStartPre = pkgs.writeScript "consul-init" '' + #! /bin/sh + mkdir -p ${cfg.data-dir} + chown consul: ${cfg.data-dir} + ''; + ExecStart = pkgs.writeScript "consul-service" '' + #! /bin/sh + set -euf + exec >/dev/null + exec consul agent \ + -config-file=${toFile "consul.json" (toJSON consul-config)} \ + -config-file=${cfg.encrypt-file} \ + ''; + #-node=${cfg.self.fqdn} \ + #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "consul"; + uid = 2983239726; # genid consul + }; + +in +out diff --git a/old/modules/tv/ejabberd.nix b/old/modules/tv/ejabberd.nix new file mode 100644 index 000000000..54a9aad0f --- /dev/null +++ b/old/modules/tv/ejabberd.nix @@ -0,0 +1,867 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) ejabberd writeScript writeScriptBin utillinux; + inherit (lib) makeSearchPath; + + cfg = config.services.ejabberd-cd; + + # XXX this is a placeholder that happens to work the default strings. + toErlang = builtins.toJSON; + +in + +{ + + ####### interface + + options = { + + services.ejabberd-cd = { + + enable = mkOption { + default = false; + description = "Whether to enable ejabberd server"; + }; + + certFile = mkOption { + # TODO if it's types.path then it gets copied to /nix/store with + # bad unsafe permissions... + type = types.string; + default = "/etc/ejabberd/ejabberd.pem"; + description = '' + TODO + ''; + }; + + config = mkOption { + type = types.string; + default = ""; + description = '' + TODO + ''; + }; + + user = mkOption { + type = types.string; + default = "ejabberd"; + description = '' + TODO + ''; + }; + + group = mkOption { + type = types.string; + default = "ejabberd"; + description = '' + TODO + ''; + }; + + + # spoolDir = mkOption { + # default = "/var/lib/ejabberd"; + # description = "Location of the spooldir of ejabberd"; + # }; + + # logsDir = mkOption { + # default = "/var/log/ejabberd"; + # description = "Location of the logfile directory of ejabberd"; + # }; + + # confDir = mkOption { + # default = "/var/ejabberd"; + # description = "Location of the config directory of ejabberd"; + # }; + + # virtualHosts = mkOption { + # default = "\"localhost\""; + # description = "Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas"; + # }; + + # loadDumps = mkOption { + # default = []; + # description = "Configuration dump that should be loaded on the first startup"; + # example = literalExample "[ ./myejabberd.dump ]"; + # }; + + # config + }; + + }; + + + ####### implementation + + config = + let + my-ejabberdctl = writeScriptBin "ejabberdctl" '' + #! /bin/sh + set -euf + exec env \ + SPOOLDIR=/var/ejabberd \ + EJABBERD_CONFIG_PATH=/etc/ejabberd.cfg \ + ${ejabberd}/bin/ejabberdctl \ + --logs /var/ejabberd \ + "$@" + ''; + in + mkIf cfg.enable { + #environment.systemPackages = [ pkgs.ejabberd ]; + + environment = { + etc."ejabberd.cfg".text = '' + %%% + %%% ejabberd configuration file + %%% + %%%' + + %%% The parameters used in this configuration file are explained in more detail + %%% in the ejabberd Installation and Operation Guide. + %%% Please consult the Guide in case of doubts, it is included with + %%% your copy of ejabberd, and is also available online at + %%% http://www.process-one.net/en/ejabberd/docs/ + + %%% This configuration file contains Erlang terms. + %%% In case you want to understand the syntax, here are the concepts: + %%% + %%% - The character to comment a line is % + %%% + %%% - Each term ends in a dot, for example: + %%% override_global. + %%% + %%% - A tuple has a fixed definition, its elements are + %%% enclosed in {}, and separated with commas: + %%% {loglevel, 4}. + %%% + %%% - A list can have as many elements as you want, + %%% and is enclosed in [], for example: + %%% [http_poll, web_admin, tls] + %%% + %%% - A keyword of ejabberd is a word in lowercase. + %%% Strings are enclosed in "" and can contain spaces, dots, ... + %%% {language, "en"}. + %%% {ldap_rootdn, "dc=example,dc=com"}. + %%% + %%% - This term includes a tuple, a keyword, a list, and two strings: + %%% {hosts, ["jabber.example.net", "im.example.com"]}. + %%% + + + %%%. ======================= + %%%' OVERRIDE STORED OPTIONS + + %% + %% Override the old values stored in the database. + %% + + %% + %% Override global options (shared by all ejabberd nodes in a cluster). + %% + %%override_global. + + %% + %% Override local options (specific for this particular ejabberd node). + %% + %%override_local. + + %% + %% Remove the Access Control Lists before new ones are added. + %% + %%override_acls. + + + %%%. ========= + %%%' DEBUGGING + + %% + %% loglevel: Verbosity of log files generated by ejabberd. + %% 0: No ejabberd log at all (not recommended) + %% 1: Critical + %% 2: Error + %% 3: Warning + %% 4: Info + %% 5: Debug + %% + {loglevel, 3}. + + %% + %% watchdog_admins: Only useful for developers: if an ejabberd process + %% consumes a lot of memory, send live notifications to these XMPP + %% accounts. + %% + %%{watchdog_admins, ["bob@example.com"]}. + + + %%%. ================ + %%%' SERVED HOSTNAMES + + %% + %% hosts: Domains served by ejabberd. + %% You can define one or several, for example: + %% {hosts, ["example.net", "example.com", "example.org"]}. + %% + {hosts, ["jabber.viljetic.de"]}. + + %% + %% route_subdomains: Delegate subdomains to other XMPP servers. + %% For example, if this ejabberd serves example.org and you want + %% to allow communication with an XMPP server called im.example.org. + %% + %%{route_subdomains, s2s}. + + + %%%. =============== + %%%' LISTENING PORTS + + %% + %% listen: The ports ejabberd will listen on, which service each is handled + %% by and what options to start it with. + %% + {listen, + [ + + {5222, ejabberd_c2s, [ + + %% + %% If TLS is compiled in and you installed a SSL + %% certificate, specify the full path to the + %% file and uncomment this line: + %% + starttls, + {certfile, ${toErlang cfg.certFile}}, + + {access, c2s}, + {shaper, c2s_shaper}, + {max_stanza_size, 65536} + ]}, + + {5269, ejabberd_s2s_in, [ + {shaper, s2s_shaper}, + {max_stanza_size, 131072} + ]}, + + %% + %% ejabberd_service: Interact with external components (transports, ...) + %% + %%{8888, ejabberd_service, [ + %% {access, all}, + %% {shaper_rule, fast}, + %% {ip, {127, 0, 0, 1}}, + %% {hosts, ["icq.example.org", "sms.example.org"], + %% [{password, "secret"}] + %% } + %% ]}, + + %% + %% ejabberd_stun: Handles STUN Binding requests + %% + %%{{3478, udp}, ejabberd_stun, []}, + + {5280, ejabberd_http, [ + %%{request_handlers, + %% [ + %% {["pub", "archive"], mod_http_fileserver} + %% ]}, + captcha, + http_bind, + http_poll, + %%register, + web_admin + ]} + + ]}. + + %% + %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. + %% Allowed values are: false optional required required_trusted + %% You must specify a certificate file. + %% + {s2s_use_starttls, required}. + + %% + %% s2s_certfile: Specify a certificate file. + %% + {s2s_certfile, ${toErlang cfg.certFile}}. + + %% + %% domain_certfile: Specify a different certificate for each served hostname. + %% + %%{domain_certfile, "example.org", "/path/to/example_org.pem"}. + %%{domain_certfile, "example.com", "/path/to/example_com.pem"}. + + %% + %% S2S whitelist or blacklist + %% + %% Default s2s policy for undefined hosts. + %% + %%{s2s_default_policy, allow}. + + %% + %% Allow or deny communication with specific servers. + %% + %%{{s2s_host, "goodhost.org"}, allow}. + %%{{s2s_host, "badhost.org"}, deny}. + + %% + %% Outgoing S2S options + %% + %% Preferred address families (which to try first) and connect timeout + %% in milliseconds. + %% + %%{outgoing_s2s_options, [ipv4, ipv6], 10000}. + + + %%%. ============== + %%%' AUTHENTICATION + + %% + %% auth_method: Method used to authenticate the users. + %% The default method is the internal. + %% If you want to use a different method, + %% comment this line and enable the correct ones. + %% + {auth_method, internal}. + %% + %% Store the plain passwords or hashed for SCRAM: + %%{auth_password_format, plain}. + %%{auth_password_format, scram}. + %% + %% Define the FQDN if ejabberd doesn't detect it: + %%{fqdn, "server3.example.com"}. + + %% + %% Authentication using external script + %% Make sure the script is executable by ejabberd. + %% + %%{auth_method, external}. + %{extauth_program, "$ {ejabberd-auth}"}. + + %% + %% Authentication using ODBC + %% Remember to setup a database in the next section. + %% + %%{auth_method, odbc}. + + %% + %% Authentication using PAM + %% + %%{auth_method, pam}. + %%{pam_service, "pamservicename"}. + + %% + %% Authentication using LDAP + %% + %%{auth_method, ldap}. + %% + %% List of LDAP servers: + %%{ldap_servers, ["localhost"]}. + %% + %% Encryption of connection to LDAP servers: + %%{ldap_encrypt, none}. + %%{ldap_encrypt, tls}. + %% + %% Port to connect to on LDAP servers: + %%{ldap_port, 389}. + %%{ldap_port, 636}. + %% + %% LDAP manager: + %%{ldap_rootdn, "dc=example,dc=com"}. + %% + %% Password of LDAP manager: + %%{ldap_password, "******"}. + %% + %% Search base of LDAP directory: + %%{ldap_base, "dc=example,dc=com"}. + %% + %% LDAP attribute that holds user ID: + %%{ldap_uids, [{"mail", "%u@mail.example.org"}]}. + %% + %% LDAP filter: + %%{ldap_filter, "(objectClass=shadowAccount)"}. + + %% + %% Anonymous login support: + %% auth_method: anonymous + %% anonymous_protocol: sasl_anon | login_anon | both + %% allow_multiple_connections: true | false + %% + %%{host_config, "public.example.org", [{auth_method, anonymous}, + %% {allow_multiple_connections, false}, + %% {anonymous_protocol, sasl_anon}]}. + %% + %% To use both anonymous and internal authentication: + %% + %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}. + + + %%%. ============== + %%%' DATABASE SETUP + + %% ejabberd by default uses the internal Mnesia database, + %% so you do not necessarily need this section. + %% This section provides configuration examples in case + %% you want to use other database backends. + %% Please consult the ejabberd Guide for details on database creation. + + %% + %% MySQL server: + %% + %%{odbc_server, {mysql, "server", "database", "username", "password"}}. + %% + %% If you want to specify the port: + %%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}. + + %% + %% PostgreSQL server: + %% + %%{odbc_server, {pgsql, "server", "database", "username", "password"}}. + %% + %% If you want to specify the port: + %%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}. + %% + %% If you use PostgreSQL, have a large database, and need a + %% faster but inexact replacement for "select count(*) from users" + %% + %%{pgsql_users_number_estimate, true}. + + %% + %% ODBC compatible or MSSQL server: + %% + %%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}. + + %% + %% Number of connections to open to the database for each virtual host + %% + %%{odbc_pool_size, 10}. + + %% + %% Interval to make a dummy SQL request to keep the connections to the + %% database alive. Specify in seconds: for example 28800 means 8 hours + %% + %%{odbc_keepalive_interval, undefined}. + + + %%%. =============== + %%%' TRAFFIC SHAPERS + + %% + %% The "normal" shaper limits traffic speed to 1000 B/s + %% + {shaper, normal, {maxrate, 1000}}. + + %% + %% The "fast" shaper limits traffic speed to 50000 B/s + %% + {shaper, fast, {maxrate, 50000}}. + + %% + %% This option specifies the maximum number of elements in the queue + %% of the FSM. Refer to the documentation for details. + %% + {max_fsm_queue, 1000}. + + + %%%. ==================== + %%%' ACCESS CONTROL LISTS + + %% + %% The 'admin' ACL grants administrative privileges to XMPP accounts. + %% You can put here as many accounts as you want. + %% + %%{acl, admin, {user, "aleksey", "localhost"}}. + %%{acl, admin, {user, "ermine", "example.org"}}. + + %% + %% Blocked users + %% + %%{acl, blocked, {user, "baduser", "example.org"}}. + %%{acl, blocked, {user, "test"}}. + + %% + %% Local users: don't modify this line. + %% + {acl, local, {user_regexp, ""}}. + + %% + %% More examples of ACLs + %% + %%{acl, jabberorg, {server, "jabber.org"}}. + %%{acl, aleksey, {user, "aleksey", "jabber.ru"}}. + %%{acl, test, {user_regexp, "^test"}}. + %%{acl, test, {user_glob, "test*"}}. + + %% + %% Define specific ACLs in a virtual host. + %% + %%{host_config, "localhost", + %% [ + %% {acl, admin, {user, "bob-local", "localhost"}} + %% ] + %%}. + + + %%%. ============ + %%%' ACCESS RULES + + %% Maximum number of simultaneous sessions allowed for a single user: + {access, max_user_sessions, [{10, all}]}. + + %% Maximum number of offline messages that users can have: + {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. + + %% This rule allows access only for local users: + {access, local, [{allow, local}]}. + + %% Only non-blocked users can use c2s connections: + {access, c2s, [{deny, blocked}, + {allow, all}]}. + + %% For C2S connections, all users except admins use the "normal" shaper + {access, c2s_shaper, [{none, admin}, + {normal, all}]}. + + %% All S2S connections use the "fast" shaper + {access, s2s_shaper, [{fast, all}]}. + + %% Only admins can send announcement messages: + {access, announce, [{allow, admin}]}. + + %% Only admins can use the configuration interface: + {access, configure, [{allow, admin}]}. + + %% Admins of this server are also admins of the MUC service: + {access, muc_admin, [{allow, admin}]}. + + %% Only accounts of the local ejabberd server can create rooms: + {access, muc_create, [{allow, local}]}. + + %% All users are allowed to use the MUC service: + {access, muc, [{allow, all}]}. + + %% Only accounts on the local ejabberd server can create Pubsub nodes: + {access, pubsub_createnode, [{allow, local}]}. + + %% In-band registration allows registration of any possible username. + %% To disable in-band registration, replace 'allow' with 'deny'. + {access, register, [{allow, all}]}. + + %% By default the frequency of account registrations from the same IP + %% is limited to 1 account every 10 minutes. To disable, specify: infinity + %%{registration_timeout, 600}. + + %% + %% Define specific Access Rules in a virtual host. + %% + %%{host_config, "localhost", + %% [ + %% {access, c2s, [{allow, admin}, {deny, all}]}, + %% {access, register, [{deny, all}]} + %% ] + %%}. + + + %%%. ================ + %%%' DEFAULT LANGUAGE + + %% + %% language: Default language used for server messages. + %% + {language, "en"}. + + %% + %% Set a different default language in a virtual host. + %% + %%{host_config, "localhost", + %% [{language, "ru"}] + %%}. + + + %%%. ======= + %%%' CAPTCHA + + %% + %% Full path to a script that generates the image. + %% + %%{captcha_cmd, "/lib/ejabberd/priv/bin/captcha.sh"}. + + %% + %% Host for the URL and port where ejabberd listens for CAPTCHA requests. + %% + %%{captcha_host, "example.org:5280"}. + + %% + %% Limit CAPTCHA calls per minute for JID/IP to avoid DoS. + %% + %%{captcha_limit, 5}. + + %%%. ======= + %%%' MODULES + + %% + %% Modules enabled in all ejabberd virtual hosts. + %% + {modules, + [ + {mod_adhoc, []}, + {mod_announce, [{access, announce}]}, % recommends mod_adhoc + {mod_blocking,[]}, % requires mod_privacy + {mod_caps, []}, + {mod_configure,[]}, % requires mod_adhoc + {mod_disco, []}, + %%{mod_echo, [{host, "echo.localhost"}]}, + {mod_irc, []}, + {mod_http_bind, []}, + %%{mod_http_fileserver, [ + %% {docroot, "/var/www"}, + %% {accesslog, "/var/log/ejabberd/access.log"} + %% ]}, + {mod_last, []}, + {mod_muc, [ + %%{host, "conference.@HOST@"}, + {access, muc}, + {access_create, muc_create}, + {access_persistent, muc_create}, + {access_admin, muc_admin} + ]}, + %%{mod_muc_log,[]}, + {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, + {mod_ping, []}, + %%{mod_pres_counter,[{count, 5}, {interval, 60}]}, + {mod_privacy, []}, + {mod_private, []}, + %%{mod_proxy65,[]}, + {mod_pubsub, [ + {access_createnode, pubsub_createnode}, + {ignore_pep_from_offline, true}, % reduces resource comsumption, but XEP incompliant + %%{ignore_pep_from_offline, false}, % XEP compliant, but increases resource comsumption + {last_item_cache, false}, + {plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps + ]}, + {mod_register, [ + %% + %% Protect In-Band account registrations with CAPTCHA. + %% + %%{captcha_protected, true}, + + %% + %% Set the minimum informational entropy for passwords. + %% + %%{password_strength, 32}, + + %% + %% After successful registration, the user receives + %% a message with this subject and body. + %% + {welcome_message, {"Welcome!", + "Hi.\nWelcome to this XMPP server."}}, + + %% + %% When a user registers, send a notification to + %% these XMPP accounts. + %% + %%{registration_watchers, ["admin1@example.org"]}, + + %% + %% Only clients in the server machine can register accounts + %% + {ip_access, [{allow, "127.0.0.0/8"}, + {deny, "0.0.0.0/0"}]}, + + %% + %% Local c2s or remote s2s users cannot register accounts + %% + %%{access_from, deny}, + + {access, register} + ]}, + %%{mod_register_web, [ + %% + %% When a user registers, send a notification to + %% these XMPP accounts. + %% + %%{registration_watchers, ["admin1@example.org"]} + %% ]}, + {mod_roster, []}, + %%{mod_service_log,[]}, + {mod_shared_roster,[]}, + {mod_stats, []}, + {mod_time, []}, + {mod_vcard, []}, + {mod_version, []} + ]}. + + %% + %% Enable modules with custom options in a specific virtual host + %% + %%{host_config, "localhost", + %% [{{add, modules}, + %% [ + %% {mod_echo, [{host, "mirror.localhost"}]} + %% ] + %% } + %% ]}. + + + %%%. + %%%' + + %%% $Id$ + + %%% Local Variables: + %%% mode: erlang + %%% End: + %%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. foldmethod=marker: + ''; + # TODO properly configured wrapper + systemPackages = [ my-ejabberdctl ]; + }; + #exim_user = ${cfg.user} + #exim_group = ${cfg.group} + #exim_path = /var/setuid-wrappers/exim + #spool_directory = ${cfg.spoolDir} + #${cfg.config} + + users.extraUsers = singleton { + name = "ejabberd"; + description = "TODO"; + uid = 405222; + group = "ejabberd"; + home = "/var/ejabberd"; + createHome = true; + }; + + users.extraGroups = singleton { + name = "ejabberd"; + gid = 405222; + }; + + #security.setuidPrograms = [ "exim" ]; + + systemd.services.ejabberd = { + description = "ejabberd XMPP Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + reloadIfChanged = true; + serviceConfig = { + ExecStart = "${my-ejabberdctl}/bin/ejabberdctl start"; + ExecStop = "${my-ejabberdctl}/bin/ejabberdctl stop"; + ExecReload = "${my-ejabberdctl}/bin/ejabberdctl restart"; + Type = "oneshot"; + RemainAfterExit = "yes"; + RestartSec = 5; + LimitNOFILE = 16000; + User = "ejabberd"; + Group = "ejabberd"; + }; + }; + + systemd.services.ejabberd-prepare = { + description = "ejabberd XMPP Preparetion Service"; + requiredBy = [ "ejabberd.service" ]; + serviceConfig = { + Type = "oneshot"; + RestartSec = 5; + ExecStart = "${writeScript "ejabberd-prepare" + '' + #! /bin/sh + set -euf + chown ejabberd: /etc/nixos/secrets/ejabberd.cd.retiolum.pem + '' + }"; + }; + }; + + + + }; + + #config = mkIf cfg.enable { + # environment.systemPackages = [ pkgs.ejabberd ]; + + # jobs.ejabberd = + # { description = "EJabberd server"; + + # startOn = "started network-interfaces"; + # stopOn = "stopping network-interfaces"; + + # environment = { + # PATH = "$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin"; + # }; + + # preStart = + # '' + # PATH="$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin"; + # + # # Initialise state data + # mkdir -p ${cfg.logsDir} + + # if ! test -d ${cfg.spoolDir} + # then + # initialize=1 + # cp -av ${pkgs.ejabberd}/var/lib/ejabberd /var/lib + # fi + + # #if ! test -d ${cfg.confDir} + # #then + # # mkdir -p ${cfg.confDir} + # # cp ${pkgs.ejabberd}/etc/ejabberd/* ${cfg.confDir} + # # sed -e 's|{hosts, \["localhost"\]}.|{hosts, \[${cfg.virtualHosts}\]}.|' ${pkgs.ejabberd}/etc/ejabberd/ejabberd.cfg > ${cfg.confDir}/ejabberd.cfg + # #fi + # mkdir -p ${cfg.confDir} + + + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} start + + # ${if cfg.loadDumps == [] then "" else + # '' + # if [ "$initialize" = "1" ] + # then + # # Wait until the ejabberd server is available for use + # count=0 + # while ! ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} status + # do + # if [ $count -eq 30 ] + # then + # echo "Tried 30 times, giving up..." + # exit 1 + # fi + + # echo "Ejabberd daemon not yet started. Waiting for 1 second..." + # count=$((count++)) + # sleep 1 + # done + + # ${concatMapStrings (dump: + # '' + # echo "Importing dump: ${dump}" + + # if [ -f ${dump} ] + # then + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load ${dump} + # elif [ -d ${dump} ] + # then + # for i in ${dump}/ejabberd-dump/* + # do + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load $i + # done + # fi + # '') cfg.loadDumps} + # fi + # ''} + # ''; + + # postStop = + # '' + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} stop + # ''; + # }; + + # security.pam.services.ejabberd = {}; + + #}; + +} diff --git a/old/modules/tv/environment.nix b/old/modules/tv/environment.nix new file mode 100644 index 000000000..9e5a819a9 --- /dev/null +++ b/old/modules/tv/environment.nix @@ -0,0 +1,93 @@ +{ pkgs, ... }: + +let + lib = import ../../lib { lib = pkgs.lib; inherit pkgs; }; + + inherit (lib) majmin; +in + +{ + imports = [ + { + imports = [ ../tv/users ]; + tv.users.tv.packages = with pkgs; [ + ascii + mpv + ]; + } + ]; + + environment.systemPackages = with pkgs; [ + vim + ]; + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + + environment.shellAliases = { + # alias cal='cal -m3' + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + environment.variables.VIM = "/etc/vim"; + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + if test -n "$SSH_AGENT_PID"; then + PS1="ssh-agent[$SSH_AGENT_PID] $PS1" + fi + ''; + }; + + programs.ssh.startAgent = false; +} diff --git a/old/modules/tv/exim-retiolum.nix b/old/modules/tv/exim-retiolum.nix new file mode 100644 index 000000000..efab5cf32 --- /dev/null +++ b/old/modules/tv/exim-retiolum.nix @@ -0,0 +1,126 @@ +{ config, pkgs, ... }: + +{ + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.tv.retiolum.enable; + let + # TODO get the hostname from config.tv.retiolum. + retiolumHostname = "${config.networking.hostName}.retiolum"; + in + { enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! +local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; +} diff --git a/old/modules/tv/exim-smarthost.nix b/old/modules/tv/exim-smarthost.nix new file mode 100644 index 000000000..a4c47b399 --- /dev/null +++ b/old/modules/tv/exim-smarthost.nix @@ -0,0 +1,474 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) toFile; + inherit (pkgs.lib.attrsets) mapAttrs; + inherit (pkgs.lib.strings) concatMapStringsSep; +in + +{ + services.exim = + let + retiolumHostname = "${config.networking.hostName}.retiolum"; + + internet-aliases = [ + { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } + + # (mindestens) lisp-stammtisch und elli haben die: + { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } + + { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } + + { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } + + # TODO killme (wo wird die benutzt?) + { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } + + { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } + ]; + + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "tv"; } + { from = "mirko"; to = "mv"; } + ]; + + to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); + lsearch = + mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit internet-aliases; + inherit system-aliases; + }; + in + { + enable = true; + config = + '' + primary_hostname = ${retiolumHostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". + domainlist local_domains = @ : localhost + #: viljetic.de : SHACK_REDIR_HOSTNAME + domainlist relay_to_domains = + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + # av_scanner = clamd:/tmp/clamd + # spamd_address = 127.0.0.1 783 + + # tls_advertise_hosts = * + # tls_certificate = /etc/ssl/exim.crt + # tls_privatekey = /etc/ssl/exim.pem + # (debian) tls_verify_certificates (to check client certs) + + # daemon_smtp_ports = 25 : 465 : 587 + # tls_on_connect_ports = 465 + + # qualify_domain defaults to primary_hostname + # qualify_recipient defaults to qualify_domain + + # allow_domain_literals + + never_users = root + + host_lookup = * + + # ident callbacks for all incoming SMTP calls + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + # sender_unqualified_hosts = + # recipient_unqualified_hosts = + + # percent_hack_domains = + + # arch & debian + #ignore_bounce_errors_after = 2d + #timeout_frozen_after = 7d + # debian + #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full + #freeze_tell = postmaster + #trusted_users = uucp + # arch + #split_spool_directory = true + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). + # We do this by testing for an empty sending host field. + accept hosts = : + # arch & debian: + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + ## feature RETIOLUM_MAIL + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + # debian: control = submission/sender_retain + # arch & debian: + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example + # + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain + + # Client SMTP Authorization (csa) checks on the sending host. + # Such checks do DNS lookups for special SRV records. + # require verify = csa + + accept + + + acl_check_data: + # see av_scanner + #deny malware = * + # message = This message contains a virus ($malware_name). + + # Add headers to a message if it is judged to be spam. Before enabling this, + # you must install SpamAssassin. You may also need to set the spamd_address + # option above. + # + # warn spam = nobody + # add_header = X-Spam_score: $spam_score\n\ + # X-Spam_score_int: $spam_score_int\n\ + # X-Spam_bar: $spam_bar\n\ + # X-Spam_report: $spam_report + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + warn + sender_domains = viljetic.de : shackspace.de + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + # if ipv6-enabled then instead use: + # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 + + # (debian) same_domain_copy_routing = yes + # (debian) ignore private rfc1918 and APIPA addresses + # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + # 255.255.255.255 + + # Fail and bounce if the router does not find the domain in the DNS. + # I.e. no more routers are tried. + # There are a few cases where a dnslookup router will decline to accept an + # address; if such a router is expected to handle "all remaining non-local + # domains", then it is important to set no_more. + no_more + + # XXX this is only used because these "well known aliases" goto tv@cd.retiolum + # TODO bounce everything, there is no @cd.retiolum + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + # TODO this is only b/c mv here... send mv's mails somewhere else... + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + # serialize_hosts = TODO-all-slow-hosts + + remote_smtp: + driver = smtp + # debian has also stuff for tls, headers_rewrite and more here + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + + + # group = mail + # mode = 0660 + + + #address_pipe: + # driver = pipe + # return_output + # + #address_file: + # driver = appendfile + # delivery_date_add + # envelope_to_add + # return_path_add + # + #address_reply: + # driver = autoreply + + + #maildrop_pipe: + # debug_print = "T: maildrop_pipe for $local_part@$domain" + # driver = pipe + # path = "/bin:/usr/bin:/usr/local/bin" + # command = "/usr/bin/maildrop" + # return_path_add + # delivery_date_add + # envelope_to_add + + + + + + ##begin retry + # Address or Domain Error Retries + + # Our host_redirect destinations might be offline a lot. + # TODO define fallback destinations(?) + #lsearch;${lsearch.internet-aliases} * F,42d,1m + + + ## begin rewrite + + # just in case (shackspace.de should already do this) + #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T + + + ## begin authenticators + #PLAIN: + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + #LOGIN: + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + + + }; + +} + +# config = '' +# primary_hostname = ${retiolumHostname} +# domainlist local_domains = @ : localhost +# domainlist relay_to_domains = *.retiolum +# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 +# +# acl_smtp_rcpt = acl_check_rcpt +# acl_smtp_data = acl_check_data +# +# host_lookup = * +# rfc1413_hosts = * +# rfc1413_query_timeout = 5s +# +# log_file_path = syslog +# syslog_timestamp = false +# syslog_duplication = false +# +# begin acl +# +# acl_check_rcpt: +# accept hosts = : +# control = dkim_disable_verify +# +# deny message = Restricted characters in address +# domains = +local_domains +# local_parts = ^[.] : ^.*[@%!/|] +# +# deny message = Restricted characters in address +# domains = !+local_domains +# local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ +# +# accept local_parts = postmaster +# domains = +local_domains +# +# #accept +# # hosts = *.retiolum +# # domains = *.retiolum +# # control = dkim_disable_verify +# +# #require verify = sender +# +# accept hosts = +relay_from_hosts +# control = submission +# control = dkim_disable_verify +# +# accept authenticated = * +# control = submission +# control = dkim_disable_verify +# +# require message = relay not permitted +# domains = +local_domains : +relay_to_domains +# +# require verify = recipient +# +# accept +# +# +# acl_check_data: +# accept +# +# +# begin routers +# +# retiolum: +# driver = manualroute +# domains = ! ${retiolumHostname} : *.retiolum +# transport = remote_smtp +# route_list = ^.* $0 byname +# no_more +# +# nonlocal: +# debug_print = "R: nonlocal for $local_part@$domain" +# driver = redirect +# domains = ! +local_domains +# allow_fail +# data = :fail: Mailing to remote domains not supported +# no_more +# +# local_user: +# # debug_print = "R: local_user for $local_part@$domain" +# driver = accept +# check_local_user +# # local_part_suffix = +* : -* +# # local_part_suffix_optional +# transport = home_maildir +# cannot_route_message = Unknown user +# +# +# begin transports +# +# remote_smtp: +# driver = smtp +# +# home_maildir: +# driver = appendfile +# maildir_format +# directory = $home/Maildir +# directory_mode = 0700 +# delivery_date_add +# envelope_to_add +# return_path_add +# # group = mail +# # mode = 0660 +# +# begin retry +# *.retiolum * F,42d,1m +# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h +# +# begin rewrite +# +# begin authenticators +# ''; +# }; +#} diff --git a/old/modules/tv/git/cgit.nix b/old/modules/tv/git/cgit.nix new file mode 100644 index 000000000..747a93135 --- /dev/null +++ b/old/modules/tv/git/cgit.nix @@ -0,0 +1,93 @@ +{ cfg, config, lib, pkgs, ... }: + +let + inherit (builtins) attrValues filter getAttr; + inherit (lib) concatMapStringsSep mkIf optionalString; + + location = lib.nameValuePair; # TODO this is also in modules/wu/default.nix + + isPublicRepo = getAttr "public"; # TODO this is also in ./default.nix +in + +{ + users.extraUsers = lib.singleton { + name = "fcgiwrap"; + uid = 2851179180; # genid fcgiwrap + group = "fcgiwrap"; + home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); + }; + + users.extraGroups = lib.singleton { + name = "fcgiwrap"; + gid = 2851179180; # genid fcgiwrap + }; + + services.fcgiwrap = { + enable = true; + user = "fcgiwrap"; + group = "fcgiwrap"; + # socketAddress = "/run/fcgiwrap.sock" (default) + # socketType = "unix" (default) + }; + + environment.etc."cgitrc".text = '' + css=/cgit-static/cgit.css + logo=/cgit-static/cgit.png + + # if you do not want that webcrawler (like google) index your site + robots=noindex, nofollow + + virtual-root=/cgit + + # TODO make this nicer (and/or somewhere else) + cache-root=/tmp/cgit + + cache-size=1000 + enable-commit-graph=1 + enable-index-links=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + enable-remote-branches=1 + + root-title=public repositories at ${config.networking.hostName} + root-desc=keep calm and engage + + snapshots=0 + max-stats=year + + ${concatMapStringsSep "\n" (repo: '' + repo.url=${repo.name} + repo.path=${cfg.dataDir}/${repo.name} + ${optionalString (repo.section != null) "repo.section=${repo.section}"} + ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} + '') (filter isPublicRepo (attrValues cfg.repos))} + ''; + + system.activationScripts.cgit = '' + mkdir -m 0700 -p /tmp/cgit + chown fcgiwrap: /tmp/cgit + ''; + + tv.nginx = { + enable = true; + retiolum-locations = [ + (location "/cgit/" '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_split_path_info ^(/cgit/?)(.+)$; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + '') + (location "= /cgit" '' + return 301 /cgit/; + '') + (location "/cgit-static/" '' + root ${pkgs.cgit}/cgit; + rewrite ^/cgit-static(/.*)$ $1 break; + '') + ]; + }; +} diff --git a/old/modules/tv/git/config.nix b/old/modules/tv/git/config.nix new file mode 100644 index 000000000..4f44c3839 --- /dev/null +++ b/old/modules/tv/git/config.nix @@ -0,0 +1,272 @@ +arg@{ cfg, lib, pkgs, ... }: + +let + inherit (builtins) head tail typeOf; + inherit (lib) + attrValues concatStringsSep concatMapStringsSep escapeShellArg filter + getAttr hasAttr hasPrefix lessThan makeSearchPath mapAttrsToList + optional optionalString removePrefix singleton sort unique; + inherit (pkgs) linkFarm writeScript; + + ensureList = x: + if typeOf x == "list" then x else [x]; + + getName = x: x.name; + + isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix + + makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: + # TODO assert name + # TODO assert pubkey + let + options = concatStringsSep "," [ + ''command="exec ${git-ssh-command} ${name}"'' + "no-agent-forwarding" + "no-port-forwarding" + "no-pty" + "no-X11-forwarding" + ]; + in + "${options} ${pubkey}"; + + # [case-pattern] -> shell-script + # Create a shell script that succeeds (exit 0) when all its arguments + # match the case patterns (in the given order). + makeAuthorizeScript = + let + # TODO escape + to-pattern = x: concatStringsSep "|" (ensureList x); + go = i: ps: + if ps == [] + then "exit 0" + else '' + case ''$${toString i} in ${to-pattern (head ps)}) + ${go (i + 1) (tail ps)} + esac''; + in + patterns: '' + #! /bin/sh + set -euf + ${concatStringsSep "\n" (map (go 1) patterns)} + exit -1 + ''; + + reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); + + # TODO makeGitHooks that uses runCommand instead of scriptFarm? + scriptFarm = + farm-name: scripts: + let + makeScript = script-name: script-string: { + name = script-name; + path = writeScript "${farm-name}_${script-name}" script-string; + }; + in + linkFarm farm-name (mapAttrsToList makeScript scripts); + + + git-ssh-command = writeScript "git-ssh-command" '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + git + gnugrep + gnused + systemd + ])} + + abort() { + echo "error: $1" >&2 + systemd-cat -p err -t git echo "error: $1" + exit -1 + } + + GIT_SSH_USER=$1 + + systemd-cat -p info -t git echo \ + "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" + + # References: The Base Definitions volume of + # POSIX.1‐2013, Section 3.278, Portable Filename Character Set + portable_filename_bre="^[A-Za-z0-9._-]\\+$" + + command=$(echo "$SSH_ORIGINAL_COMMAND" \ + | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ + | grep "$portable_filename_bre" \ + || abort 'cannot read command') + + GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ + | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ + | grep "$portable_filename_bre" \ + || abort 'cannot read reponame') + + ${cfg.etcDir}/authorize-command \ + "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ + || abort 'access denied' + + repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO + + systemd-cat -p info -t git \ + echo "authorized exec $command $repodir" + + export GIT_SSH_USER + export GIT_SSH_REPO + exec "$command" "$repodir" + ''; + + init-script = writeScript "git-init" '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + findutils + gawk + git + gnugrep + gnused + ])} + + dataDir=${escapeShellArg cfg.dataDir} + mkdir -p "$dataDir" + + # Notice how the presence of hooks symlinks determine whether + # we manage a repositry or not. + + # Make sure that no existing repository has hooks. We can delete + # symlinks because we assume we created them. + find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete + bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) + if echo "$bad_hooks" | grep -q .; then + printf 'error: unknown hooks:\n%s\n' \ + "$(echo "$bad_hooks" | sed 's/^/ /')" \ + >&2 + exit -1 + fi + + # Initialize repositories. + ${concatMapStringsSep "\n" (repo: + let + hooks = scriptFarm "git-hooks" (makeHooks repo); + in + '' + reponame=${escapeShellArg repo.name} + repodir=$dataDir/$reponame + mode=${toString (if isPublicRepo repo then 0711 else 0700)} + if ! test -d "$repodir"; then + mkdir -m "$mode" "$repodir" + git init --bare --template=/var/empty "$repodir" + chown -R git:nogroup "$repodir" + fi + ln -s ${hooks} "$repodir/hooks" + '' + ) (attrValues cfg.repos)} + + # Warn about repositories that exist but aren't mentioned in the + # current configuration (and thus didn't receive a hooks symlink). + unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ + -type d \! -exec test -e '{}/hooks' \; -print) + if echo "$unknown_repos" | grep -q .; then + printf 'warning: stale repositories:\n%s\n' \ + "$(echo "$unknown_repos" | sed 's/^/ /')" \ + >&2 + fi + ''; + + makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { + pre-receive = '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils # env + git + systemd + ])} + + accept() { + #systemd-cat -p info -t git echo "authorized $1" + accept_string="''${accept_string+$accept_string + }authorized $1" + } + reject() { + #systemd-cat -p err -t git echo "denied $1" + #echo 'access denied' >&2 + #exit_code=-1 + reject_string="''${reject_string+$reject_string + }access denied: $1" + } + + empty=0000000000000000000000000000000000000000 + + accept_string= + reject_string= + while read oldrev newrev ref; do + + if [ $oldrev = $empty ]; then + receive_mode=create + elif [ $newrev = $empty ]; then + receive_mode=delete + elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then + receive_mode=fast-forward + else + receive_mode=non-fast-forward + fi + + if ${cfg.etcDir}/authorize-push \ + "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then + accept "$receive_mode $ref" + else + reject "$receive_mode $ref" + fi + done + + if [ -n "$reject_string" ]; then + systemd-cat -p err -t git echo "$reject_string" + exit -1 + fi + + systemd-cat -p info -t git echo "$accept_string" + + ${optionalString (hasAttr "post-receive" repo.hooks) '' + # custom post-receive hook + ${repo.hooks.post-receive}''} + ''; + }; + + etc-base = + assert (hasPrefix "/etc/" cfg.etcDir); + removePrefix "/etc/" cfg.etcDir; +in + +{ + system.activationScripts.git-init = "${init-script}"; + + # TODO maybe put all scripts here and then use PATH? + environment.etc."${etc-base}".source = + scriptFarm "git-ssh-authorizers" { + authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ + (map getName (ensureList user)) + (map getName (ensureList repo)) + (map getName perm.allow-commands) + ]) cfg.rules); + + authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ + (map getName (ensureList user)) + (map getName (ensureList repo)) + (ensureList perm.allow-receive-ref) + (map getName perm.allow-receive-modes) + ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); + }; + + users.extraUsers = singleton { + description = "Git repository hosting user"; + name = "git"; + shell = "/bin/sh"; + openssh.authorizedKeys.keys = + mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; + uid = 112606723; # genid git + }; +} diff --git a/old/modules/tv/git/default.nix b/old/modules/tv/git/default.nix new file mode 100644 index 000000000..17bc3738b --- /dev/null +++ b/old/modules/tv/git/default.nix @@ -0,0 +1,27 @@ +arg@{ config, pkgs, lib, ... }: + +let + inherit (lib) mkIf mkMerge; + + cfg = config.tv.git; + arg' = arg // { inherit cfg; }; +in + +# TODO unify logging of shell scripts to user and journal +# TODO move all scripts to ${etcDir}, so ControlMaster connections +# immediately pick up new authenticators +# TODO when authorized_keys changes, then restart ssh +# (or kill already connected users somehow) + +{ + imports = [ + ../../tv/nginx + ]; + + options.tv.git = import ./options.nix arg'; + + config = mkIf cfg.enable (mkMerge [ + (import ./config.nix arg') + (mkIf cfg.cgit (import ./cgit.nix arg')) + ]); +} diff --git a/old/modules/tv/git/options.nix b/old/modules/tv/git/options.nix new file mode 100644 index 000000000..c251d7d4c --- /dev/null +++ b/old/modules/tv/git/options.nix @@ -0,0 +1,93 @@ +{ lib, ... }: + +let + inherit (lib) literalExample mkOption types; +in + +{ + enable = mkOption { + type = types.bool; + default = false; + description = "Enable Git repository hosting."; + }; + cgit = mkOption { + type = types.bool; + default = true; + description = "Enable cgit."; # TODO better desc; talk about nginx + }; + dataDir = mkOption { + type = types.str; + default = "/var/lib/git"; + description = "Directory used to store repositories."; + }; + etcDir = mkOption { + type = types.str; + default = "/etc/git"; + }; + rules = mkOption { + type = types.unspecified; + }; + repos = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository description. + ''; + }; + section = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository section. + ''; + }; + name = mkOption { + type = types.str; + description = '' + Repository name. + ''; + }; + hooks = mkOption { + type = types.attrsOf types.str; + description = '' + Repository-specific hooks. + ''; + }; + public = mkOption { + type = types.bool; + default = false; + description = '' + Allow everybody to read the repository via HTTP if cgit enabled. + ''; + # TODO allow every configured user to fetch the repository via SSH. + }; + }; + })); + + default = {}; + + example = literalExample '' + { + testing = { + name = "testing"; + hooks.post-update = ''' + #! /bin/sh + set -euf + echo post-update hook: $* >&2 + '''; + }; + testing2 = { name = "testing2"; }; + } + ''; + + description = '' + Repositories. + ''; + }; + users = mkOption { + type = types.unspecified; + }; +} diff --git a/old/modules/tv/git/public.nix b/old/modules/tv/git/public.nix new file mode 100644 index 000000000..de6ed7fdf --- /dev/null +++ b/old/modules/tv/git/public.nix @@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: + +let + inherit (builtins) map readFile; + inherit (lib) concatMap listToAttrs; + # TODO lib should already include our stuff + inherit (import ../../../lib { inherit lib pkgs; }) addNames git; + + public-git-repos = [ + (public "cgserver") + (public "crude-mail-setup") + (public "dot-xmonad") + (public "hack") + (public "load-env") + (public "make-snapshot") + (public "mime") + (public "much") + (public "nixos-infest") + (public "nixpkgs") + (public "painload") + (public "regfish") + (public' { + name = "shitment"; + desc = "turn all the computers into one computer!"; + }) + (public "wai-middleware-time") + (public "web-routes-wai-custom") + ]; + + users = addNames { + tv = { pubkey = readFile <pubkeys/tv_wu.ssh.pub>; }; + lass = { pubkey = readFile <pubkeys/lass.ssh.pub>; }; + uriel = { pubkey = readFile <pubkeys/uriel.ssh.pub>; }; + makefu = { pubkey = readFile <pubkeys/makefu.ssh.pub>; }; + }; + + repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos); + + rules = concatMap ({ rules, ... }: rules) public-git-repos; + + public' = { name, desc }: + let + x = public name; + in + x // { repo = x.repo // { inherit desc; }; }; + + public = repo-name: + rec { + repo = { + name = repo-name; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; # TODO make this the default + channel = "#retiolum"; + server = "ire.retiolum"; + }; + }; + public = true; + }; + rules = with git; with users; [ + { user = tv; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } + { user = [ lass makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } + ]; + }; + +in + +{ + imports = [ + ./. + ]; + tv.git = { + enable = true; + inherit repos rules users; + }; +} diff --git a/old/modules/tv/identity/default.nix b/old/modules/tv/identity/default.nix new file mode 100644 index 000000000..7cf90de01 --- /dev/null +++ b/old/modules/tv/identity/default.nix @@ -0,0 +1,71 @@ +{ lib, ... }: + +with lib; + +let + + cfg = config.tv.identity; + + out = { + options.tv.identity = api; + #config = mkIf cfg.enable imp; + }; + + api = { + enable = mkOption { + type = types.bool; + default = false; + }; + self = mkOption { + type = types.unspecified; + }; + hosts = mkOption { + type = with types; attrsOf unspecified; + default = { + cd = { + #dc = "cac"; + dc = "tv"; + fqdn = "cd.retiolum"; + addr = "10.243.113.222"; + #addr6 = "42:4522:25f8:36bb:8ccb:0150:231a:2af3"; + #internet-addr = "162.219.5.183"; + cores = 2; + }; + mkdir = { + #dc = "cac"; + dc = "tv"; + fqdn = "mkdir.retiolum"; + addr = "10.243.113.223"; + cores = 1; + }; + nomic = { + #dc = "gg"; + dc = "tv"; + fqdn = "nomic.retiolum"; + addr = "10.243.0.110"; + cores = 2; + }; + rmdir = { + #dc = "cac"; + dc = "tv"; + fqdn = "rmdir.retiolum"; + addr = "10.243.113.224"; + #addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5"; + cores = 1; + }; + wu = { + #dc = "gg"; + dc = "tv"; + fqdn = "wu.retiolum"; + addr = "10.243.13.37"; + cores = 8; + }; + }; + }; + }; + + #imp = { + #}; + +in +out diff --git a/old/modules/tv/iptables/config.nix b/old/modules/tv/iptables/config.nix new file mode 100644 index 000000000..a525cfa5d --- /dev/null +++ b/old/modules/tv/iptables/config.nix @@ -0,0 +1,93 @@ +{ cfg, lib, pkgs, ... }: + +let + inherit (pkgs) writeScript writeText; + inherit (lib) concatMapStringsSep; + + accept-new-tcp = port: + "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + + rules = iptables-version: + writeText "tv-iptables-rules${toString iptables-version}" '' + *nat + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([] + ++ [ + "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0" + "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" + ] + )} + COMMIT + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + :Retiolum - [0:0] + ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([] + ++ [ + "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" + "-i lo -j ACCEPT" + ] + ++ map accept-new-tcp cfg.input-internet-accept-new-tcp + ++ ["-i retiolum -j Retiolum"] + )} + ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] + ++ { + ip4tables = [ + "-p icmp -m icmp --icmp-type echo-request -j ACCEPT" + ]; + ip6tables = [ + "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT" + ]; + }."ip${toString iptables-version}tables" + ++ map accept-new-tcp cfg.input-retiolum-accept-new-tcp + ++ { + ip4tables = [ + "-p tcp -j REJECT --reject-with tcp-reset" + "-p udp -j REJECT --reject-with icmp-port-unreachable" + "-j REJECT --reject-with icmp-proto-unreachable" + ]; + ip6tables = [ + "-p tcp -j REJECT --reject-with tcp-reset" + "-p udp -j REJECT --reject-with icmp6-port-unreachable" + "-j REJECT" + ]; + }."ip${toString iptables-version}tables" + )} + COMMIT + ''; + + startScript = writeScript "tv-iptables_start" '' + #! /bin/sh + set -euf + iptables-restore < ${rules 4} + ip6tables-restore < ${rules 6} + ''; +in + +{ + networking.firewall.enable = false; + + systemd.services.tv-iptables = { + description = "tv-iptables"; + wantedBy = [ "network-pre.target" ]; + before = [ "network-pre.target" ]; + after = [ "systemd-modules-load.service" ]; + + path = with pkgs; [ + iptables + ]; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + RemainAfterExit = true; + Restart = "always"; + ExecStart = "@${startScript} tv-iptables_start"; + }; + }; +} diff --git a/old/modules/tv/iptables/default.nix b/old/modules/tv/iptables/default.nix new file mode 100644 index 000000000..cf27a26ac --- /dev/null +++ b/old/modules/tv/iptables/default.nix @@ -0,0 +1,11 @@ +arg@{ config, lib, pkgs, ... }: + +let + cfg = config.tv.iptables; + arg' = arg // { inherit cfg; }; +in + +{ + options.tv.iptables = import ./options.nix arg'; + config = lib.mkIf cfg.enable (import ./config.nix arg'); +} diff --git a/old/modules/tv/iptables/options.nix b/old/modules/tv/iptables/options.nix new file mode 100644 index 000000000..1adffebdb --- /dev/null +++ b/old/modules/tv/iptables/options.nix @@ -0,0 +1,29 @@ +{ lib, ... }: + +let + inherit (lib) mkOption types; +in + +{ + enable = mkOption { + type = types.bool; + default = false; + description = "Enable iptables."; + }; + + input-internet-accept-new-tcp = mkOption { + type = with types; listOf str; + default = []; + description = '' + TCP ports, accepting incoming connections from anywhere. + ''; + }; + + input-retiolum-accept-new-tcp = mkOption { + type = with types; listOf str; + default = []; + description = '' + TCP ports, accepting incoming connections from Retiolum. + ''; + }; +} diff --git a/old/modules/tv/nginx/config.nix b/old/modules/tv/nginx/config.nix new file mode 100644 index 000000000..4bfd8ad28 --- /dev/null +++ b/old/modules/tv/nginx/config.nix @@ -0,0 +1,49 @@ +{ cfg, config, lib, pkgs, ... }: + +let + inherit (lib) concatStrings replaceChars; + + indent = replaceChars ["\n"] ["\n "]; + + to-location = { name, value }: '' + location ${name} { + ${indent value} + } + ''; +in + +{ + services.nginx = + let + name = config.tv.retiolum.name; + qname = "${name}.retiolum"; + in + assert config.tv.retiolum.enable; + { + enable = true; + httpConfig = '' + include ${pkgs.nginx}/conf/mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + gzip on; + server { + listen 80 default_server; + server_name _; + location / { + return 404; + } + } + server { + listen 80; + server_name ${name} ${qname}; + + ${indent (concatStrings (map to-location cfg.retiolum-locations))} + + location / { + return 404; + } + } + ''; + }; +} diff --git a/old/modules/tv/nginx/default.nix b/old/modules/tv/nginx/default.nix new file mode 100644 index 000000000..49133fbb3 --- /dev/null +++ b/old/modules/tv/nginx/default.nix @@ -0,0 +1,11 @@ +arg@{ config, pkgs, lib, ... }: + +let + cfg = config.tv.nginx; + arg' = arg // { inherit cfg; }; +in + +{ + options.tv.nginx = import ./options.nix arg'; + config = lib.mkIf cfg.enable (import ./config.nix arg'); +} diff --git a/old/modules/tv/nginx/options.nix b/old/modules/tv/nginx/options.nix new file mode 100644 index 000000000..ddfb38049 --- /dev/null +++ b/old/modules/tv/nginx/options.nix @@ -0,0 +1,21 @@ +{ lib, ... }: + +let + inherit (lib) mkOption types; +in + +{ + enable = mkOption { + type = types.bool; + default = false; + description = "Enable nginx."; + }; + + retiolum-locations = mkOption { + type = with types; listOf (attrsOf str); + default = []; + description = '' + TODO + ''; + }; +} diff --git a/old/modules/tv/retiolum/config.nix b/old/modules/tv/retiolum/config.nix new file mode 100644 index 000000000..f1d227f6b --- /dev/null +++ b/old/modules/tv/retiolum/config.nix @@ -0,0 +1,130 @@ +{ cfg, config, lib, pkgs, ... }: + +let + inherit (lib) concatStrings singleton; + + tinc = cfg.tincPackage; + hostsType = builtins.typeOf cfg.hosts; + hosts = + if hostsType == "package" then + # use package as is + cfg.hosts + else if hostsType == "path" then + # use path to generate a package + pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out + ''; + } + else + abort "The option `services.retiolum.hosts' must be set to a package or a path" + ; + iproute = cfg.iproutePackage; + + retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" + { } + '' + generate() { + (cd ${hosts} + printf \'\' + for i in `ls`; do + names=$(hostnames $i) + for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do + names="$names $(hostnames $j)" + done + sed -En ' + s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p + ' $i + done | sort + printf \'\' + ) + } + + case ${cfg.generateEtcHosts} in + short) + hostnames() { echo "$1"; } + generate + ;; + long) + hostnames() { echo "$1.${cfg.network}"; } + generate + ;; + both) + hostnames() { echo "$1.${cfg.network} $1"; } + generate + ;; + *) + echo '""' + ;; + esac > $out + ''); + + + confDir = pkgs.runCommand "retiolum" { + # TODO text + executable = true; + preferLocalBuild = true; + } '' + set -euf + + mkdir -p $out + + ln -s ${hosts} $out/hosts + + cat > $out/tinc.conf <<EOF + Name = ${cfg.name} + Device = /dev/net/tun + Interface = ${cfg.network} + ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)} + PrivateKeyFile = ${cfg.privateKeyFile} + EOF + + # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up + cat > $out/tinc-up <<EOF + host=$out/hosts/${cfg.name} + ${iproute}/sbin/ip link set \$INTERFACE up + + addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host) + if [ -n "\$addr4" ];then + ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE + ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE + fi + addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host) + ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE + ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE + EOF + + chmod +x $out/tinc-up + ''; + + + user = cfg.network + "-tinc"; + +in + +{ + environment.systemPackages = [ tinc hosts iproute ]; + + networking.extraHosts = retiolumExtraHosts; + + systemd.services.retiolum = { + description = "Tinc daemon for Retiolum"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ tinc iproute ]; + serviceConfig = { + # TODO we cannot chroot (-R) b/c we use symlinks to hosts + # and the private key. + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D"; + SyslogIdentifier = "retiolum-tincd"; + }; + }; + + users.extraUsers = singleton { + name = user; + uid = 2961822815; # bin/genid retiolum-tinc + }; +} diff --git a/old/modules/tv/retiolum/default.nix b/old/modules/tv/retiolum/default.nix new file mode 100644 index 000000000..93b0be097 --- /dev/null +++ b/old/modules/tv/retiolum/default.nix @@ -0,0 +1,11 @@ +arg@{ config, pkgs, lib, ... }: + +let + cfg = config.tv.retiolum; + arg' = arg // { inherit cfg; }; +in + +{ + options.tv.retiolum = import ./options.nix arg'; + config = lib.mkIf cfg.enable (import ./config.nix arg'); +} diff --git a/old/modules/tv/retiolum/options.nix b/old/modules/tv/retiolum/options.nix new file mode 100644 index 000000000..a06cbecef --- /dev/null +++ b/old/modules/tv/retiolum/options.nix @@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkOption types; +in + +{ + enable = mkOption { + type = types.bool; + default = false; + description = "Enable tinc daemon for Retiolum."; + }; + + name = mkOption { + type = types.string; + default = config.networking.hostName; + # Description stolen from tinc.conf(5). + description = '' + This is the name which identifies this tinc daemon. It must + be unique for the virtual private network this daemon will + connect to. The Name may only consist of alphanumeric and + underscore characters. If Name starts with a $, then the + contents of the environment variable that follows will be + used. In that case, invalid characters will be converted to + underscores. If Name is $HOST, but no such environment + variable exist, the hostname will be read using the + gethostnname() system call This is the name which identifies + the this tinc daemon. + ''; + }; + + generateEtcHosts = mkOption { + type = types.string; + default = "both"; + description = '' + If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>, + then generate entries in <filename>/etc/hosts</filename> from subnets. + ''; + }; + + network = mkOption { + type = types.string; + default = "retiolum"; + description = '' + The tinc network name. + It is used to generate long host entries, + derive the name of the user account under which tincd runs, + and name the TUN device. + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + default = null; + description = '' + Hosts package or path to use. + If a path is given, then it will be used to generate an ad-hoc package. + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + + privateKeyFile = mkOption { + # TODO if it's types.path then it gets copied to /nix/store with + # bad unsafe permissions... + type = types.string; + default = "/etc/tinc/retiolum/rsa_key.priv"; + description = "Generate file with <literal>tincd -K</literal>."; + }; + + connectTo = mkOption { + type = types.listOf types.string; + default = [ "fastpoke" "pigstarter" "kheurop" ]; + description = "TODO describe me"; + }; + +} diff --git a/old/modules/tv/sanitize.nix b/old/modules/tv/sanitize.nix new file mode 100644 index 000000000..173341452 --- /dev/null +++ b/old/modules/tv/sanitize.nix @@ -0,0 +1,12 @@ +{ ... }: + +{ + nixpkgs.config.packageOverrides = pkgs: + { + nano = pkgs.runCommand "empty" {} "mkdir -p $out"; + }; + + services.cron.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; +} diff --git a/old/modules/tv/smartd.nix b/old/modules/tv/smartd.nix new file mode 100644 index 000000000..2e9d955d1 --- /dev/null +++ b/old/modules/tv/smartd.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + services.smartd = { + enable = true; + devices = [ + { + device = "DEVICESCAN"; + options = toString [ + "-a" + "-m tv@wu.retiolum" + "-s (O/../.././09|S/../.././04|L/../../6/05)" + ]; + } + ]; + }; +} diff --git a/old/modules/tv/synaptics.nix b/old/modules/tv/synaptics.nix new file mode 100644 index 000000000..c47cb9deb --- /dev/null +++ b/old/modules/tv/synaptics.nix @@ -0,0 +1,14 @@ +{ config, pkgs, ... }: + +{ + # TODO this is host specific + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + accelFactor = "0.035"; + additionalOptions = '' + Option "FingerHigh" "60" + Option "FingerLow" "60" + ''; + }; +} diff --git a/old/modules/tv/urlwatch/default.nix b/old/modules/tv/urlwatch/default.nix new file mode 100644 index 000000000..87ec289f7 --- /dev/null +++ b/old/modules/tv/urlwatch/default.nix @@ -0,0 +1,158 @@ +{ config, lib, pkgs, ... }: + +# TODO multiple users +# TODO inform about unused caches +# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" +# TODO hooks.py + +let + inherit (builtins) toFile; + inherit (lib) + concatStringsSep escapeShellArg mkIf mkOption optionals singleton types; + inherit (pkgs) writeScript; + + cfg = config.tv.urlwatch; + + api = { + dataDir = mkOption { + type = types.str; + default = "/var/lib/urlwatch"; + description = '' + Directory where the urlwatch service should store its state. + ''; + }; + enable = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable the urlwatch service. + If enabled, then create a timer that calls urlwatch and sends mails + whenever something has changed or an error occurs. + ''; + }; + from = mkOption { + type = types.str; + default = "${cfg.user}@${config.networking.hostName}.retiolum"; + description = '' + Content of the From: header of the generated mails. + ''; + }; + mailto = mkOption { + type = types.str; + description = '' + Content of the To: header of the generated mails. [AKA recipient :)] + ''; + }; + onCalendar = mkOption { + type = types.str; + description = '' + Run urlwatch at this interval. + The format is described in systemd.time(7), CALENDAR EVENTS. + ''; + example = "04:23"; + }; + urls = mkOption { + type = with types; listOf str; + description = "URL to watch."; + example = [ + https://nixos.org/channels/nixos-unstable/git-revision + ]; + }; + user = mkOption { + type = types.str; + default = "urlwatch"; + description = "User under which urlwatch runs."; + }; + }; + + urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); + + impl = { + systemd.timers.urlwatch = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.onCalendar; + Persistent = "true"; + }; + }; + systemd.services.urlwatch = { + path = with pkgs; [ + coreutils + gnused + urlwatch + ]; + environment = { + HOME = cfg.dataDir; + LC_ALL = "en_US.UTF-8"; + LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive"; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + }; + serviceConfig = { + User = cfg.user; + PermissionsStartOnly = "true"; + PrivateTmp = "true"; + Type = "oneshot"; + ExecStartPre = + writeScript "urlwatch-prestart" '' + #! /bin/sh + set -euf + + dataDir=$HOME + user=${escapeShellArg cfg.user} + + if ! test -e "$dataDir"; then + mkdir -m 0700 -p "$dataDir" + chown "$user": "$dataDir" + fi + ''; + ExecStart = writeScript "urlwatch" '' + #! /bin/sh + set -euf + + from=${escapeShellArg cfg.from} + mailto=${escapeShellArg cfg.mailto} + urlsFile=${escapeShellArg urlsFile} + user=${escapeShellArg cfg.user} + + cd /tmp + + urlwatch -e --urls="$urlsFile" > changes 2>&1 || : + + if test -s changes; then + date=$(date -R) + subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ + | tr \\n \ ) + { + echo "Date: $date" + echo "From: $from" + echo "Subject: $subject" + echo "To: $mailto" + echo + cat changes + } | /var/setuid-wrappers/sendmail -t + fi + ''; + }; + }; + users.extraUsers = optionals (cfg.user == "urlwatch") (singleton { + name = "urlwatch"; + uid = 3450919516; # bin/genid urlwatch + }); + }; + +in + +{ + # TODO + #imports = [ + # ./exim + #]; + #config = mkIf cfg.enable + # (if config.tv.exim.enable + # then impl + # else throw "tv.exim must be enabled when enabling tv.urlwatch"); + + options.tv.urlwatch = api; + + config = impl; +} diff --git a/old/modules/tv/urxvt.nix b/old/modules/tv/urxvt.nix new file mode 100644 index 000000000..a97581248 --- /dev/null +++ b/old/modules/tv/urxvt.nix @@ -0,0 +1,24 @@ +{ pkgs, ... }: + + with builtins; + +let + users = [ "tv" ]; + urxvt = pkgs.rxvt_unicode; + mkService = user: { + description = "urxvt terminal daemon"; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = false; + serviceConfig = { + Restart = "always"; + User = user; + ExecStart = "${urxvt}/bin/urxvtd"; + }; + }; + +in + +{ + environment.systemPackages = [ urxvt ]; + systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); +} diff --git a/old/modules/tv/users/default.nix b/old/modules/tv/users/default.nix new file mode 100644 index 000000000..719f57d70 --- /dev/null +++ b/old/modules/tv/users/default.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.tv.users; + + opts = { + enable = mkOption { + default = true; + type = types.bool; + description = '' + If set to false, TODO... + ''; + }; + + packages = mkOption { + default = []; + #example = literalExample "[ pkgs.firefox pkgs.thunderbird ]"; + type = with types; listOf path; + description = '' + TODO this description is for environment.systemPackages + The set of packages that appear in + /run/current-system/sw. These packages are + automatically available to all users, and are + automatically updated every time you rebuild the system + configuration. (The latter is the main difference with + installing them in the default profile, + <filename>/nix/var/nix/profiles/default</filename>. + ''; + }; + }; +in + +{ + options.tv.users = mkOption { + default = {}; + type = with types; attrsOf optionSet; + options = [ opts ]; + description = '' + TODO + ''; + }; + + config = { + system.activationScripts."tv.users" = + let + bindir = name: packages: + pkgs.symlinkJoin "${name}-bindir" (map (path: path + "/" + "bin") packages); + in + '' + mkdir -m 0755 -p /run/tv.users + # TODO delete old + # TODO detect collisions + # TODO don't link .xxx-wrapped + ${concatStrings (mapAttrsToList (name: { packages, ... }: '' + mkdir -m 0755 -p /run/tv.users/${name} + ln -snf ${bindir name packages} /run/tv.users/${name}/bin + '') cfg)} + ''; + environment.shellInit = '' + # XXX lower precedence than ~/bin + PATH=/run/tv.users/$LOGNAME/bin:$PATH + export PATH + ''; + }; +} diff --git a/old/modules/tv/xserver.nix b/old/modules/tv/xserver.nix new file mode 100644 index 000000000..897dbcc28 --- /dev/null +++ b/old/modules/tv/xserver.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: + +{ + services.xserver.enable = true; + + + #fonts.enableFontConfig = true; + #fonts.enableFontDir = true; + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + #services.xfs.enable = true; + #services.xserver.useXFS = "unix/:7100"; + + services.xserver.displayManager.desktopManagerHandlesLidAndPower = true; + + #services.xserver.display = 11; + #services.xserver.tty = 11; + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + #services.xserver.multitouch.enable = true; + + services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ + X11-xshape + ]; + services.xserver.windowManager.xmonad.enable = true; + services.xserver.windowManager.xmonad.enableContribAndExtras = true; + services.xserver.windowManager.default = "xmonad"; + services.xserver.desktopManager.default = "none"; + services.xserver.desktopManager.xterm.enable = false; + + services.xserver.displayManager.slim.enable = true; + #services.xserver.displayManager.auto.enable = true; + #services.xserver.displayManager.auto.user = "tv"; + #services.xserver.displayManager.job.logsXsession = true; + + + services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; +} |