From 2499c472a08783d1cc1105c9b4c48b04f8062b5b Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 5 Aug 2015 16:55:10 +0200
Subject: fix ip of tsp (211 is already in use)
---
 krebs/3modules/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs')
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e677ba5ea..4644e59eb 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -311,7 +311,7 @@ let
 dc = "makefu"; #x200
 nets = {
 retiolum = {
- addrs4 = ["10.243.0.211"];
+ addrs4 = ["10.243.0.212"];
 addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0002"];
 aliases = [
 "tsp.retiolum"
-- 
cgit v1.2.3
From 0862e949f6b736c76b601acd3b17262521175c31 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 12 Aug 2015 16:58:21 +0200
Subject: tsp: 2 cores
---
 krebs/3modules/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'krebs')
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 4644e59eb..a533fcf64 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -307,7 +307,7 @@ let
 };
 };
 tsp = {
- cores = 4;
+ cores = 2;
 dc = "makefu"; #x200
 nets = {
 retiolum = {
-- 
cgit v1.2.3
From 7c578b1cad5d33c4a2773459ef62a8a72c585972 Mon Sep 17 00:00:00 2001
From: tv
Date: Thu, 13 Aug 2015 11:46:09 +0200
Subject: {tv 2 => krebs 3}/exim-retiolum
---
 krebs/3modules/default.nix | 1 +
 krebs/3modules/exim-retiolum.nix | 142 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 143 insertions(+)
 create mode 100644 krebs/3modules/exim-retiolum.nix
(limited to 'krebs')
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e677ba5ea..fd795a036 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let
 out = {
 imports = [
+ ./exim-retiolum.nix
 ./github-hosts-sync.nix
 ./git.nix
 ./nginx.nix
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
new file mode 100644
index 000000000..09372f074
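Review bot: The collision this hunk fixes by hand (10.243.0.211 already taken by another host) is not prevented anywhere in the module: addrs4 is a free-form string list and nothing asserts that retiolum addresses are unique across the merged host set, so the next duplicate will again be found only when two hosts answer for the same address. This is a follow-up rather than a defect in the one-line change itself; an evaluation-time check over the collected addrs4 lists along the lines of `assert length addrs == length (unique addrs);` would turn a duplicate into an evaluation error. The enclosing tsp host definition starts and ends outside the hunk.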
--- /dev/null
+++ b/krebs/3modules/exim-retiolum.nix
@@ -0,0 +1,142 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.exim-retiolum; + + out = { + options.krebs.exim-retiolum = api; + config = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.krebs.retiolum.enable; + mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.exim-retiolum"; + }; + + imp = { + services.exim = { + enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; + }; + + # TODO get the hostname from somewhere else. + retiolumHostname = "${config.networking.hostName}.retiolum"; +in +out -- cgit v1.2.3 From ab2d3f96be09e4a77f33b7ce2f3b96dbc9b57c39 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Aug 2015 12:02:26 +0200 Subject: services: add pigstarter --- krebs/3modules/default.nix | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index a533fcf64..8573c5a05 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -164,7 +164,7 @@ let { krebs = tv-imp; } { krebs.dns.providers = { - de.krebsco = "ovh"; + de.krebsco = "zones"; internet = "hosts"; retiolum = "hosts"; }; 
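Review bot: The `assert config.krebs.retiolum.enable;` in front of `mkIf cfg.enable imp` guards the whole `config` value rather than the mkIf body, so it appears to be forced whenever the module's config is merged, not only when krebs.exim-retiolum.enable is set; since default.nix now imports this module for every krebs host, a host with retiolum disabled would fail evaluation even though it never enabled exim. Moving the check under the enable condition avoids that, e.g. `config = mkIf cfg.enable (assert config.krebs.retiolum.enable; imp);`, or better, expressing it through the `assertions` option inside imp so the failure carries a message instead of a bare assert. Separately, `host_lookup = *` together with `rfc1413_hosts = *` makes every inbound connection pay a reverse lookup plus an ident query with a 5s timeout; for a relay that only accepts from localhost and *.retiolum it is worth a comment saying why ident results are wanted, or narrowing `rfc1413_hosts` to the hosts whose answers are actually consumed.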
@@ -334,6 +334,43 @@ let }; }; }; + pigstarter = { + cores = 1; + dc = "makefu"; #x200 + nets = { + internet = { + addrs4 = ["192.40.56.122"]; + addrs6 = ["2604:2880::841f:72c"]; + aliases = [ + "pigstarter.internet" + ]; + zones = [ + { "pigstarter.krebsco.de" = "A";} + { "io.krebsco.de" = "NS";} + { "io.krebsco.de" = "A";} + { "mx42.krebsco.de" = "MX";} + { "mx42.krebsco.de" = "A";} + ]; + }; + retiolum = { + addrs4 = ["10.243.0.153"]; + addrs6 = ["42:9143:b4c0:f981:6030:7aa2:8bc5:4110"]; + aliases = [ + "pigstarter.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA/efJuJRLUIZROe3QE8WYTD/zyNGRh9I2/yw+5It9HSNVDMIOV1FZ + 9PaspsC+YQSBUQRN8SJ95G4RM6TIn/+ei7LiUYsf1Ik+uEOpP5EPthXqvdJEeswv + 3QFwbpBeOMNdvmGvQLeR1uJKVyf39iep1wWGOSO1sLtUA+skUuN38QKc1BPASzFG + 4ATM6rd2Tkt8+9hCeoePJdLr3pXat9BBuQIxImgx7m5EP02SH1ndb2wttQeAi9cE + DdJadpzOcEgFatzXP3SoKVV9loRHz5HhV4WtAqBIkDvgjj2j+NnXolAUY25Ix+kv + sfqfIw5aNLoIX4kDhuDEVBIyoc7/ofSbkQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; users = addNames { makefu = { -- cgit v1.2.3 From 6b9a70d2d0d4e773d60251acec2ab882c8dd56d7 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Aug 2015 12:03:59 +0200 Subject: types: add zones --- krebs/4lib/types.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 92410dd58..975c36b08 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,7 @@ types // rec { type = attrsOf net; apply = x: assert hasAttr "retiolum" x; x; }; + secure = mkOption { type = bool; default = false; @@ -73,6 +74,11 @@ types // rec { })); default = null; }; + zones = mkOption { + default = []; + # TODO: string is either MX, NS, A or AAAA + type = with types; listOf (attrsOf str); + }; }; }); -- cgit v1.2.3
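Review bot: The `zones` attribute added under pigstarter's internet net is used before the corresponding option exists: `zones` is only declared in the following commit (6b9a70d), so at ab2d3f96 the host set most likely fails to evaluate with an undefined-option error if `net` is a submodule, which the later types.nix hunk suggests it is. The two commits should be squashed or ordered types-first so that every commit evaluates on its own. The trailing `#x200` comment on `dc = "makefu";` is copied from the tsp entry; for a host with a public address block it reads as stale and should either be dropped or replaced with what the machine actually is. The enclosing hosts attribute set starts outside the hunk.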
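Review bot: The `# TODO: string is either MX, NS, A or AAAA` comment on the new `zones` option describes a constraint the module system can enforce directly; `listOf (attrsOf str)` accepts any string, so a typo in a record type is only noticed when whatever consumes the zone list runs. Replacing the element type with `type = with types; listOf (attrsOf (enum ["A" "AAAA" "MX" "NS"]));` turns the TODO into an evaluation-time check and documents the accepted record types in the option itself. The enclosing submodule definition starts and ends outside the hunk.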