stockholm/krebs/3modules/default.nix

300 lines
9.1 KiB
Nix
Raw Normal View History

2015-07-24 20:48:00 +02:00
{ config, lib, ... }:
2016-10-20 20:54:38 +02:00
with import <stockholm/lib>;
2015-07-24 20:48:00 +02:00
let
cfg = config.krebs;
out = {
imports = [
2017-09-05 22:58:25 +02:00
./announce-activation.nix
./apt-cacher-ng.nix
2015-12-28 19:43:31 +01:00
./backup.nix
./bepasty-server.nix
2015-12-22 19:36:19 +01:00
./buildbot/master.nix
./buildbot/slave.nix
./build.nix
2017-07-27 19:45:45 +02:00
./ci.nix
2015-10-25 14:15:21 +01:00
./current.nix
2016-04-27 01:10:25 +02:00
./exim.nix
2015-08-13 11:46:09 +02:00
./exim-retiolum.nix
2015-08-14 15:48:17 +02:00
./exim-smarthost.nix
./fetchWallpaper.nix
2015-07-24 20:48:00 +02:00
./github-hosts-sync.nix
./git.nix
2015-11-13 01:16:15 +01:00
./go.nix
2017-04-15 18:04:19 +02:00
./hidden-ssh.nix
2017-03-16 20:56:28 +01:00
./htgen.nix
2017-09-21 20:59:38 +02:00
./iana-etc.nix
2015-10-01 22:10:21 +02:00
./iptables.nix
2017-02-07 17:21:25 +01:00
./kapacitor.nix
2017-02-13 14:31:26 +01:00
./monit.nix
2016-03-15 14:37:46 +01:00
./newsbot-js.nix
./nixpkgs.nix
2016-03-15 15:58:45 +01:00
./on-failure.nix
2016-03-05 12:40:20 +01:00
./os-release.nix
2015-11-06 21:37:58 +01:00
./per-user.nix
2016-07-26 21:36:47 +02:00
./power-action.nix
2015-08-31 14:22:21 +02:00
./Reaktor.nix
2015-10-05 14:49:36 +02:00
./realwallpaper.nix
./retiolum-bootstrap.nix
2016-08-24 17:51:22 +02:00
./rtorrent.nix
2016-02-21 05:27:37 +01:00
./secret.nix
2016-02-14 13:26:37 +01:00
./setuid.nix
2017-05-16 22:06:31 +02:00
./tinc.nix
./tinc_graphs.nix
2015-07-24 20:48:00 +02:00
./urlwatch.nix
./repo-sync.nix
./xresources.nix
./zones.nix
2015-07-24 20:48:00 +02:00
];
options.krebs = api;
2016-02-14 16:43:44 +01:00
config = lib.mkIf cfg.enable imp;
2015-07-24 20:48:00 +02:00
};
api = {
enable = mkEnableOption "krebs";
dns = {
providers = mkOption {
type = with types; attrsOf str;
};
};
2015-07-24 21:15:18 +02:00
hosts = mkOption {
type = with types; attrsOf host;
2017-12-05 23:37:19 +01:00
default = {};
};
users = mkOption {
type = with types; attrsOf user;
};
# XXX is there a better place to define search-domain?
# TODO search-domains :: listOf hostname
search-domain = mkOption {
type = types.hostname;
2017-04-13 02:57:11 +02:00
default = "r";
};
2017-08-01 11:27:03 +02:00
sitemap = mkOption {
default = {};
type = types.attrsOf types.sitemap.entry;
};
2015-08-16 23:58:02 +02:00
zone-head-config = mkOption {
type = with types; attrsOf str;
description = ''
The zone configuration head which is being used to create the
zone files. The string for each key is pre-pended to the zone file.
'';
# TODO: configure the default somewhere else,
# maybe use krebs.dns.providers
default = {
# github.io -> 192.30.252.154
2015-08-16 23:58:02 +02:00
"krebsco.de" = ''
$TTL 86400
@ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
IN NS ns19.ovh.net.
IN NS dns19.ovh.net.
IN A 192.30.252.154
IN A 192.30.252.153
'';
};
};
};
2016-02-14 16:43:44 +01:00
imp = lib.mkMerge [
{ krebs = import ./jeschli { inherit config; }; }
2017-07-14 00:17:58 +02:00
{ krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; }
2016-11-10 22:28:00 +01:00
{ krebs = import ./makefu { inherit config; }; }
{ krebs = import ./mv { inherit config; }; }
2017-01-12 22:21:21 +01:00
{ krebs = import ./nin { inherit config; }; }
2016-11-10 22:28:00 +01:00
{ krebs = import ./tv { inherit config; }; }
{
krebs.dns.providers = {
"krebsco.de" = "zones";
2015-10-18 16:12:14 +02:00
gg23 = "hosts";
2015-11-17 22:15:07 +01:00
shack = "hosts";
2016-02-06 16:21:30 +01:00
i = "hosts";
r = "hosts";
};
2016-02-21 07:39:24 +01:00
krebs.users = {
krebs = {
home = "/krebs";
mail = "spam@krebsco.de";
};
root = {
home = "/root";
pubkey = config.krebs.build.host.ssh.pubkey;
uid = 0;
};
};
networking.extraHosts = let
domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
in concatStringsSep "\n" (flatten (
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = longs ++ shorts;
longs = filter check net.aliases;
shorts = let s = ".${cfg.search-domain}"; in
map (removeSuffix s) (filter (hasSuffix s) longs);
in
2016-11-11 01:50:59 +01:00
optionals
(aliases != [])
(map (addr: "${addr} ${toString aliases}") net.addrs)
) (filterAttrs (name: host: host.aliases != []) host.nets)
) cfg.hosts
));
2015-08-13 22:28:21 +02:00
2017-05-09 23:42:18 +02:00
# TODO dedup with networking.extraHosts
nixpkgs.config.packageOverrides = oldpkgs:
let
domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
in
{
retiolum-hosts = oldpkgs.writeText "retiolum-hosts" ''
${concatStringsSep "\n" (flatten (
map (host:
let
net = host.nets.retiolum;
aliases = longs;
longs = filter check net.aliases;
in
optionals
(aliases != [])
(map (addr: "${addr} ${toString aliases}") net.addrs)
) (filter (host: hasAttr "retiolum" host.nets)
(attrValues cfg.hosts))))}
'';
};
2015-10-05 03:01:21 +02:00
krebs.exim-smarthost.internet-aliases = let
2016-02-21 21:51:11 +01:00
format = from: to: {
inherit from;
2015-10-05 03:01:21 +02:00
# TODO assert is-retiolum-mail-address to;
2016-02-21 21:51:11 +01:00
to = concatMapStringsSep "," (getAttr "mail") (toList to);
};
2015-10-05 03:01:21 +02:00
in mapAttrsToList format (with config.krebs.users; let
2016-12-01 16:57:29 +01:00
eloop-ml = spam-ml ++ [ ciko ];
2015-10-05 03:01:21 +02:00
spam-ml = [
lass
makefu
tv
];
2017-06-18 18:55:07 +02:00
ciko.mail = "ciko@slash16.net";
2015-10-05 03:01:21 +02:00
in {
"anmeldung@eloop.org" = eloop-ml;
"cfp@eloop.org" = eloop-ml;
"kontakt@eloop.org" = eloop-ml;
"root@eloop.org" = eloop-ml;
"eloop2016@krebsco.de" = eloop-ml;
"eloop2017@krebsco.de" = eloop-ml;
2015-10-05 03:03:51 +02:00
"postmaster@krebsco.de" = spam-ml; # RFC 822
2015-10-05 03:29:04 +02:00
"lass@krebsco.de" = lass;
"makefu@krebsco.de" = makefu;
2015-10-05 03:01:21 +02:00
"spam@krebsco.de" = spam-ml;
2015-10-05 03:29:04 +02:00
"tv@krebsco.de" = tv;
2015-10-05 03:06:04 +02:00
# XXX These are no internet aliases
# XXX exim-retiolum hosts should be able to relay to retiolum addresses
"lass@retiolum" = lass;
"makefu@retiolum" = makefu;
"spam@retiolum" = spam-ml;
"tv@retiolum" = tv;
2016-02-21 21:51:11 +01:00
"lass@r" = lass;
"makefu@r" = makefu;
"spam@r" = spam-ml;
"tv@r" = tv;
2015-10-05 03:01:21 +02:00
});
services.openssh.hostKeys =
let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) (mkForce [privkey]);
2016-02-07 15:58:49 +01:00
# TODO use imports for merging
services.openssh.knownHosts =
2016-02-07 15:58:49 +01:00
(let inherit (config.krebs.build.host.ssh) pubkey; in
optionalAttrs (pubkey != null) {
localhost = {
hostNames = ["localhost" "127.0.0.1" "::1"];
publicKey = pubkey;
};
})
//
2017-12-12 21:08:50 +01:00
{
github = {
hostNames = [
"github.com"
# List generated with
# curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
2018-02-19 13:42:00 +01:00
"192.30.252.*"
2017-12-12 21:08:50 +01:00
"192.30.253.*"
"192.30.254.*"
"192.30.255.*"
"185.199.108.*"
"185.199.109.*"
"185.199.110.*"
"185.199.111.*"
2018-02-19 13:42:00 +01:00
"13.229.188.59"
"13.250.177.223"
2017-12-12 21:08:50 +01:00
"18.194.104.89"
2018-02-19 13:42:00 +01:00
"18.195.85.27"
2017-12-12 21:08:50 +01:00
"35.159.8.160"
2018-02-19 13:42:00 +01:00
"52.74.223.119"
2017-12-12 21:08:50 +01:00
];
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
};
}
2015-10-09 13:18:21 +02:00
//
mapAttrs
(name: host: {
hostNames =
concatLists
(mapAttrsToList
(net-name: net:
let
longs = net.aliases;
shorts =
map (removeSuffix ".${cfg.search-domain}")
(filter (hasSuffix ".${cfg.search-domain}")
longs);
add-port = a:
if net.ssh.port != 22
then "[${a}]:${toString net.ssh.port}"
else a;
in
2016-02-07 06:43:26 +01:00
map add-port (shorts ++ longs ++ net.addrs))
host.nets);
publicKey = host.ssh.pubkey;
})
(filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
programs.ssh.extraConfig = concatMapStrings
(net: ''
Host ${toString (net.aliases ++ net.addrs)}
Port ${toString net.ssh.port}
'')
(filter
(net: net.ssh.port != 22)
(concatMap (host: attrValues host.nets)
(mapAttrsToList
(_: host: recursiveUpdate host
(optionalAttrs (hasAttr config.krebs.search-domain host.nets) {
nets."" = host.nets.${config.krebs.search-domain} // {
aliases = [host.name];
addrs = [];
};
}))
config.krebs.hosts)));
2015-08-16 23:58:02 +02:00
}
2015-07-24 21:38:41 +02:00
];
in out