From 1bbeb858db245ef1a95a298de704d384ca4aa4b8 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 16 Oct 2017 00:45:27 +0200
Subject: [PATCH 1/7] exim-{retiolum,smarthost} module: simplify ACL

---
 krebs/3modules/exim-retiolum.nix  | 69 +++++++------------------------
 krebs/3modules/exim-smarthost.nix | 51 +++++++++--------------
 2 files changed, 36 insertions(+), 84 deletions(-)

diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index ca363c8d7..e08024977 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -43,7 +43,6 @@ let
           primary_hostname = ${cfg.primary_hostname}
           domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
           domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
-          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
 
           acl_smtp_rcpt = acl_check_rcpt
           acl_smtp_data = acl_check_data
@@ -61,41 +60,15 @@ let
           begin acl
 
           acl_check_rcpt:
-            accept  hosts = :
-                    control = dkim_disable_verify
-
-            deny    message       = Restricted characters in address
-                    domains       = +local_domains
-                    local_parts   = ^[.] : ^.*[@%!/|]
-
-            deny    message       = Restricted characters in address
-                    domains       = !+local_domains
-                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-
-            accept  local_parts   = postmaster
-                    domains       = +local_domains
-
-            #accept
-            #  hosts = *.r
-            #  domains = *.r
-            #  control = dkim_disable_verify
-
-            #require verify        = sender
-
-            accept  hosts         = +relay_from_hosts
-                    control       = submission
-                    control       = dkim_disable_verify
-
-            accept  authenticated = *
-                    control       = submission
-                    control       = dkim_disable_verify
-
-            require message = relay not permitted
-                    domains = +local_domains : +relay_to_domains
-
-            require verify = recipient
+            deny
+              local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+              message = restricted characters in address
 
             accept
+              domains = +local_domains : +relay_to_domains
+
+            deny
+              message = relay not permitted
 
 
           acl_check_data:
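Review bot: The rewritten `acl_check_rcpt` no longer verifies recipients: the old `require verify = recipient` is gone, so the `accept` on `domains = +local_domains : +relay_to_domains` takes any local part. Mail for nonexistent users is then accepted at RCPT time and has to be bounced afterwards, which sends backscatter to possibly forged senders. The exim-smarthost.nix hunk drops its `verify = recipient/callout` in the same way. Consider restoring `require verify = recipient` ahead of the `accept`. The removed local-domain pattern `^.*[@%!/|]` also means `/` and `|` are now rejected only at the start of a local part; that looks harmless given `check_local_user` in the router hunk below, but is worth confirming.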
@@ -104,29 +77,19 @@ let
 
           begin routers
 
-          retiolum:
-            driver = manualroute
-            domains = ! +local_domains : +relay_to_domains
-            transport = remote_smtp
-            route_list = ^.* $0 byname
-            no_more
-
-          nonlocal:
-            debug_print = "R: nonlocal for $local_part@$domain"
-            driver = redirect
-            domains = ! +local_domains
-            allow_fail
-            data = :fail: Mailing to remote domains not supported
-            no_more
-
-          local_user:
-            # debug_print = "R: local_user for $local_part@$domain"
+          local:
             driver = accept
+            domains = +local_domains
             check_local_user
-          # local_part_suffix = +* : -*
+          # local_part_suffix = +*
           # local_part_suffix_optional
             transport = home_maildir
-            cannot_route_message = Unknown user
+
+          remote:
+            driver = manualroute
+            domains = +relay_to_domains
+            transport = remote_smtp
+            route_list = ^.* $0 byname
 
 
           begin transports
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index dd4a7ccc9..5f93ae937 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -157,39 +157,28 @@ let
         begin acl
 
         acl_check_rcpt:
-          accept  hosts = :
-                  control = dkim_disable_verify
-
-          deny    message       = Restricted characters in address
-                  domains       = +local_domains
-                  local_parts   = ^[.] : ^.*[@%!/|]
-
-          deny    message       = Restricted characters in address
-                  domains       = !+local_domains
-                  local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-
-          accept  local_parts   = postmaster
-                  domains       = +local_domains
-
-          accept  hosts         = +relay_from_hosts
-                  control       = submission
-                  control       = dkim_disable_verify
-
-          accept  authenticated = *
-                  control       = submission
-                  control       = dkim_disable_verify
-
-          accept message = relay not permitted 2
-                  recipients = lsearch*@;${lsearch.internet-aliases}
-
-          require message = relay not permitted
-                  domains = +local_domains : +relay_to_domains
-
-          require
-            message = unknown user
-            verify = recipient/callout
+          deny
+            local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+            message = restricted characters in address
 
           accept
+            recipients = lsearch*@;${lsearch.internet-aliases}
+
+          accept
+            authenticated = *
+            control = dkim_disable_verify
+            control = submission
+
+          accept
+            control = dkim_disable_verify
+            control = submission
+            hosts = +relay_from_hosts
+
+          accept
+            domains = +local_domains : +relay_to_domains
+
+          deny
+            message = relay not permitted
 
 
         acl_check_data:
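Review bot: In the fourth statement the two `control` modifiers come before `hosts = +relay_from_hosts`, and Exim acts on a modifier when it is encountered, so `dkim_disable_verify` and `submission` are applied to every RCPT that reaches this statement, not only to relay hosts. A message from any other host that is then accepted by the following `accept` on `domains = +local_domains : +relay_to_domains` would be processed in submission mode with DKIM verification switched off. Put the condition first, as the `authenticated = *` statement above already does: `hosts = +relay_from_hosts` followed by the two `control =` lines.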

From 0f7fd225086da5a666d9c56ee86f9662820a7182 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 16 Oct 2017 02:39:49 +0200
Subject: [PATCH 2/7] tv xmonad: use default layout for im

---
 tv/5pkgs/simple/xmonad-tv/default.nix | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/tv/5pkgs/simple/xmonad-tv/default.nix b/tv/5pkgs/simple/xmonad-tv/default.nix
index 5ac8f8372..f73175bb1 100644
--- a/tv/5pkgs/simple/xmonad-tv/default.nix
+++ b/tv/5pkgs/simple/xmonad-tv/default.nix
@@ -80,7 +80,7 @@ mainNoArgs = do
             , modMask           = mod4Mask
             , keys              = myKeys
             , workspaces        = workspaces0
-            , layoutHook        = smartBorders $ myLayout
+            , layoutHook        = smartBorders $ FixedColumn 1 20 80 10 ||| Full
             -- , handleEventHook   = myHandleEventHooks <+> handleTimerEvent
             --, handleEventHook   = handleTimerEvent
             , manageHook        = placeHook (smart (1,0)) <+> floatNextHook
@@ -91,10 +91,6 @@ mainNoArgs = do
             , focusedBorderColor = "#f000b0"
             , handleEventHook = handleShutdownEvent
             }
-  where
-    myLayout =
-        (onWorkspace "im" $ reflectVert $ Mirror $ Tall 1 (3/100) (12/13))
-        (FixedColumn 1 20 80 10 ||| Full)
 
 
 xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()

From 8b55369fa72e1b4b518a41cc221420910c924108 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 16 Oct 2017 22:55:38 +0200
Subject: [PATCH 3/7] krebs exim-smarthost: add eloop2017@krebsco.de

---
 krebs/3modules/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 48cf7971b..c89f3229d 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -202,6 +202,7 @@ let
         "kontakt@eloop.org" = eloop-ml;
         "root@eloop.org" = eloop-ml;
         "eloop2016@krebsco.de" = eloop-ml;
+        "eloop2017@krebsco.de" = eloop-ml;
         "postmaster@krebsco.de" = spam-ml; # RFC 822
         "lass@krebsco.de" = lass;
         "makefu@krebsco.de" = makefu;

From a15736cbb0f23e74b47decc363a4cbf45850a0c4 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Tue, 17 Oct 2017 20:01:53 +0200
Subject: [PATCH 4/7] quote: init

---
 krebs/5pkgs/simple/quote.nix | 13 +++++++++++++
 shell.nix                    | 13 +------------
 2 files changed, 14 insertions(+), 12 deletions(-)
 create mode 100644 krebs/5pkgs/simple/quote.nix

diff --git a/krebs/5pkgs/simple/quote.nix b/krebs/5pkgs/simple/quote.nix
new file mode 100644
index 000000000..7731e14bf
--- /dev/null
+++ b/krebs/5pkgs/simple/quote.nix
@@ -0,0 +1,13 @@
+{ jq, writeDashBin }:
+
+# usage: quote [ARGS...]
+writeDashBin "quote" ''
+  set -efu
+  prefix=
+  for x; do
+    y=$(${jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"')
+    echo -n "$prefix$y"
+    prefix=' '
+  done
+  echo
+''
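Review bot: `echo -n "$prefix$y"` can alter the quoted text, because dash's builtin `echo` interprets backslash escapes (assuming `writeDashBin` runs this under dash, as the name suggests). jq's `@sh` leaves backslashes literal inside the single quotes, so an argument containing `\n`, `\\` or `\c` comes out changed, and `\c` cuts the output off before the closing quote. For a tool whose output is meant to be re-parsed by a shell, that breaks the round-trip guarantee. Use `printf '%s' "$prefix$y"` in the loop and `printf '\n'` in place of the final `echo`.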
diff --git a/shell.nix b/shell.nix
index c9b197a26..6448c1586 100644
--- a/shell.nix
+++ b/shell.nix
@@ -143,18 +143,6 @@ let
         ''}
   '');
 
-  # usage: quote [ARGS...]
-  cmds.quote = pkgs.writeDash "cmds.quote" ''
-    set -efu
-    prefix=
-    for x; do
-      y=$(${pkgs.jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"')
-      echo -n "$prefix$y"
-      prefix=' '
-    done
-    echo
-  '';
-
   init.env = pkgs.writeText "init.env" /* sh */ ''
     export quiet
     export system
@@ -243,6 +231,7 @@ in pkgs.stdenv.mkDerivation {
     fi
     export PATH=${lib.makeBinPath [
       pkgs.populate
+      pkgs.quote
       shell.cmdspkg
     ]}
 

From 27d37b22995c469048e2ae4dc8ff46f49b3542d7 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Tue, 17 Oct 2017 20:06:16 +0200
Subject: [PATCH 5/7] withGetopt: export WITHGETOPT_ORIG_ARGS

---
 krebs/5pkgs/simple/withGetopt.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/krebs/5pkgs/simple/withGetopt.nix b/krebs/5pkgs/simple/withGetopt.nix
index 196e6765a..179051bdf 100644
--- a/krebs/5pkgs/simple/withGetopt.nix
+++ b/krebs/5pkgs/simple/withGetopt.nix
@@ -1,5 +1,5 @@
 with import <stockholm/lib>;
-{ utillinux, writeDash }:
+{ coreutils, quote, utillinux, writeDash }:
 
 opt-spec: cmd-spec: let
 
@@ -43,6 +43,9 @@ in writeDash wrapper-name ''
     unset ${opt.varname}
   '') opts)}
 
+  WITHGETOPT_ORIG_ARGS=$(${quote}/bin/quote "$@")
+  export WITHGETOPT_ORIG_ARGS
+
   args=$(${utillinux}/bin/getopt \
       -l ${shell.escape
             (concatMapStringsSep ","
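Review bot: `WITHGETOPT_ORIG_ARGS` is exported without any comment on its format, although consumers must know it is a single shell-quoted string rather than a list of words. It is only meaningful where a shell re-parses it, and quoting or word-splitting it again would corrupt the arguments. A comment above the assignment would make that contract explicit, e.g. `# shell-quoted copy of the original "$@" (via quote); splice only into text that a shell will re-parse`. Separately, the first hunk adds `coreutils` to the argument set, but no use of it is visible in this patch; drop it if nothing outside the hunks needs it. The wrapper body starts and ends outside this hunk.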

From 19839ff2d8c3c4278a19b343bd0b18fe9a5e0388 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Tue, 17 Oct 2017 20:17:27 +0200
Subject: [PATCH 6/7] shell: proxy call original cmdline remotely

---
 shell.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/shell.nix b/shell.nix
index 6448c1586..53b0f964a 100644
--- a/shell.nix
+++ b/shell.nix
@@ -20,7 +20,7 @@ let
     set -efu
 
     . ${init.env}
-    . ${init.proxy opts}
+    . ${init.proxy "deploy" opts}
 
     # Use system's nixos-rebuild, which is not self-contained
     export PATH=/run/current-system/sw/bin
@@ -55,7 +55,7 @@ let
               # TODO inline prepare.sh?
     fi
 
-    . ${init.proxy opts}
+    . ${init.proxy "install" opts}
 
     # Reset PATH because we need access to nixos-install.
     # TODO provide nixos-install instead of relying on prepare.sh
@@ -93,7 +93,7 @@ let
     export dummy_secrets=true
 
     . ${init.env}
-    . ${init.proxy opts}
+    . ${init.proxy "test" opts}
 
     exec ${utils.build} config.system.build.toplevel
   '');
@@ -159,7 +159,7 @@ let
     export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
   '';
 
-  init.proxy = opts: pkgs.writeText "init.proxy" /* sh */ ''
+  init.proxy = command: opts: pkgs.writeText "init.proxy" /* sh */ ''
     if \test "''${using_proxy-}" != true; then
 
       source=$(get-source "$source_file")
@@ -182,7 +182,8 @@ let
                 opts
               )} \
               using_proxy=true \
-              $(quote "$0" "$@")
+              ${lib.shell.escape command} \
+              $WITHGETOPT_ORIG_ARGS \
             ")"
       fi
     fi
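Review bot: The remote command line now splices `$WITHGETOPT_ORIG_ARGS` in verbatim, so its correctness depends on that variable having been produced by `quote` in the withGetopt wrapper. Nothing visible in this hunk ensures that every entry point which sources `init.proxy` goes through the wrapper. Where it does not, a value inherited from the caller's environment would be re-parsed by the remote shell as is. Under the `set -efu` visible in the deploy script, an unset variable aborts, which is the safe outcome. State the invariant next to the use, e.g. `# set by the withGetopt wrapper, already shell-quoted; must not come from the caller's environment`. The body of `init.proxy` starts and ends outside this hunk.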

From 3c810fef8ac062689a76de26b782d57692ddac90 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Tue, 17 Oct 2017 20:25:20 +0200
Subject: [PATCH 7/7] populate: 1.2.4 -> 1.2.5

---
 krebs/5pkgs/simple/populate/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/krebs/5pkgs/simple/populate/default.nix b/krebs/5pkgs/simple/populate/default.nix
index 3989585ab..78ee2f042 100644
--- a/krebs/5pkgs/simple/populate/default.nix
+++ b/krebs/5pkgs/simple/populate/default.nix
@@ -13,12 +13,12 @@ in
 
 stdenv.mkDerivation rec {
   name = "populate";
-  version = "1.2.4";
+  version = "1.2.5";
 
   src = fetchgit {
     url = http://cgit.ni.krebsco.de/populate;
     rev = "refs/tags/v${version}";
-    sha256 = "0az41vaxfwrh9l19z3cbc7in8pylrnyc0xkzk6773xg2nj4g8a28";
+    sha256 = "10s4x117zp5whqq991xzw1i2jc1xhl580kx8hhzv8f1b4c9carx1";
   };
 
   phases = [