Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2022-02-01 13:54:09 +01:00
commit c564c4f0f4
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
10 changed files with 78 additions and 44 deletions

55
krebs/3modules/acl.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }: let
parents = dir:
if dir == "/" then
[ dir ]
else
[ dir ] ++ parents (builtins.dirOf dir)
;
in {
options.krebs.acl = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
options = {
rule = lib.mkOption {
type = lib.types.str;
default = config._module.args.name;
};
default = lib.mkOption {
type = lib.types.bool;
default = !config.parents;
};
recursive = lib.mkOption {
type = lib.types.bool;
default = !config.parents;
};
parents = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
apply ACL to every parent folder
'';
};
};
})));
default = {};
};
config = {
systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
wantedBy = [ "multi-user.target" ];
path = [
pkgs.acl
pkgs.coreutils
];
serviceConfig = {
ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
lib.mapAttrsToList (_: rule: ''
setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
'') rules
));
RemainAfterExit = true;
Type = "simple";
};
}) config.krebs.acl;
};
}

View file

@ -166,6 +166,8 @@ let
nick = "buildbot|${hostname}",
notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
channels = [{"channel": "#xxx"}],
showBlameList = True,
authz={'force': True},
)
''];

View file

@ -6,6 +6,7 @@ let
out = {
imports = [
./acl.nix
./airdcpp.nix
./announce-activation.nix
./apt-cacher-ng.nix
@ -19,13 +20,13 @@ let
./current.nix
./dns.nix
./ergo.nix
./exim.nix
./exim-retiolum.nix
./exim-smarthost.nix
./exim.nix
./fetchWallpaper.nix
./git.nix
./github-hosts-sync.nix
./github-known-hosts.nix
./git.nix
./go.nix
./hidden-ssh.nix
./hosts.nix
@ -38,11 +39,12 @@ let
./nixpkgs.nix
./on-failure.nix
./os-release.nix
./permown.nix
./per-user.nix
./permown.nix
./power-action.nix
./reaktor2.nix
./realwallpaper.nix
./repo-sync.nix
./retiolum-bootstrap.nix
./rtorrent.nix
./secret.nix
@ -55,7 +57,6 @@ let
./tinc_graphs.nix
./upstream
./urlwatch.nix
./repo-sync.nix
./xresources.nix
./zones.nix
];
@ -102,13 +103,13 @@ let
imp = lib.mkMerge [
{ krebs = import ./external { inherit config; }; }
{ krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./jeschli { inherit config; }; }
{ krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; }
{ krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; }
{
krebs.dns.providers = {

View file

@ -279,25 +279,6 @@ in {
'';
};
};
philipsaendig = {
owner = config.krebs.users.mic92;
nets.retiolum = {
ip4.addr = "10.243.29.193";
aliases = [
"philipsaendig.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
+wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
yasmin = {
owner = config.krebs.users.mic92;
nets.internet = {
@ -306,7 +287,6 @@ in {
aliases = [ "yasmin.i" ];
};
nets.retiolum = {
ip4.addr = "10.243.29.197";
aliases = [
"yasmin.r"
];
@ -414,7 +394,6 @@ in {
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.195";
aliases = [ "bill.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -445,7 +424,6 @@ in {
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.173";
aliases = [ "nardole.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -470,7 +448,6 @@ in {
owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.171";
aliases = [
"rock.r"
];
@ -736,7 +713,6 @@ in {
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.198";
aliases = [ "ryan.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -764,7 +740,6 @@ in {
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.199";
aliases = [ "graham.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----

View file

@ -219,6 +219,9 @@ in {
retiolum = {
via = internet;
ip4.addr = "10.243.0.213";
# never connect via gum (he eats your packets!)
tinc.weight = 9001;
aliases = [
"gum.r"
"backup.makefu.r"

View file

@ -97,7 +97,7 @@ in {
${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
'';
services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
services.syncthing.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
devices = ctr.peers;
ignorePerms = false;
})) cfg.containers);

View file

@ -48,7 +48,7 @@ with import <stockholm/lib>;
};
extraConfig = mkOption {
type = types.str;
type = types.lines;
default = "";
description = ''
Extra Configuration to be appended to tinc.conf
@ -233,6 +233,7 @@ with import <stockholm/lib>;
cfg.iproutePackage
cfg.tincPackage
];
reloadIfChanged = true;
serviceConfig = {
Restart = "always";
LoadCredential = filter (x: x != "") [
@ -260,7 +261,7 @@ with import <stockholm/lib>;
"-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key"
"--pidfile=/var/run/tinc.${netname}.pid"
];
ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload";
ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart";
SyslogIdentifier = netname;
};
}) config.krebs.tinc;

View file

@ -28,9 +28,6 @@
'';
};
# never connect via gum (he eats our packets!)
krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
};

View file

@ -1,9 +1,9 @@
{
services.syncthing.folders.the_playlist = {
path = "/home/lass/tmp/the_playlist";
devices = [ "mors" "phone" "prism" ];
devices = [ "mors" "phone" "prism" "omo" ];
};
lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
lass.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {};
krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
krebs.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {};
}

View file

@ -7,7 +7,7 @@ let
mkOptionType optional optionalAttrs optionals range splitString
stringLength substring test testString typeOf;
inherit (lib.types)
attrsOf bool either enum int listOf nullOr path str submodule;
attrsOf bool either enum int lines listOf nullOr path str submodule;
in
rec {
@ -211,7 +211,7 @@ rec {
extraConfig = mkOption {
description = "Extra Configuration to be appended to the hosts file";
default = "";
type = str;
type = lines;
};
port = mkOption {
type = int;