-rwxr-xr-xbin/copy-secrets2
-rw-r--r--modules/cd/default.nix24
-rw-r--r--modules/mkdir/default.nix26
-rw-r--r--modules/rmdir/default.nix28
-rw-r--r--modules/tv/exim-retiolum.nix4
-rw-r--r--modules/tv/nginx/config.nix4
-rw-r--r--modules/tv/retiolum.nix228
-rw-r--r--modules/tv/retiolum/config.nix131
-rw-r--r--modules/tv/retiolum/default.nix11
-rw-r--r--modules/tv/retiolum/options.nix87
-rw-r--r--modules/wu/default.nix31
11 files changed, 284 insertions, 292 deletions
diff --git a/bin/copy-secrets b/bin/copy-secrets
index 5ef94b09c..f38e9249e 100755
--- a/bin/copy-secrets
+++ b/bin/copy-secrets
@@ -15,7 +15,7 @@ if ! test -e "$secrets_rsync"; then
exit # nothing to do
fi
-retiolum_secret=$(nixos-query $system_name services.retiolum.privateKeyFile)
+retiolum_secret=$(nixos-query $system_name tv.retiolum.privateKeyFile)
retiolum_uid=$(nixos-query $system_name users.extraUsers.retiolum-tinc.uid)
ejabberd_secret=/etc/ejabberd/ejabberd.pem
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
index 21d9565f8..016f88324 100644
--- a/modules/cd/default.nix
+++ b/modules/cd/default.nix
@@ -16,7 +16,6 @@ in
../tv/ejabberd.nix # XXX echtes modul
../tv/exim-smarthost.nix
../tv/git/public.nix
- ../tv/retiolum.nix
../tv/sanitize.nix
{
imports = [ ../tv/iptables ];
@@ -34,6 +33,18 @@ in
];
};
}
+ {
+ imports = [ ../tv/retiolum ];
+ tv.retiolum = {
+ enable = true;
+ hosts = <retiolum-hosts>;
+ connectTo = [
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
];
# "Developer 2" plan has two vCPUs.
@@ -80,16 +91,5 @@ in
permitRootLogin = "yes";
};
- services.retiolum = {
- enable = true;
- hosts = <retiolum-hosts>;
- privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
- connectTo = [
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
-
sound.enable = false;
}
diff --git a/modules/mkdir/default.nix b/modules/mkdir/default.nix
index 9dc426dfe..964a3c4b2 100644
--- a/modules/mkdir/default.nix
+++ b/modules/mkdir/default.nix
@@ -15,7 +15,6 @@ in
../tv/base-cac-CentOS-7-64bit.nix
../tv/exim-smarthost.nix
../tv/git/public.nix
- ../tv/retiolum.nix
../tv/sanitize.nix
{
imports = [ ../tv/iptables ];
@@ -33,6 +32,19 @@ in
];
};
}
+ {
+ imports = [ ../tv/retiolum ];
+ tv.retiolum = {
+ enable = true;
+ hosts = <retiolum-hosts>;
+ connectTo = [
+ "cd"
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
];
nix.maxJobs = 1;
@@ -74,17 +86,5 @@ in
permitRootLogin = "yes";
};
- services.retiolum = {
- enable = true;
- hosts = <retiolum-hosts>;
- privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
- connectTo = [
- "cd"
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
-
sound.enable = false;
}
diff --git a/modules/rmdir/default.nix b/modules/rmdir/default.nix
index 9879fadfa..346618a04 100644
--- a/modules/rmdir/default.nix
+++ b/modules/rmdir/default.nix
@@ -15,7 +15,6 @@ in
../tv/base-cac-CentOS-7-64bit.nix
../tv/exim-smarthost.nix
../tv/git/public.nix
- ../tv/retiolum.nix
../tv/sanitize.nix
{
imports = [ ../tv/iptables ];
@@ -33,6 +32,20 @@ in
];
};
}
+ {
+ imports = [ ../tv/retiolum ];
+ tv.retiolum = {
+ enable = true;
+ hosts = <retiolum-hosts>;
+ connectTo = [
+ "cd"
+ "mkdir"
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+ }
];
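Review bot: The connectTo list in the new tv.retiolum block differs from the services.retiolum block it replaces beyond the rename: the removed list held `"rmdir"` (this host's own name) and the new one holds `"mkdir"`. Presumably the self-entry was a typo and the swap is intentional, but a commit presented as a module rename should call out the peer change explicitly in its message, since it alters which node this host dials out to. A one-line comment above the list such as `# peers: cd/mkdir are sibling CAC hosts, the rest are the public relays` would also make the intent recoverable later.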
nix.maxJobs = 1;
@@ -74,18 +87,5 @@ in
permitRootLogin = "yes";
};
- services.retiolum = {
- enable = true;
- hosts = <retiolum-hosts>;
- privateKeyFile = "/etc/tinc/retiolum/rsa_key.priv";
- connectTo = [
- "cd"
- "rmdir"
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
-
sound.enable = false;
}
diff --git a/modules/tv/exim-retiolum.nix b/modules/tv/exim-retiolum.nix
index e80358fcd..efab5cf32 100644
--- a/modules/tv/exim-retiolum.nix
+++ b/modules/tv/exim-retiolum.nix
@@ -4,9 +4,9 @@
services.exim =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
- assert config.services.retiolum.enable;
+ assert config.tv.retiolum.enable;
let
- # TODO get the hostname from config.services.retiolum.
+ # TODO get the hostname from config.tv.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum";
in
{ enable = true;
diff --git a/modules/tv/nginx/config.nix b/modules/tv/nginx/config.nix
index e5c3dd152..4bfd8ad28 100644
--- a/modules/tv/nginx/config.nix
+++ b/modules/tv/nginx/config.nix
@@ -15,10 +15,10 @@ in
{
services.nginx =
let
- name = config.services.retiolum.name;
+ name = config.tv.retiolum.name;
qname = "${name}.retiolum";
in
- assert config.services.retiolum.enable;
+ assert config.tv.retiolum.enable;
{
enable = true;
httpConfig = ''
diff --git a/modules/tv/retiolum.nix b/modules/tv/retiolum.nix
deleted file mode 100644
index 578547af6..000000000
--- a/modules/tv/retiolum.nix
+++ /dev/null
@@ -1,228 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
- ###### interface
-
- options = {
- services.retiolum = {
-
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable tinc daemon for Retiolum.";
- };
-
- name = mkOption {
- type = types.string;
- default = config.networking.hostName;
- # Description stolen from tinc.conf(5).
- description = ''
- This is the name which identifies this tinc daemon. It must
- be unique for the virtual private network this daemon will
- connect to. The Name may only consist of alphanumeric and
- underscore characters. If Name starts with a $, then the
- contents of the environment variable that follows will be
- used. In that case, invalid characters will be converted to
- underscores. If Name is $HOST, but no such environment
- variable exist, the hostname will be read using the
- gethostnname() system call This is the name which identifies
- the this tinc daemon.
- '';
- };
-
- generateEtcHosts = mkOption {
- type = types.string;
- default = "both";
- description = ''
- If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>,
- then generate entries in <filename>/etc/hosts</filename> from subnets.
- '';
- };
-
- network = mkOption {
- type = types.string;
- default = "retiolum";
- description = ''
- The tinc network name.
- It is used to generate long host entries,
- derive the name of the user account under which tincd runs,
- and name the TUN device.
- '';
- };
-
- tincPackage = mkOption {
- type = types.package;
- default = pkgs.tinc;
- description = "Tincd package to use.";
- };
-
- hosts = mkOption {
- default = null;
- description = ''
- Hosts package or path to use.
- If a path is given, then it will be used to generate an ad-hoc package.
- '';
- };
-
- iproutePackage = mkOption {
- type = types.package;
- default = pkgs.iproute;
- description = "Iproute2 package to use.";
- };
-
-
- privateKeyFile = mkOption {
- # TODO if it's types.path then it gets copied to /nix/store with
- # bad unsafe permissions...
- type = types.string;
- default = "/etc/tinc/retiolum/rsa_key.priv";
- description = "Generate file with <literal>tincd -K</literal>.";
- };
-
- connectTo = mkOption {
- type = types.listOf types.string;
- default = [ "fastpoke" "pigstarter" "kheurop" ];
- description = "TODO describe me";
- };
-
- };
- };
-
-
- ###### implementation
-
- config =
- let
- cfg = config.services.retiolum;
- tinc = cfg.tincPackage;
- hostsType = builtins.typeOf cfg.hosts;
- hosts =
- if hostsType == "package" then
- # use package as is
- cfg.hosts
- else if hostsType == "path" then
- # use path to generate a package
- pkgs.stdenv.mkDerivation {
- name = "custom-retiolum-hosts";
- src = cfg.hosts;
- installPhase = ''
- mkdir $out
- find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
- '';
- }
- else
- abort "The option `services.retiolum.hosts' must be set to a package or a path"
- ;
- iproute = cfg.iproutePackage;
-
- retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
- { }
- ''
- generate() {
- (cd ${hosts}
- printf \'\'
- for i in `ls`; do
- names=$(hostnames $i)
- for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do
- names="$names $(hostnames $j)"
- done
- sed -En '
- s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p
- ' $i
- done | sort
- printf \'\'
- )
- }
-
- case ${cfg.generateEtcHosts} in
- short)
- hostnames() { echo "$1"; }
- generate
- ;;
- long)
- hostnames() { echo "$1.${cfg.network}"; }
- generate
- ;;
- both)
- hostnames() { echo "$1.${cfg.network} $1"; }
- generate
- ;;
- *)
- echo '""'
- ;;
- esac > $out
- '');
-
-
- confDir = pkgs.runCommand "retiolum" {
- # TODO text
- executable = true;
- preferLocalBuild = true;
- } ''
- set -euf
-
- mkdir -p $out
-
- ln -s ${hosts} $out/hosts
-
- cat > $out/tinc.conf <<EOF
- Name = ${cfg.name}
- Device = /dev/net/tun
- Interface = ${cfg.network}
- ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}
- PrivateKeyFile = ${cfg.privateKeyFile}
- EOF
-
- # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up
- cat > $out/tinc-up <<EOF
- host=$out/hosts/${cfg.name}
- ${iproute}/sbin/ip link set \$INTERFACE up
-
- addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)
- if [ -n "\$addr4" ];then
- ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE
- ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE
- fi
- addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)
- ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE
- ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE
- EOF
-
- chmod +x $out/tinc-up
- '';
-
-
- user = cfg.network + "-tinc";
-
- in
-
- mkIf cfg.enable {
- environment.systemPackages = [ tinc hosts iproute ];
-
- networking.extraHosts = retiolumExtraHosts;
-
- systemd.services.retiolum = {
- description = "Tinc daemon for Retiolum";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- path = [ tinc iproute ];
- serviceConfig = {
- # TODO we cannot chroot (-R) b/c we use symlinks to hosts
- # and the private key.
- ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";
- SyslogIdentifier = "retiolum-tincd";
- };
- restartIfChanged = true;
- };
-
- users.extraUsers = singleton {
- name = user;
- uid = 42; # TODO config.ids.uids.retiolum
- };
-
- };
-
-}
diff --git a/modules/tv/retiolum/config.nix b/modules/tv/retiolum/config.nix
new file mode 100644
index 000000000..9d774c051
--- /dev/null
+++ b/modules/tv/retiolum/config.nix
@@ -0,0 +1,131 @@
+{ cfg, config, lib, pkgs, ... }:
+
+let
+ inherit (lib) concatStrings singleton;
+
+ tinc = cfg.tincPackage;
+ hostsType = builtins.typeOf cfg.hosts;
+ hosts =
+ if hostsType == "package" then
+ # use package as is
+ cfg.hosts
+ else if hostsType == "path" then
+ # use path to generate a package
+ pkgs.stdenv.mkDerivation {
+ name = "custom-retiolum-hosts";
+ src = cfg.hosts;
+ installPhase = ''
+ mkdir $out
+ find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
+ '';
+ }
+ else
+ abort "The option `services.retiolum.hosts' must be set to a package or a path"
+ ;
+ iproute = cfg.iproutePackage;
+
+ retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
+ { }
+ ''
+ generate() {
+ (cd ${hosts}
+ printf \'\'
+ for i in `ls`; do
+ names=$(hostnames $i)
+ for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do
+ names="$names $(hostnames $j)"
+ done
+ sed -En '
+ s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p
+ ' $i
+ done | sort
+ printf \'\'
+ )
+ }
+
+ case ${cfg.generateEtcHosts} in
+ short)
+ hostnames() { echo "$1"; }
+ generate
+ ;;
+ long)
+ hostnames() { echo "$1.${cfg.network}"; }
+ generate
+ ;;
+ both)
+ hostnames() { echo "$1.${cfg.network} $1"; }
+ generate
+ ;;
+ *)
+ echo '""'
+ ;;
+ esac > $out
+ '');
+
+
+ confDir = pkgs.runCommand "retiolum" {
+ # TODO text
+ executable = true;
+ preferLocalBuild = true;
+ } ''
+ set -euf
+
+ mkdir -p $out
+
+ ln -s ${hosts} $out/hosts
+
+ cat > $out/tinc.conf <<EOF
+ Name = ${cfg.name}
+ Device = /dev/net/tun
+ Interface = ${cfg.network}
+ ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}
+ PrivateKeyFile = ${cfg.privateKeyFile}
+ EOF
+
+ # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up
+ cat > $out/tinc-up <<EOF
+ host=$out/hosts/${cfg.name}
+ ${iproute}/sbin/ip link set \$INTERFACE up
+
+ addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)
+ if [ -n "\$addr4" ];then
+ ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE
+ ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE
+ fi
+ addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)
+ ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE
+ ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE
+ EOF
+
+ chmod +x $out/tinc-up
+ '';
+
+
+ user = cfg.network + "-tinc";
+
+in
+
+{
+ environment.systemPackages = [ tinc hosts iproute ];
+
+ networking.extraHosts = retiolumExtraHosts;
+
+ systemd.services.retiolum = {
+ description = "Tinc daemon for Retiolum";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ tinc iproute ];
+ serviceConfig = {
+ # TODO we cannot chroot (-R) b/c we use symlinks to hosts
+ # and the private key.
+ ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";
+ SyslogIdentifier = "retiolum-tincd";
+ };
+ restartIfChanged = true;
+ };
+
+ users.extraUsers = singleton {
+ name = user;
+ uid = 2961822815; # bin/genid retiolum-tinc
+ };
+}
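Review bot: The abort message in the hosts dispatch still names the pre-rename option path ("The option `services.retiolum.hosts' must be set ..."); with the option now living under tv.retiolum, a user who leaves hosts unset is sent to an option that no longer exists, so the string should read tv.retiolum.hosts. In the generated tinc-up, `$addr4` is guarded by `if [ -n "$addr4" ]` but `$addr6` is added unconditionally, so a host file without a 42: subnet makes `ip -6 addr add dev $INTERFACE` fail with a usage error; mirroring the IPv4 guard would be safer. The new uid 2961822815 exceeds 2^31-1; it is a valid uid_t, but it is worth confirming that nothing consuming `users.extraUsers.retiolum-tinc.uid` (copy-secrets queries it) treats uids as signed 32-bit.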
diff --git a/modules/tv/retiolum/default.nix b/modules/tv/retiolum/default.nix
new file mode 100644
index 000000000..93b0be097
--- /dev/null
+++ b/modules/tv/retiolum/default.nix
@@ -0,0 +1,11 @@
+arg@{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.tv.retiolum;
+ arg' = arg // { inherit cfg; };
+in
+
+{
+ options.tv.retiolum = import ./options.nix arg';
+ config = lib.mkIf cfg.enable (import ./config.nix arg');
+}
diff --git a/modules/tv/retiolum/options.nix b/modules/tv/retiolum/options.nix
new file mode 100644
index 000000000..a06cbecef
--- /dev/null
+++ b/modules/tv/retiolum/options.nix
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkOption types;
+in
+
+{
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Enable tinc daemon for Retiolum.";
+ };
+
+ name = mkOption {
+ type = types.string;
+ default = config.networking.hostName;
+ # Description stolen from tinc.conf(5).
+ description = ''
+ This is the name which identifies this tinc daemon. It must
+ be unique for the virtual private network this daemon will
+ connect to. The Name may only consist of alphanumeric and
+ underscore characters. If Name starts with a $, then the
+ contents of the environment variable that follows will be
+ used. In that case, invalid characters will be converted to
+ underscores. If Name is $HOST, but no such environment
+ variable exist, the hostname will be read using the
+ gethostnname() system call This is the name which identifies
+ the this tinc daemon.
+ '';
+ };
+
+ generateEtcHosts = mkOption {
+ type = types.string;
+ default = "both";
+ description = ''
+ If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>,
+ then generate entries in <filename>/etc/hosts</filename> from subnets.
+ '';
+ };
+
+ network = mkOption {
+ type = types.string;
+ default = "retiolum";
+ description = ''
+ The tinc network name.
+ It is used to generate long host entries,
+ derive the name of the user account under which tincd runs,
+ and name the TUN device.
+ '';
+ };
+
+ tincPackage = mkOption {
+ type = types.package;
+ default = pkgs.tinc;
+ description = "Tincd package to use.";
+ };
+
+ hosts = mkOption {
+ default = null;
+ description = ''
+ Hosts package or path to use.
+ If a path is given, then it will be used to generate an ad-hoc package.
+ '';
+ };
+
+ iproutePackage = mkOption {
+ type = types.package;
+ default = pkgs.iproute;
+ description = "Iproute2 package to use.";
+ };
+
+
+ privateKeyFile = mkOption {
+ # TODO if it's types.path then it gets copied to /nix/store with
+ # bad unsafe permissions...
+ type = types.string;
+ default = "/etc/tinc/retiolum/rsa_key.priv";
+ description = "Generate file with <literal>tincd -K</literal>.";
+ };
+
+ connectTo = mkOption {
+ type = types.listOf types.string;
+ default = [ "fastpoke" "pigstarter" "kheurop" ];
+ description = "TODO describe me";
+ };
+
+}
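Review bot: The privateKeyFile option is deliberately typed as a string rather than a path, but only the inline TODO explains why, and the user-facing description says nothing about it. Since a path literal would be copied into the world-readable /nix/store, the description should carry the warning, e.g. `description = "Path to the tinc private key as a string (not a Nix path literal, which would copy the key into the world-readable store). Generate it with tincd -K.";`. The `hosts` option also has no `type`, so a wrong value is only rejected by the abort in config.nix at evaluation time rather than by the option system; a `type = types.nullOr (types.either types.package types.path)` would surface the error at the option, if that combinator is available in the nixpkgs this tracks.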
diff --git a/modules/wu/default.nix b/modules/wu/default.nix
index f72314696..54b8587c5 100644
--- a/modules/wu/default.nix
+++ b/modules/wu/default.nix
@@ -14,7 +14,6 @@ in
../common/nixpkgs.nix
../tv/base.nix
../tv/exim-retiolum.nix
- ../tv/retiolum.nix
../tv/sanitize.nix
../tv/smartd.nix
../tv/synaptics.nix
@@ -44,6 +43,17 @@ in
];
};
}
+ {
+ imports = [ ../tv/retiolum ];
+ tv.retiolum = {
+ enable = true;
+ hosts = <retiolum-hosts>;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ ];
+ };
+ }
];
nix.maxJobs = 8;
@@ -342,25 +352,6 @@ in
# '';
#};
- services.retiolum = {
- enable = true;
- hosts = <retiolum-hosts>;
- connectTo = [
- "gum"
- "pigstarter"
- ];
- };
-
- # TODO
- #services.tinc = {
- # enable = true;
- # network = "retiolum";
- # hosts = /home/tv/krebs/hosts;
- # privateKeyFile = /etc/tinc/retiolum/rsa_key.priv;
- # connectTo = [ "fastpoke" "pigstarter" "kheurop" ];
- #};
-
-
security.rtkit.enable = false;
services.nscd.enable = false;
services.ntp.enable = false;