Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors.nix3
-rw-r--r--lass/1systems/uriel.nix18
-rw-r--r--lass/2configs/downloading.nix67
-rw-r--r--lass/2configs/fastpoke-pages.nix10
-rw-r--r--lass/2configs/wordpress.nix59
-rw-r--r--lass/3modules/folderPerms.nix104
6 files changed, 246 insertions, 15 deletions
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index e7edcccea..e7f8d5276 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -20,6 +20,7 @@
../2configs/new-repos.nix
#../../2configs/tv/synaptics.nix
../2configs/retiolum.nix
+ ../2configs/wordpress.nix
];
krebs.build = {
@@ -29,7 +30,7 @@
deps = {
nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
- rev = "1879a011925c561f0a7fd4043da0768bbff41d0b";
+ rev = "961fd7b7a0f88dde7dac2f7a4c05ee4e1a25381d";
};
secrets = {
url = "/home/lass/secrets/${config.krebs.build.host.name}";
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 74d995560..041b891b6 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -3,15 +3,15 @@
with builtins;
{
imports = [
- ../../2configs/lass/desktop-base.nix
- ../../2configs/lass/browsers.nix
- ../../2configs/lass/games.nix
- ../../2configs/lass/pass.nix
- ../../2configs/lass/urxvt.nix
- ../../2configs/lass/bird.nix
- ../../2configs/lass/new-repos.nix
- ../../2configs/lass/chromium-patched.nix
- ../../2configs/lass/retiolum.nix
+ ../2configs/desktop-base.nix
+ ../2configs/browsers.nix
+ ../2configs/games.nix
+ ../2configs/pass.nix
+ ../2configs/urxvt.nix
+ ../2configs/bird.nix
+ ../2configs/new-repos.nix
+ ../2configs/chromium-patched.nix
+ ../2configs/retiolum.nix
{
users.extraUsers = {
root = {
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
new file mode 100644
index 000000000..e6d31a6c4
--- /dev/null
+++ b/lass/2configs/downloading.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../3modules/iptables.nix
+ ../3modules/folderPerms.nix
+ ];
+
+ users.extraUsers = {
+ download = {
+ name = "download";
+ home = "/var/download";
+ createHome = true;
+ extraGroups = [
+ "download"
+ ];
+ };
+
+ transmission = {
+ extraGroups = [
+ "download"
+ ];
+ };
+ };
+
+ users.extraGroups = {
+ download = {
+ members = [
+ "download"
+ "transmission"
+ ];
+ };
+ };
+
+ services.transmission = {
+ enable = true;
+ settings = {
+ download-dir = "/var/download/finished";
+ incomplete-dir = "/var/download/incoming";
+ incomplete-dir-enabled = true;
+
+ rpc-authentication-required = true;
+ rpc-whitelist-enabled = false;
+ rpc-username = "download";
+ #add rpc-password in secrets
+ rpc-password = "test123";
+ };
+ };
+
+ lass.iptables = {
+ enable = true;
+ tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
+ ];
+ };
+
+ lass.folderPerms = {
+ enable = true;
+ permissions = [
+ {
+ path = "/var/download";
+ permission = "775";
+ owner = "transmission:download";
+ }
+ ];
+ };
+}
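Review bot: The Transmission RPC password `test123` on the `rpc-password` line is committed in plaintext, and the `#add rpc-password in secrets` comment right above it shows the author knew it belonged in the secrets tree that mors.nix already references — yet the commit ships it anyway, and since NixOS normally renders `services.transmission.settings` into a file in the world-readable Nix store it is presumably readable by every local user as well. Combined with `rpc-whitelist-enabled = false` and the unconditional `{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }` in `lass.iptables`, the RPC is reachable from every interface, so anyone who guesses the password can add torrents and write into /var/download as the transmission user. Until the password is loaded from the secrets path, keep the whitelist on and scope the firewall rule to the interface it is meant for, e.g. `{ predicate = "-i retiolum -p tcp --dport 9091"; target = "ACCEPT"; }` — confirm the interface name against retiolum.nix, which is not in this diff. The chmod `775` on /var/download is also applied non-recursively, so the `finished`/`incoming` subdirectories Transmission creates get whatever mode Transmission uses, which this config does not control.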
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
index 9c80fa77a..1c8106a88 100644
--- a/lass/2configs/fastpoke-pages.nix
+++ b/lass/2configs/fastpoke-pages.nix
@@ -20,8 +20,8 @@ let
# 10.243.206.102 ${domain}
#'';
users.extraUsers = {
- "${domain}" = {
- name = "${domain}";
+ ${domain} = {
+ name = domain;
home = "/var/lib/http/${domain}";
createHome = true;
};
@@ -90,9 +90,9 @@ in {
};
};
- services.postgresql = {
- enable = true;
- };
+ #services.postgresql = {
+ # enable = true;
+ #};
#config.services.vsftpd = {
# enable = true;
diff --git a/lass/2configs/wordpress.nix b/lass/2configs/wordpress.nix
new file mode 100644
index 000000000..9458deb38
--- /dev/null
+++ b/lass/2configs/wordpress.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+
+{
+ containers.wordpress = {
+ privateNetwork = true;
+ hostAddress = "192.168.101.1";
+ localAddress = "192.168.101.2";
+
+ config = {
+ imports = [
+ ../3modules/iptables.nix
+ ];
+
+ lass.iptables = {
+ enable = true;
+ tables = {
+ filter.INPUT.policy = "DROP";
+ filter.FORWARD.policy = "DROP";
+ filter.INPUT.rules = [
+ { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+ { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+ { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+ { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
+ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
+ ];
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ iptables
+ ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql;
+ };
+
+ services.httpd = {
+ enable = true;
+ adminAddr = "root@apanowicz.de";
+ extraModules = [
+ { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
+ ];
+ virtualHosts = [
+ {
+ hostName = "wordpress";
+ serverAliases = [ "wordpress" "www.wordpress" ];
+
+ extraSubservices = [
+ {
+ serviceName = "wordpress";
+ }
+ ];
+ }
+ ];
+ };
+ };
+ };
+}
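Review bot: The container firewall opens tcp/22 with `{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }`, but nothing in the container's `config` enables an SSH daemon, so this is an accepted port with no stated purpose; either drop the rule or add a comment such as `# sshd is enabled by <module>, keep in sync` naming the service it is for. Separately, `services.postgresql` is enabled inside the container while the Apache `wordpress` subservice is configured with no database options at all — if the subservice at this nixpkgs rev provisions its own MySQL database with built-in default credentials (as older versions of that module did), the PostgreSQL instance is unused and the effective database password is whatever the module defaults to; confirm against the pinned nixpkgs and set the db options explicitly rather than relying on defaults. The vhost also serves plain HTTP only, which is fine for a private-network container but worth a one-line comment so the WordPress admin login is not later exposed unencrypted by a host-side forward.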
diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix
new file mode 100644
index 000000000..bb0320327
--- /dev/null
+++ b/lass/3modules/folderPerms.nix
@@ -0,0 +1,104 @@
+{ config, lib, pkgs, ... }:
+
+#TODO: implement recursive mode maybe?
+# enable different mods for files and folders
+
+let
+ inherit (pkgs)
+ writeScript
+ ;
+
+ inherit (lib)
+ concatMapStringsSep
+ concatStringsSep
+ mkEnableOption
+ mkIf
+ mkOption
+ types
+ ;
+
+ cfg = config.lass.folderPerms;
+
+ out = {
+ options.lass.folderPerms = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "folder permissions";
+ permissions = mkOption {
+ type = with types; listOf (submodule ({
+ options = {
+ path = mkOption {
+ type = str;
+ };
+ permission = mkOption {
+ type = nullOr str;
+ example = "755";
+ description = ''
+ basically anything that chmod takes as permission
+ '';
+ default = null;
+ };
+ owner = mkOption {
+ type = nullOr str;
+ example = "root:root";
+ description = ''
+ basically anything that chown takes as owner
+ '';
+ default = null;
+ };
+ };
+ }));
+ };
+ };
+
+ imp = {
+ systemd.services.lass-folderPerms = {
+ description = "lass-folderPerms";
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [
+ coreutils
+ ];
+
+ restartIfChanged = true;
+
+ serviceConfig = {
+ type = "simple";
+ RemainAfterExit = true;
+ Restart = "always";
+ ExecStart = "@${startScript}";
+ };
+ };
+ };
+
+ startScript = writeScript "lass-folderPerms" ''
+ ${concatMapStringsSep "\n" writeCommand cfg.permissions}
+ '';
+
+ writeCommand = fperm:
+ concatStringsSep "\n" [
+ (buildPermission fperm)
+ (buildOwner fperm)
+ ];
+
+ buildPermission = perm:
+ #TODO: create folder maybe
+ #TODO: check if permission is valid
+ if (perm.permission == null) then
+ ""
+ else
+ "chmod ${perm.permission} ${perm.path}"
+ ;
+
+ buildOwner = perm:
+ #TODO: create folder maybe
+ #TODO: check if owner/group valid
+ if (perm.owner == null) then
+ ""
+ else
+ "chown ${perm.owner} ${perm.path}"
+ ;
+
+in out
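Review bot: `type = "simple"` in `serviceConfig` is not the systemd key — the directive is `Type`, so this lowercase key is presumably emitted as an unknown directive and the unit silently falls back to the default; since the script runs once and relies on `RemainAfterExit = true`, it should be `Type = "oneshot";`, and `Restart = "always";` should then be removed (older systemd rejects any Restart= other than `no` on oneshot units, and a run-once fixup does not need it). The generated commands `chmod ${perm.permission} ${perm.path}` and `chown ${perm.owner} ${perm.path}` interpolate the configured path unquoted into a script that runs as root, so a path containing whitespace or glob characters is word-split or expanded; quote both as `"${perm.path}"` (or use `lib.escapeShellArg` if the pinned nixpkgs provides it), and do the same for `permission` and `owner` until the `#TODO: check if ... valid` validation exists. The file produced by `writeScript` also starts directly with the commands and has no `#!` line, so confirm that `ExecStart = "@${startScript}"` can actually execute it, or prefix the script with `#!${pkgs.stdenv.shell}`.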