Diffstat (limited to 'krebs/3modules')
| -rw-r--r-- | krebs/3modules/github/known-hosts.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/hosts.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/iptables.nix | 8 | ||||
| -rw-r--r-- | krebs/3modules/per-user.nix | 7 | ||||
| -rw-r--r-- | krebs/3modules/permown.nix | 6 | ||||
| -rw-r--r-- | krebs/3modules/reaktor2.nix | 6 | ||||
| -rw-r--r-- | krebs/3modules/setuid.nix | 7 | ||||
| -rw-r--r-- | krebs/3modules/ssh.nix | 38 | ||||
| -rw-r--r-- | krebs/3modules/tinc.nix | 20 | ||||
| -rw-r--r-- | krebs/3modules/urlwatch.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/zones.nix | 3 |
11 files changed, 67 insertions, 31 deletions
diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix index 3725ff2b8..6f10452e9 100644 --- a/krebs/3modules/github/known-hosts.nix +++ b/krebs/3modules/github/known-hosts.nix @@ -8,4 +8,5 @@ ; publicKey = "ssh-rsa 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"; }; + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl } diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix index 51aeefb9f..148b58d14 100644 --- a/krebs/3modules/hosts.nix +++ b/krebs/3modules/hosts.nix @@ -2,7 +2,6 @@ with lib; let check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers); - # we need this import because we have infinite recursion otherwise slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 16f1f3c84..1cde42dc3 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -19,6 +19,14 @@ let api = { enable = mkEnableOption "iptables"; + rules4 = mkOption { + default = buildTables "v4" cfg.tables; + }; + + rules6 = mkOption { + default = buildTables "v6" cfg.tables; + }; + #tables.filter.INPUT = { # policy = "DROP"; # rules = [ diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index c0368ee85..f83a29acb 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -28,7 +28,12 @@ in { }; }) (filterAttrs (_: per-user: per-user.packages != []) cfg); - profiles = ["/etc/per-user/$LOGNAME"]; + + # XXX this breaks /etc/pam/environment because $LOGNAME doesn't get + # replaced by @{PAM_USER} the way $USER does. + # See <nixpkgs/nixos/modules/config/system-environment.nix> + #profiles = ["/etc/per-user/$LOGNAME"]; + profiles = ["/etc/per-user/$USER"]; }; }; } diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix index d65ce2a31..51f5cb752 100644 
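Review bot: The ssh-ed25519 key added at the end of known-hosts.nix is only a comment, so it is never part of the attribute set this file evaluates to and a client that negotiates ssh-ed25519 for github.com still has nothing pinned. If the intent is to trust it, add it as a second entry next to the RSA one with the same `hostNames` list, e.g. `github-ed25519 = { hostNames = …; publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; };`, after checking the fingerprint against GitHub's published host keys. If it is parked deliberately, say why in the comment. The attribute set this hunk closes starts outside the hunk, so the RSA entry's hostNames are not visible here.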
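Review bot: `rules4` and `rules6` in iptables.nix are declared with only a `default`, so they have no `type` and no `description`; a user override is merged unchecked and the option does not show up in generated docs. Assuming `buildTables` yields the iptables-restore text (it is not visible here), `type = types.lines;` plus a one-line `description = "Generated IPv4 rules (override to bypass tables)."` on each would pin that down. The `api` set continues past the hunk.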
--- a/krebs/3modules/permown.nix +++ b/krebs/3modules/permown.nix @@ -73,6 +73,12 @@ with lib; { pkgs.findutils pkgs.inotify-tools ]; + # TODO + # der code könnte aber bisschen vorbereitet werden, damit man später einfach file-modes einbauen kann + # die drei finds müssten zu `find "$ROOT_PATH" -exec ${permown}` {} \;` werden + # und der while-block zu: + # ${permown} "$path" (egal ob vor oder nach dem if test -d) + # und dann müsste man danach nur das permown script bearbeiten serviceConfig = { ExecStart = pkgs.writeDash "permown" '' set -efu diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix index b977df99a..d552178f9 100644 --- a/krebs/3modules/reaktor2.nix +++ b/krebs/3modules/reaktor2.nix @@ -69,6 +69,12 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { Group = "reaktor2"; DynamicUser = true; StateDirectory = cfg.username; + #ExecStartPre = [ + # (pkgs.writeDash "test-dynamic-user" '' + # set -efux + # ${pkgs.coreutils}/bin/id + # '') + #]; ExecStart = let configFile = pkgs.writers.writeJSON configFileName configValue; configFileName = "${cfg.systemd-service-name}.config.json"; diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index ce41548ae..d13fcccaa 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -33,7 +33,7 @@ let }; capabilities = mkOption { default = []; - type = types.listOf types.str; + type = types.listOf types.str; # TODO }; owner = mkOption { default = "root"; @@ -52,6 +52,8 @@ let merge = mergeOneOption; }; }; + # TODO clear non-standard wrapperDirs + # TODO? allow only wrapperDirs below /run/wrappers? wrapperDir = mkOption { default = config.security.wrapperDir; type = types.absolute-pathname; 
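Review bot: The TODO comment added above `serviceConfig` in permown.nix is written in German while every other comment touched by this change is in English, and it has a stray backtick after `${permown}`. Suggest restating it in English in a sentence: the three `find` calls and the `while` loop should each hand the path to a single `permown` helper (`find "$ROOT_PATH" -exec ${permown} {} \;` and `${permown} "$path"`), so that adding file-mode handling later only touches that helper. The service definition the hunk sits in starts before the hunk.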
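Review bot: The two TODOs added above `wrapperDir` in setuid.nix name the right concern but leave the option unrestricted: a wrapper written to a directory other than the one NixOS manages for wrappers ends up on a persistent filesystem and is neither refreshed nor cleaned up with the rest of the wrappers, so a stale setuid binary can outlive the generation that created it. If restricting is wanted, `type = types.addCheck types.absolute-pathname (hasPrefix "/run/wrappers/");` rejects other locations at evaluation time (assuming `hasPrefix` from lib is in scope like the other lib helpers used here). The bare `# TODO` on `capabilities` should say what is missing; presumably a stricter element type than `types.str`. The option set continues past the hunk.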
@@ -73,13 +75,16 @@ let chown ${cfg.owner}:${cfg.group} ${dst} chmod ${cfg.mode} ${dst} ${optionalString (cfg.capabilities != []) /* sh */ '' + set -x ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst} + set +x ''} ''; })); }; imp = { + # run after "wrappers" so config.security.wrapperDir can be hijacked. systemd.services."krebs.setuid" = { wantedBy = [ "suid-sgid-wrappers.service" ]; after = [ "suid-sgid-wrappers.service" ]; diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix index aba825c29..012b365fb 100644 --- a/krebs/3modules/ssh.nix +++ b/krebs/3modules/ssh.nix @@ -62,24 +62,26 @@ let } ])); - programs.ssh.extraConfig = concatMapStrings - (net: '' - Host ${toString (net.aliases ++ net.addrs)} - Port ${toString net.ssh.port} - '') - (filter - (net: net.ssh.port != 22) - (concatMap (host: attrValues host.nets) - (mapAttrsToList - (_: host: recursiveUpdate host - (optionalAttrs (cfg.dns.search-domain != null && - hasAttr cfg.dns.search-domain host.nets) { - nets."" = host.nets.${cfg.dns.search-domain} // { - aliases = [host.name]; - addrs = []; - }; - })) - config.krebs.hosts))); + programs.ssh.extraConfig = + mkBefore/*<-KILLME*/ + (concatMapStrings + (net: '' + Host ${toString (net.aliases ++ net.addrs)} + Port ${toString net.ssh.port} + '') + (filter + (net: net.ssh.port != 22) + (concatMap (host: attrValues host.nets) + (mapAttrsToList + (_: host: recursiveUpdate host + (optionalAttrs (cfg.dns.search-domain != null && + hasAttr cfg.dns.search-domain host.nets) { + nets."" = host.nets.${cfg.dns.search-domain} // { + aliases = [host.name]; + addrs = []; + }; + })) + config.krebs.hosts)))); } ]; diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 02b3eeb9d..65f4f6a2b 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix 
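Review bot: The added comment `# run after "wrappers" so config.security.wrapperDir can be hijacked.` reads as if the module deliberately subverts the wrapper directory; what the `after = [ "suid-sgid-wrappers.service" ]` ordering presumably guarantees is that these wrappers are installed only after that service has (re)populated the directory, so they are not wiped by it. Suggest `# Order after suid-sgid-wrappers.service: it (re)creates config.security.wrapperDir, so our wrappers must be written afterwards or they would be lost.` The `set -x`/`set +x` pair around setcap also prints every setcap command line to the journal on each run; if that is meant to stay, a short comment saying so stops the next reader from removing it. The service script this hunk edits starts before the hunk.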
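Review bot: `mkBefore/*<-KILLME*/` in ssh.nix leaves a dangling marker where the reason belongs: ssh_config uses the first obtained value for each parameter, so these `Host`/`Port` stanzas only take effect if they precede any broader `Host *` block contributed by other modules, which is exactly what `mkBefore` provides. Replace the marker with `# mkBefore: ssh_config takes the first value it finds per parameter, so these Port lines must precede any Host * defaults.` If the marker means mkBefore should go once the ordering is handled elsewhere, say where. The enclosing module starts before the hunk.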
@@ -1,5 +1,6 @@ -{ config, pkgs, lib, ... }: -with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { +{ config, pkgs, lib, ... }: let + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); +in with slib; { options.krebs.tinc = mkOption { default = {}; description = '' @@ -235,13 +236,14 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { "$CREDENTIALS_DIRECTORY"/rsa_key.priv \ /etc/tinc/${netname}/ ''; - ExecStart = "+" + toString [ - "${cfg.tincPackage}/sbin/tincd" - "-D" - "-U ${cfg.username}" - "-d 0" - "-n ${netname}" - ]; + ExecStart = "+" + pkgs.writers.writeDash "tinc-${netname}" '' + set -efu + exec ${cfg.tincPackage}/sbin/tincd \ + -D \ + -U ${cfg.username} \ + -d 0 \ + -n ${netname} + ''; SyslogIdentifier = netname; DynamicUser = true; User = cfg.username; diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 8d3bdfbe0..b2c264a06 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -214,6 +214,7 @@ let }; filter = mkOption { default = null; + # TODO nullOr subtypes.filter type = with types; nullOr (either str (listOf (pkgs.formats.json {}).type)); diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 51e559d88..6ac2ebac2 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -10,7 +10,8 @@ with lib; { default = { "krebsco.de" = /* bindzone */ '' $TTL 60 - @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 @ 3600 IN NS ni @ 3600 IN NS ns2.he.net. |
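Review bot: The `+` prefix on the new ExecStart in tinc.nix makes systemd run the wrapper with full root privileges regardless of `DynamicUser`/`User`, so the only privilege drop is tincd's own `-U ${cfg.username}`, and that is now hidden inside a generated script; a one-line comment keeps the next reader from removing either the `+` or the `-U`: `# "+": start as root so tincd can set up the tun device; tincd drops to cfg.username itself via -U.` `${cfg.username}` and `${netname}` are interpolated as unquoted shell words, as they were in the old `toString` form; if slib provides `shell.escape` (setuid.nix uses it), `-U ${shell.escape cfg.username}` and `-n ${shell.escape netname}` close that off. The serviceConfig set starts before the hunk.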
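Review bot: Dropping the explicit `3600` from the SOA line in zones.nix makes the record inherit `$TTL 60`, and per RFC 2308 the negative-caching TTL is the minimum of the SOA's own TTL and its MINIMUM field, so NXDOMAIN answers for krebsco.de are now cached for 60 s instead of 3600 s. If that is intended, a comment on the line would stop it from being "fixed" back; if not, keep `@ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600`. The serial also stays at `0` on the new line; if `ns2.he.net.` is a real secondary it will only pick up changes once the serial increases, so confirm a serial is substituted elsewhere. The zone text continues past the hunk.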
