From 716a2fc6e842ff051df6de1999b5b97780f2d2cd Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 30 Jun 2016 00:52:35 +0200 Subject: tv iptables: add input-*-accept-udp --- tv/1systems/cd.nix | 8 ++++---- tv/1systems/mkdir.nix | 4 ++-- tv/1systems/rmdir.nix | 4 ++-- tv/2configs/default.nix | 2 +- tv/2configs/exim-retiolum.nix | 2 +- tv/2configs/exim-smarthost.nix | 2 +- tv/2configs/nginx/default.nix | 2 +- tv/2configs/nginx/public_html.nix | 2 +- tv/2configs/retiolum.nix | 2 +- tv/3modules/iptables.nix | 24 ++++++++++++++++++------ 10 files changed, 32 insertions(+), 20 deletions(-) (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 32d956b8a..a46edb4d9 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -18,7 +18,7 @@ with config.krebs.lib; enable = true; ssl_cert = ../Zcerts/charybdis_cd.crt.pem; }; - tv.iptables.input-retiolum-accept-new-tcp = [ + tv.iptables.input-retiolum-accept-tcp = [ config.tv.charybdis.port config.tv.charybdis.sslport ]; @@ -28,14 +28,14 @@ with config.krebs.lib; enable = true; hosts = [ "jabber.viljetic.de" ]; }; - tv.iptables.input-internet-accept-new-tcp = [ + tv.iptables.input-internet-accept-tcp = [ "xmpp-client" "xmpp-server" ]; } { krebs.github-hosts-sync.enable = true; - tv.iptables.input-internet-accept-new-tcp = + tv.iptables.input-internet-accept-tcp = singleton config.krebs.github-hosts-sync.port; } { @@ -57,7 +57,7 @@ with config.krebs.lib; root ${pkgs.viljetic-pages}; ''); }; - tv.iptables.input-internet-accept-new-tcp = singleton "http"; + tv.iptables.input-internet-accept-tcp = singleton "http"; } ]; diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index f46ed9547..dcec1e200 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -22,12 +22,12 @@ in { tv.iptables = { enable = true; - input-internet-accept-new-tcp = [ + input-internet-accept-tcp = [ "ssh" "tinc" "smtp" ]; - input-retiolum-accept-new-tcp = [ + input-retiolum-accept-tcp = [ "http" ]; }; diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 25fae2c36..34f926020 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -22,12 +22,12 @@ in { tv.iptables = { enable = true; - input-internet-accept-new-tcp = [ + input-internet-accept-tcp = [ "ssh" "tinc" "smtp" ]; - input-retiolum-accept-new-tcp = [ + input-retiolum-accept-tcp = [ "http" ]; }; diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 741955eee..2eab8d1db 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -174,7 +174,7 @@ with config.krebs.lib; { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "ssh"; + tv.iptables.input-internet-accept-tcp = singleton "ssh"; } { diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 9197a3c30..ad355f8b4 100644 --- a/tv/2configs/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix @@ -4,5 +4,5 @@ with config.krebs.lib; { krebs.exim-retiolum.enable = true; - tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp"; + tv.iptables.input-retiolum-accept-tcp = singleton "smtp"; } diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index 3616a8f52..351b54da1 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -43,5 +43,5 @@ with config.krebs.lib; { from = "mirko"; to = "mv"; } ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "smtp"; + tv.iptables.input-internet-accept-tcp = singleton "smtp"; } diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix index 1fac65a31..d0d07d5ca 100644 --- a/tv/2configs/nginx/default.nix +++ b/tv/2configs/nginx/default.nix @@ -12,6 +12,6 @@ with config.krebs.lib; ]; }; tv.iptables = optionalAttrs config.krebs.nginx.enable { - input-retiolum-accept-new-tcp = singleton "http"; + input-retiolum-accept-tcp = singleton "http"; }; } diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix index 15a3b5482..858f16563 100644 --- a/tv/2configs/nginx/public_html.nix +++ b/tv/2configs/nginx/public_html.nix @@ -11,5 +11,5 @@ with config.krebs.lib; '') ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "http"; + tv.iptables.input-internet-accept-tcp = singleton "http"; } diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index e1598d792..ec3508d90 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -13,5 +13,5 @@ with config.krebs.lib; "ire" ]; }; - tv.iptables.input-internet-accept-new-tcp = singleton "tinc"; + tv.iptables.input-internet-accept-tcp = singleton "tinc"; } diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index c0e71f24d..4b1d1ef87 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -17,12 +17,22 @@ let default = "retiolum"; }; - input-internet-accept-new-tcp = mkOption { + input-internet-accept-tcp = mkOption { type = with types; listOf (either int str); default = []; }; - input-retiolum-accept-new-tcp = mkOption { + input-internet-accept-udp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-tcp = mkOption { + type = with types; listOf (either int str); + default = []; + }; + + input-retiolum-accept-udp = mkOption { type = with types; listOf (either int str); default = []; }; @@ -83,8 +93,8 @@ let ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"; ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"; }."ip${toString iptables-version}tables"; - accept-new-tcp = port: - "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"; + accept-tcp = port: "-p tcp -m tcp --dport ${port} -j ACCEPT"; + accept-udp = port: "-p udp -m udp --dport ${port} -j ACCEPT"; in pkgs.writeText "tv-iptables-rules${toString iptables-version}" '' *nat @@ -112,13 +122,15 @@ let "-i lo -j ACCEPT" ] ++ optional (cfg.accept-echo-request == "internet") accept-echo-request - ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) + ++ map accept-tcp (unique (map toString cfg.input-internet-accept-tcp)) + ++ map accept-udp (unique (map toString cfg.input-internet-accept-udp)) ++ ["-i retiolum -j Retiolum"] )} ${formatTable cfg.extra.filter} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request - ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) + ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp)) + ++ map accept-udp (unique (map toString cfg.input-retiolum-accept-udp)) ++ { ip4tables = [ "-p tcp -j REJECT --reject-with tcp-reset" -- cgit v1.2.3 From 2f65d9c19752a808bc49a8e6bf675ae6b6916a3c Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 30 Jun 2016 01:05:21 +0200 Subject: tv: use tinc_pre --- tv/1systems/mu.nix | 2 +- tv/1systems/wu.nix | 2 +- tv/1systems/xu.nix | 2 +- tv/2configs/retiolum.nix | 3 ++- 4 files changed, 5 insertions(+), 4 deletions(-) (limited to 'tv') diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix index 06da15ecc..ec208a0bd 100644 --- a/tv/1systems/mu.nix +++ b/tv/1systems/mu.nix @@ -76,7 +76,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ slock - tinc + tinc_pre iptables vim gimp diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index cebd7c9e4..6bb544371 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -153,7 +153,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ ethtool - tinc + tinc_pre iptables #jack2 ]; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 6ba7ab327..a3a242c46 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -163,7 +163,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ ethtool - tinc + tinc_pre iptables #jack2 diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index ec3508d90..6e05b1489 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: with config.krebs.lib; @@ -12,6 +12,7 @@ with config.krebs.lib; "cd" "ire" ]; + tincPackage = pkgs.tinc_pre; }; tv.iptables.input-internet-accept-tcp = singleton "tinc"; } -- cgit v1.2.3 From c275ae7523b36e03019c18f3b99248bd04af875d Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 30 Jun 2016 01:09:39 +0200 Subject: tv iptables: input-internet-accept-udp tinc --- tv/2configs/retiolum.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'tv') diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index 6e05b1489..f79454157 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -15,4 +15,5 @@ with config.krebs.lib; tincPackage = pkgs.tinc_pre; }; tv.iptables.input-internet-accept-tcp = singleton "tinc"; + tv.iptables.input-internet-accept-udp = singleton "tinc"; } -- cgit v1.2.3 From 0c7a44139fba572487fe853310b6d88a6ffa21c3 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 30 Jun 2016 01:34:25 +0200 Subject: xu,wu: s/gnupg21/gnupg1compat+&/ --- tv/1systems/wu.nix | 2 +- tv/1systems/xu.nix | 2 +- tv/5pkgs/default.nix | 4 ++++ 3 files changed, 6 insertions(+), 2 deletions(-) (limited to 'tv') diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 6bb544371..d115e274b 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -38,7 +38,7 @@ with config.krebs.lib; dic file get - gnupg21 + gnupg1compat haskellPackages.hledger htop jq diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index a3a242c46..7277f5cb7 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -49,7 +49,7 @@ with config.krebs.lib; cac-api dic file - gnupg21 + gnupg1compat haskellPackages.hledger htop jq diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 607980807..affb535ef 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -16,6 +16,10 @@ erlang = pkgs.erlangR16; }; ff = pkgs.callPackage ./ff {}; + gnupg = + if elem config.krebs.build.host.name ["xu" "wu"] + then super.gnupg21 + else super.gnupg; q = pkgs.callPackage ./q {}; viljetic-pages = pkgs.callPackage ./viljetic-pages {}; xmonad-tv = import ./xmonad-tv.nix { inherit pkgs; }; -- cgit v1.2.3