From 305994b23565b3e0f73922ca219cbcb9872e4daa Mon Sep 17 00:00:00 2001 
From: tv Date: Wed, 8 Apr 2015 01:07:01 +0200 Subject: I Like To Move It --- modules/base-cac-CentOS-7-64bit.nix | 27 -- modules/base.nix | 17 - modules/cd/default.nix | 118 +++++ modules/cd/iptables.nix | 75 +++ modules/cd/networking.nix | 14 + modules/ejabberd-cd.nix | 856 --------------------------------- modules/exim-cd.nix | 474 ------------------ modules/exim.nix | 126 ----- modules/hosts.nix | 25 - modules/iptables-cd.nix | 75 --- modules/iptables.nix | 69 --- modules/lass/urxvtd.nix | 68 +++ modules/mu/default.nix | 477 ++++++++++++++++++ modules/networking-cd.nix | 14 - modules/nginx.nix | 30 -- modules/retiolum.nix | 228 --------- modules/sanitize.nix | 8 - modules/synaptics.nix | 14 - modules/tools.nix | 101 ---- modules/tv/base-cac-CentOS-7-64bit.nix | 27 ++ modules/tv/base.nix | 17 + modules/tv/ejabberd.nix | 856 +++++++++++++++++++++++++++++++++ modules/tv/exim-retiolum.nix | 126 +++++ modules/tv/exim-smarthost.nix | 474 ++++++++++++++++++ modules/tv/nginx.nix | 30 ++ modules/tv/retiolum.nix | 228 +++++++++ modules/tv/sanitize.nix | 8 + modules/tv/synaptics.nix | 14 + modules/tv/tools.nix | 101 ++++ modules/tv/urxvt.nix | 24 + modules/tv/users.nix | 221 +++++++++ modules/tv/xserver.nix | 40 ++ modules/urxvt-tv.nix | 24 - modules/urxvtd.nix | 68 --- modules/users.nix | 221 --------- modules/wu/default.nix | 469 ++++++++++++++++++ modules/wu/hosts.nix | 25 + modules/wu/iptables.nix | 69 +++ modules/xserver.nix | 40 -- 39 files changed, 3481 insertions(+), 2417 deletions(-) delete mode 100644 modules/base-cac-CentOS-7-64bit.nix delete mode 100644 modules/base.nix create mode 100644 modules/cd/default.nix create mode 100644 modules/cd/iptables.nix create mode 100644 modules/cd/networking.nix delete mode 100644 modules/ejabberd-cd.nix delete mode 100644 modules/exim-cd.nix delete mode 100644 modules/exim.nix delete mode 100644 modules/hosts.nix delete mode 100644 modules/iptables-cd.nix delete mode 100644 modules/iptables.nix create mode 100644 
modules/lass/urxvtd.nix create mode 100644 modules/mu/default.nix delete mode 100644 modules/networking-cd.nix delete mode 100644 modules/nginx.nix delete mode 100644 modules/retiolum.nix delete mode 100644 modules/sanitize.nix delete mode 100644 modules/synaptics.nix delete mode 100644 modules/tools.nix create mode 100644 modules/tv/base-cac-CentOS-7-64bit.nix create mode 100644 modules/tv/base.nix create mode 100644 modules/tv/ejabberd.nix create mode 100644 modules/tv/exim-retiolum.nix create mode 100644 modules/tv/exim-smarthost.nix create mode 100644 modules/tv/nginx.nix create mode 100644 modules/tv/retiolum.nix create mode 100644 modules/tv/sanitize.nix create mode 100644 modules/tv/synaptics.nix create mode 100644 modules/tv/tools.nix create mode 100644 modules/tv/urxvt.nix create mode 100644 modules/tv/users.nix create mode 100644 modules/tv/xserver.nix delete mode 100644 modules/urxvt-tv.nix delete mode 100644 modules/urxvtd.nix delete mode 100644 modules/users.nix create mode 100644 modules/wu/default.nix create mode 100644 modules/wu/hosts.nix create mode 100644 modules/wu/iptables.nix delete mode 100644 modules/xserver.nix (limited to 'modules')
diff --git a/modules/base-cac-CentOS-7-64bit.nix b/modules/base-cac-CentOS-7-64bit.nix
deleted file mode 100644
index 42ab481..0000000
--- a/modules/base-cac-CentOS-7-64bit.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- boot.loader.grub.device = "/dev/sda";
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "vmw_pvscsi"
- ];
-
- fileSystems."/" = {
- device = "/dev/centos/root";
- fsType = "xfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/sda1";
- fsType = "xfs";
- };
-
- swapDevices = [
- { device = "/dev/centos/swap"; }
- ];
-}
-
diff --git a/modules/base.nix b/modules/base.nix
deleted file mode 100644
index 76c8b89..0000000
--- a/modules/base.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- time.timeZone = "Europe/Berlin";
-
- nix.maxJobs = 8;
- nix.useChroot = true;
- # TODO check if both are required:
- nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
-
- nix.trustedBinaryCaches = [
- "https://cache.nixos.org"
- "http://cache.nixos.org"
- "http://hydra.nixos.org"
- ];
-
-}
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
new file mode 100644
index 0000000..a4e6bbc
--- /dev/null
+++ b/modules/cd/default.nix
@@ -0,0 +1,118 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [
+
+ ./iptables.nix
+ ./networking.nix
+ ../tv/base-cac-CentOS-7-64bit.nix
+ ../tv/ejabberd.nix # XXX echtes modul
+ ../tv/exim-smarthost.nix
+ ../tv/retiolum.nix
+ ../tv/sanitize.nix
+ ];
+
+ # "Developer 2" plan has two vCPUs.
+ nix.maxJobs = 2;
+
+
+ environment.systemPackages = with pkgs; [
+ htop
+ iftop
+ iotop
+ iptables
+ mutt # for mv
+ nethogs
+ rxvt_unicode.terminfo
+ tcpdump
+ ];
+
+ security.rtkit.enable = false;
+
+ services.cron.enable = false;
+
+ services.ejabberd-cd = {
+ enable = true;
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+ services.ntp.enable = false;
+
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ permitRootLogin = "yes";
+ };
+
+ services.retiolum = {
+ enable = true;
+ hosts = /etc/nixos/hosts;
+ privateKeyFile = "/etc/nixos/secrets/cd.retiolum.rsa_key.priv";
+ connectTo = [
+ "fastpoke"
+ "pigstarter"
+ "ire"
+ ];
+ };
+
+ sound.enable = false;
+
+ # TODO base
+ time.timeZone = "UTC";
+
+ # TODO replace by ./modules/cd-users.nix
+ users.extraGroups = {
+
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+
+ };
+ users.extraUsers =
+ {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEieAihh+o208aeCA14fAtjzyZN/nrpOJt2vZ5VYZp69 deploy@wu"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDYv5OkVrnerkzJwgi7ol7HzcWJf4oWCJTX84trFX5vgJXu1zMvSe+koY8xpnMOd7WHF2wgsjjrFlMuixTrfMPc/OjvG2N1TlnvzlFD8ivTW/AJzDwNxT//niqAYAZ9kmb8e/zE/SyNHSKZcyEKGiiW2+YW9wWHPYRP/XiNEjLP3BeTGScMwWr001V/8m7ne4SGHrE1FbHbHqaBXgqUFgnvzMY3CsfDafODZlj5xSMNGHyLGNNKvu3YR1crcAjbQrBXBdwaArThFxp+e2uWrnffshlks6WtRyR1AFVjc/gxEG74Axq1AHY6EJm2Fw/JdFNiYQ7yyQZHS9bZJYjgnWF tv@nomic"
+ ];
+ };
+
+ mv = rec {
+ name = "mv";
+ uid = 1338;
+ group = "users";
+ home = "/home/${name}";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"
+ ];
+ };
+
+ };
+
+ users.mutableUsers = false;
+
+}
diff --git a/modules/cd/iptables.nix b/modules/cd/iptables.nix
new file mode 100644
index 0000000..48425e8
--- /dev/null
+++ b/modules/cd/iptables.nix
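Review bot: `permitRootLogin = "yes";` in the services.openssh block allows password logins for root on every interface, while the only root credentials this file provisions are the two authorizedKeys entries and `users.mutableUsers = false` with no password set presumably leaves root without a usable password; making the policy match the intent is a one-line change, `permitRootLogin = "without-password";`. The hostKeys entry above it passes `bits = 8192` for an ed25519 key, whose size is fixed, so the value is ignored (as the "XXX bits here make no science" comment hints) and can be dropped if the module's key-generation command tolerates a missing bits attribute: `{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }`. Since ./iptables.nix redirects an external port to ssh, this root-login setting is what stands between the public interface and root, so it deserves the stricter value or at least a comment stating why "yes" is needed.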
@@ -0,0 +1,75 @@
+{ config, pkgs, ... }:
+
+{
+ #
+ # iptables
+ #
+ networking.firewall.enable = false;
+ system.activationScripts.iptables =
+ let
+ log = false;
+ when = c: f: if c then f else "";
+ in
+ ''
+ ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ ipXtables() { ip4tables "$@" && ip6tables "$@"; }
+
+ # XXX This fails with the original CAC CentOS 7 kernel.
+ if ipXtables -vL >/dev/null; then
+
+ #
+ # nat
+ #
+
+ # reset tables
+ ipXtables -t nat -F
+ ipXtables -t nat -X
+
+ #
+ ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+ #
+ # filter
+ #
+
+ # reset tables
+ ipXtables -P INPUT DROP
+ ipXtables -P FORWARD DROP
+ ipXtables -F
+ ipXtables -X
+
+ # create custom chains
+ ipXtables -N Retiolum
+
+ # INPUT
+ ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ ipXtables -A INPUT -j ACCEPT -i lo
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+ #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
+
+ ipXtables -A INPUT -j Retiolum -i retiolum
+ ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+ # FORWARD
+ ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+ # Retiolum
+ ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+
+ ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ ip6tables -A Retiolum -j REJECT
+ fi
+ '';
+}
diff --git a/modules/cd/networking.nix b/modules/cd/networking.nix
new file mode 100644
index 0000000..215e208
--- /dev/null
+++ b/modules/cd/networking.nix
@@ -0,0 +1,14 @@
+{...}:
+{
+ networking.hostName = "cd";
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = "162.219.7.216";
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "162.219.7.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+}
diff --git a/modules/ejabberd-cd.nix b/modules/ejabberd-cd.nix
deleted file mode 100644
index e836d2c..0000000
--- a/modules/ejabberd-cd.nix
+++ /dev/null
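Review bot: The `if ipXtables -vL >/dev/null; then ... fi` guard around the whole rule set skips it silently when iptables is unusable (the XXX comment says this happens with the original CAC CentOS 7 kernel), and because `networking.firewall.enable = false;` has already turned off the NixOS firewall the host then activates with no INPUT filtering and no message in the nixos-rebuild output; an `else echo "iptables: ipXtables -vL failed, firewall rules NOT applied" >&2` before the `fi` would make that state visible. The reset block sets the policy only for INPUT and FORWARD, so OUTPUT keeps the kernel default of ACCEPT; that may well be intended, but a comment such as `# OUTPUT is left at the default ACCEPT policy` would save the next reader from checking. Note also that `-P INPUT DROP` runs before `-F`, so an ssh session used for the rebuild is briefly blocked until the RELATED,ESTABLISHED rule is re-added — harmless in practice, but worth a comment on the reset lines.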
@@ -1,856 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (pkgs) ejabberd writeScript writeScriptBin utillinux; - inherit (lib) makeSearchPath; - - cfg = config.services.ejabberd-cd; - - - -in - -{ - - ####### interface - - options = { - - services.ejabberd-cd = { - - enable = mkOption { - default = false; - description = "Whether to enable ejabberd server"; - }; - - config = mkOption { - type = types.string; - default = ""; - description = '' - TODO - ''; - }; - - user = mkOption { - type = types.string; - default = "ejabberd"; - description = '' - TODO - ''; - }; - - group = mkOption { - type = types.string; - default = "ejabberd"; - description = '' - TODO - ''; - }; - - - # spoolDir = mkOption { - # default = "/var/lib/ejabberd"; - # description = "Location of the spooldir of ejabberd"; - # }; - - # logsDir = mkOption { - # default = "/var/log/ejabberd"; - # description = "Location of the logfile directory of ejabberd"; - # }; - - # confDir = mkOption { - # default = "/var/ejabberd"; - # description = "Location of the config directory of ejabberd"; - # }; - - # virtualHosts = mkOption { - # default = "\"localhost\""; - # description = "Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas"; - # }; - - # loadDumps = mkOption { - # default = []; - # description = "Configuration dump that should be loaded on the first startup"; - # example = literalExample "[ ./myejabberd.dump ]"; - # }; - - # config - }; - - }; - - - ####### implementation - - config = - let - my-ejabberdctl = writeScriptBin "ejabberdctl" '' - #! 
/bin/sh - set -euf - exec env \ - SPOOLDIR=/var/ejabberd \ - EJABBERD_CONFIG_PATH=/etc/ejabberd.cfg \ - ${ejabberd}/bin/ejabberdctl \ - --logs /var/ejabberd \ - "$@" - ''; - in - mkIf cfg.enable { - #environment.systemPackages = [ pkgs.ejabberd ]; - - environment = { - etc."ejabberd.cfg".text = '' - %%% - %%% ejabberd configuration file - %%% - %%%' - - %%% The parameters used in this configuration file are explained in more detail - %%% in the ejabberd Installation and Operation Guide. - %%% Please consult the Guide in case of doubts, it is included with - %%% your copy of ejabberd, and is also available online at - %%% http://www.process-one.net/en/ejabberd/docs/ - - %%% This configuration file contains Erlang terms. - %%% In case you want to understand the syntax, here are the concepts: - %%% - %%% - The character to comment a line is % - %%% - %%% - Each term ends in a dot, for example: - %%% override_global. - %%% - %%% - A tuple has a fixed definition, its elements are - %%% enclosed in {}, and separated with commas: - %%% {loglevel, 4}. - %%% - %%% - A list can have as many elements as you want, - %%% and is enclosed in [], for example: - %%% [http_poll, web_admin, tls] - %%% - %%% - A keyword of ejabberd is a word in lowercase. - %%% Strings are enclosed in "" and can contain spaces, dots, ... - %%% {language, "en"}. - %%% {ldap_rootdn, "dc=example,dc=com"}. - %%% - %%% - This term includes a tuple, a keyword, a list, and two strings: - %%% {hosts, ["jabber.example.net", "im.example.com"]}. - %%% - - - %%%. ======================= - %%%' OVERRIDE STORED OPTIONS - - %% - %% Override the old values stored in the database. - %% - - %% - %% Override global options (shared by all ejabberd nodes in a cluster). - %% - %%override_global. - - %% - %% Override local options (specific for this particular ejabberd node). - %% - %%override_local. - - %% - %% Remove the Access Control Lists before new ones are added. - %% - %%override_acls. - - - %%%. 
========= - %%%' DEBUGGING - - %% - %% loglevel: Verbosity of log files generated by ejabberd. - %% 0: No ejabberd log at all (not recommended) - %% 1: Critical - %% 2: Error - %% 3: Warning - %% 4: Info - %% 5: Debug - %% - {loglevel, 3}. - - %% - %% watchdog_admins: Only useful for developers: if an ejabberd process - %% consumes a lot of memory, send live notifications to these XMPP - %% accounts. - %% - %%{watchdog_admins, ["bob@example.com"]}. - - - %%%. ================ - %%%' SERVED HOSTNAMES - - %% - %% hosts: Domains served by ejabberd. - %% You can define one or several, for example: - %% {hosts, ["example.net", "example.com", "example.org"]}. - %% - {hosts, ["jabber.viljetic.de"]}. - - %% - %% route_subdomains: Delegate subdomains to other XMPP servers. - %% For example, if this ejabberd serves example.org and you want - %% to allow communication with an XMPP server called im.example.org. - %% - %%{route_subdomains, s2s}. - - - %%%. =============== - %%%' LISTENING PORTS - - %% - %% listen: The ports ejabberd will listen on, which service each is handled - %% by and what options to start it with. - %% - {listen, - [ - - {5222, ejabberd_c2s, [ - - %% - %% If TLS is compiled in and you installed a SSL - %% certificate, specify the full path to the - %% file and uncomment this line: - %% - starttls, - {certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}, - - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - - %% - %% ejabberd_service: Interact with external components (transports, ...) 
- %% - %%{8888, ejabberd_service, [ - %% {access, all}, - %% {shaper_rule, fast}, - %% {ip, {127, 0, 0, 1}}, - %% {hosts, ["icq.example.org", "sms.example.org"], - %% [{password, "secret"}] - %% } - %% ]}, - - %% - %% ejabberd_stun: Handles STUN Binding requests - %% - %%{{3478, udp}, ejabberd_stun, []}, - - {5280, ejabberd_http, [ - %%{request_handlers, - %% [ - %% {["pub", "archive"], mod_http_fileserver} - %% ]}, - captcha, - http_bind, - http_poll, - %%register, - web_admin - ]} - - ]}. - - %% - %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. - %% Allowed values are: false optional required required_trusted - %% You must specify a certificate file. - %% - {s2s_use_starttls, required}. - - %% - %% s2s_certfile: Specify a certificate file. - %% - {s2s_certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}. - - %% - %% domain_certfile: Specify a different certificate for each served hostname. - %% - %%{domain_certfile, "example.org", "/path/to/example_org.pem"}. - %%{domain_certfile, "example.com", "/path/to/example_com.pem"}. - - %% - %% S2S whitelist or blacklist - %% - %% Default s2s policy for undefined hosts. - %% - %%{s2s_default_policy, allow}. - - %% - %% Allow or deny communication with specific servers. - %% - %%{{s2s_host, "goodhost.org"}, allow}. - %%{{s2s_host, "badhost.org"}, deny}. - - %% - %% Outgoing S2S options - %% - %% Preferred address families (which to try first) and connect timeout - %% in milliseconds. - %% - %%{outgoing_s2s_options, [ipv4, ipv6], 10000}. - - - %%%. ============== - %%%' AUTHENTICATION - - %% - %% auth_method: Method used to authenticate the users. - %% The default method is the internal. - %% If you want to use a different method, - %% comment this line and enable the correct ones. - %% - {auth_method, internal}. - %% - %% Store the plain passwords or hashed for SCRAM: - %%{auth_password_format, plain}. - %%{auth_password_format, scram}. 
- %% - %% Define the FQDN if ejabberd doesn't detect it: - %%{fqdn, "server3.example.com"}. - - %% - %% Authentication using external script - %% Make sure the script is executable by ejabberd. - %% - %%{auth_method, external}. - %{extauth_program, "$ {ejabberd-auth}"}. - - %% - %% Authentication using ODBC - %% Remember to setup a database in the next section. - %% - %%{auth_method, odbc}. - - %% - %% Authentication using PAM - %% - %%{auth_method, pam}. - %%{pam_service, "pamservicename"}. - - %% - %% Authentication using LDAP - %% - %%{auth_method, ldap}. - %% - %% List of LDAP servers: - %%{ldap_servers, ["localhost"]}. - %% - %% Encryption of connection to LDAP servers: - %%{ldap_encrypt, none}. - %%{ldap_encrypt, tls}. - %% - %% Port to connect to on LDAP servers: - %%{ldap_port, 389}. - %%{ldap_port, 636}. - %% - %% LDAP manager: - %%{ldap_rootdn, "dc=example,dc=com"}. - %% - %% Password of LDAP manager: - %%{ldap_password, "******"}. - %% - %% Search base of LDAP directory: - %%{ldap_base, "dc=example,dc=com"}. - %% - %% LDAP attribute that holds user ID: - %%{ldap_uids, [{"mail", "%u@mail.example.org"}]}. - %% - %% LDAP filter: - %%{ldap_filter, "(objectClass=shadowAccount)"}. - - %% - %% Anonymous login support: - %% auth_method: anonymous - %% anonymous_protocol: sasl_anon | login_anon | both - %% allow_multiple_connections: true | false - %% - %%{host_config, "public.example.org", [{auth_method, anonymous}, - %% {allow_multiple_connections, false}, - %% {anonymous_protocol, sasl_anon}]}. - %% - %% To use both anonymous and internal authentication: - %% - %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}. - - - %%%. ============== - %%%' DATABASE SETUP - - %% ejabberd by default uses the internal Mnesia database, - %% so you do not necessarily need this section. - %% This section provides configuration examples in case - %% you want to use other database backends. 
- %% Please consult the ejabberd Guide for details on database creation. - - %% - %% MySQL server: - %% - %%{odbc_server, {mysql, "server", "database", "username", "password"}}. - %% - %% If you want to specify the port: - %%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}. - - %% - %% PostgreSQL server: - %% - %%{odbc_server, {pgsql, "server", "database", "username", "password"}}. - %% - %% If you want to specify the port: - %%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}. - %% - %% If you use PostgreSQL, have a large database, and need a - %% faster but inexact replacement for "select count(*) from users" - %% - %%{pgsql_users_number_estimate, true}. - - %% - %% ODBC compatible or MSSQL server: - %% - %%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}. - - %% - %% Number of connections to open to the database for each virtual host - %% - %%{odbc_pool_size, 10}. - - %% - %% Interval to make a dummy SQL request to keep the connections to the - %% database alive. Specify in seconds: for example 28800 means 8 hours - %% - %%{odbc_keepalive_interval, undefined}. - - - %%%. =============== - %%%' TRAFFIC SHAPERS - - %% - %% The "normal" shaper limits traffic speed to 1000 B/s - %% - {shaper, normal, {maxrate, 1000}}. - - %% - %% The "fast" shaper limits traffic speed to 50000 B/s - %% - {shaper, fast, {maxrate, 50000}}. - - %% - %% This option specifies the maximum number of elements in the queue - %% of the FSM. Refer to the documentation for details. - %% - {max_fsm_queue, 1000}. - - - %%%. ==================== - %%%' ACCESS CONTROL LISTS - - %% - %% The 'admin' ACL grants administrative privileges to XMPP accounts. - %% You can put here as many accounts as you want. - %% - %%{acl, admin, {user, "aleksey", "localhost"}}. - %%{acl, admin, {user, "ermine", "example.org"}}. - - %% - %% Blocked users - %% - %%{acl, blocked, {user, "baduser", "example.org"}}. - %%{acl, blocked, {user, "test"}}. 
- - %% - %% Local users: don't modify this line. - %% - {acl, local, {user_regexp, ""}}. - - %% - %% More examples of ACLs - %% - %%{acl, jabberorg, {server, "jabber.org"}}. - %%{acl, aleksey, {user, "aleksey", "jabber.ru"}}. - %%{acl, test, {user_regexp, "^test"}}. - %%{acl, test, {user_glob, "test*"}}. - - %% - %% Define specific ACLs in a virtual host. - %% - %%{host_config, "localhost", - %% [ - %% {acl, admin, {user, "bob-local", "localhost"}} - %% ] - %%}. - - - %%%. ============ - %%%' ACCESS RULES - - %% Maximum number of simultaneous sessions allowed for a single user: - {access, max_user_sessions, [{10, all}]}. - - %% Maximum number of offline messages that users can have: - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - - %% This rule allows access only for local users: - {access, local, [{allow, local}]}. - - %% Only non-blocked users can use c2s connections: - {access, c2s, [{deny, blocked}, - {allow, all}]}. - - %% For C2S connections, all users except admins use the "normal" shaper - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - - %% All S2S connections use the "fast" shaper - {access, s2s_shaper, [{fast, all}]}. - - %% Only admins can send announcement messages: - {access, announce, [{allow, admin}]}. - - %% Only admins can use the configuration interface: - {access, configure, [{allow, admin}]}. - - %% Admins of this server are also admins of the MUC service: - {access, muc_admin, [{allow, admin}]}. - - %% Only accounts of the local ejabberd server can create rooms: - {access, muc_create, [{allow, local}]}. - - %% All users are allowed to use the MUC service: - {access, muc, [{allow, all}]}. - - %% Only accounts on the local ejabberd server can create Pubsub nodes: - {access, pubsub_createnode, [{allow, local}]}. - - %% In-band registration allows registration of any possible username. - %% To disable in-band registration, replace 'allow' with 'deny'. - {access, register, [{allow, all}]}. 
- - %% By default the frequency of account registrations from the same IP - %% is limited to 1 account every 10 minutes. To disable, specify: infinity - %%{registration_timeout, 600}. - - %% - %% Define specific Access Rules in a virtual host. - %% - %%{host_config, "localhost", - %% [ - %% {access, c2s, [{allow, admin}, {deny, all}]}, - %% {access, register, [{deny, all}]} - %% ] - %%}. - - - %%%. ================ - %%%' DEFAULT LANGUAGE - - %% - %% language: Default language used for server messages. - %% - {language, "en"}. - - %% - %% Set a different default language in a virtual host. - %% - %%{host_config, "localhost", - %% [{language, "ru"}] - %%}. - - - %%%. ======= - %%%' CAPTCHA - - %% - %% Full path to a script that generates the image. - %% - %%{captcha_cmd, "/lib/ejabberd/priv/bin/captcha.sh"}. - - %% - %% Host for the URL and port where ejabberd listens for CAPTCHA requests. - %% - %%{captcha_host, "example.org:5280"}. - - %% - %% Limit CAPTCHA calls per minute for JID/IP to avoid DoS. - %% - %%{captcha_limit, 5}. - - %%%. ======= - %%%' MODULES - - %% - %% Modules enabled in all ejabberd virtual hosts. 
- %% - {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, % recommends mod_adhoc - {mod_blocking,[]}, % requires mod_privacy - {mod_caps, []}, - {mod_configure,[]}, % requires mod_adhoc - {mod_disco, []}, - %%{mod_echo, [{host, "echo.localhost"}]}, - {mod_irc, []}, - {mod_http_bind, []}, - %%{mod_http_fileserver, [ - %% {docroot, "/var/www"}, - %% {accesslog, "/var/log/ejabberd/access.log"} - %% ]}, - {mod_last, []}, - {mod_muc, [ - %%{host, "conference.@HOST@"}, - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - %%{mod_muc_log,[]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - %%{mod_pres_counter,[{count, 5}, {interval, 60}]}, - {mod_privacy, []}, - {mod_private, []}, - %%{mod_proxy65,[]}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, % reduces resource comsumption, but XEP incompliant - %%{ignore_pep_from_offline, false}, % XEP compliant, but increases resource comsumption - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps - ]}, - {mod_register, [ - %% - %% Protect In-Band account registrations with CAPTCHA. - %% - %%{captcha_protected, true}, - - %% - %% Set the minimum informational entropy for passwords. - %% - %%{password_strength, 32}, - - %% - %% After successful registration, the user receives - %% a message with this subject and body. - %% - {welcome_message, {"Welcome!", - "Hi.\nWelcome to this XMPP server."}}, - - %% - %% When a user registers, send a notification to - %% these XMPP accounts. 
- %% - %%{registration_watchers, ["admin1@example.org"]}, - - %% - %% Only clients in the server machine can register accounts - %% - {ip_access, [{allow, "127.0.0.0/8"}, - {deny, "0.0.0.0/0"}]}, - - %% - %% Local c2s or remote s2s users cannot register accounts - %% - %%{access_from, deny}, - - {access, register} - ]}, - %%{mod_register_web, [ - %% - %% When a user registers, send a notification to - %% these XMPP accounts. - %% - %%{registration_watchers, ["admin1@example.org"]} - %% ]}, - {mod_roster, []}, - %%{mod_service_log,[]}, - {mod_shared_roster,[]}, - {mod_stats, []}, - {mod_time, []}, - {mod_vcard, []}, - {mod_version, []} - ]}. - - %% - %% Enable modules with custom options in a specific virtual host - %% - %%{host_config, "localhost", - %% [{{add, modules}, - %% [ - %% {mod_echo, [{host, "mirror.localhost"}]} - %% ] - %% } - %% ]}. - - - %%%. - %%%' - - %%% $Id$ - - %%% Local Variables: - %%% mode: erlang - %%% End: - %%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. 
foldmethod=marker: - ''; - # TODO properly configured wrapper - systemPackages = [ my-ejabberdctl ]; - }; - #exim_user = ${cfg.user} - #exim_group = ${cfg.group} - #exim_path = /var/setuid-wrappers/exim - #spool_directory = ${cfg.spoolDir} - #${cfg.config} - - users.extraUsers = singleton { - name = "ejabberd"; - description = "TODO"; - uid = 405222; - group = "ejabberd"; - home = "/var/ejabberd"; - createHome = true; - }; - - users.extraGroups = singleton { - name = "ejabberd"; - gid = 405222; - }; - - #security.setuidPrograms = [ "exim" ]; - - systemd.services.ejabberd = { - description = "ejabberd XMPP Daemon"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - reloadIfChanged = true; - serviceConfig = { - ExecStart = "${my-ejabberdctl}/bin/ejabberdctl start"; - ExecStop = "${my-ejabberdctl}/bin/ejabberdctl stop"; - ExecReload = "${my-ejabberdctl}/bin/ejabberdctl restart"; - Type = "oneshot"; - RemainAfterExit = "yes"; - RestartSec = 5; - LimitNOFILE = 16000; - User = "ejabberd"; - Group = "ejabberd"; - }; - }; - - systemd.services.ejabberd-prepare = { - description = "ejabberd XMPP Preparetion Service"; - requiredBy = [ "ejabberd.service" ]; - serviceConfig = { - Type = "oneshot"; - RestartSec = 5; - ExecStart = "${writeScript "ejabberd-prepare" - '' - #! 
/bin/sh - set -euf - chown ejabberd: /etc/nixos/secrets/ejabberd.cd.retiolum.pem - '' - }"; - }; - }; - - - - }; - - #config = mkIf cfg.enable { - # environment.systemPackages = [ pkgs.ejabberd ]; - - # jobs.ejabberd = - # { description = "EJabberd server"; - - # startOn = "started network-interfaces"; - # stopOn = "stopping network-interfaces"; - - # environment = { - # PATH = "$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin"; - # }; - - # preStart = - # '' - # PATH="$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin"; - # - # # Initialise state data - # mkdir -p ${cfg.logsDir} - - # if ! test -d ${cfg.spoolDir} - # then - # initialize=1 - # cp -av ${pkgs.ejabberd}/var/lib/ejabberd /var/lib - # fi - - # #if ! test -d ${cfg.confDir} - # #then - # # mkdir -p ${cfg.confDir} - # # cp ${pkgs.ejabberd}/etc/ejabberd/* ${cfg.confDir} - # # sed -e 's|{hosts, \["localhost"\]}.|{hosts, \[${cfg.virtualHosts}\]}.|' ${pkgs.ejabberd}/etc/ejabberd/ejabberd.cfg > ${cfg.confDir}/ejabberd.cfg - # #fi - # mkdir -p ${cfg.confDir} - - - # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} start - - # ${if cfg.loadDumps == [] then "" else - # '' - # if [ "$initialize" = "1" ] - # then - # # Wait until the ejabberd server is available for use - # count=0 - # while ! ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} status - # do - # if [ $count -eq 30 ] - # then - # echo "Tried 30 times, giving up..." - # exit 1 - # fi - - # echo "Ejabberd daemon not yet started. Waiting for 1 second..." 
- # count=$((count++)) - # sleep 1 - # done - - # ${concatMapStrings (dump: - # '' - # echo "Importing dump: ${dump}" - - # if [ -f ${dump} ] - # then - # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load ${dump} - # elif [ -d ${dump} ] - # then - # for i in ${dump}/ejabberd-dump/* - # do - # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load $i - # done - # fi - # '') cfg.loadDumps} - # fi - # ''} - # ''; - - # postStop = - # '' - # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} stop - # ''; - # }; - - # security.pam.services.ejabberd = {}; - - #}; - -} diff --git a/modules/exim-cd.nix b/modules/exim-cd.nix deleted file mode 100644 index a4c47b3..0000000 --- a/modules/exim-cd.nix +++ /dev/null 
@@ -1,474 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (builtins) toFile; - inherit (pkgs.lib.attrsets) mapAttrs; - inherit (pkgs.lib.strings) concatMapStringsSep; -in - -{ - services.exim = - let - retiolumHostname = "${config.networking.hostName}.retiolum"; - - internet-aliases = [ - { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } - - # (mindestens) lisp-stammtisch und elli haben die: - { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } - - { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } - - { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } - - # TODO killme (wo wird die benutzt?) - { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } - - { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } - ]; - - system-aliases = [ - { from = "mailer-daemon"; to = "postmaster"; } - { from = "postmaster"; to = "root"; } - { from = "nobody"; to = "root"; } - { from = "hostmaster"; to = "root"; } - { from = "usenet"; to = "root"; } - { from = "news"; to = "root"; } - { from = "webmaster"; to = "root"; } - { from = "www"; to = "root"; } - { from = "ftp"; to = "root"; } - { from = "abuse"; to = "root"; } - { from = "noc"; to = "root"; } - { from = "security"; to = "root"; } - { from = "root"; to = "tv"; } - { from = "mirko"; to = "mv"; } - ]; - - to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); - lsearch = - mapAttrs (name: set: toFile name (to-lsearch set)) { - inherit internet-aliases; - inherit system-aliases; - }; - in - { - enable = true; - config = - '' - primary_hostname = ${retiolumHostname} - - # HOST_REDIR contains the real destinations for "local_domains". - #HOST_REDIR = /etc/exim4/host_redirect - - - # Domains not listed in local_domains need to be deliverable remotely. - # XXX We abuse local_domains to mean "domains, we're the gateway for". 
- domainlist local_domains = @ : localhost - #: viljetic.de : SHACK_REDIR_HOSTNAME - domainlist relay_to_domains = - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 - - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data - - # av_scanner = clamd:/tmp/clamd - # spamd_address = 127.0.0.1 783 - - # tls_advertise_hosts = * - # tls_certificate = /etc/ssl/exim.crt - # tls_privatekey = /etc/ssl/exim.pem - # (debian) tls_verify_certificates (to check client certs) - - # daemon_smtp_ports = 25 : 465 : 587 - # tls_on_connect_ports = 465 - - # qualify_domain defaults to primary_hostname - # qualify_recipient defaults to qualify_domain - - # allow_domain_literals - - never_users = root - - host_lookup = * - - # ident callbacks for all incoming SMTP calls - rfc1413_hosts = * - rfc1413_query_timeout = 5s - - # sender_unqualified_hosts = - # recipient_unqualified_hosts = - - # percent_hack_domains = - - # arch & debian - #ignore_bounce_errors_after = 2d - #timeout_frozen_after = 7d - # debian - #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full - #freeze_tell = postmaster - #trusted_users = uucp - # arch - #split_spool_directory = true - - log_selector = -queue_run +address_rewrite +all_parents +queue_time - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false - - begin acl - - acl_check_rcpt: - # Accept if the source is local SMTP (i.e. not over TCP/IP). - # We do this by testing for an empty sending host field. - accept hosts = : - # arch & debian: - control = dkim_disable_verify - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - ## feature RETIOLUM_MAIL - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify - - #require verify = sender - - accept hosts = +relay_from_hosts - control = submission - # debian: control = submission/sender_retain - # arch & debian: - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - accept message = relay not permitted 2 - recipients = lsearch;${lsearch.internet-aliases} - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - require - message = unknown user - verify = recipient/callout - - # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text - # dnslists = black.list.example - # - # warn dnslists = black.list.example - # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain - # log_message = found in $dnslist_domain - - # Client SMTP Authorization (csa) checks on the sending host. - # Such checks do DNS lookups for special SRV records. - # require verify = csa - - accept - - - acl_check_data: - # see av_scanner - #deny malware = * - # message = This message contains a virus ($malware_name). - - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. 
- # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report - - # feature HELO_REWRITE - # XXX note that the public ip (162.219.5.183) resolves to viljetic.de - warn - sender_domains = viljetic.de : shackspace.de - set acl_m_special_dom = $sender_address_domain - - accept - - - begin routers - - # feature RETIOLUM_MAIL - retiolum: - debug_print = "R: retiolum for $local_part@$domain" - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = retiolum_smtp - route_list = ^.* $0 byname - no_more - - internet_aliases: - debug_print = "R: internet_aliases for $local_part@$domain" - driver = redirect - data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} - - dnslookup: - debug_print = "R: dnslookup for $local_part@$domain" - driver = dnslookup - domains = ! +local_domains - transport = remote_smtp - ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 - # if ipv6-enabled then instead use: - # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 - - # (debian) same_domain_copy_routing = yes - # (debian) ignore private rfc1918 and APIPA addresses - # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ - # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ - # 255.255.255.255 - - # Fail and bounce if the router does not find the domain in the DNS. - # I.e. no more routers are tried. - # There are a few cases where a dnslookup router will decline to accept an - # address; if such a router is expected to handle "all remaining non-local - # domains", then it is important to set no_more. 
- no_more - - # XXX this is only used because these "well known aliases" goto tv@cd.retiolum - # TODO bounce everything, there is no @cd.retiolum - system_aliases: - debug_print = "R: system_aliases for $local_part@$domain" - driver = redirect - data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} - - # TODO this is only b/c mv here... send mv's mails somewhere else... - local_user: - debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user - - begin transports - - retiolum_smtp: - driver = smtp - retry_include_ip_address = false - # serialize_hosts = TODO-all-slow-hosts - - remote_smtp: - driver = smtp - # debian has also stuff for tls, headers_rewrite and more here - - # feature HELO_REWRITE - # XXX note that the public ip (162.219.5.183) resolves to viljetic.de - helo_data = ''${if eq{$acl_m_special_dom}{} \ - {$primary_hostname} \ - {$acl_m_special_dom} } - - home_maildir: - driver = appendfile - maildir_format - maildir_use_size_file - directory = $home/Mail - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - - begin rewrite - begin authenticators - ''; - - - # group = mail - # mode = 0660 - - - #address_pipe: - # driver = pipe - # return_output - # - #address_file: - # driver = appendfile - # delivery_date_add - # envelope_to_add - # return_path_add - # - #address_reply: - # driver = autoreply - - - #maildrop_pipe: - # debug_print = "T: maildrop_pipe for $local_part@$domain" - # driver = pipe - # path = "/bin:/usr/bin:/usr/local/bin" - # command = "/usr/bin/maildrop" - # return_path_add - # delivery_date_add - # envelope_to_add - - - - - - ##begin retry - # Address or Domain Error Retries - - # Our host_redirect destinations might be offline a lot. 
- # TODO define fallback destinations(?) - #lsearch;${lsearch.internet-aliases} * F,42d,1m - - - ## begin rewrite - - # just in case (shackspace.de should already do this) - #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T - - - ## begin authenticators - #PLAIN: - # driver = plaintext - # server_set_id = $auth2 - # server_prompts = : - # server_condition = Authentication is not yet configured - # server_advertise_condition = ''${if def:tls_in_cipher } - - #LOGIN: - # driver = plaintext - # server_set_id = $auth1 - # server_prompts = <| Username: | Password: - # server_condition = Authentication is not yet configured - # server_advertise_condition = ''${if def:tls_in_cipher } - - - - }; - -} - -# config = '' -# primary_hostname = ${retiolumHostname} -# domainlist local_domains = @ : localhost -# domainlist relay_to_domains = *.retiolum -# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 -# -# acl_smtp_rcpt = acl_check_rcpt -# acl_smtp_data = acl_check_data -# -# host_lookup = * -# rfc1413_hosts = * -# rfc1413_query_timeout = 5s -# -# log_file_path = syslog -# syslog_timestamp = false -# syslog_duplication = false -# -# begin acl -# -# acl_check_rcpt: -# accept hosts = : -# control = dkim_disable_verify -# -# deny message = Restricted characters in address -# domains = +local_domains -# local_parts = ^[.] : ^.*[@%!/|] -# -# deny message = Restricted characters in address -# domains = !+local_domains -# local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ -# -# accept local_parts = postmaster -# domains = +local_domains -# -# #accept -# # hosts = *.retiolum -# # domains = *.retiolum -# # control = dkim_disable_verify -# -# #require verify = sender -# -# accept hosts = +relay_from_hosts -# control = submission -# control = dkim_disable_verify -# -# accept authenticated = * -# control = submission -# control = dkim_disable_verify -# -# require message = relay not permitted -# domains = +local_domains : +relay_to_domains -# -# require verify = recipient -# -# accept -# -# -# acl_check_data: -# accept -# -# -# begin routers -# -# retiolum: -# driver = manualroute -# domains = ! ${retiolumHostname} : *.retiolum -# transport = remote_smtp -# route_list = ^.* $0 byname -# no_more -# -# nonlocal: -# debug_print = "R: nonlocal for $local_part@$domain" -# driver = redirect -# domains = ! +local_domains -# allow_fail -# data = :fail: Mailing to remote domains not supported -# no_more -# -# local_user: -# # debug_print = "R: local_user for $local_part@$domain" -# driver = accept -# check_local_user -# # local_part_suffix = +* : -* -# # local_part_suffix_optional -# transport = home_maildir -# cannot_route_message = Unknown user -# -# -# begin transports -# -# remote_smtp: -# driver = smtp -# -# home_maildir: -# driver = appendfile -# maildir_format -# directory = $home/Maildir -# directory_mode = 0700 -# delivery_date_add -# envelope_to_add -# return_path_add -# # group = mail -# # mode = 0660 -# -# begin retry -# *.retiolum * F,42d,1m -# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h -# -# begin rewrite -# -# begin authenticators -# ''; -# }; -#} diff --git a/modules/exim.nix b/modules/exim.nix deleted file mode 100644 index e80358f..0000000 --- a/modules/exim.nix +++ /dev/null 
@@ -1,126 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.exim = - # This configuration makes only sense for retiolum-enabled hosts. - # TODO modular configuration - assert config.services.retiolum.enable; - let - # TODO get the hostname from config.services.retiolum. - retiolumHostname = "${config.networking.hostName}.retiolum"; - in - { enable = true; - config = '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum - hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 - - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data - - host_lookup = * - rfc1413_hosts = * - rfc1413_query_timeout = 5s - - log_file_path = syslog - syslog_timestamp = false - syslog_duplication = false - - begin acl - - acl_check_rcpt: - accept hosts = : - control = dkim_disable_verify - - deny message = Restricted characters in address - domains = +local_domains - local_parts = ^[.] : ^.*[@%!/|] - - deny message = Restricted characters in address - domains = !+local_domains - local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ - - accept local_parts = postmaster - domains = +local_domains - - #accept - # hosts = *.retiolum - # domains = *.retiolum - # control = dkim_disable_verify - - #require verify = sender - - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify - - accept authenticated = * - control = submission - control = dkim_disable_verify - - require message = relay not permitted - domains = +local_domains : +relay_to_domains - - require verify = recipient - - accept - - - acl_check_data: - accept - - - begin routers - - retiolum: - driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum - transport = remote_smtp - route_list = ^.* $0 byname - no_more - - nonlocal: - debug_print = "R: nonlocal for $local_part@$domain" - driver = redirect - domains = ! 
+local_domains - allow_fail - data = :fail: Mailing to remote domains not supported - no_more - - local_user: - # debug_print = "R: local_user for $local_part@$domain" - driver = accept - check_local_user - # local_part_suffix = +* : -* - # local_part_suffix_optional - transport = home_maildir - cannot_route_message = Unknown user - - - begin transports - - remote_smtp: - driver = smtp - - home_maildir: - driver = appendfile - maildir_format - directory = $home/Maildir - directory_mode = 0700 - delivery_date_add - envelope_to_add - return_path_add - # group = mail - # mode = 0660 - - begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h - - begin rewrite - - begin authenticators - ''; - }; -} diff --git a/modules/hosts.nix b/modules/hosts.nix deleted file mode 100644 index f59f87c..0000000 --- a/modules/hosts.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.extraHosts = - '' - 192.168.1.1 wrt.gg23 wrt - 192.168.1.11 mors.gg23 - 192.168.1.12 uriel.gg23 - 192.168.1.23 raspi.gg23 raspi - 192.168.1.37 wu.gg23 - 192.168.1.110 nomic.gg23 - 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker - - 127.0.0.1 dev.zalora.sg www.dev.zalora.sg bob.dev.zalora.sg static.dev.zalora.sg - 127.0.0.1 dev.zalora.com.my www.dev.zalora.com.my bob.dev.zalora.com.my static.dev.zalora.com.my - 127.0.0.1 dev.zalora.com.ph www.dev.zalora.com.ph bob.dev.zalora.com.ph static.dev.zalora.com.ph - 127.0.0.1 dev.zalora.vn www.dev.zalora.vn bob.dev.zalora.vn static.dev.zalora.vn - 127.0.0.1 dev.zalora.co.id www.dev.zalora.co.id bob.dev.zalora.co.id static.dev.zalora.co.id - 127.0.0.1 dev.zalora.co.th www.dev.zalora.co.th bob.dev.zalora.co.th static.dev.zalora.co.th - 127.0.0.1 dev.zalora.com.hk www.dev.zalora.com.hk bob.dev.zalora.com.hk static.dev.zalora.com.hk - - 54.93.104.95 eu-dev.hk.zalora.net www.eu-dev.hk.zalora.net bob.eu-dev.hk.zalora.net static.eu-dev.hk.zalora.net - 54.93.104.95 eu-dev.sg.zalora.net www.eu-dev.sg.zalora.net bob.eu-dev.sg.zalora.net static.eu-dev.sg.zalora.net - ''; -} diff --git a/modules/iptables-cd.nix b/modules/iptables-cd.nix deleted file mode 100644 index 48425e8..0000000 --- a/modules/iptables-cd.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -{ config, pkgs, ... }: - -{ - # - # iptables - # - networking.firewall.enable = false; - system.activationScripts.iptables = - let - log = false; - when = c: f: if c then f else ""; - in - '' - ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - ipXtables() { ip4tables "$@" && ip6tables "$@"; } - - # XXX This fails with the original CAC CentOS 7 kernel. - if ipXtables -vL >/dev/null; then - - # - # nat - # - - # reset tables - ipXtables -t nat -F - ipXtables -t nat -X - - # - ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 - ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # - # filter - # - - # reset tables - ipXtables -P INPUT DROP - ipXtables -P FORWARD DROP - ipXtables -F - ipXtables -X - - # create custom chains - ipXtables -N Retiolum - - # INPUT - ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - ipXtables -A INPUT -j ACCEPT -i lo - ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW - - ipXtables -A INPUT -j Retiolum -i retiolum - ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # FORWARD - ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # Retiolum - ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - - ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} 
- ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable - ip6tables -A Retiolum -j REJECT - fi - ''; -} diff --git a/modules/iptables.nix b/modules/iptables.nix deleted file mode 100644 index ee40343..0000000 --- a/modules/iptables.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -{ config, pkgs, ... }: - -{ - # - # iptables - # - networking.firewall.enable = false; - system.activationScripts.iptables = - let - log = false; - when = c: f: if c then f else ""; - in - '' - ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - ipXtables() { ip4tables "$@"; ip6tables "$@"; } - - # - # nat - # - - # reset tables - ipXtables -t nat -F - ipXtables -t nat -X - - # - ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 - ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # - # filter - # - - # reset tables - ipXtables -P INPUT DROP - ipXtables -P FORWARD DROP - ipXtables -F - ipXtables -X - - # create custom chains - ipXtables -N Retiolum - - # INPUT - ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - ipXtables -A INPUT -j ACCEPT -i lo - ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW - ipXtables -A INPUT -j Retiolum -i retiolum - ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # FORWARD - ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # Retiolum - ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - - ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} - ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - ip6tables -A Retiolum -j REJECT -p udp --reject-with 
icmp6-port-unreachable - ip6tables -A Retiolum -j REJECT - - ''; -} diff --git a/modules/lass/urxvtd.nix b/modules/lass/urxvtd.nix new file mode 100644 index 0000000..a62e64a --- /dev/null +++ b/modules/lass/urxvtd.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +let + inherit (import ../../lib { inherit pkgs; }) shell-escape; + inherit (pkgs) writeScript; +in + +with builtins; +with lib; + +{ + options = { + services.urxvtd = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable urxvtd per user"; + }; + users = mkOption { + type = types.listOf types.string; + default = []; + description = "users to run urxvtd for"; + }; + urxvtPackage = mkOption { + type = types.package; + default = pkgs.rxvt_unicode; + description = "urxvt package to use"; + }; + xresources = mkOption { + type = types.string; + default = ""; + description = '' + X server resources for urxvt. + ''; + }; + }; + }; + + config = + let + cfg = config.services.urxvtd; + users = cfg.users; + urxvt = cfg.urxvtPackage; + mkService = user: { + description = "urxvt terminal daemon"; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = false; + path = [ pkgs.xlibs.xrdb ]; + environment = { + DISPLAY = ":0"; + URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl"; + }; + serviceConfig = { + Restart = "always"; + User = user; + ExecStartPre = writeScript "urxvtd-prestart" '' + #!/bin/sh + echo ${shell-escape cfg.xresources} | xrdb -merge + ''; + ExecStart = "${urxvt}/bin/urxvtd"; + }; + }; + in + mkIf cfg.enable { + environment.systemPackages = [ urxvt ]; + systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); + }; +} diff --git a/modules/mu/default.nix b/modules/mu/default.nix new file mode 100644 index 0000000..baec9bf --- /dev/null +++ b/modules/mu/default.nix 
@@ -0,0 +1,477 @@ +# TODO maybe give RT-stuff only to group rt or sth. + +{ config, pkgs, ... }: + +let + lib = import ../../lib { inherit pkgs; }; + + inherit (lib) majmin; +in + +{ + imports = [ + + ../tv/exim-retiolum.nix + ../tv/retiolum.nix + ../tv/sanitize.nix + ]; + + time.timeZone = "Europe/Berlin"; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + + # hardware configuration + boot.initrd.luks.devices = [ + { name = "vgmu1"; device = "/dev/sda2"; } + ]; + boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ]; + boot.initrd.availableKernelModules = [ "ahci" ]; + #boot.kernelParams = [ + # "intel_pstate=enable" + #]; + boot.kernelModules = [ "fbcon" "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + #boot.kernelPackages = pkgs.linuxPackages_3_17; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + ''; + + fileSystems = { + "/" = { + device = "/dev/vgmu1/nixroot"; + fsType = "ext4"; + options = "defaults,noatime"; + }; + "/home" = { + device = "/dev/vgmu1/home"; + options = "defaults,noatime"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + swapDevices =[ ]; + + nix.maxJobs = 8; + nix.useChroot = true; + + nixpkgs.config.firefox.enableAdobeFlash = true; + nixpkgs.config.chromium.enablePepperFlash = true; + + nixpkgs.config.allowUnfree = true; + hardware.opengl.driSupport32Bit = true; + + hardware.pulseaudio.enable = true; + + hardware.enableAllFirmware = true; + + # Use the gummiboot efi boot loader. 
+ boot.loader.gummiboot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "mu"; + #networking.wireless.enable = true; + networking.networkmanager.enable = true; + + networking.extraHosts = '' + ''; + + #system.activationScripts.powertopTunables = + # '' + # #echo 1 > /sys/module/snd_hda_intel/parameters/power_save + # echo 1500 > /proc/sys/vm/dirty_writeback_centisecs + # (cd /sys/bus/pci/devices + # for i in *; do + # echo auto > $i/power/control # defaults to 'on' + # done) + # # TODO maybe do this via udev or systemd + # # ref https://wiki.archlinux.org/index.php/Wake-on-LAN + # # disable wol this cannot find ethtool + # # TODO (cd /sys/class/net + # # TODO for i in *; do + # # TODO if ethtool $i | grep -q Wake-on && + # # TODO ! ethtool $i | grep -q 'Wake-on: d'; then + # # TODO ethtool -s $i wol d + # # TODO fi + # # TODO done) + # ${pkgs.ethtool}/sbin/ethtool -s en0 wol d + # ''; + + environment.systemPackages = with pkgs; [ + slock + tinc + iptables + vim + gimp + xsane + firefoxWrapper + chromiumDev + skype + libreoffice + kde4.l10n.de + kde4.networkmanagement + pidgin-with-plugins + pidginotr + + kde4.print_manager + #foomatic_filters + #gutenprint + #cups_pdf_filter + #ghostscript + ]; + + + environment.etc."vim/vimrc".text = '' + set nocp + ''; + environment.etc."vim/vim${majmin pkgs.vim.version}".source = + "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}"; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + ''; + environment.variables.VIM = "/etc/vim"; + + i18n.defaultLocale = "de_DE.UTF-8"; + + environment.shellAliases = { + # alias cal='cal -m3' + bc = "bc -q"; + gp = "gp -q"; + df = "df -h"; + du = "du -h"; + # alias grep='grep --color=auto' + + # TODO alias cannot contain #\' + # "ps?" 
= "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep"; + + # alias la='ls -lA' + lAtr = "ls -lAtr"; + # alias ll='ls -l' + ls = "ls -h --color=auto --group-directories-first"; + # alias vim='vim -p' + # alias vi='vim' + # alias view='vim -R' + dmesg = "dmesg -L --reltime"; + }; + + + programs.bash = { + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + # TODO source bridge + ''; + promptInit = '' + case $UID in + 0) + PS1='\[\e[1;31m\]\w\[\e[0m\] ' + ;; + 1337) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + 2000) + PS1='\[\e[1;32m\]\w\[\e[0m\] ' + ;; + *) + PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' + ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\e[35m\]\h'" $PS1" + fi + ''; + }; + + + programs.ssh.startAgent = false; + + + security.setuidPrograms = [ + "sendmail" # for cron + "slock" + ]; + + security.pam.loginLimits = [ + # for jack + { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; } + { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; } + ]; + + #services.haveged.enable = true; + #security.rngd.enable = true; + + services.retiolum = { + enable = true; + hosts = /etc/nixos/hosts; + connectTo = [ + "gum" + "pigstarter" + ]; + }; + + security.rtkit.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + #services.dbus.enable = true; # rqd4 wpa_supplicant + + services.sshd.enable = true; + + # vixiecron sucks + services.cron.enable = false; + services.fcron.enable = true; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + #services.logind.extraConfig = '' + # HandleHibernateKey=ignore + # HandleLidSwitch=ignore + # HandlePowerKey=ignore + # HandleSuspendKey=ignore + #''; + #services.xserver.displayManager.desktopManagerHandlesLidAndPower = true; + + # Enable the OpenSSH daemon. 
+ services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + # Enable CUPS to print documents. + # services.printing.enable = true; + services.printing = { + enable = true; + #drivers = [ + # #pkgs.foomatic_filters + # #pkgs.gutenprint + # #pkgs.cups_pdf_filter + # #pkgs.ghostscript + #]; + #cupsdConf = '' + # LogLevel debug2 + #''; + }; + + # Enable the X11 windowing system. + services.xserver.enable = true; + #services.xserver.display = 11; + #services.xserver.tty = 11; + services.xserver.layout = "de"; + services.xserver.xkbOptions = "eurosign:e"; + + # TODO this is host specific + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + #accelFactor = "0.035"; + #additionalOptions = '' + # Option "FingerHigh" "60" + # Option "FingerLow" "60" + #''; + }; + + services.xserver.desktopManager.kde4.enable = true; + services.xserver.displayManager.auto = { + enable = true; + user = "vv"; + }; + + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.mutableUsers = false; + users.extraGroups = + { + }; + users.extraUsers = + { + tv = { + uid = 1337; + name = "tv"; + group = "users"; + home = "/home/tv"; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + createHome = true; + }; + + vv = { + uid = 2000; + name = "vv"; + home = "/home/vv"; + createHome = true; + group = "users"; + useDefaultShell = true; + extraGroups = [ + "audio" + "video" + "networkmanager" + ]; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" # does this work with mounted /tmp? 
+ ]; + + # TODO services.smartd + # TODO services.statsd + # TODO services.tor + # TODO write arandr + # TODO what does system.copySystemConfiguration (we need some kind of bku scheme) + # TODO systemd.timers instead of cron(??) + + virtualisation.libvirtd.enable = true; + + # + # iptables + # + networking.firewall.enable = false; + system.activationScripts.iptables = + let + log = false; + when = c: f: if c then f else ""; + in + '' + ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } + ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } + ipXtables() { ip4tables "$@"; ip6tables "$@"; } + + # + # nat + # + + # reset tables + ipXtables -t nat -F + ipXtables -t nat -X + + # + ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 + ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh + + # + # filter + # + + # reset tables + ipXtables -P INPUT DROP + ipXtables -P FORWARD DROP + ipXtables -F + ipXtables -X + + # create custom chains + ipXtables -N Retiolum + + # INPUT + ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + ipXtables -A INPUT -j ACCEPT -i lo + ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW + ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW + ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW + ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW + ipXtables -A INPUT -j Retiolum -i retiolum + ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} + + # FORWARD + ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} + + # Retiolum + ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request + ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request + + + ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} + ipXtables -A Retiolum -j REJECT -p tcp 
--reject-with tcp-reset + ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable + ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable + ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable + ip6tables -A Retiolum -j REJECT + + ''; + + + + + #system.replaceRuntimeDependencies = with pkgs; + # let + # bashVulnPatches = [ + # (fetchurl { + # url = "mirror://gnu/bash/bash-4.2-patches/bash42-048"; + # sha256 = "091xk1ms7ycnczsl3fx461gjhj69j6ycnfijlymwj6mj60ims6km"; + # }) + # (fetchurl { + # url = "file:///etc/nixos/bash-20140926.patch"; + # sha256 = "0gdwnimsbi4vh5l46krss4wjrgbch94skn4y2w3rpvb1w4jypha4"; + # }) + # ]; + # in + # [ + # { + # original = bash; + # replacement = pkgs.lib.overrideDerivation bash (oldAttrs: { + # patches = oldAttrs.patches ++ bashVulnPatches; + # }); + # } + # { + # original = bashInteractive; + # replacement = pkgs.lib.overrideDerivation bashInteractive (oldAttrs: { + # patches = oldAttrs.patches ++ bashVulnPatches; + # }); + # } + # { + # original = bitlbee; + # replacement = pkgs.lib.overrideDerivation bitlbee (oldAttrs: { + # configureFlags = [ + # "--gcov=1" + # "--otr=1" + # "--ssl=gnutls" + # ]; + # }); + # } + #]; + + +} diff --git a/modules/networking-cd.nix b/modules/networking-cd.nix deleted file mode 100644 index 215e208..0000000 --- a/modules/networking-cd.nix +++ /dev/null @@ -1,14 +0,0 @@ -{...}: -{ - networking.hostName = "cd"; - networking.interfaces.enp2s1.ip4 = [ - { - address = "162.219.7.216"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "162.219.7.1"; - networking.nameservers = [ - "8.8.8.8" - ]; -} diff --git a/modules/nginx.nix b/modules/nginx.nix deleted file mode 100644 index 8b42061..0000000 --- a/modules/nginx.nix +++ /dev/null 
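Review bot: The INPUT chain in the `system.activationScripts.iptables` block of modules/mu/default.nix accepts new TCP connections to `smtp`, `http` and `tinc` on every interface, yet this host is configured as a mobile machine (`networking.networkmanager.enable = true`, a `wl0` wireless udev rule) that imports `../tv/exim-retiolum.nix`; if that file is the former modules/exim.nix removed in this same commit (the 126-line sizes match), its `relay_to_domains = *.retiolum` plus the `require message = relay not permitted` rule accept mail for any retiolum domain from any connecting host, so anyone sharing a wifi network with this laptop could inject mail into the overlay. Nothing in this file configures a web server either, so the `http` accept looks like dead surface. I would bind the SMTP accept to the overlay, `ipXtables -A INPUT -j ACCEPT -i retiolum -p tcp --dport smtp -m conntrack --ctstate NEW`, and drop the `http` line unless a listener is intended here. Separately, the script flushes every chain with `ipXtables -F` / `ipXtables -X` and sets `FORWARD` to DROP while `virtualisation.libvirtd.enable = true`, which presumably discards libvirt's own NAT/forward rules each time the activation script runs; if that is intentional it deserves a comment on the flush lines, otherwise the flush should be scoped to the chains this script owns.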
@@ -1,30 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.nginx = - let - name = config.networking.hostName; - qname = "${name}.retiolum"; - in - { - enable = true; - httpConfig = '' - sendfile on; - server { - listen 80; - server_name ${name} ${qname} localhost; - root /srv/http/${name}; - location ~ ^/~(.+?)(/.*)?$ { - alias /home/$1/public_html$2; - } - } - types { - text/css css; - text/html html; - image/svg+xml svg; - } - default_type text/html; - charset utf-8; - ''; - }; -} diff --git a/modules/retiolum.nix b/modules/retiolum.nix deleted file mode 100644 index 578547a..0000000 --- a/modules/retiolum.nix +++ /dev/null 
@@ -1,228 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -{ - - ###### interface - - options = { - services.retiolum = { - - enable = mkOption { - type = types.bool; - default = false; - description = "Enable tinc daemon for Retiolum."; - }; - - name = mkOption { - type = types.string; - default = config.networking.hostName; - # Description stolen from tinc.conf(5). - description = '' - This is the name which identifies this tinc daemon. It must - be unique for the virtual private network this daemon will - connect to. The Name may only consist of alphanumeric and - underscore characters. If Name starts with a $, then the - contents of the environment variable that follows will be - used. In that case, invalid characters will be converted to - underscores. If Name is $HOST, but no such environment - variable exist, the hostname will be read using the - gethostnname() system call This is the name which identifies - the this tinc daemon. - ''; - }; - - generateEtcHosts = mkOption { - type = types.string; - default = "both"; - description = '' - If set to short, long, or both, - then generate entries in /etc/hosts from subnets. - ''; - }; - - network = mkOption { - type = types.string; - default = "retiolum"; - description = '' - The tinc network name. - It is used to generate long host entries, - derive the name of the user account under which tincd runs, - and name the TUN device. - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; - }; - - hosts = mkOption { - default = null; - description = '' - Hosts package or path to use. - If a path is given, then it will be used to generate an ad-hoc package. - ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... 
- type = types.string; - default = "/etc/tinc/retiolum/rsa_key.priv"; - description = "Generate file with tincd -K."; - }; - - connectTo = mkOption { - type = types.listOf types.string; - default = [ "fastpoke" "pigstarter" "kheurop" ]; - description = "TODO describe me"; - }; - - }; - }; - - - ###### implementation - - config = - let - cfg = config.services.retiolum; - tinc = cfg.tincPackage; - hostsType = builtins.typeOf cfg.hosts; - hosts = - if hostsType == "package" then - # use package as is - cfg.hosts - else if hostsType == "path" then - # use path to generate a package - pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out - ''; - } - else - abort "The option `services.retiolum.hosts' must be set to a package or a path" - ; - iproute = cfg.iproutePackage; - - retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" - { } - '' - generate() { - (cd ${hosts} - printf \'\' - for i in `ls`; do - names=$(hostnames $i) - for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do - names="$names $(hostnames $j)" - done - sed -En ' - s|^ *Subnet *= *([^ /]*)(/[0-9]*)? 
*$|\1 '"$names"'|p - ' $i - done | sort - printf \'\' - ) - } - - case ${cfg.generateEtcHosts} in - short) - hostnames() { echo "$1"; } - generate - ;; - long) - hostnames() { echo "$1.${cfg.network}"; } - generate - ;; - both) - hostnames() { echo "$1.${cfg.network} $1"; } - generate - ;; - *) - echo '""' - ;; - esac > $out - ''); - - - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${hosts} $out/hosts - - cat > $out/tinc.conf < $out/tinc-up <&2 - exit 23 - ''; - - rebuild = - '' - nixpkgs=''${nixpkgs-/home/tv/src/nixpkgs} - nixos-rebuild \ - --show-trace \ - -I nixpkgs="$nixpkgs" \ - switch \ - 2>&1 \ - | sed ${shell-escape '' - s|"\(/home/tv/src/config/[^":]*\)"|\1| - s|^trace:\s*\(.*\)|\1| - ''} - ''; - - }; - - wrap = script: - '' - #! /bin/sh - set -euf - ${script} - ''; - #lib=$lib - #export PATH=$bin:${makeSearchPath "bin" buildInputs} - - buildScript = name: script: - builtins.trace "building ${name}" - '' - echo ${shell-escape script} > $bin/${shell-escape name} - chmod +x $bin/${shell-escape name} - ''; - - - - tools = pkgs.stdenv.mkDerivation rec { - name = "tools"; - src = /var/empty; - - buildInputs = []; - - - buildPhase = - '' - mkdir $out - - bin=$out/bin - mkdir $bin - - ${concatStringsSep "\n" (attrValues (mapAttrs buildScript scripts))} - - ''; - #'' - #mkdir $out - - #lib=$out/lib - #cp -r lib $lib - - #bin=$out/bin - #mkdir $bin - #${concatStringsSep "\n" (attrValues (mapAttrs (name: script: - # '' - # { - # echo '#! /bin/sh' - # echo 'set -euf' - # echo "lib=$lib" - # echo "export PATH=$bin:${makeSearchPath "bin" buildInputs}" - # echo ${shell-escape script} - # } > $bin/${name} - # chmod +x $bin/${name} - # '') scripts))} - #''; - installPhase = ":"; - }; - -in - -{ - environment.systemPackages = [ tools ]; -} 
diff --git a/modules/tv/base-cac-CentOS-7-64bit.nix b/modules/tv/base-cac-CentOS-7-64bit.nix
new file mode 100644
index 0000000..42ab481
--- /dev/null
+++ b/modules/tv/base-cac-CentOS-7-64bit.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+}
+
diff --git a/modules/tv/base.nix b/modules/tv/base.nix
new file mode 100644
index 0000000..76c8b89
--- /dev/null
+++ b/modules/tv/base.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+ time.timeZone = "Europe/Berlin";
+
+ nix.maxJobs = 8;
+ nix.useChroot = true;
+ # TODO check if both are required:
+ nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+
+}
diff --git a/modules/tv/ejabberd.nix b/modules/tv/ejabberd.nix
new file mode 100644
index 0000000..e836d2c
--- /dev/null
+++ b/modules/tv/ejabberd.nix
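Review bot: `nix.trustedBinaryCaches` in base.nix lists `http://cache.nixos.org` and `http://hydra.nixos.org` alongside the https entry, so a user who selects one of the plain-http URLs fetches substitutes over a connection that anyone on the path can tamper with; whether tampering is caught depends on the Nix version enforcing signed narinfo files, which this module does not configure, so I would keep only `"https://cache.nixos.org"` in the list. The `# TODO check if both are required:` comment above `nix.chrootDirs` would be more useful resolved, or reworded to say why `/etc/protocols` and `pkgs.iana_etc.outPath` are both bind-mounted into the build chroot.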
@@ -0,0 +1,856 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) ejabberd writeScript writeScriptBin utillinux; + inherit (lib) makeSearchPath; + + cfg = config.services.ejabberd-cd; + + + +in + +{ + + ####### interface + + options = { + + services.ejabberd-cd = { + + enable = mkOption { + default = false; + description = "Whether to enable ejabberd server"; + }; + + config = mkOption { + type = types.string; + default = ""; + description = '' + TODO + ''; + }; + + user = mkOption { + type = types.string; + default = "ejabberd"; + description = '' + TODO + ''; + }; + + group = mkOption { + type = types.string; + default = "ejabberd"; + description = '' + TODO + ''; + }; + + + # spoolDir = mkOption { + # default = "/var/lib/ejabberd"; + # description = "Location of the spooldir of ejabberd"; + # }; + + # logsDir = mkOption { + # default = "/var/log/ejabberd"; + # description = "Location of the logfile directory of ejabberd"; + # }; + + # confDir = mkOption { + # default = "/var/ejabberd"; + # description = "Location of the config directory of ejabberd"; + # }; + + # virtualHosts = mkOption { + # default = "\"localhost\""; + # description = "Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas"; + # }; + + # loadDumps = mkOption { + # default = []; + # description = "Configuration dump that should be loaded on the first startup"; + # example = literalExample "[ ./myejabberd.dump ]"; + # }; + + # config + }; + + }; + + + ####### implementation + + config = + let + my-ejabberdctl = writeScriptBin "ejabberdctl" '' + #! 
/bin/sh + set -euf + exec env \ + SPOOLDIR=/var/ejabberd \ + EJABBERD_CONFIG_PATH=/etc/ejabberd.cfg \ + ${ejabberd}/bin/ejabberdctl \ + --logs /var/ejabberd \ + "$@" + ''; + in + mkIf cfg.enable { + #environment.systemPackages = [ pkgs.ejabberd ]; + + environment = { + etc."ejabberd.cfg".text = '' + %%% + %%% ejabberd configuration file + %%% + %%%' + + %%% The parameters used in this configuration file are explained in more detail + %%% in the ejabberd Installation and Operation Guide. + %%% Please consult the Guide in case of doubts, it is included with + %%% your copy of ejabberd, and is also available online at + %%% http://www.process-one.net/en/ejabberd/docs/ + + %%% This configuration file contains Erlang terms. + %%% In case you want to understand the syntax, here are the concepts: + %%% + %%% - The character to comment a line is % + %%% + %%% - Each term ends in a dot, for example: + %%% override_global. + %%% + %%% - A tuple has a fixed definition, its elements are + %%% enclosed in {}, and separated with commas: + %%% {loglevel, 4}. + %%% + %%% - A list can have as many elements as you want, + %%% and is enclosed in [], for example: + %%% [http_poll, web_admin, tls] + %%% + %%% - A keyword of ejabberd is a word in lowercase. + %%% Strings are enclosed in "" and can contain spaces, dots, ... + %%% {language, "en"}. + %%% {ldap_rootdn, "dc=example,dc=com"}. + %%% + %%% - This term includes a tuple, a keyword, a list, and two strings: + %%% {hosts, ["jabber.example.net", "im.example.com"]}. + %%% + + + %%%. ======================= + %%%' OVERRIDE STORED OPTIONS + + %% + %% Override the old values stored in the database. + %% + + %% + %% Override global options (shared by all ejabberd nodes in a cluster). + %% + %%override_global. + + %% + %% Override local options (specific for this particular ejabberd node). + %% + %%override_local. + + %% + %% Remove the Access Control Lists before new ones are added. + %% + %%override_acls. + + + %%%. 
========= + %%%' DEBUGGING + + %% + %% loglevel: Verbosity of log files generated by ejabberd. + %% 0: No ejabberd log at all (not recommended) + %% 1: Critical + %% 2: Error + %% 3: Warning + %% 4: Info + %% 5: Debug + %% + {loglevel, 3}. + + %% + %% watchdog_admins: Only useful for developers: if an ejabberd process + %% consumes a lot of memory, send live notifications to these XMPP + %% accounts. + %% + %%{watchdog_admins, ["bob@example.com"]}. + + + %%%. ================ + %%%' SERVED HOSTNAMES + + %% + %% hosts: Domains served by ejabberd. + %% You can define one or several, for example: + %% {hosts, ["example.net", "example.com", "example.org"]}. + %% + {hosts, ["jabber.viljetic.de"]}. + + %% + %% route_subdomains: Delegate subdomains to other XMPP servers. + %% For example, if this ejabberd serves example.org and you want + %% to allow communication with an XMPP server called im.example.org. + %% + %%{route_subdomains, s2s}. + + + %%%. =============== + %%%' LISTENING PORTS + + %% + %% listen: The ports ejabberd will listen on, which service each is handled + %% by and what options to start it with. + %% + {listen, + [ + + {5222, ejabberd_c2s, [ + + %% + %% If TLS is compiled in and you installed a SSL + %% certificate, specify the full path to the + %% file and uncomment this line: + %% + starttls, + {certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}, + + {access, c2s}, + {shaper, c2s_shaper}, + {max_stanza_size, 65536} + ]}, + + {5269, ejabberd_s2s_in, [ + {shaper, s2s_shaper}, + {max_stanza_size, 131072} + ]}, + + %% + %% ejabberd_service: Interact with external components (transports, ...) 
+ %% + %%{8888, ejabberd_service, [ + %% {access, all}, + %% {shaper_rule, fast}, + %% {ip, {127, 0, 0, 1}}, + %% {hosts, ["icq.example.org", "sms.example.org"], + %% [{password, "secret"}] + %% } + %% ]}, + + %% + %% ejabberd_stun: Handles STUN Binding requests + %% + %%{{3478, udp}, ejabberd_stun, []}, + + {5280, ejabberd_http, [ + %%{request_handlers, + %% [ + %% {["pub", "archive"], mod_http_fileserver} + %% ]}, + captcha, + http_bind, + http_poll, + %%register, + web_admin + ]} + + ]}. + + %% + %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. + %% Allowed values are: false optional required required_trusted + %% You must specify a certificate file. + %% + {s2s_use_starttls, required}. + + %% + %% s2s_certfile: Specify a certificate file. + %% + {s2s_certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}. + + %% + %% domain_certfile: Specify a different certificate for each served hostname. + %% + %%{domain_certfile, "example.org", "/path/to/example_org.pem"}. + %%{domain_certfile, "example.com", "/path/to/example_com.pem"}. + + %% + %% S2S whitelist or blacklist + %% + %% Default s2s policy for undefined hosts. + %% + %%{s2s_default_policy, allow}. + + %% + %% Allow or deny communication with specific servers. + %% + %%{{s2s_host, "goodhost.org"}, allow}. + %%{{s2s_host, "badhost.org"}, deny}. + + %% + %% Outgoing S2S options + %% + %% Preferred address families (which to try first) and connect timeout + %% in milliseconds. + %% + %%{outgoing_s2s_options, [ipv4, ipv6], 10000}. + + + %%%. ============== + %%%' AUTHENTICATION + + %% + %% auth_method: Method used to authenticate the users. + %% The default method is the internal. + %% If you want to use a different method, + %% comment this line and enable the correct ones. + %% + {auth_method, internal}. + %% + %% Store the plain passwords or hashed for SCRAM: + %%{auth_password_format, plain}. + %%{auth_password_format, scram}. 
+ %% + %% Define the FQDN if ejabberd doesn't detect it: + %%{fqdn, "server3.example.com"}. + + %% + %% Authentication using external script + %% Make sure the script is executable by ejabberd. + %% + %%{auth_method, external}. + %{extauth_program, "$ {ejabberd-auth}"}. + + %% + %% Authentication using ODBC + %% Remember to setup a database in the next section. + %% + %%{auth_method, odbc}. + + %% + %% Authentication using PAM + %% + %%{auth_method, pam}. + %%{pam_service, "pamservicename"}. + + %% + %% Authentication using LDAP + %% + %%{auth_method, ldap}. + %% + %% List of LDAP servers: + %%{ldap_servers, ["localhost"]}. + %% + %% Encryption of connection to LDAP servers: + %%{ldap_encrypt, none}. + %%{ldap_encrypt, tls}. + %% + %% Port to connect to on LDAP servers: + %%{ldap_port, 389}. + %%{ldap_port, 636}. + %% + %% LDAP manager: + %%{ldap_rootdn, "dc=example,dc=com"}. + %% + %% Password of LDAP manager: + %%{ldap_password, "******"}. + %% + %% Search base of LDAP directory: + %%{ldap_base, "dc=example,dc=com"}. + %% + %% LDAP attribute that holds user ID: + %%{ldap_uids, [{"mail", "%u@mail.example.org"}]}. + %% + %% LDAP filter: + %%{ldap_filter, "(objectClass=shadowAccount)"}. + + %% + %% Anonymous login support: + %% auth_method: anonymous + %% anonymous_protocol: sasl_anon | login_anon | both + %% allow_multiple_connections: true | false + %% + %%{host_config, "public.example.org", [{auth_method, anonymous}, + %% {allow_multiple_connections, false}, + %% {anonymous_protocol, sasl_anon}]}. + %% + %% To use both anonymous and internal authentication: + %% + %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}. + + + %%%. ============== + %%%' DATABASE SETUP + + %% ejabberd by default uses the internal Mnesia database, + %% so you do not necessarily need this section. + %% This section provides configuration examples in case + %% you want to use other database backends. 
+ %% Please consult the ejabberd Guide for details on database creation. + + %% + %% MySQL server: + %% + %%{odbc_server, {mysql, "server", "database", "username", "password"}}. + %% + %% If you want to specify the port: + %%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}. + + %% + %% PostgreSQL server: + %% + %%{odbc_server, {pgsql, "server", "database", "username", "password"}}. + %% + %% If you want to specify the port: + %%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}. + %% + %% If you use PostgreSQL, have a large database, and need a + %% faster but inexact replacement for "select count(*) from users" + %% + %%{pgsql_users_number_estimate, true}. + + %% + %% ODBC compatible or MSSQL server: + %% + %%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}. + + %% + %% Number of connections to open to the database for each virtual host + %% + %%{odbc_pool_size, 10}. + + %% + %% Interval to make a dummy SQL request to keep the connections to the + %% database alive. Specify in seconds: for example 28800 means 8 hours + %% + %%{odbc_keepalive_interval, undefined}. + + + %%%. =============== + %%%' TRAFFIC SHAPERS + + %% + %% The "normal" shaper limits traffic speed to 1000 B/s + %% + {shaper, normal, {maxrate, 1000}}. + + %% + %% The "fast" shaper limits traffic speed to 50000 B/s + %% + {shaper, fast, {maxrate, 50000}}. + + %% + %% This option specifies the maximum number of elements in the queue + %% of the FSM. Refer to the documentation for details. + %% + {max_fsm_queue, 1000}. + + + %%%. ==================== + %%%' ACCESS CONTROL LISTS + + %% + %% The 'admin' ACL grants administrative privileges to XMPP accounts. + %% You can put here as many accounts as you want. + %% + %%{acl, admin, {user, "aleksey", "localhost"}}. + %%{acl, admin, {user, "ermine", "example.org"}}. + + %% + %% Blocked users + %% + %%{acl, blocked, {user, "baduser", "example.org"}}. + %%{acl, blocked, {user, "test"}}. 
+ + %% + %% Local users: don't modify this line. + %% + {acl, local, {user_regexp, ""}}. + + %% + %% More examples of ACLs + %% + %%{acl, jabberorg, {server, "jabber.org"}}. + %%{acl, aleksey, {user, "aleksey", "jabber.ru"}}. + %%{acl, test, {user_regexp, "^test"}}. + %%{acl, test, {user_glob, "test*"}}. + + %% + %% Define specific ACLs in a virtual host. + %% + %%{host_config, "localhost", + %% [ + %% {acl, admin, {user, "bob-local", "localhost"}} + %% ] + %%}. + + + %%%. ============ + %%%' ACCESS RULES + + %% Maximum number of simultaneous sessions allowed for a single user: + {access, max_user_sessions, [{10, all}]}. + + %% Maximum number of offline messages that users can have: + {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. + + %% This rule allows access only for local users: + {access, local, [{allow, local}]}. + + %% Only non-blocked users can use c2s connections: + {access, c2s, [{deny, blocked}, + {allow, all}]}. + + %% For C2S connections, all users except admins use the "normal" shaper + {access, c2s_shaper, [{none, admin}, + {normal, all}]}. + + %% All S2S connections use the "fast" shaper + {access, s2s_shaper, [{fast, all}]}. + + %% Only admins can send announcement messages: + {access, announce, [{allow, admin}]}. + + %% Only admins can use the configuration interface: + {access, configure, [{allow, admin}]}. + + %% Admins of this server are also admins of the MUC service: + {access, muc_admin, [{allow, admin}]}. + + %% Only accounts of the local ejabberd server can create rooms: + {access, muc_create, [{allow, local}]}. + + %% All users are allowed to use the MUC service: + {access, muc, [{allow, all}]}. + + %% Only accounts on the local ejabberd server can create Pubsub nodes: + {access, pubsub_createnode, [{allow, local}]}. + + %% In-band registration allows registration of any possible username. + %% To disable in-band registration, replace 'allow' with 'deny'. + {access, register, [{allow, all}]}. 
+ + %% By default the frequency of account registrations from the same IP + %% is limited to 1 account every 10 minutes. To disable, specify: infinity + %%{registration_timeout, 600}. + + %% + %% Define specific Access Rules in a virtual host. + %% + %%{host_config, "localhost", + %% [ + %% {access, c2s, [{allow, admin}, {deny, all}]}, + %% {access, register, [{deny, all}]} + %% ] + %%}. + + + %%%. ================ + %%%' DEFAULT LANGUAGE + + %% + %% language: Default language used for server messages. + %% + {language, "en"}. + + %% + %% Set a different default language in a virtual host. + %% + %%{host_config, "localhost", + %% [{language, "ru"}] + %%}. + + + %%%. ======= + %%%' CAPTCHA + + %% + %% Full path to a script that generates the image. + %% + %%{captcha_cmd, "/lib/ejabberd/priv/bin/captcha.sh"}. + + %% + %% Host for the URL and port where ejabberd listens for CAPTCHA requests. + %% + %%{captcha_host, "example.org:5280"}. + + %% + %% Limit CAPTCHA calls per minute for JID/IP to avoid DoS. + %% + %%{captcha_limit, 5}. + + %%%. ======= + %%%' MODULES + + %% + %% Modules enabled in all ejabberd virtual hosts. 
+ %% + {modules, + [ + {mod_adhoc, []}, + {mod_announce, [{access, announce}]}, % recommends mod_adhoc + {mod_blocking,[]}, % requires mod_privacy + {mod_caps, []}, + {mod_configure,[]}, % requires mod_adhoc + {mod_disco, []}, + %%{mod_echo, [{host, "echo.localhost"}]}, + {mod_irc, []}, + {mod_http_bind, []}, + %%{mod_http_fileserver, [ + %% {docroot, "/var/www"}, + %% {accesslog, "/var/log/ejabberd/access.log"} + %% ]}, + {mod_last, []}, + {mod_muc, [ + %%{host, "conference.@HOST@"}, + {access, muc}, + {access_create, muc_create}, + {access_persistent, muc_create}, + {access_admin, muc_admin} + ]}, + %%{mod_muc_log,[]}, + {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, + {mod_ping, []}, + %%{mod_pres_counter,[{count, 5}, {interval, 60}]}, + {mod_privacy, []}, + {mod_private, []}, + %%{mod_proxy65,[]}, + {mod_pubsub, [ + {access_createnode, pubsub_createnode}, + {ignore_pep_from_offline, true}, % reduces resource comsumption, but XEP incompliant + %%{ignore_pep_from_offline, false}, % XEP compliant, but increases resource comsumption + {last_item_cache, false}, + {plugins, ["flat", "hometree", "pep"]} % pep requires mod_caps + ]}, + {mod_register, [ + %% + %% Protect In-Band account registrations with CAPTCHA. + %% + %%{captcha_protected, true}, + + %% + %% Set the minimum informational entropy for passwords. + %% + %%{password_strength, 32}, + + %% + %% After successful registration, the user receives + %% a message with this subject and body. + %% + {welcome_message, {"Welcome!", + "Hi.\nWelcome to this XMPP server."}}, + + %% + %% When a user registers, send a notification to + %% these XMPP accounts. 
+ %% + %%{registration_watchers, ["admin1@example.org"]}, + + %% + %% Only clients in the server machine can register accounts + %% + {ip_access, [{allow, "127.0.0.0/8"}, + {deny, "0.0.0.0/0"}]}, + + %% + %% Local c2s or remote s2s users cannot register accounts + %% + %%{access_from, deny}, + + {access, register} + ]}, + %%{mod_register_web, [ + %% + %% When a user registers, send a notification to + %% these XMPP accounts. + %% + %%{registration_watchers, ["admin1@example.org"]} + %% ]}, + {mod_roster, []}, + %%{mod_service_log,[]}, + {mod_shared_roster,[]}, + {mod_stats, []}, + {mod_time, []}, + {mod_vcard, []}, + {mod_version, []} + ]}. + + %% + %% Enable modules with custom options in a specific virtual host + %% + %%{host_config, "localhost", + %% [{{add, modules}, + %% [ + %% {mod_echo, [{host, "mirror.localhost"}]} + %% ] + %% } + %% ]}. + + + %%%. + %%%' + + %%% $Id$ + + %%% Local Variables: + %%% mode: erlang + %%% End: + %%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. 
foldmethod=marker: + ''; + # TODO properly configured wrapper + systemPackages = [ my-ejabberdctl ]; + }; + #exim_user = ${cfg.user} + #exim_group = ${cfg.group} + #exim_path = /var/setuid-wrappers/exim + #spool_directory = ${cfg.spoolDir} + #${cfg.config} + + users.extraUsers = singleton { + name = "ejabberd"; + description = "TODO"; + uid = 405222; + group = "ejabberd"; + home = "/var/ejabberd"; + createHome = true; + }; + + users.extraGroups = singleton { + name = "ejabberd"; + gid = 405222; + }; + + #security.setuidPrograms = [ "exim" ]; + + systemd.services.ejabberd = { + description = "ejabberd XMPP Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + reloadIfChanged = true; + serviceConfig = { + ExecStart = "${my-ejabberdctl}/bin/ejabberdctl start"; + ExecStop = "${my-ejabberdctl}/bin/ejabberdctl stop"; + ExecReload = "${my-ejabberdctl}/bin/ejabberdctl restart"; + Type = "oneshot"; + RemainAfterExit = "yes"; + RestartSec = 5; + LimitNOFILE = 16000; + User = "ejabberd"; + Group = "ejabberd"; + }; + }; + + systemd.services.ejabberd-prepare = { + description = "ejabberd XMPP Preparetion Service"; + requiredBy = [ "ejabberd.service" ]; + serviceConfig = { + Type = "oneshot"; + RestartSec = 5; + ExecStart = "${writeScript "ejabberd-prepare" + '' + #! 
/bin/sh + set -euf + chown ejabberd: /etc/nixos/secrets/ejabberd.cd.retiolum.pem + '' + }"; + }; + }; + + + + }; + + #config = mkIf cfg.enable { + # environment.systemPackages = [ pkgs.ejabberd ]; + + # jobs.ejabberd = + # { description = "EJabberd server"; + + # startOn = "started network-interfaces"; + # stopOn = "stopping network-interfaces"; + + # environment = { + # PATH = "$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin"; + # }; + + # preStart = + # '' + # PATH="$PATH:${pkgs.ejabberd}/sbin:${pkgs.ejabberd}/bin:${pkgs.coreutils}/bin:${pkgs.bash}/bin:${pkgs.gnused}/bin"; + # + # # Initialise state data + # mkdir -p ${cfg.logsDir} + + # if ! test -d ${cfg.spoolDir} + # then + # initialize=1 + # cp -av ${pkgs.ejabberd}/var/lib/ejabberd /var/lib + # fi + + # #if ! test -d ${cfg.confDir} + # #then + # # mkdir -p ${cfg.confDir} + # # cp ${pkgs.ejabberd}/etc/ejabberd/* ${cfg.confDir} + # # sed -e 's|{hosts, \["localhost"\]}.|{hosts, \[${cfg.virtualHosts}\]}.|' ${pkgs.ejabberd}/etc/ejabberd/ejabberd.cfg > ${cfg.confDir}/ejabberd.cfg + # #fi + # mkdir -p ${cfg.confDir} + + + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} start + + # ${if cfg.loadDumps == [] then "" else + # '' + # if [ "$initialize" = "1" ] + # then + # # Wait until the ejabberd server is available for use + # count=0 + # while ! ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} status + # do + # if [ $count -eq 30 ] + # then + # echo "Tried 30 times, giving up..." + # exit 1 + # fi + + # echo "Ejabberd daemon not yet started. Waiting for 1 second..." 
+ # count=$((count++)) + # sleep 1 + # done + + # ${concatMapStrings (dump: + # '' + # echo "Importing dump: ${dump}" + + # if [ -f ${dump} ] + # then + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load ${dump} + # elif [ -d ${dump} ] + # then + # for i in ${dump}/ejabberd-dump/* + # do + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} load $i + # done + # fi + # '') cfg.loadDumps} + # fi + # ''} + # ''; + + # postStop = + # '' + # ejabberdctl --config-dir ${cfg.confDir} --logs ${cfg.logsDir} --spool ${cfg.spoolDir} stop + # ''; + # }; + + # security.pam.services.ejabberd = {}; + + #}; + +} diff --git a/modules/tv/exim-retiolum.nix b/modules/tv/exim-retiolum.nix new file mode 100644 index 0000000..e80358f --- /dev/null +++ b/modules/tv/exim-retiolum.nix 
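Review bot: The ejabberd-prepare unit only changes the owner of `/etc/nixos/secrets/ejabberd.cd.retiolum.pem`, so whatever mode the file arrived with is kept, and since the same file is the c2s `certfile` and the `s2s_certfile` it carries the private key; tighten it in the same script with `chown ejabberd: /etc/nixos/secrets/ejabberd.cd.retiolum.pem` followed by `chmod 0400 /etc/nixos/secrets/ejabberd.cd.retiolum.pem`. Both `auth_password_format` lines stay commented out, which as far as I recall leaves ejabberd of this vintage storing plaintext passwords in Mnesia; `{auth_password_format, scram}.` is easiest to switch on before any accounts exist. The 5280 `ejabberd_http` listener enables `web_admin` without a `tls` flag or an `{ip, ...}` restriction, so the admin login form is served in plaintext on every interface; no `admin` ACL is defined so nobody can log in as is, but it is worth binding it to localhost or dropping `web_admin` until it is needed.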
@@ -0,0 +1,126 @@ +{ config, pkgs, ... }: + +{ + services.exim = + # This configuration makes only sense for retiolum-enabled hosts. + # TODO modular configuration + assert config.services.retiolum.enable; + let + # TODO get the hostname from config.services.retiolum. + retiolumHostname = "${config.networking.hostName}.retiolum"; + in + { enable = true; + config = '' + primary_hostname = ${retiolumHostname} + domainlist local_domains = @ : localhost + domainlist relay_to_domains = *.retiolum + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + host_lookup = * + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + accept hosts = : + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require verify = recipient + + accept + + + acl_check_data: + accept + + + begin routers + + retiolum: + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = remote_smtp + route_list = ^.* $0 byname + no_more + + nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! 
+local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + + local_user: + # debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + + begin transports + + remote_smtp: + driver = smtp + + home_maildir: + driver = appendfile + maildir_format + directory = $home/Maildir + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + # group = mail + # mode = 0660 + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + + begin authenticators + ''; + }; +} diff --git a/modules/tv/exim-smarthost.nix b/modules/tv/exim-smarthost.nix new file mode 100644 index 0000000..a4c47b3 --- /dev/null +++ b/modules/tv/exim-smarthost.nix 
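Review bot: `acl_check_rcpt` accepts any recipient in `+relay_to_domains` (`*.retiolum`) from any connecting host, because the only gate before the final `accept` is `require domains = +local_domains : +relay_to_domains` plus recipient verification, and the `retiolum` router with `route_list = ^.* $0 byname` then delivers to whichever `*.retiolum` host the sender named; on a machine whose port 25 is reachable from the internet that is an open relay into the VPN. The commented-out `#accept hosts = *.retiolum / domains = *.retiolum` block shows the intended restriction; I would reinstate an `accept` for retiolum-sourced hosts (a hostlist of the VPN address range is more robust than a reverse-name match) ahead of the `require`, and narrow that `require` to `domains = +local_domains` so outside senders can only reach local mailboxes. `rfc1413_hosts = *` with a 5s timeout makes every SMTP connection pay an ident round-trip to the client, which is a cheap slowdown vector and yields nothing trustworthy; `rfc1413_query_timeout = 0s` disables it. exim-smarthost.nix in the same commit sets `never_users = root` while this configuration does not; unless the package is built with FIXED_NEVER_USERS it is worth adding here for consistency.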
@@ -0,0 +1,474 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) toFile; + inherit (pkgs.lib.attrsets) mapAttrs; + inherit (pkgs.lib.strings) concatMapStringsSep; +in + +{ + services.exim = + let + retiolumHostname = "${config.networking.hostName}.retiolum"; + + internet-aliases = [ + { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } + + # (mindestens) lisp-stammtisch und elli haben die: + { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } + + { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } + + { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } + + # TODO killme (wo wird die benutzt?) + { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } + + { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } + ]; + + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "tv"; } + { from = "mirko"; to = "mv"; } + ]; + + to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}"); + lsearch = + mapAttrs (name: set: toFile name (to-lsearch set)) { + inherit internet-aliases; + inherit system-aliases; + }; + in + { + enable = true; + config = + '' + primary_hostname = ${retiolumHostname} + + # HOST_REDIR contains the real destinations for "local_domains". + #HOST_REDIR = /etc/exim4/host_redirect + + + # Domains not listed in local_domains need to be deliverable remotely. + # XXX We abuse local_domains to mean "domains, we're the gateway for". 
+ domainlist local_domains = @ : localhost + #: viljetic.de : SHACK_REDIR_HOSTNAME + domainlist relay_to_domains = + hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37 + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data + + # av_scanner = clamd:/tmp/clamd + # spamd_address = 127.0.0.1 783 + + # tls_advertise_hosts = * + # tls_certificate = /etc/ssl/exim.crt + # tls_privatekey = /etc/ssl/exim.pem + # (debian) tls_verify_certificates (to check client certs) + + # daemon_smtp_ports = 25 : 465 : 587 + # tls_on_connect_ports = 465 + + # qualify_domain defaults to primary_hostname + # qualify_recipient defaults to qualify_domain + + # allow_domain_literals + + never_users = root + + host_lookup = * + + # ident callbacks for all incoming SMTP calls + rfc1413_hosts = * + rfc1413_query_timeout = 5s + + # sender_unqualified_hosts = + # recipient_unqualified_hosts = + + # percent_hack_domains = + + # arch & debian + #ignore_bounce_errors_after = 2d + #timeout_frozen_after = 7d + # debian + #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full + #freeze_tell = postmaster + #trusted_users = uucp + # arch + #split_spool_directory = true + + log_selector = -queue_run +address_rewrite +all_parents +queue_time + log_file_path = syslog + syslog_timestamp = false + syslog_duplication = false + + begin acl + + acl_check_rcpt: + # Accept if the source is local SMTP (i.e. not over TCP/IP). + # We do this by testing for an empty sending host field. + accept hosts = : + # arch & debian: + control = dkim_disable_verify + + deny message = Restricted characters in address + domains = +local_domains + local_parts = ^[.] : ^.*[@%!/|] + + deny message = Restricted characters in address + domains = !+local_domains + local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ + + accept local_parts = postmaster + domains = +local_domains + + ## feature RETIOLUM_MAIL + #accept + # hosts = *.retiolum + # domains = *.retiolum + # control = dkim_disable_verify + + #require verify = sender + + accept hosts = +relay_from_hosts + control = submission + # debian: control = submission/sender_retain + # arch & debian: + control = dkim_disable_verify + + accept authenticated = * + control = submission + control = dkim_disable_verify + + accept message = relay not permitted 2 + recipients = lsearch;${lsearch.internet-aliases} + + require message = relay not permitted + domains = +local_domains : +relay_to_domains + + require + message = unknown user + verify = recipient/callout + + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example + # + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain + + # Client SMTP Authorization (csa) checks on the sending host. + # Such checks do DNS lookups for special SRV records. + # require verify = csa + + accept + + + acl_check_data: + # see av_scanner + #deny malware = * + # message = This message contains a virus ($malware_name). + + # Add headers to a message if it is judged to be spam. Before enabling this, + # you must install SpamAssassin. You may also need to set the spamd_address + # option above. 
+ # + # warn spam = nobody + # add_header = X-Spam_score: $spam_score\n\ + # X-Spam_score_int: $spam_score_int\n\ + # X-Spam_bar: $spam_bar\n\ + # X-Spam_report: $spam_report + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + warn + sender_domains = viljetic.de : shackspace.de + set acl_m_special_dom = $sender_address_domain + + accept + + + begin routers + + # feature RETIOLUM_MAIL + retiolum: + debug_print = "R: retiolum for $local_part@$domain" + driver = manualroute + domains = ! ${retiolumHostname} : *.retiolum + transport = retiolum_smtp + route_list = ^.* $0 byname + no_more + + internet_aliases: + debug_print = "R: internet_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}} + + dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 + # if ipv6-enabled then instead use: + # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 + + # (debian) same_domain_copy_routing = yes + # (debian) ignore private rfc1918 and APIPA addresses + # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + # 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + # 255.255.255.255 + + # Fail and bounce if the router does not find the domain in the DNS. + # I.e. no more routers are tried. + # There are a few cases where a dnslookup router will decline to accept an + # address; if such a router is expected to handle "all remaining non-local + # domains", then it is important to set no_more. 
+ no_more + + # XXX this is only used because these "well known aliases" goto tv@cd.retiolum + # TODO bounce everything, there is no @cd.retiolum + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + + # TODO this is only b/c mv here... send mv's mails somewhere else... + local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + check_local_user + # local_part_suffix = +* : -* + # local_part_suffix_optional + transport = home_maildir + cannot_route_message = Unknown user + + begin transports + + retiolum_smtp: + driver = smtp + retry_include_ip_address = false + # serialize_hosts = TODO-all-slow-hosts + + remote_smtp: + driver = smtp + # debian has also stuff for tls, headers_rewrite and more here + + # feature HELO_REWRITE + # XXX note that the public ip (162.219.5.183) resolves to viljetic.de + helo_data = ''${if eq{$acl_m_special_dom}{} \ + {$primary_hostname} \ + {$acl_m_special_dom} } + + home_maildir: + driver = appendfile + maildir_format + maildir_use_size_file + directory = $home/Mail + directory_mode = 0700 + delivery_date_add + envelope_to_add + return_path_add + + begin retry + *.retiolum * F,42d,1m + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + + begin rewrite + begin authenticators + ''; + + + # group = mail + # mode = 0660 + + + #address_pipe: + # driver = pipe + # return_output + # + #address_file: + # driver = appendfile + # delivery_date_add + # envelope_to_add + # return_path_add + # + #address_reply: + # driver = autoreply + + + #maildrop_pipe: + # debug_print = "T: maildrop_pipe for $local_part@$domain" + # driver = pipe + # path = "/bin:/usr/bin:/usr/local/bin" + # command = "/usr/bin/maildrop" + # return_path_add + # delivery_date_add + # envelope_to_add + + + + + + ##begin retry + # Address or Domain Error Retries + + # Our host_redirect destinations might be offline a lot. 
+ # TODO define fallback destinations(?) + #lsearch;${lsearch.internet-aliases} * F,42d,1m + + + ## begin rewrite + + # just in case (shackspace.de should already do this) + #tv@shackspace.de tv@SHACK_REDIR_HOSTNAME T + + + ## begin authenticators + #PLAIN: + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + #LOGIN: + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: + # server_condition = Authentication is not yet configured + # server_advertise_condition = ''${if def:tls_in_cipher } + + + + }; + +} + +# config = '' +# primary_hostname = ${retiolumHostname} +# domainlist local_domains = @ : localhost +# domainlist relay_to_domains = *.retiolum +# hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 +# +# acl_smtp_rcpt = acl_check_rcpt +# acl_smtp_data = acl_check_data +# +# host_lookup = * +# rfc1413_hosts = * +# rfc1413_query_timeout = 5s +# +# log_file_path = syslog +# syslog_timestamp = false +# syslog_duplication = false +# +# begin acl +# +# acl_check_rcpt: +# accept hosts = : +# control = dkim_disable_verify +# +# deny message = Restricted characters in address +# domains = +local_domains +# local_parts = ^[.] : ^.*[@%!/|] +# +# deny message = Restricted characters in address +# domains = !+local_domains +# local_parts = ^[./|] : ^.*[@%!] 
: ^.*/\\.\\./ +# +# accept local_parts = postmaster +# domains = +local_domains +# +# #accept +# # hosts = *.retiolum +# # domains = *.retiolum +# # control = dkim_disable_verify +# +# #require verify = sender +# +# accept hosts = +relay_from_hosts +# control = submission +# control = dkim_disable_verify +# +# accept authenticated = * +# control = submission +# control = dkim_disable_verify +# +# require message = relay not permitted +# domains = +local_domains : +relay_to_domains +# +# require verify = recipient +# +# accept +# +# +# acl_check_data: +# accept +# +# +# begin routers +# +# retiolum: +# driver = manualroute +# domains = ! ${retiolumHostname} : *.retiolum +# transport = remote_smtp +# route_list = ^.* $0 byname +# no_more +# +# nonlocal: +# debug_print = "R: nonlocal for $local_part@$domain" +# driver = redirect +# domains = ! +local_domains +# allow_fail +# data = :fail: Mailing to remote domains not supported +# no_more +# +# local_user: +# # debug_print = "R: local_user for $local_part@$domain" +# driver = accept +# check_local_user +# # local_part_suffix = +* : -* +# # local_part_suffix_optional +# transport = home_maildir +# cannot_route_message = Unknown user +# +# +# begin transports +# +# remote_smtp: +# driver = smtp +# +# home_maildir: +# driver = appendfile +# maildir_format +# directory = $home/Maildir +# directory_mode = 0700 +# delivery_date_add +# envelope_to_add +# return_path_add +# # group = mail +# # mode = 0660 +# +# begin retry +# *.retiolum * F,42d,1m +# * * F,2h,15m; G,16h,1h,1.5; F,4d,6h +# +# begin rewrite +# +# begin authenticators +# ''; +# }; +#} diff --git a/modules/tv/nginx.nix b/modules/tv/nginx.nix new file mode 100644 index 0000000..8b42061 --- /dev/null +++ b/modules/tv/nginx.nix 
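Review bot: In `acl_check_rcpt` the `accept message = relay not permitted 2 / recipients = lsearch;${lsearch.internet-aliases}` rule admits mail from any host to the aliased addresses before any sender check, while `#require verify = sender` and the dnslists rules stay commented out and `tls_advertise_hosts` is commented out too, so this public MX accepts unverifiable envelope senders and (depending on the Exim version's default) offers no STARTTLS inbound. The `dnslookup` router's `ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8` also omits RFC1918 space even though `relay_from_hosts` shows this gateway trusts a 10.x peer; the Debian list quoted in the comment just below it (`0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 : 255.255.255.255`) keeps a remote domain whose MX resolves into the private range from being routed there. Uncommenting `require verify = sender` and setting `tls_advertise_hosts = *` together with `tls_certificate`/`tls_privatekey` are each single-line changes in this hunk. The maildir also differs between the two modules (`$home/Mail` here, `$home/Maildir` in exim-retiolum.nix); a one-line comment saying the difference is intended would stop it being read as a typo.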
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx =
+ let
+ name = config.networking.hostName;
+ qname = "${name}.retiolum";
+ in
+ {
+ enable = true;
+ httpConfig = ''
+ sendfile on;
+ server {
+ listen 80;
+ server_name ${name} ${qname} localhost;
+ root /srv/http/${name};
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/public_html$2;
+ }
+ }
+ types {
+ text/css css;
+ text/html html;
+ image/svg+xml svg;
+ }
+ default_type text/html;
+ charset utf-8;
+ '';
+ };
+}
diff --git a/modules/tv/retiolum.nix b/modules/tv/retiolum.nix
new file mode 100644
index 0000000..578547a
--- /dev/null
+++ b/modules/tv/retiolum.nix
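Review bot: The userdir location `alias /home/$1/public_html$2;` follows symlinks inside `public_html` because no `disable_symlinks` is set, so any local user can publish every file the nginx worker can read by linking to it from their directory. Adding `disable_symlinks if_not_owner;` inside that `location` limits what is served to files the user owns. A short comment above the `location` noting that `$1`/`$2` come from nginx's already-normalized URI (`..` segments are collapsed before the `alias` path is built) would let the next reader judge the regex without re-deriving that.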
@@ -0,0 +1,228 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + + ###### interface + + options = { + services.retiolum = { + + enable = mkOption { + type = types.bool; + default = false; + description = "Enable tinc daemon for Retiolum."; + }; + + name = mkOption { + type = types.string; + default = config.networking.hostName; + # Description stolen from tinc.conf(5). + description = '' + This is the name which identifies this tinc daemon. It must + be unique for the virtual private network this daemon will + connect to. The Name may only consist of alphanumeric and + underscore characters. If Name starts with a $, then the + contents of the environment variable that follows will be + used. In that case, invalid characters will be converted to + underscores. If Name is $HOST, but no such environment + variable exist, the hostname will be read using the + gethostnname() system call This is the name which identifies + the this tinc daemon. + ''; + }; + + generateEtcHosts = mkOption { + type = types.string; + default = "both"; + description = '' + If set to short, long, or both, + then generate entries in /etc/hosts from subnets. + ''; + }; + + network = mkOption { + type = types.string; + default = "retiolum"; + description = '' + The tinc network name. + It is used to generate long host entries, + derive the name of the user account under which tincd runs, + and name the TUN device. + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + default = null; + description = '' + Hosts package or path to use. + If a path is given, then it will be used to generate an ad-hoc package. + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + + privateKeyFile = mkOption { + # TODO if it's types.path then it gets copied to /nix/store with + # bad unsafe permissions... 
+ type = types.string; + default = "/etc/tinc/retiolum/rsa_key.priv"; + description = "Generate file with tincd -K."; + }; + + connectTo = mkOption { + type = types.listOf types.string; + default = [ "fastpoke" "pigstarter" "kheurop" ]; + description = "TODO describe me"; + }; + + }; + }; + + + ###### implementation + + config = + let + cfg = config.services.retiolum; + tinc = cfg.tincPackage; + hostsType = builtins.typeOf cfg.hosts; + hosts = + if hostsType == "package" then + # use package as is + cfg.hosts + else if hostsType == "path" then + # use path to generate a package + pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out + ''; + } + else + abort "The option `services.retiolum.hosts' must be set to a package or a path" + ; + iproute = cfg.iproutePackage; + + retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" + { } + '' + generate() { + (cd ${hosts} + printf \'\' + for i in `ls`; do + names=$(hostnames $i) + for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do + names="$names $(hostnames $j)" + done + sed -En ' + s|^ *Subnet *= *([^ /]*)(/[0-9]*)? 
*$|\1 '"$names"'|p + ' $i + done | sort + printf \'\' + ) + } + + case ${cfg.generateEtcHosts} in + short) + hostnames() { echo "$1"; } + generate + ;; + long) + hostnames() { echo "$1.${cfg.network}"; } + generate + ;; + both) + hostnames() { echo "$1.${cfg.network} $1"; } + generate + ;; + *) + echo '""' + ;; + esac > $out + ''); + + + confDir = pkgs.runCommand "retiolum" { + # TODO text + executable = true; + preferLocalBuild = true; + } '' + set -euf + + mkdir -p $out + + ln -s ${hosts} $out/hosts + + cat > $out/tinc.conf < $out/tinc-up <&2 + exit 23 + ''; + + rebuild = + '' + nixpkgs=''${nixpkgs-/home/tv/src/nixpkgs} + nixos-rebuild \ + --show-trace \ + -I nixpkgs="$nixpkgs" \ + switch \ + 2>&1 \ + | sed ${shell-escape '' + s|"\(/home/tv/src/config/[^":]*\)"|\1| + s|^trace:\s*\(.*\)|\1| + ''} + ''; + + }; + + wrap = script: + '' + #! /bin/sh + set -euf + ${script} + ''; + #lib=$lib + #export PATH=$bin:${makeSearchPath "bin" buildInputs} + + buildScript = name: script: + builtins.trace "building ${name}" + '' + echo ${shell-escape script} > $bin/${shell-escape name} + chmod +x $bin/${shell-escape name} + ''; + + + + tools = pkgs.stdenv.mkDerivation rec { + name = "tools"; + src = /var/empty; + + buildInputs = []; + + + buildPhase = + '' + mkdir $out + + bin=$out/bin + mkdir $bin + + ${concatStringsSep "\n" (attrValues (mapAttrs buildScript scripts))} + + ''; + #'' + #mkdir $out + + #lib=$out/lib + #cp -r lib $lib + + #bin=$out/bin + #mkdir $bin + #${concatStringsSep "\n" (attrValues (mapAttrs (name: script: + # '' + # { + # echo '#! /bin/sh' + # echo 'set -euf' + # echo "lib=$lib" + # echo "export PATH=$bin:${makeSearchPath "bin" buildInputs}" + # echo ${shell-escape script} + # } > $bin/${name} + # chmod +x $bin/${name} + # '') scripts))} + #''; + installPhase = ":"; + }; + +in + +{ + environment.systemPackages = [ tools ]; +} diff --git a/modules/tv/urxvt.nix b/modules/tv/urxvt.nix new file mode 100644 index 0000000..a975812 --- /dev/null 
+++ b/modules/tv/urxvt.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+ with builtins;
+
+let
+ users = [ "tv" ];
+ urxvt = pkgs.rxvt_unicode;
+ mkService = user: {
+ description = "urxvt terminal daemon";
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ serviceConfig = {
+ Restart = "always";
+ User = user;
+ ExecStart = "${urxvt}/bin/urxvtd";
+ };
+ };
+
+in
+
+{
+ environment.systemPackages = [ urxvt ];
+ systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+}
diff --git a/modules/tv/users.nix b/modules/tv/users.nix
new file mode 100644
index 0000000..f42ba33
--- /dev/null
+++ b/modules/tv/users.nix
@@ -0,0 +1,221 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) attrValues; + inherit (pkgs.lib) concatMap filterAttrs mapAttrs concatStringsSep; + + + users = { + tv = { + uid = 1337; + group = "users"; + extraGroups = [ + "audio" + "video" + "wheel" + ]; + }; + + ff = { + uid = 13378001; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + ]; + }; + + cr = { + uid = 13378002; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + vimb = { + uid = 13378003; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + fa = { + uid = 2300001; + group = "tv-sub"; + }; + + rl = { + uid = 2300002; + group = "tv-sub"; + }; + + btc-bitcoind = { + uid = 2301001; + group = "tv-sub"; + }; + + btc-electrum = { + uid = 2301002; + group = "tv-sub"; + }; + + ltc-litecoind = { + uid = 2301101; + group = "tv-sub"; + }; + + eth = { + uid = 2302001; + group = "tv-sub"; + }; + + emse-hsdb = { + uid = 4200101; + group = "tv-sub"; + }; + + wine = { + uid = 13370400; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + # dwarffortress + df = { + uid = 13370401; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined + FTL = { + uid = 13370402; + #group = "tv-sub"; + extraGroups = [ + "audio" + "video" + "bumblebee" + ]; + }; + + freeciv = { + uid = 13370403; + group = "tv-sub"; + }; + + xr = { + uid = 13370061; + group = "tv-sub"; + extraGroups = [ + "audio" + "video" + ]; + }; + + "23" = { + uid = 13370023; + group = "tv-sub"; + }; + + electrum = { + uid = 13370102; + group = "tv-sub"; + }; + + Reaktor = { + uid = 4230010; + group = "tv-sub"; + }; + + gitolite = { + uid = 7700; + }; + + skype = { + uid = 6660001; + group = "tv-sub"; + extraGroups = [ + "audio" + ]; + }; + + onion = { + uid = 6660010; + group = "tv-sub"; + }; + + zalora = { + uid = 1000301; + group = "tv-sub"; + 
extraGroups = [ + "audio" + # TODO remove vboxusers when hardening is active + "vboxusers" + "video" + ]; + }; + + }; + + + extraUsers = + mapAttrs (name: user: user // { + inherit name; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + }) users; + + + extraGroups = { + tv-sub.gid = 1337; + }; + + + sudoers = + let + inherit (builtins) filter hasAttr; + inherit (import ../../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList; + + hasMaster = { group ? "", ... }: + isSuffixOf "-sub" group; + + masterOf = user : removeSuffix "-sub" user.group; + in + concatStringsSep "\n" + (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL") + (filter hasMaster (attrValues extraUsers))); + +in + + +{ + imports = [ + + ]; + + users.defaultUserShell = "/run/current-system/sw/bin/bash"; + users.extraGroups = extraGroups; + users.extraUsers = extraUsers; + users.mutableUsers = false; + + security.sudo.extraConfig = + '' + Defaults mailto="tv@wu.retiolum" + ${sudoers} + ''; +} diff --git a/modules/tv/xserver.nix b/modules/tv/xserver.nix new file mode 100644 index 0000000..897dbcc --- /dev/null +++ b/modules/tv/xserver.nix 
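Review bot: `sudoers` emits `<master> ALL=(<user>) NOPASSWD: ALL` for every user whose `group` ends in `-sub`, but nothing checks that the derived master name (`removeSuffix "-sub" user.group`) exists in `users`, and the generator does not guard against names sudoers reads as aliases — an all-uppercase runas name is apparently what produced the `XXX visudo: Runas_Alias FTL` warning recorded above the `FTL` entry, which is why its group is commented out. An evaluation-time check makes the first failure explicit, e.g. `assertions = [ { assertion = all (u: hasAttr (masterOf u) users) (filter hasMaster (attrValues extraUsers)); message = "users.nix: every *-sub group needs an existing master user"; } ];` with `all` taken from `pkgs.lib`. The `inherit`s of `concatMap`, `filterAttrs`, `hasAttr`, `concat` and `setToList` are unused in this file. A comment above `sudoers` stating the convention in one sentence — membership in `tv-sub` lets `tv` run anything as that account without a password — would make the trust relationship visible at the definition instead of only in the generated `security.sudo.extraConfig`.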
@@ -0,0 +1,40 @@ +{ config, pkgs, ... }: + +{ + services.xserver.enable = true; + + + #fonts.enableFontConfig = true; + #fonts.enableFontDir = true; + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + #services.xfs.enable = true; + #services.xserver.useXFS = "unix/:7100"; + + services.xserver.displayManager.desktopManagerHandlesLidAndPower = true; + + #services.xserver.display = 11; + #services.xserver.tty = 11; + # services.xserver.layout = "us"; + # services.xserver.xkbOptions = "eurosign:e"; + + #services.xserver.multitouch.enable = true; + + services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [ + X11-xshape + ]; + services.xserver.windowManager.xmonad.enable = true; + services.xserver.windowManager.xmonad.enableContribAndExtras = true; + services.xserver.windowManager.default = "xmonad"; + services.xserver.desktopManager.default = "none"; + services.xserver.desktopManager.xterm.enable = false; + + services.xserver.displayManager.slim.enable = true; + #services.xserver.displayManager.auto.enable = true; + #services.xserver.displayManager.auto.user = "tv"; + #services.xserver.displayManager.job.logsXsession = true; + + + services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ]; +} diff --git a/modules/urxvt-tv.nix b/modules/urxvt-tv.nix deleted file mode 100644 index a975812..0000000 --- a/modules/urxvt-tv.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: - - with builtins; - -let - users = [ "tv" ]; - urxvt = pkgs.rxvt_unicode; - mkService = user: { - description = "urxvt terminal daemon"; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = false; - serviceConfig = { - Restart = "always"; - User = user; - ExecStart = "${urxvt}/bin/urxvtd"; - }; - }; - -in - -{ - environment.systemPackages = [ urxvt ]; - systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); -} diff --git a/modules/urxvtd.nix b/modules/urxvtd.nix deleted file mode 100644 index 7eb471e..0000000 
--- a/modules/urxvtd.nix +++ /dev/null @@ -1,68 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (import ../lib { inherit pkgs; }) shell-escape; - inherit (pkgs) writeScript; -in - -with builtins; -with lib; - -{ - options = { - services.urxvtd = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable urxvtd per user"; - }; - users = mkOption { - type = types.listOf types.string; - default = []; - description = "users to run urxvtd for"; - }; - urxvtPackage = mkOption { - type = types.package; - default = pkgs.rxvt_unicode; - description = "urxvt package to use"; - }; - xresources = mkOption { - type = types.string; - default = ""; - description = '' - X server resources for urxvt. - ''; - }; - }; - }; - - config = - let - cfg = config.services.urxvtd; - users = cfg.users; - urxvt = cfg.urxvtPackage; - mkService = user: { - description = "urxvt terminal daemon"; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = false; - path = [ pkgs.xlibs.xrdb ]; - environment = { - DISPLAY = ":0"; - URXVT_PERL_LIB = "${urxvt}/lib/urxvt/perl"; - }; - serviceConfig = { - Restart = "always"; - User = user; - ExecStartPre = writeScript "urxvtd-prestart" '' - #!/bin/sh - echo ${shell-escape cfg.xresources} | xrdb -merge - ''; - ExecStart = "${urxvt}/bin/urxvtd"; - }; - }; - in - mkIf cfg.enable { - environment.systemPackages = [ urxvt ]; - systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users); - }; -} diff --git a/modules/users.nix b/modules/users.nix deleted file mode 100644 index 79a00e3..0000000 --- a/modules/users.nix +++ /dev/null 
@@ -1,221 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (builtins) attrValues; - inherit (pkgs.lib) concatMap filterAttrs mapAttrs concatStringsSep; - - - users = { - tv = { - uid = 1337; - group = "users"; - extraGroups = [ - "audio" - "video" - "wheel" - ]; - }; - - ff = { - uid = 13378001; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - ]; - }; - - cr = { - uid = 13378002; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - vimb = { - uid = 13378003; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - fa = { - uid = 2300001; - group = "tv-sub"; - }; - - rl = { - uid = 2300002; - group = "tv-sub"; - }; - - btc-bitcoind = { - uid = 2301001; - group = "tv-sub"; - }; - - btc-electrum = { - uid = 2301002; - group = "tv-sub"; - }; - - ltc-litecoind = { - uid = 2301101; - group = "tv-sub"; - }; - - eth = { - uid = 2302001; - group = "tv-sub"; - }; - - emse-hsdb = { - uid = 4200101; - group = "tv-sub"; - }; - - wine = { - uid = 13370400; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - # dwarffortress - df = { - uid = 13370401; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined - FTL = { - uid = 13370402; - #group = "tv-sub"; - extraGroups = [ - "audio" - "video" - "bumblebee" - ]; - }; - - freeciv = { - uid = 13370403; - group = "tv-sub"; - }; - - xr = { - uid = 13370061; - group = "tv-sub"; - extraGroups = [ - "audio" - "video" - ]; - }; - - "23" = { - uid = 13370023; - group = "tv-sub"; - }; - - electrum = { - uid = 13370102; - group = "tv-sub"; - }; - - Reaktor = { - uid = 4230010; - group = "tv-sub"; - }; - - gitolite = { - uid = 7700; - }; - - skype = { - uid = 6660001; - group = "tv-sub"; - extraGroups = [ - "audio" - ]; - }; - - onion = { - uid = 6660010; - group = "tv-sub"; - }; - - zalora = { - uid = 1000301; - group = "tv-sub"; - 
extraGroups = [ - "audio" - # TODO remove vboxusers when hardening is active - "vboxusers" - "video" - ]; - }; - - }; - - - extraUsers = - mapAttrs (name: user: user // { - inherit name; - home = "/home/${name}"; - createHome = true; - useDefaultShell = true; - }) users; - - - extraGroups = { - tv-sub.gid = 1337; - }; - - - sudoers = - let - inherit (builtins) filter hasAttr; - inherit (import ../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList; - - hasMaster = { group ? "", ... }: - isSuffixOf "-sub" group; - - masterOf = user : removeSuffix "-sub" user.group; - in - concatStringsSep "\n" - (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL") - (filter hasMaster (attrValues extraUsers))); - -in - - -{ - imports = [ - - ]; - - users.defaultUserShell = "/run/current-system/sw/bin/bash"; - users.extraGroups = extraGroups; - users.extraUsers = extraUsers; - users.mutableUsers = false; - - security.sudo.extraConfig = - '' - Defaults mailto="tv@wu.retiolum" - ${sudoers} - ''; -} diff --git a/modules/wu/default.nix b/modules/wu/default.nix new file mode 100644 index 0000000..f586552 --- /dev/null +++ b/modules/wu/default.nix 
@@ -0,0 +1,469 @@ +{ config, pkgs, ... }: + +let + lib = import ../../lib { inherit pkgs; }; + + inherit (lib) majmin; +in + +{ + imports = [ + ./hosts.nix + ./iptables.nix + ../tv/base.nix + ../tv/exim-retiolum.nix + ../tv/nginx.nix + ../tv/retiolum.nix + ../tv/sanitize.nix + ../tv/synaptics.nix + #../tv/tools.nix + ../tv/urxvt.nix + ../tv/users.nix + ../tv/xserver.nix + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" + + # for jack + KERNEL=="rtc0", GROUP="audio" + KERNEL=="hpet", GROUP="audio" + ''; + + #services.virtualbox.enable = true; + #services.virtualboxGuest.enable = false; + services.virtualboxHost.enable = true; + #services.virtualboxHost.addNetworkInterface = false; + #systemd.services.vboxnet = + # let + # remove_vboxnets = '' + # for i in $(cd /sys/class/net && ls | grep ^vboxnet); do + # VBoxManage hostonlyif remove $i + # done + # ''; + # in { + # wantedBy = [ "multi-user.target" ]; + # requires = [ "dev-vboxnetctl.device" ]; + # after = [ "dev-vboxnetctl.device" ]; + # path = with pkgs; [ + # linuxPackages.virtualbox + # nettools + # ]; + # postStop = remove_vboxnets; + # script = '' + # ${remove_vboxnets} # just in case... 
+ # VBoxManage hostonlyif create # vboxnet0 + # ifconfig vboxnet0 up 169.254.13.37/16 + # ''; + # serviceConfig = { + # Type = "oneshot"; + # PrivateTmp = true; + # RemainAfterExit = "yes"; + # }; + # environment.VBOX_USER_HOME = "/tmp"; + # }; + + + services.bitlbee.enable = true; + + #services.rabbitmq = { + # enable = true; + # cookie = "f00f"; + # plugins = [ + # "rabbitmq_management" + # ]; + #}; + + + #services.elasticsearch.enable = true; + + #services.cgserver = { + # enable = true; + # httpPort = 8003; + # #flushLog = false; + # #cgroupRoot = "/sys/fs/cgroup"; + # #user = "zalora"; + #}; + + + + + #services.tlsdated = { + # enable = true; + # extraOptions = "-p"; + #}; + + services.tor.enable = true; + services.tor.client.enable = true; + + + + # hardware configuration + boot.initrd.luks.devices = [ + { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; } + ]; + boot.initrd.luks.cryptoModules = [ "aes" "sha512" "xts" ]; + boot.initrd.availableKernelModules = [ "ahci" ]; + #boot.kernelParams = [ + # "intel_pstate=enable" + #]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # 2014-12-17 pkgs.linuxPackages_3_14 is known good + boot.kernelPackages = pkgs.linuxPackages_3_18; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.extraModprobeConfig = '' + options kvm_intel nested=1 + ''; + + fileSystems = { + "/" = { + device = "/dev/mapper/vg840-wuroot"; + fsType = "btrfs"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/home" = { + device = "/dev/mapper/home"; + options = "defaults,noatime,ssd,compress=lzo"; + }; + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = "nosuid,nodev,noatime"; + }; + }; + + swapDevices =[ ]; + + + nixpkgs.config.firefox.enableAdobeFlash = true; + nixpkgs.config.chromium.enablePepperFlash = true; + + 
nixpkgs.config.allowUnfree = true;
+ hardware.bumblebee.enable = true; # TODO this is host specific
+ hardware.bumblebee.group = "video";
+ #services.xserver.videoDrivers = [ "nvidia" ];
+ hardware.opengl.driSupport32Bit = true;
+
+ hardware.pulseaudio.enable = true;
+
+ hardware.enableAllFirmware = true;
+
+ # Use the gummiboot efi boot loader.
+ boot.loader.gummiboot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "wu";
+ networking.wireless.enable = true;
+
+
+ # Select internationalisation properties.
+ # i18n = {
+ # consoleFont = "lat9w-16";
+ # consoleKeyMap = "us";
+ # defaultLocale = "en_US.UTF-8";
+ # };
+
+ system.activationScripts.powertopTunables =
+ ''
+ echo 1 > /sys/module/snd_hda_intel/parameters/power_save
+ echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
+ (cd /sys/bus/pci/devices
+ for i in *; do
+ echo auto > $i/power/control # defaults to 'on'
+ done)
+ # TODO maybe do this via udev or systemd
+ # ref https://wiki.archlinux.org/index.php/Wake-on-LAN
+ # disable wol this cannot find ethtool
+ # TODO (cd /sys/class/net
+ # TODO for i in *; do
+ # TODO if ethtool $i | grep -q Wake-on &&
+ # TODO ! ethtool $i | grep -q 'Wake-on: d'; then
+ # TODO ethtool -s $i wol d
+ # TODO fi
+ # TODO done)
+ ${pkgs.ethtool}/sbin/ethtool -s en0 wol d
+ '';
+
+ environment.systemPackages = with pkgs; [
+ xlibs.fontschumachermisc
+ slock
+ ethtool
+ #firefoxWrapper # with plugins
+ #chromiumDevWrapper
+ tinc
+ iptables
+ vim
+ #jack2
+ ];
+
+
+ environment.etc."vim/vimrc".text = ''
+ set nocp
+ '';
+ environment.etc."vim/vim${majmin pkgs.vim.version}".source =
+ "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}";
+
+ # multiple-definition-problem when defining environment.variables.EDITOR
+ environment.extraInit = ''
+ EDITOR=vim
+ '';
+ environment.variables.VIM = "/etc/vim";
+
+ environment.shellAliases = {
+ # alias cal='cal -m3'
+ bc = "bc -q";
+ gp = "gp -q";
+ df = "df -h";
+ du = "du -h";
+ # alias grep='grep --color=auto'
+
+ # TODO alias cannot contain #\'
+ # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
+
+ # alias la='ls -lA'
+ lAtr = "ls -lAtr";
+ # alias ll='ls -l'
+ ls = "ls -h --color=auto --group-directories-first";
+ # alias vim='vim -p'
+ # alias vi='vim'
+ # alias view='vim -R'
+ dmesg = "dmesg -L --reltime";
+ };
+
+
+ programs.bash = {
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=65536
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+
+ # TODO source bridge
+ '';
+ promptInit = ''
+ case $UID in
+ 0)
+ PS1='\[\e[1;31m\]\w\[\e[0m\] '
+ ;;
+ 1337)
+ PS1='\[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ *)
+ PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+ ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\e[35m\]\h'" $PS1"
+ fi
+ if test -n "$SSH_AGENT_PID"; then
+ PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
+ fi
+ '';
+ };
+
+
+ programs.ssh.startAgent = false;
+
+
+ security.setuidPrograms = [
+ "sendmail" # for cron
+ "slock"
+ ];
+
+ # TODO
+ # Currently ./run doesn't know about certificates
+ #security.pki.certificateFiles = [
+ # ./certs/zalora-ca.crt
+ #];
+
+ #security.pam.loginLimits = [
+ # # for jack
+ # { domain = "@audio"; item = "memlock"; type = "-"; value = "unlimited"; }
+ # { domain = "@audio"; item = "rtprio"; type = "-"; value = "99"; }
+ #];
+
+ #services.haveged.enable = true;
+ #security.rngd.enable = true;
+
+ #services.privoxy = {
+ # enable = true;
+ # extraConfig = ''
+ # actionsfile /etc/privoxy/easylist.script.action
+ # actionsfile /etc/privoxy/easylistgermany.script.action
+ # filterfile /etc/privoxy/easylist.script.filter
+ # filterfile /etc/privoxy/easylistgermany.script.filter
+ # '';
+ #};
+
+ services.retiolum = {
+ enable = true;
+ hosts = /etc/nixos/hosts;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ ];
+ };
+
+ # TODO
+ #services.tinc = {
+ # enable = true;
+ # network = "retiolum";
+ # hosts = /home/tv/krebs/hosts;
+ # privateKeyFile = /etc/tinc/retiolum/rsa_key.priv;
+ # connectTo = [ "fastpoke" "pigstarter" "kheurop" ];
+ #};
+
+
+ security.rtkit.enable = false;
+ services.nscd.enable = false;
+ services.ntp.enable = false;
+ #services.dbus.enable = true; # rqd4 wpa_supplicant
+
+ # vixiecron sucks
+ services.cron.enable = false;
+ services.fcron.enable = true;
+
+ services.logind.extraConfig = ''
+ HandleHibernateKey=ignore
+ HandleLidSwitch=ignore
+ HandlePowerKey=ignore
+ HandleSuspendKey=ignore
+ '';
+
+ # Enable the OpenSSH daemon.
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ # XXX bits here make no science
+ { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ };
+
+ # services.printing.enable = true;
+ services.printing = {
+ enable = true;
+ #extraConf = ''
+ # LogLevel debug
+ #'';
+ drivers = with pkgs; [
+ #cups_filters
+ #foomatic_filters
+ #gutenprint
+ #hplip
+ ];
+ };
+
+
+
+ #services.kmscon.enable = true;
+
+
+ # TODO virtualisation.libvirtd.enable = true;
+ # users.extraUsers.tv.extraGroups += [ "libvirtd" ]
+
+
+
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+
+
+ #systemd.timers.chargeMon = {
+ # wantedBy = [ "multi-user.target" ];
+ # timerConfig.OnCalendar = "*-*-* *:*:00";
+ #};
+ #systemd.services.chargeMon = {
+ # path = [ ];
+ # environment = {
+ # ac_online = "/sys/class/power_supply/AC/online";
+ # charge_now = "/sys/class/power_supply/BAT/charge_now";
+ # charge_full = "/sys/class/power_supply/BAT/charge_full";
+ # };
+ # serviceConfig = {
+ # User = "nobody";
+ # Type = "oneshot";
+ # };
+ # script = ''
+ # if test $(cat $ac_online) == 1; then
+ # echo "AC is online"
+ # exit
+ # fi
+ # cat $charge_now
+ # '';
+ #};
+
+ # see tmpfiles.d(5)
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+ ];
+
+ # TODO services.smartd
+ # TODO services.statsd
+ # TODO services.tor
+ # TODO write arandr
+ # TODO what does system.copySystemConfiguration (we need some kind of bku scheme)
+ # TODO systemd.timers instead of cron(??)
+
+ virtualisation.libvirtd.enable = true;
+
+
+
+
+ #system.replaceRuntimeDependencies = with pkgs;
+ # let
+ # bashVulnPatches = [
+ # (fetchurl {
+ # url = "mirror://gnu/bash/bash-4.2-patches/bash42-048";
+ # sha256 = "091xk1ms7ycnczsl3fx461gjhj69j6ycnfijlymwj6mj60ims6km";
+ # })
+ # (fetchurl {
+ # url = "file:///etc/nixos/bash-20140926.patch";
+ # sha256 = "0gdwnimsbi4vh5l46krss4wjrgbch94skn4y2w3rpvb1w4jypha4";
+ # })
+ # ];
+ # in
+ # [
+ # {
+ # original = bash;
+ # replacement = pkgs.lib.overrideDerivation bash (oldAttrs: {
+ # patches = oldAttrs.patches ++ bashVulnPatches;
+ # });
+ # }
+ # {
+ # original = bashInteractive;
+ # replacement = pkgs.lib.overrideDerivation bashInteractive (oldAttrs: {
+ # patches = oldAttrs.patches ++ bashVulnPatches;
+ # });
+ # }
+ # {
+ # original = bitlbee;
+ # replacement = pkgs.lib.overrideDerivation bitlbee (oldAttrs: {
+ # configureFlags = [
+ # "--gcov=1"
+ # "--otr=1"
+ # "--ssl=gnutls"
+ # ];
+ # });
+ # }
+ #];
+
+
+}
diff --git a/modules/wu/hosts.nix b/modules/wu/hosts.nix
new file mode 100644
index 0000000..f59f87c
--- /dev/null
+++ b/modules/wu/hosts.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+{
+ networking.extraHosts =
+ ''
+ 192.168.1.1 wrt.gg23 wrt
+ 192.168.1.11 mors.gg23
+ 192.168.1.12 uriel.gg23
+ 192.168.1.23 raspi.gg23 raspi
+ 192.168.1.37 wu.gg23
+ 192.168.1.110 nomic.gg23
+ 192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
+
+ 127.0.0.1 dev.zalora.sg www.dev.zalora.sg bob.dev.zalora.sg static.dev.zalora.sg
+ 127.0.0.1 dev.zalora.com.my www.dev.zalora.com.my bob.dev.zalora.com.my static.dev.zalora.com.my
+ 127.0.0.1 dev.zalora.com.ph www.dev.zalora.com.ph bob.dev.zalora.com.ph static.dev.zalora.com.ph
+ 127.0.0.1 dev.zalora.vn www.dev.zalora.vn bob.dev.zalora.vn static.dev.zalora.vn
+ 127.0.0.1 dev.zalora.co.id www.dev.zalora.co.id bob.dev.zalora.co.id static.dev.zalora.co.id
+ 127.0.0.1 dev.zalora.co.th www.dev.zalora.co.th bob.dev.zalora.co.th static.dev.zalora.co.th
+ 127.0.0.1 dev.zalora.com.hk www.dev.zalora.com.hk bob.dev.zalora.com.hk static.dev.zalora.com.hk
+
+ 54.93.104.95 eu-dev.hk.zalora.net www.eu-dev.hk.zalora.net bob.eu-dev.hk.zalora.net static.eu-dev.hk.zalora.net
+ 54.93.104.95 eu-dev.sg.zalora.net www.eu-dev.sg.zalora.net bob.eu-dev.sg.zalora.net static.eu-dev.sg.zalora.net
+ '';
+}
diff --git a/modules/wu/iptables.nix b/modules/wu/iptables.nix
new file mode 100644
index 0000000..ee40343
--- /dev/null
+++ b/modules/wu/iptables.nix
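Review bot: The `127.0.0.1` and `54.93.104.95` entries for the `dev.zalora.*` and `eu-dev.*.zalora.net` names shadow public DNS for those hostnames on this host with no comment saying why or for how long, so a stale override will fail silently once the real service moves. A one-line comment above each group would make the intent recoverable, e.g. `# local/staging overrides for dev names — shadow public DNS; drop when the environment moves`. The LAN `.gg23` entries look like a different concern and could carry their own heading such as `# home LAN`.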
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+
+{
+ #
+ # iptables
+ #
+ networking.firewall.enable = false;
+ system.activationScripts.iptables =
+ let
+ log = false;
+ when = c: f: if c then f else "";
+ in
+ ''
+ ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
+ ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
+ ipXtables() { ip4tables "$@"; ip6tables "$@"; }
+
+ #
+ # nat
+ #
+
+ # reset tables
+ ipXtables -t nat -F
+ ipXtables -t nat -X
+
+ #
+ ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
+ ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
+
+ #
+ # filter
+ #
+
+ # reset tables
+ ipXtables -P INPUT DROP
+ ipXtables -P FORWARD DROP
+ ipXtables -F
+ ipXtables -X
+
+ # create custom chains
+ ipXtables -N Retiolum
+
+ # INPUT
+ ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
+ ipXtables -A INPUT -j ACCEPT -i lo
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
+ ipXtables -A INPUT -j Retiolum -i retiolum
+ ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
+
+ # FORWARD
+ ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
+
+ # Retiolum
+ ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
+ ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
+
+
+ ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
+ ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
+ ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
+ ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
+ ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
+ ip6tables -A Retiolum -j REJECT
+
+ '';
+}
diff --git a/modules/xserver.nix b/modules/xserver.nix
deleted file mode 100644
index 897dbcc..0000000
--- a/modules/xserver.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- services.xserver.enable = true;
-
-
- #fonts.enableFontConfig = true;
- #fonts.enableFontDir = true;
- fonts.fonts = [
- pkgs.xlibs.fontschumachermisc
- ];
- #services.xfs.enable = true;
- #services.xserver.useXFS = "unix/:7100";
-
- services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
-
- #services.xserver.display = 11;
- #services.xserver.tty = 11;
- # services.xserver.layout = "us";
- # services.xserver.xkbOptions = "eurosign:e";
-
- #services.xserver.multitouch.enable = true;
-
- services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
- X11-xshape
- ];
- services.xserver.windowManager.xmonad.enable = true;
- services.xserver.windowManager.xmonad.enableContribAndExtras = true;
- services.xserver.windowManager.default = "xmonad";
- services.xserver.desktopManager.default = "none";
- services.xserver.desktopManager.xterm.enable = false;
-
- services.xserver.displayManager.slim.enable = true;
- #services.xserver.displayManager.auto.enable = true;
- #services.xserver.displayManager.auto.user = "tv";
- #services.xserver.displayManager.job.logsXsession = true;
-
-
- services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
-}
-- cgit v1.3.1
[cgit] Unable to lock slot /tmp/cgit/7e200000.lock: No such file or directory (2)
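Review bot: The ip6tables INPUT chain in modules/wu/iptables.nix has policy DROP and only accepts ICMPv6 inside the Retiolum chain, so on every other interface neighbour/router discovery is dropped and IPv6 on the LAN will most likely not work (conntrack RELATED,ESTABLISHED does not cover NDP). Next to the `-i lo` rule add `ip6tables -A INPUT -j ACCEPT -p ipv6-icmp` (or, more narrowly, the NDP `--icmpv6-type` values 133 through 137). The two PREROUTING REDIRECT lines also deserve a comment, since their effect is easy to misread: external port 22 appears to be sent to port 0 and so dropped by the INPUT policy, while the real sshd is reached via 11423 — something like `# outside retiolum: plain port 22 is a decoy (port 0, dropped); 11423 is rewritten to sshd` would record that intent if it is indeed the intent.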