From 47ef169276fcb500a3764c050dbeca1f7fc4a18b Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:18:28 +0100 Subject: krebs.hosts.*: set owner --- krebs/4lib/types.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'krebs/4lib/types.nix') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index d0a537467..d63080b99 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,15 @@ types // rec { default = {}; }; + owner = mkOption { + type = user; + # TODO proper user + default = { + name = "krebs"; + mail = "spam@krebsco.de"; + }; + }; + extraZones = mkOption { default = {}; # TODO: string is either MX, NS, A or AAAA -- cgit v1.3.1 From dbe2ece8ad962d654bc34f3a7c4802768df71ebb Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:18:50 +0100 Subject: krebs.hosts.*.infest: RIP --- krebs/4lib/types.nix | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'krebs/4lib/types.nix') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index d63080b99..7fb206928 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -35,19 +35,6 @@ types // rec { type = with types; attrsOf string; }; - infest = { - addr = mkOption { - type = str; - apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.addr' is used. It was replaced by the `target' argument to `make` or `get`. See Makefile for more information."; - }; - port = mkOption { - type = int; - default = 22; - # TODO replacement: allow target with port, SSH-style: [lol]:666 - apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.port' is used. It's gone without replacement."; - }; - }; - secure = mkOption { type = bool; default = false; -- cgit v1.3.1 From b5fbca3a365b1188c1274e3288ba39a88ecad2e3 Mon Sep 17 00:00:00 2001 
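Review bot: The `owner` default `{ name = "krebs"; mail = "spam@krebsco.de"; }` omits `pubkey`, which the `user` submodule declares as `type = str` with no default at this point in the history (the last hunk on this page, which relaxes it to `nullOr str`, shows the old declaration), so reading `owner.pubkey` for any host that relies on this default fails with an undefined-option error rather than returning a value. The `# TODO proper user` marker should say so, e.g. `# TODO proper user; this literal has no pubkey, so owner.pubkey is undefined for hosts using the default`. The enclosing host submodule starts outside the hunk.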
From: tv Date: Sun, 21 Feb 2016 05:27:37 +0100 Subject: krebs.secret: init --- krebs/3modules/default.nix | 1 + krebs/3modules/secret.nix | 39 +++++++++++++++++++++++++++++++++++++++ krebs/4lib/types.nix | 13 +++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 krebs/3modules/secret.nix (limited to 'krebs/4lib/types.nix') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index c06f3754e..df1c7db63 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./realwallpaper.nix ./retiolum-bootstrap.nix ./retiolum.nix + ./secret.nix ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix new file mode 100644 index 000000000..46802a661 --- /dev/null +++ b/krebs/3modules/secret.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + cfg = config.krebs.secret; +in { + options.krebs.secret = { + files = mkOption { + type = with types; attrsOf secret-file; + default = {}; + }; + }; + config = lib.mkIf (cfg.files != {}) { + systemd.services.secret = let + # TODO fail if two files have the same path but differ otherwise + files = unique (map (flip removeAttrs ["_module"]) + (attrValues cfg.files)); + in { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + SyslogIdentifier = "secret"; + ExecStart = pkgs.writeDash "install-secret-files" '' + exit_code=0 + ${concatMapStringsSep "\n" (file: '' + ${pkgs.coreutils}/bin/install \ + -D \ + --compare \ + --verbose \ + --mode=${shell.escape file.mode} \ + --owner=${shell.escape file.owner-name} \ + --group=${shell.escape file.group-name} \ + ${shell.escape file.source-path} \ + ${shell.escape file.path} \ + || exit_code=1 + '') files} + exit $exit_code + ''; + }; + }; + }; +} diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 7fb206928..55301add5 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix 
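Review bot: The service hands `file.source-path` and `file.path` to `install` as plain strings at activation time, which is what keeps the secret contents out of the world-readable Nix store, and that rationale is stated nowhere in the new file; it is easy to lose later by retyping the options as `path` or interpolating a path value, so a comment at `files = mkOption {` is warranted, e.g. `# secret-file paths are strings on purpose: a Nix path value would be copied into /nix/store`. Nothing checks that `file.path` is absolute, so a relative value would be installed relative to the unit's working directory (presumably `/`) rather than rejected. `install --verbose` logs only the two paths under the `secret` syslog identifier, not the contents, which is fine.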
@@ -143,6 +143,19 @@ types // rec { merge = mergeOneOption; }; + secret-file = submodule ({ config, ... }: { + options = { + path = mkOption { type = str; }; + mode = mkOption { type = str; default = "0400"; }; + owner-name = mkOption { type = str; default = "root"; }; + group-name = mkOption { type = str; default = "root"; }; + source-path = mkOption { + type = str; + default = toString + "/${config._module.args.name}"; + }; + }; + }); + suffixed-str = suffs: mkOptionType { name = "string suffixed by ${concatStringsSep ", " suffs}"; -- cgit v1.3.1 From e4d427602c229a782297a74b50b2f67524e9e0d6 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 06:38:09 +0100 Subject: krebs.types.user: add home :: absolute-pathname --- krebs/4lib/types.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'krebs/4lib/types.nix') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 55301add5..41af1cd4f 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -165,6 +165,10 @@ types // rec { user = submodule ({ config, ... }: { options = { + home = mkOption { + type = absolute-pathname; + default = "/home/${config.name}"; + }; mail = mkOption { type = str; # TODO retiolum mail address }; @@ -226,6 +230,21 @@ types // rec { merge = mergeOneOption; }; + # POSIX.1‐2013, 3.2 Absolute Pathname + # TODO normalize slashes + # TODO two slashes + absolute-pathname = mkOptionType { + name = "POSIX absolute pathname"; + check = s: pathname.check s && substring 0 1 s == "/"; + }; + + # POSIX.1‐2013, 3.267 Pathname + # TODO normalize slashes + pathname = mkOptionType { + name = "POSIX pathname"; + check = s: isString s && all filename.check (splitString "/" s); + }; + # POSIX.1-2013, 3.431 User Name username = mkOptionType { name = "POSIX username"; -- cgit v1.3.1 From 05be525be6d0896b155da7305b2cee950fb3530e Mon Sep 17 00:00:00 2001 
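Review bot: The `source-path` default reads `toString + "/${config._module.args.name}"` on this page, i.e. `toString` has no operand, which looks like an angle-bracket search-path expression lost in rendering (the charybdis and ejabberd hunks further down show the same shape); as printed it does not parse, so confirm against the repository. Whatever that operand is, using `toString` rather than `"${...}"` interpolation is the detail that keeps a path value out of /nix/store and deserves a comment such as `# toString, not interpolation: "${path}" would copy the secret into the store`. `path` is `type = str` with no absoluteness check, and `mode` is likewise a free string rather than a validated octal mode. The enclosing `rec` attrset starts outside the hunk.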
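Review bot: `pathname.check` splits on `/` and applies `filename.check` to every piece, so for `/home/tv` the first piece is the empty string and `absolute-pathname` only ever accepts a value if `filename.check ""` holds; `filename` is not on this page, and the same definition decides whether `.` and `..` pieces pass, i.e. whether an `absolute-pathname` can climb out of a directory a consumer assumes it stays inside. A comment stating that dependency would make the contract explicit, e.g. `# relies on filename.check accepting "" (leading slash); says nothing about "." or ".." components`. The two `# TODO normalize slashes` markers cover `//` but not this.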
From: tv Date: Sun, 21 Feb 2016 06:56:57 +0100 Subject: krebs.types.user: add uid :: int --- krebs/3modules/tv/default.nix | 1 + krebs/4lib/default.nix | 2 +- krebs/4lib/types.nix | 4 ++++ tv/2configs/default.nix | 4 ++-- tv/3modules/charybdis/default.nix | 3 +-- tv/3modules/ejabberd/default.nix | 3 +-- 6 files changed, 10 insertions(+), 7 deletions(-) (limited to 'krebs/4lib/types.nix') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 1a9198b4e..b0011ccf7 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -354,6 +354,7 @@ with config.krebs.lib; tv = { mail = "tv@nomic.retiolum"; pubkey = "ssh-rsa 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 tv@wu"; + uid = 1337; # TODO use default }; tv-nomic = { inherit (tv) mail; diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index d5b6d03ac..8e5cab71f 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -15,7 +15,7 @@ let out = rec { addNames = mapAttrs addName; - types = import ./types.nix { inherit lib; }; + types = import ./types.nix { lib = lib // { inherit genid; }; }; dir.has-default-nix = path: pathExists (path + "/default.nix"); diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 41af1cd4f..422627296 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -179,6 +179,10 @@ types // rec { pubkey = mkOption { type = str; }; + uid = mkOption { + type = int; + default = genid config.name; + }; }; }); diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 13699a3d5..5a1e90bc4 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -40,8 +40,8 @@ with config.krebs.lib; mutableUsers = false; users = { tv = { + inherit (config.krebs.users.tv) home uid; isNormalUser = true; - uid = 1337; extraGroups = [ "tv" ]; }; }; @@ -124,7 +124,7 @@ with config.krebs.lib; 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;; - 1337) + ${toString config.krebs.users.tv.uid}) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;; *) 
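Review bot: `default = genid config.name` derives a numeric uid from the user name, and `genid` is defined outside this page, so nothing here says which range it produces or what happens when two names map to the same number; since `charybdis` and `ejabberd` now take their `users.users.*.uid` from this default, a clash would silently merge two service identities' file ownership. NixOS checks declared users for duplicate uids, but not against ids pinned by hand such as `uid = 1337` or reserved by packages, so a comment at the option is warranted, e.g. `# genid derives the uid from the name; for its range and collision behaviour see genid in krebs/4lib/default.nix`. The `# TODO use default` next to `uid = 1337` should say why the explicit value is kept (presumably existing file ownership on disk).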
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix index 5cb0c55b7..87cb37ef4 100644 --- a/tv/3modules/charybdis/default.nix +++ b/tv/3modules/charybdis/default.nix @@ -73,9 +73,8 @@ in { }; users.users.${cfg.user.name} = { - inherit (cfg.user) home name; + inherit (cfg.user) home name uid; createHome = true; - uid = genid cfg.user.name; }; }; } diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 4077da286..da108eb52 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -60,9 +60,8 @@ in { }; users.users.${cfg.user.name} = { - inherit (cfg.user) home name; + inherit (cfg.user) home name uid; createHome = true; - uid = genid cfg.user.name; }; }; } -- cgit v1.3.1 From e3ddf995e92985ee14dab5735ac55045c166aaaf Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 07:18:13 +0100 Subject: krebs types.secret-file: owner-name -> owner :: user --- krebs/3modules/default.nix | 7 +++++++ krebs/3modules/secret.nix | 2 +- krebs/4lib/types.nix | 10 ++++++++-- tv/3modules/charybdis/default.nix | 4 ++-- tv/3modules/ejabberd/default.nix | 2 +- 5 files changed, 19 insertions(+), 6 deletions(-) (limited to 'krebs/4lib/types.nix') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index df1c7db63..7a343d333 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -104,6 +104,13 @@ let retiolum = "hosts"; }; + krebs.users.root = { + home = "/root"; + name = "root"; + pubkey = config.krebs.build.host.ssh.pubkey; + uid = 0; + }; + networking.extraHosts = concatStringsSep "\n" (flatten ( mapAttrsToList (hostname: host: mapAttrsToList (netname: net: diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 46802a661..579f375f3 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix 
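Review bot: `pubkey = config.krebs.build.host.ssh.pubkey` makes the build host's own SSH key the identity of the `root` krebs user, and `krebs.users` pubkeys are what git.nix turns into authorized keys for the git account (visible in the last commit on this page), so whichever key `ssh.pubkey` is — presumably the host key — is authorized to act as `git` on the machine it is built for. That is a machine-as-principal design decision rather than a defect, but it should be stated at the definition, e.g. `# root = this machine: its SSH key is authorized wherever krebs.users pubkeys are consumed (see git.nix)`. `uid = 0` and `home = "/root"` are fine.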
@@ -25,7 +25,7 @@ in { --compare \ --verbose \ --mode=${shell.escape file.mode} \ - --owner=${shell.escape file.owner-name} \ + --owner=${shell.escape file.owner.name} \ --group=${shell.escape file.group-name} \ ${shell.escape file.source-path} \ ${shell.escape file.path} \ diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 422627296..7792b31d5 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -147,8 +147,14 @@ types // rec { options = { path = mkOption { type = str; }; mode = mkOption { type = str; default = "0400"; }; - owner-name = mkOption { type = str; default = "root"; }; - group-name = mkOption { type = str; default = "root"; }; + owner = mkOption { + type = user; + default = config.krebs.users.root; + }; + group-name = mkOption { + type = str; + default = "root"; + }; source-path = mkOption { type = str; default = toString + "/${config._module.args.name}"; diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix index 87cb37ef4..3af971cd4 100644 --- a/tv/3modules/charybdis/default.nix +++ b/tv/3modules/charybdis/default.nix @@ -18,7 +18,7 @@ in { type = types.secret-file; default = { path = "${cfg.user.home}/dh.pem"; - owner-name = "charybdis"; + owner = cfg.user; source-path = toString + "/charybdis.dh.pem"; }; }; @@ -26,7 +26,7 @@ in { type = types.secret-file; default = { path = "${cfg.user.home}/ssl.key.pem"; - owner-name = "charybdis"; + owner = cfg.user; source-path = toString + "/charybdis.key.pem"; }; }; diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index da108eb52..95ea24be1 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -7,7 +7,7 @@ in { type = types.secret-file; default = { path = "${cfg.user.home}/ejabberd.pem"; - owner-name = "ejabberd"; + owner = cfg.user; source-path = toString + "/ejabberd.pem"; }; }; -- cgit v1.3.1 From 67e5fddc0bfe624c6b53b673582e92a28cf530f9 Mon Sep 17 00:00:00 2001 
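Review bot: `default = config.krebs.users.root` inside `secret-file = submodule ({ config, ... }: ...)` refers to the submodule's own config — the same binding the hunk uses two options lower as `config._module.args.name` — not to the system config, so a secret-file that does not set `owner` fails to evaluate with a missing `krebs` attribute instead of defaulting to root. At this commit types.nix is also still `{ lib, ... }:` (the next commit's header hunk shows that), so there is no system config in scope to reach at all. The fix is to capture the outer argument under a name the submodule lambda does not rebind, e.g. `{ config, lib, ... }@args:` at the top of the file and `default = args.config.krebs.users.root;` here. The host `owner` default `config.krebs.users.krebs` in the last commit on this page has the same problem, since the host submodule appears to bind `config` too (its removed `infest` option used `config.name` for the host name). The charybdis and ejabberd hunks set `owner = cfg.user` explicitly and so never exercise the default.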
From: tv Date: Sun, 21 Feb 2016 07:39:24 +0100 Subject: krebs.users.krebs: init --- krebs/3modules/default.nix | 15 ++++++++++----- krebs/3modules/git.nix | 6 ++++-- krebs/3modules/lib.nix | 2 +- krebs/4lib/default.nix | 7 +++++-- krebs/4lib/types.nix | 11 ++++------- 5 files changed, 24 insertions(+), 17 deletions(-) (limited to 'krebs/4lib/types.nix') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 7a343d333..aeeabfe53 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -104,11 +104,16 @@ let retiolum = "hosts"; }; - krebs.users.root = { - home = "/root"; - name = "root"; - pubkey = config.krebs.build.host.ssh.pubkey; - uid = 0; + krebs.users = { + krebs = { + home = "/krebs"; + mail = "spam@krebsco.de"; + }; + root = { + home = "/root"; + pubkey = config.krebs.build.host.ssh.pubkey; + uid = 0; + }; }; networking.extraHosts = concatStringsSep "\n" (flatten ( diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index a9542718d..0cc2f11c9 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -232,13 +232,15 @@ let ]) (filter (rule: rule.perm.allow-receive-ref != null) cfg.rules)); }; - users.extraUsers = singleton rec { + # TODO cfg.user + users.users.git = rec { description = "Git repository hosting user"; name = "git"; shell = "/bin/sh"; openssh.authorizedKeys.keys = mapAttrsToList (_: makeAuthorizedKey git-ssh-command) - config.krebs.users; + (filterAttrs (_: user: isString user.pubkey) + config.krebs.users); uid = genid name; }; }; diff --git a/krebs/3modules/lib.nix b/krebs/3modules/lib.nix index b19f275b5..ccd6a6afa 100644 --- a/krebs/3modules/lib.nix +++ b/krebs/3modules/lib.nix @@ -10,6 +10,6 @@ let type = types.attrs; }; imp = { - krebs.lib = lib // import ../4lib { inherit lib; } // builtins; + krebs.lib = lib // import ../4lib { inherit config lib; } // builtins; }; in out diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 8e5cab71f..e23e42b19 100644 
--- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ config, lib, ... }: with builtins; with lib; @@ -15,7 +15,10 @@ let out = rec { addNames = mapAttrs addName; - types = import ./types.nix { lib = lib // { inherit genid; }; }; + types = import ./types.nix { + inherit config; + lib = lib // { inherit genid; }; + }; dir.has-default-nix = path: pathExists (path + "/default.nix"); diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 7792b31d5..fcb6ff3d3 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ config, lib, ... }: with builtins; with lib; @@ -22,11 +22,7 @@ types // rec { owner = mkOption { type = user; - # TODO proper user - default = { - name = "krebs"; - mail = "spam@krebsco.de"; - }; + default = config.krebs.users.krebs; }; extraZones = mkOption { @@ -183,7 +179,8 @@ types // rec { default = config._module.args.name; }; pubkey = mkOption { - type = str; + type = nullOr str; + default = null; }; uid = mkOption { type = int; -- cgit v1.3.1