summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/iptables.nix51
-rw-r--r--krebs/3modules/nginx.nix45
-rw-r--r--krebs/3modules/tv/default.nix11
-rw-r--r--krebs/5pkgs/builders.nix16
-rw-r--r--krebs/5pkgs/dic/default.nix4
-rw-r--r--krebs/5pkgs/github-hosts-sync/default.nix1
-rw-r--r--krebs/5pkgs/haskell-overrides/blessings.nix8
-rw-r--r--krebs/5pkgs/painload/default.nix4
-rw-r--r--lass/1systems/helios.nix3
-rw-r--r--lass/2configs/default.nix4
-rw-r--r--lass/2configs/mail.nix2
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/repo-sync.nix2
-rw-r--r--lass/2configs/websites/util.nix41
-rw-r--r--lass/3modules/usershadow.nix29
-rw-r--r--tv/1systems/nomic.nix1
-rw-r--r--tv/1systems/wu.nix1
-rw-r--r--tv/1systems/xu.nix2
-rw-r--r--tv/1systems/zu.nix1
-rw-r--r--tv/2configs/backup.nix24
-rw-r--r--tv/2configs/binary-cache/default.nix (renamed from tv/2configs/wu-binary-cache/default.nix)16
-rw-r--r--tv/2configs/default.nix2
-rw-r--r--tv/2configs/git.nix18
-rw-r--r--tv/2configs/wu-binary-cache/client.nix7
-rw-r--r--tv/5pkgs/default.nix5
25 files changed, 193 insertions, 107 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index b610ff3d1..a4a4de6f9 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
let
inherit (pkgs) writeText;
@@ -7,27 +9,6 @@ let
elem
;
- inherit (lib)
- concatMapStringsSep
- concatStringsSep
- attrNames
- unique
- fold
- any
- attrValues
- catAttrs
- filter
- flatten
- length
- hasAttr
- hasPrefix
- mkEnableOption
- mkOption
- mkIf
- types
- sort
- ;
-
cfg = config.krebs.iptables;
out = {
@@ -65,6 +46,14 @@ let
type = int;
default = 0;
};
+ v4 = mkOption {
+ type = bool;
+ default = true;
+ };
+ v6 = mkOption {
+ type = bool;
+ default = true;
+ };
};
})));
default = null;
@@ -93,7 +82,7 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} krebs-iptables_start";
+ ExecStart = startScript;
};
};
};
@@ -109,7 +98,8 @@ let
buildChain = tn: cn:
let
- sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules;
+ filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
+ sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
in
#TODO: double check should be unneccessary, refactor!
@@ -123,13 +113,6 @@ let
buildRule = tn: cn: rule:
- #target validation test:
- assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target;
-
- #predicate validation test:
- #maybe use iptables-test
- #TODO: howto exit with evaluation error by shellscript?
- #apperantly not possible from nix because evalatution wouldn't be deterministic.
"${rule.predicate} -j ${rule.target}";
buildTable = tn:
@@ -149,7 +132,7 @@ let
#=====
- rules4 = iptables-version:
+ rules = iptables-version:
let
#TODO: find out good defaults.
tables-defaults = {
@@ -171,14 +154,14 @@ let
tables = tables-defaults // cfg.tables;
in
- writeText "krebs-iptables-rules${toString iptables-version}" ''
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
${buildTables iptables-version tables}
'';
startScript = pkgs.writeDash "krebs-iptables_start" ''
set -euf
- iptables-restore < ${rules4 4}
- ip6tables-restore < ${rules4 6}
+ iptables-restore < ${rules "v4"}
+ ip6tables-restore < ${rules "v6"}
'';
in
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 1577c5b64..933c2e513 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -53,9 +53,22 @@ let
default = "";
};
ssl = mkOption {
- type = with types; submodule ({
+ type = with types; submodule ({ config, ... }: {
options = {
enable = mkEnableOption "ssl";
+ acmeEnable = mkOption {
+ type = bool;
+ apply = x:
+ if x && config.enable
+ #conflicts because of certificate/certificate_key location
+ then throw "can't use ssl.enable and ssl.acmeEnable together"
+ else x;
+ default = false;
+ description = ''
+ enables automatical generation of lets-encrypt certificates and setting them as certificate
+ conflicts with ssl.enable
+ '';
+ };
certificate = mkOption {
type = str;
};
@@ -95,6 +108,7 @@ let
};
imp = {
+ security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
services.nginx = {
enable = true;
httpConfig = ''
@@ -117,13 +131,24 @@ let
indent = replaceChars ["\n"] ["\n "];
+ to-acme = { server-names, ssl, ... }:
+ optionalAttrs ssl.acmeEnable {
+ email = "lassulus@gmail.com";
+ webroot = "${config.security.acme.directory}/${head server-names}";
+ };
+
to-location = { name, value }: ''
location ${name} {
${indent value}
}
'';
- to-server = { server-names, listen, locations, extraConfig, ssl, ... }: ''
+ to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
+ domain = head server-names;
+ acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
+ root ${config.security.acme.certs.${domain}.webroot};
+ '');
+ in ''
server {
server_name ${toString (unique server-names)};
${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
@@ -142,7 +167,23 @@ let
ssl_ciphers ${ssl.ciphers};
ssl_protocols ${toString ssl.protocols};
'')}
+ ${optionalString ssl.acmeEnable (indent ''
+ ${optionalString ssl.force_encryption ''
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }
+ ''}
+ listen 443 ssl;
+ ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
+ ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
+ ${optionalString ssl.prefer_server_ciphers ''
+ ssl_prefer_server_ciphers On;
+ ''}
+ ssl_ciphers ${ssl.ciphers};
+ ssl_protocols ${toString ssl.protocols};
+ '')}
${indent extraConfig}
+ ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
${indent (concatMapStrings to-location locations)}
}
'';
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 8e266e1b3..3315dd157 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -78,7 +78,9 @@ with import <stockholm/lib>;
extraZones = {
# TODO generate krebsco.de zone from nets and don't use extraZones at all
"krebsco.de" = ''
+ krebsco.de. 60 IN MX 5 mx23
cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
+ mx23 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr}
'';
};
nets = {
@@ -213,7 +215,6 @@ with import <stockholm/lib>;
ni = {
extraZones = {
"krebsco.de" = ''
- krebsco.de. 60 IN MX 5 ni
ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
@@ -351,11 +352,17 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
xu = {
+ binary-cache = {
+ pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s=";
+ };
cores = 4;
nets = {
gg23 = {
ip4.addr = "10.23.1.38";
- aliases = ["xu.gg23"];
+ aliases = [
+ "cache.xu.gg23"
+ "xu.gg23"
+ ];
ssh.port = 11423;
};
retiolum = {
diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix
index 5860b9a15..49d04be4d 100644
--- a/krebs/5pkgs/builders.nix
+++ b/krebs/5pkgs/builders.nix
@@ -37,7 +37,17 @@ rec {
};
};
- writeBash = makeScriptWriter "${pkgs.bash}/bin/bash";
+ writeBash = name: text:
+ assert (with types; either absolute-pathname filename).check name;
+ pkgs.writeOut (baseNameOf name) {
+ ${optionalString (types.absolute-pathname.check name) name} = {
+ check = pkgs.writeDash "shellcheck.sh" ''
+ ${pkgs.haskellPackages.ShellCheck}/bin/shellcheck "$1" || :
+ '';
+ executable = true;
+ text = "#! ${pkgs.bash}/bin/bash\n${text}";
+ };
+ };
writeBashBin = name:
assert types.filename.check name;
@@ -91,6 +101,7 @@ rec {
writers.text =
{ path
+ , check ? null
, executable ? false
, mode ? if executable then "0755" else "0644"
, text
@@ -102,6 +113,9 @@ rec {
var = "file_${hashString "sha1" path}";
val = text;
install = /* sh */ ''
+ ${optionalString (check != null) /* sh */ ''
+ ${check} ''$${var}Path
+ ''}
${pkgs.coreutils}/bin/install -m ${mode} -D ''$${var}Path $out${path}
'';
};
diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix
index ea70f34d7..963786f0c 100644
--- a/krebs/5pkgs/dic/default.nix
+++ b/krebs/5pkgs/dic/default.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
src = fetchgit {
url = http://cgit.ni.krebsco.de/dic;
- rev = "refs/tags/v1.0.0";
- sha256 = "0f3f5dqpw5y79p2k68qw6jdlkrnapqs3nvnc41zwacyhgppiww0k";
+ rev = "refs/tags/v1.0.1";
+ sha256 = "1686mba1z4m7vq70w26qpl00z1cz286c9bya9ql36g6w2pbcs8d3";
};
phases = [
diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix
index bc4c58bb0..cdfed468c 100644
--- a/krebs/5pkgs/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/github-hosts-sync/default.nix
@@ -19,6 +19,7 @@ stdenv.mkDerivation {
git
gnugrep
gnused
+ nettools
openssh
socat
]);
diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell-overrides/blessings.nix
index 5fb57a332..f852b4a44 100644
--- a/krebs/5pkgs/haskell-overrides/blessings.nix
+++ b/krebs/5pkgs/haskell-overrides/blessings.nix
@@ -1,11 +1,11 @@
{ mkDerivation, base, fetchgit, stdenv }:
-mkDerivation {
+mkDerivation rec {
pname = "blessings";
- version = "1.0.0";
+ version = "1.1.0";
src = fetchgit {
url = http://cgit.ni.krebsco.de/blessings;
- rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f";
- sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc";
+ rev = "refs/tags/v${version}";
+ sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1";
};
libraryHaskellDepends = [ base ];
doHaddock = false;
diff --git a/krebs/5pkgs/painload/default.nix b/krebs/5pkgs/painload/default.nix
index 10fd379c0..136ec4394 100644
--- a/krebs/5pkgs/painload/default.nix
+++ b/krebs/5pkgs/painload/default.nix
@@ -2,6 +2,6 @@
fetchgit {
url = https://github.com/krebscode/painload;
- rev = "8df031f810a2776d8c43b03a9793cb49398bd33b";
- sha256 = "03md5k6fmz0j1ny22iw96dzq7cvijbz24ii85i0h2dhcychdp650";
+ rev = "c113487f73713a03b1a139b22bb34b86234d0495";
+ sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6";
}
diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix
index 82db8ef7b..4472816e3 100644
--- a/lass/1systems/helios.nix
+++ b/lass/1systems/helios.nix
@@ -28,6 +28,9 @@ with import <stockholm/lib>;
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
networking.wireless.enable = true;
+ hardware.pulseaudio = {
+ enable = true;
+ };
users.users.ferret = {
uid = genid "ferret";
home = "/home/ferret";
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index a7d2a6cef..21a2ec038 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -194,7 +194,9 @@ with import <stockholm/lib>;
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
- { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; }
+ { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
+ { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
+ { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
];
};
};
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index c637b08fb..872acc003 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -12,7 +12,7 @@ let
msmtp = pkgs.writeBashBin "msmtp" ''
${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
- ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
+ ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"
'';
muttrc = pkgs.writeText "muttrc" ''
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e665b6c6f..caca98746 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
+ ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
};
}
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index baa4bb380..765769936 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -41,7 +41,7 @@ let
mirror.url = "${mirror}${name}";
};
tv = {
- origin.url = "http://cgit.ni.i/${name}";
+ origin.url = "http://cgit.ni.r/${name}";
mirror.url = "${mirror}${name}";
};
lassulus = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 55be8a8d9..3356fe9a8 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -8,28 +8,29 @@ rec {
let
domain = head domains;
in {
- security.acme = {
- certs."${domain}" = {
- email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/${domain}";
- plugins = [
- "account_key.json"
- "key.pem"
- "fullchain.pem"
- ];
- group = "nginx";
- allowKeysForGroup = true;
- extraDomains = genAttrs domains (_: null);
- };
- };
+ #security.acme = {
+ # certs."${domain}" = {
+ # email = "lassulus@gmail.com";
+ # webroot = "/var/lib/acme/challenges/${domain}";
+ # plugins = [
+ # "account_key.json"
+ # "key.pem"
+ # "fullchain.pem"
+ # ];
+ # group = "nginx";
+ # allowKeysForGroup = true;
+ # extraDomains = genAttrs domains (_: null);
+ # };
+ #};
krebs.nginx.servers."${domain}" = {
+ ssl.acmeEnable = true;
server-names = domains;
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/${domain}/;
- '')
- ];
+ #locations = [
+ # (nameValuePair "/.well-known/acme-challenge" ''
+ # root /var/lib/acme/challenges/${domain}/;
+ # '')
+ #];
};
};
@@ -37,7 +38,7 @@ rec {
{
imports = [
( manageCerts domains )
- ( activateACME (head domains) )
+ #( activateACME (head domains) )
];
};
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index a8ab1c52a..c0be053ab 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -70,9 +70,7 @@
extra-depends = deps;
text = ''
import Data.Monoid
- import System.IO
- import Data.Char (chr)
- import System.Environment (getEnv, getArgs)
+ import System.Environment (getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
import System.Exit (exitFailure, exitSuccess)
@@ -96,16 +94,29 @@
import System.Environment (getEnv)
import Crypto.PasswordStore (makePasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
- import System.IO (stdin, hSetEcho, putStrLn)
+ import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)
+ import Control.Exception (bracket_)
main :: IO ()
main = do
home <- getEnv "HOME"
- putStrLn "password:"
- hSetEcho stdin False
- password <- BS8.hGetLine stdin
- hash <- makePasswordWith pbkdf2 password 10
- BS8.writeFile (home ++ "/.shadow") hash
+ mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do
+ putStr "Enter new UNIX password: "
+ hFlush stdout
+ password <- BS8.hGetLine stdin
+ putStrLn ""
+ putStr "Retype new UNIX password: "
+ hFlush stdout
+ password2 <- BS8.hGetLine stdin
+ return $ if password == password2
+ then Just password
+ else Nothing
+ case mb_password of
+ Just password -> do
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ putStrLn "passwd: all authentication tokens updated successfully."
+ Nothing -> putStrLn "Sorry, passwords do not match"
'';
};
};
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 6669b5dcf..7d6a1d682 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -15,7 +15,6 @@ with import <stockholm/lib>;
../2configs/nginx/public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
- ../2configs/wu-binary-cache/client.nix
../2configs/xserver
];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 19db559f1..d5be57bb8 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -16,7 +16,6 @@ with import <stockholm/lib>;
../2configs/nginx/public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
- ../2configs/wu-binary-cache
../2configs/xserver
{
environment.systemPackages = with pkgs; [
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index a7e0b839d..b6fe6dc5c 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -15,7 +15,7 @@ with import <stockholm/lib>;
../2configs/nginx/public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
- ../2configs/wu-binary-cache/client.nix
+ ../2configs/binary-cache
../2configs/xserver
../2configs/xu-qemu0.nix
{
diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix
index 056652e4b..59e8b1c7f 100644
--- a/tv/1systems/zu.nix
+++ b/tv/1systems/zu.nix
@@ -21,7 +21,6 @@ with import <stockholm/lib>;
../2configs/nginx/public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
- ../2configs/wu-binary-cache/client.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix
index 6dd24b32f..7c91b1cf1 100644
--- a/tv/2configs/backup.nix
+++ b/tv/2configs/backup.nix
@@ -58,6 +58,18 @@ with import <stockholm/lib>;
dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; };
startAt = "07:00";
};
+ xu-pull-ni-ejabberd = {
+ method = "pull";
+ src = { host = config.krebs.hosts.ni; path = "/var/ejabberd"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/ni-ejabberd"; };
+ startAt = "07:00";
+ };
+ xu-pull-ni-home = {
+ method = "pull";
+ src = { host = config.krebs.hosts.ni; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/ni-home"; };
+ startAt = "07:00";
+ };
zu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.zu; path = "/home"; };
@@ -76,6 +88,18 @@ with import <stockholm/lib>;
dst = { host = config.krebs.hosts.zu; path = "/bku/cd-home"; };
startAt = "06:30";
};
+ zu-pull-ni-ejabberd = {
+ method = "pull";
+ src = { host = config.krebs.hosts.ni; path = "/var/ejabberd"; };
+ dst = { host = config.krebs.hosts.zu; path = "/bku/ni-ejabberd"; };
+ startAt = "06:00";
+ };
+ zu-pull-ni-home = {
+ method = "pull";
+ src = { host = config.krebs.hosts.ni; path = "/home"; };
+ dst = { host = config.krebs.hosts.zu; path = "/bku/ni-home"; };
+ startAt = "06:30";
+ };
} // mapAttrs (_: recursiveUpdate {
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; };
diff --git a/tv/2configs/wu-binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index f039a552b..5902f1895 100644
--- a/tv/2configs/wu-binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -1,22 +1,30 @@
{ config, lib, pkgs, ... }: with import <stockholm/lib>;
{
- services.nix-serve = assert config.krebs.build.host.name == "wu"; {
+ environment.etc."binary-cache.pubkey".text =
+ config.krebs.build.host.binary-cache.pubkey;
+
+ services.nix-serve = {
enable = true;
- secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+ secretKeyFile = config.krebs.secret.files.binary-cache-seckey.path;
};
+
systemd.services.nix-serve = {
requires = ["secret.service"];
after = ["secret.service"];
};
- krebs.secret.files.nix-serve-key = {
+
+ krebs.secret.files.binary-cache-seckey = {
path = "/run/secret/nix-serve.key";
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
+
krebs.nginx = {
enable = true;
servers.nix-serve = {
- server-names = [ "cache.wu.gg23" ];
+ server-names = [
+ "cache.${config.krebs.build.host.name}.gg23"
+ ];
locations = singleton (nameValuePair "/" ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'');
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index b5b1fc240..8852100e2 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
stockholm.file = "/home/tv/stockholm";
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
- ref = "a6728e15cbca1d11553f01d7c3c477ae2debfd8e";
+ ref = "728a9578e31a0f78f6ad07a3a2ec706ec5290f10";
};
} // optionalAttrs host.secure {
secrets-master.file = "/home/tv/secrets/master";
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index b6724f40e..48d738365 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -29,8 +29,10 @@ let
cac-api = {
cgit.desc = "CloudAtCost API command line interface";
};
+ dic = {
+ cgit.desc = "dict.leo.org command line interface";
+ };
get = {};
- hack = {};
load-env = {};
loldns = {
cgit.desc = "toy DNS server";
@@ -40,12 +42,9 @@ let
netcup = {
cgit.desc = "netcup command line interface";
};
- newsbot-js = {};
- nixpkgs = {};
populate = {
cgit.desc = "source code installer";
};
- push = {};
regfish = {};
soundcloud = {
cgit.desc = "SoundCloud command line interface";
@@ -53,8 +52,10 @@ let
stockholm = {
cgit.desc = "NixOS configuration";
};
- with-tmpdir = {};
- } // mapAttrs (_: recursiveUpdate { cgit.section = "2. Haskell libraries"; }) {
+ } // mapAttrs (_: recursiveUpdate { cgit.section = "2. Host configurations"; }) {
+ ni = {
+ };
+ } // mapAttrs (_: recursiveUpdate { cgit.section = "3. Haskell libraries"; }) {
blessings = {};
mime = {};
quipper = {};
@@ -63,12 +64,15 @@ let
web-routes-wai-custom = {};
xintmap = {};
xmonad-stockholm = {};
- } // mapAttrs (_: recursiveUpdate { cgit.section = "3. museum"; }) {
+ } // mapAttrs (_: recursiveUpdate { cgit.section = "4. museum"; }) {
cgserver = {};
crude-mail-setup = {};
dot-xmonad = {};
+ make-snapshot = {};
nixos-infest = {};
painload = {};
+ push = {};
+ with-tmpdir = {};
});
restricted-repos = mapAttrs make-restricted-repo (
diff --git a/tv/2configs/wu-binary-cache/client.nix b/tv/2configs/wu-binary-cache/client.nix
deleted file mode 100644
index 9634c21d4..000000000
--- a/tv/2configs/wu-binary-cache/client.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-_:
-{
- nix = {
- binaryCaches = ["http://cache.wu.gg23"];
- binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="];
- };
-}
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index 4eb8a10b4..ae47ab0f3 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -35,9 +35,6 @@ with import <stockholm/lib>;
ff = pkgs.writeDashBi