47 files changed, 496 insertions, 366 deletions
@@ -51,8 +51,6 @@ $(if $(target_user),,$(error unbound variable: target_user)) $(if $(target_port),,$(error unbound variable: target_port)) $(if $(target_path),,$(error unbound variable: target_path)) -target ?= $(target_user)@$(target_host):$(target_port)$(target_path) - build = \ nix-build \ --no-out-link \ @@ -88,6 +86,8 @@ deploy: nixos-rebuild $(rebuild-command) --show-trace -I $(target_path) # usage: make populate system=foo +populate: populate-target = \ + $(target_user)@$(target_host):$(target_port)$(target_path) ifeq ($(debug),true) populate: populate-flags += --debug endif @@ -96,7 +96,7 @@ populate: populate-flags += --ssh=$(ssh) endif populate: $(call evaluate,config.krebs.build.source) --json --strict | \ - populate $(target) $(populate-flags) + populate $(populate-target) $(populate-flags) # usage: make pkgs.populate pkgs:;@$(error no package selected) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index de5be964f..f5190b6ba 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -791,6 +791,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB } // { # hosts only maintained in stockholm, not owned by me muhbaasu = rec { + owner = config.krebs.users.root; cores = 1; nets = { internet = { diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix index 57a579bc0..d53482339 100644 --- a/krebs/3modules/rtorrent.nix +++ b/krebs/3modules/rtorrent.nix @@ -336,7 +336,6 @@ let pm.min_spare_servers = 1 pm.max_spare_servers = 3 chdir = / - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index 47767d370..a9868954e 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -8,6 +8,7 @@ let "test-centos7" "test-all-krebs-modules" ] (name: { + owner = config.krebs.users.shared; inherit name; cores = 1; nets = { 
@@ -34,6 +35,7 @@ let in { hosts = { wolf = { + owner = config.krebs.users.shared; nets = { shack = { ip4.addr = "10.42.2.150" ; diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 49241cc82..c40b9a868 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -1,19 +1,12 @@ -{ config, lib, ... }: +_: -with builtins; -with lib; - -let out = import <stockholm/lib> // rec { - - eq = x: y: x == y; - ne = x: y: x != y; +let + lib = import <stockholm/lib>; +in - mod = x: y: x - y * (x / y); - - addName = name: set: - set // { inherit name; }; +with lib; - addNames = mapAttrs addName; +let out = lib // rec { guard = spec@{ type, value, ... }: assert isOptionType type; @@ -26,12 +19,9 @@ let out = import <stockholm/lib> // rec { ])); types = import ./types.nix { - inherit config; lib = lib // { inherit genid optionalTrace; }; }; - dir.has-default-nix = path: pathExists (path + "/default.nix"); - genid = import ./genid.nix { lib = lib // out; }; genid_signed = x: ((genid x) + 16777216) / 2; git = import ./git.nix { lib = lib // out; }; diff --git a/krebs/4lib/git.nix b/krebs/4lib/git.nix index d50ba2018..005c017a9 100644 --- a/krebs/4lib/git.nix +++ b/krebs/4lib/git.nix @@ -1,7 +1,12 @@ { lib, ... }: +with lib; + let - inherit (lib) addNames escapeShellArg makeSearchPath optionalString; + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; commands = addNames { git-receive-pack = {}; diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 37d44606b..8d6ace2e5 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -1,14 +1,9 @@ -{ config, lib, ... }: +{ lib, ... }: with builtins; with lib; with types; -let - # Inherited attributes are used in submodules that have their own `config`. - inherit (config.krebs) build users; -in - types // rec { host = submodule ({ config, ... }: { @@ -27,7 +22,6 @@ types // rec { owner = mkOption { type = user; - default = users.krebs; }; extraZones = mkOption { 
@@ -49,10 +43,6 @@ types // rec { ssh.pubkey = mkOption { type = nullOr ssh-pubkey; default = null; - apply = x: - optionalTrace (x == null && config.owner.name == build.user.name) - "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." - x; }; ssh.privkey = mkOption { type = nullOr ssh-privkey; @@ -187,7 +177,6 @@ types // rec { }; owner = mkOption { type = user; - default = users.root; }; group-name = mkOption { type = str; @@ -284,6 +273,7 @@ types // rec { }; mail = mkOption { type = str; # TODO retiolum mail address + default = "${config._module.args.name}@${config.networking.hostName}.r"; }; name = mkOption { type = username; diff --git a/krebs/5pkgs/charybdis/default.nix b/krebs/5pkgs/charybdis/default.nix index f3e6be40e..6968be264 100644 --- a/krebs/5pkgs/charybdis/default.nix +++ b/krebs/5pkgs/charybdis/default.nix @@ -6,7 +6,7 @@ stdenv.mkDerivation rec { src = fetchgit { url = "https://github.com/atheme/charybdis.git"; rev = "61815bf9324e872f51255e09fe37a8c595f94a60"; - sha256 = "0zsd6xk2cnspc1cvryy2296p3ix4hwjd9k24wmgbh5wzks0wahwy"; + sha256 = "1q9h7j2pm1wsbcybmm7r7hzimp1zda04lw9x2akb26l9p12zgfgc"; }; patches = [ diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index cdab64212..75d1dac82 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -17,7 +17,7 @@ with config.krebs.lib; in {} // import ./builders.nix args // mapAttrs (_: flip callPackage {}) - (filterAttrs (_: dir.has-default-nix) + (filterAttrs (_: dir: pathExists (dir + "/default.nix")) (subdirsOf ./.)) // { empty = pkgs.runCommand "empty-1.0.0" {} "mkdir $out"; diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix index 3566de8cd..12cbedc60 100644 --- a/krebs/5pkgs/dic/default.nix +++ b/krebs/5pkgs/dic/default.nix 
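Review bot: The new `mail` default in the `@@ -284,6 +273,7 @@` hunk reads `config.networking.hostName`, but types.nix no longer receives `config` as an argument (its first hunk drops it), so `config` there can only be the enclosing submodule's own config, which has no `networking` attribute; the default will presumably fail to evaluate wherever `mail` is read without being set — confirm the intended scope. If the host name is really wanted, pass it in explicitly from the caller rather than reaching for the NixOS `config`. Removing `default = users.krebs` and `default = users.root` from the two `owner` options makes `owner` effectively mandatory; a one-line `description = "owner of this host/…; must be set";` on each would turn the resulting missing-attribute error into a readable one. The submodule definitions these hunks sit in begin and end outside the hunks.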
@@ -6,7 +6,7 @@ stdenv.mkDerivation { src = fetchgit { url = https://github.com/krebscode/painload; rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; + sha256 = "0arsfcd8qdrqafw7cxiag7f0kn95nwxxwrs0kdzxxdryfr6l1h07"; }; phases = [ diff --git a/krebs/5pkgs/exim/default.nix b/krebs/5pkgs/exim/default.nix deleted file mode 100644 index 835970555..000000000 --- a/krebs/5pkgs/exim/default.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{ coreutils, fetchurl, db, openssl, pam, pcre, perl, pkgconfig, stdenv }: - -stdenv.mkDerivation rec { - name = "exim-4.87"; - - src = fetchurl { - url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2"; - sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl"; - }; - - buildInputs = [ coreutils db openssl pam pcre perl pkgconfig ]; - - preBuild = '' - sed ' - s:^\(BIN_DIRECTORY\)=.*:\1='"$out"'/bin: - s:^\(CONFIGURE_FILE\)=.*:\1=/etc/exim.conf: - s:^\(EXIM_USER\)=.*:\1=ref\:nobody: - s:^\(SPOOL_DIRECTORY\)=.*:\1=/exim-homeless-shelter: - s:^# \(SUPPORT_MAILDIR\)=.*:\1=yes: - s:^EXIM_MONITOR=.*$:# &: - s:^\(FIXED_NEVER_USERS\)=root$:\1=0: - s:^# \(WITH_CONTENT_SCAN\)=.*:\1=yes: - s:^# \(AUTH_PLAINTEXT\)=.*:\1=yes: - s:^# \(SUPPORT_TLS\)=.*:\1=yes: - s:^# \(USE_OPENSSL_PC=openssl\)$:\1: - s:^# \(LOG_FILE_PATH=syslog\)$:\1: - s:^# \(SUPPORT_PAM\)=.*:\1=yes\nEXTRALIBS=-lpam: - s:^# \(HAVE_IPV6=yes\)$:\1: - s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown: - s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp: - s:^# \(CHMOD_COMMAND\)=.*:\1=${coreutils}/bin/chmod: - s:^# \(MV_COMMAND\)=.*:\1=${coreutils}/bin/mv: - s:^# \(RM_COMMAND\)=.*:\1=${coreutils}/bin/rm: - s:^# \(TOUCH_COMMAND\)=.*:\1=${coreutils}/bin/touch: - s:^# \(PERL_COMMAND\)=.*:\1=${perl}/bin/perl: - #/^\s*#.*/d - #/^\s*$/d - ' < src/EDITME > Local/Makefile - ''; - - installPhase = '' - mkdir -p $out/bin $out/share/man/man8 - cp doc/exim.8 $out/share/man/man8 - - ( cd build-Linux-* - cp exicyclog exim_checkaccess exim_dumpdb exim_lock exim_tidydb \ - exipick exiqsumm exigrep exim_dbmbuild exim exim_fixdb eximstats \ - exinext exiqgrep exiwhat \ - $out/bin ) - - ( cd $out/bin - for i in mailq newaliases rmail rsmtp runq sendmail; do - ln -s exim $i - done ) - ''; - - meta = { - homepage = http://exim.org/; - description = "A mail transfer agent (MTA)"; - license = stdenv.lib.licenses.gpl3; - platforms = stdenv.lib.platforms.linux; - maintainers = [ 
stdenv.lib.maintainers.tv ]; - }; -} diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell-overrides/blessings.nix index 741fb5c36..ba776b352 100644 --- a/krebs/5pkgs/haskell-overrides/blessings.nix +++ b/krebs/5pkgs/haskell-overrides/blessings.nix @@ -5,7 +5,7 @@ mkDerivation { src = fetchgit { url = http://cgit.cd.krebsco.de/blessings; rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f"; - sha256 = "b962153e80e51519b52220199d8350b54154833e4bc25a792ecc58898fef3fb2"; + sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc"; }; libraryHaskellDepends = [ base ]; doHaddock = false; diff --git a/krebs/5pkgs/haskell-overrides/email-header.nix b/krebs/5pkgs/haskell-overrides/email-header.nix index 8c62f2f70..b54240809 100644 --- a/krebs/5pkgs/haskell-overrides/email-header.nix +++ b/krebs/5pkgs/haskell-overrides/email-header.nix @@ -7,8 +7,8 @@ mkDerivation { version = "0.3.0"; src = fetchgit { url = "https://github.com/4z3/email-header"; - sha256 = "f33fba567a39b1f2448869b269c26c40d8007599c23ab83bde5b4dfd9fd76ebc"; rev = "7b179bd31192ead8afe7a0b6e34bcad4039deaa8"; + sha256 = "12j2n3sbvzjnw99gga7kkdygm8n3qx2lh8q26ad6a53xm5whnz59"; }; buildDepends = [ attoparsec base base64-bytestring bytestring case-insensitive diff --git a/krebs/5pkgs/haskell-overrides/scanner.nix b/krebs/5pkgs/haskell-overrides/scanner.nix index b88b9dbe3..5146fa41d 100644 --- a/krebs/5pkgs/haskell-overrides/scanner.nix +++ b/krebs/5pkgs/haskell-overrides/scanner.nix @@ -5,7 +5,7 @@ mkDerivation { src = fetchgit { url = http://cgit.cd.krebsco.de/scanner; rev = "7f091a3bc152ad3974a1873b460fa1759bf8dcad"; - sha256 = "7d123c227777932039d26fc832b8d32a90f04c0bd6b7e8bcff0a6f49a54e0054"; + sha256 = "1lgl158axczsm4fx53fyq1d4116v91jsx4dbz66ka4k1ljqrmhgn"; }; libraryHaskellDepends = [ base ]; license = stdenv.lib.licenses.wtfpl; diff --git a/krebs/5pkgs/much/default.nix b/krebs/5pkgs/much/default.nix index efe84fbf0..61a58b01b 100644 --- a/krebs/5pkgs/much/default.nix 
+++ b/krebs/5pkgs/much/default.nix @@ -14,7 +14,7 @@ mkDerivation { src = fetchgit { url = "http://cgit.cd.krebsco.de/much"; rev = "045dc986b4de225a927175f81c8ccfdab450202c"; - sha256 = "cec175e3dc32ef93029ee5285f6c4042ce11d637945bc8cec02cb6699d06cc13"; + sha256 = "17jbw7x82a3bgn1qv5k764f103knrf865dmx48h7192vdh8gz766"; }; isLibrary = false; isExecutable = true; diff --git a/krebs/5pkgs/noVNC/default.nix b/krebs/5pkgs/noVNC/default.nix index 629d288ae..45c3afb3a 100644 --- a/krebs/5pkgs/noVNC/default.nix +++ b/krebs/5pkgs/noVNC/default.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { src = fetchgit { url = https://github.com/kanaka/noVNC; rev = "refs/tags/v0.5.1"; - sha256 = "1azsnppwnrsv3axj0r5bw8lfarkibgz5vhgcyj8dzn4afn98f55w"; + sha256 = "1vckvvfcawgfqmx415r5rnl6k2alx53jbqmsj49kxpbdvvxpb49d"; }; phases = [ diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 26ad316ce..8ce1d5748 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -102,6 +102,11 @@ with config.krebs.lib; device = "/dev/pool/bku"; fsType = "ext4"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; #services.udev.extraRules = '' diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 1aa4d9b23..1028ca652 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -23,7 +23,7 @@ with config.krebs.lib; ../2configs/teamviewer.nix ../2configs/libvirt.nix ../2configs/fetchWallpaper.nix - ../2configs/c-base.nix + #../2configs/c-base.nix ../2configs/mail.nix ../2configs/krebs-pass.nix ../2configs/repo-sync.nix @@ -54,8 +54,8 @@ with config.krebs.lib; enable = true; package = pkgs.postgresql; }; - virtualisation.docker.enable = true; - users.users.mainUser.extraGroups = [ "docker" ]; + #virtualisation.docker.enable = true; + #users.users.mainUser.extraGroups = [ "docker" ]; } { lass.umts = { 
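Review bot: The `/tmp` tmpfs entry added to helios.nix here is repeated verbatim in mors.nix, prism.nix, shodan.nix and uriel.nix in this commit, and one copy already differs in shape (`fileSystems."/tmp" = …` instead of inside the `fileSystems` set); five copies of the same mount will drift. Factoring it into a shared 2configs module — or using `boot.tmpOnTmpfs`, if the pinned nixpkgs provides that option — keeps the `nosuid`/`nodev` hardening identical across hosts. No `size=` option is given, so the tmpfs defaults to half of RAM; that is usually fine but deserves a comment such as `# tmpfs defaults to 50% of RAM; add size= if /tmp must be bounded`. The enclosing `fileSystems` set continues outside the hunk.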
@@ -140,6 +140,11 @@ with config.krebs.lib; device = "/dev/big/conf"; fsType = "ext4"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; services.udev.extraRules = '' @@ -192,8 +197,12 @@ with config.krebs.lib; urban mk_sql_pair remmina + thunderbird logf + iodine + + macchanger ]; #TODO: fix this shit diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index c7c765302..51d106b5e 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -23,6 +23,7 @@ in { ../2configs/buildbot-standalone.nix ../2configs/repo-sync.nix ../2configs/binary-cache/server.nix + ../2configs/iodined.nix { imports = [ ../2configs/git.nix @@ -119,6 +120,12 @@ in { device = "/dev/pool/bku"; }; + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + } { sound.enable = false; @@ -260,6 +267,11 @@ in { { predicate = "-p tcp --dport 8088"; target = "ACCEPT"; } ]; } + { + krebs.repo-sync.timerConfig = { + OnCalendar = "*:0/5"; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index af98c6968..5140591af 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -50,6 +50,11 @@ with builtins; device = "/dev/pool/home-lass"; fsType = "ext4"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; services.udev.extraRules = '' diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 16c39280d..aa5286ae0 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix 
@@ -1,33 +1,45 @@ { config, pkgs, ... }: with builtins; +with config.krebs.lib; { imports = [ ../. ../2configs/retiolum.nix - ../2configs/baseX.nix ../2configs/exim-retiolum.nix - ../2configs/browsers.nix - ../2configs/games.nix - ../2configs/pass.nix - ../2configs/bird.nix - ../2configs/git.nix - ../2configs/chromium-patched.nix - ../2configs/bitlbee.nix - ../2configs/weechat.nix - ../2configs/skype.nix { - lass.umts = { + # locke config + time.timeZone = "Europe/Berlin"; + services.xserver.enable = true; + users.users.locke = { + uid = genid "locke"; + home = "/home/locke"; + group = "users"; + createHome = true; + extraGroups = [ + "audio" + "networkmanager" + ]; + useDefaultShell = true; + }; + networking.networkmanager.enable = true; + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + environment.systemPackages = with pkgs; [ + firefox + hexchat + networkmanagerapplet + ]; + services.xserver.desktopManager.xfce = { enable = true; - modem = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; }; } ]; krebs.build.host = config.krebs.hosts.uriel; - networking.wireless.enable = true; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; @@ -62,6 +74,11 @@ with builtins; "/boot" = { device = "/dev/sda1"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; services.udev.extraRules = '' diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix index 7d3046d43..916e08219 100644 --- a/lass/2configs/backups.nix +++ b/lass/2configs/backups.nix 
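Review bot: `hardware.pulseaudio.systemWide = true` in the new locke block runs one PulseAudio daemon shared by every member of the `audio` group; upstream documents system-wide mode as discouraged for ordinary desktops, and with `locke` as the only desktop user here the per-user default is the safer choice. If something on this host genuinely needs the system daemon, say so in place, e.g. `# systemWide: required by <reason>`, so the next reader does not "fix" it. The `# locke config` comment and the inline user/desktop block would also read better as a small `2configs/locke.nix` module like the others in `imports`. The surrounding `imports` list and module body continue outside the hunk.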
@@ -23,10 +23,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; startAt = "03:05"; }; - dishfire-http-uriel = { + dishfire-http-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; startAt = "03:10"; }; dishfire-sql-prism = { @@ -41,10 +41,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; startAt = "03:20"; }; - dishfire-sql-uriel = { + dishfire-sql-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; startAt = "03:25"; }; prism-bitlbee-mors = { @@ -53,10 +53,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; - prism-bitlbee-uriel = { + prism-bitlbee-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; }; startAt = "03:25"; }; prism-chat-mors = { @@ -65,10 +65,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; startAt = "03:30"; }; - prism-chat-uriel = { + prism-chat-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; }; startAt = "03:35"; }; prism-sql-mors = { 
@@ -77,10 +77,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; startAt = "03:40"; }; - prism-sql-uriel = { + prism-sql-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; }; startAt = "03:45"; }; prism-http-mors = { @@ -89,22 +89,22 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; startAt = "03:50"; }; - prism-http-uriel = { + prism-http-shodan = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; }; startAt = "03:55"; }; - uriel-home-mors = { + shodan-home-mors = { method = "pull"; - src = { host = config.krebs.hosts.uriel; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; + src = { host = config.krebs.hosts.shodan; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; startAt = "04:00"; }; - mors-home-uriel = { + mors-home-shodan = { method = "push"; src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; }; startAt = "05:00"; }; dishfire-http-helios = { diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index ea79053ce..90f420674 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix 
@@ -1,11 +1,28 @@ { config, lib, pkgs, ... }: +with config.krebs.lib; let - inherit (config.krebs.lib) genid; mainUser = config.users.extraUsers.mainUser; - createChromiumUser = name: extraGroups: packages: - { + + browser-select = pkgs.writeScriptBin "browser-select" '' + BROWSER=$(echo -e "${concatStringsSep "\\n" (attrNames config.lass.browser.paths)}" | ${pkgs.dmenu}/bin/dmenu) + case $BROWSER in + ${concatMapStringsSep "\n" (n: '' + ${n}) + export BIN=${config.lass.browser.paths.${n}}/bin/${n} + ;; + '') (attrNames config.lass.browser.paths)} + esac + $BIN "$@" + ''; + + createChromiumUser = name: extraGroups: + let + bin = pkgs.writeScriptBin name '' + /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@ + ''; + in { users.extraUsers.${name} = { inherit name; inherit extraGroups; @@ -14,19 +31,21 @@ let useDefaultShell = true; createHome = true; }; - krebs.per-user.${name}.packages = packages; + lass.browser.paths.${name} = bin; security.sudo.extraConfig = '' ${mainUser.name} ALL=(${name}) NOPASSWD: ALL ''; environment.systemPackages = [ - (pkgs.writeScriptBin name '' - /var/setuid-wrappers/sudo -u ${name} -i chromium $@ - '') + bin ]; }; - createFirefoxUser = name: extraGroups: packages: - { + createFirefoxUser = name: extraGroups: + let + bin = pkgs.writeScriptBin name '' + /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@ + ''; + in { users.extraUsers.${name} = { inherit name; inherit extraGroups; @@ -35,14 +54,12 @@ let useDefaultShell = true; createHome = true; }; - krebs.per-user.${name}.packages = packages; + lass.browser.paths.${name} = bin; security.sudo.extraConfig = '' ${mainUser.name} ALL=(${name}) NOPASSWD: ALL ''; environment.systemPackages = [ - (pkgs.writeScriptBin name '' - /var/setuid-wrappers/sudo -u ${name} -i firefox $@ - '') + bin ]; }; 
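Review bot: In `browser-select`, when dmenu is dismissed `$BROWSER` is empty, no `case` arm matches and `$BIN` stays unset, so the final `$BIN "$@"` executes the first argument — the URL or path handed in by the caller — as a command; add a default arm `*) exit 1 ;;` to the `case`. In the new `createChromiumUser`/`createFirefoxUser` wrappers the browser is started as `sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@`: `sudo -i` hands the command line to the target user's login shell via `-c`, so the unquoted `$@` (and even `"$@"`) lets shell metacharacters in a URL such as `&` or `;` be interpreted by that shell instead of reaching the browser. Quote the arguments before the shell sees them, or drop `-i` in favour of `-H` with `"$@"` if the login environment is not needed — whether `DISPLAY` survives without `-i` depends on this host's sudo `env_keep`, so confirm. Neither script starts with a `#!` line (`writeScriptBin` adds none); that works when launched from a shell but may not when a non-shell launcher execs the file directly, which is worth checking now that the urxvt launcher points at `browser-select`.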
@@ -50,19 +67,26 @@ let in { + lass.browser.select = browser-select; + environment.systemPackages = [ - (pkgs.writeScriptBin "browser-select" '' - BROWSER=$(echo -e "ff\ncr\nwk\nfb\ngm\nflash" | dmenu) - $BROWSER $@ - '') + browser-select ]; imports = [ - ( createFirefoxUser "ff" [ "audio" ] [ pkgs.firefox ] ) - ( createChromiumUser "cr" [ "video" "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "wk" [ "video" "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "fb" [ "video" "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "gm" [ "video" "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "com" [ "video" "audio" ] [ pkgs.chromium ] ) + { + options.lass.browser.select = mkOption { + type = types.path; + }; + options.lass.browser.paths = mkOption { + type = with types; attrsOf path; + }; + } + ( createFirefoxUser "ff" [ "audio" ] ) + ( createChromiumUser "cr" [ "video" "audio" ] ) + ( createChromiumUser "wk" [ "video" "audio" ] ) + ( createChromiumUser "fb" [ "video" "audio" ] ) + ( createChromiumUser "gm" [ "video" "audio" ] ) + ( createChromiumUser "com" [ "video" "audio" ] ) ]; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 5575b7e7b..0b7ca8eaa 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -21,7 +21,6 @@ with config.krebs.lib; root = { openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey config.krebs.users.lass-shodan.pubkey ]; }; @@ -37,7 +36,6 @@ with config.krebs.lib; ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey config.krebs.users.lass-shodan.pubkey ]; }; @@ -69,7 +67,7 @@ with config.krebs.lib; }; }; - nix.useChroot = true; + nix.useSandbox = true; users.mutableUsers = false; @@ -99,6 +97,7 @@ with config.krebs.lib; jq parallel proot + populate #style most 
@@ -143,15 +142,6 @@ with config.krebs.lib; shopt -s histappend histreedit histverify shopt -s no_empty_cmd_completion complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi ''; promptInit = '' if test $UID = 0; then diff --git a/lass/2configs/iodined.nix b/lass/2configs/iodined.nix new file mode 100644 index 000000000..f67e2ae86 --- /dev/null +++ b/lass/2configs/iodined.nix @@ -0,0 +1,20 @@ +{ pkgs, config, ... }: + +let + # TODO: make this a parameter + domain = "io.lassul.us"; + pw = import <secrets/iodinepw.nix>; +in { + + services.iodine.server = { + enable = true; + domain = domain; + ip = "172.16.10.1/24"; + extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}"; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 53"; target = "ACCEPT";} + ]; + +} diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 9e3fe888c..6e9138b61 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -2,7 +2,7 @@ { krebs.build.source.nixpkgs.git = { - url = https://github.com/lassulus/nixpkgs; - ref = "3fb009d94e70f5d1151f4ec239a90d2de1979a74"; + url = https://github.com/nixos/nixpkgs; + ref = "354fd3728952c229fee4f2924737c601d7ab4725"; }; } diff --git a/lass/2configs/tests/dummy-secrets/iodinepw.nix b/lass/2configs/tests/dummy-secrets/iodinepw.nix new file mode 100644 index 000000000..f5e704702 --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/iodinepw.nix @@ -0,0 +1 @@ +"derp" diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index d5ad38c07..e05f40d97 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
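Review bot: In the new `iodined.nix` the tunnel password is interpolated into `extraConfig = "-c -P ${pw} -l …"`, which puts the secret into the generated service unit in the world-readable Nix store and onto the daemon's command line (`/proc/<pid>/cmdline`), readable by every local user. Keep it out of the store: if the iodine module in the pinned nixpkgs offers a password-file option (later nixpkgs expose `passwordFile`), use that; otherwise load it at runtime from a root-only file, e.g. via a systemd `EnvironmentFile`. The `# TODO: make this a parameter` on `domain` is fine, but `pw = import <secrets/iodinepw.nix>;` deserves a note too, e.g. `# secret; tests/dummy-secrets/iodinepw.nix supplies a placeholder`, so the `"derp"` dummy is not mistaken for a real value. The `krebs.iptables` rule opens udp/53 on all interfaces; a one-line `# udp/53: iodine DNS-tunnel endpoint` would document the intent.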
@@ -1,9 +1,11 @@ { config, pkgs, lib, ... }: let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) genid - ; + genid_signed + ; inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) ssl servePage @@ -20,6 +22,25 @@ let exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" ''; + check-password = pkgs.writeDash "check-password" '' + read pw + + file="/home/$PAM_USER/.shadow" + + #check if shadow file exists + test -e "$file" || exit 123 + + hash="$(${pkgs.coreutils}/bin/head -1 $file)" + salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')" + + calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)" + if [ "$calc_hash" == $hash ]; then + exit 0 + else + exit 1 + fi + ''; + in { imports = [ ./sqlBackup.nix 
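Review bot: `check-password` is built with `pkgs.writeDash`, but its comparison is `[ "$calc_hash" == $hash ]`; dash's `test` builtin does not accept `==` (it reports "unexpected operator" and exits non-zero), so as written every login takes the `exit 1` branch — use `=` and quote the right-hand side: `if [ "$calc_hash" = "$hash" ]; then`. `$PAM_USER` comes from the authenticating client unvalidated and is spliced into `file="/home/$PAM_USER/.shadow"`, so a name containing `/` or `..` selects an arbitrary readable file as the reference hash; reject anything outside a safe character set first, e.g. `case $PAM_USER in *[!a-zA-Z0-9_-]*|"") exit 1 ;; esac`. `read pw` should be `read -r pw` so backslashes in the password are not consumed, and the `sed` salt extraction assumes the plain `$6$salt$hash` layout — a hash carrying a `rounds=` field would yield the wrong salt, which merits a comment if that layout is guaranteed. The string compare is not constant-time; minor here, but worth a `# NOTE: not constant-time` so nobody reuses the script for a shared secret store.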
@@ -122,39 +143,62 @@ in { }; }; - - #services.phpfpm.phpOptions = '' - # extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - # sendmail_path = ${sendmail} -t - #''; - services.phpfpm.phpIni = pkgs.runCommand "php.ini" { - options = '' - extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - sendmail_path = "${sendmail} -t -i" - always_populate_raw_post_data = -1 - ''; - } '' - cat ${pkgs.php}/etc/php-recommended.ini > $out - echo "$options" >> $out + services.phpfpm.phpOptions = '' + sendmail_path = ${sendmail} -t + upload_max_filesize = 100M + post_max_size = 100M + file_uploads = on ''; # MAIL STUFF # TODO: make into its own module - services.dovecot2 = { - enable = true; - mailLocation = "maildir:~/Mail"; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; } - { predicate = "-p tcp --dport imap"; target = "ACCEPT"; } - ]; + services.dovecot2 = { + enable = true; + mailLocation = "maildir:~/Mail"; + sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem"; + sslServerKey = "/var/lib/acme/lassul.us/key.pem"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } + { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 465"; target = "ACCEPT"; } + ]; + + security.pam.services.exim.text = '' + auth required pam_env.so + auth sufficient pam_exec.so debug expose_authtok ${check-password} + auth sufficient pam_unix.so likeauth nullok + auth required pam_deny.so + account required pam_unix.so + password required pam_cracklib.so retry=3 type= + password sufficient pam_unix.so nullok use_authtok md5shadow + password required pam_deny.so + session required pam_limits.so + session required pam_unix.so + ''; + krebs.exim-smarthost = { + authenticators.PLAIN = '' + driver = plaintext + server_prompts = : + server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" + server_set_id = $auth2 + ''; + 
authenticators.LOGIN = '' + driver = plaintext + server_prompts = "Username:: : Password::" + server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" + server_set_id = $auth1 + ''; internet-aliases = [ { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } { from = "mail@jla-trading.com"; to = "jla-trading"; } + { from = "testuser@lassul.us"; to = "testuser"; } ]; system-aliases = [ ]; + ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/lassul.us/key.pem"; }; users.users.domsen = { diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 330d8ba86..23f417195 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -167,7 +167,6 @@ rec { pm.max_spare_servers = 3 listen.owner = nginx listen.group = nginx - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes @@ -188,6 +187,7 @@ rec { error_log /tmp/nginx_err.log; error_page 404 /404.html; error_page 500 502 503 504 /50x.html; + client_max_body_size 100m; ''; locations = [ (nameValuePair "/" '' @@ -219,7 +219,6 @@ rec { pm.max_spare_servers = 3 listen.owner = nginx listen.group = nginx - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/lass/2configs/xserver/Xresources.nix b/lass/2configs/xserver/Xresources.nix index 5d3661706..0f04540c3 100644 --- a/lass/2configs/xserver/Xresources.nix +++ b/lass/2configs/xserver/Xresources.nix 
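Review bot: The new `authenticators.PLAIN` and `authenticators.LOGIN` blocks carry no `server_advertise_condition`, so Exim will advertise password authentication on every connection, including unencrypted sessions, even though the hunk only opens port 465 and adds `ssl_cert`/`ssl_key`; add `server_advertise_condition = ''${if def:tls_in_cipher}` to both so credentials are accepted only over TLS (the `''${` escape is needed inside the Nix `''` string, exactly as the `server_condition` lines already do). In the PAM stack, `auth sufficient pam_exec.so debug expose_authtok ${check-password}` keeps `debug` permanently on; dropping it once the setup works avoids extra logging around the call that receives the cleartext password. The service name `exim` is what the `pam{...}` lookups resolve to, which deserves a one-line comment above `security.pam.services.exim.text`, e.g. `# consulted by the exim-smarthost PLAIN/LOGIN authenticators below`. The `in {` attrset this hunk sits in starts and ends outside the hunk.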
@@ -11,7 +11,7 @@ pkgs.writeText "Xresources" '' ! ref https://github.com/muennich/urxvt-perls URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select - URxvt.url-select.launcher: browser-select + URxvt.url-select.launcher: ${config.lass.browser.select}/bin/browser-select URxvt.url-select.underline: true URxvt.keysym.M-u: perl:url-select:select_next URxvt.keysym.M-Escape: perl:keyboard-select:activate diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix index 73b148bf7..0f9b1f84a 100644 --- a/lass/2configs/xserver/default.nix +++ b/lass/2configs/xserver/default.nix 
@@ -1,143 +1,112 @@ -{ config, lib, pkgs, ... }@args: - +{ config, pkgs, ... }@args: with config.krebs.lib; - let - # TODO krebs.build.user - user = config.users.users.mainUser; - - out = { - services.xserver = { - display = 11; - tty = 11; - - synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - }; - - #keyboard stuff - layout = "us"; - xkbVariant = "altgr-intl"; - xkbOptions = "caps:backspace"; + user = config.krebs.build.user; +in { + + environment.systemPackages = [ + pkgs.gitAndTools.qgit + pkgs.mpv + pkgs.sxiv + pkgs.xsel + pkgs.zathura + ]; + + fonts.fonts = [ + pkgs.xlibs.fontschumachermisc + ]; + + services.xserver = { + enable = true; + display = 11; + tty = 11; + + synaptics = { + enable = true; + twoFingerScroll = true; + accelFactor = "0.035"; }; - fonts.fonts = [ - pkgs.xlibs.fontschumachermisc - ]; + layout = "us"; + xkbVariant = "altgr-intl"; + xkbOptions = "caps:backspace"; + }; - systemd.services.urxvtd = { - wantedBy = [ "multi-user.target" ]; - reloadIfChanged = true; - serviceConfig = { - ExecReload = need-reload "urxvtd.service"; - ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd"; - Restart = "always"; - RestartSec = "2s"; - StartLimitBurst = 0; - User = user.name; - }; - }; + systemd.services.display-manager.enable = false; - krebs.per-user.lass.packages = [ - pkgs.rxvt_unicode_with-plugins - ]; + systemd.services.xmonad = { + wantedBy = [ "multi-user.target" ]; + requires = [ "xserver.service" ]; + environment = { + DISPLAY = ":${toString config.services.xserver.display}"; - systemd.services.display-manager.enable = false; + XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" '' + ${pkgs.xorg.xhost}/bin/xhost +LOCAL: & + ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} & + ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & + wait + ''; - services.xserver.enable = true; + XMONAD_STATE = "/tmp/xmonad.state"; - systemd.services.xmonad = { - wantedBy = [ "multi-user.target" ]; - requires = [ 
"xserver.service" ]; - environment = xmonad-environment; - restartIfChanged = true; - serviceConfig = { - ExecStart = "${xmonad-start}/bin/xmonad"; - ExecStop = "${xmonad-stop}/bin/xmonad-stop"; - User = user.name; - WorkingDirectory = user.home; - }; + # XXX JSON is close enough :) + XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ + "dashboard" # we start here + ]); }; - - systemd.services.xserver = { - after = [ - "systemd-udev-settle.service" - "local-fs.target" - "acpid.service" - ]; - reloadIfChanged = true; - environment = xserver-environment; - serviceConfig = { - ExecReload = need-reload "xserver.service"; - ExecStart = "${xserver}/bin/xserver"; - }; + serviceConfig = { + SyslogIdentifier = "xmonad"; + ExecStart = "${pkgs.xmonad-lass}/bin/xmonad"; + ExecStop = pkgs.writeScript "xmonad-stop" '' + #! /bin/sh + ${pkgs.xmonad-lass}/bin/xmonad --shutdown + ${pkgs.coreutils}/bin/sleep 2s + ''; + User = user.name; + WorkingDirectory = user.home; }; }; - xmonad-environment = { - DISPLAY = ":${toString config.services.xserver.display}"; - XMONAD_STATE = "/tmp/xmonad.state"; - - # XXX JSON is close enough :) - XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ - "dashboard" - ]); + systemd.services.xserver = { + after = [ + "systemd-udev-settle.service" + "local-fs.target" + "acpid.service" + ]; + reloadIfChanged = true; + environment = { + XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension. + XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. 
+ LD_LIBRARY_PATH = concatStringsSep ":" ( + [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ] + ++ concatLists (catAttrs "libPath" config.services.xserver.drivers)); + }; + serviceConfig = { + SyslogIdentifier = "xserver"; + ExecReload = "${pkgs.coreutils}/bin/echo NOP"; + ExecStart = toString [ + "${pkgs.xorg.xorgserver}/bin/X" + ":${toString config.services.xserver.display}" + "vt${toString config.services.xserver.tty}" + "-config ${import ./xserver.conf.nix args}" + "-logfile /dev/null -logverbose 0 -verbose 3" + "-nolisten tcp" + "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb" + ]; + }; }; - xmonad-start = pkgs.writeScriptBin "xmonad" '' - #! ${pkgs.bash}/bin/bash - set -efu - export PATH; PATH=${makeSearchPath "bin" ([ - pkgs.rxvt_unicode - ] ++ config.environment.systemPackages)}:/var/setuid-wrappers - settle() {( - # Use PATH for a clean journal - command=''${1##*/} - PATH=''${1%/*}; export PATH - shift - until "$command" "$@"; do - ${pkgs.coreutils}/bin/sleep 1 - done - )&} - settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL: - settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} - settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' - exec ${pkgs.xmonad-lass}/bin/xmonad - ''; - - xmonad-stop = pkgs.writeScriptBin "xmonad-stop" '' - #! /bin/sh - ${pkgs.xmonad-lass}/bin/xmonad --shutdown - ${pkgs.coreutils}/bin/sleep 2s - ''; - - xserver-environment = { - XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension. - XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime. 
- LD_LIBRARY_PATH = concatStringsSep ":" ( - [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ] - ++ concatLists (catAttrs "libPath" config.services.xserver.drivers)); + systemd.services.urxvtd = { + wantedBy = [ "multi-user.target" ]; + reloadIfChanged = true; + serviceConfig = { + SyslogIdentifier = "urxvtd"; + ExecReload = "${pkgs.coreutils}/bin/echo NOP"; + ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd"; + Restart = "always"; + RestartSec = "2s"; + StartLimitBurst = 0; + User = user.name; + }; }; - - xserver = pkgs.writeScriptBin "xserver" '' - #! /bin/sh - set -efu - exec ${pkgs.xorg.xorgserver.out}/bin/X \ - :${toString config.services.xserver.display} \ - vt${toString config.services.xserver.tty} \ - -config ${import ./xserver.conf.nix args} \ - -logfile /var/log/X.${toString config.services.xserver.display}.log \ - -nolisten tcp \ - -xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \ - ''; - - need-reload = s: let - pkg = pkgs.writeScriptBin "need-reload" '' - #! /bin/sh - echo "$*" - ''; - in "${pkg}/bin/need-reload ${s}"; - -in out +} diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index b221d7677..aa159be07 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -118,5 +118,4 @@ fi ''; }; - users.defaultUserShell = "/run/current-system/sw/bin/zsh"; } diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 60370b230..6588ca0d3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,9 +3,11 @@ _: imports = [ ./ejabberd ./folderPerms.nix + ./hosts.nix ./mysql-backup.nix ./umts.nix ./urxvtd.nix + ./usershadow.nix ./wordpress_nginx.nix ./xresources.nix ]; diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix new file mode 100644 index 000000000..f2ff10c06 --- /dev/null +++ b/lass/3modules/hosts.nix 
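Review bot: `${pkgs.xorg.xhost}/bin/xhost +LOCAL:` in `XMONAD_STARTUP_HOOK` grants every local uid on the host, not only `user.name`, unauthenticated access to the display, which on X11 means reading keystrokes and window contents of the whole session; `xhost +SI:localuser:${user.name}` is the narrower grant if only the session owner needs it. `XMONAD_STATE = "/tmp/xmonad.state"` places a file that xmonad later reads back and turns into `--resume` arguments under a predictable name in a world-writable directory, so another local user could plant it before the session starts; a path under `user.home` or `/run/user/<uid>` avoids that. `-logfile /dev/null -logverbose 0` additionally discards the X server log that the removed `xserver` script kept at `/var/log/X.<display>.log`, removing the only record of which modules and drivers the server loaded; if that is deliberate, a comment saying so would help. Both `xhost +LOCAL:` and the `/tmp` state path were present in the removed code as well, so they are inherited rather than introduced here.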
@@ -0,0 +1,12 @@ +{ config, ... }: + +with config.krebs.lib; + +{ + options.lass.hosts = mkOption { + type = types.attrsOf types.host; + default = + filterAttrs (_: host: host.owner.name == "lass") + config.krebs.hosts; + }; +} diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix index 35d8d04a5..4a79311a4 100644 --- a/lass/3modules/owncloud_nginx.nix +++ b/lass/3modules/owncloud_nginx.nix @@ -111,7 +111,6 @@ let pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix index 01adc0409..7daaba89e 100644 --- a/lass/3modules/umts.nix +++ b/lass/3modules/umts.nix @@ -41,10 +41,6 @@ let wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113 - #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09"; - modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; - - # TODO: currently it is only netzclub umts-bin = pkgs.writeScriptBin "umts" '' #!/bin/sh set -euf diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix new file mode 100644 index 000000000..0e7e718a4 --- /dev/null +++ b/lass/3modules/usershadow.nix 
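Review bot: `host.owner.name == "lass"` dereferences `owner` on every entry of `config.krebs.hosts`, so if `owner` can still be unset on some host the whole `lass.hosts` default aborts evaluation instead of filtering that host out; `(host.owner.name or null) == "lass"` tolerates it, or a comment stating that `owner` is now mandatory for every krebs host makes the expectation explicit. The option also has no `description`; `description = "hosts owned by lass, derived from config.krebs.hosts";` would document the contract, since the default expression is currently the only hint of what the attribute set contains.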
@@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + + cfg = config.lass.usershadow; + + out = { + options.lass.usershadow = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "usershadow"; + pattern = mkOption { + type = types.str; + default = "/home/%/.shadow"; + }; + }; + + imp = { + environment.systemPackages = [ usershadow ]; + security.pam.services.sshd.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + + security.pam.services.exim.text = '' + auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; + }; + + usershadow = let { + deps = [ + "pwstore-fast" + "bytestring" + ]; + body = pkgs.writeHaskell "passwords" { + executables.verify = { + extra-depends = deps; + text = '' + import Data.Monoid + import System.IO + import Data.Char (chr) + import System.Environment (getEnv, getArgs) + import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.Exit (exitFailure, exitSuccess) + + main :: IO () + main = do + user <- getEnv "PAM_USER" + shadowFilePattern <- head <$> getArgs + let shadowFile = lhs <> user <> tail rhs + (lhs, rhs) = span (/= '%') shadowFilePattern + hash <- readFile shadowFile + password <- takeWhile (/= (chr 0)) <$> hGetLine stdin + let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) + if res then exitSuccess else exitFailure + ''; + }; + executables.passwd = { + extra-depends = deps; + text = '' + import System.Environment (getEnv) + import Crypto.PasswordStore (makePasswordWith, pbkdf2) + import qualified Data.ByteString.Char8 as BS8 + import System.IO (stdin, hSetEcho, putStr) + + main :: IO () + main = do + home <- getEnv "HOME" + 
putStr "password:" + hSetEcho stdin False + password <- BS8.hGetLine stdin + hash <- makePasswordWith pbkdf2 password 10 + BS8.writeFile (home ++ "/.shadow") hash + ''; + }; + }; + }; + +in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix index 108054cb6..4305a121b 100644 --- a/lass/3modules/wordpress_nginx.nix +++ b/lass/3modules/wordpress_nginx.nix @@ -154,7 +154,6 @@ let pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 3bb88a1a2..96b12b9d4 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -9,7 +9,7 @@ pkgs.writeHaskell "xmonad-lass" { "xmonad-contrib" "xmonad-stockholm" ]; - text = '' + text = /* haskell */ '' {-# LANGUAGE DeriveDataTypeable #-} -- for XS {-# LANGUAGE FlexibleContexts #-} -- for xmonad' {-# LANGUAGE LambdaCase #-} @@ -24,6 +24,7 @@ import Control.Exception import Data.List (isInfixOf) import System.Environment (getArgs, withArgs, getEnv) import System.IO (hPutStrLn, stderr) +import System.Posix.Process (executeFile) import Text.Read (readEither) import XMonad.Actions.CopyWindow (copy, kill1) import XMonad.Actions.CycleWS (toggleWS) 
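Review bot: `verify` splices the raw `PAM_USER` value into the shadow path (`lhs <> user <> tail rhs`) with no check for path separators, and pam_exec runs it as root, so a login name containing `/` or `..` selects an arbitrary readable file as the hash to verify against; reject such names before `readFile`, e.g. `when (elem '/' user || user == "." || user == "..") exitFailure` (needs `Control.Monad (when)`). `makePasswordWith pbkdf2 password 10` together with the `(2^)` strength function in `verify` means 2^10 = 1024 PBKDF2 iterations, which is far below what is recommended for password hashing today; choose a strength in the high teens and record the choice in a comment so the two executables stay in sync. `BS8.writeFile (home ++ "/.shadow") hash` creates the file with the caller's umask, so the hash can end up world-readable; set the mode to 0600 (`setFileMode`) right after writing. Finally, `account required pam_permit.so` for both `sshd` and `exim` means the system shadow's lock/expiry state is no longer consulted for these services; if that is intended, a comment above the `security.pam.services` blocks should say so.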
@@ -41,12 +42,13 @@ import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNext import XMonad.Layout.NoBorders (smartBorders) import XMonad.Prompt (autoComplete, searchPredicate, XPConfig) import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy) -import XMonad.Stockholm.Shutdown (sendShutdownEvent, handleShutdownEvent) import XMonad.Util.EZConfig (additionalKeysP) +import XMonad.Layout.SimpleFloat (simpleFloat) +import XMonad.Stockholm.Shutdown -myTerm :: String -myTerm = "${pkgs.rxvt_unicode}/bin/urxvtc" +urxvtcPath :: FilePath +urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc" myFont :: String myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*" @@ -62,12 +64,14 @@ mainNoArgs = do xmonad' $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ") $ def - { terminal = myTerm + { terminal = urxvtcPath , modMask = mod4Mask , workspaces = workspaces0 , layoutHook = smartBorders $ myLayoutHook , manageHook = placeHook (smart (1,0)) <+> floatNextHook - , startupHook = spawn "echo emit XMonadStartup" + , startupHook = do + path <- liftIO (getEnv "XMONAD_STARTUP_HOOK") + forkFile path [] Nothing , normalBorderColor = "#1c1c1c" , focusedBorderColor = "#f000b0" , handleEventHook = handleShutdownEvent @@ -75,7 +79,7 @@ mainNoArgs = do myLayoutHook = defLayout where - defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) + defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO () 
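Review bot: `path <- liftIO (getEnv "XMONAD_STARTUP_HOOK")` throws an `isDoesNotExistError` when the variable is unset, and since it runs inside `startupHook` that failure surfaces as an exception at the worst possible point of window-manager startup rather than as a skipped hook; `lookupEnv` plus `mapM_ (\p -> forkFile p [] Nothing)` degrades gracefully when the service is started outside the systemd unit that sets the variable. `forkFile ... Nothing` also hands the hook xmonad's complete environment, which is fine for the current script but worth a comment (`-- hook inherits our full environment`) so a future hook author knows what it sees. `forkFile` itself is defined in a later hunk of this file.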
@@ -83,7 +87,7 @@ xmonad' conf = do path <- getEnv "XMONAD_STATE" try (readFile path) >>= \case Right content -> do - hPutStrLn stderr ("resuming from " ++ path ++ "; state = " ++ show content) + hPutStrLn stderr ("resuming from " ++ path) withArgs ("--resume" : lines content) (xmonad conf) Left e -> do hPutStrLn stderr (displaySomeException e) @@ -107,7 +111,7 @@ displaySomeException = displayException myKeyMap :: [([Char], X ())] myKeyMap = - [ ("M4-<F11>", spawn "i3lock -i /var/lib/wallpaper/wallpaper -f") + [ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f") , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type") , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 +4%") , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 -4%") @@ -123,8 +127,8 @@ myKeyMap = , ("M4-S-<Backspace>", removeEmptyWorkspace) , ("M4-S-c", kill1) , ("M4-<Esc>", toggleWS) - , ("M4-S-<Enter>", spawn myTerm) - , ("M4-x", floatNext True >> spawn myTerm) + , ("M4-S-<Enter>", spawn urxvtcPath) + , ("M4-x", floatNext True >> spawn urxvtcPath) , ("M4-f", floatNext True) , ("M4-b", sendMessage ToggleStruts) @@ -141,6 +145,10 @@ myKeyMap = , ("M4-S-q", return ()) ] +forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X () +forkFile path args env = + xfork (executeFile path False args env) >> return () + autoXPConfig :: XPConfig autoXPConfig = def { autoComplete = Just 5000 @@ -159,8 +167,6 @@ gridConfig = def , gs_navigate = navNSearch , gs_font = myFont } - ''; }; } - diff --git a/lib/default.nix b/lib/default.nix index 6c607f13b..1f5010853 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -1,6 +1,10 @@ let lib = import <nixpkgs/lib> // builtins // { shell = import ./shell.nix { inherit lib; }; + + eq = x: y: x == y; + ne = x: y: x != y; + mod = x: y: x - y * (x / y); }; in diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 642593fc4..85ac23e9d 100644 
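Review bot: `mod = x: y: x - y * (x / y);` inherits Nix's truncating integer division, so for a negative dividend the result takes the sign of `x` (`mod (-7) 3` is `-1`, not `2`), and `mod x 0` raises a division-by-zero error; a comment on that line, `# truncated remainder: sign follows x; y must be non-zero`, prevents callers expecting a floored modulo from being surprised. `eq` and `ne` are bare wrappers of `==`/`!=` and could carry a short note on why they exist (presumably for partial application in `filter`/`all`), since the names alone do not say.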
--- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -24,7 +24,7 @@ with config.krebs.lib; # stockholm gnumake hashPassword - haskellPackages.lentil + #haskellPackages.lentil parallel (pkgs.writeBashBin "im" '' export PATH=${makeSearchPath "bin" (with pkgs; [ @@ -60,7 +60,7 @@ with config.krebs.lib; pass q qrencode - texLive + #texLive tmux #ack @@ -138,6 +138,11 @@ with config.krebs.lib; fsType = "btrfs"; options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; + "/bku" = { + device = "/dev/mapper/xuvga-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; "/home" = { device = "/dev/mapper/xuvga-home"; fsType = "btrfs"; diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index db1bfe5a2..442d7370a 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with config.krebs.lib; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "2568ee3d73bdebd6bab6739adf8a900f3429c8e6"; + ref = "354fd3728952c229fee4f2924737c601d7ab4725"; }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; @@ -37,6 +37,7 @@ with config.krebs.lib; # stockholm dependencies environment.systemPackages = with pkgs; [ git + populate ]; } { @@ -53,6 +54,7 @@ with config.krebs.lib; }; } { + security.hideProcessInformation = true; security.sudo.extraConfig = '' Defaults env_keep+="SSH_CLIENT" Defaults mailto="${config.krebs.users.tv.mail}" @@ -63,13 +65,13 @@ with config.krebs.lib; { # TODO check if both are required: - nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; + nix.sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ]; nix.requireSignedBinaryCaches = true; nix.binaryCaches = ["https://cache.nixos.org"]; - nix.useChroot = true; + nix.useSandbox = true; } { nixpkgs.config.allowUnfree = false; diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix index c5a3485a2..6cc295dc5 100644 --- a/tv/2configs/hw/x220.nix 
+++ b/tv/2configs/hw/x220.nix @@ -5,7 +5,7 @@ ../smartd.nix ]; - boot.loader.gummiboot.enable = true; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; networking.wireless.enable = true; @@ -13,6 +13,8 @@ # Required for Centrino. hardware.enableAllFirmware = true; + hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; + hardware.trackpoint = { enable = true; sensitivity = 220; @@ -41,6 +43,5 @@ services.xserver = { videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; }; } diff --git a/tv/2configs/man.nix b/tv/2configs/man.nix index a84e60b73..6534e2c0e 100644 --- a/tv/2configs/man.nix +++ b/tv/2configs/man.nix @@ -1,10 +1,10 @@ { config, lib, pkgs, ... }: { - environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} '' - ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out ' - s:^NROFF\t.*:& -Wbreak: - ' - ''; + #environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} '' + # ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out ' + # s:^NROFF\t.*:& -Wbreak: + # ' + #''; environment.systemPackages = with pkgs; [ manpages posix_man_pages diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index c81723b20..89937d702 100644 --- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -31,6 +31,7 @@ with config.krebs.lib; ## other + https://nixos.org/channels/nixos-16.09/git-revision https://nixos.org/channels/nixos-unstable/git-revision ## 2014-10-17 diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 86c5d05d6..16f540488 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -21,7 +21,7 @@ let src = pkgs.fetchgit { url = https://github.com/vito-c/jq.vim; rev = "99d55a300047946a82ecdd7617323a751199ad2d"; - sha256 = "00mmwg4swwmllknzzx07af080lcy7y5i6341rc6c08i2vka48nv9"; + sha256 = "09c94nah47wx0cr556w61h6pfznxld18pfblc3nv51ivbw7cjqyx"; }; }) (pkgs.vimUtils.buildVimPlugin { 
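Review bot: the `sha256` of the `fetchgit` for `vito-c/jq.vim` changes while `rev` stays at `99d55a30…`, and for a fixed-output fetch that should only happen when the fetcher's output layout changed (plausibly through the nixpkgs bump elsewhere in this commit) or when the hash was simply re-recorded from whatever was downloaded; nothing in the hunk says which. A same-rev hash swap is exactly what a tampered mirror or man-in-the-middle would look like, so the commit message or a trailing comment (`# hash changed with nixpkgs bump, rev unchanged`) should record how the new value was obtained, ideally after confirming it against an independent fetch of the same revision.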
diff --git a/tv/5pkgs/q/default.nix b/tv/5pkgs/q/default.nix index b19402fa4..f923950f0 100644 --- a/tv/5pkgs/q/default.nix +++ b/tv/5pkgs/q/default.nix @@ -178,6 +178,11 @@ in pkgs.writeBashBin "q" '' set -eu export PATH=/var/empty + (${q-todo}) || : + if [ "$PWD" != "$HOME" ]; then + (HOME=$PWD; ${q-todo}) || : + fi + echo ${q-cal} echo ${q-isodate} @@ -189,8 +194,4 @@ pkgs.writeBashBin "q" '' (${q-online}) & (${q-thermal_zone}) & wait - ${q-todo} - if [ "$PWD" != "$HOME" ]; then - (HOME=$PWD; ${q-todo}) - fi '' |