-rw-r--r--krebs/3modules/makefu/default.nix32
-rw-r--r--makefu/1systems/pornocauster.nix30
-rw-r--r--makefu/2configs/default.nix5
-rw-r--r--makefu/2configs/exim-retiolum.nix3
-rw-r--r--makefu/2configs/git/cgit-retiolum.nix3
-rw-r--r--makefu/2configs/omo-share.nix8
-rw-r--r--makefu/2configs/steam.nix6
-rw-r--r--makefu/2configs/temp-share-samba.nix28
-rw-r--r--makefu/5pkgs/default.nix1
-rw-r--r--makefu/5pkgs/skytraq-logger/default.nix31
l---------makefu/5pkgs/skytraq-logger/result1
-rw-r--r--tv/2configs/xserver/default.nix221
-rw-r--r--tv/5pkgs/ff/default.nix10
13 files changed, 243 insertions, 136 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index a6d4597f7..7d4bef9ad 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -270,8 +270,8 @@ with config.krebs.lib;
'';
};
};
- ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
+ #ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
};
wbob = rec {
cores = 1;
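Review bot: The `ssh.privkey.path` and `ssh.pubkey` lines are commented out instead of deleted, so the retired ed25519 public key for root@servarch stays in the module as dead text that someone can re-enable later without knowing why it was disabled. If the key is simply no longer managed here, remove both lines; if it was replaced because the private key was exposed, the old public key also has to be purged from the known_hosts of every peer that learned it through this module, which commenting it out does not do. A short comment in place of the two lines, e.g. `# no managed ssh host key for this host; key retired, see commit log`, would record the intent. The enclosing host attribute set starts before the hunk.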
@@ -409,6 +409,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
aliases = [
"heidi.r"
+ "heidi.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -424,6 +425,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
+
soundflower = rec {
cores = 1;
nets = {
@@ -594,7 +596,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
};
};
};
-
+ } // { # hosts only maintained in stockholm, not owned by me
+ tpsw = {
+ cores = 2;
+ owner = config.krebs.users.ciko; # main laptop
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.183.236";
+ ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c";
+ aliases = [ "tpsw.r" "tpsw.retiolum" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAvwYPFAINwV0EH0myFpNzRjVbqXdAmJP616C5JvODklhZWJxFxlKJ
+ Poczl57j2Z+4bonkTrJmsNtSaQLPKYH4H1qfo/lwz7nqEpPi3Xp4Fgts23w36eML
+ WBvbw0fQO9R8zZJIIdRkJ2qqlhZiTlor1Gtlm8Z1RmpKkhL9O6Yzj94VhGLhABVl
+ OsaF2M3PgXJMiLry67jzbAs3+mVaT3iBTzWOaOyREjKQEUg9B9IDxrmZMSWqdXZM
+ 0wfzaCjS40jD73m7tqi7W3tXzAUP4mEeUqkC+NC2Zgm/lJ5B1KPx7AyNqtRLsBLd
+ pIdJs6ng63WV1fyHYUWMYqZk9zB/tQ0b0wIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
};
users = rec {
makefu = {
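Review bot: The new `tpsw` entry carries a tinc public key but no `ssh.pubkey`, unlike the other hosts defined in this set; if that is deliberate because the host is administered by its owner rather than from stockholm, say so next to `owner`, e.g. `# no ssh host key: host is not administered from here`, so the missing attribute is not later read as an omission. The `} // {` merge also lets a right-hand host silently shadow a left-hand host with the same name, so anyone adding to the "not owned by me" set needs to check the name is not already defined above, since Nix will not report the collision. The addresses and RSA key are accepted as supplied by the owner, which is normal for the mesh, but the comment should make clear they were not verified here.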
@@ -615,6 +638,9 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
inherit (makefu) mail pgp;
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob";
};
+ ciko = {
+ mail = "wieczorek.stefan@googlemail.com";
+ };
exco = {
mail = "dickbutt@excogitation.de";
pubkey = "ssh-rsa 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 dickbutt@excogitation.de";
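Review bot: The new `ciko` user declares only `mail`, while `exco` directly below and the user above both carry a `pubkey`; if any krebs module maps users to authorized SSH keys or git access, evaluating `config.krebs.users.ciko.pubkey` will fail with a missing-attribute error instead of simply denying access. If ciko is intentionally key-less because the entry exists only to record ownership of tpsw, a one-line comment such as `# owner record only: no ssh pubkey, no access to makefu hosts` would document that and stop a later maintainer from "fixing" it. The enclosing users set continues outside the hunk.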
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 88c187758..fa39b121c 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -26,6 +26,7 @@
# services
../2configs/git/brain-retiolum.nix
../2configs/tor.nix
+ ../2configs/steam.nix
# ../2configs/buildbot-standalone.nix
# hardware specifics are in here
@@ -35,23 +36,36 @@
# ../2configs/mediawiki.nix
#../2configs/wordpress.nix
../2configs/nginx/public_html.nix
+
+ # temporary modules
+ # ../2configs/temp/share-samba.nix
+ # ../2configs/temp/elkstack.nix
+ # ../2configs/temp/sabnzbd.nix
];
+
krebs.nginx = {
default404 = false;
servers.default.listen = [ "80 default_server" ];
servers.default.server-names = [ "_" ];
};
- krebs.retiolum.enable = true;
- # steam
- hardware.opengl.driSupport32Bit = true;
- hardware.pulseaudio.support32Bit = true;
+
+ environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
+
+ virtualisation.docker.enable = true;
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [
- 25
- 80
- ];
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.allowedUDPPorts = [ 665 ];
krebs.build.host = config.krebs.hosts.pornocauster;
+
+ krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
+ krebs.retiolum = {
+ enable = true;
+ connectTo = [ "omo" "gum" "prism" ];
+ };
+ networking.extraHosts = ''
+ 192.168.1.11 omo.local
+ '';
}
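Review bot: `networking.firewall.allowedUDPPorts = [ 665 ]` opens an unexplained UDP port on every interface; tinc's default port is 655, so if this is meant for retiolum it may be a typo, and in either case the line needs a comment naming the service, e.g. `networking.firewall.allowedUDPPorts = [ 665 ]; # <service>`. `virtualisation.docker.enable = true` also creates the docker group, whose members can obtain root on the host through the daemon socket, so membership on this machine should be limited to the intended account. The `# configure pulseAudio to provide a HDMI sink as well` comment now sits above the firewall block, which it no longer describes, and should move or go.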
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index afdeec40e..62daed8be 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -22,7 +22,7 @@ with config.krebs.lib;
source = mapAttrs (_: mkDefault) {
nixpkgs = {
url = https://github.com/nixos/nixpkgs;
- rev = "40c586b7ce2c559374df435f46d673baf711c543"; # unstable @ 2016-02-27, tested on wry
+ rev = "63b9785"; # stable @ 2016-06-01
};
secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/";
stockholm = "/home/makefu/stockholm";
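Review bot: `rev = "63b9785"` replaces a full 40-character commit id with a 7-character abbreviation, which is not a unique identifier: it resolves to whatever object currently matches the prefix, becomes ambiguous as nixpkgs grows, and a colliding prefix is cheap to produce, so this pin no longer guarantees which source tree every host builds from. Keep the full hash as the previous line did, e.g. `rev = "<full 40-char sha1>"; # stable @ 2016-06-01`, and keep the date comment so the pin stays auditable. The surrounding `source` attribute set continues outside the hunk.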
@@ -75,7 +75,7 @@ with config.krebs.lib;
systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -"
];
-
+ nix.nixPath = [ "/var/src" ];
environment.variables = {
NIX_PATH = mkForce "/var/src";
EDITOR = mkForce "vim";
@@ -126,6 +126,7 @@ with config.krebs.lib;
nixpkgs.config.packageOverrides = pkgs: {
nano = pkgs.runCommand "empty" {} "mkdir -p $out";
tinc = pkgs.tinc_pre;
+ gnupg1compat = super.gnupg1compat.override { gnupg = self.gnupg21; };
};
services.cron.enable = false;
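Review bot: The added override references `super` and `self`, but the enclosing `packageOverrides = pkgs: { ... }` binds neither name, so evaluation will fail with an undefined-variable error as soon as this attribute is forced. In a `packageOverrides` function the original package set is the `pkgs` argument, so the line should read `gnupg1compat = pkgs.gnupg1compat.override { gnupg = pkgs.gnupg21; };` (the `self: super:` names belong to the overlay form, which this file does not use). The override is also unconditional, so it changes gnupg1compat on every host importing this config; a comment stating why gnupg 2.1 is required would help.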
diff --git a/makefu/2configs/exim-retiolum.nix b/makefu/2configs/exim-retiolum.nix
index 34943f593..910066e0a 100644
--- a/makefu/2configs/exim-retiolum.nix
+++ b/makefu/2configs/exim-retiolum.nix
@@ -2,9 +2,10 @@
with config.krebs.lib;
{
+ networking.firewall.allowedTCPPorts = [ 25 ];
+
krebs.exim-retiolum.enable = true;
environment.systemPackages = with pkgs; [
msmtp
];
-
}
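Review bot: `networking.firewall.allowedTCPPorts = [ 25 ]` opens SMTP on every interface, not only the tinc mesh the module name implies, so any host importing exim-retiolum.nix with a public address now exposes port 25 to the internet unless exim itself is bound exclusively to the retiolum address. If the exim-retiolum module does not restrict its listeners (not visible here), scope the rule to the mesh interface instead of the global port list, either with per-interface firewall options where the NixOS version supports them or with an `extraCommands` rule such as `iptables -A nixos-fw -i retiolum -p tcp --dport 25 -j nixos-fw-accept`. Either way, add a comment stating which interface port 25 is meant to be reachable on.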
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index 0b69dbcaf..44d759488 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -15,6 +15,9 @@ let
tinc_graphs = {
desc = "Tinc Advanced Graph Generation";
};
+ stockholm-init = {
+ desc = "Build new Stockholm hosts";
+ };
cac-api = { };
init-stockholm = {
desc = "Init stuff for stockholm";
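Review bot: The new `stockholm-init` repository sits next to the existing `init-stockholm` entry with a nearly identical description, so a reader of this file cannot tell whether these are two repositories or one that was renamed. If one supersedes the other, drop the obsolete entry; if both are real, make the descriptions distinguish them, e.g. `desc = "Build new Stockholm hosts (replaces init-stockholm)";`. The enclosing repository attribute set starts outside the hunk.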
diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix
index 08bdd4a40..7e9842e14 100644
--- a/makefu/2configs/omo-share.nix
+++ b/makefu/2configs/omo-share.nix
@@ -69,15 +69,15 @@ in {
browseable = "yes";
"guest ok" = "yes";
};
- usenet-rw = {
- path = "/media/crypt0/usenet";
+ crypt0-rw = {
+ path = "/media/crypt0/";
"read only" = "no";
browseable = "yes";
"guest ok" = "no";
"valid users" = "makefu";
};
- emu-rw = {
- path = "/media/crypt1/emu";
+ crypt1-rw = {
+ path = "/media/crypt1/";
"read only" = "no";
browseable = "yes";
"guest ok" = "no";
diff --git a/makefu/2configs/steam.nix b/makefu/2configs/steam.nix
new file mode 100644
index 000000000..d4ec84abf
--- /dev/null
+++ b/makefu/2configs/steam.nix
@@ -0,0 +1,6 @@
+{pkgs, ...}:
+{
+ environment.systemPackages = [ pkgs.steam ];
+ hardware.opengl.driSupport32Bit = true;
+ hardware.pulseaudio.support32Bit = true;
+}
diff --git a/makefu/2configs/temp-share-samba.nix b/makefu/2configs/temp-share-samba.nix
new file mode 100644
index 000000000..5f21e3bf7
--- /dev/null
+++ b/makefu/2configs/temp-share-samba.nix
@@ -0,0 +1,28 @@
+{config, ... }:{
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/var/empty";
+ };
+ services.samba = {
+ enable = true;
+ shares = {
+ share-home = {
+ path = "/home/share/";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
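Review bot: `share-home` is exported guest-writable (`"guest ok" = "yes"` together with `"read only" = "no"`), and `map to guest = bad user` turns every unknown username into that guest, so any client that can reach the SMB port can create or overwrite files under `/home/share/`; nothing in the file limits which networks or interfaces samba serves. Even for a temporary share, add `hosts allow = <lan prefix>` and `interfaces = <lan iface>` with `bind interfaces only = yes` to `extraConfig`, and keep the SMB ports closed on every other interface in the host firewall. Note also that pornocauster.nix references this module as `../2configs/temp/share-samba.nix`, which is a different path from `temp-share-samba.nix`, so that commented import will not resolve when it is re-enabled.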
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index 9cd2629de..6d227fa6d 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -13,6 +13,7 @@ in
nodemcu-uploader = callPackage ./nodemcu-uploader {};
tw-upload-plugin = callPackage ./tw-upload-plugin {};
inherit (callPackage ./devpi {}) devpi-web devpi-server;
+ skytraq-logger = callPackage ./skytraq-logger/ {};
taskserver = callPackage ./taskserver {};
};
}
diff --git a/makefu/5pkgs/skytraq-logger/default.nix b/makefu/5pkgs/skytraq-logger/default.nix
new file mode 100644
index 000000000..1ad81594a
--- /dev/null
+++ b/makefu/5pkgs/skytraq-logger/default.nix
@@ -0,0 +1,31 @@
+{ stdenv, lib, pkgs, fetchFromGitHub, ... }:
+stdenv.mkDerivation rec {
+ name = "skytraq-datalogger-${version}";
+ version = "4966a8";
+ src = fetchFromGitHub {
+ owner = "makefu";
+ repo = "skytraq-datalogger";
+ rev = version ;
+ sha256 = "1qaszrs7638kc9x4qq4m1yxqmk8jw7wajywvdk4wc2i007p89v3y";
+ };
+ buildFlags = "CC=gcc";
+ makeFlags = "PREFIX=bin/ DESTDIR=$(out)";
+
+ preInstall = ''
+ mkdir -p $out/bin
+ '';
+ #patchPhase = ''
+ # sed -i -e 's#/usr/bin/gcc#gcc#' -e Makefile
+ #'';
+
+ buildInputs = with pkgs;[
+ curl
+ gnugrep
+ ];
+
+ meta = {
+ homepage = http://github.com/makefu/skytraq-datalogger;
+ description = "datalogger for skytraq";
+ license = lib.licenses.gpl2;
+ };
+}
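Review bot: `version = "4966a8"` is a 6-character commit prefix used both as the package version and as the fetchFromGitHub `rev`; the sha256 still pins the content, but the prefix is not a stable identifier and `skytraq-datalogger-4966a8` is not an orderable version, so use the full commit hash for `rev` and, if desired, a date-style `version` for the name. The derivation also reaches into `pkgs` for `curl` and `gnugrep` instead of taking them as callPackage arguments, e.g. `{ stdenv, lib, fetchFromGitHub, curl, gnugrep }:`, which is what keeps package overrides working; the commented-out `patchPhase` should be deleted rather than kept, and `homepage` should use https. The sibling `result` symlink added in this commit is a local build artifact pointing into /nix/store and should be removed and listed in .gitignore.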
diff --git a/makefu/5pkgs/skytraq-logger/result b/makefu/5pkgs/skytraq-logger/result
new file mode 120000
index 000000000..b132d6257
--- /dev/null
+++ b/makefu/5pkgs/skytraq-logger/result
@@ -0,0 +1 @@
+/nix/store/xpwdwpw2nkgi16yhpxin2kivaz7z588h-skytraq-datalogger-4966a8 \ No newline at end of file
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index b5b116786..965c3bbe1 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -1,135 +1,126 @@
-{ config, lib, pkgs, ... }@args:
-
+{ config, pkgs, ... }@args:
with config.krebs.lib;
-
let
# TODO krebs.build.user
user = config.users.users.tv;
+in {
+
+ environment.systemPackages = [
+ pkgs.ff
+ pkgs.gitAndTools.qgit
+ pkgs.mpv
+ pkgs.sxiv
+ pkgs.xsel
+ pkgs.zathura
+ ];
+
+ fonts.fonts = [
+ pkgs.xlibs.fontschumachermisc
+ ];
+
+ # TODO dedicated group, i.e. with a single user [per-user-setuid]
+ # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
+ krebs.setuid.slock = {
+ filename = "${pkgs.slock}/bin/slock";
+ group = "wheel";
+ envp = {
+ DISPLAY = ":${toString config.services.xserver.display}";
+ USER = user.name;
+ };
+ };
- out = {
- services.xserver.display = 11;
- services.xserver.tty = 11;
+ services.xserver = {
+ enable = true;
+ display = 11;
+ tty = 11;
- services.xserver.synaptics = {
+ synaptics = {
enable = true;
twoFingerScroll = true;
accelFactor = "0.035";
};
+ };
- fonts.fonts = [
- pkgs.xlibs.fontschumachermisc
- ];
-
- systemd.services.urxvtd = {
- wantedBy = [ "multi-user.target" ];
- reloadIfChanged = true;
- serviceConfig = {
- ExecReload = need-reload "urxvtd.service";
- ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
- Restart = "always";
- RestartSec = "2s";
- StartLimitBurst = 0;
- User = user.name;
- };
+ systemd.services.display-manager.enable = false;
+
+ systemd.services.xmonad = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "xserver.service" ];
+ environment = {
+ DISPLAY = ":${toString config.services.xserver.display}";
+
+ XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+ ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+ ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
+ ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
+ ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+ wait
+ '';
+
+ XMONAD_STATE = "/tmp/xmonad.state";
+
+ # XXX JSON is close enough :)
+ XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+ "Dashboard" # we start here
+ "23"
+ "cr"
+ "ff"
+ "hack"
+ "im"
+ "mail"
+ "stockholm"
+ "za" "zh" "zj" "zs"
+ ]);
};
-
- environment.systemPackages = [
- pkgs.ff
- pkgs.gitAndTools.qgit
- pkgs.mpv
- pkgs.sxiv
- pkgs.xsel
- pkgs.zathura
- ];
-
- # TODO dedicated group, i.e. with a single user
- # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
- krebs.setuid.slock = {
- filename = "${pkgs.slock}/bin/slock";
- group = "wheel";
- envp = {
- DISPLAY = ":${toString config.services.xserver.display}";
- USER = user.name;
- };
+ serviceConfig = {
+ SyslogIdentifier = "xmonad";
+ ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
+ ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
+ User = user.name;
+ WorkingDirectory = user.home;
};
+ };
- systemd.services.display-manager.enable = false;
-
- services.xserver.enable = true;
-
- systemd.services.xmonad = {
- wantedBy = [ "multi-user.target" ];
- requires = [ "xserver.service" ];
- environment = xmonad-environment;
- serviceConfig = {
- ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
- ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
- User = user.name;
- WorkingDirectory = user.home;
- };
+ systemd.services.xserver = {
+ after = [
+ "systemd-udev-settle.service"
+ "local-fs.target"
+ "acpid.service"
+ ];
+ reloadIfChanged = true;
+ environment = {
+ XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
+ XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
+ LD_LIBRARY_PATH = concatStringsSep ":" (
+ [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
+ ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
};
-
- systemd.services.xserver = {
- after = [
- "systemd-udev-settle.service"
- "local-fs.target"
- "acpid.service"
+ serviceConfig = {
+ SyslogIdentifier = "xserver";
+ ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+ ExecStart = toString [
+ "${pkgs.xorg.xorgserver}/bin/X"
+ ":${toString config.services.xserver.display}"
+ "vt${toString config.services.xserver.tty}"
+ "-config ${import ./xserver.conf.nix args}"
+ "-logfile /dev/null -logverbose 0 -verbose 3"
+ "-nolisten tcp"
+ "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
];
- reloadIfChanged = true;
- environment = xserver-environment;
- serviceConfig = {
- ExecReload = need-reload "xserver.service";
- ExecStart = toString [
- "${pkgs.xorg.xorgserver}/bin/X"
- ":${toString config.services.xserver.display}"
- "vt${toString config.services.xserver.tty}"
- "-config ${import ./xserver.conf.nix args}"
- "-logfile /var/log/X.${toString config.services.xserver.display}.log"
- "-nolisten tcp"
- "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
- ];
- };
};
};
- xmonad-environment = {
- DISPLAY = ":${toString config.services.xserver.display}";
-
- XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
- ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
- ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
- ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
- ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
- wait
- '';
-
- XMONAD_STATE = "/tmp/xmonad.state";
-
- # XXX JSON is close enough :)
- XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
- "Dashboard" # we start here
- "23"
- "cr"
- "ff"
- "hack"
- "im"
- "mail"
- "stockholm"
- "za" "zh" "zj" "zs"
- ]);
- };
-
- xserver-environment = {
- XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
- XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
- LD_LIBRARY_PATH = concatStringsSep ":" (
- [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
- ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
+ systemd.services.urxvtd = {
+ wantedBy = [ "multi-user.target" ];
+ reloadIfChanged = true;
+ serviceConfig = {
+ SyslogIdentifier = "urxvtd";
+ ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+ ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+ Restart = "always";
+ RestartSec = "2s";
+ StartLimitBurst = 0;
+ User = user.name;
+ };
};
-
- need-reload = s: toString [
- "${pkgs.writeDashBin "need-reload" ''echo "$*"''}/bin/need-reload"
- (shell.escape s)
- ];
-
-in out
+}
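Review bot: `XMONAD_STATE = "/tmp/xmonad.state"` is a fixed name in the shared, world-writable /tmp, so any other local account can pre-create or symlink that path before xmonad starts and influence what the session reads or overwrites; this matters more here because the startup hook runs `xhost +LOCAL:`, which already lets every local uid attach to the display. If xmonad-tv writes that file, point it at a per-user location such as `XMONAD_STATE = "/run/user/${toString user.uid}/xmonad.state";` (assuming `user.uid` is set for tv; XDG_RUNTIME_DIR otherwise) and consider narrowing the grant to `xhost +si:localuser:${user.name}`. `ExecReload = "${pkgs.coreutils}/bin/echo NOP"` on both xserver and urxvtd together with `reloadIfChanged = true` means configuration changes to these units are acknowledged but never applied until a manual restart; if that is deliberate, a comment such as `# reload is a no-op: changes take effect on the next restart` would prevent surprise.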
diff --git a/tv/5pkgs/ff/default.nix b/tv/5pkgs/ff/default.nix
index 2db404030..b1d2c579a 100644
--- a/tv/5pkgs/ff/default.nix
+++ b/tv/5pkgs/ff/default.nix
@@ -1,8 +1,12 @@
{ pkgs, ... }:
-pkgs.writeScriptBin "ff" ''
- #! ${pkgs.bash}/bin/bash
- exec sudo -u ff -i <<EOF
+# TODO use krebs.setuid
+# This requires that we can create setuid executables that can only be accessed
+# by a single user. [per-user-setuid]
+
+# using bash for %q
+pkgs.writeBashBin "ff" ''
+ exec /var/setuid-wrappers/sudo -u ff -i <<EOF
exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
EOF
''
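Review bot: The `printf " %q"` quoting is only correct if the shell that reads the heredoc, i.e. the login shell of user `ff` started by `sudo -u ff -i`, is bash: `%q` can emit `$'...'` escapes that a POSIX sh or dash login shell interprets differently, so a crafted argument could then break out of the quoting and run as `ff`. The new `# using bash for %q` comment describes the outer wrapper, not the receiving shell. Pass the arguments positionally instead of re-quoting them through a heredoc, e.g. `exec /var/setuid-wrappers/sudo -u ff -H ${pkgs.bash}/bin/bash -c 'exec ${pkgs.firefoxWrapper}/bin/firefox "$@"' ff "$@"`, or document that ff's login shell is guaranteed to be bash. The switch to the absolute setuid-wrapper path for sudo is a good change.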