diff options
33 files changed, 66 insertions, 747 deletions
@@ -1,6 +1,6 @@ # usage: nix-instantiate --eval --json --read-write-mode --strict ci.nix | jq . -with import ./lib; let + lib = pkgs.lib; pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; }; system = import <nixpkgs/nixos/lib/eval-config.nix> { @@ -16,9 +16,9 @@ let } ; - ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts; + ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts; build = host: owner: - ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-build";}); + ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${builtins.getEnv "HOME"}/stockholm-build";}); -in mapAttrs (n: h: build n h.owner.name) ci-systems +in lib.mapAttrs (n: h: build n h.owner.name) ci-systems diff --git a/flake.lock b/flake.lock index b11c289b4..c7b051683 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1760516981, - "narHash": "sha256-4AYTAH7WDL6C6WKktc9UEQRiav6oPzVpKuFWRyYeuTQ=", + "lastModified": 1768927382, + "narHash": "sha256-qdmb8Pm73PADLgO8Q06QfyPbEQS6el9Si+dGQc3TB1I=", "owner": "Mic92", "repo": "buildbot-nix", - "rev": "01dfc9a07c070092e3187be8edbd2243a9e301a5", + "rev": "eb4e904a8dc1aa12a964752e4fd9977c6aead724", "type": "github" }, "original": { @@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1768135262, + "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", "type": "github" }, "original": { @@ -71,11 +71,11 @@ ] }, "locked": { - "lastModified": 1758022363, - "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=", + "lastModified": 1768476106, + "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "1a3667d33e247ad35ca250698d63f49a5453d824", + "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb", "type": "github" }, "original": { @@ -87,7 +87,9 @@ "nix-writers": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1677612737, @@ -105,26 +107,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1677608380, - "narHash": "sha256-k82O23qBAK+43X0KSBjsMYXG2x4kWWXeAmpPTc2KRGY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4aba90e89f6d4ac6138939961f62842bd94ec929", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1768886240, + "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0", "type": "github" }, "original": { @@ -138,7 +125,7 @@ "inputs": { "buildbot-nix": "buildbot-nix", "nix-writers": "nix-writers", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" } }, "treefmt-nix": { @@ -149,11 +136,11 @@ ] }, "locked": { - "lastModified": 1758728421, - "narHash": "sha256-ySNJ008muQAds2JemiyrWYbwbG+V7S5wg3ZVKGHSFu8=", + "lastModified": 1768158989, + "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "5eda4ee8121f97b218f7cc73f5172098d458f1d1", + "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca", "type": "github" }, "original": { @@ -2,6 +2,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nix-writers.url = "git+https://cgit.krebsco.de/nix-writers"; + nix-writers.inputs.nixpkgs.follows = "nixpkgs"; # disko.url = "github:nix-community/disko"; # disko.inputs.nixpkgs.follows = "nixpkgs"; buildbot-nix.url = "github:Mic92/buildbot-nix"; diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index 9df79afbf..e92aeec93 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -251,6 +251,8 @@ in { wikisearch IN A ${nets.internet.ip4.addr} work.euer IN A ${nets.internet.ip4.addr} shop.euer IN A ${nets.internet.ip4.addr} + matrix.euer IN A ${nets.internet.ip4.addr} + element.euer IN A ${nets.internet.ip4.addr} mediengewitter IN CNAME over.dose.io. nixos.unstable IN CNAME krebscode.github.io. diff --git a/kartei/tv/hosts/fu.nix b/kartei/tv/hosts/fu.nix index f33da59c9..c3f2f9297 100644 --- a/kartei/tv/hosts/fu.nix +++ b/kartei/tv/hosts/fu.nix @@ -20,5 +20,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8T+2Oe6qCE0uEb9H7CWZengyhHK30NelmYmpI4Umpm root@fu"; - syncthing.id = "F5B3EPT-OEOFYMV-GATESYO-727M6R4-YBXGW6Q-SG3QWC7-PPVFX4C-AY4UKAJ"; } diff --git a/kartei/tv/hosts/leg.nix b/kartei/tv/hosts/leg.nix index c09749302..5841c72d5 100644 --- a/kartei/tv/hosts/leg.nix +++ b/kartei/tv/hosts/leg.nix @@ -23,5 +23,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg"; - syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU"; } diff --git a/kartei/tv/hosts/pi.nix b/kartei/tv/hosts/pi.nix index 991bc0086..cfcc71a28 100644 --- a/kartei/tv/hosts/pi.nix +++ b/kartei/tv/hosts/pi.nix @@ -1,4 +1,3 @@ { nets.wiregrill.ip4.addr = "10.244.3.102"; - syncthing.id = "NLR6FLV-2MJQSZ6-4M5QBBB-X2UM225-YGB6IYW-F2EGFV6-D7ZDCWY-27EQAAM"; } diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix index 4d312105f..abbcc08dc 100644 --- a/kartei/tv/hosts/zoppo.nix +++ b/kartei/tv/hosts/zoppo.nix @@ -20,5 +20,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo"; - syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ"; } diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 91071ec85..655192077 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -5,6 +5,17 @@ ../../../krebs ../../../krebs/2configs ../../../krebs/2configs/nginx.nix + { + # Cherry-pick services.nginx.recommendedTlsSettings to fix: + # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform + services.nginx.recommendedTlsSettings = lib.mkForce false; + services.nginx.appendHttpConfig = '' + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_prefer_server_ciphers off; + ''; + } ../../../krebs/2configs/binary-cache/nixos.nix ../../../krebs/2configs/ircd.nix diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 0c361cc42..8e03e3b52 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -31,7 +31,7 @@ ../../2configs/shack/ssh-keys.nix # drivedroid.shack for shackphone - ../../2configs/shack/drivedroid.nix + #../../2configs/shack/drivedroid.nix (FIXME error: attribute 'drivedroid-gen-repo' missing) # ../../2configs/shack/nix-cacher.nix # Say if muell will be collected @@ -70,7 +70,7 @@ # ../../2configs/shack/share.nix # mobile.lounge.mpd.shack - ../../2configs/shack/mobile.mpd.nix + #../../2configs/shack/mobile.mpd.nix (FIXME Compatibility with CMake < 3.5 has been removed from CMake.) # hass.shack ../../2configs/shack/glados diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 32452e010..c51d3c651 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -19,7 +19,6 @@ with import ../../lib/pure.nix { inherit lib; }; enable = true; repos = { disko.urls = [ - "http://cgit.gum.r/disko" "http://cgit.ni.r/disko" "http://cgit.orange.r/disko" ]; @@ -33,7 +32,6 @@ with import ../../lib/pure.nix { inherit lib; }; "http://cgit.orange.r/nix-writers" ]; stockholm.urls = [ - "http://cgit.gum.r/stockholm" "http://cgit.ni.r/stockholm" "http://cgit.orange.r/stockholm" ]; diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix index a797673c9..937a20c29 100644 --- a/krebs/2configs/hw/x220.nix +++ b/krebs/2configs/hw/x220.nix @@ -17,8 +17,8 @@ }; hardware.opengl.extraPackages = [ - pkgs.vaapiIntel - pkgs.vaapiVdpau + pkgs.intel-vaapi-driver + pkgs.libva-vdpau-driver ]; services.xserver = { diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index e7d348d50..600f7cd6d 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -235,20 +235,20 @@ let env.TASKDATA = "${stateDir}/${name}"; commands = rec { add.filename = pkgs.writers.writeDash "${name}-task-add" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add "$1" ''; list.filename = pkgs.writers.writeDash "${name}-task-list" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export \ + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export \ | ${pkgs.jq}/bin/jq -r ' .[] | select(.id != 0) | "\(.id) \(.description)" ' ''; delete.filename = pkgs.writers.writeDash "${name}-task-delete" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} delete "$1" ''; del = delete; done.filename = pkgs.writers.writeDash "${name}-task-done" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} done "$1" ''; }; }; @@ -456,7 +456,7 @@ in { printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' - TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export + TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export exit ;; esac diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index a488fdfea..1c7ed4719 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519"; }; imports = [ @@ -107,9 +107,10 @@ in { desc = "take all computers hostage, they love it"; section = "configuration"; remotes = { - makefu = "http://cgit.gum.r/stockholm"; - tv = "http://cgit.ni.r/stockholm"; + krebs = "https://github.com/krebs/stockholm"; lassulus = "http://cgit.orange.r/stockholm"; + makefu = "https://cgit.euer.krebsco.de/makefu/stockholm.git"; + tv = "http://cgit.ni.r/stockholm"; }; }) ({ krebs.git = defineRepo { diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix index 66a4095db..eba6cc83b 100644 --- a/krebs/2configs/shack/worlddomination.nix +++ b/krebs/2configs/shack/worlddomination.nix @@ -3,7 +3,7 @@ with import ../../../lib/pure.nix { inherit lib; }; let pkg = pkgs.stdenv.mkDerivation { - name = "worlddomination-2020-12-01"; + name = "worlddomination-2025-04-02"; src = pkgs.fetchFromGitHub { owner = "shackspace"; repo = "worlddomination"; @@ -11,9 +11,8 @@ let sha256 = "sha256-AbRqxxY6hYNg4qkk/akuw4f+wJh4nx1hfEA4Lp5B+1E="; }; buildInputs = [ - (pkgs.python310.withPackages (pythonPackages: with pythonPackages; [ + (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ docopt - LinkHeader aiocoap grequests paramiko @@ -31,16 +30,6 @@ let pythonPackages = pkgs.python3Packages; # https://github.com/chrysn/aiocoap - LinkHeader = pythonPackages.buildPythonPackage { - name = "LinkHeader-0.4.3"; - src = pkgs.fetchurl { url = "https://files.pythonhosted.org/packages/27/d4/eb1da743b2dc825e936ef1d9e04356b5701e3a9ea022c7aaffdf4f6b0594/LinkHeader-0.4.3.tar.gz"; sha256 = "7fbbc35c0ba3fbbc530571db7e1c886e7db3d718b29b345848ac9686f21b50c3"; }; - propagatedBuildInputs = [ ]; - meta = with pkgs.lib; { - homepage = ""; - license = licenses.bsdOriginal; - description = "Parse and format link headers according to RFC 5988 \"Web Linking\""; - }; - }; wdpath = "/usr/worlddomination/wd.lst"; esphost = "10.42.24.7"; # esp8266 afrihost = "10.42.25.201"; # africa diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix index 1f029276a..18fe46a98 100644 --- a/krebs/3modules/ci/default.nix +++ b/krebs/3modules/ci/default.nix @@ -50,7 +50,7 @@ let "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}', - pollinterval=30 + pollInterval=30 ) '') repo.urls ) cfg.repos; diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 13c4ecaec..ad9ceccbe 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -15,7 +15,7 @@ in { secret-file else secret-file // { - source-path = "${config.krebs.secret.directory}/secret-file.source-path"; + source-path = "${config.krebs.secret.directory}/${secret-file.source-path}"; } ); }; diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix index 872f04db2..cbffeb6f3 100644 --- a/krebs/3modules/sync-containers3.nix +++ b/krebs/3modules/sync-containers3.nix @@ -358,9 +358,7 @@ in { networking.useNetworkd = true; services.resolved = { enable = true; - extraConfig = '' - Domains=~. - ''; + settings.Resolve.Domains = [ "~." ]; }; systemd.network = { enable = true; diff --git a/krebs/5pkgs/simple/K_belwagen.nix b/krebs/5pkgs/simple/K_belwagen.nix deleted file mode 100644 index 2f64bb09d..000000000 --- a/krebs/5pkgs/simple/K_belwagen.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ lib, pkgs, stdenv }: - -stdenv.mkDerivation { - pname = "K_belwagen"; - version = "1.0"; - - src = pkgs.painload; - sourceRoot = "source/K_belwagen"; - - buildInputs = [ - pkgs.jack1 - pkgs.pkg-config - ]; - - patchPhase = '' - sed -i ' - s@^cd@# &@ - s@^make@# &@ - s@^jackd@# &@ - s@^trap@# &@ - - s@^set.*@&\nPATH=${lib.makeBinPath [ - pkgs.bc - pkgs.coreutils - ]}; export PATH@ - - s@\./a\.out@'"$out"'/lib/a.out@ - ' alarm - ''; - - installPhase = '' - mkdir -p $out/lib - mkdir -p $out/bin - - cp alarm $out/bin - cp a.out $out/lib - ''; -} diff --git a/krebs/5pkgs/simple/certaids.nix b/krebs/5pkgs/simple/certaids.nix deleted file mode 100644 index 094868680..000000000 --- a/krebs/5pkgs/simple/certaids.nix +++ /dev/null @@ -1,114 +0,0 @@ -{ pkgs }: - -let - cert2json = pkgs.writeDash "cert2json" '' - # usage: cert2json < CERT > JSON - set -efu - - ${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin | - ${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text | - ${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" '' - function abort(msg) { - print(msg) > "/dev/stderr" - exit 1 - } - - function toJSON(x, type, ret) { - type = typeof(x) - switch (type) { - case "array": - if (isArray(x)) return arrayToJSON(x) - if (isObject(x)) return objectToJSON(x) - abort("cannot render array to JSON", x) - case "number": - return numberToJSON(x) - case "string": - return stringToJSON(x) - case "strnum": - case "unassigned": - case "regexp": - case "untyped": - default: - abort("cannot render type: " type) - } - } - - function isArray(x, i, k) { - i = 1 - for (k in x) { - if (k != i++) return 0 - i++ - } - return 1 - } - - function isObject(x, k) { - for (k in x) { - if (typeof(k) != "string") return 0 - } - return 1 - } - - function arrayToJSON(x, k, ret) { - ret = "[" - for (k in x) { - ret=ret toJSON(x[k]) "," - } - sub(/,$/,"",ret) - ret=ret "]" - return ret - } - - function objectToJSON(x, k,ret) { - ret = "{" - for (k in x) { - ret = ret toJSON(k) ":" toJSON(x[k]) "," - } - sub(/,$/, "", ret) - ret = ret "}" - return ret - } - - function numberToJSON(x) { - return x - } - - function stringToJSON(x) { - gsub(/\\/, "&&",x) - gsub(/\n/, "\\n", x) - return "\"" x "\"" - } - - $1 ~ /^ *(Subject|Issuer):/ { - sub(/^ */, "") - sub(/: */, ",") - key=tolower($1) - sub(/[^,]*,/, "") - - # Normalize separators between relative distinguished names. - # [1]: RFC2253, 3. Parsing a String back to a Distinguished Name - # TODO support any distinguished name - gsub(/ *[;,] */, ",") - - for(i = 0; i <= NF; i++) { - split($i, a, "=") - cache[key][a[1]] = a[2] - } - } - - /BEGIN CERTIFICATE/,/END CERTIFICATE/{ - cache["certificate"] = cache["certificate"] $0 "\n" - } - - /END CERTIFICATE/{ - print toJSON(cache) - delete cache - } - ''} - ''; -in - -pkgs.runCommand "certaids" {} '' - mkdir -p $out/bin - ln -s ${cert2json} $out/bin/cert2json -'' diff --git a/krebs/5pkgs/simple/collectd-connect-time/default.nix b/krebs/5pkgs/simple/collectd-connect-time/default.nix index 525388029..abbfae40a 100644 --- a/krebs/5pkgs/simple/collectd-connect-time/default.nix +++ b/krebs/5pkgs/simple/collectd-connect-time/default.nix @@ -1,8 +1,10 @@ -{lib, pkgs, pythonPackages, fetchurl, ... }: +{lib, pkgs, python3Packages, fetchurl, ... }: -pythonPackages.buildPythonPackage rec { +python3Packages.buildPythonPackage rec { name = "collectd-connect-time-${version}"; version = "0.3.0"; + pyproject = true; + build-system = [ python3Packages.setuptools ]; src = fetchurl { url = "https://pypi.python.org/packages/source/c/collectd-connect-time/collectd-connect-time-${version}.tar.gz"; sha256 = "0vvrf9py9bwc8hk3scxwg4x2j8jlp2qva0mv4q8d9m4b4mk99c95"; diff --git a/krebs/5pkgs/simple/dic/default.nix b/krebs/5pkgs/simple/dic/default.nix deleted file mode 100644 index 39402c012..000000000 --- a/krebs/5pkgs/simple/dic/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ fetchgit, lib, stdenv -, coreutils, curl, gnugrep, gnused, util-linux -}: - -stdenv.mkDerivation { - name = "dic"; - - src = fetchgit { - url = https://cgit.ni.krebsco.de/dic; - rev = "refs/tags/v1.1.1"; - sha256 = "1gbj967a5hj53fdkkxijqgwnl9hb8kskz0cmpjq7v65ffz3v6vag"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - path = lib.makeBinPath [ - coreutils - curl - gnused - gnugrep - util-linux - ]; - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n PATH=${path}; export PATH,' \ - < ./dic \ - > $out/bin/dic - - chmod +x $out/bin/dic - ''; -} diff --git a/krebs/5pkgs/simple/ecrypt/default.nix b/krebs/5pkgs/simple/ecrypt/default.nix deleted file mode 100644 index f83f8cfe7..000000000 --- a/krebs/5pkgs/simple/ecrypt/default.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ pkgs, lib }: - -#usage: ecrypt mount /var/crypted /var/unencrypted -pkgs.writers.writeDashBin "ecrypt" '' - set -euf - - PATH=${lib.makeBinPath (with pkgs; [ - coreutils - ecryptfs - gnused - gnugrep - jq - mount - keyutils - umount - ])} - - # turn echo back on if killed - trap 'stty echo' INT - - case "$1" in - init) - shift - mkdir -p "$1" "$2" - - # abort if src or dest are not empty - if [ -e "$1"/.cfg.json ]; then - echo 'source dir is already configured, aborting' - exit 1 - elif ls -1qA "$2" | grep -q .; then - echo 'destination dir is not empty, aborting' - exit 1 - else - # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails - echo 4 | ecryptfs-manager - stty -echo - printf "passphrase: " - read passphrase - stty echo - sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/') - mount -t ecryptfs \ - -o ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \ - "$1" "$2" - - # add sig to json state file - jq -n --arg sig "$sig" '{ "sig": $sig }' > "$1"/.cfg.json - fi - ;; - - mount) - shift - if ! [ -e "$1"/.cfg.json ]; then - echo '.cfg.json missing in src' - exit 1 - fi - old_sig=$(cat "$1"/.cfg.json | jq -r .sig) - - # check if key is already in keyring, otherwise add it - - if keyctl list @u | grep -q "$old_sig"; then - echo 'pw already saved' - else - # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails - echo 4 | ecryptfs-manager - stty -echo - printf "passphrase: " - read passphrase - stty echo - new_sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/') - - # check if passphrase matches sig - if [ "$old_sig" != "$new_sig" ]; then - echo 'passphrase does not match sig, bailing out' - new_keyid=$(keyctl list @u | grep "$new_sig" | sed 's/\([0-9]*\).*/\1/') - keyctl revoke "$new_keyid" - keyctl unlink "$new_keyid" - exit 1 - fi - fi - - sig=$old_sig - keyid=$(keyctl list @u | grep "$sig" | sed 's/\([0-9]*\).*/\1/') - if (ls -1qA "$2" | grep -q .); then - echo 'destination is not empty, bailing out' - exit 1 - else - mount -i -t ecryptfs \ - -o ecryptfs_passthrough=no,verbose=no,ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \ - "$1" "$2" - fi - ;; - - unmount) - shift - - sig=$(cat "$1"/.cfg.json | jq -r .sig) - keyid=$(keyctl list @u | grep "$sig" | sed 's/\s*\([0-9]*\).*/\1/') - - umount "$2" || : - keyctl revoke "$keyid" - keyctl unlink "$keyid" - ;; - - *) - echo 'usage: - ecrypt init /tmp/src/ /tmp/dst/ - ecrypt mount /tmp/src/ /tmp/dst/ - ecrypt unmount /tmp/src/ /tmp/dst/ - ' - esac -'' diff --git a/krebs/5pkgs/simple/eximlog. |