diff options
Diffstat (limited to 'lass')
24 files changed, 333 insertions, 210 deletions
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index e1bce5da8..7b90ebb63 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -9,6 +9,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/backups.nix> + <stockholm/lass/2configs/games.nix> + <stockholm/lass/2configs/steam.nix> { # bubsy config users.users.bubsy = { @@ -34,6 +36,7 @@ with import <stockholm/lib>; hexchat networkmanagerapplet libreoffice + audacity ]; services.xserver.enable = true; services.xserver.displayManager.lightdm.enable = true; diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index 6ff3fbb86..6db6f8fd1 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -11,6 +11,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/otp-ssh.nix> <stockholm/lass/2configs/git.nix> + <stockholm/lass/2configs/dcso-vpn.nix> { # automatic hardware detection boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.kernelModules = [ "kvm-intel" ]; @@ -44,7 +45,9 @@ with import <stockholm/lib>; { services.xserver.dpi = 200; fonts.fontconfig.dpi = 200; - lass.myFont = "-schumacher-clean-*-*-*-*-25-*-*-*-*-*-iso10646-1"; + lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola"; + lass.fonts.bold = "xft:Hack-Bold:pixelsize=22,xft:Symbola"; + lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol"; } { #TAPIR, AGATIS, sentral, a3 - foo services.redis.enable = true; @@ -94,4 +97,22 @@ with import <stockholm/lib>; programs.ssh.startAgent = lib.mkForce true; services.tlp.enable = true; + + services.xserver.videoDrivers = [ "nvidia" ]; + services.xserver.xrandrHeads = [ + { output = "DP-0.8"; } + { output = "DP-4"; monitorConfig = ''Option "Rotate" "right"''; } + { output = "DP-2"; primary = true; } + ]; + + security.pki.certificateFiles = [ + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) + + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) + ]; } diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 8b90cce77..610bfef8e 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -157,4 +157,38 @@ with import <stockholm/lib>; krebs.repo-sync.timerConfig = { OnCalendar = "00:37"; }; + + environment.shellAliases = { + deploy = pkgs.writeDash "deploy" '' + set -eu + export PATH=${makeBinPath [ + pkgs.bash + pkgs.coreutils + pkgs.nix + (pkgs.writeDashBin "is-git-crypt-locked" '' + magic=$(dd status=none if="$1" skip=1 bs=1 count=8) + test "$magic" = GITCRYPT + '') + ]} + cd ~/stockholm + export SYSTEM="$1" + if is-git-crypt-locked ~/secrets/ready; then + echo 'secrets are crypted' >&2 + exit 23 + else + exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"' + fi + ''; + predeploy = pkgs.writeDash "predeploy" '' + set -eu + export PATH=${makeBinPath [ + pkgs.bash + pkgs.coreutils + pkgs.nix + ]} + cd ~/stockholm + export SYSTEM="$1" + exec nix-shell -I stockholm="$PWD" --run 'test --system="$SYSTEM" --target="$SYSTEM/var/test/" --force-populate' + ''; + }; } diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 8e44b113b..30d5c8dab 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -230,8 +230,6 @@ in { <stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/reaktor-coders.nix> - <stockholm/lass/2configs/reaktor-krebs.nix> - <stockholm/lass/2configs/reaktor-retiolum.nix> <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> { # quasi bepasty.nix @@ -267,6 +265,13 @@ in { alias /var/realwallpaper/realwallpaper.png; ''; } + { + services.minecraft-server.enable = true; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; } + { predicate = "-p udp --dport 25565"; target = "ACCEPT"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index f6390ce4d..9d4ad8c6a 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -28,9 +28,19 @@ in { ''; } { #font magic - options.lass.myFont = mkOption { - type = types.str; - default = "-schumacher-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1"; + options.lass.fonts = { + regular = mkOption { + type = types.str; + default = "xft:Hack-Regular:pixelsize=11,xft:Symbola"; + }; + bold = mkOption { + type = types.str; + default = "xft:Hack-Bold:pixelsize=11,xft:Symbola"; + }; + italic = mkOption { + type = types.str; + default = "xft:Hack-RegularOblique:pixelsize=11,xft:Symbol"; + }; }; } ]; @@ -82,8 +92,11 @@ in { termite ]; - fonts.fonts = [ - pkgs.xlibs.fontschumachermisc + fonts.fonts = with pkgs; [ + hack-font + hasklig + symbola + xlibs.fontschumachermisc ]; services.xserver = { diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix new file mode 100644 index 000000000..0a5623bf0 --- /dev/null +++ b/lass/2configs/dcso-vpn.nix @@ -0,0 +1,44 @@ +with import <stockholm/lib>; +{ ... }: + +{ + + users.extraUsers = { + dcsovpn = rec { + name = "dcsovpn"; + uid = genid "dcsovpn"; + description = "user for running dcso openvpn"; + home = "/home/${name}"; + }; + }; + + users.extraGroups.dcsovpn.gid = genid "dcsovpn"; + + services.openvpn.servers = { + dcso = { + config = '' + client + dev tun + tun-mtu 1356 + mssfix + proto udp + float + remote 217.111.55.41 1194 + nobind + user dcsovpn + group dcsovpn + persist-key + persist-tun + ca ${toString <secrets/dcsovpn/ca.pem>} + cert ${toString <secrets/dcsovpn/cert.pem>} + key ${toString <secrets/dcsovpn/cert.key>} + verb 3 + mute 20 + auth-user-pass ${toString <secrets/dcsovpn/login.txt>} + route-method exe + route-delay 2 + ''; + updateResolvConf = true; + }; + }; +} diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index e96f4dc7e..f745dc4a1 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -119,6 +119,7 @@ with import <stockholm/lib>; aria2 #neat utils + file kpaste krebspaste mosh diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix index 0c96e6e91..e305145f5 100644 --- a/lass/2configs/dns-stuff.nix +++ b/lass/2configs/dns-stuff.nix @@ -4,7 +4,12 @@ with import <stockholm/lib>; services.dnscrypt-proxy = { enable = true; localAddress = "127.1.0.1"; - resolverName = "cs-de"; + customResolver = { + address = config.krebs.hosts.gum.nets.internet.ip4.addr; + port = 15251; + name = "2.dnscrypt-cert.euer.krebsco.de"; + key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C"; + }; }; services.dnsmasq = { enable = true; @@ -17,8 +22,6 @@ with import <stockholm/lib>; all-servers dnssec trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 - address=/blog/127.0.0.1 - address=/blog/::1 rebind-domain-ok=/onion/ server=/.onion/127.0.0.1#9053 port=53 diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index 00f318e51..ad015180a 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import <stockholm/lib>; { nix.gc = { - automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ]; + automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; }; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 7a9881186..91127f737 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -74,12 +74,9 @@ let virtual-mailboxes \ "Unread" "notmuch://?query=tag:unread"\ "INBOX" "notmuch://?query=tag:inbox \ - and NOT tag:killed \ - and NOT to:shackspace \ - and NOT to:c-base \ - and NOT from:security-alert@hpe.com \ and NOT to:nix-devel\ - and NOT to:radio"\ + and NOT to:shackspace\ + and NOT to:c-base" \ "shack" "notmuch://?query=to:shackspace"\ "c-base" "notmuch://?query=to:c-base"\ "security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\ diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 5bd2f2f7f..1c253a6c5 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -3,7 +3,8 @@ { krebs.per-user.lass.packages = with pkgs; [ pass - gnupg1 + gnupg ]; + programs.gnupg.agent.enable = true; } diff --git a/lass/2configs/reaktor-krebs.nix b/lass/2configs/reaktor-krebs.nix deleted file mode 100644 index 6b17b457d..000000000 --- a/lass/2configs/reaktor-krebs.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, lib, pkgs, ... }: -with import <stockholm/lib>; - -{ - krebs.Reaktor.krebs = { - nickname = "Reaktor|krebs"; - channels = [ - "#krebs" - "#nixos-wiki" - ]; - extraEnviron = { - REAKTOR_HOST = "irc.freenode.org"; - }; - plugins = with pkgs.ReaktorPlugins; [ - sed-plugin - wiki-todo-add - wiki-todo-done - wiki-todo-show - ]; - }; - services.nginx.virtualHosts."lassul.us".locations."/wiki-todo".extraConfig = '' - default_type "text/plain"; - alias /var/lib/Reaktor/state/wiki-todo; - ''; -} diff --git a/lass/2configs/reaktor-retiolum.nix b/lass/2configs/reaktor-retiolum.nix deleted file mode 100644 index 144b7d484..000000000 --- a/lass/2configs/reaktor-retiolum.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: -with import <stockholm/lib>; - -{ - krebs.Reaktor.retiolum = { - nickname = "Reaktor|lass"; - channels = [ "#xxx" ]; - extraEnviron = { - REAKTOR_HOST = "irc.r"; - }; - plugins = with pkgs.ReaktorPlugins; [ - sed-plugin - ]; - }; -} diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 71c3aaada..698344b09 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -97,10 +97,13 @@ let noremap <esc>[b <nop> | noremap! <esc>[b <nop> noremap <esc>[c <nop> | noremap! <esc>[c <nop> noremap <esc>[d <nop> | noremap! <esc>[d <nop> - vnoremap u <nop> + + let g:ackprg = 'ag --vimgrep' + cnoreabbrev Ack Ack! ''; extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [ + pkgs.vimPlugins.ack-vim pkgs.vimPlugins.Gundo pkgs.vimPlugins.Syntastic pkgs.vimPlugins.undotree diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 17c39a5f4..6e185a4d6 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -73,17 +73,6 @@ in { allowKeysForGroup = true; group = "lasscert"; }; - certs."cgit.lassul.us" = { - email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/acme-challenges"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - ]; - group = "nginx"; - allowKeysForGroup = true; - }; }; krebs.tinc_graphs.enable = true; @@ -119,8 +108,8 @@ in { ]; services.nginx.virtualHosts."lassul.us" = { + addSSL = true; enableACME = true; - serverAliases = [ "lassul.us" ]; locations."/".extraConfig = '' root /srv/http/lassul.us; ''; @@ -158,30 +147,12 @@ in { in '' alias ${initscript}; ''; - - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; - sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/lassul.us/key.pem"; }; services.nginx.virtualHosts.cgit = { - serverAliases = [ - "cgit.lassul.us" - ]; - locations."/.well-known/acme-challenge".extraConfig = '' - root /var/lib/acme/acme-challenges; - ''; - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; - sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem"; + serverName = "cgit.lassul.us"; + addSSL = true; + enableACME = true; }; users.users.blog = { diff --git a/lass/2configs/xresources.nix b/lass/2configs/xresources.nix index adbcd353d..a3c54f3a1 100644 --- a/lass/2configs/xresources.nix +++ b/lass/2configs/xresources.nix @@ -8,8 +8,10 @@ let URxvt*scrollBar: false URxvt*urgentOnBell: true URxvt*SaveLines: 4096 - URxvt*font: ${config.lass.myFont} - URxvt*boldFont: ${config.lass.myFont} + + URxvt.font: ${config.lass.fonts.regular} + URxvt.boldFont: ${config.lass.fonts.bold} + URxvt.italicFont: ${config.lass.fonts.italic} ! ref https://github.com/muennich/urxvt-perls URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix index b1fca08d3..68bcfa340 100644 --- a/lass/3modules/ejabberd/config.nix +++ b/lass/3modules/ejabberd/config.nix @@ -1,93 +1,129 @@ -{ config, ... }: with import <stockholm/lib>; let - cfg = config.lass.ejabberd; +with import <stockholm/lib>; +{ config, ... }: let - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; -in toFile "ejabberd.conf" '' - {loglevel, 3}. - {hosts, ${toErlang cfg.hosts}}. - {listen, - [ - {5222, ejabberd_c2s, [ - starttls, - {certfile, ${toErlang cfg.certfile.path}}, - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - {5280, ejabberd_http, [ - captcha, - http_bind, - http_poll, - web_admin - ]} - ]}. - {s2s_use_starttls, required}. - {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. - {auth_method, internal}. - {shaper, normal, {maxrate, 1000}}. - {shaper, fast, {maxrate, 50000}}. - {max_fsm_queue, 1000}. - {acl, local, {user_regexp, ""}}. - {access, max_user_sessions, [{10, all}]}. - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - {access, local, [{allow, local}]}. - {access, c2s, [{deny, blocked}, - {allow, all}]}. - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - {access, s2s_shaper, [{fast, all}]}. - {access, announce, [{allow, admin}]}. - {access, configure, [{allow, admin}]}. - {access, muc_admin, [{allow, admin}]}. - {access, muc_create, [{allow, local}]}. - {access, muc, [{allow, all}]}. - {access, pubsub_createnode, [{allow, local}]}. - {access, register, [{allow, local}]}. - {language, "en"}. - {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, - {mod_blocking,[]}, - {mod_caps, []}, - {mod_configure,[]}, - {mod_disco, []}, - {mod_irc, []}, - {mod_http_bind, []}, - {mod_last, []}, - {mod_muc, [ - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - {mod_privacy, []}, - {mod_private, []}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} - ]}, - {mod_register, [ - {welcome_message, {"Welcome!", - "Hi.\nWelcome to this XMPP server."}}, - {ip_access, [{allow, "127.0.0.0/8"}, - {allow, "0.0.0.0/0"}]}, - {access, register} - ]}, - {mod_roster, []}, - {mod_shared_roster,[]}, - {mod_stats, []}, - {mod_time, []}, - {mod_vcard, []}, - {mod_version, []} - ]}. + # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example + + ciphers = concatStringsSep ":" [ + "ECDHE-ECDSA-AES256-GCM-SHA384" + "ECDHE-RSA-AES256-GCM-SHA384" + "ECDHE-ECDSA-CHACHA20-POLY1305" + "ECDHE-RSA-CHACHA20-POLY1305" + "ECDHE-ECDSA-AES128-GCM-SHA256" + "ECDHE-RSA-AES128-GCM-SHA256" + "ECDHE-ECDSA-AES256-SHA384" + "ECDHE-RSA-AES256-SHA384" + "ECDHE-ECDSA-AES128-SHA256" + "ECDHE-RSA-AES128-SHA256" + ]; + + protocol_options = [ + "no_sslv2" + "no_sslv3" + "no_tlsv1" + "no_tlsv1_10" + ]; + +in /* yaml */ '' + + access_rules: + announce: + - allow: admin + local: + - allow: local + configure: + - allow: admin + register: + - allow + s2s: + - allow + trusted_network: + - allow: loopback + + acl: + local: + user_regexp: "" + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + + hosts: ${toJSON config.hosts} + + language: "en" + + listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + shaper: c2s_shaper + certfile: ${toJSON config.certfile.path} + ciphers: ${toJSON ciphers} + dhfile: ${toJSON config.dhfile.path} + protocol_options: ${toJSON protocol_options} + starttls: true + starttls_required: true + tls: false + tls_compression: false + max_stanza_size: 65536 + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + shaper: s2s_shaper + max_stanza_size: 131072 + + loglevel: 4 + + modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_echo: {} + mod_irc: {} + mod_bosh: {} + mod_last: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_register: + access_from: deny + access: register + ip_access: trusted_network + registration_watchers: ${toJSON config.registration_watchers} + mod_roster: {} + mod_shared_roster: {} + mod_stats: {} + mod_time: {} + mod_vcard: + search: false + mod_version: {} + mod_http_api: {} + + s2s_access: s2s + s2s_certfile: ${toJSON config.s2s_certfile.path} + s2s_ciphers: ${toJSON ciphers} + s2s_dhfile: ${toJSON config.dhfile.path} + s2s_protocol_options: ${toJSON protocol_options} + s2s_tls_compression: false + s2s_use_starttls: required + + shaper_rules: + max_user_offline_messages: + - 5000: admin + - 100 + max_user_sessions: 10 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast '' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix index e2fba5ff5..4838a9093 100644 --- a/lass/3modules/ejabberd/default.nix +++ b/lass/3modules/ejabberd/default.nix @@ -1,5 +1,16 @@ { config, lib, pkgs, ... }@args: with import <stockholm/lib>; let cfg = config.lass.ejabberd; + + gen-dhparam = pkgs.writeDash "gen-dhparam" '' + set -efu + path=$1 + bits=2048 + # TODO regenerate dhfile after some time? + if ! test -e "$path"; then + ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" + fi + ''; + in { options.lass.ejabberd = { enable = mkEnableOption "lass.ejabberd"; @@ -11,20 +22,36 @@ in { source-path = "/var/lib/acme/lassul.us/full.pem"; }; }; + dhfile = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/dhparams.pem"; + owner = cfg.user; + source-path = "/dev/null"; + }; + }; hosts = mkOption { type = with types; listOf str; }; pkgs.ejabberdctl = mkOption { type = types.package; default = pkgs.writeDashBin "ejabberdctl" '' - set -efu - export SPOOLDIR=${shell.escape cfg.user.home} - export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)} exec ${pkgs.ejabberd}/bin/ejabberdctl \ + --config ${toFile "ejabberd.yaml" (import ./config.nix { + inherit pkgs; + config = cfg; + })} \ --logs ${shell.escape cfg.user.home} \ + --spool ${shell.escape cfg.user.home} \ "$@" ''; }; + registration_watchers = mkOption { + type = types.listOf types.str; + default = [ + config.krebs.users.tv.mail + ]; + }; s2s_certfile = mkOption { type = types.secret-file; default = cfg.certfile; @@ -50,12 +77,12 @@ in { requires = [ "secret.service" ]; after = [ "network.target" "secret.service" ]; serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - PermissionsStartOnly = "true"; + ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; + ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; + PermissionsStartOnly = true; SyslogIdentifier = "ejabberd"; User = cfg.user.name; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start"; + TimeoutStartSec = 60; }; }; diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 0a2945c21..997b60b8f 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS) import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace) import XMonad.Actions.DynamicWorkspaces (withWorkspace) import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch) +import XMonad.Actions.UpdatePointer (updatePointer) import XMonad.Hooks |