Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/cabal/config.nix | 35 | ||||
-rw-r--r-- | lass/1systems/cabal/source.nix | 4 | ||||
-rw-r--r-- | lass/1systems/helios/config.nix | 4 | ||||
-rw-r--r-- | lass/1systems/mors/config.nix | 24 | ||||
-rw-r--r-- | lass/2configs/browsers.nix | 86 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 1 | ||||
-rw-r--r-- | lass/2configs/mail.nix | 14 | ||||
-rw-r--r-- | lass/2configs/privoxy.nix | 5 | ||||
-rw-r--r-- | lass/2configs/security-workarounds.nix | 2 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 2 | ||||
-rw-r--r-- | lass/2configs/websites/fritz.nix | 3 | ||||
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lass/3modules/screenlock.nix | 4 | ||||
-rw-r--r-- | lass/3modules/xjail.nix | 87 | ||||
-rw-r--r-- | lass/5pkgs/xephyrify/default.nix | 30 |
15 files changed, 216 insertions, 86 deletions
diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix new file mode 100644
index 000000000..7eba86c52
--- /dev/null
+++ b/lass/1systems/cabal/config.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/hw/x220.nix>
+    <stockholm/lass/2configs/boot/stock-x220.nix>
+
+    <stockholm/lass/2configs/mouse.nix>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/exim-retiolum.nix>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/browsers.nix>
+    <stockholm/lass/2configs/programs.nix>
+    <stockholm/lass/2configs/fetchWallpaper.nix>
+    <stockholm/lass/2configs/backups.nix>
+    <stockholm/lass/2configs/games.nix>
+    <stockholm/lass/2configs/bitcoin.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.cabal;
+
+  #fileSystems = {
+  #  "/bku" = {
+  #    device = "/dev/mapper/pool-bku";
+  #    fsType = "btrfs";
+  #    options = ["defaults" "noatime" "ssd" "compress=lzo"];
+  #  };
+  #};
+
+  #services.udev.extraRules = ''
+  #  SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
+  #  SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
+  #'';
+}
diff --git a/lass/1systems/cabal/source.nix b/lass/1systems/cabal/source.nix new file mode 100644
index 000000000..5d9507f3d
--- /dev/null
+++ b/lass/1systems/cabal/source.nix
@@ -0,0 +1,4 @@
+import <stockholm/lass/source.nix> {
+  name = "cabal";
+  secure = true;
+}
diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix
index c4d99cb2c..e64cfbe79 100644
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@@ -131,7 +131,7 @@ with import <stockholm/lib>; ]; services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal + ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal ''; networking.hostName = lib.mkForce "BLN02NB0162"; @@ -168,8 +168,6 @@ with import <stockholm/lib>; '') ]; - lass.screenlock.command = "${pkgs.i3lock}/bin/i3lock -i /home/lass/lock.png -t -f"; - programs.adb.enable = true; users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index cbb71ab24..f77bc64c2 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix 
@@ -170,31 +170,11 @@ with import <stockholm/lib>; export PATH=${makeBinPath [ pkgs.bash pkgs.coreutils - pkgs.nix - (pkgs.writeDashBin "is-git-crypt-locked" '' - magic=$(dd status=none if="$1" skip=1 bs=1 count=8) - test "$magic" = GITCRYPT - '') + pkgs.nixUnstable ]} cd ~/stockholm export SYSTEM="$1" - if is-git-crypt-locked ~/secrets/ready; then - echo 'secrets are crypted' >&2 - exit 23 - else - exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"' - fi - ''; - predeploy = pkgs.writeDash "predeploy" '' - set -eu - export PATH=${makeBinPath [ - pkgs.bash - pkgs.coreutils - pkgs.nix - ]} - cd ~/stockholm - export SYSTEM="$1" - exec nix-shell -I stockholm="$PWD" --run 'test --system="$SYSTEM" --target="$SYSTEM/var/test/" --force-populate' + exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"' ''; }; diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index cbbd54b6b..75a86db6a 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix 
@@ -21,58 +21,55 @@ let $BIN "$@" ''; - createChromiumUser = name: extraGroups: precedence: - let - bin = pkgs.writeScriptBin name '' - /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@ - ''; - in { - users.extraUsers.${name} = { - inherit name; - inherit extraGroups; - home = "/home/${name}"; - uid = genid name; - useDefaultShell = true; - createHome = true; + createChromiumUser = name: groups: precedence: + { + lass.xjail.${name} = { + user = name; + script = pkgs.writeDash name '' + ${pkgs.chromium}/bin/chromium "$@" + ''; + inherit groups; + }; + environment.systemPackages = [ config.lass.xjail-bins.${name} ]; + lass.browser.paths.${name} = { + path = config.lass.xjail-bins.${name}; + inherit precedence; + }; + }; + + createFirefoxUser = name: groups: precedence: + { + lass.xjail.${name} = { + user = name; + script = pkgs.writeDash name '' + ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@" + ''; + inherit groups; }; + environment.systemPackages = [ config.lass.xjail-bins.${name} ]; lass.browser.paths.${name} = { - path = bin; + path = config.lass.xjail-bins.${name}; inherit precedence; }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(${name}) NOPASSWD: ALL - ''; - environment.systemPackages = [ - bin - ]; }; - createFirefoxUser = name: extraGroups: precedence: - let - bin = pkgs.writeScriptBin name '' - /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@ - ''; - in { - users.extraUsers.${name} = { - inherit name; - inherit extraGroups; - home = "/home/${name}"; - uid = genid name; - useDefaultShell = true; - createHome = true; + createQuteUser = name: groups: precedence: + { + lass.xjail.${name} = { + user = name; + script = pkgs.writeDash name '' + ${pkgs.qutebrowser}/bin/qutebrowser "$@" + ''; + inherit groups; }; + environment.systemPackages = [ config.lass.xjail-bins.${name} ]; lass.browser.paths.${name} = { - path = bin; + path = config.lass.xjail-bins.${name}; 
inherit precedence; }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(${name}) NOPASSWD: ALL - ''; - environment.systemPackages = [ - bin - ]; }; + #TODO: abstract this in { @@ -110,12 +107,13 @@ in { })); }; } + ( createQuteUser "qb" [ "audio" ] 20 ) ( createFirefoxUser "ff" [ "audio" ] 10 ) - ( createChromiumUser "cr" [ "video" "audio" ] 9 ) + ( createChromiumUser "cr" [ "audio" ] 9 ) ( createChromiumUser "gm" [ "video" "audio" ] 8 ) - ( createChromiumUser "wk" [ "video" "audio" ] 0 ) - ( createChromiumUser "fb" [ "video" "audio" ] 0 ) - ( createChromiumUser "com" [ "video" "audio" ] 0 ) + ( createChromiumUser "wk" [ "audio" ] 0 ) + ( createChromiumUser "fb" [ "audio" ] 0 ) + ( createChromiumUser "com" [ "audio" ] 0 ) ( createChromiumUser "fin" [] (-1) ) ]; } diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index ae652722a..4455d2761 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -78,6 +78,7 @@ with import <stockholm/lib>; { from = "github@lassul.us"; to = lass.mail; } { from = "ovh@lassul.us"; to = lass.mail; } { from = "hetzner@lassul.us"; to = lass.mail; } + { from = "allygator@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 03d39ef75..b9682c5ee 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -8,6 +8,16 @@ let logfile ~/.msmtp.log account prism host prism.r + account c-base + from lassulus@c-base.org + host c-mail.c-base.org + port 465 + tls on + tls_starttls off + tls_fingerprint 8C:10:A6:AB:1F:82:C4:8F:B1:B4:22:D5:8B:8B:49:9B:59:0B:22:A4 + auth on + user lassulus + passwordeval pass show c-base/pass account default: prism ''; 
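Review bot: The `tls_fingerprint` value in the new c-base msmtp account is 20 bytes long, i.e. a SHA-1 certificate fingerprint, where msmtp also accepts the stronger SHA-256 form (32 bytes). A fingerprint pin replaces CA chain validation entirely, so this account will stop connecting the moment c-mail.c-base.org rotates its certificate, and nothing in the hunk records when that is due. Either switch to `tls_trust_file` with the system CA bundle, or keep the pin as a SHA-256 fingerprint and add a comment such as `# pinned cert, re-check on rotation (expires: <DATE placeholder>)` so the maintenance step is visible. The msmtprc string this hunk edits starts outside the hunk.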
@@ -36,9 +46,11 @@ let ]; dezentrale = [ "to:dezentrale.space" ]; dhl = [ "to:dhl@lassul.us" ]; + eloop = [ "to:eloop.org" ]; github = [ "to:github@lassul.us" ]; gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ]; kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ]; + lugs = [ "to:lugs@lug-s.org" ]; nix-devel = [ "to:nix-devel@googlegroups.com" ]; patreon = [ "to:patreon@lassul.us" ]; paypal = [ "to:paypal@lassul.us" ]; @@ -65,7 +77,7 @@ let # gpg source ${pkgs.neomutt}/share/doc/mutt/samples/gpg.rc set pgp_use_gpg_agent = yes - set pgp_sign_as = 0x976A7E4D + set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D set crypt_autosign = yes set crypt_replyencrypt = yes set crypt_verify_sig = yes diff --git a/lass/2configs/privoxy.nix b/lass/2configs/privoxy.nix index 33e8d1e46..e0a086421 100644 --- a/lass/2configs/privoxy.nix +++ b/lass/2configs/privoxy.nix @@ -3,10 +3,5 @@ { services.privoxy = { enable = true; - extraConfig = '' - #use polipo - forward / localhost:8123 - ''; }; - services.polipo.enable = true; } diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix index c3d07d5fe..537c8a59b 100644 --- a/lass/2configs/security-workarounds.nix +++ b/lass/2configs/security-workarounds.nix @@ -5,6 +5,4 @@ with import <stockholm/lib>; boot.extraModprobeConfig = '' install dccp /run/current-system/sw/bin/false ''; - - boot.kernelPackages = pkgs.linuxPackages_latest; } diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 9ece2af77..7a72499c9 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -49,6 +49,7 @@ in { "www.ubikmedia.eu" "www.youthtube.xyz" "www.ubikmedia.de" + "www.joemisch.com" "www.weirdwednesday.de" "aldona2.ubikmedia.de" @@ -63,6 +64,7 @@ in { "weirdwednesday.ubikmedia.de" "freemonkey.ubikmedia.de" "jarugadesign.ubikmedia.de" + "crypto4art.ubikmedia.de" ]) ]; 
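Review bot: Every host importing security-workarounds.nix now falls back to the nixpkgs default kernel, because the removed `boot.kernelPackages = pkgs.linuxPackages_latest;` was the only line selecting a newer one and nothing in the hunk replaces it. If that pin was itself one of the workarounds the file is named for, its rationale is lost with the line; if it is no longer needed, a short comment on the remaining `boot.extraModprobeConfig` block, e.g. `# disable dccp: unused protocol, reduces kernel attack surface`, would keep the file self-explaining after the removal. The enclosing attribute set starts outside the hunk.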
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index aa57a9857..14d6ce9ec 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -12,9 +12,8 @@ let ; msmtprc = pkgs.writeText "msmtprc" '' - account localhost + account default host localhost - account default: localhost ''; sendmail = pkgs.writeDash "msmtp" '' diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index fd77b2262..0c10e1ec2 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -11,6 +11,7 @@ _: ./screenlock.nix ./umts.nix ./usershadow.nix + ./xjail.nix ./xserver ]; } diff --git a/lass/3modules/screenlock.nix b/lass/3modules/screenlock.nix index e16ce9868..29c3861f2 100644 --- a/lass/3modules/screenlock.nix +++ b/lass/3modules/screenlock.nix @@ -14,7 +14,7 @@ let enable = mkEnableOption "screenlock"; command = mkOption { type = types.str; - default = "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f"; + default = "${pkgs.xlockmore}/bin/xlock -mode life1d -size 1"; }; }; @@ -28,7 +28,7 @@ let serviceConfig = { SyslogIdentifier = "screenlock"; ExecStart = cfg.command; - Type = "forking"; + Type = "simple"; User = "lass"; }; }; diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix new file mode 100644 index 000000000..af851760b --- /dev/null +++ b/lass/3modules/xjail.nix 
@@ -0,0 +1,87 @@
+{ config, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  options.lass.xjail = mkOption {
+    type = types.attrsOf (types.submodule ({ config, ...}: {
+      options = {
+        user = mkOption {
+          type = types.string;
+          default = "nobody";
+        };
+        groups = mkOption {
+          type = types.listOf types.str;
+          default = [];
+        };
+        name = mkOption {
+          type = types.string;
+          default = config._module.args.name;
+        };
+        display = mkOption {
+          type = types.string;
+          default = toString (genid_signed config._module.args.name);
+        };
+        script = mkOption {
+          type = types.path;
+          default = pkgs.writeScript "echo_lol" "echo lol";
+        };
+        from = mkOption {
+          type = types.string;
+          default = "lass";
+        };
+      };
+    }));
+    default = {};
+  };
+
+  options.lass.xjail-bins = mkOption {
+    type = types.attrsOf types.path;
+  };
+
+  # implementation
+  config = {
+
+    users.users = mapAttrs' (_: cfg:
+      nameValuePair cfg.name {
+        uid = genid cfg.name;
+        home = "/home/${cfg.name}";
+        useDefaultShell = true;
+        createHome = true;
+        extraGroups = cfg.groups;
+      }
+    ) config.lass.xjail;
+
+    users.groups = mapAttrs' (_: cfg:
+      nameValuePair cfg.name {
+        members = [
+          cfg.name
+          cfg.from
+        ];
+      }
+    ) config.lass.xjail;
+
+    security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
+      # TODO allow just the right script with sudo
+      "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
+    ) config.lass.xjail));
+
+    lass.xjail-bins = mapAttrs' (name: cfg:
+      let
+        sudo-wrapper = pkgs.writeScript name ''
+          /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
+        '';
+      in nameValuePair name (pkgs.writeScriptBin cfg.name ''
+        export NDISPLAY=${cfg.display}
+        DISPLAY=:$NDISPLAY ${pkgs.xorg.xrandr}/bin/xrandr
+        if test $? -eq 0; then
+          echo xephyr already running
+          export DISPLAY=:$NDISPLAY
+          ${sudo-wrapper} "$@"
+        else
+          echo xephyr not running
+          DROP_TO_USER=${cfg.name} ${pkgs.xephyrify}/bin/xephyrify ${sudo-wrapper} "$@"
+        fi
+      '')
+    ) config.lass.xjail;
+  };
+}
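Review bot: The `user` option is declared in the submodule but never read: `users.users`, `users.groups`, the sudoers line and the generated wrapper all use `cfg.name`, so a caller that sets `user` to something other than the attribute name (browsers.nix sets `user = name;`) gets no effect at all. Either drop the option or make the implementation use it consistently, since as written it only suggests an isolation boundary that does not exist. Separately, `user`, `name`, `display` and `from` are typed `types.string` while `groups` uses `types.str`; `types.string` is deprecated in nixpkgs because it merges duplicate definitions by concatenation instead of reporting a conflict, so `types.str` throughout is the safer choice. In the wrapper, the bare `xrandr` probe followed by `if test $? -eq 0; then` is clearer and quieter as `if DISPLAY=:$NDISPLAY ${pkgs.xorg.xrandr}/bin/xrandr >/dev/null 2>&1; then`.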
diff --git a/lass/5pkgs/xephyrify/default.nix b/lass/5pkgs/xephyrify/default.nix index 8b18ea949..8d6036843 100644 --- a/lass/5pkgs/xephyrify/default.nix +++ b/lass/5pkgs/xephyrify/default.nix @@ -2,15 +2,18 @@ let - minimalXmonad = writeHaskell "minimalXmonad" { + xephyrify-xmonad = writeHaskell "xephyrify-xmonad" { executables.xmonad = { extra-depends = [ "containers" + "unix" "xmonad" ]; text = /* haskell */ '' module Main where import XMonad + import Data.Monoid + import System.Posix.Process (executeFile) import qualified Data.Map as Map main :: IO () @@ -21,8 +24,18 @@ let , keys = myKeys , normalBorderColor = "#000000" , focusedBorderColor = "#000000" + , handleEventHook = myEventHook } + myEventHook :: Event -> X All + + myEventHook (ConfigureEvent { ev_event_type = 22 }) = do + spawn "${xorg.xrandr}/bin/xrandr >/dev/null 2>&1" + return (All True) + + myEventHook _ = do + return (All True) + myLayoutHook = Full myKeys _ = Map.fromList [] ''; @@ -30,13 +43,20 @@ let }; in writeDashBin "xephyrify" '' - NDISPLAY=:$(${coreutils}/bin/shuf -i 100-65536 -n 1) + NDISPLAY=''${NDISPLAY:-$(${coreutils}/bin/shuf -i 100-65536 -n 1)} echo "using DISPLAY $NDISPLAY" - ${xorg.xorgserver}/bin/Xephyr -br -ac -reset -terminate -resizeable $NDISPLAY & + ${xorg.xorgserver}/bin/Xephyr -br -ac -reset -terminate -resizeable -dpi 60 -nolisten local :$NDISPLAY & + if test -n $DROP_TO_USER; then + sleep 1 + ls /tmp/.X11-unix/ + id + ${coreutils}/bin/chgrp "$DROP_TO_USER" "/tmp/.X11-unix/X$NDISPLAY" + ${coreutils}/bin/chmod 770 "/tmp/.X11-unix/X$NDISPLAY" + fi XEPHYR_PID=$! - DISPLAY=$NDISPLAY ${minimalXmonad}/bin/xmonad & + DISPLAY=:$NDISPLAY ${xephyrify-xmonad}/bin/xmonad & XMONAD_PID=$! - DISPLAY=$NDISPLAY ${virtualgl}/bin/vglrun "$@" + DISPLAY=:$NDISPLAY ${virtualgl}/bin/vglrun "$@" kill $XMONAD_PID kill $XEPHYR_PID '' |
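Review bot: `if test -n $DROP_TO_USER; then` is unquoted, so when DROP_TO_USER is unset `test` sees the single operand `-n`, succeeds, and the branch runs `chgrp ""` and `chmod 770` against the socket anyway; it should read `if test -n "$DROP_TO_USER"; then`. The fixed `sleep 1` before `chgrp`/`chmod` races Xephyr's creation of `/tmp/.X11-unix/X$NDISPLAY` (a short wait loop on `test -S "/tmp/.X11-unix/X$NDISPLAY"` would be more robust), and the `ls` and `id` lines in that branch look like debugging leftovers. Because Xephyr is started with `-ac`, the 770 mode on that socket together with `-nolisten local` (which, as far as I can tell, disables the abstract-namespace socket that file permissions cannot protect) is the only thing keeping other local users off this display; a comment on the Xephyr line saying so would stop a later cleanup from removing either flag. In the Haskell part, `ev_event_type = 22` would read better as the `configureNotify` constant XMonad re-exports from Graphics.X11, and `executeFile` together with the new `unix` dependency has no visible use in this hunk (the rest of the module is outside it).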