summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/daedalus/config.nix3
-rw-r--r--lass/1systems/helios/config.nix23
-rw-r--r--lass/1systems/mors/config.nix34
-rw-r--r--lass/1systems/prism/config.nix9
-rw-r--r--lass/2configs/baseX.nix23
-rw-r--r--lass/2configs/dcso-vpn.nix44
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/2configs/dns-stuff.nix9
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/mail.nix7
-rw-r--r--lass/2configs/pass.nix3
-rw-r--r--lass/2configs/reaktor-krebs.nix25
-rw-r--r--lass/2configs/reaktor-retiolum.nix15
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem0
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/cert.key0
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem0
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/login.txt0
-rw-r--r--lass/2configs/vim.nix5
-rw-r--r--lass/2configs/websites/lassulus.nix37
-rw-r--r--lass/2configs/xresources.nix6
-rw-r--r--lass/3modules/ejabberd/config.nix218
-rw-r--r--lass/3modules/ejabberd/default.nix41
-rw-r--r--lass/5pkgs/xmonad-lass.nix36
-rw-r--r--lass/source.nix2
24 files changed, 333 insertions, 210 deletions
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index e1bce5da8..7b90ebb63 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -9,6 +9,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
+ <stockholm/lass/2configs/games.nix>
+ <stockholm/lass/2configs/steam.nix>
{
# bubsy config
users.users.bubsy = {
@@ -34,6 +36,7 @@ with import <stockholm/lib>;
hexchat
networkmanagerapplet
libreoffice
+ audacity
];
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix
index 6ff3fbb86..6db6f8fd1 100644
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@@ -11,6 +11,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/otp-ssh.nix>
<stockholm/lass/2configs/git.nix>
+ <stockholm/lass/2configs/dcso-vpn.nix>
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
@@ -44,7 +45,9 @@ with import <stockholm/lib>;
{
services.xserver.dpi = 200;
fonts.fontconfig.dpi = 200;
- lass.myFont = "-schumacher-clean-*-*-*-*-25-*-*-*-*-*-iso10646-1";
+ lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola";
+ lass.fonts.bold = "xft:Hack-Bold:pixelsize=22,xft:Symbola";
+ lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
}
{ #TAPIR, AGATIS, sentral, a3 - foo
services.redis.enable = true;
@@ -94,4 +97,22 @@ with import <stockholm/lib>;
programs.ssh.startAgent = lib.mkForce true;
services.tlp.enable = true;
+
+ services.xserver.videoDrivers = [ "nvidia" ];
+ services.xserver.xrandrHeads = [
+ { output = "DP-0.8"; }
+ { output = "DP-4"; monitorConfig = ''Option "Rotate" "right"''; }
+ { output = "DP-2"; primary = true; }
+ ];
+
+ security.pki.certificateFiles = [
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
+
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
+ ];
}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 8b90cce77..610bfef8e 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -157,4 +157,38 @@ with import <stockholm/lib>;
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
+
+ environment.shellAliases = {
+ deploy = pkgs.writeDash "deploy" ''
+ set -eu
+ export PATH=${makeBinPath [
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.nix
+ (pkgs.writeDashBin "is-git-crypt-locked" ''
+ magic=$(dd status=none if="$1" skip=1 bs=1 count=8)
+ test "$magic" = GITCRYPT
+ '')
+ ]}
+ cd ~/stockholm
+ export SYSTEM="$1"
+ if is-git-crypt-locked ~/secrets/ready; then
+ echo 'secrets are crypted' >&2
+ exit 23
+ else
+ exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
+ fi
+ '';
+ predeploy = pkgs.writeDash "predeploy" ''
+ set -eu
+ export PATH=${makeBinPath [
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.nix
+ ]}
+ cd ~/stockholm
+ export SYSTEM="$1"
+ exec nix-shell -I stockholm="$PWD" --run 'test --system="$SYSTEM" --target="$SYSTEM/var/test/" --force-populate'
+ '';
+ };
}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 8e44b113b..30d5c8dab 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -230,8 +230,6 @@ in {
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
- <stockholm/lass/2configs/reaktor-krebs.nix>
- <stockholm/lass/2configs/reaktor-retiolum.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
{ # quasi bepasty.nix
@@ -267,6 +265,13 @@ in {
alias /var/realwallpaper/realwallpaper.png;
'';
}
+ {
+ services.minecraft-server.enable = true;
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
+ ];
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index f6390ce4d..9d4ad8c6a 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -28,9 +28,19 @@ in {
'';
}
{ #font magic
- options.lass.myFont = mkOption {
- type = types.str;
- default = "-schumacher-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+ options.lass.fonts = {
+ regular = mkOption {
+ type = types.str;
+ default = "xft:Hack-Regular:pixelsize=11,xft:Symbola";
+ };
+ bold = mkOption {
+ type = types.str;
+ default = "xft:Hack-Bold:pixelsize=11,xft:Symbola";
+ };
+ italic = mkOption {
+ type = types.str;
+ default = "xft:Hack-RegularOblique:pixelsize=11,xft:Symbol";
+ };
};
}
];
@@ -82,8 +92,11 @@ in {
termite
];
- fonts.fonts = [
- pkgs.xlibs.fontschumachermisc
+ fonts.fonts = with pkgs; [
+ hack-font
+ hasklig
+ symbola
+ xlibs.fontschumachermisc
];
services.xserver = {
diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix
new file mode 100644
index 000000000..0a5623bf0
--- /dev/null
+++ b/lass/2configs/dcso-vpn.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ ... }:
+
+{
+
+ users.extraUsers = {
+ dcsovpn = rec {
+ name = "dcsovpn";
+ uid = genid "dcsovpn";
+ description = "user for running dcso openvpn";
+ home = "/home/${name}";
+ };
+ };
+
+ users.extraGroups.dcsovpn.gid = genid "dcsovpn";
+
+ services.openvpn.servers = {
+ dcso = {
+ config = ''
+ client
+ dev tun
+ tun-mtu 1356
+ mssfix
+ proto udp
+ float
+ remote 217.111.55.41 1194
+ nobind
+ user dcsovpn
+ group dcsovpn
+ persist-key
+ persist-tun
+ ca ${toString <secrets/dcsovpn/ca.pem>}
+ cert ${toString <secrets/dcsovpn/cert.pem>}
+ key ${toString <secrets/dcsovpn/cert.key>}
+ verb 3
+ mute 20
+ auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
+ route-method exe
+ route-delay 2
+ '';
+ updateResolvConf = true;
+ };
+ };
+}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index e96f4dc7e..f745dc4a1 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -119,6 +119,7 @@ with import <stockholm/lib>;
aria2
#neat utils
+ file
kpaste
krebspaste
mosh
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
index 0c96e6e91..e305145f5 100644
--- a/lass/2configs/dns-stuff.nix
+++ b/lass/2configs/dns-stuff.nix
@@ -4,7 +4,12 @@ with import <stockholm/lib>;
services.dnscrypt-proxy = {
enable = true;
localAddress = "127.1.0.1";
- resolverName = "cs-de";
+ customResolver = {
+ address = config.krebs.hosts.gum.nets.internet.ip4.addr;
+ port = 15251;
+ name = "2.dnscrypt-cert.euer.krebsco.de";
+ key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
+ };
};
services.dnsmasq = {
enable = true;
@@ -17,8 +22,6 @@ with import <stockholm/lib>;
all-servers
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- address=/blog/127.0.0.1
- address=/blog/::1
rebind-domain-ok=/onion/
server=/.onion/127.0.0.1#9053
port=53
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
index 00f318e51..ad015180a 100644
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@@ -3,6 +3,6 @@
with import <stockholm/lib>;
{
nix.gc = {
- automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
+ automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
};
}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 7a9881186..91127f737 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -74,12 +74,9 @@ let
virtual-mailboxes \
"Unread" "notmuch://?query=tag:unread"\
"INBOX" "notmuch://?query=tag:inbox \
- and NOT tag:killed \
- and NOT to:shackspace \
- and NOT to:c-base \
- and NOT from:security-alert@hpe.com \
and NOT to:nix-devel\
- and NOT to:radio"\
+ and NOT to:shackspace\
+ and NOT to:c-base" \
"shack" "notmuch://?query=to:shackspace"\
"c-base" "notmuch://?query=to:c-base"\
"security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 5bd2f2f7f..1c253a6c5 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -3,7 +3,8 @@
{
krebs.per-user.lass.packages = with pkgs; [
pass
- gnupg1
+ gnupg
];
+ programs.gnupg.agent.enable = true;
}
diff --git a/lass/2configs/reaktor-krebs.nix b/lass/2configs/reaktor-krebs.nix
deleted file mode 100644
index 6b17b457d..000000000
--- a/lass/2configs/reaktor-krebs.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
-
-{
- krebs.Reaktor.krebs = {
- nickname = "Reaktor|krebs";
- channels = [
- "#krebs"
- "#nixos-wiki"
- ];
- extraEnviron = {
- REAKTOR_HOST = "irc.freenode.org";
- };
- plugins = with pkgs.ReaktorPlugins; [
- sed-plugin
- wiki-todo-add
- wiki-todo-done
- wiki-todo-show
- ];
- };
- services.nginx.virtualHosts."lassul.us".locations."/wiki-todo".extraConfig = ''
- default_type "text/plain";
- alias /var/lib/Reaktor/state/wiki-todo;
- '';
-}
diff --git a/lass/2configs/reaktor-retiolum.nix b/lass/2configs/reaktor-retiolum.nix
deleted file mode 100644
index 144b7d484..000000000
--- a/lass/2configs/reaktor-retiolum.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
-
-{
- krebs.Reaktor.retiolum = {
- nickname = "Reaktor|lass";
- channels = [ "#xxx" ];
- extraEnviron = {
- REAKTOR_HOST = "irc.r";
- };
- plugins = with pkgs.ReaktorPlugins; [
- sed-plugin
- ];
- };
-}
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 71c3aaada..698344b09 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -97,10 +97,13 @@ let
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
- vnoremap u <nop>
+
+ let g:ackprg = 'ag --vimgrep'
+ cnoreabbrev Ack Ack!
'';
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+ pkgs.vimPlugins.ack-vim
pkgs.vimPlugins.Gundo
pkgs.vimPlugins.Syntastic
pkgs.vimPlugins.undotree
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 17c39a5f4..6e185a4d6 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -73,17 +73,6 @@ in {
allowKeysForGroup = true;
group = "lasscert";
};
- certs."cgit.lassul.us" = {
- email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/acme-challenges";
- plugins = [
- "account_key.json"
- "key.pem"
- "fullchain.pem"
- ];
- group = "nginx";
- allowKeysForGroup = true;
- };
};
krebs.tinc_graphs.enable = true;
@@ -119,8 +108,8 @@ in {
];
services.nginx.virtualHosts."lassul.us" = {
+ addSSL = true;
enableACME = true;
- serverAliases = [ "lassul.us" ];
locations."/".extraConfig = ''
root /srv/http/lassul.us;
'';
@@ -158,30 +147,12 @@ in {
in ''
alias ${initscript};
'';
-
- enableSSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
- sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
services.nginx.virtualHosts.cgit = {
- serverAliases = [
- "cgit.lassul.us"
- ];
- locations."/.well-known/acme-challenge".extraConfig = ''
- root /var/lib/acme/acme-challenges;
- '';
- enableSSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
- sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
+ serverName = "cgit.lassul.us";
+ addSSL = true;
+ enableACME = true;
};
users.users.blog = {
diff --git a/lass/2configs/xresources.nix b/lass/2configs/xresources.nix
index adbcd353d..a3c54f3a1 100644
--- a/lass/2configs/xresources.nix
+++ b/lass/2configs/xresources.nix
@@ -8,8 +8,10 @@ let
URxvt*scrollBar: false
URxvt*urgentOnBell: true
URxvt*SaveLines: 4096
- URxvt*font: ${config.lass.myFont}
- URxvt*boldFont: ${config.lass.myFont}
+
+ URxvt.font: ${config.lass.fonts.regular}
+ URxvt.boldFont: ${config.lass.fonts.bold}
+ URxvt.italicFont: ${config.lass.fonts.italic}
! ref https://github.com/muennich/urxvt-perls
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index b1fca08d3..68bcfa340 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
+with import <stockholm/lib>;
+{ config, ... }: let
- # XXX this is a placeholder that happens to work the default strings.
- toErlang = builtins.toJSON;
-in toFile "ejabberd.conf" ''
- {loglevel, 3}.
- {hosts, ${toErlang cfg.hosts}}.
- {listen,
- [
- {5222, ejabberd_c2s, [
- starttls,
- {certfile, ${toErlang cfg.certfile.path}},
- {access, c2s},
- {shaper, c2s_shaper},
- {max_stanza_size, 65536}
- ]},
- {5269, ejabberd_s2s_in, [
- {shaper, s2s_shaper},
- {max_stanza_size, 131072}
- ]},
- {5280, ejabberd_http, [
- captcha,
- http_bind,
- http_poll,
- web_admin
- ]}
- ]}.
- {s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
- {auth_method, internal}.
- {shaper, normal, {maxrate, 1000}}.
- {shaper, fast, {maxrate, 50000}}.
- {max_fsm_queue, 1000}.
- {acl, local, {user_regexp, ""}}.
- {access, max_user_sessions, [{10, all}]}.
- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
- {access, local, [{allow, local}]}.
- {access, c2s, [{deny, blocked},
- {allow, all}]}.
- {access, c2s_shaper, [{none, admin},
- {normal, all}]}.
- {access, s2s_shaper, [{fast, all}]}.
- {access, announce, [{allow, admin}]}.
- {access, configure, [{allow, admin}]}.
- {access, muc_admin, [{allow, admin}]}.
- {access, muc_create, [{allow, local}]}.
- {access, muc, [{allow, all}]}.
- {access, pubsub_createnode, [{allow, local}]}.
- {access, register, [{allow, local}]}.
- {language, "en"}.
- {modules,
- [
- {mod_adhoc, []},
- {mod_announce, [{access, announce}]},
- {mod_blocking,[]},
- {mod_caps, []},
- {mod_configure,[]},
- {mod_disco, []},
- {mod_irc, []},
- {mod_http_bind, []},
- {mod_last, []},
- {mod_muc, [
- {access, muc},
- {access_create, muc_create},
- {access_persistent, muc_create},
- {access_admin, muc_admin}
- ]},
- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
- {mod_ping, []},
- {mod_privacy, []},
- {mod_private, []},
- {mod_pubsub, [
- {access_createnode, pubsub_createnode},
- {ignore_pep_from_offline, true},
- {last_item_cache, false},
- {plugins, ["flat", "hometree", "pep"]}
- ]},
- {mod_register, [
- {welcome_message, {"Welcome!",
- "Hi.\nWelcome to this XMPP server."}},
- {ip_access, [{allow, "127.0.0.0/8"},
- {allow, "0.0.0.0/0"}]},
- {access, register}
- ]},
- {mod_roster, []},
- {mod_shared_roster,[]},
- {mod_stats, []},
- {mod_time, []},
- {mod_vcard, []},
- {mod_version, []}
- ]}.
+ # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
+
+ ciphers = concatStringsSep ":" [
+ "ECDHE-ECDSA-AES256-GCM-SHA384"
+ "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ "ECDHE-ECDSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-SHA384"
+ "ECDHE-RSA-AES256-SHA384"
+ "ECDHE-ECDSA-AES128-SHA256"
+ "ECDHE-RSA-AES128-SHA256"
+ ];
+
+ protocol_options = [
+ "no_sslv2"
+ "no_sslv3"
+ "no_tlsv1"
+ "no_tlsv1_10"
+ ];
+
+in /* yaml */ ''
+
+ access_rules:
+ announce:
+ - allow: admin
+ local:
+ - allow: local
+ configure:
+ - allow: admin
+ register:
+ - allow
+ s2s:
+ - allow
+ trusted_network:
+ - allow: loopback
+
+ acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+ - "::1/128"
+ - "::FFFF:127.0.0.1/128"
+
+ hosts: ${toJSON config.hosts}
+
+ language: "en"
+
+ listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ shaper: c2s_shaper
+ certfile: ${toJSON config.certfile.path}
+ ciphers: ${toJSON ciphers}
+ dhfile: ${toJSON config.dhfile.path}
+ protocol_options: ${toJSON protocol_options}
+ starttls: true
+ starttls_required: true
+ tls: false
+ tls_compression: false
+ max_stanza_size: 65536
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ shaper: s2s_shaper
+ max_stanza_size: 131072
+
+ loglevel: 4
+
+ modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_echo: {}
+ mod_irc: {}
+ mod_bosh: {}
+ mod_last: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_register:
+ access_from: deny
+ access: register
+ ip_access: trusted_network
+ registration_watchers: ${toJSON config.registration_watchers}
+ mod_roster: {}
+ mod_shared_roster: {}
+ mod_stats: {}
+ mod_time: {}
+ mod_vcard:
+ search: false
+ mod_version: {}
+ mod_http_api: {}
+
+ s2s_access: s2s
+ s2s_certfile: ${toJSON config.s2s_certfile.path}
+ s2s_ciphers: ${toJSON ciphers}
+ s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_protocol_options: ${toJSON protocol_options}
+ s2s_tls_compression: false
+ s2s_use_starttls: required
+
+ shaper_rules:
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
+ max_user_sessions: 10
+ c2s_shaper:
+ - none: admin
+ - normal
+ s2s_shaper: fast
''
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
index e2fba5ff5..4838a9093 100644
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@@ -1,5 +1,16 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
cfg = config.lass.ejabberd;
+
+ gen-dhparam = pkgs.writeDash "gen-dhparam" ''
+ set -efu
+ path=$1
+ bits=2048
+ # TODO regenerate dhfile after some time?
+ if ! test -e "$path"; then
+ ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
+ fi
+ '';
+
in {
options.lass.ejabberd = {
enable = mkEnableOption "lass.ejabberd";
@@ -11,20 +22,36 @@ in {
source-path = "/var/lib/acme/lassul.us/full.pem";
};
};
+ dhfile = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "${cfg.user.home}/dhparams.pem";
+ owner = cfg.user;
+ source-path = "/dev/null";
+ };
+ };
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberdctl = mkOption {
type = types.package;
default = pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- export SPOOLDIR=${shell.escape cfg.user.home}
- export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
exec ${pkgs.ejabberd}/bin/ejabberdctl \
+ --config ${toFile "ejabberd.yaml" (import ./config.nix {
+ inherit pkgs;
+ config = cfg;
+ })} \
--logs ${shell.escape cfg.user.home} \
+ --spool ${shell.escape cfg.user.home} \
"$@"
'';
};
+ registration_watchers = mkOption {
+ type = types.listOf types.str;
+ default = [
+ config.krebs.users.tv.mail
+ ];
+ };
s2s_certfile = mkOption {
type = types.secret-file;
default = cfg.certfile;
@@ -50,12 +77,12 @@ in {
requires = [ "secret.service" ];
after = [ "network.target" "secret.service" ];
serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = "yes";
- PermissionsStartOnly = "true";
+ ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
+ ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
+ PermissionsStartOnly = true;
SyslogIdentifier = "ejabberd";
User = cfg.user.name;
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
+ TimeoutStartSec = 60;
};
};
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 0a2945c21..997b60b8f 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS)
import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
import XMonad.Actions.DynamicWorkspaces (withWorkspace)
import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
+import XMonad.Act