Diffstat (limited to 'tv')
-rw-r--r--tv/1systems/caxi/config.nix25
-rw-r--r--tv/1systems/caxi/source.nix3
-rw-r--r--tv/2configs/vim.nix1
-rw-r--r--tv/3modules/ejabberd/config.nix218
-rw-r--r--tv/3modules/ejabberd/default.nix42
-rw-r--r--tv/5pkgs/default.nix35
-rw-r--r--tv/5pkgs/ejabberd/default.nix28
-rw-r--r--tv/5pkgs/simple/djbdns/default.nix (renamed from tv/5pkgs/djbdns/default.nix)0
-rw-r--r--tv/5pkgs/simple/q/default.nix (renamed from tv/5pkgs/q/default.nix)0
-rw-r--r--tv/5pkgs/simple/viljetic-pages/default.nix (renamed from tv/5pkgs/viljetic-pages/default.nix)0
-rw-r--r--tv/5pkgs/simple/viljetic-pages/index.html (renamed from tv/5pkgs/viljetic-pages/index.html)0
-rw-r--r--tv/5pkgs/simple/viljetic-pages/logo.xpm (renamed from tv/5pkgs/viljetic-pages/logo.xpm)0
-rw-r--r--tv/5pkgs/simple/xmonad-tv/default.nix (renamed from tv/5pkgs/xmonad-tv/default.nix)0
13 files changed, 174 insertions, 178 deletions
diff --git a/tv/1systems/caxi/config.nix b/tv/1systems/caxi/config.nix
deleted file mode 100644
index b136d1ade..000000000
--- a/tv/1systems/caxi/config.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, ... }:
-
-with import <stockholm/lib>;
-
-{
- krebs.build.host = config.krebs.hosts.caxi;
-
- imports = [
- <stockholm/tv>
- <stockholm/tv/2configs/hw/CAC-Developer-1.nix>
- <stockholm/tv/2configs/fs/CAC-CentOS-7-64bit.nix>
- <stockholm/tv/2configs/retiolum.nix>
- ];
-
- networking = let
- inherit (config.krebs.build.host.nets.internet) ip4;
- in {
- interfaces.enp2s1.ip4 = singleton {
- address = ip4.addr;
- prefixLength = fromJSON (head (match ".*/([0-9]+)" ip4.prefix));
- };
- defaultGateway = head (match "([^/]*)\.0/[0-9]+" ip4.prefix) + ".1";
- nameservers = ["8.8.8.8"];
- };
-}
diff --git a/tv/1systems/caxi/source.nix b/tv/1systems/caxi/source.nix
deleted file mode 100644
index bc875b768..000000000
--- a/tv/1systems/caxi/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/tv/source.nix> {
- name = "caxi";
-}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index 7849b6f2d..f0b1cf520 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -230,6 +230,7 @@ let {
''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"''
''[a-z]*Phase[ \t\r\n]*=''
];
+ yaml = {};
vim.extraStart =
''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
xdefaults = {};
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
index 29c38fbe4..68bcfa340 100644
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
- cfg = config.tv.ejabberd;
+with import <stockholm/lib>;
+{ config, ... }: let
- # XXX this is a placeholder that happens to work the default strings.
- toErlang = builtins.toJSON;
-in toFile "ejabberd.conf" ''
- {loglevel, 3}.
- {hosts, ${toErlang cfg.hosts}}.
- {listen,
- [
- {5222, ejabberd_c2s, [
- starttls,
- {certfile, ${toErlang cfg.certfile.path}},
- {access, c2s},
- {shaper, c2s_shaper},
- {max_stanza_size, 65536}
- ]},
- {5269, ejabberd_s2s_in, [
- {shaper, s2s_shaper},
- {max_stanza_size, 131072}
- ]},
- {5280, ejabberd_http, [
- captcha,
- http_bind,
- http_poll,
- web_admin
- ]}
- ]}.
- {s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
- {auth_method, internal}.
- {shaper, normal, {maxrate, 1000}}.
- {shaper, fast, {maxrate, 50000}}.
- {max_fsm_queue, 1000}.
- {acl, local, {user_regexp, ""}}.
- {access, max_user_sessions, [{10, all}]}.
- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
- {access, local, [{allow, local}]}.
- {access, c2s, [{deny, blocked},
- {allow, all}]}.
- {access, c2s_shaper, [{none, admin},
- {normal, all}]}.
- {access, s2s_shaper, [{fast, all}]}.
- {access, announce, [{allow, admin}]}.
- {access, configure, [{allow, admin}]}.
- {access, muc_admin, [{allow, admin}]}.
- {access, muc_create, [{allow, local}]}.
- {access, muc, [{allow, all}]}.
- {access, pubsub_createnode, [{allow, local}]}.
- {access, register, [{allow, all}]}.
- {language, "en"}.
- {modules,
- [
- {mod_adhoc, []},
- {mod_announce, [{access, announce}]},
- {mod_blocking,[]},
- {mod_caps, []},
- {mod_configure,[]},
- {mod_disco, []},
- {mod_irc, []},
- {mod_http_bind, []},
- {mod_last, []},
- {mod_muc, [
- {access, muc},
- {access_create, muc_create},
- {access_persistent, muc_create},
- {access_admin, muc_admin}
- ]},
- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
- {mod_ping, []},
- {mod_privacy, []},
- {mod_private, []},
- {mod_pubsub, [
- {access_createnode, pubsub_createnode},
- {ignore_pep_from_offline, true},
- {last_item_cache, false},
- {plugins, ["flat", "hometree", "pep"]}
- ]},
- {mod_register, [
- {welcome_message, {"Welcome!",
- "Hi.\nWelcome to this XMPP server."}},
- {ip_access, [{allow, "127.0.0.0/8"},
- {deny, "0.0.0.0/0"}]},
- {access, register}
- ]},
- {mod_roster, []},
- {mod_shared_roster,[]},
- {mod_stats, []},
- {mod_time, []},
- {mod_vcard, []},
- {mod_version, []}
- ]}.
+ # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
+
+ ciphers = concatStringsSep ":" [
+ "ECDHE-ECDSA-AES256-GCM-SHA384"
+ "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ "ECDHE-ECDSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-SHA384"
+ "ECDHE-RSA-AES256-SHA384"
+ "ECDHE-ECDSA-AES128-SHA256"
+ "ECDHE-RSA-AES128-SHA256"
+ ];
+
+ protocol_options = [
+ "no_sslv2"
+ "no_sslv3"
+ "no_tlsv1"
+ "no_tlsv1_10"
+ ];
+
+in /* yaml */ ''
+
+ access_rules:
+ announce:
+ - allow: admin
+ local:
+ - allow: local
+ configure:
+ - allow: admin
+ register:
+ - allow
+ s2s:
+ - allow
+ trusted_network:
+ - allow: loopback
+
+ acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+ - "::1/128"
+ - "::FFFF:127.0.0.1/128"
+
+ hosts: ${toJSON config.hosts}
+
+ language: "en"
+
+ listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ shaper: c2s_shaper
+ certfile: ${toJSON config.certfile.path}
+ ciphers: ${toJSON ciphers}
+ dhfile: ${toJSON config.dhfile.path}
+ protocol_options: ${toJSON protocol_options}
+ starttls: true
+ starttls_required: true
+ tls: false
+ tls_compression: false
+ max_stanza_size: 65536
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ shaper: s2s_shaper
+ max_stanza_size: 131072
+
+ loglevel: 4
+
+ modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_echo: {}
+ mod_irc: {}
+ mod_bosh: {}
+ mod_last: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_register:
+ access_from: deny
+ access: register
+ ip_access: trusted_network
+ registration_watchers: ${toJSON config.registration_watchers}
+ mod_roster: {}
+ mod_shared_roster: {}
+ mod_stats: {}
+ mod_time: {}
+ mod_vcard:
+ search: false
+ mod_version: {}
+ mod_http_api: {}
+
+ s2s_access: s2s
+ s2s_certfile: ${toJSON config.s2s_certfile.path}
+ s2s_ciphers: ${toJSON ciphers}
+ s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_protocol_options: ${toJSON protocol_options}
+ s2s_tls_compression: false
+ s2s_use_starttls: required
+
+ shaper_rules:
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
+ max_user_sessions: 10
+ c2s_shaper:
+ - none: admin
+ - normal
+ s2s_shaper: fast
''
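Review bot: The `protocol_options` entry `"no_tlsv1_10"` does not match the name ejabberd/fast_tls uses for refusing TLS 1.1, which is `no_tlsv1_1`, and as far as I can tell an unrecognized option name is not reported as an error, so the intent to disable TLS 1.1 on the c2s listener and on s2s (`s2s_protocol_options` reuses the same list) would silently not take effect. Change the entry to `"no_tlsv1_1"` and consider a one-line comment above the list naming the accepted values (`no_sslv2`, `no_sslv3`, `no_tlsv1`, `no_tlsv1_1`, `no_tlsv1_2`) so a later edit does not reintroduce a typo. A smaller point: `mod_http_api: {}` is enabled while no `ejabberd_http` listener is declared; if leaving the HTTP API unexposed is intentional, a comment saying so would help, otherwise the module should stay out until a listener with explicit `request_handlers` and access rules exists.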
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 4d3493d78..d7b8deb7e 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -1,5 +1,17 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
+
cfg = config.tv.ejabberd;
+
+ gen-dhparam = pkgs.writeDash "gen-dhparam" ''
+ set -efu
+ path=$1
+ bits=2048
+ # TODO regenerate dhfile after some time?
+ if ! test -e "$path"; then
+ ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
+ fi
+ '';
+
in {
options.tv.ejabberd = {
enable = mkEnableOption "tv.ejabberd";
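Review bot: In `gen-dhparam` the redirection `> "$path"` creates the output file before `openssl dhparam` runs, so an interrupted generation (process killed, unit start timeout, disk full) leaves a truncated or empty `dhparams.pem` behind, and the `test -e` guard then treats it as complete on every later start. Write to a temporary name and rename only on success, e.g. `${pkgs.openssl}/bin/openssl dhparam -out "$path.tmp" "$bits" && mv "$path.tmp" "$path"`, so a complete file is the only thing that ever sits at `$path`. The `TODO regenerate` comment could also note that the check is existence-only, so an empty file counts as present. The enclosing `let` and the option set it introduces continue past this hunk.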
@@ -11,20 +23,36 @@ in {
source-path = toString <secrets> + "/ejabberd.pem";
};
};
+ dhfile = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "${cfg.user.home}/dhparams.pem";
+ owner = cfg.user;
+ source-path = "/dev/null";
+ };
+ };
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberdctl = mkOption {
type = types.package;
default = pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- export SPOOLDIR=${shell.escape cfg.user.home}
- export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
exec ${pkgs.ejabberd}/bin/ejabberdctl \
+ --config ${toFile "ejabberd.yaml" (import ./config.nix {
+ inherit pkgs;
+ config = cfg;
+ })} \
--logs ${shell.escape cfg.user.home} \
+ --spool ${shell.escape cfg.user.home} \
"$@"
'';
};
+ registration_watchers = mkOption {
+ type = types.listOf types.str;
+ default = [
+ config.krebs.users.tv.mail
+ ];
+ };
s2s_certfile = mkOption {
type = types.secret-file;
default = cfg.certfile;
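Review bot: The `dhfile` default declares a `types.secret-file` with `source-path = "/dev/null"`, and the unit is ordered after `secret.service`; if that service materializes `source-path` at `path` (I cannot see its implementation from here), an empty `dhparams.pem` would exist before `gen-dhparam` runs and its existence check would skip generation, leaving the listener with an unusable DH file. Please confirm what `secret.service` does with a `/dev/null` source and, if it copies, either keep `dhfile` out of that mechanism or make the generator test for a non-empty file (`test -s`). A short comment on the option, e.g. `# DH parameters are public; generated on first start by gen-dhparam rather than shipped as a secret`, would explain why a secret-file type carries a `/dev/null` source. Also worth a comment at `--config`: the rendered `ejabberd.yaml` lives in the world-readable Nix store, which is acceptable only because it embeds file paths and host names, never certificate or key contents.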
@@ -50,12 +78,12 @@ in {
requires = [ "secret.service" ];
after = [ "network.target" "secret.service" ];
serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = "yes";
- PermissionsStartOnly = "true";
+ ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
+ ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
+ PermissionsStartOnly = true;
SyslogIdentifier = "ejabberd";
User = cfg.user.name;
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
+ TimeoutStartSec = 60;
};
};
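Review bot: `TimeoutStartSec = 60` now also bounds `ExecStartPre`, and generating 2048-bit DH parameters with `openssl dhparam` routinely takes longer than a minute on small or virtual hosts, so the first start after deployment can be killed mid-generation, and with the generator as written that leaves a partial file behind. Either raise the timeout for this unit or move the one-off generation into its own `oneshot` unit that ejabberd orders `after` and `requires`. Separately, with `PermissionsStartOnly = true` the pre-step runs as root while writing into `${cfg.user.home}`, a directory owned by the unprivileged service user; since the file is meant to be owned by that user anyway, running the pre-step as `User` (or generating into a root-owned location) avoids a privileged process following paths the service user controls. If `PermissionsStartOnly` is needed for some other reason, a comment saying which would help the next reader.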
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index 284e42a79..8a7a613ba 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -1,22 +1,18 @@
with import <stockholm/lib>;
-self: super: let
- # This callPackage will try to detect obsolete overrides.
- callPackage = path: args: let
- override = super.callPackage path args;
- upstream = optionalAttrs (override ? "name")
- (super.${(parseDrvName override.name).name} or {});
- in if upstream ? "name" &&
- override ? "name" &&
- compareVersions upstream.name override.name != -1
- then
- trace
- "Upstream `${upstream.name}' gets overridden by `${override.name}'."
- override
- else override;
+self: super:
-in {
+# Import files and subdirectories like they are overlays.
+foldl' mergeAttrs {}
+ (map
+ (name: import (./. + "/${name}") self super)
+ (filter
+ (name: name != "default.nix" && !hasPrefix "." name)
+ (attrNames (readDir ./.))))
+//
+
+{
# TODO use XDG_RUNTIME_DIR?
cr = self.writeDashBin "cr" ''
set -efu
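Review bot: The overlay fold `foldl' mergeAttrs {}` merges sibling overlays shallowly, so an attribute defined by two entries of this directory is silently replaced by whichever sorts later in `attrNames`, with no trace or assertion to surface the collision. The filter also keeps every non-hidden name other than `default.nix` regardless of the entry type `readDir` reports, so any non-Nix regular file dropped into `tv/5pkgs` (a README, an editor backup) would make `import` fail for the whole overlay; `(attrNames (filterAttrs (name: type: type == "directory" || hasSuffix ".nix" name) (readDir ./.)))` would make the convention explicit. A comment on the fold stating that every entry must evaluate to an overlay function `self: super: { ... }` would also help, since the move of packages into `simple/` implies that convention but nothing here documents it.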
@@ -28,10 +24,6 @@ in {
"$@"
'';
- ejabberd = callPackage ./ejabberd {
- erlang = self.erlangR16;
- };
-
ff = self.writeDashBin "ff" ''
exec ${self.firefoxWrapper}/bin/firefox "$@"
'';
@@ -46,9 +38,4 @@ in {
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
in nixpkgs-1509.wvdial;
-
}
-
-// mapAttrs (_: flip callPackage {})
- (filterAttrs (_: dir: pathExists (dir + "/default.nix"))
- (subdirsOf ./.))
diff --git a/tv/5pkgs/ejabberd/default.nix b/tv/5pkgs/ejabberd/default.nix
deleted file mode 100644
index 3a77c5cd1..000000000
--- a/tv/5pkgs/ejabberd/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}:
-
-stdenv.mkDerivation rec {
- version = "2.1.13";
- name = "ejabberd-${version}";
- src = fetchurl {
- url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
- sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8";
- };
- buildInputs = [ expat erlang zlib openssl pam ];
- patchPhase = ''
- sed -i \
- -e "s|erl \\\|${erlang}/bin/erl \\\|" \
- -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \
- src/ejabberdctl.template
- '';
- preConfigure = ''
- cd src
- '';
- configureFlags = ["--enable-pam"];
-
- meta = {
- description = "Open-source XMPP application server written in Erlang";
- license = stdenv.lib.licenses.gpl2;
- homepage = http://www.ejabberd.im;
- maintainers = [ lib.maintainers.sander ];
- };
-}
diff --git a/tv/5pkgs/djbdns/default.nix b/tv/5pkgs/simple/djbdns/default.nix
index ad5a530bd..ad5a530bd 100644
--- a/tv/5pkgs/djbdns/default.nix
+++ b/tv/5pkgs/simple/djbdns/default.nix
diff --git a/tv/5pkgs/q/default.nix b/tv/5pkgs/simple/q/default.nix
index 2e7aa5cf2..2e7aa5cf2 100644
--- a/tv/5pkgs/q/default.nix
+++ b/tv/5pkgs/simple/q/default.nix
diff --git a/tv/5pkgs/viljetic-pages/default.nix b/tv/5pkgs/simple/viljetic-pages/default.nix
index 1ae55cca7..1ae55cca7 100644
--- a/tv/5pkgs/viljetic-pages/default.nix
+++ b/tv/5pkgs/simple/viljetic-pages/default.nix
diff --git a/tv/5pkgs/viljetic-pages/index.html b/tv/5pkgs/simple/viljetic-pages/index.html
index c06b3f97b..c06b3f97b 100644
--- a/tv/5pkgs/viljetic-pages/index.html
+++ b/tv/5pkgs/simple/viljetic-pages/index.html
diff --git a/tv/5pkgs/viljetic-pages/logo.xpm b/tv/5pkgs/simple/viljetic-pages/logo.xpm
index bb263dad9..bb263dad9 100644
--- a/tv/5pkgs/viljetic-pages/logo.xpm
+++ b/tv/5pkgs/simple/viljetic-pages/logo.xpm
diff --git a/tv/5pkgs/xmonad-tv/default.nix b/tv/5pkgs/simple/xmonad-tv/default.nix
index 5ac8f8372..5ac8f8372 100644
--- a/tv/5pkgs/xmonad-tv/default.nix
+++ b/tv/5pkgs/simple/xmonad-tv/default.nix