diff options
Diffstat (limited to 'tv')
-rw-r--r-- | tv/1systems/caxi/config.nix | 25 | ||||
-rw-r--r-- | tv/1systems/caxi/source.nix | 3 | ||||
-rw-r--r-- | tv/2configs/vim.nix | 1 | ||||
-rw-r--r-- | tv/3modules/ejabberd/config.nix | 218 | ||||
-rw-r--r-- | tv/3modules/ejabberd/default.nix | 42 | ||||
-rw-r--r-- | tv/5pkgs/default.nix | 35 | ||||
-rw-r--r-- | tv/5pkgs/ejabberd/default.nix | 28 | ||||
-rw-r--r-- | tv/5pkgs/simple/djbdns/default.nix (renamed from tv/5pkgs/djbdns/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/simple/q/default.nix (renamed from tv/5pkgs/q/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/simple/viljetic-pages/default.nix (renamed from tv/5pkgs/viljetic-pages/default.nix) | 0 | ||||
-rw-r--r-- | tv/5pkgs/simple/viljetic-pages/index.html (renamed from tv/5pkgs/viljetic-pages/index.html) | 0 | ||||
-rw-r--r-- | tv/5pkgs/simple/viljetic-pages/logo.xpm (renamed from tv/5pkgs/viljetic-pages/logo.xpm) | 0 | ||||
-rw-r--r-- | tv/5pkgs/simple/xmonad-tv/default.nix (renamed from tv/5pkgs/xmonad-tv/default.nix) | 0 |
13 files changed, 174 insertions, 178 deletions
diff --git a/tv/1systems/caxi/config.nix b/tv/1systems/caxi/config.nix deleted file mode 100644 index b136d1ade..000000000 --- a/tv/1systems/caxi/config.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, ... }: - -with import <stockholm/lib>; - -{ - krebs.build.host = config.krebs.hosts.caxi; - - imports = [ - <stockholm/tv> - <stockholm/tv/2configs/hw/CAC-Developer-1.nix> - <stockholm/tv/2configs/fs/CAC-CentOS-7-64bit.nix> - <stockholm/tv/2configs/retiolum.nix> - ]; - - networking = let - inherit (config.krebs.build.host.nets.internet) ip4; - in { - interfaces.enp2s1.ip4 = singleton { - address = ip4.addr; - prefixLength = fromJSON (head (match ".*/([0-9]+)" ip4.prefix)); - }; - defaultGateway = head (match "([^/]*)\.0/[0-9]+" ip4.prefix) + ".1"; - nameservers = ["8.8.8.8"]; - }; -} diff --git a/tv/1systems/caxi/source.nix b/tv/1systems/caxi/source.nix deleted file mode 100644 index bc875b768..000000000 --- a/tv/1systems/caxi/source.nix +++ /dev/null @@ -1,3 +0,0 @@ -import <stockholm/tv/source.nix> { - name = "caxi"; -} diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 7849b6f2d..f0b1cf520 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -230,6 +230,7 @@ let { ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'' ''[a-z]*Phase[ \t\r\n]*='' ]; + yaml = {}; vim.extraStart = ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; xdefaults = {}; diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix index 29c38fbe4..68bcfa340 100644 --- a/tv/3modules/ejabberd/config.nix +++ b/tv/3modules/ejabberd/config.nix @@ -1,93 +1,129 @@ -{ config, ... }: with import <stockholm/lib>; let - cfg = config.tv.ejabberd; +with import <stockholm/lib>; +{ config, ... }: let - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; -in toFile "ejabberd.conf" '' - {loglevel, 3}. - {hosts, ${toErlang cfg.hosts}}. - {listen, - [ - {5222, ejabberd_c2s, [ - starttls, - {certfile, ${toErlang cfg.certfile.path}}, - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - {5280, ejabberd_http, [ - captcha, - http_bind, - http_poll, - web_admin - ]} - ]}. - {s2s_use_starttls, required}. - {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. - {auth_method, internal}. - {shaper, normal, {maxrate, 1000}}. - {shaper, fast, {maxrate, 50000}}. - {max_fsm_queue, 1000}. - {acl, local, {user_regexp, ""}}. - {access, max_user_sessions, [{10, all}]}. - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - {access, local, [{allow, local}]}. - {access, c2s, [{deny, blocked}, - {allow, all}]}. - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - {access, s2s_shaper, [{fast, all}]}. - {access, announce, [{allow, admin}]}. - {access, configure, [{allow, admin}]}. - {access, muc_admin, [{allow, admin}]}. - {access, muc_create, [{allow, local}]}. - {access, muc, [{allow, all}]}. - {access, pubsub_createnode, [{allow, local}]}. - {access, register, [{allow, all}]}. - {language, "en"}. - {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, - {mod_blocking,[]}, - {mod_caps, []}, - {mod_configure,[]}, - {mod_disco, []}, - {mod_irc, []}, - {mod_http_bind, []}, - {mod_last, []}, - {mod_muc, [ - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - {mod_privacy, []}, - {mod_private, []}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} - ]}, - {mod_register, [ - {welcome_message, {"Welcome!", - "Hi.\nWelcome to this XMPP server."}}, - {ip_access, [{allow, "127.0.0.0/8"}, - {deny, "0.0.0.0/0"}]}, - {access, register} - ]}, - {mod_roster, []}, - {mod_shared_roster,[]}, - {mod_stats, []}, - {mod_time, []}, - {mod_vcard, []}, - {mod_version, []} - ]}. + # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example + + ciphers = concatStringsSep ":" [ + "ECDHE-ECDSA-AES256-GCM-SHA384" + "ECDHE-RSA-AES256-GCM-SHA384" + "ECDHE-ECDSA-CHACHA20-POLY1305" + "ECDHE-RSA-CHACHA20-POLY1305" + "ECDHE-ECDSA-AES128-GCM-SHA256" + "ECDHE-RSA-AES128-GCM-SHA256" + "ECDHE-ECDSA-AES256-SHA384" + "ECDHE-RSA-AES256-SHA384" + "ECDHE-ECDSA-AES128-SHA256" + "ECDHE-RSA-AES128-SHA256" + ]; + + protocol_options = [ + "no_sslv2" + "no_sslv3" + "no_tlsv1" + "no_tlsv1_10" + ]; + +in /* yaml */ '' + + access_rules: + announce: + - allow: admin + local: + - allow: local + configure: + - allow: admin + register: + - allow + s2s: + - allow + trusted_network: + - allow: loopback + + acl: + local: + user_regexp: "" + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + + hosts: ${toJSON config.hosts} + + language: "en" + + listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + shaper: c2s_shaper + certfile: ${toJSON config.certfile.path} + ciphers: ${toJSON ciphers} + dhfile: ${toJSON config.dhfile.path} + protocol_options: ${toJSON protocol_options} + starttls: true + starttls_required: true + tls: false + tls_compression: false + max_stanza_size: 65536 + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + shaper: s2s_shaper + max_stanza_size: 131072 + + loglevel: 4 + + modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_echo: {} + mod_irc: {} + mod_bosh: {} + mod_last: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_register: + access_from: deny + access: register + ip_access: trusted_network + registration_watchers: ${toJSON config.registration_watchers} + mod_roster: {} + mod_shared_roster: {} + mod_stats: {} + mod_time: {} + mod_vcard: + search: false + mod_version: {} + mod_http_api: {} + + s2s_access: s2s + s2s_certfile: ${toJSON config.s2s_certfile.path} + s2s_ciphers: ${toJSON ciphers} + s2s_dhfile: ${toJSON config.dhfile.path} + s2s_protocol_options: ${toJSON protocol_options} + s2s_tls_compression: false + s2s_use_starttls: required + + shaper_rules: + max_user_offline_messages: + - 5000: admin + - 100 + max_user_sessions: 10 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast '' diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 4d3493d78..d7b8deb7e 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -1,5 +1,17 @@ { config, lib, pkgs, ... }@args: with import <stockholm/lib>; let + cfg = config.tv.ejabberd; + + gen-dhparam = pkgs.writeDash "gen-dhparam" '' + set -efu + path=$1 + bits=2048 + # TODO regenerate dhfile after some time? + if ! test -e "$path"; then + ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" + fi + ''; + in { options.tv.ejabberd = { enable = mkEnableOption "tv.ejabberd"; @@ -11,20 +23,36 @@ in { source-path = toString <secrets> + "/ejabberd.pem"; }; }; + dhfile = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/dhparams.pem"; + owner = cfg.user; + source-path = "/dev/null"; + }; + }; hosts = mkOption { type = with types; listOf str; }; pkgs.ejabberdctl = mkOption { type = types.package; default = pkgs.writeDashBin "ejabberdctl" '' - set -efu - export SPOOLDIR=${shell.escape cfg.user.home} - export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)} exec ${pkgs.ejabberd}/bin/ejabberdctl \ + --config ${toFile "ejabberd.yaml" (import ./config.nix { + inherit pkgs; + config = cfg; + })} \ --logs ${shell.escape cfg.user.home} \ + --spool ${shell.escape cfg.user.home} \ "$@" ''; }; + registration_watchers = mkOption { + type = types.listOf types.str; + default = [ + config.krebs.users.tv.mail + ]; + }; s2s_certfile = mkOption { type = types.secret-file; default = cfg.certfile; @@ -50,12 +78,12 @@ in { requires = [ "secret.service" ]; after = [ "network.target" "secret.service" ]; serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - PermissionsStartOnly = "true"; + ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; + ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; + PermissionsStartOnly = true; SyslogIdentifier = "ejabberd"; User = cfg.user.name; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start"; + TimeoutStartSec = 60; }; }; diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 284e42a79..8a7a613ba 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -1,22 +1,18 @@ with import <stockholm/lib>; -self: super: let - # This callPackage will try to detect obsolete overrides. - callPackage = path: args: let - override = super.callPackage path args; - upstream = optionalAttrs (override ? "name") - (super.${(parseDrvName override.name).name} or {}); - in if upstream ? "name" && - override ? "name" && - compareVersions upstream.name override.name != -1 - then - trace - "Upstream `${upstream.name}' gets overridden by `${override.name}'." - override - else override; +self: super: -in { +# Import files and subdirectories like they are overlays. +foldl' mergeAttrs {} + (map + (name: import (./. + "/${name}") self super) + (filter + (name: name != "default.nix" && !hasPrefix "." name) + (attrNames (readDir ./.)))) +// + +{ # TODO use XDG_RUNTIME_DIR? cr = self.writeDashBin "cr" '' set -efu @@ -28,10 +24,6 @@ in { "$@" ''; - ejabberd = callPackage ./ejabberd { - erlang = self.erlangR16; - }; - ff = self.writeDashBin "ff" '' exec ${self.firefoxWrapper}/bin/firefox "$@" ''; @@ -46,9 +38,4 @@ in { sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73"; }) {}; in nixpkgs-1509.wvdial; - } - -// mapAttrs (_: flip callPackage {}) - (filterAttrs (_: dir: pathExists (dir + "/default.nix")) - (subdirsOf ./.)) diff --git a/tv/5pkgs/ejabberd/default.nix b/tv/5pkgs/ejabberd/default.nix deleted file mode 100644 index 3a77c5cd1..000000000 --- a/tv/5pkgs/ejabberd/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}: - -stdenv.mkDerivation rec { - version = "2.1.13"; - name = "ejabberd-${version}"; - src = fetchurl { - url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz"; - sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8"; - }; - buildInputs = [ expat erlang zlib openssl pam ]; - patchPhase = '' - sed -i \ - -e "s|erl \\\|${erlang}/bin/erl \\\|" \ - -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \ - src/ejabberdctl.template - ''; - preConfigure = '' - cd src - ''; - configureFlags = ["--enable-pam"]; - - meta = { - description = "Open-source XMPP application server written in Erlang"; - license = stdenv.lib.licenses.gpl2; - homepage = http://www.ejabberd.im; - maintainers = [ lib.maintainers.sander ]; - }; -} diff --git a/tv/5pkgs/djbdns/default.nix b/tv/5pkgs/simple/djbdns/default.nix index ad5a530bd..ad5a530bd 100644 --- a/tv/5pkgs/djbdns/default.nix +++ b/tv/5pkgs/simple/djbdns/default.nix diff --git a/tv/5pkgs/q/default.nix b/tv/5pkgs/simple/q/default.nix index 2e7aa5cf2..2e7aa5cf2 100644 --- a/tv/5pkgs/q/default.nix +++ b/tv/5pkgs/simple/q/default.nix diff --git a/tv/5pkgs/viljetic-pages/default.nix b/tv/5pkgs/simple/viljetic-pages/default.nix index 1ae55cca7..1ae55cca7 100644 --- a/tv/5pkgs/viljetic-pages/default.nix +++ b/tv/5pkgs/simple/viljetic-pages/default.nix diff --git a/tv/5pkgs/viljetic-pages/index.html b/tv/5pkgs/simple/viljetic-pages/index.html index c06b3f97b..c06b3f97b 100644 --- a/tv/5pkgs/viljetic-pages/index.html +++ b/tv/5pkgs/simple/viljetic-pages/index.html diff --git a/tv/5pkgs/viljetic-pages/logo.xpm b/tv/5pkgs/simple/viljetic-pages/logo.xpm index bb263dad9..bb263dad9 100644 --- a/tv/5pkgs/viljetic-pages/logo.xpm +++ b/tv/5pkgs/simple/viljetic-pages/logo.xpm diff --git a/tv/5pkgs/xmonad-tv/default.nix b/tv/5pkgs/simple/xmonad-tv/default.nix index 5ac8f8372..5ac8f8372 100644 --- a/tv/5pkgs/xmonad-tv/default.nix +++ b/tv/5pkgs/simple/xmonad-tv/default.nix |