From b4ca66d23ab27f742d49057f28b7b4e03d7dfabe Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 25 May 2016 11:06:22 +0200
Subject: [PATCH 1/5] tv xserver: refactor

---
 tv/2configs/xserver/default.nix | 223 +++++++++++++++-----------------
 tv/5pkgs/default.nix            |   1 +
 2 files changed, 107 insertions(+), 117 deletions(-)

diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index b5b116786..10db7f57d 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -1,135 +1,124 @@
-{ config, lib, pkgs, ... }@args:
-
+{ config, pkgs, ... }@args:
 with config.krebs.lib;
-
 let
   # TODO krebs.build.user
   user = config.users.users.tv;
+in {
 
-  out = {
-    services.xserver.display = 11;
-    services.xserver.tty = 11;
+  environment.systemPackages = [
+    pkgs.ff
+    pkgs.gitAndTools.qgit
+    pkgs.mpv
+    pkgs.sxiv
+    pkgs.xsel
+    pkgs.zathura
+  ];
 
-    services.xserver.synaptics = {
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+
+  # TODO dedicated group, i.e. with a single user
+  # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
+  krebs.setuid.slock = {
+    filename = "${pkgs.slock}/bin/slock";
+    group = "wheel";
+    envp = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+      USER = user.name;
+    };
+  };
+
+  services.xserver = {
+    enable = true;
+    display = 11;
+    tty = 11;
+
+    synaptics = {
       enable = true;
       twoFingerScroll = true;
       accelFactor = "0.035";
     };
+  };
 
-    fonts.fonts = [
-      pkgs.xlibs.fontschumachermisc
+  systemd.services.display-manager.enable = false;
+
+  systemd.services.xmonad = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "xserver.service" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+
+      XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+        ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+        ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
+        ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
+        ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+        wait
+      '';
+
+      XMONAD_STATE = "/tmp/xmonad.state";
+
+      # XXX JSON is close enough :)
+      XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+        "Dashboard" # we start here
+        "23"
+        "cr"
+        "ff"
+        "hack"
+        "im"
+        "mail"
+        "stockholm"
+        "za" "zh" "zj" "zs"
+      ]);
+    };
+    serviceConfig = {
+      ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
+      ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
+      User = user.name;
+      WorkingDirectory = user.home;
+    };
+  };
+
+  systemd.services.xserver = {
+    after = [
+      "systemd-udev-settle.service"
+      "local-fs.target"
+      "acpid.service"
     ];
-
-    systemd.services.urxvtd = {
-      wantedBy = [ "multi-user.target" ];
-      reloadIfChanged = true;
-      serviceConfig = {
-        ExecReload = need-reload "urxvtd.service";
-        ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
-        Restart = "always";
-        RestartSec = "2s";
-        StartLimitBurst = 0;
-        User = user.name;
-      };
+    reloadIfChanged = true;
+    environment = {
+      XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
+      XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
+      LD_LIBRARY_PATH = concatStringsSep ":" (
+        [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
+        ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
     };
-
-    environment.systemPackages = [
-      pkgs.ff
-      pkgs.gitAndTools.qgit
-      pkgs.mpv
-      pkgs.sxiv
-      pkgs.xsel
-      pkgs.zathura
-    ];
-
-    # TODO dedicated group, i.e. with a single user
-    # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
-    krebs.setuid.slock = {
-      filename = "${pkgs.slock}/bin/slock";
-      group = "wheel";
-      envp = {
-        DISPLAY = ":${toString config.services.xserver.display}";
-        USER = user.name;
-      };
-    };
-
-    systemd.services.display-manager.enable = false;
-
-    services.xserver.enable = true;
-
-    systemd.services.xmonad = {
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "xserver.service" ];
-      environment = xmonad-environment;
-      serviceConfig = {
-        ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
-        ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
-        User = user.name;
-        WorkingDirectory = user.home;
-      };
-    };
-
-    systemd.services.xserver = {
-      after = [
-        "systemd-udev-settle.service"
-        "local-fs.target"
-        "acpid.service"
+    serviceConfig = {
+      SyslogIdentifier = "xserver";
+      ExecReload = "${pkgs.need-reload}/bin/need-reload xserver.service";
+      ExecStart = toString [
+        "${pkgs.xorg.xorgserver}/bin/X"
+        ":${toString config.services.xserver.display}"
+        "vt${toString config.services.xserver.tty}"
+        "-config ${import ./xserver.conf.nix args}"
+        "-logfile /var/log/X.${toString config.services.xserver.display}.log"
+        "-nolisten tcp"
+        "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
       ];
-      reloadIfChanged = true;
-      environment = xserver-environment;
-      serviceConfig = {
-        ExecReload = need-reload "xserver.service";
-        ExecStart = toString [
-          "${pkgs.xorg.xorgserver}/bin/X"
-          ":${toString config.services.xserver.display}"
-          "vt${toString config.services.xserver.tty}"
-          "-config ${import ./xserver.conf.nix args}"
-          "-logfile /var/log/X.${toString config.services.xserver.display}.log"
-          "-nolisten tcp"
-          "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
-        ];
-      };
     };
   };
 
-  xmonad-environment = {
-    DISPLAY = ":${toString config.services.xserver.display}";
-
-    XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
-      ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
-      ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
-      ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
-      ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
-      wait
-    '';
-
-    XMONAD_STATE = "/tmp/xmonad.state";
-
-    # XXX JSON is close enough :)
-    XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
-      "Dashboard" # we start here
-      "23"
-      "cr"
-      "ff"
-      "hack"
-      "im"
-      "mail"
-      "stockholm"
-      "za" "zh" "zj" "zs"
-    ]);
+  systemd.services.urxvtd = {
+    wantedBy = [ "multi-user.target" ];
+    reloadIfChanged = true;
+    serviceConfig = {
+      ExecReload = "${pkgs.need-reload}/bin/need-reload urxvtd.service";
+      ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+      User = user.name;
+    };
   };
-
-  xserver-environment = {
-    XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
-    XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-    LD_LIBRARY_PATH = concatStringsSep ":" (
-      [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
-      ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
-  };
-
-  need-reload = s: toString [
-    "${pkgs.writeDashBin "need-reload" ''echo "$*"''}/bin/need-reload"
-    (shell.escape s)
-  ];
-
-in out
+}
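Review bot: The startup hook carried over into `XMONAD_STARTUP_HOOK` runs `xhost +LOCAL:`, which grants every local account access to the display, and nothing says why that breadth is needed (presumably so the setuid slock configured in `krebs.setuid.slock` can connect under a different uid); add a comment such as `# +LOCAL: so root-side helpers (slock) can open the display; narrow to +SI:localuser:${user.name} if that is not needed`. The same service pins `XMONAD_STATE = "/tmp/xmonad.state"`, a shared-tmp path owned by whoever creates it first; either note that the path is trusted to be created by the xmonad user only or point it at a per-user runtime directory. The hunk also changes `ExecReload` from `need-reload` with `shell.escape` to a plain `need-reload xserver.service` string, which is fine only because the service names are literals; a short comment saying so would keep a later parameterisation from losing the escaping.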
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index 05dc02887..dc6082a44 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -17,6 +17,7 @@
       erlang = pkgs.erlangR16;
     };
     ff = pkgs.callPackage ./ff {};
+    need-reload = pkgs.writeDashBin "need-reload" ''echo "$*"'';
     viljetic-pages = pkgs.callPackage ./viljetic-pages {};
     xmonad-tv = import ./xmonad-tv.nix { inherit pkgs; };
   };

From 82220a1fc4a4fa4de21b33f5ce0591b2b859474a Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 25 May 2016 11:06:40 +0200
Subject: [PATCH 2/5] tv xserver: log to journal instead of file

This is a partial backport of NixOS/nixpkgs d84741a.
---
 tv/2configs/xserver/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index 10db7f57d..0eafd246b 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -95,14 +95,13 @@ in {
         ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
     };
     serviceConfig = {
-      SyslogIdentifier = "xserver";
       ExecReload = "${pkgs.need-reload}/bin/need-reload xserver.service";
       ExecStart = toString [
         "${pkgs.xorg.xorgserver}/bin/X"
         ":${toString config.services.xserver.display}"
         "vt${toString config.services.xserver.tty}"
         "-config ${import ./xserver.conf.nix args}"
-        "-logfile /var/log/X.${toString config.services.xserver.display}.log"
+        "-logfile /dev/null -logverbose 0 -verbose 3"
         "-nolisten tcp"
         "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
       ];
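Review bot: The new `-logfile /dev/null -logverbose 0 -verbose 3` entry encodes the switch to journal logging in three flags without stating the intent; add `# no log file: -verbose 3 sends the Xorg log to stderr, which the journal captures` above the ExecStart list. The commit description names the nixpkgs change being backported, so the comment could carry that reference too, which is where the next reader will look for the rest of the backport. The enclosing systemd.services.xserver block starts outside the hunk.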

From 438a445ab64da557526fc896ca14a797afe14a40 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 25 May 2016 11:15:59 +0200
Subject: [PATCH 3/5] tv xserver: normalize syslog identifiers

---
 tv/2configs/xserver/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index 0eafd246b..9e718a48f 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -73,6 +73,7 @@ in {
       ]);
     };
     serviceConfig = {
+      SyslogIdentifier = "xmonad";
       ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
       ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
       User = user.name;
@@ -95,6 +96,7 @@ in {
         ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
     };
     serviceConfig = {
+      SyslogIdentifier = "xserver";
       ExecReload = "${pkgs.need-reload}/bin/need-reload xserver.service";
       ExecStart = toString [
         "${pkgs.xorg.xorgserver}/bin/X"
@@ -112,6 +114,7 @@ in {
     wantedBy = [ "multi-user.target" ];
     reloadIfChanged = true;
     serviceConfig = {
+      SyslogIdentifier = "urxvtd";
       ExecReload = "${pkgs.need-reload}/bin/need-reload urxvtd.service";
       ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
       Restart = "always";

From 6370d2c2e2249f04202b88b35d0c945ce38b5fb8 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 25 May 2016 11:16:38 +0200
Subject: [PATCH 4/5] tv xserver: replace need-reload by echo

---
 tv/2configs/xserver/default.nix | 4 ++--
 tv/5pkgs/default.nix            | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index 9e718a48f..a4f2499ff 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -97,7 +97,7 @@ in {
     };
     serviceConfig = {
       SyslogIdentifier = "xserver";
-      ExecReload = "${pkgs.need-reload}/bin/need-reload xserver.service";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
       ExecStart = toString [
         "${pkgs.xorg.xorgserver}/bin/X"
         ":${toString config.services.xserver.display}"
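Review bot: `ExecReload = "${pkgs.coreutils}/bin/echo NOP"` together with `reloadIfChanged = true` (set just outside this hunk) means activation never restarts the unit, so changes to xserver.conf.nix or to the ExecStart arguments take effect only after a manual restart, and the intent (presumably keeping the running X session alive across a switch) is stated nowhere. Add `# deliberate no-op: reload instead of restart so switching does not kill the session; restart manually to apply unit changes` above the line; the same applies to the urxvtd ExecReload in the second hunk. The enclosing systemd.services.xserver block starts outside the hunk.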
@@ -115,7 +115,7 @@ in {
     reloadIfChanged = true;
     serviceConfig = {
       SyslogIdentifier = "urxvtd";
-      ExecReload = "${pkgs.need-reload}/bin/need-reload urxvtd.service";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
       ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
       Restart = "always";
       RestartSec = "2s";
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index dc6082a44..05dc02887 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -17,7 +17,6 @@
       erlang = pkgs.erlangR16;
     };
     ff = pkgs.callPackage ./ff {};
-    need-reload = pkgs.writeDashBin "need-reload" ''echo "$*"'';
     viljetic-pages = pkgs.callPackage ./viljetic-pages {};
     xmonad-tv = import ./xmonad-tv.nix { inherit pkgs; };
   };

From 8ec65b04dc5010f910bf67f1db8a78bd844202b0 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 25 May 2016 11:29:20 +0200
Subject: [PATCH 5/5] tv ff: use abspath to sudo

---
 tv/2configs/xserver/default.nix |  2 +-
 tv/5pkgs/ff/default.nix         | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index a4f2499ff..965c3bbe1 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -18,7 +18,7 @@ in {
     pkgs.xlibs.fontschumachermisc
   ];
 
-  # TODO dedicated group, i.e. with a single user
+  # TODO dedicated group, i.e. with a single user [per-user-setuid]
   # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
   krebs.setuid.slock = {
     filename = "${pkgs.slock}/bin/slock";
diff --git a/tv/5pkgs/ff/default.nix b/tv/5pkgs/ff/default.nix
index 2db404030..b1d2c579a 100644
--- a/tv/5pkgs/ff/default.nix
+++ b/tv/5pkgs/ff/default.nix
@@ -1,8 +1,12 @@
 { pkgs, ... }:
 
-pkgs.writeScriptBin "ff" ''
- #! ${pkgs.bash}/bin/bash
- exec sudo -u ff -i <<EOF
+# TODO use krebs.setuid
+# This requires that we can create setuid executables that can only be accessed
+# by a single user. [per-user-setuid]
+
+# using bash for %q
+pkgs.writeBashBin "ff" ''
+ exec /var/setuid-wrappers/sudo -u ff -i <<EOF
  exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
  EOF
 ''
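Review bot: The argv quoted by `printf " %q"` is parsed by whatever login shell sudo starts for user ff, not by this bash script, and %q can emit `$'...'` forms that only bash understands; the `# using bash for %q` comment should say so, e.g. `# using bash for %q; the quoted argv is re-parsed by ff's login shell, which must be bash-compatible`. The heredoc is intentionally unquoted so `$(printf …)` expands here and `EOF` lands at column 0 once Nix strips the common indent; a one-line comment stating both would keep a later edit from quoting the delimiter or re-indenting the terminator. The absolute `/var/setuid-wrappers/sudo` path removes the PATH lookup, which is the point of the commit.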