Merge remote-tracking branch 'lass/master'

makefu 2017-10-07 11:08:13 +02:00
commit 8290c6507e
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
46 changed files with 320 additions and 316 deletions


@ -1,4 +1,4 @@
{ config, ... }:
{ config, pkgs, ... }:
let
url = "https://git.shackspace.de/";
# generate token from CI-token via:
@ -6,7 +6,7 @@ let
## cat /etc/gitlab-runner/config.toml
token = import <secrets/shackspace-gitlab-ci-token.nix> ;
in {
systemd.services.gitlab-runner.path = [
systemd.services.gitlab-runner.path = [
"/run/wrappers" # /run/wrappers/bin/su
"/" # /bin/sh
];
@ -16,19 +16,18 @@ in {
enable = true;
# configFile, configOptions and gracefulTimeout not yet in stable
# gracefulTimeout = "120min";
configText = ''
concurrent = 1
check_interval = 0
[[runners]]
name = "krebs-shell"
url = "${url}"
token = "${token}"
executor = "shell"
shell = "sh"
environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
[runners.cache]
configFile = pkgs.writeText "gitlab-runner.cfg" ''
concurrent = 1
check_interval = 0
[[runners]]
name = "krebs-shell"
url = "${url}"
token = "${token}"
executor = "shell"
shell = "sh"
environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
[runners.cache]
'';
};
}
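Review bot: `configFile = pkgs.writeText "gitlab-runner.cfg" ''…''` interpolates `${token}` into a file that lands in /nix/store, which is world-readable, so the runner registration token imported from `<secrets/shackspace-gitlab-ci-token.nix>` becomes readable by every local user and by anything that can copy the store. If the previous `configText` was rendered into the store by the module it had the same exposure, so this is probably not a regression, but it deserves a comment next to the option, e.g. `# NOTE: the token ends up world-readable in /nix/store; rotate it if this host is shared`. Keeping the token out of the store would mean pointing `configFile` at a path provisioned outside the store (the secrets mechanism the file already uses) instead of `writeText`.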


@ -92,6 +92,7 @@
};
general {
#maybe we want ident someday?
default_floodcount = 1000;
disable_auth = yes;
throttle_duration = 1;
throttle_count = 1000;


@ -12,7 +12,7 @@ let
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
requests2
requests
paramiko
python
]))


@ -12,7 +12,7 @@ let
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
requests2
requests
python
]))
];


@ -37,7 +37,7 @@ let
docopt
LinkHeader
aiocoap
requests2
requests
paramiko
python
]))


@ -3,7 +3,7 @@
with import <stockholm/lib>;
let
gunicorn = pkgs.pythonPackages.gunicorn;
bepasty = pkgs.pythonPackages.bepasty-server;
bepasty = pkgs.bepasty;
gevent = pkgs.pythonPackages.gevent;
python = pkgs.pythonPackages.python;
cfg = config.krebs.bepasty;


@ -160,6 +160,8 @@ let
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
set -efux
#remove garbage from old versions
rm -r ${workdir}
mkdir -p ${workdir}/info
cp ${buildbot-slave-init} ${workdir}/buildbot.tac
echo ${contact} > ${workdir}/info/admin
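Review bot: `rm -r ${workdir}` under `set -efux` aborts the whole ExecStartPre on a fresh host where `${workdir}` does not exist yet, because `rm -r` on a missing path is an error; use `rm -rf -- ${workdir}` (or guard with `test -d`) before the `mkdir -p`. It also wipes the working directory on every service start, not only when upgrading from an old version, so any state buildbot keeps there is lost on each restart — if that is intended, the comment should say so explicitly rather than `#remove garbage from old versions`. The enclosing ExecStartPre script continues outside the hunk.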


@ -432,8 +432,13 @@ with import <stockholm/lib>;
eddie = {
ci = false;
external = true;
nets = {
nets = rec {
internet = {
ip4.addr = "129.215.90.4";
aliases = [ "eddie.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.170";
ip6.addr = "42:4992:6a6d:700::1";
aliases = [ "eddie.r" ];
@ -485,8 +490,13 @@ with import <stockholm/lib>;
inspector = {
ci = false;
external = true;
nets = {
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
ip6.addr = "42:4992:6a6d:800::1";
aliases = [ "inspector.r" ];


@ -1 +1 @@
ssh-rsa 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 JuiceSSH
ssh-rsa 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 lass-android@XperiaXCompact


@ -1,5 +1,5 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
{ config, pkgs, ... }:
let
out = {
options.krebs.tinc = api;
@ -11,7 +11,7 @@ let
description = ''
define a tinc network
'';
type = with types; attrsOf (submodule (tinc: {
type = types.attrsOf (types.submodule (tinc: {
options = let
netname = tinc.config._module.args.name;
in {
@ -116,7 +116,7 @@ let
phases = [ "installPhase" ];
installPhase = ''
mkdir $out
${concatStrings (lib.mapAttrsToList (_: host: ''
${concatStrings (mapAttrsToList (_: host: ''
echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
> $out/${shell.escape host.name}
'') tinc.config.hosts)}


@ -8,7 +8,7 @@ python3Packages.buildPythonPackage rec {
propagatedBuildInputs = with pkgs;[
python3Packages.docopt
python3Packages.requests2
python3Packages.requests
];
src = fetchurl {
url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";


@ -5,7 +5,7 @@ with pythonPackages; buildPythonPackage rec {
propagatedBuildInputs = [
python_magic
click
requests2
requests
];
src = fetchFromGitHub {


@ -11,7 +11,7 @@ python3Packages.buildPythonPackage rec {
propagatedBuildInputs = with python3Packages; [
docopt
requests2
requests
beautifulsoup4
];
}


@ -11,7 +11,7 @@ pythonPackages.buildPythonPackage rec {
propagatedBuildInputs = with pythonPackages; [
twisted
pyopenssl
requests2
requests
service-identity
];
}


@ -13,7 +13,7 @@ python3Packages.buildPythonPackage rec {
minidb
pycodestyle
pyyaml
requests2
requests
];
meta = {


@ -14,6 +14,6 @@ in
stockholm.file = toString <stockholm>;
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
ref = "8ed299faacbf8813fc47b4fca34f32b835d6481e"; # nixos-17.03 @ 2017-09-09
ref = "07ca7b64d2ff2fa7a79e4eab1aba70ff746fed8c"; # nixos-17.09 @ 2017-10-02
};
}


@ -11,6 +11,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/otp-ssh.nix>
<stockholm/lass/2configs/git.nix>
<stockholm/lass/2configs/dcso-vpn.nix>
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
@ -94,4 +95,17 @@ with import <stockholm/lib>;
programs.ssh.startAgent = lib.mkForce true;
services.tlp.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
security.pki.certificateFiles = [
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
];
}
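Review bot: The `security.pki.certificateFiles` additions install seven DCSO CA certificates into the system-wide trust store, so every TLS client on the host (browsers, curl, package tooling) trusts them, not just the VPN; if they are only needed for the OpenVPN connection, the `ca` directive in the newly imported dcso-vpn.nix already covers that and this block could be dropped or reduced. The certificates are fetched over plain `http://`, which is acceptable only because each `pkgs.fetchurl` carries a `sha256` pin — a comment should state that the pin is what provides integrity here so nobody later removes it or switches to an unpinned fetch. Recording how the fingerprints were verified when the pins were taken would let the trust anchors be audited later.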


@ -115,7 +115,12 @@ in {
};
services.nginx.virtualHosts."hackerfleet.de-s" = {
serverName = "hackerfleet.de";
port = 443;
listen = [
{
addr = "0.0.0.0";
port = 443;
}
];
serverAliases = [
"*.hackerfleet.de"
];
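Review bot: The new `listen` entry `{ addr = "0.0.0.0"; port = 443; }` carries no `ssl = true;`, and once `listen` is set explicitly the NixOS nginx module emits the entries as given, so this vhost would accept plaintext HTTP on port 443 unless TLS is enabled some other way outside the hunk — confirm and add `ssl = true;` to the entry. Replacing `port = 443` with an IPv4-only address also drops any IPv6 listener the previous form may have produced; if v6 is wanted, add a second entry with `addr = "[::]"`. The rest of the virtualHost definition is outside the hunk.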


@ -31,7 +31,6 @@ in {
} //
genAttrs ext-doms (ext-dom: {
nginx = {
enableSSL = true;
forceSSL = true;
enableACME = true;
};


@ -25,12 +25,15 @@ in {
environment = {
DISPLAY = ":0";
};
path = with pkgs; [
qt5.full
];
serviceConfig = {
SyslogIdentifier = "copyq";
ExecStart = "${pkgs.copyq}/bin/copyq";
ExecStartPost = copyqConfig;
Restart = "always";
RestartSec = "2s";
RestartSec = "15s";
StartLimitBurst = 0;
User = "lass";
};


@ -0,0 +1,44 @@
with import <stockholm/lib>;
{ ... }:
{
users.extraUsers = {
dcsovpn = rec {
name = "dcsovpn";
uid = genid "dcsovpn";
description = "user for running dcso openvpn";
home = "/home/${name}";
};
};
users.extraGroups.dcsovpn.gid = genid "dcsovpn";
services.openvpn.servers = {
dcso = {
config = ''
client
dev tun
tun-mtu 1356
mssfix
proto udp
float
remote 217.111.55.41 1194
nobind
user dcsovpn
group dcsovpn
persist-key
persist-tun
ca ${toString <secrets/dcsovpn/ca.pem>}
cert ${toString <secrets/dcsovpn/cert.pem>}
key ${toString <secrets/dcsovpn/cert.key>}
verb 3
mute 20
auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
route-method exe
route-delay 2
'';
updateResolvConf = true;
};
};
}
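Review bot: The OpenVPN client config authenticates the server only against `ca`, with no `remote-cert-tls server` (or `verify-x509-name`), so any certificate issued by that CA — including another client's — would be accepted as the server; add `remote-cert-tls server` after the `key` line. `route-method exe` is documented by OpenVPN as a Windows-only option, so confirm the Linux build accepts it instead of rejecting the config at startup. Since the process drops to `user dcsovpn` after start, `persist-key`/`persist-tun` are what let it restart without re-reading the root-only secret files, which is worth a comment; whether the `auth-user-pass` credentials may stay cached in memory across renegotiation (the default without `auth-nocache`) is a choice worth stating too.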


@ -3,6 +3,6 @@
with import <stockholm/lib>;
{
nix.gc = {
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
};
}


@ -3,7 +3,8 @@
{
krebs.per-user.lass.packages = with pkgs; [
pass
gnupg1
gnupg
];
programs.gnupg.agent.enable = true;
}


@ -73,17 +73,6 @@ in {
allowKeysForGroup = true;
group = "lasscert";
};
certs."cgit.lassul.us" = {
email = "lassulus@gmail.com";
webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
"fullchain.pem"
];
group = "nginx";
allowKeysForGroup = true;
};
};
krebs.tinc_graphs.enable = true;
@ -119,8 +108,8 @@ in {
];
services.nginx.virtualHosts."lassul.us" = {
addSSL = true;
enableACME = true;
serverAliases = [ "lassul.us" ];
locations."/".extraConfig = ''
root /srv/http/lassul.us;
'';
@ -158,30 +147,12 @@ in {
in ''
alias ${initscript};
'';
enableSSL = true;
extraConfig = ''
listen 80;
listen [::]:80;
'';
sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
services.nginx.virtualHosts.cgit = {
serverAliases = [
"cgit.lassul.us"
];
locations."/.well-known/acme-challenge".extraConfig = ''
root /var/lib/acme/acme-challenges;
'';
enableSSL = true;
extraConfig = ''
listen 80;
listen [::]:80;
'';
sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
serverName = "cgit.lassul.us";
addSSL = true;
enableACME = true;
};
users.users.blog = {
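Review bot: Both vhosts now use `addSSL = true;`, which keeps serving plaintext HTTP alongside HTTPS instead of redirecting; if the old `listen 80` lines existed only to satisfy ACME challenges, `forceSSL = true;` gives the same ACME behaviour while redirecting everything else to TLS. The certificate for lassul.us appears to remain declared under `security.acme.certs` with `group = "lasscert"` (top of the first hunk) for consumers outside nginx, so the nginx `enableACME` definition now shares that cert; a comment noting that the two definitions refer to the same certificate would help the next reader. The hunks are excerpts of a larger `in { … }` block that starts and ends outside this section.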


@ -3,12 +3,13 @@
{
krebs.secret.files.mysql_rootPassword = {
path = "${config.services.mysql.dataDir}/mysql_rootPassword";
owner.name = "root";
owner.name = "mysql";
source-path = toString <secrets> + "/mysql_rootPassword";
};
services.mysql = {
enable = true;
dataDir = "/var/mysql";
package = pkgs.mariadb;
rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
};


@ -21,6 +21,11 @@ in {
];
};
# mosh
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
];
#systemd.services.chat = {
# description = "chat environment setup";
# after = [ "network.target" ];
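Review bot: The new INPUT rule accepts UDP 60000–61000 from any source on every interface with no explanation beyond `# mosh`; a one-liner such as `# mosh-server binds one port in this range only after an authenticated SSH session; nothing listens here otherwise` records why the wide range is acceptable. If the host has interfaces on which mosh is never used, an `-i` restriction on the predicate would narrow exposure without affecting the SSH-bootstrapped flow.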


@ -5,7 +5,7 @@ let
in {
krebs.per-user.wine.packages = with pkgs; [
wineFull
wine
#(wineFull.override { wineBuild = "wine64"; })
];
users.users= {


@ -1,93 +1,129 @@
{ config, ... }: with import <stockholm/lib>; let
cfg = config.lass.ejabberd;
with import <stockholm/lib>;
{ config, ... }: let
# XXX this is a placeholder that happens to work the default strings.
toErlang = builtins.toJSON;
in toFile "ejabberd.conf" ''
{loglevel, 3}.
{hosts, ${toErlang cfg.hosts}}.
{listen,
[
{5222, ejabberd_c2s, [
starttls,
{certfile, ${toErlang cfg.certfile.path}},
{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}
]},
{5269, ejabberd_s2s_in, [
{shaper, s2s_shaper},
{max_stanza_size, 131072}
]},
{5280, ejabberd_http, [
captcha,
http_bind,
http_poll,
web_admin
]}
]}.
{s2s_use_starttls, required}.
{s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
{auth_method, internal}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{max_fsm_queue, 1000}.
{acl, local, {user_regexp, ""}}.
{access, max_user_sessions, [{10, all}]}.
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked},
{allow, all}]}.
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc_create, [{allow, local}]}.
{access, muc, [{allow, all}]}.
{access, pubsub_createnode, [{allow, local}]}.
{access, register, [{allow, local}]}.
{language, "en"}.
{modules,
[
{mod_adhoc, []},
{mod_announce, [{access, announce}]},
{mod_blocking,[]},
{mod_caps, []},
{mod_configure,[]},
{mod_disco, []},
{mod_irc, []},
{mod_http_bind, []},
{mod_last, []},
{mod_muc, [
{access, muc},
{access_create, muc_create},
{access_persistent, muc_create},
{access_admin, muc_admin}
]},
{mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
{mod_ping, []},
{mod_privacy, []},
{mod_private, []},
{mod_pubsub, [
{access_createnode, pubsub_createnode},
{ignore_pep_from_offline, true},
{last_item_cache, false},
{plugins, ["flat", "hometree", "pep"]}
]},
{mod_register, [
{welcome_message, {"Welcome!",
"Hi.\nWelcome to this XMPP server."}},
{ip_access, [{allow, "127.0.0.0/8"},
{allow, "0.0.0.0/0"}]},
{access, register}
]},
{mod_roster, []},
{mod_shared_roster,[]},
{mod_stats, []},
{mod_time, []},
{mod_vcard, []},
{mod_version, []}
]}.
# See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
ciphers = concatStringsSep ":" [
"ECDHE-ECDSA-AES256-GCM-SHA384"
"ECDHE-RSA-AES256-GCM-SHA384"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-RSA-CHACHA20-POLY1305"
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-RSA-AES128-GCM-SHA256"
"ECDHE-ECDSA-AES256-SHA384"
"ECDHE-RSA-AES256-SHA384"
"ECDHE-ECDSA-AES128-SHA256"
"ECDHE-RSA-AES128-SHA256"
];
protocol_options = [
"no_sslv2"
"no_sslv3"
"no_tlsv1"
"no_tlsv1_10"
];
in /* yaml */ ''
access_rules:
announce:
- allow: admin
local:
- allow: local
configure:
- allow: admin
register:
- allow
s2s:
- allow
trusted_network:
- allow: loopback
acl:
local:
user_regexp: ""
loopback:
ip:
- "127.0.0.0/8"
- "::1/128"
- "::FFFF:127.0.0.1/128"
hosts: ${toJSON config.hosts}
language: "en"
listen:
-
port: 5222
ip: "::"
module: ejabberd_c2s
shaper: c2s_shaper
certfile: ${toJSON config.certfile.path}
ciphers: ${toJSON ciphers}
dhfile: ${toJSON config.dhfile.path}
protocol_options: ${toJSON protocol_options}
starttls: true
starttls_required: true
tls: false
tls_compression: false
max_stanza_size: 65536
-
port: 5269
ip: "::"
module: ejabberd_s2s_in
shaper: s2s_shaper
max_stanza_size: 131072
loglevel: 4
modules:
mod_adhoc: {}
mod_admin_extra: {}
mod_announce:
access: announce
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {}
mod_disco: {}
mod_echo: {}
mod_irc: {}
mod_bosh: {}
mod_last: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_privacy: {}
mod_private: {}
mod_register:
access_from: deny
access: register
ip_access: trusted_network
registration_watchers: ${toJSON config.registration_watchers}
mod_roster: {}
mod_shared_roster: {}
mod_stats: {}
mod_time: {}
mod_vcard:
search: false
mod_version: {}
mod_http_api: {}
s2s_access: s2s
s2s_certfile: ${toJSON config.s2s_certfile.path}
s2s_ciphers: ${toJSON ciphers}
s2s_dhfile: ${toJSON config.dhfile.path}
s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false
s2s_use_starttls: required
shaper_rules:
max_user_offline_messages:
- 5000: admin
- 100
max_user_sessions: 10
c2s_shaper:
- none: admin
- normal
s2s_shaper: fast
''
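Review bot: `"no_tlsv1_10"` in `protocol_options` does not look like an option name fast_tls/OpenSSL understand (the known forms are `no_tlsv1`, `no_tlsv1_1`, `no_tlsv1_2`), so if the intent was to disable TLS 1.1 it stays enabled on both the c2s and s2s listeners that use `${toJSON protocol_options}`; change it to `"no_tlsv1_1"`. `mod_echo: {}` is a diagnostic module that reflects stanzas back to the sender and is normally not enabled on a production server; drop it or comment why it is wanted. The `access_rules` entry `register: - allow` is broader than the old `{allow, local}`, but because `mod_register` sets `ip_access: trusted_network` (loopback only) in-band registration is effectively limited to local clients — a comment on the `register:` rule would keep that interplay from being lost.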


@ -1,5 +1,16 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
cfg = config.lass.ejabberd;
gen-dhparam = pkgs.writeDash "gen-dhparam" ''
set -efu
path=$1
bits=2048
# TODO regenerate dhfile after some time?
if ! test -e "$path"; then
${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
fi
'';
in {
options.lass.ejabberd = {
enable = mkEnableOption "lass.ejabberd";
@ -11,20 +22,36 @@ in {
source-path = "/var/lib/acme/lassul.us/full.pem";
};
};
dhfile = mkOption {
type = types.secret-file;
default = {
path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user;
source-path = "/dev/null";
};
};
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberdctl = mkOption {
type = types.package;
default = pkgs.writeDashBin "ejabberdctl" ''
set -efu
export SPOOLDIR=${shell.escape cfg.user.home}
export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
exec ${pkgs.ejabberd}/bin/ejabberdctl \
--config ${toFile "ejabberd.yaml" (import ./config.nix {
inherit pkgs;
config = cfg;
})} \
--logs ${shell.escape cfg.user.home} \
--spool ${shell.escape cfg.user.home} \
"$@"
'';
};
registration_watchers = mkOption {
type = types.listOf types.str;
default = [
config.krebs.users.tv.mail
];
};
s2s_certfile = mkOption {
type = types.secret-file;
default = cfg.certfile;
@ -50,12 +77,12 @@ in {
requires = [ "secret.service" ];
after = [ "network.target" "secret.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
PermissionsStartOnly = "true";
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
PermissionsStartOnly = true;
SyslogIdentifier = "ejabberd";
User = cfg.user.name;
ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
TimeoutStartSec = 60;
};
};
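Review bot: `gen-dhparam` writes with `openssl dhparam "$bits" > "$path"`, so the shell creates `$path` before openssl has produced anything; if generation is interrupted (2048-bit dhparam can take minutes) a truncated or empty dhparams.pem is left behind and the `test -e` guard then skips regeneration forever, leaving ejabberd unable to start. Write to a temporary file and rename instead: `${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path.tmp" && mv "$path.tmp" "$path"`. The file is also created by root (PermissionsStartOnly) inside `cfg.user.home` and is readable by `cfg.user.name` only as long as the default umask leaves it world-readable; a comment stating that dhparams are not secret, or an explicit `chmod 0644`, would make that intentional. In the serviceConfig hunk one of `Type = "oneshot"` / `RemainAfterExit` appears to survive next to the new `ejabberdctl foreground`; a oneshot unit would never become active and be killed at `TimeoutStartSec = 60`, so confirm the unit ends up with the default simple type.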


@ -4,9 +4,6 @@
nixpkgs.config.packageOverrides = rec {
acronym = pkgs.callPackage ./acronym/default.nix {};
dpass = pkgs.callPackage ./dpass {};
ejabberd = pkgs.callPackage ./ejabberd {
erlang = pkgs.erlangR16;
};
firefoxPlugins = {
noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};


@ -1,28 +0,0 @@
{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}:
stdenv.mkDerivation rec {
version = "2.1.13";
name = "ejabberd-${version}";
src = fetchurl {
url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8";
};
buildInputs = [ expat erlang zlib openssl pam ];
patchPhase = ''
sed -i \
-e "s|erl \\\|${erlang}/bin/erl \\\|" \
-e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \
src/ejabberdctl.template
'';
preConfigure = ''
cd src
'';
configureFlags = ["--enable-pam"];
meta = {
description = "Open-source XMPP application server written in Erlang";
license = stdenv.lib.licenses.gpl2;
homepage = http://www.ejabberd.im;
maintainers = [ lib.maintainers.sander ];
};
}


@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS)
import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
import XMonad.Actions.DynamicWorkspaces (withWorkspace)
import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
import XMonad.Actions.UpdatePointer (updatePointer)
import XMonad.Hooks.FloatNext (floatNext)
import XMonad.Hooks.FloatNext (floatNextHook)
import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@ -63,14 +64,15 @@ mainNoArgs = do
xmonad'
$ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
$ def
{ terminal = urxvtcPath
, modMask = mod4Mask
, layoutHook = smartBorders $ myLayoutHook
, manageHook = placeHook (smart (1,0)) <+> floatNextHook
{ terminal = urxvtcPath
, modMask = mod4Mask
, layoutHook = smartBorders $ myLayoutHook
, logHook = updatePointer (0.25, 0.25) (0.25, 0.25)
, manageHook = placeHook (smart (1,0)) <+> floatNextHook
, normalBorderColor = "#1c1c1c"
, focusedBorderColor = "#f000b0"
, handleEventHook = handleShutdownEvent
, workspaces = [ "dashboard" ]
, handleEventHook = handleShutdownEvent
, workspaces = [ "dashboard", "sys", "wp" ]
} `additionalKeysP` myKeyMap
myLayoutHook = defLayout
@ -119,7 +121,7 @@ myKeyMap =
, ("M4-f", floatNext True)
, ("M4-b", sendMessage ToggleStruts)
, ("M4-v", withWorkspace autoXPConfig (windows . W.view))
, ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView))
, ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift))
, ("M4-C-v", withWorkspace autoXPConfig (windows . copy))
@ -131,12 +133,12 @@ myKeyMap =
, ("M4-S-q", return ())
, ("M4-w", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
, ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
, ("M4-<F1>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
, ("M4-<F2>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
, ("M4-<F3>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
, ("M4-<F4>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
, ("M4-<F5>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
, ("M4-<F6>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
, ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
, ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
]
forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()


@ -9,13 +9,8 @@ in
{
nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
nixpkgs.git = {
url = http://cgit.lassul.us/nixpkgs;
# nixos-17.03
# + copytoram:
# 87a4615 & 334ac4f
# + acme permissions for groups
# fd7a8f1
ref = "2d3b4fe";
url = https://github.com/nixos/nixpkgs;
ref = "1987983";
};
secrets.file = getAttr builder {
buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
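Review bot: `ref = "1987983"` pins nixpkgs to a 7-character abbreviated hash; abbreviations are only unique at the time they were taken and give a fetcher no way to verify integrity, so use the full 40-character commit id here (the sibling source.nix files in this commit already do). The removed comment block explained which patches the old cgit fork carried (copytoram, acme group permissions); if those are now upstream, a one-line `# nixos-17.09 + <what is still patched>` comment keeps that provenance readable.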


@ -9,8 +9,8 @@ in
{
nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
nixpkgs.git = {
# nixos-17.03
ref = mkDefault "3d04a557b72aa0987d9bf079e1445280b6bfd907";
# nixos-17.09
ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
url = https://github.com/NixOS/nixpkgs;
};
secrets.file = getAttr builder {


@ -1,4 +1,4 @@
import <stockholm/tv/source.nix> {
name = "alnus";
override.nixpkgs.git.ref = "9b948ea439ddbaa26740ce35543e7e35d2aa6d18";
override.nixpkgs.git.ref = "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
}


@ -52,11 +52,13 @@ with import <stockholm/lib>;
networking.networkmanager.enable = true;
environment.systemPackages = with pkgs; [
(pkgs.kdeApplications.callPackage
(import <nixpkgs/pkgs/applications/kde/kde-locale-5.nix> "de" {})
{})
chromium
firefoxWrapper
gimp
iptables
kdeApplications.l10n.de.qt5
libreoffice
pidginotr
pidgin-with-plugins


@ -45,5 +45,4 @@ with import <stockholm/lib>;
];
};
systemd.services.cups.serviceConfig.PrivateTmp = true;
}


@ -100,7 +100,7 @@ let {
);
irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
channel = "#krebs";
channel = "#xxx";
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
server = "irc.r";


@ -13,6 +13,14 @@ foldl' mergeAttrs {}
//
{
brscan4 = overrideDerivation super.brscan4 (original: rec {
name = "brscan4-0.4.4-4";
src = super.fetchurl {
url = "http://download.brother.com/welcome/dlf006645/${name}.amd64.deb";
sha256 = "0xy5px96y1saq9l80vwvfn6anr2q42qlxdhm6ci2a0diwib5q9fd";
};
});
# TODO use XDG_RUNTIME_DIR?
cr = self.writeDashBin "cr" ''
set -efu
@ -32,7 +40,7 @@ foldl' mergeAttrs {}
exec ${self.firefoxWrapper}/bin/firefox "$@"
'';
gnupg = self.gnupg21;
gnupg = self.gnupg22;
# https://github.com/NixOS/nixpkgs/issues/16113
wvdial = let


@ -1,45 +0,0 @@
{ coreutils, dpkg, fetchurl, gnugrep, gnused, makeWrapper, mfcl2700dnlpr,
perl, stdenv }:
stdenv.mkDerivation rec {
name = "mfcl2700dncupswrapper-${meta.version}";
src = fetchurl {
url = "http://download.brother.com/welcome/dlf102086/${name}.i386.deb";
sha256 = "07w48mah0xbv4h8vsh1qd5cd4b463bx8y6gc5x9pfgsxsy6h6da1";
};
nativeBuildInputs = [ dpkg makeWrapper ];
phases = [ "installPhase" ];
installPhase = ''
dpkg-deb -x $src $out
basedir=${mfcl2700dnlpr}/opt/brother/Printers/MFCL2700DN
dir=$out/opt/brother/Printers/MFCL2700DN
substituteInPlace $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \
--replace /usr/bin/perl ${perl}/bin/perl \
--replace "basedir =~" "basedir = \"$basedir\"; #" \
--replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #"
wrapProgram $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \
--prefix PATH : ${stdenv.lib.makeBinPath [ coreutils gnugrep gnused ]}
mkdir -p $out/lib/cups/filter
mkdir -p $out/share/cups/model
ln $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN $out/lib/cups/filter
ln $dir/cupswrapper/brother-MFCL2700DN-cups-en.ppd $out/share/cups/model
'';
meta = {
description = "Brother MFC-L2700DN CUPS wrapper driver";
homepage = "http://www.brother.com/";
license = stdenv.lib.licenses.gpl2Plus;
maintainers = [ stdenv.lib.maintainers.tv ];
platforms = stdenv.lib.platforms.linux;
version = "3.2.0-1";
};
}


@ -1,44 +0,0 @@
{ coreutils, dpkg, fetchurl, ghostscript, gnugrep, gnused, pkgsi686Linux, makeWrapper, perl, stdenv, which }:
stdenv.mkDerivation rec {
name = "mfcl2700dnlpr-${meta.version}";
src = fetchurl {
url = "http://download.brother.com/welcome/dlf102085/${name}.i386.deb";
sha256 = "170qdzxlqikzvv2wphvfb37m19mn13az4aj88md87ka3rl5knk4m";
};
nativeBuildInputs = [ dpkg makeWrapper ];
phases = [ "installPhase" ];
installPhase = ''
dpkg-deb -x $src $out
dir=$out/opt/brother/Printers/MFCL2700DN
substituteInPlace $dir/lpd/filter_MFCL2700DN \
--replace /usr/bin/perl ${perl}/bin/perl \
--replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \
--replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #"
wrapProgram $dir/lpd/filter_MFCL2700DN \
--prefix PATH : ${stdenv.lib.makeBinPath [
coreutils ghostscript gnugrep gnused which
]}
interpreter=${pkgsi686Linux.stdenv.cc.libc.out}/lib/ld-linux.so.2
patchelf --set-interpreter "$interpreter" $dir/inf/braddprinter
patchelf --set-interpreter "$interpreter" $dir/lpd/brprintconflsr3
patchelf --set-interpreter "$interpreter" $dir/lpd/rawtobr3
'';
meta = {
description = "Brother MFC-L2700DN LPR driver";
homepage = "http://www.brother.com/";
license = stdenv.lib.licenses.unfree;
maintainers = [ stdenv.lib.maintainers.tv ];
platforms = stdenv.lib.platforms.linux;
version = "3.2.0-1";
};
}


@ -9,8 +9,8 @@ in
{
nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix";
nixpkgs.git = {
# nixos-17.03
ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
# nixos-17.09
ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
url = https://github.com/NixOS/nixpkgs;
};
secrets.file = getAttr builder {