diff --git a/krebs/2configs/gitlab-runner-shackspace.nix b/krebs/2configs/gitlab-runner-shackspace.nix index d9b4cd589..f4247b6da 100644 --- a/krebs/2configs/gitlab-runner-shackspace.nix +++ b/krebs/2configs/gitlab-runner-shackspace.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let url = "https://git.shackspace.de/"; # generate token from CI-token via: @@ -6,7 +6,7 @@ let ## cat /etc/gitlab-runner/config.toml token = import ; in { - systemd.services.gitlab-runner.path = [ + systemd.services.gitlab-runner.path = [ "/run/wrappers" # /run/wrappers/bin/su "/" # /bin/sh ]; @@ -16,19 +16,18 @@ in { enable = true; # configFile, configOptions and gracefulTimeout not yet in stable # gracefulTimeout = "120min"; - configText = '' - concurrent = 1 - check_interval = 0 - - [[runners]] - name = "krebs-shell" - url = "${url}" - token = "${token}" - executor = "shell" - shell = "sh" - environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"] - [runners.cache] + configFile = pkgs.writeText "gitlab-runner.cfg" '' + concurrent = 1 + check_interval = 0 + [[runners]] + name = "krebs-shell" + url = "${url}" + token = "${token}" + executor = "shell" + shell = "sh" + environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"] + [runners.cache] ''; }; } diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 116337733..38f58952e 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -92,6 +92,7 @@ }; general { #maybe we want ident someday? + default_floodcount = 1000; disable_auth = yes; throttle_duration = 1; throttle_count = 1000; diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix index 7e8d278f6..19768cb2e 100644 --- a/krebs/2configs/shack/muell_caller.nix +++ b/krebs/2configs/shack/muell_caller.nix @@ -12,7 +12,7 @@ let buildInputs = [ (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ docopt - requests2 + requests paramiko python ])) diff --git a/krebs/2configs/shack/radioactive.nix b/krebs/2configs/shack/radioactive.nix index 378b54056..566146d6e 100644 --- a/krebs/2configs/shack/radioactive.nix +++ b/krebs/2configs/shack/radioactive.nix @@ -12,7 +12,7 @@ let buildInputs = [ (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ docopt - requests2 + requests python ])) ]; diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix index d0f9f5fa6..828b6cd70 100644 --- a/krebs/2configs/shack/worlddomination.nix +++ b/krebs/2configs/shack/worlddomination.nix @@ -37,7 +37,7 @@ let docopt LinkHeader aiocoap - requests2 + requests paramiko python ])) diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 0ca13366b..dd29a4e17 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -3,7 +3,7 @@ with import ; let gunicorn = pkgs.pythonPackages.gunicorn; - bepasty = pkgs.pythonPackages.bepasty-server; + bepasty = pkgs.bepasty; gevent = pkgs.pythonPackages.gevent; python = pkgs.pythonPackages.python; cfg = config.krebs.bepasty; diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index 544f9c4e0..0af553c5d 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix @@ -160,6 +160,8 @@ let # TODO: maybe also prepare buildbot.tac? ExecStartPre = pkgs.writeDash "buildbot-master-init" '' set -efux + #remove garbage from old versions + rm -r ${workdir} mkdir -p ${workdir}/info cp ${buildbot-slave-init} ${workdir}/buildbot.tac echo ${contact} > ${workdir}/info/admin diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 4b553fac2..534eac716 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -432,8 +432,13 @@ with import ; eddie = { ci = false; external = true; - nets = { + nets = rec { + internet = { + ip4.addr = "129.215.90.4"; + aliases = [ "eddie.i" ]; + }; retiolum = { + via = internet; ip4.addr = "10.243.29.170"; ip6.addr = "42:4992:6a6d:700::1"; aliases = [ "eddie.r" ]; @@ -485,8 +490,13 @@ with import ; inspector = { ci = false; external = true; - nets = { + nets = rec { + internet = { + ip4.addr = "141.76.44.154"; + aliases = [ "inspector.i" ]; + }; retiolum = { + via = internet; ip4.addr = "10.243.29.172"; ip6.addr = "42:4992:6a6d:800::1"; aliases = [ "inspector.r" ]; diff --git a/krebs/3modules/lass/ssh/android.rsa b/krebs/3modules/lass/ssh/android.rsa index b39f7ce1e..f5190f45c 100644 --- a/krebs/3modules/lass/ssh/android.rsa +++ b/krebs/3modules/lass/ssh/android.rsa @@ -1 +1 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 8af15c13b..b032f3148 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -1,5 +1,5 @@ -{ config, pkgs, lib, ... }: with import ; +{ config, pkgs, ... }: let out = { options.krebs.tinc = api; @@ -11,7 +11,7 @@ let description = '' define a tinc network ''; - type = with types; attrsOf (submodule (tinc: { + type = types.attrsOf (types.submodule (tinc: { options = let netname = tinc.config._module.args.name; in { @@ -116,7 +116,7 @@ let phases = [ "installPhase" ]; installPhase = '' mkdir $out - ${concatStrings (lib.mapAttrsToList (_: host: '' + ${concatStrings (mapAttrsToList (_: host: '' echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \ > $out/${shell.escape host.name} '') tinc.config.hosts)} diff --git a/krebs/5pkgs/simple/Reaktor/default.nix b/krebs/5pkgs/simple/Reaktor/default.nix index fc3710820..6989bb02b 100644 --- a/krebs/5pkgs/simple/Reaktor/default.nix +++ b/krebs/5pkgs/simple/Reaktor/default.nix @@ -8,7 +8,7 @@ python3Packages.buildPythonPackage rec { propagatedBuildInputs = with pkgs;[ python3Packages.docopt - python3Packages.requests2 + python3Packages.requests ]; src = fetchurl { url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz"; diff --git a/krebs/5pkgs/simple/bepasty-client-cli/default.nix b/krebs/5pkgs/simple/bepasty-client-cli/default.nix index c58e637b3..7811ef5fc 100644 --- a/krebs/5pkgs/simple/bepasty-client-cli/default.nix +++ b/krebs/5pkgs/simple/bepasty-client-cli/default.nix @@ -5,7 +5,7 @@ with pythonPackages; buildPythonPackage rec { propagatedBuildInputs = [ python_magic click - requests2 + requests ]; src = fetchFromGitHub { diff --git a/krebs/5pkgs/simple/cac-panel/default.nix b/krebs/5pkgs/simple/cac-panel/default.nix index fd4799535..57f58f4de 100644 --- a/krebs/5pkgs/simple/cac-panel/default.nix +++ b/krebs/5pkgs/simple/cac-panel/default.nix @@ -11,7 +11,7 @@ python3Packages.buildPythonPackage rec { propagatedBuildInputs = with python3Packages; [ docopt - requests2 + requests beautifulsoup4 ]; } diff --git a/krebs/5pkgs/simple/treq/default.nix b/krebs/5pkgs/simple/treq/default.nix index 20387b9cb..7cb826a51 100644 --- a/krebs/5pkgs/simple/treq/default.nix +++ b/krebs/5pkgs/simple/treq/default.nix @@ -11,7 +11,7 @@ pythonPackages.buildPythonPackage rec { propagatedBuildInputs = with pythonPackages; [ twisted pyopenssl - requests2 + requests service-identity ]; } diff --git a/krebs/5pkgs/simple/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix index 509555669..adaefbc4d 100644 --- a/krebs/5pkgs/simple/urlwatch/default.nix +++ b/krebs/5pkgs/simple/urlwatch/default.nix @@ -13,7 +13,7 @@ python3Packages.buildPythonPackage rec { minidb pycodestyle pyyaml - requests2 + requests ]; meta = { diff --git a/krebs/source.nix b/krebs/source.nix index 1aba3d7ff..09edc817b 100644 --- a/krebs/source.nix +++ b/krebs/source.nix @@ -14,6 +14,6 @@ in stockholm.file = toString ; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "8ed299faacbf8813fc47b4fca34f32b835d6481e"; # nixos-17.03 @ 2017-09-09 + ref = "07ca7b64d2ff2fa7a79e4eab1aba70ff746fed8c"; # nixos-17.09 @ 2017-10-02 }; } diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index 6ff3fbb86..a94bbd3e9 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -11,6 +11,7 @@ with import ; + { # automatic hardware detection boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.kernelModules = [ "kvm-intel" ]; @@ -94,4 +95,17 @@ with import ; programs.ssh.startAgent = lib.mkForce true; services.tlp.enable = true; + + services.xserver.videoDrivers = [ "nvidia" ]; + + security.pki.certificateFiles = [ + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) + + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) + ]; } diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 5b3091a39..8e44b113b 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -115,7 +115,12 @@ in { }; services.nginx.virtualHosts."hackerfleet.de-s" = { serverName = "hackerfleet.de"; - port = 443; + listen = [ + { + addr = "0.0.0.0"; + port = 443; + } + ]; serverAliases = [ "*.hackerfleet.de" ]; diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix index b2d40d4f3..43647892f 100644 --- a/lass/2configs/bepasty.nix +++ b/lass/2configs/bepasty.nix @@ -31,7 +31,6 @@ in { } // genAttrs ext-doms (ext-dom: { nginx = { - enableSSL = true; forceSSL = true; enableACME = true; }; diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix index b255254f2..fa01a99c9 100644 --- a/lass/2configs/copyq.nix +++ b/lass/2configs/copyq.nix @@ -25,12 +25,15 @@ in { environment = { DISPLAY = ":0"; }; + path = with pkgs; [ + qt5.full + ]; serviceConfig = { SyslogIdentifier = "copyq"; ExecStart = "${pkgs.copyq}/bin/copyq"; ExecStartPost = copyqConfig; Restart = "always"; - RestartSec = "2s"; + RestartSec = "15s"; StartLimitBurst = 0; User = "lass"; }; diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix new file mode 100644 index 000000000..0a5623bf0 --- /dev/null +++ b/lass/2configs/dcso-vpn.nix @@ -0,0 +1,44 @@ +with import ; +{ ... }: + +{ + + users.extraUsers = { + dcsovpn = rec { + name = "dcsovpn"; + uid = genid "dcsovpn"; + description = "user for running dcso openvpn"; + home = "/home/${name}"; + }; + }; + + users.extraGroups.dcsovpn.gid = genid "dcsovpn"; + + services.openvpn.servers = { + dcso = { + config = '' + client + dev tun + tun-mtu 1356 + mssfix + proto udp + float + remote 217.111.55.41 1194 + nobind + user dcsovpn + group dcsovpn + persist-key + persist-tun + ca ${toString } + cert ${toString } + key ${toString } + verb 3 + mute 20 + auth-user-pass ${toString } + route-method exe + route-delay 2 + ''; + updateResolvConf = true; + }; + }; +} diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index 00f318e51..ad015180a 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import ; { nix.gc = { - automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ]; + automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; }; } diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 5bd2f2f7f..1c253a6c5 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -3,7 +3,8 @@ { krebs.per-user.lass.packages = with pkgs; [ pass - gnupg1 + gnupg ]; + programs.gnupg.agent.enable = true; } diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem new file mode 100644 index 000000000..e69de29bb diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key new file mode 100644 index 000000000..e69de29bb diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem new file mode 100644 index 000000000..e69de29bb diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt new file mode 100644 index 000000000..e69de29bb diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 17c39a5f4..6e185a4d6 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -73,17 +73,6 @@ in { allowKeysForGroup = true; group = "lasscert"; }; - certs."cgit.lassul.us" = { - email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/acme-challenges"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - ]; - group = "nginx"; - allowKeysForGroup = true; - }; }; krebs.tinc_graphs.enable = true; @@ -119,8 +108,8 @@ in { ]; services.nginx.virtualHosts."lassul.us" = { + addSSL = true; enableACME = true; - serverAliases = [ "lassul.us" ]; locations."/".extraConfig = '' root /srv/http/lassul.us; ''; @@ -158,30 +147,12 @@ in { in '' alias ${initscript}; ''; - - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; - sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/lassul.us/key.pem"; }; services.nginx.virtualHosts.cgit = { - serverAliases = [ - "cgit.lassul.us" - ]; - locations."/.well-known/acme-challenge".extraConfig = '' - root /var/lib/acme/acme-challenges; - ''; - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; - sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem"; + serverName = "cgit.lassul.us"; + addSSL = true; + enableACME = true; }; users.users.blog = { diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix index 7cb4b320e..2fffa6cc9 100644 --- a/lass/2configs/websites/sqlBackup.nix +++ b/lass/2configs/websites/sqlBackup.nix @@ -3,12 +3,13 @@ { krebs.secret.files.mysql_rootPassword = { path = "${config.services.mysql.dataDir}/mysql_rootPassword"; - owner.name = "root"; + owner.name = "mysql"; source-path = toString + "/mysql_rootPassword"; }; services.mysql = { enable = true; + dataDir = "/var/mysql"; package = pkgs.mariadb; rootPassword = config.krebs.secret.files.mysql_rootPassword.path; }; diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix index 4b6445619..d5496ac09 100644 --- a/lass/2configs/weechat.nix +++ b/lass/2configs/weechat.nix @@ -21,6 +21,11 @@ in { ]; }; + # mosh + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + #systemd.services.chat = { # description = "chat environment setup"; # after = [ "network.target" ]; diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix index 2444d32d3..0d2b731ca 100644 --- a/lass/2configs/wine.nix +++ b/lass/2configs/wine.nix @@ -5,7 +5,7 @@ let in { krebs.per-user.wine.packages = with pkgs; [ - wineFull + wine #(wineFull.override { wineBuild = "wine64"; }) ]; users.users= { diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix index b1fca08d3..68bcfa340 100644 --- a/lass/3modules/ejabberd/config.nix +++ b/lass/3modules/ejabberd/config.nix @@ -1,93 +1,129 @@ -{ config, ... }: with import ; let - cfg = config.lass.ejabberd; +with import ; +{ config, ... }: let - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; -in toFile "ejabberd.conf" '' - {loglevel, 3}. - {hosts, ${toErlang cfg.hosts}}. - {listen, - [ - {5222, ejabberd_c2s, [ - starttls, - {certfile, ${toErlang cfg.certfile.path}}, - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - {5280, ejabberd_http, [ - captcha, - http_bind, - http_poll, - web_admin - ]} - ]}. - {s2s_use_starttls, required}. - {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. - {auth_method, internal}. - {shaper, normal, {maxrate, 1000}}. - {shaper, fast, {maxrate, 50000}}. - {max_fsm_queue, 1000}. - {acl, local, {user_regexp, ""}}. - {access, max_user_sessions, [{10, all}]}. - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - {access, local, [{allow, local}]}. - {access, c2s, [{deny, blocked}, - {allow, all}]}. - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - {access, s2s_shaper, [{fast, all}]}. - {access, announce, [{allow, admin}]}. - {access, configure, [{allow, admin}]}. - {access, muc_admin, [{allow, admin}]}. - {access, muc_create, [{allow, local}]}. - {access, muc, [{allow, all}]}. - {access, pubsub_createnode, [{allow, local}]}. - {access, register, [{allow, local}]}. - {language, "en"}. - {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, - {mod_blocking,[]}, - {mod_caps, []}, - {mod_configure,[]}, - {mod_disco, []}, - {mod_irc, []}, - {mod_http_bind, []}, - {mod_last, []}, - {mod_muc, [ - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - {mod_privacy, []}, - {mod_private, []}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} - ]}, - {mod_register, [ - {welcome_message, {"Welcome!", - "Hi.\nWelcome to this XMPP server."}}, - {ip_access, [{allow, "127.0.0.0/8"}, - {allow, "0.0.0.0/0"}]}, - {access, register} - ]}, - {mod_roster, []}, - {mod_shared_roster,[]}, - {mod_stats, []}, - {mod_time, []}, - {mod_vcard, []}, - {mod_version, []} - ]}. + # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example + + ciphers = concatStringsSep ":" [ + "ECDHE-ECDSA-AES256-GCM-SHA384" + "ECDHE-RSA-AES256-GCM-SHA384" + "ECDHE-ECDSA-CHACHA20-POLY1305" + "ECDHE-RSA-CHACHA20-POLY1305" + "ECDHE-ECDSA-AES128-GCM-SHA256" + "ECDHE-RSA-AES128-GCM-SHA256" + "ECDHE-ECDSA-AES256-SHA384" + "ECDHE-RSA-AES256-SHA384" + "ECDHE-ECDSA-AES128-SHA256" + "ECDHE-RSA-AES128-SHA256" + ]; + + protocol_options = [ + "no_sslv2" + "no_sslv3" + "no_tlsv1" + "no_tlsv1_10" + ]; + +in /* yaml */ '' + + access_rules: + announce: + - allow: admin + local: + - allow: local + configure: + - allow: admin + register: + - allow + s2s: + - allow + trusted_network: + - allow: loopback + + acl: + local: + user_regexp: "" + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + + hosts: ${toJSON config.hosts} + + language: "en" + + listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + shaper: c2s_shaper + certfile: ${toJSON config.certfile.path} + ciphers: ${toJSON ciphers} + dhfile: ${toJSON config.dhfile.path} + protocol_options: ${toJSON protocol_options} + starttls: true + starttls_required: true + tls: false + tls_compression: false + max_stanza_size: 65536 + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + shaper: s2s_shaper + max_stanza_size: 131072 + + loglevel: 4 + + modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_echo: {} + mod_irc: {} + mod_bosh: {} + mod_last: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_register: + access_from: deny + access: register + ip_access: trusted_network + registration_watchers: ${toJSON config.registration_watchers} + mod_roster: {} + mod_shared_roster: {} + mod_stats: {} + mod_time: {} + mod_vcard: + search: false + mod_version: {} + mod_http_api: {} + + s2s_access: s2s + s2s_certfile: ${toJSON config.s2s_certfile.path} + s2s_ciphers: ${toJSON ciphers} + s2s_dhfile: ${toJSON config.dhfile.path} + s2s_protocol_options: ${toJSON protocol_options} + s2s_tls_compression: false + s2s_use_starttls: required + + shaper_rules: + max_user_offline_messages: + - 5000: admin + - 100 + max_user_sessions: 10 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast '' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix index e2fba5ff5..4838a9093 100644 --- a/lass/3modules/ejabberd/default.nix +++ b/lass/3modules/ejabberd/default.nix @@ -1,5 +1,16 @@ { config, lib, pkgs, ... }@args: with import ; let cfg = config.lass.ejabberd; + + gen-dhparam = pkgs.writeDash "gen-dhparam" '' + set -efu + path=$1 + bits=2048 + # TODO regenerate dhfile after some time? + if ! test -e "$path"; then + ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" + fi + ''; + in { options.lass.ejabberd = { enable = mkEnableOption "lass.ejabberd"; @@ -11,20 +22,36 @@ in { source-path = "/var/lib/acme/lassul.us/full.pem"; }; }; + dhfile = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/dhparams.pem"; + owner = cfg.user; + source-path = "/dev/null"; + }; + }; hosts = mkOption { type = with types; listOf str; }; pkgs.ejabberdctl = mkOption { type = types.package; default = pkgs.writeDashBin "ejabberdctl" '' - set -efu - export SPOOLDIR=${shell.escape cfg.user.home} - export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)} exec ${pkgs.ejabberd}/bin/ejabberdctl \ + --config ${toFile "ejabberd.yaml" (import ./config.nix { + inherit pkgs; + config = cfg; + })} \ --logs ${shell.escape cfg.user.home} \ + --spool ${shell.escape cfg.user.home} \ "$@" ''; }; + registration_watchers = mkOption { + type = types.listOf types.str; + default = [ + config.krebs.users.tv.mail + ]; + }; s2s_certfile = mkOption { type = types.secret-file; default = cfg.certfile; @@ -50,12 +77,12 @@ in { requires = [ "secret.service" ]; after = [ "network.target" "secret.service" ]; serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - PermissionsStartOnly = "true"; + ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; + ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; + PermissionsStartOnly = true; SyslogIdentifier = "ejabberd"; User = cfg.user.name; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start"; + TimeoutStartSec = 60; }; }; diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix index 46633ba1a..d04833255 100644 --- a/lass/5pkgs/default.nix +++ b/lass/5pkgs/default.nix @@ -4,9 +4,6 @@ nixpkgs.config.packageOverrides = rec { acronym = pkgs.callPackage ./acronym/default.nix {}; dpass = pkgs.callPackage ./dpass {}; - ejabberd = pkgs.callPackage ./ejabberd { - erlang = pkgs.erlangR16; - }; firefoxPlugins = { noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {}; ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {}; diff --git a/lass/5pkgs/ejabberd/default.nix b/lass/5pkgs/ejabberd/default.nix deleted file mode 100644 index 3a77c5cd1..000000000 --- a/lass/5pkgs/ejabberd/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}: - -stdenv.mkDerivation rec { - version = "2.1.13"; - name = "ejabberd-${version}"; - src = fetchurl { - url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz"; - sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8"; - }; - buildInputs = [ expat erlang zlib openssl pam ]; - patchPhase = '' - sed -i \ - -e "s|erl \\\|${erlang}/bin/erl \\\|" \ - -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \ - src/ejabberdctl.template - ''; - preConfigure = '' - cd src - ''; - configureFlags = ["--enable-pam"]; - - meta = { - description = "Open-source XMPP application server written in Erlang"; - license = stdenv.lib.licenses.gpl2; - homepage = http://www.ejabberd.im; - maintainers = [ lib.maintainers.sander ]; - }; -} diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 0a2945c21..b86ce358e 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS) import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace) import XMonad.Actions.DynamicWorkspaces (withWorkspace) import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch) +import XMonad.Actions.UpdatePointer (updatePointer) import XMonad.Hooks.FloatNext (floatNext) import XMonad.Hooks.FloatNext (floatNextHook) import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts)) @@ -63,14 +64,15 @@ mainNoArgs = do xmonad' $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ") $ def - { terminal = urxvtcPath - , modMask = mod4Mask - , layoutHook = smartBorders $ myLayoutHook - , manageHook = placeHook (smart (1,0)) <+> floatNextHook + { terminal = urxvtcPath + , modMask = mod4Mask + , layoutHook = smartBorders $ myLayoutHook + , logHook = updatePointer (0.25, 0.25) (0.25, 0.25) + , manageHook = placeHook (smart (1,0)) <+> floatNextHook , normalBorderColor = "#1c1c1c" , focusedBorderColor = "#f000b0" - , handleEventHook = handleShutdownEvent - , workspaces = [ "dashboard" ] + , handleEventHook = handleShutdownEvent + , workspaces = [ "dashboard", "sys", "wp" ] } `additionalKeysP` myKeyMap myLayoutHook = defLayout @@ -119,7 +121,7 @@ myKeyMap = , ("M4-f", floatNext True) , ("M4-b", sendMessage ToggleStruts) - , ("M4-v", withWorkspace autoXPConfig (windows . W.view)) + , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView)) , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift)) , ("M4-C-v", withWorkspace autoXPConfig (windows . copy)) @@ -131,12 +133,12 @@ myKeyMap = , ("M4-S-q", return ()) - , ("M4-w", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show") + , ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100") ] forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X () diff --git a/lass/source.nix b/lass/source.nix index 9cc08299b..e0af7d83c 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -9,13 +9,8 @@ in { nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { - url = http://cgit.lassul.us/nixpkgs; - # nixos-17.03 - # + copytoram: - # 87a4615 & 334ac4f - # + acme permissions for groups - # fd7a8f1 - ref = "2d3b4fe"; + url = https://github.com/nixos/nixpkgs; + ref = "1987983"; }; secrets.file = getAttr builder { buildbot = toString ; diff --git a/mv/source.nix b/mv/source.nix index 5dea13e73..2fa53a13e 100644 --- a/mv/source.nix +++ b/mv/source.nix @@ -9,8 +9,8 @@ in { nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix"; nixpkgs.git = { - # nixos-17.03 - ref = mkDefault "3d04a557b72aa0987d9bf079e1445280b6bfd907"; + # nixos-17.09 + ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887"; url = https://github.com/NixOS/nixpkgs; }; secrets.file = getAttr builder { diff --git a/tv/1systems/alnus/source.nix b/tv/1systems/alnus/source.nix index c3ed4dcfb..9fd2f668c 100644 --- a/tv/1systems/alnus/source.nix +++ b/tv/1systems/alnus/source.nix @@ -1,4 +1,4 @@ import { name = "alnus"; - override.nixpkgs.git.ref = "9b948ea439ddbaa26740ce35543e7e35d2aa6d18"; + override.nixpkgs.git.ref = "d0f0657ca06cc8cb239cb94f430b53bcdf755887"; } diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix index f3e7b515b..501200c1f 100644 --- a/tv/1systems/mu/config.nix +++ b/tv/1systems/mu/config.nix @@ -52,11 +52,13 @@ with import ; networking.networkmanager.enable = true; environment.systemPackages = with pkgs; [ + (pkgs.kdeApplications.callPackage + (import "de" {}) + {}) chromium firefoxWrapper gimp iptables - kdeApplications.l10n.de.qt5 libreoffice pidginotr pidgin-with-plugins diff --git a/tv/2configs/br.nix b/tv/2configs/br.nix index c7eb20e90..d660ebc35 100644 --- a/tv/2configs/br.nix +++ b/tv/2configs/br.nix @@ -45,5 +45,4 @@ with import ; ]; }; - systemd.services.cups.serviceConfig.PrivateTmp = true; } diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix index bbb1d4128..2c4b4868e 100644 --- a/tv/2configs/gitrepos.nix +++ b/tv/2configs/gitrepos.nix @@ -100,7 +100,7 @@ let { ); irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate { - channel = "#krebs"; + channel = "#xxx"; # TODO make nick = config.krebs.build.host.name the default nick = config.krebs.build.host.name; server = "irc.r"; diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 1796609a9..9dc7ae7b1 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -13,6 +13,14 @@ foldl' mergeAttrs {} // { + brscan4 = overrideDerivation super.brscan4 (original: rec { + name = "brscan4-0.4.4-4"; + src = super.fetchurl { + url = "http://download.brother.com/welcome/dlf006645/${name}.amd64.deb"; + sha256 = "0xy5px96y1saq9l80vwvfn6anr2q42qlxdhm6ci2a0diwib5q9fd"; + }; + }); + # TODO use XDG_RUNTIME_DIR? cr = self.writeDashBin "cr" '' set -efu @@ -32,7 +40,7 @@ foldl' mergeAttrs {} exec ${self.firefoxWrapper}/bin/firefox "$@" ''; - gnupg = self.gnupg21; + gnupg = self.gnupg22; # https://github.com/NixOS/nixpkgs/issues/16113 wvdial = let diff --git a/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix b/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix deleted file mode 100644 index 1ef018b33..000000000 --- a/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ coreutils, dpkg, fetchurl, gnugrep, gnused, makeWrapper, mfcl2700dnlpr, -perl, stdenv }: - -stdenv.mkDerivation rec { - name = "mfcl2700dncupswrapper-${meta.version}"; - - src = fetchurl { - url = "http://download.brother.com/welcome/dlf102086/${name}.i386.deb"; - sha256 = "07w48mah0xbv4h8vsh1qd5cd4b463bx8y6gc5x9pfgsxsy6h6da1"; - }; - - nativeBuildInputs = [ dpkg makeWrapper ]; - - phases = [ "installPhase" ]; - - installPhase = '' - dpkg-deb -x $src $out - - basedir=${mfcl2700dnlpr}/opt/brother/Printers/MFCL2700DN - dir=$out/opt/brother/Printers/MFCL2700DN - - substituteInPlace $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \ - --replace /usr/bin/perl ${perl}/bin/perl \ - --replace "basedir =~" "basedir = \"$basedir\"; #" \ - --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #" - - wrapProgram $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \ - --prefix PATH : ${stdenv.lib.makeBinPath [ coreutils gnugrep gnused ]} - - mkdir -p $out/lib/cups/filter - mkdir -p $out/share/cups/model - - ln $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN $out/lib/cups/filter - ln $dir/cupswrapper/brother-MFCL2700DN-cups-en.ppd $out/share/cups/model - ''; - - meta = { - description = "Brother MFC-L2700DN CUPS wrapper driver"; - homepage = "http://www.brother.com/"; - license = stdenv.lib.licenses.gpl2Plus; - maintainers = [ stdenv.lib.maintainers.tv ]; - platforms = stdenv.lib.platforms.linux; - version = "3.2.0-1"; - }; -} diff --git a/tv/5pkgs/simple/mfcl2700dnlpr/default.nix b/tv/5pkgs/simple/mfcl2700dnlpr/default.nix deleted file mode 100644 index fc11b53e9..000000000 --- a/tv/5pkgs/simple/mfcl2700dnlpr/default.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ coreutils, dpkg, fetchurl, ghostscript, gnugrep, gnused, pkgsi686Linux, makeWrapper, perl, stdenv, which }: - -stdenv.mkDerivation rec { - name = "mfcl2700dnlpr-${meta.version}"; - - src = fetchurl { - url = "http://download.brother.com/welcome/dlf102085/${name}.i386.deb"; - sha256 = "170qdzxlqikzvv2wphvfb37m19mn13az4aj88md87ka3rl5knk4m"; - }; - - nativeBuildInputs = [ dpkg makeWrapper ]; - - phases = [ "installPhase" ]; - - installPhase = '' - dpkg-deb -x $src $out - - dir=$out/opt/brother/Printers/MFCL2700DN - - substituteInPlace $dir/lpd/filter_MFCL2700DN \ - --replace /usr/bin/perl ${perl}/bin/perl \ - --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \ - --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #" - - wrapProgram $dir/lpd/filter_MFCL2700DN \ - --prefix PATH : ${stdenv.lib.makeBinPath [ - coreutils ghostscript gnugrep gnused which - ]} - - interpreter=${pkgsi686Linux.stdenv.cc.libc.out}/lib/ld-linux.so.2 - patchelf --set-interpreter "$interpreter" $dir/inf/braddprinter - patchelf --set-interpreter "$interpreter" $dir/lpd/brprintconflsr3 - patchelf --set-interpreter "$interpreter" $dir/lpd/rawtobr3 - ''; - - meta = { - description = "Brother MFC-L2700DN LPR driver"; - homepage = "http://www.brother.com/"; - license = stdenv.lib.licenses.unfree; - maintainers = [ stdenv.lib.maintainers.tv ]; - platforms = stdenv.lib.platforms.linux; - version = "3.2.0-1"; - }; -} diff --git a/tv/source.nix b/tv/source.nix index 18733ee5c..f3bda2715 100644 --- a/tv/source.nix +++ b/tv/source.nix @@ -9,8 +9,8 @@ in { nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix"; nixpkgs.git = { - # nixos-17.03 - ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78"; + # nixos-17.09 + ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887"; url = https://github.com/NixOS/nixpkgs; }; secrets.file = getAttr builder {