From 61bc72c4b4d19c612ea65c8f75762eca6e5ac535 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 2 Dec 2022 09:18:41 +0100
Subject: [PATCH 01/11] 22.05 -> 22.11

---
 krebs/update-nixpkgs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh
index 59dbd91b5..97c069d86 100755
--- a/krebs/update-nixpkgs.sh
+++ b/krebs/update-nixpkgs.sh
@@ -3,7 +3,7 @@ dir=$(dirname $0)
 oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
   --url https://github.com/NixOS/nixpkgs \
-  --rev refs/heads/nixos-22.05' \
+  --rev refs/heads/nixos-22.11' \
 > $dir/nixpkgs.json
 newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"

From ad122be3b9dff8a186489bc8635f46e3db0f7559 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 2 Dec 2022 09:19:08 +0100
Subject: [PATCH 02/11] nixpkgs: 6474d93 -> 596a8e8

---
 krebs/nixpkgs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index f836f63f9..b6d46f1f9 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
-  "date": "2022-11-16T11:41:31+01:00",
-  "path": "/nix/store/z86f31carhz3sf78kn3lkyq748drgp63-nixpkgs",
-  "sha256": "00swm7hz3fjyzps75bjyqviw6dqg2cc126wc7lcc1rjkpdyk5iwg",
+  "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502",
+  "date": "2022-11-30T14:03:12-05:00",
+  "path": "/nix/store/vax0irdsk8gvczikw219vj079mck6j6r-nixpkgs",
+  "sha256": "1n524a44p2kprk65zx2v6793kmxjpz1qm1ilxk82vq0vg0c5jy32",
   "fetchLFS": false,
   "fetchSubmodules": false,
   "deepClone": false,

From b7a24272db3d2ed342af7d9b979b8585408a640a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 2 Dec 2022 14:24:46 +0100
Subject: [PATCH 03/11] krebs: set defaultLocale

---
 krebs/2configs/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 38d770316..fffe128e6 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -27,9 +27,6 @@ with import <stockholm/lib>;
   ];
 
   console.keyMap = "us";
-  i18n = {
-    defaultLocale = lib.mkForce "C";
-  };
 
   programs.ssh.startAgent = false;
 
@@ -60,4 +57,7 @@ with import <stockholm/lib>;
 
   # The NixOS release to be compatible with for stateful data such as databases.
   system.stateVersion = "17.03";
+
+  # maybe fix Error: unsupported locales detected:
+  i18n.defaultLocale = mkDefault "C.UTF-8";
 }
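Review bot: The added comment `# maybe fix Error: unsupported locales detected:` ends in a colon and names neither where the error came from nor what was changed, so the next reader cannot tell whether the workaround is still needed; please complete it, e.g. `# i18n: "C.UTF-8" instead of "C" to avoid the "unsupported locales detected" error; mkDefault so a host can override`. Note that the first hunk removed `lib.mkForce "C"` and this one adds `mkDefault "C.UTF-8"`, so the priority drops from forced to default and any other module setting `i18n.defaultLocale` now wins where it previously lost — presumably intended, but worth one sentence in the commit message. The unqualified `mkDefault` relies on the `with import <stockholm/lib>;` visible in the hunk header, so that is fine.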

From 2d5f0db519c70c5f6340d546612d5d3daec3d2be Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 2 Dec 2022 16:30:47 +0100
Subject: [PATCH 04/11] mastodon: use nonsense mail

---
 krebs/2configs/mastodon.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index d0c1943cc..86e2ec437 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -15,7 +15,7 @@
     configureNginx = true;
     trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
     smtp.createLocally = false;
-    smtp.fromAddress = "mastodon@social.krebsco.de";
+    smtp.fromAddress = "derp";
   };
 
   services.nginx.virtualHosts.${config.services.mastodon.localDomain} = {
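Review bot: `smtp.fromAddress = "derp"` is not an addr-spec, so any notification Mastodon still tries to send (the outbound SMTP server is not visible here, only `smtp.createLocally = false`) will carry a `From:` header that receiving MTAs are likely to reject or quarantine, and failures will surface only in Sidekiq logs. If the goal is that no mail leaves this instance, a comment saying so, e.g. `# placeholder: outbound mail is intentionally unused on this instance`, makes the nonsense value deliberate rather than a typo; otherwise a syntactically valid address on a domain whose SPF record covers the sending host is the safer value. The `services.mastodon` attribute set this belongs to starts before the hunk.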

From 8a6f835acb621cacabb0a3d158c26a0fcacf9e7d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 2 Dec 2022 16:31:01 +0100
Subject: [PATCH 05/11] mastodon: add create-mastodon-user helper

---
 krebs/2configs/mastodon.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
index 86e2ec437..145b383ed 100644
--- a/krebs/2configs/mastodon.nix
+++ b/krebs/2configs/mastodon.nix
@@ -36,5 +36,11 @@
     (pkgs.writers.writeDashBin "tootctl" ''
       sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@"
     '')
+    (pkgs.writers.writeDashBin "create-mastodon-user" ''
+      set -efu
+      nick=$1
+      /run/current-system/sw/bin/tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed
+      /run/current-system/sw/bin/tootctl accounts approve "$nick"
+    '')
   ];
 }
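Review bot: `nick=$1` is passed unvalidated both as a tootctl argument and as the local part of the generated e-mail address, so a value starting with `-` would be parsed by tootctl as an option, and characters outside a plain username set end up in an account that the script then marks `--confirmed` and approves without any human check. A one-line guard after the assignment keeps the helper to its intended inputs: `case $nick in (""|-*|*[!A-Za-z0-9_]*) echo "invalid nick: $nick" >&2; exit 1;; esac` (double quotes rather than `''`, since the script lives inside a Nix indented string). Because `tootctl accounts create` prints the new account's initial password to the terminal (from memory of tootctl, please verify), a short comment on the wrapper that the caller must hand that password over out of band would also help. The systemPackages list this wrapper is appended to starts before the hunk.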

From 0c54380529411e8b8bfff83a377343f38c57c21c Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 2 Dec 2022 17:31:25 +0100
Subject: [PATCH 06/11] l libvirt: enable polkit

---
 lass/2configs/libvirt.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index 78d5ae0e9..d391e0d7b 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 
 {
-  users.users.mainUser.extraGroups = [ "libvirtd" ];
   virtualisation.libvirtd.enable = true;
+  security.polkit.enable = true;
 
   krebs.iptables.tables.filter.INPUT.rules = [
     { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
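Review bot: Dropping mainUser from the `libvirtd` group while only enabling polkit leaves no visible grant for `org.libvirt.unix.manage`, so unless a polkit rule exists elsewhere in the configuration mainUser will be asked for admin authentication on every libvirt connection, and non-interactive clients will simply be denied. If passwordless access for that one user is still wanted, a polkit rule scoped to the action and the user is the least-privilege replacement for the group membership; a constructed example follows. The `krebs.iptables` rule list at the end of the hunk continues outside it.
```nix
  virtualisation.libvirtd.enable = true;
  security.polkit.enable = true;
  # constructed example: grant libvirt management to mainUser only,
  # replacing the broader libvirtd group membership
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (action.id == "org.libvirt.unix.manage" &&
          subject.user == "${config.users.users.mainUser.name}") {
        return polkit.Result.YES;
      }
    });
  '';
  # … unchanged: krebs.iptables rules …
```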

From 5d0d1993b6207c283189a2c81c8c76f549d44b2a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Dec 2022 14:03:41 +0100
Subject: [PATCH 07/11] l websites: use default php

---
 lass/2configs/websites/util.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 22b1669b0..bffa1036b 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -174,7 +174,6 @@ rec {
       services.phpfpm.pools."${domain}" = {
         user = "nginx";
         group = "nginx";
-        phpPackage = pkgs.php74;
         extraConfig = ''
           listen = /srv/http/${domain}/phpfpm.pool
           pm = dynamic
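Review bot: With the `phpPackage = pkgs.php74` pin gone, this pool and the identical one in the hunk at `@@ -228,7 +227,6 @@` now get nixpkgs' default `php`, which after the 22.11 bump earlier in this series is a major version step beyond 7.4; the applications served from `/srv/http/${domain}` are not visible here, so please confirm they run on the new default before deploying. A one-line comment at the pool, `# php: intentionally unpinned, follows the nixpkgs default (php74 is end-of-life)`, records why the pin was dropped so nobody reintroduces it. The `rec { … }` set enclosing both pools starts and ends outside the hunk.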
@@ -228,7 +227,6 @@ rec {
       services.phpfpm.pools."${domain}" = {
         user = "nginx";
         group = "nginx";
-        phpPackage = pkgs.php74;
         extraConfig = ''
           listen = /srv/http/${domain}/phpfpm.pool
           pm = dynamic

From 45ce420a0c5fc783d364107a3ad290615ddaa7e6 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 6 Dec 2022 13:46:29 +0100
Subject: [PATCH 08/11] nixpkgs-unstable: b457130 -> 14ddeae

---
 krebs/nixpkgs-unstable.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index a5d67f2fc..897af6482 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "b457130e8a21608675ddf12c7d85227b22a27112",
-  "date": "2022-11-16T11:03:19+00:00",
-  "path": "/nix/store/jr123qfmrl53imi48naxh6zs486fqmz2-nixpkgs",
-  "sha256": "16cjrr3np3f428lxw8yk6n2dqi7mg08zf6h6gv75zpw865jz44df",
+  "rev": "14ddeaebcbe9a25748221d1d7ecdf98e20e2325e",
+  "date": "2022-12-04T12:18:32+01:00",
+  "path": "/nix/store/xnxll37bfls7a3g969avyvb2cic0g0f3-nixpkgs",
+  "sha256": "0bix6746zmifas85mkb49g0szkdza4ajzdfbix4cdan9ig06v6rc",
   "fetchLFS": false,
   "fetchSubmodules": false,
   "deepClone": false,

From b9f38f6cda90824e85d657707b4cdc80aed26988 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 6 Dec 2022 19:44:30 +0100
Subject: [PATCH 09/11] ssl: move rootCA to 6assets

---
 krebs/3modules/ssl.nix        | 21 +--------------------
 krebs/6assets/krebsRootCA.crt | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 20 deletions(-)
 create mode 100644 krebs/6assets/krebsRootCA.crt

diff --git a/krebs/3modules/ssl.nix b/krebs/3modules/ssl.nix
index 3a9b5d329..8cbd8dcce 100644
--- a/krebs/3modules/ssl.nix
+++ b/krebs/3modules/ssl.nix
@@ -5,26 +5,7 @@ in {
     rootCA = lib.mkOption {
       type = lib.types.str;
       readOnly = true;
-      default = ''
-        -----BEGIN CERTIFICATE-----
-        MIIC0jCCAjugAwIBAgIJAKeARo6lDD0YMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD
-        VQQGEwJaWjESMBAGA1UECAwJc3RhdGVsZXNzMRAwDgYDVQQKDAdLcmVic2NvMQsw
-        CQYDVQQLDAJLTTEWMBQGA1UEAwwNS3JlYnMgUm9vdCBDQTEnMCUGCSqGSIb3DQEJ
-        ARYYcm9vdC1jYUBzeW50YXgtZmVobGVyLmRlMB4XDTE0MDYxMTA4NTMwNloXDTM5
-        MDIwMTA4NTMwNlowgYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3Mx
-        EDAOBgNVBAoMB0tyZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBS
-        b290IENBMScwJQYJKoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUw
-        gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMs/WNyeQziccllLqom7bfCjlh6/
-        /qx9p6UOqpw96YOOT3sh/mNSBLyNxIUJbWsU7dN5hT7HkR7GwzpfKDtudd9qiZeU
-        QNYQ+OL0HdOnApjdPqdspZfKxKTXyC1T1vJlaODsM1RBrjLK9RUcQZeNhgg3iM9B
-        HptOCrMI2fjCdZuVAgMBAAGjUDBOMB0GA1UdDgQWBBSKeq01+rAwp7yAXwzlwZBo
-        3EGVLzAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGVLzAMBgNVHRMEBTAD
-        AQH/MA0GCSqGSIb3DQEBBQUAA4GBAIWIffZuQ43ddY2/ZnjAxPCRpM3AjoKIwEj9
-        GZuLJJ1sB9+/PAPmRrpmUniRkPLD4gtmolDVuoLDNAT9os7/v90yg5dOuga33Ese
-        725musUbhEoQE1A1oVHrexBs2sQOplxHKsVXoYJp2/trQdqvaNaEKc3EeVnzFC63
-        80WiO952
-        -----END CERTIFICATE-----
-      '';
+      default = builtins.readFile ../6assets/krebsRootCA.crt;
     };
     intermediateCA = lib.mkOption {
       type = lib.types.str;
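Review bot: The certificate is moved unchanged, and if I read the DER in the removed lines correctly it is a 1024-bit RSA key signed with sha1WithRSAEncryption (the `MA0GCSqGSIb3DQEBBQUA` algorithm identifier, versus `…DQEBCwUA` for SHA-256 in the ACME CA later in this series) with a notAfter around 2039, both below current guidance even for a private PKI. A comment on the option, e.g. `# Krebs Root CA (RSA-1024, SHA-1 signature; private PKI only) — see 6assets/krebsRootCA.crt`, makes that trust boundary explicit, and planning a rotation to a stronger root is worth a follow-up since the ACME CA chains to it. `builtins.readFile` returns the file verbatim, so the result matches the old indented string only if the asset ends with a single newline as the `''` string did — please check the new file. The option set containing `rootCA` continues outside the hunk.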
diff --git a/krebs/6assets/krebsRootCA.crt b/krebs/6assets/krebsRootCA.crt
new file mode 100644
index 000000000..3938c58b4
--- /dev/null
+++ b/krebs/6assets/krebsRootCA.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

From 2b74d084deba00babaa94f83ea47c4291cf1081a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 6 Dec 2022 19:44:45 +0100
Subject: [PATCH 10/11] update ACME CA

---
 krebs/6assets/krebsAcmeCA.crt | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt
index 1cd5aed0b..bf05b44f4 100644
--- a/krebs/6assets/krebsAcmeCA.crt
+++ b/krebs/6assets/krebsAcmeCA.crt
@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICWTCCAcKgAwIBAgIQbAfVX2J0VIzhEYSPVAB4SzANBgkqhkiG9w0BAQsFADCB
+MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB
 gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
 YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
-hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMTAwODQ5
-MDZaFw0yMjEyMTAwODQ5MDZaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
-BgcqhkjOPQIBBggqhkjOPQMBBwNCAATL8dNO7ajNe60Km7wHrG06tCUj5kQKWsrQ
-Ay7KX8zO+RwQpYhd/i4bqpeGkGWh8uHLZ+164FlZaLgHO10DRja5o4GAMH4wDgYD
-VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFMt9yJED
-mPRhXsrNZ0x+GtzjdnTLMB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
-MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEANo/2
-teIuEsniwxVdqu+ukjqOXHIkBK7F91+G7BuDjBlx2U96v1MwsmT4D9upajERnOOD
-tLx990Sj4t3avRTpytt+qLeIMIxt62YksUXVjDWndqaDcEUat5ZVEQsZ0ZmjOHrA
-BaB65eU0xhJWKAZdk55GqHEFz3Ym4rx7WUaomzk=
+hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2
+MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr
+qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD
+VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj
+SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
+MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt
+XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4
+20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9
+MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc=
 -----END CERTIFICATE-----
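Review bot: The new ACME CA again carries a one-year validity — decoding the `Fw0yMjEyMDYxODI2MDha` / `Fw0yMzEyMDYxODI2MDha` fields gives 2022-12-06 to 2023-12-06 — and the one it replaces appears to have expired on 2022-12-10, four days after this commit, so the rotation was done by hand and just in time. Please record the notAfter somewhere discoverable, e.g. a comment `# krebsAcmeCA.crt expires 2023-12-06 (one-year lifetime; renew before)` next to wherever the asset is read, and consider a periodic check that warns before the date rather than relying on memory. As far as I can tell from the base64 the intermediate is a P-256 key with pathlen 0 and name constraints, issued by the RSA-1024 root moved in the previous patch, so the chain's strength is bounded by that root.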

From 2eb33e60b45c2b37d51a57b0fbe4a023861a7429 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 7 Dec 2022 19:25:46 +0100
Subject: [PATCH 11/11] Revert "exim-smarthost: check SPF"

This reverts commit 426d6e2e5cdbe52cf776400cec85036f4cb86b79.
---
 krebs/3modules/exim-smarthost.nix | 33 +------------------------------
 1 file changed, 1 insertion(+), 32 deletions(-)

diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 5923b610d..38cc828bb 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -126,9 +126,8 @@ let
         domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains}
         hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts}
 
-        acl_smtp_data = acl_check_data
-        acl_smtp_mail = acl_check_mail
         acl_smtp_rcpt = acl_check_rcpt
+        acl_smtp_data = acl_check_data
 
         never_users = root
 
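Review bot: The revert removes SPF enforcement outright — this hunk drops `acl_smtp_mail = acl_check_mail` and the second hunk at `@@ -180,36 +179,6 @@` deletes `acl_check_mail` — but the message only says what it reverts, not why; if the cause is that the exim in the nixpkgs 22.11 bump earlier in this series lacks SPF support, or that legitimate relays were being rejected, please state it so the check is not reintroduced blind. If the `spf` condition still evaluates on this build, a warn-only ACL that logs `$spf_result` and stamps `$spf_received` keeps the visibility without the rejections; a constructed version follows. The `let` binding holding this exim configuration starts before the hunk.
```nix
        acl_smtp_mail = acl_check_mail
        acl_smtp_rcpt = acl_check_rcpt
        acl_smtp_data = acl_check_data
        # … unchanged: never_users, begin acl, acl_check_rcpt …
        acl_check_mail:
          accept
            sender_domains = +sender_domains
            hosts = +relay_from_hosts
          warn
            spf = fail : softfail : permerror : temperror : none : neutral
            log_message = spf=$spf_result
          accept
            add_header = $spf_received
```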
@@ -180,36 +179,6 @@ let
 
           accept
 
-        acl_check_mail:
-          accept
-            sender_domains = +sender_domains
-            hosts = +relay_from_hosts
-          deny
-            spf = fail : softfail
-            log_message = spf=$spf_result
-            message = SPF validation failed: \
-                    $sender_host_address is not allowed to send mail from \
-                    ''${if def:sender_address_domain\
-                           {$sender_address_domain}\
-                           {$sender_helo_name}}
-          deny
-            spf = permerror
-            log_message = spf=$spf_result
-            message = SPF validation failed: \
-                    syntax error in SPF record(s) for \
-                    ''${if def:sender_address_domain\
-                           {$sender_address_domain}\
-                           {$sender_helo_name}}
-          defer
-            spf = temperror
-            log_message = spf=$spf_result; deferred
-            message = temporary error during SPF validation; \
-                    please try again later
-          warn
-            spf = none : neutral
-            log_message = spf=$spf_result
-          accept
-            add_header = $spf_received
 
         begin routers