diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix
index 7a78880ea..8427ca50b 100644
--- a/krebs/3modules/brockman.nix
+++ b/krebs/3modules/brockman.nix
@@ -11,10 +11,12 @@ in {
   config = mkIf cfg.enable {
     users.extraUsers.brockman = {
       home = "/var/lib/brockman";
+      group = "brockman";
       createHome = true;
       isSystemUser = true;
       uid = genid_uint31 "brockman";
     };
+    users.groups.brockman = {};
 
     systemd.services.brockman = {
       description = "RSS to IRC broadcaster";
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index e55bd95ea..c30f31e31 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -319,6 +319,7 @@ let
 
     users.extraUsers.buildbotMaster = {
       uid = genid "buildbotMaster";
+      group = "buildbotMaster";
       description = "Buildbot Master";
       home = cfg.workDir;
       createHome = false;
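Review bot: The user now points at group `buildbotMaster`, but nothing in this hunk declares that group, whereas every other module touched by this commit pairs the `group =` line with a `users.groups.<name> = {};`. If the group is not declared elsewhere in master.nix (the rest of the file is outside the hunk), add `users.groups.buildbotMaster = {};` beside the user definition so activation does not end up with a user whose primary group does not exist. The enclosing attrset starts and ends outside the hunk.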
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index d877b9911..f97b50def 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -128,6 +128,7 @@ let
 
     users.extraUsers.buildbotSlave = {
       uid = genid "buildbotSlave";
+      group = "buildbotSlave";
       description = "Buildbot Slave";
       home = cfg.workDir;
       createHome = false;
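Review bot: As with the master module, `group = "buildbotSlave"` is set here without a visible `users.groups.buildbotSlave = {};`, unlike the other modules in this commit which declare the group next to the user. If slave.nix does not define the group elsewhere (not visible in this hunk), add `users.groups.buildbotSlave = {};` alongside the user. The enclosing attrset starts and ends outside the hunk.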
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index 9421576df..71eed6c69 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -66,11 +66,14 @@ let
 
     users.users.${user.name} = {
       inherit (user) uid;
+      group = user.name;
       home = cfg.dataDir;
       isSystemUser = true;
     };
   };
 
+  users.groups.${user.name} = {};
+
   user = rec {
     mail = "${name}@${config.krebs.build.host.name}";
     name = "github-hosts-sync";
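Review bot: The new `users.groups.${user.name} = {};` is placed after the `};` that, by indentation, closes the config attrset, so it sits as a `let` binding next to `user = rec {` rather than inside the module's config. Nix does not accept dynamic attribute names in `let` (`dynamic attributes not allowed in let`), so as far as this hunk shows the file will fail to parse; and even if it parsed, the binding would never reach `config`, leaving the user with a primary group that is not created. Move it inside the attrset, directly after the `users.users.${user.name}` block: `    users.groups.${user.name} = {};`. The enclosing `let` starts outside the hunk, so I am inferring the structure from the closing braces visible here.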
diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix
index 517dad76f..4221703ec 100644
--- a/krebs/3modules/htgen.nix
+++ b/krebs/3modules/htgen.nix
@@ -69,10 +69,13 @@ let
     users.users = mapAttrs' (name: htgen:
       nameValuePair htgen.user.name {
         inherit (htgen.user) home name uid;
+        group = htgen.user.name;
         createHome = true;
         isSystemUser = true;
       }
     ) cfg;
 
+    users.groups = mapAttrs (_: _: {}) cfg;
+
   };
 in out
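Review bot: `users.groups = mapAttrs (_: _: {}) cfg;` creates one group per cfg attribute name, but the users defined just above are named `htgen.user.name` and assigned `group = htgen.user.name`, so the two only line up if every `htgen.user.name` equals its cfg key. That is not guaranteed by anything in this hunk (the default for `user.name` is outside it, and the option is user-settable), and a mismatch leaves each htgen user with a non-existent primary group. Mirror the users definition instead: `users.groups = mapAttrs' (_: htgen: nameValuePair htgen.user.name {}) cfg;`.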
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 1fa6012cf..167afed2c 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -59,10 +59,13 @@ let
 
     users.extraUsers.realwallpaper = {
       uid = genid "realwallpaper";
+      group = "realwallpaper";
       home = cfg.workingDir;
       createHome = true;
       isSystemUser = true;
     };
+
+    users.groups.realwallpaper = {};
   };
 
 in
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 7a414e6e3..733db69ca 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -128,9 +128,12 @@ let
 
     users.extraUsers.tinc_graphs = {
       uid = genid_uint31 "tinc_graphs";
+      group = "tinc_graphs";
       home = "/var/spool/tinc_graphs";
       isSystemUser = true;
     };
+    users.groups.tinc_graphs = {};
+
     services.nginx = mkIf cfg.nginx.enable {
       enable = mkDefault true;
       virtualHosts = {
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index da23245ae..8678a40cd 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2",
-  "date": "2021-11-17T14:17:56+01:00",
-  "path": "/nix/store/85yrz3ygrzkgw87fp3j42i1i9f4vf0n0-nixpkgs",
-  "sha256": "152kxfk11mgwg8gx0s1rgykyydfb7s746yfylvbwk5mk5cv4z9nv",
+  "rev": "6daa4a5c045d40e6eae60a3b6e427e8700f1c07f",
+  "date": "2021-12-01T17:29:12+01:00",
+  "path": "/nix/store/g62v0nj6b8v9qb5q0wxjss9q8y9qcg3r-nixpkgs",
+  "sha256": "1wg55jlxyvbjvm8x2rcirmvqws4y8xq504dn3yjp05m1bajhpj5r",
   "fetchLFS": false,
   "fetchSubmodules": false,
   "deepClone": false,
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index d6d70faf6..e219581a1 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "24528474d2b3370f2f23879a557ae2cc92a5d50b",
-  "date": "2021-11-19T11:04:27+01:00",
-  "path": "/nix/store/f435816nqq7y14ar1haadw228nbxnh33-nixpkgs",
-  "sha256": "0pdmqzk1l7cwwfp005kzv0dwnmg8xnskzc745052gdxp8pzh1w45",
+  "rev": "a640d8394f34714578f3e6335fc767d0755d78f9",
+  "date": "2021-12-01T16:06:54+01:00",
+  "path": "/nix/store/88zw2qrbzaq3bnnsmz9qc4lvkwg0168g-nixpkgs",
+  "sha256": "1dyyzgcmlhpsdb4ngiy8m0x10qmh0r56ky75r8ppvvh730m3lhfj",
   "fetchLFS": false,
   "fetchSubmodules": false,
   "deepClone": false,
diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh
index 368a3ecb3..bc421a75f 100755
--- a/krebs/update-nixpkgs.sh
+++ b/krebs/update-nixpkgs.sh
@@ -3,7 +3,7 @@ dir=$(dirname $0)
 oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
   --url https://github.com/NixOS/nixpkgs \
-  --rev refs/heads/nixos-21.05' \
+  --rev refs/heads/nixos-21.11' \
 > $dir/nixpkgs.json
 newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"
diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix
index b033477fe..6be047300 100644
--- a/lass/1systems/coaxmetal/physical.nix
+++ b/lass/1systems/coaxmetal/physical.nix
@@ -56,14 +56,4 @@
     xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2
     xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5
   '';
-
-  # https://forums.lenovo.com/t5/Fedora/T14s-AMD-Trackpoint-almost-unusable/m-p/5064952?page=4
-  # https://bugzilla.kernel.org/show_bug.cgi?id=209167#c1
-  boot.kernelPatches = [{
-    name = "fix-trackpoint-jumping";
-    patch = pkgs.fetchurl {
-      url = "https://patchwork.kernel.org/project/linux-input/patch/20210729010940.5752-1-phoenix@emc.com.tw/raw/";
-      sha256 = "0apbf7c8w830dbdsrmxpip90d5zbg74a939x89jfgpvm5gbdqdjg";
-    };
-  }];
 }
diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix
index d8f1ae888..b84221155 100644
--- a/lass/2configs/bitlbee.nix
+++ b/lass/2configs/bitlbee.nix
@@ -11,9 +11,22 @@ with (import <stockholm/lib>);
       pkgs.bitlbee-discord
     ];
     libpurple_plugins = [
-      # pkgs.telegram-purple
-      pkgs.tdlib-purple
+      pkgs.telegram-purple
+      # pkgs.tdlib-purple
       # pkgs.purple-gowhatsapp
     ];
   };
+
+  users.users.bitlbee = {
+    uid = genid_uint31 "bitlbee";
+    isSystemUser = true;
+    group = "bitlbee";
+  };
+  users.groups.bitlbee = {};
+
+  systemd.services.bitlbee.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "bitlbee";
+    StateDirectory = lib.mkForce null;
+  };
 }
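Review bot: Forcing `DynamicUser = false` silently drops the sandboxing that `DynamicUser=yes` implies in systemd (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges), so the bitlbee process now runs with a persistent uid and none of that confinement unless the upstream unit sets it separately, which this hunk cannot show. Nulling `StateDirectory` also means systemd no longer creates or chowns the state directory, so whatever directory the bitlbee module uses must now exist and be owned by `bitlbee:bitlbee` by some other means, or account data will not persist. I would restate the hardening explicitly and set `Group` alongside `User`, with a `ReadWritePaths` entry for the state directory once its path is confirmed.

```nix
  systemd.services.bitlbee.serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "bitlbee";
    Group = "bitlbee";
    StateDirectory = lib.mkForce null;
    # DynamicUser=yes implied these; restate them now that it is off
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    NoNewPrivileges = true;
    RemoveIPC = true;
    # TODO: ReadWritePaths must cover bitlbee's config/state directory (path not visible here)
  };
```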
diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix
index be9c32809..b303df938 100644
--- a/lass/2configs/hass/default.nix
+++ b/lass/2configs/hass/default.nix
@@ -119,13 +119,10 @@ in {
 
   services.mosquitto = {
     enable = true;
-    host = "0.0.0.0";
-    allowAnonymous = false;
-    checkPasswords = true;
-    users.gg23 = {
-      password = "gg23-mqtt";
-      acl = [ "topic readwrite #" ];
-    };
+    listeners = [{
+      acl = [ "topic pattern readwrite #" ];
+      users.gg23 = { acl = [ "topic readwrite #" ]; password = "gg23-mqtt"; };
+    }];
   };
 
   environment.systemPackages = [ pkgs.mosquitto ];
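Review bot: The migrated listener keeps `password = "gg23-mqtt"` as a literal, which the module writes into a password file derived from the world-readable Nix store and which also lands in this repository; the listener `users` options in the new module offer `passwordFile`/`hashedPasswordFile` for exactly this, e.g. `users.gg23 = { acl = [ "topic readwrite #" ]; passwordFile = "<path outside the store>"; };`. Separately, the listener-level `acl = [ "topic pattern readwrite #" ]` grants every authenticated client readwrite on all topics, which makes the per-user `topic readwrite #` redundant and worth a comment if both are intended. The old config pinned `host = "0.0.0.0"` and `allowAnonymous = false` explicitly; the new listener sets no `address` or `allow_anonymous`, so it relies on module defaults that are not visible here — a comment stating the intended bind address and that anonymous access is off would save the next reader a trip to the module.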
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index c3d4de84d..b1011ced0 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -28,23 +28,22 @@
       session required pam_permit.so
     '';
 
-    security.pam.services.dovecot2 = {
-      text = ''
-        auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
-        auth required pam_permit.so
-        account required pam_permit.so
-        session required pam_permit.so
-        session required pam_env.so envfile=${config.system.build.pamEnvironment}
-      '';
-    };
+    security.pam.services.dovecot2.text = ''
+      auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
+      auth required pam_permit.so
+      account required pam_permit.so
+      session required pam_permit.so
+    '';
 
     security.wrappers.shadow_verify_pam = {
       source = "${usershadow}/bin/verify_pam";
       owner = "root";
+      group = "root";
     };
     security.wrappers.shadow_verify_arg = {
       source = "${usershadow}/bin/verify_arg";
       owner = "root";
+      group = "root";
     };
   };
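Review bot: Both `security.wrappers` entries now name owner and group but still say nothing about `setuid`, `setgid` or `permissions`, so the privilege each wrapper grants rests entirely on the module's defaults. If `verify_pam` must read per-user shadow files that the dovecot auth process cannot (what `cfg.pattern` matches is outside this hunk), it needs `setuid = true;` written out; if it does not, the wrapper adds nothing over calling `${usershadow}/bin/verify_pam` directly from the PAM line. Either way, add a one-line comment above each wrapper stating which case applies, since a root-owned helper that receives the password via `expose_authtok` is precisely where the intended privilege should be explicit.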