Merge remote-tracking branch 'cd/master'

tv/2configs/xserver/default.nix

@@ -1,135 +1,126 @@
-{ config, lib, pkgs, ... }@args:
+{ config, pkgs, ... }@args:
-
 with config.krebs.lib;
-
 let
   # TODO krebs.build.user
   user = config.users.users.tv;
+in {
 
-  out = {
+  environment.systemPackages = [
-    services.xserver.display = 11;
+    pkgs.ff
-    services.xserver.tty = 11;
+    pkgs.gitAndTools.qgit
+    pkgs.mpv
+    pkgs.sxiv
+    pkgs.xsel
+    pkgs.zathura
+  ];
 
-    services.xserver.synaptics = {
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+
+  # TODO dedicated group, i.e. with a single user [per-user-setuid]
+  # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
+  krebs.setuid.slock = {
+    filename = "${pkgs.slock}/bin/slock";
+    group = "wheel";
+    envp = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+      USER = user.name;
+    };
+  };
+
+  services.xserver = {
+    enable = true;
+    display = 11;
+    tty = 11;
+
+    synaptics = {
       enable = true;
       twoFingerScroll = true;
       accelFactor = "0.035";
     };
+  };
 
-    fonts.fonts = [
+  systemd.services.display-manager.enable = false;
-      pkgs.xlibs.fontschumachermisc
+
+  systemd.services.xmonad = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "xserver.service" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+
+      XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+        ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+        ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
+        ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
+        ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+        wait
+      '';
+
+      XMONAD_STATE = "/tmp/xmonad.state";
+
+      # XXX JSON is close enough :)
+      XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+        "Dashboard" # we start here
+        "23"
+        "cr"
+        "ff"
+        "hack"
+        "im"
+        "mail"
+        "stockholm"
+        "za" "zh" "zj" "zs"
+      ]);
+    };
+    serviceConfig = {
+      SyslogIdentifier = "xmonad";
+      ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
+      ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
+      User = user.name;
+      WorkingDirectory = user.home;
+    };
+  };
+
+  systemd.services.xserver = {
+    after = [
+      "systemd-udev-settle.service"
+      "local-fs.target"
+      "acpid.service"
     ];
-
+    reloadIfChanged = true;
-    systemd.services.urxvtd = {
+    environment = {
-      wantedBy = [ "multi-user.target" ];
+      XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
-      reloadIfChanged = true;
+      XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-      serviceConfig = {
+      LD_LIBRARY_PATH = concatStringsSep ":" (
-        ExecReload = need-reload "urxvtd.service";
+        [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
-        ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+        ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
-        Restart = "always";
-        RestartSec = "2s";
-        StartLimitBurst = 0;
-        User = user.name;
-      };
     };
-
+    serviceConfig = {
-    environment.systemPackages = [
+      SyslogIdentifier = "xserver";
-      pkgs.ff
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
-      pkgs.gitAndTools.qgit
+      ExecStart = toString [
-      pkgs.mpv
+        "${pkgs.xorg.xorgserver}/bin/X"
-      pkgs.sxiv
+        ":${toString config.services.xserver.display}"
-      pkgs.xsel
+        "vt${toString config.services.xserver.tty}"
-      pkgs.zathura
+        "-config ${import ./xserver.conf.nix args}"
-    ];
+        "-logfile /dev/null -logverbose 0 -verbose 3"
-
+        "-nolisten tcp"
-    # TODO dedicated group, i.e. with a single user
+        "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
-    # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
-    krebs.setuid.slock = {
-      filename = "${pkgs.slock}/bin/slock";
-      group = "wheel";
-      envp = {
-        DISPLAY = ":${toString config.services.xserver.display}";
-        USER = user.name;
-      };
-    };
-
-    systemd.services.display-manager.enable = false;
-
-    services.xserver.enable = true;
-
-    systemd.services.xmonad = {
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "xserver.service" ];
-      environment = xmonad-environment;
-      serviceConfig = {
-        ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
-        ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
-        User = user.name;
-        WorkingDirectory = user.home;
-      };
-    };
-
-    systemd.services.xserver = {
-      after = [
-        "systemd-udev-settle.service"
-        "local-fs.target"
-        "acpid.service"
       ];
-      reloadIfChanged = true;
-      environment = xserver-environment;
-      serviceConfig = {
-        ExecReload = need-reload "xserver.service";
-        ExecStart = toString [
-          "${pkgs.xorg.xorgserver}/bin/X"
-          ":${toString config.services.xserver.display}"
-          "vt${toString config.services.xserver.tty}"
-          "-config ${import ./xserver.conf.nix args}"
-          "-logfile /var/log/X.${toString config.services.xserver.display}.log"
-          "-nolisten tcp"
-          "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
-        ];
-      };
     };
   };
 
-  xmonad-environment = {
+  systemd.services.urxvtd = {
-    DISPLAY = ":${toString config.services.xserver.display}";
+    wantedBy = [ "multi-user.target" ];
-
+    reloadIfChanged = true;
-    XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+    serviceConfig = {
-      ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+      SyslogIdentifier = "urxvtd";
-      ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
-      ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
+      ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
-      ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+      Restart = "always";
-      wait
+      RestartSec = "2s";
-    '';
+      StartLimitBurst = 0;
-
+      User = user.name;
-    XMONAD_STATE = "/tmp/xmonad.state";
+    };
-
-    # XXX JSON is close enough :)
-    XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
-      "Dashboard" # we start here
-      "23"
-      "cr"
-      "ff"
-      "hack"
-      "im"
-      "mail"
-      "stockholm"
-      "za" "zh" "zj" "zs"
-    ]);
   };
-
+}
-  xserver-environment = {
-    XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
-    XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-    LD_LIBRARY_PATH = concatStringsSep ":" (
-      [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
-      ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
-  };
-
-  need-reload = s: toString [
-    "${pkgs.writeDashBin "need-reload" ''echo "$*"''}/bin/need-reload"
-    (shell.escape s)
-  ];
-
-in out

tv/5pkgs/ff/default.nix

@@ -1,8 +1,12 @@
 { pkgs, ... }:
 
-pkgs.writeScriptBin "ff" ''
+# TODO use krebs.setuid
- #! ${pkgs.bash}/bin/bash
+# This requires that we can create setuid executables that can only be accessed
- exec sudo -u ff -i <<EOF
+# by a single user. [per-user-setuid]
+
+# using bash for %q
+pkgs.writeBashBin "ff" ''
+ exec /var/setuid-wrappers/sudo -u ff -i <<EOF
  exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
  EOF
 ''