Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2020-08-11 12:12:13 +02:00
commit 4cb0ff12ba
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
33 changed files with 364 additions and 75 deletions


@ -5,7 +5,7 @@
, MPlayerPlugin, ffmpeg, xorg, libpulseaudio, libcanberra-gtk2 , MPlayerPlugin, ffmpeg, xorg, libpulseaudio, libcanberra-gtk2
, jrePlugin, icedtea_web , jrePlugin, icedtea_web
, bluejeans, djview4, adobe-reader , bluejeans, djview4, adobe-reader
, google_talk_plugin, fribid, gnome3/*.gnome-shell*/ , fribid, gnome3/*.gnome-shell*/
, esteidfirefoxplugin ? "" , esteidfirefoxplugin ? ""
, browserpass, chrome-gnome-shell, uget-integrator, plasma-browser-integration, bukubrow , browserpass, chrome-gnome-shell, uget-integrator, plasma-browser-integration, bukubrow
, udev , udev
@ -82,7 +82,6 @@ let
++ lib.optional (cfg.enableMPlayer or false) (MPlayerPlugin browser) ++ lib.optional (cfg.enableMPlayer or false) (MPlayerPlugin browser)
++ lib.optional (supportsJDK && jre && jrePlugin ? mozillaPlugin) jrePlugin ++ lib.optional (supportsJDK && jre && jrePlugin ? mozillaPlugin) jrePlugin
++ lib.optional icedtea icedtea_web ++ lib.optional icedtea icedtea_web
++ lib.optional (cfg.enableGoogleTalkPlugin or false) google_talk_plugin
++ lib.optional (cfg.enableFriBIDPlugin or false) fribid ++ lib.optional (cfg.enableFriBIDPlugin or false) fribid
++ lib.optional (cfg.enableGnomeExtensions or false) gnome3.gnome-shell ++ lib.optional (cfg.enableGnomeExtensions or false) gnome3.gnome-shell
++ lib.optional (cfg.enableBluejeans or false) bluejeans ++ lib.optional (cfg.enableBluejeans or false) bluejeans


@ -14,6 +14,7 @@
<stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/nscd-fix.nix> <stockholm/krebs/2configs/nscd-fix.nix>
<stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
]; ];
krebs.build.host = config.krebs.hosts.hotdog; krebs.build.host = config.krebs.hosts.hotdog;


@ -5,7 +5,7 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts.build = { virtualHosts.build = {
serverAliases = [ "build.${config.networking.hostName}.r" ]; serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ];
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";


@ -14,7 +14,7 @@ let
confirmation=no confirmation=no
''; '';
in { in {
pattern = "^${name}-([a-z]+)(?::\\s*(.*))?"; pattern = "^${name}-([a-z]+)(?::?\\s*(.*))?";
activate = "match"; activate = "match";
command = 1; command = 1;
arguments = [2]; arguments = [2];
@ -76,7 +76,7 @@ let
}; };
} }
{ {
pattern = ''^(\S+)\s+([+-][1-9][0-9]*)\s+(\S+)$''; pattern = ''^([\w-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';
activate = "match"; activate = "match";
arguments = [1 2 3]; arguments = [1 2 3];
command = { command = {
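Review bot: The new pattern on the `pattern = ''^([\w-]*):?\s+...''` line admits an empty name, because `[\w-]*` matches zero characters; a message such as ` +1 foo` now matches with group 1 empty, whereas the previous `(\S+)` required something before the number. Unless the command behind `arguments = [1 2 3]` is known to cope with an empty first argument, `pattern = ''^([\w-]+):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';` keeps the narrower character class without that hole. The first hunk's `(?::?\s*(.*))?` makes the colon optional; a short comment on that line saying both `name-cmd: arg` and `name-cmd arg` are accepted would spare the next reader a regex parse. Both hunks sit inside a `let` block that continues outside the hunk.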

19
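--- /dev/null
+++ b/krebs/2configs/wiki.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+services.gollum = {
+enable = true;
+};
+networking.firewall.allowedTCPPorts = [ 80 ];
+services.nginx = {
+enable = true;
+virtualHosts.wiki = {
+serverAliases = [ "wiki.r" "wiki.${config.networking.hostName}.r" ];
+locations."/".extraConfig = ''
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
+'';
+};
+};
+}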
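Review bot: The gollum wiki is proxied over plain HTTP with no authentication and port 80 is opened in the firewall, so every host that can reach `wiki.r` or `wiki.<host>.r` can read and edit pages. If that is the intent for the retiolum-only aliases, a one-line comment on `virtualHosts.wiki` saying the wiki is deliberately open to the VPN would save the next reader the question; otherwise `basicAuth` or an `allow`/`deny` block on the location is the usual fix. The location forwards only the Upgrade/Connection headers; if gollum builds redirect URLs from the Host header it receives, `proxy_set_header Host $host;` is also wanted (not verifiable from this file).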


@ -26,6 +26,7 @@ let
private_key = mkOption { private_key = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "exim.dkim_private_key/${config.domain}";
path = "/run/krebs.secret/${config.domain}.dkim_private_key"; path = "/run/krebs.secret/${config.domain}.dkim_private_key";
owner.name = "exim"; owner.name = "exim";
source-path = toString <secrets> + "/${config.domain}.dkim.priv"; source-path = toString <secrets> + "/${config.domain}.dkim.priv";
@ -115,8 +116,12 @@ let
})); }));
systemd.services = mkIf (cfg.dkim != []) { systemd.services = mkIf (cfg.dkim != []) {
exim = { exim = {
after = [ "secret.service" ]; after = flip map cfg.dkim (dkim:
requires = [ "secret.service" ]; config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
);
partOf = flip map cfg.dkim (dkim:
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
);
}; };
}; };
krebs.exim = { krebs.exim = {
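Review bot: Replacing `requires = [ "secret.service" ]` with `partOf` weakens what the exim unit guarantees: `partOf` only propagates stop and restart from the secret unit to exim, it does not pull the secret unit in, and `after` orders the two only when both are part of the same transaction. On a normal boot this holds because the generated `secret-*.service` units are `wantedBy multi-user.target`, but a manual `systemctl start exim` on a system where the secret unit was stopped or failed now starts exim without the DKIM key in place. Adding `wants = flip map cfg.dkim (dkim: config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service);` next to `partOf` (or keeping `requires`) restores the start-time dependency. The same substitution is made in repo-sync, tinc, the three nix-serve copies, mysql, both ejabberd modules, netdata, charybdis and x0vncserver; the `systemd.services` block continues outside the hunk.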


@ -13,6 +13,11 @@ in {
amy = { amy = {
owner = config.krebs.users.Mic92; owner = config.krebs.users.Mic92;
nets = rec { nets = rec {
internet = {
ip4.addr = "129.215.165.57";
ip6.addr = "2001:630:3c1:164:b62e:99ff:fe3e:d369";
aliases = [ "amy.i" ];
};
retiolum = { retiolum = {
addrs = [ addrs = [
config.krebs.hosts.amy.nets.retiolum.ip4.addr config.krebs.hosts.amy.nets.retiolum.ip4.addr
@ -41,6 +46,11 @@ in {
clara = { clara = {
owner = config.krebs.users.Mic92; owner = config.krebs.users.Mic92;
nets = rec { nets = rec {
internet = {
ip4.addr = "129.215.165.58";
ip6.addr = "2001:630:3c1:164:b62e:99ff:fe3d:70f2";
aliases = [ "clara.i" ];
};
retiolum = { retiolum = {
addrs = [ addrs = [
config.krebs.hosts.clara.nets.retiolum.ip4.addr config.krebs.hosts.clara.nets.retiolum.ip4.addr
@ -92,6 +102,7 @@ in {
nets = rec { nets = rec {
internet = { internet = {
ip4.addr = "129.215.165.54"; ip4.addr = "129.215.165.54";
ip6.addr = "2001:630:3c1:164:30a2:6e7b:c58b:cafd";
aliases = [ "donna.i" ]; aliases = [ "donna.i" ];
}; };
retiolum = { retiolum = {
@ -272,6 +283,7 @@ in {
nets = rec { nets = rec {
internet = { internet = {
ip4.addr = "129.215.165.53"; ip4.addr = "129.215.165.53";
ip6.addr = "2001:630:3c1:164:6d4:c4ff:fe04:4aba";
aliases = [ "martha.i" ]; aliases = [ "martha.i" ];
}; };
retiolum = { retiolum = {
@ -355,6 +367,7 @@ in {
nets = rec { nets = rec {
internet = { internet = {
ip4.addr = "129.215.165.52"; ip4.addr = "129.215.165.52";
ip6.addr = "2001:630:3c1:164:6d4:c4ff:fe04:4e4b";
aliases = [ "rose.i" ]; aliases = [ "rose.i" ];
}; };
retiolum = { retiolum = {
@ -411,5 +424,47 @@ in {
}; };
}; };
}; };
harsha = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.184";
aliases = [
"harsha.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv
3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC
pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r
NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44
9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd
WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
eva = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.185";
aliases = [
"eva.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv
3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC
pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r
NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44
9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd
WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
}; };
} }
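Review bot: The `tinc.pubkey` added for `harsha` and the one added for `eva` are byte-for-byte the same RSA key (both begin `MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv`), which looks like a copy-paste slip. tinc authenticates a peer by the key bound to its host name, so with one key shared by two nodes the network cannot tell the two apart and whichever node connects with that key is accepted under either name. One of the two entries needs the real key of its host before the file is distributed to the other retiolum nodes. The last hunk ends inside the host set, which continues outside the hunk.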


@ -56,7 +56,7 @@ let
systemd.services = mapAttrs' (name: repo: systemd.services = mapAttrs' (name: repo:
nameValuePair "konsens-${name}" { nameValuePair "konsens-${name}" {
after = [ "network.target" "secret.service" ]; after = [ "network.target" ];
path = [ pkgs.git ]; path = [ pkgs.git ];
restartIfChanged = false; restartIfChanged = false;
serviceConfig = { serviceConfig = {
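Review bot: `after` loses `"secret.service"` here but, unlike the other services in this commit, nothing replaces it with the per-file `config.krebs.secret.files.<name>.service` unit. If konsens reads a krebs secret (an SSH key for the repositories, for instance), it can now start before that file is installed; if it uses no secret, a short comment on the `after` line such as `# konsens uses no krebs.secret files` would make the omission look deliberate. The `mapAttrs'` body continues outside the hunk.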


@ -74,6 +74,8 @@ in {
"build.hotdog.r" "build.hotdog.r"
"cgit.hotdog.r" "cgit.hotdog.r"
"irc.r" "irc.r"
"wiki.r"
"wiki.hotdog.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----


@ -124,6 +124,7 @@ let
privateKeyFile = mkOption { privateKeyFile = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "repo-sync-key";
path = "${cfg.stateDir}/ssh.priv"; path = "${cfg.stateDir}/ssh.priv";
owner = cfg.user; owner = cfg.user;
source-path = toString <secrets> + "/repo-sync.ssh.key"; source-path = toString <secrets> + "/repo-sync.ssh.key";
@ -166,7 +167,13 @@ let
}); });
in nameValuePair "repo-sync-${name}" { in nameValuePair "repo-sync-${name}" {
description = "repo-sync"; description = "repo-sync";
after = [ "network.target" "secret.service" ]; after = [
config.krebs.secret.files.repo-sync-key.service
"network.target"
];
partOf = [
config.krebs.secret.files.repo-sync-key.service
];
environment = { environment = {
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv"; GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv";


@ -1,4 +1,5 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let with import <stockholm/lib>;
{ config, lib, pkgs, ... }: let
cfg = config.krebs.secret; cfg = config.krebs.secret;
in { in {
options.krebs.secret = { options.krebs.secret = {
@ -8,32 +9,43 @@ in {
}; };
}; };
config = lib.mkIf (cfg.files != {}) { config = lib.mkIf (cfg.files != {}) {
systemd.services.secret = let systemd.paths =
# TODO fail if two files have the same path but differ otherwise mapAttrs'
files = unique (map (flip removeAttrs ["_module"]) (name: file: nameValuePair "secret-trigger-${systemd.encodeName name}" {
(attrValues cfg.files)); wantedBy = ["multi-user.target"];
in { pathConfig.PathChanged = file.source-path;
serviceConfig = { })
Type = "oneshot"; cfg.files;
RemainAfterExit = "yes"; systemd.services =
SyslogIdentifier = "secret"; mapAttrs'
ExecStart = pkgs.writeDash "install-secret-files" '' (name: file: nameValuePair "secret-trigger-${systemd.encodeName name}" {
exit_code=0 wantedBy = ["multi-user.target"];
${concatMapStringsSep "\n" (file: '' serviceConfig = {
${pkgs.coreutils}/bin/install \ Type = "oneshot";
-D \ ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}";
--compare \ };
--verbose \ })
--mode=${shell.escape file.mode} \ cfg.files
--owner=${shell.escape file.owner.name} \ //
--group=${shell.escape file.group-name} \ mapAttrs'
${shell.escape file.source-path} \ (name: file: nameValuePair "secret-${systemd.encodeName name}" {
${shell.escape file.path} \ wantedBy = ["multi-user.target"];
|| exit_code=1 serviceConfig = {
'') files} Type = "oneshot";
exit $exit_code RemainAfterExit = "yes";
''; ExecStart = toString [
}; "${pkgs.coreutils}/bin/install"
}; "-D"
"--compare"
"--verbose"
"--mode=${file.mode}"
"--owner=${file.owner.name}"
"--group=${file.group-name}"
file.source-path
file.path
];
};
})
cfg.files;
}; };
} }
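Review bot: The per-file `ExecStart` built with `toString [ ... ]` drops the `shell.escape` quoting that the old `install-secret-files` script applied to `file.mode`, `file.owner.name`, `file.group-name`, `file.source-path` and `file.path`; systemd splits `ExecStart` on whitespace, so a path containing a space now becomes two arguments and a value starting with `-` is parsed as an option. Since `path` and `source-path` are set by each consuming module, either wrap every argument with the file's own `shell.escape` again or state on the `secret-${systemd.encodeName name}` unit that the values must be free of whitespace. The removed TODO about two files sharing a path has become more relevant rather than less: the old script collapsed identical entries with `unique`, whereas one unit per file means two entries that install to the same `path` now compete and nothing reports it.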


@ -158,6 +158,7 @@ let
privkey = mkOption { privkey = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "${tinc.config.netname}.rsa_key.priv";
path = "${tinc.config.user.home}/tinc.rsa_key.priv"; path = "${tinc.config.user.home}/tinc.rsa_key.priv";
owner = tinc.config.user; owner = tinc.config.user;
source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv"; source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
@ -219,9 +220,14 @@ let
iproute = cfg.iproutePackage; iproute = cfg.iproutePackage;
in { in {
description = "Tinc daemon for ${netname}"; description = "Tinc daemon for ${netname}";
after = [ "network.target" ]; after = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
"network.target"
];
partOf = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
path = [ tinc iproute ]; path = [ tinc iproute ];
serviceConfig = rec { serviceConfig = rec {
Restart = "always"; Restart = "always";


@ -1,7 +1,7 @@
{ {
"url": "https://github.com/NixOS/nixpkgs-channels", "url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "0f5ce2fac0c726036ca69a5524c59a49e2973dd4", "rev": "8e2b14aceb1d40c7e8b84c03a7c78955359872bb",
"date": "2020-05-19T01:31:20+02:00", "date": "2020-08-05T09:17:35+01:00",
"sha256": "0nkk492aa7pr0d30vv1aw192wc16wpa1j02925pldc09s9m9i0r3", "sha256": "0zzjpd9smr7rxzrdf6raw9kbj42fbvafxb5bz36lcxgv290pgsm8",
"fetchSubmodules": false "fetchSubmodules": false
} }


@ -1,7 +1,7 @@
{ {
"url": "https://github.com/NixOS/nixpkgs-channels", "url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "e2bb73ce5f786b83e984b80199112f86b8a6cc9d", "rev": "e23e05452c67ce406debffa831290fb3abaabf0e",
"date": "2020-06-07T23:11:12+02:00", "date": "2020-08-06T15:33:30+02:00",
"sha256": "0mpcdwhippvgsj3kj8vw35dgz94dnzgxgsfqqzcfpmvnzjc23vk7", "sha256": "10wlcm20bvak8cxjhfvmn0vm4n9da3zl19026h66zc1wfmcqgrkp",
"fetchSubmodules": false "fetchSubmodules": false
} }


@ -23,7 +23,7 @@
services.udev.extraRules = '' services.udev.extraRules = ''
SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0" SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0" SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:4f:42:35", NAME="et0"
''; '';
#TODO activationScripts seem broken, fix them! #TODO activationScripts seem broken, fix them!
@ -37,12 +37,10 @@
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
''; '';
} }


@ -36,7 +36,6 @@ with import <stockholm/lib>;
networking.wireless.enable = false; networking.wireless.enable = false;
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
services.logind.extraConfig = '' services.logind.lidSwitch = "ignore";
HandleLidSwitch=ignore services.logind.lidSwitchDocked = "ignore";
'';
} }


@ -91,6 +91,10 @@ in {
xorg.xhost xorg.xhost
xsel xsel
zathura zathura
(pkgs.writeDashBin "screenshot" ''
${pkgs.flameshot-once}/bin/flameshot-once
${pkgs.klem}/bin/klem
'')
]; ];
fonts.fonts = with pkgs; [ fonts.fonts = with pkgs; [
@ -147,4 +151,36 @@ in {
krebs.xresources.enable = true; krebs.xresources.enable = true;
lass.screenlock.enable = true; lass.screenlock.enable = true;
lass.klem = {
kpaste.script = pkgs.writeDash "kpaste-wrapper" ''
${pkgs.kpaste}/bin/kpaste \
| ${pkgs.coreutils}/bin/tail -1 \
| ${pkgs.coreutils}/bin/tr -d '\r\n'
'';
go = {
target = "STRING";
script = "${pkgs.goify}/bin/goify";
};
"go.lassul.us" = {
target = "STRING";
script = pkgs.writeDash "go.lassul.us" ''
export GO_HOST='go.lassul.us'
${pkgs.goify}/bin/goify
'';
};
qrcode = {
target = "image";
script = pkgs.writeDash "zbar" ''
${pkgs.zbar}/bin/zbarimg -q -
'';
};
ocr = {
target = "image";
script = pkgs.writeDash "gocr" ''
${pkgs.netpbm}/bin/pngtopnm - \
| ${pkgs.gocr}/bin/gocr -
'';
};
};
} }


@ -9,8 +9,12 @@
}; };
systemd.services.nix-serve = { systemd.services.nix-serve = {
requires = ["secret.service"]; after = [
after = ["secret.service"]; config.krebs.secret.files.nix-serve-key.service
];
partOf = [
config.krebs.secret.files.nix-serve-key.service
];
}; };
krebs.secret.files.nix-serve-key = { krebs.secret.files.nix-serve-key = {
path = "/run/secret/nix-serve.key"; path = "/run/secret/nix-serve.key";


@ -3,17 +3,19 @@
device = "prism.w:/export/download"; device = "prism.w:/export/download";
fsType = "nfs"; fsType = "nfs";
options = [ options = [
"timeo=14" #"timeo=14"
"noauto" "noauto"
"noatime" "noatime"
"nodiratime" "nodiratime"
"noac" #"noac"
"nocto" #"nocto"
"x-systemd.automount" "x-systemd.automount"
"x-systemd.device-timeout=1" "x-systemd.device-timeout=1"
"x-systemd.idle-timeout=1min" "x-systemd.idle-timeout=1min"
"x-systemd.requires=retiolum.service" "x-systemd.requires=retiolum.service"
"x-systemd.requires=wpa_supplicant.service" "x-systemd.requires=wpa_supplicant.service"
"user"
"_netdev"
]; ];
}; };
} }
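Review bot: Adding `"user"` to the mount options does more than permit unprivileged mounting: mount(8) makes it imply `noexec`, `nosuid` and `nodev` unless a later option overrides them, so files on the download share are no longer executable from this mount. That may be exactly right for a download share, but it is a silent side effect of a one-word change, so a comment on that line such as `"user" # implies noexec,nosuid,nodev` records it. `timeo`, `noac` and `nocto` are commented out rather than removed; a word on why they were disabled would help whoever next tunes the mount.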


@ -14,8 +14,12 @@
}; };
systemd.services.mysql = { systemd.services.mysql = {
requires = [ "secret.service" ]; after = [
after = [ "secret.service" ]; config.krebs.secret.files.mysql_rootPassword.service
];
partOf = [
config.krebs.secret.files.mysql_rootPassword.service
];
}; };
lass.mysqlBackup = { lass.mysqlBackup = {


@ -6,6 +6,7 @@ _:
./folderPerms.nix ./folderPerms.nix
./hass.nix ./hass.nix
./hosts.nix ./hosts.nix
./klem.nix
./mysql-backup.nix ./mysql-backup.nix
./news.nix ./news.nix
./nichtparasoup.nix ./nichtparasoup.nix


@ -17,6 +17,7 @@ in {
certfile = mkOption { certfile = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "ejabberd-certfile";
path = "${cfg.user.home}/ejabberd.pem"; path = "${cfg.user.home}/ejabberd.pem";
owner = cfg.user; owner = cfg.user;
source-path = "/var/lib/acme/lassul.us/full.pem"; source-path = "/var/lib/acme/lassul.us/full.pem";
@ -25,6 +26,7 @@ in {
dhfile = mkOption { dhfile = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "ejabberd-dhfile";
path = "${cfg.user.home}/dhparams.pem"; path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user; owner = cfg.user;
source-path = "/dev/null"; source-path = "/dev/null";
@ -74,8 +76,15 @@ in {
systemd.services.ejabberd = { systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ]; after = [
after = [ "network.target" "secret.service" ]; config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
"network.target"
];
partOf = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
];
serviceConfig = { serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
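Review bot: `after` and `partOf` reference `config.krebs.secret.files.ejabberd-s2s_certfile.service`, but the only secret-file names this commit adds here are `ejabberd-certfile` and `ejabberd-dhfile`; unless `ejabberd-s2s_certfile` is declared elsewhere in the module (outside the hunk), evaluation fails on the missing attribute. Conversely `dhfile` is a secret-file whose install unit is in neither list, so `ExecStartPre` can run `gen-dhparam` before `secret-ejabberd-dhfile.service` has installed its copy from `/dev/null` over `${cfg.dhfile.path}`, an ordering the old `after = [ "secret.service" ]` used to guarantee. The same two points apply to tv/3modules/ejabberd.nix. The `systemd.services.ejabberd` block continues outside the hunk.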

75
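--- /dev/null
+++ b/lass/3modules/klem.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, ... }: with import <stockholm/lib>; let
+cfg = config.lass.klem;
+in {
+options.lass.klem = mkOption {
+default = {};
+type = types.attrsOf (types.submodule ({ config, ...}: {
+options = {
+target = mkOption {
+default = ".*";
+description = ''
+regex of valid targets
+can be shown with xclip -selection clipboard -t TARGETS
+the first hit is taken as target argument
+'';
+type = types.str;
+};
+script = mkOption {
+description = ''
+file to run if entry is selected
+'';
+type = types.path;
+};
+label = mkOption {
+default = config._module.args.name;
+description = ''
+label to show in dmenu for this script
+'';
+type = types.str;
+};
+};
+}));
+};
+config = let
+klem = pkgs.writers.writeDashBin "klem" ''
+set -x
+labels=""
+# match filetype against patterns
+${concatMapStringsSep "\n" (script: ''
+${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \
+| grep -q '${script.target}'
+if [ $? -eq 0 ]; then
+labels="$labels:${script.label}"
+fi
+'') (attrValues cfg)}
+#remove empty line, feed into dmenu
+script=$(echo "$labels" \
+| ${pkgs.gnused}/bin/sed 's/^://;s/:/\n/g' \
+| ${pkgs.dmenu}/bin/dmenu)
+#run the chosen script
+case $script in
+${concatMapStringsSep "\n" (script: indent ''
+${script.label})
+target=$(${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \
+| ${pkgs.gnugrep}/bin/grep '${script.target}' \
+| ${pkgs.gnugrep}/bin/grep -v TARGETS \
+| ${pkgs.coreutils}/bin/head -1)
+${pkgs.xclip}/bin/xclip -selection clipboard -target "$target" -out \
+| ${script.script} \
+| ${pkgs.xclip}/bin/xclip -selection clipboard -in
+;;
+'') (attrValues cfg)}
+esac
+'';
+in mkIf (cfg != {}) {
+environment.systemPackages = [ klem ];
+nixpkgs.overlays = [
+(self: super: {
+klem = klem;
+})
+];
+};
+}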
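Review bot: Option values are spliced into the generated shell unquoted: `${script.label})` is a `case` pattern, `$labels` is split on `:`, and `${script.target}` sits inside single quotes, so a label containing `:`, `)` or glob characters, or a target regex containing `'`, silently breaks the script, and `label` defaults to the attribute name. A sentence in the `label` and `target` option descriptions stating that restriction, or an assertion on the submodule, turns the failure into an evaluation error. The first filetype probe calls a bare `grep -q` while every other tool is pinned to a store path; `| ${pkgs.gnugrep}/bin/grep -q '${script.target}'` removes the dependency on the user's PATH. `set -x` at the top traces every command of the chosen branch to stderr on each run and reads like leftover debugging.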


@ -126,7 +126,7 @@ myKeyMap =
, ("M4-x", floatNext True >> spawn myTerm) , ("M4-x", floatNext True >> spawn myTerm)
, ("M4-c", floatNext True >> spawn "${pkgs.termite}/bin/termite") , ("M4-c", floatNext True >> spawn "${pkgs.termite}/bin/termite")
, ("M4-f", floatNext True) , ("M4-f", floatNext True)
, ("M4-b", sendMessage ToggleStruts) , ("M4-b", spawn "/run/current-system/sw/bin/klem")
, ("M4-v", gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.greedyView) ) , ("M4-v", gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.greedyView) )
, ("M4-S-v", gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.shift) ) , ("M4-S-v", gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.shift) )
@ -161,7 +161,7 @@ myKeyMap =
, ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") , ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter")
, ("M4-s", spawn "${pkgs.knav}/bin/knav") , ("M4-s", spawn "${pkgs.knav}/bin/knav")
, ("<Print>", spawn "${pkgs.flameshot-once}/bin/flameshot-once") , ("M4-i", spawn "/run/current-system/sw/bin/screenshot")
--, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView)) --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView))
--, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView)) --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView))


@ -8,6 +8,9 @@ let
krebs = import ./krebs lib; krebs = import ./krebs lib;
krops = import ../submodules/krops/lib; krops = import ../submodules/krops/lib;
shell = import ./shell.nix { inherit lib; }; shell = import ./shell.nix { inherit lib; };
systemd = {
encodeName = replaceChars ["/"] ["\\x2f"];
};
types = nixpkgs-lib.types // import ./types.nix { inherit lib; }; types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
xml = import ./xml.nix { inherit lib; }; xml = import ./xml.nix { inherit lib; };
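Review bot: `systemd.encodeName` handles only `/`, so any other character that is not legal in a unit name (space, `@`, `%`, non-ASCII) passes through and is only rejected later by the `systemd.unit-name` type; a comment on the definition such as `# escapes the one character krebs.secret file names are known to contain; not a general systemd-escape` would keep it from being reused as a full escaper. `\x2f` is a valid systemd escape, but `systemd-escape` itself maps `/` to `-`, so names produced here will not match names produced by that tool, which is worth a second line in the same comment.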


@ -238,7 +238,7 @@ rec {
secret-file = submodule ({ config, ... }: { secret-file = submodule ({ config, ... }: {
options = { options = {
name = mkOption { name = mkOption {
type = filename; type = pathname;
default = config._module.args.name; default = config._module.args.name;
}; };
path = mkOption { path = mkOption {
@ -256,6 +256,10 @@ rec {
type = str; type = str;
default = "root"; default = "root";
}; };
service = mkOption {
type = systemd.unit-name;
default = "secret-${lib.systemd.encodeName config.name}.service";
};
source-path = mkOption { source-path = mkOption {
type = str; type = str;
default = toString <secrets> + "/${config.name}"; default = toString <secrets> + "/${config.name}";
@ -526,6 +530,14 @@ rec {
merge = mergeOneOption; merge = mergeOneOption;
}; };
systemd.unit-name = mkOptionType {
name = "systemd unit name";
check = x:
test "^[0-9A-Za-z:_.\\-]+@?\\.(service|socket|device|mount|automount|swap|target|path|timer|slice|scope)$" x &&
stringLength x <= 256;
merge = mergeOneOption;
};
# RFC952, B. Lexical grammar, <hname> # RFC952, B. Lexical grammar, <hname>
hostname = mkOptionType { hostname = mkOptionType {
name = "hostname"; name = "hostname";
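Review bot: The `systemd.unit-name` check accepts a template name like `foo@.service` but rejects an instantiated `foo@bar.service`, because `@?` is allowed only immediately before the suffix; if only the generated `secret-*.service` names are ever expected that is harmless, but the type name promises more than it checks, so either document the restriction on `systemd.unit-name` or use `test "^[0-9A-Za-z:_.\\-]+(@[0-9A-Za-z:_.\\-]*)?\\.(service|socket|device|mount|automount|swap|target|path|timer|slice|scope)$" x`. The first hunk widens `name` from `filename` to `pathname` so that `/` is allowed; `name` also feeds the default `source-path` under `<secrets>`, so it is worth confirming that `pathname` rejects `..` segments (its definition is outside the hunk).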


@ -9,8 +9,12 @@
}; };
systemd.services.nix-serve = { systemd.services.nix-serve = {
requires = ["secret.service"]; after = [
after = ["secret.service"]; config.krebs.secret.files.nix-serve-key.service
];
partOf = [
config.krebs.secret.files.nix-serve-key.service
];
}; };
krebs.secret.files.nix-serve-key = { krebs.secret.files.nix-serve-key = {
path = "/run/secret/nix-serve.key"; path = "/run/secret/nix-serve.key";


@ -71,8 +71,12 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.netdata = { systemd.services.netdata = {
requires = [ "secret.service" ]; after = [
after = [ "secret.service" ]; config.krebs.secret.files.netdata-stream.service
];
partOf = [
config.krebs.secret.files.netdata-stream.service
];
}; };
krebs.secret.files.netdata-stream = { krebs.secret.files.netdata-stream = {
path = "/run/secret/netdata-stream.conf"; path = "/run/secret/netdata-stream.conf";


@ -9,8 +9,12 @@
}; };
systemd.services.nix-serve = { systemd.services.nix-serve = {
requires = ["secret.service"]; after = [
after = ["secret.service"]; config.krebs.secret.files.binary-cache-seckey.service
];
partOf = [
config.krebs.secret.files.binary-cache-seckey.service
];
}; };
krebs.secret.files.binary-cache-seckey = { krebs.secret.files.binary-cache-seckey = {


@ -36,6 +36,7 @@ with import <stockholm/lib>;
}; };
} }
{ {
i18n.defaultLocale = mkDefault "C.UTF-8";
security.hideProcessInformation = true; security.hideProcessInformation = true;
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
Defaults env_keep+="SSH_CLIENT XMONAD_SPAWN_WORKSPACE" Defaults env_keep+="SSH_CLIENT XMONAD_SPAWN_WORKSPACE"


@ -17,6 +17,7 @@ in {
ssl_dh_params = mkOption { ssl_dh_params = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "charybdis-ssl_dh_params";
path = "${cfg.user.home}/dh.pem"; path = "${cfg.user.home}/dh.pem";
owner = cfg.user; owner = cfg.user;
source-path = toString <secrets> + "/charybdis.dh.pem"; source-path = toString <secrets> + "/charybdis.dh.pem";
@ -25,6 +26,7 @@ in {
ssl_private_key = mkOption { ssl_private_key = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "charybdis-ssl_private_key";
path = "${cfg.user.home}/ssl.key.pem"; path = "${cfg.user.home}/ssl.key.pem";
owner = cfg.user; owner = cfg.user;
source-path = toString <secrets> + "/charybdis.key.pem"; source-path = toString <secrets> + "/charybdis.key.pem";
@ -51,8 +53,15 @@ in {
systemd.services.charybdis = { systemd.services.charybdis = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ]; after = [
after = [ "network-online.target" "secret.service" ]; config.krebs.secret.files.charybdis-ssl_dh_params.service
config.krebs.secret.files.charybdis-ssl_private_key.service
"network-online.target"
];
partOf = [
config.krebs.secret.files.charybdis-ssl_dh_params.service
config.krebs.secret.files.charybdis-ssl_private_key.service
];
environment = { environment = {
BANDB_DBPATH = "${cfg.user.home}/ban.db"; BANDB_DBPATH = "${cfg.user.home}/ban.db";
}; };


@ -18,6 +18,7 @@ in {
certfile = mkOption { certfile = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "ejabberd-certfile";
path = "${cfg.user.home}/ejabberd.pem"; path = "${cfg.user.home}/ejabberd.pem";
owner = cfg.user; owner = cfg.user;
source-path = toString <secrets> + "/ejabberd.pem"; source-path = toString <secrets> + "/ejabberd.pem";
@ -26,6 +27,7 @@ in {
dhfile = mkOption { dhfile = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
name = "ejabberd-dhfile";
path = "${cfg.user.home}/dhparams.pem"; path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user; owner = cfg.user;
source-path = "/dev/null"; source-path = "/dev/null";
@ -95,8 +97,15 @@ in {
systemd.services.ejabberd = { systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ]; after = [
after = [ "network.target" "secret.service" ]; config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
"network.target"
];
partOf = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
];
serviceConfig = { serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground"; ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";


@ -12,6 +12,7 @@ in {
enable = mkEnableOption "tv.x0vncserver"; enable = mkEnableOption "tv.x0vncserver";
pwfile = mkOption { pwfile = mkOption {
default = { default = {
name = "x0vncserver-pwfile";
owner = cfg.user; owner = cfg.user;
path = "${cfg.user.home}/.vncpasswd"; path = "${cfg.user.home}/.vncpasswd";
source-path = toString <secrets> + "/vncpasswd"; source-path = toString <secrets> + "/vncpasswd";
@ -36,8 +37,16 @@ in {
x0vncserver-pwfile = cfg.pwfile; x0vncserver-pwfile = cfg.pwfile;
}; };
systemd.services.x0vncserver = { systemd.services.x0vncserver = {
after = [ "graphical.target" "secret.service" ]; after = [
requires = [ "graphical.target" "secret.service" ]; config.krebs.secret.files.x0vncserver-pwfile.service
"graphical.target"
];
partOf = [
config.krebs.secret.files.x0vncserver-pwfile.service
];
requires = [
"graphical.target"
];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [ ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
"-display ${cfg.display}" "-display ${cfg.display}"