Merge remote-tracking branch 'lass/master'

makefu 2020-08-11 12:12:13 +02:00
commit 4cb0ff12ba
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
33 changed files with 364 additions and 75 deletions


@ -5,7 +5,7 @@
, MPlayerPlugin, ffmpeg, xorg, libpulseaudio, libcanberra-gtk2
, jrePlugin, icedtea_web
, bluejeans, djview4, adobe-reader
, google_talk_plugin, fribid, gnome3/*.gnome-shell*/
, fribid, gnome3/*.gnome-shell*/
, esteidfirefoxplugin ? ""
, browserpass, chrome-gnome-shell, uget-integrator, plasma-browser-integration, bukubrow
, udev
@ -82,7 +82,6 @@ let
++ lib.optional (cfg.enableMPlayer or false) (MPlayerPlugin browser)
++ lib.optional (supportsJDK && jre && jrePlugin ? mozillaPlugin) jrePlugin
++ lib.optional icedtea icedtea_web
++ lib.optional (cfg.enableGoogleTalkPlugin or false) google_talk_plugin
++ lib.optional (cfg.enableFriBIDPlugin or false) fribid
++ lib.optional (cfg.enableGnomeExtensions or false) gnome3.gnome-shell
++ lib.optional (cfg.enableBluejeans or false) bluejeans


@ -14,6 +14,7 @@
<stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/nscd-fix.nix>
<stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
];
krebs.build.host = config.krebs.hosts.hotdog;


@ -5,7 +5,7 @@
services.nginx = {
enable = true;
virtualHosts.build = {
serverAliases = [ "build.${config.networking.hostName}.r" ];
serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ];
locations."/".extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";


@ -14,7 +14,7 @@ let
confirmation=no
'';
in {
pattern = "^${name}-([a-z]+)(?::\\s*(.*))?";
pattern = "^${name}-([a-z]+)(?::?\\s*(.*))?";
activate = "match";
command = 1;
arguments = [2];
@ -76,7 +76,7 @@ let
};
}
{
pattern = ''^(\S+)\s+([+-][1-9][0-9]*)\s+(\S+)$'';
pattern = ''^([\w-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$'';
activate = "match";
arguments = [1 2 3];
command = {
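Review bot: The new vote pattern `^([\w-]*):?\s+([+-][1-9][0-9]*)\s+(\S+)$` uses `*` for the nick group, so a line that merely starts with whitespace before `+1 foo` matches with an empty nick in group 1 and is handed to the command as a vote for "". If a nick is mandatory, `[\w-]+` is the intended quantifier; if the empty case is deliberate the command should be shown to tolerate it. The attribute set this hunk belongs to continues outside the hunk.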

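--- /dev/null
+++ b/krebs/2configs/wiki.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+services.gollum = {
+enable = true;
+};
+networking.firewall.allowedTCPPorts = [ 80 ];
+services.nginx = {
+enable = true;
+virtualHosts.wiki = {
+serverAliases = [ "wiki.r" "wiki.${config.networking.hostName}.r" ];
+locations."/".extraConfig = ''
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
+'';
+};
+};
+}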
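Review bot: The new vhost proxies gollum with no access control, and `networking.firewall.allowedTCPPorts = [ 80 ];` opens the port on every interface, so whoever can reach this host on port 80 can read and edit the wiki (gollum itself has no authentication layer). If `wiki.r` is meant to be reachable only over the overlay network, scope the rule to that interface, e.g. `networking.firewall.interfaces.<retiolum-interface>.allowedTCPPorts = [ 80 ];`, or add `basicAuth` to the vhost; in either case a one-line comment stating the intended audience would make the decision visible. The `Upgrade`/`Connection` headers copied from the build vhost are inert without `proxy_http_version 1.1;` and are not needed for gollum.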


@ -26,6 +26,7 @@ let
private_key = mkOption {
type = types.secret-file;
default = {
name = "exim.dkim_private_key/${config.domain}";
path = "/run/krebs.secret/${config.domain}.dkim_private_key";
owner.name = "exim";
source-path = toString <secrets> + "/${config.domain}.dkim.priv";
@ -115,8 +116,12 @@ let
}));
systemd.services = mkIf (cfg.dkim != []) {
exim = {
after = [ "secret.service" ];
requires = [ "secret.service" ];
after = flip map cfg.dkim (dkim:
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
);
partOf = flip map cfg.dkim (dkim:
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
);
};
};
krebs.exim = {
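Review bot: Replacing `requires = [ "secret.service" ]` with `after` + `partOf` on the per-file secret unit loses the fail-closed behaviour: `After=` only orders and `PartOf=` only propagates stop/restart, so when the `secret-…` unit for a DKIM key fails (install error, missing source file) exim is now started regardless, where before a failed `secret.service` blocked it. Keep a hard dependency next to the ordering, e.g. `requires = flip map cfg.dkim (dkim: config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service);`. The same substitution is made in this commit for repo-sync, tinc, nix-serve (three hosts), mysql, ejabberd (both copies), netdata, binary-cache-seckey, charybdis and x0vncserver, and should be fixed the same way in each. The `exim` service attribute set continues outside the hunk.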


@ -13,6 +13,11 @@ in {
amy = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.57";
ip6.addr = "2001:630:3c1:164:b62e:99ff:fe3e:d369";
aliases = [ "amy.i" ];
};
retiolum = {
addrs = [
config.krebs.hosts.amy.nets.retiolum.ip4.addr
@ -41,6 +46,11 @@ in {
clara = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.58";
ip6.addr = "2001:630:3c1:164:b62e:99ff:fe3d:70f2";
aliases = [ "clara.i" ];
};
retiolum = {
addrs = [
config.krebs.hosts.clara.nets.retiolum.ip4.addr
@ -92,6 +102,7 @@ in {
nets = rec {
internet = {
ip4.addr = "129.215.165.54";
ip6.addr = "2001:630:3c1:164:30a2:6e7b:c58b:cafd";
aliases = [ "donna.i" ];
};
retiolum = {
@ -272,6 +283,7 @@ in {
nets = rec {
internet = {
ip4.addr = "129.215.165.53";
ip6.addr = "2001:630:3c1:164:6d4:c4ff:fe04:4aba";
aliases = [ "martha.i" ];
};
retiolum = {
@ -355,6 +367,7 @@ in {
nets = rec {
internet = {
ip4.addr = "129.215.165.52";
ip6.addr = "2001:630:3c1:164:6d4:c4ff:fe04:4e4b";
aliases = [ "rose.i" ];
};
retiolum = {
@ -411,5 +424,47 @@ in {
};
};
};
harsha = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.184";
aliases = [
"harsha.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv
3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC
pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r
NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44
9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd
WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
eva = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.185";
aliases = [
"eva.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqIc+ozq3hKHMe/X3v4j+6or8LMjEV7MtQ8/+n00xpG4NkI4G38Bv
3nmAcV7OhN6of0fr0psbBmym+2VxCZbpl8E3g1GWSKpAvlmP/9v4wDVdrADaTvXC
pzCxejtCwEhKLisnMwCMJCuUPbIsSBU+IQDPKP7NP0yY5VapgW3Xl3qXpnehCW1r
NBZjZASnhSXcJRLJayEDN6uBviYrnnfbrHOx4fPcjQPTHX5RYr3EbgGZQO9xki44
9dKT4EA95lupTqC3wzuQbaNpvIuVzmggiDY/NsBIVh0/2XjGnO54wtCEPudaLnWd
WNtc1wfVFB6gzgG1N7msOuFUReOIfyF/ywIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
};
}
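Review bot: The new hosts `harsha` and `eva` carry byte-identical `tinc.pubkey` blocks (the six base64 lines are the same in both), which looks like a copy-paste slip. tinc authenticates a peer by its RSA key, so two nodes sharing one key cannot be distinguished from each other and the key material for one host is effectively the key material for both; each host needs its own key, so please confirm against the actual key files before merging. A short comment on the `internet` blocks added for amy and clara noting that these addresses are intentionally public would also help, since they mirror the donna/martha/rose entries.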


@ -56,7 +56,7 @@ let
systemd.services = mapAttrs' (name: repo:
nameValuePair "konsens-${name}" {
after = [ "network.target" "secret.service" ];
after = [ "network.target" ];
path = [ pkgs.git ];
restartIfChanged = false;
serviceConfig = {


@ -74,6 +74,8 @@ in {
"build.hotdog.r"
"cgit.hotdog.r"
"irc.r"
"wiki.r"
"wiki.hotdog.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----


@ -124,6 +124,7 @@ let
privateKeyFile = mkOption {
type = types.secret-file;
default = {
name = "repo-sync-key";
path = "${cfg.stateDir}/ssh.priv";
owner = cfg.user;
source-path = toString <secrets> + "/repo-sync.ssh.key";
@ -166,7 +167,13 @@ let
});
in nameValuePair "repo-sync-${name}" {
description = "repo-sync";
after = [ "network.target" "secret.service" ];
after = [
config.krebs.secret.files.repo-sync-key.service
"network.target"
];
partOf = [
config.krebs.secret.files.repo-sync-key.service
];
environment = {
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.stateDir}/ssh.priv";


@ -1,4 +1,5 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
with import <stockholm/lib>;
{ config, lib, pkgs, ... }: let
cfg = config.krebs.secret;
in {
options.krebs.secret = {
@ -8,32 +9,43 @@ in {
};
};
config = lib.mkIf (cfg.files != {}) {
systemd.services.secret = let
# TODO fail if two files have the same path but differ otherwise
files = unique (map (flip removeAttrs ["_module"])
(attrValues cfg.files));
in {
systemd.paths =
mapAttrs'
(name: file: nameValuePair "secret-trigger-${systemd.encodeName name}" {
wantedBy = ["multi-user.target"];
pathConfig.PathChanged = file.source-path;
})
cfg.files;
systemd.services =
mapAttrs'
(name: file: nameValuePair "secret-trigger-${systemd.encodeName name}" {
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ${file.service}";
};
})
cfg.files
//
mapAttrs'
(name: file: nameValuePair "secret-${systemd.encodeName name}" {
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
SyslogIdentifier = "secret";
ExecStart = pkgs.writeDash "install-secret-files" ''
exit_code=0
${concatMapStringsSep "\n" (file: ''
${pkgs.coreutils}/bin/install \
-D \
--compare \
--verbose \
--mode=${shell.escape file.mode} \
--owner=${shell.escape file.owner.name} \
--group=${shell.escape file.group-name} \
${shell.escape file.source-path} \
${shell.escape file.path} \
|| exit_code=1
'') files}
exit $exit_code
'';
};
ExecStart = toString [
"${pkgs.coreutils}/bin/install"
"-D"
"--compare"
"--verbose"
"--mode=${file.mode}"
"--owner=${file.owner.name}"
"--group=${file.group-name}"
file.source-path
file.path
];
};
})
cfg.files;
};
}
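Review bot: The `secret-trigger-*` services are `wantedBy = ["multi-user.target"]` just like the `secret-*` services they restart, so at every boot each trigger appears to run `systemctl restart secret-X.service` while `secret-X` is itself being started by the same target, and with the new `partOf` links that restart would cascade into every consumer (exim, tinc, ejabberd, …). The trigger services should be activated only by their path units; drop the `wantedBy` from the trigger service (keep it on the `systemd.paths` entry). Separately, the old script wrapped every argument in `shell.escape`, while `ExecStart = toString [ … ]` now joins raw values with spaces, so a `path`, `source-path`, owner or group containing whitespace, quotes or `%` is mis-split or specifier-expanded by systemd's command-line parser; quote those arguments (systemd accepts double quotes and backslash escapes in `ExecStart=`) or keep a small wrapper script. The dropped `# TODO fail if two files have the same path` concern is now silently resolved by last-writer-wins between independent units and deserves a comment.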


@ -158,6 +158,7 @@ let
privkey = mkOption {
type = types.secret-file;
default = {
name = "${tinc.config.netname}.rsa_key.priv";
path = "${tinc.config.user.home}/tinc.rsa_key.priv";
owner = tinc.config.user;
source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
@ -219,9 +220,14 @@ let
iproute = cfg.iproutePackage;
in {
description = "Tinc daemon for ${netname}";
after = [ "network.target" ];
after = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
"network.target"
];
partOf = [
config.krebs.secret.files."${netname}.rsa_key.priv".service
];
wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
path = [ tinc iproute ];
serviceConfig = rec {
Restart = "always";


@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "0f5ce2fac0c726036ca69a5524c59a49e2973dd4",
"date": "2020-05-19T01:31:20+02:00",
"sha256": "0nkk492aa7pr0d30vv1aw192wc16wpa1j02925pldc09s9m9i0r3",
"rev": "8e2b14aceb1d40c7e8b84c03a7c78955359872bb",
"date": "2020-08-05T09:17:35+01:00",
"sha256": "0zzjpd9smr7rxzrdf6raw9kbj42fbvafxb5bz36lcxgv290pgsm8",
"fetchSubmodules": false
}


@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "e2bb73ce5f786b83e984b80199112f86b8a6cc9d",
"date": "2020-06-07T23:11:12+02:00",
"sha256": "0mpcdwhippvgsj3kj8vw35dgz94dnzgxgsfqqzcfpmvnzjc23vk7",
"rev": "e23e05452c67ce406debffa831290fb3abaabf0e",
"date": "2020-08-06T15:33:30+02:00",
"sha256": "10wlcm20bvak8cxjhfvmn0vm4n9da3zl19026h66zc1wfmcqgrkp",
"fetchSubmodules": false
}


@ -23,7 +23,7 @@
services.udev.extraRules = ''
SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0"
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:4f:42:35", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
@ -37,12 +37,10 @@
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
'';
}


@ -36,7 +36,6 @@ with import <stockholm/lib>;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
}


@ -91,6 +91,10 @@ in {
xorg.xhost
xsel
zathura
(pkgs.writeDashBin "screenshot" ''
${pkgs.flameshot-once}/bin/flameshot-once
${pkgs.klem}/bin/klem
'')
];
fonts.fonts = with pkgs; [
@ -147,4 +151,36 @@ in {
krebs.xresources.enable = true;
lass.screenlock.enable = true;
lass.klem = {
kpaste.script = pkgs.writeDash "kpaste-wrapper" ''
${pkgs.kpaste}/bin/kpaste \
| ${pkgs.coreutils}/bin/tail -1 \
| ${pkgs.coreutils}/bin/tr -d '\r\n'
'';
go = {
target = "STRING";
script = "${pkgs.goify}/bin/goify";
};
"go.lassul.us" = {
target = "STRING";
script = pkgs.writeDash "go.lassul.us" ''
export GO_HOST='go.lassul.us'
${pkgs.goify}/bin/goify
'';
};
qrcode = {
target = "image";
script = pkgs.writeDash "zbar" ''
${pkgs.zbar}/bin/zbarimg -q -
'';
};
ocr = {
target = "image";
script = pkgs.writeDash "gocr" ''
${pkgs.netpbm}/bin/pngtopnm - \
| ${pkgs.gocr}/bin/gocr -
'';
};
};
}


@ -9,8 +9,12 @@
};
systemd.services.nix-serve = {
requires = ["secret.service"];
after = ["secret.service"];
after = [
config.krebs.secret.files.nix-serve-key.service
];
partOf = [
config.krebs.secret.files.nix-serve-key.service
];
};
krebs.secret.files.nix-serve-key = {
path = "/run/secret/nix-serve.key";


@ -3,17 +3,19 @@
device = "prism.w:/export/download";
fsType = "nfs";
options = [
"timeo=14"
#"timeo=14"
"noauto"
"noatime"
"nodiratime"
"noac"
"nocto"
#"noac"
#"nocto"
"x-systemd.automount"
"x-systemd.device-timeout=1"
"x-systemd.idle-timeout=1min"
"x-systemd.requires=retiolum.service"
"x-systemd.requires=wpa_supplicant.service"
"user"
"_netdev"
];
};
}


@ -14,8 +14,12 @@
};
systemd.services.mysql = {
requires = [ "secret.service" ];
after = [ "secret.service" ];
after = [
config.krebs.secret.files.mysql_rootPassword.service
];
partOf = [
config.krebs.secret.files.mysql_rootPassword.service
];
};
lass.mysqlBackup = {


@ -6,6 +6,7 @@ _:
./folderPerms.nix
./hass.nix
./hosts.nix
./klem.nix
./mysql-backup.nix
./news.nix
./nichtparasoup.nix


@ -17,6 +17,7 @@ in {
certfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-certfile";
path = "${cfg.user.home}/ejabberd.pem";
owner = cfg.user;
source-path = "/var/lib/acme/lassul.us/full.pem";
@ -25,6 +26,7 @@ in {
dhfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-dhfile";
path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user;
source-path = "/dev/null";
@ -74,8 +76,15 @@ in {
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
after = [ "network.target" "secret.service" ];
after = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
"network.target"
];
partOf = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
];
serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";

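--- /dev/null
+++ b/lass/3modules/klem.nix
@@ -0,0 +1,75 @@
+{ config, pkgs, ... }: with import <stockholm/lib>; let
+cfg = config.lass.klem;
+in {
+options.lass.klem = mkOption {
+default = {};
+type = types.attrsOf (types.submodule ({ config, ...}: {
+options = {
+target = mkOption {
+default = ".*";
+description = ''
+regex of valid targets
+can be shown with xclip -selection clipboard -t TARGETS
+the first hit is taken as target argument
+'';
+type = types.str;
+};
+script = mkOption {
+description = ''
+file to run if entry is selected
+'';
+type = types.path;
+};
+label = mkOption {
+default = config._module.args.name;
+description = ''
+label to show in dmenu for this script
+'';
+type = types.str;
+};
+};
+}));
+};
+config = let
+klem = pkgs.writers.writeDashBin "klem" ''
+set -x
+labels=""
+# match filetype against patterns
+${concatMapStringsSep "\n" (script: ''
+${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \
+| grep -q '${script.target}'
+if [ $? -eq 0 ]; then
+labels="$labels:${script.label}"
+fi
+'') (attrValues cfg)}
+#remove empty line, feed into dmenu
+script=$(echo "$labels" \
+| ${pkgs.gnused}/bin/sed 's/^://;s/:/\n/g' \
+| ${pkgs.dmenu}/bin/dmenu)
+#run the chosen script
+case $script in
+${concatMapStringsSep "\n" (script: indent ''
+${script.label})
+target=$(${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \
+| ${pkgs.gnugrep}/bin/grep '${script.target}' \
+| ${pkgs.gnugrep}/bin/grep -v TARGETS \
+| ${pkgs.coreutils}/bin/head -1)
+${pkgs.xclip}/bin/xclip -selection clipboard -target "$target" -out \
+| ${script.script} \
+| ${pkgs.xclip}/bin/xclip -selection clipboard -in
+;;
+'') (attrValues cfg)}
+esac
+'';
+in mkIf (cfg != {}) {
+environment.systemPackages = [ klem ];
+nixpkgs.overlays = [
+(self: super: {
+klem = klem;
+})
+];
+};
+}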
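Review bot: `script.label` and `script.target` are interpolated into the generated shell unescaped — the label becomes a `case` pattern (`${script.label})`) and a `:`-separated list item, the target sits inside single quotes (`'${script.target}'`) — so a label containing `)`, `*`, `:` or whitespace, or a target regex containing `'`, breaks or misroutes the script; pass both through `shell.escape` (already in scope via `<stockholm/lib>`) and consider adding the character restriction to the option descriptions. The first match uses a bare `grep -q` while the rest use `${pkgs.gnugrep}/bin/grep`; make it consistent so the script does not depend on `PATH`. `set -x` traces every command, including the selected label and target, to wherever the X session's stderr goes; it reads like leftover debugging and should be removed before this lands.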


@ -126,7 +126,7 @@ myKeyMap =
, ("M4-x", floatNext True >> spawn myTerm)
, ("M4-c", floatNext True >> spawn "${pkgs.termite}/bin/termite")
, ("M4-f", floatNext True)
, ("M4-b", sendMessage ToggleStruts)
, ("M4-b", spawn "/run/current-system/sw/bin/klem")
, ("M4-v", gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.greedyView) )
, ("M4-S-v", gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.shift) )
@ -161,7 +161,7 @@ myKeyMap =
, ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter")
, ("M4-s", spawn "${pkgs.knav}/bin/knav")
, ("<Print>", spawn "${pkgs.flameshot-once}/bin/flameshot-once")
, ("M4-i", spawn "/run/current-system/sw/bin/screenshot")
--, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView))
--, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView))


@ -8,6 +8,9 @@ let
krebs = import ./krebs lib;
krops = import ../submodules/krops/lib;
shell = import ./shell.nix { inherit lib; };
systemd = {
encodeName = replaceChars ["/"] ["\\x2f"];
};
types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
xml = import ./xml.nix { inherit lib; };
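Review bot: `systemd.encodeName` only rewrites `/`, unlike `systemd-escape`, which also escapes `-`, a leading `.` and every byte outside `[0-9A-Za-z:_.]`; that is presumably acceptable only because the result is later type-checked as a unit name, but nothing here says so. Add a comment making the contract explicit, e.g. `# minimal systemd-escape: only "/" is rewritten; anything else that is not unit-name safe is meant to be rejected by types.systemd.unit-name`. The enclosing `let` binding list continues outside the hunk.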


@ -238,7 +238,7 @@ rec {
secret-file = submodule ({ config, ... }: {
options = {
name = mkOption {
type = filename;
type = pathname;
default = config._module.args.name;
};
path = mkOption {
@ -256,6 +256,10 @@ rec {
type = str;
default = "root";
};
service = mkOption {
type = systemd.unit-name;
default = "secret-${lib.systemd.encodeName config.name}.service";
};
source-path = mkOption {
type = str;
default = toString <secrets> + "/${config.name}";
@ -526,6 +530,14 @@ rec {
merge = mergeOneOption;
};
systemd.unit-name = mkOptionType {
name = "systemd unit name";
check = x:
test "^[0-9A-Za-z:_.\\-]+@?\\.(service|socket|device|mount|automount|swap|target|path|timer|slice|scope)$" x &&
stringLength x <= 256;
merge = mergeOneOption;
};
# RFC952, B. Lexical grammar, <hname>
hostname = mkOptionType {
name = "hostname";
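Review bot: The `systemd.unit-name` check admits only a bare template suffix (`foo@.service`) and rejects instantiated units such as `foo@bar.service`, because `@?` is followed directly by `\\.` and `@` is not in the character class; if instances are meant to pass, use `(@[0-9A-Za-z:_.\\-]*)?` in place of `@?`, otherwise the type's `name` should say "uninstantiated unit name". The `\\` inside the bracket expression is what lets the `\x2f` emitted by `lib.systemd.encodeName` through and reads like an escape for the hyphen; a short comment (`# backslash is allowed so that systemd-escaped "/" (\x2f) passes`) would save the next reader from "fixing" it. The `secret-file.name` type widening from `filename` to `pathname` in the first hunk is what makes both of these reachable.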


@ -9,8 +9,12 @@
};
systemd.services.nix-serve = {
requires = ["secret.service"];
after = ["secret.service"];
after = [
config.krebs.secret.files.nix-serve-key.service
];
partOf = [
config.krebs.secret.files.nix-serve-key.service
];
};
krebs.secret.files.nix-serve-key = {
path = "/run/secret/nix-serve.key";


@ -71,8 +71,12 @@ in
};
config = mkIf cfg.enable {
systemd.services.netdata = {
requires = [ "secret.service" ];
after = [ "secret.service" ];
after = [
config.krebs.secret.files.netdata-stream.service
];
partOf = [
config.krebs.secret.files.netdata-stream.service
];
};
krebs.secret.files.netdata-stream = {
path = "/run/secret/netdata-stream.conf";


@ -9,8 +9,12 @@
};
systemd.services.nix-serve = {
requires = ["secret.service"];
after = ["secret.service"];
after = [
config.krebs.secret.files.binary-cache-seckey.service
];
partOf = [
config.krebs.secret.files.binary-cache-seckey.service
];
};
krebs.secret.files.binary-cache-seckey = {


@ -36,6 +36,7 @@ with import <stockholm/lib>;
};
}
{
i18n.defaultLocale = mkDefault "C.UTF-8";
security.hideProcessInformation = true;
security.sudo.extraConfig = ''
Defaults env_keep+="SSH_CLIENT XMONAD_SPAWN_WORKSPACE"


@ -17,6 +17,7 @@ in {
ssl_dh_params = mkOption {
type = types.secret-file;
default = {
name = "charybdis-ssl_dh_params";
path = "${cfg.user.home}/dh.pem";
owner = cfg.user;
source-path = toString <secrets> + "/charybdis.dh.pem";
@ -25,6 +26,7 @@ in {
ssl_private_key = mkOption {
type = types.secret-file;
default = {
name = "charybdis-ssl_private_key";
path = "${cfg.user.home}/ssl.key.pem";
owner = cfg.user;
source-path = toString <secrets> + "/charybdis.key.pem";
@ -51,8 +53,15 @@ in {
systemd.services.charybdis = {
wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
after = [ "network-online.target" "secret.service" ];
after = [
config.krebs.secret.files.charybdis-ssl_dh_params.service
config.krebs.secret.files.charybdis-ssl_private_key.service
"network-online.target"
];
partOf = [
config.krebs.secret.files.charybdis-ssl_dh_params.service
config.krebs.secret.files.charybdis-ssl_private_key.service
];
environment = {
BANDB_DBPATH = "${cfg.user.home}/ban.db";
};


@ -18,6 +18,7 @@ in {
certfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-certfile";
path = "${cfg.user.home}/ejabberd.pem";
owner = cfg.user;
source-path = toString <secrets> + "/ejabberd.pem";
@ -26,6 +27,7 @@ in {
dhfile = mkOption {
type = types.secret-file;
default = {
name = "ejabberd-dhfile";
path = "${cfg.user.home}/dhparams.pem";
owner = cfg.user;
source-path = "/dev/null";
@ -95,8 +97,15 @@ in {
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ];
after = [ "network.target" "secret.service" ];
after = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
"network.target"
];
partOf = [
config.krebs.secret.files.ejabberd-certfile.service
config.krebs.secret.files.ejabberd-s2s_certfile.service
];
serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";


@ -12,6 +12,7 @@ in {
enable = mkEnableOption "tv.x0vncserver";
pwfile = mkOption {
default = {
name = "x0vncserver-pwfile";
owner = cfg.user;
path = "${cfg.user.home}/.vncpasswd";
source-path = toString <secrets> + "/vncpasswd";
@ -36,8 +37,16 @@ in {
x0vncserver-pwfile = cfg.pwfile;
};
systemd.services.x0vncserver = {
after = [ "graphical.target" "secret.service" ];
requires = [ "graphical.target" "secret.service" ];
after = [
config.krebs.secret.files.x0vncserver-pwfile.service
"graphical.target"
];
partOf = [
config.krebs.secret.files.x0vncserver-pwfile.service
];
requires = [
"graphical.target"
];
serviceConfig = {
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
"-display ${cfg.display}"