Merge remote-tracking branch 'gum/master'

This commit is contained in:
lassulus 2016-06-02 14:48:03 +02:00
commit 5a2cdca774
13 changed files with 245 additions and 138 deletions


@ -270,8 +270,8 @@ with config.krebs.lib;
''; '';
}; };
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; #ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch"; #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
}; };
wbob = rec { wbob = rec {
cores = 1; cores = 1;
@ -409,6 +409,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e"; ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
aliases = [ aliases = [
"heidi.r" "heidi.r"
"heidi.retiolum"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -424,6 +425,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
}; };
}; };
soundflower = rec { soundflower = rec {
cores = 1; cores = 1;
nets = { nets = {
@ -594,7 +596,28 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
}; };
}; };
}; };
} // { # hosts only maintained in stockholm, not owned by me
tpsw = {
cores = 2;
owner = config.krebs.users.ciko; # main laptop
nets = {
retiolum = {
ip4.addr = "10.243.183.236";
ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c";
aliases = [ "tpsw.r" "tpsw.retiolum" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvwYPFAINwV0EH0myFpNzRjVbqXdAmJP616C5JvODklhZWJxFxlKJ
Poczl57j2Z+4bonkTrJmsNtSaQLPKYH4H1qfo/lwz7nqEpPi3Xp4Fgts23w36eML
WBvbw0fQO9R8zZJIIdRkJ2qqlhZiTlor1Gtlm8Z1RmpKkhL9O6Yzj94VhGLhABVl
OsaF2M3PgXJMiLry67jzbAs3+mVaT3iBTzWOaOyREjKQEUg9B9IDxrmZMSWqdXZM
0wfzaCjS40jD73m7tqi7W3tXzAUP4mEeUqkC+NC2Zgm/lJ5B1KPx7AyNqtRLsBLd
pIdJs6ng63WV1fyHYUWMYqZk9zB/tQ0b0wIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
}; };
users = rec { users = rec {
makefu = { makefu = {
@ -615,6 +638,9 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
inherit (makefu) mail pgp; inherit (makefu) mail pgp;
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob";
}; };
ciko = {
mail = "wieczorek.stefan@googlemail.com";
};
exco = { exco = {
mail = "dickbutt@excogitation.de"; mail = "dickbutt@excogitation.de";
pubkey = "ssh-rsa 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 dickbutt@excogitation.de"; pubkey = "ssh-rsa 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 dickbutt@excogitation.de";
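Review bot: In the first hunk the two lines tagged `root@servarch` appear on the new side as `#ssh.privkey.path = …;` and `#ssh.pubkey = …;`, which removes that host's declared SSH host key from `krebs.hosts`; anything that derives known_hosts from these declarations will presumably stop pinning it and clients fall back to trust-on-first-use, so if the host is being retired or rekeyed a comment such as `# servarch ssh key disabled: <reason>` should say so. The new `tpsw` entry is owned by `config.krebs.users.ciko`, but the `ciko` user added in the last hunk carries only `mail` and no `pubkey`, unlike the neighbouring users; whether the module tolerates an owner without a key cannot be seen here, so either add the key or note `# no pubkey: ciko does not deploy via stockholm`. The enclosing attribute set starts outside these hunks.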


@ -26,6 +26,7 @@
# services # services
../2configs/git/brain-retiolum.nix ../2configs/git/brain-retiolum.nix
../2configs/tor.nix ../2configs/tor.nix
../2configs/steam.nix
# ../2configs/buildbot-standalone.nix # ../2configs/buildbot-standalone.nix
# hardware specifics are in here # hardware specifics are in here
@ -35,23 +36,36 @@
# ../2configs/mediawiki.nix # ../2configs/mediawiki.nix
#../2configs/wordpress.nix #../2configs/wordpress.nix
../2configs/nginx/public_html.nix ../2configs/nginx/public_html.nix
# temporary modules
# ../2configs/temp/share-samba.nix
# ../2configs/temp/elkstack.nix
# ../2configs/temp/sabnzbd.nix
]; ];
krebs.nginx = { krebs.nginx = {
default404 = false; default404 = false;
servers.default.listen = [ "80 default_server" ]; servers.default.listen = [ "80 default_server" ];
servers.default.server-names = [ "_" ]; servers.default.server-names = [ "_" ];
}; };
krebs.retiolum.enable = true;
# steam environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true; virtualisation.docker.enable = true;
# configure pulseAudio to provide a HDMI sink as well # configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [ 80 ];
25 networking.firewall.allowedUDPPorts = [ 665 ];
80
];
krebs.build.host = config.krebs.hosts.pornocauster; krebs.build.host = config.krebs.hosts.pornocauster;
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
krebs.retiolum = {
enable = true;
connectTo = [ "omo" "gum" "prism" ];
};
networking.extraHosts = ''
192.168.1.11 omo.local
'';
} }
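Review bot: `networking.firewall.allowedUDPPorts = [ 665 ];` opens a UDP port with no comment saying which service listens on it; if it is meant for the retiolum tinc daemon enabled a few lines later, tinc's default port is 655, so the value looks like a typo — confirm against the tinc configuration and add a comment such as `# 665/udp: <service>`. `virtualisation.docker.enable = true;` starts a daemon whose socket gives members of the `docker` group root-equivalent control of the host; a short comment on who is expected to be in that group would make the trust boundary explicit. TCP 25 drops out of `allowedTCPPorts` here while the exim-retiolum module in this same commit opens 25 itself, so the net exposure of this host is presumably unchanged, but that dependency is worth stating next to the firewall lines.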


@ -22,7 +22,7 @@ with config.krebs.lib;
source = mapAttrs (_: mkDefault) { source = mapAttrs (_: mkDefault) {
nixpkgs = { nixpkgs = {
url = https://github.com/nixos/nixpkgs; url = https://github.com/nixos/nixpkgs;
rev = "40c586b7ce2c559374df435f46d673baf711c543"; # unstable @ 2016-02-27, tested on wry rev = "63b9785"; # stable @ 2016-06-01
}; };
secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/"; secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/";
stockholm = "/home/makefu/stockholm"; stockholm = "/home/makefu/stockholm";
@ -75,7 +75,7 @@ with config.krebs.lib;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /tmp 1777 root root - -" "d /tmp 1777 root root - -"
]; ];
nix.nixPath = [ "/var/src" ];
environment.variables = { environment.variables = {
NIX_PATH = mkForce "/var/src"; NIX_PATH = mkForce "/var/src";
EDITOR = mkForce "vim"; EDITOR = mkForce "vim";
@ -126,6 +126,7 @@ with config.krebs.lib;
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
nano = pkgs.runCommand "empty" {} "mkdir -p $out"; nano = pkgs.runCommand "empty" {} "mkdir -p $out";
tinc = pkgs.tinc_pre; tinc = pkgs.tinc_pre;
gnupg1compat = super.gnupg1compat.override { gnupg = self.gnupg21; };
}; };
services.cron.enable = false; services.cron.enable = false;
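Review bot: `gnupg1compat = super.gnupg1compat.override { gnupg = self.gnupg21; };` references `super` and `self`, but the enclosing `packageOverrides = pkgs: {` binds only `pkgs`; because the body sits under `with config.krebs.lib;`, the unbound names are presumably not rejected at parse time and will instead fail with an undefined-variable error the first time `gnupg1compat` is forced (unless lib happens to export those names). The intended line is presumably `gnupg1compat = pkgs.gnupg1compat.override { gnupg = pkgs.gnupg21; };`. In the first hunk the nixpkgs pin shrinks from a full 40-character commit to `rev = "63b9785";`; an abbreviated hash is unique only by convention and cannot be checked against the fetched tree, so keep the full commit id in `rev` and leave the short form to the comment.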


@ -2,9 +2,10 @@
with config.krebs.lib; with config.krebs.lib;
{ {
networking.firewall.allowedTCPPorts = [ 25 ];
krebs.exim-retiolum.enable = true; krebs.exim-retiolum.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
msmtp msmtp
]; ];
} }
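Review bot: `networking.firewall.allowedTCPPorts = [ 25 ];` opens SMTP on every interface, although the module is named `exim-retiolum` and, judging by the name, only needs to be reachable over the retiolum tinc interface; restricting the rule to that interface via `networking.firewall.extraCommands`, or adding a comment that public exposure is intended, would keep the exposure explicit. The same commit removes 25 from the pornocauster host's own `allowedTCPPorts`, so for that host this is a move rather than a new opening, but every other host that imports this module now opens 25 as a side effect of enabling mail.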


@ -15,6 +15,9 @@ let
tinc_graphs = { tinc_graphs = {
desc = "Tinc Advanced Graph Generation"; desc = "Tinc Advanced Graph Generation";
}; };
stockholm-init = {
desc = "Build new Stockholm hosts";
};
cac-api = { }; cac-api = { };
init-stockholm = { init-stockholm = {
desc = "Init stuff for stockholm"; desc = "Init stuff for stockholm";
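Review bot: The new `stockholm-init` entry with `desc = "Build new Stockholm hosts"` sits next to the pre-existing `init-stockholm` with `desc = "Init stuff for stockholm"`; two repositories whose names are the same words in a different order invite confusion. If both are meant to exist, a comment on each saying how they differ (e.g. `# successor of init-stockholm`, or the reverse) would help; if one is a rename, the old entry should go in the same change. The enclosing `let` binding starts outside the hunk.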


@ -69,15 +69,15 @@ in {
browseable = "yes"; browseable = "yes";
"guest ok" = "yes"; "guest ok" = "yes";
}; };
usenet-rw = { crypt0-rw = {
path = "/media/crypt0/usenet"; path = "/media/crypt0/";
"read only" = "no"; "read only" = "no";
browseable = "yes"; browseable = "yes";
"guest ok" = "no"; "guest ok" = "no";
"valid users" = "makefu"; "valid users" = "makefu";
}; };
emu-rw = { crypt1-rw = {
path = "/media/crypt1/emu"; path = "/media/crypt1/";
"read only" = "no"; "read only" = "no";
browseable = "yes"; browseable = "yes";
"guest ok" = "no"; "guest ok" = "no";
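Review bot: Renaming `usenet-rw` to `crypt0-rw` also widens `path` from `/media/crypt0/usenet` to `/media/crypt0/`, and `emu-rw` → `crypt1-rw` does the same for crypt1, so the whole mount point — including any other directories on those volumes — is now exported read-write over SMB. Access is still gated by `"guest ok" = "no"` and `"valid users" = "makefu"`, so this is a scope change rather than an exposure to guests, but it deserves a comment such as `# exports the entire volume; keep no unrelated data on crypt0`. The share list continues outside the hunk.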


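--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,6 @@
+{pkgs, ...}:
+{
+environment.systemPackages = [ pkgs.steam ];
+hardware.opengl.driSupport32Bit = true;
+hardware.pulseaudio.support32Bit = true;
+}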


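--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,28 @@
+{config, ... }:{
+users.users.smbguest = {
+name = "smbguest";
+uid = config.ids.uids.smbguest;
+description = "smb guest user";
+home = "/var/empty";
+};
+services.samba = {
+enable = true;
+shares = {
+share-home = {
+path = "/home/share/";
+"read only" = "no";
+browseable = "yes";
+"guest ok" = "yes";
+};
+};
+extraConfig = ''
+guest account = smbguest
+map to guest = bad user
+# disable printing
+load printers = no
+printing = bsd
+printcap name = /dev/null
+disable spoolss = yes
+'';
+};
+}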
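Review bot: `share-home` exports `/home/share/` with `"read only" = "no"` and `"guest ok" = "yes"`, and `map to guest = bad user` maps every failed login to `smbguest`, so any client that can reach the SMB service has anonymous write access to that directory; nothing in this file limits which interfaces or networks samba serves. The host configuration in this commit imports the module only as a commented-out `temp` entry, so the intent is presumably a short-lived LAN share; adding `hosts allow` / `interfaces` plus `bind interfaces only = yes` to `extraConfig`, or at least a comment `# anonymous writable LAN share, temporary`, would record that. `uid = config.ids.uids.smbguest` assumes the krebs id table already defines `smbguest`; confirm, otherwise evaluation fails on this line.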


@ -13,6 +13,7 @@ in
nodemcu-uploader = callPackage ./nodemcu-uploader {}; nodemcu-uploader = callPackage ./nodemcu-uploader {};
tw-upload-plugin = callPackage ./tw-upload-plugin {}; tw-upload-plugin = callPackage ./tw-upload-plugin {};
inherit (callPackage ./devpi {}) devpi-web devpi-server; inherit (callPackage ./devpi {}) devpi-web devpi-server;
skytraq-logger = callPackage ./skytraq-logger/ {};
taskserver = callPackage ./taskserver {}; taskserver = callPackage ./taskserver {};
}; };
} }
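Review bot: `skytraq-logger = callPackage ./skytraq-logger/ {};` uses a trailing slash where every neighbouring entry passes a bare directory (`./devpi`, `./taskserver`); Nix resolves both to the directory's `default.nix`, so this is style only, but `callPackage ./skytraq-logger {}` keeps the list uniform. The attribute is named `skytraq-logger` while the derivation it points to calls itself `skytraq-datalogger`; using one name in both places avoids a search miss later.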


@ -0,0 +1,31 @@
{ stdenv, lib, pkgs, fetchFromGitHub, ... }:
stdenv.mkDerivation rec {
name = "skytraq-datalogger-${version}";
version = "4966a8";
src = fetchFromGitHub {
owner = "makefu";
repo = "skytraq-datalogger";
rev = version ;
sha256 = "1qaszrs7638kc9x4qq4m1yxqmk8jw7wajywvdk4wc2i007p89v3y";
};
buildFlags = "CC=gcc";
makeFlags = "PREFIX=bin/ DESTDIR=$(out)";
preInstall = ''
mkdir -p $out/bin
'';
#patchPhase = ''
# sed -i -e 's#/usr/bin/gcc#gcc#' -e Makefile
#'';
buildInputs = with pkgs;[
curl
gnugrep
];
meta = {
homepage = http://github.com/makefu/skytraq-datalogger;
description = "datalogger for skytraq";
license = lib.licenses.gpl2;
};
}
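Review bot: `version = "4966a8";` is an abbreviated commit hash reused as `rev`; the `sha256` still pins the fetched tree so the build is reproducible, but a six-character prefix can become ambiguous as the upstream repository grows, and `name = "skytraq-datalogger-${version}"` then carries a string that is neither a version nor a reliably resolvable revision — use the full commit id for `rev` and, if wanted, keep the short form only in `version`. The commented-out `#patchPhase` block is dead code and its `sed -i -e 's#/usr/bin/gcc#gcc#' -e Makefile` is also malformed (the second `-e` makes `Makefile` a sed script rather than the input file), so delete it or fix it before re-enabling. `homepage = http://github.com/makefu/skytraq-datalogger;` should use the https URL, and `curl`/`gnugrep` are reached through `pkgs` although the function already destructures its inputs, so naming them in the argument list would match the usual callPackage style.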


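--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+/nix/store/xpwdwpw2nkgi16yhpxin2kivaz7z588h-skytraq-datalogger-4966a8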
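Review bot: This new file consists solely of a Nix store path ending in `skytraq-datalogger-4966a8`, which looks like a `result` symlink or build-output reference committed by accident alongside the new package; it is specific to the machine that ran the build and carries no configuration. Remove it from the repository and add the pattern to the ignore file so it does not recur.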


@ -1,135 +1,126 @@
{ config, lib, pkgs, ... }@args: { config, pkgs, ... }@args:
with config.krebs.lib; with config.krebs.lib;
let let
# TODO krebs.build.user # TODO krebs.build.user
user = config.users.users.tv; user = config.users.users.tv;
in {
out = { environment.systemPackages = [
services.xserver.display = 11; pkgs.ff
services.xserver.tty = 11; pkgs.gitAndTools.qgit
pkgs.mpv
pkgs.sxiv
pkgs.xsel
pkgs.zathura
];
services.xserver.synaptics = { fonts.fonts = [
pkgs.xlibs.fontschumachermisc
];
# TODO dedicated group, i.e. with a single user [per-user-setuid]
# TODO krebs.setuid.slock.path vs /var/setuid-wrappers
krebs.setuid.slock = {
filename = "${pkgs.slock}/bin/slock";
group = "wheel";
envp = {
DISPLAY = ":${toString config.services.xserver.display}";
USER = user.name;
};
};
services.xserver = {
enable = true;
display = 11;
tty = 11;
synaptics = {
enable = true; enable = true;
twoFingerScroll = true; twoFingerScroll = true;
accelFactor = "0.035"; accelFactor = "0.035";
}; };
};
fonts.fonts = [ systemd.services.display-manager.enable = false;
pkgs.xlibs.fontschumachermisc
systemd.services.xmonad = {
wantedBy = [ "multi-user.target" ];
requires = [ "xserver.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
XMONAD_STATE = "/tmp/xmonad.state";
# XXX JSON is close enough :)
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
"Dashboard" # we start here
"23"
"cr"
"ff"
"hack"
"im"
"mail"
"stockholm"
"za" "zh" "zj" "zs"
]);
};
serviceConfig = {
SyslogIdentifier = "xmonad";
ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
User = user.name;
WorkingDirectory = user.home;
};
};
systemd.services.xserver = {
after = [
"systemd-udev-settle.service"
"local-fs.target"
"acpid.service"
]; ];
reloadIfChanged = true;
systemd.services.urxvtd = { environment = {
wantedBy = [ "multi-user.target" ]; XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
reloadIfChanged = true; XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
serviceConfig = { LD_LIBRARY_PATH = concatStringsSep ":" (
ExecReload = need-reload "urxvtd.service"; [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd"; ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
Restart = "always";
RestartSec = "2s";
StartLimitBurst = 0;
User = user.name;
};
}; };
serviceConfig = {
environment.systemPackages = [ SyslogIdentifier = "xserver";
pkgs.ff ExecReload = "${pkgs.coreutils}/bin/echo NOP";
pkgs.gitAndTools.qgit ExecStart = toString [
pkgs.mpv "${pkgs.xorg.xorgserver}/bin/X"
pkgs.sxiv ":${toString config.services.xserver.display}"
pkgs.xsel "vt${toString config.services.xserver.tty}"
pkgs.zathura "-config ${import ./xserver.conf.nix args}"
]; "-logfile /dev/null -logverbose 0 -verbose 3"
"-nolisten tcp"
# TODO dedicated group, i.e. with a single user "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
# TODO krebs.setuid.slock.path vs /var/setuid-wrappers
krebs.setuid.slock = {
filename = "${pkgs.slock}/bin/slock";
group = "wheel";
envp = {
DISPLAY = ":${toString config.services.xserver.display}";
USER = user.name;
};
};
systemd.services.display-manager.enable = false;
services.xserver.enable = true;
systemd.services.xmonad = {
wantedBy = [ "multi-user.target" ];
requires = [ "xserver.service" ];
environment = xmonad-environment;
serviceConfig = {
ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-tv";
ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-tv --shutdown";
User = user.name;
WorkingDirectory = user.home;
};
};
systemd.services.xserver = {
after = [
"systemd-udev-settle.service"
"local-fs.target"
"acpid.service"
]; ];
reloadIfChanged = true;
environment = xserver-environment;
serviceConfig = {
ExecReload = need-reload "xserver.service";
ExecStart = toString [
"${pkgs.xorg.xorgserver}/bin/X"
":${toString config.services.xserver.display}"
"vt${toString config.services.xserver.tty}"
"-config ${import ./xserver.conf.nix args}"
"-logfile /var/log/X.${toString config.services.xserver.display}.log"
"-nolisten tcp"
"-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
];
};
}; };
}; };
xmonad-environment = { systemd.services.urxvtd = {
DISPLAY = ":${toString config.services.xserver.display}"; wantedBy = [ "multi-user.target" ];
reloadIfChanged = true;
XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" '' serviceConfig = {
${pkgs.xorg.xhost}/bin/xhost +LOCAL: & SyslogIdentifier = "urxvtd";
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} & ExecReload = "${pkgs.coreutils}/bin/echo NOP";
${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} & ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' & Restart = "always";
wait RestartSec = "2s";
''; StartLimitBurst = 0;
User = user.name;
XMONAD_STATE = "/tmp/xmonad.state"; };
# XXX JSON is close enough :)
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
"Dashboard" # we start here
"23"
"cr"
"ff"
"hack"
"im"
"mail"
"stockholm"
"za" "zh" "zj" "zs"
]);
}; };
}
xserver-environment = {
XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
LD_LIBRARY_PATH = concatStringsSep ":" (
[ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
};
need-reload = s: toString [
"${pkgs.writeDashBin "need-reload" ''echo "$*"''}/bin/need-reload"
(shell.escape s)
];
in out
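Review bot: On the new side `ExecReload = "${pkgs.coreutils}/bin/echo NOP";` is paired with `reloadIfChanged = true;` for both `xserver` and `urxvtd`, so when these unit definitions change, switch-to-configuration will "reload" them — which does nothing — instead of restarting them, and an edited `ExecStart` (for example the new `-config` or `-xkbdir` paths) will not take effect until someone restarts the unit by hand. That is presumably intentional so a switch never kills the running X session, but it deserves a comment at the `reloadIfChanged` lines, e.g. `# reload is a deliberate no-op: never restart the X session on switch`. Replacing `-logfile /var/log/X.<display>.log` with `-logfile /dev/null -logverbose 0 -verbose 3` leaves the journal (via `SyslogIdentifier = "xserver"`) as the only record of server errors; a comment saying so saves the next person from looking for the file. `xhost +LOCAL:` in the startup hook is unchanged from the old side, but it lets every local account on the machine attach to the display, which is worth keeping in mind now that the file is being restructured.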


@ -1,8 +1,12 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.writeScriptBin "ff" '' # TODO use krebs.setuid
#! ${pkgs.bash}/bin/bash # This requires that we can create setuid executables that can only be accessed
exec sudo -u ff -i <<EOF # by a single user. [per-user-setuid]
# using bash for %q
pkgs.writeBashBin "ff" ''
exec /var/setuid-wrappers/sudo -u ff -i <<EOF
exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@")
EOF EOF
'' ''
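Review bot: The new wrapper runs `/var/setuid-wrappers/sudo -u ff -i` with an unquoted heredoc, so `$(printf " %q" "$@")` is expanded by the calling user's bash and the resulting line is interpreted by user `ff`'s login shell; `%q` produces bash-style quoting, so the arguments survive intact only if `ff`'s shell is bash, and the `# using bash for %q` comment should state that assumption about the target account as well (the old side had the same shape, so this is not new). The wrapper also depends on a sudoers rule allowing the caller to become `ff` without a password, which is not part of this file; a one-line comment naming where that rule lives (`# requires a security.sudo.extraConfig rule for user ff`) would make the script self-describing. Hard-coding `/var/setuid-wrappers/sudo` ties the script to the current wrapper directory layout, which the `# TODO use krebs.setuid` note already hints at.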