Merge remote-tracking branch 'ni/master'
commit
9f194012bd
@ -24,13 +24,8 @@ let
|
||||
type = types.str;
|
||||
};
|
||||
private_key = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "exim.dkim_private_key/${config.domain}";
|
||||
path = "/run/krebs.secret/${config.domain}.dkim_private_key";
|
||||
owner.name = "exim";
|
||||
source-path = toString <secrets> + "/${config.domain}.dkim.priv";
|
||||
};
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/${config.domain}.dkim.priv";
|
||||
defaultText = "‹secrets/‹domain›.dkim.priv›";
|
||||
};
|
||||
selector = mkOption {
|
||||
@ -111,24 +106,13 @@ let
|
||||
};
|
||||
|
||||
imp = {
|
||||
krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
|
||||
name = "exim.dkim_private_key/${dkim.domain}";
|
||||
value = dkim.private_key;
|
||||
}));
|
||||
systemd.services = mkIf (cfg.dkim != []) {
|
||||
exim = {
|
||||
after = flip map cfg.dkim (dkim:
|
||||
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
|
||||
);
|
||||
partOf = flip map cfg.dkim (dkim:
|
||||
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
|
||||
);
|
||||
};
|
||||
};
|
||||
krebs.systemd.services.exim = {};
|
||||
systemd.services.exim.serviceConfig.LoadCredential =
|
||||
map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
|
||||
krebs.exim = {
|
||||
enable = true;
|
||||
config = /* exim */ ''
|
||||
keep_environment =
|
||||
keep_environment = CREDENTIALS_DIRECTORY
|
||||
|
||||
primary_hostname = ${cfg.primary_hostname}
|
||||
|
||||
@ -242,8 +226,9 @@ let
|
||||
${optionalString (cfg.dkim != []) (indent /* exim */ ''
|
||||
dkim_canon = relaxed
|
||||
dkim_domain = $sender_address_domain
|
||||
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
|
||||
dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}}
|
||||
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
|
||||
dkim_strict = true
|
||||
'')}
|
||||
helo_data = ''${if eq{$acl_m_special_dom}{} \
|
||||
{$primary_hostname} \
|
||||
@ -281,10 +266,6 @@ let
|
||||
inherit (cfg) internet-aliases;
|
||||
inherit (cfg) system-aliases;
|
||||
} // optionalAttrs (cfg.dkim != []) {
|
||||
dkim_private_key = flip map cfg.dkim (dkim: {
|
||||
from = dkim.domain;
|
||||
to = dkim.private_key.path;
|
||||
});
|
||||
dkim_selector = flip map cfg.dkim (dkim: {
|
||||
from = dkim.domain;
|
||||
to = dkim.selector;
|
||||
|
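Review bot: The removed `owner.name = "exim";` made the DKIM key explicitly readable by the exim user, whereas the credentials loaded by `systemd.services.exim.serviceConfig.LoadCredential` are readable only by the unit's `User=`, which this section does not show; if the exim unit starts as root and drops to the exim user for transports, the signing-time lookup may be unable to read the key, so confirm which identity performs the signing. A comment next to the `LoadCredential` line such as `# credentials are readable only by the unit's User=; the process that signs must run as that user` would record the assumption. The lookup key `$sender_address_domain.dkim_private_key` is built from the sender address; dsearch refuses keys containing a slash, which is what keeps the lookup inside `$CREDENTIALS_DIRECTORY`, and that is worth a comment beside the `dkim_private_key` line as well. The enclosing `imp` attribute set starts and ends outside the hunks.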
@ -122,13 +122,9 @@ let
|
||||
};
|
||||
|
||||
privateKeyFile = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "repo-sync-key";
|
||||
path = "${cfg.stateDir}/ssh.priv";
|
||||
owner = cfg.user;
|
||||
source-path = toString <secrets> + "/repo-sync.ssh.key";
|
||||
};
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/repo-sync.ssh.key";
|
||||
defaultText = "‹secrets/repo-sync.ssh.key›";
|
||||
};
|
||||
|
||||
unitConfig = mkOption {
|
||||
@ -144,14 +140,16 @@ let
|
||||
};
|
||||
|
||||
imp = {
|
||||
krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
|
||||
users.users.${cfg.user.name} = {
|
||||
inherit (cfg.user) home name uid;
|
||||
createHome = true;
|
||||
group = cfg.user.name;
|
||||
description = "repo-sync user";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.${cfg.user.name} = {};
|
||||
|
||||
systemd.timers = mapAttrs' (name: repo:
|
||||
nameValuePair "repo-sync-${name}" {
|
||||
description = "repo-sync timer";
|
||||
@ -160,6 +158,10 @@ let
|
||||
}
|
||||
) cfg.repos;
|
||||
|
||||
krebs.systemd.services = mapAttrs' (name: _:
|
||||
nameValuePair "repo-sync-${name}" {}
|
||||
) cfg.repos;
|
||||
|
||||
systemd.services = mapAttrs' (name: repo:
|
||||
let
|
||||
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
|
||||
@ -168,16 +170,10 @@ let
|
||||
});
|
||||
in nameValuePair "repo-sync-${name}" {
|
||||
description = "repo-sync";
|
||||
after = [
|
||||
config.krebs.secret.files.repo-sync-key.service
|
||||
"network.target"
|
||||
];
|
||||
partOf = [
|
||||
config.krebs.secret.files.repo-sync-key.service
|
||||
];
|
||||
after = [ "network.target" ];
|
||||
|
||||
environment = {
|
||||
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
|
||||
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
|
||||
REPONAME = "${name}.git";
|
||||
};
|
||||
|
||||
@ -185,6 +181,7 @@ let
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
PermissionsStartOnly = true;
|
||||
LoadCredential = "ssh_key:${cfg.privateKeyFile}";
|
||||
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
|
||||
WorkingDirectory = cfg.stateDir;
|
||||
User = "repo-sync";
|
||||
|
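Review bot: The new `GIT_SSH_COMMAND` value embeds `$CREDENTIALS_DIRECTORY` in an `Environment=` entry, which systemd does not expand; it works only because git hands `GIT_SSH_COMMAND` to a shell that expands it at run time, and the line should say so: `# $CREDENTIALS_DIRECTORY is expanded by the shell git runs GIT_SSH_COMMAND through, not by systemd`. With `-i` alone ssh still offers agent and default identities before the loaded key; `GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -o IdentitiesOnly=yes -i $CREDENTIALS_DIRECTORY/ssh_key";` restricts it to the credential. The `nameValuePair` body that holds `environment` and `serviceConfig` starts and ends outside the hunks.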
@ -31,7 +31,8 @@
|
||||
lib.types.absolute-pathname.check
|
||||
(map
|
||||
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
|
||||
config.systemd.services.${serviceName}.serviceConfig.LoadCredential);
|
||||
(lib.toList
|
||||
config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
|
||||
}
|
||||
) config.krebs.systemd.services;
|
||||
|
||||
|
@ -61,13 +61,13 @@ in toFile "charybdis.conf" ''
|
||||
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
|
||||
|
||||
/* ssl_private_key: our ssl private key */
|
||||
ssl_private_key = ${toJSON cfg.ssl_private_key.path};
|
||||
ssl_private_key = "/tmp/credentials/ssl_private_key";
|
||||
|
||||
/* ssl_cert: certificate for our ssl server */
|
||||
ssl_cert = ${toJSON cfg.ssl_cert};
|
||||
|
||||
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
|
||||
ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};
|
||||
ssl_dh_params = "/tmp/credentials/ssl_dh_params";
|
||||
|
||||
/* ssld_count: number of ssld processes you want to start, if you
|
||||
* have a really busy server, using N-1 where N is the number of
|
||||
|
@ -15,22 +15,12 @@ in {
|
||||
type = types.path;
|
||||
};
|
||||
ssl_dh_params = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "charybdis-ssl_dh_params";
|
||||
path = "${cfg.user.home}/dh.pem";
|
||||
owner = cfg.user;
|
||||
source-path = toString <secrets> + "/charybdis.dh.pem";
|
||||
};
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/charybdis.dh.pem";
|
||||
};
|
||||
ssl_private_key = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "charybdis-ssl_private_key";
|
||||
path = "${cfg.user.home}/ssl.key.pem";
|
||||
owner = cfg.user;
|
||||
source-path = toString <secrets> + "/charybdis.key.pem";
|
||||
};
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/charybdis.key.pem";
|
||||
};
|
||||
sslport = mkOption {
|
||||
type = types.int;
|
||||
@ -46,22 +36,13 @@ in {
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params;
|
||||
krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key;
|
||||
|
||||
environment.etc."charybdis-ircd.motd".text = cfg.motd;
|
||||
|
||||
krebs.systemd.services.charybdis = {};
|
||||
|
||||
systemd.services.charybdis = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [
|
||||
config.krebs.secret.files.charybdis-ssl_dh_params.service
|
||||
config.krebs.secret.files.charybdis-ssl_private_key.service
|
||||
"network-online.target"
|
||||
];
|
||||
partOf = [
|
||||
config.krebs.secret.files.charybdis-ssl_dh_params.service
|
||||
config.krebs.secret.files.charybdis-ssl_private_key.service
|
||||
];
|
||||
after = [ "network-online.target" ];
|
||||
environment = {
|
||||
BANDB_DBPATH = "${cfg.user.home}/ban.db";
|
||||
};
|
||||
@ -70,21 +51,30 @@ in {
|
||||
User = cfg.user.name;
|
||||
PrivateTmp = true;
|
||||
Restart = "always";
|
||||
ExecStartPre =
|
||||
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd";
|
||||
ExecStartPre = [
|
||||
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
|
||||
"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
|
||||
];
|
||||
ExecStart = toString [
|
||||
"${pkgs.charybdis}/bin/charybdis"
|
||||
"-configfile ${import ./config.nix args}"
|
||||
"-foreground"
|
||||
"-logfile /dev/stderr"
|
||||
];
|
||||
LoadCredential = [
|
||||
"ssl_dh_params:${cfg.ssl_dh_params}"
|
||||
"ssl_private_key:${cfg.ssl_private_key}"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
users.users.${cfg.user.name} = {
|
||||
inherit (cfg.user) home name uid;
|
||||
createHome = true;
|
||||
group = cfg.user.name;
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.${cfg.user.name} = {};
|
||||
};
|
||||
}
|
||||
|
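Review bot: The added `ExecStartPre` entry links `${CREDENTIALS_DIRECTORY}` to the fixed path `/tmp/credentials` that `config.nix` now hard-codes for `ssl_private_key` and `ssl_dh_params`; this is safe only because `PrivateTmp = true` gives the unit its own `/tmp`, and nothing in either file records that dependency. A comment on the link line, `# /tmp is private to this unit (PrivateTmp); config.nix reads the key and DH params through this link`, and a matching `/* path provided by the ExecStartPre symlink in default.nix */` beside the two `config.nix` lines would keep the coupling visible. If `${CREDENTIALS_DIRECTORY}` expansion in Exec lines is not available on the deployed systemd, the `%d` specifier names the same directory.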
@ -48,6 +48,9 @@ in /* yaml */ ''
|
||||
- "::1/128"
|
||||
- "::FFFF:127.0.0.1/128"
|
||||
|
||||
certfiles:
|
||||
- /tmp/credentials/certfile
|
||||
|
||||
hosts: ${toJSON config.hosts}
|
||||
|
||||
language: "en"
|
||||
@ -58,9 +61,8 @@ in /* yaml */ ''
|
||||
ip: "::"
|
||||
module: ejabberd_c2s
|
||||
shaper: c2s_shaper
|
||||
certfile: ${toJSON config.certfile.path}
|
||||
ciphers: ${toJSON ciphers}
|
||||
dhfile: ${toJSON config.dhfile.path}
|
||||
dhfile: /var/lib/ejabberd/dhfile
|
||||
protocol_options: ${toJSON protocol_options}
|
||||
starttls: true
|
||||
starttls_required: true
|
||||
@ -109,9 +111,8 @@ in /* yaml */ ''
|
||||
mod_http_api: {}
|
||||
|
||||
s2s_access: s2s
|
||||
s2s_certfile: ${toJSON config.s2s_certfile.path}
|
||||
s2s_ciphers: ${toJSON ciphers}
|
||||
s2s_dhfile: ${toJSON config.dhfile.path}
|
||||
s2s_dhfile: /var/lib/ejabberd/dhfile
|
||||
s2s_protocol_options: ${toJSON protocol_options}
|
||||
s2s_tls_compression: false
|
||||
s2s_use_starttls: required
|
||||
|
@ -16,22 +16,8 @@ in {
|
||||
options.tv.ejabberd = {
|
||||
enable = mkEnableOption "tv.ejabberd";
|
||||
certfile = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "ejabberd-certfile";
|
||||
path = "${cfg.user.home}/ejabberd.pem";
|
||||
owner = cfg.user;
|
||||
source-path = toString <secrets> + "/ejabberd.pem";
|
||||
};
|
||||
};
|
||||
dhfile = mkOption {
|
||||
type = types.secret-file;
|
||||
default = {
|
||||
name = "ejabberd-dhfile";
|
||||
path = "${cfg.user.home}/dhparams.pem";
|
||||
owner = cfg.user;
|
||||
source-path = "/dev/null";
|
||||
};
|
||||
type = types.absolute-pathname;
|
||||
default = toString <secrets> + "/ejabberd.pem";
|
||||
};
|
||||
hosts = mkOption {
|
||||
type = with types; listOf str;
|
||||
@ -61,10 +47,6 @@ in {
|
||||
config.krebs.users.tv.mail
|
||||
];
|
||||
};
|
||||
s2s_certfile = mkOption {
|
||||
type = types.secret-file;
|
||||
default = cfg.certfile;
|
||||
};
|
||||
user = mkOption {
|
||||
type = types.user;
|
||||
default = {
|
||||
@ -90,27 +72,24 @@ in {
|
||||
})
|
||||
];
|
||||
|
||||
krebs.secret.files = {
|
||||
ejabberd-certfile = cfg.certfile;
|
||||
ejabberd-s2s_certfile = cfg.s2s_certfile;
|
||||
};
|
||||
krebs.systemd.services.ejabberd = {};
|
||||
|
||||
systemd.services.ejabberd = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [
|
||||
config.krebs.secret.files.ejabberd-certfile.service
|
||||
config.krebs.secret.files.ejabberd-s2s_certfile.service
|
||||
"network.target"
|
||||
];
|
||||
partOf = [
|
||||
config.krebs.secret.files.ejabberd-certfile.service
|
||||
config.krebs.secret.files.ejabberd-s2s_certfile.service
|
||||
];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
|
||||
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
|
||||
ExecStart = pkgs.writeDash "ejabberd" ''
|
||||
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
|
||||
${gen-dhparam} /var/lib/ejabberd/dhfile
|
||||
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
|
||||
'';
|
||||
LoadCredential = [
|
||||
"certfile:${cfg.certfile}"
|
||||
];
|
||||
PermissionsStartOnly = true;
|
||||
PrivateTmp = true;
|
||||
SyslogIdentifier = "ejabberd";
|
||||
StateDirectory = "ejabberd";
|
||||
User = cfg.user.name;
|
||||
TimeoutStartSec = 60;
|
||||
};
|
||||
@ -119,7 +98,10 @@ in {
|
||||
users.users.${cfg.user.name} = {
|
||||
inherit (cfg.user) home name uid;
|
||||
createHome = true;
|
||||
group = cfg.user.name;
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.${cfg.user.name} = {};
|
||||
};
|
||||
}
|
||||
|
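Review bot: `PermissionsStartOnly = true` is now inert: the hunk removes the only `ExecStartPre`, moving `gen-dhparam` and the credentials symlink into the `ExecStart` script that runs as `cfg.user.name`, so the line should be dropped or carry a comment explaining why it remains. `gen-dhparam` writing `/var/lib/ejabberd/dhfile` now runs before `exec ejabberdctl` inside `ExecStart`; depending on the unit's `Type`, which the hunk does not show, its runtime may count against `TimeoutStartSec = 60`, and a comment such as `# DH parameter generation happens at every start, before ejabberd is exec'd` would make that visible. As with charybdis, the `/tmp/credentials` link that the YAML `certfiles` entry reads depends on `PrivateTmp = true` staying set.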
@ -11,17 +11,12 @@ in {
|
||||
};
|
||||
enable = mkEnableOption "tv.x0vncserver";
|
||||
pwfile = mkOption {
|
||||
default = {
|
||||
name = "x0vncserver-pwfile";
|
||||
owner = cfg.user;
|
||||
path = "${cfg.user.home}/.vncpasswd";
|
||||
source-path = toString <secrets> + "/vncpasswd";
|
||||
};
|
||||
default = toString <secrets> + "/vncpasswd";
|
||||
description = ''
|
||||
Use vncpasswd to edit pwfile.
|
||||
See: nix-shell -p tigervnc --run 'man vncpasswd'
|
||||
'';
|
||||
type = types.secret-file;
|
||||
type = types.absolute-pathname;
|
||||
};
|
||||
rfbport = mkOption {
|
||||
default = 5900;
|
||||
@ -33,26 +28,17 @@ in {
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
krebs.secret.files = {
|
||||
x0vncserver-pwfile = cfg.pwfile;
|
||||
};
|
||||
krebs.systemd.services.x0vncserver = {};
|
||||
systemd.services.x0vncserver = {
|
||||
after = [
|
||||
config.krebs.secret.files.x0vncserver-pwfile.service
|
||||
"graphical.target"
|
||||
];
|
||||
partOf = [
|
||||
config.krebs.secret.files.x0vncserver-pwfile.service
|
||||
];
|
||||
requires = [
|
||||
"graphical.target"
|
||||
];
|
||||
after = [ "graphical.target" ];
|
||||
requires = [ "graphical.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
|
||||
"-display ${cfg.display}"
|
||||
"-passwordfile ${cfg.pwfile.path}"
|
||||
"-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile"
|
||||
"-rfbport ${toString cfg.rfbport}"
|
||||
]}";
|
||||
LoadCredential = "ssh_key:${cfg.pwfile}";
|
||||
User = cfg.user.name;
|
||||
};
|
||||
};
|
||||
|
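Review bot: The credential ID does not match its consumer: `LoadCredential = "ssh_key:${cfg.pwfile}";` loads the password file under the name `ssh_key` (apparently copied from repo-sync), while `ExecStart` reads `${CREDENTIALS_DIRECTORY}/pwfile`, so x0vncserver will not find its password file. It should read `LoadCredential = "pwfile:${cfg.pwfile}";`. The `systemd.services.x0vncserver` attribute set begins before the hunk.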