From d780569d78a28ec4fb2722a699cedc6839406009 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 2 Mar 2017 19:42:44 +0100 Subject: [PATCH 01/10] tv nixpkgs: 5d03aab -> 53a2baa --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index dc26a6c6f..1d3ee3980 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4"; + ref = "53a2baa"; # nixos-unstable (17.03-rc) }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; From 863bb9f912413054156c96d1c39770187736dbfc Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 2 Mar 2017 19:43:10 +0100 Subject: [PATCH 02/10] krebs.setuid: update for nixos-unstable --- krebs/3modules/setuid.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index 13f981437..c9677fd24 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -73,7 +73,7 @@ let }; imp = { - system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] + system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ] (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg)); }; From ed3585bfcfd154688a7e95b2f1179133a1a53734 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 2 Mar 2017 19:57:52 +0100 Subject: [PATCH 03/10] krebs,tv: /var/setuid-wrappers -> /run/wrappers/bin --- krebs/3modules/exim.nix | 2 +- krebs/3modules/on-failure.nix | 2 +- krebs/3modules/urlwatch.nix | 2 +- tv/2configs/xserver/default.nix | 2 +- tv/5pkgs/xmonad-tv/default.nix | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 1127c0a50..0044f5b32 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix 
@@ -40,7 +40,7 @@ in { etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" '' exim_user = ${cfg.user.name} exim_group = ${cfg.group.name} - exim_path = /var/setuid-wrappers/exim + exim_path = /run/wrappers/bin/exim spool_directory = ${cfg.user.home} ${cfg.config} ''; diff --git a/krebs/3modules/on-failure.nix b/krebs/3modules/on-failure.nix index 8bb022442..4da303dec 100644 --- a/krebs/3modules/on-failure.nix +++ b/krebs/3modules/on-failure.nix @@ -58,7 +58,7 @@ }; sendmail = mkOption { type = types.str; - default = "/var/setuid-wrappers/sendmail"; + default = "/run/wrappers/bin/sendmail"; }; }; diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index e43f8de4a..126fc33bb 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -178,7 +178,7 @@ let echo To: ${shell.escape cfg.mailto} echo cat changes - } | /var/setuid-wrappers/sendmail -t + } | /run/wrappers/bin/sendmail -t fi ''; }; diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix index 7dcfecce6..deb929c34 100644 --- a/tv/2configs/xserver/default.nix +++ b/tv/2configs/xserver/default.nix @@ -18,7 +18,7 @@ in { ]; # TODO dedicated group, i.e. with a single user [per-user-setuid] - # TODO krebs.setuid.slock.path vs /var/setuid-wrappers + # TODO krebs.setuid.slock.path vs /run/wrappers/bin krebs.setuid.slock = { filename = "${pkgs.slock}/bin/slock"; group = "wheel"; diff --git a/tv/5pkgs/xmonad-tv/default.nix b/tv/5pkgs/xmonad-tv/default.nix index c6a622bd1..5ac8f8372 100644 --- a/tv/5pkgs/xmonad-tv/default.nix +++ b/tv/5pkgs/xmonad-tv/default.nix @@ -132,7 +132,7 @@ spawnRootTerm :: X () spawnRootTerm = forkFile urxvtcPath - ["-name", "root-urxvt", "-e", "/var/setuid-wrappers/su", "-"] + ["-name", "root-urxvt", "-e", "/run/wrappers/bin/su", "-"] Nothing spawnTermAt :: String -> X () 
@@ -143,7 +143,7 @@ spawnTermAt ws = do myKeys :: XConfig Layout -> Map (KeyMask, KeySym) (X ()) myKeys conf = Map.fromList $ - [ ((_4 , xK_Escape ), forkFile "/var/setuid-wrappers/slock" [] Nothing) + [ ((_4 , xK_Escape ), forkFile "/run/wrappers/bin/slock" [] Nothing) , ((_4S , xK_c ), kill) , ((_4 , xK_x ), chooseAction spawnTermAt) From 6435001c48d865ba96f0f784ee9c0bcf03204e1e Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 2 Mar 2017 20:02:01 +0100 Subject: [PATCH 04/10] mv,tv: security.setuidPrograms -> security.wrappers --- mv/1systems/stro.nix | 6 +++--- tv/1systems/mu.nix | 8 ++++---- tv/1systems/wu.nix | 6 +++--- tv/1systems/xu.nix | 6 +++--- tv/1systems/zu.nix | 6 +++--- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix index e371db788..c8035b88e 100644 --- a/mv/1systems/stro.nix +++ b/mv/1systems/stro.nix @@ -143,9 +143,9 @@ with import ; }; }; - security.setuidPrograms = [ - "sendmail" - ]; + security.wrappers = { + sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron + }; security.sudo.extraConfig = '' Defaults env_keep+="SSH_CLIENT" diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix index e9a8a131a..fcd0a2178 100644 --- a/tv/1systems/mu.nix +++ b/tv/1systems/mu.nix @@ -99,10 +99,10 @@ with import ; programs.ssh.startAgent = false; - security.setuidPrograms = [ - "sendmail" # for cron - "slock" - ]; + security.wrappers = { + sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron + slock.slock = "${pkgs.slock}/bin/slock"; + }; security.pam.loginLimits = [ # for jack diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index a9d7e94eb..4cde8b903 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -157,9 +157,9 @@ with import ; #jack2 ]; - security.setuidPrograms = [ - "sendmail" # for cron - ]; + security.wrappers = { + sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron + }; services.printing.enable = true; 
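Review bot: The new `security.wrappers.sendmail` entry in stro.nix sets only `source`, so the wrapper's privilege is left to the module defaults; in the nixpkgs revision this series pins (17.03) those defaults are, as far as I recall, a non-setuid wrapper owned by `nobody:nogroup`, whereas the removed `security.setuidPrograms` entry produced a setuid-root wrapper. Either the cron mail path silently loses the privilege it relied on, or, if the defaults differ in the pinned revision, root privilege is granted without being declared anywhere in the config — both are worth making explicit rather than inherited. I would write `sendmail = { source = "${pkgs.exim}/bin/sendmail"; owner = "root"; group = "root"; setuid = true; };` and then decide deliberately whether the setuid bit is actually needed (e.g. whether only root's crontab submits mail). The same applies to the sendmail entries for mu, wu, xu and zu in this patch.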
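Review bot: `slock.slock = "${pkgs.slock}/bin/slock";` in mu.nix's new `security.wrappers` block looks like a typo for `slock.source = "${pkgs.slock}/bin/slock";` — the wrappers module reads the `source` attribute, so as written the slock wrapper will either fail evaluation or simply not be generated. Since patch 03 of this series binds Mod4+Escape in xmonad to `/run/wrappers/bin/slock`, the screen-lock key would then quietly do nothing on mu, which is a silent loss of a security control rather than a visible failure. As with sendmail, the entry also carries no `setuid`/`owner`/`group`, so whatever privilege the old `setuidPrograms` entry granted slock is no longer declared; if slock is expected to run setuid root here, state it explicitly in the entry.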
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 974d820d5..4b8fe8da2 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -167,9 +167,9 @@ with import ; gptfdisk ]; - security.setuidPrograms = [ - "sendmail" # for cron - ]; + security.wrappers = { + sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron + }; services.printing.enable = true; diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix index 59e8b1c7f..194ac2928 100644 --- a/tv/1systems/zu.nix +++ b/tv/1systems/zu.nix @@ -167,9 +167,9 @@ with import ; gptfdisk ]; - security.setuidPrograms = [ - "sendmail" # for cron - ]; + security.wrappers = { + sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron + }; services.printing.enable = true; From 286fc7045b3ad8dea36386d8de4a1fc59fd70c80 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 4 Mar 2017 22:49:24 +0100 Subject: [PATCH 05/10] git-hooks.irc-announce: simplify file structure --- krebs/5pkgs/git-hooks/default.nix | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/git-hooks/default.nix index 9355a878c..3b9d1b3b0 100644 --- a/krebs/5pkgs/git-hooks/default.nix +++ b/krebs/5pkgs/git-hooks/default.nix @@ -1,13 +1,10 @@ -{ lib, pkgs, ... }: +{ pkgs, ... }: -with lib; - -let - out = { - inherit irc-announce; - }; +with import ; +{ # TODO irc-announce should return a derivation + # but it cannot because krebs.git.repos.*.hooks :: attrsOf str irc-announce = { nick, channel, server, port ? 6667, verbose ? false, branches ? [] }: '' #! /bin/sh set -euf @@ -99,7 +96,7 @@ let done if test -n "''${message-}"; then - exec ${irc-announce-script} \ + exec ${pkgs.irc-announce}/bin/irc-announce \ "$server" \ "$port" \ "$nick" \ @@ -107,6 +104,4 @@ let "$message" fi ''; - - irc-announce-script = "${pkgs.irc-announce}/bin/irc-announce"; -in out +} From b690768e28170cd0227f5132ca39451a43cf573f Mon Sep 17 00:00:00 2001 
From: tv Date: Sat, 4 Mar 2017 22:49:44 +0100 Subject: [PATCH 06/10] git-hooks.irc-announce: append .r to cgit_endpoint --- krebs/5pkgs/git-hooks/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/git-hooks/default.nix index 3b9d1b3b0..4017b873b 100644 --- a/krebs/5pkgs/git-hooks/default.nix +++ b/krebs/5pkgs/git-hooks/default.nix @@ -34,7 +34,7 @@ with import ; port=${toString port} host=$nick - cgit_endpoint=http://cgit.$host + cgit_endpoint=http://cgit.$host.r empty=0000000000000000000000000000000000000000 From 1689862147c7bb4b9d8b0ef8fb645b6bde8b2838 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 4 Mar 2017 23:04:07 +0100 Subject: [PATCH 07/10] wolf: drop packageOverride for nano --- shared/2configs/default.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/shared/2configs/default.nix b/shared/2configs/default.nix index cae2bc814..0f72b2b60 100644 --- a/shared/2configs/default.nix +++ b/shared/2configs/default.nix @@ -30,10 +30,6 @@ with import ; ]; nix.useSandbox = true; - nixpkgs.config.packageOverrides = pkgs: { - nano = pkgs.vim; - }; - environment.systemPackages = with pkgs; [ git rxvt_unicode.terminfo From 4a3a44df416818d7ef0f644e8e6c064ff84768db Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 4 Mar 2017 23:04:26 +0100 Subject: [PATCH 08/10] shared nixpkgs: b8ede35 -> 5b0c9d4 --- shared/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/2configs/default.nix b/shared/2configs/default.nix index 0f72b2b60..49c0d3d95 100644 --- a/shared/2configs/default.nix +++ b/shared/2configs/default.nix 
@@ -11,7 +11,7 @@ with import ; nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "b8ede35d2efa96490857c22c751e75d600bea44f"; # nixos-16.09 @ 2016-10-19 + ref = "5b0c9d4f92f15f171afa65caf13a29ac1c068a10"; # nixos-17.03 @ 2017-03-03 }; secrets.file = if getEnv "dummy_secrets" == "true" From 4f3ece51f7e775bcad1df209bc8881cdbcd5c516 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 4 Mar 2017 23:15:56 +0100 Subject: [PATCH 09/10] tv urlwatch: nixos-16.09 -> nixos-17.03 --- tv/2configs/urlwatch.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index 6e11e0251..5779240ba 100644 --- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -31,7 +31,7 @@ with import ; ## other - https://nixos.org/channels/nixos-16.09/git-revision + https://nixos.org/channels/nixos-17.03/git-revision https://nixos.org/channels/nixos-unstable/git-revision ## 2014-10-17 From d7761aed6559adba3cfa61d822165c42c90fc276 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 4 Mar 2017 23:21:53 +0100 Subject: [PATCH 10/10] tv nixpkgs: 53a2baa -> 5b0c9d4 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 1d3ee3980..33fb7e492 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "53a2baa"; # nixos-unstable (17.03-rc) + ref = "5b0c9d4f92f15f171afa65caf13a29ac1c068a10"; # nixos-17.03 }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master";