diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix index 7a78880ea..8427ca50b 100644 --- a/krebs/3modules/brockman.nix +++ b/krebs/3modules/brockman.nix @@ -11,10 +11,12 @@ in { config = mkIf cfg.enable { users.extraUsers.brockman = { home = "/var/lib/brockman"; + group = "brockman"; createHome = true; isSystemUser = true; uid = genid_uint31 "brockman"; }; + users.groups.brockman = {}; systemd.services.brockman = { description = "RSS to IRC broadcaster"; diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index e55bd95ea..c30f31e31 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -319,6 +319,7 @@ let users.extraUsers.buildbotMaster = { uid = genid "buildbotMaster"; + group = "buildbotMaster"; description = "Buildbot Master"; home = cfg.workDir; createHome = false; diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index d877b9911..f97b50def 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix @@ -128,6 +128,7 @@ let users.extraUsers.buildbotSlave = { uid = genid "buildbotSlave"; + group = "buildbotSlave"; description = "Buildbot Slave"; home = cfg.workDir; createHome = false; diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 9421576df..71eed6c69 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -66,11 +66,14 @@ let users.users.${user.name} = { inherit (user) uid; + group = user.name; home = cfg.dataDir; isSystemUser = true; }; }; + users.groups.${user.name} = {}; + user = rec { mail = "${name}@${config.krebs.build.host.name}"; name = "github-hosts-sync"; diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix index 517dad76f..4221703ec 100644 --- a/krebs/3modules/htgen.nix +++ b/krebs/3modules/htgen.nix @@ -69,10 +69,13 @@ let users.users = mapAttrs' (name: htgen: nameValuePair htgen.user.name { inherit (htgen.user) home name uid; + group = htgen.user.name; createHome = true; isSystemUser = true; } ) cfg; + users.groups = mapAttrs (_: _: {}) cfg; + }; in out diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index 1fa6012cf..167afed2c 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -59,10 +59,13 @@ let users.extraUsers.realwallpaper = { uid = genid "realwallpaper"; + group = "realwallpaper"; home = cfg.workingDir; createHome = true; isSystemUser = true; }; + + users.groups.realwallpaper = {}; }; in diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 7a414e6e3..733db69ca 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -128,9 +128,12 @@ let users.extraUsers.tinc_graphs = { uid = genid_uint31 "tinc_graphs"; + group = "tinc_graphs"; home = "/var/spool/tinc_graphs"; isSystemUser = true; }; + users.groups.tinc_graphs = {}; + services.nginx = mkIf cfg.nginx.enable { enable = mkDefault true; virtualHosts = { diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index da23245ae..8678a40cd 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2", - "date": "2021-11-17T14:17:56+01:00", - "path": "/nix/store/85yrz3ygrzkgw87fp3j42i1i9f4vf0n0-nixpkgs", - "sha256": "152kxfk11mgwg8gx0s1rgykyydfb7s746yfylvbwk5mk5cv4z9nv", + "rev": "6daa4a5c045d40e6eae60a3b6e427e8700f1c07f", + "date": "2021-12-01T17:29:12+01:00", + "path": "/nix/store/g62v0nj6b8v9qb5q0wxjss9q8y9qcg3r-nixpkgs", + "sha256": "1wg55jlxyvbjvm8x2rcirmvqws4y8xq504dn3yjp05m1bajhpj5r", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index d6d70faf6..e219581a1 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "24528474d2b3370f2f23879a557ae2cc92a5d50b", - "date": "2021-11-19T11:04:27+01:00", - "path": "/nix/store/f435816nqq7y14ar1haadw228nbxnh33-nixpkgs", - "sha256": "0pdmqzk1l7cwwfp005kzv0dwnmg8xnskzc745052gdxp8pzh1w45", + "rev": "a640d8394f34714578f3e6335fc767d0755d78f9", + "date": "2021-12-01T16:06:54+01:00", + "path": "/nix/store/88zw2qrbzaq3bnnsmz9qc4lvkwg0168g-nixpkgs", + "sha256": "1dyyzgcmlhpsdb4ngiy8m0x10qmh0r56ky75r8ppvvh730m3lhfj", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh index 368a3ecb3..bc421a75f 100755 --- a/krebs/update-nixpkgs.sh +++ b/krebs/update-nixpkgs.sh @@ -3,7 +3,7 @@ dir=$(dirname $0) oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --url https://github.com/NixOS/nixpkgs \ - --rev refs/heads/nixos-21.05' \ + --rev refs/heads/nixos-21.11' \ > $dir/nixpkgs.json newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev" diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix index b033477fe..6be047300 100644 --- a/lass/1systems/coaxmetal/physical.nix +++ b/lass/1systems/coaxmetal/physical.nix @@ -56,14 +56,4 @@ xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2 xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5 ''; - - # https://forums.lenovo.com/t5/Fedora/T14s-AMD-Trackpoint-almost-unusable/m-p/5064952?page=4 - # https://bugzilla.kernel.org/show_bug.cgi?id=209167#c1 - boot.kernelPatches = [{ - name = "fix-trackpoint-jumping"; - patch = pkgs.fetchurl { - url = "https://patchwork.kernel.org/project/linux-input/patch/20210729010940.5752-1-phoenix@emc.com.tw/raw/"; - sha256 = "0apbf7c8w830dbdsrmxpip90d5zbg74a939x89jfgpvm5gbdqdjg"; - }; - }]; } diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index d8f1ae888..b84221155 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -11,9 +11,22 @@ with (import ); pkgs.bitlbee-discord ]; libpurple_plugins = [ - # pkgs.telegram-purple - pkgs.tdlib-purple + pkgs.telegram-purple + # pkgs.tdlib-purple # pkgs.purple-gowhatsapp ]; }; + + users.users.bitlbee = { + uid = genid_uint31 "bitlbee"; + isSystemUser = true; + group = "bitlbee"; + }; + users.groups.bitlbee = {}; + + systemd.services.bitlbee.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "bitlbee"; + StateDirectory = lib.mkForce null; + }; } diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix index be9c32809..b303df938 100644 --- a/lass/2configs/hass/default.nix +++ b/lass/2configs/hass/default.nix @@ -119,13 +119,10 @@ in { services.mosquitto = { enable = true; - host = "0.0.0.0"; - allowAnonymous = false; - checkPasswords = true; - users.gg23 = { - password = "gg23-mqtt"; - acl = [ "topic readwrite #" ]; - }; + listeners = [{ + acl = [ "topic pattern readwrite #" ]; + users.gg23 = { acl = [ "topic readwrite #" ]; password = "gg23-mqtt"; }; + }]; }; environment.systemPackages = [ pkgs.mosquitto ]; diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index c3d4de84d..b1011ced0 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -28,23 +28,22 @@ session required pam_permit.so ''; - security.pam.services.dovecot2 = { - text = '' - auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - session required pam_env.so envfile=${config.system.build.pamEnvironment} - ''; - }; + security.pam.services.dovecot2.text = '' + auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; security.wrappers.shadow_verify_pam = { source = "${usershadow}/bin/verify_pam"; owner = "root"; + group = "root"; }; security.wrappers.shadow_verify_arg = { source = "${usershadow}/bin/verify_arg"; owner = "root"; + group = "root"; }; };