From 44542b6914a9cf6c1a3dc9326fbd1048a3ce0831 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 10:56:11 +0100 Subject: [PATCH 01/15] nixpkgs: 21.05 -> 21.11 --- krebs/update-nixpkgs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh index 368a3ecb3..bc421a75f 100755 --- a/krebs/update-nixpkgs.sh +++ b/krebs/update-nixpkgs.sh @@ -3,7 +3,7 @@ dir=$(dirname $0) oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --url https://github.com/NixOS/nixpkgs \ - --rev refs/heads/nixos-21.05' \ + --rev refs/heads/nixos-21.11' \ > $dir/nixpkgs.json newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev" From 6274e2c5317489c3bae86340333ea59b35298655 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 10:56:31 +0100 Subject: [PATCH 02/15] nixpkgs: 2452847 -> 96b4157 --- krebs/nixpkgs.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index d6d70faf6..0543c65ca 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "24528474d2b3370f2f23879a557ae2cc92a5d50b", - "date": "2021-11-19T11:04:27+01:00", - "path": "/nix/store/f435816nqq7y14ar1haadw228nbxnh33-nixpkgs", - "sha256": "0pdmqzk1l7cwwfp005kzv0dwnmg8xnskzc745052gdxp8pzh1w45", + "rev": "96b4157790fc96e70d6e6c115e3f34bba7be490f", + "date": "2021-11-30T21:39:06+08:00", + "path": "/nix/store/lcn20w73v7gcd121kr5kmmncrqkh5bw7-nixpkgs", + "sha256": "05m0gn1dy0cdlamwyiq276s770bm2pw8qx6s0mfrv3khpcvv186l", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From 0594a70fea841be9ce48575386f7e4579dbf1563 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Wed, 1 Dec 2021 16:44:42 +0100 Subject: [PATCH 03/15] l bitlbee: disable dynamicUser --- lass/2configs/bitlbee.nix | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index d8f1ae888..b84221155 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -11,9 +11,22 @@ with (import ); pkgs.bitlbee-discord ]; libpurple_plugins = [ - # pkgs.telegram-purple - pkgs.tdlib-purple + pkgs.telegram-purple + # pkgs.tdlib-purple # pkgs.purple-gowhatsapp ]; }; + + users.users.bitlbee = { + uid = genid_uint31 "bitlbee"; + isSystemUser = true; + group = "bitlbee"; + }; + users.groups.bitlbee = {}; + + systemd.services.bitlbee.serviceConfig = { + DynamicUser = lib.mkForce false; + User = "bitlbee"; + StateDirectory = lib.mkForce null; + }; } From 93fb28ac98fb301779c0ab1cd4ef54476faa9879 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 17:52:23 +0100 Subject: [PATCH 04/15] l hass: use new mosquitto config --- lass/2configs/hass/default.nix | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix index be9c32809..b303df938 100644 --- a/lass/2configs/hass/default.nix +++ b/lass/2configs/hass/default.nix @@ -119,13 +119,10 @@ in { services.mosquitto = { enable = true; - host = "0.0.0.0"; - allowAnonymous = false; - checkPasswords = true; - users.gg23 = { - password = "gg23-mqtt"; - acl = [ "topic readwrite #" ]; - }; + listeners = [{ + acl = [ "topic pattern readwrite #" ]; + users.gg23 = { acl = [ "topic readwrite #" ]; password = "gg23-mqtt"; }; + }]; }; environment.systemPackages = [ pkgs.mosquitto ]; From 280ed594fb4d4256a3f7a9a0b903c3e251234735 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 17:55:22 +0100 Subject: [PATCH 05/15] htgen: generate group for every user --- krebs/3modules/htgen.nix | 3 +++ 1 file changed, 3 insertions(+) 
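Review bot: In lass/2configs/bitlbee.nix, forcing `DynamicUser = lib.mkForce false` in `systemd.services.bitlbee.serviceConfig` also drops the sandboxing systemd implies for dynamic users (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, NoNewPrivileges, RestrictSUIDSGID, RemoveIPC), and nothing in the hunk puts any of it back. Unless the upstream module sets these separately, I would re-add at least `NoNewPrivileges = true; PrivateTmp = true; ProtectHome = true;` next to `User = "bitlbee";`. With `StateDirectory = lib.mkForce null`, systemd also no longer creates or chowns the state directory. A one-line comment stating why the static user is needed and what now provides the data directory would help the next reader.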
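Review bot: In lass/2configs/hass/default.nix the new `listeners` entry still carries the MQTT password as a literal (`password = "gg23-mqtt"`), so it ends up in the repository and in the world-readable Nix store. The listener-based module also offers file-based variants, so something like `users.gg23 = { acl = [ "topic readwrite #" ]; passwordFile = "<path-to-secret-file>"; };` (placeholder path) keeps the secret out of the store. Separately, the listener-level `acl = [ "topic pattern readwrite #" ]` combines both ACL keywords in one rule. Mosquitto rules are either `topic <access> <topic>` or `pattern <access> <topic>`, so it is worth confirming this line parses as intended and grants no more than the per-user rule. The removed `allowAnonymous = false` and `host` settings now rely on module defaults, which a short comment could make explicit.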
diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix index 517dad76f..4221703ec 100644 --- a/krebs/3modules/htgen.nix +++ b/krebs/3modules/htgen.nix @@ -69,10 +69,13 @@ let users.users = mapAttrs' (name: htgen: nameValuePair htgen.user.name { inherit (htgen.user) home name uid; + group = htgen.user.name; createHome = true; isSystemUser = true; } ) cfg; + users.groups = mapAttrs (_: _: {}) cfg; + }; in out From c5ade4fdd6c414c6726e1ac152a1c80327b5e796 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 18:27:04 +0100 Subject: [PATCH 06/15] realwallpaper: add group --- krebs/3modules/realwallpaper.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index 1fa6012cf..167afed2c 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -59,10 +59,13 @@ let users.extraUsers.realwallpaper = { uid = genid "realwallpaper"; + group = "realwallpaper"; home = cfg.workingDir; createHome = true; isSystemUser = true; }; + + users.groups.realwallpaper = {}; }; in From cd367626d4cb434e89ebfce0f4c13a11108043db Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 18:28:26 +0100 Subject: [PATCH 07/15] tinc_graphs: add groups --- krebs/3modules/tinc_graphs.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 7a414e6e3..733db69ca 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -128,9 +128,12 @@ let users.extraUsers.tinc_graphs = { uid = genid_uint31 "tinc_graphs"; + group = "tinc_graphs"; home = "/var/spool/tinc_graphs"; isSystemUser = true; }; + users.groups.tinc_graphs = {}; + services.nginx = mkIf cfg.nginx.enable { enable = mkDefault true; virtualHosts = { From 5d6bbe679742f6e975b48512c81e6d9c2dab9043 Mon Sep 17 00:00:00 2001 
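Review bot: In krebs/3modules/htgen.nix the new `users.groups = mapAttrs (_: _: {}) cfg;` names each group after the `cfg` attribute key, while the users above are keyed by `htgen.user.name` and get `group = htgen.user.name`. If an instance ever sets `user.name` to something other than its attribute name, the user would reference a group that is not declared. Building the groups the same way as the users avoids that: `users.groups = mapAttrs' (_: htgen: nameValuePair htgen.user.name {}) cfg;`. The enclosing `let` block starts and ends outside the hunk, so the default of `user.name` is not visible here.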
From: lassulus Date: Wed, 1 Dec 2021 18:29:24 +0100 Subject: [PATCH 08/15] brockman: add group --- krebs/3modules/brockman.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix index 7a78880ea..8427ca50b 100644 --- a/krebs/3modules/brockman.nix +++ b/krebs/3modules/brockman.nix @@ -11,10 +11,12 @@ in { config = mkIf cfg.enable { users.extraUsers.brockman = { home = "/var/lib/brockman"; + group = "brockman"; createHome = true; isSystemUser = true; uid = genid_uint31 "brockman"; }; + users.groups.brockman = {}; systemd.services.brockman = { description = "RSS to IRC broadcaster"; From bb709ce412115424db63b9ec2622989070c93d46 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 18:30:57 +0100 Subject: [PATCH 09/15] buildbot: add groups to users --- krebs/3modules/buildbot/master.nix | 1 + krebs/3modules/buildbot/slave.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index e55bd95ea..c30f31e31 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -319,6 +319,7 @@ let users.extraUsers.buildbotMaster = { uid = genid "buildbotMaster"; + group = "buildbotMaster"; description = "Buildbot Master"; home = cfg.workDir; createHome = false; diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index d877b9911..f97b50def 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix @@ -128,6 +128,7 @@ let users.extraUsers.buildbotSlave = { uid = genid "buildbotSlave"; + group = "buildbotSlave"; description = "Buildbot Slave"; home = cfg.workDir; createHome = false; From 9f6c37f21c49fb26d214765cbecef0d9e5abca40 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 18:31:53 +0100 Subject: [PATCH 10/15] github-host-sync: add group --- krebs/3modules/github-hosts-sync.nix | 3 +++ 1 file changed, 3 insertions(+) 
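Review bot: In krebs/3modules/buildbot/master.nix the added `group = "buildbotMaster";` has no matching group declaration in the hunk, unlike the other modules in this series, which add `users.groups.<name> = {};` alongside the user. Unless the group is declared in a part of the file not shown, add `users.groups.buildbotMaster = {};` next to `users.extraUsers.buildbotMaster`. The same applies to `group = "buildbotSlave";` in krebs/3modules/buildbot/slave.nix. Both user definitions continue past the end of their hunks.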
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 9421576df..71eed6c69 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -66,11 +66,14 @@ let users.users.${user.name} = { inherit (user) uid; + group = user.name; home = cfg.dataDir; isSystemUser = true; }; }; + users.groups.${user.name} = {}; + user = rec { mail = "${name}@${config.krebs.build.host.name}"; name = "github-hosts-sync"; From d33c92fe21e9690c9cc558a274472617ba034197 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 18:53:18 +0100 Subject: [PATCH 11/15] l usershadow: remove legacy pamEnvironment --- lass/3modules/usershadow.nix | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index c3d4de84d..1f5b6673f 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -28,15 +28,12 @@ session required pam_permit.so ''; - security.pam.services.dovecot2 = { - text = '' - auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - session required pam_env.so envfile=${config.system.build.pamEnvironment} - ''; - }; + security.pam.services.dovecot2.text = '' + auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + ''; security.wrappers.shadow_verify_pam = { source = "${usershadow}/bin/verify_pam"; From 625d725e1394e0b9f5a4161fffc1b8adf8fe9595 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Dec 2021 19:12:00 +0100 Subject: [PATCH 12/15] l usershadow: add groups to security.wrappers --- lass/3modules/usershadow.nix | 2 ++ 1 file changed, 2 insertions(+) 
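Review bot: In krebs/3modules/github-hosts-sync.nix the added `users.groups.${user.name} = {};` comes after the two closing `};` that follow `isSystemUser = true;`. That appears to place it among the `let` bindings (next to `user = rec { … }`) rather than inside the configuration set that holds `users.users.${user.name}`. There it would not declare the group that `group = user.name;` refers to. Move the line up so it sits directly after the `users.users.${user.name} = { … };` block, before the set is closed. The surrounding `let` starts and ends outside the hunk, so the nesting is inferred from the brace order in the context lines.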
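Review bot: The rewritten `security.pam.services.dovecot2.text` in lass/3modules/usershadow.nix has no comment explaining that the whole login decision rests on the exit status of `shadow_verify_pam`. The `account` and `session` lines are `pam_permit.so`, so account expiry or locking is never consulted for dovecot2 logins. I would add a comment above the assignment such as `# dovecot2 auth is decided solely by shadow_verify_pam; account/session checks are permissive`. `${cfg.pattern}` is also interpolated into the `pam_exec.so` argument list as-is, so its option description should say that it must not contain whitespace. The option itself is defined outside this hunk.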
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index 1f5b6673f..b1011ced0 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -38,10 +38,12 @@ security.wrappers.shadow_verify_pam = { source = "${usershadow}/bin/verify_pam"; owner = "root"; + group = "root"; }; security.wrappers.shadow_verify_arg = { source = "${usershadow}/bin/verify_arg"; owner = "root"; + group = "root"; }; }; From 3906ddedcc3be71417be57e70d336271f183c3d3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Dec 2021 15:50:36 +0100 Subject: [PATCH 13/15] nixpkgs: 96b4157 -> a640d83 --- krebs/nixpkgs.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 0543c65ca..e219581a1 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "96b4157790fc96e70d6e6c115e3f34bba7be490f", - "date": "2021-11-30T21:39:06+08:00", - "path": "/nix/store/lcn20w73v7gcd121kr5kmmncrqkh5bw7-nixpkgs", - "sha256": "05m0gn1dy0cdlamwyiq276s770bm2pw8qx6s0mfrv3khpcvv186l", + "rev": "a640d8394f34714578f3e6335fc767d0755d78f9", + "date": "2021-12-01T16:06:54+01:00", + "path": "/nix/store/88zw2qrbzaq3bnnsmz9qc4lvkwg0168g-nixpkgs", + "sha256": "1dyyzgcmlhpsdb4ngiy8m0x10qmh0r56ky75r8ppvvh730m3lhfj", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From e44a4024a0c20a5eec9a0053fc52ee91b7abd646 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Dec 2021 15:51:05 +0100 Subject: [PATCH 14/15] nixpkgs-unstable: 715f634 -> 6daa4a5 --- krebs/nixpkgs-unstable.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index da23245ae..8678a40cd 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json 
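Review bot: In lass/3modules/usershadow.nix both `security.wrappers.shadow_verify_pam` and `security.wrappers.shadow_verify_arg` now set `owner` and `group` but still say nothing about the setuid bit. As far as I know, the NixOS 21.11 wrappers module that this series moves to no longer implies setuid root when only `source` is given. The privilege these helpers run with should therefore be stated rather than inherited from a default. If they need root to read the shadow files, add `setuid = true;` to each block; if not, a comment saying they intentionally run unprivileged would document that.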
@@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2", - "date": "2021-11-17T14:17:56+01:00", - "path": "/nix/store/85yrz3ygrzkgw87fp3j42i1i9f4vf0n0-nixpkgs", - "sha256": "152kxfk11mgwg8gx0s1rgykyydfb7s746yfylvbwk5mk5cv4z9nv", + "rev": "6daa4a5c045d40e6eae60a3b6e427e8700f1c07f", + "date": "2021-12-01T17:29:12+01:00", + "path": "/nix/store/g62v0nj6b8v9qb5q0wxjss9q8y9qcg3r-nixpkgs", + "sha256": "1wg55jlxyvbjvm8x2rcirmvqws4y8xq504dn3yjp05m1bajhpj5r", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From 70be7f119b25f1913be9a219f5dad0b179405b4e Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 3 Dec 2021 16:23:46 +0100 Subject: [PATCH 15/15] l coaxmetal.r: remove obsolete trackpoint patch (is now upstream) --- lass/1systems/coaxmetal/physical.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix index b033477fe..6be047300 100644 --- a/lass/1systems/coaxmetal/physical.nix +++ b/lass/1systems/coaxmetal/physical.nix @@ -56,14 +56,4 @@ xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2 xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5 ''; - - # https://forums.lenovo.com/t5/Fedora/T14s-AMD-Trackpoint-almost-unusable/m-p/5064952?page=4 - # https://bugzilla.kernel.org/show_bug.cgi?id=209167#c1 - boot.kernelPatches = [{ - name = "fix-trackpoint-jumping"; - patch = pkgs.fetchurl { - url = "https://patchwork.kernel.org/project/linux-input/patch/20210729010940.5752-1-phoenix@emc.com.tw/raw/"; - sha256 = "0apbf7c8w830dbdsrmxpip90d5zbg74a939x89jfgpvm5gbdqdjg"; - }; - }]; }