diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index e7faca1f4..40d946f7d 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -29,6 +29,7 @@ in { services.gollum = { enable = true; + address = "::1"; extraConfig = '' Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1| system('${pushCgit}') @@ -45,12 +46,13 @@ in virtualHosts."wiki.r" = { enableACME = true; addSSL = true; - locations."/".extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host $host; - proxy_pass http://127.0.0.1:${toString config.services.gollum.port}; - ''; + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.gollum.port}"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + ''; + }; }; }; diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix index bb941a1fb..822dbab61 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci.nix @@ -108,8 +108,21 @@ let # create a ShellCommand for each stage and add them to the build stages = self.extract_stages(self.observer.getStdout()) self.build.addStepsAfterCurrentStep([ - steps.ShellCommand(name=stage, command=[stages[stage]]) - for stage in stages + steps.ShellCommand( + name=stage, + env=dict( + build_name = stage, + build_script = stages[stage], + ), + command="${pkgs.writeDash "build.sh" '' + set -xefu + profile=${shell.escape profileRoot}/$build_name + result=$("$build_script") + if [ -n "$result" ]; then + ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + fi + ''}", + ) for stage in stages ]) return result diff --git a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix index 8cec54327..5055a78aa 100644 --- a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix +++ b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix 
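Review bot: The loopback literal is now written twice, as `address = "::1"` on services.gollum in the first hunk and again inside `proxyPass` in the second. A later change to one of them would silently leave nginx proxying to an address gollum no longer listens on. Deriving the upstream from the option keeps the two tied together: `proxyPass = "http://[${config.services.gollum.address}]:${toString config.services.gollum.port}";` (the brackets assume the address stays an IPv6 literal). A short comment next to `address` saying the wiki is meant to be reachable only through the nginx vhost would record why the bind is restricted.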
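Review bot: `$build_name` is joined onto the profile root without validation in `profile=${shell.escape profileRoot}/$build_name`, yet it comes from the stage names parsed out of an earlier step's stdout. A name containing `/` or starting with `.` would make nix-env write the profile link outside profileRoot. A guard before that assignment would close this: `case "$build_name" in ""|.*|*/*) echo "invalid stage name: $build_name" >&2; exit 1;; esac`. `$result` is likewise whatever the stage script prints on stdout, so checking that it is a single existing store path before `--set` would avoid handing nix-env arbitrary text. The enclosing method starts and ends outside this hunk.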
@@ -23,6 +23,7 @@ pkgs.writers.writeDashBin "generate-intermediate-ca" '' ${pkgs.step-cli}/bin/step certificate create "Krebs ACME CA" intermediate_ca.crt intermediate_ca.key \ --template "$TMPDIR/intermediate.tpl" \ + --not-after 8760h \ --ca "$TMPDIR/krebs/ca.crt" \ --ca-key "$TMPDIR/krebs/ca.key" \ --no-password --insecure diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt index 54729e250..1cd5aed0b 100644 --- a/krebs/6assets/krebsAcmeCA.crt +++ b/krebs/6assets/krebsAcmeCA.crt 
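Review bot: `--not-after 8760h` is an unexplained magic number, and nothing here records that the intermediate now has to be renewed once a year. A comment above the `step certificate create` call, such as `# 8760h = 365 days; regenerate krebs/6assets/krebsAcmeCA.crt before it expires`, would document that duty, and an expiry check on the asset would catch a missed renewal. The context lines also show `--no-password --insecure`, so the intermediate key is written unencrypted. That matters more with a year-long validity, so it is worth confirming where the key ends up and who can read it. The script body starts and ends outside the hunk.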
@@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICWzCCAcSgAwIBAgIQVavHn7XtM7NJ8bnph6hGoTANBgkqhkiG9w0BAQsFADCB +MIICWTCCAcKgAwIBAgIQbAfVX2J0VIzhEYSPVAB4SzANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq -hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMDgxNTU5 -MDRaFw0yMTEyMDkxNTU5MDRaMBoxGDAWBgNVBAMTD0tyZWJzIEFDTUUgQ0EgMTBZ -MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDOK4g3pJPhOErk49zQgpNKE1cAyoeLp -PqWXkHZVLIVg8CBzPyCYiHS8RtaJ1kwWxwo5OTypCDOLxf1isR5HgZOjgYAwfjAO -BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUv758 -A4RPewsRtgjdB6AE1tn632swHwYDVR0jBBgwFoAUinqtNfqwMKe8gF8M5cGQaNxB -lS8wGAYDVR0eAQH/BA4wDKAKMAOCAXIwA4IBdzANBgkqhkiG9w0BAQsFAAOBgQAT -ewOSGWGTCWcJFGSxgnt8/WspMERq1hL1PikwwVMp7wzJmbHcbA0Es4fcrE5Xf8vQ -dGenlvyQjkQNahbsyGBoja7bpWpnw9qofLQkns1AZWp7q7GBqyKm30keM/E/stjH -YkgY4QaxlIL+6N0f4nKL3RSf6GQ1hWJOHf+RrboaMw== +hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMTAwODQ5 +MDZaFw0yMjEyMTAwODQ5MDZaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAATL8dNO7ajNe60Km7wHrG06tCUj5kQKWsrQ +Ay7KX8zO+RwQpYhd/i4bqpeGkGWh8uHLZ+164FlZaLgHO10DRja5o4GAMH4wDgYD +VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFMt9yJED +mPRhXsrNZ0x+GtzjdnTLMB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv +MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEANo/2 +teIuEsniwxVdqu+ukjqOXHIkBK7F91+G7BuDjBlx2U96v1MwsmT4D9upajERnOOD +tLx990Sj4t3avRTpytt+qLeIMIxt62YksUXVjDWndqaDcEUat5ZVEQsZ0ZmjOHrA +BaB65eU0xhJWKAZdk55GqHEFz3Ym4rx7WUaomzk= -----END CERTIFICATE----- diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix index 8fd6ee45b..7c3f8cfdb 100644 --- a/tv/1systems/mu/config.nix +++ b/tv/1systems/mu/config.nix 
@@ -83,8 +83,11 @@ with import ; programs.ssh.startAgent = false; - security.wrappers = { - slock.source = "${pkgs.slock}/bin/slock"; + krebs.setuid = { + slock = { + filename = "${pkgs.slock}/bin/slock"; + mode = "4111"; + }; }; security.pam.loginLimits = [ diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix index 469f5c6f8..dd6fcfe67 100644 --- a/tv/2configs/hw/AO753.nix +++ b/tv/2configs/hw/AO753.nix @@ -5,6 +5,18 @@ with import ; { imports = [ ../smartd.nix + + { + nix.buildCores = 2; + nix.maxJobs = 2; + } + (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then { + nix.daemonCPUSchedPolicy = "batch"; + nix.daemonIOSchedPriority = 1; + } else { + nix.daemonIONiceLevel = 1; + nix.daemonNiceLevel = 1; + }) ]; boot.loader.grub = { @@ -21,21 +33,10 @@ with import ; "wl" ]; - # broadcom_sta is marked as broken for 5.9+ - # pkgs.linuxPackages_latest ist 5.9 - boot.kernelPackages = pkgs.linuxPackages_5_8; - boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ]; - nix = { - buildCores = 2; - maxJobs = 2; - daemonIONiceLevel = 1; - daemonNiceLevel = 1; - }; - services.logind.extraConfig = '' HandleHibernateKey=ignore HandleLidSwitch=ignore diff --git a/tv/2configs/hw/CAC-Developer-1.nix b/tv/2configs/hw/CAC-Developer-1.nix deleted file mode 100644 index 5143c8359..000000000 --- a/tv/2configs/hw/CAC-Developer-1.nix +++ /dev/null @@ -1,8 +0,0 @@ -_: -{ - imports = [ ./CAC.nix ]; - nix = { - buildCores = 1; - maxJobs = 1; - }; -} diff --git a/tv/2configs/hw/CAC-Developer-2.nix b/tv/2configs/hw/CAC-Developer-2.nix deleted file mode 100644 index 1b3b102cc..000000000 --- a/tv/2configs/hw/CAC-Developer-2.nix +++ /dev/null @@ -1,8 +0,0 @@ -_: -{ - imports = [ ./CAC.nix ]; - nix = { - buildCores = 2; - maxJobs = 2; - }; -} diff --git a/tv/2configs/hw/CAC.nix b/tv/2configs/hw/CAC.nix deleted file mode 100644 index 9ed18344a..000000000 --- a/tv/2configs/hw/CAC.nix +++ /dev/null 
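Review bot: `mode = "4111"` makes the slock wrapper setuid and executable by every local account, and the hunk states neither owner nor group. Which identity the binary runs as therefore depends on defaults of the krebs.setuid module that are not visible here. Stating the owner explicitly (if the module exposes such an option) and adding a comment like `# setuid so slock can read the password hash; world-executable on purpose` would make the intent reviewable. If only the desktop user needs the locker, a group-restricted mode would be the least-privilege choice.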
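Review bot: The version switch `lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11"` and both of its branches in the first tv/2configs/hw/AO753.nix hunk are copied verbatim into tv/2configs/hw/w110er.nix later in this commit. Only the buildCores/maxJobs numbers differ. Moving the conditional into one shared module that both hardware files import would keep the copies from drifting when the pre-21.11 branch is eventually dropped. A one-line comment such as `# 21.11 replaced daemonNiceLevel/daemonIONiceLevel with daemonCPUSchedPolicy/daemonIOSchedPriority` would explain why the branch exists.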
@@ -1,13 +0,0 @@ -_: -{ - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - ]; - boot.loader.grub.splashImage = null; - nix = { - daemonIONiceLevel = 1; - daemonNiceLevel = 1; - }; - sound.enable = false; -} diff --git a/tv/2configs/hw/w110er.nix b/tv/2configs/hw/w110er.nix index 818d1aca6..09dd9a49d 100644 --- a/tv/2configs/hw/w110er.nix +++ b/tv/2configs/hw/w110er.nix @@ -1,7 +1,6 @@ -with import ; -{ pkgs, ... }: - -{ +{ pkgs, ... }: let + lib = import ; +in { imports = [ ../smartd.nix { @@ -16,6 +15,18 @@ with import ; # "nvidia-settings" #]; } + + { + nix.buildCores = 4; + nix.maxJobs = 4; + } + (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then { + nix.daemonCPUSchedPolicy = "batch"; + nix.daemonIOSchedPriority = 1; + } else { + nix.daemonIONiceLevel = 1; + nix.daemonNiceLevel = 1; + }) ]; boot.extraModprobeConfig = '' @@ -35,13 +46,6 @@ with import ; networking.wireless.enable = true; - nix = { - buildCores = 4; - maxJobs = 4; - daemonIONiceLevel = 1; - daemonNiceLevel = 1; - }; - services.logind.extraConfig = '' HandleHibernateKey=ignore HandleLidSwitch=ignore diff --git a/tv/5pkgs/haskell/xmonad-tv/default.nix b/tv/5pkgs/haskell/xmonad-tv/default.nix index 36dffaa13..edb5f258e 100644 --- a/tv/5pkgs/haskell/xmonad-tv/default.nix +++ b/tv/5pkgs/haskell/xmonad-tv/default.nix @@ -1,5 +1,5 @@ { mkDerivation, aeson, base, bytestring, containers, directory -, extra, stdenv, template-haskell, th-env, unix, X11, xmonad +, extra, lib, template-haskell, th-env, unix, X11, xmonad , xmonad-contrib, xmonad-stockholm }: mkDerivation { @@ -12,5 +12,5 @@ mkDerivation { aeson base bytestring containers directory extra template-haskell th-env unix X11 xmonad xmonad-contrib xmonad-stockholm ]; - license = stdenv.lib.licenses.mit; + license = lib.licenses.mit; }