From 61bc72c4b4d19c612ea65c8f75762eca6e5ac535 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 2 Dec 2022 09:18:41 +0100 Subject: 22.05 -> 22.11 --- krebs/update-nixpkgs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh index 59dbd91b..97c069d8 100755 --- a/krebs/update-nixpkgs.sh +++ b/krebs/update-nixpkgs.sh @@ -3,7 +3,7 @@ dir=$(dirname $0) oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --url https://github.com/NixOS/nixpkgs \ - --rev refs/heads/nixos-22.05' \ + --rev refs/heads/nixos-22.11' \ > $dir/nixpkgs.json newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev" -- cgit v1.2.3 From ad122be3b9dff8a186489bc8635f46e3db0f7559 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 2 Dec 2022 09:19:08 +0100 Subject: nixpkgs: 6474d93 -> 596a8e8 --- krebs/nixpkgs.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index f836f63f..b6d46f1f 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b", - "date": "2022-11-16T11:41:31+01:00", - "path": "/nix/store/z86f31carhz3sf78kn3lkyq748drgp63-nixpkgs", - "sha256": "00swm7hz3fjyzps75bjyqviw6dqg2cc126wc7lcc1rjkpdyk5iwg", + "rev": "596a8e828c5dfa504f91918d0fa4152db3ab5502", + "date": "2022-11-30T14:03:12-05:00", + "path": "/nix/store/vax0irdsk8gvczikw219vj079mck6j6r-nixpkgs", + "sha256": "1n524a44p2kprk65zx2v6793kmxjpz1qm1ilxk82vq0vg0c5jy32", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From b7a24272db3d2ed342af7d9b979b8585408a640a Mon Sep 17 00:00:00 2001 
From: lassulus Date: Fri, 2 Dec 2022 14:24:46 +0100 Subject: krebs: set defaultLocale --- krebs/2configs/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 38d77031..fffe128e 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -27,9 +27,6 @@ with import ; ]; console.keyMap = "us"; - i18n = { - defaultLocale = lib.mkForce "C"; - }; programs.ssh.startAgent = false; @@ -60,4 +57,7 @@ with import ; # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; + + # maybe fix Error: unsupported locales detected: + i18n.defaultLocale = mkDefault "C.UTF-8"; } -- cgit v1.2.3 From 2d5f0db519c70c5f6340d546612d5d3daec3d2be Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 2 Dec 2022 16:30:47 +0100 Subject: mastodon: use nonsense mail --- krebs/2configs/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index d0c1943c..86e2ec43 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -15,7 +15,7 @@ configureNginx = true; trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr; smtp.createLocally = false; - smtp.fromAddress = "mastodon@social.krebsco.de"; + smtp.fromAddress = "derp"; }; services.nginx.virtualHosts.${config.services.mastodon.localDomain} = { -- cgit v1.2.3 From 8a6f835acb621cacabb0a3d158c26a0fcacf9e7d Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 2 Dec 2022 16:31:01 +0100 Subject: mastodon: add create-mastodon-user helper --- krebs/2configs/mastodon.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 86e2ec43..145b383e 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix 
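Review bot: Replacing `lib.mkForce "C"` with `mkDefault "C.UTF-8"` changes option precedence, not just the locale: any host or module that sets `i18n.defaultLocale` now silently wins, whereas before nothing could override the value, and the hunk does not say whether that loosening is intended. The new comment `# maybe fix Error: unsupported locales detected:` is a fragment that ends in a colon; state the contract instead, e.g. `# Default locale is C.UTF-8 so glibc/locale-archive checks pass on 22.11; hosts may override (mkDefault).` The removed line used `lib.mkForce` while the new one uses bare `mkDefault`, which only resolves if the `with import …;` at the top of the file brings the lib functions into scope — worth confirming since the rest of the hunk qualifies with `lib.`.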
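Review bot: `smtp.fromAddress = "derp"` is not an RFC 5322 mailbox, and with `smtp.createLocally = false` there is no local MTA to absorb the bounce, so any mail Mastodon still tries to send (password resets, two-factor recovery, sign-up confirmations for accounts not created with `--confirmed`) will most likely be rejected by a strict relay or vanish silently. If the intent is that this instance never sends mail, record it where the next reader will look: `# outbound mail is intentionally unconfigured; accounts are created pre-confirmed via create-mastodon-user`. Otherwise keep a syntactically valid address such as the previous `mastodon@social.krebsco.de` so failures are at least attributable to a real sender domain.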
@@ -36,5 +36,11 @@ (pkgs.writers.writeDashBin "tootctl" '' sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" '') + (pkgs.writers.writeDashBin "create-mastodon-user" '' + set -efu + nick=$1 + /run/current-system/sw/bin/tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed + /run/current-system/sw/bin/tootctl accounts approve "$nick" + '') ]; } -- cgit v1.2.3 From 0c54380529411e8b8bfff83a377343f38c57c21c Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 2 Dec 2022 17:31:25 +0100 Subject: l libvirt: enable polkit --- lass/2configs/libvirt.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index 78d5ae0e..d391e0d7 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ... }: { - users.users.mainUser.extraGroups = [ "libvirtd" ]; virtualisation.libvirtd.enable = true; + security.polkit.enable = true; krebs.iptables.tables.filter.INPUT.rules = [ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; } -- cgit v1.2.3 From 5d0d1993b6207c283189a2c81c8c76f549d44b2a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 4 Dec 2022 14:03:41 +0100 Subject: l websites: use default php --- lass/2configs/websites/util.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 22b1669b..bffa1036 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -174,7 +174,6 @@ rec { services.phpfpm.pools."${domain}" = { user = "nginx"; group = "nginx"; - phpPackage = pkgs.php74; extraConfig = '' listen = /srv/http/${domain}/phpfpm.pool pm = dynamic @@ -228,7 +227,6 @@ rec { services.phpfpm.pools."${domain}" = { user = "nginx"; group = "nginx"; - phpPackage = pkgs.php74; extraConfig = '' listen = /srv/http/${domain}/phpfpm.pool pm = dynamic -- cgit v1.2.3 
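Review bot: `nick=$1` reaches `tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed` unvalidated, so a nick beginning with `-` is parsed by tootctl as an option and a nick containing `@`, whitespace or quotes produces a malformed `--email`; `set -u` only catches a missing argument, not a hostile one. Add an allowlist check before the first tootctl call, `case $nick in ''|*[!A-Za-z0-9_]*) echo "invalid nick: $nick" >&2; exit 1;; esac`. Since `--confirmed` marks `$nick@krebsco.de` as verified without that mailbox ever receiving a message, a comment should state the assumption that every `@krebsco.de` mailbox is locally controlled. Note too that the helper shells through the `tootctl` wrapper above it, which runs `sudo -u mastodon`, so whoever may invoke this binary inherits account-creation rights on the instance, and (if tootctl behaves as upstream documents) the generated password is printed to the caller's terminal and scrollback.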
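Review bot: Removing `mainUser` from the `libvirtd` group while adding `security.polkit.enable = true` changes who can drive libvirt: with the group gone, access to the libvirtd socket is decided by polkit's `org.libvirt.unix.manage` action, which in the stock policy asks for administrator authentication (typically wheel membership) rather than group membership, so confirm mainUser still has the intended access or add an explicit polkit rule for it. The hunk gives no reason for the switch; a one-line comment would save the next reader the archaeology, e.g. `# libvirt access is mediated by polkit (org.libvirt.unix.manage), not the libvirtd group`. If the 22.11 libvirtd module already enables polkit on its own, the explicit line is harmless but the comment is still the useful part.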
From 45ce420a0c5fc783d364107a3ad290615ddaa7e6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 6 Dec 2022 13:46:29 +0100 Subject: nixpkgs-unstable: b457130 -> 14ddeae --- krebs/nixpkgs-unstable.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index a5d67f2f..897af648 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "b457130e8a21608675ddf12c7d85227b22a27112", - "date": "2022-11-16T11:03:19+00:00", - "path": "/nix/store/jr123qfmrl53imi48naxh6zs486fqmz2-nixpkgs", - "sha256": "16cjrr3np3f428lxw8yk6n2dqi7mg08zf6h6gv75zpw865jz44df", + "rev": "14ddeaebcbe9a25748221d1d7ecdf98e20e2325e", + "date": "2022-12-04T12:18:32+01:00", + "path": "/nix/store/xnxll37bfls7a3g969avyvb2cic0g0f3-nixpkgs", + "sha256": "0bix6746zmifas85mkb49g0szkdza4ajzdfbix4cdan9ig06v6rc", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From b9f38f6cda90824e85d657707b4cdc80aed26988 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 6 Dec 2022 19:44:30 +0100 Subject: ssl: move rootCA to 6assets --- krebs/3modules/ssl.nix | 21 +-------------------- krebs/6assets/krebsRootCA.crt | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 20 deletions(-) create mode 100644 krebs/6assets/krebsRootCA.crt diff --git a/krebs/3modules/ssl.nix b/krebs/3modules/ssl.nix index 3a9b5d32..8cbd8dcc 100644 --- a/krebs/3modules/ssl.nix +++ b/krebs/3modules/ssl.nix 
@@ -5,26 +5,7 @@ in { rootCA = lib.mkOption { type = lib.types.str; readOnly = true; - default = '' - -----BEGIN CERTIFICATE----- - MIIC0jCCAjugAwIBAgIJAKeARo6lDD0YMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD - VQQGEwJaWjESMBAGA1UECAwJc3RhdGVsZXNzMRAwDgYDVQQKDAdLcmVic2NvMQsw - CQYDVQQLDAJLTTEWMBQGA1UEAwwNS3JlYnMgUm9vdCBDQTEnMCUGCSqGSIb3DQEJ - ARYYcm9vdC1jYUBzeW50YXgtZmVobGVyLmRlMB4XDTE0MDYxMTA4NTMwNloXDTM5 - MDIwMTA4NTMwNlowgYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3Mx - EDAOBgNVBAoMB0tyZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBS - b290IENBMScwJQYJKoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUw - gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMs/WNyeQziccllLqom7bfCjlh6/ - /qx9p6UOqpw96YOOT3sh/mNSBLyNxIUJbWsU7dN5hT7HkR7GwzpfKDtudd9qiZeU - QNYQ+OL0HdOnApjdPqdspZfKxKTXyC1T1vJlaODsM1RBrjLK9RUcQZeNhgg3iM9B - HptOCrMI2fjCdZuVAgMBAAGjUDBOMB0GA1UdDgQWBBSKeq01+rAwp7yAXwzlwZBo - 3EGVLzAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGVLzAMBgNVHRMEBTAD - AQH/MA0GCSqGSIb3DQEBBQUAA4GBAIWIffZuQ43ddY2/ZnjAxPCRpM3AjoKIwEj9 - GZuLJJ1sB9+/PAPmRrpmUniRkPLD4gtmolDVuoLDNAT9os7/v90yg5dOuga33Ese - 725musUbhEoQE1A1oVHrexBs2sQOplxHKsVXoYJp2/trQdqvaNaEKc3EeVnzFC63 - 80WiO952 - -----END CERTIFICATE----- - ''; + default = builtins.readFile ../6assets/krebsRootCA.crt; }; intermediateCA = lib.mkOption { type = lib.types.str; diff --git a/krebs/6assets/krebsRootCA.crt b/krebs/6assets/krebsRootCA.crt new file mode 100644 index 00000000..3938c58b --- /dev/null +++ b/krebs/6assets/krebsRootCA.crt 
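Review bot: The certificate that `builtins.readFile ../6assets/krebsRootCA.crt` now loads is, by my reading of its DER header, a self-signed root with a 1024-bit RSA key and a sha1WithRSAEncryption signature, valid from 2014-06-11 to 2039-02-01; the self-signature algorithm is irrelevant to verifiers, but a 1024-bit key in the chain is rejected outright by OpenSSL at security level 2 and above and by most current browsers, so the 2039 expiry overstates how long this root is usable. The move to an asset file is fine, but a PEM asset cannot safely carry a comment, so put the caveat next to the option: `# 1024-bit RSA / SHA-1 self-signed root, notAfter 2039-02-01; modern TLS clients reject <2048-bit keys — plan a root rotation`. Note also that `builtins.readFile` resolves the path relative to ssl.nix at evaluation time and includes the trailing newline, matching the old `''` literal; the `rootCA` option's enclosing `in {` block starts above the hunk.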
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC0jCCAjugAwIBAgIJAKeARo6lDD0YMA0GCSqGSIb3DQEBBQUAMIGBMQswCQYD +VQQGEwJaWjESMBAGA1UECAwJc3RhdGVsZXNzMRAwDgYDVQQKDAdLcmVic2NvMQsw +CQYDVQQLDAJLTTEWMBQGA1UEAwwNS3JlYnMgUm9vdCBDQTEnMCUGCSqGSIb3DQEJ +ARYYcm9vdC1jYUBzeW50YXgtZmVobGVyLmRlMB4XDTE0MDYxMTA4NTMwNloXDTM5 +MDIwMTA4NTMwNlowgYExCzAJBgNVBAYTAlpaMRIwEAYDVQQIDAlzdGF0ZWxlc3Mx +EDAOBgNVBAoMB0tyZWJzY28xCzAJBgNVBAsMAktNMRYwFAYDVQQDDA1LcmVicyBS +b290IENBMScwJQYJKoZIhvcNAQkBFhhyb290LWNhQHN5bnRheC1mZWhsZXIuZGUw +gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMs/WNyeQziccllLqom7bfCjlh6/ +/qx9p6UOqpw96YOOT3sh/mNSBLyNxIUJbWsU7dN5hT7HkR7GwzpfKDtudd9qiZeU +QNYQ+OL0HdOnApjdPqdspZfKxKTXyC1T1vJlaODsM1RBrjLK9RUcQZeNhgg3iM9B +HptOCrMI2fjCdZuVAgMBAAGjUDBOMB0GA1UdDgQWBBSKeq01+rAwp7yAXwzlwZBo +3EGVLzAfBgNVHSMEGDAWgBSKeq01+rAwp7yAXwzlwZBo3EGVLzAMBgNVHRMEBTAD +AQH/MA0GCSqGSIb3DQEBBQUAA4GBAIWIffZuQ43ddY2/ZnjAxPCRpM3AjoKIwEj9 +GZuLJJ1sB9+/PAPmRrpmUniRkPLD4gtmolDVuoLDNAT9os7/v90yg5dOuga33Ese +725musUbhEoQE1A1oVHrexBs2sQOplxHKsVXoYJp2/trQdqvaNaEKc3EeVnzFC63 +80WiO952 +-----END CERTIFICATE----- -- cgit v1.2.3 From 2b74d084deba00babaa94f83ea47c4291cf1081a Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 6 Dec 2022 19:44:45 +0100 Subject: update ACME CA --- krebs/6assets/krebsAcmeCA.crt | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt index 1cd5aed0..bf05b44f 100644 --- a/krebs/6assets/krebsAcmeCA.crt +++ b/krebs/6assets/krebsAcmeCA.crt 
@@ -1,15 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICWTCCAcKgAwIBAgIQbAfVX2J0VIzhEYSPVAB4SzANBgkqhkiG9w0BAQsFADCB +MIICWTCCAcKgAwIBAgIQIpBt0MsRpYd8LWNdb9MfITANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq -hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMTAwODQ5 -MDZaFw0yMjEyMTAwODQ5MDZaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT -BgcqhkjOPQIBBggqhkjOPQMBBwNCAATL8dNO7ajNe60Km7wHrG06tCUj5kQKWsrQ -Ay7KX8zO+RwQpYhd/i4bqpeGkGWh8uHLZ+164FlZaLgHO10DRja5o4GAMH4wDgYD -VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFMt9yJED -mPRhXsrNZ0x+GtzjdnTLMB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv -MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEANo/2 -teIuEsniwxVdqu+ukjqOXHIkBK7F91+G7BuDjBlx2U96v1MwsmT4D9upajERnOOD -tLx990Sj4t3avRTpytt+qLeIMIxt62YksUXVjDWndqaDcEUat5ZVEQsZ0ZmjOHrA -BaB65eU0xhJWKAZdk55GqHEFz3Ym4rx7WUaomzk= +hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMjEyMDYxODI2 +MDhaFw0yMzEyMDYxODI2MDhaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAAT4KuemY4BowAbFjzCvi+PthBTWCtewnAbr +qDSlA602QcuQVmqa1/3TaYag7KNDgeg5eshMRI9GN/boKTpgcLeZo4GAMH4wDgYD +VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJYxArnj +SEArwloaM5blBymFmcL2MB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv +MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEAekCt +XrKwanrcy6+k3YfXWGiMJ47Ys7Mfa5UfIs7QiXv74MgtklLsX63D27hKn5rd7wk4 +20wXLMhb8ofrKnO4mt0VFRSGm9/cq9N/c/uuf4hMzhAJmusgkn02GG+cafqZ9ab9 +MjLmveT9WHphmgQTnJPEeYP2U2faHKIp6Gwv5qc= -----END CERTIFICATE----- -- cgit v1.2.3 From 2eb33e60b45c2b37d51a57b0fbe4a023861a7429 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 7 Dec 2022 19:25:46 +0100 Subject: Revert "exim-smarthost: check SPF" This reverts commit 426d6e2e5cdbe52cf776400cec85036f4cb86b79. --- krebs/3modules/exim-smarthost.nix | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) 
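Review bot: The renewed intermediate is again valid for exactly one year (its validity decodes to 2022-12-06 18:26:08Z through 2023-12-06 18:26:08Z), and the previous one was set to lapse on 2022-12-10, so this renewal landed four days before an outage; nothing in the repository visible here records the next deadline. The subject key identifier also changed (new `FJYxArnj…` vs old `FMt9yJED…`), i.e. the ACME CA key was rotated rather than re-signed, so leaf certificates issued under the old key chain only as long as clients still hold the old intermediate — acceptable only because it expires days later. Since a PEM file cannot carry a comment safely, add one beside the option that reads this asset in ssl.nix, `# 1-year intermediate: renew and redeploy before 2023-12-06`, or better, a monitoring check on the file's notAfter.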
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 5923b610..38cc828b 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -126,9 +126,8 @@ let domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains} hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts} - acl_smtp_data = acl_check_data - acl_smtp_mail = acl_check_mail acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data never_users = root @@ -180,36 +179,6 @@ let accept - acl_check_mail: - accept - sender_domains = +sender_domains - hosts = +relay_from_hosts - deny - spf = fail : softfail - log_message = spf=$spf_result - message = SPF validation failed: \ - $sender_host_address is not allowed to send mail from \ - ''${if def:sender_address_domain\ - {$sender_address_domain}\ - {$sender_helo_name}} - deny - spf = permerror - log_message = spf=$spf_result - message = SPF validation failed: \ - syntax error in SPF record(s) for \ - ''${if def:sender_address_domain\ - {$sender_address_domain}\ - {$sender_helo_name}} - defer - spf = temperror - log_message = spf=$spf_result; deferred - message = temporary error during SPF validation; \ - please try again later - warn - spf = none : neutral - log_message = spf=$spf_result - accept - add_header = $spf_received begin routers -- cgit v1.2.3
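Review bot: The revert removes the whole `acl_check_mail` ACL, including the `warn`/`add_header = $spf_received` branch, so the smarthost stops both rejecting SPF `fail` and recording any SPF evidence in headers, yet neither the commit message nor the configuration says why; if the `deny` on `fail : softfail` broke legitimate forwarded or mailing-list traffic, the usual middle ground is to keep the ACL in observe-only mode (turn the `deny` verbs into `warn`, keep `log_message` and the final `add_header`) so downstream filters and logs retain the result. At minimum leave a comment where `acl_smtp_mail` was, e.g. `# SPF checking was removed in this commit; see git log — re-add in warn-only mode before re-enabling deny`. Whether external hosts can still submit mail claiming a `+sender_domains` address now depends entirely on `acl_check_rcpt`, whose body is outside this hunk and should be re-read with that in mind; the swapped order of `acl_smtp_rcpt`/`acl_smtp_data` is cosmetic. The enclosing `let` string begins above the hunk.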