From 210c032fca659799376e08abb924536ee2e414ed Mon Sep 17 00:00:00 2001
From: tv
Date: Wed, 8 Dec 2021 22:01:32 +0100
Subject: tv x220 nix.daemon*: admit NixOS 21.11 harder

Only compare majorMinor nixpkgs version because 21.11pre-git < 21.11
---
 tv/2configs/hw/x220.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix
index a4342fcc..8c68cdef 100644
--- a/tv/2configs/hw/x220.nix
+++ b/tv/2configs/hw/x220.nix
@@ -31,7 +31,7 @@ in
 nix.buildCores = 2;
 nix.maxJobs = 2;
 }
- (if lib.versionAtLeast lib.version "21.11" then {
+ (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
 nix.daemonCPUSchedPolicy = "batch";
 nix.daemonIOSchedPriority = 1;
 } else {
-- 
cgit v1.2.3
From e4384e10e94bc01507834568f2dfb4bd8255311f Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 10 Dec 2021 09:55:47 +0100
Subject: pkgs.generate-krebs-intermediate-ca: set vailidy to 1y

---
 krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
index 8cec5432..5055a78a 100644
--- a/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
+++ b/krebs/5pkgs/simple/generate-krebs-intermediate-ca/default.nix
@@ -23,6 +23,7 @@ pkgs.writers.writeDashBin "generate-intermediate-ca" ''
 ${pkgs.step-cli}/bin/step certificate create "Krebs ACME CA" intermediate_ca.crt intermediate_ca.key \
 --template "$TMPDIR/intermediate.tpl" \
+ --not-after 8760h \
 --ca "$TMPDIR/krebs/ca.crt" \
 --ca-key "$TMPDIR/krebs/ca.key" \
 --no-password --insecure
-- 
cgit v1.2.3
From 6d3ea779b6d6114120bd5d2510ca5870c3012e0c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 10 Dec 2021 09:56:02 +0100
Subject: rotate krebsAcmeCA.crt

---
 krebs/6assets/krebsAcmeCA.crt | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
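Review bot: `--not-after 8760h` hard-codes a one-year lifetime for the intermediate without recording why, and because the resulting certificate is committed as krebs/6assets/krebsAcmeCA.crt (rotated in the next commit on this page), that rotation now has to be repeated before every anniversary; nothing in the script schedules or checks for the expiry. A comment on the new line such as `# 1y validity: krebsAcmeCA.crt must be regenerated and re-committed before it expires` would at least document the operational obligation, and lifting the duration into a named variable at the top of the script would make the policy easy to find and change. 8760h is exactly 365 days, so in a leap year the certificate expires one day before the calendar anniversary.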
diff --git a/krebs/6assets/krebsAcmeCA.crt b/krebs/6assets/krebsAcmeCA.crt
index 54729e25..1cd5aed0 100644
--- a/krebs/6assets/krebsAcmeCA.crt
+++ b/krebs/6assets/krebsAcmeCA.crt
@@ -1,15 +1,15 @@
 -----BEGIN CERTIFICATE-----
-MIICWzCCAcSgAwIBAgIQVavHn7XtM7NJ8bnph6hGoTANBgkqhkiG9w0BAQsFADCB
+MIICWTCCAcKgAwIBAgIQbAfVX2J0VIzhEYSPVAB4SzANBgkqhkiG9w0BAQsFADCB
 gTELMAkGA1UEBhMCWloxEjAQBgNVBAgMCXN0YXRlbGVzczEQMA4GA1UECgwHS3Jl
 YnNjbzELMAkGA1UECwwCS00xFjAUBgNVBAMMDUtyZWJzIFJvb3QgQ0ExJzAlBgkq
-hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMDgxNTU5
-MDRaFw0yMTEyMDkxNTU5MDRaMBoxGDAWBgNVBAMTD0tyZWJzIEFDTUUgQ0EgMTBZ
-MBMGByqGSM49AgEGCCqGSM49AwEHA0IABDOK4g3pJPhOErk49zQgpNKE1cAyoeLp
-PqWXkHZVLIVg8CBzPyCYiHS8RtaJ1kwWxwo5OTypCDOLxf1isR5HgZOjgYAwfjAO
-BgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUv758
-A4RPewsRtgjdB6AE1tn632swHwYDVR0jBBgwFoAUinqtNfqwMKe8gF8M5cGQaNxB
-lS8wGAYDVR0eAQH/BA4wDKAKMAOCAXIwA4IBdzANBgkqhkiG9w0BAQsFAAOBgQAT
-ewOSGWGTCWcJFGSxgnt8/WspMERq1hL1PikwwVMp7wzJmbHcbA0Es4fcrE5Xf8vQ
-dGenlvyQjkQNahbsyGBoja7bpWpnw9qofLQkns1AZWp7q7GBqyKm30keM/E/stjH
-YkgY4QaxlIL+6N0f4nKL3RSf6GQ1hWJOHf+RrboaMw==
+hkiG9w0BCQEWGHJvb3QtY2FAc3ludGF4LWZlaGxlci5kZTAeFw0yMTEyMTAwODQ5
+MDZaFw0yMjEyMTAwODQ5MDZaMBgxFjAUBgNVBAMTDUtyZWJzIEFDTUUgQ0EwWTAT
+BgcqhkjOPQIBBggqhkjOPQMBBwNCAATL8dNO7ajNe60Km7wHrG06tCUj5kQKWsrQ
+Ay7KX8zO+RwQpYhd/i4bqpeGkGWh8uHLZ+164FlZaLgHO10DRja5o4GAMH4wDgYD
+VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFMt9yJED
+mPRhXsrNZ0x+GtzjdnTLMB8GA1UdIwQYMBaAFIp6rTX6sDCnvIBfDOXBkGjcQZUv
+MBgGA1UdHgEB/wQOMAygCjADggFyMAOCAXcwDQYJKoZIhvcNAQELBQADgYEANo/2
+teIuEsniwxVdqu+ukjqOXHIkBK7F91+G7BuDjBlx2U96v1MwsmT4D9upajERnOOD
+tLx990Sj4t3avRTpytt+qLeIMIxt62YksUXVjDWndqaDcEUat5ZVEQsZ0ZmjOHrA
+BaB65eU0xhJWKAZdk55GqHEFz3Ym4rx7WUaomzk=
 -----END CERTIFICATE-----
-- 
cgit v1.2.3
From 9841e402e2692a6eb37d5a5b89a53474168af590 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 10 Dec 2021 10:13:49 +0100
Subject: wiki.r: listen on localhost, fix http redirect

---
 krebs/2configs/wiki.nix | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index e7faca1f..aa694826 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -29,6 +29,7 @@ in
 {
 services.gollum = {
 enable = true;
+ address = "::";
 extraConfig = ''
 Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
 system('${pushCgit}')
@@ -45,12 +46,13 @@ in
 virtualHosts."wiki.r" = {
 enableACME = true;
 addSSL = true;
- locations."/".extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:${toString config.services.gollum.port};
- '';
+ locations."/" = {
+ proxyPass = "http://[::]:${toString config.services.gollum.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ };
 };
 };
-- 
cgit v1.2.3
From 6b59b7972a901dcbb3cb5c1aeac4616a5a94ba7b Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 10 Dec 2021 18:09:44 +0100
Subject: wiki: listen gollum on localhost only

---
 krebs/2configs/wiki.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index aa694826..40d946f7 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -29,7 +29,7 @@ in
 {
 services.gollum = {
 enable = true;
- address = "::";
+ address = "::1";
 extraConfig = ''
 Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
 system('${pushCgit}')
@@ -47,7 +47,7 @@ in
 enableACME = true;
 addSSL = true;
 locations."/" = {
- proxyPass = "http://[::]:${toString config.services.gollum.port}";
+ proxyPass = "http://[::1]:${toString config.services.gollum.port}";
 proxyWebsockets = true;
 extraConfig = ''
 proxy_set_header Host $host;
-- 
cgit v1.2.3
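Review bot: `address = "::";` in the first hunk binds gollum to every interface, so the wiki becomes reachable directly on config.services.gollum.port without the nginx vhost that supplies ACME/TLS, which also contradicts the subject's "listen on localhost"; whether the host firewall closes that port is not visible here. The follow-up commit 6b59b7972a on this page narrows it to `::1`, so the remaining question is only whether the intermediate state was deployed in between and the port was exposed during that window. In the second hunk the new `proxyPass` must stay in step with whatever address gollum binds, so a one-line comment tying the two together, `# must match services.gollum.address`, would keep a later change to one of them from silently breaking or re-exposing the other.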
From 0209b3499fe5582b42e21db2cebd9940c7ebc76e Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 10 Dec 2021 23:29:17 +0100
Subject: tv mu: use krebs.setuid

---
 tv/1systems/mu/config.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix
index 8fd6ee45..7c3f8cfd 100644
--- a/tv/1systems/mu/config.nix
+++ b/tv/1systems/mu/config.nix
@@ -83,8 +83,11 @@ with import ;
 programs.ssh.startAgent = false;
- security.wrappers = {
- slock.source = "${pkgs.slock}/bin/slock";
+ krebs.setuid = {
+ slock = {
+ filename = "${pkgs.slock}/bin/slock";
+ mode = "4111";
+ };
 };
 security.pam.loginLimits = [
-- 
cgit v1.2.3
From 07880447af2d00c1e68591d02a9903756977df91 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 10 Dec 2021 23:37:07 +0100
Subject: tv xmonad-tv: stdenv.lib -> lib

---
 tv/5pkgs/haskell/xmonad-tv/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tv/5pkgs/haskell/xmonad-tv/default.nix b/tv/5pkgs/haskell/xmonad-tv/default.nix
index 36dffaa1..edb5f258 100644
--- a/tv/5pkgs/haskell/xmonad-tv/default.nix
+++ b/tv/5pkgs/haskell/xmonad-tv/default.nix
@@ -1,5 +1,5 @@
 { mkDerivation, aeson, base, bytestring, containers, directory
-, extra, stdenv, template-haskell, th-env, unix, X11, xmonad
+, extra, lib, template-haskell, th-env, unix, X11, xmonad
 , xmonad-contrib, xmonad-stockholm
 }:
 mkDerivation {
@@ -12,5 +12,5 @@ mkDerivation {
 aeson base bytestring containers directory extra template-haskell
 th-env unix X11 xmonad xmonad-contrib xmonad-stockholm
 ];
- license = stdenv.lib.licenses.mit;
+ license = lib.licenses.mit;
 }
-- 
cgit v1.2.3
From 52fcfb00fd573cfffaea2ab62d7829efd42fe85b Mon Sep 17 00:00:00 2001
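Review bot: `mode = "4111";` sets the setuid bit, so the privilege this wrapper runs with is whatever owner krebs.setuid assigns by default (presumably root), and that owner is not stated anywhere in the hunk. The owner is the entire security property of a setuid wrapper, so if krebs.setuid exposes an owner option it is worth pinning it explicitly next to `mode`, e.g. `owner = "root";`, so the block can be reviewed without consulting the module's defaults. A short comment on why slock needs to be setuid at all would also help the next reader judge whether the wrapper is still required.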
From: tv
Date: Fri, 10 Dec 2021 23:41:53 +0100
Subject: tv CAC: RIP

---
 tv/2configs/hw/CAC-Developer-1.nix | 8 --------
 tv/2configs/hw/CAC-Developer-2.nix | 8 --------
 tv/2configs/hw/CAC.nix | 13 -------------
 3 files changed, 29 deletions(-)
 delete mode 100644 tv/2configs/hw/CAC-Developer-1.nix
 delete mode 100644 tv/2configs/hw/CAC-Developer-2.nix
 delete mode 100644 tv/2configs/hw/CAC.nix

diff --git a/tv/2configs/hw/CAC-Developer-1.nix b/tv/2configs/hw/CAC-Developer-1.nix
deleted file mode 100644
index 5143c835..00000000
--- a/tv/2configs/hw/CAC-Developer-1.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-_:
-{
- imports = [ ./CAC.nix ];
- nix = {
- buildCores = 1;
- maxJobs = 1;
- };
-}
diff --git a/tv/2configs/hw/CAC-Developer-2.nix b/tv/2configs/hw/CAC-Developer-2.nix
deleted file mode 100644
index 1b3b102c..00000000
--- a/tv/2configs/hw/CAC-Developer-2.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-_:
-{
- imports = [ ./CAC.nix ];
- nix = {
- buildCores = 2;
- maxJobs = 2;
- };
-}
diff --git a/tv/2configs/hw/CAC.nix b/tv/2configs/hw/CAC.nix
deleted file mode 100644
index 9ed18344..00000000
--- a/tv/2configs/hw/CAC.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-_:
-{
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "vmw_pvscsi"
- ];
- boot.loader.grub.splashImage = null;
- nix = {
- daemonIONiceLevel = 1;
- daemonNiceLevel = 1;
- };
- sound.enable = false;
-}
-- 
cgit v1.2.3
From 30bdb1e7e535f8257f06a929012e58f421f709b0 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 10 Dec 2021 23:40:36 +0100
Subject: tv w110er nix.daemon*: admit NixOS 21.11

---
 tv/2configs/hw/w110er.nix | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/tv/2configs/hw/w110er.nix b/tv/2configs/hw/w110er.nix
index 818d1aca..09dd9a49 100644
--- a/tv/2configs/hw/w110er.nix
+++ b/tv/2configs/hw/w110er.nix
@@ -1,7 +1,6 @@
-with import ;
-{ pkgs, ... }:
-
-{
+{ pkgs, ... }: let
+ lib = import ;
+in {
 imports = [
 ../smartd.nix
 {
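Review bot: The new `lib = import ...;` binding (its angle-bracket search path was lost in this rendering) resolves lib through NIX_PATH rather than from the module arguments, so the `lib.version` that the second hunk compares against "21.11" may describe a different nixpkgs than the one actually evaluating this configuration. Taking lib from the module arguments instead, `{ lib, pkgs, ... }:`, ties the version check to the evaluating nixpkgs and removes the let binding. The AO753 hunk in commit 1c778a5443 runs the same check and presumably resolves lib the same way through its surviving `with import` line, so the same remark applies there.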
@@ -16,6 +15,18 @@ with import ;
 # "nvidia-settings"
 #];
 }
+
+ {
+ nix.buildCores = 4;
+ nix.maxJobs = 4;
+ }
+ (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
+ nix.daemonCPUSchedPolicy = "batch";
+ nix.daemonIOSchedPriority = 1;
+ } else {
+ nix.daemonIONiceLevel = 1;
+ nix.daemonNiceLevel = 1;
+ })
 ];
 boot.extraModprobeConfig = ''
@@ -35,13 +46,6 @@ with import ;
 networking.wireless.enable = true;
- nix = {
- buildCores = 4;
- maxJobs = 4;
- daemonIONiceLevel = 1;
- daemonNiceLevel = 1;
- };
-
 services.logind.extraConfig = ''
 HandleHibernateKey=ignore
 HandleLidSwitch=ignore
-- 
cgit v1.2.3
From 1c778a5443554a55dd526d67f79b265168953da2 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 10 Dec 2021 23:43:44 +0100
Subject: tv AO753 nix.daemon*: admit NixOS 21.11

---
 tv/2configs/hw/AO753.nix | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix
index 469f5c6f..c9afe9a0 100644
--- a/tv/2configs/hw/AO753.nix
+++ b/tv/2configs/hw/AO753.nix
@@ -5,6 +5,18 @@ with import ;
 {
 imports = [
 ../smartd.nix
+
+ {
+ nix.buildCores = 2;
+ nix.maxJobs = 2;
+ }
+ (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "21.11" then {
+ nix.daemonCPUSchedPolicy = "batch";
+ nix.daemonIOSchedPriority = 1;
+ } else {
+ nix.daemonIONiceLevel = 1;
+ nix.daemonNiceLevel = 1;
+ })
 ];
 boot.loader.grub = {
@@ -29,13 +41,6 @@ with import ;
 config.boot.kernelPackages.broadcom_sta
 ];
- nix = {
- buildCores = 2;
- maxJobs = 2;
- daemonIONiceLevel = 1;
- daemonNiceLevel = 1;
- };
-
 services.logind.extraConfig = ''
 HandleHibernateKey=ignore
 HandleLidSwitch=ignore
-- 
cgit v1.2.3
From 250fef75330f6681e891044656d4a30b02109f69 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 10 Dec 2021 23:49:12 +0100
Subject: tv AO753: drop boot.kernelPackages

broadcom_sta is not broken for default kernel packages anymore.
---
 tv/2configs/hw/AO753.nix | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix
index c9afe9a0..dd6fcfe6 100644
--- a/tv/2configs/hw/AO753.nix
+++ b/tv/2configs/hw/AO753.nix
@@ -33,10 +33,6 @@ with import ;
 "wl"
 ];
- # broadcom_sta is marked as broken for 5.9+
- # pkgs.linuxPackages_latest ist 5.9
- boot.kernelPackages = pkgs.linuxPackages_5_8;
-
 boot.extraModulePackages = [
 config.boot.kernelPackages.broadcom_sta
 ];
-- 
cgit v1.2.3
From f2533d88924feb48834a07c4dc1e82cd21acd025 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sat, 11 Dec 2021 12:00:36 +0100
Subject: ci: add gcroots for successful builds

---
 krebs/3modules/ci.nix | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index bb941a1f..822dbab6 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -108,8 +108,21 @@ let
 # create a ShellCommand for each stage and add them to the build
 stages = self.extract_stages(self.observer.getStdout())
 self.build.addStepsAfterCurrentStep([
- steps.ShellCommand(name=stage, command=[stages[stage]])
- for stage in stages
+ steps.ShellCommand(
+ name=stage,
+ env=dict(
+ build_name = stage,
+ build_script = stages[stage],
+ ),
+ command="${pkgs.writeDash "build.sh" ''
+ set -xefu
+ profile=${shell.escape profileRoot}/$build_name
+ result=$("$build_script")
+ if [ -n "$result" ]; then
+ ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+ fi
+ ''}",
+ ) for stage in stages
 ])
 return result
-- 
cgit v1.2.3
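Review bot: `profile=${shell.escape profileRoot}/$build_name` escapes profileRoot but splices `$build_name` in unchecked, and `build_name` is the stage name that extract_stages parses out of the build's own stdout, so it is effectively chosen by the repository under test; a name containing `/` or starting with `.` lets `nix-env -p "$profile" --set` create the profile, and with it a GC root, outside profileRoot. A guard before the assignment keeps it contained: `case $build_name in ''|*/*|.*) echo "refusing stage name: $build_name" >&2; exit 1;; esac`. It is also worth a comment that `result=$("$build_script")` hands the script's entire stdout to `--set`, so a stage that prints anything other than a single store path fails the step under `set -e`; the enclosing Python method continues outside the hunk.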