diff options
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 35 | ||||
-rw-r--r-- | krebs/3modules/repo-sync.nix | 29 | ||||
-rw-r--r-- | krebs/3modules/systemd.nix | 3 | ||||
-rw-r--r-- | lass/1systems/green/config.nix | 13 | ||||
-rw-r--r-- | lass/krops.nix | 4 | ||||
-rw-r--r-- | tv/3modules/charybdis/config.nix | 4 | ||||
-rw-r--r-- | tv/3modules/charybdis/default.nix | 46 | ||||
-rw-r--r-- | tv/3modules/ejabberd/config.nix | 9 | ||||
-rw-r--r-- | tv/3modules/ejabberd/default.nix | 52 | ||||
-rw-r--r-- | tv/3modules/x0vncserver.nix | 28 |
10 files changed, 82 insertions, 141 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 4eb1d6411..fe149448b 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -24,13 +24,8 @@ let type = types.str; }; private_key = mkOption { - type = types.secret-file; - default = { - name = "exim.dkim_private_key/${config.domain}"; - path = "/run/krebs.secret/${config.domain}.dkim_private_key"; - owner.name = "exim"; - source-path = toString <secrets> + "/${config.domain}.dkim.priv"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/${config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { @@ -111,24 +106,13 @@ let }; imp = { - krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: { - name = "exim.dkim_private_key/${dkim.domain}"; - value = dkim.private_key; - })); - systemd.services = mkIf (cfg.dkim != []) { - exim = { - after = flip map cfg.dkim (dkim: - config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service - ); - partOf = flip map cfg.dkim (dkim: - config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service - ); - }; - }; + krebs.systemd.services.exim = {}; + systemd.services.exim.serviceConfig.LoadCredential = + map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim; krebs.exim = { enable = true; config = /* exim */ '' - keep_environment = + keep_environment = CREDENTIALS_DIRECTORY primary_hostname = ${cfg.primary_hostname} @@ -242,8 +226,9 @@ let ${optionalString (cfg.dkim != []) (indent /* exim */ '' dkim_canon = relaxed dkim_domain = $sender_address_domain - dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} + dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}} dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} + dkim_strict = true '')} helo_data = ''${if eq{$acl_m_special_dom}{} \ {$primary_hostname} \ @@ -281,10 +266,6 @@ let inherit (cfg) internet-aliases; inherit (cfg) system-aliases; } // optionalAttrs (cfg.dkim != []) { - dkim_private_key = flip map cfg.dkim (dkim: { - from = dkim.domain; - to = dkim.private_key.path; - }); dkim_selector = flip map cfg.dkim (dkim: { from = dkim.domain; to = dkim.selector; diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index 0312c62fd..c4cfb9a49 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix @@ -122,13 +122,9 @@ let }; privateKeyFile = mkOption { - type = types.secret-file; - default = { - name = "repo-sync-key"; - path = "${cfg.stateDir}/ssh.priv"; - owner = cfg.user; - source-path = toString <secrets> + "/repo-sync.ssh.key"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/repo-sync.ssh.key"; + defaultText = "‹secrets/repo-sync.ssh.key›"; }; unitConfig = mkOption { @@ -144,14 +140,16 @@ let }; imp = { - krebs.secret.files.repo-sync-key = cfg.privateKeyFile; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; description = "repo-sync user"; isSystemUser = true; }; + users.groups.${cfg.user.name} = {}; + systemd.timers = mapAttrs' (name: repo: nameValuePair "repo-sync-${name}" { description = "repo-sync timer"; @@ -160,6 +158,10 @@ let } ) cfg.repos; + krebs.systemd.services = mapAttrs' (name: _: + nameValuePair "repo-sync-${name}" {} + ) cfg.repos; + systemd.services = mapAttrs' (name: repo: let repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json" @@ -168,16 +170,10 @@ let }); in nameValuePair "repo-sync-${name}" { description = "repo-sync"; - after = [ - config.krebs.secret.files.repo-sync-key.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.repo-sync-key.service - ]; + after = [ "network.target" ]; environment = { - GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}"; + GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key"; REPONAME = "${name}.git"; }; @@ -185,6 +181,7 @@ let serviceConfig = { Type = "simple"; PermissionsStartOnly = true; + LoadCredential = "ssh_key:${cfg.privateKeyFile}"; ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}"; WorkingDirectory = cfg.stateDir; User = "repo-sync"; diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix index 0ce44391e..294f80a3c 100644 --- a/krebs/3modules/systemd.nix +++ b/krebs/3modules/systemd.nix @@ -31,7 +31,8 @@ lib.types.absolute-pathname.check (map (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ]) - config.systemd.services.${serviceName}.serviceConfig.LoadCredential); + (lib.toList + config.systemd.services.${serviceName}.serviceConfig.LoadCredential)); } ) config.krebs.systemd.services; diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index b41e396c9..5cf7d9242 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -42,13 +42,6 @@ with import <stockholm/lib>; "-M ${toString config.users.users.mainUser.uid}" ]; }; - "/home/lass/sync" = { - source = "/var/state/lass_sync"; - options = [ - "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" - "--create-for-user=${toString config.users.users.syncthing.uid}" - ]; - }; "/var/lib/bitlbee" = { source = "/var/state/bitlbee"; options = [ @@ -94,4 +87,10 @@ with import <stockholm/lib>; krebs.iptables.tables.nat.PREROUTING.rules = [ { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } ]; + + # workaround for ssh access from yubikey via android + services.openssh.extraConfig = '' + HostKeyAlgorithms +ssh-rsa + PubkeyAcceptedAlgorithms +ssh-rsa + ''; } diff --git a/lass/krops.nix b/lass/krops.nix index 4abd010e1..ace37888f 100644 --- a/lass/krops.nix +++ b/lass/krops.nix @@ -23,6 +23,10 @@ name = "hosts/${name}"; }; }; + stockholm.file = lib.mkForce { + path = toString ../.; + useChecksum = true; + }; } (if lib.pathExists (./. + "/1systems/${name}/source.nix") then import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs test; } diff --git a/tv/3modules/charybdis/config.nix b/tv/3modules/charybdis/config.nix index 3c73d2565..dccbfde67 100644 --- a/tv/3modules/charybdis/config.nix +++ b/tv/3modules/charybdis/config.nix @@ -61,13 +61,13 @@ in toFile "charybdis.conf" '' vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr}; /* ssl_private_key: our ssl private key */ - ssl_private_key = ${toJSON cfg.ssl_private_key.path}; + ssl_private_key = "/tmp/credentials/ssl_private_key"; /* ssl_cert: certificate for our ssl server */ ssl_cert = ${toJSON cfg.ssl_cert}; /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ - ssl_dh_params = ${toJSON cfg.ssl_dh_params.path}; + ssl_dh_params = "/tmp/credentials/ssl_dh_params"; /* ssld_count: number of ssld processes you want to start, if you * have a really busy server, using N-1 where N is the number of diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix index 9c5ce2731..96aae702a 100644 --- a/tv/3modules/charybdis/default.nix +++ b/tv/3modules/charybdis/default.nix @@ -15,22 +15,12 @@ in { type = types.path; }; ssl_dh_params = mkOption { - type = types.secret-file; - default = { - name = "charybdis-ssl_dh_params"; - path = "${cfg.user.home}/dh.pem"; - owner = cfg.user; - source-path = toString <secrets> + "/charybdis.dh.pem"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/charybdis.dh.pem"; }; ssl_private_key = mkOption { - type = types.secret-file; - default = { - name = "charybdis-ssl_private_key"; - path = "${cfg.user.home}/ssl.key.pem"; - owner = cfg.user; - source-path = toString <secrets> + "/charybdis.key.pem"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/charybdis.key.pem"; }; sslport = mkOption { type = types.int; @@ -46,22 +36,13 @@ in { }; config = lib.mkIf cfg.enable { - krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params; - krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key; - environment.etc."charybdis-ircd.motd".text = cfg.motd; + krebs.systemd.services.charybdis = {}; + systemd.services.charybdis = { wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.charybdis-ssl_dh_params.service - config.krebs.secret.files.charybdis-ssl_private_key.service - "network-online.target" - ]; - partOf = [ - config.krebs.secret.files.charybdis-ssl_dh_params.service - config.krebs.secret.files.charybdis-ssl_private_key.service - ]; + after = [ "network-online.target" ]; environment = { BANDB_DBPATH = "${cfg.user.home}/ban.db"; }; @@ -70,21 +51,30 @@ in { User = cfg.user.name; PrivateTmp = true; Restart = "always"; - ExecStartPre = - "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"; + ExecStartPre = [ + "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd" + "${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials" + ]; ExecStart = toString [ "${pkgs.charybdis}/bin/charybdis" "-configfile ${import ./config.nix args}" "-foreground" "-logfile /dev/stderr" ]; + LoadCredential = [ + "ssl_dh_params:${cfg.ssl_dh_params}" + "ssl_private_key:${cfg.ssl_private_key}" + ]; }; }; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; isSystemUser = true; }; + + users.groups.${cfg.user.name} = {}; }; } diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix index a0631e226..a022bc448 100644 --- a/tv/3modules/ejabberd/config.nix +++ b/tv/3modules/ejabberd/config.nix @@ -48,6 +48,9 @@ in /* yaml */ '' - "::1/128" - "::FFFF:127.0.0.1/128" + certfiles: + - /tmp/credentials/certfile + hosts: ${toJSON config.hosts} language: "en" @@ -58,9 +61,8 @@ in /* yaml */ '' ip: "::" module: ejabberd_c2s shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} + dhfile: /var/lib/ejabberd/dhfile protocol_options: ${toJSON protocol_options} starttls: true starttls_required: true @@ -109,9 +111,8 @@ in /* yaml */ '' mod_http_api: {} s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} + s2s_dhfile: /var/lib/ejabberd/dhfile s2s_protocol_options: ${toJSON protocol_options} s2s_tls_compression: false s2s_use_starttls: required diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 2ca88732b..935df9a9c 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix @@ -16,22 +16,8 @@ in { options.tv.ejabberd = { enable = mkEnableOption "tv.ejabberd"; certfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-certfile"; - path = "${cfg.user.home}/ejabberd.pem"; - owner = cfg.user; - source-path = toString <secrets> + "/ejabberd.pem"; - }; - }; - dhfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-dhfile"; - path = "${cfg.user.home}/dhparams.pem"; - owner = cfg.user; - source-path = "/dev/null"; - }; + type = types.absolute-pathname; + default = toString <secrets> + "/ejabberd.pem"; }; hosts = mkOption { type = with types; listOf str; @@ -61,10 +47,6 @@ in { config.krebs.users.tv.mail ]; }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; user = mkOption { type = types.user; default = { @@ -90,27 +72,24 @@ in { }) ]; - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; + krebs.systemd.services.ejabberd = {}; systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - ]; + after = [ "network.target" ]; serviceConfig = { - ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; - ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground"; + ExecStart = pkgs.writeDash "ejabberd" '' + ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials + ${gen-dhparam} /var/lib/ejabberd/dhfile + exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground + ''; + LoadCredential = [ + "certfile:${cfg.certfile}" + ]; PermissionsStartOnly = true; + PrivateTmp = true; SyslogIdentifier = "ejabberd"; + StateDirectory = "ejabberd"; User = cfg.user.name; TimeoutStartSec = 60; }; @@ -119,7 +98,10 @@ in { users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; + group = cfg.user.name; isSystemUser = true; }; + + users.groups.${cfg.user.name} = {}; }; } diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix index ba79c4a49..4dbb34df0 100644 --- a/tv/3modules/x0vncserver.nix +++ b/tv/3modules/x0vncserver.nix @@ -11,17 +11,12 @@ in { }; enable = mkEnableOption "tv.x0vncserver"; pwfile = mkOption { - default = { - name = "x0vncserver-pwfile"; - owner = cfg.user; - path = "${cfg.user.home}/.vncpasswd"; - source-path = toString <secrets> + "/vncpasswd"; - }; + default = toString <secrets> + "/vncpasswd"; description = '' Use vncpasswd to edit pwfile. See: nix-shell -p tigervnc --run 'man vncpasswd' ''; - type = types.secret-file; + type = types.absolute-pathname; }; rfbport = mkOption { default = 5900; @@ -33,26 +28,17 @@ in { }; }; config = mkIf cfg.enable { - krebs.secret.files = { - x0vncserver-pwfile = cfg.pwfile; - }; + krebs.systemd.services.x0vncserver = {}; systemd.services.x0vncserver = { - after = [ - config.krebs.secret.files.x0vncserver-pwfile.service - "graphical.target" - ]; - partOf = [ - config.krebs.secret.files.x0vncserver-pwfile.service - ]; - requires = [ - "graphical.target" - ]; + after = [ "graphical.target" ]; + requires = [ "graphical.target" ]; serviceConfig = { ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [ "-display ${cfg.display}" - "-passwordfile ${cfg.pwfile.path}" + "-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile" "-rfbport ${toString cfg.rfbport}" ]}"; + LoadCredential = "ssh_key:${cfg.pwfile}"; User = cfg.user.name; }; }; |