summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/exim-smarthost.nix35
-rw-r--r--krebs/3modules/repo-sync.nix29
-rw-r--r--krebs/3modules/systemd.nix3
-rw-r--r--lass/1systems/green/config.nix13
-rw-r--r--lass/krops.nix4
-rw-r--r--tv/3modules/charybdis/config.nix4
-rw-r--r--tv/3modules/charybdis/default.nix46
-rw-r--r--tv/3modules/ejabberd/config.nix9
-rw-r--r--tv/3modules/ejabberd/default.nix52
-rw-r--r--tv/3modules/x0vncserver.nix28
10 files changed, 82 insertions, 141 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 4eb1d6411..fe149448b 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -24,13 +24,8 @@ let
type = types.str;
};
private_key = mkOption {
- type = types.secret-file;
- default = {
- name = "exim.dkim_private_key/${config.domain}";
- path = "/run/krebs.secret/${config.domain}.dkim_private_key";
- owner.name = "exim";
- source-path = toString <secrets> + "/${config.domain}.dkim.priv";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/${config.domain}.dkim.priv";
defaultText = "‹secrets/‹domain›.dkim.priv›";
};
selector = mkOption {
@@ -111,24 +106,13 @@ let
};
imp = {
- krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
- name = "exim.dkim_private_key/${dkim.domain}";
- value = dkim.private_key;
- }));
- systemd.services = mkIf (cfg.dkim != []) {
- exim = {
- after = flip map cfg.dkim (dkim:
- config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
- );
- partOf = flip map cfg.dkim (dkim:
- config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
- );
- };
- };
+ krebs.systemd.services.exim = {};
+ systemd.services.exim.serviceConfig.LoadCredential =
+ map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
krebs.exim = {
enable = true;
config = /* exim */ ''
- keep_environment =
+ keep_environment = CREDENTIALS_DIRECTORY
primary_hostname = ${cfg.primary_hostname}
@@ -242,8 +226,9 @@ let
${optionalString (cfg.dkim != []) (indent /* exim */ ''
dkim_canon = relaxed
dkim_domain = $sender_address_domain
- dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
+ dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}}
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
+ dkim_strict = true
'')}
helo_data = ''${if eq{$acl_m_special_dom}{} \
{$primary_hostname} \
@@ -281,10 +266,6 @@ let
inherit (cfg) internet-aliases;
inherit (cfg) system-aliases;
} // optionalAttrs (cfg.dkim != []) {
- dkim_private_key = flip map cfg.dkim (dkim: {
- from = dkim.domain;
- to = dkim.private_key.path;
- });
dkim_selector = flip map cfg.dkim (dkim: {
from = dkim.domain;
to = dkim.selector;
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index 0312c62fd..c4cfb9a49 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -122,13 +122,9 @@ let
};
privateKeyFile = mkOption {
- type = types.secret-file;
- default = {
- name = "repo-sync-key";
- path = "${cfg.stateDir}/ssh.priv";
- owner = cfg.user;
- source-path = toString <secrets> + "/repo-sync.ssh.key";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/repo-sync.ssh.key";
+ defaultText = "‹secrets/repo-sync.ssh.key›";
};
unitConfig = mkOption {
@@ -144,14 +140,16 @@ let
};
imp = {
- krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
+ group = cfg.user.name;
description = "repo-sync user";
isSystemUser = true;
};
+ users.groups.${cfg.user.name} = {};
+
systemd.timers = mapAttrs' (name: repo:
nameValuePair "repo-sync-${name}" {
description = "repo-sync timer";
@@ -160,6 +158,10 @@ let
}
) cfg.repos;
+ krebs.systemd.services = mapAttrs' (name: _:
+ nameValuePair "repo-sync-${name}" {}
+ ) cfg.repos;
+
systemd.services = mapAttrs' (name: repo:
let
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
@@ -168,16 +170,10 @@ let
});
in nameValuePair "repo-sync-${name}" {
description = "repo-sync";
- after = [
- config.krebs.secret.files.repo-sync-key.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.repo-sync-key.service
- ];
+ after = [ "network.target" ];
environment = {
- GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
+ GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
REPONAME = "${name}.git";
};
@@ -185,6 +181,7 @@ let
serviceConfig = {
Type = "simple";
PermissionsStartOnly = true;
+ LoadCredential = "ssh_key:${cfg.privateKeyFile}";
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
WorkingDirectory = cfg.stateDir;
User = "repo-sync";
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 0ce44391e..294f80a3c 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
@@ -31,7 +31,8 @@
lib.types.absolute-pathname.check
(map
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
- config.systemd.services.${serviceName}.serviceConfig.LoadCredential);
+ (lib.toList
+ config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
}
) config.krebs.systemd.services;
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index b41e396c9..5cf7d9242 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -42,13 +42,6 @@ with import <stockholm/lib>;
"-M ${toString config.users.users.mainUser.uid}"
];
};
- "/home/lass/sync" = {
- source = "/var/state/lass_sync";
- options = [
- "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
- "--create-for-user=${toString config.users.users.syncthing.uid}"
- ];
- };
"/var/lib/bitlbee" = {
source = "/var/state/bitlbee";
options = [
@@ -94,4 +87,10 @@ with import <stockholm/lib>;
krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
];
+
+ # workaround for ssh access from yubikey via android
+ services.openssh.extraConfig = ''
+ HostKeyAlgorithms +ssh-rsa
+ PubkeyAcceptedAlgorithms +ssh-rsa
+ '';
}
diff --git a/lass/krops.nix b/lass/krops.nix
index 4abd010e1..ace37888f 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -23,6 +23,10 @@
name = "hosts/${name}";
};
};
+ stockholm.file = lib.mkForce {
+ path = toString ../.;
+ useChecksum = true;
+ };
}
(if lib.pathExists (./. + "/1systems/${name}/source.nix") then
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs test; }
diff --git a/tv/3modules/charybdis/config.nix b/tv/3modules/charybdis/config.nix
index 3c73d2565..dccbfde67 100644
--- a/tv/3modules/charybdis/config.nix
+++ b/tv/3modules/charybdis/config.nix
@@ -61,13 +61,13 @@ in toFile "charybdis.conf" ''
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
/* ssl_private_key: our ssl private key */
- ssl_private_key = ${toJSON cfg.ssl_private_key.path};
+ ssl_private_key = "/tmp/credentials/ssl_private_key";
/* ssl_cert: certificate for our ssl server */
ssl_cert = ${toJSON cfg.ssl_cert};
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
- ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};
+ ssl_dh_params = "/tmp/credentials/ssl_dh_params";
/* ssld_count: number of ssld processes you want to start, if you
* have a really busy server, using N-1 where N is the number of
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 9c5ce2731..96aae702a 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -15,22 +15,12 @@ in {
type = types.path;
};
ssl_dh_params = mkOption {
- type = types.secret-file;
- default = {
- name = "charybdis-ssl_dh_params";
- path = "${cfg.user.home}/dh.pem";
- owner = cfg.user;
- source-path = toString <secrets> + "/charybdis.dh.pem";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/charybdis.dh.pem";
};
ssl_private_key = mkOption {
- type = types.secret-file;
- default = {
- name = "charybdis-ssl_private_key";
- path = "${cfg.user.home}/ssl.key.pem";
- owner = cfg.user;
- source-path = toString <secrets> + "/charybdis.key.pem";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/charybdis.key.pem";
};
sslport = mkOption {
type = types.int;
@@ -46,22 +36,13 @@ in {
};
config = lib.mkIf cfg.enable {
- krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params;
- krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key;
-
environment.etc."charybdis-ircd.motd".text = cfg.motd;
+ krebs.systemd.services.charybdis = {};
+
systemd.services.charybdis = {
wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.charybdis-ssl_dh_params.service
- config.krebs.secret.files.charybdis-ssl_private_key.service
- "network-online.target"
- ];
- partOf = [
- config.krebs.secret.files.charybdis-ssl_dh_params.service
- config.krebs.secret.files.charybdis-ssl_private_key.service
- ];
+ after = [ "network-online.target" ];
environment = {
BANDB_DBPATH = "${cfg.user.home}/ban.db";
};
@@ -70,21 +51,30 @@ in {
User = cfg.user.name;
PrivateTmp = true;
Restart = "always";
- ExecStartPre =
- "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd";
+ ExecStartPre = [
+ "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
+ "${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
+ ];
ExecStart = toString [
"${pkgs.charybdis}/bin/charybdis"
"-configfile ${import ./config.nix args}"
"-foreground"
"-logfile /dev/stderr"
];
+ LoadCredential = [
+ "ssl_dh_params:${cfg.ssl_dh_params}"
+ "ssl_private_key:${cfg.ssl_private_key}"
+ ];
};
};
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
+ group = cfg.user.name;
isSystemUser = true;
};
+
+ users.groups.${cfg.user.name} = {};
};
}
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
index a0631e226..a022bc448 100644
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@@ -48,6 +48,9 @@ in /* yaml */ ''
- "::1/128"
- "::FFFF:127.0.0.1/128"
+ certfiles:
+ - /tmp/credentials/certfile
+
hosts: ${toJSON config.hosts}
language: "en"
@@ -58,9 +61,8 @@ in /* yaml */ ''
ip: "::"
module: ejabberd_c2s
shaper: c2s_shaper
- certfile: ${toJSON config.certfile.path}
ciphers: ${toJSON ciphers}
- dhfile: ${toJSON config.dhfile.path}
+ dhfile: /var/lib/ejabberd/dhfile
protocol_options: ${toJSON protocol_options}
starttls: true
starttls_required: true
@@ -109,9 +111,8 @@ in /* yaml */ ''
mod_http_api: {}
s2s_access: s2s
- s2s_certfile: ${toJSON config.s2s_certfile.path}
s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_dhfile: /var/lib/ejabberd/dhfile
s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false
s2s_use_starttls: required
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 2ca88732b..935df9a9c 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -16,22 +16,8 @@ in {
options.tv.ejabberd = {
enable = mkEnableOption "tv.ejabberd";
certfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-certfile";
- path = "${cfg.user.home}/ejabberd.pem";
- owner = cfg.user;
- source-path = toString <secrets> + "/ejabberd.pem";
- };
- };
- dhfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-dhfile";
- path = "${cfg.user.home}/dhparams.pem";
- owner = cfg.user;
- source-path = "/dev/null";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/ejabberd.pem";
};
hosts = mkOption {
type = with types; listOf str;
@@ -61,10 +47,6 @@ in {
config.krebs.users.tv.mail
];
};
- s2s_certfile = mkOption {
- type = types.secret-file;
- default = cfg.certfile;
- };
user = mkOption {
type = types.user;
default = {
@@ -90,27 +72,24 @@ in {
})
];
- krebs.secret.files = {
- ejabberd-certfile = cfg.certfile;
- ejabberd-s2s_certfile = cfg.s2s_certfile;
- };
+ krebs.systemd.services.ejabberd = {};
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- ];
+ after = [ "network.target" ];
serviceConfig = {
- ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
- ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
+ ExecStart = pkgs.writeDash "ejabberd" ''
+ ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
+ ${gen-dhparam} /var/lib/ejabberd/dhfile
+ exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
+ '';
+ LoadCredential = [
+ "certfile:${cfg.certfile}"
+ ];
PermissionsStartOnly = true;
+ PrivateTmp = true;
SyslogIdentifier = "ejabberd";
+ StateDirectory = "ejabberd";
User = cfg.user.name;
TimeoutStartSec = 60;
};
@@ -119,7 +98,10 @@ in {
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
+ group = cfg.user.name;
isSystemUser = true;
};
+
+ users.groups.${cfg.user.name} = {};
};
}
diff --git a/tv/3modules/x0vncserver.nix b/tv/3modules/x0vncserver.nix
index ba79c4a49..4dbb34df0 100644
--- a/tv/3modules/x0vncserver.nix
+++ b/tv/3modules/x0vncserver.nix
@@ -11,17 +11,12 @@ in {
};
enable = mkEnableOption "tv.x0vncserver";
pwfile = mkOption {
- default = {
- name = "x0vncserver-pwfile";
- owner = cfg.user;
- path = "${cfg.user.home}/.vncpasswd";
- source-path = toString <secrets> + "/vncpasswd";
- };
+ default = toString <secrets> + "/vncpasswd";
description = ''
Use vncpasswd to edit pwfile.
See: nix-shell -p tigervnc --run 'man vncpasswd'
'';
- type = types.secret-file;
+ type = types.absolute-pathname;
};
rfbport = mkOption {
default = 5900;
@@ -33,26 +28,17 @@ in {
};
};
config = mkIf cfg.enable {
- krebs.secret.files = {
- x0vncserver-pwfile = cfg.pwfile;
- };
+ krebs.systemd.services.x0vncserver = {};
systemd.services.x0vncserver = {
- after = [
- config.krebs.secret.files.x0vncserver-pwfile.service
- "graphical.target"
- ];
- partOf = [
- config.krebs.secret.files.x0vncserver-pwfile.service
- ];
- requires = [
- "graphical.target"
- ];
+ after = [ "graphical.target" ];
+ requires = [ "graphical.target" ];
serviceConfig = {
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
"-display ${cfg.display}"
- "-passwordfile ${cfg.pwfile.path}"
+ "-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile"
"-rfbport ${toString cfg.rfbport}"
]}";
+ LoadCredential = "ssh_key:${cfg.pwfile}";
User = cfg.user.name;
};
};