summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/1systems/hotdog/config.nix1
-rw-r--r--krebs/2configs/reaktor2.nix5
-rw-r--r--krebs/3modules/bepasty-server.nix8
-rw-r--r--krebs/3modules/ci.nix6
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/external/default.nix13
-rw-r--r--krebs/3modules/lass/default.nix3
-rw-r--r--krebs/3modules/permown.nix102
-rw-r--r--krebs/3modules/realwallpaper.nix2
-rw-r--r--krebs/3modules/setuid.nix4
-rw-r--r--krebs/3modules/syncthing.nix21
-rw-r--r--krebs/5pkgs/haskell/blessings.nix4
-rw-r--r--krebs/5pkgs/haskell/email-header.nix5
-rw-r--r--krebs/5pkgs/simple/kpaste/default.nix5
-rw-r--r--krebs/5pkgs/simple/krebspaste/default.nix12
-rw-r--r--krebs/5pkgs/simple/qrscan.nix27
-rw-r--r--krebs/nixpkgs.json6
-rwxr-xr-xkrebs/update-channel.sh2
-rw-r--r--lass/1systems/blue/config.nix9
-rw-r--r--lass/1systems/blue/physical.nix1
-rw-r--r--lass/1systems/daedalus/config.nix8
-rw-r--r--lass/1systems/green/config.nix11
-rw-r--r--lass/1systems/green/physical.nix1
-rw-r--r--lass/1systems/icarus/config.nix1
-rw-r--r--lass/1systems/iso.nix10
-rw-r--r--lass/1systems/littleT/config.nix1
-rw-r--r--lass/1systems/morpheus/config.nix8
-rw-r--r--lass/1systems/mors/config.nix36
-rw-r--r--lass/1systems/prism/config.nix36
-rw-r--r--lass/1systems/red/physical.nix1
-rw-r--r--lass/1systems/shodan/config.nix2
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/yellow/config.nix1
-rw-r--r--lass/1systems/yellow/physical.nix1
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/exim-smarthost.nix3
-rw-r--r--lass/2configs/green-host.nix82
-rw-r--r--lass/2configs/hw/x220.nix5
-rw-r--r--lass/2configs/mail.nix4
-rw-r--r--lass/2configs/paste.nix10
-rw-r--r--lass/2configs/prism-share.nix2
-rw-r--r--lass/2configs/radio.nix16
-rw-r--r--lass/2configs/ssh-cryptsetup.nix17
-rw-r--r--lass/2configs/sync/decsync.nix11
-rw-r--r--lass/2configs/sync/weechat.nix8
-rw-r--r--lass/2configs/syncthing.nix21
-rw-r--r--lass/2configs/websites/domsen.nix6
-rw-r--r--lass/2configs/xdg-open.nix66
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/ensure-permissions.nix66
-rw-r--r--lass/3modules/usershadow.nix31
-rw-r--r--lib/types.nix21
-rw-r--r--makefu/1systems/sdev/config.nix14
-rw-r--r--makefu/1systems/x/config.nix51
-rw-r--r--makefu/2configs/binary-cache/gum.nix13
-rw-r--r--makefu/2configs/binary-cache/server.nix7
-rw-r--r--makefu/2configs/bureautomation/automation/bureau-shutdown.nix42
-rw-r--r--makefu/2configs/bureautomation/automation/hass-restart.nix31
-rw-r--r--makefu/2configs/bureautomation/automation/nachtlicht.nix72
-rw-r--r--makefu/2configs/bureautomation/default.nix3
-rw-r--r--makefu/2configs/bureautomation/hass.nix27
-rw-r--r--makefu/2configs/bureautomation/light/statuslight.nix5
-rw-r--r--makefu/2configs/bureautomation/ota.nix15
-rw-r--r--makefu/2configs/bureautomation/sensor/tasmota_firmware.nix16
-rw-r--r--makefu/2configs/deployment/owncloud.nix4
-rw-r--r--makefu/2configs/home-manager/default.nix2
-rw-r--r--makefu/2configs/home-manager/desktop.nix6
-rw-r--r--makefu/2configs/home-manager/recording.nix4
-rw-r--r--makefu/2configs/home-manager/taskwarrior.nix6
-rw-r--r--makefu/2configs/home-manager/zsh.nix1
-rw-r--r--makefu/2configs/homeautomation/default.nix1
-rw-r--r--makefu/2configs/hw/tp-x2x0.nix2
-rw-r--r--makefu/2configs/tools/android-pentest.nix2
-rw-r--r--makefu/2configs/tools/core-gui.nix3
-rw-r--r--makefu/2configs/tools/media.nix2
-rw-r--r--makefu/5pkgs/nixpkgs-pytools/default.nix17
-rw-r--r--makefu/5pkgs/prison-break/default.nix6
-rw-r--r--makefu/krops.nix10
-rw-r--r--tv/2configs/mail-client.nix1
-rw-r--r--tv/2configs/pulse.nix4
-rw-r--r--tv/5pkgs/default.nix3
-rw-r--r--tv/5pkgs/simple/utsushi.nix25
82 files changed, 844 insertions, 277 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 916073375..f68c8ce50 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -21,5 +21,4 @@
boot.isContainer = true;
networking.useDHCP = false;
- environment.variables.NIX_REMOTE = "daemon";
}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 4d90ae3d5..b52125ae8 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -115,6 +115,11 @@ let
in {
+ users.users.reaktor2 = {
+ uid = genid_uint31 "reaktor2";
+ home = stateDir;
+ };
+
krebs.reaktor2 = {
freenode = {
hostname = "irc.freenode.org";
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index e12367b7c..94a509520 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -2,10 +2,10 @@
with import <stockholm/lib>;
let
- gunicorn = pkgs.pythonPackages.gunicorn;
- bepasty = pkgs.bepasty;
- gevent = pkgs.pythonPackages.gevent;
- python = pkgs.pythonPackages.python;
+ gunicorn = pkgs.python27Packages.gunicorn;
+ bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; };
+ gevent = pkgs.python27Packages.gevent;
+ python = pkgs.python27Packages.python;
cfg = config.krebs.bepasty;
out = {
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index a47dbe611..244de1a0d 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -108,10 +108,12 @@ let
name=str(new_step),
command=[
"${pkgs.writeDash "build-stepper.sh" ''
- set -efu
+ set -xefu
profile=${shell.escape profileRoot}/$build_name
result=$("$build_script")
- ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+ if [ -n "$result" ]; then
+ ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+ fi
''}"
],
env={
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 567c077eb..4d40f3856 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -39,6 +39,7 @@ let
./nixpkgs.nix
./on-failure.nix
./os-release.nix
+ ./permown.nix
./per-user.nix
./power-action.nix
./Reaktor.nix
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index c9715cb85..9bfc920a3 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -429,6 +429,17 @@ in {
};
};
};
+ ada = {
+ owner = config.krebs.users.filly;
+ nets = {
+ wiregrill = {
+ aliases = [ "ada.w" ];
+ wireguard = {
+ pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk=";
+ };
+ };
+ };
+ };
};
users = {
ciko = {
@@ -464,6 +475,8 @@ in {
};
miaoski = {
};
+ filly = {
+ };
};
}
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index a3b8cab39..41f3852b9 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -20,6 +20,7 @@ in {
extraZones = {
"krebsco.de" = ''
cache IN A ${nets.internet.ip4.addr}
+ p IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr}
prism IN A ${nets.internet.ip4.addr}
'';
@@ -38,6 +39,7 @@ in {
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
@@ -239,6 +241,7 @@ in {
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
+ syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
};
icarus = {
cores = 2;
diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix
new file mode 100644
index 000000000..63adb2236
--- /dev/null
+++ b/krebs/3modules/permown.nix
@@ -0,0 +1,102 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: {
+
+ options.krebs.permown = mkOption {
+ default = {};
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ directory-mode = mkOption {
+ default = "=rwx";
+ type = types.str; # TODO
+ };
+ file-mode = mkOption {
+ default = "=rw";
+ type = types.str; # TODO
+ };
+ group = mkOption {
+ apply = x: if x == null then "" else x;
+ default = null;
+ type = types.nullOr types.groupname;
+ };
+ owner = mkOption {
+ type = types.username;
+ };
+ path = mkOption {
+ default = config._module.args.name;
+ type = types.absolute-pathname;
+ };
+ umask = mkOption {
+ default = "0027";
+ type = types.file-mode;
+ };
+ };
+ }));
+ };
+
+ config = let
+ plans = attrValues config.krebs.permown;
+ in mkIf (plans != []) {
+
+ system.activationScripts.permown = let
+ mkdir = plan: /* sh */ ''
+ ${pkgs.coreutils}/bin/mkdir -p ${shell.escape plan.path}
+ '';
+ in concatMapStrings mkdir plans;
+
+ systemd.services = genAttrs' plans (plan: {
+ name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
+ value = {
+ environment = {
+ DIR_MODE = plan.directory-mode;
+ FILE_MODE = plan.file-mode;
+ OWNER_GROUP = "${plan.owner}:${plan.group}";
+ ROOT_PATH = plan.path;
+ };
+ path = [
+ pkgs.coreutils
+ pkgs.findutils
+ pkgs.inotifyTools
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writeDash "permown" ''
+ set -efu
+
+ find "$ROOT_PATH" -exec chown -h "$OWNER_GROUP" {} +
+ find "$ROOT_PATH" -type d -exec chmod "$DIR_MODE" {} +
+ find "$ROOT_PATH" -type f -exec chmod "$FILE_MODE" {} +
+
+ paths=/tmp/paths
+ rm -f "$paths"
+ mkfifo "$paths"
+
+ inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" > "$paths" &
+ inotifywaitpid=$!
+
+ trap cleanup EXIT
+ cleanup() {
+ kill "$inotifywaitpid"
+ }
+
+ while read -r path; do
+ if test -d "$path"; then
+ cleanup
+ exec "$0" "$@"
+ fi
+ chown -h "$OWNER_GROUP" "$path"
+ if test -f "$path"; then
+ chmod "$FILE_MODE" "$path"
+ fi
+ done < "$paths"
+ '';
+ PrivateTemp = true;
+ Restart = "always";
+ RestartSec = 10;
+ UMask = plan.umask;
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ });
+
+ };
+
+}
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index cb940efef..a0c00c20d 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -78,7 +78,7 @@ let
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeDash "generate-wallpaper" ''
- set -xeuf
+ set -euf
# usage: getimg FILENAME URL
fetch() {
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 3ba598a45..97cf21cdd 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -21,8 +21,8 @@ let
default = config._module.args.name;
};
envp = mkOption {
- type = types.attrsOf types.str;
- default = {};
+ type = types.nullOr (types.attrsOf types.str);
+ default = null;
};
filename = mkOption {
type = mkOptionType {
diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix
index 34879fd3f..897ba1e7f 100644
--- a/krebs/3modules/syncthing.nix
+++ b/krebs/3modules/syncthing.nix
@@ -10,7 +10,7 @@ let
addresses = peer.addresses;
}) cfg.peers;
- folders = map (folder: {
+ folders = mapAttrsToList ( _: folder: {
inherit (folder) path id type;
devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers;
rescanIntervalS = folder.rescanInterval;
@@ -81,17 +81,18 @@ in
};
folders = mkOption {
- default = [];
- type = types.listOf (types.submodule ({ config, ... }: {
+ default = {};
+ type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
path = mkOption {
type = types.absolute-pathname;
+ default = config._module.args.name;
};
id = mkOption {
type = types.str;
- default = config.path;
+ default = config._module.args.name;
};
peers = mkOption {
@@ -133,8 +134,16 @@ in
systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) {
preStart = ''
- ${optionalString (cfg.cert != null) "cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem"}
- ${optionalString (cfg.key != null) "cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem"}
+ ${optionalString (cfg.cert != null) ''
+ cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem
+ chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem
+ chmod 400 ${config.services.syn