Diffstat (limited to 'tv/2configs')
-rw-r--r--tv/2configs/default.nix19
-rw-r--r--tv/2configs/exim-retiolum.nix4
-rw-r--r--tv/2configs/exim-smarthost.nix4
-rw-r--r--tv/2configs/vim.nix14
-rw-r--r--tv/2configs/wu-binary-cache/client.nix7
-rw-r--r--tv/2configs/wu-binary-cache/default.nix25
6 files changed, 51 insertions, 22 deletions
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 5a1e90bc..0a3e40a5 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,8 +14,7 @@ with config.krebs.lib;
stockholm = "/home/tv/stockholm";
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
- dev = "/home/tv/nixpkgs";
+ rev = "40c586b7ce2c559374df435f46d673baf711c543";
};
} // optionalAttrs config.krebs.build.host.secure {
secrets-master = "/home/tv/secrets/master";
@@ -49,20 +48,20 @@ with config.krebs.lib;
}
{
security.sudo.extraConfig = ''
+ Defaults env_keep+="SSH_CLIENT"
Defaults mailto="${config.krebs.users.tv.mail}"
Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}
+
{
# TODO check if both are required:
nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
- nix.trustedBinaryCaches = [
- "https://cache.nixos.org"
- "http://cache.nixos.org"
- "http://hydra.nixos.org"
- ];
+ nix.requireSignedBinaryCaches = true;
+
+ nix.binaryCaches = ["https://cache.nixos.org"];
nix.useChroot = true;
}
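Review bot: The new `Defaults env_keep+="SSH_CLIENT"` line has no comment saying why that variable must survive the sudo environment reset, and env_keep entries are the kind of setting a later reader will be tempted to prune or extend. SSH_CLIENT is set by sshd rather than by the invoking user, so keeping it is low risk, but the intent should be stated; presumably it is so that the mail sent via `Defaults mailto` or the audited command can record the originating SSH peer. Something like `# keep SSH_CLIENT so commands run under sudo can see the originating SSH peer (TODO: confirm which consumer needs it)` above the line would do. The `nix.requireSignedBinaryCaches = true` change below it is sound and is what makes the surviving plain-http cache entries elsewhere in this commit acceptable.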
@@ -178,12 +177,6 @@ with config.krebs.lib;
}
{
- # TODO: exim
- security.setuidPrograms = [
- "sendmail" # for sudo
- ];
- }
- {
environment.systemPackages = [
pkgs.get
pkgs.krebszones
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
index 9197a3c3..dbe83dcf 100644
--- a/tv/2configs/exim-retiolum.nix
+++ b/tv/2configs/exim-retiolum.nix
@@ -4,5 +4,9 @@ with config.krebs.lib;
{
krebs.exim-retiolum.enable = true;
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
}
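Review bot: The four-line `krebs.setuid.sendmail` block added here is duplicated verbatim in the exim-smarthost.nix hunk of this commit, so the two copies can silently drift apart; a shared snippet imported by both files would keep the wrapper definition in one place. The block also leaves the wrapper's owning user implicit, which matters because `mode = "4111"` is a setuid bit and the effective privilege depends entirely on whichever owner the krebs.setuid module defaults to; if the module exposes an owner setting, pinning it explicitly here would make the reviewer's job easier. A comment such as `# setuid wrapper so sudo's mailto and local callers can invoke sendmail; 4111 = setuid, execute-only for others` would document the choice of mode.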
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 75dd9b42..3ea01052 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -40,5 +40,9 @@ with config.krebs.lib;
{ from = "mirko"; to = "mv"; }
];
};
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index b0c26e50..6e205948 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -13,21 +13,17 @@ let
environment.variables.VIMINIT = ":so /etc/vimrc";
};
- extra-runtimepath = let
- inherit (pkgs.vimUtils) buildVimPlugin rtpPath;
- fromVimPlugins = pkgs: concatStringsSep ","
- (mapAttrsToList (name: pkg: "${pkg}/${rtpPath}/${name}") pkgs);
- in fromVimPlugins {
- inherit (pkgs.vimPlugins) undotree;
- file-line = buildVimPlugin {
+ extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+ pkgs.vimPlugins.undotree
+ (pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
- };
- };
+ })
+ ];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
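Review bot: The rewritten `extra-runtimepath` now depends on every plugin exposing an `rtp` attribute, which is provided by buildVimPlugin only in sufficiently recent nixpkgs and is presumably why the nixpkgs rev is bumped in default.nix in the same commit; that coupling is not stated anywhere. A one-line comment above the list, e.g. `# relies on buildVimPlugin's rtp attribute (needs the nixpkgs rev pinned in default.nix)`, would prevent someone from rolling the rev back independently. The enclosing `let` starts before this hunk and its `in` ends after it.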
diff --git a/tv/2configs/wu-binary-cache/client.nix b/tv/2configs/wu-binary-cache/client.nix
new file mode 100644
index 00000000..9634c21d
--- /dev/null
+++ b/tv/2configs/wu-binary-cache/client.nix
@@ -0,0 +1,7 @@
+_:
+{
+ nix = {
+ binaryCaches = ["http://cache.wu.gg23"];
+ binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="];
+ };
+}
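Review bot: Setting `nix.binaryCachePublicKeys` explicitly replaces the NixOS option's default list rather than extending it, so if that default is what supplies the cache.nixos.org signing key on these hosts, importing this file would leave only the wu key while `nix.requireSignedBinaryCaches = true` from default.nix rejects every unsigned path from cache.nixos.org. Either add the cache.nixos.org key alongside the wu key here, `binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8=" "<cache.nixos.org-public-key, placeholder>"];`, or verify that the key reaches nix.conf by another route before merging. Note also that `http://cache.wu.gg23` is reached in cleartext and is safe only because signatures are mandatory; a comment stating that this file must be imported together with default.nix would make that dependency explicit.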
diff --git a/tv/2configs/wu-binary-cache/default.nix b/tv/2configs/wu-binary-cache/default.nix
new file mode 100644
index 00000000..6fcac21a
--- /dev/null
+++ b/tv/2configs/wu-binary-cache/default.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib;
+{
+ services.nix-serve = assert config.krebs.build.host.name == "wu"; {
+ enable = true;
+ secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+ };
+ systemd.services.nix-serve = {
+ requires = ["secret.service"];
+ after = ["secret.service"];
+ };
+ krebs.secret.files.nix-serve-key = {
+ path = "/run/secret/nix-serve.key";
+ owner.name = "nix-serve";
+ source-path = toString <secrets> + "/nix-serve.key";
+ };
+ krebs.nginx = {
+ enable = true;
+ servers.nix-serve = {
+ server-names = [ "cache.wu.gg23" ];
+ locations = singleton (nameValuePair "/" ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ '');
+ };
+ };
+}
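Review bot: nix-serve is fronted by nginx via `proxy_pass http://localhost:${toString config.services.nix-serve.port}`, but the service's own listening address is not restricted; if the module's bindAddress default is the all-interfaces one, the upstream stays reachable directly on its port, bypassing the nginx server-name configuration. Adding `bindAddress = "127.0.0.1";` next to `enable = true;` in `services.nix-serve` closes that gap. The signing key under `krebs.secret.files.nix-serve-key` also sets only `owner.name = "nix-serve"` and relies on whatever file mode the secret module applies by default; if the module accepts a mode, pinning it to owner-read-only would make the key's exposure explicit rather than inherited.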