From 7adf24631f14409208376f5554c31db73e4af0c8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Sep 2017 20:42:12 +0200 Subject: l nixpkgs: d151161 -> 670b4e2 (17.09) --- lass/source.nix | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'lass') diff --git a/lass/source.nix b/lass/source.nix index 01631bef..5155a272 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -9,13 +9,8 @@ in { nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { - url = http://cgit.lassul.us/nixpkgs; - # nixos-17.03 - # + copytoram: - # 87a4615 & 334ac4f - # + acme permissions for groups - # fd7a8f1 - ref = "d151161"; + url = https://github.com/nixos/nixpkgs; + ref = "670b4e2"; }; secrets.file = getAttr builder { buildbot = toString ; -- cgit v1.2.3 From c0a4063c2d183ecf1cf7a1dc4e1a35f1f1be0733 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Sep 2017 21:13:53 +0200 Subject: l bepasty: forceSSL conflicts with enableSSL --- lass/2configs/bepasty.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix index b2d40d4f..43647892 100644 --- a/lass/2configs/bepasty.nix +++ b/lass/2configs/bepasty.nix @@ -31,7 +31,6 @@ in { } // genAttrs ext-doms (ext-dom: { nginx = { - enableSSL = true; forceSSL = true; enableACME = true; }; -- cgit v1.2.3 From f1908e0fa546bde76a95d3da20521d6170cd08f8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 1 Oct 2017 18:06:27 +0200 Subject: l nixpkgs: 670b4e2 -> 5ac8389 --- lass/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/source.nix b/lass/source.nix index 5155a272..6a6fff9b 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "670b4e2"; + ref = "5ac8389"; }; secrets.file = getAttr builder { buildbot = toString ; -- cgit v1.2.3 
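Review bot: The new `ref = "670b4e2";` pins nixpkgs by a 7-character abbreviated commit id, which is only unique for as long as no other object in that repository shares the prefix, so the pin can become ambiguous over time; the full 40-character commit hash would make it unambiguous, and the same applies to the later bumps in this series (`5ac8389`, `b61d084`, `07ca7b6`, `1987983`). Switching `url` from the plain-http cgit mirror to `https://github.com/nixos/nixpkgs` adds transport authentication to the fetch, which is a clear improvement, but with a short ref the hash remains the only thing that identifies the tree being built. The enclosing attribute set continues outside the hunk.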
From ea793ecf797f82dce0b70d0eb5b268f5326ba79b Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 2 Oct 2017 11:45:25 +0200 Subject: Revert "l nixpkgs: 670b4e2 -> 5ac8389" This reverts commit f1908e0fa546bde76a95d3da20521d6170cd08f8. --- lass/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/source.nix b/lass/source.nix index 6a6fff9b..5155a272 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "5ac8389"; + ref = "670b4e2"; }; secrets.file = getAttr builder { buildbot = toString ; -- cgit v1.2.3 From d3b17d180642d3a344495468c27355f6a7521d42 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 2 Oct 2017 17:57:24 +0200 Subject: l nixpkgs: 670b4e2 -> b61d084 --- lass/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/source.nix b/lass/source.nix index 5155a272..c6dc127c 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "670b4e2"; + ref = "b61d084"; }; secrets.file = getAttr builder { buildbot = toString ; -- cgit v1.2.3 From 2ad003037417f90c04df833a2ad27fd5a52c754e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 2 Oct 2017 18:38:28 +0200 Subject: l ejabberd: RIP --- lass/5pkgs/default.nix | 3 --- lass/5pkgs/ejabberd/default.nix | 28 ---------------------------- 2 files changed, 31 deletions(-) delete mode 100644 lass/5pkgs/ejabberd/default.nix (limited to 'lass') diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix index 46633ba1..d0483325 100644 --- a/lass/5pkgs/default.nix +++ b/lass/5pkgs/default.nix 
@@ -4,9 +4,6 @@ nixpkgs.config.packageOverrides = rec { acronym = pkgs.callPackage ./acronym/default.nix {}; dpass = pkgs.callPackage ./dpass {}; - ejabberd = pkgs.callPackage ./ejabberd { - erlang = pkgs.erlangR16; - }; firefoxPlugins = { noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {}; ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {}; diff --git a/lass/5pkgs/ejabberd/default.nix b/lass/5pkgs/ejabberd/default.nix deleted file mode 100644 index 3a77c5cd..00000000 --- a/lass/5pkgs/ejabberd/default.nix +++ /dev/null @@ -1,28 +0,0 @@ -{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}: - -stdenv.mkDerivation rec { - version = "2.1.13"; - name = "ejabberd-${version}"; - src = fetchurl { - url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz"; - sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8"; - }; - buildInputs = [ expat erlang zlib openssl pam ]; - patchPhase = '' - sed -i \ - -e "s|erl \\\|${erlang}/bin/erl \\\|" \ - -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \ - src/ejabberdctl.template - ''; - preConfigure = '' - cd src - ''; - configureFlags = ["--enable-pam"]; - - meta = { - description = "Open-source XMPP application server written in Erlang"; - license = stdenv.lib.licenses.gpl2; - homepage = http://www.ejabberd.im; - maintainers = [ lib.maintainers.sander ]; - }; -} -- cgit v1.2.3 From 5ab273b5364a35fed96473e4290147940425c6b3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 2 Oct 2017 18:45:28 +0200 Subject: l wine: pkgs.wineFull -> pkgs.wine --- lass/2configs/wine.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix index 2444d32d..0d2b731c 100644 --- a/lass/2configs/wine.nix +++ b/lass/2configs/wine.nix @@ -5,7 +5,7 @@ let in { krebs.per-user.wine.packages = with pkgs; [ - wineFull + wine #(wineFull.override { wineBuild = "wine64"; }) ]; users.users= { -- cgit v1.2.3 
From 336f4315d9364407f209d5789423dfe8831e4caf Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 2 Oct 2017 18:50:19 +0200 Subject: l prism.r: track nginx changes --- lass/1systems/prism/config.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 5b3091a3..8e44b113 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -115,7 +115,12 @@ in { }; services.nginx.virtualHosts."hackerfleet.de-s" = { serverName = "hackerfleet.de"; - port = 443; + listen = [ + { + addr = "0.0.0.0"; + port = 443; + } + ]; serverAliases = [ "*.hackerfleet.de" ]; -- cgit v1.2.3 From 32d9ba480b4797baf4ccdc015685f9ea472f036f Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 3 Oct 2017 11:11:40 +0200 Subject: l nixpkgs: b61d084 -> 07ca7b6 --- lass/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/source.nix b/lass/source.nix index c6dc127c..296a2041 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "b61d084"; + ref = "07ca7b6"; }; secrets.file = getAttr builder { buildbot = toString ; -- cgit v1.2.3 From 958e86fadf2a2ca2901e7bd5fd8a0fcc16cbe103 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 3 Oct 2017 11:38:11 +0200 Subject: l copyq: fix startup --- lass/2configs/copyq.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix index b255254f..fa01a99c 100644 --- a/lass/2configs/copyq.nix +++ b/lass/2configs/copyq.nix 
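Review bot: The explicit `listen` entry binds `0.0.0.0:443` only, so this vhost stops answering on IPv6, whereas the removed `port = 443;` left the address list to the module defaults; if IPv6 was served before, add `{ addr = "[::]"; port = 443; }` beside it. The entry also carries no `ssl` flag; as far as I know the NixOS nginx module emits a plain `listen` directive for an explicit entry unless `ssl = true;` is set on it, so if this vhost's TLS setup (the rest of the block is outside the hunk) relies on the listen directive, the entry should read `{ addr = "0.0.0.0"; port = 443; ssl = true; }` — confirm against the nixpkgs revision pinned by this series.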
@@ -25,12 +25,15 @@ in { environment = { DISPLAY = ":0"; }; + path = with pkgs; [ + qt5.full + ]; serviceConfig = { SyslogIdentifier = "copyq"; ExecStart = "${pkgs.copyq}/bin/copyq"; ExecStartPost = copyqConfig; Restart = "always"; - RestartSec = "2s"; + RestartSec = "15s"; StartLimitBurst = 0; User = "lass"; }; -- cgit v1.2.3 From c54d84b9efe01a7f4f8837b2308b7e2d61f1926f Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 3 Oct 2017 13:43:13 +0200 Subject: l sqlBackup: set mysql.dataDir to /var/mysql --- lass/2configs/websites/sqlBackup.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix index 7cb4b320..2fffa6cc 100644 --- a/lass/2configs/websites/sqlBackup.nix +++ b/lass/2configs/websites/sqlBackup.nix @@ -3,12 +3,13 @@ { krebs.secret.files.mysql_rootPassword = { path = "${config.services.mysql.dataDir}/mysql_rootPassword"; - owner.name = "root"; + owner.name = "mysql"; source-path = toString + "/mysql_rootPassword"; }; services.mysql = { enable = true; + dataDir = "/var/mysql"; package = pkgs.mariadb; rootPassword = config.krebs.secret.files.mysql_rootPassword.path; }; -- cgit v1.2.3 From c37c047ee6c080f7d76f2e19269162615a9aacfb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 3 Oct 2017 13:43:31 +0200 Subject: l weechat: open mosh port --- lass/2configs/weechat.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass') diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix index 4b644561..d5496ac0 100644 --- a/lass/2configs/weechat.nix +++ b/lass/2configs/weechat.nix @@ -21,6 +21,11 @@ in { ]; }; + # mosh + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + #systemd.services.chat = { # description = "chat environment setup"; # after = [ "network.target" ]; -- cgit v1.2.3 From 3be76df6c9ea70c56eee66935476bd4738912171 Mon Sep 17 00:00:00 2001 
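Review bot: The root-password secret is now placed inside `${config.services.mysql.dataDir}` (i.e. `/var/mysql/mysql_rootPassword`) and owned by `mysql`; in a file named `sqlBackup.nix` that deserves a check against whatever backs up the data directory (outside this hunk), since a dump or copy of `dataDir` would then carry the root password alongside the tables. The hunk does not set a file mode for the secret, so it takes whatever the `krebs.secret.files` type defaults to; confirm that default is owner-only, and consider a comment on the `path` line such as `# kept in dataDir so the mysql user can read it; exclude from dataDir backups` so the placement is understood as deliberate.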
From: lassulus Date: Tue, 3 Oct 2017 23:51:11 +0200 Subject: l websites lass: use addSSL --- lass/2configs/websites/lassulus.nix | 32 +++----------------------------- 1 file changed, 3 insertions(+), 29 deletions(-) (limited to 'lass') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 17c39a5f..77790e8b 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -73,17 +73,6 @@ in { allowKeysForGroup = true; group = "lasscert"; }; - certs."cgit.lassul.us" = { - email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/acme-challenges"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - ]; - group = "nginx"; - allowKeysForGroup = true; - }; }; krebs.tinc_graphs.enable = true; @@ -119,6 +108,7 @@ in { ]; services.nginx.virtualHosts."lassul.us" = { + addSSL = true; enableACME = true; serverAliases = [ "lassul.us" ]; locations."/".extraConfig = '' @@ -158,30 +148,14 @@ in { in '' alias ${initscript}; ''; - - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; - sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/lassul.us/key.pem"; }; services.nginx.virtualHosts.cgit = { + addSSL = true; + enableACME = true; serverAliases = [ "cgit.lassul.us" ]; - locations."/.well-known/acme-challenge".extraConfig = '' - root /var/lib/acme/acme-challenges; - ''; - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; - sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem"; }; users.users.blog = { -- cgit v1.2.3 From 632195921e4c69f3ba4d50a49f0192de16cf576c Mon Sep 17 00:00:00 2001 
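Review bot: In the third hunk the `cgit` vhost gets `enableACME = true;` but still has no `serverName`, so the module takes the attribute name `cgit` as the server name and as the certificate name, and an ACME request for that bare label will not succeed; `serverName = "cgit.lassul.us";` is needed, which the later commit "l websites: remove deprecated attributes" in this series does add. Separately, `addSSL = true;` on both `lassul.us` and `cgit` keeps serving the same content over plain HTTP on port 80 next to HTTPS — the replaced hand-written `listen 80;` block did the same, so behaviour is preserved — but `forceSSL = true;` would redirect port 80 to HTTPS as `lass/2configs/bepasty.nix` already does; if plain HTTP must stay, a comment on the `addSSL` line saying why would stop the next reader from "fixing" it. Dropping the manual `certs."cgit.lassul.us"` entry and the `sslCertificate`/`sslCertificateKey` paths is consistent with letting `enableACME` manage the certificate.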
From: lassulus Date: Tue, 3 Oct 2017 23:53:09 +0200 Subject: l ejabberd: copy tv's stuff --- lass/3modules/ejabberd/config.nix | 218 +++++++++++++++++++++---------------- lass/3modules/ejabberd/default.nix | 41 +++++-- 2 files changed, 161 insertions(+), 98 deletions(-) (limited to 'lass') diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix index b1fca08d..68bcfa34 100644 --- a/lass/3modules/ejabberd/config.nix +++ b/lass/3modules/ejabberd/config.nix 
@@ -1,93 +1,129 @@ -{ config, ... }: with import ; let - cfg = config.lass.ejabberd; +with import ; +{ config, ... }: let - # XXX this is a placeholder that happens to work the default strings. - toErlang = builtins.toJSON; -in toFile "ejabberd.conf" '' - {loglevel, 3}. - {hosts, ${toErlang cfg.hosts}}. - {listen, - [ - {5222, ejabberd_c2s, [ - starttls, - {certfile, ${toErlang cfg.certfile.path}}, - {access, c2s}, - {shaper, c2s_shaper}, - {max_stanza_size, 65536} - ]}, - {5269, ejabberd_s2s_in, [ - {shaper, s2s_shaper}, - {max_stanza_size, 131072} - ]}, - {5280, ejabberd_http, [ - captcha, - http_bind, - http_poll, - web_admin - ]} - ]}. - {s2s_use_starttls, required}. - {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. - {auth_method, internal}. - {shaper, normal, {maxrate, 1000}}. - {shaper, fast, {maxrate, 50000}}. - {max_fsm_queue, 1000}. - {acl, local, {user_regexp, ""}}. - {access, max_user_sessions, [{10, all}]}. - {access, max_user_offline_messages, [{5000, admin}, {100, all}]}. - {access, local, [{allow, local}]}. - {access, c2s, [{deny, blocked}, - {allow, all}]}. - {access, c2s_shaper, [{none, admin}, - {normal, all}]}. - {access, s2s_shaper, [{fast, all}]}. - {access, announce, [{allow, admin}]}. - {access, configure, [{allow, admin}]}. - {access, muc_admin, [{allow, admin}]}. - {access, muc_create, [{allow, local}]}. - {access, muc, [{allow, all}]}. - {access, pubsub_createnode, [{allow, local}]}. - {access, register, [{allow, local}]}. - {language, "en"}. 
- {modules, - [ - {mod_adhoc, []}, - {mod_announce, [{access, announce}]}, - {mod_blocking,[]}, - {mod_caps, []}, - {mod_configure,[]}, - {mod_disco, []}, - {mod_irc, []}, - {mod_http_bind, []}, - {mod_last, []}, - {mod_muc, [ - {access, muc}, - {access_create, muc_create}, - {access_persistent, muc_create}, - {access_admin, muc_admin} - ]}, - {mod_offline, [{access_max_user_messages, max_user_offline_messages}]}, - {mod_ping, []}, - {mod_privacy, []}, - {mod_private, []}, - {mod_pubsub, [ - {access_createnode, pubsub_createnode}, - {ignore_pep_from_offline, true}, - {last_item_cache, false}, - {plugins, ["flat", "hometree", "pep"]} - ]}, - {mod_register, [ - {welcome_message, {"Welcome!", - "Hi.\nWelcome to this XMPP server."}}, - {ip_access, [{allow, "127.0.0.0/8"}, - {allow, "0.0.0.0/0"}]}, - {access, register} - ]}, - {mod_roster, []}, - {mod_shared_roster,[]}, - {mod_stats, []}, - {mod_time, []}, - {mod_vcard, []}, - {mod_version, []} - ]}. + # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example + + ciphers = concatStringsSep ":" [ + "ECDHE-ECDSA-AES256-GCM-SHA384" + "ECDHE-RSA-AES256-GCM-SHA384" + "ECDHE-ECDSA-CHACHA20-POLY1305" + "ECDHE-RSA-CHACHA20-POLY1305" + "ECDHE-ECDSA-AES128-GCM-SHA256" + "ECDHE-RSA-AES128-GCM-SHA256" + "ECDHE-ECDSA-AES256-SHA384" + "ECDHE-RSA-AES256-SHA384" + "ECDHE-ECDSA-AES128-SHA256" + "ECDHE-RSA-AES128-SHA256" + ]; + + protocol_options = [ + "no_sslv2" + "no_sslv3" + "no_tlsv1" + "no_tlsv1_10" + ]; + +in /* yaml */ '' + + access_rules: + announce: + - allow: admin + local: + - allow: local + configure: + - allow: admin + register: + - allow + s2s: + - allow + trusted_network: + - allow: loopback + + acl: + local: + user_regexp: "" + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + + hosts: ${toJSON config.hosts} + + language: "en" + + listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + shaper: c2s_shaper + certfile: ${toJSON config.certfile.path} + ciphers: ${toJSON 
ciphers} + dhfile: ${toJSON config.dhfile.path} + protocol_options: ${toJSON protocol_options} + starttls: true + starttls_required: true + tls: false + tls_compression: false + max_stanza_size: 65536 + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + shaper: s2s_shaper + max_stanza_size: 131072 + + loglevel: 4 + + modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_echo: {} + mod_irc: {} + mod_bosh: {} + mod_last: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_register: + access_from: deny + access: register + ip_access: trusted_network + registration_watchers: ${toJSON config.registration_watchers} + mod_roster: {} + mod_shared_roster: {} + mod_stats: {} + mod_time: {} + mod_vcard: + search: false + mod_version: {} + mod_http_api: {} + + s2s_access: s2s + s2s_certfile: ${toJSON config.s2s_certfile.path} + s2s_ciphers: ${toJSON ciphers} + s2s_dhfile: ${toJSON config.dhfile.path} + s2s_protocol_options: ${toJSON protocol_options} + s2s_tls_compression: false + s2s_use_starttls: required + + shaper_rules: + max_user_offline_messages: + - 5000: admin + - 100 + max_user_sessions: 10 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast '' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix index e2fba5ff..4838a909 100644 --- a/lass/3modules/ejabberd/default.nix +++ b/lass/3modules/ejabberd/default.nix @@ -1,5 +1,16 @@ { config, lib, pkgs, ... }@args: with import ; let cfg = config.lass.ejabberd; + + gen-dhparam = pkgs.writeDash "gen-dhparam" '' + set -efu + path=$1 + bits=2048 + # TODO regenerate dhfile after some time? + if ! test -e "$path"; then + ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" + fi + ''; + in { options.lass.ejabberd = { enable = mkEnableOption "lass.ejabberd"; 
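Review bot: `protocol_options` in the new YAML config lists `"no_tlsv1_10"`, which is not an option name ejabberd/fast_tls recognises; the intended entry is almost certainly `"no_tlsv1_1"`, and because the same list is reused as `s2s_protocol_options`, TLS 1.1 stays enabled on both the c2s listener and s2s until the line is corrected to `"no_tlsv1_1"` (whether the bogus entry is ignored or rejected depends on the fast_tls version, but in neither case is TLS 1.1 disabled). `loglevel: 4` is debug level, noticeably chattier than the previous `{loglevel, 3}`; confirm that is intended for a production host. The cipher list and `starttls_required: true` with `tls_compression: false` are sound choices; a short comment above `protocol_options` naming the minimum TLS version they are meant to enforce would make future edits safer.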
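Review bot: `gen-dhparam` writes through a shell redirection, `${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"`, so the destination exists (empty or partial) before openssl finishes; if openssl is interrupted — for instance by the unit's start timeout while generating 2048-bit parameters — the next start's `test -e "$path"` sees the file and skips regeneration, leaving ejabberd with an unusable dhfile. Generate into a temporary file beside the target and rename it into place only on success, as below. The script also inherits the caller's umask, so the resulting mode is whatever that yields; DH parameters are not secret, but the file is created by root (see `PermissionsStartOnly` in the service hunk) and must remain readable by the ejabberd user. The `let` block this script lives in continues outside the hunk.
```nix
  gen-dhparam = pkgs.writeDash "gen-dhparam" ''
    set -efu
    path=$1
    bits=2048
    # TODO regenerate dhfile after some time?
    if ! test -e "$path"; then
      # write to a sibling temp file and rename, so an interrupted
      # openssl run never leaves a truncated "$path" behind
      tmp=$(${pkgs.coreutils}/bin/mktemp "$path.XXXXXX")
      trap '${pkgs.coreutils}/bin/rm -f "$tmp"' EXIT
      ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$tmp"
      ${pkgs.coreutils}/bin/mv "$tmp" "$path"
    fi
  '';
```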
@@ -11,20 +22,36 @@ in { source-path = "/var/lib/acme/lassul.us/full.pem"; }; }; + dhfile = mkOption { + type = types.secret-file; + default = { + path = "${cfg.user.home}/dhparams.pem"; + owner = cfg.user; + source-path = "/dev/null"; + }; + }; hosts = mkOption { type = with types; listOf str; }; pkgs.ejabberdctl = mkOption { type = types.package; default = pkgs.writeDashBin "ejabberdctl" '' - set -efu - export SPOOLDIR=${shell.escape cfg.user.home} - export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)} exec ${pkgs.ejabberd}/bin/ejabberdctl \ + --config ${toFile "ejabberd.yaml" (import ./config.nix { + inherit pkgs; + config = cfg; + })} \ --logs ${shell.escape cfg.user.home} \ + --spool ${shell.escape cfg.user.home} \ "$@" ''; }; + registration_watchers = mkOption { + type = types.listOf types.str; + default = [ + config.krebs.users.tv.mail + ]; + }; s2s_certfile = mkOption { type = types.secret-file; default = cfg.certfile; @@ -50,12 +77,12 @@ in { requires = [ "secret.service" ]; after = [ "network.target" "secret.service" ]; serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - PermissionsStartOnly = "true"; + ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; + ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; + PermissionsStartOnly = true; SyslogIdentifier = "ejabberd"; User = cfg.user.name; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start"; + TimeoutStartSec = 60; }; }; -- cgit v1.2.3 From 387bf34e82a5cb5cf82288cf3c58fff5b1bb4ce5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 3 Oct 2017 23:53:43 +0200 Subject: l pass: gnupg1 -> gnupg --- lass/2configs/pass.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 5bd2f2f7..43eb0db9 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -3,7 +3,7 @@ { krebs.per-user.lass.packages = with pkgs; [ pass - gnupg1 + gnupg ]; } -- cgit v1.2.3 
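Review bot: The default for the new `registration_watchers` option is `[ config.krebs.users.tv.mail ]`, so this `lass.ejabberd` module sends registration notifications to another user's address unless the deployer overrides it; `default = [ ];` (or the deployer's own address) is the safer default, with the current value left as an `example`. The new `dhfile` option is typed `types.secret-file` with `source-path = "/dev/null"`; if that option is registered with the secret machinery the way `certfile` presumably is (not visible in this hunk), each secret sync would replace the generated parameters with an empty file, and `gen-dhparam`'s existence check would then never regenerate them — a comment on the `source-path` line explaining why `/dev/null` is used, or a plain path-typed option, would make the intent clear. Note also that `toFile "ejabberd.yaml" …` places the rendered config in the Nix store, so everything interpolated into it is world-readable; this hunk only interpolates paths and e-mail addresses, not key material, which is fine as long as that stays true.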
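Review bot: `TimeoutStartSec = 60;` now also bounds `ExecStartPre`, which on first start generates 2048-bit DH parameters; that can take well over a minute on a slow host, in which case systemd kills the unit before `ejabberdctl foreground` ever runs. Either raise the timeout or move parameter generation out of the start path (a separate oneshot unit this service `requires`). Since `PermissionsStartOnly = true;` keeps `gen-dhparam` running as root while `ExecStart` runs as `cfg.user.name`, the generated file is root-owned inside the user's home; worth a one-line comment, e.g. `# ExecStartPre runs as root (PermissionsStartOnly); dhfile must stay readable by cfg.user`.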
From 9cd1869b8a8a2a54d13e93539b0d0b3743e20adf Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 04:37:19 +0200 Subject: l nixpkgs: 07ca7b6 -> 1987983 --- lass/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/source.nix b/lass/source.nix index 296a2041..e0af7d83 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -10,7 +10,7 @@ in nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "07ca7b6"; + ref = "1987983"; }; secrets.file = getAttr builder { buildbot = toString ; -- cgit v1.2.3 From 579b2cbecf8cec8786864bb2bdf6ffaf6bcf65b4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:01:00 +0200 Subject: l websites: remove deprecated attributes --- lass/2configs/websites/lassulus.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'lass') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 77790e8b..6e185a4d 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -110,7 +110,6 @@ in { services.nginx.virtualHosts."lassul.us" = { addSSL = true; enableACME = true; - serverAliases = [ "lassul.us" ]; locations."/".extraConfig = '' root /srv/http/lassul.us; ''; @@ -151,11 +150,9 @@ in { }; services.nginx.virtualHosts.cgit = { + serverName = "cgit.lassul.us"; addSSL = true; enableACME = true; - serverAliases = [ - "cgit.lassul.us" - ]; }; users.users.blog = { -- cgit v1.2.3 From fcc9e7e942de7212f2b568255c1597ae487ef939 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:02:06 +0200 Subject: l pkgs.xmonad: add more default workspaces --- lass/5pkgs/xmonad-lass.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 0a2945c2..16719d54 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix 
@@ -70,7 +70,7 @@ mainNoArgs = do , normalBorderColor = "#1c1c1c" , focusedBorderColor = "#f000b0" , handleEventHook = handleShutdownEvent - , workspaces = [ "dashboard" ] + , workspaces = [ "dashboard", "sys", "wp" ] } `additionalKeysP` myKeyMap myLayoutHook = defLayout -- cgit v1.2.3 From 9624545b97fc480d9ed5d262ea02eb8895b64b80 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:02:37 +0200 Subject: l pkgs.xmonad: use greedyView --- lass/5pkgs/xmonad-lass.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 16719d54..fe294e90 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix @@ -119,7 +119,7 @@ myKeyMap = , ("M4-f", floatNext True) , ("M4-b", sendMessage ToggleStruts) - , ("M4-v", withWorkspace autoXPConfig (windows . W.view)) + , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView)) , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift)) , ("M4-C-v", withWorkspace autoXPConfig (windows . copy)) -- cgit v1.2.3 From ed3153dd9865799782df2014f4178271955c0e38 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:03:10 +0200 Subject: l pkgs.xmonad: move keys around --- lass/5pkgs/xmonad-lass.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lass') diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index fe294e90..c0893a40 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix 
@@ -131,12 +131,12 @@ myKeyMap = , ("M4-S-q", return ()) - , ("M4-w", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show") + , ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33") - , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33") + , ("M4-", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100") ] forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X () -- cgit v1.2.3 From a5430f2b87fce6d42d13a63ed9547ec85e51adaf Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:04:01 +0200 Subject: l helios.r: use nvidia drivers --- lass/1systems/helios/config.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lass') diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index 6ff3fbb8..b50f3d9b 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -94,4 +94,6 @@ with import ; programs.ssh.startAgent = lib.mkForce true; services.tlp.enable = true; + + services.xserver.videoDrivers = [ "nvidia" ]; } -- cgit v1.2.3 From 612926846d729751d2a4b130290f6bfa62d372ab Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:04:31 +0200 Subject: l helios.r: add certificateFiles --- lass/1systems/helios/config.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'lass') diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index b50f3d9b..dd576e0f 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix 
@@ -96,4 +96,15 @@ with import ; services.tlp.enable = true; services.xserver.videoDrivers = [ "nvidia" ]; + + security.pki.certificateFiles = [ + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) + + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) + ]; } -- cgit v1.2.3 From be4bfed6eddb2e957301a6734725a99d181d3753 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:05:00 +0200 Subject: l pass: activate gnupg-agent --- lass/2configs/pass.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass') diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 43eb0db9..1c253a6c 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -6,4 +6,5 @@ gnupg ]; + programs.gnupg.agent.enable = true; } -- cgit v1.2.3 From 4e6827b8cd1e1edce7a27a6d6b2afda6ce6b7bc9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 05:28:32 +0200 Subject: l gc: deactivate on helios --- lass/2configs/gc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass') diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index 00f318e5..ad015180 100644 
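Review bot: `security.pki.certificateFiles` installs these seven DCSO root and intermediate certificates into the system-wide trust store, so every TLS client on helios will accept any certificate they issue for any name; if they are only needed for the VPN and internal services (the `dcso-vpn.nix` added later in this series already hands its own `ca` file to OpenVPN), scoping them to those consumers limits the impact of a compromised or mis-issued certificate from that CA. Fetching over `http://` is acceptable here only because `fetchurl` verifies the pinned `sha256`, which makes the pins the actual trust anchor; a comment recording how they were verified out of band (e.g. against published fingerprints) would help an auditor, such as `# sha256 pins verified against DCSO's published fingerprints on <date>`. The enclosing attribute set starts outside the hunk.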
--- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import ; { nix.gc = { - automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ]; + automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; }; } -- cgit v1.2.3 From ba663f044508ec596b6f9ab22a43e39677bcf3c2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 15:50:45 +0200 Subject: l helios.r: add dcsovpn --- lass/1systems/helios/config.nix | 1 + lass/2configs/dcso-vpn.nix | 44 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 lass/2configs/dcso-vpn.nix (limited to 'lass') diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index dd576e0f..a94bbd3e 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -11,6 +11,7 @@ with import ; + { # automatic hardware detection boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.kernelModules = [ "kvm-intel" ]; diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix new file mode 100644 index 00000000..0a5623bf --- /dev/null +++ b/lass/2configs/dcso-vpn.nix @@ -0,0 +1,44 @@ +with import ; +{ ... }: + +{ + + users.extraUsers = { + dcsovpn = rec { + name = "dcsovpn"; + uid = genid "dcsovpn"; + description = "user for running dcso openvpn"; + home = "/home/${name}"; + }; + }; + + users.extraGroups.dcsovpn.gid = genid "dcsovpn"; + + services.openvpn.servers = { + dcso = { + config = '' + client + dev tun + tun-mtu 1356 + mssfix + proto udp + float + remote 217.111.55.41 1194 + nobind + user dcsovpn + group dcsovpn + persist-key + persist-tun + ca ${toString } + cert ${toString } + key ${toString } + verb 3 + mute 20 + auth-user-pass ${toString } + route-method exe + route-delay 2 + ''; + updateResolvConf = true; + }; + }; +} -- cgit v1.2.3 From 54d20b612f126ae64c807aa2b68f18836e824d69 Mon Sep 17 00:00:00 2001 
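Review bot: The new OpenVPN client profile in `dcso-vpn.nix` has no `remote-cert-tls server` (or `verify-x509-name`) directive, so any certificate signed by the configured `ca` — including another client's — is accepted as the server; add `remote-cert-tls server` next to the `ca`/`cert`/`key` lines so only a certificate with the server EKU is trusted. `route-method exe` is documented as a Windows-only option, so confirm the Linux build accepts it or drop it together with `route-delay 2`. Running as the dedicated `dcsovpn` user/group and passing the key via `toString` (so its path rather than its contents lands in the store) are good; `float` lets the peer change its source address mid-session, which is intended for roaming endpoints — keep it only if the remote actually needs it.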
From: lassulus Date: Thu, 5 Oct 2017 16:08:55 +0200 Subject: l dummy-secrets: add dcsovpn --- lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem | 0 lass/2configs/tests/dummy-secrets/dcsovpn/cert.key | 0 lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem | 0 lass/2configs/tests/dummy-secrets/dcsovpn/login.txt | 0 4 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem create mode 100644 lass/2configs/tests/dummy-secrets/dcsovpn/cert.key create mode 100644 lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem create mode 100644 lass/2configs/tests/dummy-secrets/dcsovpn/login.txt (limited to 'lass') diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem new file mode 100644 index 00000000..e69de29b diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key new file mode 100644 index 00000000..e69de29b diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem new file mode 100644 index 00000000..e69de29b diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt new file mode 100644 index 00000000..e69de29b -- cgit v1.2.3 From a8db051451d2827d7c7ad38f005284013e63c039 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 5 Oct 2017 16:17:12 +0200 Subject: l pkgs.xmonad: pointer follows focus --- lass/5pkgs/xmonad-lass.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'lass') diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index c0893a40..b86ce358 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix 
@@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS) import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace) import XMonad.Actions.DynamicWorkspaces (withWorkspace) import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch) +import XMonad.Actions.UpdatePointer (updatePointer) import XMonad.Hooks.FloatNext (floatNext) import XMonad.Hooks.FloatNext (floatNextHook) import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts)) @@ -63,14 +64,15 @@ mainNoArgs = do xmonad' $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ") $ def - { terminal = urxvtcPath - , modMask = mod4Mask - , layoutHook = smartBorders $ myLayoutHook - , manageHook = placeHook (smart (1,0)) <+> floatNextHook + { terminal = urxvtcPath + , modMask = mod4Mask + , layoutHook = smartBorders $ myLayoutHook + , logHook = updatePointer (0.25, 0.25) (0.25, 0.25) + , manageHook = placeHook (smart (1,0)) <+> floatNextHook , normalBorderColor = "#1c1c1c" , focusedBorderColor = "#f000b0" - , handleEventHook = handleShutdownEvent - , workspaces = [ "dashboard", "sys", "wp" ] + , handleEventHook = handleShutdownEvent + , workspaces = [ "dashboard", "sys", "wp" ] } `additionalKeysP` myKeyMap myLayoutHook = defLayout -- cgit v1.2.3