Compare commits

..

14 Commits

Author SHA1 Message Date
Vegard Bieker Matthey 273110b304 gluttony: set nginx group for serving bluemap files 2026-05-24 10:03:53 +02:00
Vegard Bieker Matthey 32a14e262f gluttony: bluemap don't create a new directory 2026-05-24 09:51:34 +02:00
Vegard Bieker Matthey d66fef033d bekkalokk: add back config added through bluemap module 2026-05-24 09:21:17 +02:00
Vegard Bieker Matthey 4d7fdcc059 bekkalokk: remove bluemap secrets 2026-05-24 09:04:17 +02:00
Vegard Bieker Matthey 52e1d693cc bekkalokk: remove bluemap rendering 2026-05-24 09:01:43 +02:00
Vegard Bieker Matthey df54bcd853 remove unused variable 2026-05-24 09:01:43 +02:00
Vegard Bieker Matthey b8ec6308bd gluttony: use webRoot variable 2026-05-24 09:01:33 +02:00
Vegard Bieker Matthey c67e381065 gluttony: bluemap fix path 2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey 6bf2ede728 gluttony: add private key and set public key for bekkalokk 2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey 7c4439dbc0 bekkalokk: pull rendered map from gluttony 2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey cbb587f79c gluttony: bluemap export to bekkern 2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey 33b7a420e3 add bekkalokk to known_hosts 2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey e08e61d6a1 bluemap: set group to nginx only if nginx is enabled 2026-05-24 08:37:31 +02:00
Vegard Bieker Matthey eeab3b8fa6 gluttony: setup bluemap 2026-05-24 08:37:25 +02:00
15 changed files with 102 additions and 323 deletions
-2
View File
@@ -45,7 +45,6 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
| [lupine][lup] | Physical | Gitea CI/CD runners | | [lupine][lup] | Physical | Gitea CI/CD runners |
| shark | Virtual | Test host for authentication, absolutely horrendous | | shark | Virtual | Test host for authentication, absolutely horrendous |
| [skrot][skr] | Physical | Kiosk, snacks and soda | | [skrot][skr] | Physical | Kiosk, snacks and soda |
| [temmie][tem] | Virtual | User websites |
| [wenche][wen] | Virtual | Nix-builders, general purpose compute | | [wenche][wen] | Virtual | Nix-builders, general purpose compute |
## Documentation ## Documentation
@@ -64,5 +63,4 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
[kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
[lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot [skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
[tem]: https://wiki.pvv.ntnu.no/wiki/Maskiner/temmie
[wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
+4 -4
View File
@@ -77,10 +77,10 @@
''; '';
# These are servers, sleep is for the weak # These are servers, sleep is for the weak
systemd.sleep.settings.Sleep = { systemd.sleep.extraConfig = lib.mkDefault ''
AllowSuspend = lib.mkDefault false; AllowSuspend=no
AllowHibernation = lib.mkDefault false; AllowHibernation=no
}; '';
# users.mutableUsers = lib.mkDefault false; # users.mutableUsers = lib.mkDefault false;
+1 -1
View File
@@ -8,6 +8,6 @@
services.resolved = { services.resolved = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways... dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
}; };
} }
+2 -1
View File
@@ -6,7 +6,8 @@ in
services.journald.upload = { services.journald.upload = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
settings.Upload = { settings.Upload = {
URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}"; # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
ServerKeyFile = "-"; ServerKeyFile = "-";
ServerCertificateFile = "-"; ServerCertificateFile = "-";
TrustedCertificateFile = "-"; TrustedCertificateFile = "-";
Generated
+18 -62
View File
@@ -1,27 +1,5 @@
{ {
"nodes": { "nodes": {
"bro": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1779629827,
"narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
"ref": "main",
"rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
"revCount": 3,
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/bro.git"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pvv.ntnu.no/Projects/bro.git"
}
},
"crane": { "crane": {
"locked": { "locked": {
"lastModified": 1776635034, "lastModified": 1776635034,
@@ -65,16 +43,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1768920986, "lastModified": 1736864502,
"narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=", "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "de5708739256238fb912c62f03988815db89ec9a", "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "v1.13.0", "ref": "v1.11.0",
"repo": "disko", "repo": "disko",
"type": "github" "type": "github"
} }
@@ -123,7 +101,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1777019032, "lastModified": 1777019032,
@@ -187,7 +165,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1767906976, "lastModified": 1767906976,
@@ -270,15 +248,15 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1779622335, "lastModified": 1778544512,
"narHash": "sha256-06G98ieM6l+OI7EMhlvchgDBDn+DvIWCNj40LDhKpmc=", "narHash": "sha256-VIsPgfIpZ/01XUO6WN+o1NZbP5iKPKPHdHPWqfm4XIg=",
"rev": "705e9929918b43bd7b715dc0a878ac870449bb03", "rev": "c417517f9d525181ee5619c683419d308ee29fe8",
"type": "tarball", "type": "tarball",
"url": "https://releases.nixos.org/nixos/26.05-small/nixos-26.05beta1.705e9929918b/nixexprs.tar.xz" "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.10745.c417517f9d52/nixexprs.tar.xz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz" "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
@@ -316,11 +294,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1779774845, "lastModified": 1764869785,
"narHash": "sha256-QJU1J4eupwjRrtvWGzRut0GY3woql92RS9O/acWkJkk=", "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
"ref": "main", "ref": "main",
"rev": "13667cd216db260ab549e6f1b6281aa230d2f9e0", "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
"revCount": 29, "revCount": 23,
"type": "git", "type": "git",
"url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git" "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
}, },
@@ -374,7 +352,6 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"bro": "bro",
"dibbler": "dibbler", "dibbler": "dibbler",
"disko": "disko", "disko": "disko",
"gergle": "gergle", "gergle": "gergle",
@@ -400,7 +377,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"rust-overlay": "rust-overlay_4" "rust-overlay": "rust-overlay_3"
}, },
"locked": { "locked": {
"lastModified": 1778600367, "lastModified": 1778600367,
@@ -419,27 +396,6 @@
} }
}, },
"rust-overlay": { "rust-overlay": {
"inputs": {
"nixpkgs": [
"bro",
"nixpkgs"
]
},
"locked": {
"lastModified": 1779419951,
"narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"greg-ng", "greg-ng",
@@ -460,7 +416,7 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay_3": { "rust-overlay_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"minecraft-heatmap", "minecraft-heatmap",
@@ -481,7 +437,7 @@
"type": "github" "type": "github"
} }
}, },
"rust-overlay_4": { "rust-overlay_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"roowho2", "roowho2",
+5 -15
View File
@@ -2,13 +2,13 @@
description = "PVV System flake"; description = "PVV System flake";
inputs = { inputs = {
nixpkgs.url = "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz"; nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"; nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
sops-nix.url = "github:Mic92/sops-nix/master"; sops-nix.url = "github:Mic92/sops-nix/master";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko/v1.13.0"; disko.url = "github:nix-community/disko/v1.11.0";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
nix-topology.url = "github:oddlama/nix-topology/main"; nix-topology.url = "github:oddlama/nix-topology/main";
@@ -47,9 +47,6 @@
qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main"; qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
qotd.inputs.nixpkgs.follows = "nixpkgs"; qotd.inputs.nixpkgs.follows = "nixpkgs";
bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
bro.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { outputs = {
@@ -88,7 +85,6 @@
[ [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
"nvidia-kernel-modules"
]; ];
}); });
@@ -109,7 +105,6 @@
[ [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"
"nvidia-kernel-modules"
]; ];
overlays = overlays =
(lib.optionals enableDefaults [ (lib.optionals enableDefaults [
@@ -194,12 +189,14 @@
(final: prev: { (final: prev: {
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {}; mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
simplesamlphp = final.callPackage ./packages/simplesamlphp {}; simplesamlphp = final.callPackage ./packages/simplesamlphp {};
bluemap = final.callPackage ./packages/bluemap.nix {};
}) })
inputs.pvv-nettsiden.overlays.default inputs.pvv-nettsiden.overlays.default
inputs.qotd.overlays.default inputs.qotd.overlays.default
]; ];
modules = [ modules = [
inputs.pvv-nettsiden.nixosModules.default inputs.pvv-nettsiden.nixosModules.default
self.nixosModules.bluemap
inputs.qotd.nixosModules.default inputs.qotd.nixosModules.default
]; ];
}; };
@@ -217,14 +214,7 @@
}; };
shark = stableNixosConfig "shark" {}; shark = stableNixosConfig "shark" {};
wenche = stableNixosConfig "wenche" {}; wenche = stableNixosConfig "wenche" {};
temmie = stableNixosConfig "temmie" { temmie = stableNixosConfig "temmie" {};
overlays = [
inputs.bro.overlays.default
];
modules = [
inputs.bro.nixosModules.default
];
};
gluttony = stableNixosConfig "gluttony" { gluttony = stableNixosConfig "gluttony" {
overlays = [ overlays = [
(final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; }) (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
+7
View File
@@ -64,4 +64,11 @@ in
''; '';
}; };
}; };
networking.firewall.allowedUDPPortRanges = [
{
from = cfg.settings.rtc.port_range_start;
to = cfg.settings.rtc.port_range_end;
}
];
} }
-39
View File
@@ -1,39 +0,0 @@
# Do modify this file! It was generated by „nixos-generate-config“
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix and run ⟪nix-env --switch-profile⟫ instead.
{ config, lib, pkgs, modulesPath, home-manager, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "af_alg" "esp4" "esp6" "rds" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/sdj1";
fsType = "bcachefs";
};
fileSystems."/boott" =
{ device = "/dev/disk/by-uuid/AAAA-AAAA";
fsType = "vfat";
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with networking.interfaces.<interface>.useDHCP.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.em1.useDHCP = lib.mkDefault true;
# networking.interfaces.em2.useDHCP = lib.mkDefault true;
# networking.interfaces.pflog0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "i686-freebsd";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.infiniband.enable = true;
hardware.flipperzero.enable = lib.mkIf (config.security.isolate.cgRoot == "auto:/run/isolate/tank") true;
}
@@ -1,4 +1,4 @@
{ config, pkgs, lib, values, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.services.uptime-kuma; cfg = config.services.uptime-kuma;
domain = "status.pvv.ntnu.no"; domain = "status.pvv.ntnu.no";
@@ -24,21 +24,4 @@ in {
fsType = "bind"; fsType = "bind";
options = [ "bind" ]; options = [ "bind" ];
}; };
services.rsync-pull-targets = {
enable = true;
locations.${stateDir} = {
user = "root";
rrsyncArgs.ro = true;
authorizedKeysAttrs = [
"restrict"
"from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
"no-agent-forwarding"
"no-port-forwarding"
"no-pty"
"no-X11-forwarding"
];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXzcDm6cVr4NmWzUSroy33FlielKqaG83wY0RCMC0p/ uptime_kuma rsync backup";
};
};
} }
-2
View File
@@ -50,8 +50,6 @@ in
SIGNING_NAME = "PVV Git"; SIGNING_NAME = "PVV Git";
SIGNING_EMAIL = "gitea@git.pvv.ntnu.no"; SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
INITIAL_COMMIT = "always"; INITIAL_COMMIT = "always";
MERGES = lib.concatStringsSep "," [ "always" ];
CRUD_ACTIONS = lib.concatStringsSep "," [ "always" ];
WIKI = "always"; WIKI = "always";
}; };
} }
+30 -37
View File
@@ -39,7 +39,7 @@ let
extraConfig = phpOptions; extraConfig = phpOptions;
}; };
perlEnv = (pkgs.perl.withPackages (ps: with ps; [ perlEnv = pkgs.perl.withPackages (ps: with ps; [
pkgs.exiftool pkgs.exiftool
pkgs.ikiwiki pkgs.ikiwiki
pkgs.irssi pkgs.irssi
@@ -54,14 +54,7 @@ let
ImageMagick ImageMagick
JSON JSON
TemplateToolkit TemplateToolkit
])).overrideAttrs (prev: { ]);
# NOTE: `pkgs.perl.propagatedBuildInputs` don't actually propagate through the
# wrapper derivation created by `withPackages`. This should compensate
# for that.
postBuild = prev.postBuild + ''
cp -r '${pkgs.perl}/nix-support' "$out"/nix-support
'';
});
# https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
pythonEnv = pkgs.python3.buildEnv.override { pythonEnv = pkgs.python3.buildEnv.override {
@@ -74,6 +67,21 @@ let
ignoreCollisions = true; ignoreCollisions = true;
}; };
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
text = ''
args=("$@")
if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f$USERDIR_USER" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' "''${args[@]}"
'';
};
# https://nixos.org/manual/nixpkgs/stable/#sec-building-environment # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
fhsEnv = pkgs.buildEnv { fhsEnv = pkgs.buildEnv {
name = "userweb-env"; name = "userweb-env";
@@ -81,7 +89,7 @@ let
paths = with pkgs; [ paths = with pkgs; [
bash bash
config.services.bro.instances.userweb-sendmail.client.package sendmailWrapper
perlEnv perlEnv
pythonEnv pythonEnv
@@ -176,21 +184,17 @@ in
extraModules = [ extraModules = [
"systemd" "systemd"
"userdir" "userdir"
{ # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
name = "perl"; # incorrect or restrictive assumptions upstream, either nixpkgs or source
path = let # {
mod_perl = pkgs.symlinkJoin { # name = "perl";
name = "userweb_modperl_with_custom_perl_env"; # path = let
ignoreCollisions = true; # mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
paths = [ # apacheHttpd = cfg.package.out;
(pkgs.apacheHttpdPackages.mod_perl.override { # perl = perlEnv;
apacheHttpd = cfg.package.out; # };
}) # in "${mod_perl}/modules/mod_perl.so";
perlEnv # }
];
};
in "${mod_perl}/modules/mod_perl.so";
}
]; ];
extraConfig = '' extraConfig = ''
@@ -199,14 +203,11 @@ in
ScriptLog ${cfg.logDir}/cgi.log ScriptLog ${cfg.logDir}/cgi.log
''; '';
# virtualHosts."userweb.pvv.ntnu.no" = {
virtualHosts."temmie.pvv.ntnu.no" = { virtualHosts."temmie.pvv.ntnu.no" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
serverAliases = [
"www2.pvv.ntnu.no"
];
extraConfig = '' extraConfig = ''
UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters} UserDir ${lib.concatMapStringsSep " " (l: "/home/pvv/${l}/*/web-docs") homeLetters}
UserDir disabled root UserDir disabled root
@@ -257,14 +258,6 @@ in
# ]; # ];
# }; # };
# NOTE: 54 -> 33, this is the UID/GID we used for www-data on tom in the past.
# Any files accessed by or created by httpd will do so over NFS with this
# UID/GID pair as its credentials.
# This overlaps with the hardcoded `disnix` uid in nixpkgs, but we *probably*
# won't be using that for the foreseeable future.
users.users."wwwrun".uid = lib.mkForce 33;
users.groups."wwwrun".gid = lib.mkForce 33;
systemd.services.httpd = { systemd.services.httpd = {
after = [ "pvv-homedirs.target" ]; after = [ "pvv-homedirs.target" ];
requires = [ "pvv-homedirs.target" ]; requires = [ "pvv-homedirs.target" ];
+1 -108
View File
@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }: { config, lib, ... }:
{ {
services.postfix.enable = lib.mkForce false; services.postfix.enable = lib.mkForce false;
@@ -9,111 +9,4 @@
remotes = "mail.pvv.ntnu.no smtp --port=25"; remotes = "mail.pvv.ntnu.no smtp --port=25";
}; };
}; };
services.bro = {
enable = true;
instances.userweb-sendmail = {
enable = true;
client = {
settings.BRO_FILE_FLAGS = [
"-C"
];
};
server = {
settings = {
executable = let
sendmailWrapper = pkgs.writeShellApplication {
name = "sendmail";
runtimeInputs = [ ];
bashOptions = [
"errexit"
"pipefail"
];
text = ''
args=("$@")
if [[ -z "$USERDIR_USER" ]] && [[ "$USERDIR_USER" != "pvv" ]]; then
# Prepend -fusername to the argument list, so bounces go to the user
args=("-f$USERDIR_USER" "''${args[@]}")
fi
exec '${lib.getExe pkgs.system-sendmail}' -t -i "''${args[@]}"
'';
};
in lib.getExe sendmailWrapper;
allowed-env = [ "USERDIR_USER" ];
};
};
};
};
environment.systemPackages = [
(config.services.bro.instances.userweb-sendmail.client.package.overrideAttrs (prev: {
buildCommand = prev.buildCommand + ''
mv "$out/bin/sendmail" "$out/bin/bro-sendmail"
'';
}))
];
users.users.nullmailer-user = {
enable = true;
isSystemUser = true;
group = "nullmailer-user";
};
users.groups.nullmailer-user = { };
systemd.services.bro-userweb-sendmail = {
serviceConfig = {
User = "nullmailer-user";
Group = "nullmailer-user";
ReadWritePaths = [
"/var/spool/nullmailer"
];
AmbientCapabilities = "";
CapabilityBoundingSet = "";
NoNewPrivileges = false;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = false;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateMounts = true;
ProcSubset = "pid";
ProtectProc = "invisible";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@resources"
];
UMask = "0077";
};
};
systemd.services.httpd.serviceConfig = {
BindPaths = [ (lib.head config.systemd.sockets.bro-userweb-sendmail.listenStreams) ];
};
} }
+2 -3
View File
@@ -171,9 +171,6 @@ in
requires = [ "matrix-ooye-pre-start.service" ]; requires = [ "matrix-ooye-pre-start.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
startLimitIntervalSec = 5;
startLimitBurst = 5;
serviceConfig = { serviceConfig = {
ExecStart = lib.getExe config.services.matrix-ooye.package; ExecStart = lib.getExe config.services.matrix-ooye.package;
WorkingDirectory = "/var/lib/matrix-ooye"; WorkingDirectory = "/var/lib/matrix-ooye";
@@ -185,6 +182,8 @@ in
#PrivateDevices = true; #PrivateDevices = true;
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "5s"; RestartSec = "5s";
StartLimitIntervalSec = "5s";
StartLimitBurst = "5";
DynamicUser = true; DynamicUser = true;
}; };
}; };
+25 -25
View File
@@ -12,7 +12,7 @@ let
name name
, commit , commit
, hash , hash
, tracking-branch ? "REL1_45" , tracking-branch ? "REL1_44"
, kebab-name ? kebab-case-name name , kebab-name ? kebab-case-name name
, fetchgit ? pkgs.fetchgit , fetchgit ? pkgs.fetchgit
}: }:
@@ -33,63 +33,63 @@ in
lib.mergeAttrsList [ lib.mergeAttrsList [
(mw-ext { (mw-ext {
name = "CodeEditor"; name = "CodeEditor";
commit = "af7e82f24ba4b68393712fece6f1b5fa4bb049ec"; commit = "2db9c9cef35d88a0696b926e8e4ea2d479d0d73a";
hash = "sha256-XT8E4O6MEZYHSs6Q+A/dfYaUvJ4kY13Kd/cq30dA5NA="; hash = "sha256-f0tWJl/4hml+RCp7OoIpQ4WSGKE3/z8DTYOAOHbLA9A=";
}) })
(mw-ext { (mw-ext {
name = "CodeMirror"; name = "CodeMirror";
commit = "f06dfd40a08562a841ddf11b4ae3444ef06c98c7"; commit = "b16e614c3c4ba68c346b8dd7393ab005ab127441";
hash = "sha256-5zXkBjOwFdoQezkPRJ2AcBZLZEEpGG6FawO2K3KzllI="; hash = "sha256-J/TJPo5Oxgpy6UQINivLKl8jzJp4k/mKv6br3kcCSMQ=";
}) })
(mw-ext { (mw-ext {
name = "DeleteBatch"; name = "DeleteBatch";
commit = "9bc75a753efefedfc88c598fb01f18a7e4b61f00"; commit = "1b947c0f80249cf052b58138f830b379edf080bc";
hash = "sha256-1xA758fsvoioN9xuq0hRqZKtPXMQViVLtuRINDtowdk="; hash = "sha256-629RCz+38m2pfyJe/CrYutRoDyN1HzD0KzDdC2wwqlI=";
}) })
(mw-ext { (mw-ext {
name = "PluggableAuth"; name = "PluggableAuth";
commit = "64133683b73d8eeea8069fe7ed9cb7237fd5c212"; commit = "56893b8ee9ecd03eaee256e08c38bc82657ee0a1";
hash = "sha256-wqpfgVLenZp6XC510nrsrbvK1IMEPcWVYq5YuAOt5+c="; hash = "sha256-gvoJey7YLMk+toutQTdWxpaedNDr59E+3xXWmXWCGl0=";
}) })
(mw-ext { (mw-ext {
name = "Popups"; name = "Popups";
commit = "f74a8639f57232898978d9f3792293eb2d370e40"; commit = "6732d8d195bd8312779d8514e92bad372ef63096";
hash = "sha256-uunUtN3M/ksW/kcbeIzDVTdb1P/PHTeTwaTsvspMLko="; hash = "sha256-XZzhA9UjAOUMcoGYYwiqRg2uInZ927JOZ9/IrZtarJU=";
}) })
(mw-ext { (mw-ext {
name = "Scribunto"; name = "Scribunto";
commit = "cbab0c740e03c8e6184fd647d95e24e0826d20cb"; commit = "fc9658623bd37fad352e326ce81b2a08ef55f04d";
hash = "sha256-vXS3+wrUBVtPsETa19pMvud9sALGt4Ao9mM5rQRbBQc="; hash = "sha256-P9WQk8O9qP+vXsBS9A5eXX+bRhnfqHetbkXwU3+c1Vk=";
}) })
(mw-ext { (mw-ext {
name = "SimpleSAMLphp"; name = "SimpleSAMLphp";
kebab-name = "simple-saml-php"; kebab-name = "simple-saml-php";
commit = "fc5ad4501434fe85198f0b1f0087d798efa91f9f"; commit = "4c615a9203860bb908f2476a5467573e3287d224";
hash = "sha256-se0krTglo1fShJXj38bPLhw65tZC5P54Ywt7oeZrLes="; hash = "sha256-zNKvzInhdW3B101Hcghk/8m0Y+Qk/7XN7n0i/x/5hSE=";
}) })
(mw-ext { (mw-ext {
name = "TemplateData"; name = "TemplateData";
commit = "d37b02f6ed194138ac7193a0782bbf6efb9164f8"; commit = "6884b10e603dce82ee39632f839ee5ccd8a6fbe3";
hash = "sha256-NpzVBzX7qfXkIE+jh33ndooS9GE8ZF3/Jynm22in7IQ="; hash = "sha256-jcLe3r5fPIrQlp89N+PdIUSC7bkdd7pTmiYppSpdKVQ=";
}) })
(mw-ext { (mw-ext {
name = "TemplateStyles"; name = "TemplateStyles";
commit = "f85614c26a0057a9f418342f89214a04c9de9988"; commit = "f0401a6b82528c8fd5a0375f1e55e72d1211f2ab";
hash = "sha256-XZOtM3iadjE5vavsjkx7kfJNhLZlnnFt1CN+mv6XVHQ="; hash = "sha256-tEcCNBz/i9OaE3mNrqw0J2K336BAf6it30TLhQkbtKs=";
}) })
(mw-ext { (mw-ext {
name = "UserMerge"; name = "UserMerge";
commit = "2f2432c909a36691ca0002daf6fb304d6c182beb"; commit = "6c138ffc65991766fd58ff4739fcb7febf097146";
hash = "sha256-ZP8Tp6u+uJxx3I39YGMmkP0sTnjAQUSaxImAJaRv+Ek="; hash = "sha256-366Nb0ilmXixWgk5NgCuoxj82Mf0iRu1bC/L/eofAxU=";
}) })
(mw-ext { (mw-ext {
name = "VisualEditor"; name = "VisualEditor";
commit = "1508d49d0dd71fdc1d18badd23671441b3bc327b"; commit = "9cfcca3195bf88225844f136da90ab7a1f6dd0b9";
hash = "sha256-VNiCVNrCAImAr1tS9T28KPPzzNsKPz5ELFRIBtng+So="; hash = "sha256-jHw3RnUB3bQa1OvmzhEBqadZlFPWH62iGl5BLXi3nZ4=";
}) })
(mw-ext { (mw-ext {
name = "WikiEditor"; name = "WikiEditor";
commit = "aba5e7c6701877a6b43583709751658fec606d47"; commit = "fe5329ba7a8c71ac8236cd0e940a64de2645b780";
hash = "sha256-XmbQy0NXuY3oVGkkgC233kkzfBfx32HDylloGYXU/Nc="; hash = "sha256-no6kH7esqKiZv34btidzy2zLd75SBVb8EaYVhfRPQSI=";
}) })
] ]
+6 -6
View File
@@ -22,12 +22,12 @@ pkgs.mkShell {
stdenv.cc stdenv.cc
unzip unzip
util-linux util-linux
libX11 xorg.libX11
libXext xorg.libXext
libXi xorg.libXi
libXmu xorg.libXmu
libXrandr xorg.libXrandr
libXv xorg.libXv
zlib zlib
cudatoolkit cudatoolkit