Compare commits
No commits in common. "67f43298e82768269ee5e4e97b89cc31fa868d2a" and "ac5d7923fac1a29d2c66fc6da4a65b2b90713aca" have entirely different histories.
67f43298e8
...
ac5d7923fa
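--- a/flake.lock
+++ b/flake.lock
@@ -260,16 +260,16 @@
 },
 "nixpkgs": {
 "locked": {
-"lastModified": 1697804921,
-"narHash": "sha256-PAoThb0U52HGscrU/Qp1GKwidqM6xnWxgovJCXNpjCc=",
-"owner": "chayleaf",
+"lastModified": 1696375444,
+"narHash": "sha256-Sv0ICt/pXfpnFhTGYTsX6lUr1SljnuXWejYTI2ZqHa4=",
+"owner": "nixos",
 "repo": "nixpkgs",
-"rev": "77ba48251d2b629d347e566c888000a379711ce0",
+"rev": "81e8f48ebdecf07aab321182011b067aafc78896",
 "type": "github"
 },
 "original": {
-"owner": "chayleaf",
-"ref": "akkoma",
+"owner": "nixos",
+"ref": "nixos-unstable",
 "repo": "nixpkgs",
 "type": "github"
 }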
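--- a/[inferred] flake.nix
+++ b/[inferred] flake.nix
@@ -3,9 +3,9 @@
 
 inputs = {
 #nixpkgs.url = "github:nixos/nixpkgs/3dc2b4f8166f744c3b3e9ff8224e7c5d74a5424f";
-# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-nixpkgs.url = "github:chayleaf/nixpkgs/akkoma";
+nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs2.url = "github:nixos/nixpkgs/master";
+# nixpkgs.url = "github:chayleaf/nixpkgs/ccache2";
 nixos-hardware.url = "github:NixOS/nixos-hardware";
 mobile-nixos = {
 # url = "github:NixOS/mobile-nixos";
@@ -156,7 +156,6 @@
 ./system/devices/radxa-rock5a-server.nix
 (if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default)
 ./system/modules/scanservjs.nix
-./system/modules/certspotter.nix
 ];
 };
 server-cross = crossConfig server;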
1407
pkgs/Cargo.lock
generated
Normal file
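--- a/[inferred] pkgs/certspotter/configurable-sendmail.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go
-index 9730789..f2eb081 100644
---- a/cmd/certspotter/main.go
-+++ b/cmd/certspotter/main.go
-@@ -163,6 +163,7 @@ func main() {
-logs string
-noSave bool
-script string
-+ sendmail string
-startAtEnd bool
-stateDir string
-stdout bool
-@@ -176,6 +177,7 @@ func main() {
-flag.StringVar(&flags.logs, "logs", defaultLogList, "File path or URL of JSON list of logs to monitor")
-flag.BoolVar(&flags.noSave, "no_save", false, "Do not save a copy of matching certificates in state directory")
-flag.StringVar(&flags.script, "script", "", "Program to execute when a matching certificate is discovered")
-+ flag.StringVar(&flags.sendmail, "sendmail", "/usr/sbin/sendmail", "Path to the sendmail-compatible program to use")
-flag.BoolVar(&flags.startAtEnd, "start_at_end", false, "Start monitoring logs from the end rather than the beginning (saves considerable bandwidth)")
-flag.StringVar(&flags.stateDir, "state_dir", defaultStateDir(), "Directory for storing log position and discovered certificates")
-flag.BoolVar(&flags.stdout, "stdout", false, "Write matching certificates to stdout")
-@@ -201,6 +203,7 @@ func main() {
-Verbose: flags.verbose,
-Script: flags.script,
-ScriptDir: defaultScriptDir(),
-+ SendmailPath: flags.sendmail,
-Email: flags.email,
-Stdout: flags.stdout,
-HealthCheckInterval: flags.healthcheck,
-diff --git a/monitor/config.go b/monitor/config.go
-index 1e0d60c..d1bc430 100644
---- a/monitor/config.go
-+++ b/monitor/config.go
-@@ -20,6 +20,7 @@ type Config struct {
-WatchList WatchList
-Verbose bool
-SaveCerts bool
-+ SendmailPath string
-Script string
-ScriptDir string
-Email []string
-diff --git a/monitor/notify.go b/monitor/notify.go
-index 8fc6d09..86cabca 100644
---- a/monitor/notify.go
-+++ b/monitor/notify.go
-@@ -36,7 +36,7 @@ func notify(ctx context.Context, config *Config, notif notification) error {
-}
-
-if len(config.Email) > 0 {
-- if err := sendEmail(ctx, config.Email, notif); err != nil {
-+ if err := sendEmail(ctx, config.SendmailPath, config.Email, notif); err != nil {
-return err
-}
-}
-@@ -62,7 +62,7 @@ func writeToStdout(notif notification) {
-os.Stdout.WriteString(notif.Text() + "\n")
-}
-
--func sendEmail(ctx context.Context, to []string, notif notification) error {
-+func sendEmail(ctx context.Context, sendmailPath string, to []string, notif notification) error {
-stdin := new(bytes.Buffer)
-stderr := new(bytes.Buffer)
-
-@@ -77,7 +77,7 @@ func sendEmail(ctx context.Context, to []string, notif notification) error {
-args := []string{"-i", "--"}
-args = append(args, to...)
-
-- sendmail := exec.CommandContext(ctx, "/usr/sbin/sendmail", args...)
-+ sendmail := exec.CommandContext(ctx, sendmailPath, args...)
-sendmail.Stdin = stdin
-sendmail.Stderr = stderr
-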
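--- a/[inferred] pkgs/certspotter/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
-, lowdown
-}:
-
-buildGoModule rec {
-pname = "certspotter";
-version = "0.16.0";
-
-src = fetchFromGitHub {
-owner = "SSLMate";
-repo = "certspotter";
-rev = "v${version}";
-hash = "sha256-0+7GWxbV4j2vVdmool8J9hqRqUi8O/yKedCyynWJDkE=";
-};
-
-vendorHash = "sha256-haYmWc2FWZNFwMhmSy3DAtj9oW5G82dX0fxpGqI8Hbw=";
-
-patches = [ ./configurable-sendmail.patch ];
-
-ldflags = [ "-s" "-w" ];
-
-nativeBuildInputs = [ lowdown ];
-
-postInstall = ''
-cd man
-make
-mkdir -p $out/share/man/man8
-mv *.8 $out/share/man/man8
-'';
-
-meta = with lib; {
-description = "Certificate Transparency Log Monitor";
-homepage = "https://github.com/SSLMate/certspotter";
-changelog = "https://github.com/SSLMate/certspotter/blob/${src.rev}/CHANGELOG.md";
-license = licenses.mpl20;
-mainProgram = "certspotter";
-maintainers = with maintainers; [ chayleaf ];
-};
-}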
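--- /dev/null
+++ b/pkgs/chompjs.nix
@@ -0,0 +1,25 @@
+# TODO: remove this file when searxng gets updated in nixpkgs
+{ lib
+, buildPythonPackage
+, fetchPypi
+}:
+
+buildPythonPackage rec {
+pname = "chompjs";
+version = "1.2.2";
+format = "setuptools";
+
+src = fetchPypi {
+inherit pname version;
+hash = "sha256-I5PbVinyjO1OF78t9h67lVBM/VsogYoMj3iFZS4WTn8=";
+};
+
+pythonImportsCheck = [ "chompjs" ];
+
+meta = with lib; {
+description = "Parsing JavaScript objects into Python dictionaries";
+homepage = "https://pypi.org/project/chompjs/";
+license = licenses.mit;
+maintainers = with maintainers; [ chayleaf ];
+};
+}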
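--- a/[inferred] pkgs/default.nix
+++ b/[inferred] pkgs/default.nix
@@ -60,7 +60,6 @@ in
 meta = builtins.removeAttrs old.meta [ "broken" ];
 });
 
-certspotter = callPackage ./certspotter { };
 clang-tools_latest = pkgs.clang-tools_16;
 clang_latest = pkgs.clang_16;
 /*ghidra = pkgs.ghidra.overrideAttrs (old: {
@@ -91,17 +90,21 @@ in
 '';
 };
 rofi-steam-game-list = callPackage ./rofi-steam-game-list { };
-scanservjs = callPackage ./scanservjs { };
+scanservjs = callPackage ./scanservjs.nix { };
 searxng = pkgs'.python3.pkgs.toPythonModule (pkgs.searxng.overrideAttrs (old: {
 inherit (sources.searxng) src;
 version = "unstable-" + sources.searxng.date;
+propagatedBuildInputs = old.propagatedBuildInputs ++ [
+(pkgs'.python3.pkgs.callPackage ./chompjs.nix { })
+];
 }));
+# system76-scheduler = callPackage ./system76-scheduler.nix { };
 techmino = callPackage ./techmino { };
 
 firefox-addons = lib.recurseIntoAttrs (callPackage ./firefox-addons { inherit nur sources; });
 mpvScripts = pkgs.mpvScripts // callPackage ./mpv-scripts { };
 
-qemu_7 = callPackage ./qemu/7.nix {
+qemu_7 = callPackage ./qemu_7.nix {
 stdenv = pkgs'.ccacheStdenv;
 inherit (pkgs.darwin.apple_sdk.frameworks) CoreServices Cocoa Hypervisor vmnet;
 inherit (pkgs.darwin.stubs) rez setfile;
@@ -115,7 +118,7 @@ in
 qemu_7_xen_4_15-light = lib.lowPrio (pkgs'.qemu_7.override { hostCpuOnly = true; xenSupport = true; xen = pkgs.xen_4_15-light; });
 qemu_7_test = lib.lowPrio (pkgs'.qemu_7.override { hostCpuOnly = true; nixosTestRunner = true; });
 # TODO: when https://gitlab.com/virtio-fs/virtiofsd/-/issues/96 is fixed remove this
-virtiofsd = callPackage ./qemu/virtiofsd.nix {
+virtiofsd = callPackage ./qemu_virtiofsd.nix {
 qemu = pkgs'.qemu_7;
 };
 
@@ -127,6 +130,5 @@ in
 stdenv = pkgs'.ccacheStdenv;
 };
 }
-// import ./postgresql-packages { inherit pkgs pkgs' lib sources; }
 // import ./ccache.nix { inherit pkgs pkgs' lib sources; }
 // import ../system/hardware/bpi-r3/pkgs.nix { inherit pkgs pkgs' lib sources; }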
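--- /dev/null
+++ b/pkgs/kvmfr-linux6_4.patch
@@ -0,0 +1,16 @@
+diff --git a/kvmfr.c b/kvmfr.c
+index 121aae5b..2f4c9e1a 100644
+--- a/kvmfr.c
++++ b/kvmfr.c
+@@ -539,7 +539,11 @@ static int __init kvmfr_module_init(void)
+if (kvmfr->major < 0)
+goto out_free;
+
++#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
+kvmfr->pClass = class_create(THIS_MODULE, KVMFR_DEV_NAME);
++#else
++ kvmfr->pClass = class_create(KVMFR_DEV_NAME);
++#endif
+if (IS_ERR(kvmfr->pClass))
+goto out_unreg;
+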
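Review bot: The added `#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)` guard around `class_create` in `kvmfr_module_init` relies on `<linux/version.h>` already being included in kvmfr.c; the patch only shows the call site, so that include is outside the view and should be confirmed. If either macro is undefined the `#if` line fails to preprocess (KERNEL_VERSION is function-like), so the failure mode is a broken build rather than a silently wrong branch, but it is still worth checking before relying on the patch for 6.4+ kernels. The body of `kvmfr_module_init` starts and ends outside the hunk.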
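--- a/[inferred] pkgs/postgresql-packages/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ pkgs
-, pkgs'
-, ... }:
-
-let
-inherit (pkgs') callPackage;
-
-extraPackages = {
-tsja = callPackage ./tsja.nix { };
-};
-gen' = postgresql: builtins.mapAttrs (k: v: v.override { inherit postgresql; }) extraPackages;
-gen = ver: pkgs."postgresql${toString ver}Packages" // gen' pkgs."postgresql_${toString ver}";
-in {
-mecab = pkgs.mecab.overrideAttrs (old: {
-postInstall = ''
-mkdir -p $out/lib/mecab/dic
-ln -s ${callPackage /${pkgs.path}/pkgs/tools/text/mecab/ipadic.nix {
-mecab-nodic = callPackage /${pkgs.path}/pkgs/tools/text/mecab/nodic.nix { };
-}} $out/lib/mecab/dic/ipadic
-'';
-});
-postgresqlPackages = gen "";
-postgresql11Packages = gen 11;
-postgresql12Packages = gen 12;
-postgresql13Packages = gen 13;
-postgresql14Packages = gen 14;
-postgresql15Packages = gen 15;
-postgresql16Packages = gen 16;
-}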
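--- a/[inferred] pkgs/postgresql-packages/tsja.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ lib
-, stdenv
-, postgresql
-, mecab
-}:
-
-stdenv.mkDerivation rec {
-pname = "tsja";
-version = "0.5.0";
-
-src = fetchTarball {
-url = "https://www.amris.jp/tsja/tsja-${version}.tar.xz";
-sha256 = "0hx4iygnqw1ay3nwrf3x2izflw4ip9i8i0yny26vivdz862m97w7";
-};
-
-postPatch = ''
-substituteInPlace Makefile \
---replace /usr/local/pgsql ${postgresql} \
---replace -L/usr/local/lib "" \
---replace -I/usr/local/include ""
-substituteInPlace tsja.c --replace /usr/local/lib/mecab ${mecab}/lib/mecab
-'';
-
-buildInputs = [ postgresql mecab ];
-
-installPhase = ''
-mkdir -p $out/lib $out/share/postgresql/extension
-cp libtsja.so $out/lib
-cp dbinit_libtsja.txt $out/share/postgresql/extension/libtsja_dbinit.sql
-'';
-
-meta = with lib; {
-description = "PostgreSQL extension implementing Japanese text search";
-homepage = "https://www.amris.jp/tsja/index.html";
-maintainers = with maintainers; [ chayleaf ];
-platforms = postgresql.meta.platforms;
-license = licenses.postgresql;
-};
-}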
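--- /dev/null
+++ b/pkgs/system76-scheduler.nix
@@ -0,0 +1,65 @@
+{ lib
+, fetchFromGitHub
+, writeText
+, rustPlatform
+, pkg-config
+, dbus
+, bcc
+}:
+
+rustPlatform.buildRustPackage {
+pname = "system76-scheduler";
+version = "unstable-2022-11-08";
+src = fetchFromGitHub {
+owner = "pop-os";
+repo = "system76-scheduler";
+rev = "0fe4d8dfc4275fd856aee28ca942b9fa53229fc9";
+sha256 = "sha256-uFFJkuMxqcGj6OQShF0zh/FGwX4/ln1l6NwGonkUsNI=";
+};
+cargoPatches = [(writeText "ron-rev.diff" ''
+diff --git i/daemon/Cargo.toml w/daemon/Cargo.toml
+index 0397788..fbd6202 100644
+--- i/daemon/Cargo.toml
++++ w/daemon/Cargo.toml
+@@ -33,7 +33,7 @@ clap = { version = "3.1.18", features = ["cargo"] }
+# Necessary for deserialization of untagged enums in assignments.
+[dependencies.ron]
+git = "https://github.com/MomoLangenstein/ron"
+-branch = "253-untagged-enums"
++rev = "afb960bb8b0402a79260533aa3b9d87a8abae72b"
+
+[dependencies.tracing-subscriber]
+version = "0.3.11"
+diff --git i/Cargo.lock w/Cargo.lock
+index a782756..fe56c1f 100644
+--- i/Cargo.lock
++++ w/Cargo.lock
+@@ -788,7 +788,7 @@ dependencies = [
+[[package]]
+name = "ron"
+version = "0.8.0"
+-source = "git+https://github.com/MomoLangenstein/ron?branch=253-untagged-enums#afb960bb8b0402a79260533aa3b9d87a8abae72b"
++source = "git+https://github.com/MomoLangenstein/ron?rev=afb960bb8b0402a79260533aa3b9d87a8abae72b#afb960bb8b0402a79260533aa3b9d87a8abae72b"
+dependencies = [
+"base64",
+"bitflags",
+'')];
+cargoSha256 = "sha256-tY7o09Nu1/Lbn//5+iecUmV67Aw1QvVLdUaD8DDgKi0=";
+cargoLock.lockFile = ./Cargo.lock;
+cargoLock.outputHashes."ron-0.8.0" = "sha256-k+LuTEq97/DohcsulXoLXWqFLzPUzIR1D5pGru+M5Ew=";
+nativeBuildInputs = [ pkg-config ];
+buildInputs = [ dbus ];
+EXECSNOOP_PATH = "${bcc}/bin/execsnoop";
+postInstall = ''
+install -D -m 0644 data/com.system76.Scheduler.conf $out/etc/dbus-1/system.d/com.system76.Scheduler.conf
+mkdir -p $out/etc/system76-scheduler
+install -D -m 0644 data/*.ron $out/etc/system76-scheduler/
+'';
+
+meta = {
+description = "System76 Scheduler";
+homepage = "https://github.com/pop-os/system76-scheduler";
+license = lib.licenses.mpl20;
+platforms = [ "i686-linux" "x86_64-linux" ];
+};
+}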
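Review bot: `cargoSha256 = ...` and `cargoLock.lockFile = ./Cargo.lock;` / `cargoLock.outputHashes."ron-0.8.0"` are all set in this new file; as far as I recall buildRustPackage vendors from `cargoLock` whenever it is given and never consults `cargoSha256`, so that line is dead and should be dropped rather than left looking like a verified hash. The `cargoPatches` entry pins `ron` to a commit instead of a moving branch, which is the right direction, but it patches the source tree's Cargo.lock while the build vendors from the separate `./Cargo.lock` (the 1407-line `pkgs/Cargo.lock` added in this compare), so the two lock sources need to be kept in sync or the patch removed. The package is referenced only from the commented-out `# system76-scheduler = callPackage ./system76-scheduler.nix { };` line in the package-set hunk at -91, so nothing currently evaluates or builds this file.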
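--- a/[path not shown] system device module
+++ b/[path not shown] system device module
@@ -1,5 +1,4 @@
 { hardware
-, pkgs
 , ... }:
 
 {
@@ -13,7 +12,6 @@
 common.resolution = "1920x1080";
 vfio.pciIDs = [ "1002:73df" "1002:ab28" ];
 boot = {
-kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
 initrd.availableKernelModules = [ "nvme" "xhci_pci" ];
 kernelParams = [
 # disable PSR to *hopefully* avoid random hangs
@@ -53,19 +51,4 @@
 };
 })
 ];
-specialisation.no_patches.configuration = {
-nixpkgs.overlays = [
-(final: prev: {
-amd-ucode = prev.amd-ucode.override { inherit (final) linux-firmware; };
-linux-firmware = prev.stdenvNoCC.mkDerivation {
-inherit (prev.linux-firmware) pname version meta src;
-dontFixup = true;
-passthru = { inherit (prev.linux-firmware) version; };
-installFlags = [ "DESTDIR=$(out)" ];
-patches = [ ];
-postPatch = "";
-};
-})
-];
-};
 }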
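--- a/[path not shown] router module
+++ b/[path not shown] router module
@@ -282,7 +282,6 @@ in {
 ];
 router-settings.dhcp6Reservations = [
 { ipAddress = serverAddress6;
-duid = cfg.serverDuid;
 macAddress = cfg.serverMac; }
 { ipAddress = vacuumAddress6;
 macAddress = cfg.vacuumMac; }
@@ -435,11 +434,11 @@ in {
 gateways = [ netAddresses.lan6 ];
 radvdSettings.AdvAutonomous = true;
 coreradSettings.autonomous = true;
-# don't allocate addresses for most devices
+# don't autoallocate addresses, keep autonomous ones
 keaSettings.pools = [ ];
 # just assign the reservations
-keaSettings.reservations = map (res:
-(if res.duid != null then { duid = res.duid; } else { hw-address = res.macAddress; }) // {
+keaSettings.reservations = map (res: {
+hw-address = res.macAddress;
 ip-addresses = [ res.ipAddress ];
 }) cfg.dhcp6Reservations;
 });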
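Review bot: `keaSettings.reservations` in the hunk at -435 now keys every DHCPv6 reservation on `hw-address` only, and the `duid` alternative is gone (the matching `serverDuid` and per-device `duid` options are removed in the next file section). In DHCPv6 the client identifier is the DUID; as far as I know Kea can match `hw-address` only when it can recover the client's MAC from the link-layer or relay options, which is not guaranteed for every client, so a host that previously matched by DUID may silently get no reservation, and with `keaSettings.pools = [ ]` there is no pool to fall back to. If MAC-only matching is intended, record that assumption next to the new line, e.g. `hw-address = res.macAddress; # DUID reservations dropped: relies on Kea recovering the MAC`.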
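--- a/[path not shown] router options module
+++ b/[path not shown] router options module
@@ -13,11 +13,6 @@
 description = "server's mac address";
 type = lib.types.str;
 };
-serverDuid = lib.mkOption {
-description = "server's duid";
-type = with lib.types; nullOr str;
-default = null;
-};
 serverInitrdMac = lib.mkOption {
 description = "server's mac address in initrd";
 type = lib.types.str;
@@ -97,15 +92,9 @@
 description = "device's ip address";
 };
 options.macAddress = lib.mkOption {
-type = with lib.types; nullOr str;
-default = null;
+type = lib.types.str;
 description = "device's mac address";
 };
-options.duid = lib.mkOption {
-type = with lib.types; nullOr str;
-default = null;
-description = "device's duid";
-};
 });
 };
 dnatRules = lib.mkOption {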
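--- a/[path not shown] server module
+++ b/[path not shown] server module
@@ -82,7 +82,6 @@ in {
 
 services.postgresql.enable = true;
 services.postgresql.package = pkgs.postgresql_13;
-services.postgresql.extraPlugins = with pkgs.postgresql13Packages; [ tsja ];
 
 # SSH
 services.openssh.enable = true;
@@ -278,27 +277,12 @@ in {
 https = true;
 };
 
-# AKKOMA
-# TODO: remove this in 2024
-services.nginx.virtualHosts."pleroma.${cfg.domainName}" = {
-quic = true;
-enableACME = true;
-addSSL = true;
-serverAliases = [ "akkoma.${cfg.domainName}" ];
-locations."/".return = "301 https://fedi.${cfg.domainName}$request_uri";
-};
-
 services.akkoma = {
 enable = true;
-dist.extraFlags = [
-"+sbwt" "none"
-"+sbwtdcpu" "none"
-"+sbwtdio" "none"
-];
 config.":pleroma"."Pleroma.Web.Endpoint" = {
 url = {
 scheme = "https";
-host = "fedi.${cfg.domainName}";
+host = "pleroma.${cfg.domainName}";
 port = 443;
 };
 secret_key_base._secret = "/secrets/akkoma/secret_key_base";
@@ -310,7 +294,7 @@ in {
 '';
 initDb = {
 enable = false;
-username = "akkoma";
+username = "pleroma";
 password._secret = "/secrets/akkoma/postgres_password";
 };
 config.":pleroma".":instance" = {
@@ -323,9 +307,9 @@ in {
 };
 config.":pleroma"."Pleroma.Repo" = {
 adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
-username = "akkoma";
+username = "pleroma";
 password._secret = "/secrets/akkoma/postgres_password";
-database = "akkoma";
+database = "pleroma";
 hostname = "localhost";
 };
 config.":web_push_encryption".":vapid_details" = {
@@ -335,37 +319,19 @@ in {
 };
 config.":joken".":default_signer"._secret = "/secrets/akkoma/joken_signer";
 nginx = {
+serverAliases = [ "akkoma.${cfg.domainName}" ];
 quic = true;
 enableACME = true;
 forceSSL = true;
 };
 };
-systemd.services.akkoma = {
-path = [ pkgs.exiftool pkgs.gawk ];
-serviceConfig.Restart = "on-failure";
-unitConfig = {
-StartLimitIntervalSec = 60;
-StartLimitBurst = 3;
-};
+systemd.services.akkoma.path = [ pkgs.exiftool pkgs.gawk ];
+systemd.services.akkoma.serviceConfig = {
+Restart = "on-failure";
 };
-
-users.users.certspotter.extraGroups = [ "acme" ];
-services.certspotter = {
-enable = true;
-watchlist = [ ".pavluk.org" ];
-hooks = let
-openssl = "${pkgs.openssl.bin}/bin/openssl";
-in lib.toList (pkgs.writeShellScript "certspotter-hook" ''
-if [[ "$EVENT" == discovered_cert ]]; then
-mkdir -p /var/lib/certspotter/allowed_tbs
-for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
-hash="$(${openssl} x509 -in "$cert" -pubkey -noout | ${openssl} pkey -pubin -outform DER | ${openssl} sha256 | cut -d" " -f2)"
-touch "/var/lib/certspotter/allowed_tbs/$hash"
-done
-[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0
-fi
-(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName}
-'');
+systemd.services.akkoma.unitConfig = {
+StartLimitIntervalSec = 60;
+StartLimitBurst = 3;
 };
 
 /*locations."/dns-query".extraConfig = ''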
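Review bot: In the hunk at -335 the Akkoma nginx block now serves the instance under `serverAliases = [ "akkoma.${cfg.domainName}" ]` while the Endpoint `url.host` in the hunk at -278 is `pleroma.${cfg.domainName}`; Akkoma builds its absolute URLs from the Endpoint url, so the alias is presumably reachable but never canonical, and answering it with a redirect to the canonical host (as the removed `pleroma.` vhost did for `fedi.`) would keep the instance from being served under two origins — confirm this is intended. The new `systemd.services.akkoma` settings are split across three top-level attribute paths (`.path`, `.serviceConfig`, `.unitConfig`); they evaluate identically, but one attribute set is easier to read. On the rebuilt -335 hunk the rendered page shows one fewer old-side row than its header counts; I placed the missing old blank line before the removed `users.users.certspotter.extraGroups` line, which the page does not make explicit.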
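--- a/[inferred] system/modules/certspotter.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{ config
-, lib
-, pkgs
-, ... }:
-
-let
-cfg = config.services.certspotter;
-in {
-options.services.certspotter = {
-enable = lib.mkEnableOption "Cert Spotter, a Certificate Transparency log monitor";
-sendmailPath = lib.mkOption {
-type = lib.types.path;
-description = ''
-Path to the `sendmail` binary. By default, the local sendmail wrapper is used
-(see `config.services.mail.sendmailSetuidWrapper`).
-'';
-example = lib.literalExpression ''"''${pkgs.system-sendmail}/bin/sendmail"'';
-};
-watchlist = lib.mkOption {
-type = with lib.types; listOf str;
-description = "Domain names to watch. To monitor a domain with all subdomains, prefix its name with `.` (e.g. `.example.org`).";
-default = [ ];
-example = [ ".example.org" "another.example.com" ];
-};
-emailRecipients = lib.mkOption {
-type = with lib.types; listOf str;
-description = "A list of email addresses to send certificate updates to.";
-default = [ ];
-};
-hooks = lib.mkOption {
-type = with lib.types; listOf path;
-description = ''
-Scripts to run upon the detection of a new certificate. See `man 8 certspotter-script` or [the GitHub page](https://github.com/SSLMate/certspotter/blob/master/man/certspotter-script.md) for more info.
-'';
-default = [];
-example = lib.literalExpression ''
-[
-(pkgs.writeShellScript "certspotter-hook" '''
-echo "Event summary: $SUMMARY."
-''')
-]
-'';
-};
-extraFlags = lib.mkOption {
-type = with lib.types; listOf str;
-description = "Extra command-line arguments to pass to Cert Spotter";
-example = [ "-start_at_end" ];
-default = [ ];
-};
-};
-config = lib.mkIf cfg.enable {
-assertions = [
-{
-assertion = cfg.watchlist != [ ];
-message = "You must specify at least one domain for Cert Spotter to watch";
-}
-{
-assertion = cfg.hooks != [] || cfg.emailRecipients != [];
-message = "You must specify at least one hook or email recipient for Cert Spotter";
-}
-{
-assertion = (cfg.emailRecipients != []) -> (cfg.sendmailPath != "/run/current-system/sw/bin/false");
-message = ''
-You must configure the sendmail setuid wrapper (services.mail.sendmailSetuidWrapper)
-or services.certspotter.sendmailPath
-'';
-}
-];
-services.certspotter.sendmailPath = lib.mkMerge [
-(lib.mkIf (config.services.mail.sendmailSetuidWrapper != null) (lib.mkOptionDefault "/run/wrappers/bin/sendmail"))
-(lib.mkIf (config.services.mail.sendmailSetuidWrapper == null) (lib.mkOptionDefault "/run/current-system/sw/bin/false"))
-];
-users.users.certspotter = {
-group = "certspotter";
-home = "/var/lib/certspotter";
-createHome = true;
-isSystemUser = true;
-# uid = config.ids.uids.certspotter;
-};
-users.groups.certspotter = {
-# gid = config.ids.gids.certspotter;
-};
-systemd.services.certspotter = {
-description = "Cert Spotter - Certificate Transparency Monitor";
-after = [ "network.target" ];
-wantedBy = [ "multi-user.target" ];
-environment.CERTSPOTTER_CONFIG_DIR = pkgs.linkFarm "certspotter-config"
-(lib.toList {
-name = "watchlist";
-path = pkgs.writeText "cerspotter-watchlist" (builtins.concatStringsSep "\n" cfg.watchlist);
-}
-++ lib.optional (cfg.emailRecipients != [ ]) {
-name = "email_recipients";
-path = pkgs.writeText "cerspotter-email_recipients" (builtins.concatStringsSep "\n" cfg.emailRecipients);
-}
-++ lib.optional (cfg.hooks != [ ]) {
-name = "hooks.d";
-path = pkgs.linkFarm "certspotter-hooks" (lib.imap1 (i: path: {
-inherit path;
-name = "hook${toString i}";
-}) cfg.hooks);
-});
-environment.CERTSPOTTER_STATE_DIR = "/var/lib/certspotter";
-serviceConfig = {
-User = "certspotter";
-Group = "certspotter";
-WorkingDirectory = "/var/lib/certspotter";
-ExecStart = "${pkgs.certspotter}/bin/certspotter -sendmail ${cfg.sendmailPath} ${lib.escapeShellArgs cfg.extraFlags}";
-};
-};
-};
-}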
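--- a/[path not shown] common module
+++ b/[path not shown] common module
@@ -93,7 +93,6 @@ in {
 # ISO-8601
 i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
 environment.systemPackages = with pkgs; ([
-bottom
 wget
 git
 tmux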