Compare commits
No commits in common. "67f43298e82768269ee5e4e97b89cc31fa868d2a" and "ac5d7923fac1a29d2c66fc6da4a65b2b90713aca" have entirely different histories.
67f43298e8
...
ac5d7923fa
12
flake.lock
12
flake.lock
|
@ -260,16 +260,16 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1697804921,
|
||||
"narHash": "sha256-PAoThb0U52HGscrU/Qp1GKwidqM6xnWxgovJCXNpjCc=",
|
||||
"owner": "chayleaf",
|
||||
"lastModified": 1696375444,
|
||||
"narHash": "sha256-Sv0ICt/pXfpnFhTGYTsX6lUr1SljnuXWejYTI2ZqHa4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "77ba48251d2b629d347e566c888000a379711ce0",
|
||||
"rev": "81e8f48ebdecf07aab321182011b067aafc78896",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "chayleaf",
|
||||
"ref": "akkoma",
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
|
@ -3,9 +3,9 @@
|
|||
|
||||
inputs = {
|
||||
#nixpkgs.url = "github:nixos/nixpkgs/3dc2b4f8166f744c3b3e9ff8224e7c5d74a5424f";
|
||||
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
nixpkgs.url = "github:chayleaf/nixpkgs/akkoma";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
nixpkgs2.url = "github:nixos/nixpkgs/master";
|
||||
# nixpkgs.url = "github:chayleaf/nixpkgs/ccache2";
|
||||
nixos-hardware.url = "github:NixOS/nixos-hardware";
|
||||
mobile-nixos = {
|
||||
# url = "github:NixOS/mobile-nixos";
|
||||
|
@ -156,7 +156,6 @@
|
|||
./system/devices/radxa-rock5a-server.nix
|
||||
(if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default)
|
||||
./system/modules/scanservjs.nix
|
||||
./system/modules/certspotter.nix
|
||||
];
|
||||
};
|
||||
server-cross = crossConfig server;
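Review bot: The inputs carry two nixpkgs checkouts — `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";` and `nixpkgs2.url = "github:nixos/nixpkgs/master";` — and nothing in the file says which package needs the `master` one. `master` is not gated by Hydra's channel tests the way `nixos-unstable` is, and every `nix flake update` moves it to whatever happens to be at the tip, so a one-line comment naming the consumer and the condition for dropping it (`# master: <pkg> not yet in nixos-unstable, remove once it lands`) would keep the second input from outliving its reason. Which of the two `nixpkgs.url` lines survives is not recoverable from this rendering; the note applies if the `nixos-unstable` + `master` pair is the new side. The `inputs` attrset continues past the hunk.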
|
||||
|
|
1407
pkgs/Cargo.lock
generated
Normal file
1407
pkgs/Cargo.lock
generated
Normal file
File diff suppressed because it is too large
|
@ -1,71 +0,0 @@
|
|||
diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go
|
||||
index 9730789..f2eb081 100644
|
||||
--- a/cmd/certspotter/main.go
|
||||
+++ b/cmd/certspotter/main.go
|
||||
@@ -163,6 +163,7 @@ func main() {
|
||||
logs string
|
||||
noSave bool
|
||||
script string
|
||||
+ sendmail string
|
||||
startAtEnd bool
|
||||
stateDir string
|
||||
stdout bool
|
||||
@@ -176,6 +177,7 @@ func main() {
|
||||
flag.StringVar(&flags.logs, "logs", defaultLogList, "File path or URL of JSON list of logs to monitor")
|
||||
flag.BoolVar(&flags.noSave, "no_save", false, "Do not save a copy of matching certificates in state directory")
|
||||
flag.StringVar(&flags.script, "script", "", "Program to execute when a matching certificate is discovered")
|
||||
+ flag.StringVar(&flags.sendmail, "sendmail", "/usr/sbin/sendmail", "Path to the sendmail-compatible program to use")
|
||||
flag.BoolVar(&flags.startAtEnd, "start_at_end", false, "Start monitoring logs from the end rather than the beginning (saves considerable bandwidth)")
|
||||
flag.StringVar(&flags.stateDir, "state_dir", defaultStateDir(), "Directory for storing log position and discovered certificates")
|
||||
flag.BoolVar(&flags.stdout, "stdout", false, "Write matching certificates to stdout")
|
||||
@@ -201,6 +203,7 @@ func main() {
|
||||
Verbose: flags.verbose,
|
||||
Script: flags.script,
|
||||
ScriptDir: defaultScriptDir(),
|
||||
+ SendmailPath: flags.sendmail,
|
||||
Email: flags.email,
|
||||
Stdout: flags.stdout,
|
||||
HealthCheckInterval: flags.healthcheck,
|
||||
diff --git a/monitor/config.go b/monitor/config.go
|
||||
index 1e0d60c..d1bc430 100644
|
||||
--- a/monitor/config.go
|
||||
+++ b/monitor/config.go
|
||||
@@ -20,6 +20,7 @@ type Config struct {
|
||||
WatchList WatchList
|
||||
Verbose bool
|
||||
SaveCerts bool
|
||||
+ SendmailPath string
|
||||
Script string
|
||||
ScriptDir string
|
||||
Email []string
|
||||
diff --git a/monitor/notify.go b/monitor/notify.go
|
||||
index 8fc6d09..86cabca 100644
|
||||
--- a/monitor/notify.go
|
||||
+++ b/monitor/notify.go
|
||||
@@ -36,7 +36,7 @@ func notify(ctx context.Context, config *Config, notif notification) error {
|
||||
}
|
||||
|
||||
if len(config.Email) > 0 {
|
||||
- if err := sendEmail(ctx, config.Email, notif); err != nil {
|
||||
+ if err := sendEmail(ctx, config.SendmailPath, config.Email, notif); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
@@ -62,7 +62,7 @@ func writeToStdout(notif notification) {
|
||||
os.Stdout.WriteString(notif.Text() + "\n")
|
||||
}
|
||||
|
||||
-func sendEmail(ctx context.Context, to []string, notif notification) error {
|
||||
+func sendEmail(ctx context.Context, sendmailPath string, to []string, notif notification) error {
|
||||
stdin := new(bytes.Buffer)
|
||||
stderr := new(bytes.Buffer)
|
||||
|
||||
@@ -77,7 +77,7 @@ func sendEmail(ctx context.Context, to []string, notif notification) error {
|
||||
args := []string{"-i", "--"}
|
||||
args = append(args, to...)
|
||||
|
||||
- sendmail := exec.CommandContext(ctx, "/usr/sbin/sendmail", args...)
|
||||
+ sendmail := exec.CommandContext(ctx, sendmailPath, args...)
|
||||
sendmail.Stdin = stdin
|
||||
sendmail.Stderr = stderr
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
{ lib
|
||||
, buildGoModule
|
||||
, fetchFromGitHub
|
||||
, lowdown
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "certspotter";
|
||||
version = "0.16.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "SSLMate";
|
||||
repo = "certspotter";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-0+7GWxbV4j2vVdmool8J9hqRqUi8O/yKedCyynWJDkE=";
|
||||
};
|
||||
|
||||
vendorHash = "sha256-haYmWc2FWZNFwMhmSy3DAtj9oW5G82dX0fxpGqI8Hbw=";
|
||||
|
||||
patches = [ ./configurable-sendmail.patch ];
|
||||
|
||||
ldflags = [ "-s" "-w" ];
|
||||
|
||||
nativeBuildInputs = [ lowdown ];
|
||||
|
||||
postInstall = ''
|
||||
cd man
|
||||
make
|
||||
mkdir -p $out/share/man/man8
|
||||
mv *.8 $out/share/man/man8
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "Certificate Transparency Log Monitor";
|
||||
homepage = "https://github.com/SSLMate/certspotter";
|
||||
changelog = "https://github.com/SSLMate/certspotter/blob/${src.rev}/CHANGELOG.md";
|
||||
license = licenses.mpl20;
|
||||
mainProgram = "certspotter";
|
||||
maintainers = with maintainers; [ chayleaf ];
|
||||
};
|
||||
}
|
25
pkgs/chompjs.nix
Normal file
25
pkgs/chompjs.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
# TODO: remove this file when searxng gets updated in nixpkgs
|
||||
{ lib
|
||||
, buildPythonPackage
|
||||
, fetchPypi
|
||||
}:
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "chompjs";
|
||||
version = "1.2.2";
|
||||
format = "setuptools";
|
||||
|
||||
src = fetchPypi {
|
||||
inherit pname version;
|
||||
hash = "sha256-I5PbVinyjO1OF78t9h67lVBM/VsogYoMj3iFZS4WTn8=";
|
||||
};
|
||||
|
||||
pythonImportsCheck = [ "chompjs" ];
|
||||
|
||||
meta = with lib; {
|
||||
description = "Parsing JavaScript objects into Python dictionaries";
|
||||
homepage = "https://pypi.org/project/chompjs/";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ chayleaf ];
|
||||
};
|
||||
}
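Review bot: `meta.homepage` points at the PyPI listing rather than the project's source repository, which is where a reviewer of a pinned sdist would go to compare the tarball, and there is no `changelog`; nixpkgs convention is the upstream repository URL. The `# TODO: remove this file when searxng gets updated in nixpkgs` header would be easier to act on if it named what makes the file obsolete, e.g. `# TODO: remove once nixpkgs' searxng propagates chompjs itself (needed by searxng since <rev/date>)`. The sha256-pinned `fetchPypi` plus `pythonImportsCheck` are fine as they are.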
|
|
@ -60,7 +60,6 @@ in
|
|||
meta = builtins.removeAttrs old.meta [ "broken" ];
|
||||
});
|
||||
|
||||
certspotter = callPackage ./certspotter { };
|
||||
clang-tools_latest = pkgs.clang-tools_16;
|
||||
clang_latest = pkgs.clang_16;
|
||||
/*ghidra = pkgs.ghidra.overrideAttrs (old: {
|
||||
|
@ -91,17 +90,21 @@ in
|
|||
'';
|
||||
};
|
||||
rofi-steam-game-list = callPackage ./rofi-steam-game-list { };
|
||||
scanservjs = callPackage ./scanservjs { };
|
||||
scanservjs = callPackage ./scanservjs.nix { };
|
||||
searxng = pkgs'.python3.pkgs.toPythonModule (pkgs.searxng.overrideAttrs (old: {
|
||||
inherit (sources.searxng) src;
|
||||
version = "unstable-" + sources.searxng.date;
|
||||
propagatedBuildInputs = old.propagatedBuildInputs ++ [
|
||||
(pkgs'.python3.pkgs.callPackage ./chompjs.nix { })
|
||||
];
|
||||
}));
|
||||
# system76-scheduler = callPackage ./system76-scheduler.nix { };
|
||||
techmino = callPackage ./techmino { };
|
||||
|
||||
firefox-addons = lib.recurseIntoAttrs (callPackage ./firefox-addons { inherit nur sources; });
|
||||
mpvScripts = pkgs.mpvScripts // callPackage ./mpv-scripts { };
|
||||
|
||||
qemu_7 = callPackage ./qemu/7.nix {
|
||||
qemu_7 = callPackage ./qemu_7.nix {
|
||||
stdenv = pkgs'.ccacheStdenv;
|
||||
inherit (pkgs.darwin.apple_sdk.frameworks) CoreServices Cocoa Hypervisor vmnet;
|
||||
inherit (pkgs.darwin.stubs) rez setfile;
|
||||
|
@ -115,7 +118,7 @@ in
|
|||
qemu_7_xen_4_15-light = lib.lowPrio (pkgs'.qemu_7.override { hostCpuOnly = true; xenSupport = true; xen = pkgs.xen_4_15-light; });
|
||||
qemu_7_test = lib.lowPrio (pkgs'.qemu_7.override { hostCpuOnly = true; nixosTestRunner = true; });
|
||||
# TODO: when https://gitlab.com/virtio-fs/virtiofsd/-/issues/96 is fixed remove this
|
||||
virtiofsd = callPackage ./qemu/virtiofsd.nix {
|
||||
virtiofsd = callPackage ./qemu_virtiofsd.nix {
|
||||
qemu = pkgs'.qemu_7;
|
||||
};
|
||||
|
||||
|
@ -127,6 +130,5 @@ in
|
|||
stdenv = pkgs'.ccacheStdenv;
|
||||
};
|
||||
}
|
||||
// import ./postgresql-packages { inherit pkgs pkgs' lib sources; }
|
||||
// import ./ccache.nix { inherit pkgs pkgs' lib sources; }
|
||||
// import ../system/hardware/bpi-r3/pkgs.nix { inherit pkgs pkgs' lib sources; }
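Review bot: `pkgs/system76-scheduler.nix` (and the 1407-line `pkgs/Cargo.lock` it loads) is added in this compare, but the only reference to it visible here is the commented-out `# system76-scheduler = callPackage ./system76-scheduler.nix { };` line, so unless something outside this compare imports the file it is dead code that will silently rot — its pinned `ron` fork, `bcc` dependency and D-Bus policy never get built or evaluated. Either uncomment the attribute or drop both files; if it is parked deliberately, say why in the comment, e.g. `# system76-scheduler = callPackage ./system76-scheduler.nix { }; # disabled: <reason>`. The searxng override just above swaps `src` for `sources.searxng` and sets `version = "unstable-" + sources.searxng.date`, keeping `old.propagatedBuildInputs` plus only `chompjs`; whether that list still matches the pinned revision's requirements cannot be seen here and deserves a comment next to the override.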
|
||||
|
|
16
pkgs/kvmfr-linux6_4.patch
Normal file
16
pkgs/kvmfr-linux6_4.patch
Normal file
|
@ -0,0 +1,16 @@
|
|||
diff --git a/kvmfr.c b/kvmfr.c
|
||||
index 121aae5b..2f4c9e1a 100644
|
||||
--- a/kvmfr.c
|
||||
+++ b/kvmfr.c
|
||||
@@ -539,7 +539,11 @@ static int __init kvmfr_module_init(void)
|
||||
if (kvmfr->major < 0)
|
||||
goto out_free;
|
||||
|
||||
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
|
||||
kvmfr->pClass = class_create(THIS_MODULE, KVMFR_DEV_NAME);
|
||||
+#else
|
||||
+ kvmfr->pClass = class_create(KVMFR_DEV_NAME);
|
||||
+#endif
|
||||
if (IS_ERR(kvmfr->pClass))
|
||||
goto out_unreg;
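Review bot: The added `#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)` only compiles if `kvmfr.c` already includes `<linux/version.h>` directly or transitively; the patch does not add it, and with the macro undefined the preprocessor fails on `KERNEL_VERSION(` rather than silently selecting a branch, so confirm the include is present (the rest of the file is not visible here) or add `+#include <linux/version.h>` to the patch near the top of the file. Nothing in the visible `pkgs/default.nix` hunks references `kvmfr-linux6_4.patch`, so where it is applied is also not visible from this compare. `kvmfr_module_init` starts before and continues after the hunk.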
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
{ pkgs
|
||||
, pkgs'
|
||||
, ... }:
|
||||
|
||||
let
|
||||
inherit (pkgs') callPackage;
|
||||
|
||||
extraPackages = {
|
||||
tsja = callPackage ./tsja.nix { };
|
||||
};
|
||||
gen' = postgresql: builtins.mapAttrs (k: v: v.override { inherit postgresql; }) extraPackages;
|
||||
gen = ver: pkgs."postgresql${toString ver}Packages" // gen' pkgs."postgresql_${toString ver}";
|
||||
in {
|
||||
mecab = pkgs.mecab.overrideAttrs (old: {
|
||||
postInstall = ''
|
||||
mkdir -p $out/lib/mecab/dic
|
||||
ln -s ${callPackage /${pkgs.path}/pkgs/tools/text/mecab/ipadic.nix {
|
||||
mecab-nodic = callPackage /${pkgs.path}/pkgs/tools/text/mecab/nodic.nix { };
|
||||
}} $out/lib/mecab/dic/ipadic
|
||||
'';
|
||||
});
|
||||
postgresqlPackages = gen "";
|
||||
postgresql11Packages = gen 11;
|
||||
postgresql12Packages = gen 12;
|
||||
postgresql13Packages = gen 13;
|
||||
postgresql14Packages = gen 14;
|
||||
postgresql15Packages = gen 15;
|
||||
postgresql16Packages = gen 16;
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
{ lib
|
||||
, stdenv
|
||||
, postgresql
|
||||
, mecab
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "tsja";
|
||||
version = "0.5.0";
|
||||
|
||||
src = fetchTarball {
|
||||
url = "https://www.amris.jp/tsja/tsja-${version}.tar.xz";
|
||||
sha256 = "0hx4iygnqw1ay3nwrf3x2izflw4ip9i8i0yny26vivdz862m97w7";
|
||||
};
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace Makefile \
|
||||
--replace /usr/local/pgsql ${postgresql} \
|
||||
--replace -L/usr/local/lib "" \
|
||||
--replace -I/usr/local/include ""
|
||||
substituteInPlace tsja.c --replace /usr/local/lib/mecab ${mecab}/lib/mecab
|
||||
'';
|
||||
|
||||
buildInputs = [ postgresql mecab ];
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/lib $out/share/postgresql/extension
|
||||
cp libtsja.so $out/lib
|
||||
cp dbinit_libtsja.txt $out/share/postgresql/extension/libtsja_dbinit.sql
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "PostgreSQL extension implementing Japanese text search";
|
||||
homepage = "https://www.amris.jp/tsja/index.html";
|
||||
maintainers = with maintainers; [ chayleaf ];
|
||||
platforms = postgresql.meta.platforms;
|
||||
license = licenses.postgresql;
|
||||
};
|
||||
}
|
65
pkgs/system76-scheduler.nix
Normal file
65
pkgs/system76-scheduler.nix
Normal file
|
@ -0,0 +1,65 @@
|
|||
{ lib
|
||||
, fetchFromGitHub
|
||||
, writeText
|
||||
, rustPlatform
|
||||
, pkg-config
|
||||
, dbus
|
||||
, bcc
|
||||
}:
|
||||
|
||||
rustPlatform.buildRustPackage {
|
||||
pname = "system76-scheduler";
|
||||
version = "unstable-2022-11-08";
|
||||
src = fetchFromGitHub {
|
||||
owner = "pop-os";
|
||||
repo = "system76-scheduler";
|
||||
rev = "0fe4d8dfc4275fd856aee28ca942b9fa53229fc9";
|
||||
sha256 = "sha256-uFFJkuMxqcGj6OQShF0zh/FGwX4/ln1l6NwGonkUsNI=";
|
||||
};
|
||||
cargoPatches = [(writeText "ron-rev.diff" ''
|
||||
diff --git i/daemon/Cargo.toml w/daemon/Cargo.toml
|
||||
index 0397788..fbd6202 100644
|
||||
--- i/daemon/Cargo.toml
|
||||
+++ w/daemon/Cargo.toml
|
||||
@@ -33,7 +33,7 @@ clap = { version = "3.1.18", features = ["cargo"] }
|
||||
# Necessary for deserialization of untagged enums in assignments.
|
||||
[dependencies.ron]
|
||||
git = "https://github.com/MomoLangenstein/ron"
|
||||
-branch = "253-untagged-enums"
|
||||
+rev = "afb960bb8b0402a79260533aa3b9d87a8abae72b"
|
||||
|
||||
[dependencies.tracing-subscriber]
|
||||
version = "0.3.11"
|
||||
diff --git i/Cargo.lock w/Cargo.lock
|
||||
index a782756..fe56c1f 100644
|
||||
--- i/Cargo.lock
|
||||
+++ w/Cargo.lock
|
||||
@@ -788,7 +788,7 @@ dependencies = [
|
||||
[[package]]
|
||||
name = "ron"
|
||||
version = "0.8.0"
|
||||
-source = "git+https://github.com/MomoLangenstein/ron?branch=253-untagged-enums#afb960bb8b0402a79260533aa3b9d87a8abae72b"
|
||||
+source = "git+https://github.com/MomoLangenstein/ron?rev=afb960bb8b0402a79260533aa3b9d87a8abae72b#afb960bb8b0402a79260533aa3b9d87a8abae72b"
|
||||
dependencies = [
|
||||
"base64",
|
||||
"bitflags",
|
||||
'')];
|
||||
cargoSha256 = "sha256-tY7o09Nu1/Lbn//5+iecUmV67Aw1QvVLdUaD8DDgKi0=";
|
||||
cargoLock.lockFile = ./Cargo.lock;
|
||||
cargoLock.outputHashes."ron-0.8.0" = "sha256-k+LuTEq97/DohcsulXoLXWqFLzPUzIR1D5pGru+M5Ew=";
|
||||
nativeBuildInputs = [ pkg-config ];
|
||||
buildInputs = [ dbus ];
|
||||
EXECSNOOP_PATH = "${bcc}/bin/execsnoop";
|
||||
postInstall = ''
|
||||
install -D -m 0644 data/com.system76.Scheduler.conf $out/etc/dbus-1/system.d/com.system76.Scheduler.conf
|
||||
mkdir -p $out/etc/system76-scheduler
|
||||
install -D -m 0644 data/*.ron $out/etc/system76-scheduler/
|
||||
'';
|
||||
|
||||
meta = {
|
||||
description = "System76 Scheduler";
|
||||
homepage = "https://github.com/pop-os/system76-scheduler";
|
||||
license = lib.licenses.mpl20;
|
||||
platforms = [ "i686-linux" "x86_64-linux" ];
|
||||
};
|
||||
}
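Review bot: Both `cargoSha256 = "sha256-tY7o09Nu1/Lbn//5+iecUmV67Aw1QvVLdUaD8DDgKi0=";` and `cargoLock.lockFile = ./Cargo.lock;` are set; as far as I recall of `buildRustPackage`, a `cargoLock` takes precedence and the fixed-output vendor hash is then ignored (worth confirming against the nixpkgs revision pinned in `flake.lock`), so one of the two lines is dead and a reader cannot tell which pin actually guards the vendored sources. Drop `cargoSha256` and keep the `cargoLock` path, since it is the one whose `outputHashes."ron-0.8.0"` pins the content of the git fork that the `cargoPatches` entry switches from `branch` to `rev`. `meta` also lacks `maintainers` and `mainProgram`.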
|
|
@ -1,5 +1,4 @@
|
|||
{ hardware
|
||||
, pkgs
|
||||
, ... }:
|
||||
|
||||
{
|
||||
|
@ -13,7 +12,6 @@
|
|||
common.resolution = "1920x1080";
|
||||
vfio.pciIDs = [ "1002:73df" "1002:ab28" ];
|
||||
boot = {
|
||||
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
|
||||
initrd.availableKernelModules = [ "nvme" "xhci_pci" ];
|
||||
kernelParams = [
|
||||
# disable PSR to *hopefully* avoid random hangs
|
||||
|
@ -53,19 +51,4 @@
|
|||
};
|
||||
})
|
||||
];
|
||||
specialisation.no_patches.configuration = {
|
||||
nixpkgs.overlays = [
|
||||
(final: prev: {
|
||||
amd-ucode = prev.amd-ucode.override { inherit (final) linux-firmware; };
|
||||
linux-firmware = prev.stdenvNoCC.mkDerivation {
|
||||
inherit (prev.linux-firmware) pname version meta src;
|
||||
dontFixup = true;
|
||||
passthru = { inherit (prev.linux-firmware) version; };
|
||||
installFlags = [ "DESTDIR=$(out)" ];
|
||||
patches = [ ];
|
||||
postPatch = "";
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -282,7 +282,6 @@ in {
|
|||
];
|
||||
router-settings.dhcp6Reservations = [
|
||||
{ ipAddress = serverAddress6;
|
||||
duid = cfg.serverDuid;
|
||||
macAddress = cfg.serverMac; }
|
||||
{ ipAddress = vacuumAddress6;
|
||||
macAddress = cfg.vacuumMac; }
|
||||
|
@ -435,11 +434,11 @@ in {
|
|||
gateways = [ netAddresses.lan6 ];
|
||||
radvdSettings.AdvAutonomous = true;
|
||||
coreradSettings.autonomous = true;
|
||||
# don't allocate addresses for most devices
|
||||
# don't autoallocate addresses, keep autonomous ones
|
||||
keaSettings.pools = [ ];
|
||||
# just assign the reservations
|
||||
keaSettings.reservations = map (res:
|
||||
(if res.duid != null then { duid = res.duid; } else { hw-address = res.macAddress; }) // {
|
||||
keaSettings.reservations = map (res: {
|
||||
hw-address = res.macAddress;
|
||||
ip-addresses = [ res.ipAddress ];
|
||||
}) cfg.dhcp6Reservations;
|
||||
});
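Review bot: DHCPv6 reservations are matched only on `hw-address` (`keaSettings.reservations = map (res: { hw-address = res.macAddress; ip-addresses = [ res.ipAddress ]; })`), but DHCPv6 carries no MAC address on the wire — Kea has to infer it from the client's link-local address or relay options, which fails for hosts with randomized link-local addresses or when no relay is involved, depending on the `mac-sources` Kea is configured with. Because `keaSettings.pools = [ ]`, a host whose MAC cannot be inferred gets no reservation and no address at all, with nothing logged on the NixOS side. Consider accepting a DUID per reservation as well (emitting `{ duid = …; }` instead of `{ hw-address = …; }` when one is given) and documenting the expected `mac-sources` next to the `# just assign the reservations` comment. The enclosing attrset starts before this hunk.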
|
||||
|
|
|
@ -13,11 +13,6 @@
|
|||
description = "server's mac address";
|
||||
type = lib.types.str;
|
||||
};
|
||||
serverDuid = lib.mkOption {
|
||||
description = "server's duid";
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
};
|
||||
serverInitrdMac = lib.mkOption {
|
||||
description = "server's mac address in initrd";
|
||||
type = lib.types.str;
|
||||
|
@ -97,15 +92,9 @@
|
|||
description = "device's ip address";
|
||||
};
|
||||
options.macAddress = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
type = lib.types.str;
|
||||
description = "device's mac address";
|
||||
};
|
||||
options.duid = lib.mkOption {
|
||||
type = with lib.types; nullOr str;
|
||||
default = null;
|
||||
description = "device's duid";
|
||||
};
|
||||
});
|
||||
};
|
||||
dnatRules = lib.mkOption {
|
||||
|
|
|
@ -82,7 +82,6 @@ in {
|
|||
|
||||
services.postgresql.enable = true;
|
||||
services.postgresql.package = pkgs.postgresql_13;
|
||||
services.postgresql.extraPlugins = with pkgs.postgresql13Packages; [ tsja ];
|
||||
|
||||
# SSH
|
||||
services.openssh.enable = true;
|
||||
|
@ -278,27 +277,12 @@ in {
|
|||
https = true;
|
||||
};
|
||||
|
||||
# AKKOMA
|
||||
# TODO: remove this in 2024
|
||||
services.nginx.virtualHosts."pleroma.${cfg.domainName}" = {
|
||||
quic = true;
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
serverAliases = [ "akkoma.${cfg.domainName}" ];
|
||||
locations."/".return = "301 https://fedi.${cfg.domainName}$request_uri";
|
||||
};
|
||||
|
||||
services.akkoma = {
|
||||
enable = true;
|
||||
dist.extraFlags = [
|
||||
"+sbwt" "none"
|
||||
"+sbwtdcpu" "none"
|
||||
"+sbwtdio" "none"
|
||||
];
|
||||
config.":pleroma"."Pleroma.Web.Endpoint" = {
|
||||
url = {
|
||||
scheme = "https";
|
||||
host = "fedi.${cfg.domainName}";
|
||||
host = "pleroma.${cfg.domainName}";
|
||||
port = 443;
|
||||
};
|
||||
secret_key_base._secret = "/secrets/akkoma/secret_key_base";
|
||||
|
@ -310,7 +294,7 @@ in {
|
|||
'';
|
||||
initDb = {
|
||||
enable = false;
|
||||
username = "akkoma";
|
||||
username = "pleroma";
|
||||
password._secret = "/secrets/akkoma/postgres_password";
|
||||
};
|
||||
config.":pleroma".":instance" = {
|
||||
|
@ -323,9 +307,9 @@ in {
|
|||
};
|
||||
config.":pleroma"."Pleroma.Repo" = {
|
||||
adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
|
||||
username = "akkoma";
|
||||
username = "pleroma";
|
||||
password._secret = "/secrets/akkoma/postgres_password";
|
||||
database = "akkoma";
|
||||
database = "pleroma";
|
||||
hostname = "localhost";
|
||||
};
|
||||
config.":web_push_encryption".":vapid_details" = {
|
||||
|
@ -335,38 +319,20 @@ in {
|
|||
};
|
||||
config.":joken".":default_signer"._secret = "/secrets/akkoma/joken_signer";
|
||||
nginx = {
|
||||
serverAliases = [ "akkoma.${cfg.domainName}" ];
|
||||
quic = true;
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
systemd.services.akkoma = {
|
||||
path = [ pkgs.exiftool pkgs.gawk ];
|
||||
serviceConfig.Restart = "on-failure";
|
||||
unitConfig = {
|
||||
systemd.services.akkoma.path = [ pkgs.exiftool pkgs.gawk ];
|
||||
systemd.services.akkoma.serviceConfig = {
|
||||
Restart = "on-failure";
|
||||
};
|
||||
systemd.services.akkoma.unitConfig = {
|
||||
StartLimitIntervalSec = 60;
|
||||
StartLimitBurst = 3;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.certspotter.extraGroups = [ "acme" ];
|
||||
services.certspotter = {
|
||||
enable = true;
|
||||
watchlist = [ ".pavluk.org" ];
|
||||
hooks = let
|
||||
openssl = "${pkgs.openssl.bin}/bin/openssl";
|
||||
in lib.toList (pkgs.writeShellScript "certspotter-hook" ''
|
||||
if [[ "$EVENT" == discovered_cert ]]; then
|
||||
mkdir -p /var/lib/certspotter/allowed_tbs
|
||||
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
|
||||
hash="$(${openssl} x509 -in "$cert" -pubkey -noout | ${openssl} pkey -pubin -outform DER | ${openssl} sha256 | cut -d" " -f2)"
|
||||
touch "/var/lib/certspotter/allowed_tbs/$hash"
|
||||
done
|
||||
[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0
|
||||
fi
|
||||
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName}
|
||||
'');
|
||||
};
|
||||
|
||||
/*locations."/dns-query".extraConfig = ''
|
||||
grpc_pass grpc://127.0.0.1:53453;
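Review bot: The akkoma nginx block serves the instance under a second hostname via `serverAliases = [ "akkoma.${cfg.domainName}" ];` while `Pleroma.Web.Endpoint.url.host` is `pleroma.${cfg.domainName}`; every absolute URL the app generates points at the canonical host, and Phoenix's default origin check only accepts the endpoint's configured host, so WebSocket streaming opened from the alias origin may be refused unless Akkoma sets `check_origin` itself. A redirect is the safer way to keep the old name: a separate virtualHost with `locations."/".return = "301 https://pleroma.${cfg.domainName}$request_uri";` and no alias on the app vhost. Which side of the compare the `serverAliases` line belongs to is not recoverable from this rendering, so treat this as applying if it survives on the new side. The `services.akkoma` attrset starts before this hunk.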
|
||||
|
|
|
@ -1,112 +0,0 @@
|
|||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.certspotter;
|
||||
in {
|
||||
options.services.certspotter = {
|
||||
enable = lib.mkEnableOption "Cert Spotter, a Certificate Transparency log monitor";
|
||||
sendmailPath = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
Path to the `sendmail` binary. By default, the local sendmail wrapper is used
|
||||
(see `config.services.mail.sendmailSetuidWrapper`).
|
||||
'';
|
||||
example = lib.literalExpression ''"''${pkgs.system-sendmail}/bin/sendmail"'';
|
||||
};
|
||||
watchlist = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = "Domain names to watch. To monitor a domain with all subdomains, prefix its name with `.` (e.g. `.example.org`).";
|
||||
default = [ ];
|
||||
example = [ ".example.org" "another.example.com" ];
|
||||
};
|
||||
emailRecipients = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = "A list of email addresses to send certificate updates to.";
|
||||
default = [ ];
|
||||
};
|
||||
hooks = lib.mkOption {
|
||||
type = with lib.types; listOf path;
|
||||
description = ''
|
||||
Scripts to run upon the detection of a new certificate. See `man 8 certspotter-script` or [the GitHub page](https://github.com/SSLMate/certspotter/blob/master/man/certspotter-script.md) for more info.
|
||||
'';
|
||||
default = [];
|
||||
example = lib.literalExpression ''
|
||||
[
|
||||
(pkgs.writeShellScript "certspotter-hook" '''
|
||||
echo "Event summary: $SUMMARY."
|
||||
''')
|
||||
]
|
||||
'';
|
||||
};
|
||||
extraFlags = lib.mkOption {
|
||||
type = with lib.types; listOf str;
|
||||
description = "Extra command-line arguments to pass to Cert Spotter";
|
||||
example = [ "-start_at_end" ];
|
||||
default = [ ];
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.watchlist != [ ];
|
||||
message = "You must specify at least one domain for Cert Spotter to watch";
|
||||
}
|
||||
{
|
||||
assertion = cfg.hooks != [] || cfg.emailRecipients != [];
|
||||
message = "You must specify at least one hook or email recipient for Cert Spotter";
|
||||
}
|
||||
{
|
||||
assertion = (cfg.emailRecipients != []) -> (cfg.sendmailPath != "/run/current-system/sw/bin/false");
|
||||
message = ''
|
||||
You must configure the sendmail setuid wrapper (services.mail.sendmailSetuidWrapper)
|
||||
or services.certspotter.sendmailPath
|
||||
'';
|
||||
}
|
||||
];
|
||||
services.certspotter.sendmailPath = lib.mkMerge [
|
||||
(lib.mkIf (config.services.mail.sendmailSetuidWrapper != null) (lib.mkOptionDefault "/run/wrappers/bin/sendmail"))
|
||||
(lib.mkIf (config.services.mail.sendmailSetuidWrapper == null) (lib.mkOptionDefault "/run/current-system/sw/bin/false"))
|
||||
];
|
||||
users.users.certspotter = {
|
||||
group = "certspotter";
|
||||
home = "/var/lib/certspotter";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
# uid = config.ids.uids.certspotter;
|
||||
};
|
||||
users.groups.certspotter = {
|
||||
# gid = config.ids.gids.certspotter;
|
||||
};
|
||||
systemd.services.certspotter = {
|
||||
description = "Cert Spotter - Certificate Transparency Monitor";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
environment.CERTSPOTTER_CONFIG_DIR = pkgs.linkFarm "certspotter-config"
|
||||
(lib.toList {
|
||||
name = "watchlist";
|
||||
path = pkgs.writeText "cerspotter-watchlist" (builtins.concatStringsSep "\n" cfg.watchlist);
|
||||
}
|
||||
++ lib.optional (cfg.emailRecipients != [ ]) {
|
||||
name = "email_recipients";
|
||||
path = pkgs.writeText "cerspotter-email_recipients" (builtins.concatStringsSep "\n" cfg.emailRecipients);
|
||||
}
|
||||
++ lib.optional (cfg.hooks != [ ]) {
|
||||
name = "hooks.d";
|
||||
path = pkgs.linkFarm "certspotter-hooks" (lib.imap1 (i: path: {
|
||||
inherit path;
|
||||
name = "hook${toString i}";
|
||||
}) cfg.hooks);
|
||||
});
|
||||
environment.CERTSPOTTER_STATE_DIR = "/var/lib/certspotter";
|
||||
serviceConfig = {
|
||||
User = "certspotter";
|
||||
Group = "certspotter";
|
||||
WorkingDirectory = "/var/lib/certspotter";
|
||||
ExecStart = "${pkgs.certspotter}/bin/certspotter -sendmail ${cfg.sendmailPath} ${lib.escapeShellArgs cfg.extraFlags}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -93,7 +93,6 @@ in {
|
|||
# ISO-8601
|
||||
i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
|
||||
environment.systemPackages = with pkgs; ([
|
||||
bottom
|
||||
wget
|
||||
git
|
||||
tmux
|
||||
|
|