Compare commits


4 commits

20 changed files with 385 additions and 1543 deletions


@ -260,16 +260,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1696375444,
"narHash": "sha256-Sv0ICt/pXfpnFhTGYTsX6lUr1SljnuXWejYTI2ZqHa4=",
"owner": "nixos",
"lastModified": 1697804921,
"narHash": "sha256-PAoThb0U52HGscrU/Qp1GKwidqM6xnWxgovJCXNpjCc=",
"owner": "chayleaf",
"repo": "nixpkgs",
"rev": "81e8f48ebdecf07aab321182011b067aafc78896",
"rev": "77ba48251d2b629d347e566c888000a379711ce0",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"owner": "chayleaf",
"ref": "akkoma",
"repo": "nixpkgs",
"type": "github"
}


@ -3,9 +3,9 @@
inputs = {
#nixpkgs.url = "github:nixos/nixpkgs/3dc2b4f8166f744c3b3e9ff8224e7c5d74a5424f";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:chayleaf/nixpkgs/akkoma";
nixpkgs2.url = "github:nixos/nixpkgs/master";
# nixpkgs.url = "github:chayleaf/nixpkgs/ccache2";
nixos-hardware.url = "github:NixOS/nixos-hardware";
mobile-nixos = {
# url = "github:NixOS/mobile-nixos";
@ -156,6 +156,7 @@
./system/devices/radxa-rock5a-server.nix
(if devMaubot then import /${devPath}/maubot.nix/module else maubot.nixosModules.default)
./system/modules/scanservjs.nix
./system/modules/certspotter.nix
];
};
server-cross = crossConfig server;
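Review bot: The `nixpkgs` input now tracks the `akkoma` branch of a personal fork with no comment saying what it carries beyond `nixos-unstable` or when to move back, while the commented-out lines next to it (a pinned upstream rev, a `ccache2` fork branch) suggest this is a recurring temporary swap. A one-line note beside the new url keeps the dependency auditable, e.g. `# temporary: carries akkoma changes not yet in nixos-unstable; revert to github:nixos/nixpkgs/nixos-unstable once merged` — adjust the reason to what the branch actually contains. The `flake.lock` hunk pins the fork to a specific rev, so reproducibility is unaffected; the concern is only that future `nix flake update` runs follow a branch outside the upstream review process.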

pkgs/Cargo.lock generated



@ -0,0 +1,71 @@
diff --git a/cmd/certspotter/main.go b/cmd/certspotter/main.go
index 9730789..f2eb081 100644
--- a/cmd/certspotter/main.go
+++ b/cmd/certspotter/main.go
@@ -163,6 +163,7 @@ func main() {
logs string
noSave bool
script string
+ sendmail string
startAtEnd bool
stateDir string
stdout bool
@@ -176,6 +177,7 @@ func main() {
flag.StringVar(&flags.logs, "logs", defaultLogList, "File path or URL of JSON list of logs to monitor")
flag.BoolVar(&flags.noSave, "no_save", false, "Do not save a copy of matching certificates in state directory")
flag.StringVar(&flags.script, "script", "", "Program to execute when a matching certificate is discovered")
+ flag.StringVar(&flags.sendmail, "sendmail", "/usr/sbin/sendmail", "Path to the sendmail-compatible program to use")
flag.BoolVar(&flags.startAtEnd, "start_at_end", false, "Start monitoring logs from the end rather than the beginning (saves considerable bandwidth)")
flag.StringVar(&flags.stateDir, "state_dir", defaultStateDir(), "Directory for storing log position and discovered certificates")
flag.BoolVar(&flags.stdout, "stdout", false, "Write matching certificates to stdout")
@@ -201,6 +203,7 @@ func main() {
Verbose: flags.verbose,
Script: flags.script,
ScriptDir: defaultScriptDir(),
+ SendmailPath: flags.sendmail,
Email: flags.email,
Stdout: flags.stdout,
HealthCheckInterval: flags.healthcheck,
diff --git a/monitor/config.go b/monitor/config.go
index 1e0d60c..d1bc430 100644
--- a/monitor/config.go
+++ b/monitor/config.go
@@ -20,6 +20,7 @@ type Config struct {
WatchList WatchList
Verbose bool
SaveCerts bool
+ SendmailPath string
Script string
ScriptDir string
Email []string
diff --git a/monitor/notify.go b/monitor/notify.go
index 8fc6d09..86cabca 100644
--- a/monitor/notify.go
+++ b/monitor/notify.go
@@ -36,7 +36,7 @@ func notify(ctx context.Context, config *Config, notif notification) error {
}
if len(config.Email) > 0 {
- if err := sendEmail(ctx, config.Email, notif); err != nil {
+ if err := sendEmail(ctx, config.SendmailPath, config.Email, notif); err != nil {
return err
}
}
@@ -62,7 +62,7 @@ func writeToStdout(notif notification) {
os.Stdout.WriteString(notif.Text() + "\n")
}
-func sendEmail(ctx context.Context, to []string, notif notification) error {
+func sendEmail(ctx context.Context, sendmailPath string, to []string, notif notification) error {
stdin := new(bytes.Buffer)
stderr := new(bytes.Buffer)
@@ -77,7 +77,7 @@ func sendEmail(ctx context.Context, to []string, notif notification) error {
args := []string{"-i", "--"}
args = append(args, to...)
- sendmail := exec.CommandContext(ctx, "/usr/sbin/sendmail", args...)
+ sendmail := exec.CommandContext(ctx, sendmailPath, args...)
sendmail.Stdin = stdin
sendmail.Stderr = stderr
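Review bot: `sendEmail` now fails outright when `Config.SendmailPath` is left empty, because `exec.CommandContext(ctx, sendmailPath, args...)` with an empty program name cannot be started; before this patch the path was fixed, so any constructor of `monitor.Config` other than the patched `main.go` silently loses email notifications. Falling back to the old default inside `sendEmail` keeps the new field backward-compatible: `if sendmailPath == "" { sendmailPath = "/usr/sbin/sendmail" }` just before the `exec.CommandContext` call. A relative value is presumably resolved through `PATH` by `exec`, which is worth stating in the `-sendmail` flag help and in a doc comment on the new field, which the `config.go` hunk leaves undocumented (`// SendmailPath is the sendmail-compatible program used to deliver Email notifications.`). The bodies of `main` and `sendEmail` continue outside these hunks.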


@ -0,0 +1,41 @@
{ lib
, buildGoModule
, fetchFromGitHub
, lowdown
}:
buildGoModule rec {
pname = "certspotter";
version = "0.16.0";
src = fetchFromGitHub {
owner = "SSLMate";
repo = "certspotter";
rev = "v${version}";
hash = "sha256-0+7GWxbV4j2vVdmool8J9hqRqUi8O/yKedCyynWJDkE=";
};
vendorHash = "sha256-haYmWc2FWZNFwMhmSy3DAtj9oW5G82dX0fxpGqI8Hbw=";
patches = [ ./configurable-sendmail.patch ];
ldflags = [ "-s" "-w" ];
nativeBuildInputs = [ lowdown ];
postInstall = ''
cd man
make
mkdir -p $out/share/man/man8
mv *.8 $out/share/man/man8
'';
meta = with lib; {
description = "Certificate Transparency Log Monitor";
homepage = "https://github.com/SSLMate/certspotter";
changelog = "https://github.com/SSLMate/certspotter/blob/${src.rev}/CHANGELOG.md";
license = licenses.mpl20;
mainProgram = "certspotter";
maintainers = with maintainers; [ chayleaf ];
};
}


@ -1,25 +0,0 @@
# TODO: remove this file when searxng gets updated in nixpkgs
{ lib
, buildPythonPackage
, fetchPypi
}:
buildPythonPackage rec {
pname = "chompjs";
version = "1.2.2";
format = "setuptools";
src = fetchPypi {
inherit pname version;
hash = "sha256-I5PbVinyjO1OF78t9h67lVBM/VsogYoMj3iFZS4WTn8=";
};
pythonImportsCheck = [ "chompjs" ];
meta = with lib; {
description = "Parsing JavaScript objects into Python dictionaries";
homepage = "https://pypi.org/project/chompjs/";
license = licenses.mit;
maintainers = with maintainers; [ chayleaf ];
};
}


@ -60,6 +60,7 @@ in
meta = builtins.removeAttrs old.meta [ "broken" ];
});
certspotter = callPackage ./certspotter { };
clang-tools_latest = pkgs.clang-tools_16;
clang_latest = pkgs.clang_16;
/*ghidra = pkgs.ghidra.overrideAttrs (old: {
@ -90,21 +91,17 @@ in
'';
};
rofi-steam-game-list = callPackage ./rofi-steam-game-list { };
scanservjs = callPackage ./scanservjs.nix { };
scanservjs = callPackage ./scanservjs { };
searxng = pkgs'.python3.pkgs.toPythonModule (pkgs.searxng.overrideAttrs (old: {
inherit (sources.searxng) src;
version = "unstable-" + sources.searxng.date;
propagatedBuildInputs = old.propagatedBuildInputs ++ [
(pkgs'.python3.pkgs.callPackage ./chompjs.nix { })
];
}));
# system76-scheduler = callPackage ./system76-scheduler.nix { };
techmino = callPackage ./techmino { };
firefox-addons = lib.recurseIntoAttrs (callPackage ./firefox-addons { inherit nur sources; });
mpvScripts = pkgs.mpvScripts // callPackage ./mpv-scripts { };
qemu_7 = callPackage ./qemu_7.nix {
qemu_7 = callPackage ./qemu/7.nix {
stdenv = pkgs'.ccacheStdenv;
inherit (pkgs.darwin.apple_sdk.frameworks) CoreServices Cocoa Hypervisor vmnet;
inherit (pkgs.darwin.stubs) rez setfile;
@ -118,7 +115,7 @@ in
qemu_7_xen_4_15-light = lib.lowPrio (pkgs'.qemu_7.override { hostCpuOnly = true; xenSupport = true; xen = pkgs.xen_4_15-light; });
qemu_7_test = lib.lowPrio (pkgs'.qemu_7.override { hostCpuOnly = true; nixosTestRunner = true; });
# TODO: when https://gitlab.com/virtio-fs/virtiofsd/-/issues/96 is fixed remove this
virtiofsd = callPackage ./qemu_virtiofsd.nix {
virtiofsd = callPackage ./qemu/virtiofsd.nix {
qemu = pkgs'.qemu_7;
};
@ -130,5 +127,6 @@ in
stdenv = pkgs'.ccacheStdenv;
};
}
// import ./postgresql-packages { inherit pkgs pkgs' lib sources; }
// import ./ccache.nix { inherit pkgs pkgs' lib sources; }
// import ../system/hardware/bpi-r3/pkgs.nix { inherit pkgs pkgs' lib sources; }


@ -1,16 +0,0 @@
diff --git a/kvmfr.c b/kvmfr.c
index 121aae5b..2f4c9e1a 100644
--- a/kvmfr.c
+++ b/kvmfr.c
@@ -539,7 +539,11 @@ static int __init kvmfr_module_init(void)
if (kvmfr->major < 0)
goto out_free;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
kvmfr->pClass = class_create(THIS_MODULE, KVMFR_DEV_NAME);
+#else
+ kvmfr->pClass = class_create(KVMFR_DEV_NAME);
+#endif
if (IS_ERR(kvmfr->pClass))
goto out_unreg;


@ -0,0 +1,29 @@
{ pkgs
, pkgs'
, ... }:
let
inherit (pkgs') callPackage;
extraPackages = {
tsja = callPackage ./tsja.nix { };
};
gen' = postgresql: builtins.mapAttrs (k: v: v.override { inherit postgresql; }) extraPackages;
gen = ver: pkgs."postgresql${toString ver}Packages" // gen' pkgs."postgresql_${toString ver}";
in {
mecab = pkgs.mecab.overrideAttrs (old: {
postInstall = ''
mkdir -p $out/lib/mecab/dic
ln -s ${callPackage /${pkgs.path}/pkgs/tools/text/mecab/ipadic.nix {
mecab-nodic = callPackage /${pkgs.path}/pkgs/tools/text/mecab/nodic.nix { };
}} $out/lib/mecab/dic/ipadic
'';
});
postgresqlPackages = gen "";
postgresql11Packages = gen 11;
postgresql12Packages = gen 12;
postgresql13Packages = gen 13;
postgresql14Packages = gen 14;
postgresql15Packages = gen 15;
postgresql16Packages = gen 16;
}
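Review bot: `postgresqlPackages = gen "";` resolves to `gen' pkgs."postgresql_"`, because `toString ""` leaves the `_` suffix in the attribute name, so `postgresqlPackages.tsja` fails with a missing-attribute error as soon as its `postgresql` argument is forced (unless `pkgs` defines a `postgresql_` alias, which upstream nixpkgs does not as far as I know). Build the name conditionally: `gen = ver: pkgs."postgresql${toString ver}Packages" // gen' pkgs."postgresql${pkgs.lib.optionalString (ver != "") "_${toString ver}"}";`. The `mecab` override also `callPackage`s files by path inside `pkgs.path`, which ties this overlay to nixpkgs' internal directory layout — a comment saying why `pkgs.mecab` alone is insufficient would help the next reader.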


@ -0,0 +1,39 @@
{ lib
, stdenv
, postgresql
, mecab
}:
stdenv.mkDerivation rec {
pname = "tsja";
version = "0.5.0";
src = fetchTarball {
url = "https://www.amris.jp/tsja/tsja-${version}.tar.xz";
sha256 = "0hx4iygnqw1ay3nwrf3x2izflw4ip9i8i0yny26vivdz862m97w7";
};
postPatch = ''
substituteInPlace Makefile \
--replace /usr/local/pgsql ${postgresql} \
--replace -L/usr/local/lib "" \
--replace -I/usr/local/include ""
substituteInPlace tsja.c --replace /usr/local/lib/mecab ${mecab}/lib/mecab
'';
buildInputs = [ postgresql mecab ];
installPhase = ''
mkdir -p $out/lib $out/share/postgresql/extension
cp libtsja.so $out/lib
cp dbinit_libtsja.txt $out/share/postgresql/extension/libtsja_dbinit.sql
'';
meta = with lib; {
description = "PostgreSQL extension implementing Japanese text search";
homepage = "https://www.amris.jp/tsja/index.html";
maintainers = with maintainers; [ chayleaf ];
platforms = postgresql.meta.platforms;
license = licenses.postgresql;
};
}
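Review bot: `src` uses the `fetchTarball` builtin, which downloads at evaluation time outside the build sandbox and is refused under restricted evaluation, unlike every other package in this commit (`fetchFromGitHub`, `fetchPypi`); `fetchurl` from the stdenv arguments keeps the download a sandboxed fixed-output derivation. The hash must be recomputed, since `fetchTarball`'s `sha256` covers the unpacked tree rather than the archive. Separately, `installPhase` omits `runHook preInstall` and `runHook postInstall`, so hooks from overrides and setup hooks are silently skipped; adding those two lines around the copy restores the stdenv contract.
```nix
{ lib
, stdenv
, fetchurl
, postgresql
, mecab
}:
stdenv.mkDerivation rec {
  # … unchanged: pname, version …
  src = fetchurl {
    url = "https://www.amris.jp/tsja/tsja-${version}.tar.xz";
    hash = "<RECOMPUTED_SRI_HASH>";
  };
  # … unchanged: postPatch, buildInputs, installPhase, meta …
```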


@ -1,65 +0,0 @@
{ lib
, fetchFromGitHub
, writeText
, rustPlatform
, pkg-config
, dbus
, bcc
}:
rustPlatform.buildRustPackage {
pname = "system76-scheduler";
version = "unstable-2022-11-08";
src = fetchFromGitHub {
owner = "pop-os";
repo = "system76-scheduler";
rev = "0fe4d8dfc4275fd856aee28ca942b9fa53229fc9";
sha256 = "sha256-uFFJkuMxqcGj6OQShF0zh/FGwX4/ln1l6NwGonkUsNI=";
};
cargoPatches = [(writeText "ron-rev.diff" ''
diff --git i/daemon/Cargo.toml w/daemon/Cargo.toml
index 0397788..fbd6202 100644
--- i/daemon/Cargo.toml
+++ w/daemon/Cargo.toml
@@ -33,7 +33,7 @@ clap = { version = "3.1.18", features = ["cargo"] }
# Necessary for deserialization of untagged enums in assignments.
[dependencies.ron]
git = "https://github.com/MomoLangenstein/ron"
-branch = "253-untagged-enums"
+rev = "afb960bb8b0402a79260533aa3b9d87a8abae72b"
[dependencies.tracing-subscriber]
version = "0.3.11"
diff --git i/Cargo.lock w/Cargo.lock
index a782756..fe56c1f 100644
--- i/Cargo.lock
+++ w/Cargo.lock
@@ -788,7 +788,7 @@ dependencies = [
[[package]]
name = "ron"
version = "0.8.0"
-source = "git+https://github.com/MomoLangenstein/ron?branch=253-untagged-enums#afb960bb8b0402a79260533aa3b9d87a8abae72b"
+source = "git+https://github.com/MomoLangenstein/ron?rev=afb960bb8b0402a79260533aa3b9d87a8abae72b#afb960bb8b0402a79260533aa3b9d87a8abae72b"
dependencies = [
"base64",
"bitflags",
'')];
cargoSha256 = "sha256-tY7o09Nu1/Lbn//5+iecUmV67Aw1QvVLdUaD8DDgKi0=";
cargoLock.lockFile = ./Cargo.lock;
cargoLock.outputHashes."ron-0.8.0" = "sha256-k+LuTEq97/DohcsulXoLXWqFLzPUzIR1D5pGru+M5Ew=";
nativeBuildInputs = [ pkg-config ];
buildInputs = [ dbus ];
EXECSNOOP_PATH = "${bcc}/bin/execsnoop";
postInstall = ''
install -D -m 0644 data/com.system76.Scheduler.conf $out/etc/dbus-1/system.d/com.system76.Scheduler.conf
mkdir -p $out/etc/system76-scheduler
install -D -m 0644 data/*.ron $out/etc/system76-scheduler/
'';
meta = {
description = "System76 Scheduler";
homepage = "https://github.com/pop-os/system76-scheduler";
license = lib.licenses.mpl20;
platforms = [ "i686-linux" "x86_64-linux" ];
};
}


@ -1,4 +1,5 @@
{ hardware
, pkgs
, ... }:
{
@ -12,6 +13,7 @@
common.resolution = "1920x1080";
vfio.pciIDs = [ "1002:73df" "1002:ab28" ];
boot = {
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
initrd.availableKernelModules = [ "nvme" "xhci_pci" ];
kernelParams = [
# disable PSR to *hopefully* avoid random hangs
@ -51,4 +53,19 @@
};
})
];
specialisation.no_patches.configuration = {
nixpkgs.overlays = [
(final: prev: {
amd-ucode = prev.amd-ucode.override { inherit (final) linux-firmware; };
linux-firmware = prev.stdenvNoCC.mkDerivation {
inherit (prev.linux-firmware) pname version meta src;
dontFixup = true;
passthru = { inherit (prev.linux-firmware) version; };
installFlags = [ "DESTDIR=$(out)" ];
patches = [ ];
postPatch = "";
};
})
];
};
}
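Review bot: `specialisation.no_patches` has no comment saying which patches it is meant to drop or why, and the overlay re-derives `linux-firmware` with a bare `mkDerivation` (`dontFixup = true`, `patches = [ ]`, `postPatch = ""`) rather than overriding `prev.linux-firmware`, so whatever the original derivation's build and fixup phases do is presumably lost as well — confirm that is intended. A short comment above `specialisation.no_patches.configuration` such as `# boot with unpatched upstream linux-firmware to rule out local firmware patches when diagnosing hangs` (adjusted to the real reason) would make the specialisation self-explanatory. The enclosing module continues outside the hunk.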


@ -282,6 +282,7 @@ in {
];
router-settings.dhcp6Reservations = [
{ ipAddress = serverAddress6;
duid = cfg.serverDuid;
macAddress = cfg.serverMac; }
{ ipAddress = vacuumAddress6;
macAddress = cfg.vacuumMac; }
@ -434,11 +435,11 @@ in {
gateways = [ netAddresses.lan6 ];
radvdSettings.AdvAutonomous = true;
coreradSettings.autonomous = true;
# don't autoallocate addresses, keep autonomous ones
# don't allocate addresses for most devices
keaSettings.pools = [ ];
# just assign the reservations
keaSettings.reservations = map (res: {
hw-address = res.macAddress;
keaSettings.reservations = map (res:
(if res.duid != null then { duid = res.duid; } else { hw-address = res.macAddress; }) // {
ip-addresses = [ res.ipAddress ];
}) cfg.dhcp6Reservations;
});
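Review bot: The rewritten `keaSettings.reservations` emits `hw-address = null` when a reservation sets neither `duid` nor `macAddress`, which the options change in this commit now permits (`macAddress` became `nullOr str` with `default = null`), so a misconfigured entry becomes an invalid Kea reservation at runtime instead of an evaluation error. Guard it in the mapping, `assert res.duid != null || res.macAddress != null;` before the `if`, or add a module assertion in the options file requiring one of the two. The same point applies to the `dhcp6Reservations` submodule hunk later in this commit.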


@ -13,6 +13,11 @@
description = "server's mac address";
type = lib.types.str;
};
serverDuid = lib.mkOption {
description = "server's duid";
type = with lib.types; nullOr str;
default = null;
};
serverInitrdMac = lib.mkOption {
description = "server's mac address in initrd";
type = lib.types.str;
@ -92,9 +97,15 @@
description = "device's ip address";
};
options.macAddress = lib.mkOption {
type = lib.types.str;
type = with lib.types; nullOr str;
default = null;
description = "device's mac address";
};
options.duid = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
description = "device's duid";
};
});
};
dnatRules = lib.mkOption {


@ -82,6 +82,7 @@ in {
services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_13;
services.postgresql.extraPlugins = with pkgs.postgresql13Packages; [ tsja ];
# SSH
services.openssh.enable = true;
@ -277,12 +278,27 @@ in {
https = true;
};
# AKKOMA
# TODO: remove this in 2024
services.nginx.virtualHosts."pleroma.${cfg.domainName}" = {
quic = true;
enableACME = true;
addSSL = true;
serverAliases = [ "akkoma.${cfg.domainName}" ];
locations."/".return = "301 https://fedi.${cfg.domainName}$request_uri";
};
services.akkoma = {
enable = true;
dist.extraFlags = [
"+sbwt" "none"
"+sbwtdcpu" "none"
"+sbwtdio" "none"
];
config.":pleroma"."Pleroma.Web.Endpoint" = {
url = {
scheme = "https";
host = "pleroma.${cfg.domainName}";
host = "fedi.${cfg.domainName}";
port = 443;
};
secret_key_base._secret = "/secrets/akkoma/secret_key_base";
@ -294,7 +310,7 @@ in {
'';
initDb = {
enable = false;
username = "pleroma";
username = "akkoma";
password._secret = "/secrets/akkoma/postgres_password";
};
config.":pleroma".":instance" = {
@ -307,9 +323,9 @@ in {
};
config.":pleroma"."Pleroma.Repo" = {
adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
username = "pleroma";
username = "akkoma";
password._secret = "/secrets/akkoma/postgres_password";
database = "pleroma";
database = "akkoma";
hostname = "localhost";
};
config.":web_push_encryption".":vapid_details" = {
@ -319,19 +335,37 @@ in {
};
config.":joken".":default_signer"._secret = "/secrets/akkoma/joken_signer";
nginx = {
serverAliases = [ "akkoma.${cfg.domainName}" ];
quic = true;
enableACME = true;
forceSSL = true;
};
};
systemd.services.akkoma.path = [ pkgs.exiftool pkgs.gawk ];
systemd.services.akkoma.serviceConfig = {
Restart = "on-failure";
systemd.services.akkoma = {
path = [ pkgs.exiftool pkgs.gawk ];
serviceConfig.Restart = "on-failure";
unitConfig = {
StartLimitIntervalSec = 60;
StartLimitBurst = 3;
};
};
systemd.services.akkoma.unitConfig = {
StartLimitIntervalSec = 60;
StartLimitBurst = 3;
users.users.certspotter.extraGroups = [ "acme" ];
services.certspotter = {
enable = true;
watchlist = [ ".pavluk.org" ];
hooks = let
openssl = "${pkgs.openssl.bin}/bin/openssl";
in lib.toList (pkgs.writeShellScript "certspotter-hook" ''
if [[ "$EVENT" == discovered_cert ]]; then
mkdir -p /var/lib/certspotter/allowed_tbs
for cert in $(find /var/lib/acme -regex ".*/fullchain.pem"); do
hash="$(${openssl} x509 -in "$cert" -pubkey -noout | ${openssl} pkey -pubin -outform DER | ${openssl} sha256 | cut -d" " -f2)"
touch "/var/lib/certspotter/allowed_tbs/$hash"
done
[[ -f "/var/lib/certspotter/allowed_tbs/$TBS_SHA256" ]] && exit 0
fi
(echo "Subject: $SUMMARY" && echo && cat "$TEXT_FILENAME") | /run/wrappers/bin/sendmail -i webmaster-certspotter@${cfg.domainName}
'');
};
/*locations."/dns-query".extraConfig = ''
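Review bot: The allow-list in the certspotter hook can never match: the loop hashes each ACME certificate's DER public key (`openssl pkey -pubin -outform DER | sha256`) but looks the result up under `$TBS_SHA256`, which by its name is a digest of the discovered certificate's TBS structure rather than of its public key, so every discovered certificate falls through to the `sendmail` call and the `allowed_tbs` files only accumulate. Hash the same thing on both sides — compare the local public-key digests against the public-key digest variable certspotter exports for hooks (see `man 8 certspotter-script`) — and prune the directory, since `touch` entries are never removed. Two smaller points: `for cert in $(find ...)` word-splits the paths, `find ... -exec` or a `while read -r` loop is more robust, and `set -euo pipefail` at the top would stop a failed `openssl` invocation from yielding an empty `$hash`. The `services.certspotter` attribute set is complete within the hunk; the surrounding NixOS module continues outside it.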


@ -0,0 +1,112 @@
{ config
, lib
, pkgs
, ... }:
let
cfg = config.services.certspotter;
in {
options.services.certspotter = {
enable = lib.mkEnableOption "Cert Spotter, a Certificate Transparency log monitor";
sendmailPath = lib.mkOption {
type = lib.types.path;
description = ''
Path to the `sendmail` binary. By default, the local sendmail wrapper is used
(see `config.services.mail.sendmailSetuidWrapper`).
'';
example = lib.literalExpression ''"''${pkgs.system-sendmail}/bin/sendmail"'';
};
watchlist = lib.mkOption {
type = with lib.types; listOf str;
description = "Domain names to watch. To monitor a domain with all subdomains, prefix its name with `.` (e.g. `.example.org`).";
default = [ ];
example = [ ".example.org" "another.example.com" ];
};
emailRecipients = lib.mkOption {
type = with lib.types; listOf str;
description = "A list of email addresses to send certificate updates to.";
default = [ ];
};
hooks = lib.mkOption {
type = with lib.types; listOf path;
description = ''
Scripts to run upon the detection of a new certificate. See `man 8 certspotter-script` or [the GitHub page](https://github.com/SSLMate/certspotter/blob/master/man/certspotter-script.md) for more info.
'';
default = [];
example = lib.literalExpression ''
[
(pkgs.writeShellScript "certspotter-hook" '''
echo "Event summary: $SUMMARY."
''')
]
'';
};
extraFlags = lib.mkOption {
type = with lib.types; listOf str;
description = "Extra command-line arguments to pass to Cert Spotter";
example = [ "-start_at_end" ];
default = [ ];
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.watchlist != [ ];
message = "You must specify at least one domain for Cert Spotter to watch";
}
{
assertion = cfg.hooks != [] || cfg.emailRecipients != [];
message = "You must specify at least one hook or email recipient for Cert Spotter";
}
{
assertion = (cfg.emailRecipients != []) -> (cfg.sendmailPath != "/run/current-system/sw/bin/false");
message = ''
You must configure the sendmail setuid wrapper (services.mail.sendmailSetuidWrapper)
or services.certspotter.sendmailPath
'';
}
];
services.certspotter.sendmailPath = lib.mkMerge [
(lib.mkIf (config.services.mail.sendmailSetuidWrapper != null) (lib.mkOptionDefault "/run/wrappers/bin/sendmail"))
(lib.mkIf (config.services.mail.sendmailSetuidWrapper == null) (lib.mkOptionDefault "/run/current-system/sw/bin/false"))
];
users.users.certspotter = {
group = "certspotter";
home = "/var/lib/certspotter";
createHome = true;
isSystemUser = true;
# uid = config.ids.uids.certspotter;
};
users.groups.certspotter = {
# gid = config.ids.gids.certspotter;
};
systemd.services.certspotter = {
description = "Cert Spotter - Certificate Transparency Monitor";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment.CERTSPOTTER_CONFIG_DIR = pkgs.linkFarm "certspotter-config"
(lib.toList {
name = "watchlist";
path = pkgs.writeText "cerspotter-watchlist" (builtins.concatStringsSep "\n" cfg.watchlist);
}
++ lib.optional (cfg.emailRecipients != [ ]) {
name = "email_recipients";
path = pkgs.writeText "cerspotter-email_recipients" (builtins.concatStringsSep "\n" cfg.emailRecipients);
}
++ lib.optional (cfg.hooks != [ ]) {
name = "hooks.d";
path = pkgs.linkFarm "certspotter-hooks" (lib.imap1 (i: path: {
inherit path;
name = "hook${toString i}";
}) cfg.hooks);
});
environment.CERTSPOTTER_STATE_DIR = "/var/lib/certspotter";
serviceConfig = {
User = "certspotter";
Group = "certspotter";
WorkingDirectory = "/var/lib/certspotter";
ExecStart = "${pkgs.certspotter}/bin/certspotter -sendmail ${cfg.sendmailPath} ${lib.escapeShellArgs cfg.extraFlags}";
};
};
};
}
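Review bot: `ExecStart` interpolates `cfg.sendmailPath` into the command line unescaped while `extraFlags` goes through `lib.escapeShellArgs`; a path containing spaces or shell metacharacters would be split or interpreted, so wrap it too: `-sendmail ${lib.escapeShellArg cfg.sendmailPath}`. The unit also runs with no systemd sandboxing even though it executes user-supplied `hooks` and, when configured, a setuid sendmail wrapper; the directives below confine it to its state directory, deliberately without `NoNewPrivileges` because that would break the setuid wrapper (hooks that write elsewhere would need extra `ReadWritePaths` entries). Minor: the derivation names `"cerspotter-watchlist"` and `"cerspotter-email_recipients"` are missing a `t`.
```nix
      serviceConfig = {
        User = "certspotter";
        Group = "certspotter";
        WorkingDirectory = "/var/lib/certspotter";
        ExecStart = "${pkgs.certspotter}/bin/certspotter -sendmail ${lib.escapeShellArg cfg.sendmailPath} ${lib.escapeShellArgs cfg.extraFlags}";
        # Confine the unit to its state directory; NoNewPrivileges is left unset
        # on purpose so a setuid sendmail wrapper in /run/wrappers still works.
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        ReadWritePaths = [ "/var/lib/certspotter" ];
      };
```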


@ -93,6 +93,7 @@ in {
# ISO-8601
i18n.extraLocaleSettings.LC_TIME = "en_DK.UTF-8";
environment.systemPackages = with pkgs; ([
bottom
wget
git
tmux