# vim: filetype=bash
export NIX_PATH=nixpkgs=$(cat $(expand_path nix/sources.json) | jq -r '."nixpkgs-nixops".url')
-NIX_PATH=$NIX_PATH:nixpkgs-nix=$(cat $(expand_path nix/sources.json) | jq -r '."nixpkgs-nix".url')
export NIXOPS_ENV_LOADED=1
export ANONYMIZE_KEY="dedhogryajkegthlwribFecnocItTelilAwdod"
-subrecipes = setup nix-info edit_env edit_vars
-subrecipes += ssh-eldiron ssh-backup-2 ssh-monitoring-1 ssh-4c
-subrecipes += debug build dry-run upload deploy next-boot deploy-reboot
-subrecipes += list-generations delete-generations cleanup
-${subrecipes}:
+TARGET ?=
+MORPH_ARGS ?=
+SSHARGS ?=
+GEN ?=
+
+setup nix-info edit_env edit_vars ssh-eldiron ssh-backup-2 ssh-monitoring-1 ssh-4c debug build dry-run upload deploy next-boot deploy-reboot list-generations delete-generations cleanup:
@$(MAKE) --no-print-directory -C nixops/ $@
-.PHONY: ${subrecipes}
nur:
./scripts/make-nur
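Review bot: Dropping `.PHONY: ${subrecipes}` at L18 without a replacement leaves every name on the new rule line (setup … cleanup) as an ordinary file target, so a file called `build`, `deploy` or `cleanup` in this directory would make Make report it up to date and silently skip the delegation to `nixops/`; unless it is declared elsewhere in the file, keep `.PHONY: setup nix-info edit_env edit_vars ssh-eldiron ssh-backup-2 ssh-monitoring-1 ssh-4c debug build dry-run upload deploy next-boot deploy-reboot list-generations delete-generations cleanup` next to the rule. The four new `?=` variables (TARGET, MORPH_ARGS, SSHARGS, GEN) are neither referenced nor exported in this hunk; if they only document the knobs the sub-make accepts, say so with `# accepted on the command line and forwarded to nixops/ by $(MAKE)`, and if values set here are meant to reach the sub-make they need `export`. The `nur` target has the same missing-`.PHONY` problem.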
# e-mails
muttprint mutt-ics
- notmuch-python2 notmuch-python3 notmuch-vim
+ notmuch-python3 notmuch-vim
neomutt mairix
bogofilter fetchmail
sieve-connect
feh imagemagick tiv graphicsmagick qrcode
# internet browsing
- w3m lynx links elinks browsh woob urlview urlscan googler urlwatch
+ w3m lynx links2 elinks browsh python3Packages.woob urlview urlscan googler urlwatch
# less
python3Packages.pygments lesspipe highlight sourceHighlight
# monitoring
cnagios mtop pg_activity nagios-cli mtr
iftop htop iotop iperf bonfire
- goaccess tcpdump tshark tcpflow
+ goaccess tcpdump wireshark-cli tcpflow
mitmproxy
# nagnu
# nix
yarn2nix-moretea.yarn2nix nixUnstable
- nixops nix-prefetch-scripts nix-generate-from-cpan
+ nix-prefetch-scripts nix-generate-from-cpan
bundix nodePackages.bower2nix nix-diff
nodePackages.node2nix niv
# (nixos {}).nixos-generate-config
pdftk poppler_utils
# programming
- emacs26-nox ctags
+ emacs-nox ctags
wdiff patch gnumake
# security
s6-portable-utils
# system tools
- telnet bind.dnsutils httpie ngrep nmap p0f socat lsof psmisc
+ inetutils bind.dnsutils httpie ngrep nmap p0f socat lsof psmisc
wget patchelf rename tmux (lib.meta.hiPrio nettools)
- vlock' mosh manpages openssl openssl.doc openssl.man
+ vlock' mosh man-pages openssl openssl.doc openssl.man
sshfs ncdu procps-watch8bit
# other tools
pgloader s3cmd lftp jq cpulimit libxslt gandi-cli bubblewrap
- # Terraform + AWS
- terraform_0_12 awscli
- ansible python3Packages.boto
+ # AWS
+ awscli
+ ansible
openvpn
zsh-completions
- hetzner
+ python3Packages.hetzner
smartmontools
];
in
+++ /dev/null
-{
- description = "Backported packages";
-
- inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
- inputs.flake-utils.url = "github:numtide/flake-utils";
-
- outputs = { self, flake-utils, nixpkgs }: flake-utils.lib.eachDefaultSystem (system:
- let
- pkgs = import nixpkgs { inherit system; overlays = []; };
- in rec {
- packages = {
- apprise = pkgs.apprise;
- bitlbee-mastodon = pkgs.bitlbee-mastodon;
- cointop = pkgs.cointop;
- coturn = pkgs.coturn;
- cryptpad = pkgs.cryptpad;
- delta = pkgs.delta;
- dovecot_fts-xapian = pkgs.dovecot_fts_xapian;
- duply = pkgs.duply;
- fiche = pkgs.fiche;
- galene = pkgs.galene;
- hetzner = pkgs.python3Packages.hetzner;
- influxdb2 = pkgs.influxdb2;
- ldapvi = pkgs.ldapvi;
- lego = pkgs.lego;
- mpd = pkgs.mpd;
- mpd-small = pkgs.mpd-small;
- neomutt = pkgs.neomutt;
- opensmtpd = pkgs.opensmtpd;
- pass = pkgs.pass;
- pg_activity = pkgs.pg_activity;
- signald = pkgs.signald;
- ssh-to-age = pkgs.ssh-to-age;
- stgit = pkgs.stgit;
- sops = pkgs.sops;
- sudo = pkgs.sudo;
- telegram-cli = pkgs.telegram-cli;
- woob = pkgs.python3Packages.woob;
- zrepl = pkgs.zrepl;
- };
- legacyPackages = packages;
- apps = {
- apprise = flake-utils.lib.mkApp { drv = packages.apprise; name = "apprise"; };
- cointop = flake-utils.lib.mkApp { drv = packages.cointop; name = "cointop"; };
- coturn = flake-utils.lib.mkApp { drv = packages.coturn; name = "coturn"; };
- cryptpad = flake-utils.lib.mkApp { drv = packages.cryptpad; name = "cryptpad"; };
- delta = flake-utils.lib.mkApp { drv = packages.delta; name = "delta"; };
- duply = flake-utils.lib.mkApp { drv = packages.duply; name = "duply"; };
- fiche = flake-utils.lib.mkApp { drv = packages.fiche; name = "fiche"; };
- galene = flake-utils.lib.mkApp { drv = packages.galene; name = "galene"; };
- hetzner = flake-utils.lib.mkApp { drv = packages.hetzner; name = "hetznerctl"; };
- influxd = flake-utils.lib.mkApp { drv = packages.influxdb2; name = "influxd"; };
- influx = flake-utils.lib.mkApp { drv = packages.influxdb2; name = "influx"; };
- ldapvi = flake-utils.lib.mkApp { drv = packages.ldapvi; name = "ldapvi"; };
- lego = flake-utils.lib.mkApp { drv = packages.lego; name = "lego"; };
- mpd = flake-utils.lib.mkApp { drv = packages.mpd; name = "mpd"; };
- mpd-small = flake-utils.lib.mkApp { drv = packages.mpd-small; name = "mpd"; };
- neomutt = flake-utils.lib.mkApp { drv = packages.neomutt; name = "neomutt"; };
- opensmtpd = flake-utils.lib.mkApp { drv = packages.opensmtpd; name = "opensmtpd"; };
- pass = flake-utils.lib.mkApp { drv = packages.pass; name = "pass"; };
- pg_activity = flake-utils.lib.mkApp { drv = packages.pg_activity; name = "pg_activity"; };
- signald = flake-utils.lib.mkApp { drv = packages.signald; name = "signald"; };
- ssh-to-age = flake-utils.lib.mkApp { drv = packages.ssh-to-age; name = "ssh-to-age"; };
- stgit = flake-utils.lib.mkApp { drv = packages.stgit; name = "stgit"; };
- sops = flake-utils.lib.mkApp { drv = packages.sops; name = "sops"; };
- sudo = flake-utils.lib.mkApp { drv = packages.sudo; name = "sudo"; };
- telegram-cli = flake-utils.lib.mkApp { drv = packages.telegram-cli; name = "telegram-cli"; };
- woob = flake-utils.lib.mkApp { drv = packages.woob; name = "woob"; };
- zrepl = flake-utils.lib.mkApp { drv = packages.zrepl; name = "zrepl"; };
- };
- }
- ) // rec {
- lib = {
- overrideDeps = pkgs: package: let
- packageDeps = builtins.attrNames package.override.__functionArgs;
- in package.override (pkgs.lib.genAttrs packageDeps (n: pkgs."${n}"));
- };
- overlays = {
- apprise = final: prev: { apprise = self.packages."${final.system}".apprise; };
- bitlbee-mastodon = final: prev: {
- bitlbee-mastodon = lib.overrideDeps final self.packages."${final.system}".bitlbee-mastodon;
- };
- cointop = final: prev: { cointop = self.packages."${final.system}".cointop; };
- coturn = final: prev: { coturn = self.packages."${final.system}".coturn; };
- cryptpad = final: prev: { cryptpad = self.packages."${final.system}".cryptpad; };
- delta = final: prev: { delta = self.packages."${final.system}".delta; };
- dovecot_fts-xapian = final: prev: {
- dovecot_fts-xapian = lib.overrideDeps final self.packages."${final.system}".dovecot_fts-xapian;
- };
- duply = final: prev: { duply = self.packages."${final.system}".duply; };
- fiche = final: prev: { fiche = self.packages."${final.system}".fiche; };
- galene = final: prev: { galene = self.packages."${final.system}".galene; };
- hetzner = final: prev: { hetzner = self.packages."${final.system}".hetzner; };
- influxdb2 = final: prev: { influxdb2 = self.packages."${final.system}".influxdb2; };
- ldapvi = final: prev: { ldapvi = self.packages."${final.system}".ldapvi; };
- lego = final: prev: { lego = self.packages."${final.system}".lego; };
- mpd = final: prev: { mpd = self.packages."${final.system}".mpd; };
- neomutt = final: prev: { neomutt = self.packages."${final.system}".neomutt; };
- opensmtpd = final: prev: { opensmtpd = self.packages."${final.system}".opensmtpd; };
- pass = final: prev: { pass = self.packages."${final.system}".pass; };
- pg_activity = final: prev: { pg_activity = self.packages."${final.system}".pg_activity; };
- signald = final: prev: { signald = self.packages."${final.system}".signald; };
- ssh-to-age = final: prev: { ssh-to-age = self.packages."${final.system}".ssh-to-age; };
- stgit = final: prev: { stgit = self.packages."${final.system}".stgit; };
- sops = final: prev: { sops = self.packages."${final.system}".sops; };
- sudo = final: prev: { sudo = self.packages."${final.system}".sudo; };
- telegram-cli = final: prev: { telegram-cli = self.packages."${final.system}".telegram-cli; };
- woob = final: prev: { woob = self.packages."${final.system}".woob; };
- zrepl = final: prev: { zrepl = self.packages."${final.system}".zrepl; };
- };
- overlay = final: prev: ({}
- // overlays.apprise final prev
- // overlays.bitlbee-mastodon final prev
- // overlays.cointop final prev
- // overlays.coturn final prev
- // overlays.cryptpad final prev
- // overlays.delta final prev
- // overlays.dovecot_fts-xapian final prev
- // overlays.duply final prev
- // overlays.fiche final prev
- // overlays.galene final prev
- // overlays.hetzner final prev
- // overlays.influxdb2 final prev
- // overlays.ldapvi final prev
- // overlays.lego final prev
- // overlays.mpd final prev
- // overlays.neomutt final prev
- // overlays.opensmtpd final prev
- // overlays.pass final prev
- // overlays.pg_activity final prev
- // overlays.signald final prev
- // overlays.ssh-to-age final prev
- // overlays.stgit final prev
- // overlays.sops final prev
- // overlays.sudo final prev
- // overlays.telegram-cli final prev
- // overlays.woob final prev
- // overlays.zrepl final prev
- );
-
- nixosModules = {
- coturn = import (nixpkgs + "/nixos/modules/services/networking/coturn.nix");
- galene = import (nixpkgs + "/nixos/modules/services/web-apps/galene.nix");
- influxdb2 = import (nixpkgs + "/nixos/modules/services/databases/influxdb2.nix");
- mpd = import (nixpkgs + "/nixos/modules/services/audio/mpd.nix");
- zrepl = import (nixpkgs + "/nixos/modules/services/backup/zrepl.nix");
- };
- };
-}
-
# Check that there is no clash with nixos/modules/misc/ids.nix
uids = {
cryptpad = 386;
+ openldap = 99; # commented in the ids file
postfixscripts = 387;
acme = 388;
backup = 389;
};
gids = {
nagios = 11; # commented in the ids file
+ openldap = 99; # commented in the ids file
cryptpad = 386;
acme = 388;
backup = 389;
nixosModule = { lib, pkgs, config, ... }:
let
name = "peertube";
- cfg = config.services.peertube;
+ cfg = config.immaeServices.peertube;
in
{
- options.services.peertube = {
+ options.immaeServices.peertube = {
enable = lib.mkEnableOption "Enable Peertube’s service";
user = lib.mkOption {
type = lib.types.str;
"nodes": {
"flake-utils": {
"locked": {
- "lastModified": 1629481132,
- "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=",
+ "lastModified": 1648297722,
+ "narHash": "sha256-W+qlPsiZd8F3XkzXOzAoR+mpFqzm3ekQkJNa+PIh1BQ=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "997f7efcb746a9c140ce1f13c72263189225f482",
+ "rev": "0f8662f1319ad6abf89b3380dd2722369fc51ade",
"type": "github"
},
"original": {
}
},
"nixpkgs": {
+ "flake": false,
"locked": {
- "lastModified": 1645433236,
- "narHash": "sha256-4va4MvJ076XyPp5h8sm5eMQvCrJ6yZAbBmyw95dGyw4=",
+ "lastModified": 1596265691,
+ "narHash": "sha256-9ofCzFqttTsGrvTaS4RrDSTNQO9PFOz5uyn8V+2eA5M=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d",
+ "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742",
"type": "github"
},
"original": {
"owner": "NixOS",
- "ref": "nixos-unstable",
"repo": "nixpkgs",
+ "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742",
"type": "github"
}
},
--- /dev/null
+{
+ description = "Php old versions";
+ inputs.flake-utils.url = "github:numtide/flake-utils";
+ inputs.nixpkgs = {
+ url = "github:NixOS/nixpkgs/840c782d507d60aaa49aa9e3f6d0b0e780912742";
+ flake = false;
+ };
+ outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachSystem ["x86_64-linux"] (system:
+ let
+ pkgs = import nixpkgs { inherit system; overlays = []; };
+ in rec {
+ packages = {
+ php72 = pkgs.php72;
+ php73 = pkgs.php73;
+ };
+ defaultPackage = packages.php73;
+ legacyPackages = packages;
+ }) // rec {
+ overlays = {
+ php = final: prev: {
+ php72 = self.packages."${final.system}".php72;
+ php73 = self.packages."${final.system}".php73;
+ };
+ };
+ overlay = overlays.php;
+ };
+}
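Review bot: The nixpkgs input is pinned to a single old revision (`840c782d…`, L296) solely to expose `php72` and `php73` (L304-L305), so these interpreters will never pick up security fixes through normal flake updates, and nothing in the file records which consumer still needs them or when the flake can be retired. Add that next to `packages`, e.g. `# Old nixpkgs rev kept only for php72/php73 (presumably no longer in current nixpkgs); they receive no security updates — list the consumers here and drop this flake once they move to a supported PHP.` Because the input URL names a commit rather than a branch, `nix flake update` will not advance it either, which is worth stating in the same comment so nobody expects `flake.lock` to move it.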
];
programs.ssh.knownHosts = lib.attrsets.mapAttrs' (name: profile: lib.attrsets.nameValuePair name {
- hostNames = [ profile.host ];
+ extraHostNames = [ profile.host ];
publicKey = "${profile.host_key_type} ${profile.host_key}";
}) cfg.profiles;
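Review bot: With `extraHostNames` the attribute name of each knownHosts entry (`name`, the profile key) is registered as a host name for the key in addition to `profile.host`, whereas the removed `hostNames = [ profile.host ]` limited the entry to the real host; the enclosing `mapAttrs'` starts above this hunk, so whether profile names are real host names is not visible here. If they are arbitrary labels this only adds a harmless extra name, but a profile name that coincides with another host would pin that host to the wrong key. If the `hostNames` option is still available it can keep the old behaviour explicitly, `hostNames = [ profile.host ];`, since it overrides the `[ name ] ++ extraHostNames` default; otherwise a one-line comment stating that profile names are host names settles the question for the next reader.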
# This file originates from node2nix
-{stdenv, nodejs, python2, utillinux, libtool, runCommand, writeTextFile}:
+{lib, stdenv, nodejs, python2, utillinux, libtool, runCommand, writeTextFile}:
let
python = if nodejs ? python then nodejs.python else python2;
};
includeDependencies = {dependencies}:
- stdenv.lib.optionalString (dependencies != [])
- (stdenv.lib.concatMapStrings (dependency:
+ lib.optionalString (dependencies != [])
+ (lib.concatMapStrings (dependency:
''
# Bundle the dependencies of the package
mkdir -p node_modules
cd "$DIR/${packageName}"
${includeDependencies { inherit dependencies; }}
cd ..
- ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+ ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
'';
pinpointDependencies = {dependencies, production}:
''
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
- ${stdenv.lib.optionalString (dependencies != [])
+ ${lib.optionalString (dependencies != [])
''
if [ -d node_modules ]
then
cd node_modules
- ${stdenv.lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
+ ${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
cd ..
fi
''}
cd "${packageName}"
${pinpointDependencies { inherit dependencies production; }}
cd ..
- ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+ ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
fi
'';
stdenv.mkDerivation ({
name = "node-${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
- ++ stdenv.lib.optional (stdenv.isLinux) utillinux
- ++ stdenv.lib.optional (stdenv.isDarwin) libtool
+ ++ lib.optional (stdenv.isLinux) utillinux
+ ++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit dontStrip; # Stripping may fail a build for some package deployments
cd "${packageName}"
runHook preRebuild
- ${stdenv.lib.optionalString bypassCache ''
+ ${lib.optionalString bypassCache ''
if [ ! -f package-lock.json ]
then
echo "No package-lock.json file found, reconstructing..."
node ${addIntegrityFieldsScript}
''}
- npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} rebuild
+ npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
if [ "$dontNpmInstall" != "1" ]
then
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
- npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} install
+ npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
fi
# Create symlink to the deployed executable folder, if applicable
name = "node-dependencies-${name}-${version}";
buildInputs = [ tarWrapper python nodejs ]
- ++ stdenv.lib.optional (stdenv.isLinux) utillinux
- ++ stdenv.lib.optional (stdenv.isDarwin) libtool
+ ++ lib.optional (stdenv.isLinux) utillinux
+ ++ lib.optional (stdenv.isDarwin) libtool
++ buildInputs;
inherit dontStrip; # Stripping may fail a build for some package deployments
# Create fake package.json to make the npm commands work properly
cp ${src}/package.json .
chmod 644 package.json
- ${stdenv.lib.optionalString bypassCache ''
+ ${lib.optionalString bypassCache ''
if [ -f ${src}/package-lock.json ]
then
cp ${src}/package-lock.json .
# Pinpoint the versions of all dependencies to the ones that are actually being used
echo "pinpointing versions of dependencies..."
cd ..
- ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+ ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
source $pinpointDependenciesScriptPath
cd ${packageName}
export HOME=$PWD
- ${stdenv.lib.optionalString bypassCache ''
+ ${lib.optionalString bypassCache ''
if [ ! -f package-lock.json ]
then
echo "No package-lock.json file found, reconstructing..."
node ${addIntegrityFieldsScript}
''}
- npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} rebuild
+ npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
- ${stdenv.lib.optionalString (!dontNpmInstall) ''
+ ${lib.optionalString (!dontNpmInstall) ''
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
- npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} install
+ npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} install
''}
cd ..
- ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+ ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
mv ${packageName} lib
ln -s $out/lib/node_modules/.bin $out/bin
stdenv.mkDerivation {
name = "node-shell-${name}-${version}";
- buildInputs = [ python nodejs ] ++ stdenv.lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
+ buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
buildCommand = ''
mkdir -p $out/bin
cat > $out/bin/shell <<EOF
# Provide the dependencies in a development shell through the NODE_PATH environment variable
inherit nodeDependencies;
- shellHook = stdenv.lib.optionalString (dependencies != []) ''
+ shellHook = lib.optionalString (dependencies != []) ''
export NODE_PATH=$nodeDependencies/lib/node_modules
'';
};
in
{
- buildNodeSourceDist = stdenv.lib.makeOverridable buildNodeSourceDist;
- buildNodePackage = stdenv.lib.makeOverridable buildNodePackage;
- buildNodeShell = stdenv.lib.makeOverridable buildNodeShell;
+ buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;
+ buildNodePackage = lib.makeOverridable buildNodePackage;
+ buildNodeShell = lib.makeOverridable buildNodeShell;
}
php-application = ./websites/php-application.nix;
zrepl = ./zrepl.nix;
websites = ./websites;
-
- galene = (flakeCompat ../flakes/backports).nixosModules.galene;
} // (if builtins.pathExists ./private then import ./private else {})
};
certConfig = lib.mkOption {
default = {
- webroot = lib.mkForce null; # avoids creation of tmpfiles
+ webroot = "/var/lib/acme/acme-challenges";
email = "ismael@bouya.org";
postRun = builtins.concatStringsSep "\n" [
(lib.optionalString config.services.httpd.Prod.enable "systemctl reload httpdProd.service")
];
extraLegoRenewFlags = [ "--reuse-key" ];
keyType = lib.mkDefault "ec256"; # https://github.com/NixOS/nixpkgs/pull/83121
+ #extraLegoRunFlags = [ "--reuse-key" "--preferred-chain" "ISRG Root X1"];
+ #extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
};
description = "Default configuration for certificates";
};
domain = config.hostEnv.fqdn;
};
};
-
- users.users.acme = {
- uid = config.ids.uids.acme;
- group = "acme";
- description = "Acme user";
- };
- users.groups.acme = {
- gid = config.ids.gids.acme;
- };
-
- systemd.services = lib.attrsets.mapAttrs' (k: v:
- lib.attrsets.nameValuePair "acme-selfsigned-${k}" {
- wantedBy = [ "acme-selfsigned-certificates.target" ];
- script = lib.mkAfter ''
- cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
- chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-
- cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
- chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
- chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
- '';
- }
- ) config.security.acme.certs //
- lib.attrsets.mapAttrs' (k: data:
- lib.attrsets.nameValuePair "acme-${k}" {
- after = lib.mkAfter [ "bind.service" ];
- serviceConfig =
- let
- cfg = config.security.acme;
- hashOptions = let
- domains = builtins.concatStringsSep "," (
- [ data.domain ] ++ (builtins.attrNames data.extraDomains)
- );
- certOptions = builtins.concatStringsSep "," [
- (if data.ocspMustStaple then "must-staple" else "no-must-staple")
- ];
- in
- builtins.hashString "sha256" (builtins.concatStringsSep ";" [ data.keyType domains certOptions ]);
- accountsDir = "accounts-${data.keyType}";
- lpath = "acme/${k}";
- apath = "/var/lib/${lpath}";
- spath = "/var/lib/acme/.lego/${k}";
- fileMode = if data.allowKeysForGroup then "640" else "600";
- dirFileMode = if data.allowKeysForGroup then "750" else "700";
- globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
- ++ lib.optionals (cfg.acceptTerms) [ "--accept-tos" ]
- ++ lib.optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
- ++ lib.concatLists (lib.mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
- ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" config.myServices.certificates.webroot ])
- ++ lib.optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
- certOpts = lib.optionals data.ocspMustStaple [ "--must-staple" ];
- runOpts = lib.escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
- renewOpts = lib.escapeShellArgs (globalOpts ++
- [ "renew" "--days" (builtins.toString cfg.validMinDays) ] ++
- certOpts ++ data.extraLegoRenewFlags);
- forceRenewOpts = lib.escapeShellArgs (globalOpts ++
- [ "renew" "--days" "999" ] ++
- certOpts ++ data.extraLegoRenewFlags);
- keyName = builtins.replaceStrings ["*"] ["_"] data.domain;
- in {
- User = lib.mkForce "acme";
- Group = lib.mkForce "acme";
- WorkingDirectory = lib.mkForce spath;
- StateDirectory = lib.mkForce "acme/.lego/${k} acme/.lego/${accountsDir}";
- ExecStartPre =
- let
- script = pkgs.writeScript "acme-prestart" ''
- #!${pkgs.runtimeShell} -e
- install -m 0755 -o acme -g acme -d ${config.myServices.certificates.webroot}
- '';
- in
- lib.mkForce "+${script}";
- ExecStart = lib.mkForce (pkgs.writeScript "acme-start" ''
- #!${pkgs.runtimeShell} -e
- # lego doesn't check key type after initial creation, we
- # need to check for him
- if [ -L ${spath}/accounts -o -d ${spath}/accounts ]; then
- if [ -L ${spath}/accounts -a "$(readlink ${spath}/accounts)" != ../${accountsDir} ]; then
- ln -sfn ../${accountsDir} ${spath}/accounts
- mv -f ${spath}/certificates/${keyName}.key ${spath}/certificates/${keyName}.key.old
- fi
- else
- ln -s ../${accountsDir} ${spath}/accounts
- fi
- # check if domain changed: lego doesn't check by itself
- if [ ! -e ${spath}/certificates/${keyName}.crt -o ! -e ${spath}/certificates/${keyName}.key -o ! -e "${spath}/accounts/acme-v02.api.letsencrypt.org/${data.email}/account.json" ]; then
- ${pkgs.lego}/bin/lego ${runOpts}
- elif [ ! -f ${spath}/currentDomains -o "$(cat ${spath}/currentDomains)" != "${hashOptions}" ]; then
- ${pkgs.lego}/bin/lego ${forceRenewOpts}
- else
- ${pkgs.lego}/bin/lego ${renewOpts}
- fi
- '');
- ExecStartPost =
- let
- ISRG_Root_X1 = pkgs.fetchurl {
- url = "https://letsencrypt.org/certs/isrgrootx1.pem";
- sha256 = "1la36n2f31j9s03v847ig6ny9lr875q3g7smnq33dcsmf2i5gd92";
- };
- fix_ISRG_Root_X1 = pkgs.writeScript "fix-pem" ''
- for file in chain fullchain full; do
- if grep -q MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA "$file.pem"; then
- cat ${ISRG_Root_X1} | grep -v " CERTIFICATE" | \
- sed -i.bak -ne "/MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ {r /dev/stdin" -e ":a; n; /Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5/ { b }; ba };p" $file.pem
- fi
- done
- '';
- script = pkgs.writeScript "acme-post-start" ''
- #!${pkgs.runtimeShell} -e
- install -m 0755 -o root -g root -d /var/lib/acme
- install -m 0${dirFileMode} -o ${data.user} -g ${data.group} -d /var/lib/acme/${k}
- cd /var/lib/acme/${k}
-
- # Test that existing cert is older than new cert
- KEY=${spath}/certificates/${keyName}.key
- KEY_CHANGED=no
- if [ -e $KEY -a $KEY -nt key.pem ]; then
- KEY_CHANGED=yes
- cp -p ${spath}/certificates/${keyName}.key key.pem
- cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
- cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
- ln -sf fullchain.pem cert.pem
- cat key.pem fullchain.pem > full.pem
- echo -n "${hashOptions}" > ${spath}/currentDomains
- fi
-
- ${fix_ISRG_Root_X1}
- chmod ${fileMode} *.pem
- chown '${data.user}:${data.group}' *.pem
-
- if [ "$KEY_CHANGED" = "yes" ]; then
- : # noop in case postRun is empty
- ${data.postRun}
- fi
- '';
- in
- lib.mkForce "+${script}";
- };
- }
- ) config.security.acme.certs //
- {
- httpdProd = lib.mkIf config.services.httpd.Prod.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- httpdTools = lib.mkIf config.services.httpd.Tools.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- httpdInte = lib.mkIf config.services.httpd.Inte.enable
- { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
- };
};
}
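Review bot: The two commented-out assignments added at L479-L480 are dead configuration: `extraLegoRenewFlags` is already set live at L477, so un-commenting L480 would define the attribute twice, and nothing records why `--preferred-chain "ISRG Root X1"` was tried and shelved; either drop them or replace them with a why-comment such as `# --preferred-chain "ISRG Root X1" was tested as a replacement for the old fix-pem post-start hook; not enabled because …`. The change from `webroot = lib.mkForce null` to the literal `/var/lib/acme/acme-challenges` (L472) relies on every virtual host serving `.well-known/acme-challenge` from that directory; the removed `ExecStartPre` created `config.myServices.certificates.webroot` for that purpose, and nothing in this hunk shows the replacement wiring, so this is worth confirming before the first renewal rather than at expiry. The enclosing option set starts before L469.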
users.users.mysql.extraGroups = [ "keys" ];
security.acme.certs."mysql" = config.myServices.databasesCerts // {
- user = "mysql";
group = "mysql";
domain = "db-1.immae.eu";
postRun = ''
{ lib, pkgs, config, ... }:
let
cfg = config.myServices.databases.openldap;
- ldapConfig = let
- eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
- in ''
- ${eldiron_schemas}
-
- pidfile ${cfg.pids.pid}
- argsfile ${cfg.pids.args}
-
- moduleload back_hdb
- backend hdb
-
- TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
- TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
- TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
- TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
- #This makes openldap crash
- #TLSCipherSuite DEFAULT
-
- sasl-host kerberos.immae.eu
- '';
in
{
options.myServices.databases = {
permissions = "0400";
user = "openldap";
group = "openldap";
- text = "rootpw ${cfg.rootPw}";
+ text = "${cfg.rootPw}";
};
"ldap/access" = {
permissions = "0400";
networking.firewall.allowedTCPPorts = [ 636 389 ];
security.acme.certs."ldap" = config.myServices.databasesCerts // {
- user = "openldap";
group = "openldap";
domain = "ldap.immae.eu";
postRun = ''
services.openldap = {
enable = true;
- dataDir = cfg.dataDir;
urlList = [ "ldap://" "ldaps://" ];
- logLevel = "none";
- extraConfig = ldapConfig;
- extraDatabaseConfig = ''
- moduleload memberof
- overlay memberof
+ settings = {
+ attrs = {
+ olcPidFile = cfg.pids.pid;
+ olcArgsFile = cfg.pids.args;
+ olcLogLevel = "none";
+ olcTLSCertificateFile = "${config.security.acme.certs.ldap.directory}/cert.pem";
+ olcTLSCertificateKeyFile = "${config.security.acme.certs.ldap.directory}/key.pem";
+ olcTLSCACertificateFile = "${config.security.acme.certs.ldap.directory}/fullchain.pem";
+ olcTLSCACertificatePath = "${pkgs.cacert.unbundled}/etc/ssl/certs/";
+ # This makes openldap crash
+ # olcTLSCipherSuite = "DEFAULT";
+ olcSaslHost = "kerberos.immae.eu";
+ # Map sasl "dn" to ldap dn
+ olcAuthzRegexp = ''{0}"uid=([^,]*)(,cn=IMMAE.EU)?,cn=(gssapi|gss-spnego),cn=auth" "uid=$1,ou=users,dc=immae,dc=eu"'';
+ };
+ children = {
+ "cn=module{0}" = {
+ attrs = {
+ cn = "module{0}";
+ objectClass = [ "olcModuleList" ];
+ olcModuleLoad = [ "{0}back_hdb" "{1}memberof" "{2}syncprov" ];
+ };
+ };
+ "cn=schema".includes = map (schema:
+ "${config.services.openldap.package}/etc/schema/${schema}.ldif"
+ ) [ "core" "cosine" "inetorgperson" "nis" ] ++ [
+ "${./immae.ldif}"
+ ];
+ "olcDatabase={0}config" = {
+ attrs = {
+ objectClass = "olcDatabaseConfig";
+ olcDatabase = "{0}config";
+ olcAccess = ["{0}to * by * none"];
+ };
+ };
+ "olcDatabase={1}hdb" = {
+ attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcHdbConfig" ];
+ olcDatabase = "{1}hdb";
+ olcDbIndex = [
+ "objectClass eq"
+ "uid pres,eq"
+ "mail pres,eq,sub"
+ "cn pres,eq,sub"
+ "sn pres,eq,sub"
+ "dc eq"
+ "member eq"
+ "memberOf eq"
+ ];
+ olcAccess = let
+ join = builtins.replaceStrings ["\n"] [" "];
+ in [
+ # First matching "to" + "by" wins
+ #### Replication needs full access
+ (join ''{0}to *
+ by dn.base="uid=ldap_replication,cn=ldap,ou=services,dc=immae,dc=eu" read
+ by * break
+ '')
+ #### Kerberos needs access to users password
+ (join ''{1}to attrs=userPassword,shadowLastChange
+ by self write
+ by anonymous auth
+ by * none
+ '')
+ ####
+ (join ''{2}to attrs=immaeSshKey
+ by self write
+ by * break
+ '')
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
+ #### Anyone can auth, and I can see myself
+ (join ''{3}to *
+ by self read
+ by anonymous auth
+ by * break
+ '')
- include ${config.secrets.fullPaths."ldap/access"}
- '';
- rootpwFile = config.secrets.fullPaths."ldap/password";
- suffix = cfg.baseDn;
- rootdn = cfg.rootDn;
- database = "hdb";
+ #### Specific access for phpldapadmin
+ (join ''{4}to filter="(uid=*)" attrs=entry,uid
+ by dn.base="cn=phpldapadmin,ou=services,dc=immae,dc=eu" read
+ by * break
+ '')
+
+ #### Hosts
+ # The attributes are available to every host
+ (join ''{5}to dn.one="ou=hosts,dc=immae,dc=eu"
+ by dn.subtree="ou=hosts,dc=immae,dc=eu" read
+ by dn.base="dc=immae,dc=eu" search
+ by * break
+ '')
+ #### /Hosts
+
+ #### Local services
+ # this/-* & user : all your ancestors have access to you
+ # this/memberOf/-* & user : all those whom you belong to (in a group),
+ # and their ancestors, have access to you
+ # user/immaeAccessWriteDn*/member & this : you have write access to the
+ # members of your immaeAccessDn
+ # attributes
+ # user/immaeAccessDn*/member & this : you have access to the members
+ # of your immaeAccessDn attributes
+ # user/immaeAccessReadSubtree* & this/-* : you have access to the
+ # childrens of your immaeAccessReadSubtree
+ # attributes
+ # this/memberOf/-* & user/immaeAccessReadSubtree*: you have access to
+ # the members of the childrens of your
+ # immaeAccessReadSubtree attributes
+ # http://www.openldap.org/faq/data/cache/1133.html
+ (join ''{6}to dn.subtree="dc=immae,dc=eu"
+ by dn.subtree="ou=external_services,dc=immae,dc=eu" break
+ by set.exact="this/-* & user" read
+ by set.exact="this/memberOf/-* & user" read
+ by set.exact="user/immaeAccessWriteDn*/member & this" write
+ by set.exact="user/immaeAccessDn*/member & this" read
+ by set.exact="user/immaeAccessReadSubtree* & this/-*" read
+ by set.exact="this/memberOf/-* & user/immaeAccessReadSubtree*" read
+ by users search
+ by * break
+ '')
+ #### /Local services
+
+ #### External services
+ # http://www.openldap.org/faq/data/cache/429.html
+ # FIXME: Find a way to whitelist?
+ (join ''{7}to attrs=immaeSshKey
+ by dn.subtree="ou=external_services,dc=immae,dc=eu" none
+ '')
+ (join ''{8}to dn.subtree="dc=immae,dc=eu"
+ by set.exact="this/-* & user" read
+ by set.exact="this/memberOf/-* & user" read
+ by set.exact="user/immaeAccessDn*/member & this/-*" read
+ by users search
+ by * none
+ '')
+ #### /External services
+ ];
+ olcDbDirectory = cfg.dataDir;
+ olcRootDN = cfg.rootDn;
+ olcRootPW.path = config.secrets.fullPaths."ldap/password";
+ olcSuffix = cfg.baseDn;
+ };
+ children = {
+ "olcOverlay={0}memberof" = {
+ attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ olcOverlay = "{0}memberof";
+ };
+ };
+ "olcOverlay={1}syncprov" = {
+ attrs = {
+ objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ];
+ olcOverlay = "{1}syncprov";
+ olcSpCheckpoint = "100 10";
+ };
+ };
+ };
+ };
+ };
+ };
};
};
}
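Review bot: `olcModuleLoad` still loads `{0}back_hdb` (L713) and the database is declared as `olcHdbConfig`/`{1}hdb` (L728-L731), but the hdb backend was removed in OpenLDAP 2.5; if `config.services.openldap.package` is a 2.5+ release slapd will fail at module load, and the supported replacement is mdb (`back_mdb`, `olcMdbConfig`, `olcDatabase = "{1}mdb"`). The `"ldap/access"` secret defined at L676-L677 appears to have lost its only consumer, the `include ${config.secrets.fullPaths."ldap/access"}` removed at L771, now that the ACL list lives inline in `olcAccess` (L742-L835); unless it is referenced elsewhere it can be dropped, noting that the rules (service DNs, no credentials) are now world-readable in the Nix store. `olcRootPW.path` (L838) inserts the file content verbatim and the secret at L674 is now `"${cfg.rootPw}"`, so if `cfg.rootPw` is a cleartext value rather than a `{SSHA}` hash from `slappasswd` the root password ends up cleartext in cn=config; a comment such as `# cfg.rootPw must be a slappasswd hash, never cleartext` would prevent that regression. `olcLogLevel = "none"` (L697) leaves no bind/auth events in the journal, and `"stats"` is the usual minimum for auditing failed binds. The enclosing module attrset continues above L644 and across the intermediate hunks.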
url = "https://raw.githubusercontent.com/puppetlabs/puppet/bf7c108825ffdb5ea89cf3e500d55d27ab64b8d2/ext/ldap/puppet.schema";
sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
};
- schemas = [
+ schemas = {
#"${openldap}/etc/schema/core.schema"
#"${openldap}/etc/schema/cosine.schema"
#"${openldap}/etc/schema/inetorgperson.schema"
#"${openldap}/etc/schema/nis.schema"
- puppetSchema
- kerberosSchema
- ./immae.schema
- ];
+ puppet = puppetSchema;
+ kerberos = kerberosSchema;
+ immae = ./immae.schema;
+ };
in
- builtins.concatStringsSep "\n" (map (v: "include ${v}") schemas)
+ schemas
--- /dev/null
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 22130f5f
+dn: cn=immae,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: immae
+olcObjectIdentifier: {0}Immaeroot 1.3.6.1.4.1.50071
+olcObjectIdentifier: {1}Immae Immaeroot:2
+olcObjectIdentifier: {2}ImmaeattributeType Immae:3
+olcObjectIdentifier: {3}ImmaeobjectClass Immae:4
+olcAttributeTypes: {0}( ImmaeattributeType:1 NAME 'immaeTtrssLogin' DESC 'lo
+ gin for TTRSS' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY
+ NTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: {1}( ImmaeattributeType:2 NAME 'immaeFtpDirectory' DESC '
+ home directory for ftp' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.
+ 115.121.1.26 )
+olcAttributeTypes: {2}( ImmaeattributeType:3 NAME 'immaeFtpUid' DESC 'user i
+ d for ftp' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: {3}( ImmaeattributeType:4 NAME 'immaeFtpGid' DESC 'group
+ id for ftp' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+olcAttributeTypes: {4}( ImmaeattributeType:5 NAME 'immaeSshKey' DESC 'OpenSS
+ H Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.4
+ 0 )
+olcAttributeTypes: {5}( ImmaeattributeType:6 NAME 'immaeAccessDn' EQUALITY d
+ istinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {6}( ImmaeattributeType:17 NAME 'immaeAccessWriteDn' EQUA
+ LITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {7}( ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+ EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {8}( ImmaeattributeType:7 NAME 'immaeXmppUid' DESC 'user
+ part for Xmpp' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY
+ NTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: {9}( ImmaeattributeType:8 NAME 'immaePostfixAddress' DESC
+ 'the dovecot address to match as username' EQUALITY caseIgnoreIA5Match SUB
+ STR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
+ )
+olcAttributeTypes: {10}( ImmaeattributeType:9 NAME 'immaePostfixHome' DESC '
+ the postfix home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1
+ 466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {11}( ImmaeattributeType:10 NAME 'immaePostfixMail' DESC
+ 'the dovecot mail location' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1
+ 466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {12}( ImmaeattributeType:11 NAME 'immaePostfixUid' DESC '
+ the dovecot uid' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.26 SINGLE-VALUE )
+olcAttributeTypes: {13}( ImmaeattributeType:12 NAME 'immaePostfixGid' DESC '
+ the dovecot gid' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.26 SINGLE-VALUE )
+olcAttributeTypes: {14}( ImmaeattributeType:16 NAME 'immaePuppetJson' DESC '
+ Puppet hiera json' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+ 1.1.40 )
+olcAttributeTypes: {15}( ImmaeattributeType:19 NAME 'immaeTaskId' DESC 'Task
+ warrior server Org:Name:Key' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubs
+ tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: {16}( ImmaeattributeType:20 NAME 'immaePeertubeId' DESC '
+ login for Peertube' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcObjectClasses: {0}( ImmaeobjectClass:1 NAME 'immaeTtrssClass' DESC 'Expan
+ sion of the existing object classes for ttrss' SUP top AUXILIARY MUST immae
+ TtrssLogin )
+olcObjectClasses: {1}( ImmaeobjectClass:2 NAME 'immaeFtpClass' DESC 'Expansi
+ on of the existing object classes for ftp' SUP top AUXILIARY MUST ( immaeFt
+ pDirectory $ immaeFtpGid $ immaeFtpUid ) )
+olcObjectClasses: {2}( ImmaeobjectClass:3 NAME 'immaeSshClass' DESC 'OpenSSH
+ class' SUP top AUXILIARY MAY immaeSSHKey )
+olcObjectClasses: {3}( ImmaeobjectClass:4 NAME 'immaeAccessClass' DESC 'Acce
+ ss class' SUP top AUXILIARY MAY ( immaeAccessDn $ immaeAccessWriteDn $ imma
+ eAccessReadSubtree ) )
+olcObjectClasses: {4}( ImmaeobjectClass:5 NAME 'immaeXmppClass' DESC 'Expans
+ ion of the existing object classes for XMPP' SUP top AUXILIARY MUST immaeXm
+ ppUid )
+olcObjectClasses: {5}( ImmaeobjectClass:6 NAME 'immaePostfixClass' DESC 'Exp
+ ansion of the existing object classes for Postfix' SUP top AUXILIARY MAY (
+ immaePostfixHome $ immaePostfixMail $ immaePostfixUid $ immaePostfixGid ) M
+ UST ( immaePostfixAddress ) )
+olcObjectClasses: {6}( ImmaeobjectClass:8 NAME 'immaePuppetClass' DESC 'Expa
+ nsion of the existing object classes for Puppet' SUP top AUXILIARY MUST imm
+ aePuppetJson )
+olcObjectClasses: {7}( ImmaeobjectClass:9 NAME 'immaeTaskClass' DESC 'Expans
+ ion of the existing object classes for Task' SUP top AUXILIARY MUST immaeTa
+ skId )
+olcObjectClasses: {8}( ImmaeobjectClass:10 NAME 'immaePeertubeClass' DESC 'E
+ xpansion of the existing object classes for peertube' SUP top AUXILIARY MUS
+ T immaePeertubeId )
objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
DESC 'Expansion of the existing object classes for Postfix'
SUP top AUXILIARY
- MUST ( immaePostfixAddress $ immaePostfixHome $
- immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
+ MAY ( immaePostfixHome $ immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
+ MUST ( immaePostfixAddress )
)
# Tinc informations
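Review bot: Moving immaePostfixHome/Mail/Uid/Gid from MUST to MAY (L969-L972) means an immaePostfixClass entry can now exist with no uid, gid, home or mail location, so the schema no longer guarantees that whatever maps these attributes into dovecot/postfix user lookups gets a value; confirm those lookups either apply a safe default or reject such entries, because a missing uid/gid at delivery time is an isolation problem, not a schema one. A short comment above the class would record the new contract, e.g. `# home/mail/uid/gid are optional: consumers must fall back to their global defaults when absent`. The generated cn=config copy at L953-L956 appears to carry the same definition and is marked auto-generated with a CRC32 (L884), so the two must be regenerated together rather than edited in parallel.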
--- /dev/null
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 fca3810d
+dn: cn=kerberos,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName
+ ' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1
+ .4.1.1466.115.121.1.26 )
+olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU
+ ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.
+ 1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DE
+ SC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpi
+ ration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE )
+olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags'
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewable
+ Age' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU
+ E )
+olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferen
+ ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers'
+ EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers'
+ EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers'
+ EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer'
+ EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRe
+ ferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+ .12 )
+olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNaming
+ Attr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-
+ VALUE )
+olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers'
+ EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife'
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife'
+ EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffC
+ hars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL
+ UE )
+olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLengt
+ h' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+ )
+olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryL
+ ength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA
+ LUE )
+olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQU
+ ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInt
+ erval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA
+ LUE )
+olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration
+ ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQ
+ UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUAL
+ ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLi
+ fe' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+ )
+olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalt
+ s' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
+ VALUE )
+olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRe
+ ference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 12 SINGLE-VALUE )
+olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExp
+ iration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE )
+olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKe
+ y' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolic
+ yReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+ .1.12 SINGLE-VALUE )
+olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' E
+ QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncS
+ altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEn
+ cSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory'
+ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChan
+ ge' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING
+ LE-VALUE )
+olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' E
+ QUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA
+ LUE )
+olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUAL
+ ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAl
+ iases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccess
+ fulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE )
+olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedA
+ uth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
+ GLE-VALUE )
+olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailed
+ Count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA
+ LUE )
+olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData'
+ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectRefer
+ ences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+ )
+olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContai
+ nerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
+ 2 )
+olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuth
+ Ind' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateT
+ o' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.
+ 1.4.1.1466.115.121.1.26 )
+olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP
+ top STRUCTURAL MUST cn )
+olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer
+ ' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ k
+ rbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSa
+ ltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdm
+ Servers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef
+ ) )
+olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP t
+ op ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SU
+ P krbService STRUCTURAL )
+olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SU
+ P krbService STRUCTURAL )
+olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux'
+ SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled
+ $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krb
+ PasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHisto
+ ry $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastS
+ uccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ kr
+ bAllowedToDelegateTo $ krbPrincipalAuthInd ) )
+olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP
+ top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux'
+ SUP top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' S
+ UP krbService STRUCTURAL )
+olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SU
+ P top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDif
+ fChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdF
+ ailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxL
+ ife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicy
+ Aux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRene
+ wableAge ) )
+olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy
+ ' SUP top STRUCTURAL MUST cn )
--- /dev/null
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 62aec6fb
+dn: cn=puppet,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: puppet
+olcAttributeTypes: {0}( 1.3.6.1.4.1.34380.1.1.3.10 NAME 'puppetClass' DESC '
+ Puppet Node Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.
+ 121.1.26 )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.34380.1.1.3.9 NAME 'parentNode' DESC 'Pu
+ ppet Parent Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
+ 21.1.26 SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.34380.1.1.3.11 NAME 'environment' DESC '
+ Puppet Node Environment' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.146
+ 6.115.121.1.26 )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.34380.1.1.3.12 NAME 'puppetVar' DESC 'A
+ variable setting for puppet' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1
+ .1466.115.121.1.26 )
+olcObjectClasses: {0}( 1.3.6.1.4.1.34380.1.1.1.2 NAME 'puppetClient' DESC 'P
+ uppet Client objectclass' SUP top AUXILIARY MAY ( puppetclass $ parentnode
+ $ environment $ puppetvar ) )
{ pkgs, config, lib, ... }:
let
cfg = config.myServices.databasesReplication.openldap;
- eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {};
ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
include ${pkgs.openldap}/etc/schema/core.schema
include ${pkgs.openldap}/etc/schema/cosine.schema
include ${pkgs.openldap}/etc/schema/inetorgperson.schema
include ${pkgs.openldap}/etc/schema/nis.schema
- ${eldiron_schemas}
+ include ${./openldap/immae.schema}
pidfile /run/slapd_${name}/slapd.pid
argsfile /run/slapd_${name}/slapd.args
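Review bot: The replica's slapd.conf now includes only immae.schema (L1170), whereas the `${eldiron_schemas}` string it replaces expanded to three include lines — the fetched puppet and kerberos schemas plus immae.schema (L871-L873, L880). If any replicated entry carries krb* or puppet* attribute types — the primary loads both schemas into cn=config at L978 and L1142 — the consumer presumably cannot decode them (undefined attribute type) and replication of those entries fails; either keep including the two fetched schema files alongside `include ${./openldap/immae.schema}`, or record in a comment why the replica is meant to run with a narrower schema. The enclosing `ldapConfig` function continues past the end of this hunk.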
networking.firewall.allowedTCPPorts = [ 5432 ];
security.acme.certs."postgresql" = config.myServices.databasesCerts // {
- user = "postgres";
group = "postgres";
domain = "db-1.immae.eu";
postRun = ''
systemd.services.postgresql.serviceConfig = {
SupplementaryGroups = "keys";
+ ExecStartPre = [ ("+" + (pkgs.writeShellScript "postgresql-fix-cert" ''
+ # postgresql complains:
+ # private key file "${config.security.acme.certs.postgresql.directory}/key.pem" must be owned by the database user or root
+ cp -f
+ "${config.security.acme.certs.postgresql.directory}/key.pem" "${config.services.postgresql.dataDir}/key.pem"
+ chown postgres:postgres "${config.services.postgresql.dataDir}/key.pem"
+ chmod go-r "${config.services.postgresql.dataDir}/key.pem"
+ '')) ];
};
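Review bot: In the `postgresql-fix-cert` script (L1184-L1187), `cp -f` and its two operands are on separate lines as rendered; unless a `\` continuation was lost in rendering, `cp` runs with no operands and the next line tries to execute key.pem, so the ExecStartPre fails before the chown/chmod ever run. Independently, the copy-then-chown-then-chmod sequence leaves the private key briefly with whatever mode `cp` gave it and rewrites the copy on every start; `install -m 0600 -o postgres -g postgres "${config.security.acme.certs.postgresql.directory}/key.pem" "${config.services.postgresql.dataDir}/key.pem"` does copy, ownership and mode in one step and replaces all three lines. Because the copy is refreshed only at service start, a renewed key reaches the data directory only on restart; the `postRun` hook at L1178 is cut off here, so confirm it restarts postgresql rather than reloading it. The `serviceConfig` attribute set is complete within the hunk, but the surrounding module continues outside it.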
systemd.services.postgresql.postStart = lib.mkAfter ''
# This line is already defined in 19.09
- PSQL="${pkgs.sudo}/bin/sudo -u postgres psql --port=5432"
+ PSQL="psql --port=5432"
${builtins.concatStringsSep "\n" (lib.mapAttrsToList (role: _: ''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${role}'" \
enable = true;
package = cfg.package;
enableTCPIP = true;
- extraConfig = ''
- max_connections = 100
- wal_level = logical
- shared_buffers = 512MB
- work_mem = 10MB
- max_wal_size = 1GB
- min_wal_size = 80MB
- log_timezone = 'Europe/Paris'
- datestyle = 'iso, mdy'
- timezone = 'Europe/Paris'
- lc_messages = 'en_US.UTF-8'
- lc_monetary = 'en_US.UTF-8'
- lc_numeric = 'en_US.UTF-8'
- lc_time = 'en_US.UTF-8'
- default_text_search_config = 'pg_catalog.english'
+ checkConfig = false;
+ settings = {
+ max_connections = 100;
+ wal_level = "logical";
+ shared_buffers = "512MB";
+ work_mem = "10MB";
+ max_wal_size = "1GB";
+ min_wal_size = "80MB";
+ log_timezone = "Europe/Paris";
+ datestyle = "iso, mdy";
+ timezone = "Europe/Paris";
+ lc_messages = "en_US.UTF-8";
+ lc_monetary = "en_US.UTF-8";
+ lc_numeric = "en_US.UTF-8";
+ lc_time = "en_US.UTF-8";
+ default_text_search_config = "pg_catalog.english";
# this introduces a small delay before storing on disk, but
# makes it order of magnitudes quicker
- synchronous_commit = off
- ssl = on
- ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem'
- ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem'
- '';
+ synchronous_commit = "off";
+ ssl = "on";
+ ssl_cert_file = "${config.security.acme.certs.postgresql.directory}/fullchain.pem";
+ ssl_key_file = "${config.services.postgresql.dataDir}/key.pem";
+ };
authentication = let
hosts = builtins.concatStringsSep "\n" (
lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v:
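Review bot: `checkConfig = false;` (L1214) switches off the NixOS build-time validation of postgresql.conf without saying why; presumably it is needed because `ssl_cert_file`/`ssl_key_file` (L1239-L1240) point at paths that exist only on the deployed host, but a one-line comment such as `# checkConfig runs postgres in the build sandbox, where the ACME cert and the data-dir key copy do not exist` would keep the next reader from re-enabling it blindly or leaving it off once those paths change. Note also that `ssl_key_file` now refers to a copy under `dataDir` rather than the ACME directory, so the key postgres serves is only as fresh as whatever writes that copy at service start, and a renewal is picked up only on restart. The `settings` set is complete within the hunk; the `authentication` block that follows runs past its end.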
config = lib.mkIf cfg.enable {
users.users.redis.uid = config.ids.uids.redis;
users.groups.redis.gid = config.ids.gids.redis;
- services.redis = rec {
+ services.redis.servers."" = {
enable = true;
bind = "127.0.0.1";
unixSocket = cfg.sockets.redis;
- extraConfig = ''
- unixsocketperm 777
- maxclients 1024
- '';
+ unixSocketPerm = 777;
+ maxclients = 1024;
};
systemd.services.redis.serviceConfig.Slice = "redis.slice";
+ systemd.services.redis.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";
services.spiped = {
enable = true;
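Review bot: `systemd.services.redis.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755"` (L1261), together with the `unixSocketPerm = 777` carried over at L1257, makes the socket reachable by every local account if it lives under the unit's runtime directory, and no `requirePass` is visible in this hunk; since `bind = "127.0.0.1"` (L1251) already exposes the same instance on loopback TCP this is consistent with the existing posture, but the reason for forcing the directory open deserves a comment, e.g. `# /run/redis must be traversable by the unprivileged users that connect over the socket`. If the set of clients is known, `unixSocketPerm = 660` with those users in the redis group, and the module's default directory mode, would limit the socket to them without touching the TCP side. The `services.redis.servers.""` definition is complete within the hunk.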
rev = "061f0564757289d3bea553b16f8fd5c4a0319c5e";
};
log2rotate = pkgs.writeScript "log2rotate" ''
- #!${pkgs.python3}/bin/python
+ #!${pkgs.python38}/bin/python
${builtins.readFile "${log2rotateSrc}/log2rotate.py"}
'';
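Review bot: The interpreter for log2rotate is pinned from `pkgs.python3` to `pkgs.python38` (L1268) with no comment on what breaks under the default python3, and the same pin recurs in several other modules of this commit; a pin on one minor version silently stops following nixpkgs' default interpreter and, once 3.8 ages out of nixpkgs, its security updates. State the reason inline, e.g. `# pinned: log2rotate.py is not yet compatible with the current pkgs.python3`, or better, introduce a single shared `python = pkgs.python38;` binding so the eventual unpin is one edit instead of a hunt through every module.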
${cfg.extraConfig}
${ lib.concatMapStrings
- ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
+ ({ name, file, master ? true, extraConfig ? "", slaves ? [], masters ? [] }:
''
zone "${name}" {
type ${if master then "master" else "slave"};
};
'' else ""}
allow-query { any; };
- ${extra}
+ ${extraConfig}
};
'')
- cfg.zones }
+ (builtins.attrValues cfg.zones) }
'';
mxes = lib.attrsets.filterAttrs
(n: v: v.mx.enable)
masters = if lib.attrsets.hasAttr "masters" conf
then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters)
else [];
+ slaves = [];
}) slaveZones)
++ (map (conf: {
name = conf.name;
master = true;
- extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+ extraConfig = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+ masters = [];
slaves = if lib.attrsets.hasAttr "slaves" conf
then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves)
else [];
config = lib.mkIf cfg.enable {
security.acme.certs = {
"ejabberd" = config.myServices.certificates.certConfig // {
- user = "ejabberd";
group = "ejabberd";
domain = "eldiron.immae.eu";
keyType = "rsa4096";
postRun = ''
systemctl restart ejabberd.service
'';
- extraDomains = {
- "immae.fr" = null;
- "conference.immae.fr" = null;
- "proxy.immae.fr" = null;
- "pubsub.immae.fr" = null;
- "upload.immae.fr" = null;
- };
+ extraDomainNames = [ "immae.fr" "conference.immae.fr" "proxy.immae.fr" "pubsub.immae.fr" "upload.immae.fr" ];
};
};
networking.firewall.allowedTCPPorts = [ 5222 5269 ];
config = lib.mkIf config.myServices.ftp.enable {
security.acme.certs."ftp" = config.myServices.certificates.certConfig // {
domain = "eldiron.immae.eu";
+ # FIXME: make it global
+ extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
+ extraLegoRenewFlags = ["--preferred-chain" "ISRG Root X1"];
postRun = (lib.optionalString pure-ftpd-enabled ''
systemctl restart pure-ftpd.service
'') + (lib.optionalString proftpd-enabled ''
systemctl restart proftpd.service
'');
- extraDomains = { "ftp.immae.eu" = null; };
+ extraDomainNames = [ "ftp.immae.eu" ];
};
networking = {
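Review bot: The two `--preferred-chain "ISRG Root X1"` flags (L1329-L1330) arrive with a `# FIXME: make it global` but nothing about why this chain is wanted for the ftp certificate; lego is documented to fall back to the default chain when no offered chain matches the given name, so a wrong or outdated string would not fail loudly. Record the motivation next to the FIXME, e.g. `# request the short ISRG Root X1 chain: <which client> rejects the DST Root CA X3 cross-sign`, and if it really applies to every certificate, hoist the two flags into the shared `config.myServices.certificates.certConfig` this block already merges from (L1326) rather than leaving them per-cert.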
];
in
[
- (pkgs.python3.withPackages python-packages)
+ (pkgs.python38.withPackages python-packages)
pkgs.nettools
pkgs.findutils
];
};
config = {
- system.activationScripts.update-lingering =
- stringAfter [ "users" ] updateLingering;
+ system.activationScripts.update-lingering = {
+ deps = ["users"];
+ text = "${updateLingering}";
+ };
};
}
config = lib.mkIf config.myServices.mail.enable {
security.acme.certs."mail" = config.myServices.certificates.certConfig // {
+ postRun = lib.mkBefore ''
+ cp -f fullchain.pem /etc/dovecot/fullchain.pem
+ chown :dovecot2 /etc/dovecot/fullchain.pem
+ chmod a+r /etc/dovecot/fullchain.pem
+ '';
domain = config.hostEnv.fqdn;
- extraDomains = let
+ extraDomainNames = let
zonesWithMx = builtins.filter (zone:
lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0
) config.myEnv.dns.masterZones;
mxs = map (zone: "${config.hostEnv.mx.subdomain}.${zone.name}") zonesWithMx;
- in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
+ in mxs;
};
# This is for clients that don’t support elliptic curves (e.g.
# printer)
security.acme.certs."mail-rsa" = config.myServices.certificates.certConfig // {
+ postRun = lib.mkBefore ''
+ cp -f fullchain.pem /etc/dovecot/fullchain-rsa.pem
+ chown :dovecot2 /etc/dovecot/fullchain-rsa.pem
+ chmod a+r /etc/dovecot/fullchain-rsa.pem
+ '';
domain = config.hostEnv.fqdn;
keyType = "rsa4096";
- extraDomains = let
+ extraDomainNames = let
zonesWithMx = builtins.filter (zone:
lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0
) config.myEnv.dns.masterZones;
mxs = map (zone: "${config.hostEnv.mx.subdomain}.${zone.name}") zonesWithMx;
- in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
+ in mxs;
};
systemd.slices.mail = {
description = "Mail slice";
uid = config.ids.uids.vhost;
};
users.groups.vhost.gid = config.ids.gids.vhost;
+ users.users."${config.services.dovecot2.user}".extraGroups = [ "acme" ];
# https://blog.zeninc.net/index.php?post/2018/04/01/Un-annuaire-pour-les-gouverner-tous.......
services.dovecot2 = {
protocols = [ "sieve" ];
modules = [
pkgs.dovecot_pigeonhole
- pkgs.dovecot_fts-xapian
+ pkgs.dovecot_fts_xapian
];
mailUser = "vhost";
mailGroup = "vhost";
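Review bot: `users.users."${config.services.dovecot2.user}".extraGroups = [ "acme" ];` (L1399) grants the dovecot user read access to every ACME key whose certificate keeps the default `acme` group, not only the `mail` and `mail-rsa` keys it serves; the narrower pattern this commit already uses elsewhere is the per-certificate `group` option (`group = "ejabberd";` at L1308), so `group = "dovecot2";` on the two mail certificates — matching the `chown :dovecot2` at L1362 — would give the same access without widening it to other services' keys. The `postRun` copies (L1360-L1364, L1378-L1382) only move `fullchain.pem`, which is public, so `chmod a+r` is harmless there, but they use relative paths and therefore rely on postRun running with the certificate directory as its working directory; confirm that or use `${config.security.acme.certs.mail.directory}/fullchain.pem`. The copy also exists only after the first successful issuance and `/etc/dovecot` must already exist, so dovecot2's start ordering relative to the acme units matters. The `security.acme.certs` definitions are complete within the hunk; the `services.dovecot2` block continues past it.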
Drafts = { auto = "subscribe"; specialUse = "Drafts"; };
};
mailLocation = "mbox:~/Mail:INBOX=~/Mail/Inbox:INDEX=~/.imap";
- sslServerCert = "/var/lib/acme/mail/fullchain.pem";
+ sslServerCert = "/etc/dovecot/fullchain.pem";
sslServerKey = "/var/lib/acme/mail/key.pem";
- sslCACert = "/var/lib/acme/mail/fullchain.pem";
+ sslCACert = "/etc/dovecot/fullchain.pem";
extraConfig = builtins.concatStringsSep "\n" [
# For printer which doesn’t support elliptic curve
''
- ssl_alt_cert = </var/lib/acme/mail-rsa/fullchain.pem
+ ssl_alt_cert = </etc/dovecot/fullchain-rsa.pem
ssl_alt_key = </var/lib/acme/mail-rsa/key.pem
''
postRun = ''
systemctl restart dovecot2.service
'';
- extraDomains = {
- "imap.immae.eu" = null;
- "pop3.immae.eu" = null;
- };
+ extraDomainNames = [ "imap.immae.eu" "pop3.immae.eu" ];
};
security.acme.certs."mail" = {
postRun = ''
systemctl restart dovecot2.service
'';
- extraDomains = {
- "imap.immae.eu" = null;
- "pop3.immae.eu" = null;
- };
+ extraDomainNames = [ "imap.immae.eu" "pop3.immae.eu" ];
};
};
}
Slice = "mail.slice";
User = "postfix";
Group = "postfix";
- ExecStart = let python = pkgs.python3.withPackages (p: [ p.pymilter ]);
+ ExecStart = let python = pkgs.python38.withPackages (p: [ p.pymilter ]);
in "${python}/bin/python ${./verify_from.py} -s /run/milter_verify_from/verify_from.sock";
RuntimeDirectory = "milter_verify_from";
};
enable = true;
serverConfiguration = let
filter-rewrite-from = pkgs.runCommand "filter-rewrite-from.py" {
- buildInputs = [ pkgs.python3 ];
+ buildInputs = [ pkgs.python38 ];
} ''
cp ${./filter-rewrite-from.py} $out
patchShebangs $out
'';
};
environment.systemPackages = [ config.services.opensmtpd.package ];
- services.mail.sendmailSetuidWrapper = {
- program = "sendmail";
- source = "${config.services.opensmtpd.package}/bin/smtpctl";
- setuid = false;
- setgid = false;
- };
- security.wrappers.mailq = {
- program = "mailq";
- source = "${config.services.opensmtpd.package}/bin/smtpctl";
- setuid = false;
- setgid = false;
- };
};
}
postRun = ''
systemctl restart postfix.service
'';
- extraDomains = {
- "smtp.immae.eu" = null;
- };
+ extraDomainNames = [ "smtp.immae.eu" ];
};
security.acme.certs."mail-rsa" = {
postRun = ''
systemctl restart postfix.service
'';
- extraDomains = {
- "smtp.immae.eu" = null;
- };
+ extraDomainNames = [ "smtp.immae.eu" ];
};
system.activationScripts.testmail = {
deps = [ "users" ];
systemctl restart postfix.service
'';
domain = config.hostEnv.fqdn;
- extraDomains = let
+ extraDomainNames = let
zonesWithMx = builtins.filter (zone:
lib.attrsets.hasAttr "withEmail" zone && lib.lists.length zone.withEmail > 0
) config.myEnv.dns.masterZones;
mxs = map (zone: "${config.myEnv.servers."${name}".mx.subdomain}.${zone.name}") zonesWithMx;
- in builtins.listToAttrs (map (mx: lib.attrsets.nameValuePair mx null) mxs);
+ in mxs;
};
secrets.keys = {
"postfix/mysql_alias_maps" = {
[ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];
systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
+ systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "vhost" ];
services.rspamd = {
enable = true;
debug = false;
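Review bot: `systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "vhost" ];` (L1514) is added without a comment; if `vhost` is the `mailGroup` of this setup (L1409), this hands rspamd group-level access to whatever the mail store permits that group, which is broader than the `scan_reported_mails` cron at L1512 suggests it needs. Say what rspamd reads with that group, e.g. `# needed to read reported mails from the vhost-owned mailboxes`, and if it is a single directory, prefer a dedicated group or an ACL on that directory over membership in the whole mail group.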
cp ${./plugins}/check_eriomem $out/
patchShebangs $out/check_eriomem
wrapProgram $out/check_eriomem --prefix PATH : ${lib.makeBinPath [
- pkgs.s3cmd pkgs.python3
+ pkgs.s3cmd pkgs.python38
]}
cp ${./plugins}/check_backup_age $out/check_backup_eriomem_age
patchShebangs $out/check_backup_eriomem_age
cp ${./plugins}/check_mem.sh $out/
patchShebangs $out/check_mem.sh
wrapProgram $out/check_mem.sh --prefix PATH : ${lib.makeBinPath [
- pkgs.gnugrep pkgs.gawk pkgs.procps-ng
+ pkgs.gnugrep pkgs.gawk pkgs.procps
]}
'';
};
cp ${./plugins}/check_ovh_sms $out/
patchShebangs $out/check_ovh_sms
wrapProgram $out/check_ovh_sms --prefix PATH : ${lib.makeBinPath [
- (pkgs.python3.withPackages (ps: [ps.ovh]))
+ (pkgs.python38.withPackages (ps: [ps.ovh]))
]}
'';
};
name = "eldiron";
hcfg = config.myServices.databasesReplication.openldap.hosts.eldiron;
base = config.myServices.databasesReplication.openldap.base;
- eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {};
ldapConfig = pkgs.writeText "slapd.conf" ''
include ${pkgs.openldap}/etc/schema/core.schema
include ${pkgs.openldap}/etc/schema/cosine.schema
include ${pkgs.openldap}/etc/schema/inetorgperson.schema
include ${pkgs.openldap}/etc/schema/nis.schema
- ${eldiron_schemas}
+ include ${../databases/openldap/immae.schema}
moduleload back_hdb
backend hdb
database hdb
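Review bot: This slapd.conf now includes only immae.schema (L1552), while the `${eldiron_schemas}` string it replaces expanded to includes for the fetched puppet and kerberos schemas as well (L871-L873, L880). If entries on this server carry krb* or puppet* attribute types — the primary loads both schemas into cn=config at L978 and L1142 — slapd presumably rejects them as undefined attribute types, so either keep including the two fetched schema files next to `include ${../databases/openldap/immae.schema}`, or document why this instance intentionally runs with the narrower schema. The `ldapConfig` string continues past the end of this hunk.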
};
};
security.acme.certs."${name}" = {
- extraDomains."status.immae.eu" = null;
- user = config.services.nginx.user;
+ extraDomainNames = [ "status.immae.eu" ];
group = config.services.nginx.group;
};
Type = "simple";
WorkingDirectory = "${./status}";
ExecStart = let
- python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.flask_login ]);
+ python = pkgs.python38.withPackages (p: [ p.gunicorn p.flask p.flask_login ]);
in
"${python}/bin/gunicorn -w4 --bind unix:/run/naemon-status/socket.sock app:app";
User = "naemon";
'';
};
- services.redis = rec {
+ services.redis.servers."" = rec {
enable = true;
bind = "127.0.0.1";
};
description = "Restricted shell user";
home = "/var/lib/pub";
uid = config.myEnv.users.pub.uid;
+ isNormalUser = true;
+ group = "nogroup";
useDefaultShell = true;
packages = [
restrict
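Review bot: The new `isNormalUser = true; group = "nogroup";` lines (L1582-L1583) give the restricted shell account a regular login profile while making `nogroup` its primary group, so everything it creates is group-owned by a catch-all group shared with other unprivileged processes, and any group-writable file becomes reachable by all of them. The commit already applies the dedicated-group pattern elsewhere (`users.groups.backup = {};` with `group = "backup";` at L1641/L1646); the same `users.groups.pub = {};` plus `group = "pub";` would keep this user's files in a group nobody else belongs to. The `users.users` definition starts before the hunk.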
mariadb = self.mariadb_pam;
}) # don’t put them as generic overlay because of home-manager
];
+ nixpkgs.config.permittedInsecurePackages = [
+ "nodejs-10.24.1"
+ ];
services.journald.extraConfig = ''
#Should be "warning" but disabled for now, it prevents anything from being stored
'';
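Review bot: `nixpkgs.config.permittedInsecurePackages = [ "nodejs-10.24.1" ];` (L1590-L1592) accepts a runtime that nixpkgs marks insecure, and nothing records which service pulls it in or when the exemption can go; without that, such allowances tend to outlive the need. Add a comment naming the dependent and the exit condition, e.g. `# required by <package>; drop once it builds on a supported nodejs`, and check that the consumer is not exposed to untrusted input in the meantime. Since this is a host-wide nixpkgs setting it also silences the warning for any other derivation on this host that happens to resolve to the same version.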
in
[
- pkgs.telnet
+ pkgs.inetutils
pkgs.htop
pkgs.iftop
pkgs.bind.dnsutils
pkgs.whois
pkgs.ngrep
pkgs.tcpdump
- pkgs.tshark
+ pkgs.wireshark-cli
pkgs.tcpflow
# pkgs.mitmproxy # failing
pkgs.nmap
myServices.certificates.enable = true;
security.acme.certs."${name}" = {
- user = config.services.nginx.user;
group = config.services.nginx.group;
};
services.nginx = {
};
blacklistedKernelModules = [ "nvidiafb" ];
supportedFilesystems = [ "zfs" ];
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
kernelModules = [ "kvm-intel" ];
initrd.availableKernelModules = [ "ahci" "sd_mod" ];
initrd.secrets = {
# available in nixos-20.09
#zfs.requestEncryptionCredentials = [ "zpool/root" ];
};
- nix.maxJobs = 8;
powerManagement.cpuFreqGovernor = "powersave";
hardware.enableRedistributableFirmware = true;
shell = pkgs.bashInteractive;
isSystemUser = true;
group = "libvirtd";
- packages = [ pkgs.netcat-openbsd ];
+ packages = [ pkgs.libressl.nc ];
openssh.authorizedKeys.keys = [
config.myEnv.buildbot.ssh_key.public
config.myEnv.sshd.rootKeys.ismael_flony
];
};
+ users.groups.backup = {};
users.users.backup = {
hashedPassword = "!";
isSystemUser = true;
extraGroups = [ "keys" ];
+ group = "backup";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keys = let
zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml";
virtualisation.docker.enable = true;
virtualisation.docker.storageDriver = "zfs";
virtualisation.libvirtd.enable = true;
- users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ];
+ systemd.services.libvirtd.path = lib.mkAfter [ config.boot.zfs.package ];
+ users.groups.immae = {};
+ users.extraUsers.immae.extraGroups = [ "immae" "libvirtd" "docker" ];
systemd.services.libvirtd.postStart = ''
install -m 0770 -g libvirtd -d /var/lib/libvirt/images
'';
time.timeZone = "Europe/Paris";
nix = {
- useSandbox = "relaxed";
+ settings = {
+ sandbox = "relaxed";
+ max-jobs = 8;
+ substituters = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
+ trusted-public-keys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+ };
extraOptions = ''
keep-outputs = true
keep-derivations = true
"home-manager=${pkgs.sources.home-manager.url}"
"nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}"
];
- nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
- nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
myServices.monitoring.enable = true;
myServices.certificates.enable = true;
security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // {
- user = "immae";
+ group = "immae";
domain = "dilion.immae.eu";
};
security.acme.certs."${name}" = {
- user = config.services.nginx.user;
group = config.services.nginx.group;
- extraDomains = {
- "dilion.immae.dev" = null;
- "caldance.cs.immae.dev" = null;
- "zulip.carpentier.earth" = null;
- "zulip.tof.carpentier.earth" = null;
- "zulip.dine.carpentier.earth" = null;
- "zulip.quentin.carpentier.earth" = null;
- "zulip.agnes.carpentier.earth" = null;
+ extraDomainNames = [
+ "dilion.immae.dev"
+ "caldance.cs.immae.dev"
+ "zulip.carpentier.earth"
+ "zulip.tof.carpentier.earth"
+ "zulip.dine.carpentier.earth"
+ "zulip.quentin.carpentier.earth"
+ "zulip.agnes.carpentier.earth"
- "ofn.nc.immae.dev" = null;
+ "ofn.nc.immae.dev"
- "bookstack.cc.immae.dev" = null;
- };
+ "bookstack.cc.immae.dev"
+ ];
};
services.nginx = {
enable = true;
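Review bot: `trusted-public-keys` in the new `nix.settings` block lists only the hydra.iohk.io key, so whether cache.nixos.org's key remains trusted on this host now depends on the NixOS module merging its own default into the list rather than on the old `nix.binaryCachePublicKeys` option; that is worth confirming on the deployed machine with `nix show-config | grep trusted-public-keys`, because a missing key makes paths from cache.nixos.org fail signature checks and fall back to local builds without any configuration error. `substituters` also names hydra.iohk.io before cache.nixos.org, so it is queried first for every path. A short comment would make the trust decision reviewable later, e.g. `# hydra.iohk.io is a trusted substituter for <which packages — fill in>; its key signs whatever it serves`. The `nix = {` set continues outside the hunk.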
# zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup
# pour flony:
# zfs allow backup hold,release,bookmark,snapshot,send zpool
- services.zrepl = {
+ immaeServices.zrepl = {
enable = true;
config = ''
global:
client_cns:
- flony
filesystems:
- "zpool/docker<": true
"zpool/libvirt<": true
"zpool/root<": true
snapshotting:
type: manual
+ - type: source
+ # must not change
+ name: "backup-to-wd-zpool-docker"
+ # not encrypted!
+ serve:
+ type: tls
+ listen: :19002
+ ca: ${config.secrets.fullPaths."zrepl/certificates/flony.crt"}
+ cert: ${config.secrets.fullPaths."zrepl/certificates/dilion.crt"}
+ key: ${config.secrets.fullPaths."zrepl/dilion.key"}
+ client_cns:
+ - flony
+ filesystems:
+ "zpool/docker<": true
+ snapshotting:
+ type: manual
'';
};
# This value determines the NixOS release with which your system is
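Review bot: `listen: :19002` in the new `source` job binds the zrepl TLS endpoint on every interface, although the job is meant for a single peer (`client_cns: - flony`, with `ca` pinned to flony's certificate), so binding to the address that peer actually reaches or adding a matching firewall rule would limit the listener's exposure even though mutual TLS already rejects other clients. The comment `# not encrypted!` does not say what is unencrypted — the transport is TLS, so presumably the dataset; suggest `# zpool/docker is not a ZFS-encrypted dataset, so the receiving side holds it in clear — confirm`. `# must not change` would also be clearer as `# zrepl derives snapshot/bookmark names from the job name; renaming breaks incremental replication`, if that is the reason.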
Type = "oneshot";
RemainAfterExit = "yes";
};
+ path = [ config.boot.zfs.package ];
script =
let
xml = pkgs.writeText "libvirt-guest-${name}.xml"
Type = "oneshot";
RemainAfterExit = "yes";
};
+ path = [ config.boot.zfs.package ];
script = let
xml = pkgs.writeText "libvirt-network-${name}.xml" ''
<network>
Type = "oneshot";
RemainAfterExit = "yes";
};
+ path = [ config.boot.zfs.package ];
script = let
xml = pkgs.writeText "libvirt-pool-${name}.xml" ''
<pool type="${pool.type}">
};
supportedFilesystems = [ "zfs" ];
kernelParams = ["zfs.zfs_arc_max=6442450944"];
- kernelPackages = pkgs.linuxPackages_latest;
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd.availableKernelModules = [ "ahci" "sd_mod" ];
initrd.secrets = {
"/boot/pass.key" = "/boot/pass.key";
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0"
'';
- nix.maxJobs = 8;
+ nix.settings.max-jobs = 8;
powerManagement.cpuFreqGovernor = "powersave";
myEnv = import ../../../nixops/secrets/environment.nix;
};
};
programs.ssh.knownHosts.dilion = {
- hostNames = ["dilion.immae.eu"];
+ extraHostNames = ["dilion.immae.eu"];
publicKey = let
profile = config.myEnv.rsync_backup.profiles.dilion;
in
environment.systemPackages = [ pkgs.bindfs ];
- services.zrepl = {
+ immaeServices.zrepl = {
enable = true;
config = let
redis_dump = pkgs.writeScript "redis-dump" ''
environment.systemPackages = [
sponsoredUser userquotas
pkgs.git pkgs.vim pkgs.rsync pkgs.strace pkgs.home-manager
- pkgs.telnet pkgs.htop pkgs.iftop pkgs.bind.dnsutils pkgs.httpie
- pkgs.iotop pkgs.whois pkgs.ngrep pkgs.tcpdump pkgs.tshark
+ pkgs.inetutils pkgs.htop pkgs.iftop pkgs.bind.dnsutils pkgs.httpie
+ pkgs.iotop pkgs.whois pkgs.ngrep pkgs.tcpdump pkgs.wireshark-cli
pkgs.tcpflow pkgs.nmap pkgs.p0f pkgs.socat pkgs.lsof pkgs.psmisc
pkgs.openssl pkgs.wget pkgs.pv pkgs.smartmontools pkgs.youtube-dl
pkgs.unzip pkgs.octave pkgs.feh pkgs.xv pkgs.sshfs pkgs.gdb
permissions = "0400";
user = "openldap";
group = "openldap";
- text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
+ text = "${serverSpecificConfig.ldap_root_pw}";
};
"webapps/tools-ldap" = {
user = "wwwrun";
users.users.openldap.extraGroups = [ "keys" ];
services.openldap = {
enable = true;
- dataDir = "/var/lib/openldap";
urlList = [ "ldap://localhost" ];
- logLevel = "none";
- extraConfig = ''
- pidfile /run/slapd/slapd.pid
- argsfile /run/slapd/slapd.args
-
- moduleload back_hdb
- backend hdb
- '';
-
- extraDatabaseConfig = ''
- moduleload memberof
- overlay memberof
-
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
-
- index objectClass eq
- index uid pres,eq
- #index uidMember pres,eq
- index mail pres,sub,eq
- index cn pres,sub,eq
- index sn pres,sub,eq
- index dc eq
- index member eq
- index memberOf eq
-
- # No one must access that information except root
- access to attrs=description
- by * none
-
- access to attrs=entry,uid filter="(uid=*)"
- by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
- by * break
-
- access to dn.subtree="ou=users,dc=salle-s,dc=org"
- by dn.subtree="ou=services,dc=salle-s,dc=org" read
- by * break
-
- access to *
- by self read
- by anonymous auth
- by * break
- '';
- rootpwFile = config.secrets.fullPaths."ldap/password";
- suffix = "dc=salle-s,dc=org";
- rootdn = "cn=root,dc=salle-s,dc=org";
- database = "hdb";
+ settings = {
+ attrs = {
+ olcPidFile = "/run/slapd/slapd.pid";
+ olcArgsFile = "/run/slapd/slapd.args";
+ olcLogLevel = "none";
+ };
+ children = {
+ "cn=module{0}" = {
+ attrs = {
+ cn = "module{0}";
+ objectClass = [ "olcModuleList" ];
+ olcModuleLoad = [ "{0}back_hdb" "{1}memberof" "{2}syncprov" ];
+ };
+ };
+ "cn=schema".includes = map (schema:
+ "${config.services.openldap.package}/etc/schema/${schema}.ldif"
+ ) [ "core" "cosine" "inetorgperson" "nis" ];
+ "olcDatabase={0}config" = {
+ attrs = {
+ objectClass = "olcDatabaseConfig";
+ olcDatabase = "{0}config";
+ olcAccess = ["{0}to * by * none"];
+ };
+ };
+ "olcDatabase={1}hdb" = {
+ attrs = {
+ objectClass = [ "olcDatabaseConfig" "olcHdbConfig" ];
+ olcDatabase = "{1}hdb";
+ olcAccess = let
+ join = builtins.replaceStrings ["\n"] [" "];
+ in [
+ (join ''{0}to attrs=description
+ by * none
+ '')
+ (join ''{1}to filter="(uid=*)" attrs=entry,uid
+ by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
+ by * break
+ '')
+ (join ''{2}to dn.subtree="ou=users,dc=salle-s,dc=org"
+ by dn.subtree="ou=services,dc=salle-s,dc=org" read
+ by * break
+ '')
+ (join ''{3}to *
+ by self read
+ by anonymous auth
+ by * break
+ '')
+ ];
+ olcDbIndex = [
+ "objectClass eq"
+ "uid pres,eq"
+ #"uidMember pres,eq"
+ "mail pres,eq,sub"
+ "cn pres,eq,sub"
+ "sn pres,eq,sub"
+ "dc eq"
+ "member eq"
+ "memberOf eq"
+ ];
+ olcDbDirectory = "/var/lib/openldap";
+ olcRootDN = "cn=root,dc=salle-s,dc=org";
+ olcRootPW.path = config.secrets.fullPaths."ldap/password";
+ olcSuffix = "dc=salle-s,dc=org";
+ };
+ children = {
+ "olcOverlay={0}memberof" = {
+ attrs = {
+ objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
+ olcOverlay = "{0}memberof";
+ };
+ };
+ "olcOverlay={1}syncprov" = {
+ attrs = {
+ objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ];
+ olcOverlay = "{1}syncprov";
+ olcSpCheckpoint = "100 10";
+ };
+ };
+ };
+ };
+ };
+ };
};
services.websites.env.production.modules = [ "proxy_fcgi" ];
};
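Review bot: `olcRootPW.path` points at the `ldap/password` secret whose content is now reduced to the bare `ldap_root_pw` value; if that value is a cleartext password rather than a `{SSHA}` hash, the directory's root credential sits in clear in the 0400 file and in every backup of it, so storing a hash generated with `slappasswd` is preferable and the secret definition should carry a comment stating which form is expected. The `{0}config` database is closed to everyone (`{0}to * by * none`), which fits managing cn=config only through this module but also means `ldapsearch -b cn=config` diagnostics will be refused — worth a one-line comment so nobody treats that as a breakage. Rule `{3}` (`to * by self read by anonymous auth by * break`) is carried over unchanged and still lets a bound user read every attribute of its own entry, `userPassword` included; a preceding `to attrs=userPassword by self write by anonymous auth by * none` rule is the usual hardening, though it is outside what this migration changes. The enclosing module continues outside the hunk.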
security.acme.certs."task" = config.myServices.certificates.certConfig // {
- inherit user group;
+ inherit group;
domain = fqdn;
postRun = ''
systemctl restart taskserver.service
inherit app;
serviceDeps = [ "mysql.service" ];
phpOpenbasedir = [ "/tmp" secretsPath ];
+ phpPackage = pkgs.php74;
phpPool = {
"php_admin_value[upload_max_filesize]" = "100M";
"php_admin_value[post_max_size]" = "100M";
{ varDir, secretsPath
-, composerEnv, fetchFromGitHub, fetchurl }:
+, composerEnv, fetchFromGitHub, fetchurl, php74 }:
let
- app = composerEnv.buildPackage (
- import ./php-packages.nix { inherit composerEnv fetchurl; } //
+ composerEnv' = composerEnv.override { php = php74; };
+ app = composerEnv'.buildPackage (
+ import ./php-packages.nix { composerEnv = composerEnv'; inherit fetchurl; } //
rec {
version = "master-7d86952";
pname = "agorakit";
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
- database_server_version: ${pkgs.mariadb.mysqlVersion}
+ database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion}
mailer_transport: sendmail
mailer_host: null
mailer_user: null
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
- database_server_version: ${pkgs.mariadb.mysqlVersion}
+ database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion}
mailer_transport: sendmail
mailer_host: null
mailer_user: null
Type = "simple";
WorkingDirectory = varDir;
ExecStart = let
- python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
+ python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
in
"${python}/bin/gunicorn -w4 -p /run/denise_bingo/gunicorn.pid --bind unix:${socket} app:app";
User = "wwwrun";
Type = "simple";
WorkingDirectory = varDirBeta;
ExecStart = let
- python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask ]);
+ python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask ]);
in
"${python}/bin/gunicorn -w4 -p /run/denise_bingo_beta/gunicorn.pid --bind unix:${socket_beta} app:app";
User = "wwwrun";
Type = "simple";
WorkingDirectory = varDir;
ExecStart = let
- python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
+ python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
in
"${python}/bin/gunicorn -w4 -p /run/denise_oms/gunicorn.pid --bind unix:${socket} app:app";
User = "wwwrun";
Type = "simple";
WorkingDirectory = varDirBeta;
ExecStart = let
- python = pkgs.python3.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
+ python = pkgs.python39.withPackages (p: [ p.gunicorn p.flask p.matplotlib p.unidecode ]);
in
"${python}/bin/gunicorn -w4 -p /run/denise_oms_beta/gunicorn.pid --bind unix:${socket_beta} app:app";
User = "wwwrun";
options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration";
config = lib.mkIf cfg.enable {
- security.acme.certs."ftp".extraDomains."ft.immae.dev" = null;
+ security.acme.certs."ftp".extraDomainNames = [ "ft.immae.dev" ];
services.websites.env.integration.modules = adminer.apache.modules;
services.websites.env.integration.vhostConfs.florian_integration = {
options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production";
config = lib.mkIf cfg.enable {
- security.acme.certs."ftp".extraDomains."tellesflorian.com" = null;
+ security.acme.certs."ftp".extraDomainNames = [ "tellesflorian.com" ];
services.websites.env.production.modules = adminer.apache.modules;
services.websites.env.production.vhostConfs.florian_production = {
config = lib.mkIf cfg.enable {
services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ];
- security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
+ security.acme.certs."ftp".extraDomainNames = [ "naturaloutil.immae.eu" ];
secrets.keys."websites/jerome/naturaloutil" = {
user = apacheUser;
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
- database_server_version: ${pkgs.mariadb.mysqlVersion}
+ database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion}
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
- database_server_version: ${pkgs.mariadb.mysqlVersion}
+ database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion}
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
config = lib.mkIf cfg.enable {
services.webstats.sites = [ { name = domain; } ];
- security.acme.certs."ftp".extraDomains."${domain}" = null;
+ security.acme.certs."ftp".extraDomainNames = [ domain ];
services.websites.env.production.vhostConfs.nassime = {
certName = "nassime";
install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${varDir}
'';
};
- security.acme.certs."ftp".extraDomains."${domain}" = null;
+ security.acme.certs."ftp".extraDomainNames = [ domain ];
services.websites.env.production.vhostConfs.nath_villon = {
certName = "nath";
name = secrets.mysql.database;
user = secrets.mysql.user;
password = secrets.mysql.password;
- version = pkgs.mariadb.mysqlVersion;
+ version = config.myServices.databases.mariadb.package.mysqlVersion;
};
admipassword = secrets.adminpassword;
smtp = {
{ varDir
, secretsPath
-, composerEnv, fetchFromGitHub, fetchurl, fetchgit }:
+, composerEnv, fetchFromGitHub, fetchurl, fetchgit, php73 }:
let
- app = composerEnv.buildPackage (
- import ./php-packages.nix { inherit composerEnv fetchurl fetchgit; } //
+ composerEnv' = composerEnv.override { php = php73; };
+ app = composerEnv'.buildPackage (
+ import ./php-packages.nix { composerEnv = composerEnv'; inherit fetchurl fetchgit; } //
rec {
version = "1.32.3";
pname = "gestion-compte";
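Review bot: `composerEnv.override { php = php73; }` pins gestion-compte to PHP 7.3, which upstream stopped shipping security fixes for in December 2021, while the agorakit package in the same series of hunks is pinned to `php74` and `services.phpfpm.phpPackage = pkgs.php74` is used for the pools. The pin deserves a comment naming the constraint that blocks 7.4, e.g. `# gestion-compte 1.32.3 does not run on PHP >= 7.4 (<reason — fill in>); PHP 7.3 is EOL, revisit on upgrade`, so the end-of-life runtime stays tracked rather than forgotten. The `let` block continues outside the hunk.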
name = secrets.mysql.database;
user = secrets.mysql.user;
password = secrets.mysql.password;
- version = pkgs.mariadb.mysqlVersion;
+ version = config.myServices.databases.mariadb.package.mysqlVersion;
};
admipassword = secrets.adminpassword;
smtp = {
requires = ["poetry-core>=1.0.0"]
build-backend = "poetry.core.masonry.api"
'';
- newPoetry = pkgs.poetry.override { python = pkgs.python36; };
+ newPoetry = pkgs.poetry.override { python = pkgs.python37; };
in
pkgs.mkShell {
buildInputs = [ pkgs.perl pkgs.gcc pkgs.libjpeg pkgs.libxslt pkgs.pkg-config pkgs.postgresql_11 pkgs.cyrus_sasl pkgs.openldap pkgs.zlib pkgs.file pkgs.libxml2 newPoetry ];
options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website";
config = lib.mkIf cfg.enable {
- security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null;
+ security.acme.certs."ftp".extraDomainNames = [ "surveillance.maison.bbc.bouya.org" ];
services.cron = {
systemCronJobs = let
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
- database_server_version: ${pkgs.mariadb.mysqlVersion}
+ database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion}
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
- database_server_version: ${pkgs.mariadb.mysqlVersion}
+ database_server_version: ${config.myServices.databases.mariadb.package.mysqlVersion}
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
config = lib.mkIf cfg.enable {
services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ];
- security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null;
+ security.acme.certs."ftp".extraDomainNames = [ "telio-tortay.immae.eu" ];
system.activationScripts.telio_tortay = {
deps = [ "httpd" ];
RewriteEngine On
- ProxyPass /500.html !
- ProxyPass /sw.js !
- ProxyPass /embed.js !
- ProxyPass /robots.txt !
- ProxyPass /manifest.json !
- ProxyPass /browserconfig.xml !
- ProxyPass /mask-icon.svg !
- ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
- ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
-
RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
+ RewriteRule ^/api/v1/streaming/public$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/public [P,NE,QSA,L]
RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
- ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+ RewriteCond %{REQUEST_URI} !/500.html
+ RewriteCond %{REQUEST_URI} !/sw.js
+ RewriteCond %{REQUEST_URI} !/embed.js
+ RewriteCond %{REQUEST_URI} !/robots.txt
+ RewriteCond %{REQUEST_URI} !/manifest.json
+ RewriteCond %{REQUEST_URI} !/browserconfig.xml
+ RewriteCond %{REQUEST_URI} !/mask-icon.svg
+ RewriteCond %{REQUEST_URI} !^(/.*\.(png|ico|gif)$)
+ RewriteCond %{REQUEST_URI} !^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge)
+ RewriteRule ^/(.*)$ unix:///run/mastodon/live_immae_puma.sock|http://mastodon.immae.eu/$1 [P,NE,QSA,L]
ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
Alias /system ${mcfg.dataDir}
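Review bot: The `RewriteCond %{REQUEST_URI} !/robots.txt` style exclusions added here are unanchored regular expressions, unlike the exact-prefix `ProxyPass ... !` directives they replace: `/robots.txt` also matches `/api/v1/robots.txt/x`, and the unescaped `.` matches any character, so a crafted path containing one of these substrings skips the proxy and is handled by Apache locally instead of reaching Mastodon. Anchoring and escaping them restores the old semantics in one condition, `RewriteCond %{REQUEST_URI} !^/(500\.html|sw\.js|embed\.js|robots\.txt|manifest\.json|browserconfig\.xml|mask-icon\.svg)$` (the two `^/...` conditions are already anchored). Separately, the catch-all `RewriteRule ^/(.*)$ unix:///run/mastodon/live_immae_puma.sock|...` hardcodes the socket while the `ProxyPassReverse` just below still uses `${mcfg.sockets.rails}`; if the two ever differ the directives disagree, so the rule should use `unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/$1` like the `ProxyPass` it replaced.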
let
env = config.myEnv.tools.peertube;
cfg = config.myServices.websites.tools.peertube;
- pcfg = config.services.peertube;
+ pcfg = config.immaeServices.peertube;
in {
options.myServices.websites.tools.peertube = {
enable = lib.mkEnableOption "enable Peertube's website";
};
config = lib.mkIf cfg.enable {
- services.peertube = {
+ immaeServices.peertube = {
enable = true;
configFile = config.secrets.fullPaths."webapps/tools-peertube";
};
'';
};
toVhost = ips: vhostConf: {
+ acmeRoot = "/var/lib/acme/acme-challenges";
forceSSL = vhostConf.forceSSL or true;
useACMEHost = vhostConf.certName;
logFormat = "combinedVhost";
if (!isNull (groupToDomain g))
then cfg.certs // {
domain = groupToDomain g;
- extraDomains = builtins.listToAttrs (
- map (d: attrsets.nameValuePair d null) (extraDomains g));
+ extraDomainNames = extraDomains g;
}
else {
- extraDomains = builtins.listToAttrs (
- map (d: attrsets.nameValuePair d null) (extraDomains g));
+ extraDomainNames = extraDomains g;
}
) groupedCerts;
group = mkDefault cfg.group;
email = if hostOpts.adminAddr != null then hostOpts.adminAddr else cfg.adminAddr;
webroot = hostOpts.acmeRoot;
- extraDomains = genAttrs hostOpts.serverAliases (alias: null);
+ extraDomainNames = hostOpts.serverAliases;
postRun = "systemctl reload httpd.service";
}) (filterAttrs (name: hostOpts: hostOpts.enableACME) cfg.virtualHosts);
}
) cfgByEnv;
+ services.phpfpm.phpPackage = pkgs.php74;
services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
name {
user = icfg.httpdUser;
{ config, lib, pkgs, name, ... }:
let
- cfg = config.services.zrepl;
+ cfg = config.immaeServices.zrepl;
in
{
options = {
- services.zrepl = {
+ immaeServices.zrepl = {
enable = lib.mkEnableOption "Enable the zrepl daemon";
config = lib.mkOption {
"homepage": "https://rycee.gitlab.io/home-manager/",
"owner": "rycee",
"repo": "home-manager",
- "rev": "6cf6b587b575493e7718bf08b209013d7dcf4d58",
- "sha256": "0666ayxazbphjn5xcrczv8m7k2q62k224fvf0kz1lx9qjn93wkvr",
+ "rev": "9580f6c42af2535dc7890edb681ead090f5105f2",
+ "sha256": "0ahfyaba0zkh3hhxfk7pp9smbz7bykqfp5hcd36qig7bnppwa3jq",
"type": "tarball",
- "url": "https://github.com/rycee/home-manager/archive/6cf6b587b575493e7718bf08b209013d7dcf4d58.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "nixpkgs": {
- "branch": "nixos-unstable",
- "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
- "homepage": "https://github.com/NixOS/nixpkgs",
- "owner": "NixOS",
- "repo": "nixpkgs-channels",
- "rev": "fce7562cf46727fdaf801b232116bc9ce0512049",
- "sha256": "14rvi69ji61x3z88vbn17rg5vxrnw2wbnanxb7y0qzyqrj7spapx",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs-channels/archive/fce7562cf46727fdaf801b232116bc9ce0512049.tar.gz",
+ "url": "https://github.com/rycee/home-manager/archive/9580f6c42af2535dc7890edb681ead090f5105f2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-home-manager": {
"branch": "nixos-unstable",
- "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
- "homepage": "https://github.com/NixOS/nixpkgs",
- "owner": "NixOS",
- "repo": "nixpkgs-channels",
- "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
- "sha256": "1ak7jqx94fjhc68xh1lh35kh3w3ndbadprrb762qgvcfb8351x8v",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs-channels/archive/c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "nixpkgs-nix": {
- "branch": "nixos-unstable",
- "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
+ "description": "Nix Packages collection",
"homepage": "https://github.com/NixOS/nixpkgs",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "891f607d5301d6730cb1f9dcf3618bcb1ab7f10e",
- "sha256": "1cr39f0sbr0h5d83dv1q34mcpwnkwwbdk5fqlyqp2mnxghzwssng",
+ "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026",
+ "sha256": "0vfd7g1gwy9lcnnv8kclqr68pndd9sg0xq69h465zbbzb2vnijh9",
"type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/891f607d5301d6730cb1f9dcf3618bcb1ab7f10e.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/062a0c5437b68f950b081bbfc8a699d57a4ee026.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-nixops": {
"branch": "nixos-unstable",
- "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
+ "description": "Nix Packages collection",
"homepage": "https://github.com/NixOS/nixpkgs",
"owner": "NixOS",
- "repo": "nixpkgs-channels",
- "rev": "840c782d507d60aaa49aa9e3f6d0b0e780912742",
- "sha256": "14q3kvnmgz19pgwyq52gxx0cs90ddf24pnplmq33pdddbb6c51zn",
+ "repo": "nixpkgs",
+ "rev": "062a0c5437b68f950b081bbfc8a699d57a4ee026",
+ "sha256": "0vfd7g1gwy9lcnnv8kclqr68pndd9sg0xq69h465zbbzb2vnijh9",
"type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs-channels/archive/840c782d507d60aaa49aa9e3f6d0b0e780912742.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/062a0c5437b68f950b081bbfc8a699d57a4ee026.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"webapps-landing": {
self: super: {
bitlbee-discord = super.bitlbee-discord.overrideAttrs(old: rec {
- version = "master-3061edd";
+ version = "master";
name = "bitlbee-discord-${version}";
src = self.fetchFromGitHub {
- rev = "master";
+ rev = "607f9887ca85f246e970778e3d40aa5c346365a7";
owner = "sm00th";
repo = "bitlbee-discord";
- sha256 = "07gjd4b0g09888gpaqwcjafr8m292y2qz0gzharxjh1k2jbs88g3";
+ sha256 = "0jkwhx2walx2ay0vc9x13q0j1qq4r5x30ss03a3j7ks28xvsnxc7";
};
});
}
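Review bot: `version = "master"` drops the commit identifier from the derivation name just as `rev` becomes a pinned commit, so two builds of different pins now produce indistinguishable store path names; the previous convention `master-<short rev>` was more useful. Suggest `version = "master-607f988";`, matching the first seven characters of the pinned `rev`. Pinning `rev` to a full commit instead of the `master` branch is the right direction and not being questioned here.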
self: super: {
bonfire = let
- click = self.python3Packages.click.overridePythonAttrs(old: rec {
- version = "6.7";
- src = self.python3Packages.fetchPypi {
- pname = "click";
- inherit version;
- sha256 = "02qkfpykbq35id8glfgwc38yc430427yd05z1wc5cnld8zgicmgi";
- };
- postPatch = ''
- substituteInPlace click/_unicodefun.py --replace "'locale'" "'${self.locale}/bin/locale'"
- '';
- doCheck = false;
- });
- keyring = self.python3Packages.keyring.overridePythonAttrs(old: rec {
- version = "20.0.1";
- src = self.python3Packages.fetchPypi {
- pname = "keyring";
- inherit version;
- sha256 = "963bfa7f090269d30bdc5e25589e5fd9dad2cf2a7c6f176a7f2386910e5d0d8d";
- };
- });
in
super.bonfire.overridePythonAttrs(old: {
version = "0.0.8";
src = self.fetchFromGitHub {
owner = "blue-yonder";
repo = "bonfire";
- rev = "0a0f18469d484aba6871fa7421bbb2c00ccefcb0";
- sha256 = "1y2r537ibghhmk6jngw0zwvh1vn2bihqcvji50ffh1j0qc6q3x6x";
+ rev = "6807fd36e27605bfdf9858bcb345c97b55cf013d";
+ sha256 = "1ngggsi8x8qilhjzpv0srgdyzdn82m6g6gqszbdgn1splqqv3iyl";
};
postPatch = "";
- propagatedBuildInputs = self.lib.subtractLists [ self.python3Packages.click self.python3Packages.keyring ] old.propagatedBuildInputs ++ [ click keyring ];
meta.broken = false;
});
}
self: super: rec {
- mariadb_pam = super.mariadb.overrideAttrs(old: {
+ mariadb_pam = super.mariadb_106.overrideAttrs(old: {
cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
buildInputs = old.buildInputs ++ [ self.pam ];
outputs = old.outputs ++ [ "dev" ];
+ passthru = old.passthru // { mysqlVersion = "5.7"; };
postInstall = ''
mkdir -p $dev $dev/lib $dev/share
cp -a $out/include $dev
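Review bot: `passthru = old.passthru // { mysqlVersion = "5.7"; };` reports a MySQL 5.7 version string for what is now a MariaDB 10.6 build, and the other hunks feed `mysqlVersion` into `database_server_version` for the PHP applications; without a comment a later maintainer will likely "correct" it to `10.6` and change those applications' SQL platform selection. Suggest `# database_server_version (presumably Doctrine DBAL) wants a MySQL-style version; MariaDB 10.6 is reported as 5.7 so the apps keep MySQL 5.7 platform behaviour — confirm against the apps' DBAL versions`. The `overrideAttrs` body continues outside the hunk.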
let
flakeCompat = import ../lib/flake-compat.nix;
flakes = builtins.foldl' (a: b: a // b) {} (map (n: (flakeCompat n).overlays) [
- ../flakes/backports
../flakes/etherpad-lite
../flakes/grocy
../flakes/openarc
../flakes/mediagoblin
../flakes/private/peertube
../flakes/private/buildbot
+ ../flakes/private/php
]);
in flakes // {
mylibs = self: super: { mylibs = import ../lib { pkgs = self; }; };
lesspipe = import ./lesspipe;
mysql = import ./databases/mysql;
neomutt = import ./neomutt;
- nixops = import ./nixops;
pass = import ./pass;
php-packages = import ./php-packages;
postfix = import ./postfix;
postgresql = import ./databases/postgresql;
- procps-ng = import ./procps-ng;
- sc-im = import ./sc-im;
+ procps = import ./procps-ng;
shaarli = import ./shaarli;
slrn = import ./slrn;
- taskwarrior = import ./taskwarrior;
vcsh = import ./vcsh;
weechat = import ./weechat;
ympd = import ./ympd;
static const float mfact = 0.55; /* factor of master area size [0.05..0.95] */
static const int nmaster = 1; /* number of clients in master area */
static const int resizehints = 1; /* 1 means respect size hints in tiled resizals */
+static const int lockfullscreen = 1; /* 1 will force focus on the fullscreen window */
static const Layout layouts[] = {
/* symbol arrange function */
self: super: {
- elinks = super.elinks.overrideAttrs (old:
- self.mylibs.fetchedGithub ./elinks.json // rec {
- preConfigure = ''sh autogen.sh'';
- buildInputs = old.buildInputs ++ (with self; [ gettext automake autoconf ]);
- configureFlags = [
- "--disable-smb" "--without-x" "--enable-cgi"
- "--enable-leds" "--enable-256-colors"
- "--enable-html-highlight" "--with-zlib"
- ];
- patches = [];
- }
- );
+ elinks = super.elinks.overrideAttrs (old: rec {
+ configureFlags = old.configureFlags ++ [
+ "--disable-smb" "--without-x" "--enable-leds" "--with-zlib"
+ ];
+ });
}
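Review bot: `rec` on the new override attrset at `elinks = super.elinks.overrideAttrs (old: rec {` is unused — nothing inside refers to `configureFlags` — so `(old: {` is simpler and rules out accidental self-reference later. Appending to `old.configureFlags` instead of replacing the list (as the removed code did) keeps upstream's flags, which is the right shape; a one-line comment on why SMB support and X are disabled here, e.g. `# no SMB/X: this elinks only runs in a terminal over SSH`, would save the next reader from guessing.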
+++ /dev/null
-{
- "tag": "f86be65-master",
- "meta": {
- "name": "elinks",
- "url": "https://github.com/nabetaro/elinks",
- "branch": "master"
- },
- "github": {
- "owner": "nabetaro",
- "repo": "elinks",
- "rev": "f86be659718c0cd0a67f88b42f07044c23d0d028",
- "sha256": "1jxb7xgawcjkb3gw4gqyw26g02709wwdbhyczfckh3l4njxhy14m",
- "fetchSubmodules": true
- }
-}
sha256 = "0n82mjz9i17800r7vs45sxpss14rivsf1j8hrv7jal24iyfm01dz";
excludes = [ "doc/NEWS.md" ];
})
+ (self.fetchpatch {
+ name = "path_local.patch";
+ url = "https://github.com/ledger/ledger/commit/ba8ec32435313b4749a3733071b3184ca6bd8e14.patch";
+ sha256 = "17zgc765ypcf808jay271kqv7m17slr37q13gzllp776qi2n95ca";
+ excludes = [ "test/regress/BF3C1F82-2.test" ];
+ })
];
});
}
self: super: {
- morph = super.morph.overrideAttrs(old: {
- patches = (old.patches or []) ++ [ ./verbose_nix.patch ./dry-run.patch ];
+ morph = super.morph.overrideAttrs(old: rec {
+ version = "1.6.0-30-g5b85237";
+ src = self.fetchFromGitHub {
+ owner = "dbcdk";
+ repo = "morph";
+ rev = "5b852370d8054a895b5ba79b5ef017c3afbb3a3c";
+ sha256 = "166dwibbpb90bdy8dvhlinh6gc509f8pq8wn345h01pilf7fc8fh";
+ };
+
+ ldflags = [
+ "-X main.version=${version}"
+ ];
+ preBuild = ''
+ ldflags+=" -X main.assetRoot=$lib"
+ '';
+ postInstall = ''
+ mkdir -p $lib
+ cp -v ./data/*.nix $lib
+ '';
+
+ outputs = [ "out" "lib" ];
+ vendorSha256 = "08zzp0h4c4i5hk4whz06a3da7qjms6lr36596vxz0d8q0n7rspr9";
+
+ patches = (old.patches or []) ++ [ ./dry-run.patch ];
});
}
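Review bot: `src` and `vendorSha256` are supplied through `overrideAttrs`, which only changes attributes of the final derivation; if `super.morph` is built with `buildGoModule`, the vendored-modules fixed-output derivation is constructed inside that builder from the original `src`/`vendorSha256`, so the new values may never reach it and the build would either fail with a hash mismatch or compile the new source against the old vendor tree — worth confirming with an actual build. Where that is the case, the usual fixes are to set the new `src` on the modules derivation as well via `overrideModAttrs`, or to replace the package with a fresh `buildGoModule` call that carries both values. Pinning the source by `rev` plus `sha256` and deriving `-X main.version=${version}` from the same `rec` is fine as written.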
self: super: {
neomutt = super.neomutt.overrideAttrs(old: rec {
- version = "20211029";
- src = self.fetchFromGitHub {
- owner = "neomutt";
- repo = "neomutt";
- rev = "3429205b716c12eff84db4b35daf91a7e959e31d";
- sha256 = "17mfdi2brdmd6mjg04rsnz2aqngbmp6vb4xja9q1cvhdagcs0sxv";
- };
nativeBuildInputs = old.nativeBuildInputs ++ [self.w3m];
patches = old.patches or [] ++ [
./tx.patch
+++ /dev/null
-self: super: {
- nixops = super.nixops.overrideAttrs (old: {
- patches = [
- ./fix_glibc.patch
- (self.fetchpatch {
- name = "hetzner_cloud.patch";
- url = "https://github.com/goodraven/nixops/commit/272e50d0b0262e49cdcaad42cdab57aad183d1c2.patch";
- sha256 = "12wcrb0155ald52m7fbr2m5rrxdnwdwripq91ckscgsk42mdc517";
- })
- ];
- preConfigure = (old.preConfigure or "") + ''
- # https://github.com/NixOS/nixops/issues/1216
- sed -i -e "/Register the paths in the Nix database./s/#.*$/export USER=root/" nix/libvirtd-image.nix
-
- sed -i -e '/^import sys$/s/$/; sys.tracebacklimit = 0/' scripts/nixops
- sed -i -e "/'keyFile'/s/'path'/'string'/" nixops/backends/__init__.py
- sed -i -e "/security.initialRootPassword/d" nix/hetzner.nix
- '';
- });
-}
+++ /dev/null
-diff --git a/nix/hetzner-bootstrap.nix b/nix/hetzner-bootstrap.nix
-index 035e6f9..def42a1 100644
---- a/nix/hetzner-bootstrap.nix
-+++ b/nix/hetzner-bootstrap.nix
-@@ -3,9 +3,7 @@ with import <nixpkgs> { system = "x86_64-linux"; };
- let
- pkgsNative = import <nixpkgs> {};
-
-- nixpart = python2Packages.nixpart0.override {
-- useNixUdev = false;
-- };
-+ nixpart = python2Packages.nixpart0;
-
- generateConfig = (import <nixpkgs/nixos> {
- configuration = {};
+++ /dev/null
-From 272e50d0b0262e49cdcaad42cdab57aad183d1c2 Mon Sep 17 00:00:00 2001
-From: goodraven
- <employee-pseudonym-7f597def-7eeb-47f8-b10a-0724f2ba59a9@google.com>
-Date: Thu, 3 May 2018 22:24:58 -0700
-Subject: [PATCH] Initial commit adding support for hetzner cloud
-
-This is based on the digital ocean backend. It also uses nixos-infect. I extended nixos-infect to be generic
-for both backends.
-
-Fixes #855
----
- examples/trivial-hetzner-cloud.nix | 12 ++
- nix/eval-machine-info.nix | 1 +
- nix/hetzner-cloud.nix | 56 +++++++
- nix/options.nix | 1 +
- nixops/backends/hetzner_cloud.py | 230 +++++++++++++++++++++++++++++
- nixops/data/nixos-infect | 77 +++++++---
- 6 files changed, 354 insertions(+), 23 deletions(-)
- create mode 100644 examples/trivial-hetzner-cloud.nix
- create mode 100644 nix/hetzner-cloud.nix
- create mode 100644 nixops/backends/hetzner_cloud.py
-
-diff --git a/examples/trivial-hetzner-cloud.nix b/examples/trivial-hetzner-cloud.nix
-new file mode 100644
-index 000000000..c61add6bb
---- /dev/null
-+++ b/examples/trivial-hetzner-cloud.nix
-@@ -0,0 +1,12 @@
-+{
-+ resources.sshKeyPairs.ssh-key = {};
-+
-+ machine = { config, pkgs, ... }: {
-+ services.openssh.enable = true;
-+
-+ deployment.targetEnv = "hetznerCloud";
-+ deployment.hetznerCloud.serverType = "cx11";
-+
-+ networking.firewall.allowedTCPPorts = [ 22 ];
-+ };
-+}
-diff --git a/nix/eval-machine-info.nix b/nix/eval-machine-info.nix
-index 2884b4b47..6a7205786 100644
---- a/nix/eval-machine-info.nix
-+++ b/nix/eval-machine-info.nix
-@@ -309,6 +309,7 @@ rec {
- digitalOcean = optionalAttrs (v.config.deployment.targetEnv == "digitalOcean") v.config.deployment.digitalOcean;
- gce = optionalAttrs (v.config.deployment.targetEnv == "gce") v.config.deployment.gce;
- hetzner = optionalAttrs (v.config.deployment.targetEnv == "hetzner") v.config.deployment.hetzner;
-+ hetznerCloud = optionalAttrs (v.config.deployment.targetEnv == "hetznerCloud") v.config.deployment.hetznerCloud;
- container = optionalAttrs (v.config.deployment.targetEnv == "container") v.config.deployment.container;
- route53 = v.config.deployment.route53;
- virtualbox =
-diff --git a/nix/hetzner-cloud.nix b/nix/hetzner-cloud.nix
-new file mode 100644
-index 000000000..21d148c1a
---- /dev/null
-+++ b/nix/hetzner-cloud.nix
-@@ -0,0 +1,56 @@
-+{ config, pkgs, lib, utils, ... }:
-+
-+with utils;
-+with lib;
-+with import ./lib.nix lib;
-+
-+let
-+ cfg = config.deployment.hetznerCloud;
-+in
-+{
-+ ###### interface
-+ options = {
-+
-+ deployment.hetznerCloud.authToken = mkOption {
-+ default = "";
-+ example = "8b2f4e96af3997853bfd4cd8998958eab871d9614e35d63fab45a5ddf981c4da";
-+ type = types.str;
-+ description = ''
-+ The API auth token. We're checking the environment for
-+ <envar>HETZNER_CLOUD_AUTH_TOKEN</envar> first and if that is
-+ not set we try this auth token.
-+ '';
-+ };
-+
-+ deployment.hetznerCloud.datacenter = mkOption {
-+ example = "fsn1-dc8";
-+ default = null;
-+ type = types.nullOr types.str;
-+ description = ''
-+ The datacenter.
-+ '';
-+ };
-+
-+ deployment.hetznerCloud.location = mkOption {
-+ example = "fsn1";
-+ default = null;
-+ type = types.nullOr types.str;
-+ description = ''
-+ The location.
-+ '';
-+ };
-+
-+ deployment.hetznerCloud.serverType = mkOption {
-+ example = "cx11";
-+ type = types.str;
-+ description = ''
-+ Name or id of server types.
-+ '';
-+ };
-+ };
-+
-+ config = mkIf (config.deployment.targetEnv == "hetznerCloud") {
-+ nixpkgs.system = mkOverride 900 "x86_64-linux";
-+ services.openssh.enable = true;
-+ };
-+}
-diff --git a/nix/options.nix b/nix/options.nix
-index 0866c3ab8..db021f74d 100644
---- a/nix/options.nix
-+++ b/nix/options.nix
-@@ -22,6 +22,7 @@ in
- ./keys.nix
- ./gce.nix
- ./hetzner.nix
-+ ./hetzner-cloud.nix
- ./container.nix
- ./libvirtd.nix
- ];
-diff --git a/nixops/backends/hetzner_cloud.py b/nixops/backends/hetzner_cloud.py
-new file mode 100644
-index 000000000..a2cb176b9
---- /dev/null
-+++ b/nixops/backends/hetzner_cloud.py
-@@ -0,0 +1,230 @@
-+# -*- coding: utf-8 -*-
-+"""
-+A backend for hetzner cloud.
-+
-+This backend uses nixos-infect (which uses nixos LUSTRATE) to infect a
-+hetzner cloud instance. The setup requires two reboots, one for
-+the infect itself, another after we pushed the nixos image.
-+"""
-+import os
-+import os.path
-+import time
-+import socket
-+
-+import requests
-+
-+import nixops.resources
-+from nixops.backends import MachineDefinition, MachineState
-+from nixops.nix_expr import Function, RawValue
-+import nixops.util
-+import nixops.known_hosts
-+
-+infect_path = os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'data', 'nixos-infect'))
-+
-+API_HOST = 'api.hetzner.cloud'
-+
-+class ApiError(Exception):
-+ pass
-+
-+class ApiNotFoundError(ApiError):
-+ pass
-+
-+class HetznerCloudDefinition(MachineDefinition):
-+ @classmethod
-+ def get_type(cls):
-+ return "hetznerCloud"
-+
-+ def __init__(self, xml, config):
-+ MachineDefinition.__init__(self, xml, config)
-+ self.auth_token = config["hetznerCloud"]["authToken"]
-+ self.location = config["hetznerCloud"]["location"]
-+ self.datacenter = config["hetznerCloud"]["datacenter"]
-+ self.server_type = config["hetznerCloud"]["serverType"]
-+
-+ def show_type(self):
-+ return "{0} [{1}]".format(self.get_type(), self.location or self.datacenter or 'any location')
-+
-+
-+class HetznerCloudState(MachineState):
-+ @classmethod
-+ def get_type(cls):
-+ return "hetznerCloud"
-+
-+ state = nixops.util.attr_property("state", MachineState.MISSING, int) # override
-+ public_ipv4 = nixops.util.attr_property("publicIpv4", None)
-+ public_ipv6 = nixops.util.attr_property("publicIpv6", None)
-+ location = nixops.util.attr_property("hetznerCloud.location", None)
-+ datacenter = nixops.util.attr_property("hetznerCloud.datacenter", None)
-+ server_type = nixops.util.attr_property("hetznerCloud.serverType", None)
-+ auth_token = nixops.util.attr_property("hetznerCloud.authToken", None)
-+ server_id = nixops.util.attr_property("hetznerCloud.serverId", None, int)
-+
-+ def __init__(self, depl, name, id):
-+ MachineState.__init__(self, depl, name, id)
-+ self.name = name
-+
-+ def get_ssh_name(self):
-+ return self.public_ipv4
-+
-+ def get_ssh_flags(self, *args, **kwargs):
-+ super_flags = super(HetznerCloudState, self).get_ssh_flags(*args, **kwargs)
-+ return super_flags + [
-+ '-o', 'UserKnownHostsFile=/dev/null',
-+ '-o', 'StrictHostKeyChecking=no',
-+ '-i', self.get_ssh_private_key_file(),
-+ ]
-+
-+ def get_physical_spec(self):
-+ return Function("{ ... }", {
-+ 'imports': [ RawValue('<nixpkgs/nixos/modules/profiles/qemu-guest.nix>') ],
-+ ('boot', 'loader', 'grub', 'device'): 'nodev',
-+ ('fileSystems', '/'): { 'device': '/dev/sda1', 'fsType': 'ext4'},
-+ ('users', 'extraUsers', 'root', 'openssh', 'authorizedKeys', 'keys'): [self.depl.active_resources.get('ssh-key').public_key],
-+ })
-+
-+ def get_ssh_private_key_file(self):
-+ return self.write_ssh_private_key(self.depl.active_resources.get('ssh-key').private_key)
-+
-+ def create_after(self, resources, defn):
-+ # make sure the ssh key exists before we do anything else
-+ return {
-+ r for r in resources if
-+ isinstance(r, nixops.resources.ssh_keypair.SSHKeyPairState)
-+ }
-+
-+ def get_auth_token(self):
-+ return os.environ.get('HETZNER_CLOUD_AUTH_TOKEN', self.auth_token)
-+
-+ def _api(self, path, method=None, data=None, json=True):
-+ """Basic wrapper around requests that handles auth and serialization."""
-+ assert path[0] == '/'
-+ url = 'https://%s%s' % (API_HOST, path)
-+ token = self.get_auth_token()
-+ if not token:
-+ raise Exception('No hetzner cloud auth token set')
-+ headers = {
-+ 'Authorization': 'Bearer '+self.get_auth_token(),
-+ }
-+ res = requests.request(
-+ method=method,
-+ url=url,
-+ json=data,
-+ headers=headers)
-+
-+ if res.status_code == 404:
-+ raise ApiNotFoundError('Not Found: %r' % path)
-+ elif not res.ok:
-+ raise ApiError('Response for %s %s has status code %d: %s' % (method, path, res.status_code, res.content))
-+ if not json:
-+ return
-+ try:
-+ res_data = res.json()
-+ except ValueError as e:
-+ raise ApiError('Response for %s %s has invalid JSON (%s): %r' % (method, path, e, res.content))
-+ return res_data
-+
-+
-+ def destroy(self, wipe=False):
-+ if not self.server_id:
-+ self.log('server {} was never made'.format(self.name))
-+ return
-+ self.log('destroying server {} with id {}'.format(self.name, self.server_id))
-+ try:
-+ res = self._api('/v1/servers/%s' % (self.server_id), method='DELETE')
-+ except ApiNotFoundError:
-+ self.log("server not found - assuming it's been destroyed already")
-+
-+ self.public_ipv4 = None
-+ self.server_id = None
-+
-+ return True
-+
-+ def _create_ssh_key(self, public_key):
-+ """Create or get an ssh key and return an id."""
-+ public_key = public_key.strip()
-+ res = self._api('/v1/ssh_keys', method='GET')
-+ name = 'nixops-%s-%s' % (self.depl.uuid, self.name)
-+ deletes = []
-+ for key in res['ssh_keys']:
-+ if key['public_key'].strip() == public_key:
-+ return key['id']
-+ if key['name'] == name:
-+ deletes.append(key['id'])
-+ for d in deletes:
-+ # This reply is empty, so don't decode json.
-+ self._api('/v1/ssh_keys/%d' % d, method='DELETE', json=False)
-+ res = self._api('/v1/ssh_keys', method='POST', data={
-+ 'name': name,
-+ 'public_key': public_key,
-+ })
-+ return res['ssh_key']['id']
-+
-+ def create(self, defn, check, allow_reboot, allow_recreate):
-+ ssh_key = self.depl.active_resources.get('ssh-key')
-+ if ssh_key is None:
-+ raise Exception('Please specify a ssh-key resource (resources.sshKeyPairs.ssh-key = {}).')
-+
-+ self.set_common_state(defn)
-+
-+ if self.server_id is not None:
-+ return
-+
-+ ssh_key_id = self._create_ssh_key(ssh_key.public_key)
-+
-+ req = {
-+ 'name': self.name,
-+ 'server_type': defn.server_type,
-+ 'start_after_create': True,
-+ 'image': 'debian-9',
-+ 'ssh_keys': [
-+ ssh_key_id,
-+ ],
-+ }
-+
-+ if defn.datacenter:
-+ req['datacenter'] = defn.datacenter
-+ elif defn.location:
-+ req['location'] = defn.location
-+
-+ self.log_start("creating server ...")
-+ create_res = self._api('/v1/servers', method='POST', data=req)
-+ self.server_id = create_res['server']['id']
-+ self.public_ipv4 = create_res['server']['public_net']['ipv4']['ip']
-+ self.public_ipv6 = create_res['server']['public_net']['ipv6']['ip']
-+ self.datacenter = create_res['server']['datacenter']['name']
-+ self.location = create_res['server']['datacenter']['location']['name']
-+
-+ action = create_res['action']
-+ action_path = '/v1/servers/%d/actions/%d' % (self.server_id, action['id'])
-+
-+ while action['status'] == 'running':
-+ time.sleep(1)
-+ res = self._api(action_path, method='GET')
-+ action = res['action']
-+
-+ if action['status'] != 'success':
-+ raise Exception('unexpected status: %s' % action['status'])
-+
-+ self.log_end("{}".format(self.public_ipv4))
-+
-+ self.wait_for_ssh()
-+ self.log_start("running nixos-infect")
-+ self.run_command('bash </dev/stdin 2>&1', stdin=open(infect_path))
-+ self.reboot_sync()
-+
-+ def reboot(self, hard=False):
-+ if hard:
-+ self.log("sending hard reset to server...")
-+ res = self._api('/v1/servers/%d/actions/reset' % self.server_id, method='POST')
-+ action = res['action']
-+ action_path = '/v1/servers/%d/actions/%d' % (self.server_id, action['id'])
-+ while action['status'] == 'running':
-+ time.sleep(1)
-+ res = self._api(action_path, method='GET')
-+ action = res['action']
-+ if action['status'] != 'success':
-+ raise Exception('unexpected status: %s' % action['status'])
-+ self.wait_for_ssh()
-+ self.state = self.STARTING
-+ else:
-+ MachineState.reboot(self, hard=hard)
-diff --git a/nixops/data/nixos-infect b/nixops/data/nixos-infect
-index 66634357b..437a2ec61 100644
---- a/nixops/data/nixos-infect
-+++ b/nixops/data/nixos-infect
-@@ -68,26 +68,49 @@ makeConf() {
- }
- EOF
- # (nixos-generate-config will add qemu-user and bind-mounts, so avoid)
-+ local disk
-+ if [ -e /dev/sda ]; then
-+ disk=/dev/sda
-+ else
-+ disk=/dev/vda
-+ fi
- cat > /etc/nixos/hardware-configuration.nix << EOF
- { ... }:
- {
- imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
-- boot.loader.grub.device = "/dev/vda";
-- fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
-+ boot.loader.grub.device = "${disk}";
-+ fileSystems."/" = { device = "${disk}1"; fsType = "ext4"; };
- }
- EOF
-
- local IFS=$'\n'
-- ens3_ip4s=($(ip address show dev eth0 | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
-- ens3_ip6s=($(ip address show dev eth0 | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
-- ens4_ip4s=($(ip address show dev eth1 | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
-- ens4_ip6s=($(ip address show dev eth1 | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
-- gateway=($(ip route show dev eth0 | grep default | sed -r 's|default via ([0-9.]+).*|\1|'))
-- gateway6=($(ip -6 route show dev eth0 | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|'))
-- ether0=($(ip address show dev eth0 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
-- ether1=($(ip address show dev eth1 | grep link/ether | sed -r 's|.*link/ether ([0-9a-f:]+) .*|\1|'))
-+ gateway=($(ip route show | grep default | sed -r 's|default via ([0-9.]+).*|\1|'))
-+ gateway6=($(ip -6 route show | grep default | sed -r 's|default via ([0-9a-f:]+).*|\1|'))
-+ interfaces=($(ip link | awk -F ': ' '/^[0-9]*: / {if ($2 != "lo") {print $2}}'))
- nameservers=($(grep ^nameserver /etc/resolv.conf | cut -f2 -d' '))
-
-+ # Predict the predictable name for each interface since that is enabled in
-+ # the nixos system.
-+ declare -A predictable_names
-+ for interface in ${interfaces[@]}; do
-+ # udevadm prints out the candidate names which will be selected if
-+ # available in this order.
-+ local name=$(udevadm info /sys/class/net/$interface | awk -F = '
-+ /^E: ID_NET_NAME_FROM_DATABASE=/ {arr[1]=$2}
-+ /^E: ID_NET_NAME_ONBOARD=/ {arr[2]=$2}
-+ /^E: ID_NET_NAME_SLOT=/ {arr[3]=$2}
-+ /^E: ID_NET_NAME_PATH=/ {arr[4]=$2}
-+ /^E: ID_NET_NAME_MAC=/ {arr[5]=$2}
-+ END {for (i=1;i<6;i++) {if (length(arr[i]) > 0) { print arr[i]; break}}}')
-+ if [ -z "$name" ]; then
-+ echo Could not determine predictable name for interface $interface
-+ fi
-+ predictable_names[$interface]=$name
-+ done
-+
-+ # Take a gamble on the first interface being able to reach the gateway.
-+ local default_interface=${predictable_names[${interfaces[0]}]}
-+
- cat > /etc/nixos/networking.nix << EOF
- { ... }: {
- # This file was populated at runtime with the networking
-@@ -96,25 +119,27 @@ EOF
- nameservers = [$(for a in ${nameservers[@]}; do echo -n "
- \"$a\""; done)
- ];
-- defaultGateway = "${gateway}";
-- defaultGateway6 = "${gateway6}";
-+ defaultGateway = {address = "${gateway}"; interface = "${default_interface}";};
-+ defaultGateway6 = {address = "${gateway6}"; interface = "${default_interface}";};
- interfaces = {
-- ens3 = {
-- ip4 = [$(for a in ${ens3_ip4s[@]}; do echo -n "
-- $a"; done)
-- ];
-- ip6 = [$(for a in ${ens3_ip6s[@]}; do echo -n "
-- $a"; done)
-- ];
-- };
-- ens4 = {
-- ip4 = [$(for a in ${ens4_ip4s[@]}; do echo -n "
-+EOF
-+
-+ for interface in ${interfaces[@]}; do
-+ ip4s=($(ip address show dev $interface | grep 'inet ' | sed -r 's|.*inet ([0-9.]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
-+ ip6s=($(ip address show dev $interface | grep 'inet6 .*global' | sed -r 's|.*inet6 ([0-9a-f:]+)/([0-9]+).*|{ address="\1"; prefixLength=\2; }|'))
-+ cat >> /etc/nixos/networking.nix << EOF
-+ ${predictable_names[$interface]} = {
-+ ip4 = [$(for a in ${ip4s[@]}; do echo -n "
- $a"; done)
- ];
-- ip6 = [$(for a in ${ens4_ip6s[@]}; do echo -n "
-+ ip6 = [$(for a in ${ip6s[@]}; do echo -n "
- $a"; done)
- ];
- };
-+EOF
-+ done
-+
-+ cat >> /etc/nixos/networking.nix << EOF
- };
- };
- }
-@@ -154,6 +179,12 @@ export HOME="/root"
- groupadd -r nixbld -g 30000
- seq 1 10 | xargs -I{} useradd -c "Nix build user {}" -d /var/empty -g nixbld -G nixbld -M -N -r -s `which nologin` nixbld{}
-
-+if ! which curl >/dev/null 2>/dev/null; then
-+ if which apt-get >/dev/null 2>/dev/null; then
-+ apt-get update && apt-get install -y curl
-+ fi
-+fi
-+
- curl https://nixos.org/nix/install | sh
-
- source ~/.nix-profile/etc/profile.d/nix.sh
self: super: {
pass = super.pass.overrideAttrs (old: rec {
- patches = old.patches ++ [ ./pass-fix-pass-init.patch ];
+ prePatch = ''
+ sed -i -e "s/\bsub\b/[sp]ub/g" src/password-store.sh
+ '';
});
}
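Review bot: `sed -i -e "s/\bsub\b/[sp]ub/g" src/password-store.sh` rewrites every standalone word `sub` in the script, not just the gpg key-listing match the patch it replaces presumably targeted, so any other occurrence of the word (a comment, a string, a future upstream change) is silently altered too. Constraining the substitution to the intended line, e.g. `sed -i -e '/gpg.*--list/s/\bsub\b/[sp]ub/' src/password-store.sh` with the exact address taken from the script, or keeping `./pass-fix-pass-init.patch`, keeps the change reviewable. A short comment stating what the `[sp]ub` pattern is for would help as well.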
self: super: rec {
myPhpPackages.mysqli_pam = self.php74.extensions.mysqli.overrideAttrs(old: {
- configureFlags = [ "--with-mysqli=${self.libmysqlclient_pam}/bin/mysql_config" "--with-mysql-sock=/run/mysqld/mysqld.sock" ];
- patches = old.patches or [] ++ [ ./mysqli_patch.patch ];
+ configureFlags = [ "--with-mysqli=${self.libmysqlclient_pam.dev}/bin/mysql_config" "--with-mysql-sock=/run/mysqld/mysqld.sock" ];
});
}
self: super: {
- procps-ng = super.procps-ng.overrideAttrs(old: {
+ procps-watch8bit = super.procps.overrideAttrs(old: {
configureFlags = old.configureFlags ++ [ "--enable-watch8bit" ];
});
}
# needs to come before all other in alphabetical order (or make use of
# lib.mkBefore)
__pythonOverlayFix = self: super: let
- pyNames = [ "python3" "python36" "python37" "python38" ];
+ pyNames = [ "python3" "python37" "python38" ];
overriddenPython = name: [
{ inherit name; value = super.${name}.override { packageOverrides = self.pythonOverrides; }; }
{ name = "${name}Packages"; value = self.recurseIntoAttrs self.${name}.pkgs; }
+++ /dev/null
-self: super: {
- sc-im = super.sc-im.overrideAttrs (old: {
- buildPhase = ''
- cd src
- sed -i Makefile -e 's@\...name.info@.local/state/$(name)info@'
- cd ..
- '' + old.buildPhase;
- });
-}
self: super: {
vcsh = super.vcsh.overrideAttrs(old: {
patchPhase = old.patchPhase or "" + ''
- sed -i -e 's@-r "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@-f "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@' vcsh
+ sed -i -e 's@-r "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@-f "$XDG_CONFIG_HOME/vcsh/config.d/$VCSH_REPO_NAME"@' vcsh.in
'';
});
}
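Review bot: `patchPhase = old.patchPhase or "" + ''…''` overrides the stdenv patch phase wholesale; when `super.vcsh` does not set `patchPhase`, the default phase that applies `patches` is skipped, so any upstream patches would no longer be applied (whether vcsh currently has any is not visible here). Using the hook instead keeps the standard phase intact: `postPatch = (old.postPatch or "") + ''` followed by the same `sed` on `vcsh.in`. The target change from `vcsh` to `vcsh.in` itself looks right for an autoconf-style template.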
weechat = super.weechat.override {
configure = { availablePlugins, ... }: {
plugins = with self; with availablePlugins; [
- (python.withPackages (ps: with ps; [websocket_client emoji]))
+ (python.withPackages (ps: with ps; [cffi websocket_client emoji]))
perl
ruby
];
-{ stdenv, fetchurl, expat, openssl, autoconf, ncurses }:
+{ stdenv, fetchurl, expat, openssl, autoconf269, ncurses }:
stdenv.mkDerivation rec {
name = "boinctui-${version}";
- version = "2.5.0";
+ version = "2.6.0";
src = fetchurl {
url = "http://sourceforge.net/projects/boinctui/files/boinctui_${version}.tar.gz";
- sha256 = "16zxp8r4z6pllacdacg681y56cg2phnn3pm5gwszbsi93cix2g8p";
+ sha256 = "1c6hc4x28z8hjncxcwxhb0r3980f72i6480569a0hd9y7vcgf3d0";
};
configureFlags = [ "--without-gnutls" ];
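Review bot: the tarball is still fetched over plain `http://sourceforge.net/...` (the context line above the updated `sha256`); the hash bump keeps integrity, so a tampered download fails rather than builds, but the plaintext fetch is unnecessary. `https://` or the nixpkgs mirror form `mirror://sourceforge/boinctui/boinctui_${version}.tar.gz` avoids it with no other change. The version and hash update itself is fine.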
autoconf
'';
+ makeFlags = [ "DESTDIR=$(out)" ];
preBuild = ''
sed -i -e 's/"HOME"/"XDG_CONFIG_HOME"/' src/cfg.cpp
sed -i -e 's@\.boinctui\.cfg@boinctui/boinctui.cfg@' src/mainprog.cpp
'';
- buildInputs = [ expat openssl autoconf ncurses ];
+ buildInputs = [ expat openssl autoconf269 ncurses ];
}
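Review bot: `buildInputs = [ expat openssl autoconf269 ncurses ];` lists `autoconf269` as a runtime/library input, but it is a build tool that is actually executed during the build (the `autoconf` line at the top of this hunk), so it belongs in `nativeBuildInputs = [ autoconf269 ];` with `buildInputs = [ expat openssl ncurses ];`. The new `makeFlags = [ "DESTDIR=$(out)" ];` is correct but easy to misread as a Nix interpolation; a comment such as `# $(out) is expanded by make from the exported $out, not by Nix` would spare the next reader the double-take. The derivation's attribute set starts outside the hunk.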
# This file originates from composer2nix
-{ stdenv, writeTextFile, fetchurl, php, unzip }:
+{ stdenv, lib, writeTextFile, fetchurl, php, unzip }:
let
composer = stdenv.mkDerivation {
'';
meta = {
description = "Dependency Manager for PHP";
- #license = stdenv.licenses.mit;
- maintainers = [ stdenv.lib.maintainers.sander ];
- platforms = stdenv.lib.platforms.unix;
+ #license = lib.licenses.mit;
+ maintainers = [ lib.maintainers.sander ];
+ platforms = lib.platforms.unix;
};
};
else
$allPackages = array();
- ${stdenv.lib.optionalString (!noDev) ''
+ ${lib.optionalString (!noDev) ''
if(array_key_exists("packages-dev", $config))
$allPackages = array_merge($allPackages, $config["packages-dev"]);
''}
};
bundleDependencies = dependencies:
- stdenv.lib.concatMapStrings (dependencyName:
+ lib.concatMapStrings (dependencyName:
let
dependency = dependencies.${dependencyName};
in
# Copy or symlink the provided dependencies
cd vendor
${bundleDependencies packages}
- ${stdenv.lib.optionalString (!noDev) (bundleDependencies devPackages)}
+ ${lib.optionalString (!noDev) (bundleDependencies devPackages)}
cd ..
# Reconstruct autoload scripts
# We use the optimize feature because Nix packages cannot change after they have been built
# Using the dynamic loader for a Nix package is useless since there is nothing to dynamically reload.
- composer dump-autoload --optimize ${stdenv.lib.optionalString noDev "--no-dev"}
+ composer dump-autoload --optimize ${lib.optionalString noDev "--no-dev"}
# Run the install step as a validation to confirm that everything works out as expected
- composer install --optimize-autoloader ${stdenv.lib.optionalString noDev "--no-dev"}
+ composer install --optimize-autoloader ${lib.optionalString noDev "--no-dev"}
- ${stdenv.lib.optionalString executable ''
+ ${lib.optionalString executable ''
# Reconstruct the bin/ folder if we deploy an executable project
${constructBin} composer.json
ln -s $(pwd)/vendor/bin $out/bin
''}
- ${stdenv.lib.optionalString (!symlinkDependencies) ''
+ ${lib.optionalString (!symlinkDependencies) ''
# Patch the shebangs if possible
if [ -d $(pwd)/vendor/bin ]
then
} // extraArgs);
in
{
- composer = stdenv.lib.makeOverridable composer;
- buildZipPackage = stdenv.lib.makeOverridable buildZipPackage;
- buildPackage = stdenv.lib.makeOverridable buildPackage;
+ composer = lib.makeOverridable composer;
+ buildZipPackage = lib.makeOverridable buildZipPackage;
+ buildPackage = lib.makeOverridable buildPackage;
}
nb = callPackage ./nb {};
note = callPackage ./note {};
notmuch-python2 = callPackage ./notmuch/notmuch-python { pythonPackages = python2Packages; };
- notmuch-python3 = callPackage ./notmuch/notmuch-python { pythonPackages = python3Packages; };
+ notmuch-python3 = callPackage ./notmuch/notmuch-python { pythonPackages = python38Packages; };
notmuch-vim = callPackage ./notmuch/notmuch-vim {};
- pgloader = callPackage ./pgloader {};
predixy = callPackage ./predixy { inherit mylibs; };
rrsync_sudo = callPackage ./rrsync_sudo {};
signaldctl = callPackage ./signaldctl {};
};
python3PackagesPlus = callPackage ./python-packages {
- python = python3;
+ python = python38;
inherit mylibs;
};
dovecot_deleted-to-trash = callPackage ./dovecot/plugins/deleted_to_trash {
-{ stdenv, fetchurl, boost, gperf, libevent, libmysqlclient, libuuid, python3, sqlite, hiredis, postgresql, openssl }:
+{ stdenv, fetchurl, boost, gperf, libevent, libmysqlclient, libuuid, sqlite, hiredis, postgresql, openssl }:
stdenv.mkDerivation rec {
pname = "gearmand";
version = "1.1.19.1";
-{ stdenv, fetchurl, mpfr, glib, hicolor-icon-theme, gtk2, intltool, gnome-doc-utils, python3, gnome2, autoconf, automake, libtool, ncurses, readline, pkg-config, }:
+{ stdenv, fetchurl, mpfr, glib, hicolor-icon-theme, gtk2, intltool, gnome-doc-utils, python38, gnome2, autoconf, automake, libtool, ncurses, readline, pkg-config, }:
stdenv.mkDerivation rec {
name = "genius-${version}";
version = "1.0.24";
sha256 = "772f95f6ae4716d39bb180cd50e8b6b9b074107bee0cd083b825e1e6e55916b6";
};
buildInputs = [
- mpfr glib hicolor-icon-theme gtk2 intltool gnome-doc-utils python3 gnome2.gtksourceview
+ mpfr glib hicolor-icon-theme gtk2 intltool gnome-doc-utils python38 gnome2.gtksourceview
autoconf automake libtool ncurses readline pkg-config
];
preConfigure = ''
{ stdenv, iputils, fetchpatch, fetchurl, file, hostname, perl, openssl,
- bind, openldap, procps-ng, postfix,
+ bind, openldap, procps, postfix,
wrapperDir ? "/run/wrappers/bin"
}:
stdenv.mkDerivation rec {
--with-sudo-command="${wrapperDir}/sudo"
'';
- buildInputs = [ perl file hostname iputils openssl openldap procps-ng bind.dnsutils postfix ];
+ buildInputs = [ perl file hostname iputils openssl openldap procps bind.dnsutils postfix ];
}
-{ buildPerlPackage, fetchurl, perlPackages, lib }:
-buildPerlPackage rec {
+{ fetchurl, perlPackages, lib }:
+perlPackages.buildPerlPackage rec {
pname = "mtop";
version = "0.6.6";
src = fetchurl {
-{ lib, buildPerlPackage, fetchurl, perlPackages }:
-buildPerlPackage rec {
+{ lib, fetchurl, perlPackages }:
+perlPackages.buildPerlPackage rec {
pname = "note";
version = "1.3.26";
src = fetchurl {
+++ /dev/null
-# https://github.com/NixOS/nixpkgs/pull/61702
-{ stdenv, fetchurl, makeWrapper, sbcl, sqlite, freetds, libzip, curl, git, cacert, openssl }:
-stdenv.mkDerivation rec {
- pname = "pgloader";
- version = "3.6.1";
- name = "${pname}-${version}";
-
- src = fetchurl {
- url = "https://github.com/dimitri/pgloader/releases/download/v3.6.1/pgloader-bundle-3.6.1.tgz";
- sha256 = "1sm8xmq30d1biin5br0y3vrv4fydbrzfqglz1hnvrkdyxrg7d6f9";
- };
-
- nativeBuildInputs = [ git makeWrapper ];
- buildInputs = [ sbcl cacert sqlite freetds libzip curl openssl ];
-
- LD_LIBRARY_PATH = stdenv.lib.makeLibraryPath [ sqlite libzip curl git openssl freetds ];
-
- buildPhase = ''
- export PATH=$PATH:$out/bin
- export HOME=$TMPDIR
-
- make pgloader
- '';
-
- dontStrip = true;
- enableParallelBuilding = false;
-
- installPhase = ''
- install -Dm755 bin/pgloader "$out/bin/pgloader"
- wrapProgram $out/bin/pgloader --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}"
- '';
-
- meta = with stdenv.lib; {
- homepage = https://pgloader.io/;
- description = "pgloader loads data into PostgreSQL and allows you to implement Continuous Migration from your current database to PostgreSQL";
- maintainers = with maintainers; [ mguentner ];
- license = licenses.postgresql;
- platforms = platforms.all;
- };
-}
{ ldapFtpId ? null
-, stdenv, fetchurl, openssl, postgresql, openldap }:
+, stdenv, lib, fetchurl, openssl, postgresql, openldap }:
stdenv.mkDerivation rec {
name = "pure-ftpd-1.0.47";
configureFlags = [ "--with-everything" "--with-tls" "--with-pgsql" "--with-ldap" ];
- meta = with stdenv.lib; {
+ meta = with lib; {
description = "A free, secure, production-quality and standard-conformant FTP server";
homepage = https://www.pureftpd.org;
license = licenses.isc; # with some parts covered by BSD3(?)
-{ stdenv, composerEnv, fetchurl, callPackage, config_file ? "/var/lib/status_engine/interface.yml" }:
-composerEnv.buildPackage (
- import ./interface_php_packages.nix { inherit composerEnv fetchurl; } // rec {
+{ stdenv, composerEnv, php73, fetchurl, callPackage, config_file ? "/var/lib/status_engine/interface.yml" }:
+let
+ composerEnv' = composerEnv.override { php = php73; };
+in
+composerEnv'.buildPackage (
+ import ./interface_php_packages.nix { composerEnv = composerEnv'; inherit fetchurl; } // rec {
pname = "interface";
version = "3.4.0";
name = "${pname}-${version}";
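Review bot: `composerEnv' = composerEnv.override { php = php73; };` pins the status_engine interface to PHP 7.3 while the worker hunk in the same commit moves to `php74`; PHP 7.3 has reached end of life and no longer receives security fixes, so this is a deliberate downgrade of the runtime that serves the web interface. If the interface's dependencies genuinely do not build on 7.4, a comment next to the override saying so (and what blocks the upgrade) would make the exposure visible rather than incidental. The `rec` body continues past the end of the hunk.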
-{ stdenv, mylibs, composerEnv, fetchurl, gearmand, callPackage, php73, config_file ? "/var/lib/status_engine/ui.yml" }:
+{ stdenv, mylibs, composerEnv, fetchurl, gearmand, callPackage, php74, config_file ? "/var/lib/status_engine/ui.yml" }:
let
- gearman = php73.buildPecl rec {
- version = "2.0.6";
+ gearman = php74.buildPecl rec {
+ version = "2.1.0";
pname = "gearman";
src = fetchurl {
- url = "https://github.com/wcgallego/pecl-gearman/archive/${pname}-${version}.tar.gz";
- sha256 = "0bliga4j41xkvdfh6bqi6k8x6mfxbi5sl9gix97axs7w0ncyfprz";
+ url = "https://github.com/php/pecl-networking-gearman/archive/${pname}-${version}.tar.gz";
+ sha256 = "077wh1kxpp9pfmsm3xixplis85zx5fpbhilvz1d5pic6rb0ali5s";
};
configureFlags = [ "--with-gearman=${gearmand}" ];
nativeBuildInputs = [ gearmand ];
};
in
(composerEnv.override {
- php = php73.withExtensions({ enabled, all }: enabled ++ (with all; [gearman redis mbstring bcmath json iconv]));
+ php = php74.withExtensions({ enabled, all }: enabled ++ (with all; [gearman redis mbstring bcmath json iconv]));
}).buildPackage (mylibs.fetchedGithub ./worker.json //
import ./worker_php_packages.nix { inherit composerEnv fetchurl; } // rec {
postInstall = ''
-{ python36Packages }:
-with python36Packages;
+{ python37Packages }:
+with python37Packages;
buildPythonApplication rec {
pname = "terminal-velocity-git";
version = "0.2.0";
-{ buildPerlPackage, fetchurl, perlPackages }:
-buildPerlPackage rec {
+{ fetchurl, perlPackages }:
+perlPackages.buildPerlPackage rec {
pname = "tiv";
version = "2015";
src = fetchurl {
+++ /dev/null
-# Generated by bower2nix v3.2.0 (https://github.com/rvl/bower2nix)
-{ fetchbower, buildEnv }:
-buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
- (fetchbower "jquery" "2.1.4" "~2.1.3" "1ywrpk2xsr6ghkm3j9gfnl9r3jn6xarfamp99b0bcm57kq9fm2k0")
- (fetchbower "video.js" "4.11.4" "~4.11.4" "05prdvyk0rxbkh7sdd0d9ns5l5crwvc68wzkyqmrdjw367pcv8sn")
- (fetchbower "leaflet" "0.7.7" "~0.7.3" "0jim285bljmxxngpm3yx6bnnd10n2whwkgmmhzpcd1rdksnr5nca")
- (fetchbower "tinymce" "4.1.10" "~4.1.7" "16jyvdb9bq8gjwhs69q8p88vdixalajrz81nsmbrzzxhkih57dyx")
-]; }
+++ /dev/null
-{ makeWrapper, stdenv, writeScript, fetchurl, buildBowerComponents, mylibs, which, python36, gst_all_1, automake, autoconf, nodejs, nodePackages, lib, callPackage, fetchgit }:
-let
- overridePython = let
- packageOverrides = self: super: {
- pybcrypt = super.buildPythonPackage rec {
- pname = "pybcrypt";
- version = "0.4";
-
- src = self.fetchPypi {
- inherit pname version;
- sha256 = "5fa13bce551468350d66c4883694850570f3da28d6866bb638ba44fe5eabda78";
- };
- };
- celery = super.celery.overridePythonAttrs(old: rec {
- version = "3.1.26.post2";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "5493e172ae817b81ba7d09443ada114886765a8ce02f16a56e6fac68d953a9b2";
- };
- patches = [];
- doCheck = false;
- });
- billiard = super.billiard.overridePythonAttrs(old: rec {
- version = "3.3.0.23";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "02wxsc6bhqvzh8j6w758kvgqbnj14l796mvmrcms8fgfamd2lak9";
- };
- doCheck = false;
- doInstallCheck = false;
- });
- amqp = super.amqp.overridePythonAttrs(old: rec {
- version = "1.4.9";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "2dea4d16d073c902c3b89d9b96620fb6729ac0f7a923bbc777cb4ad827c0c61a";
- };
- doCheck = false;
- });
- kombu = super.kombu.overridePythonAttrs(old: rec {
- version = "3.0.37";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "e064a00c66b4d1058cd2b0523fb8d98c82c18450244177b6c0f7913016642650";
- };
- propagatedBuildInputs = old.propagatedBuildInputs ++ [ self.anyjson ];
- doCheck = false;
- });
- markdown = super.markdown.overridePythonAttrs(old: rec {
- version = "3.1.1";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "2e50876bcdd74517e7b71f3e7a76102050edec255b3983403f1a63e7c8a41e7a";
- };
- });
- sqlalchemy = super.sqlalchemy.overridePythonAttrs(old: rec {
- version = "1.1.18";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "8b0ec71af9291191ba83a91c03d157b19ab3e7119e27da97932a4773a3f664a9";
- };
- doCheck = false;
- });
- tempita_5_3_dev = super.buildPythonPackage (mylibs.fetchedGithub ./tempita.json // rec {
- buildInputs = with self; [ nose ];
- disabled = false;
- });
- sqlalchemy_migrate = super.sqlalchemy_migrate.overridePythonAttrs(old: rec {
- propagatedBuildInputs = with self; [ pbr tempita_5_3_dev decorator sqlalchemy six sqlparse ];
- });
- pasteScript = super.pasteScript.overridePythonAttrs(old: rec {
- version = "2.0.2";
- name = "PasteScript-${version}";
- src = fetchurl {
- url = "mirror://pypi/P/PasteScript/${name}.tar.gz";
- sha256 = "1h3nnhn45kf4pbcv669ik4faw04j58k8vbj1hwrc532k0nc28gy0";
- };
- propagatedBuildInputs = with self; [ six paste PasteDeploy ];
- });
- werkzeug = super.werkzeug.overridePythonAttrs(old: rec {
- version = "0.16.1";
- src = self.fetchPypi {
- inherit version;
- inherit (old) pname;
- sha256 = "b353856d37dec59d6511359f97f6a4b2468442e454bd1c98298ddce53cac1f04";
- };
- });
- };
- in
- python36.override { inherit packageOverrides; };
- pythonEnv = python-pkgs: with python-pkgs; [
- waitress alembic dateutil wtforms pybcrypt
- pytest pytest_xdist werkzeug celery
- kombu jinja2 Babel webtest configobj markdown
- sqlalchemy itsdangerous pytz sphinx six
- oauthlib unidecode jsonschema PasteDeploy
- requests PyLD exifread
- typing pasteScript lxml
- # For images plugin
- pillow
- # For video plugin
- gst-python
- # migrations
- sqlalchemy_migrate
- # authentication
- ldap3
- redis
- psycopg2
- ];
- python = overridePython.withPackages pythonEnv;
- gmg = writeScript "gmg" ''
- #!${python}/bin/python
- __requires__ = 'mediagoblin'
- import sys
- from pkg_resources import load_entry_point
-
- if __name__ == '__main__':
- sys.exit(
- load_entry_point('mediagoblin', 'console_scripts', 'gmg')()
- )
- '';
- mediagoblinSrc = fetchgit {
- name = "mediagoblin";
- url = "git://git.savannah.gnu.org/mediagoblin.git";
- rev = "cd465ebfec837a75a44c4ebd727dffe2fff6d850";
- sha256 = "1yz4i4i97z3rxl534a6psaybyjbyp5nnc52v3nvbpzc4pd2s69mx";
- fetchSubmodules = true; # important!
- };
- bowerComponents = buildBowerComponents {
- name = "mediagoblin-bower-components";
- generated = ./bower-packages.nix;
- src = mediagoblinSrc;
- };
- pluginNames = [ "basicsearch" ];
- allPlugins = lib.attrsets.genAttrs pluginNames
- (name: callPackage (./plugins + "/${name}") {});
- toPassthru = pkg: {
- inherit allPlugins;
- withPlugins = withPlugins pkg;
- };
- withPlugins = pkg: toPlugins:
- let
- plugins = toPlugins allPlugins;
- toBuildPlugin = n: "ln -s ${n} mediagoblin/plugins/${n.pluginName}";
- newMediagoblin = pkg.overrideAttrs(old: {
- postBuild = old.postBuild + "\n" + builtins.concatStringsSep "\n" (map toBuildPlugin plugins);
- passthru = toPassthru newMediagoblin;
- });
- in newMediagoblin;
- package = stdenv.mkDerivation rec {
- pname = "mediagoblin";
- name = "${pname}-${version}";
- version = "cd465eb-stable";
- src = mediagoblinSrc;
- preConfigure = ''
- # ./bootstrap.sh
- aclocal -I m4 --install
- autoreconf -fvi
- # end
- export HOME=$PWD
- '';
- configureFlags = [ "--with-python3" "--without-virtualenv" ];
- postBuild = ''
- cp -a ${bowerComponents}/bower_components/* extlib
- chmod -R u+w extlib
- make extlib
- '';
- installPhase = let
- libpaths = with gst_all_1; [
- python
- gstreamer
- gst-plugins-base
- gst-libav
- gst-plugins-good
- gst-plugins-bad
- gst-plugins-ugly
- ];
- plugin_paths = builtins.concatStringsSep ":" (map (x: "${x}/lib") libpaths);
- typelib_paths = with gst_all_1; "${gstreamer}/lib/girepository-1.0:${gst-plugins-base}/lib/girepository-1.0";
- in ''
- sed -i "s/registry.has_key(current_theme_name)/current_theme_name in registry/" mediagoblin/tools/theme.py
- sed -i -e "s@\[DEFAULT\]@[DEFAULT]\nhere = $out@" mediagoblin/config_spec.ini
- sed -i -e "/from gi.repository import GstPbutils/s/^/gi.require_version('GstPbutils', '1.0')\n/" mediagoblin/media_types/video/transcoders.py
- cp ${./ldap_fix.py} mediagoblin/plugins/ldap/tools.py
- find . -name '*.pyc' -delete
- find . -type f -exec sed -i "s|$PWD|$out|g" {} \;
- python setup.py build
- cp -a . $out
- mkdir $out/bin
- makeWrapper ${gmg} $out/bin/gmg --prefix PYTHONPATH : "$out:$PYTHONPATH" \
- --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
- --prefix GI_TYPELIB_PATH : ${typelib_paths}
- makeWrapper ${python}/bin/paster $out/bin/paster --prefix PYTHONPATH : "$out:$PYTHONPATH" \
- --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
- --prefix GI_TYPELIB_PATH : ${typelib_paths}
- makeWrapper ${python}/bin/celery $out/bin/celery --prefix PYTHONPATH : "$out:$PYTHONPATH" \
- --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
- --prefix GI_TYPELIB_PATH : ${typelib_paths}
- '';
- buildInputs = [ makeWrapper automake autoconf which nodePackages.bower nodejs python ];
- propagatedBuildInputs = with gst_all_1; [ python gst-libav gst-plugins-good gst-plugins-bad gst-plugins-ugly gstreamer ];
- passthru = toPassthru package;
- };
-in package
+++ /dev/null
-# GNU MediaGoblin -- federated, autonomous media hosting
-# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ldap3 import Server, Connection, SUBTREE
-from ldap3.core.exceptions import LDAPException
-import logging
-
-import six
-
-from mediagoblin.tools import pluginapi
-
-_log = logging.getLogger(__name__)
-
-
-class LDAP(object):
- def __init__(self):
- self.ldap_settings = pluginapi.get_config('mediagoblin.plugins.ldap')
-
- def _connect(self, server):
- _log.info('Connecting to {0}.'.format(server['LDAP_SERVER_URI']))
- self.server = Server(server['LDAP_SERVER_URI'])
-
- if 'LDAP_START_TLS' in server and server['LDAP_START_TLS'] == 'true':
- _log.info('Initiating TLS')
- self.server.start_tls()
-
- def _manager_auth(self, settings, username, password):
- conn = Connection(self.server,
- settings['LDAP_BIND_DN'],
- settings['LDAP_BIND_PW'],
- auto_bind=True)
- found = conn.search(
- search_base=settings['LDAP_SEARCH_BASE'],
- search_filter=settings['LDAP_SEARCH_FILTER'].format(username=username),
- search_scope=SUBTREE,
- attributes=[settings['EMAIL_SEARCH_FIELD']])
- if (not found) or len(conn.entries) > 1:
- return False, None
-
- user = conn.entries[0]
- user_dn = user.entry_dn
- try:
- email = user.entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
- except KeyError:
- email = None
-
- Connection(self.server, user_dn, password, auto_bind=True)
-
- return username, email
-
- def _direct_auth(self, settings, username, password):
- user_dn = settings['LDAP_USER_DN_TEMPLATE'].format(username=username)
- conn = Connection(self.server, user_dn, password, auto_bind=True)
- email_found = conn.search(
- search_base=settings['LDAP_SEARCH_BASE'],
- search_filter='uid={0}'.format(username),
- search_scope=SUBTREE,
- attributes=[settings['EMAIL_SEARCH_FIELD']])
-
- if email_found:
- try:
- email = conn.entries[0].entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
- except KeyError:
- email = None
-
- return username, email
-
- def login(self, username, password):
- for k, v in six.iteritems(self.ldap_settings):
- try:
- self._connect(v)
-
- if 'LDAP_BIND_DN' in v:
- return self._manager_auth(v, username, password)
- else:
- return self._direct_auth(v, username, password)
-
- except LDAPException as e:
- _log.info(e)
-
- return False, None
+++ /dev/null
-{ stdenv, fetchFromGitHub }:
-stdenv.mkDerivation rec {
- name = "mediagoblin-plugin-basicsearch-${version}";
- version = "ba0a154-master";
- src = fetchFromGitHub {
- owner = "ayleph";
- repo = "mediagoblin-basicsearch";
- rev = "ba0a1547bd24ebaf363227fe17644d38c6ce8a6b";
- sha256 = "0d4r7xkf4gxmgaxlb264l44xbanis77g49frwfhfzsflxmdwgncy";
- };
- phases = "unpackPhase installPhase";
- installPhase = ''
- cp -R ./basicsearch $out
- '';
- passthru = {
- pluginName = "basicsearch";
- };
-}
+++ /dev/null
-{
- "tag": "47414a7-master",
- "meta": {
- "name": "tempita",
- "url": "https://github.com/gjhiggins/tempita",
- "branch": "master"
- },
- "github": {
- "owner": "gjhiggins",
- "repo": "tempita",
- "rev": "47414a7c6e46a9a9afe78f0bce2ea299fa84d10d",
- "sha256": "0f33jjjs5rvp7ar2j6ggyfykcrsrn04jaqcq71qfvycf6b7nw3rn",
- "fetchSubmodules": true
- }
-}
-{ pkgs ? import <nixpkgs> { overlays = builtins.attrValues (import ./overlays); },
- pkgs-nix ? import <nixpkgs-nix> { overlays = builtins.attrValues (import ./overlays); }
-}:
-let
- patchedNix = pkgs-nix.nixUnstable.overrideAttrs(old: {
- patches = old.patches ++ [
- # Fix the ETag bug. PR merged. Remove when updating to >= 20210125
- # https://github.com/NixOS/nixpkgs/pull/109309#issuecomment-768331750
- (pkgs-nix.fetchpatch {
- url = "https://patch-diff.githubusercontent.com/raw/NixOS/nix/pull/4470.diff";
- sha256 = "sha256-d4RNOKMxa4NMbFgYcqWRv2ByHt8F/XUWV+6P9qHz7S4=";
- })
- ];
- });
-in
+{ pkgs ? import <nixpkgs> { overlays = builtins.attrValues (import ./overlays); } }:
pkgs.mkShell {
- buildInputs = [ patchedNix pkgs.python3 pkgs.sops pkgs.morph pkgs.niv pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake pkgs.yq ];
+ buildInputs = [ pkgs.nixUnstable pkgs.python3 pkgs.sops pkgs.morph pkgs.niv pkgs.curl pkgs.shellcheck pkgs.jq pkgs.gnumake pkgs.yq ];
}
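Review bot: `pkgs.nixUnstable` on the new buildInputs line replaces a locally patched Nix that carried the ETag fix from NixOS/nix PR 4470, and the removed comment tied dropping that patch to a nixpkgs pin of 20210125 or later; whether the `nixpkgs` entry in nix/sources.json now meets that isn't visible from this diff. If it does, a one-line comment on the new line, `# nixUnstable from the pinned nixpkgs (>= 2021-01-25) already includes the ETag fix from NixOS/nix#4470`, keeps the reason the patch went away; if it does not, the regression comes back silently with nothing left to point at it.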