Diffstat (limited to 'flakes/private')
-rw-r--r--flakes/private/chatons/flake.lock2
-rw-r--r--flakes/private/environment/flake.nix49
-rw-r--r--flakes/private/mail-relay/flake.lock2
-rw-r--r--flakes/private/milters/flake.lock2
-rw-r--r--flakes/private/monitoring/flake.lock2
-rw-r--r--flakes/private/monitoring/flake.nix55
-rw-r--r--flakes/private/monitoring/myplugins.nix24
-rw-r--r--flakes/private/opendmarc/flake.lock2
-rw-r--r--flakes/private/ssh/flake.lock2
-rw-r--r--flakes/private/system/flake.lock4
-rw-r--r--flakes/private/system/flake.nix11
11 files changed, 145 insertions, 10 deletions
diff --git a/flakes/private/chatons/flake.lock b/flakes/private/chatons/flake.lock
index 5e84cc2..1e163a2 100644
--- a/flakes/private/chatons/flake.lock
+++ b/flakes/private/chatons/flake.lock
@@ -3,7 +3,7 @@
3 "environment": { 3 "environment": {
4 "locked": { 4 "locked": {
5 "lastModified": 1, 5 "lastModified": 1,
6 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 6 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
7 "path": "../environment", 7 "path": "../environment",
8 "type": "path" 8 "type": "path"
9 }, 9 },
diff --git a/flakes/private/environment/flake.nix b/flakes/private/environment/flake.nix
index 24cbb7a..389a601 100644
--- a/flakes/private/environment/flake.nix
+++ b/flakes/private/environment/flake.nix
@@ -369,6 +369,36 @@
369 }; 369 };
370 }; 370 };
371 }; 371 };
372 borg_backup = mkOption {
373 description = ''
374 Remote backup with borg/borgmatic
375 '';
376 type = submodule {
377 options = {
378 password = mkOption { type = str; description = "Password for encrypting files"; };
379 remotes = mkOption {
380 type = attrsOf (submodule {
381 options = {
382 remote = mkOption {
383 type = functionTo (functionTo str);
384 example = literalExample ''
385 bucket: "ssh://some_host/${bucket}";
386 '';
387 description = ''
388 Function.
389 Takes a bucket name as argument and returns a url
390 '';
391 };
392 sshRsyncPort = mkOption { type = str; default = "22"; description = "SSH port"; };
393 sshRsyncHost = mkOption { type = nullOr str; default = null; description = "SSH host"; };
394
395 sshKnownHosts = mkOption { type = nullOr str; default = null; description = "Ssh known hosts"; };
396 };
397 });
398 };
399 };
400 };
401 };
372 backup = mkOption { 402 backup = mkOption {
373 description = '' 403 description = ''
374 Remote backup with duplicity 404 Remote backup with duplicity
@@ -379,6 +409,9 @@
379 remotes = mkOption { 409 remotes = mkOption {
380 type = attrsOf (submodule { 410 type = attrsOf (submodule {
381 options = { 411 options = {
412 remote_type = mkOption {
413 type = enum [ "s3" "rsync" ];
414 };
382 remote = mkOption { 415 remote = mkOption {
383 type = functionTo str; 416 type = functionTo str;
384 example = literalExample '' 417 example = literalExample ''
@@ -389,8 +422,12 @@
389 Takes a bucket name as argument and returns a url 422 Takes a bucket name as argument and returns a url
390 ''; 423 '';
391 }; 424 };
392 accessKeyId = mkOption { type = str; description = "Remote access-key"; }; 425 sshRsyncPort = mkOption { type = str; default = "22"; description = "SSH port for rsync"; };
393 secretAccessKey = mkOption { type = str; description = "Remote access secret"; }; 426 sshRsyncHost = mkOption { type = nullOr str; default = null; description = "SSH host for rsync"; };
427
428 sshKnownHosts = mkOption { type = nullOr str; default = null; description = "Ssh known hosts"; };
429 s3AccessKeyId = mkOption { type = nullOr str; default = null; description = "Remote access-key"; };
430 s3SecretAccessKey = mkOption { type = nullOr str; default = null; description = "Remote access secret"; };
394 }; 431 };
395 }); 432 });
396 }; 433 };
@@ -905,6 +942,14 @@
905 }; 942 };
906 }; 943 };
907 }; 944 };
945 matrix = mkOption {
946 description = "Matrix configuration";
947 type = submodule {
948 options = {
949 ldap = mkLdapOptions "Mediagoblin" {};
950 };
951 };
952 };
908 mediagoblin = mkOption { 953 mediagoblin = mkOption {
909 description = "Mediagoblin configuration"; 954 description = "Mediagoblin configuration";
910 type = submodule { 955 type = submodule {
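Review bot: The new `matrix` option at new line 949 builds its LDAP sub-options with `mkLdapOptions "Mediagoblin" {}`, which looks copied from the `mediagoblin` block that follows it; the label should presumably read `ldap = mkLdapOptions "Matrix" {};`. In the `backup.remotes` hunk, `remote_type = enum [ "s3" "rsync" ]` (new 412–414) is introduced while `s3AccessKeyId`, `s3SecretAccessKey` and `sshRsyncHost` all become `nullOr str` with `default = null`, so nothing at evaluation time ties the chosen type to the fields it needs; an `assertions` entry in the consuming module, or at least a `description` on `remote_type` listing the fields each value requires, would surface a remote with missing credentials before deployment. The `borg_backup.password` option is a plain `str` with no note on where the value comes from; since any option value interpolated into a derivation lands in the world-readable store, its description should say whether a literal password or a path to a secrets file is expected. The options attrset these hunks extend opens and closes outside the shown lines.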
diff --git a/flakes/private/mail-relay/flake.lock b/flakes/private/mail-relay/flake.lock
index d1447b7..4d620ad 100644
--- a/flakes/private/mail-relay/flake.lock
+++ b/flakes/private/mail-relay/flake.lock
@@ -3,7 +3,7 @@
3 "environment": { 3 "environment": {
4 "locked": { 4 "locked": {
5 "lastModified": 1, 5 "lastModified": 1,
6 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 6 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
7 "path": "../environment", 7 "path": "../environment",
8 "type": "path" 8 "type": "path"
9 }, 9 },
diff --git a/flakes/private/milters/flake.lock b/flakes/private/milters/flake.lock
index e2366fa..6891e49 100644
--- a/flakes/private/milters/flake.lock
+++ b/flakes/private/milters/flake.lock
@@ -3,7 +3,7 @@
3 "environment": { 3 "environment": {
4 "locked": { 4 "locked": {
5 "lastModified": 1, 5 "lastModified": 1,
6 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 6 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
7 "path": "../environment", 7 "path": "../environment",
8 "type": "path" 8 "type": "path"
9 }, 9 },
diff --git a/flakes/private/monitoring/flake.lock b/flakes/private/monitoring/flake.lock
index e76ca08..cdba7c2 100644
--- a/flakes/private/monitoring/flake.lock
+++ b/flakes/private/monitoring/flake.lock
@@ -3,7 +3,7 @@
3 "environment": { 3 "environment": {
4 "locked": { 4 "locked": {
5 "lastModified": 1, 5 "lastModified": 1,
6 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 6 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
7 "path": "../environment", 7 "path": "../environment",
8 "type": "path" 8 "type": "path"
9 }, 9 },
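--- a/flakes/private/monitoring/flake.nix
+++ b/flakes/private/monitoring/flake.nix
@@ -164,6 +164,13 @@
           Whether to enable monitoring.
         '';
       };
+      smartdDisks = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [];
+        description = ''
+          List of smartd disks ids (symlinks in /dev/disk/by-id/) to monitor
+        '';
+      };
       master = lib.mkOption {
         type = lib.types.bool;
         default = false;
@@ -261,6 +268,54 @@
         objectDefs =
           self.lib.toObjects cfg.objects;
       };
+
+      myServices.monitoring.objects.service = builtins.map (d: {
+        service_description = "Disk /dev/disk/by-id/${d} is sane";
+        use = "local-service";
+        check_command = [ "check_smartctl" "/dev/disk/by-id/${d}" ];
+        __passive_servicegroups = "webstatus-resources";
+
+        check_interval = 60;
+      }) cfg.smartdDisks;
+
+      systemd = let
+        checkShortTimer = {
+          timerConfig = {
+            OnCalendar = "monthly";
+            RandomizedDelaySec = "3 weeks";
+            FixedRandomDelay = true;
+          };
+          wantedBy = [ "timers.target" ];
+        };
+        checkLongTimer = {
+          timerConfig = {
+            OnCalendar = "monthly";
+            RandomizedDelaySec = "3 weeks";
+            FixedRandomDelay = true;
+          };
+          wantedBy = [ "timers.target" ];
+        };
+        toSDTimers = id: {
+          "check-smartd-long-${id}" = checkLongTimer;
+          "check-smartd-short-${id}" = checkShortTimer;
+        };
+        toCheckService = id: type: {
+          description = "Run ${type} smartctl test for /dev/disk/by-id/${id}";
+          after = [ "multi-user.target" ];
+          serviceConfig = {
+            Type = "oneshot";
+            ExecStart = "${pkgs.smartmontools}/bin/smartctl -t ${type} /dev/disk/by-id/${id}";
+          };
+        };
+        toSDServices = id: {
+          "check-smartd-long-${id}" = toCheckService id "long";
+          "check-smartd-short-${id}" = toCheckService id "short";
+        };
+
+      in {
+        services = lib.attrsets.mergeAttrsList (builtins.map toSDServices cfg.smartdDisks);
+        timers = lib.attrsets.mergeAttrsList (builtins.map toSDTimers cfg.smartdDisks);
+      };
     };
   };
 };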
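Review bot: `checkShortTimer` and `checkLongTimer` (new lines 282–297) are byte-identical, so the short and long self-tests fire on the same monthly schedule with the same three-week jitter and the short/long split carries no information; either collapse them into one definition or give the short test its own `OnCalendar`, since a short test is normally run more often than a long one. `smartctl -t ${type}` in `toCheckService` only starts a self-test in the background and returns, so a successful `oneshot` run does not mean the test passed; the outcome is only surfaced later through the `check_smartctl` Nagios service defined above, which deserves a comment such as `# only schedules the self-test; results are read by the check_smartctl Nagios check`. The `systemd` and `myServices.monitoring.objects.service` attributes sit inside a config attrset whose opening is outside the hunk, so whether they are guarded by the same `mkIf` as the surrounding definitions cannot be checked here.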
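--- a/flakes/private/monitoring/myplugins.nix
+++ b/flakes/private/monitoring/myplugins.nix
@@ -284,6 +284,30 @@ in
       ]}
     '';
   };
+  smartctl = {
+    commands = {
+      check_smartctl = "$USER2$/check_smartctl -i auto -d $ARG1$";
+    };
+    chunk = let
+      smartPlugin = pkgs.fetchurl {
+        url = "https://www.claudiokuenzler.com/monitoring-plugins/check_smart.pl";
+        sha256 = "sha256-gxGkzyycUl+I3WziKhOnZSoQjpqbPqjbunfUQxmeb7w=";
+      };
+    in ''
+      cp ${smartPlugin} $out/check_smartctl
+      chmod +x $out/check_smartctl
+      patchShebangs $out
+      substituteInPlace $out/check_smartctl --replace "/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin" "${pkgs.smartmontools}/bin"
+      substituteInPlace $out/check_smartctl --replace "sudo" "${sudo}"
+    '';
+
+    sudo = _: {
+      commands = [
+        { command = "${pkgs.smartmontools}/bin/smartctl *"; options = [ "NOPASSWD" ]; }
+      ];
+      runAs = "root";
+    };
+  };
   mysql = {
     commands = {
       check_mysql_replication = "${sudo} -u mysql $USER2$/check_mysql_replication \"$ARG1$\" \"$ARG2$\"";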
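Review bot: The sudoers rule added at new line 306 grants `NOPASSWD` root execution of `smartctl *`, and sudoers matches the whole space-separated argument string against that pattern, so the monitoring user can run every smartctl mode as root, including ones that change drive settings or start and abort self-tests, rather than only the read-only queries the plugin performs; enumerating the exact read-only invocations the script makes keeps the grant to least privilege, and a trailing wildcard alone does not constrain flags. `substituteInPlace ... --replace "sudo" "${sudo}"` at new line 301 rewrites every occurrence of the substring `sudo` in the Perl source, comments and help text included, which is harmless today but brittle; matching the exact invocation string the script uses would be safer. Both `--replace` calls succeed silently when the needle is absent, so an upstream edit to the PATH string replaced on line 300 would leave the plugin searching the system path; where the pinned nixpkgs supports it, `--replace-fail` turns that into a build error, and until then the `sha256` pin on the fetched script is the only control that makes such a change visible. The plugin attrset these lines extend opens outside the hunk.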
diff --git a/flakes/private/opendmarc/flake.lock b/flakes/private/opendmarc/flake.lock
index a2eea1a..15fea39 100644
--- a/flakes/private/opendmarc/flake.lock
+++ b/flakes/private/opendmarc/flake.lock
@@ -3,7 +3,7 @@
3 "environment": { 3 "environment": {
4 "locked": { 4 "locked": {
5 "lastModified": 1, 5 "lastModified": 1,
6 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 6 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
7 "path": "../environment", 7 "path": "../environment",
8 "type": "path" 8 "type": "path"
9 }, 9 },
diff --git a/flakes/private/ssh/flake.lock b/flakes/private/ssh/flake.lock
index d1447b7..4d620ad 100644
--- a/flakes/private/ssh/flake.lock
+++ b/flakes/private/ssh/flake.lock
@@ -3,7 +3,7 @@
3 "environment": { 3 "environment": {
4 "locked": { 4 "locked": {
5 "lastModified": 1, 5 "lastModified": 1,
6 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 6 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
7 "path": "../environment", 7 "path": "../environment",
8 "type": "path" 8 "type": "path"
9 }, 9 },
diff --git a/flakes/private/system/flake.lock b/flakes/private/system/flake.lock
index 49fb3b5..c6362c5 100644
--- a/flakes/private/system/flake.lock
+++ b/flakes/private/system/flake.lock
@@ -19,7 +19,7 @@
19 "environment": { 19 "environment": {
20 "locked": { 20 "locked": {
21 "lastModified": 1, 21 "lastModified": 1,
22 "narHash": "sha256-VO82m/95IcX3xxJ63wcLh3hXzXDRFKUohYil/18pBSY=", 22 "narHash": "sha256-xrpwkilnPpT6TklQVoLrID8tWUZAH4PJ5XqhRHXGbvo=",
23 "path": "../environment", 23 "path": "../environment",
24 "type": "path" 24 "type": "path"
25 }, 25 },
@@ -69,7 +69,7 @@
69 }, 69 },
70 "locked": { 70 "locked": {
71 "lastModified": 1, 71 "lastModified": 1,
72 "narHash": "sha256-etK0kcWYmiCmdex+9CjWWqn4q8EonDutUP0yFH+odrE=", 72 "narHash": "sha256-yHJid6Rpxa5pfKI81FfI0VZir9seZMHtLzjdvmt0FVw=",
73 "path": "../../mypackages", 73 "path": "../../mypackages",
74 "type": "path" 74 "type": "path"
75 }, 75 },
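--- a/flakes/private/system/flake.nix
+++ b/flakes/private/system/flake.nix
@@ -30,6 +30,17 @@
     secrets.deleteSecretsVars = true;
     secrets.secretsVars = "/run/keys/vars.yml";
 
+    programs.ssh.package = lib.mkDefault (
+      pkgs.openssh.overrideAttrs(old: rec {
+        patches = old.patches ++ [
+          # Mitigation for CVE https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
+          (pkgs.fetchpatch {
+            url = "https://raw.githubusercontent.com/NixOS/nixpkgs/342bfe5c431fd7828fee8fa7e07a4d8fbfd18618/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
+            sha256 = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
+          })
+        ];
+      })
+    );
     services.openssh.enable = true;
 
     nixpkgs.overlays =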
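Review bot: The comment on new line 36 gives only the advisory URL, while the fetched file is the nixpkgs backport for openssh 9.6p1, so the note should record the version it targets and the removal condition, for instance `# CVE-2024-6387 (regreSSHion) backport for openssh 9.6p1; remove once the pinned nixpkgs ships openssh >= 9.8p1, which carries the upstream fix`. `fetchpatch` is applied regardless of the package version, so a later bump of the pinned nixpkgs to an openssh that already contains the fix will make the patch fail to apply, and the version note tells the maintainer to delete it rather than debug it. The `rec` on the `overrideAttrs` attrset is unused and can be dropped. This sets `programs.ssh.package`, but the vulnerability is in sshd, so the mitigation only reaches the daemon if `services.openssh.package` still defaults to that option in the pinned nixpkgs; that assumption is worth stating in the same comment.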