7 files changed, 46 insertions, 37 deletions

diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index f23981f44..bd17c3765 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -3,13 +3,14 @@
 with config.krebs.lib;
 let
 
-  nixpkgs-1509 = import (pkgs.fetchFromGitHub {
-    owner = "NixOS"; repo = "nixpkgs-channels";
-    rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
-    sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
+  # https://github.com/NixOS/nixpkgs/issues/14026
+  nixpkgs-fix = import (pkgs.fetchgit {
+    url = https://github.com/nixos/nixpkgs;
+    rev = "e026b5c243ea39810826e68362718f5d703fb5d0";
+    sha256 = "87e0724910a6df0371f883f99a8cf42e366fb4119f676f6f74ffb404beca2632";
   }) {};
 
-  buildbot = nixpkgs-1509.buildbot;
+  buildbot = nixpkgs-fix.buildbot;
   buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
     # -*- python -*-
     from buildbot.plugins import *
diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix
index 10b00de47..51d2afe84 100644
--- a/lass/1systems/helios.nix
+++ b/lass/1systems/helios.nix
@@ -26,6 +26,9 @@ with builtins;
         enable = true;
       };
     }
+    {
+      lass.power-action.battery = "BAT1";
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.helios;
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 0021a8615..0f940a369 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs = {
       url = https://github.com/lassulus/nixpkgs;
-      rev = "c78f9ad2f91019648bdcf5a911f86ea3a397d290";
+      rev = "446d4c1fc10f53cf97abea1996d067ad93de2ded";
     };
 }
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 3c33c0702..8a2161e45 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -113,18 +113,18 @@ in {
     createHome = true;
   };
 
-  services.phpfpm.phpOptions = ''
-    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-    sendmail_path = ${sendmail} -t
-  '';
-  #services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-  #   options = ''
-  #    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-  #    sendmail_path = "${sendmail} -t -i"
-  #  '';
-  #} ''
-  #  cat ${pkgs.php}/etc/php-recommended.ini > $out
-  #  echo "$options" >> $out
+  #services.phpfpm.phpOptions = ''
+  #  extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+  #  sendmail_path = ${sendmail} -t
   #'';
+  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+     options = ''
+      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+      sendmail_path = "${sendmail} -t -i"
+    '';
+  } ''
+    cat ${pkgs.php}/etc/php-recommended.ini > $out
+    echo "$options" >> $out
+  '';
 }
 
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 0107da739..39f0cce06 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -74,18 +74,13 @@ in {
     config.krebs.users.fritz.pubkey
   ];
 
-  services.phpfpm.phpOptions = ''
-    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-    sendmail_path = ${sendmail} -t
+  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+     options = ''
+      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+      sendmail_path = "${sendmail} -t -i"
+    '';
+  } ''
+    cat ${pkgs.php}/etc/php-recommended.ini > $out
+    echo "$options" >> $out
   '';
-
-  #services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-  #   options = ''
-  #    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-  #    sendmail_path = "${sendmail} -t -i"
-  #  '';
-  #} ''
-  #  cat ${pkgs.php}/etc/php-recommended.ini > $out
-  #  echo "$options" >> $out
-  #'';
 }
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index 9a4882644..83ca5dc2a 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -10,7 +10,7 @@ in toFile "ejabberd.conf" ''
    [
     {5222, ejabberd_c2s, [
         starttls,
-        {certfile, ${toErlang cfg.certfile}},
+        {certfile, ${toErlang cfg.certfile.path}},
         {access, c2s},
         {shaper, c2s_shaper},
         {max_stanza_size, 65536}
@@ -27,7 +27,7 @@ in toFile "ejabberd.conf" ''
         ]}
    ]}.
   {s2s_use_starttls, required}.
-  {s2s_certfile, ${toErlang cfg.s2s_certfile}}.
+  {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
   {auth_method, internal}.
   {shaper, normal, {maxrate, 1000}}.
   {shaper, fast, {maxrate, 50000}}.
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
index c68f32ef0..18c7cd656 100644
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@@ -4,7 +4,12 @@ in {
   options.lass.ejabberd = {
     enable = mkEnableOption "lass.ejabberd";
     certfile = mkOption {
-      type = types.str;
+      type = types.secret-file;
+      default = {
+        path = "${cfg.user.home}/ejabberd.pem";
+        owner = cfg.user;
+        source-path = "/var/lib/acme/lassul.us/full.pem";
+      };
     };
     hosts = mkOption {
       type = with types; listOf str;
@@ -17,12 +22,11 @@ in {
         export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
         exec ${pkgs.ejabberd}/bin/ejabberdctl \
             --logs ${shell.escape cfg.user.home} \
-            --spool ${shell.escape cfg.user.home} \
             "$@"
       '';
     };
     s2s_certfile = mkOption {
-      type = types.str;
+      type = types.secret-file;
       default = cfg.certfile;
     };
     user = mkOption {
@@ -36,9 +40,15 @@ in {
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
 
+    krebs.secret.files = {
+      ejabberd-certfile = cfg.certfile;
+      ejabberd-s2s_certfile = cfg.s2s_certfile;
+    };
+
     systemd.services.ejabberd = {
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+      requires = [ "secret.service" ];
+      after = [ "network.target" "secret.service" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";