| -rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
| -rw-r--r-- | krebs/3modules/mv/default.nix | 41 | ||||
| -rw-r--r-- | krebs/3modules/nginx.nix | 10 | ||||
| -rw-r--r-- | krebs/3modules/tv/default.nix | 2 | ||||
| -rw-r--r-- | mv/1systems/stro.nix | 172 | ||||
| -rw-r--r-- | tv/1systems/alnus.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/xu.nix | 5 | ||||
| -rw-r--r-- | tv/1systems/zu.nix | 37 | ||||
| -rw-r--r-- | tv/2configs/bash.nix | 37 | ||||
| -rw-r--r-- | tv/2configs/default.nix | 69 | ||||
| -rw-r--r-- | tv/2configs/exim-smarthost.nix | 2 | ||||
| -rw-r--r-- | tv/2configs/git.nix | 2 | ||||
| -rw-r--r-- | tv/2configs/hw/x220.nix | 3 | ||||
| -rw-r--r-- | tv/2configs/ssh.nix | 25 | ||||
| -rw-r--r-- | tv/2configs/sshd.nix | 16 | ||||
| -rw-r--r-- | tv/2configs/xdg.nix | 14 | ||||
| -rw-r--r-- | tv/2configs/xserver/default.nix | 3 | ||||
| -rw-r--r-- | tv/5pkgs/default.nix | 12 | ||||
| -rw-r--r-- | tv/5pkgs/ff/default.nix | 12 | 
19 files changed, 329 insertions, 135 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index a38d2b227..d64d8047a 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -91,6 +91,7 @@ let
   imp = lib.mkMerge [
     { krebs = import ./lass   { inherit config lib; }; }
     { krebs = import ./makefu { inherit config lib; }; }
+    { krebs = import ./mv     { inherit config lib; }; }
     { krebs = import ./shared { inherit config lib; }; }
     { krebs = import ./tv     { inherit config lib; }; }
     {
diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix
new file mode 100644
index 000000000..dc47d8983
--- /dev/null
+++ b/krebs/3modules/mv/default.nix
@@ -0,0 +1,41 @@
+{ config, ... }:
+
+with config.krebs.lib;
+
+{
+  hosts = mapAttrs (_: setAttr "owner" config.krebs.users.mv) {
+    stro = {
+      cores = 4;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.111.111";
+          ip6.addr = "42:0:0:0:0:0:111:111";
+          aliases = [
+            "stro.r"
+            "cgit.stro.r"
+            "stro.retiolum"
+            "cgit.stro.retiolum"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEA0vIzLyoetOyi3R7qOh3gjSvUVjPEdqCvd0NEevDCIhhFy0nIbZ/b
+            vnuk3EUeTb6e384J8fKB4agig0JeR3JjtDvtjy5g9Cdy2nrU71w8wqU0etmv2PTb
+            FjbCFfeBXn0N3U7gXwjZGCvjAXa1a4jGb4R2iYBYGG3aY4reCN8B8Ah81h+S0oLg
+            ZJJfaBmWM5vNRFEI5X4CLaVnwtsoZuXIjYStgNn/9Mg/Y6NQS0H0H+HFeyhigAqG
+            oYGqNar/2QqPU176V/FwrD30F3qJV1uyzuPta7hmdfOxqYjZ/jqdPSRYtlunYYcq
+            XbH5oYmzO9NEeVWzjdac/DiV2OP8HufoYwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+7Qa51l0NSkBiaK2s8vQEoeObV3UPZyEzMxfUK/ZAO root@stro";
+    };
+  };
+  users = {
+    mv = {
+      mail = "mv@stro.r";
+      pubkey = "ssh-rsa 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 mv@stro";
+    };
+  };
+}
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index fc7fcca6f..bc32da3b1 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -31,12 +31,10 @@ let
         options = {
           server-names = mkOption {
             type = with types; listOf str;
-            # TODO use identity
-            default = [
-              "${config.networking.hostName}"
-              "${config.networking.hostName}.r"
-              "${config.networking.hostName}.retiolum"
-            ];
+            default =
+              [config.krebs.build.host.name] ++
+              concatMap (getAttr "aliases")
+                        (attrValues config.krebs.build.host.nets);
           };
           listen = mkOption {
             type = with types; either str (listOf str);
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index d04f1cab2..a933cbddb 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -418,7 +418,7 @@ with config.krebs.lib;
     dv = {
       mail = "dv@alnus.r";
     };
-    mv = {
+    mv-cd = {
       mail = "mv@cd.r";
       pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod";
     };
diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix
new file mode 100644
index 000000000..c948754df
--- /dev/null
+++ b/mv/1systems/stro.nix
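Review bot: The new `server-names` default, `concatMap (getAttr "aliases") (attrValues config.krebs.build.host.nets)`, aborts evaluation for any net of the build host that has no `aliases` attribute, unless the krebs net type already defaults it (not visible here); `concatMap (net: net.aliases or []) (attrValues config.krebs.build.host.nets)` keeps the tolerant behaviour the old three-entry list had. The meaning of the default also widens: every alias on every net of the host, including any internet-facing names, now becomes a matched vhost name, so a short comment on the option such as `# default: build host name plus the aliases of all its nets` would make that explicit for people adding nets later. The enclosing `options` set starts outside the hunk.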
@@ -0,0 +1,172 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ +  krebs = { +    enable = true; +    build = { +      user = config.krebs.users.mv; +      host = config.krebs.hosts.stro; +      source = let +        HOME = getEnv "HOME"; +        host = config.krebs.build.host; +      in { +        nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix"; +        secrets.file = "${HOME}/secrets/${host.name}"; +        stockholm.file = "${HOME}/stockholm"; +        nixpkgs.git = { +          url = https://github.com/NixOS/nixpkgs; +          ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f"; +        }; +      }; +    }; +  }; + +  imports = [ +    <secrets> +    <stockholm/krebs> +    <stockholm/tv/2configs/audit.nix> +    <stockholm/tv/2configs/bash.nix> +    <stockholm/tv/2configs/exim-retiolum.nix> +    <stockholm/tv/2configs/hw/x220.nix> +    <stockholm/tv/2configs/im.nix> +    <stockholm/tv/2configs/mail-client.nix> +    <stockholm/tv/2configs/retiolum.nix> +    <stockholm/tv/2configs/ssh.nix> +    <stockholm/tv/2configs/sshd.nix> +    <stockholm/tv/2configs/vim.nix> +    <stockholm/tv/2configs/xdg.nix> +    <stockholm/tv/2configs/xserver> +    <stockholm/tv/3modules> +    <stockholm/tv/5pkgs> +  ]; + +  boot.kernel.sysctl = { +    # Enable IPv6 Privacy Extensions +    "net.ipv6.conf.all.use_tempaddr" = 2; +    "net.ipv6.conf.default.use_tempaddr" = 2; +  }; + +  boot.initrd.luks = { +    cryptoModules = [ "aes" "sha512" "xts" ]; +    devices = [ +      { +        name = "luks1"; +        device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part2"; +      } +    ]; +  }; + +  environment = { +    profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; +    shellAliases = mkForce { +      gp = "${pkgs.pari}/bin/gp -q"; +      df = "df -h"; +      du = "du -h"; +      ls = "ls -h --color=auto --group-directories-first"; +      dmesg = "dmesg -L --reltime"; +      view = "vim -R"; + +      reload = "systemctl reload"; +      restart = 
"systemctl restart"; +      start = "systemctl start"; +      status = "systemctl status"; +      stop = "systemctl stop"; +    }; +    systemPackages = with pkgs; [ +      dic +      htop +      p7zip +      q + +      pavucontrol +      rxvt_unicode.terminfo + +      # stockholm +      git +      gnumake +      populate +    ]; +    variables = { +      NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; +    }; +  }; + +  fileSystems = { +    "/boot" = { +      device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part1"; +    }; +    "/" = { +      device = "/dev/mapper/vg1-root"; +      fsType = "btrfs"; +      options = ["defaults" "noatime" "ssd" "compress=lzo"]; +    }; +    "/home" = { +      device = "/dev/mapper/vg1-home"; +      fsType = "btrfs"; +      options = ["defaults" "noatime" "ssd" "compress=lzo"]; +    }; +    "/tmp" = { +      device = "tmpfs"; +      fsType = "tmpfs"; +      options = ["nosuid" "nodev" "noatime"]; +    }; +  }; + +  hardware.pulseaudio = { +    enable = true; +    systemWide = true; +  }; + +  networking.hostName = config.krebs.build.host.name; + +  nix = { +    binaryCaches = ["https://cache.nixos.org"]; +    # TODO check if both are required: +    chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; +    requireSignedBinaryCaches = true; +    useChroot = true; +  }; + +  nixpkgs.config.allowUnfree = false; + +  users = { +    defaultUserShell = "/run/current-system/sw/bin/bash"; +    mutableUsers = false; +    users = { +      mv = { +        inherit (config.krebs.users.mv) home uid; +        isNormalUser = true; +      }; +    }; +  }; + +  security.setuidPrograms = [ +    "sendmail" +  ]; + +  security.sudo.extraConfig = '' +    Defaults env_keep+="SSH_CLIENT" +    Defaults mailto="${config.krebs.users.mv.mail}" +    Defaults !lecture +  ''; + +  services.cron.enable = false; +  services.journald.extraConfig = '' +    SystemMaxUse=1G +    RuntimeMaxUse=128M +  ''; +  services.nscd.enable = false; +  
services.ntp.enable = false; +  services.timesyncd.enable = true; + +  time.timeZone = "Europe/Berlin"; + +  tv.iptables = { +    enable = true; +    accept-echo-request = "internet"; +  }; + +  system.stateVersion = "16.03"; +} diff --git a/tv/1systems/alnus.nix b/tv/1systems/alnus.nix index 360390c09..a9646b588 100644 --- a/tv/1systems/alnus.nix +++ b/tv/1systems/alnus.nix @@ -53,7 +53,6 @@ with config.krebs.lib;    };    hardware = { -    enableAllFirmware = true;      opengl.driSupport32Bit = true;      pulseaudio.enable = true;    }; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index b832470d0..fec0a02c5 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -155,11 +155,6 @@ with config.krebs.lib;    nixpkgs.config.chromium.enablePepperFlash = true; -  #hardware.bumblebee.enable = true; -  #hardware.bumblebee.group = "video"; -  hardware.enableAllFirmware = true; -  #hardware.opengl.driSupport32Bit = true; -    environment.systemPackages = with pkgs; [      ethtool      tinc_pre diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix index bfc018cc3..c0d51436a 100644 --- a/tv/1systems/zu.nix +++ b/tv/1systems/zu.nix @@ -161,11 +161,6 @@ with config.krebs.lib;    nixpkgs.config.chromium.enablePepperFlash = true; -  #hardware.bumblebee.enable = true; -  #hardware.bumblebee.group = "video"; -  hardware.enableAllFirmware = true; -  #hardware.opengl.driSupport32Bit = true; -    environment.systemPackages = with pkgs; [      ethtool      tinc_pre 
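Review bot: `hardware.pulseaudio.systemWide = true;` in mv/1systems/stro.nix runs one PulseAudio daemon as a system service shared by every local user, a mode PulseAudio upstream documents as discouraged for ordinary desktops; on this single-user laptop it may well be deliberate, but it deserves a why-comment next to it, e.g. `# systemWide: <reason>`. In the same hunk `nixpkgs.git.ref` stays at `8bf31d7d27cae435d7c1e9e0ccb0a320b424066f` while tv/2configs/default.nix moves to `2568ee3d73bdebd6bab6739adf8a900f3429c8e6` in this commit, so the two namespaces build against different nixpkgs unless that is intended. `security.sudo.extraConfig` keeps `SSH_CLIENT` through `env_keep`; a one-line comment stating what consumes it would save the next reader from guessing. The whole module is visible, ending at `system.stateVersion`.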
@@ -194,36 +189,4 @@ with config.krebs.lib;    # The NixOS release to be compatible with for stateful data such as databases.    system.stateVersion = "15.09"; - -#/* -#{ host api.doraemon.sg.zalora.net | awk '{print$4" api.zalora.sg"}'; -#  host bob.live.sg.zalora.net | awk '{print$4" bob.zalora.sg"}'; -#  host www.live.sg.zalora.net | awk '{print$4" www.zalora.sg costa.zalora.sg"}'; } -#*/ -#  networking.extraHosts = optionalString (1 == 1) '' -#54.255.133.72 api.zalora.sg -#52.77.12.194 bob.zalora.sg -#52.74.232.49 www.zalora.sg costa.zalora.sg -#  ''; - - -  #services.elasticsearch.enable = true; -  #services.kibana.enable = true; -  #services.logstash.enable = true; - -  environment.etc."ssh/ssh_config".text = mkForce '' -    AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} - -    ${optionalString config.programs.ssh.setXAuthLocation '' -      XAuthLocation ${pkgs.xorg.xauth}/bin/xauth -    ''} - -    ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"} - -    # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) -    #PubkeyAcceptedKeyTypes +ssh-dss - -    ${config.programs.ssh.extraConfig} -  ''; -  } diff --git a/tv/2configs/bash.nix b/tv/2configs/bash.nix new file mode 100644 index 000000000..fe87aa8d7 --- /dev/null +++ b/tv/2configs/bash.nix 
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  programs.bash = {
+    interactiveShellInit = ''
+      HISTCONTROL='erasedups:ignorespace'
+      HISTSIZE=65536
+      HISTFILESIZE=$HISTSIZE
+
+      shopt -s checkhash
+      shopt -s histappend histreedit histverify
+      shopt -s no_empty_cmd_completion
+      complete -d cd
+    '';
+    promptInit = ''
+      case $UID in
+        0)
+          PS1='\[\e[1;31m\]\w\[\e[0m\] '
+          ;;
+        ${toString config.krebs.build.user.uid})
+          PS1='\[\e[1;32m\]\w\[\e[0m\] '
+          ;;
+        *)
+          PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+          ;;
+      esac
+      if test -n "$SSH_CLIENT"; then
+        PS1='\[\e[35m\]\h'" $PS1"
+      fi
+      if test -n "$SSH_AGENT_PID"; then
+        PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
+      fi
+    '';
+  };
+}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 04009f54d..db1bfe5a2 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with config.krebs.lib;
       stockholm.file = "/home/tv/stockholm";
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
+        ref = "2568ee3d73bdebd6bab6739adf8a900f3429c8e6";
       };
     } // optionalAttrs host.secure {
       secrets-master.file = "/home/tv/secrets/master";
@@ -27,8 +27,12 @@ with config.krebs.lib;
     <secrets>
     ./audit.nix
     ./backup.nix
+    ./bash.nix
     ./nginx
+    ./ssh.nix
+    ./sshd.nix
     ./vim.nix
+    ./xdg.nix
     {
       # stockholm dependencies
       environment.systemPackages = with pkgs; [
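Review bot: The `interactiveShellInit` moved into tv/2configs/bash.nix no longer contains the `${readFile ./bash_completion.sh}` line (nor the `# TODO source bridge` marker) that the block removed from tv/2configs/default.nix had, so bash completion stops being sourced on every host importing `./bash.nix` unless it is wired up elsewhere, which this commit does not show. Either re-add `${readFile ./bash_completion.sh}` after `complete -d cd` or record the intentional drop in the file. Switching the prompt's uid case to `config.krebs.build.user.uid` is what lets mv/1systems/stro.nix reuse this file; a header comment saying the file is shared across namespaces and must not reference `config.krebs.users.tv` would keep it that way.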
@@ -104,49 +108,6 @@ with config.krebs.lib;
       environment.variables = {
         NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
       };
-
-      programs.bash = {
-        interactiveShellInit = ''
-          HISTCONTROL='erasedups:ignorespace'
-          HISTSIZE=65536
-          HISTFILESIZE=$HISTSIZE
-
-          shopt -s checkhash
-          shopt -s histappend histreedit histverify
-          shopt -s no_empty_cmd_completion
-          complete -d cd
-
-          ${readFile ./bash_completion.sh}
-
-          # TODO source bridge
-        '';
-        promptInit = ''
-          case $UID in
-            0)
-              PS1='\[\e[1;31m\]\w\[\e[0m\] '
-              ;;
-            ${toString config.krebs.users.tv.uid})
-              PS1='\[\e[1;32m\]\w\[\e[0m\] '
-              ;;
-            *)
-              PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
-              ;;
-          esac
-          if test -n "$SSH_CLIENT"; then
-            PS1='\[\e[35m\]\h'" $PS1"
-          fi
-          if test -n "$SSH_AGENT_PID"; then
-            PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
-          fi
-        '';
-      };
-
-      programs.ssh = {
-        extraConfig = ''
-          UseRoaming no
-        '';
-        startAgent = false;
-      };
     }
     {
@@ -177,16 +138,6 @@ with config.krebs.lib;
     }
     {
-      services.openssh = {
-        enable = true;
-        hostKeys = [
-          { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-        ];
-      };
-      tv.iptables.input-internet-accept-tcp = singleton "ssh";
-    }
-
-    {
       environment.systemPackages = [
       pkgs.get
       pkgs.krebszones
@@ -194,15 +145,5 @@ with config.krebs.lib;
         pkgs.push
       ];
     }
-
-    {
-      systemd.tmpfiles.rules = let
-        forUsers = flip map users;
-        isUser = { name, group, ... }:
-          name == "root" || hasSuffix "users" group;
-        users = filter isUser (mapAttrsToList (_: id) config.users.users);
-      in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
-      environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
-    }
   ];
 }
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 351b54da1..cade6fa7b 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -20,7 +20,7 @@ with config.krebs.lib;
     ];
     internet-aliases = with config.krebs.users; [
       { from = "postmaster@viljetic.de"; to = tv.mail; } # RFC 822
-      { from = "mirko@viljetic.de"; to = mv.mail; }
+      { from = "mirko@viljetic.de"; to = mv-cd.mail; }
       { from = "tomislav@viljetic.de"; to = tv.mail; }
       { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
       { from = "tv@viljetic.de"; to = tv.mail; }
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 4bc971370..fd3875410 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -101,7 +101,7 @@ let
         perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++
       optional repo.public {
-        user = [ lass makefu ];
+        user = attrValues config.krebs.users;
         repo = [ repo ];
         perm = fetch;
       } ++
diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix
index 9b3dd122a..c5a3485a2 100644
--- a/tv/2configs/hw/x220.nix
+++ b/tv/2configs/hw/x220.nix
@@ -10,6 +10,9 @@
   networking.wireless.enable = true;
+  # Required for Centrino.
+  hardware.enableAllFirmware = true;
+
   hardware.trackpoint = {
     enable = true;
     sensitivity = 220;
diff --git a/tv/2configs/ssh.nix b/tv/2configs/ssh.nix
new file mode 100644
index 000000000..7bf583426
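Review bot: `user = attrValues config.krebs.users;` in tv/2configs/git.nix grants fetch on every `repo.public` repository to every user declared under any krebs/3modules/*/default.nix, including the `mv` and `mv-cd` entries this commit adds, and to whoever gets declared there later; that is open-ended by design but nothing at the line says so. A comment such as `# public repos: every krebs user, from any namespace, may fetch` at the changed line would make the intent reviewable when the user set grows. The enclosing `optional`/`++` expression starts and ends outside the hunk.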
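Review bot: `hardware.enableAllFirmware = true;` in tv/2configs/hw/x220.nix is now the only place the setting survives, after the hunks for tv/1systems/alnus.nix, xu.nix and zu.nix above drop it; whether alnus imports hw/x220.nix is not visible in this diff, so if it does not, that host silently loses the firmware it had. Confirm the import or keep the line in alnus.nix. The `# Required for Centrino.` comment is good; naming the specific firmware package it pulls in would make the dependency easier to narrow later.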
--- /dev/null
+++ b/tv/2configs/ssh.nix
@@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  # Override NixOS's "Allow DSA keys for now."
+  environment.etc."ssh/ssh_config".text = mkForce ''
+    AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
+
+    ${optionalString config.programs.ssh.setXAuthLocation ''
+      XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
+    ''}
+
+    ForwardX11 ${if config.programs.ssh.forwardX11 then "yes" else "no"}
+
+    ${config.programs.ssh.extraConfig}
+  '';
+
+  programs.ssh = {
+    extraConfig = ''
+      UseRoaming no
+    '';
+    startAgent = false;
+  };
+}
diff --git a/tv/2configs/sshd.nix b/tv/2configs/sshd.nix
new file mode 100644
index 000000000..943f32fe9
--- /dev/null
+++ b/tv/2configs/sshd.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      {
+        type = "ed25519";
+        path = "/etc/ssh/ssh_host_ed25519_key";
+      }
+    ];
+  };
+  tv.iptables.input-internet-accept-tcp = singleton "ssh";
+}
diff --git a/tv/2configs/xdg.nix b/tv/2configs/xdg.nix
new file mode 100644
index 000000000..f05ec5431
--- /dev/null
+++ b/tv/2configs/xdg.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
+
+  systemd.tmpfiles.rules = let
+    forUsers = flip map users;
+    isUser = { name, group, ... }:
+      name == "root" || hasSuffix "users" group;
+    users = filter isUser (mapAttrsToList (_: id) config.users.users);
+  in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
+}
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index c41c0a81e..7a76530be 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
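Review bot: The `mkForce` on `environment.etc."ssh/ssh_config".text` in tv/2configs/ssh.nix replaces the NixOS-generated client config with a hand-copied template, so any line nixpkgs later adds to ssh_config is silently lost on the next `ref` bump; the `# Override NixOS's "Allow DSA keys for now."` comment says what is dropped but not where the copy came from. Extending it to `# copied from nixos/modules/programs/ssh.nix at <nixpkgs ref>, minus the ssh-dss line; re-sync on ref bumps` makes the drift reviewable. `UseRoaming no` in `programs.ssh.extraConfig` is a sensible hardening, but the option name says nothing about what it switches off, so a short comment there (`# disable the undocumented client roaming feature`) would help.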
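Review bot: tv/2configs/sshd.nix opens ssh to the internet via `tv.iptables.input-internet-accept-tcp = singleton "ssh";` while `services.openssh` only sets `enable` and `hostKeys`, so whether password logins and root logins are accepted is inherited from the NixOS defaults at the pinned nixpkgs ref (password authentication was enabled by default in NixOS of that era, if I recall correctly). Every user in this tree is declared with a pubkey, so stating `passwordAuthentication = false;` and an explicit `permitRootLogin` next to `enable = true;` would make the exposure a choice rather than an inheritance. A one-line header comment noting that this file is what publishes the host on the internet would also help, since the firewall rule and the daemon are configured together here.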
@@ -1,8 +1,7 @@  { config, pkgs, ... }@args:  with config.krebs.lib;  let -  # TODO krebs.build.user -  user = config.users.users.tv; +  user = config.krebs.build.user;  in {    environment.systemPackages = [ diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index affb535ef..3590ad572 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -1,7 +1,7 @@ -{ pkgs, ... }: - +{ config, pkgs, ... }: +with config.krebs.lib;  { -  nixpkgs.config.packageOverrides = { +  nixpkgs.config.packageOverrides = super: {      # TODO use XDG_RUNTIME_DIR?      cr = pkgs.writeDashBin "cr" ''        set -efu @@ -10,12 +10,14 @@            --ssl-version-min=tls1 \            --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \            --disk-cache-size=50000000 \ -          "%@" +          "$@"      '';      ejabberd = pkgs.callPackage ./ejabberd {        erlang = pkgs.erlangR16;      }; -    ff = pkgs.callPackage ./ff {}; +    ff = pkgs.writeDashBin "ff" '' +      exec ${pkgs.firefoxWrapper}/bin/firefox "$@" +    '';      gnupg =        if elem config.krebs.build.host.name ["xu" "wu"]          then super.gnupg21 diff --git a/tv/5pkgs/ff/default.nix b/tv/5pkgs/ff/default.nix deleted file mode 100644 index b1d2c579a..000000000 --- a/tv/5pkgs/ff/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, ... }: - -# TODO use krebs.setuid -# This requires that we can create setuid executables that can only be accessed -# by a single user. [per-user-setuid] - -# using bash for %q -pkgs.writeBashBin "ff" '' - exec /var/setuid-wrappers/sudo -u ff -i <<EOF - exec ${pkgs.firefoxWrapper}/bin/firefox $(printf " %q" "$@") - EOF -'' | 
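Review bot: The new `ff` in tv/5pkgs/default.nix runs firefox as the invoking user, whereas the deleted tv/5pkgs/ff/default.nix ran it as a separate `ff` account through `sudo -u ff` (with a TODO pointing at krebs.setuid); that privilege separation is gone and nothing in the commit records the decision. A comment at the new definition, `# ff: runs firefox as the caller; the sudo -u ff isolation from 5pkgs/ff was dropped`, would keep the history visible to whoever reintroduces it. The `"%@"` to `"$@"` fix in `cr` is correct, and adding the `super:` parameter to `packageOverrides` is what lets the existing `super.gnupg21` reference below resolve. The `packageOverrides` set continues past the hunk.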
