5 files changed, 15 insertions, 14 deletions

diff --git a/custom/tinc/def.nix b/custom/tinc/def.nix
index 58c5237c..a3bb00a0 100644
--- a/custom/tinc/def.nix
+++ b/custom/tinc/def.nix
@@ -18,7 +18,7 @@ in
 
       networks = mkOption {
         default = { };
-        type = types.loaOf types.optionSet;
+        type = types.loaOf types.submodule;
         description = ''
           Defines the tinc networks which will be started.
           Each network invokes a different daemon.
diff --git a/custom/uucp.nix b/custom/uucp.nix
index c69d15c5..0b4b1306 100644
--- a/custom/uucp.nix
+++ b/custom/uucp.nix
@@ -237,7 +237,7 @@ in {
                 choices as appropriate.  */
              #if 1
             -#define MAIL_PROGRAM "/usr/lib/sendmail -t"
-            +#define MAIL_PROGRAM "/var/setuid-wrappers/sendmail -t"
+            +#define MAIL_PROGRAM "${config.security.wrapperDir}/sendmail -t"
              /* #define MAIL_PROGRAM "/usr/sbin/sendmail -t" */
              #define MAIL_PROGRAM_TO_BODY 1
              #define MAIL_PROGRAM_SUBJECT_BODY 1
@@ -256,7 +256,7 @@ in {
             *) from="$from@$relay";;
           esac
 
-          exec /var/setuid-wrappers/sendmail -G -i -f "$from" -- "$@"
+          exec ${config.security.wrapperDir}/sendmail -G -i -f "$from" -- "$@"
         '';
     };
 
@@ -264,6 +264,6 @@ in {
       uucp
     ];
 
-    services.cron.systemCronJobs = (map (name: "${config.services.uucp.interval} /var/setuid-wrappers/uucico -D -S ${name}") (if (config.services.uucp.interval != null) then config.services.uucp.remoteNodes else []));
+    services.cron.systemCronJobs = (map (name: "${config.services.uucp.interval} ${config.security.wrapperDir}/uucico -D -S ${name}") (if (config.services.uucp.interval != null) then config.services.uucp.remoteNodes else []));
   };
 }
diff --git a/hel.nix b/hel.nix
index 4e528bba..a7b34fe4 100644
--- a/hel.nix
+++ b/hel.nix
@@ -176,8 +176,8 @@
       nodeName = "hel";
       remoteNodes = ["isaac" "ymir"]; # legacy name for odin
       sshUser = {
-        openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
-                                        ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico /var/setuid-wrappers/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
+        openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
+                                        ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico ${config.security.wrapperDir}/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
                                       ];
       };
       sshConfig = ''
@@ -188,7 +188,7 @@
           Hostname ymir.niflheim.yggdrasil
           IdentityFile ~/.ssh/ymir
       '';
-      commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" "/var/setuid-wrappers/" ];
+      commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" config.security.wrapperDir ];
       defaultCommands = [];
       commands = {
         "isaac" = ["recv-media" "notify-gkleen"];
@@ -209,7 +209,7 @@
       relayHost = "uucp:ymir";
       recipientDelimiter = "+";
       extraMasterConf = ''
-        uucp        unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a $sender - $nexthop!rmail ($recipient)
+        uucp        unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
         sshsendmail unix - n n - - pipe flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient
       '';
       transport = ''
@@ -361,7 +361,7 @@
                    setgid = true;
                    setuid = true;
                    permissions = "u+rx,g+x,o+x";
-                   source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; }}/bin/notify-gkleen'';
+                   source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; inherit (config.security) wrapperDir}}/bin/notify-gkleen'';
                  };
                };
 
diff --git a/hel/recv-media.nix b/hel/recv-media.nix
index 52d5bae6..a074e76b 100644
--- a/hel/recv-media.nix
+++ b/hel/recv-media.nix
@@ -6,6 +6,7 @@
 , showTitle ? true
 , ffmpeg ? null
 , gnused ? null
+, wrapperDir ? "/run/wrappers/bin"
 }:
 
 assert showTitle -> ffmpeg != null && gnused != null && notifyUser != null;
@@ -15,7 +16,7 @@ writeScriptBin "recv-media" ''
 
   pid=$?
 
-  PATH=${eject}/bin:${coreutils}/bin:${if showTitle then ''${ffmpeg}/bin:${gnused}/bin:'' else ""}/var/setuid-wrappers
+  PATH=${eject}/bin:${coreutils}/bin:${if showTitle then ''${ffmpeg}/bin:${gnused}/bin:'' else ""}${wrapperDir}
 
   exec 1> >(logger --id=$pid -t recv-media -p user.notice)
   exec 2> >(logger --id=$pid -t recv-media -p user.error)
diff --git a/ymir.nix b/ymir.nix
index a6967749..5dfa265e 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -500,7 +500,7 @@ in rec {
       recipient_canonical_classes= envelope_recipient,header_recipient
     '';
     extraMasterConf = ''
-      uucp            unix - n n - - pipe  flags=Fqhu user=uucp   argv=/var/setuid-wrappers/uux -z -a $sender - $nexthop!rmail ($recipient)
+      uucp            unix - n n - - pipe  flags=Fqhu user=uucp   argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
       mlmmj           unix - n n - - pipe  flags=ORhu user=mlmmj  argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L /var/spool/lists/''${user}
       mlmmj-subs      unix - n n - - pipe  flags=ORhu user=mlmmj  argv=${pkgs.mlmmj-exposed}/bin/mlmmj-exposed /var/spool/lists/''${user} ''${extension}
       policy-spf      unix - n n - - spawn            user=nobody argv=${pkgs.pythonPackages.pypolicyd-spf}/bin/policyd-spf ${./ymir/spf.conf}
@@ -551,7 +551,7 @@ in rec {
     selector = "ymir";
     configFile = builtins.toFile "opendkim.conf" ''
       Syslog true
-      MTACommand /var/setuid-wrappers/sendmail
+      MTACommand ${config.security.wrapperDir}/sendmail
       LogResults true
     '';
   };
@@ -692,8 +692,8 @@ in rec {
     nodeName = "ymir";
     remoteNodes = ["isaac" "hel"]; # legacy name for odin
     sshUser = {
-      openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin''
-                                      ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWBybBQKbPucqBgULQ1phv7IKFWl1Xc4drkCx3D5mIz uucp@hel''
+      openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgtDHA7oDIaRwggGGznNaKZF68rFTziqefSCn1t9ZKe uucp@odin''
+                                      ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWBybBQKbPucqBgULQ1phv7IKFWl1Xc4drkCx3D5mIz uucp@hel''
                                     ];
     };
     sshConfig = ''