Diffstat (limited to 'hel.nix')
-rw-r--r--hel.nix104
1 files changed, 81 insertions, 23 deletions
diff --git a/hel.nix b/hel.nix
index 3753a8df..7a3a3af7 100644
--- a/hel.nix
+++ b/hel.nix
@@ -45,7 +45,6 @@
45 git 45 git
46 slock 46 slock
47 shadow 47 shadow
48 (callPackage ./custom/thinklight.nix { thinklight = "kbd_backlight"; })
49 (callPackage ./utils/nix/rebuild-system.nix {}) 48 (callPackage ./utils/nix/rebuild-system.nix {})
50 rewacom 49 rewacom
51 ]; 50 ];
@@ -58,7 +57,22 @@
58 ''; 57 '';
59 58
60 samsung-unified-linux-driver = pkgs.stdenv.lib.overrideDerivation pkgs.samsung-unified-linux-driver (oldAttrs: { 59 samsung-unified-linux-driver = pkgs.stdenv.lib.overrideDerivation pkgs.samsung-unified-linux-driver (oldAttrs: {
61 buildInputs = with pkgs; [cups]; 60 buildInputs = oldAttrs.buildInputs ++ [ pkgs.makeWrapper ];
61 builder = pkgs.writeScript "builder.sh" ''
62 #!${pkgs.stdenv.shell}
63
64 source ${pkgs.stdenv}/setup
65
66 ${oldAttrs.builder} ${pkgs.lib.concatStringsSep " " oldAttrs.args}
67
68 export PATH=${pkgs.makeWrapper}/bin:$PATH
69
70 echo "Wrapping samsung filters"
71 wrapProgram $out/lib/cups/filter/rastertosamsungspl \
72 --prefix PATH : ${pkgs.ghostscript}/bin
73 wrapProgram $out/lib/cups/filter/rastertosamsungsplc \
74 --prefix PATH : ${pkgs.ghostscript}/bin
75 '';
62 }); 76 });
63 }; 77 };
64 78
@@ -162,8 +176,8 @@
162 nodeName = "hel"; 176 nodeName = "hel";
163 remoteNodes = ["isaac" "ymir"]; # legacy name for odin 177 remoteNodes = ["isaac" "ymir"]; # legacy name for odin
164 sshUser = { 178 sshUser = {
165 openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/var/setuid-wrappers/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir'' 179 openssh.authorizedKeys.keys = [ ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${config.security.wrapperDir}/uucico" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFH1QWdgoC03nzW5GBuCl2pqASHeIXIYtE9IInHdaKcO uucp@ymir''
166 ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico /var/setuid-wrappers/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin'' 180 ''no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="${pkgs.writeScript "odin.sh" "#!${pkgs.stdenv.shell}\necho .\nexec -a uucico ${config.security.wrapperDir}/uucico\n"}" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJhACtnt9+3j2ev4QVA2QBlPtblPnu7yol2njgfMlHtC uucp@odin''
167 ]; 181 ];
168 }; 182 };
169 sshConfig = '' 183 sshConfig = ''
@@ -174,7 +188,7 @@
174 Hostname ymir.niflheim.yggdrasil 188 Hostname ymir.niflheim.yggdrasil
175 IdentityFile ~/.ssh/ymir 189 IdentityFile ~/.ssh/ymir
176 ''; 190 '';
177 commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" "/var/setuid-wrappers/" ]; 191 commandPath = [ "${pkgs.callPackage ./hel/recv-media.nix {}}/bin" config.security.wrapperDir ];
178 defaultCommands = []; 192 defaultCommands = [];
179 commands = { 193 commands = {
180 "isaac" = ["recv-media" "notify-gkleen"]; 194 "isaac" = ["recv-media" "notify-gkleen"];
@@ -195,12 +209,17 @@
195 relayHost = "uucp:ymir"; 209 relayHost = "uucp:ymir";
196 recipientDelimiter = "+"; 210 recipientDelimiter = "+";
197 extraMasterConf = '' 211 extraMasterConf = ''
198 uucp unix - n n - - pipe flags=Fqhu user=uucp argv=/var/setuid-wrappers/uux -z -a $sender - $nexthop!rmail ($recipient) 212 uucp unix - n n - - pipe flags=Fqhu user=uucp argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)
199 sshsendmail unix - n n - - pipe flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient 213 sshsendmail unix - n n - - pipe flags=Fq user=postfix_ssh argv=${pkgs.openssh}/bin/ssh -F /var/db/postfix_ssh/ssh.config $nexthop sendmail -f $sender -G $recipient
200 ''; 214 '';
215 transport = ''
216 gkleen+sent@yggdrasil.li uucp:isaac
217 '';
201 extraConfig = '' 218 extraConfig = ''
202 default_transport = uucp:ymir 219 always_bcc = gkleen+sent@yggdrasil.li
203 220
221 default_transport = uucp:ymir
222
204 inet_interfaces = loopback-only 223 inet_interfaces = loopback-only
205 224
206 authorized_submit_users = !uucp, static:anyone 225 authorized_submit_users = !uucp, static:anyone
@@ -265,6 +284,34 @@
265 upower = { 284 upower = {
266 enable = true; 285 enable = true;
267 }; 286 };
287
288 locate = {
289 enable = true;
290 interval = "hourly";
291 locate = pkgs.mlocate;
292 localuser = null;
293 prunePaths = ["/tmp" "/var/tmp" "/var/cache" "/var/lock" "/var/run" "/var/spool"];
294 };
295
296 dbus = {
297 enable = true;
298 packages = [ (pkgs.writeTextFile {
299 name = "eavesdrop.conf";
300 text = ''
301 <!DOCTYPE busconfig PUBLIC
302 "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
303 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
304 <busconfig>
305 <policy user="root">
306 <allow eavesdrop="true"/>
307 <allow eavesdrop="true" send_destination="*"/>
308 </policy>
309 </busconfig>
310 '';
311 destination = "/etc/dbus-1/system.d/eavesdrop.conf";
312 })
313 ];
314 };
268 }; 315 };
269 316
270 users = { 317 users = {
@@ -304,17 +351,21 @@
304 %wheel ALL=(ALL) NOPASSWD: SYSCTRL 351 %wheel ALL=(ALL) NOPASSWD: SYSCTRL
305 ''; 352 '';
306 353
307 setuidPrograms = ["slock" "mount" "mount.nfs" "umount" "newgrp" "thinklight"]; 354 wrappers = { "slock".source = "${pkgs.slock}/bin/slock";
308 355 "mount".source = "${pkgs.utillinux.bin}/bin/mount";
309 setuidOwners = [ { group = "users"; 356 "umount".source = "${pkgs.utillinux.bin}/bin/umount";
310 owner = "gkleen"; 357 "newgrp".source = "${pkgs.shadow}/bin/newgrp";
311 permissions = "u+rx,g+x,o+x"; 358 "thinklight".source =
312 program = "notify-gkleen"; 359 "${(pkgs.callPackage ./custom/thinklight.nix { thinklight = "kbd_backlight"; })}/bin/thinklight";
313 setgid = true; 360 "notify-gkleen" = {
314 setuid = true; 361 group = "users";
315 source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; }}/bin/notify-gkleen''; 362 owner = "gkleen";
316 } 363 setgid = true;
317 ]; 364 setuid = true;
365 permissions = "u+rx,g+x,o+x";
366 source = ''${pkgs.callPackage ./custom/notify-user.nix { inherit (pkgs.haskellPackages) ghcWithPackages; }}/bin/notify-gkleen'';
367 };
368 };
318 369
319 polkit = { 370 polkit = {
320 enable = true; 371 enable = true;
@@ -347,11 +398,11 @@
347 398
348 bluetooth.enable = true; 399 bluetooth.enable = true;
349 400
350 sane = { 401 # sane = {
351 enable = true; 402 # enable = true;
352 extraBackends = with pkgs; [ samsung-unified-linux-driver ]; 403 # extraBackends = with pkgs; [ samsung-unified-linux-driver ];
353 configDir = "/etc/sane.d"; 404 # configDir = "/etc/sane.d";
354 }; 405 # };
355 }; 406 };
356 407
357 sound.enable = true; 408 sound.enable = true;
@@ -374,6 +425,13 @@
374 environment.etc."sane.d/dll.conf".text = "xerox_mfp"; 425 environment.etc."sane.d/dll.conf".text = "xerox_mfp";
375 environment.etc."sane.d/xerox_mfp.conf".text = "tcp printer.asgard.yggdrasil"; 426 environment.etc."sane.d/xerox_mfp.conf".text = "tcp printer.asgard.yggdrasil";
376 427
428 environment.sessionVariables = {
429 "SANE_CONFIG_DIR" = "/etc/sane.d";
430 "TPRINT_BASEURL" = "http://bragi.asgard.yggdrasil/thermoprint/api";
431 "MPD_HOST" = "bragi.asgard.yggdrasil";
432 "MPD_PORT" = "6600";
433 };
434
377 systemd.services."kill-user@" = { 435 systemd.services."kill-user@" = {
378 serviceConfig = { 436 serviceConfig = {
379 Type = "oneshot"; 437 Type = "oneshot";
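Review bot: The new `dbus` policy (new-side lines 296–314) grants `user="root"` both `<allow eavesdrop="true"/>` and `<allow eavesdrop="true" send_destination="*"/>` on the system bus without any comment saying what needs system-wide eavesdropping, so a later maintainer has no way to tell whether the file is still needed or safe to drop. The `eavesdrop` attribute has been deprecated in dbus-daemon since 1.9.10 in favour of `org.freedesktop.DBus.Monitoring.BecomeMonitor` (which newer `dbus-monitor` tries first), so depending on the dbus version shipped this file is presumably either redundant or silently ignored; I could not tell from the hunk which applies. I would put above `dbus = {` the lines `# Let root (e.g. dbus-monitor --system) eavesdrop on the system bus; other users keep the default deny.` and `# NOTE: eavesdrop="true" is deprecated since dbus 1.9.10 (BecomeMonitor) — confirm it still takes effect.`. The enclosing `services` attrset starts outside the hunk.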