authorlassulus <lass@aidsballs.de>2016-02-06 18:45:38 +0100
committerlassulus <lass@aidsballs.de>2016-02-06 18:45:38 +0100
commit337b6ed6c55874330fb34b41b59b90c5b5462d0b (patch)
treee3cc2dc058b40937b6b53465d6f6b05f88b0d83f
parent1f345820ffb80177db695aeea76a5d8e5f1ef6a7 (diff)
parent1031de3638a1bd4bb6d80515718de52c195ef59a (diff)
Merge remote-tracking branch 'cd/master'
-rw-r--r--Makefile102
l---------[-rw-r--r--]nixpkgs/default.nix2
-rw-r--r--nixpkgs/krebs0
l---------nixpkgs/lib1
-rw-r--r--nixpkgs/nixos/default.nix66
l---------nixpkgs/nixos/lib1
l---------nixpkgs/nixos/modules2
l---------nixpkgs/pkgs1
l---------root1
-rw-r--r--shared/1systems/wolf.nix3
-rw-r--r--shared/2configs/base.nix18
-rw-r--r--shared/2configs/cgit-mirror.nix40
-rw-r--r--shared/2configs/shared-buildbot.nix (renamed from shared/2configs/buildbot-standalone.nix)28
-rw-r--r--tv/1systems/cd.nix43
-rw-r--r--tv/1systems/mkdir.nix1
-rw-r--r--tv/1systems/nomic.nix39
-rw-r--r--tv/1systems/rmdir.nix1
-rw-r--r--tv/1systems/wu.nix41
-rw-r--r--tv/1systems/xu.nix42
-rw-r--r--tv/2configs/consul-client.nix9
-rw-r--r--tv/2configs/consul-server.nix21
-rw-r--r--tv/2configs/default.nix20
-rw-r--r--tv/2configs/exim-retiolum.nix8
-rw-r--r--tv/2configs/exim-smarthost.nix5
-rw-r--r--tv/2configs/git.nix9
-rw-r--r--tv/2configs/hw/AO753.nix9
-rw-r--r--tv/2configs/hw/x220.nix1
-rw-r--r--tv/2configs/nginx-public_html.nix15
-rw-r--r--tv/2configs/retiolum.nix17
-rw-r--r--tv/2configs/vim.nix7
-rw-r--r--tv/3modules/consul.nix118
-rw-r--r--tv/3modules/default.nix1
32 files changed, 188 insertions, 484 deletions
diff --git a/Makefile b/Makefile
index a35d6d1..e61d16b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,73 +1,41 @@
-#
-# usage:
-# make infest system=foo [target=bar]
-# make [deploy] system=foo [target=bar]
-# make [deploy] systems='foo bar'
-# make eval get=users.tv.wu.config.time.timeZone [filter=json]
-#
+ifndef system
+$(error unbound variable: system)
+endif
-.ONESHELL:
-.SHELLFLAGS := -eufc
+export target_host ?= $(system)
+export target_user ?= root
+export target_path ?= /var/src
-ifdef systems
-$(systems):
- @
- unset target
- parallel \
- --line-buffer \
- -j0 \
- --no-notice \
- --tagstring {} \
- -q make -s systems= system={} ::: $(systems)
-else ifdef system
-.PHONY: deploy infest
-deploy infest:;@
- export get=krebs.$@
- export filter=json
- script=$$(make -s eval)
- echo "$$script" | sh
+evaluate = \
+ nix-instantiate \
+ --arg configuration "./$$LOGNAME/1systems/$$system.nix" \
+ --eval \
+ --readonly-mode \
+ --show-trace \
+ $(1)
-.PHONY: deploy2
-ifdef target
-deploy2: export target-host = $(target)
-else
-deploy2: export target-host = $(system)
-endif
-deploy2:;@
- target=$${target-$$system}
- result=$$(nix-instantiate \
- --json \
- --eval \
- krebs/populate.nix \
- --arg source 'with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; assert source-version == 2; source' \
- --argstr target-host "$$target" \
- --argstr target-path /var/src)
- script=$$(echo "$$result" | jq -r .)
+execute = \
+ result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \
+ script=$$(echo "$$result" | jq -r .) && \
echo "$$script" | sh
- ssh root@$$target nixos-rebuild switch -I /var/src
-.PHONY: eval
-eval:
- @
-ifeq ($(filter),json)
- extraArgs='--json --strict'
- filter() { jq -r .; }
-else
- filter() { cat; }
-endif
- result=$$(nix-instantiate \
- $${extraArgs-} \
- --eval \
- -A "$$get" \
- -I stockholm="$$PWD" \
- '<stockholm>' \
- --argstr current-date "$$(date -Is)" \
- --argstr current-host-name "$$HOSTNAME" \
- --argstr current-user-name "$$LOGNAME" \
- $${system+--argstr system "$$system"} \
- $${target+--argstr target "$$target"})
- echo "$$result" | filter
+# usage: make deploy system=foo [target_host=bar]
+deploy:
+ $(call execute,populate)
+ @set -x; ssh "$$target_user@$$target_host" nixos-rebuild switch -I "$$target_path"
-else
-$(error unbound variable: system[s])
-endif
+# usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name
+eval eval.:;@$(call evaluate)
+eval.%:;@$(call evaluate,-A $*)
+
+## usage: make install system=foo target=
+#.PHONY: install
+#install: ssh = ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+#install:;@set -x
+# $(ssh) "$$target_user@$$target_host" \
+# env target_path="$target_path" \
+# sh -s prepare < krebs/4lib/infest/prepare.sh
+# make -s populate target_path=/mnt"$$target_path"
+# $(ssh) "$$target_user@$$target_host" \
+# env NIXOS_CONFIG=/var/src/nixos-config \
+# nixos-install
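Review bot: `execute` pipes the evaluated populate script into a bare `sh` (the `echo "$$script" | sh` line), and since this rewrite also drops the old `.SHELLFLAGS := -eufc`, a command failing in the middle of that generated script will not abort the pipeline before `deploy` goes on to `nixos-rebuild switch`, unless the generated script sets `-e` itself, which is not visible here. Consider `echo "$$script" | sh -e` (or `set -eu` at the top of the generated script) so a partial populate, say the secrets copy failing, cannot be followed by a switch. Separately, the commented-out `install` target carries `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, which disables SSH host authentication for the initial install; when it is revived, prefer pre-seeding the target's host key (or at least a dedicated known_hosts file) so the first `sh -s prepare` run of root-level install commands is not exposed to a man-in-the-middle. The `evaluate` macro also interpolates `$$LOGNAME` and `$$system` into the `--arg configuration` path with only an `ifndef system` presence check; a comment noting that both are trusted operator input would help.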
diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix
index 92da82c..74e9d76 100644..120000
--- a/nixpkgs/default.nix
+++ b/nixpkgs/default.nix
@@ -1 +1 @@
-import <upstream-nixpkgs>
+../upstream-nixpkgs/default.nix \ No newline at end of file
diff --git a/nixpkgs/krebs b/nixpkgs/krebs
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/nixpkgs/krebs
diff --git a/nixpkgs/lib b/nixpkgs/lib
new file mode 120000
index 0000000..2284ef4
--- /dev/null
+++ b/nixpkgs/lib
@@ -0,0 +1 @@
+../upstream-nixpkgs/lib \ No newline at end of file
diff --git a/nixpkgs/nixos/default.nix b/nixpkgs/nixos/default.nix
index 6c5adf3..4fe08ef 100644
--- a/nixpkgs/nixos/default.nix
+++ b/nixpkgs/nixos/default.nix
@@ -1,65 +1 @@
-{ configuration ? import <upstream-nixpkgs/nixos/lib/from-env.nix> "NIXOS_CONFIG" <nixos-config>
-, system ? builtins.currentSystem
-}:
-
-let
- eval-config = modules: import <upstream-nixpkgs/nixos/lib/eval-config.nix> {
- inherit system;
- modules = modules ++ [({ config, lib, ... }: with lib; {
- imports = filter dir.has-default-nix (concatLists [
- (map (p: p + "/2configs") [ <stockholm-private> ])
- (map (p: p + "/3modules") [ <stockholm-krebs> <stockholm-private> ])
- ]);
-
- krebs.current = {
- enable = true;
- host = config.krebs.hosts.${readFile /proc/sys/kernel/hostname};
- user = config.krebs.users.${getEnv "LOGNAME"};
- };
-
- nixpkgs.config.packageOverrides = pkgs: let
- kpkgs = import <stockholm-krebs/5pkgs> { inherit lib pkgs; };
- upkgs = import <stockholm-private/5pkgs> { inherit lib; pkgs = pkgs // kpkgs; };
- in kpkgs // upkgs;
- })];
- specialArgs = {
- lib = let
- nlib = import <upstream-nixpkgs/lib> // builtins;
- klib = nlib // import <stockholm-krebs/4lib> { lib = nlib; };
- ulib = klib // (with klib; let p = <stockholm-private> + "/4lib"; in
- optionalAttrs (dir.has-default-nix p)
- (import p { lib = klib; }));
- in ulib;
- };
- };
-
- eval = eval-config [
- configuration
- ];
-
- # This is for `nixos-rebuild build-vm'.
- vm = eval-config [
- configuration
- <upstream-nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
- ];
-
- # This is for `nixos-rebuild build-vm-with-bootloader'.
- vm-with-bootloader = eval-config [
- configuration
- <upstream-nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
- { virtualisation.useBootLoader = true; }
- ];
-in
-
-{
- inherit (eval) config options;
-
- system = eval.config.system.build.toplevel;
-
- vm = vm.config.system.build.vm;
-
- vmWithBootLoader = vm-with-bootloader.config.system.build.vm;
-
- # The following are used by nixos-rebuild.
- nixFallback = eval.pkgs.nixUnstable;
-}
+import <stockholm>
diff --git a/nixpkgs/nixos/lib b/nixpkgs/nixos/lib
new file mode 120000
index 0000000..9e69d1a
--- /dev/null
+++ b/nixpkgs/nixos/lib
@@ -0,0 +1 @@
+../../../upstream-nixpkgs/nixos/lib \ No newline at end of file
diff --git a/nixpkgs/nixos/modules b/nixpkgs/nixos/modules
index 8fbc437..8aa2488 120000
--- a/nixpkgs/nixos/modules
+++ b/nixpkgs/nixos/modules
@@ -1 +1 @@
-../../upstream-nixpkgs/nixos/modules \ No newline at end of file
+../../../upstream-nixpkgs/nixos/modules \ No newline at end of file
diff --git a/nixpkgs/pkgs b/nixpkgs/pkgs
new file mode 120000
index 0000000..ce5f544
--- /dev/null
+++ b/nixpkgs/pkgs
@@ -0,0 +1 @@
+../upstream-nixpkgs/pkgs \ No newline at end of file
diff --git a/root b/root
new file mode 120000
index 0000000..1cd1825
--- /dev/null
+++ b/root
@@ -0,0 +1 @@
+../stockholm-user \ No newline at end of file
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 8cf5be7..bcfbd68 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -11,7 +11,8 @@ in
../2configs/collectd-base.nix
../2configs/shack-nix-cacher.nix
../2configs/shack-drivedroid.nix
- ../2configs/buildbot-standalone.nix
+ ../2configs/shared-buildbot.nix
+ ../2configs/cgit-mirror.nix
# ../2configs/graphite.nix
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix
index 5e60726..dd698ba 100644
--- a/shared/2configs/base.nix
+++ b/shared/2configs/base.nix
@@ -16,20 +16,16 @@ with lib;
# TODO rename shared user to "krebs"
krebs.build.user = mkDefault config.krebs.users.shared;
krebs.build.source = {
- git.nixpkgs = {
+ upstream-nixpkgs = mkDefault {
url = https://github.com/NixOS/nixpkgs;
rev = "d0e3cca";
- target-path = "/var/src/nixpkgs";
- };
- dir.secrets = {
- host = config.krebs.current.host;
- path = mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}";
- };
- dir.stockholm = {
- host = config.krebs.current.host;
- path = mkDefault "${getEnv "HOME"}/stockholm";
- target-path = "/var/src/stockholm";
};
+ secrets = mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}";
+ stockholm = mkDefault "${getEnv "HOME"}/stockholm";
+
+ nixos-config = "symlink:stockholm/${config.krebs.build.user.name}/1systems/${config.krebs.build.host.name}.nix";
+ nixpkgs = symlink:stockholm/nixpkgs;
+ stockholm-user = "symlink:stockholm/${config.krebs.build.user.name}";
};
networking.hostName = config.krebs.build.host.name;
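Review bot: The new `upstream-nixpkgs` default pins nixpkgs to `rev = "d0e3cca"`, a 7-character abbreviated commit id, while `tv/2configs/default.nix` in the same merge pins a full 40-character hash; short ids are not a stable supply-chain pin, since they can become ambiguous as the upstream repository grows and are cheap to collide with a crafted commit. Pin the full commit id here too, i.e. `rev = "d0e3cca…";` expanded to its 40 hex characters. A one-line comment stating what this rev corresponds to (channel or date) would make future bumps reviewable. The `secrets` and `stockholm` defaults are built from `getEnv "HOME"`, which evaluates to the empty string when HOME is unset; that is inherited behaviour, but worth a note next to the `mkDefault`s.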
diff --git a/shared/2configs/cgit-mirror.nix b/shared/2configs/cgit-mirror.nix
new file mode 100644
index 0000000..4ff1902
--- /dev/null
+++ b/shared/2configs/cgit-mirror.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ rules = with git; singleton {
+ user = [ git-sync ];
+ repo = [ stockholm-mirror ];
+ perm = push ''refs/*'' [ non-fast-forward create delete merge ];
+ };
+
+ stockholm-mirror = {
+ public = true;
+ name = "stockholm-mirror";
+ desc = "mirror for all stockholm branches";
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ nick = config.networking.hostName;
+ verbose = false;
+ channel = "#retiolum";
+ server = "cd.retiolum";
+ };
+ };
+ };
+
+ git-sync = {
+ name = "git-sync";
+ mail = "spam@krebsco.de";
+ # TODO put git-sync pubkey somewhere more appropriate
+ pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzUuzyoAhMgJmsiaTVWNSXqcrZNTpKpv0nfFBOMcNXUWEbvfAq5eNpg5cX+P8eoYl6UQgfftbYi06flKK3yJdntxoZKLwJGgJt9NZr8yZTsiIfMG8XosvGNQtGPkBtpLusgmPpu7t2RQ9QrqumBvoUDGYEauKTslLwupp1QeyWKUGEhihn4CuqQKiPrz+9vbNd75XOfVZMggk3j4F7HScatmA+p1EQXWyq5Jj78jQN5ZIRnHjMQcIZ4DOz1U96atwSKMviI1xEZIODYfgoGjjiWYeEtKaLVPtSqtLRGI7l+RNouMfwHLdTWOJSlIdFncfPXC6R19hTll3UHeHLtqLP git-sync'';
+ };
+
+in {
+ krebs.git = {
+ enable = true;
+ root-title = "Shared Repos";
+ root-desc = "keep on krebsing";
+ inherit rules;
+ repos.stockholm-mirror = stockholm-mirror;
+ };
+}
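Review bot: The single rule grants `git-sync` `non-fast-forward`, `create`, `delete` and `merge` on `refs/*` of a repo declared `public = true`, so whoever holds the inline RSA key can rewrite or erase any branch or tag of the public mirror. If the mirror is meant to be a faithful copy of every upstream branch that is probably intended, but say so next to the rule, e.g. `# git-sync must force-push/delete to track upstream; this mirror is not a trust anchor`, and consider narrowing the pattern to `refs/heads/*` so tags cannot be replaced. The `TODO put git-sync pubkey somewhere more appropriate` would also be the place to record where the private key lives and who can rotate it, since that key is now the only write credential on this host's public repo.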
diff --git a/shared/2configs/buildbot-standalone.nix b/shared/2configs/shared-buildbot.nix
index c614bd3..50b2790 100644
--- a/shared/2configs/buildbot-standalone.nix
+++ b/shared/2configs/shared-buildbot.nix
@@ -1,5 +1,9 @@
{ lib, config, pkgs, ... }:
+# The buildbot config is seilf-contained and provides a way to test "shared"
+# configuration (infrastructure to be used by every krebsminister).
+# You can add your own test, test steps as required. Deploy the config on a
+# shared host like wolf and everything should be fine.
{
networking.firewall.allowedTCPPorts = [ 8010 9989 ];
krebs.buildbot.master = {
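Review bot: The new header comment has a typo: `seilf-contained` should read `self-contained`. It also says deploying on a shared host means "everything should be fine" while the very next line opens TCP 8010 and 9989 on the firewall; the comment would be more useful if it stated that explicitly, e.g. `# Note: exposes the buildbot web UI (8010) and worker port (9989) on all interfaces`.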
@@ -59,7 +63,10 @@
"(import <stockholm> {}).pkgs.test.infest-cac-centos7" ]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
- nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
+ nixshell = ["nix-shell",
+ "-I", "stockholm=.",
+ "-I", "nixpkgs=/var/src/upstream-nixpkgs",
+ "-p" ] + deps + [ "--run" ]
# prepare addShell function
def addShell(factory,**kwargs):
@@ -69,14 +76,9 @@
fast-tests = ''
f = util.BuildFactory()
f.addStep(grab_repo)
- addShell(f,name="deploy-eval-centos7",env=env,
- command=nixshell + ["make -s eval get=krebs.deploy filter=json system=test-centos7"])
-
- addShell(f,name="deploy-eval-wolf",env=env,
- command=nixshell + ["make -s eval get=krebs.deploy filter=json system=wolf"])
-
- addShell(f,name="deploy-eval-cross-check",env=env,
- command=nixshell + ["! make eval get=krebs.deploy filter=json system=test-failing"])
+ for i in [ "test-centos7", "wolf", "test-failing" ]:
+ addShell(f,name="populate-{}".format(i),env=env,
+ command=nixshell + ["set -o pipefail;{}( nix-instantiate --arg configuration shared/1systems/{}.nix --eval --readonly-mode --show-trace -A config.krebs.build.populate --strict | jq -r .)".format("!" if "failing" in i else "",i)])
addShell(f,name="instantiate-test-all-modules",env=env,
command=nixshell + \
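Review bot: The `test-failing` case is checked only by negating the whole pipeline with `!`, so any failure at all — nix-instantiate not finding the file, `jq` missing from PATH, a syntax error in the builder — makes the cross-check pass, which means the test can no longer detect that `test-failing` fails for the intended reason. Consider capturing stderr and asserting on the expected error text (or at least on `nix-instantiate`'s own exit status before the `jq` stage) rather than on the pipeline as a whole. The selection by `"failing" in i` is a substring match on the system name; an explicit set such as `expected_fail = {"test-failing"}` would be clearer.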
@@ -86,9 +88,6 @@
-I stockholm=. \
--show-trace \
-I secrets=. '<stockholm>' \
- --argstr current-date lol \
- --argstr current-user-name shared \
- --argstr current-host-name lol \
--strict --json"])
addShell(f,name="instantiate-test-minimal-deploy",env=env,
@@ -98,9 +97,6 @@
-I stockholm=. \
-I secrets=. '<stockholm>' \
--show-trace \
- --argstr current-date lol \
- --argstr current-user-name shared \
- --argstr current-host-name lol \
--strict --json"])
bu.append(util.BuilderConfig(name="fast-tests",
@@ -147,6 +143,6 @@
password = "krebspass";
packages = with pkgs;[ git nix ];
# all nix commands will need a working nixpkgs installation
- extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
+ extraEnviron = { NIX_PATH="/var/src"; };
};
}
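Review bot: `NIX_PATH="/var/src"` points the worker at the host's live deployment directory, which `make deploy` rewrites, so test results now depend on whatever was last populated on wolf rather than on a pinned nixpkgs; a comment stating that trade-off (and that the `-I nixpkgs=/var/src/upstream-nixpkgs` added to `nixshell` relies on the same directory) would help, or pass the pinned `upstream-nixpkgs` rev explicitly. Not introduced here, but the adjacent `password = "krebspass"` is a plaintext worker credential that ends up in the world-readable Nix store with this module; it would be better read from the secrets directory.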
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index b69d765..8297a56 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -6,17 +6,12 @@ with lib;
krebs.build.host = config.krebs.hosts.cd;
krebs.build.target = "root@cd.internet";
- krebs.build.source.upstream-nixpkgs = {
- url = https://github.com/NixOS/nixpkgs;
- rev = "b7ff030";
- };
-
imports = [
../2configs/hw/CAC-Developer-2.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- #../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
+ ../2configs/retiolum.nix
../2configs/urlwatch.nix
{
imports = [ ../2configs/charybdis.nix ];
@@ -30,6 +25,10 @@ with lib;
enable = true;
hosts = [ "jabber.viljetic.de" ];
};
+ tv.iptables.input-internet-accept-new-tcp = [
+ "xmpp-client"
+ "xmpp-server"
+ ];
}
{
krebs.github-hosts-sync.enable = true;
@@ -37,38 +36,17 @@ with lib;
singleton config.krebs.github-hosts-sync.port;
}
{
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "tinc"
- "smtp"
- "xmpp-client"
- "xmpp-server"
- ];
- input-retiolum-accept-new-tcp = [
- "http"
- ];
- };
- }
- {
- tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.cgit.server-names = [
"cgit.cd.krebsco.de"
"cgit.cd.viljetic.de"
];
- }
- {
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'');
};
- }
- {
krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de";
# TODO directly set root (instead via location)
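Review bot: The removed `tv.iptables` block accepted `tinc` from the internet and `http` from retiolum; of its rules, ssh (`tv/2configs/default.nix`), smtp (`exim-smarthost.nix`), xmpp (earlier hunk) and internet http (the last hunk) are visibly re-added in this merge, but nothing visible in this chunk restores the `tinc` accept or the retiolum-only `http` accept. Presumably the newly imported `../2configs/retiolum.nix` opens tinc; please confirm, and confirm whether dropping the retiolum `http` rule is intended — if `tv.iptables` treats retiolum as a separate interface, cgit on `cd.retiolum` would become unreachable from the VPN. A brief comment near the collapsed `input-internet-accept-new-tcp = singleton "http"` recording which interfaces it covers would settle this for the next reader.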
@@ -76,16 +54,7 @@ with lib;
root ${pkgs.viljetic-pages};
'');
};
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
+ tv.iptables.input-internet-accept-new-tcp = singleton "http";
}
];
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index 9d8a0bc..79e5f73 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -22,7 +22,6 @@ in
imports = [
../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
{
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 7bc7b70..37ef204 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -5,47 +5,14 @@ with lib;
{
krebs.build.host = config.krebs.hosts.nomic;
- krebs.build.target = "root@nomic.gg23";
-
imports = [
../2configs/hw/AO753.nix
- #../2configs/consul-server.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
+ ../2configs/nginx-public_html.nix
../2configs/pulse.nix
+ ../2configs/retiolum.nix
../2configs/xserver
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- krebs.exim-retiolum.enable = true;
- }
- {
- krebs.nginx = {
- enable = true;
- servers.default.locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "gum"
- "pigstarter"
- ];
- };
- }
];
boot.initrd.luks = {
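Review bot: Deleting `krebs.build.target = "root@nomic.gg23"` makes nomic fall back to the shared default `root@${config.krebs.build.host.name}` from `tv/2configs/default.nix`, i.e. `root@nomic`; that only deploys to the same machine if `nomic` resolves where `nomic.gg23` did, which this chunk cannot confirm. The smtp exposure is tightened — the old block accepted smtp from the internet, while `exim-retiolum.nix` now accepts it only on retiolum — which deserves a line in the commit message since it is a behaviour change, not a refactor. The old internet `http` and `tinc` accepts have no visible replacement here; presumably `nginx-public_html.nix` and `retiolum.nix` (not in this chunk) provide them.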
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index 1f1d975..6fd79c5 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -23,7 +23,6 @@ in
imports = [
../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
- ../2configs/consul-server.nix
../2configs/exim-smarthost.nix
../2configs/git.nix
{
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 3bdf8d3..29e6de0 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -7,10 +7,12 @@ with lib;
imports = [
../2configs/hw/w110er.nix
- #../2configs/consul-client.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
+ ../2configs/nginx-public_html.nix
../2configs/pulse.nix
+ ../2configs/retiolum.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
@@ -41,7 +43,7 @@ with lib;
# tv
bc
bind # dig
- cac
+ cac-api
dic
file
get
@@ -123,39 +125,6 @@ with lib;
unison
];
}
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- krebs.exim-retiolum.enable = true;
- }
- {
- krebs.nginx = {
- enable = true;
- servers.default.locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "gum"
- "pigstarter"
- ];
- };
- }
];
boot.initrd.luks = {
@@ -188,7 +157,7 @@ with lib;
nixpkgs.config.chromium.enablePepperFlash = true;
- nixpkgs.config.allowUnfree = true;
+ nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name;
hardware.bumblebee.enable = true;
hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true;
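Review bot: `allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name` matches on the versioned derivation name, so it admits the nvidia driver and nothing else, but the context line above keeps `chromium.enablePepperFlash = true`, and the Pepper Flash plugin carries an unfree license in nixpkgs, so with the blanket `allowUnfree = true` gone this host may now refuse to evaluate — please verify, and if so extend the predicate with the flash plugin's derivation name. Comparing with `(builtins.parseDrvName pkg.name).name == "nvidia-x11"` would avoid matching any other package that happens to share the prefix.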
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index e6894b5..8c4af2b 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -5,15 +5,14 @@ with lib;
{
krebs.build.host = config.krebs.hosts.xu;
- krebs.build.source.git.nixpkgs.rev =
- "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a";
-
imports = [
../2configs/hw/x220.nix
- #../2configs/consul-client.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
+ ../2configs/nginx-public_html.nix
../2configs/pulse.nix
+ ../2configs/retiolum.nix
../2configs/xserver
{
environment.systemPackages = with pkgs; [
@@ -124,40 +123,6 @@ with lib;
unison
];
}
- {
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "http"
- "tinc"
- "smtp"
- ];
- };
- }
- {
- krebs.exim-retiolum.enable = true;
- }
- {
- krebs.nginx = {
- enable = true;
- servers.default.locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
- };
- }
- {
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "cd"
- "gum"
- "pigstarter"
- ];
- };
- }
];
boot.initrd.luks = {
@@ -190,7 +155,6 @@ with lib;
nixpkgs.config.chromium.enablePepperFlash = true;
- nixpkgs.config.allowUnfree = true;
#hardware.bumblebee.enable = true;
#hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true;
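Review bot: Removing `nixpkgs.config.allowUnfree = true` while the context line above keeps `chromium.enablePepperFlash = true` may make xu fail to evaluate, since the Pepper Flash plugin carries an unfree license in nixpkgs and, unlike wu, no `allowUnfreePredicate` is set here; please verify, and either drop pepper flash or add a narrow predicate as wu does. `hardware.enableAllFirmware` pulls redistributable-firmware packages, which nixpkgs permits regardless of `allowUnfree` as far as I recall, so that line should be unaffected.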
diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix
deleted file mode 100644
index 0a8bf4d..0000000
--- a/tv/2configs/consul-client.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-
-{
- imports = [ ./consul-server.nix ];
-
- tv.consul = {
- server = pkgs.lib.mkForce false;
- };
-}
diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix
deleted file mode 100644
index d10f9ea..0000000
--- a/tv/2configs/consul-server.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
- tv.consul = rec {
- enable = true;
-
- self = config.krebs.build.host;
- inherit (self) dc;
-
- server = true;
-
- hosts = with config.krebs.hosts; [
- # TODO get this list automatically from each host where tv.consul.enable is true
- cd
- mkdir
- nomic
- rmdir
- #wu
- ];
- };
-}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 3100770..57c4620 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -8,15 +8,13 @@ with lib;
krebs.build = {
user = config.krebs.users.tv;
target = mkDefault "root@${config.krebs.build.host.name}";
- source-version = 2;
source = mapAttrs (_: mkDefault) ({
- nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix";
- nixpkgs = symlink:stockholm-nixpkgs;
+ nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix";
+ nixpkgs = symlink:stockholm/nixpkgs;
secrets = "/home/tv/secrets/${config.krebs.build.host.name}";
secrets-common = "/home/tv/secrets/common";
- stockholm-krebs = "/home/tv/stockholm/krebs";
- stockholm-nixpkgs = "/home/tv/stockholm/nixpkgs";
- stockholm-private = "/home/tv/stockholm/tv";
+ stockholm = "/home/tv/stockholm";
+ stockholm-user = "symlink:stockholm/tv";
upstream-nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
@@ -70,6 +68,9 @@ with lib;
nix.useChroot = true;
}
{
+ nixpkgs.config.allowUnfree = false;
+ }
+ {
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
environment.systemPackages = with pkgs; [
@@ -101,7 +102,7 @@ with lib;
};
environment.variables = {
- NIX_PATH = mkForce "/var/src";
+ NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
programs.bash = {
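Review bot: `NIX_PATH` now prepends `secrets=/var/src/stockholm/null`, which looks like a deliberate way of making interactive evaluation on the host resolve `<secrets>` to a dummy directory instead of the real secrets populated under `/var/src`, but nothing says so. Add a comment such as `# point <secrets> at the null dir so ad-hoc nix-instantiate/nix-shell on the host does not read the deployed secrets by default`, and confirm that `/var/src/stockholm/null` actually exists in the populated tree — I believe a non-existent prefixed entry is skipped, so `<secrets>` would then fall through to `/var/src/secrets` silently rather than fail.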
@@ -163,12 +164,17 @@ with lib;
}
{
+ tv.iptables.enable = true;
+ }
+
+ {
services.openssh = {
enable = true;
hostKeys = [
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
+ tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
}
{
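Review bot: `tv.iptables.enable = true` is now set for every tv host from this shared module, with only `ssh` accepted from the internet here and the remaining ports contributed by the individual 2configs; a host that imports this file but none of the new port-contributing modules (mkdir and rmdir in this merge only drop `consul-server.nix` and keep `exim-smarthost.nix`) ends up with a default-deny inbound policy beyond ssh and smtp — intended hardening, presumably, but worth stating in a comment, e.g. `# every host is firewalled by default; services open their ports in their own 2config`. The openssh block restricts host keys to ed25519 only; a note that this intentionally drops the RSA host key NixOS would otherwise generate would help readers who see older clients failing to connect.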
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
new file mode 100644
index 0000000..aedf258
--- /dev/null
+++ b/tv/2configs/exim-retiolum.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+
+with lib;
+
+{
+ krebs.exim-retiolum.enable = true;
+ tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+}
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index f5f63d2..bcfea78 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
{
krebs.exim-smarthost = {
@@ -34,4 +36,5 @@
{ from = "mirko"; to = "mv"; }
];
};
+ tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
}
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 800deff..b818008 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -9,7 +9,7 @@ let
enable = true;
root-title = "public repositories at ${config.krebs.build.host.name}";
root-desc = "keep calm and engage";
- repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+ repos = repos;
rules = rules;
};
};
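Review bot: Replacing `mapAttrs (_: s: removeAttrs s ["collaborators"]) repos` with `repos = repos;` passes the `collaborators` attribute straight into `krebs.git.repos`; unless the module's repo option type declares that attribute (not visible here — presumably added on the merged `cd/master` side), evaluation will reject it. Stylistically `repos = repos;` and the adjacent `rules = rules;` bind the same name on both sides and read better as `inherit repos rules;`.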
@@ -22,8 +22,8 @@ let
public-repos = mapAttrs make-public-repo ({
} // mapAttrValues (setAttr "section" "1. Miscellaneous") {
- cac = {
- desc = "CloudAtCost command line interface";
+ cac-api = {
+ desc = "CloudAtCost API command line interface";
};
get = {};
hack = {};
@@ -39,6 +39,7 @@ let
stockholm = {
desc = "take all the computers hostage, they'll love you!";
};
+ with-tmpdir = {};
} // mapAttrValues (setAttr "section" "2. Haskell libraries") {
blessings = {};
mime = {};
@@ -98,7 +99,7 @@ let
repo = [ repo ];
perm = fetch;
} ++
- optional