summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--modules/cd/default.nix2
-rw-r--r--modules/tv/ejabberd.nix4
-rw-r--r--modules/wu/users.nix2
-rwxr-xr-xnext/bin/build22
-rwxr-xr-xnext/bin/copy-secrets28
-rwxr-xr-xnext/bin/deploy16
-rwxr-xr-xnext/bin/query20
-rwxr-xr-xnext/profile11
8 files changed, 101 insertions, 4 deletions
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
index 3ee3704..7ceaf71 100644
--- a/modules/cd/default.nix
+++ b/modules/cd/default.nix
@@ -3,7 +3,7 @@
{
imports =
[
- <secrets/cd.hashedPasswords.nix>
+ <secrets/hashedPasswords.nix>
./iptables.nix
./networking.nix
../common/nixpkgs.nix
diff --git a/modules/tv/ejabberd.nix b/modules/tv/ejabberd.nix
index e836d2c..008fe2c 100644
--- a/modules/tv/ejabberd.nix
+++ b/modules/tv/ejabberd.nix
@@ -221,7 +221,7 @@ in
%% file and uncomment this line:
%%
starttls,
- {certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"},
+ {certfile, "/etc/ejabberd/ejabberd.pem"},
{access, c2s},
{shaper, c2s_shaper},
@@ -274,7 +274,7 @@ in
%%
%% s2s_certfile: Specify a certificate file.
%%
- {s2s_certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}.
+ {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
%%
%% domain_certfile: Specify a different certificate for each served hostname.
diff --git a/modules/wu/users.nix b/modules/wu/users.nix
index 654d49c..88f2b65 100644
--- a/modules/wu/users.nix
+++ b/modules/wu/users.nix
@@ -210,7 +210,7 @@ in
{
imports = [
- <secrets/wu.hashedPasswords.nix>
+ <secrets/hashedPasswords.nix>
];
users.defaultUserShell = "/run/current-system/sw/bin/bash";
diff --git a/next/bin/build b/next/bin/build
new file mode 100755
index 0000000..40bbec3
--- /dev/null
+++ b/next/bin/build
@@ -0,0 +1,22 @@
+#! /bin/sh
+#
+# build : hostname -> system-path
+#
+set -euf
+
+host=$1
+
+#target=root@$host
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+nix-build \
+ -I "$nixpkgs" \
+ -I nixos-config="$nixos_config" \
+ -I retiolum-hosts="$retiolum_hosts" \
+ -I secrets="$secrets_nix" \
+ -A system \
+ --no-out-link \
+ '<nixos>'
diff --git a/next/bin/copy-secrets b/next/bin/copy-secrets
new file mode 100755
index 0000000..7398d4f
--- /dev/null
+++ b/next/bin/copy-secrets
@@ -0,0 +1,28 @@
+#! /bin/sh
+set -euf
+
+host=$1
+
+target=root@$host
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+if ! test -e "$secrets_rsync"; then
+ exit # nothing to do
+fi
+
+retiolum_secret=$(query $host services.retiolum.privateKeyFile)
+retiolum_uid=$(query $host users.extraUsers.retiolum-tinc.uid)
+
+ejabberd_secret=/etc/ejabberd/ejabberd.pem
+ejabberd_uid=$(query $host users.extraUsers.ejabberd.uid)
+
+rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"
+
+ssh "$target" -T <<EOF
+set -euf
+! test -f $retiolum_secret || chown -v $retiolum_uid:0 $retiolum_secret
+! test -f $ejabberd_secret || chown -v $ejabberd_uid:0 $ejabberd_secret
+EOF
diff --git a/next/bin/deploy b/next/bin/deploy
new file mode 100755
index 0000000..1c1d977
--- /dev/null
+++ b/next/bin/deploy
@@ -0,0 +1,16 @@
+#! /bin/sh
+#
+# deploy
+#
+set -euf
+
+host=$1
+system=${2-$(build "$host")}
+
+target=root@$host
+
+nix-copy-closure --gzip --to "$target" "$system"
+
+copy-secrets "$host"
+
+ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch
diff --git a/next/bin/query b/next/bin/query
new file mode 100755
index 0000000..0e55a6c
--- /dev/null
+++ b/next/bin/query
@@ -0,0 +1,20 @@
+#! /bin/sh
+set -euf
+
+host=$1
+attr=$2
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+nix-instantiate \
+ -I "$nixpkgs" \
+ -I nixos-config="$nixos_config" \
+ -I retiolum-hosts="$retiolum_hosts" \
+ -I secrets="$secrets_nix" \
+ -A config."$attr" \
+ '<nixos>' \
+ --eval \
+ --json \
+ | jq -r .
diff --git a/next/profile b/next/profile
new file mode 100755
index 0000000..138c271
--- /dev/null
+++ b/next/profile
@@ -0,0 +1,11 @@
+#! /bin/sh
+export PATH=$HOME/src/config/next/bin:$PATH
+export nixpkgs=/var/nixpkgs
+export config_root=$HOME/src/config
+export retiolum_hosts=$HOME/src/config/hosts
+export secrets_root=$HOME/src/config/secrets
+
+export PS1='\[\e[1;35m\]config>\[\e[m\] '
+
+cd /var/empty
+exec /bin/sh