-rw-r--r-- | modules/cd/default.nix | 2 | ||||
-rw-r--r-- | modules/tv/ejabberd.nix | 4 | ||||
-rw-r--r-- | modules/wu/users.nix | 2 | ||||
-rwxr-xr-x | next/bin/build | 22 | ||||
-rwxr-xr-x | next/bin/copy-secrets | 28 | ||||
-rwxr-xr-x | next/bin/deploy | 16 | ||||
-rwxr-xr-x | next/bin/query | 20 | ||||
-rwxr-xr-x | next/profile | 11 |
8 files changed, 101 insertions, 4 deletions
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
index 3ee3704..7ceaf71 100644
--- a/modules/cd/default.nix
+++ b/modules/cd/default.nix
@@ -3,7 +3,7 @@
 {
 imports = [
- <secrets/cd.hashedPasswords.nix>
+ <secrets/hashedPasswords.nix>
 ./iptables.nix
 ./networking.nix
 ../common/nixpkgs.nix
diff --git a/modules/tv/ejabberd.nix b/modules/tv/ejabberd.nix
index e836d2c..008fe2c 100644
--- a/modules/tv/ejabberd.nix
+++ b/modules/tv/ejabberd.nix
@@ -221,7 +221,7 @@ in
 %% file and uncomment this line:
 %% starttls,
- {certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"},
+ {certfile, "/etc/ejabberd/ejabberd.pem"},
 {access, c2s},
 {shaper, c2s_shaper},
@@ -274,7 +274,7 @@ in
 %%
 %% s2s_certfile: Specify a certificate file.
 %%
- {s2s_certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}.
+ {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
 %%
 %% domain_certfile: Specify a different certificate for each served hostname.
diff --git a/modules/wu/users.nix b/modules/wu/users.nix
index 654d49c..88f2b65 100644
--- a/modules/wu/users.nix
+++ b/modules/wu/users.nix
@@ -210,7 +210,7 @@ in
 {
 imports = [
- <secrets/wu.hashedPasswords.nix>
+ <secrets/hashedPasswords.nix>
 ];
 users.defaultUserShell = "/run/current-system/sw/bin/bash";
diff --git a/next/bin/build b/next/bin/build
new file mode 100755
index 0000000..40bbec3
--- /dev/null
+++ b/next/bin/build
@@ -0,0 +1,22 @@
+#! /bin/sh
+#
+# build : hostname -> system-path
+#
+set -euf
+
+host=$1
+
+#target=root@$host
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+nix-build \
+ -I "$nixpkgs" \
+ -I nixos-config="$nixos_config" \
+ -I retiolum-hosts="$retiolum_hosts" \
+ -I secrets="$secrets_nix" \
+ -A system \
+ --no-out-link \
+ '<nixos>'
diff --git a/next/bin/copy-secrets b/next/bin/copy-secrets
new file mode 100755
index 0000000..7398d4f
--- /dev/null
+++ b/next/bin/copy-secrets
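Review bot: The new certfile path `/etc/ejabberd/ejabberd.pem` in both ejabberd.nix hunks (the c2s `certfile` and the `s2s_certfile` entry) no longer lives under the secrets tree the module is evaluated with, so nothing in this file says where that file comes from; as far as this commit shows it is delivered out of band by `next/bin/copy-secrets` via rsync and then chowned to the ejabberd uid. A comment next to the first occurrence would save the next reader a search, e.g. `%% delivered by next/bin/copy-secrets (rsync from secrets/<host>/rsync, chowned to ejabberd)`. The ejabberd configuration string these lines belong to starts and ends outside the hunks.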
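Review bot: `secrets_rsync` (and the commented-out `#target=root@$host`) is assigned but never used in this script, and the same three `nixos_config`/`secrets_nix`/`secrets_rsync` assignments are repeated in `next/bin/copy-secrets` (where `nixos_config` and `secrets_nix` are unused) and `next/bin/query` (where `secrets_rsync` is unused); dropping the dead assignments, or moving the shared lines into one snippet the three scripts source, would keep them from drifting apart. The script also relies on `config_root`, `secrets_root`, `nixpkgs` and `retiolum_hosts` being exported by `next/profile`; `set -u` only reports an unset one by bare name and says nothing about an empty one, so an early `: "${config_root:?}" "${secrets_root:?}" "${nixpkgs:?}" "${retiolum_hosts:?}"` plus a line in the header comment naming the required variables would make that contract explicit.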
@@ -0,0 +1,28 @@
+#! /bin/sh
+set -euf
+
+host=$1
+
+target=root@$host
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+if ! test -e "$secrets_rsync"; then
+ exit # nothing to do
+fi
+
+retiolum_secret=$(query $host services.retiolum.privateKeyFile)
+retiolum_uid=$(query $host users.extraUsers.retiolum-tinc.uid)
+
+ejabberd_secret=/etc/ejabberd/ejabberd.pem
+ejabberd_uid=$(query $host users.extraUsers.ejabberd.uid)
+
+rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"
+
+ssh "$target" -T <<EOF
+set -euf
+! test -f $retiolum_secret || chown -v $retiolum_uid:0 $retiolum_secret
+! test -f $ejabberd_secret || chown -v $ejabberd_uid:0 $ejabberd_secret
+EOF
diff --git a/next/bin/deploy b/next/bin/deploy
new file mode 100755
index 0000000..1c1d977
--- /dev/null
+++ b/next/bin/deploy
@@ -0,0 +1,16 @@
+#! /bin/sh
+#
+# deploy
+#
+set -euf
+
+host=$1
+system=${2-$(build "$host")}
+
+target=root@$host
+
+nix-copy-closure --gzip --to "$target" "$system"
+
+copy-secrets "$host"
+
+ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch
diff --git a/next/bin/query b/next/bin/query
new file mode 100755
index 0000000..0e55a6c
--- /dev/null
+++ b/next/bin/query
@@ -0,0 +1,20 @@
+#! /bin/sh
+set -euf
+
+host=$1
+attr=$2
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+nix-instantiate \
+ -I "$nixpkgs" \
+ -I nixos-config="$nixos_config" \
+ -I retiolum-hosts="$retiolum_hosts" \
+ -I secrets="$secrets_nix" \
+ -A config."$attr" \
+ '<nixos>' \
+ --eval \
+ --json \
+ | jq -r .
diff --git a/next/profile b/next/profile
new file mode 100755
index 0000000..138c271
--- /dev/null
+++ b/next/profile
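Review bot: The values obtained from `query` are interpolated unquoted and unchecked into the remote script inside the heredoc (the two `chown` lines), and as far as the `query` hunk shows its output can be empty with exit status 0 when `nix-instantiate` fails, because the pipeline ends in `jq -r .` under a plain `sh` with no pipefail; with an empty `$retiolum_uid` the remote line becomes `chown -v :0 <file>`, a group-only chown that succeeds and silently leaves the key owned by root. Guard the inputs right after they are read, `: "${retiolum_secret:?}" "${retiolum_uid:?}" "${ejabberd_uid:?}"`, and quote them in the heredoc, e.g. `! test -f '$retiolum_secret' || chown -v '$retiolum_uid:0' '$retiolum_secret'`. The `query $host …` calls should also quote `"$host"` like the rest of the script does. Unlike `next/bin/deploy`, the `ssh "$target" -T` call here does not pass `${NIX_SSHOPTS-}`, so any custom ssh options apply to the switch but not to the secrets upload.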
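Review bot: `${NIX_SSHOPTS-}` on the last line is left unquoted on purpose, so that a value holding several options splits into separate ssh arguments, but nothing says so and a reader applying the usual quote-everything rule would break it; a comment such as `# NIX_SSHOPTS is intentionally unquoted: it may carry several ssh options` (or a `# shellcheck disable=SC2086` with that reason) would preserve the intent. `nix-copy-closure` reads NIX_SSHOPTS itself, so the variable is honoured for the closure copy and for the switch, but not for the ssh inside `copy-secrets` as written.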
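Review bot: The exit status of `nix-instantiate` is lost in the pipeline on the last lines: under `#! /bin/sh` with `set -euf` there is no pipefail, and `jq -r .` exits 0 on empty input, so a failed evaluation makes `query` print nothing and return success, which callers such as `copy-secrets` then assign from `$(…)` without noticing. Capture the evaluation first and pipe it afterwards, `json=$(nix-instantiate … --eval --json)` followed by `printf '%s\n' "$json" | jq -r .`, so `set -e` stops the script when the evaluation fails. A header comment in the style of `next/bin/build`, e.g. `# query : hostname -> attrpath -> value`, would also bring this script in line with its sibling.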
@@ -0,0 +1,11 @@
+#! /bin/sh
+export PATH=$HOME/src/config/next/bin:$PATH
+export nixpkgs=/var/nixpkgs
+export config_root=$HOME/src/config
+export retiolum_hosts=$HOME/src/config/hosts
+export secrets_root=$HOME/src/config/secrets
+
+export PS1='\[\e[1;35m\]config>\[\e[m\] '
+
+cd /var/empty
+exec /bin/sh
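Review bot: `$HOME/src/config` is spelled out four times in the export lines although `config_root` is exported as exactly that path; moving the `config_root` export first and deriving the rest from it, `export PATH=$config_root/next/bin:$PATH` and likewise `retiolum_hosts=$config_root/hosts` and `secrets_root=$config_root/secrets`, keeps the tree location in one place. The `PS1` value uses bash prompt escapes (`\[`, `\e`) while the file execs `/bin/sh`; if `/bin/sh` is not bash on the machines this runs on, the prompt will be shown literally, so either exec `bash` explicitly or note the assumption in a comment.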