-rw-r--r--1systems/tv/cd.nix17
-rw-r--r--1systems/tv/mkdir.nix7
-rw-r--r--1systems/tv/nomic.nix8
-rw-r--r--1systems/tv/rmdir.nix7
-rw-r--r--1systems/tv/wu.nix12
-rw-r--r--2configs/tv/consul-server.nix1
-rw-r--r--2configs/tv/exim-retiolum.nix4
-rw-r--r--2configs/tv/git.nix (renamed from 2configs/tv/git-public.nix)43
-rw-r--r--2configs/tv/identity.nix3
-rw-r--r--3modules/krebs/default.nix43
-rw-r--r--3modules/krebs/git.nix11
-rw-r--r--3modules/krebs/retiolum.nix40
-rw-r--r--3modules/tv/consul.nix1
-rw-r--r--3modules/tv/default.nix10
-rw-r--r--3modules/tv/retiolum.nix29
-rw-r--r--4lib/krebs/default.nix10
-rw-r--r--4lib/krebs/types.nix20
-rw-r--r--4lib/tv/default.nix7
-rw-r--r--Makefile27
19 files changed, 162 insertions, 138 deletions
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix
index 463d643..d30e7ed 100644
--- a/1systems/tv/cd.nix
+++ b/1systems/tv/cd.nix
@@ -13,7 +13,7 @@ in
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/charybdis.nix ];
tv.charybdis = {
@@ -22,14 +22,12 @@ in
};
}
{
- imports = [ ../../3modules/tv/ejabberd.nix ];
tv.ejabberd = {
enable = true;
hosts = [ "jabber.viljetic.de" ];
};
}
{
- imports = [ ../../3modules/krebs/github-hosts-sync.nix ];
krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp =
singleton config.krebs.github-hosts-sync.port;
@@ -39,7 +37,6 @@ in
tv.identity.self = config.tv.identity.hosts.cd;
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -55,19 +52,11 @@ in
};
}
{
- imports = [
- ../../3modules/tv/iptables.nix
- ../../3modules/krebs/nginx.nix
- ];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
}
{
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- imports = [
- ../../3modules/tv/iptables.nix
- ../../3modules/krebs/nginx.nix
- ];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
@@ -86,10 +75,8 @@ in
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"fastpoke"
"pigstarter"
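Review bot: The per-host `imports = [ ../../3modules/... ]` lines removed in this hunk and the earlier ones (and likewise in mkdir.nix, nomic.nix, rmdir.nix, wu.nix, 2configs/tv/consul-server.nix and 2configs/tv/identity.nix) are only replaced by the new aggregators 3modules/krebs/default.nix and 3modules/tv/default.nix, and nothing in this commit imports those two files; presumably the `<stockholm>` entry point the Makefile now builds does so, but that file is not part of the diff. If it does not, every `tv.*` and `krebs.*` value set in these system files becomes an undefined option at evaluation time. A comment at the top of the `imports` list, e.g. `# option declarations come from 3modules/{krebs,tv}/default.nix via the <stockholm> entry point`, would record where the declarations now live. The `imports` list this hunk belongs to starts before the first hunk.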
diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix
index e0e057d..3e5fb72 100644
--- a/1systems/tv/mkdir.nix
+++ b/1systems/tv/mkdir.nix
@@ -9,13 +9,12 @@ with lib;
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.mkdir;
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -29,10 +28,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"cd"
"fastpoke"
diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix
index 8e6812e..2d32d9e 100644
--- a/1systems/tv/nomic.nix
+++ b/1systems/tv/nomic.nix
@@ -8,13 +8,12 @@ with lib;
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.nomic;
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -26,7 +25,6 @@ with lib;
};
}
{
- imports = [ ../../3modules/krebs/nginx.nix ];
krebs.nginx = {
enable = true;
servers.default.locations = [
@@ -37,10 +35,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix
index b77a1c3..c470086 100644
--- a/1systems/tv/rmdir.nix
+++ b/1systems/tv/rmdir.nix
@@ -9,13 +9,12 @@ with lib;
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.rmdir;
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -29,10 +28,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"cd"
"mkdir"
diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix
index 1d7bbe5..234b805 100644
--- a/1systems/tv/wu.nix
+++ b/1systems/tv/wu.nix
@@ -12,8 +12,7 @@ in
../../2configs/tv/base.nix
../../2configs/tv/consul-client.nix
../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
- # TODO git-private.nix
+ ../../2configs/tv/git.nix
../../2configs/tv/mail-client.nix
../../2configs/tv/xserver.nix
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
@@ -24,7 +23,7 @@ in
{
environment.systemPackages = with pkgs; [
- # shitment
+ # stockholm
git
gnumake
parallel
@@ -122,7 +121,6 @@ in
];
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -134,7 +132,6 @@ in
};
}
{
- imports = [ ../../3modules/krebs/nginx.nix ];
krebs.nginx = {
enable = true;
servers.default.locations = [
@@ -145,10 +142,8 @@ in
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
@@ -156,7 +151,6 @@ in
};
}
{
- imports = [ ../../3modules/krebs/urlwatch.nix ];
krebs.urlwatch = {
enable = true;
mailto = "tv@wu.retiolum"; # TODO
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
index 1c8dcb8..5d3fd55 100644
--- a/2configs/tv/consul-server.nix
+++ b/2configs/tv/consul-server.nix
@@ -1,7 +1,6 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec {
enable = true;
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
index efab5cf..851a0c6 100644
--- a/2configs/tv/exim-retiolum.nix
+++ b/2configs/tv/exim-retiolum.nix
@@ -4,9 +4,9 @@
services.exim =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
- assert config.tv.retiolum.enable;
+ assert config.krebs.retiolum.enable;
let
- # TODO get the hostname from config.tv.retiolum.
+ # TODO get the hostname from config.krebs.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum";
in
{ enable = true;
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix
index 7f2b513..b7f9983 100644
--- a/2configs/tv/git-public.nix
+++ b/2configs/tv/git.nix
@@ -1,18 +1,22 @@
{ config, lib, pkgs, ... }:
+
with import ../../4lib/tv { inherit lib pkgs; };
let
out = {
- imports = [ ../../3modules/krebs/git.nix ];
krebs.git = {
enable = true;
root-title = "public repositories at ${config.tv.identity.self.name}";
root-desc = "keep calm and engage";
- inherit repos rules users;
+ inherit repos rules;
};
};
- repos = public-repos;
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+ public-repos //
+ optionalAttrs config.tv.identity.self.secure restricted-repos
+ );
+
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
@@ -37,13 +41,14 @@ let
xintmap = {};
};
- # TODO move users to separate module
- users = mapAttrs make-user {
- tv = ../../Zpubkeys/tv_wu.ssh.pub;
- lass = ../../Zpubkeys/lass.ssh.pub;
- uriel = ../../Zpubkeys/uriel.ssh.pub;
- makefu = ../../Zpubkeys/makefu.ssh.pub;
- };
+ restricted-repos = mapAttrs make-restricted-repo (
+ {
+ brain = {
+ collaborators = with config.krebs.users; [ lass makefu ];
+ };
+ } //
+ import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+ );
make-public-repo = name: { desc ? null, ... }: {
inherit name desc;
@@ -58,8 +63,14 @@ let
};
};
+ make-restricted-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = false;
+ hooks = {}; # TODO default
+ };
+
make-rules =
- with git // users;
+ with git // config.krebs.users;
repo:
singleton {
user = tv;
@@ -70,11 +81,11 @@ let
user = [ lass makefu uriel ];
repo = [ repo ];
perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
};
- make-user = name: pubkey-file: {
- inherit name;
- pubkey = readFile pubkey-file;
- };
-
in out
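Review bot: The collaborator rule appended at the end of `make-rules` can never fire: the new `repos` definition strips the attribute with `removeAttrs s ["collaborators"]`, and the unchanged `rules = concatMap make-rules (attrValues repos);` feeds those stripped sets to `make-rules`, so `repo.collaborators or []` is always `[]`. Keep the unstripped set under its own name and derive the rules from it: `all-repos = public-repos // optionalAttrs config.tv.identity.self.secure restricted-repos;`, `repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;`, `rules = concatMap make-rules (attrValues all-repos);`. Separately, the rule granting `perm = fetch` to `[ lass makefu uriel ]` just above the new `++` appears to be emitted for every repo, including the `public = false` ones, unless the line preceding the hunk gates it on `repo.public`; if it is unconditional, `public = false` only affects listing and the `brain` collaborator rule is redundant. Whether `/root/src/secrets/repos.nix` is present on every host that sets `secure = true` is not visible here and deserves a comment next to the `import`.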
diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix
index 44208c9..379d02e 100644
--- a/2configs/tv/identity.nix
+++ b/2configs/tv/identity.nix
@@ -1,7 +1,6 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/identity.nix ];
tv.identity = {
enable = true;
search = "retiolum";
@@ -99,6 +98,7 @@
'';
};
};
+ secure = true;
};
rmdir = {
cores = 1;
@@ -154,6 +154,7 @@
'';
};
};
+ secure = true;
};
};
};
diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix
new file mode 100644
index 0000000..b8722d1
--- /dev/null
+++ b/3modules/krebs/default.nix
@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+
+with import ../../4lib/krebs { inherit lib; };
+let
+ cfg = config.krebs;
+
+ out = {
+ imports = [
+ ./github-hosts-sync.nix
+ ./git.nix
+ ./nginx.nix
+ ./retiolum.nix
+ ./urlwatch.nix
+ ];
+ options.krebs = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ users = mkOption {
+ type = with types; attrsOf user;
+ default = addNames {
+ lass = {
+ pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
+ };
+ makefu = {
+ pubkey = readFile ../../Zpubkeys/makefu.ssh.pub;
+ };
+ tv = {
+ pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub;
+ };
+ uriel = {
+ pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
+ };
+ };
+ };
+ };
+
+ imp = {
+ };
+
+in
+out
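Review bot: `config = mkIf cfg.enable imp;` reads `config.krebs.enable`, but `api` declares only `users`, and no `krebs.enable` option appears anywhere in this diff; with `imp = {}` the module system never forces the condition, so this evaluates today but will fail with an undefined-option error as soon as anything is added to `imp` (unless one of the imported modules declares `krebs.enable`, which I cannot see). Either add `enable = mkEnableOption "krebs";` to `api` or write `config = imp;` and leave the enable switches to the submodules. A header comment noting that `krebs.users` is now the single source of identities for the `git` user's authorized keys (3modules/krebs/git.nix reads it directly) would make the blast radius of editing this default visible.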
diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix
index 2d747cc..499d330 100644
--- a/3modules/krebs/git.nix
+++ b/3modules/krebs/git.nix
@@ -6,8 +6,7 @@
# TODO when authorized_keys changes, then restart ssh
# (or kill already connected users somehow)
-with builtins;
-with lib;
+with import ../../4lib/krebs { inherit lib; };
let
cfg = config.krebs.git;
@@ -127,9 +126,6 @@ let
rules = mkOption {
type = types.unspecified;
};
- users = mkOption {
- type = types.unspecified;
- };
};
git-imp = {
@@ -157,7 +153,8 @@ let
name = "git";
shell = "/bin/sh";
openssh.authorizedKeys.keys =
- mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users;
+ mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
+ config.krebs.users;
uid = 129318403; # genid git
};
};
@@ -263,7 +260,7 @@ let
isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
- makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }:
+ makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:
# TODO assert name
# TODO assert pubkey
let
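Review bot: After the `openssh.authorizedKeys.keys` change, every entry of `config.krebs.users` (by default all four users from 3modules/krebs/default.nix) gets an authorized_keys line for the `git` user on every host that enables `krebs.git`, whereas before the set was supplied per configuration through the removed `cfg.users` option. If not every host should accept every krebs user, keep a filterable option instead of deleting it, e.g. `users = mkOption { type = with types; attrsOf user; default = config.krebs.users; };` and pass `cfg.users` as before. The `# TODO assert name` / `# TODO assert pubkey` placeholders on `makeAuthorizedKey` are the natural place for that validation now that the pattern ends in `...` and accepts any extra attributes without comment.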
diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix
index 5c26dff..481d656 100644
--- a/3modules/krebs/retiolum.nix
+++ b/3modules/krebs/retiolum.nix
@@ -57,9 +57,9 @@ let
};
hosts = mkOption {
- default = null;
+ type = with types; either package path;
+ default = ../../Zhosts;
description = ''
- Hosts package or path to use.
If a path is given, then it will be used to generate an ad-hoc package.
'';
};
@@ -131,24 +131,20 @@ let
};
tinc = cfg.tincPackage;
- hostsType = builtins.typeOf cfg.hosts;
- hosts =
- if hostsType == "package" then
- # use package as is
- cfg.hosts
- else if hostsType == "path" then
- # use path to generate a package
- pkgs.stdenv.mkDerivation {
- name = "custom-retiolum-hosts";
- src = cfg.hosts;
- installPhase = ''
- mkdir $out
- find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
- '';
- }
- else
- abort "The option `services.retiolum.hosts' must be set to a package or a path"
- ;
+
+ hosts = getAttr (typeOf cfg.hosts) {
+ package = cfg.hosts;
+ path = pkgs.stdenv.mkDerivation {
+ name = "custom-retiolum-hosts";
+ src = cfg.hosts;
+ installPhase = ''
+ mkdir $out
+ find . -name .git -prune -o -type f -print0 \
+ | xargs -0 cp --target-directory $out
+ '';
+ };
+ };
+
iproute = cfg.iproutePackage;
retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
@@ -226,5 +222,5 @@ let
chmod +x $out/tinc-up
'';
-in
-out
+
+in out
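Review bot: `hosts = getAttr (typeOf cfg.hosts) { package = …; path = …; }` in the second hunk can never select the `package` branch: `builtins.typeOf` returns `"set"` for a derivation (and `"string"` for a store-path string, which `types.path` also accepts), so a package value now fails with a missing-attribute error where the old code at least reached the explicit `abort`. Dispatch on the value's shape instead, e.g. `hosts = if isDerivation cfg.hosts then cfg.hosts else pkgs.stdenv.mkDerivation { … };` with the existing derivation body unchanged (`isDerivation` comes from lib; the file header that brings lib into scope is outside the hunk). The option description in the first hunk could then state the contract precisely: `Hosts package (a derivation) or a path to a directory of host files; a path is copied into an ad-hoc package.`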
diff --git a/3modules/tv/consul.nix b/3modules/tv/consul.nix
index 312faa0..4e54c2a 100644
--- a/3modules/tv/consul.nix
+++ b/3modules/tv/consul.nix
@@ -10,7 +10,6 @@ let
cfg = config.tv.consul;
out = {
- imports = [ ../../3modules/tv/iptables.nix ];
options.tv.consul = api;
config = mkIf cfg.enable (mkMerge [
imp
diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix
new file mode 100644
index 0000000..e267d0b
--- /dev/null
+++ b/3modules/tv/default.nix
@@ -0,0 +1,10 @@
+_:
+
+{
+ imports = [
+ ./consul.nix
+ ./ejabberd.nix
+ ./identity.nix
+ ./iptables.nix
+ ];
+}
diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix
deleted file mode 100644
index d003774..0000000
--- a/3modules/tv/retiolum.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-let
- cfg = config.tv.retiolum;
-
- out = {
- imports = [ ../../3modules/krebs/retiolum.nix ];
- options.tv.retiolum = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "tv.retiolum";
-
- connectTo = mkOption {
- type = with types; listOf str;
- };
-
- hosts = mkOption {
- type = types.path;
- };
- };
-
- imp = {
- krebs.retiolum = cfg;
- };
-
-in out
diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix
index 38c2a97..0c59076 100644
--- a/4lib/krebs/default.nix
+++ b/4lib/krebs/default.nix
@@ -1,6 +1,14 @@
{ lib, ... }:
-builtins // lib // {
+with builtins;
+with lib;
+
+builtins // lib // rec {
+
+ addName = name: set:
+ set // { inherit name; };
+
+ addNames = mapAttrs addName;
types = import ./types.nix { inherit lib; };
diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix
index 38ed8a9..ca92c69 100644
--- a/4lib/krebs/types.nix
+++ b/4lib/krebs/types.nix
@@ -20,6 +20,15 @@ types // rec {
type = attrsOf net;
apply = x: assert hasAttr "retiolum" x; x;
};
+ secure = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ If true, then the host is capable of keeping secret information.
+
+ TODO define minimum requirements for secure hosts
+ '';
+ };
};
};
@@ -72,6 +81,17 @@ types // rec {
merge = mergeOneOption;
};
+ user = submodule {
+ options = {
+ name = mkOption {
+ type = str; # TODO
+ };
+ pubkey = mkOption {
+ type = str;
+ };
+ };
+ };
+
# TODO
addr = str;
addr4 = str;
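Review bot: `pubkey = mkOption { type = str; };` in the new `user` submodule accepts any string, and 3modules/krebs/git.nix writes the value into the `git` user's authorized_keys through `makeAuthorizedKey`, so a value containing an embedded newline would yield an additional authorized_keys entry. A narrower type built with `addCheck str` that rejects embedded newlines (a single trailing one from `readFile` aside) turns that into an evaluation error; the `# TODO` on `name` could get the same treatment. The `secure` option's description should at least say what currently depends on it, e.g. `Gates whether restricted repositories (2configs/tv/git.nix) are configured on this host.`, until the minimum requirements are defined.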
diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix
index 267a858..16888c2 100644
--- a/4lib/tv/default.nix
+++ b/4lib/tv/default.nix
@@ -15,16 +15,9 @@ krebs // rec {
inherit pkgs;
};
- addName = name: set:
- set // { inherit name; };
-
- addNames = mapAttrs addName;
-
-
# "7.4.335" -> "74"
majmin = with lib; x : concatStrings (take 2 (splitString "." x));
-
concat = xs :
if xs == []
then ""
diff --git a/Makefile b/Makefile
index da23467..6d075e6 100644
--- a/Makefile
+++ b/Makefile
@@ -41,13 +41,14 @@ deploy:;@
"$$src/" "$$deploy_host:$$dst"
)}
- prepush /root/src/shitment "$$PWD"
+ prepush /root/src/stockholm "$$PWD"
prepush /root/src/secrets "$$secrets_dir"
ssh -S none "$$deploy_host" -T env \
nixpkgs_url="$$nixpkgs_url" \
nixpkgs_rev="$$nixpkgs_rev" \
system_name="$$system_name" \
+ user_name="$$LOGNAME" \
sh -euf \
<<-\EOF
prefetch(){(
@@ -77,26 +78,30 @@ deploy:;@
prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
echo build system...
- NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \
- NIX_PATH=src \
- nix-build -Q -A system '<nixpkgs/nixos>'
+ NIX_PATH=/root/src \
+ nix-build \
+ -Q \
+ -A system \
+ '<stockholm>' \
+ --argstr user-name "$$user_name" \
+ --argstr system-name "$$system_name"
result/bin/switch-to-configuration switch
EOF
.PHONY: eval
eval:
- @nix-instantiate \
+ @
+ NIX_PATH=stockholm=$$PWD:$$NIX_PATH \
+ nix-instantiate \
--json \
--eval \
--strict \
-A "$$get" \
- -E '
- import <nixpkgs/nixos/lib/eval-config.nix> {
- system = builtins.currentSystem;
- modules = [ ./1systems/$(LOGNAME)/$(system).nix ];
- }
- ' | jq -r .
+ '<stockholm>' \
+ --argstr user-name "$$LOGNAME" \
+ --argstr system-name "$$system" \
+ | jq -r .
else
$(error unbound variable: system[s])
endif
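Review bot: `user_name="$$LOGNAME"` in the deploy recipe (and `--argstr user-name "$$LOGNAME"` in `eval`) relies on `LOGNAME` being set by the invoking shell, which is not guaranteed in non-login or cron environments, in which case the remote `'<stockholm>'` build is asked for an empty user name and the error surfaces only on the deploy host. `user_name="$${LOGNAME:-$$(id -un)}"` preserves the current behaviour whenever the variable is set. The `deploy` recipe starts above the first hunk.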