-rw-r--r--old/Makefile48
-rw-r--r--old/README.md32
-rwxr-xr-xold/bin/copy-secrets69
-rwxr-xr-xold/bin/genid11
-rwxr-xr-xold/bin/netmask-to-prefix12
-rwxr-xr-xold/bin/nixos-query4
-rwxr-xr-xold/bin/urlencode35
-rwxr-xr-xold/cac337
-rw-r--r--old/certs/zalora-ca.crt24
-rw-r--r--old/default.nix151
-rwxr-xr-xold/deploy15
-rwxr-xr-xold/infest-cac-CentOS-7-64bit.sh51
-rw-r--r--old/infest.d/cac-CentOS-7-64bit/finalize.sh66
-rw-r--r--old/infest.d/cac-CentOS-7-64bit/prepare.sh104
-rw-r--r--old/infest.d/nixos-install.sh8
-rw-r--r--old/lib/default.nix62
-rw-r--r--old/lib/git.nix181
-rw-r--r--old/lib/modules.nix21
-rw-r--r--old/modules/cd/default.nix91
-rw-r--r--old/modules/cd/networking.nix14
-rw-r--r--old/modules/cd/paths.nix12
-rw-r--r--old/modules/cd/users.nix53
-rw-r--r--old/modules/cloudkrebs/default.nix69
-rw-r--r--old/modules/cloudkrebs/networking.nix14
-rw-r--r--old/modules/common/krebs-keys.nix18
-rw-r--r--old/modules/common/krebs-repos.nix36
-rw-r--r--old/modules/common/nixpkgs.nix25
-rw-r--r--old/modules/common/sshkeys.nix26
-rw-r--r--old/modules/lass/base.nix110
-rw-r--r--old/modules/lass/binary-caches.nix13
-rw-r--r--old/modules/lass/bird.nix13
-rw-r--r--old/modules/lass/bitcoin.nix17
-rw-r--r--old/modules/lass/browsers.nix67
-rw-r--r--old/modules/lass/chromium-patched.nix48
-rw-r--r--old/modules/lass/desktop-base.nix37
-rw-r--r--old/modules/lass/elster.nix20
-rw-r--r--old/modules/lass/games.nix25
-rw-r--r--old/modules/lass/gitolite-base.nix173
-rw-r--r--old/modules/lass/ircd.nix83
-rw-r--r--old/modules/lass/pass.nix10
-rw-r--r--old/modules/lass/programs.nix24
-rw-r--r--old/modules/lass/retiolum-cloudkrebs.nix21
-rw-r--r--old/modules/lass/retiolum-mors.nix21
-rw-r--r--old/modules/lass/retiolum-uriel.nix21
-rw-r--r--old/modules/lass/sshkeys.nix11
-rw-r--r--old/modules/lass/steam.nix29
-rw-r--r--old/modules/lass/texlive.nix7
-rw-r--r--old/modules/lass/urxvt.nix40
-rw-r--r--old/modules/lass/urxvtd.nix55
-rw-r--r--old/modules/lass/vim.nix116
-rw-r--r--old/modules/lass/virtualbox.nix22
-rw-r--r--old/modules/lass/wine.nix23
-rw-r--r--old/modules/lass/xresources.nix57
-rw-r--r--old/modules/lass/xserver-lass.nix43
-rw-r--r--old/modules/mkdir/default.nix86
-rw-r--r--old/modules/mkdir/networking.nix14
-rw-r--r--old/modules/mkdir/paths.nix12
-rw-r--r--old/modules/mkdir/users.nix19
-rw-r--r--old/modules/mors/default.nix283
-rw-r--r--old/modules/mors/git.nix71
-rw-r--r--old/modules/mors/repos.nix78
-rw-r--r--old/modules/mu/default.nix466
-rw-r--r--old/modules/mu/paths.nix12
-rw-r--r--old/modules/nomic/default.nix105
-rw-r--r--old/modules/nomic/hardware-configuration.nix49
-rw-r--r--old/modules/nomic/paths.nix12
-rw-r--r--old/modules/nomic/users.nix42
-rw-r--r--old/modules/rmdir/default.nix87
-rw-r--r--old/modules/rmdir/networking.nix15
-rw-r--r--old/modules/rmdir/paths.nix12
-rw-r--r--old/modules/rmdir/users.nix19
-rw-r--r--old/modules/tv/base-cac-CentOS-7-64bit.nix27
-rw-r--r--old/modules/tv/base.nix16
-rw-r--r--old/modules/tv/config/consul-client.nix9
-rw-r--r--old/modules/tv/config/consul-server.nix22
-rw-r--r--old/modules/tv/consul/default.nix121
-rw-r--r--old/modules/tv/ejabberd.nix867
-rw-r--r--old/modules/tv/environment.nix93
-rw-r--r--old/modules/tv/exim-retiolum.nix126
-rw-r--r--old/modules/tv/exim-smarthost.nix474
-rw-r--r--old/modules/tv/git/cgit.nix93
-rw-r--r--old/modules/tv/git/config.nix272
-rw-r--r--old/modules/tv/git/default.nix27
-rw-r--r--old/modules/tv/git/options.nix93
-rw-r--r--old/modules/tv/git/public.nix82
-rw-r--r--old/modules/tv/identity/default.nix71
-rw-r--r--old/modules/tv/iptables/config.nix93
-rw-r--r--old/modules/tv/iptables/default.nix11
-rw-r--r--old/modules/tv/iptables/options.nix29
-rw-r--r--old/modules/tv/nginx/config.nix49
-rw-r--r--old/modules/tv/nginx/default.nix11
-rw-r--r--old/modules/tv/nginx/options.nix21
-rw-r--r--old/modules/tv/retiolum/config.nix130
-rw-r--r--old/modules/tv/retiolum/default.nix11
-rw-r--r--old/modules/tv/retiolum/options.nix87
-rw-r--r--old/modules/tv/sanitize.nix12
-rw-r--r--old/modules/tv/smartd.nix17
-rw-r--r--old/modules/tv/synaptics.nix14
-rw-r--r--old/modules/tv/urlwatch/default.nix158
-rw-r--r--old/modules/tv/urxvt.nix24
-rw-r--r--old/modules/tv/users/default.nix67
-rw-r--r--old/modules/tv/xserver.nix40
-rw-r--r--old/modules/uriel/default.nix184
-rw-r--r--old/modules/uriel/repos.nix78
-rw-r--r--old/modules/wu/default.nix464
-rw-r--r--old/modules/wu/hosts.nix22
-rw-r--r--old/modules/wu/paths.nix12
-rw-r--r--old/modules/wu/users.nix227
-rw-r--r--old/pubkeys/deploy_wu.ssh.pub1
-rw-r--r--old/pubkeys/lass.ssh.pub1
-rw-r--r--old/pubkeys/makefu.ssh.pub1
-rw-r--r--old/pubkeys/mv_vod.ssh.pub1
-rw-r--r--old/pubkeys/tv_wu.ssh.pub1
-rw-r--r--old/pubkeys/uriel.ssh.pub1
114 files changed, 8237 insertions, 0 deletions
diff --git a/old/Makefile b/old/Makefile
new file mode 100644
index 0000000..bef7727
--- /dev/null
+++ b/old/Makefile
@@ -0,0 +1,48 @@
+all:;@exit 23
+
+tv-cluster := cd mkdir nomic rmdir wu
+deploy-cd:; ./deploy cd
+deploy-mkdir:; ./deploy mkdir
+deploy-nomic:; ./deploy nomic root@nomic-local
+deploy-rmdir:; ./deploy rmdir
+deploy-wu:; ./deploy wu root@localhost
+
+ifndef cluster
+cluster := $(LOGNAME)
+endif
+hosts := $($(cluster)-cluster)
+ifeq ($(hosts),)
+$(error bad cluster: $(cluster))
+else
+.ONESHELL:
+
+.PHONY: deploy $(addprefix deploy-,$(hosts))
+deploy:
+ exec parallel \
+ -j 0 \
+ --no-notice \
+ --rpl '{u} s/^.* deploy-(.*)/\1/' \
+ --tagstring '{u}' \
+ --line-buffer \
+ $(MAKE) deploy-{} ::: $(hosts)
+
+.PHONY: rotate-consul-encrypt
+rotate-consul-encrypt:
+ umask 0377
+ mkencrypt() { dd status=none if=/dev/random bs=1 count=16 | base64; }
+ json=$$(printf '{"encrypt":"%s"}\n' $$(mkencrypt))
+ cmd='
+ f=secrets/{}/rsync/etc/consul/encrypt.json
+ rm -f "$$f"
+ echo "$$json" > "$$f"
+ '
+ export json
+ exec parallel \
+ -j 0 \
+ --no-notice \
+ --rpl '{u} s/^.* deploy-(.*)/\1/' \
+ --tagstring '{u}' \
+ --line-buffer \
+ --quote \
+ sh -eufc "$$cmd" ::: $(hosts)
+endif
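Review bot: The `rotate-consul-encrypt` recipe can write an empty or truncated key to every host's `encrypt.json` without failing. Under `.ONESHELL` the recipe is one shell script, and unless `.SHELLFLAGS` adds `-e` somewhere outside this file, an error on an early line does not stop it; the status of `dd … | base64` is also that of `base64`, so a failed read from `/dev/random` still yields `{"encrypt":""}`. I would start the recipe with `set -euf` and split the key out so it can be checked, `key=$$(mkencrypt); test $${#key} -eq 24`, before building `json` from `$$key`. `export json` also places the key in the environment of `parallel` and each child shell, which is worth a comment stating that it is intentional.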
diff --git a/old/README.md b/old/README.md
new file mode 100644
index 0000000..8a72d2f
--- /dev/null
+++ b/old/README.md
@@ -0,0 +1,32 @@
+
+
+# Turn a Cloud at Cost CentOS-7-64bit server into NixOS
+
+1. Configure the system (`$systemname`) you'd like to install (see Configuration below).
+2. Create new server instance (either Custom or cloudpro) using "CentOS-7-64bit".
+ Note the servername (something like c731445864-cloudpro-388922936).
+3. `cac_login=xxx cac_key=yyy ./infest-cac-CentOS-7-64bit.sh servername:$servername $systename`
+4. Enjoy. (`ssh root@$systename`)
+
+# Configuration
+
+Configure your system in modules/$systemname
+See modules/cd/default.nix as an example.
+
+Notice that modules/$systemname/networking will be autogenerated (but not committed).
+
+secrets/$systemname/nix/foo can be accessed as `<secrets/foo>` from within the configuration.
+
+You might want `secrets/$systemname/rsync/etc/tinc/retiolum/rsa_key.priv`.
+
+You might want `secrets/$systemname/nix/hashedPasswords.nix`, which looks like
+
+```nix
+_: { users.extraUsers.root.hashedPassword = "XXX"; }
+```
+
+`XXX` can be generated with e.g.
+
+```
+mkpasswd -m sha-512 -S $(openssl rand -base64 16 | tr -d '+=' | head -c 16)
+```
diff --git a/old/bin/copy-secrets b/old/bin/copy-secrets
new file mode 100755
index 0000000..f404935
--- /dev/null
+++ b/old/bin/copy-secrets
@@ -0,0 +1,69 @@
+#! /bin/sh
+#
+# copy-secrets system_name target
+#
+set -euf
+
+system_name=$1
+target=$2
+
+nixos_config=$config_root/modules/$system_name
+secrets_nix=$secrets_root/$system_name/nix
+secrets_rsync=$secrets_root/$system_name/rsync
+
+if ! test -e "$secrets_rsync"; then
+ exit # nothing to do
+fi
+
+# XXX this is ugly
+# Notice NIX_PATH used from host
+# Notice secrets required to evaluate configuration
+NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name
+NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix
+export NIX_PATH
+
+case $(nixos-query tv.retiolum.enable 2>/dev/null) in true)
+ retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile)
+ retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid)
+esac
+
+case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in true)
+ ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile)
+ ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid)
+esac
+
+case $(nixos-query tv.consul.enable 2>/dev/null) in true)
+ consul_secret=$(nixos-query tv.consul.encrypt-file)
+ consul_uid=$(nixos-query users.extraUsers.consul.uid)
+esac
+
+(set -x
+ rsync \
+ --rsync-path="mkdir -p \"$2\" && rsync" \
+ -vzrlptD \
+ "$secrets_rsync/" \
+ "$target:/")
+
+ssh "$target" -T <<EOF
+set -euf
+
+retiolum_secret=${retiolum_secret-}
+retiolum_uid=${retiolum_uid-}
+ejabberd_secret=${ejabberd_secret-}
+ejabberd_uid=${ejabberd_uid-}
+consul_secret=${consul_secret-}
+consul_uid=${consul_uid-}
+
+if test -n "\$retiolum_secret"; then
+ chown -v "\$retiolum_uid:0" "\$retiolum_secret"
+fi
+
+if test -n "\$ejabberd_secret"; then
+ chown -v "\$ejabberd_uid:0" "\$ejabberd_secret"
+fi
+
+if test -n "\$consul_secret"; then
+ chown -v "\$consul_uid:0" "\$consul_secret"
+fi
+
+EOF
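Review bot: The heredoc passed to `ssh "$target" -T` is unquoted, so `retiolum_secret=${retiolum_secret-}` and the five assignments after it are expanded locally and reach the remote shell as bare words; a path or uid from `nixos-query` containing whitespace or shell metacharacters would be split or interpreted on the target, where the script presumably runs as root. Quoting the expansion inside the heredoc, e.g. `retiolum_secret='${retiolum_secret-}'`, covers everything except an embedded single quote, which could be rejected before the `ssh` call. Separately, `--rsync-path="mkdir -p \"$2\" && rsync"` uses `$2`, which is the ssh target rather than a path, so it looks like it creates a directory named after the target in the remote login directory; confirm whether that is intended. `$config_root` and `$secrets_root` are read under `set -u` but not set in this script, so a header comment naming them as required environment would help.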
diff --git a/old/bin/genid b/old/bin/genid
new file mode 100755
index 0000000..8e22407
--- /dev/null
+++ b/old/bin/genid
@@ -0,0 +1,11 @@
+#! /bin/sh
+# usage: genid NAME
+set -euf
+name=$1
+hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F)
+echo "