diff options
| -rw-r--r-- | Makefile | 7 | ||||
| -rw-r--r-- | shared/1systems/test-all-krebs-modules.nix | 45 | ||||
| -rw-r--r-- | shared/1systems/test-centos7.nix | 3 | ||||
| -rw-r--r-- | shared/1systems/test-failing.nix | 6 | ||||
| -rw-r--r-- | shared/1systems/test-minimal-deploy.nix | 13 | ||||
| -rw-r--r-- | shared/1systems/wolf.nix | 4 | ||||
| -rw-r--r-- | shared/2configs/base.nix | 10 | ||||
| -rw-r--r-- | shared/2configs/buildbot-standalone.nix | 154 | ||||
| -rw-r--r-- | shared/2configs/cac-ci.nix | 11 | ||||
| -rw-r--r-- | shared/2configs/temp/dirs.nix | 1 | ||||
| -rw-r--r-- | shared/2configs/temp/networking.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/cd.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/xu.nix | 1 | ||||
| -rw-r--r-- | tv/2configs/backup.nix | 268 | ||||
| -rw-r--r-- | tv/2configs/default.nix | 1 |
15 files changed, 263 insertions, 263 deletions
@@ -35,7 +35,7 @@ ifeq ($(filter),json) else filter() { cat; } endif - nix-instantiate \ + result=$$(nix-instantiate \ $${extraArgs-} \ --eval \ -A "$$get" \ @@ -45,8 +45,9 @@ endif --argstr current-host-name "$$HOSTNAME" \ --argstr current-user-name "$$LOGNAME" \ $${system+--argstr system "$$system"} \ - $${target+--argstr target "$$target"} \ - | filter + $${target+--argstr target "$$target"}) + echo "$$result" | filter + else $(error unbound variable: system[s]) endif diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix new file mode 100644 index 0000000..b98004d --- /dev/null +++ b/shared/1systems/test-all-krebs-modules.nix @@ -0,0 +1,45 @@ +{ config, pkgs, lib, ... }: +let + en = { enable = true;}; +in { + krebs = { + enable = true; + build.user = config.krebs.users.shared; + build.host = config.krebs.hosts.test-all-krebs-modules; + Reaktor.enable = true; + apt-cacher-ng.enable = true; + backup.enable = true; + bepasty.enable = true; + buildbot.master.enable = true; + buildbot.slave = { + enable = true; + username = "lol"; + password = "wut"; + }; + exim-retiolum.enable = true; + exim-smarthost = { + enable = true; + system-aliases = [ { from = "dick"; to = "butt"; } ]; + }; + go.enable = true; + iptables = { + enable = true; + tables = {}; + }; + nginx.enable = true; + realwallpaper.enable = true; + retiolum.enable = true; + retiolum-bootstrap.enable = true; + tinc_graphs.enable = true; + urlwatch.enable = true; + fetchWallpaper = { + enable = true; + url ="localhost"; + }; + }; + # just get the system running + boot.loader.grub.devices = ["/dev/sda"]; + fileSystems."/" = { + device = "/dev/lol"; + }; +} diff --git a/shared/1systems/test-centos7.nix b/shared/1systems/test-centos7.nix index 077a5d6..48cecc8 100644 --- a/shared/1systems/test-centos7.nix +++ b/shared/1systems/test-centos7.nix @@ -7,7 +7,8 @@ in { imports = [ ../2configs/base.nix ../2configs/os-templates/CAC-CentOS-7-64bit.nix - ../2configs/os-templates/temp-networking.nix + ../2configs/temp/networking.nix + ../2configs/temp/dirs.nix ]; sound.enable = false; diff --git a/shared/1systems/test-failing.nix b/shared/1systems/test-failing.nix new file mode 100644 index 0000000..81a9e48 --- /dev/null +++ b/shared/1systems/test-failing.nix @@ -0,0 +1,6 @@ +{ config, pkgs, ... }: + +{ + programs.ssh.startAgent = true; + programs.ssh.startAgent = false; +} diff --git a/shared/1systems/test-minimal-deploy.nix b/shared/1systems/test-minimal-deploy.nix new file mode 100644 index 0000000..ddd96f6 --- /dev/null +++ b/shared/1systems/test-minimal-deploy.nix @@ -0,0 +1,13 @@ +{ config, pkgs, lib, ... }: +{ + krebs = { + enable = true; + build.user = config.krebs.users.shared; + build.host = config.krebs.hosts.test-all-krebs-modules; + }; + # just get the system running + boot.loader.grub.devices = ["/dev/sda"]; + fileSystems."/" = { + device = "/dev/lol"; + }; +} diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index 2c51ac8..f05356f 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -11,7 +11,7 @@ in ../2configs/collectd-base.nix ../2configs/shack-nix-cacher.nix ../2configs/shack-drivedroid.nix - ../2configs/cac-ci.nix + ../2configs/buildbot-standalone.nix ../2configs/graphite.nix ]; # use your own binary cache, fallback use cache.nixos.org (which is used by @@ -33,8 +33,6 @@ in # uninteresting stuff ##################### krebs.build.host = config.krebs.hosts.wolf; - # TODO rename shared user to "krebs" - krebs.build.user = config.krebs.users.shared; krebs.build.target = "wolf"; boot.kernel.sysctl = { diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix index df41eae..4d509d7 100644 --- a/shared/2configs/base.nix +++ b/shared/2configs/base.nix @@ -13,18 +13,22 @@ with lib; ]; }; + # TODO rename shared user to "krebs" + krebs.build.user = mkDefault config.krebs.users.shared; krebs.build.source = { git.nixpkgs = { url = https://github.com/NixOS/nixpkgs; rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80"; + target-path = "/var/src/nixpkgs"; }; dir.secrets = { host = config.krebs.current.host; - path = "${getEnv "HOME"}/secrets/krebs/wolf"; + path = mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}"; }; dir.stockholm = { host = config.krebs.current.host; - path = "${getEnv "HOME"}/stockholm"; + path = mkDefault "${getEnv "HOME"}/stockholm"; + target-path = "/var/src/stockholm"; }; }; @@ -65,7 +69,7 @@ with lib; config.krebs.users.lass.pubkey config.krebs.users.makefu.pubkey # TODO HARDER: - (readFile ../../krebs/Zpubkeys/makefu_omo.ssh.pub) + config.krebs.users.makefu-omo.pubkey config.krebs.users.tv.pubkey ]; diff --git a/shared/2configs/buildbot-standalone.nix b/shared/2configs/buildbot-standalone.nix new file mode 100644 index 0000000..6ffd7fe --- /dev/null +++ b/shared/2configs/buildbot-standalone.nix @@ -0,0 +1,154 @@ +{ lib, config, pkgs, ... }: +let + pkgs-unst = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {}; +in { + nixpkgs.config.packageOverrides = pkgs: { + buildbot = pkgs-unst.buildbot; + buildbot-slave = pkgs-unst.buildbot-slave; + }; + networking.firewall.allowedTCPPorts = [ 8010 9989 ]; + krebs.buildbot.master = { + secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ]; + slaves = { + testslave = "krebspass"; + }; + change_source.stockholm = '' + stockholm_repo = 'http://cgit.gum/stockholm' + cs.append(changes.GitPoller( + stockholm_repo, + workdir='stockholm-poller', branch='master', + project='stockholm', + pollinterval=120)) + ''; + scheduler = { + force-scheduler = '' + sched.append(schedulers.ForceScheduler( + name="force", + builderNames=["full-tests"])) + ''; + fast-tests-scheduler = '' + # test the master real quick + sched.append(schedulers.SingleBranchScheduler( + change_filter=util.ChangeFilter(branch="master"), + name="fast-master-test", + builderNames=["fast-tests"])) + ''; + test-cac-infest-master = '' + # files everyone depends on or are part of the share branch + def shared_files(change): + r =re.compile("^((krebs|shared)/.*|Makefile|default.nix)") + for file in change.files: + if r.match(file): + return True + return False + + sched.append(schedulers.SingleBranchScheduler( + change_filter=util.ChangeFilter(branch="master"), + fileIsImportant=shared_files, + treeStableTimer=60*60, # master was stable for the last hour + name="full-master-test", + builderNames=["full-tests"])) + ''; + }; + builder_pre = '' + # prepare grab_repo step for stockholm + stockholm_repo = "http://cgit.gum.retiolum/stockholm" + grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental') + + env = {"LOGNAME": "shared", "NIX_REMOTE": "daemon"} + + # prepare nix-shell + # the dependencies which are used by the test script + deps = [ "gnumake", "jq","nix","rsync", + "(import <stockholm> {}).pkgs.test.infest-cac-centos7" ] + # TODO: --pure , prepare ENV in nix-shell command: + # SSL_CERT_FILE,LOGNAME,NIX_REMOTE + nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ] + + # prepare addShell function + def addShell(factory,**kwargs): + factory.addStep(steps.ShellCommand(**kwargs)) + ''; + builder = { + fast-tests = '' + f = util.BuildFactory() + f.addStep(grab_repo) + addShell(f,name="deploy-eval-centos7",env=env, + command=nixshell + ["make -s eval get=krebs.deploy filter=json system=test-centos7"]) + + addShell(f,name="deploy-eval-wolf",env=env, + command=nixshell + ["make -s eval get=krebs.deploy filter=json system=wolf"]) + + addShell(f,name="deploy-eval-cross-check",env=env, + command=nixshell + ["! make eval get=krebs.deploy filter=json system=test-failing"]) + + addShell(f,name="instantiate-test-all-modules",env=env, + command=nixshell + \ + ["touch retiolum.rsa_key.priv; \ + nix-instantiate --eval -A \ + users.shared.test-all-krebs-modules.system \ + -I stockholm=. \ + -I secrets=. '<stockholm>' \ + --argstr current-date lol \ + --argstr current-user-name shared \ + --argstr current-host-name lol \ + --strict --json"]) + + addShell(f,name="instantiate-test-minimal-deploy",env=env, + command=nixshell + \ + ["nix-instantiate --eval -A \ + users.shared.test-minimal-deploy.system \ + -I stockholm=. \ + -I secrets=. '<stockholm>' \ + --argstr current-date lol \ + --argstr current-user-name shared \ + --argstr current-host-name lol \ + --strict --json"]) + + bu.append(util.BuilderConfig(name="fast-tests", + slavenames=slavenames, + factory=f)) + ''; + slow-tests = '' + s = util.BuildFactory() + s.addStep(grab_repo) + + # slave needs 2 files: + # * cac.json + # * retiolum + s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/cac.json", slavedest="cac.json")) + s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/retiolum-ci.rsa_key.priv", slavedest="retiolum.rsa_key.priv")) + + addShell(s, name="infest-cac-centos7",env=env, + sigtermTime=60, # SIGTERM 1 minute before SIGKILL + timeout=7200, # 2h + command=nixshell + ["infest-cac-centos7"]) + + bu.append(util.BuilderConfig(name="full-tests", + slavenames=slavenames, + factory=s)) + ''; + }; + enable = true; + web = { + enable = true; + }; + irc = { + enable = true; + nick = "shared-buildbot"; + server = "cd.retiolum"; + channels = [ "retiolum" ]; + allowForce = true; + }; + }; + + krebs.buildbot.slave = { + enable = true; + masterhost = "localhost"; + username = "testslave"; + password = "krebspass"; + packages = with pkgs;[ git nix ]; + # all nix commands will need a working nixpkgs installation + extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; }; + }; +} diff --git a/shared/2configs/cac-ci.nix b/shared/2configs/cac-ci.nix deleted file mode 100644 index 06cce27..0000000 --- a/shared/2configs/cac-ci.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -{ - environment.systemPackages = with pkgs;[ - get - cac - cacpanel - jq - ]; -} diff --git a/shared/2configs/temp/dirs.nix b/shared/2configs/temp/dirs.nix new file mode 100644 index 0000000..958608a --- /dev/null +++ b/shared/2configs/temp/dirs.nix @@ -0,0 +1 @@ +_: { } diff --git a/shared/2configs/temp/networking.nix b/shared/2configs/temp/networking.nix new file mode 100644 index 0000000..958608a --- /dev/null +++ b/shared/2configs/temp/networking.nix @@ -0,0 +1 @@ +_: { } diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 7cb903a..8c2a9ae 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -7,7 +7,6 @@ with lib; krebs.build.target = "root@cd.internet"; imports = [ - ../2configs/backup.nix ../2configs/hw/CAC-Developer-2.nix ../2configs/fs/CAC-CentOS-7-64bit.nix #../2configs/consul-server.nix diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index e1a9076..1f3e010 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -9,7 +9,6 @@ with lib; "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a"; imports = [ - ../2configs/backup.nix # TODO ../2configs/hw/x220.nix #../2configs/consul-client.nix ../2configs/git.nix diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 1cef0a6..51d3bb8 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -1,38 +1,22 @@ -{ config, lib, pkgs, ... }: +{ config, lib, ... }: with lib; -let - # Users that are allowed to connect to the backup user. - # Note: the user must own a push plan destination otherwise no rsync. - backup-users = [ - config.krebs.users.tv - ]; - - ## TODO parse.file-location admit user - ## loc has the form <host-name>:<abs-path> - #parse.file-location = loc: let - # parts = splitString ":" loc; - # host-name = head parts; - # path = concatStringsSep ":" (tail parts); - #in { - # type = "types.krebs.file-location"; - # host = config.krebs.hosts.${host-name}; - # path = path; - #}; - - # TODO assert plan.dst.path & co - plans = with config.krebs.users; with config.krebs.hosts; addNames { +{ + krebs.backup.plans = addNames { xu-test-cd = { method = "push"; - #src = parse.file-location xu:/tmp/xu-test; - #dst = parse.file-location cd:/krebs/backup/xu-test; - src = { user = tv; host = xu; path = "/tmp/xu-test"; }; - dst = { user = tv; host = cd; path = "/krebs/backup/xu-test"; }; - startAt = "0,6,12,18:00"; - retain = { - hourly = 4; # sneakily depends on startAt - daily = 7; - weekly = 4; - monthly = 3; + + src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; }; + dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; }; + + #startAt = "0,6,12,18:00"; + startAt = "minutely"; + snapshots = { + minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; }; + hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; }; }; #xu-test-wu = { @@ -41,214 +25,18 @@ let #}; cd-test-xu = { method = "pull"; - #src = parse.file-location cd:/tmp/cd-test; - #dst = parse.file-location xu:/bku/cd-test; - src = { user = tv; host = cd; path = "/tmp/cd-test"; }; - dst = { user = tv; host = xu; path = "/bku/cd-test"; }; + src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; }; + dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; }; + startAt = "minutely"; + snapshots = { + minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; }; + hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; }; }; - - out = { - #options.krebs.backup = api; - config = imp; - }; - - imp = { - users.groups.backup.gid = genid "backup"; - users.users = map makeUser (filter isPushDst (attrValues plans)); - systemd.services = - flip mapAttrs' (filterAttrs (_:isPushSrc) plans) (name: plan: { - name = "backup.${name}"; - value = makePushService plan; - }); - }; - - - # TODO getFQDN: admit hosts in other domains - getFQDN = host: "${host.name}.${config.krebs.search-domain}"; - - isPushSrc = plan: - plan.method == "push" && - plan.src.host.name == config.krebs.build.host.name; - - makePushService = plan: assert isPushSrc plan; { - startAt = plan.startAt; - serviceConfig.ExecStart = writeSh plan "rsync" '' - exec ${pkgs.rsync}/bin/rsync ${concatMapStringsSep " " shell.escape [ - "-a" - "-e" - "${pkgs.openssh}/bin/ssh -F /dev/null -i ${plan.src.host.ssh.privkey.path}" - "${plan.src.path}" - "${plan.name}@${getFQDN plan.dst.host}::push" - ]} - ''; - }; - - isPushDst = plan: - plan.method == "push" && - plan.dst.host.name == config.krebs.build.host.name; - - makeUser = plan: assert isPushDst plan; rec { - name = plan.name; - uid = genid name; - group = config.users.groups.backup.name; - home = plan.dst.path; - createHome = true; - shell = "${writeSh plan "shell" '' - case $2 in - 'rsync --server --daemon .') - exec ${backup.rsync plan [ "--server" "--daemon" "." ]} - ;; - ''') - echo "ERROR: no command specified" >&2 - exit 23 - ;; - *) - echo "ERROR: no unknown command: $SSH_ORIGINAL_COMMAND" >&2 - exit 23 - ;; - esac - ''}"; - openssh.authorizedKeys.keys = [ plan.src.host.ssh.pubkey ]; - }; - - rsync = plan: args: writeSh plan "rsync" '' - install -v -m 0700 -d ${plan.dst.path}/push >&2 - install -v -m 0700 -d ${plan.dst.path}/list >&2 - - ${pkgs.rsync}/bin/rsync \ - --config=${backup.rsyncd-conf plan { - post-xfer = writeSh plan "rsyncd.post-xfer" '' - case $RSYNC_EXIT_STATUS in 0) - exec ${backup.rsnapshot plan { - preexec = writeSh plan "rsnapshot.preexec" '' - touch ${plan.dst.path}/rsnapshot.$RSNAPSHOT_INTERVAL - ''; - postexec = writeSh plan "rsnapshot.postexec" '' - rm ${plan.dst.path}/rsnapshot.$RSNAPSHOT_INTERVAL - ''; - }} - esac - ''; - }} \ - ${toString (map shell.escape args)} - - fail=0 - for i in monthly weekly daily hourly; do - if test -e ${plan.dst.path}/rsnapshot.$i; then - rm ${plan.dst.path}/rsnapshot.$i - echo "ERROR: $i snapshot failed" >&2 - fail=1 - fi - done - if test $fail != 0; then - exit -1 - fi - ''; - - rsyncd-conf = plan: conf: pkgs.writeText "${plan.name}.rsyncd.conf" '' - fake super = yes - use chroot = no - lock file = ${plan.dst.path}/rsyncd.lock - - [push] - max connections = 1 - path = ${plan.dst.path}/push - write only = yes - read only = no - post-xfer exec = ${conf.post-xfer} - - [list] - path = ${plan.dst.path}/list - read only = yes - write only = no - ''; - - rsnapshot = plan: conf: writeSh plan "rsnapshot" '' - rsnapshot() { - ${pkgs.proot}/bin/proot \ - -b /bin \ - -b /nix \ - -b /run/current-system \ - -b ${plan.dst.path} \ - -r ${plan.dst.path} \ - -w / \ - ${pkgs.rsnapshot}/bin/rsnapshot \ - -c ${pkgs.writeText "${plan.name}.rsnapshot.conf" '' - config_version 1.2 - snapshot_root ${plan.dst.path}/list - cmd_cp ${pkgs.coreutils}/bin/cp - cmd_du ${pkgs.coreutils}/bin/du - #cmd_rm ${pkgs.coreutils}/bin/rm - cmd_rsync ${pkgs.rsync}/bin/rsync - cmd_rsnapshot_diff ${pkgs.rsnapshot}/bin/rsnapshot-diff - cmd_preexec ${conf.preexec} - cmd_postexec ${conf.postexec} - retain hourly 4 - retain daily 7 - retain weekly 4 - retain monthly 3 - lockfile ${plan.dst.path}/rsnapshot.pid - link_dest 1 - backup /push ./ - verbose 4 - ''} \ - "$@" - } - - cd ${plan.dst.path}/list/ - - now=$(date +%s) - is_older_than() { - test $(expr $now - $(date +%s -r $1 2>/dev/null || echo 0)) \ - -ge $2 - } - - # TODO report stale snapshots - # i.e. there are $interval.$i > $interval.$max - - hour_s=3600 - day_s=86400 - week_s=604800 - month_s=2419200 # 4 weeks - - set -- - - if test -e weekly.3 && is_older_than monthly.0 $month_s; then - set -- "$@" monthly - fi - - if test -e daily.6 && is_older_than weekly.0 $week_s; then - set -- "$@" weekly - fi - - if test -e hourly.3 && is_older_than daily.0 $day_s; then - set -- "$@" daily - fi - - if is_older_than hourly.0 $hour_s; then - set -- "$@" hourly - fi - - - if test $# = 0; then - echo "taking no snapshots" >&2 - else - echo "taking snapshots: $@" >&2 - fi - - export RSNAPSHOT_INTERVAL - for RSNAPSHOT_INTERVAL; do - rsnapshot "$RSNAPSHOT_INTERVAL" - done - ''; - - writeSh = plan: name: text: pkgs.writeScript "${plan.name}.${name}" '' - #! ${pkgs.dash}/bin/dash - set -efu - export PATH=${makeSearchPath "bin" (with pkgs; [ coreutils ])} - ${text} - ''; - -in out +} diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 3400c13..c300633 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -28,6 +28,7 @@ with lib; imports = [ <secrets> + ./backup.nix ./vim.nix { # stockholm dependencies |