Diffstat (limited to 'old')
114 files changed, 8237 insertions, 0 deletions
diff --git a/old/Makefile b/old/Makefile
new file mode 100644
index 0000000..bef7727
--- /dev/null
+++ b/old/Makefile
@@ -0,0 +1,48 @@
+all:;@exit 23
+
+tv-cluster := cd mkdir nomic rmdir wu
+deploy-cd:; ./deploy cd
+deploy-mkdir:; ./deploy mkdir
+deploy-nomic:; ./deploy nomic root@nomic-local
+deploy-rmdir:; ./deploy rmdir
+deploy-wu:; ./deploy wu root@localhost
+
+ifndef cluster
+cluster := $(LOGNAME)
+endif
+hosts := $($(cluster)-cluster)
+ifeq ($(hosts),)
+$(error bad cluster: $(cluster))
+else
+.ONESHELL:
+
+.PHONY: deploy $(addprefix deploy-,$(hosts))
+deploy:
+ exec parallel \
+ -j 0 \
+ --no-notice \
+ --rpl '{u} s/^.* deploy-(.*)/\1/' \
+ --tagstring '{u}' \
+ --line-buffer \
+ $(MAKE) deploy-{} ::: $(hosts)
+
+.PHONY: rotate-consul-encrypt
+rotate-consul-encrypt:
+ umask 0377
+ mkencrypt() { dd status=none if=/dev/random bs=1 count=16 | base64; }
+ json=$$(printf '{"encrypt":"%s"}\n' $$(mkencrypt))
+ cmd='
+ f=secrets/{}/rsync/etc/consul/encrypt.json
+ rm -f "$$f"
+ echo "$$json" > "$$f"
+ '
+ export json
+ exec parallel \
+ -j 0 \
+ --no-notice \
+ --rpl '{u} s/^.* deploy-(.*)/\1/' \
+ --tagstring '{u}' \
+ --line-buffer \
+ --quote \
+ sh -eufc "$$cmd" ::: $(hosts)
+endif
diff --git a/old/README.md b/old/README.md
new file mode 100644
index 0000000..8a72d2f
--- /dev/null
+++ b/old/README.md
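Review bot: In the `rotate-consul-encrypt` recipe the key comes from `dd status=none if=/dev/random bs=1 count=16 | base64` inside a `.ONESHELL:` recipe that never sets `-e`, so if `dd` fails (e.g. a `dd` that does not know `status=none`) the pipeline prints nothing, `json` silently becomes `{"encrypt":""}`, and the `exec parallel` step then overwrites every host's `secrets/<host>/rsync/etc/consul/encrypt.json` with an empty key while the recipe still exits 0 because only `parallel`'s status is reported. Start the recipe with `set -eu` and validate the key before it is used, e.g. `key=$$(mkencrypt); test -n "$$key"` followed by `json=$$(printf '{"encrypt":"%s"}\n' "$$key")`; `set -e` on its own is not sufficient because in a pipeline only `base64`'s exit status is visible. As a style point, the six `parallel` option lines are repeated verbatim in the `deploy` and `rotate-consul-encrypt` recipes and could be kept in a single `parallel_opts :=` variable so the two invocations cannot drift apart.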
@@ -0,0 +1,32 @@
+
+
+# Turn a Cloud at Cost CentOS-7-64bit server into NixOS
+
+1. Configure the system (`$systemname`) you'd like to install (see Configuration below).
+2. Create new server instance (either Custom or cloudpro) using "CentOS-7-64bit".
+ Note the servername (something like c731445864-cloudpro-388922936).
+3. `cac_login=xxx cac_key=yyy ./infest-cac-CentOS-7-64bit.sh servername:$servername $systename`
+4. Enjoy. (`ssh root@$systename`)
+
+# Configuration
+
+Configure your system in modules/$systemname
+See modules/cd/default.nix as an example.
+
+Notice that modules/$systemname/networking will be autogenerated (but not committed).
+
+secrets/$systemname/nix/foo can be accessed as `<secrets/foo>` from within the configuration.
+
+You might want `secrets/$systemname/rsync/etc/tinc/retiolum/rsa_key.priv`.
+
+You might want `secrets/$systemname/nix/hashedPasswords.nix`, which looks like
+
+```nix
+_: { users.extraUsers.root.hashedPassword = "XXX"; }
+```
+
+`XXX` can be generated with e.g.
+
+```
+mkpasswd -m sha-512 -S $(openssl rand -base64 16 | tr -d '+=' | head -c 16)
+```
diff --git a/old/bin/copy-secrets b/old/bin/copy-secrets
new file mode 100755
index 0000000..f404935
--- /dev/null
+++ b/old/bin/copy-secrets
@@ -0,0 +1,69 @@
+#! /bin/sh
+#
+# copy-secrets system_name target
+#
+set -euf
+
+system_name=$1
+target=$2
+
+nixos_config=$config_root/modules/$system_name
+secrets_nix=$secrets_root/$system_name/nix
+secrets_rsync=$secrets_root/$system_name/rsync
+
+if ! test -e "$secrets_rsync"; then
+ exit # nothing to do
+fi
+
+# XXX this is ugly
+# Notice NIX_PATH used from host
+# Notice secrets required to evaluate configuration
+NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name
+NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix
+export NIX_PATH
+
+case $(nixos-query tv.retiolum.enable 2>/dev/null) in true)
+ retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile)
+ retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid)
+esac
+
+case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in true)
+ ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile)
+ ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid)
+esac
+
+case $(nixos-query tv.consul.enable 2>/dev/null) in true)
+ consul_secret=$(nixos-query tv.consul.encrypt-file)
+ consul_uid=$(nixos-query users.extraUsers.consul.uid)
+esac
+
+(set -x
+ rsync \
+ --rsync-path="mkdir -p \"$2\" && rsync" \
+ -vzrlptD \
+ "$secrets_rsync/" \
+ "$target:/")
+
+ssh "$target" -T <<EOF
+set -euf
+
+retiolum_secret=${retiolum_secret-}
+retiolum_uid=${retiolum_uid-}
+ejabberd_secret=${ejabberd_secret-}
+ejabberd_uid=${ejabberd_uid-}
+consul_secret=${consul_secret-}
+consul_uid=${consul_uid-}
+
+if test -n "\$retiolum_secret"; then
+ chown -v "\$retiolum_uid:0" "\$retiolum_secret"
+fi
+
+if test -n "\$ejabberd_secret"; then
+ chown -v "\$ejabberd_uid:0" "\$ejabberd_secret"
+fi
+
+if test -n "\$consul_secret"; then
+ chown -v "\$consul_uid:0" "\$consul_secret"
+fi
+
+EOF |
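Review bot: The `rsync` call passes `--rsync-path="mkdir -p \"$2\" && rsync"`, but `$2` is `target` (the login string the script also uses as `"$target:/"`), so the remote side appears to create a stray directory named after the login in its working directory rather than any destination path; since the destination is the remote root, `--rsync-path=rsync` is enough, or the argument should name the actual directory that must exist. Separately, `secrets_rsync` is derived from `$secrets_root` while `NIX_PATH` is built from `$PWD/secrets/$system_name/nix`, so the secrets the configuration is evaluated against and the secrets that get synced can differ whenever `secrets_root` is not `$PWD/secrets`; deriving both from the same variable would close that gap. `nixos_config` and `secrets_nix` are assigned but never read, and `config_root`/`secrets_root` are required environment inputs that under `set -u` fail only with an unbound-variable message — the header comment should state them, e.g. `# requires config_root and secrets_root in the environment`.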