From 6aadd262fc1ec1cb7159da9ee62bd35616ddc23d Mon Sep 17 00:00:00 2001 
From: tv Date: Thu, 16 Jul 2015 23:22:30 +0200 Subject: Goodbye old world, and thanks for all the fish! --- old/Makefile | 48 -- old/README.md | 32 - old/bin/copy-secrets | 69 --- old/bin/genid | 11 - old/bin/netmask-to-prefix | 12 - old/bin/nixos-query | 4 - old/bin/urlencode | 35 -- old/cac | 337 ----------- old/certs/zalora-ca.crt | 24 - old/default.nix | 151 ----- old/deploy | 15 - old/infest-cac-CentOS-7-64bit.sh | 51 -- old/infest.d/cac-CentOS-7-64bit/finalize.sh | 66 -- old/infest.d/cac-CentOS-7-64bit/prepare.sh | 104 ---- old/infest.d/nixos-install.sh | 8 - old/lib/default.nix | 62 -- old/lib/git.nix | 181 ------ old/lib/modules.nix | 21 - old/modules/cd/default.nix | 91 --- old/modules/cd/networking.nix | 14 - old/modules/cd/paths.nix | 12 - old/modules/cd/users.nix | 53 -- old/modules/cloudkrebs/default.nix | 71 --- old/modules/cloudkrebs/networking.nix | 14 - old/modules/cloudkrebs/retiolum.nix | 21 - old/modules/common/krebs-keys.nix | 18 - old/modules/common/krebs-repos.nix | 36 -- old/modules/common/nixpkgs.nix | 25 - old/modules/common/sshkeys.nix | 26 - old/modules/lass/base.nix | 129 ---- old/modules/lass/binary-caches.nix | 13 - old/modules/lass/bird.nix | 13 - old/modules/lass/bitcoin.nix | 17 - old/modules/lass/browsers.nix | 67 --- old/modules/lass/chromium-patched.nix | 48 -- old/modules/lass/desktop-base.nix | 65 -- old/modules/lass/elster.nix | 20 - old/modules/lass/games.nix | 25 - old/modules/lass/gitolite-base.nix | 173 ------ old/modules/lass/iptables/config.nix | 119 ---- old/modules/lass/iptables/default.nix | 11 - old/modules/lass/iptables/options.nix | 44 -- old/modules/lass/ircd.nix | 88 --- old/modules/lass/pass.nix | 10 - old/modules/lass/programs.nix | 24 - old/modules/lass/sshkeys.nix | 11 - old/modules/lass/steam.nix | 29 - old/modules/lass/texlive.nix | 7 - old/modules/lass/urxvt.nix | 40 -- old/modules/lass/urxvtd.nix | 55 -- old/modules/lass/vim.nix | 118 ---- old/modules/lass/virtualbox.nix | 22 - old/modules/lass/wine.nix 
| 23 - old/modules/lass/xresources.nix | 57 -- old/modules/mkdir/default.nix | 86 --- old/modules/mkdir/networking.nix | 14 - old/modules/mkdir/paths.nix | 12 - old/modules/mkdir/users.nix | 19 - old/modules/mors/default.nix | 294 --------- old/modules/mors/git.nix | 130 ---- old/modules/mors/paths.nix | 12 - old/modules/mors/repos.nix | 87 --- old/modules/mors/retiolum.nix | 21 - old/modules/mu/default.nix | 466 -------------- old/modules/mu/paths.nix | 12 - old/modules/nomic/default.nix | 105 ---- old/modules/nomic/hardware-configuration.nix | 49 -- old/modules/nomic/paths.nix | 12 - old/modules/nomic/users.nix | 42 -- old/modules/rmdir/default.nix | 87 --- old/modules/rmdir/networking.nix | 15 - old/modules/rmdir/paths.nix | 12 - old/modules/rmdir/users.nix | 19 - old/modules/tv/base-cac-CentOS-7-64bit.nix | 27 - old/modules/tv/base.nix | 16 - old/modules/tv/config/consul-client.nix | 9 - old/modules/tv/config/consul-server.nix | 22 - old/modules/tv/consul/default.nix | 121 ---- old/modules/tv/ejabberd.nix | 867 --------------------------- old/modules/tv/environment.nix | 93 --- old/modules/tv/exim-retiolum.nix | 126 ---- old/modules/tv/exim-smarthost.nix | 474 --------------- old/modules/tv/git/cgit.nix | 93 --- old/modules/tv/git/config.nix | 272 --------- old/modules/tv/git/default.nix | 27 - old/modules/tv/git/options.nix | 93 --- old/modules/tv/git/public.nix | 82 --- old/modules/tv/identity/default.nix | 71 --- old/modules/tv/iptables/config.nix | 93 --- old/modules/tv/iptables/default.nix | 11 - old/modules/tv/iptables/options.nix | 29 - old/modules/tv/nginx/config.nix | 49 -- old/modules/tv/nginx/default.nix | 11 - old/modules/tv/nginx/options.nix | 21 - old/modules/tv/retiolum/config.nix | 130 ---- old/modules/tv/retiolum/default.nix | 11 - old/modules/tv/retiolum/options.nix | 87 --- old/modules/tv/sanitize.nix | 12 - old/modules/tv/smartd.nix | 17 - old/modules/tv/synaptics.nix | 14 - old/modules/tv/urlwatch/default.nix | 158 ----- 
old/modules/tv/urxvt.nix | 24 - old/modules/tv/users/default.nix | 67 --- old/modules/tv/xserver.nix | 40 -- old/modules/uriel/default.nix | 188 ------ old/modules/uriel/git.nix | 130 ---- old/modules/uriel/repos.nix | 78 --- old/modules/uriel/retiolum.nix | 31 - old/modules/wu/default.nix | 464 -------------- old/modules/wu/hosts.nix | 22 - old/modules/wu/paths.nix | 12 - old/modules/wu/users.nix | 227 ------- old/pubkeys/deploy_wu.ssh.pub | 1 - old/pubkeys/lass.ssh.pub | 1 - old/pubkeys/makefu.ssh.pub | 1 - old/pubkeys/mv_vod.ssh.pub | 1 - old/pubkeys/tv_wu.ssh.pub | 1 - old/pubkeys/uriel.ssh.pub | 1 - 118 files changed, 8659 deletions(-) delete mode 100644 old/Makefile delete mode 100644 old/README.md delete mode 100755 old/bin/copy-secrets delete mode 100755 old/bin/genid delete mode 100755 old/bin/netmask-to-prefix delete mode 100755 old/bin/nixos-query delete mode 100755 old/bin/urlencode delete mode 100755 old/cac delete mode 100644 old/certs/zalora-ca.crt delete mode 100644 old/default.nix delete mode 100755 old/deploy delete mode 100755 old/infest-cac-CentOS-7-64bit.sh delete mode 100644 old/infest.d/cac-CentOS-7-64bit/finalize.sh delete mode 100644 old/infest.d/cac-CentOS-7-64bit/prepare.sh delete mode 100644 old/infest.d/nixos-install.sh delete mode 100644 old/lib/default.nix delete mode 100644 old/lib/git.nix delete mode 100644 old/lib/modules.nix delete mode 100644 old/modules/cd/default.nix delete mode 100644 old/modules/cd/networking.nix delete mode 100644 old/modules/cd/paths.nix delete mode 100644 old/modules/cd/users.nix delete mode 100644 old/modules/cloudkrebs/default.nix delete mode 100644 old/modules/cloudkrebs/networking.nix delete mode 100644 old/modules/cloudkrebs/retiolum.nix delete mode 100644 old/modules/common/krebs-keys.nix delete mode 100644 old/modules/common/krebs-repos.nix delete mode 100644 old/modules/common/nixpkgs.nix delete mode 100644 old/modules/common/sshkeys.nix delete mode 100644 old/modules/lass/base.nix delete mode 
100644 old/modules/lass/binary-caches.nix delete mode 100644 old/modules/lass/bird.nix delete mode 100644 old/modules/lass/bitcoin.nix delete mode 100644 old/modules/lass/browsers.nix delete mode 100644 old/modules/lass/chromium-patched.nix delete mode 100644 old/modules/lass/desktop-base.nix delete mode 100644 old/modules/lass/elster.nix delete mode 100644 old/modules/lass/games.nix delete mode 100644 old/modules/lass/gitolite-base.nix delete mode 100644 old/modules/lass/iptables/config.nix delete mode 100644 old/modules/lass/iptables/default.nix delete mode 100644 old/modules/lass/iptables/options.nix delete mode 100644 old/modules/lass/ircd.nix delete mode 100644 old/modules/lass/pass.nix delete mode 100644 old/modules/lass/programs.nix delete mode 100644 old/modules/lass/sshkeys.nix delete mode 100644 old/modules/lass/steam.nix delete mode 100644 old/modules/lass/texlive.nix delete mode 100644 old/modules/lass/urxvt.nix delete mode 100644 old/modules/lass/urxvtd.nix delete mode 100644 old/modules/lass/vim.nix delete mode 100644 old/modules/lass/virtualbox.nix delete mode 100644 old/modules/lass/wine.nix delete mode 100644 old/modules/lass/xresources.nix delete mode 100644 old/modules/mkdir/default.nix delete mode 100644 old/modules/mkdir/networking.nix delete mode 100644 old/modules/mkdir/paths.nix delete mode 100644 old/modules/mkdir/users.nix delete mode 100644 old/modules/mors/default.nix delete mode 100644 old/modules/mors/git.nix delete mode 100644 old/modules/mors/paths.nix delete mode 100644 old/modules/mors/repos.nix delete mode 100644 old/modules/mors/retiolum.nix delete mode 100644 old/modules/mu/default.nix delete mode 100644 old/modules/mu/paths.nix delete mode 100644 old/modules/nomic/default.nix delete mode 100644 old/modules/nomic/hardware-configuration.nix delete mode 100644 old/modules/nomic/paths.nix delete mode 100644 old/modules/nomic/users.nix delete mode 100644 old/modules/rmdir/default.nix delete mode 100644 
old/modules/rmdir/networking.nix delete mode 100644 old/modules/rmdir/paths.nix delete mode 100644 old/modules/rmdir/users.nix delete mode 100644 old/modules/tv/base-cac-CentOS-7-64bit.nix delete mode 100644 old/modules/tv/base.nix delete mode 100644 old/modules/tv/config/consul-client.nix delete mode 100644 old/modules/tv/config/consul-server.nix delete mode 100644 old/modules/tv/consul/default.nix delete mode 100644 old/modules/tv/ejabberd.nix delete mode 100644 old/modules/tv/environment.nix delete mode 100644 old/modules/tv/exim-retiolum.nix delete mode 100644 old/modules/tv/exim-smarthost.nix delete mode 100644 old/modules/tv/git/cgit.nix delete mode 100644 old/modules/tv/git/config.nix delete mode 100644 old/modules/tv/git/default.nix delete mode 100644 old/modules/tv/git/options.nix delete mode 100644 old/modules/tv/git/public.nix delete mode 100644 old/modules/tv/identity/default.nix delete mode 100644 old/modules/tv/iptables/config.nix delete mode 100644 old/modules/tv/iptables/default.nix delete mode 100644 old/modules/tv/iptables/options.nix delete mode 100644 old/modules/tv/nginx/config.nix delete mode 100644 old/modules/tv/nginx/default.nix delete mode 100644 old/modules/tv/nginx/options.nix delete mode 100644 old/modules/tv/retiolum/config.nix delete mode 100644 old/modules/tv/retiolum/default.nix delete mode 100644 old/modules/tv/retiolum/options.nix delete mode 100644 old/modules/tv/sanitize.nix delete mode 100644 old/modules/tv/smartd.nix delete mode 100644 old/modules/tv/synaptics.nix delete mode 100644 old/modules/tv/urlwatch/default.nix delete mode 100644 old/modules/tv/urxvt.nix delete mode 100644 old/modules/tv/users/default.nix delete mode 100644 old/modules/tv/xserver.nix delete mode 100644 old/modules/uriel/default.nix delete mode 100644 old/modules/uriel/git.nix delete mode 100644 old/modules/uriel/repos.nix delete mode 100644 old/modules/uriel/retiolum.nix delete mode 100644 old/modules/wu/default.nix delete mode 100644 
old/modules/wu/hosts.nix delete mode 100644 old/modules/wu/paths.nix delete mode 100644 old/modules/wu/users.nix delete mode 100644 old/pubkeys/deploy_wu.ssh.pub delete mode 100644 old/pubkeys/lass.ssh.pub delete mode 100644 old/pubkeys/makefu.ssh.pub delete mode 100644 old/pubkeys/mv_vod.ssh.pub delete mode 100644 old/pubkeys/tv_wu.ssh.pub delete mode 100644 old/pubkeys/uriel.ssh.pub (limited to 'old') diff --git a/old/Makefile b/old/Makefile deleted file mode 100644 index bef7727..0000000 --- a/old/Makefile +++ /dev/null @@ -1,48 +0,0 @@ -all:;@exit 23 - -tv-cluster := cd mkdir nomic rmdir wu -deploy-cd:; ./deploy cd -deploy-mkdir:; ./deploy mkdir -deploy-nomic:; ./deploy nomic root@nomic-local -deploy-rmdir:; ./deploy rmdir -deploy-wu:; ./deploy wu root@localhost - -ifndef cluster -cluster := $(LOGNAME) -endif -hosts := $($(cluster)-cluster) -ifeq ($(hosts),) -$(error bad cluster: $(cluster)) -else -.ONESHELL: - -.PHONY: deploy $(addprefix deploy-,$(hosts)) -deploy: - exec parallel \ - -j 0 \ - --no-notice \ - --rpl '{u} s/^.* deploy-(.*)/\1/' \ - --tagstring '{u}' \ - --line-buffer \ - $(MAKE) deploy-{} ::: $(hosts) - -.PHONY: rotate-consul-encrypt -rotate-consul-encrypt: - umask 0377 - mkencrypt() { dd status=none if=/dev/random bs=1 count=16 | base64; } - json=$$(printf '{"encrypt":"%s"}\n' $$(mkencrypt)) - cmd=' - f=secrets/{}/rsync/etc/consul/encrypt.json - rm -f "$$f" - echo "$$json" > "$$f" - ' - export json - exec parallel \ - -j 0 \ - --no-notice \ - --rpl '{u} s/^.* deploy-(.*)/\1/' \ - --tagstring '{u}' \ - --line-buffer \ - --quote \ - sh -eufc "$$cmd" ::: $(hosts) -endif diff --git a/old/README.md b/old/README.md deleted file mode 100644 index 8a72d2f..0000000 --- a/old/README.md +++ /dev/null 
@@ -1,32 +0,0 @@ - - -# Turn a Cloud at Cost CentOS-7-64bit server into NixOS - -1. Configure the system (`$systemname`) you'd like to install (see Configuration below). -2. Create new server instance (either Custom or cloudpro) using "CentOS-7-64bit". - Note the servername (something like c731445864-cloudpro-388922936). -3. `cac_login=xxx cac_key=yyy ./infest-cac-CentOS-7-64bit.sh servername:$servername $systename` -4. Enjoy. (`ssh root@$systename`) - -# Configuration - -Configure your system in modules/$systemname -See modules/cd/default.nix as an example. - -Notice that modules/$systemname/networking will be autogenerated (but not committed). - -secrets/$systemname/nix/foo can be accessed as `` from within the configuration. - -You might want `secrets/$systemname/rsync/etc/tinc/retiolum/rsa_key.priv`. - -You might want `secrets/$systemname/nix/hashedPasswords.nix`, which looks like - -```nix -_: { users.extraUsers.root.hashedPassword = "XXX"; } -``` - -`XXX` can be generated with e.g. - -``` -mkpasswd -m sha-512 -S $(openssl rand -base64 16 | tr -d '+=' | head -c 16) -``` diff --git a/old/bin/copy-secrets b/old/bin/copy-secrets deleted file mode 100755 index f404935..0000000 --- a/old/bin/copy-secrets +++ /dev/null 
@@ -1,69 +0,0 @@ -#! /bin/sh -# -# copy-secrets system_name target -# -set -euf - -system_name=$1 -target=$2 - -nixos_config=$config_root/modules/$system_name -secrets_nix=$secrets_root/$system_name/nix -secrets_rsync=$secrets_root/$system_name/rsync - -if ! test -e "$secrets_rsync"; then - exit # nothing to do -fi - -# XXX this is ugly -# Notice NIX_PATH used from host -# Notice secrets required to evaluate configuration -NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name -NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix -export NIX_PATH - -case $(nixos-query tv.retiolum.enable 2>/dev/null) in true) - retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile) - retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid) -esac - -case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in true) - ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile) - ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid) -esac - -case $(nixos-query tv.consul.enable 2>/dev/null) in true) - consul_secret=$(nixos-query tv.consul.encrypt-file) - consul_uid=$(nixos-query users.extraUsers.consul.uid) -esac - -(set -x - rsync \ - --rsync-path="mkdir -p \"$2\" && rsync" \ - -vzrlptD \ - "$secrets_rsync/" \ - "$target:/") - -ssh "$target" -T < - max=2^32 # see 2^(8*sizeof(uid_t)) - ibase=16 - ($hash + min) % max -" | bc diff --git a/old/bin/netmask-to-prefix b/old/bin/netmask-to-prefix deleted file mode 100755 index 1c4dbeb..0000000 --- a/old/bin/netmask-to-prefix +++ /dev/null @@ -1,12 +0,0 @@ -#! /bin/sh -set -euf - -netmask=$1 - -binaryNetmask=$(echo $1 | sed 's/^/obase=2;/;s/\./;/g' | bc | tr -d \\n) -binaryPrefix=$(echo $binaryNetmask | sed -n 's/^\(1*\)0*$/\1/p') -if ! echo $binaryPrefix | grep -q .; then - echo $0: bad netmask: $netmask >&2 - exit 4 -fi -printf %s $binaryPrefix | tr -d 0 | wc -c diff --git a/old/bin/nixos-query b/old/bin/nixos-query deleted file mode 100755 index 1111aea..0000000 --- a/old/bin/nixos-query +++ /dev/null 
@@ -1,4 +0,0 @@ -#! /bin/sh -set -euf -result=$(nix-instantiate -A config."$1" --eval --json '') -echo $result | jq -r . diff --git a/old/bin/urlencode b/old/bin/urlencode deleted file mode 100755 index 02ca030..0000000 --- a/old/bin/urlencode +++ /dev/null @@ -1,35 +0,0 @@ -#! /bin/sh -set -euf -exec sed ' - s/%/%25/g - s/ /%20/g - s/!/%21/g - s/"/%22/g - s/#/%23/g - s/\$/%24/g - s/\&/%26/g - s/'\''/%27/g - s/(/%28/g - s/)/%29/g - s/\*/%2a/g - s/+/%2b/g - s/,/%2c/g - s/-/%2d/g - s/\./%2e/g - s/\//%2f/g - s/:/%3a/g - s/;/%3b/g - s//%3e/g - s/?/%3f/g - s/@/%40/g - s/\[/%5b/g - s/\\/%5c/g - s/\]/%5d/g - s/\^/%5e/g - s/_/%5f/g - s/`/%60/g - s/{/%7b/g - s/|/%7c/g - s/}/%7d/g - s/~/%7e/g -' diff --git a/old/cac b/old/cac deleted file mode 100755 index fb816b9..0000000 --- a/old/cac +++ /dev/null 
@@ -1,337 +0,0 @@ -#! /bin/sh -set -euf - -PATH=$PWD/bin:$PATH -export PATH - -cac_listservers_cache=$PWD/tmp/cac_listservers_cache.json - - -cac() { - __cac_cli__command=$1 - shift - __cac_cli__"$__cac_cli__command" "$@" -} - -# WIP -__cac_cli__help() {( - exec sed < "$0" -n ' - s/^__cac_cli__\([^(]\+\)().*/\1/p - ' -)} - -# usage: console -__cac_cli__console() {( - server=$(__cac_cli__getserver "$1") - sid=$(echo $server | jq -r .sid) - # TODO check reply status == ok - _cac_post_api_v1 console sid="$sid" | jq -r .console -)} - -__cac_cli__listservers() { - jq -r . $cac_listservers_cache -} - -__cac_cli__update() {( - umask 0077 - servers=$(_cac_listservers) - echo $servers > $cac_listservers_cache.tmp - mv $cac_listservers_cache.tmp $cac_listservers_cache -)} - -__cac_cli__getserver() {( - - case $1 in - *:*) - k=${1%%:*} - v=${1#*:} - ;; - *) - k=label - v=${1#*:} - ;; - esac - - if result=$(jq \ - -e \ - --arg k "$k" \ - --arg v "$v" \ - ' - map(select(.[$k]==$v)) | - if (. | length) == 1 then - .[0] - else - null - end - ' \ - $cac_listservers_cache); then - echo $result | jq -r . 
- else - echo "$0 getserver $k:$v => not unique server found" >&2 - exit 23 - fi -)} - -__cac_cli__generatenetworking() {( - server=$(__cac_cli__getserver "$1") - - hostname=$(echo $server | jq -r .label) - - address=$(echo $server | jq -r .ip) - gateway=$(echo $server | jq -r .gateway) - nameserver=8.8.8.8 - netmask=$(echo $server | jq -r .netmask) - prefix=$(netmask-to-prefix $netmask) - - #printf '# Generated file: %s generatenetworking %s %s\n' "$0" "$1" "$2" - #printf '# on %s\n' "$(date -Is)" - #printf '\n' - printf '_:\n' - printf '\n' - printf '{\n' - printf ' networking.hostName = "%s";\n' $hostname - printf ' networking.interfaces.enp2s1.ip4 = [\n' - printf ' {\n' - printf ' address = "%s";\n' $address - printf ' prefixLength = %d;\n' $prefix - printf ' }\n' - printf ' ];\n' - printf ' networking.defaultGateway = "%s";\n' $gateway - printf ' networking.nameservers = [\n' - printf ' "%s"\n' $nameserver - printf ' ];\n' - printf '}\n' -)} - -__cac_cli__powerop() {( - server=$(__cac_cli__getserver "$1") - action=$2 - - sid=$(echo $server | jq -r .sid) - - reply=$(_cac_post_api_v1 powerop sid="$sid" action="$action") - - case $(echo $reply | jq -r .status) in - ok) - echo $reply | jq -r . >&2 - __cac_cli__update - ;; - *) - echo bad reply: >&2 - echo $reply | jq -r . >&2 - exit 23 - ;; - esac -)} -__cac_cli__pushconfig() {( - server=$(__cac_cli__getserver "$1") - - prefix=${2-/} - - hostname=$(echo $server | jq -r .label) - - address=$(echo $server | jq -r .ip) - target=root@$address - - RSYNC_RSH='sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' - SSHPASS=$(echo $server | jq -r .rootpass) - export RSYNC_RSH SSHPASS - - pushgit . 
$target:$prefix/etc/nixos/ - pushgit hosts $target:$prefix/etc/nixos/hosts/ - pushgit tmp/nixpkgs/$hostname $target:$prefix/etc/nixos/nixpkgs/ - pushdir secrets/$hostname/nix $target:$prefix/etc/nixos/secrets/ - pushdir secrets/$hostname/rsync $target:$prefix/ - echo "_:{imports=[./modules/$hostname];}" \ - | $RSYNC_RSH "$target" tee "$prefix/etc/nixos/configuration.nix" \ - > /dev/null - - ## TODO chmod and chown secrets -)} - -__cac_cli__setlabel() {( - server=$(__cac_cli__getserver "$1") - label=$2 - - sid=$(echo $server | jq -r .sid) - - reply=$(_cac_post_api_v1 renameserver sid="$sid" name="$label") - - case $(echo $reply | jq -r .status) in - ok) - echo $reply | jq -r . >&2 - __cac_cli__update - ;; - *) - echo bad reply: >&2 - echo $reply | jq -r . >&2 - exit 23 - ;; - esac -)} - -__cac_cli__setmode() {( - server=$(__cac_cli__getserver "$1") - mode=$2 - - sid=$(echo $server | jq -r .sid) - - reply=$(_cac_post_api_v1 runmode sid="$sid" mode="$mode") - - case $(echo $reply | jq -r .status) in - ok) - echo $reply | jq -r . >&2 - __cac_cli__update - ;; - *) - echo bad reply: >&2 - echo $reply | jq -r . - exit 23 - ;; - esac -)} - -__cac_cli__ssh() {( - server=$(__cac_cli__getserver "$1") - shift - - address=$(echo $server | jq -r .ip) - target=root@$address - - SSHPASS=$(echo $server | jq -r .rootpass) - export SSHPASS - - exec sshpass -e ssh \ - -S none \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - $target \ - "$@" -)} - - -# usage: ./cac waitstatus mode:Safe 'Powered On' -# blocks until server has specfied state -__cac_cli__waitstatus() { - server=$(__cac_cli__getserver "$1") - status=$(echo $server | jq -r .status) - - case $status in - $2) - return - ;; - esac - - echo "$(date -Is) Waiting for status: $2; current status: $status ..." 
>&2 - - __cac_cli__waitforcacheupdate __cac_cli__waitstatus "$@" -} - - -# XXX for __cac_cli__waitforcacheupdate and __cac_cli__poll cache means $cac_listservers_cache - -# blocks until cache has been updated then executes "$@" -__cac_cli__waitforcacheupdate() { - case $(inotifywait --format %f -q -e moved_to $(dirname $cac_listservers_cache)) in - $(basename $cac_listservers_cache)) "$@";; - *) __cac_cli__waitforcacheupdate "$@";; - esac -} - -# usage: with cac ./cac poll 60s -# continuously update cache, sleeping at least $1 between updates -__cac_cli__poll() { - __cac_cli__update - t=${1-1m} - echo "$(date -Is) cache updated; sleeping $t ..." >&2 - sleep "$t" - __cac_cli__poll "$@" -} - - -_cac_listservers() {( - servers=$(_cac_get_api_v1 listservers) - status=$(echo $servers | jq -r .status) - - if [ "$status" = ok ]; then - echo "$servers" | jq -r .data - else - echo "cac_listservers: bad listservers status: $status" >&2 - exit 1 - fi -)} - - - - -# rsyncfiles : lines filename |> local-dir x rsync-target -> ? |> ? -rsyncfiles() {( - set -x - rsync \ - --rsync-path="mkdir -p \"$2\" && rsync" \ - -vzrlptD \ - --files-from=- \ - "$1"/ \ - "$2" -)} - - -# gitfiles : git-work-tree -> lines filename -gitfiles() { - git -C "$1" archive --format=tar HEAD | tar t | sed '/\/$/d' -} - -# pushgit : git-work-tree x rsync-target -> ? -pushgit() { - gitfiles "$1" | rsyncfiles "$1" "$2" -} - -# dirfiles : local-dir -> lines filename -dirfiles() {( - cd "$1" - find . -type f | sed 's/^\.\///' -)} - -# pushdir : local-dir x rsync-target -> ? 
-pushdir() { - dirfiles "$1" | rsyncfiles "$1" "$2" -} - - - - - - -_cac_get_api_v1() { - _cac_curl_api_v1 -G "$@" -} - -_cac_post_api_v1() { - _cac_curl_api_v1 -XPOST "$@" -} - -_cac_curl_api_v1() { - _cac_exec curl -sS "$1" "https://panel.cloudatcost.com/api/v1/$2.php" $( - shift 2 - set -- "$@" login="$cac_login" key="$cac_key" - for arg; do - echo -d $(printf '%s' "$arg" | urlencode) - done - ) -} - -_cac_exec() { - if test -z "${cac_via-}"; then - env -- "$@" - else - ssh -q "$cac_via" -t "$@" - fi -} - - - - - -case ${run-true} in - true) cac "$@";; -esac diff --git a/old/certs/zalora-ca.crt b/old/certs/zalora-ca.crt deleted file mode 100644 index 12cdf8f..0000000 --- a/old/certs/zalora-ca.crt +++ /dev/null 
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID7zCCAtegAwIBAgIJAPImpJwMgGmhMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
-VQQGEwJTRzESMBAGA1UECAwJU2luZ2Fwb3JlMQ8wDQYDVQQKDAZaYWxvcmExCzAJ
-BgNVBAsMAklUMSUwIwYDVQQDDBxaYWxvcmEgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
-MSUwIwYJKoZIhvcNAQkBFhZpdC1zZXJ2aWNlc0B6YWxvcmEuY29tMB4XDTE0MDkx
-ODIxNDY0N1oXDTI0MDkxNTIxNDY0N1owgY0xCzAJBgNVBAYTAlNHMRIwEAYDVQQI
-DAlTaW5nYXBvcmUxDzANBgNVBAoMBlphbG9yYTELMAkGA1UECwwCSVQxJTAjBgNV
-BAMMHFphbG9yYSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJTAjBgkqhkiG9w0BCQEW
-Fml0LXNlcnZpY2VzQHphbG9yYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDi48Tkh6XuS2gdE1+gsPPQjTI8Q2wbXqZGTHnyAZx75btOIUZHeHJm
-Fvu8erAD+vtx1nD1GOG30uvHFk9Of2mFY1fxw0R1LthJHSLFJU1/GjFSggHWkaI3
-HBSmeALjss/XHG3EtShLo8SHBc/+B8ehqj1JqcXF8q50JtfTQ+zlf+k26ke2S5Xo
-OdHLxjlNaPwj+TgJI1DHqs/bTapaPHPKk5+jFQzAcMmq0bygzpQTHCvvKqcoXaJk
-UgDBQnVsJUtwfObrM1TKu2TOXUhqgfnnflYf2sz5Sr30QlkrHP+PM3BRLB+6FXhr
-UlKKVcAcIwrBo0aJ5Sd0fv39GwV1XCWVAgMBAAGjUDBOMB0GA1UdDgQWBBQFftMH
-5/dc0pUNDqLbVQ8gm7+I5TAfBgNVHSMEGDAWgBQFftMH5/dc0pUNDqLbVQ8gm7+I
-5TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQC2aSKJ15v5OI7Zj/HQ
-lW+iY9STBPJi9lgOjaGrNaPX0IuhJLkeKDntmzjvpGwvcylHMp6Im02svTymteNN
-38s8A0aStnmW4ysGT853H7L7Jxzf7J2vrUF0Dj4QkZ07Gp3vAgKnWVcqz36Xr0Se
-DEqrKMl/6fq3Ygl35fZXP1kb6t/wP6qx69bnENH6ksHFpZapWYssKNZO9yiB8+Eq
-ngB22X/ycMmAqOnNQDzw1JBw7LzdXypCG75UKEK6kbnUy2yPADdHpH8v9qcRa1U9
-vEmUTJs6i1CpPO+2frPJ8A8QIp61nNxe7xJ1SnNVtwk9d6SRet6YGySvgG748Wjw
-GwWx
------END CERTIFICATE-----
diff --git a/old/default.nix b/old/default.nix
deleted file mode 100644
index 8415348..0000000
--- a/old/default.nix
+++ /dev/null
@@ -1,151 +0,0 @@ -{ system-name -, rsync-target ? null -, deploy-target ? null -}: - -# TODO assert that only one of rsync-target or deploy-target is not null - -with builtins; -assert (typeOf system-name == "string"); -with import ; -let - paths-file = toPath "${dirOf __curPos.file}/modules/${system-name}/paths.nix"; - - paths = import paths-file; - - prefetch.file = '' - echo "$prefetch_in_url" - ''; - - prefetch.git = '' - ${concatMapStringsSep "\n" (attr-name: '' - case ''${prefetch_in_${escapeShellArg attr-name}-?} in \?) - printf '%s: %s: missing attribute: %s' \ - ${escapeShellArg paths-file} \ - "$prefetch_name" \ - ${escapeShellArg attr-name} \ - >&2 - return 1 - esac - '') [ "rev" "url" "cache" ]} - - git_rev=$prefetch_in_rev - git_url=$prefetch_in_url - - # cache_dir points to a (maybe non-existent) directory, where a shared cache of - # the repository should be maintained. The shared cache is used to create - # multiple working trees of the repository. - cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode) - cache_git() { - git --git-dir="$cache_dir" "$@" - } - - # work_dir points to a (maybe non-existent) directory, where a specific - # revision of the repository is checked out. - # XXX this is probably a bad idea if git_rev is not a commit - work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode) - work_git() { - git -C "$work_dir" "$@" - } - - is_up_to_date() { - test -d "$cache_dir" && - test -d "$work_dir" && - test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" && - test "$(work_git rev-parse --verify HEAD)" = "$git_rev" - } - - # Notice how the remote name "origin" has been chosen arbitrarily, but must be - # kept in sync with the default value of nixpkgs.rev. - if ! is_up_to_date; then - if ! test -d "$cache_dir"; then - mkdir -p "$cache_dir" - cache_git init --bare - fi - if ! 
cache_git_url=$(cache_git config remote.origin.url); then - cache_git remote add origin "$git_url" - elif test "$cache_git_url" != "$git_url"; then - cache_git remote set-url origin "$git_url" - fi - cache_git fetch origin - if ! test -d "$work_dir"; then - git clone -n --shared "$cache_dir" "$work_dir" - fi - commit_name=$(cache_git rev-parse --verify "$git_rev") - work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")" - work_git checkout -q "$commit_name" - work_git submodule init - work_git submodule update - fi - work_git clean -dxf - - echo "$work_dir" - ''; - - - f = pkg-name: pkg-spec: - let - types = attrNames pkg-spec; - type = elemAt types 0; - in - assert (length types == 1); # there can be only one source type - '' - out=$(${concatStringsSep " \\\n" (mapAttrsToList (k: v: - "prefetch_in_${escapeShellArg k}=${escapeShellArg (toString v)}") pkg-spec.${type})} \ - prefetch_name=${escapeShellArg pkg-name} \ - __prefetch_${escapeShellArg type}) - printf '%s=%s\n' \ - ${escapeShellArg pkg-name} \ - "$out" - ''; -in -'' -#! 
/bin/sh -set -euf - -PATH=${toString ./.}/bin:$PATH -export PATH - -__prefetch_file() { -${prefetch.file} -} -__prefetch_git() { -${prefetch.git} -} - -# TODO make sure x contains only sane chars -x=$(${concatStrings (mapAttrsToList f paths)}) - -${optionalString (rsync-target != null) '' - proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ - rsync --delete --delete-excluded \ - --filter='- /*/.git' \ - --rsync-path='mkdir -p -m 0700 /shitment/ && rsync' \ - -vaz \ - --no-owner \ - --no-group \ - '/shitment/' \ - ${escapeShellArg rsync-target} -''} - - -${optionalString (deploy-target != null) '' - system_path=$(proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ - env \ - NIX_PATH=/shitment \ - NIXOS_CONFIG=/shitment/modules/${escapeShellArg system-name} \ - nix-build -A system --no-out-link '') - - system_name=${escapeShellArg system-name} - target=${escapeShellArg deploy-target} - - nix-copy-closure --gzip --to "$target" "$system_path" - - secrets_root=${toString ./.}/secrets \ - config_root=${toString ./.} \ - copy-secrets "$system_name" "$target" - - ssh ''${NIX_SSHOPTS-} "$target" "$system_path/bin/switch-to-configuration" switch -''} - -'' diff --git a/old/deploy b/old/deploy deleted file mode 100755 index a9dbf45..0000000 --- a/old/deploy +++ /dev/null @@ -1,15 +0,0 @@ -#! /bin/sh -# -# usage: ./deploy system_name [target] -# -set -euf - -system_name=$1 -target=${2-root@$system_name} - -nix-instantiate \ - --argstr system-name "$system_name" \ - --argstr deploy-target "$target" \ - --eval --json . \ - | jq -r . \ - | sh diff --git a/old/infest-cac-CentOS-7-64bit.sh b/old/infest-cac-CentOS-7-64bit.sh deleted file mode 100755 index 1e96e0e..0000000 --- a/old/infest-cac-CentOS-7-64bit.sh +++ /dev/null 
@@ -1,51 +0,0 @@ -#! /bin/sh -set -xeuf - -serverspec=$1 -systemname=$2 - -( - PATH=$PWD/bin:$PATH - export PATH - - # Notice NIX_PATH used from host - # Notice secrets required to evaluate configuration - NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$systemname - NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$systemname/nix - export NIX_PATH - - case $(nixos-query nixpkgs.dirty) in true) - echo "$0: cannot use nixpkgs.dirty" >&2 # b/c ./cac pushconfig - exit -1 - esac - - prefetch nixpkgs tmp/nixpkgs/$systemname -) - -./cac poll 10s 2>/dev/null & -pollpid=$! -trap "kill $pollpid; trap - EXIT" EXIT - -./cac waitstatus $serverspec 'Powered On' - -# TODO don't set label/mode if they're already good -./cac setlabel $serverspec $systemname -./cac setmode $systemname normal -./cac generatenetworking $systemname > modules/$systemname/networking.nix - -cat infest.d/cac-CentOS-7-64bit/prepare.sh | ./cac ssh $systemname \ - nix_url=https://nixos.org/releases/nix/nix-1.9/nix-1.9-x86_64-linux.tar.bz2 \ - nix_sha256=5c76611c631e79aef5faf3db2d253237998bbee0f61fa093f925fa32203ae32b \ - /bin/sh - -./cac pushconfig $systemname /mnt - -# This needs to be run twice because (at least): -# Initialized empty Git repository in /var/lib/git/$reponame -# chown: invalid user: 'git:nogroup' -cat infest.d/nixos-install.sh | ./cac ssh $systemname || : -cat infest.d/nixos-install.sh | ./cac ssh $systemname - -cat infest.d/cac-CentOS-7-64bit/finalize.sh | ./cac ssh $systemname - -./cac powerop $systemname reset diff --git a/old/infest.d/cac-CentOS-7-64bit/finalize.sh b/old/infest.d/cac-CentOS-7-64bit/finalize.sh deleted file mode 100644 index b70276b..0000000 --- a/old/infest.d/cac-CentOS-7-64bit/finalize.sh +++ /dev/null 
@@ -1,66 +0,0 @@
-#! /bin/sh
-set -eu
-{
- umount /mnt2
- umount /mnt/nix
- umount /mnt/boot
- umount /mnt
- umount /boot
-
- PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
- export PATH
-
- mkdir /oldshit
-
- mv /bin /oldshit/
- mv /newshit/bin /
-
- # TODO ensure /boot is empty
- rmdir /newshit/boot
-
- # skip /dev
- rmdir /newshit/dev
-
- mv /etc /oldshit/
- mv /newshit/etc /
-
- # TODO ensure /home is empty
- rmdir /newshit/home
-
- # skip /nix (it's already there)
- rmdir /newshit/nix
-
- # skip /proc
- rmdir /newshit/proc
-
- # skip /run
- rmdir /newshit/run
-
- # skip /sys
- rmdir /newshit/sys
-
- # skip /tmp
- # TODO rmdir /newshit/tmp
-
- mv /usr /oldshit/
- mv /newshit/usr /
-
- mv /var /oldshit/
- mv /newshit/var /
-
- mv /root /oldshit/
- mv /newshit/root /
-
- mv /lib /oldshit/
- mv /lib64 /oldshit/
- mv /sbin /oldshit/
- mv /mnt2 /oldshit/
- mv /srv /oldshit/
- mv /opt /oldshit/
-
-
- mv /newshit /root/ # TODO this one shoult be empty
- mv /oldshit /root/
-
- sync
-}
diff --git a/old/infest.d/cac-CentOS-7-64bit/prepare.sh b/old/infest.d/cac-CentOS-7-64bit/prepare.sh
deleted file mode 100644
index f932e9c..0000000
--- a/old/infest.d/cac-CentOS-7-64bit/prepare.sh
+++ /dev/null
@@ -1,104 +0,0 @@ -#! /bin/sh -set -euf - -: $nix_url -: $nix_sha256 - -{ - # - # prepare host - # - - type bzip2 2>/dev/null || yum install -y bzip2 - type rsync 2>/dev/null || yum install -y rsync - - if ! getent group nixbld >/dev/null; then - groupadd -g 30000 -r nixbld - fi - for i in `seq 1 10`; do - if ! getent passwd nixbld$i 2>/dev/null; then - useradd \ - -c "CentOS Nix build user $i" \ - -d /var/empty \ - -g 30000 \ - -G 30000 \ - -l \ - -M \ - -s /sbin/nologin \ - -u $(expr 30000 + $i) \ - nixbld$i - rm -f /var/spool/mail/nixbld$i - fi - done - - # generate fake sudo because - # sudo: sorry, you must have a tty to run sudo - mkdir -p bin - printf '#! /bin/sh\nexec env "$@"\n' > bin/sudo - chmod +x bin/sudo - - PATH=$PWD/bin:$PATH - export PATH - - # install nix on host (cf. https://nixos.org/nix/install) - if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then - ( - verify() { - echo $nix_sha256 $(basename $nix_url) | sha256sum -c - } - if ! verify; then - curl -C - -O "$nix_url" - verify - fi - ) - tar jxf $(basename $nix_url) - $(basename $nix_url .tar.bz2)/install - fi - - MANPATH=/var/empty . /root/.nix-profile/etc/profile.d/nix.sh - - if ! type nixos-install 2>/dev/null; then - nixpkgs_expr='import { system = builtins.currentSystem; }' - nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) - nix-env \ - --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ - --arg pkgs "$nixpkgs_expr" \ - --arg modulesPath 'throw "no modulesPath"' \ - -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ - -iA config.system.build.nixos-install - fi - - # - # mount install directory - # - - if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt type xfs'; then - mkdir -p /newshit - mount --bind /newshit /mnt - fi - - if ! mount | grep -Fq '/dev/sda1 on /mnt/boot type xfs'; then - mkdir -p /mnt/boot - mount /dev/sda1 /mnt/boot - fi - - if ! 
mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then - mkdir -p /mnt/nix - mount --bind /nix /mnt/nix - fi - - mount | grep 'on /mnt\>' >&2 - - # - # prepare install directory - # - # XXX This should be done by (?) - # remote_dir=/mnt ./cac pushconfig servername:c731445864-cloudpro-134581046 rmdir - - mkdir -p /mnt/etc/nixos - mkdir -m 0555 -p /mnt/var/empty - - # add eye candy - address=$(echo $SSH_CONNECTION | awk '{print$3}') - echo 'PS1='\''\[\e[1;31m\]\u@'"$address"'\[\e[m\] \[\e[1;32m\]\w\[\e[m\] '\' > .bashrc -} diff --git a/old/infest.d/nixos-install.sh b/old/infest.d/nixos-install.sh deleted file mode 100644 index df01a34..0000000 --- a/old/infest.d/nixos-install.sh +++ /dev/null @@ -1,8 +0,0 @@ -#! /bin/sh -# usage: cat infest-nixos-install.sh | ./cac ssh ... -set -euf -nixos-install \ - -I secrets=/etc/nixos/secrets \ - -I retiolum-hosts=/etc/nixos/hosts \ - -I pubkeys=/etc/nixos/pubkeys \ - -I nixpkgs=/etc/nixos/nixpkgs diff --git a/old/lib/default.nix b/old/lib/default.nix deleted file mode 100644 index 164a6a1..0000000 --- a/old/lib/default.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ lib, pkgs, ... }: - -with builtins; - -let - inherit (lib) mapAttrs stringAsChars; -in - -rec { - git = import ./git.nix { - lib = lib // { - inherit addNames; - }; - inherit pkgs; - }; - - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - - # "7.4.335" -> "74" - majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - - - concat = xs : - if xs == [] - then "" - else head xs + concat (tail xs) - ; - - flip = f : x : y : f y x; - - # isSuffixOf :: String -> String -> Bool - isSuffixOf = - s : xs : - let - sn = stringLength s; - xsn = stringLength xs; - in - xsn >= sn && substring (xsn - sn) sn xs == s ; - - removeSuffix = - s : xs : substring 0 (stringLength xs - stringLength s) xs; - - # setMap :: (String -> a -> b) -> Set String a -> [b] - #setMap = f: xs: map (k : f k (getAttr k xs)) (attrNames xs); - - # setToList :: Set k a -> [a] - #setToList = setMap (_: v: v); - - shell-escape = - let - isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; - in - stringAsChars (c: - if isSafeChar c then c - else if c == "\n" then "'\n'" - else "\\${c}"); - -} diff --git a/old/lib/git.nix b/old/lib/git.nix deleted file mode 100644 index 8dc1761..0000000 --- a/old/lib/git.nix +++ /dev/null 
@@ -1,181 +0,0 @@ -{ lib, pkgs, ... }: - -let - inherit (lib) addNames escapeShellArg makeSearchPath; - - commands = addNames { - git-receive-pack = {}; - git-upload-pack = {}; - }; - - receive-modes = addNames { - fast-forward = {}; - non-fast-forward = {}; - create = {}; - delete = {}; - merge = {}; # TODO implement in git.nix - }; - - permissions = { - fetch = { - allow-commands = [ - commands.git-upload-pack - ]; - }; - - push = ref: extra-modes: { - allow-commands = [ - commands.git-receive-pack - commands.git-upload-pack - ]; - allow-receive-ref = ref; - allow-receive-modes = [ receive-modes.fast-forward ] ++ extra-modes; - }; - }; - - refs = { - master = "refs/heads/master"; - all-heads = "refs/heads/*"; - }; - - irc-announce-script = pkgs.writeScript "irc-announce-script" '' - #! /bin/sh - set -euf - - export PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - gawk - gnused - netcat - nettools - ])} - - IRC_SERVER=$1 - IRC_PORT=$2 - IRC_NICK=$3$$ - IRC_CHANNEL=$4 - message=$5 - - export IRC_CHANNEL # for privmsg_cat - - # echo2 and cat2 are used output to both, stdout and stderr - # This is used to see what we send to the irc server. 
(debug output) - echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } - - # privmsg_cat transforms stdin to a privmsg - privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } - - # ircin is used to feed the output of netcat back to the "irc client" - # so we can implement expect-like behavior with sed^_^ - # XXX mkselfdestructingtmpfifo would be nice instead of this cruft - tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" - cd "$tmpdir" - mkfifo ircin - trap " - rm ircin - cd '$OLDPWD' - rmdir '$tmpdir' - trap - EXIT INT QUIT - " EXIT INT QUIT - - { - echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" - echo2 "NICK $IRC_NICK" - - # wait for MODE message - sed -n '/^:[^ ]* MODE /q' - - echo2 "JOIN $IRC_CHANNEL" - - printf '%s' "$message" \ - | privmsg_cat \ - | cat2 - - echo2 "PART $IRC_CHANNEL" - - # wait for PART confirmation - sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' - - echo2 'QUIT :Gone to have lunch' - } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin - ''; - - hooks = { - # TODO make this a package? - irc-announce = { nick, channel, server, port ? 6667 }: '' - #! 
/bin/sh - set -euf - - export PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - git - gnused - ])} - - nick=${escapeShellArg nick} - channel=${escapeShellArg channel} - server=${escapeShellArg server} - port=${toString port} - - host=$nick - - empty=0000000000000000000000000000000000000000 - - unset message - while read oldrev newrev ref; do - - if [ $oldrev = $empty ]; then - receive_mode=create - elif [ $newrev = $empty ]; then - receive_mode=delete - elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then - receive_mode=fast-forward - else - receive_mode=non-fast-forward - fi - - h=$(echo $ref | sed 's:^refs/heads/::') - - # empty_tree=$(git hash-object -t tree /dev/null - empty_tree=4b825dc6 - - id=$(echo $newrev | cut -b-7) - id2=$(echo $oldrev | cut -b-7) - if [ $newrev = $empty ]; then id=$empty_tree; fi - if [ $oldrev = $empty ]; then id2=$empty_tree; fi - - case $receive_mode in - create) - #git log --oneline $id2 - link="http://$host/cgit/$GIT_SSH_REPO/?h=$h" - ;; - delete) - #git log --oneline $id2 - link="http://$host/cgit/$GIT_SSH_REPO/ ($h)" - ;; - fast-forward|non-fast-forward) - #git diff --stat $id..$id2 - link="http://$host/cgit/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2" - ;; - esac - - #$host $GIT_SSH_REPO $ref $link - message="''${message+$message - }$GIT_SSH_USER $receive_mode $link" - done - - if test -n "''${message-}"; then - exec ${irc-announce-script} \ - "$server" \ - "$port" \ - "$nick" \ - "$channel" \ - "$message" - fi - ''; - }; - -in -commands // receive-modes // permissions // refs // hooks diff --git a/old/lib/modules.nix b/old/lib/modules.nix deleted file mode 100644 index 248e638..0000000 --- a/old/lib/modules.nix +++ /dev/null 
@@ -1,21 +0,0 @@
-let
- pkgs = import {};
- inherit (pkgs.lib) concatMap hasAttr;
-in rec {
-
- no-touch-args = {
- config = throw "no-touch-args: can't touch config!";
- lib = throw "no-touch-args: can't touch lib!";
- pkgs = throw "no-touch-args: can't touch pkgs!";
- };
-
- # list-imports : path -> [path]
- # Return a module's transitive list of imports.
- # XXX duplicates won't get eliminated from the result.
- list-imports = path:
- let module = import path no-touch-args;
- imports = if hasAttr "imports" module
- then concatMap list-imports module.imports
- else [];
- in [path] ++ imports;
-}
diff --git a/old/modules/cd/default.nix b/old/modules/cd/default.nix
deleted file mode 100644
index e3abd47..0000000
--- a/old/modules/cd/default.nix
+++ /dev/null
@@ -1,91 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- inherit (builtins) readFile;
-in
-
-{
- imports =
- [
- { users.extraUsers = import ; }
- ./networking.nix
- ./users.nix
- ../tv/base.nix
- ../tv/base-cac-CentOS-7-64bit.nix
- ../tv/config/consul-server.nix
- ../tv/ejabberd.nix # XXX echtes modul
- ../tv/exim-smarthost.nix
- ../tv/git/public.nix
- ../tv/sanitize.nix
- {
- imports = [ ../tv/identity ];
- tv.identity = {
- enable = true;
- self = config.tv.identity.hosts.cd;
- };
- }
- {
- imports = [ ../tv/iptables ];
- tv.iptables = {
- enable = true;
- input-internet-accept-new-tcp = [
- "ssh"
- "tinc"
- "smtp"
- "xmpp-client"
- "xmpp-server"
- ];
- input-retiolum-accept-new-tcp = [
- "http"
- ];
- };
- }
- {
- imports = [ ../tv/retiolum ];
- tv.retiolum = {
- enable = true;
- hosts = ;
- connectTo = [
- "fastpoke"
- "pigstarter"
- "ire"
- ];
- };
- }
- ];
-
- # "Developer 2" plan has two vCPUs.
- nix.maxJobs = 2;
-
- environment.systemPackages = with pkgs; [
- git # required for ./deploy, clone_or_update
- htop
- iftop
- iotop
- iptables
- mutt # for mv
- nethogs
- rxvt_unicode.terminfo
- tcpdump
- ];
-
- services.ejabberd-cd = {
- enable = true;
- };
-
- services.journald.extraConfig = ''
- SystemMaxUse=1G
- RuntimeMaxUse=128M
- '';
-
- services.openssh = {
- enable = true;
- hostKeys = [
- # XXX bits here make no science
- { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
- permitRootLogin = "yes";
- };
-
- sound.enable = false;
-}
diff --git a/old/modules/cd/networking.nix b/old/modules/cd/networking.nix
deleted file mode 100644
index 215e208..0000000
--- a/old/modules/cd/networking.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{...}:
-{
- networking.hostName = "cd";
- networking.interfaces.enp2s1.ip4 = [
- {
- address = "162.219.7.216";
- prefixLength = 24;
- }
- ];
- networking.defaultGateway = "162.219.7.1";
- networking.nameservers = [
- "8.8.8.8"
- ];
-}
diff --git a/old/modules/cd/paths.nix b/old/modules/cd/paths.nix
deleted file mode 100644
index f873912..0000000
--- a/old/modules/cd/paths.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- lib.file.url = ../../lib;
- modules.file.url = ../../modules;
- nixpkgs.git = {
- url = https://github.com/NixOS/nixpkgs;
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- cache = ../../tmp/git-cache;
- };
- pubkeys.file.url = ../../pubkeys;
- retiolum-hosts.file.url = ../../hosts;
- secrets.file.url = ../../secrets/cd/nix;
-}
diff --git a/old/modules/cd/users.nix b/old/modules/cd/users.nix
deleted file mode 100644
index 656336d..0000000
--- a/old/modules/cd/users.nix
+++ /dev/null
@@ -1,53 +0,0 @@ -{ ... }: - -let - inherit (builtins) readFile; -in - -{ - users.extraGroups = { - - # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories - # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) - # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago - # Docs: man:tmpfiles.d(5) - # man:systemd-tmpfiles(8) - # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) - # Main PID: 19272 (code=exited, status=1/FAILURE) - # - # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. - # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. - # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. - # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE - # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. - # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. - # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. - # warning: error(s) occured while switching to the new configuration - lock.gid = 10001; - - }; - users.extraUsers = - { - root = { - openssh.authorizedKeys.keys = [ - (readFile ) - (readFile ) - ]; - }; - - mv = rec { - name = "mv"; - uid = 1338; - group = "users"; - home = "/home/${name}"; - createHome = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = [ - (readFile ) - ]; - }; - - }; - - users.mutableUsers = false; -} 
diff --git a/old/modules/cloudkrebs/default.nix b/old/modules/cloudkrebs/default.nix
deleted file mode 100644
index 135b662..0000000
--- a/old/modules/cloudkrebs/default.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/base-cac-CentOS-7-64bit.nix
- ./retiolum.nix
- ./networking.nix
- ../../secrets/cloudkrebs-pw.nix
- ../lass/sshkeys.nix
- ../lass/base.nix
- ../common/nixpkgs.nix
- ];
-
- nixpkgs = {
- url = "https://github.com/Lassulus/nixpkgs";
- rev = "b42ecfb8c61e514bf7733b4ab0982d3e7e27dacb";
- };
-
- nix.maxJobs = 1;
-
- #tmpfiles Unknown group 'lock' workaround:
- users.extraGroups = {
- lock.gid = 10001;
- };
-
- #TODO move into modules
- users.extraUsers = {
- #main user
- root = {
- openssh.authorizedKeys.keys = [
- config.sshKeys.lass.pub
- ];
- };
- mainUser = {
- uid = 1337;
- name = "lass";
- #isNormalUser = true;
- group = "users";
- createHome = true;
- home = "/home/lass";
- useDefaultShell = true;
- isSystemUser = false;
- description = "lassulus";
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys = [
- config.sshKeys.lass.pub
- ];
- };
- };
-
- environment.systemPackages = with pkgs; [
- ];
-
- services.openssh = {
- enable = true;
- hostKeys = [
- # XXX bits here make no science
- { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ];
- permitRootLogin = "yes";
- };
-
- networking.firewall = {
- enable = true;
-
- allowedTCPPorts = [
- 22
- ];
- };
-
-}
diff --git a/old/modules/cloudkrebs/networking.nix b/old/modules/cloudkrebs/networking.nix
deleted file mode 100644
index fc50073..0000000
--- a/old/modules/cloudkrebs/networking.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{...}:
-{
- networking.hostName = "cloudkrebs";
- networking.interfaces.enp2s1.ip4 = [
- {
- address = "104.167.113.104";
- prefixLength = 24;
- }
- ];
- networking.defaultGateway = "104.167.113.1";
- networking.nameservers = [
- "8.8.8.8"
- ];
-}
diff --git a/old/modules/cloudkrebs/retiolum.nix b/old/modules/cloudkrebs/retiolum.nix
deleted file mode 100644
index 1caa924..0000000
--- a/old/modules/cloudkrebs/retiolum.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ../tv/retiolum
- ];
-
- tv.retiolum = {
- enable = true;
- hosts = ../../hosts;
- privateKeyFile = "/etc/nixos/secrets/cloudkrebs.retiolum.rsa_key.priv";
- connectTo = [
- "fastpoke"
- "gum"
- "ire"
- ];
- };
-
- networking.firewall.allowedTCPPorts = [ 655 ];
- networking.firewall.allowedUDPPorts = [ 655 ];
-}
diff --git a/old/modules/common/krebs-keys.nix b/old/modules/common/krebs-keys.nix
deleted file mode 100644
index 5e34933..0000000
--- a/old/modules/common/krebs-keys.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-# alle public keys der krebsminister fuer R in krebs repos
-{ config, ... }:
-
-let
- inherit (builtins) readFile;
-in
-
-with import ../lass/sshkeys.nix {
- config.sshKeys.lass.pub = config.sshKeys.lass.pub;
- config.sshKeys.uriel.pub = config.sshKeys.uriel.pub;
- };
-{
- imports = [
- ./sshkeys.nix
- ];
-
- config.sshKeys.tv.pub = readFile ;
-}
diff --git a/old/modules/common/krebs-repos.nix b/old/modules/common/krebs-repos.nix
deleted file mode 100644
index 86f3731..0000000
--- a/old/modules/common/krebs-repos.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ lib, ... }:
-
-let
- inherit (lib) mkDefault;
-
- mkSecureRepo = name:
- { inherit name;
- value = {
- users = {
- lass = mkDefault "R";
- tv = mkDefault "R";
- makefu = mkDefault "R";
- };
- };
- };
-
- mkRepo = name:
- { inherit name;
- value = {
- users = {
- lass = mkDefault "R";
- tv = mkDefault "R";
- makefu = mkDefault "R";
- };
- };
- };
-
-in {
- services.gitolite.repos =
- (lib.listToAttrs (map mkSecureRepo [ "brain" ])) //
- (lib.listToAttrs (map mkRepo [
- "painload"
- "services"
- "hosts"
- ]));
-}
diff --git a/old/modules/common/nixpkgs.nix b/old/modules/common/nixpkgs.nix
deleted file mode 100644
index 486cf02..0000000
--- a/old/modules/common/nixpkgs.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-{
- options = {
- nixpkgs.url = mkOption {
- type = types.str;
- description = "URL of the nixpkgs repository.";
- };
- nixpkgs.rev = mkOption {
- type = types.str;
- default = "origin/master";
- description = "Revision of the remote repository.";
- };
- nixpkgs.dirty = mkOption {
- type = types.bool;
- default = false;
- description = ''
- If nixpkgs.url is a local path, then use that as it is.
- TODO this break if URL is not a local path.
- '';
- };
- };
-}
diff --git a/old/modules/common/sshkeys.nix b/old/modules/common/sshkeys.nix
deleted file mode 100644
index 5f1c606..0000000
--- a/old/modules/common/sshkeys.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-{
- options = {
- sshKeys = mkOption {
- type = types.attrsOf (types.submodule (
- { config, ... }:
- {
- options = {
- pub = mkOption {
- type = types.str;
- description = "Public part of the ssh key.";
- };
-
- priv = mkOption {
- type = types.str;
- description = "Private part of the ssh key.";
- };
- };
- }));
- description = "collection of ssh-keys";
- };
- };
-}
diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix
deleted file mode 100644
index 159372a..0000000
--- a/old/modules/lass/base.nix
+++ /dev/null
@@ -1,129 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./sshkeys.nix - ./iptables - ]; - - nix.useChroot = true; - - users.mutableUsers = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - PAGER=most - ''; - - environment.systemPackages = with pkgs; [ - git - most - rxvt_unicode.terminfo - - #network - iptables - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - security.setuidPrograms = [ - "sendmail" - ]; - - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - lass.iptables = { - enable = true; - tables = { - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { 
predicate = "-p tcp --dport 22"; target = "ACCEPT"; } - ]; - }; - }; - - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; -} diff --git a/old/modules/lass/binary-caches.nix b/old/modules/lass/binary-caches.nix deleted file mode 100644 index c272752..0000000 --- a/old/modules/lass/binary-caches.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - nix.sshServe.enable = true; - nix.sshServe.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" - ]; - nix.binaryCaches = [ - #"scp://nix-ssh@mors" - #"scp://nix-ssh@uriel" - ]; -} diff --git a/old/modules/lass/bird.nix b/old/modules/lass/bird.nix deleted file mode 100644 index 3fc265c..0000000 --- a/old/modules/lass/bird.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -{ - config.services.bird = { - enable = true; - config = '' - router id 192.168.122.1; - protocol device { - scan time 10; - } - ''; - }; -} diff --git a/old/modules/lass/bitcoin.nix b/old/modules/lass/bitcoin.nix deleted file mode 100644 index d3bccbf..0000000 --- a/old/modules/lass/bitcoin.nix +++ /dev/null 
@@ -1,17 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- environment.systemPackages = with pkgs; [
- electrum
- ];
-
- users.extraUsers = {
- bitcoin = {
- name = "bitcoin";
- description = "user for bitcoin stuff";
- home = "/home/bitcoin";
- useDefaultShell = true;
- createHome = true;
- };
- };
-}
diff --git a/old/modules/lass/browsers.nix b/old/modules/lass/browsers.nix
deleted file mode 100644
index 8aecea9..0000000
--- a/old/modules/lass/browsers.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-
-in {
-
- nixpkgs.config.packageOverrides = pkgs : {
- chromium = pkgs.chromium.override {
- pulseSupport = true;
- };
- };
-
- environment.systemPackages = with pkgs; [
- firefox
- ];
-
- users.extraUsers = {
- firefox = {
- name = "firefox";
- description = "user for running firefox";
- home = "/home/firefox";
- useDefaultShell = true;
- extraGroups = [ "audio" ];
- createHome = true;
- };
- chromium = {
- name = "chromium";
- description = "user for running chromium";
- home = "/home/chromium";
- useDefaultShell = true;
- extraGroups = [ "audio" ];
- createHome = true;
- };
- facebook = {
- name = "facebook";
- description = "user for running facebook in chromium";
- home = "/home/facebook";
- useDefaultShell = true;
- extraGroups = [ "audio" ];
- createHome = true;
- };
- google = {
- name = "google";
- description = "user for running google+/gmail in chromium";
- home = "/home/google";
- useDefaultShell = true;
- createHome = true;
- };
- flash = {
- name = "flash";
- description = "user for running flash stuff";
- home = "/home/flash";
- useDefaultShell = true;
- extraGroups = [ "audio" ];
- createHome = true;
- };
- };
-
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(firefox) NOPASSWD: ALL
- ${mainUser.name} ALL=(chromium) NOPASSWD: ALL
- ${mainUser.name} ALL=(facebook) NOPASSWD: ALL
- ${mainUser.name} ALL=(google) NOPASSWD: ALL
- ${mainUser.name} ALL=(flash) NOPASSWD: ALL
- '';
-}
diff --git a/old/modules/lass/chromium-patched.nix b/old/modules/lass/chromium-patched.nix deleted file mode 100644 index 7151817..0000000 --- a/old/modules/lass/chromium-patched.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -#settings to test: -# - #"ForceEphemeralProfiles": true, -let - masterPolicy = pkgs.writeText "master.json" '' - { - "PasswordManagerEnabled": false, - "DefaultGeolocationSetting": 2, - "RestoreOnStartup": 1, - "AutoFillEnabled": false, - "BackgroundModeEnabled": false, - "DefaultBrowserSettingEnabled": false, - "SafeBrowsingEnabled": false, - "ExtensionInstallForcelist": [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", - "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" - ] - } - ''; - - master_preferences = pkgs.writeText "master_preferences" '' - { - "browser": { - "custom_chrome_frame": true - }, - - "extensions": { - "theme": { - "id": "", - "use_system": true - } - } - } - ''; -in { - environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce mast