author | makefu <github@syntax-fehler.de> | 2023-01-10 13:20:04 +0100 |
committer | makefu <github@syntax-fehler.de> | 2023-01-10 13:20:04 +0100 |
commit | c691e94c45e6c5bdac531186374b185ea1790311 (patch) | |
tree | 024f2e5b8aed015687f03b31b6e7c1ce743f009c /krebs | |
parent | 1929733c03dbff92f830cb81b57cf4ccf859d364 (diff) | |
parent | 2818476f710410f1c752ce12becce10be0a8a293 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/0tests/data/test-config.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/default.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/ircd.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/reaktor2.nix | 3 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/exim-smarthost.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/iptables.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/repo-sync.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/systemd.nix | 82 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 1 | ||||
-rw-r--r-- | krebs/5pkgs/simple/generate-secrets/default.nix | 1 | ||||
-rw-r--r-- | krebs/5pkgs/simple/git-assembler.nix | 24 |
12 files changed, 88 insertions, 41 deletions
diff --git a/krebs/0tests/data/test-config.nix b/krebs/0tests/data/test-config.nix
index f0927ddd9..33cb01245 100644
--- a/krebs/0tests/data/test-config.nix
+++ b/krebs/0tests/data/test-config.nix
@@ -8,7 +8,6 @@
 ];
 krebs.hosts.minimal = {
- cores = 1;
 secure = false;
 };
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index fffe128e6..eda03cc10 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -53,6 +53,7 @@ with import <stockholm/lib>;
 config.krebs.users.lass-mors.pubkey
 config.krebs.users.makefu.pubkey
 config.krebs.users.tv.pubkey
+ config.krebs.users.kmein.pubkey
 ];
 # The NixOS release to be compatible with for stateful data such as databases.
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index a802b8a25..5435ea166 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -8,6 +8,7 @@
 services.ergochat = {
 enable = true;
 settings = {
+ server.name = "irc.r";
 server.secure-nets = [
 "42::0/16"
 "10.240.0.0/12"
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 9bcee6fbd..11aaf876a 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -146,7 +146,7 @@ let
 command = 1;
 arguments = [2];
 env.TASKDATA = "${stateDir}/${name}";
- commands = {
+ commands = rec {
 add.filename = pkgs.writeDash "${name}-task-add" ''
 ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1"
 '';
@@ -159,6 +159,7 @@ let
 delete.filename = pkgs.writeDash "${name}-task-delete" ''
 ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1"
 '';
+ del = delete;
 done.filename = pkgs.writeDash "${name}-task-done" ''
 ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1"
 '';
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 6babac72e..bff7e135f 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -7,6 +7,7 @@ let
 out = {
 imports = [
 ../../kartei
+ ../../submodules/disko/module.nix
 ./acl.nix
 ./airdcpp.nix
 ./announce-activation.nix
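Review bot: The new `config.krebs.users.kmein.pubkey` entry in krebs/2configs/default.nix joins a list of user public keys whose attribute name lies outside the hunk; if that list feeds an authorized-keys setting for every host importing krebs/2configs, as the neighbouring makefu/tv/lass-mors entries suggest, this merge admits a new principal and neither the diff nor the merge message records why. I would annotate the line so the trust decision is auditable later, e.g. `config.krebs.users.kmein.pubkey # <who approved, when>`, or state it in the merge message. The enclosing list starts before the hunk, so I cannot confirm from here what it is bound to.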
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 7c176d224..b3cf212e4 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -108,7 +108,7 @@ let
 };
 imp = {
- krebs.systemd.services.exim = {};
+ krebs.systemd.services.exim.restartIfCredentialsChange = true;
 systemd.services.exim.serviceConfig.LoadCredential = map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
 krebs.exim = {
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 7007090c0..052dad9c6 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -43,10 +43,6 @@ let
 target = mkOption {
 type = str;
 };
- precedence = mkOption {
- type = int;
- default = 0;
- };
 v4 = mkOption {
 type = bool;
 default = true;
@@ -145,13 +141,11 @@ let
 buildChain = tn: cn:
 let
 filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
- sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
-
 in
 #TODO: double check should be unneccessary, refactor!
 if ts.${tn}.${cn}.rules or null != null then
 concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
+ ++ map (buildRule tn cn) filteredRules
 )
 else
 ""
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index c4cfb9a49..5b8a53be8 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -159,7 +159,9 @@ let
 ) cfg.repos;
 krebs.systemd.services = mapAttrs' (name: _:
- nameValuePair "repo-sync-${name}" {}
+ nameValuePair "repo-sync-${name}" {
+ restartIfCredentialsChange = true;
+ }
 ) cfg.repos;
 systemd.services = mapAttrs' (name: repo:
diff --git a/krebs/3modules/systemd.nix b/krebs/3modules/systemd.nix
index 194e8b24a..3e524d3b5 100644
--- a/krebs/3modules/systemd.nix
+++ b/krebs/3modules/systemd.nix
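Review bot: In the second iptables.nix hunk, removing the `precedence` sort means a chain's rules are now emitted in whatever order the `rules` list was assembled from the contributing modules, and for an iptables chain (first match wins) that silently decides which of an ACCEPT/DROP pair applies; any configuration that still sets `precedence` should fail evaluation on the unknown option, so the ordering change is the part that regresses quietly. The `rules` option is declared outside the hunk, but its description should now state the contract, e.g. `Rules are appended in definition order; use lib.mkBefore/lib.mkAfter or lib.mkOrder to order rules contributed by different modules.` The `buildChain` let-block is cut by the hunk boundary, so I have not checked whether anything else in it referenced `sortedRules`.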
@@ -3,14 +3,28 @@
 body.options.krebs.systemd.services = lib.mkOption {
 default = {};
- type = lib.types.attrsOf (lib.types.submodule {
+ type = lib.types.attrsOf (lib.types.submodule (cfg_: let
+ serviceName = cfg_.config._module.args.name;
+ cfg = config.systemd.services.${serviceName} // cfg_.config;
+ in {
 options = {
+ credentialPaths = lib.mkOption {
+ default =
+ lib.sort
+ lib.lessThan
+ (lib.filter
+ lib.types.absolute-pathname.check
+ (map
+ (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
+ (lib.toList cfg.serviceConfig.LoadCredential)));
+ readOnly = true;
+ };
+ credentialUnitName = lib.mkOption {
+ default = "trigger-${lib.systemd.encodeName serviceName}";
+ readOnly = true;
+ };
 restartIfCredentialsChange = lib.mkOption {
- # Enabling this by default only makes sense here as the user already
- # bothered to write down krebs.systemd.services.* = {}. If this
- # functionality gets upstreamed to systemd.services, restarting
- # should be disabled by default.
- default = true;
+ default = false;
 description = ''
 Whether to restart the service whenever any of its credentials change. Only credentials with an absolute path in LoadCredential=
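Review bot: `restartIfCredentialsChange` now defaults to false, but nothing in this file's new code reads it: the unit generator further down maps over every entry of `config.krebs.systemd.services` unfiltered, so the `= true` lines this merge adds for exim, repo-sync and tinc change nothing, and an entry left at the default still gets a path unit that restarts it. Unless the option is consumed outside this file, the generator should iterate `lib.filterAttrs (_: cfg: cfg.restartIfCredentialsChange) config.krebs.systemd.services`. Separately, the `credentialPaths` default evaluates `cfg.serviceConfig.LoadCredential` unconditionally, so declaring `krebs.systemd.services.<name>` for a unit without LoadCredential= is an evaluation error rather than an empty list; `cfg.serviceConfig.LoadCredential or []` would make that case benign. The description string continues past the hunk.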
@@ -19,30 +33,40 @@
 type = lib.types.bool;
 };
- });
+ }));
 };
- body.config = {
- systemd.paths = lib.mapAttrs' (serviceName: _:
- lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged =
- lib.filter
- lib.types.absolute-pathname.check
- (map
- (lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
- (lib.toList
- config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
- }
- ) config.krebs.systemd.services;
+ body.config.systemd = lib.mkMerge (lib.mapAttrsToList (serviceName: cfg: {
+ paths.${cfg.credentialUnitName} = {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = cfg.credentialPaths;
+ };
+ services.${cfg.credentialUnitName} = {
+ serviceConfig = {
+ Type = "oneshot";
+ StateDirectory = "credentials";
+ ExecStart = pkgs.writeDash "${cfg.credentialUnitName}.sh" ''
+ set -efu
- systemd.services = lib.mapAttrs' (serviceName: cfg:
- lib.nameValuePair "trigger-${lib.systemd.encodeName serviceName}" {
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl restart ${lib.shell.escape serviceName}";
- };
- }
- ) config.krebs.systemd.services;
- };
+ PATH=${lib.makeBinPath [
+ pkgs.coreutils
+ pkgs.diffutils
+ pkgs.systemd
+ ]}
+
+ cache=/var/lib/credentials/${lib.shell.escape serviceName}.sha1sum
+ tmpfile=$(mktemp -t "$(basename "$cache")".XXXXXXXX)
+ trap 'rm -f "$tmpfile"' EXIT
+
+ sha1sum ${toString cfg.credentialPaths} > "$tmpfile"
+ if test -f "$cache" && cmp -s "$tmpfile" "$cache"; then
+ exit
+ fi
+ mv "$tmpfile" "$cache"
+
+ systemctl restart ${lib.shell.escape serviceName}
+ '';
+ };
+ };
+ }) config.krebs.systemd.services);
 }
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index c33b30f0d..0babc448a 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
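Review bot: The trigger unit stores `sha1sum` output for every credential file under `StateDirectory = "credentials"`, which systemd creates with its default 0755 mode, so `/var/lib/credentials/<service>.sha1sum` is readable by every local user: anyone can observe when a secret rotates and, for low-entropy credentials such as passwords or PSKs, check guesses offline against an unkeyed hash of the file contents. Add `StateDirectoryMode = "0700";` beside `StateDirectory`, and prefer `sha256sum`, which ships in the same coreutils. `sha1sum ${toString cfg.credentialPaths}` also splices the paths into the script unquoted; if `absolute-pathname.check` does not already restrict the character set, use `${lib.concatMapStringsSep " " lib.shell.escape cfg.credentialPaths}`. The unit presumably runs as root since no `User=` is set, which `systemctl restart` needs anyway, so that part is unchanged from the old trigger.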
@@ -232,6 +232,7 @@ with import <stockholm/lib>;
 ) config.krebs.tinc;
 krebs.systemd.services = mapAttrs (netname: cfg: {
+ restartIfCredentialsChange = true;
 }) config.krebs.tinc;
 systemd.services = mapAttrs (netname: cfg: {
diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix
index f9a7450f7..a3c9f67c5 100644
--- a/krebs/5pkgs/simple/generate-secrets/default.nix
+++ b/krebs/5pkgs/simple/generate-secrets/default.nix
@@ -23,7 +23,6 @@ pkgs.writers.writeDashBin "generate-secrets" ''
 cat <<EOF
 $HOSTNAME = {
- cores = 1;
 owner = config.krebs.users.krebs;
 nets = {
 retiolum = {
diff --git a/krebs/5pkgs/simple/git-assembler.nix b/krebs/5pkgs/simple/git-assembler.nix
new file mode 100644
index 000000000..095dddf0f
--- /dev/null
+++ b/krebs/5pkgs/simple/git-assembler.nix
@@ -0,0 +1,24 @@
+{ pkgs, stdenv }:
+
+stdenv.mkDerivation rec {
+ pname = "git-assembler";
+ version = "1.3";
+
+ src = pkgs.fetchFromGitLab {
+ owner = "wavexx";
+ repo = "git-assembler";
+ rev = "v${version}";
+ hash = "sha256-A+ygt6Fxiu6EkVoQU5L1rhxu2e1HU0nbqJFzLzXzHBo=";
+ };
+
+ buildInputs = [
+ pkgs.python3
+ ];
+
+ buildPhase = ":";
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp git-assembler $out/bin
+ '';
+}
|
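Review bot: In git-assembler.nix the `src` is pinned by tag plus SRI hash, which is the right supply-chain shape, but the derivation documents nothing: `pkgs.python3` sits in `buildInputs` presumably only so fixupPhase rewrites the script's interpreter shebang, and without a comment the next reader will "clean it up" and ship a binary whose shebang points outside the store. I would add `# python3 is only here so patchShebangs resolves the script's interpreter` above that entry, replace `buildPhase = ":";` with the stdenv idiom `dontBuild = true;`, and add a `meta` with `description` and `mainProgram = "git-assembler"` (the upstream license is not visible here, so fill that in from the repository).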