-rw-r--r--Makefile63
-rw-r--r--krebs/3modules/backup.nix23
-rw-r--r--krebs/3modules/build.nix126
-rw-r--r--krebs/3modules/tv/default.nix2
-rw-r--r--krebs/3modules/urlwatch.nix69
-rw-r--r--tv/1systems/nomic.nix2
-rw-r--r--tv/1systems/wu.nix28
-rw-r--r--tv/1systems/xu.nix7
-rw-r--r--tv/2configs/backup.nix38
-rw-r--r--tv/2configs/default.nix1
-rw-r--r--tv/2configs/im.nix24
-rw-r--r--tv/2configs/man.nix12
-rw-r--r--tv/2configs/urlwatch.nix41
-rw-r--r--tv/2configs/xu-qemu0.nix20
-rw-r--r--tv/3modules/iptables.nix22
15 files changed, 315 insertions, 163 deletions
diff --git a/Makefile b/Makefile
index 384c872ab..9dcd47548 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,32 @@
-ifndef system
-$(error unbound variable: system)
+stockholm ?= .
+
+ifndef nixos-config
+$(if $(system),,$(error unbound variable: system))
+nixos-config = ./$(LOGNAME)/1systems/$(system).nix
+endif
+
+# target = [target_user@]target_host[:target_port][/target_path]
+ifdef target
+_target_user != echo $(target) | sed -n 's/@.*//p'
+_target_path != echo $(target) | sed -n 's/^[^/]*//p'
+_target_port != echo $(target) | sed -En 's|^.*:([^/]*)(/.*)?$$|\1|p'
+_target_host != echo $(target) | sed -En 's/^(.*@)?([^:/]*).*/\2/p'
+ifneq ($(_target_host),)
+$(if $(target_host),$(error cannot define both, target_host and host in target))
+target_host ?= $(_target_host)
+endif
+ifneq ($(_target_user),)
+$(if $(target_user),$(error cannot define both, target_user and user in target))
+target_user ?= $(_target_user)
+endif
+ifneq ($(_target_port),)
+$(if $(target_port),$(error cannot define both, target_port and port in target))
+target_port ?= $(_target_port)
+endif
+ifneq ($(_target_path),)
+$(if $(target_path),$(error cannot define both, target_path and path in target))
+target_path ?= $(_target_path)
+endif
endif
export target_host ?= $(system)
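Review bot: The four `!=` assignments under `ifdef target` expand `$(target)` unquoted inside `echo … | sed`, so a value containing whitespace or shell metacharacters is word-split or interpreted by the shell at parse time instead of being parsed as the documented `[user@]host[:port][/path]` form; quoting it, e.g. `_target_user != printf '%s\n' '$(target)' | sed -n 's/@.*//p'` and the same for the other three lines, keeps the value opaque to the shell. `!=` also requires GNU Make 4.0 or newer, which the comment above the block should state since the file gives no other version hint. The `_target_port` pattern `s|^.*:([^/]*)(/.*)?$$|\1|p` treats the last `:` anywhere in the value as the port separator, so a `:` inside the path part is misread as a port; if paths never contain `:` that is fine, but the grammar comment should say so.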
@@ -7,24 +34,30 @@ export target_user ?= root
export target_port ?= 22
export target_path ?= /var/src
+$(if $(target_host),,$(error unbound variable: target_host))
+$(if $(target_user),,$(error unbound variable: target_user))
+$(if $(target_port),,$(error unbound variable: target_port))
+$(if $(target_path),,$(error unbound variable: target_path))
+
evaluate = \
nix-instantiate \
--eval \
--readonly-mode \
--show-trace \
- -I nixos-config=./$(LOGNAME)/1systems/$(system).nix \
- -I stockholm=. \
+ -I nixos-config=$(nixos-config) \
+ -I stockholm=$(stockholm) \
$(1)
execute = \
result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \
script=$$(echo "$$result" | jq -r .) && \
- echo "$$script" | sh
+ echo "$$script" | PS5=% sh
# usage: make deploy system=foo [target_host=bar]
+deploy: ssh ?= ssh
deploy:
$(call execute,populate)
- ssh $(target_user)@$(target_host) -p $(target_port) \
+ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
nixos-rebuild switch --show-trace -I $(target_path)
# usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name
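Review bot: The usage line `# usage: make deploy system=foo [target_host=bar]` is stale after this commit: the combined `target=[user@]host[:port][/path]` form added at the top of the file and the per-target `ssh ?= ssh` knob on the line after the comment are both undocumented there. Suggest `# usage: make deploy system=foo [target=[user@]host[:port][/path]] [ssh=ssh]`. Because `$(ssh)` is substituted verbatim into the recipe, a one-line comment that it is the command used to reach the target and may carry options would also make the override's intent explicit.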
@@ -41,3 +74,21 @@ install:
$(ssh) $(target_user)@$(target_host) -p $(target_port) \
env NIXOS_CONFIG=$(target_path)/nixos-config \
nixos-install
+
+# usage: make test system=foo [target=bar] [method={eval,build}]
+method ?= eval
+ifeq ($(method),build)
+test: command = nix-build --no-out-link
+else
+ifeq ($(method),eval)
+test: command ?= nix-instantiate --eval --json --readonly-mode --strict
+else
+$(error bad method: $(method))
+endif
+endif
+test: ssh ?= ssh
+test:
+ $(call execute,populate)
+ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
+ $(command) --show-trace -I $(target_path) \
+ -A config.system.build.toplevel $(target_path)/stockholm
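Review bot: The two `method` branches set `command` with different flavours — `test: command = nix-build --no-out-link` for `build` but `test: command ?= …` for `eval` — so an inherited `command` environment variable is honoured for one method and ignored for the other; use the same operator on both lines, presumably `?=` so the variable stays overridable. `test` is a phony-looking target; unless `.PHONY` already lists it outside this hunk, a file named `test` in the checkout silently turns `make test` into a no-op, so `.PHONY: deploy test` belongs here. The `$(error bad method: $(method))` is evaluated at parse time, so every goal, not just `test`, fails on a bad `method`; that may be intended but deserves a word in the usage comment.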
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix
index 0aa86dec9..97082f56a 100644
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@@ -117,6 +117,14 @@ let
"$dst_user@$dst_host" \
-T "$with_dst_path_lock_script"
}
+ rsh="ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}"
+ local_rsync() {
+ rsync "$@"
+ }
+ remote_rsync=${shell.escape (concatStringsSep " && " [
+ "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
+ "exec flock -n ${shell.escape plan.dst.path} rsync"
+ ])}
'';
pull = ''
identity=${shell.escape plan.dst.host.ssh.privkey.path}
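Review bot: The `rsh=` line embeds `$identity` and the optional `-p $dst_port` unquoted, and rsync later splits the whole `--rsh` value on whitespace (the `--rsh="$rsh"` line in this file's third hunk), so neither the identity path nor the port can contain spaces; the pull variant in the next hunk has the same shape. Nothing breaks for Nix store paths, but the limitation should be stated next to both assignments, e.g. `# rsync word-splits --rsh: $identity must not contain whitespace`. It is also worth a comment that `-F /dev/null` makes ssh ignore the user and system ssh_config, so host-key handling and any per-host options come only from ssh's defaults and the flags given here.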
@@ -131,6 +139,12 @@ let
dst_shell() {
eval "$with_dst_path_lock_script"
}
+ rsh="ssh -F /dev/null -i $identity ''${src_port:+-p $src_port}"
+ local_rsync() {
+ mkdir -m 0700 -p ${shell.escape plan.dst.path}/current
+ flock -n ${shell.escape plan.dst.path} rsync "$@"
+ }
+ remote_rsync=rsync
'';
}}
# Note that this only works because we trust date +%s to produce output
@@ -140,13 +154,10 @@ let
with_dst_path_lock_script="exec env start_date=$(date +%s) "${shell.escape
"flock -n ${shell.escape plan.dst.path} /bin/sh"
}
- rsync >&2 \
+ local_rsync >&2 \
-aAXF --delete \
- -e "ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}" \
- --rsync-path ${shell.escape (concatStringsSep " && " [
- "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
- "exec flock -n ${shell.escape plan.dst.path} rsync"
- ])} \
+ --rsh="$rsh" \
+ --rsync-path="$remote_rsync" \
--link-dest="$dst_path/current" \
"$src/" \
"$dst/.partial"
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix
index a1f446188..b8ea34ae2 100644
--- a/krebs/3modules/build.nix
+++ b/krebs/3modules/build.nix
@@ -20,35 +20,19 @@ let
type = types.user;
};
- options.krebs.build.source = let
- raw = types.either types.str types.path;
- url = types.submodule {
+ options.krebs.build.source = mkOption {
+ type = with types; attrsOf (either str (submodule {
options = {
- url = mkOption {
- type = types.str;
- };
- rev = mkOption {
- type = types.str;
- };
- dev = mkOption {
- type = types.str;
- };
+ url = str;
+ rev = str;
};
- };
- in mkOption {
- type = types.attrsOf (types.either types.str url);
- apply = let f = mapAttrs (_: value: {
- string = value;
- path = toString value;
- set = f value;
- }.${typeOf value}); in f;
+ }));
default = {};
};
options.krebs.build.populate = mkOption {
type = types.str;
default = let
- source = config.krebs.build.source;
target-user = maybeEnv "target_user" "root";
target-host = maybeEnv "target_host" config.krebs.build.host.name;
target-port = maybeEnv "target_port" "22";
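Review bot: The submodule fields `url = str;` and `rev = str;` are bare types rather than option declarations, unlike every other field in this commit — `subtypes.job` in krebs/3modules/urlwatch.nix declares the same thing as `url = mkOption { type = types.str; };`. Unless the module-system version in use accepts bare types inside `options`, these should read `url = mkOption { type = str; }; rev = mkOption { type = str; };`, which is also what keeps the two files consistent. The option lost its `apply` normalization here (it moves into `normalized-source` in a later hunk), so a short `description` stating that a value may be a URL string, a path, or `{ url, rev }` would help readers who only see this declaration.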
@@ -58,12 +42,13 @@ let
set -eu
verbose() {
- printf '+%s\n' "$(printf ' %q' "$@")" >&2
+ printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
}
- echo ${shell.escape git-script} \
- | ssh -p ${shell.escape target-port} \
+ { printf 'PS5=%q%q\n' @ "$PS5"
+ echo ${shell.escape git-script}
+ } | verbose ssh -p ${shell.escape target-port} \
${shell.escape "${target-user}@${target-host}"} -T
unset tmpdir
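Review bot: The rewritten `verbose` reads `$PS5`, and the new `printf 'PS5=%q%q\n' @ "$PS5"` line reads it again, while the script runs under `set -eu` (context line at the top of the hunk), so the populate script now aborts with an unbound-variable error whenever its caller does not export `PS5`; the only caller visible in this commit is the Makefile's `PS5=% sh`. Give the variable a default right after `set -eu`, e.g. `PS5=''${PS5-}` (a Nix `''` string, so this yields `${PS5-}` in the shell). The remote `git-script` (its `verbose` in a later hunk of this file, under `set -efu`) relies on the prepended `PS5=…` line reaching the remote shell, which is worth a comment next to that printf.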
@@ -75,24 +60,21 @@ let
tmpdir=$(mktemp -dt stockholm.XXXXXXXX)
chmod 0755 "$tmpdir"
- ${concatStringsSep "\n"
- (mapAttrsToList
- (name: spec: let dst = removePrefix "symlink:" (get-url spec); in
- "verbose ln -s ${shell.escape dst} $tmpdir/${shell.escape name}")
- symlink-specs)}
+ ${concatStringsSep "\n" (mapAttrsToList (name: symlink: ''
+ verbose ln -s ${shell.escape symlink.target} \
+ "$tmpdir"/${shell.escape name}
+ '') source-by-method.symlink)}
verbose proot \
- -b $tmpdir:${shell.escape target-path} \
- ${concatStringsSep " \\\n "
- (mapAttrsToList
- (name: spec:
- "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}")
- file-specs)} \
+ -b "$tmpdir":${shell.escape target-path} \
+ ${concatStringsSep " \\\n " (mapAttrsToList (name: file:
+ "-b ${shell.escape "${file.path}:${target-path}/${name}"}"
+ ) source-by-method.file)} \
rsync \
-f ${shell.escape "P /*"} \
- ${concatMapStringsSep " \\\n "
- (name: "-f ${shell.escape "R /${name}"}")
- (attrNames file-specs)} \
+ ${concatMapStringsSep " \\\n " (name:
+ "-f ${shell.escape "R /${name}"}"
+ ) (attrNames source-by-method.file)} \
--delete \
-vFrlptD \
-e ${shell.escape "ssh -p ${target-port}"} \
@@ -100,36 +82,12 @@ let
${shell.escape "${target-user}@${target-host}:${target-path}"}
'';
- get-schema = uri:
- if substring 0 1 uri == "/"
- then "file"
- else head (splitString ":" uri);
-
- has-schema = schema: uri: get-schema uri == schema;
-
- get-url = spec: {
- string = spec;
- path = toString spec;
- set = get-url spec.url;
- }.${typeOf spec};
-
- git-specs =
- filterAttrs (_: spec: has-schema "https" (get-url spec)) source //
- filterAttrs (_: spec: has-schema "http" (get-url spec)) source //
- filterAttrs (_: spec: has-schema "git" (get-url spec)) source;
-
- file-specs =
- filterAttrs (_: spec: has-schema "file" (get-url spec)) source;
-
- symlink-specs =
- filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source;
-
git-script = ''
#! /bin/sh
set -efu
verbose() {
- printf '+%s\n' "$(printf ' %q' "$@")" >&2
+ printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
}
@@ -162,20 +120,42 @@ let
git clean -dxf
)}
- ${concatStringsSep "\n"
- (mapAttrsToList
- (name: spec: toString (map shell.escape [
- "verbose"
- "fetch_git"
- "${target-path}/${name}"
- spec.url
- spec.rev
- ]))
- git-specs)}
+ ${concatStringsSep "\n" (mapAttrsToList (name: git: ''
+ verbose fetch_git ${concatMapStringsSep " " shell.escape [
+ "${target-path}/${name}"
+ git.url
+ git.rev
+ ]}
+ '') source-by-method.git)}
'';
in out;
};
};
+ source-by-method = let
+ known-methods = ["git" "file" "symlink"];
+ in genAttrs known-methods (const {}) // recursiveUpdate source-by-scheme {
+ git = source-by-scheme.http or {} //
+ source-by-scheme.https or {};
+ };
+
+ source-by-scheme = foldl' (out: { k, v }: recursiveUpdate out {
+ ${v.scheme}.${k} = v;
+ }) {} (mapAttrsToList (k: v: { inherit k v; }) normalized-source);
+
+ normalized-source = mapAttrs (name: let f = x: getAttr (typeOf x) {
+ path = f (toString x);
+ string = f {
+ url = if substring 0 1 x == "/" then "file://${x}" else x;
+ };
+ set = let scheme = head (splitString ":" x.url); in recursiveUpdate x {
+ inherit scheme;
+ } // {
+ symlink.target = removePrefix "symlink:" x.url;
+ file.path = # TODO file://host/...
+ assert hasPrefix "file:///" x.url;
+ removePrefix "file://" x.url;
+ }.${scheme} or {};
+ }; in f) config.krebs.build.source;
in out
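Review bot: `normalized-source` classifies every entry by scheme and `.${scheme} or {}` swallows anything unknown, while `source-by-method` only ever consumes `git`, `file` and `symlink` (with `http`/`https` folded into `git`), so a source with any other scheme — including a typo such as `htps://` — is silently dropped from the populate script instead of failing evaluation. Suggest rejecting unknown schemes where `source-by-method` is built: `unknown = removeAttrs source-by-scheme (known-methods ++ ["http" "https"]);` followed by `in assert unknown == {} || throw "krebs.build.source: unknown scheme(s): ${toString (attrNames unknown)}";` before the `genAttrs` expression. `known-methods` would then document the accepted schemes in one place, which a comment on that list should state.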
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index f8d3d8671..300fce017 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -352,7 +352,7 @@ with config.krebs.lib;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod";
};
tv = {
- mail = "tv@wu.retiolum";
+ mail = "tv@nomic.retiolum";
pubkey = "ssh-rsa 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 tv@wu";
};
tv-nomic = {
diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix
index cd4976a21..ed1a21260 100644
--- a/krebs/3modules/urlwatch.nix
+++ b/krebs/3modules/urlwatch.nix
@@ -3,7 +3,6 @@
# TODO multiple users
# TODO inform about unused caches
# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}"
-# TODO hooks.py
with config.krebs.lib;
let
@@ -32,6 +31,14 @@ let
Content of the From: header of the generated mails.
'';
};
+ # TODO hooks :: attrsOf hook
+ hooksFile = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ description = ''
+ File to use as hooks.py module.
+ '';
+ };
mailto = mkOption {
type = types.str;
default = config.krebs.build.user.mail;
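Review bot: The `hooksFile` description says only that the file becomes the hooks.py module; since urlwatch presumably imports it as Python (it is passed via `--hooks=` in a later hunk), its code runs with the privileges of the service user set by `User = user.name` further down in this file, which someone choosing this option should be told. Suggest `File to use as hooks.py module. It is imported by urlwatch as Python code and runs as the urlwatch service user.` The `# TODO hooks :: attrsOf hook` above it would also read better as a sentence, e.g. `# TODO replace hooksFile with a structured hooks option (attrsOf hook)`.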
@@ -48,7 +55,7 @@ let
'';
};
urls = mkOption {
- type = with types; listOf str;
+ type = with types; listOf (either str subtypes.job);
default = [];
description = "URL to watch.";
example = [
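Review bot: `description = "URL to watch."` no longer matches the widened type on the line above, which now admits either a URL string or a `subtypes.job` attrset. Suggest `description = "URLs to watch; each entry is either a URL string or a job attrset { url; filter; }.";` and adding one attrset entry to `example` so the new form is discoverable.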
@@ -56,7 +63,10 @@ let
];
apply = map (x: getAttr (typeOf x) {
set = x;
- string.url = x;
+ string = {
+ url = x;
+ filter = null;
+ };
});
};
verbose = mkOption {
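Review bot: The `set = x;` branch does not normalize a missing `filter` the way the new `string` branch does, and `subtypes.job.filter` (declared in the last hunk of this file) has no `default`, so a job given as `{ url = …; }` without `filter` would presumably make `toJSON cfg.urls` fail on an undefined option rather than serialize `filter: null`. Either add `default = null;` to that option in the last hunk or mirror the string case here: `set = { filter = null; } // x;`. The same omission applies to the `url`/`filter` declarations at the end of the file, so fixing it in `subtypes.job` covers both.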
@@ -68,9 +78,12 @@ let
};
};
- urlsFile = toFile "urls" (concatMapStringsSep "\n---\n" toJSON cfg.urls);
+ urlsFile = pkgs.writeText "urls"
+ (concatMapStringsSep "\n---\n" toJSON cfg.urls);
+
+ hooksFile = cfg.hooksFile;
- configFile = toFile "urlwatch.yaml" (toJSON {
+ configFile = pkgs.writeText "urlwatch.yaml" (toJSON {
display = {
error = true;
new = true;
@@ -127,10 +140,10 @@ let
User = user.name;
PermissionsStartOnly = "true";
PrivateTmp = "true";
+ SyslogIdentifier = "urlwatch";
Type = "oneshot";
ExecStartPre =
- pkgs.writeScript "urlwatch-prestart" ''
- #! /bin/sh
+ pkgs.writeDash "urlwatch-prestart" ''
set -euf
dataDir=$HOME
@@ -140,31 +153,29 @@ let
chown ${user.name}: "$dataDir"
fi
'';
- ExecStart = pkgs.writeScript "urlwatch" ''
- #! /bin/sh
+ ExecStart = pkgs.writeDash "urlwatch" ''
set -euf
- from=${escapeShellArg cfg.from}
- mailto=${escapeShellArg cfg.mailto}
- urlsFile=${escapeShellArg urlsFile}
- configFile=${escapeShellArg configFile}
cd /tmp
urlwatch \
${optionalString cfg.verbose "-v"} \
- --urls="$urlsFile" \
- --config="$configFile" \
+ --config=${shell.escape configFile} \
+ ${optionalString (hooksFile != null)
+ "--hooks=${shell.escape hooksFile}"
+ } \
+ --urls=${shell.escape urlsFile} \
> changes || :
if test -s changes; then
- date=$(date -R)
- subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \
- | tr \\n \ )
{
- echo "Date: $date"
- echo "From: $from"
- echo "Subject: $subject"
- echo "To: $mailto"
+ echo Date: $(date -R)
+ echo From: ${shell.escape cfg.from}
+ echo Subject: $(
+ sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \
+ | tr '\n' ' '
+ )
+ echo To: ${shell.escape cfg.mailto}
echo
cat changes
} | /var/setuid-wrappers/sendmail -t
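Review bot: The new `echo Subject: $( … )` leaves the command substitution unquoted, so the subject text — taken from the `changes` file, i.e. from urlwatch's output about the watched URLs — is word-split and glob-expanded in the working directory set by `cd /tmp` above; the removed version quoted it as `"$subject"`. `echo Date: $(date -R)` has the same shape. Use printf with quoted arguments: `printf 'Subject: %s\n' "$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes | tr '\n' ' ')"` and `printf 'Date: %s\n' "$(date -R)"`, which also avoids `echo` misreading an argument that begins with `-`.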
@@ -181,5 +192,15 @@ let
name = "urlwatch";
uid = genid name;
};
-in
-out
+
+ subtypes.job = types.submodule {
+ options = {
+ url = mkOption {
+ type = types.str;
+ };
+ filter = mkOption {
+ type = with types; nullOr str; # TODO nullOr subtypes.filter
+ };
+ };
+ };
+in out
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 2c9775da7..45320690b 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -10,6 +10,8 @@ with config.krebs.lib;
../2configs/hw/AO753.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
+ ../2configs/im.nix
+ ../2configs/mail-client.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 6154e4df9..8c363d9fc 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -10,7 +10,9 @@ with config.krebs.lib;
../2configs/hw/w110er.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
+ ../2configs/im.nix
../2configs/mail-client.nix
+ ../2configs/man.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
@@ -23,19 +25,6 @@ with config.krebs.lib;
hashPassword
haskellPackages.lentil
parallel
- (pkgs.writeScriptBin "im" ''
- #! ${pkgs.bash}/bin/bash
- export PATH=${makeSearchPath "bin" (with pkgs; [
- tmux
- gnugrep
- weechat
- ])}
- if tmux list-sessions -F\#S | grep -q '^im''$'; then
- exec tmux attach -t im
- else
- exec tmux new -s im weechat
- fi
- '')
# root
cryptsetup
@@ -52,14 +41,12 @@ with config.krebs.lib;
haskellPackages.hledger
htop
jq
- manpages
mkpasswd
netcat
nix-repl
nmap
nq
p7zip
- posix_man_pages
push
qrencode
texLive
@@ -165,11 +152,7 @@ with config.krebs.lib;
hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
- xlibs.fontschumachermisc
- slock
ethtool
- #firefoxWrapper # with plugins
- #chromiumDevWrapper
tinc
iptables
#jack2
@@ -177,7 +160,6 @@ with config.krebs.lib;
security.setuidPrograms = [
"sendmail" # for cron
- "slock"
];
services.printing.enable = true;
@@ -201,12 +183,6 @@ with config.krebs.lib;
KERNEL=="hpet", GROUP="audio"
'';
- services.bitlbee = {
- enable = true;
- plugins = [
- pkgs.bitlbee-facebook
- ];
- };
services.tor.client.enable = true;
services.tor.enable = true;
services.virtualboxHost.enable = true;
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 5ec1fe52b..c6a69a85a 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -11,6 +11,7 @@ with config.krebs.lib;
../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
+ ../2configs/man.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
@@ -52,7 +53,6 @@ with config.krebs.lib;
haskellPackages.hledger
htop
jq
- manpages
mkpasswd
netcat
nix-repl
@@ -60,7 +60,6 @@ with config.krebs.lib;
nq
p7zip
pass
- posix_man_pages
qrencode
texLive
tmux
@@ -163,11 +162,7 @@ with config.krebs.lib;
#hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
- #xlibs.fontschumachermisc
- #slock
ethtool
- #firefoxWrapper # with plugins
- #chromiumDevWrapper
tinc
iptables
#jack2
diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix
index 641e2d586..b5512662f 100644
--- a/tv/2configs/backup.nix
+++ b/tv/2configs/backup.nix
@@ -2,29 +2,43 @@
with config.krebs.lib;
{
krebs.backup.plans = {
+ } // mapAttrs (_: recursiveUpdate {
+ snapshots = {
+ daily = { format = "%Y-%m-%d"; retain = 7; };
+ weekly = { format = "%YW%W"; retain = 4; };
+ monthly = { format = "%Y-%m"; retain = 12; };
+ yearly = { format = "%Y"; };
+ };
+ }) {
+ nomic-home-xu = {
+ method = "push";
+ src = { host = config.krebs.hosts.nomic; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; };
+ startAt = "05:00";
+ };
wu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.wu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; };
startAt = "05:00";
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
};
xu-home-wu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.wu; path = "/bku/xu-home"; };
startAt = "06:00";
- snapshots = {
- daily = { format = "%Y-%m-%d"; retain = 7; };
- weekly = { format = "%YW%W"; retain = 4; };
- monthly = { format = "%Y-%m"; retain = 12; };
- yearly = { format = "%Y"; };
- };
+ };
+ xu-pull-cd-ejabberd = {
+ method = "pull";
+ src = { host = config.krebs.hosts.cd; path = "/var/ejabberd"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/cd-ejabberd"; };
+ startAt = "07:00";
+ };
+ xu-pull-cd-home = {
+ method = "pull";
+ src = { host = config.krebs.hosts.cd; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; };
+ startAt = "07:00";
};
} // mapAttrs (_: recursiveUpdate {
snapshots = {
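Review bot: `xu-pull-cd-ejabberd` copies `/var/ejabberd`, presumably a live service state directory, with no step to quiesce it, so the snapshot may be internally inconsistent whenever ejabberd writes during the rsync; the sibling `xu-pull-cd-home` starting at the same `07:00` also competes with it for the same source host. If a crash-consistent copy is acceptable, say so on the plan, e.g. `# live copy: ejabberd is not stopped, verify consistency before restoring`; otherwise the service needs to be paused around the run. The leading `krebs.backup.plans = { } //` is an empty attrset that only serves the `//` chain, which is worth a one-line comment since it reads like a leftover.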
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index c4a2d6baa..13699a3d5 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -50,6 +50,7 @@ with config.krebs.lib;
{
security.sudo.extraConfig = ''
Defaults mailto="${config.krebs.users.tv.mail}"
+ Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}
diff --git a/tv/2configs/im.nix b/tv/2configs/im.nix
new file mode 100644
index 000000000..db1be7f0b
--- /dev/null
+++ b/tv/2configs/im.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+with config.krebs.lib;
+{
+ environment.systemPackages = with pkgs; [
+ (pkgs.writeDashBin "im" ''
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ tmux
+ gnugrep
+ weechat
+ ])}
+ if tmux list-sessions -F\#S | grep -q '^im''$'; then
+ exec tmux attach -t im
+ else
+ exec tmux new -s im weechat
+ fi
+ '')
+ ];
+ services.bitlbee = {
+ enable = true;
+ plugins = [
+ pkgs.bitlbee-facebook
+ ];
+ };
+}
diff --git a/tv/2configs/man.nix b/tv/2configs/man.nix
new file mode 100644
index 000000000..a84e60b73
--- /dev/null
+++ b/tv/2configs/man.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+{
+ environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
+ ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
+ s:^NROFF\t.*:& -Wbreak:
+ '
+ '';
+ environment.systemPackages = with pkgs; [
+ manpages
+ posix_man_pages
+ ];
+}
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index 0106cddf7..51b53230b 100644
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -1,5 +1,5 @@
-{ config, ... }:
-
+{ config, pkgs, ... }:
+with config.krebs.lib;
{
krebs.urlwatch = {
enable = true;
@@ -52,8 +52,43 @@
# is derived from `configFile` in:
https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix
- https://pypi.python.org/pypi/vncdotool
+ {
+ url = https://pypi.python.org/pypi/vncdotool/json;
+ filter = "system:${pkgs.jq}/bin/jq -r '.releases|keys[]'";
+ }
https://api.github.com/repos/kanaka/noVNC/tags
];
+ hooksFile = toFile "hooks.py" ''
+ import subprocess
+ import urlwatch
+
+ class CaseFilter(urlwatch.filters.FilterBase):
+ """Filter for piping data through an external process"""
+
+ __kind__ = 'system'
+
+ def filter(self, data, subfilter=None):
+ if subfilter is None:
+ raise ValueError('The system filter needs a command')
+
+ proc = subprocess.Popen(
+ subfilter,
+ shell=True,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ )
+
+ (stdout, stderr) = proc.communicate(data.encode())
+
+ if proc.returncode != 0:
+ raise RuntimeError(
+ "system filter returned non-zero exit status %d; stderr:\n"
+ % proc.returncode
+ + stderr.decode()
+ )
+
+ return stdout.decode()
+ '';
};
}
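Review bot: `CaseFilter` in the inline hooks.py registers as `__kind__ = 'system'` and its docstring describes piping through an external process, so the class name is misleading; `SystemFilter` would match both. The docstring should also state the trust boundary the code implies: `subfilter` is run through the shell (`shell=True`) as the urlwatch service user, and the fetched page content reaches the command only via stdin, so a `filter = "system:…"` string in `krebs.urlwatch.urls` is in effect a shell command line taken from the system configuration. E.g. `"""Pipe data through an external shell command (the subfilter). Runs as the urlwatch user; page content is passed on stdin only."""`.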
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
index 720a8acd8..5be4899c8 100644
--- a/tv/2configs/xu-qemu0.nix
+++ b/tv/2configs/xu-qemu0.nix
@@ -15,18 +15,26 @@ in
#
# make [install] system=xu-qemu0 target_host=10.56.0.101
-# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
-# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
-# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT
-# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
-
with config.krebs.lib;
{
networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
+ tv.iptables.extra = {
+ nat.POSTROUTING = ["-j MASQUERADE"];
+ filter.FORWARD = [
+ "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+ "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
+ ];
+ filter.INPUT = [
+ "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
+ "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
+ ];
+ };
+
systemd.network.enable = true;
+ systemd.services.systemd-networkd-wait-online.enable = false;
+
services.resolved.enable = mkForce false;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
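Review bot: `nat.POSTROUTING = ["-j MASQUERADE"]` has no source or output-interface match, so with `ip_forward = 1` on the last line of the hunk every forwarded packet on every interface is masqueraded, not only the guest traffic from `qemubr0`; the removed TODO had the same shape, but the FORWARD rule two lines below already scopes the guests to `10.56.0.1/24`. Suggest `nat.POSTROUTING = ["-s 10.56.0.0/24 ! -o qemubr0 -j MASQUERADE"];` and writing the network as `10.56.0.0/24` in the FORWARD rule as well so the two agree. A one-line comment naming the guest network once above `tv.iptables.extra` would tie the three rule lists together.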
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index c0fd7ec12..c0e71f24d 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -26,6 +26,21 @@ let
type = with types; listOf (either int str);
default = [];
};
+
+ extra = {
+ nat.POSTROUTING = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ filter.FORWARD = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ filter.INPUT = mkOption {
+ type = with types; listOf str;
+ default = [];
+ };
+ };
};
imp = {
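Review bot: None of the three new `mkOption`s under `extra` carries a `description`, and their semantics are only discoverable from `formatTable` in the next hunk, which emits each string verbatim after `-A <chain>`. Suggest `description = "Extra rules appended to the nat POSTROUTING chain; each string is passed verbatim after -A POSTROUTING.";` and the analogous text for `filter.FORWARD` and `filter.INPUT`. Since the strings are spliced into iptables-restore input, the description should also note that a rule must be a single line.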
@@ -57,6 +72,11 @@ let
};
};
+ formatTable = table:
+ (concatStringsSep "\n"
+ (mapAttrsToList
+ (chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
+ table));
rules = iptables-version: let
accept-echo-request = {
@@ -79,6 +99,7 @@ let
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
+ ${formatTable cfg.extra.nat}
COMMIT
*filter
:INPUT DROP [0:0]
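Review bot: `${formatTable cfg.extra.nat}` is emitted inside `rules = iptables-version: …` (whose header is the last line of the previous hunk) with no version check; if `rules` is rendered for both iptables and ip6tables, the IPv4-only rules that tv/2configs/xu-qemu0.nix puts into `extra` (e.g. `-s 10.56.0.1/24`) would reach ip6tables-restore and fail the whole restore. The surrounding `*nat` block may already be guarded by `iptables-version` outside this hunk; if it is not, wrap the insertion as `${optionalString (iptables-version == <IPv4 value>) (formatTable cfg.extra.nat)}` using whatever value `iptables-version` takes for IPv4, or split `extra` into per-version sub-options. The same applies to the `${formatTable cfg.extra.filter}` insertion in the following hunk.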
@@ -94,6 +115,7 @@ let
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
++ ["-i retiolum -j Retiolum"]
)}
+ ${formatTable cfg.extra.filter}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request =