summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile15
-rw-r--r--default.nix39
-rw-r--r--krebs/3modules/build.nix72
-rw-r--r--krebs/3modules/build/default.nix269
-rw-r--r--krebs/3modules/default.nix126
-rw-r--r--krebs/4lib/infest/finalize.sh (renamed from krebs/3modules/build/infest/finalize.sh)0
-rw-r--r--krebs/4lib/infest/install-nix.sh (renamed from krebs/3modules/build/infest/install-nix.sh)0
-rw-r--r--krebs/4lib/infest/prepare.sh (renamed from krebs/3modules/build/infest/prepare.sh)0
-rw-r--r--krebs/4lib/shell.nix2
-rw-r--r--krebs/4lib/types.nix48
-rw-r--r--krebs/5pkgs/get/default.nix6
-rw-r--r--krebs/Zhosts/cloudkrebs2
-rw-r--r--krebs/Zhosts/echelon14
-rw-r--r--krebs/Zhosts/ire2
-rw-r--r--krebs/default.nix263
-rw-r--r--lass/1systems/cloudkrebs.nix13
-rw-r--r--lass/1systems/echelon.nix13
-rw-r--r--lass/1systems/mors.nix15
-rw-r--r--lass/1systems/uriel.nix12
-rw-r--r--lass/2configs/base.nix8
-rw-r--r--lass/2configs/browsers.nix2
-rw-r--r--lass/2configs/desktop-base.nix4
-rw-r--r--lass/2configs/firefoxPatched.nix58
-rw-r--r--lass/2configs/programs.nix1
-rw-r--r--lass/2configs/retiolum.nix1
-rw-r--r--lass/2configs/texlive.nix7
-rw-r--r--lass/2configs/zsh.nix10
-rw-r--r--lass/5pkgs/default.nix5
-rw-r--r--lass/5pkgs/firefoxPlugins/noscript.nix28
l---------lass/5pkgs/firefoxPlugins/result1
-rw-r--r--lass/5pkgs/firefoxPlugins/ublock.nix31
-rw-r--r--lass/5pkgs/firefoxPlugins/vimperator.nix19
-rw-r--r--tv/1systems/wu.nix2
-rw-r--r--tv/4lib/git.nix28
34 files changed, 754 insertions, 362 deletions
diff --git a/Makefile b/Makefile
index 3727793e8..552e6e0fd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,8 @@
#
# usage:
-# make system=foo
-# make systems='foo bar'
+# make infest system=foo [target=bar]
+# make [deploy] system=foo [target=bar]
+# make [deploy] systems='foo bar'
# make eval get=tv.wu.config.time.timeZone [filter=json]
#
@@ -11,6 +12,7 @@
ifdef systems
$(systems):
@
+ unset target
parallel \
--line-buffer \
-j0 \
@@ -20,7 +22,7 @@ $(systems):
else ifdef system
.PHONY: deploy infest
deploy infest:;@
- export get=$$LOGNAME.${system}.config.krebs.build.scripts.$@
+ export get=krebs.$@
export filter=json
make -s eval | sh
@@ -39,8 +41,11 @@ endif
--eval \
-A "$$get" \
'<stockholm>' \
- --argstr user-name "$$LOGNAME" \
- --argstr host-name "$$HOSTNAME" \
+ --argstr current-date "$$(date -Is)" \
+ --argstr current-host-name "$$HOSTNAME" \
+ --argstr current-user-name "$$LOGNAME" \
+ $${system+--argstr system "$$system"} \
+ $${target+--argstr target "$$target"} \
| filter
else
$(error unbound variable: system[s])
diff --git a/default.nix b/default.nix
index 64c69a2f4..c6a635c29 100644
--- a/default.nix
+++ b/default.nix
@@ -1,35 +1,34 @@
-{ user-name, host-name }:
+{ current-date
+, current-host-name
+, current-user-name
+}:
let
lib = import <nixpkgs/lib>;
krebs-modules-path = ./krebs/3modules;
krebs-pkgs-path = ./krebs/5pkgs;
- user-modules-path = ./. + "/${user-name}/3modules";
- user-pkgs-path = ./. + "/${user-name}/5pkgs";
+ user-modules-path = ./. + "/${current-user-name}/3modules";
+ user-pkgs-path = ./. + "/${current-user-name}/5pkgs";
out =
- (lib.mapAttrs (k: v: mk-namespace (./. + "/${k}"))
- (lib.filterAttrs
- (k: v: !lib.hasPrefix "." k && v == "directory")
- (builtins.readDir ./.)));
+ lib.mapAttrs (_: builtins.getAttr "main")
+ (lib.filterAttrs (_: builtins.hasAttr "main")
+ (lib.mapAttrs
+ (k: v:
+ if lib.hasPrefix "." k || v != "directory" then
+ {}
+ else if builtins.pathExists (./. + "/${k}/default.nix") then
+ { main = import (./. + "/${k}"); }
+ else if builtins.pathExists (./. + "/${k}/1systems") then
+ { main = mk-namespace (./. + "/${k}"); }
+ else
+ {})
+ (builtins.readDir ./.)));
eval = path: import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem;
modules = [
- ({ config, ... }:
- with import ./krebs/4lib { inherit lib; };
- {
- options.krebs.exec.host = mkOption {
- type = types.host;
- default = config.krebs.hosts.${host-name};
- };
- options.krebs.exec.user = mkOption {
- type = types.user;
- default = config.krebs.users.${user-name};
- };
- }
- )
path
krebs-modules-path
user-modules-path
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix
new file mode 100644
index 000000000..57495ea69
--- /dev/null
+++ b/krebs/3modules/build.nix
@@ -0,0 +1,72 @@
+{ config, lib, ... }:
+
+with import ../4lib { inherit lib; };
+
+let
+ target = config.krebs.build // { user.name = "root"; };
+
+ out = {
+ # TODO deprecate krebs.build.host
+ options.krebs.build.host = mkOption {
+ type = types.host;
+ };
+
+ # TODO make krebs.build.profile shell safe
+ options.krebs.build.profile = mkOption {
+ type = types.str;
+ default = "/nix/var/nix/profiles/system";
+ };
+
+ # TODO make krebs.build.target.host :: host
+ options.krebs.build.target = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ };
+
+ # TODO deprecate krebs.build.user
+ options.krebs.build.user = mkOption {
+ type = types.user;
+ };
+
+ options.krebs.build.source.dir = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ host = mkOption {
+ type = types.host;
+ };
+ path = mkOption {
+ type = types.str;
+ };
+ target-path = mkOption {
+ type = types.str;
+ default = "/root/${config._module.args.name}";
+ };
+ url = mkOption {
+ type = types.str;
+ default = "file://${config.host.name}${config.path}";
+ };
+ };
+ }));
+ default = {};
+ };
+
+ options.krebs.build.source.git = mkOption {
+ type = with types; attrsOf (submodule ({ config, ... }: {
+ options = {
+ url = mkOption {
+ type = types.str; # TODO must be shell safe
+ };
+ rev = mkOption {
+ type = types.str;
+ };
+ target-path = mkOption {
+ type = types.str;
+ default = "/root/${config._module.args.name}";
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+in out
diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix
deleted file mode 100644
index 4d2f36a02..000000000
--- a/krebs/3modules/build/default.nix
+++ /dev/null
@@ -1,269 +0,0 @@
-{ config, lib, ... }:
-
-with import ../../4lib { inherit lib; };
-
-let
- target = config.krebs.build // { user.name = "root"; };
-
- out = {
- # TODO deprecate krebs.build.host
- options.krebs.build.host = mkOption {
- type = types.host;
- };
-
- # TODO make krebs.build.profile shell safe
- options.krebs.build.profile = mkOption {
- type = types.str;
- default = "/nix/var/nix/profiles/system";
- };
-
- # TODO make krebs.build.target.host :: host
- options.krebs.build.target = mkOption {
- type = with types; nullOr str;
- default = null;
- };
-
- # TODO deprecate krebs.build.user
- options.krebs.build.user = mkOption {
- type = types.user;
- };
-
- options.krebs.build.scripts.deploy = lib.mkOption {
- type = lib.types.str;
- default = ''
- set -efu
- (${config.krebs.build.scripts._source})
- ${ssh-target ''
- ${config.krebs.build.scripts._nix-env}
- ${config.krebs.build.profile}/bin/switch-to-configuration switch
- ''}
- echo OK
- '';
- };
-
- options.krebs.build.scripts.infest = lib.mkOption {
- type = lib.types.str;
- default = ''
- set -efu
-
- export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \
- -o 'HostName ${target.host.infest.addr}' \
- -o 'Port ${toString target.host.infest.port}' \
- "
- ssh() {
- eval "$RSYNC_RSH \"\$@\""
- }
-
- ${ssh-target ''
- ${readFile ./infest/prepare.sh}
- ${readFile ./infest/install-nix.sh}
- ''}
-
- (${config.krebs.build.scripts._source})
-
- ${ssh-target ''
- export PATH; PATH=/root/.nix-profile/bin:$PATH
-
- src=$(type -p nixos-install)
- cat_src() {
- sed < "$src" "$(
- sed < "$src" -n '
- /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
- /^nixpkgs=/=
- /^NIX_PATH=/,/^$/{/./=}
- ' \
- | sed 's:$:s/^/#krebs#/:'
- )"
- }
-
- # Location to insert config.krebs.build.scripts._nix-env
- i=$(sed -n '/^echo "building the system configuration/=' "$src")
-
- {
- cat_src | sed -n "1,$i{p}"
- cat ${doc config.krebs.build.scripts._nix-env}
- cat_src | sed -n "$i,\''${$i!p}"
- } > nixos-install
- chmod +x nixos-install
-
- # Wrap inserted config.krebs.build.scripts._nix-env into chroot.
- nix_env=$(cat_src | sed -n '
- s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
- ')
- echo nix-env is $nix_env
- sed -i '
- s:^nix-env:chroot $mountPoint '"$nix_env"':
- ' nixos-install
-
- ./nixos-install
-
- ${readFile ./infest/finalize.sh}
- ''}
- '';
- };
-
- options.krebs.build.scripts._nix-env = lib.mkOption {
- type = lib.types.str;
- default = ''
- set -efu
- NIX_PATH=${config.krebs.build.source.NIX_PATH} \
- nix-env \
- -f '<stockholm>' \
- -Q \
- --argstr user-name ${config.krebs.exec.user.name} \
- --argstr host-name ${target.host.name} \
- --profile ${config.krebs.build.profile} \
- --set \
- -A ${lib.escapeShellArg (lib.concatStringsSep "." [
- config.krebs.build.user.name
- config.krebs.build.host.name
- "system"
- ])}
- '';
- };
-
- options.krebs.build.scripts._source = lib.mkOption {
- type = lib.types.str;
- default = ''
- set -efu
- ${
- lib.concatStringsSep "\n"
- (lib.mapAttrsToList
- (name: { scripts, url, ... }: "(${scripts._source})")
- (config.krebs.build.source.dir //
- config.krebs.build.source.git))
- }
- '';
- };
-
- options.krebs.build.source.NIX_PATH = mkOption {
- type = types.str;
- default =
- lib.concatStringsSep ":"
- (lib.mapAttrsToList (name: _: "${name}=/root/${name}")
- (config.krebs.build.source.dir //
- config.krebs.build.source.git));
- };
-
- options.krebs.build.source.dir = mkOption {
- type =
- let
- exec = config.krebs.exec;
- in
- types.attrsOf (types.submodule ({ config, ... }:
- let
- url = "file://${config.host.name}${config.path}";
-
- can-link = config.host.name == target.host.name;
- can-push = config.host.name == exec.host.name;
-
- push-method = ''
- rsync \
- --exclude .git \
- --exclude .graveyard \
- --exclude old \
- --exclude tmp \
- --rsync-path='mkdir -p ${config.target-path} && rsync' \
- --delete-excluded \
- -vrLptgoD \
- ${config.path}/ \
- ${target.user.name}@${target.host.name}:${config.target-path}
- '';
- in
- {
- options = {
- host = mkOption {
- type = types.host;
- description = ''
- define the host where the directory is stored on.
- XXX: currently it is just used to check if rsync is working,
- becomes part of url
- '';
- };
- path = mkOption {
- type = types.str;
- };
- scripts._source = mkOption {
- type = types.str;
- default =
- #if can-link then link-method else
- if can-push then push-method else
- throw "cannot source ${url}";
- };
- target-path = mkOption {
- type = types.str;
- default = "/root/${config._module.args.name}";
- };
- url = mkOption {
- type = types.str;
- default = "file://${config.host.name}${config.path}";
- };
- };
- }
- ));
- default = {};
- };
-
- options.krebs.build.source.git = mkOption {
- type =
- let
- target = config.krebs.build // { user.name = "root"; };
- in
- with types; attrsOf (submodule ({ config, ... }:
- {
- options = {
- url = mkOption {
- type = types.str; # TODO must be shell safe
- };
- rev = mkOption {
- type = types.str;
- };
- scripts._source = mkOption {
- type = types.str;
- default = ssh-target ''
- mkdir -p ${config.target-path}
- cd ${config.target-path}
- if ! test -e .git; then
- git init
- fi
- if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
- git remote add origin ${config.url}
- elif test "$cur_url" != ${config.url}; then
- git remote set-url origin ${config.url}
- fi
- if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then
- git fetch origin
- git checkout ${config.rev} -- .
- git checkout -q ${config.rev}
- git submodule init
- git submodule update
- fi
- git clean -dxf
- '';
- };
- target-path = mkOption {
- type = types.str;
- default = "/root/${config._module.args.name}";
- };
- };
- }
- ));
- default = {};
- };
- };
-
- doc = s:
- let b = "EOF${hashString "sha256" s}"; in
- ''
- <<\${b}
- ${s}
- ${b}
- '';
-
- ssh-target = script:
- "ssh root@${target.host.name} -T ${doc ''
- set -efu
- ${script}
- ''}";
-
-in out
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index dc30b9c50..2d3b7b077 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,7 +6,7 @@ let
out = {
imports = [
- ./build
+ ./build.nix
./exim-retiolum.nix
./exim-smarthost.nix
./github-hosts-sync.nix
@@ -84,13 +84,16 @@ let
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
- aliases = toString (unique (longs ++ shorts));
+ aliases = longs ++ shorts;
providers = dns.split-by-provider net.aliases cfg.dns.providers;
longs = providers.hosts;
- shorts = map (removeSuffix ".${cfg.search-domain}") longs;
+ shorts =
+ map (removeSuffix ".${cfg.search-domain}")
+ (filter (hasSuffix ".${cfg.search-domain}")
+ longs);
in
- map (addr: "${addr} ${aliases}") net.addrs
- ) host.nets
+ map (addr: "${addr} ${toString aliases}") net.addrs
+ ) (filterAttrs (name: host: host.aliases != []) host.nets)
) cfg.hosts
));
@@ -100,6 +103,36 @@ let
([cfg.zone-head-config] ++ combined-hosts) ;
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+
+ services.openssh.hostKeys =
+ let inherit (config.krebs.build.host.ssh) privkey; in
+ mkIf (privkey != null) (mkForce [privkey]);
+
+ services.openssh.knownHosts =
+ mapAttrs
+ (name: host: {
+ hostNames =
+ concatLists
+ (mapAttrsToList
+ (net-name: net:
+ let
+ aliases = shorts ++ longs;
+ longs = net.aliases;
+ shorts =
+ map (removeSuffix ".${cfg.search-domain}")
+ (filter (hasSuffix ".${cfg.search-domain}")
+ longs);
+ add-port = a:
+ if net.ssh.port != null
+ then "[${a}]:${toString net.ssh.port}"
+ else a;
+ in
+ aliases ++ map add-port net.addrs)
+ host.nets);
+
+ publicKey = host.ssh.pubkey;
+ })
+ (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
}
];
@@ -110,7 +143,7 @@ let
dc = "lass"; #dc = "cac";
nets = rec {
internet = {
- addrs4 = ["162.248.8.63"];
+ addrs4 = ["104.233.84.57"];
aliases = [
"echelon.internet"
];
@@ -125,12 +158,42 @@ let
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEA92ybhDahtGybpAkUNlG5Elxw05MVY4Pg7yK0dQugB4nVq+pnmi78
- DOMeIciecMHmJM8n9UlUU0eWZVCgHeVd23d6J0hTHCv24p24uHEGGy7XlO/dPJ6A
- IjROYU0l8c03pipdJ3cDBx6riArSglwmZJ7xH/Iw0BUhRZrPqbtijY7EcG2wc+8K
- N9N9mBofVMl4EcBiDR/eecK+ro8OkeOmYPtYgFJLvxTYXiPIhOxMAlkOY2fpin/t
- cgFLUFuN4ag751XjjcNpVovVq95vdg+VhKrrNVWZjJt03owW81BzoryY6CD2kIPq
- UxK89zEdeYOUT7AxaT/5V5v41IvGFZxCzwIDAQAB
+ MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ
+ oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX
+ MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f
+ 4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA
+ n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p
+ do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ fastpoke = {
+ dc = "lass"; #dc = "cac";
+ nets = rec {
+ internet = {
+ addrs4 = ["193.22.164.36"];
+ aliases = [
+ "fastpoke.internet"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ addrs4 = ["10.243.253.152"];
+ addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"];
+ aliases = [
+ "fastpoke.retiolum"
+ "cgit.fastpoke.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAs4p5xsQYx06v+OkUbc09K6voFAbkvO66QdFoM71E10XyCeLP6iuq
+ DaIOFN4GrPR36pgyjqtJ+62G9uR+WsB/y14eio1p1ivDWgcpt5soOZAH5zVRRD9O
+ FBDlgVNwIJ6stMHy6OenEKWsfEiZRN3XstnqAqyykzjddglth1tJntn6kbZehzNQ
+ ezfIyN4XgaX2fhSu+UnAyLcV8wWnF9cMABjz7eKcSmRJgtG4ZiuDkbgiiEew7+pB
+ EPqOVQ80lJvzQKgO4PmVoAjD9A+AHnmLJNPDQQi8nIVilGCT60IX+XT1rt85Zpdy
+ rEaeriw/qsVJnberAhDAdQYYuM1ai2H5swIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
@@ -501,6 +564,7 @@ let
"cgit.cd.viljetic.de"
"cd.krebsco.de"
];
+ ssh.port = 11423;
};
retiolum = {
via = internet;
@@ -527,6 +591,8 @@ let
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6";
};
mkdir = rec {
cores = 1;
@@ -534,7 +600,7 @@ let
infest.addr = head nets.internet.addrs4;
nets = rec {
internet = {
- addrs4 = ["104.233.84.102"];
+ addrs4 = ["104.233.84.215"];
aliases = [
"mkdir.internet"
];
@@ -559,6 +625,35 @@ let
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw";
+ };
+ ire = {
+ nets = {
+ internet = {
+ addrs4 = ["198.147.22.115"];
+ ssh.port = 11423;
+ };
+ retiolum = {
+ addrs4 = ["10.243.231.66"];
+ addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
+ aliases = [
+ "ire.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7
+ rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt
+ 6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU
+ 1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K
+ LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu
+ nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ ssh.port = 11423;
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY";
};
nomic = {
cores = 2;
@@ -584,6 +679,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09";
};
rmdir = rec {
cores = 1;
@@ -616,6 +712,8 @@ let
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4";
};
wu = {
cores = 4;
@@ -641,6 +739,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
xu = {
cores = 4;
@@ -666,6 +765,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw";
};
};
users = addNames {
diff --git a/krebs/3modules/build/infest/finalize.sh b/krebs/4lib/infest/finalize.sh
index ced5a4d4d..ced5a4d4d 100644
--- a/krebs/3modules/build/infest/finalize.sh
+++ b/krebs/4lib/infest/finalize.sh
diff --git a/krebs/3modules/build/infest/install-nix.sh b/krebs/4lib/infest/install-nix.sh
index 88c8c3e1e..88c8c3e1e 100644
--- a/krebs/3modules/build/infest/install-nix.sh
+++ b/krebs/4lib/infest/install-nix.sh
diff --git a/krebs/3modules/build/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index 07c00c3a5..07c00c3a5 100644
--- a/krebs/3modules/build/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
diff --git a/krebs/4lib/shell.nix b/krebs/4lib/shell.nix
index 2a6da5c16..5910adacc 100644
--- a/krebs/4lib/shell.nix
+++ b/krebs/4lib/shell.nix
@@ -6,7 +6,7 @@ with lib;
rec {
escape =
let
- isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null;
+ isSafeChar = c: match "[-+./0-9:=A-Z_a-z]" c != null;
in
stringAsChars (c:
if isSafeChar c then c
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index dbffdf850..0aa594fb1 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -1,11 +1,12 @@
{ lib, ... }:
+with builtins;
with lib;
with types;
types // rec {
- host = submodule {
+ host = submodule ({ config, ... }: {
options = {
name = mkOption {
type = label;
@@ -46,8 +47,39 @@ types // rec {
TODO define minimum requirements for secure hosts
'';
};
+
+ ssh.pubkey = mkOption {
+ type = nullOr str;
+ default = null;
+ apply = x:
+ if x != null
+ then x
+ else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
+ };
+ ssh.privkey = mkOption {
+ type = nullOr (submodule {
+ options = {
+ bits = mkOption {
+ type = nullOr (enum ["4096"]);
+ default = null;
+ };
+ path = mkOption {
+ type = either path str;
+ apply =