34 files changed, 754 insertions, 362 deletions
@@ -1,7 +1,8 @@ # # usage: -# make system=foo -# make systems='foo bar' +# make infest system=foo [target=bar] +# make [deploy] system=foo [target=bar] +# make [deploy] systems='foo bar' # make eval get=tv.wu.config.time.timeZone [filter=json] #
@@ -11,6 +12,7 @@ ifdef systems $(systems): @ + unset target parallel \ --line-buffer \ -j0 \
@@ -20,7 +22,7 @@ $(systems): else ifdef system .PHONY: deploy infest deploy infest:;@ - export get=$$LOGNAME.${system}.config.krebs.build.scripts.$@ + export get=krebs.$@ export filter=json make -s eval | sh
@@ -39,8 +41,11 @@ endif --eval \ -A "$$get" \ '<stockholm>' \ - --argstr user-name "$$LOGNAME" \ - --argstr host-name "$$HOSTNAME" \ + --argstr current-date "$$(date -Is)" \ + --argstr current-host-name "$$HOSTNAME" \ + --argstr current-user-name "$$LOGNAME" \ + $${system+--argstr system "$$system"} \ + $${target+--argstr target "$$target"} \ | filter else $(error unbound variable: system[s])
diff --git a/default.nix b/default.nix
index 64c69a2f4..c6a635c29 100644
--- a/default.nix
+++ b/default.nix
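Review bot: In the `deploy infest` recipe of the `@@ -20,7 +22,7 @@` hunk, `make -s eval | sh` reports only `sh`'s exit status, so a failing or empty evaluation of `krebs.$@` (an unbound `system`, a typo in `target`) lets the target succeed silently while nothing was deployed. Capture the evaluated script first and stop on evaluation failure: `script=$$(make -s eval) && printf '%s\n' "$$script" | sh`. The `else ifdef system` branch this recipe belongs to continues past the hunk, so any `.ONESHELL` or `set -e` handling it relies on is not visible here.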
@@ -1,35 +1,34 @@ -{ user-name, host-name }: +{ current-date +, current-host-name +, current-user-name +}: let lib = import <nixpkgs/lib>; krebs-modules-path = ./krebs/3modules; krebs-pkgs-path = ./krebs/5pkgs; - user-modules-path = ./. + "/${user-name}/3modules"; - user-pkgs-path = ./. + "/${user-name}/5pkgs"; + user-modules-path = ./. + "/${current-user-name}/3modules"; + user-pkgs-path = ./. + "/${current-user-name}/5pkgs"; out = - (lib.mapAttrs (k: v: mk-namespace (./. + "/${k}")) - (lib.filterAttrs - (k: v: !lib.hasPrefix "." k && v == "directory") - (builtins.readDir ./.))); + lib.mapAttrs (_: builtins.getAttr "main") + (lib.filterAttrs (_: builtins.hasAttr "main") + (lib.mapAttrs + (k: v: + if lib.hasPrefix "." k || v != "directory" then + {} + else if builtins.pathExists (./. + "/${k}/default.nix") then + { main = import (./. + "/${k}"); } + else if builtins.pathExists (./. + "/${k}/1systems") then + { main = mk-namespace (./. + "/${k}"); } + else + {}) + (builtins.readDir ./.))); eval = path: import <nixpkgs/nixos/lib/eval-config.nix> { system = builtins.currentSystem; modules = [ - ({ config, ... }: - with import ./krebs/4lib { inherit lib; }; - { - options.krebs.exec.host = mkOption { - type = types.host; - default = config.krebs.hosts.${host-name}; - }; - options.krebs.exec.user = mkOption { - type = types.user; - default = config.krebs.users.${user-name}; - }; - } - ) path krebs-modules-path user-modules-path diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix new file mode 100644 index 000000000..57495ea69 --- /dev/null +++ b/krebs/3modules/build.nix 
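Review bot: `current-date` and `current-host-name` are added as required arguments on the first lines, but nothing in this hunk reads either of them, and the hunk also deletes the inline module that declared `options.krebs.exec.host` and `options.krebs.exec.user` without the new krebs/3modules/build.nix re-declaring them. If a module outside this hunk still references `config.krebs.exec`, evaluation will now fail; if nothing consumes the two new arguments, they are dead interface that every caller must nonetheless supply. Either document the intent above the signature, e.g. `# current-date / current-host-name: supplied by the Makefile (date -Is, $HOSTNAME); consumed by …`, or drop them until they have a consumer. The `eval` body after `user-modules-path` lies outside the hunk.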
@@ -0,0 +1,72 @@
+{ config, lib, ... }:
+
+with import ../4lib { inherit lib; };
+
+let
+ target = config.krebs.build // { user.name = "root"; };
+
+ out = {
+ # TODO deprecate krebs.build.host
+ options.krebs.build.host = mkOption {
+ type = types.host;
+ };
+
+ # TODO make krebs.build.profile shell safe
+ options.krebs.build.profile = mkOption {
+ type = types.str;
+ default = "/nix/var/nix/profiles/system";
+ };
+
+ # TODO make krebs.build.target.host :: host
+ options.krebs.build.target = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ };
+
+ # TODO deprecate krebs.build.user
+ options.krebs.build.user = mkOption {
+ type = types.user;
+ };
+
+ options.krebs.build.source.dir = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ host = mkOption {
+ type = types.host;
+ };
+ path = mkOption {
+ type = types.str;
+ };
+ target-path = mkOption {
+ type = types.str;
+ default = "/root/${config._module.args.name}";
+ };
+ url = mkOption {
+ type = types.str;
+ default = "file://${config.host.name}${config.path}";
+ };
+ };
+ }));
+ default = {};
+ };
+
+ options.krebs.build.source.git = mkOption {
+ type = with types; attrsOf (submodule ({ config, ... }: {
+ options = {
+ url = mkOption {
+ type = types.str; # TODO must be shell safe
+ };
+ rev = mkOption {
+ type = types.str;
+ };
+ target-path = mkOption {
+ type = types.str;
+ default = "/root/${config._module.args.name}";
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+in out
diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix
deleted file mode 100644
index 4d2f36a02..000000000
--- a/krebs/3modules/build/default.nix
+++ /dev/null
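Review bot: `target = config.krebs.build // { user.name = "root"; };` in the new file's `let` is never referenced — its only consumers (`ssh-target` and the deploy/infest scripts) are deleted with krebs/3modules/build/default.nix in this same commit — so the binding is dead and the `let … in out` wrapper can shrink to the bare option set. The carried-over TODOs still hold: `krebs.build.profile` and `source.git.url` ("must be shell safe") remain plain `types.str`, and with the script generation now living elsewhere, whatever interpolates them into the `sh` input has to quote with `lib.escapeShellArg` (as the removed `_nix-env` script did for its `-A` argument) or the options should reject unsafe values via `apply`/`check`. A one-line `##` note on each TODO naming the consuming module would keep that contract findable.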
@@ -1,269 +0,0 @@ -{ config, lib, ... }: - -with import ../../4lib { inherit lib; }; - -let - target = config.krebs.build // { user.name = "root"; }; - - out = { - # TODO deprecate krebs.build.host - options.krebs.build.host = mkOption { - type = types.host; - }; - - # TODO make krebs.build.profile shell safe - options.krebs.build.profile = mkOption { - type = types.str; - default = "/nix/var/nix/profiles/system"; - }; - - # TODO make krebs.build.target.host :: host - options.krebs.build.target = mkOption { - type = with types; nullOr str; - default = null; - }; - - # TODO deprecate krebs.build.user - options.krebs.build.user = mkOption { - type = types.user; - }; - - options.krebs.build.scripts.deploy = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - (${config.krebs.build.scripts._source}) - ${ssh-target '' - ${config.krebs.build.scripts._nix-env} - ${config.krebs.build.profile}/bin/switch-to-configuration switch - ''} - echo OK - ''; - }; - - options.krebs.build.scripts.infest = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - - export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \ - -o 'HostName ${target.host.infest.addr}' \ - -o 'Port ${toString target.host.infest.port}' \ - " - ssh() { - eval "$RSYNC_RSH \"\$@\"" - } - - ${ssh-target '' - ${readFile ./infest/prepare.sh} - ${readFile ./infest/install-nix.sh} - ''} - - (${config.krebs.build.scripts._source}) - - ${ssh-target '' - export PATH; PATH=/root/.nix-profile/bin:$PATH - - src=$(type -p nixos-install) - cat_src() { - sed < "$src" "$( - sed < "$src" -n ' - /^if ! 
test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= - /^nixpkgs=/= - /^NIX_PATH=/,/^$/{/./=} - ' \ - | sed 's:$:s/^/#krebs#/:' - )" - } - - # Location to insert config.krebs.build.scripts._nix-env - i=$(sed -n '/^echo "building the system configuration/=' "$src") - - { - cat_src | sed -n "1,$i{p}" - cat ${doc config.krebs.build.scripts._nix-env} - cat_src | sed -n "$i,\''${$i!p}" - } > nixos-install - chmod +x nixos-install - - # Wrap inserted config.krebs.build.scripts._nix-env into chroot. - nix_env=$(cat_src | sed -n ' - s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q - ') - echo nix-env is $nix_env - sed -i ' - s:^nix-env:chroot $mountPoint '"$nix_env"': - ' nixos-install - - ./nixos-install - - ${readFile ./infest/finalize.sh} - ''} - ''; - }; - - options.krebs.build.scripts._nix-env = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - NIX_PATH=${config.krebs.build.source.NIX_PATH} \ - nix-env \ - -f '<stockholm>' \ - -Q \ - --argstr user-name ${config.krebs.exec.user.name} \ - --argstr host-name ${target.host.name} \ - --profile ${config.krebs.build.profile} \ - --set \ - -A ${lib.escapeShellArg (lib.concatStringsSep "." [ - config.krebs.build.user.name - config.krebs.build.host.name - "system" - ])} - ''; - }; - - options.krebs.build.scripts._source = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - ${ - lib.concatStringsSep "\n" - (lib.mapAttrsToList - (name: { scripts, url, ... }: "(${scripts._source})") - (config.krebs.build.source.dir // - config.krebs.build.source.git)) - } - ''; - }; - - options.krebs.build.source.NIX_PATH = mkOption { - type = types.str; - default = - lib.concatStringsSep ":" - (lib.mapAttrsToList (name: _: "${name}=/root/${name}") - (config.krebs.build.source.dir // - config.krebs.build.source.git)); - }; - - options.krebs.build.source.dir = mkOption { - type = - let - exec = config.krebs.exec; - in - types.attrsOf (types.submodule ({ config, ... 
}: - let - url = "file://${config.host.name}${config.path}"; - - can-link = config.host.name == target.host.name; - can-push = config.host.name == exec.host.name; - - push-method = '' - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --exclude tmp \ - --rsync-path='mkdir -p ${config.target-path} && rsync' \ - --delete-excluded \ - -vrLptgoD \ - ${config.path}/ \ - ${target.user.name}@${target.host.name}:${config.target-path} - ''; - in - { - options = { - host = mkOption { - type = types.host; - description = '' - define the host where the directory is stored on. - XXX: currently it is just used to check if rsync is working, - becomes part of url - ''; - }; - path = mkOption { - type = types.str; - }; - scripts._source = mkOption { - type = types.str; - default = - #if can-link then link-method else - if can-push then push-method else - throw "cannot source ${url}"; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - url = mkOption { - type = types.str; - default = "file://${config.host.name}${config.path}"; - }; - }; - } - )); - default = {}; - }; - - options.krebs.build.source.git = mkOption { - type = - let - target = config.krebs.build // { user.name = "root"; }; - in - with types; attrsOf (submodule ({ config, ... }: - { - options = { - url = mkOption { - type = types.str; # TODO must be shell safe - }; - rev = mkOption { - type = types.str; - }; - scripts._source = mkOption { - type = types.str; - default = ssh-target '' - mkdir -p ${config.target-path} - cd ${config.target-path} - if ! test -e .git; then - git init - fi - if ! cur_url=$(git config remote.origin.url 2>/dev/null); then - git remote add origin ${config.url} - elif test "$cur_url" != ${config.url}; then - git remote set-url origin ${config.url} - fi - if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then - git fetch origin - git checkout ${config.rev} -- . 
- git checkout -q ${config.rev} - git submodule init - git submodule update - fi - git clean -dxf - ''; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - }; - } - )); - default = {}; - }; - }; - - doc = s: - let b = "EOF${hashString "sha256" s}"; in - '' - <<\${b} - ${s} - ${b} - ''; - - ssh-target = script: - "ssh root@${target.host.name} -T ${doc '' - set -efu - ${script} - ''}"; - -in out diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index dc30b9c50..2d3b7b077 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,7 +6,7 @@ let out = { imports = [ - ./build + ./build.nix ./exim-retiolum.nix ./exim-smarthost.nix ./github-hosts-sync.nix @@ -84,13 +84,16 @@ let mapAttrsToList (hostname: host: mapAttrsToList (netname: net: let - aliases = toString (unique (longs ++ shorts)); + aliases = longs ++ shorts; providers = dns.split-by-provider net.aliases cfg.dns.providers; longs = providers.hosts; - shorts = map (removeSuffix ".${cfg.search-domain}") longs; + shorts = + map (removeSuffix ".${cfg.search-domain}") + (filter (hasSuffix ".${cfg.search-domain}") + longs); in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets + map (addr: "${addr} ${toString aliases}") net.addrs + ) (filterAttrs (name: host: host.aliases != []) host.nets) ) cfg.hosts )); 
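Review bot: In the `@@ -84,13 +84,16 @@` hunk, the new `filterAttrs (name: host: host.aliases != []) host.nets` names its second lambda parameter `host` although it receives a net, shadowing the enclosing `host` from `mapAttrsToList (hostname: host: …)`; `(_: net: net.aliases != [])` says what is being filtered and avoids the misread. Dropping `unique` from `aliases = longs ++ shorts` is probably fine now that `shorts` only holds stripped `search-domain` names, but an alias present in both long and short form will appear twice on the generated line. The attribute-building expression this lambda sits in starts before the hunk.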
@@ -100,6 +103,36 @@ let ([cfg.zone-head-config] ++ combined-hosts) ; combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones; + + services.openssh.hostKeys = + let inherit (config.krebs.build.host.ssh) privkey; in + mkIf (privkey != null) (mkForce [privkey]); + + services.openssh.knownHosts = + mapAttrs + (name: host: { + hostNames = + concatLists + (mapAttrsToList + (net-name: net: + let + aliases = shorts ++ longs; + longs = net.aliases; + shorts = + map (removeSuffix ".${cfg.search-domain}") + (filter (hasSuffix ".${cfg.search-domain}") + longs); + add-port = a: + if net.ssh.port != null + then "[${a}]:${toString net.ssh.port}" + else a; + in + aliases ++ map add-port net.addrs) + host.nets); + + publicKey = host.ssh.pubkey; + }) + (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts); } ]; @@ -110,7 +143,7 @@ let dc = "lass"; #dc = "cac"; nets = rec { internet = { - addrs4 = ["162.248.8.63"]; + addrs4 = ["104.233.84.57"]; aliases = [ "echelon.internet" ]; 
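Review bot: In the new `services.openssh.knownHosts` entry, `add-port` is applied only to `net.addrs`, so when `net.ssh.port` is set the aliases are written without the `[name]:port` form; OpenSSH looks hosts up as `[host]:port` for any non-default port, so a connection by alias to such a host will not match the pinned key and falls back to an unknown-host prompt, which is exactly what this entry is meant to prevent. Use `map add-port (aliases ++ net.addrs)` (add-port is the identity when the port is null) so the bracketed form is emitted for names as well. `services.openssh.hostKeys = mkIf (privkey != null) (mkForce [privkey])` passes the `ssh.privkey` submodule value straight through; its fields are declared in the types.nix hunk that is cut off on this page, so confirm they match what `hostKeys` expects and that `path` is not turned into a store path when interpolated. The enclosing `out` module set starts before the hunk.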
@@ -125,12 +158,42 @@ let ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA92ybhDahtGybpAkUNlG5Elxw05MVY4Pg7yK0dQugB4nVq+pnmi78 - DOMeIciecMHmJM8n9UlUU0eWZVCgHeVd23d6J0hTHCv24p24uHEGGy7XlO/dPJ6A - IjROYU0l8c03pipdJ3cDBx6riArSglwmZJ7xH/Iw0BUhRZrPqbtijY7EcG2wc+8K - N9N9mBofVMl4EcBiDR/eecK+ro8OkeOmYPtYgFJLvxTYXiPIhOxMAlkOY2fpin/t - cgFLUFuN4ag751XjjcNpVovVq95vdg+VhKrrNVWZjJt03owW81BzoryY6CD2kIPq - UxK89zEdeYOUT7AxaT/5V5v41IvGFZxCzwIDAQAB + MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ + oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX + MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f + 4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA + n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p + do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + fastpoke = { + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["193.22.164.36"]; + aliases = [ + "fastpoke.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.253.152"]; + addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"]; + aliases = [ + "fastpoke.retiolum" + "cgit.fastpoke.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAs4p5xsQYx06v+OkUbc09K6voFAbkvO66QdFoM71E10XyCeLP6iuq + DaIOFN4GrPR36pgyjqtJ+62G9uR+WsB/y14eio1p1ivDWgcpt5soOZAH5zVRRD9O + FBDlgVNwIJ6stMHy6OenEKWsfEiZRN3XstnqAqyykzjddglth1tJntn6kbZehzNQ + ezfIyN4XgaX2fhSu+UnAyLcV8wWnF9cMABjz7eKcSmRJgtG4ZiuDkbgiiEew7+pB + EPqOVQ80lJvzQKgO4PmVoAjD9A+AHnmLJNPDQQi8nIVilGCT60IX+XT1rt85Zpdy + rEaeriw/qsVJnberAhDAdQYYuM1ai2H5swIDAQAB -----END RSA PUBLIC KEY----- ''; }; @@ -501,6 +564,7 @@ let "cgit.cd.viljetic.de" "cd.krebsco.de" ]; + ssh.port = 11423; }; retiolum = { via = internet; 
@@ -527,6 +591,8 @@ let ''; }; }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6"; }; mkdir = rec { cores = 1; @@ -534,7 +600,7 @@ let infest.addr = head nets.internet.addrs4; nets = rec { internet = { - addrs4 = ["104.233.84.102"]; + addrs4 = ["104.233.84.215"]; aliases = [ "mkdir.internet" ]; @@ -559,6 +625,35 @@ let ''; }; }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw"; + }; + ire = { + nets = { + internet = { + addrs4 = ["198.147.22.115"]; + ssh.port = 11423; + }; + retiolum = { + addrs4 = ["10.243.231.66"]; + addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"]; + aliases = [ + "ire.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7 + rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt + 6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU + 1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K + LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu + nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + ssh.port = 11423; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY"; }; nomic = { cores = 2; @@ -584,6 +679,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09"; }; rmdir = rec { cores = 1; @@ -616,6 +712,8 @@ let ''; }; }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4"; }; wu = { cores = 4; @@ -641,6 +739,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; }; xu = { cores = 4; 
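Review bot: `ssh.privkey.path = <secrets/ssh.id_ed25519>;` is a Nix path value, not a string; if any consumer interpolates it (the `services.openssh.hostKeys` entry built in this commit's default.nix hunk, for instance), Nix copies the private key into the world-readable store. The `path` option in the types.nix hunk is declared `either path str` with an `apply` that is cut off here — confirm it converts with `toString` so the file is referenced in place, or write the value as a string. The same value is set in the `@@ -559,6 +625,35 @@` (mkdir) and `@@ -616,6 +712,8 @@` (rmdir) hunks. The enclosing `hosts` set starts before the hunk.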
@@ -666,6 +765,7 @@ let }; }; secure = true; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw"; }; }; users = addNames { diff --git a/krebs/3modules/build/infest/finalize.sh b/krebs/4lib/infest/finalize.sh index ced5a4d4d..ced5a4d4d 100644 --- a/krebs/3modules/build/infest/finalize.sh +++ b/krebs/4lib/infest/finalize.sh diff --git a/krebs/3modules/build/infest/install-nix.sh b/krebs/4lib/infest/install-nix.sh index 88c8c3e1e..88c8c3e1e 100644 --- a/krebs/3modules/build/infest/install-nix.sh +++ b/krebs/4lib/infest/install-nix.sh diff --git a/krebs/3modules/build/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 07c00c3a5..07c00c3a5 100644 --- a/krebs/3modules/build/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh diff --git a/krebs/4lib/shell.nix b/krebs/4lib/shell.nix index 2a6da5c16..5910adacc 100644 --- a/krebs/4lib/shell.nix +++ b/krebs/4lib/shell.nix @@ -6,7 +6,7 @@ with lib; rec { escape = let - isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; + isSafeChar = c: match "[-+./0-9:=A-Z_a-z]" c != null; in stringAsChars (c: if isSafeChar c then c diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index dbffdf850..0aa594fb1 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -1,11 +1,12 @@ { lib, ... }: +with builtins; with lib; with types; types // rec { - host = submodule { + host = submodule ({ config, ... }: { options = { name = mkOption { type = label; @@ -46,8 +47,39 @@ types // rec { TODO define minimum requirements for secure hosts ''; }; + + ssh.pubkey = mkOption { + type = nullOr str; + default = null; + apply = x: + if x != null + then x + else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null; + }; + ssh.privkey = mkOption { + type = nullOr (submodule { + options = { + bits = mkOption { + type = nullOr (enum ["4096"]); + default = null; + }; + path = mkOption { + type = either path str; + apply = |
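Review bot: Adding `=` to `isSafeChar` in the krebs/4lib/shell.nix `escape` hunk means a word such as `a=b` now passes through unquoted; that is fine in argument position, but if any caller places an escaped word first in a simple command the shell parses it as a variable assignment instead of a command name. Unless every call site is argument-only, keep `=` out of the class or quote when the word matches `[A-Za-z_][A-Za-z0-9_]*=.*`. `+` and `:` are harmless additions. The `escape` definition continues past the hunk (`stringAsChars (c: if isSafeChar c then c …`).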