-rw-r--r-- | krebs/5pkgs/krebs-ci/default.nix | 37 | ||||
-rwxr-xr-x | krebs/5pkgs/krebs-ci/notes | 111 | ||||
-rw-r--r-- | makefu/2configs/default.nix | 2 | ||||
-rw-r--r-- | shared/1systems/test-centos7.nix | 3 | ||||
-rw-r--r-- | shared/2configs/base.nix | 8 | ||||
-rw-r--r-- | shared/2configs/temp/dirs.nix | 1 | ||||
-rw-r--r-- | shared/2configs/temp/networking.nix | 1 |
7 files changed, 158 insertions, 5 deletions
diff --git a/krebs/5pkgs/krebs-ci/default.nix b/krebs/5pkgs/krebs-ci/default.nix
new file mode 100644
index 000000000..f5b302b52
--- /dev/null
+++ b/krebs/5pkgs/krebs-ci/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }:
+
+stdenv.mkDerivation rec {
+ name = "krebs-ci-0.1.0";
+
+ src = ./notes;
+
+ phases = [
+ "installPhase"
+ ];
+ buildInputs = [ makeWrapper ];
+
+ path = stdenv.lib.makeSearchPath "bin" [
+ coreutils
+ cac
+ cacpanel
+ gnumake
+ gnused
+ jq
+ openssh
+ ];
+
+ installPhase =
+ ''
+ mkdir -p $out/bin
+ cp ${src} $out/bin/krebs-ci
+ chmod +x $out/bin/krebs-ci
+ wrapProgram $out/bin/krebs-ci \
+ --prefix PATH : ${path}
+ '';
+ meta = with stdenv.lib; {
+ homepage = http://krebsco.de;
+ description = "Krebs CI Scripts";
+ license = licenses.wtfpl;
+ maintainers = [ maintainers.makefu ];
+ };
+}
diff --git a/krebs/5pkgs/krebs-ci/notes b/krebs/5pkgs/krebs-ci/notes
new file mode 100755
index 000000000..7e34d6a28
--- /dev/null
+++ b/krebs/5pkgs/krebs-ci/notes
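Review bot: The `path` list that `wrapProgram` prepends to PATH omits `gnugrep`, although the packaged `notes` script added in this same commit calls `grep CentOS`, and `coreutils` does not provide grep. Because the wrapper uses `--prefix PATH`, the caller's own PATH is still searched afterwards, so the script will usually work, but the wrapper is not hermetic and which `grep` and `sh` it runs depends on the invoking environment. Add `gnugrep` to the function arguments and to the search path: `path = stdenv.lib.makeSearchPath "bin" [ coreutils cac cacpanel gnumake gnused gnugrep jq openssh ];`. Nit on the first line: `coreutils,makeWrapper` is missing the space after the comma.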
@@ -0,0 +1,111 @@
+#! /bin/sh
+
+# nix-shell -p gnumake jq openssh cac cacpanel
+set -euf
+
+# 2 secrets are required:
+krebs_cred=${krebs_cred-./cac.json}
+retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
+
+# Sanity
+if test ! -r "$krebs_cred";then
+ echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
+fi
+if test ! -r "$retiolum_key";then
+ echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
+fi
+
+krebs_secrets=$(mktemp -d)
+sec_file=$krebs_secrets/cac_config
+krebs_ssh=$krebs_secrets/tempssh
+# we need to receive this key from buildmaster to speed up tinc bootstrap
+TRAP="rm $sec_file;rm -r $krebs_secrets"
+trap "$TRAP" INT TERM EXIT
+
+cat > $sec_file <<EOF
+cac_login="$(jq -r .email $krebs_cred)"
+cac_key="$(cac-cli panel --config $krebs_cred settings | jq -r .apicode)"
+EOF
+
+export cac_secrets=$sec_file
+cac-cli panel --config $krebs_cred update-api-ip
+
+# test login:
+cac update
+cac servers
+
+# Template 26: CentOS7
+# TODO: use cac templates to determine the real Centos7 template in case it changes
+name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1\
+ | jq -r .servername)
+
+id=servername:$name
+trap "cac delete $id;$TRAP" INT TERM EXIT
+# TODO: timeout?
+always_update=true cac waitstatus $id "Powered On"
+
+wait_login_cac(){
+ # timeout
+ for t in `seq 60`;do
+ # now we have a working cac server
+ if cac ssh $1 cat /etc/redhat-release | \
+ grep CentOS ;then
+ return 0
+ fi
+ sleep 10
+ done
+ return 1
+}
+# die on timeout
+wait_login_cac $id
+
+mkdir -p shared/2configs/temp
+cac generatenetworking $id > \
+ shared/2configs/temp/networking.nix
+# new temporary ssh key we will use to log in after infest
+ssh-keygen -f $krebs_ssh -N ""
+cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
+# we override the directories for secrets and stockholm
+# additionally we set the ssh key we generated
+ip=$(cac getserver $id | jq -r .ip)
+
+cat > shared/2configs/temp/dirs.nix <<EOF
+_: {
+ krebs.build.source.dir = {
+ secrets.path = "$krebs_secrets";
+ stockholm.path = "$(pwd)";
+ };
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ "$(cat ${krebs_ssh}.pub)"
+ ];
+ krebs.build.target = "$ip";
+}
+EOF
+
+LOGNAME=shared make eval get=krebs.infest \
+ target=derp system=test-centos7 filter=json \
+ | sed -e "s#^ssh.*<<#cac ssh $id<<#" \
+ -e "/^rsync/a -e 'cac ssh $id' \\\\" \
+ -e "s#root.derp:#:#" > $krebs_secrets/infest
+sh -x $krebs_secrets/infest
+
+# TODO: generate secrets directory $krebs_secrets for nix import
+cac powerop $id reset
+
+wait_login(){
+ # timeout
+ for t in `seq 20`;do
+ # now we have a working cac server
+ if ssh -o StrictHostKeyChecking=no \
+ -o UserKnownHostsFile=/dev/null \
+ -i $krebs_ssh \
+ -o ConnectTimeout=10 \
+ -o BatchMode=yes \
+ root@$1 nixos-version ;then
+ return 0
+ fi
+ sleep 10
+ done
+ return 1
+}
+wait_login $ip
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index c0d7685e3..a0b49edaf 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
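Review bot: `wait_login` at the end of the hunk logs in as root with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the first SSH connection to the freshly infested host is made with no host-key verification at all; the host's public key could instead be read over the existing `cac ssh $id` console channel before `cac powerop $id reset` and pinned through a per-run known_hosts file kept under `$krebs_secrets`. `sh -x $krebs_secrets/infest` traces every command of the generated infest script to stderr, so if that script inlines any secret material it lands in the CI log; running it without `-x`, or sending the trace somewhere other than the build log, avoids that. `name=$( cac build ... 2>&1 | jq -r .servername)` feeds stderr into jq as well, so any warning printed by `cac` breaks the JSON parse and, under `set -e`, the run; dropping `2>&1` keeps jq's input clean. The generated `shared/2configs/temp/dirs.nix` also writes the temporary secrets path and the run's public key into the checked-in tree where it can be committed by accident; a `.gitignore` entry for `shared/2configs/temp/` or a comment in the placeholder file would prevent that.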
@@ -24,7 +24,7 @@ with lib; git.nixpkgs = { #url = https://github.com/NixOS/nixpkgs; url = mkDefault https://github.com/makefu/nixpkgs; - rev = mkDefault "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picking + rev = mkDefault "3fd2c24685f604edc925f73ed56600b8c66236b3"; # nixos-15.09 + cherry-picking target-path = "/var/src/nixpkgs"; }; diff --git a/shared/1systems/test-centos7.nix b/shared/1systems/test-centos7.nix index 077a5d61b..48cecc877 100644 --- a/shared/1systems/test-centos7.nix +++ b/shared/1systems/test-centos7.nix @@ -7,7 +7,8 @@ in { imports = [ ../2configs/base.nix ../2configs/os-templates/CAC-CentOS-7-64bit.nix - ../2configs/os-templates/temp-networking.nix + ../2configs/temp/networking.nix + ../2configs/temp/dirs.nix ]; sound.enable = false; diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix index df41eae1a..c36061e38 100644 --- a/shared/2configs/base.nix +++ b/shared/2configs/base.nix @@ -13,6 +13,8 @@ with lib; ]; }; + # TODO rename shared user to "krebs" + krebs.build.user = config.krebs.users.shared; krebs.build.source = { git.nixpkgs = { url = https://github.com/NixOS/nixpkgs; @@ -20,11 +22,11 @@ with lib; }; dir.secrets = { host = config.krebs.current.host; - path = "${getEnv "HOME"}/secrets/krebs/wolf"; + path = mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}"; }; dir.stockholm = { host = config.krebs.current.host; - path = "${getEnv "HOME"}/stockholm"; + path = mkDefault "${getEnv "HOME"}/stockholm"; }; }; @@ -65,7 +67,7 @@ with lib; config.krebs.users.lass.pubkey config.krebs.users.makefu.pubkey # TODO HARDER: - (readFile ../../krebs/Zpubkeys/makefu_omo.ssh.pub) + config.krebs.users.makefu-omo.pubkey config.krebs.users.tv.pubkey ]; diff --git a/shared/2configs/temp/dirs.nix b/shared/2configs/temp/dirs.nix new file mode 100644 index 000000000..958608a54 --- /dev/null +++ b/shared/2configs/temp/dirs.nix @@ -0,0 +1 @@ +_: { } 
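Review bot: The `# TODO HARDER:` comment that precedes the replaced `readFile ../../krebs/Zpubkeys/makefu_omo.ssh.pub` line in the third base.nix hunk is kept while the line it annotated is now `config.krebs.users.makefu-omo.pubkey`; if the TODO was about the hard-coded key file it is resolved by this change and should go, otherwise it should say what is still missing. In the second hunk, the new `mkDefault` on `dir.secrets.path` and `dir.stockholm.path` appears to be what lets the generated temp `dirs.nix` override them; a short comment such as `# mkDefault so krebs-ci can point these at a per-run temp dir` would make that coupling visible to the next editor.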
diff --git a/shared/2configs/temp/networking.nix b/shared/2configs/temp/networking.nix
new file mode 100644
index 000000000..958608a54
--- /dev/null
+++ b/shared/2configs/temp/networking.nix
@@ -0,0 +1 @@
+_: { }
|