| -rw-r--r-- | default.nix | 9 | ||||
| -rw-r--r-- | krebs/3modules/bepasty-server.nix (renamed from makefu/3modules/bepasty-server.nix) | 102 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 10 | ||||
| -rw-r--r-- | krebs/3modules/tinc_graphs.nix (renamed from makefu/3modules/tinc_graphs.nix) | 4 | ||||
| -rw-r--r-- | krebs/default.nix | 26 | ||||
| -rw-r--r-- | makefu/1systems/wry.nix | 2 | ||||
| -rw-r--r-- | makefu/2configs/Reaktor/random-emoji.nix | 1 | ||||
| -rw-r--r-- | makefu/2configs/Reaktor/random-emoji.sh | 3 | ||||
| -rw-r--r-- | makefu/3modules/default.nix | 2 | ||||
| -rw-r--r-- | tv/1systems/cd.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/mkdir.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/nomic.nix | 13 | ||||
| -rw-r--r-- | tv/1systems/rmdir.nix | 1 | ||||
| -rw-r--r-- | tv/1systems/wu.nix | 1 | ||||
| -rw-r--r-- | tv/2configs/base.nix | 6 | 
15 files changed, 99 insertions, 83 deletions
| diff --git a/default.nix b/default.nix
index c70225174..b261e51e7 100644
--- a/default.nix
+++ b/default.nix
@@ -17,7 +17,8 @@
 { current-date ? abort "current-date not defined"
 , current-host-name ? abort "current-host-name not defined"
 , current-user-name ? builtins.getEnv "LOGNAME"
-}@current:
+, StrictHostKeyChecking ? "yes"
+}@args:
 let stockholm = {
     # The generated scripts to deploy (or infest) systems can be found in the
@@ -44,10 +45,10 @@ let stockholm = {
     # Additionally, output lib and pkgs for easy access from the shell.
     # Notice how we're evaluating just the base module to obtain pkgs.
     inherit lib;
-    inherit (eval {}) pkgs;
+    inherit pkgs;
   };
-  krebs = import ./krebs (current // { inherit lib stockholm; });
+  krebs = import ./krebs (args // { inherit lib stockholm; });
   lib =
     let
@@ -62,6 +63,8 @@ let stockholm = {
       nspath = ns: p: stockholm-path + "/${ns}/${p}";
     };
+  inherit (eval {}) pkgs;
+
   # Path resolvers for common and individual files.
   # Example: `upath "3modules"` produces the current user's 3modules directory
   kpath = lib.nspath "krebs";
diff --git a/makefu/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index ff32eea60..c99c3d11a 100644
--- a/makefu/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -10,7 +10,10 @@ let
   out = {
     options.krebs.bepasty = api;
-    config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ;
+    config = mkIf cfg.enable (mkMerge [
+      (mkIf cfg.serveNginx nginx-imp)
+      imp
+    ]);
   };
   api = {
@@ -25,7 +28,7 @@ let
           type = with types; attrsOf unspecified;
           description = ''
             additional nginx configuration. see krebs.nginx for all options
-          '' ;
+          '';
         };
         secretKey = mkOption {
@@ -52,7 +55,7 @@ let
           description = ''
             Defaults to the new users home dir which defaults to
             /var/lib/bepasty-server/data
-            '';
+          '';
           default = "${config.users.extraUsers.bepasty.home}/data";
         };
@@ -65,14 +68,14 @@ let
               'myadminsecret': 'admin,list,create,read,delete',
             }
             MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
-            '';
+          '';
         };
         defaultPermissions = mkOption {
           # TODO: listOf str
           type = types.str;
           description = ''
-          default permissions for all unauthenticated users.
+            default permissions for all unauthenticated users.
           '';
           example = "read,create,delete";
           default = "read";
@@ -88,42 +91,42 @@ let
     # Configures systemd services for each configured server
     # environment.systemPackages = [ bepasty gunicorn gevent ];
     systemd.services = mapAttrs' (name: server:
-      nameValuePair ("bepasty-server-${name}")
-        ({
-          description = "Bepasty Server ${name}";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          restartIfChanged = true;
-          environment = {
-            BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
-            PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
-          };
-          serviceConfig = {
-            Type = "simple";
-            PrivateTmp = true;
-
-            ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
-              #!/bin/sh
-              mkdir -p "${server.dataDir}" "${server.workDir}"
-              chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
-              cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
-              SITENAME="${name}"
-              STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
-              SECRET_KEY="${server.secretKey}"
-              DEFAULT_PERMISSIONS="${server.defaultPermissions}"
-              ${server.extraConfig}
-              EOF
-            '';
-            ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
-              -u bepasty \
-              -g bepasty \
-              --workers 3 --log-level=info \
-              --bind=unix:${server.workDir}/gunicorn-${name}.sock \
-              --pid ${server.workDir}/gunicorn-${name}.pid \
-              -k gevent
-            '';
-          };
-        })
+      nameValuePair "bepasty-server-${name}" {
+        description = "Bepasty Server ${name}";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        restartIfChanged = true;
+        environment = {
+          BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
+          PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
+        };
+
+        serviceConfig = {
+          Type = "simple";
+          PrivateTmp = true;
+
+          ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+            #!/bin/sh
+            mkdir -p "${server.dataDir}" "${server.workDir}"
+            chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
+            cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
+            SITENAME="${name}"
+            STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
+            SECRET_KEY="${server.secretKey}"
+            DEFAULT_PERMISSIONS="${server.defaultPermissions}"
+            ${server.extraConfig}
+            EOF
+          '';
+          ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
+            -u bepasty \
+            -g bepasty \
+            --workers 3 --log-level=info \
+            --bind=unix:${server.workDir}/gunicorn-${name}.sock \
+            --pid ${server.workDir}/gunicorn-${name}.pid \
+            -k gevent
+          '';
+        };
+      }
     ) cfg.servers;
     users.extraUsers.bepasty = {
@@ -137,8 +140,8 @@ let
   };
   nginx-imp = {
-    assertions = [ { assertion = config.krebs.nginx.enable;
-                      message = "krebs.nginx.enable must be true"; }];
+    assertions = [{ assertion = config.krebs.nginx.enable;
+                     message = "krebs.nginx.enable must be true"; }];
     krebs.nginx.servers = mapAttrs' (name: server:
       nameValuePair("bepasty-server-${name}")
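Review bot: The `ExecStartPre` script on the new side interpolates `server.secretKey` into a `pkgs.writeScript` derivation, so the key ends up in the world-readable Nix store, and the `cat > "${server.workDir}/bepasty-${name}.conf"` line then writes it to disk with whatever umask the service inherits; nothing restricts the mode of that file. Consider adding `umask 077` directly after `#!/bin/sh` so the config is created owner-only before the `chown`, and in a follow-up read the key at runtime from a root-only file (a `secretKeyFile` option) instead of baking it into the store. The `assert server.secretKey != ""` guard only rejects the empty string, so a minimum-length check in the module's option would be a cheap addition. The enclosing `imp` attribute set starts before this hunk.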
@@ -147,18 +150,15 @@ let
           client_max_body_size 32M;
           '';
         locations = [
-          (nameValuePair ("/")
-          (''
+          (nameValuePair "/" ''
             proxy_set_header Host $http_host;
             proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
-          ''))
-          (nameValuePair ("/static/")
-          (''
+           '')
+          (nameValuePair "/static/" ''
             alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
-          ''))
+          '')
           ];
-      }])
-    ) cfg.servers ;
+      }])) cfg.servers ;
   };
 in
 out
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index c695589ca..e244ef7b7 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let
   out = {
     imports = [
+      ./bepasty-server.nix
       ./build.nix
       ./exim-retiolum.nix
       ./exim-smarthost.nix
@@ -17,6 +18,7 @@ let
       ./retiolum-bootstrap.nix
       ./realwallpaper.nix
       ./retiolum.nix
+      ./tinc_graphs.nix
       ./urlwatch.nix
     ];
     options.krebs = api;
@@ -103,10 +105,14 @@ let
       # Implements environment.etc."zones/<zone-name>"
       environment.etc = let
+        stripEmptyLines = s: concatStringsSep "\n"
+          (remove "\n" (remove "" (splitString "\n" s)));
         all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
-          ([cfg.zone-head-config] ++ combined-hosts) ;
+          ([cfg.zone-head-config] ++ combined-hosts);
         combined-hosts = (mapAttrsToList (name: value: value.extraZones)  cfg.hosts );
-      in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+      in lib.mapAttrs' (name: value: nameValuePair
+        ("zones/" + name)
+        { text=(stripEmptyLines value); }) all-zones;
       krebs.exim-smarthost.internet-aliases = let
         format = from: to:
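Review bot: In the new `stripEmptyLines` helper the outer `remove "\n"` is dead: `splitString "\n" s` can never produce an element equal to `"\n"`, so only `remove ""` does any work and the second line can be reduced to `(remove "" (splitString "\n" s));`. Note also that `remove ""` drops only exactly-empty elements, so a line consisting of spaces survives; if whitespace-only lines in zone data are meant to go too, that would need a `filter` on the stripped value. The redundant parentheses in `{ text=(stripEmptyLines value); }` can be dropped as `{ text = stripEmptyLines value; }`. The `environment.etc` binding is shown in full, but the enclosing `imp` set starts before this hunk.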
diff --git a/makefu/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 1f87f00cc..a6c628353 100644
--- a/makefu/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -2,12 +2,12 @@
 with lib;
 let
-  cfg = config.makefu.tinc_graphs;
+  cfg = config.krebs.tinc_graphs;
   internal_dir = "${cfg.workingDir}/internal";
   external_dir = "${cfg.workingDir}/external";
   out = {
-    options.makefu.tinc_graphs = api;
+    options.krebs.tinc_graphs = api;
     config = mkIf cfg.enable imp ;
   };
diff --git a/krebs/default.nix b/krebs/default.nix
index 0b055cd24..31a7f7d04 100644
--- a/krebs/default.nix
+++ b/krebs/default.nix
@@ -3,6 +3,7 @@
 , current-user-name
 , lib
 , stockholm
+, StrictHostKeyChecking ? "yes"
 }:
 let out = {
@@ -131,18 +132,22 @@ let out = {
           s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
         ')
         echo "nix-env is $nix_env" >&2
-        getchrootpath() {(
+        findpkg() {(
           name=$1
-          path=$(find /mnt/nix/store \
+          path=$(find /nix/store \
               -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
             | head -n 1 | sed s:^/mnt::)
-          echo "$name is $path" >&2
-          echo "$path"
+          if echo "$path" | grep .; then
+            echo "$name is $path" >&2
+          else
+            echo "Error: package not found: $name" >&2
+            exit 1
+          fi
         )}
-        cacert=$(getchrootpath cacert)
-        coreutils=$(getchrootpath coreutils)
-        env="$coreutils/bin/env \
-            SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt"
+        cacert=$(findpkg cacert)
+        coreutils=$(findpkg coreutils)
+        cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE
+        env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE"
         sed -i '
           s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
           s:^nix-env:'"$nix_env"':
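Review bot: `findpkg` now searches `/nix/store` but the unchanged context line still pipes through `sed s:^/mnt::`, which can no longer match anything; either the search root was meant to stay under `/mnt` or the `sed` should be dropped so the next reader does not assume a chroot translation is happening. The `exit 1` in the new `else` branch only terminates the `( ... )` subshell, so `cacert=$(findpkg cacert)` would assign an empty string and the script would continue unless `set -e` is in effect for this script (not visible in the hunk); a guard such as `[ -n "$cacert" ] || exit 1` after each assignment makes the failure explicit either way. The success path also relies on `grep .` echoing `$path` to stdout as the function's return value, which deserves a comment like `# grep both tests for a match and prints the path`. The enclosing script string starts before this hunk.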
@@ -260,7 +265,10 @@ let out = {
     in out;
   rootssh = target: script:
-    "ssh root@${target} -T ${doc ''
+    let
+      flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
+    in
+    "ssh ${flags} root@${target} -T ${doc ''
       set -efu
       ${script}
     ''}";
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 63b1f47f7..6627d87b5 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -40,7 +40,7 @@ in {
   krebs.retiolum-bootstrap.enable = true;
   nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
-  makefu.tinc_graphs = {
+  krebs.tinc_graphs = {
     enable = true;
     nginx = {
       enable = true;
diff --git a/makefu/2configs/Reaktor/random-emoji.nix b/makefu/2configs/Reaktor/random-emoji.nix
index b2d99b36b..3113a826b 100644
--- a/makefu/2configs/Reaktor/random-emoji.nix
+++ b/makefu/2configs/Reaktor/random-emoji.nix
@@ -12,6 +12,7 @@ let
                         coreutils
                         gnused
                         gnugrep
+                        xmlstarlet
                         curl]);
 in {
   # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
diff --git a/makefu/2configs/Reaktor/random-emoji.sh b/makefu/2configs/Reaktor/random-emoji.sh
index 913d615be..386aa68b9 100644
--- a/makefu/2configs/Reaktor/random-emoji.sh
+++ b/makefu/2configs/Reaktor/random-emoji.sh
@@ -2,4 +2,5 @@
 curl http://emojicons.com/random -s | \
   grep data-text | \
   sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
-  head -n 1
+  head -n 1 | \
+  xmlstarlet unesc
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index 3ac325b29..a8a1f69d0 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -2,8 +2,6 @@ _:
 {
   imports = [
-    ./tinc_graphs.nix
-    ./bepasty-server.nix
   ];
 }
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 12e52cd11..d2b08bef7 100644
--- a/tv/1systems/cd.nix
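Review bot: `${StrictHostKeyChecking}` is spliced into the ssh command line in `flags` without quoting or validation, so any string reaches the shell, and passing `no` silently turns off host-key verification for every root deployment done through `rootssh` (unknown keys are then accepted automatically and a changed key only warns). Restrict the parameter to the values ssh documents, e.g. `assert builtins.elem StrictHostKeyChecking ["yes" "no" "ask"];` next to the parameter, and add a comment at the parameter stating that anything other than `yes` trades man-in-the-middle protection for convenience and should not be the default for remote hosts. The same unvalidated parameter is introduced in the `@@ -17,7 +17,8 @@` hunk of default.nix and the `@@ -3,6 +3,7 @@` hunk of krebs/default.nix.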
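Review bot: In random-emoji.sh the new `xmlstarlet unesc` stage runs after `head -n 1`, so an entity such as `&#10;` in the page fetched over plain HTTP is decoded into a literal newline after the single-line limit was already applied, and the bot would relay more than one line of unvalidated remote content. Apply the limit last, `xmlstarlet unesc | \` followed by `head -n 1`, and consider stripping remaining control characters with `tr -d '\r'` before the output is handed to Reaktor.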
+++ b/tv/1systems/cd.nix
@@ -114,7 +114,6 @@ with lib;
   ];
   environment.systemPackages = with pkgs; [
-    git # required for ./deploy, clone_or_update
     htop
     iftop
     iotop
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index 669dcc2f3..f0c7dc2a0 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -88,7 +88,6 @@ in
   ];
   environment.systemPackages = with pkgs; [
-    git # required for ./deploy, clone_or_update
     htop
     iftop
     iotop
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 718f6ae24..210846215 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -64,27 +64,24 @@ with lib;
   ];
   boot.initrd.luks = {
-    cryptoModules = [ "aes" "sha1" "xts" ];
+    cryptoModules = [ "aes" "sha512" "xts" ];
     devices = [
-      {
-        name = "luks1";
-        device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
-      }
+      { name = "luks1"; device = "/dev/sda2"; }
     ];
   };
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+    { device = "/dev/mapper/nomic1-root";
       fsType = "btrfs";
     };
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+    { device = "/dev/sda1";
       fsType = "ext4";
     };
   fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+    { device = "/dev/mapper/nomic1-home";
       fsType = "btrfs";
     };
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index 79e47c539..c52222cd1 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -84,7 +84,6 @@ in
   ];
   environment.systemPackages = with pkgs; [
-    git # required for ./deploy, clone_or_update
     htop
     iftop
     iotop
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index c691066cb..89ad257f0 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
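Review bot: In nomic.nix the LUKS device and `/boot` are moved from `/dev/disk/by-uuid/...` to `/dev/sda2` and `/dev/sda1`, which ties unlocking and booting to kernel enumeration order; an attached USB disk or a second controller can shift those names, whereas the `/dev/mapper/nomic1-*` paths used for `/` and `/home` are stable. Prefer a `/dev/disk/by-uuid/` or `/dev/disk/by-partuuid/` path (the actual identifier must come from the machine) for `luks1` and `/boot`, or add a comment stating why the raw names are acceptable on this host. Whether the `sha1` to `sha512` change in `cryptoModules` matches the hash recorded in the LUKS header is not visible here; if the header still uses sha1 the initrd would lack the module it needs to unlock, so confirm with `cryptsetup luksDump` before deploying.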
@@ -37,7 +37,6 @@ with lib;
         # stockholm
         genid
-        git
         gnumake
         hashPassword
         lentil
diff --git a/tv/2configs/base.nix b/tv/2configs/base.nix
index 010d4b326..4de980cf1 100644
--- a/tv/2configs/base.nix
+++ b/tv/2configs/base.nix
@@ -15,6 +15,12 @@ in
   imports = [
     {
+      # stockholm dependencies
+      environment.systemPackages = with pkgs; [
+        git
+      ];
+    }
+    {
       # TODO never put hashedPassword into the store
       users.extraUsers =
         mapAttrs (_: h: { hashedPassword = h; }) |
