| -rw-r--r-- | 1systems/tv/cd.nix | 17 | ||||
| -rw-r--r-- | 1systems/tv/mkdir.nix | 7 | ||||
| -rw-r--r-- | 1systems/tv/nomic.nix | 8 | ||||
| -rw-r--r-- | 1systems/tv/rmdir.nix | 7 | ||||
| -rw-r--r-- | 1systems/tv/wu.nix | 12 | ||||
| -rw-r--r-- | 2configs/tv/consul-server.nix | 1 | ||||
| -rw-r--r-- | 2configs/tv/exim-retiolum.nix | 4 | ||||
| -rw-r--r-- | 2configs/tv/git.nix (renamed from 2configs/tv/git-public.nix) | 43 | ||||
| -rw-r--r-- | 2configs/tv/identity.nix | 3 | ||||
| -rw-r--r-- | 3modules/krebs/default.nix | 43 | ||||
| -rw-r--r-- | 3modules/krebs/git.nix | 11 | ||||
| -rw-r--r-- | 3modules/krebs/retiolum.nix | 40 | ||||
| -rw-r--r-- | 3modules/tv/consul.nix | 1 | ||||
| -rw-r--r-- | 3modules/tv/default.nix | 10 | ||||
| -rw-r--r-- | 3modules/tv/retiolum.nix | 29 | ||||
| -rw-r--r-- | 4lib/krebs/default.nix | 10 | ||||
| -rw-r--r-- | 4lib/krebs/types.nix | 20 | ||||
| -rw-r--r-- | 4lib/tv/default.nix | 7 | ||||
| -rw-r--r-- | Makefile | 27 | ||||
| -rw-r--r-- | default.nix | 20 | 
20 files changed, 182 insertions, 138 deletions
| diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 463d643a6..d30e7ed8f 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -13,7 +13,7 @@ in      ../../2configs/tv/base.nix      ../../2configs/tv/consul-server.nix      ../../2configs/tv/exim-smarthost.nix -    ../../2configs/tv/git-public.nix +    ../../2configs/tv/git.nix      {        imports = [ ../../2configs/tv/charybdis.nix ];        tv.charybdis = { @@ -22,14 +22,12 @@ in        };      }      { -      imports = [ ../../3modules/tv/ejabberd.nix ];        tv.ejabberd = {          enable = true;          hosts = [ "jabber.viljetic.de" ];        };      }      { -      imports = [ ../../3modules/krebs/github-hosts-sync.nix ];        krebs.github-hosts-sync.enable = true;        tv.iptables.input-internet-accept-new-tcp =          singleton config.krebs.github-hosts-sync.port; @@ -39,7 +37,6 @@ in        tv.identity.self = config.tv.identity.hosts.cd;      }      { -      imports = [ ../../3modules/tv/iptables.nix ];        tv.iptables = {          enable = true;          input-internet-accept-new-tcp = [ @@ -55,19 +52,11 @@ in        };      }      { -      imports = [ -        ../../3modules/tv/iptables.nix -        ../../3modules/krebs/nginx.nix -      ];        tv.iptables.input-internet-accept-new-tcp = singleton "http";        krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";      }      {        # TODO make public_html also available to cd, cd.retiolum (AKA default) -      imports = [ -        ../../3modules/tv/iptables.nix -        ../../3modules/krebs/nginx.nix -      ];        tv.iptables.input-internet-accept-new-tcp = singleton "http";        krebs.nginx.servers.public_html = {          server-names = singleton "cd.viljetic.de"; 
@@ -86,10 +75,8 @@ in        };      }      { -      imports = [ ../../3modules/tv/retiolum.nix ]; -      tv.retiolum = { +      krebs.retiolum = {          enable = true; -        hosts = ../../Zhosts;          connectTo = [            "fastpoke"            "pigstarter" diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index e0e057d63..3e5fb7286 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -9,13 +9,12 @@ with lib;      ../../2configs/tv/base.nix      ../../2configs/tv/consul-server.nix      ../../2configs/tv/exim-smarthost.nix -    ../../2configs/tv/git-public.nix +    ../../2configs/tv/git.nix      {        imports = [ ../../2configs/tv/identity.nix ];        tv.identity.self = config.tv.identity.hosts.mkdir;      }      { -      imports = [ ../../3modules/tv/iptables.nix ];        tv.iptables = {          enable = true;          input-internet-accept-new-tcp = [ @@ -29,10 +28,8 @@ with lib;        };      }      { -      imports = [ ../../3modules/tv/retiolum.nix ]; -      tv.retiolum = { +      krebs.retiolum = {          enable = true; -        hosts = ../../Zhosts;          connectTo = [            "cd"            "fastpoke" diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 8e6812e43..2d32d9e1f 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -8,13 +8,12 @@ with lib;      ../../2configs/tv/base.nix      ../../2configs/tv/consul-server.nix      ../../2configs/tv/exim-retiolum.nix -    ../../2configs/tv/git-public.nix +    ../../2configs/tv/git.nix      {        imports = [ ../../2configs/tv/identity.nix ];        tv.identity.self = config.tv.identity.hosts.nomic;      }      { -      imports = [ ../../3modules/tv/iptables.nix ];        tv.iptables = {          enable = true;          input-internet-accept-new-tcp = [ 
@@ -26,7 +25,6 @@ with lib;        };      }      { -      imports = [ ../../3modules/krebs/nginx.nix ];        krebs.nginx = {          enable = true;          servers.default.locations = [ @@ -37,10 +35,8 @@ with lib;        };      }      { -      imports = [ ../../3modules/tv/retiolum.nix ]; -      tv.retiolum = { +      krebs.retiolum = {          enable = true; -        hosts = ../../Zhosts;          connectTo = [            "gum"            "pigstarter" diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index b77a1c39e..c470086ce 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -9,13 +9,12 @@ with lib;      ../../2configs/tv/base.nix      ../../2configs/tv/consul-server.nix      ../../2configs/tv/exim-smarthost.nix -    ../../2configs/tv/git-public.nix +    ../../2configs/tv/git.nix      {        imports = [ ../../2configs/tv/identity.nix ];        tv.identity.self = config.tv.identity.hosts.rmdir;      }      { -      imports = [ ../../3modules/tv/iptables.nix ];        tv.iptables = {          enable = true;          input-internet-accept-new-tcp = [ @@ -29,10 +28,8 @@ with lib;        };      }      { -      imports = [ ../../3modules/tv/retiolum.nix ]; -      tv.retiolum = { +      krebs.retiolum = {          enable = true; -        hosts = ../../Zhosts;          connectTo = [            "cd"            "mkdir" diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 1d7bbe55b..234b80559 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -12,8 +12,7 @@ in      ../../2configs/tv/base.nix      ../../2configs/tv/consul-client.nix      ../../2configs/tv/exim-retiolum.nix -    ../../2configs/tv/git-public.nix -    # TODO git-private.nix +    ../../2configs/tv/git.nix      ../../2configs/tv/mail-client.nix      ../../2configs/tv/xserver.nix      ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled 
@@ -24,7 +23,7 @@ in      {        environment.systemPackages = with pkgs; [ -        # shitment +        # stockholm          git          gnumake          parallel @@ -122,7 +121,6 @@ in        ];      }      { -      imports = [ ../../3modules/tv/iptables.nix ];        tv.iptables = {          enable = true;          input-internet-accept-new-tcp = [ @@ -134,7 +132,6 @@ in        };      }      { -      imports = [ ../../3modules/krebs/nginx.nix ];        krebs.nginx = {          enable = true;          servers.default.locations = [ @@ -145,10 +142,8 @@ in        };      }      { -      imports = [ ../../3modules/tv/retiolum.nix ]; -      tv.retiolum = { +      krebs.retiolum = {          enable = true; -        hosts = ../../Zhosts;          connectTo = [            "gum"            "pigstarter" @@ -156,7 +151,6 @@ in        };      }      { -      imports = [ ../../3modules/krebs/urlwatch.nix ];        krebs.urlwatch = {          enable = true;          mailto = "tv@wu.retiolum"; # TODO diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 1c8dcb884..5d3fd5579 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -1,7 +1,6 @@  { config, ... }:  { -  imports = [ ../../3modules/tv/consul.nix ];    tv.consul = rec {      enable = true; diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix index efab5cf32..851a0c625 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/2configs/tv/exim-retiolum.nix @@ -4,9 +4,9 @@    services.exim =      # This configuration makes only sense for retiolum-enabled hosts.      # TODO modular configuration -    assert config.tv.retiolum.enable; +    assert config.krebs.retiolum.enable;      let -      # TODO get the hostname from config.tv.retiolum. +      # TODO get the hostname from config.krebs.retiolum.        retiolumHostname = "${config.networking.hostName}.retiolum";      in        { enable = true; 
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix index 7f2b51308..b7f9983a1 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git.nix @@ -1,18 +1,22 @@  { config, lib, pkgs, ... }: +  with import ../../4lib/tv { inherit lib pkgs; };  let    out = { -    imports = [ ../../3modules/krebs/git.nix ];      krebs.git = {        enable = true;        root-title = "public repositories at ${config.tv.identity.self.name}";        root-desc = "keep calm and engage"; -      inherit repos rules users; +      inherit repos rules;      };    }; -  repos = public-repos; +  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( +    public-repos // +    optionalAttrs config.tv.identity.self.secure restricted-repos +  ); +    rules = concatMap make-rules (attrValues repos);    public-repos = mapAttrs make-public-repo { @@ -37,13 +41,14 @@ let      xintmap = {};    }; -  # TODO move users to separate module -  users = mapAttrs make-user { -    tv = ../../Zpubkeys/tv_wu.ssh.pub; -    lass = ../../Zpubkeys/lass.ssh.pub; -    uriel = ../../Zpubkeys/uriel.ssh.pub; -    makefu = ../../Zpubkeys/makefu.ssh.pub; -  }; +  restricted-repos = mapAttrs make-restricted-repo ( +    { +      brain = { +        collaborators = with config.krebs.users; [ lass makefu ]; +      }; +    } // +    import /root/src/secrets/repos.nix { inherit config lib pkgs; } +  );    make-public-repo = name: { desc ? null, ... }: {      inherit name desc; @@ -58,8 +63,14 @@ let      };    }; +  make-restricted-repo = name: { desc ? null, ... }: { +    inherit name desc; +    public = false; +    hooks = {}; # TODO default +  }; +    make-rules = -    with git // users; +    with git // config.krebs.users;      repo:        singleton {          user = tv; 
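Review bot: The collaborator rule added at the end of `make-rules` (hunk `@@ -70,11 +81,11 @@`, on the next line of this page) can never fire, because `make-restricted-repo` emits only `name`, `desc`, `public` and `hooks`, and `repos` additionally strips `collaborators` before `rules = concatMap make-rules (attrValues repos)` runs, so `repo.collaborators or []` is always `[]`. Combined with the unconditional `user = [ lass makefu uriel ]; perm = fetch;` rule, every restricted repo — including those pulled in from `/root/src/secrets/repos.nix` — is fetchable by all three users regardless of its declared collaborators, so the `collaborators` attribute currently has no access-control effect. Derive the rules from the unstripped set and carry `collaborators` through the restricted constructor, as sketched below; whether the blanket fetch grant should then be limited to `repo.public` repos (that rule's body begins in this hunk and ends in the next) is for the author to decide, since the intent for non-public repos is not stated.
```nix
  # keep collaborators visible to make-rules; only the set handed to krebs.git is stripped
  all-repos =
    public-repos //
    optionalAttrs config.tv.identity.self.secure restricted-repos;
  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;
  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
    hooks = {}; # TODO default
  };
```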
@@ -70,11 +81,11 @@ let          user = [ lass makefu uriel ];          repo = [ repo ];          perm = fetch; +      } ++ +      optional (length (repo.collaborators or []) > 0) { +        user = repo.collaborators; +        repo = [ repo ]; +        perm = fetch;        }; -  make-user = name: pubkey-file: { -    inherit name; -    pubkey = readFile pubkey-file; -  }; -  in out diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 44208c956..379d02e45 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -1,7 +1,6 @@  { config, ... }:  { -  imports = [ ../../3modules/tv/identity.nix ];    tv.identity = {      enable = true;      search = "retiolum"; @@ -99,6 +98,7 @@              '';            };          }; +        secure = true;        };        rmdir = {          cores = 1; @@ -154,6 +154,7 @@              '';            };          }; +        secure = true;        };      };    }; diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix new file mode 100644 index 000000000..b8722d18f --- /dev/null +++ b/3modules/krebs/default.nix @@ -0,0 +1,43 @@ +{ config, lib, ... }: + +with import ../../4lib/krebs { inherit lib; }; +let +  cfg = config.krebs; + +  out = { +    imports = [ +      ./github-hosts-sync.nix +      ./git.nix +      ./nginx.nix +      ./retiolum.nix +      ./urlwatch.nix +    ]; +    options.krebs = api; +    config = mkIf cfg.enable imp; +  }; + +  api = { +    users = mkOption { +      type = with types; attrsOf user; +      default = addNames { +          lass = { +            pubkey = readFile ../../Zpubkeys/lass.ssh.pub; +          }; +          makefu = { +            pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; +          }; +          tv = { +            pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; +          }; +          uriel = { +            pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; +          }; +        }; +    }; +  }; + +  imp = { +  }; + +in +out 
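Review bot: `config = mkIf cfg.enable imp;` in the new `3modules/krebs/default.nix` guards on `config.krebs.enable`, but `api` declares only `users`, so no `krebs.enable` option exists. It appears to evaluate today only because `imp` is `{}` and the module system never forces the condition for an empty set; the first attribute added to `imp` will fail with a missing-attribute error on `cfg.enable`. Either declare it, `enable = mkEnableOption "krebs";` alongside `users`, or drop the guard with `config = imp;`.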
diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix index 2d747cc1a..499d33095 100644 --- a/3modules/krebs/git.nix +++ b/3modules/krebs/git.nix @@ -6,8 +6,7 @@  # TODO when authorized_keys changes, then restart ssh  #       (or kill already connected users somehow) -with builtins; -with lib; +with import ../../4lib/krebs { inherit lib; };  let    cfg = config.krebs.git; @@ -127,9 +126,6 @@ let      rules = mkOption {        type = types.unspecified;      }; -    users = mkOption { -      type = types.unspecified; -    };    };    git-imp = { @@ -157,7 +153,8 @@ let        name = "git";        shell = "/bin/sh";        openssh.authorizedKeys.keys = -        mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; +        mapAttrsToList (_: makeAuthorizedKey git-ssh-command) +          config.krebs.users;        uid = 129318403; # genid git      };    }; @@ -263,7 +260,7 @@ let    isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix -  makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: +  makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:      # TODO assert name      # TODO assert pubkey      let diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix index 5c26dff18..481d6565c 100644 --- a/3modules/krebs/retiolum.nix +++ b/3modules/krebs/retiolum.nix @@ -57,9 +57,9 @@ let      };      hosts = mkOption { -      default = null; +      type = with types; either package path; +      default = ../../Zhosts;        description = '' -        Hosts package or path to use.          If a path is given, then it will be used to generate an ad-hoc package.        '';      }; 
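Review bot: `openssh.authorizedKeys.keys` now enumerates `config.krebs.users` instead of the module's own `cfg.users`, so every user declared anywhere in `krebs.users` receives a forced-command login on the `git` account of each host with `krebs.git.enable`, whether or not any rule in `cfg.rules` mentions them. That is acceptable only if `git-ssh-command` denies everything not granted by `cfg.rules` (its definition is outside this hunk, so I cannot confirm it), and the widening deserves a comment at the assignment, e.g. `# every krebs user may connect as git; authorization is decided per repo by git-ssh-command from cfg.rules`. A tighter alternative keeps the key set minimal: `filterAttrs (_: u: any (r: elem u (toList r.user)) cfg.rules) config.krebs.users`, assuming rule `user` fields hold user sets or lists of them, as `make-rules` in `2configs/tv/git.nix` produces.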
@@ -131,24 +131,20 @@ let    };    tinc = cfg.tincPackage; -  hostsType = builtins.typeOf cfg.hosts; -  hosts = -    if hostsType == "package" then -      # use package as is -      cfg.hosts -    else if hostsType == "path" then -      # use path to generate a package -      pkgs.stdenv.mkDerivation { -        name = "custom-retiolum-hosts"; -        src = cfg.hosts; -        installPhase = '' -          mkdir $out -          find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out -        ''; -      } -    else -      abort "The option `services.retiolum.hosts' must be set to a package or a path" -    ; + +  hosts = getAttr (typeOf cfg.hosts) { +    package = cfg.hosts; +    path = pkgs.stdenv.mkDerivation { +      name = "custom-retiolum-hosts"; +      src = cfg.hosts; +      installPhase = '' +        mkdir $out +        find . -name .git -prune -o -type f -print0 \ +          | xargs -0 cp --target-directory $out +      ''; +    }; +  }; +    iproute = cfg.iproutePackage;    retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" @@ -226,5 +222,5 @@ let      chmod +x $out/tinc-up    ''; -in -out + +in out diff --git a/3modules/tv/consul.nix b/3modules/tv/consul.nix index 312faa02f..4e54c2ab0 100644 --- a/3modules/tv/consul.nix +++ b/3modules/tv/consul.nix @@ -10,7 +10,6 @@ let    cfg = config.tv.consul;    out = { -    imports = [ ../../3modules/tv/iptables.nix ];      options.tv.consul = api;      config = mkIf cfg.enable (mkMerge [        imp diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix new file mode 100644 index 000000000..e267d0b9f --- /dev/null +++ b/3modules/tv/default.nix @@ -0,0 +1,10 @@ +_: + +{ +  imports = [ +    ./consul.nix +    ./ejabberd.nix +    ./identity.nix +    ./iptables.nix +  ]; +} diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix deleted file mode 100644 index d00377446..000000000 --- a/3modules/tv/retiolum.nix +++ /dev/null 
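Review bot: `hosts = getAttr (typeOf cfg.hosts) { package = …; path = …; }` in `3modules/krebs/retiolum.nix` cannot select the `package` branch: `builtins.typeOf` returns `"set"` for a derivation, never `"package"`, so a `hosts` value that passes the new `either package path` type as a package fails at evaluation with `attribute 'set' missing`. The old `if hostsType == "package"` had the same dead branch but at least fell through to its explicit `abort`; the rewrite turns that into an opaque error. Key the table on the option type instead, `hosts = getAttr (if isDerivation cfg.hosts then "package" else typeOf cfg.hosts) {`, with `isDerivation` from lib (assumed in scope, as the bare `mkOption` in the option hunk is), or simply `if typeOf cfg.hosts == "path" then … else cfg.hosts`. The default `../../Zhosts` is a path, so current hosts are unaffected.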
@@ -1,29 +0,0 @@ -{ config, lib, ... }: - -with lib; -let -  cfg = config.tv.retiolum; - -  out = { -    imports = [ ../../3modules/krebs/retiolum.nix ]; -    options.tv.retiolum = api; -    config = mkIf cfg.enable imp; -  }; - -  api = { -    enable = mkEnableOption "tv.retiolum"; - -    connectTo = mkOption { -      type = with types; listOf str; -    }; - -    hosts = mkOption { -      type = types.path; -    }; -  }; - -  imp = { -    krebs.retiolum = cfg; -  }; - -in out diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix index 38c2a97d6..0c59076b6 100644 --- a/4lib/krebs/default.nix +++ b/4lib/krebs/default.nix @@ -1,6 +1,14 @@  { lib, ... }: -builtins // lib // { +with builtins; +with lib; + +builtins // lib // rec { + +  addName = name: set: +    set // { inherit name; }; + +  addNames = mapAttrs addName;    types = import ./types.nix { inherit lib; }; diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix index 38ed8a916..ca92c6900 100644 --- a/4lib/krebs/types.nix +++ b/4lib/krebs/types.nix @@ -20,6 +20,15 @@ types // rec {          type = attrsOf net;          apply = x: assert hasAttr "retiolum" x; x;        }; +      secure = mkOption { +        type = bool; +        default = false; +        description = '' +          If true, then the host is capable of keeping secret information. + +          TODO define minimum requirements for secure hosts +        ''; +      };      };    }; @@ -72,6 +81,17 @@ types // rec {      merge = mergeOneOption;    }; +  user = submodule { +    options = { +      name = mkOption { +        type = str; # TODO +      }; +      pubkey = mkOption { +        type = str; +      }; +    }; +  }; +    # TODO    addr = str;    addr4 = str; diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix index 267a858d2..16888c214 100644 --- a/4lib/tv/default.nix +++ b/4lib/tv/default.nix 
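Review bot: `user.pubkey` in `4lib/krebs/types.nix` is typed as bare `str`, yet these values are rendered into the `git` account's `authorized_keys` by `3modules/krebs/git.nix`; a value holding more than one line, such as a key file with two keys or stray text, would produce additional `authorized_keys` entries that are not bound to the forced command. Since the defaults come from `readFile`, which keeps the trailing newline, the check should tolerate exactly that: `type = addCheck str (s: length (filter (l: l != "") (splitString "\n" s)) == 1);`, assuming `lib` is in scope as the bare `mkOption` suggests. A short description on both `name` and `pubkey` would also resolve the `# TODO` left on `name`, e.g. `description = "one OpenSSH public key line, as found in an .ssh/*.pub file";`.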
@@ -15,16 +15,9 @@ krebs // rec {      inherit pkgs;    }; -  addName = name: set: -    set // { inherit name; }; - -  addNames = mapAttrs addName; - -    # "7.4.335" -> "74"    majmin = with lib; x : concatStrings (take 2 (splitString "." x)); -    concat = xs :      if xs == []        then "" @@ -41,13 +41,14 @@ deploy:;@  			"$$src/" "$$deploy_host:$$dst"  	)} -	prepush /root/src/shitment "$$PWD" +	prepush /root/src/stockholm "$$PWD"  	prepush /root/src/secrets "$$secrets_dir"  	ssh -S none "$$deploy_host" -T env \  			nixpkgs_url="$$nixpkgs_url" \  			nixpkgs_rev="$$nixpkgs_rev" \  			system_name="$$system_name" \ +			user_name="$$LOGNAME" \  		sh -euf \  	<<-\EOF  		prefetch(){( @@ -77,26 +78,30 @@ deploy:;@  		prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"  		echo build system... -		NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \ -		NIX_PATH=src \ -			nix-build -Q -A system '<nixpkgs/nixos>' +		NIX_PATH=/root/src \ +		nix-build \ +			-Q \ +			-A system \ +			'<stockholm>' \ +			--argstr user-name "$$user_name" \ +			--argstr system-name "$$system_name"  		result/bin/switch-to-configuration switch  	EOF  .PHONY: eval  eval: -	@nix-instantiate \ +	@ +	NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ +	nix-instantiate \  		--json \  		--eval \  		--strict \  		-A "$$get" \ -		-E ' -			import <nixpkgs/nixos/lib/eval-config.nix> { -				system = builtins.currentSystem; -				modules = [ ./1systems/$(LOGNAME)/$(system).nix ]; -			} -		' | jq -r . +		'<stockholm>' \ +		--argstr user-name "$$LOGNAME" \ +		--argstr system-name "$$system" \ +		| jq -r .  else  $(error unbound variable: system[s])  endif diff --git a/default.nix b/default.nix new file mode 100644 index 000000000..2deb7539a --- /dev/null +++ b/default.nix 
@@ -0,0 +1,20 @@ +{ user-name, system-name }: + +let + +	eval = import <nixpkgs/nixos/lib/eval-config.nix> { +    system = builtins.currentSystem; +		modules = [ +      (./1systems + "/${user-name}/${system-name}.nix") +			(./3modules/krebs) +			(./3modules + "/${user-name}") +		]; +	}; + +in + +{ +	inherit (eval) config options; + +	system = eval.config.system.build.toplevel; +} | 
