diff options
-rwxr-xr-x | bin/nixos-build | 24 | ||||
-rwxr-xr-x | bin/nixos-deploy | 16 | ||||
-rwxr-xr-x | bin/prefetch | 88 | ||||
-rw-r--r-- | default.nix | 151 | ||||
-rwxr-xr-x | deploy | 14 | ||||
-rw-r--r-- | modules/cd/default.nix | 6 | ||||
-rw-r--r-- | modules/cd/paths.nix | 12 | ||||
-rw-r--r-- | modules/mkdir/default.nix | 6 | ||||
-rw-r--r-- | modules/mkdir/paths.nix | 12 | ||||
-rw-r--r-- | modules/mu/default.nix | 6 | ||||
-rw-r--r-- | modules/mu/paths.nix | 12 | ||||
-rw-r--r-- | modules/rmdir/default.nix | 6 | ||||
-rw-r--r-- | modules/rmdir/paths.nix | 12 | ||||
-rw-r--r-- | modules/wu/default.nix | 6 | ||||
-rw-r--r-- | modules/wu/paths.nix | 12 |
15 files changed, 217 insertions, 166 deletions
diff --git a/bin/nixos-build b/bin/nixos-build deleted file mode 100755 index 3e902fd08..000000000 --- a/bin/nixos-build +++ /dev/null @@ -1,24 +0,0 @@ -#! /bin/sh -# -# nixos-build system_name -> system_path -# -set -euf - -system_name=$1 - -NIXOS_CONFIG=$config_root/modules/$system_name -export NIXOS_CONFIG - -# Notice how host's NIX_PATH is used to prefetch nixpkgs. -prefetch nixpkgs "$nixpkgs_root/$system_name" - -NIX_PATH=$nixpkgs_root/$system_name -NIX_PATH=$NIX_PATH:secrets=$secrets_root/$system_name/nix -NIX_PATH=$NIX_PATH:pubkeys=$config_root/pubkeys -NIX_PATH=$NIX_PATH:retiolum-hosts=$retiolum_hosts -export NIX_PATH - -exec nix-build \ - -A system \ - --no-out-link \ - '<nixos>' diff --git a/bin/nixos-deploy b/bin/nixos-deploy deleted file mode 100755 index fa86a8c88..000000000 --- a/bin/nixos-deploy +++ /dev/null @@ -1,16 +0,0 @@ -#! /bin/sh -# -# nixos-deploy system_name target -# -set -euf - -system_name=$1 -target=$2 - -system=$(nixos-build "$system_name") - -nix-copy-closure --gzip --to "$target" "$system" - -copy-secrets "$system_name" "$target" - -ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch diff --git a/bin/prefetch b/bin/prefetch deleted file mode 100755 index a87dd1899..000000000 --- a/bin/prefetch +++ /dev/null @@ -1,88 +0,0 @@ -#! /bin/sh -# -# usage: prefetch repo_name out_link -# -# Make the specified repository available as out_link. -# -set -euf - -repo_name=$1 -out_link=$2 - -if test "$repo_name" != nixpkgs; then - echo "prefetch: cannot fetch $repo_name, yet" >&2 - exit -1 -fi - -git_rev=$(nixos-query nixpkgs.rev) -git_url=$(nixos-query nixpkgs.url) -dirty=$(nixos-query nixpkgs.dirty) - -case $dirty in true) - ln -snf "$git_url" "$out_link" - echo "prefetch: using $git_url as it is" >&2 - exit -esac - -# Put all bases in the same place as out_link. -# Notice how out_link must not clash with cache_dir and work_dir. -cache_base=$(dirname "$out_link") -work_base=$(dirname "$out_link") - -# cache_dir points to a (maybe non-existent) directory, where a shared cache of -# the repository should be maintained. The shared cache is used to create -# multiple working trees of the repository. -cache_dir=$cache_base/$(echo "$git_url" | urlencode) - -# work_dir points to a (maybe non-existent) directory, where a specific -# revision of the repository is checked out. -work_dir=$work_base/$(echo "$git_rev" | urlencode) - -cache_git() { - git --git-dir="$cache_dir" "$@" -} - -work_git() { - git -C "$work_dir" "$@" -} - -is_up_to_date() { - test -d "$cache_dir" && - test -d "$work_dir" && - test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" && - test "$(work_git rev-parse --verify HEAD)" = "$git_rev" -} - -# Notice how the remote name "origin" has been chosen arbitrarily, but must be -# kept in sync with the default value of nixpkgs.rev. -if ! is_up_to_date; then - if ! test -d "$cache_dir"; then - mkdir -p "$cache_dir" - cache_git init --bare - fi - if ! cache_git_url=$(cache_git config remote.origin.url); then - cache_git remote add origin "$git_url" - elif test "$cache_git_url" != "$git_url"; then - cache_git remote set-url origin "$git_url" - fi - cache_git fetch origin - if ! test -d "$work_dir"; then - git clone -n --shared "$cache_dir" "$work_dir" - fi - commit_name=$(cache_git rev-parse --verify "$git_rev") - work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")" - work_git checkout -q "$commit_name" - work_git submodule init - work_git submodule update -fi -work_git clean -dxf - -# Relative links are nicer, and actually we know that work_dir and out_link are -# the same. But, for robustness, check anyway.. :) -if test "$(dirname "$work_dir")" = "$(dirname "$out_link")"; then - ln -snf "$(basename "$work_dir")" "$out_link" -else - ln -snf "$work_dir" "$out_link" -fi - -echo "prefetch: using $git_url $(work_git log --oneline -n1)" >&2 diff --git a/default.nix b/default.nix new file mode 100644 index 000000000..841534824 --- /dev/null +++ b/default.nix @@ -0,0 +1,151 @@ +{ system-name +, rsync-target ? null +, deploy-target ? null +}: + +# TODO assert that only one of rsync-target or deploy-target is not null + +with builtins; +assert (typeOf system-name == "string"); +with import <nixpkgs/lib>; +let + paths-file = toPath "${dirOf __curPos.file}/modules/${system-name}/paths.nix"; + + paths = import paths-file; + + prefetch.file = '' + echo "$prefetch_in_url" + ''; + + prefetch.git = '' + ${concatMapStringsSep "\n" (attr-name: '' + case ''${prefetch_in_${escapeShellArg attr-name}-?} in \?) + printf '%s: %s: missing attribute: %s' \ + ${escapeShellArg paths-file} \ + "$prefetch_name" \ + ${escapeShellArg attr-name} \ + >&2 + return 1 + esac + '') [ "rev" "url" "cache" ]} + + git_rev=$prefetch_in_rev + git_url=$prefetch_in_url + + # cache_dir points to a (maybe non-existent) directory, where a shared cache of + # the repository should be maintained. The shared cache is used to create + # multiple working trees of the repository. + cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode) + cache_git() { + git --git-dir="$cache_dir" "$@" + } + + # work_dir points to a (maybe non-existent) directory, where a specific + # revision of the repository is checked out. + # XXX this is probably a bad idea if git_rev is not a commit + work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode) + work_git() { + git -C "$work_dir" "$@" + } + + is_up_to_date() { + test -d "$cache_dir" && + test -d "$work_dir" && + test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" && + test "$(work_git rev-parse --verify HEAD)" = "$git_rev" + } + + # Notice how the remote name "origin" has been chosen arbitrarily, but must be + # kept in sync with the default value of nixpkgs.rev. + if ! is_up_to_date; then + if ! test -d "$cache_dir"; then + mkdir -p "$cache_dir" + cache_git init --bare + fi + if ! cache_git_url=$(cache_git config remote.origin.url); then + cache_git remote add origin "$git_url" + elif test "$cache_git_url" != "$git_url"; then + cache_git remote set-url origin "$git_url" + fi + cache_git fetch origin + if ! test -d "$work_dir"; then + git clone -n --shared "$cache_dir" "$work_dir" + fi + commit_name=$(cache_git rev-parse --verify "$git_rev") + work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")" + work_git checkout -q "$commit_name" + work_git submodule init + work_git submodule update + fi + work_git clean -dxf + + echo "$work_dir" + ''; + + + f = pkg-name: pkg-spec: + let + types = attrNames pkg-spec; + type = elemAt types 0; + in + assert (length types == 1); # there can be only one source type + '' + out=$(${concatStringsSep " \\\n" (mapAttrsToList (k: v: + "prefetch_in_${escapeShellArg k}=${escapeShellArg (toString v)}") pkg-spec.${type})} \ + prefetch_name=${escapeShellArg pkg-name} \ + __prefetch_${escapeShellArg type}) + printf '%s=%s\n' \ + ${escapeShellArg pkg-name} \ + "$out" + ''; +in +'' +#! /bin/sh +set -euf + +PATH=${toString ./.}/bin:$PATH +export PATH + +__prefetch_file() { +${prefetch.file} +} +__prefetch_git() { +${prefetch.git} +} + +# TODO make sure x contains only sane chars +x=$(${concatStrings (mapAttrsToList f paths)}) + +${optionalString (rsync-target != null) '' + proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ + rsync --delete --delete-excluded \ + --filter='- /*/.git' \ + --rsync-path='mkdir -p -m 0700 /shitment/ && rsync' \ + -vaz \ + --no-owner \ + --no-group \ + '/shitment/' \ + ${escapeShellArg rsync-target} +''} + + +${optionalString (deploy-target != null) '' + system_path=$(proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ + env \ + NIX_PATH=/shitment \ + NIXOS_CONFIG=/shitment/modules/${escapeShellArg system-name} \ + nix-build -A system --no-out-link '<nixpkgs/nixos>') + + system_name=${escapeShellArg system-name} + target=${escapeShellArg deploy-target} + + nix-copy-closure --gzip --to "$target" "$system_path" + + secrets_root=${toString ./.}/secrets \ + config_root=${toString ./.} \ + copy-secrets "$system_name" "$target" + + ssh ''${NIX_SSHOPTS-} "$target" "$system_path/bin/switch-to-configuration" switch +''} + +'' @@ -7,11 +7,9 @@ set -euf system_name=$1 target=${2-root@$system_name} -export PATH="$PWD/bin:$PATH" -#export nixpkgs=/var/nixpkgs -export nixpkgs_root=$PWD/tmp/nixpkgs -export config_root=$PWD -export retiolum_hosts=$PWD/hosts -export secrets_root=$PWD/secrets - -exec nixos-deploy "$system_name" "$target" +nix-instantiate \ + --argstr system-name "$system_name" \ + --argstr deploy-target "$target" \ + --eval --json . \ + | jq -r . \ + | sh diff --git a/modules/cd/default.nix b/modules/cd/default.nix index d57d46be2..45b798e27 100644 --- a/modules/cd/default.nix +++ b/modules/cd/default.nix @@ -10,7 +10,6 @@ in { users.extraUsers = import <secrets/extraUsers.nix>; } ./networking.nix ./users.nix - ../common/nixpkgs.nix ../tv/base.nix ../tv/base-cac-CentOS-7-64bit.nix ../tv/ejabberd.nix # XXX echtes modul @@ -50,11 +49,6 @@ in # "Developer 2" plan has two vCPUs. nix.maxJobs = 2; - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs"; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - environment.systemPackages = with pkgs; [ git # required for ./deploy, clone_or_update htop diff --git a/modules/cd/paths.nix b/modules/cd/paths.nix new file mode 100644 index 000000000..f873912fb --- /dev/null +++ b/modules/cd/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/cd/nix; +} diff --git a/modules/mkdir/default.nix b/modules/mkdir/default.nix index 5427a4590..e76419298 100644 --- a/modules/mkdir/default.nix +++ b/modules/mkdir/default.nix @@ -10,7 +10,6 @@ in { users.extraUsers = import <secrets/extraUsers.nix>; } ./networking.nix ./users.nix - ../common/nixpkgs.nix ../tv/base.nix ../tv/base-cac-CentOS-7-64bit.nix ../tv/exim-smarthost.nix @@ -49,11 +48,6 @@ in nix.maxJobs = 1; - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs"; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - environment.systemPackages = with pkgs; [ git # required for ./deploy, clone_or_update htop diff --git a/modules/mkdir/paths.nix b/modules/mkdir/paths.nix new file mode 100644 index 000000000..f873912fb --- /dev/null +++ b/modules/mkdir/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/cd/nix; +} diff --git a/modules/mu/default.nix b/modules/mu/default.nix index 8b37d9c5b..8490c842d 100644 --- a/modules/mu/default.nix +++ b/modules/mu/default.nix @@ -11,7 +11,6 @@ in { imports = [ <secrets/mu.hashedPasswords.nix> - ../common/nixpkgs.nix ../tv/base.nix ../tv/exim-retiolum.nix ../tv/retiolum.nix @@ -20,11 +19,6 @@ in nix.maxJobs = 2; - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs"; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" diff --git a/modules/mu/paths.nix b/modules/mu/paths.nix new file mode 100644 index 000000000..1c4ce52a1 --- /dev/null +++ b/modules/mu/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/wu/nix; +} diff --git a/modules/rmdir/default.nix b/modules/rmdir/default.nix index 62fbd84f1..d24ad5736 100644 --- a/modules/rmdir/default.nix +++ b/modules/rmdir/default.nix @@ -10,7 +10,6 @@ in { users.extraUsers = import <secrets/extraUsers.nix>; } ./networking.nix ./users.nix - ../common/nixpkgs.nix ../tv/base.nix ../tv/base-cac-CentOS-7-64bit.nix ../tv/exim-smarthost.nix @@ -50,11 +49,6 @@ in nix.maxJobs = 1; - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs"; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - environment.systemPackages = with pkgs; [ git # required for ./deploy, clone_or_update htop diff --git a/modules/rmdir/paths.nix b/modules/rmdir/paths.nix new file mode 100644 index 000000000..f873912fb --- /dev/null +++ b/modules/rmdir/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/cd/nix; +} diff --git a/modules/wu/default.nix b/modules/wu/default.nix index 37bf75884..2271798be 100644 --- a/modules/wu/default.nix +++ b/modules/wu/default.nix @@ -11,7 +11,6 @@ in { imports = [ ./hosts.nix - ../common/nixpkgs.nix ../tv/base.nix ../tv/exim-retiolum.nix ../tv/sanitize.nix @@ -63,11 +62,6 @@ in daemonNiceLevel = 1; }; - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs"; - rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; - }; - services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0" SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0" diff --git a/modules/wu/paths.nix b/modules/wu/paths.nix new file mode 100644 index 000000000..2d2ff7b74 --- /dev/null +++ b/modules/wu/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/wu/nix; +} |