-rwxr-xr-xbin/nixos-build24
-rwxr-xr-xbin/nixos-deploy16
-rwxr-xr-xbin/prefetch88
-rw-r--r--default.nix151
-rwxr-xr-xdeploy14
-rw-r--r--modules/cd/default.nix6
-rw-r--r--modules/cd/paths.nix12
-rw-r--r--modules/mkdir/default.nix6
-rw-r--r--modules/mkdir/paths.nix12
-rw-r--r--modules/mu/default.nix6
-rw-r--r--modules/mu/paths.nix12
-rw-r--r--modules/rmdir/default.nix6
-rw-r--r--modules/rmdir/paths.nix12
-rw-r--r--modules/wu/default.nix6
-rw-r--r--modules/wu/paths.nix12
15 files changed, 217 insertions, 166 deletions
diff --git a/bin/nixos-build b/bin/nixos-build
deleted file mode 100755
index 3e902fd08..000000000
--- a/bin/nixos-build
+++ /dev/null
@@ -1,24 +0,0 @@
-#! /bin/sh
-#
-# nixos-build system_name -> system_path
-#
-set -euf
-
-system_name=$1
-
-NIXOS_CONFIG=$config_root/modules/$system_name
-export NIXOS_CONFIG
-
-# Notice how host's NIX_PATH is used to prefetch nixpkgs.
-prefetch nixpkgs "$nixpkgs_root/$system_name"
-
-NIX_PATH=$nixpkgs_root/$system_name
-NIX_PATH=$NIX_PATH:secrets=$secrets_root/$system_name/nix
-NIX_PATH=$NIX_PATH:pubkeys=$config_root/pubkeys
-NIX_PATH=$NIX_PATH:retiolum-hosts=$retiolum_hosts
-export NIX_PATH
-
-exec nix-build \
- -A system \
- --no-out-link \
- '<nixos>'
diff --git a/bin/nixos-deploy b/bin/nixos-deploy
deleted file mode 100755
index fa86a8c88..000000000
--- a/bin/nixos-deploy
+++ /dev/null
@@ -1,16 +0,0 @@
-#! /bin/sh
-#
-# nixos-deploy system_name target
-#
-set -euf
-
-system_name=$1
-target=$2
-
-system=$(nixos-build "$system_name")
-
-nix-copy-closure --gzip --to "$target" "$system"
-
-copy-secrets "$system_name" "$target"
-
-ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch
diff --git a/bin/prefetch b/bin/prefetch
deleted file mode 100755
index a87dd1899..000000000
--- a/bin/prefetch
+++ /dev/null
@@ -1,88 +0,0 @@
-#! /bin/sh
-#
-# usage: prefetch repo_name out_link
-#
-# Make the specified repository available as out_link.
-#
-set -euf
-
-repo_name=$1
-out_link=$2
-
-if test "$repo_name" != nixpkgs; then
- echo "prefetch: cannot fetch $repo_name, yet" >&2
- exit -1
-fi
-
-git_rev=$(nixos-query nixpkgs.rev)
-git_url=$(nixos-query nixpkgs.url)
-dirty=$(nixos-query nixpkgs.dirty)
-
-case $dirty in true)
- ln -snf "$git_url" "$out_link"
- echo "prefetch: using $git_url as it is" >&2
- exit
-esac
-
-# Put all bases in the same place as out_link.
-# Notice how out_link must not clash with cache_dir and work_dir.
-cache_base=$(dirname "$out_link")
-work_base=$(dirname "$out_link")
-
-# cache_dir points to a (maybe non-existent) directory, where a shared cache of
-# the repository should be maintained. The shared cache is used to create
-# multiple working trees of the repository.
-cache_dir=$cache_base/$(echo "$git_url" | urlencode)
-
-# work_dir points to a (maybe non-existent) directory, where a specific
-# revision of the repository is checked out.
-work_dir=$work_base/$(echo "$git_rev" | urlencode)
-
-cache_git() {
- git --git-dir="$cache_dir" "$@"
-}
-
-work_git() {
- git -C "$work_dir" "$@"
-}
-
-is_up_to_date() {
- test -d "$cache_dir" &&
- test -d "$work_dir" &&
- test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" &&
- test "$(work_git rev-parse --verify HEAD)" = "$git_rev"
-}
-
-# Notice how the remote name "origin" has been chosen arbitrarily, but must be
-# kept in sync with the default value of nixpkgs.rev.
-if ! is_up_to_date; then
- if ! test -d "$cache_dir"; then
- mkdir -p "$cache_dir"
- cache_git init --bare
- fi
- if ! cache_git_url=$(cache_git config remote.origin.url); then
- cache_git remote add origin "$git_url"
- elif test "$cache_git_url" != "$git_url"; then
- cache_git remote set-url origin "$git_url"
- fi
- cache_git fetch origin
- if ! test -d "$work_dir"; then
- git clone -n --shared "$cache_dir" "$work_dir"
- fi
- commit_name=$(cache_git rev-parse --verify "$git_rev")
- work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")"
- work_git checkout -q "$commit_name"
- work_git submodule init
- work_git submodule update
-fi
-work_git clean -dxf
-
-# Relative links are nicer, and actually we know that work_dir and out_link are
-# the same. But, for robustness, check anyway.. :)
-if test "$(dirname "$work_dir")" = "$(dirname "$out_link")"; then
- ln -snf "$(basename "$work_dir")" "$out_link"
-else
- ln -snf "$work_dir" "$out_link"
-fi
-
-echo "prefetch: using $git_url $(work_git log --oneline -n1)" >&2
diff --git a/default.nix b/default.nix
new file mode 100644
index 000000000..841534824
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,151 @@
+{ system-name
+, rsync-target ? null
+, deploy-target ? null
+}:
+
+# TODO assert that only one of rsync-target or deploy-target is not null
+
+with builtins;
+assert (typeOf system-name == "string");
+with import <nixpkgs/lib>;
+let
+ paths-file = toPath "${dirOf __curPos.file}/modules/${system-name}/paths.nix";
+
+ paths = import paths-file;
+
+ prefetch.file = ''
+ echo "$prefetch_in_url"
+ '';
+
+ prefetch.git = ''
+ ${concatMapStringsSep "\n" (attr-name: ''
+ case ''${prefetch_in_${escapeShellArg attr-name}-?} in \?)
+ printf '%s: %s: missing attribute: %s' \
+ ${escapeShellArg paths-file} \
+ "$prefetch_name" \
+ ${escapeShellArg attr-name} \
+ >&2
+ return 1
+ esac
+ '') [ "rev" "url" "cache" ]}
+
+ git_rev=$prefetch_in_rev
+ git_url=$prefetch_in_url
+
+ # cache_dir points to a (maybe non-existent) directory, where a shared cache of
+ # the repository should be maintained. The shared cache is used to create
+ # multiple working trees of the repository.
+ cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode)
+ cache_git() {
+ git --git-dir="$cache_dir" "$@"
+ }
+
+ # work_dir points to a (maybe non-existent) directory, where a specific
+ # revision of the repository is checked out.
+ # XXX this is probably a bad idea if git_rev is not a commit
+ work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode)
+ work_git() {
+ git -C "$work_dir" "$@"
+ }
+
+ is_up_to_date() {
+ test -d "$cache_dir" &&
+ test -d "$work_dir" &&
+ test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" &&
+ test "$(work_git rev-parse --verify HEAD)" = "$git_rev"
+ }
+
+ # Notice how the remote name "origin" has been chosen arbitrarily, but must be
+ # kept in sync with the default value of nixpkgs.rev.
+ if ! is_up_to_date; then
+ if ! test -d "$cache_dir"; then
+ mkdir -p "$cache_dir"
+ cache_git init --bare
+ fi
+ if ! cache_git_url=$(cache_git config remote.origin.url); then
+ cache_git remote add origin "$git_url"
+ elif test "$cache_git_url" != "$git_url"; then
+ cache_git remote set-url origin "$git_url"
+ fi
+ cache_git fetch origin
+ if ! test -d "$work_dir"; then
+ git clone -n --shared "$cache_dir" "$work_dir"
+ fi
+ commit_name=$(cache_git rev-parse --verify "$git_rev")
+ work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")"
+ work_git checkout -q "$commit_name"
+ work_git submodule init
+ work_git submodule update
+ fi
+ work_git clean -dxf
+
+ echo "$work_dir"
+ '';
+
+
+ f = pkg-name: pkg-spec:
+ let
+ types = attrNames pkg-spec;
+ type = elemAt types 0;
+ in
+ assert (length types == 1); # there can be only one source type
+ ''
+ out=$(${concatStringsSep " \\\n" (mapAttrsToList (k: v:
+ "prefetch_in_${escapeShellArg k}=${escapeShellArg (toString v)}") pkg-spec.${type})} \
+ prefetch_name=${escapeShellArg pkg-name} \
+ __prefetch_${escapeShellArg type})
+ printf '%s=%s\n' \
+ ${escapeShellArg pkg-name} \
+ "$out"
+ '';
+in
+''
+#! /bin/sh
+set -euf
+
+PATH=${toString ./.}/bin:$PATH
+export PATH
+
+__prefetch_file() {
+${prefetch.file}
+}
+__prefetch_git() {
+${prefetch.git}
+}
+
+# TODO make sure x contains only sane chars
+x=$(${concatStrings (mapAttrsToList f paths)})
+
+${optionalString (rsync-target != null) ''
+ proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \
+ rsync --delete --delete-excluded \
+ --filter='- /*/.git' \
+ --rsync-path='mkdir -p -m 0700 /shitment/ && rsync' \
+ -vaz \
+ --no-owner \
+ --no-group \
+ '/shitment/' \
+ ${escapeShellArg rsync-target}
+''}
+
+
+${optionalString (deploy-target != null) ''
+ system_path=$(proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \
+ env \
+ NIX_PATH=/shitment \
+ NIXOS_CONFIG=/shitment/modules/${escapeShellArg system-name} \
+ nix-build -A system --no-out-link '<nixpkgs/nixos>')
+
+ system_name=${escapeShellArg system-name}
+ target=${escapeShellArg deploy-target}
+
+ nix-copy-closure --gzip --to "$target" "$system_path"
+
+ secrets_root=${toString ./.}/secrets \
+ config_root=${toString ./.} \
+ copy-secrets "$system_name" "$target"
+
+ ssh ''${NIX_SSHOPTS-} "$target" "$system_path/bin/switch-to-configuration" switch
+''}
+
+''
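Review bot: `work_dir` is derived from `cache_git rev-parse --verify "$git_rev"` at the top of `prefetch.git` before the block that creates the bare cache, adds the remote and fetches, so on a fresh cache (or a rev not yet fetched) that rev-parse fails; because the failure sits behind the pipe into `urlencode`, `set -e` only sees urlencode's status and `work_dir` silently collapses to `$cache_dir-`, which then gets cloned into and later orphaned once the cache exists and the real `$cache_dir-<hash>` is computed. The `XXX` comment above that line hints at a problem but names a different cause. The rewrite below (the shell lines inside the `prefetch.git` string) initializes the cache and resolves the rev first, keeps the original fast path of skipping the fetch when `git_rev` is a commit hash already present, and leaves the work-tree clone/checkout/submodule steps unchanged apart from dropping the cache-init lines they no longer need. The same pipe-masks-failure pattern is worth a second look at `x=$(…)` near the `TODO make sure x contains only sane chars` comment, where the unquoted `$(echo "$x" | sed …)` is also word-split before reaching `proot`.
```sh
cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode)
cache_git() {
  git --git-dir="$cache_dir" "$@"
}

# Resolve git_rev only once the cache exists and can hold it; previously a
# failed rev-parse was masked by the pipe into urlencode and collapsed
# work_dir to "$cache_dir-".
if ! test -d "$cache_dir"; then
  mkdir -p "$cache_dir"
  cache_git init --bare
fi
if ! cache_git_url=$(cache_git config remote.origin.url); then
  cache_git remote add origin "$git_url"
elif test "$cache_git_url" != "$git_url"; then
  cache_git remote set-url origin "$git_url"
fi
# Skip the fetch only when git_rev is a commit hash already in the cache;
# symbolic revs are always re-fetched, as before.
if ! commit_name=$(cache_git rev-parse --verify -q "$git_rev^{commit}") ||
   test "$commit_name" != "$git_rev"; then
  cache_git fetch origin
  commit_name=$(cache_git rev-parse --verify "$git_rev^{commit}")
fi
work_dir=$cache_dir-$(echo "$commit_name" | urlencode)
work_git() {
  git -C "$work_dir" "$@"
}

# … unchanged: is_up_to_date, work-tree clone/checkout/submodule block (minus the cache init/fetch lines now above), clean, echo "$work_dir" …
```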
diff --git a/deploy b/deploy
index c32ba9c30..a9dbf45e0 100755
--- a/deploy
+++ b/deploy
@@ -7,11 +7,9 @@ set -euf
system_name=$1
target=${2-root@$system_name}
-export PATH="$PWD/bin:$PATH"
-#export nixpkgs=/var/nixpkgs
-export nixpkgs_root=$PWD/tmp/nixpkgs
-export config_root=$PWD
-export retiolum_hosts=$PWD/hosts
-export secrets_root=$PWD/secrets
-
-exec nixos-deploy "$system_name" "$target"
+nix-instantiate \
+ --argstr system-name "$system_name" \
+ --argstr deploy-target "$target" \
+ --eval --json . \
+ | jq -r . \
+ | sh
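Review bot: The new `nix-instantiate … | jq -r . | sh` pipeline reports only `sh`'s exit status, so an evaluation failure in `nix-instantiate` (for instance the `assert` on `system-name` in default.nix) feeds `sh` an empty or partial stream and `deploy` exits 0 without having deployed anything, even though `set -euf` is in effect in the script head outside this hunk. Since the generated script goes on to `nix-copy-closure` and `switch-to-configuration` on a remote host, the evaluation should be materialized before it is executed: `script=$(nix-instantiate --argstr system-name "$system_name" --argstr deploy-target "$target" --eval --json .)` followed by `printf '%s\n' "$script" | jq -r . | sh`, so that a failed evaluation aborts under `set -e` instead of being masked by the pipe.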
diff --git a/modules/cd/default.nix b/modules/cd/default.nix
index d57d46be2..45b798e27 100644
--- a/modules/cd/default.nix
+++ b/modules/cd/default.nix
@@ -10,7 +10,6 @@ in
{ users.extraUsers = import <secrets/extraUsers.nix>; }
./networking.nix
./users.nix
- ../common/nixpkgs.nix
../tv/base.nix
../tv/base-cac-CentOS-7-64bit.nix
../tv/ejabberd.nix # XXX echtes modul
@@ -50,11 +49,6 @@ in
# "Developer 2" plan has two vCPUs.
nix.maxJobs = 2;
- nixpkgs = {
- url = "https://github.com/NixOS/nixpkgs";
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- };
-
environment.systemPackages = with pkgs; [
git # required for ./deploy, clone_or_update
htop
diff --git a/modules/cd/paths.nix b/modules/cd/paths.nix
new file mode 100644
index 000000000..f873912fb
--- /dev/null
+++ b/modules/cd/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/cd/nix;
+}
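Review bot: This new file has no comment describing the schema that ./default.nix expects, so a reader cannot tell from the file alone that each attribute becomes a NIX_PATH entry whose single child selects the source type. A header comment such as `# Each attribute names a NIX_PATH entry; its one child (file or git) selects the fetcher in ../../default.nix, which asserts exactly one type per entry. Pin nixpkgs.git.rev to a full commit hash so the checked-out tree is content-addressed.` would make the per-system copies in modules/*/paths.nix self-explanatory. The same applies to the other new paths.nix files in this commit.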
diff --git a/modules/mkdir/default.nix b/modules/mkdir/default.nix
index 5427a4590..e76419298 100644
--- a/modules/mkdir/default.nix
+++ b/modules/mkdir/default.nix
@@ -10,7 +10,6 @@ in
{ users.extraUsers = import <secrets/extraUsers.nix>; }
./networking.nix
./users.nix
- ../common/nixpkgs.nix
../tv/base.nix
../tv/base-cac-CentOS-7-64bit.nix
../tv/exim-smarthost.nix
@@ -49,11 +48,6 @@ in
nix.maxJobs = 1;
- nixpkgs = {
- url = "https://github.com/NixOS/nixpkgs";
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- };
-
environment.systemPackages = with pkgs; [
git # required for ./deploy, clone_or_update
htop
diff --git a/modules/mkdir/paths.nix b/modules/mkdir/paths.nix
new file mode 100644
index 000000000..f873912fb
--- /dev/null
+++ b/modules/mkdir/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/cd/nix;
+}
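Review bot: `secrets.file.url = ../../secrets/cd/nix;` in modules/mkdir/paths.nix points the mkdir system at cd's secrets directory; the same line appears in modules/rmdir/paths.nix, and modules/mu/paths.nix points at `../../secrets/wu/nix`. The deleted bin/nixos-build derived this path per system as `$secrets_root/$system_name/nix`, so unless the sharing is intentional, these three files look copy-pasted (the identical index hashes for cd, mkdir and rmdir support that) and would deploy one host's secrets onto another. If the per-system directories exist, the line should read `secrets.file.url = ../../secrets/mkdir/nix;` here, `../../secrets/rmdir/nix` in rmdir/paths.nix and `../../secrets/mu/nix` in mu/paths.nix; if sharing is deliberate, a comment saying so would prevent the next reader from "fixing" it.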
diff --git a/modules/mu/default.nix b/modules/mu/default.nix
index 8b37d9c5b..8490c842d 100644
--- a/modules/mu/default.nix
+++ b/modules/mu/default.nix
@@ -11,7 +11,6 @@ in
{
imports = [
<secrets/mu.hashedPasswords.nix>
- ../common/nixpkgs.nix
../tv/base.nix
../tv/exim-retiolum.nix
../tv/retiolum.nix
@@ -20,11 +19,6 @@ in
nix.maxJobs = 2;
- nixpkgs = {
- url = "https://github.com/NixOS/nixpkgs";
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- };
-
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
diff --git a/modules/mu/paths.nix b/modules/mu/paths.nix
new file mode 100644
index 000000000..1c4ce52a1
--- /dev/null
+++ b/modules/mu/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/wu/nix;
+}
diff --git a/modules/rmdir/default.nix b/modules/rmdir/default.nix
index 62fbd84f1..d24ad5736 100644
--- a/modules/rmdir/default.nix
+++ b/modules/rmdir/default.nix
@@ -10,7 +10,6 @@ in
{ users.extraUsers = import <secrets/extraUsers.nix>; }
./networking.nix
./users.nix
- ../common/nixpkgs.nix
../tv/base.nix
../tv/base-cac-CentOS-7-64bit.nix
../tv/exim-smarthost.nix
@@ -50,11 +49,6 @@ in
nix.maxJobs = 1;
- nixpkgs = {
- url = "https://github.com/NixOS/nixpkgs";
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- };
-
environment.systemPackages = with pkgs; [
git # required for ./deploy, clone_or_update
htop
diff --git a/modules/rmdir/paths.nix b/modules/rmdir/paths.nix
new file mode 100644
index 000000000..f873912fb
--- /dev/null
+++ b/modules/rmdir/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/cd/nix;
+}
diff --git a/modules/wu/default.nix b/modules/wu/default.nix
index 37bf75884..2271798be 100644
--- a/modules/wu/default.nix
+++ b/modules/wu/default.nix
@@ -11,7 +11,6 @@ in
{
imports = [
./hosts.nix
- ../common/nixpkgs.nix
../tv/base.nix
../tv/exim-retiolum.nix
../tv/sanitize.nix
@@ -63,11 +62,6 @@ in
daemonNiceLevel = 1;
};
- nixpkgs = {
- url = "https://github.com/NixOS/nixpkgs";
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- };
-
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
diff --git a/modules/wu/paths.nix b/modules/wu/paths.nix
new file mode 100644
index 000000000..2d2ff7b74
--- /dev/null
+++ b/modules/wu/paths.nix
@@ -0,0 +1,12 @@
+{
+ lib.file.url = ../../lib;
+ modules.file.url = ../../modules;
+ nixpkgs.git = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";
+ cache = ../../tmp/git-cache;
+ };
+ pubkeys.file.url = ../../pubkeys;
+ retiolum-hosts.file.url = ../../hosts;
+ secrets.file.url = ../../secrets/wu/nix;
+}
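Review bot: `rev = "e1af50c4c4c0332136283e9231f0a32ac11f2b90";` changes wu's nixpkgs pin, whereas the `nixpkgs` block removed from modules/wu/default.nix in this same commit pinned `4c01e6d91993b6de128795f4fbdd25f6227fb870`, the revision the other four systems keep. Moving the pin into paths.nix is a refactor, but bumping the revision at the same time is a behavioural change to what gets built and deployed for wu and is easy to miss in a 15-file diff. Either split the bump into its own commit or record it in the commit message, and consider a comment next to the line stating why wu tracks a different nixpkgs than the other systems.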