summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/3modules/backup.nix138
-rw-r--r--krebs/3modules/build.nix2
-rw-r--r--krebs/3modules/default.nix24
-rw-r--r--krebs/3modules/exim-retiolum.nix2
-rw-r--r--krebs/3modules/exim-smarthost.nix4
-rw-r--r--krebs/3modules/exim.nix80
-rw-r--r--krebs/3modules/fetchWallpaper.nix3
-rw-r--r--krebs/3modules/iptables.nix3
-rw-r--r--krebs/3modules/lass/default.nix52
-rw-r--r--krebs/3modules/lass/default.pgp95
-rw-r--r--krebs/3modules/makefu/default.nix126
-rw-r--r--krebs/3modules/miefda/default.nix4
-rw-r--r--krebs/3modules/mv/default.nix4
-rw-r--r--krebs/3modules/nginx.nix40
-rw-r--r--krebs/3modules/on-failure.nix8
-rw-r--r--krebs/3modules/retiolum.nix133
-rw-r--r--krebs/3modules/shared/default.nix10
-rw-r--r--krebs/3modules/tv/default.nix69
-rw-r--r--krebs/4lib/types.nix75
-rw-r--r--krebs/5pkgs/default.nix17
-rw-r--r--lass/1systems/cloudkrebs.nix8
-rw-r--r--lass/1systems/dishfire.nix27
-rw-r--r--lass/1systems/echelon.nix6
-rw-r--r--lass/1systems/helios.nix8
-rw-r--r--lass/1systems/mors.nix134
-rw-r--r--lass/1systems/prism.nix36
-rw-r--r--lass/1systems/uriel.nix6
-rw-r--r--lass/2configs/backups.nix135
-rw-r--r--lass/2configs/baseX.nix5
-rw-r--r--lass/2configs/browsers.nix4
-rw-r--r--lass/2configs/buildbot-standalone.nix55
-rw-r--r--lass/2configs/default.nix (renamed from lass/2configs/base.nix)28
-rw-r--r--lass/2configs/downloading.nix1
-rw-r--r--lass/2configs/exim-retiolum.nix10
-rw-r--r--lass/2configs/exim-smarthost.nix48
-rw-r--r--lass/2configs/fastpoke-pages.nix101
-rw-r--r--lass/2configs/games.nix2
-rw-r--r--lass/2configs/krebs-pass.nix21
-rw-r--r--lass/2configs/mail.nix95
-rw-r--r--lass/2configs/mpv.nix49
-rw-r--r--lass/2configs/newsbot-js.nix1
-rw-r--r--lass/2configs/pass.nix3
-rw-r--r--lass/2configs/privoxy-retiolum.nix3
-rw-r--r--lass/2configs/programs.nix1
-rw-r--r--lass/2configs/websites/domsen.nix85
-rw-r--r--lass/2configs/websites/fritz.nix74
-rw-r--r--lass/2configs/websites/wohnprojekt-rhh.de.nix17
-rw-r--r--lass/2configs/xserver/default.nix19
-rw-r--r--lass/3modules/default.nix5
-rw-r--r--lass/3modules/mysql-backup.nix86
-rw-r--r--lass/3modules/per-user.nix53
-rw-r--r--lass/3modules/static_nginx.nix2
-rw-r--r--lass/4lib/default.nix225
-rw-r--r--lass/5pkgs/acronym/default.nix11
-rw-r--r--lass/5pkgs/default.nix2
-rw-r--r--lass/5pkgs/mk_sql_pair/default.nix19
-rw-r--r--lass/5pkgs/urban/default.nix21
-rw-r--r--lass/5pkgs/xmonad-lass/Main.hs149
-rw-r--r--lass/5pkgs/xmonad-lass/Util/PerWorkspaceConfig.hs52
-rw-r--r--makefu/1systems/gum.nix4
-rw-r--r--makefu/1systems/wry.nix4
-rw-r--r--makefu/2configs/deployment/mycube.connector.one.nix2
-rw-r--r--makefu/2configs/iodined.nix2
-rw-r--r--makefu/2configs/nginx/euer.blog.nix4
-rw-r--r--makefu/2configs/nginx/euer.test.nix4
-rw-r--r--makefu/2configs/nginx/euer.wiki.nix4
-rw-r--r--makefu/2configs/nginx/update.connector.one.nix2
-rw-r--r--makefu/2configs/omo-share.nix2
-rw-r--r--shared/1systems/test-all-krebs-modules.nix9
-rw-r--r--shared/1systems/wolf.nix4
-rw-r--r--tv/1systems/cd.nix18
-rw-r--r--tv/1systems/mkdir.nix11
-rw-r--r--tv/1systems/rmdir.nix7
-rw-r--r--tv/1systems/wu.nix2
-rw-r--r--tv/2configs/exim-retiolum.nix4
-rw-r--r--tv/2configs/exim-smarthost.nix6
-rw-r--r--tv/2configs/git.nix4
-rw-r--r--tv/3modules/charybdis/config.nix9
78 files changed, 1592 insertions, 1006 deletions
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix
index d22dd3810..71b22d8cb 100644
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@@ -103,103 +103,91 @@ let
plan.method == method &&
config.krebs.build.host.name == plan.${side}.host.name;
- start = plan: pkgs.writeDash "backup.${plan.name}" ''
+ start = plan: let
+ login-name = "root";
+ identity = local.host.ssh.privkey.path;
+ ssh = "ssh -i ${shell.escape identity}";
+ local = getAttr plan.method {
+ push = plan.src // { rsync = src-rsync; };
+ pull = plan.dst // { rsync = dst-rsync; };
+ };
+ remote = getAttr plan.method {
+ push = plan.dst // { rsync = dst-rsync; };
+ pull = plan.src // { rsync = src-rsync; };
+ };
+ src-rsync = "rsync";
+ dst-rsync = concatStringsSep " && " [
+ "stat ${shell.escape plan.dst.path} >/dev/null"
+ "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
+ "flock -n ${shell.escape plan.dst.path} rsync"
+ ];
+ in pkgs.writeScript "backup.${plan.name}" ''
+ #! ${pkgs.bash}/bin/bash
set -efu
+ start_date=$(date +%s)
+ ssh_target=${shell.escape login-name}@$(${fastest-address remote.host})
${getAttr plan.method {
push = ''
- identity=${shell.escape plan.src.host.ssh.privkey.path}
- src_path=${shell.escape plan.src.path}
- src=$src_path
- dst_user=root
- dst_host=$(${fastest-address plan.dst.host})
- dst_port=$(${network-ssh-port plan.dst.host "$dst_host"})
- dst_path=${shell.escape plan.dst.path}
- dst=$dst_user@$dst_host:$dst_path
- echo "update snapshot: current; $src -> $dst" >&2
- dst_shell() {
- exec ssh -F /dev/null \
- -i "$identity" \
- ''${dst_port:+-p $dst_port} \
- "$dst_user@$dst_host" \
- -T "$with_dst_path_lock_script"
- }
- rsh="ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}"
- local_rsync() {
- rsync "$@"
- }
- remote_rsync=${shell.escape (concatStringsSep " && " [
- "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
- "exec flock -n ${shell.escape plan.dst.path} rsync"
- ])}
+ rsync_src=${shell.escape plan.src.path}
+ rsync_dst=$ssh_target:${shell.escape plan.dst.path}
+ echo >&2 "update snapshot current; $rsync_src -> $rsync_dst"
'';
pull = ''
- identity=${shell.escape plan.dst.host.ssh.privkey.path}
- src_user=root
- src_host=$(${fastest-address plan.src.host})
- src_port=$(${network-ssh-port plan.src.host "$src_host"})
- src_path=${shell.escape plan.src.path}
- src=$src_user@$src_host:$src_path
- dst_path=${shell.escape plan.dst.path}
- dst=$dst_path
- echo "update snapshot: current; $dst <- $src" >&2
- dst_shell() {
- eval "$with_dst_path_lock_script"
- }
- rsh="ssh -F /dev/null -i $identity ''${src_port:+-p $src_port}"
- local_rsync() {
- mkdir -m 0700 -p ${shell.escape plan.dst.path}/current
- flock -n ${shell.escape plan.dst.path} rsync "$@"
- }
- remote_rsync=rsync
+ rsync_src=$ssh_target:${shell.escape plan.src.path}
+ rsync_dst=${shell.escape plan.dst.path}
+ echo >&2 "update snapshot current; $rsync_dst <- $rsync_src"
'';
}}
- # Note that this only works because we trust date +%s to produce output
- # that doesn't need quoting when used to generate a command string.
- # TODO relax this requirement by selectively allowing to inject variables
- # e.g.: ''${shell.quote "exec env NOW=''${shell.unquote "$NOW"} ..."}
- with_dst_path_lock_script="exec env start_date=$(date +%s) "${shell.escape
- "flock -n ${shell.escape plan.dst.path} /bin/sh"
- }
- local_rsync >&2 \
+ ${local.rsync} >&2 \
-aAXF --delete \
- --rsh="$rsh" \
- --rsync-path="$remote_rsync" \
- --link-dest="$dst_path/current" \
- "$src/" \
- "$dst/.partial"
- dst_shell < ${toFile "backup.${plan.name}.take-snapshots" ''
+ --rsh=${shell.escape ssh} \
+ --rsync-path=${shell.escape remote.rsync} \
+ --link-dest=${shell.escape plan.dst.path}/current \
+ "$rsync_src/" \
+ "$rsync_dst/.partial"
+
+ dst_exec() {
+ ${getAttr plan.method {
+ push = ''exec ${ssh} "$ssh_target" -T "exec$(printf ' %q' "$@")"'';
+ pull = ''exec "$@"'';
+ }}
+ }
+ dst_exec env \
+ start_date="$start_date" \
+ flock -n ${shell.escape plan.dst.path} \
+ /bin/sh < ${toFile "backup.${plan.name}.take-snapshots" ''
set -efu
: $start_date
- dst=${shell.escape plan.dst.path}
+ dst_path=${shell.escape plan.dst.path}
- mv "$dst/current" "$dst/.previous"
- mv "$dst/.partial" "$dst/current"
- rm -fR "$dst/.previous"
+ mv "$dst_path/current" "$dst_path/.previous"
+ mv "$dst_path/.partial" "$dst_path/current"
+ rm -fR "$dst_path/.previous"
echo >&2
snapshot() {(
: $ns $format $retain
name=$(date --date="@$start_date" +"$format")
- if ! test -e "$dst/$ns/$name"; then
+ if ! test -e "$dst_path/$ns/$name"; then
echo >&2 "create snapshot: $ns/$name"
- mkdir -m 0700 -p "$dst/$ns"
+ mkdir -m 0700 -p "$dst_path/$ns"
rsync >&2 \
-aAXF --delete \
- --link-dest="$dst/current" \
- "$dst/current/" \
- "$dst/$ns/.partial.$name"
- mv "$dst/$ns/.partial.$name" "$dst/$ns/$name"
+ --link-dest="$dst_path/current" \
+ "$dst_path/current/" \
+ "$dst_path/$ns/.partial.$name"
+ mv "$dst_path/$ns/.partial.$name" "$dst_path/$ns/$name"
echo >&2
fi
case $retain in
([0-9]*)
delete_from=$(($retain + 1))
- ls -r "$dst/$ns" \
+ ls -r "$dst_path/$ns" \
| sed -n "$delete_from,\$p" \
| while read old_name; do
echo >&2 "delete snapshot: $ns/$old_name"
- rm -fR "$dst/$ns/$old_name"
+ rm -fR "$dst_path/$ns/$old_name"
done
;;
(ALL)
@@ -227,24 +215,12 @@ let
| ${pkgs.coreutils}/bin/head -1; }
'';
- # Note that we don't escape word on purpose, so we can deref shell vars.
- # TODO type word
- network-ssh-port = host: word: ''
- case ${word} in
- ${concatStringsSep ";;\n" (mapAttrsToList
- (_: net: "(${head net.aliases}) echo ${toString net.ssh.port}")
- host.nets)};;
- esac
- '';
-
in out
# TODO ionice
-# TODO mail on failed push, pull
# TODO mail on missing push
# TODO don't cancel plans on activation
# also, don't hang while deploying at:
# starting the following units: backup.wu-home-xu.push.service, backup.wu-home-xu.push.timer
-# TODO make sure /bku is properly mounted
# TODO make sure that secure hosts cannot backup to insecure ones
# TODO optionally only backup when src and dst are near enough :)
# TODO try using btrfs for snapshots (configurable)
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix
index d4c6b08df..9cd095622 100644
--- a/krebs/3modules/build.nix
+++ b/krebs/3modules/build.nix
@@ -88,6 +88,8 @@ let
#! /bin/sh
set -efu
+ export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
verbose() {
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index be530d46f..e87b33600 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -13,6 +13,7 @@ let
./buildbot/slave.nix
./build.nix
./current.nix
+ ./exim.nix
./exim-retiolum.nix
./exim-smarthost.nix
./fetchWallpaper.nix
@@ -218,7 +219,7 @@ let
(filter (hasSuffix ".${cfg.search-domain}")
longs);
add-port = a:
- if net.ssh.port != null
+ if net.ssh.port != 22
then "[${a}]:${toString net.ssh.port}"
else a;
in
@@ -228,8 +229,25 @@ let
publicKey = host.ssh.pubkey;
})
(filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
+
+ programs.ssh.extraConfig = concatMapStrings
+ (net: ''
+ Host ${toString (net.aliases ++ net.addrs)}
+ Port ${toString net.ssh.port}
+ '')
+ (filter
+ (net: net.ssh.port != 22)
+ (concatMap (host: attrValues host.nets)
+ (mapAttrsToList
+ (_: host: recursiveUpdate host
+ (optionalAttrs (hasAttr config.krebs.search-domain host.nets) {
+ nets."" = host.nets.${config.krebs.search-domain} // {
+ aliases = [host.name];
+ addrs = [];
+ };
+ }))
+ config.krebs.hosts)));
}
];
-in
-out
+in out
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 696c48baf..8b6ac4a4e 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -32,7 +32,7 @@ let
};
imp = {
- services.exim = {
+ krebs.exim = {
enable = true;
config =
# This configuration makes only sense for retiolum-enabled hosts.
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index cee10ce7d..8d9227039 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -105,7 +105,7 @@ let
requires = [ "secret.service" ];
};
};
- services.exim = {
+ krebs.exim = {
enable = true;
config = ''
keep_environment =
@@ -136,6 +136,8 @@ let
syslog_timestamp = false
syslog_duplication = false
+ tls_advertise_hosts =
+
begin acl
acl_check_rcpt:
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix
new file mode 100644
index 000000000..16a2a37b6
--- /dev/null
+++ b/krebs/3modules/exim.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib; let
+ cfg = config.krebs.exim;
+in {
+ options.krebs.exim = {
+ enable = mkEnableOption "krebs.exim";
+ config = mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Verbatim Exim configuration. This should not contain exim_user,
+ exim_group, exim_path, or spool_directory.
+ '';
+ };
+ user = mkOption {
+ type = types.user;
+ default = {
+ name = "exim";
+ home = "/var/spool/exim";
+ };
+ description = ''
+ User to use when no root privileges are required.
+ In particular, this applies when receiving messages and when doing
+ remote deliveries. (Local deliveries run as various non-root users,
+ typically as the owner of a local mailbox.) Specifying this value
+ as root is not supported.
+ '';
+ };
+ group = mkOption {
+ type = types.group;
+ default = {
+ name = "exim";
+ };
+ description = ''
+ Group to use when no root privileges are required.
+ '';
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ environment = {
+ etc."exim.conf".text = ''
+ exim_user = ${cfg.user.name}
+ exim_group = ${cfg.group.name}
+ exim_path = /var/setuid-wrappers/exim
+ spool_directory = ${cfg.user.home}
+ ${cfg.config}
+ '';
+ systemPackages = [ pkgs.exim ];
+ };
+ krebs.setuid = {
+ exim = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ };
+ systemd.services.exim = {
+ restartTriggers = [
+ config.environment.etc."exim.conf".source
+ ];
+ serviceConfig = {
+ ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ users = {
+ groups.${cfg.group.name} = {
+ inherit (cfg.group) name gid;
+ };
+ users.${cfg.user.name} = {
+ inherit (cfg.user) home name uid;
+ createHome = true;