summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/build.nix8
-rw-r--r--krebs/3modules/default.nix40
-rw-r--r--krebs/3modules/exim-retiolum.nix36
-rw-r--r--krebs/3modules/exim-smarthost.nix42
-rw-r--r--krebs/3modules/git.nix6
-rw-r--r--krebs/3modules/lass/default.nix2
-rw-r--r--krebs/3modules/lib.nix2
-rw-r--r--krebs/3modules/makefu/default.nix2
-rw-r--r--krebs/3modules/miefda/default.nix2
-rw-r--r--krebs/3modules/mv/default.nix2
-rw-r--r--krebs/3modules/secret.nix39
-rw-r--r--krebs/3modules/shared/default.nix1
-rw-r--r--krebs/3modules/tv/default.nix5
-rw-r--r--krebs/4lib/default.nix9
-rw-r--r--krebs/4lib/dns.nix31
-rw-r--r--krebs/4lib/infest/prepare.sh33
-rw-r--r--krebs/4lib/listset.nix11
-rw-r--r--krebs/4lib/types.nix65
-rw-r--r--krebs/5pkgs/push/default.nix12
-rwxr-xr-xkrebs/5pkgs/test/infest-cac-centos7/notes16
20 files changed, 221 insertions, 143 deletions
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix
index b8ea34ae2..d4c6b08df 100644
--- a/krebs/3modules/build.nix
+++ b/krebs/3modules/build.nix
@@ -41,6 +41,8 @@ let
#! /bin/sh
set -eu
+ ssh=''${ssh-ssh}
+
verbose() {
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
@@ -48,7 +50,7 @@ let
{ printf 'PS5=%q%q\n' @ "$PS5"
echo ${shell.escape git-script}
- } | verbose ssh -p ${shell.escape target-port} \
+ } | verbose $ssh -p ${shell.escape target-port} \
${shell.escape "${target-user}@${target-host}"} -T
unset tmpdir
@@ -77,7 +79,7 @@ let
) (attrNames source-by-method.file)} \
--delete \
-vFrlptD \
- -e ${shell.escape "ssh -p ${target-port}"} \
+ -e "$ssh -p ${shell.escape target-port}" \
${shell.escape target-path}/ \
${shell.escape "${target-user}@${target-host}:${target-path}"}
'';
@@ -114,7 +116,7 @@ let
if ! test "$(git log --format=%H -1)" = "$hash"; then
git fetch origin
git checkout "$hash" -- "$dst_dir"
- git checkout "$hash"
+ git checkout -f "$hash"
fi
git clean -dxf
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index c06f3754e..186469e97 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -28,6 +28,7 @@ let
./realwallpaper.nix
./retiolum-bootstrap.nix
./retiolum.nix
+ ./secret.nix
./setuid.nix
./tinc_graphs.nix
./urlwatch.nix
@@ -42,9 +43,7 @@ let
dns = {
providers = mkOption {
- # TODO with types; tree dns.label dns.provider, so we can merge.
- # Currently providers can only be merged if aliases occur just once.
- type = with types; attrsOf unspecified;
+ type = with types; attrsOf str;
};
};
@@ -94,7 +93,7 @@ let
{ krebs = import ./tv { inherit config lib; }; }
{
krebs.dns.providers = {
- de.krebsco = "zones";
+ "krebsco.de" = "zones";
gg23 = "hosts";
shack = "hosts";
i = "hosts";
@@ -103,13 +102,27 @@ let
retiolum = "hosts";
};
- networking.extraHosts = concatStringsSep "\n" (flatten (
+ krebs.users = {
+ krebs = {
+ home = "/krebs";
+ mail = "spam@krebsco.de";
+ };
+ root = {
+ home = "/root";
+ pubkey = config.krebs.build.host.ssh.pubkey;
+ uid = 0;
+ };
+ };
+
+ networking.extraHosts = let
+ domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers);
+ check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
+ in concatStringsSep "\n" (flatten (
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = longs ++ shorts;
- providers = dns.split-by-provider net.aliases cfg.dns.providers;
- longs = providers.hosts;
+ longs = filter check net.aliases;
shorts = let s = ".${cfg.search-domain}"; in
map (removeSuffix s) (filter (hasSuffix s) longs);
in
@@ -130,12 +143,11 @@ let
{ text=(stripEmptyLines value); }) all-zones;
krebs.exim-smarthost.internet-aliases = let
- format = from: to:
+ format = from: to: {
+ inherit from;
# TODO assert is-retiolum-mail-address to;
- { inherit from;
- to = if typeOf to == "list"
- then concatMapStringsSep "," (getAttr "mail") to
- else to.mail; };
+ to = concatMapStringsSep "," (getAttr "mail") (toList to);
+ };
in mapAttrsToList format (with config.krebs.users; let
spam-ml = [
lass
@@ -154,6 +166,10 @@ let
"makefu@retiolum" = makefu;
"spam@retiolum" = spam-ml;
"tv@retiolum" = tv;
+ "lass@r" = lass;
+ "makefu@r" = makefu;
+ "spam@r" = spam-ml;
+ "tv@r" = tv;
});
services.openssh.hostKeys =
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 1722eef1f..6e6928f89 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -11,6 +11,24 @@ let
api = {
enable = mkEnableOption "krebs.exim-retiolum";
+ local_domains = mkOption {
+ type = with types; listOf hostname;
+ default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases;
+ };
+ primary_hostname = mkOption {
+ type = types.str;
+ default = let x = "${config.krebs.build.host.name}.r"; in
+ assert elem x config.krebs.build.host.nets.retiolum.aliases;
+ x;
+ };
+ relay_to_domains = mkOption {
+ # TODO hostname with wildcards
+ type = with types; listOf str;
+ default = [
+ "*.r"
+ "*.retiolum"
+ ];
+ };
};
imp = {
@@ -21,9 +39,9 @@ let
# TODO modular configuration
assert config.krebs.retiolum.enable;
''
- primary_hostname = ${retiolumHostname}
- domainlist local_domains = @ : localhost
- domainlist relay_to_domains = *.retiolum
+ primary_hostname = ${cfg.primary_hostname}
+ domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
+ domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
hostlist relay_from_hosts = <; 127.0.0.1 ; ::1
acl_smtp_rcpt = acl_check_rcpt
@@ -85,7 +103,7 @@ let
retiolum:
driver = manualroute
- domains = ! ${retiolumHostname} : *.retiolum
+ domains = ! +local_domains : +relay_to_domains
transport = remote_smtp
route_list = ^.* $0 byname
no_more
@@ -125,8 +143,8 @@ let
# mode = 0660
begin retry
- *.retiolum * F,42d,1m
- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+ ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") cfg.relay_to_domains}
+ * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
@@ -134,8 +152,4 @@ let
'';
};
};
-
- # TODO get the hostname from somewhere else.
- retiolumHostname = "${config.networking.hostName}.retiolum";
-in
-out
+in out
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 267ee2900..c976e89de 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -25,14 +25,31 @@ let
}));
};
+ local_domains = mkOption {
+ type = with types; listOf hostname;
+ default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases;
+ };
+
relay_from_hosts = mkOption {
type = with types; listOf str;
default = [];
+ apply = xs: ["127.0.0.1" "::1"] ++ xs;
+ };
+
+ relay_to_domains = mkOption {
+ # TODO hostname with wildcards
+ type = with types; listOf str;
+ default = [
+ "*.r"
+ "*.retiolum"
+ ];
};
primary_hostname = mkOption {
type = types.str;
- default = "${config.networking.hostName}.retiolum";
+ default = let x = "${config.krebs.build.host.name}.r"; in
+ assert elem x config.krebs.build.host.nets.retiolum.aliases;
+ x;
};
sender_domains = mkOption {
@@ -63,19 +80,11 @@ let
# HOST_REDIR contains the real destinations for "local_domains".
#HOST_REDIR = /etc/exim4/host_redirect
-
# Domains not listed in local_domains need to be deliverable remotely.
# XXX We abuse local_domains to mean "domains, we're the gateway for".
- domainlist local_domains = @ : localhost
- domainlist relay_to_domains =
- hostlist relay_from_hosts = <;${concatStringsSep ";" (
- [
- "127.0.0.1"
- "::1"
- ]
- ++
- cfg.relay_from_hosts
- )}
+ domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
+ domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
+ hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts}
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
@@ -144,7 +153,7 @@ let
retiolum:
debug_print = "R: retiolum for $local_part@$domain"
driver = manualroute
- domains = ! ${cfg.primary_hostname} : *.retiolum
+ domains = ! +local_domains : +relay_to_domains
transport = retiolum_smtp
route_list = ^.* $0 byname
no_more
@@ -197,8 +206,11 @@ let
return_path_add
begin retry
- *.retiolum * F,42d,1m
- * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
+ ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") cfg.relay_to_domains}
+ ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m")
+ # TODO don't include relay_to_domains
+ (map (getAttr "from") cfg.internet-aliases)}
+ * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index a9542718d..0cc2f11c9 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -232,13 +232,15 @@ let
]) (filter (rule: rule.perm.allow-receive-ref != null) cfg.rules));
};
- users.extraUsers = singleton rec {
+ # TODO cfg.user
+ users.users.git = rec {
description = "Git repository hosting user";
name = "git";
shell = "/bin/sh";
openssh.authorizedKeys.keys =
mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
- config.krebs.users;
+ (filterAttrs (_: user: isString user.pubkey)
+ config.krebs.users);
uid = genid name;
};
};
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 41a609105..4bf10ac56 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -3,7 +3,7 @@
with config.krebs.lib;
{
- hosts = {
+ hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) {
dishfire = {
cores = 4;
nets = rec {
diff --git a/krebs/3modules/lib.nix b/krebs/3modules/lib.nix
index b19f275b5..ccd6a6afa 100644
--- a/krebs/3modules/lib.nix
+++ b/krebs/3modules/lib.nix
@@ -10,6 +10,6 @@ let
type = types.attrs;
};
imp = {
- krebs.lib = lib // import ../4lib { inherit lib; } // builtins;
+ krebs.lib = lib // import ../4lib { inherit config lib; } // builtins;
};
in out
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 6af77ad9b..d309c1714 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -3,7 +3,7 @@
with config.krebs.lib;
{
- hosts = {
+ hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) {
pnp = {
cores = 1;
nets = {
diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix
index 6587ad92d..9a5866294 100644
--- a/krebs/3modules/miefda/default.nix
+++ b/krebs/3modules/miefda/default.nix
@@ -3,7 +3,7 @@
with config.krebs.lib;
{
- hosts = {
+ hosts = mapAttrs (_: setAttr "owner" config.krebs.users.miefda) {
bobby = {
cores = 4;
nets = {
diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix
index 33f941aae..3b4001e7a 100644
--- a/krebs/3modules/mv/default.nix
+++ b/krebs/3modules/mv/default.nix
@@ -3,7 +3,7 @@
with config.krebs.lib;
{
- hosts = {
+ hosts = mapAttrs (_: setAttr "owner" config.krebs.users.mv) {
stro = {
cores = 4;
nets = {
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
new file mode 100644
index 000000000..579f375f3
--- /dev/null
+++ b/krebs/3modules/secret.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+ cfg = config.krebs.secret;
+in {
+ options.krebs.secret = {
+ files = mkOption {
+ type = with types; attrsOf secret-file;
+ default = {};
+ };
+ };
+ config = lib.mkIf (cfg.files != {}) {
+ systemd.services.secret = let
+ # TODO fail if two files have the same path but differ otherwise
+ files = unique (map (flip removeAttrs ["_module"])
+ (attrValues cfg.files));
+ in {
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ SyslogIdentifier = "secret";
+ ExecStart = pkgs.writeDash "install-secret-files" ''
+ exit_code=0
+ ${concatMapStringsSep "\n" (file: ''
+ ${pkgs.coreutils}/bin/install \
+ -D \
+ --compare \
+ --verbose \
+ --mode=${shell.escape file.mode} \
+ --owner=${shell.escape file.owner.name} \
+ --group=${shell.escape file.group-name} \
+ ${shell.escape file.source-path} \
+ ${shell.escape file.path} \
+ || exit_code=1
+ '') files}
+ exit $exit_code
+ '';
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix
index 208b596f8..ccd15b569 100644
--- a/krebs/3modules/shared/default.nix
+++ b/krebs/3modules/shared/default.nix
@@ -15,6 +15,7 @@ let
addrs4 = ["10.243.111.111"];
addrs6 = ["42:0:0:0:0:0:0:7357"];
aliases = [
+ "test.r"
"test.retiolum"
];
tinc.pubkey = ''
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 300fce017..533502914 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -4,9 +4,9 @@ with config.krebs.lib;
{
dns.providers = {
- de.viljetic = "regfish";
+ "viljetic.de" = "regfish";
};
- hosts = {
+ hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) {
cd = rec {
cores = 2;
extraZones = {
@@ -354,6 +354,7 @@ with config.krebs.lib;
tv = {
mail = "tv@nomic.retiolum";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDFR//RnCvEZAt0F6ExDsatKZ/DDdifanuSL360mqOhaFieKI34RoOwfQT9T+Ga52Vh5V2La6esvlph686EdgzeKLvDoxEwFM9ZYFBcMrNzu4bMTlgE7YUYw5JiORyXNfznBGnme6qpuvx9ibYhUyiZo99kM8ys5YrUHrP2JXQJMezDFZHxT4GFMOuSdh/1daGoKKD6hYL/jEHX8CI4E3BSmKK6ygYr1fVX0K0Tv77lIi5mLXucjR7CytWYWYnhM6DC3Hxpv2zRkPgf3k0x/Y1hrw3V/r0Me5h90pd2C8pFaWA2ZoUT/fmyVqvx1tZPYToU/O2dMItY0zgx2kR0yD+6g7Aahz3R+KlXkV8k5c8bbTbfGnZWDR1ZlbLRM9Yt5vosfwapUD90MmVkpmR3wUkO2sUKi80QfC7b4KvSDXQ+MImbGxMaU5Bnsq1PqLN95q+uat3nlAVBAELkcx51FlE9CaIS65y4J7FEDg8BE5JeuCNshh62VSYRXVSFt8bk3f/TFGgzC8OIo14BhVmiRQQ503Z1sROyf5xLX2a/EJavMm1i2Bs2TH6ROKY9z5Pz8hT5US0r381V8oG7TZyLF9HTtoy3wCYsgWA5EmLanjAsVU2YEeAA0rxzdtYP8Y2okFiJ6u+M4HQZ3Wg3peSodyp3vxdYce2vk4EKeqEFuuS82850DYb7Et7fmp+wQQUT8Q/bMO0DreWjHoMM5lE4LJ4ME6AxksmMiFtfo/4Fe2q9D+LAqZ+ANOcv9M+8Rn6ngiYmuRNd0l/a02q1PEvO6vTfXgcl4f7Z1IULHPEaDNZHCJS1K5RXYFqYQ6OHsTmOm7hnwaRAS97+VFMo1i5uvTx9nYaAcY7yzq3Ckfb67dMBKApGOpJpkvPgfrP7bgBO5rOZXM1opXqVPb09nljAhhAhyCTh1e/8+mJrBo0cLQ/LupQzVxGDgm3awSMPxsZAN45PSWz76zzxdDa1MMo51do+VJHfs7Wl0NcXAQrniOBYL9Wqt0qNkn1gY5smkkISGeQ/vxNap4MmzeZE7b5fpOy+2fpcRVQLpc4nooQzJvSVTFz+25lgZ6iHf45K87gQFMIAri1Pf/EDDpL87az+bRWvWi+BA2kMe1kf+Ay1LyMz8r+g51H0ma0bNFh6+fbWMfUiD9JCepIObclnUJ4NlWfcgHxTf17d/4tl6z4DTcLpCCk8Da77JouSHgvtcRbRlFV1OfhWZLXUsrlfpaQTiItv6TGIr3k7+7b66o3Qw/GQVs5GmYifaIZIz8n8my4XjkaMBd0SZfBzzvFjHMq6YUP9+SbjvReqofuoO+5tW1wTYZXitFFBfwuHlXm6w77K5QDBW6olT7pat41/F5eGxLcz tv@wu";
+ uid = 1337; # TODO use default
};
tv-nomic = {
inherit (tv) mail;
diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix
index d5b6d03ac..deac02bb7 100644
--- a/krebs/4lib/default.nix
+++ b/krebs/4lib/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
with builtins;
with lib;
@@ -15,14 +15,15 @@ let out = rec {
addNames = mapAttrs addName;
- types = import ./types.nix { inherit lib; };
+ types = import ./types.nix {
+ inherit config;
+ lib = lib // { inherit genid; };
+ };
dir.has-default-nix = path: pathExists (path + "/default.nix");
- dns = import ./dns.nix { inherit lib; };
genid = import ./genid.nix { lib = lib // out; };
git = import ./git.nix { lib = lib // out; };
- listset = import ./listset.nix { inherit lib; };
shell = import ./shell.nix { inherit lib; };
tree = import ./tree.nix { inherit lib; };
diff --git a/krebs/4lib/dns.nix b/krebs/4lib/dns.nix
deleted file mode 100644
index b2cf3c24c..000000000
--- a/krebs/4lib/dns.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ lib, ... }:
-
-let
- listset = import ./listset.nix { inherit lib; };
-in
-
-with builtins;
-with lib;
-
-rec {
- # label = string
-
- # TODO does it make sense to have alias = list label?
-
- # split-by-provider :
- # [[label]] -> tree label provider -> listset provider alias
- split-by-provider = as: providers:
- foldl (m: a: listset.insert (provider-of a providers) a m) {} as;
-
- # provider-of : alias -> tree label provider -> provider
- # Note that we cannot use tree.get here, because path can be longer
- # than the tree depth.
- provider-of = a:
- let
- go = path: tree:
- if typeOf tree == "string"
- then tree
- else go (tail path) tree.${head path};
- in
- go (reverseList (splitString "." a));
-}
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index b3824c7d4..a217e7bed 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -184,26 +184,21 @@ prepare_common() {(
. /root/.nix-profile/etc/profile.d/nix.sh
- for i in \
- bash \
- coreutils \
- # This line intentionally left blank.
- do
- if ! nix-env -q $i | grep -q .; then
- nix-env -iA nixpkgs.pkgs.$i
- fi
- done
+ mkdir -p /mnt/"$target_path"
+ mkdir -p "$target_path"
+
+ if ! mountpoint "$target_path"; then
+ mount --rbind /mnt/"$target_path" "$target_path"
+ fi
+
+ mkdir -p bin
+ rm -f bin/nixos-install
+ cp "$(type -p nixos-install)" bin/nixos-install
+ sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
- # install nixos-install
- if ! type nixos-install 2>/dev/null; then
- nixpkgs_expr='import <nixpkgs> { system = builtins.currentSystem; }'
- nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d)
- nix-env \
- --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \
- --arg pkgs "$nixpkgs_expr" \
- --arg modulesPath 'throw "no modulesPath"' \
- -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \
- -iA config.system.build.nixos-install
+ if ! grep -q '^PATH.*#krebs' .bashrc; then
+ echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc
+ echo 'PATH=$HOME/bin:$PATH #krebs' >> .bashrc
fi
)}
diff --git a/krebs/4lib/listset.nix b/krebs/4lib/listset.nix
deleted file mode 100644
index 3aae22f20..000000000
--- a/krebs/4lib/listset.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ lib, ... }:
-
-with lib;
-
-rec {
- # listset k v = set k [v]
-
- # insert : k -> v -> listset k v -> listset k v
- insert = name: value: set:
- set // { ${name} = set.${name} or [] ++ [value]; };
-}
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index d0a537467..fcb6ff3d3 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
with builtins;
with lib;
@@ -20,25 +20,17 @@ types // rec {
default = {};
};
+ owner = mkOption {
+ type = user;
+ default = config.krebs.users.krebs;
+ };
+
extraZones = mkOption {
default = {};
# TODO: string is either MX, NS, A or AAAA
type = with types; attrsOf string;
};
- infest = {
- addr = mkOption {
- type = str;
- apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.addr' is used. It was replaced by the `target' argument to `make` or `get`. See Makefile for more information.";
- };
- port = mkOption {
- type = int;
- default = 22;
- # TODO replacement: allow target with port, SSH-style: [lol]:666
- apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.port' is used. It's gone without replacement.";
- };
- };
-
secure = mkOption {
type = bool;
default = false;
@@ -147,6 +139,25 @@ types // rec {
merge = mergeOneOption;
};
+ secret-file = submodule ({ config, ... }: {
+ options = {
+ path = mkOption { type = str; };
+ mode = mkOption { type = str; default = "0400"; };
+ owner = mkOption {
+ type = user;
+ default = config.krebs.users.root;
+ };
+ group-name = mkOption {
+ type = str;
+ default = "root";
+ };
+ source-path = mkOption {
+ type = str;
+ default = toString <secrets> + "/${config._module.args.name}";
+ };
+ };
+ });
+
suffixed-str = suffs:
mkOptionType {
name = "string suffixed by ${concatStringsSep ", " suffs}";
@@ -156,6 +167,10 @@ types // rec {
user = submodule ({ config, ... }: {
options = {
+ home = mkOption {
+ type = absolute-pathname;
+ default = "/home/${config.name}";
+ };
mail = mkOption {
type = str; # TODO retiolum mail address
};
@@ -164,7 +179,12 @@ types // rec {
default = config._module.args.name;
};
pubkey = mkOption {
- type = str;
+ type = nullOr str;
+ default = null;
+ };
+ uid = mkOption {
+ type = int;
+ default = genid config.name;
};
};
});
@@ -217,6 +237,21 @@ types // rec {
merge = mergeOneOption;
};
+ # POSIX.1‐2013, 3.2 Absolute Pathname
+ # TODO normalize slashes
+ # TODO two slashes
+ absolute-pathname = mkOptionType {
+ name = "POSIX absolute pathname";
+ check = s: pathname.check s && substring 0 1 s == "/";
+ };
+
+ # POSIX.1‐2013, 3.267 Pathname
+ # TODO normalize slashes
+ pathname = mkOptionType {
+ name = "POSIX pathname";
+ check = s: isString s && all filename.check (splitString "/" s);
+ };
+
# POSIX.1-2013, 3.431 User Name
username = mkOptionType {
name = "POSIX username";
diff --git a/krebs/5pkgs/push/default.nix b/krebs/5pkgs/push/default.nix
index 13769c747..aa17a21a9 100644
--- a/krebs/5pkgs/push/default.nix
+++ b/krebs/5pkgs/push/default.nix
@@ -1,20 +1,21 @@
{ fetchgit, lib, stdenv
, coreutils
-, get
, git
+, gnumake
, gnused
, jq
+, nix
, openssh
, parallel
, ... }:
stdenv.mkDerivation {
- name = "push-1.1.1";
+ name = "push-1.1.2";
src = fetchgit {
url = http://cgit.cd.krebsco.de/push;
- rev = "ea8b76569c6b226fe148e559477669b095408472";
- sha256 = "c305a1515d30603f6ed825d44487e863fdc7d90400620ceaf2c335a3b5d1e221";
+ rev = "da5b3a4b05ef822cc41d36b6cc2071a2e78506d4";
+ sha256 = "0gfxz207lm11g77rw02jcqpvzhx07j9hzgjgscbmslzl5r8icd6g";
};
phases = [
@@ -26,10 +27,11 @@ stdenv.mkDerivation {
let
path = lib.makeSearchPath "bin" [
coreutils
- get
git
+ gnumake
gnused
jq
+ nix
openssh
parallel
];
diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes
index db80c0c6c..6bb0258a9 100755
--- a/krebs/5pkgs/test/infest-cac-centos7/notes
+++ b/krebs/5pkgs/test/infest-cac-centos7/notes
@@ -1,4 +1,4 @@
-# nix-shell -p gnumake jq openssh cac-api cac-panel
+# nix-shell -p gnumake jq openssh cac-api cac-panel sshpass
set -eufx
# 2 secrets are required:
@@ -99,7 +99,7 @@ defer "cac-api delete $id;$old_trapstr"
mkdir -p shared/2configs/temp
cac-api generatenetworking $id > \
shared/2configs/temp/networking.nix
-# new temporary ssh key we will use to log in after infest
+# new temporary ssh key we will use to log in after install
ssh-keygen -f $krebs_ssh -N ""
cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
# we override the directories for secrets and stockholm
@@ -118,12 +118,12 @@ _: {
}
EOF
-LOGNAME=shared make eval get=krebs.infest \
- target=derp system=test-centos7 filter=json \
- | sed -e "s#^ssh.*<<#cac-api ssh $id<<#" \
- -e "/^rsync/a -e 'cac-api ssh $id' \\\\" \
- -e "s#root.derp:#:#" > $krebs_secrets/infest
-sh -x $krebs_secrets/infest
+make install \
+ LOGNAME=shared \
+ SSHPASS="$(cac-api getserver $id | jq -r .rootpass)" \
+ ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \
+ system=test-centos7 \
+ target=$ip
# TODO: generate secrets directory $krebs_secrets for nix import
cac-api powerop $id reset