diff options
Diffstat (limited to 'krebs')
36 files changed, 388 insertions, 302 deletions
diff --git a/krebs/6tests/data/secrets/grafana_security.nix b/krebs/0tests/data/secrets/grafana_security.nix index 0967ef424..0967ef424 100644 --- a/krebs/6tests/data/secrets/grafana_security.nix +++ b/krebs/0tests/data/secrets/grafana_security.nix diff --git a/krebs/6tests/data/secrets/hashedPasswords.nix b/krebs/0tests/data/secrets/hashedPasswords.nix index 0967ef424..0967ef424 100644 --- a/krebs/6tests/data/secrets/hashedPasswords.nix +++ b/krebs/0tests/data/secrets/hashedPasswords.nix diff --git a/krebs/6tests/data/secrets/retiolum.rsa_key.priv b/krebs/0tests/data/secrets/retiolum.rsa_key.priv index e69de29bb..e69de29bb 100644 --- a/krebs/6tests/data/secrets/retiolum.rsa_key.priv +++ b/krebs/0tests/data/secrets/retiolum.rsa_key.priv diff --git a/krebs/6tests/data/secrets/shackspace-gitlab-ci-token.nix b/krebs/0tests/data/secrets/shackspace-gitlab-ci-token.nix index 963e6db8b..963e6db8b 100644 --- a/krebs/6tests/data/secrets/shackspace-gitlab-ci-token.nix +++ b/krebs/0tests/data/secrets/shackspace-gitlab-ci-token.nix diff --git a/krebs/6tests/data/secrets/ssh.id_ed25519 b/krebs/0tests/data/secrets/ssh.id_ed25519 index e69de29bb..e69de29bb 100644 --- a/krebs/6tests/data/secrets/ssh.id_ed25519 +++ b/krebs/0tests/data/secrets/ssh.id_ed25519 diff --git a/krebs/6tests/data/test-config.nix b/krebs/0tests/data/test-config.nix index f0927ddd9..f0927ddd9 100644 --- a/krebs/6tests/data/test-config.nix +++ b/krebs/0tests/data/test-config.nix diff --git a/krebs/6tests/data/test-source.nix b/krebs/0tests/data/test-source.nix index dfc6b3297..dfc6b3297 100644 --- a/krebs/6tests/data/test-source.nix +++ b/krebs/0tests/data/test-source.nix diff --git a/krebs/6tests/default.nix b/krebs/0tests/default.nix index c0ca00296..c0ca00296 100644 --- a/krebs/6tests/default.nix +++ b/krebs/0tests/default.nix diff --git a/krebs/6tests/deploy.nix b/krebs/0tests/deploy.nix index 156e9239f..d96963500 100644 --- a/krebs/6tests/deploy.nix +++ b/krebs/0tests/deploy.nix @@ -3,7 +3,7 @@ import <nixpkgs/nixos/tests/make-test.nix> ({ ... }: let pkgs = import <nixpkgs> { overlays = [(import ../5pkgs)]; }; - test-config = <stockholm/krebs/6tests/data/test-config.nix>; + test-config = <stockholm/krebs/0tests/data/test-config.nix>; privKey = '' -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 662e094d1..18b751a7e 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -9,17 +9,17 @@ <stockholm/krebs> <stockholm/krebs/2configs> - <stockholm/krebs/2configs/buildbot-all.nix> + <stockholm/krebs/2configs/buildbot-stockholm.nix> <stockholm/krebs/2configs/gitlab-runner-shackspace.nix> <stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/reaktor-retiolum.nix> + <stockholm/krebs/2configs/reaktor-krebs.nix> ]; krebs.build.host = config.krebs.hosts.hotdog; boot.isContainer = true; networking.useDHCP = false; - krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm"; environment.variables.NIX_REMOTE = "daemon"; } diff --git a/krebs/2configs/buildbot-all.nix b/krebs/2configs/buildbot-all.nix deleted file mode 100644 index d85cde175..000000000 --- a/krebs/2configs/buildbot-all.nix +++ /dev/null @@ -1,9 +0,0 @@ -with import <stockholm/lib>; -{ lib, config, pkgs, ... }: -{ - networking.firewall.allowedTCPPorts = [ 80 8010 9989 ]; - krebs.ci.enable = true; - krebs.ci.treeStableTimer = 1; - krebs.ci.hosts = filter (getAttr "ci") (attrValues config.krebs.hosts); -} - diff --git a/krebs/2configs/buildbot-krebs.nix b/krebs/2configs/buildbot-krebs.nix deleted file mode 100644 index a09b3b98b..000000000 --- a/krebs/2configs/buildbot-krebs.nix +++ /dev/null @@ -1,12 +0,0 @@ -with import <stockholm/lib>; -{ lib, config, pkgs, ... }: -{ - imports = [ - <stockholm/krebs/2configs/repo-sync.nix> - ]; - - networking.firewall.allowedTCPPorts = [ 80 8010 9989 ]; - krebs.ci.enable = true; - krebs.ci.treeStableTimer = 120; - krebs.ci.hosts = [ config.krebs.build.host ]; -} diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix new file mode 100644 index 000000000..04b1c999f --- /dev/null +++ b/krebs/2configs/buildbot-stockholm.nix @@ -0,0 +1,178 @@ +{ config, pkgs, ... }: with import <stockholm/lib>; + +let + + hostname = config.networking.hostName; + +in +{ + networking.firewall.allowedTCPPorts = [ 80 ]; + services.nginx = { + enable = true; + virtualHosts.build = { + serverAliases = [ "build.${hostname}.r" ]; + locations."/".extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port}; + ''; + }; + }; + + krebs.buildbot.master = { + slaves = { + testslave = "lasspass"; + }; + change_source.stockholm = '' + stockholm_repo = 'http://cgit.prism.r/stockholm' + cs.append( + changes.GitPoller( + stockholm_repo, + workdir='stockholm-poller', branches=True, + project='stockholm', + pollinterval=10 + ) + ) + ''; + scheduler = { + auto-scheduler = '' + sched.append( + schedulers.SingleBranchScheduler( + change_filter=util.ChangeFilter(branch_re=".*"), + treeStableTimer=60, + name="build-all-branches", + builderNames=[ + "hosts", + ] + ) + ) + ''; + force-scheduler = '' + sched.append( + schedulers.ForceScheduler( + name="hosts", + builderNames=[ + "hosts", + ] + ) + ) + ''; + }; + builder_pre = '' + # prepare grab_repo step for stockholm + grab_repo = steps.Git( + repourl=stockholm_repo, + mode='full', + ) + ''; + builder = { + hosts = '' + from buildbot import interfaces + from buildbot.steps.shell import ShellCommand + + class StepToStartMoreSteps(ShellCommand): + def __init__(self, **kwargs): + ShellCommand.__init__(self, **kwargs) + + def addBuildSteps(self, steps_factories): + for sf in steps_factories: + step = interfaces.IBuildStepFactory(sf).buildStep() + step.setBuild(self.build) + step.setBuildSlave(self.build.slavebuilder.slave) + step_status = self.build.build_status.addStepWithName(step.name) + step.setStepStatus(step_status) + self.build.steps.append(step) + + def start(self): + props = self.build.getProperties() + hosts = json.loads(props.getProperty('hosts_json')) + for host in hosts: + user = hosts[host]['owner'] + + self.addBuildSteps([steps.ShellCommand( + name=str(host), + env={ + "NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + }, + command=[ + "nix-shell", "-I", "stockholm=.", "--run", " ".join(["test", + "--user={}".format(user), + "--system={}".format(host), + "--force-populate", + "--target=$LOGNAME@${config.krebs.build.host.name}$HOME/{}".format(user), + ]) + ], + timeout=90001, + workdir='build', # TODO figure out why we need this? + )]) + + ShellCommand.start(self) + + + f = util.BuildFactory() + f.addStep(grab_repo) + + f.addStep(steps.SetPropertyFromCommand( + env={ + "NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src", + "NIX_REMOTE": "daemon", + }, + name="get_hosts", + command=["nix-instantiate", "--json", "--strict", "--eval", "-E", """ + with import <nixpkgs> {}; + let + eval-config = cfg: + import <nixpkgs/nixos/lib/eval-config.nix> { + modules = [ + (import cfg) + ]; + } + ; + + system = eval-config ./krebs/1systems/hotdog/config.nix; # TODO put a better config here + + ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts; + + filtered-attrs = lib.mapAttrs ( n: v: { + owner = v.owner.name; + }) ci-systems; + + in filtered-attrs + """], + property="hosts_json" + )) + f.addStep(StepToStartMoreSteps(command=["echo"])) # TODO remove dummy command from here + + bu.append( + util.BuilderConfig( + name="hosts", + slavenames=slavenames, + factory=f + ) + ) + ''; + }; + enable = true; + web.enable = true; + irc = { + enable = true; + nick = "build|${hostname}"; + server = "irc.r"; + channels = [ "noise" "xxx" ]; + allowForce = true; + }; + extraConfig = '' + c['buildbotURL'] = "http://build.${hostname}.r/" + ''; + }; + + krebs.buildbot.slave = { + enable = true; + masterhost = "localhost"; + username = "testslave"; + password = "lasspass"; + packages = with pkgs; [ gnumake jq nix populate ]; + }; +} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 90aaa254a..7b970923d 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -50,6 +50,7 @@ with import <stockholm/lib>; users.extraUsers.root.openssh.authorizedKeys.keys = [ # TODO config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey # TODO HARDER: config.krebs.users.makefu-omo.pubkey diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix index 69c503bf9..a3f39b40e 100644 --- a/krebs/2configs/news-spam.nix +++ b/krebs/2configs/news-spam.nix @@ -94,7 +94,7 @@ [SPAM]npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews [SPAM]nsa|https://www.nsa.gov/rss.xml|#snews #bullerei [SPAM]nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews - [SPAM]painload|https://github.com/krebscode/painload/commits/master.atom|#snews + [SPAM]painload|https://github.com/krebs/painload/commits/master.atom|#snews [SPAM]phys|http://phys.org/rss-feed/|#snews [SPAM]piraten|https://www.piratenpartei.de/feed/|#snews [SPAM]polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 49a5e3459..6c59f4d84 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -8,7 +8,7 @@ ethereum|http://blog.ethereum.org/feed|#news LtU|http://lambda-the-ultimate.org/rss.xml|#news mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#news - painload|https://github.com/krebscode/painload/commits/master.atom|#news + painload|https://github.com/krebs/painload/commits/master.atom|#news reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news reddit_nix|http://www.reddit.com/r/nixos/.rss|#news shackspace|http://shackspace.de/atom.xml|#news @@ -16,7 +16,7 @@ vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#news weechat|http://dev.weechat.org/feed/atom|#news xkcd|https://xkcd.com/rss.xml|#news - painload|https://github.com/krebscode/painload/commits/master.atom|#news + painload|https://github.com/krebs/painload/commits/master.atom|#news ''; }; } diff --git a/krebs/2configs/reaktor-krebs.nix b/krebs/2configs/reaktor-krebs.nix index 6b17b457d..fa51b84f0 100644 --- a/krebs/2configs/reaktor-krebs.nix +++ b/krebs/2configs/reaktor-krebs.nix @@ -13,13 +13,8 @@ with import <stockholm/lib>; }; plugins = with pkgs.ReaktorPlugins; [ sed-plugin - wiki-todo-add - wiki-todo-done - wiki-todo-show - ]; + ] ++ + (attrValues (todo "agenda")) + ; }; - services.nginx.virtualHosts."lassul.us".locations."/wiki-todo".extraConfig = '' - default_type "text/plain"; - alias /var/lib/Reaktor/state/wiki-todo; - ''; } diff --git a/krebs/2configs/reaktor-retiolum.nix b/krebs/2configs/reaktor-retiolum.nix index 144b7d484..b32d39b7e 100644 --- a/krebs/2configs/reaktor-retiolum.nix +++ b/krebs/2configs/reaktor-retiolum.nix @@ -10,6 +10,8 @@ with import <stockholm/lib>; }; plugins = with pkgs.ReaktorPlugins; [ sed-plugin - ]; + ] ++ + (attrValues (todo "agenda")) + ; }; } diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix deleted file mode 100644 index bb19f0602..000000000 --- a/krebs/3modules/ci.nix +++ /dev/null @@ -1,192 +0,0 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; -let - cfg = config.krebs.ci; - - hostname = config.networking.hostName; -in -{ - options.krebs.ci = { - enable = mkEnableOption "krebs continous integration"; - stockholmSrc = mkOption { - type = types.str; - default = "http://cgit.${hostname}.r/stockholm"; - }; - treeStableTimer = mkOption { - type = types.int; - default = 10; - description = "how long to wait until we test changes (in minutes)"; - }; - hosts = mkOption { - type = types.listOf types.host; - default = []; - description = '' - List of hosts that should be build - ''; - }; - tests = mkOption { - type = types.listOf types.str; - default = []; - description = '' - List of tests that should be build - ''; - }; - }; - - config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts.build = { - serverAliases = [ "build.${hostname}.r" ]; - locations."/".extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port}; - ''; - }; - }; - - krebs.buildbot.master = { - slaves = { - testslave = "lasspass"; - }; - change_source.stockholm = '' - stockholm_repo = '${cfg.stockholmSrc}' - cs.append( - changes.GitPoller( - stockholm_repo, - workdir='stockholm-poller', branches=True, - project='stockholm', - pollinterval=10 - ) - ) - ''; - scheduler = { - build-scheduler = '' - sched.append( - schedulers.SingleBranchScheduler( - change_filter=util.ChangeFilter(branch_re=".*"), - treeStableTimer=${toString cfg.treeStableTimer}*60, - name="build-all-branches", - builderNames=[ - ${optionalString (cfg.hosts != []) ''"hosts",''} - ${optionalString (cfg.tests != []) ''"tests",''} - ] - ) - ) - ''; - force-scheduler = '' - sched.append( - schedulers.ForceScheduler( - name="force", - builderNames=[ - ${optionalString (cfg.hosts != []) ''"hosts",''} - ${optionalString (cfg.tests != []) ''"tests",''} - ] - ) - ) - ''; - }; - builder_pre = '' - # prepare grab_repo step for stockholm - grab_repo = steps.Git( - repourl=stockholm_repo, - mode='full' - ) - - # prepare addShell function - def addShell(factory,**kwargs): - factory.addStep(steps.ShellCommand(**kwargs)) - ''; - builder = { - hosts = mkIf (cfg.hosts != []) '' - f = util.BuildFactory() - f.addStep(grab_repo) - - def build_host(user, host): - addShell(f, - name="{}".format(host), - env={ - "NIX_PATH": "secrets=/var/src/stockholm/null:/var/src", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - }, - command=[ - "nix-shell", "-I", "stockholm=.", "--run", " ".join(["test", - "--user={}".format(user), - "--system={}".format(host), - "--force-populate", - "--target=$LOGNAME@${config.krebs.build.host.name}$HOME/{}".format(user), - ]) - ], - timeout=90001 - ) - - ${concatMapStringsSep "\n" (host: - "build_host(\"${host.owner.name}\", \"${host.name}\")" - ) cfg.hosts} - - bu.append( - util.BuilderConfig( - name="hosts", - slavenames=slavenames, - factory=f - ) - ) - ''; - tests = mkIf (cfg.tests != []) '' - f = util.BuildFactory() - f.addStep(grab_repo) - - def run_test(test): - addShell(f, - name="{}".format(test), - env={ - "NIX_PATH": "secrets=/var/src/stockholm/null:/var/src", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - }, - command=[ - "nix-build", "-I", "stockholm=.", "krebs/6tests", - "-A", "{}".format(test) - ], - timeout=90001 - ) - - ${concatMapStringsSep "\n" (test: - "run_test(\"${test}\")" - ) cfg.tests} - - bu.append( - util.BuilderConfig( - name="tests", - slavenames=slavenames, - factory=f - ) - ) - ''; - }; - enable = true; - web.enable = true; - irc = { - enable = true; - nick = "build|${hostname}"; - server = "irc.r"; - channels = [ "xxx" "noise" ]; - allowForce = true; - }; - extraConfig = '' - c['buildbotURL'] = "http://build.${hostname}.r/" - ''; - }; - - krebs.buildbot.slave = { - enable = true; - masterhost = "localhost"; - username = "testslave"; - password = "lasspass"; - packages = with pkgs; [ gnumake jq nix populate ]; - }; - - }; -} diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 6fe01e466..afc96e9ee 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -13,7 +13,6 @@ let ./buildbot/master.nix ./buildbot/slave.nix ./build.nix - ./ci.nix ./current.nix ./exim.nix ./exim-retiolum.nix diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 48df04bcb..fd74983fa 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -65,6 +65,7 @@ with import <stockholm/lib>; io 60 IN NS ions.lassul.us. ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; nets = rec { @@ -670,9 +671,45 @@ with import <stockholm/lib>; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp"; }; + blue = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.77"; + ip6.addr = "42:0:0:0:0:0:0:77"; + aliases = [ + "blue.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd + QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc + sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM + wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu + PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ + RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/ + HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm + khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP + 49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N + w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6 + ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J + Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; + }; }; - users = { - lass = { + users = rec { + lass = lass-blue; + lass-blue = { + mail = "lass@blue.r"; + pubkey = builtins.readFile ./ssh/blue.rsa; + pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp; + }; + lass-mors = { mail = "lass@mors.r"; pubkey = builtins.readFile ./ssh/mors.rsa; pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp; @@ -697,6 +734,7 @@ with import <stockholm/lib>; lass-icarus = { mail = "lass@icarus.r"; pubkey = builtins.readFile ./ssh/icarus.rsa; + pgp.pubkeys.default = builtins.readFile ./pgp/icarus.pgp; }; lass-xerxes = { mail = "lass@xerxes.r"; diff --git a/krebs/3modules/lass/pgp/blue.pgp b/krebs/3modules/lass/pgp/blue.pgp new file mode 100644 index 000000000..e7a1ac0e1 --- /dev/null +++ b/krebs/3modules/lass/pgp/blue.pgp @@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFr9fAEBEACz2E2E7uBulVBBtPmk9IR2yB+uAWSe8Hi7vNiGc1Dbs40jzWuy +AqouqyC5xnVw66+cQaYOsgXiwencmu/cFEV2x2uRLDVh1E/fvc8yxAOizEIY0jm/ +WZ/4IWvTZLVPF3BOhM4p/HGNbdZhRc4RoljLTB34VuY1KSMhs3Vx7n3HgZzdbD7D +itUFU4oY5CnkQp4yl1Htat08cZmbD51VTZB1hDw2Uea+VuMQ/ImRtTqW+Ss4xyPA +DwUE/vRM3CKwBvcjbNL3uUqc5dtZuvruuFeK3ScmdNLytcgXqJzLlwuzHmSt/Tnc +DQZWKGiHnMvrAOkMEvsmiKhboWSAq4sRUPhISq |