From e09559bb786c7cf639dc1428bbe2ed6ba7ced9fb Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 5 Jan 2016 21:47:55 +0100 Subject: krebs.backup.plans.*.{snapshots,startAt} += default --- tv/2configs/backup.nix | 21 --------------------- 1 file changed, 21 deletions(-) (limited to 'tv') diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 51d3bb8a7..4b31bc844 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -4,20 +4,8 @@ with lib; krebs.backup.plans = addNames { xu-test-cd = { method = "push"; - src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; }; dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; }; - - #startAt = "0,6,12,18:00"; - startAt = "minutely"; - snapshots = { - minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; }; - hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; }; #xu-test-wu = { # method = "push"; @@ -27,15 +15,6 @@ with lib; method = "pull"; src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; }; dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; }; - startAt = "minutely"; - snapshots = { - minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; }; - hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; }; }; -- cgit v1.3.1 From b44615eebec6055f3b49a8170354ce4bb3213cb4 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 5 Jan 2016 22:35:05 +0100 Subject: tv backup: wu:/home → xu:/bku/wu-home @ 05:00 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- krebs/3modules/tv/default.nix | 1 + tv/2configs/backup.nix | 23 ++++++++++------------- 2 files changed, 11 insertions(+), 13 deletions(-) (limited to 'tv') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 6fd1c4224..31c1a375a 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -247,6 +247,7 @@ with lib; }; }; secure = true; + ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; }; xu = { diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 4b31bc844..ce937a744 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -2,20 +2,17 @@ with lib; { krebs.backup.plans = addNames { - xu-test-cd = { + wu-home-xu = { method = "push"; - src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; }; - dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; }; + src = { host = config.krebs.hosts.wu; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; }; + startAt = "05:00"; + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; }; - #xu-test-wu = { - # method = "push"; - # dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; }; - #}; - cd-test-xu = { - method = "pull"; - src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; }; - dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; }; - }; - }; } -- cgit v1.3.1 From 417cb0a8736780568f9fa67ff32b7d47040ba5e3 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 15:45:41 +0100 Subject: tv pulse: lol tmpfiles No combination of systemd options could be identified to automatically restart systemd-tmpfiles-setup.service whenever pulse.service gets started, so deploying systemd.services.pulse to a running system will leave pulse.service in a failed state. --- tv/2configs/pulse.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'tv') diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix index 3db3532d5..c12c3c531 100644 --- a/tv/2configs/pulse.nix +++ b/tv/2configs/pulse.nix @@ -35,11 +35,6 @@ let in { - systemd.tmpfiles.rules = [ - "d ${runDir} 0750 pulse pulse - -" - "d ${runDir}/home 0700 pulse pulse - -" - ]; - system.activationScripts.pulseaudio-hack = '' ln -fns ${clientConf} /etc/pulse/client.conf ''; @@ -65,6 +60,12 @@ in }; serviceConfig = { ExecStart = "${pkg}/bin/pulseaudio"; + ExecStartPre = pkgs.writeScript "pulse-start" '' + #! /bin/sh + install -o pulse -g pulse -m 0750 -d ${runDir} + install -o pulse -g pulse -m 0700 -d ${runDir}/home + ''; + PermissionsStartOnly = "true"; User = "pulse"; }; }; -- cgit v1.3.1 From 7c97b64549913863498c4dca214cd9a890a0d00c Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 15:48:16 +0100 Subject: tv pulse: explain pulseaudio-hack --- tv/2configs/pulse.nix | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'tv') diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix index c12c3c531..55ee8d8e4 100644 --- a/tv/2configs/pulse.nix +++ b/tv/2configs/pulse.nix @@ -1,5 +1,6 @@ { config, lib, pkgs, ... }: +with lib; let pkg = pkgs.pulseaudioLight; runDir = "/run/pulse"; @@ -35,14 +36,13 @@ let in { - system.activationScripts.pulseaudio-hack = '' - ln -fns ${clientConf} /etc/pulse/client.conf - ''; - environment = { etc = { "asound.conf".source = alsaConf; - #"pulse/client.conf" = lib.mkForce { source = clientConf; }; + # XXX mkForce is not strong enough (and neither is mkOverride) to create + # /etc/pulse/client.conf, see pulseaudio-hack below for a solution. + #"pulse/client.conf" = mkForce { source = clientConf; }; + #"pulse/client.conf".source = mkForce clientConf; "pulse/default.pa".source = configFile; }; systemPackages = [ pkg ]; @@ -51,12 +51,15 @@ in # Allow PulseAudio to get realtime priority using rtkit. security.rtkit.enable = true; + system.activationScripts.pulseaudio-hack = '' + ln -fns ${clientConf} /etc/pulse/client.conf + ''; + systemd.services.pulse = { wantedBy = [ "sound.target" ]; before = [ "sound.target" ]; environment = { PULSE_RUNTIME_PATH = "${runDir}/home"; - #DISPLAY = ":${toString config.services.xserver.display}"; }; serviceConfig = { ExecStart = "${pkg}/bin/pulseaudio"; -- cgit v1.3.1 From f648c930fe2da2760b86c4bcf35b9e05803b8534 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 15:51:41 +0100 Subject: tv: install pavucontrol only when xserver is enabled --- tv/2configs/pulse.nix | 6 +++++- tv/2configs/xserver/default.nix | 1 - 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'tv') diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix index 55ee8d8e4..e1894ca64 100644 --- a/tv/2configs/pulse.nix +++ b/tv/2configs/pulse.nix @@ -45,7 +45,11 @@ in #"pulse/client.conf".source = mkForce clientConf; "pulse/default.pa".source = configFile; }; - systemPackages = [ pkg ]; + systemPackages = [ + pkg + ] ++ optionals config.services.xserver.enable [ + pkgs.pavucontrol + ]; }; # Allow PulseAudio to get realtime priority using rtkit. diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix index facde4e76..5cd17aa1d 100644 --- a/tv/2configs/xserver/default.nix +++ b/tv/2configs/xserver/default.nix @@ -37,7 +37,6 @@ let pkgs.ff pkgs.gitAndTools.qgit pkgs.mpv - pkgs.pavucontrol pkgs.slock pkgs.sxiv pkgs.xsel -- cgit v1.3.1 From 06906064662b4e8163bef70b5b02f1001bedba17 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 15:53:33 +0100 Subject: nomic: use pulse and xserver --- tv/1systems/nomic.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'tv') diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 0c6c935a3..7bc7b70d2 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -11,6 +11,8 @@ with lib; ../2configs/hw/AO753.nix #../2configs/consul-server.nix ../2configs/git.nix + ../2configs/pulse.nix + ../2configs/xserver { tv.iptables = { enable = true; -- cgit v1.3.1 From df017132338d1c22adbc414a301e879035e5ba4f Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 15:54:44 +0100 Subject: tv nixpkgs: c44a593 -> b7ff030 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index c300633bb..17e260b56 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -11,7 +11,7 @@ with lib; source = { git.nixpkgs = { url = mkDefault https://github.com/NixOS/nixpkgs; - rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613"; + rev = mkDefault "b7ff0301d6f26bd8419e888fd0e129f3dc8bd328"; target-path = mkDefault "/var/src/nixpkgs"; }; dir.secrets = { -- cgit v1.3.1 From 780ddec4ab268fbfd43ea9bf511ed4b3b0d35783 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 16:31:48 +0100 Subject: tv ssh_config: UseRoaming=no --- tv/2configs/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 17e260b56..d3a1778f0 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -142,7 +142,12 @@ with lib; ''; }; - programs.ssh.startAgent = false; + programs.ssh = { + extraConfig = '' + UseRoaming no + ''; + startAgent = false; + }; } { -- cgit v1.3.1 From 3718289010117943a7ee79ef87c07d4a867215d8 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 14 Jan 2016 17:11:08 +0100 Subject: tv vim hs syn region String start: bump --- tv/2configs/vim.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 0537fa7d8..bab949270 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -89,7 +89,7 @@ let \ | hi Normal ctermfg=White au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" '' - syn region String start=+\[[^|]*|+ end=+|]+ + syn region String start=+\[[[:alnum:]]*|+ end=+|]+ ''} au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" '' -- cgit v1.3.1 From b523df7a6ce1099ac36ccec54f6df117aa573ea5 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 17 Jan 2016 21:31:36 +0100 Subject: lentil: RIP; upstream is good enough --- krebs/5pkgs/lentil/default.nix | 15 --------------- krebs/5pkgs/lentil/syntaxes.patch | 11 ----------- tv/1systems/wu.nix | 2 +- 3 files changed, 1 insertion(+), 27 deletions(-) delete mode 100644 krebs/5pkgs/lentil/default.nix delete mode 100644 krebs/5pkgs/lentil/syntaxes.patch (limited to 'tv') diff --git a/krebs/5pkgs/lentil/default.nix b/krebs/5pkgs/lentil/default.nix deleted file mode 100644 index fc9b4fd31..000000000 --- a/krebs/5pkgs/lentil/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ pkgs, ... }: - -(pkgs.haskellngPackages.override { - overrides = self: super: { - lentil = super.lentil.override { - mkDerivation = (attrs: self.mkDerivation (attrs // { - version = "0.1.3.0"; - sha256 = "0xa59avh0bvfg69xh9p5b8dppfhx29mvfq8v41sk9j7qbcnzjivg"; - patches = [ - ./syntaxes.patch - ]; - })); - }; - }; -}).lentil diff --git a/krebs/5pkgs/lentil/syntaxes.patch b/krebs/5pkgs/lentil/syntaxes.patch deleted file mode 100644 index a9390ae51..000000000 --- a/krebs/5pkgs/lentil/syntaxes.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -rN -u old-lentil/src/Lentil/Parse/Syntaxes.hs new-lentil/src/Lentil/Parse/Syntaxes.hs ---- old-lentil/src/Lentil/Parse/Syntaxes.hs 2015-07-20 23:15:38.600539779 +0200 -+++ new-lentil/src/Lentil/Parse/Syntaxes.hs 2015-07-20 23:15:38.600539779 +0200 -@@ -30,6 +30,7 @@ - | ext `elem` [".pas", ".pp", ".inc"] = Just pascal - | ext `elem` [".py"] = Just python - | ext `elem` [".rb"] = Just ruby -+ | ext `elem` [".nix"] = Just perl -- Nix - | ext `elem` [".pl", ".pm", ".t"] = Just perl - | ext `elem` [".sh"] = Just perl -- shell - | ext `elem` [".txt"] = Just text diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 54ceb7783..3bdf8d37a 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -18,7 +18,7 @@ with lib; # stockholm gnumake hashPassword - lentil + haskellPackages.lentil parallel (pkgs.writeScriptBin "im" '' #! ${pkgs.bash}/bin/bash -- cgit v1.3.1 From 14e45bda122bf73e70a2f8c822b88cf1b68f4f52 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 18 Jan 2016 00:48:00 +0100 Subject: tv ejabberd: init at 2.1.13 --- tv/5pkgs/default.nix | 3 +++ tv/5pkgs/ejabberd/default.nix | 28 ++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 tv/5pkgs/ejabberd/default.nix (limited to 'tv') diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 2108d972c..be10e91eb 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -11,6 +11,9 @@ --disk-cache-size=50000000 \ "%@" ''; + ejabberd = pkgs.callPackage ./ejabberd { + erlang = pkgs.erlangR16; + }; ff = pkgs.callPackage ./ff {}; viljetic-pages = pkgs.callPackage ./viljetic-pages {}; xmonad-tv = diff --git a/tv/5pkgs/ejabberd/default.nix b/tv/5pkgs/ejabberd/default.nix new file mode 100644 index 000000000..3a77c5cd1 --- /dev/null +++ b/tv/5pkgs/ejabberd/default.nix @@ -0,0 +1,28 @@ +{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}: + +stdenv.mkDerivation rec { + version = "2.1.13"; + name = "ejabberd-${version}"; + src = fetchurl { + url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz"; + sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8"; + }; + buildInputs = [ expat erlang zlib openssl pam ]; + patchPhase = '' + sed -i \ + -e "s|erl \\\|${erlang}/bin/erl \\\|" \ + -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \ + src/ejabberdctl.template + ''; + preConfigure = '' + cd src + ''; + configureFlags = ["--enable-pam"]; + + meta = { + description = "Open-source XMPP application server written in Erlang"; + license = stdenv.lib.licenses.gpl2; + homepage = http://www.ejabberd.im; + maintainers = [ lib.maintainers.sander ]; + }; +} -- cgit v1.3.1 From 1a4437cb26a29400d33486d6c8a220a9e88f4132 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 28 Jan 2016 13:49:14 +0100 Subject: tv nixpkgs: b7ff030 -> 77f8f35 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index d3a1778f0..dc55a4330 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -11,7 +11,7 @@ with lib; source = { git.nixpkgs = { url = mkDefault https://github.com/NixOS/nixpkgs; - rev = mkDefault "b7ff0301d6f26bd8419e888fd0e129f3dc8bd328"; + rev = mkDefault "77f8f35d57618c1ba456d968524f2fb2c3448295"; target-path = mkDefault "/var/src/nixpkgs"; }; dir.secrets = { -- cgit v1.3.1 From c3c4aac670cf0ac26340061cef1527b3d7f64386 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 03:00:48 +0100 Subject: make deploy2: deploy using nixos-rebuild switch --- .rsync-filter | 2 + Makefile | 19 ++++++++ krebs/3modules/build.nix | 109 ++++++++++++++++++++++++++++--------------- krebs/default.nix | 7 ++- krebs/populate.nix | 115 ++++++++++++++++++++++++++++++++++++++++++++++ nixpkgs/default.nix | 1 + nixpkgs/nixos/default.nix | 65 ++++++++++++++++++++++++++ nixpkgs/nixos/modules | 1 + tv/1systems/cd.nix | 5 ++ tv/2configs/default.nix | 36 +++++++-------- 10 files changed, 302 insertions(+), 58 deletions(-) create mode 100644 .rsync-filter create mode 100644 krebs/populate.nix create mode 100644 nixpkgs/default.nix create mode 100644 nixpkgs/nixos/default.nix create mode 120000 nixpkgs/nixos/modules (limited to 'tv') diff --git a/.rsync-filter b/.rsync-filter new file mode 100644 index 000000000..d7657cd00 --- /dev/null +++ b/.rsync-filter @@ -0,0 +1,2 @@ +- /.git +- /.graveyard diff --git a/Makefile b/Makefile index 5b898c54c..3798240e1 100644 --- a/Makefile +++ b/Makefile @@ -26,6 +26,25 @@ deploy infest:;@ export filter=json make -s eval | sh +.PHONY: deploy2 +ifdef target +deploy2: export target-host = $(target) +else +deploy2: export target-host = $(system) +endif +deploy2:;@ + target=$${target-$$system} + result=$$(nix-instantiate \ + --json \ + --eval \ + krebs/populate.nix \ + --arg source 'with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; assert source-version == 2; source' \ + --argstr target-host "$$target" \ + --argstr target-path /var/src) + script=$$(echo "$$result" | jq -r .) + echo "$$script" | sh + ssh root@$$target nixos-rebuild switch -I /var/src + .PHONY: eval eval: @ diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 7f004cd81..0f8aec89d 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -28,48 +28,83 @@ let type = types.user; }; - options.krebs.build.source.dir = mkOption { - type = let - default-host = config.krebs.current.host; - in types.attrsOf (types.submodule ({ config, ... }: { - options = { - host = mkOption { - type = types.host; - default = default-host; - }; - path = mkOption { - type = types.str; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - url = mkOption { - type = types.str; - default = "file://${config.host.name}${config.path}"; - }; - }; - })); - default = {}; + options.krebs.build.source-version = mkOption { + type = types.enum [ 1 2 ]; + default = 1; }; - options.krebs.build.source.git = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - url = mkOption { - type = types.str; # TODO must be shell safe - }; - rev = mkOption { - type = types.str; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; + options.krebs.build.source = getAttr "v${toString config.krebs.build.source-version}" { + v1 = { + dir = mkOption { + type = let + default-host = config.krebs.current.host; + in types.attrsOf (types.submodule ({ config, ... }: { + options = { + host = mkOption { + type = types.host; + default = default-host; + }; + path = mkOption { + type = types.str; + }; + target-path = mkOption { + type = types.str; + default = "/root/${config._module.args.name}"; + }; + url = mkOption { + type = types.str; + default = "file://${config.host.name}${config.path}"; + }; + }; + })); + default = {}; + }; + + git = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + url = mkOption { + type = types.str; # TODO must be shell safe + }; + rev = mkOption { + type = types.str; + }; + target-path = mkOption { + type = types.str; + default = "/root/${config._module.args.name}"; + }; + }; + })); + default = {}; + }; + }; + + v2 = let + raw = types.either types.str types.path; + url = types.submodule { + options = { + url = mkOption { + type = types.str; + }; + rev = mkOption { + type = types.str; + }; + dev = mkOption { + type = types.str; + }; }; }; - })); - default = {}; + in mkOption { + type = types.attrsOf (types.either types.str url); + apply = let f = mapAttrs (_: value: { + string = value; + path = toString value; + set = f value; + }.${typeOf value}); in f; + default = {}; + }; }; + }; in out diff --git a/krebs/default.nix b/krebs/default.nix index 15d0e8e2e..2cdecaccb 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -171,9 +171,12 @@ let out = { ${b} ''; - get-config = system: - stockholm.users.${current-user-name}.${system}.config + get-config = system: let + config = stockholm.users.${current-user-name}.${system}.config or (abort "unknown system: ${system}, user: ${current-user-name}"); + in + assert config.krebs.build.source-version == 1; + config; nix-install = { system ? current-host-name diff --git a/krebs/populate.nix b/krebs/populate.nix new file mode 100644 index 000000000..9994fda82 --- /dev/null +++ b/krebs/populate.nix @@ -0,0 +1,115 @@ +{ source +, target-user ? "root" +, target-host +, target-path ? "/var/src" +}: +with import ; +with import ~/stockholm/krebs/4lib { + lib = import ; +}; +with builtins; +let + out = '' + #! /bin/sh + set -efu + + echo ${shell.escape git-script} \ + | ssh ${shell.escape "${target-user}@${target-host}"} -T + + tmpdir=$(mktemp -dt stockholm.XXXXXXXX) + trap ' + set +f + rm "$tmpdir"/* + rmdir "$tmpdir" + trap - EXIT INT QUIT + ' EXIT INT QUIT + ${concatStringsSep "\n" + (mapAttrsToList + (name: spec: let dst = removePrefix "symlink:" (get-url spec); in + "ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") + symlink-specs)} + + proot \ + -b $tmpdir:${shell.escape target-path} \ + ${concatStringsSep " \\\n " + (mapAttrsToList + (name: spec: + "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}") + file-specs)} \ + rsync \ + -f ${shell.escape "P /*"} \ + ${concatMapStringsSep " \\\n " + (name: "-f ${shell.escape "R /${name}"}") + (attrNames file-specs)} \ + --delete \ + -vFrlptD \ + ${shell.escape target-path}/ \ + ${shell.escape "${target-user}@${target-host}:${target-path}"} + ''; + + get-schema = uri: + if substring 0 1 uri == "/" + then "file" + else head (splitString ":" uri); + + has-schema = schema: uri: get-schema uri == schema; + + get-url = spec: { + string = spec; + path = toString spec; + set = get-url spec.url; + }.${typeOf spec}; + + git-specs = + filterAttrs (_: spec: has-schema "https" (get-url spec)) source // + filterAttrs (_: spec: has-schema "http" (get-url spec)) source // + filterAttrs (_: spec: has-schema "git" (get-url spec)) source; + + file-specs = + filterAttrs (_: spec: has-schema "file" (get-url spec)) source; + + symlink-specs = + filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; + + git-script = '' + fetch_git() {( + dst_dir=$1 + src_url=$2 + src_ref=$3 + + if ! test -e "$dst_dir"; then + git clone "$src_url" "$dst_dir" + fi + + cd "$dst_dir" + + if ! url=$(git config remote.origin.url); then + git remote add origin "$src_url" + elif test "$url" != "$src_url"; then + git remote set-url origin "$src_url" + fi + + # TODO resolve src_ref to commit hash + hash=$src_ref + + if ! test "$(git log --format=%H -1)" = "$hash"; then + git fetch origin + git checkout "$hash" -- "$dst_dir" + git checkout "$hash" + fi + + git clean -dxf + )} + + ${concatStringsSep "\n" + (mapAttrsToList + (name: spec: toString (map shell.escape [ + "fetch_git" + "${target-path}/${name}" + spec.url + spec.rev + ])) + git-specs)} + ''; + +in out diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix new file mode 100644 index 000000000..92da82c35 --- /dev/null +++ b/nixpkgs/default.nix @@ -0,0 +1 @@ +import diff --git a/nixpkgs/nixos/default.nix b/nixpkgs/nixos/default.nix new file mode 100644 index 000000000..6c5adf365 --- /dev/null +++ b/nixpkgs/nixos/default.nix @@ -0,0 +1,65 @@ +{ configuration ? import "NIXOS_CONFIG" +, system ? builtins.currentSystem +}: + +let + eval-config = modules: import { + inherit system; + modules = modules ++ [({ config, lib, ... }: with lib; { + imports = filter dir.has-default-nix (concatLists [ + (map (p: p + "/2configs") [ ]) + (map (p: p + "/3modules") [ ]) + ]); + + krebs.current = { + enable = true; + host = config.krebs.hosts.${readFile /proc/sys/kernel/hostname}; + user = config.krebs.users.${getEnv "LOGNAME"}; + }; + + nixpkgs.config.packageOverrides = pkgs: let + kpkgs = import { inherit lib pkgs; }; + upkgs = import { inherit lib; pkgs = pkgs // kpkgs; }; + in kpkgs // upkgs; + })]; + specialArgs = { + lib = let + nlib = import // builtins; + klib = nlib // import { lib = nlib; }; + ulib = klib // (with klib; let p = + "/4lib"; in + optionalAttrs (dir.has-default-nix p) + (import p { lib = klib; })); + in ulib; + }; + }; + + eval = eval-config [ + configuration + ]; + + # This is for `nixos-rebuild build-vm'. + vm = eval-config [ + configuration + + ]; + + # This is for `nixos-rebuild build-vm-with-bootloader'. + vm-with-bootloader = eval-config [ + configuration + + { virtualisation.useBootLoader = true; } + ]; +in + +{ + inherit (eval) config options; + + system = eval.config.system.build.toplevel; + + vm = vm.config.system.build.vm; + + vmWithBootLoader = vm-with-bootloader.config.system.build.vm; + + # The following are used by nixos-rebuild. + nixFallback = eval.pkgs.nixUnstable; +} diff --git a/nixpkgs/nixos/modules b/nixpkgs/nixos/modules new file mode 120000 index 000000000..8fbc4373e --- /dev/null +++ b/nixpkgs/nixos/modules @@ -0,0 +1 @@ +../../upstream-nixpkgs/nixos/modules \ No newline at end of file diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 8c2a9ae43..b69d7655a 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -6,6 +6,11 @@ with lib; krebs.build.host = config.krebs.hosts.cd; krebs.build.target = "root@cd.internet"; + krebs.build.source.upstream-nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "b7ff030"; + }; + imports = [ ../2configs/hw/CAC-Developer-2.nix ../2configs/fs/CAC-CentOS-7-64bit.nix diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index dc55a4330..e7197c4c4 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -8,20 +8,23 @@ with lib; krebs.build = { user = config.krebs.users.tv; target = mkDefault "root@${config.krebs.build.host.name}"; - source = { - git.nixpkgs = { - url = mkDefault https://github.com/NixOS/nixpkgs; - rev = mkDefault "77f8f35d57618c1ba456d968524f2fb2c3448295"; - target-path = mkDefault "/var/src/nixpkgs"; + source-version = 2; + source = mapAttrs (_: mkDefault) ({ + nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix"; + nixpkgs = symlink:stockholm-nixpkgs; + secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; + secrets-common = "/home/tv/secrets/common"; + stockholm-krebs = "/home/tv/stockholm/krebs"; + stockholm-nixpkgs = "/home/tv/stockholm/nixpkgs"; + stockholm-private = "/home/tv/stockholm/tv"; + upstream-nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "77f8f35d57618c1ba456d968524f2fb2c3448295"; + dev = "/home/tv/nixpkgs"; }; - dir.secrets = { - path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}"; - }; - dir.stockholm = { - path = mkDefault "/home/tv/stockholm"; - target-path = mkDefault "/var/src/stockholm"; - }; - }; + } // optionalAttrs config.krebs.build.host.secure { + secrets-master = "/home/tv/secrets/master"; + }); }; networking.hostName = config.krebs.build.host.name; @@ -98,12 +101,7 @@ with lib; }; environment.variables = { - NIX_PATH = - with config.krebs.build.source; with dir; with git; - mkForce (concatStringsSep ":" [ - "nixpkgs=${nixpkgs.target-path}" - "secrets=${stockholm.target-path}/null" - ]); + NIX_PATH = mkForce "/var/src"; }; programs.bash = { -- cgit v1.3.1 From 36caa1771b5e3ca4e5c18531605b315311c34643 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 03:11:17 +0100 Subject: xu: use upstream lentil --- tv/1systems/xu.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 1f3e010a4..e6894b55e 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -21,7 +21,7 @@ with lib; # stockholm gnumake hashPassword - lentil + haskellPackages.lentil parallel (pkgs.writeScriptBin "im" '' #! ${pkgs.bash}/bin/bash -- cgit v1.3.1 From 8217472e99ad5c9392a4da443dd2fe66343c8668 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 03:31:24 +0100 Subject: tv config: isUser root == true --- tv/2configs/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index e7197c4c4..310077021 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -180,7 +180,8 @@ with lib; { systemd.tmpfiles.rules = let forUsers = flip map users; - isUser = { group, ... }: hasSuffix "users" group; + isUser = { name, group, ... }: + name == "root" || hasSuffix "users" group; users = filter isUser (mapAttrsToList (_: id) config.users.users); in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -"); environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME"; -- cgit v1.3.1 From f6a4131daecd6e5c1a0727adbcac43ba8530ec13 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:13:46 +0100 Subject: tv exim-retiolum: init --- tv/1systems/nomic.nix | 7 +------ tv/1systems/wu.nix | 5 +---- tv/1systems/xu.nix | 8 +------- tv/2configs/exim-retiolum.nix | 5 +++++ 4 files changed, 8 insertions(+), 17 deletions(-) create mode 100644 tv/2configs/exim-retiolum.nix (limited to 'tv') diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 7bc7b70d2..145e9b236 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -5,11 +5,9 @@ with lib; { krebs.build.host = config.krebs.hosts.nomic; - krebs.build.target = "root@nomic.gg23"; - imports = [ ../2configs/hw/AO753.nix - #../2configs/consul-server.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/pulse.nix ../2configs/xserver @@ -24,9 +22,6 @@ with lib; ]; }; } - { - krebs.exim-retiolum.enable = true; - } { krebs.nginx = { enable = true; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 3bdf8d37a..47fdb2092 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -7,7 +7,7 @@ with lib; imports = [ ../2configs/hw/w110er.nix - #../2configs/consul-client.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/pulse.nix @@ -134,9 +134,6 @@ with lib; ]; }; } - { - krebs.exim-retiolum.enable = true; - } { krebs.nginx = { enable = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index e6894b55e..12c115eb8 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -5,12 +5,9 @@ with lib; { krebs.build.host = config.krebs.hosts.xu; - krebs.build.source.git.nixpkgs.rev = - "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a"; - imports = [ ../2configs/hw/x220.nix - #../2configs/consul-client.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/pulse.nix @@ -135,9 +132,6 @@ with lib; ]; }; } - { - krebs.exim-retiolum.enable = true; - } { krebs.nginx = { enable = true; diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix new file mode 100644 index 000000000..1af72c28f --- /dev/null +++ b/tv/2configs/exim-retiolum.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + krebs.exim-retiolum.enable = true; +} -- cgit v1.3.1 From a7e1709a466cee24783e20b6219ef5112b00e8c9 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:18:07 +0100 Subject: tv nginx-public_html: init --- tv/1systems/nomic.nix | 11 +---------- tv/1systems/wu.nix | 11 +---------- tv/1systems/xu.nix | 11 +---------- tv/2configs/nginx-public_html.nix | 14 ++++++++++++++ 4 files changed, 17 insertions(+), 30 deletions(-) create mode 100644 tv/2configs/nginx-public_html.nix (limited to 'tv') diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 145e9b236..64fe5a635 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -9,6 +9,7 @@ with lib; ../2configs/hw/AO753.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/xserver { @@ -22,16 +23,6 @@ with lib; ]; }; } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } { krebs.retiolum = { enable = true; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 47fdb2092..6dd051210 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -10,6 +10,7 @@ with lib; ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/xserver { @@ -134,16 +135,6 @@ with lib; ]; }; } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } { krebs.retiolum = { enable = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 12c115eb8..409129581 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -10,6 +10,7 @@ with lib; ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/xserver { @@ -132,16 +133,6 @@ with lib; ]; }; } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } { krebs.retiolum = { enable = true; diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix new file mode 100644 index 000000000..50c623915 --- /dev/null +++ b/tv/2configs/nginx-public_html.nix @@ -0,0 +1,14 @@ +{ lib, ... }: + +with lib; + +{ + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; +} -- cgit v1.3.1 From d6ded00d012d4fb2a2a0a824604b25dac35ee349 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:32:04 +0100 Subject: tv retiolum: init --- tv/1systems/cd.nix | 11 +---------- tv/1systems/nomic.nix | 10 +--------- tv/1systems/wu.nix | 10 +--------- tv/1systems/xu.nix | 11 +---------- tv/2configs/retiolum.nix | 16 ++++++++++++++++ 5 files changed, 20 insertions(+), 38 deletions(-) create mode 100644 tv/2configs/retiolum.nix (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index b69d7655a..da44f5077 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -17,6 +17,7 @@ with lib; #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix + ../2configs/retiolum.nix ../2configs/urlwatch.nix { imports = [ ../2configs/charybdis.nix ]; @@ -77,16 +78,6 @@ with lib; ''); }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } ]; networking.interfaces.enp2s1.ip4 = [ diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 64fe5a635..b7e77e973 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -11,6 +11,7 @@ with lib; ../2configs/git.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { tv.iptables = { @@ -23,15 +24,6 @@ with lib; ]; }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 6dd051210..f52bbc091 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -12,6 +12,7 @@ with lib; ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ @@ -135,15 +136,6 @@ with lib; ]; }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 409129581..54e16868f 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -12,6 +12,7 @@ with lib; ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ @@ -133,16 +134,6 @@ with lib; ]; }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "cd" - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix new file mode 100644 index 000000000..91fe81d69 --- /dev/null +++ b/tv/2configs/retiolum.nix @@ -0,0 +1,16 @@ +{ config, lib, ... }: + +with lib; + +{ + krebs.retiolum = { + enable = true; + connectTo = filter (ne config.krebs.build.host.name) [ + "gum" + "prism" + "echelon" + "cd" + "ire" + ]; + }; +} -- cgit v1.3.1 From bb1dbae8187601cea2ddfbdcdc9baa456bc5b4ab Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:40:25 +0100 Subject: tv: open ssh port by default --- tv/1systems/cd.nix | 4 ---- tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 1 - tv/2configs/default.nix | 5 +++++ 5 files changed, 5 insertions(+), 7 deletions(-) (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index da44f5077..6db78ca89 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -41,7 +41,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "tinc" "smtp" "xmpp-client" @@ -58,10 +57,7 @@ with lib; "cgit.cd.krebsco.de" "cgit.cd.viljetic.de" ]; - } - { # TODO make public_html also available to cd, cd.retiolum (AKA default) - tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index b7e77e973..f176a5f23 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -17,7 +17,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "http" "tinc" "smtp" diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index f52bbc091..16709052b 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -129,7 +129,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "http" "tinc" "smtp" diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 54e16868f..c6f1a393e 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -127,7 +127,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "http" "tinc" "smtp" diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 310077021..abe9d3de8 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -162,6 +162,10 @@ with lib; }; } + { + tv.iptables.enable = true; + } + { services.openssh = { enable = true; @@ -169,6 +173,7 @@ with lib; { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "ssh"; } { -- cgit v1.3.1 From b172630f894362dc32cb6af7d5c9d44902ec5752 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:44:19 +0100 Subject: tv retiolum: open tinc port --- tv/1systems/cd.nix | 1 - tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 1 - tv/2configs/retiolum.nix | 1 + 5 files changed, 1 insertion(+), 4 deletions(-) (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 6db78ca89..783d23ca9 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -41,7 +41,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "tinc" "smtp" "xmpp-client" "xmpp-server" diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index f176a5f23..6f2c41823 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -18,7 +18,6 @@ with lib; enable = true; input-internet-accept-new-tcp = [ "http" - "tinc" "smtp" ]; }; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 16709052b..7635f6162 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -130,7 +130,6 @@ with lib; enable = true; input-internet-accept-new-tcp = [ "http" - "tinc" "smtp" ]; }; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index c6f1a393e..91b761d24 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -128,7 +128,6 @@ with lib; enable = true; input-internet-accept-new-tcp = [ "http" - "tinc" "smtp" ]; }; diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index 91fe81d69..d2bb9e6cf 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -13,4 +13,5 @@ with lib; "ire" ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "tinc"; } -- cgit v1.3.1 From d85c70d1d669636fe2fcbb1179dca2c4aecb0802 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:46:33 +0100 Subject: tv nginx-public_html: open http port --- tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 1 - tv/2configs/nginx-public_html.nix | 1 + 4 files changed, 1 insertion(+), 3 deletions(-) (limited to 'tv') diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 6f2c41823..2b71a974e 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -17,7 +17,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "http" "smtp" ]; }; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 7635f6162..a51e0e678 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -129,7 +129,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "http" "smtp" ]; }; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 91b761d24..847b57249 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -127,7 +127,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "http" "smtp" ]; }; diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix index 50c623915..dc74f7f8d 100644 --- a/tv/2configs/nginx-public_html.nix +++ b/tv/2configs/nginx-public_html.nix @@ -11,4 +11,5 @@ with lib; '') ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "http"; } -- cgit v1.3.1 From fe025213ea5c15012fd83f1064269a315a2d576a Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:50:00 +0100 Subject: tv exim-retiolum: open smtp port to retiolum --- tv/1systems/nomic.nix | 8 -------- tv/1systems/wu.nix | 8 -------- tv/1systems/xu.nix | 8 -------- tv/2configs/exim-retiolum.nix | 5 ++++- 4 files changed, 4 insertions(+), 25 deletions(-) (limited to 'tv') diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 2b71a974e..37ef204c7 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -13,14 +13,6 @@ with lib; ../2configs/pulse.nix ../2configs/retiolum.nix ../2configs/xserver - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "smtp" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index a51e0e678..aef8ca761 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -125,14 +125,6 @@ with lib; unison ]; } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "smtp" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 847b57249..31a8a3e99 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -123,14 +123,6 @@ with lib; unison ]; } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "smtp" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 1af72c28f..aedf25823 100644 --- a/tv/2configs/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix @@ -1,5 +1,8 @@ -{ ... }: +{ lib, ... }: + +with lib; { krebs.exim-retiolum.enable = true; + tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp"; } -- cgit v1.3.1 From b58f37ce3833b7800c0a9ec83367dc888ea571b3 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:53:16 +0100 Subject: tv exim-smarthost: open smtp port --- tv/1systems/cd.nix | 1 - tv/2configs/exim-smarthost.nix | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 783d23ca9..1d9457600 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -41,7 +41,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "smtp" "xmpp-client" "xmpp-server" ]; diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index f5f63d284..bcfea7821 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; { krebs.exim-smarthost = { @@ -34,4 +36,5 @@ { from = "mirko"; to = "mv"; } ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "smtp"; } -- cgit v1.3.1 From 0c1a2d11b18c73ddc7fdb429e0d09dcffa3906f8 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:56:10 +0100 Subject: cd: redistribute iptable rules --- tv/1systems/cd.nix | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 1d9457600..27e94aef0 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -31,6 +31,10 @@ with lib; enable = true; hosts = [ "jabber.viljetic.de" ]; }; + tv.iptables.input-internet-accept-new-tcp = [ + "xmpp-client" + "xmpp-server" + ]; } { krebs.github-hosts-sync.enable = true; @@ -38,19 +42,6 @@ with lib; singleton config.krebs.github-hosts-sync.port; } { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "xmpp-client" - "xmpp-server" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.cgit.server-names = [ "cgit.cd.krebsco.de" "cgit.cd.viljetic.de" @@ -62,8 +53,6 @@ with lib; alias /home/$1/public_html$2; ''); }; - } - { krebs.nginx.servers.viljetic = { server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) @@ -71,6 +60,7 @@ with lib; root ${pkgs.viljetic-pages}; ''); }; + tv.iptables.input-internet-accept-new-tcp = singleton "http"; } ]; -- cgit v1.3.1 From 7dbfc126fb329a67d68b32803e866ba9f0e7b2f0 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 15:34:22 +0100 Subject: tv git public-repos += with-tmpdir --- tv/2configs/git.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'tv') diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index 800deff1b..5e0f95c15 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix @@ -39,6 +39,7 @@ let stockholm = { desc = "take all the computers hostage, they'll love you!"; }; + with-tmpdir = {}; } // mapAttrValues (setAttr "section" "2. Haskell libraries") { blessings = {}; mime = {}; -- cgit v1.3.1 From 03e5d03c129190451e1431fac6aae70f745812f9 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 19:17:19 +0100 Subject: tv config: use null for dummy secrets --- tv/2configs/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index abe9d3de8..777cd4ea3 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -12,6 +12,7 @@ with lib; source = mapAttrs (_: mkDefault) ({ nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix"; nixpkgs = symlink:stockholm-nixpkgs; + null = "/home/tv/stockholm/null"; secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; secrets-common = "/home/tv/secrets/common"; stockholm-krebs = "/home/tv/stockholm/krebs"; @@ -101,7 +102,7 @@ with lib; }; environment.variables = { - NIX_PATH = mkForce "/var/src"; + NIX_PATH = mkForce "secrets=/var/src/null:/var/src"; }; programs.bash = { -- cgit v1.3.1 From 28382e43e0df74a6b10bfcf23465d8415fa86460 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 19:51:01 +0100 Subject: tv: RIP consul --- tv/1systems/cd.nix | 1 - tv/1systems/mkdir.nix | 1 - tv/1systems/rmdir.nix | 1 - tv/2configs/consul-client.nix | 9 ---- tv/2configs/consul-server.nix | 21 -------- tv/3modules/consul.nix | 118 ------------------------------------------ tv/3modules/default.nix | 1 - 7 files changed, 152 deletions(-) delete mode 100644 tv/2configs/consul-client.nix delete mode 100644 tv/2configs/consul-server.nix delete mode 100644 tv/3modules/consul.nix (limited to 'tv') diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 27e94aef0..e42d5750a 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -14,7 +14,6 @@ with lib; imports = [ ../2configs/hw/CAC-Developer-2.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix ../2configs/retiolum.nix diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index 9d8a0bcfa..79e5f73b9 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -22,7 +22,6 @@ in imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix { diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 1f1d975c9..6fd79c596 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -23,7 +23,6 @@ in imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix { diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix deleted file mode 100644 index 0a8bf4d75..000000000 --- a/tv/2configs/consul-client.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ ./consul-server.nix ]; - - tv.consul = { - server = pkgs.lib.mkForce false; - }; -} diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix deleted file mode 100644 index d10f9ea75..000000000 --- a/tv/2configs/consul-server.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, ... }: - -{ - tv.consul = rec { - enable = true; - - self = config.krebs.build.host; - inherit (self) dc; - - server = true; - - hosts = with config.krebs.hosts; [ - # TODO get this list automatically from each host where tv.consul.enable is true - cd - mkdir - nomic - rmdir - #wu - ]; - }; -} diff --git a/tv/3modules/consul.nix b/tv/3modules/consul.nix deleted file mode 100644 index 5c955fdb5..000000000 --- a/tv/3modules/consul.nix +++ /dev/null @@ -1,118 +0,0 @@ -{ config, lib, pkgs, ... }: - -# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect -# but -bootstrap -# TODO consul-bootstrap HOST that actually does is -# TODO tools to inspect state of a cluster in outage state - -with lib; -let - cfg = config.tv.consul; - - out = { - options.tv.consul = api; - config = mkIf cfg.enable (mkMerge [ - imp - { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; } - # TODO udp for 8301 - ]); - }; - - api = { - enable = mkEnableOption "tv.consul"; - - dc = mkOption { - type = types.label; - }; - hosts = mkOption { - type = with types; listOf host; - }; - encrypt-file = mkOption { - type = types.str; # TODO path (but not just into store) - default = toString ; - }; - data-dir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/consul"; - }; - self = mkOption { - type = types.host; - }; - server = mkOption { - type = types.bool; - default = false; - }; - GOMAXPROCS = mkOption { - type = types.int; - default = cfg.self.cores; - }; - }; - - consul-config = { - datacenter = cfg.dc; - data_dir = cfg.data-dir; - log_level = "INFO"; - #node_name = - server = cfg.server; - enable_syslog = true; - retry_join = - # TODO allow consul in other nets than retiolum [maybe] - concatMap (host: host.nets.retiolum.addrs) - (filter (host: host.name != cfg.self.name) cfg.hosts); - leave_on_terminate = true; - } // optionalAttrs cfg.server { - bootstrap_expect = length cfg.hosts; - leave_on_terminate = false; - }; - - imp = { - environment.systemPackages = with pkgs; [ - consul - ]; - - systemd.services.consul = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ - consul - ]; - environment = { - GOMAXPROCS = toString cfg.GOMAXPROCS; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "consul"; - User = user.name; - PrivateTmp = "true"; - Restart = "always"; - ExecStartPre = pkgs.writeScript "consul-init" '' - #! /bin/sh - mkdir -p ${cfg.data-dir} - chown ${user.name}: ${cfg.data-dir} - install -o ${user.name} -m 0400 ${cfg.encrypt-file} /tmp/encrypt.json - ''; - ExecStart = pkgs.writeScript "consul-service" '' - #! /bin/sh - set -euf - exec >/dev/null - exec consul agent \ - -config-file=${toFile "consul.json" (toJSON consul-config)} \ - -config-file=/tmp/encrypt.json - ''; - #-node=${cfg.self.fqdn} \ - #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = rec { - name = "consul"; - uid = genid name; - }; - -in -out diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix index bb10d8261..f7889b245 100644 --- a/tv/3modules/default.nix +++ b/tv/3modules/default.nix @@ -2,7 +2,6 @@ _: { imports = [ - ./consul.nix ./ejabberd.nix ./iptables.nix ]; -- cgit v1.3.1 From d341d1ad1006d49299007c2210dfd8f9903ae21a Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:01:28 +0100 Subject: tv vim: drop noise --- tv/2configs/vim.nix | 5 ----- 1 file changed, 5 deletions(-) (limited to 'tv') diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index bab949270..83cc6e117 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -7,11 +7,6 @@ let vim ]; - # Nano really is just a stupid name for Vim. - nixpkgs.config.packageOverrides = pkgs: { - nano = pkgs.vim; - }; - environment.etc.vimrc.source = vimrc; environment.variables.EDITOR = mkForce "vim"; -- cgit v1.3.1 From ef0ce9065f312140cbcb51fc5102c4c5d4e80568 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:02:01 +0100 Subject: tv nix.vim: let b:current_syntax --- tv/2configs/vim.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'tv') diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 83cc6e117..23f90af05 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -105,6 +105,8 @@ let syn match String /"\([^\\"]\|\\.\)*"/ syn match Comment /\(^\|\s\)#.*/ + + let b:current_syntax = "nix" ''} au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile -- cgit v1.3.1 From ba4bfed2715cb3973f9dbaa6f0a6010c59121a54 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:05:12 +0100 Subject: wu: selectively allowUnfree nvidia-x11 --- tv/1systems/wu.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tv') diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index aef8ca761..2fa0e8ab7 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -157,7 +157,7 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfree = true; + nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name; hardware.bumblebee.enable = true; hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; -- cgit v1.3.1 From 34dcaa692382072889e7e796461933ff129d5a13 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:06:15 +0100 Subject: xu: don't unconditionally allowUnfree --- tv/1systems/xu.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'tv') diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 31a8a3e99..8c4af2bd3 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -155,7 +155,6 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfree = true; #hardware.bumblebee.enable = true; #hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; -- cgit v1.3.1 From 44b9f90b2c70c997399afcc550dac2fff155af6b Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:12:06 +0100 Subject: tv config: allowUnfree = false --- tv/2configs/default.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'tv') diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 777cd4ea3..ee1d9521d 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -70,6 +70,9 @@ with lib; nix.useChroot = true; } + { + nixpkgs.config.allowUnfree = false; + } { environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; -- cgit v1.3.1 From afd09edbd3ec1739fb95eaab664a2400386ce7a0 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:17:10 +0100 Subject: tv: cleanup allowUnfree --- tv/2configs/hw/AO753.nix | 9 ++++----- tv/2configs/hw/x220.nix | 1 - 2 files changed, 4 insertions(+), 6 deletions(-) (limited to 'tv') diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix index acd9ee32b..72a40819f 100644 --- a/tv/2configs/hw/AO753.nix +++ b/tv/2configs/hw/AO753.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; { imports = [ @@ -39,8 +41,5 @@ HandleSuspendKey=ignore ''; - nixpkgs.config = { - allowUnfree = false; - allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name); - }; + nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name; } diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix index 8549311e7..7cec670fa 100644 --- a/tv/2configs/hw/x220.nix +++ b/tv/2configs/hw/x220.nix @@ -14,7 +14,6 @@ networking.wireless.enable = true; #hardware.enableAllFirmware = true; - #nixpkgs.config.allowUnfree = true; #zramSwap.enable = true; #zramSwap.numDevices = 2; -- cgit v1.3.1 From cdb590be5072712c9552a98f8979aa94288dcbc8 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 3 Feb 2016 13:36:54 +0100 Subject: krebs.git.rules: specify type --- krebs/3modules/git.nix | 193 +++++++++++++++++++++++++++++++++++-------------- tv/2configs/git.nix | 4 +- 2 files changed, 142 insertions(+), 55 deletions(-) (limited to 'tv') diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 0fa6b240b..7b28ffca8 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -44,48 +44,8 @@ let default = "/etc/git"; }; repos = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository description. - ''; - }; - section = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository section. - ''; - }; - name = mkOption { - type = types.str; - description = '' - Repository name. - ''; - }; - hooks = mkOption { - type = types.attrsOf types.str; - default = {}; - description = '' - Repository-specific hooks. - ''; - }; - public = mkOption { - type = types.bool; - default = false; - description = '' - Allow everybody to read the repository via HTTP if cgit enabled. - ''; - # TODO allow every configured user to fetch the repository via SSH. - }; - }; - })); - + type = types.attrsOf subtypes.repo; default = {}; - example = literalExample '' { testing = { @@ -99,7 +59,6 @@ let testing2 = { name = "testing2"; }; } ''; - description = '' Repositories. ''; @@ -121,28 +80,156 @@ let ''; }; rules = mkOption { - type = types.unspecified; + type = types.listOf subtypes.rule; + default = []; + example = literalExample '' + singleton { + user = [ config.krebs.users.tv ]; + repo = [ testing ]; # see literal example of repos + perm = push "refs/*" (with lib.git; [ + non-fast-forward create delete merge + ]); + } + ''; + description = '' + Rules. + ''; }; }; + # TODO put into krebs/4lib/types.nix? + subtypes = { + repo = types.submodule ({ + options = { + collaborators = mkOption { + type = types.listOf types.user; + default = []; + description = '' + List of users that should be able to fetch from this repo. + + This option is currently not used by krebs.git but instead can be + used to create rules. See e.g. for + an example. + ''; + }; + desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository description. + ''; + }; + section = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository section. + ''; + }; + name = mkOption { + type = types.str; + description = '' + Repository name. + ''; + }; + hooks = mkOption { + type = types.attrsOf types.str; + default = {}; + description = '' + Repository-specific hooks. + ''; + }; + public = mkOption { + type = types.bool; + default = false; + description = '' + Allow everybody to read the repository via HTTP if cgit enabled. + ''; + # TODO allow every configured user to fetch the repository via SSH. + }; + }; + }); + rule = types.submodule ({ config, ... }: { + options = { + user = mkOption { + type = types.listOf types.user; + description = '' + List of users this rule should apply to. + Checked by authorize-command. + ''; + }; + repo = mkOption { + type = types.listOf subtypes.repo; + description = '' + List of repos this rule should apply to. + Checked by authorize-command. + ''; + }; + perm = mkOption { + type = types.submodule { + # TODO generate enum argument from krebs/4lib/git.nix + options = { + allow-commands = mkOption { + type = types.listOf (types.enum (with git; [ + git-receive-pack + git-upload-pack + ])); + default = []; + description = '' + List of commands the rule's users are allowed to execute. + Checked by authorize-command. + ''; + }; + allow-receive-ref = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Ref that can receive objects. + Checked by authorize-push. + ''; + }; + allow-receive-modes = mkOption { + type = types.listOf (types.enum (with git; [ + fast-forward + non-fast-forward + create + delete + merge + ])); + default = []; + description = '' + List of allowed receive modes. + Checked by pre-receive hook. + ''; + }; + }; + }; + description = '' + Permissions granted. + ''; + }; + }; + }); + }; + git-imp = { system.activationScripts.git-init = "${init-script}"; # TODO maybe put all scripts here and then use PATH? environment.etc."${etc-base}".source = scriptFarm "git-ssh-authorizers" { - authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (map getName perm.allow-commands) + authorize-command = makeAuthorizeScript (map (rule: [ + (map getName (ensureList rule.user)) + (map getName (ensureList rule.repo)) + (map getName rule.perm.allow-commands) ]) cfg.rules); - authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (ensureList perm.allow-receive-ref) - (map getName perm.allow-receive-modes) - ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); + authorize-push = makeAuthorizeScript (map (rule: [ + (map getName (ensureList rule.user)) + (map getName (ensureList rule.repo)) + (ensureList rule.perm.allow-receive-ref) + (map getName rule.perm.allow-receive-modes) + ]) (filter (rule: rule.perm.allow-receive-ref != null) cfg.rules)); }; users.extraUsers = singleton rec { diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index 5e0f95c15..01dc7de9b 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix @@ -9,7 +9,7 @@ let enable = true; root-title = "public repositories at ${config.krebs.build.host.name}"; root-desc = "keep calm and engage"; - repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos; + repos = repos; rules = rules; }; }; @@ -99,7 +99,7 @@ let repo = [ repo ]; perm = fetch; } ++ - optional (length (repo.collaborators or []) > 0) { + optional (repo.collaborators or [] != []) { user = repo.collaborators; repo = [ repo ]; perm = fetch; -- cgit v1.3.1 From 5bc7523bb54e960f5ac00492b16519b1bce21007 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 3 Feb 2016 19:39:00 +0100 Subject: cac-1.0.3 -> cac-api-1.1.0 --- krebs/5pkgs/cac-api/default.nix | 37 +++++++++++++++++++++++ krebs/5pkgs/cac/default.nix | 39 ------------------------- krebs/5pkgs/test/infest-cac-centos7/default.nix | 4 +-- krebs/5pkgs/test/infest-cac-centos7/notes | 32 ++++++++++---------- tv/1systems/wu.nix | 2 +- tv/2configs/git.nix | 4 +-- 6 files changed, 58 insertions(+), 60 deletions(-) create mode 100644 krebs/5pkgs/cac-api/default.nix delete mode 100644 krebs/5pkgs/cac/default.nix (limited to 'tv') diff --git a/krebs/5pkgs/cac-api/default.nix b/krebs/5pkgs/cac-api/default.nix new file mode 100644 index 000000000..2a32bb096 --- /dev/null +++ b/krebs/5pkgs/cac-api/default.nix @@ -0,0 +1,37 @@ +{ stdenv, fetchgit, bc, coreutils, curl, gnused, inotifyTools, jq, ncurses, sshpass, ... }: + +stdenv.mkDerivation { + name = "cac-api-1.1.0"; + + src = fetchgit { + url = http://cgit.cd.krebsco.de/cac-api; + rev = "0809fae379239687ed1170e04311dc2880ef0aba"; + sha256 = "357ced27c9ed88028967c934178a1d230bf38617a7494cd4632fabdd2a04fcdd"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + path = stdenv.lib.makeSearchPath "bin" [ + bc + coreutils + curl + gnused + inotifyTools + jq + ncurses + sshpass + ]; + in + '' + mkdir -p $out/bin + cp cac-api $out/bin/cac-api + sed -i ' + s;^_cac_cli_main .*;PATH=${path}''${PATH+:$PATH} &; + ' $out/bin/cac-api + ''; +} diff --git a/krebs/5pkgs/cac/default.nix b/krebs/5pkgs/cac/default.nix deleted file mode 100644 index 4d39ce2fb..000000000 --- a/krebs/5pkgs/cac/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ stdenv, fetchgit, bc, coreutils, curl, gnused, inotifyTools, jq, ncurses, sshpass, ... }: - -stdenv.mkDerivation { - name = "cac-1.0.3"; - - src = fetchgit { - url = http://cgit.cd.retiolum/cac; - rev = "22acc1b990ac7d97c16344fbcbc2621e24cdf915"; - sha256 = "135b740617c983b3f46a1983d4744be17340d5146a0a0de0dff4bb7a53688f2f"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - path = stdenv.lib.makeSearchPath "bin" [ - bc - coreutils - curl - gnused - inotifyTools - jq - ncurses - sshpass - ]; - in - '' - mkdir -p $out/bin - - sed < ./cac > $out/bin/cac ' - s;^_cac_main .*;PATH=${path}''${PATH+:$PATH} &; - ' - - chmod +x $out/bin/cac - ''; -} diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix index 7f2e3f231..ebea5ae1c 100644 --- a/krebs/5pkgs/test/infest-cac-centos7/default.nix +++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix @@ -1,4 +1,4 @@ -{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }: +{ stdenv, coreutils,makeWrapper, cac-api, cacpanel, gnumake, gnused, jq, openssh, ... }: stdenv.mkDerivation rec { name = "${shortname}-${version}"; @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { path = stdenv.lib.makeSearchPath "bin" [ coreutils - cac + cac-api cacpanel gnumake gnused diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes index 6bfb6906e..7b9cbb46f 100755 --- a/krebs/5pkgs/test/infest-cac-centos7/notes +++ b/krebs/5pkgs/test/infest-cac-centos7/notes @@ -1,6 +1,6 @@ #! /bin/sh -# nix-shell -p gnumake jq openssh cac cacpanel +# nix-shell -p gnumake jq openssh cac-api cacpanel set -eufx # 2 secrets are required: @@ -47,15 +47,15 @@ export cac_secrets=$sec_file cac-cli --config $krebs_cred panel add-api-ip # test login: -cac update -cac servers +cac-api update +cac-api servers # preserve old trap old_trapstr=$(clear_defer) while true;do # Template 26: CentOS7 - # TODO: use cac templates to determine the real Centos7 template in case it changes - out=$(cac build cpu=1 ram=512 storage=10 os=26 2>&1) + # TODO: use cac-api templates to determine the real Centos7 template in case it changes + out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1) if name=$(echo "$out" | jq -r .servername);then id=servername:$name echo "got a working machine, id=$id" @@ -67,15 +67,15 @@ while true;do fi clear_defer >/dev/null - defer "cac delete $id" + defer "cac-api delete $id" # TODO: timeout? wait_login_cac(){ # we wait for 30 minutes for t in `seq 180`;do - # now we have a working cac server - if cac ssh $1 -o ConnectTimeout=10 \ + # now we have a working cac-api server + if cac-api ssh $1 -o ConnectTimeout=10 \ cat /etc/redhat-release | \ grep CentOS ;then return 0 @@ -87,7 +87,7 @@ while true;do # die on timeout if ! wait_login_cac $id;then echo "unable to boot a working system within time frame, retrying..." >&2 - echo "Cleaning up old image,last status: $(cac update;cac getserver $id | jq -r .status)" + echo "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)" eval "$(clear_defer | sed 's/;exit//')" sleep 15 else @@ -96,17 +96,17 @@ while true;do fi done clear_defer >/dev/null -defer "cac delete $id;$old_trapstr" +defer "cac-api delete $id;$old_trapstr" mkdir -p shared/2configs/temp -cac generatenetworking $id > \ +cac-api generatenetworking $id > \ shared/2configs/temp/networking.nix # new temporary ssh key we will use to log in after infest ssh-keygen -f $krebs_ssh -N "" cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv # we override the directories for secrets and stockholm # additionally we set the ssh key we generated -ip=$(cac getserver $id | jq -r .ip) +ip=$(cac-api getserver $id | jq -r .ip) cat > shared/2configs/temp/dirs.nix < $krebs_secrets/infest sh -x $krebs_secrets/infest # TODO: generate secrets directory $krebs_secrets for nix import -cac powerop $id reset +cac-api powerop $id reset wait_login(){ # timeout for t in `seq 90`;do - # now we have a working cac server + # now we have a working cac-api server if ssh -o StrictHostKeyChecking=no \ -o UserKnownHostsFile=/dev/null \ -i $krebs_ssh \ diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 2fa0e8ab7..29e6de08b 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -43,7 +43,7 @@ with lib; # tv bc bind # dig - cac + cac-api dic file get diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index 01dc7de9b..b8180085f 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix @@ -22,8 +22,8 @@ let public-repos = mapAttrs make-public-repo ({ } // mapAttrValues (setAttr "section" "1. Miscellaneous") { - cac = { - desc = "CloudAtCost command line interface"; + cac-api = { + desc = "CloudAtCost API command line interface"; }; get = {}; hack = {}; -- cgit v1.3.1 From fb734eded558aad5a728eb1b1b350235a921d541 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 4 Feb 2016 03:07:47 +0100 Subject: stockholm: stockholm-path -> ./. --- default.nix | 3 +-- tv/2configs/default.nix | 11 +++++------ 2 files changed, 6 insertions(+), 8 deletions(-) (limited to 'tv') diff --git a/default.nix b/default.nix index 1637aa464..b2b57ea4c 100644 --- a/default.nix +++ b/default.nix @@ -17,8 +17,7 @@ let stockholm = { nlib = import ; klib = import (slib.kpath "4lib") { lib = nlib; }; slib = rec { - stockholm-path = ./.; - nspath = ns: p: stockholm-path + "/${ns}/${p}"; + nspath = ns: p: ./. + "/${ns}/${p}"; kpath = nspath "krebs"; upath = nspath current-user-name; }; diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index ee1d9521d..46320b738 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -10,14 +10,13 @@ with lib; target = mkDefault "root@${config.krebs.build.host.name}"; source-version = 2; source = mapAttrs (_: mkDefault) ({ - nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix"; - nixpkgs = symlink:stockholm-nixpkgs; - null = "/home/tv/stockholm/null"; + nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix"; + nixpkgs = symlink:stockholm/nixpkgs; + null = "symlink:stockholm/null"; secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; secrets-common = "/home/tv/secrets/common"; - stockholm-krebs = "/home/tv/stockholm/krebs"; - stockholm-nixpkgs = "/home/tv/stockholm/nixpkgs"; - stockholm-private = "/home/tv/stockholm/tv"; + stockholm = "/home/tv/stockholm"; + stockholm-user = "symlink:stockholm/tv"; upstream-nixpkgs = { url = https://github.com/NixOS/nixpkgs; rev = "77f8f35d57618c1ba456d968524f2fb2c3448295"; -- cgit v1.3.1 From b857a48632128be0324c68be95bee16fb0f1b15f Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 4 Feb 2016 05:40:26 +0100 Subject: krebs.build.populate: init and drop support for v1 --- Makefile | 108 ++++++++--------------- default.nix | 16 +++- krebs/3modules/build.nix | 218 +++++++++++++++++++++++++++++++--------------- krebs/default.nix | 95 +------------------- krebs/v2/default.nix | 132 ---------------------------- nixpkgs/krebs | 0 nixpkgs/nixos/default.nix | 66 +------------- nixpkgs/nixos/lib | 2 +- nixpkgs/nixos/modules | 2 +- root | 1 + tv/2configs/default.nix | 4 +- 11 files changed, 203 insertions(+), 441 deletions(-) delete mode 100644 krebs/v2/default.nix create mode 100644 nixpkgs/krebs create mode 120000 root (limited to 'tv') diff --git a/Makefile b/Makefile index a1559b48c..87a636e72 100644 --- a/Makefile +++ b/Makefile @@ -1,87 +1,51 @@ -# -# usage: -# make infest system=foo [target=bar] -# make [deploy] system=foo [target=bar] -# make [deploy] systems='foo bar' -# make eval get=users.tv.wu.config.time.timeZone [filter=json] -# - .ONESHELL: .SHELLFLAGS := -eufc -ifdef systems -$(systems): - @ - unset target - parallel \ - --line-buffer \ - -j0 \ - --no-notice \ - --tagstring {} \ - -q make -s systems= system={} ::: $(systems) -else ifdef system -.PHONY: deploy infest -deploy infest:;@ - export get=krebs.$@ - export filter=json - script=$$(make -s eval) - echo "$$script" | sh - -.PHONY: eval -eval: - @ -ifeq ($(filter),json) - extraArgs='--json --strict' - filter() { jq -r .; } -else - filter() { cat; } +ifndef system +$(error unbound variable: system) endif - result=$$(nix-instantiate \ - $${extraArgs-} \ - --eval \ - -A "$$get" \ - -I stockholm="$$PWD" \ - '' \ - --argstr current-host-name "$$HOSTNAME" \ - --argstr current-user-name "$$LOGNAME" \ - $${system+--argstr system "$$system"} \ - $${target+--argstr target "$$target"}) - echo "$$result" | filter export target_host ?= $(system) export target_user ?= root export target_path ?= /var/src +# usage: make deploy system=foo [target_host=bar] +.PHONY: deploy +deploy: populate ;@set -x + ssh "$$target_user@$$target_host" nixos-rebuild switch -I "$$target_path" + # usage: make populate system=foo [target_host=bar] .PHONY: populate -populate: export lib = \ - let nlib = import ; in \ - nlib // import krebs/4lib { lib = nlib; } // builtins -populate: export source = \ - with builtins; \ - with (import ./. {}).users.$${getEnv "LOGNAME"}.$${getEnv "system"}; \ - assert config.krebs.build.source-version == 2; \ - config.krebs.build.source populate:;@ - result=$$(nix-instantiate \ - --eval \ - --json \ - --arg lib "$$lib" \ - --arg source "$$source" \ - --argstr target-user "$$target_user" \ - --argstr target-host "$$target_host" \ - --argstr target-path "$$target_path" \ - -A populate \ - krebs/v2) - script=$$(echo "$$result" | jq -r .) - echo "$$script" | sh - -# usage: make rebuild system=foo [target_host=bar] [operation=switch] -.PHONY: rebuild -rebuild: populate ;@set -x - ssh "$$target_user@$$target_host" \ - nixos-rebuild "$${operation-switch}" -I "$$target_path" + result=$$(make -s eval get=config.krebs.build.populate filter=json) + echo "$$result" | sh +# usage: make eval system=foo get=config.krebs.build [LOGNAME=tv] [filter=json] +.PHONY: eval +eval:;@ +ifeq ($(filter),json) + extraArgs='--json --strict' + filter() { echo "$$1" | jq -r .; } else -$(error unbound variable: system[s]) + filter() { echo "$$1"; } endif + result=$$(nix-instantiate \ + $${extraArgs-} \ + --show-trace \ + --readonly-mode \ + --eval \ + -A "$$get" \ + --arg configuration "") + filter "$$result" + +## usage: make install system=foo target= +#.PHONY: install +#install: ssh = ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null +#install:;@set -x +# $(ssh) "$$target_user@$$target_host" \ +# env target_path=/var/src \ +# sh -s prepare < krebs/4lib/infest/prepare.sh +# make -s populate target_path=/mnt"$$target_path" +# $(ssh) "$$target_user@$$target_host" \ +# env NIXOS_CONFIG=/var/src/nixos-config \ +# nixos-install diff --git a/default.nix b/default.nix index 656a7f4b3..278f1d14d 100644 --- a/default.nix +++ b/default.nix @@ -1,9 +1,15 @@ -{ current-host-name ? +{ configuration ? import (nixpkgs-path + "/nixos/lib/from-env.nix") "NIXOS_CONFIG" +, system ? builtins.currentSystem +, current-host-name ? let v = builtins.getEnv "HOSTNAME"; in if v != "" then v else builtins.readFile /proc/sys/kernel/hostname , current-user-name ? let v = builtins.getEnv "LOGNAME"; in if v != "" then v else abort "undefined variable: LOGNAME" +, nixpkgs-path ? + if (builtins.tryEval ).success + then + else , StrictHostKeyChecking ? "yes" }@args: @@ -11,7 +17,8 @@ let stockholm = { inherit krebs; inherit users; inherit lib; - inherit pkgs; + inherit config options pkgs; + system = config.system.build.toplevel; }; krebs = import ./krebs (args // { inherit lib stockholm; }); @@ -20,7 +27,7 @@ let stockholm = { nlib = import (slib.npath "lib"); klib = import (slib.kpath "4lib") { lib = nlib; }; slib = rec { - npath = p: + "/${p}"; + npath = p: nixpkgs-path + "/${p}"; kpath = p: ./. + "/krebs/${p}"; upath = p: ./. + "/${current-user-name}/${p}"; }; @@ -29,7 +36,7 @@ let stockholm = { (import p { lib = nlib // klib; }); in nlib // klib // slib // ulib // builtins; - inherit (eval {}) pkgs; + inherit (eval configuration) config options pkgs; base-module = { config, ... }: { imports = builtins.filter lib.dir.has-default-nix (lib.concatLists [ @@ -48,6 +55,7 @@ let stockholm = { }; eval = config: import (lib.npath "nixos/lib/eval-config.nix") { + inherit system; specialArgs = { inherit lib; }; diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 0f8aec89d..00142acdd 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -28,81 +28,157 @@ let type = types.user; }; - options.krebs.build.source-version = mkOption { - type = types.enum [ 1 2 ]; - default = 1; + options.krebs.build.source = let + raw = types.either types.str types.path; + url = types.submodule { + options = { + url = mkOption { + type = types.str; + }; + rev = mkOption { + type = types.str; + }; + dev = mkOption { + type = types.str; + }; + }; + }; + in mkOption { + type = types.attrsOf (types.either types.str url); + apply = let f = mapAttrs (_: value: { + string = value; + path = toString value; + set = f value; + }.${typeOf value}); in f; + default = {}; }; - options.krebs.build.source = getAttr "v${toString config.krebs.build.source-version}" { - v1 = { - dir = mkOption { - type = let - default-host = config.krebs.current.host; - in types.attrsOf (types.submodule ({ config, ... }: { - options = { - host = mkOption { - type = types.host; - default = default-host; - }; - path = mkOption { - type = types.str; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - url = mkOption { - type = types.str; - default = "file://${config.host.name}${config.path}"; - }; - }; - })); - default = {}; - }; + options.krebs.build.populate = mkOption { + type = types.str; + default = let + source = config.krebs.build.source; + target-user = maybeEnv "target_user" "root"; + target-host = maybeEnv "target_host" config.krebs.build.host.name; + target-path = maybeEnv "target_path" "/var/src"; + out = '' + #! /bin/sh + set -eu - git = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - url = mkOption { - type = types.str; # TODO must be shell safe - }; - rev = mkOption { - type = types.str; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - }; - })); - default = {}; - }; - }; + verbose() { + printf '+%s\n' "$(printf ' %q' "$@")" >&2 + "$@" + } - v2 = let - raw = types.either types.str types.path; - url = types.submodule { - options = { - url = mkOption { - type = types.str; - }; - rev = mkOption { - type = types.str; - }; - dev = mkOption { - type = types.str; - }; - }; - }; - in mkOption { - type = types.attrsOf (types.either types.str url); - apply = let f = mapAttrs (_: value: { - string = value; - path = toString value; - set = f value; - }.${typeOf value}); in f; - default = {}; - }; + echo ${shell.escape git-script} \ + | ssh ${shell.escape "${target-user}@${target-host}"} -T + + unset tmpdir + trap ' + rm "$tmpdir"/* + rmdir "$tmpdir" + trap - EXIT INT QUIT + ' EXIT INT QUIT + tmpdir=$(mktemp -dt stockholm.XXXXXXXX) + chmod 0755 "$tmpdir" + + ${concatStringsSep "\n" + (mapAttrsToList + (name: spec: let dst = removePrefix "symlink:" (get-url spec); in + "verbose ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") + symlink-specs)} + + verbose proot \ + -b $tmpdir:${shell.escape target-path} \ + ${concatStringsSep " \\\n " + (mapAttrsToList + (name: spec: + "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}") + file-specs)} \ + rsync \ + -f ${shell.escape "P /*"} \ + ${concatMapStringsSep " \\\n " + (name: "-f ${shell.escape "R /${name}"}") + (attrNames file-specs)} \ + --delete \ + -vFrlptD \ + ${shell.escape target-path}/ \ + ${shell.escape "${target-user}@${target-host}:${target-path}"} + ''; + + get-schema = uri: + if substring 0 1 uri == "/" + then "file" + else head (splitString ":" uri); + + has-schema = schema: uri: get-schema uri == schema; + + get-url = spec: { + string = spec; + path = toString spec; + set = get-url spec.url; + }.${typeOf spec}; + + git-specs = + filterAttrs (_: spec: has-schema "https" (get-url spec)) source // + filterAttrs (_: spec: has-schema "http" (get-url spec)) source // + filterAttrs (_: spec: has-schema "git" (get-url spec)) source; + + file-specs = + filterAttrs (_: spec: has-schema "file" (get-url spec)) source; + + symlink-specs = + filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; + + git-script = '' + #! /bin/sh + set -efu + + verbose() { + printf '+%s\n' "$(printf ' %q' "$@")" >&2 + "$@" + } + + fetch_git() {( + dst_dir=$1 + src_url=$2 + src_ref=$3 + + if ! test -e "$dst_dir"; then + git clone "$src_url" "$dst_dir" + fi + + cd "$dst_dir" + + if ! url=$(git config remote.origin.url); then + git remote add origin "$src_url" + elif test "$url" != "$src_url"; then + git remote set-url origin "$src_url" + fi + + # TODO resolve src_ref to commit hash + hash=$src_ref + + if ! test "$(git log --format=%H -1)" = "$hash"; then + git fetch origin + git checkout "$hash" -- "$dst_dir" + git checkout "$hash" + fi + + git clean -dxf + )} + + ${concatStringsSep "\n" + (mapAttrsToList + (name: spec: toString (map shell.escape [ + "verbose" + "fetch_git" + "${target-path}/${name}" + spec.url + spec.rev + ])) + git-specs)} + ''; + in out; }; }; diff --git a/krebs/default.nix b/krebs/default.nix index e9ee71b34..17c035896 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -1,3 +1,5 @@ +assert false; + { current-host-name , current-user-name , lib @@ -6,30 +8,11 @@ }: let out = { - inherit deploy; inherit infest; inherit init; inherit nixos-install; - inherit populate; }; - deploy = - { system ? current-host-name - , target ? system - }@args: let - config = get-config system; - in '' - #! /bin/sh - # krebs.deploy - set -efu - (${populate args}) - ${rootssh target '' - ${nix-install args} - ${config.krebs.build.profile}/bin/switch-to-configuration switch - ''} - echo OK - ''; - infest = { system ? current-host-name , target ? system @@ -45,9 +28,6 @@ let out = { ${builtins.readFile ./4lib/infest/install-nix.sh} ''} - # Prepare target source via bind-mounting - - (${nixos-install args}) ${rootssh target '' @@ -169,9 +149,7 @@ let out = { get-config = system: let config = stockholm.users.${current-user-name}.${system}.config or (abort "unknown system: ${system}, user: ${current-user-name}"); - in - assert config.krebs.build.source-version == 1; - config; + in config; nix-install = { system ? current-host-name @@ -203,73 +181,6 @@ let out = { ])} ''; - populate = - { system ? current-host-name - , target ? system - , root ? "" - }@args: - let out = '' - #! /bin/sh - set -efu - ${lib.concatStringsSep "\n" - (lib.concatMap - (type: lib.mapAttrsToList (_: methods.${type}) - config.krebs.build.source.${type}) - ["dir" "git"])} - ''; - - - config = get-config system; - - current-host = config.krebs.hosts.${current-host-name}; - current-user = config.krebs.users.${current-user-name}; - - methods.dir = config: - let - can-push = config.host.name == current-host.name; - target-path = root + config.target-path; - push-method = '' - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --exclude tmp \ - --rsync-path='mkdir -p ${target-path} && rsync' \ - --delete-excluded \ - -vrlptD \ - ${config.path}/ \ - root@${target}:${target-path} - ''; - in - if can-push then push-method else - let dir = "file://${config.host.name}${config.path}"; in - # /!\ revise this message when using more than just push-method - throw "No way to push ${dir} from ${current-host.name} to ${target}"; - - methods.git = config: - let target-path = root + config.target-path; - in rootssh target '' - mkdir -p ${target-path} - cd ${target-path} - if ! test -e .git; then - git init - fi - if ! cur_url=$(git config remote.origin.url 2>/dev/null); then - git remote add origin ${config.url} - elif test "$cur_url" != ${config.url}; then - git remote set-url origin ${config.url} - fi - if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then - git fetch origin - git checkout ${config.rev} -- . - git checkout -q ${config.rev} - git submodule init - git submodule update - fi - git clean -dxf - ''; - in out; - rootssh = target: script: let flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; diff --git a/krebs/v2/default.nix b/krebs/v2/default.nix deleted file mode 100644 index cba7a75ff..000000000 --- a/krebs/v2/default.nix +++ /dev/null @@ -1,132 +0,0 @@ -{ lib -, source -, target-user ? "root" -, target-host -, target-path ? "/var/src" -}: -with lib; -let - out = { - inherit populate; - }; - - populate = '' - #! /bin/sh - set -eu - - verbose() { - printf '+%s\n' "$(printf ' %q' "$@")" >&2 - "$@" - } - - echo ${shell.escape git-script} \ - | ssh ${shell.escape "${target-user}@${target-host}"} -T - - unset tmpdir - trap ' - rm "$tmpdir"/* - rmdir "$tmpdir" - trap - EXIT INT QUIT - ' EXIT INT QUIT - tmpdir=$(mktemp -dt stockholm.XXXXXXXX) - chmod 0755 "$tmpdir" - - ${concatStringsSep "\n" - (mapAttrsToList - (name: spec: let dst = removePrefix "symlink:" (get-url spec); in - "verbose ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") - symlink-specs)} - - verbose proot \ - -b $tmpdir:${shell.escape target-path} \ - ${concatStringsSep " \\\n " - (mapAttrsToList - (name: spec: - "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}") - file-specs)} \ - rsync \ - -f ${shell.escape "P /*"} \ - ${concatMapStringsSep " \\\n " - (name: "-f ${shell.escape "R /${name}"}") - (attrNames file-specs)} \ - --delete \ - -vFrlptD \ - ${shell.escape target-path}/ \ - ${shell.escape "${target-user}@${target-host}:${target-path}"} - ''; - - get-schema = uri: - if substring 0 1 uri == "/" - then "file" - else head (splitString ":" uri); - - has-schema = schema: uri: get-schema uri == schema; - - get-url = spec: { - string = spec; - path = toString spec; - set = get-url spec.url; - }.${typeOf spec}; - - git-specs = - filterAttrs (_: spec: has-schema "https" (get-url spec)) source // - filterAttrs (_: spec: has-schema "http" (get-url spec)) source // - filterAttrs (_: spec: has-schema "git" (get-url spec)) source; - - file-specs = - filterAttrs (_: spec: has-schema "file" (get-url spec)) source; - - symlink-specs = - filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; - - git-script = '' - #! /bin/sh - set -efu - - verbose() { - printf '+%s\n' "$(printf ' %q' "$@")" >&2 - "$@" - } - - fetch_git() {( - dst_dir=$1 - src_url=$2 - src_ref=$3 - - if ! test -e "$dst_dir"; then - git clone "$src_url" "$dst_dir" - fi - - cd "$dst_dir" - - if ! url=$(git config remote.origin.url); then - git remote add origin "$src_url" - elif test "$url" != "$src_url"; then - git remote set-url origin "$src_url" - fi - - # TODO resolve src_ref to commit hash - hash=$src_ref - - if ! test "$(git log --format=%H -1)" = "$hash"; then - git fetch origin - git checkout "$hash" -- "$dst_dir" - git checkout "$hash" - fi - - git clean -dxf - )} - - ${concatStringsSep "\n" - (mapAttrsToList - (name: spec: toString (map shell.escape [ - "verbose" - "fetch_git" - "${target-path}/${name}" - spec.url - spec.rev - ])) - git-specs)} - ''; - -in out diff --git a/nixpkgs/krebs b/nixpkgs/krebs new file mode 100644 index 000000000..e69de29bb diff --git a/nixpkgs/nixos/default.nix b/nixpkgs/nixos/default.nix index 6c5adf365..4fe08efd2 100644 --- a/nixpkgs/nixos/default.nix +++ b/nixpkgs/nixos/default.nix @@ -1,65 +1 @@ -{ configuration ? import "NIXOS_CONFIG" -, system ? builtins.currentSystem -}: - -let - eval-config = modules: import { - inherit system; - modules = modules ++ [({ config, lib, ... }: with lib; { - imports = filter dir.has-default-nix (concatLists [ - (map (p: p + "/2configs") [ ]) - (map (p: p + "/3modules") [ ]) - ]); - - krebs.current = { - enable = true; - host = config.krebs.hosts.${readFile /proc/sys/kernel/hostname}; - user = config.krebs.users.${getEnv "LOGNAME"}; - }; - - nixpkgs.config.packageOverrides = pkgs: let - kpkgs = import { inherit lib pkgs; }; - upkgs = import { inherit lib; pkgs = pkgs // kpkgs; }; - in kpkgs // upkgs; - })]; - specialArgs = { - lib = let - nlib = import // builtins; - klib = nlib // import { lib = nlib; }; - ulib = klib // (with klib; let p = + "/4lib"; in - optionalAttrs (dir.has-default-nix p) - (import p { lib = klib; })); - in ulib; - }; - }; - - eval = eval-config [ - configuration - ]; - - # This is for `nixos-rebuild build-vm'. - vm = eval-config [ - configuration - - ]; - - # This is for `nixos-rebuild build-vm-with-bootloader'. - vm-with-bootloader = eval-config [ - configuration - - { virtualisation.useBootLoader = true; } - ]; -in - -{ - inherit (eval) config options; - - system = eval.config.system.build.toplevel; - - vm = vm.config.system.build.vm; - - vmWithBootLoader = vm-with-bootloader.config.system.build.vm; - - # The following are used by nixos-rebuild. - nixFallback = eval.pkgs.nixUnstable; -} +import diff --git a/nixpkgs/nixos/lib b/nixpkgs/nixos/lib index eb942f88b..9e69d1a67 120000 --- a/nixpkgs/nixos/lib +++ b/nixpkgs/nixos/lib @@ -1 +1 @@ -../../upstream-nixpkgs/nixos/lib \ No newline at end of file +../../../upstream-nixpkgs/nixos/lib \ No newline at end of file diff --git a/nixpkgs/nixos/modules b/nixpkgs/nixos/modules index 8fbc4373e..8aa24885c 120000 --- a/nixpkgs/nixos/modules +++ b/nixpkgs/nixos/modules @@ -1 +1 @@ -../../upstream-nixpkgs/nixos/modules \ No newline at end of file +../../../upstream-nixpkgs/nixos/modules \ No newline at end of file diff --git a/root b/root new file mode 120000 index 000000000..1cd18253d --- /dev/null +++ b/root @@ -0,0 +1 @@ +../stockholm-user \ No newline at end of file diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 46320b738..57c4620c4 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -8,11 +8,9 @@ with lib; krebs.build = { user = config.krebs.users.tv; target = mkDefault "root@${config.krebs.build.host.name}"; - source-version = 2; source = mapAttrs (_: mkDefault) ({ nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix"; nixpkgs = symlink:stockholm/nixpkgs; - null = "symlink:stockholm/null"; secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; secrets-common = "/home/tv/secrets/common"; stockholm = "/home/tv/stockholm"; @@ -104,7 +102,7 @@ with lib; }; environment.variables = { - NIX_PATH = mkForce "secrets=/var/src/null:/var/src"; + NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; }; programs.bash = { -- cgit v1.3.1