-rw-r--r--0make/makefu/pnp.makefile4
-rw-r--r--0make/tv/nomic.makefile2
-rw-r--r--1systems/makefu/pnp.nix52
-rw-r--r--1systems/tv/cd.nix38
-rw-r--r--1systems/tv/mkdir.nix14
-rw-r--r--1systems/tv/nomic.nix18
-rw-r--r--1systems/tv/rmdir.nix14
-rw-r--r--1systems/tv/wu.nix74
-rw-r--r--2configs/makefu/base.nix94
-rw-r--r--2configs/makefu/cgit-retiolum.nix52
-rw-r--r--2configs/tv/base.nix15
-rw-r--r--2configs/tv/charybdis.nix10
-rw-r--r--2configs/tv/consul-server.nix5
-rw-r--r--2configs/tv/exim-retiolum.nix4
-rw-r--r--2configs/tv/exim-smarthost.nix15
-rw-r--r--2configs/tv/git-public.nix87
-rw-r--r--2configs/tv/git.nix90
-rw-r--r--2configs/tv/smartd.nix2
-rw-r--r--2configs/tv/urlwatch.nix51
-rw-r--r--3modules/krebs/default.nix (renamed from 2configs/tv/identity.nix)164
-rw-r--r--3modules/krebs/git.nix (renamed from 3modules/tv/git.nix)33
-rw-r--r--3modules/krebs/github-hosts-sync.nix (renamed from 3modules/tv/github-hosts-sync.nix)8
-rw-r--r--3modules/krebs/nginx.nix (renamed from 3modules/tv/nginx.nix)7
-rw-r--r--3modules/krebs/retiolum.nix (renamed from 3modules/tv/retiolum.nix)60
-rw-r--r--3modules/krebs/urlwatch.nix (renamed from 3modules/tv/urlwatch.nix)6
-rw-r--r--3modules/makefu/default.nix19
-rw-r--r--3modules/tv/consul.nix1
-rw-r--r--3modules/tv/default.nix9
-rw-r--r--3modules/tv/identity.nix88
-rw-r--r--4lib/krebs/default.nix33
-rw-r--r--4lib/krebs/types.nix104
-rw-r--r--4lib/tv/default.nix94
-rw-r--r--Makefile27
-rw-r--r--Zhosts/pnp11
-rw-r--r--Zpkgs/krebs/default.nix14
-rw-r--r--Zpkgs/krebs/dic.nix (renamed from Zpkgs/tv/dic.nix)0
-rw-r--r--Zpkgs/krebs/genid.nix (renamed from Zpkgs/tv/genid.nix)0
-rw-r--r--Zpkgs/krebs/github-hosts-sync.nix (renamed from Zpkgs/tv/github-hosts-sync.nix)0
-rw-r--r--Zpkgs/krebs/github-known_hosts.nix (renamed from Zpkgs/tv/github-known_hosts.nix)0
-rw-r--r--Zpkgs/krebs/hashPassword.nix16
-rw-r--r--Zpkgs/tv/default.nix8
-rw-r--r--Zpubkeys/makefu_arch.ssh.pub (renamed from Zpubkeys/makefu.ssh.pub)0
-rw-r--r--default.nix20
43 files changed, 873 insertions, 490 deletions
diff --git a/0make/makefu/pnp.makefile b/0make/makefu/pnp.makefile
new file mode 100644
index 000000000..a18efe0e0
--- /dev/null
+++ b/0make/makefu/pnp.makefile
@@ -0,0 +1,4 @@
+deploy_host := root@pnp
+nixpkgs_url := https://github.com/nixos/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/makefu/secrets/pnp
diff --git a/0make/tv/nomic.makefile b/0make/tv/nomic.makefile
index 4ae1ccd10..9e0b8671b 100644
--- a/0make/tv/nomic.makefile
+++ b/0make/tv/nomic.makefile
@@ -1,4 +1,4 @@
deploy_host := root@nomic.gg23
nixpkgs_url := https://github.com/NixOS/nixpkgs
-nixpkgs_rev := 6ad8fab785695d04a6925e8b3464ca7c71a85c3f
+nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696
secrets_dir := /home/tv/secrets/nomic
diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix
new file mode 100644
index 000000000..7e4ccf2c1
--- /dev/null
+++ b/1systems/makefu/pnp.nix
@@ -0,0 +1,52 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+ ../../2configs/makefu/base.nix
+ ../../2configs/makefu/cgit-retiolum.nix
+ ];
+ krebs.enable = true;
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/vda";
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ hardware.enableAllFirmware = true;
+ hardware.cpu.amd.updateMicrocode = true;
+
+# networking.firewall is enabled by default
+ networking.firewall.allowedTCPPorts = [ 80 ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ };
+ krebs.retiolum = {
+ enable = true;
+ hosts = ../../Zhosts;
+ connectTo = [
+ "gum"
+ "pigstarter"
+ "fastpoke"
+ ];
+ };
+
+ nix.maxJobs = 2;
+ networking.hostName = "pnp"; # Define your hostname.
+
+# $ nix-env -qaP | grep wget
+ environment.systemPackages = with pkgs; [
+ wget
+ git
+ gnumake
+ jq
+ ];
+}
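Review bot: `networking.firewall.allowedTCPPorts = [ 80 ];` admits HTTP on every interface, although the imported config is cgit-retiolum and the only network this host declares is retiolum (the `krebs.retiolum` block above), so cgit is also reachable from the qemu guest's uplink. If retiolum-only is the intent, drop 80 from allowedTCPPorts and admit it on the tinc interface alone, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -i retiolum -p tcp --dport 80 -j nixos-fw-accept";` (the interface name depends on the retiolum module, which is outside this view). The comment `# networking.firewall is enabled by default` would be more useful as `# firewall on by default; 80 is opened on all interfaces for cgit (see 2configs/makefu/cgit-retiolum.nix)`.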
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix
index d3cae6f4a..6913508b5 100644
--- a/1systems/tv/cd.nix
+++ b/1systems/tv/cd.nix
@@ -7,13 +7,15 @@ let
in
{
+ krebs.build.host = config.krebs.hosts.cd;
+
imports = [
../../2configs/tv/CAC-Developer-2.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
+ ../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/charybdis.nix ];
tv.charybdis = {
@@ -22,24 +24,17 @@ in
};
}
{
- imports = [ ../../3modules/tv/ejabberd.nix ];
tv.ejabberd = {
enable = true;
hosts = [ "jabber.viljetic.de" ];
};
}
{
- imports = [ ../../3modules/tv/github-hosts-sync.nix ];
- tv.github-hosts-sync.enable = true;
+ krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp =
- singleton config.tv.github-hosts-sync.port;
- }
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.cd;
+ singleton config.krebs.github-hosts-sync.port;
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -55,21 +50,13 @@ in
};
}
{
- imports = [
- ../../3modules/tv/iptables.nix
- ../../3modules/tv/nginx.nix
- ];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
- tv.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
+ krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
}
{
# TODO make public_html also available to cd, cd.retiolum (AKA default)
- imports = [
- ../../3modules/tv/iptables.nix
- ../../3modules/tv/nginx.nix
- ];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
- tv.nginx.servers.public_html = {
+ krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
@@ -77,7 +64,7 @@ in
};
}
{
- tv.nginx.servers.viljetic = {
+ krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de";
# TODO directly set root (instead via location)
locations = singleton (nameValuePair "/" ''
@@ -86,10 +73,8 @@ in
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"fastpoke"
"pigstarter"
@@ -99,7 +84,6 @@ in
}
];
- networking.hostName = "cd";
networking.interfaces.enp2s1.ip4 = [
{
address = "162.219.7.216";
@@ -135,8 +119,8 @@ in
home = "/home/mv";
createHome = true;
useDefaultShell = true;
- openssh.authorizedKeys.keys = map readFile [
- ../../Zpubkeys/mv_vod.ssh.pub
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.mv.pubkey
];
};
};
diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix
index e0e057d63..7542ad0ce 100644
--- a/1systems/tv/mkdir.nix
+++ b/1systems/tv/mkdir.nix
@@ -3,19 +3,16 @@
with lib;
{
+ krebs.build.host = config.krebs.hosts.mkdir;
+
imports = [
../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.mkdir;
- }
+ ../../2configs/tv/git.nix
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -29,10 +26,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"cd"
"fastpoke"
@@ -43,7 +38,6 @@ with lib;
}
];
- networking.hostName = "mkdir";
networking.interfaces.enp2s1.ip4 = [
{
address = "162.248.167.241"; # TODO
diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix
index 6f984c44d..cd6e02596 100644
--- a/1systems/tv/nomic.nix
+++ b/1systems/tv/nomic.nix
@@ -3,18 +3,15 @@
with lib;
{
+ krebs.build.host = config.krebs.hosts.nomic;
+
imports = [
../../2configs/tv/AO753.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.nomic;
- }
+ ../../2configs/tv/git.nix
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -26,8 +23,7 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/nginx.nix ];
- tv.nginx = {
+ krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@@ -37,10 +33,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
@@ -103,6 +97,4 @@ with lib;
rxvt_unicode.terminfo
tmux
];
-
- networking.hostName = "nomic";
}
diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix
index b77a1c39e..9233014ba 100644
--- a/1systems/tv/rmdir.nix
+++ b/1systems/tv/rmdir.nix
@@ -3,19 +3,16 @@
with lib;
{
+ krebs.build.host = config.krebs.hosts.rmdir;
+
imports = [
../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
- ../../2configs/tv/git-public.nix
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.rmdir;
- }
+ ../../2configs/tv/git.nix
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -29,10 +26,8 @@ with lib;
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"cd"
"mkdir"
@@ -44,7 +39,6 @@ with lib;
}
];
- networking.hostName = "rmdir";
networking.interfaces.enp2s1.ip4 = [
{
address = "167.88.44.94";
diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix
index 400005cb7..37264635b 100644
--- a/1systems/tv/wu.nix
+++ b/1systems/tv/wu.nix
@@ -7,28 +7,27 @@ let
in
{
+ krebs.build.host = config.krebs.hosts.wu;
+
imports = [
../../2configs/tv/w110er.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-client.nix
../../2configs/tv/exim-retiolum.nix
- ../../2configs/tv/git-public.nix
- # TODO git-private.nix
+ ../../2configs/tv/git.nix
../../2configs/tv/mail-client.nix
../../2configs/tv/xserver.nix
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
- {
- imports = [ ../../2configs/tv/identity.nix ];
- tv.identity.self = config.tv.identity.hosts.wu;
- }
+ ../../2configs/tv/urlwatch.nix
{
environment.systemPackages = with pkgs; [
- # shitment
+ # stockholm
git
gnumake
parallel
Zpkgs.genid
+ Zpkgs.hashPassword
Zpkgs.lentil
# root
@@ -96,7 +95,6 @@ in
#ppp
#proot
#pythonPackages.arandr
- #pythonPackages.urlwatch
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
@@ -122,7 +120,6 @@ in
];
}
{
- imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@@ -134,8 +131,7 @@ in
};
}
{
- imports = [ ../../3modules/tv/nginx.nix ];
- tv.nginx = {
+ krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@@ -145,10 +141,8 @@ in
};
}
{
- imports = [ ../../3modules/tv/retiolum.nix ];
- tv.retiolum = {
+ krebs.retiolum = {
enable = true;
- hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
@@ -156,56 +150,6 @@ in
};
}
{
- imports = [ ../../3modules/tv/urlwatch.nix ];
- tv.urlwatch = {
- enable = true;
- mailto = "tv@wu.retiolum"; # TODO
- onCalendar = "*-*-* 05:00:00";
- urls = [
- ## nixpkgs maintenance
-
- # 2014-07-29 when one of the following urls change
- # then we have to update the package
-
- # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
- http://simple-evcorr.sourceforge.net/
-
- # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
- https://thp.io/2008/urlwatch/
-
- # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
- https://api.github.com/repos/ioerror/tlsdate/tags
-
- # 2015-02-18
- # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
- http://www.fourmilab.ch/webtools/qprint/
-
- # 2014-09-24 ref https://github.com/4z3/xintmap
- http://www.mathstat.dal.ca/~selinger/quipper/
-
- # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
- # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
- http://nixos.org/releases/nixops/
-
- ## other
-
- https://nixos.org/channels/nixos-unstable/git-revision
-
- ## 2014-10-17
- ## TODO update ~/src/login/default.nix
- #http://hackage.haskell.org/package/bcrypt
- #http://hackage.haskell.org/package/cron
- #http://hackage.haskell.org/package/hyphenation
- #http://hackage.haskell.org/package/iso8601-time
- #http://hackage.haskell.org/package/ixset-typed
- #http://hackage.haskell.org/package/system-command
- #http://hackage.haskell.org/package/transformers
- #http://hackage.haskell.org/package/web-routes-wai
- #http://hackage.haskell.org/package/web-page
- ];
- };
- }
- {
users.extraGroups = {
tv-sub.gid = 1337;
};
@@ -429,8 +373,6 @@ in
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true;
- networking.hostName = "wu";
-
environment.systemPackages = with pkgs; [
xlibs.fontschumachermisc
slock
diff --git a/2configs/makefu/base.nix b/2configs/makefu/base.nix
new file mode 100644
index 000000000..25b80930b
--- /dev/null
+++ b/2configs/makefu/base.nix
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ imports = [ ];
+ users.extraUsers = {
+ root = {
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+ };
+ makefu = {
+ uid = 9001;
+ group = "users";
+ home = "/home/makefu";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ "wheel"
+ ];
+ openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+ };
+ };
+
+ services.openssh.enable = true;
+ nix.useChroot = true;
+
+ users.mutableUsers = true;
+
+ boot.tmpOnTmpfs = true;
+ systemd.tmpfiles.rules = [
+ "d /tmp 1777 root root - -"
+ ];
+
+ environment.extraInit = ''
+ EDITOR=vim
+ '';
+
+ environment.systemPackages = with pkgs; [
+ git
+ vim
+ rxvt_unicode.terminfo
+ ];
+
+ programs.bash = {
+ enableCompletion = true;
+ interactiveShellInit = ''
+ HISTCONTROL='erasedups:ignorespace'
+ HISTSIZE=900001
+ HISTFILESIZE=$HISTSIZE
+
+ shopt -s checkhash
+ shopt -s histappend histreedit histverify
+ shopt -s no_empty_cmd_completion
+ complete -d cd
+ '';
+
+ promptInit = ''
+ case $UID in
+ 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;;
+ 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;;
+ *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;;
+ esac
+ if test -n "$SSH_CLIENT"; then
+ PS1='\[\033[35m\]\h'" $PS1"
+ fi
+ '';
+ };
+
+ environment.shellAliases = {
+ lsl = "ls -lAtr";
+ };
+
+ nixpkgs.config.packageOverrides = pkgs: {
+ nano = pkgs.runCommand "empty" {} "mkdir -p $out";
+ };
+
+ services.cron.enable = false;
+ services.nscd.enable = false;
+
+ security.setuidPrograms = [ "sendmail" ];
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ RuntimeMaxUse=128M
+ '';
+ # Enable IPv6 Privacy Extensions
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.use_tempaddr" = 2;
+ "net.ipv6.conf.default.use_tempaddr" = 2;
+ };
+
+ i18n = {
+ consoleKeyMap = "us";
+ defaultLocale = "en_US.UTF-8";
+ };
+}
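Review bot: Root receives makefu's key in `users.extraUsers.root.openssh.authorizedKeys.keys` and the pnp makefile deploys as `root@pnp`, but nothing in this file pins the sshd policy that makes that safe: `services.openssh.permitRootLogin` and `passwordAuthentication` are left at their defaults, and with `users.mutableUsers = true` a password set later on either account would become an SSH login path. I would set `services.openssh.permitRootLogin = "without-password";` and `services.openssh.passwordAuthentication = false;` next to `services.openssh.enable = true;`. `security.setuidPrograms = [ "sendmail" ];` installs a setuid wrapper although no MTA is configured in this file or in pnp.nix; if exim is not brought in elsewhere, drop it or move it to the config that enables the MTA.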
diff --git a/2configs/makefu/cgit-retiolum.nix b/2configs/makefu/cgit-retiolum.nix
new file mode 100644
index 000000000..d5ad35fda
--- /dev/null
+++ b/2configs/makefu/cgit-retiolum.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+with import ../../4lib/tv { inherit lib pkgs; };
+let
+
+ out = {
+ imports = [ ../../3modules/krebs/git.nix ];
+ krebs.git = {
+ enable = true;
+ root-title = "public repositories ";
+ root-desc = "keep calm and enrage";
+ inherit repos rules ;
+ };
+ };
+
+ repos = public-repos;
+ rules = concatMap make-rules (attrValues repos);
+
+ public-repos = mapAttrs make-public-repo {
+ stockholm = {
+ desc = "take all the computers hostage, they'll love you!";
+ };
+ };
+
+ # TODO move users to separate module
+
+ make-public-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = true;
+ hooks = {
+ post-receive = git.irc-announce {
+ nick = config.networking.hostName;
+ channel = "#retiolum";
+ server = "cd.retiolum";
+ };
+ };
+ };
+
+ make-rules =
+ with git // config.krebs.users;
+ repo:
+ singleton {
+ user = makefu;
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ } ++
+ optional repo.public {
+ user = [ lass tv uriel ];
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+in out
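Review bot: `public = true` in make-public-repo does more than the fetch rule for `lass tv uriel` suggests: the krebs.git module enables cgit by default (`cgit = mkOption { ... default = true; }` in 3modules/krebs/git.nix) and keys repository visibility on that flag (`isPublicRepo = getAttr "public"`), so every repo built here is readable by anyone who can reach nginx on port 80, independent of the SSH rules. A comment on the flag would save the next maintainer a surprise: `# public: anonymous read via cgit/HTTP, not just fetch for the users listed in make-rules`. Also, `root-title = "public repositories "` carries a trailing space.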
diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix
index 0494ea08e..06f83ea9e 100644
--- a/2configs/tv/base.nix
+++ b/2configs/tv/base.nix
@@ -9,6 +9,11 @@ let
in
{
+ krebs.enable = true;
+ krebs.search-domain = "retiolum";
+
+ networking.hostName = config.krebs.build.host.name;
+
imports = [
{
users.extraUsers =
@@ -22,8 +27,8 @@ in
{
users.extraUsers = {
root = {
- openssh.authorizedKeys.keys = map readFile [
- ../../Zpubkeys/tv_wu.ssh.pub
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
];
};
tv = {
@@ -37,15 +42,15 @@ in
"video"
"wheel"
];
- openssh.authorizedKeys.keys = map readFile [
- ../../Zpubkeys/tv_wu.ssh.pub
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
];
};
};
}
{
security.sudo.extraConfig = ''
- Defaults mailto="tv@wu.retiolum"
+ Defaults mailto="${config.krebs.users.tv.mail}"
'';
time.timeZone = "Europe/Berlin";
}
diff --git a/2configs/tv/charybdis.nix b/2configs/tv/charybdis.nix
index a45c7aebe..d78e162cb 100644
--- a/2configs/tv/charybdis.nix
+++ b/2configs/tv/charybdis.nix
@@ -123,7 +123,7 @@ let
#loadmodule "extensions/ip_cloaking.so";
serverinfo {
- name = ${toJSON (head config.tv.identity.self.nets.retiolum.aliases)};
+ name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
sid = "4z3";
description = "miep!";
network_name = "irc.retiolum";
@@ -133,9 +133,9 @@ let
/* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */
/* for IPv4 */
- vhost = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs4};
+ vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4};
/* for IPv6 */
- vhost6 = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs6};
+ vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6};
/* ssl_private_key: our ssl private key */
ssl_private_key = "/tmp/ssl.key";
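Review bot: `ssl_private_key = "/tmp/ssl.key";` directly under the rewritten vhost lines keeps the ircd's TLS private key in a world-writable, typically non-persistent directory; it predates this commit, but the serverinfo block is being touched anyway. I would point it at a root-owned 0600 file under the secrets tree the makefiles already provision (`secrets_dir`) and, until then, leave `# TODO ssl key lives in /tmp; move to secrets_dir` next to it.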
@@ -170,7 +170,7 @@ let
admin {
name = "tv";
description = "peer";
- email = "tv@wu.retiolum";
+ mail = "${config.krebs.users.tv.mail}";
};
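Review bot: The admin block key was renamed along with its value: `email = "tv@wu.retiolum";` became `mail = "${config.krebs.users.tv.mail}";`, but charybdis' admin{} block defines `email`, not `mail`, so as far as I can tell the ircd's config parser will reject or silently ignore this entry. Keep the key and quote the value the way the neighbouring serverinfo lines do: `email = ${toJSON config.krebs.users.tv.mail};`.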
log {
@@ -240,7 +240,7 @@ let
*/
# XXX This is stupid because only one host is allowed[?]
#host = ''${concatMapStringsSep ", " toJSON (
- # config.tv.identity.self.nets.retiolum.addrs
+ # config.krebs.build.host.nets.retiolum.addrs
#)};
port = 6667;
sslport = 6697;
diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix
index 1c8dcb884..d10f9ea75 100644
--- a/2configs/tv/consul-server.nix
+++ b/2configs/tv/consul-server.nix
@@ -1,16 +1,15 @@
{ config, ... }:
{
- imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec {
enable = true;
- inherit (config.tv.identity) self;
+ self = config.krebs.build.host;
inherit (self) dc;
server = true;
- hosts = with config.tv.identity.hosts; [
+ hosts = with config.krebs.hosts; [
# TODO get this list automatically from each host where tv.consul.enable is true
cd
mkdir
diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix
index efab5cf32..851a0c625 100644
--- a/2configs/tv/exim-retiolum.nix
+++ b/2configs/tv/exim-retiolum.nix
@@ -4,9 +4,9 @@
services.exim =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
- assert config.tv.retiolum.enable;
+ assert config.krebs.retiolum.enable;
let
- # TODO get the hostname from config.tv.retiolum.
+ # TODO get the hostname from config.krebs.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum";
in
{ enable = true;
diff --git a/2configs/tv/exim-smarthost.nix b/2configs/tv/exim-smarthost.nix
index a4c47b399..c93189b8a 100644
--- a/2configs/tv/exim-smarthost.nix
+++ b/2configs/tv/exim-smarthost.nix
@@ -11,20 +11,21 @@ in
let
retiolumHostname = "${config.networking.hostName}.retiolum";
- internet-aliases = [
- { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; }
+ internet-aliases = with config.krebs.users; [
+ { from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die:
- { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; }
+ { from = "tv@viljetic.de"; to = tv.mail; }
- { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; }
+ { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
- { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; }
+ { from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?)
- { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; }
+ { from = "tv@cd.retiolum"; to = tv.mail; }
- { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; }
+ # TODO lists@smtp.retiolum [consul]
+ { from = "postmaster@krebsco.de"; to = tv.mail; }
];
system-aliases = [
diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix
deleted file mode 100644
index aef83667f..000000000
--- a/2configs/tv/git-public.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- inherit (builtins) map readFile;
- inherit (lib) concatMap listToAttrs;
- # TODO lib should already include our stuff
- inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git;
-
- public-git-repos = [
- (public "cgserver")
- (public "crude-mail-setup")
- (public "dot-xmonad")
- (public "hack")
- (public "load-env")
- (public "make-snapshot")
- (public "mime")
- (public "much")
- (public "nixos-infest")
- (public "nixpkgs")
- (public "painload")
- (public "quipper")
- (public "regfish")
- (public' {
- name = "shitment";
- desc = "turn all the computers into one computer!";
- })
- (public "wai-middleware-time")
- (public "web-routes-wai-custom")
- (public "xintmap")
- ];
-
- users = addNames {
- tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; };
- lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; };
- uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; };
- makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; };
- };
-
- repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos);
-
- rules = concatMap ({ rules, ... }: rules) public-git-repos;
-
- public' = { name, desc }:
- let
- x = public name;
- in
- x // { repo = x.repo // { inherit desc; }; };
-
- public = repo-name:
- rec {
- repo = {
- name = repo-name;
- hooks = {
- post-receive = git.irc-announce {
- nick = config.networking.hostName; # TODO make this the default
- channel = "#retiolum";
- server = "cd.retiolum";
- };
- };
- public = true;
- };
- rules = with git; with users; [
- { user = tv;
- repo = [ repo ];
- perm = push "refs/*" [ non-fast-forward create delete merge ];
- }
- { user = [ lass makefu uriel ];
- repo = [ repo ];
- perm = fetch;
- }
- ];
- };
-
-in
-
-{
- imports = [
- ../../3modules/tv/git.nix
- ];
- tv.git = {
- enable = true;
- inherit repos rules users;
- root-title = "public repositories at ${config.networking.hostName}";
- root-desc = "keep calm and engage";
- };
-}
diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix
new file mode 100644
index 000000000..2c0cc6b14
--- /dev/null
+++ b/2configs/tv/git.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+
+with import ../../4lib/tv { inherit lib pkgs; };
+let
+
+ out = {
+ krebs.git = {
+ enable = true;
+ root-title = "public repositories at ${config.krebs.build.host.name}";
+ root-desc = "keep calm and engage";
+ inherit repos rules;
+ };
+ };
+
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+ public-repos //
+ optionalAttrs config.krebs.build.host.secure restricted-repos
+ );
+
+ rules = concatMap make-rules (attrValues repos);
+
+ public-repos = mapAttrs make-public-repo {
+ cgserver = {};
+ crude-mail-setup = {};
+ dot-xmonad = {};
+ hack = {};
+ load-env = {};
+ make-snapshot = {};
+ mime = {};
+ much = {};
+ nixos-infest = {};
+ nixpkgs = {};
+ painload = {};
+ quipper = {};
+ regfish = {};
+ stockholm = {
+ desc = "take all the computers hostage, they'll love you!";
+ };
+ wai-middleware-time = {};
+ web-routes-wai-custom = {};
+ xintmap = {};
+ };
+
+ restricted-repos = mapAttrs make-restricted-repo (
+ {
+ brain = {
+ collaborators = with config.krebs.users; [ lass makefu ];
+ };
+ } //
+ import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+ );
+
+ make-public-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = true;
+ hooks = {
+ post-receive = git.irc-announce {
+ # TODO make nick = config.krebs.build.host.name the default
+ nick = config.krebs.build.host.name;
+ channel = "#retiolum";
+ server = "cd.retiolum";
+ };
+ };
+ };
+
+ make-restricted-repo = name: { desc ? null, ... }: {
+ inherit name desc;
+ public = false;
+ };
+
+ make-rules =
+ with git // config.krebs.users;
+ repo:
+ singleton {
+ user = tv;
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ } ++
+ optional repo.public {
+ user = [ lass makefu uriel ];
+ repo = [ repo ];
+ perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+in out
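Review bot: Collaborators never reach the access rules: make-restricted-repo (`{ desc ? null, ... }: { inherit name desc; public = false; }`) drops `collaborators`, `repos` strips it again with removeAttrs, and `rules` is computed from that stripped set, so `repo.collaborators or []` in make-rules is always empty and lass and makefu get no fetch permission on `brain`. This fails closed, so it is a functional rather than an exposure bug, but the brain entry as written is dead configuration. Carry the list through make-restricted-repo and derive the rules from the unstripped set, as below; if the rules consumer turns out to be strict about repo attributes, strip inside make-rules instead. Separately, `import /root/src/secrets/repos.nix` is an absolute path outside the repository, so evaluation only succeeds on a machine that has it; a comment stating where that file is expected to live (the makefiles define a `secrets_dir`) would help.
```nix
  all-repos =
    public-repos //
    optionalAttrs config.krebs.build.host.secure restricted-repos;

  # the git/cgit module only sees the stripped set; rules keep collaborators
  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
  };

  # … unchanged: make-rules …
```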
diff --git a/2configs/tv/smartd.nix b/2configs/tv/smartd.nix
index 2e9d955d1..9c4d8b2d8 100644
--- a/2configs/tv/smartd.nix
+++ b/2configs/tv/smartd.nix
@@ -8,7 +8,7 @@
device = "DEVICESCAN";
options = toString [
"-a"
- "-m tv@wu.retiolum"
+ "-m ${config.krebs.users.tv.mail}"
"-s (O/../.././09|S/../.././04|L/../../6/05)"
];
}
diff --git a/2configs/tv/urlwatch.nix b/2configs/tv/urlwatch.nix
new file mode 100644
index 000000000..a69b1519c
--- /dev/null
+++ b/2configs/tv/urlwatch.nix
@@ -0,0 +1,51 @@
+{ config, ... }:
+
+{
+ krebs.urlwatch = {
+ enable = true;
+ mailto = config.krebs.users.tv.mail;
+ onCalendar = "*-*-* 05:00:00";
+ urls = [
+ ## nixpkgs maintenance
+
+ # 2014-07-29 when one of the following urls change
+ # then we have to update the package
+
+ # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
+ https://api.github.com/repos/simple-evcorr/sec/tags
+
+ # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
+ https://thp.io/2008/urlwatch/
+
+ # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
+ https://api.github.com/repos/ioerror/tlsdate/tags
+
+ # 2015-02-18
+ # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
+ http://www.fourmilab.ch/webtools/qprint/
+
+ # 2014-09-24 ref https://github.com/4z3/xintmap
+ http://www.mathstat.dal.ca/~selinger/quipper/
+
+ # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
+ # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
+ http://nixos.org/releases/nixops/
+
+ ## other
+
+ https://nixos.org/channels/nixos-unstable/git-revision
+
+ ## 2014-10-17
+ ## TODO update ~/src/login/default.nix
+ #http://hackage.haskell.org/package/bcrypt
+ #http://hackage.haskell.org/package/cron
+ #http://hackage.haskell.org/package/hyphenation
+ #http://hackage.haskell.org/package/iso8601-time
+ #http://hackage.haskell.org/package/ixset-typed
+ #http://hackage.haskell.org/package/system-command
+ #http://hackage.haskell.org/package/transformers
+ #http://hackage.haskell.org/package/web-routes-wai
+ #http://hackage.haskell.org/package/web-page
+ ];
+ };
+}
diff --git a/2configs/tv/identity.nix b/3modules/krebs/default.nix
index 44208c956..33c108811 100644
--- a/2configs/tv/identity.nix
+++ b/3modules/krebs/default.nix
@@ -1,11 +1,145 @@
-{ config, ... }:
+{ config, lib, ... }:
-{
- imports = [ ../../3modules/tv/identity.nix ];
- tv.identity = {
- enable = true;
- search = "retiolum";
- hosts = {
+with import ../../4lib/krebs { inherit lib; };
+let
+ cfg = config.krebs;
+
+ out = {
+ imports = [
+ ./github-hosts-sync.nix
+ ./git.nix
+ ./nginx.nix
+ ./retiolum.nix
+ ./urlwatch.nix
+ ];
+ options.krebs = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "krebs";
+
+ build = mkOption {
+ type = types.submodule {
+ options = {
+ host = mkOption {
+ type = types.host;
+ };
+ user = mkOption {
+ type = types.user;
+ };
+ };
+ };
+ # Define defaul value, so unset values of the submodule get reported.
+ default = {};
+ };
+
+ hosts = mkOption {
+ type = with types; attrsOf host;
+ };
+
+ users = mkOption {
+ type = with types; attrsOf user;
+ };
+
+ # XXX is there a better place to define search-domain?
+ # TODO search-domains :: listOf hostname
+ search-domain = mkOption {
+ type = types.hostname;
+ default = "";
+ example = "retiolum";
+ };
+ };
+
+ imp = mkMerge [
+ { krebs = lass-imp; }
+ { krebs = makefu-imp; }
+ { krebs = tv-imp; }
+ {
+ # XXX This overlaps with krebs.retiolum
+ networking.extraHosts =
+ let
+ # TODO move domain name providers to a dedicated module
+ # providers : tree label providername
+ providers = {
+ internet = "hosts";
+ retiolum = "hosts";
+ de.viljetic = "regfish";
+ de.krebsco = "ovh";
+ };
+
+ # splitByProvider : [alias] -> listset providername alias
+ splitByProvider = foldl (acc: alias: listset-insert (providerOf alias) alias acc) {};
+
+ # providerOf : alias -> providername
+ providerOf = alias:
+ tree-get (splitString "." alias) providers;
+ in
+ concatStringsSep "\n" (flatten (
+ # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net:
+ mapAttrsToList (hostname: host:
+ mapAttrsToList (netname: net:
+ let
+ aliases = toString (unique (longs ++ shorts));
+ longs = (splitByProvider net.aliases).hosts;
+ shorts = map (removeSuffix ".${cfg.search-domain}") longs;
+ in
+ map (addr: "${addr} ${aliases}") net.addrs
+ ) host.nets
+ ) config.krebs.hosts
+ ));
+ }
+ ];
+
+ lass-imp = {
+ hosts = addNames {
+ };
+ users = addNames {
+ lass = {
+ pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
+ };
+ uriel = {
+ pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
+ };
+ };
+ };
+
+ makefu-imp = {
+ hosts = addNames {
+ pnp = {
+ cores = 1;
+ dc = "makefu"; #vm on 'omo'
+ nets = {
+ retiolum = {
+ addrs4 = ["10.243.0.210"];
+ addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"];
+ aliases = [
+ "pnp.retiolum"
+ "cgit.pnp.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g
+ Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V
+ pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR
+ SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T
+ TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr
+ Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
+ };
+ users = addNames {
+ makefu = {
+ pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
+ };
+ };
+ };
+
+ tv-imp = {
+ hosts = addNames {
cd = {
cores = 2;
dc = "tv"; #dc = "cac";
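Review bot: `longs = (splitByProvider net.aliases).hosts;` assumes every net has at least one alias whose provider resolves to `hosts`; a host entry whose aliases are all under viljetic.de or krebsco.de would leave `.hosts` missing and abort evaluation of networking.extraHosts for every host. `longs = (splitByProvider net.aliases).hosts or [];` keeps such an entry from breaking the whole table (what tree-get does for an alias under a TLD that is not in `providers` is outside this view, so that case may still need a default). The `# XXX This overlaps with krebs.retiolum` comment would be more actionable if it said which of the two is meant to own the host entries.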
@@ -99,6 +233,7 @@
'';
};
};
+ secure = true;
};
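Review bot: `secure = true;` on cd carries no comment saying what it asserts, yet in 2configs/tv/git.nix it is the switch that deploys the restricted repositories and imports `/root/src/secrets/repos.nix` on this host. cd also runs the internet-facing services configured in cd.nix (charybdis, ejabberd, github-hosts-sync, nginx), so it is worth stating explicitly that this combination is intended. I would add `# secure: trusted to hold private repos/secrets; gates restricted-repos in 2configs/tv/git.nix` at the flag, or on the option itself in 4lib/krebs/types.nix, which is outside this view. The enclosing host definition starts before this hunk.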
rmdir = {
cores = 1;
@@ -154,7 +289,20 @@
'';
};
};
+ secure = true;
+ };
+ };
+ users = addNames {
+ mv = {
+ mail = "mv@cd.retiolum";
+ pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub;
+ };
+ tv = {
+ mail = "tv@wu.retiolum";
+ pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub;
};
};
};
-}
+
+in
+out
diff --git a/3modules/tv/git.nix b/3modules/krebs/git.nix
index 8c73d0354..604645189 100644
--- a/3modules/tv/git.nix
+++ b/3modules/krebs/git.nix
@@ -6,16 +6,16 @@
# TODO when authorized_keys changes, then restart ssh
# (or kill already connected users somehow)
-with builtins;
-with lib;
+with import ../../4lib/krebs { inherit lib; };
let
- cfg = config.tv.git;
+ cfg = config.krebs.git;
out = {
+ # TODO don't import krebs.nginx here
imports = [
- ../../3modules/tv/nginx.nix
+ ../../3modules/krebs/nginx.nix
];
- options.tv.git = api;
+ options.krebs.git = api;
config = mkIf cfg.enable (mkMerge [
(mkIf cfg.cgit cgit-imp)
git-imp
@@ -23,12 +23,20 @@ let
};
api = {
- enable = mkEnableOption "tv.git";
+ enable = mkEnableOption "krebs.git";
cgit = mkOption {
type = types.bool;
default = true;
- description = "Enable cgit."; # TODO better desc; talk about nginx
+ description = ''
+ Enable cgit.
+ Cgit is an attempt to create a fast web interface for the git version
+ control system, using a built in cache to decrease pressure on the
+ git server.
+ cgit in this module is being served via fastcgi nginx.This module
+ deploys a http://cgit.<hostname> nginx configuration and enables nginx
+ if not yet enabled.
+ '';
};
dataDir = mkOption {
type = types.str;
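Review bot: The new `cgit` description contains `via fastcgi nginx.This module` with the space after the period missing, and it embeds `http://cgit.<hostname>`; if option descriptions are rendered as DocBook (the usual case for NixOS option docs), a bare `<hostname>` is parsed as an element and can break documentation generation. Suggested wording for that sentence: `cgit in this module is served via nginx (fastcgi). This module deploys an nginx configuration for http://cgit.<replaceable>hostname</replaceable> and enables nginx if it is not enabled yet.` The `api` option set continues outside this hunk.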
@@ -64,6 +72,7 @@ let
};
hooks = mkOption {
type = types.attrsOf types.str;
+ default = {};
description = ''
Repository-specific hooks.
'';
@@ -118,9 +127,6 @@ let
rules = mkOption {
type = types.unspecified;
};
- users = mkOption {
- type = types.unspecified;
- };
};
git-imp = {
@@ -148,7 +154,8 @@ let
name = "git";
shell = "/bin/sh";
openssh.authorizedKeys.keys =
- mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users;
+ mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
+ config.krebs.users;
uid = 129318403; # genid git
};
};
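Review bot: Dropping the module-level `users` option (removed in the hunk `@@ -118,9 +127,6 @@`) and feeding `config.krebs.users` to `makeAuthorizedKey` means every key in the shared registry — in this commit lass, uriel, makefu, mv and tv — is installed into the git user's authorized_keys on every host that enables `krebs.git`, where previously each deployment picked its own set. Access is then bounded only by the forced command produced by `makeAuthorizedKey` and by `rules`, so a host that only meant to serve one owner's repositories now also accepts logins from every other registered key. Keep a narrowing knob with the new default, e.g. `users = mkOption { type = with types; attrsOf user; default = config.krebs.users; };` and pass `cfg.users` here, so the widening is opt-in per host. The surrounding user definition continues outside this hunk.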
@@ -210,7 +217,7 @@ let
chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit
'';
- tv.nginx = {
+ krebs.nginx = {
enable = true;
servers.cgit = {
server-names = [
@@ -254,7 +261,7 @@ let
isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
- makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }:
+ makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:
# TODO assert name
# TODO assert pubkey
let
diff --git a/3modules/tv/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix
index f50bf2b1b..c3b56ef94 100644
--- a/3modules/tv/github-hosts-sync.nix
+++ b/3modules/krebs/github-hosts-sync.nix
@@ -3,15 +3,15 @@
with builtins;
with lib;
let
- cfg = config.tv.github-hosts-sync;
+ cfg = config.krebs.github-hosts-sync;
out = {
- options.tv.github-hosts-sync = api;
+ options.krebs.github-hosts-sync = api;
config = mkIf cfg.enable imp;
};
api = {
- enable = mkEnableOption "tv.github-hosts-sync";
+ enable = mkEnableOption "krebs.github-hosts-sync";
port = mkOption {
type = types.int; # TODO port type
default = 1028;
@@ -78,6 +78,6 @@ let
uid = 3220554646; # genid github-hosts-sync
};
- Zpkgs = import ../../Zpkgs/tv { inherit pkgs; };
+ Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; };
in
out
diff --git a/3modules/tv/nginx.nix b/3modules/krebs/nginx.nix
index a58c49520..702e8a7f6 100644
--- a/3modules/tv/nginx.nix
+++ b/3modules/krebs/nginx.nix
@@ -3,21 +3,22 @@
with builtins;
with lib;
let
- cfg = config.tv.nginx;
+ cfg = config.krebs.nginx;
out = {
- options.tv.nginx = api;
+ options.krebs.nginx = api;
config = mkIf cfg.enable imp;
};
api = {
- enable = mkEnableOption "tv.nginx";
+ enable = mkEnableOption "krebs.nginx";
servers = mkOption {
type = with types; attrsOf optionSet;
options = singleton {
server-names = mkOption {
type = with types; listOf str;
+ # TODO use identity
default = [
"${config.networking.hostName}"
"${config.networking.hostName}.retiolum"
diff --git a/3modules/tv/retiolum.nix b/3modules/krebs/retiolum.nix
index ca1418c32..481d6565c 100644
--- a/3modules/tv/retiolum.nix
+++ b/3modules/krebs/retiolum.nix
@@ -3,15 +3,15 @@
with builtins;
with lib;
let
- cfg = config.tv.retiolum;
+ cfg = config.krebs.retiolum;
out = {
- options.tv.retiolum = api;
+ options.krebs.retiolum = api;
config = mkIf cfg.enable imp;
};
api = {
- enable = mkEnableOption "tv.retiolum";
+ enable = mkEnableOption "krebs.retiolum";
name = mkOption {
type = types.str;
@@ -57,9 +57,9 @@ let
};
hosts = mkOption {
- default = null;
+ type = with types; either package path;
+ default = ../../Zhosts;
description = ''
- Hosts package or path to use.
If a path is given, then it will be used to generate an ad-hoc package.
'';
};
@@ -76,13 +76,21 @@ let
# bad unsafe permissions...
type = types.str;
default = "/root/src/secrets/retiolum.rsa_key.priv";
- description = "Generate file with <literal>tincd -K</literal>.";
+ description = ''
+ Generate file with <literal>tincd -K</literal>.
+ This file must exist on the local system. The default points to
+ <secrets/retiolum.rsa_key.priv>.
+ '';
};
connectTo = mkOption {
type = types.listOf types.str;
- default = [ "fastpoke" "pigstarter" "kheurop" ];
- description = "TODO describe me";
+ default = [ "fastpoke" "pigstarter" "gum" ];
+ description = ''
+ The list of hosts in the network which the client will try to connect
+ to. These hosts should have an 'Address' configured which points to a
+ routeable IPv4 or IPv6 address.
+ '';
};
};
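Review bot: The new `privateKeyFile` description says the default points to `<secrets/retiolum.rsa_key.priv>`, but the default value on the context line above is the absolute path `/root/src/secrets/retiolum.rsa_key.priv`; the angle-bracket form reads like a NIX_PATH lookup and does not match what is actually used. Suggested wording: `The default points to /root/src/secrets/retiolum.rsa_key.priv; this file must exist on the target host and is read by tincd, so keep it readable by root only.` The preserved `# bad unsafe permissions...` comment above the option suggests the permission situation is known; stating the expected mode in the description makes that actionable. The `api` set continues outside this hunk.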
@@ -123,24 +131,20 @@ let
};
tinc = cfg.tincPackage;
- hostsType = builtins.typeOf cfg.hosts;
- hosts =
- if hostsType == "package" then
- # use package as is
- cfg.hosts
- else if hostsType == "path" then
- # use path to generate a package
- pkgs.stdenv.mkDerivation {
- name = "custom-retiolum-hosts";
- src = cfg.hosts;
- installPhase = ''
- mkdir $out
- find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
- '';
- }
- else
- abort "The option `services.retiolum.hosts' must be set to a package or a path"
- ;
+
+ hosts = getAttr (typeOf cfg.hosts) {
+ package = cfg.hosts;
+ path = pkgs.stdenv.mkDerivation {
+ name = "custom-retiolum-hosts";
+ src = cfg.hosts;
+ installPhase = ''
+ mkdir $out
+ find . -name .git -prune -o -type f -print0 \
+ | xargs -0 cp --target-directory $out
+ '';
+ };
+ };
+
iproute = cfg.iproutePackage;
retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
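Review bot: `getAttr (typeOf cfg.hosts)` can never select the `package` branch: `builtins.typeOf` reports a derivation as `"set"` (and a string path, which `types.path` typically accepts when it starts with `/`, as `"string"`), so passing a package now fails with an opaque `attribute 'set' missing` where the removed code at least aborted with a message. Dispatch on the value rather than its type name, e.g. `hosts = if isDerivation cfg.hosts then cfg.hosts else pkgs.stdenv.mkDerivation { … };`, which also covers string paths. The old `hostsType == "package"` comparison was already dead, so this is carried over rather than introduced. The enclosing `let` continues outside the hunk.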
@@ -218,5 +222,5 @@ let
chmod +x $out/tinc-up
'';
-in
-out
+
+in out
diff --git a/3modules/tv/urlwatch.nix b/3modules/krebs/urlwatch.nix
index a659fc74f..58de72fc6 100644
--- a/3modules/tv/urlwatch.nix
+++ b/3modules/krebs/urlwatch.nix
@@ -8,16 +8,16 @@
with builtins;
with lib;
let
- cfg = config.tv.urlwatch;
+ cfg = config.krebs.urlwatch;
# TODO assert sendmail's existence
out = {
- options.tv.urlwatch = api;
+ options.krebs.urlwatch = api;
config = mkIf cfg.enable imp;
};
api = {
- enable = mkEnableOption "tv.urlwatch";
+ enable = mkEnableOption "krebs.urlwatch";
dataDir = mkOption {
type = types.str;
diff --git a/3modules/makefu/default.nix b/3modules/makefu/default.nix
new file mode 100644
index 000000000..45ca8c3eb
--- /dev/null
+++ b/3modules/makefu/default.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+
+with import ../../4lib/krebs { inherit lib; };
+let
+ cfg = config.krebs;
+
+ out = {
+ imports = [
+ ];
+ options.krebs = api;
+ config = mkIf cfg.enable imp;
+ };
+
+ api = { };
+
+ imp = { };
+
+in
+out
diff --git a/3modules/tv/consul.nix b/3modules/tv/consul.nix
index 312faa02f..4e54c2ab0 100644
--- a/3modules/tv/consul.nix
+++ b/3modules/tv/consul.nix
@@ -10,7 +10,6 @@ let
cfg = config.tv.consul;
out = {
- imports = [ ../../3modules/tv/iptables.nix ];
options.tv.consul = api;
config = mkIf cfg.enable (mkMerge [
imp
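Review bot: Removing the `../../3modules/tv/iptables.nix` import makes consul.nix depend on being loaded through the new 3modules/tv/default.nix, which imports iptables.nix alongside it; if this module sets any `tv.iptables.*` option (its body is outside the hunk), importing consul.nix on its own will now fail with an undefined-option error. A one-line comment at the `out` set would save the next reader the search, e.g. `# relies on ./default.nix importing ./iptables.nix`.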
diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix
new file mode 100644
index 000000000..bb10d8261
--- /dev/null
+++ b/3modules/tv/default.nix
@@ -0,0 +1,9 @@
+_:
+
+{
+ imports = [
+ ./consul.nix
+ ./ejabberd.nix
+ ./iptables.nix
+ ];
+}
diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix
deleted file mode 100644
index 9a83908a6..000000000
--- a/3modules/tv/identity.nix
+++ /dev/null
@@ -1,88 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import ../../4lib/tv { inherit lib pkgs; };
-let
- cfg = config.tv.identity;
-
- out = {
- options.tv.identity = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "tv.identity";
-
- self = mkOption {
- type = types.host;
- };
-
- #others = mkOption {
- # type = types.host;
- # default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts;
- #};
-
- hosts = mkOption {
- type = with types; attrsOf host;
- apply = mapAttrs (name: value: value // { inherit name; });
- };
-
- search = mkOption {
- type = types.hostname;
- };
- };
-
- imp = {
- networking.extraHosts =
- concatStringsSep "\n" (flatten (
- # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net:
- mapAttrsToList (hostname: host:
- mapAttrsToList (netname: net:
- let
- aliases = toString (unique (longs ++ shorts));
- longs = (splitByProvider net.aliases).hosts;
- shorts = map (removeSuffix ".${cfg.search}") longs;
- in
- map (addr: "${addr} ${aliases}") net.addrs
- ) host.nets
- ) cfg.hosts
- ));
- };
-
- # TODO move domain name providers to a dedicated module
- # providers : tree label providername
- providers = {
- internet = "hosts";
- retiolum = "hosts";
- de.viljetic = "regfish";
- de.krebsco = "ovh";
- de.habsys = "hosts";
- de.pixelpocket = "hosts";
- de.karlaskop = "hosts";
- de.ubikmedia = "hosts";
- de.apanowicz = "hosts";
- de.aidsballs = "hosts";
- };
-
- # splitByProvider : [alias] -> set providername [alias]
- splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {};
-
- # providerOf : alias -> providername
- providerOf = alias:
- tree-get (splitString "." alias) providers;
-
- # insert : k -> v -> set k [v] -> set k [v]
- insert = name: value: set:
- set // { ${name} = set.${name} or [] ++ [value]; };
-
- # tree k v = set k (either v (tree k v))
-
- # tree-get : [k] -> tree k v -> v
- tree-get = path: x:
- let
- y = x.${last path};
- in
- if typeOf y != "set"
- then y
- else tree-get (init path) y;
-in
-out
diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix
new file mode 100644
index 000000000..0c42a5de3
--- /dev/null
+++ b/4lib/krebs/default.nix
@@ -0,0 +1,33 @@
+{ lib, ... }:
+
+with builtins;
+with lib;
+
+builtins // lib // rec {
+
+ addName = name: set:
+ set // { inherit name; };
+
+ addNames = mapAttrs addName;
+
+ types = import ./types.nix { inherit lib; };
+
+
+ # listset k v = set k [v]
+
+ # listset-insert : k -> v -> listset k v -> listset k v
+ listset-insert = name: value: set:
+ set // { ${name} = set.${name} or [] ++ [value]; };
+
+ # tree k v = set k (either v (tree k v))
+
+ # tree-get : [k] -> tree k v -> v
+ tree-get = path: x:
+ let
+ y = x.${last path};
+ in
+ if typeOf y != "set"
+ then y
+ else tree-get (init path) y;
+
+}
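Review bot: `tree-get` fails with a bare "attribute missing" error when a path component is absent from the tree, and with the `lists.last` empty-list error when the path is exhausted while `y` is still a set; neither message names the key being looked up. Since the function is used to map host aliases to providers, a caller-facing error helps, e.g. `y = x.${last path} or (throw "tree-get: unknown key ${last path}");`. The `# tree k v = …` type comments are a good start; a one-line note that lookup proceeds from the last path element to the first (TLD first) would complete them.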
diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix
new file mode 100644
index 000000000..3d3d75a65
--- /dev/null
+++ b/4lib/krebs/types.nix
@@ -0,0 +1,104 @@
+{ lib, ... }:
+
+with lib;
+with types;
+
+types // rec {
+
+ host = submodule {
+ options = {
+ name = mkOption {
+ type = label;
+ };
+ dc = mkOption {
+ type = label;
+ };
+ cores = mkOption {
+ type = positive;
+ };
+ nets = mkOption {
+ type = attrsOf net;
+ apply = x: assert hasAttr "retiolum" x; x;
+ };
+ secure = mkOption {
+ type = bool;
+ default = false;
+ description = ''
+ If true, then the host is capable of keeping secret information.
+
+ TODO define minimum requirements for secure hosts
+ '';
+ };
+ };
+ };
+
+ net = submodule ({ config, ... }: {
+ options = {
+ via = mkOption {
+ type = nullOr net;
+ default = null;
+ };
+ addrs = mkOption {
+ type = listOf addr;
+ apply = _: config.addrs4 ++ config.addrs6;
+ };
+ addrs4 = mkOption {
+ type = listOf addr4;
+ default = [];
+ };
+ addrs6 = mkOption {
+ type = listOf addr6;
+ default = [];
+ };
+ aliases = mkOption {
+ # TODO nonEmptyListOf hostname
+ type = listOf hostname;
+ };
+ tinc = mkOption {
+ type = let net-config = config; in submodule ({ config, ... }: {
+ options = {
+ config = mkOption {
+ type = str;
+ apply = _: ''
+ ${optionalString (net-config.via != null)
+ (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
+ ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
+ ${config.pubkey}
+ '';
+ };
+ pubkey = mkOption {
+ type = str;
+ };
+ };
+ });
+ };
+ };
+ });
+
+ positive = mkOptionType {
+ name = "positive integer";
+ check = x: isInt x && x > 0;
+ merge = mergeOneOption;
+ };
+
+ user = submodule {
+ options = {
+ mail = mkOption {
+ type = str; # TODO retiolum mail address
+ };
+ name = mkOption {
+ type = str; # TODO
+ };
+ pubkey = mkOption {
+ type = str;
+ };
+ };
+ };
+
+ # TODO
+ addr = str;
+ addr4 = str;
+ addr6 = str;
+ hostname = str;
+ label = str;
+}
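Review bot: `user.mail` is declared with no default, but the users added in this commit for lass, uriel and makefu set only `pubkey`, so any consumer that reads `.mail` for them will fail with an "option used but not defined" error the first time it is evaluated; either give it `type = nullOr str; default = null;` or require the field at definition time. Likewise `addr`, `addr4`, `addr6`, `hostname` and `label` are plain `str` (marked TODO), and those values flow unchecked into `networking.extraHosts` and the generated tinc host files via `tinc.config`, so a stray space or empty string silently produces a broken line; a minimal `check = x: x != "" && !(hasInfix " " x)` on `addr` and `hostname` would catch that at evaluation time.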
diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix
index 092a9626c..16888c214 100644
--- a/4lib/tv/default.nix
+++ b/4lib/tv/default.nix
@@ -1,9 +1,12 @@
{ lib, pkgs, ... }:
-with builtins;
-with lib;
+let
+ krebs = import ../../4lib/krebs { inherit lib; };
+in
-builtins // lib // rec {
+with krebs;
+
+krebs // rec {
git = import ./git.nix {
lib = lib // {
@@ -12,16 +15,9 @@ builtins // lib // rec {
inherit pkgs;
};
- addName = name: set:
- set // { inherit name; };
-
- addNames = mapAttrs addName;
-
-
# "7.4.335" -> "74"
majmin = with lib; x : concatStrings (take 2 (splitString "." x));
-
concat = xs :
if xs == []
then ""
@@ -53,82 +49,4 @@ builtins // lib // rec {
if isSafeChar c then c
else if c == "\n" then "'\n'"
else "\\${c}");
-
- types = lib.types // (with lib.types; rec {
-
- host = submodule {
- options = {
- name = mkOption {
- type = label;
- };
- dc = mkOption {
- type = label;
- };
- cores = mkOption {
- type = positive;
- };
- nets = mkOption {
- type = attrsOf net;
- apply = x: assert hasAttr "retiolum" x; x;
- };
- };
- };
-
- net = submodule ({ config, ... }: {
- options = {
- via = mkOption {
- type = nullOr net;
- default = null;
- };
- addrs = mkOption {
- type = listOf addr;
- apply = _: config.addrs4 ++ config.addrs6;
- };
- addrs4 = mkOption {
- type = listOf addr4;
- default = [];
- };
- addrs6 = mkOption {
- type = listOf addr6;
- default = [];
- };
- aliases = mkOption {
- # TODO nonEmptyListOf hostname
- type = listOf hostname;
- };
- tinc = mkOption {
- type = let net-config = config; in submodule ({ config, ... }: {
- options = {
- config = mkOption {
- type = str;
- apply = _: ''
- ${optionalString (net-config.via != null)
- (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
- ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
- ${config.pubkey}
- '';
- };
- pubkey = mkOption {
- type = str;
- };
- };
- });
- };
- };
- });
-
- positive = mkOptionType {
- name = "positive integer";
- check = x: isInt x && x > 0;
- merge = mergeOneOption;
- };
-
- # TODO
- addr = str;
- addr4 = str;
- addr6 = str;
- hostname = str;
- label = str;
- });
-
}
diff --git a/Makefile b/Makefile
index da234677b..6d075e6f2 100644
--- a/Makefile
+++ b/Makefile
@@ -41,13 +41,14 @@ deploy:;@
"$$src/" "$$deploy_host:$$dst"
)}
- prepush /root/src/shitment "$$PWD"
+ prepush /root/src/stockholm "$$PWD"
prepush /root/src/secrets "$$secrets_dir"
ssh -S none "$$deploy_host" -T env \
nixpkgs_url="$$nixpkgs_url" \
nixpkgs_rev="$$nixpkgs_rev" \
system_name="$$system_name" \
+ user_name="$$LOGNAME" \
sh -euf \
<<-\EOF
prefetch(){(
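Review bot: `user_name="$$LOGNAME"` forwards the local environment variable unchecked; when it is unset (sudo, cron, some CI shells) the remote side receives an empty string and the later `--argstr user-name` produces a path under `1systems//` that fails with an unrelated-looking error. Fail early instead: `user_name="$${LOGNAME:?LOGNAME must be set}" \`. The deploy recipe continues outside this hunk.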
@@ -77,26 +78,30 @@ deploy:;@
prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
echo build system...
- NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \
- NIX_PATH=src \
- nix-build -Q -A system '<nixpkgs/nixos>'
+ NIX_PATH=/root/src \
+ nix-build \
+ -Q \
+ -A system \
+ '<stockholm>' \
+ --argstr user-name "$$user_name" \
+ --argstr system-name "$$system_name"
result/bin/switch-to-configuration switch
EOF
.PHONY: eval
eval:
- @nix-instantiate \
+ @
+ NIX_PATH=stockholm=$$PWD:$$NIX_PATH \
+ nix-instantiate \
--json \
--eval \
--strict \
-A "$$get" \
- -E '
- import <nixpkgs/nixos/lib/eval-config.nix> {
- system = builtins.currentSystem;
- modules = [ ./1systems/$(LOGNAME)/$(system).nix ];
- }
- ' | jq -r .
+ '<stockholm>' \
+ --argstr user-name "$$LOGNAME" \
+ --argstr system-name "$$system" \
+ | jq -r .
else
$(error unbound variable: system[s])
endif
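Review bot: In the `eval` target the `@` now sits on a recipe line of its own, while the `NIX_PATH=… nix-instantiate … | jq -r .` command starts on the next line without it; unless the rendering dropped a trailing backslash or the Makefile sets `.SILENT`/`.ONESHELL` elsewhere, make will echo the whole command to stdout before running it, which pollutes the JSON that `make eval` is presumably captured for. Attach the prefix to the command instead: `@NIX_PATH=stockholm=$$PWD:$$NIX_PATH \`. The `$$get` and `$$system` variables are defined outside this hunk.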
diff --git a/Zhosts/pnp b/Zhosts/pnp
new file mode 100644
index 000000000..66c99f24d
--- /dev/null
+++ b/Zhosts/pnp
@@ -0,0 +1,11 @@
+Subnet = 10.243.0.210
+Subnet = 42:f9f1:0000:0000:0000:0000:0000:0001
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g
+Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V
+pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR
+SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T
+TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr
+Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB
+-----END RSA PUBLIC KEY-----
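Review bot: This host file duplicates the pnp data already declared in Nix in this commit — the two `Subnet` lines match `addrs4`/`addrs6` and the RSA public key is the same text as `tinc.pubkey` — so the key now lives in two places that can drift; if one copy is rotated and the other is not, peers will fail to authenticate the node. The `tinc.config` apply in 4lib/krebs/types.nix already renders exactly this `Subnet = …` plus key layout from `krebs.hosts`, so Zhosts entries could be generated from it instead of hand-maintained (not wired up in this commit, as far as the diff shows).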
diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix
new file mode 100644
index 000000000..231fda797
--- /dev/null
+++ b/Zpkgs/krebs/default.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+let
+ inherit (pkgs) callPackage;
+in
+
+pkgs //
+{
+ dic = callPackage ./dic.nix {};
+ genid = callPackage ./genid.nix {};
+ github-hosts-sync = callPackage ./github-hosts-sync.nix {};
+ github-known_hosts = callPackage ./github-known_hosts.nix {};
+ hashPassword = callPackage ./hashPassword.nix {};
+}
diff --git a/Zpkgs/tv/dic.nix b/Zpkgs/krebs/dic.nix
index 571773d22..571773d22 100644
--- a/Zpkgs/tv/dic.nix
+++ b/Zpkgs/krebs/dic.nix
diff --git a/Zpkgs/tv/genid.nix b/Zpkgs/krebs/genid.nix
index c75bec317..c75bec317 100644
--- a/Zpkgs/tv/genid.nix
+++ b/Zpkgs/krebs/genid.nix
diff --git a/Zpkgs/tv/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix
index d69b2b12b..d69b2b12b 100644
--- a/Zpkgs/tv/github-hosts-sync.nix
+++ b/Zpkgs/krebs/github-hosts-sync.nix
diff --git a/Zpkgs/tv/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix
index 302fdd8d5..302fdd8d5 100644
--- a/Zpkgs/tv/github-known_hosts.nix
+++ b/Zpkgs/krebs/github-known_hosts.nix
diff --git a/Zpkgs/krebs/hashPassword.nix b/Zpkgs/krebs/hashPassword.nix
new file mode 100644
index 000000000..a10340cc4
--- /dev/null
+++ b/Zpkgs/krebs/hashPassword.nix
@@ -0,0 +1,16 @@
+{ lib, pkgs, ... }:
+
+pkgs.writeScriptBin "hashPassword" ''
+ #! /bin/sh
+ # usage: hashPassword
+ set -euf
+
+ export PATH=${lib.makeSearchPath "bin" (with pkgs; [
+ coreutils
+ mkpasswd
+ openssl
+ ])}
+
+ salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16)
+ exec mkpasswd -m sha-512 -S "$salt"
+''
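Review bot: The salt pipeline `openssl rand -base64 16 | tr -d '+=' | head -c 16` has a reason that is not written down: crypt salts use the alphabet `[./0-9A-Za-z]`, so base64's `+` and padding `=` must go while `/` may stay. Add `# crypt salt alphabet is [./0-9A-Za-z]: drop base64's '+' and '=' padding, keep '/'` above the `salt=` line. Note that if more than six `+` characters are stripped the salt is shorter than 16 characters; that is still within the length mkpasswd accepts for sha-512, but worth a word in the comment.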
diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix
index fa9fff84c..50625f868 100644
--- a/Zpkgs/tv/default.nix
+++ b/Zpkgs/tv/default.nix
@@ -2,15 +2,11 @@
let
inherit (pkgs) callPackage;
+ krebs = import ../../Zpkgs/krebs { inherit pkgs; };
in
-pkgs //
-{
+krebs // {
charybdis = callPackage ./charybdis {};
- dic = callPackage ./dic.nix {};
- genid = callPackage ./genid.nix {};
- github-hosts-sync = callPackage ./github-hosts-sync.nix {};
- github-known_hosts = callPackage ./github-known_hosts.nix {};
lentil = callPackage ./lentil {};
much = callPackage ./much.nix {};
viljetic-pages = callPackage ./viljetic-pages {};
diff --git a/Zpubkeys/makefu.ssh.pub b/Zpubkeys/makefu_arch.ssh.pub
index 6092ec469..6092ec469 100644
--- a/Zpubkeys/makefu.ssh.pub
+++ b/Zpubkeys/makefu_arch.ssh.pub
diff --git a/default.nix b/default.nix
new file mode 100644
index 000000000..49e889924
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,20 @@
+{ user-name, system-name }:
+
+let
+
+ eval = import <nixpkgs/nixos/lib/eval-config.nix> {
+ system = builtins.currentSystem;
+ modules = [
+ (./1systems + "/${user-name}/${system-name}.nix")
+ (./3modules/krebs)
+ (./3modules + "/${user-name}")
+ ];
+ };
+
+in
+
+{
+ inherit (eval) config options;
+
+ system = eval.config.system.build.toplevel;
+}
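Review bot: `(./3modules + "/${user-name}")` is imported unconditionally, so every `user-name` passed via `--argstr` must have a `3modules/<user-name>` directory or evaluation fails with a file-not-found error rather than a message naming the missing per-user module set; only makefu and tv gain such a directory in this commit. Either document the requirement at the top of the file (`## each user needs 1systems/<user>/<system>.nix and a 3modules/<user> module set`) or make the import conditional with `builtins.pathExists` on that path.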