-rw-r--r--krebs/3modules/makefu/default.nix3
-rw-r--r--krebs/3modules/nginx.nix53
-rw-r--r--krebs/3modules/setuid.nix1
-rw-r--r--krebs/3modules/tv/default.nix8
-rw-r--r--krebs/5pkgs/default.nix2
-rw-r--r--krebs/5pkgs/jq/default.nix33
-rw-r--r--tv/1systems/nomic.nix1
-rw-r--r--tv/1systems/wu.nix7
-rw-r--r--tv/1systems/xu.nix7
-rw-r--r--tv/2configs/default.nix18
-rw-r--r--tv/2configs/exim-retiolum.nix4
-rw-r--r--tv/2configs/exim-smarthost.nix4
-rw-r--r--tv/2configs/vim.nix14
-rw-r--r--tv/2configs/wu-binary-cache/client.nix7
-rw-r--r--tv/2configs/wu-binary-cache/default.nix25
15 files changed, 96 insertions, 91 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index d309c1714..ccf21c868 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -323,7 +323,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
cgit.euer IN A ${head nets.internet.addrs4}
'';
};
- nets = {
+ nets = rec {
internet = {
addrs4 = ["195.154.108.70"];
aliases = [
@@ -331,6 +331,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
];
};
retiolum = {
+ via = internet;
addrs4 = ["10.243.0.211"];
addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"];
aliases = [
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 7b7163071..ec39715d8 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -13,33 +13,34 @@ let
enable = mkEnableOption "krebs.nginx";
servers = mkOption {
- type = with types; attrsOf optionSet;
- options = singleton {
- server-names = mkOption {
- type = with types; listOf str;
- # TODO use identity
- default = [
- "${config.networking.hostName}"
- "${config.networking.hostName}.retiolum"
- ];
+ type = types.attrsOf (types.submodule {
+ options = {
+ server-names = mkOption {
+ type = with types; listOf str;
+ # TODO use identity
+ default = [
+ "${config.networking.hostName}"
+ "${config.networking.hostName}.retiolum"
+ ];
+ };
+ listen = mkOption {
+ type = with types; either str (listOf str);
+ default = "80";
+ apply = x:
+ if typeOf x != "list"
+ then [x]
+ else x;
+ };
+ locations = mkOption {
+ type = with types; listOf (attrsOf str);
+ default = [];
+ };
+ extraConfig = mkOption {
+ type = with types; string;
+ default = "";
+ };
};
- listen = mkOption {
- type = with types; either str (listOf str);
- default = "80";
- apply = x:
- if typeOf x != "list"
- then [x]
- else x;
- };
- locations = mkOption {
- type = with types; listOf (attrsOf str);
- default = [];
- };
- extraConfig = mkOption {
- type = with types; string;
- default = "";
- };
- };
+ });
default = {};
};
};
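Review bot: `extraConfig` in the new submodule is typed `types.string`, whose merge function concatenates every definition with no separator, so two modules each contributing a directive block would be run together on one line; `type = with types; lines;` joins definitions with newlines and is the usual type for config snippets. The values of `server-names` and `locations` are interpolated into the generated nginx configuration by code outside this hunk, so a one-line comment on the submodule stating that these are trusted module input rather than request data would help the next reader. The enclosing `let` and options block begin before and end after this hunk.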
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 1137788d8..cfb8382e8 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -46,6 +46,7 @@ let
check = x:
isString x &&
match "[0-7][0-7][0-7][0-7]" x != null;
+ merge = mergeOneOption;
};
};
activate = mkOption {
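Review bot: The `check` on this mode option (its `mkOption` starts before the hunk) only validates that the value is four octal digits, so a mode with group or world write bits passes unchanged; if this is the mode of the installed setuid wrapper, tightening the pattern to `match "[0-7][0-7][0145][0145]" x != null` rejects write permission for group and others while still admitting the `4111` used elsewhere in this commit. The added `merge = mergeOneOption` turns a second definition of the option into an evaluation error rather than a merge, which deserves a comment such as `# a setuid mode must be defined exactly once; conflicting definitions are an error`.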
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 533502914..a0237d361 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -104,7 +104,7 @@ with config.krebs.lib;
ire 60 IN A ${elemAt nets.internet.addrs4 0}
'';
};
- nets = {
+ nets = rec {
internet = {
addrs4 = ["198.147.22.115"];
aliases = [
@@ -115,6 +115,7 @@ with config.krebs.lib;
ssh.port = 11423;
};
retiolum = {
+ via = internet;
addrs4 = ["10.243.231.66"];
addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
aliases = [
@@ -286,7 +287,10 @@ with config.krebs.lib;
nets = {
gg23 = {
addrs4 = ["10.23.1.37"];
- aliases = ["wu.gg23"];
+ aliases = [
+ "wu.gg23"
+ "cache.wu.gg23"
+ ];
ssh.port = 11423;
};
retiolum = {
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index d395fe00a..f7997dd63 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -17,7 +17,7 @@ with config.krebs.lib;
};
push = pkgs.callPackage ./push {
- inherit (subdirs) get jq;
+ inherit (subdirs) get;
};
ReaktorPlugins = pkgs.callPackage ./Reaktor/plugins.nix {};
diff --git a/krebs/5pkgs/jq/default.nix b/krebs/5pkgs/jq/default.nix
deleted file mode 100644
index 41db0f284..000000000
--- a/krebs/5pkgs/jq/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{stdenv, fetchurl}:
-let
- s = # Generated upstream information
- rec {
- baseName="jq";
- version="1.5";
- name="${baseName}-${version}";
- url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz;
- sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
- };
- buildInputs = [
- ];
-in
-stdenv.mkDerivation {
- inherit (s) name version;
- inherit buildInputs;
- src = fetchurl {
- inherit (s) url sha256;
- };
-
- # jq is linked to libjq:
- configureFlags = [
- "LDFLAGS=-Wl,-rpath,\\\${libdir}"
- ];
- meta = {
- inherit (s) version;
- description = ''A lightweight and flexible command-line JSON processor'';
- license = stdenv.lib.licenses.mit ;
- maintainers = [stdenv.lib.maintainers.raskin];
- platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
- };
-}
-
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 45320690b..fa9c90816 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -15,6 +15,7 @@ with config.krebs.lib;
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
+ ../2configs/wu-binary-cache/client.nix
../2configs/xserver
];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 8c363d9fc..0bf242109 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -16,6 +16,7 @@ with config.krebs.lib;
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
+ ../2configs/wu-binary-cache
../2configs/xserver
{
environment.systemPackages = with pkgs; [
@@ -126,12 +127,12 @@ with config.krebs.lib;
"/" = {
device = "/dev/mapper/vg840-wuroot";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/home";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
@@ -139,7 +140,7 @@ with config.krebs.lib;
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
- options = "nosuid,nodev,noatime";
+ options = ["nosuid" "nodev" "noatime"];
};
};
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index c6a69a85a..46fb59ff3 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -15,6 +15,7 @@ with config.krebs.lib;
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
+ ../2configs/wu-binary-cache/client.nix
../2configs/xserver
../2configs/xu-qemu0.nix
{
@@ -137,12 +138,12 @@ with config.krebs.lib;
"/" = {
device = "/dev/mapper/xuvga-root";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home" = {
device = "/dev/mapper/xuvga-home";
fsType = "btrfs";
- options = "defaults,noatime,ssd,compress=lzo";
+ options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/boot" = {
device = "/dev/sda1";
@@ -150,7 +151,7 @@ with config.krebs.lib;
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
- options = "nosuid,nodev,noatime";
+ options = ["nosuid" "nodev" "noatime"];
};
};
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 9b83997bb..0a3e40a5c 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,8 +14,7 @@ with config.krebs.lib;
stockholm = "/home/tv/stockholm";
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
- dev = "/home/tv/nixpkgs";
+ rev = "40c586b7ce2c559374df435f46d673baf711c543";
};
} // optionalAttrs config.krebs.build.host.secure {
secrets-master = "/home/tv/secrets/master";
@@ -55,15 +54,14 @@ with config.krebs.lib;
'';
time.timeZone = "Europe/Berlin";
}
+
{
# TODO check if both are required:
nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
- nix.trustedBinaryCaches = [
- "https://cache.nixos.org"
- "http://cache.nixos.org"
- "http://hydra.nixos.org"
- ];
+ nix.requireSignedBinaryCaches = true;
+
+ nix.binaryCaches = ["https://cache.nixos.org"];
nix.useChroot = true;
}
@@ -179,12 +177,6 @@ with config.krebs.lib;
}
{
- # TODO: exim
- security.setuidPrograms = [
- "sendmail" # for sudo
- ];
- }
- {
environment.systemPackages = [
pkgs.get
pkgs.krebszones
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
index 9197a3c30..dbe83dcf1 100644
--- a/tv/2configs/exim-retiolum.nix
+++ b/tv/2configs/exim-retiolum.nix
@@ -4,5 +4,9 @@ with config.krebs.lib;
{
krebs.exim-retiolum.enable = true;
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
}
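Review bot: `krebs.setuid.sendmail` is defined with the identical `filename`/`mode` pair here and in tv/2configs/exim-smarthost.nix, so a future change to the wrapper's mode has to be made in two places; with the `mergeOneOption` this commit adds in krebs/3modules/setuid.nix, a host that imported both files would fail evaluation with a multiple-definition error instead of silently agreeing. Moving the definition into one shared module that both exim configs import keeps a single source of truth. Whether any host currently imports both is not visible here.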
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 75dd9b42f..3ea010524 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -40,5 +40,9 @@ with config.krebs.lib;
{ from = "mirko"; to = "mv"; }
];
};
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index b0c26e50e..6e2059484 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -13,21 +13,17 @@ let
environment.variables.VIMINIT = ":so /etc/vimrc";
};
- extra-runtimepath = let
- inherit (pkgs.vimUtils) buildVimPlugin rtpPath;
- fromVimPlugins = pkgs: concatStringsSep ","
- (mapAttrsToList (name: pkg: "${pkg}/${rtpPath}/${name}") pkgs);
- in fromVimPlugins {
- inherit (pkgs.vimPlugins) undotree;
- file-line = buildVimPlugin {
+ extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+ pkgs.vimPlugins.undotree
+ (pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
- };
- };
+ })
+ ];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
diff --git a/tv/2configs/wu-binary-cache/client.nix b/tv/2configs/wu-binary-cache/client.nix
new file mode 100644
index 000000000..9634c21d4
--- /dev/null
+++ b/tv/2configs/wu-binary-cache/client.nix
@@ -0,0 +1,7 @@
+_:
+{
+ nix = {
+ binaryCaches = ["http://cache.wu.gg23"];
+ binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="];
+ };
+}
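Review bot: The cache is fetched over plain `http://cache.wu.gg23` and the module pins its signing key, but nothing in this file requires signatures; that guarantee comes from `nix.requireSignedBinaryCaches = true` in tv/2configs/default.nix, which this module does not import. A host that imports only client.nix would accept unsigned store paths from that HTTP endpoint, so setting `requireSignedBinaryCaches = true;` next to `binaryCaches` here makes the module self-contained. A comment such as `# served over plain HTTP; integrity rests on the pinned key plus requireSignedBinaryCaches` would record the intent.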
diff --git a/tv/2configs/wu-binary-cache/default.nix b/tv/2configs/wu-binary-cache/default.nix
new file mode 100644
index 000000000..6fcac21af
--- /dev/null
+++ b/tv/2configs/wu-binary-cache/default.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib;
+{
+ services.nix-serve = assert config.krebs.build.host.name == "wu"; {
+ enable = true;
+ secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+ };
+ systemd.services.nix-serve = {
+ requires = ["secret.service"];
+ after = ["secret.service"];
+ };
+ krebs.secret.files.nix-serve-key = {
+ path = "/run/secret/nix-serve.key";
+ owner.name = "nix-serve";
+ source-path = toString <secrets> + "/nix-serve.key";
+ };
+ krebs.nginx = {
+ enable = true;
+ servers.nix-serve = {
+ server-names = [ "cache.wu.gg23" ];
+ locations = singleton (nameValuePair "/" ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ '');
+ };
+ };
+}
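Review bot: `services.nix-serve` is exposed through the nginx vhost for `cache.wu.gg23`, but the nix-serve listener itself is not bound to loopback; if the module's default bindAddress is all interfaces (verify against the nixpkgs module), the store is also reachable directly on `config.services.nix-serve.port`, bypassing the vhost. Adding `bindAddress = "127.0.0.1";` beside `enable = true;` limits the backend to the `proxy_pass http://localhost:...` target already used on the nginx side. The `requires`/`after` ordering on `secret.service` is the right shape; a short comment noting that the signing key must be in place before nix-serve starts would help the next reader.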