-rw-r--r--Makefile30
-rw-r--r--default.nix82
-rw-r--r--krebs/3modules/Reaktor.nix25
-rw-r--r--krebs/3modules/build.nix72
-rw-r--r--krebs/3modules/default.nix372
-rw-r--r--krebs/3modules/github-hosts-sync.nix2
-rw-r--r--krebs/3modules/retiolum.nix2
-rw-r--r--krebs/4lib/infest/3install-nix-tools9
-rw-r--r--krebs/4lib/infest/finalize.sh (renamed from krebs/4lib/infest/4finalize)2
-rw-r--r--krebs/4lib/infest/install-nix.sh (renamed from krebs/4lib/infest/2install-nix)8
-rw-r--r--krebs/4lib/infest/prepare.sh (renamed from krebs/4lib/infest/1prepare)0
-rw-r--r--krebs/4lib/shell.nix2
-rw-r--r--krebs/4lib/types.nix61
-rw-r--r--krebs/5pkgs/cac/default.nix6
-rw-r--r--krebs/5pkgs/get/default.nix6
-rw-r--r--krebs/Zhosts/ire2
-rw-r--r--krebs/default.nix263
-rw-r--r--makefu/1systems/pnp.nix11
-rw-r--r--makefu/1systems/pornocauster.nix19
-rw-r--r--makefu/1systems/wry.nix34
-rw-r--r--makefu/2configs/base-sources.nix19
-rw-r--r--makefu/2configs/base.nix9
-rw-r--r--makefu/2configs/tor.nix7
-rw-r--r--makefu/2configs/virtualization-virtualbox.nix18
-rw-r--r--tv/1systems/cd.nix68
-rw-r--r--tv/1systems/mkdir.nix42
-rw-r--r--tv/1systems/nomic.nix15
-rw-r--r--tv/1systems/rmdir.nix35
-rw-r--r--tv/1systems/wu.nix22
-rw-r--r--tv/2configs/base.nix3
-rw-r--r--tv/2configs/charybdis.nix4
-rw-r--r--tv/2configs/exim-smarthost.nix55
-rw-r--r--tv/2configs/git.nix3
-rw-r--r--tv/3modules/consul.nix2
-rw-r--r--tv/3modules/ejabberd.nix2
-rw-r--r--tv/4lib/git.nix28
36 files changed, 907 insertions, 433 deletions
diff --git a/Makefile b/Makefile
index 05780f80e..552e6e0fd 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,9 @@
#
# usage:
-# make system=foo
-# make systems='foo bar'
-# make eval system=foo get=config.networking.extraHosts [filter=json]
+# make infest system=foo [target=bar]
+# make [deploy] system=foo [target=bar]
+# make [deploy] systems='foo bar'
+# make eval get=tv.wu.config.time.timeZone [filter=json]
#
.ONESHELL:
@@ -10,20 +11,20 @@
ifdef systems
$(systems):
+ @
+ unset target
parallel \
--line-buffer \
-j0 \
--no-notice \
--tagstring {} \
- -q make systems= system={} ::: $(systems)
+ -q make -s systems= system={} ::: $(systems)
else ifdef system
-.PHONY: deploy
-deploy:;@
- make -s eval system=$(system) get=config.krebs.build.script filter=json | sh
-
-.PHONY: infest
-infest:;@
- make -s eval system=$(system) get=config.krebs.build.infest filter=json | sh
+.PHONY: deploy infest
+deploy infest:;@
+ export get=krebs.$@
+ export filter=json
+ make -s eval | sh
.PHONY: eval
eval:
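Review bot: The rewritten `deploy infest` recipe pipes `make -s eval` straight into `sh`, so a failed or partial evaluation is still handed to the shell and the rule's exit status is that of `sh`, not of the eval. Capturing the script first, `script=$$(make -s eval) && printf '%s\n' "$$script" | sh`, makes an eval error stop the rule without relying on bash-only `pipefail`. The `eval` rule starts on the hunk's last line and continues outside it.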
@@ -40,8 +41,11 @@ endif
--eval \
-A "$$get" \
'<stockholm>' \
- --argstr user-name "$$LOGNAME" \
- --argstr system-name "$$system" \
+ --argstr current-date "$$(date -Is)" \
+ --argstr current-host-name "$$HOSTNAME" \
+ --argstr current-user-name "$$LOGNAME" \
+ $${system+--argstr system "$$system"} \
+ $${target+--argstr target "$$target"} \
| filter
else
$(error unbound variable: system[s])
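Review bot: `--argstr current-host-name "$$HOSTNAME"` relies on HOSTNAME being in the environment, but bash keeps it as an unexported shell variable and dash does not set it at all, so under a /bin/sh recipe it can expand to an empty string and the `system ? current-host-name` default in krebs/default.nix then names no host. `--argstr current-host-name "$${HOSTNAME:-$$(hostname)}"` covers both cases. `date -Is` is GNU-specific, which may be acceptable for this project's hosts but is worth a comment. The `eval` recipe starts before this hunk.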
diff --git a/default.nix b/default.nix
index 875f0d5b4..c6a635c29 100644
--- a/default.nix
+++ b/default.nix
@@ -1,26 +1,80 @@
-{ user-name, system-name }:
+{ current-date
+, current-host-name
+, current-user-name
+}:
let
+ lib = import <nixpkgs/lib>;
- eval = import <nixpkgs/nixos/lib/eval-config.nix> {
+ krebs-modules-path = ./krebs/3modules;
+ krebs-pkgs-path = ./krebs/5pkgs;
+ user-modules-path = ./. + "/${current-user-name}/3modules";
+ user-pkgs-path = ./. + "/${current-user-name}/5pkgs";
+
+ out =
+ lib.mapAttrs (_: builtins.getAttr "main")
+ (lib.filterAttrs (_: builtins.hasAttr "main")
+ (lib.mapAttrs
+ (k: v:
+ if lib.hasPrefix "." k || v != "directory" then
+ {}
+ else if builtins.pathExists (./. + "/${k}/default.nix") then
+ { main = import (./. + "/${k}"); }
+ else if builtins.pathExists (./. + "/${k}/1systems") then
+ { main = mk-namespace (./. + "/${k}"); }
+ else
+ {})
+ (builtins.readDir ./.)));
+
+ eval = path: import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem;
- modules = map (p: ./. + "/${p}") [
- "${user-name}/1systems/${system-name}.nix"
- "${user-name}/3modules"
- "krebs/3modules"
+ modules = [
+ path
+ krebs-modules-path
+ user-modules-path
] ++ [
- ({ lib, pkgs, ... }: {
+ ({ config, lib, pkgs, ... }@args: {
_module.args.pkgs =
- (import ./krebs/5pkgs { inherit lib pkgs; }) //
- (import (./. + "/${user-name}/5pkgs") { inherit lib pkgs; });
+ (import krebs-pkgs-path args) //
+ (import user-pkgs-path args);
})
];
};
-in
+ mk-namespace = path: mapNixDir mk-system (path + "/1systems");
+
+ mk-system = path: rec {
+ inherit (eval path) config options;
+ system = config.system.build.toplevel;
+ fetch = import ./krebs/0tools/fetch.nix { inherit config lib; };
+ };
+
+ mapNixDir = f: path: lib.mapAttrs (_: f) (nixDir path);
+
+ nixDir = path:
+ builtins.listToAttrs
+ (catMaybes
+ (lib.mapAttrsToList
+ (k: v: {
+ directory =
+ let p = path + "/${k}/default.nix"; in
+ if builtins.pathExists p
+ then Just (lib.nameValuePair k p)
+ else Nothing;
+ regular =
+ let p = path + "/${k}"; in
+ if lib.hasSuffix ".nix" p
+ then Just (lib.nameValuePair (lib.removeSuffix ".nix" k) p)
+ else Nothing;
+ }.${v} or Nothing)
+ (builtins.readDir path)));
-{
- inherit (eval) config options;
+ # TODO move to lib
+ Just = x: { type = "maybe"; value = x; };
+ Nothing = { type = "maybe"; };
+ isMaybe = x: builtins.typeOf x == "set" && x.type or false == "maybe";
+ isJust = x: isMaybe x && builtins.hasAttr "value" x;
+ fromJust = x: assert isJust x; x.value;
+ catMaybes = xs: map fromJust (builtins.filter isJust xs);
- system = eval.config.system.build.toplevel;
-}
+in out
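Review bot: `mk-system` binds `fetch` to `./krebs/0tools/fetch.nix`, which does not appear in this commit's diffstat; if the file is absent, any access to `<ns>.<system>.fetch` fails with a missing-path error while the sibling attributes still evaluate, so either add the file or leave the binding out until it exists. Separately, `eval` always adds `user-modules-path` and `user-pkgs-path` derived from `current-user-name`, yet `out` builds a namespace for every user directory, so evaluating another user's system (as the new `make eval get=tv.wu…` usage line invites) mixes the caller's 3modules and 5pkgs into it. If that is intended, a comment on `eval` saying so would help, e.g. `# modules/pkgs come from the invoking user, not from the namespace being evaluated`.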
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix
index fce24fa63..82089a660 100644
--- a/krebs/3modules/Reaktor.nix
+++ b/krebs/3modules/Reaktor.nix
@@ -2,7 +2,6 @@
let
- kpkgs = import ../5pkgs { inherit pkgs; inherit lib; };
inherit (lib)
mkIf
@@ -63,13 +62,20 @@ let
configuration appended to the default or overridden configuration
'';
};
-
- ReaktorPkg = mkOption {
- default = kpkgs.Reaktor;
+ extraEnviron = mkOption {
+ default = {};
+ type = types.attrsOf types.str;
description = ''
- the Reaktor pkg to use.
+ Environment to be provided to the service, can be:
+ REAKTOR_HOST
+ REAKTOR_PORT
+ REAKTOR_STATEDIR
+ REAKTOR_CHANNELS
+
+ debug and nickname can be set separately via the Reaktor api
'';
};
+
debug = mkOption {
default = false;
description = ''
@@ -80,7 +86,6 @@ let
imp = {
# for reaktor get-config
- environment.systemPackages = [ cfg.ReaktorPkg ];
users.extraUsers = singleton {
name = "Reaktor";
# uid = config.ids.uids.Reaktor;
@@ -98,7 +103,7 @@ let
systemd.services.Reaktor = {
path = with pkgs; [
utillinux #flock for tell_on-join
- # git # for nag
+ git # for nag
python # for caps
];
description = "Reaktor IRC Bot";
@@ -108,17 +113,17 @@ let
GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
REAKTOR_NICKNAME = cfg.nickname;
REAKTOR_DEBUG = (if cfg.debug then "True" else "False");
- };
+ } // cfg.extraEnviron;
serviceConfig= {
ExecStartPre = pkgs.writeScript "Reaktor-init" ''
#! /bin/sh
${if (isString cfg.overrideConfig) then
''cp ${ReaktorConfig} /tmp/config.py''
else
- ''(${cfg.ReaktorPkg}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/config.py''
+ ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/config.py''
}
'';
- ExecStart = "${cfg.ReaktorPkg}/bin/reaktor run /tmp/config.py";
+ ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/config.py";
PrivateTmp = "true";
User = "Reaktor";
Restart = "on-abort";
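Review bot: `} // cfg.extraEnviron;` lets an `extraEnviron` entry silently override REAKTOR_NICKNAME and REAKTOR_DEBUG, which the new option description says are set separately via `nickname` and `debug`. If those options are meant to be authoritative, put the fixed values on the right-hand side, `cfg.extraEnviron // { … REAKTOR_NICKNAME = cfg.nickname; REAKTOR_DEBUG = …; }`, or state the precedence in the description. The `environment` attribute set begins before this hunk.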
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix
new file mode 100644
index 000000000..57495ea69
--- /dev/null
+++ b/krebs/3modules/build.nix
@@ -0,0 +1,72 @@
+{ config, lib, ... }:
+
+with import ../4lib { inherit lib; };
+
+let
+ target = config.krebs.build // { user.name = "root"; };
+
+ out = {
+ # TODO deprecate krebs.build.host
+ options.krebs.build.host = mkOption {
+ type = types.host;
+ };
+
+ # TODO make krebs.build.profile shell safe
+ options.krebs.build.profile = mkOption {
+ type = types.str;
+ default = "/nix/var/nix/profiles/system";
+ };
+
+ # TODO make krebs.build.target.host :: host
+ options.krebs.build.target = mkOption {
+ type = with types; nullOr str;
+ default = null;
+ };
+
+ # TODO deprecate krebs.build.user
+ options.krebs.build.user = mkOption {
+ type = types.user;
+ };
+
+ options.krebs.build.source.dir = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ host = mkOption {
+ type = types.host;
+ };
+ path = mkOption {
+ type = types.str;
+ };
+ target-path = mkOption {
+ type = types.str;
+ default = "/root/${config._module.args.name}";
+ };
+ url = mkOption {
+ type = types.str;
+ default = "file://${config.host.name}${config.path}";
+ };
+ };
+ }));
+ default = {};
+ };
+
+ options.krebs.build.source.git = mkOption {
+ type = with types; attrsOf (submodule ({ config, ... }: {
+ options = {
+ url = mkOption {
+ type = types.str; # TODO must be shell safe
+ };
+ rev = mkOption {
+ type = types.str;
+ };
+ target-path = mkOption {
+ type = types.str;
+ default = "/root/${config._module.args.name}";
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+in out
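Review bot: The `target = config.krebs.build // { user.name = "root"; };` binding at the top of the new file is never referenced by `out`, so it is dead code; drop it or use it. The `url`, `rev`, `path` and `target-path` options are plain `types.str` and, as the `# TODO must be shell safe` comment admits, are spliced unescaped into shell commands by `populate` in krebs/default.nix; until the consumer escapes them, a comment on each such option, `# interpolated into generated shell unescaped; keep free of whitespace and shell metacharacters`, records the constraint where the value is declared.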
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 0ffdec5f8..de265b914 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let
out = {
imports = [
+ ./build.nix
./exim-retiolum.nix
./exim-smarthost.nix
./github-hosts-sync.nix
@@ -22,225 +23,6 @@ let
api = {
enable = mkEnableOption "krebs";
- build = mkOption {
- type = types.submodule ({ config, ... }: {
- options = {
- target = mkOption {
- type = with types; nullOr str;
- default = null;
- };
- deps = mkOption {
- type = with types; attrsOf (submodule {
- options = {
- url = mkOption {
- type = str;
- };
- rev = mkOption {
- type = nullOr str;
- default = null;
- };
- };
- });
- default = {};
- };
- script = mkOption {
- type = types.str;
- default = ''
- #! /bin/sh
- set -efux
-
- target=${escapeShellArg cfg.build.target}
-
- push(){(
- src=$1/
- dst=$target:$2
- rsync \
- --exclude .git \
- --exclude .graveyard \
- --exclude old \
- --rsync-path="mkdir -p \"$2\" && rsync" \
- --delete-excluded \
- -vrLptgoD \
- "$src" "$dst"
- )}
-
- ${concatStrings (mapAttrsToList (name: { url, rev, ... }:
- optionalString (rev == null) ''
- push ${toString (map escapeShellArg [
- "${url}"
- "/root/src/${name}"
- ])}
- '') config.deps)}
-
- exec ssh -S none "$target" /bin/sh <<\EOF
- set -efux
- fetch(){(
- url=$1
- rev=$2
- dst=$3
- mkdir -p "$dst"
- cd "$dst"
- if ! test -e .git; then
- git init
- fi
- if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
- git remote add origin "$url"
- elif test "$cur_url" != "$url"; then
- git remote set-url origin "$url"
- fi
- if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
- git fetch origin
- git checkout "$rev" -- .
- git checkout -q "$rev"
- git submodule init
- git submodule update
- fi
- git clean -dxf
- )}
-
- ${concatStrings (mapAttrsToList (name: { url, rev, ... }:
- optionalString (rev != null) ''
- fetch ${toString (map escapeShellArg [
- url
- rev
- "/root/src/${name}"
- ])}
- '') config.deps)}
-
- echo build system...
- profile=/nix/var/nix/profiles/system
- NIX_PATH=/root/src \
- nix-env \
- -Q \
- -p "$profile" \
- -f '<stockholm>' \
- --set \
- -A system \
- --argstr user-name ${escapeShellArg cfg.build.user.name} \
- --argstr system-name ${escapeShellArg cfg.build.host.name}
-
- exec "$profile"/bin/switch-to-configuration switch
- EOF
-
- '';
- };
- infest = mkOption {
- type = types.str;
- default = ''
- #! /bin/sh
- set -efux
-
- target=${escapeShellArg cfg.build.target}
-
- push(){(
- src=$1/
- dst=$target:/mnt$2
- rsync \
- --exclude .git \
- --exclude .graveyard \
- --exclude old \
- --rsync-path="mkdir -p \"/mnt$2\" && rsync" \
- --delete-excluded \
- -vrLptgoD \
- "$src" "$dst"
- )}
-
- cat krebs/4lib/infest/1prepare | ssh "$target"
- cat krebs/4lib/infest/2install-nix | ssh "$target"
-
- ${concatStrings (mapAttrsToList (name: { url, rev, ... }:
- optionalString (rev == null) ''
- push ${toString (map escapeShellArg [
- "${url}"
- "/root/src/${name}"
- ])}
- '') config.deps)}
-
- ssh -S none "$target" /bin/sh <<\EOF
- set -efux
-
- fetch(){(
- url=$1
- rev=$2
- dst=$3
- mkdir -p "$dst"
- cd "$dst"
- if ! test -e .git; then
- git init
- fi
- if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
- git remote add origin "$url"
- elif test "$cur_url" != "$url"; then
- git remote set-url origin "$url"
- fi
- if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
- git fetch origin
- git checkout "$rev" -- .
- git checkout -q "$rev"
- git submodule init
- git submodule update
- fi
- git clean -dxf
- )}
-
- ${concatStrings (mapAttrsToList (name: { url, rev, ... }:
- optionalString (rev != null) ''
- fetch ${toString (map escapeShellArg [
- url
- rev
- "/mnt/root/src/${name}"
- ])}
- '') config.deps)}
-
- export PATH=/root/.nix-profile/bin:/root/.nix-profile/sbin:$PATH
-
- sed < "$(type -p nixos-install)" > nixos-install '
- /^echo "building the system configuration..."/,/--set -A system/{
- s/.*/# &/
- s@.*--set -A system.*@&\n${concatStringsSep " " [
- "NIX_PATH=/mnt/root/src/"
- "nix-env"
- "-Q"
- "-p /nix/var/nix/profiles/system"
- "-f \"<stockholm>\""
- "--set"
- "-A system"
- "--argstr user-name ${escapeShellArg cfg.build.user.name}"
- "--argstr system-name ${escapeShellArg cfg.build.host.name}"
- ]}@
- }
- '
-
- sed -i 's/^nixpkgs=.*$/#&/' nixos-install
-
-
- chmod +x nixos-install
-
- echo {} > /root/dummy.nix
-
- echo build system...
- profile=/nix/var/nix/profiles/system
- NIXOS_CONFIG=/root/dummy.nix \
- ./nixos-install -I /root/src/
- #nl -bp nixos-install
-
- EOF
-
- cat krebs/4lib/infest/4finalize | ssh "$target"
- '';
- };
- host = mkOption {
- type = types.host;
- };
- user = mkOption {
- type = types.user;
- };
- };
- });
- # Define defaul value, so unset values of the submodule get reported.
- default = {};
- };
-
dns = {
providers = mkOption {
# TODO with types; tree dns.label dns.provider, so we can merge.
@@ -302,13 +84,16 @@ let
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
- aliases = toString (unique (longs ++ shorts));
+ aliases = longs ++ shorts;
providers = dns.split-by-provider net.aliases cfg.dns.providers;
longs = providers.hosts;
- shorts = map (removeSuffix ".${cfg.search-domain}") longs;
+ shorts =
+ map (removeSuffix ".${cfg.search-domain}")
+ (filter (hasSuffix ".${cfg.search-domain}")
+ longs);
in
- map (addr: "${addr} ${aliases}") net.addrs
- ) host.nets
+ map (addr: "${addr} ${toString aliases}") net.addrs
+ ) (filterAttrs (name: host: host.aliases != []) host.nets)
) cfg.hosts
));
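Review bot: `filterAttrs (name: host: host.aliases != []) host.nets` iterates over nets, so the lambda's `host` parameter is really a net and shadows the enclosing `host`; it works because nets now have an `aliases` default, but `(_: net: net.aliases != [])` says what is meant. Dropping `unique` from `aliases` also means a host that lists both `foo` and `foo.<search-domain>` gets `foo` twice on the hosts line; harmless for /etc/hosts, but keep `unique` if that case is expected.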
@@ -318,6 +103,36 @@ let
([cfg.zone-head-config] ++ combined-hosts) ;
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+
+ services.openssh.hostKeys =
+ let inherit (config.krebs.build.host.ssh) privkey; in
+ mkIf (privkey != null) (mkForce [privkey]);
+
+ services.openssh.knownHosts =
+ mapAttrs
+ (name: host: {
+ hostNames =
+ concatLists
+ (mapAttrsToList
+ (net-name: net:
+ let
+ aliases = shorts ++ longs;
+ longs = net.aliases;
+ shorts =
+ map (removeSuffix ".${cfg.search-domain}")
+ (filter (hasSuffix ".${cfg.search-domain}")
+ longs);
+ add-port = a:
+ if net.ssh.port != null
+ then "[${a}]:${toString net.ssh.port}"
+ else a;
+ in
+ aliases ++ map add-port net.addrs)
+ host.nets);
+
+ publicKey = host.ssh.pubkey;
+ })
+ (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
}
];
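Review bot: `hostNames` applies `add-port` only to `net.addrs`, not to `aliases`, so for a net with a non-default `ssh.port` (this commit sets 11423 on what look like cd's and ire's internet nets) the known_hosts entry for the hostname lacks the `[host]:port` form and ssh will not match it when connecting by name on that port, leaving an unknown-host prompt that users tend to accept. Use `map add-port (aliases ++ net.addrs)`, or `aliases ++ map add-port (aliases ++ net.addrs)` if default-port lookups of the alias are also wanted. The `services.openssh.hostKeys` override passes the `ssh.privkey` submodule value, whose `bits` defaults to null; confirm the openssh module tolerates an entry with `bits = null` before relying on it.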
@@ -537,8 +352,8 @@ let
extraZones = {
"krebsco.de" = ''
- mediengewitter IN A ${elemAt nets.internet.addrs4 0}
- flap IN A ${elemAt nets.internet.addrs4 0}'';
+ mediengewitter IN A ${head nets.internet.addrs4}
+ flap IN A ${head nets.internet.addrs4}'';
};
nets = {
internet = {
@@ -575,14 +390,13 @@ let
IN MX 10 mx42
euer IN MX 1 aspmx.l.google.com.
io IN NS pigstarter.krebsco.de.
- euer IN A ${elemAt nets.internet.addrs4 0}
- pigstarter IN A ${elemAt nets.internet.addrs4 0}
- conf IN A ${elemAt nets.internet.addrs4 0}
- gold IN A ${elemAt nets.internet.addrs4 0}
- graph IN A ${elemAt nets.internet.addrs4 0}
- tinc IN A ${elemAt nets.internet.addrs4 0}
- boot IN A ${elemAt nets.internet.addrs4 0}
- mx42 IN A ${elemAt nets.internet.addrs4 0}'';
+ pigstarter IN A ${head nets.internet.addrs4}
+ conf IN A ${head nets.internet.addrs4}
+ gold IN A ${head nets.internet.addrs4}
+ graph IN A ${head nets.internet.addrs4}
+ tinc IN A ${head nets.internet.addrs4}
+ boot IN A ${head nets.internet.addrs4}
+ mx42 IN A ${head nets.internet.addrs4}'';
};
nets = {
internet = {
@@ -611,15 +425,56 @@ let
};
};
};
+ wry = rec {
+ cores = 1;
+ dc = "makefu"; #dc = "cac";
+ extraZones = {
+ "krebsco.de" = ''
+ wry IN A ${head nets.internet.addrs4}
+ '';
+ };
+ nets = rec {
+ internet = {
+ addrs4 = ["162.219.7.216"];
+ aliases = [
+ "wry.internet"
+ ];
+ };
+ retiolum = {
+ via = internet;
+ addrs4 = ["10.243.29.169"];
+ addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"];
+ aliases = [
+ "wry.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ
+ rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4
+ e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN
+ sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v
+ CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0
+ PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V
+ LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk
+ DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW
+ ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK
+ jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5
+ Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
gum = rec {
cores = 1;
dc = "online.net"; #root-server
extraZones = {
"krebsco.de" = ''
- omo IN A ${elemAt nets.internet.addrs4 0}
- gum IN A ${elemAt nets.internet.addrs4 0}
- paste IN A ${elemAt nets.internet.addrs4 0}'';
+ omo IN A ${head nets.internet.addrs4}
+ euer IN A ${head nets.internet.addrs4}
+ gum IN A ${head nets.internet.addrs4}
+ paste IN A ${head nets.internet.addrs4}'';
};
nets = {
internet = {
@@ -679,6 +534,7 @@ let
"cgit.cd.viljetic.de"
"cd.krebsco.de"
];
+ ssh.port = 11423;
};
retiolum = {
via = internet;
@@ -705,13 +561,15 @@ let
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6";
};
- mkdir = {
+ mkdir = rec {
cores = 1;
dc = "tv"; #dc = "cac";
nets = rec {
internet = {
- addrs4 = ["162.248.167.241"];
+ addrs4 = ["104.233.84.215"];
aliases = [
"mkdir.internet"
];
@@ -736,6 +594,35 @@ let
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw";
+ };
+ ire = {
+ nets = {
+ internet = {
+ addrs4 = ["198.147.22.115"];
+ ssh.port = 11423;
+ };
+ retiolum = {
+ addrs4 = ["10.243.231.66"];
+ addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
+ aliases = [
+ "ire.retiolum"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7
+ rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt
+ 6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU
+ 1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K
+ LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu
+ nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ ssh.port = 11423;
+ };
+ };
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY";
};
nomic = {
cores = 2;
@@ -761,13 +648,14 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09";
};
- rmdir = {
+ rmdir = rec {
cores = 1;
dc = "tv"; #dc = "cac";
nets = rec {
internet = {
- addrs4 = ["167.88.44.94"];
+ addrs4 = ["104.233.84.70"];
aliases = [
"rmdir.internet"
];
@@ -792,6 +680,8 @@ let
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4";
};
wu = {
cores = 4;
@@ -817,6 +707,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
xu = {
cores = 4;
@@ -842,6 +733,7 @@ let
};
};
secure = true;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw";
};
};
users = addNames {
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index dbc0cc1de..f44fe3ad8 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -22,7 +22,7 @@ let
};
ssh-identity-file = mkOption {
type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
- default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa";
+ default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
};
};
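Review bot: `toString <secrets/github-hosts-sync.ssh.id_rsa>` makes the default depend on a `secrets` entry in NIX_PATH on the evaluating host: if it is missing, reading the option aborts evaluation instead of yielding the old fixed path, and the resulting string is the absolute location found there, which is only correct if the target keeps its secrets at the same path (the `install` script in krebs/default.nix appears to arrange `/root/<name>`, as far as visible). The identical change in krebs/3modules/retiolum.nix has the same dependency. A comment on the default, `# resolved from NIX_PATH (secrets=…) at eval time; toString keeps the file out of the store`, would make the contract visible.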
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix
index 2617644d9..633642537 100644
--- a/krebs/3modules/retiolum.nix
+++ b/krebs/3modules/retiolum.nix
@@ -75,7 +75,7 @@ let
# TODO if it's types.path then it gets copied to /nix/store with
# bad unsafe permissions...
type = types.str;
- default = "/root/src/secrets/retiolum.rsa_key.priv";
+ default = toString <secrets/retiolum.rsa_key.priv>;
description = ''
Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to
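Review bot: The option description beginning `The default points to` continues outside the hunk; if it still names `/root/src/secrets/retiolum.rsa_key.priv`, it is now stale and should describe the lookup instead, e.g. `The default is resolved from the secrets entry of NIX_PATH at evaluation time.` The enclosing option definition starts before this hunk.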
diff --git a/krebs/4lib/infest/3install-nix-tools b/krebs/4lib/infest/3install-nix-tools
deleted file mode 100644
index 59fa6f14a..000000000
--- a/krebs/4lib/infest/3install-nix-tools
+++ /dev/null
@@ -1,9 +0,0 @@
-#! /bin/sh
-set -efu
-
-install-nix-tools() {(
-
-
-)}
-
-install-nix-tools "$@"
diff --git a/krebs/4lib/infest/4finalize b/krebs/4lib/infest/finalize.sh
index d095fa31b..ced5a4d4d 100644
--- a/krebs/4lib/infest/4finalize
+++ b/krebs/4lib/infest/finalize.sh
@@ -7,7 +7,7 @@ set -eux
umount /mnt || [ $? -eq 32 ]
umount /boot || [ $? -eq 32 ]
- PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
+ PATH=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
export PATH
mkdir /oldshit
diff --git a/krebs/4lib/infest/2install-nix b/krebs/4lib/infest/install-nix.sh
index 3021c1143..88c8c3e1e 100644
--- a/krebs/4lib/infest/2install-nix
+++ b/krebs/4lib/infest/install-nix.sh
@@ -2,9 +2,9 @@
set -efu
nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2
-nix_sha256="504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4"
+nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4
-install-nix() {(
+install_nix() {(
# install nix on host (cf. https://nixos.org/nix/install)
if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
@@ -23,7 +23,7 @@ install-nix() {(
$nix_src_dir/install
fi
- #TODO: make this general or move to 1prepare
+ #TODO: make this general or move to prepare
if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then
mkdir -p /mnt/nix
mount --bind /nix /mnt/nix
@@ -54,4 +54,4 @@ install-nix() {(
fi
)}
-install-nix "$@"
+install_nix "$@"
diff --git a/krebs/4lib/infest/1prepare b/krebs/4lib/infest/prepare.sh
index 07c00c3a5..07c00c3a5 100644
--- a/krebs/4lib/infest/1prepare
+++ b/krebs/4lib/infest/prepare.sh
diff --git a/krebs/4lib/shell.nix b/krebs/4lib/shell.nix
index 2a6da5c16..5910adacc 100644
--- a/krebs/4lib/shell.nix
+++ b/krebs/4lib/shell.nix
@@ -6,7 +6,7 @@ with lib;
rec {
escape =
let
- isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null;
+ isSafeChar = c: match "[-+./0-9:=A-Z_a-z]" c != null;
in
stringAsChars (c:
if isSafeChar c then c
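Review bot: Adding `=` to `isSafeChar` is fine for argument position, but an unquoted word of the form `NAME=VALUE` at command position is parsed as a variable assignment rather than a command word, so `escape` output must never be the first word of a command; the uses visible on this page (`NIX_PATH=${…}`, `--argstr … ${…}`) are all argument position. A comment on the character class would pin that assumption: `# '=' and ':' are safe in argument position only; never emit an escaped value as a command word`. The leading-`-` case (an escaped value that looks like an option) is pre-existing and unchanged.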
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index f6b4bd8b1..039f803ef 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -1,11 +1,12 @@
{ lib, ... }:
+with builtins;
with lib;
with types;
types // rec {
- host = submodule {
+ host = submodule ({ config, ... }: {
options = {
name = mkOption {
type = label;
@@ -27,6 +28,19 @@ types // rec {
type = with types; attrsOf string;
};
+ infest = {
+ addr = mkOption {
+ type = str;
+ apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.addr' is used. It was replaced by the `target' argument to `make` or `get`. See Makefile for more information.";
+ };
+ port = mkOption {
+ type = int;
+ default = 22;
+ # TODO replacement: allow target with port, SSH-style: [lol]:666
+ apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.port' is used. It's gone without replacement.";
+ };
+ };
+
secure = mkOption {
type = bool;
default = false;
@@ -36,8 +50,39 @@ types // rec {
TODO define minimum requirements for secure hosts
'';
};
+
+ ssh.pubkey = mkOption {
+ type = nullOr str;
+ default = null;
+ apply = x:
+ if x != null
+ then x
+ else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
+ };
+ ssh.privkey = mkOption {
+ type = nullOr (submodule {
+ options = {
+ bits = mkOption {
+ type = nullOr (enum ["4096"]);
+ default = null;
+ };
+ path = mkOption {
+ type = either path str;
+ apply = x: {
+ path = toString x;
+ string = x;
+ }.${typeOf x};
+ };
+ type = mkOption {
+ type = enum ["rsa" "ed25519"];
+ default = "ed25519";
+ };
+ };
+ });
+ default = null;
+ };
};
- };
+ });
net = submodule ({ config, ... }: {
options = {
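Review bot: The `apply` on `ssh.pubkey` emits the `… is unused` trace every time a null pubkey is read, and the new `services.openssh.knownHosts` in krebs/3modules/default.nix reads it for every host via `filterAttrs (_: host: host.ssh.pubkey != null)`, so each evaluation prints one line per host without a key, and the message is misleading because null is the documented default. Drop the `apply` and keep `default = null;`. `bits` is typed `nullOr (enum ["4096"])`, a string enum for a number; if the consumer expects an integer, `nullOr (enum [4096])` with `toString` at the use site avoids a mismatch — worth confirming. The `net` submodule begins on the hunk's last line and continues outside it.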
@@ -61,6 +106,18 @@ types // rec {
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
+ default = [];
+ };
+ ssh = mkOption {
+ type = submodule {
+ options = {
+ port = mkOption {
+ type = nullOr int;
+ default = null;
+ };
+ };
+ };
+ default = {};
};
tinc = mkOption {
type = let net-config = config; in nullOr (submodule ({ config, ... }: {
diff --git a/krebs/5pkgs/cac/default.nix b/krebs/5pkgs/cac/default.nix
index 838eddd2f..e29f091e4 100644
--- a/krebs/5pkgs/cac/default.nix
+++ b/krebs/5pkgs/cac/default.nix
@@ -1,12 +1,12 @@
{ stdenv, fetchgit, coreutils, curl, gnused, inotifyTools, jq, ncurses, sshpass, ... }:
stdenv.mkDerivation {
- name = "cac";
+ name = "cac-1.0.0";
src = fetchgit {
url = http://cgit.cd.retiolum/cac;
- rev = "f4589158572ab35969b9bccf801ea07e115705e1";
- sha256 = "9d761cd1d7ff68507392cbfd6c3f6000ddff9cc540293da2b3c4ee902321fb27";
+ rev = "14de1d3c78385e3f8b6d694f5d799eb1b613159e";
+ sha256 = "9b2a3d47345d6f8f27d9764c4f2f2acff17d3dde145dd0e674e4183e9312fec3";
};
phases = [
diff --git a/krebs/5pkgs/get/default.nix b/krebs/5pkgs/get/default.nix
index 87e5808b9..20bbfd014 100644
--- a/krebs/5pkgs/get/default.nix
+++ b/krebs/5pkgs/get/default.nix
@@ -1,12 +1,12 @@
{ coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }:
stdenv.mkDerivation {
- name = "get-1.1.0";
+ name = "get-1.3.0";
src = fetchgit {
url = http://cgit.cd.retiolum/get;
- rev = "e75084e39f0402107bb520b5c9d5434a9d7f5d64";
- sha256 = "5bafc9fa68cdb8ab76437a00354cbe4af4020cbbbbce848c325cae55863d9477";
+ rev = "fbe8f8d12ede9762fceb15b9944b69a4ee6331eb";
+ sha256 = "bcdf036f8b5d1467285d0998aeac7e48280adfb9e1278f9f424c9c8b5e6ed8fa";
};
phases = [
diff --git a/krebs/Zhosts/ire b/krebs/Zhosts/ire
index 724158cb0..db4f9808c 100644
--- a/krebs/Zhosts/ire
+++ b/krebs/Zhosts/ire
@@ -1,4 +1,4 @@
-Address = 198.147.23.143
+Address = 198.147.22.115
Subnet = 10.243.231.66
Subnet = 42:b912:0f42:a82d:0d27:8610:e89b:490c
diff --git a/krebs/default.nix b/krebs/default.nix
new file mode 100644
index 000000000..0ec4c6079
--- /dev/null
+++ b/krebs/default.nix
@@ -0,0 +1,263 @@
+{ current-date
+, current-host-name
+, current-user-name
+}@current: rec {
+
+ deploy =
+ { system ? current-host-name
+ , target ? system
+ }@args: let
+ config = lib.get-config system;
+ in ''
+ #! /bin/sh
+ # ${current-date} ${current-user-name}@${current-host-name}
+ # krebs.deploy
+ set -efu
+ (${lib.populate args})
+ ${lib.rootssh target ''
+ ${lib.install args}
+ ${config.krebs.build.profile}/bin/switch-to-configuration switch
+ ''}
+ echo OK
+ '';
+
+ infest =
+ { system ? current-host-name
+ , target ? system
+ }@args: let
+ in ''
+ #! /bin/sh
+ # ${current-date} ${current-user-name}@${current-host-name}
+ # krebs.infest
+ set -efu
+
+ # XXX type -p is non-standard
+ #export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \
+ # -o 'HostName $ {target.host.infest.addr}' \
+ # -o 'Port $ {toString target.host.infest.port}' \
+ #"
+ #ssh() {
+ # eval "$RSYNC_RSH \"\$@\""
+ #}
+
+ ${lib.rootssh target ''
+ ${builtins.readFile ./4lib/infest/prepare.sh}
+ ${builtins.readFile ./4lib/infest/install-nix.sh}
+ ''}
+
+ (${lib.populate args})
+
+ ${lib.rootssh target ''
+ export PATH; PATH=/root/.nix-profile/bin:$PATH
+
+ src=$(type -p nixos-install)
+ cat_src() {
+ sed < "$src" "$(
+ { sed < "$src" -n '
+ /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
+ /^nixpkgs=/=
+ /^NIX_PATH=/,/^$/{/./=}
+
+ # Disable: Copy the NixOS/Nixpkgs sources to the target as
+ # the initial contents of the NixOS channel.
+ /^srcs=/,/^ln -sfn /=
+ '
+ } | sed 's:$:s/^/#krebs#/:'
+ )"
+ }
+
+ # Location to insert lib.install
+ i=$(sed -n '/^echo "building the system configuration/=' "$src")
+
+ {
+ cat_src | sed -n "1,$i{p}"
+ cat ${lib.doc (lib.install args)}
+ cat_src | sed -n "$i,\''${$i!p}"
+ } > nixos-install
+ chmod +x nixos-install
+
+ ## Wrap inserted lib.install into chroot.
+ #nix_env=$(cat_src | sed -n '
+ # s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
+ #')
+ #echo nix-env is $nix_env
+ #sed -i '
+ # s:^nix-env:chroot $mountPoint '"$nix_env"':
+ #' nixos-install
+
+ ./nixos-install
+
+ ${builtins.readFile ./4lib/infest/finalize.sh}
+ ''}
+ '';
+
+ init =
+ { system ? current-host-name
+ }@args: let
+ config = lib.get-config system;
+ in ''
+ #! /bin/sh
+ # ${current-date} ${current-user-name}@${current-host-name}
+ # krebs.init
+ set -efu
+
+ system=${lib.shell.escape system}
+ secrets_dir=${config.krebs.build.source.dir.secrets.path}
+ key_type=ed25519
+ key_file=$secrets_dir/ssh.id_$key_type
+ key_comment=$system
+
+ if test -e "$key_file"; then
+ echo "Warning: privkey already exists: $key_file" >&2
+ else
+ ssh-keygen \
+ -C "$key_comment" \
+ -t "$key_type" \
+ -f "$key_file" \
+ -N ""
+ rm "$key_file.pub"
+ fi
+
+ pubkey=$(ssh-keygen -y -f "$key_file")
+
+ cat<<EOF
+ # put following into config.krebs.hosts.$system:
+ ssh.pubkey = $(echo $pubkey | jq -R .);
+ EOF
+ '';
+
+ lib = import ./4lib { lib = import <nixpkgs/lib>; } // rec {
+
+ stockholm = import ../. current;
+
+ get-config = system:
+ stockholm.${current-user-name}.${system}.config
+ or (abort "unknown system: ${system}");
+
+ doc = s:
+ let b = "EOF${builtins.hashString "sha256" s}"; in
+ ''
+ <<\${b}
+ ${s}
+ ${b}
+ '';
+
+ rootssh = target: script:
+ "ssh root@${target} -T ${lib.doc ''
+ set -efu
+ ${script}
+ ''}";
+
+ install =
+ { system ? current-host-name
+ , target ? system
+ }:
+ let
+ stockholm = import ../. {
+ inherit current-date;
+ inherit current-host-name;
+ inherit current-user-name;
+ };
+
+ config = stockholm.${current-user-name}.${system}.config
+ or (abort "unknown system: ${system}");
+
+ nix-path =
+ lib.concatStringsSep ":"
+ (lib.mapAttrsToList (name: _: "${name}=/root/${name}")
+ (config.krebs.build.source.dir //
+ config.krebs.build.source.git));
+ in ''
+ set -efu
+ NIX_PATH=${lib.shell.escape nix-path} \
+ nix-env \
+ --show-trace \
+ -f '<stockholm>' \
+ -Q \
+ --argstr current-date ${lib.shell.escape current-date} \
+ --argstr current-host-name ${lib.shell.escape current-host-name} \
+ --argstr current-user-name ${lib.shell.escape current-user-name} \
+ --profile ${lib.shell.escape config.krebs.build.profile} \
+ --set \
+ -A ${lib.escapeShellArg (lib.concatStringsSep "." [
+ config.krebs.build.user.name
+ config.krebs.build.host.name
+ "system"
+ ])}
+ '';
+
+ populate =
+ { system ? current-host-name
+ , target ? system
+ }@args:
+ let out = ''
+ #! /bin/sh
+ # ${current-date} ${current-user-name}@${current-host-name}
+ set -efu
+ ${lib.concatStringsSep "\n"
+ (lib.concatMap
+ (type: lib.mapAttrsToList (_: methods.${type})
+ config.krebs.build.source.${type})
+ ["dir" "git"])}
+ '';
+
+ stockholm = import ../. {
+ inherit current-date;
+ inherit current-host-name;
+ inherit current-user-name;
+ };
+
+ config = stockholm.${current-user-name}.${system}.config
+ or (abort "unknown system: ${system}");
+
+ current-host = config.krebs.hosts.${current-host-name};
+ current-user = config.krebs.users.${current-user-name};
+
+ target-host = config.krebs.hosts.${system};
+
+ methods.dir = config:
+ let
+ can-link = config.host.name == target-host.name;
+ can-push = config.host.name == current-host.name;
+ push-method = ''
+ rsync \
+ --exclude .git \
+ --exclude .graveyard \
+ --exclude old \
+ --exclude tmp \
+ --rsync-path='mkdir -p ${config.target-path} && rsync' \
+ --delete-excluded \
+ -vrLptgoD \
+ ${config.path}/ \
+ root@${target}:${config.target-path}
+ '';
+ url = "file://${config.host.name}${config.path}";
+ in
+ #if can-link then link-method else
+ if can-push then push-method else
+ throw "cannot source ${url}";
+
+ methods.git = config:
+ lib.rootssh target ''
+ mkdir -p ${config.target-path}
+ cd ${config.target-path}
+ if ! test -e .git; then
+ git init
+ fi
+ if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
+ git remote add origin ${config.url}
+ elif test "$cur_url" != ${config.url}; then
+ git remote set-url origin ${config.url}
+ fi
+ if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then
+ git fetch origin
+ git checkout ${config.rev} -- .
+ git checkout -q ${config.rev}
+ git submodule init
+ git submodule update
+ fi
+ git clean -dxf
+ '';
+ in out;
+ };
+}
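Review bot: `methods.git` and `methods.dir` splice `config.url`, `config.rev`, `config.target-path`, `config.path` and `target` into shell code unquoted, while `install` already passes `nix-path` through `lib.shell.escape`; a value with whitespace or shell metacharacters breaks the generated script, and the `# TODO must be shell safe` on the option in build.nix shows this is known. Escape at the use site so the option types need not carry the constraint, and have `rootssh` escape its host likewise, `"ssh ${lib.shell.escape "root@${target}"} -T …"`. In `init`, `echo $pubkey | jq -R .` should quote `"$pubkey"`, and `methods.dir` recomputes `url` locally although the submodule already provides `config.url` with the same default. `populate`'s `can-link` is unused because the link method is commented out.
```nix
    methods.git = config:
      let
        url = lib.shell.escape config.url;
        rev = lib.shell.escape config.rev;
        dst = lib.shell.escape config.target-path;
      in
      lib.rootssh target ''
        mkdir -p ${dst}
        cd ${dst}
        # … unchanged: git init …
        if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
          git remote add origin ${url}
        elif test "$cur_url" != ${url}; then
          git remote set-url origin ${url}
        fi
        if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${rev}; then
          git fetch origin
          git checkout ${rev} -- .
          git checkout -q ${rev}
        # … unchanged: submodule init/update, git clean …
      '';
    # … unchanged: methods.dir, apply lib.shell.escape to config.path and
    #   config.target-path the same way (including inside --rsync-path) …
```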
diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix
index 2dce87d5d..7698ea14d 100644
--- a/makefu/1systems/pnp.nix
+++ b/makefu/1systems/pnp.nix
@@ -9,6 +9,7 @@
[ # Include the results of the hardware scan.
# Base
../2configs/base.nix
+ ../2configs/base-sources.nix
../2configs/tinc-basic-retiolum.nix
# HW/FS
@@ -31,6 +32,10 @@
];
krebs.Reaktor.enable = true;
krebs.Reaktor.debug = true;
+ krebs.Reaktor.nickname = "Reaktor|bot";
+ krebs.Reaktor.extraEnviron = {
+ REAKTOR_CHANNELS = "#krebs,#binaergewitter";
+ };
krebs.build.host = config.krebs.hosts.pnp;
krebs.build.user = config.krebs.users.makefu;
@@ -38,12 +43,6 @@
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
- krebs.build.deps = {
- nixpkgs = {
- url = https://github.com/NixOS/nixpkgs;
- rev = "03921972268934d900cc32dad253ff383926771c";
- };
- };
networking.firewall.allowedTCPPorts = [
# nginx runs on 80
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 4dcfe4eca..d43f89a03 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -9,6 +9,9 @@
../2configs/base.nix
../2configs/main-laptop.nix #< base-gui
+ # configures sources
+ ../2configs/base-sources.nix
+
# Krebs
../2configs/tinc-basic-retiolum.nix
#../2configs/disable_v6.nix
@@ -18,34 +21,30 @@
# applications
../2configs/exim-retiolum.nix
- ../2configs/virtualization.nix
+ #../2configs/virtualization.nix
+ ../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix
# services
../2configs/git/brain-retiolum.nix
- # ../2configs/Reaktor/simpleExtend.nix
+ ../2configs/tor.nix
# hardware specifics are in here
../2configs/hw/tp-x220.nix
# mount points
../2configs/fs/sda-crypto-root-home.nix
];
+ krebs.Reaktor.enable = true;
+ krebs.Reaktor.debug = true;
+ krebs.Reaktor.nickname = "makefu|r";
krebs.build.host = config.krebs.hosts.pornocauster;
krebs.build.user = config.krebs.users.makefu;
krebs.build.target = "root@pornocauster";
- #krebs.Reaktor.nickname = "makefu|r";
networking.firewall.allowedTCPPorts = [
25
];
- krebs.build.deps = {
- nixpkgs = {
- url = https://github.com/NixOS/nixpkgs;
- #url = https://github.com/makefu/nixpkgs;
- rev = "03921972268934d900cc32dad253ff383926771c";
- };
- };
}
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
new file mode 100644
index 000000000..29ad82d4c
--- /dev/null
+++ b/makefu/1systems/wry.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+ ip = (lib.elemAt config.krebs.build.host.nets.internet.addrs4 0);
+in {
+ imports = [
+ ../../tv/2configs/CAC-CentOS-7-64bit.nix
+ ../2configs/base.nix
+ ../2configs/tinc-basic-retiolum.nix
+ {
+ }
+ ];
+ networking.firewall.allowPing = true;
+ networking.interfaces.enp2s1.ip4 = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "104.233.80.1";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+
+ # based on ../../tv/2configs/CAC-Developer-2.nix
+ sound.enable = false;
+ krebs.build = {
+ user = config.krebs.users.makefu;
+ target = "root@${ip}";
+ host = config.krebs.hosts.wry;
+ };
+
+}
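Review bot: The empty attribute set `{ }` inside `imports` (the two lines after `../2configs/tinc-basic-retiolum.nix`) contributes nothing and reads like a leftover from a template; either fill it or drop it. Separately, `networking.defaultGateway = "104.233.80.1"` is a literal while the address on the line above it is derived from `config.krebs.build.host.nets.internet.addrs4`, so the two can drift apart if the host's address is ever changed in the krebs host definitions; mkdir.nix and rmdir.nix in this same commit derive the gateway from the address with a `getDefaultGateway` helper, and this file could do the same or at least carry a comment such as `# must stay in the /24 of ip above`. The outer parentheses around `lib.elemAt ... 0` are redundant.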
diff --git a/makefu/2configs/base-sources.nix b/makefu/2configs/base-sources.nix
new file mode 100644
index 000000000..a2715ba4c
--- /dev/null
+++ b/makefu/2configs/base-sources.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+{
+ krebs.build.source = {
+ git.nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ #url = https://github.com/makefu/nixpkgs;
+ rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
+ };
+ dir.secrets = {
+ host = config.krebs.hosts.pornocauster;
+ path = "/home/makefu/secrets/${config.krebs.build.host.name}/";
+ };
+ dir.stockholm = {
+ host = config.krebs.hosts.pornocauster;
+ path = toString ../.. ;
+ };
+ };
+}
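Review bot: Both `dir.secrets.host` and `dir.stockholm.host` are pinned to `config.krebs.hosts.pornocauster`, and this file is now also imported by pnp.nix in this commit; per the `methods.dir` definition earlier in this diff, a `dir` source is only pushed when `config.host.name` equals the deploying host's name and otherwise evaluates to `throw "cannot source ..."`, so deploying pnp from pnp itself (or from any host other than pornocauster) would presumably fail at that point. A comment at the top of the `dir.*` entries would make that constraint visible to the next person: `# dir sources are rsync'd from the host named here; deploy from pornocauster`. The commented-out `#url = https://github.com/makefu/nixpkgs;` line carries no information on its own and could say why the fork is kept around. Minor: `path` for `dir.secrets` ends in `/` and the push method appends another `/`, which rsync tolerates but which is inconsistent with `dir.stockholm`.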
diff --git a/makefu/2configs/base.nix b/makefu/2configs/base.nix
index a5c64f4f3..34b413024 100644
--- a/makefu/2configs/base.nix
+++ b/makefu/2configs/base.nix
@@ -37,15 +37,6 @@ with lib;
time.timeZone = "Europe/Berlin";
#nix.maxJobs = 1;
- krebs.build.deps = {
- secrets = {
- url = "/home/makefu/secrets/${config.krebs.build.host.name}";
- };
- stockholm = {
- url = toString ../..;
- };
- };
-
services.openssh.enable = true;
nix.useChroot = true;
diff --git a/makefu/2configs/tor.nix b/makefu/2configs/tor.nix
new file mode 100644
index 000000000..e466a1839
--- /dev/null
+++ b/makefu/2configs/tor.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.tor.enable = true;
+ services.tor.client.enable = true;
+ # also enables services.tor.client.privoxy
+}
diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix
new file mode 100644
index 000000000..610b63732
--- /dev/null
+++ b/makefu/2configs/virtualization-virtualbox.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+
+let
+ mainUser = config.krebs.build.user;
+ version = "5.0.4";
+ rev = "102546";
+ vboxguestpkg = pkgs.fetchurl {
+ url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
+ sha256 = "1ykwpjvfgj11iwhx70bh2hbxhyy3hg6rnqzl4qac7xzg8xw8wqg4";
+ };
+in {
+ #inherit vboxguestpkg;
+ virtualisation.virtualbox.host.enable = true;
+ nixpkgs.config.virtualbox.enableExtensionPack = true;
+
+ users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
+ environment.systemPackages = [ vboxguestpkg ];
+}
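Review bot: The name `vboxguestpkg` is misleading: the URL fetches `Oracle_VM_VirtualBox_Extension_Pack-...vbox-extpack`, which is the host-side Extension Pack, not guest additions, so `vboxextpack` would describe it accurately. `pkgs.fetchurl` yields a single file rather than a package with `bin/`, so it is unclear what placing it in `environment.systemPackages` achieves; if the intent is only to have the pack available alongside `nixpkgs.config.virtualbox.enableExtensionPack = true`, a comment stating that would help, and if nothing consumes it the line can probably go. The download is over plain `http://`, which is acceptable for integrity only because the `sha256` pin is checked at fetch time; a comment such as `# integrity guaranteed by sha256 below, not by transport` makes that reasoning explicit. The interpolation in `[ "${mainUser.name}" ]` can simply be `[ mainUser.name ]`.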
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index b385848f1..4f66b3592 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@cd.internet";
- krebs.build.deps = {
- nixpkgs = {
+ krebs.build.source = {
+ git.nixpkgs = {
url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
};
- secrets = {
- url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ dir.secrets = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/secrets/cd";
};
- stockholm = {
- url = toString ../..;
+ dir.stockholm = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/stockholm";
};
};
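Review bot: `dir.secrets.path` changes from a value derived from `config.krebs.build.host.name` to the literal `"/home/tv/secrets/cd"`, and the same per-host literal appears in the corresponding hunks of mkdir.nix, nomic.nix, rmdir.nix and wu.nix; this duplicates the host name into each system file, so a later rename of a host silently leaves the secrets path pointing at the old directory. Keeping the previous form, `path = "/home/tv/secrets/${config.krebs.build.host.name}";`, would preserve the single source of truth, assuming the host name still matches the directory name in each case. If the literal is deliberate (e.g. to decouple the secrets layout from host names), a one-line comment saying so would prevent a future "cleanup" back to the interpolated form.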
@@ -26,6 +28,7 @@ with lib;
../2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
#../2configs/consul-server.nix
+ ../2configs/exim-smarthost.nix
../2configs/git.nix
{
imports = [ ../2configs/charybdis.nix ];
@@ -41,59 +44,6 @@ with lib;
};
}
{
- krebs.exim-smarthost = {
- enable = true;
- primary_hostname = "${config.networking.hostName}.retiolum";
- sender_domains = [
- "shackspace.de"
- "viljetic.de"
- ];
- relay_from_hosts = [
- "10.243.13.37"
- ];
- internet-aliases = with config.krebs.users; [
- { from = "tomislav@viljetic.de"; to = tv.mail; }
-
- # (mindestens) lisp-stammtisch und elli haben die:
- { from = "tv@viljetic.de"; to = tv.mail; }
-
- { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
-
- { from = "mirko@viljetic.de"; to = mv.mail; }
-
- # TODO killme (wo wird die benutzt?)
- { from = "tv@cd.retiolum"; to = tv.mail; }
-
- # TODO lists@smtp.retiolum [consul]
- { from = "postmaster@krebsco.de"; to = tv.mail; }
-
- { from = "spam@krebsco.de";
- to = pkgs.lib.concatStringsSep "," [
- tv.mail
- "lass@mors.retiolum"
- makefu.mail
- ];
- }
- ];
- system-aliases = [
- { from = "mailer-daemon"; to = "postmaster"; }
- { from = "postmaster"; to = "root"; }
- { from = "nobody"; to = "root"; }
- { from = "hostmaster"; to = "root"; }
- { from = "usenet"; to = "root"; }
- { from = "news"; to = "root"; }
- { from = "webmaster"; to = "root"; }
- { from = "www"; to = "root"; }
- { from = "ftp"; to = "root"; }
- { from = "abuse"; to = "root"; }
- { from = "noc"; to = "root"; }
- { from = "security"; to = "root"; }
- { from = "root"; to = "tv"; }
- { from = "mirko"; to = "mv"; }
- ];
- };
- }
- {
krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp =
singleton config.krebs.github-hosts-sync.port;
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index cd3d3b5c4..76432ba03 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -2,22 +2,37 @@
with lib;
+let
+ # TODO merge with lass
+ getDefaultGateway = ip:
+ concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
+
+
+ primary-addr4 =
+ builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
+
+ #secondary-addr4 =
+ # builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
+in
+
{
krebs.build.host = config.krebs.hosts.mkdir;
krebs.build.user = config.krebs.users.tv;
- krebs.build.target = "root@mkdir.internet";
+ krebs.build.target = "root@${primary-addr4}";
- krebs.build.deps = {
- nixpkgs = {
+ krebs.build.source = {
+ git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
+ rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
};
- secrets = {
- url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ dir.secrets = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/secrets/mkdir";
};
- stockholm = {
- url = toString ../..;
+ dir.stockholm = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/stockholm";
};
};
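Review bot: `getDefaultGateway` silently assumes the gateway is the `.1` address of a /24 containing `ip`, which only holds together with the `prefixLength = 24` hard-coded in the second hunk of this file; the helper should say so, e.g. `# assumes a /24 with the gateway at .1 — keep in sync with prefixLength below`. The same helper is duplicated verbatim in rmdir.nix in this commit (marked `# TODO merge with lass` in both places), so a shared definition in a 2configs or 4lib file would remove the copy. `builtins.elemAt ... 0` will abort evaluation if `nets.internet.addrs4` is empty, which is probably the desired behaviour here but worth a comment.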
@@ -56,11 +71,18 @@ with lib;
networking.interfaces.enp2s1.ip4 = [
{
- address = "162.248.167.241"; # TODO
+ address = primary-addr4;
prefixLength = 24;
}
+ #{
+ # address = secondary-addr4;
+ # prefixLength = 24;
+ #}
];
- networking.defaultGateway = "162.248.167.1";
+
+ # TODO define gateway in krebs/3modules/default.nix
+ networking.defaultGateway = getDefaultGateway primary-addr4;
+
networking.nameservers = [
"8.8.8.8"
];
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index f08e74bbe..718f6ae24 100644
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@nomic.gg23";
- krebs.build.deps = {
- nixpkgs = {
+ krebs.build.source = {
+ git.nixpkgs = {
url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
};
- secrets = {
- url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ dir.secrets = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/secrets/nomic";
};
- stockholm = {
- url = toString ../..;
+ dir.stockholm = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/stockholm";
};
};
@@ -112,6 +114,7 @@ with lib;
exit 23
esac
'')
+ gnupg
ntp # ntpate
rxvt_unicode.terminfo
tmux
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index c8ac43e4c..79e47c539 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -2,22 +2,37 @@
with lib;
+let
+ # TODO merge with lass
+ getDefaultGateway = ip:
+ concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
+
+
+ primary-addr4 =
+ builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
+
+ #secondary-addr4 =
+ # builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
+in
+
{
krebs.build.host = config.krebs.hosts.rmdir;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@rmdir.internet";
- krebs.build.deps = {
- nixpkgs = {
+ krebs.build.source = {
+ git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
+ rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
};
- secrets = {
- url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ dir.secrets = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/secrets/rmdir";
};
- stockholm = {
- url = toString ../..;
+ dir.stockholm = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/stockholm";
};
};
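Review bot: `krebs.build.target` stays `"root@rmdir.internet"` here while the same hunk in mkdir.nix switches its target to `"root@${primary-addr4}"`, even though this file now defines `primary-addr4` as well; unless rmdir's DNS name is intentionally relied upon, `krebs.build.target = "root@${primary-addr4}";` would keep the two otherwise parallel system files consistent. If the name is intentional, a short comment explaining why rmdir differs from mkdir would stop the next reader from "fixing" it.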
@@ -57,11 +72,13 @@ with lib;
networking.interfaces.enp2s1.ip4 = [
{
- address = "167.88.44.94";
+ address = primary-addr4;
prefixLength = 24;
}
];
- networking.defaultGateway = "167.88.44.1";
+ # TODO define gateway in krebs/3modules/default.nix
+ networking.defaultGateway = getDefaultGateway primary-addr4;
+
networking.nameservers = [
"8.8.8.8"
];
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 36733ac41..e54aed056 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@wu";
- krebs.build.deps = {
- nixpkgs = {
- url = https://github.com/4z3/nixpkgs;
- rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
+ krebs.build.source = {
+ git.nixpkgs = {
+ url = https://github.com/NixOS/nixpkgs;
+ rev = "e916273209560b302ab231606babf5ce1c481f08";
};
- secrets = {
- url = "/home/tv/secrets/${config.krebs.build.host.name}";
+ dir.secrets = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/secrets/wu";
};
- stockholm = {
- url = toString ../..;
+ dir.stockholm = {
+ host = config.krebs.hosts.wu;
+ path = "/home/tv/stockholm";
};
};
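Review bot: This hunk moves wu from the `4z3/nixpkgs` fork at `03130ec...` to `NixOS/nixpkgs` at `e916273...`, while mkdir.nix and rmdir.nix in the same commit pin `68bd8e4a...` and cd.nix and nomic.nix stay on the fork; with five hosts now on three different nixpkgs revisions, a one-line comment next to `rev` stating why wu needs its own pin (e.g. a package or kernel requirement) would make the drift intentional rather than accidental. The removal of the `# 1357692` annotation that accompanied the old rev also drops the only hint of where that pin came from.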
@@ -214,7 +216,6 @@ with lib;
extraGroups = [
"audio"
"video"
- "bumblebee"
];
};
@@ -255,7 +256,6 @@ with lib;
extraGroups = [
"audio"
"video"
- "bumblebee"
];
};
@@ -264,7 +264,6 @@ with lib;
extraGroups = [
"audio"
"video"
- "bumblebee"
];
};
@@ -332,6 +331,7 @@ with lib;
};
"/home" = {
device = "/dev/mapper/home";
+ fsType = "btrfs";
options = "defaults,noatime,ssd,compress=lzo";
};
"/boot" = {
diff --git a/tv/2configs/base.nix b/tv/2configs/base.nix
index 89a66115a..1c6eba662 100644
--- a/tv/2configs/base.nix
+++ b/tv/2configs/base.nix
@@ -15,9 +15,10 @@ in
imports = [
{
+ # TODO never put hashedPassword into the store
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
- (import /root/src/secrets/hashedPasswords.nix);
+ (import <secrets/hashedPasswords.nix>);
}
{
users.defaultUserShell = "/run/current-system/sw/bin/bash";
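Review bot: `import <secrets/hashedPasswords.nix>` now resolves through NIX_PATH at evaluation time, so evaluation aborts with a lookup error unless `secrets=` is set wherever the configuration is evaluated; the same dependency is introduced by the `toString <secrets/...>` defaults in charybdis.nix, consul.nix and ejabberd.nix and by the `import <secrets/repos.nix>` in git.nix in this commit, and nothing in the diff documents where that NIX_PATH entry is expected to come from. A comment at the first use, such as `# <secrets> must be on NIX_PATH (secrets=/path) on the evaluating host`, would make the requirement discoverable. Note also that `toString` on a NIX_PATH lookup yields an absolute path string on the evaluating machine without copying the file into the store, so those service defaults only work if the same absolute path exists on the target at service start; that is presumably the intent given the `# TODO path (but not just into store)` remarks, but it is worth stating. The `# TODO never put hashedPassword into the store` line is an honest marker; the `import` form still places the hashes into the evaluated configuration, as the TODO acknowledges.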
diff --git a/tv/2configs/charybdis.nix b/tv/2configs/charybdis.nix
index a949026de..80c6f7c4a 100644
--- a/tv/2configs/charybdis.nix
+++ b/tv/2configs/charybdis.nix
@@ -21,7 +21,7 @@ let
};
dhParams = mkOption {
type = types.str;
- default = "/root/src/secrets/charybdis.dh.pem";
+ default = toString <secrets/charybdis.dh.pem>;
};
motd = mkOption {
type = types.str;
@@ -32,7 +32,7 @@ let
};
sslKey = mkOption {
type = types.str;
- default = "/root/src/secrets/charybdis.key.pem";
+ default = toString <secrets/charybdis.key.pem>;
};
};
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..811c8e4c7
--- /dev/null
+++ b/tv/2configs/exim-smarthost.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+ krebs.exim-smarthost = {
+ enable = true;
+ primary_hostname = "${config.networking.hostName}.retiolum";
+ sender_domains = [
+ "shackspace.de"
+ "viljetic.de"
+ ];
+ relay_from_hosts = [
+ "10.243.13.37"
+ ];
+ internet-aliases = with config.krebs.users; [
+ { from = "tomislav@viljetic.de"; to = tv.mail; }
+
+ # (mindestens) lisp-stammtisch und elli haben die:
+ { from = "tv@viljetic.de"; to = tv.mail; }
+
+ { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
+
+ { from = "mirko@viljetic.de"; to = mv.mail; }
+
+ # TODO killme (wo wird die benutzt?)
+ { from = "tv@cd.retiolum"; to = tv.mail; }
+
+ # TODO lists@smtp.retiolum [consul]
+ { from = "postmaster@krebsco.de"; to = tv.mail; }
+
+ { from = "spam@krebsco.de";
+ to = pkgs.lib.concatStringsSep "," [
+ tv.mail
+ "lass@mors.retiolum"
+ makefu.mail
+ ];
+ }
+ ];
+ system-aliases = [
+ { from = "mailer-daemon"; to = "postmaster"; }
+ { from = "postmaster"; to = "root"; }
+ { from = "nobody"; to = "root"; }
+ { from = "hostmaster"; to = "root"; }
+ { from = "usenet"; to = "root"; }
+ { from = "news"; to = "root"; }
+ { from = "webmaster"; to = "root"; }
+ { from = "www"; to = "root"; }
+ { from = "ftp"; to = "root"; }
+ { from = "abuse"; to = "root"; }
+ { from = "noc"; to = "root"; }
+ { from = "security"; to = "root"; }
+ { from = "root"; to = "tv"; }
+ { from = "mirko"; to = "mv"; }
+ ];
+ };
+}
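Review bot: The module header is `{ config, pkgs, ... }:` and the `spam@krebsco.de` alias then reaches for `pkgs.lib.concatStringsSep`, whereas the other new files in this commit take `lib` from the module arguments (`{ config, lib, pkgs, ... }:`); using `lib.concatStringsSep` with `lib` in the header is the conventional form and avoids depending on the `pkgs.lib` alias. The content is otherwise a verbatim move out of cd.nix, so the `# TODO killme` and `# TODO lists@smtp.retiolum` markers travel with it unchanged; since the file now lives under 2configs and may be imported by more than one host, a header comment noting that `primary_hostname` is derived from the importing host while the alias lists are tv-specific would help the next reader.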
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 6624d62dc..5f5fae483 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -51,7 +51,8 @@ let
collaborators = with config.krebs.users; [ lass makefu ];
};
} //
- import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+ # TODO don't put secrets/repos.nix into the store
+ import <secrets/repos.nix> { inherit config lib pkgs; }
);
make-public-repo = name: { desc ? null, ... }: {
diff --git a/tv/3modules/consul.nix b/tv/3modules/consul.nix
index 82a15c024..e764ab7b2 100644
--- a/tv/3modules/consul.nix
+++ b/tv/3modules/consul.nix
@@ -29,7 +29,7 @@ let
};
encrypt-file = mkOption {
type = types.str; # TODO path (but not just into store)
- default = "/root/src/secrets/consul-encrypt.json";
+ default = toString <secrets/consul-encrypt.json>;
};
data-dir = mkOption {
type = types.str; # TODO path (but not just into store)
diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix
index 2910a9a69..6b231fb56 100644
--- a/tv/3modules/ejabberd.nix
+++ b/tv/3modules/ejabberd.nix
@@ -15,7 +15,7 @@ let
certFile = mkOption {
type = types.str;
- default = "/root/src/secrets/ejabberd.pem";
+ default = toString <secrets/ejabberd.pem>;
};
hosts = mkOption {
diff --git a/tv/4lib/git.nix b/tv/4lib/git.nix
index 2b25debdc..748b77269 100644
--- a/tv/4lib/git.nix
+++ b/tv/4lib/git.nix
@@ -114,6 +114,18 @@ let
gnused
])}
+ green() { printf '\x0303,99%s\x0F' "$1"; }
+ red() { printf '\x0304,99%s\x0F' "$1"; }
+ orange() { printf '\x0307,99%s\x0F' "$1"; }
+ pink() { printf '\x0313,99%s\x0F' "$1"; }
+ gray() { printf '\x0314,99%s\x0F' "$1"; }
+
+ unset message
+ add_message() {
+ message="''${message+$message
+ }$*"
+ }
+
nick=${escapeShellArg nick}
channel=${escapeShellArg channel}
server=${escapeShellArg server}
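Review bot: The colour helpers `green`, `red`, `orange`, `pink` and `gray` rely on `printf '\x03...'`, but `\x` hex escapes are a bash/GNU extension and not part of POSIX `printf`; if this hook is executed by a plain `sh` such as dash, the bytes are emitted literally instead of as IRC control codes. Octal escapes are portable: `green() { printf '\00303,99%s\017' "$1"; }` and likewise for the others. Passing the text through `%s` rather than into the format string is the right choice and should be kept. `add_message` is correct as written (`$*` inside double quotes), though a comment like `# append one line to $message, separated by newline` would make the `''${message+$message` idiom readable.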
@@ -124,7 +136,6 @@ let
empty=0000000000000000000000000000000000000000
- unset message
while read oldrev newrev ref; do
if [ $oldrev = $empty ]; then
@@ -157,14 +168,23 @@ let
link="$cgit_endpoint/$GIT_SSH_REPO/ ($h)"
;;
fast-forward|non-fast-forward)
- #git diff --stat $id..$id2
link="$cgit_endpoint/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2"
;;
esac
#$host $GIT_SSH_REPO $ref $link
- message="''${message+$message
- }$GIT_SSH_USER $receive_mode $link"
+ add_message $(pink push) $link $(gray "($receive_mode)")
+
+ add_message "$(
+ git log \
+ --format="$(orange %h) %s $(gray '(%ar)')" \
+ --reverse \
+ $id2..$id
+
+ git diff --stat $id2..$id \
+ | sed '$!s/\(+*\)\(-*\)$/'$(green '\1')$(red '\2')'/'
+ )"
+
done
if test -n "''${message-}"; then