From a1a307d7643007e51d54803b30178dd9791a0737 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 15 Feb 2016 19:46:26 +0100 Subject: ma default.nix: import ./5pkgs --- makefu/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/default.nix b/makefu/default.nix index 320e1a133..b1c7c1be8 100644 --- a/makefu/default.nix +++ b/makefu/default.nix @@ -4,5 +4,6 @@ _: ../krebs ./2configs ./3modules + ./5pkgs ]; } -- cgit v1.2.3 From 8a88dbe1739d23eb6003d2f2cbe49fd260f7727e Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 15 Feb 2016 20:14:31 +0100 Subject: s 2 buildbot: use new nixpkgs compat structure --- shared/2configs/shared-buildbot.nix | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/shared/2configs/shared-buildbot.nix b/shared/2configs/shared-buildbot.nix index ebf5f4a1e..eff44b280 100644 --- a/shared/2configs/shared-buildbot.nix +++ b/shared/2configs/shared-buildbot.nix @@ -69,7 +69,7 @@ # SSL_CERT_FILE,LOGNAME,NIX_REMOTE nixshell = ["nix-shell", "-I", "stockholm=.", - "-I", "nixpkgs=/var/src/upstream-nixpkgs", + "-I", "nixpkgs=/var/src/nixpkgs", "-p" ] + deps + [ "--run" ] # prepare addShell function 
@@ -90,21 +90,21 @@ addShell(f,name="instantiate-test-all-modules",env=env, command=nixshell + \ ["touch retiolum.rsa_key.priv; \ - nix-instantiate --eval -A \ - users.shared.test-all-krebs-modules.system \ - -I stockholm=. \ - --show-trace \ - -I secrets=. '' \ - --strict --json"]) + nix-instantiate \ + --show-trace --eval --strict --json \ + -I nixos-config=./shared/1systems/test-all-krebs-modules.nix \ + -I secrets=. \ + -A config.system.build.toplevel"] + ) - addShell(f,name="instantiate-test-minimal-deploy",env=env, + addShell(f,name="build-test-minimal",env=env, command=nixshell + \ - ["nix-instantiate --eval -A \ - users.shared.test-minimal-deploy.system \ - -I stockholm=. \ - -I secrets=. '' \ - --show-trace \ - --strict --json"]) + ["nix-instantiate \ + --show-trace --eval --strict --json \ + -I nixos-config=./shared/1systems/test-minimal-deploy.nix \ + -I secrets=. \ + -A config.system.build.toplevel"] + ) bu.append(util.BuilderConfig(name="fast-tests", slavenames=slavenames, @@ -151,6 +151,6 @@ packages = with pkgs;[ git nix ]; # all nix commands will need a working nixpkgs installation extraEnviron = { - NIX_PATH="nixpkgs=/var/src/upstream-nixpkgs:nixos-config=./shared/1systems/wolf.nix"; }; + NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; }; }; } -- cgit v1.2.3 From 5d98f98b8df7dc40b0b76a3d5b6b6545493309bb Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 16 Feb 2016 18:03:18 +0100 Subject: s 2 buildbot: add auto-gc --- shared/2configs/shared-buildbot.nix | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/shared/2configs/shared-buildbot.nix b/shared/2configs/shared-buildbot.nix index eff44b280..b474af7b3 100644 --- a/shared/2configs/shared-buildbot.nix +++ b/shared/2configs/shared-buildbot.nix 
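Review bot: The step renamed to `build-test-minimal` still runs `nix-instantiate --eval`, so despite the new name nothing is built for `test-minimal-deploy.nix` and only evaluation errors are caught. Either keep an instantiate-style name, e.g. `addShell(f,name="instantiate-test-minimal",env=env,`, or switch the command to `nix-build --no-out-link` if a real build is what the step should do. A one-line comment above the step, such as `# evaluation only, no store paths are built here`, would stop the status page from being read as build coverage.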
@@ -7,6 +7,11 @@ # TODO for all users schedule a build for fast tests { + # due to the fact that we actually build stuff on the box via the daemon, + # /nix/store should be cleaned up automatically as well + nix.gc.automatic = true; + nix.gc.dates = "05:23"; + networking.firewall.allowedTCPPorts = [ 8010 9989 ]; krebs.buildbot.master = let stockholm-mirror-url = http://cgit.wolf/stockholm-mirror ; @@ -27,7 +32,7 @@ force-scheduler = '' sched.append(schedulers.ForceScheduler( name="force", - builderNames=["full-tests","fast-tests"])) + builderNames=["full-tests","fast-tests","build-local"])) ''; fast-tests-scheduler = '' # test everything real quick @@ -35,7 +40,7 @@ ## all branches change_filter=util.ChangeFilter(branch_re=".*"), # treeStableTimer=10, - name="fast-test-all-branches", + name="fast-all-branches", builderNames=["fast-tests"])) ''; test-cac-infest-master = '' @@ -51,8 +56,8 @@ change_filter=util.ChangeFilter(branch="master"), fileIsImportant=shared_files, treeStableTimer=60*60, # master was stable for the last hour - name="full-master-test", - builderNames=["full-tests"])) + name="full-master", + builderNames=["full-tests","build-local"])) ''; }; builder_pre = '' @@ -110,6 +115,26 @@ slavenames=slavenames, factory=f)) ''; + # this build will try to build against local nixpkgs + # TODO change to do a 'local' populate and use the retrieved nixpkgs + build-local = '' + f = util.BuildFactory() + f.addStep(grab_repo) + + addShell(f,name="build-test-all-modules",env=env, + command=nixshell + \ + ["touch retiolum.rsa_key.priv; \ + nix-build \ + --show-trace --no-out-link \ + -I nixos-config=./shared/1systems/test-all-krebs-modules.nix \ + -I secrets=. \ + -A config.system.build.toplevel"] + ) + + bu.append(util.BuilderConfig(name="build-local", + slavenames=slavenames, + factory=f)) + ''; slow-tests = '' s = util.BuildFactory() s.addStep(grab_repo) -- cgit v1.2.3 From b9eae4bf0986a04fb2b19b9da98e6aa93151eb44 Mon Sep 17 00:00:00 2001 
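Review bot: Adding `"build-local"` to the `builderNames` of the `force` ForceScheduler means a forced build now runs a real `nix-build` of the checked-out tree through the daemon on this box, not just an evaluation. The context line in the first hunk opens TCP 8010 and 9989 in the firewall (8010 is presumably the web status port), and nothing visible in these hunks shows whether forcing a build requires authentication, so that should be confirmed before the builder is exposed there. A comment next to the scheduler, e.g. `# build-local executes builds on this host; forcing it must require auth`, would record the assumption. The `krebs.buildbot.master` definition continues outside these hunks.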
From: makefu Date: Tue, 16 Feb 2016 22:44:00 +0100 Subject: ma 2 mycube.connector.one: init --- makefu/2configs/nginx/mycube.connector.one.nix | 28 ++++++++++++++++++++++++++ makefu/2configs/nginx/update.connector.one.nix | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 makefu/2configs/nginx/mycube.connector.one.nix diff --git a/makefu/2configs/nginx/mycube.connector.one.nix b/makefu/2configs/nginx/mycube.connector.one.nix new file mode 100644 index 000000000..209c376fb --- /dev/null +++ b/makefu/2configs/nginx/mycube.connector.one.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + hostname = config.krebs.build.host.name; + external-ip = head config.krebs.build.host.nets.internet.addrs4; +in { + services.redis.enable = true; + + krebs.nginx = { + enable = mkDefault true; + servers = { + mybox-connector-one = { + listen = [ "${external-ip}:80" ]; + server-names = [ + "mycube.connector.one" + "mybox.connector.one" + ]; + locations = singleton (nameValuePair "/" '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:8001/; + ''); + }; + }; + }; +} diff --git a/makefu/2configs/nginx/update.connector.one.nix b/makefu/2configs/nginx/update.connector.one.nix index 044a14075..ac5e6b17b 100644 --- a/makefu/2configs/nginx/update.connector.one.nix +++ b/makefu/2configs/nginx/update.connector.one.nix @@ -8,7 +8,7 @@ in { krebs.nginx = { enable = mkDefault true; servers = { - omo-share = { + update-connector-one = { listen = [ "${external-ip}:80" ]; server-names = [ "update.connector.one" -- cgit v1.2.3 From 513b33e7a207412c30cfbcd00c7df8aaafe2dee7 Mon Sep 17 00:00:00 2001 
From: makefu Date: Wed, 17 Feb 2016 01:44:46 +0100 Subject: ma 5 add mycube-flask --- makefu/5pkgs/default.nix | 1 + makefu/5pkgs/mycube-flask/default.nix | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 makefu/5pkgs/mycube-flask/default.nix diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index c4a7f498f..33e280f0e 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -10,5 +10,6 @@ in alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";}; awesomecfg = callPackage ./awesomecfg {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; + mycube-flask = callPackage ./mycube-flask {}; }; } diff --git a/makefu/5pkgs/mycube-flask/default.nix b/makefu/5pkgs/mycube-flask/default.nix new file mode 100644 index 000000000..ce86087ca --- /dev/null +++ b/makefu/5pkgs/mycube-flask/default.nix @@ -0,0 +1,22 @@ +{ lib, pkgs, fetchFromGitHub, ... }: + +with pkgs.pythonPackages;buildPythonPackage rec { + name = "mycube-flask-${version}"; + version = "0.2.3"; + disabled = isPy3k || isPyPy; + propagatedBuildInputs = [ + flask + redis + ]; + src = fetchFromGitHub { + owner = "makefu"; + repo = "mycube-flask"; + rev = "5f5260a"; + sha256 = "1jx0h81nlmi1xry2vw46rvsanq0sdca6hlq31lhh7klqrg885hgh"; + }; + meta = { + homepage = https://github.com/makefu/mycube-flask; + description = "flask app for mycube"; + license = lib.licenses.asl20; + }; +} -- cgit v1.2.3 From daaf21193a0104659bb5e17f41331fb7b1fe629c Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 17 Feb 2016 03:12:09 +0100 Subject: ma 2 mycube: standalone version based on uwsgi what a motherf*ckn pain --- .../2configs/deployment/mycube.connector.one.nix | 46 ++++++++++++++++++++++ makefu/2configs/nginx/mycube.connector.one.nix | 28 ------------- 2 files changed, 46 insertions(+), 28 deletions(-) create mode 100644 makefu/2configs/deployment/mycube.connector.one.nix delete mode 100644 makefu/2configs/nginx/mycube.connector.one.nix 
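Review bot: `rev = "5f5260a";` in the new `makefu/5pkgs/mycube-flask/default.nix` is an abbreviated commit id. The `sha256` keeps the fetched content fixed, but an abbreviated id can become ambiguous as the repository grows and makes the pin harder to audit against `version = "0.2.3"`. Prefer the full id or a release tag, e.g. `rev = "<full 40-character commit id>";`. Quoting the URL in `meta` (`homepage = "https://github.com/makefu/mycube-flask";`) also avoids the bare-URL literal.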
diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix new file mode 100644 index 000000000..6a32656b4 --- /dev/null +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -0,0 +1,46 @@ +{ config, lib, pkgs, ... }: +# more than just nginx config but not enough to become a module +with config.krebs.lib; +let + hostname = config.krebs.build.host.name; + external-ip = head config.krebs.build.host.nets.internet.addrs4; + wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock"; +in { + services.redis.enable = true; + services.uwsgi = { + enable = true; + user = "nginx"; + plugins = [ "python2" ]; + instance = { + type = "emperor"; + vassals = { + mycube-flask = { + type = "normal"; + python2Packages = self: with self; [ pkgs.mycube-flask self.flask self.redis self.werkzeug self.jinja2 self.markupsafe itsdangerous ]; + socket = wsgi-sock; + }; + }; + }; + }; + + krebs.nginx = { + enable = mkDefault true; + servers = { + mybox-connector-one = { + listen = [ "${external-ip}:80" ]; + server-names = [ + "mycube.connector.one" + "mybox.connector.one" + ]; + locations = singleton (nameValuePair "/" '' + uwsgi_pass unix://${wsgi-sock}; + uwsgi_param UWSGI_CHDIR ${pkgs.mycube-flask}/${pkgs.python.sitePackages}; + uwsgi_param UWSGI_MODULE mycube.websrv; + uwsgi_param UWSGI_CALLABLE app; + + include ${pkgs.nginx}/conf/uwsgi_params; + ''); + }; + }; + }; +} diff --git a/makefu/2configs/nginx/mycube.connector.one.nix b/makefu/2configs/nginx/mycube.connector.one.nix deleted file mode 100644 index 209c376fb..000000000 --- a/makefu/2configs/nginx/mycube.connector.one.nix +++ /dev/null 
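Review bot: `user = "nginx";` under `services.uwsgi` runs the emperor and the `mycube-flask` vassal under the web server's own account, so a flaw in the Flask app gets everything the nginx user can read or write instead of being confined to the application. Running uwsgi under a dedicated account and giving nginx access to `uwsgi.sock` through group membership and the socket mode keeps the two apart. If the shared account is kept for now, say so in place: `# runs as nginx so the worker can open uwsgi.sock; TODO: dedicated user + group-accessible socket`. The `hostname` binding in the `let` block is not used anywhere in this file and can be dropped.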
@@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -let - hostname = config.krebs.build.host.name; - external-ip = head config.krebs.build.host.nets.internet.addrs4; -in { - services.redis.enable = true; - - krebs.nginx = { - enable = mkDefault true; - servers = { - mybox-connector-one = { - listen = [ "${external-ip}:80" ]; - server-names = [ - "mycube.connector.one" - "mybox.connector.one" - ]; - locations = singleton (nameValuePair "/" '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:8001/; - ''); - }; - }; - }; -} -- cgit v1.2.3 From 05b22528716b1fd5f8fd5b4909c869e1ff55b153 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 17 Feb 2016 03:12:45 +0100 Subject: ma 5 mycube: do not disable for py3k --- makefu/5pkgs/mycube-flask/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/makefu/5pkgs/mycube-flask/default.nix b/makefu/5pkgs/mycube-flask/default.nix index ce86087ca..d01abbbd4 100644 --- a/makefu/5pkgs/mycube-flask/default.nix +++ b/makefu/5pkgs/mycube-flask/default.nix @@ -3,7 +3,6 @@ with pkgs.pythonPackages;buildPythonPackage rec { name = "mycube-flask-${version}"; version = "0.2.3"; - disabled = isPy3k || isPyPy; propagatedBuildInputs = [ flask redis -- cgit v1.2.3 From 829f801f80c2bb80e3c3301f6fb9599fcbe46548 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 17 Feb 2016 03:13:42 +0100 Subject: ma 1 gum: deploy mycube --- makefu/1systems/gum.nix | 1 + makefu/2configs/git/cgit-retiolum.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 04adc4941..906c72de4 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix 
@@ -17,6 +17,7 @@ in { ../2configs/mattermost-docker.nix ../2configs/nginx/euer.test.nix ../2configs/nginx/update.connector.one.nix + ../2configs/deployment/mycube.connector.one.nix ../2configs/exim-retiolum.nix ../2configs/urlwatch.nix diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index a488d98f2..15700e10d 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -57,7 +57,7 @@ let # TODO: get the list of all krebsministers - krebsminister = with config.krebs.users; [ lass tv uriel ]; + krebsminister = with config.krebs.users; [ lass tv ]; all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob ]; all-exco = with config.krebs.users; [ exco ]; -- cgit v1.2.3 From 521d5989db76a25c3a8082e8bb933baf397562e0 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 17 Feb 2016 08:33:15 +0100 Subject: ma 2 hw/tp-x2x0: wireless.enable = mkDefault true resolves TODO --- makefu/2configs/hw/tp-x2x0.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 892be07b8..d5ce34bd4 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -2,8 +2,7 @@ with config.krebs.lib; { - # TODO: put this somewhere else - networking.wireless.enable = true; + networking.wireless.enable = lib.mkDefault true; hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; -- cgit v1.2.3 From ae3a6110c69ee1c5339befa73b52ac274ebfc260 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 17 Feb 2016 10:51:26 +0100 Subject: k 3 makefu/wolf: fix typo --- krebs/3modules/makefu/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index ca83d6906..6af77ad9b 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix 
@@ -291,7 +291,7 @@ with config.krebs.lib; wbob = rec { cores = 1; nets = { - retiolm = { + retiolum = { addrs4 = ["10.243.214.15"]; addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"]; aliases = [ -- cgit v1.2.3 From 644649e7250f7ef5c553cd6ad404d544097ed698 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 18 Feb 2016 08:36:18 +0100 Subject: ma 2 mycube: cleanup --- makefu/2configs/deployment/mycube.connector.one.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 6a32656b4..38fc4a243 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix @@ -16,7 +16,7 @@ in { vassals = { mycube-flask = { type = "normal"; - python2Packages = self: with self; [ pkgs.mycube-flask self.flask self.redis self.werkzeug self.jinja2 self.markupsafe itsdangerous ]; + python2Packages = self: with self; [ pkgs.mycube-flask flask redis werkzeug jinja2 markupsafe itsdangerous ]; socket = wsgi-sock; }; }; -- cgit v1.2.3 From 54dc51d341f5a3b253341a20a4e35b1ed03a3244 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 18 Feb 2016 08:37:40 +0100 Subject: ma 2 laptop: add user to "dialout" --- makefu/2configs/main-laptop.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index c3e43723c..452cdfb23 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -12,6 +12,9 @@ with config.krebs.lib; ./fetchWallpaper.nix ./zsh-user.nix ]; + + users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; + environment.systemPackages = with pkgs;[ vlc firefox -- cgit v1.2.3 From 74cfe87654638106f2d2a1a698814b41c2e904f2 Mon Sep 17 00:00:00 2001 
From: makefu Date: Thu, 18 Feb 2016 22:14:16 +0100 Subject: ma 2 default: apply cve-2015-7547 hotfix --- makefu/2configs/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 83018e9f8..3043a1af3 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -4,6 +4,13 @@ with config.krebs.lib; { system.stateVersion = "15.09"; + system.replaceRuntimeDependencies = with pkgs.lib; + [{original = pkgs.glibc; replacement = pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: { patches = oldAttr.patches ++ + [(pkgs.fetchurl { url = "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch"; + sha256 = "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";})]; + });} + ]; + imports = [ { users.extraUsers = -- cgit v1.2.3
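Review bot: The hotfix fetches the patch from the `master` branch of nixpkgs, so the `url` in `pkgs.fetchurl` points at content that can change or disappear. The `sha256` makes a changed file fail the build rather than apply silently, but every host importing `2configs/default.nix` then stops evaluating to a buildable system until the URL is fixed. Pin it to a commit, e.g. `url = "https://raw.githubusercontent.com/NixOS/nixpkgs/<commit-id>/pkgs/development/libraries/glibc/cve-2015-7547.patch";`. `with pkgs.lib;` is unused, since the expression calls `pkgs.stdenv.lib.overrideDerivation` explicitly. A comment such as `# temporary: drop once the channel ships a glibc with the cve-2015-7547 patch` would help, ideally noting that `system.replaceRuntimeDependencies` presumably covers only the system closure, not software installed outside it.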