From e3b72bb66e7c6bf410c8db81ff04e355a7b22116 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:03:51 +0200 Subject: 3: {tv -> krebs}.github-hosts-sync --- 1systems/tv/cd.nix | 6 +-- 3modules/krebs/github-hosts-sync.nix | 83 ++++++++++++++++++++++++++++++++++++ 3modules/tv/github-hosts-sync.nix | 83 ------------------------------------ Zpkgs/krebs/default.nix | 11 +++++ Zpkgs/krebs/github-hosts-sync.nix | 40 +++++++++++++++++ Zpkgs/krebs/github-known_hosts.nix | 13 ++++++ Zpkgs/tv/default.nix | 2 - Zpkgs/tv/github-hosts-sync.nix | 40 ----------------- Zpkgs/tv/github-known_hosts.nix | 13 ------ 9 files changed, 150 insertions(+), 141 deletions(-) create mode 100644 3modules/krebs/github-hosts-sync.nix delete mode 100644 3modules/tv/github-hosts-sync.nix create mode 100644 Zpkgs/krebs/default.nix create mode 100644 Zpkgs/krebs/github-hosts-sync.nix create mode 100644 Zpkgs/krebs/github-known_hosts.nix delete mode 100644 Zpkgs/tv/github-hosts-sync.nix delete mode 100644 Zpkgs/tv/github-known_hosts.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 407fc25cf..463d643a6 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -29,10 +29,10 @@ in }; } { - imports = [ ../../3modules/tv/github-hosts-sync.nix ]; - tv.github-hosts-sync.enable = true; + imports = [ ../../3modules/krebs/github-hosts-sync.nix ]; + krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = - singleton config.tv.github-hosts-sync.port; + singleton config.krebs.github-hosts-sync.port; } { imports = [ ../../2configs/tv/identity.nix ]; diff --git a/3modules/krebs/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix new file mode 100644 index 000000000..c3b56ef94 --- /dev/null +++ b/3modules/krebs/github-hosts-sync.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.github-hosts-sync; + + out = { + options.krebs.github-hosts-sync = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.github-hosts-sync"; + port = mkOption { + type = types.int; # TODO port type + default = 1028; + }; + dataDir = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/var/lib/github-hosts-sync"; + }; + ssh-identity-file = mkOption { + type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} + default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; + }; + }; + + imp = { + systemd.services.github-hosts-sync = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + port = toString cfg.port; + }; + serviceConfig = { + PermissionsStartOnly = "true"; + SyslogIdentifier = "github-hosts-sync"; + User = user.name; + Restart = "always"; + ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' + #! /bin/sh + set -euf + + ssh_identity_file_target=$( + case ${cfg.ssh-identity-file} in + *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; + *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; + *) + echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 + exit 1 + esac + ) + + mkdir -p ${cfg.dataDir} + chown ${user.name}: ${cfg.dataDir} + + install \ + -o ${user.name} \ + -m 0400 \ + ${cfg.ssh-identity-file} \ + "$ssh_identity_file_target" + + ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ''; + ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + home = cfg.dataDir; + }; + }; + + user = { + name = "github-hosts-sync"; + uid = 3220554646; # genid github-hosts-sync + }; + + Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; +in +out diff --git a/3modules/tv/github-hosts-sync.nix b/3modules/tv/github-hosts-sync.nix deleted file mode 100644 index f50bf2b1b..000000000 --- a/3modules/tv/github-hosts-sync.nix +++ /dev/null @@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; -let - cfg = config.tv.github-hosts-sync; - - out = { - options.tv.github-hosts-sync = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; - dataDir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/github-hosts-sync"; - }; - ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} - default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; - }; - }; - - imp = { - systemd.services.github-hosts-sync = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - port = toString cfg.port; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "github-hosts-sync"; - User = user.name; - Restart = "always"; - ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' - #! /bin/sh - set -euf - - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ - ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" - - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts - ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - home = cfg.dataDir; - }; - }; - - user = { - name = "github-hosts-sync"; - uid = 3220554646; # genid github-hosts-sync - }; - - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; -in -out diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix new file mode 100644 index 000000000..be8f72011 --- /dev/null +++ b/Zpkgs/krebs/default.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: + +let + inherit (pkgs) callPackage; +in + +pkgs // +{ + github-hosts-sync = callPackage ./github-hosts-sync.nix {}; + github-known_hosts = callPackage ./github-known_hosts.nix {}; +} diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix new file mode 100644 index 000000000..d69b2b12b --- /dev/null +++ b/Zpkgs/krebs/github-hosts-sync.nix @@ -0,0 +1,40 @@ +{ stdenv, fetchgit, pkgs, ... }: + +stdenv.mkDerivation { + name = "github-hosts-sync"; + + src = fetchgit { + url = https://github.com/krebscode/painload; + rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; + sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; + path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ + coreutils + findutils + git + gnugrep + gnused + openssh + socat + ]); + in + '' + mkdir -p $out/bin + + sed \ + 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ + < ./retiolum/scripts/github_hosts_sync/hosts-sync \ + > $out/bin/github-hosts-sync + + chmod +x $out/bin/github-hosts-sync + ''; +} diff --git a/Zpkgs/krebs/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix new file mode 100644 index 000000000..302fdd8d5 --- /dev/null +++ b/Zpkgs/krebs/github-known_hosts.nix @@ -0,0 +1,13 @@ +{ lib, ... }: + +with builtins; +with lib; + +let + github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); +in + +toFile "github-known_hosts" + (concatMapStrings + (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") + (range 0 255)) diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix index fa9fff84c..e3e12bd18 100644 --- a/Zpkgs/tv/default.nix +++ b/Zpkgs/tv/default.nix @@ -9,8 +9,6 @@ pkgs // charybdis = callPackage ./charybdis {}; dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; - github-hosts-sync = callPackage ./github-hosts-sync.nix {}; - github-known_hosts = callPackage ./github-known_hosts.nix {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; viljetic-pages = callPackage ./viljetic-pages {}; diff --git a/Zpkgs/tv/github-hosts-sync.nix b/Zpkgs/tv/github-hosts-sync.nix deleted file mode 100644 index d69b2b12b..000000000 --- a/Zpkgs/tv/github-hosts-sync.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ stdenv, fetchgit, pkgs, ... }: - -stdenv.mkDerivation { - name = "github-hosts-sync"; - - src = fetchgit { - url = https://github.com/krebscode/painload; - rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; - path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - git - gnugrep - gnused - openssh - socat - ]); - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ - < ./retiolum/scripts/github_hosts_sync/hosts-sync \ - > $out/bin/github-hosts-sync - - chmod +x $out/bin/github-hosts-sync - ''; -} diff --git a/Zpkgs/tv/github-known_hosts.nix b/Zpkgs/tv/github-known_hosts.nix deleted file mode 100644 index 302fdd8d5..000000000 --- a/Zpkgs/tv/github-known_hosts.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -let - github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); -in - -toFile "github-known_hosts" - (concatMapStrings - (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") - (range 0 255)) -- cgit v1.2.3 [cgit] Unable to lock slot /tmp/cgit/56000000.lock: No such file or directory (2)