From 064d0111a0f56b813dba23ca0b19438f0c2e0530 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 16 Feb 2016 05:09:09 +0100 Subject: krebs.build: refactor a bit --- krebs/3modules/build.nix | 117 +++++++++++++++++++---------------------------- 1 file changed, 48 insertions(+), 69 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index a1f446188..c700fbc56 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -20,35 +20,19 @@ let type = types.user; }; - options.krebs.build.source = let - raw = types.either types.str types.path; - url = types.submodule { + options.krebs.build.source = mkOption { + type = with types; attrsOf (either str (submodule { options = { - url = mkOption { - type = types.str; - }; - rev = mkOption { - type = types.str; - }; - dev = mkOption { - type = types.str; - }; + url = str; + rev = str; }; - }; - in mkOption { - type = types.attrsOf (types.either types.str url); - apply = let f = mapAttrs (_: value: { - string = value; - path = toString value; - set = f value; - }.${typeOf value}); in f; + })); default = {}; }; options.krebs.build.populate = mkOption { type = types.str; default = let - source = config.krebs.build.source; target-user = maybeEnv "target_user" "root"; target-host = maybeEnv "target_host" config.krebs.build.host.name; target-port = maybeEnv "target_port" "22"; 
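Review bot: `rev = str;` in the new `source` submodule accepts any git ref, not only a commit hash, so a branch or tag name is silently allowed as a pin; the fetch logic elsewhere in this module (visible in a later commit of this series) compares `git log --format=%H -1` against the rev, which only ever settles when rev is a full hash. Consider stating the expectation, `rev = mkOption { type = str; description = "full commit hash to check out"; };`, or a stricter type if krebs/4lib/types.nix offers one. Dropping the former `dev` field is an interface change the hunk does not mention. The `options.krebs.build.populate` definition that starts at the bottom of this hunk continues outside it.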
@@ -75,24 +59,21 @@ let tmpdir=$(mktemp -dt stockholm.XXXXXXXX) chmod 0755 "$tmpdir" - ${concatStringsSep "\n" - (mapAttrsToList - (name: spec: let dst = removePrefix "symlink:" (get-url spec); in - "verbose ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") - symlink-specs)} + ${concatStringsSep "\n" (mapAttrsToList (name: symlink: '' + verbose ln -s ${shell.escape symlink.target} \ + "$tmpdir"/${shell.escape name} + '') source-by-method.symlink)} verbose proot \ - -b $tmpdir:${shell.escape target-path} \ - ${concatStringsSep " \\\n " - (mapAttrsToList - (name: spec: - "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}") - file-specs)} \ + -b "$tmpdir":${shell.escape target-path} \ + ${concatStringsSep " \\\n " (mapAttrsToList (name: file: + "-b ${shell.escape "${file.path}:${target-path}/${name}"}" + ) source-by-method.file)} \ rsync \ -f ${shell.escape "P /*"} \ - ${concatMapStringsSep " \\\n " - (name: "-f ${shell.escape "R /${name}"}") - (attrNames file-specs)} \ + ${concatMapStringsSep " \\\n " (name: + "-f ${shell.escape "R /${name}"}" + ) (attrNames source-by-method.file)} \ --delete \ -vFrlptD \ -e ${shell.escape "ssh -p ${target-port}"} \ @@ -100,30 +81,6 @@ let ${shell.escape "${target-user}@${target-host}:${target-path}"} ''; - get-schema = uri: - if substring 0 1 uri == "/" - then "file" - else head (splitString ":" uri); - - has-schema = schema: uri: get-schema uri == schema; - - get-url = spec: { - string = spec; - path = toString spec; - set = get-url spec.url; - }.${typeOf spec}; - - git-specs = - filterAttrs (_: spec: has-schema "https" (get-url spec)) source // - filterAttrs (_: spec: has-schema "http" (get-url spec)) source // - filterAttrs (_: spec: has-schema "git" (get-url spec)) source; - - file-specs = - filterAttrs (_: spec: has-schema "file" (get-url spec)) source; - - symlink-specs = - filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; - git-script = '' #! /bin/sh set -efu 
@@ -162,20 +119,42 @@ let git clean -dxf )} - ${concatStringsSep "\n" - (mapAttrsToList - (name: spec: toString (map shell.escape [ - "verbose" - "fetch_git" - "${target-path}/${name}" - spec.url - spec.rev - ])) - git-specs)} + ${concatStringsSep "\n" (mapAttrsToList (name: git: '' + verbose fetch_git ${concatMapStringsSep " " shell.escape [ + "${target-path}/${name}" + git.url + git.rev + ]} + '') source-by-method.git)} ''; in out; }; }; + source-by-method = let + known-methods = ["git" "file" "symlink"]; + in genAttrs known-methods (const {}) // recursiveUpdate source-by-scheme { + git = source-by-scheme.http or {} // + source-by-scheme.https or {}; + }; + + source-by-scheme = foldl' (out: { k, v }: recursiveUpdate out { + ${v.scheme}.${k} = v; + }) {} (mapAttrsToList (k: v: { inherit k v; }) normalized-source); + + normalized-source = mapAttrs (name: let f = x: getAttr (typeOf x) { + path = f (toString x); + string = f { + url = if substring 0 1 x == "/" then "file://${x}" else x; + }; + set = let scheme = head (splitString ":" x.url); in recursiveUpdate x { + inherit scheme; + } // { + symlink.target = removePrefix "symlink:" x.url; + file.path = # TODO file://host/... + assert hasPrefix "file:///" x.url; + removePrefix "file://" x.url; + }.${scheme} or {}; + }; in f) config.krebs.build.source; in out -- cgit v1.2.3 From 2d79335e34d639657bd0045f9a6b777778a5ad82 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 17:07:16 +0100 Subject: tv.mail: wu -> nomic --- krebs/3modules/tv/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index f8d3d8671..300fce017 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix 
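Review bot: `normalized-source` derives `scheme` from `head (splitString ":" x.url)` and `source-by-method` only consumes the `git`, `file` and `symlink` buckets, so a source whose URL has a misspelled scheme (or no `:` at all) lands in an unused bucket and is silently left out of the populate script instead of failing evaluation. A check in `source-by-method` such as `let unknown = filter (s: !elem s ["git" "http" "https" "file" "symlink"]) (attrNames source-by-scheme); in assert unknown == []; ...`, or a `throw` in place of the trailing `or {}` for unrecognised schemes, turns that into an evaluation error. The `file.path` branch asserts the `file:///` prefix, but `symlink.target` takes the remainder of the URL verbatim, which is fine only as long as the `ln -s` in the earlier hunk keeps its `shell.escape`.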
@@ -352,7 +352,7 @@ with config.krebs.lib; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"; }; tv = { - mail = "tv@wu.retiolum"; + mail = "tv@nomic.retiolum"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDFR//RnCvEZAt0F6ExDsatKZ/DDdifanuSL360mqOhaFieKI34RoOwfQT9T+Ga52Vh5V2La6esvlph686EdgzeKLvDoxEwFM9ZYFBcMrNzu4bMTlgE7YUYw5JiORyXNfznBGnme6qpuvx9ibYhUyiZo99kM8ys5YrUHrP2JXQJMezDFZHxT4GFMOuSdh/1daGoKKD6hYL/jEHX8CI4E3BSmKK6ygYr1fVX0K0Tv77lIi5mLXucjR7CytWYWYnhM6DC3Hxpv2zRkPgf3k0x/Y1hrw3V/r0Me5h90pd2C8pFaWA2ZoUT/fmyVqvx1tZPYToU/O2dMItY0zgx2kR0yD+6g7Aahz3R+KlXkV8k5c8bbTbfGnZWDR1ZlbLRM9Yt5vosfwapUD90MmVkpmR3wUkO2sUKi80QfC7b4KvSDXQ+MImbGxMaU5Bnsq1PqLN95q+uat3nlAVBAELkcx51FlE9CaIS65y4J7FEDg8BE5JeuCNshh62VSYRXVSFt8bk3f/TFGgzC8OIo14BhVmiRQQ503Z1sROyf5xLX2a/EJavMm1i2Bs2TH6ROKY9z5Pz8hT5US0r381V8oG7TZyLF9HTtoy3wCYsgWA5EmLanjAsVU2YEeAA0rxzdtYP8Y2okFiJ6u+M4HQZ3Wg3peSodyp3vxdYce2vk4EKeqEFuuS82850DYb7Et7fmp+wQQUT8Q/bMO0DreWjHoMM5lE4LJ4ME6AxksmMiFtfo/4Fe2q9D+LAqZ+ANOcv9M+8Rn6ngiYmuRNd0l/a02q1PEvO6vTfXgcl4f7Z1IULHPEaDNZHCJS1K5RXYFqYQ6OHsTmOm7hnwaRAS97+VFMo1i5uvTx9nYaAcY7yzq3Ckfb67dMBKApGOpJpkvPgfrP7bgBO5rOZXM1opXqVPb09nljAhhAhyCTh1e/8+mJrBo0cLQ/LupQzVxGDgm3awSMPxsZAN45PSWz76zzxdDa1MMo51do+VJHfs7Wl0NcXAQrniOBYL9Wqt0qNkn1gY5smkkISGeQ/vxNap4MmzeZE7b5fpOy+2fpcRVQLpc4nooQzJvSVTFz+25lgZ6iHf45K87gQFMIAri1Pf/EDDpL87az+bRWvWi+BA2kMe1kf+Ay1LyMz8r+g51H0ma0bNFh6+fbWMfUiD9JCepIObclnUJ4NlWfcgHxTf17d/4tl6z4DTcLpCCk8Da77JouSHgvtcRbRlFV1OfhWZLXUsrlfpaQTiItv6TGIr3k7+7b66o3Qw/GQVs5GmYifaIZIz8n8my4XjkaMBd0SZfBzzvFjHMq6YUP9+SbjvReqofuoO+5tW1wTYZXitFFBfwuHlXm6w77K5QDBW6olT7pat41/F5eGxLcz tv@wu"; }; tv-nomic = { -- cgit v1.2.3 From 8c264139b294cbbea27a042263a4b76991910f02 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 18 Feb 2016 01:15:58 +0100 Subject: krebs.build: use $F5 to prefix verbose commands --- krebs/3modules/build.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'krebs') 
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index c700fbc56..b8ea34ae2 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -42,12 +42,13 @@ let set -eu verbose() { - printf '+%s\n' "$(printf ' %q' "$@")" >&2 + printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2 "$@" } - echo ${shell.escape git-script} \ - | ssh -p ${shell.escape target-port} \ + { printf 'PS5=%q%q\n' @ "$PS5" + echo ${shell.escape git-script} + } | verbose ssh -p ${shell.escape target-port} \ ${shell.escape "${target-user}@${target-host}"} -T unset tmpdir @@ -86,7 +87,7 @@ let set -efu verbose() { - printf '+%s\n' "$(printf ' %q' "$@")" >&2 + printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2 "$@" } -- cgit v1.2.3 From 1de8d5c44d9a3fe15aaace950347986aeaa0a355 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 18 Feb 2016 02:47:16 +0100 Subject: krebs.backup: talk about local and remote rsync --- krebs/3modules/backup.nix | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 0aa86dec9..97082f56a 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -117,6 +117,14 @@ let "$dst_user@$dst_host" \ -T "$with_dst_path_lock_script" } + rsh="ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}" + local_rsync() { + rsync "$@" + } + remote_rsync=${shell.escape (concatStringsSep " && " [ + "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current" + "exec flock -n ${shell.escape plan.dst.path} rsync" + ])} ''; pull = '' identity=${shell.escape plan.dst.host.ssh.privkey.path} @@ -131,6 +139,12 @@ let dst_shell() { eval "$with_dst_path_lock_script" } + rsh="ssh -F /dev/null -i $identity ''${src_port:+-p $src_port}" + local_rsync() { + mkdir -m 0700 -p ${shell.escape plan.dst.path}/current + flock -n ${shell.escape plan.dst.path} rsync "$@" + } + remote_rsync=rsync ''; }} # Note that this only works because we trust date +%s to produce output 
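Review bot: The new `verbose` in the populate script expands `"$PS5"` under `set -eu`, so if the caller does not set PS5 the first verbose command aborts with an unbound-variable error rather than printing with an empty prefix; the remote `git-script` copy is covered because the pipeline prepends `PS5=...` to it, but the local script is not. A default next to `set -eu`, written `PS5=''${PS5-}` in the Nix string, keeps the previous behaviour when PS5 is unset; if the Makefile always exports PS5 that is worth a comment instead. The populate default string this sits in begins outside the hunk.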
@@ -140,13 +154,10 @@ let with_dst_path_lock_script="exec env start_date=$(date +%s) "${shell.escape "flock -n ${shell.escape plan.dst.path} /bin/sh" } - rsync >&2 \ + local_rsync >&2 \ -aAXF --delete \ - -e "ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}" \ - --rsync-path ${shell.escape (concatStringsSep " && " [ - "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current" - "exec flock -n ${shell.escape plan.dst.path} rsync" - ])} \ + --rsh="$rsh" \ + --rsync-path="$remote_rsync" \ --link-dest="$dst_path/current" \ "$src/" \ "$dst/.partial" -- cgit v1.2.3 From bca88ce7c65d424cdda61f4a588794e8d52ed394 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 18 Feb 2016 16:42:11 +0100 Subject: krebs.urlwatch: add hooksFile and per-url filter --- krebs/3modules/urlwatch.nix | 69 +++++++++++++++++++++++++++++---------------- 1 file changed, 45 insertions(+), 24 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index cd4976a21..ed1a21260 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -3,7 +3,6 @@ # TODO multiple users # TODO inform about unused caches # cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" -# TODO hooks.py with config.krebs.lib; let @@ -32,6 +31,14 @@ let Content of the From: header of the generated mails. ''; }; + # TODO hooks :: attrsOf hook + hooksFile = mkOption { + type = with types; nullOr path; + default = null; + description = '' + File to use as hooks.py module. + ''; + }; mailto = mkOption { type = types.str; default = config.krebs.build.user.mail; @@ -48,7 +55,7 @@ let ''; }; urls = mkOption { - type = with types; listOf str; + type = with types; listOf (either str subtypes.job); default = []; description = "URL to watch."; example = [ @@ -56,7 +63,10 @@ let ]; apply = map (x: getAttr (typeOf x) { set = x; - string.url = x; + string = { + url = x; + filter = null; + }; }); }; verbose = mkOption { 
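Review bot: The new `hooksFile` option's description, "File to use as hooks.py module.", does not say that the file is Python which urlwatch imports and runs as the service user, nor that a Nix path literal given here is copied into the world-readable Nix store when it is interpolated into the command line. Suggest extending the description to `Python module passed to urlwatch as --hooks. It is executed by the urlwatch service user and, when given as a path literal, ends up in the world-readable Nix store, so it must not contain credentials.` The `--hooks` wiring that interpolates it appears in a later hunk of this file.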
@@ -68,9 +78,12 @@ let }; }; - urlsFile = toFile "urls" (concatMapStringsSep "\n---\n" toJSON cfg.urls); + urlsFile = pkgs.writeText "urls" + (concatMapStringsSep "\n---\n" toJSON cfg.urls); + + hooksFile = cfg.hooksFile; - configFile = toFile "urlwatch.yaml" (toJSON { + configFile = pkgs.writeText "urlwatch.yaml" (toJSON { display = { error = true; new = true; @@ -127,10 +140,10 @@ let User = user.name; PermissionsStartOnly = "true"; PrivateTmp = "true"; + SyslogIdentifier = "urlwatch"; Type = "oneshot"; ExecStartPre = - pkgs.writeScript "urlwatch-prestart" '' - #! /bin/sh + pkgs.writeDash "urlwatch-prestart" '' set -euf dataDir=$HOME @@ -140,31 +153,29 @@ let chown ${user.name}: "$dataDir" fi ''; - ExecStart = pkgs.writeScript "urlwatch" '' - #! /bin/sh + ExecStart = pkgs.writeDash "urlwatch" '' set -euf - from=${escapeShellArg cfg.from} - mailto=${escapeShellArg cfg.mailto} - urlsFile=${escapeShellArg urlsFile} - configFile=${escapeShellArg configFile} cd /tmp urlwatch \ ${optionalString cfg.verbose "-v"} \ - --urls="$urlsFile" \ - --config="$configFile" \ + --config=${shell.escape configFile} \ + ${optionalString (hooksFile != null) + "--hooks=${shell.escape hooksFile}" + } \ + --urls=${shell.escape urlsFile} \ > changes || : if test -s changes; then - date=$(date -R) - subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ - | tr \\n \ ) { - echo "Date: $date" - echo "From: $from" - echo "Subject: $subject" - echo "To: $mailto" + echo Date: $(date -R) + echo From: ${shell.escape cfg.from} + echo Subject: $( + sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ + | tr '\n' ' ' + ) + echo To: ${shell.escape cfg.mailto} echo cat changes } | /var/setuid-wrappers/sendmail -t 
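Review bot: In the rewritten `ExecStart`, `echo Date: $(date -R)` and `echo Subject: $(sed ... | tr '\n' ' ')` drop the double quotes the previous version kept around these values, so the substituted text is word-split before `echo` rejoins it; this is harmless only because `set -euf` above disables pathname expansion in a script running in `/tmp`, and the subject text comes from urlwatch output rather than from the module. Writing `echo "Date: $(date -R)"` and `echo "Subject: $(...)"` keeps the behaviour independent of that `-f`. The `tr '\n' ' '` step is the only thing keeping the externally derived subject on one header line before `sendmail -t`, which deserves a short comment.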
@@ -181,5 +192,15 @@ let name = "urlwatch"; uid = genid name; }; -in -out + + subtypes.job = types.submodule { + options = { + url = mkOption { + type = types.str; + }; + filter = mkOption { + type = with types; nullOr str; # TODO nullOr subtypes.filter + }; + }; + }; +in out -- cgit v1.2.3 From 47ef169276fcb500a3764c050dbeca1f7fc4a18b Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:18:28 +0100 Subject: krebs.hosts.*: set owner --- krebs/3modules/lass/default.nix | 2 +- krebs/3modules/makefu/default.nix | 2 +- krebs/3modules/miefda/default.nix | 2 +- krebs/3modules/mv/default.nix | 2 +- krebs/3modules/tv/default.nix | 2 +- krebs/4lib/types.nix | 9 +++++++++ 6 files changed, 14 insertions(+), 5 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 41a609105..4bf10ac56 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) { dishfire = { cores = 4; nets = rec { diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 6af77ad9b..d309c1714 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) { pnp = { cores = 1; nets = { diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix index 6587ad92d..9a5866294 100644 --- a/krebs/3modules/miefda/default.nix +++ b/krebs/3modules/miefda/default.nix @@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.miefda) { bobby = { cores = 4; nets = { diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix index 33f941aae..3b4001e7a 100644 --- a/krebs/3modules/mv/default.nix +++ b/krebs/3modules/mv/default.nix 
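Review bot: `subtypes.job.options.filter` is declared `nullOr str` without a `default`, while the string form of a URL is normalised by the earlier `apply` to `{ url = x; filter = null; }`; a job written as an attribute set that omits `filter` therefore has the option declared but not defined, and serialising it with `toJSON` in `urlsFile` looks like it would fail evaluation with an "option used but not defined" error. Adding `default = null;` to the option gives both spellings the same shape. The `apply` and `urlsFile` code referred to here is in earlier hunks of this file.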
@@ -3,7 +3,7 @@ with config.krebs.lib; { - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.mv) { stro = { cores = 4; nets = { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 300fce017..1a9198b4e 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -6,7 +6,7 @@ with config.krebs.lib; dns.providers = { de.viljetic = "regfish"; }; - hosts = { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) { cd = rec { cores = 2; extraZones = { diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index d0a537467..d63080b99 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -20,6 +20,15 @@ types // rec { default = {}; }; + owner = mkOption { + type = user; + # TODO proper user + default = { + name = "krebs"; + mail = "spam@krebsco.de"; + }; + }; + extraZones = mkOption { default = {}; # TODO: string is either MX, NS, A or AAAA -- cgit v1.2.3 From dbe2ece8ad962d654bc34f3a7c4802768df71ebb Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:18:50 +0100 Subject: krebs.hosts.*.infest: RIP --- krebs/4lib/types.nix | 13 ------------- 1 file changed, 13 deletions(-) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index d63080b99..7fb206928 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -35,19 +35,6 @@ types // rec { type = with types; attrsOf string; }; - infest = { - addr = mkOption { - type = str; - apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.addr' is used. It was replaced by the `target' argument to `make` or `get`. See Makefile for more information."; - }; - port = mkOption { - type = int; - default = 22; - # TODO replacement: allow target with port, SSH-style: [lol]:666 - apply = trace "Obsolete option `krebs.hosts.${config.name}.infest.port' is used. It's gone without replacement."; - }; - }; - secure = mkOption { type = bool; default = false; -- cgit v1.2.3 
From bb201b19659b1da47f212d3b74cd18da543e8d6e Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 16:37:25 +0100 Subject: push: 1.1.1 -> 1.1.2 --- krebs/5pkgs/push/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'krebs') diff --git a/krebs/5pkgs/push/default.nix b/krebs/5pkgs/push/default.nix index 13769c747..aa17a21a9 100644 --- a/krebs/5pkgs/push/default.nix +++ b/krebs/5pkgs/push/default.nix @@ -1,20 +1,21 @@ { fetchgit, lib, stdenv , coreutils -, get , git +, gnumake , gnused , jq +, nix , openssh , parallel , ... }: stdenv.mkDerivation { - name = "push-1.1.1"; + name = "push-1.1.2"; src = fetchgit { url = http://cgit.cd.krebsco.de/push; - rev = "ea8b76569c6b226fe148e559477669b095408472"; - sha256 = "c305a1515d30603f6ed825d44487e863fdc7d90400620ceaf2c335a3b5d1e221"; + rev = "da5b3a4b05ef822cc41d36b6cc2071a2e78506d4"; + sha256 = "0gfxz207lm11g77rw02jcqpvzhx07j9hzgjgscbmslzl5r8icd6g"; }; phases = [ @@ -26,10 +27,11 @@ stdenv.mkDerivation { let path = lib.makeSearchPath "bin" [ coreutils - get git + gnumake gnused jq + nix openssh parallel ]; -- cgit v1.2.3 From a60767166201066eea80b7f53fdcc2e623dc769a Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 18:54:20 +0100 Subject: krebs.build.populate: allow overriding ssh --- krebs/3modules/build.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index b8ea34ae2..08a7cd047 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -41,6 +41,8 @@ let #! /bin/sh set -eu + ssh=''${ssh-ssh} + verbose() { printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2 "$@" @@ -48,7 +50,7 @@ let { printf 'PS5=%q%q\n' @ "$PS5" echo ${shell.escape git-script} - } | verbose ssh -p ${shell.escape target-port} \ + } | verbose $ssh -p ${shell.escape target-port} \ ${shell.escape "${target-user}@${target-host}"} -T unset tmpdir 
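Review bot: `ssh=''${ssh-ssh}` followed by the unquoted `verbose $ssh -p ...` (and `-e "$ssh -p ..."` for rsync in the next hunk) deliberately word-splits a caller-supplied command string, so whoever runs the populate step can substitute an arbitrary program and options here; that is the purpose of the change, but nothing in the hunk records it. A comment at the assignment such as `# ssh may be overridden from the environment (e.g. a wrapper with options); intentionally expanded unquoted` makes the trust boundary explicit for readers of the generated script. The populate script this sits in begins outside the hunk.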
@@ -77,7 +79,7 @@ let ) (attrNames source-by-method.file)} \ --delete \ -vFrlptD \ - -e ${shell.escape "ssh -p ${target-port}"} \ + -e "$ssh -p ${shell.escape target-port}" \ ${shell.escape target-path}/ \ ${shell.escape "${target-user}@${target-host}:${target-path}"} ''; -- cgit v1.2.3 From 2ff36bad032df0900e13a3ec743b09064c3d07c6 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 18:56:01 +0100 Subject: test infest-cac-centos7: use make install interface --- krebs/5pkgs/test/infest-cac-centos7/notes | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'krebs') diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes index db80c0c6c..6bb0258a9 100755 --- a/krebs/5pkgs/test/infest-cac-centos7/notes +++ b/krebs/5pkgs/test/infest-cac-centos7/notes @@ -1,4 +1,4 @@ -# nix-shell -p gnumake jq openssh cac-api cac-panel +# nix-shell -p gnumake jq openssh cac-api cac-panel sshpass set -eufx # 2 secrets are required: @@ -99,7 +99,7 @@ defer "cac-api delete $id;$old_trapstr" mkdir -p shared/2configs/temp cac-api generatenetworking $id > \ shared/2configs/temp/networking.nix -# new temporary ssh key we will use to log in after infest +# new temporary ssh key we will use to log in after install ssh-keygen -f $krebs_ssh -N "" cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv # we override the directories for secrets and stockholm 
@@ -118,12 +118,12 @@ _: { } EOF -LOGNAME=shared make eval get=krebs.infest \ - target=derp system=test-centos7 filter=json \ - | sed -e "s#^ssh.*<<#cac-api ssh $id<<#" \ - -e "/^rsync/a -e 'cac-api ssh $id' \\\\" \ - -e "s#root.derp:#:#" > $krebs_secrets/infest -sh -x $krebs_secrets/infest +make install \ + LOGNAME=shared \ + SSHPASS="$(cac-api getserver $id | jq -r .rootpass)" \ + ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \ + system=test-centos7 \ + target=$ip # TODO: generate secrets directory $krebs_secrets for nix import cac-api powerop $id reset -- cgit v1.2.3 From 1226a20038fa61e8a98b31f223a59b244dd6cd03 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 19:12:09 +0100 Subject: krebs.build.populate fetch_git: checkout with force --- krebs/3modules/build.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 08a7cd047..d4c6b08df 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -116,7 +116,7 @@ let if ! test "$(git log --format=%H -1)" = "$hash"; then git fetch origin git checkout "$hash" -- "$dst_dir" - git checkout "$hash" + git checkout -f "$hash" fi git clean -dxf -- cgit v1.2.3 From d8d39f5c4a9925f2098e58dc80e36920ece6ac71 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 19 Feb 2016 19:37:00 +0100 Subject: prepare_common: simplify nixos-install installation --- krebs/4lib/infest/prepare.sh | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) (limited to 'krebs') diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index b3824c7d4..a217e7bed 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh 
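Review bot: The new `make install` invocation passes `ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'`, which disables host-key verification for the whole install; against an instance created moments earlier there is no key to pin yet, but the script should say so, e.g. `# host key checking is off: the VM was just created by this script and is deleted at the end`. The root password is handed over through the SSHPASS environment variable (`sshpass -e`) rather than on the command line, which keeps it out of process listings, and a one-line comment on that choice helps too. `$ip` is used as `target=` but is not assigned anywhere in this hunk; presumably it is set earlier in the script.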
@@ -184,26 +184,21 @@ prepare_common() {( . /root/.nix-profile/etc/profile.d/nix.sh - for i in \ - bash \ - coreutils \ - # This line intentionally left blank. - do - if ! nix-env -q $i | grep -q .; then - nix-env -iA nixpkgs.pkgs.$i - fi - done + mkdir -p /mnt/"$target_path" + mkdir -p "$target_path" + + if ! mountpoint "$target_path"; then + mount --rbind /mnt/"$target_path" "$target_path" + fi + + mkdir -p bin + rm -f bin/nixos-install + cp "$(type -p nixos-install)" bin/nixos-install + sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install - # install nixos-install - if ! type nixos-install 2>/dev/null; then - nixpkgs_expr='import { system = builtins.currentSystem; }' - nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) - nix-env \ - --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ - --arg pkgs "$nixpkgs_expr" \ - --arg modulesPath 'throw "no modulesPath"' \ - -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ - -iA config.system.build.nixos-install + if ! grep -q '^PATH.*#krebs' .bashrc; then + echo '. /root/.nix-profile/etc/profile.d/nix.sh' >> .bashrc + echo 'PATH=$HOME/bin:$PATH #krebs' >> .bashrc fi )} -- cgit v1.2.3 From b5fbca3a365b1188c1274e3288ba39a88ecad2e3 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 05:27:37 +0100 Subject: krebs.secret: init --- krebs/3modules/default.nix | 1 + krebs/3modules/secret.nix | 39 +++++++++++++++++++++++++++++++++++++++ krebs/4lib/types.nix | 13 +++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 krebs/3modules/secret.nix (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index c06f3754e..df1c7db63 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./realwallpaper.nix ./retiolum-bootstrap.nix ./retiolum.nix + ./secret.nix ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix 
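Review bot: The line `sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install` splices `$target_path` into the sed program unescaped, so a value containing `@`, `&` or a backslash corrupts the rewrite, and the replacement also drops the double quotes the original `NIX_PATH="..."` assignment had, which matters if the path contains whitespace. Using `s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=\"$target_path\"@` restores the quoting; escaping the value before interpolation covers the rest. The `mkdir -p bin`, `cp ... bin/nixos-install` and `.bashrc` edits are relative to the current directory, which the hunk does not show (presumably /root), and `mountpoint "$target_path"` without `-q` prints to stdout. `prepare_common` starts outside the hunk.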
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix new file mode 100644 index 000000000..46802a661 --- /dev/null +++ b/krebs/3modules/secret.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }@args: with config.krebs.lib; let + cfg = config.krebs.secret; +in { + options.krebs.secret = { + files = mkOption { + type = with types; attrsOf secret-file; + default = {}; + }; + }; + config = lib.mkIf (cfg.files != {}) { + systemd.services.secret = let + # TODO fail if two files have the same path but differ otherwise + files = unique (map (flip removeAttrs ["_module"]) + (attrValues cfg.files)); + in { + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + SyslogIdentifier = "secret"; + ExecStart = pkgs.writeDash "install-secret-files" '' + exit_code=0 + ${concatMapStringsSep "\n" (file: '' + ${pkgs.coreutils}/bin/install \ + -D \ + --compare \ + --verbose \ + --mode=${shell.escape file.mode} \ + --owner=${shell.escape file.owner-name} \ + --group=${shell.escape file.group-name} \ + ${shell.escape file.source-path} \ + ${shell.escape file.path} \ + || exit_code=1 + '') files} + exit $exit_code + ''; + }; + }; + }; +} diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 7fb206928..55301add5 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -143,6 +143,19 @@ types // rec { merge = mergeOneOption; }; + secret-file = submodule ({ config, ... }: { + options = { + path = mkOption { type = str; }; + mode = mkOption { type = str; default = "0400"; }; + owner-name = mkOption { type = str; default = "root"; }; + group-name = mkOption { type = str; default = "root"; }; + source-path = mkOption { + type = str; + default = toString + "/${config._module.args.name}"; + }; + }; + }); + suffixed-str = suffs: mkOptionType { name = "string suffixed by ${concatStringsSep ", " suffs}"; -- cgit v1.2.3 From e4d427602c229a782297a74b50b2f67524e9e0d6 Mon Sep 17 00:00:00 2001 
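Review bot: `systemd.services.secret` declares no `wantedBy` and nothing in this hunk pulls it in, so unless another module references the unit it is never started and the files are never installed; it is also not ordered before any consumer, so a service that reads these files at boot may race it. The `krebs.secret.files` option has no `description`, and the module does not record what keeps the secrets out of the Nix store: the copy runs inside the service with `install -D --compare` from `source-path`, which is why that option is a `str` holding a runtime path rather than a Nix path literal that interpolation would copy into the world-readable store. A description such as `Files installed at runtime by secret.service from source-path (a runtime path, never a store path) with the given mode, owner and group.` preserves that invariant for the next contributor. The TODO on duplicate paths is already acknowledged in the hunk.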
From: tv Date: Sun, 21 Feb 2016 06:38:09 +0100 Subject: krebs.types.user: add home :: absolute-pathname --- krebs/4lib/types.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 55301add5..41af1cd4f 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -165,6 +165,10 @@ types // rec { user = submodule ({ config, ... }: { options = { + home = mkOption { + type = absolute-pathname; + default = "/home/${config.name}"; + }; mail = mkOption { type = str; # TODO retiolum mail address }; @@ -226,6 +230,21 @@ types // rec { merge = mergeOneOption; }; + # POSIX.1‐2013, 3.2 Absolute Pathname + # TODO normalize slashes + # TODO two slashes + absolute-pathname = mkOptionType { + name = "POSIX absolute pathname"; + check = s: pathname.check s && substring 0 1 s == "/"; + }; + + # POSIX.1‐2013, 3.267 Pathname + # TODO normalize slashes + pathname = mkOptionType { + name = "POSIX pathname"; + check = s: isString s && all filename.check (splitString "/" s); + }; + # POSIX.1-2013, 3.431 User Name username = mkOptionType { name = "POSIX username"; -- cgit v1.2.3 From 05be525be6d0896b155da7305b2cee950fb3530e Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 06:56:57 +0100 Subject: krebs.types.user: add uid :: int --- krebs/3modules/tv/default.nix | 1 + krebs/4lib/default.nix | 2 +- krebs/4lib/types.nix | 4 ++++ 3 files changed, 6 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 1a9198b4e..b0011ccf7 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -354,6 +354,7 @@ with config.krebs.lib; tv = { mail = "tv@nomic.retiolum"; pubkey = "ssh-rsa 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 tv@wu"; + uid = 1337; # TODO use default }; tv-nomic = { inherit (tv) mail; diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index d5b6d03ac..8e5cab71f 100644 
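Review bot: `pathname.check` splits on `/` and requires every piece to satisfy `filename.check`, so an absolute path such as `/home/tv` yields a leading empty component; whether `absolute-pathname` ever accepts a value therefore depends on `filename.check` admitting the empty string, which this hunk does not show — if it does not, the `home` default `"/home/${config.name}"` added above fails its own type check. Either document next to the `# TODO two slashes` note that `filename.check` accepts `""`, or strip the leading segment before the `all`, e.g. check `removePrefix "/" s` inside `absolute-pathname`. The normalisation TODOs show the limitation is known.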
--- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -15,7 +15,7 @@ let out = rec { addNames = mapAttrs addName; - types = import ./types.nix { inherit lib; }; + types = import ./types.nix { lib = lib // { inherit genid; }; }; dir.has-default-nix = path: pathExists (path + "/default.nix"); diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 41af1cd4f..422627296 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -179,6 +179,10 @@ types // rec { pubkey = mkOption { type = str; }; + uid = mkOption { + type = int; + default = genid config.name; + }; }; }); -- cgit v1.2.3 From e3ddf995e92985ee14dab5735ac55045c166aaaf Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 07:18:13 +0100 Subject: krebs types.secret-file: owner-name -> owner :: user --- krebs/3modules/default.nix | 7 +++++++ krebs/3modules/secret.nix | 2 +- krebs/4lib/types.nix | 10 ++++++++-- 3 files changed, 16 insertions(+), 3 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index df1c7db63..7a343d333 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -104,6 +104,13 @@ let retiolum = "hosts"; }; + krebs.users.root = { + home = "/root"; + name = "root"; + pubkey = config.krebs.build.host.ssh.pubkey; + uid = 0; + }; + networking.extraHosts = concatStringsSep "\n" (flatten ( mapAttrsToList (hostname: host: mapAttrsToList (netname: net: diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix index 46802a661..579f375f3 100644 --- a/krebs/3modules/secret.nix +++ b/krebs/3modules/secret.nix @@ -25,7 +25,7 @@ in { --compare \ --verbose \ --mode=${shell.escape file.mode} \ - --owner=${shell.escape file.owner-name} \ + --owner=${shell.escape file.owner.name} \ --group=${shell.escape file.group-name} \ ${shell.escape file.source-path} \ ${shell.escape file.path} \ diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 422627296..7792b31d5 100644 --- a/krebs/4lib/types.nix 
+++ b/krebs/4lib/types.nix @@ -147,8 +147,14 @@ types // rec { options = { path = mkOption { type = str; }; mode = mkOption { type = str; default = "0400"; }; - owner-name = mkOption { type = str; default = "root"; }; - group-name = mkOption { type = str; default = "root"; }; + owner = mkOption { + type = user; + default = config.krebs.users.root; + }; + group-name = mkOption { + type = str; + default = "root"; + }; source-path = mkOption { type = str; default = toString + "/${config._module.args.name}"; -- cgit v1.2.3 From 67e5fddc0bfe624c6b53b673582e92a28cf530f9 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 07:39:24 +0100 Subject: krebs.users.krebs: init --- krebs/3modules/default.nix | 15 ++++++++++----- krebs/3modules/git.nix | 6 ++++-- krebs/3modules/lib.nix | 2 +- krebs/4lib/default.nix | 7 +++++-- krebs/4lib/types.nix | 11 ++++------- 5 files changed, 24 insertions(+), 17 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 7a343d333..aeeabfe53 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -104,11 +104,16 @@ let retiolum = "hosts"; }; - krebs.users.root = { - home = "/root"; - name = "root"; - pubkey = config.krebs.build.host.ssh.pubkey; - uid = 0; + krebs.users = { + krebs = { + home = "/krebs"; + mail = "spam@krebsco.de"; + }; + root = { + home = "/root"; + pubkey = config.krebs.build.host.ssh.pubkey; + uid = 0; + }; }; networking.extraHosts = concatStringsSep "\n" (flatten ( diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index a9542718d..0cc2f11c9 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix 
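Review bot: `default = config.krebs.users.root;` sits inside `secret-file = submodule ({ config, ... }: ...)`, where `config` is the submodule's own value rather than the system configuration, so unless a later change renames that parameter this default resolves against a secret-file that has no `krebs` attribute and evaluation fails. The same pattern appears in the next commit's types.nix hunk (`default = config.krebs.users.krebs;` for the host `owner`), where the file-level `{ config, lib, ... }:` argument being added is shadowed by the host submodule's own `config` (that submodule reads `config.name` elsewhere in this file). Binding the outer argument under another name, e.g. `{ config, lib, ... }@args:` at the top of the file and `default = args.config.krebs.users.root;` here, avoids the shadowing.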
@@ -232,13 +232,15 @@ let ]) (filter (rule: rule.perm.allow-receive-ref != null) cfg.rules)); }; - users.extraUsers = singleton rec { + # TODO cfg.user + users.users.git = rec { description = "Git repository hosting user"; name = "git"; shell = "/bin/sh"; openssh.authorizedKeys.keys = mapAttrsToList (_: makeAuthorizedKey git-ssh-command) - config.krebs.users; + (filterAttrs (_: user: isString user.pubkey) + config.krebs.users); uid = genid name; }; }; diff --git a/krebs/3modules/lib.nix b/krebs/3modules/lib.nix index b19f275b5..ccd6a6afa 100644 --- a/krebs/3modules/lib.nix +++ b/krebs/3modules/lib.nix @@ -10,6 +10,6 @@ let type = types.attrs; }; imp = { - krebs.lib = lib // import ../4lib { inherit lib; } // builtins; + krebs.lib = lib // import ../4lib { inherit config lib; } // builtins; }; in out diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 8e5cab71f..e23e42b19 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ config, lib, ... }: with builtins; with lib; @@ -15,7 +15,10 @@ let out = rec { addNames = mapAttrs addName; - types = import ./types.nix { lib = lib // { inherit genid; }; }; + types = import ./types.nix { + inherit config; + lib = lib // { inherit genid; }; + }; dir.has-default-nix = path: pathExists (path + "/default.nix"); diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 7792b31d5..fcb6ff3d3 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ config, lib, ... }: with builtins; with lib; @@ -22,11 +22,7 @@ types // rec { owner = mkOption { type = user; - # TODO proper user - default = { - name = "krebs"; - mail = "spam@krebsco.de"; - }; + default = config.krebs.users.krebs; }; extraZones = mkOption { @@ -183,7 +179,8 @@ types // rec { default = config._module.args.name; }; pubkey = mkOption { - type = str; + type = nullOr str; + default = null; }; uid = mkOption { type = int; -- cgit v1.2.3 
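Review bot: With the `isString user.pubkey` filter, the git user's authorized keys are every `krebs.users` entry that carries a pubkey, and since the previous commit that set includes `root`, whose pubkey is `config.krebs.build.host.ssh.pubkey`; if that is the host's SSH host key, the key material held by the host's sshd can also authenticate as `git` on that host. That may well be intended, but it is not visible from this hunk, so I would state it next to the filter: `# every krebs user with a pubkey, including the host-keyed root entry, may authenticate as git`. The `# TODO cfg.user` line could also say what is meant to become configurable (the user name, the uid, or both).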
From de5de37a12771db395f7bc1954be52f51f54b9e2 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 20:04:45 +0100 Subject: krebs.dns.providers: attrsOf unspecified -> attrsOf str --- krebs/3modules/default.nix | 14 +++++++------- krebs/3modules/tv/default.nix | 2 +- krebs/4lib/default.nix | 2 -- krebs/4lib/dns.nix | 31 ------------------------------- krebs/4lib/listset.nix | 11 ----------- 5 files changed, 8 insertions(+), 52 deletions(-) delete mode 100644 krebs/4lib/dns.nix delete mode 100644 krebs/4lib/listset.nix (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index aeeabfe53..662fd6489 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -43,9 +43,7 @@ let dns = { providers = mkOption { - # TODO with types; tree dns.label dns.provider, so we can merge. - # Currently providers can only be merged if aliases occur just once. - type = with types; attrsOf unspecified; + type = with types; attrsOf str; }; }; @@ -95,7 +93,7 @@ let { krebs = import ./tv { inherit config lib; }; } { krebs.dns.providers = { - de.krebsco = "zones"; + "krebsco.de" = "zones"; gg23 = "hosts"; shack = "hosts"; i = "hosts"; @@ -116,13 +114,15 @@ let }; }; - networking.extraHosts = concatStringsSep "\n" (flatten ( + networking.extraHosts = let + domains = attrNames (filterAttrs (_: eq "hosts") cfg.dns.providers); + check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; + in concatStringsSep "\n" (flatten ( mapAttrsToList (hostname: host: mapAttrsToList (netname: net: let aliases = longs ++ shorts; - providers = dns.split-by-provider net.aliases cfg.dns.providers; - longs = providers.hosts; + longs = filter check net.aliases; shorts = let s = ".${cfg.search-domain}"; in map (removeSuffix s) (filter (hasSuffix s) longs); in diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index b0011ccf7..533502914 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix 
@@ -4,7 +4,7 @@ with config.krebs.lib; { dns.providers = { - de.viljetic = "regfish"; + "viljetic.de" = "regfish"; }; hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) { cd = rec { diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index e23e42b19..deac02bb7 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -22,10 +22,8 @@ let out = rec { dir.has-default-nix = path: pathExists (path + "/default.nix"); - dns = import ./dns.nix { inherit lib; }; genid = import ./genid.nix { lib = lib // out; }; git = import ./git.nix { lib = lib // out; }; - listset = import ./listset.nix { inherit lib; }; shell = import ./shell.nix { inherit lib; }; tree = import ./tree.nix { inherit lib; }; diff --git a/krebs/4lib/dns.nix b/krebs/4lib/dns.nix deleted file mode 100644 index b2cf3c24c..000000000 --- a/krebs/4lib/dns.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ lib, ... }: - -let - listset = import ./listset.nix { inherit lib; }; -in - -with builtins; -with lib; - -rec { - # label = string - - # TODO does it make sense to have alias = list label? - - # split-by-provider : - # [[label]] -> tree label provider -> listset provider alias - split-by-provider = as: providers: - foldl (m: a: listset.insert (provider-of a providers) a m) {} as; - - # provider-of : alias -> tree label provider -> provider - # Note that we cannot use tree.get here, because path can be longer - # than the tree depth. - provider-of = a: - let - go = path: tree: - if typeOf tree == "string" - then tree - else go (tail path) tree.${head path}; - in - go (reverseList (splitString "." a)); -} diff --git a/krebs/4lib/listset.nix b/krebs/4lib/listset.nix deleted file mode 100644 index 3aae22f20..000000000 --- a/krebs/4lib/listset.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ lib, ... }: - -with lib; - -rec { - # listset k v = set k [v] - - # insert : k -> v -> listset k v -> listset k v - insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; -} -- cgit v1.2.3 
From a73eaae18c3e873c09c313590a0ab8dad1fbc5d9 Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 21:51:11 +0100 Subject: krebs.exim*: admit *.r --- krebs/3modules/default.nix | 13 +++++++----- krebs/3modules/exim-retiolum.nix | 36 +++++++++++++++++++++++---------- krebs/3modules/exim-smarthost.nix | 42 +++++++++++++++++++++++++-------------- krebs/3modules/shared/default.nix | 1 + 4 files changed, 61 insertions(+), 31 deletions(-) (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 662fd6489..186469e97 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -143,12 +143,11 @@ let { text=(stripEmptyLines value); }) all-zones; krebs.exim-smarthost.internet-aliases = let - format = from: to: + format = from: to: { + inherit from; # TODO assert is-retiolum-mail-address to; - { inherit from; - to = if typeOf to == "list" - then concatMapStringsSep "," (getAttr "mail") to - else to.mail; }; + to = concatMapStringsSep "," (getAttr "mail") (toList to); + }; in mapAttrsToList format (with config.krebs.users; let spam-ml = [ lass @@ -167,6 +166,10 @@ let "makefu@retiolum" = makefu; "spam@retiolum" = spam-ml; "tv@retiolum" = tv; + "lass@r" = lass; + "makefu@r" = makefu; + "spam@r" = spam-ml; + "tv@r" = tv; }); services.openssh.hostKeys = diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 1722eef1f..6e6928f89 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix 
@@ -11,6 +11,24 @@ let api = { enable = mkEnableOption "krebs.exim-retiolum"; + local_domains = mkOption { + type = with types; listOf hostname; + default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases; + }; + primary_hostname = mkOption { + type = types.str; + default = let x = "${config.krebs.build.host.name}.r"; in + assert elem x config.krebs.build.host.nets.retiolum.aliases; + x; + }; + relay_to_domains = mkOption { + # TODO hostname with wildcards + type = with types; listOf str; + default = [ + "*.r" + "*.retiolum" + ]; + }; }; imp = { @@ -21,9 +39,9 @@ let # TODO modular configuration assert config.krebs.retiolum.enable; '' - primary_hostname = ${retiolumHostname} - domainlist local_domains = @ : localhost - domainlist relay_to_domains = *.retiolum + primary_hostname = ${cfg.primary_hostname} + domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} + domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} hostlist relay_from_hosts = <; 127.0.0.1 ; ::1 acl_smtp_rcpt = acl_check_rcpt @@ -85,7 +103,7 @@ let retiolum: driver = manualroute - domains = ! ${retiolumHostname} : *.retiolum + domains = ! +local_domains : +relay_to_domains transport = remote_smtp route_list = ^.* $0 byname no_more @@ -125,8 +143,8 @@ let # mode = 0660 begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") cfg.relay_to_domains} + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h begin rewrite @@ -134,8 +152,4 @@ let ''; }; }; - - # TODO get the hostname from somewhere else. - retiolumHostname = "${config.networking.hostName}.retiolum"; -in -out +in out diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 267ee2900..c976e89de 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix 
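Review bot: `relay_to_domains` is typed `listOf str` but its elements are joined with `concatStringsSep ":"` into an exim domainlist and, in the retry section, each element becomes the pattern field of a rule, so an element containing `:` or whitespace would silently turn into two list entries or a malformed rule; the same shape is in exim-smarthost.nix (the hunks on the following two lines). Until the wildcard-hostname type from the TODO exists, a cheap guard is `type = with types; addCheck (listOf str) (all (x: match ".*[: ;].*" x == null));`, assuming `lib` and `builtins` are in scope as in the sibling modules. Separately, the `primary_hostname` default fails with a bare "assertion failed" when `${host.name}.r` is missing from the retiolum aliases; `if elem x aliases then x else throw "primary_hostname ${x} is not a retiolum alias"` would tell the operator what to fix.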
@@ -25,14 +25,31 @@ let })); }; + local_domains = mkOption { + type = with types; listOf hostname; + default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases; + }; + relay_from_hosts = mkOption { type = with types; listOf str; default = []; + apply = xs: ["127.0.0.1" "::1"] ++ xs; + }; + + relay_to_domains = mkOption { + # TODO hostname with wildcards + type = with types; listOf str; + default = [ + "*.r" + "*.retiolum" + ]; }; primary_hostname = mkOption { type = types.str; - default = "${config.networking.hostName}.retiolum"; + default = let x = "${config.krebs.build.host.name}.r"; in + assert elem x config.krebs.build.host.nets.retiolum.aliases; + x; }; sender_domains = mkOption { @@ -63,19 +80,11 @@ let # HOST_REDIR contains the real destinations for "local_domains". #HOST_REDIR = /etc/exim4/host_redirect - # Domains not listed in local_domains need to be deliverable remotely. # XXX We abuse local_domains to mean "domains, we're the gateway for". - domainlist local_domains = @ : localhost - domainlist relay_to_domains = - hostlist relay_from_hosts = <;${concatStringsSep ";" ( - [ - "127.0.0.1" - "::1" - ] - ++ - cfg.relay_from_hosts - )} + domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} + domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} + hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts} acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data @@ -144,7 +153,7 @@ let retiolum: debug_print = "R: retiolum for $local_part@$domain" driver = manualroute - domains = ! ${cfg.primary_hostname} : *.retiolum + domains = ! +local_domains : +relay_to_domains transport = retiolum_smtp route_list = ^.* $0 byname no_more 
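Review bot: `domainlist relay_to_domains` goes from empty to `*.r : *.retiolum`, and whether unauthenticated internet senders may now submit mail for those domains depends on `acl_check_rcpt`, which is outside this hunk; if it carries the common `accept domains = +relay_to_domains` clause, the smarthost would relay into retiolum for any remote host. Worth confirming the ACL once, and recording the intent on the option so the next reader does not have to: `# consumed by the retiolum router and the retry rules; the rcpt ACL decides who may relay to these domains`. The `apply` on `relay_from_hosts` that prepends the loopback addresses is fine, but a one-line comment saying the loopbacks are always trusted would save a second look.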
@@ -197,8 +206,11 @@ let return_path_add begin retry - *.retiolum * F,42d,1m - * * F,2h,15m; G,16h,1h,1.5; F,4d,6h + ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") cfg.relay_to_domains} + ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") + # TODO don't include relay_to_domains + (map (getAttr "from") cfg.internet-aliases)} + * * F,2h,15m; G,16h,1h,1.5; F,4d,6h begin rewrite begin authenticators diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index 208b596f8..ccd15b569 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -15,6 +15,7 @@ let addrs4 = ["10.243.111.111"]; addrs6 = ["42:0:0:0:0:0:0:7357"]; aliases = [ + "test.r" "test.retiolum" ]; tinc.pubkey = '' -- cgit v1.2.3 From 76f1f8770d1b469d42f3f48c21208100199e17a1 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 22 Feb 2016 11:20:52 +0100 Subject: krebs types.host: properly access config.krebs.users --- krebs/4lib/types.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index fcb6ff3d3..839a1a923 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -4,6 +4,11 @@ with builtins; with lib; with types; +let + # Inherited attributes are used in submodules that have their own `config`. + inherit (config.krebs) users; +in + types // rec { host = submodule ({ config, ... }: { @@ -22,7 +27,7 @@ types // rec { owner = mkOption { type = user; - default = config.krebs.users.krebs; + default = users.krebs; }; extraZones = mkOption { -- cgit v1.2.3 From 937641b6139973339eebc88a475b3b895c9aa701 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 22 Feb 2016 11:33:51 +0100 Subject: cac-api: 1.1.0 -> 1.1.1 --- krebs/5pkgs/cac-api/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'krebs') diff --git a/krebs/5pkgs/cac-api/default.nix b/krebs/5pkgs/cac-api/default.nix index 30c0168f3..a57e730d3 100644 
--- a/krebs/5pkgs/cac-api/default.nix +++ b/krebs/5pkgs/cac-api/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchgit, bc, cac-cert, coreutils, curl, dash, gnugrep, gnused, inotifyTools, jq, ncurses, openssh, sshpass, ... }: stdenv.mkDerivation { - name = "cac-api-1.1.0"; + name = "cac-api-1.1.1"; src = fetchgit { url = http://cgit.cd.krebsco.de/cac-api; - rev = "0809fae379239687ed1170e04311dc2880ef0aba"; - sha256 = "357ced27c9ed88028967c934178a1d230bf38617a7494cd4632fabdd2a04fcdd"; + rev = "46c7af2935ccc096ba0e93cd1adf575026edf44a"; + sha256 = "0i8aspkmfw74np7hlbip3hk7zbgl6cxrnbg83x4wgqrj5dpx6vy0"; }; phases = [ @@ -29,7 +29,7 @@ stdenv.mkDerivation { ncurses openssh sshpass - ]} + ]}:"$PATH" EOF # [1]: Disable fetching tasks; listtasks is currently broken: # Unknown column 'iod.apitask.cid' in 'field list' -- cgit v1.2.3 From 8393444dce1888d369955e46dd16983a43762bb9 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 22 Feb 2016 13:24:03 +0100 Subject: cac-api: 1.1.1 -> 1.1.2 --- krebs/5pkgs/cac-api/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'krebs') diff --git a/krebs/5pkgs/cac-api/default.nix b/krebs/5pkgs/cac-api/default.nix index a57e730d3..52ada4f1b 100644 --- a/krebs/5pkgs/cac-api/default.nix +++ b/krebs/5pkgs/cac-api/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchgit, bc, cac-cert, coreutils, curl, dash, gnugrep, gnused, inotifyTools, jq, ncurses, openssh, sshpass, ... }: stdenv.mkDerivation { - name = "cac-api-1.1.1"; + name = "cac-api-1.1.2"; src = fetchgit { url = http://cgit.cd.krebsco.de/cac-api; - rev = "46c7af2935ccc096ba0e93cd1adf575026edf44a"; - sha256 = "0i8aspkmfw74np7hlbip3hk7zbgl6cxrnbg83x4wgqrj5dpx6vy0"; + rev = "67e93510e7742acae44db30275abbfe671aa9b7b"; + sha256 = "1vxh57j7vrq5sg9j1sam0538kkkhqpgf230vvdz2ifzgkj01z27l"; }; phases = [ -- cgit v1.2.3 [cgit] Unable to lock slot /tmp/cgit/15000000.lock: No such file or directory (2)
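Review bot: Appending `:"$PATH"` to the wrapper's search path, in a commit titled as a version bump, changes the tool's behaviour: any program not in the pinned list is now resolved from the caller's environment instead of failing, so what `cac-api` executes depends on the invoking shell's PATH. If that is deliberate, a comment on that line, `# pinned closure first; fall back to the caller's PATH for anything not listed`, would document it, and the list above it should be checked to be complete so the fallback is never relied on for the tools the script actually needs. The 1.1.2 bump on the same line is a plain version change and needs nothing.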