diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index bd17c3765..5dde50ea4 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -3,15 +3,8 @@ with config.krebs.lib; let - # https://github.com/NixOS/nixpkgs/issues/14026 - nixpkgs-fix = import (pkgs.fetchgit { - url = https://github.com/nixos/nixpkgs; - rev = "e026b5c243ea39810826e68362718f5d703fb5d0"; - sha256 = "87e0724910a6df0371f883f99a8cf42e366fb4119f676f6f74ffb404beca2632"; - }) {}; - - buildbot = nixpkgs-fix.buildbot; - buildbot-master-config = pkgs.writeText "buildbot-master.cfg" '' + buildbot = pkgs.buildbot; + buildbot-master-config = pkgs.writePython2 "buildbot-master.cfg" '' # -*- python -*- from buildbot.plugins import * import re diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 9af42acc9..17eae1778 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -153,6 +153,7 @@ let to = concatMapStringsSep "," (getAttr "mail") (toList to); }; in mapAttrsToList format (with config.krebs.users; let + eloop-ml = spam-ml ++ [ ciko Mic92 ]; spam-ml = [ lass makefu @@ -161,8 +162,10 @@ let ciko.mail = "wieczorek.stefan@gmail.com"; Mic92.mail = "joerg@higgsboson.tk"; in { - "*@eloop.org" = [{ mail = "eloop2016@krebsco.de"; }]; - "eloop2016@krebsco.de" = spam-ml ++ [ ciko Mic92 ]; + "cfp@eloop.org" = eloop-ml; + "kontakt@eloop.org" = eloop-ml; + "root@eloop.org" = eloop-ml; + "eloop2016@krebsco.de" = eloop-ml; "postmaster@krebsco.de" = spam-ml; # RFC 822 "lass@krebsco.de" = lass; "makefu@krebsco.de" = makefu; diff --git a/krebs/5pkgs/apt-cacher-ng/default.nix b/krebs/5pkgs/apt-cacher-ng/default.nix index abf8d677a..53736dcfb 100644 --- a/krebs/5pkgs/apt-cacher-ng/default.nix +++ b/krebs/5pkgs/apt-cacher-ng/default.nix 
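Review bot: With the `"*@eloop.org"` catch-all removed in the second hunk of krebs/3modules/default.nix, only `cfp`, `kontakt` and `root` at eloop.org are still routed, so `postmaster@eloop.org` no longer has an alias among the lines shown. The neighbouring `"postmaster@krebsco.de" = spam-ml; # RFC 822` shows the convention this file follows; I would add `"postmaster@eloop.org" = eloop-ml; # RFC 822` beside the new entries. The attribute set continues outside the hunk, so an alias further down may already cover this.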
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "apt-cacher-ng-${version}"; - version = "0.9.3"; + version = "0.9.3.2"; src = fetchurl { url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz"; - sha256 = "1bd7l1wg0q1p9pg0v6lqflf2znydx8mrh2jxbvv6xsrp1473nfwg"; + sha256 = "1bvng9mwrggvc93q2alj0x72i56wifnjs2dsycr17mapsv0f2gnc"; }; NIX_LDFLAGS = "-lpthread"; diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix index 4c087bc44..841543819 100644 --- a/krebs/5pkgs/builders.nix +++ b/krebs/5pkgs/builders.nix @@ -253,5 +253,27 @@ rec { ${pkgs.cabal2nix}/bin/cabal2nix ${path} > $out ''); + writePython2 = name: src: pkgs.runCommand name {} /* sh */ '' + name=${assert types.filename.check name; name} + src=${shell.escape src} + + # syntax check + printf '%s' "$src" > src.py + ${pkgs.python2}/bin/python -m py_compile src.py + + cp src.py "$out" + ''; + + writePython3 = name: src: pkgs.runCommand name {} /* sh */ '' + name=${assert types.filename.check name; name} + src=${shell.escape src} + + # syntax check + printf '%s' "$src" > src.py + ${pkgs.python3}/bin/python -m py_compile src.py + + cp src.py "$out" + ''; + writeSed = makeScriptWriter "${pkgs.gnused}/bin/sed -f"; } diff --git a/krebs/5pkgs/games-user-env/default.nix b/krebs/5pkgs/games-user-env/default.nix new file mode 100644 index 000000000..abe770ed1 --- /dev/null +++ b/krebs/5pkgs/games-user-env/default.nix 
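Review bot: `writePython2` and `writePython3` in krebs/5pkgs/builders.nix are identical apart from the interpreter, and the shell variable `name` is assigned but never read; it seems to exist only to evaluate the `types.filename.check` assert. I would move the body into one helper that takes the interpreter as its first argument and define `writePython2 = writePython pkgs.python2;` and `writePython3 = writePython pkgs.python3;`, with a comment on the `name=` line saying it is there for the assert. The `# syntax check` comment should also say that `py_compile` only parses the file, so undefined names or bad imports in a generated config still pass the build and fail only when the service starts.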
@@ -0,0 +1,34 @@ +{ lib, pkgs, ... }: let + +#TODO: make sure env exists prior to running +env_nix = pkgs.writeText "env.nix" '' + { pkgs ? import {} }: + + (pkgs.buildFHSUserEnv { + name = "simple-x11-env"; + targetPkgs = pkgs: with pkgs; [ + coreutils + ]; + multiPkgs = pkgs: with pkgs; [ + alsaLib + zlib + xorg.libXxf86vm + curl + openal + openssl_1_0_2 + xorg.libXext + xorg.libX11 + xorg.libXrandr + xorg.libXcursor + xorg.libXinerama + xorg.libXi + mesa_glu + ]; + runScript = "bash"; + }).env +''; + + +in pkgs.writeDashBin "games-user-env" '' + nix-shell ${env_nix} +'' diff --git a/krebs/5pkgs/tarantool/default.nix b/krebs/5pkgs/tarantool/default.nix new file mode 100644 index 000000000..9e22fd4f3 --- /dev/null +++ b/krebs/5pkgs/tarantool/default.nix @@ -0,0 +1,21 @@ +{ stdenv, fetchgit, cmake, ncurses, openssl, readline, ... }: + +stdenv.mkDerivation rec { + name = "tarantool-1.7.1-164-g0fd0239"; + src = fetchgit { + url = https://github.com/tarantool/tarantool; + rev = builtins.elemAt (builtins.match ".*-g([0-9a-f]+)" name) 0; + sha256 = "1jnaiizbl9j4a8vsihqx75iqa9bkh1kpwsyrgmim8ikiyzfw54dz"; + fetchSubmodules = true; + }; + buildInputs = [ + cmake + ncurses + openssl + readline + ]; + preConfigure = '' + echo ${(builtins.parseDrvName name).version} > VERSION + sed -i 's/NAMES termcap/NAMES ncurses/' cmake/FindTermcap.cmake + ''; +} diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 84191da0b..92a1b51e9 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -17,7 +17,6 @@ ../2configs/wine.nix ../2configs/chromium-patched.nix ../2configs/git.nix - ../2configs/bitlbee.nix ../2configs/skype.nix ../2configs/teamviewer.nix ../2configs/libvirt.nix diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 1bc8d5744..9da261ed4 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
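Review bot: `nix-shell ${env_nix}` evaluates the generated expression at run time against whatever nixpkgs the invoking user's NIX_PATH resolves, not against the `pkgs` this package was built with, so the versions of `curl` and `openssl_1_0_2` inside the FHS environment depend on each user's channel and can lag behind the system's. Building the environment from the package's own `pkgs.buildFHSUserEnv` and wrapping its result would pin it to the system's nixpkgs and remove the run-time evaluation. As rendered here the default argument reads `import {}`, which is not valid Nix; it presumably lost a `<nixpkgs>` path in extraction, but that is worth confirming in the file. The `#TODO` line should say which "env" must exist and what happens when it does not.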
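Review bot: `rev` in krebs/5pkgs/tarantool/default.nix is the seven-character abbreviation parsed out of `name`, so the fetch relies on the remote resolving a short id; `sha256` still guards the content, but an abbreviated id can become ambiguous as the repository grows and makes the pin harder to audit. I would write the full id, `rev = "<full 40-hex commit id>";`, and keep the `name` parsing only for the `VERSION` file. As written, `builtins.elemAt (builtins.match …) 0` also fails with an unhelpful error if `name` is later changed to a form without a `-g<hash>` suffix, because `builtins.match` then returns null.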
@@ -188,9 +188,16 @@ in { "fullchain.pem" "full.pem" ]; - user = "ejabberd"; + allowKeysForGroup = true; + group = "lasscert"; }; }; + users.groups.lasscert.members = [ + "dovecot2" + "ejabberd" + "exim" + "nginx" + ]; krebs.nginx.servers."lassul.us" = { server-names = [ "lassul.us" ]; locations = [ diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 6d26ff89a..dce7dae40 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -16,7 +16,7 @@ in { systemWide = true; }; - users.extraUsers.mainUser.extraGroups = [ "audio" ]; + users.extraUsers.mainUser.extraGroups = [ "audio" "video" ]; time.timeZone = "Europe/Berlin"; diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 1db3ffd1f..12a5a7365 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -8,9 +8,6 @@ let ControlPath /tmp/%u_sshmux_%r@%h:%p ControlPersist 4h ''; - sshWrapper = pkgs.writeDash "ssh-wrapper" '' - ${pkgs.openssh}/bin/ssh -F ${sshHostConfig} -i ${shell.escape config.lass.build-ssh-privkey.path} "$@" - ''; in { config.krebs.buildbot.master = let @@ -47,8 +44,8 @@ in { sched.append(schedulers.SingleBranchScheduler( change_filter=util.ChangeFilter(branch_re=".*"), treeStableTimer=10, - name="prism-all-branches", - builderNames=["build-all"])) + name="build-all-branches", + builderNames=["build-all", "build-pkgs"])) ''; }; builder_pre = '' @@ -74,7 +71,7 @@ in { # prepare nix-shell # the dependencies which are used by the test script - deps = [ "gnumake", "jq", "nix", "(import ).pkgs.populate" ] + deps = [ "gnumake", "jq", "nix", "(import ).pkgs.populate", "openssh" ] # TODO: --pure , prepare ENV in nix-shell command: # SSL_CERT_FILE,LOGNAME,NIX_REMOTE nixshell = ["nix-shell", 
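Review bot: `allowKeysForGroup = true` together with `group = "lasscert"` makes the certificate's private key readable by every member of the new group (`dovecot2`, `ejabberd`, `exim` and `nginx`), where the removed `user = "ejabberd"` line named a single owner. A compromise of any one of these four daemons now exposes the key that all of them present. If they have to share one certificate, a comment above `users.groups.lasscert.members` such as `# members can read the TLS private key; keep this list minimal` would record the trade-off; separate certificates per service would contain the exposure better. The certificate definition starts above the hunk, so the names it covers are not visible here.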
@@ -93,20 +90,20 @@ in { for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]: addShell(f,name="build-{}".format(i),env=env_lass, command=nixshell + \ - ["make \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ test \ - ssh=${sshWrapper} \ - target=build@localhost${config.users.users.build.home}/testbuild \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ method=build \ system={}".format(i)]) for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: addShell(f,name="build-{}".format(i),env=env_makefu, command=nixshell + \ - ["make \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ test \ - ssh=${sshWrapper} \ - target=build@localhost${config.users.users.build.home}/testbuild \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ method=build \ system={}".format(i)]) @@ -114,7 +111,7 @@ in { slavenames=slavenames, factory=f)) - ''; + ''; fast-tests = '' f = util.BuildFactory() 
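Review bot: The new build target `/tmp/testbuild/$LOGNAME` is a fixed path in a world-writable directory, and `mkdir -p` succeeds silently when the path already exists, so another local account on the build host can create `/tmp/testbuild` first and then control the tree that `make test` populates and evaluates. A directory under the build user's home closes that, for example `mkdir -p "$HOME/testbuild" && touch "$HOME/testbuild/.populate" && \` with `target=` changed to match. The `;` before `make` in the current line also lets `make` run after a failed `mkdir` or `touch`, which `&&` would prevent. The same command line is repeated in the other `addShell` loops of this file (full-tests, fast-tests, build-pkgs) and in shared/2configs/shared-buildbot.nix, so the fix belongs in all of them. Removing `ssh=${sshWrapper}` means the step now depends on the slave's default ssh configuration and keys, which deserves a comment.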
@@ -122,37 +119,94 @@ in { for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]: addShell(f,name="build-{}".format(i),env=env_lass, command=nixshell + \ - ["make \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ test \ - ssh=${sshWrapper} \ - target=build@localhost${config.users.users.build.home}/testbuild \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ method=eval \ system={}".format(i)]) for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: addShell(f,name="build-{}".format(i),env=env_makefu, command=nixshell + \ - ["make \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ test \ - ssh=${sshWrapper} \ - target=build@localhost${config.users.users.build.home}/testbuild \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ method=eval \ system={}".format(i)]) - for i in [ "test-minimal-deploy" ]: + for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf" ]: addShell(f,name="build-{}".format(i),env=env_shared, command=nixshell + \ - ["make \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ test \ - ssh=${sshWrapper} \ - target=build@localhost${config.users.users.build.home}/testbuild \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ method=eval \ system={}".format(i)]) bu.append(util.BuilderConfig(name="fast-tests", slavenames=slavenames, factory=f)) + ''; + build-pkgs = '' + f = util.BuildFactory() + f.addStep(grab_repo) + for i in [ + "apt-cacher-ng", + "bepasty-client-cli", + "cac-api", + "cac-cert", + "cac-panel", + "charybdis", + "collectd-connect-time", + "dic", + "drivedroid-gen-repo", + "exim", + "fortclientsslvpn", + "get", + "git-hooks", + "github-hosts-sync", + "go", + "hashPassword", + "haskellPackages.blessings", + "haskellPackages.email-header", + "haskellPackages.megaparsec", + 
"haskellPackages.scanner", + "haskellPackages.xmonad-stockholm", + "krebspaste", + "krebszones", + "logf", + "much", + "newsbot-js", + "noVNC", + "passwdqc-utils", + "populate", + "posix-array", + "pssh", + "push", + "Reaktor", + "realwallpaper", + "repo-sync", + "retiolum-bootstrap", + "tarantool", + "test", + "tinc_graphs", + "translate-shell", + "urlwatch", + "vncdotool", + "with-tmpdir", + "youtube-tools", + ]: + addShell(f,name="build-{}".format(i),env=env_lass, + command=nixshell + \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make system=prism pkgs.{}".format(i)]) + bu.append(util.BuilderConfig(name="build-pkgs", + slavenames=slavenames, + factory=f)) ''; }; enable = true; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 622ef1185..dbb2a853a 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -44,6 +44,11 @@ with config.krebs.lib; }; }; } + { + environment.variables = { + NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; + }; + } ]; networking.hostName = config.krebs.build.host.name; diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 597d20721..a6de7c581 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -15,10 +15,11 @@ in { extraGroups = [ "download" ]; - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - config.krebs.users.lass-shodan.pubkey + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + lass-uriel.pubkey + lass-shodan.pubkey + makefu.pubkey ]; }; diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix index ff5698e4e..9988e788f 100644 --- a/lass/2configs/mpv.nix +++ b/lass/2configs/mpv.nix 
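Review bot: Adding `makefu.pubkey` to `openssh.authorizedKeys.keys` in lass/2configs/downloading.nix gives a second person SSH login to this account, and nothing in the hunk says why. A trailing comment on the line, e.g. `makefu.pubkey # <reason for access>`, would make the grant auditable when the list is reviewed later. The user definition starts above the hunk, so any restrictions on the account (shell, home, group rights beyond `download`) are not visible here and should be checked before widening access.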
@@ -28,6 +28,9 @@ let good = moveToDir "G" "./.good"; delete = moveToDir "D" "./.graveyard"; + up = moveToDir "U" "./up"; + down = moveToDir "Y" "./down"; + deleteCurrentTrack = pkgs.writeText "delete.lua" '' deleted_tmp = "./.graveyard" diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index f2b70d831..46ff3fbf9 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix @@ -159,7 +159,6 @@ let torrentfreak|http://feeds.feedburner.com/Torrentfreak|#news torr_news|http://feed.torrentfreak.com/Torrentfreak/|#news travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#news - #truther|http://truthernews.wordpress.com/feed/|#news un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#news un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#news un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#news diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index b758bc24a..576447542 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/lassulus/nixpkgs; - ref = "c6ca9c8c8b7eb8f8e68868e36fb90e162adf080f"; + ref = "a75c0d9342ecb86dedd11f61a4e6f59ecc42d151"; }; } diff --git a/shared/1systems/test-arch.nix b/shared/1systems/test-arch.nix index 14fc0384b..a13fea425 100644 --- a/shared/1systems/test-arch.nix +++ b/shared/1systems/test-arch.nix @@ -3,7 +3,6 @@ { imports = [ ../. - ../2configs/base.nix { boot.loader.grub = { device = "/dev/sda"; diff --git a/shared/1systems/test-centos6.nix b/shared/1systems/test-centos6.nix index 8add0b7c1..ebcece383 100644 --- a/shared/1systems/test-centos6.nix +++ b/shared/1systems/test-centos6.nix @@ -8,7 +8,6 @@ let in { imports = [ ../. - ../2configs/base.nix ../2configs/os-templates/CAC-CentOS-6.5-64bit.nix { networking.interfaces.enp11s0.ip4 = [ diff --git a/shared/1systems/test-centos7.nix b/shared/1systems/test-centos7.nix index 65daff509..9ea063c9b 100644 
--- a/shared/1systems/test-centos7.nix +++ b/shared/1systems/test-centos7.nix @@ -6,7 +6,6 @@ let in { imports = [ ../. - ../2configs/base.nix ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/temp/networking.nix ../2configs/temp/dirs.nix diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index 3818cf2c5..8b0976537 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix @@ -7,7 +7,6 @@ in { imports = [ ../. - ../2configs/base.nix ../2configs/collectd-base.nix ../2configs/shack-nix-cacher.nix diff --git a/shared/2configs/base.nix b/shared/2configs/default.nix similarity index 83% rename from shared/2configs/base.nix rename to shared/2configs/default.nix index 5aa5897d7..31f786d1d 100644 --- a/shared/2configs/base.nix +++ b/shared/2configs/default.nix @@ -11,10 +11,13 @@ with config.krebs.lib; nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "63b9785"; # stable @ 2016-06-01 + ref = "9cb194cfa449c43f63185a25c8d10307aea3b358"; # nixos-16.03 @ 2016-08-05 }; - secrets.file = "${getEnv "HOME"}/secrets/krebs/${host.name}"; - stockholm.file = "${getEnv "HOME"}/stockholm"; + secrets.file = + if getEnv "dummy_secrets" == "true" + then toString + else "${getEnv "HOME"}/secrets/krebs/${host.name}"; + stockholm.file = getEnv "PWD"; }; networking.hostName = config.krebs.build.host.name; diff --git a/shared/2configs/shared-buildbot.nix b/shared/2configs/shared-buildbot.nix index 688f8f9aa..22144e9ec 100644 --- a/shared/2configs/shared-buildbot.nix +++ b/shared/2configs/shared-buildbot.nix @@ -71,7 +71,11 @@ # prepare grab_repo step for stockholm grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental') - env = {"LOGNAME": "shared", "NIX_REMOTE": "daemon"} + env = { + "LOGNAME": "shared", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + } # prepare nix-shell # the dependencies which are used by the test script 
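Review bot: `secrets.file` in shared/2configs/default.nix now switches on the environment variable `dummy_secrets` at evaluation time, so any run that inherits `dummy_secrets=true`, not only the buildbot one, silently uses the test secrets (presumably the empty `retiolum.rsa_key.priv` and `ssh.id_ed25519` fixtures added in this commit) in place of the host's real ones. I would make the switch visible, e.g. `then builtins.trace "dummy_secrets=true: using test secrets" (toString <path as in the file>)`, and add a comment that the variable is for CI evaluation only. As rendered, `then toString` has no argument, which would yield a function rather than a path; it presumably lost an angle-bracket path in extraction. `stockholm.file = getEnv "PWD"` similarly ties the source tree to the directory the command is started from, which should be documented next to it.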
@@ -91,52 +95,39 @@ ''; builder = { fast-tests = '' - f = util.BuildFactory() - f.addStep(grab_repo) - for i in [ "test-centos7", "wolf", "test-failing" ]: - addShell(f,name="populate-{}".format(i),env=env, - command=nixshell + \ - ["{}(make system={} populate debug=true)".format("!" if "failing" in i else "",i)]) + f = util.BuildFactory() + f.addStep(grab_repo) - # XXX we must prepare ./retiolum.rsa_key.priv for secrets to work - addShell(f,name="instantiate-test-all-modules",env=env, - command=nixshell + \ - ["touch retiolum.rsa_key.priv; \ - nix-instantiate \ - --show-trace --eval --strict --json \ - -I nixos-config=./shared/1systems/test-all-krebs-modules.nix \ - -I secrets=. \ - -A config.system.build.toplevel"] - ) + for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]: + addShell(f,name="build-{}".format(i),env=env, + command=nixshell + \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ + test \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ + method=eval \ + system={}".format(i)]) - addShell(f,name="build-test-minimal",env=env, - command=nixshell + \ - ["nix-instantiate \ - --show-trace --eval --strict --json \ - -I nixos-config=./shared/1systems/test-minimal-deploy.nix \ - -I secrets=. 
\ - -A config.system.build.toplevel"] - ) + bu.append(util.BuilderConfig(name="fast-tests", + slavenames=slavenames, + factory=f)) - bu.append(util.BuilderConfig(name="fast-tests", - slavenames=slavenames, - factory=f)) - ''; + ''; # this build will try to build against local nixpkgs # TODO change to do a 'local' populate and use the retrieved nixpkgs build-local = '' f = util.BuildFactory() f.addStep(grab_repo) - addShell(f,name="build-test-all-modules",env=env, + for i in [ "test-all-krebs-modules", "wolf" ]: + addShell(f,name="build-{}".format(i),env=env, command=nixshell + \ - ["touch retiolum.rsa_key.priv; \ - nix-build \ - --show-trace --no-out-link \ - -I nixos-config=./shared/1systems/test-all-krebs-modules.nix \ - -I secrets=. \ - -A config.system.build.toplevel"] - ) + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ + test \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ + method=build \ + system={}".format(i)]) bu.append(util.BuilderConfig(name="build-local", slavenames=slavenames, diff --git a/shared/6tests/data/secrets/grafana_security.nix b/shared/6tests/data/secrets/grafana_security.nix new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/shared/6tests/data/secrets/grafana_security.nix @@ -0,0 +1 @@ +{} diff --git a/shared/6tests/data/secrets/retiolum.rsa_key.priv b/shared/6tests/data/secrets/retiolum.rsa_key.priv new file mode 100644 index 000000000..e69de29bb diff --git a/shared/6tests/data/secrets/ssh.id_ed25519 b/shared/6tests/data/secrets/ssh.id_ed25519 new file mode 100644 index 000000000..e69de29bb diff --git a/shared/default.nix b/shared/default.nix index 69b4abaac..320e1a133 100644 --- a/shared/default.nix +++ b/shared/default.nix @@ -2,6 +2,7 @@ _: { imports = [ ../krebs + ./2configs ./3modules ]; } diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index cade6fa7b..591edafb6 100644 --- a/tv/2configs/exim-smarthost.nix 
+++ b/tv/2configs/exim-smarthost.nix @@ -19,6 +19,7 @@ with config.krebs.lib; config.krebs.hosts.xu ]; internet-aliases = with config.krebs.users; [ + { from = "bku-eppler@viljetic.de"; to = tv.mail; } { from = "postmaster@viljetic.de"; to = tv.mail; } # RFC 822 { from = "mirko@viljetic.de"; to = mv-cd.mail; } { from = "tomislav@viljetic.de"; to = tv.mail; }