Merge remote-tracking branch 'lass/master'

2017-07-23 21:11:11 +02:00 · 2017-07-23 21:11:11 +02:00 · 1e3931d983
parent fd7d1531ac 1bf9e1e1ee
commit 1e3931d983
22 changed files with 248 additions and 116 deletions
--- a/8
+++ b/8
@ -102,13 +102,7 @@ ifneq ($(ssh),)
 populate: populate-flags += --ssh=$(ssh)
 endif
 populate:
-	nix-instantiate \
-		--eval \
-		--json \
-		--readonly-mode \
-		--show-trace \
-		--strict \
-		$(LOGNAME)/1systems/$(system)/source.nix | \
+	nix-shell --run 'get-source $(LOGNAME)/1systems/$(system)/source.nix' \
 	populate $(populate-target) $(populate-flags)

 # usage: make pkgs.populate
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@ -0,0 +1,17 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+  ];
+
+  krebs.build.host = config.krebs.hosts.hotdog;
+
+  boot.isContainer = true;
+  networking.useDHCP = false;
+}
--- a/krebs/1systems/hotdog/source.nix
+++ b/krebs/1systems/hotdog/source.nix
@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+  name = "hotdog";
+}
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@ -5,6 +5,7 @@
    <stockholm/krebs>
    <stockholm/krebs/2configs>
    <stockholm/krebs/2configs/secret-passwords.nix>
+    <stockholm/krebs/2configs/hw/x220.nix>

    <stockholm/krebs/2configs/repo-sync.nix>
    <stockholm/krebs/2configs/shared-buildbot.nix>
@ -48,10 +49,6 @@
    };
  };

-  hardware.enableAllFirmware = true;
-  networking.wireless.enable = true;
-  nixpkgs.config.allowUnfree = true;
-
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  networking.wireless.enable = lib.mkDefault true;
+
+  hardware.enableRedistributableFirmware = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  services.tlp.enable = true;
+
+  boot = {
+    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
+    extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
+    kernelParams = [ "acpi_backlight=none" ];
+  };
+
+  hardware.opengl.extraPackages = [
+    pkgs.vaapiIntel
+    pkgs.vaapiVdpau
+  ];
+
+  security.rngd.enable = true;
+
+  services.xserver = {
+    videoDriver = "intel";
+  };
+}
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@ -30,6 +30,30 @@ let
  });
 in {
  hosts = {
+    hotdog = {
+      owner = config.krebs.users.krebs;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.77.3";
+          ip6.addr = "42:0:0:0:0:0:77:3";
+          aliases = [
+            "hotdog.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
+            bZBrvxkIOyVs5oVtolPcaI0/nvtpIhSlmM6hg9qe1rZO6jXt53GVNvgdcUIfVHbX
+            mQmp4oVXOjPIeDqLn32Mc0O73Kp6i66zQGAXi8ejczuO0h6oSvAnjolT4wM9jugk
+            JBGCDlpl9mxAGDN5VOqbg2i0FxwtUk2UA9XghEaRcfBkVdsOrtW8sCwOg8YttQt9
+            fs7JjezUtw7JBxN754ynaahSRODcjyJhwjE18tKx6P7wsNbgbmULFQz+7IxZ01/P
+            h5ZUzfd1r1pTzQ0nYD5aRtlDd7zP7y5tUwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
+    };
    puyak = {
      owner = config.krebs.users.krebs;
      nets = {
--- a/krebs/5pkgs/writers.nix
+++ b/krebs/5pkgs/writers.nix
@ -262,7 +262,12 @@ with import <stockholm/lib>;
        };
      };

-    writeJSON = name: value: pkgs.writeText name (toJSON value);
+    writeJSON = name: value: pkgs.runCommand name {
+      json = toJSON value;
+      passAsFile = [ "json" ];
+    } /* sh */ ''
+      ${pkgs.jq}/bin/jq . "$jsonPath" > "$out"
+    '';

    writeNixFromCabal =
      trace (toString [
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@ -151,25 +151,41 @@ with import <stockholm/lib>;
      systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
    }
    {
-      krebs.iptables = {
+      networking.firewall = {
        enable = true;
-        tables = {
-          filter.INPUT.policy = "DROP";
-          filter.FORWARD.policy = "DROP";
-          filter.INPUT.rules = [
-            { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
-            { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
-            { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
-            { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
-            { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
-            { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
-            { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
-          ];
-        };
+        allowedTCPPorts = [ 22 ];
      };
    }
    {
      krebs.hidden-ssh.enable = true;
    }
+    {
+      services.xserver = {
+        enable = true;
+        #videoDrivers = mkForce [ "ati_unfree" ];
+
+        desktopManager.xterm.enable = false;
+        desktopManager.default = "none";
+        displayManager.lightdm.enable = true;
+        displayManager.lightdm.autoLogin = {
+          enable = true;
+          user = "lass";
+        };
+        windowManager.default = "xmonad";
+        windowManager.session = [{
+          name = "xmonad";
+          start = ''
+            ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
+            ${pkgs.xmonad-lass}/bin/xmonad &
+            waitPID=$!
+          '';
+        }];
+
+        layout = "us";
+        xkbModel = "evdev";
+        xkbVariant = "altgr-intl";
+        xkbOptions = "caps:backspace";
+      };
+    }
  ];
 }
--- a/lib/eval-source.nix
+++ b/lib/eval-source.nix
@ -10,6 +10,12 @@ let
      };
    };
  };
+  sanitize = x: getAttr (typeOf x) {
+    set = mapAttrs
+            (const sanitize)
+            (filterAttrs (name: value: name != "_module" && value != null) x);
+    string = x;
+  };
 in
  # This function's return value can be used as pkgs.populate input.
-  _file: source: (eval _file source).config.source
+  _file: source: sanitize (eval _file source).config.source
--- a/shell.nix
+++ b/shell.nix
@ -2,6 +2,10 @@ let
  lib = import ./lib;
  pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; };

+  #
+  # high level commands
+  #
+
  # usage: deploy [--user=USER] --system=SYSTEM [--target=TARGET]
  cmds.deploy = pkgs.writeDash "cmds.deploy" ''
    set -efu
@ -29,6 +33,69 @@ let
    exec ${utils.build} config.system.build.toplevel
  '';

+  #
+  # low level commands
+  #
+
+  # usage: get-source SOURCE_FILE
+  cmds.get-source = pkgs.writeDash "cmds.get-source" ''
+    set -efu
+    exec ${pkgs.nix}/bin/nix-instantiate \
+        --eval \
+        --json \
+        --readonly-mode \
+        --show-trace \
+        --strict \
+        "$1"
+  '';
+
+  # usage: parse-target [--default=TARGET] TARGET
+  # TARGET = [USER@]HOST[:PORT][/PATH]
+  cmds.parse-target = pkgs.writeDash "cmds.parse-target" ''
+    set -efu
+    args=$(${pkgs.utillinux}/bin/getopt -n "$0" -s sh \
+        -o d: \
+        -l default: \
+        -- "$@")
+    if \test $? != 0; then exit 1; fi
+    eval set -- "$args"
+    default_target=
+    while :; do case $1 in
+      -d|--default) default_target=$2; shift 2;;
+      --) shift; break;;
+    esac; done
+    target=$1; shift
+    for arg; do echo "$0: bad argument: $arg" >&2; done
+    if \test $# != 0; then exit 2; fi
+    exec ${pkgs.jq}/bin/jq \
+        -enr \
+        --arg default_target "$default_target" \
+        --arg target "$target" \
+        -f ${pkgs.writeText "cmds.parse-target.jq" ''
+          def parse: match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
+            user: .captures[0].string,
+            host: .captures[1].string,
+            port: .captures[2].string,
+            path: .captures[3].string,
+          };
+          def sanitize: with_entries(select(.value != null));
+          ($default_target | parse) + ($target | parse | sanitize) |
+          . + { local: (.user == env.LOGNAME and .host == env.HOSTNAME) }
+        ''}
+  '';
+
+  # usage: quote [ARGS...]
+  cmds.quote = pkgs.writeDash "cmds.quote" ''
+    set -efu
+    prefix=
+    for x; do
+      y=$(${pkgs.jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"')
+      echo -n "$prefix$y"
+      prefix=' '
+    done
+    echo
+  '';
+
  init.args = pkgs.writeText "init.args" /* sh */ ''
    args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \
        -o s:t:u: \
@ -54,7 +121,9 @@ let
    export target
    export user

-    export target_object="$(${init.env.parsetarget} $target)"
+    default_target=root@$system:22/var/src
+
+    export target_object="$(parse-target "$target" -d "$default_target")"
    export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
    export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
    export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
@ -68,35 +137,9 @@ let
      fi
    fi
  '' // {
-    parsetarget = pkgs.writeDash "init.env.parsetarget" ''
-      set -efu
-      exec ${pkgs.jq}/bin/jq \
-          -enr \
-          --arg target "$1" \
-          -f ${init.env.parsetarget.jq}
-    '' // {
-      jq = pkgs.writeText "init.env.parsetarget.jq" ''
-        def when(c; f): if c then f else . end;
-        def capturesDef(i; v): .captures[i].string | when(. == null; v);
-        $target | match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
-          user: capturesDef(0; "root"),
-          host: capturesDef(1; env.system),
-          port: capturesDef(2; "22"),
-          path: capturesDef(3; "/var/src"),
-        } | . + {
-          local: (.user == env.LOGNAME and .host == env.HOSTNAME),
-        }
-      '';
-    };
    populate = pkgs.writeDash "init.env.populate" ''
      set -efu
-      _source=$(${pkgs.nix}/bin/nix-instantiate \
-          --eval \
-          --json \
-          --readonly-mode \
-          --show-trace \
-          --strict \
-          "$source")
+      _source=$(get-source "$source")
      echo $_source |
      ${pkgs.populate}/bin/populate \
          "$target_user@$target_host:$target_port$target_path" \
@ -105,21 +148,17 @@ let
    '';
    proxy = pkgs.writeDash "init.env.proxy" ''
      set -efu
-      q() {
-        ${pkgs.jq}/bin/jq -nr --arg x "$*" '$x | @sh "\(.)"'
-      }
      exec ${pkgs.openssh}/bin/ssh \
        "$target_user@$target_host" -p "$target_port" \
        cd "$target_path/stockholm" \; \
-        NIX_PATH=$(q "$target_path") \
-        STOCKHOLM_VERSION=$STOCKHOLM_VERSION \
-        nix-shell \
-            --run $(q \
-                system=$system \
-                target=$target \
-                using_proxy=true \
-                "$*"
-            )
+        NIX_PATH=$(quote "$target_path") \
+        STOCKHOLM_VERSION=$(quote "$STOCKHOLM_VERSION") \
+        nix-shell --run "$(quote "
+          system=$(quote "$system") \
+          target=$(quote "$target") \
+          using_proxy=true \
+          $(quote "$@")
+        ")"
    '';
  };

@ -162,7 +201,8 @@ let
 in pkgs.stdenv.mkDerivation {
  name = "stockholm";
  shellHook = /* sh */ ''
-    export NIX_PATH="stockholm=$PWD''${NIX_PATH+:$NIX_PATH}"
+    export NIX_PATH=stockholm=$PWD:nixpkgs=${toString <nixpkgs>}
+    export NIX_REMOTE=daemon
    export PATH=${lib.makeBinPath [
      shell.cmdspkg
    ]}
--- a/tv/1systems/caxi/config.nix
+++ b/tv/1systems/caxi/config.nix
@ -1,25 +0,0 @@
-{ config, ... }:
-
-with import <stockholm/lib>;
-
-{
-  krebs.build.host = config.krebs.hosts.caxi;
-
-  imports = [
-    <stockholm/tv>
-    <stockholm/tv/2configs/hw/CAC-Developer-1.nix>
-    <stockholm/tv/2configs/fs/CAC-CentOS-7-64bit.nix>
-    <stockholm/tv/2configs/retiolum.nix>
-  ];
-
-  networking = let
-    inherit (config.krebs.build.host.nets.internet) ip4;
-  in {
-    interfaces.enp2s1.ip4 = singleton {
-      address = ip4.addr;
-      prefixLength = fromJSON (head (match ".*/([0-9]+)" ip4.prefix));
-    };
-    defaultGateway = head (match "([^/]*)\.0/[0-9]+" ip4.prefix) + ".1";
-    nameservers = ["8.8.8.8"];
-  };
-}
--- a/tv/1systems/caxi/source.nix
+++ b/tv/1systems/caxi/source.nix
@ -1,3 +0,0 @@
-import <stockholm/tv/source.nix> {
-  name = "caxi";
-}
--- a/tv/2configs/nginx/krebs-pages.nix
+++ b/tv/2configs/nginx/krebs-pages.nix
@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+{
+  services.nginx = {
+    virtualHosts.krebs-pages = {
+      serverAliases = [
+        "krebs.${config.krebs.build.host.name}.r"
+      ];
+      extraConfig = ''
+        root ${pkgs.krebs-pages};
+      '';
+    };
+  };
+}
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@ -230,6 +230,7 @@ let {
            ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"''
            ''[a-z]*Phase[ \t\r\n]*=''
          ];
+          yaml = {};
          vim.extraStart =
            ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
          xdefaults = {};
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@ -1,22 +1,18 @@
 with import <stockholm/lib>;
-self: super: let

-  # This callPackage will try to detect obsolete overrides.
-  callPackage = path: args: let
-    override = super.callPackage path args;
-    upstream = optionalAttrs (override ? "name")
-      (super.${(parseDrvName override.name).name} or {});
-  in if upstream ? "name" &&
-        override ? "name" &&
-        compareVersions upstream.name override.name != -1
-    then
-      trace
-        "Upstream `${upstream.name}' gets overridden by `${override.name}'."
-        override
-    else override;
+self: super:

-in {
+# Import files and subdirectories like they are overlays.
+foldl' mergeAttrs {}
+  (map
+    (name: import (./. + "/${name}") self super)
+    (filter
+      (name: name != "default.nix" && !hasPrefix "." name)
+      (attrNames (readDir ./.))))

+//
+
+{
  # TODO use XDG_RUNTIME_DIR?
  cr = self.writeDashBin "cr" ''
    set -efu
@ -42,9 +38,4 @@ in {
      sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
    }) {};
  in nixpkgs-1509.wvdial;
-
 }
-
-// mapAttrs (_: flip callPackage {})
-            (filterAttrs (_: dir: pathExists (dir + "/default.nix"))
-                         (subdirsOf ./.))
--- a/tv/5pkgs/simple/default.nix
+++ b/tv/5pkgs/simple/default.nix
@ -0,0 +1,24 @@
+with import <stockholm/lib>;
+
+self: super:
+
+let
+  # This callPackage will try to detect obsolete overrides.
+  callPackage = path: args: let
+    override = self.callPackage path args;
+    upstream = optionalAttrs (override ? "name")
+      (super.${(parseDrvName override.name).name} or {});
+  in if upstream ? "name" &&
+        override ? "name" &&
+        compareVersions upstream.name override.name != -1
+    then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
+    else override;
+in
+
+  listToAttrs
+    (map
+      (name: nameValuePair (removeSuffix ".nix" name)
+                           (callPackage (./. + "/${name}") {}))
+      (filter
+        (name: name != "default.nix" && !hasPrefix "." name)
+        (attrNames (readDir ./.))))
--- a/tv/5pkgs/simple/djbdns/default.nix
+++ b/tv/5pkgs/simple/djbdns/default.nix
--- a/tv/5pkgs/simple/q/default.nix
+++ b/tv/5pkgs/simple/q/default.nix
--- a/tv/5pkgs/simple/viljetic-pages/default.nix
+++ b/tv/5pkgs/simple/viljetic-pages/default.nix
--- a/tv/5pkgs/simple/viljetic-pages/index.html
+++ b/tv/5pkgs/simple/viljetic-pages/index.html
--- a/tv/5pkgs/simple/viljetic-pages/logo.xpm
+++ b/tv/5pkgs/simple/viljetic-pages/logo.xpm
--- a/tv/5pkgs/simple/xmonad-tv/default.nix
+++ b/tv/5pkgs/simple/xmonad-tv/default.nix