Merge remote-tracking branch 'ni/master'

This commit is contained in:
lassulus 2018-09-11 23:43:11 +02:00
commit 637d9fb880
50 changed files with 2 additions and 567 deletions


@ -13,10 +13,7 @@ import <nixpkgs/nixos/lib/eval-config.nix> {
(attrNames (filterAttrs (_: eq "directory") (readDir (<stockholm> + "/${ns}/1systems"))))
(name: let
config = import (<stockholm> + "/${ns}/1systems/${name}/config.nix");
source = import (<stockholm> + "/${ns}/1systems/${name}/source.nix");
in import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [ config ];
} // {
inherit source;
});
}


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "bln";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "bolide";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "brauerei";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "enklave";
}


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "reagenzglas";
secure = true;
}


@ -1,26 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false, override ? {} }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "jeschli";
_file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
secrets.file = getAttr builder {
buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
jeschli = "${getEnv "HOME"}/secrets/${name}";
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
}
override
]


@ -44,11 +44,6 @@ let
exec >&2
source=${pkgs.writeJSON "source.json" populate-source}
LOGNAME=krebs ${pkgs.populate}/bin/populate --force root@server:22/var/src/ < "$source"
# TODO: make deploy work
#LOGNAME=krebs ${pkgs.stockholm}/bin/deploy \
# --force-populate \
# --source=${./data/test-source.nix} \
# --system=server \
'';
minimalSystem = (import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "hotdog";
}


@ -1,13 +0,0 @@
with import <stockholm/lib>;
let
pkgs = import <nixpkgs> {};
nixpkgs = builtins.fetchTarball {
url = https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz;
};
in import <stockholm/krebs/source.nix> {
name = "onebutton";
override.nixpkgs = mkForce {
file = toString nixpkgs;
};
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "puyak";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-all-krebs-modules";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-arch";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-centos6";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-centos7";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-failing";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-minimal-deploy";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "wolf";
}


@ -1,230 +0,0 @@
{ pkgs }: let
stockholm-dir = ../../../..;
lib = import (stockholm-dir + "/lib");
#
# high level commands
#
cmds.deploy = pkgs.withGetopt {
force-populate = { default = /* sh */ "false"; switch = true; };
quiet = { default = /* sh */ "false"; switch = true; };
source_file = {
default = /* sh */ "$user/1systems/$system/source.nix";
long = "source";
};
system = {};
target.default = /* sh */ "$system";
user.default = /* sh */ "$LOGNAME";
} (opts: pkgs.writeDash "stockholm.deploy" ''
set -efu
. ${init.env}
. ${init.proxy "deploy" opts}
# Use system's nixos-rebuild, which is not self-contained
export PATH=/run/current-system/sw/bin
exec ${utils.with-whatsupnix} \
nixos-rebuild switch \
--show-trace \
-I "$target_path"
'');
cmds.get-version = pkgs.writeDash "get-version" ''
set -efu
hostname=''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}
version=git.$(${pkgs.git}/bin/git describe --always --dirty)
case $version in (*-dirty)
version=$version@$hostname
esac
date=$(${pkgs.coreutils}/bin/date +%y.%m)
echo "$date.$version"
'';
cmds.install = pkgs.withGetopt {
force-populate = { default = /* sh */ "false"; switch = true; };
quiet = { default = /* sh */ "false"; switch = true; };
source_file = {
default = /* sh */ "$user/1systems/$system/source.nix";
long = "source";
};
system = {};
target = {};
user.default = /* sh */ "$LOGNAME";
} (opts: pkgs.writeBash "stockholm.install" ''
set -efu
. ${init.env}
if \test "''${using_proxy-}" != true; then
${pkgs.openssh}/bin/ssh \
-o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
"$target_user@$target_host" -p "$target_port" \
env target_path=$(${pkgs.quote}/bin/quote "$target_path") \
sh -s prepare \
< ${stockholm-dir + "/krebs/4lib/infest/prepare.sh"}
# TODO inline prepare.sh?
fi
. ${init.proxy "install" opts}
# these variables get defined by nix-shell (i.e. nix-build) from
# XDG_RUNTIME_DIR and reference the wrong directory (/run/user/0),
# which only exists on / and not at /mnt.
export NIX_BUILD_TOP=/tmp
export TEMPDIR=/tmp
export TEMP=/tmp
export TMPDIR=/tmp
export TMP=/tmp
export XDG_RUNTIME_DIR=/tmp
export NIXOS_CONFIG="$target_path/nixos-config"
cd
exec nixos-install
'');
cmds.test = pkgs.withGetopt {
force-populate = { default = /* sh */ "false"; switch = true; };
quiet = { default = /* sh */ "false"; switch = true; };
source_file = {
default = /* sh */ "$user/1systems/$system/source.nix";
long = "source";
};
system = {};
target = {};
user.default = /* sh */ "$LOGNAME";
} (opts: pkgs.writeDash "stockholm.test" /* sh */ ''
set -efu
export dummy_secrets=true
. ${init.env}
. ${init.proxy "test" opts}
exec ${utils.build} config.system.build.toplevel
'');
#
# low level commands
#
# usage: get-source SOURCE_FILE
cmds.get-source = pkgs.writeDash "stockholm.get-source" ''
set -efu
exec ${pkgs.nix}/bin/nix-instantiate \
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
"$1"
'';
# usage: parse-target [--default=TARGET] TARGET
# TARGET = [USER@]HOST[:PORT][/PATH]
cmds.parse-target = pkgs.withGetopt {
default_target = {
long = "default";
short = "d";
};
} (opts: pkgs.writeDash "stockholm.parse-target" ''
set -efu
target=$1; shift
for arg; do echo "$0: bad argument: $arg" >&2; done
if \test $# != 0; then exit 2; fi
exec ${pkgs.jq}/bin/jq \
-enr \
--arg default_target "$default_target" \
--arg target "$target" \
-f ${pkgs.writeText "stockholm.parse-target.jq" ''
def parse: match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
user: .captures[0].string,
host: .captures[1].string,
port: .captures[2].string,
path: .captures[3].string,
};
def sanitize: with_entries(select(.value != null));
($default_target | parse) + ($target | parse | sanitize) |
. + { local: (.user == env.LOGNAME and .host == env.HOSTNAME) }
''}
'');
init.env = pkgs.writeText "init.env" /* sh */ ''
export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
export quiet
export system
export target
export user
default_target=root@$system:22/var/src
export target_object="$(
${cmds.parse-target} "$target" -d "$default_target"
)"
export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
'';
init.proxy = command: opts: pkgs.writeText "init.proxy" /* sh */ ''
if \test "''${using_proxy-}" != true; then
source=$(${cmds.get-source} "$source_file")
qualified_target=$target_user@$target_host:$target_port$target_path
if \test "$force_populate" = true; then
echo "$source" | ${pkgs.populate}/bin/populate --force "$qualified_target"
else
echo "$source" | ${pkgs.populate}/bin/populate "$qualified_target"
fi
if \test "$target_local" != true; then
exec ${pkgs.openssh}/bin/ssh \
"$target_user@$target_host" -p "$target_port" \
cd "$target_path/stockholm" \; \
NIX_PATH=$(${pkgs.quote}/bin/quote "$target_path") \
nix-shell --run "$(${pkgs.quote}/bin/quote "
${lib.concatStringsSep " " (lib.mapAttrsToList
(name: opt: /* sh */
"${opt.varname}=\$(${pkgs.quote}/bin/quote ${opt.ref})")
opts
)} \
using_proxy=true \
${lib.shell.escape command} \
$WITHGETOPT_ORIG_ARGS \
")"
fi
fi
'';
utils.build = pkgs.writeDash "utils.build" ''
set -efu
${utils.with-whatsupnix} \
${pkgs.nix}/bin/nix-build \
--no-out-link \
--show-trace \
-E "with import <stockholm>; $1" \
-I "$target_path" \
'';
utils.with-whatsupnix = pkgs.writeDash "utils.with-whatsupnix" ''
set -efu
if \test "$quiet" = true; then
"$@" -Q 2>&1 | ${pkgs.whatsupnix}/bin/whatsupnix
else
exec "$@"
fi
'';
in
pkgs.write "stockholm" (lib.mapAttrs' (name: link:
lib.nameValuePair "/bin/${name}" { inherit link; }
) cmds)


@ -18,7 +18,7 @@
stockholm.file = toString ../.;
stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" ''
set -efu
cd $HOME/stockholm
cd ${lib.escapeShellArg krebs-source.stockholm.file}
V=$(${pkgs.coreutils}/bin/date +%y.%m)
if test -d .git; then
V=$V.git.$(${pkgs.git}/bin/git describe --always --dirty)


@ -1,29 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false, override ? {} }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "krebs";
_file = <stockholm> + "/krebs/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
secrets = getAttr builder {
buildbot.file = toString <stockholm/krebs/0tests/data/secrets>;
krebs.pass = {
dir = "${getEnv "HOME"}/brain";
name = "krebs-secrets/${name}";
};
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
nixpkgs = (import ./krops.nix { name = ""; }).krebs-source.nixpkgs;
}
override
]


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "blue";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "cabal";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "daedalus";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "icarus";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "littleT";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "mors";
secure = true;
}


@ -1,4 +0,0 @@
with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "prism";
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "red";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/lass/source.nix> {
name = "shodan";
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "skynet";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/lass/source.nix> {
name = "uriel";
}


@ -1,5 +0,0 @@
with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "xerxes";
secure = true;
}


@ -1,29 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false, override ? {} }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "lass";
_file = <stockholm> + "/lass/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix";
nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
secrets = getAttr builder {
buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;
lass.pass = {
dir = "${getEnv "HOME"}/.password-store";
name = "hosts/${name}";
};
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
}
override
]


@ -20,7 +20,6 @@
brain
gen-oath-safe
cdrtools
stockholm
# nix related
nix-repl
nix-index


@ -57,7 +57,7 @@ in
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
stockholm-version.pipe = "${pkgs.coreutils}/bin/echo derp";
}
(mkIf ( musnix ) {
musnix.git = {
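Review bot: `stockholm-version.pipe = "${pkgs.coreutils}/bin/echo derp";` hard-codes the literal `derp` as the stockholm version, so the deployed source's version stamp no longer carries the date and git-describe output that `get-version` produced; if that line is the new side, as the print order suggests, this reads like a placeholder that was left in rather than an intended change. If `pkgs.stockholm` is gone after this merge, the `${name}-version` writeDash that another hunk of this commit uses for the same `stockholm-version.pipe` attribute is a ready replacement; otherwise at least mark the stub, `# TODO: restore a real version string (pkgs.stockholm removed)`, so it is not mistaken for a final value. The enclosing attribute set starts and ends outside the hunk.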


@ -1,4 +0,0 @@
import <stockholm/nin/source.nix> {
name = "axon";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/nin/source.nix> {
name = "hiawatha";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/nin/source.nix> {
name = "onondaga";
secure = true;
}


@ -1,23 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "nin";
_file = <stockholm> + "/nin/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) {
nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix";
secrets.file = getAttr builder {
buildbot = toString <stockholm/nin/0tests/dummysecrets>;
nin = "/home/nin/secrets/${name}";
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
}


@ -1,38 +0,0 @@
let
lib = import ./lib;
pkgs = import <nixpkgs> {
overlays = [
(import ./krebs/5pkgs)
(import ./submodules/nix-writers/pkgs)
];
};
in pkgs.stdenv.mkDerivation {
name = "stockholm";
shellHook = /* sh */ ''
export NIX_PATH=stockholm=${toString ./.}:nixpkgs=${toString <nixpkgs>}
if test -e /nix/var/nix/daemon-socket/socket; then
export NIX_REMOTE=daemon
fi
export PATH=${lib.makeBinPath [
pkgs.stockholm
]}''${PATH+:$PATH}
eval "$(declare -F | ${pkgs.gnused}/bin/sed s/declare/unset/)"
shopt -u no_empty_cmd_completion
unalias -a
enable -n \
. [ alias bg bind break builtin caller cd command compgen complete \
compopt continue dirs disown eval exec false fc fg getopts hash \
help history jobs kill let local logout mapfile popd printf pushd \
pwd read readarray readonly shift source suspend test times trap \
true typeset ulimit umask unalias wait
exitHandler() {
:
}
PS1='\[\e[38;5;162m\]\w\[\e[0m\] '
'';
}


@ -1,4 +0,0 @@
import <stockholm/tv/source.nix> {
name = "alnus";
override.nixpkgs.git.ref = "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
}


@ -1,3 +0,0 @@
import <stockholm/tv/source.nix> {
name = "mu";
}


@ -1,4 +0,0 @@
import <stockholm/tv/source.nix> {
name = "nomic";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/tv/source.nix> {
name = "querel";
}


@ -1,4 +0,0 @@
import <stockholm/tv/source.nix> {
name = "wu";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/tv/source.nix> {
name = "xu";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/tv/source.nix> {
name = "zu";
secure = true;
}


@ -1,37 +0,0 @@
with import <stockholm/lib>;
{ name
, dummy_secrets ? getEnv "dummy_secrets" == "true"
, override ? {}
, secure ? false
}@host: let
builder = if dummy_secrets then "buildbot" else "tv";
_file = <stockholm> + "/tv/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix";
nixpkgs.git = {
ref = mkDefault "7cbf6ca1c84dfc917c1a99524e082fb677501844";
url = https://github.com/NixOS/nixpkgs;
};
secrets.file = getAttr builder {
buildbot = toString <stockholm/tv/dummy_secrets>;
tv = "/home/tv/secrets/${name}";
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
}
(mkIf (builder == "tv") {
secrets-common.file = "/home/tv/secrets/common";
})
(mkIf (builder == "tv" && secure) {
secrets-master.file = "/home/tv/secrets/master";
})
override
]