makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions1 Packages Projects Releases Wiki Activity

Merge branch 'master' of nomic:config into tv

Browse source
This commit is contained in:
lassulus 2015-06-18 22:27:45 +02:00
parent 2874f6ed04 1325e5a675
commit cfbfa6db86
8 changed files with 307 additions and 26 deletions

3
lib/default.nix
View file

@ -1,4 +1,4 @@
{ lib, ... }: { lib, pkgs, ... }:
with builtins; with builtins;
@ -11,6 +11,7 @@ rec {
lib = lib // { lib = lib // {
inherit addNames; inherit addNames;
}; };
inherit pkgs;
}; };
addName = name: set: addName = name: set:

140
lib/git.nix
View file

@ -1,7 +1,7 @@
{ lib, ... }: { lib, pkgs, ... }:
let let
inherit (lib) addNames; inherit (lib) addNames escapeShellArg makeSearchPath;
commands = addNames { commands = addNames {
git-receive-pack = {}; git-receive-pack = {};
@ -37,5 +37,139 @@ let
master = "refs/heads/master"; master = "refs/heads/master";
all-heads = "refs/heads/*"; all-heads = "refs/heads/*";
}; };
irc-announce-script = pkgs.writeScript "irc-announce-script" ''
#! /bin/sh
set -euf
export PATH=${makeSearchPath "bin" (with pkgs; [
coreutils
gawk
gnused
netcat
])}
IRC_SERVER="$1"
IRC_PORT="$2"
IRC_NICK="$3"
IRC_CHANNEL="$4"
message=$5
export IRC_CHANNEL # for privmsg_cat
# echo2 and cat2 are used output to both, stdout and stderr
# This is used to see what we send to the irc server. (debug output)
echo2() { echo "$*"; echo "$*" >&2; }
cat2() { tee /dev/stderr; }
# privmsg_cat transforms stdin to a privmsg
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
# ircin is used to feed the output of netcat back to the "irc client"
# so we can implement expect-like behavior with sed^_^
# XXX mkselfdestructingtmpfifo would be nice instead of this cruft
tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
cd "$tmpdir"
mkfifo ircin
trap "
rm ircin
cd '$OLDPWD'
rmdir '$tmpdir'
trap - EXIT INT QUIT
" EXIT INT QUIT
{
echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
echo2 "NICK $IRC_NICK"
# wait for MODE message
sed -n '/^:[^ ]* MODE /q'
echo2 "JOIN $IRC_CHANNEL"
printf '%s' "$message" \
| privmsg_cat \
| cat2
echo2 "PART $IRC_CHANNEL"
# wait for PART confirmation
sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
echo2 'QUIT :Gone to have lunch'
} < ircin \
| nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
'';
hooks = {
# TODO make this a package?
irc-announce = { nick, channel, server, port ? 6667 }: ''
#! /bin/sh
set -euf
export PATH=${makeSearchPath "bin" (with pkgs; [
coreutils
git
gnused
])}
nick=${escapeShellArg nick}
channel=${escapeShellArg channel}
server=${escapeShellArg server}
port=${toString port}
empty=0000000000000000000000000000000000000000
unset message
while read oldrev newrev ref; do
if [ $oldrev = $empty ]; then
receive_mode=create
elif [ $newrev = $empty ]; then
receive_mode=delete
elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then
receive_mode=fast-forward
else
receive_mode=non-fast-forward
fi
h=$(echo $ref | sed 's:^refs/heads/::')
# empty_tree=$(git hash-object -t tree /dev/null
empty_tree=4b825dc6
id=$(echo $oldrev | cut -b-7)
id2=$(echo $newrev | cut -b-7)
if [ $oldrev = $empty ]; then id=$empty_tree; fi
if [ $newrev = $empty ]; then id2=$empty_tree; fi
case $receive_mode in
create)
#git log --oneline $id2
link="http://cd/cgit/$GIT_SSH_REPO/"
;;
fast-forward|non-fast-forward)
#git diff --stat $id..$id2
link="http://cd/cgit/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2"
;;
esac
#host=$nick
#$host $GIT_SSH_REPO $ref $link
message="''${message+$message
}$GIT_SSH_USER $receive_mode pushed $link"
done
if test -n "''${message-}"; then
exec ${irc-announce-script} \
"$server" \
"$port" \
"$nick" \
"$channel" \
"$message"
fi
'';
};
in in
commands // receive-modes // permissions // refs commands // receive-modes // permissions // refs // hooks

39
modules/cd/default.nix
View file

@ -11,7 +11,7 @@
../tv/base-cac-CentOS-7-64bit.nix ../tv/base-cac-CentOS-7-64bit.nix
../tv/ejabberd.nix # XXX echtes modul ../tv/ejabberd.nix # XXX echtes modul
../tv/exim-smarthost.nix ../tv/exim-smarthost.nix
../tv/git.nix ../tv/git
../tv/retiolum.nix ../tv/retiolum.nix
../tv/sanitize.nix ../tv/sanitize.nix
]; ];
@ -48,7 +48,7 @@
let let
inherit (builtins) readFile; inherit (builtins) readFile;
# TODO lib should already include our stuff # TODO lib should already include our stuff
inherit (import ../../lib { inherit lib; }) addNames git; inherit (import ../../lib { inherit lib pkgs; }) addNames git;
in in
rec { rec {
enable = true; enable = true;
@ -59,31 +59,38 @@
makefu = { pubkey = "xxx"; }; makefu = { pubkey = "xxx"; };
}; };
# TODO warn about stale repodirs
repos = addNames { repos = addNames {
testing = { shitment = {
desc = "shitment repository";
hooks = { hooks = {
update = '' post-receive = git.irc-announce {
#! /bin/sh nick = config.networking.hostName; # TODO make this the default
set -euf channel = "#retiolum";
echo update hook: $* >&2 server = "ire.retiolum";
'';
post-update = ''
#! /bin/sh
set -euf
echo post-update hook: $* >&2
'';
}; };
}; };
public = true;
};
testing = {
desc = "testing repository";
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#repository";
server = "ire.retiolum";
};
};
public = true;
};
}; };
rules = with git; with users; with repos; [ rules = with git; with users; with repos; [
{ user = tv; { user = tv;
repo = testing; repo = [ testing shitment ];
perm = push master [ non-fast-forward create delete merge ]; perm = push master [ non-fast-forward create delete merge ];
} }
{ user = [ lass makefu ]; { user = [ lass makefu ];
repo = testing; repo = [ testing shitment ];
perm = fetch; perm = fetch;
} }
]; ];

1
modules/cd/iptables.nix
View file

@ -63,6 +63,7 @@
ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset

110
modules/tv/git/cgit.nix Normal file
View file

@ -0,0 +1,110 @@
{ config, lib, pkgs, ... }:
let
inherit (builtins) attrValues filter getAttr;
inherit (lib) concatMapStringsSep mkIf optionalString;
cfg = config.services.git;
isPublicRepo = getAttr "public"; # TODO this is also in ./default.nix
in
{
config = mkIf cfg.cgit {
users.extraUsers = lib.singleton {
name = "fcgiwrap";
uid = 2851179180; # genid fcgiwrap
group = "fcgiwrap";
home = "/var/empty";
};
users.extraGroups = lib.singleton {
name = "fcgiwrap";
gid = 2851179180; # genid fcgiwrap
};
services.fcgiwrap = {
enable = true;
user = "fcgiwrap";
group = "fcgiwrap";
# socketAddress = "/run/fcgiwrap.sock" (default)
# socketType = "unix" (default)
};
environment.etc."cgitrc".text = ''
css=/cgit-static/cgit.css
logo=/cgit-static/cgit.png
# if you do not want that webcrawler (like google) index your site
robots=noindex, nofollow
virtual-root=/cgit
# TODO make this nicer
cache-root=/tmp/cgit
cache-size=1000
enable-commit-graph=1
enable-index-links=1
enable-index-owner=0
enable-log-filecount=1
enable-log-linecount=1
enable-remote-branches=1
root-title=repositories at ${config.networking.hostName}
root-desc=keep calm and engage
snapshots=0
max-stats=year
${concatMapStringsSep "\n" (repo: ''
repo.url=${repo.name}
repo.path=${cfg.dataDir}/${repo.name}
${optionalString (repo.desc != null) "repo.desc=${repo.desc}"}
'') (filter isPublicRepo (attrValues cfg.repos))}
'';
# TODO modular nginx configuration
services.nginx =
let
name = config.networking.hostName;
qname = "${name}.retiolum";
in
{
enable = true;
httpConfig = ''
include ${pkgs.nginx}/conf/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
server {
listen 80;
server_name ${name} ${qname} localhost;
root ${pkgs.cgit}/cgit;
location /cgit-static {
rewrite ^/cgit-static(/.*)$ $1 break;
#expires 30d;
}
location /cgit {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
#fastcgi_param PATH_INFO $uri;
fastcgi_split_path_info ^(/cgit/?)(.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param QUERY_STRING $args;
fastcgi_param HTTP_HOST $server_name;
fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
}
location / {
return 404;
}
}
'';
};
};
}

33
modules/tv/git.nix → modules/tv/git/default.nix
View file

@ -2,8 +2,8 @@
let let
inherit (builtins) inherit (builtins)
attrNames attrValues concatLists filter hasAttr head lessThan removeAttrs attrNames attrValues concatLists getAttr filter hasAttr head lessThan
tail toJSON typeOf; removeAttrs tail toJSON typeOf;
inherit (lib) inherit (lib)
concatMapStringsSep concatStringsSep escapeShellArg hasPrefix concatMapStringsSep concatStringsSep escapeShellArg hasPrefix
literalExample makeSearchPath mapAttrsToList mkIf mkOption optionalString literalExample makeSearchPath mapAttrsToList mkIf mkOption optionalString
@ -16,6 +16,8 @@ let
getName = x: x.name; getName = x: x.name;
isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
makeAuthorizedKey = command-script: user@{ name, pubkey }: makeAuthorizedKey = command-script: user@{ name, pubkey }:
# TODO assert name # TODO assert name
# TODO assert pubkey # TODO assert pubkey
@ -78,12 +80,21 @@ in
# (or kill already connected users somehow) # (or kill already connected users somehow)
{ {
imports = [
./cgit.nix
];
options.services.git = { options.services.git = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = "Enable Git repository hosting."; description = "Enable Git repository hosting.";
}; };
cgit = mkOption {
type = types.bool;
default = true;
description = "Enable cgit."; # TODO better desc; talk about nginx
};
dataDir = mkOption { dataDir = mkOption {
type = types.str; type = types.str;
default = "/var/lib/git"; default = "/var/lib/git";
@ -99,6 +110,13 @@ in
repos = mkOption { repos = mkOption {
type = types.attrsOf (types.submodule ({ type = types.attrsOf (types.submodule ({
options = { options = {
desc = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Repository description.
'';
};
name = mkOption { name = mkOption {
type = types.str; type = types.str;
description = '' description = ''
@ -111,6 +129,14 @@ in
Repository-specific hooks. Repository-specific hooks.
''; '';
}; };
public = mkOption {
type = types.bool;
default = false;
description = ''
Allow everybody to read the repository via HTTP if cgit enabled.
'';
# TODO allow every configured user to fetch the repository via SSH.
};
}; };
})); }));
@ -230,8 +256,9 @@ in
'' ''
reponame=${escapeShellArg repo.name} reponame=${escapeShellArg repo.name}
repodir=$dataDir/$reponame repodir=$dataDir/$reponame
mode=${toString (if isPublicRepo repo then 0711 else 0700)}
if ! test -d "$repodir"; then if ! test -d "$repodir"; then
mkdir -m 0700 "$repodir" mkdir -m "$mode" "$repodir"
git init --bare --template=/var/empty "$repodir" git init --bare --template=/var/empty "$repodir"
chown -R git: "$repodir" chown -R git: "$repodir"
fi fi

2
modules/wu/default.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
lib = import ../../lib { inherit pkgs; }; lib = import ../../lib { lib = pkgs.lib; inherit pkgs; };
inherit (lib) majmin; inherit (lib) majmin;
in in

5
modules/wu/users.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (builtins) attrValues; inherit (builtins) attrValues;
@ -194,7 +194,8 @@ let
sudoers = sudoers =
let let
inherit (builtins) filter hasAttr; inherit (builtins) filter hasAttr;
inherit (import ../../lib { inherit pkgs; }) concat isSuffixOf removeSuffix setToList; inherit (import ../../lib { inherit lib pkgs; })
concat isSuffixOf removeSuffix setToList;
hasMaster = { group ? "", ... }: hasMaster = { group ? "", ... }:
isSuffixOf "-sub" group; isSuffixOf "-sub" group;