diff --git a/Makefile b/Makefile
index 226c0f297..7252ca70e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,16 +1,17 @@
 stockholm ?= .
 
+export HOSTNAME ?= $(shell cat /proc/sys/kernel/hostname)
+
 export STOCKHOLM_VERSION ?= $(shell \
 	version=git.$$(git describe --always --dirty); \
-	case $$version in (*-dirty) version=$$version@$$(hostname); esac; \
+	case $$version in (*-dirty) version=$$version@$$HOSTNAME; esac; \
 	date=$$(date +%y.%m); \
 	printf '%s' "$$date.$$version"; \
 )
 
-ifndef nixos-config
 $(if $(system),,$(error unbound variable: system))
-nixos-config = ./$(LOGNAME)/1systems/$(system).nix
-endif
+
+nixos-config ?= $(stockholm)/$(LOGNAME)/1systems/$(system).nix
 
 # target = [target_user@]target_host[:target_port][/target_path]
 ifdef target
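Review bot: In the `STOCKHOLM_VERSION` snippet, `$$HOSTNAME` is read from the shell's environment, and GNU Make releases before 4.4 do not pass `export`ed make variables to `$(shell ...)`, so the new `HOSTNAME ?=` default may never reach it and a dirty tree could be stamped `...-dirty@` with no host name. A fallback inside the snippet avoids depending on that and keeps the value out of make's text expansion: `case $$version in (*-dirty) version=$$version@$${HOSTNAME:-$$(cat /proc/sys/kernel/hostname)}; esac; \`. Separately, removing the `ifndef nixos-config` guard makes the `$(error unbound variable: system)` check fire even when `nixos-config` is passed explicitly; if that is intended, a one-line comment saying so would help. The `ifdef target` block at the end of the hunk continues outside it.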
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 24f0cdd84..1fcf07b1e 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -272,6 +272,7 @@ with config.krebs.lib;
           addrs6 = ["42:f9f0::10"];
           aliases = [
             "omo.retiolum"
+            "omo.r"
           ];
           tinc.pubkey = ''
               -----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index a217e7bed..e265b0e67 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -98,6 +98,19 @@ prepare_nixos_iso() {
   sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install
 }
 
+get_nixos_install() {
+  echo "installing nixos-install" 2>&1
+  c=$(mktemp)
+
+  cat <<EOF > $c
+{ fileSystems."/" = {};
+    boot.loader.grub.enable = false;
+}
+EOF
+  export NIXOS_CONFIG=$c
+  nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"
+  rm -v $c
+}
 prepare_common() {(
 
   if ! getent group nixbld >/dev/null; then
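Review bot: `get_nixos_install` exports `NIXOS_CONFIG=$c` and then deletes the file, so the rest of `prepare_common` and anything it starts inherits a `NIXOS_CONFIG` that points at a removed temp file. Scoping the variable to the one command avoids that: `NIXOS_CONFIG="$c" nix-env -i -A config.system.build.nixos-install -f "<nixpkgs/nixos>"`, with `"$c"` also quoted in the `cat` redirect and in `rm -v`. If this script does not run under `set -e`, a failing `nix-env` leaves the temp file behind, and the `cp "$(type -p nixos-install)"` after the call site in the next hunk would run with an empty path; an explicit `|| return 1` covers both. The `2>&1` on the `echo` has no effect, and `>&2` is probably what was meant. `prepare_common`'s body continues outside the hunk.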
@@ -191,6 +204,7 @@ prepare_common() {(
     mount --rbind /mnt/"$target_path" "$target_path"
   fi
 
+  get_nixos_install
   mkdir -p bin
   rm -f bin/nixos-install
   cp "$(type -p nixos-install)" bin/nixos-install
diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix
index f5fe84823..9b14bf486 100644
--- a/krebs/5pkgs/test/infest-cac-centos7/default.nix
+++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix
@@ -1,11 +1,11 @@
 { stdenv, coreutils, makeWrapper,
-  cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, sshpass,
+  cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, sshpass, proot,
   ... }:
 
 stdenv.mkDerivation rec {
   name = "${shortname}-${version}";
   shortname = "infest-cac-centos7";
-  version = "0.2.0";
+  version = "0.2.7";
 
   src = ./notes;
 
@@ -24,6 +24,7 @@ stdenv.mkDerivation rec {
     jq
     openssh
     sshpass
+    proot
   ];
 
   installPhase = ''
@@ -37,7 +38,7 @@ stdenv.mkDerivation rec {
   '';
   meta = with stdenv.lib; {
     homepage = http://krebsco.de;
-    description = "Krebs CI Scripts";
+    description = "infest a CaC box with stockholm";
     license = licenses.wtfpl;
     maintainers = [ maintainers.makefu ];
   };
diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes
index 6bb0258a9..ab6bc557c 100755
--- a/krebs/5pkgs/test/infest-cac-centos7/notes
+++ b/krebs/5pkgs/test/infest-cac-centos7/notes
@@ -1,10 +1,26 @@
-# nix-shell -p gnumake jq openssh cac-api cac-panel sshpass
-set -eufx
+#! /bin/sh
+# usage: user=makefu target_system=wry debug=true \
+#         krebs_cred=~/secrets/cac.json \
+#         retiolum_key=~/secrets/wry/retiolum.rsa_key.priv \
+#           infest-cac-centos7
+
+# IMPORTANT: set debug to TRUE if you want to actually keep the system
+
+# must be run in <stockholm>
+set -euf
 
 # 2 secrets are required:
-
+#   login to panel
 krebs_cred=${krebs_cred-./cac.json}
+#   tinc retiolum key for host
 retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
+# build this host
+user=${user:-shared}
+system=${target_system:-test-centos7}
+
+log(){
+  echo "[$(date +"%Y-%m-%d %T")] $@" 2>&1
+}
 
 clear_defer(){
   echo "${trapstr:-exit}"
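Review bot: `log` ends in `2>&1`, which only points echo's unused stderr at stdout, so the messages that later hunks convert from `echo ... >&2` now go to stdout rather than stderr; `>&2` looks like the intent. Inside a quoted string `$@` splits into separate words when more than one argument is passed, and `$*` is the form for a single message: `echo "[$(date +"%Y-%m-%d %T")] $*" >&2`. A short comment above `log` stating that it writes timestamped diagnostics to stderr would document the contract. `clear_defer` at the end of the hunk continues outside it.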
@@ -14,9 +30,13 @@ defer(){
   if test -z "${debug:-}"; then
     trapstr="$1;${trapstr:-exit}"
     trap "$trapstr" INT TERM EXIT KILL
+  else
+    log "ignored defer: $1"
   fi
 }
 
+test -z "${debug:-}" && log "debug enabled, vm will not be deleted on error"
+
 # Sanity
 if test ! -r "$krebs_cred";then
   echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
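Review bot: The added `test -z "${debug:-}" && log "debug enabled, ..."` is inverted: `test -z` succeeds when `debug` is empty, so the message is printed exactly when debug is off and cleanup is active. It should read `test -n "${debug:-}" && log "debug enabled, vm will not be deleted on error"`, or be written as an `if` block. With `debug` set every `defer` is skipped, which includes the `rm -r $krebs_secrets` registered further down, so the temp directory holding the copied retiolum private key and the API config stays on disk; the log line should say that as well, so the operator knows to remove it by hand.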
@@ -25,6 +45,11 @@ if test ! -r "$retiolum_key";then
   echo "\$retiolum_key=$retiolum_key must be readable"; exit 1
 fi
 
+if test ! -r "${user}/1systems/${system}.nix" ;then
+  echo "cannot find ${user}/1systems/${system}.nix , not started in stockholm directory?"
+  exit 1
+fi
+
 krebs_secrets=$(mktemp -d)
 sec_file=$krebs_secrets/cac_config
 krebs_ssh=$krebs_secrets/tempssh
@@ -32,7 +57,7 @@ export cac_resources_cache=$krebs_secrets/res_cache.json
 export cac_servers_cache=$krebs_secrets/servers_cache.json
 export cac_tasks_cache=$krebs_secrets/tasks_cache.json
 export cac_templates_cache=$krebs_secrets/templates_cache.json
-# we need to receive this key from buildmaster to speed up tinc bootstrap
+
 defer "trap - INT TERM EXIT"
 defer "rm -r $krebs_secrets"
 
@@ -42,10 +67,13 @@ cac_key="$(cac-panel --config $krebs_cred settings | jq -r .apicode)"
 EOF
 
 export cac_secrets=$sec_file
+log "adding own ip to allowed ips via cac-panel"
 cac-panel --config $krebs_cred add-api-ip
 
 # test login:
+log "updating cac-api state"
 cac-api update
+log "list of cac servers:"
 cac-api servers
 
 # preserve old trap
@@ -56,10 +84,10 @@ while true;do
   out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1)
   if name=$(echo "$out" | jq -r .servername);then
     id=servername:$name
-    echo "got a working machine, id=$id"
+    log "got a working machine, id=$id"
   else
-    echo "Unable to build a virtual machine, retrying in 15 seconds" >&2
-    echo "Output of build program: $out" >&2
+    log "Unable to build a virtual machine, retrying in 15 seconds"
+    log "Output of build program: $out"
     sleep 15
     continue
   fi
@@ -74,22 +102,23 @@ while true;do
     for t in `seq 180`;do
       # now we have a working cac-api server
       if cac-api ssh $1 -o ConnectTimeout=10 \
-                    cat /etc/redhat-release | \
-                      grep CentOS ;then
+                    cat /etc/redhat-release >/dev/null 2>&1 ;then
         return 0
       fi
+      log "cac-api ssh $1 failed, retrying"
       sleep 10
     done
+    log "cac-api ssh failed for 30 minutes, assuming something else broke. bailing ou.t"
     return 1
   }
   # die on timeout
   if ! wait_login_cac $id;then
-    echo "unable to boot a working system within time frame, retrying..." >&2
-    echo "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)"
+    log "unable to boot a working system within time frame, retrying..."
+    log "Cleaning up old image,last status: $(cac-api update;cac-api getserver $id | jq -r .status)"
     eval "$(clear_defer | sed 's/;exit//')"
     sleep 15
   else
-    echo "got a working system" >&2
+    log "got a working system: $id"
     break
   fi
 done
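Review bot: In `wait_login_cac` the probe now sends both streams to `/dev/null`, so an authentication or API error looks the same as a host that is still booting, and the loop runs for the full 30 minutes before giving up. Redirecting only stdout (`>/dev/null`) or logging the last error on the final failure would make that diagnosable. The new message has a typo: `bailing ou.t` should read `bailing out`. `wait_login` in the last hunk of this file discards stderr the same way.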
@@ -101,16 +130,16 @@ cac-api generatenetworking $id > \
   shared/2configs/temp/networking.nix
 # new temporary ssh key we will use to log in after install
 ssh-keygen -f $krebs_ssh -N ""
-cp $retiolum_key $krebs_secrets/retiolum.rsa_key.priv
+cp "$retiolum_key" $krebs_secrets/retiolum.rsa_key.priv
 # we override the directories for secrets and stockholm
 # additionally we set the ssh key we generated
 ip=$(cac-api getserver $id | jq -r .ip)
 
 cat > shared/2configs/temp/dirs.nix <<EOF
 _: {
-  krebs.build.source.dir = {
-    secrets.path = "$krebs_secrets";
-    stockholm.path = "$(pwd)";
+  krebs.build.source = {
+    secrets = "$krebs_secrets";
+    stockholm = "$(pwd)";
   };
   users.extraUsers.root.openssh.authorizedKeys.keys = [
     "$(cat ${krebs_ssh}.pub)"
@@ -118,14 +147,17 @@ _: {
 }
 EOF
 
+log "starting prepare and installation"
+# TODO: try harder
 make install \
-    LOGNAME=shared \
+    LOGNAME=${user} \
     SSHPASS="$(cac-api getserver $id | jq -r .rootpass)" \
     ssh='sshpass -e ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \
-    system=test-centos7 \
+    system=${system} \
     target=$ip
-
-# TODO: generate secrets directory $krebs_secrets for nix import
+log "finalizing installation"
+cac-api ssh $id < krebs/4lib/infest/finalize.sh
+log "reset $id"
 cac-api powerop $id reset
 
 wait_login(){
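Review bot: `LOGNAME=${user}` and `system=${system}` are unquoted and both come from the caller's environment, so a value containing whitespace is split into extra `make` arguments (further variable assignments or goals); write `LOGNAME="$user"` and `system="$system"`. The unchanged `SSHPASS="$(...)"` argument puts the root password on the `make` command line, where other local users can read it from the process list; `export SSHPASS` before the call should hand it to `sshpass -e` through the environment instead. The `ssh=` override also disables host key checking for the session that carries that password, which deserves a comment stating why that is acceptable for a freshly built VM. The `# TODO: try harder` does not say what should be retried.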
@@ -137,11 +169,15 @@ wait_login(){
            -i $krebs_ssh \
            -o ConnectTimeout=10 \
            -o BatchMode=yes \
-           root@$1 nixos-version ;then
+           root@$1 nixos-version >/dev/null 2>&1;then
+      log "login to host $1 successful"
       return 0
     fi
+    log "unable to log into server, waiting"
     sleep 10
   done
+  log "unable to log in after 15 minutes, bailing out"
   return 1
 }
+log "waiting for system to come up"
 wait_login $ip
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index e6a1434ab..aa4a8a5c9 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -10,8 +10,8 @@ let
   homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
   # cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
   # cryptsetup luksAddKey $dev tmpkey
-  # cryptsetup luksOpen $dev crypt0
-  # mkfs.xfs /dev/mapper/crypt0 -L crypt0
+  # cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
+  # mkfs.ext4 /dev/mapper/crypt0 -L crypt0 -T largefile
 
   # omo Chassis:
   # __FRONT_
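Review bot: The updated recipe opens the volume with `--keyfile-size=4096`, but the `luksAddKey $dev tmpkey` line above it adds the whole file as the key, so the two steps only agree if `tmpkey` is exactly 4096 bytes. Either state how `tmpkey` is generated (for example a comment `# tmpkey must be 4096 bytes`) or give the add step the matching `--new-keyfile-size=4096`. The surrounding `let` block starts and ends outside the hunk.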
@@ -27,10 +27,10 @@ let
   # |_______|
   cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
   cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
-  # cryptDisk2 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WCAZA5548487";
-  cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
+  cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
+  # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
   # all physical disks
-  allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk3 ];
+  allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
 in {
   imports =
     [
@@ -99,7 +99,7 @@ in {
         (usbkey "home" homePartition)
         (usbkey "crypt0" cryptDisk0)
         (usbkey "crypt1" cryptDisk1)
-        (usbkey "crypt2" cryptDisk3)
+        (usbkey "crypt2" cryptDisk2)
       ];
     };
     loader.grub.device = rootDisk;
diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix
index 9f998b554..f6ec93a97 100644
--- a/shared/2configs/base.nix
+++ b/shared/2configs/base.nix
@@ -18,7 +18,7 @@ with config.krebs.lib;
   krebs.build.source = {
     nixpkgs = mkDefault {
       url = https://github.com/NixOS/nixpkgs;
-      rev = "77f8f35d57618c1ba456d968524f2fb2c3448295"; # for urlwatch-minidb
+      rev = "40c586b7ce2c559374df435f46d673baf711c543";
     };
     secrets =  mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}";
     stockholm = mkDefault "${getEnv "HOME"}/stockholm";
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 7a42ca9fa..4c1fba59a 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -30,6 +30,7 @@ let
     load-env = {};
     make-snapshot = {};
     much = {};
+    newsbot-js = {};
     nixpkgs = {};
     push = {};
     regfish = {};