deploy: merge next

This commit is contained in:
tv 2015-05-21 23:52:06 +02:00
parent ac76439405
commit f8b1e849a6
30 changed files with 51 additions and 338 deletions

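--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /.graveyard
 /hosts
 /secrets
+/tmp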


@ -1,32 +0,0 @@
#! /bin/sh
set -euf
exec >&2
pid=$$
while :; do
cd /proc/$pid
cmdline=$(cat cmdline | tr '\0' ' ' | sed 's/ $//')
ppid=$(grep PPid status | awk '{print$2}')
printf '%5d %s\n' $pid "$cmdline"
if [ $pid = 1 ]; then
break
else
pid=$ppid
fi
done \
| sed \
"$(printf '
s:\(/bin/sh \)%s/\([^ ]\+\):\e[32m\\2\e[m:g
s:%s/\([^ ]\+\):\e[32;1m\\1\e[m:g
' \
"$(dirname "$0" | bre-escape | sed 's/:/\\:/g')" \
"$(dirname "$0" | bre-escape | sed 's/:/\\:/g')" \
)" \
| tac
ps='Press ^C to abort: '
while :; do
printf '\e[K\e[31;1m%s\e[m' "$ps"
read -r _input
done


@ -1,5 +0,0 @@
#! /bin/sh
# bre-escape : lines string |> lines bre-escaped-string
set -euf
sed 's:[\.\[\\\*\^\$]:\\&:g'


@ -1,15 +0,0 @@
#! /bin/sh
# bre-invert-word : string -> BRE
set -euf
# TODO escape chars in the resulting BRE.
awk -v input="$1" '
BEGIN {
split(input,s,"")
for (i in s) {
c=s[i]
printf "\\|%s[^%s]", y, c
y = y c
}
}
'


@ -1,7 +1,7 @@
#! /bin/sh #! /bin/sh
set -euf set -euf
server=$(json-assert-type object "$1") server=$1
shift shift
address=$(echo $server | jq -r .ip) address=$(echo $server | jq -r .ip)
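Review bot: `server=$1` on the new side drops the `json-assert-type object` check the old line performed (that helper is deleted elsewhere in this commit), so a non-JSON or non-object argument is now only caught indirectly when `jq -r .ip` on the next line fails with a parse error instead of a clear "expected object" message. The following context line also hands `$server` to echo unquoted, so a JSON document containing spaces or glob characters is word-split and possibly globbed before it reaches jq; `address=$(printf '%s\n' "$server" | jq -r .ip)` avoids both the splitting and echo's option handling. If the type check is intentionally gone, a one-line comment such as `# $1 is the host's JSON object as produced by the caller; not validated here` would record that. The rest of the script lies outside the hunk.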


@ -13,11 +13,11 @@ if ! test -e "$secrets_rsync"; then
exit # nothing to do exit # nothing to do
fi fi
retiolum_secret=$(query $host services.retiolum.privateKeyFile) retiolum_secret=$(nixos-query $host services.retiolum.privateKeyFile)
retiolum_uid=$(query $host users.extraUsers.retiolum-tinc.uid) retiolum_uid=$(nixos-query $host users.extraUsers.retiolum-tinc.uid)
ejabberd_secret=/etc/ejabberd/ejabberd.pem ejabberd_secret=/etc/ejabberd/ejabberd.pem
ejabberd_uid=$(query $host users.extraUsers.ejabberd.uid) ejabberd_uid=$(nixos-query $host users.extraUsers.ejabberd.uid)
rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/" rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"


@ -1,6 +0,0 @@
#! /bin/sh
# filter_secrets : lines string |> lines secrets-file-candidate
set -euf
# Notice how false positives are possible.
sed -n 's:^\(.*/\)\?\(secrets/.*\):'"${PWD//:/\\:}"'/\2:p'


@ -1,10 +0,0 @@
#! /bin/sh
# import-statements : lines (path ":" string) |> lines (path ":" relpath)
set -euf
sed -n '
s@^\([^:]\+:\)\('"$(bre-invert-word import)"'\)*\<import\s\+@\1@
t1;d
:1; s@^\([^:]\+:\)\(\.*/\S*\)@\1\2\n@
t2;d
:2; P;D
'


@ -1,18 +0,0 @@
#! /bin/sh
set -euf
formal_type=$1
actual_value=$2
actual_type=$(echo $actual_value | jq -r type)
if [ "$actual_type" != "$formal_type" ]; then
backtrace
printf 'error: expected %s, got %s\n' \
"$formal_type" \
"$actual_type" \
>&2
exit 1
fi
echo "$actual_value"


@ -1,7 +0,0 @@
#! /bin/sh
# list-hosts : lines tinc-host-file
set -euf
# Precondition: $PWD/hosts is the correct repository :)
git -C hosts ls-tree --name-only HEAD \
| awk '{print ENVIRON["PWD"]"/hosts/"$$0}'


@ -1,20 +0,0 @@
#! /bin/sh
# list-module-imports : nix-file -> lines nix-file
set -euf
if echo "$1" | grep -q ^/; then
:
else
set -- "./$1"
fi
imports=$(nix-instantiate \
-I secrets=secrets \
--strict \
--json \
--eval \
-E \
"with builtins; with import ./lib/modules.nix; map toString (list-imports $1)")
echo "$imports" \
| jq -r .[]


@ -1,12 +0,0 @@
#! /bin/sh
# ls-bre : directory -> BRE
# Create a BRE from the files in a directory.
set -euf
ls "$1" \
| tr \\n / \
| sed '
s:[\.\[\\\*\^\$]:\\&:g
s:/$::
s:/:\\|:g
'


@ -1,10 +0,0 @@
#! /bin/sh
# make-parent-dirs : lines path |> lines directory
# List all parent directories of a path.
set -euf
set -- "$(sed -n 's|/[^/]*$||p' | grep . | sort | uniq)"
if echo "$1" | grep -q .; then
echo "$1"
echo "$1" | make-parent-dirs
fi


@ -1,6 +0,0 @@
#! /bin/sh
# make-relative-to : lines path |> directory -> lines path
# Non-matching paths won't get altered.
set -euf
sed "s:^$(echo "$1/" | bre-escape | sed 's/:/\\:/g')::"


@ -1,33 +0,0 @@
#! /bin/sh
# make-rsync-filter : nixos-config -> rsync-filter
set -euf
main=$1
hosts=$(list-hosts)
module_imports=$(list-module-imports "$main")
other_imports=$(
echo "$module_imports" \
| xargs grep -H . \
| import-statements \
| slash-path-relpath \
| undot-paths \
| sort \
| uniq \
| sed '/\.nix$/!s:$:/default.nix:' \
)
secrets=$(echo "$module_imports" | xargs cat | quoted-strings | filter-secrets)
# TODO collect all other paths from *_imports
abs_deps=$(
echo "$hosts"
echo "$module_imports"
echo "$other_imports"
echo "$secrets"
)
rel_deps=$(echo "$abs_deps" | make-relative-to "$PWD")
filter=$(echo "$rel_deps" | make-rsync-whitelist)
echo "$filter"


@ -1,15 +0,0 @@
#! /bin/sh
# make-rsync-whitelist : lines relpath |> liens rsync-filter
set -euf
set -- "$(cat)"
# include all files in stdin and their directories
{
echo "$1"
echo "$1" | make-parent-dirs | sort | uniq
} \
| sed 's|^|+ /|'
# exclude everything else
echo '- *'


@ -8,10 +8,13 @@ host=$1
#target=root@$host #target=root@$host
nixpkgs=$nixpkgs_root/$host
nixos_config=$config_root/modules/$host nixos_config=$config_root/modules/$host
secrets_nix=$secrets_root/$host/nix secrets_nix=$secrets_root/$host/nix
secrets_rsync=$secrets_root/$host/rsync secrets_rsync=$secrets_root/$host/rsync
nixos-fetch-git "$host"
nix-build \ nix-build \
-I "$nixpkgs" \ -I "$nixpkgs" \
-I nixos-config="$nixos_config" \ -I nixos-config="$nixos_config" \


@ -5,7 +5,7 @@
set -euf set -euf
host=$1 host=$1
system=${2-$(build "$host")} system=${2-$(nixos-build "$host")}
target=root@$host target=root@$host

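--- /dev/null
+++ b/bin/nixos-fetch-git
@@ -0,0 +1,32 @@
+#! /bin/sh
+#
+# nixos-fetch-git : nixos-config -> ...
+#
+set -euf
+host=$1
+target=root@$host
+git_rev=$(nixos-query "$host" nixpkgs.rev)
+git_url=$(nixos-query "$host" nixpkgs.url)
+worktree=$nixpkgs_root/$host
+if [ ! -d "$worktree" ]; then
+mkdir -p "$worktree"
+fi
+cd "$worktree"
+git init -q
+if ! current_url=$(git config remote.src.url); then
+git remote add src "$git_url"
+elif [ "$current_url" != "$git_url" ]; then
+git remote set-url src "$git_url"
+fi
+git fetch src
+git checkout "$git_rev"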
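Review bot: The empty-value guard that the deleted ssh-deploy had (`if [ "$git_url" = '' ] || [ "$git_rev" = '' ]; then ... exit 23`) has no counterpart in this new file: if nixos-query can print nothing with status 0 for a host (as the deleted nixpkgs-rev did by discarding errors to /dev/null), `set -e` does not trip and the script proceeds to `git remote add src ""` and `git checkout ""` with unclear failures. Restoring it after the two queries as `[ -n "$git_url" ] && [ -n "$git_rev" ] || { echo "specify nixpkgs.url and nixpkgs.rev for $host" >&2; exit 23; }` keeps the old behaviour. `target=root@$host` is assigned but never used in the file, and `nixpkgs_root` is an undocumented environment dependency; the header `# nixos-fetch-git : nixos-config -> ...` should state that `nixpkgs_root` must be exported and that the result is a checkout of nixpkgs.rev under `$nixpkgs_root/$host`. The `if [ ! -d "$worktree" ]` wrapper is redundant, since `mkdir -p` already succeeds on an existing directory.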


@ -4,6 +4,7 @@ set -euf
host=$1 host=$1
attr=$2 attr=$2
nixpkgs=$nixpkgs_root/$host
nixos_config=$config_root/modules/$host nixos_config=$config_root/modules/$host
secrets_nix=$secrets_root/$host/nix secrets_nix=$secrets_root/$host/nix
secrets_rsync=$secrets_root/$host/rsync secrets_rsync=$secrets_root/$host/rsync
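Review bot: `nixpkgs=$nixpkgs_root/$host` is assigned here but not used within the hunk, so its purpose needs a comment where it is consumed further down. This script takes `host=$1 attr=$2` and so appears to be the nixos-query that bin/nixos-fetch-git in this same commit calls to obtain nixpkgs.rev and nixpkgs.url before that worktree has been fetched; if `$nixpkgs` is passed to nix-instantiate as a search path, the first run for a host evaluates against a directory that does not exist yet, which would be worth confirming and documenting, e.g. `# $nixpkgs may not exist yet on first deploy; the queried attributes must not depend on it`. The remainder of the script is outside the hunk.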


@ -1,13 +0,0 @@
#! /bin/sh
# nixpkgs-rev : nixos-config -> git_rev
set -euf
nix-instantiate \
-I nixos-config="$1" \
--eval \
--json \
-E \
'
(import <nixos-config> {config={}; pkgs={};}).nixpkgs.rev
' \
2> /dev/null \
| jq -r . 2> /dev/null


@ -1,13 +0,0 @@
#! /bin/sh
# nixpkgs-url : nixos-config -> git_url
set -euf
nix-instantiate \
-I nixos-config="$1" \
--eval \
--json \
-E \
'
(import <nixos-config> {config={}; pkgs={};}).nixpkgs.url
' \
2> /dev/null \
| jq -r . 2> /dev/null


@ -1,15 +0,0 @@
#! /bin/sh
# quoted_strings : lines string |> lines string
# Extract all (double-) quoted strings from stdin.
#
# 0. find begin of string or skip line
# 1. find end of string or skip line
# 2. print string and continue after string
set -euf
sed '
s:[^"]*":: ;t1;d
:1; s:\(\([^"]\|\\"\)*\)":\1\n: ;t2;d
:2; P;D
' \
| sed 's:\\":":g'


@ -1,8 +0,0 @@
#! /bin/sh
# slash_path_relpath : lines (path ":" relpath) |> lines path
#
# Example: "/foo/bar: baz" => "/foo/baz"
#
set -euf
sed -n 's@/[^/]\+:@/@p'


@ -1,26 +0,0 @@
#! /bin/sh
# ssh-deploy : nixos-config x [user@]hostname -> ()
set -xeuf
main=$1
target=$2
nixpkgs_dir=/var/nixpkgs # TODO make configurable
git_url=$(nixpkgs-url $main)
git_rev=$(nixpkgs-rev $main)
if [ "$git_url" = '' ] || [ "$git_rev" = '' ]; then
echo "specify nixpkgs.url and nixpkgs.rev in $main !"
exit 23
fi
filter=$(make-rsync-filter "$main")
echo "$filter" \
| rsync -f '. -' -zvrlptD --delete-excluded ./ "$target":/etc/nixos/
ssh-fetch-git "$target" "$nixpkgs_dir" "$git_url" "$git_rev"
ssh "$target" nixos-rebuild switch \
-I nixos-config=/etc/nixos/"$main" \
-I nixpkgs="$nixpkgs_dir" \
-I secrets=/etc/nixos/secrets \


@ -1,35 +0,0 @@
#! /bin/sh
# ssh-fetch-git : [user@]hostname x remote_dir x git_url x git_rev -> ()
set -euf
target=$1
remote_dir=$2
git_url=$3
git_rev=$4
echo '
set -euf
if [ ! -d "$remote_dir" ]; then
mkdir -p "$remote_dir"
fi
cd "$remote_dir"
git init -q
if ! current_url=$(git config remote.src.url); then
git remote add src "$git_url"
elif [ $current_url != $git_url ]; then
git remote set-url src "$git_url"
fi
git fetch src
git checkout "$git_rev"
' \
| ssh "$target" env \
remote_dir="$remote_dir" \
git_rev="$git_rev" \
git_url="$git_url" \
/bin/sh


@ -1,14 +0,0 @@
#! /bin/sh
# undot_paths : lines path |> lines path
# Remove all dots (. and ..) from input paths.
set -euf
sed '
:0
s://\+:/:g
s:/\.\(/\|$\):\1:g
s:/[^/]\+/\.\.\(/\|$\):\1:g
s:^/\(\.\./\)\+:/:
t0
s:^$:/:
'

deploy

@ -1,16 +1,16 @@
#! /bin/sh #! /bin/sh
# #
# usage: ./deploy HOST [[USER@]HOST] # usage: ./deploy HOST
# #
set -euf set -euf
PATH="$PWD/bin${PATH+:$PATH}"
export PATH
user=root
host=$1 host=$1
config=./modules/$host/default.nix export PATH="$PWD/bin:$PATH"
target=${2-$user@$host} #export nixpkgs=/var/nixpkgs
export nixpkgs_root=$PWD/tmp/nixpkgs
export config_root=$PWD
export retiolum_hosts=$PWD/hosts
export secrets_root=$PWD/secrets
exec ssh-deploy "$config" "$target" exec nixos-deploy "$host"
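Review bot: Reading the sides from print order and the updated usage line, `export PATH="$PWD/bin:$PATH"` replaces the old pair `PATH="$PWD/bin${PATH+:$PATH}"` / `export PATH`, which tolerated an unset PATH; under `set -euf` the new form aborts in that case, and both forms leave a trailing colon when PATH is empty, which most shells treat as "search the current directory". `export PATH="$PWD/bin${PATH:+:$PATH}"` keeps the one-line form and covers both cases. The commented-out `#export nixpkgs=/var/nixpkgs` beside the new `export nixpkgs_root=$PWD/tmp/nixpkgs` is dead text; either drop it or turn it into a comment saying that nixpkgs worktrees now live under tmp/ (the reason for the `/tmp` .gitignore entry in this commit). The usage line now reads `./deploy HOST`, so the old `[[USER@]HOST]` override is gone and the target is fixed to root by the called scripts; the header should say so.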


@ -322,7 +322,7 @@ in
services.retiolum = { services.retiolum = {
enable = true; enable = true;
hosts = /etc/nixos/hosts; hosts = <retiolum-hosts>;
connectTo = [ connectTo = [
"gum" "gum"
"pigstarter" "pigstarter"


@ -1,11 +0,0 @@
#! /bin/sh
export PATH=$HOME/src/config/next/bin:$PATH
export nixpkgs=/var/nixpkgs
export config_root=$HOME/src/config
export retiolum_hosts=$HOME/src/config/hosts
export secrets_root=$HOME/src/config/secrets
export PS1='\[\e[1;35m\]config>\[\e[m\] '
cd /var/empty
exec /bin/sh