49 files changed, 860 insertions, 912 deletions
diff --git a/.gitignore b/.gitignore index a37850ab7..bad1d00ee 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /.graveyard /hosts /secrets +/tmp diff --git a/bin/_cac_curl_api_v1 b/bin/_cac_curl_api_v1 new file mode 100755 index 000000000..65acebd9a --- /dev/null +++ b/bin/_cac_curl_api_v1 @@ -0,0 +1,10 @@ +#! /bin/sh +set -euf + +exec _cac_exec curl -fsS "$1" "https://panel.cloudatcost.com/api/v1/$2.php" $( + shift 2 + set -- "$@" login="$cac_login" key="$cac_key" + for arg; do + echo -d $(printf '%s' "$arg" | urlencode) + done +) diff --git a/bin/_cac_exec b/bin/_cac_exec new file mode 100755 index 000000000..c932454e2 --- /dev/null +++ b/bin/_cac_exec @@ -0,0 +1,8 @@ +#! /bin/sh +set -euf + +if test -z "${cac_via-}"; then + exec "$@" +else + exec ssh -q "$cac_via" -t "$@" +fi diff --git a/bin/_cac_get_api_v1 b/bin/_cac_get_api_v1 new file mode 100755 index 000000000..67aac8560 --- /dev/null +++ b/bin/_cac_get_api_v1 @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_curl_api_v1 -G "$@" diff --git a/bin/_cac_post_api_v1 b/bin/_cac_post_api_v1 new file mode 100755 index 000000000..b946ed9fa --- /dev/null +++ b/bin/_cac_post_api_v1 @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_curl_api_v1 -XPOST "$@" diff --git a/bin/cac-cloudpro-build b/bin/cac-cloudpro-build new file mode 100755 index 000000000..782fa0d72 --- /dev/null +++ b/bin/cac-cloudpro-build @@ -0,0 +1,5 @@ +#! /bin/sh +set -euf + +# default os=26 is CentOS-7-64bit +exec _cac_post_api_v1 cloudpro/build cpu="$1" ram="$2" storage="$3" os="${4-26}" diff --git a/bin/cac-cloudpro-delete b/bin/cac-cloudpro-delete new file mode 100755 index 000000000..ee1dbbc7e --- /dev/null +++ b/bin/cac-cloudpro-delete @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_post_api_v1 cloudpro/delete sid="$1" diff --git a/bin/cac-cloudpro-resources b/bin/cac-cloudpro-resources new file mode 100755 index 000000000..9ec5872e7 --- /dev/null +++ b/bin/cac-cloudpro-resources 
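Review bot: In bin/_cac_curl_api_v1 the `login="$cac_login"` and `key="$cac_key"` pairs become `-d` arguments, so the API key sits in curl's argv where any local user can read it from `ps`, and when `cac_via` is set it additionally travels in the command line that `ssh -t` hands to the jump host's shell. Feeding the form fields to curl on stdin keeps them out of both process lists: curl's `-K -` reads a config from stdin, and since every value already went through urlencode (no quotes, no backslashes) they drop into the `data = "…"` syntax unchanged. The interface of the script (`method endpoint key=value…`) stays the same; if `cac_via` is used, the `-t` in _cac_exec should go so stdin is forwarded cleanly.
```sh
# … unchanged: shebang and set -euf …
method=$1
endpoint=$2
shift 2
set -- "$@" login="$cac_login" key="$cac_key"

# Hand the form fields to curl as a config on stdin (-K -) instead of argv,
# so the API key is not visible in ps or on the jump host's command line.
# urlencode leaves no quote or backslash in the values, so no extra quoting.
for arg; do
  printf 'data = "%s"\n' "$(printf '%s' "$arg" | urlencode)"
done | _cac_exec curl -fsS "$method" -K - \
  "https://panel.cloudatcost.com/api/v1/$endpoint.php"
```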
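Review bot: In bin/_cac_exec the `ssh -q "$cac_via" -t "$@"` branch joins the arguments with spaces and lets the remote login shell re-parse them, so an argument containing whitespace, quotes, `$` or glob characters is split or expanded on the jump host instead of reaching curl intact, whereas the local `exec "$@"` branch passes them verbatim — the two modes do not behave the same for the same input. Single-quoting each argument before it goes over the wire restores the intended semantics in plain sh, e.g. per argument `printf "'%s' " "$(printf '%s' "$a" | sed "s/'/'\\\\''/g")"` and then `ssh -q "$cac_via" -- "$quoted"`. The `-t` looks like a leftover from interactive use; for a non-interactive curl it only routes the JSON through a pty (or prints a warning when there is no local tty), so dropping it is presumably safe.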
@@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_get_api_v1 cloudpro/resources diff --git a/bin/cac-console b/bin/cac-console new file mode 100755 index 000000000..ed1cbd5ff --- /dev/null +++ b/bin/cac-console @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_post_api_v1 console sid="$1" diff --git a/bin/cac-get-server-by b/bin/cac-get-server-by new file mode 100755 index 000000000..b6d6b4ba3 --- /dev/null +++ b/bin/cac-get-server-by @@ -0,0 +1,17 @@ +#! /bin/sh +set -euf + +cac-listservers \ + | jq \ + --arg k "$1" \ + --arg v "$2" \ + ' + map(select(.[$k]==$v)) | + if (. | length) == 0 then + null + elif (. | length) == 1 then + .[0] + else + . + end + ' diff --git a/bin/cac-listservers b/bin/cac-listservers new file mode 100755 index 000000000..1e815d2af --- /dev/null +++ b/bin/cac-listservers @@ -0,0 +1,12 @@ +#! /bin/sh +set -euf + +listservers=$(_cac_get_api_v1 listservers) +status=$(echo "$listservers" | jq -r .status) + +if [ "$status" = ok ]; then + echo "$listservers" | jq -r .data +else + echo "$0: bad listservers status: $status" >&2 + exit 1 +fi diff --git a/bin/cac-listtasks b/bin/cac-listtasks new file mode 100755 index 000000000..14be3948a --- /dev/null +++ b/bin/cac-listtasks @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_get_api_v1 listtasks diff --git a/bin/cac-listtemplates b/bin/cac-listtemplates new file mode 100755 index 000000000..c4414e019 --- /dev/null +++ b/bin/cac-listtemplates @@ -0,0 +1,4 @@ +#! /bin/sh +set -euf + +exec _cac_get_api_v1 listtemplates diff --git a/bin/cac-powerop b/bin/cac-powerop new file mode 100755 index 000000000..c897835f0 --- /dev/null +++ b/bin/cac-powerop @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_post_api_v1 powerop sid="$1" action="$2" diff --git a/bin/cac-rdns b/bin/cac-rdns new file mode 100755 index 000000000..c2d9ecdab --- /dev/null +++ b/bin/cac-rdns @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_post_api_v1 rdns sid="$1" hostname="$2" 
diff --git a/bin/cac-renameserver b/bin/cac-renameserver new file mode 100755 index 000000000..f0eff9b3d --- /dev/null +++ b/bin/cac-renameserver @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_post_api_v1 renameserver sid="$1" name="$2" diff --git a/bin/cac-runmode b/bin/cac-runmode new file mode 100755 index 000000000..200b9fb79 --- /dev/null +++ b/bin/cac-runmode @@ -0,0 +1,3 @@ +#! /bin/sh +set -euf +exec _cac_post_api_v1 rdns sid="$1" mode="$2" diff --git a/bin/cac-ssh b/bin/cac-ssh new file mode 100755 index 000000000..a0ec5dcf3 --- /dev/null +++ b/bin/cac-ssh @@ -0,0 +1,17 @@ +#! /bin/sh +set -euf + +server=$1 +shift + +address=$(echo $server | jq -r .ip) +target=root@$address + +SSHPASS=$(echo $server | jq -r .rootpass) +export SSHPASS + +exec sshpass -e ssh \ + -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ + "$target" \ + "$@" diff --git a/bin/cacnixos-networking b/bin/cacnixos-networking new file mode 100755 index 000000000..4b246ebf1 --- /dev/null +++ b/bin/cacnixos-networking @@ -0,0 +1,28 @@ +#! /bin/sh +# cacnixos-networking : cac-server x hostname -> nixos-module +# TODO use label for hostname +set -euf + +server=$1 +hostname=$2 + +address=$(echo $server | jq -r .ip) +gateway=$(echo $server | jq -r .gateway) +nameserver=8.8.8.8 +netmask=$(echo $server | jq -r .netmask) +prefix=$(netmask-to-prefix $netmask) + +printf '{...}:\n' +printf '{\n' +printf ' networking.hostName = "%s";\n' $hostname +printf ' networking.interfaces.enp2s1.ip4 = [\n' +printf ' {\n' +printf ' address = "%s";\n' $address +printf ' prefixLength = %d;\n' $prefix +printf ' }\n' +printf ' ];\n' +printf ' networking.defaultGateway = "%s";\n' $gateway +printf ' networking.nameservers = [\n' +printf ' "%s"\n' $nameserver +printf ' ];\n' +printf '}\n' diff --git a/bin/copy-secrets b/bin/copy-secrets new file mode 100755 index 000000000..36854eaf1 --- /dev/null +++ b/bin/copy-secrets 
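Review bot: bin/cac-runmode posts to the `rdns` endpoint with `mode="$2"`, which reads like a copy-paste of cac-rdns; the deleted lib/cac.sh had the identical `_cac_post_api_v1 rdns sid="$1" mode="$2"` body, so the move to bin/ carried the slip over rather than fixing it. Presumably the intended line is `exec _cac_post_api_v1 runmode sid="$1" mode="$2"`; worth checking against the provider's API reference, since as written a run-mode change is sent to the reverse-DNS call.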
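Review bot: bin/cac-ssh sends the provider's root password (`SSHPASS` taken from `.rootpass`) with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, so the password goes to whatever answers at `.ip` and no host key is ever remembered. Replacing `/dev/null` with a persistent file, e.g. `-o UserKnownHostsFile=$HOME/.ssh/known_hosts.cac`, gives first-use pinning at no cost: the key is recorded on first contact, and on a later mismatch OpenSSH refuses password authentication even with `StrictHostKeyChecking=no`. The `echo $server | jq -r …` pipelines also leave `$server` unquoted under `set -f`-less callers, so a JSON value containing `*` or `?` is subject to pathname expansion in any shell that did not inherit `-f`; `printf '%s\n' "$server" | jq -r .ip` avoids relying on that.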
@@ -0,0 +1,28 @@ +#! /bin/sh +set -euf + +host=$1 + +target=root@$host + +nixos_config=$config_root/modules/$host +secrets_nix=$secrets_root/$host/nix +secrets_rsync=$secrets_root/$host/rsync + +if ! test -e "$secrets_rsync"; then + exit # nothing to do +fi + +retiolum_secret=$(nixos-query $host services.retiolum.privateKeyFile) +retiolum_uid=$(nixos-query $host users.extraUsers.retiolum-tinc.uid) + +ejabberd_secret=/etc/ejabberd/ejabberd.pem +ejabberd_uid=$(nixos-query $host users.extraUsers.ejabberd.uid) + +rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/" + +ssh "$target" -T <<EOF +set -euf +! test -f $retiolum_secret || chown -v $retiolum_uid:0 $retiolum_secret +! test -f $ejabberd_secret || chown -v $ejabberd_uid:0 $ejabberd_secret +EOF diff --git a/bin/infest-CentOS-7-64bit b/bin/infest-CentOS-7-64bit new file mode 100755 index 000000000..a8afea14b --- /dev/null +++ b/bin/infest-CentOS-7-64bit 
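Review bot: `rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"` in bin/copy-secrets transfers private keys without `-p` or `--chmod`, so the mode each secret gets on the host is derived from its mode in the local checkout and the remote umask; a key that is 0644 in `secrets/` lands world-readable under `/etc`, and the `chown` lines in the heredoc only fix ownership. Tightening the mode in the same remote step keeps the fix inside this script: `! test -f $retiolum_secret || chmod 0600 $retiolum_secret` and the same for `$ejabberd_secret` (the rsync alternative `--chmod=Fgo=` would strip group/other bits from every transferred file while leaving directories alone, which matters for a sync rooted at `/`, but its interaction with `--perms` differs between rsync versions, so verify before relying on it). The heredoc is unquoted, so the four `$…` variables are expanded locally and spliced into the remote command line unquoted; they come from nixos-query rather than from user input, but quoting them in the heredoc would make that assumption visible.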
@@ -0,0 +1,150 @@ +#! /bin/sh +set -euf + +server=$1 +hostname=$2 + +address=$(echo $server | jq -r .ip) +RSYNC_RSH='sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' +SSHPASS=$(echo $server | jq -r .rootpass) +export SSHPASS +export RSYNC_RSH + +main="modules/$hostname/default.nix" +target="root@$address" + +cacnixos-networking "$server" $hostname \ + > modules/$hostname/networking.nix + +echo '( + set -xeuf + type bzip2 || yum install -y bzip2 + type rsync || yum install -y rsync +)' \ + | sshpass -e ssh \ + -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ + "root@$address" \ + /bin/sh + +make-rsync-filter "$main" \ + | rsync -f '. -' -zvrlptD --delete-excluded ./ "$target":/etc/nixos/ + +# +# +# +echo '( + set -xeuf + groupadd -g 30000 nixbld || : + for i in `seq 1 10`; do + useradd -c "foolsgarden Nix build user $i" \ + -d /var/empty \ + -s /sbin/nologin \ + -g 30000 \ + -G 30000 \ + -l -u $(expr 30000 + $i) \ + nixbld$i || : + rm -f /var/spool/mail/nixbld$i + done + + #curl https://nixos.org/nix/install | sh + nix_tar=$nix_basename.tar.bz2 + if ! echo $nix_sha256 $nix_tar | sha256sum -c; then + curl -O -C - $nix_url || : + if ! echo $nix_sha256 $nix_tar | sha256sum -c; then + curl -O $nix_url || : + if ! echo $nix_sha256 $nix_tar | sha256sum -c; then + echo $0: cannot download $nix_url >&2 + exit 5 + fi + fi + fi + + if ! test -d $nix_basename; then + tar jxf $nix_basename.tar.bz2 + fi + + nix_find=$nix_basename.find.txt + if ! echo $nix_find_sha1sum $nix_find | sha1sum -c; then + find $nix_basename | sort > $nix_find + if ! echo $nix_find_sha1sum $nix_find | sha1sum -c; then + echo $0: cannot unpack $nix_basename.tar.bz2 >&2 + # TODO we could retry + exit 6 + fi + fi + + mkdir -p bin + PATH=$HOME/bin:$PATH + export PATH + + # generate fake sudo because + # sudo: sorry, you must have a tty to run sudo + { + echo "#! /bin/sh" + echo "exec env \"\$@\"" + } > bin/sudo + chmod +x bin/sudo + + ./$nix_basename/install + + . 
/root/.nix-profile/etc/profile.d/nix.sh + + nixpkgs_expr="import <nixpkgs> { system = builtins.currentSystem; }" + nixpkgs_path=$( + find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d + ) + + for i in nixos-generate-config nixos-install; do + nix-env \ + --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ + --arg pkgs "$nixpkgs_expr" \ + --arg modulesPath "throw \"no modulesPath\"" \ + -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ + -iA config.system.build.$i + done + + # TODO following fail when aborted in-between + if ! test -d /int; then + mkdir -p /int + mount --bind /int /mnt + fi + if ! test -d /mnt/boot; then + mkdir -p /mnt/boot + mount /dev/sda1 /mnt/boot + fi + + mkdir -p /mnt/etc/nixos + rsync -zvrlptD --delete-excluded /etc/nixos/ /mnt/etc/nixos/ + + mkdir -m 0444 -p /mnt/var/empty + + ln -s $main /mnt/etc/nixos/configuration.nix + nixos-install \ + -I secrets=/etc/nixos/secrets + + find / \ + 1> /root/pre-rsync-find.out \ + 2> /root/pre-rsync-find.err + + rsync -va --force /int/ / + + # find / -type f -mtime +1 -exec rm -v {} \; 2>&1 > rm.log + # ^ too aggressive, kills journal which is bad + # shutdown -r now + # nix-channel --add https://nixos.org/channels/nixos-unstable nixos + # nix-channel --remove nixpkgs + # nix-channel --update + +)' \ + | sshpass -e ssh \ + -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ + "root@$address" \ + -T /usr/bin/env \ + nix_url="$nix_url" \ + nix_basename="$(basename $nix_url .tar.bz2)" \ + nix_sha256="$nix_sha256" \ + nix_find_sha1sum="$nix_find_sha1sum" \ + main="$main" \ + /bin/sh diff --git a/bin/infest-cac b/bin/infest-cac new file mode 100755 index 000000000..d7d7bb96c --- /dev/null +++ b/bin/infest-cac 
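Review bot: The remote script writes `$HOME/bin/sudo` as `exec env "$@"` and prepends `$HOME/bin` to PATH so the Nix installer's sudo calls work without a tty, but nothing removes the shim afterwards, and the later `rsync -va --force /int/ /` overlay does not delete files under `/root`, so a fake `sudo` that performs no privilege check survives on the installed system. A `rm -f bin/sudo` right after `./$nix_basename/install` (or creating the shim in a `mktemp -d` directory that is removed on exit) closes that. Both `sshpass -e ssh` invocations in this file also combine `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so the provider root password is offered to whoever answers at `$address`; pointing `UserKnownHostsFile` at a persistent per-run file instead gives first-use pinning, since OpenSSH then declines password auth on a changed key. The sha256 check of the Nix tarball before `tar jxf` is the right thing and should be kept when `nix_url` is bumped.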
@@ -0,0 +1,21 @@ +#! /bin/sh +set -euf + +server=$(cac-get-server-by servername "$1") +hostname=$2 + +serverstatus=$(echo $server | jq -r .status) +case $serverstatus in + 'Powered On') : ;; + *) + echo $0: bad server status: $serverstatus >&2 + exit 2 +esac + +template=$(echo $server | jq -r .template) +case $template in + 'CentOS-7-64bit') infest-"$template" "$server" "$hostname";; + *) + echo $0: bad template: $template >&2 + exit 3 +esac diff --git a/bin/netmask-to-prefix b/bin/netmask-to-prefix new file mode 100755 index 000000000..1c4dbeb28 --- /dev/null +++ b/bin/netmask-to-prefix @@ -0,0 +1,12 @@ +#! /bin/sh +set -euf + +netmask=$1 + +binaryNetmask=$(echo $1 | sed 's/^/obase=2;/;s/\./;/g' | bc | tr -d \\n) +binaryPrefix=$(echo $binaryNetmask | sed -n 's/^\(1*\)0*$/\1/p') +if ! echo $binaryPrefix | grep -q .; then + echo $0: bad netmask: $netmask >&2 + exit 4 +fi +printf %s $binaryPrefix | tr -d 0 | wc -c diff --git a/bin/nixos-build b/bin/nixos-build new file mode 100755 index 000000000..a0c9551fa --- /dev/null +++ b/bin/nixos-build @@ -0,0 +1,25 @@ +#! /bin/sh +# +# build : hostname -> system-path +# +set -euf + +host=$1 + +#target=root@$host + +nixpkgs=$nixpkgs_root/$host +nixos_config=$config_root/modules/$host +secrets_nix=$secrets_root/$host/nix +secrets_rsync=$secrets_root/$host/rsync + +nixos-fetch-git "$host" + +nix-build \ + -I "$nixpkgs" \ + -I nixos-config="$nixos_config" \ + -I retiolum-hosts="$retiolum_hosts" \ + -I secrets="$secrets_nix" \ + -A system \ + --no-out-link \ + '<nixos>' diff --git a/bin/nixos-deploy b/bin/nixos-deploy new file mode 100755 index 000000000..6b8418696 --- /dev/null +++ b/bin/nixos-deploy @@ -0,0 +1,16 @@ +#! /bin/sh +# +# deploy +# +set -euf + +host=$1 +system=${2-$(nixos-build "$host")} + +target=root@$host + +nix-copy-closure --gzip --to "$target" "$system" + +copy-secrets "$host" + +ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch 
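Review bot: bin/netmask-to-prefix relies on `bc` to convert each octet, but bc prints no leading zeros, so `255.255.255.1` becomes `1111111111111111111111111` and passes the `^\(1*\)0*$` check as a /25, and `255.255.1.0` is accepted as a /17; octets above 255 are not rejected either (`256` → `100000000`, which also matches). The netmask comes from the provider API rather than from a user, so this is latent, but the generated networking.nix would silently carry a wrong prefix. Validating the quad and zero-padding each octet to eight bits before the pattern check fixes both; the rest of the script (pattern extraction and the `wc -c` count) is unchanged.
```sh
netmask=$1

# Reject anything that is not four decimal octets in 0..255 before touching bc.
set -- $(printf '%s' "$netmask" | tr . ' ')
if test $# -ne 4; then
  echo $0: bad netmask: $netmask >&2
  exit 4
fi
binaryNetmask=
for octet; do
  case $octet in
    ''|*[!0-9]*) echo $0: bad netmask: $netmask >&2; exit 4;;
  esac
  if test "$octet" -gt 255; then
    echo $0: bad netmask: $netmask >&2
    exit 4
  fi
  # bc drops leading zeros; pad back to 8 bits so 1 is 00000001, not 1
  binaryNetmask=$binaryNetmask$(printf '%08d' "$(echo "obase=2; $octet" | bc)")
done
# … unchanged: binaryPrefix extraction, sanity check and count …
```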
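Review bot: bin/nixos-build runs `nix-build … --no-out-link`, so the system closure it prints has no GC root; a `nix-collect-garbage` on the build machine between nixos-build and the `nix-copy-closure` in nixos-deploy removes the very path that is about to be copied, and the deploy then fails or, worse, copies a partially collected closure. Writing a result link instead, e.g. `-o "$nixpkgs_root/../result-$host"` (tmp/ is already git-ignored by this commit) or `-o "tmp/result-$host"`, keeps the path rooted for as long as the link exists while nix-build still prints it to stdout.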
diff --git a/bin/nixos-fetch-git b/bin/nixos-fetch-git new file mode 100755 index 000000000..7002208b5 --- /dev/null +++ b/bin/nixos-fetch-git @@ -0,0 +1,32 @@ +#! /bin/sh +# +# nixos-fetch-git : nixos-config -> ... +# +set -euf + +host=$1 + +target=root@$host + +git_rev=$(nixos-query "$host" nixpkgs.rev) +git_url=$(nixos-query "$host" nixpkgs.url) + +worktree=$nixpkgs_root/$host + +if [ ! -d "$worktree" ]; then + mkdir -p "$worktree" +fi + +cd "$worktree" + +git init -q + +if ! current_url=$(git config remote.src.url); then + git remote add src "$git_url" +elif [ "$current_url" != "$git_url" ]; then + git remote set-url src "$git_url" +fi + +git fetch src + +git checkout "$git_rev" diff --git a/bin/nixos-query b/bin/nixos-query new file mode 100755 index 000000000..65b5c9672 --- /dev/null +++ b/bin/nixos-query @@ -0,0 +1,21 @@ +#! /bin/sh +set -euf + +host=$1 +attr=$2 + +nixpkgs=$nixpkgs_root/$host +nixos_config=$config_root/modules/$host +secrets_nix=$secrets_root/$host/nix +secrets_rsync=$secrets_root/$host/rsync + +nix-instantiate \ + -I "$nixpkgs" \ + -I nixos-config="$nixos_config" \ + -I retiolum-hosts="$retiolum_hosts" \ + -I secrets="$secrets_nix" \ + -A config."$attr" \ + '<nixos>' \ + --eval \ + --json \ + | jq -r . diff --git a/bin/urlencode b/bin/urlencode new file mode 100755 index 000000000..02ca03075 --- /dev/null +++ b/bin/urlencode @@ -0,0 +1,35 @@ +#! /bin/sh +set -euf +exec sed ' + s/%/%25/g + s/ /%20/g + s/!/%21/g + s/"/%22/g + s/#/%23/g + s/\$/%24/g + s/\&/%26/g + s/'\''/%27/g + s/(/%28/g + s/)/%29/g + s/\*/%2a/g + s/+/%2b/g + s/,/%2c/g + s/-/%2d/g + s/\./%2e/g + s/\//%2f/g + s/:/%3a/g + s/;/%3b/g + s//%3e/g + s/?/%3f/g + s/@/%40/g + s/\[/%5b/g + s/\\/%5c/g + s/\]/%5d/g + s/\^/%5e/g + s/_/%5f/g + s/`/%60/g + s/{/%7b/g + s/|/%7c/g + s/}/%7d/g + s/~/%7e/g +' 
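Review bot: bin/nixos-fetch-git does `git fetch src` followed by `git checkout "$git_rev"` without checking what `nixpkgs.rev` is, so a branch or tag name checks out whatever the remote serves at fetch time and the host's build is no longer determined by its configuration; if a local branch with that name exists it is preferred over the remote ref as well. Requiring a full commit id makes the value an actual pin: e.g. `case $git_rev in *[!0-9a-f]*) echo "$0: nixpkgs.rev must be a commit hash" >&2; exit 1;; esac`, `test ${#git_rev} -eq 40 || exit 1`, and then `git checkout --detach "$git_rev"` so no same-named local ref can be selected. The `[ "$current_url" != "$git_url" ]` remote update is fine, but note that `git fetch src` with no refspec pulls every branch of the configured nixpkgs into `tmp/nixpkgs/$host`.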
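Review bot: In bin/urlencode the line shown as `s//%3e/g` cannot be right as rendered: an empty regex in sed reuses the previous pattern (`;`), so the line is a no-op, and there is no `%3c` entry at all. Presumably the checked-in file has `s/</%3c/g` and `s/>/%3e/g` and the page lost the angle brackets (the deleted lib/url.sh shows the same artifact), but it is worth confirming, since otherwise `<` and `>` pass through unencoded into the `-d` values. `=` is deliberately absent from the table because callers pass whole `key=value` strings; a one-line comment at the top, e.g. `# '=' is left alone: callers pass key=value pairs`, would stop the next reader from "completing" the table.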
@@ -1,15 +1,16 @@ #! /bin/sh # -# usage: ./deploy HOST [[USER@]HOST] +# usage: ./deploy HOST # set -euf -. ./lib/prelude.sh - -user=root host=$1 -config=./modules/$host/default.nix -target=${2-$user@$host} +export PATH="$PWD/bin:$PATH" +#export nixpkgs=/var/nixpkgs +export nixpkgs_root=$PWD/tmp/nixpkgs +export config_root=$PWD +export retiolum_hosts=$PWD/hosts +export secrets_root=$PWD/secrets -verbose deploy "$config" "$target" +exec nixos-deploy "$host" 
@@ -1,187 +1,15 @@ #! /bin/sh -set -xeuf +# +# usage: ./infest cac-servername hostname +# +set -euf -. ./lib/prelude.sh -. ./lib/cac.sh -. ./lib/cacnixos.sh +PATH="$PWD/bin${PATH+:$PATH}" +export PATH nix_url=https://nixos.org/releases/nix/nix-1.8/nix-1.8-x86_64-linux.tar.bz2 nix_sha256=52fab207b4ce4d098a12d85357d0353e972c492bab0aa9e08e1600363e76fefb nix_find_sha1sum=86f8775bd4f0841edd4c816df861cebf509d58c3 +export nix_url nix_sha256 nix_find_sha1sum -# This is somewhat required because cloudatcost requires whitelisting -# of hosts. If you whitelist your localhost, then leave this empty. -# cac_via= -# -# cac_key= -# cac_login= -# cac_servername= - -# hostname= - -main() { - server=$(cac_getserver_by_servername "$cac_servername") - - serverstatus=$(echo $server | jq -r .status) - case $serverstatus in - 'Powered On') : ;; - *) - echo $0: bad server status: $serverstatus >&2 - exit 2 - esac - - template=$(echo $server | jq -r .template) - case $template in - 'CentOS-7-64bit') infest_centos7_64bit "$server";; - *) - echo $0: bad template: $template >&2 - exit 3 - esac -} - - -infest_centos7_64bit() { - server=$1 - address=$(echo $server | jq -r .ip) - RSYNC_RSH='sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' - SSHPASS=$(echo $server | jq -r .rootpass) - export SSHPASS - export RSYNC_RSH - - main="modules/$hostname/default.nix" - target="root@$address" - - cacnixos_networking "$server" $hostname \ - > modules/$hostname/networking.nix - - echo '( - set -xeuf - type bzip2 || yum install -y bzip2 - type rsync || yum install -y rsync - )' \ - | sshpass -e ssh \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - "root@$address" \ - /bin/sh - - rsync_filter "$main" \ - | rsync -f '. 
-' -zvrlptD --delete-excluded ./ "$target":/etc/nixos/ - - # - # - # - echo '( - set -xeuf - groupadd -g 30000 nixbld || : - for i in `seq 1 10`; do - useradd -c "foolsgarden Nix build user $i" \ - -d /var/empty \ - -s /sbin/nologin \ - -g 30000 \ - -G 30000 \ - -l -u $(expr 30000 + $i) \ - nixbld$i || : - rm -f /var/spool/mail/nixbld$i - done - - #curl https://nixos.org/nix/install | sh - nix_tar=$nix_basename.tar.bz2 - if ! echo $nix_sha256 $nix_tar | sha256sum -c; then - curl -O -C - $nix_url || : - if ! echo $nix_sha256 $nix_tar | sha256sum -c; then - curl -O $nix_url || : - if ! echo $nix_sha256 $nix_tar | sha256sum -c; then - echo $0: cannot download $nix_url >&2 - exit 5 - fi - fi - fi - - if ! test -d $nix_basename; then - tar jxf $nix_basename.tar.bz2 - fi - - nix_find=$nix_basename.find.txt - if ! echo $nix_find_sha1sum $nix_find | sha1sum -c; then - find $nix_basename | sort > $nix_find - if ! echo $nix_find_sha1sum $nix_find | sha1sum -c; then - echo $0: cannot unpack $nix_basename.tar.bz2 >&2 - # TODO we could retry - exit 6 - fi - fi - - mkdir -p bin - PATH=$HOME/bin:$PATH - export PATH - - # generate fake sudo because - # sudo: sorry, you must have a tty to run sudo - { - echo "#! /bin/sh" - echo "exec env \"\$@\"" - } > bin/sudo - chmod +x bin/sudo - - ./$nix_basename/install - - . /root/.nix-profile/etc/profile.d/nix.sh - - nixpkgs_expr="import <nixpkgs> { system = builtins.currentSystem; }" - nixpkgs_path=$( - find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d - ) - - for i in nixos-generate-config nixos-install; do - nix-env \ - --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ - --arg pkgs "$nixpkgs_expr" \ - --arg modulesPath "throw \"no modulesPath\"" \ - -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ - -iA config.system.build.$i - done - - # TODO following fail when aborted in-between - if ! test -d /int; then - mkdir -p /int - mount --bind /int /mnt - fi - if ! 
test -d /mnt/boot; then - mkdir -p /mnt/boot - mount /dev/sda1 /mnt/boot - fi - - mkdir -p /mnt/etc/nixos - rsync -zvrlptD --delete-excluded /etc/nixos/ /mnt/etc/nixos/ - - mkdir -m 0444 -p /mnt/var/empty - - ln -s $main /mnt/etc/nixos/configuration.nix - nixos-install \ - -I secrets=/etc/nixos/secrets - - rsync -va --force /int/ / - - # find / -type f -mtime +1 -exec rm -v {} \; 2>&1 > rm.log - # ^ too aggressive, kills journal which is bad - # shutdown -r now - # nix-channel --add https://nixos.org/channels/nixos-unstable nixos - # nix-channel --remove nixpkgs - # nix-channel --update - - )' \ - | sshpass -e ssh \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - "root@$address" \ - -T /usr/bin/env \ - nix_url="$nix_url" \ - nix_basename="$(basename $nix_url .tar.bz2)" \ - nix_sha256="$nix_sha256" \ - nix_find_sha1sum="$nix_find_sha1sum" \ - main="$main" \ - /bin/sh -} - -main "$@" +exec infest-cac "$@" diff --git a/lib/cac.sh b/lib/cac.sh deleted file mode 100644 index fea6886be..000000000 --- a/lib/cac.sh +++ /dev/null 
@@ -1,105 +0,0 @@ -. ./lib/url.sh - -cac_ssh() {( - server=$1 - shift - - address=$(echo $server | jq -r .ip) - target=root@$address - - SSHPASS=$(echo $server | jq -r .rootpass) - export SSHPASS - - exec sshpass -e ssh \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - "$target" \ - "$@" -)} - -cac_getserver_by_servername() {( - serverlist=$(cac_listservers) - echo $serverlist \ - | jq \ - --arg name "$1" \ - '.[]|select(.servername==$name)' -)} - - -cac_listservers() {( - listservers=$(_cac_get_api_v1 listservers) - status=$(echo "$listservers" | jq -r .status) - if [ "$status" = ok ]; then - echo "$listservers" | jq -r .data - else - echo "$0: bad listservers status: $status" >&2 - exit 1 - fi -)} - -cac_listtasks() { - _cac_get_api_v1 listtasks -} - -cac_listtemplates() { - _cac_get_api_v1 listtemplates -} - -cac_console() { - _cac_post_api_v1 console sid="$1" -} - -cac_powerop() { - _cac_post_api_v1 powerop sid="$1" action="$2" -} - -cac_renameserver() { - _cac_post_api_v1 renameserver sid="$1" name="$2" -} - -cac_rnds() { - _cac_post_api_v1 rdns sid="$1" hostname="$2" -} - -cac_runmode() { - _cac_post_api_v1 rdns sid="$1" mode="$2" -} - -# default os=26 is CentOS-7-64bit -cac_cloudpro_build() { - _cac_post_api_v1 cloudpro/build cpu="$1" ram="$2" storage="$3" os="${4-26}" -} - -cac_cloudpro_delete() { - _cac_post_api_v1 cloudpro/delete sid="$1" -} - -cac_cloudpro_resources() { - _cac_get_api_v1 cloudpro/resources -} - -_cac_get_api_v1() { - _cac_curl_api_v1 -G "$@" -} - -_cac_post_api_v1() { - _cac_curl_api_v1 -XPOST "$@" -} - -_cac_curl_api_v1() { - _cac_exec curl -fsS "$1" "https://panel.cloudatcost.com/api/v1/$2.php" $( - shift 2 - set -- "$@" login="$cac_login" key="$cac_key" - for arg; do - echo -d $(printf '%s' "$arg" | url_encode) - done - ) -} - -_cac_exec() { - if test -z "${cac_via-}"; then - (exec "$@") - else - ssh -q "$cac_via" -t "$@" - fi -} 
diff --git a/lib/cacnixos.sh b/lib/cacnixos.sh deleted file mode 100644 index 24502d694..000000000 --- a/lib/cacnixos.sh +++ /dev/null @@ -1,28 +0,0 @@ -. ./lib/net.sh - -# cacnixos_networking : cac-server x hostname -> nixos-module -cacnixos_networking() {( - server=$1 - hostname=$2 - - address=$(echo $server | jq -r .ip) - gateway=$(echo $server | jq -r .gateway) - nameserver=8.8.8.8 - netmask=$(echo $server | jq -r .netmask) - prefix=$(net_netmask_to_prefix $netmask) - - printf '{...}:\n' - printf '{\n' - printf ' networking.hostName = "%s";\n' $hostname - printf ' networking.interfaces.enp2s1.ip4 = [\n' - printf ' {\n' - printf ' address = "%s";\n' $address - printf ' prefixLength = %d;\n' $prefix - printf ' }\n' - printf ' ];\n' - printf ' networking.defaultGateway = "%s";\n' $gateway - printf ' networking.nameservers = [\n' - printf ' "%s"\n' $nameserver - printf ' ];\n' - printf '}\n' -)} diff --git a/lib/net.sh b/lib/net.sh deleted file mode 100644 index 518c955b6..000000000 --- a/lib/net.sh +++ /dev/null @@ -1,9 +0,0 @@ -net_netmask_to_prefix() {( - binaryNetmask=$(echo $1 | sed 's/^/obase=2;/;s/\./;/g' | bc | tr -d \\n) - binaryPrefix=$(echo $binaryNetmask | sed -n 's/^\(1*\)0*$/\1/p') - if ! echo $binaryPrefix | grep -q .; then - echo $0: bad netmask: $netmask >&2 - exit 4 - fi - printf %s $binaryPrefix | tr -d 0 | wc -c -)} diff --git a/lib/prelude.sh b/lib/prelude.sh deleted file mode 100644 index 2adfb5651..000000000 --- a/lib/prelude.sh +++ /dev/null 
@@ -1,261 +0,0 @@ -# clone_or_update : [user@]hostname x local_dir x git_url x git_rev -> () -clone_or_update() {( - target=$1 - nixpkgs_dir=$2 - git_url=$3 - git_rev=$4 - - echo ' - set -euf - - if [ ! -d "$nixpkgs_dir" ]; then - mkdir -p "$nixpkgs_dir" - fi - - cd "$nixpkgs_dir" - - git init -q - - if ! current_url=$(git config remote.src.url); then - git remote add src "$git_url" - elif [ $current_url != $git_url ]; then - git remote set-url src "$git_url" - fi - - git fetch src - - git checkout "$git_rev" - ' \ - | ssh "$target" env \ - nixpkgs_dir="$nixpkgs_dir" \ - git_rev="$git_rev" \ - git_url="$git_url" \ - /bin/sh -)} - -# deploy : nixos-config x [user@]hostname -> () -deploy() {( - main=$1 - target=$2 - nixpkgs_dir=/var/nixpkgs # TODO make configurable - - git_url=$(nixpkgs_url $main) - git_rev=$(nixpkgs_rev $main) - - if [ "$git_url" = '' ] || [ "$git_rev" = '' ]; then - echo "specify nixpkgs.url and nixpkgs.rev in $main !" - exit 23 - fi - - filter=$(rsync_filter "$main") - - echo "$filter" \ - | rsync -f '. -' -zvrlptD --delete-excluded ./ "$target":/etc/nixos/ - - clone_or_update "$target" "$nixpkgs_dir" "$git_url" "$git_rev" - ssh "$target" nixos-rebuild switch \ - -I nixos-config=/etc/nixos/"$main" \ - -I nixpkgs="$nixpkgs_dir" \ - -I secrets=/etc/nixos/secrets \ -)} - -# rsync_filter : nixos-config -> rsync-filter -rsync_filter() {( - main=$1 - - hosts=$(list_hosts) - module_imports=$(set -euf; list_module_imports "$main") - other_imports=$( - echo "$module_imports" \ - | xargs grep -H . 
\ - | import_statements \ - | slash_path_relpath \ - | undot_paths \ - | sort \ - | uniq \ - | sed '/\.nix$/!s:$:/default.nix:' \ - ) - secrets=$(echo "$module_imports" | xargs cat | quoted_strings | filter_secrets) - - # TODO collect all other paths from *_imports - - abs_deps=$( - echo "$hosts" - echo "$module_imports" - echo "$other_imports" - echo "$secrets" - ) - - rel_deps=$(echo "$abs_deps" | make_relative_to "$PWD") - filter=$(echo "$rel_deps" | make_rsync_whitelist) - - echo "$filter" -)} - -# list_module_imports : nix-file -> lines nix-file -list_module_imports() { - if echo "$1" | grep -q ^/; then - : - else - set -- "./$1" - fi - imports=$(nix-instantiate \ - -I secrets=secrets \ - --strict \ - --json \ - --eval \ - -E \ - "with builtins; with import ./lib/modules.nix; map toString (list-imports $1)") - echo "$imports" \ - | jq -r .[] -} - -# list_hosts : lines tinc-host-file -# Precondition: $PWD/hosts is the correct repository :) -list_hosts() { - git -C hosts ls-tree --name-only HEAD \ - | awk '{print ENVIRON["PWD"]"/hosts/"$$0}' -} - -# filter_secrets : lines string |> lines secrets-file-candidate -# Notice how false positives are possible. -filter_secrets() { - sed -n 's:^\(.*/\)\?\(secrets/.*\):'"${PWD//:/\\:}"'/\2:p' -} - -# import_statements : lines (path ":" string) |> lines (path ":" relpath) -import_statements() { - sed -n ' - s@^\([^:]\+:\)\('"$(bre_invert_word import)"'\)*\<import\s\+@\1@ - t1;d - :1; s@^\([^:]\+:\)\(\.*/\S*\)@\1\2\n@ - t2;d - :2; P;D - ' -} - -# slash_path_relpath : lines (path ":" relpath) |> lines path -# -# Example: "/foo/bar: baz" => "/foo/baz" -# -slash_path_relpath() { - sed -n 's@/[^/]\+:@/@p' -} - -# undot_paths : lines path |> lines path -# Remove all dots (. and ..) from input paths. 
-undot_paths() { - sed ' - :0 - s://\+:/:g - s:/\.\(/\|$\):\1:g - s:/[^/]\+/\.\.\(/\|$\):\1:g - s:^/\(\.\./\)\+:/: - t0 - s:^$:/: - ' -} - -# quoted_strings : lines string |> lines string -# Extract all (double-) quoted strings from stdin. -# -# 0. find begin of string or skip line -# 1. find end of string or skip line -# 2. print string and continue after string -quoted_strings() { - sed ' - s:[^"]*":: ;t1;d - :1; s:\(\([^"]\|\\"\)*\)":\1\n: ;t2;d - :2; P;D - ' \ - | sed 's:\\":":g' -} - -# bre_escape : lines string |> lines bre-escaped-string -bre_escape() { - sed 's:[\.\[\\\*\^\$]:\\&:g' -} - -# bre_invert_word : string -> BRE -# TODO escape chars in the resulting BRE. -bre_invert_word() { - awk -v input="$1" ' - BEGIN { - split(input,s,"") - for (i in s) { - c=s[i] - printf "\\|%s[^%s]", y, c - y = y c - } - } - ' -} - -# ls_bre : directory -> BRE -# Create a BRE from the files in a directory. -ls_bre() { - ls "$1" \ - | tr \\n / \ - | sed ' - s:[\.\[\\\*\^\$]:\\&:g - s:/$:: - s:/:\\|:g - ' -} - -# make_relative_to : lines path |> directory -> lines path -# Non-matching paths won't get altered. -make_relative_to() { - sed "s:^$(echo "$1/" | bre_escape | sed 's/:/\\:/g')::" -} - -# make_rsync_whitelist : lines relpath |> liens rsync-filter -make_rsync_whitelist() { - set -- "$(cat)" - - # include all files in stdin and their directories - { - echo "$1" - echo "$1" | make_parent_dirs | sort | uniq - } \ - | sed 's|^|+ /|' - - # exclude everything else - echo '- *' -} - -# make_parent_dirs : lines path |> lines directory -# List all parent directories of a path. -make_parent_dirs() { - set -- "$(sed -n 's|/[^/]*$||p' | grep . | sort | uniq)" - if echo "$1" | grep -q .; then - echo "$1" - echo "$1" | make_parent_dirs - fi -} - -# nixpkgs_url : nixos-config -> git_url -nixpkgs_url() { - nix-instantiate \ - -I nixos-config="$1" \ - --eval \ - --json \ - -E '(import <nixos-config> {config={}; pkgs={};}).nixpkgs.url' 2> /dev/null \ - | jq -r . 
-} - -# nixpkgs_rev : nixos-config -> git_rev -nixpkgs_rev() { - nix-instantiate \ - -I nixos-config="$1" \ - --eval \ - --json \ - -E '(import <nixos-config> {config={}; pkgs={};}).nixpkgs.rev' 2> /dev/null \ - | jq -r . 2> /dev/null -} - -# verbose COMMAND [ARGS...] -verbose() { - echo "$@" >&2 - "$@" -} diff --git a/lib/url.sh b/lib/url.sh deleted file mode 100644 index 05f93a94f..000000000 --- a/lib/url.sh +++ /dev/null @@ -1,35 +0,0 @@ -url_encode() { - sed ' - s/%/%25/g - s/ /%20/g - s/!/%21/g - s/"/%22/g - s/#/%23/g - s/\$/%24/g - s/\&/%26/g - s/'\''/%27/g - s/(/%28/g - s/)/%29/g - s/\*/%2a/g - s/+/%2b/g - s/,/%2c/g - s/-/%2d/g - s/\./%2e/g - s/\//%2f/g - s/:/%3a/g - s/;/%3b/g - s//%3e/g - s/?/%3f/g - s/@/%40/g - s/\[/%5b/g - s/\\/%5c/g - s/\]/%5d/g - s/\^/%5e/g - s/_/%5f/g - s/`/%60/g - s/{/%7b/g - s/|/%7c/g - s/}/%7d/g - s/~/%7e/g - ' -} diff --git a/modules/cd/default.nix b/modules/cd/default.nix index 3ee370443..7ceaf71f3 100644 --- a/modules/cd/default.nix +++ b/modules/cd/default.nix @@ -3,7 +3,7 @@ { imports = [ - <secrets/cd.hashedPasswords.nix> + <secrets/hashedPasswords.nix> ./iptables.nix ./networking.nix ../common/nixpkgs.nix diff --git a/modules/lass/gitolite-base.nix b/modules/lass/gitolite-base.nix new file mode 100644 index 000000000..1448e8604 --- /dev/null +++ b/modules/lass/gitolite-base.nix 
@@ -0,0 +1,173 @@ +{ config, ... }: + +{ + services.gitolite = { + mutable = false; + keys = { + lass = config.sshKeys.lass.pub; + uriel = config.sshKeys.uriel.pub; + }; + rc = '' + %RC = ( + UMASK => 0077, + GIT_CONFIG_KEYS => "", + LOG_EXTRA => 1, + ROLES => { + READERS => 1, + WRITERS => 1, + }, + LOCAL_CODE => "$ENV{HOME}/.gitolite", + ENABLE => [ + 'help', + 'desc', + 'info', + 'perms', + 'writable', + 'ssh-authkeys', + 'git-config', + 'daemon', + 'gitweb', + 'repo-specific-hooks', + ], + ); + 1; + ''; + + hooks.repoSpecific = { + irc-announce = '' + #! /bin/sh + set -euf + + config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" + if test -f "$config_file"; then + . "$config_file" + fi + + # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update + # any relevant gitolite LOCAL_CODE! + # CAVEAT we hope that IRC_NICK is unique + IRC_NICK="''${IRC_NICK-gl$GL_TID}" + IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" + IRC_SERVER="''${IRC_SERVER-ire.retiolum}" + IRC_PORT="''${IRC_PORT-6667}" + + # for privmsg_cat below + export IRC_CHANNEL + + # collect users that are mentioned in the gitolite configuration + interested_users="$(perl -e ' + do "gl-conf"; + print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); + ')" + + # CAVEAT beware of real TABs in grep pattern! + # CAVEAT there will never be more than 42 relevant log entries! 
+ tab=$(printf '\x09') + log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" + + update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" + + # (debug output) + env | sed 's/^/env: /' + echo "$log" | sed 's/^/log: /' + + # see http://gitolite.com/gitolite/dev-notes.html#lff + reponame=$(echo "$update_log" | cut -f 4) + username=$(echo "$update_log" | cut -f 5) + ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') + old_sha=$(echo "$update_log" | cut -f 8) + new_sha=$(echo "$update_log" | cut -f 9) + + # check if new branch is created + if test $old_sha = 0000000000000000000000000000000000000000; then + # TODO what should we really show? + old_sha=$new_sha^ + fi + + # + git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" + commit_count=$(echo "$git_log" | wc -l) + + # echo2 and cat2 are used output to both, stdout and stderr + # This is used to see what we send to the irc server. (debug output) + echo2() { echo "$*"; echo "$*" >&2; } + cat2() { tee /dev/stderr; } + + # privmsg_cat transforms stdin to a privmsg + privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + # ircin is used to feed the output of netcat back to the "irc client" + # so we can implement expect-like behavior with sed^_^ + # XXX mkselfdestructingtmpfifo would be nice instead of this cruft + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + # + # + # + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + sed -n '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + echo "$interested_users" \ + | tr ' ' '\n' \ + | grep -v "^$GL_USER" \ + | sed 's/$/: poke/' \ + | privmsg_cat \ + | cat2 + + printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ + "$reponame" \ + "$username" \ + "$commit_count" \ + "$(test $commit_count 
= 1 || echo s)" \ + "$(hostname)" \ + "$ref_name" \ + | privmsg_cat \ + | cat2 + + echo "$git_log" \ + | sed 's/^/\x0314/;s/ /\x03 /' \ + | privmsg_cat \ + | cat2 + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + ''; + }; + customFiles = [ + { + filename = ".gitolite/conf/irc-announce.conf"; + content = '' + IRC_NICK="$(hostname)$GL_TID" + case "$GL_REPO" in + brain|painload|services|load-env|config) + IRC_CHANNEL='#retiolum' + ;; + *) + IRC_CHANNEL='&testing' + ;; + esac + ''; + } + ]; + }; +} diff --git a/modules/lass/sshkeys.nix b/modules/lass/sshkeys.nix index 24c056644..f2b0786e5 100644 --- a/modules/lass/sshkeys.nix +++ b/modules/lass/sshkeys.nix @@ -6,4 +6,6 @@ ]; config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors"; + + config.sshKeys.uriel.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExWuRcltGM2FqXO695nm6/QY3wU3r1bDTyCpMrLfUSym7TxcXDSmZSWcueexPXV6GENuUfjJPZswOdWqIo5u2AXw9t0aGvwEDmI6uJ7K5nzQOsXIneGMdYuoOaAzWI8pxZ4N+lIP1HsOYttIPDp8RwU6kyG+Ud8mnVHWSTO13C7xC9vePnDP6b+44nHS691Zj3X/Cq35Ls0ISC3EM17jreucdP62L3TKk2R4NCm3Sjqj+OYEv0LAqIpgqSw5FypTYQgNByxRcIcNDlri63Q1yVftUP1338UiUfxtraUu6cqa2CdsHQmtX5mTNWEluVWO3uUKTz9zla3rShC+d3qvr lass@uriel"; } diff --git a/modules/lass/urxvt.nix b/modules/lass/urxvt.nix index 9c9702e58..889f768ac 100644 --- a/modules/lass/urxvt.nix +++ b/modules/lass/urxvt.nix 
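Review bot: In the irc-announce hook the output of `git log $old_sha..$new_sha --pretty=oneline --abbrev-commit` goes through `privmsg_cat` straight to `nc`, so a pusher controls part of the bytes on the IRC socket; a commit subject containing a carriage return terminates the PRIVMSG early and the remainder is parsed by the server as a new command from the bot (a PRIVMSG to another channel, QUIT, and so on). `$ref_name` and `$username` come from the gitolite log and are bot-side, but the subject is free-form, so strip control characters before the colour codes are added, e.g. `| tr -d '\000-\037' \` as the first filter after `echo "$git_log" \` (the `\x03`/`\x0314` colours are inserted by the following sed and are unaffected). The `{ … } < ircin | nc … | tee -a ircin` construct also has no deadline: if the server never echoes the PART, the `sed -n '/… PART /q'` waits forever and the hook holds the push, so wrapping `nc` in `timeout` or bounding the waits would be worth considering.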
@@ -31,31 +31,10 @@ in URxvt.intensityStyles: false - !solarized colors - URxvt*fading: 5 - URxvt*background: #002b36 - URxvt*foreground: #657b83 - URxvt*fadeColor: #002b36 - URxvt*cursorColor: #93a1a1 - URxvt*pointerColorBackground: #586e75 - URxvt*pointerColorForeground: #93a1a1 - URxvt*colorUL: #859900 - URxvt*colorBD: #268bd2 - URxvt*color0: #073642 - URxvt*color8: #002b36 - URxvt*color1: #dc322f - URxvt*color9: #cb4b16 - URxvt*color2: #859900 - URxvt*color10: #586e75 - URxvt*color3: #b58900 - URxvt*color11: #657b83 + URxvt*background: #000000 + URxvt*foreground: #ffffff + + !change unreadable blue URxvt*color4: #268bd2 - URxvt*color12: #839496 - URxvt*color5: #d33682 - URxvt*color13: #6c71c4 - URxvt*color6: #2aa198 - URxvt*color14: #93a1a1 - URxvt*color7: #eee8d5 - URxvt*color15: #fdf6e3 ''; } diff --git a/modules/lass/vim.nix b/modules/lass/vim.nix index e277bd725..1000b8da6 100644 --- a/modules/lass/vim.nix +++ b/modules/lass/vim.nix @@ -1,9 +1,20 @@ { config, pkgs, ... }: -{ - - environment.systemPackages = with pkgs; [ - (vim_configurable.customize { +let + customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { + name = "Mustang2"; + src = pkgs.fetchFromGitHub { + owner = "croaker"; + repo = "mustang-vim"; + rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; + sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; + }; + }; + +in { + + environment.systemPackages = [ + (pkgs.vim_configurable.customize { name = "vim"; vimrcConfig.customRC = '' @@ -12,7 +23,7 @@ syntax on " TODO autoload colorscheme file set background=dark - colorscheme solarized + colorscheme mustang filetype off filetype plugin indent on @@ -47,8 +58,6 @@ "Tabwidth set ts=2 sts=2 sw=2 et - autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et - autocmd BufRead *.hs set ts=4 sts=4 sw=4 et " create Backup/tmp/undo dirs function! InitBackupDir() 
@@ -79,15 +88,26 @@ set viminfo='20,<1000,s100,h,n~/.vim/tmp/info set undodir=$HOME/.vim/undo set undofile + + " highlight whitespaces + highlight ExtraWhitespace ctermbg=red guibg=red + match ExtraWhitespace /\s\+$/ + autocmd BufWinEnter * match ExtraWhitespace /\s\+$/ + autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/ + autocmd InsertLeave * match ExtraWhitespace /\s\+$/ + autocmd BufWinLeave * call clearmatches() + + "ft specific stuff + autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et + autocmd BufRead *.hs set ts=4 sts=4 sw=4 et ''; - vimrcConfig.vam.knownPlugins = vimPlugins; + vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; vimrcConfig.vam.pluginDictionaries = [ - { name = "Gundo"; } - { name = "commentary"; } - { name = "vim-addon-nix"; } - { name = "colors-solarized"; } + { names = [ "Gundo" "commentary" "mustang2" ]; } + { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } ]; + }) ]; } diff --git a/modules/lass/virtualbox.nix b/modules/lass/virtualbox.nix index 82d32bb1a..026203124 100644 --- a/modules/lass/virtualbox.nix +++ b/modules/lass/virtualbox.nix @@ -12,7 +12,7 @@ in { description = "user for running VirtualBox"; home = "/home/virtual"; useDefaultShell = true; - extraGroups = [ "vboxusers" ]; + extraGroups = [ "vboxusers" "audio" ]; createHome = true; }; }; diff --git a/modules/lass/wine.nix b/modules/lass/wine.nix index b9413d662..8d55da7fd 100644 --- a/modules/lass/wine.nix +++ b/modules/lass/wine.nix @@ -13,7 +13,7 @@ in { description = "user for running wine"; home = "/home/wine"; useDefaultShell = true; - extraGroups = []; + extraGroups = [ "audio" ]; createHome = true; }; }; diff --git a/modules/mors/default.nix b/modules/mors/default.nix index 8768cd1ec..6dfd05039 100644 --- a/modules/mors/default.nix +++ b/modules/mors/default.nix 
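Review bot: Adding `"audio"` to `extraGroups` for the dedicated `virtual` user widens what that isolation user can reach (the sound device nodes), and the same widening is applied to the `wine` user in modules/lass/wine.nix; neither hunk records why. A short comment next to each list, e.g. `# "audio": guests/Windows apps need the sound devices; nothing else is granted`, keeps the intent visible the next time these group lists are audited. The enclosing user definitions start outside both hunks.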
@@ -24,10 +24,11 @@ ../lass/binary-caches.nix ../lass/ircd.nix ../../secrets/mors-pw.nix + ./repos.nix ]; nixpkgs = { url = "https://github.com/Lassulus/nixpkgs"; - rev = "eba85883a07a9fc414d7860f8d6fee4d9f09b2ac"; + rev = "0b1dfed50d9ec2222b94d68f84376f66e82d19e3"; }; networking.hostName = "mors"; @@ -54,8 +55,6 @@ initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; #kernelModules = [ "kvm-intel" "msr" ]; kernelModules = [ "msr" ]; - extraModprobeConfig = '' - ''; }; fileSystems = { "/" = { @@ -145,7 +144,6 @@ ''; services.xserver = { - videoDriver = "intel"; vaapiDrivers = [ pkgs.vaapiIntel ]; deviceSection = '' diff --git a/modules/mors/repos.nix b/modules/mors/repos.nix new file mode 100644 index 000000000..6d3cf2157 --- /dev/null +++ b/modules/mors/repos.nix @@ -0,0 +1,75 @@ +{ ... }: + +{ + imports = [ + ../lass/gitolite-base.nix + ]; + + services.gitolite = { + repos = { + + config = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + pass = { + users = { + lass = "RW+"; + uriel = "R"; + }; + }; + + load-env = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + emse-hsdb = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + painload = { + users = { + lass = "RW+"; + tv = "R"; + makefu = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + brain = { + users = { + lass = "RW+"; + tv = "R"; + makefu = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + services = { + users = { + lass = "RW+"; + tv = "R"; + makefu = "R"; + reaktor = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + }; + }; +} diff --git a/modules/tv/ejabberd.nix b/modules/tv/ejabberd.nix index e836d2cdd..008fe2cda 100644 --- a/modules/tv/ejabberd.nix 
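Review bot: modules/mors/repos.nix is byte-identical to the new modules/uriel/repos.nix (both are blob 6d3cf2157), so the complete gitolite access list now lives in two files; a permission granted or revoked on one host will silently diverge from the other unless both are edited in step. Consider moving the `repos` attribute set into a shared module next to ../lass/gitolite-base.nix, which both files already import, and keeping only host-specific overrides per host. Within the file, `extraConfig = "option hook.post-receive = irc-announce"` is repeated six times; a `let` binding such as `announce = "option hook.post-receive = irc-announce";` would make it one string to maintain.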
+++ b/modules/tv/ejabberd.nix @@ -221,7 +221,7 @@ in %% file and uncomment this line: %% starttls, - {certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}, + {certfile, "/etc/ejabberd/ejabberd.pem"}, {access, c2s}, {shaper, c2s_shaper}, @@ -274,7 +274,7 @@ in %% %% s2s_certfile: Specify a certificate file. %% - {s2s_certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}. + {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. %% %% domain_certfile: Specify a different certificate for each served hostname. diff --git a/modules/uriel/default.nix b/modules/uriel/default.nix index 5ff37117d..3d7935362 100644 --- a/modules/uriel/default.nix +++ b/modules/uriel/default.nix 
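Review bot: The certificate path now points at `/etc/ejabberd/ejabberd.pem`, a location outside the `secrets` tree that nothing in this commit provisions; if that file (which presumably also carries the private key) is absent or readable by more than the ejabberd service user, c2s STARTTLS and, in the second hunk, `s2s_certfile` both break or leak at startup. A comment above the `certfile` line such as `%% ejabberd.pem is deployed out of band; must be owned by the service user, mode 0400`, or an `environment.etc` entry in the NixOS module that installs it with those permissions, would state the contract. The enclosing configuration string starts and ends outside both hunks.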
@@ -16,250 +16,13 @@ ../../secrets/uriel-pw.nix ../lass/sshkeys.nix ../lass/bird.nix + ./repos.nix ]; nixpkgs = { url = "https://github.com/Lassulus/nixpkgs"; - rev = "ffe3f799a2eb565e1755a6a18260ece5cbbd746b"; + rev = "0b1dfed50d9ec2222b94d68f84376f66e82d19e3"; }; - services.gitolite = { - keys = { - uriel = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1v/N0G7k48thX1vIALTdqrdYUvYM+SvHRq/rCcKLC2 lass@mors"; - lass = config.sshKeys.lass.pub; - }; - config = '' - repo emse-hsdb - RW+ = lass - R = tv - option hook.post-receive = irc-announce - - repo pong - RW+ = lass - R = tv - option hook.post-receive = irc-announce - - repo load-env - RW+ = lass - RW+ = uriel - R = tv - option hook.post-receive = irc-announce - - repo pass - RW+ = lass - RW+ = uriel - - repo testing - RW+ = @all - - repo painload - RW+ = lass - R = tv - R = makefu - option hook.post-receive = irc-announce - - repo brain - RW+ = uriel - R = lass - R = tv - R = makefu - option hook.post-receive = irc-announce - - repo services - RW+ = lass - R = tv - R = makefu - option hook.post-receive = irc-announce - - repo emse-drywall - RW+ = lass - R = tv - R = uriel - option hook.post-receive = irc-announce - - repo emse-db - RW+ = lass - R = tv - option hook.post-receive = irc-announce - - repo config - RW+ = lass - RW+ = uriel - option hook.post-receive = irc-announce - - repo teeest - RW+ = lass - option hook.post-receive = irc-announce - ''; - - rc = '' - %RC = ( - UMASK => 0077, - GIT_CONFIG_KEYS => "", - LOG_EXTRA => 1, - ROLES => { - READERS => 1, - WRITERS => 1, - }, - LOCAL_CODE => "$ENV{HOME}/.gitolite", - ENABLE => [ - 'help', - 'desc', - 'info', - 'perms', - 'writable', - 'ssh-authkeys', - 'git-config', - 'daemon', - 'gitweb', - 'repo-specific-hooks', - ], - ); - 1; - ''; - - hooks.repoSpecific = { - irc-announce = '' - #! /bin/sh - set -euf - - config_file="$GL_ADMIN_BASE/conf/irc-announce.conf" - if test -f "$config_file"; then - . 
"$config_file" - fi - - # XXX when changing IRC_CHANNEL or IRC_SERVER/_PORT, don't forget to update - # any relevant gitolite LOCAL_CODE! - # CAVEAT we hope that IRC_NICK is unique - IRC_NICK="''${IRC_NICK-gl$GL_TID}" - IRC_CHANNEL="''${IRC_CHANNEL-#retiolum}" - IRC_SERVER="''${IRC_SERVER-ire.retiolum}" - IRC_PORT="''${IRC_PORT-6667}" - - # for privmsg_cat below - export IRC_CHANNEL - - # collect users that are mentioned in the gitolite configuration - interested_users="$(perl -e ' - do "gl-conf"; - print join(" ", keys%{ $one_repo{$ENV{"GL_REPO"}} }); - ')" - - # CAVEAT beware of real TABs in grep pattern! - # CAVEAT there will never be more than 42 relevant log entries! - tab=$(printf '\x09') - log="$(tail -n 42 "$GL_LOGFILE" | grep "^[^$tab]*$tab$GL_TID$tab" || :)" - - update_log="$(echo "$log" | grep "^[^$tab]*$tab$GL_TID''${tab}update")" - - # (debug output) - env | sed 's/^/env: /' - echo "$log" | sed 's/^/log: /' - - # see http://gitolite.com/gitolite/dev-notes.html#lff - reponame=$(echo "$update_log" | cut -f 4) - username=$(echo "$update_log" | cut -f 5) - ref_name=$(echo "$update_log" | cut -f 7 | sed 's|^refs/heads/||') - old_sha=$(echo "$update_log" | cut -f 8) - new_sha=$(echo "$update_log" | cut -f 9) - - # check if new branch is created - if test $old_sha = 0000000000000000000000000000000000000000; then - # TODO what should we really show? - old_sha=$new_sha^ - fi - - # - git_log="$(git log $old_sha..$new_sha --pretty=oneline --abbrev-commit)" - commit_count=$(echo "$git_log" | wc -l) - - # echo2 and cat2 are used output to both, stdout and stderr - # This is used to see what we send to the irc server. 
(debug output) - echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } - - # privmsg_cat transforms stdin to a privmsg - privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } - - # ircin is used to feed the output of netcat back to the "irc client" - # so we can implement expect-like behavior with sed^_^ - # XXX mkselfdestructingtmpfifo would be nice instead of this cruft - tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" - cd "$tmpdir" - mkfifo ircin - trap " - rm ircin - cd '$OLDPWD' - rmdir '$tmpdir' - trap - EXIT INT QUIT - " EXIT INT QUIT - - # - # - # - { - echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" - echo2 "NICK $IRC_NICK" - - # wait for MODE message - sed -n '/^:[^ ]* MODE /q' - - echo2 "JOIN $IRC_CHANNEL" - - echo "$interested_users" \ - | tr ' ' '\n' \ - | grep -v "^$GL_USER" \ - | sed 's/$/: poke/' \ - | privmsg_cat \ - | cat2 - - printf '[\x0313%s\x03] %s pushed %s new commit%s to \x036%s %s\x03\n' \ - "$reponame" \ - "$username" \ - "$commit_count" \ - "$(test $commit_count = 1 || echo s)" \ - "$(hostname)" \ - "$ref_name" \ - | privmsg_cat \ - | cat2 - - echo "$git_log" \ - | sed 's/^/\x0314/;s/ /\x03 /' \ - | privmsg_cat \ - | cat2 - - echo2 "PART $IRC_CHANNEL" - - # wait for PART confirmation - sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' - - echo2 'QUIT :Gone to have lunch' - } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin - ''; - }; - - customFiles = [ - { - filename = ".gitolite/conf/irc-announce.conf"; - content = '' - IRC_NICK="$(hostname)$GL_TID" - case "$GL_REPO" in - brain|painload|services|load-env|pong|config) - IRC_CHANNEL='#retiolum' - ;; - emse*) - IRC_CHANNEL='#emse' - ;; - *) - IRC_CHANNEL='&testing' - ;; - esac - ''; - } - ]; - }; - - networking.hostName = "uriel"; networking.wireless.enable = true; nix.maxJobs = 2; diff --git a/modules/uriel/repos.nix b/modules/uriel/repos.nix new file mode 100644 index 000000000..6d3cf2157 --- /dev/null +++ b/modules/uriel/repos.nix 
@@ -0,0 +1,75 @@ +{ ... }: + +{ + imports = [ + ../lass/gitolite-base.nix + ]; + + services.gitolite = { + repos = { + + config = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + pass = { + users = { + lass = "RW+"; + uriel = "R"; + }; + }; + + load-env = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + emse-hsdb = { + users = { + lass = "RW+"; + uriel = "R"; + tv = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + painload = { + users = { + lass = "RW+"; + tv = "R"; + makefu = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + brain = { + users = { + lass = "RW+"; + tv = "R"; + makefu = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + services = { + users = { + lass = "RW+"; + tv = "R"; + makefu = "R"; + reaktor = "R"; + }; + extraConfig = "option hook.post-receive = irc-announce"; + }; + + }; + }; +} diff --git a/modules/wu/default.nix b/modules/wu/default.nix index 3258779ee..84a8361af 100644 --- a/modules/wu/default.nix +++ b/modules/wu/default.nix @@ -322,7 +322,7 @@ in services.retiolum = { enable = true; - hosts = /etc/nixos/hosts; + hosts = <retiolum-hosts>; connectTo = [ "gum" "pigstarter" diff --git a/modules/wu/users.nix b/modules/wu/users.nix index 654d49cef..88f2b658e 100644 --- a/modules/wu/users.nix +++ b/modules/wu/users.nix @@ -210,7 +210,7 @@ in { imports = [ - <secrets/wu.hashedPasswords.nix> + <secrets/hashedPasswords.nix> ]; users.defaultUserShell = "/run/current-system/sw/bin/bash"; |
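Review bot: `hosts = <retiolum-hosts>;` makes the tinc hosts directory (the set of peer public keys) depend on a NIX_PATH entry resolved at evaluation time, so the deployed peer set is determined by the environment of whoever runs the rebuild rather than by a path fixed in this file; a missing entry fails evaluation, and a stray `retiolum-hosts=` entry pointing elsewhere would swap the trusted peers without any change to the repository. The same applies to `<secrets/hashedPasswords.nix>` in modules/wu/users.nix. A comment above the line naming the expected entry and where it is set, e.g. `# <retiolum-hosts> must be on NIX_PATH for this host; it is the tinc hosts directory`, would document the contract; the surrounding `services.retiolum` block continues outside the hunk.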