Diffstat (limited to 'krebs')
40 files changed, 334 insertions, 347 deletions
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix index 92400139c..d58661a28 100644 --- a/krebs/3modules/Reaktor.nix +++ b/krebs/3modules/Reaktor.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let ReaktorConfig = pkgs.writeText "config.py" '' @@ -16,7 +16,7 @@ let out = { options.krebs.Reaktor = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix index 371d39b6f..46b405842 100644 --- a/krebs/3modules/apt-cacher-ng.nix +++ b/krebs/3modules/apt-cacher-ng.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let acng-config = pkgs.writeTextFile { name = "acng-configuration"; @@ -151,5 +151,5 @@ let in { options.krebs.apt-cacher-ng = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; } diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 66a325ed9..0aa86dec9 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -1,9 +1,9 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let out = { options.krebs.backup = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; cfg = config.krebs.backup; @@ -210,7 +210,7 @@ let | ${pkgs.coreutils}/bin/head -1; } ''; - # Note that we don't escape word on purpose, so we deref shell vars. + # Note that we don't escape word on purpose, so we can deref shell vars. # TODO type word network-ssh-port = host: word: '' case ${word} in diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index e74841205..9e777a5ef 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let gunicorn = pkgs.pythonPackages.gunicorn; bepasty = pkgs.pythonPackages.bepasty-server; 
@@ -10,8 +10,8 @@ let out = { options.krebs.bepasty = api; - config = mkIf cfg.enable (mkMerge [ - (mkIf cfg.serveNginx nginx-imp) + config = lib.mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf cfg.serveNginx nginx-imp) imp ]); }; diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 3530fd595..a1f446188 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with lib; +with config.krebs.lib; let out = { @@ -51,6 +51,7 @@ let source = config.krebs.build.source; target-user = maybeEnv "target_user" "root"; target-host = maybeEnv "target_host" config.krebs.build.host.name; + target-port = maybeEnv "target_port" "22"; target-path = maybeEnv "target_path" "/var/src"; out = '' #! /bin/sh @@ -62,7 +63,8 @@ let } echo ${shell.escape git-script} \ - | ssh ${shell.escape "${target-user}@${target-host}"} -T + | ssh -p ${shell.escape target-port} \ + ${shell.escape "${target-user}@${target-host}"} -T unset tmpdir trap ' @@ -93,6 +95,7 @@ let (attrNames file-specs)} \ --delete \ -vFrlptD \ + -e ${shell.escape "ssh -p ${target-port}"} \ ${shell.escape target-path}/ \ ${shell.escape "${target-user}@${target-host}:${target-path}"} ''; diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index 74385a433..825cb3413 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let buildbot = pkgs.buildbot; buildbot-master-config = pkgs.writeText "buildbot-master.cfg" '' @@ -381,5 +381,5 @@ let in { options.krebs.buildbot.master = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; } diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index 0e7796d8a..7705ac31c 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix 
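Review bot: `target-port = maybeEnv "target_port" "22"` is interpolated into both the `ssh -p` line and the rsync option `-e ${shell.escape "ssh -p ${target-port}"}` without any check that it is a port number; rsync splits the `-e` string on whitespace, so a value containing spaces becomes additional ssh arguments instead of a rejected port. A guard at the binding covers both call sites: `target-port = let p = maybeEnv "target_port" "22"; in assert match "[0-9]+" p != null; p;`. `maybeEnv` is defined outside this hunk; if it reads the evaluator's environment, the set of honoured variables (`target_user`, `target_host`, `target_port`, `target_path`) is worth listing in the option's documentation so the new variable is discoverable.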
@@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let buildbot-slave-init = pkgs.writeText "buildbot-slave.tac" '' import os @@ -182,5 +182,5 @@ let in { options.krebs.buildbot.slave = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; } diff --git a/krebs/3modules/current.nix b/krebs/3modules/current.nix index 41941e289..9f63e33ac 100644 --- a/krebs/3modules/current.nix +++ b/krebs/3modules/current.nix @@ -1,13 +1,13 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.current; out = { options.krebs.current = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 060b4445d..c06f3754e 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs; @@ -9,9 +9,9 @@ let ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix - ./build.nix ./buildbot/master.nix ./buildbot/slave.nix + ./build.nix ./current.nix ./exim-retiolum.nix ./exim-smarthost.nix @@ -20,19 +20,21 @@ let ./git.nix ./go.nix ./iptables.nix + ./lib.nix ./nginx.nix ./nixpkgs.nix ./per-user.nix ./Reaktor.nix - ./retiolum-bootstrap.nix ./realwallpaper.nix + ./retiolum-bootstrap.nix ./retiolum.nix + ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix ./repo-sync.nix ]; options.krebs = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { 
@@ -83,13 +85,13 @@ let }; }; - imp = mkMerge [ - { krebs = import ./lass { inherit lib; }; } - { krebs = import ./makefu { inherit lib; }; } - { krebs = import ./miefda { inherit lib; }; } - { krebs = import ./mv { inherit lib; }; } - { krebs = import ./shared { inherit lib; }; } - { krebs = import ./tv { inherit lib; }; } + imp = lib.mkMerge [ + { krebs = import ./lass { inherit config lib; }; } + { krebs = import ./makefu { inherit config lib; }; } + { krebs = import ./miefda { inherit config lib; }; } + { krebs = import ./mv { inherit config lib; }; } + { krebs = import ./shared { inherit config lib; }; } + { krebs = import ./tv { inherit config lib; }; } { krebs.dns.providers = { de.krebsco = "zones"; diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index ea012c38c..1722eef1f 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,12 +1,12 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.exim-retiolum; out = { options.krebs.exim-retiolum = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index a564430ea..267ee2900 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -1,13 +1,12 @@ { config, pkgs, lib, ... }: -with builtins; -with lib; +with config.krebs.lib; let cfg = config.krebs.exim-smarthost; out = { options.krebs.exim-smarthost = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 225f00803..53fe0839d 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix 
@@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.fetchWallpaper; out = { options.krebs.fetchWallpaper = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 11cf21b5f..a9542718d 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, lib, pkgs, ... }: # TODO unify logging of shell scripts to user and journal # TODO move all scripts to ${etcDir}, so ControlMaster connections @@ -6,13 +6,13 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with lib; +with config.krebs.lib; let cfg = config.krebs.git; out = { options.krebs.git = api; - config = mkIf cfg.enable (mkMerge [ + config = with lib; mkIf cfg.enable (mkMerge [ (mkIf cfg.cgit cgit-imp) git-imp ]); @@ -86,7 +86,7 @@ let singleton { user = [ config.krebs.users.tv ]; repo = [ testing ]; # see literal example of repos - perm = push "refs/*" (with lib.git; [ + perm = push "refs/*" (with config.krebs.lib.git; [ non-fast-forward create delete merge ]); } diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 2aa18d53a..1d3873232 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,12 +1,12 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.github-hosts-sync; out = { options.krebs.github-hosts-sync = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix index 08a93dab7..52a104bb9 100644 --- a/krebs/3modules/go.nix +++ b/krebs/3modules/go.nix 
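Review bot: `config = with lib; mkIf cfg.enable (mkMerge [` in git.nix is the only module in this commit that re-opens `with lib;` for its config block; the others (bepasty-server.nix in the same commit, for instance) spell the calls out as `lib.mkIf`/`lib.mkMerge`. For consistency: `config = lib.mkIf cfg.enable (lib.mkMerge [` / `(lib.mkIf cfg.cgit cgit-imp)` / `git-imp ]);`. Whichever spelling is kept, the reason these calls must come from the module's `lib` argument while the rest of the file uses `config.krebs.lib` — presumably because resolving them through `config` would feed the module's own config back into itself — deserves a one-line comment, since the next edit is likely to "fix" it.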
@@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.go; out = { options.krebs.go = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 749d3ff49..41a609105 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, lib, ... }: -with lib; +with config.krebs.lib; { hosts = { diff --git a/krebs/3modules/lib.nix b/krebs/3modules/lib.nix new file mode 100644 index 000000000..b19f275b5 --- /dev/null +++ b/krebs/3modules/lib.nix @@ -0,0 +1,15 @@ +{ config, pkgs, lib, ... }: +with lib; +let + out = { + options.krebs.lib = api; + config = imp; + }; + api = mkOption { + default = {}; + type = types.attrs; + }; + imp = { + krebs.lib = lib // import ../4lib { inherit lib; } // builtins; + }; +in out diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 2811c0c52..ca83d6906 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, lib, ... }: -with lib; +with config.krebs.lib; { hosts = { @@ -292,8 +292,8 @@ with lib; cores = 1; nets = { retiolm = { - addrs4 = ["10.243.214.15/32"]; - addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732/128"]; + addrs4 = ["10.243.214.15"]; + addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"]; aliases = [ "wbob.retiolum" ]; diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix index 0cfa8bd27..6587ad92d 100644 --- a/krebs/3modules/miefda/default.nix +++ b/krebs/3modules/miefda/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, lib, ... }: -with lib; +with config.krebs.lib; { hosts = { diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix index 8803cb249..33f941aae 100644 --- a/krebs/3modules/mv/default.nix +++ b/krebs/3modules/mv/default.nix 
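Review bot: `krebs.lib = lib // import ../4lib { inherit lib; } // builtins;` in the new lib.nix gives `builtins` the last word, so any name that nixpkgs `lib` or 4lib defines differently from a builtin is silently replaced, and nothing in the file records that this is intended; a comment such as `# rightmost wins: builtins override 4lib, which overrides nixpkgs lib` would make the precedence explicit. This is also the one module that keeps `with lib;` rather than `with config.krebs.lib;`, and every other module in the commit keeps `lib.mkIf` explicit while taking everything else from `config.krebs.lib`; presumably both are required to keep the option from evaluating itself, and that constraint belongs in a comment here, e.g. `# must use the module's lib argument: this option is what provides config.krebs.lib`. The `mkOption` has no `description`, so `krebs.lib` will show up undocumented in any generated option listing.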
@@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, ... }: -with lib; +with config.krebs.lib; { hosts = { diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 921771033..7b7163071 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -1,13 +1,12 @@ -{ config, pkgs, lib, ... }: +{ config, lib, pkgs, ... }: -with builtins; -with lib; +with config.krebs.lib; let cfg = config.krebs.nginx; out = { options.krebs.nginx = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { @@ -34,6 +33,7 @@ let }; locations = mkOption { type = with types; listOf (attrsOf str); + default = []; }; extraConfig = mkOption { type = with types; string; @@ -76,8 +76,8 @@ let server { ${concatMapStringsSep "\n" (x: "listen ${x};") listen} server_name ${toString server-names}; - ${extraConfig} - ${indent (concatStrings (map to-location locations))} + ${indent extraConfig} + ${indent (concatMapStrings to-location locations)} } ''; diff --git a/krebs/3modules/nixpkgs.nix b/krebs/3modules/nixpkgs.nix index 4129f9483..5816b8a30 100644 --- a/krebs/3modules/nixpkgs.nix +++ b/krebs/3modules/nixpkgs.nix @@ -1,11 +1,11 @@ -{ config, pkgs, lib, ... }: -with lib; +{ config, lib, pkgs, ... }: +with config.krebs.lib; let cfg = config.krebs.nixpkgs; out = { options.krebs.nixpkgs = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { @@ -37,7 +37,7 @@ let }; }; - imp = mkIf (cfg.allowUnfreePredicate != null) { + imp = lib.mkIf (cfg.allowUnfreePredicate != null) { nixpkgs.config.allowUnfreePredicate = cfg.allowUnfreePredicate; }; in out diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index ee213deda..13da5c4c3 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.per-user; 
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index b377368f7..df374e184 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -1,12 +1,12 @@ -arg@{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.realwallpaper; out = { options.krebs.realwallpaper = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 65bb51193..40382d098 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -1,12 +1,12 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.retiolum-bootstrap; out = { options.krebs.retiolum-bootstrap = api; - config = mkIf cfg.enable imp ; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 407695273..d0162eae9 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -1,11 +1,11 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.retiolum; out = { options.krebs.retiolum = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix new file mode 100644 index 000000000..1137788d8 --- /dev/null +++ b/krebs/3modules/setuid.nix 
@@ -0,0 +1,75 @@ +{ config, pkgs, lib, ... }: +with config.krebs.lib; +let + cfg = config.krebs.setuid; + + out = { + options.krebs.setuid = api; + config = imp; + }; + + api = mkOption { + default = {}; + type = let + # TODO make wrapperDir configurable + inherit (config.security) wrapperDir; + inherit (config.users) groups users; + in types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.filename; + default = config._module.args.name; + }; + filename = mkOption { + type = mkOptionType { + # TODO unyuck string and merge with toC + name = "derivation or string"; + check = x: + isDerivation x || + isString x; + }; + apply = toString; + }; + owner = mkOption { + default = "root"; + type = types.enum (attrNames users); + }; + group = mkOption { + default = "root"; + type = types.enum (attrNames groups); + }; + mode = mkOption { + default = "4710"; + type = mkOptionType { + # TODO admit symbolic mode + name = "octal mode"; + check = x: + isString x && + match "[0-7][0-7][0-7][0-7]" x != null; + }; + }; + activate = mkOption { + type = types.str; + visible = false; + readOnly = true; + }; + }; + config.activate = let + src = pkgs.execve config.name { + inherit (config) filename; + }; + dst = "${wrapperDir}/${config.name}"; + in '' + cp ${src} ${dst} + chown ${config.owner}.${config.group} ${dst} + chmod ${config.mode} ${dst} + ''; + })); + }; + + imp = { + system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] + (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg)); + }; + +in out diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index df4c529bf..208b596f8 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -1,9 +1,8 @@ -{ lib, ... }: - -with lib; +{ config, ... }: +with config.krebs.lib; let - testHosts = lib.genAttrs [ + testHosts = genAttrs [ "test-arch" "test-centos6" "test-centos7" 
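Review bot: `cp ${src} ${dst}` in `config.activate` overwrites an existing wrapper in place, and a `${dst}` left by a previous activation already carries its owner and `4710` mode, so while the copy is in progress a truncated, half-written file is executable with the setuid bit set; copying to a temporary name and renaming makes the replacement atomic. `chown ${config.owner}.${config.group}` uses the legacy dot separator, which is ambiguous for user names that contain a dot; `owner:group` is the unambiguous form. Entries removed from `krebs.setuid` are never deleted from `wrapperDir` by this script; whether the NixOS `setuid` script this one is ordered after already recreates the directory cannot be seen here and is worth a comment either way. The `mode` type accepts any four octal digits, so the `4710` default is the only thing discouraging group- or world-writable wrappers; a note on which modes are acceptable would help.
```nix
config.activate = let
  # … unchanged: src and dst bindings …
  tmp = "${dst}.tmp";
in ''
  cp ${src} ${tmp}
  chown ${config.owner}:${config.group} ${tmp}
  chmod ${config.mode} ${tmp}
  mv -f ${tmp} ${dst}
'';
```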
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index dc0484a8b..2692de982 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.tinc_graphs; internal_dir = "${cfg.workingDir}/internal"; @@ -8,7 +8,7 @@ let out = { options.krebs.tinc_graphs = api; - config = mkIf cfg.enable imp ; + config = lib.mkIf cfg.enable imp ; }; api = { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 9a0b99396..f8d3d8671 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, ... }: -with lib; +with config.krebs.lib; { dns.providers = { diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 7a9fb55fd..cd4976a21 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -5,14 +5,14 @@ # cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" # TODO hooks.py -with lib; +with config.krebs.lib; let cfg = config.krebs.urlwatch; # TODO assert sendmail's existence out = { options.krebs.urlwatch = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 4d7e0b549..d5b6d03ac 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -26,11 +26,15 @@ let out = rec { shell = import ./shell.nix { inherit lib; }; tree = import ./tree.nix { inherit lib; }; - toC = x: { + toC = x: let + type = typeOf x; + reject = throw "cannot convert ${type}"; + in { list = "{ ${concatStringsSep ", " (map toC x)} }"; null = "NULL"; + set = if isDerivation x then toJSON x else reject; string = toJSON x; # close enough - }.${typeOf x}; + }.${type} or reject; subdirsOf = path: mapAttrs (name: _: path + "/${name}") 
diff --git a/krebs/4lib/infest/install-nix.sh b/krebs/4lib/infest/install-nix.sh deleted file mode 100644 index af1a8bd16..000000000 --- a/krebs/4lib/infest/install-nix.sh +++ /dev/null @@ -1,50 +0,0 @@ -#! /bin/sh -set -efu - -nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2 -nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4 - -install_nix() {( - - # install nix on host (cf. https://nixos.org/nix/install) - if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then - ( - verify() { - printf '%s %s\n' $nix_sha256 $(basename $nix_url) | sha256sum -c - } - if ! verify; then - curl -C - -O "$nix_url" - verify - fi - ) - nix_src_dir=$(basename $nix_url .tar.bz2) - tar jxf $nix_src_dir.tar.bz2 - $nix_src_dir/install - fi - - . /root/.nix-profile/etc/profile.d/nix.sh - - for i in \ - bash \ - coreutils \ - # This line intentionally left blank. - do - if ! nix-env -q $i | grep -q .; then - nix-env -iA nixpkgs.pkgs.$i - fi - done - - # install nixos-install - if ! type nixos-install 2>/dev/null; then - nixpkgs_expr='import <nixpkgs> { system = builtins.currentSystem; }' - nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) - nix-env \ - --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ - --arg pkgs "$nixpkgs_expr" \ - --arg modulesPath 'throw "no modulesPath"' \ - -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ - -iA config.system.build.nixos-install - fi -)} - -install_nix "$@" diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 0bfc49380..b3824c7d4 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -1,6 +1,9 @@ #! /bin/sh set -efu +nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2 +nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4 + prepare() {( if test -e /etc/os-release; then . /etc/os-release 
@@ -33,6 +36,13 @@ prepare() {( ;; esac ;; + nixos) + case $(cat /proc/cmdline) in + *' root=LABEL=NIXOS_ISO '*) + prepare_nixos_iso "$@" + exit + esac + ;; esac elif test -e /etc/centos-release; then case $(cat /etc/centos-release) in @@ -70,7 +80,25 @@ prepare_debian() { prepare_common } -prepare_common() { +prepare_nixos_iso() { + mountpoint /mnt + + type git 2>/dev/null || nix-env -iA nixos.git + + mkdir -p /mnt/"$target_path" + mkdir -p "$target_path" + + if ! mountpoint "$target_path"; then + mount --rbind /mnt/"$target_path" "$target_path" + fi + + mkdir -p bin + rm -f bin/nixos-install + cp "$(type -p nixos-install)" bin/nixos-install + sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install +} + +prepare_common() {( if ! getent group nixbld >/dev/null; then groupadd -g 30000 -r nixbld 
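Review bot: `cp "$(type -p nixos-install)" bin/nixos-install` in `prepare_nixos_iso` relies on `type -p`, a bash extension, while the script runs under `#! /bin/sh` with `set -e`; on a POSIX `sh` such as dash the substitution yields nothing and the copy fails. `cp "$(command -v nixos-install)" bin/nixos-install` is the portable spelling. The `sed -i "s@…@NIX_PATH=$target_path@"` replacement also assumes `$target_path` contains no `@`, `&` or backslash, which holds for the `/var/src` default in build.nix but is not checked; `target_path` itself is not set in this file, so `set -u` is what turns a missing value into an error rather than an empty `NIX_PATH=`. `prepare_common() {(` is opened at the end of this hunk and its body continues in the next.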
@@ -133,6 +161,50 @@ prepare_common() { mkdir -p /mnt/nix mount --bind /nix /mnt/nix fi -} + + # + # install nix + # + + # install nix on host (cf. https://nixos.org/nix/install) + if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then + ( + verify() { + printf '%s %s\n' $nix_sha256 $(basename $nix_url) | sha256sum -c + } + if ! verify; then + curl -C - -O "$nix_url" + verify + fi + ) + nix_src_dir=$(basename $nix_url .tar.bz2) + tar jxf $nix_src_dir.tar.bz2 + $nix_src_dir/install + fi + + . /root/.nix-profile/etc/profile.d/nix.sh + + for i in \ + bash \ + coreutils \ + # This line intentionally left blank. + do + if ! nix-env -q $i | grep -q .; then + nix-env -iA nixpkgs.pkgs.$i + fi + done + + # install nixos-install + if ! type nixos-install 2>/dev/null; then + nixpkgs_expr='import <nixpkgs> { system = builtins.currentSystem; }' + nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) + nix-env \ + --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ + --arg pkgs "$nixpkgs_expr" \ + --arg modulesPath 'throw "no modulesPath"' \ + -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ + -iA config.system.build.nixos-install + fi +)} prepare "$@" diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 873f3ddfb..d0a537467 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -17,6 +17,7 @@ types // rec { }; nets = mkOption { type = attrsOf net; + default = {}; }; extraZones = mkOption { diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix index b3cb1c943..fa51857ba 100644 --- a/krebs/5pkgs/builders.nix +++ b/krebs/5pkgs/builders.nix 
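Review bot: in the `install nix` block, if an earlier run left a complete but corrupt `nix-1.10-x86_64-linux.tar.bz2` in the working directory, `verify` fails, `curl -C - -O` resumes at end of file and fetches nothing, and the second `verify` aborts the script the same way on every subsequent run until someone deletes the file by hand. Removing the rejected file before aborting, `verify || { rm -f "$(basename "$nix_url")"; exit 1; }`, lets the next run recover unattended. The unquoted `$nix_src_dir` and `$nix_url` expansions and the bare `-name *-nixpkgs-*` are safe only because `set -f` at the top of the script disables globbing, which is worth a comment now that the block has moved here from install-nix.sh; `nixpkgs_path=$(find …)` also silently becomes several words if more than one nixpkgs directory exists in the store.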
@@ -1,19 +1,30 @@ -{ lib, pkgs, ... }: -with lib; -{ - execve = name: { filename, argv, envp ? {}, destination ? "" }: - writeC name { inherit destination; } '' - #include <unistd.h> - int main () { - const char *filename = ${toC filename}; - char *const argv[] = ${toC (argv ++ [null])}; - char *const envp[] = ${toC ( - mapAttrsToList (k: v: "${k}=${v}") envp ++ [null] - )}; - execve(filename, argv, envp); - return -1; - } - ''; +{ config, lib, pkgs, ... }: +with config.krebs.lib; +rec { + execve = name: { filename, argv ? null, envp ? {}, destination ? "" }: let + in writeC name { inherit destination; } '' + #include <unistd.h> + + static char *const filename = ${toC filename}; + + ${if argv == null + then /* Propagate arguments */ '' + #define MAIN_ARGS int argc, char **argv + '' + else /* Provide fixed arguments */ '' + #define MAIN_ARGS void + static char *const argv[] = ${toC (argv ++ [null])}; + ''} + + static char *const envp[] = ${toC ( + mapAttrsToList (k: v: "${k}=${v}") envp ++ [null] + )}; + + int main (MAIN_ARGS) { + execve(filename, argv, envp); + return -1; + } + ''; execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; }); diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 1cf3de56e..d395fe00a 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -1,5 +1,5 @@ -{ lib, pkgs, ... }@args: -with lib; +{ config, lib, pkgs, ... }@args: +with config.krebs.lib; { nixpkgs.config.packageOverrides = pkgs: { haskellPackages = pkgs.haskellPackages.override { diff --git a/krebs/5pkgs/noVNC/default.nix b/krebs/5pkgs/noVNC/default.nix new file mode 100644 index 000000000..629d288ae --- /dev/null +++ b/krebs/5pkgs/noVNC/default.nix 
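Review bot: `execve = name: { … }: let in writeC …` carries an empty `let in`, which is dead syntax and reads like an unfinished edit; `execve = name: { filename, argv ? null, envp ? {}, destination ? "" }: writeC name { inherit destination; } ''` says the same thing. More importantly, the generated C always passes the compiled-in `envp` array, so with the default `envp ? {}` the target starts with an empty environment and never inherits the caller's — a sensible property for the setuid wrappers that setuid.nix builds with it (it passes only `filename`), but surprising for any other caller expecting `PATH` or `HOME`; a comment at the argument list, `# envp replaces the caller's environment entirely; the default is an empty one`, would document the contract. In the propagating branch `argc` is never used, so the generated code will draw an unused-parameter warning under `-Wall`.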
@@ -0,0 +1,21 @@ +{ fetchgit, lib, stdenv, ... }: +with builtins; +with lib; +stdenv.mkDerivation rec { + name = "${baseNameOf src.name}-${removePrefix "refs/tags/v" src.rev}"; + + src = fetchgit { + url = https://github.com/kanaka/noVNC; + rev = "refs/tags/v0.5.1"; + sha256 = "1azsnppwnrsv3axj0r5bw8lfarkibgz5vhgcyj8dzn4afn98f55w"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = '' + cp -R . $out + ''; +} diff --git a/krebs/5pkgs/vncdotool/default.nix b/krebs/5pkgs/vncdotool/default.nix new file mode 100644 index 000000000..95e2ca706 --- /dev/null +++ b/krebs/5pkgs/vncdotool/default.nix @@ -0,0 +1,20 @@ +{ lib, pythonPackages, fetchurl, ... }: +with pythonPackages; buildPythonPackage rec { + name = lib.removeSuffix ".tar.gz" (builtins.baseNameOf src.name); + + src = fetchurl { + url = https://pypi.python.org/packages/source/v/vncdotool/vncdotool-0.9.0.tar.gz; + sha256 = "1hl44w4x9c8air0g6kp9h1af2vj4lmc50vnsxmca9g080740iyvi"; + }; + + propagatedBuildInputs = [ + twisted + pillow + ]; + + meta = { + homepage = https://github.com/sibson/vncdotool; + description = "A command line VNC client and python library"; + license = lib.licenses.mit; + }; +} diff --git a/krebs/default.nix b/krebs/default.nix index 17c035896..93e006f3d 100644 --- a/krebs/default.nix +++ b/krebs/default.nix 
@@ -1,193 +1,8 @@ -assert false; - -{ current-host-name -, current-user-name -, lib -, stockholm -, StrictHostKeyChecking ? "yes" -}: - -let out = { - inherit infest; - inherit init; - inherit nixos-install; - }; - - infest = - { system ? current-host-name - , target ? system - }@args: let - config = get-config system; - in '' - #! /bin/sh - # krebs.infest - set -efu - - ${rootssh target '' - ${builtins.readFile ./4lib/infest/prepare.sh} - ${builtins.readFile ./4lib/infest/install-nix.sh} - ''} - - (${nixos-install args}) - - ${rootssh target '' - ${builtins.readFile ./4lib/infest/finalize.sh} - ''} - ''; - - init = - { system ? current-host-name - }@args: let - config = get-config system; - in '' - #! /bin/sh - # krebs.init - set -efu - - system=${lib.shell.escape system} - secrets_dir=${config.krebs.build.source.dir.secrets.path} - key_type=ed25519 - key_file=$secrets_dir/ssh.id_$key_type - key_comment=$system - - if test -e "$key_file"; then - echo "Warning: privkey already exists: $key_file" >&2 - else - ssh-keygen \ - -C "$key_comment" \ - -t "$key_type" \ - -f "$key_file" \ - -N "" - rm "$key_file.pub" - fi - - pubkey=$(ssh-keygen -y -f "$key_file") - - cat<<EOF - # put following into config.krebs.hosts.$system: - ssh.privkey.path = <secrets/ssh.$key_type>; - ssh.pubkey = $(echo $pubkey | jq -R .); - EOF - ''; - - nixos-install = - { system ? current-host-name - , target ? system - }@args: let - in '' - #! /bin/sh - # krebs.nixos-install - (${populate (args // { root = "/mnt"; })}) - - ${rootssh target '' - export PATH; PATH=/root/.nix-profile/bin:$PATH - - src=$(type -p nixos-install) - cat_src() { - sed < "$src" "$( - { sed < "$src" -n ' - /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= - /^nixpkgs=/= - /^NIX_PATH=/,/^$/{/./=} - - # Disable: Copy the NixOS/Nixpkgs sources to the target as - # the initial contents of the NixOS channel. 
- /^srcs=/,/^ln -sfn /= - ' - } | sed 's:$:s/^/#krebs#/:' - )" - } - - # Location to insert `nix-install` - i=$(sed -n '/^echo "building the system configuration/=' "$src") - - { - cat_src | sed -n "1,$i{p}" - cat ${doc (nix-install args)} - cat_src | sed -n "$i,\''${$i!p}" - } > nixos-install - chmod +x nixos-install - - # Wrap inserted nix-install into chroot. - nix_env=$(cat_src | sed -n ' - s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q - ') - echo "nix-env is $nix_env" >&2 - findpkg() {( - name=$1 - path=$(find /nix/store \ - -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \ - | head -n 1 | sed s:^/mnt::) - if echo "$path" | grep .; then - echo "$name is $path" >&2 - else - echo "Error: package not found: $name" >&2 - exit 1 - fi - )} - cacert=$(findpkg cacert) - coreutils=$(findpkg coreutils) - cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE - env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE" - sed -i ' - s:^NIX_PATH=:chroot $mountPoint '"$env"' &: - s:^nix-env:'"$nix_env"': - ' nixos-install - - ./nixos-install - ''} - ''; - - doc = s: - let b = "EOF${builtins.hashString "sha256" s}"; in - '' - <<\${b} - ${s} - ${b} - ''; - - get-config = system: let - config = stockholm.users.${current-user-name}.${system}.config - or (abort "unknown system: ${system}, user: ${current-user-name}"); - in config; - - nix-install = - { system ? current-host-name - , target ? 
system - }: - let - config = get-config system; - - nix-path = - lib.concatStringsSep ":" - (lib.mapAttrsToList (name: src: "${name}=${src.target-path}") - (config.krebs.build.source.dir // - config.krebs.build.source.git)); - in '' - set -efu - NIX_PATH=${lib.shell.escape nix-path} \ - nix-env \ - --show-trace \ - -f '<stockholm>' \ - --argstr current-host-name ${lib.shell.escape current-host-name} \ - --argstr current-user-name ${lib.shell.escape current-user-name} \ - --profile ${lib.shell.escape config.krebs.build.profile} \ - --set \ - -A ${lib.escapeShellArg (lib.concatStringsSep "." [ - "users" - config.krebs.build.user.name - config.krebs.build.host.name - "system" - ])} - ''; - - rootssh = target: script: - let - flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; - in - "ssh ${flags} root@${target} -T ${doc '' - set -efu - ${script} - ''}"; - -in out +{ config, lib, pkgs, ... }: +with config.krebs.lib; +{ + imports = [ + ./3modules + ./5pkgs + ]; +} |