From e082da2c23ebff82717df11d266ecfd22a70db56 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:34:25 +0200 Subject: 3 tv retiolum: RIP --- 1systems/tv/cd.nix | 4 ++-- 1systems/tv/mkdir.nix | 4 ++-- 1systems/tv/nomic.nix | 4 ++-- 1systems/tv/rmdir.nix | 4 ++-- 1systems/tv/wu.nix | 4 ++-- 2configs/tv/exim-retiolum.nix | 4 ++-- 3modules/tv/retiolum.nix | 29 ----------------------------- 7 files changed, 12 insertions(+), 41 deletions(-) delete mode 100644 3modules/tv/retiolum.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 463d643a6..2f8cf8197 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -86,8 +86,8 @@ in }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index e0e057d63..05d76c4cb 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -29,8 +29,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 8e6812e43..bae12d364 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -37,8 +37,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index b77a1c39e..2cf9668c8 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -29,8 +29,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ 
diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 1d7bbe55b..c5678a193 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -145,8 +145,8 @@ in }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix index efab5cf32..851a0c625 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/2configs/tv/exim-retiolum.nix @@ -4,9 +4,9 @@ services.exim = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert config.tv.retiolum.enable; + assert config.krebs.retiolum.enable; let - # TODO get the hostname from config.tv.retiolum. + # TODO get the hostname from config.krebs.retiolum. retiolumHostname = "${config.networking.hostName}.retiolum"; in { enable = true; diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix deleted file mode 100644 index d00377446..000000000 --- a/3modules/tv/retiolum.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.tv.retiolum; - - out = { - imports = [ ../../3modules/krebs/retiolum.nix ]; - options.tv.retiolum = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.retiolum"; - - connectTo = mkOption { - type = with types; listOf str; - }; - - hosts = mkOption { - type = types.path; - }; - }; - - imp = { - krebs.retiolum = cfg; - }; - -in out -- cgit v1.2.3 From faf5f6c172d6a6915e18cdec85e3543051eb0449 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:41:41 +0200 Subject: krebs.retiolum: define type of hosts --- 1systems/tv/cd.nix | 1 - 1systems/tv/mkdir.nix | 1 - 1systems/tv/nomic.nix | 1 - 1systems/tv/rmdir.nix | 1 - 1systems/tv/wu.nix | 1 - 3modules/krebs/retiolum.nix | 40 ++++++++++++++++++---------------------- 6 files changed, 18 insertions(+), 27 deletions(-) 
diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 2f8cf8197..bf556e017 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -89,7 +89,6 @@ in imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "fastpoke" "pigstarter" diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 05d76c4cb..823f04430 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -32,7 +32,6 @@ with lib; imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "cd" "fastpoke" diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index bae12d364..ef4a5ca34 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -40,7 +40,6 @@ with lib; imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 2cf9668c8..f15c7902b 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -32,7 +32,6 @@ with lib; imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "cd" "mkdir" diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index c5678a193..0b5b8289b 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -148,7 +148,6 @@ in imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix index 447592eef..1406f2fc4 100644 --- a/3modules/krebs/retiolum.nix +++ b/3modules/krebs/retiolum.nix @@ -57,9 +57,9 @@ let }; hosts = mkOption { - default = null; + type = with types; either package path; + default = ../../Zhosts; description = '' - Hosts package or path to use. If a path is given, then it will be used to generate an ad-hoc package. ''; }; 
@@ -127,24 +127,20 @@ let }; tinc = cfg.tincPackage; - hostsType = builtins.typeOf cfg.hosts; - hosts = - if hostsType == "package" then - # use package as is - cfg.hosts - else if hostsType == "path" then - # use path to generate a package - pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out - ''; - } - else - abort "The option `services.retiolum.hosts' must be set to a package or a path" - ; + + hosts = getAttr (typeOf cfg.hosts) { + package = cfg.hosts; + path = pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . -name .git -prune -o -type f -print0 \ + | xargs -0 cp --target-directory $out + ''; + }; + }; + iproute = cfg.iproutePackage; retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" @@ -222,5 +218,5 @@ let chmod +x $out/tinc-up ''; -in -out + +in out -- cgit v1.2.3 From f1ebbc73395e733e222b7f51e3fb554579ec1916 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 17:34:08 +0200 Subject: autoimport 3*/{krebs,$(LOGNAME)} --- 1systems/tv/cd.nix | 12 ------------ 1systems/tv/mkdir.nix | 2 -- 1systems/tv/nomic.nix | 3 --- 1systems/tv/rmdir.nix | 2 -- 1systems/tv/wu.nix | 6 +----- 2configs/tv/consul-server.nix | 1 - 2configs/tv/git-public.nix | 1 - 2configs/tv/identity.nix | 1 - 3modules/krebs/default.nix | 11 +++++++++++ 3modules/tv/consul.nix | 1 - 3modules/tv/default.nix | 10 ++++++++++ Makefile | 27 ++++++++++++++++----------- default.nix | 20 ++++++++++++++++++++ 13 files changed, 58 insertions(+), 39 deletions(-) create mode 100644 3modules/krebs/default.nix create mode 100644 3modules/tv/default.nix create mode 100644 default.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index bf556e017..b15b1897e 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix 
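Review bot: `hosts = getAttr (typeOf cfg.hosts) { package = …; path = …; }` can never take the `package` branch, because `builtins.typeOf` yields `"set"` for a derivation, so a package value now fails with a bare `attribute 'set' missing` error where the old chain at least reached its explicit `abort` message (the old `hostsType == "package"` test had the same dead branch). A string such as `"/foo"` that passes `types.path` fails the same way, since its `typeOf` is `"string"`. Dispatching on `isDerivation` is the reliable test: `hosts = if isDerivation cfg.hosts then cfg.hosts else pkgs.stdenv.mkDerivation { … };` with the existing derivation body unchanged. The `let` block holding these bindings starts and ends outside the hunk.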
@@ -22,14 +22,12 @@ in }; } { - imports = [ ../../3modules/tv/ejabberd.nix ]; tv.ejabberd = { enable = true; hosts = [ "jabber.viljetic.de" ]; }; } { - imports = [ ../../3modules/krebs/github-hosts-sync.nix ]; krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = singleton config.krebs.github-hosts-sync.port; @@ -39,7 +37,6 @@ in tv.identity.self = config.tv.identity.hosts.cd; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -55,19 +52,11 @@ in }; } { - imports = [ - ../../3modules/tv/iptables.nix - ../../3modules/krebs/nginx.nix - ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; } { # TODO make public_html also available to cd, cd.retiolum (AKA default) - imports = [ - ../../3modules/tv/iptables.nix - ../../3modules/krebs/nginx.nix - ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; @@ -86,7 +75,6 @@ in }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 823f04430..03d0c00f1 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -15,7 +15,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.mkdir; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -29,7 +28,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index ef4a5ca34..367502eed 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix 
@@ -14,7 +14,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.nomic; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -26,7 +25,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/nginx.nix ]; krebs.nginx = { enable = true; servers.default.locations = [ @@ -37,7 +35,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index f15c7902b..497354e68 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -15,7 +15,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.rmdir; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -29,7 +28,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 0b5b8289b..8470a4f23 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -24,7 +24,7 @@ in { environment.systemPackages = with pkgs; [ - # shitment + # stockholm git gnumake parallel @@ -122,7 +122,6 @@ in ]; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -134,7 +133,6 @@ in }; } { - imports = [ ../../3modules/krebs/nginx.nix ]; krebs.nginx = { enable = true; servers.default.locations = [ @@ -145,7 +143,6 @@ in }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ @@ -155,7 +152,6 @@ in }; } { - imports = [ ../../3modules/krebs/urlwatch.nix ]; krebs.urlwatch = { enable = true; mailto = "tv@wu.retiolum"; # TODO diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 1c8dcb884..5d3fd5579 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix 
@@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/consul.nix ]; tv.consul = rec { enable = true; diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index 7f2b51308..1bf44e0fc 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -3,7 +3,6 @@ with import ../../4lib/tv { inherit lib pkgs; }; let out = { - imports = [ ../../3modules/krebs/git.nix ]; krebs.git = { enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 44208c956..bcfdc290d 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { enable = true; search = "retiolum"; diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix new file mode 100644 index 000000000..fe94e09b3 --- /dev/null +++ b/3modules/krebs/default.nix @@ -0,0 +1,11 @@ +_: + +{ + imports = [ + ./github-hosts-sync.nix + ./git.nix + ./nginx.nix + ./retiolum.nix + ./urlwatch.nix + ]; +} diff --git a/3modules/tv/consul.nix b/3modules/tv/consul.nix index 312faa02f..4e54c2ab0 100644 --- a/3modules/tv/consul.nix +++ b/3modules/tv/consul.nix @@ -10,7 +10,6 @@ let cfg = config.tv.consul; out = { - imports = [ ../../3modules/tv/iptables.nix ]; options.tv.consul = api; config = mkIf cfg.enable (mkMerge [ imp diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix new file mode 100644 index 000000000..e267d0b9f --- /dev/null +++ b/3modules/tv/default.nix @@ -0,0 +1,10 @@ +_: + +{ + imports = [ + ./consul.nix + ./ejabberd.nix + ./identity.nix + ./iptables.nix + ]; +} diff --git a/Makefile b/Makefile index da234677b..6d075e6f2 100644 --- a/Makefile +++ b/Makefile 
@@ -41,13 +41,14 @@ deploy:;@ "$$src/" "$$deploy_host:$$dst" )} - prepush /root/src/shitment "$$PWD" + prepush /root/src/stockholm "$$PWD" prepush /root/src/secrets "$$secrets_dir" ssh -S none "$$deploy_host" -T env \ nixpkgs_url="$$nixpkgs_url" \ nixpkgs_rev="$$nixpkgs_rev" \ system_name="$$system_name" \ + user_name="$$LOGNAME" \ sh -euf \ <<-\EOF prefetch(){( @@ -77,26 +78,30 @@ deploy:;@ prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" echo build system... - NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \ - NIX_PATH=src \ - nix-build -Q -A system '' + NIX_PATH=/root/src \ + nix-build \ + -Q \ + -A system \ + '' \ + --argstr user-name "$$user_name" \ + --argstr system-name "$$system_name" result/bin/switch-to-configuration switch EOF .PHONY: eval eval: - @nix-instantiate \ + @ + NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ + nix-instantiate \ --json \ --eval \ --strict \ -A "$$get" \ - -E ' - import { - system = builtins.currentSystem; - modules = [ ./1systems/$(LOGNAME)/$(system).nix ]; - } - ' | jq -r . + '' \ + --argstr user-name "$$LOGNAME" \ + --argstr system-name "$$system" \ + | jq -r . else $(error unbound variable: system[s]) endif diff --git a/default.nix b/default.nix new file mode 100644 index 000000000..2deb7539a --- /dev/null +++ b/default.nix @@ -0,0 +1,20 @@ +{ user-name, system-name }: + +let + + eval = import { + system = builtins.currentSystem; + modules = [ + (./1systems + "/${user-name}/${system-name}.nix") + (./3modules/krebs) + (./3modules + "/${user-name}") + ]; + }; + +in + +{ + inherit (eval) config options; + + system = eval.config.system.build.toplevel; +} -- cgit v1.2.3 From f10523afd37c07a3c3cec55f68a100c176b5b20f Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 18:36:16 +0200 Subject: 4 krebs.types.host: add option: secure --- 4lib/krebs/types.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix index 38ed8a916..9d02c779f 100644 
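Review bot: The new default.nix builds `./1systems + "/${user-name}/${system-name}.nix"` and `./3modules + "/${user-name}"` from two caller-supplied strings (the Makefile forwards `$LOGNAME` and `$system` via `--argstr`) without any check, so a typo surfaces only as a generic import error from deep inside the module evaluation, and nothing states that each string is expected to be a single path component. An explicit guard at the top of the file makes the failure readable: `assert builtins.pathExists (./1systems + "/${user-name}/${system-name}.nix");`, and the same for the `./3modules` path. The Makefile hunks themselves only rename and re-plumb the arguments and need no change.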
--- a/4lib/krebs/types.nix +++ b/4lib/krebs/types.nix @@ -20,6 +20,15 @@ types // rec { type = attrsOf net; apply = x: assert hasAttr "retiolum" x; x; }; + secure = mkOption { + type = bool; + default = false; + description = '' + If true, then the host is capable of keeping secret information. + + TODO define minimum requirements for secure hosts + ''; + }; }; }; -- cgit v1.2.3 From f4309272e2531a136a40d2332d1bfecec16d9a91 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 18:37:30 +0200 Subject: 2 tv identity: {nomic,wu}.secure = true --- 2configs/tv/identity.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index bcfdc290d..379d02e45 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -98,6 +98,7 @@ ''; }; }; + secure = true; }; rmdir = { cores = 1; @@ -153,6 +154,7 @@ ''; }; }; + secure = true; }; }; }; -- cgit v1.2.3 From 54becaa19fcbc11ac709ddaf86e56ee3b736931d Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 19:33:20 +0200 Subject: tv git: add restricted repos --- 1systems/tv/cd.nix | 2 +- 1systems/tv/mkdir.nix | 2 +- 1systems/tv/nomic.nix | 2 +- 1systems/tv/rmdir.nix | 2 +- 1systems/tv/wu.nix | 3 +- 2configs/tv/git-public.nix | 79 ---------------------------------- 2configs/tv/git.nix | 103 +++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 108 insertions(+), 85 deletions(-) delete mode 100644 2configs/tv/git-public.nix create mode 100644 2configs/tv/git.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index b15b1897e..d30e7ed8f 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -13,7 +13,7 @@ in ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/charybdis.nix ]; tv.charybdis = { diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 03d0c00f1..3e5fb7286 100644 
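Review bot: The description of the new `secure` option says only that the host "is capable of keeping secret information", which tells a reader neither what setting it unlocks nor who vouches for it; since it defaults to `false` it is a deliberate opt-in, and the description should name the consequence. Later in this series (2configs/tv/git.nix) it gates the evaluation of restricted repositories and the import of a secrets file, so I would write: `If true, then secret material (e.g. restricted repository definitions) may be evaluated and deployed on this host. This is an operator assertion; nothing in the module system verifies it.` and keep the TODO about minimum requirements underneath.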
--- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -9,7 +9,7 @@ with lib; ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; tv.identity.self = config.tv.identity.hosts.mkdir; diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 367502eed..2d32d9e1f 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -8,7 +8,7 @@ with lib; ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; tv.identity.self = config.tv.identity.hosts.nomic; diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 497354e68..c470086ce 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -9,7 +9,7 @@ with lib; ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; tv.identity.self = config.tv.identity.hosts.rmdir; diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 8470a4f23..234b80559 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -12,8 +12,7 @@ in ../../2configs/tv/base.nix ../../2configs/tv/consul-client.nix ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git-public.nix - # TODO git-private.nix + ../../2configs/tv/git.nix ../../2configs/tv/mail-client.nix ../../2configs/tv/xserver.nix ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix deleted file mode 100644 index 1bf44e0fc..000000000 --- a/2configs/tv/git-public.nix +++ /dev/null 
@@ -1,79 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ../../4lib/tv { inherit lib pkgs; }; -let - - out = { - krebs.git = { - enable = true; - root-title = "public repositories at ${config.tv.identity.self.name}"; - root-desc = "keep calm and engage"; - inherit repos rules users; - }; - }; - - repos = public-repos; - rules = concatMap make-rules (attrValues repos); - - public-repos = mapAttrs make-public-repo { - cgserver = {}; - crude-mail-setup = {}; - dot-xmonad = {}; - hack = {}; - load-env = {}; - make-snapshot = {}; - mime = {}; - much = {}; - nixos-infest = {}; - nixpkgs = {}; - painload = {}; - quipper = {}; - regfish = {}; - stockholm = { - desc = "take all the computers hostage, they'll love you!"; - }; - wai-middleware-time = {}; - web-routes-wai-custom = {}; - xintmap = {}; - }; - - # TODO move users to separate module - users = mapAttrs make-user { - tv = ../../Zpubkeys/tv_wu.ssh.pub; - lass = ../../Zpubkeys/lass.ssh.pub; - uriel = ../../Zpubkeys/uriel.ssh.pub; - makefu = ../../Zpubkeys/makefu.ssh.pub; - }; - - make-public-repo = name: { desc ? null, ... }: { - inherit name desc; - public = true; - hooks = { - post-receive = git.irc-announce { - # TODO make nick = config.tv.identity.self.name the default - nick = config.tv.identity.self.name; - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - }; - - make-rules = - with git // users; - repo: - singleton { - user = tv; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } ++ - optional repo.public { - user = [ lass makefu uriel ]; - repo = [ repo ]; - perm = fetch; - }; - - make-user = name: pubkey-file: { - inherit name; - pubkey = readFile pubkey-file; - }; - -in out diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix new file mode 100644 index 000000000..ac1c413c4 --- /dev/null +++ b/2configs/tv/git.nix 
@@ -0,0 +1,103 @@ +{ config, lib, pkgs, ... }: +with import ../../4lib/tv { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.tv.identity.self.name}"; + root-desc = "keep calm and engage"; + inherit repos rules users; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.tv.identity.self.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + cgserver = {}; + crude-mail-setup = {}; + dot-xmonad = {}; + hack = {}; + load-env = {}; + make-snapshot = {}; + mime = {}; + much = {}; + nixos-infest = {}; + nixpkgs = {}; + painload = {}; + quipper = {}; + regfish = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + xintmap = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with users; [ lass makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs users; } + ); + + # TODO move users to separate module + users = mapAttrs make-user { + tv = ../../Zpubkeys/tv_wu.ssh.pub; + lass = ../../Zpubkeys/lass.ssh.pub; + uriel = ../../Zpubkeys/uriel.ssh.pub; + makefu = ../../Zpubkeys/makefu.ssh.pub; + }; + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.tv.identity.self.name the default + nick = config.tv.identity.self.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... 
}: { + inherit name desc; + public = false; + hooks = {}; # TODO default + }; + + make-rules = + with git // users; + repo: + singleton { + user = tv; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ lass makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + + make-user = name: pubkey-file: { + inherit name; + pubkey = readFile pubkey-file; + }; + +in out -- cgit v1.2.3 From a62be1cef8726a2afa61df3dac9e19a71882b370 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 20:48:00 +0200 Subject: {2 tv git -> 3 krebs}.users --- 2configs/tv/git.nix | 22 +++++-------------- 3modules/krebs/default.nix | 54 ++++++++++++++++++++++++++++++++++++---------- 3modules/krebs/git.nix | 11 ++++------ 4lib/krebs/default.nix | 10 ++++++++- 4lib/krebs/types.nix | 11 ++++++++++ 4lib/tv/default.nix | 7 ------ 6 files changed, 72 insertions(+), 43 deletions(-) diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix index ac1c413c4..b7f9983a1 100644 --- a/2configs/tv/git.nix +++ b/2configs/tv/git.nix @@ -1,4 +1,5 @@ { config, lib, pkgs, ... }: + with import ../../4lib/tv { inherit lib pkgs; }; let @@ -7,7 +8,7 @@ let enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; root-desc = "keep calm and engage"; - inherit repos rules users; + inherit repos rules; }; }; 
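Review bot: The collaborator rule in `make-rules` can never fire: `make-restricted-repo` returns only `name`, `desc`, `public` and `hooks`, so the `collaborators` list given for `brain` is dropped there, and `repos` additionally strips `collaborators` via `removeAttrs` before `rules` is computed from `attrValues repos`, so `repo.collaborators or []` is always empty. The outcome is fail-closed (lass and makefu get no fetch access to restricted repos rather than too much), but the grant the commit intends never materialises and nothing reports it; the follow-up commit's hunk on this file keeps the same structure. Keep the collaborators on an unstripped set, derive the rules from that, and strip only the value handed to `krebs.git.repos`:
```nix
  all-repos =
    public-repos //
    optionalAttrs config.tv.identity.self.secure restricted-repos;

  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;

  rules = concatMap make-rules (attrValues all-repos);

  # … unchanged: public-repos, restricted-repos, users, make-public-repo …

  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
    hooks = {}; # TODO default
  };

  # … unchanged: make-rules, make-user …
```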
@@ -43,20 +44,12 @@ let restricted-repos = mapAttrs make-restricted-repo ( { brain = { - collaborators = with users; [ lass makefu ]; + collaborators = with config.krebs.users; [ lass makefu ]; }; } // - import /root/src/secrets/repos.nix { inherit config lib pkgs users; } + import /root/src/secrets/repos.nix { inherit config lib pkgs; } ); - # TODO move users to separate module - users = mapAttrs make-user { - tv = ../../Zpubkeys/tv_wu.ssh.pub; - lass = ../../Zpubkeys/lass.ssh.pub; - uriel = ../../Zpubkeys/uriel.ssh.pub; - makefu = ../../Zpubkeys/makefu.ssh.pub; - }; - make-public-repo = name: { desc ? null, ... }: { inherit name desc; public = true; @@ -77,7 +70,7 @@ let }; make-rules = - with git // users; + with git // config.krebs.users; repo: singleton { user = tv; @@ -95,9 +88,4 @@ let perm = fetch; }; - make-user = name: pubkey-file: { - inherit name; - pubkey = readFile pubkey-file; - }; - in out diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index fe94e09b3..b8722d18f 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -1,11 +1,43 @@ -_: - -{ - imports = [ - ./github-hosts-sync.nix - ./git.nix - ./nginx.nix - ./retiolum.nix - ./urlwatch.nix - ]; -} +{ config, lib, ... }: + +with import ../../4lib/krebs { inherit lib; }; +let + cfg = config.krebs; + + out = { + imports = [ + ./github-hosts-sync.nix + ./git.nix + ./nginx.nix + ./retiolum.nix + ./urlwatch.nix + ]; + options.krebs = api; + config = mkIf cfg.enable imp; + }; + + api = { + users = mkOption { + type = with types; attrsOf user; + default = addNames { + lass = { + pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + }; + makefu = { + pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + }; + tv = { + pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; + }; + uriel = { + pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + }; + }; + }; + }; + + imp = { + }; + +in +out diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix index 3c3e93426..be6619b4b 100644 
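Review bot: In 3modules/krebs/default.nix, `config = mkIf cfg.enable imp;` reads `config.krebs.enable`, but `api` declares only `users`, so no `krebs.enable` option exists; with `imp = {}` nothing forces the condition today, but the first attribute added to `imp` would make evaluation fail with a missing-attribute error. Either declare it, `enable = mkEnableOption "krebs";`, or drop the guard, `config = imp;`, since `users` is plain data with no reason to be switched off. Note also that `users` ships a non-empty default of four public keys, and the git module hunk in this commit feeds `config.krebs.users` into the `git` account's authorized keys, so anyone who merely imports this module grants those users SSH access to `git` without declaring anything; a comment on the option should say so.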
--- a/3modules/krebs/git.nix +++ b/3modules/krebs/git.nix @@ -6,8 +6,7 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with builtins; -with lib; +with import ../../4lib/krebs { inherit lib; }; let cfg = config.krebs.git; @@ -119,9 +118,6 @@ let rules = mkOption { type = types.unspecified; }; - users = mkOption { - type = types.unspecified; - }; }; git-imp = { @@ -149,7 +145,8 @@ let name = "git"; shell = "/bin/sh"; openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; + mapAttrsToList (_: makeAuthorizedKey git-ssh-command) + config.krebs.users; uid = 129318403; # genid git }; }; @@ -255,7 +252,7 @@ let isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix - makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: + makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }: # TODO assert name # TODO assert pubkey let diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix index 38c2a97d6..0c59076b6 100644 --- a/4lib/krebs/default.nix +++ b/4lib/krebs/default.nix @@ -1,6 +1,14 @@ { lib, ... }: -builtins // lib // { +with builtins; +with lib; + +builtins // lib // rec { + + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; types = import ./types.nix { inherit lib; }; diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix index 9d02c779f..ca92c6900 100644 --- a/4lib/krebs/types.nix +++ b/4lib/krebs/types.nix @@ -81,6 +81,17 @@ types // rec { merge = mergeOneOption; }; + user = submodule { + options = { + name = mkOption { + type = str; # TODO + }; + pubkey = mkOption { + type = str; + }; + }; + }; + # TODO addr = str; addr4 = str; diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix index 267a858d2..16888c214 100644 --- a/4lib/tv/default.nix +++ b/4lib/tv/default.nix 
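Review bot: `openssh.authorizedKeys.keys` for the git account is now derived from `config.krebs.users`, a namespace-wide list, instead of the module's own `users` option, so every user declared anywhere under `krebs` gets an SSH login as `git` whether or not any rule names them; what they can then do rests entirely on `git-ssh-command` enforcing `cfg.rules`, which lies outside this hunk. A comment at that line should make the contract explicit, e.g. `# every krebs user may connect as git; what they may do is decided by the rules enforced in git-ssh-command`. In the `user` submodule added to 4lib/krebs/types.nix in the same commit, `pubkey` is only `str`, so an empty or multi-line value would yield a malformed or extra authorized_keys entry; tightening it, e.g. `type = addCheck str (s: s != "" && builtins.match "[^\n]*" s != null);`, would also retire the TODO asserts left in `makeAuthorizedKey`.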
@@ -15,16 +15,9 @@ krebs // rec { inherit pkgs; }; - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - # "7.4.335" -> "74" majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - concat = xs : if xs == [] then "" -- cgit v1.2.3