Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'cd/master'

Browse Source
This commit is contained in:
lassulus 2016-02-18 17:07:49 +01:00
commit 0f22538575
15 changed files with 211 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -51,7 +51,7 @@ evaluate = \
execute = \
result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \
script=$$(echo "$$result" | jq -r .) && \
echo "$$script" | sh
echo "$$script" | PS5=% sh
# usage: make deploy system=foo [target_host=bar]
deploy: ssh ?= ssh

23
krebs/3modules/backup.nix
View File

@ -117,6 +117,14 @@ let
"$dst_user@$dst_host" \
-T "$with_dst_path_lock_script"
}
rsh="ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}"
local_rsync() {
rsync "$@"
}
remote_rsync=${shell.escape (concatStringsSep " && " [
"mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
"exec flock -n ${shell.escape plan.dst.path} rsync"
])}
'';
pull = ''
identity=${shell.escape plan.dst.host.ssh.privkey.path}
@ -131,6 +139,12 @@ let
dst_shell() {
eval "$with_dst_path_lock_script"
}
rsh="ssh -F /dev/null -i $identity ''${src_port:+-p $src_port}"
local_rsync() {
mkdir -m 0700 -p ${shell.escape plan.dst.path}/current
flock -n ${shell.escape plan.dst.path} rsync "$@"
}
remote_rsync=rsync
'';
}}
# Note that this only works because we trust date +%s to produce output
@ -140,13 +154,10 @@ let
with_dst_path_lock_script="exec env start_date=$(date +%s) "${shell.escape
"flock -n ${shell.escape plan.dst.path} /bin/sh"
}
rsync >&2 \
local_rsync >&2 \
-aAXF --delete \
-e "ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}" \
--rsync-path ${shell.escape (concatStringsSep " && " [
"mkdir -m 0700 -p ${shell.escape plan.dst.path}/current"
"exec flock -n ${shell.escape plan.dst.path} rsync"
])} \
--rsh="$rsh" \
--rsync-path="$remote_rsync" \
--link-dest="$dst_path/current" \
"$src/" \
"$dst/.partial"

9
krebs/3modules/build.nix
View File

@ -42,12 +42,13 @@ let
set -eu
verbose() {
printf '+%s\n' "$(printf ' %q' "$@")" >&2
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
}
echo ${shell.escape git-script} \
| ssh -p ${shell.escape target-port} \
{ printf 'PS5=%q%q\n' @ "$PS5"
echo ${shell.escape git-script}
} | verbose ssh -p ${shell.escape target-port} \
${shell.escape "${target-user}@${target-host}"} -T
unset tmpdir
@ -86,7 +87,7 @@ let
set -efu
verbose() {
printf '+%s\n' "$(printf ' %q' "$@")" >&2
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
}

2
krebs/3modules/tv/default.nix
View File

@ -352,7 +352,7 @@ with config.krebs.lib;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod";
};
tv = {
mail = "tv@wu.retiolum";
mail = "tv@nomic.retiolum";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDFR//RnCvEZAt0F6ExDsatKZ/DDdifanuSL360mqOhaFieKI34RoOwfQT9T+Ga52Vh5V2La6esvlph686EdgzeKLvDoxEwFM9ZYFBcMrNzu4bMTlgE7YUYw5JiORyXNfznBGnme6qpuvx9ibYhUyiZo99kM8ys5YrUHrP2JXQJMezDFZHxT4GFMOuSdh/1daGoKKD6hYL/jEHX8CI4E3BSmKK6ygYr1fVX0K0Tv77lIi5mLXucjR7CytWYWYnhM6DC3Hxpv2zRkPgf3k0x/Y1hrw3V/r0Me5h90pd2C8pFaWA2ZoUT/fmyVqvx1tZPYToU/O2dMItY0zgx2kR0yD+6g7Aahz3R+KlXkV8k5c8bbTbfGnZWDR1ZlbLRM9Yt5vosfwapUD90MmVkpmR3wUkO2sUKi80QfC7b4KvSDXQ+MImbGxMaU5Bnsq1PqLN95q+uat3nlAVBAELkcx51FlE9CaIS65y4J7FEDg8BE5JeuCNshh62VSYRXVSFt8bk3f/TFGgzC8OIo14BhVmiRQQ503Z1sROyf5xLX2a/EJavMm1i2Bs2TH6ROKY9z5Pz8hT5US0r381V8oG7TZyLF9HTtoy3wCYsgWA5EmLanjAsVU2YEeAA0rxzdtYP8Y2okFiJ6u+M4HQZ3Wg3peSodyp3vxdYce2vk4EKeqEFuuS82850DYb7Et7fmp+wQQUT8Q/bMO0DreWjHoMM5lE4LJ4ME6AxksmMiFtfo/4Fe2q9D+LAqZ+ANOcv9M+8Rn6ngiYmuRNd0l/a02q1PEvO6vTfXgcl4f7Z1IULHPEaDNZHCJS1K5RXYFqYQ6OHsTmOm7hnwaRAS97+VFMo1i5uvTx9nYaAcY7yzq3Ckfb67dMBKApGOpJpkvPgfrP7bgBO5rOZXM1opXqVPb09nljAhhAhyCTh1e/8+mJrBo0cLQ/LupQzVxGDgm3awSMPxsZAN45PSWz76zzxdDa1MMo51do+VJHfs7Wl0NcXAQrniOBYL9Wqt0qNkn1gY5smkkISGeQ/vxNap4MmzeZE7b5fpOy+2fpcRVQLpc4nooQzJvSVTFz+25lgZ6iHf45K87gQFMIAri1Pf/EDDpL87az+bRWvWi+BA2kMe1kf+Ay1LyMz8r+g51H0ma0bNFh6+fbWMfUiD9JCepIObclnUJ4NlWfcgHxTf17d/4tl6z4DTcLpCCk8Da77JouSHgvtcRbRlFV1OfhWZLXUsrlfpaQTiItv6TGIr3k7+7b66o3Qw/GQVs5GmYifaIZIz8n8my4XjkaMBd0SZfBzzvFjHMq6YUP9+SbjvReqofuoO+5tW1wTYZXitFFBfwuHlXm6w77K5QDBW6olT7pat41/F5eGxLcz tv@wu";
};
tv-nomic = {

69
krebs/3modules/urlwatch.nix
View File

@ -3,7 +3,6 @@
# TODO multiple users
# TODO inform about unused caches
# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}"
# TODO hooks.py
with config.krebs.lib;
let
@ -32,6 +31,14 @@ let
Content of the From: header of the generated mails.
'';
};
# TODO hooks :: attrsOf hook
hooksFile = mkOption {
type = with types; nullOr path;
default = null;
description = ''
File to use as hooks.py module.
'';
};
mailto = mkOption {
type = types.str;
default = config.krebs.build.user.mail;
@ -48,7 +55,7 @@ let
'';
};
urls = mkOption {
type = with types; listOf str;
type = with types; listOf (either str subtypes.job);
default = [];
description = "URL to watch.";
example = [
@ -56,7 +63,10 @@ let
];
apply = map (x: getAttr (typeOf x) {
set = x;
string.url = x;
string = {
url = x;
filter = null;
};
});
};
verbose = mkOption {
@ -68,9 +78,12 @@ let
};
};
urlsFile = toFile "urls" (concatMapStringsSep "\n---\n" toJSON cfg.urls);
urlsFile = pkgs.writeText "urls"
(concatMapStringsSep "\n---\n" toJSON cfg.urls);
configFile = toFile "urlwatch.yaml" (toJSON {
hooksFile = cfg.hooksFile;
configFile = pkgs.writeText "urlwatch.yaml" (toJSON {
display = {
error = true;
new = true;
@ -127,10 +140,10 @@ let
User = user.name;
PermissionsStartOnly = "true";
PrivateTmp = "true";
SyslogIdentifier = "urlwatch";
Type = "oneshot";
ExecStartPre =
pkgs.writeScript "urlwatch-prestart" ''
#! /bin/sh
pkgs.writeDash "urlwatch-prestart" ''
set -euf
dataDir=$HOME
@ -140,31 +153,29 @@ let
chown ${user.name}: "$dataDir"
fi
'';
ExecStart = pkgs.writeScript "urlwatch" ''
#! /bin/sh
ExecStart = pkgs.writeDash "urlwatch" ''
set -euf
from=${escapeShellArg cfg.from}
mailto=${escapeShellArg cfg.mailto}
urlsFile=${escapeShellArg urlsFile}
configFile=${escapeShellArg configFile}
cd /tmp
urlwatch \
${optionalString cfg.verbose "-v"} \
--urls="$urlsFile" \
--config="$configFile" \
--config=${shell.escape configFile} \
${optionalString (hooksFile != null)
"--hooks=${shell.escape hooksFile}"
} \
--urls=${shell.escape urlsFile} \
> changes || :
if test -s changes; then
date=$(date -R)
subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \
| tr \\n \ )
{
echo "Date: $date"
echo "From: $from"
echo "Subject: $subject"
echo "To: $mailto"
echo Date: $(date -R)
echo From: ${shell.escape cfg.from}
echo Subject: $(
sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \
| tr '\n' ' '
)
echo To: ${shell.escape cfg.mailto}
echo
cat changes
} | /var/setuid-wrappers/sendmail -t
@ -181,5 +192,15 @@ let
name = "urlwatch";
uid = genid name;
};
in
out
subtypes.job = types.submodule {
options = {
url = mkOption {
type = types.str;
};
filter = mkOption {
type = with types; nullOr str; # TODO nullOr subtypes.filter
};
};
};
in out

2
tv/1systems/nomic.nix
View File

@ -10,6 +10,8 @@ with config.krebs.lib;
../2configs/hw/AO753.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/im.nix
../2configs/mail-client.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix

28
tv/1systems/wu.nix
View File

@ -10,7 +10,9 @@ with config.krebs.lib;
../2configs/hw/w110er.nix
../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/im.nix
../2configs/mail-client.nix
../2configs/man.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
@ -23,19 +25,6 @@ with config.krebs.lib;
hashPassword
haskellPackages.lentil
parallel
(pkgs.writeScriptBin "im" ''
#! ${pkgs.bash}/bin/bash
export PATH=${makeSearchPath "bin" (with pkgs; [
tmux
gnugrep
weechat
])}
if tmux list-sessions -F\#S | grep -q '^im''$'; then
exec tmux attach -t im
else
exec tmux new -s im weechat
fi
'')
# root
cryptsetup
@ -52,14 +41,12 @@ with config.krebs.lib;
haskellPackages.hledger
htop
jq
manpages
mkpasswd
netcat
nix-repl
nmap
nq
p7zip
posix_man_pages
push
qrencode
texLive
@ -165,11 +152,7 @@ with config.krebs.lib;
hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
xlibs.fontschumachermisc
slock
ethtool
#firefoxWrapper # with plugins
#chromiumDevWrapper
tinc
iptables
#jack2
@ -177,7 +160,6 @@ with config.krebs.lib;
security.setuidPrograms = [
"sendmail" # for cron
"slock"
];
services.printing.enable = true;
@ -201,12 +183,6 @@ with config.krebs.lib;
KERNEL=="hpet", GROUP="audio"
'';
services.bitlbee = {
enable = true;
plugins = [
pkgs.bitlbee-facebook
];
};
services.tor.client.enable = true;
services.tor.enable = true;
services.virtualboxHost.enable = true;

7
tv/1systems/xu.nix
View File

@ -11,6 +11,7 @@ with config.krebs.lib;
../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/mail-client.nix
../2configs/man.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix
../2configs/retiolum.nix
@ -52,7 +53,6 @@ with config.krebs.lib;
haskellPackages.hledger
htop
jq
manpages
mkpasswd
netcat
nix-repl
@ -60,7 +60,6 @@ with config.krebs.lib;
nq
p7zip
pass
posix_man_pages
qrencode
texLive
tmux
@ -163,11 +162,7 @@ with config.krebs.lib;
#hardware.opengl.driSupport32Bit = true;
environment.systemPackages = with pkgs; [
#xlibs.fontschumachermisc
#slock
ethtool
#firefoxWrapper # with plugins
#chromiumDevWrapper
tinc
iptables
#jack2

38
tv/2configs/backup.nix
View File

@ -2,29 +2,43 @@
with config.krebs.lib;
{
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
nomic-home-xu = {
method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; };
startAt = "05:00";
};
wu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.wu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; };
startAt = "05:00";
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
xu-home-wu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.wu; path = "/bku/xu-home"; };
startAt = "06:00";
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
xu-pull-cd-ejabberd = {
method = "pull";
src = { host = config.krebs.hosts.cd; path = "/var/ejabberd"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/cd-ejabberd"; };
startAt = "07:00";
};
xu-pull-cd-home = {
method = "pull";
src = { host = config.krebs.hosts.cd; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; };
startAt = "07:00";
};
} // mapAttrs (_: recursiveUpdate {
snapshots = {

1
tv/2configs/default.nix
View File

@ -50,6 +50,7 @@ with config.krebs.lib;
{
security.sudo.extraConfig = ''
Defaults mailto="${config.krebs.users.tv.mail}"
Defaults !lecture
'';
time.timeZone = "Europe/Berlin";
}

24
tv/2configs/im.nix Normal file
View File

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
with config.krebs.lib;
{
environment.systemPackages = with pkgs; [
(pkgs.writeDashBin "im" ''
export PATH=${makeSearchPath "bin" (with pkgs; [
tmux
gnugrep
weechat
])}
if tmux list-sessions -F\#S | grep -q '^im''$'; then
exec tmux attach -t im
else
exec tmux new -s im weechat
fi
'')
];
services.bitlbee = {
enable = true;
plugins = [
pkgs.bitlbee-facebook
];
};
}

12
tv/2configs/man.nix Normal file
View File

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
{
environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
s:^NROFF\t.*:& -Wbreak:
'
'';
environment.systemPackages = with pkgs; [
manpages
posix_man_pages
];
}

41
tv/2configs/urlwatch.nix
View File

@ -1,5 +1,5 @@
{ config, ... }:
{ config, pkgs, ... }:
with config.krebs.lib;
{
krebs.urlwatch = {
enable = true;
@ -52,8 +52,43 @@
# is derived from `configFile` in:
https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix
https://pypi.python.org/pypi/vncdotool
{
url = https://pypi.python.org/pypi/vncdotool/json;
filter = "system:${pkgs.jq}/bin/jq -r '.releases|keys[]'";
}
https://api.github.com/repos/kanaka/noVNC/tags
];
hooksFile = toFile "hooks.py" ''
import subprocess
import urlwatch
class CaseFilter(urlwatch.filters.FilterBase):
"""Filter for piping data through an external process"""
__kind__ = 'system'
def filter(self, data, subfilter=None):
if subfilter is None:
raise ValueError('The system filter needs a command')
proc = subprocess.Popen(
subfilter,
shell=True,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
(stdout, stderr) = proc.communicate(data.encode())
if proc.returncode != 0:
raise RuntimeError(
"system filter returned non-zero exit status %d; stderr:\n"
% proc.returncode
+ stderr.decode()
)
return stdout.decode()
'';
};
}

20
tv/2configs/xu-qemu0.nix
View File

@ -15,18 +15,26 @@ in
#
# make [install] system=xu-qemu0 target_host=10.56.0.101
# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT
# TODO iptables -A POSTROUTING -t nat -j MASQUERADE
# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT
# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT
with config.krebs.lib;
{
networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
tv.iptables.extra = {
nat.POSTROUTING = ["-j MASQUERADE"];
filter.FORWARD = [
"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
"-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
];
filter.INPUT = [
"-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
"-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
];
};
systemd.network.enable = true;
systemd.services.systemd-networkd-wait-online.enable = false;
services.resolved.enable = mkForce false;
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

22
tv/3modules/iptables.nix
View File

@ -26,6 +26,21 @@ let
type = with types; listOf (either int str);
default = [];
};
extra = {
nat.POSTROUTING = mkOption {
type = with types; listOf str;
default = [];
};
filter.FORWARD = mkOption {
type = with types; listOf str;
default = [];
};
filter.INPUT = mkOption {
type = with types; listOf str;
default = [];
};
};
};
imp = {
@ -57,6 +72,11 @@ let
};
};
formatTable = table:
(concatStringsSep "\n"
(mapAttrsToList
(chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}"))
table));
rules = iptables-version: let
accept-echo-request = {
@ -79,6 +99,7 @@ let
${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
"-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
]}
${formatTable cfg.extra.nat}
COMMIT
*filter
:INPUT DROP [0:0]
@ -94,6 +115,7 @@ let
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
++ ["-i retiolum -j Retiolum"]
)}
${formatTable cfg.extra.filter}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))