Merge remote-tracking branch 'lass/master'

makefu 2017-07-23 21:11:11 +02:00
commit 1e3931d983
GPG Key ID: 36F7711F3FC0F225
22 changed files with 248 additions and 116 deletions


@ -102,13 +102,7 @@ ifneq ($(ssh),)
populate: populate-flags += --ssh=$(ssh) populate: populate-flags += --ssh=$(ssh)
endif endif
populate: populate:
nix-instantiate \ nix-shell --run 'get-source $(LOGNAME)/1systems/$(system)/source.nix' \
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
$(LOGNAME)/1systems/$(system)/source.nix | \
populate $(populate-target) $(populate-flags) populate $(populate-target) $(populate-flags)
# usage: make pkgs.populate # usage: make pkgs.populate


@ -0,0 +1,17 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/krebs>
<stockholm/krebs/2configs>
];
krebs.build.host = config.krebs.hosts.hotdog;
boot.isContainer = true;
networking.useDHCP = false;
}
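Review bot: The three-line header on this new host file is the stock nixos-generate-config text ("Edit this configuration file to define what should be installed…") and says nothing about the host it configures. Since the body is a container profile (`boot.isContainer = true;` with DHCP disabled and the krebs modules imported), a one-line purpose comment in its place would be more useful, e.g. `# hotdog: NixOS container host (boot.isContainer); network is configured by the container host, so DHCP is off`. The claim that addressing comes from the container host is an inference from `networking.useDHCP = false;` and should be checked by the author before being written down.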


@ -0,0 +1,3 @@
import <stockholm/krebs/source.nix> {
name = "hotdog";
}


@ -5,6 +5,7 @@
<stockholm/krebs> <stockholm/krebs>
<stockholm/krebs/2configs> <stockholm/krebs/2configs>
<stockholm/krebs/2configs/secret-passwords.nix> <stockholm/krebs/2configs/secret-passwords.nix>
<stockholm/krebs/2configs/hw/x220.nix>
<stockholm/krebs/2configs/repo-sync.nix> <stockholm/krebs/2configs/repo-sync.nix>
<stockholm/krebs/2configs/shared-buildbot.nix> <stockholm/krebs/2configs/shared-buildbot.nix>
@ -48,10 +49,6 @@
}; };
}; };
hardware.enableAllFirmware = true;
networking.wireless.enable = true;
nixpkgs.config.allowUnfree = true;
services.logind.extraConfig = '' services.logind.extraConfig = ''
HandleLidSwitch=ignore HandleLidSwitch=ignore
''; '';
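Review bot: Removing `hardware.enableAllFirmware = true;` and `nixpkgs.config.allowUnfree = true;` from this host while the new `hw/x220.nix` (imported on the added line in the first hunk) only sets `hardware.enableRedistributableFirmware = true;` is a behaviour change, not a pure move: enableAllFirmware additionally pulls in the non-redistributable firmware packages and depends on allowUnfree, and any unfree package this host still evaluates will now fail the evaluation. If the narrower firmware set is intended, a one-line comment next to the new import saying so would save the next reader a diff; if not, the x220 profile needs `nixpkgs.config.allowUnfree = true;` and `hardware.enableAllFirmware = true;` carried over. The `imports` list and the surrounding module continue outside both hunks.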


@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
networking.wireless.enable = lib.mkDefault true;
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
services.tlp.enable = true;
boot = {
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
kernelParams = [ "acpi_backlight=none" ];
};
hardware.opengl.extraPackages = [
pkgs.vaapiIntel
pkgs.vaapiVdpau
];
security.rngd.enable = true;
services.xserver = {
videoDriver = "intel";
};
}
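Review bot: `with import <stockholm/lib>;` on the second line brings nothing into scope that this file uses — the only helper referenced is `lib.mkDefault` from the module argument — so it can be dropped, which also removes a `<stockholm>` search-path dependency from a hardware profile. `services.xserver.videoDriver` (singular string) is the older spelling of the option; if the NixOS release in use has deprecated it in favour of the list form, this should read `videoDrivers = [ "intel" ];` — worth confirming against the release's option list rather than assuming. A short header comment such as `# Hardware profile for the ThinkPad X220: Intel graphics with VA-API, tp_smapi, TPM-fed rngd` would document what the file bundles, the model name being taken from the file's path.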


@ -30,6 +30,30 @@ let
}); });
in { in {
hosts = { hosts = {
hotdog = {
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.77.3";
ip6.addr = "42:0:0:0:0:0:77:3";
aliases = [
"hotdog.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
bZBrvxkIOyVs5oVtolPcaI0/nvtpIhSlmM6hg9qe1rZO6jXt53GVNvgdcUIfVHbX
mQmp4oVXOjPIeDqLn32Mc0O73Kp6i66zQGAXi8ejczuO0h6oSvAnjolT4wM9jugk
JBGCDlpl9mxAGDN5VOqbg2i0FxwtUk2UA9XghEaRcfBkVdsOrtW8sCwOg8YttQt9
fs7JjezUtw7JBxN754ynaahSRODcjyJhwjE18tKx6P7wsNbgbmULFQz+7IxZ01/P
h5ZUzfd1r1pTzQ0nYD5aRtlDd7zP7y5tUwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
};
puyak = { puyak = {
owner = config.krebs.users.krebs; owner = config.krebs.users.krebs;
nets = { nets = {


@ -262,7 +262,12 @@ with import <stockholm/lib>;
}; };
}; };
writeJSON = name: value: pkgs.writeText name (toJSON value); writeJSON = name: value: pkgs.runCommand name {
json = toJSON value;
passAsFile = [ "json" ];
} /* sh */ ''
${pkgs.jq}/bin/jq . "$jsonPath" > "$out"
'';
writeNixFromCabal = writeNixFromCabal =
trace (toString [ trace (toString [


@ -151,25 +151,41 @@ with import <stockholm/lib>;
systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ]; systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
} }
{ {
krebs.iptables = { networking.firewall = {
enable = true; enable = true;
tables = { allowedTCPPorts = [ 22 ];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
];
};
}; };
} }
{ {
krebs.hidden-ssh.enable = true; krebs.hidden-ssh.enable = true;
} }
{
services.xserver = {
enable = true;
#videoDrivers = mkForce [ "ati_unfree" ];
desktopManager.xterm.enable = false;
desktopManager.default = "none";
displayManager.lightdm.enable = true;
displayManager.lightdm.autoLogin = {
enable = true;
user = "lass";
};
windowManager.default = "xmonad";
windowManager.session = [{
name = "xmonad";
start = ''
${pkgs.xorg.xhost}/bin/xhost +LOCAL:
${pkgs.xmonad-lass}/bin/xmonad &
waitPID=$!
'';
}];
layout = "us";
xkbModel = "evdev";
xkbVariant = "altgr-intl";
xkbOptions = "caps:backspace";
};
}
]; ];
} }
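Review bot: `${pkgs.xorg.xhost}/bin/xhost +LOCAL:` in the new xmonad session start script disables X access control for every local account, so any other user on the machine, including service users, can attach to the display; together with the lightdm autoLogin for `lass` that makes the line the effective security boundary of the desktop. If a specific local account needs the display, grant it alone with `xhost +SI:localuser:NAME`; otherwise drop the line and rely on the per-user Xauthority cookie the display manager sets up. Separately, replacing `krebs.iptables` with `networking.firewall` in the first hunk drops the explicit REJECT-with-reset rules for the retiolum interface and the FORWARD DROP policy; NixOS's firewall drops unsolicited input by default, but as far as I can tell it does not set a FORWARD policy, so a comment stating that this relaxation is intended would help. The enclosing `imports` list and module continue outside the hunk.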


@ -10,6 +10,12 @@ let
}; };
}; };
}; };
sanitize = x: getAttr (typeOf x) {
set = mapAttrs
(const sanitize)
(filterAttrs (name: value: name != "_module" && value != null) x);
string = x;
};
in in
# This function's return value can be used as pkgs.populate input. # This function's return value can be used as pkgs.populate input.
_file: source: (eval _file source).config.source _file: source: sanitize (eval _file source).config.source
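Review bot: `sanitize` only handles the `set` and `string` cases, so any other value type in the evaluated source (`int`, `bool`, `list`, or a top-level `null`) makes `getAttr (typeOf x)` fail with a bare "attribute … missing" that does not name the offending entry. Replacing the `getAttr` call with a dynamic select and an explicit fallback keeps the two-line change local: `sanitize = x: {` as the head and `}.${typeOf x} or (throw "sanitize: unsupported type ${typeOf x}");` as the tail, with the `set` and `string` attributes unchanged in between. The `let` this binding belongs to starts outside the hunk.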

122
shell.nix

@ -2,6 +2,10 @@ let
lib = import ./lib; lib = import ./lib;
pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; }; pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; };
#
# high level commands
#
# usage: deploy [--user=USER] --system=SYSTEM [--target=TARGET] # usage: deploy [--user=USER] --system=SYSTEM [--target=TARGET]
cmds.deploy = pkgs.writeDash "cmds.deploy" '' cmds.deploy = pkgs.writeDash "cmds.deploy" ''
set -efu set -efu
@ -29,6 +33,69 @@ let
exec ${utils.build} config.system.build.toplevel exec ${utils.build} config.system.build.toplevel
''; '';
#
# low level commands
#
# usage: get-source SOURCE_FILE
cmds.get-source = pkgs.writeDash "cmds.get-source" ''
set -efu
exec ${pkgs.nix}/bin/nix-instantiate \
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
"$1"
'';
# usage: parse-target [--default=TARGET] TARGET
# TARGET = [USER@]HOST[:PORT][/PATH]
cmds.parse-target = pkgs.writeDash "cmds.parse-target" ''
set -efu
args=$(${pkgs.utillinux}/bin/getopt -n "$0" -s sh \
-o d: \
-l default: \
-- "$@")
if \test $? != 0; then exit 1; fi
eval set -- "$args"
default_target=
while :; do case $1 in
-d|--default) default_target=$2; shift 2;;
--) shift; break;;
esac; done
target=$1; shift
for arg; do echo "$0: bad argument: $arg" >&2; done
if \test $# != 0; then exit 2; fi
exec ${pkgs.jq}/bin/jq \
-enr \
--arg default_target "$default_target" \
--arg target "$target" \
-f ${pkgs.writeText "cmds.parse-target.jq" ''
def parse: match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
user: .captures[0].string,
host: .captures[1].string,
port: .captures[2].string,
path: .captures[3].string,
};
def sanitize: with_entries(select(.value != null));
($default_target | parse) + ($target | parse | sanitize) |
. + { local: (.user == env.LOGNAME and .host == env.HOSTNAME) }
''}
'';
# usage: quote [ARGS...]
cmds.quote = pkgs.writeDash "cmds.quote" ''
set -efu
prefix=
for x; do
y=$(${pkgs.jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"')
echo -n "$prefix$y"
prefix=' '
done
echo
'';
init.args = pkgs.writeText "init.args" /* sh */ '' init.args = pkgs.writeText "init.args" /* sh */ ''
args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \ args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \
-o s:t:u: \ -o s:t:u: \
@ -54,7 +121,9 @@ let
export target export target
export user export user
export target_object="$(${init.env.parsetarget} $target)" default_target=root@$system:22/var/src
export target_object="$(parse-target "$target" -d "$default_target")"
export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)" export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)" export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)" export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
@ -68,35 +137,9 @@ let
fi fi
fi fi
'' // { '' // {
parsetarget = pkgs.writeDash "init.env.parsetarget" ''
set -efu
exec ${pkgs.jq}/bin/jq \
-enr \
--arg target "$1" \
-f ${init.env.parsetarget.jq}
'' // {
jq = pkgs.writeText "init.env.parsetarget.jq" ''
def when(c; f): if c then f else . end;
def capturesDef(i; v): .captures[i].string | when(. == null; v);
$target | match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
user: capturesDef(0; "root"),
host: capturesDef(1; env.system),
port: capturesDef(2; "22"),
path: capturesDef(3; "/var/src"),
} | . + {
local: (.user == env.LOGNAME and .host == env.HOSTNAME),
}
'';
};
populate = pkgs.writeDash "init.env.populate" '' populate = pkgs.writeDash "init.env.populate" ''
set -efu set -efu
_source=$(${pkgs.nix}/bin/nix-instantiate \ _source=$(get-source "$source")
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
"$source")
echo $_source | echo $_source |
${pkgs.populate}/bin/populate \ ${pkgs.populate}/bin/populate \
"$target_user@$target_host:$target_port$target_path" \ "$target_user@$target_host:$target_port$target_path" \
@ -105,21 +148,17 @@ let
''; '';
proxy = pkgs.writeDash "init.env.proxy" '' proxy = pkgs.writeDash "init.env.proxy" ''
set -efu set -efu
q() {
${pkgs.jq}/bin/jq -nr --arg x "$*" '$x | @sh "\(.)"'
}
exec ${pkgs.openssh}/bin/ssh \ exec ${pkgs.openssh}/bin/ssh \
"$target_user@$target_host" -p "$target_port" \ "$target_user@$target_host" -p "$target_port" \
cd "$target_path/stockholm" \; \ cd "$target_path/stockholm" \; \
NIX_PATH=$(q "$target_path") \ NIX_PATH=$(quote "$target_path") \
STOCKHOLM_VERSION=$STOCKHOLM_VERSION \ STOCKHOLM_VERSION=$(quote "$STOCKHOLM_VERSION") \
nix-shell \ nix-shell --run "$(quote "
--run $(q \ system=$(quote "$system") \
system=$system \ target=$(quote "$target") \
target=$target \ using_proxy=true \
using_proxy=true \ $(quote "$@")
"$*" ")"
)
''; '';
}; };
@ -162,7 +201,8 @@ let
in pkgs.stdenv.mkDerivation { in pkgs.stdenv.mkDerivation {
name = "stockholm"; name = "stockholm";
shellHook = /* sh */ '' shellHook = /* sh */ ''
export NIX_PATH="stockholm=$PWD''${NIX_PATH+:$NIX_PATH}" export NIX_PATH=stockholm=$PWD:nixpkgs=${toString <nixpkgs>}
export NIX_REMOTE=daemon
export PATH=${lib.makeBinPath [ export PATH=${lib.makeBinPath [
shell.cmdspkg shell.cmdspkg
]} ]}
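Review bot: `cmds.quote` assembles its output with `echo -n` and a bare `echo`, but dash's builtin echo interprets backslash escapes, so an argument containing `\n`, `\t` or `\\` comes back altered even though jq's `@sh` left it inside single quotes; `printf '%s' "$prefix$y"` in the loop and `printf '\n'` after it emit the literal bytes. The same script is what `init.env.proxy` now uses to build the remote command line, so a mangled argument there silently changes what runs on the target. Separately, the shellHook now sets `NIX_PATH=stockholm=$PWD:nixpkgs=${toString <nixpkgs>}` instead of appending to the caller's NIX_PATH, and adds `NIX_REMOTE=daemon`; discarding the user's other search-path entries may be intended but deserves a one-line comment. The `cmds` and `init.env` attribute sets continue outside the hunks.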


@ -1,25 +0,0 @@
{ config, ... }:
with import <stockholm/lib>;
{
krebs.build.host = config.krebs.hosts.caxi;
imports = [
<stockholm/tv>
<stockholm/tv/2configs/hw/CAC-Developer-1.nix>
<stockholm/tv/2configs/fs/CAC-CentOS-7-64bit.nix>
<stockholm/tv/2configs/retiolum.nix>
];
networking = let
inherit (config.krebs.build.host.nets.internet) ip4;
in {
interfaces.enp2s1.ip4 = singleton {
address = ip4.addr;
prefixLength = fromJSON (head (match ".*/([0-9]+)" ip4.prefix));
};
defaultGateway = head (match "([^/]*)\.0/[0-9]+" ip4.prefix) + ".1";
nameservers = ["8.8.8.8"];
};
}


@ -1,3 +0,0 @@
import <stockholm/tv/source.nix> {
name = "caxi";
}


@ -0,0 +1,13 @@
{ config, pkgs, ... }:
{
services.nginx = {
virtualHosts.krebs-pages = {
serverAliases = [
"krebs.${config.krebs.build.host.name}.r"
];
extraConfig = ''
root ${pkgs.krebs-pages};
'';
};
};
}
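Review bot: The document root is passed as raw nginx syntax through `extraConfig = '' root ${pkgs.krebs-pages}; '';` even though the virtualHosts submodule has a typed `root` option in recent NixOS releases; if the release in use provides it, `root = pkgs.krebs-pages;` is clearer and lets the module emit the directive itself. As far as I recall the attribute name `krebs-pages` also becomes the implicit serverName, so the vhost answers to that name plus the alias — fine if intended, but a comment saying the alias is the only name expected to resolve would make it explicit.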


@ -230,6 +230,7 @@ let {
''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'' ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"''
''[a-z]*Phase[ \t\r\n]*='' ''[a-z]*Phase[ \t\r\n]*=''
]; ];
yaml = {};
vim.extraStart = vim.extraStart =
''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
xdefaults = {}; xdefaults = {};


@ -1,22 +1,18 @@
with import <stockholm/lib>; with import <stockholm/lib>;
self: super: let
# This callPackage will try to detect obsolete overrides. self: super:
callPackage = path: args: let
override = super.callPackage path args;
upstream = optionalAttrs (override ? "name")
(super.${(parseDrvName override.name).name} or {});
in if upstream ? "name" &&
override ? "name" &&
compareVersions upstream.name override.name != -1
then
trace
"Upstream `${upstream.name}' gets overridden by `${override.name}'."
override
else override;
in { # Import files and subdirectories like they are overlays.
foldl' mergeAttrs {}
(map
(name: import (./. + "/${name}") self super)
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir ./.))))
//
{
# TODO use XDG_RUNTIME_DIR? # TODO use XDG_RUNTIME_DIR?
cr = self.writeDashBin "cr" '' cr = self.writeDashBin "cr" ''
set -efu set -efu
@ -42,9 +38,4 @@ in {
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73"; sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {}; }) {};
in nixpkgs-1509.wvdial; in nixpkgs-1509.wvdial;
} }
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir: pathExists (dir + "/default.nix"))
(subdirsOf ./.))
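Review bot: Every entry returned by `readDir ./.` is applied as an overlay against the same `super`, and the results are combined with `foldl' mergeAttrs {}`, which is a shallow merge: two files defining the same top-level attribute silently keep only the later one, and an overlay that wants to extend an attribute set produced by a sibling overlay cannot see it. The invariant deserves a comment next to the fold, e.g. `# Each file is an independent overlay over the same super; top-level attribute names must not collide across files.` The filter also keeps any non-hidden entry regardless of extension, so a stray non-Nix file in this directory would break the `import` — if that is a concern, filtering on `hasSuffix ".nix"` or on directory type would close it. The surrounding expression (the `//` with the inline attribute set) runs through the second hunk and ends outside it.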


@ -0,0 +1,24 @@
with import <stockholm/lib>;
self: super:
let
# This callPackage will try to detect obsolete overrides.
callPackage = path: args: let
override = self.callPackage path args;
upstream = optionalAttrs (override ? "name")
(super.${(parseDrvName override.name).name} or {});
in if upstream ? "name" &&
override ? "name" &&
compareVersions upstream.name override.name != -1
then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
else override;
in
listToAttrs
(map
(name: nameValuePair (removeSuffix ".nix" name)
(callPackage (./. + "/${name}") {}))
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir ./.))))
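Review bot: `removeSuffix ".nix" name` maps a file `foo.nix` and a directory `foo` to the same attribute, so if both exist `listToAttrs` silently keeps one and the other package disappears; an `assert` or a comment stating that file and directory names must be unique after stripping the suffix would prevent a confusing failure later. The obsolete-override check fires on `compareVersions upstream.name override.name != -1`, which includes the equal-version case, so an override that rebuilds the same version upstream ships traces on every evaluation; if that is deliberate the comment on the first line should say `# Obsolete = upstream already ships this version or a newer one (equality counts).`, otherwise `== 1` is the strict condition.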