Merge branch 'tv' into master

lassulus 2015-07-27 10:09:13 +02:00
commit 54a01c0c74
43 changed files with 873 additions and 490 deletions


@ -0,0 +1,4 @@
deploy_host := root@pnp
nixpkgs_url := https://github.com/nixos/nixpkgs
nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
secrets_dir := /home/makefu/secrets/pnp


@ -1,4 +1,4 @@
deploy_host := root@nomic.gg23
nixpkgs_url := https://github.com/NixOS/nixpkgs
nixpkgs_rev := 6ad8fab785695d04a6925e8b3464ca7c71a85c3f
nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696
secrets_dir := /home/tv/secrets/nomic

52
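--- a/1systems/makefu/pnp.nix
+++ b/1systems/makefu/pnp.nix
@@ -0,0 +1,52 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running nixos-help).
+{ config, pkgs, ... }:
+{
+imports =
+[ # Include the results of the hardware scan.
+<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+../../2configs/makefu/base.nix
+../../2configs/makefu/cgit-retiolum.nix
+];
+krebs.enable = true;
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/vda";
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+hardware.enableAllFirmware = true;
+hardware.cpu.amd.updateMicrocode = true;
+# networking.firewall is enabled by default
+networking.firewall.allowedTCPPorts = [ 80 ];
+fileSystems."/" =
+{ device = "/dev/disk/by-label/nixos";
+fsType = "ext4";
+};
+krebs.retiolum = {
+enable = true;
+hosts = ../../Zhosts;
+connectTo = [
+"gum"
+"pigstarter"
+"fastpoke"
+];
+};
+nix.maxJobs = 2;
+networking.hostName = "pnp"; # Define your hostname.
+# $ nix-env -qaP | grep wget
+environment.systemPackages = with pkgs; [
+wget
+git
+gnumake
+jq
+];
+}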
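Review bot: `networking.firewall.allowedTCPPorts = [ 80 ];` opens http on every interface, while the only web service this host imports is `cgit-retiolum.nix`, whose name suggests it is meant for the tinc overlay only; if pnp also has a routable address, cgit and its public-repository listing become reachable from the internet. If that is unintended, drop the global rule and accept port 80 only on the overlay interface, e.g. via `networking.firewall.extraCommands = "iptables -A nixos-fw -i retiolum -p tcp --dport 80 -j nixos-fw-accept";`, otherwise replace the generic `# networking.firewall is enabled by default` comment with one stating that public exposure of cgit is intended. Whether pnp has a public interface is not visible in this diff, so treat this as something to confirm.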


@ -7,13 +7,15 @@ let
in
{
krebs.build.host = config.krebs.hosts.cd;
imports = [
../../2configs/tv/CAC-Developer-2.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix
../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/charybdis.nix ];
tv.charybdis = {
@ -22,24 +24,17 @@ in
};
}
{
imports = [ ../../3modules/tv/ejabberd.nix ];
tv.ejabberd = {
enable = true;
hosts = [ "jabber.viljetic.de" ];
};
}
{
imports = [ ../../3modules/tv/github-hosts-sync.nix ];
tv.github-hosts-sync.enable = true;
krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp =
singleton config.tv.github-hosts-sync.port;
singleton config.krebs.github-hosts-sync.port;
}
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.cd;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@ -55,21 +50,13 @@ in
};
}
{
imports = [
../../3modules/tv/iptables.nix
../../3modules/tv/nginx.nix
];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
tv.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
}
{
# TODO make public_html also available to cd, cd.retiolum (AKA default)
imports = [
../../3modules/tv/iptables.nix
../../3modules/tv/nginx.nix
];
tv.iptables.input-internet-accept-new-tcp = singleton "http";
tv.nginx.servers.public_html = {
krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
@ -77,7 +64,7 @@ in
};
}
{
tv.nginx.servers.viljetic = {
krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de";
# TODO directly set root (instead via location)
locations = singleton (nameValuePair "/" ''
@ -86,10 +73,8 @@ in
};
}
{
imports = [ ../../3modules/tv/retiolum.nix ];
tv.retiolum = {
krebs.retiolum = {
enable = true;
hosts = ../../Zhosts;
connectTo = [
"fastpoke"
"pigstarter"
@ -99,7 +84,6 @@ in
}
];
networking.hostName = "cd";
networking.interfaces.enp2s1.ip4 = [
{
address = "162.219.7.216";
@ -135,8 +119,8 @@ in
home = "/home/mv";
createHome = true;
useDefaultShell = true;
openssh.authorizedKeys.keys = map readFile [
../../Zpubkeys/mv_vod.ssh.pub
openssh.authorizedKeys.keys = [
config.krebs.users.mv.pubkey
];
};
};
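Review bot: in the hunk around `krebs.github-hosts-sync.enable = true;` the sync listener's port (`config.krebs.github-hosts-sync.port`, module default 1028) stays in `tv.iptables.input-internet-accept-new-tcp`, i.e. reachable from the internet, and nothing in this diff shows the endpoint authenticating its callers. If the service ingests or acts on host data (retiolum peers, judging by its name) from unauthenticated requests, that is a way for an outside party to trigger or influence peer changes; confirm it validates a webhook secret or only acts on data it fetches itself from a trusted origin, and record that next to the rule, e.g. `# internet-facing: github-hosts-sync must authenticate its callers`. The module body is not in this section, so this is inferred from the name and the exposed port; the enclosing `imports = [ ... ]` list also starts before the hunk.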


@ -3,19 +3,16 @@
with lib;
{
krebs.build.host = config.krebs.hosts.mkdir;
imports = [
../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix
../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.mkdir;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@ -29,10 +26,8 @@ with lib;
};
}
{
imports = [ ../../3modules/tv/retiolum.nix ];
tv.retiolum = {
krebs.retiolum = {
enable = true;
hosts = ../../Zhosts;
connectTo = [
"cd"
"fastpoke"
@ -43,7 +38,6 @@ with lib;
}
];
networking.hostName = "mkdir";
networking.interfaces.enp2s1.ip4 = [
{
address = "162.248.167.241"; # TODO


@ -3,18 +3,15 @@
with lib;
{
krebs.build.host = config.krebs.hosts.nomic;
imports = [
../../2configs/tv/AO753.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-retiolum.nix
../../2configs/tv/git-public.nix
../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.nomic;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@ -26,8 +23,7 @@ with lib;
};
}
{
imports = [ ../../3modules/tv/nginx.nix ];
tv.nginx = {
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@ -37,10 +33,8 @@ with lib;
};
}
{
imports = [ ../../3modules/tv/retiolum.nix ];
tv.retiolum = {
krebs.retiolum = {
enable = true;
hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
@ -103,6 +97,4 @@ with lib;
rxvt_unicode.terminfo
tmux
];
networking.hostName = "nomic";
}


@ -3,19 +3,16 @@
with lib;
{
krebs.build.host = config.krebs.hosts.rmdir;
imports = [
../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix
../../2configs/tv/git.nix
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.rmdir;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@ -29,10 +26,8 @@ with lib;
};
}
{
imports = [ ../../3modules/tv/retiolum.nix ];
tv.retiolum = {
krebs.retiolum = {
enable = true;
hosts = ../../Zhosts;
connectTo = [
"cd"
"mkdir"
@ -44,7 +39,6 @@ with lib;
}
];
networking.hostName = "rmdir";
networking.interfaces.enp2s1.ip4 = [
{
address = "167.88.44.94";


@ -7,28 +7,27 @@ let
in
{
krebs.build.host = config.krebs.hosts.wu;
imports = [
../../2configs/tv/w110er.nix
../../2configs/tv/base.nix
../../2configs/tv/consul-client.nix
../../2configs/tv/exim-retiolum.nix
../../2configs/tv/git-public.nix
# TODO git-private.nix
../../2configs/tv/git.nix
../../2configs/tv/mail-client.nix
../../2configs/tv/xserver.nix
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
{
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.wu;
}
../../2configs/tv/urlwatch.nix
{
environment.systemPackages = with pkgs; [
# shitment
# stockholm
git
gnumake
parallel
Zpkgs.genid
Zpkgs.hashPassword
Zpkgs.lentil
# root
@ -96,7 +95,6 @@ in
#ppp
#proot
#pythonPackages.arandr
#pythonPackages.urlwatch
#pythonPackages.youtube-dl
#racket
#rxvt_unicode-with-plugins
@ -122,7 +120,6 @@ in
];
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
@ -134,8 +131,7 @@ in
};
}
{
imports = [ ../../3modules/tv/nginx.nix ];
tv.nginx = {
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@ -145,66 +141,14 @@ in
};
}
{
imports = [ ../../3modules/tv/retiolum.nix ];
tv.retiolum = {
krebs.retiolum = {
enable = true;
hosts = ../../Zhosts;
connectTo = [
"gum"
"pigstarter"
];
};
}
{
imports = [ ../../3modules/tv/urlwatch.nix ];
tv.urlwatch = {
enable = true;
mailto = "tv@wu.retiolum"; # TODO
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
# 2014-07-29 when one of the following urls change
# then we have to update the package
# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
http://simple-evcorr.sourceforge.net/
# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
https://thp.io/2008/urlwatch/
# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
https://api.github.com/repos/ioerror/tlsdate/tags
# 2015-02-18
# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
http://www.fourmilab.ch/webtools/qprint/
# 2014-09-24 ref https://github.com/4z3/xintmap
http://www.mathstat.dal.ca/~selinger/quipper/
# 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
# ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
http://nixos.org/releases/nixops/
## other
https://nixos.org/channels/nixos-unstable/git-revision
## 2014-10-17
## TODO update ~/src/login/default.nix
#http://hackage.haskell.org/package/bcrypt
#http://hackage.haskell.org/package/cron
#http://hackage.haskell.org/package/hyphenation
#http://hackage.haskell.org/package/iso8601-time
#http://hackage.haskell.org/package/ixset-typed
#http://hackage.haskell.org/package/system-command
#http://hackage.haskell.org/package/transformers
#http://hackage.haskell.org/package/web-routes-wai
#http://hackage.haskell.org/package/web-page
];
};
}
{
users.extraGroups = {
tv-sub.gid = 1337;
@ -429,8 +373,6 @@ in
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true;
networking.hostName = "wu";
environment.systemPackages = with pkgs; [
xlibs.fontschumachermisc
slock

94
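--- a/2configs/makefu/base.nix
+++ b/2configs/makefu/base.nix
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+imports = [ ];
+users.extraUsers = {
+root = {
+openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+};
+makefu = {
+uid = 9001;
+group = "users";
+home = "/home/makefu";
+createHome = true;
+useDefaultShell = true;
+extraGroups = [
+"wheel"
+];
+openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+};
+};
+services.openssh.enable = true;
+nix.useChroot = true;
+users.mutableUsers = true;
+boot.tmpOnTmpfs = true;
+systemd.tmpfiles.rules = [
+"d /tmp 1777 root root - -"
+];
+environment.extraInit = ''
+EDITOR=vim
+'';
+environment.systemPackages = with pkgs; [
+git
+vim
+rxvt_unicode.terminfo
+];
+programs.bash = {
+enableCompletion = true;
+interactiveShellInit = ''
+HISTCONTROL='erasedups:ignorespace'
+HISTSIZE=900001
+HISTFILESIZE=$HISTSIZE
+shopt -s checkhash
+shopt -s histappend histreedit histverify
+shopt -s no_empty_cmd_completion
+complete -d cd
+'';
+promptInit = ''
+case $UID in
+0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;;
+9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;;
+*) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;;
+esac
+if test -n "$SSH_CLIENT"; then
+PS1='\[\033[35m\]\h'" $PS1"
+fi
+'';
+};
+environment.shellAliases = {
+lsl = "ls -lAtr";
+};
+nixpkgs.config.packageOverrides = pkgs: {
+nano = pkgs.runCommand "empty" {} "mkdir -p $out";
+};
+services.cron.enable = false;
+services.nscd.enable = false;
+security.setuidPrograms = [ "sendmail" ];
+services.journald.extraConfig = ''
+SystemMaxUse=1G
+RuntimeMaxUse=128M
+'';
+# Enable IPv6 Privacy Extensions
+boot.kernel.sysctl = {
+"net.ipv6.conf.all.use_tempaddr" = 2;
+"net.ipv6.conf.default.use_tempaddr" = 2;
+};
+i18n = {
+consoleKeyMap = "us";
+defaultLocale = "en_US.UTF-8";
+};
+}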
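Review bot: sshd is enabled and root receives an authorized key (`users.extraUsers.root.openssh.authorizedKeys.keys`), but nothing in this file pins sshd to key-only access, so with `users.mutableUsers = true;` any password later set on root or makefu is also a remotely guessable SSH credential. Add `services.openssh.passwordAuthentication = false;` and `services.openssh.permitRootLogin = "without-password";` next to `services.openssh.enable = true;` so the intended key-only, root-via-key model is explicit. The NixOS defaults for these two options at the pinned nixpkgs revision are not visible here, which is exactly why they should be stated rather than relied upon; the same applies to `security.setuidPrograms = [ "sendmail" ];`, which installs a setuid wrapper although no MTA is configured in this file.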


@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
with import ../../4lib/tv { inherit lib pkgs; };
let
out = {
imports = [ ../../3modules/krebs/git.nix ];
krebs.git = {
enable = true;
root-title = "public repositories ";
root-desc = "keep calm and enrage";
inherit repos rules ;
};
};
repos = public-repos;
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
stockholm = {
desc = "take all the computers hostage, they'll love you!";
};
};
# TODO move users to separate module
make-public-repo = name: { desc ? null, ... }: {
inherit name desc;
public = true;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName;
channel = "#retiolum";
server = "cd.retiolum";
};
};
};
make-rules =
with git // config.krebs.users;
repo:
singleton {
user = makefu;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional repo.public {
user = [ lass tv uriel ];
repo = [ repo ];
perm = fetch;
};
in out
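Review bot: `root-title = "public repositories ";` carries a trailing space that is emitted verbatim into the cgit page title; `root-title = "public repositories";`. This file mirrors the layout of `2configs/tv/git.nix` added in the same commit (same `out`/`repos`/`rules`/`make-rules` shape and the same `# TODO move users to separate module`), so keeping the two structurally identical will make the eventual extraction of the shared helper easier.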


@ -9,6 +9,11 @@ let
in
{
krebs.enable = true;
krebs.search-domain = "retiolum";
networking.hostName = config.krebs.build.host.name;
imports = [
{
users.extraUsers =
@ -22,8 +27,8 @@ in
{
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = map readFile [
../../Zpubkeys/tv_wu.ssh.pub
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
tv = {
@ -37,15 +42,15 @@ in
"video"
"wheel"
];
openssh.authorizedKeys.keys = map readFile [
../../Zpubkeys/tv_wu.ssh.pub
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
};
}
{
security.sudo.extraConfig = ''
Defaults mailto="tv@wu.retiolum"
Defaults mailto="${config.krebs.users.tv.mail}"
'';
time.timeZone = "Europe/Berlin";
}


@ -123,7 +123,7 @@ let
#loadmodule "extensions/ip_cloaking.so";
serverinfo {
name = ${toJSON (head config.tv.identity.self.nets.retiolum.aliases)};
name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
sid = "4z3";
description = "miep!";
network_name = "irc.retiolum";
@ -133,9 +133,9 @@ let
/* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */
/* for IPv4 */
vhost = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs4};
vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4};
/* for IPv6 */
vhost6 = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs6};
vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6};
/* ssl_private_key: our ssl private key */
ssl_private_key = "/tmp/ssl.key";
@ -170,7 +170,7 @@ let
admin {
name = "tv";
description = "peer";
email = "tv@wu.retiolum";
mail = "${config.krebs.users.tv.mail}";
};
log {
@ -240,7 +240,7 @@ let
*/
# XXX This is stupid because only one host is allowed[?]
#host = ''${concatMapStringsSep ", " toJSON (
# config.tv.identity.self.nets.retiolum.addrs
# config.krebs.build.host.nets.retiolum.addrs
#)};
port = 6667;
sslport = 6697;
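Review bot: in the `admin { }` block the key was renamed from `email` to `mail` together with the value change (`mail = "${config.krebs.users.tv.mail}";`); charybdis' ircd.conf admin block takes `email`, so this line most likely becomes an unknown item that the config parser warns about and discards, leaving the admin contact unset. Keep the key and change only the value: `email = "${config.krebs.users.tv.mail}";`. I cannot see the charybdis version in use, so confirm against its reference.conf. Separately, the context line `ssl_private_key = "/tmp/ssl.key";` keeps the IRC TLS private key in a world-writable directory, which is worth a follow-up even though this commit does not touch it.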


@ -1,16 +1,15 @@
{ config, ... }:
{
imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec {
enable = true;
inherit (config.tv.identity) self;
self = config.krebs.build.host;
inherit (self) dc;
server = true;
hosts = with config.tv.identity.hosts; [
hosts = with config.krebs.hosts; [
# TODO get this list automatically from each host where tv.consul.enable is true
cd
mkdir


@ -4,9 +4,9 @@
services.exim =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
assert config.tv.retiolum.enable;
assert config.krebs.retiolum.enable;
let
# TODO get the hostname from config.tv.retiolum.
# TODO get the hostname from config.krebs.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum";
in
{ enable = true;


@ -11,20 +11,21 @@ in
let
retiolumHostname = "${config.networking.hostName}.retiolum";
internet-aliases = [
{ from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; }
internet-aliases = with config.krebs.users; [
{ from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die:
{ from = "tv@viljetic.de"; to = "tv@wu.retiolum"; }
{ from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; }
{ from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
{ from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; }
{ from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?)
{ from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; }
{ from = "tv@cd.retiolum"; to = tv.mail; }
{ from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; }
# TODO lists@smtp.retiolum [consul]
{ from = "postmaster@krebsco.de"; to = tv.mail; }
];
system-aliases = [


@ -1,87 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (builtins) map readFile;
inherit (lib) concatMap listToAttrs;
# TODO lib should already include our stuff
inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git;
public-git-repos = [
(public "cgserver")
(public "crude-mail-setup")
(public "dot-xmonad")
(public "hack")
(public "load-env")
(public "make-snapshot")
(public "mime")
(public "much")
(public "nixos-infest")
(public "nixpkgs")
(public "painload")
(public "quipper")
(public "regfish")
(public' {
name = "shitment";
desc = "turn all the computers into one computer!";
})
(public "wai-middleware-time")
(public "web-routes-wai-custom")
(public "xintmap")
];
users = addNames {
tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; };
lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; };
uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; };
makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; };
};
repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos);
rules = concatMap ({ rules, ... }: rules) public-git-repos;
public' = { name, desc }:
let
x = public name;
in
x // { repo = x.repo // { inherit desc; }; };
public = repo-name:
rec {
repo = {
name = repo-name;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
server = "cd.retiolum";
};
};
public = true;
};
rules = with git; with users; [
{ user = tv;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
}
{ user = [ lass makefu uriel ];
repo = [ repo ];
perm = fetch;
}
];
};
in
{
imports = [
../../3modules/tv/git.nix
];
tv.git = {
enable = true;
inherit repos rules users;
root-title = "public repositories at ${config.networking.hostName}";
root-desc = "keep calm and engage";
};
}

90
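--- a/2configs/tv/git.nix
+++ b/2configs/tv/git.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+with import ../../4lib/tv { inherit lib pkgs; };
+let
+out = {
+krebs.git = {
+enable = true;
+root-title = "public repositories at ${config.krebs.build.host.name}";
+root-desc = "keep calm and engage";
+inherit repos rules;
+};
+};
+repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+public-repos //
+optionalAttrs config.krebs.build.host.secure restricted-repos
+);
+rules = concatMap make-rules (attrValues repos);
+public-repos = mapAttrs make-public-repo {
+cgserver = {};
+crude-mail-setup = {};
+dot-xmonad = {};
+hack = {};
+load-env = {};
+make-snapshot = {};
+mime = {};
+much = {};
+nixos-infest = {};
+nixpkgs = {};
+painload = {};
+quipper = {};
+regfish = {};
+stockholm = {
+desc = "take all the computers hostage, they'll love you!";
+};
+wai-middleware-time = {};
+web-routes-wai-custom = {};
+xintmap = {};
+};
+restricted-repos = mapAttrs make-restricted-repo (
+{
+brain = {
+collaborators = with config.krebs.users; [ lass makefu ];
+};
+} //
+import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+);
+make-public-repo = name: { desc ? null, ... }: {
+inherit name desc;
+public = true;
+hooks = {
+post-receive = git.irc-announce {
+# TODO make nick = config.krebs.build.host.name the default
+nick = config.krebs.build.host.name;
+channel = "#retiolum";
+server = "cd.retiolum";
+};
+};
+};
+make-restricted-repo = name: { desc ? null, ... }: {
+inherit name desc;
+public = false;
+};
+make-rules =
+with git // config.krebs.users;
+repo:
+singleton {
+user = tv;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+} ++
+optional repo.public {
+user = [ lass makefu uriel ];
+repo = [ repo ];
+perm = fetch;
+} ++
+optional (length (repo.collaborators or []) > 0) {
+user = repo.collaborators;
+repo = [ repo ];
+perm = fetch;
+};
+in out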


@ -8,7 +8,7 @@
device = "DEVICESCAN";
options = toString [
"-a"
"-m tv@wu.retiolum"
"-m ${config.krebs.users.tv.mail}"
"-s (O/../.././09|S/../.././04|L/../../6/05)"
];
}

51
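--- a/2configs/tv/urlwatch.nix
+++ b/2configs/tv/urlwatch.nix
@@ -0,0 +1,51 @@
+{ config, ... }:
+{
+krebs.urlwatch = {
+enable = true;
+mailto = config.krebs.users.tv.mail;
+onCalendar = "*-*-* 05:00:00";
+urls = [
+## nixpkgs maintenance
+# 2014-07-29 when one of the following urls change
+# then we have to update the package
+# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
+https://api.github.com/repos/simple-evcorr/sec/tags
+# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
+https://thp.io/2008/urlwatch/
+# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
+https://api.github.com/repos/ioerror/tlsdate/tags
+# 2015-02-18
+# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
+http://www.fourmilab.ch/webtools/qprint/
+# 2014-09-24 ref https://github.com/4z3/xintmap
+http://www.mathstat.dal.ca/~selinger/quipper/
+# 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
+# ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
+http://nixos.org/releases/nixops/
+## other
+https://nixos.org/channels/nixos-unstable/git-revision
+## 2014-10-17
+## TODO update ~/src/login/default.nix
+#http://hackage.haskell.org/package/bcrypt
+#http://hackage.haskell.org/package/cron
+#http://hackage.haskell.org/package/hyphenation
+#http://hackage.haskell.org/package/iso8601-time
+#http://hackage.haskell.org/package/ixset-typed
+#http://hackage.haskell.org/package/system-command
+#http://hackage.haskell.org/package/transformers
+#http://hackage.haskell.org/package/web-routes-wai
+#http://hackage.haskell.org/package/web-page
+];
+};
+}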
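Review bot: three of the watched URLs are fetched over plain http (`http://www.fourmilab.ch/webtools/qprint/`, `http://www.mathstat.dal.ca/~selinger/quipper/`, `http://nixos.org/releases/nixops/`), and the comments say the list exists to decide when nixpkgs packages get bumped, so an on-path tamperer can produce a misleading "new release" notice. `https://nixos.org/releases/nixops/` is served with TLS by the same site that the `git-revision` entry already uses over https, so that one can be switched outright; do the same for the other two if they offer TLS. The impact is limited to a wrong notification since urlwatch only mails diffs, but the change is free.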


@ -1,11 +1,145 @@
{ config, ... }:
{ config, lib, ... }:
{
imports = [ ../../3modules/tv/identity.nix ];
tv.identity = {
enable = true;
search = "retiolum";
hosts = {
with import ../../4lib/krebs { inherit lib; };
let
cfg = config.krebs;
out = {
imports = [
./github-hosts-sync.nix
./git.nix
./nginx.nix
./retiolum.nix
./urlwatch.nix
];
options.krebs = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "krebs";
build = mkOption {
type = types.submodule {
options = {
host = mkOption {
type = types.host;
};
user = mkOption {
type = types.user;
};
};
};
# Define defaul value, so unset values of the submodule get reported.
default = {};
};
hosts = mkOption {
type = with types; attrsOf host;
};
users = mkOption {
type = with types; attrsOf user;
};
# XXX is there a better place to define search-domain?
# TODO search-domains :: listOf hostname
search-domain = mkOption {
type = types.hostname;
default = "";
example = "retiolum";
};
};
imp = mkMerge [
{ krebs = lass-imp; }
{ krebs = makefu-imp; }
{ krebs = tv-imp; }
{
# XXX This overlaps with krebs.retiolum
networking.extraHosts =
let
# TODO move domain name providers to a dedicated module
# providers : tree label providername
providers = {
internet = "hosts";
retiolum = "hosts";
de.viljetic = "regfish";
de.krebsco = "ovh";
};
# splitByProvider : [alias] -> listset providername alias
splitByProvider = foldl (acc: alias: listset-insert (providerOf alias) alias acc) {};
# providerOf : alias -> providername
providerOf = alias:
tree-get (splitString "." alias) providers;
in
concatStringsSep "\n" (flatten (
# TODO deepMap ["hosts" "nets"] (hostname: host: netname: net:
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = toString (unique (longs ++ shorts));
longs = (splitByProvider net.aliases).hosts;
shorts = map (removeSuffix ".${cfg.search-domain}") longs;
in
map (addr: "${addr} ${aliases}") net.addrs
) host.nets
) config.krebs.hosts
));
}
];
lass-imp = {
hosts = addNames {
};
users = addNames {
lass = {
pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
};
uriel = {
pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
};
};
};
makefu-imp = {
hosts = addNames {
pnp = {
cores = 1;
dc = "makefu"; #vm on 'omo'
nets = {
retiolum = {
addrs4 = ["10.243.0.210"];
addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"];
aliases = [
"pnp.retiolum"
"cgit.pnp.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g
Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V
pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR
SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T
TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr
Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
};
users = addNames {
makefu = {
pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
};
};
};
tv-imp = {
hosts = addNames {
cd = {
cores = 2;
dc = "tv"; #dc = "cac";
@ -99,6 +233,7 @@
'';
};
};
secure = true;
};
rmdir = {
cores = 1;
@ -154,7 +289,20 @@
'';
};
};
secure = true;
};
};
users = addNames {
mv = {
mail = "mv@cd.retiolum";
pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub;
};
tv = {
mail = "tv@wu.retiolum";
pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub;
};
};
};
}
in
out
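Review bot: pnp's tinc public key is now recorded inline under `krebs.hosts.pnp.nets.retiolum.tinc.pubkey`, but `krebs.retiolum` still takes peer keys from its `hosts` option (default `../../Zhosts`, per the retiolum module in this same commit), so the same key now lives in two places that can drift, and the copy that actually authenticates peers is the Zhosts one. Either derive the hosts package from `krebs.hosts.*.nets.retiolum.tinc.pubkey` so there is a single source of truth, or mark the inline record, e.g. `# informational only; tincd reads peer keys from krebs.retiolum.hosts`. Whether the two copies currently agree is not checkable from the diff. The `tv-imp` host records are only partly shown here, so the same remark may apply to keys outside the visible hunks.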


@ -6,16 +6,16 @@
# TODO when authorized_keys changes, then restart ssh
# (or kill already connected users somehow)
with builtins;
with lib;
with import ../../4lib/krebs { inherit lib; };
let
cfg = config.tv.git;
cfg = config.krebs.git;
out = {
# TODO don't import krebs.nginx here
imports = [
../../3modules/tv/nginx.nix
../../3modules/krebs/nginx.nix
];
options.tv.git = api;
options.krebs.git = api;
config = mkIf cfg.enable (mkMerge [
(mkIf cfg.cgit cgit-imp)
git-imp
@ -23,12 +23,20 @@ let
};
api = {
enable = mkEnableOption "tv.git";
enable = mkEnableOption "krebs.git";
cgit = mkOption {
type = types.bool;
default = true;
description = "Enable cgit."; # TODO better desc; talk about nginx
description = ''
Enable cgit.
Cgit is an attempt to create a fast web interface for the git version
control system, using a built in cache to decrease pressure on the
git server.
cgit in this module is being served via fastcgi nginx.This module
deploys a http://cgit.<hostname> nginx configuration and enables nginx
if not yet enabled.
'';
};
dataDir = mkOption {
type = types.str;
@ -64,6 +72,7 @@ let
};
hooks = mkOption {
type = types.attrsOf types.str;
default = {};
description = ''
Repository-specific hooks.
'';
@ -118,9 +127,6 @@ let
rules = mkOption {
type = types.unspecified;
};
users = mkOption {
type = types.unspecified;
};
};
git-imp = {
@ -148,7 +154,8 @@ let
name = "git";
shell = "/bin/sh";
openssh.authorizedKeys.keys =
mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users;
mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
config.krebs.users;
uid = 129318403; # genid git
};
};
@ -210,7 +217,7 @@ let
chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit
'';
tv.nginx = {
krebs.nginx = {
enable = true;
servers.cgit = {
server-names = [
@ -254,7 +261,7 @@ let
isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }:
makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:
# TODO assert name
# TODO assert pubkey
let
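Review bot: in the hunk around `mapAttrsToList (_: makeAuthorizedKey git-ssh-command) config.krebs.users`, the `git` user's authorized_keys now lists every user in the global `krebs.users` registry on every host with `krebs.git` enabled, including the `secure` hosts that serve restricted repos, where before the key set was the per-host `cfg.users`. Repository access is still gated by `cfg.rules`, but anyone who lands in `krebs.users` (the `lass-imp`/`makefu-imp`/`tv-imp` sets are merged unconditionally) gets an SSH login to the forced-command shell on all of them, which is more surface than least privilege calls for. Deriving the keys from the users the rules actually mention, e.g. `openssh.authorizedKeys.keys = map (makeAuthorizedKey git-ssh-command) (unique (flatten (map (r: r.user) cfg.rules)));`, keeps the set minimal; `rules` is `types.unspecified` and `user` may be a single user or a list per the configs in this commit, hence the `flatten`. The enclosing `git-imp` attribute set starts before this hunk.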


@ -3,15 +3,15 @@
with builtins;
with lib;
let
cfg = config.tv.github-hosts-sync;
cfg = config.krebs.github-hosts-sync;
out = {
options.tv.github-hosts-sync = api;
options.krebs.github-hosts-sync = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.github-hosts-sync";
enable = mkEnableOption "krebs.github-hosts-sync";
port = mkOption {
type = types.int; # TODO port type
default = 1028;
@ -78,6 +78,6 @@ let
uid = 3220554646; # genid github-hosts-sync
};
Zpkgs = import ../../Zpkgs/tv { inherit pkgs; };
Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; };
in
out


@ -3,21 +3,22 @@
with builtins;
with lib;
let
cfg = config.tv.nginx;
cfg = config.krebs.nginx;
out = {
options.tv.nginx = api;
options.krebs.nginx = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.nginx";
enable = mkEnableOption "krebs.nginx";
servers = mkOption {
type = with types; attrsOf optionSet;
options = singleton {
server-names = mkOption {
type = with types; listOf str;
# TODO use identity
default = [
"${config.networking.hostName}"
"${config.networking.hostName}.retiolum"


@ -3,15 +3,15 @@
with builtins;
with lib;
let
cfg = config.tv.retiolum;
cfg = config.krebs.retiolum;
out = {
options.tv.retiolum = api;
options.krebs.retiolum = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.retiolum";
enable = mkEnableOption "krebs.retiolum";
name = mkOption {
type = types.str;
@ -57,9 +57,9 @@ let
};
hosts = mkOption {
default = null;
type = with types; either package path;
default = ../../Zhosts;
description = ''
Hosts package or path to use.
If a path is given, then it will be used to generate an ad-hoc package.
'';
};
@ -76,13 +76,21 @@ let
# bad unsafe permissions...
type = types.str;
default = "/root/src/secrets/retiolum.rsa_key.priv";
description = "Generate file with <literal>tincd -K</literal>.";
description = ''
Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to
<secrets/retiolum.rsa_key.priv>.
'';
};
connectTo = mkOption {
type = types.listOf types.str;
default = [ "fastpoke" "pigstarter" "kheurop" ];
description = "TODO describe me";
default = [ "fastpoke" "pigstarter" "gum" ];
description = ''
The list of hosts in the network which the client will try to connect
to. These hosts should have an 'Address' configured which points to a
routeable IPv4 or IPv6 address.
'';
};
};
@ -123,24 +131,20 @@ let
};
tinc = cfg.tincPackage;
hostsType = builtins.typeOf cfg.hosts;
hosts =
if hostsType == "package" then
# use package as is
cfg.hosts
else if hostsType == "path" then
# use path to generate a package
pkgs.stdenv.mkDerivation {
name = "custom-retiolum-hosts";
src = cfg.hosts;
installPhase = ''
mkdir $out
find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
'';
}
else
abort "The option `services.retiolum.hosts' must be set to a package or a path"
;
hosts = getAttr (typeOf cfg.hosts) {
package = cfg.hosts;
path = pkgs.stdenv.mkDerivation {
name = "custom-retiolum-hosts";
src = cfg.hosts;
installPhase = ''
mkdir $out
find . -name .git -prune -o -type f -print0 \
| xargs -0 cp --target-directory $out
'';
};
};
iproute = cfg.iproutePackage;
retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
@ -218,5 +222,5 @@ let
chmod +x $out/tinc-up
'';
in
out
in out
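Review bot: the new `privateKeyFile` description says "The default points to `<secrets/retiolum.rsa_key.priv>`", but the default is the absolute path `/root/src/secrets/retiolum.rsa_key.priv`; angle-bracket syntax reads as a NIX_PATH lookup in Nix, so the docstring points readers at a path form the module does not use. Replace that sentence with one stating the literal default, and since the comment just above already warns about "bad unsafe permissions", say what the file must look like, e.g. "Defaults to /root/src/secrets/retiolum.rsa_key.priv; the file must be owned by root and not group/world readable, and it is read at runtime, not copied into the store." The last claim should be checked against the `tinc-up`/service wiring, which is outside the visible hunks.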


@ -8,16 +8,16 @@
with builtins;
with lib;
let
cfg = config.tv.urlwatch;
cfg = config.krebs.urlwatch;
# TODO assert sendmail's existence
out = {
options.tv.urlwatch = api;
options.krebs.urlwatch = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.urlwatch";
enable = mkEnableOption "krebs.urlwatch";
dataDir = mkOption {
type = types.str;


@ -0,0 +1,19 @@
{ config, lib, ... }:
with import ../../4lib/krebs { inherit lib; };
let
cfg = config.krebs;
out = {
imports = [
];
options.krebs = api;
config = mkIf cfg.enable imp;
};
api = { };
imp = { };
in
out


@ -10,7 +10,6 @@ let
cfg = config.tv.consul;
out = {
imports = [ ../../3modules/tv/iptables.nix ];
options.tv.consul = api;
config = mkIf cfg.enable (mkMerge [
imp

9
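--- a/3modules/tv/default.nix
+++ b/3modules/tv/default.nix
@@ -0,0 +1,9 @@
+_:
+{
+imports = [
+./consul.nix
+./ejabberd.nix
+./iptables.nix
+];
+}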


@ -1,88 +0,0 @@
{ config, lib, pkgs, ... }:
with import ../../4lib/tv { inherit lib pkgs; };
let
cfg = config.tv.identity;
out = {
options.tv.identity = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.identity";
self = mkOption {
type = types.host;
};
#others = mkOption {
# type = types.host;
# default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts;
#};
hosts = mkOption {
type = with types; attrsOf host;
apply = mapAttrs (name: value: value // { inherit name; });
};
search = mkOption {
type = types.hostname;
};
};
imp = {
networking.extraHosts =
concatStringsSep "\n" (flatten (
# TODO deepMap ["hosts" "nets"] (hostname: host: netname: net:
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = toString (unique (longs ++ shorts));
longs = (splitByProvider net.aliases).hosts;
shorts = map (removeSuffix ".${cfg.search}") longs;
in
map (addr: "${addr} ${aliases}") net.addrs
) host.nets
) cfg.hosts
));
};
# TODO move domain name providers to a dedicated module
# providers : tree label providername
providers = {
internet = "hosts";
retiolum = "hosts";
de.viljetic = "regfish";
de.krebsco = "ovh";
de.habsys = "hosts";
de.pixelpocket = "hosts";
de.karlaskop = "hosts";
de.ubikmedia = "hosts";
de.apanowicz = "hosts";
de.aidsballs = "hosts";
};
# splitByProvider : [alias] -> set providername [alias]
splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {};
# providerOf : alias -> providername
providerOf = alias:
tree-get (splitString "." alias) providers;
# insert : k -> v -> set k [v] -> set k [v]
insert = name: value: set:
set // { ${name} = set.${name} or [] ++ [value]; };
# tree k v = set k (either v (tree k v))
# tree-get : [k] -> tree k v -> v
tree-get = path: x:
let
y = x.${last path};
in
if typeOf y != "set"
then y
else tree-get (init path) y;
in
out

33
4lib/krebs/default.nix Normal file

@ -0,0 +1,33 @@
{ lib, ... }:
with builtins;
with lib;
builtins // lib // rec {
addName = name: set:
set // { inherit name; };
addNames = mapAttrs addName;
types = import ./types.nix { inherit lib; };
# listset k v = set k [v]
# listset-insert : k -> v -> listset k v -> listset k v
listset-insert = name: value: set:
set // { ${name} = set.${name} or [] ++ [value]; };
# tree k v = set k (either v (tree k v))
# tree-get : [k] -> tree k v -> v
tree-get = path: x:
let
y = x.${last path};
in
if typeOf y != "set"
then y
else tree-get (init path) y;
}
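Review bot: `tree-get` walks `path` from its last element towards its first (`x.${last path}`, then recursion on `init path`), which the type-only comment `# tree-get : [k] -> tree k v -> v` does not convey; a reader expecting left-to-right descent will misuse it. A missing key, or a path that runs out before a non-set value is reached, surfaces as a bare attribute-missing or `last []` error from inside the recursion rather than a message naming the lookup. I would extend the comment to `# tree-get descends from the LAST path element (TLD-first for dotted names) and returns the first non-set value reached; path must not run out first.` `listset-insert` relies on `or` binding tighter than `++`, which is correct but deserves a one-line comment so nobody "fixes" it with parentheses in the wrong place.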

104
4lib/krebs/types.nix Normal file

@ -0,0 +1,104 @@
{ lib, ... }:
with lib;
with types;
types // rec {
host = submodule {
options = {
name = mkOption {
type = label;
};
dc = mkOption {
type = label;
};
cores = mkOption {
type = positive;
};
nets = mkOption {
type = attrsOf net;
apply = x: assert hasAttr "retiolum" x; x;
};
secure = mkOption {
type = bool;
default = false;
description = ''
If true, then the host is capable of keeping secret information.
TODO define minimum requirements for secure hosts
'';
};
};
};
net = submodule ({ config, ... }: {
options = {
via = mkOption {
type = nullOr net;
default = null;
};
addrs = mkOption {
type = listOf addr;
apply = _: config.addrs4 ++ config.addrs6;
};
addrs4 = mkOption {
type = listOf addr4;
default = [];
};
addrs6 = mkOption {
type = listOf addr6;
default = [];
};
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
};
tinc = mkOption {
type = let net-config = config; in submodule ({ config, ... }: {
options = {
config = mkOption {
type = str;
apply = _: ''
${optionalString (net-config.via != null)
(concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
${config.pubkey}
'';
};
pubkey = mkOption {
type = str;
};
};
});
};
};
});
positive = mkOptionType {
name = "positive integer";
check = x: isInt x && x > 0;
merge = mergeOneOption;
};
user = submodule {
options = {
mail = mkOption {
type = str; # TODO retiolum mail address
};
name = mkOption {
type = str; # TODO
};
pubkey = mkOption {
type = str;
};
};
};
# TODO
addr = str;
addr4 = str;
addr6 = str;
hostname = str;
label = str;
}
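Review bot: `addr`, `addr4`, `addr6`, `hostname` and `label` are plain aliases of `str` (the `# TODO` block at the end), so any string passes type checking and is interpolated verbatim into the generated tinc host block on the `tinc.config` apply line (`Address = ${a}`, `Subnet = ${a}`). A value carrying a space or newline would therefore be emitted as additional tinc directives instead of being rejected at evaluation time, where the mistake is cheap to diagnose. Until real address parsing lands, a whitespace check gives most of the benefit, e.g. `addr = addCheck str (x: !(elem " " (stringToCharacters x) || elem "\n" (stringToCharacters x)));`, with the other aliases defined the same way (`addCheck` and `stringToCharacters` are in scope via `with lib; with types;`). The `secure` option's description still carries a TODO; a sentence stating what currently relies on it would help readers decide when to set it.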


@ -1,9 +1,12 @@
{ lib, pkgs, ... }:
with builtins;
with lib;
let
krebs = import ../../4lib/krebs { inherit lib; };
in
builtins // lib // rec {
with krebs;
krebs // rec {
git = import ./git.nix {
lib = lib // {
@ -12,16 +15,9 @@ builtins // lib // rec {
inherit pkgs;
};
addName = name: set:
set // { inherit name; };
addNames = mapAttrs addName;
# "7.4.335" -> "74"
majmin = with lib; x : concatStrings (take 2 (splitString "." x));
concat = xs :
if xs == []
then ""
@ -53,82 +49,4 @@ builtins // lib // rec {
if isSafeChar c then c
else if c == "\n" then "'\n'"
else "\\${c}");
types = lib.types // (with lib.types; rec {
host = submodule {
options = {
name = mkOption {
type = label;
};
dc = mkOption {
type = label;
};
cores = mkOption {
type = positive;
};
nets = mkOption {
type = attrsOf net;
apply = x: assert hasAttr "retiolum" x; x;
};
};
};
net = submodule ({ config, ... }: {
options = {
via = mkOption {
type = nullOr net;
default = null;
};
addrs = mkOption {
type = listOf addr;
apply = _: config.addrs4 ++ config.addrs6;
};
addrs4 = mkOption {
type = listOf addr4;
default = [];
};
addrs6 = mkOption {
type = listOf addr6;
default = [];
};
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
};
tinc = mkOption {
type = let net-config = config; in submodule ({ config, ... }: {
options = {
config = mkOption {
type = str;
apply = _: ''
${optionalString (net-config.via != null)
(concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
${config.pubkey}
'';
};
pubkey = mkOption {
type = str;
};
};
});
};
};
});
positive = mkOptionType {
name = "positive integer";
check = x: isInt x && x > 0;
merge = mergeOneOption;
};
# TODO
addr = str;
addr4 = str;
addr6 = str;
hostname = str;
label = str;
});
}


@ -41,13 +41,14 @@ deploy:;@
"$$src/" "$$deploy_host:$$dst"
)}
prepush /root/src/shitment "$$PWD"
prepush /root/src/stockholm "$$PWD"
prepush /root/src/secrets "$$secrets_dir"
ssh -S none "$$deploy_host" -T env \
nixpkgs_url="$$nixpkgs_url" \
nixpkgs_rev="$$nixpkgs_rev" \
system_name="$$system_name" \
user_name="$$LOGNAME" \
sh -euf \
<<-\EOF
prefetch(){(
@ -77,26 +78,30 @@ deploy:;@
prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
echo build system...
NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \
NIX_PATH=src \
nix-build -Q -A system '<nixpkgs/nixos>'
NIX_PATH=/root/src \
nix-build \
-Q \
-A system \
'<stockholm>' \
--argstr user-name "$$user_name" \
--argstr system-name "$$system_name"
result/bin/switch-to-configuration switch
EOF
.PHONY: eval
eval:
@nix-instantiate \
@
NIX_PATH=stockholm=$$PWD:$$NIX_PATH \
nix-instantiate \
--json \
--eval \
--strict \
-A "$$get" \
-E '
import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem;
modules = [ ./1systems/$(LOGNAME)/$(system).nix ];
}
' | jq -r .
'<stockholm>' \
--argstr user-name "$$LOGNAME" \
--argstr system-name "$$system" \
| jq -r .
else
$(error unbound variable: system[s])
endif
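Review bot: `NIX_PATH=/root/src` on the nix-build line makes every directory under /root/src resolvable through angle-bracket lookups, including the tree pushed by `prepush /root/src/secrets "$$secrets_dir"` earlier in the deploy recipe; a module that pulls a file in via `<secrets/...>` then carries its contents into the world-readable Nix store on the target. Whether any module currently does so is not visible in this diff. If that is the intended way to consume secrets, a comment next to the nix-build line should say so; otherwise `NIX_PATH=nixpkgs=/root/src/nixpkgs:stockholm=/root/src/stockholm \` keeps the search path to the two trees the build needs, matching the explicit `NIX_PATH=stockholm=$$PWD:$$NIX_PATH` form the `eval` target already uses.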

11
Zhosts/pnp Normal file

@ -0,0 +1,11 @@
Subnet = 10.243.0.210
Subnet = 42:f9f1:0000:0000:0000:0000:0000:0001
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g
Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V
pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR
SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T
TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr
Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB
-----END RSA PUBLIC KEY-----

14
Zpkgs/krebs/default.nix Normal file

@ -0,0 +1,14 @@
{ pkgs, ... }:
let
inherit (pkgs) callPackage;
in
pkgs //
{
dic = callPackage ./dic.nix {};
genid = callPackage ./genid.nix {};
github-hosts-sync = callPackage ./github-hosts-sync.nix {};
github-known_hosts = callPackage ./github-known_hosts.nix {};
hashPassword = callPackage ./hashPassword.nix {};
}


@ -0,0 +1,16 @@
{ lib, pkgs, ... }:
pkgs.writeScriptBin "hashPassword" ''
#! /bin/sh
# usage: hashPassword
set -euf
export PATH=${lib.makeSearchPath "bin" (with pkgs; [
coreutils
mkpasswd
openssl
])}
salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16)
exec mkpasswd -m sha-512 -S "$salt"
''
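Review bot: `exec mkpasswd -m sha-512 -S "$salt"` leaves sha512-crypt at its default of 5000 rounds, which is a low work factor for a hash that, once placed in a NixOS configuration, ends up in the world-readable store; mkpasswd accepts `-R`/`--rounds`, so `exec mkpasswd -m sha-512 -R 100000 -S "$salt"` is a one-line hardening, and since the round count is encoded in the hash itself, verification needs no other change. The salt pipeline `openssl rand -base64 16 | tr -d '+=' | head -c 16` produces characters from crypt's `[a-zA-Z0-9./]` alphabet, but `tr -d` can leave fewer than 16 characters on an unlucky draw; drawing more input, e.g. `openssl rand -base64 32`, guarantees the full 16-character salt. A short comment stating the output format (`$6$rounds=...$salt$hash`) and where the result is meant to be pasted would also help, since the script's only documentation is `# usage: hashPassword`.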


@ -2,15 +2,11 @@
let
inherit (pkgs) callPackage;
krebs = import ../../Zpkgs/krebs { inherit pkgs; };
in
pkgs //
{
krebs // {
charybdis = callPackage ./charybdis {};
dic = callPackage ./dic.nix {};
genid = callPackage ./genid.nix {};
github-hosts-sync = callPackage ./github-hosts-sync.nix {};
github-known_hosts = callPackage ./github-known_hosts.nix {};
lentil = callPackage ./lentil {};
much = callPackage ./much.nix {};
viljetic-pages = callPackage ./viljetic-pages {};

20
default.nix Normal file

@ -0,0 +1,20 @@
{ user-name, system-name }:
let
eval = import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem;
modules = [
(./1systems + "/${user-name}/${system-name}.nix")
(./3modules/krebs)
(./3modules + "/${user-name}")
];
};
in
{
inherit (eval) config options;
system = eval.config.system.build.toplevel;
}