From feed949d47ada12077a1a9eca3f83f5c8138487b Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jul 2015 17:54:31 +0200 Subject: [PATCH 01/48] add pnp --- 0make/makefu/pnp.makefile | 4 ++++ 1systems/makefu/pnp.nix | 0 2 files changed, 4 insertions(+) create mode 100644 0make/makefu/pnp.makefile create mode 100644 1systems/makefu/pnp.nix diff --git a/0make/makefu/pnp.makefile b/0make/makefu/pnp.makefile new file mode 100644 index 000000000..c2099f748 --- /dev/null +++ b/0make/makefu/pnp.makefile @@ -0,0 +1,4 @@ +deploy_host := root@uriel +nixpkgs_url := https://github.com/nixos/nixpkgs +nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90 +secrets_dir := /home/makefu/secrets/pnp diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix new file mode 100644 index 000000000..e69de29bb From f076edf90a47117dcf4029e6458b59b7f318fa8e Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 23 Jul 2015 18:20:41 +0200 Subject: [PATCH 02/48] 2 tv git-public: s/shitment/stockholm/ --- 2configs/tv/git-public.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index aef83667f..7babcbb5b 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -22,8 +22,8 @@ let (public "quipper") (public "regfish") (public' { - name = "shitment"; - desc = "turn all the computers into one computer!"; + name = "stockholm"; + desc = "take all the computers hostage, they'll love you!"; }) (public "wai-middleware-time") (public "web-routes-wai-custom") From b2f4cc4b124f7fa67203e0b46cc308eab6813f5e Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jul 2015 19:07:27 +0200 Subject: [PATCH 03/48] 3 tv.retiolum: describe connectTo --- 3modules/tv/retiolum.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix index ca1418c32..e8a1f6c2b 100644 --- a/3modules/tv/retiolum.nix +++ b/3modules/tv/retiolum.nix @@ -82,7 +82,11 @@ let connectTo = mkOption { type = types.listOf types.str; default = [ "fastpoke" "pigstarter" "kheurop" ]; - description = "TODO describe me"; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + ''; }; }; From 461bacfd6a63ee1d4c12805724c408fb21ff9b7d Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jul 2015 19:07:05 +0200 Subject: [PATCH 04/48] tv/retiolum.nix: add doc for ConnectTo --- 3modules/tv/retiolum.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix index ca1418c32..7a5ab70db 100644 --- a/3modules/tv/retiolum.nix +++ b/3modules/tv/retiolum.nix @@ -82,7 +82,12 @@ let connectTo = mkOption { type = types.listOf types.str; default = [ "fastpoke" "pigstarter" "kheurop" ]; - description = "TODO describe me"; + description = '' + The list of hosts in the network which the client will try to connect to. + These hosts should have an 'Address' configured which points to a routeable + IPv4 or IPv6 address + '' + ; }; }; From 9be3c091d31d3ffc1d18a67bbf2523e4afc796cd Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 00:24:12 +0200 Subject: [PATCH 05/48] 2 tv git-public: simplify --- 2configs/tv/git-public.nix | 157 ++++++++++++++++++------------------- 1 file changed, 75 insertions(+), 82 deletions(-) diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index 7babcbb5b..7222f99eb 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -1,87 +1,80 @@ { config, lib, pkgs, ... }: - -with lib; +with import ../../4lib/tv { inherit lib pkgs; }; let - inherit (builtins) map readFile; - inherit (lib) concatMap listToAttrs; - # TODO lib should already include our stuff - inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; - public-git-repos = [ - (public "cgserver") - (public "crude-mail-setup") - (public "dot-xmonad") - (public "hack") - (public "load-env") - (public "make-snapshot") - (public "mime") - (public "much") - (public "nixos-infest") - (public "nixpkgs") - (public "painload") - (public "quipper") - (public "regfish") - (public' { - name = "stockholm"; - desc = "take all the computers hostage, they'll love you!"; - }) - (public "wai-middleware-time") - (public "web-routes-wai-custom") - (public "xintmap") - ]; - - users = addNames { - tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; - uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; - makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; - }; - - repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos); - - rules = concatMap ({ rules, ... }: rules) public-git-repos; - - public' = { name, desc }: - let - x = public name; - in - x // { repo = x.repo // { inherit desc; }; }; - - public = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "cd.retiolum"; - }; - }; - public = true; - }; - rules = with git; with users; [ - { user = tv; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ lass makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; + out = { + imports = [ ../../3modules/tv/git.nix ]; + tv.git = { + enable = true; + root-title = "public repositories at ${config.tv.identity.self.name}"; + root-desc = "keep calm and engage"; + inherit repos rules users; }; - -in - -{ - imports = [ - ../../3modules/tv/git.nix - ]; - tv.git = { - enable = true; - inherit repos rules users; - root-title = "public repositories at ${config.networking.hostName}"; - root-desc = "keep calm and engage"; }; -} + + repos = public-repos; + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + cgserver = {}; + crude-mail-setup = {}; + dot-xmonad = {}; + hack = {}; + load-env = {}; + make-snapshot = {}; + mime = {}; + much = {}; + nixos-infest = {}; + nixpkgs = {}; + painload = {}; + quipper = {}; + regfish = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + xintmap = {}; + }; + + # TODO move users to separate module + users = mapAttrs make-user { + tv = ../../Zpubkeys/tv_wu.ssh.pub; + lass = ../../Zpubkeys/lass.ssh.pub; + uriel = ../../Zpubkeys/uriel.ssh.pub; + makefu = ../../Zpubkeys/makefu.ssh.pub; + }; + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.tv.identity.self.name the default + nick = config.tv.identity.self.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-rules = + with git // users; + repo: + singleton { + user = tv; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ lass makefu uriel ]; + repo = [ repo ]; + perm = fetch; + }; + + make-user = name: pubkey-file: { + inherit name; + pubkey = readFile pubkey-file; + }; + +in out From ea498c46bc98771ab0e66eec21612cbf78b3ef01 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 09:38:59 +0200 Subject: [PATCH 06/48] tv urlwatch: simple-evcorr has moved to GitHub --- 1systems/tv/wu.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 400005cb7..76bb43eca 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -168,7 +168,7 @@ in # then we have to update the package # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix - http://simple-evcorr.sourceforge.net/ + https://api.github.com/repos/simple-evcorr/sec/tags # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix https://thp.io/2008/urlwatch/ From 2b3030c7b27f98b8f00d91c63bd60c980e64071b Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 10:52:43 +0200 Subject: [PATCH 07/48] makefu: init pnp this is the first entry for my hosts, it provides only very basic support with a lot of copy-paste from tv/lass --- 0make/makefu/pnp.makefile | 4 +- 1systems/makefu/pnp.nix | 38 ++++++++ 2configs/makefu/base.nix | 96 +++++++++++++++++++ .../{makefu.ssh.pub => makefu_arch.ssh.pub} | 0 4 files changed, 136 insertions(+), 2 deletions(-) create mode 100644 2configs/makefu/base.nix rename Zpubkeys/{makefu.ssh.pub => makefu_arch.ssh.pub} (100%) diff --git a/0make/makefu/pnp.makefile b/0make/makefu/pnp.makefile index c2099f748..a18efe0e0 100644 --- a/0make/makefu/pnp.makefile +++ b/0make/makefu/pnp.makefile @@ -1,4 +1,4 @@ -deploy_host := root@uriel +deploy_host := root@pnp nixpkgs_url := https://github.com/nixos/nixpkgs -nixpkgs_rev := 961fcbabd7643171ea74bd550fee1ce5c13c2e90 +nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870 secrets_dir := /home/makefu/secrets/pnp diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix index e69de29bb..51f5bb00c 100644 --- a/1systems/makefu/pnp.nix +++ b/1systems/makefu/pnp.nix @@ -0,0 +1,38 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + + ../../2configs/makefu/base.nix + ]; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + hardware.enableAllFirmware = true; + hardware.cpu.amd.updateMicrocode = true; + + fileSystems."/" = + { device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + nix.maxJobs = 1; + networking.hostName = "pnp"; # Define your hostname. + +# $ nix-env -qaP | grep wget + environment.systemPackages = with pkgs; [ + wget + git + gnumake + ]; + +} diff --git a/2configs/makefu/base.nix b/2configs/makefu/base.nix new file mode 100644 index 000000000..ab2e6f247 --- /dev/null +++ b/2configs/makefu/base.nix @@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + imports = [ ]; + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/makefu_arch.ssh.pub + ]; + }; + makefu = { + uid = 9001; + group = "users"; + home = "/home/makefu"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/makefu_arch.ssh.pub + ]; + }; + }; + + services.openssh.enable = true; + nix.useChroot = true; + + users.mutableUsers = true; + + boot.tmpOnTmpfs = true; + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + environment.extraInit = '' + EDITOR=vim + ''; + + environment.systemPackages = with pkgs; [ + git + vim + rxvt_unicode.terminfo + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=900001 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + ''; + promptInit = '' + case $UID in + 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;; + 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;; + *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + environment.shellAliases = { + lsl = "ls -latr"; + }; + + security.setuidPrograms = [ "sendmail" ]; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + nixpkgs.config.packageOverrides = pkgs: { + nano = pkgs.runCommand "empty" {} "mkdir -p $out"; + }; + services.cron.enable = false; + services.nscd.enable = false; + boot.kernel.sysctl = { +# Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + i18n = { + consoleKeyMap = "us"; + defaultLocale = "en_US.UTF-8"; + }; + +} diff --git a/Zpubkeys/makefu.ssh.pub b/Zpubkeys/makefu_arch.ssh.pub similarity index 100% rename from Zpubkeys/makefu.ssh.pub rename to Zpubkeys/makefu_arch.ssh.pub From 7846e26f8660b58d67eb90a21e7249715f49ac89 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:22:21 +0200 Subject: [PATCH 08/48] 3: {tv -> krebs}.retiolum --- 3modules/krebs/retiolum.nix | 226 ++++++++++++++++++++++++++++++++++++ 3modules/tv/retiolum.nix | 211 ++------------------------------- 2 files changed, 233 insertions(+), 204 deletions(-) create mode 100644 3modules/krebs/retiolum.nix diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix new file mode 100644 index 000000000..447592eef --- /dev/null +++ b/3modules/krebs/retiolum.nix @@ -0,0 +1,226 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.retiolum; + + out = { + options.krebs.retiolum = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.retiolum"; + + name = mkOption { + type = types.str; + default = config.networking.hostName; + # Description stolen from tinc.conf(5). + description = '' + This is the name which identifies this tinc daemon. It must + be unique for the virtual private network this daemon will + connect to. The Name may only consist of alphanumeric and + underscore characters. If Name starts with a $, then the + contents of the environment variable that follows will be + used. In that case, invalid characters will be converted to + underscores. If Name is $HOST, but no such environment + variable exist, the hostname will be read using the + gethostnname() system call This is the name which identifies + the this tinc daemon. + ''; + }; + + generateEtcHosts = mkOption { + type = types.str; + default = "both"; + description = '' + If set to short, long, or both, + then generate entries in /etc/hosts from subnets. + ''; + }; + + network = mkOption { + type = types.str; + default = "retiolum"; + description = '' + The tinc network name. + It is used to generate long host entries, + and name the TUN device. + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + default = null; + description = '' + Hosts package or path to use. + If a path is given, then it will be used to generate an ad-hoc package. + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + + privateKeyFile = mkOption { + # TODO if it's types.path then it gets copied to /nix/store with + # bad unsafe permissions... + type = types.str; + default = "/root/src/secrets/retiolum.rsa_key.priv"; + description = "Generate file with tincd -K."; + }; + + connectTo = mkOption { + type = types.listOf types.str; + default = [ "fastpoke" "pigstarter" "kheurop" ]; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + ''; + }; + + }; + + imp = { + environment.systemPackages = [ tinc hosts iproute ]; + + networking.extraHosts = retiolumExtraHosts; + + systemd.services.retiolum = { + description = "Tinc daemon for Retiolum"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ tinc iproute ]; + serviceConfig = { + PermissionsStartOnly = "true"; + PrivateTmp = "true"; + Restart = "always"; + # TODO we cannot chroot (-R) b/c we use symlinks to hosts + # and the private key. + ExecStartPre = pkgs.writeScript "retiolum-init" '' + #! /bin/sh + install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv + ''; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; + SyslogIdentifier = "retiolum"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "retiolum"; + uid = 301281149; # genid retiolum + }; + + tinc = cfg.tincPackage; + hostsType = builtins.typeOf cfg.hosts; + hosts = + if hostsType == "package" then + # use package as is + cfg.hosts + else if hostsType == "path" then + # use path to generate a package + pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out + ''; + } + else + abort "The option `services.retiolum.hosts' must be set to a package or a path" + ; + iproute = cfg.iproutePackage; + + retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" + { } + '' + generate() { + (cd ${hosts} + printf \'\' + for i in `ls`; do + names=$(hostnames $i) + for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do + names="$names $(hostnames $j)" + done + sed -En ' + s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p + ' $i + done | sort + printf \'\' + ) + } + + case ${cfg.generateEtcHosts} in + short) + hostnames() { echo "$1"; } + generate + ;; + long) + hostnames() { echo "$1.${cfg.network}"; } + generate + ;; + both) + hostnames() { echo "$1.${cfg.network} $1"; } + generate + ;; + *) + echo '""' + ;; + esac > $out + ''); + + + confDir = pkgs.runCommand "retiolum" { + # TODO text + executable = true; + preferLocalBuild = true; + } '' + set -euf + + mkdir -p $out + + ln -s ${hosts} $out/hosts + + cat > $out/tinc.conf < $out/tinc-up <short, long, or both, - then generate entries in /etc/hosts from subnets. - ''; - }; - - network = mkOption { - type = types.str; - default = "retiolum"; - description = '' - The tinc network name. - It is used to generate long host entries, - and name the TUN device. - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; + connectTo = mkOption { + type = with types; listOf str; }; hosts = mkOption { - default = null; - description = '' - Hosts package or path to use. - If a path is given, then it will be used to generate an ad-hoc package. - ''; + type = types.path; }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; - }; - - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... - type = types.str; - default = "/root/src/secrets/retiolum.rsa_key.priv"; - description = "Generate file with tincd -K."; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "kheurop" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. - ''; - }; - }; imp = { - environment.systemPackages = [ tinc hosts iproute ]; - - networking.extraHosts = retiolumExtraHosts; - - systemd.services.retiolum = { - description = "Tinc daemon for Retiolum"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - serviceConfig = { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; - SyslogIdentifier = "retiolum"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; + krebs.retiolum = cfg; }; - user = { - name = "retiolum"; - uid = 301281149; # genid retiolum - }; - - tinc = cfg.tincPackage; - hostsType = builtins.typeOf cfg.hosts; - hosts = - if hostsType == "package" then - # use package as is - cfg.hosts - else if hostsType == "path" then - # use path to generate a package - pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out - ''; - } - else - abort "The option `services.retiolum.hosts' must be set to a package or a path" - ; - iproute = cfg.iproutePackage; - - retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" - { } - '' - generate() { - (cd ${hosts} - printf \'\' - for i in `ls`; do - names=$(hostnames $i) - for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do - names="$names $(hostnames $j)" - done - sed -En ' - s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p - ' $i - done | sort - printf \'\' - ) - } - - case ${cfg.generateEtcHosts} in - short) - hostnames() { echo "$1"; } - generate - ;; - long) - hostnames() { echo "$1.${cfg.network}"; } - generate - ;; - both) - hostnames() { echo "$1.${cfg.network} $1"; } - generate - ;; - *) - echo '""' - ;; - esac > $out - ''); - - - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${hosts} $out/hosts - - cat > $out/tinc.conf < $out/tinc-up < Date: Fri, 24 Jul 2015 11:35:24 +0200 Subject: [PATCH 09/48] remove kheurop from defaults (dead node) --- 3modules/tv/retiolum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix index e8a1f6c2b..adc056a90 100644 --- a/3modules/tv/retiolum.nix +++ b/3modules/tv/retiolum.nix @@ -81,7 +81,7 @@ let connectTo = mkOption { type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "kheurop" ]; + default = [ "fastpoke" "pigstarter" "gum" ]; description = '' The list of hosts in the network which the client will try to connect to. These hosts should have an 'Address' configured which points to a From 734ec4ae00c93d48297b7c3ee226ef890187bfa3 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:50:23 +0200 Subject: [PATCH 10/48] 3 {tv -> krebs}.nginx --- 1systems/tv/cd.nix | 10 +++++----- 1systems/tv/nomic.nix | 4 ++-- 1systems/tv/wu.nix | 4 ++-- 3modules/{tv => krebs}/nginx.nix | 7 ++++--- 3modules/tv/git.nix | 5 +++-- 5 files changed, 16 insertions(+), 14 deletions(-) rename 3modules/{tv => krebs}/nginx.nix (91%) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index d3cae6f4a..407fc25cf 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -57,19 +57,19 @@ in { imports = [ ../../3modules/tv/iptables.nix - ../../3modules/tv/nginx.nix + ../../3modules/krebs/nginx.nix ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; - tv.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; + krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; } { # TODO make public_html also available to cd, cd.retiolum (AKA default) imports = [ ../../3modules/tv/iptables.nix - ../../3modules/tv/nginx.nix + ../../3modules/krebs/nginx.nix ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; - tv.nginx.servers.public_html = { + krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' alias /home/$1/public_html$2; @@ -77,7 +77,7 @@ in }; } { - tv.nginx.servers.viljetic = { + krebs.nginx.servers.viljetic = { server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) locations = singleton (nameValuePair "/" '' diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 6f984c44d..8e6812e43 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -26,8 +26,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/nginx.nix ]; - tv.nginx = { + imports = [ ../../3modules/krebs/nginx.nix ]; + krebs.nginx = { enable = true; servers.default.locations = [ (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 76bb43eca..7a12bc571 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -134,8 +134,8 @@ in }; } { - imports = [ ../../3modules/tv/nginx.nix ]; - tv.nginx = { + imports = [ ../../3modules/krebs/nginx.nix ]; + krebs.nginx = { enable = true; servers.default.locations = [ (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' diff --git a/3modules/tv/nginx.nix b/3modules/krebs/nginx.nix similarity index 91% rename from 3modules/tv/nginx.nix rename to 3modules/krebs/nginx.nix index a58c49520..702e8a7f6 100644 --- a/3modules/tv/nginx.nix +++ b/3modules/krebs/nginx.nix @@ -3,21 +3,22 @@ with builtins; with lib; let - cfg = config.tv.nginx; + cfg = config.krebs.nginx; out = { - options.tv.nginx = api; + options.krebs.nginx = api; config = mkIf cfg.enable imp; }; api = { - enable = mkEnableOption "tv.nginx"; + enable = mkEnableOption "krebs.nginx"; servers = mkOption { type = with types; attrsOf optionSet; options = singleton { server-names = mkOption { type = with types; listOf str; + # TODO use identity default = [ "${config.networking.hostName}" "${config.networking.hostName}.retiolum" diff --git a/3modules/tv/git.nix b/3modules/tv/git.nix index 8c73d0354..ea014e2a7 100644 --- a/3modules/tv/git.nix +++ b/3modules/tv/git.nix @@ -12,8 +12,9 @@ let cfg = config.tv.git; out = { + # TODO don't import krebs.nginx here imports = [ - ../../3modules/tv/nginx.nix + ../../3modules/krebs/nginx.nix ]; options.tv.git = api; config = mkIf cfg.enable (mkMerge [ @@ -210,7 +211,7 @@ let chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit ''; - tv.nginx = { + krebs.nginx = { enable = true; servers.cgit = { server-names = [ From 5f63c4071c7b1680e75671c0acede8a9bce4b14c Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:44:49 +0200 Subject: [PATCH 11/48] 3: {tv -> krebs}.git --- 2configs/tv/git-public.nix | 4 ++-- 3modules/{tv => krebs}/git.nix | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) rename 3modules/{tv => krebs}/git.nix (99%) diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index 7222f99eb..7f2b51308 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -3,8 +3,8 @@ with import ../../4lib/tv { inherit lib pkgs; }; let out = { - imports = [ ../../3modules/tv/git.nix ]; - tv.git = { + imports = [ ../../3modules/krebs/git.nix ]; + krebs.git = { enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; root-desc = "keep calm and engage"; diff --git a/3modules/tv/git.nix b/3modules/krebs/git.nix similarity index 99% rename from 3modules/tv/git.nix rename to 3modules/krebs/git.nix index ea014e2a7..3c3e93426 100644 --- a/3modules/tv/git.nix +++ b/3modules/krebs/git.nix @@ -9,14 +9,14 @@ with builtins; with lib; let - cfg = config.tv.git; + cfg = config.krebs.git; out = { # TODO don't import krebs.nginx here imports = [ ../../3modules/krebs/nginx.nix ]; - options.tv.git = api; + options.krebs.git = api; config = mkIf cfg.enable (mkMerge [ (mkIf cfg.cgit cgit-imp) git-imp @@ -24,7 +24,7 @@ let }; api = { - enable = mkEnableOption "tv.git"; + enable = mkEnableOption "krebs.git"; cgit = mkOption { type = types.bool; From b6987329fe6dca5aca96fc651f06867c26dbf236 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:55:16 +0200 Subject: [PATCH 12/48] 3: {tv -> krebs}.urlwatch --- 1systems/tv/wu.nix | 4 ++-- 3modules/{tv => krebs}/urlwatch.nix | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) rename 3modules/{tv => krebs}/urlwatch.nix (96%) diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 7a12bc571..1d7bbe55b 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -156,8 +156,8 @@ in }; } { - imports = [ ../../3modules/tv/urlwatch.nix ]; - tv.urlwatch = { + imports = [ ../../3modules/krebs/urlwatch.nix ]; + krebs.urlwatch = { enable = true; mailto = "tv@wu.retiolum"; # TODO onCalendar = "*-*-* 05:00:00"; diff --git a/3modules/tv/urlwatch.nix b/3modules/krebs/urlwatch.nix similarity index 96% rename from 3modules/tv/urlwatch.nix rename to 3modules/krebs/urlwatch.nix index a659fc74f..58de72fc6 100644 --- a/3modules/tv/urlwatch.nix +++ b/3modules/krebs/urlwatch.nix @@ -8,16 +8,16 @@ with builtins; with lib; let - cfg = config.tv.urlwatch; + cfg = config.krebs.urlwatch; # TODO assert sendmail's existence out = { - options.tv.urlwatch = api; + options.krebs.urlwatch = api; config = mkIf cfg.enable imp; }; api = { - enable = mkEnableOption "tv.urlwatch"; + enable = mkEnableOption "krebs.urlwatch"; dataDir = mkOption { type = types.str; From e3b72bb66e7c6bf410c8db81ff04e355a7b22116 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:03:51 +0200 Subject: [PATCH 13/48] 3: {tv -> krebs}.github-hosts-sync --- 1systems/tv/cd.nix | 6 +++--- 3modules/{tv => krebs}/github-hosts-sync.nix | 8 ++++---- Zpkgs/krebs/default.nix | 11 +++++++++++ Zpkgs/{tv => krebs}/github-hosts-sync.nix | 0 Zpkgs/{tv => krebs}/github-known_hosts.nix | 0 Zpkgs/tv/default.nix | 2 -- 6 files changed, 18 insertions(+), 9 deletions(-) rename 3modules/{tv => krebs}/github-hosts-sync.nix (91%) create mode 100644 Zpkgs/krebs/default.nix rename Zpkgs/{tv => krebs}/github-hosts-sync.nix (100%) rename Zpkgs/{tv => krebs}/github-known_hosts.nix (100%) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 407fc25cf..463d643a6 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -29,10 +29,10 @@ in }; } { - imports = [ ../../3modules/tv/github-hosts-sync.nix ]; - tv.github-hosts-sync.enable = true; + imports = [ ../../3modules/krebs/github-hosts-sync.nix ]; + krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = - singleton config.tv.github-hosts-sync.port; + singleton config.krebs.github-hosts-sync.port; } { imports = [ ../../2configs/tv/identity.nix ]; diff --git a/3modules/tv/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix similarity index 91% rename from 3modules/tv/github-hosts-sync.nix rename to 3modules/krebs/github-hosts-sync.nix index f50bf2b1b..c3b56ef94 100644 --- a/3modules/tv/github-hosts-sync.nix +++ b/3modules/krebs/github-hosts-sync.nix @@ -3,15 +3,15 @@ with builtins; with lib; let - cfg = config.tv.github-hosts-sync; + cfg = config.krebs.github-hosts-sync; out = { - options.tv.github-hosts-sync = api; + options.krebs.github-hosts-sync = api; config = mkIf cfg.enable imp; }; api = { - enable = mkEnableOption "tv.github-hosts-sync"; + enable = mkEnableOption "krebs.github-hosts-sync"; port = mkOption { type = types.int; # TODO port type default = 1028; @@ -78,6 +78,6 @@ let uid = 3220554646; # genid github-hosts-sync }; - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; + Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; in out diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix new file mode 100644 index 000000000..be8f72011 --- /dev/null +++ b/Zpkgs/krebs/default.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: + +let + inherit (pkgs) callPackage; +in + +pkgs // +{ + github-hosts-sync = callPackage ./github-hosts-sync.nix {}; + github-known_hosts = callPackage ./github-known_hosts.nix {}; +} diff --git a/Zpkgs/tv/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix similarity index 100% rename from Zpkgs/tv/github-hosts-sync.nix rename to Zpkgs/krebs/github-hosts-sync.nix diff --git a/Zpkgs/tv/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix similarity index 100% rename from Zpkgs/tv/github-known_hosts.nix rename to Zpkgs/krebs/github-known_hosts.nix diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix index fa9fff84c..e3e12bd18 100644 --- a/Zpkgs/tv/default.nix +++ b/Zpkgs/tv/default.nix @@ -9,8 +9,6 @@ pkgs // charybdis = callPackage ./charybdis {}; dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; - github-hosts-sync = callPackage ./github-hosts-sync.nix {}; - github-known_hosts = callPackage ./github-known_hosts.nix {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; viljetic-pages = callPackage ./viljetic-pages {}; From ee52522cc139670c3eeaeeb462dff98ea870d2e4 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:23:52 +0200 Subject: [PATCH 14/48] 4: {tv -> krebs}.types --- 4lib/krebs/default.nix | 7 ++++ 4lib/krebs/types.nix | 81 +++++++++++++++++++++++++++++++++++++++ 4lib/tv/default.nix | 87 +++--------------------------------------- 3 files changed, 94 insertions(+), 81 deletions(-) create mode 100644 4lib/krebs/default.nix create mode 100644 4lib/krebs/types.nix diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix new file mode 100644 index 000000000..38c2a97d6 --- /dev/null +++ b/4lib/krebs/default.nix @@ -0,0 +1,7 @@ +{ lib, ... }: + +builtins // lib // { + + types = import ./types.nix { inherit lib; }; + +} diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix new file mode 100644 index 000000000..38ed8a916 --- /dev/null +++ b/4lib/krebs/types.nix @@ -0,0 +1,81 @@ +{ lib, ... }: + +with lib; +with types; + +types // rec { + + host = submodule { + options = { + name = mkOption { + type = label; + }; + dc = mkOption { + type = label; + }; + cores = mkOption { + type = positive; + }; + nets = mkOption { + type = attrsOf net; + apply = x: assert hasAttr "retiolum" x; x; + }; + }; + }; + + net = submodule ({ config, ... }: { + options = { + via = mkOption { + type = nullOr net; + default = null; + }; + addrs = mkOption { + type = listOf addr; + apply = _: config.addrs4 ++ config.addrs6; + }; + addrs4 = mkOption { + type = listOf addr4; + default = []; + }; + addrs6 = mkOption { + type = listOf addr6; + default = []; + }; + aliases = mkOption { + # TODO nonEmptyListOf hostname + type = listOf hostname; + }; + tinc = mkOption { + type = let net-config = config; in submodule ({ config, ... }: { + options = { + config = mkOption { + type = str; + apply = _: '' + ${optionalString (net-config.via != null) + (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)} + ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs} + ${config.pubkey} + ''; + }; + pubkey = mkOption { + type = str; + }; + }; + }); + }; + }; + }); + + positive = mkOptionType { + name = "positive integer"; + check = x: isInt x && x > 0; + merge = mergeOneOption; + }; + + # TODO + addr = str; + addr4 = str; + addr6 = str; + hostname = str; + label = str; +} diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix index 092a9626c..267a858d2 100644 --- a/4lib/tv/default.nix +++ b/4lib/tv/default.nix @@ -1,9 +1,12 @@ { lib, pkgs, ... }: -with builtins; -with lib; +let + krebs = import ../../4lib/krebs { inherit lib; }; +in -builtins // lib // rec { +with krebs; + +krebs // rec { git = import ./git.nix { lib = lib // { @@ -53,82 +56,4 @@ builtins // lib // rec { if isSafeChar c then c else if c == "\n" then "'\n'" else "\\${c}"); - - types = lib.types // (with lib.types; rec { - - host = submodule { - options = { - name = mkOption { - type = label; - }; - dc = mkOption { - type = label; - }; - cores = mkOption { - type = positive; - }; - nets = mkOption { - type = attrsOf net; - apply = x: assert hasAttr "retiolum" x; x; - }; - }; - }; - - net = submodule ({ config, ... }: { - options = { - via = mkOption { - type = nullOr net; - default = null; - }; - addrs = mkOption { - type = listOf addr; - apply = _: config.addrs4 ++ config.addrs6; - }; - addrs4 = mkOption { - type = listOf addr4; - default = []; - }; - addrs6 = mkOption { - type = listOf addr6; - default = []; - }; - aliases = mkOption { - # TODO nonEmptyListOf hostname - type = listOf hostname; - }; - tinc = mkOption { - type = let net-config = config; in submodule ({ config, ... }: { - options = { - config = mkOption { - type = str; - apply = _: '' - ${optionalString (net-config.via != null) - (concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)} - ${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs} - ${config.pubkey} - ''; - }; - pubkey = mkOption { - type = str; - }; - }; - }); - }; - }; - }); - - positive = mkOptionType { - name = "positive integer"; - check = x: isInt x && x > 0; - merge = mergeOneOption; - }; - - # TODO - addr = str; - addr4 = str; - addr6 = str; - hostname = str; - label = str; - }); - } From e082da2c23ebff82717df11d266ecfd22a70db56 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:34:25 +0200 Subject: [PATCH 15/48] 3 tv retiolum: RIP --- 1systems/tv/cd.nix | 4 ++-- 1systems/tv/mkdir.nix | 4 ++-- 1systems/tv/nomic.nix | 4 ++-- 1systems/tv/rmdir.nix | 4 ++-- 1systems/tv/wu.nix | 4 ++-- 2configs/tv/exim-retiolum.nix | 4 ++-- 3modules/tv/retiolum.nix | 29 ----------------------------- 7 files changed, 12 insertions(+), 41 deletions(-) delete mode 100644 3modules/tv/retiolum.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 463d643a6..2f8cf8197 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -86,8 +86,8 @@ in }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index e0e057d63..05d76c4cb 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -29,8 +29,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 8e6812e43..bae12d364 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -37,8 +37,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index b77a1c39e..2cf9668c8 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -29,8 +29,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 1d7bbe55b..c5678a193 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -145,8 +145,8 @@ in }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix index efab5cf32..851a0c625 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/2configs/tv/exim-retiolum.nix @@ -4,9 +4,9 @@ services.exim = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert config.tv.retiolum.enable; + assert config.krebs.retiolum.enable; let - # TODO get the hostname from config.tv.retiolum. + # TODO get the hostname from config.krebs.retiolum. retiolumHostname = "${config.networking.hostName}.retiolum"; in { enable = true; diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix deleted file mode 100644 index d00377446..000000000 --- a/3modules/tv/retiolum.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.tv.retiolum; - - out = { - imports = [ ../../3modules/krebs/retiolum.nix ]; - options.tv.retiolum = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.retiolum"; - - connectTo = mkOption { - type = with types; listOf str; - }; - - hosts = mkOption { - type = types.path; - }; - }; - - imp = { - krebs.retiolum = cfg; - }; - -in out From faf5f6c172d6a6915e18cdec85e3543051eb0449 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:41:41 +0200 Subject: [PATCH 16/48] krebs.retiolum: define type of hosts --- 1systems/tv/cd.nix | 1 - 1systems/tv/mkdir.nix | 1 - 1systems/tv/nomic.nix | 1 - 1systems/tv/rmdir.nix | 1 - 1systems/tv/wu.nix | 1 - 3modules/krebs/retiolum.nix | 40 +++++++++++++++++-------------------- 6 files changed, 18 insertions(+), 27 deletions(-) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 2f8cf8197..bf556e017 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -89,7 +89,6 @@ in imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "fastpoke" "pigstarter" diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 05d76c4cb..823f04430 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -32,7 +32,6 @@ with lib; imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "cd" "fastpoke" diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index bae12d364..ef4a5ca34 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -40,7 +40,6 @@ with lib; imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 2cf9668c8..f15c7902b 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -32,7 +32,6 @@ with lib; imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "cd" "mkdir" diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index c5678a193..0b5b8289b 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -148,7 +148,6 @@ in imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix index 447592eef..1406f2fc4 100644 --- a/3modules/krebs/retiolum.nix +++ b/3modules/krebs/retiolum.nix @@ -57,9 +57,9 @@ let }; hosts = mkOption { - default = null; + type = with types; either package path; + default = ../../Zhosts; description = '' - Hosts package or path to use. If a path is given, then it will be used to generate an ad-hoc package. ''; }; @@ -127,24 +127,20 @@ let }; tinc = cfg.tincPackage; - hostsType = builtins.typeOf cfg.hosts; - hosts = - if hostsType == "package" then - # use package as is - cfg.hosts - else if hostsType == "path" then - # use path to generate a package - pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out - ''; - } - else - abort "The option `services.retiolum.hosts' must be set to a package or a path" - ; + + hosts = getAttr (typeOf cfg.hosts) { + package = cfg.hosts; + path = pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . -name .git -prune -o -type f -print0 \ + | xargs -0 cp --target-directory $out + ''; + }; + }; + iproute = cfg.iproutePackage; retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" @@ -222,5 +218,5 @@ let chmod +x $out/tinc-up ''; -in -out + +in out From c63c87311d9cc533aaf3a5a6e59d8bc1aea9067b Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 14:06:48 +0200 Subject: [PATCH 17/48] krebs/retiolum.nix: add doc for secretKeyFile --- 3modules/krebs/retiolum.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix index 447592eef..e9b1244e1 100644 --- a/3modules/krebs/retiolum.nix +++ b/3modules/krebs/retiolum.nix @@ -76,7 +76,11 @@ let # bad unsafe permissions... type = types.str; default = "/root/src/secrets/retiolum.rsa_key.priv"; - description = "Generate file with tincd -K."; + description = '' + Generate file with tincd -K. + This file must exist on the local system. The default points to + . + ''; }; connectTo = mkOption { From 4826257ea3c239d77a58934d34bb02505426e39f Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 14:07:39 +0200 Subject: [PATCH 18/48] krebs/retiolum.nix: remove kheurop from default list for connectTo kheurop is a dead host for a long time now --- 3modules/krebs/retiolum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix index e9b1244e1..5c26dff18 100644 --- a/3modules/krebs/retiolum.nix +++ b/3modules/krebs/retiolum.nix @@ -85,7 +85,7 @@ let connectTo = mkOption { type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "kheurop" ]; + default = [ "fastpoke" "pigstarter" "gum" ]; description = '' The list of hosts in the network which the client will try to connect to. These hosts should have an 'Address' configured which points to a From f1ebbc73395e733e222b7f51e3fb554579ec1916 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 17:34:08 +0200 Subject: [PATCH 19/48] autoimport 3*/{krebs,$(LOGNAME)} --- 1systems/tv/cd.nix | 12 ------------ 1systems/tv/mkdir.nix | 2 -- 1systems/tv/nomic.nix | 3 --- 1systems/tv/rmdir.nix | 2 -- 1systems/tv/wu.nix | 6 +----- 2configs/tv/consul-server.nix | 1 - 2configs/tv/git-public.nix | 1 - 2configs/tv/identity.nix | 1 - 3modules/krebs/default.nix | 11 +++++++++++ 3modules/tv/consul.nix | 1 - 3modules/tv/default.nix | 10 ++++++++++ Makefile | 27 ++++++++++++++++----------- default.nix | 20 ++++++++++++++++++++ 13 files changed, 58 insertions(+), 39 deletions(-) create mode 100644 3modules/krebs/default.nix create mode 100644 3modules/tv/default.nix create mode 100644 default.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index bf556e017..b15b1897e 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -22,14 +22,12 @@ in }; } { - imports = [ ../../3modules/tv/ejabberd.nix ]; tv.ejabberd = { enable = true; hosts = [ "jabber.viljetic.de" ]; }; } { - imports = [ ../../3modules/krebs/github-hosts-sync.nix ]; krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = singleton config.krebs.github-hosts-sync.port; @@ -39,7 +37,6 @@ in tv.identity.self = config.tv.identity.hosts.cd; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -55,19 +52,11 @@ in }; } { - imports = [ - ../../3modules/tv/iptables.nix - ../../3modules/krebs/nginx.nix - ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; } { # TODO make public_html also available to cd, cd.retiolum (AKA default) - imports = [ - ../../3modules/tv/iptables.nix - ../../3modules/krebs/nginx.nix - ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; @@ -86,7 +75,6 @@ in }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 823f04430..03d0c00f1 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -15,7 +15,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.mkdir; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -29,7 +28,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index ef4a5ca34..367502eed 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -14,7 +14,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.nomic; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -26,7 +25,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/nginx.nix ]; krebs.nginx = { enable = true; servers.default.locations = [ @@ -37,7 +35,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index f15c7902b..497354e68 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -15,7 +15,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.rmdir; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -29,7 +28,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 0b5b8289b..8470a4f23 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -24,7 +24,7 @@ in { environment.systemPackages = with pkgs; [ - # shitment + # stockholm git gnumake parallel @@ -122,7 +122,6 @@ in ]; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -134,7 +133,6 @@ in }; } { - imports = [ ../../3modules/krebs/nginx.nix ]; krebs.nginx = { enable = true; servers.default.locations = [ @@ -145,7 +143,6 @@ in }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ @@ -155,7 +152,6 @@ in }; } { - imports = [ ../../3modules/krebs/urlwatch.nix ]; krebs.urlwatch = { enable = true; mailto = "tv@wu.retiolum"; # TODO diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 1c8dcb884..5d3fd5579 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/consul.nix ]; tv.consul = rec { enable = true; diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index 7f2b51308..1bf44e0fc 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -3,7 +3,6 @@ with import ../../4lib/tv { inherit lib pkgs; }; let out = { - imports = [ ../../3modules/krebs/git.nix ]; krebs.git = { enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 44208c956..bcfdc290d 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { enable = true; search = "retiolum"; diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix new file mode 100644 index 000000000..fe94e09b3 --- /dev/null +++ b/3modules/krebs/default.nix @@ -0,0 +1,11 @@ +_: + +{ + imports = [ + ./github-hosts-sync.nix + ./git.nix + ./nginx.nix + ./retiolum.nix + ./urlwatch.nix + ]; +} diff --git a/3modules/tv/consul.nix b/3modules/tv/consul.nix index 312faa02f..4e54c2ab0 100644 --- a/3modules/tv/consul.nix +++ b/3modules/tv/consul.nix @@ -10,7 +10,6 @@ let cfg = config.tv.consul; out = { - imports = [ ../../3modules/tv/iptables.nix ]; options.tv.consul = api; config = mkIf cfg.enable (mkMerge [ imp diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix new file mode 100644 index 000000000..e267d0b9f --- /dev/null +++ b/3modules/tv/default.nix @@ -0,0 +1,10 @@ +_: + +{ + imports = [ + ./consul.nix + ./ejabberd.nix + ./identity.nix + ./iptables.nix + ]; +} diff --git a/Makefile b/Makefile index da234677b..6d075e6f2 100644 --- a/Makefile +++ b/Makefile @@ -41,13 +41,14 @@ deploy:;@ "$$src/" "$$deploy_host:$$dst" )} - prepush /root/src/shitment "$$PWD" + prepush /root/src/stockholm "$$PWD" prepush /root/src/secrets "$$secrets_dir" ssh -S none "$$deploy_host" -T env \ nixpkgs_url="$$nixpkgs_url" \ nixpkgs_rev="$$nixpkgs_rev" \ system_name="$$system_name" \ + user_name="$$LOGNAME" \ sh -euf \ <<-\EOF prefetch(){( @@ -77,26 +78,30 @@ deploy:;@ prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" echo build system... - NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \ - NIX_PATH=src \ - nix-build -Q -A system '' + NIX_PATH=/root/src \ + nix-build \ + -Q \ + -A system \ + '' \ + --argstr user-name "$$user_name" \ + --argstr system-name "$$system_name" result/bin/switch-to-configuration switch EOF .PHONY: eval eval: - @nix-instantiate \ + @ + NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ + nix-instantiate \ --json \ --eval \ --strict \ -A "$$get" \ - -E ' - import { - system = builtins.currentSystem; - modules = [ ./1systems/$(LOGNAME)/$(system).nix ]; - } - ' | jq -r . + '' \ + --argstr user-name "$$LOGNAME" \ + --argstr system-name "$$system" \ + | jq -r . else $(error unbound variable: system[s]) endif diff --git a/default.nix b/default.nix new file mode 100644 index 000000000..2deb7539a --- /dev/null +++ b/default.nix @@ -0,0 +1,20 @@ +{ user-name, system-name }: + +let + + eval = import { + system = builtins.currentSystem; + modules = [ + (./1systems + "/${user-name}/${system-name}.nix") + (./3modules/krebs) + (./3modules + "/${user-name}") + ]; + }; + +in + +{ + inherit (eval) config options; + + system = eval.config.system.build.toplevel; +} From f10523afd37c07a3c3cec55f68a100c176b5b20f Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 18:36:16 +0200 Subject: [PATCH 20/48] 4 krebs.types.host: add option: secure --- 4lib/krebs/types.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix index 38ed8a916..9d02c779f 100644 --- a/4lib/krebs/types.nix +++ b/4lib/krebs/types.nix @@ -20,6 +20,15 @@ types // rec { type = attrsOf net; apply = x: assert hasAttr "retiolum" x; x; }; + secure = mkOption { + type = bool; + default = false; + description = '' + If true, then the host is capable of keeping secret information. + + TODO define minimum requirements for secure hosts + ''; + }; }; }; From f4309272e2531a136a40d2332d1bfecec16d9a91 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 18:37:30 +0200 Subject: [PATCH 21/48] 2 tv identity: {nomic,wu}.secure = true --- 2configs/tv/identity.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index bcfdc290d..379d02e45 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -98,6 +98,7 @@ ''; }; }; + secure = true; }; rmdir = { cores = 1; @@ -153,6 +154,7 @@ ''; }; }; + secure = true; }; }; }; From 54becaa19fcbc11ac709ddaf86e56ee3b736931d Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 19:33:20 +0200 Subject: [PATCH 22/48] tv git: add restricted repos --- 1systems/tv/cd.nix | 2 +- 1systems/tv/mkdir.nix | 2 +- 1systems/tv/nomic.nix | 2 +- 1systems/tv/rmdir.nix | 2 +- 1systems/tv/wu.nix | 3 +-- 2configs/tv/{git-public.nix => git.nix} | 26 ++++++++++++++++++++++++- 6 files changed, 30 insertions(+), 7 deletions(-) rename 2configs/tv/{git-public.nix => git.nix} (73%) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index b15b1897e..d30e7ed8f 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -13,7 +13,7 @@ in ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/charybdis.nix ]; tv.charybdis = { diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 03d0c00f1..3e5fb7286 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -9,7 +9,7 @@ with lib; ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; tv.identity.self = config.tv.identity.hosts.mkdir; diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 367502eed..2d32d9e1f 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -8,7 +8,7 @@ with lib; ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; tv.identity.self = config.tv.identity.hosts.nomic; diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 497354e68..c470086ce 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -9,7 +9,7 @@ with lib; ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix - ../../2configs/tv/git-public.nix + ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; tv.identity.self = config.tv.identity.hosts.rmdir; diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 8470a4f23..234b80559 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -12,8 +12,7 @@ in ../../2configs/tv/base.nix ../../2configs/tv/consul-client.nix ../../2configs/tv/exim-retiolum.nix - ../../2configs/tv/git-public.nix - # TODO git-private.nix + ../../2configs/tv/git.nix ../../2configs/tv/mail-client.nix ../../2configs/tv/xserver.nix ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled diff --git a/2configs/tv/git-public.nix b/2configs/tv/git.nix similarity index 73% rename from 2configs/tv/git-public.nix rename to 2configs/tv/git.nix index 1bf44e0fc..ac1c413c4 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git.nix @@ -11,7 +11,11 @@ let }; }; - repos = public-repos; + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.tv.identity.self.secure restricted-repos + ); + rules = concatMap make-rules (attrValues repos); public-repos = mapAttrs make-public-repo { @@ -36,6 +40,15 @@ let xintmap = {}; }; + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with users; [ lass makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs users; } + ); + # TODO move users to separate module users = mapAttrs make-user { tv = ../../Zpubkeys/tv_wu.ssh.pub; @@ -57,6 +70,12 @@ let }; }; + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + hooks = {}; # TODO default + }; + make-rules = with git // users; repo: @@ -69,6 +88,11 @@ let user = [ lass makefu uriel ]; repo = [ repo ]; perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; }; make-user = name: pubkey-file: { From a62be1cef8726a2afa61df3dac9e19a71882b370 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 20:48:00 +0200 Subject: [PATCH 23/48] {2 tv git -> 3 krebs}.users --- 2configs/tv/git.nix | 22 ++++------------ 3modules/krebs/default.nix | 52 ++++++++++++++++++++++++++++++-------- 3modules/krebs/git.nix | 11 +++----- 4lib/krebs/default.nix | 10 +++++++- 4lib/krebs/types.nix | 11 ++++++++ 4lib/tv/default.nix | 7 ----- 6 files changed, 71 insertions(+), 42 deletions(-) diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix index ac1c413c4..b7f9983a1 100644 --- a/2configs/tv/git.nix +++ b/2configs/tv/git.nix @@ -1,4 +1,5 @@ { config, lib, pkgs, ... }: + with import ../../4lib/tv { inherit lib pkgs; }; let @@ -7,7 +8,7 @@ let enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; root-desc = "keep calm and engage"; - inherit repos rules users; + inherit repos rules; }; }; @@ -43,20 +44,12 @@ let restricted-repos = mapAttrs make-restricted-repo ( { brain = { - collaborators = with users; [ lass makefu ]; + collaborators = with config.krebs.users; [ lass makefu ]; }; } // - import /root/src/secrets/repos.nix { inherit config lib pkgs users; } + import /root/src/secrets/repos.nix { inherit config lib pkgs; } ); - # TODO move users to separate module - users = mapAttrs make-user { - tv = ../../Zpubkeys/tv_wu.ssh.pub; - lass = ../../Zpubkeys/lass.ssh.pub; - uriel = ../../Zpubkeys/uriel.ssh.pub; - makefu = ../../Zpubkeys/makefu.ssh.pub; - }; - make-public-repo = name: { desc ? null, ... }: { inherit name desc; public = true; @@ -77,7 +70,7 @@ let }; make-rules = - with git // users; + with git // config.krebs.users; repo: singleton { user = tv; @@ -95,9 +88,4 @@ let perm = fetch; }; - make-user = name: pubkey-file: { - inherit name; - pubkey = readFile pubkey-file; - }; - in out diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index fe94e09b3..b8722d18f 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -1,11 +1,43 @@ -_: +{ config, lib, ... }: -{ - imports = [ - ./github-hosts-sync.nix - ./git.nix - ./nginx.nix - ./retiolum.nix - ./urlwatch.nix - ]; -} +with import ../../4lib/krebs { inherit lib; }; +let + cfg = config.krebs; + + out = { + imports = [ + ./github-hosts-sync.nix + ./git.nix + ./nginx.nix + ./retiolum.nix + ./urlwatch.nix + ]; + options.krebs = api; + config = mkIf cfg.enable imp; + }; + + api = { + users = mkOption { + type = with types; attrsOf user; + default = addNames { + lass = { + pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + }; + makefu = { + pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + }; + tv = { + pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; + }; + uriel = { + pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + }; + }; + }; + }; + + imp = { + }; + +in +out diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix index 3c3e93426..be6619b4b 100644 --- a/3modules/krebs/git.nix +++ b/3modules/krebs/git.nix @@ -6,8 +6,7 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with builtins; -with lib; +with import ../../4lib/krebs { inherit lib; }; let cfg = config.krebs.git; @@ -119,9 +118,6 @@ let rules = mkOption { type = types.unspecified; }; - users = mkOption { - type = types.unspecified; - }; }; git-imp = { @@ -149,7 +145,8 @@ let name = "git"; shell = "/bin/sh"; openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; + mapAttrsToList (_: makeAuthorizedKey git-ssh-command) + config.krebs.users; uid = 129318403; # genid git }; }; @@ -255,7 +252,7 @@ let isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix - makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: + makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }: # TODO assert name # TODO assert pubkey let diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix index 38c2a97d6..0c59076b6 100644 --- a/4lib/krebs/default.nix +++ b/4lib/krebs/default.nix @@ -1,6 +1,14 @@ { lib, ... }: -builtins // lib // { +with builtins; +with lib; + +builtins // lib // rec { + + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; types = import ./types.nix { inherit lib; }; diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix index 9d02c779f..ca92c6900 100644 --- a/4lib/krebs/types.nix +++ b/4lib/krebs/types.nix @@ -81,6 +81,17 @@ types // rec { merge = mergeOneOption; }; + user = submodule { + options = { + name = mkOption { + type = str; # TODO + }; + pubkey = mkOption { + type = str; + }; + }; + }; + # TODO addr = str; addr4 = str; diff --git a/4lib/tv/default.nix b/4lib/tv/default.nix index 267a858d2..16888c214 100644 --- a/4lib/tv/default.nix +++ b/4lib/tv/default.nix @@ -15,16 +15,9 @@ krebs // rec { inherit pkgs; }; - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - # "7.4.335" -> "74" majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - concat = xs : if xs == [] then "" From 7d71db1eb0ce36f8be914f53412615eba0090747 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 21:04:18 +0200 Subject: [PATCH 24/48] add git.nix docs, add pnp --- 3modules/krebs/git.nix | 10 +++++++++- Zhosts/pnp | 11 +++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 Zhosts/pnp diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix index 3c3e93426..2d747cc1a 100644 --- a/3modules/krebs/git.nix +++ b/3modules/krebs/git.nix @@ -29,7 +29,15 @@ let cgit = mkOption { type = types.bool; default = true; - description = "Enable cgit."; # TODO better desc; talk about nginx + description = '' + Enable cgit. + Cgit is an attempt to create a fast web interface for the git version + control system, using a built in cache to decrease pressure on the + git server. + cgit in this module is being served via fastcgi nginx.This module + deploys a http://cgit. nginx configuration and enables nginx + if not yet enabled. + ''; }; dataDir = mkOption { type = types.str; diff --git a/Zhosts/pnp b/Zhosts/pnp new file mode 100644 index 000000000..66c99f24d --- /dev/null +++ b/Zhosts/pnp @@ -0,0 +1,11 @@ +Subnet = 10.243.0.210 +Subnet = 42:f9f1:0000:0000:0000:0000:0000:0001 + +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g +Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V +pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR +SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T +TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr +Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB +-----END RSA PUBLIC KEY----- From 62ad5ff9d2bb41acdad20b68ee47c4a32ce928b6 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 21:15:18 +0200 Subject: [PATCH 25/48] { * tv identity -> 3 krebs}.hosts --- 1systems/tv/cd.nix | 2 +- 1systems/tv/mkdir.nix | 2 +- 1systems/tv/nomic.nix | 2 +- 1systems/tv/rmdir.nix | 2 +- 1systems/tv/wu.nix | 2 +- 2configs/tv/consul-server.nix | 2 +- 2configs/tv/identity.nix | 153 --------------------------------- 3modules/krebs/default.nix | 157 ++++++++++++++++++++++++++++++++++ 3modules/tv/identity.nix | 7 +- 9 files changed, 164 insertions(+), 165 deletions(-) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index d30e7ed8f..c0c41e96c 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -34,7 +34,7 @@ in } { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.cd; + tv.identity.self = config.krebs.hosts.cd; } { tv.iptables = { diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 3e5fb7286..113fc9596 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -12,7 +12,7 @@ with lib; ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.mkdir; + tv.identity.self = config.krebs.hosts.mkdir; } { tv.iptables = { diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 2d32d9e1f..fc58c1698 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -11,7 +11,7 @@ with lib; ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.nomic; + tv.identity.self = config.krebs.hosts.nomic; } { tv.iptables = { diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index c470086ce..15d624d1c 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -12,7 +12,7 @@ with lib; ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.rmdir; + tv.identity.self = config.krebs.hosts.rmdir; } { tv.iptables = { diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 234b80559..4a74d552f 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -18,7 +18,7 @@ in ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.wu; + tv.identity.self = config.krebs.hosts.wu; } { environment.systemPackages = with pkgs; [ diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 5d3fd5579..63dabdc2a 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -9,7 +9,7 @@ server = true; - hosts = with config.tv.identity.hosts; [ + hosts = with config.krebs.hosts; [ # TODO get this list automatically from each host where tv.consul.enable is true cd mkdir diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 379d02e45..481ac72a6 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -4,158 +4,5 @@ tv.identity = { enable = true; search = "retiolum"; - hosts = { - cd = { - cores = 2; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - }; }; } diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index b8722d18f..b60ce789a 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -17,6 +17,163 @@ let }; api = { + hosts = mkOption { + type = with types; attrsOf host; + default = addNames { + cd = { + cores = 2; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.219.7.216"]; + aliases = [ + "cd.internet" + "cd.viljetic.de" + "cgit.cd.viljetic.de" + "cd.krebsco.de" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.222"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; + aliases = [ + "cd.retiolum" + "cgit.cd.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ + rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 + e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN + sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v + CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 + PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V + LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk + DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW + ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK + jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 + Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mkdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.248.167.241"]; + aliases = [ + "mkdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.223"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; + aliases = [ + "mkdir.retiolum" + "cgit.mkdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ + dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev + voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF + 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ + Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 + 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + nomic = { + cores = 2; + dc = "tv"; #dc = "gg23"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.110"]; + addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; + aliases = [ + "nomic.retiolum" + "cgit.nomic.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ + qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw + Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu + 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a + OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA + Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + rmdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["167.88.44.94"]; + aliases = [ + "rmdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.224"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + aliases = [ + "rmdir.retiolum" + "cgit.rmdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf + i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM + Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz + hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF + 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH + SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + wu = { + cores = 4; + # TODO wu is mobile, so dc means "home data center" + dc = "tv"; #dc = "gg23"; + nets = { + retiolum = { + addrs4 = ["10.243.13.37"]; + addrs6 = ["42:0:0:0:0:0:0:1337"]; + aliases = [ + "wu.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn + M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg + GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT + KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 + 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik + AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + }; + }; + users = mkOption { type = with types; attrsOf user; default = addNames { diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix index 584b27165..9de432203 100644 --- a/3modules/tv/identity.nix +++ b/3modules/tv/identity.nix @@ -21,11 +21,6 @@ let # default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts; #}; - hosts = mkOption { - type = with types; attrsOf host; - apply = mapAttrs (name: value: value // { inherit name; }); - }; - search = mkOption { type = types.hostname; }; @@ -44,7 +39,7 @@ let in map (addr: "${addr} ${aliases}") net.addrs ) host.nets - ) cfg.hosts + ) config.krebs.hosts )); }; From b61f19e6edc0a583bf4cae45c62d75fce4ac910a Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 21:27:19 +0200 Subject: [PATCH 26/48] krebs.hosts: populate if enable, not via default --- 2configs/tv/base.nix | 2 + 3modules/krebs/default.nix | 350 +++++++++++++++++++------------------ 2 files changed, 184 insertions(+), 168 deletions(-) diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix index 0494ea08e..14d84c9f6 100644 --- a/2configs/tv/base.nix +++ b/2configs/tv/base.nix @@ -9,6 +9,8 @@ let in { + krebs.enable = true; + imports = [ { users.extraUsers = diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index b60ce789a..979cc35ad 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -13,187 +13,201 @@ let ./urlwatch.nix ]; options.krebs = api; - config = mkIf cfg.enable imp; + config = mkIf cfg.enable (mkMerge [ + imp + { krebs.hosts = lass-hosts; } + { krebs.hosts = makefu-hosts; } + { krebs.hosts = tv-hosts; } + ]); }; api = { + enable = mkEnableOption "krebs"; + hosts = mkOption { type = with types; attrsOf host; - default = addNames { - cd = { - cores = 2; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - }; }; users = mkOption { type = with types; attrsOf user; - default = addNames { - lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; - }; - makefu = { - pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; - }; - tv = { - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; - }; - uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; - }; - }; }; }; imp = { + krebs.users = addNames { + lass = { + pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + }; + makefu = { + pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + }; + tv = { + pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; + }; + uriel = { + pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + }; + }; + }; + + lass-hosts = addNames { + }; + + makefu-hosts = addNames { + }; + + tv-hosts = addNames { + cd = { + cores = 2; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.219.7.216"]; + aliases = [ + "cd.internet" + "cd.viljetic.de" + "cgit.cd.viljetic.de" + "cd.krebsco.de" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.222"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; + aliases = [ + "cd.retiolum" + "cgit.cd.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ + rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 + e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN + sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v + CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 + PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V + LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk + DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW + ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK + jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 + Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mkdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.248.167.241"]; + aliases = [ + "mkdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.223"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; + aliases = [ + "mkdir.retiolum" + "cgit.mkdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ + dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev + voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF + 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ + Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 + 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + nomic = { + cores = 2; + dc = "tv"; #dc = "gg23"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.110"]; + addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; + aliases = [ + "nomic.retiolum" + "cgit.nomic.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ + qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw + Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu + 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a + OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA + Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + rmdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["167.88.44.94"]; + aliases = [ + "rmdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.224"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + aliases = [ + "rmdir.retiolum" + "cgit.rmdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf + i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM + Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz + hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF + 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH + SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + wu = { + cores = 4; + # TODO wu is mobile, so dc means "home data center" + dc = "tv"; #dc = "gg23"; + nets = { + retiolum = { + addrs4 = ["10.243.13.37"]; + addrs6 = ["42:0:0:0:0:0:0:1337"]; + aliases = [ + "wu.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn + M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg + GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT + KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 + 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik + AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; }; in From 7e43b2cc3e7eb903f972003ea8cd21fad97ae9f5 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 21:35:36 +0200 Subject: [PATCH 27/48] krebs.users: populate if enable, not via default --- 3modules/krebs/default.nix | 39 ++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 979cc35ad..9aec879f9 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -14,10 +14,12 @@ let ]; options.krebs = api; config = mkIf cfg.enable (mkMerge [ - imp { krebs.hosts = lass-hosts; } { krebs.hosts = makefu-hosts; } { krebs.hosts = tv-hosts; } + { krebs.users = lass-users; } + { krebs.users = makefu-users; } + { krebs.users = tv-users; } ]); }; @@ -33,28 +35,24 @@ let }; }; - imp = { - krebs.users = addNames { - lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; - }; - makefu = { - pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; - }; - tv = { - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; - }; - uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; - }; + lass-hosts = addNames { + }; + lass-users = addNames { + lass = { + pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + }; + uriel = { + pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; }; - lass-hosts = addNames { - }; - makefu-hosts = addNames { }; + makefu-users = addNames { + makefu = { + pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + }; + }; tv-hosts = addNames { cd = { @@ -209,6 +207,11 @@ let secure = true; }; }; + tv-users = addNames { + tv = { + pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; + }; + }; in out From 85077a0cde6498d919c67a5f476cc25a068e06f6 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 21:38:41 +0200 Subject: [PATCH 28/48] 3 krebs: put imps into user namespaces --- 3modules/krebs/default.nix | 337 +++++++++++++++++++------------------ 1 file changed, 171 insertions(+), 166 deletions(-) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 9aec879f9..4da2d7fa2 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -13,14 +13,7 @@ let ./urlwatch.nix ]; options.krebs = api; - config = mkIf cfg.enable (mkMerge [ - { krebs.hosts = lass-hosts; } - { krebs.hosts = makefu-hosts; } - { krebs.hosts = tv-hosts; } - { krebs.users = lass-users; } - { krebs.users = makefu-users; } - { krebs.users = tv-users; } - ]); + config = mkIf cfg.enable imp; }; api = { @@ -35,181 +28,193 @@ let }; }; - lass-hosts = addNames { - }; - lass-users = addNames { - lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + imp = mkMerge [ + { krebs = lass-imp; } + { krebs = makefu-imp; } + { krebs = tv-imp; } + ]; + + lass-imp = { + hosts = addNames { }; - uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + users = addNames { + lass = { + pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + }; + uriel = { + pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + }; }; }; - makefu-hosts = addNames { - }; - makefu-users = addNames { - makefu = { - pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + makefu-imp = { + hosts = addNames { + }; + users = addNames { + makefu = { + pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + }; }; }; - tv-hosts = addNames { - cd = { - cores = 2; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; + tv-imp = { + hosts = addNames { + cd = { + cores = 2; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.219.7.216"]; + aliases = [ + "cd.internet" + "cd.viljetic.de" + "cgit.cd.viljetic.de" + "cd.krebsco.de" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.222"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; + aliases = [ + "cd.retiolum" + "cgit.cd.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ + rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 + e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN + sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v + CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 + PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V + LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk + DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW + ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK + jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 + Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; }; }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - ''; + mkdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.248.167.241"]; + aliases = [ + "mkdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.223"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; + aliases = [ + "mkdir.retiolum" + "cgit.mkdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ + dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev + voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF + 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ + Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 + 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; }; }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; + nomic = { + cores = 2; + dc = "tv"; #dc = "gg23"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.110"]; + addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; + aliases = [ + "nomic.retiolum" + "cgit.nomic.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ + qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw + Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu + 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a + OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA + Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + rmdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["167.88.44.94"]; + aliases = [ + "rmdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.224"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + aliases = [ + "rmdir.retiolum" + "cgit.rmdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf + i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM + Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz + hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF + 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH + SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; }; }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; + wu = { + cores = 4; + # TODO wu is mobile, so dc means "home data center" + dc = "tv"; #dc = "gg23"; + nets = { + retiolum = { + addrs4 = ["10.243.13.37"]; + addrs6 = ["42:0:0:0:0:0:0:1337"]; + aliases = [ + "wu.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn + M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg + GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT + KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 + 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik + AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; }; + secure = true; }; }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; + users = addNames { + tv = { + pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - secure = true; - }; - }; - tv-users = addNames { - tv = { - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; }; From 13cc704c60ce97a8d7404a3558ad925100fcc1a9 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 22:39:11 +0200 Subject: [PATCH 29/48] pnp provides cgit, update identity --- 1systems/makefu/pnp.nix | 20 ++++++++++-- 2configs/makefu/cgit-retiolum.nix | 52 +++++++++++++++++++++++++++++++ 3modules/krebs/default.nix | 26 +++++++++++++++- 3modules/makefu/default.nix | 19 +++++++++++ 4 files changed, 114 insertions(+), 3 deletions(-) create mode 100644 2configs/makefu/cgit-retiolum.nix create mode 100644 3modules/makefu/default.nix diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix index 51f5bb00c..f98cd5276 100644 --- a/1systems/makefu/pnp.nix +++ b/1systems/makefu/pnp.nix @@ -9,7 +9,10 @@ [ # Include the results of the hardware scan. ../../2configs/makefu/base.nix + ../../3modules/krebs/retiolum.nix + ../../2configs/makefu/cgit-retiolum.nix ]; + krebs.enable = true; boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.device = "/dev/vda"; @@ -20,19 +23,32 @@ hardware.enableAllFirmware = true; hardware.cpu.amd.updateMicrocode = true; + # networking.firewall is enabled by default + networking.firewall.allowedTCPPorts = [ 80 ]; + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + "fastpoke" + ]; + }; nix.maxJobs = 1; networking.hostName = "pnp"; # Define your hostname. # $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ + environment.systemPackages = with pkgs; [ wget git gnumake - ]; + jq + ]; } diff --git a/2configs/makefu/cgit-retiolum.nix b/2configs/makefu/cgit-retiolum.nix new file mode 100644 index 000000000..d5ad35fda --- /dev/null +++ b/2configs/makefu/cgit-retiolum.nix @@ -0,0 +1,52 @@ +{ config, lib, pkgs, ... }: +with import ../../4lib/tv { inherit lib pkgs; }; +let + + out = { + imports = [ ../../3modules/krebs/git.nix ]; + krebs.git = { + enable = true; + root-title = "public repositories "; + root-desc = "keep calm and enrage"; + inherit repos rules ; + }; + }; + + repos = public-repos; + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + }; + + # TODO move users to separate module + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = makefu; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ lass tv uriel ]; + repo = [ repo ]; + perm = fetch; + }; + +in out diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 4da2d7fa2..999e68da2 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -49,10 +49,34 @@ let makefu-imp = { hosts = addNames { + pnp = { + cores = 1; + dc = "makefu"; #vm on 'omo' + nets = { + retiolum = { + addrs4 = ["10.243.0.210"]; + addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"]; + aliases = [ + "pnp.retiolum" + "cgit.pnp.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g + Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V + pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR + SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T + TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr + Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; }; users = addNames { makefu = { - pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; + pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; }; }; }; diff --git a/3modules/makefu/default.nix b/3modules/makefu/default.nix new file mode 100644 index 000000000..45ca8c3eb --- /dev/null +++ b/3modules/makefu/default.nix @@ -0,0 +1,19 @@ +{ config, lib, ... }: + +with import ../../4lib/krebs { inherit lib; }; +let + cfg = config.krebs; + + out = { + imports = [ + ]; + options.krebs = api; + config = mkIf cfg.enable imp; + }; + + api = { }; + + imp = { }; + +in +out From f9c46e9d43c765d426f88f0f318bf02962a67578 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 23:03:50 +0200 Subject: [PATCH 30/48] makefu: fix whitespace, use registry instead of readfile --- 1systems/makefu/pnp.nix | 79 +++++++++--------- 2configs/makefu/base.nix | 170 +++++++++++++++++++-------------------- 2 files changed, 123 insertions(+), 126 deletions(-) diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix index f98cd5276..158a4f8c2 100644 --- a/1systems/makefu/pnp.nix +++ b/1systems/makefu/pnp.nix @@ -5,50 +5,49 @@ { config, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - - ../../2configs/makefu/base.nix - ../../3modules/krebs/retiolum.nix - ../../2configs/makefu/cgit-retiolum.nix - ]; - krebs.enable = true; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/vda"; + imports = + [ # Include the results of the hardware scan. + + ../../2configs/makefu/base.nix + ../../3modules/krebs/retiolum.nix + ../../2configs/makefu/cgit-retiolum.nix + ]; + krebs.enable = true; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - hardware.enableAllFirmware = true; - hardware.cpu.amd.updateMicrocode = true; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + hardware.enableAllFirmware = true; + hardware.cpu.amd.updateMicrocode = true; - # networking.firewall is enabled by default - networking.firewall.allowedTCPPorts = [ 80 ]; +# networking.firewall is enabled by default + networking.firewall.allowedTCPPorts = [ 80 ]; - fileSystems."/" = - { device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - }; - krebs.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "gum" - "pigstarter" - "fastpoke" - ]; - }; + fileSystems."/" = + { device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "gum" + "pigstarter" + "fastpoke" + ]; + }; - nix.maxJobs = 1; - networking.hostName = "pnp"; # Define your hostname. + nix.maxJobs = 1; + networking.hostName = "pnp"; # Define your hostname. # $ nix-env -qaP | grep wget - environment.systemPackages = with pkgs; [ - wget - git - gnumake - jq - ]; - + environment.systemPackages = with pkgs; [ + wget + git + gnumake + jq + ]; } diff --git a/2configs/makefu/base.nix b/2configs/makefu/base.nix index ab2e6f247..b1dd83049 100644 --- a/2configs/makefu/base.nix +++ b/2configs/makefu/base.nix @@ -2,95 +2,93 @@ with lib; { - imports = [ ]; - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/makefu_arch.ssh.pub - ]; - }; - makefu = { - uid = 9001; - group = "users"; - home = "/home/makefu"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - "wheel" - ]; - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/makefu_arch.ssh.pub - ]; - }; + imports = [ ]; + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; - - services.openssh.enable = true; - nix.useChroot = true; - - users.mutableUsers = true; - - boot.tmpOnTmpfs = true; - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - environment.extraInit = '' - EDITOR=vim - ''; - - environment.systemPackages = with pkgs; [ - git - vim - rxvt_unicode.terminfo - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=900001 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - ''; - promptInit = '' - case $UID in - 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;; - 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;; - *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;; - esac - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - environment.shellAliases = { - lsl = "ls -latr"; + makefu = { + uid = 9001; + group = "users"; + home = "/home/makefu"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "wheel" + ]; + openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; + }; - security.setuidPrograms = [ "sendmail" ]; + services.openssh.enable = true; + nix.useChroot = true; - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - nixpkgs.config.packageOverrides = pkgs: { - nano = pkgs.runCommand "empty" {} "mkdir -p $out"; - }; - services.cron.enable = false; - services.nscd.enable = false; - boot.kernel.sysctl = { -# Enable IPv6 Privacy Extensions - "net.ipv6.conf.all.use_tempaddr" = 2; - "net.ipv6.conf.default.use_tempaddr" = 2; - }; - i18n = { - consoleKeyMap = "us"; - defaultLocale = "en_US.UTF-8"; - }; + users.mutableUsers = true; + boot.tmpOnTmpfs = true; + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + environment.extraInit = '' + EDITOR=vim + ''; + + environment.systemPackages = with pkgs; [ + git + vim + rxvt_unicode.terminfo + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=900001 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + ''; + + promptInit = '' + case $UID in + 0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;; + 9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;; + *) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;; + esac + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + environment.shellAliases = { + lsl = "ls -latr"; + }; + + nixpkgs.config.packageOverrides = pkgs: { + nano = pkgs.runCommand "empty" {} "mkdir -p $out"; + }; + + services.cron.enable = false; + services.nscd.enable = false; + + security.setuidPrograms = [ "sendmail" ]; + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + # Enable IPv6 Privacy Extensions + boot.kernel.sysctl = { + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + i18n = { + consoleKeyMap = "us"; + defaultLocale = "en_US.UTF-8"; + }; } From 51a698475ea5f2ac7c8ac2a4a8df26905e4af4c1 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 23:13:16 +0200 Subject: [PATCH 31/48] makefu: ls -lAtr --- 2configs/makefu/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2configs/makefu/base.nix b/2configs/makefu/base.nix index b1dd83049..25b80930b 100644 --- a/2configs/makefu/base.nix +++ b/2configs/makefu/base.nix @@ -66,7 +66,7 @@ with lib; }; environment.shellAliases = { - lsl = "ls -latr"; + lsl = "ls -lAtr"; }; nixpkgs.config.packageOverrides = pkgs: { From a4d2509918c3ce1400071eb0ef2b5421023976ca Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 24 Jul 2015 23:13:33 +0200 Subject: [PATCH 32/48] pnp: maxJobs++ --- 1systems/makefu/pnp.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/1systems/makefu/pnp.nix b/1systems/makefu/pnp.nix index 158a4f8c2..7e4ccf2c1 100644 --- a/1systems/makefu/pnp.nix +++ b/1systems/makefu/pnp.nix @@ -9,7 +9,6 @@ [ # Include the results of the hardware scan. ../../2configs/makefu/base.nix - ../../3modules/krebs/retiolum.nix ../../2configs/makefu/cgit-retiolum.nix ]; krebs.enable = true; @@ -40,7 +39,7 @@ ]; }; - nix.maxJobs = 1; + nix.maxJobs = 2; networking.hostName = "pnp"; # Define your hostname. # $ nix-env -qaP | grep wget From 311e837c9135270e4031caf4f7764fc07a100454 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 23:16:48 +0200 Subject: [PATCH 33/48] Zpkgs krebs: add hashPassword --- Zpkgs/krebs/default.nix | 1 + Zpkgs/krebs/hashPassword.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 Zpkgs/krebs/hashPassword.nix diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix index be8f72011..883890476 100644 --- a/Zpkgs/krebs/default.nix +++ b/Zpkgs/krebs/default.nix @@ -8,4 +8,5 @@ pkgs // { github-hosts-sync = callPackage ./github-hosts-sync.nix {}; github-known_hosts = callPackage ./github-known_hosts.nix {}; + hashPassword = callPackage ./hashPassword.nix {}; } diff --git a/Zpkgs/krebs/hashPassword.nix b/Zpkgs/krebs/hashPassword.nix new file mode 100644 index 000000000..a10340cc4 --- /dev/null +++ b/Zpkgs/krebs/hashPassword.nix @@ -0,0 +1,16 @@ +{ lib, pkgs, ... }: + +pkgs.writeScriptBin "hashPassword" '' + #! /bin/sh + # usage: hashPassword + set -euf + + export PATH=${lib.makeSearchPath "bin" (with pkgs; [ + coreutils + mkpasswd + openssl + ])} + + salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16) + exec mkpasswd -m sha-512 -S "$salt" +'' From 103c00849e126aa592af0a7fb47c84312ca50304 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 23:18:12 +0200 Subject: [PATCH 34/48] 1 tv wu: systemPackages += hashPassword --- 1systems/tv/wu.nix | 1 + Zpkgs/tv/default.nix | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 4a74d552f..5ca64ce9e 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -28,6 +28,7 @@ in gnumake parallel Zpkgs.genid + Zpkgs.hashPassword Zpkgs.lentil # root diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix index e3e12bd18..bad7e9d23 100644 --- a/Zpkgs/tv/default.nix +++ b/Zpkgs/tv/default.nix @@ -2,10 +2,10 @@ let inherit (pkgs) callPackage; + krebs = import ../../Zpkgs/krebs { inherit pkgs; }; in -pkgs // -{ +krebs // { charybdis = callPackage ./charybdis {}; dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; From 78c12a8adca9f55e8faa5c86f102050c8a557b64 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 23:19:49 +0200 Subject: [PATCH 35/48] Zpkgs {tv -> krebs} genid --- Zpkgs/krebs/default.nix | 1 + Zpkgs/{tv => krebs}/genid.nix | 0 Zpkgs/tv/default.nix | 1 - 3 files changed, 1 insertion(+), 1 deletion(-) rename Zpkgs/{tv => krebs}/genid.nix (100%) diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix index 883890476..e07b96b56 100644 --- a/Zpkgs/krebs/default.nix +++ b/Zpkgs/krebs/default.nix @@ -6,6 +6,7 @@ in pkgs // { + genid = callPackage ./genid.nix {}; github-hosts-sync = callPackage ./github-hosts-sync.nix {}; github-known_hosts = callPackage ./github-known_hosts.nix {}; hashPassword = callPackage ./hashPassword.nix {}; diff --git a/Zpkgs/tv/genid.nix b/Zpkgs/krebs/genid.nix similarity index 100% rename from Zpkgs/tv/genid.nix rename to Zpkgs/krebs/genid.nix diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix index bad7e9d23..a8ca2b2ab 100644 --- a/Zpkgs/tv/default.nix +++ b/Zpkgs/tv/default.nix @@ -8,7 +8,6 @@ in krebs // { charybdis = callPackage ./charybdis {}; dic = callPackage ./dic.nix {}; - genid = callPackage ./genid.nix {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; viljetic-pages = callPackage ./viljetic-pages {}; From 99527e88aec089b4fea496248cf03f738bfed257 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 23:24:46 +0200 Subject: [PATCH 36/48] Zpkgs {tv -> krebs} dic --- Zpkgs/krebs/default.nix | 1 + Zpkgs/{tv => krebs}/dic.nix | 0 Zpkgs/tv/default.nix | 1 - 3 files changed, 1 insertion(+), 1 deletion(-) rename Zpkgs/{tv => krebs}/dic.nix (100%) diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix index e07b96b56..231fda797 100644 --- a/Zpkgs/krebs/default.nix +++ b/Zpkgs/krebs/default.nix @@ -6,6 +6,7 @@ in pkgs // { + dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; github-hosts-sync = callPackage ./github-hosts-sync.nix {}; github-known_hosts = callPackage ./github-known_hosts.nix {}; diff --git a/Zpkgs/tv/dic.nix b/Zpkgs/krebs/dic.nix similarity index 100% rename from Zpkgs/tv/dic.nix rename to Zpkgs/krebs/dic.nix diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix index a8ca2b2ab..50625f868 100644 --- a/Zpkgs/tv/default.nix +++ b/Zpkgs/tv/default.nix @@ -7,7 +7,6 @@ in krebs // { charybdis = callPackage ./charybdis {}; - dic = callPackage ./dic.nix {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; viljetic-pages = callPackage ./viljetic-pages {}; From 6840ea1191dd7fc1ad02ae698875e044265d716b Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 00:04:04 +0200 Subject: [PATCH 37/48] tv.identity -> krebs.build + extraHosts hack --- 1systems/tv/cd.nix | 6 +-- 1systems/tv/mkdir.nix | 6 +-- 1systems/tv/nomic.nix | 6 +-- 1systems/tv/rmdir.nix | 6 +-- 1systems/tv/wu.nix | 6 +-- 2configs/tv/charybdis.nix | 8 ++-- 2configs/tv/consul-server.nix | 2 +- 2configs/tv/git.nix | 8 ++-- 2configs/tv/identity.nix | 8 ---- 3modules/krebs/default.nix | 72 ++++++++++++++++++++++++++++++++ 3modules/tv/default.nix | 1 - 3modules/tv/identity.nix | 77 ----------------------------------- 12 files changed, 91 insertions(+), 115 deletions(-) delete mode 100644 2configs/tv/identity.nix delete mode 100644 3modules/tv/identity.nix diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index c0c41e96c..4b8c40f35 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -7,6 +7,8 @@ let in { + krebs.build.host = config.krebs.hosts.cd; + imports = [ ../../2configs/tv/CAC-Developer-2.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix @@ -32,10 +34,6 @@ in tv.iptables.input-internet-accept-new-tcp = singleton config.krebs.github-hosts-sync.port; } - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.cd; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 113fc9596..938f50118 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -3,6 +3,8 @@ with lib; { + krebs.build.host = config.krebs.hosts.mkdir; + imports = [ ../../2configs/tv/CAC-Developer-1.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix @@ -10,10 +12,6 @@ with lib; ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix ../../2configs/tv/git.nix - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.mkdir; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index fc58c1698..1f7f6b188 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -3,16 +3,14 @@ with lib; { + krebs.build.host = config.krebs.hosts.nomic; + imports = [ ../../2configs/tv/AO753.nix ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-retiolum.nix ../../2configs/tv/git.nix - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.nomic; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 15d624d1c..45e9997e4 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -3,6 +3,8 @@ with lib; { + krebs.build.host = config.krebs.hosts.rmdir; + imports = [ ../../2configs/tv/CAC-Developer-1.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix @@ -10,10 +12,6 @@ with lib; ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix ../../2configs/tv/git.nix - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.rmdir; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 5ca64ce9e..0b2dab9df 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -7,6 +7,8 @@ let in { + krebs.build.host = config.krebs.hosts.wu; + imports = [ ../../2configs/tv/w110er.nix ../../2configs/tv/base.nix @@ -16,10 +18,6 @@ in ../../2configs/tv/mail-client.nix ../../2configs/tv/xserver.nix ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.wu; - } { environment.systemPackages = with pkgs; [ diff --git a/2configs/tv/charybdis.nix b/2configs/tv/charybdis.nix index a45c7aebe..265f85132 100644 --- a/2configs/tv/charybdis.nix +++ b/2configs/tv/charybdis.nix @@ -123,7 +123,7 @@ let #loadmodule "extensions/ip_cloaking.so"; serverinfo { - name = ${toJSON (head config.tv.identity.self.nets.retiolum.aliases)}; + name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)}; sid = "4z3"; description = "miep!"; network_name = "irc.retiolum"; @@ -133,9 +133,9 @@ let /* On multi-homed hosts you may need the following. These define * the addresses we connect from to other servers. */ /* for IPv4 */ - vhost = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs4}; + vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; /* for IPv6 */ - vhost6 = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs6}; + vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; /* ssl_private_key: our ssl private key */ ssl_private_key = "/tmp/ssl.key"; @@ -240,7 +240,7 @@ let */ # XXX This is stupid because only one host is allowed[?] #host = ''${concatMapStringsSep ", " toJSON ( - # config.tv.identity.self.nets.retiolum.addrs + # config.krebs.build.host.nets.retiolum.addrs #)}; port = 6667; sslport = 6697; diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 63dabdc2a..d10f9ea75 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -4,7 +4,7 @@ tv.consul = rec { enable = true; - inherit (config.tv.identity) self; + self = config.krebs.build.host; inherit (self) dc; server = true; diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix index b7f9983a1..f884ea464 100644 --- a/2configs/tv/git.nix +++ b/2configs/tv/git.nix @@ -6,7 +6,7 @@ let out = { krebs.git = { enable = true; - root-title = "public repositories at ${config.tv.identity.self.name}"; + root-title = "public repositories at ${config.krebs.build.host.name}"; root-desc = "keep calm and engage"; inherit repos rules; }; @@ -14,7 +14,7 @@ let repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( public-repos // - optionalAttrs config.tv.identity.self.secure restricted-repos + optionalAttrs config.krebs.build.host.secure restricted-repos ); rules = concatMap make-rules (attrValues repos); @@ -55,8 +55,8 @@ let public = true; hooks = { post-receive = git.irc-announce { - # TODO make nick = config.tv.identity.self.name the default - nick = config.tv.identity.self.name; + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; channel = "#retiolum"; server = "cd.retiolum"; }; diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix deleted file mode 100644 index 481ac72a6..000000000 --- a/2configs/tv/identity.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, ... }: - -{ - tv.identity = { - enable = true; - search = "retiolum"; - }; -} diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 999e68da2..601ecf017 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -19,6 +19,21 @@ let api = { enable = mkEnableOption "krebs"; + build = mkOption { + type = types.submodule { + options = { + host = mkOption { + type = types.host; + }; + user = mkOption { + type = types.user; + }; + }; + }; + # Define defaul value, so unset values of the submodule get reported. + default = {}; + }; + hosts = mkOption { type = with types; attrsOf host; }; @@ -26,12 +41,69 @@ let users = mkOption { type = with types; attrsOf user; }; + + # XXX is there a better place to define search-domain? + # TODO search-domains :: listOf hostname + search-domain = mkOption { + type = types.hostname; + default = ""; + example = "retiolum"; + }; }; imp = mkMerge [ { krebs = lass-imp; } { krebs = makefu-imp; } { krebs = tv-imp; } + { + # XXX This overlaps with krebs.retiolum + networking.extraHosts = + let + # TODO move domain name providers to a dedicated module + # providers : tree label providername + providers = { + internet = "hosts"; + retiolum = "hosts"; + de.viljetic = "regfish"; + de.krebsco = "ovh"; + }; + + # splitByProvider : [alias] -> set providername [alias] + splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {}; + + # providerOf : alias -> providername + providerOf = alias: + tree-get (splitString "." alias) providers; + + # insert : k -> v -> set k [v] -> set k [v] + insert = name: value: set: + set // { ${name} = set.${name} or [] ++ [value]; }; + + # tree k v = set k (either v (tree k v)) + + # tree-get : [k] -> tree k v -> v + tree-get = path: x: + let + y = x.${last path}; + in + if typeOf y != "set" + then y + else tree-get (init path) y; + in + concatStringsSep "\n" (flatten ( + # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: + mapAttrsToList (hostname: host: + mapAttrsToList (netname: net: + let + aliases = toString (unique (longs ++ shorts)); + longs = (splitByProvider net.aliases).hosts; + shorts = map (removeSuffix ".${cfg.search-domain}") longs; + in + map (addr: "${addr} ${aliases}") net.addrs + ) host.nets + ) config.krebs.hosts + )); + } ]; lass-imp = { diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix index e267d0b9f..bb10d8261 100644 --- a/3modules/tv/default.nix +++ b/3modules/tv/default.nix @@ -4,7 +4,6 @@ _: imports = [ ./consul.nix ./ejabberd.nix - ./identity.nix ./iptables.nix ]; } diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix deleted file mode 100644 index 9de432203..000000000 --- a/3modules/tv/identity.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ../../4lib/tv { inherit lib pkgs; }; -let - cfg = config.tv.identity; - - out = { - options.tv.identity = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.identity"; - - self = mkOption { - type = types.host; - }; - - #others = mkOption { - # type = types.host; - # default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts; - #}; - - search = mkOption { - type = types.hostname; - }; - }; - - imp = { - networking.extraHosts = - concatStringsSep "\n" (flatten ( - # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = toString (unique (longs ++ shorts)); - longs = (splitByProvider net.aliases).hosts; - shorts = map (removeSuffix ".${cfg.search}") longs; - in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets - ) config.krebs.hosts - )); - }; - - # TODO move domain name providers to a dedicated module - # providers : tree label providername - providers = { - internet = "hosts"; - retiolum = "hosts"; - de.viljetic = "regfish"; - de.krebsco = "ovh"; - }; - - # splitByProvider : [alias] -> set providername [alias] - splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {}; - - # providerOf : alias -> providername - providerOf = alias: - tree-get (splitString "." alias) providers; - - # insert : k -> v -> set k [v] -> set k [v] - insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; - - # tree k v = set k (either v (tree k v)) - - # tree-get : [k] -> tree k v -> v - tree-get = path: x: - let - y = x.${last path}; - in - if typeOf y != "set" - then y - else tree-get (init path) y; -in -out From 14250e66a7b15a6ece190ba55f672fb103eadaa3 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 00:44:24 +0200 Subject: [PATCH 38/48] krebs.users += mv --- 3modules/krebs/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 601ecf017..23b3ab7ec 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -308,6 +308,9 @@ let }; }; users = addNames { + mv = { + pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub; + }; tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; From a489c7be84ffa76bb71542277af6c114c40961f2 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 00:44:51 +0200 Subject: [PATCH 39/48] tv: source pubkeys from registry --- 1systems/tv/cd.nix | 4 ++-- 2configs/tv/base.nix | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 4b8c40f35..fcaf19cb5 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -120,8 +120,8 @@ in home = "/home/mv"; createHome = true; useDefaultShell = true; - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/mv_vod.ssh.pub + openssh.authorizedKeys.keys = [ + config.krebs.users.mv.pubkey ]; }; }; diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix index 14d84c9f6..c7d3e0d2a 100644 --- a/2configs/tv/base.nix +++ b/2configs/tv/base.nix @@ -24,8 +24,8 @@ in { users.extraUsers = { root = { - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/tv_wu.ssh.pub + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey ]; }; tv = { @@ -39,8 +39,8 @@ in "video" "wheel" ]; - openssh.authorizedKeys.keys = map readFile [ - ../../Zpubkeys/tv_wu.ssh.pub + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey ]; }; }; From 939f1b20c2d9e7da6fbe83005057a5e14d5abf4d Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 01:05:14 +0200 Subject: [PATCH 40/48] krebs.types.user += mail --- 4lib/krebs/types.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/4lib/krebs/types.nix b/4lib/krebs/types.nix index ca92c6900..3d3d75a65 100644 --- a/4lib/krebs/types.nix +++ b/4lib/krebs/types.nix @@ -83,6 +83,9 @@ types // rec { user = submodule { options = { + mail = mkOption { + type = str; # TODO retiolum mail address + }; name = mkOption { type = str; # TODO }; From d03dba41d6543adc2c73a7818cd32ca79046c64b Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 01:06:13 +0200 Subject: [PATCH 41/48] krebs.users.[mt]v: set mail --- 1systems/tv/wu.nix | 2 +- 2configs/tv/base.nix | 2 +- 2configs/tv/charybdis.nix | 2 +- 2configs/tv/exim-smarthost.nix | 15 ++++++++------- 2configs/tv/smartd.nix | 2 +- 3modules/krebs/default.nix | 2 ++ 6 files changed, 14 insertions(+), 11 deletions(-) diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 0b2dab9df..ccb2dd141 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -152,7 +152,7 @@ in { krebs.urlwatch = { enable = true; - mailto = "tv@wu.retiolum"; # TODO + mailto = config.krebs.users.tv.mail; onCalendar = "*-*-* 05:00:00"; urls = [ ## nixpkgs maintenance diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix index c7d3e0d2a..ab6d24769 100644 --- a/2configs/tv/base.nix +++ b/2configs/tv/base.nix @@ -47,7 +47,7 @@ in } { security.sudo.extraConfig = '' - Defaults mailto="tv@wu.retiolum" + Defaults mailto="${config.krebs.users.tv.mail}" ''; time.timeZone = "Europe/Berlin"; } diff --git a/2configs/tv/charybdis.nix b/2configs/tv/charybdis.nix index 265f85132..d78e162cb 100644 --- a/2configs/tv/charybdis.nix +++ b/2configs/tv/charybdis.nix @@ -170,7 +170,7 @@ let admin { name = "tv"; description = "peer"; - email = "tv@wu.retiolum"; + mail = "${config.krebs.users.tv.mail}"; }; log { diff --git a/2configs/tv/exim-smarthost.nix b/2configs/tv/exim-smarthost.nix index a4c47b399..c93189b8a 100644 --- a/2configs/tv/exim-smarthost.nix +++ b/2configs/tv/exim-smarthost.nix @@ -11,20 +11,21 @@ in let retiolumHostname = "${config.networking.hostName}.retiolum"; - internet-aliases = [ - { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } + internet-aliases = with config.krebs.users; [ + { from = "tomislav@viljetic.de"; to = tv.mail; } # (mindestens) lisp-stammtisch und elli haben die: - { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } + { from = "tv@viljetic.de"; to = tv.mail; } - { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } + { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; } - { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } + { from = "mirko@viljetic.de"; to = mv.mail; } # TODO killme (wo wird die benutzt?) - { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } + { from = "tv@cd.retiolum"; to = tv.mail; } - { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } + # TODO lists@smtp.retiolum [consul] + { from = "postmaster@krebsco.de"; to = tv.mail; } ]; system-aliases = [ diff --git a/2configs/tv/smartd.nix b/2configs/tv/smartd.nix index 2e9d955d1..9c4d8b2d8 100644 --- a/2configs/tv/smartd.nix +++ b/2configs/tv/smartd.nix @@ -8,7 +8,7 @@ device = "DEVICESCAN"; options = toString [ "-a" - "-m tv@wu.retiolum" + "-m ${config.krebs.users.tv.mail}" "-s (O/../.././09|S/../.././04|L/../../6/05)" ]; } diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 23b3ab7ec..43e7e4c59 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -309,9 +309,11 @@ let }; users = addNames { mv = { + mail = "mv@cd.retiolum"; pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub; }; tv = { + mail = "tv@wu.retiolum"; pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; }; From 4df0d6e75b7e34db2fda4c8b782b93d265475272 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 01:14:34 +0200 Subject: [PATCH 42/48] tv base: set krebs.search-domain --- 2configs/tv/base.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix index ab6d24769..40fe9ee04 100644 --- a/2configs/tv/base.nix +++ b/2configs/tv/base.nix @@ -10,6 +10,7 @@ in { krebs.enable = true; + krebs.search-domain = "retiolum"; imports = [ { From 1eb292f0c9eeb7d0fad6738bc4f06e646cae289e Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 01:29:37 +0200 Subject: [PATCH 43/48] krebs.git.repos.*.hooks: default = {} --- 2configs/tv/git.nix | 1 - 3modules/krebs/git.nix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix index f884ea464..2c0cc6b14 100644 --- a/2configs/tv/git.nix +++ b/2configs/tv/git.nix @@ -66,7 +66,6 @@ let make-restricted-repo = name: { desc ? null, ... }: { inherit name desc; public = false; - hooks = {}; # TODO default }; make-rules = diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix index 499d33095..604645189 100644 --- a/3modules/krebs/git.nix +++ b/3modules/krebs/git.nix @@ -72,6 +72,7 @@ let }; hooks = mkOption { type = types.attrsOf types.str; + default = {}; description = '' Repository-specific hooks. ''; From 8d7c80aac644558768a689012d7b31d23f559d66 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 01:38:26 +0200 Subject: [PATCH 44/48] {1 tv * -> 2 tv base} networking.hostName --- 1systems/tv/cd.nix | 1 - 1systems/tv/mkdir.nix | 1 - 1systems/tv/nomic.nix | 2 -- 1systems/tv/rmdir.nix | 1 - 1systems/tv/wu.nix | 2 -- 2configs/tv/base.nix | 2 ++ 6 files changed, 2 insertions(+), 7 deletions(-) diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index fcaf19cb5..6913508b5 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -84,7 +84,6 @@ in } ]; - networking.hostName = "cd"; networking.interfaces.enp2s1.ip4 = [ { address = "162.219.7.216"; diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 938f50118..7542ad0ce 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -38,7 +38,6 @@ with lib; } ]; - networking.hostName = "mkdir"; networking.interfaces.enp2s1.ip4 = [ { address = "162.248.167.241"; # TODO diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 1f7f6b188..cd6e02596 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -97,6 +97,4 @@ with lib; rxvt_unicode.terminfo tmux ]; - - networking.hostName = "nomic"; } diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 45e9997e4..9233014ba 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -39,7 +39,6 @@ with lib; } ]; - networking.hostName = "rmdir"; networking.interfaces.enp2s1.ip4 = [ { address = "167.88.44.94"; diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index ccb2dd141..809f43c8b 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -422,8 +422,6 @@ in hardware.opengl.driSupport32Bit = true; hardware.pulseaudio.enable = true; - networking.hostName = "wu"; - environment.systemPackages = with pkgs; [ xlibs.fontschumachermisc slock diff --git a/2configs/tv/base.nix b/2configs/tv/base.nix index 40fe9ee04..06f83ea9e 100644 --- a/2configs/tv/base.nix +++ b/2configs/tv/base.nix @@ -12,6 +12,8 @@ in krebs.enable = true; krebs.search-domain = "retiolum"; + networking.hostName = config.krebs.build.host.name; + imports = [ { users.extraUsers = From fca9bf179a5cd29b6804b2e16bb21374b82876bf Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 01:46:10 +0200 Subject: [PATCH 45/48] {1 tv wu -> 2 tv} urlwatch --- 1systems/tv/wu.nix | 51 +--------------------------------------- 2configs/tv/urlwatch.nix | 51 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+), 50 deletions(-) create mode 100644 2configs/tv/urlwatch.nix diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 809f43c8b..37264635b 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -18,6 +18,7 @@ in ../../2configs/tv/mail-client.nix ../../2configs/tv/xserver.nix ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled + ../../2configs/tv/urlwatch.nix { environment.systemPackages = with pkgs; [ @@ -94,7 +95,6 @@ in #ppp #proot #pythonPackages.arandr - #pythonPackages.urlwatch #pythonPackages.youtube-dl #racket #rxvt_unicode-with-plugins @@ -149,55 +149,6 @@ in ]; }; } - { - krebs.urlwatch = { - enable = true; - mailto = config.krebs.users.tv.mail; - onCalendar = "*-*-* 05:00:00"; - urls = [ - ## nixpkgs maintenance - - # 2014-07-29 when one of the following urls change - # then we have to update the package - - # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix - https://api.github.com/repos/simple-evcorr/sec/tags - - # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix - https://thp.io/2008/urlwatch/ - - # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix - https://api.github.com/repos/ioerror/tlsdate/tags - - # 2015-02-18 - # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix - http://www.fourmilab.ch/webtools/qprint/ - - # 2014-09-24 ref https://github.com/4z3/xintmap - http://www.mathstat.dal.ca/~selinger/quipper/ - - # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3 - # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix - http://nixos.org/releases/nixops/ - - ## other - - https://nixos.org/channels/nixos-unstable/git-revision - - ## 2014-10-17 - ## TODO update ~/src/login/default.nix - #http://hackage.haskell.org/package/bcrypt - #http://hackage.haskell.org/package/cron - #http://hackage.haskell.org/package/hyphenation - #http://hackage.haskell.org/package/iso8601-time - #http://hackage.haskell.org/package/ixset-typed - #http://hackage.haskell.org/package/system-command - #http://hackage.haskell.org/package/transformers - #http://hackage.haskell.org/package/web-routes-wai - #http://hackage.haskell.org/package/web-page - ]; - }; - } { users.extraGroups = { tv-sub.gid = 1337; diff --git a/2configs/tv/urlwatch.nix b/2configs/tv/urlwatch.nix new file mode 100644 index 000000000..a69b1519c --- /dev/null +++ b/2configs/tv/urlwatch.nix @@ -0,0 +1,51 @@ +{ config, ... }: + +{ + krebs.urlwatch = { + enable = true; + mailto = config.krebs.users.tv.mail; + onCalendar = "*-*-* 05:00:00"; + urls = [ + ## nixpkgs maintenance + + # 2014-07-29 when one of the following urls change + # then we have to update the package + + # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix + https://api.github.com/repos/simple-evcorr/sec/tags + + # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix + https://thp.io/2008/urlwatch/ + + # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix + https://api.github.com/repos/ioerror/tlsdate/tags + + # 2015-02-18 + # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix + http://www.fourmilab.ch/webtools/qprint/ + + # 2014-09-24 ref https://github.com/4z3/xintmap + http://www.mathstat.dal.ca/~selinger/quipper/ + + # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3 + # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix + http://nixos.org/releases/nixops/ + + ## other + + https://nixos.org/channels/nixos-unstable/git-revision + + ## 2014-10-17 + ## TODO update ~/src/login/default.nix + #http://hackage.haskell.org/package/bcrypt + #http://hackage.haskell.org/package/cron + #http://hackage.haskell.org/package/hyphenation + #http://hackage.haskell.org/package/iso8601-time + #http://hackage.haskell.org/package/ixset-typed + #http://hackage.haskell.org/package/system-command + #http://hackage.haskell.org/package/transformers + #http://hackage.haskell.org/package/web-routes-wai + #http://hackage.haskell.org/package/web-page + ]; + }; +} From 0a5548c379a373157448c3b3798073c6d426033b Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 02:14:44 +0200 Subject: [PATCH 46/48] {3 -> 4} krebs {listset,tree} --- 3modules/krebs/default.nix | 19 ++----------------- 4lib/krebs/default.nix | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 43e7e4c59..33c108811 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -68,27 +68,12 @@ let de.krebsco = "ovh"; }; - # splitByProvider : [alias] -> set providername [alias] - splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {}; + # splitByProvider : [alias] -> listset providername alias + splitByProvider = foldl (acc: alias: listset-insert (providerOf alias) alias acc) {}; # providerOf : alias -> providername providerOf = alias: tree-get (splitString "." alias) providers; - - # insert : k -> v -> set k [v] -> set k [v] - insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; - - # tree k v = set k (either v (tree k v)) - - # tree-get : [k] -> tree k v -> v - tree-get = path: x: - let - y = x.${last path}; - in - if typeOf y != "set" - then y - else tree-get (init path) y; in concatStringsSep "\n" (flatten ( # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: diff --git a/4lib/krebs/default.nix b/4lib/krebs/default.nix index 0c59076b6..0c42a5de3 100644 --- a/4lib/krebs/default.nix +++ b/4lib/krebs/default.nix @@ -12,4 +12,22 @@ builtins // lib // rec { types = import ./types.nix { inherit lib; }; + + # listset k v = set k [v] + + # listset-insert : k -> v -> listset k v -> listset k v + listset-insert = name: value: set: + set // { ${name} = set.${name} or [] ++ [value]; }; + + # tree k v = set k (either v (tree k v)) + + # tree-get : [k] -> tree k v -> v + tree-get = path: x: + let + y = x.${last path}; + in + if typeOf y != "set" + then y + else tree-get (init path) y; + } From 3ddc26515aa21295f89bf1c9839a18427f9f61e7 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 18:16:51 +0200 Subject: [PATCH 47/48] default.nix: retab --- default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/default.nix b/default.nix index 2deb7539a..49e889924 100644 --- a/default.nix +++ b/default.nix @@ -2,19 +2,19 @@ let - eval = import { + eval = import { system = builtins.currentSystem; - modules = [ + modules = [ (./1systems + "/${user-name}/${system-name}.nix") - (./3modules/krebs) - (./3modules + "/${user-name}") - ]; - }; + (./3modules/krebs) + (./3modules + "/${user-name}") + ]; + }; in { - inherit (eval) config options; + inherit (eval) config options; - system = eval.config.system.build.toplevel; + system = eval.config.system.build.toplevel; } From 3197897292f0fc8f38d30ad6ddc9742be4a7cc1d Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 26 Jul 2015 12:09:55 +0200 Subject: [PATCH 48/48] 0 tv nomic nixpkgs: 6ad8fab -> 9d5508d --- 0make/tv/nomic.makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/0make/tv/nomic.makefile b/0make/tv/nomic.makefile index 4ae1ccd10..9e0b8671b 100644 --- a/0make/tv/nomic.makefile +++ b/0make/tv/nomic.makefile @@ -1,4 +1,4 @@ deploy_host := root@nomic.gg23 nixpkgs_url := https://github.com/NixOS/nixpkgs -nixpkgs_rev := 6ad8fab785695d04a6925e8b3464ca7c71a85c3f +nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696 secrets_dir := /home/tv/secrets/nomic