Merge branch 'tv' into master

This commit is contained in:
lassulus 2015-07-27 10:09:13 +02:00
commit 54a01c0c74
43 changed files with 873 additions and 490 deletions


@ -0,0 +1,4 @@
deploy_host := root@pnp
nixpkgs_url := https://github.com/nixos/nixpkgs
nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
secrets_dir := /home/makefu/secrets/pnp


@ -1,4 +1,4 @@
deploy_host := root@nomic.gg23 deploy_host := root@nomic.gg23
nixpkgs_url := https://github.com/NixOS/nixpkgs nixpkgs_url := https://github.com/NixOS/nixpkgs
nixpkgs_rev := 6ad8fab785695d04a6925e8b3464ca7c71a85c3f nixpkgs_rev := 9d5508d85c33b8fb22d79dde6176792eac2c2696
secrets_dir := /home/tv/secrets/nomic secrets_dir := /home/tv/secrets/nomic

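--- a/1systems/makefu/pnp.nix
+++ b/1systems/makefu/pnp.nix
@@ -0,0 +1,52 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running nixos-help).
+{ config, pkgs, ... }:
+{
+imports =
+[ # Include the results of the hardware scan.
+<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+../../2configs/makefu/base.nix
+../../2configs/makefu/cgit-retiolum.nix
+];
+krebs.enable = true;
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.device = "/dev/vda";
+boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+hardware.enableAllFirmware = true;
+hardware.cpu.amd.updateMicrocode = true;
+# networking.firewall is enabled by default
+networking.firewall.allowedTCPPorts = [ 80 ];
+fileSystems."/" =
+{ device = "/dev/disk/by-label/nixos";
+fsType = "ext4";
+};
+krebs.retiolum = {
+enable = true;
+hosts = ../../Zhosts;
+connectTo = [
+"gum"
+"pigstarter"
+"fastpoke"
+];
+};
+nix.maxJobs = 2;
+networking.hostName = "pnp"; # Define your hostname.
+# $ nix-env -qaP | grep wget
+environment.systemPackages = with pkgs; [
+wget
+git
+gnumake
+jq
+];
+}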
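Review bot: The `imports` comment `# Include the results of the hardware scan.` is left over from the NixOS template, but no hardware-configuration.nix is imported here — the entry next to it is the `qemu-guest.nix` profile — so the comment should say that, e.g. `[ # VM guest profile instead of hardware-configuration.nix`, and the three template header lines at the top of the file can go with it. `networking.firewall.allowedTCPPorts = [ 80 ];` opens the port on every interface; given the imported config is named cgit-retiolum, it is worth confirming whether HTTP is meant to be reachable beyond the retiolum interface and recording the decision in a comment next to that line.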


@ -7,13 +7,15 @@ let
in in
{ {
krebs.build.host = config.krebs.hosts.cd;
imports = [ imports = [
../../2configs/tv/CAC-Developer-2.nix ../../2configs/tv/CAC-Developer-2.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix ../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/charybdis.nix ]; imports = [ ../../2configs/tv/charybdis.nix ];
tv.charybdis = { tv.charybdis = {
@ -22,24 +24,17 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/ejabberd.nix ];
tv.ejabberd = { tv.ejabberd = {
enable = true; enable = true;
hosts = [ "jabber.viljetic.de" ]; hosts = [ "jabber.viljetic.de" ];
}; };
} }
{ {
imports = [ ../../3modules/tv/github-hosts-sync.nix ]; krebs.github-hosts-sync.enable = true;
tv.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp = tv.iptables.input-internet-accept-new-tcp =
singleton config.tv.github-hosts-sync.port; singleton config.krebs.github-hosts-sync.port;
} }
{ {
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.cd;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -55,21 +50,13 @@ in
}; };
} }
{ {
imports = [
../../3modules/tv/iptables.nix
../../3modules/tv/nginx.nix
];
tv.iptables.input-internet-accept-new-tcp = singleton "http"; tv.iptables.input-internet-accept-new-tcp = singleton "http";
tv.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
} }
{ {
# TODO make public_html also available to cd, cd.retiolum (AKA default) # TODO make public_html also available to cd, cd.retiolum (AKA default)
imports = [
../../3modules/tv/iptables.nix
../../3modules/tv/nginx.nix
];
tv.iptables.input-internet-accept-new-tcp = singleton "http"; tv.iptables.input-internet-accept-new-tcp = singleton "http";
tv.nginx.servers.public_html = { krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de"; server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2; alias /home/$1/public_html$2;
@ -77,7 +64,7 @@ in
}; };
} }
{ {
tv.nginx.servers.viljetic = { krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de"; server-names = singleton "viljetic.de";
# TODO directly set root (instead via location) # TODO directly set root (instead via location)
locations = singleton (nameValuePair "/" '' locations = singleton (nameValuePair "/" ''
@ -86,10 +73,8 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"fastpoke" "fastpoke"
"pigstarter" "pigstarter"
@ -99,7 +84,6 @@ in
} }
]; ];
networking.hostName = "cd";
networking.interfaces.enp2s1.ip4 = [ networking.interfaces.enp2s1.ip4 = [
{ {
address = "162.219.7.216"; address = "162.219.7.216";
@ -135,8 +119,8 @@ in
home = "/home/mv"; home = "/home/mv";
createHome = true; createHome = true;
useDefaultShell = true; useDefaultShell = true;
openssh.authorizedKeys.keys = map readFile [ openssh.authorizedKeys.keys = [
../../Zpubkeys/mv_vod.ssh.pub config.krebs.users.mv.pubkey
]; ];
}; };
}; };
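Review bot: `hosts = ../../Zhosts;` is dropped from the `krebs.retiolum` block in this file (the removed line before `connectTo`), and likewise in mkdir.nix, nomic.nix, rmdir.nix and wu.nix, while the new 1systems/makefu/pnp.nix still sets it; unless 3modules/krebs/retiolum.nix (not in this view) now defaults `hosts`, these five hosts evaluate without a tinc hosts directory. Either restore `hosts = ../../Zhosts;` in each `krebs.retiolum` block or, if the module defaults it, drop the now-redundant line in pnp.nix so the two trees agree. The enclosing attribute set starts before this hunk.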


@ -3,19 +3,16 @@
with lib; with lib;
{ {
krebs.build.host = config.krebs.hosts.mkdir;
imports = [ imports = [
../../2configs/tv/CAC-Developer-1.nix ../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix ../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.mkdir;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -29,10 +26,8 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"cd" "cd"
"fastpoke" "fastpoke"
@ -43,7 +38,6 @@ with lib;
} }
]; ];
networking.hostName = "mkdir";
networking.interfaces.enp2s1.ip4 = [ networking.interfaces.enp2s1.ip4 = [
{ {
address = "162.248.167.241"; # TODO address = "162.248.167.241"; # TODO


@ -3,18 +3,15 @@
with lib; with lib;
{ {
krebs.build.host = config.krebs.hosts.nomic;
imports = [ imports = [
../../2configs/tv/AO753.nix ../../2configs/tv/AO753.nix
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-retiolum.nix ../../2configs/tv/exim-retiolum.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.nomic;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -26,8 +23,7 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/nginx.nix ]; krebs.nginx = {
tv.nginx = {
enable = true; enable = true;
servers.default.locations = [ servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" '' (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@ -37,10 +33,8 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"gum" "gum"
"pigstarter" "pigstarter"
@ -103,6 +97,4 @@ with lib;
rxvt_unicode.terminfo rxvt_unicode.terminfo
tmux tmux
]; ];
networking.hostName = "nomic";
} }


@ -3,19 +3,16 @@
with lib; with lib;
{ {
krebs.build.host = config.krebs.hosts.rmdir;
imports = [ imports = [
../../2configs/tv/CAC-Developer-1.nix ../../2configs/tv/CAC-Developer-1.nix
../../2configs/tv/CAC-CentOS-7-64bit.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix ../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.rmdir;
}
{
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -29,10 +26,8 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"cd" "cd"
"mkdir" "mkdir"
@ -44,7 +39,6 @@ with lib;
} }
]; ];
networking.hostName = "rmdir";
networking.interfaces.enp2s1.ip4 = [ networking.interfaces.enp2s1.ip4 = [
{ {
address = "167.88.44.94"; address = "167.88.44.94";


@ -7,28 +7,27 @@ let
in in
{ {
krebs.build.host = config.krebs.hosts.wu;
imports = [ imports = [
../../2configs/tv/w110er.nix ../../2configs/tv/w110er.nix
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-client.nix ../../2configs/tv/consul-client.nix
../../2configs/tv/exim-retiolum.nix ../../2configs/tv/exim-retiolum.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
# TODO git-private.nix
../../2configs/tv/mail-client.nix ../../2configs/tv/mail-client.nix
../../2configs/tv/xserver.nix ../../2configs/tv/xserver.nix
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
{ ../../2configs/tv/urlwatch.nix
imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.wu;
}
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# shitment # stockholm
git git
gnumake gnumake
parallel parallel
Zpkgs.genid Zpkgs.genid
Zpkgs.hashPassword
Zpkgs.lentil Zpkgs.lentil
# root # root
@ -96,7 +95,6 @@ in
#ppp #ppp
#proot #proot
#pythonPackages.arandr #pythonPackages.arandr
#pythonPackages.urlwatch
#pythonPackages.youtube-dl #pythonPackages.youtube-dl
#racket #racket
#rxvt_unicode-with-plugins #rxvt_unicode-with-plugins
@ -122,7 +120,6 @@ in
]; ];
} }
{ {
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -134,8 +131,7 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/nginx.nix ]; krebs.nginx = {
tv.nginx = {
enable = true; enable = true;
servers.default.locations = [ servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" '' (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
@ -145,66 +141,14 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"gum" "gum"
"pigstarter" "pigstarter"
]; ];
}; };
} }
{
imports = [ ../../3modules/tv/urlwatch.nix ];
tv.urlwatch = {
enable = true;
mailto = "tv@wu.retiolum"; # TODO
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
# 2014-07-29 when one of the following urls change
# then we have to update the package
# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
http://simple-evcorr.sourceforge.net/
# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
https://thp.io/2008/urlwatch/
# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
https://api.github.com/repos/ioerror/tlsdate/tags
# 2015-02-18
# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
http://www.fourmilab.ch/webtools/qprint/
# 2014-09-24 ref https://github.com/4z3/xintmap
http://www.mathstat.dal.ca/~selinger/quipper/
# 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
# ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
http://nixos.org/releases/nixops/
## other
https://nixos.org/channels/nixos-unstable/git-revision
## 2014-10-17
## TODO update ~/src/login/default.nix
#http://hackage.haskell.org/package/bcrypt
#http://hackage.haskell.org/package/cron
#http://hackage.haskell.org/package/hyphenation
#http://hackage.haskell.org/package/iso8601-time
#http://hackage.haskell.org/package/ixset-typed
#http://hackage.haskell.org/package/system-command
#http://hackage.haskell.org/package/transformers
#http://hackage.haskell.org/package/web-routes-wai
#http://hackage.haskell.org/package/web-page
];
};
}
{ {
users.extraGroups = { users.extraGroups = {
tv-sub.gid = 1337; tv-sub.gid = 1337;
@ -429,8 +373,6 @@ in
hardware.opengl.driSupport32Bit = true; hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.enable = true; hardware.pulseaudio.enable = true;
networking.hostName = "wu";
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
xlibs.fontschumachermisc xlibs.fontschumachermisc
slock slock

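--- a/2configs/makefu/base.nix
+++ b/2configs/makefu/base.nix
@@ -0,0 +1,94 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+imports = [ ];
+users.extraUsers = {
+root = {
+openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+};
+makefu = {
+uid = 9001;
+group = "users";
+home = "/home/makefu";
+createHome = true;
+useDefaultShell = true;
+extraGroups = [
+"wheel"
+];
+openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
+};
+};
+services.openssh.enable = true;
+nix.useChroot = true;
+users.mutableUsers = true;
+boot.tmpOnTmpfs = true;
+systemd.tmpfiles.rules = [
+"d /tmp 1777 root root - -"
+];
+environment.extraInit = ''
+EDITOR=vim
+'';
+environment.systemPackages = with pkgs; [
+git
+vim
+rxvt_unicode.terminfo
+];
+programs.bash = {
+enableCompletion = true;
+interactiveShellInit = ''
+HISTCONTROL='erasedups:ignorespace'
+HISTSIZE=900001
+HISTFILESIZE=$HISTSIZE
+shopt -s checkhash
+shopt -s histappend histreedit histverify
+shopt -s no_empty_cmd_completion
+complete -d cd
+'';
+promptInit = ''
+case $UID in
+0) PS1='\[\e[1;31m\]\w\[\e[0m\] ' ;;
+9001) PS1='\[\e[1;32m\]\w\[\e[0m\] ' ;;
+*) PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] ' ;;
+esac
+if test -n "$SSH_CLIENT"; then
+PS1='\[\033[35m\]\h'" $PS1"
+fi
+'';
+};
+environment.shellAliases = {
+lsl = "ls -lAtr";
+};
+nixpkgs.config.packageOverrides = pkgs: {
+nano = pkgs.runCommand "empty" {} "mkdir -p $out";
+};
+services.cron.enable = false;
+services.nscd.enable = false;
+security.setuidPrograms = [ "sendmail" ];
+services.journald.extraConfig = ''
+SystemMaxUse=1G
+RuntimeMaxUse=128M
+'';
+# Enable IPv6 Privacy Extensions
+boot.kernel.sysctl = {
+"net.ipv6.conf.all.use_tempaddr" = 2;
+"net.ipv6.conf.default.use_tempaddr" = 2;
+};
+i18n = {
+consoleKeyMap = "us";
+defaultLocale = "en_US.UTF-8";
+};
+}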
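Review bot: `services.openssh.enable = true;` is set without pinning the root-login or password-authentication policy, so sshd runs with the NixOS defaults on a host whose root account carries an authorized key and whose accounts are mutable (`users.mutableUsers = true;`). Since key-based access is already provisioned for both root and makefu via `config.krebs.users.makefu.pubkey`, `services.openssh.permitRootLogin = "without-password";` and `services.openssh.passwordAuthentication = false;` would make the intended key-only access explicit instead of depending on the module defaults. A one-line comment on `security.setuidPrograms = [ "sendmail" ];` saying which MTA is expected to provide it would also help, since nothing in this file enables one.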


@ -0,0 +1,52 @@
{ config, lib, pkgs, ... }:
with import ../../4lib/tv { inherit lib pkgs; };
let
out = {
imports = [ ../../3modules/krebs/git.nix ];
krebs.git = {
enable = true;
root-title = "public repositories ";
root-desc = "keep calm and enrage";
inherit repos rules ;
};
};
repos = public-repos;
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
stockholm = {
desc = "take all the computers hostage, they'll love you!";
};
};
# TODO move users to separate module
make-public-repo = name: { desc ? null, ... }: {
inherit name desc;
public = true;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName;
channel = "#retiolum";
server = "cd.retiolum";
};
};
};
make-rules =
with git // config.krebs.users;
repo:
singleton {
user = makefu;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional repo.public {
user = [ lass tv uriel ];
repo = [ repo ];
perm = fetch;
};
in out
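Review bot: `root-title = "public repositories ";` carries a trailing space that will appear verbatim in the cgit page title; `root-title = "public repositories";` is probably what was meant. The comment `# TODO move users to separate module` above `make-public-repo` refers to users this file does not define — they already come from `config.krebs.users` in `make-rules` — so it reads as stale and should be removed or reworded to what is actually still pending. The enclosing `let` block is complete within the hunk.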


@ -9,6 +9,11 @@ let
in in
{ {
krebs.enable = true;
krebs.search-domain = "retiolum";
networking.hostName = config.krebs.build.host.name;
imports = [ imports = [
{ {
users.extraUsers = users.extraUsers =
@ -22,8 +27,8 @@ in
{ {
users.extraUsers = { users.extraUsers = {
root = { root = {
openssh.authorizedKeys.keys = map readFile [ openssh.authorizedKeys.keys = [
../../Zpubkeys/tv_wu.ssh.pub config.krebs.users.tv.pubkey
]; ];
}; };
tv = { tv = {
@ -37,15 +42,15 @@ in
"video" "video"
"wheel" "wheel"
]; ];
openssh.authorizedKeys.keys = map readFile [ openssh.authorizedKeys.keys = [
../../Zpubkeys/tv_wu.ssh.pub config.krebs.users.tv.pubkey
]; ];
}; };
}; };
} }
{ {
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
Defaults mailto="tv@wu.retiolum" Defaults mailto="${config.krebs.users.tv.mail}"
''; '';
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
} }


@ -123,7 +123,7 @@ let
#loadmodule "extensions/ip_cloaking.so"; #loadmodule "extensions/ip_cloaking.so";
serverinfo { serverinfo {
name = ${toJSON (head config.tv.identity.self.nets.retiolum.aliases)}; name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)};
sid = "4z3"; sid = "4z3";
description = "miep!"; description = "miep!";
network_name = "irc.retiolum"; network_name = "irc.retiolum";
@ -133,9 +133,9 @@ let
/* On multi-homed hosts you may need the following. These define /* On multi-homed hosts you may need the following. These define
* the addresses we connect from to other servers. */ * the addresses we connect from to other servers. */
/* for IPv4 */ /* for IPv4 */
vhost = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs4}; vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4};
/* for IPv6 */ /* for IPv6 */
vhost6 = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs6}; vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6};
/* ssl_private_key: our ssl private key */ /* ssl_private_key: our ssl private key */
ssl_private_key = "/tmp/ssl.key"; ssl_private_key = "/tmp/ssl.key";
@ -170,7 +170,7 @@ let
admin { admin {
name = "tv"; name = "tv";
description = "peer"; description = "peer";
email = "tv@wu.retiolum"; mail = "${config.krebs.users.tv.mail}";
}; };
log { log {
@ -240,7 +240,7 @@ let
*/ */
# XXX This is stupid because only one host is allowed[?] # XXX This is stupid because only one host is allowed[?]
#host = ''${concatMapStringsSep ", " toJSON ( #host = ''${concatMapStringsSep ", " toJSON (
# config.tv.identity.self.nets.retiolum.addrs # config.krebs.build.host.nets.retiolum.addrs
#)}; #)};
port = 6667; port = 6667;
sslport = 6697; sslport = 6697;
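Review bot: In the `admin` block the config key was changed along with the value (`email = "tv@wu.retiolum";` became `mail = "${config.krebs.users.tv.mail}";`); as far as I know charybdis's ircd.conf admin block only knows `email`, so unless the server accepts `mail` as an alias this line will be rejected or silently ignored at startup. `email = "${config.krebs.users.tv.mail}";` keeps the key and only swaps the source of the value. The generated config string starts and ends outside this hunk.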


@ -1,16 +1,15 @@
{ config, ... }: { config, ... }:
{ {
imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec { tv.consul = rec {
enable = true; enable = true;
inherit (config.tv.identity) self; self = config.krebs.build.host;
inherit (self) dc; inherit (self) dc;
server = true; server = true;
hosts = with config.tv.identity.hosts; [ hosts = with config.krebs.hosts; [
# TODO get this list automatically from each host where tv.consul.enable is true # TODO get this list automatically from each host where tv.consul.enable is true
cd cd
mkdir mkdir


@ -4,9 +4,9 @@
services.exim = services.exim =
# This configuration makes only sense for retiolum-enabled hosts. # This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration # TODO modular configuration
assert config.tv.retiolum.enable; assert config.krebs.retiolum.enable;
let let
# TODO get the hostname from config.tv.retiolum. # TODO get the hostname from config.krebs.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum"; retiolumHostname = "${config.networking.hostName}.retiolum";
in in
{ enable = true; { enable = true;


@ -11,20 +11,21 @@ in
let let
retiolumHostname = "${config.networking.hostName}.retiolum"; retiolumHostname = "${config.networking.hostName}.retiolum";
internet-aliases = [ internet-aliases = with config.krebs.users; [
{ from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; } { from = "tomislav@viljetic.de"; to = tv.mail; }
# (mindestens) lisp-stammtisch und elli haben die: # (mindestens) lisp-stammtisch und elli haben die:
{ from = "tv@viljetic.de"; to = "tv@wu.retiolum"; } { from = "tv@viljetic.de"; to = tv.mail; }
{ from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; } { from = "tv@destroy.dyn.shackspace.de"; to = tv.mail; }
{ from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; } { from = "mirko@viljetic.de"; to = mv.mail; }
# TODO killme (wo wird die benutzt?) # TODO killme (wo wird die benutzt?)
{ from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; } { from = "tv@cd.retiolum"; to = tv.mail; }
{ from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; } # TODO lists@smtp.retiolum [consul]
{ from = "postmaster@krebsco.de"; to = tv.mail; }
]; ];
system-aliases = [ system-aliases = [


@ -1,87 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (builtins) map readFile;
inherit (lib) concatMap listToAttrs;
# TODO lib should already include our stuff
inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git;
public-git-repos = [
(public "cgserver")
(public "crude-mail-setup")
(public "dot-xmonad")
(public "hack")
(public "load-env")
(public "make-snapshot")
(public "mime")
(public "much")
(public "nixos-infest")
(public "nixpkgs")
(public "painload")
(public "quipper")
(public "regfish")
(public' {
name = "shitment";
desc = "turn all the computers into one computer!";
})
(public "wai-middleware-time")
(public "web-routes-wai-custom")
(public "xintmap")
];
users = addNames {
tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; };
lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; };
uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; };
makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; };
};
repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos);
rules = concatMap ({ rules, ... }: rules) public-git-repos;
public' = { name, desc }:
let
x = public name;
in
x // { repo = x.repo // { inherit desc; }; };
public = repo-name:
rec {
repo = {
name = repo-name;
hooks = {
post-receive = git.irc-announce {
nick = config.networking.hostName; # TODO make this the default
channel = "#retiolum";
server = "cd.retiolum";
};
};
public = true;
};
rules = with git; with users; [
{ user = tv;
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
}
{ user = [ lass makefu uriel ];
repo = [ repo ];
perm = fetch;
}
];
};
in
{
imports = [
../../3modules/tv/git.nix
];
tv.git = {
enable = true;
inherit repos rules users;
root-title = "public repositories at ${config.networking.hostName}";
root-desc = "keep calm and engage";
};
}

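--- a/2configs/tv/git.nix
+++ b/2configs/tv/git.nix
@@ -0,0 +1,90 @@
+{ config, lib, pkgs, ... }:
+with import ../../4lib/tv { inherit lib pkgs; };
+let
+out = {
+krebs.git = {
+enable = true;
+root-title = "public repositories at ${config.krebs.build.host.name}";
+root-desc = "keep calm and engage";
+inherit repos rules;
+};
+};
+repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
+public-repos //
+optionalAttrs config.krebs.build.host.secure restricted-repos
+);
+rules = concatMap make-rules (attrValues repos);
+public-repos = mapAttrs make-public-repo {
+cgserver = {};
+crude-mail-setup = {};
+dot-xmonad = {};
+hack = {};
+load-env = {};
+make-snapshot = {};
+mime = {};
+much = {};
+nixos-infest = {};
+nixpkgs = {};
+painload = {};
+quipper = {};
+regfish = {};
+stockholm = {
+desc = "take all the computers hostage, they'll love you!";
+};
+wai-middleware-time = {};
+web-routes-wai-custom = {};
+xintmap = {};
+};
+restricted-repos = mapAttrs make-restricted-repo (
+{
+brain = {
+collaborators = with config.krebs.users; [ lass makefu ];
+};
+} //
+import /root/src/secrets/repos.nix { inherit config lib pkgs; }
+);
+make-public-repo = name: { desc ? null, ... }: {
+inherit name desc;
+public = true;
+hooks = {
+post-receive = git.irc-announce {
+# TODO make nick = config.krebs.build.host.name the default
+nick = config.krebs.build.host.name;
+channel = "#retiolum";
+server = "cd.retiolum";
+};
+};
+};
+make-restricted-repo = name: { desc ? null, ... }: {
+inherit name desc;
+public = false;
+};
+make-rules =
+with git // config.krebs.users;
+repo:
+singleton {
+user = tv;
+repo = [ repo ];
+perm = push "refs/*" [ non-fast-forward create delete merge ];
+} ++
+optional repo.public {
+user = [ lass makefu uriel ];
+repo = [ repo ];
+perm = fetch;
+} ++
+optional (length (repo.collaborators or []) > 0) {
+user = repo.collaborators;
+repo = [ repo ];
+perm = fetch;
+};
+in out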
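Review bot: The collaborator fetch rule in `make-rules` can never fire: `make-restricted-repo` destructures `{ desc ? null, ... }` and returns only `name`, `desc` and `public`, so `collaborators` is already gone before `repos` is built, and `repos` strips it again with `removeAttrs`; `repo.collaborators or []` is therefore always `[]`, and `brain`'s collaborators (`lass`, `makefu`) get no access on a `secure` host while `tv` still gets push. This fails closed, but it leaves the whole `restricted-repos` mechanism inert. Keep the stripped set for `krebs.git.repos` (the module's repo type presumably does not accept a `collaborators` attribute — outside this diff) and derive `rules` from the unstripped set, stripping inside the rule so the module sees the same repo value it was given. `import /root/src/secrets/repos.nix` is only forced when `secure` is true, which is fine, but a comment saying where that out-of-tree file is expected to come from (e.g. the `secrets_dir` used by the deploy Makefiles) would save the next reader a search.
```nix
all-repos =
  public-repos //
  optionalAttrs config.krebs.build.host.secure restricted-repos;
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;
rules = concatMap make-rules (attrValues all-repos);
# … unchanged: public-repos, restricted-repos, make-public-repo …
make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
  inherit name desc collaborators;
  public = false;
};
make-rules =
  with git // config.krebs.users;
  repo:
  let r = removeAttrs repo ["collaborators"]; in
  singleton {
    user = tv;
    repo = [ r ];
    perm = push "refs/*" [ non-fast-forward create delete merge ];
  } ++
  optional r.public {
    user = [ lass makefu uriel ];
    repo = [ r ];
    perm = fetch;
  } ++
  optional (length (repo.collaborators or []) > 0) {
    user = repo.collaborators;
    repo = [ r ];
    perm = fetch;
  };
```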


@ -8,7 +8,7 @@
device = "DEVICESCAN"; device = "DEVICESCAN";
options = toString [ options = toString [
"-a" "-a"
"-m tv@wu.retiolum" "-m ${config.krebs.users.tv.mail}"
"-s (O/../.././09|S/../.././04|L/../../6/05)" "-s (O/../.././09|S/../.././04|L/../../6/05)"
]; ];
} }

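--- a/2configs/tv/urlwatch.nix
+++ b/2configs/tv/urlwatch.nix
@@ -0,0 +1,51 @@
+{ config, ... }:
+{
+krebs.urlwatch = {
+enable = true;
+mailto = config.krebs.users.tv.mail;
+onCalendar = "*-*-* 05:00:00";
+urls = [
+## nixpkgs maintenance
+# 2014-07-29 when one of the following urls change
+# then we have to update the package
+# ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
+https://api.github.com/repos/simple-evcorr/sec/tags
+# ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
+https://thp.io/2008/urlwatch/
+# 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
+https://api.github.com/repos/ioerror/tlsdate/tags
+# 2015-02-18
+# ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
+http://www.fourmilab.ch/webtools/qprint/
+# 2014-09-24 ref https://github.com/4z3/xintmap
+http://www.mathstat.dal.ca/~selinger/quipper/
+# 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
+# ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
+http://nixos.org/releases/nixops/
+## other
+https://nixos.org/channels/nixos-unstable/git-revision
+## 2014-10-17
+## TODO update ~/src/login/default.nix
+#http://hackage.haskell.org/package/bcrypt
+#http://hackage.haskell.org/package/cron
+#http://hackage.haskell.org/package/hyphenation
+#http://hackage.haskell.org/package/iso8601-time
+#http://hackage.haskell.org/package/ixset-typed
+#http://hackage.haskell.org/package/system-command
+#http://hackage.haskell.org/package/transformers
+#http://hackage.haskell.org/package/web-routes-wai
+#http://hackage.haskell.org/package/web-page
+];
+};
+}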
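Review bot: Three watched URLs are still fetched over plain `http://` (`http://www.fourmilab.ch/webtools/qprint/`, `http://www.mathstat.dal.ca/~selinger/quipper/`, `http://nixos.org/releases/nixops/`) although the list already uses `https://nixos.org/...` two entries later, so at least the nixops entry can become `https://nixos.org/releases/nixops/`. The job's output is what prompts a package bump in nixpkgs, so an unauthenticated fetch means a page altered in transit produces the same "upstream changed" signal as a real release; moving the remaining entries to https where the sites offer it removes that. The `# 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3` note also has a stray apostrophe (`gets`).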


@ -1,11 +1,145 @@
{ config, ... }: { config, lib, ... }:
{ with import ../../4lib/krebs { inherit lib; };
imports = [ ../../3modules/tv/identity.nix ]; let
tv.identity = { cfg = config.krebs;
enable = true;
search = "retiolum"; out = {
hosts = { imports = [
./github-hosts-sync.nix
./git.nix
./nginx.nix
./retiolum.nix
./urlwatch.nix
];
options.krebs = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "krebs";
build = mkOption {
type = types.submodule {
options = {
host = mkOption {
type = types.host;
};
user = mkOption {
type = types.user;
};
};
};
# Define defaul value, so unset values of the submodule get reported.
default = {};
};
hosts = mkOption {
type = with types; attrsOf host;
};
users = mkOption {
type = with types; attrsOf user;
};
# XXX is there a better place to define search-domain?
# TODO search-domains :: listOf hostname
search-domain = mkOption {
type = types.hostname;
default = "";
example = "retiolum";
};
};
imp = mkMerge [
{ krebs = lass-imp; }
{ krebs = makefu-imp; }
{ krebs = tv-imp; }
{
# XXX This overlaps with krebs.retiolum
networking.extraHosts =
let
# TODO move domain name providers to a dedicated module
# providers : tree label providername
providers = {
internet = "hosts";
retiolum = "hosts";
de.viljetic = "regfish";
de.krebsco = "ovh";
};
# splitByProvider : [alias] -> listset providername alias
splitByProvider = foldl (acc: alias: listset-insert (providerOf alias) alias acc) {};
# providerOf : alias -> providername
providerOf = alias:
tree-get (splitString "." alias) providers;
in
concatStringsSep "\n" (flatten (
# TODO deepMap ["hosts" "nets"] (hostname: host: netname: net:
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = toString (unique (longs ++ shorts));
longs = (splitByProvider net.aliases).hosts;
shorts = map (removeSuffix ".${cfg.search-domain}") longs;
in
map (addr: "${addr} ${aliases}") net.addrs
) host.nets
) config.krebs.hosts
));
}
];
lass-imp = {
hosts = addNames {
};
users = addNames {
lass = {
pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
};
uriel = {
pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
};
};
};
makefu-imp = {
hosts = addNames {
pnp = {
cores = 1;
dc = "makefu"; #vm on 'omo'
nets = {
retiolum = {
addrs4 = ["10.243.0.210"];
addrs6 = ["42:f9f1:0000:0000:0000:0000:0000:0001"];
aliases = [
"pnp.retiolum"
"cgit.pnp.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g
Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V
pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR
SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T
TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr
Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
};
users = addNames {
makefu = {
pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
};
};
};
tv-imp = {
hosts = addNames {
cd = { cd = {
cores = 2; cores = 2;
dc = "tv"; #dc = "cac"; dc = "tv"; #dc = "cac";
@ -99,6 +233,7 @@
''; '';
}; };
}; };
secure = true;
}; };
rmdir = { rmdir = {
cores = 1; cores = 1;
@ -154,7 +289,20 @@
''; '';
}; };
}; };
secure = true;
};
};
users = addNames {
mv = {
mail = "mv@cd.retiolum";
pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub;
};
tv = {
mail = "tv@wu.retiolum";
pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub;
}; };
}; };
}; };
}
in
out
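Review bot: In the `networking.extraHosts` computation, `longs = (splitByProvider net.aliases).hosts;` assumes every net has at least one alias that resolves to the `hosts` provider; a net whose aliases all fall under `de.viljetic`/`de.krebsco`, or an empty `aliases` list, would abort evaluation with a missing-attribute error instead of simply producing no hosts line. `longs = (splitByProvider net.aliases).hosts or [];` keeps evaluation going for such hosts. The comment `# Define defaul value, so unset values of the submodule get reported.` on the `build` option is missing a `t`, and the new `secure = true;` flag set on `cd` and `rmdir` is not described anywhere in this module — a one-line comment on what a `secure` host may hold (it gates `restricted-repos` in 2configs/tv/git.nix) belongs next to it or on the host type in 4lib/krebs, which is outside this diff.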


@ -6,16 +6,16 @@
# TODO when authorized_keys changes, then restart ssh # TODO when authorized_keys changes, then restart ssh
# (or kill already connected users somehow) # (or kill already connected users somehow)
with builtins; with import ../../4lib/krebs { inherit lib; };
with lib;
let let
cfg = config.tv.git; cfg = config.krebs.git;
out = { out = {
# TODO don't import krebs.nginx here
imports = [ imports = [
../../3modules/tv/nginx.nix ../../3modules/krebs/nginx.nix
]; ];
options.tv.git = api; options.krebs.git = api;
config = mkIf cfg.enable (mkMerge [ config = mkIf cfg.enable (mkMerge [
(mkIf cfg.cgit cgit-imp) (mkIf cfg.cgit cgit-imp)
git-imp git-imp
@ -23,12 +23,20 @@ let
}; };
api = { api = {
enable = mkEnableOption "tv.git"; enable = mkEnableOption "krebs.git";
cgit = mkOption { cgit = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = "Enable cgit."; # TODO better desc; talk about nginx description = ''
Enable cgit.
Cgit is an attempt to create a fast web interface for the git version
control system, using a built in cache to decrease pressure on the
git server.
cgit in this module is being served via fastcgi nginx.This module
deploys a http://cgit.<hostname> nginx configuration and enables nginx
if not yet enabled.
'';
}; };
dataDir = mkOption { dataDir = mkOption {
type = types.str; type = types.str;
@ -64,6 +72,7 @@ let
}; };
hooks = mkOption { hooks = mkOption {
type = types.attrsOf types.str; type = types.attrsOf types.str;
default = {};
description = '' description = ''
Repository-specific hooks. Repository-specific hooks.
''; '';
@ -118,9 +127,6 @@ let
rules = mkOption { rules = mkOption {
type = types.unspecified; type = types.unspecified;
}; };
users = mkOption {
type = types.unspecified;
};
}; };
git-imp = { git-imp = {
@ -148,7 +154,8 @@ let
name = "git"; name = "git";
shell = "/bin/sh"; shell = "/bin/sh";
openssh.authorizedKeys.keys = openssh.authorizedKeys.keys =
mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
config.krebs.users;
uid = 129318403; # genid git uid = 129318403; # genid git
}; };
}; };
@ -210,7 +217,7 @@ let
chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit
''; '';
tv.nginx = { krebs.nginx = {
enable = true; enable = true;
servers.cgit = { servers.cgit = {
server-names = [ server-names = [
@ -254,7 +261,7 @@ let
isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:
# TODO assert name # TODO assert name
# TODO assert pubkey # TODO assert pubkey
let let
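Review bot: Switching the `openssh.authorizedKeys.keys` line from `cfg.users` to `config.krebs.users`, together with removing the `users` option, means every user declared anywhere in `krebs.users` gets an SSH login as the `git` account on every host that enables `krebs.git`, and a host can no longer narrow that set. Whether that is acceptable rests on `git-ssh-command` confining the session to repository access and on `rules` covering every repository, neither of which is visible here (`makeAuthorizedKey` is cut off by the hunk). I would keep a per-host override that defaults to the global set, e.g. `users = mkOption { type = types.attrsOf types.unspecified; default = config.krebs.users; description = "Users allowed to log in as the git user."; };` and go back to `cfg.users` in `git-imp`, so the broadening is opt-in rather than implicit.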


@ -3,15 +3,15 @@
with builtins; with builtins;
with lib; with lib;
let let
cfg = config.tv.github-hosts-sync; cfg = config.krebs.github-hosts-sync;
out = { out = {
options.tv.github-hosts-sync = api; options.krebs.github-hosts-sync = api;
config = mkIf cfg.enable imp; config = mkIf cfg.enable imp;
}; };
api = { api = {
enable = mkEnableOption "tv.github-hosts-sync"; enable = mkEnableOption "krebs.github-hosts-sync";
port = mkOption { port = mkOption {
type = types.int; # TODO port type type = types.int; # TODO port type
default = 1028; default = 1028;
@ -78,6 +78,6 @@ let
uid = 3220554646; # genid github-hosts-sync uid = 3220554646; # genid github-hosts-sync
}; };
Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; };
in in
out out


@ -3,21 +3,22 @@
with builtins; with builtins;
with lib; with lib;
let let
cfg = config.tv.nginx; cfg = config.krebs.nginx;
out = { out = {
options.tv.nginx = api; options.krebs.nginx = api;
config = mkIf cfg.enable imp; config = mkIf cfg.enable imp;
}; };
api = { api = {
enable = mkEnableOption "tv.nginx"; enable = mkEnableOption "krebs.nginx";
servers = mkOption { servers = mkOption {
type = with types; attrsOf optionSet; type = with types; attrsOf optionSet;
options = singleton { options = singleton {
server-names = mkOption { server-names = mkOption {
type = with types; listOf str; type = with types; listOf str;
# TODO use identity
default = [ default = [
"${config.networking.hostName}" "${config.networking.hostName}"
"${config.networking.hostName}.retiolum" "${config.networking.hostName}.retiolum"


@ -3,15 +3,15 @@
with builtins; with builtins;
with lib; with lib;
let let
cfg = config.tv.retiolum; cfg = config.krebs.retiolum;
out = { out = {
options.tv.retiolum = api; options.krebs.retiolum = api;
config = mkIf cfg.enable imp; config = mkIf cfg.enable imp;
}; };
api = { api = {
enable = mkEnableOption "tv.retiolum"; enable = mkEnableOption "krebs.retiolum";
name = mkOption { name = mkOption {
type = types.str; type = types.str;
@ -57,9 +57,9 @@ let
}; };
hosts = mkOption { hosts = mkOption {
default = null; type = with types; either package path;
default = ../../Zhosts;
description = '' description = ''
Hosts package or path to use.
If a path is given, then it will be used to generate an ad-hoc package. If a path is given, then it will be used to generate an ad-hoc package.
''; '';
}; };
@ -76,13 +76,21 @@ let
# bad unsafe permissions... # bad unsafe permissions...
type = types.str; type = types.str;
default = "/root/src/secrets/retiolum.rsa_key.priv"; default = "/root/src/secrets/retiolum.rsa_key.priv";
description = "Generate file with <literal>tincd -K</literal>."; description = ''
Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to
<secrets/retiolum.rsa_key.priv>.
'';
}; };
connectTo = mkOption { connectTo = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "fastpoke" "pigstarter" "kheurop" ]; default = [ "fastpoke" "pigstarter" "gum" ];
description = "TODO describe me"; description = ''
The list of hosts in the network which the client will try to connect
to. These hosts should have an 'Address' configured which points to a
routeable IPv4 or IPv6 address.
'';
}; };
}; };
@ -123,24 +131,20 @@ let
}; };
tinc = cfg.tincPackage; tinc = cfg.tincPackage;
hostsType = builtins.typeOf cfg.hosts;
hosts = hosts = getAttr (typeOf cfg.hosts) {
if hostsType == "package" then package = cfg.hosts;
# use package as is path = pkgs.stdenv.mkDerivation {
cfg.hosts name = "custom-retiolum-hosts";
else if hostsType == "path" then src = cfg.hosts;
# use path to generate a package installPhase = ''
pkgs.stdenv.mkDerivation { mkdir $out
name = "custom-retiolum-hosts"; find . -name .git -prune -o -type f -print0 \
src = cfg.hosts; | xargs -0 cp --target-directory $out
installPhase = '' '';
mkdir $out };
find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out };
'';
}
else
abort "The option `services.retiolum.hosts' must be set to a package or a path"
;
iproute = cfg.iproutePackage; iproute = cfg.iproutePackage;
retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
@ -218,5 +222,5 @@ let
chmod +x $out/tinc-up chmod +x $out/tinc-up
''; '';
in
out in out
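Review bot: The `installPhase` of the ad-hoc hosts package flattens the tree with `find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out`, so two files with the same basename in different subdirectories of `hosts` silently overwrite one another, and for tinc the basename is the peer's identity (the file carries its public key and subnets). Either restrict the copy to the top level (`find . -maxdepth 1 -type f -print0`) or make a collision fail loudly instead of picking whichever `cp` wrote last. Separately, the new `privateKeyFile` description says the default points to `<secrets/retiolum.rsa_key.priv>` while the actual default is the string `/root/src/secrets/retiolum.rsa_key.priv`; I would state the real path and add that the option is deliberately a `str`, so the key is read by tincd at runtime and is never copied into the world-readable Nix store, which writing it as `"${<secrets/retiolum.rsa_key.priv>}"` would do.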


@ -8,16 +8,16 @@
with builtins; with builtins;
with lib; with lib;
let let
cfg = config.tv.urlwatch; cfg = config.krebs.urlwatch;
# TODO assert sendmail's existence # TODO assert sendmail's existence
out = { out = {
options.tv.urlwatch = api; options.krebs.urlwatch = api;
config = mkIf cfg.enable imp; config = mkIf cfg.enable imp;
}; };
api = { api = {
enable = mkEnableOption "tv.urlwatch"; enable = mkEnableOption "krebs.urlwatch";
dataDir = mkOption { dataDir = mkOption {
type = types.str; type = types.str;


@ -0,0 +1,19 @@
{ config, lib, ... }:
with import ../../4lib/krebs { inherit lib; };
let
cfg = config.krebs;
out = {
imports = [
];
options.krebs = api;
config = mkIf cfg.enable imp;
};
api = { };
imp = { };
in
out
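Review bot: `config = mkIf cfg.enable imp;` reads `config.krebs.enable`, but `api = { }` declares no `enable` option and `imports = [ ]` pulls in none of the sibling modules that declare `options.krebs.*`; unless `krebs.enable` is declared somewhere not shown, a configuration that sets `krebs.enable = true` fails with an undefined-option error, and importing `./3modules/krebs` from the top-level `default.nix` contributes nothing. I would add `enable = mkEnableOption "krebs";` to `api` and list the modules this directory is meant to bundle, e.g. `imports = [ ./git.nix ./github-hosts-sync.nix ./nginx.nix ./retiolum.nix ./urlwatch.nix ];`. A one-line header comment saying that this file is the aggregate entry point for the `krebs.*` options would also make the empty `imp` less surprising.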


@ -10,7 +10,6 @@ let
cfg = config.tv.consul; cfg = config.tv.consul;
out = { out = {
imports = [ ../../3modules/tv/iptables.nix ];
options.tv.consul = api; options.tv.consul = api;
config = mkIf cfg.enable (mkMerge [ config = mkIf cfg.enable (mkMerge [
imp imp

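--- /dev/null
+++ b/3modules/tv/default.nix
@@ -0,0 +1,9 @@
+_:
+{
+imports = [
+./consul.nix
+./ejabberd.nix
+./iptables.nix
+];
+}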


@ -1,88 +0,0 @@
{ config, lib, pkgs, ... }:
with import ../../4lib/tv { inherit lib pkgs; };
let
cfg = config.tv.identity;
out = {
options.tv.identity = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.identity";
self = mkOption {
type = types.host;
};
#others = mkOption {
# type = types.host;
# default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts;
#};
hosts = mkOption {
type = with types; attrsOf host;
apply = mapAttrs (name: value: value // { inherit name; });
};
search = mkOption {
type = types.hostname;
};
};
imp = {
networking.extraHosts =
concatStringsSep "\n" (flatten (
# TODO deepMap ["hosts" "nets"] (hostname: host: netname: net:
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = toString (unique (longs ++ shorts));
longs = (splitByProvider net.aliases).hosts;
shorts = map (removeSuffix ".${cfg.search}") longs;
in
map (addr: "${addr} ${aliases}") net.addrs
) host.nets
) cfg.hosts
));
};
# TODO move domain name providers to a dedicated module
# providers : tree label providername
providers = {
internet = "hosts";
retiolum = "hosts";
de.viljetic = "regfish";
de.krebsco = "ovh";
de.habsys = "hosts";
de.pixelpocket = "hosts";
de.karlaskop = "hosts";
de.ubikmedia = "hosts";
de.apanowicz = "hosts";
de.aidsballs = "hosts";
};
# splitByProvider : [alias] -> set providername [alias]
splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {};
# providerOf : alias -> providername
providerOf = alias:
tree-get (splitString "." alias) providers;
# insert : k -> v -> set k [v] -> set k [v]
insert = name: value: set:
set // { ${name} = set.${name} or [] ++ [value]; };
# tree k v = set k (either v (tree k v))
# tree-get : [k] -> tree k v -> v
tree-get = path: x:
let
y = x.${last path};
in
if typeOf y != "set"
then y
else tree-get (init path) y;
in
out

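--- /dev/null
+++ b/4lib/krebs/default.nix
@@ -0,0 +1,33 @@
+{ lib, ... }:
+with builtins;
+with lib;
+builtins // lib // rec {
+addName = name: set:
+set // { inherit name; };
+addNames = mapAttrs addName;
+types = import ./types.nix { inherit lib; };
+# listset k v = set k [v]
+# listset-insert : k -> v -> listset k v -> listset k v
+listset-insert = name: value: set:
+set // { ${name} = set.${name} or [] ++ [value]; };
+# tree k v = set k (either v (tree k v))
+# tree-get : [k] -> tree k v -> v
+tree-get = path: x:
+let
+y = x.${last path};
+in
+if typeOf y != "set"
+then y
+else tree-get (init path) y;
+}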

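--- /dev/null
+++ b/4lib/krebs/types.nix
@@ -0,0 +1,104 @@
+{ lib, ... }:
+with lib;
+with types;
+types // rec {
+host = submodule {
+options = {
+name = mkOption {
+type = label;
+};
+dc = mkOption {
+type = label;
+};
+cores = mkOption {
+type = positive;
+};
+nets = mkOption {
+type = attrsOf net;
+apply = x: assert hasAttr "retiolum" x; x;
+};
+secure = mkOption {
+type = bool;
+default = false;
+description = ''
+If true, then the host is capable of keeping secret information.
+TODO define minimum requirements for secure hosts
+'';
+};
+};
+};
+net = submodule ({ config, ... }: {
+options = {
+via = mkOption {
+type = nullOr net;
+default = null;
+};
+addrs = mkOption {
+type = listOf addr;
+apply = _: config.addrs4 ++ config.addrs6;
+};
+addrs4 = mkOption {
+type = listOf addr4;
+default = [];
+};
+addrs6 = mkOption {
+type = listOf addr6;
+default = [];
+};
+aliases = mkOption {
+# TODO nonEmptyListOf hostname
+type = listOf hostname;
+};
+tinc = mkOption {
+type = let net-config = config; in submodule ({ config, ... }: {
+options = {
+config = mkOption {
+type = str;
+apply = _: ''
+${optionalString (net-config.via != null)
+(concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
+${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
+${config.pubkey}
+'';
+};
+pubkey = mkOption {
+type = str;
+};
+};
+});
+};
+};
+});
+positive = mkOptionType {
+name = "positive integer";
+check = x: isInt x && x > 0;
+merge = mergeOneOption;
+};
+user = submodule {
+options = {
+mail = mkOption {
+type = str; # TODO retiolum mail address
+};
+name = mkOption {
+type = str; # TODO
+};
+pubkey = mkOption {
+type = str;
+};
+};
+};
+# TODO
+addr = str;
+addr4 = str;
+addr6 = str;
+hostname = str;
+label = str;
+}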
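Review bot: `addr`, `addr4`, `addr6`, `hostname` and `label` are all plain `str` (marked TODO at the bottom), yet `net.tinc.config` concatenates `addrs` and `pubkey` straight into a tinc host file as `Address = ${a}` / `Subnet = ${a}` lines, so a value containing a newline or a stray directive lands in that file verbatim and one host's declaration can carry extra `Address =` or `Subnet =` lines for another peer. The values come from the repository's own host declarations, so the exposure is limited to whoever can edit those, but a shape check turns a subtle misconfiguration into an evaluation error: e.g. `addr4 = mkOptionType { name = "IPv4 address"; check = x: isString x && builtins.match "[0-9]+(\\.[0-9]+){3}" x != null; merge = mergeOneOption; };`, with `hostname` and `label` restricted to `[0-9A-Za-z.-]+` the same way. `pubkey` could at least be checked to contain no line starting with `Address`, `Subnet` or `Port`.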


@ -1,9 +1,12 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
with builtins; let
with lib; krebs = import ../../4lib/krebs { inherit lib; };
in
builtins // lib // rec { with krebs;
krebs // rec {
git = import ./git.nix { git = import ./git.nix {
lib = lib // { lib = lib // {
@ -12,16 +15,9 @@ builtins // lib // rec {
inherit pkgs; inherit pkgs;
}; };
addName = name: set:
set // { inherit name; };
addNames = mapAttrs addName;
# "7.4.335" -> "74" # "7.4.335" -> "74"
majmin = with lib; x : concatStrings (take 2 (splitString "." x)); majmin = with lib; x : concatStrings (take 2 (splitString "." x));
concat = xs : concat = xs :
if xs == [] if xs == []
then "" then ""
@ -53,82 +49,4 @@ builtins // lib // rec {
if isSafeChar c then c if isSafeChar c then c
else if c == "\n" then "'\n'" else if c == "\n" then "'\n'"
else "\\${c}"); else "\\${c}");
types = lib.types // (with lib.types; rec {
host = submodule {
options = {
name = mkOption {
type = label;
};
dc = mkOption {
type = label;
};
cores = mkOption {
type = positive;
};
nets = mkOption {
type = attrsOf net;
apply = x: assert hasAttr "retiolum" x; x;
};
};
};
net = submodule ({ config, ... }: {
options = {
via = mkOption {
type = nullOr net;
default = null;
};
addrs = mkOption {
type = listOf addr;
apply = _: config.addrs4 ++ config.addrs6;
};
addrs4 = mkOption {
type = listOf addr4;
default = [];
};
addrs6 = mkOption {
type = listOf addr6;
default = [];
};
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
};
tinc = mkOption {
type = let net-config = config; in submodule ({ config, ... }: {
options = {
config = mkOption {
type = str;
apply = _: ''
${optionalString (net-config.via != null)
(concatMapStringsSep "\n" (a: "Address = ${a}") net-config.via.addrs)}
${concatMapStringsSep "\n" (a: "Subnet = ${a}") net-config.addrs}
${config.pubkey}
'';
};
pubkey = mkOption {
type = str;
};
};
});
};
};
});
positive = mkOptionType {
name = "positive integer";
check = x: isInt x && x > 0;
merge = mergeOneOption;
};
# TODO
addr = str;
addr4 = str;
addr6 = str;
hostname = str;
label = str;
});
} }


@ -41,13 +41,14 @@ deploy:;@
"$$src/" "$$deploy_host:$$dst" "$$src/" "$$deploy_host:$$dst"
)} )}
prepush /root/src/shitment "$$PWD" prepush /root/src/stockholm "$$PWD"
prepush /root/src/secrets "$$secrets_dir" prepush /root/src/secrets "$$secrets_dir"
ssh -S none "$$deploy_host" -T env \ ssh -S none "$$deploy_host" -T env \
nixpkgs_url="$$nixpkgs_url" \ nixpkgs_url="$$nixpkgs_url" \
nixpkgs_rev="$$nixpkgs_rev" \ nixpkgs_rev="$$nixpkgs_rev" \
system_name="$$system_name" \ system_name="$$system_name" \
user_name="$$LOGNAME" \
sh -euf \ sh -euf \
<<-\EOF <<-\EOF
prefetch(){( prefetch(){(
@ -77,26 +78,30 @@ deploy:;@
prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
echo build system... echo build system...
NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \ NIX_PATH=/root/src \
NIX_PATH=src \ nix-build \
nix-build -Q -A system '<nixpkgs/nixos>' -Q \
-A system \
'<stockholm>' \
--argstr user-name "$$user_name" \
--argstr system-name "$$system_name"
result/bin/switch-to-configuration switch result/bin/switch-to-configuration switch
EOF EOF
.PHONY: eval .PHONY: eval
eval: eval:
@nix-instantiate \ @
NIX_PATH=stockholm=$$PWD:$$NIX_PATH \
nix-instantiate \
--json \ --json \
--eval \ --eval \
--strict \ --strict \
-A "$$get" \ -A "$$get" \
-E ' '<stockholm>' \
import <nixpkgs/nixos/lib/eval-config.nix> { --argstr user-name "$$LOGNAME" \
system = builtins.currentSystem; --argstr system-name "$$system" \
modules = [ ./1systems/$(LOGNAME)/$(system).nix ]; | jq -r .
}
' | jq -r .
else else
$(error unbound variable: system[s]) $(error unbound variable: system[s])
endif endif
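Review bot: Replacing `NIX_PATH=src` with `NIX_PATH=/root/src` in the build step makes every directory under `/root/src` resolvable as an angle-bracket path, including `/root/src/secrets` that `prepush` has just synced, so any Nix expression that uses `<secrets/...>` as a path rather than a string copies that file into the world-readable Nix store. Nothing in this diff does that, but it is a one-character mistake away, and the `eval` target already takes the narrower approach with `NIX_PATH=stockholm=$$PWD:$$NIX_PATH`. I would pin the remote search path to what the build needs: `NIX_PATH=nixpkgs=/root/src/nixpkgs:stockholm=/root/src/stockholm \`.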

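--- /dev/null
+++ b/Zhosts/pnp
@@ -0,0 +1,11 @@
+Subnet = 10.243.0.210
+Subnet = 42:f9f1:0000:0000:0000:0000:0000:0001
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAugkgEK4iy2C5+VZHwhjj/q3IOhhazE3TYHuipz37KxHWX8ZbjH+g
+Ewtm79dVysujAOX8ZqV8nD8JgDAvkIZDp8FCIK0/rgckhpTsy1HVlHxa7ECrOS8V
+pGz4xOxgcPFRbv5H2coHtbnfQc4GdA5fcNedQ3BP3T2Tn7n/dbbVs30bOP5V0EMR
+SqZwNmtqaDQxOvjpPg9EoHvAYTevrpbbIst9UzCyvmNli9R+SsiDrzEPgB7zOc4T
+TG12MT+XQr6JUu4jPpzdhb6H/36V6ADCIkBjzWh0iSfWGiFDQFinD+YSWbA1NOTr
+Qtd1I3Ov+He7uc2Z719mb0Og2kCGnCnPIwIDAQAB
+-----END RSA PUBLIC KEY-----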

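--- /dev/null
+++ b/Zpkgs/krebs/default.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+let
+inherit (pkgs) callPackage;
+in
+pkgs //
+{
+dic = callPackage ./dic.nix {};
+genid = callPackage ./genid.nix {};
+github-hosts-sync = callPackage ./github-hosts-sync.nix {};
+github-known_hosts = callPackage ./github-known_hosts.nix {};
+hashPassword = callPackage ./hashPassword.nix {};
+}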


@ -0,0 +1,16 @@
{ lib, pkgs, ... }:
pkgs.writeScriptBin "hashPassword" ''
#! /bin/sh
# usage: hashPassword
set -euf
export PATH=${lib.makeSearchPath "bin" (with pkgs; [
coreutils
mkpasswd
openssl
])}
salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16)
exec mkpasswd -m sha-512 -S "$salt"
''
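Review bot: The `# usage: hashPassword` line does not say what the script reads or prints; I would extend it to `# usage: hashPassword  -- prompts for a password on the terminal and prints its sha512-crypt ($6$) hash with a fresh 16-character salt`, since that is the contract a caller needs. The salt pipeline `openssl rand -base64 16 | tr -d '+=' | head -c 16` is correct in that the characters it keeps are all within the crypt salt alphabet, but deleting `+` shortens the pool before `head -c 16`; translating instead, `tr '+' '.'`, keeps the length predictable with the same alphabet. Reading the password via `mkpasswd`'s own prompt rather than an argument is the right choice and is worth a short comment so nobody later "improves" it into a command-line parameter.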


@ -2,15 +2,11 @@
let let
inherit (pkgs) callPackage; inherit (pkgs) callPackage;
krebs = import ../../Zpkgs/krebs { inherit pkgs; };
in in
pkgs // krebs // {
{
charybdis = callPackage ./charybdis {}; charybdis = callPackage ./charybdis {};
dic = callPackage ./dic.nix {};
genid = callPackage ./genid.nix {};
github-hosts-sync = callPackage ./github-hosts-sync.nix {};
github-known_hosts = callPackage ./github-known_hosts.nix {};
lentil = callPackage ./lentil {}; lentil = callPackage ./lentil {};
much = callPackage ./much.nix {}; much = callPackage ./much.nix {};
viljetic-pages = callPackage ./viljetic-pages {}; viljetic-pages = callPackage ./viljetic-pages {};

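--- /dev/null
+++ b/default.nix
@@ -0,0 +1,20 @@
+{ user-name, system-name }:
+let
+eval = import <nixpkgs/nixos/lib/eval-config.nix> {
+system = builtins.currentSystem;
+modules = [
+(./1systems + "/${user-name}/${system-name}.nix")
+(./3modules/krebs)
+(./3modules + "/${user-name}")
+];
+};
+in
+{
+inherit (eval) config options;
+system = eval.config.system.build.toplevel;
+}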
}