Merge remote-tracking branch 'cd/master'

2015-10-22 20:21:01 +02:00 · 2015-10-22 20:21:01 +02:00 · 93dcfe5ad6
commit 93dcfe5ad6
parent 692a59423a 128e5feae9
15 changed files with 98 additions and 82 deletions
--- a/default.nix
+++ b/default.nix
@ -17,7 +17,8 @@
 { current-date ? abort "current-date not defined"
 , current-host-name ? abort "current-host-name not defined"
 , current-user-name ? builtins.getEnv "LOGNAME"
-}@current:
+, StrictHostKeyChecking ? "yes"
+}@args:

 let stockholm = {
    # The generated scripts to deploy (or infest) systems can be found in the
@ -44,10 +45,10 @@ let stockholm = {
    # Additionally, output lib and pkgs for easy access from the shell.
    # Notice how we're evaluating just the base module to obtain pkgs.
    inherit lib;
-    inherit (eval {}) pkgs;
+    inherit pkgs;
  };

-  krebs = import ./krebs (current // { inherit lib stockholm; });
+  krebs = import ./krebs (args // { inherit lib stockholm; });

  lib =
    let
@ -62,6 +63,8 @@ let stockholm = {
      nspath = ns: p: stockholm-path + "/${ns}/${p}";
    };

+  inherit (eval {}) pkgs;
+
  # Path resolvers for common and individual files.
  # Example: `upath "3modules"` produces the current user's 3modules directory
  kpath = lib.nspath "krebs";
--- a/makefu/3modules/bepasty-server.nix
+++ b/makefu/3modules/bepasty-server.nix
@ -10,7 +10,10 @@ let

  out = {
    options.krebs.bepasty = api;
-    config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ;
+    config = mkIf cfg.enable (mkMerge [
+      (mkIf cfg.serveNginx nginx-imp)
+      imp
+    ]);
  };

  api = {
@ -25,7 +28,7 @@ let
          type = with types; attrsOf unspecified;
          description = ''
            additional nginx configuration. see krebs.nginx for all options
-          '' ;
+          '';
        };

        secretKey = mkOption {
@ -52,7 +55,7 @@ let
          description = ''
            Defaults to the new users home dir which defaults to
            /var/lib/bepasty-server/data
-            '';
+          '';
          default = "${config.users.extraUsers.bepasty.home}/data";
        };

@ -65,14 +68,14 @@ let
              'myadminsecret': 'admin,list,create,read,delete',
            }
            MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
-            '';
+          '';
        };

        defaultPermissions = mkOption {
          # TODO: listOf str
          type = types.str;
          description = ''
-          default permissions for all unauthenticated users.
+            default permissions for all unauthenticated users.
          '';
          example = "read,create,delete";
          default = "read";
@ -88,42 +91,42 @@ let
    # Configures systemd services for each configured server
    # environment.systemPackages = [ bepasty gunicorn gevent ];
    systemd.services = mapAttrs' (name: server:
-      nameValuePair ("bepasty-server-${name}")
-        ({
-          description = "Bepasty Server ${name}";
-          wantedBy = [ "multi-user.target" ];
-          after = [ "network.target" ];
-          restartIfChanged = true;
-          environment = {
-            BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
-            PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
-          };
-          serviceConfig = {
-            Type = "simple";
-            PrivateTmp = true;
+      nameValuePair "bepasty-server-${name}" {
+        description = "Bepasty Server ${name}";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        restartIfChanged = true;
+        environment = {
+          BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
+          PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
+        };

-            ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
-              #!/bin/sh
-              mkdir -p "${server.dataDir}" "${server.workDir}"
-              chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
-              cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
-              SITENAME="${name}"
-              STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
-              SECRET_KEY="${server.secretKey}"
-              DEFAULT_PERMISSIONS="${server.defaultPermissions}"
-              ${server.extraConfig}
-              EOF
-            '';
-            ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
-              -u bepasty \
-              -g bepasty \
-              --workers 3 --log-level=info \
-              --bind=unix:${server.workDir}/gunicorn-${name}.sock \
-              --pid ${server.workDir}/gunicorn-${name}.pid \
-              -k gevent
-            '';
-          };
-        })
+        serviceConfig = {
+          Type = "simple";
+          PrivateTmp = true;
+
+          ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
+            #!/bin/sh
+            mkdir -p "${server.dataDir}" "${server.workDir}"
+            chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
+            cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
+            SITENAME="${name}"
+            STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
+            SECRET_KEY="${server.secretKey}"
+            DEFAULT_PERMISSIONS="${server.defaultPermissions}"
+            ${server.extraConfig}
+            EOF
+          '';
+          ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
+            -u bepasty \
+            -g bepasty \
+            --workers 3 --log-level=info \
+            --bind=unix:${server.workDir}/gunicorn-${name}.sock \
+            --pid ${server.workDir}/gunicorn-${name}.pid \
+            -k gevent
+          '';
+        };
+      }
    ) cfg.servers;

    users.extraUsers.bepasty = {
@ -137,8 +140,8 @@ let
  };

  nginx-imp = {
-    assertions = [ { assertion = config.krebs.nginx.enable;
-                      message = "krebs.nginx.enable must be true"; }];
+    assertions = [{ assertion = config.krebs.nginx.enable;
+                     message = "krebs.nginx.enable must be true"; }];

    krebs.nginx.servers = mapAttrs' (name: server:
      nameValuePair("bepasty-server-${name}")
@ -147,18 +150,15 @@ let
          client_max_body_size 32M;
          '';
        locations = [
-          (nameValuePair ("/")
-          (''
+          (nameValuePair "/" ''
            proxy_set_header Host $http_host;
            proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
-          ''))
-          (nameValuePair ("/static/")
-          (''
+           '')
+          (nameValuePair "/static/" ''
            alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
-          ''))
+          '')
          ];
-      }])
-    ) cfg.servers ;
+      }])) cfg.servers ;
  };
 in
 out
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -6,6 +6,7 @@ let

  out = {
    imports = [
+      ./bepasty-server.nix
      ./build.nix
      ./exim-retiolum.nix
      ./exim-smarthost.nix
@ -17,6 +18,7 @@ let
      ./retiolum-bootstrap.nix
      ./realwallpaper.nix
      ./retiolum.nix
+      ./tinc_graphs.nix
      ./urlwatch.nix
    ];
    options.krebs = api;
@ -103,10 +105,14 @@ let

      # Implements environment.etc."zones/<zone-name>"
      environment.etc = let
+        stripEmptyLines = s: concatStringsSep "\n"
+          (remove "\n" (remove "" (splitString "\n" s)));
        all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
-          ([cfg.zone-head-config] ++ combined-hosts) ;
+          ([cfg.zone-head-config] ++ combined-hosts);
        combined-hosts = (mapAttrsToList (name: value: value.extraZones)  cfg.hosts );
-      in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+      in lib.mapAttrs' (name: value: nameValuePair
+        ("zones/" + name)
+        { text=(stripEmptyLines value); }) all-zones;

      krebs.exim-smarthost.internet-aliases = let
        format = from: to:
--- a/makefu/3modules/tinc_graphs.nix
+++ b/makefu/3modules/tinc_graphs.nix
@ -2,12 +2,12 @@

 with lib;
 let
-  cfg = config.makefu.tinc_graphs;
+  cfg = config.krebs.tinc_graphs;
  internal_dir = "${cfg.workingDir}/internal";
  external_dir = "${cfg.workingDir}/external";

  out = {
-    options.makefu.tinc_graphs = api;
+    options.krebs.tinc_graphs = api;
    config = mkIf cfg.enable imp ;
  };

--- a/krebs/default.nix
+++ b/krebs/default.nix
@ -3,6 +3,7 @@
 , current-user-name
 , lib
 , stockholm
+, StrictHostKeyChecking ? "yes"
 }:

 let out = {
@ -131,18 +132,22 @@ let out = {
          s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
        ')
        echo "nix-env is $nix_env" >&2
-        getchrootpath() {(
+        findpkg() {(
          name=$1
-          path=$(find /mnt/nix/store \
+          path=$(find /nix/store \
              -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
            | head -n 1 | sed s:^/mnt::)
-          echo "$name is $path" >&2
-          echo "$path"
+          if echo "$path" | grep .; then
+            echo "$name is $path" >&2
+          else
+            echo "Error: package not found: $name" >&2
+            exit 1
+          fi
        )}
-        cacert=$(getchrootpath cacert)
-        coreutils=$(getchrootpath coreutils)
-        env="$coreutils/bin/env \
-            SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt"
+        cacert=$(findpkg cacert)
+        coreutils=$(findpkg coreutils)
+        cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE
+        env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE"
        sed -i '
          s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
          s:^nix-env:'"$nix_env"':
@ -260,7 +265,10 @@ let out = {
    in out;

  rootssh = target: script:
-    "ssh root@${target} -T ${doc ''
+    let
+      flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
+    in
+    "ssh ${flags} root@${target} -T ${doc ''
      set -efu
      ${script}
    ''}";
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@ -40,7 +40,7 @@ in {
  krebs.retiolum-bootstrap.enable = true;

  nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
-  makefu.tinc_graphs = {
+  krebs.tinc_graphs = {
    enable = true;
    nginx = {
      enable = true;
--- a/makefu/2configs/Reaktor/random-emoji.nix
+++ b/makefu/2configs/Reaktor/random-emoji.nix
@ -12,6 +12,7 @@ let
                        coreutils
                        gnused
                        gnugrep
+                        xmlstarlet
                        curl]);
 in {
  # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
--- a/makefu/2configs/Reaktor/random-emoji.sh
+++ b/makefu/2configs/Reaktor/random-emoji.sh
@ -2,4 +2,5 @@
 curl http://emojicons.com/random -s | \
  grep data-text | \
  sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
-  head -n 1
+  head -n 1 | \
+  xmlstarlet unesc
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@ -2,8 +2,6 @@ _:

 {
  imports = [
-    ./tinc_graphs.nix
-    ./bepasty-server.nix
  ];
 }

--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@ -114,7 +114,6 @@ with lib;
  ];

  environment.systemPackages = with pkgs; [
-    git # required for ./deploy, clone_or_update
    htop
    iftop
    iotop
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@ -88,7 +88,6 @@ in
  ];

  environment.systemPackages = with pkgs; [
-    git # required for ./deploy, clone_or_update
    htop
    iftop
    iotop
--- a/tv/1systems/nomic.nix
+++ b/tv/1systems/nomic.nix
@ -64,27 +64,24 @@ with lib;
  ];

  boot.initrd.luks = {
-    cryptoModules = [ "aes" "sha1" "xts" ];
+    cryptoModules = [ "aes" "sha512" "xts" ];
    devices = [
-      {
-        name = "luks1";
-        device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
-      }
+      { name = "luks1"; device = "/dev/sda2"; }
    ];
  };

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+    { device = "/dev/mapper/nomic1-root";
      fsType = "btrfs";
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+    { device = "/dev/sda1";
      fsType = "ext4";
    };

  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+    { device = "/dev/mapper/nomic1-home";
      fsType = "btrfs";
    };

--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@ -84,7 +84,6 @@ in
  ];

  environment.systemPackages = with pkgs; [
-    git # required for ./deploy, clone_or_update
    htop
    iftop
    iotop
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@ -37,7 +37,6 @@ with lib;

        # stockholm
        genid
-        git
        gnumake
        hashPassword
        lentil
--- a/tv/2configs/base.nix
+++ b/tv/2configs/base.nix
@ -14,6 +14,12 @@ in
  networking.hostName = config.krebs.build.host.name;

  imports = [
+    {
+      # stockholm dependencies
+      environment.systemPackages = with pkgs; [
+        git
+      ];
+    }
    {
      # TODO never put hashedPassword into the store
      users.extraUsers =