Merge remote-tracking branch 'cd/master'

lassulus 2015-10-22 20:21:01 +02:00
commit 93dcfe5ad6
15 changed files with 98 additions and 82 deletions


@ -17,7 +17,8 @@
{ current-date ? abort "current-date not defined" { current-date ? abort "current-date not defined"
, current-host-name ? abort "current-host-name not defined" , current-host-name ? abort "current-host-name not defined"
, current-user-name ? builtins.getEnv "LOGNAME" , current-user-name ? builtins.getEnv "LOGNAME"
}@current: , StrictHostKeyChecking ? "yes"
}@args:
let stockholm = { let stockholm = {
# The generated scripts to deploy (or infest) systems can be found in the # The generated scripts to deploy (or infest) systems can be found in the
@ -44,10 +45,10 @@ let stockholm = {
# Additionally, output lib and pkgs for easy access from the shell. # Additionally, output lib and pkgs for easy access from the shell.
# Notice how we're evaluating just the base module to obtain pkgs. # Notice how we're evaluating just the base module to obtain pkgs.
inherit lib; inherit lib;
inherit (eval {}) pkgs; inherit pkgs;
}; };
krebs = import ./krebs (current // { inherit lib stockholm; }); krebs = import ./krebs (args // { inherit lib stockholm; });
lib = lib =
let let
@ -62,6 +63,8 @@ let stockholm = {
nspath = ns: p: stockholm-path + "/${ns}/${p}"; nspath = ns: p: stockholm-path + "/${ns}/${p}";
}; };
inherit (eval {}) pkgs;
# Path resolvers for common and individual files. # Path resolvers for common and individual files.
# Example: `upath "3modules"` produces the current user's 3modules directory # Example: `upath "3modules"` produces the current user's 3modules directory
kpath = lib.nspath "krebs"; kpath = lib.nspath "krebs";


@ -10,7 +10,10 @@ let
out = { out = {
options.krebs.bepasty = api; options.krebs.bepasty = api;
config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; config = mkIf cfg.enable (mkMerge [
(mkIf cfg.serveNginx nginx-imp)
imp
]);
}; };
api = { api = {
@ -25,7 +28,7 @@ let
type = with types; attrsOf unspecified; type = with types; attrsOf unspecified;
description = '' description = ''
additional nginx configuration. see krebs.nginx for all options additional nginx configuration. see krebs.nginx for all options
'' ; '';
}; };
secretKey = mkOption { secretKey = mkOption {
@ -52,7 +55,7 @@ let
description = '' description = ''
Defaults to the new users home dir which defaults to Defaults to the new users home dir which defaults to
/var/lib/bepasty-server/data /var/lib/bepasty-server/data
''; '';
default = "${config.users.extraUsers.bepasty.home}/data"; default = "${config.users.extraUsers.bepasty.home}/data";
}; };
@ -65,14 +68,14 @@ let
'myadminsecret': 'admin,list,create,read,delete', 'myadminsecret': 'admin,list,create,read,delete',
} }
MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
''; '';
}; };
defaultPermissions = mkOption { defaultPermissions = mkOption {
# TODO: listOf str # TODO: listOf str
type = types.str; type = types.str;
description = '' description = ''
default permissions for all unauthenticated users. default permissions for all unauthenticated users.
''; '';
example = "read,create,delete"; example = "read,create,delete";
default = "read"; default = "read";
@ -88,42 +91,42 @@ let
# Configures systemd services for each configured server # Configures systemd services for each configured server
# environment.systemPackages = [ bepasty gunicorn gevent ]; # environment.systemPackages = [ bepasty gunicorn gevent ];
systemd.services = mapAttrs' (name: server: systemd.services = mapAttrs' (name: server:
nameValuePair ("bepasty-server-${name}") nameValuePair "bepasty-server-${name}" {
({ description = "Bepasty Server ${name}";
description = "Bepasty Server ${name}"; wantedBy = [ "multi-user.target" ];
wantedBy = [ "multi-user.target" ]; after = [ "network.target" ];
after = [ "network.target" ]; restartIfChanged = true;
restartIfChanged = true; environment = {
environment = { BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; };
};
serviceConfig = {
Type = "simple";
PrivateTmp = true;
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' serviceConfig = {
#!/bin/sh Type = "simple";
mkdir -p "${server.dataDir}" "${server.workDir}" PrivateTmp = true;
chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
cat > "${server.workDir}/bepasty-${name}.conf" <<EOF ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
SITENAME="${name}" #!/bin/sh
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}" mkdir -p "${server.dataDir}" "${server.workDir}"
SECRET_KEY="${server.secretKey}" chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
DEFAULT_PERMISSIONS="${server.defaultPermissions}" cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
${server.extraConfig} SITENAME="${name}"
EOF STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
''; SECRET_KEY="${server.secretKey}"
ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \ DEFAULT_PERMISSIONS="${server.defaultPermissions}"
-u bepasty \ ${server.extraConfig}
-g bepasty \ EOF
--workers 3 --log-level=info \ '';
--bind=unix:${server.workDir}/gunicorn-${name}.sock \ ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
--pid ${server.workDir}/gunicorn-${name}.pid \ -u bepasty \
-k gevent -g bepasty \
''; --workers 3 --log-level=info \
}; --bind=unix:${server.workDir}/gunicorn-${name}.sock \
}) --pid ${server.workDir}/gunicorn-${name}.pid \
-k gevent
'';
};
}
) cfg.servers; ) cfg.servers;
users.extraUsers.bepasty = { users.extraUsers.bepasty = {
@ -137,8 +140,8 @@ let
}; };
nginx-imp = { nginx-imp = {
assertions = [ { assertion = config.krebs.nginx.enable; assertions = [{ assertion = config.krebs.nginx.enable;
message = "krebs.nginx.enable must be true"; }]; message = "krebs.nginx.enable must be true"; }];
krebs.nginx.servers = mapAttrs' (name: server: krebs.nginx.servers = mapAttrs' (name: server:
nameValuePair("bepasty-server-${name}") nameValuePair("bepasty-server-${name}")
@ -147,18 +150,15 @@ let
client_max_body_size 32M; client_max_body_size 32M;
''; '';
locations = [ locations = [
(nameValuePair ("/") (nameValuePair "/" ''
(''
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock; proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
'')) '')
(nameValuePair ("/static/") (nameValuePair "/static/" ''
(''
alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
'')) '')
]; ];
}]) }])) cfg.servers ;
) cfg.servers ;
}; };
in in
out out
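Review bot: The config rendered by `ExecStartPre` holds `SECRET_KEY` and, via `extraConfig`, the admin secrets shown in the option example, yet `cat > "${server.workDir}/bepasty-${name}.conf"` creates it under the default umask (normally world-readable) and the `chown` covers only the two directories, leaving the file owned by root. Adding `umask 077` before the heredoc and chowning the file as well, `chown bepasty:bepasty "${server.workDir}/bepasty-${name}.conf"`, restricts it to the service user that `gunicorn -u bepasty` runs as. Separately, `server.secretKey` is interpolated into a `pkgs.writeScript` derivation, so the secret also lands in the world-readable Nix store; that predates this commit, but a `# TODO: secretKey is copied into /nix/store; read it from a file at runtime instead` comment above `ExecStartPre` would keep it from being forgotten in the move to the krebs namespace.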


@ -6,6 +6,7 @@ let
out = { out = {
imports = [ imports = [
./bepasty-server.nix
./build.nix ./build.nix
./exim-retiolum.nix ./exim-retiolum.nix
./exim-smarthost.nix ./exim-smarthost.nix
@ -17,6 +18,7 @@ let
./retiolum-bootstrap.nix ./retiolum-bootstrap.nix
./realwallpaper.nix ./realwallpaper.nix
./retiolum.nix ./retiolum.nix
./tinc_graphs.nix
./urlwatch.nix ./urlwatch.nix
]; ];
options.krebs = api; options.krebs = api;
@ -103,10 +105,14 @@ let
# Implements environment.etc."zones/<zone-name>" # Implements environment.etc."zones/<zone-name>"
environment.etc = let environment.etc = let
stripEmptyLines = s: concatStringsSep "\n"
(remove "\n" (remove "" (splitString "\n" s)));
all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
([cfg.zone-head-config] ++ combined-hosts) ; ([cfg.zone-head-config] ++ combined-hosts);
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones; in lib.mapAttrs' (name: value: nameValuePair
("zones/" + name)
{ text=(stripEmptyLines value); }) all-zones;
krebs.exim-smarthost.internet-aliases = let krebs.exim-smarthost.internet-aliases = let
format = from: to: format = from: to:
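Review bot: In `stripEmptyLines` the inner `remove "\n"` is dead code, because no element produced by `splitString "\n" s` can still contain the separator; `concatStringsSep "\n" (remove "" (splitString "\n" s))` is equivalent and reads more clearly. The helper also keeps whitespace-only lines, which is fine for zone files but worth a one-line comment such as `# drops empty lines only; whitespace-only lines are kept` so the next reader does not assume it trims. The surrounding `environment.etc` attribute continues outside the hunk.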


@ -2,12 +2,12 @@
with lib; with lib;
let let
cfg = config.makefu.tinc_graphs; cfg = config.krebs.tinc_graphs;
internal_dir = "${cfg.workingDir}/internal"; internal_dir = "${cfg.workingDir}/internal";
external_dir = "${cfg.workingDir}/external"; external_dir = "${cfg.workingDir}/external";
out = { out = {
options.makefu.tinc_graphs = api; options.krebs.tinc_graphs = api;
config = mkIf cfg.enable imp ; config = mkIf cfg.enable imp ;
}; };


@ -3,6 +3,7 @@
, current-user-name , current-user-name
, lib , lib
, stockholm , stockholm
, StrictHostKeyChecking ? "yes"
}: }:
let out = { let out = {
@ -131,18 +132,22 @@ let out = {
s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
') ')
echo "nix-env is $nix_env" >&2 echo "nix-env is $nix_env" >&2
getchrootpath() {( findpkg() {(
name=$1 name=$1
path=$(find /mnt/nix/store \ path=$(find /nix/store \
-mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \ -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
| head -n 1 | sed s:^/mnt::) | head -n 1 | sed s:^/mnt::)
echo "$name is $path" >&2 if echo "$path" | grep .; then
echo "$path" echo "$name is $path" >&2
else
echo "Error: package not found: $name" >&2
exit 1
fi
)} )}
cacert=$(getchrootpath cacert) cacert=$(findpkg cacert)
coreutils=$(getchrootpath coreutils) coreutils=$(findpkg coreutils)
env="$coreutils/bin/env \ cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE
SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt" env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE"
sed -i ' sed -i '
s:^NIX_PATH=:chroot $mountPoint '"$env"' &: s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
s:^nix-env:'"$nix_env"': s:^nix-env:'"$nix_env"':
@ -260,7 +265,10 @@ let out = {
in out; in out;
rootssh = target: script: rootssh = target: script:
"ssh root@${target} -T ${doc '' let
flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
in
"ssh ${flags} root@${target} -T ${doc ''
set -efu set -efu
${script} ${script}
''}"; ''}";
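Review bot: `StrictHostKeyChecking` is interpolated unvalidated into the ssh command line in `rootssh`, so a value like `"no -o UserKnownHostsFile=/dev/null"` silently becomes extra ssh options on a command that logs in as root; restricting it to what ssh accepts, e.g. `rootssh = target: script: assert lib.elem StrictHostKeyChecking ["yes" "no" "ask"]; let`, closes that while keeping the sensible `"yes"` default. In `findpkg`, `sed s:^/mnt::` is a leftover from the old `/mnt/nix/store` search and is now a no-op, and `'*-'"$name"'-*' | head -n 1` takes whichever `cacert` or `coreutils` store path `find` happens to list first rather than the one the deploying system actually uses, so a stale CA bundle can be copied without any error. The `cp` target `/mnt/root/SSL_CERT_FILE` also hard-codes `/mnt` where the following `sed` line refers to `$mountPoint`, which appears to be the same prefix; if so, `"$mountPoint"/root/SSL_CERT_FILE` would keep the two consistent.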


@ -40,7 +40,7 @@ in {
krebs.retiolum-bootstrap.enable = true; krebs.retiolum-bootstrap.enable = true;
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
makefu.tinc_graphs = { krebs.tinc_graphs = {
enable = true; enable = true;
nginx = { nginx = {
enable = true; enable = true;


@ -12,6 +12,7 @@ let
coreutils coreutils
gnused gnused
gnugrep gnugrep
xmlstarlet
curl]); curl]);
in { in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm


@ -2,4 +2,5 @@
curl http://emojicons.com/random -s | \ curl http://emojicons.com/random -s | \
grep data-text | \ grep data-text | \
sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \ sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
head -n 1 head -n 1 | \
xmlstarlet unesc
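Review bot: Piping the `head -n 1` result through `xmlstarlet unesc` turns entity-encoded remote content into raw characters, and the source is fetched over plain `http://`, so the script now prints unauthenticated, unescaped data from a third-party page; if the output is ever consumed by a terminal or a shell string, control and escape sequences from the page pass straight through. If the site serves TLS, `curl -sf --max-time 10 https://emojicons.com/random` would authenticate the origin and stop an HTML error page from flowing into the pipeline on failure, and a `| tr -d '\000-\037'` after `unesc` is a cheap guard against control characters. The script's first line is outside the hunk.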


@ -2,8 +2,6 @@ _:
{ {
imports = [ imports = [
./tinc_graphs.nix
./bepasty-server.nix
]; ];
} }


@ -114,7 +114,6 @@ with lib;
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git # required for ./deploy, clone_or_update
htop htop
iftop iftop
iotop iotop


@ -88,7 +88,6 @@ in
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git # required for ./deploy, clone_or_update
htop htop
iftop iftop
iotop iotop


@ -64,27 +64,24 @@ with lib;
]; ];
boot.initrd.luks = { boot.initrd.luks = {
cryptoModules = [ "aes" "sha1" "xts" ]; cryptoModules = [ "aes" "sha512" "xts" ];
devices = [ devices = [
{ { name = "luks1"; device = "/dev/sda2"; }
name = "luks1";
device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
}
]; ];
}; };
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; { device = "/dev/mapper/nomic1-root";
fsType = "btrfs"; fsType = "btrfs";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; { device = "/dev/sda1";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/home" = fileSystems."/home" =
{ device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; { device = "/dev/mapper/nomic1-home";
fsType = "btrfs"; fsType = "btrfs";
}; };
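Review bot: Replacing `/dev/disk/by-uuid/...` with `/dev/sda2` for the LUKS device and `/dev/sda1` for `/boot` ties boot to kernel enumeration order, so an extra disk or USB stick present at boot can make the initrd try to unlock or mount the wrong device; the by-uuid paths the old side used, or `/dev/disk/by-id/...`, are the stable form, and the `/dev/mapper/nomic1-*` references work unchanged with either. `cryptoModules` now lists `sha512` and drops `sha1`, but the hash module in the initrd must match the one recorded in the LUKS header (`cryptsetup luksDump /dev/sda2`), so this only unlocks if the header was created with sha512, and a mismatch surfaces only at boot; a short comment on that line, e.g. `# must match the PBKDF hash in the LUKS header`, would record the dependency.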


@ -84,7 +84,6 @@ in
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git # required for ./deploy, clone_or_update
htop htop
iftop iftop
iotop iotop


@ -37,7 +37,6 @@ with lib;
# stockholm # stockholm
genid genid
git
gnumake gnumake
hashPassword hashPassword
lentil lentil


@ -14,6 +14,12 @@ in
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;
imports = [ imports = [
{
# stockholm dependencies
environment.systemPackages = with pkgs; [
git
];
}
{ {
# TODO never put hashedPassword into the store # TODO never put hashedPassword into the store
users.extraUsers = users.extraUsers =