Merge remote-tracking branch 'cd/master'
commit
93dcfe5ad6
@ -17,7 +17,8 @@
|
|||||||
{ current-date ? abort "current-date not defined"
|
{ current-date ? abort "current-date not defined"
|
||||||
, current-host-name ? abort "current-host-name not defined"
|
, current-host-name ? abort "current-host-name not defined"
|
||||||
, current-user-name ? builtins.getEnv "LOGNAME"
|
, current-user-name ? builtins.getEnv "LOGNAME"
|
||||||
}@current:
|
, StrictHostKeyChecking ? "yes"
|
||||||
|
}@args:
|
||||||
|
|
||||||
let stockholm = {
|
let stockholm = {
|
||||||
# The generated scripts to deploy (or infest) systems can be found in the
|
# The generated scripts to deploy (or infest) systems can be found in the
|
||||||
@ -44,10 +45,10 @@ let stockholm = {
|
|||||||
# Additionally, output lib and pkgs for easy access from the shell.
|
# Additionally, output lib and pkgs for easy access from the shell.
|
||||||
# Notice how we're evaluating just the base module to obtain pkgs.
|
# Notice how we're evaluating just the base module to obtain pkgs.
|
||||||
inherit lib;
|
inherit lib;
|
||||||
inherit (eval {}) pkgs;
|
inherit pkgs;
|
||||||
};
|
};
|
||||||
|
|
||||||
krebs = import ./krebs (current // { inherit lib stockholm; });
|
krebs = import ./krebs (args // { inherit lib stockholm; });
|
||||||
|
|
||||||
lib =
|
lib =
|
||||||
let
|
let
|
||||||
@ -62,6 +63,8 @@ let stockholm = {
|
|||||||
nspath = ns: p: stockholm-path + "/${ns}/${p}";
|
nspath = ns: p: stockholm-path + "/${ns}/${p}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
inherit (eval {}) pkgs;
|
||||||
|
|
||||||
# Path resolvers for common and individual files.
|
# Path resolvers for common and individual files.
|
||||||
# Example: `upath "3modules"` produces the current user's 3modules directory
|
# Example: `upath "3modules"` produces the current user's 3modules directory
|
||||||
kpath = lib.nspath "krebs";
|
kpath = lib.nspath "krebs";
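Review bot: The new `StrictHostKeyChecking ? "yes"` argument in the first hunk carries no comment, and unlike the date/host/user arguments its effect is not obvious from the name; add one line above it, `# Forwarded to ssh as -o StrictHostKeyChecking=…; "yes" rejects unknown or changed host keys, so override it only while bootstrapping a host whose key is not yet in known_hosts.` Because `krebs = import ./krebs (args // { inherit lib stockholm; })` now forwards every top-level argument, and the parameter set in krebs/default.nix (patched in this commit) has no `...`, every argument added here must also be declared there or evaluation fails with an unexpected-argument error; a short comment next to the import recording that coupling would save the next person that surprise. The enclosing file header is outside the hunk.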
|
||||||
|
@ -10,7 +10,10 @@ let
|
|||||||
|
|
||||||
out = {
|
out = {
|
||||||
options.krebs.bepasty = api;
|
options.krebs.bepasty = api;
|
||||||
config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ;
|
config = mkIf cfg.enable (mkMerge [
|
||||||
|
(mkIf cfg.serveNginx nginx-imp)
|
||||||
|
imp
|
||||||
|
]);
|
||||||
};
|
};
|
||||||
|
|
||||||
api = {
|
api = {
|
||||||
@ -25,7 +28,7 @@ let
|
|||||||
type = with types; attrsOf unspecified;
|
type = with types; attrsOf unspecified;
|
||||||
description = ''
|
description = ''
|
||||||
additional nginx configuration. see krebs.nginx for all options
|
additional nginx configuration. see krebs.nginx for all options
|
||||||
'' ;
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
secretKey = mkOption {
|
secretKey = mkOption {
|
||||||
@ -52,7 +55,7 @@ let
|
|||||||
description = ''
|
description = ''
|
||||||
Defaults to the new users home dir which defaults to
|
Defaults to the new users home dir which defaults to
|
||||||
/var/lib/bepasty-server/data
|
/var/lib/bepasty-server/data
|
||||||
'';
|
'';
|
||||||
default = "${config.users.extraUsers.bepasty.home}/data";
|
default = "${config.users.extraUsers.bepasty.home}/data";
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -65,14 +68,14 @@ let
|
|||||||
'myadminsecret': 'admin,list,create,read,delete',
|
'myadminsecret': 'admin,list,create,read,delete',
|
||||||
}
|
}
|
||||||
MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
|
MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
defaultPermissions = mkOption {
|
defaultPermissions = mkOption {
|
||||||
# TODO: listOf str
|
# TODO: listOf str
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = ''
|
description = ''
|
||||||
default permissions for all unauthenticated users.
|
default permissions for all unauthenticated users.
|
||||||
'';
|
'';
|
||||||
example = "read,create,delete";
|
example = "read,create,delete";
|
||||||
default = "read";
|
default = "read";
|
||||||
@ -88,42 +91,42 @@ let
|
|||||||
# Configures systemd services for each configured server
|
# Configures systemd services for each configured server
|
||||||
# environment.systemPackages = [ bepasty gunicorn gevent ];
|
# environment.systemPackages = [ bepasty gunicorn gevent ];
|
||||||
systemd.services = mapAttrs' (name: server:
|
systemd.services = mapAttrs' (name: server:
|
||||||
nameValuePair ("bepasty-server-${name}")
|
nameValuePair "bepasty-server-${name}" {
|
||||||
({
|
description = "Bepasty Server ${name}";
|
||||||
description = "Bepasty Server ${name}";
|
wantedBy = [ "multi-user.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
after = [ "network.target" ];
|
||||||
after = [ "network.target" ];
|
restartIfChanged = true;
|
||||||
restartIfChanged = true;
|
environment = {
|
||||||
environment = {
|
BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
|
||||||
BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf";
|
PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
|
||||||
PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages";
|
};
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "simple";
|
|
||||||
PrivateTmp = true;
|
|
||||||
|
|
||||||
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
|
serviceConfig = {
|
||||||
#!/bin/sh
|
Type = "simple";
|
||||||
mkdir -p "${server.dataDir}" "${server.workDir}"
|
PrivateTmp = true;
|
||||||
chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
|
|
||||||
cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
|
ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" ''
|
||||||
SITENAME="${name}"
|
#!/bin/sh
|
||||||
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
|
mkdir -p "${server.dataDir}" "${server.workDir}"
|
||||||
SECRET_KEY="${server.secretKey}"
|
chown bepasty:bepasty "${server.workDir}" "${server.dataDir}"
|
||||||
DEFAULT_PERMISSIONS="${server.defaultPermissions}"
|
cat > "${server.workDir}/bepasty-${name}.conf" <<EOF
|
||||||
${server.extraConfig}
|
SITENAME="${name}"
|
||||||
EOF
|
STORAGE_FILESYSTEM_DIRECTORY="${server.dataDir}"
|
||||||
'';
|
SECRET_KEY="${server.secretKey}"
|
||||||
ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
|
DEFAULT_PERMISSIONS="${server.defaultPermissions}"
|
||||||
-u bepasty \
|
${server.extraConfig}
|
||||||
-g bepasty \
|
EOF
|
||||||
--workers 3 --log-level=info \
|
'';
|
||||||
--bind=unix:${server.workDir}/gunicorn-${name}.sock \
|
ExecStart = ''${gunicorn}/bin/gunicorn bepasty.wsgi --name ${name} \
|
||||||
--pid ${server.workDir}/gunicorn-${name}.pid \
|
-u bepasty \
|
||||||
-k gevent
|
-g bepasty \
|
||||||
'';
|
--workers 3 --log-level=info \
|
||||||
};
|
--bind=unix:${server.workDir}/gunicorn-${name}.sock \
|
||||||
})
|
--pid ${server.workDir}/gunicorn-${name}.pid \
|
||||||
|
-k gevent
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
) cfg.servers;
|
) cfg.servers;
|
||||||
|
|
||||||
users.extraUsers.bepasty = {
|
users.extraUsers.bepasty = {
|
||||||
@ -137,8 +140,8 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
nginx-imp = {
|
nginx-imp = {
|
||||||
assertions = [ { assertion = config.krebs.nginx.enable;
|
assertions = [{ assertion = config.krebs.nginx.enable;
|
||||||
message = "krebs.nginx.enable must be true"; }];
|
message = "krebs.nginx.enable must be true"; }];
|
||||||
|
|
||||||
krebs.nginx.servers = mapAttrs' (name: server:
|
krebs.nginx.servers = mapAttrs' (name: server:
|
||||||
nameValuePair("bepasty-server-${name}")
|
nameValuePair("bepasty-server-${name}")
|
||||||
@ -147,18 +150,15 @@ let
|
|||||||
client_max_body_size 32M;
|
client_max_body_size 32M;
|
||||||
'';
|
'';
|
||||||
locations = [
|
locations = [
|
||||||
(nameValuePair ("/")
|
(nameValuePair "/" ''
|
||||||
(''
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
|
proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock;
|
||||||
''))
|
'')
|
||||||
(nameValuePair ("/static/")
|
(nameValuePair "/static/" ''
|
||||||
(''
|
|
||||||
alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
|
alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/;
|
||||||
''))
|
'')
|
||||||
];
|
];
|
||||||
}])
|
}])) cfg.servers ;
|
||||||
) cfg.servers ;
|
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
out
|
out
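Review bot: The ExecStartPre script in the hunk at -88 interpolates `${server.secretKey}` into `pkgs.writeScript`, so the secret ends up in the world-readable Nix store, and it is written again to `${server.workDir}/bepasty-${name}.conf` by `cat >` under the default umask before the chown runs; the restructuring keeps both as they were. If the key is meant to stay out of the store, take it from a file path option rather than a string; at minimum put `umask 077` before the `cat >` and state the exposure in the secretKey option description (not in this hunk). Note also that `assert server.secretKey != ""` rejects only the empty string, so a placeholder value passes the check.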
|
@ -6,6 +6,7 @@ let
|
|||||||
|
|
||||||
out = {
|
out = {
|
||||||
imports = [
|
imports = [
|
||||||
|
./bepasty-server.nix
|
||||||
./build.nix
|
./build.nix
|
||||||
./exim-retiolum.nix
|
./exim-retiolum.nix
|
||||||
./exim-smarthost.nix
|
./exim-smarthost.nix
|
||||||
@ -17,6 +18,7 @@ let
|
|||||||
./retiolum-bootstrap.nix
|
./retiolum-bootstrap.nix
|
||||||
./realwallpaper.nix
|
./realwallpaper.nix
|
||||||
./retiolum.nix
|
./retiolum.nix
|
||||||
|
./tinc_graphs.nix
|
||||||
./urlwatch.nix
|
./urlwatch.nix
|
||||||
];
|
];
|
||||||
options.krebs = api;
|
options.krebs = api;
|
||||||
@ -103,10 +105,14 @@ let
|
|||||||
|
|
||||||
# Implements environment.etc."zones/<zone-name>"
|
# Implements environment.etc."zones/<zone-name>"
|
||||||
environment.etc = let
|
environment.etc = let
|
||||||
|
stripEmptyLines = s: concatStringsSep "\n"
|
||||||
|
(remove "\n" (remove "" (splitString "\n" s)));
|
||||||
all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
|
all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
|
||||||
([cfg.zone-head-config] ++ combined-hosts) ;
|
([cfg.zone-head-config] ++ combined-hosts);
|
||||||
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
|
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
|
||||||
in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
|
in lib.mapAttrs' (name: value: nameValuePair
|
||||||
|
("zones/" + name)
|
||||||
|
{ text=(stripEmptyLines value); }) all-zones;
|
||||||
|
|
||||||
krebs.exim-smarthost.internet-aliases = let
|
krebs.exim-smarthost.internet-aliases = let
|
||||||
format = from: to:
|
format = from: to:
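Review bot: In stripEmptyLines (hunk at -103) the inner `remove "\n"` can never match, because `splitString "\n" s` already yields elements without newlines; `(remove "" (splitString "\n" s))` is equivalent and reads more clearly. Lines made only of whitespace are not treated as empty, so such a line survives into the generated zone file; if that is intended, say so on the binding, e.g. `# drop empty (not whitespace-only) lines from the generated zone file`.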
|
||||||
|
@ -2,12 +2,12 @@
|
|||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
cfg = config.makefu.tinc_graphs;
|
cfg = config.krebs.tinc_graphs;
|
||||||
internal_dir = "${cfg.workingDir}/internal";
|
internal_dir = "${cfg.workingDir}/internal";
|
||||||
external_dir = "${cfg.workingDir}/external";
|
external_dir = "${cfg.workingDir}/external";
|
||||||
|
|
||||||
out = {
|
out = {
|
||||||
options.makefu.tinc_graphs = api;
|
options.krebs.tinc_graphs = api;
|
||||||
config = mkIf cfg.enable imp ;
|
config = mkIf cfg.enable imp ;
|
||||||
};
|
};
|
||||||
|
|
@ -3,6 +3,7 @@
|
|||||||
, current-user-name
|
, current-user-name
|
||||||
, lib
|
, lib
|
||||||
, stockholm
|
, stockholm
|
||||||
|
, StrictHostKeyChecking ? "yes"
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let out = {
|
let out = {
|
||||||
@ -131,18 +132,22 @@ let out = {
|
|||||||
s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
|
s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
|
||||||
')
|
')
|
||||||
echo "nix-env is $nix_env" >&2
|
echo "nix-env is $nix_env" >&2
|
||||||
getchrootpath() {(
|
findpkg() {(
|
||||||
name=$1
|
name=$1
|
||||||
path=$(find /mnt/nix/store \
|
path=$(find /nix/store \
|
||||||
-mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
|
-mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
|
||||||
| head -n 1 | sed s:^/mnt::)
|
| head -n 1 | sed s:^/mnt::)
|
||||||
echo "$name is $path" >&2
|
if echo "$path" | grep .; then
|
||||||
echo "$path"
|
echo "$name is $path" >&2
|
||||||
|
else
|
||||||
|
echo "Error: package not found: $name" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
)}
|
)}
|
||||||
cacert=$(getchrootpath cacert)
|
cacert=$(findpkg cacert)
|
||||||
coreutils=$(getchrootpath coreutils)
|
coreutils=$(findpkg coreutils)
|
||||||
env="$coreutils/bin/env \
|
cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE
|
||||||
SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt"
|
env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE"
|
||||||
sed -i '
|
sed -i '
|
||||||
s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
|
s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
|
||||||
s:^nix-env:'"$nix_env"':
|
s:^nix-env:'"$nix_env"':
|
||||||
@ -260,7 +265,10 @@ let out = {
|
|||||||
in out;
|
in out;
|
||||||
|
|
||||||
rootssh = target: script:
|
rootssh = target: script:
|
||||||
"ssh root@${target} -T ${doc ''
|
let
|
||||||
|
flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
|
||||||
|
in
|
||||||
|
"ssh ${flags} root@${target} -T ${doc ''
|
||||||
set -efu
|
set -efu
|
||||||
${script}
|
${script}
|
||||||
''}";
|
''}";
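Review bot: In findpkg (hunk at -131) the trailing `sed s:^/mnt::` is dead now that the search root is `/nix/store` instead of `/mnt/nix/store`; drop it, otherwise a reader assumes the result is still rewritten relative to the target root. The lookup also takes the first store path matching `'*-'"$name"'-*'`, so for `cacert` whichever matching directory find lists first becomes the CA bundle that `nix-env` trusts inside the chroot; matching on the full name-version form or a pinned path would make that deterministic. `cp … /mnt/root/SSL_CERT_FILE` hardcodes the mount point while the sed rule below keys on nixos-install's `$mountPoint`, which is fine only if this script always mounts at /mnt (the enclosing script starts outside the hunk). In rootssh (hunk at -260) `flags` splices the StrictHostKeyChecking value unquoted into the ssh command line; an assert restricting it to the values ssh accepts (yes/no/ask) would catch a typo before it reaches the shell.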
|
||||||
|
@ -40,7 +40,7 @@ in {
|
|||||||
krebs.retiolum-bootstrap.enable = true;
|
krebs.retiolum-bootstrap.enable = true;
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
|
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
|
||||||
makefu.tinc_graphs = {
|
krebs.tinc_graphs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
nginx = {
|
nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -12,6 +12,7 @@ let
|
|||||||
coreutils
|
coreutils
|
||||||
gnused
|
gnused
|
||||||
gnugrep
|
gnugrep
|
||||||
|
xmlstarlet
|
||||||
curl]);
|
curl]);
|
||||||
in {
|
in {
|
||||||
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
|
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
|
||||||
|
@ -2,4 +2,5 @@
|
|||||||
curl http://emojicons.com/random -s | \
|
curl http://emojicons.com/random -s | \
|
||||||
grep data-text | \
|
grep data-text | \
|
||||||
sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
|
sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
|
||||||
head -n 1
|
head -n 1 | \
|
||||||
|
xmlstarlet unesc
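Review bot: The fetch is `curl … -s` without `-f`, so an HTTP error page from the remote is piped through grep/sed/xmlstarlet and whatever survives becomes the script's output; `curl -sf http://emojicons.com/random | \` turns a failed fetch into an empty result instead. The content arrives over plain HTTP and is unauthenticated, and `xmlstarlet unesc` now converts entities back into raw characters, so anything consuming this output should treat it as untrusted text.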
|
||||||
|
@ -2,8 +2,6 @@ _:
|
|||||||
|
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./tinc_graphs.nix
|
|
||||||
./bepasty-server.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -114,7 +114,6 @@ with lib;
|
|||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git # required for ./deploy, clone_or_update
|
|
||||||
htop
|
htop
|
||||||
iftop
|
iftop
|
||||||
iotop
|
iotop
|
||||||
|
@ -88,7 +88,6 @@ in
|
|||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git # required for ./deploy, clone_or_update
|
|
||||||
htop
|
htop
|
||||||
iftop
|
iftop
|
||||||
iotop
|
iotop
|
||||||
|
@ -64,27 +64,24 @@ with lib;
|
|||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.luks = {
|
boot.initrd.luks = {
|
||||||
cryptoModules = [ "aes" "sha1" "xts" ];
|
cryptoModules = [ "aes" "sha512" "xts" ];
|
||||||
devices = [
|
devices = [
|
||||||
{
|
{ name = "luks1"; device = "/dev/sda2"; }
|
||||||
name = "luks1";
|
|
||||||
device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
|
|
||||||
}
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
|
{ device = "/dev/mapper/nomic1-root";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
|
{ device = "/dev/sda1";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/home" =
|
fileSystems."/home" =
|
||||||
{ device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
|
{ device = "/dev/mapper/nomic1-home";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
};
|
};
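Review bot: The LUKS container and `/boot` are now addressed as `/dev/sda2` and `/dev/sda1`, which depend on device enumeration order at boot, whereas the replaced by-uuid paths did not. If the partitions were recreated and the old UUIDs no longer exist, point at the new ones (`/dev/disk/by-uuid/<new-uuid>`, placeholder) or at a `/dev/disk/by-id/` path, and keep `/dev/mapper/nomic1-root` and `nomic1-home` for the unlocked volumes. The `cryptoModules` change from `sha1` to `sha512` presumably matches the hash the LUKS header was formatted with; a one-line comment recording that would spare the next reader from guessing.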
|
||||||
|
|
||||||
|
@ -84,7 +84,6 @@ in
|
|||||||
];
|
];
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git # required for ./deploy, clone_or_update
|
|
||||||
htop
|
htop
|
||||||
iftop
|
iftop
|
||||||
iotop
|
iotop
|
||||||
|
@ -37,7 +37,6 @@ with lib;
|
|||||||
|
|
||||||
# stockholm
|
# stockholm
|
||||||
genid
|
genid
|
||||||
git
|
|
||||||
gnumake
|
gnumake
|
||||||
hashPassword
|
hashPassword
|
||||||
lentil
|
lentil
|
||||||
|
@ -14,6 +14,12 @@ in
|
|||||||
networking.hostName = config.krebs.build.host.name;
|
networking.hostName = config.krebs.build.host.name;
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
|
{
|
||||||
|
# stockholm dependencies
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
git
|
||||||
|
];
|
||||||
|
}
|
||||||
{
|
{
|
||||||
# TODO never put hashedPassword into the store
|
# TODO never put hashedPassword into the store
|
||||||
users.extraUsers =
|
users.extraUsers =
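Review bot: The new inline module is labelled only `# stockholm dependencies`, while the per-host entries it replaces (the hunks at -114, -88, -84 and -37) carried `git # required for ./deploy, clone_or_update`; that reason is now lost. Keep it on the package line, `git # required by ./deploy (clone_or_update)`, so nobody removes git from this list later. The enclosing attribute set starts outside the hunk.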
|
||||||
|