next: initial commit

2015-05-21 22:33:16 +02:00 · 2015-05-21 22:33:16 +02:00 · ac76439405
commit ac76439405
parent b27ec1aafa
8 changed files with 101 additions and 4 deletions
--- a/modules/cd/default.nix
+++ b/modules/cd/default.nix
@ -3,7 +3,7 @@
 {
  imports =
    [
-      <secrets/cd.hashedPasswords.nix>
+      <secrets/hashedPasswords.nix>
      ./iptables.nix
      ./networking.nix
      ../common/nixpkgs.nix
--- a/modules/tv/ejabberd.nix
+++ b/modules/tv/ejabberd.nix
@ -221,7 +221,7 @@ in
                %% file and uncomment this line:
                %%
                starttls,
-                {certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"},
+                {certfile, "/etc/ejabberd/ejabberd.pem"},

                {access, c2s},
                {shaper, c2s_shaper},
@ -274,7 +274,7 @@ in
          %%
          %% s2s_certfile: Specify a certificate file.
          %%
-          {s2s_certfile, "/etc/nixos/secrets/ejabberd.cd.retiolum.pem"}.
+          {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

          %%
          %% domain_certfile: Specify a different certificate for each served hostname.
--- a/modules/wu/users.nix
+++ b/modules/wu/users.nix
@ -210,7 +210,7 @@ in

 {
  imports = [
-    <secrets/wu.hashedPasswords.nix>
+    <secrets/hashedPasswords.nix>
  ];

  users.defaultUserShell = "/run/current-system/sw/bin/bash";
--- a/next/bin/build
+++ b/next/bin/build
@ -0,0 +1,22 @@
+#! /bin/sh
+#
+# build : hostname -> system-path
+#
+set -euf
+
+host=$1
+
+#target=root@$host
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+nix-build \
+    -I "$nixpkgs" \
+    -I nixos-config="$nixos_config" \
+    -I retiolum-hosts="$retiolum_hosts" \
+    -I secrets="$secrets_nix" \
+    -A system \
+    --no-out-link \
+    '<nixos>'
--- a/next/bin/copy-secrets
+++ b/next/bin/copy-secrets
@ -0,0 +1,28 @@
+#! /bin/sh
+set -euf
+
+host=$1
+
+target=root@$host
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+if ! test -e "$secrets_rsync"; then
+  exit # nothing to do
+fi
+
+retiolum_secret=$(query $host services.retiolum.privateKeyFile)
+retiolum_uid=$(query $host users.extraUsers.retiolum-tinc.uid)
+
+ejabberd_secret=/etc/ejabberd/ejabberd.pem
+ejabberd_uid=$(query $host users.extraUsers.ejabberd.uid)
+
+rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"
+
+ssh "$target" -T <<EOF
+set -euf
+! test -f $retiolum_secret || chown -v $retiolum_uid:0 $retiolum_secret
+! test -f $ejabberd_secret || chown -v $ejabberd_uid:0 $ejabberd_secret
+EOF
--- a/next/bin/deploy
+++ b/next/bin/deploy
@ -0,0 +1,16 @@
+#! /bin/sh
+#
+# deploy
+#
+set -euf
+
+host=$1
+system=${2-$(build "$host")}
+
+target=root@$host
+
+nix-copy-closure --gzip --to "$target" "$system"
+
+copy-secrets "$host"
+
+ssh ${NIX_SSHOPTS-} "$target" "$system/bin/switch-to-configuration" switch
--- a/next/bin/query
+++ b/next/bin/query
@ -0,0 +1,20 @@
+#! /bin/sh
+set -euf
+
+host=$1
+attr=$2
+
+nixos_config=$config_root/modules/$host
+secrets_nix=$secrets_root/$host/nix
+secrets_rsync=$secrets_root/$host/rsync
+
+nix-instantiate \
+    -I "$nixpkgs" \
+    -I nixos-config="$nixos_config" \
+    -I retiolum-hosts="$retiolum_hosts" \
+    -I secrets="$secrets_nix" \
+    -A config."$attr" \
+    '<nixos>' \
+    --eval \
+    --json \
+  | jq -r .
--- a/next/profile
+++ b/next/profile
@ -0,0 +1,11 @@
+#! /bin/sh
+export PATH=$HOME/src/config/next/bin:$PATH
+export nixpkgs=/var/nixpkgs
+export config_root=$HOME/src/config
+export retiolum_hosts=$HOME/src/config/hosts
+export secrets_root=$HOME/src/config/secrets
+
+export PS1='\[\e[1;35m\]config>\[\e[m\] '
+
+cd /var/empty
+exec /bin/sh