Merge branch 'tv'

This commit is contained in:
lassulus 2015-09-28 18:43:56 +02:00
commit ad5ef39476
6 changed files with 190 additions and 16 deletions


@ -11,7 +11,8 @@ let
out =
(lib.mapAttrs (k: v: mk-namespace (./. + "/${k}"))
(lib.filterAttrs
(k: v: !lib.hasPrefix "." k && v == "directory")
(k: v: !lib.hasPrefix "." k && v == "directory" &&
builtins.pathExists (./. + "/${k}/1systems"))
(builtins.readDir ./.)));
eval = path: import <nixpkgs/nixos/lib/eval-config.nix> {


@ -28,6 +28,42 @@ let
type = types.user;
};
options.krebs.build.scripts.init = lib.mkOption {
type = lib.types.str;
default =
let
inherit (config.krebs.build) host;
in
''
#! /bin/sh
set -efu
hostname=${host.name}
secrets_dir=${config.krebs.build.source.dir.secrets.path}
key_type=ed25519
key_file=$secrets_dir/ssh.id_$key_type
key_comment=$hostname
if test -e "$key_file"; then
echo "Warning: privkey already exists: $key_file" >&2
else
ssh-keygen \
-C "$key_comment" \
-t "$key_type" \
-f "$key_file" \
-N ""
rm "$key_file.pub"
fi
pubkey=$(ssh-keygen -y -f "$key_file")
cat<<EOF
# put following into config.krebs.hosts.$hostname:
ssh.pubkey = $(echo $pubkey | jq -R .);
EOF
'';
};
options.krebs.build.scripts.deploy = lib.mkOption {
type = lib.types.str;
default = ''
@ -67,12 +103,16 @@ let
src=$(type -p nixos-install)
cat_src() {
sed < "$src" "$(
sed < "$src" -n '
/^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
/^nixpkgs=/=
/^NIX_PATH=/,/^$/{/./=}
' \
| sed 's:$:s/^/#krebs#/:'
{ sed < "$src" -n '
/^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
/^nixpkgs=/=
/^NIX_PATH=/,/^$/{/./=}
# Disable: Copy the NixOS/Nixpkgs sources to the target as
# the initial contents of the NixOS channel.
/^srcs=/,/^ln -sfn /=
'
} | sed 's:$:s/^/#krebs#/:'
)"
}
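Review bot: The patched-nixos-install approach in `cat_src` silently degrades to running the unmodified installer, because if any of the sed address patterns (including the new `/^srcs=/,/^ln -sfn /=` range) stop matching after an upstream change, `sed -n ... =` prints no line numbers, the generated script becomes empty, and the channel copy this hunk means to disable runs anyway. I would capture the line numbers first and abort when none were found so that drift shows up in the deploy log instead of as a surprise on the target. In the init hunk above, `echo $pubkey` should be `printf '%s\n' "$pubkey"` so the line reaching `jq -R` is passed through verbatim rather than re-split on whitespace. Both hunks live inside the `krebs.build.scripts.*` default strings whose definitions begin outside the hunk.
```shell
cat_src() {
  lines=$({ sed < "$src" -n '
    # … unchanged: existing address ranges …
    /^srcs=/,/^ln -sfn /=
  '; })
  if test -z "$lines"; then
    echo "cat_src: no nixos-install markers matched, refusing to continue" >&2
    exit 1
  fi
  sed < "$src" "$(printf '%s\n' "$lines" | sed 's:$:s/^/#krebs#/:')"
}
```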


@ -84,13 +84,16 @@ let
mapAttrsToList (hostname: host:
mapAttrsToList (netname: net:
let
aliases = toString (unique (longs ++ shorts));
aliases = longs ++ shorts;
providers = dns.split-by-provider net.aliases cfg.dns.providers;
longs = providers.hosts;
shorts = map (removeSuffix ".${cfg.search-domain}") longs;
shorts =
map (removeSuffix ".${cfg.search-domain}")
(filter (hasSuffix ".${cfg.search-domain}")
longs);
in
map (addr: "${addr} ${aliases}") net.addrs
) host.nets
map (addr: "${addr} ${toString aliases}") net.addrs
) (filterAttrs (name: host: host.aliases != []) host.nets)
) cfg.hosts
));
@ -100,6 +103,36 @@ let
([cfg.zone-head-config] ++ combined-hosts) ;
combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
services.openssh.hostKeys =
let inherit (config.krebs.build.host.ssh) privkey; in
mkIf (privkey != null) (mkForce [privkey]);
services.openssh.knownHosts =
mapAttrs
(name: host: {
hostNames =
concatLists
(mapAttrsToList
(net-name: net:
let
aliases = shorts ++ longs;
longs = net.aliases;
shorts =
map (removeSuffix ".${cfg.search-domain}")
(filter (hasSuffix ".${cfg.search-domain}")
longs);
add-port = a:
if net.ssh.port != null
then "[${a}]:${toString net.ssh.port}"
else a;
in
aliases ++ map add-port net.addrs)
host.nets);
publicKey = host.ssh.pubkey;
})
(filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts);
}
];
@ -501,6 +534,7 @@ let
"cgit.cd.viljetic.de"
"cd.krebsco.de"
];
ssh.port = 11423;
};
retiolum = {
via = internet;
@ -527,6 +561,8 @@ let
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOd/HqZIO9Trn3eycl23GZAz21HQCISaVNfNyaLSQvJ6";
};
mkdir = rec {
cores = 1;
@ -534,7 +570,7 @@ let
infest.addr = head nets.internet.addrs4;
nets = rec {
internet = {
addrs4 = ["104.233.84.102"];
addrs4 = ["104.233.84.173"];
aliases = [
"mkdir.internet"
];
@ -559,6 +595,35 @@ let
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuShEqU0Cdm7KCaMD5x1D6mgj+cr7qoqbzFJDKoBbbw";
};
ire = {
nets = {
internet = {
addrs4 = ["198.147.22.115"];
ssh.port = 11423;
};
retiolum = {
addrs4 = ["10.243.231.66"];
addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
aliases = [
"ire.retiolum"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7
rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt
6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU
1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K
LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu
nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB
-----END RSA PUBLIC KEY-----
'';
ssh.port = 11423;
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaMjBJ/BfYlHjyn5CO0xzFNaQ0LPvMP3W9UlOs1OxGY";
};
nomic = {
cores = 2;
@ -584,6 +649,7 @@ let
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILn7C3LxAs9kUynENdRNgQs4qjrhNDfXzlHTpVJt6e09";
};
rmdir = rec {
cores = 1;
@ -616,6 +682,8 @@ let
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLuhLRmt8M5s2Edwwl9XY0KAAivzmPCEweesH5/KhR4";
};
wu = {
cores = 4;
@ -641,6 +709,7 @@ let
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
};
xu = {
cores = 4;
@ -666,6 +735,7 @@ let
};
};
secure = true;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID554niVFWomJjuSuQoiCdMUYrCFPpPzQuaoXXYYDxlw";
};
};
users = addNames {
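Review bot: In the new `services.openssh.knownHosts` block, `add-port` is applied only to `net.addrs`, so for hosts that set `net.ssh.port` (cd and ire at 11423 in this same section) the alias entries are written as bare names while OpenSSH looks up `[host]:port` in known_hosts whenever the port is not 22; connecting to `cd.krebsco.de` on 11423 would therefore not find the pinned key under the name, only under the address. The fix is to wrap the aliases too: `aliases ++ map add-port net.addrs)` → `map add-port (aliases ++ net.addrs))`. On the `hostKeys` line, the forced `privkey` value carries `bits = null` from the submodule; whether sshd's key-generation preStart tolerates a null `bits` is not visible here and is worth checking, since `mkForce` makes this the only host key. The enclosing `let`/`config` structure starts and ends outside this hunk.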


@ -1,11 +1,12 @@
{ lib, ... }:
with builtins;
with lib;
with types;
types // rec {
host = submodule {
host = submodule ({ config, ... }: {
options = {
name = mkOption {
type = label;
@ -46,8 +47,39 @@ types // rec {
TODO define minimum requirements for secure hosts
'';
};
ssh.pubkey = mkOption {
type = nullOr str;
default = null;
apply = x:
if x != null
then x
else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
};
ssh.privkey = mkOption {
type = nullOr (submodule {
options = {
bits = mkOption {
type = nullOr (enum ["4096"]);
default = null;
};
path = mkOption {
type = either path str;
apply = x: {
path = toString x;
string = x;
}.${typeOf x};
};
type = mkOption {
type = enum ["rsa" "ed25519"];
default = "ed25519";
};
};
});
default = null;
};
};
};
});
net = submodule ({ config, ... }: {
options = {
@ -71,6 +103,18 @@ types // rec {
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
default = [];
};
ssh = mkOption {
type = submodule {
options = {
port = mkOption {
type = nullOr int;
default = null;
};
};
};
default = {};
};
tinc = mkOption {
type = let net-config = config; in nullOr (submodule ({ config, ... }: {


@ -1,4 +1,4 @@
Address = 198.147.23.143
Address = 198.147.22.115
Subnet = 10.243.231.66
Subnet = 42:b912:0f42:a82d:0d27:8610:e89b:490c


@ -157,7 +157,6 @@ let
link="$cgit_endpoint/$GIT_SSH_REPO/ ($h)"
;;
fast-forward|non-fast-forward)
#git diff --stat $id..$id2
link="$cgit_endpoint/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2"
;;
esac
@ -165,6 +164,26 @@ let
#$host $GIT_SSH_REPO $ref $link
message="''${message+$message
}$GIT_SSH_USER $receive_mode $link"
message=''${message+$message
}$(
green() { printf '\x0303,99%s\x0F' "$1"; }
red() { printf '\x0304,99%s\x0F' "$1"; }
orange() { printf '\x0307,99%s\x0F' "$1"; }
gray() { printf '\x0314,99%s\x0F' "$1"; }
git log \
--format="$(orange %h) %s $(gray '(%ar)')" \
--reverse \
$id2..$id
git diff --stat $id2..$id \
| sed '
$!s/+/'$(green '&')'/g
$!s/-/'$(red '&')'/g
'
)
done
if test -n "''${message-}"; then
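Review bot: The new `git log` and `git diff --stat` calls run on `$id2..$id` for every `receive_mode`, but the `case` above also handles ref creation and deletion, where one of the ids is presumably the all-zero object id (the loop head that sets them is outside the hunk); both commands would then fail, and depending on the caller's shell options either abort the hook or push git errors to stderr. I would guard the appended block the same way the link is chosen, `case $receive_mode in fast-forward|non-fast-forward)` around the `$(...)`, or skip it when `$id2` is all zeros. The colouring `sed` also rewrites every `+`/`-` on the stat lines, including those inside file names, which is cosmetic but deserves a note: `# colourise +/- counts; file names containing +/- get coloured too`. The enclosing `for` loop and function start outside the hunk.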