Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'gum/master' into new-populate

Browse Source
This commit is contained in:
lassulus 2016-07-18 12:15:50 +02:00
commit af1959e3bd
19 changed files with 366 additions and 275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Makefile
View File

@ -41,23 +41,25 @@ target_path ?= $(_target_path)
endif endif
endif endif
export target_host ?= $(system) target_host ?= $(system)
export target_user ?= root target_user ?= root
export target_port ?= 22 target_port ?= 22
export target_path ?= /var/src target_path ?= /var/src
$(if $(target_host),,$(error unbound variable: target_host)) $(if $(target_host),,$(error unbound variable: target_host))
$(if $(target_user),,$(error unbound variable: target_user)) $(if $(target_user),,$(error unbound variable: target_user))
$(if $(target_port),,$(error unbound variable: target_port)) $(if $(target_port),,$(error unbound variable: target_port))
$(if $(target_path),,$(error unbound variable: target_path)) $(if $(target_path),,$(error unbound variable: target_path))
target ?= $(target_user)@$(target_host):$(target_port)$(target_path)
build = \ build = \
nix-build \ nix-build \
--no-out-link \ --no-out-link \
--show-trace \ --show-trace \
-I nixos-config=$(nixos-config) \ -I nixos-config=$(nixos-config) \
-I stockholm=$(stockholm) \ -I stockholm=$(stockholm) \
-E "let build = import <stockholm>; in $(1)" -E "with import <stockholm>; $(1)"
evaluate = \ evaluate = \
nix-instantiate \ nix-instantiate \
@ -68,26 +70,37 @@ evaluate = \
-I stockholm=$(stockholm) \ -I stockholm=$(stockholm) \
-E "let eval = import <stockholm>; in with eval; $(1)" -E "let eval = import <stockholm>; in with eval; $(1)"
execute = \
result=$$($(call evaluate,config.krebs.build.$(1))) && \
script=$$(echo "$$result" | jq -r .) && \
echo "$$script" | PS5=% sh
ifeq ($(MAKECMDGOALS),) ifeq ($(MAKECMDGOALS),)
$(error No goals specified) $(error No goals specified)
endif endif
# usage: make deploy system=foo [target_host=bar] # usage: make deploy system=foo [target_host=bar]
ifeq ($(debug),true)
deploy: rebuild-command = dry-activate
else
deploy: rebuild-command = switch
endif
deploy: ssh ?= ssh deploy: ssh ?= ssh
deploy: deploy:
$(call execute,populate) $(MAKE) populate debug=false
$(ssh) $(target_user)@$(target_host) -p $(target_port) \ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \ env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \
nixos-rebuild switch --show-trace -I $(target_path) nixos-rebuild $(rebuild-command) --show-trace -I $(target_path)
# usage: make build.pkgs.get # usage: make populate system=foo
build build.:;@$(call build,$${expr-eval}) ifeq ($(debug),true)
build.%:;@$(call build,$@) populate: populate-flags += --debug
endif
ifneq ($(ssh),)
populate: populate-flags += --ssh=$(ssh)
endif
populate:
$(call evaluate,config.krebs.build.source) --json --strict | \
populate $(target) $(populate-flags)
# usage: make pkgs.populate
pkgs:;@$(error no package selected)
pkgs.%:;@$(call build,$@)
# usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name # usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name
eval eval.:;@$(call evaluate,$${expr-eval}) eval eval.:;@$(call evaluate,$${expr-eval})
@ -99,7 +112,7 @@ install:
$(ssh) $(target_user)@$(target_host) -p $(target_port) \ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
env target_path=$(target_path) \ env target_path=$(target_path) \
sh -s prepare < krebs/4lib/infest/prepare.sh sh -s prepare < krebs/4lib/infest/prepare.sh
target_path=/mnt$(target_path) $(call execute,populate) $(MAKE) populate target_path=/mnt$(target_path)
$(ssh) $(target_user)@$(target_host) -p $(target_port) \ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
env NIXOS_CONFIG=$(target_path)/nixos-config \ env NIXOS_CONFIG=$(target_path)/nixos-config \
STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \ STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \
@ -117,8 +130,7 @@ $(error bad method: $(method))
endif endif
endif endif
test: ssh ?= ssh test: ssh ?= ssh
test: test: populate
$(call execute,populate)
$(ssh) $(target_user)@$(target_host) -p $(target_port) \ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
$(command) --show-trace -I $(target_path) \ $(command) --show-trace -I $(target_path) \
-A config.system.build.toplevel $(target_path)/stockholm -A config.system.build.toplevel $(target_path)/stockholm

162
krebs/3modules/build.nix
View File

@ -1,165 +1,27 @@
{ config, lib, ... }: { config, ... }:
with config.krebs.lib; with config.krebs.lib;
let {
out = { options.krebs.build = {
# TODO deprecate krebs.build.host # TODO deprecate krebs.build.host
options.krebs.build.host = mkOption { host = mkOption {
type = types.host; type = types.host;
}; };
# TODO make krebs.build.profile shell safe profile = mkOption {
options.krebs.build.profile = mkOption { type = types.absolute-path;
type = types.str;
default = "/nix/var/nix/profiles/system"; default = "/nix/var/nix/profiles/system";
}; };
# TODO deprecate krebs.build.user source = mkOption {
options.krebs.build.user = mkOption { type = types.attrsOf types.source;
type = types.user;
};
options.krebs.build.source = mkOption {
type = with types; attrsOf (either str (submodule {
options = {
url = str;
rev = str;
};
}));
default = {}; default = {};
}; };
options.krebs.build.populate = mkOption { # TODO deprecate krebs.build.user
type = types.str; user = mkOption {
default = let type = types.user;
target-user = maybeEnv "target_user" "root";
target-host = maybeEnv "target_host" config.krebs.build.host.name;
target-port = maybeEnv "target_port" "22";
target-path = maybeEnv "target_path" "/var/src";
out = ''
#! /bin/sh
set -eu
ssh=''${ssh-ssh}
verbose() {
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
}
{ printf 'PS5=%q%q\n' @ "$PS5"
echo ${shell.escape git-script}
} | verbose $ssh -p ${shell.escape target-port} \
${shell.escape "${target-user}@${target-host}"} -T
unset tmpdir
trap '
rm -f "$tmpdir"/*
rmdir "$tmpdir"
trap - EXIT INT QUIT
' EXIT INT QUIT
tmpdir=$(mktemp -dt stockholm.XXXXXXXX)
chmod 0755 "$tmpdir"
${concatStringsSep "\n" (mapAttrsToList (name: symlink: ''
verbose ln -s ${shell.escape symlink.target} \
"$tmpdir"/${shell.escape name}
'') source-by-method.symlink)}
verbose proot \
-b "$tmpdir":${shell.escape target-path} \
${concatStringsSep " \\\n " (mapAttrsToList (name: file:
"-b ${shell.escape "${file.path}:${target-path}/${name}"}"
) source-by-method.file)} \
rsync \
-f ${shell.escape "P /*"} \
${concatMapStringsSep " \\\n " (name:
"-f ${shell.escape "R /${name}"}"
) (attrNames source-by-method.file)} \
--delete \
-vFrlptD \
-e "$ssh -p ${shell.escape target-port}" \
${shell.escape target-path}/ \
${shell.escape "${target-user}@${target-host}:${target-path}"}
'';
git-script = ''
#! /bin/sh
set -efu
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
verbose() {
printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2
"$@"
}
fetch_git() {(
dst_dir=$1
src_url=$2
src_ref=$3
if ! test -e "$dst_dir"; then
git clone "$src_url" "$dst_dir"
fi
cd "$dst_dir"
if ! url=$(git config remote.origin.url); then
git remote add origin "$src_url"
elif test "$url" != "$src_url"; then
git remote set-url origin "$src_url"
fi
# TODO resolve src_ref to commit hash
hash=$src_ref
if ! test "$(git log --format=%H -1)" = "$hash"; then
git fetch origin
git checkout "$hash" -- "$dst_dir"
git checkout -f "$hash"
fi
git clean -dxf
)}
${concatStringsSep "\n" (mapAttrsToList (name: git: ''
verbose fetch_git ${concatMapStringsSep " " shell.escape [
"${target-path}/${name}"
git.url
git.rev
]}
'') source-by-method.git)}
'';
in out;
}; };
}; };
}
source-by-method = let
known-methods = ["git" "file" "symlink"];
in genAttrs known-methods (const {}) // recursiveUpdate source-by-scheme {
git = source-by-scheme.http or {} //
source-by-scheme.https or {};
};
source-by-scheme = foldl' (out: { k, v }: recursiveUpdate out {
${v.scheme}.${k} = v;
}) {} (mapAttrsToList (k: v: { inherit k v; }) normalized-source);
normalized-source = mapAttrs (name: let f = x: getAttr (typeOf x) {
path = f (toString x);
string = f {
url = if substring 0 1 x == "/" then "file://${x}" else x;
};
set = let scheme = head (splitString ":" x.url); in recursiveUpdate x {
inherit scheme;
} // {
symlink.target = removePrefix "symlink:" x.url;
file.path = # TODO file://host/...
assert hasPrefix "file:///" x.url;
removePrefix "file://" x.url;
}.${scheme} or {};
}; in f) config.krebs.build.source;
in out

27
krebs/3modules/tv/default.nix
View File

@ -7,6 +7,30 @@ with config.krebs.lib;
"viljetic.de" = "regfish"; "viljetic.de" = "regfish";
}; };
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) { hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) {
alnus = {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";
ip6.addr = "42:0:0:0:0:0:0:2101";
aliases = [
"alnus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAyDGucukxY1xFSkqDaicpiCXZe3NX1Max7N+E9PKXO2yE0EFoGdUP
/4hZFO9IbteDwlsTd/RQIhhUWF818TLWzwasUxgmqBFN4d23IIDLHJxgRZ8cPzAs
gmBWwnVWRetDETc6HZK6m2rLU6PG53rRLvheZHW/B9nSfUp7n+puehJdGLnBQ8W+
q5d/yUmN8hqS6h62yfAZEJSr7Gh/AW6Irmf3gjKRJlRmD2z28hR5tFH+Q/ulxJXQ
rNVzusASjRBO9VYOSWnNWI3Zl9vaUtbtEnvyl3PaV9N3gcHzB2HHlyDIotjqXvxU
cPLMN0lWOZeDae/9SDT62l/YuETYQo6TxwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
};
caxi = { caxi = {
cores = 2; cores = 2;
extraZones = { extraZones = {
@ -391,6 +415,9 @@ with config.krebs.lib;
}; };
}; };
users = { users = {
dv = {
mail = "dv@alnus.r";
};
mv = { mv = {
mail = "mv@cd.r"; mail = "mv@cd.r";
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGer9e2+Lew7vnisgBbsFNECEIkpNJgEaqQqgb9inWkQ mv@vod";

69
krebs/4lib/types.nix
View File

@ -188,6 +188,75 @@ types // rec {
}; };
}); });
source = submodule ({ config, ... }: {
options = {
type = let
types = ["file" "git" "symlink"];
in mkOption {
type = enum types;
default = let
cands = filter (k: config.${k} != null) types;
in
if length cands == 1
then head cands
else throw "cannot determine type";
};
file = let
file-path = (file-source.getSubOptions "FIXME").path.type;
in mkOption {
type = nullOr (either file-source file-path);
default = null;
apply = x:
if file-path.check x
then { path = x; }
else x;
};
git = mkOption {
type = nullOr git-source;
default = null;
};
symlink = let
symlink-target = (symlink-source.getSubOptions "FIXME").target.type;
in mkOption {
type = nullOr (either symlink-source symlink-target);
default = null;
apply = x:
if symlink-target.check x
then { target = x; }
else x;
};
};
});
file-source = submodule {
options = {
path = mkOption {
type = absolute-pathname;
};
};
};
git-source = submodule {
options = {
ref = mkOption {
type = str; # TODO types.git.ref
};
url = mkOption {
type = str; # TODO types.git.url
};
};
};
symlink-source = submodule {
options = {
target = mkOption {
type = pathname; # TODO relative-pathname
};
};
};
suffixed-str = suffs: suffixed-str = suffs:
mkOptionType { mkOptionType {
name = "string suffixed by ${concatStringsSep ", " suffs}"; name = "string suffixed by ${concatStringsSep ", " suffs}";

36
krebs/5pkgs/populate/default.nix Normal file
View File

@ -0,0 +1,36 @@
{ coreutils, fetchgit, git, jq, openssh, proot, rsync, stdenv, ... }:
let
PATH = stdenv.lib.makeBinPath [
coreutils
git
jq
openssh
proot
rsync
];
in
stdenv.mkDerivation rec {
name = "populate";
version = "1.1.1";
src = fetchgit {
url = http://cgit.cd.krebsco.de/populate;
rev = "refs/tags/v${version}";
sha256 = "139f4lzn56lca3qgqy9g33r94m3xi1mqns9340lkb4qm6626yvqd";
};
phases = [
"unpackPhase"
"installPhase"
];
installPhase = ''
sed \
'1s,.*,&\nPATH=${PATH},' \
-i bin/populate
cp -r . $out
'';
}

4
krebs/5pkgs/test/infest-cac-centos7/notes
View File

@ -138,8 +138,8 @@ ip=$(cac-api getserver $id | jq -r .ip)
cat > shared/2configs/temp/dirs.nix <<EOF cat > shared/2configs/temp/dirs.nix <<EOF
_: { _: {
krebs.build.source = { krebs.build.source = {
secrets = "$krebs_secrets"; secrets.file = "$krebs_secrets";
stockholm = "$(pwd)"; stockholm.file = "$(pwd)";
}; };
users.extraUsers.root.openssh.authorizedKeys.keys = [ users.extraUsers.root.openssh.authorizedKeys.keys = [
"$(cat ${krebs_ssh}.pub)" "$(cat ${krebs_ssh}.pub)"

8
krebs/5pkgs/urlwatch/default.nix
View File

@ -1,11 +1,11 @@
{ stdenv, fetchurl, python3Packages }: { stdenv, fetchurl, python3Packages }:
python3Packages.buildPythonPackage rec { python3Packages.buildPythonPackage rec {
name = "urlwatch-2.2"; name = "urlwatch-2.5";
src = fetchurl { src = fetchurl {
url = "https://thp.io/2008/urlwatch/${name}.tar.gz"; url = "https://thp.io/2008/urlwatch/${name}.tar.gz";
sha256 = "0s9056mm1hkj5gpzsb5bz6fwxk0nm73i0dhnqwa1bfddjnvpl9d3"; sha256 = "0qirpymdmpsx0klmhbx3icmiwpm6fx4wjma646gl9m90pifs8430";
}; };
propagatedBuildInputs = with python3Packages; [ propagatedBuildInputs = with python3Packages; [
@ -15,10 +15,6 @@ python3Packages.buildPythonPackage rec {
requests2 requests2
]; ];
patches = [
./setup.patch
];
postFixup = '' postFixup = ''
wrapProgram "$out/bin/urlwatch" --prefix "PYTHONPATH" : "$PYTHONPATH" wrapProgram "$out/bin/urlwatch" --prefix "PYTHONPATH" : "$PYTHONPATH"
''; '';

42
krebs/5pkgs/urlwatch/setup.patch
View File

@ -1,42 +0,0 @@
From ebe7b90100a3d960f53fdc9409d2d89eaa61bf11 Mon Sep 17 00:00:00 2001
From: Thomas Perl <m@thp.io>
Date: Tue, 28 Jun 2016 18:15:51 +0200
Subject: [PATCH] Check current directory and use os.path.relpath (Fixes #73)
---
setup.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/setup.py b/setup.py
index 947a7c8..45405cd 100644
--- a/setup.py
+++ b/setup.py
@@ -7,10 +7,15 @@
import os
import re
+import sys
PACKAGE_NAME = 'urlwatch'
DEPENDENCIES = ['minidb', 'PyYAML', 'requests']
-HERE = os.path.dirname(__file__)
+HERE = os.path.abspath(os.path.dirname(__file__))
+
+if os.path.normpath(os.getcwd()) != os.path.normpath(HERE):
+ print('You must run {} inside {} (cwd={})'.format(os.path.basename(__file__), HERE, os.getcwd()))
+ sys.exit(1)
# Assumptions:
# 1. Package name equals main script file name (and only one script)
@@ -29,9 +34,9 @@
m['scripts'] = [os.path.join(HERE, PACKAGE_NAME)]
m['package_dir'] = {'': os.path.join(HERE, 'lib')}
-m['packages'] = ['.'.join(dirname[len(HERE)+1:].split(os.sep)[1:])
+m['packages'] = ['.'.join(os.path.relpath(dirname, HERE).split(os.sep)[1:])
for dirname, _, files in os.walk(os.path.join(HERE, 'lib')) if '__init__.py' in files]
-m['data_files'] = [(dirname[len(HERE)+1:], [os.path.join(dirname[len(HERE)+1:], fn) for fn in files])
+m['data_files'] = [(os.path.relpath(dirname, HERE), [os.path.join(os.path.relpath(dirname, HERE), fn) for fn in files])
for dirname, _, files in os.walk(os.path.join(HERE, 'share')) if files]
m['install_requires'] = DEPENDENCIES

7
lass/2configs/buildbot-standalone.nix
View File

@ -64,7 +64,7 @@ in {
# prepare nix-shell # prepare nix-shell
# the dependencies which are used by the test script # the dependencies which are used by the test script
deps = [ "gnumake", "jq", "nix", "rsync", "proot" ] deps = [ "gnumake", "jq", "nix", "(import <stockholm>).pkgs.populate" ]
# TODO: --pure , prepare ENV in nix-shell command: # TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE # SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = ["nix-shell", nixshell = ["nix-shell",
@ -112,8 +112,7 @@ in {
for i in [ "prism", "mors", "echelon" ]: for i in [ "prism", "mors", "echelon" ]:
addShell(f,name="populate-{}".format(i),env=env_lass, addShell(f,name="populate-{}".format(i),env=env_lass,
command=nixshell + \ command=nixshell + \
["{}( make system={} eval.config.krebs.build.populate \ ["{}(make system={} populate debug=true)".format("!" if "failing" in i else "",i)])
| jq -er .)".format("!" if "failing" in i else "",i)])
addShell(f,name="build-test-minimal",env=env_lass, addShell(f,name="build-test-minimal",env=env_lass,
command=nixshell + \ command=nixshell + \
@ -146,7 +145,7 @@ in {
masterhost = "localhost"; masterhost = "localhost";
username = "testslave"; username = "testslave";
password = "lasspass"; password = "lasspass";
packages = with pkgs;[ git nix gnumake jq rsync ]; packages = with pkgs; [ gnumake jq nix populate ];
extraEnviron = { extraEnviron = {
NIX_PATH="nixpkgs=/var/src/nixpkgs"; NIX_PATH="nixpkgs=/var/src/nixpkgs";
}; };

18
lass/2configs/default.nix
View File

@ -53,16 +53,14 @@ with config.krebs.lib;
search-domain = "retiolum"; search-domain = "retiolum";
build = { build = {
user = config.krebs.users.lass; user = config.krebs.users.lass;
source = mapAttrs (_: mkDefault) ({ source = let inherit (config.krebs.build) host; in {
nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; nixos-config.symlink = "stockholm/lass/1systems/${host.name}.nix";
secrets = if getEnv "dummy_secrets" == "true" secrets.file =
then toString <stockholm/lass/2configs/tests/dummy-secrets> if getEnv "dummy_secrets" == "true"
else "/home/lass/secrets/${config.krebs.build.host.name}"; then toString <stockholm/lass/2configs/tests/dummy-secrets>
#secrets-common = "/home/lass/secrets/common"; else "/home/lass/secrets/${host.name}";
stockholm = getEnv "PWD"; stockholm.file = getEnv "PWD";
} // optionalAttrs config.krebs.build.host.secure { };
#secrets-master = "/home/lass/secrets/master";
});
}; };
}; };

20
makefu/1systems/vbob.nix
View File

@ -5,23 +5,23 @@
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
../. ../.
<nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix> (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui ../2configs/main-laptop.nix #< base-gui
# (toString <secrets>)/extra-hosts.nix
# environment # environment
]; ];
nixpkgs.config.allowUnfree = true; # workaround for https://github.com/NixOS/nixpkgs/issues/16641
services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
nixpkgs.config.allowUnfree = true;
fileSystems."/nix" = { fileSystems."/nix" = {
device ="/dev/disk/by-label/nixstore"; device ="/dev/disk/by-label/nixstore";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/var/lib/docker" = {
device ="/dev/disk/by-label/nix-docker";
fsType = "ext4";
};
#makefu.buildbot.master.enable = true;
# allow vbob to deploy self # allow vbob to deploy self
users.extraUsers = { users.extraUsers = {
root = { root = {
@ -52,11 +52,7 @@
"gum" "gum"
]; ];
}; };
virtualisation.docker.enable = false;
networking.extraHosts = ''
172.17.20.190 gitlab
172.17.62.27 svbittool01 tool
'';
fileSystems."/media/share" = { fileSystems."/media/share" = {
fsType = "vboxsf"; fsType = "vboxsf";

19
makefu/2configs/default.nix
View File

@ -18,21 +18,24 @@ with config.krebs.lib;
enable = true; enable = true;
dns.providers.siem = "hosts"; dns.providers.siem = "hosts";
dns.providers.lan = "hosts";
search-domain = "retiolum"; search-domain = "retiolum";
build = { build = {
user = config.krebs.users.makefu; user = config.krebs.users.makefu;
source = mapAttrs (_: mkDefault) { source = let inherit (config.krebs.build) host user; in {
nixpkgs = { nixpkgs.git = {
url = https://github.com/nixos/nixpkgs; url = https://github.com/nixos/nixpkgs;
rev = "0546a4a"; # stable @ 2016-06-11 rev = "0546a4a"; # stable @ 2016-06-11
}; };
secrets = if getEnv "dummy_secrets" == "true" secrets.file =
then toString <stockholm/makefu/6tests/data/secrets> if getEnv "dummy_secrets" == "true"
else "/home/makefu/secrets/${config.krebs.build.host.name}"; then toString <stockholm/makefu/6tests/data/secrets>
stockholm = "/home/makefu/stockholm"; else "/home/makefu/secrets/${host.name}";
stockholm.file = "/home/makefu/stockholm";
# Defaults for all stockholm users? # Defaults for all stockholm users?
nixos-config = "symlink:stockholm/${config.krebs.build.user.name}/1systems/${config.krebs.build.host.name}.nix"; nixos-config.symlink =
"stockholm/${user.name}/1systems/${host.name}.nix";
}; };
}; };
}; };

6
makefu/5pkgs/awesomecfg/kiosk.lua
View File

@ -521,13 +521,15 @@ awful.rules.rules = {
} }
-- awful.util.spawn_with_shell("chromium --new-window --kiosk https://www.checkpoint.com/ThreatPortal/livemap.html") -- awful.util.spawn_with_shell("chromium --new-window --kiosk https://www.checkpoint.com/ThreatPortal/livemap.html")
awful.util.spawn_with_shell("chromium --new-window --kiosk http://wolf:3000/dashboard/db/soc-critical-values") --awful.util.spawn_with_shell("chromium --new-window --kiosk http://wolf:3000/dashboard/db/soc-critical-values")
-- awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://wolf:3000/dashboard/db/aralast") -- awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://wolf:3000/dashboard/db/aralast")
--awful.util.spawn_with_shell("chromium --new-window --kiosk http://gast.aramark.de/thales-deutschland/menu/pdf/woche_de.php") --awful.util.spawn_with_shell("chromium --new-window --kiosk http://gast.aramark.de/thales-deutschland/menu/pdf/woche_de.php")
awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://map.norsecorp.com") --awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://map.norsecorp.com")
--awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://threatmap.fortiguard.com") --awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://threatmap.fortiguard.com")
awful.util.spawn_with_shell("chromium --new-window --kiosk 'https://ossim.siem/ossim/#dashboard/overview/overview'")
awful.util.spawn_with_shell("chromium --new-window --kiosk 'https://ossim.siem/ossim/#analysis/alarms/alarms'")
-- }}} -- }}}

30
makefu/5pkgs/git-xlsx-textconv/default.nix Normal file
View File

@ -0,0 +1,30 @@
{ stdenv, lib, goPackages, fetchFromGitHub }:
let
go-xlsx = goPackages.buildGoPackage rec {
name = "go-xlsx-${version}";
version = "46e6e472d";
goPackagePath = "github.com/tealeg/xlsx";
src = fetchFromGitHub {
rev = version;
owner = "tealeg";
repo = "xlsx";
sha256 = "1vls05asms7azhyszbqpgdby9l45jpgisbzzmbrzi30n6cvs89zg";
};
};
in
(goPackages.buildGoPackage rec {
name = "git-xlsx-textconv-${version}";
version = "70685e7f8";
goPackagePath = "github.com/tokuhirom/git-xlsx-textconv";
src = fetchFromGitHub {
rev = version;
owner = "tokuhirom";
repo = "git-xlsx-textconv";
sha256 = "055f3caj1y8v7sc2pz9q0dfyi2ij77d499pby4sjfvm5kjy9msdi";
};
propagatedBuildInputs = [ go-xlsx ];
}).bin

13
shared/2configs/base.nix
View File

@ -7,15 +7,14 @@ with config.krebs.lib;
# TODO rename shared user to "krebs" # TODO rename shared user to "krebs"
krebs.build.user = mkDefault config.krebs.users.shared; krebs.build.user = mkDefault config.krebs.users.shared;
krebs.build.source = { krebs.build.source = let inherit (config.krebs.build) host user; in {
nixpkgs = mkDefault { nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix";
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
rev = "63b9785"; # stable @ 2016-06-01 ref = "63b9785"; # stable @ 2016-06-01
}; };
secrets = mkDefault "${getEnv "HOME"}/secrets/krebs/${config.krebs.build.host.name}"; secrets.file = "${getEnv "HOME"}/secrets/krebs/${host.name}";
stockholm = mkDefault "${getEnv "HOME"}/stockholm"; stockholm.file = "${getEnv "HOME"}/stockholm";
nixos-config = "symlink:stockholm/${config.krebs.build.user.name}/1systems/${config.krebs.build.host.name}.nix";
}; };
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;

8
shared/2configs/shared-buildbot.nix
View File

@ -75,7 +75,8 @@
# prepare nix-shell # prepare nix-shell
# the dependencies which are used by the test script # the dependencies which are used by the test script
deps = [ "gnumake", "jq","nix","rsync", deps = [ "gnumake", "jq", "nix",
"(import <stockholm>).pkgs.populate",
"(import <stockholm>).pkgs.test.infest-cac-centos7" ] "(import <stockholm>).pkgs.test.infest-cac-centos7" ]
# TODO: --pure , prepare ENV in nix-shell command: # TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE # SSL_CERT_FILE,LOGNAME,NIX_REMOTE
@ -95,8 +96,7 @@
for i in [ "test-centos7", "wolf", "test-failing" ]: for i in [ "test-centos7", "wolf", "test-failing" ]:
addShell(f,name="populate-{}".format(i),env=env, addShell(f,name="populate-{}".format(i),env=env,
command=nixshell + \ command=nixshell + \
["{}( make system={} eval.config.krebs.build.populate \ ["{}(make system={} populate debug=true)".format("!" if "failing" in i else "",i)])
| jq -er .)".format("!" if "failing" in i else "",i)])
# XXX we must prepare ./retiolum.rsa_key.priv for secrets to work # XXX we must prepare ./retiolum.rsa_key.priv for secrets to work
addShell(f,name="instantiate-test-all-modules",env=env, addShell(f,name="instantiate-test-all-modules",env=env,
@ -179,7 +179,7 @@
masterhost = "localhost"; masterhost = "localhost";
username = "testslave"; username = "testslave";
password = "krebspass"; password = "krebspass";
packages = with pkgs;[ git nix gnumake jq rsync ]; packages = with pkgs; [ gnumake jq nix populate ];
# all nix commands will need a working nixpkgs installation # all nix commands will need a working nixpkgs installation
extraEnviron = { extraEnviron = {
NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; }; NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; };

103
tv/1systems/alnus.nix Normal file
View File

@ -0,0 +1,103 @@
{ config, pkgs, ... }:
with config.krebs.lib;
{
imports = [
../.
../2configs/hw/x220.nix
../2configs/exim-retiolum.nix
../2configs/retiolum.nix
];
# TODO remove non-hardware stuff from ../2configs/hw/x220.nix
# networking.wireless.enable collides with networkmanager
networking.wireless.enable = mkForce false;
boot = {
initrd = {
availableKernelModules = [ "ahci" ];
luks = {
cryptoModules = [ "aes" "sha512" "xts" ];
devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
};
};
loader = {
efi.canTouchEfiVariables = true;
gummiboot.enable = true;
};
};
environment.systemPackages = with pkgs; [
chromium
firefoxWrapper
networkmanagerapplet
pidginotr
pidgin-with-plugins
];
fileSystems = {
"/boot" = {
device = "/dev/sda1";
};
"/" = {
device = "/dev/mapper/main-root";
fsType = "btrfs";
options = [ "defaults" "noatime" ];
};
"/home" = {
device = "/dev/mapper/main-home";
fsType = "btrfs";
options = [ "defaults" "noatime" ];
};
};
hardware = {
enableAllFirmware = true;
opengl.driSupport32Bit = true;
pulseaudio.enable = true;
};
i18n.defaultLocale = "de_DE.UTF-8";
krebs.build = {
host = config.krebs.hosts.alnus;
user = mkForce config.krebs.users.dv;
source.nixpkgs.git.ref = mkForce "d7450443c42228832c68fba203a7c15cfcfb264e";
};
networking.networkmanager.enable = true;
nixpkgs.config = {
allowUnfree = true;
chromium.enablePepperFlash = true;
firefox.enableAdobeFlash = true;
};
services.xserver = {
enable = true;
layout = "de";
xkbOptions = "eurosign:e";
synaptics = {
enable = true;
twoFingerScroll = true;
};
desktopManager.xfce.enable = true;
displayManager.auto = {
enable = true;
user = "dv";
};
};
swapDevices =[ ];
users.users.dv = {
inherit (config.krebs.users.dv) home uid;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"networkmanager"
];
};
}

20
tv/2configs/default.nix
View File

@ -7,18 +7,18 @@ with config.krebs.lib;
krebs.build = { krebs.build = {
user = config.krebs.users.tv; user = config.krebs.users.tv;
source = mapAttrs (_: mkDefault) ({ source = let inherit (config.krebs.build) host; in {
nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix"; nixos-config.symlink = "stockholm/tv/1systems/${host.name}.nix";
secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; secrets.file = "/home/tv/secrets/${host.name}";
secrets-common = "/home/tv/secrets/common"; secrets-common.file = "/home/tv/secrets/common";
stockholm = "/home/tv/stockholm"; stockholm.file = "/home/tv/stockholm";
nixpkgs = { nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
rev = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f"; ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
}; };
} // optionalAttrs config.krebs.build.host.secure { } // optionalAttrs host.secure {
secrets-master = "/home/tv/secrets/master"; secrets-master.file = "/home/tv/secrets/master";
}); };
}; };
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;

1
tv/2configs/git.nix
View File

@ -36,6 +36,7 @@ let
much = {}; much = {};
newsbot-js = {}; newsbot-js = {};
nixpkgs = {}; nixpkgs = {};
populate.desc = "source code installer";
push = {}; push = {};
regfish = {}; regfish = {};
soundcloud = { soundcloud = {