Mic92
/
stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

krebs.build: merge deploy and infest

This commit is contained in:
tv 2015-09-27 00:22:50 +02:00
parent 9157c6fbc9
commit c9ccf22b15
21 changed files with 458 additions and 308 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Makefile
View File

@ -2,7 +2,7 @@
# usage:
# make system=foo
# make systems='foo bar'
# make eval system=foo get=config.networking.extraHosts [filter=json]
# make eval get=tv.wu.config.time.timeZone [filter=json]
#
.ONESHELL:
@ -10,20 +10,19 @@
ifdef systems
$(systems):
@
parallel \
--line-buffer \
-j0 \
--no-notice \
--tagstring {} \
-q make systems= system={} ::: $(systems)
-q make -s systems= system={} ::: $(systems)
else ifdef system
.PHONY: deploy
deploy:;@
make -s eval system=$(system) get=config.krebs.build.script filter=json | sh
.PHONY: infest
infest:;@
make -s eval system=$(system) get=config.krebs.build.infest filter=json | sh
.PHONY: deploy infest
deploy infest:;@
export get=$$LOGNAME.${system}.config.krebs.build.scripts.$@
export filter=json
make -s eval | sh
.PHONY: eval
eval:
@ -41,7 +40,7 @@ endif
-A "$$get" \
'<stockholm>' \
--argstr user-name "$$LOGNAME" \
--argstr system-name "$$system" \
--argstr host-name "$$HOSTNAME" \
| filter
else
$(error unbound variable: system[s])

83
default.nix
View File

@ -1,26 +1,81 @@
{ user-name, system-name }:
{ user-name, host-name }:
let
lib = import <nixpkgs/lib>;
eval = import <nixpkgs/nixos/lib/eval-config.nix> {
krebs-modules-path = ./krebs/3modules;
krebs-pkgs-path = ./krebs/5pkgs;
user-modules-path = ./. + "/${user-name}/3modules";
user-pkgs-path = ./. + "/${user-name}/5pkgs";
out =
(lib.mapAttrs (k: v: mk-namespace (./. + "/${k}"))
(lib.filterAttrs
(k: v: !lib.hasPrefix "." k && v == "directory")
(builtins.readDir ./.)));
eval = path: import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem;
modules = map (p: ./. + "/${p}") [
"${user-name}/1systems/${system-name}.nix"
"${user-name}/3modules"
"krebs/3modules"
modules = [
({ config, ... }:
with import ./krebs/4lib { inherit lib; };
{
options.krebs.exec.host = mkOption {
type = types.host;
default = config.krebs.hosts.${host-name};
};
options.krebs.exec.user = mkOption {
type = types.user;
default = config.krebs.users.${user-name};
};
}
)
path
krebs-modules-path
user-modules-path
] ++ [
({ lib, pkgs, ... }: {
({ config, lib, pkgs, ... }@args: {
_module.args.pkgs =
(import ./krebs/5pkgs { inherit lib pkgs; }) //
(import (./. + "/${user-name}/5pkgs") { inherit lib pkgs; });
(import krebs-pkgs-path args) //
(import user-pkgs-path args);
})
];
};
in
mk-namespace = path: mapNixDir mk-system (path + "/1systems");
{
inherit (eval) config options;
mk-system = path: rec {
inherit (eval path) config options;
system = config.system.build.toplevel;
fetch = import ./krebs/0tools/fetch.nix { inherit config lib; };
};
system = eval.config.system.build.toplevel;
}
mapNixDir = f: path: lib.mapAttrs (_: f) (nixDir path);
nixDir = path:
builtins.listToAttrs
(catMaybes
(lib.mapAttrsToList
(k: v: {
directory =
let p = path + "/${k}/default.nix"; in
if builtins.pathExists p
then Just (lib.nameValuePair k p)
else Nothing;
regular =
let p = path + "/${k}"; in
if lib.hasSuffix ".nix" p
then Just (lib.nameValuePair (lib.removeSuffix ".nix" k) p)
else Nothing;
}.${v} or Nothing)
(builtins.readDir path)));
# TODO move to lib
Just = x: { type = "maybe"; value = x; };
Nothing = { type = "maybe"; };
isMaybe = x: builtins.typeOf x == "set" && x.type or false == "maybe";
isJust = x: isMaybe x && builtins.hasAttr "value" x;
fromJust = x: assert isJust x; x.value;
catMaybes = xs: map fromJust (builtins.filter isJust xs);
in out

264
krebs/3modules/build/default.nix Normal file
View File

@ -0,0 +1,264 @@
{ config, lib, ... }:
with import ../../4lib { inherit lib; };
let
target = config.krebs.build // { user.name = "root"; };
out = {
# TODO deprecate krebs.build.host
options.krebs.build.host = mkOption {
type = types.host;
};
# TODO make krebs.build.profile shell safe
options.krebs.build.profile = mkOption {
type = types.str;
default = "/nix/var/nix/profiles/system";
};
# TODO make krebs.build.target.host :: host
options.krebs.build.target = mkOption {
type = with types; nullOr str;
default = null;
};
# TODO deprecate krebs.build.user
options.krebs.build.user = mkOption {
type = types.user;
};
options.krebs.build.scripts.deploy = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
(${config.krebs.build.scripts._source})
${ssh-target ''
${config.krebs.build.scripts._nix-env}
${config.krebs.build.profile}/bin/switch-to-configuration switch
''}
echo OK
'';
};
options.krebs.build.scripts.infest = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \
-o 'HostName ${target.host.infest.addr}' \
-o 'Port ${toString target.host.infest.port}' \
"
ssh() {
eval "$RSYNC_RSH \"\$@\""
}
${ssh-target ''
${readFile ./infest/prepare.sh}
${readFile ./infest/install-nix.sh}
''}
(${config.krebs.build.scripts._source})
${ssh-target ''
export PATH; PATH=/root/.nix-profile/bin:$PATH
src=$(type -p nixos-install)
cat_src() {
sed < "$src" "$(
sed < "$src" -n '
/^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
/^nixpkgs=/=
/^NIX_PATH=/,/^$/{/./=}
' \
| sed 's:$:s/^/#krebs#/:'
)"
}
# Location to insert config.krebs.build.scripts._nix-env
i=$(sed -n '/^echo "building the system configuration/=' "$src")
{
cat_src | sed -n "1,$i{p}"
cat ${doc config.krebs.build.scripts._nix-env}
cat_src | sed -n "$i,\''${$i!p}"
} > nixos-install
chmod +x nixos-install
# Wrap inserted config.krebs.build.scripts._nix-env into chroot.
nix_env=$(cat_src | sed -n '
s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
')
echo nix-env is $nix_env
sed -i '
s:^nix-env:chroot $mountPoint '"$nix_env"':
' nixos-install
./nixos-install
${readFile ./infest/finalize.sh}
''}
'';
};
options.krebs.build.scripts._nix-env = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
NIX_PATH=${config.krebs.build.source.NIX_PATH} \
nix-env \
-f '<stockholm>' \
-Q \
--argstr user-name ${config.krebs.exec.user.name} \
--argstr host-name ${target.host.name} \
--profile ${config.krebs.build.profile} \
--set \
-A ${lib.escapeShellArg (lib.concatStringsSep "." [
config.krebs.build.user.name
config.krebs.build.host.name
"system"
])}
'';
};
options.krebs.build.scripts._source = lib.mkOption {
type = lib.types.str;
default = ''
set -efu
${
lib.concatStringsSep "\n"
(lib.mapAttrsToList
(name: { scripts, url, ... }: "(${scripts._source})")
(config.krebs.build.source.dir //
config.krebs.build.source.git))
}
'';
};
options.krebs.build.source.NIX_PATH = mkOption {
type = types.str;
default =
lib.concatStringsSep ":"
(lib.mapAttrsToList (name: _: "${name}=/root/${name}")
(config.krebs.build.source.dir //
config.krebs.build.source.git));
};
options.krebs.build.source.dir = mkOption {
type =
let
exec = config.krebs.exec;
in
types.attrsOf (types.submodule ({ config, ... }:
let
url = "file://${config.host.name}${config.path}";
can-link = config.host.name == target.host.name;
can-push = config.host.name == exec.host.name;
push-method = ''
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--exclude tmp \
--rsync-path='mkdir -p ${config.target-path} && rsync' \
--delete-excluded \
-vrLptgoD \
${config.path}/ \
${target.user.name}@${target.host.name}:${config.target-path}
'';
in
{
options = {
host = mkOption {
type = types.host;
};
path = mkOption {
type = types.str;
};
scripts._source = mkOption {
type = types.str;
default =
#if can-link then link-method else
if can-push then push-method else
throw "cannot source ${url}";
};
target-path = mkOption {
type = types.str;
default = "/root/${config._module.args.name}";
};
url = mkOption {
type = types.str;
default = "file://${config.host.name}${config.path}";
};
};
}
));
default = {};
};
options.krebs.build.source.git = mkOption {
type =
let
target = config.krebs.build // { user.name = "root"; };
in
with types; attrsOf (submodule ({ config, ... }:
{
options = {
url = mkOption {
type = types.str; # TODO must be shell safe
};
rev = mkOption {
type = types.str;
};
scripts._source = mkOption {
type = types.str;
default = ssh-target ''
mkdir -p ${config.target-path}
cd ${config.target-path}
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin ${config.url}
elif test "$cur_url" != ${config.url}; then
git remote set-url origin ${config.url}
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then
git fetch origin
git checkout ${config.rev} -- .
git checkout -q ${config.rev}
git submodule init
git submodule update
fi
git clean -dxf
'';
};
target-path = mkOption {
type = types.str;
default = "/root/${config._module.args.name}";
};
};
}
));
default = {};
};
};
doc = s:
let b = "EOF${hashString "sha256" s}"; in
''
<<\${b}
${s}
${b}
'';
ssh-target = script:
"ssh root@${target.host.name} -T ${doc ''
set -efu
${script}
''}";
in out

2
krebs/4lib/infest/4finalize → krebs/3modules/build/infest/finalize.sh
View File

@ -7,7 +7,7 @@ set -eux
umount /mnt || [ $? -eq 32 ]
umount /boot || [ $? -eq 32 ]
PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
PATH=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
export PATH
mkdir /oldshit

8
krebs/4lib/infest/2install-nix → krebs/3modules/build/infest/install-nix.sh
View File

@ -2,9 +2,9 @@
set -efu
nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2
nix_sha256="504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4"
nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4
install-nix() {(
install_nix() {(
# install nix on host (cf. https://nixos.org/nix/install)
if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
@ -23,7 +23,7 @@ install-nix() {(
$nix_src_dir/install
fi
#TODO: make this general or move to 1prepare
#TODO: make this general or move to prepare
if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then
mkdir -p /mnt/nix
mount --bind /nix /mnt/nix
@ -54,4 +54,4 @@ install-nix() {(
fi
)}
install-nix "$@"
install_nix "$@"

0
krebs/4lib/infest/1prepare → krebs/3modules/build/infest/prepare.sh
View File

230
krebs/3modules/default.nix
View File

@ -6,6 +6,7 @@ let
out = {
imports = [
./build
./exim-retiolum.nix
./exim-smarthost.nix
./github-hosts-sync.nix
@ -22,225 +23,6 @@ let
api = {
enable = mkEnableOption "krebs";
build = mkOption {
type = types.submodule ({ config, ... }: {
options = {
target = mkOption {
type = with types; nullOr str;
default = null;
};
deps = mkOption {
type = with types; attrsOf (submodule {
options = {
url = mkOption {
type = str;
};
rev = mkOption {
type = nullOr str;
default = null;
};
};
});
default = {};
};
script = mkOption {
type = types.str;
default = ''
#! /bin/sh
set -efux
target=${escapeShellArg cfg.build.target}
push(){(
src=$1/
dst=$target:$2
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--rsync-path="mkdir -p \"$2\" && rsync" \
--delete-excluded \
-vrLptgoD \
"$src" "$dst"
)}
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev == null) ''
push ${toString (map escapeShellArg [
"${url}"
"/root/src/${name}"
])}
'') config.deps)}
exec ssh -S none "$target" /bin/sh <<\EOF
set -efux
fetch(){(
url=$1
rev=$2
dst=$3
mkdir -p "$dst"
cd "$dst"
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin "$url"
elif test "$cur_url" != "$url"; then
git remote set-url origin "$url"
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
git fetch origin
git checkout "$rev" -- .
git checkout -q "$rev"
git submodule init
git submodule update
fi
git clean -dxf
)}
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev != null) ''
fetch ${toString (map escapeShellArg [
url
rev
"/root/src/${name}"
])}
'') config.deps)}
echo build system...
profile=/nix/var/nix/profiles/system
NIX_PATH=/root/src \
nix-env \
-Q \
-p "$profile" \
-f '<stockholm>' \
--set \
-A system \
--argstr user-name ${escapeShellArg cfg.build.user.name} \
--argstr system-name ${escapeShellArg cfg.build.host.name}
exec "$profile"/bin/switch-to-configuration switch
EOF
'';
};
infest = mkOption {
type = types.str;
default = ''
#! /bin/sh
set -efux
target=${escapeShellArg cfg.build.target}
push(){(
src=$1/
dst=$target:/mnt$2
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--rsync-path="mkdir -p \"/mnt$2\" && rsync" \
--delete-excluded \
-vrLptgoD \
"$src" "$dst"
)}
cat krebs/4lib/infest/1prepare | ssh "$target"
cat krebs/4lib/infest/2install-nix | ssh "$target"
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev == null) ''
push ${toString (map escapeShellArg [
"${url}"
"/root/src/${name}"
])}
'') config.deps)}
ssh -S none "$target" /bin/sh <<\EOF
set -efux
fetch(){(
url=$1
rev=$2
dst=$3
mkdir -p "$dst"
cd "$dst"
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin "$url"
elif test "$cur_url" != "$url"; then
git remote set-url origin "$url"
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != "$rev"; then
git fetch origin
git checkout "$rev" -- .
git checkout -q "$rev"
git submodule init
git submodule update
fi
git clean -dxf
)}
${concatStrings (mapAttrsToList (name: { url, rev, ... }:
optionalString (rev != null) ''
fetch ${toString (map escapeShellArg [
url
rev
"/mnt/root/src/${name}"
])}
'') config.deps)}
export PATH=/root/.nix-profile/bin:/root/.nix-profile/sbin:$PATH
sed < "$(type -p nixos-install)" > nixos-install '
/^echo "building the system configuration..."/,/--set -A system/{
s/.*/# &/
s@.*--set -A system.*@&\n${concatStringsSep " " [
"NIX_PATH=/mnt/root/src/"
"nix-env"
"-Q"
"-p /nix/var/nix/profiles/system"
"-f \"<stockholm>\""
"--set"
"-A system"
"--argstr user-name ${escapeShellArg cfg.build.user.name}"
"--argstr system-name ${escapeShellArg cfg.build.host.name}"
]}@
}
'
sed -i 's/^nixpkgs=.*$/#&/' nixos-install
chmod +x nixos-install
echo {} > /root/dummy.nix
echo build system...
profile=/nix/var/nix/profiles/system
NIXOS_CONFIG=/root/dummy.nix \
./nixos-install -I /root/src/
#nl -bp nixos-install
EOF
cat krebs/4lib/infest/4finalize | ssh "$target"
'';
};
host = mkOption {
type = types.host;
};
user = mkOption {
type = types.user;
};
};
});
# Define defaul value, so unset values of the submodule get reported.
default = {};
};
dns = {
providers = mkOption {
# TODO with types; tree dns.label dns.provider, so we can merge.
@ -706,12 +488,13 @@ let
};
};
};
mkdir = {
mkdir = rec {
cores = 1;
dc = "tv"; #dc = "cac";
infest.addr = head nets.internet.addrs4;
nets = rec {
internet = {
addrs4 = ["162.248.167.241"];
addrs4 = ["104.233.84.102"];
aliases = [
"mkdir.internet"
];
@ -762,12 +545,13 @@ let
};
secure = true;
};
rmdir = {
rmdir = rec {
cores = 1;
dc = "tv"; #dc = "cac";
infest.addr = head nets.internet.addrs4;
nets = rec {
internet = {
addrs4 = ["167.88.44.94"];
addrs4 = ["104.233.84.70"];
aliases = [
"rmdir.internet"
];

2
krebs/3modules/github-hosts-sync.nix
View File

@ -22,7 +22,7 @@ let
};
ssh-identity-file = mkOption {
type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519}
default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa";
default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
};
};

2
krebs/3modules/retiolum.nix
View File

@ -75,7 +75,7 @@ let
# TODO if it's types.path then it gets copied to /nix/store with
# bad unsafe permissions...
type = types.str;
default = "/root/src/secrets/retiolum.rsa_key.priv";
default = toString <secrets/retiolum.rsa_key.priv>;
description = ''
Generate file with <literal>tincd -K</literal>.
This file must exist on the local system. The default points to

9
krebs/4lib/infest/3install-nix-tools
View File

@ -1,9 +0,0 @@
#! /bin/sh
set -efu
install-nix-tools() {(
)}
install-nix-tools "$@"

10
krebs/4lib/types.nix
View File

@ -27,6 +27,16 @@ types // rec {
type = with types; attrsOf string;
};
infest = {
addr = mkOption {
type = str;
};
port = mkOption {
type = int;
default = 22;
};
};
secure = mkOption {
type = bool;
default = false;

14
tv/1systems/cd.nix
View File

@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@cd.internet";
krebs.build.deps = {
nixpkgs = {
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
};
secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}";
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/cd";
};
stockholm = {
url = toString ../..;
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};

42
tv/1systems/mkdir.nix
View File

@ -2,22 +2,37 @@
with lib;
let
# TODO merge with lass
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
in
{
krebs.build.host = config.krebs.hosts.mkdir;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@mkdir.internet";
krebs.build.target = "root@${primary-addr4}";
krebs.build.deps = {
nixpkgs = {
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "9d5508d85c33b8fb22d79dde6176792eac2c2696";
rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
};
secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}";
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/mkdir";
};
stockholm = {
url = toString ../..;
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
@ -56,11 +71,18 @@ with lib;
networking.interfaces.enp2s1.ip4 = [
{
address = "162.248.167.241"; # TODO
address = primary-addr4;
prefixLength = 24;
}
#{
# address = secondary-addr4;
# prefixLength = 24;
#}
];
networking.defaultGateway = "162.248.167.1";
# TODO define gateway in krebs/3modules/default.nix
networking.defaultGateway = getDefaultGateway primary-addr4;
networking.nameservers = [
"8.8.8.8"
];

14
tv/1systems/nomic.nix
View File

@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@nomic.gg23";
krebs.build.deps = {
nixpkgs = {
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
};
secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}";
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/nomic";
};
stockholm = {
url = toString ../..;
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};

35
tv/1systems/rmdir.nix
View File

@ -2,22 +2,37 @@
with lib;
let
# TODO merge with lass
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
primary-addr4 =
builtins.elemAt config.krebs.build.host.nets.internet.addrs4 0;
#secondary-addr4 =
# builtins.elemAt config.krebs.build.host.nets.internet.addrs4 1;
in
{
krebs.build.host = config.krebs.hosts.rmdir;
krebs.build.user = config.krebs.users.tv;
krebs.build.target = "root@rmdir.internet";
krebs.build.deps = {
nixpkgs = {
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
};
secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}";
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/rmdir";
};
stockholm = {
url = toString ../..;
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};
@ -57,11 +72,13 @@ with lib;
networking.interfaces.enp2s1.ip4 = [
{
address = "167.88.44.94";
address = primary-addr4;
prefixLength = 24;
}
];
networking.defaultGateway = "167.88.44.1";
# TODO define gateway in krebs/3modules/default.nix
networking.defaultGateway = getDefaultGateway primary-addr4;
networking.nameservers = [
"8.8.8.8"
];

18
tv/1systems/wu.nix
View File

@ -8,16 +8,18 @@ with lib;
krebs.build.target = "root@wu";
krebs.build.deps = {
nixpkgs = {
url = https://github.com/4z3/nixpkgs;
rev = "03130ec91356cd250b80f144022ee2f4d665ca36"; # 1357692
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "bd84ebaa1e0359f41350e053ed24592b169b5714";
};
secrets = {
url = "/home/tv/secrets/${config.krebs.build.host.name}";
dir.secrets = {
host = config.krebs.hosts.wu;
path = "/home/tv/secrets/wu";
};
stockholm = {
url = toString ../..;
dir.stockholm = {
host = config.krebs.hosts.wu;
path = "/home/tv/stockholm";
};
};

3
tv/2configs/base.nix
View File

@ -15,9 +15,10 @@ in
imports = [
{
# TODO never put hashedPassword into the store
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import /root/src/secrets/hashedPasswords.nix);
(import <secrets/hashedPasswords.nix>);
}
{
users.defaultUserShell = "/run/current-system/sw/bin/bash";

4
tv/2configs/charybdis.nix
View File

@ -21,7 +21,7 @@ let
};
dhParams = mkOption {
type = types.str;
default = "/root/src/secrets/charybdis.dh.pem";
default = toString <secrets/charybdis.dh.pem>;
};
motd = mkOption {
type = types.str;
@ -32,7 +32,7 @@ let
};
sslKey = mkOption {
type = types.str;
default = "/root/src/secrets/charybdis.key.pem";
default = toString <secrets/charybdis.key.pem>;
};
};

3
tv/2configs/git.nix
View File

@ -51,7 +51,8 @@ let
collaborators = with config.krebs.users; [ lass makefu ];
};
} //
import /root/src/secrets/repos.nix { inherit config lib pkgs; }
# TODO don't put secrets/repos.nix into the store
import <secrets/repos.nix> { inherit config lib pkgs; }
);
make-public-repo = name: { desc ? null, ... }: {

2
tv/3modules/consul.nix
View File

@ -29,7 +29,7 @@ let
};
encrypt-file = mkOption {
type = types.str; # TODO path (but not just into store)
default = "/root/src/secrets/consul-encrypt.json";
default = toString <secrets/consul-encrypt.json>;
};
data-dir = mkOption {
type = types.str; # TODO path (but not just into store)

2
tv/3modules/ejabberd.nix
View File

@ -15,7 +15,7 @@ let
certFile = mkOption {
type = types.str;
default = "/root/src/secrets/ejabberd.pem";
default = toString <secrets/ejabberd.pem>;
};
hosts = mkOption {