Merge remote-tracking branch 'cd/user-toplevel' into newmaster

lassulus 2015-07-28 21:49:48 +02:00
commit ce2b97767e
45 changed files with 90 additions and 132 deletions


@ -1,4 +1,5 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
# TODO: remove tv lib :)
with import ../../4lib/tv { inherit lib pkgs; }; with import ../../4lib/tv { inherit lib pkgs; };
let let
@ -7,23 +8,31 @@ let
krebs.git = { krebs.git = {
enable = true; enable = true;
root-title = "public repositories "; root-title = "public repositories ";
root-desc = "keep calm and enrage"; root-desc = "keep on krebsing";
inherit repos rules ; inherit repos rules;
}; };
}; };
repos = priv-repos // krebs-repos ;
rules = concatMap krebs-rules (attrValues krebs-repos) ++ concatMap priv-rules (attrValues priv-repos);
repos = public-repos; krebs-repos = mapAttrs make-krebs-repo {
rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo {
stockholm = { stockholm = {
desc = "take all the computers hostage, they'll love you!"; desc = "take all the computers hostage, they'll love you!";
}; };
}; };
# TODO move users to separate module priv-repos = mapAttrs make-priv-repo {
autosync = { };
};
make-public-repo = name: { desc ? null, ... }: {
# TODO move users to separate module
make-priv-repo = name: { desc ? null, ... }: {
inherit name desc;
public = false;
};
make-krebs-repo = with git; name: { desc ? null, ... }: {
inherit name desc; inherit name desc;
public = true; public = true;
hooks = { hooks = {
@ -35,18 +44,27 @@ let
}; };
}; };
make-rules = set-owners = with git; repo: user:
with git // config.krebs.users;
repo:
singleton { singleton {
user = makefu; inherit user;
repo = [ repo ]; repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ]; perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++ };
set-ro-access = with git; repo: user:
optional repo.public { optional repo.public {
user = [ lass tv uriel ]; inherit user;
repo = [ repo ]; repo = [ repo ];
perm = fetch; perm = fetch;
}; };
# TODO: get the list of all krebsministers
krebsminister = with config.krebs.users; [ lass tv uriel ];
priv-rules = with config.krebs.users; repo:
set-owners repo [ makefu ];
krebs-rules = with config.krebs.users; repo:
set-owners repo [ makefu ] ++ set-ro-access repo krebsminister ;
in out in out
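Review bot: `repos = priv-repos // krebs-repos;` lets a krebs-repos entry silently override a priv-repos entry of the same name, so a name collision would turn a repository defined as private (`public = false`, no hooks) into a public one while `priv-rules` keeps being generated for the dropped definition. Today the two sets are disjoint (`autosync` vs `stockholm`), but nothing enforces it; an assertion before the merge makes the failure loud, e.g. `repos = assert !(any (n: hasAttr n krebs-repos) (attrNames priv-repos)); priv-repos // krebs-repos;` (assuming `any` reaches this file through the imported tv lib the same way `concatMap` and `mapAttrs` do). Separately, `set-owners` and `set-ro-access` receive a list but call the parameter `user`; naming it `users` would match how `krebsminister` and `[ makefu ]` are passed in. The `hooks` body of `make-krebs-repo` falls between the two hunks and is not visible here.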


@ -319,6 +319,7 @@ let
}; };
users = addNames { users = addNames {
makefu = { makefu = {
mail = "root@euer.krebsco.de";
pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
}; };
}; };


@ -2,7 +2,7 @@
# usage: # usage:
# make system=foo # make system=foo
# make systems='foo bar' # make systems='foo bar'
# make eval system=foo get=config.networking.extraHosts # make eval system=foo get=config.networking.extraHosts [filter=json]
# #
.ONESHELL: .ONESHELL:
@ -17,91 +17,30 @@ $(systems):
--tagstring {} \ --tagstring {} \
-q make systems= system={} ::: $(systems) -q make systems= system={} ::: $(systems)
else ifdef system else ifdef system
include 0make/$(LOGNAME)/$(system).makefile
.PHONY: deploy .PHONY: deploy
deploy:;@ deploy:;@
system_name=$(system) make eval system=$(system) get=config.krebs.build.script filter=json | sh
deploy_host=$(deploy_host)
nixpkgs_url=$(nixpkgs_url)
nixpkgs_rev=$(nixpkgs_rev)
secrets_dir=$(secrets_dir)
prepush(){(
dst=$$1
src=$$2
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--rsync-path="mkdir -p \"$$dst\" && rsync" \
--usermap=\*:0 \
--groupmap=\*:0 \
--delete-excluded \
-vrLptgoD \
"$$src/" "$$deploy_host:$$dst"
)}
prepush /root/src/stockholm "$$PWD"
prepush /root/src/secrets "$$secrets_dir"
ssh -S none "$$deploy_host" -T env \
nixpkgs_url="$$nixpkgs_url" \
nixpkgs_rev="$$nixpkgs_rev" \
system_name="$$system_name" \
user_name="$$LOGNAME" \
sh -euf \
<<-\EOF
prefetch(){(
dst=$$1
url=$$2
rev=$$3
mkdir -p "$$dst"
cd "$$dst"
if ! test -e .git; then
git init
fi
if ! cur_url=$$(git config remote.origin.url 2>/dev/null); then
git remote add origin "$$url"
elif test "$$cur_url" != "$$url"; then
git remote set-url origin "$$url"
fi
if test "$$(git rev-parse --verify HEAD 2>/dev/null)" != "$$rev"; then
git fetch origin
git checkout "$$rev" -- .
git checkout -q "$$rev"
git submodule init
git submodule update
fi
git clean -dxf
)}
prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
echo build system...
NIX_PATH=/root/src \
nix-build \
-Q \
-A system \
'<stockholm>' \
--argstr user-name "$$user_name" \
--argstr system-name "$$system_name"
result/bin/switch-to-configuration switch
EOF
.PHONY: eval .PHONY: eval
eval: eval:
@ @
ifeq ($(filter),json)
extraArgs=--json
filter() { jq -r .; }
else
filter() { cat; }
endif
NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ NIX_PATH=stockholm=$$PWD:$$NIX_PATH \
nix-instantiate \ nix-instantiate \
--json \ $${extraArgs-} \
$${json+--json} \
$${json+--strict} \
--eval \ --eval \
--strict \
-A "$$get" \ -A "$$get" \
'<stockholm>' \ '<stockholm>' \
--argstr user-name "$$LOGNAME" \ --argstr user-name "$$LOGNAME" \
--argstr system-name "$$system" \ --argstr system-name "$$system" \
| jq -r . | filter
else else
$(error unbound variable: system[s]) $(error unbound variable: system[s])
endif endif
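Review bot: In the new `deploy` recipe, `make eval … filter=json | sh` loses the exit status of the evaluation: if `nix-instantiate` fails, `sh` reads empty input and exits 0, so `make deploy` reports success having deployed nothing, and the `sh -euf` strictness of the replaced recipe no longer applies to the generated script either. Capture the script first and only then run it under a strict shell, e.g. `script=$$(make eval system=$(system) get=config.krebs.build.script filter=json) && printf '%s\n' "$$script" | sh -eu` (at least `-e`, if the generated script sets its own options). The rsync/git prefetch logic this replaces appears to have moved into `config.krebs.build.script`, which is not visible here; a one-line comment above the target naming where that script is defined would help the next reader. The `$(systems)` rule's recipe starts above this hunk.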


@ -5,8 +5,8 @@ let
eval = import <nixpkgs/nixos/lib/eval-config.nix> { eval = import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem; system = builtins.currentSystem;
modules = map (p: ./. + "/${p}") [ modules = map (p: ./. + "/${p}") [
"${user-name}/systems/${system-name}.nix" "${user-name}/1systems/${system-name}.nix"
"${user-name}/modules" "${user-name}/3modules"
"3modules/krebs" "3modules/krebs"
]; ];
}; };


@ -3,7 +3,7 @@
with lib; with lib;
let let
tvpkgs = import ../pkgs { inherit pkgs; }; tvpkgs = import ../5pkgs { inherit pkgs; };
in in
{ {
@ -26,14 +26,14 @@ in
}; };
imports = [ imports = [
../configs/CAC-Developer-2.nix ../2configs/CAC-Developer-2.nix
../configs/CAC-CentOS-7-64bit.nix ../2configs/CAC-CentOS-7-64bit.nix
../configs/base.nix ../2configs/base.nix
../configs/consul-server.nix ../2configs/consul-server.nix
../configs/exim-smarthost.nix ../2configs/exim-smarthost.nix
../configs/git.nix ../2configs/git.nix
{ {
imports = [ ../configs/charybdis.nix ]; imports = [ ../2configs/charybdis.nix ];
tv.charybdis = { tv.charybdis = {
enable = true; enable = true;
sslCert = ../../Zcerts/charybdis_cd.crt.pem; sslCert = ../../Zcerts/charybdis_cd.crt.pem;


@ -22,12 +22,12 @@ with lib;
}; };
imports = [ imports = [
../configs/CAC-Developer-1.nix ../2configs/CAC-Developer-1.nix
../configs/CAC-CentOS-7-64bit.nix ../2configs/CAC-CentOS-7-64bit.nix
../configs/base.nix ../2configs/base.nix
../configs/consul-server.nix ../2configs/consul-server.nix
../configs/exim-smarthost.nix ../2configs/exim-smarthost.nix
../configs/git.nix ../2configs/git.nix
{ {
tv.iptables = { tv.iptables = {
enable = true; enable = true;


@ -22,11 +22,11 @@ with lib;
}; };
imports = [ imports = [
../configs/AO753.nix ../2configs/AO753.nix
../configs/base.nix ../2configs/base.nix
../configs/consul-server.nix ../2configs/consul-server.nix
../configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../configs/git.nix ../2configs/git.nix
{ {
tv.iptables = { tv.iptables = {
enable = true; enable = true;


@ -22,12 +22,12 @@ with lib;
}; };
imports = [ imports = [
../configs/CAC-Developer-1.nix ../2configs/CAC-Developer-1.nix
../configs/CAC-CentOS-7-64bit.nix ../2configs/CAC-CentOS-7-64bit.nix
../configs/base.nix ../2configs/base.nix
../configs/consul-server.nix ../2configs/consul-server.nix
../configs/exim-smarthost.nix ../2configs/exim-smarthost.nix
../configs/git.nix ../2configs/git.nix
{ {
tv.iptables = { tv.iptables = {
enable = true; enable = true;


@ -3,7 +3,7 @@
with lib; with lib;
let let
tvpkgs = import ../pkgs { inherit pkgs; }; tvpkgs = import ../5pkgs { inherit pkgs; };
in in
{ {
@ -26,15 +26,15 @@ in
}; };
imports = [ imports = [
../configs/w110er.nix ../2configs/w110er.nix
../configs/base.nix ../2configs/base.nix
../configs/consul-client.nix ../2configs/consul-client.nix
../configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../configs/git.nix ../2configs/git.nix
../configs/mail-client.nix ../2configs/mail-client.nix
../configs/xserver.nix ../2configs/xserver.nix
../configs/synaptics.nix # TODO w110er if xserver is enabled ../2configs/synaptics.nix # TODO w110er if xserver is enabled
../configs/urlwatch.nix ../2configs/urlwatch.nix
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -2,7 +2,7 @@
{ {
imports = [ imports = [
../configs/smartd.nix ../2configs/smartd.nix
]; ];
boot.loader.grub = { boot.loader.grub = {


@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
tvpkgs = import ../pkgs { inherit pkgs; }; tvpkgs = import ../5pkgs { inherit pkgs; };
in in
with builtins; with builtins;


@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with import ../lib { inherit lib pkgs; }; with import ../4lib { inherit lib pkgs; };
let let
out = { out = {


@ -1,6 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
with import ../pkgs { inherit pkgs; }; with import ../5pkgs { inherit pkgs; };
{ {
environment.systemPackages = [ environment.systemPackages = [


@ -2,7 +2,7 @@
{ {
imports = [ imports = [
../configs/smartd.nix ../2configs/smartd.nix
]; ];
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''


@ -2,7 +2,7 @@
{ {
imports = [ imports = [
../configs/urxvt.nix # TODO via xserver ../2configs/urxvt.nix # TODO via xserver
]; ];
services.xserver.enable = true; services.xserver.enable = true;


@ -5,7 +5,7 @@
# TODO consul-bootstrap HOST that actually does is # TODO consul-bootstrap HOST that actually does is
# TODO tools to inspect state of a cluster in outage state # TODO tools to inspect state of a cluster in outage state
with import ../lib { inherit lib pkgs; }; with import ../4lib { inherit lib pkgs; };
let let
cfg = config.tv.consul; cfg = config.tv.consul;