Merge remote-tracking branch 'cd/master'

krebs/3modules/nginx.nix

@@ -13,33 +13,34 @@ let
     enable = mkEnableOption "krebs.nginx";
 
     servers = mkOption {
-      type = with types; attrsOf optionSet;
+      type = types.attrsOf (types.submodule {
-      options = singleton {
+        options = {
-        server-names = mkOption {
+          server-names = mkOption {
-          type = with types; listOf str;
+            type = with types; listOf str;
-          # TODO use identity
+            # TODO use identity
-          default = [
+            default = [
-            "${config.networking.hostName}"
+              "${config.networking.hostName}"
-            "${config.networking.hostName}.retiolum"
+              "${config.networking.hostName}.retiolum"
-          ];
+            ];
+          };
+          listen = mkOption {
+            type = with types; either str (listOf str);
+            default = "80";
+            apply = x:
+              if typeOf x != "list"
+                then [x]
+                else x;
+          };
+          locations = mkOption {
+            type = with types; listOf (attrsOf str);
+            default = [];
+          };
+          extraConfig = mkOption {
+            type = with types; string;
+            default = "";
+          };
         };
-        listen = mkOption {
+      });
-          type = with types; either str (listOf str);
-          default = "80";
-          apply = x:
-            if typeOf x != "list"
-              then [x]
-              else x;
-        };
-        locations = mkOption {
-          type = with types; listOf (attrsOf str);
-          default = [];
-        };
-        extraConfig = mkOption {
-          type = with types; string;
-          default = "";
-        };
-      };
       default = {};
     };
   };

krebs/3modules/setuid.nix

@@ -46,6 +46,7 @@ let
             check = x:
               isString x &&
               match "[0-7][0-7][0-7][0-7]" x != null;
+            merge = mergeOneOption;
           };
         };
         activate = mkOption {

krebs/3modules/tv/default.nix

@@ -104,7 +104,7 @@ with config.krebs.lib;
           ire 60 IN A ${elemAt nets.internet.addrs4 0}
         '';
       };
-      nets = {
+      nets = rec {
         internet = {
           addrs4 = ["198.147.22.115"];
           aliases = [
@@ -115,6 +115,7 @@ with config.krebs.lib;
           ssh.port = 11423;
         };
         retiolum = {
+          via = internet;
           addrs4 = ["10.243.231.66"];
           addrs6 = ["42:b912:0f42:a82d:0d27:8610:e89b:490c"];
           aliases = [
@@ -286,7 +287,10 @@ with config.krebs.lib;
       nets = {
         gg23 = {
           addrs4 = ["10.23.1.37"];
-          aliases = ["wu.gg23"];
+          aliases = [
+            "wu.gg23"
+            "cache.wu.gg23"
+          ];
           ssh.port = 11423;
         };
         retiolum = {

krebs/5pkgs/default.nix

@@ -17,7 +17,7 @@ with config.krebs.lib;
     };
 
     push = pkgs.callPackage ./push {
-      inherit (subdirs) get jq;
+      inherit (subdirs) get;
     };
 
     ReaktorPlugins = pkgs.callPackage ./Reaktor/plugins.nix {};

krebs/5pkgs/jq/default.nix

@@ -1,33 +0,0 @@
-{stdenv, fetchurl}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="jq";
-    version="1.5";
-    name="${baseName}-${version}";
-    url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz;
-    sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
-  };
-  buildInputs = [
-  ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
-
-  # jq is linked to libjq:
-  configureFlags = [
-    "LDFLAGS=-Wl,-rpath,\\\${libdir}"
-  ];
-  meta = {
-    inherit (s) version;
-    description = ''A lightweight and flexible command-line JSON processor'';
-    license = stdenv.lib.licenses.mit ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
-  };
-}
-

tv/1systems/nomic.nix

@@ -15,6 +15,7 @@ with config.krebs.lib;
     ../2configs/nginx-public_html.nix
     ../2configs/pulse.nix
     ../2configs/retiolum.nix
+    ../2configs/wu-binary-cache/client.nix
     ../2configs/xserver
   ];
 

tv/1systems/wu.nix

@@ -16,6 +16,7 @@ with config.krebs.lib;
     ../2configs/nginx-public_html.nix
     ../2configs/pulse.nix
     ../2configs/retiolum.nix
+    ../2configs/wu-binary-cache
     ../2configs/xserver
     {
       environment.systemPackages = with pkgs; [
@@ -126,12 +127,12 @@ with config.krebs.lib;
     "/" = {
       device = "/dev/mapper/vg840-wuroot";
       fsType = "btrfs";
-      options = "defaults,noatime,ssd,compress=lzo";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
     "/home" = {
       device = "/dev/mapper/home";
       fsType = "btrfs";
-      options = "defaults,noatime,ssd,compress=lzo";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
     "/boot" = {
       device = "/dev/sda1";
@@ -139,7 +140,7 @@ with config.krebs.lib;
     "/tmp" = {
       device = "tmpfs";
       fsType = "tmpfs";
-      options = "nosuid,nodev,noatime";
+      options = ["nosuid" "nodev" "noatime"];
     };
   };
 

tv/1systems/xu.nix

@@ -15,6 +15,7 @@ with config.krebs.lib;
     ../2configs/nginx-public_html.nix
     ../2configs/pulse.nix
     ../2configs/retiolum.nix
+    ../2configs/wu-binary-cache/client.nix
     ../2configs/xserver
     ../2configs/xu-qemu0.nix
     {
@@ -137,12 +138,12 @@ with config.krebs.lib;
     "/" = {
       device = "/dev/mapper/xuvga-root";
       fsType = "btrfs";
-      options = "defaults,noatime,ssd,compress=lzo";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
     "/home" = {
       device = "/dev/mapper/xuvga-home";
       fsType = "btrfs";
-      options = "defaults,noatime,ssd,compress=lzo";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
     "/boot" = {
       device = "/dev/sda1";
@@ -150,7 +151,7 @@ with config.krebs.lib;
     "/tmp" = {
       device = "tmpfs";
       fsType = "tmpfs";
-      options = "nosuid,nodev,noatime";
+      options = ["nosuid" "nodev" "noatime"];
     };
   };
 

tv/2configs/default.nix

@@ -14,8 +14,7 @@ with config.krebs.lib;
       stockholm = "/home/tv/stockholm";
       nixpkgs = {
         url = https://github.com/NixOS/nixpkgs;
-        rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
+        rev = "40c586b7ce2c559374df435f46d673baf711c543";
-        dev = "/home/tv/nixpkgs";
       };
     } // optionalAttrs config.krebs.build.host.secure {
       secrets-master = "/home/tv/secrets/master";
@@ -49,20 +48,20 @@ with config.krebs.lib;
     }
     {
       security.sudo.extraConfig = ''
+        Defaults env_keep+="SSH_CLIENT"
         Defaults mailto="${config.krebs.users.tv.mail}"
         Defaults !lecture
       '';
       time.timeZone = "Europe/Berlin";
     }
+
     {
       # TODO check if both are required:
       nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
 
-      nix.trustedBinaryCaches = [
+      nix.requireSignedBinaryCaches = true;
-        "https://cache.nixos.org"
+
-        "http://cache.nixos.org"
+      nix.binaryCaches = ["https://cache.nixos.org"];
-        "http://hydra.nixos.org"
-      ];
 
       nix.useChroot = true;
     }
@@ -177,12 +176,6 @@ with config.krebs.lib;
       tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
     }
 
-    {
-      # TODO: exim
-      security.setuidPrograms = [
-        "sendmail"  # for sudo
-      ];
-    }
     {
       environment.systemPackages = [
         pkgs.get

tv/2configs/exim-retiolum.nix

@@ -4,5 +4,9 @@ with config.krebs.lib;
 
 {
   krebs.exim-retiolum.enable = true;
+  krebs.setuid.sendmail = {
+    filename = "${pkgs.exim}/bin/exim";
+    mode = "4111";
+  };
   tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
 }

tv/2configs/exim-smarthost.nix

@@ -40,5 +40,9 @@ with config.krebs.lib;
       { from = "mirko"; to = "mv"; }
     ];
   };
+  krebs.setuid.sendmail = {
+    filename = "${pkgs.exim}/bin/exim";
+    mode = "4111";
+  };
   tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
 }

tv/2configs/vim.nix

@@ -13,21 +13,17 @@ let
     environment.variables.VIMINIT = ":so /etc/vimrc";
   };
 
-  extra-runtimepath = let
+  extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
-    inherit (pkgs.vimUtils) buildVimPlugin rtpPath;
+    pkgs.vimPlugins.undotree
-    fromVimPlugins = pkgs: concatStringsSep ","
+    (pkgs.vimUtils.buildVimPlugin {
-      (mapAttrsToList (name: pkg: "${pkg}/${rtpPath}/${name}") pkgs);
-  in fromVimPlugins {
-    inherit (pkgs.vimPlugins) undotree;
-    file-line = buildVimPlugin {
       name = "file-line-1.0";
       src = pkgs.fetchgit {
         url = git://github.com/bogado/file-line;
         rev = "refs/tags/1.0";
         sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
       };
-    };
+    })
-  };
+  ];
 
   dirs = {
     backupdir = "$HOME/.cache/vim/backup";

tv/2configs/wu-binary-cache/client.nix

@@ -0,0 +1,7 @@
+_:
+{
+  nix = {
+    binaryCaches = ["http://cache.wu.gg23"];
+    binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="];
+  };
+}

tv/2configs/wu-binary-cache/default.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib;
+{
+  services.nix-serve = assert config.krebs.build.host.name == "wu"; {
+    enable = true;
+    secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+  };
+  systemd.services.nix-serve = {
+    requires = ["secret.service"];
+    after = ["secret.service"];
+  };
+  krebs.secret.files.nix-serve-key = {
+    path = "/run/secret/nix-serve.key";
+    owner.name = "nix-serve";
+    source-path = toString <secrets> + "/nix-serve.key";
+  };
+  krebs.nginx = {
+    enable = true;
+    servers.nix-serve = {
+      server-names = [ "cache.wu.gg23" ];
+      locations = singleton (nameValuePair "/" ''
+        proxy_pass http://localhost:${toString config.services.nix-serve.port};
+      '');
+    };
+  };
+}