Merge remote-tracking branch 'cd/master'

makefu 2015-07-24 21:04:22 +02:00
commit e1f4ef731f
20 changed files with 182 additions and 138 deletions


@ -13,7 +13,7 @@ in
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix ../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/charybdis.nix ]; imports = [ ../../2configs/tv/charybdis.nix ];
tv.charybdis = { tv.charybdis = {
@ -22,14 +22,12 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/ejabberd.nix ];
tv.ejabberd = { tv.ejabberd = {
enable = true; enable = true;
hosts = [ "jabber.viljetic.de" ]; hosts = [ "jabber.viljetic.de" ];
}; };
} }
{ {
imports = [ ../../3modules/krebs/github-hosts-sync.nix ];
krebs.github-hosts-sync.enable = true; krebs.github-hosts-sync.enable = true;
tv.iptables.input-internet-accept-new-tcp = tv.iptables.input-internet-accept-new-tcp =
singleton config.krebs.github-hosts-sync.port; singleton config.krebs.github-hosts-sync.port;
@ -39,7 +37,6 @@ in
tv.identity.self = config.tv.identity.hosts.cd; tv.identity.self = config.tv.identity.hosts.cd;
} }
{ {
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -55,19 +52,11 @@ in
}; };
} }
{ {
imports = [
../../3modules/tv/iptables.nix
../../3modules/krebs/nginx.nix
];
tv.iptables.input-internet-accept-new-tcp = singleton "http"; tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de";
} }
{ {
# TODO make public_html also available to cd, cd.retiolum (AKA default) # TODO make public_html also available to cd, cd.retiolum (AKA default)
imports = [
../../3modules/tv/iptables.nix
../../3modules/krebs/nginx.nix
];
tv.iptables.input-internet-accept-new-tcp = singleton "http"; tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.public_html = { krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de"; server-names = singleton "cd.viljetic.de";
@ -86,10 +75,8 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"fastpoke" "fastpoke"
"pigstarter" "pigstarter"


@ -9,13 +9,12 @@ with lib;
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix ../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/identity.nix ]; imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.mkdir; tv.identity.self = config.tv.identity.hosts.mkdir;
} }
{ {
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -29,10 +28,8 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"cd" "cd"
"fastpoke" "fastpoke"


@ -8,13 +8,12 @@ with lib;
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-retiolum.nix ../../2configs/tv/exim-retiolum.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/identity.nix ]; imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.nomic; tv.identity.self = config.tv.identity.hosts.nomic;
} }
{ {
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -26,7 +25,6 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/krebs/nginx.nix ];
krebs.nginx = { krebs.nginx = {
enable = true; enable = true;
servers.default.locations = [ servers.default.locations = [
@ -37,10 +35,8 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"gum" "gum"
"pigstarter" "pigstarter"


@ -9,13 +9,12 @@ with lib;
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-server.nix ../../2configs/tv/consul-server.nix
../../2configs/tv/exim-smarthost.nix ../../2configs/tv/exim-smarthost.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
{ {
imports = [ ../../2configs/tv/identity.nix ]; imports = [ ../../2configs/tv/identity.nix ];
tv.identity.self = config.tv.identity.hosts.rmdir; tv.identity.self = config.tv.identity.hosts.rmdir;
} }
{ {
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -29,10 +28,8 @@ with lib;
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"cd" "cd"
"mkdir" "mkdir"


@ -12,8 +12,7 @@ in
../../2configs/tv/base.nix ../../2configs/tv/base.nix
../../2configs/tv/consul-client.nix ../../2configs/tv/consul-client.nix
../../2configs/tv/exim-retiolum.nix ../../2configs/tv/exim-retiolum.nix
../../2configs/tv/git-public.nix ../../2configs/tv/git.nix
# TODO git-private.nix
../../2configs/tv/mail-client.nix ../../2configs/tv/mail-client.nix
../../2configs/tv/xserver.nix ../../2configs/tv/xserver.nix
../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
@ -24,7 +23,7 @@ in
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# shitment # stockholm
git git
gnumake gnumake
parallel parallel
@ -122,7 +121,6 @@ in
]; ];
} }
{ {
imports = [ ../../3modules/tv/iptables.nix ];
tv.iptables = { tv.iptables = {
enable = true; enable = true;
input-internet-accept-new-tcp = [ input-internet-accept-new-tcp = [
@ -134,7 +132,6 @@ in
}; };
} }
{ {
imports = [ ../../3modules/krebs/nginx.nix ];
krebs.nginx = { krebs.nginx = {
enable = true; enable = true;
servers.default.locations = [ servers.default.locations = [
@ -145,10 +142,8 @@ in
}; };
} }
{ {
imports = [ ../../3modules/tv/retiolum.nix ]; krebs.retiolum = {
tv.retiolum = {
enable = true; enable = true;
hosts = ../../Zhosts;
connectTo = [ connectTo = [
"gum" "gum"
"pigstarter" "pigstarter"
@ -156,7 +151,6 @@ in
}; };
} }
{ {
imports = [ ../../3modules/krebs/urlwatch.nix ];
krebs.urlwatch = { krebs.urlwatch = {
enable = true; enable = true;
mailto = "tv@wu.retiolum"; # TODO mailto = "tv@wu.retiolum"; # TODO


@ -1,7 +1,6 @@
{ config, ... }: { config, ... }:
{ {
imports = [ ../../3modules/tv/consul.nix ];
tv.consul = rec { tv.consul = rec {
enable = true; enable = true;


@ -4,9 +4,9 @@
services.exim = services.exim =
# This configuration makes only sense for retiolum-enabled hosts. # This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration # TODO modular configuration
assert config.tv.retiolum.enable; assert config.krebs.retiolum.enable;
let let
# TODO get the hostname from config.tv.retiolum. # TODO get the hostname from config.krebs.retiolum.
retiolumHostname = "${config.networking.hostName}.retiolum"; retiolumHostname = "${config.networking.hostName}.retiolum";
in in
{ enable = true; { enable = true;


@ -1,18 +1,22 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with import ../../4lib/tv { inherit lib pkgs; }; with import ../../4lib/tv { inherit lib pkgs; };
let let
out = { out = {
imports = [ ../../3modules/krebs/git.nix ];
krebs.git = { krebs.git = {
enable = true; enable = true;
root-title = "public repositories at ${config.tv.identity.self.name}"; root-title = "public repositories at ${config.tv.identity.self.name}";
root-desc = "keep calm and engage"; root-desc = "keep calm and engage";
inherit repos rules users; inherit repos rules;
}; };
}; };
repos = public-repos; repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) (
public-repos //
optionalAttrs config.tv.identity.self.secure restricted-repos
);
rules = concatMap make-rules (attrValues repos); rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo { public-repos = mapAttrs make-public-repo {
@ -37,13 +41,14 @@ let
xintmap = {}; xintmap = {};
}; };
# TODO move users to separate module restricted-repos = mapAttrs make-restricted-repo (
users = mapAttrs make-user { {
tv = ../../Zpubkeys/tv_wu.ssh.pub; brain = {
lass = ../../Zpubkeys/lass.ssh.pub; collaborators = with config.krebs.users; [ lass makefu ];
uriel = ../../Zpubkeys/uriel.ssh.pub;
makefu = ../../Zpubkeys/makefu.ssh.pub;
}; };
} //
import /root/src/secrets/repos.nix { inherit config lib pkgs; }
);
make-public-repo = name: { desc ? null, ... }: { make-public-repo = name: { desc ? null, ... }: {
inherit name desc; inherit name desc;
@ -58,8 +63,14 @@ let
}; };
}; };
make-restricted-repo = name: { desc ? null, ... }: {
inherit name desc;
public = false;
hooks = {}; # TODO default
};
make-rules = make-rules =
with git // users; with git // config.krebs.users;
repo: repo:
singleton { singleton {
user = tv; user = tv;
@ -70,11 +81,11 @@ let
user = [ lass makefu uriel ]; user = [ lass makefu uriel ];
repo = [ repo ]; repo = [ repo ];
perm = fetch; perm = fetch;
}; } ++
optional (length (repo.collaborators or []) > 0) {
make-user = name: pubkey-file: { user = repo.collaborators;
inherit name; repo = [ repo ];
pubkey = readFile pubkey-file; perm = fetch;
}; };
in out in out
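Review bot: The collaborators rule appended to make-rules in the last hunk (`optional (length (repo.collaborators or []) > 0) { user = repo.collaborators; … }`) can never fire as written: `make-restricted-repo` returns only `name`, `desc`, `public` and `hooks`, and `repos` additionally strips `collaborators` with `removeAttrs` before `rules = concatMap make-rules (attrValues repos)` is computed, so no repo that reaches make-rules carries a `collaborators` attribute. If the intent is that only collaborators may fetch a restricted repo, note also that the unchanged rule just above it grants `fetch` on every repo to `lass makefu uriel` regardless of `public`, so that rule would need to be gated on `repo.public` as well. One fix is to keep collaborators on an intermediate set, derive the rules from it, and pass the stripped set to krebs.git as the original already does. make-rules begins in the previous hunk (`with git // config.krebs.users;`).
```nix
  # repos with `collaborators` kept, used for rule generation only
  all-repos =
    public-repos //
    optionalAttrs config.tv.identity.self.secure restricted-repos;
  # stripped copy handed to krebs.git, as before
  repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) all-repos;
  rules = concatMap make-rules (attrValues all-repos);
  # … unchanged: public-repos, restricted-repos, make-public-repo …
  make-restricted-repo = name: { desc ? null, collaborators ? [], ... }: {
    inherit name desc collaborators;
    public = false;
    hooks = {}; # TODO default
  };
  # … unchanged: make-rules …
```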


@ -1,7 +1,6 @@
{ config, ... }: { config, ... }:
{ {
imports = [ ../../3modules/tv/identity.nix ];
tv.identity = { tv.identity = {
enable = true; enable = true;
search = "retiolum"; search = "retiolum";
@ -99,6 +98,7 @@
''; '';
}; };
}; };
secure = true;
}; };
rmdir = { rmdir = {
cores = 1; cores = 1;
@ -154,6 +154,7 @@
''; '';
}; };
}; };
secure = true;
}; };
}; };
}; };
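Review bot: The two added `secure = true;` lines record no reason why those hosts qualify, while the option's own description added in 4lib/krebs/types.nix in this commit still lists the minimum requirements as a TODO. This flag is what makes 2configs/tv/git.nix merge restricted-repos and import /root/src/secrets/repos.nix on the host, so a short comment at each site, e.g. `secure = true; # <why this host may hold secrets — fill in>`, would preserve the decision until the requirements are written down. The host names the two lines belong to are outside the hunks shown here.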


@ -0,0 +1,43 @@
{ config, lib, ... }:
with import ../../4lib/krebs { inherit lib; };
let
cfg = config.krebs;
out = {
imports = [
./github-hosts-sync.nix
./git.nix
./nginx.nix
./retiolum.nix
./urlwatch.nix
];
options.krebs = api;
config = mkIf cfg.enable imp;
};
api = {
users = mkOption {
type = with types; attrsOf user;
default = addNames {
lass = {
pubkey = readFile ../../Zpubkeys/lass.ssh.pub;
};
makefu = {
pubkey = readFile ../../Zpubkeys/makefu.ssh.pub;
};
tv = {
pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub;
};
uriel = {
pubkey = readFile ../../Zpubkeys/uriel.ssh.pub;
};
};
};
};
imp = {
};
in
out
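Review bot: `config = mkIf cfg.enable imp;` reads `config.krebs.enable`, but `api` declares only `users`, so as far as this file shows no `krebs.enable` option exists. It evaluates today only because `imp` is empty — the module system pushes the `mkIf` condition down onto each attribute of the content, and there are none — so the first attribute added to `imp` will surface a missing-attribute error instead of a clean option error. Either declare it, `enable = mkEnableOption "krebs";`, or drop the `mkIf` and make `config = imp;` until there is something to gate.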


@ -6,8 +6,7 @@
# TODO when authorized_keys changes, then restart ssh # TODO when authorized_keys changes, then restart ssh
# (or kill already connected users somehow) # (or kill already connected users somehow)
with builtins; with import ../../4lib/krebs { inherit lib; };
with lib;
let let
cfg = config.krebs.git; cfg = config.krebs.git;
@ -127,9 +126,6 @@ let
rules = mkOption { rules = mkOption {
type = types.unspecified; type = types.unspecified;
}; };
users = mkOption {
type = types.unspecified;
};
}; };
git-imp = { git-imp = {
@ -157,7 +153,8 @@ let
name = "git"; name = "git";
shell = "/bin/sh"; shell = "/bin/sh";
openssh.authorizedKeys.keys = openssh.authorizedKeys.keys =
mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
config.krebs.users;
uid = 129318403; # genid git uid = 129318403; # genid git
}; };
}; };
@ -263,7 +260,7 @@ let
isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: makeAuthorizedKey = git-ssh-command: user@{ name, pubkey, ... }:
# TODO assert name # TODO assert name
# TODO assert pubkey # TODO assert pubkey
let let
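Review bot: The git account's `openssh.authorizedKeys.keys` is now built from the global `config.krebs.users` (third hunk) rather than the removed per-host `cfg.users`, so every user declared in krebs.users can open an ssh session as the git user on each host that enables krebs.git, with the rules then governing what they may do (the enforcement is not visible in these hunks). That widening is probably intended, but it deserves a comment at the expression, e.g. `# every krebs user may connect as git; what they can do is decided by the rules`. Removing the `users` option also means any remaining `krebs.git.users` definition elsewhere now fails as an undefined option; the enclosing `git-imp` set starts outside the hunk.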


@ -57,9 +57,9 @@ let
}; };
hosts = mkOption { hosts = mkOption {
default = null; type = with types; either package path;
default = ../../Zhosts;
description = '' description = ''
Hosts package or path to use.
If a path is given, then it will be used to generate an ad-hoc package. If a path is given, then it will be used to generate an ad-hoc package.
''; '';
}; };
@ -131,24 +131,20 @@ let
}; };
tinc = cfg.tincPackage; tinc = cfg.tincPackage;
hostsType = builtins.typeOf cfg.hosts;
hosts = hosts = getAttr (typeOf cfg.hosts) {
if hostsType == "package" then package = cfg.hosts;
# use package as is path = pkgs.stdenv.mkDerivation {
cfg.hosts
else if hostsType == "path" then
# use path to generate a package
pkgs.stdenv.mkDerivation {
name = "custom-retiolum-hosts"; name = "custom-retiolum-hosts";
src = cfg.hosts; src = cfg.hosts;
installPhase = '' installPhase = ''
mkdir $out mkdir $out
find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out find . -name .git -prune -o -type f -print0 \
| xargs -0 cp --target-directory $out
''; '';
} };
else };
abort "The option `services.retiolum.hosts' must be set to a package or a path"
;
iproute = cfg.iproutePackage; iproute = cfg.iproutePackage;
retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
@ -226,5 +222,5 @@ let
chmod +x $out/tinc-up chmod +x $out/tinc-up
''; '';
in
out in out
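Review bot: `hosts = getAttr (typeOf cfg.hosts) { package = …; path = …; }` assumes `typeOf` yields "package" for a derivation, but unless this module shadows it, `builtins.typeOf` returns "set" for a derivation, so a package value passes the new `either package path` type check and then fails on `getAttr` with a missing-attribute error; only the `path` branch is reachable. The old code had the same dead branch (`hostsType == "package"` could never match), so this is not a regression, but the branch selection should not depend on the spelling of `typeOf`: `hosts = if isDerivation cfg.hosts then cfg.hosts else pkgs.stdenv.mkDerivation { … };` with the existing mkDerivation body makes both branches live.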


@ -10,7 +10,6 @@ let
cfg = config.tv.consul; cfg = config.tv.consul;
out = { out = {
imports = [ ../../3modules/tv/iptables.nix ];
options.tv.consul = api; options.tv.consul = api;
config = mkIf cfg.enable (mkMerge [ config = mkIf cfg.enable (mkMerge [
imp imp

3modules/tv/default.nix Normal file

@ -0,0 +1,10 @@
_:
{
imports = [
./consul.nix
./ejabberd.nix
./identity.nix
./iptables.nix
];
}


@ -1,29 +0,0 @@
{ config, lib, ... }:
with lib;
let
cfg = config.tv.retiolum;
out = {
imports = [ ../../3modules/krebs/retiolum.nix ];
options.tv.retiolum = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.retiolum";
connectTo = mkOption {
type = with types; listOf str;
};
hosts = mkOption {
type = types.path;
};
};
imp = {
krebs.retiolum = cfg;
};
in out


@ -1,6 +1,14 @@
{ lib, ... }: { lib, ... }:
builtins // lib // { with builtins;
with lib;
builtins // lib // rec {
addName = name: set:
set // { inherit name; };
addNames = mapAttrs addName;
types = import ./types.nix { inherit lib; }; types = import ./types.nix { inherit lib; };


@ -20,6 +20,15 @@ types // rec {
type = attrsOf net; type = attrsOf net;
apply = x: assert hasAttr "retiolum" x; x; apply = x: assert hasAttr "retiolum" x; x;
}; };
secure = mkOption {
type = bool;
default = false;
description = ''
If true, then the host is capable of keeping secret information.
TODO define minimum requirements for secure hosts
'';
};
}; };
}; };
@ -72,6 +81,17 @@ types // rec {
merge = mergeOneOption; merge = mergeOneOption;
}; };
user = submodule {
options = {
name = mkOption {
type = str; # TODO
};
pubkey = mkOption {
type = str;
};
};
};
# TODO # TODO
addr = str; addr = str;
addr4 = str; addr4 = str;
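Review bot: The new `user` submodule types `pubkey` as a bare `str` with no description, yet krebs/git.nix in this commit splices it verbatim into the git account's authorized_keys through makeAuthorizedKey, and the defaults in krebs/default.nix come from `readFile`, which keeps the file's trailing newline. A description stating the contract, e.g. `description = "OpenSSH public key as a single authorized_keys line";`, and resolving the `# TODO` on `name` (what the string may contain) would make the option self-explaining; it is also worth confirming that makeAuthorizedKey tolerates the trailing newline.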


@ -15,16 +15,9 @@ krebs // rec {
inherit pkgs; inherit pkgs;
}; };
addName = name: set:
set // { inherit name; };
addNames = mapAttrs addName;
# "7.4.335" -> "74" # "7.4.335" -> "74"
majmin = with lib; x : concatStrings (take 2 (splitString "." x)); majmin = with lib; x : concatStrings (take 2 (splitString "." x));
concat = xs : concat = xs :
if xs == [] if xs == []
then "" then ""


@ -41,13 +41,14 @@ deploy:;@
"$$src/" "$$deploy_host:$$dst" "$$src/" "$$deploy_host:$$dst"
)} )}
prepush /root/src/shitment "$$PWD" prepush /root/src/stockholm "$$PWD"
prepush /root/src/secrets "$$secrets_dir" prepush /root/src/secrets "$$secrets_dir"
ssh -S none "$$deploy_host" -T env \ ssh -S none "$$deploy_host" -T env \
nixpkgs_url="$$nixpkgs_url" \ nixpkgs_url="$$nixpkgs_url" \
nixpkgs_rev="$$nixpkgs_rev" \ nixpkgs_rev="$$nixpkgs_rev" \
system_name="$$system_name" \ system_name="$$system_name" \
user_name="$$LOGNAME" \
sh -euf \ sh -euf \
<<-\EOF <<-\EOF
prefetch(){( prefetch(){(
@ -77,26 +78,30 @@ deploy:;@
prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
echo build system... echo build system...
NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \ NIX_PATH=/root/src \
NIX_PATH=src \ nix-build \
nix-build -Q -A system '<nixpkgs/nixos>' -Q \
-A system \
'<stockholm>' \
--argstr user-name "$$user_name" \
--argstr system-name "$$system_name"
result/bin/switch-to-configuration switch result/bin/switch-to-configuration switch
EOF EOF
.PHONY: eval .PHONY: eval
eval: eval:
@nix-instantiate \ @
NIX_PATH=stockholm=$$PWD:$$NIX_PATH \
nix-instantiate \
--json \ --json \
--eval \ --eval \
--strict \ --strict \
-A "$$get" \ -A "$$get" \
-E ' '<stockholm>' \
import <nixpkgs/nixos/lib/eval-config.nix> { --argstr user-name "$$LOGNAME" \
system = builtins.currentSystem; --argstr system-name "$$system" \
modules = [ ./1systems/$(LOGNAME)/$(system).nix ]; | jq -r .
}
' | jq -r .
else else
$(error unbound variable: system[s]) $(error unbound variable: system[s])
endif endif

default.nix Normal file

@ -0,0 +1,20 @@
{ user-name, system-name }:
let
eval = import <nixpkgs/nixos/lib/eval-config.nix> {
system = builtins.currentSystem;
modules = [
(./1systems + "/${user-name}/${system-name}.nix")
(./3modules/krebs)
(./3modules + "/${user-name}")
];
};
in
{
inherit (eval) config options;
system = eval.config.system.build.toplevel;
}
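Review bot: `./1systems + "/${user-name}/${system-name}.nix"` and `./3modules + "/${user-name}"` build paths from two string arguments without checking their contents, so a value containing `/` or `..` resolves to a file outside the intended directory. Both values come from the Makefile in this commit (`--argstr user-name "$$user_name"` from the deployer's `$LOGNAME`, and the `system` variable), so this is a footgun rather than an exposure, but a guard such as `assert baseNameOf user-name == user-name && user-name != "..";` (likewise for system-name), or at least a comment `# user-name and system-name must be plain names: they are used as path components below`, would pin the assumption.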