Merge remote-tracking branch 'lass/master'
commit
e7dd1d0e65
|
@ -8,6 +8,7 @@
|
||||||
<stockholm/jeschli/2configs/emacs.nix>
|
<stockholm/jeschli/2configs/emacs.nix>
|
||||||
<stockholm/jeschli/2configs/xdg.nix>
|
<stockholm/jeschli/2configs/xdg.nix>
|
||||||
<stockholm/jeschli/2configs/xserver>
|
<stockholm/jeschli/2configs/xserver>
|
||||||
|
<stockholm/jeschli/2configs/steam.nix>
|
||||||
<stockholm/jeschli/2configs/virtualbox.nix>
|
<stockholm/jeschli/2configs/virtualbox.nix>
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
<stockholm/jeschli>
|
<stockholm/jeschli>
|
||||||
<stockholm/jeschli/2configs/retiolum.nix>
|
<stockholm/jeschli/2configs/retiolum.nix>
|
||||||
<stockholm/jeschli/2configs/IM.nix>
|
<stockholm/jeschli/2configs/IM.nix>
|
||||||
|
<stockholm/jeschli/2configs/git.nix>
|
||||||
<stockholm/jeschli/2configs/os-templates/CentOS-7-64bit.nix>
|
<stockholm/jeschli/2configs/os-templates/CentOS-7-64bit.nix>
|
||||||
{
|
{
|
||||||
networking.dhcpcd.allowInterfaces = [
|
networking.dhcpcd.allowInterfaces = [
|
||||||
|
|
73
jeschli/2configs/git.nix
Normal file
73
jeschli/2configs/git.nix
Normal file
|
@ -0,0 +1,73 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
|
||||||
|
let
|
||||||
|
|
||||||
|
out = {
|
||||||
|
services.nginx.enable = true;
|
||||||
|
krebs.git = {
|
||||||
|
enable = true;
|
||||||
|
cgit = {
|
||||||
|
settings = {
|
||||||
|
root-title = "public repositories at ${config.krebs.build.host.name}";
|
||||||
|
root-desc = "keep calm and engage";
|
||||||
|
};
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
|
||||||
|
rules = rules;
|
||||||
|
};
|
||||||
|
|
||||||
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
|
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
repos = public-repos;
|
||||||
|
|
||||||
|
rules = concatMap make-rules (attrValues repos);
|
||||||
|
|
||||||
|
public-repos = mapAttrs make-public-repo {
|
||||||
|
stockholm = {
|
||||||
|
cgit.desc = "Bonbon aus Git - die ganze Nacht";
|
||||||
|
};
|
||||||
|
krebs-page = {
|
||||||
|
cgit.desc = "Die Krebs Page";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
make-public-repo = name: { cgit ? {}, ... }: {
|
||||||
|
inherit cgit name;
|
||||||
|
public = true;
|
||||||
|
hooks = {
|
||||||
|
post-receive = pkgs.git-hooks.irc-announce {
|
||||||
|
nick = config.krebs.build.host.name;
|
||||||
|
channel = "#xxx";
|
||||||
|
server = "irc.r";
|
||||||
|
verbose = true;
|
||||||
|
branches = [ "master" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
make-rules =
|
||||||
|
with git // config.krebs.users;
|
||||||
|
repo:
|
||||||
|
singleton {
|
||||||
|
user = [ jeschli jeschli-brauerei];
|
||||||
|
repo = [ repo ];
|
||||||
|
perm = push "refs/*" [ non-fast-forward create delete merge ];
|
||||||
|
} ++
|
||||||
|
optional repo.public {
|
||||||
|
user = attrValues config.krebs.users;
|
||||||
|
repo = [ repo ];
|
||||||
|
perm = fetch;
|
||||||
|
} ++
|
||||||
|
optional (length (repo.collaborators or []) > 0) {
|
||||||
|
user = repo.collaborators;
|
||||||
|
repo = [ repo ];
|
||||||
|
perm = fetch;
|
||||||
|
};
|
||||||
|
|
||||||
|
in out
|
|
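Review bot: `make-rules` is the access-control core of this file and carries no comment: its first rule gives `jeschli` and `jeschli-brauerei` `push "refs/*"` with `non-fast-forward create delete merge` on every repo (so history rewriting and ref deletion are possible on the public ones too), while the `collaborators` rule at the bottom grants only `fetch`, which is not what the field name suggests. A comment above `make-rules` such as `# owners: full write incl. force-push/delete; everyone: fetch on public repos; collaborators: fetch only` would stop the next reader from assuming collaborators can push. It would also help to note next to `repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;` why the field is stripped before the repos reach krebs.git — presumably because only the rule builder consumes it, if that is indeed the reason.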
@ -17,7 +17,7 @@
|
||||||
tinc = pkgs.tinc_pre;
|
tinc = pkgs.tinc_pre;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 655 ];
|
networking.firewall.allowedTCPPorts = [ 80 655 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 655 ];
|
networking.firewall.allowedUDPPorts = [ 655 ];
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
|
|
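Review bot: `networking.firewall.allowedTCPPorts = [ 80 655 ];` opens port 80 on every interface, whereas the new jeschli/2configs/git.nix in this commit admits port 80 only with `-i retiolum` through `krebs.iptables`. If `krebs.iptables` is the firewall actually in effect on these hosts the NixOS firewall entry is inert and could be dropped; if both are active, the broader rule wins and cgit is reachable from non-retiolum interfaces as well. Either way the two layers should state the same policy; a one-line comment naming the intended exposure next to the list, `# cgit: retiolum only, see 2configs/git.nix`, would settle it. The surrounding attribute set continues outside the hunk.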
12
jeschli/2configs/steam.nix
Normal file
12
jeschli/2configs/steam.nix
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
nixpkgs.config.steam.java = true;
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
steam
|
||||||
|
];
|
||||||
|
hardware.opengl.driSupport32Bit = true;
|
||||||
|
|
||||||
|
#ports for inhome streaming
|
||||||
|
}
|
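Review bot: The trailing `#ports for inhome streaming` comment sits directly above the closing brace with no option beneath it, so it documents nothing and reads like an unfinished edit. Either add the firewall entries it refers to or drop the comment; if it is meant as a reminder, make that explicit as `# TODO: open the ports needed for in-home streaming` so a TODO search finds it.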
40
jeschli/krops.nix
Normal file
40
jeschli/krops.nix
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{ name }: let
|
||||||
|
inherit (import ../krebs/krops.nix { inherit name; })
|
||||||
|
krebs-source
|
||||||
|
lib
|
||||||
|
pkgs
|
||||||
|
;
|
||||||
|
|
||||||
|
source = { test }: lib.evalSource [
|
||||||
|
krebs-source
|
||||||
|
{
|
||||||
|
nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
|
||||||
|
secrets = if test then {
|
||||||
|
file = toString ./2configs/tests/dummy-secrets;
|
||||||
|
} else {
|
||||||
|
pass = {
|
||||||
|
dir = "${lib.getEnv "HOME"}/.password-store";
|
||||||
|
name = "hosts/${name}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
in {
|
||||||
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
|
||||||
|
deploy = pkgs.krops.writeDeploy "${name}-deploy" {
|
||||||
|
source = source { test = false; };
|
||||||
|
target = "root@${name}/var/src";
|
||||||
|
};
|
||||||
|
|
||||||
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A test)
|
||||||
|
test = pkgs.krops.writeTest "${name}-test" {
|
||||||
|
source = source { test = true; };
|
||||||
|
target = "${lib.getEnv "HOME"}/tmp/${name}-stockholm-test";
|
||||||
|
};
|
||||||
|
|
||||||
|
ci = pkgs.krops.writeTest "${name}-test" {
|
||||||
|
source = source { test = true; };
|
||||||
|
target = "${lib.getEnv "HOME"}/stockholm-build";
|
||||||
|
};
|
||||||
|
}
|
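Review bot: `ci` reuses the derivation name `"${name}-test"` that `test` already uses a few lines above, so the two store paths differ only in their hash and nothing in the name says which one a build log refers to; `pkgs.krops.writeTest "${name}-ci"` would tell them apart. The same duplicated name is introduced by this commit in nin/krops.nix, lass/krops.nix, makefu/krops.nix and in the `ci` attribute added to the krebs krops file. `ci` also lacks the `# usage:` line its siblings carry; `# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A ci)` matches how the new `build` script in the buildbot config invokes it.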
0
krebs/0tests/data/secrets/konsens.id_ed25519
Normal file
0
krebs/0tests/data/secrets/konsens.id_ed25519
Normal file
|
@ -4,6 +4,14 @@ let
|
||||||
|
|
||||||
hostname = config.networking.hostName;
|
hostname = config.networking.hostName;
|
||||||
|
|
||||||
|
build = pkgs.writeDash "build" ''
|
||||||
|
set -eu
|
||||||
|
export USER="$1"
|
||||||
|
export SYSTEM="$2"
|
||||||
|
$(nix-build $USER/krops.nix --no-out-link --argstr name "$SYSTEM" --argstr target "$HOME/stockholm-build" -A ci)
|
||||||
|
'';
|
||||||
|
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
networking.firewall.allowedTCPPorts = [ 80 ];
|
||||||
|
@ -24,7 +32,7 @@ in
|
||||||
testslave = "lasspass";
|
testslave = "lasspass";
|
||||||
};
|
};
|
||||||
change_source.stockholm = ''
|
change_source.stockholm = ''
|
||||||
stockholm_repo = 'http://cgit.prism.r/stockholm'
|
stockholm_repo = 'http://cgit.hotdog.r/stockholm'
|
||||||
cs.append(
|
cs.append(
|
||||||
changes.GitPoller(
|
changes.GitPoller(
|
||||||
stockholm_repo,
|
stockholm_repo,
|
||||||
|
@ -95,15 +103,9 @@ in
|
||||||
env={
|
env={
|
||||||
"NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src",
|
"NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src",
|
||||||
"NIX_REMOTE": "daemon",
|
"NIX_REMOTE": "daemon",
|
||||||
"dummy_secrets": "true",
|
|
||||||
},
|
},
|
||||||
command=[
|
command=[
|
||||||
"nix-shell", "-I", "stockholm=.", "--run", " ".join(["test",
|
"${build}", user, host
|
||||||
"--user={}".format(user),
|
|
||||||
"--system={}".format(host),
|
|
||||||
"--force-populate",
|
|
||||||
"--target=$LOGNAME@${config.krebs.build.host.name}$HOME/{}".format(user),
|
|
||||||
])
|
|
||||||
],
|
],
|
||||||
timeout=90001,
|
timeout=90001,
|
||||||
workdir='build', # TODO figure out why we need this?
|
workdir='build', # TODO figure out why we need this?
|
||||||
|
|
|
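Review bot: In the new `build` script, `nix-build $USER/krops.nix ... --argstr target "$HOME/stockholm-build" -A ci` passes a `target` argument that none of the krops.nix files visible in this commit declare (jeschli, lass and nin are all `{ name }: ...`, and lass/krops.nix even drops its extra `config` formal), so nix-build's auto-call appears to discard it and the effective target is the `"${lib.getEnv "HOME"}/stockholm-build"` each file hardcodes. Either remove `--argstr target ...` or add `target ? "${lib.getEnv "HOME"}/stockholm-build"` to those formals so the flag is honoured. `$USER` in `$USER/krops.nix` is also the one unquoted expansion under `set -eu`; `"$USER"/krops.nix` is the consistent form. `export USER="$1"` shadows the login-user variable for the rest of the job, which is probably intended but deserves a one-line comment.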
@ -3,6 +3,10 @@
|
||||||
with import <stockholm/lib>;
|
with import <stockholm/lib>;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
konsens-user = {
|
||||||
|
name = "konsens";
|
||||||
|
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKKozGNGBAzHnyj6xUlsjGxxknyChXvuyrddkWVVnz7";
|
||||||
|
};
|
||||||
mirror = "git@${config.networking.hostName}:";
|
mirror = "git@${config.networking.hostName}:";
|
||||||
|
|
||||||
defineRepo = {
|
defineRepo = {
|
||||||
|
@ -20,7 +24,7 @@ let
|
||||||
verbose = false;
|
verbose = false;
|
||||||
channel = "#xxx";
|
channel = "#xxx";
|
||||||
server = "irc.r";
|
server = "irc.r";
|
||||||
branches = [ "newest" ];
|
branches = [ "master" "newest" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -37,6 +41,13 @@ let
|
||||||
repo = [ repo ];
|
repo = [ repo ];
|
||||||
perm = push ''refs/*'' [ non-fast-forward create delete merge ];
|
perm = push ''refs/*'' [ non-fast-forward create delete merge ];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
user = [
|
||||||
|
konsens-user
|
||||||
|
];
|
||||||
|
repo = [ repo ];
|
||||||
|
perm = push ''refs/heads/master'' [ create merge ];
|
||||||
|
}
|
||||||
{
|
{
|
||||||
user = attrValues config.krebs.users;
|
user = attrValues config.krebs.users;
|
||||||
repo = [ repo ];
|
repo = [ repo ];
|
||||||
|
@ -108,6 +119,19 @@ in {
|
||||||
krebs.repo-sync = {
|
krebs.repo-sync = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
krebs.konsens = {
|
||||||
|
enable = true;
|
||||||
|
repos = {
|
||||||
|
krops = { branchesToCheck = [ "lassulus" "tv" ]; };
|
||||||
|
stockholm = {};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
krebs.secret.files.konsens = {
|
||||||
|
path = "/var/lib/konsens/.ssh/id_ed25519";
|
||||||
|
owner = konsens-user;
|
||||||
|
source-path = "${<secrets/konsens.id_ed25519>}";
|
||||||
|
};
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
(sync-retiolum { name = "the_playlist"; desc = "Good Music collection + tools"; section = "art"; })
|
(sync-retiolum { name = "the_playlist"; desc = "Good Music collection + tools"; section = "art"; })
|
||||||
|
|
||||||
|
|
|
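Review bot: The new rule in `defineRepo` gives `konsens-user` `push ''refs/heads/master'' [ create merge ]` on every repository defined through it, but `krebs.konsens.repos` further down enables the service for only `krops` and `stockholm`. The key at `/var/lib/konsens/.ssh/id_ed25519` is held by an unattended service that clones and pushes over the network, so its reach should match what it actually does; if the repo's name is in scope here (the `name` argument of `defineRepo`, whose head is outside the hunk), `optional (hasAttr name config.krebs.konsens.repos) { user = [ konsens-user ]; repo = [ repo ]; perm = push ''refs/heads/master'' [ create merge ]; }` limits the grant to those two repos. Withholding `delete` and `non-fast-forward` is the right call and worth a comment: `# konsens only pushes the merge-base of the watched branches to master; no force-push, no delete`.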
@ -26,6 +26,7 @@ let
|
||||||
./iana-etc.nix
|
./iana-etc.nix
|
||||||
./iptables.nix
|
./iptables.nix
|
||||||
./kapacitor.nix
|
./kapacitor.nix
|
||||||
|
./konsens.nix
|
||||||
./monit.nix
|
./monit.nix
|
||||||
./newsbot-js.nix
|
./newsbot-js.nix
|
||||||
./nixpkgs.nix
|
./nixpkgs.nix
|
||||||
|
|
|
@ -348,6 +348,10 @@ let
|
||||||
users.users.${cfg.user.name} = {
|
users.users.${cfg.user.name} = {
|
||||||
inherit (cfg.user) home name uid;
|
inherit (cfg.user) home name uid;
|
||||||
description = "Git repository hosting user";
|
description = "Git repository hosting user";
|
||||||
|
extraGroups = [
|
||||||
|
# To allow running cgit-clear-cache via hooks.
|
||||||
|
cfg.cgit.fcgiwrap.group.name
|
||||||
|
];
|
||||||
shell = "/bin/sh";
|
shell = "/bin/sh";
|
||||||
openssh.authorizedKeys.keys =
|
openssh.authorizedKeys.keys =
|
||||||
unique
|
unique
|
||||||
|
@ -403,13 +407,12 @@ let
|
||||||
));
|
));
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
(pkgs.writeDashBin "cgit-clear-cache" ''
|
(pkgs.cgit-clear-cache.override { inherit (cfg.cgit.settings) cache-root; })
|
||||||
${pkgs.coreutils}/bin/rm -f ${cfg.cgit.settings.cache-root}/*
|
|
||||||
'')
|
|
||||||
];
|
];
|
||||||
|
|
||||||
system.activationScripts.cgit = ''
|
system.activationScripts.cgit = ''
|
||||||
mkdir -m 0700 -p ${cfg.cgit.settings.cache-root}
|
mkdir -m 0770 -p ${cfg.cgit.settings.cache-root}
|
||||||
|
chmod 0770 ${cfg.cgit.settings.cache-root}
|
||||||
chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root}
|
chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|
|
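Review bot: The activation script now creates the cgit cache with `mkdir -m 0770` and additionally `chmod 0770`s it on every activation, and the hosting user joins `cfg.cgit.fcgiwrap.group.name` through the new `extraGroups`; together this makes the cache writable by every member of the fcgiwrap group, not only the fcgiwrap user as the previous 0700 did. That is the intended cost of letting hooks run `cgit-clear-cache`, but the script does not say so; a comment above the `mkdir`, `# 0770: git hooks run as the git user, which is in the fcgiwrap group, and must be able to clear the cache`, would record the decision. The added `chmod` also applies the mode to a directory that already existed, which `mkdir -m -p` alone would not, and that is worth stating next to it.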
@ -132,6 +132,7 @@ with import <stockholm/lib>;
|
||||||
ip6.addr = "42::30";
|
ip6.addr = "42::30";
|
||||||
aliases = [
|
aliases = [
|
||||||
"enklave.r"
|
"enklave.r"
|
||||||
|
"cgit.enklave.r"
|
||||||
];
|
];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
|
80
krebs/3modules/konsens.nix
Normal file
80
krebs/3modules/konsens.nix
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.krebs.konsens;
|
||||||
|
|
||||||
|
out = {
|
||||||
|
options.krebs.konsens = api;
|
||||||
|
config = lib.mkIf cfg.enable imp;
|
||||||
|
};
|
||||||
|
|
||||||
|
api = {
|
||||||
|
enable = mkEnableOption "git konsens finder";
|
||||||
|
repos = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule ({ config, ...}: {
|
||||||
|
options = {
|
||||||
|
url = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "git@localhost:${config._module.args.name}";
|
||||||
|
};
|
||||||
|
branchesToCheck = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ "lassulus" "makefu" "tv" ];
|
||||||
|
};
|
||||||
|
target = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "master";
|
||||||
|
};
|
||||||
|
timerConfig = mkOption {
|
||||||
|
type = types.attrsOf types.str;
|
||||||
|
default = {
|
||||||
|
OnCalendar = "*:00,15,30,45";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
imp = {
|
||||||
|
users.users.konsens = rec {
|
||||||
|
name = "konsens";
|
||||||
|
uid = genid name;
|
||||||
|
home = "/var/lib/konsens";
|
||||||
|
createHome = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers = mapAttrs' (name: repo:
|
||||||
|
nameValuePair "konsens-${name}" {
|
||||||
|
description = "konsens timer";
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = repo.timerConfig;
|
||||||
|
}
|
||||||
|
) cfg.repos;
|
||||||
|
|
||||||
|
systemd.services = mapAttrs' (name: repo:
|
||||||
|
nameValuePair "konsens-${name}" {
|
||||||
|
after = [ "network.target" "secret.service" ];
|
||||||
|
path = [ pkgs.git ];
|
||||||
|
restartIfChanged = false;
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "simple";
|
||||||
|
PermissionsStartOnly = true;
|
||||||
|
ExecStart = pkgs.writeDash "konsens-${name}" ''
|
||||||
|
if ! test -e ${name}; then
|
||||||
|
git clone ${repo.url} ${name}
|
||||||
|
fi
|
||||||
|
cd ${name}
|
||||||
|
git fetch origin
|
||||||
|
git push origin $(git merge-base ${concatMapStringsSep " " (branch: "origin/${branch}") repo.branchesToCheck}):refs/heads/master
|
||||||
|
'';
|
||||||
|
WorkingDirectory = /var/lib/konsens;
|
||||||
|
User = "konsens";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
) cfg.repos;
|
||||||
|
};
|
||||||
|
|
||||||
|
in out
|
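Review bot: The push at the end of the `ExecStart` script is built from `$(git merge-base …)` with no `set -e` and no check that the substitution is non-empty, so a failing merge-base (a branch missing on origin, unrelated histories) turns the command into `git push origin :refs/heads/master`, which is a ref-deletion request; the server-side rule added in lass's git.nix withholds `delete`, but the script should not depend on that. The `target` option declared above is never read — the script hardcodes `refs/heads/master`. `WorkingDirectory = /var/lib/konsens;` is a path literal where the sibling `home = "/var/lib/konsens";` uses a string; quoting it avoids the store-import semantics a path acquires if it is ever interpolated into a string. The rewrite below adds `set -efu`, guards the merge-base result and pushes to `repo.target`.
```nix
ExecStart = pkgs.writeDash "konsens-${name}" ''
  set -efu
  if ! test -e ${name}; then
    git clone ${repo.url} ${name}
  fi
  cd ${name}
  git fetch origin
  base=$(git merge-base ${concatMapStringsSep " " (branch: "origin/${branch}") repo.branchesToCheck})
  # an empty merge-base would turn the push below into a ref deletion
  test -n "$base"
  git push origin "$base":refs/heads/${repo.target}
'';
WorkingDirectory = "/var/lib/konsens";
```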
|
@ -11,39 +11,6 @@ with import <stockholm/lib>;
|
||||||
ci = true;
|
ci = true;
|
||||||
monitoring = true;
|
monitoring = true;
|
||||||
}) {
|
}) {
|
||||||
dishfire = {
|
|
||||||
cores = 4;
|
|
||||||
nets = rec {
|
|
||||||
internet = {
|
|
||||||
ip4.addr = "144.76.172.188";
|
|
||||||
aliases = [
|
|
||||||
"dishfire.i"
|
|
||||||
];
|
|
||||||
ssh.port = 45621;
|
|
||||||
};
|
|
||||||
retiolum = {
|
|
||||||
via = internet;
|
|
||||||
ip4.addr = "10.243.133.99";
|
|
||||||
ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1233";
|
|
||||||
aliases = [
|
|
||||||
"dishfire.r"
|
|
||||||
];
|
|
||||||
tinc.pubkey = ''
|
|
||||||
-----BEGIN RSA PUBLIC KEY-----
|
|
||||||
MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs
|
|
||||||
Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7
|
|
||||||
uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK
|
|
||||||
R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd
|
|
||||||
vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U
|
|
||||||
HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
|
|
||||||
-----END RSA PUBLIC KEY-----
|
|
||||||
'';
|
|
||||||
tinc.port = 993;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
|
||||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
|
|
||||||
};
|
|
||||||
prism = rec {
|
prism = rec {
|
||||||
cores = 4;
|
cores = 4;
|
||||||
extraZones = {
|
extraZones = {
|
||||||
|
@ -441,7 +408,7 @@ with import <stockholm/lib>;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
borg = {
|
rock = {
|
||||||
monitoring = false;
|
monitoring = false;
|
||||||
ci = false;
|
ci = false;
|
||||||
external = true;
|
external = true;
|
||||||
|
@ -449,22 +416,21 @@ with import <stockholm/lib>;
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.29.171";
|
ip4.addr = "10.243.29.171";
|
||||||
ip6.addr = "42:4992:6a6d:700::2";
|
ip6.addr = "42:4992:6a6d:700::2";
|
||||||
aliases = [ "borg.r" ];
|
aliases = [ "rock.r" ];
|
||||||
tinc.pubkey = ''
|
tinc.pubkey = ''
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0bHZApTM7Hl4qqNakSwq
|
MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
|
||||||
bt7zJoTVK9ePoC3Mue1VmJ1mCKMaxKdzlO31kPeHtkilAzgyIJdgikyKFlApGsQL
|
DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
|
||||||
aIuU9h55X7TbikoDD6ghbSrAe3Pgc+sJ3OZ7wO7Qb8CKgJvEbkk/u68YiJgyTjYD
|
HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
|
||||||
HNjIQzlsGdpoSke9vwC8qWanfgN7c2MMGtakqfXDjYjCgp7O43i+SMupkMSXIXMA
|
mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
|
||||||
5XUFh/vVp6xgPxBofcw0uQIyZ5v4PPFjnGPm4rnMbFzbhubntHjDadwGd5Niyw4O
|
Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
|
||||||
zNNKNchTLfNiuNGqTZeYd0kJ5fNMKykhpSs+ou34MvexvpuyPlFuotnPXN/nOMml
|
Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
|
||||||
3nwiqzthzPuBZRLswxT0WvlA8wlbeTOKJ0wTIR4dDuAF+euDtoNocVEN5PJNc7yN
|
91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
|
||||||
fmwAV6geESoJbZQMSCtAp1NioaBlRPp1pFfoM/GotHywuFrTIxyoIBiYhkpWyQvq
|
fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
|
||||||
WYw5j13IKqkL7jDchhoBmcardmh+AP5bL3uQ84BgaYNwFzHp04qIRrrdpF0eMaHB
|
3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
|
||||||
/8zaqsNLn4/zQJB5ffkelwoIqfvLPQeCMLzHGHgP5xUnWgmZZGiiDLvhuaMeNq4U
|
ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
|
||||||
EpCKoTL178sPOgNfHfd8mEqx0qKYuPrNQEdlpa5xOZqwx56pfYpGWY+KtF2FHLhS
|
cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
|
||||||
iO64GCJqCi1MKBYx/NhaxKMCAwEAAQ==
|
-----END RSA PUBLIC KEY-----
|
||||||
-----END PUBLIC KEY-----
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
8
krebs/5pkgs/simple/cgit-clear-cache.nix
Normal file
8
krebs/5pkgs/simple/cgit-clear-cache.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
|
||||||
|
{ cache-root ? "/tmp/cgit", findutils, writeDashBin }:
|
||||||
|
|
||||||
|
writeDashBin "cgit-clear-cache" ''
|
||||||
|
set -efu
|
||||||
|
${findutils}/bin/find ${shell.escape cache-root} -type f -delete
|
||||||
|
''
|
|
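Review bot: `find ${shell.escape cache-root} -type f -delete` descends into every subdirectory of cache-root, whereas the inline `rm -f ${cfg.cgit.settings.cache-root}/*` it replaces in krebs/3modules/git.nix only removed the top level, so the clear is wider than before and the file should say so. The `cache-root` default only makes sense when callers override it to match `krebs.git.cgit.settings.cache-root`, which both call sites in this commit do with `.override`. A header comment would cover both: `# Deletes every cached cgit page below cache-root (recursively); callers override cache-root to match krebs.git.cgit.settings.cache-root.`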
@ -2,6 +2,6 @@
|
||||||
|
|
||||||
fetchgit {
|
fetchgit {
|
||||||
url = https://cgit.krebsco.de/krops;
|
url = https://cgit.krebsco.de/krops;
|
||||||
rev = "refs/tags/v1.1.0";
|
rev = "refs/tags/v1.3.1";
|
||||||
sha256 = "19z5385rdci2bj0l7ksjbgyj84vsb29kz87j9x6vj5vv16y7y4ll";
|
sha256 = "0bv984bjc6r1ys1q0wnszv1v1g1wdvjb6i0ibj7namwz0mhg67a7";
|
||||||
}
|
}
|
||||||
|
|
|
@ -60,4 +60,9 @@
|
||||||
source = source { test = true; };
|
source = source { test = true; };
|
||||||
target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src";
|
target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ci = pkgs.krops.writeTest "${name}-test" {
|
||||||
|
source = source { test = true; };
|
||||||
|
target = "${lib.getEnv "HOME"}/stockholm-build";
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs-channels",
|
"url": "https://github.com/NixOS/nixpkgs-channels",
|
||||||
"rev": "4df3426f5a5e78cef4835897a43abd9e2a092b74",
|
"rev": "a37638d46706610d12c9747614fd1b8f8d35ad48",
|
||||||
"date": "2018-08-19T09:20:40+02:00",
|
"date": "2018-08-30T21:03:26+02:00",
|
||||||
"sha256": "05k5mssiqxffxi45mss9wjns6k76i248rpasa48akdcriry1mp63",
|
"sha256": "0rsdkk4z7pkqr2mw0pq7i6fkqs7gbi5kral3c8smm9bw104sn8v7",
|
||||||
"fetchSubmodules": true
|
"fetchSubmodules": true
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,63 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
<stockholm/lass>
|
|
||||||
<stockholm/lass/2configs/retiolum.nix>
|
|
||||||
<stockholm/lass/2configs/git.nix>
|
|
||||||
{
|
|
||||||
networking.dhcpcd.allowInterfaces = [
|
|
||||||
"enp*"
|
|
||||||
"eth*"
|
|
||||||
"ens*"
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
sound.enable = false;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
mk_sql_pair
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
<stockholm/lass/2configs/websites/fritz.nix>
|
|
||||||
];
|
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
|
||||||
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
|
|
||||||
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; }
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
#TODO: abstract & move to own file
|
|
||||||
krebs.exim-smarthost = {
|
|
||||||
enable = true;
|
|
||||||
relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
|
|
||||||
config.krebs.hosts.mors
|
|
||||||
config.krebs.hosts.uriel
|
|
||||||
];
|
|
||||||
system-aliases = [
|
|
||||||
{ from = "mailer-daemon"; to = "postmaster"; }
|
|
||||||
{ from = "postmaster"; to = "root"; }
|
|
||||||
{ from = "nobody"; to = "root"; }
|
|
||||||
{ from = "hostmaster"; to = "root"; }
|
|
||||||
{ from = "usenet"; to = "root"; }
|
|
||||||
{ from = "news"; to = "root"; }
|
|
||||||
{ from = "webmaster"; to = "root"; }
|
|
||||||
{ from = "www"; to = "root"; }
|
|
||||||
{ from = "ftp"; to = "root"; }
|
|
||||||
{ from = "abuse"; to = "root"; }
|
|
||||||
{ from = "noc"; to = "root"; }
|
|
||||||
{ from = "security"; to = "root"; }
|
|
||||||
{ from = "root"; to = "lass"; }
|
|
||||||
];
|
|
||||||
};
|
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
|
||||||
{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.dishfire;
|
|
||||||
}
|
|
|
@ -1,39 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
./config.nix
|
|
||||||
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
|
||||||
];
|
|
||||||
|
|
||||||
boot.loader.grub = {
|
|
||||||
device = "/dev/vda";
|
|
||||||
splashImage = null;
|
|
||||||
};
|
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [
|
|
||||||
"ata_piix"
|
|
||||||
"ehci_pci"
|
|
||||||
"uhci_hcd"
|
|
||||||
"virtio_pci"
|
|
||||||
"virtio_blk"
|
|
||||||
];
|
|
||||||
|
|
||||||
fileSystems."/" = {
|
|
||||||
device = "/dev/mapper/pool-nix";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/srv/http" = {
|
|
||||||
device = "/dev/pool/srv_http";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
|
|
||||||
fileSystems."/boot" = {
|
|
||||||
device = "/dev/vda1";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
fileSystems."/bku" = {
|
|
||||||
device = "/dev/pool/bku";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,3 +0,0 @@
|
||||||
import <stockholm/lass/source.nix> {
|
|
||||||
name = "dishfire";
|
|
||||||
}
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config ? config, name }: let
|
{ name }: let
|
||||||
inherit (import ../krebs/krops.nix { inherit name; })
|
inherit (import ../krebs/krops.nix { inherit name; })
|
||||||
krebs-source
|
krebs-source
|
||||||
lib
|
lib
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
{
|
{
|
||||||
nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix";
|
nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix";
|
||||||
secrets = if test then {
|
secrets = if test then {
|
||||||
file = "/home/lass/stockholm/lass/2configs/tests/dummy-secrets";
|
file = toString ./2configs/tests/dummy-secrets;
|
||||||
} else {
|
} else {
|
||||||
pass = {
|
pass = {
|
||||||
dir = "${lib.getEnv "HOME"}/.password-store";
|
dir = "${lib.getEnv "HOME"}/.password-store";
|
||||||
|
@ -30,13 +30,11 @@ in {
|
||||||
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A test)
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A test)
|
||||||
test = pkgs.krops.writeTest "${name}-test" {
|
test = pkgs.krops.writeTest "${name}-test" {
|
||||||
source = source { test = true; };
|
source = source { test = true; };
|
||||||
target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src";
|
target = "${lib.getEnv "HOME"}/tmp/${name}-stockholm-test";
|
||||||
};
|
};
|
||||||
|
|
||||||
ci = map (host:
|
ci = pkgs.krops.writeTest "${name}-test" {
|
||||||
pkgs.krops.writeTest "${host.name}-test" {
|
source = source { test = true; };
|
||||||
source = source { test = true; };
|
target = "${lib.getEnv "HOME"}/stockholm-build";
|
||||||
target = "${lib.getEnv "TMPDIR"}/lass/${host.name}";
|
};
|
||||||
}
|
|
||||||
) (lib.filter (host: lib.getAttr "ci" host && host.owner == "lass") (lib.attrValues config.krebs.hosts));
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -81,10 +81,8 @@ in {
|
||||||
target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src";
|
target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src";
|
||||||
};
|
};
|
||||||
|
|
||||||
ci = map (host:
|
ci = pkgs.krops.writeTest "${name}-test" {
|
||||||
pkgs.krops.writeTest "${host.name}-test" {
|
source = source { test = true; };
|
||||||
source = source { test = true; };
|
target = "${lib.getEnv "HOME"}/stockholm-build";
|
||||||
target = "${lib.getEnv "TMPDIR"}/makefu/${host.name}";
|
};
|
||||||
}
|
|
||||||
) (lib.filter (host: lib.getAttr "ci" host && host.owner == "makefu") (lib.attrValues config.krebs.hosts));
|
|
||||||
}
|
}
|
||||||
|
|
40
nin/krops.nix
Normal file
40
nin/krops.nix
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{ name }: let
|
||||||
|
inherit (import ../krebs/krops.nix { inherit name; })
|
||||||
|
krebs-source
|
||||||
|
lib
|
||||||
|
pkgs
|
||||||
|
;
|
||||||
|
|
||||||
|
source = { test }: lib.evalSource [
|
||||||
|
krebs-source
|
||||||
|
{
|
||||||
|
nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix";
|
||||||
|
secrets = if test then {
|
||||||
|
file = toString ./0tests/dummysecrets;
|
||||||
|
} else {
|
||||||
|
pass = {
|
||||||
|
dir = "${lib.getEnv "HOME"}/.password-store";
|
||||||
|
name = "hosts/${name}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
in {
|
||||||
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
|
||||||
|
deploy = pkgs.krops.writeDeploy "${name}-deploy" {
|
||||||
|
source = source { test = false; };
|
||||||
|
target = "root@${name}/var/src";
|
||||||
|
};
|
||||||
|
|
||||||
|
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A test)
|
||||||
|
test = pkgs.krops.writeTest "${name}-test" {
|
||||||
|
source = source { test = true; };
|
||||||
|
target = "${lib.getEnv "HOME"}/tmp/${name}-stockholm-test";
|
||||||
|
};
|
||||||
|
|
||||||
|
ci = pkgs.krops.writeTest "${name}-test" {
|
||||||
|
source = source { test = true; };
|
||||||
|
target = "${lib.getEnv "HOME"}/stockholm-build";
|
||||||
|
};
|
||||||
|
}
|
|
@ -1 +1 @@
|
||||||
Subproject commit 4d0829328e885a6d7163b513998a975e60dd0a72
|
Subproject commit 5d79992262e8f16a3efa985375be74abea3bb392
|
|
@ -18,6 +18,10 @@ let {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
cgit-clear-cache = pkgs.cgit-clear-cache.override {
|
||||||
|
inherit (config.krebs.git.cgit.settings) cache-root;
|
||||||
|
};
|
||||||
|
|
||||||
repos =
|
repos =
|
||||||
public-repos //
|
public-repos //
|
||||||
optionalAttrs config.krebs.build.host.secure restricted-repos;
|
optionalAttrs config.krebs.build.host.secure restricted-repos;
|
||||||
|
@ -97,8 +101,11 @@ let {
|
||||||
{
|
{
|
||||||
brain = {
|
brain = {
|
||||||
collaborators = with config.krebs.users; [ lass makefu ];
|
collaborators = with config.krebs.users; [ lass makefu ];
|
||||||
hooks.post-receive = irc-announce {
|
hooks = {
|
||||||
cgit_endpoint = null;
|
post-receive = /* sh */ ''
|
||||||
|
(${irc-announce { cgit_endpoint = null; }})
|
||||||
|
${cgit-clear-cache}/bin/cgit-clear-cache
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
} //
|
} //
|
||||||
|
@ -117,14 +124,24 @@ let {
|
||||||
make-public-repo = name: { cgit ? {}, ... }: {
|
make-public-repo = name: { cgit ? {}, ... }: {
|
||||||
inherit cgit name;
|
inherit cgit name;
|
||||||
public = true;
|
public = true;
|
||||||
hooks = optionalAttrs (config.krebs.build.host.name == "ni") {
|
hooks = {
|
||||||
post-receive = irc-announce {};
|
post-receive = /* sh */ ''
|
||||||
|
(${optionalString (config.krebs.build.host.name == "ni")
|
||||||
|
(irc-announce {})})
|
||||||
|
${cgit-clear-cache}/bin/cgit-clear-cache
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
make-restricted-repo = name: { collaborators ? [], hooks ? {}, ... }: {
|
make-restricted-repo = name: { collaborators ? [], hooks ? {}, ... }: {
|
||||||
inherit collaborators hooks name;
|
inherit collaborators name;
|
||||||
public = false;
|
public = false;
|
||||||
|
hooks = hooks // {
|
||||||
|
post-receive = /* sh */ ''
|
||||||
|
(${hooks.post-receive or ""})
|
||||||
|
${cgit-clear-cache}/bin/cgit-clear-cache
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
make-rules =
|
make-rules =
|
||||||
|
|
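Review bot: In `make-public-repo`, the `post-receive` hook becomes `()` followed by the cgit-clear-cache call on any host other than `ni`, because `optionalString` yields the empty string while the parentheses around it stay; an empty subshell is a syntax error in sh, so the whole hook fails before the cache is cleared. `make-restricted-repo` has the same shape with `(${hooks.post-receive or ""})` for repos that define no hook of their own. Move the parentheses inside the conditional: `${optionalString (config.krebs.build.host.name == "ni") "(${irc-announce {}})"}` in the public case and `${optionalString (hooks ? post-receive) "(${hooks.post-receive})"}` in the restricted one. The `brain` hook in the earlier hunk is unaffected because its irc-announce call is unconditional.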