Merge 'cd/master' - update krebs.build.source

makefu 2016-02-04 11:16:17 +01:00
commit e89f43de94
62 changed files with 773 additions and 731 deletions

.rsync-filter Normal file

@ -0,0 +1,2 @@
- /.git
- /.graveyard


@ -1,53 +1,51 @@
#
# usage:
# make infest system=foo [target=bar]
# make [deploy] system=foo [target=bar]
# make [deploy] systems='foo bar'
# make eval get=users.tv.wu.config.time.timeZone [filter=json]
#
.ONESHELL: .ONESHELL:
.SHELLFLAGS := -eufc .SHELLFLAGS := -eufc
ifdef systems ifndef system
$(systems): $(error unbound variable: system)
@ endif
unset target
parallel \
--line-buffer \
-j0 \
--no-notice \
--tagstring {} \
-q make -s systems= system={} ::: $(systems)
else ifdef system
.PHONY: deploy infest
deploy infest:;@
export get=krebs.$@
export filter=json
make -s eval | sh
export target_host ?= $(system)
export target_user ?= root
export target_path ?= /var/src
# usage: make deploy system=foo [target_host=bar]
.PHONY: deploy
deploy: populate ;@set -x
ssh "$$target_user@$$target_host" nixos-rebuild switch -I "$$target_path"
# usage: make populate system=foo [target_host=bar]
.PHONY: populate
populate:;@
result=$$(make -s eval get=config.krebs.build.populate filter=json)
echo "$$result" | sh
# usage: make eval system=foo get=config.krebs.build [LOGNAME=tv] [filter=json]
.PHONY: eval .PHONY: eval
eval: eval:;@
@
ifeq ($(filter),json) ifeq ($(filter),json)
extraArgs='--json --strict' extraArgs='--json --strict'
filter() { jq -r .; } filter() { echo "$$1" | jq -r .; }
else else
filter() { cat; } filter() { echo "$$1"; }
endif endif
result=$$(nix-instantiate \ result=$$(nix-instantiate \
$${extraArgs-} \ $${extraArgs-} \
--show-trace \
--readonly-mode \
--eval \ --eval \
-A "$$get" \ -A "$$get" \
-I stockholm="$$PWD" \ --arg configuration "./$$LOGNAME/1systems/$$system.nix")
'<stockholm>' \ filter "$$result"
--argstr current-date "$$(date -Is)" \
--argstr current-host-name "$$HOSTNAME" \
--argstr current-user-name "$$LOGNAME" \
$${system+--argstr system "$$system"} \
$${target+--argstr target "$$target"})
echo "$$result" | filter
else ## usage: make install system=foo target=
$(error unbound variable: system[s]) #.PHONY: install
endif #install: ssh = ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
#install:;@set -x
# $(ssh) "$$target_user@$$target_host" \
# env target_path=/var/src \
# sh -s prepare < krebs/4lib/infest/prepare.sh
# make -s populate target_path=/mnt"$$target_path"
# $(ssh) "$$target_user@$$target_host" \
# env NIXOS_CONFIG=/var/src/nixos-config \
# nixos-install
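Review bot: `filter() { echo "$$1" | jq -r .; }` and `echo "$$result" | sh` in populate feed Nix output through `echo`, which in some `/bin/sh` implementations (dash) interprets backslash escapes, so a JSON string containing `\\n` can be mangled before jq or sh sees it — and the populate script this evaluates does contain `printf '+%s\n'`; `printf '%s\n' "$$1" | jq -r .` and `printf '%s\n' "$$result" | sh` avoid that. The recursive `make -s eval` calls should be `$(MAKE) -s eval` so flags and the jobserver propagate. The commented-out install target pins `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`; if it is revived, a first-contact install still deserves a fingerprint check or a pre-seeded known_hosts rather than disabling host verification outright.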


@ -1,6 +1,15 @@
{ current-date ? abort "current-date not defined" { configuration ? import (nixpkgs-path + "/nixos/lib/from-env.nix") "NIXOS_CONFIG" <nixos-config>
, current-host-name ? abort "current-host-name not defined" , system ? builtins.currentSystem
, current-user-name ? builtins.getEnv "LOGNAME" , current-host-name ?
let v = builtins.getEnv "HOSTNAME"; in
if v != "" then v else builtins.readFile /proc/sys/kernel/hostname
, current-user-name ?
let v = builtins.getEnv "LOGNAME"; in
if v != "" then v else abort "undefined variable: LOGNAME"
, nixpkgs-path ?
if (builtins.tryEval <nixpkgs/krebs>).success
then <upstream-nixpkgs>
else <nixpkgs>
, StrictHostKeyChecking ? "yes" , StrictHostKeyChecking ? "yes"
}@args: }@args:
@ -8,26 +17,26 @@ let stockholm = {
inherit krebs; inherit krebs;
inherit users; inherit users;
inherit lib; inherit lib;
inherit pkgs; inherit config options pkgs;
system = config.system.build.toplevel;
}; };
krebs = import ./krebs (args // { inherit lib stockholm; }); krebs = import ./krebs (args // { inherit lib stockholm; });
lib = let lib = let
nlib = import <nixpkgs/lib>; nlib = import (slib.npath "lib");
klib = import (slib.kpath "4lib") { lib = nlib; }; klib = import (slib.kpath "4lib") { lib = nlib; };
slib = rec { slib = rec {
stockholm-path = ./.; npath = p: nixpkgs-path + "/${p}";
nspath = ns: p: stockholm-path + "/${ns}/${p}"; kpath = p: ./. + "/krebs/${p}";
kpath = nspath "krebs"; upath = p: ./. + "/${current-user-name}/${p}";
upath = nspath current-user-name;
}; };
ulib = let p = slib.upath "4lib"; in ulib = let p = slib.upath "4lib"; in
nlib.optionalAttrs (klib.dir.has-default-nix p) nlib.optionalAttrs (klib.dir.has-default-nix p)
(import p { lib = nlib // klib; }); (import p { lib = nlib // klib; });
in nlib // klib // slib // ulib // builtins; in nlib // klib // slib // ulib // builtins;
inherit (eval {}) pkgs; inherit (eval configuration) config options pkgs;
base-module = { config, ... }: { base-module = { config, ... }: {
imports = builtins.filter lib.dir.has-default-nix (lib.concatLists [ imports = builtins.filter lib.dir.has-default-nix (lib.concatLists [
@ -45,7 +54,8 @@ let stockholm = {
in kpkgs // upkgs; in kpkgs // upkgs;
}; };
eval = config: import <nixpkgs/nixos/lib/eval-config.nix> { eval = config: import (lib.npath "nixos/lib/eval-config.nix") {
inherit system;
specialArgs = { specialArgs = {
inherit lib; inherit lib;
}; };
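Review bot: The `current-host-name` fallback `builtins.readFile /proc/sys/kernel/hostname` keeps the trailing newline, so a host evaluated without `HOSTNAME` in the environment gets a name ending in `\n` that will not match any `krebs.hosts` key or `1systems/<name>.nix`; strip it, e.g. `builtins.replaceStrings ["\n"] [""] (builtins.readFile /proc/sys/kernel/hostname)`. Reading `/proc` is also impure and Linux-only; the `abort` used for the `LOGNAME` fallback would be the consistent choice if the environment variable is required anyway. The `eval` definition continues outside this section.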


@ -28,9 +28,17 @@ let
type = types.krebs.file-location; type = types.krebs.file-location;
}; };
startAt = mkOption { startAt = mkOption {
type = types.str; default = "hourly";
type = types.str; # TODO systemd.time(7)'s calendar event
}; };
snapshots = mkOption { snapshots = mkOption {
default = {
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
type = types.attrsOf (types.submodule { type = types.attrsOf (types.submodule {
options = { options = {
format = mkOption { format = mkOption {
@ -284,3 +292,15 @@ let
}; };
in out in out
# TODO ionice
# TODO mail on failed push, pull
# TODO mail on missing push
# TODO don't cancel plans on activation
# also, don't hang while deploying at:
# starting the following units: backup.wu-home-xu.push.service, backup.wu-home-xu.push.timer
# TODO make sure /bku is properly mounted
# TODO make sure that secure hosts cannot backup to insecure ones
# TODO optionally only backup when src and dst are near enough :)
# TODO try using btrfs for snapshots (configurable)
# TODO warn if partial snapshots are found
# TODO warn if unknown stuff is found in dst path
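Review bot: The new `snapshots` default gives `yearly` no `retain`, so unless the submodule's `retain` option (defined outside this section) has its own default, yearly snapshots accumulate without bound; a comment on that line, `# yearly: no retain, kept forever`, would make the intent explicit either way. The TODO "make sure that secure hosts cannot backup to insecure ones" is a data-exfiltration gap, not a nicety: hosts already carry a `secure` flag elsewhere in this commit, so an `assertions` entry that rejects a plan whose `src.host.secure` is true while `dst.host.secure` is false looks cheap to add now rather than leaving it to the TODO list. The `startAt` default `"hourly"` is typed as a free-form `types.str`, so typos only surface when systemd parses the timer; the existing TODO for a calendar-event type covers that.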


@ -28,48 +28,159 @@ let
type = types.user; type = types.user;
}; };
options.krebs.build.source.dir = mkOption { options.krebs.build.source = let
type = let raw = types.either types.str types.path;
default-host = config.krebs.current.host; url = types.submodule {
in types.attrsOf (types.submodule ({ config, ... }: {
options = {
host = mkOption {
type = types.host;
default = default-host;
};
path = mkOption {
type = types.str;
};
target-path = mkOption {
type = types.str;
default = "/root/${config._module.args.name}";
};
url = mkOption {
type = types.str;
default = "file://${config.host.name}${config.path}";
};
};
}));
default = {};
};
options.krebs.build.source.git = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = { options = {
url = mkOption { url = mkOption {
type = types.str; # TODO must be shell safe type = types.str;
}; };
rev = mkOption { rev = mkOption {
type = types.str; type = types.str;
}; };
target-path = mkOption { dev = mkOption {
type = types.str; type = types.str;
default = "/root/${config._module.args.name}";
}; };
}; };
})); };
in mkOption {
type = types.attrsOf (types.either types.str url);
apply = let f = mapAttrs (_: value: {
string = value;
path = toString value;
set = f value;
}.${typeOf value}); in f;
default = {}; default = {};
}; };
options.krebs.build.populate = mkOption {
type = types.str;
default = let
source = config.krebs.build.source;
target-user = maybeEnv "target_user" "root";
target-host = maybeEnv "target_host" config.krebs.build.host.name;
target-path = maybeEnv "target_path" "/var/src";
out = ''
#! /bin/sh
set -eu
verbose() {
printf '+%s\n' "$(printf ' %q' "$@")" >&2
"$@"
}
echo ${shell.escape git-script} \
| ssh ${shell.escape "${target-user}@${target-host}"} -T
unset tmpdir
trap '
rm "$tmpdir"/*
rmdir "$tmpdir"
trap - EXIT INT QUIT
' EXIT INT QUIT
tmpdir=$(mktemp -dt stockholm.XXXXXXXX)
chmod 0755 "$tmpdir"
${concatStringsSep "\n"
(mapAttrsToList
(name: spec: let dst = removePrefix "symlink:" (get-url spec); in
"verbose ln -s ${shell.escape dst} $tmpdir/${shell.escape name}")
symlink-specs)}
verbose proot \
-b $tmpdir:${shell.escape target-path} \
${concatStringsSep " \\\n "
(mapAttrsToList
(name: spec:
"-b ${shell.escape "${get-url spec}:${target-path}/${name}"}")
file-specs)} \
rsync \
-f ${shell.escape "P /*"} \
${concatMapStringsSep " \\\n "
(name: "-f ${shell.escape "R /${name}"}")
(attrNames file-specs)} \
--delete \
-vFrlptD \
${shell.escape target-path}/ \
${shell.escape "${target-user}@${target-host}:${target-path}"}
'';
get-schema = uri:
if substring 0 1 uri == "/"
then "file"
else head (splitString ":" uri);
has-schema = schema: uri: get-schema uri == schema;
get-url = spec: {
string = spec;
path = toString spec;
set = get-url spec.url;
}.${typeOf spec};
git-specs =
filterAttrs (_: spec: has-schema "https" (get-url spec)) source //
filterAttrs (_: spec: has-schema "http" (get-url spec)) source //
filterAttrs (_: spec: has-schema "git" (get-url spec)) source;
file-specs =
filterAttrs (_: spec: has-schema "file" (get-url spec)) source;
symlink-specs =
filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source;
git-script = ''
#! /bin/sh
set -efu
verbose() {
printf '+%s\n' "$(printf ' %q' "$@")" >&2
"$@"
}
fetch_git() {(
dst_dir=$1
src_url=$2
src_ref=$3
if ! test -e "$dst_dir"; then
git clone "$src_url" "$dst_dir"
fi
cd "$dst_dir"
if ! url=$(git config remote.origin.url); then
git remote add origin "$src_url"
elif test "$url" != "$src_url"; then
git remote set-url origin "$src_url"
fi
# TODO resolve src_ref to commit hash
hash=$src_ref
if ! test "$(git log --format=%H -1)" = "$hash"; then
git fetch origin
git checkout "$hash" -- "$dst_dir"
git checkout "$hash"
fi
git clean -dxf
)}
${concatStringsSep "\n"
(mapAttrsToList
(name: spec: toString (map shell.escape [
"verbose"
"fetch_git"
"${target-path}/${name}"
spec.url
spec.rev
]))
git-specs)}
'';
in out;
};
}; };
in out in out
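Review bot: `fetch_git` treats `spec.rev` as the integrity anchor but never checks that it is a commit hash: `hash=$src_ref` is compared against `git log --format=%H -1`, so a short or symbolic rev (this same commit carries `rev = "8239ac6"` in a 1systems file) never matches, re-fetches on every populate, and checks out whatever the remote currently resolves it to — and since `git-specs` also accepts `http://` and `git://`, that is unauthenticated code landing in `/var/src`. Either reject non-full hashes up front, `expr "$src_ref" : '[0-9a-f]\{40\}$' >/dev/null || { echo "rev must be a full commit hash: $src_ref" >&2; exit 1; }`, or resolve after `git fetch origin` with `hash=$(git rev-parse --verify "$src_ref^{commit}")` and compare against `git rev-parse HEAD`. The `file` path now rsyncs from whatever machine runs `make`, where the old `dir` specs refused to push unless `host` matched the current host; if that guard is dropped deliberately, a comment on `file-specs` saying so would help. `git clean -dxf` on `$dst_dir` also deserves a comment, as it removes any untracked file in the target checkout on every run.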


@ -44,8 +44,74 @@ let
default = "/etc/git"; default = "/etc/git";
}; };
repos = mkOption { repos = mkOption {
type = types.attrsOf (types.submodule ({ type = types.attrsOf subtypes.repo;
default = {};
example = literalExample ''
{
testing = {
name = "testing";
hooks.post-update = '''
#! /bin/sh
set -euf
echo post-update hook: $* >&2
''';
};
testing2 = { name = "testing2"; };
}
'';
description = ''
Repositories.
'';
};
root-desc = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Text printed below the heading on the repository index page.
Default value: "a fast webinterface for the git dscm".
'';
};
root-title = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Text printed as heading on the repository index page.
Default value: "Git Repository Browser".
'';
};
rules = mkOption {
type = types.listOf subtypes.rule;
default = [];
example = literalExample ''
singleton {
user = [ config.krebs.users.tv ];
repo = [ testing ]; # see literal example of repos
perm = push "refs/*" (with lib.git; [
non-fast-forward create delete merge
]);
}
'';
description = ''
Rules.
'';
};
};
# TODO put into krebs/4lib/types.nix?
subtypes = {
repo = types.submodule ({
options = { options = {
collaborators = mkOption {
type = types.listOf types.user;
default = [];
description = ''
List of users that should be able to fetch from this repo.
This option is currently not used by krebs.git but instead can be
used to create rules. See e.g. <stockholm/tv/2configs/git.nix> for
an example.
'';
};
desc = mkOption { desc = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
@ -82,48 +148,69 @@ let
# TODO allow every configured user to fetch the repository via SSH. # TODO allow every configured user to fetch the repository via SSH.
}; };
}; };
})); });
rule = types.submodule ({ config, ... }: {
default = {}; options = {
user = mkOption {
example = literalExample '' type = types.listOf types.user;
{
testing = {
name = "testing";
hooks.post-update = '''
#! /bin/sh
set -euf
echo post-update hook: $* >&2
''';
};
testing2 = { name = "testing2"; };
}
'';
description = '' description = ''
Repositories. List of users this rule should apply to.
Checked by authorize-command.
''; '';
}; };
root-desc = mkOption { repo = mkOption {
type = types.listOf subtypes.repo;
description = ''
List of repos this rule should apply to.
Checked by authorize-command.
'';
};
perm = mkOption {
type = types.submodule {
# TODO generate enum argument from krebs/4lib/git.nix
options = {
allow-commands = mkOption {
type = types.listOf (types.enum (with git; [
git-receive-pack
git-upload-pack
]));
default = [];
description = ''
List of commands the rule's users are allowed to execute.
Checked by authorize-command.
'';
};
allow-receive-ref = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
description = '' description = ''
Text printed below the heading on the repository index page. Ref that can receive objects.
Default value: "a fast webinterface for the git dscm". Checked by authorize-push.
''; '';
}; };
root-title = mkOption { allow-receive-modes = mkOption {
type = types.nullOr types.str; type = types.listOf (types.enum (with git; [
default = null; fast-forward
non-fast-forward
create
delete
merge
]));
default = [];
description = '' description = ''
Text printed as heading on the repository index page. List of allowed receive modes.
Default value: "Git Repository Browser". Checked by pre-receive hook.
''; '';
}; };
rules = mkOption {
type = types.unspecified;
}; };
}; };
description = ''
Permissions granted.
'';
};
};
});
};
git-imp = { git-imp = {
system.activationScripts.git-init = "${init-script}"; system.activationScripts.git-init = "${init-script}";
@ -131,18 +218,18 @@ let
# TODO maybe put all scripts here and then use PATH? # TODO maybe put all scripts here and then use PATH?
environment.etc."${etc-base}".source = environment.etc."${etc-base}".source =
scriptFarm "git-ssh-authorizers" { scriptFarm "git-ssh-authorizers" {
authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ authorize-command = makeAuthorizeScript (map (rule: [
(map getName (ensureList user)) (map getName (ensureList rule.user))
(map getName (ensureList repo)) (map getName (ensureList rule.repo))
(map getName perm.allow-commands) (map getName rule.perm.allow-commands)
]) cfg.rules); ]) cfg.rules);
authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ authorize-push = makeAuthorizeScript (map (rule: [
(map getName (ensureList user)) (map getName (ensureList rule.user))
(map getName (ensureList repo)) (map getName (ensureList rule.repo))
(ensureList perm.allow-receive-ref) (ensureList rule.perm.allow-receive-ref)
(map getName perm.allow-receive-modes) (map getName rule.perm.allow-receive-modes)
]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); ]) (filter (rule: rule.perm.allow-receive-ref != null) cfg.rules));
}; };
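Review bot: `allow-receive-ref` is described only as `Ref that can receive objects`, while the `rules` example passes `push "refs/*"`, which reads as a pattern; the description should state whether the value is matched literally or as a glob by authorize-push (whose matching is not visible here) and what happens when no rule matches — presumably a deny, but confirm. Suggested text once confirmed: `Ref, or ref glob such as "refs/heads/*", that this rule's users may push to; pushes to other refs are rejected by authorize-push.` The `rules` description `Rules.` could likewise say that a user has no access to a repo unless at least one rule lists both, since `collaborators` is explicitly documented as not consulted by krebs.git.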
users.extraUsers = singleton rec { users.extraUsers = singleton rec {


@ -247,6 +247,7 @@ with lib;
}; };
}; };
secure = true; secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
}; };
xu = { xu = {
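Review bot: `ssh.privkey.path = <secrets/ssh.id_ed25519>` is a Nix path value; any consumer that interpolates it into a string or derivation (`"${…privkey.path}"`) copies the private key into the world-readable /nix/store. The option's consumer is outside this section, so make sure it is only ever used via `toString` (or read at activation time from the populated `/var/src/secrets`), and consider a comment at the definition: `# path only — never interpolate into a derivation, or the key lands in the store`.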


@ -54,6 +54,10 @@ let
example = [ example = [
https://nixos.org/channels/nixos-unstable/git-revision https://nixos.org/channels/nixos-unstable/git-revision
]; ];
apply = map (x: getAttr (typeOf x) {
set = x;
string.url = x;
});
}; };
verbose = mkOption { verbose = mkOption {
type = types.bool; type = types.bool;
@ -64,7 +68,40 @@ let
}; };
}; };
urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); urlsFile = toFile "urls" (concatMapStringsSep "\n---\n" toJSON cfg.urls);
configFile = toFile "urlwatch.yaml" (toJSON {
display = {
error = true;
new = true;
unchanged = false;
};
report = {
email = {
enabled = false;
from = "";
html = false;
smtp = {
host = "localhost";
keyring = true;
port = 25;
starttls = true;
};
subject = "{count} changes: {jobs}";
to = "";
};
html.diff = "unified";
stdout = {
color = true;
enabled = true;
};
text = {
details = true;
footer = true;
line_length = 75;
};
};
});
imp = { imp = {
systemd.timers.urlwatch = { systemd.timers.urlwatch = {
@ -109,10 +146,15 @@ let
from=${escapeShellArg cfg.from} from=${escapeShellArg cfg.from}
mailto=${escapeShellArg cfg.mailto} mailto=${escapeShellArg cfg.mailto}
urlsFile=${escapeShellArg urlsFile} urlsFile=${escapeShellArg urlsFile}
configFile=${escapeShellArg configFile}
cd /tmp cd /tmp
urlwatch -e ${optionalString cfg.verbose "-v"} --urls="$urlsFile" > changes || : urlwatch \
${optionalString cfg.verbose "-v"} \
--urls="$urlsFile" \
--config="$configFile" \
> changes || :
if test -s changes; then if test -s changes; then
date=$(date -R) date=$(date -R)
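Review bot: The rewritten urlwatch invocation still runs after `cd /tmp` and writes to the fixed name `changes` in that shared directory, so another local user can pre-create `/tmp/changes` (or a symlink) to read the report or redirect the write; the unit definition is outside this hunk, so I cannot see whether `PrivateTmp` is set. If it is not, give the service its own directory (`WorkingDirectory` under `/var/lib` or `PrivateTmp = true`), or use `changes=$(mktemp)` and update the later references. `keyring = true` and `starttls = true` in `configFile` are inert while `email.enabled = false`; a one-line comment that the built-in email reporter is intentionally off in favour of the module's own mail step would save a reader the question.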


@ -6,6 +6,7 @@ with lib;
let out = rec { let out = rec {
eq = x: y: x == y; eq = x: y: x == y;
ne = x: y: x != y;
mod = x: y: x - y * (x / y); mod = x: y: x - y * (x / y);


@ -164,10 +164,6 @@ types // rec {
pubkey = mkOption { pubkey = mkOption {
type = str; type = str;
}; };
pubkeys = mkOption {
type = attrsOf str;
default = {};
};
}; };
}; };


@ -82,7 +82,7 @@ rec {
}; };
stockholm-issue = buildSimpleReaktorPlugin "stockholm-issue" { stockholm-issue = buildSimpleReaktorPlugin "stockholm-issue" {
script = ./scripts/random-issue.sh; script = ./scripts/random-issue.sh;
path = with pkgs; [ git gnused lentil ]; path = with pkgs; [ git gnused haskellPackages.lentil ];
env = { "origin" = "http://cgit.gum/stockholm"; }; env = { "origin" = "http://cgit.gum/stockholm"; };
}; };


@ -0,0 +1,42 @@
{ stdenv, fetchgit, bc, cac-cert, coreutils, curl, dash, gnused, inotifyTools, jq, ncurses, openssh, sshpass, ... }:
stdenv.mkDerivation {
name = "cac-api-1.1.0";
src = fetchgit {
url = http://cgit.cd.krebsco.de/cac-api;
rev = "0809fae379239687ed1170e04311dc2880ef0aba";
sha256 = "357ced27c9ed88028967c934178a1d230bf38617a7494cd4632fabdd2a04fcdd";
};
phases = [
"unpackPhase"
"installPhase"
];
installPhase = ''
mkdir -p $out/bin
{ cat <<\EOF
#! ${dash}/bin/dash
export PATH=${stdenv.lib.makeSearchPath "bin" [
bc
coreutils
curl
gnused
inotifyTools
jq
ncurses
openssh
sshpass
]}
EOF
# [1]: Disable fetching tasks; listtasks is currently broken:
# Unknown column 'iod.apitask.cid' in 'field list'
sed '
/^\s*tasks \\$/d; # [1]
s|\<_cac_exec curl|<${cac-cert} & --cacert /dev/stdin|
' cac-api
} > $out/bin/cac-api
chmod +x $out/bin/cac-api
'';
}
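Review bot: The substitution `s|\<_cac_exec curl|<${cac-cert} & --cacert /dev/stdin|` routes the pinned CA bundle through the command's stdin, which breaks as soon as any `_cac_exec curl` call reads stdin itself (`-d @-`, `-K -`) and depends on `/dev/stdin` existing; `cac-cert` is already a store path, so `s|\<_cac_exec curl|& --cacert ${cac-cert}|` pins the same certificate without the indirection. The `[1]` comment on the deleted `tasks` line is good; a matching one stating that `--cacert` deliberately replaces the system trust store with the single pinned cloudatcost certificate would make the security intent explicit.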


@ -0,0 +1,2 @@
{ writeText, ... }:
writeText "cac.pem" (builtins.readFile ./cac.pem)


@ -1,39 +0,0 @@
{ stdenv, fetchgit, bc, coreutils, curl, gnused, inotifyTools, jq, ncurses, sshpass, ... }:
stdenv.mkDerivation {
name = "cac-1.0.3";
src = fetchgit {
url = http://cgit.cd.retiolum/cac;
rev = "22acc1b990ac7d97c16344fbcbc2621e24cdf915";
sha256 = "135b740617c983b3f46a1983d4744be17340d5146a0a0de0dff4bb7a53688f2f";
};
phases = [
"unpackPhase"
"installPhase"
];
installPhase =
let
path = stdenv.lib.makeSearchPath "bin" [
bc
coreutils
curl
gnused
inotifyTools
jq
ncurses
sshpass
];
in
''
mkdir -p $out/bin
sed < ./cac > $out/bin/cac '
s;^_cac_main .*;PATH=${path}''${PATH+:$PATH} &;
'
chmod +x $out/bin/cac
'';
}


@ -1,12 +1,12 @@
{ coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }: { coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }:
stdenv.mkDerivation { stdenv.mkDerivation {
name = "get-1.3.1"; name = "get-1.4.0";
src = fetchgit { src = fetchgit {
url = http://cgit.cd.krebsco.de/get; url = http://cgit.cd.krebsco.de/get;
rev = "64c97edd3f9952cd5e703208c46748a035a515bf"; rev = "08757d47c480c130d69270855c6c0371f6b7d385";
sha256 = "32ca83f4fd86fd3285bef9dcfd0917308086d239189858daceca175de49ff97c"; sha256 = "7c609e2cde7a071bbf62241a7bea60313fdbf076b9f7b3d97226417e13e5ba9d";
}; };
phases = [ phases = [


@ -1,15 +0,0 @@
{ pkgs, ... }:
(pkgs.haskellPackages.override {
overrides = self: super: {
lentil = super.lentil.override {
mkDerivation = (attrs: self.mkDerivation (attrs // {
version = "0.1.3.0";
sha256 = "0xa59avh0bvfg69xh9p5b8dppfhx29mvfq8v41sk9j7qbcnzjivg";
patches = [
./syntaxes.patch
];
}));
};
};
}).lentil


@ -1,11 +0,0 @@
diff -rN -u old-lentil/src/Lentil/Parse/Syntaxes.hs new-lentil/src/Lentil/Parse/Syntaxes.hs
--- old-lentil/src/Lentil/Parse/Syntaxes.hs 2015-07-20 23:15:38.600539779 +0200
+++ new-lentil/src/Lentil/Parse/Syntaxes.hs 2015-07-20 23:15:38.600539779 +0200
@@ -30,6 +30,7 @@
| ext `elem` [".pas", ".pp", ".inc"] = Just pascal
| ext `elem` [".py"] = Just python
| ext `elem` [".rb"] = Just ruby
+ | ext `elem` [".nix"] = Just perl -- Nix
| ext `elem` [".pl", ".pm", ".t"] = Just perl
| ext `elem` [".sh"] = Just perl -- shell
| ext `elem` [".txt"] = Just text


@ -1,6 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.haskellngPackages.callPackage ( pkgs.haskellPackages.callPackage (
{ mkDerivation, aeson, attoparsec, base, base64-bytestring { mkDerivation, aeson, attoparsec, base, base64-bytestring
, blaze-builder, blessings, bytestring, case-insensitive, containers, deepseq , blaze-builder, blessings, bytestring, case-insensitive, containers, deepseq
, directory, docopt, email-header, fetchgit, filepath , directory, docopt, email-header, fetchgit, filepath


@ -1,4 +1,4 @@
{ stdenv, coreutils,makeWrapper, cac-api, cac-panel, gnumake, gnused, jq, openssh, ... }: { stdenv, coreutils,makeWrapper, cac-api, cac-cert, cac-panel, gnumake, gnused, jq, openssh, ... }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "${shortname}-${version}"; name = "${shortname}-${version}";
@ -10,6 +10,7 @@ stdenv.mkDerivation rec {
phases = [ phases = [
"installPhase" "installPhase"
]; ];
buildInputs = [ makeWrapper ]; buildInputs = [ makeWrapper ];
path = stdenv.lib.makeSearchPath "bin" [ path = stdenv.lib.makeSearchPath "bin" [
@ -22,15 +23,14 @@ stdenv.mkDerivation rec {
openssh openssh
]; ];
installPhase = installPhase = ''
''
mkdir -p $out/bin mkdir -p $out/bin
cp ${src} $out/bin/${shortname} cp ${src} $out/bin/${shortname}
chmod +x $out/bin/${shortname} chmod +x $out/bin/${shortname}
wrapProgram $out/bin/${shortname} \ wrapProgram $out/bin/${shortname} \
--prefix PATH : ${path} \ --prefix PATH : ${path} \
--set SSL_CERT_FILE ${./panel.cloudatcost.com.crt} \ --set REQUESTS_CA_BUNDLE ${cac-cert} \
--set REQUESTS_CA_BUNDLE ${./panel.cloudatcost.com.crt} --set SSL_CERT_FILE ${cac-cert}
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = http://krebsco.de; homepage = http://krebsco.de;


@ -1,5 +1,3 @@
#! /bin/sh
# nix-shell -p gnumake jq openssh cac-api cac-panel # nix-shell -p gnumake jq openssh cac-api cac-panel
set -eufx set -eufx
@ -54,7 +52,7 @@ cac-api servers
old_trapstr=$(clear_defer) old_trapstr=$(clear_defer)
while true;do while true;do
# Template 26: CentOS7 # Template 26: CentOS7
# TODO: use cac templates to determine the real Centos7 template in case it changes # TODO: use cac-api templates to determine the real Centos7 template in case it changes
out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1) out=$(cac-api build cpu=1 ram=512 storage=10 os=26 2>&1)
if name=$(echo "$out" | jq -r .servername);then if name=$(echo "$out" | jq -r .servername);then
id=servername:$name id=servername:$name
@ -67,15 +65,15 @@ while true;do
fi fi
clear_defer >/dev/null clear_defer >/dev/null
defer "cac delete $id" defer "cac-api delete $id"
# TODO: timeout? # TODO: timeout?
wait_login_cac(){ wait_login_cac(){
# we wait for 30 minutes # we wait for 30 minutes
for t in `seq 180`;do for t in `seq 180`;do
# now we have a working cac server # now we have a working cac-api server
if cac ssh $1 -o ConnectTimeout=10 \ if cac-api ssh $1 -o ConnectTimeout=10 \
cat /etc/redhat-release | \ cat /etc/redhat-release | \
grep CentOS ;then grep CentOS ;then
return 0 return 0
@ -134,7 +132,7 @@ cac-api powerop $id reset
wait_login(){ wait_login(){
# timeout # timeout
for t in `seq 90`;do for t in `seq 90`;do
# now we have a working cac server # now we have a working cac-api server
if ssh -o StrictHostKeyChecking=no \ if ssh -o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \ -o UserKnownHostsFile=/dev/null \
-i $krebs_ssh \ -i $krebs_ssh \
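Review bot: The first hunk drops the `#! /bin/sh` shebang, leaving the script with no interpreter line; if this is the `src` that the infest package in this commit installs verbatim with `cp` + `chmod +x` and then `wrapProgram`s, the wrapper's `exec` hits ENOEXEC and the script only runs because some shells fall back to interpreting such files themselves. Keep `#! /bin/sh` as line 1 (the `# nix-shell -p …` comment can stay on line 2). The `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` in the last hunk is pre-existing context, and the enclosing `wait_login` function ends outside the hunk.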


@ -0,0 +1,39 @@
{ stdenv, fetchurl, python3Packages }:
python3Packages.buildPythonPackage rec {
name = "urlwatch-2.0";
src = fetchurl {
url = "https://thp.io/2008/urlwatch/${name}.tar.gz";
sha256 = "0j38qzw4jxw41vnnpi6j851hqpv8d6p1cbni6cv8r2vqf5307s3b";
};
propagatedBuildInputs = with python3Packages; [
pyyaml
keyring
(python3Packages.buildPythonPackage rec {
name = "minidb-2.0.1";
src = fetchurl {
url = "https://thp.io/2010/minidb/${name}.tar.gz";
sha256 = "1x958zr9jc26vaqij451qb9m2l7apcpz34ir9fwfjg4fwv24z2dy";
};
meta = {
description = "A simple SQLite3-based store for Python objects";
homepage = https://thp.io/2010/minidb/;
license = stdenv.lib.licenses.isc;
maintainers = [ stdenv.lib.maintainers.tv ];
};
})
];
postFixup = ''
wrapProgram "$out/bin/urlwatch" --prefix "PYTHONPATH" : "$PYTHONPATH"
'';
meta = {
description = "A tool for monitoring webpages for updates";
homepage = https://thp.io/2008/urlwatch/;
license = stdenv.lib.licenses.bsd3;
maintainers = [ stdenv.lib.maintainers.tv ];
};
}#


@ -0,0 +1,29 @@
{ stdenv, fetchgit, coreutils, dash, ... }:
stdenv.mkDerivation {
name = "with-tmpdir-1";
src = fetchgit {
url = http://cgit.cd.krebsco.de/with-tmpdir;
rev = "3243c02ed8cd27a04c080bd39560204980f6c16a";
sha256 = "80ee6cafb2c337999ddcd1e41747d6256b7cfcea605358c2046eb7e3729555c6";
};
phases = [
"unpackPhase"
"installPhase"
];
installPhase = ''
mkdir -p $out/bin
{ echo '#! ${dash}/bin/dash'
echo 'OLDPATH=$PATH'
echo 'PATH=${coreutils}/bin'
sed '$s/^/#/' ./with-tmpdir
echo '(PATH=$OLDPATH; exec "$@")'
} > $out/bin/with-tmpdir
chmod +x $out/bin/with-tmpdir
'';
}
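Review bot: `sed '$s/^/#/' ./with-tmpdir` comments out whatever the upstream script's last line is and then appends `(PATH=$OLDPATH; exec "$@")`; that is only deterministic because `rev`/`sha256` pin the source, and a reader cannot tell which line is being replaced or why. Add a comment above the `sed`, e.g. `# disable upstream's final exec and re-run it with the caller's PATH restored`, adjusted to what the pinned revision actually ends with.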


@ -1,5 +1,6 @@
{ current-date assert false;
, current-host-name
{ current-host-name
, current-user-name , current-user-name
, lib , lib
, stockholm , stockholm
@ -7,31 +8,11 @@
}: }:
let out = { let out = {
inherit deploy;
inherit infest; inherit infest;
inherit init; inherit init;
inherit nixos-install; inherit nixos-install;
inherit populate;
}; };
deploy =
{ system ? current-host-name
, target ? system
}@args: let
config = get-config system;
in ''
#! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
# krebs.deploy
set -efu
(${populate args})
${rootssh target ''
${nix-install args}
${config.krebs.build.profile}/bin/switch-to-configuration switch
''}
echo OK
'';
infest = infest =
{ system ? current-host-name { system ? current-host-name
, target ? system , target ? system
@ -39,7 +20,6 @@ let out = {
config = get-config system; config = get-config system;
in '' in ''
#! /bin/sh #! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
# krebs.infest # krebs.infest
set -efu set -efu
@ -48,9 +28,6 @@ let out = {
${builtins.readFile ./4lib/infest/install-nix.sh} ${builtins.readFile ./4lib/infest/install-nix.sh}
''} ''}
# Prepare target source via bind-mounting
(${nixos-install args}) (${nixos-install args})
${rootssh target '' ${rootssh target ''
@ -64,7 +41,6 @@ let out = {
config = get-config system; config = get-config system;
in '' in ''
#! /bin/sh #! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
# krebs.init # krebs.init
set -efu set -efu
@ -100,7 +76,6 @@ let out = {
}@args: let }@args: let
in '' in ''
#! /bin/sh #! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
# krebs.nixos-install # krebs.nixos-install
(${populate (args // { root = "/mnt"; })}) (${populate (args // { root = "/mnt"; })})
@ -171,9 +146,10 @@ let out = {
${b} ${b}
''; '';
get-config = system: get-config = system: let
stockholm.users.${current-user-name}.${system}.config config = stockholm.users.${current-user-name}.${system}.config
or (abort "unknown system: ${system}, user: ${current-user-name}"); or (abort "unknown system: ${system}, user: ${current-user-name}");
in config;
nix-install = nix-install =
{ system ? current-host-name { system ? current-host-name
@ -193,7 +169,6 @@ let out = {
nix-env \ nix-env \
--show-trace \ --show-trace \
-f '<stockholm>' \ -f '<stockholm>' \
--argstr current-date ${lib.shell.escape current-date} \
--argstr current-host-name ${lib.shell.escape current-host-name} \ --argstr current-host-name ${lib.shell.escape current-host-name} \
--argstr current-user-name ${lib.shell.escape current-user-name} \ --argstr current-user-name ${lib.shell.escape current-user-name} \
--profile ${lib.shell.escape config.krebs.build.profile} \ --profile ${lib.shell.escape config.krebs.build.profile} \
@ -206,74 +181,6 @@ let out = {
])} ])}
''; '';
populate =
{ system ? current-host-name
, target ? system
, root ? ""
}@args:
let out = ''
#! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
set -efu
${lib.concatStringsSep "\n"
(lib.concatMap
(type: lib.mapAttrsToList (_: methods.${type})
config.krebs.build.source.${type})
["dir" "git"])}
'';
config = get-config system;
current-host = config.krebs.hosts.${current-host-name};
current-user = config.krebs.users.${current-user-name};
methods.dir = config:
let
can-push = config.host.name == current-host.name;
target-path = root + config.target-path;
push-method = ''
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--exclude tmp \
--rsync-path='mkdir -p ${target-path} && rsync' \
--delete-excluded \
-vrLptgoD \
${config.path}/ \
root@${target}:${target-path}
'';
in
if can-push then push-method else
let dir = "file://${config.host.name}${config.path}"; in
# /!\ revise this message when using more than just push-method
throw "No way to push ${dir} from ${current-host.name} to ${target}";
methods.git = config:
let target-path = root + config.target-path;
in rootssh target ''
mkdir -p ${target-path}
cd ${target-path}
if ! test -e .git; then
git init
fi
if ! cur_url=$(git config remote.origin.url 2>/dev/null); then
git remote add origin ${config.url}
elif test "$cur_url" != ${config.url}; then
git remote set-url origin ${config.url}
fi
if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then
git fetch origin
git checkout ${config.rev} -- .
git checkout -q ${config.rev}
git submodule init
git submodule update
fi
git clean -dxf
'';
in out;
rootssh = target: script: rootssh = target: script:
let let
flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
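Review bot: `assert false;` as the first token makes every import of `krebs/default.nix` fail with the generic `assertion failed` message, so the `infest`, `init` and `nixos-install` generators kept below are unreachable without telling the caller why. If this is a deliberate deprecation while `populate`/`deploy` move to `krebs.build.populate` and the Makefile, replace it with `abort "krebs/default.nix is deprecated; use make deploy / make populate"` (or delete the file); if it is a leftover debugging aid it should not be merged. `rootssh` still takes `StrictHostKeyChecking` from the argument set, unchanged here.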


@ -40,7 +40,7 @@ in {
networking.firewall.allowedTCPPorts = [ 80 655 8080 ]; networking.firewall.allowedTCPPorts = [ 80 655 8080 ];
# services.openssh.allowSFTP = false; # services.openssh.allowSFTP = false;
krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce"; krebs.build.source.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/ # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true; services.sabnzbd.enable = true;


@ -37,7 +37,7 @@
extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; }; extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
}; };
krebs.build.source.git.nixpkgs = { krebs.build.source.nixpkgs = {
# url = https://github.com/nixos/nixpkgs; # url = https://github.com/nixos/nixpkgs;
# HTTP Everywhere + libredir # HTTP Everywhere + libredir
rev = "8239ac6"; rev = "8239ac6";


@ -0,0 +1,30 @@
{ config, lib, ... }:
with lib;
let
startAt = "0,6,12,18:00";
defaultBackupServer = config.krebs.hosts.omo;
defaultBackupDir = "/home/backup";
defaultPull = host: src: {
method = "pull";
src = {
inherit host;
path = src;
};
dst = {
host = defaultBackupServer;
path = defaultBackupDir + src;
};
startAt = "0,6,12,18:00";
snapshots = {
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
in {
krebs.backup.plans = addNames {
wry-to-omo_var-www = defaultPull wry "/var/www";
};
}
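Review bot: `wry` in `wry-to-omo_var-www = defaultPull wry "/var/www";` is not bound anywhere in this file: the module arguments are `{ config, lib, ... }`, hosts are otherwise reached via `config.krebs.hosts` (`defaultBackupServer = config.krebs.hosts.omo`), and `with lib;` is unlikely to provide a host named `wry`, so evaluation should fail with an undefined variable. The call should read `wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/var/www";`. The `startAt = "0,6,12,18:00";` let-binding at the top is unused because `defaultPull` repeats the literal; either drop the binding or use `inherit startAt;` inside `defaultPull` so the schedule is defined once.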

@ -21,23 +21,17 @@ with lib;
target = mkDefault "root@${config.krebs.build.host.name}"; target = mkDefault "root@${config.krebs.build.host.name}";
user = config.krebs.users.makefu; user = config.krebs.users.makefu;
source = { source = {
git.nixpkgs = { upstream-nixpkgs = {
#url = https://github.com/NixOS/nixpkgs;
url = mkDefault https://github.com/nixos/nixpkgs; url = mkDefault https://github.com/nixos/nixpkgs;
rev = mkDefault "93d8671e2c6d1d25f126ed30e5e6f16764330119"; # unstable @ 2015-01-03, tested on filepimp rev = mkDefault "93d8671e2c6d1d25f126ed30e5e6f16764330119"; # unstable @ 2015-01-03, tested on filepimp
target-path = "/var/src/nixpkgs";
}; };
secrets = "/home/makefu/secrets/${config.krebs.build.host.name}/";
stockholm = "/home/makefu/stockholm";
dir.secrets = { # Defaults for all stockholm users?
host = config.krebs.hosts.pornocauster; nixos-config = "symlink:stockholm/${config.krebs.build.user.name}/1systems/${config.krebs.build.host.name}.nix";
path = "/home/makefu/secrets/${config.krebs.build.host.name}/"; nixpkgs = symlink:stockholm/nixpkgs;
}; stockholm-user = "symlink:stockholm/${config.krebs.build.user.name}";
dir.stockholm = {
host = config.krebs.hosts.pornocauster;
path = "/home/makefu/stockholm" ;
target-path = "/var/src/stockholm";
};
}; };
}; };
}; };
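Review bot: The new `source` set assigns plain values (only the `upstream-nixpkgs` entries keep `mkDefault`), so a per-host definition of the same attribute, such as `krebs.build.source.nixpkgs = { url = …; rev = …; }` in a 1systems file, becomes a conflicting definition instead of an override. tv/2configs/default.nix wraps its set as `source = mapAttrs (_: mkDefault) ({ … })` for exactly this reason; the same `mapAttrs (_: mkDefault)` here would let hosts pin their own checkout. Note also that `secrets` ends with a trailing `/` while `stockholm` does not; if these paths are handed to rsync, a trailing slash changes whether the directory or only its contents is copied, so the two spellings should be deliberate rather than accidental.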

@ -1,7 +1,7 @@
_: _:
{ {
krebs.build.source.git.nixpkgs = { krebs.build.source.nixpkgs = {
url = https://github.com/makefu/nixpkgs; url = https://github.com/makefu/nixpkgs;
rev = "15b5bbfbd1c8a55e7d9e05dd9058dc102fac04fe"; # cherry-picked collectd rev = "15b5bbfbd1c8a55e7d9e05dd9058dc102fac04fe"; # cherry-picked collectd
}; };
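Review bot: `krebs.build.source.nixpkgs` is set to an attribute set here, but makefu/2configs/default.nix in this commit sets the same attribute to the string `symlink:stockholm/nixpkgs` without `mkDefault` and moves the url/rev pair to `upstream-nixpkgs`; a string and an attrset on the same option path conflict rather than override. The rename should probably be `krebs.build.source.upstream-nixpkgs = { url = https://github.com/makefu/nixpkgs; rev = "15b5bbfbd1c8a55e7d9e05dd9058dc102fac04fe"; };`, matching how tv/1systems/cd.nix pins its upstream checkout.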

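--- a/nixpkgs/default.nix
+++ b/nixpkgs/default.nix
@@ -0,0 +1 @@
+../upstream-nixpkgs/default.nix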

nixpkgs/krebs Normal file
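--- a/nixpkgs/lib
+++ b/nixpkgs/lib
@@ -0,0 +1 @@
+../upstream-nixpkgs/lib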

@ -0,0 +1 @@
import <stockholm>

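--- a/nixpkgs/nixos/lib
+++ b/nixpkgs/nixos/lib
@@ -0,0 +1 @@
+../../../upstream-nixpkgs/nixos/lib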

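--- a/nixpkgs/nixos/modules
+++ b/nixpkgs/nixos/modules
@@ -0,0 +1 @@
+../../../upstream-nixpkgs/nixos/modules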

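--- a/nixpkgs/pkgs
+++ b/nixpkgs/pkgs
@@ -0,0 +1 @@
+../upstream-nixpkgs/pkgs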

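--- a/root
+++ b/root
@@ -0,0 +1 @@
+../stockholm-user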

@ -86,7 +86,6 @@
-I stockholm=. \ -I stockholm=. \
--show-trace \ --show-trace \
-I secrets=. '<stockholm>' \ -I secrets=. '<stockholm>' \
--argstr current-date lol \
--argstr current-user-name shared \ --argstr current-user-name shared \
--argstr current-host-name lol \ --argstr current-host-name lol \
--strict --json"]) --strict --json"])
@ -98,7 +97,6 @@
-I stockholm=. \ -I stockholm=. \
-I secrets=. '<stockholm>' \ -I secrets=. '<stockholm>' \
--show-trace \ --show-trace \
--argstr current-date lol \
--argstr current-user-name shared \ --argstr current-user-name shared \
--argstr current-host-name lol \ --argstr current-host-name lol \
--strict --json"]) --strict --json"])

@ -6,12 +6,17 @@ with lib;
krebs.build.host = config.krebs.hosts.cd; krebs.build.host = config.krebs.hosts.cd;
krebs.build.target = "root@cd.internet"; krebs.build.target = "root@cd.internet";
krebs.build.source.upstream-nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "b7ff030";
};
imports = [ imports = [
../2configs/hw/CAC-Developer-2.nix ../2configs/hw/CAC-Developer-2.nix
../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/fs/CAC-CentOS-7-64bit.nix
#../2configs/consul-server.nix
../2configs/exim-smarthost.nix ../2configs/exim-smarthost.nix
../2configs/git.nix ../2configs/git.nix
../2configs/retiolum.nix
../2configs/urlwatch.nix ../2configs/urlwatch.nix
{ {
imports = [ ../2configs/charybdis.nix ]; imports = [ ../2configs/charybdis.nix ];
@ -25,6 +30,10 @@ with lib;
enable = true; enable = true;
hosts = [ "jabber.viljetic.de" ]; hosts = [ "jabber.viljetic.de" ];
}; };
tv.iptables.input-internet-accept-new-tcp = [
"xmpp-client"
"xmpp-server"
];
} }
{ {
krebs.github-hosts-sync.enable = true; krebs.github-hosts-sync.enable = true;
@ -32,38 +41,17 @@ with lib;
singleton config.krebs.github-hosts-sync.port; singleton config.krebs.github-hosts-sync.port;
} }
{ {
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
"ssh"
"tinc"
"smtp"
"xmpp-client"
"xmpp-server"
];
input-retiolum-accept-new-tcp = [
"http"
];
};
}
{
tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.cgit.server-names = [ krebs.nginx.servers.cgit.server-names = [
"cgit.cd.krebsco.de" "cgit.cd.krebsco.de"
"cgit.cd.viljetic.de" "cgit.cd.viljetic.de"
]; ];
}
{
# TODO make public_html also available to cd, cd.retiolum (AKA default) # TODO make public_html also available to cd, cd.retiolum (AKA default)
tv.iptables.input-internet-accept-new-tcp = singleton "http";
krebs.nginx.servers.public_html = { krebs.nginx.servers.public_html = {
server-names = singleton "cd.viljetic.de"; server-names = singleton "cd.viljetic.de";
locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2; alias /home/$1/public_html$2;
''); '');
}; };
}
{
krebs.nginx.servers.viljetic = { krebs.nginx.servers.viljetic = {
server-names = singleton "viljetic.de"; server-names = singleton "viljetic.de";
# TODO directly set root (instead via location) # TODO directly set root (instead via location)
@ -71,16 +59,7 @@ with lib;
root ${pkgs.viljetic-pages}; root ${pkgs.viljetic-pages};
''); '');
}; };
} tv.iptables.input-internet-accept-new-tcp = singleton "http";
{
krebs.retiolum = {
enable = true;
connectTo = [
"fastpoke"
"pigstarter"
"ire"
];
};
} }
]; ];
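Review bot: `rev = "b7ff030";` in the new `krebs.build.source.upstream-nixpkgs` block pins upstream nixpkgs by a 7-character abbreviation, which resolves to whichever object matches at checkout time and can become ambiguous later, so it is not a stable supply-chain pin; use the full commit id as tv/2configs/default.nix does with `77f8f35d57618c1ba456d968524f2fb2c3448295`. Separately, the deleted block accepted `http` on the retiolum chain (`input-retiolum-accept-new-tcp = [ "http" ]`), while the new configuration only keeps `tv.iptables.input-internet-accept-new-tcp = singleton "http";`; unless the internet chain also covers the retiolum interface, cgit and public_html are no longer reachable over retiolum, which the surviving TODO about cd.retiolum appears to want. Worth confirming the narrowing is intended.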

@ -22,7 +22,6 @@ in
imports = [ imports = [
../2configs/hw/CAC-Developer-1.nix ../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/consul-server.nix
../2configs/exim-smarthost.nix ../2configs/exim-smarthost.nix
../2configs/git.nix ../2configs/git.nix
{ {

@ -5,45 +5,14 @@ with lib;
{ {
krebs.build.host = config.krebs.hosts.nomic; krebs.build.host = config.krebs.hosts.nomic;
krebs.build.target = "root@nomic.gg23";
imports = [ imports = [
../2configs/hw/AO753.nix ../2configs/hw/AO753.nix
#../2configs/consul-server.nix ../2configs/exim-retiolum.nix
../2configs/git.nix ../2configs/git.nix
{ ../2configs/nginx-public_html.nix
tv.iptables = { ../2configs/pulse.nix
enable = true; ../2configs/retiolum.nix
input-internet-accept-new-tcp = [ ../2configs/xserver
"ssh"
"http"
"tinc"
"smtp"
];
};
}
{
krebs.exim-retiolum.enable = true;
}
{
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
};
}
{
krebs.retiolum = {
enable = true;
connectTo = [
"gum"
"pigstarter"
];
};
}
]; ];
boot.initrd.luks = { boot.initrd.luks = {

@ -23,7 +23,6 @@ in
imports = [ imports = [
../2configs/hw/CAC-Developer-1.nix ../2configs/hw/CAC-Developer-1.nix
../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/consul-server.nix
../2configs/exim-smarthost.nix ../2configs/exim-smarthost.nix
../2configs/git.nix ../2configs/git.nix
{ {

@ -7,10 +7,12 @@ with lib;
imports = [ imports = [
../2configs/hw/w110er.nix ../2configs/hw/w110er.nix
#../2configs/consul-client.nix ../2configs/exim-retiolum.nix
../2configs/git.nix ../2configs/git.nix
../2configs/mail-client.nix ../2configs/mail-client.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix ../2configs/pulse.nix
../2configs/retiolum.nix
../2configs/xserver ../2configs/xserver
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -18,7 +20,7 @@ with lib;
# stockholm # stockholm
gnumake gnumake
hashPassword hashPassword
lentil haskellPackages.lentil
parallel parallel
(pkgs.writeScriptBin "im" '' (pkgs.writeScriptBin "im" ''
#! ${pkgs.bash}/bin/bash #! ${pkgs.bash}/bin/bash
@ -41,7 +43,7 @@ with lib;
# tv # tv
bc bc
bind # dig bind # dig
cac cac-api
dic dic
file file
get get
@ -123,39 +125,6 @@ with lib;
unison unison
]; ];
} }
{
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
"ssh"
"http"
"tinc"
"smtp"
];
};
}
{
krebs.exim-retiolum.enable = true;
}
{
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
};
}
{
krebs.retiolum = {
enable = true;
connectTo = [
"gum"
"pigstarter"
];
};
}
]; ];
boot.initrd.luks = { boot.initrd.luks = {
@ -188,7 +157,7 @@ with lib;
nixpkgs.config.chromium.enablePepperFlash = true; nixpkgs.config.chromium.enablePepperFlash = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name;
hardware.bumblebee.enable = true; hardware.bumblebee.enable = true;
hardware.bumblebee.group = "video"; hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
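Review bot: `nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name;` now only whitelists the nvidia driver, but the same file keeps `nixpkgs.config.chromium.enablePepperFlash = true;` and `hardware.enableAllFirmware = true;`, both of which, as far as I know, pull unfree components out of nixpkgs. If that holds for the pinned nixpkgs, evaluating this host now fails with an unfree-package error; either extend the predicate to name those packages explicitly or drop the two options if the restriction is the goal. A test evaluation of wu against the new pin would settle it.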

@ -5,15 +5,14 @@ with lib;
{ {
krebs.build.host = config.krebs.hosts.xu; krebs.build.host = config.krebs.hosts.xu;
krebs.build.source.git.nixpkgs.rev =
"7ae05edcdd14f6ace83ead9bf0d114e97c89a83a";
imports = [ imports = [
../2configs/hw/x220.nix ../2configs/hw/x220.nix
#../2configs/consul-client.nix ../2configs/exim-retiolum.nix
../2configs/git.nix ../2configs/git.nix
../2configs/mail-client.nix ../2configs/mail-client.nix
../2configs/nginx-public_html.nix
../2configs/pulse.nix ../2configs/pulse.nix
../2configs/retiolum.nix
../2configs/xserver ../2configs/xserver
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -21,7 +20,7 @@ with lib;
# stockholm # stockholm
gnumake gnumake
hashPassword hashPassword
lentil haskellPackages.lentil
parallel parallel
(pkgs.writeScriptBin "im" '' (pkgs.writeScriptBin "im" ''
#! ${pkgs.bash}/bin/bash #! ${pkgs.bash}/bin/bash
@ -124,40 +123,6 @@ with lib;
unison unison
]; ];
} }
{
tv.iptables = {
enable = true;
input-internet-accept-new-tcp = [
"ssh"
"http"
"tinc"
"smtp"
];
};
}
{
krebs.exim-retiolum.enable = true;
}
{
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
};
}
{
krebs.retiolum = {
enable = true;
connectTo = [
"cd"
"gum"
"pigstarter"
];
};
}
]; ];
boot.initrd.luks = { boot.initrd.luks = {
@ -190,7 +155,6 @@ with lib;
nixpkgs.config.chromium.enablePepperFlash = true; nixpkgs.config.chromium.enablePepperFlash = true;
nixpkgs.config.allowUnfree = true;
#hardware.bumblebee.enable = true; #hardware.bumblebee.enable = true;
#hardware.bumblebee.group = "video"; #hardware.bumblebee.group = "video";
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
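Review bot: This file drops `nixpkgs.config.allowUnfree = true;` while tv/2configs/default.nix in the same commit sets `nixpkgs.config.allowUnfree = false;` for every tv host, yet `nixpkgs.config.chromium.enablePepperFlash = true;` and `hardware.enableAllFirmware = true;` remain. If those options pull in unfree derivations, xu no longer evaluates; either add an `allowUnfreePredicate` naming the packages actually needed, as wu.nix now does for the nvidia driver, or remove the two options. Removing the per-host `git.nixpkgs.rev` also means xu now follows the 2configs default pin, which is presumably intended but changes the deployed tree.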

@ -2,41 +2,17 @@
with lib; with lib;
{ {
krebs.backup.plans = addNames { krebs.backup.plans = addNames {
xu-test-cd = { wu-home-xu = {
method = "push"; method = "push";
src = { host = config.krebs.hosts.wu; path = "/home"; };
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; }; dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; };
dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; }; startAt = "05:00";
#startAt = "0,6,12,18:00";
startAt = "minutely";
snapshots = { snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; }; daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; }; weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; }; monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; }; yearly = { format = "%Y"; };
}; };
}; };
#xu-test-wu = {
# method = "push";
# dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; };
#};
cd-test-xu = {
method = "pull";
src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; };
dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; };
startAt = "minutely";
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
}; };
} }
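Review bot: The new `wu-home-xu` plan pushes all of `/home` from wu to `/bku/wu-home` on xu, and in this commit tv/2configs/default.nix places `/home/tv/secrets/${host}`, `/home/tv/secrets/common` and (on secure hosts) `/home/tv/secrets/master` under that tree, so every secret held on wu is replicated to xu by the 05:00 job. That is acceptable only if xu is trusted at least as much as wu and the destination is not readable by other users; otherwise exclude the secrets directory from the plan or give it its own destination with tighter modes. If the backup module supports an exclude list, `/home/tv/secrets` is the first candidate; whether the receiving snapshots preserve source permissions is not visible on this page.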

@ -1,9 +0,0 @@
{ pkgs, ... }:
{
imports = [ ./consul-server.nix ];
tv.consul = {
server = pkgs.lib.mkForce false;
};
}

@ -1,21 +0,0 @@
{ config, ... }:
{
tv.consul = rec {
enable = true;
self = config.krebs.build.host;
inherit (self) dc;
server = true;
hosts = with config.krebs.hosts; [
# TODO get this list automatically from each host where tv.consul.enable is true
cd
mkdir
nomic
rmdir
#wu
];
};
}

@ -8,20 +8,21 @@ with lib;
krebs.build = { krebs.build = {
user = config.krebs.users.tv; user = config.krebs.users.tv;
target = mkDefault "root@${config.krebs.build.host.name}"; target = mkDefault "root@${config.krebs.build.host.name}";
source = { source = mapAttrs (_: mkDefault) ({
git.nixpkgs = { nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix";
url = mkDefault https://github.com/NixOS/nixpkgs; nixpkgs = symlink:stockholm/nixpkgs;
rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613"; secrets = "/home/tv/secrets/${config.krebs.build.host.name}";
target-path = mkDefault "/var/src/nixpkgs"; secrets-common = "/home/tv/secrets/common";
}; stockholm = "/home/tv/stockholm";
dir.secrets = { stockholm-user = "symlink:stockholm/tv";
path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}"; upstream-nixpkgs = {
}; url = https://github.com/NixOS/nixpkgs;
dir.stockholm = { rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
path = mkDefault "/home/tv/stockholm"; dev = "/home/tv/nixpkgs";
target-path = mkDefault "/var/src/stockholm";
};
}; };
} // optionalAttrs config.krebs.build.host.secure {
secrets-master = "/home/tv/secrets/master";
});
}; };
networking.hostName = config.krebs.build.host.name; networking.hostName = config.krebs.build.host.name;
@ -66,6 +67,9 @@ with lib;
nix.useChroot = true; nix.useChroot = true;
} }
{
nixpkgs.config.allowUnfree = false;
}
{ {
environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
@ -98,12 +102,7 @@ with lib;
}; };
environment.variables = { environment.variables = {
NIX_PATH = NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
with config.krebs.build.source; with dir; with git;
mkForce (concatStringsSep ":" [
"nixpkgs=${nixpkgs.target-path}"
"secrets=${stockholm.target-path}/null"
]);
}; };
programs.bash = { programs.bash = {
@ -142,7 +141,12 @@ with lib;
''; '';
}; };
programs.ssh.startAgent = false; programs.ssh = {
extraConfig = ''
UseRoaming no
'';
startAgent = false;
};
} }
{ {
@ -159,6 +163,10 @@ with lib;
}; };
} }
{
tv.iptables.enable = true;
}
{ {
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -166,6 +174,7 @@ with lib;
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
]; ];
}; };
tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
} }
{ {
@ -177,7 +186,8 @@ with lib;
{ {
systemd.tmpfiles.rules = let systemd.tmpfiles.rules = let
forUsers = flip map users; forUsers = flip map users;
isUser = { group, ... }: hasSuffix "users" group; isUser = { name, group, ... }:
name == "root" || hasSuffix "users" group;
users = filter isUser (mapAttrsToList (_: id) config.users.users); users = filter isUser (mapAttrsToList (_: id) config.users.users);
in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -"); in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME"; environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
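Review bot: `UseRoaming no` in `programs.ssh.extraConfig` deserves a comment stating why it is set, since without one a later reader will assume it is cosmetic and may drop it; something like `# disable the OpenSSH client roaming extension: unused here and not worth the extra client attack surface` next to it. `tv.iptables.enable = true;` is now switched on for every host importing this file with only `ssh` accepted from the internet, so any host that previously relied on having no firewall must now declare its ports through the 2configs modules (the inline lists deleted from nomic, wu and xu are moved there, which covers those three). Restricting `secrets-master` to `config.krebs.build.host.secure` via `optionalAttrs` is a sound split; the remainder of the `source` rewrite looks behaviour-preserving.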

@ -0,0 +1,8 @@
{ lib, ... }:
with lib;
{
krebs.exim-retiolum.enable = true;
tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
}

@ -1,4 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
{ {
krebs.exim-smarthost = { krebs.exim-smarthost = {
@ -34,4 +36,5 @@
{ from = "mirko"; to = "mv"; } { from = "mirko"; to = "mv"; }
]; ];
}; };
tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
} }

@ -9,7 +9,7 @@ let
enable = true; enable = true;
root-title = "public repositories at ${config.krebs.build.host.name}"; root-title = "public repositories at ${config.krebs.build.host.name}";
root-desc = "keep calm and engage"; root-desc = "keep calm and engage";
repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos; repos = repos;
rules = rules; rules = rules;
}; };
}; };
@ -22,8 +22,8 @@ let
public-repos = mapAttrs make-public-repo ({ public-repos = mapAttrs make-public-repo ({
} // mapAttrValues (setAttr "section" "1. Miscellaneous") { } // mapAttrValues (setAttr "section" "1. Miscellaneous") {
cac = { cac-api = {
desc = "CloudAtCost command line interface"; desc = "CloudAtCost API command line interface";
}; };
get = {}; get = {};
hack = {}; hack = {};
@ -39,6 +39,7 @@ let
stockholm = { stockholm = {
desc = "take all the computers hostage, they'll love you!"; desc = "take all the computers hostage, they'll love you!";
}; };
with-tmpdir = {};
} // mapAttrValues (setAttr "section" "2. Haskell libraries") { } // mapAttrValues (setAttr "section" "2. Haskell libraries") {
blessings = {}; blessings = {};
mime = {}; mime = {};
@ -98,7 +99,7 @@ let
repo = [ repo ]; repo = [ repo ];
perm = fetch; perm = fetch;
} ++ } ++
optional (length (repo.collaborators or []) > 0) { optional (repo.collaborators or [] != []) {
user = repo.collaborators; user = repo.collaborators;
repo = [ repo ]; repo = [ repo ];
perm = fetch; perm = fetch;
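Review bot: `repos = repos;` replaces `mapAttrs (_: s: removeAttrs s ["collaborators"]) repos`, so the cgit configuration now receives each repository's `collaborators` attribute that was deliberately stripped before. If the cgit module's repos option is typed strictly this fails to evaluate; if it is not, a list of collaborator identities is handed to the web-facing configuration for no reason. Unless cgit was changed to accept and ignore that attribute, keep `repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;`. The rewritten `optional (repo.collaborators or [] != [])` test is equivalent to the old `length … > 0`, since `or` binds tighter than `!=`.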

@ -1,4 +1,6 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
{ {
imports = [ imports = [
@ -39,8 +41,5 @@
HandleSuspendKey=ignore HandleSuspendKey=ignore
''; '';
nixpkgs.config = { nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name;
allowUnfree = false;
allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
};
} }

@ -14,7 +14,6 @@
networking.wireless.enable = true; networking.wireless.enable = true;
#hardware.enableAllFirmware = true; #hardware.enableAllFirmware = true;
#nixpkgs.config.allowUnfree = true;
#zramSwap.enable = true; #zramSwap.enable = true;
#zramSwap.numDevices = 2; #zramSwap.numDevices = 2;

@ -0,0 +1,15 @@
{ lib, ... }:
with lib;
{
krebs.nginx = {
enable = true;
servers.default.locations = [
(nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
alias /home/$1/public_html$2;
'')
];
};
tv.iptables.input-internet-accept-new-tcp = singleton "http";
}
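Review bot: The `~ ^/~(.+?)(/.*)?$` location with `alias /home/$1/public_html$2;` captures the user name with `.+?`, so whatever bytes nginx's URI normalisation leaves in place become part of the filesystem path; limiting the capture to a user-name alphabet is a cheap defence in depth that keeps the alias inside `/home/<user>/public_html`: `(nameValuePair "~ ^/~([a-z_][a-z0-9_-]*)(/.*)?\$" ''`. This module is also what opens `http` on the internet chain for every importer, and the hosts that now import it (nomic, wu, xu) are, judging by their hardware modules, personal machines rather than servers, so exposing port 80 publicly on them should be a deliberate choice noted in a comment.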

@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib;
let let
pkg = pkgs.pulseaudioLight; pkg = pkgs.pulseaudioLight;
runDir = "/run/pulse"; runDir = "/run/pulse";
@ -35,36 +36,43 @@ let
in in
{ {
systemd.tmpfiles.rules = [
"d ${runDir} 0750 pulse pulse - -"
"d ${runDir}/home 0700 pulse pulse - -"
];
system.activationScripts.pulseaudio-hack = ''
ln -fns ${clientConf} /etc/pulse/client.conf
'';
environment = { environment = {
etc = { etc = {
"asound.conf".source = alsaConf; "asound.conf".source = alsaConf;
#"pulse/client.conf" = lib.mkForce { source = clientConf; }; # XXX mkForce is not strong enough (and neither is mkOverride) to create
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
#"pulse/client.conf" = mkForce { source = clientConf; };
#"pulse/client.conf".source = mkForce clientConf;
"pulse/default.pa".source = configFile; "pulse/default.pa".source = configFile;
}; };
systemPackages = [ pkg ]; systemPackages = [
pkg
] ++ optionals config.services.xserver.enable [
pkgs.pavucontrol
];
}; };
# Allow PulseAudio to get realtime priority using rtkit. # Allow PulseAudio to get realtime priority using rtkit.
security.rtkit.enable = true; security.rtkit.enable = true;
system.activationScripts.pulseaudio-hack = ''
ln -fns ${clientConf} /etc/pulse/client.conf
'';
systemd.services.pulse = { systemd.services.pulse = {
wantedBy = [ "sound.target" ]; wantedBy = [ "sound.target" ];
before = [ "sound.target" ]; before = [ "sound.target" ];
environment = { environment = {
PULSE_RUNTIME_PATH = "${runDir}/home"; PULSE_RUNTIME_PATH = "${runDir}/home";
#DISPLAY = ":${toString config.services.xserver.display}";
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkg}/bin/pulseaudio"; ExecStart = "${pkg}/bin/pulseaudio";
ExecStartPre = pkgs.writeScript "pulse-start" ''
#! /bin/sh
install -o pulse -g pulse -m 0750 -d ${runDir}
install -o pulse -g pulse -m 0700 -d ${runDir}/home
'';
PermissionsStartOnly = "true";
User = "pulse"; User = "pulse";
}; };
}; };

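--- a/tv/2configs/retiolum.nix
+++ b/tv/2configs/retiolum.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+with lib;
+{
+krebs.retiolum = {
+enable = true;
+connectTo = filter (ne config.krebs.build.host.name) [
+"gum"
+"prism"
+"echelon"
+"cd"
+"ire"
+];
+};
+tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
+}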

@ -7,11 +7,6 @@ let
vim vim
]; ];
# Nano really is just a stupid name for Vim.
nixpkgs.config.packageOverrides = pkgs: {
nano = pkgs.vim;
};
environment.etc.vimrc.source = vimrc; environment.etc.vimrc.source = vimrc;
environment.variables.EDITOR = mkForce "vim"; environment.variables.EDITOR = mkForce "vim";
@ -89,7 +84,7 @@ let
\ | hi Normal ctermfg=White \ | hi Normal ctermfg=White
au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" '' au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" ''
syn region String start=+\[[^|]*|+ end=+|]+ syn region String start=+\[[[:alnum:]]*|+ end=+|]+
''} ''}
au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" '' au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" ''
@ -110,6 +105,8 @@ let
syn match String /"\([^\\"]\|\\.\)*"/ syn match String /"\([^\\"]\|\\.\)*"/
syn match Comment /\(^\|\s\)#.*/ syn match Comment /\(^\|\s\)#.*/
let b:current_syntax = "nix"
''} ''}
au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile

@ -37,7 +37,6 @@ let
pkgs.ff pkgs.ff
pkgs.gitAndTools.qgit pkgs.gitAndTools.qgit
pkgs.mpv pkgs.mpv
pkgs.pavucontrol
pkgs.slock pkgs.slock
pkgs.sxiv pkgs.sxiv
pkgs.xsel pkgs.xsel

@ -1,118 +0,0 @@
{ config, lib, pkgs, ... }:
# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect
# but -bootstrap
# TODO consul-bootstrap HOST that actually does is
# TODO tools to inspect state of a cluster in outage state
with lib;
let
cfg = config.tv.consul;
out = {
options.tv.consul = api;
config = mkIf cfg.enable (mkMerge [
imp
{ tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; }
# TODO udp for 8301
]);
};
api = {
enable = mkEnableOption "tv.consul";
dc = mkOption {
type = types.label;
};
hosts = mkOption {
type = with types; listOf host;
};
encrypt-file = mkOption {
type = types.str; # TODO path (but not just into store)
default = toString <secrets/consul-encrypt.json>;
};
data-dir = mkOption {
type = types.str; # TODO path (but not just into store)
default = "/var/lib/consul";
};
self = mkOption {
type = types.host;
};
server = mkOption {
type = types.bool;
default = false;
};
GOMAXPROCS = mkOption {
type = types.int;
default = cfg.self.cores;
};
};
consul-config = {
datacenter = cfg.dc;
data_dir = cfg.data-dir;
log_level = "INFO";
#node_name =
server = cfg.server;
enable_syslog = true;
retry_join =
# TODO allow consul in other nets than retiolum [maybe]
concatMap (host: host.nets.retiolum.addrs)
(filter (host: host.name != cfg.self.name) cfg.hosts);
leave_on_terminate = true;
} // optionalAttrs cfg.server {
bootstrap_expect = length cfg.hosts;
leave_on_terminate = false;
};
imp = {
environment.systemPackages = with pkgs; [
consul
];
systemd.services.consul = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
consul
];
environment = {
GOMAXPROCS = toString cfg.GOMAXPROCS;
};
serviceConfig = {
PermissionsStartOnly = "true";
SyslogIdentifier = "consul";
User = user.name;
PrivateTmp = "true";
Restart = "always";
ExecStartPre = pkgs.writeScript "consul-init" ''
#! /bin/sh
mkdir -p ${cfg.data-dir}
chown ${user.name}: ${cfg.data-dir}
install -o ${user.name} -m 0400 ${cfg.encrypt-file} /tmp/encrypt.json
'';
ExecStart = pkgs.writeScript "consul-service" ''
#! /bin/sh
set -euf
exec >/dev/null
exec consul agent \
-config-file=${toFile "consul.json" (toJSON consul-config)} \
-config-file=/tmp/encrypt.json
'';
#-node=${cfg.self.fqdn} \
#ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";
};
};
users.extraUsers = singleton {
inherit (user) name uid;
};
};
user = rec {
name = "consul";
uid = genid name;
};
in
out

@ -2,7 +2,6 @@ _:
{ {
imports = [ imports = [
./consul.nix
./ejabberd.nix ./ejabberd.nix
./iptables.nix ./iptables.nix
]; ];

@ -11,6 +11,9 @@
--disk-cache-size=50000000 \ --disk-cache-size=50000000 \
"%@" "%@"
''; '';
ejabberd = pkgs.callPackage ./ejabberd {
erlang = pkgs.erlangR16;
};
ff = pkgs.callPackage ./ff {}; ff = pkgs.callPackage ./ff {};
viljetic-pages = pkgs.callPackage ./viljetic-pages {}; viljetic-pages = pkgs.callPackage ./viljetic-pages {};
xmonad-tv = xmonad-tv =

@ -0,0 +1,28 @@
{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}:
stdenv.mkDerivation rec {
version = "2.1.13";
name = "ejabberd-${version}";
src = fetchurl {
url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8";
};
buildInputs = [ expat erlang zlib openssl pam ];
patchPhase = ''
sed -i \
-e "s|erl \\\|${erlang}/bin/erl \\\|" \
-e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \
src/ejabberdctl.template
'';
preConfigure = ''
cd src
'';
configureFlags = ["--enable-pam"];
meta = {
description = "Open-source XMPP application server written in Erlang";
license = stdenv.lib.licenses.gpl2;
homepage = http://www.ejabberd.im;
maintainers = [ lib.maintainers.sander ];
};
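Review bot: `patchPhase = ''…''` replaces the whole phase instead of hooking it, which silently disables the `patches` list and the pre/post hooks for this derivation; put the two `sed` edits in `postPatch` and let the default phase run. The source is fetched from a plain `http://` URL; the `sha256` makes the download integrity-checked, so this is acceptable, but `https://www.process-one.net/…` costs nothing if the host serves it. The package vendors ejabberd `2.1.13` built against `erlangR16`, which as far as I know is an older release line than current upstream — if the reason is compatibility with the ejabberd NixOS module that deserves a comment above `version`, because a locally maintained XMPP server build will not receive security updates through nixpkgs. Using `lib.maintainers.sander` next to `stdenv.lib.licenses.gpl2` also suggests the extra `lib` input is redundant.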
}