Merge remote-tracking branch 'ni/master' into HEAD

2017-06-20 16:05:27 +02:00 · 2017-06-20 16:05:27 +02:00 · f0bcc6e1f1
commit f0bcc6e1f1
parent bda14221cf 57c6b890f9
19 changed files with 348 additions and 69 deletions
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -186,7 +186,7 @@ let
          makefu
          tv
        ];
-        ciko.mail = "wieczorek.stefan@gmail.com";
+        ciko.mail = "ciko@slash16.net";
      in {
        "anmeldung@eloop.org" = eloop-ml;
        "cfp@eloop.org" = eloop-ml;
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@ -47,9 +47,7 @@ let
          type = mkOptionType {
            # TODO admit symbolic mode
            name = "octal mode";
-            check = x:
+            check = test "[0-7][0-7][0-7][0-7]";
              isString x &&
              match "[0-7][0-7][0-7][0-7]" x != null;
            merge = mergeOneOption;
          };
        };
--- a/krebs/5pkgs/simple/bling/default.nix
+++ b/krebs/5pkgs/simple/bling/default.nix
@ -0,0 +1,56 @@
 { imagemagick, runCommand, ... }:
 with import <stockholm/lib>;
 let
  krebs-v2 = [
    "                "
    "                "
    " x x         x x"
    "xx x  xx xx xx x"
    "xx x  xx xx xx x"
    " xxx   x  x  xxx"
    " xxx  xxxxx  xxx"
    "  x  xxxxxxx  x "
    "  xxxxxxxxxxxxx "
    "     xxxxxxx    "
    "   xxxxxxxxxxx  "
    "   x   xxx   x  "
    "  x  x x x x  x "
    "  x  x x x x  x "
    "  x xx x x xx x "
    "                "
  ];
  chars-per-pixel = 1;
  colors = 2;
  columns = foldl' max 0 (map stringLength krebs-v2);
  rows = length krebs-v2;
  png-geometry = "1692x1692";
  txt = concatMapStrings (s: "${s}\n") krebs-v2;
  xpm = ''
    static char *krebs_v2[] = {
      ${toC (toString [columns rows colors chars-per-pixel])},
      "  c None",
      "x c #E4002B",
      ${concatMapStringsSep ",\n  " toC krebs-v2}
    };
  '';
 in
 runCommand "bling"
  {
    inherit xpm;
    passAsFile = ["xpm"];
  }
  ''
    mkdir -p $out
    cd $out
    cp $xpmPath krebs-v2.xpm
    ${imagemagick}/bin/convert krebs-v2.xpm krebs-v2.ico
    ${imagemagick}/bin/convert krebs-v2.xpm -scale ${png-geometry} krebs-v2.png
  ''
--- a/krebs/5pkgs/simple/git-hooks/default.nix
+++ b/krebs/5pkgs/simple/git-hooks/default.nix
@ -5,7 +5,15 @@ with import <stockholm/lib>;
 {
  # TODO irc-announce should return a derivation
  #      but it cannot because krebs.git.repos.*.hooks :: attrsOf str
-  irc-announce = { nick, channel, server, port ? 6667, verbose ? false, branches ? [] }: ''
+  irc-announce =
  { branches ? []
  , cgit_endpoint ? "http://cgit.${nick}.r"
  , channel
  , nick
  , port ? 6667
  , server
  , verbose ? false
  }: /* sh */ ''
    #! /bin/sh
    set -euf
@ -34,7 +42,6 @@ with import <stockholm/lib>;
    port=${toString port}
    host=$nick
    cgit_endpoint=http://cgit.$host.r
    empty=0000000000000000000000000000000000000000
@ -66,22 +73,27 @@ with import <stockholm/lib>;
      if [ $newrev = $empty ]; then id=$empty_tree; fi
      if [ $oldrev = $empty ]; then id2=$empty_tree; fi
-      case $receive_mode in
+      ${if cgit_endpoint != null then /* sh */ ''
-        create)
+        cgit_endpoint=${escapeShellArg cgit_endpoint}
-          link="$cgit_endpoint/$GIT_SSH_REPO/?h=$h"
+        case $receive_mode in
-          ;;
+          create)
-        delete)
+            link="$cgit_endpoint/$GIT_SSH_REPO/?h=$h"
-          link="$cgit_endpoint/$GIT_SSH_REPO/ ($h)"
+            ;;
-          ;;
+          delete)
-        fast-forward|non-fast-forward)
+            link="$cgit_endpoint/$GIT_SSH_REPO/ ($h)"
-          link="$cgit_endpoint/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2"
+            ;;
-          ;;
+          fast-forward|non-fast-forward)
-      esac
+            link="$cgit_endpoint/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2"
            ;;
        esac
      '' else /* sh */ ''
        link="$GIT_SSH_REPO $h"
      ''}
      #$host $GIT_SSH_REPO $ref $link
      add_message $(pink push) $link $(gray "($receive_mode)")
-      ${optionalString verbose ''
+      ${optionalString verbose /* sh */ ''
        add_message "$(
          git log \
              --format="$(orange %h) %s $(gray '(%ar)')" \
--- a/krebs/5pkgs/simple/krebs-pages/default.nix
+++ b/krebs/5pkgs/simple/krebs-pages/default.nix
@ -0,0 +1,8 @@
 { bling, runCommand, ... }:
 runCommand "krebs-pages-0" {} ''
  mkdir $out
  cp ${./fixtures}/* $out/
  ln -s ${bling}/krebs-v2.ico $out/favicon.ico
  ln -s ${bling}/krebs-v2.png $out/
 ''
--- a/krebs/5pkgs/simple/krebs-pages/fixtures/index.html
+++ b/krebs/5pkgs/simple/krebs-pages/fixtures/index.html
@ -0,0 +1,42 @@
 <!doctype html>
 <title>krebscode</title>
 <style>
  html {
    background: black url(krebs-v2.png) fixed no-repeat 50% 0%;
    background-size: 423px;
  }
  a:visited {
        color: white;
  }
  a:link {
      color: lightgrey;
    }
 </style>
 <script>
  var html;
  window.onload = function () {
    html = document.getElementsByTagName('html')[0];
    window.onresize();
  }
  window.onresize = function () {
    html.style.backgroundSize =
        Math.min(document.height - 23, document.width - 23) + 'px';
  }
 </script>
 <body>
  <p>
    <a href="http://krebscode.github.io/minikrebs/linuxtag">
      Linuxtag Heckenkrebs Presentation
    </a>
  </p>
  <p>
    <a href="http://krebscode.github.io/writeups">
      CTF Writeups
    </a>
  </p>
  <p>
    <a href="thesauron.html">
      Thesauron
    </a>
  </p>
 </body>
--- a/krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html
+++ b/krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html
@ -0,0 +1,133 @@
 <p>Cholerab n.
 [de]
 - Kunstwort aus Kollaboration und Cholera. Beschreibt den Zustand, dass
 Zusammenarbeit niemals gut, einfach und ohne Schmerzen funktioniert.
 - Teamwork-Plattform für Krebscode.</p>
 <p>eigentlich adv.
 [de]
 - Hinweis darauf, dass der Inhalt eines Satzes eine Soll-Realität beschreibt,
 die nicht der Fall ist.
 Antonym: tatsaechlich</p>
 <p>ghost n.
 [de]
 - Host im Darknet welcher evtl. irgendwie noch da ist (als dd image auf anderen
 Festplatten) aber wohl nie wieder kommen wird.
 Siehe: Wiederbelebung</p>
 <p>KD;RP abbr. (pronounciation: kah-derp)
 [en]
 - Short for Krebs Darknet / Retiolum Prefix.</p>
 <p>krebs
 [de]
 - krebs ist ein soziales Experiment, eine Organisation, das zweit aelteste
 Softwareprojekt im Shack und viel verteilte infrastruktur.</p>
 <p>kremium
 [en]
 - coinage derived from the words premium and krebs
 see: broken
 usage: Reaktor ircbot has unfixed broken behavior since ever-&gt;&#8220;Kremium Software&#8221;</p>
 <p>KRI abbr. (pronounciation: [en] cry)
 [en]
 - Short for Krebs Request for Implementation.
 Derived from Scheme Requests for Implementation (SRFI).</p>
 <p>litterate programming n.
 [en]
 - any code that has not been proved mathematically.</p>
 <p>Nahziel n.
 [de]
 - Ziel mit höchst möglicher Priorität.</p>
 <p>Nahzielerfahrung n.
 [de]
 - das Erlebnis der (endgültigen) Nichterreichung eines Nahziels (obwohl
 nur noch wenig ((quasi-) infinitesimal viel) nötig gewesen wäre).</p>
 <p>parentheses of fear
 [en]
 - unnecessary parentheses, usually used when order of precedence is unknown.
 - Examples: 1 + (2 * 3)</p>
 <p>Protip n.
 [en]
 - (Probably vague) description how a task can be solved.
 - Antonym: Spoiler
 - Example:
 - To defeat the Cyberdaemon, shoot at it until it dies.
 - RTFM</p>
 <p>Punching Lemma n.
 [de]
 - Sozialer Druck zur Aufrechterhaltung der Ordnung in dem sozialen Geflaecht
 von Krebs</p>
 <p>ref, n.
 [en]
 - A reference like an URI, ISBN, name of a person, etc.</p>
 <p>reftrace, n.
 [en]
 - A stacktrace-like representation of refs that lead to some (any kind of)
 conclusion. Usually generated by a human. The conclusion can be either on
 the top or on the bottom of the stack. If the order is ambiguous, then it
 should be communicated explicitly.
 - Example: (conclusion first)
 - http://en.wikipedia.org/wiki/Stack_trace
 - google &#8220;stacktrace&#8221; (first entry / 2014&#8211;12&#8211;05T12:13:58Z)
 - think about some example [this could be omitted, as it&#8217;s obvious&#8230;]</p>
 <p>Retiolum n.
 [en]
 - The official darknet of Krebs which utilizes the Retiolum Prefix to
 address individual nodes.</p>
 <p>Retiolum Prefix n.
 [en]
 - The universally accepted IPv6-prefix, 42::/16. Anyone can has a
 /128-subnet and, if require, anything larger.</p>
 <p>Retiolum Realtime Map n.
 [en]
 - The network map of the public visible part of Retiolum.</p>
 <p>RRM [abbr.][en]
 - Short for Retiolum Retiolum Map.</p>
 <p>Sanatorium n.
 [en]
 - The Krebs Control and Command Center.
 - An Retiolum-based IRC-channel where all Reaktor-enabled nodes gather
 and lurk for relevant input.</p>
 <p>Spoiler n.
 [en]
 - A subset of walkthrough, i.e. any individual steps may be omitted.
 - Antonym: Protip</p>
 <p>tatsaechlich, adv.
 [de]
 - Hinweis darauf, dass der Inhalt eines Satzes exakt der Realität entspricht.
 Antonym: eigentlich</p>
 <p>Verkrebsung n.
 [de]
 - Synonym fuer die Installation von Krebs (oder eine einzelnen Krebs
 Komponente) auf einem beliebigem System.</p>
 <p>Walkthrough n.
 [en]
 - Description of the individual steps to complete a task.
 - Examples:
 - program code
 - small-step semantics</p>
 <p>Wiederbelebung n.
 [de]
 - Ein ghost wird im Darknet wieder erreichbar
 Siehe: ghost</p>
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
@ -1,16 +1,17 @@
 { stdenv, fetchurl, python3Packages }:
 python3Packages.buildPythonPackage rec {
-  name = "urlwatch-2.5";
+  name = "urlwatch-${meta.version}";
  src = fetchurl {
-    url = "https://thp.io/2008/urlwatch/${name}.tar.gz";
+    url = "https://github.com/thp/urlwatch/archive/${meta.version}.tar.gz";
-    sha256 = "0qirpymdmpsx0klmhbx3icmiwpm6fx4wjma646gl9m90pifs8430";
+    sha256 = "09bn31gn03swi7yr3s1ql8x07hx96gap1ka77kk44kk0lvfxn55b";
  };
  propagatedBuildInputs = with python3Packages; [
    keyring
    minidb
    pycodestyle
    pyyaml
    requests2
  ];
@ -20,5 +21,6 @@ python3Packages.buildPythonPackage rec {
    homepage = https://thp.io/2008/urlwatch/;
    license = stdenv.lib.licenses.bsd3;
    maintainers = [ stdenv.lib.maintainers.tv ];
    version = "2.6";
  };
 }
--- a/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash
+++ b/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash
@ -1,26 +1,33 @@
 #!/usr/bin/env bash
-
+#
 # Prints build logs for failed derivations in quiet build mode (-Q).
 # See https://github.com/NixOS/nix/issues/443
 #
 # Usage:
 #
-#    set -o pipefail
+#    nix-build ... -Q ... 2>&1 | whatsupnix [user@target[:port]]
-#    nix-build ... -Q ... | whatsupnix [user@target[:port]]
+#
 # Exit Codes:
 #
 #   0     No failed derivations could be found.  This either means there where
 #         no build errors, or stdin wasn't nix-build output.
 #
 #   1     Usage error; arguments couldn't be parsed.
 #
 #   2     Build error; at least one failed derivation could be found.
 #
 GAWK=${GAWK:-gawk}
 NIX_STORE=${NIX_STORE:-nix-store}
-broken=$(mktemp)
+failed_drvs=$(mktemp --tmpdir whatsupnix.XXXXXXXX)
-trap 'rm -f -- "$broken"' EXIT
+trap 'rm -f -- "$failed_drvs"' EXIT
 exec >&2
-$GAWK -v broken="$broken" '
+$GAWK -v failed_drvs="$failed_drvs" '
  match($0, /^builder for ‘(\/nix\/store\/[^’]+\.drv)’ failed/, m) {
-    print m[1] >> broken
+    print m[1] >> failed_drvs
  }
  { print $0 }
 '
@ -28,7 +35,7 @@ $GAWK -v broken="$broken" '
 case $# in
  0)
    print_log() {
-      $NIX_STORE -l "$1"
+      NIX_PAGER= $NIX_STORE -l "$1"
    }
    ;;
  1)
@ -47,7 +54,7 @@ case $# in
    remote_host=$1
    print_log() {
      ssh "$remote_user@$remote_host" -p "$remote_port" \
-          nix-store -l "$1"
+          env NIX_PAGER= nix-store -l "$1"
    }
    ;;
  *)
@ -55,7 +62,6 @@ case $# in
    exit 1
 esac
 export NIX_PAGER='' # for nix-store
 while read -r drv; do
  title="** FAILED $drv LOG **"
  frame=${title//?/*}
@ -68,6 +74,10 @@ while read -r drv; do
  print_log "$drv"
  echo
-done < "$broken"
+done < "$failed_drvs"
-exit 0
+if test -s "$failed_drvs"; then
  exit 2
 else
  exit 0
 fi
--- a/lib/default.nix
+++ b/lib/default.nix
@ -29,6 +29,10 @@ let
    setAttr = name: value: set: set // { ${name} = value; };
    test = re: x: isString x && testString re x;
    testString = re: x: match re x != null;
    toC = x: let
      type = typeOf x;
      reject = throw "cannot convert ${type}";
--- a/lib/shell.nix
+++ b/lib/shell.nix
@ -5,7 +5,7 @@ with lib;
 rec {
  escape =
    let
-      isSafeChar = c: match "[-+./0-9:=A-Z_a-z]" c != null;
+      isSafeChar = testString "[-+./0-9:=A-Z_a-z]";
    in
    stringAsChars (c:
      if isSafeChar c then c
--- a/lib/types.nix
+++ b/lib/types.nix
@ -2,10 +2,10 @@
 let
  inherit (lib)
-    all any concatMapStringsSep concatStringsSep const filter flip genid
+    all any concatMapStringsSep concatStringsSep const filter flip
-    hasSuffix head isInt isString length match mergeOneOption mkOption
+    genid hasSuffix head isInt isString length mergeOneOption mkOption
    mkOptionType optional optionalAttrs optionals range splitString
-    stringLength substring typeOf;
+    stringLength substring test typeOf;
  inherit (lib.types)
    attrsOf bool either enum int listOf nullOr path str string submodule;
 in
@ -338,7 +338,8 @@ rec {
    check = let
      IPv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in
        concatMapStringsSep "." (const d) (range 1 4);
-    in x: isString x && match IPv4address x != null;
+    in
      test IPv4address;
    merge = mergeOneOption;
  };
  addr6 = mkOptionType {
@ -346,7 +347,8 @@ rec {
    check = let
      # TODO check IPv6 address harder
      IPv6address = "[0-9a-f.:]+";
-    in x: isString x && match IPv6address x != null;
+    in
      test IPv6address;
    merge = mergeOneOption;
  };
@ -396,14 +398,13 @@ rec {
  file-mode = mkOptionType {
    name = "file mode";
-    check = x: isString x && match "[0-7]{4}" x != null;
+    check = test "[0-7]{4}";
    merge = mergeOneOption;
  };
  haskell.conid = mkOptionType {
    name = "Haskell constructor identifier";
-    check = x:
+    check = test "[[:upper:]][[:lower:]_[:upper:]0-9']*";
      isString x && match "[[:upper:]][[:lower:]_[:upper:]0-9']*" x != null;
    merge = mergeOneOption;
  };
@ -425,15 +426,14 @@ rec {
  label = mkOptionType {
    name = "label";
    # TODO case-insensitive labels
-    check = x: isString x
+    check = test "[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?";
            && match "[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?" x != null;
    merge = mergeOneOption;
  };
  # POSIX.1‐2013, 3.278 Portable Filename Character Set
  filename = mkOptionType {
    name = "POSIX filename";
-    check = x: isString x && match "([0-9A-Za-z._])[0-9A-Za-z._-]*" x != null;
+    check = test "([0-9A-Za-z._])[0-9A-Za-z._-]*";
    merge = mergeOneOption;
  };
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@ -28,6 +28,7 @@ with import <stockholm/lib>;
        # tv
        bc
        bind # dig
        brain
        cac-api
        dic
        file
@ -35,6 +36,7 @@ with import <stockholm/lib>;
        haskellPackages.hledger
        htop
        jq
        krebszones
        mkpasswd
        netcat
        netcup
@ -47,18 +49,6 @@ with import <stockholm/lib>;
        texlive.combined.scheme-full
        tmux
        (pkgs.writeDashBin "krebszones" ''
          set -efu
          export OVH_ZONE_CONFIG=$HOME/.secrets/krebs/ovh-zone.conf
          case $* in
            import)
              set -- import /etc/zones/krebsco.de krebsco.de
              echo "+ krebszones $*" >&2
              ;;
          esac
          exec ${pkgs.krebszones}/bin/ovh-zone "$@"
        '')
        #ack
        #apache-httpd
        #ascii
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@ -9,12 +9,15 @@ with import <stockholm/lib>;
    user = config.krebs.users.tv;
    source = let inherit (config.krebs.build) host; in {
      nixos-config.symlink = "stockholm/tv/1systems/${host.name}.nix";
-      secrets.file = "/home/tv/secrets/${host.name}";
+      secrets.file =
        if getEnv "dummy_secrets" == "true"
          then toString <stockholm/tv/dummy_secrets>
          else "/home/tv/secrets/${host.name}";
      secrets-common.file = "/home/tv/secrets/common";
      stockholm.file = "/home/tv/stockholm";
      nixpkgs.git = {
        url = https://github.com/NixOS/nixpkgs;
-        ref = "99dfb6dce37edcd1db7cb85c2db97089d9d5f442"; # nixos-17.03
+        ref = "412b0a17aa2975e092c7ab95a38561c5f82908d4"; # nixos-17.03
      };
    } // optionalAttrs host.secure {
      secrets-master.file = "/home/tv/secrets/master";
@ -41,6 +44,7 @@ with import <stockholm/lib>;
        gnumake
        hashPassword
        populate
        whatsupnix
      ];
    }
    {
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@ -90,28 +90,33 @@ let {
    {
      brain = {
        collaborators = with config.krebs.users; [ lass makefu ];
        hooks.post-receive = irc-announce {
          cgit_endpoint = null;
        };
      };
    } //
    # TODO don't put secrets/repos.nix into the store
    import <secrets/repos.nix> { inherit config lib pkgs; }
  );
  irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
    channel = "#retiolum";
    # TODO make nick = config.krebs.build.host.name the default
    nick = config.krebs.build.host.name;
    server = "ni.r";
    verbose = true;
  } args);
  make-public-repo = name: { cgit ? {}, ... }: {
    inherit cgit name;
    public = true;
    hooks = optionalAttrs (config.krebs.build.host.name == "ni") {
-      post-receive = pkgs.git-hooks.irc-announce {
+      post-receive = irc-announce {};
        # TODO make nick = config.krebs.build.host.name the default
        nick = config.krebs.build.host.name;
        channel = "#retiolum";
        server = "ni.r";
        verbose = true;
      };
    };
  };
-  make-restricted-repo = name: { collaborators ? [], ... }: {
+  make-restricted-repo = name: { collaborators ? [], hooks ? {}, ... }: {
-    inherit collaborators name;
+    inherit collaborators hooks name;
    public = false;
  };
--- a/tv/dummy_secrets/default.nix
+++ b/tv/dummy_secrets/default.nix
@ -0,0 +1,8 @@
 { config, ... }:
 {
  users.users.root = {
    openssh.authorizedKeys.keys = [
      config.krebs.users.tv.pubkey
    ];
  };
 }
--- a/tv/dummy_secrets/repos.nix
+++ b/tv/dummy_secrets/repos.nix
@ -0,0 +1 @@
 _: {}
--- a/tv/dummy_secrets/ssh.id_ed25519
+++ b/tv/dummy_secrets/ssh.id_ed25519
@ -0,0 +1,3 @@
 -----BEGIN OPENSSH PRIVATE KEY-----
 dummy
 -----END OPENSSH PRIVATE KEY-----
--- a/tv/dummy_secrets/ssh.id_rsa
+++ b/tv/dummy_secrets/ssh.id_rsa
@ -0,0 +1,3 @@
 -----BEGIN RSA PRIVATE KEY-----
 dummy
 -----END RSA PRIVATE KEY-----