Merge branch 'master' of gum:stockholm

makefu 2016-01-18 12:50:20 +01:00
commit f475401033
95 changed files with 1896 additions and 774 deletions


@ -35,7 +35,7 @@ ifeq ($(filter),json)
else else
filter() { cat; } filter() { cat; }
endif endif
nix-instantiate \ result=$$(nix-instantiate \
$${extraArgs-} \ $${extraArgs-} \
--eval \ --eval \
-A "$$get" \ -A "$$get" \
@ -45,8 +45,9 @@ endif
--argstr current-host-name "$$HOSTNAME" \ --argstr current-host-name "$$HOSTNAME" \
--argstr current-user-name "$$LOGNAME" \ --argstr current-user-name "$$LOGNAME" \
$${system+--argstr system "$$system"} \ $${system+--argstr system "$$system"} \
$${target+--argstr target "$$target"} \ $${target+--argstr target "$$target"})
| filter echo "$$result" | filter
else else
$(error unbound variable: system[s]) $(error unbound variable: system[s])
endif endif
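Review bot: `echo "$$result" | filter` on the new side hands the captured nix-instantiate output to `echo`, which on several shells interprets a leading `-n`/`-e` or backslash escapes in the value; `printf '%s\n' "$$result" | filter` forwards it verbatim. Capturing into `result` also drops trailing newlines from the output, which is harmless for a single evaluated expression but is a byte-level difference from the old direct pipe and is worth a comment on the `result=$$(...)` line. The recipe's `ifeq ($(filter),json)` framing begins before the first hunk.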


@ -1,25 +1,15 @@
{ config, pkgs,lib, ... }: { config, lib, pkgs, ... }:
with lib;
let let
inherit (lib)
mkIf
mkOption
types
singleton
isString
optionalString
concatStrings
escapeShellArg
;
ReaktorConfig = pkgs.writeText "config.py" '' ReaktorConfig = pkgs.writeText "config.py" ''
${if (isString cfg.overrideConfig ) then '' ${if (isString cfg.overrideConfig ) then ''
# Overriden Config # Overriden Config
${cfg.overrideConfig} ${cfg.overrideConfig}
'' else ""} '' else ""}
## Extra Config ## Extra Config
${concatStringsSep "\n" (map (plug: plug.config) cfg.plugins)}
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
cfg = config.krebs.Reaktor; cfg = config.krebs.Reaktor;
@ -46,7 +36,6 @@ let
''; '';
}; };
overrideConfig = mkOption { overrideConfig = mkOption {
default = null; default = null;
type = types.nullOr types.str; type = types.nullOr types.str;
@ -55,6 +44,9 @@ let
Reaktor default cfg can be retrieved via `reaktor get-config` Reaktor default cfg can be retrieved via `reaktor get-config`
''; '';
}; };
plugins = mkOption {
default = [pkgs.ReaktorPlugins.nixos-version];
};
extraConfig = mkOption { extraConfig = mkOption {
default = ""; default = "";
type = types.string; type = types.string;
@ -62,6 +54,14 @@ let
configuration appended to the default or overridden configuration configuration appended to the default or overridden configuration
''; '';
}; };
workdir = mkOption {
default = "/var/lib/Reaktor";
type = types.str;
description = ''
Reaktor working directory
'';
};
extraEnviron = mkOption { extraEnviron = mkOption {
default = {}; default = {};
type = types.attrsOf types.str; type = types.attrsOf types.str;
@ -70,12 +70,17 @@ let
REAKTOR_HOST REAKTOR_HOST
REAKTOR_PORT REAKTOR_PORT
REAKTOR_STATEDIR REAKTOR_STATEDIR
REAKTOR_CHANNELS
debug and nickname can be set separately via the Reaktor api debug and nickname can be set separately via the Reaktor api
''; '';
}; };
channels = mkOption {
default = [ "#krebs" ];
type = types.listOf types.str;
description = ''
Channels the Reaktor should connect to at startup.
'';
};
debug = mkOption { debug = mkOption {
default = false; default = false;
description = '' description = ''
@ -86,12 +91,11 @@ let
imp = { imp = {
# for reaktor get-config # for reaktor get-config
users.extraUsers = singleton { users.extraUsers = singleton rec {
name = "Reaktor"; name = "Reaktor";
# uid = config.ids.uids.Reaktor; uid = genid name;
uid = 2066439104; #genid Reaktor
description = "Reaktor user"; description = "Reaktor user";
home = "/var/lib/Reaktor"; home = cfg.workdir;
createHome = true; createHome = true;
}; };
@ -113,6 +117,9 @@ let
GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
REAKTOR_NICKNAME = cfg.nickname; REAKTOR_NICKNAME = cfg.nickname;
REAKTOR_DEBUG = (if cfg.debug then "True" else "False"); REAKTOR_DEBUG = (if cfg.debug then "True" else "False");
REAKTOR_CHANNELS = lib.concatStringsSep "," cfg.channels;
state_dir = cfg.workdir;
} // cfg.extraEnviron; } // cfg.extraEnviron;
serviceConfig= { serviceConfig= {
ExecStartPre = pkgs.writeScript "Reaktor-init" '' ExecStartPre = pkgs.writeScript "Reaktor-init" ''
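Review bot: The new `plugins` option (`plugins = mkOption { default = [pkgs.ReaktorPlugins.nixos-version]; };`) declares no `type`, so a misconfigured value is only caught when `plug.config` is read while rendering `ReaktorConfig`; adding `type = types.listOf types.attrs;` plus a `description` of what each plugin attrset must provide turns that into a module type error. Each plugin's `config` is pasted into `config.py` verbatim, so the option text should state that it is Python source that the bot loads. `REAKTOR_CHANNELS = lib.concatStringsSep "," cfg.channels;` picks `,` as the separator; a comment on the `channels` option noting that channel names must not contain a comma would document the constraint. The `state_dir = cfg.workdir;` entry is the only lowercase name in an otherwise `REAKTOR_*` environment and is presumably what the plugin side reads as `environ['state_dir']`; a short comment saying so would save the next reader a search.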


@ -119,16 +119,14 @@ let
imp = { imp = {
users.extraUsers.acng = { users.extraUsers.acng = {
# uid = config.ids.uids.acng; uid = genid "acng";
uid = 897955083; #genid Reaktor
description = "apt-cacher-ng"; description = "apt-cacher-ng";
home = acng-home; home = acng-home;
createHome = false; createHome = false;
}; };
users.extraGroups.acng = { users.extraGroups.acng = {
gid = 897955083; #genid Reaktor gid = genid "acng";
# gid = config.ids.gids.Reaktor;
}; };
systemd.services.apt-cacher-ng = { systemd.services.apt-cacher-ng = {

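--- /dev/null
+++ b/krebs/3modules/backup.nix
@@ -0,0 +1,286 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+out = {
+options.krebs.backup = api;
+config = mkIf cfg.enable imp;
+};
+cfg = config.krebs.backup;
+api = {
+enable = mkEnableOption "krebs.backup" // { default = true; };
+plans = mkOption {
+default = {};
+type = types.attrsOf (types.submodule ({
+# TODO enable = mkEnableOption "TODO" // { default = true; };
+options = {
+method = mkOption {
+type = types.enum ["pull" "push"];
+};
+name = mkOption {
+type = types.str;
+};
+src = mkOption {
+type = types.krebs.file-location;
+};
+dst = mkOption {
+type = types.krebs.file-location;
+};
+startAt = mkOption {
+type = types.str;
+};
+snapshots = mkOption {
+type = types.attrsOf (types.submodule {
+options = {
+format = mkOption {
+type = types.str; # TODO date's +FORMAT
+};
+retain = mkOption {
+type = types.nullOr types.int;
+default = null; # null = retain all snapshots
+};
+};
+});
+};
+};
+}));
+};
+};
+imp = {
+users.groups.backup.gid = genid "backup";
+users.users = {}
+// {
+root.openssh.authorizedKeys.keys =
+map (plan: plan.dst.host.ssh.pubkey)
+(filter isPullSrc (attrValues cfg.plans))
+++
+map (plan: plan.src.host.ssh.pubkey)
+(filter isPushDst (attrValues cfg.plans))
+;
+}
+;
+systemd.services =
+flip mapAttrs' (filterAttrs (_:isPullDst) cfg.plans) (name: plan: {
+name = "backup.${name}.pull";
+value = makePullService plan;
+})
+//
+flip mapAttrs' (filterAttrs (_:isPushSrc) cfg.plans) (name: plan: {
+name = "backup.${name}.push";
+value = makePushService plan;
+})
+;
+};
+isPushSrc = plan:
+plan.method == "push" &&
+plan.src.host.name == config.krebs.build.host.name;
+isPullSrc = plan:
+plan.method == "pull" &&
+plan.src.host.name == config.krebs.build.host.name;
+isPushDst = plan:
+plan.method == "push" &&
+plan.dst.host.name == config.krebs.build.host.name;
+isPullDst = plan:
+plan.method == "pull" &&
+plan.dst.host.name == config.krebs.build.host.name;
+# TODO push destination needs this in the dst.user's PATH
+service-path = [
+pkgs.coreutils
+pkgs.gnused
+pkgs.openssh
+pkgs.rsync
+pkgs.utillinux
+];
+# TODO if there is plan.user, then use its privkey
+makePushService = plan: assert isPushSrc plan; {
+path = service-path;
+serviceConfig = {
+ExecStart = push plan;
+Type = "oneshot";
+};
+startAt = plan.startAt;
+};
+makePullService = plan: assert isPullDst plan; {
+path = service-path;
+serviceConfig = {
+ExecStart = pull plan;
+Type = "oneshot";
+};
+startAt = plan.startAt;
+};
+push = plan: let
+# We use writeDashBin and return the absolute path so systemd will produce
+# nice names in the log, i.e. without the Nix store hash.
+out = "${main}/bin/${main.name}";
+main = writeDashBin "backup.${plan.name}.push" ''
+set -efu
+dst=${shell.escape plan.dst.path}
+mkdir -m 0700 -p "$dst"
+exec flock -n "$dst" ${critical-section}
+'';
+critical-section = writeDash "backup.${plan.name}.push.critical-section" ''
+# TODO check if there is a previous
+set -efu
+identity=${shell.escape plan.src.host.ssh.privkey.path}
+src=${shell.escape plan.src.path}
+dst_target=${shell.escape "root@${getFQDN plan.dst.host}"}
+dst_path=${shell.escape plan.dst.path}
+dst=$dst_target:$dst_path
+# Export NOW so runtime of rsync doesn't influence snapshot naming.
+export NOW
+NOW=$(date +%s)
+echo >&2 "update snapshot: current; $src -> $dst"
+rsync >&2 \
+-aAXF --delete \
+-e "ssh -F /dev/null -i $identity" \
+--rsync-path ${shell.escape
+"mkdir -m 0700 -p ${shell.escape plan.dst.path} && rsync"} \
+--link-dest="$dst_path/current" \
+"$src/" \
+"$dst/.partial"
+exec ssh -F /dev/null \
+-i "$identity" \
+"$dst_target" \
+-T \
+env NOW="$NOW" /bin/sh < ${remote-snapshot}
+EOF
+'';
+remote-snapshot = writeDash "backup.${plan.name}.push.remote-snapshot" ''
+set -efu
+dst=${shell.escape plan.dst.path}
+if test -e "$dst/current"; then
+mv "$dst/current" "$dst/.previous"
+fi
+mv "$dst/.partial" "$dst/current"
+rm -fR "$dst/.previous"
+echo >&2
+(${(take-snapshots plan).text})
+'';
+in out;
+# TODO admit plan.dst.user and its ssh identity
+pull = plan: let
+# We use writeDashBin and return the absolute path so systemd will produce
+# nice names in the log, i.e. without the Nix store hash.
+out = "${main}/bin/${main.name}";
+main = writeDashBin "backup.${plan.name}.pull" ''
+set -efu
+dst=${shell.escape plan.dst.path}
+mkdir -m 0700 -p "$dst"
+exec flock -n "$dst" ${critical-section}
+'';
+critical-section = writeDash "backup.${plan.name}.pull.critical-section" ''
+# TODO check if there is a previous
+set -efu
+identity=${shell.escape plan.dst.host.ssh.privkey.path}
+src=${shell.escape "root@${getFQDN plan.src.host}:${plan.src.path}"}
+dst=${shell.escape plan.dst.path}
+# Export NOW so runtime of rsync doesn't influence snapshot naming.
+export NOW
+NOW=$(date +%s)
+echo >&2 "update snapshot: current; $dst <- $src"
+mkdir -m 0700 -p ${shell.escape plan.dst.path}
+rsync >&2 \
+-aAXF --delete \
+-e "ssh -F /dev/null -i $identity" \
+--link-dest="$dst/current" \
+"$src/" \
+"$dst/.partial"
+mv "$dst/current" "$dst/.previous"
+mv "$dst/.partial" "$dst/current"
+rm -fR "$dst/.previous"
+echo >&2
+exec ${take-snapshots plan}
+'';
+in out;
+take-snapshots = plan: writeDash "backup.${plan.name}.take-snapshots" ''
+set -efu
+NOW=''${NOW-$(date +%s)}
+dst=${shell.escape plan.dst.path}
+snapshot() {(
+: $ns $format $retain
+name=$(date --date="@$NOW" +"$format")
+if ! test -e "$dst/$ns/$name"; then
+echo >&2 "create snapshot: $ns/$name"
+mkdir -m 0700 -p "$dst/$ns"
+rsync >&2 \
+-aAXF --delete \
+--link-dest="$dst/current" \
+"$dst/current/" \
+"$dst/$ns/.partial.$name"
+mv "$dst/$ns/.partial.$name" "$dst/$ns/$name"
+echo >&2
+fi
+case $retain in
+([0-9]*)
+delete_from=$(($retain + 1))
+ls -r "$dst/$ns" \
+| sed -n "$delete_from,\$p" \
+| while read old_name; do
+echo >&2 "delete snapshot: $ns/$old_name"
+rm -fR "$dst/$ns/$old_name"
+done
+;;
+(ALL)
+:
+;;
+esac
+)}
+${concatStringsSep "\n" (mapAttrsToList (ns: { format, retain ? null, ... }:
+toString (map shell.escape [
+"ns=${ns}"
+"format=${format}"
+"retain=${if retain == null then "ALL" else toString retain}"
+"snapshot"
+]))
+plan.snapshots)}
+'';
+# TODO getFQDN: admit hosts in other domains
+getFQDN = host: "${host.name}.${config.krebs.search-domain}";
+writeDash = name: text: pkgs.writeScript name ''
+#! ${pkgs.dash}/bin/dash
+${text}
+'';
+writeDashBin = name: text: pkgs.writeTextFile {
+executable = true;
+destination = "/bin/${name}";
+name = name;
+text = ''
+#! ${pkgs.dash}/bin/dash
+${text}
+'';
+};
+in out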
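Review bot: `root.openssh.authorizedKeys.keys` installs the peer host's `ssh.pubkey` as an unrestricted root login key on every pull source and push destination, so the peer (or whoever holds its key) gets a full root shell rather than only the rsync and snapshot operations the plan needs; restricting each entry with a `from=` clause naming the peer and a `command=` pinned to the expected rsync/snapshot invocation, or the dedicated backup user the `# TODO` lines already mention, narrows that, and the same key pair is also the machine's SSH host key, which deserves a comment where `ssh.privkey.path` is used. Separately, the `pull` critical section runs `mv "$dst/current" "$dst/.previous"` unconditionally, while `remote-snapshot` guards the same step with `if test -e "$dst/current"; then ... fi`; under `set -e` the first pull of a plan aborts right after the rsync because `current` does not exist yet, so the guard belongs there too. The bare `EOF` line after `exec ssh ... < ${remote-snapshot}` in the push critical section looks like a leftover heredoc terminator; it is unreachable after `exec` but should go. Both ssh invocations use `-F /dev/null` with no `UserKnownHostsFile`/`StrictHostKeyChecking`, so host-key verification presumably falls back to root's default known_hosts even though the peer's public key is already declared in config and could be pinned via a generated known_hosts file.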


@ -130,12 +130,12 @@ let
) cfg.servers; ) cfg.servers;
users.extraUsers.bepasty = { users.extraUsers.bepasty = {
uid = 2796546855; #genid bepasty uid = genid "bepasty";
group = "bepasty"; group = "bepasty";
home = "/var/lib/bepasty-server"; home = "/var/lib/bepasty-server";
}; };
users.extraGroups.bepasty = { users.extraGroups.bepasty = {
gid = 2796546855; #genid bepasty gid = genid "bepasty";
}; };
}; };


@ -0,0 +1,385 @@
{ config, pkgs, lib, ... }:
with lib;
let
buildbot = pkgs.buildbot;
buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
# -*- python -*-
from buildbot.plugins import *
import re
import json
c = BuildmasterConfig = {}
c['slaves'] = []
slaves = json.loads('${builtins.toJSON cfg.slaves}')
slavenames = [ s for s in slaves ]
for k,v in slaves.items():
c['slaves'].append(buildslave.BuildSlave(k, v))
# TODO: configure protocols?
c['protocols'] = {'pb': {'port': 9989}}
####### Build Inputs
c['change_source'] = cs = []
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Change_Source: Begin of ${n}
${v}
#### Change_Source: End of ${n}
'') cfg.change_source )}
####### Build Scheduler
c['schedulers'] = sched = []
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Schedulers: Begin of ${n}
${v}
#### Schedulers: End of ${n}
'') cfg.scheduler )}
###### Builder
c['builders'] = bu = []
# Builder Pre: Begin
${cfg.builder_pre}
# Builder Pre: End
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Builder: Begin of ${n}
${v}
#### Builder: End of ${n}
'') cfg.builder )}
####### Status
c['status'] = st = []
# If you want to configure this url, override with extraConfig
c['buildbotURL'] = "http://${config.networking.hostName}:${toString cfg.web.port}/"
${optionalString (cfg.web.enable) ''
from buildbot.status import html
from buildbot.status.web import authz, auth
authz_cfg=authz.Authz(
auth=auth.BasicAuth([ ("${cfg.web.username}","${cfg.web.password}") ]),
# TODO: configure harder
gracefulShutdown = False,
forceBuild = 'auth',
forceAllBuilds = 'auth',
pingBuilder = False,
stopBuild = 'auth',
stopAllBuilds = 'auth',
cancelPendingBuild = 'auth'
)
# TODO: configure krebs.nginx
st.append(html.WebStatus(http_port=${toString cfg.web.port}, authz=authz_cfg))
''}
${optionalString (cfg.irc.enable) ''
from buildbot.status import words
irc = words.IRC("${cfg.irc.server}", "${cfg.irc.nick}",
channels=${builtins.toJSON cfg.irc.channels},
notify_events={
'success': 1,
'failure': 1,
'exception': 1,
'successToFailure': 1,
'failureToSuccess': 1,
}${optionalString cfg.irc.allowForce ",allowForce=True"})
c['status'].append(irc)
''}
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Status: Begin of ${n}
${v}
#### Status: End of ${n}
'') cfg.status )}
####### PROJECT IDENTITY
c['title'] = "${cfg.title}"
c['titleURL'] = "http://krebsco.de"
####### DB URL
# TODO: configure
c['db'] = {
'db_url' : "sqlite:///state.sqlite",
}
${cfg.extraConfig}
'';
cfg = config.krebs.buildbot.master;
api = {
enable = mkEnableOption "Buildbot Master";
title = mkOption {
default = "Buildbot CI";
type = types.str;
description = ''
Title of the Buildbot Installation
'';
};
workDir = mkOption {
default = "/var/lib/buildbot/master";
type = types.str;
description = ''
Path to build bot master directory.
Will be created on startup.
'';
};
secrets = mkOption {
default = [];
type = types.listOf types.str;
example = [ "cac.json" ];
description = ''
List of all the secrets in <secrets> which should be copied into the
buildbot master directory.
'';
};
slaves = mkOption {
default = {};
type = types.attrsOf types.str;
description = ''
Attrset of slavenames with their passwords
slavename = slavepassword
'';
};
change_source = mkOption {
default = {};
type = types.attrsOf types.str;
example = {
stockholm = ''
cs.append(changes.GitPoller(
'http://cgit.gum/stockholm',
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
'';
};
description = ''
Attrset of all the change_sources which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>cs</literal>
'';
};
scheduler = mkOption {
default = {};
type = types.attrsOf types.str;
example = {
force-scheduler = ''
sched.append(schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"]))
'';
};
description = ''
Attrset of all the schedulers which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>sched</literal>
'';
};
builder_pre = mkOption {
default = "";
type = types.lines;
example = ''
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
'';
description = ''
some code before the builders are being assembled.
can be used to define functions used by multiple builders
'';
};
builder = mkOption {
default = {};
type = types.attrsOf types.str;
example = {
fast-test = ''
'';
};
description = ''
Attrset of all the builder which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>bu</literal>
'';
};
status = mkOption {
default = {};
type = types.attrsOf types.str;
description = ''
Attrset of all the extra status which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>st</literal>
Right now IRC and Web status can be configured by setting
<literal>buildbot.master.irc.enable</literal> and
<literal>buildbot.master.web.enable</literal>
'';
};
# Configurable Stati
web = mkOption {
default = {};
type = types.submodule ({ config2, ... }: {
options = {
enable = mkEnableOption "Buildbot Master Web Status";
username = mkOption {
default = "krebs";
type = types.str;
description = ''
username for web authentication
'';
};
hostname = mkOption {
default = config.networking.hostName;
type = types.str;
description = ''
web interface Hostname
'';
};
password = mkOption {
default = "bob";
type = types.str;
description = ''
password for web authentication
'';
};
port = mkOption {
default = 8010;
type = types.int;
description = ''
port for buildbot web status
'';
};
};
});
};
irc = mkOption {
default = {};
type = types.submodule ({ config, ... }: {
options = {
enable = mkEnableOption "Buildbot Master IRC Status";
channels = mkOption {
default = [ "nix-buildbot-meetup" ];
type = with types; listOf str;
description = ''
irc channels the bot should connect to
'';
};
allowForce = mkOption {
default = false;
type = types.bool;
description = ''
Determines if builds can be forced via IRC
'';
};
nick = mkOption {
default = "nix-buildbot";
type = types.str;
description = ''
nickname for IRC
'';
};
server = mkOption {
default = "irc.freenode.net";
type = types.str;
description = ''
Buildbot Status IRC Server to connect to
'';
};
};
});
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
extra config appended to the generated master.cfg
'';
};
};
imp = {
users.extraUsers.buildbotMaster = {
uid = genid "buildbotMaster";
description = "Buildbot Master";
home = cfg.workDir;
createHome = false;
};
users.extraGroups.buildbotMaster = {
gid = 672626386;
};
systemd.services.buildbotMaster = {
description = "Buildbot Master";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
# TODO: add extra dependencies to master like svn and cvs
path = [ pkgs.git ];
environment = {
SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
serviceConfig = let
workdir="${lib.shell.escape cfg.workDir}";
secretsdir="${lib.shell.escape (toString <secrets>)}";
in {
PermissionsStartOnly = true;
Type = "forking";
PIDFile = "${workdir}/twistd.pid";
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
#!/bin/sh
set -efux
if [ ! -e ${workdir} ];then
mkdir -p ${workdir}
${buildbot}/bin/buildbot create-master -r -l 10 -f ${workdir}
fi
# always override the master.cfg
cp ${buildbot-master-config} ${workdir}/master.cfg
# copy secrets
${ concatMapStringsSep "\n"
(f: "cp ${secretsdir}/${f} ${workdir}/${f}" ) cfg.secrets }
# sanity
${buildbot}/bin/buildbot checkconfig ${workdir}
# TODO: maybe upgrade? not sure about this
# normally we should write buildbot.tac by our own
# ${buildbot}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${buildbot}/bin/buildbot start ${workdir}";
ExecStop = "${buildbot}/bin/buildbot stop ${workdir}";
ExecReload = "${buildbot}/bin/buildbot reconfig ${workdir}";
PrivateTmp = "true";
User = "buildbotMaster";
Restart = "always";
RestartSec = "10";
};
};
};
in
{
options.krebs.buildbot.master = api;
config = mkIf cfg.enable imp;
}
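Review bot: `cfg.web.password` (in `auth.BasicAuth([ ("${cfg.web.username}","${cfg.web.password}") ])`) and the slave passwords from `cfg.slaves` (via `builtins.toJSON cfg.slaves`) are interpolated into `buildbot-master-config`, which `pkgs.writeText` places in the world-readable Nix store; the `chmod 700 -R ${workdir}` in `ExecStartPre` only protects the copy made by `cp ${buildbot-master-config} ${workdir}/master.cfg`, not the store path. The module already has a `secrets` mechanism that copies files from `<secrets>` into the work dir at start, so master.cfg could read those credentials from a file in that list at runtime instead of embedding them at evaluation time. `password = mkOption { default = "bob"; ... }` additionally means a master with `web.enable` evaluates and starts with a known credential; dropping the default (so evaluation fails until one is set) or stating in the `description` that it must be overridden avoids that. The `{ config2, ... }` argument on the `web` submodule is unused and reads like a leftover.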


@ -39,7 +39,7 @@ let
s.setServiceParent(application) s.setServiceParent(application)
''; '';
default-packages = [ pkgs.git pkgs.bash ]; default-packages = [ pkgs.git pkgs.bash ];
cfg = config.makefu.buildbot.slave; cfg = config.krebs.buildbot.slave;
api = { api = {
enable = mkEnableOption "Buildbot Slave"; enable = mkEnableOption "Buildbot Slave";
@ -127,7 +127,7 @@ let
imp = { imp = {
users.extraUsers.buildbotSlave = { users.extraUsers.buildbotSlave = {
uid = 1408105834; #genid buildbotMaster uid = genid "buildbotSlave";
description = "Buildbot Slave"; description = "Buildbot Slave";
home = cfg.workDir; home = cfg.workDir;
createHome = false; createHome = false;
@ -144,6 +144,7 @@ let
path = default-packages ++ cfg.packages; path = default-packages ++ cfg.packages;
environment = { environment = {
SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
NIX_REMOTE="daemon"; NIX_REMOTE="daemon";
} // cfg.extraEnviron; } // cfg.extraEnviron;
@ -180,6 +181,6 @@ let
}; };
in in
{ {
options.makefu.buildbot.slave = api; options.krebs.buildbot.slave = api;
config = mkIf cfg.enable imp; config = mkIf cfg.enable imp;
} }


@ -7,8 +7,11 @@ let
out = { out = {
imports = [ imports = [
./apt-cacher-ng.nix ./apt-cacher-ng.nix
./backup.nix
./bepasty-server.nix ./bepasty-server.nix
./build.nix ./build.nix
./buildbot/master.nix
./buildbot/slave.nix
./current.nix ./current.nix
./exim-retiolum.nix ./exim-retiolum.nix
./exim-smarthost.nix ./exim-smarthost.nix


@ -1,14 +1,12 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with builtins;
with lib; with lib;
let let
cfg = config.krebs.exim-retiolum; cfg = config.krebs.exim-retiolum;
out = { out = {
options.krebs.exim-retiolum = api; options.krebs.exim-retiolum = api;
config = config = mkIf cfg.enable imp;
mkIf cfg.enable imp;
}; };
api = { api = {
@ -16,13 +14,13 @@ let
}; };
imp = { imp = {
services.exim = services.exim = {
# This configuration makes only sense for retiolum-enabled hosts. enable = true;
# TODO modular configuration config =
assert config.krebs.retiolum.enable; # This configuration makes only sense for retiolum-enabled hosts.
{ # TODO modular configuration
enable = true; assert config.krebs.retiolum.enable;
config = '' ''
primary_hostname = ${retiolumHostname} primary_hostname = ${retiolumHostname}
domainlist local_domains = @ : localhost domainlist local_domains = @ : localhost
domainlist relay_to_domains = *.retiolum domainlist relay_to_domains = *.retiolum
@ -134,7 +132,7 @@ let
begin authenticators begin authenticators
''; '';
}; };
}; };
# TODO get the hostname from somewhere else. # TODO get the hostname from somewhere else.


@ -51,7 +51,7 @@ let
imp = { imp = {
users.users.fetchWallpaper = { users.users.fetchWallpaper = {
name = "fetchWallpaper"; name = "fetchWallpaper";
uid = 3332383611; #genid fetchWallpaper uid = genid "fetchWallpaper";
description = "fetchWallpaper user"; description = "fetchWallpaper user";
home = cfg.stateDir; home = cfg.stateDir;
createHome = true; createHome = true;


@ -145,14 +145,14 @@ let
]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules));
}; };
users.extraUsers = singleton { users.extraUsers = singleton rec {
description = "Git repository hosting user"; description = "Git repository hosting user";
name = "git"; name = "git";
shell = "/bin/sh"; shell = "/bin/sh";
openssh.authorizedKeys.keys = openssh.authorizedKeys.keys =
mapAttrsToList (_: makeAuthorizedKey git-ssh-command) mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
config.krebs.users; config.krebs.users;
uid = 129318403; # genid git uid = genid name;
}; };
}; };
@ -238,9 +238,9 @@ let
}; };
}; };
fcgitwrap-user = { fcgitwrap-user = rec {
name = "fcgiwrap"; name = "fcgiwrap";
uid = 2867890860; # genid fcgiwrap uid = genid name;
group = "fcgiwrap"; group = "fcgiwrap";
}; };


@ -56,9 +56,9 @@ let
}; };
}; };
user = { user = rec {
name = "github-hosts-sync"; name = "github-hosts-sync";
uid = 3220554646; # genid github-hosts-sync uid = genid name;
}; };
# TODO move to lib? # TODO move to lib?


@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with builtins;
with lib; with lib;
let let
@ -31,9 +30,9 @@ let
bind = mkDefault "127.0.0.1"; bind = mkDefault "127.0.0.1";
}; };
users.extraUsers.go = { users.extraUsers.go = rec {
name = "go"; name = "go";
uid = 42774411; #genid go uid = genid name;
description = "go url shortener user"; description = "go url shortener user";
home = "/var/lib/go"; home = "/var/lib/go";
createHome = true; createHome = true;


@ -83,6 +83,9 @@ with lib;
''; '';
}; };
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster";
}; };
vbob = { vbob = {
@ -108,6 +111,8 @@ with lib;
''; '';
}; };
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPLTMl+thSq77cjYa2XF7lz5fA7JMftrLo8Dy/OBXSg root@nixos";
}; };
flap = rec { flap = rec {
cores = 1; cores = 1;
@ -238,6 +243,8 @@ with lib;
''; '';
}; };
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4Tjx9qK6uWtxT1HCpeC0XvDZKO/kaPygyKatpAqU6I root@wry";
}; };
filepimp = rec { filepimp = rec {
cores = 1; cores = 1;
@ -287,6 +294,8 @@ with lib;
''; '';
}; };
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
}; };
gum = rec { gum = rec {
cores = 1; cores = 1;
@ -327,6 +336,8 @@ with lib;
''; '';
}; };
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
}; };
}; };
users = addNames rec { users = addNames rec {


@ -1,13 +1,7 @@
arg@{ config, lib, pkgs, ... }: arg@{ config, lib, pkgs, ... }:
with lib;
let let
inherit (lib)
mkEnableOption
mkOption
types
mkIf
;
cfg = config.krebs.realwallpaper; cfg = config.krebs.realwallpaper;
out = { out = {
@ -89,7 +83,7 @@ let
}; };
users.extraUsers.realwallpaper = { users.extraUsers.realwallpaper = {
uid = 2009435407; #genid realwallpaper uid = genid "realwallpaper";
home = cfg.workingDir; home = cfg.workingDir;
createHome = true; createHome = true;
}; };


@ -133,9 +133,9 @@ let
}; };
}; };
user = { user = rec {
name = "retiolum"; name = "retiolum";
uid = 301281149; # genid retiolum uid = genid name;
}; };
tinc = cfg.tincPackage; tinc = cfg.tincPackage;


@ -7,6 +7,7 @@ let
"test-arch" "test-arch"
"test-centos6" "test-centos6"
"test-centos7" "test-centos7"
"test-all-krebs-modules"
] (name: { ] (name: {
inherit name; inherit name;
cores = 1; cores = 1;


@ -120,7 +120,7 @@ let
}; };
users.extraUsers.tinc_graphs = { users.extraUsers.tinc_graphs = {
uid = 3925439960; #genid tinc_graphs uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs"; home = "/var/spool/tinc_graphs";
}; };


@ -5,7 +5,6 @@
# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" # cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}"
# TODO hooks.py # TODO hooks.py
with builtins;
with lib; with lib;
let let
cfg = config.krebs.urlwatch; cfg = config.krebs.urlwatch;
@ -136,9 +135,9 @@ let
}; };
}; };
user = { user = rec {
name = "urlwatch"; name = "urlwatch";
uid = 3467631196; # genid urlwatch uid = genid name;
}; };
in in
out out


@ -7,6 +7,8 @@ let out = rec {
eq = x: y: x == y; eq = x: y: x == y;
mod = x: y: x - y * (x / y);
addName = name: set: addName = name: set:
set // { inherit name; }; set // { inherit name; };
@ -17,6 +19,7 @@ let out = rec {
dir.has-default-nix = path: pathExists (path + "/default.nix"); dir.has-default-nix = path: pathExists (path + "/default.nix");
dns = import ./dns.nix { inherit lib; }; dns = import ./dns.nix { inherit lib; };
genid = import ./genid.nix { lib = lib // out; };
git = import ./git.nix { lib = lib // out; }; git = import ./git.nix { lib = lib // out; };
listset = import ./listset.nix { inherit lib; }; listset = import ./listset.nix { inherit lib; };
shell = import ./shell.nix { inherit lib; }; shell = import ./shell.nix { inherit lib; };

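--- /dev/null
+++ b/krebs/4lib/genid.nix
@@ -0,0 +1,37 @@
+{ lib, ... }:
+with lib;
+with builtins;
+let out = genid;
+# id = genid s = (hash s + min) % max
+# min <= genid s < max
+#
+# min = 2^24 = 16777216 = 0x001000000
+# max = 2^32 = 4294967296 = 0x100000000
+#
+# id is bigger than UID of nobody and GID of nogroup
+# see <nixos/modules/misc/ids.nix> and some spare for stuff like lxd.
+#
+# :: str -> uint32
+genid = s: sum16 (addmod16_16777216 (hash s));
+# :: str -> list8 uint4
+hash = s:
+map hexint (stringToCharacters (substring 32 8 (hashString "sha1" s)));
+# :: list uint -> uint
+sum16 = foldl (a: i: a * 16 + i) 0;
+# :: list8 uint4 -> list1 uint8 ++ list6 uint4
+addmod16_16777216 = x: let
+a = 16 * head x + head (tail x);
+d = tail (tail x);
+in [(mod (a + 1) 256)] ++ d;
+# :: char -> uint4
+hexint = x: hexvals.${toLower x};
+# :: attrset char uint4
+hexvals = listToAttrs (imap (i: c: { name = c; value = i - 1; })
+(stringToCharacters "0123456789abcdef"));
+in out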
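Review bot: The header comment promises `min <= genid s < max` with `min = 2^24`, but `addmod16_16777216` adds 1 to the top byte modulo 256 (`mod (a + 1) 256`), so a hash whose top byte is `0xff` wraps to 0 and the id lands below 2^24 — roughly one name in 256 falls into the range the offset was meant to keep clear of the static ids in `<nixos/modules/misc/ids.nix>`. Mapping into the range explicitly makes the comment true: `genid = s: 16777216 + mod (sum16 (hash s)) (4294967296 - 16777216);`, using the `mod` that `4lib/default.nix` passes in through `lib = lib // out`, after which `addmod16_16777216` can be dropped and the first comment line changed to `# id = genid s = min + (hash s % (max - min))`. Since the id is a 32-bit hash of the name, two names can still collide with each other or with an id assigned by hand elsewhere, and none of the callers converted in this commit (`apt-cacher-ng`, `bepasty-server`, `buildbot`, `git`, `github-hosts-sync`, `go`, `realwallpaper`, `retiolum`, `tinc_graphs`, `urlwatch`) checks for that; a comment on `genid` stating that uniqueness is probabilistic, not guaranteed, sets the right expectation.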


@ -177,4 +177,21 @@ types // rec {
addr6 = str; addr6 = str;
hostname = str; hostname = str;
label = str; label = str;
krebs.file-location = types.submodule {
options = {
# TODO user
host = mkOption {
type = host;
};
# TODO merge with ssl.privkey.path
path = mkOption {
type = types.either types.path types.str;
apply = x: {
path = toString x;
string = x;
}.${typeOf x};
};
};
};
} }


@ -0,0 +1,120 @@
{ stdenv, lib, pkgs, makeWrapper }:
rec {
# Begin API
buildBaseReaktorPlugin = { name
, config # python extra configuration for plugin
, phases ? []
, ... } @ attrs:
stdenv.mkDerivation (attrs // {
name = "Reaktor-plugin-" + name;
isReaktorPlugin = true;
});
buildSimpleReaktorPlugin = name: { script
, path ? []
, env ? {}
, append_rule ? false # append the rule instead of insert
, pattern ? ""
, ... } @ attrs:
let
path_env = { "PATH" = lib.makeSearchPath "bin" (path ++ [ pkgs.coreutils ]); };
src_dir = pkgs.substituteAll ( {
inherit name;
dir = "bin";
isExecutable = true;
src = script;
});
src_file = "${src_dir}/bin/${name}";
config = ''
public_commands.${if append_rule then "append(" else "insert(0," }{
'capname' : "${name}",
'pattern' : ${if pattern == "" then
''indirect_pattern.format("${name}")'' else
''"${pattern}"'' },
'argv' : ["${src_file}"],
'env' : ${builtins.toJSON (path_env // env)} })
'';
config_file = pkgs.writeText "plugin.py" config;
in buildBaseReaktorPlugin (attrs // rec {
inherit name config;
phases = [ "installPhase" ];
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p $out/bin $out/etc/Reaktor
ln -s ${src_file} $out/bin
wrapProgram $out/bin/${name} \
--prefix PATH : ${path_env.PATH}
ln -s ${config_file} $out/etc/Reaktor/plugin.py
'';
});
# End API
# Begin Plugins
random-emoji = buildSimpleReaktorPlugin "emoji" {
path = with pkgs; [ gnused gnugrep xmlstarlet curl ];
script = ./scripts/random-emoji.sh;
};
sed-plugin = buildSimpleReaktorPlugin "sed-plugin" {
path = [ pkgs.gnused pkgs.python3 ];
# only support s///gi the plugin needs to see every msg
# TODO: this will eat up the last regex, fix Reaktor to support fallthru
append_rule = true;
pattern = "^(?P<args>.*)$$";
script = ./scripts/sed-plugin.py;
};
shack-correct = buildSimpleReaktorPlugin "shack-correct" {
path = [ pkgs.gnused ];
pattern = "^(?P<args>.*Shack.*)$$";
script = ./scripts/shack-correct.sh;
};
nixos-version = buildSimpleReaktorPlugin "nixos-version" {
script = pkgs.writeScript "nixos-version" ''
#! /bin/sh
. /etc/os-release
echo "$PRETTY_NAME"
'';
};
stockholm-issue = buildSimpleReaktorPlugin "stockholm-issue" {
script = ./scripts/random-issue.sh;
path = with pkgs; [ git gnused lentil ];
env = { "origin" = "http://cgit.gum/stockholm"; };
};
titlebot =
let
pypkgs = pkgs.python3Packages;
titlebot_cmds = pypkgs.buildPythonPackage {
name = "titlebot_cmds";
propagatedBuildInputs = with pypkgs; [ setuptools ];
src = pkgs.fetchurl {
url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz";
sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6";
};
};
in buildBaseReaktorPlugin rec {
name = "titlebot";
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out
ln -s ${titlebot_cmds}/* $out
'';
config = ''
def titlebot_cmd(cmd):
from os import environ
return { 'capname': None,
'env': { 'TITLEDB':
environ['state_dir']+'/suggestions.json' },
'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$',
'argv': [ '${titlebot_cmds}/bin/' + cmd ] }
for i in ['up','help','list','top','new']:
public_commands.insert(0,titlebot_cmd(i))
commands.insert(0,titlebot_cmd('clear'))
'';
};
}


@ -2,11 +2,11 @@
python3Packages.buildPythonPackage rec { python3Packages.buildPythonPackage rec {
name = "cacpanel-${version}"; name = "cacpanel-${version}";
version = "0.2.1"; version = "0.2.3";
src = pkgs.fetchurl { src = pkgs.fetchurl {
url = "https://pypi.python.org/packages/source/c/cacpanel/cacpanel-${version}.tar.gz"; url = "https://pypi.python.org/packages/source/c/cacpanel/cacpanel-${version}.tar.gz";
sha256 = "1zaazg5r10kgva32zh4fhpw6l6h51ijkwpa322na0kh4x6f6aqj3"; sha256 = "1fib7416qqv8yzrj75kxra7ccpz9abqh58b6gkaavws2fa6m3mm8";
}; };
propagatedBuildInputs = with python3Packages; [ propagatedBuildInputs = with python3Packages; [


@ -26,6 +26,8 @@ subdirs // rec {
inherit (subdirs) get jq; inherit (subdirs) get jq;
}; };
ReaktorPlugins = pkgs.callPackage ./Reaktor/plugins.nix {};
execve = name: { filename, argv, envp ? {}, destination ? "" }: execve = name: { filename, argv, envp ? {}, destination ? "" }:
writeC name { inherit destination; } '' writeC name { inherit destination; } ''
#include <unistd.h> #include <unistd.h>
@ -40,6 +42,10 @@ subdirs // rec {
} }
''; '';
test = {
infest-cac-centos7 = pkgs.callPackage ./test/infest-cac-centos7 {};
};
execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; }); execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; });
writeC = name: { destination ? "" }: src: pkgs.runCommand name {} '' writeC = name: { destination ? "" }: src: pkgs.runCommand name {} ''
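Review bot: The new `test = { infest-cac-centos7 = ...; }` attribute is inserted between `execve` and `execveBin`, which splits two definitions that belong together; placing it directly after the new `ReaktorPlugins` line keeps the package helpers contiguous. A one-line comment above it, `# test derivations, presumably reached as pkgs.test.<name>; not regular packages`, would also tell readers why `infest-cac-centos7` is nested under `test` rather than exposed at top level.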


@ -1,22 +0,0 @@
{ lib, pkgs, ... }:
pkgs.writeScriptBin "genid" ''
#! /bin/sh
# usage: genid NAME
set -euf
export PATH=${lib.makeSearchPath "bin" (with pkgs; [
bc
coreutils
])}
name=$1
hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F)
echo "
min=2^24 # bigger than nobody and nogroup, see <nixos/modules/misc/ids.nix>
# and some spare for stuff like lxd.
max=2^32 # see 2^(8*sizeof(uid_t))
ibase=16
($hash + min) % max
" | bc
''


@ -1,5 +1,10 @@
{ lib, pkgs,python3Packages,fetchurl, ... }: { lib, pkgs,python3Packages,fetchurl, ... }:
# TODO: Prepare a diff of future and current
## ovh-zone export krebsco.de --config ~/secrets/krebs/cfg.json |sed 's/[ ]\+/ /g' | sort current
## sed 's/[ ]\+/ /g'/etc/zones/krebsco.de | sort > future
## diff future.sorted current.sorted
python3Packages.buildPythonPackage rec { python3Packages.buildPythonPackage rec {
name = "krebszones-${version}"; name = "krebszones-${version}";
version = "0.4.4"; version = "0.4.4";
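Review bot: The recipe in the new TODO comment does not run as written: the second `sed` has no space before `/etc/zones/krebsco.de`, the first line ends in `| sort current` instead of redirecting to a file, and the final `diff future.sorted current.sorted` names files the previous lines never create. Suggest `## ovh-zone export krebsco.de --config ~/secrets/krebs/cfg.json | sed 's/[ ]\+/ /g' | sort > current`, `## sed 's/[ ]\+/ /g' /etc/zones/krebsco.de | sort > future` and `## diff future current`, so the comment can be pasted as-is.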


@ -1,33 +0,0 @@
{stdenv, fetchurl}:
let
s = # Generated upstream information
rec {
baseName="jq";
version="1.5";
name="${baseName}-${version}";
url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz;
sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
};
buildInputs = [
];
in
stdenv.mkDerivation {
inherit (s) name version;
inherit buildInputs;
src = fetchurl {
inherit (s) url sha256;
};
# jq is linked to libjq:
configureFlags = [
"LDFLAGS=-Wl,-rpath,\\\${libdir}"
];
meta = {
inherit (s) version;
description = ''A lightweight and flexible command-line JSON processor'';
license = stdenv.lib.licenses.mit ;
maintainers = [stdenv.lib.maintainers.raskin];
platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
};
}


@ -1,7 +1,9 @@
{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }: { stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "krebs-ci-0.1.0"; name = "${shortname}-${version}";
shortname = "infest-cac-centos7";
version = "0.2.0";
src = ./notes; src = ./notes;
@ -23,9 +25,9 @@ stdenv.mkDerivation rec {
installPhase = installPhase =
'' ''
mkdir -p $out/bin mkdir -p $out/bin
cp ${src} $out/bin/krebs-ci cp ${src} $out/bin/${shortname}
chmod +x $out/bin/krebs-ci chmod +x $out/bin/${shortname}
wrapProgram $out/bin/krebs-ci \ wrapProgram $out/bin/${shortname} \
--prefix PATH : ${path} --prefix PATH : ${path}
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {


@ -1,12 +1,24 @@
#! /bin/sh #! /bin/sh
# nix-shell -p gnumake jq openssh cac cacpanel # nix-shell -p gnumake jq openssh cac cacpanel
set -euf set -eufx
# 2 secrets are required: # 2 secrets are required:
krebs_cred=${krebs_cred-./cac.json} krebs_cred=${krebs_cred-./cac.json}
retiolum_key=${retiolum_key-./retiolum.rsa_key.priv} retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
clear_defer(){
echo "${trapstr:-exit}"
trap - INT TERM EXIT KILL
}
defer(){
if test -z "${debug:-}"; then
trapstr="$1;${trapstr:-exit}"
trap "$trapstr" INT TERM EXIT KILL
fi
}
# Sanity # Sanity
if test ! -r "$krebs_cred";then if test ! -r "$krebs_cred";then
echo "\$krebs_cred=$krebs_cred must be readable"; exit 1 echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
@ -18,46 +30,73 @@ fi
krebs_secrets=$(mktemp -d) krebs_secrets=$(mktemp -d)
sec_file=$krebs_secrets/cac_config sec_file=$krebs_secrets/cac_config
krebs_ssh=$krebs_secrets/tempssh krebs_ssh=$krebs_secrets/tempssh
export cac_resources_cache=$krebs_secrets/res_cache.json
export cac_servers_cache=$krebs_secrets/servers_cache.json
export cac_tasks_cache=$krebs_secrets/tasks_cache.json
export cac_templates_cache=$krebs_secrets/templates_cache.json
# we need to receive this key from buildmaster to speed up tinc bootstrap # we need to receive this key from buildmaster to speed up tinc bootstrap
TRAP="rm $sec_file;rm -r $krebs_secrets" defer "trap - INT TERM EXIT"
trap "$TRAP" INT TERM EXIT defer "rm -r $krebs_secrets"
cat > $sec_file <<EOF cat > $sec_file <<EOF
cac_login="$(jq -r .email $krebs_cred)" cac_login="$(jq -r .email $krebs_cred)"
cac_key="$(cac-cli panel --config $krebs_cred settings | jq -r .apicode)" cac_key="$(cac-cli --config $krebs_cred panel settings | jq -r .apicode)"
EOF EOF
export cac_secrets=$sec_file export cac_secrets=$sec_file
cac-cli panel --config $krebs_cred update-api-ip cac-cli --config $krebs_cred panel add-api-ip
# test login: # test login:
cac update cac update
cac servers cac servers
# Template 26: CentOS7 # preserve old trap
# TODO: use cac templates to determine the real Centos7 template in case it changes old_trapstr=$(clear_defer)
name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1\ while true;do
| jq -r .servername) # Template 26: CentOS7
# TODO: use cac templates to determine the real Centos7 template in case it changes
out=$(cac build cpu=1 ram=512 storage=10 os=26 2>&1)
if name=$(echo "$out" | jq -r .servername);then
id=servername:$name
echo "got a working machine, id=$id"
else
echo "Unable to build a virtual machine, retrying in 15 seconds" >&2
echo "Output of build program: $out" >&2
sleep 15
continue
fi
id=servername:$name clear_defer >/dev/null
trap "cac delete $id;$TRAP" INT TERM EXIT defer "cac delete $id"
# TODO: timeout?
always_update=true cac waitstatus $id "Powered On"
wait_login_cac(){ # TODO: timeout?
# timeout
for t in `seq 60`;do wait_login_cac(){
# now we have a working cac server # we wait for 30 minutes
if cac ssh $1 cat /etc/redhat-release | \ for t in `seq 180`;do
grep CentOS ;then # now we have a working cac server
return 0 if cac ssh $1 -o ConnectTimeout=10 \
fi cat /etc/redhat-release | \
sleep 10 grep CentOS ;then
done return 0
return 1 fi
} sleep 10
# die on timeout done
wait_login_cac $id return 1
}
# die on timeout
if ! wait_login_cac $id;then
echo "unable to boot a working system within time frame, retrying..." >&2
echo "Cleaning up old image,last status: $(cac update;cac getserver $id | jq -r .status)"
eval "$(clear_defer | sed 's/;exit//')"
sleep 15
else
echo "got a working system" >&2
break
fi
done
clear_defer >/dev/null
defer "cac delete $id;$old_trapstr"
mkdir -p shared/2configs/temp mkdir -p shared/2configs/temp
cac generatenetworking $id > \ cac generatenetworking $id > \
@ -94,7 +133,7 @@ cac powerop $id reset
wait_login(){ wait_login(){
# timeout # timeout
for t in `seq 20`;do for t in `seq 90`;do
# now we have a working cac server # now we have a working cac server
if ssh -o StrictHostKeyChecking=no \ if ssh -o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \ -o UserKnownHostsFile=/dev/null \
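Review bot: `set -eufx` on the first hunk line traces every command, so the secret-writing lines in the second hunk — `cac_key="$(cac-cli --config $krebs_cred panel settings | jq -r .apicode)"` and the `cac_login` line — now print the API code and login to stderr, which on a CI runner lands in build logs. Keep `set -euf` and gate tracing on the `debug` variable the script already consults, e.g. `test -n "${debug:-}" && set -x`, or bracket the heredoc with `set +x` / `set -x`. Separately, `trap "$trapstr" INT TERM EXIT KILL` in `defer()` lists KILL, which POSIX leaves untrappable and some shells reject with an error; under `set -e` that would abort before any cleanup is registered, so drop KILL. Note also that with `debug` set `defer()` registers nothing, leaving `$krebs_secrets` and any built server behind — presumably intended, but worth a comment on the `if test -z "${debug:-}"; then` line.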

11
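--- a/krebs/Zhosts/bobby
+++ b/krebs/Zhosts/bobby
@@ -0,0 +1,11 @@
+Subnet = 10.243.111.112/32
+Subnet = 42:0:0:0:0:0:111:112/128
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA+AScnIqFdzGl+iRZTNZ7r91n/r1H4GzDsrAupUvJ4mi7nDN4eP8s
+uLvKtJp22RxfuF3Kf4KhHb8LHQ8bLLN/KDaNDXrCNBc69d7vvLsjoY+wfGLJNu4Y
+Ad/8J4r3rdb83mTA3IHb47T/70MERPBr2gF84YiG6ZoQrPQuTk4lHxaI83SOhjny
+0F0ucS/rBV6Vv9y5/756TKi1cFPSpY4X+qeWc8xWrBGJcJiiqYb8ZX2o/lkAJ5c+
+jI/VdybGFVGY9+bp4Jw5xBIo5KGuFnm8+blRmSDDl3joRneKQSx9FAu7RUwoajBu
+cEbi1529NReQzIFT6Vt22ymbHftxOiuh4QIDAQAB
+-----END RSA PUBLIC KEY-----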

11
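--- a/krebs/Zhosts/kebsco
+++ b/krebs/Zhosts/kebsco
@@ -0,0 +1,11 @@
+Subnet = 10.243.212.68
+Subnet = 42:9d30:3845:c822:988b:96c5:39ab:90b7
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA0dEwTZh2uzJpP9GL7YRyiLuezJqYiJ8/4Bl4IPshJnuO9IGbEcto
+0cFm9uM9gxxqggfaCi96DsIQNlyqff2vDfEj3mdIu9T3tkRROByQF8y1NWX29NyH
+zZEX8Ri8u4U2KdYTEzPXEFxBEl0GQX9mMtlvwzCq7V4ueCcWB1xDA+DtJjpd894z
+3FOw0rIxYmfYhLAL5B3rzF74bcHFGV30f4JWq11wLBkyR6/Q5gxgZzkKYGwdZ/SN
+C6gg86abKdp65/Wq5P331IbwPBal1ZhGbaAo1y7JpjpLvZytI2jboXeQuPZ8P5hU
+L3zKKceAibPKrw9+y8lb+IKoYLF7I1KYIwIDAQAB
+-----END RSA PUBLIC KEY-----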


@ -36,6 +36,7 @@ let out = {
{ system ? current-host-name { system ? current-host-name
, target ? system , target ? system
}@args: let }@args: let
config = get-config system;
in '' in ''
#! /bin/sh #! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name} # ${current-date} ${current-user-name}@${current-host-name}
@ -47,6 +48,9 @@ let out = {
${builtins.readFile ./4lib/infest/install-nix.sh} ${builtins.readFile ./4lib/infest/install-nix.sh}
''} ''}
# Prepare target source via bind-mounting
(${nixos-install args}) (${nixos-install args})
${rootssh target '' ${rootssh target ''
@ -98,7 +102,7 @@ let out = {
#! /bin/sh #! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name} # ${current-date} ${current-user-name}@${current-host-name}
# krebs.nixos-install # krebs.nixos-install
(${populate args}) (${populate (args // { root = "/mnt"; })})
${rootssh target '' ${rootssh target ''
export PATH; PATH=/root/.nix-profile/bin:$PATH export PATH; PATH=/root/.nix-profile/bin:$PATH
@ -205,6 +209,7 @@ let out = {
populate = populate =
{ system ? current-host-name { system ? current-host-name
, target ? system , target ? system
, root ? ""
}@args: }@args:
let out = '' let out = ''
#! /bin/sh #! /bin/sh
@ -217,6 +222,7 @@ let out = {
["dir" "git"])} ["dir" "git"])}
''; '';
config = get-config system; config = get-config system;
current-host = config.krebs.hosts.${current-host-name}; current-host = config.krebs.hosts.${current-host-name};
@ -225,17 +231,18 @@ let out = {
methods.dir = config: methods.dir = config:
let let
can-push = config.host.name == current-host.name; can-push = config.host.name == current-host.name;
target-path = root + config.target-path;
push-method = '' push-method = ''
rsync \ rsync \
--exclude .git \ --exclude .git \
--exclude .graveyard \ --exclude .graveyard \
--exclude old \ --exclude old \
--exclude tmp \ --exclude tmp \
--rsync-path='mkdir -p ${config.target-path} && rsync' \ --rsync-path='mkdir -p ${target-path} && rsync' \
--delete-excluded \ --delete-excluded \
-vrLptgoD \ -vrLptgoD \
${config.path}/ \ ${config.path}/ \
root@${target}:${config.target-path} root@${target}:${target-path}
''; '';
in in
if can-push then push-method else if can-push then push-method else
@ -244,9 +251,10 @@ let out = {
throw "No way to push ${dir} from ${current-host.name} to ${target}"; throw "No way to push ${dir} from ${current-host.name} to ${target}";
methods.git = config: methods.git = config:
rootssh target '' let target-path = root + config.target-path;
mkdir -p ${config.target-path} in rootssh target ''
cd ${config.target-path} mkdir -p ${target-path}
cd ${target-path}
if ! test -e .git; then if ! test -e .git; then
git init git init
fi fi
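Review bot: The new `root ? ""` parameter of `populate` and the two `target-path = root + config.target-path;` bindings in `methods.dir` and `methods.git` are undocumented, and the plain string concatenation only yields a sane path if `config.target-path` is absolute and `root` has no trailing slash, which nothing here checks. Suggest a comment on the parameter line: `# root: prefix for every target-path, e.g. "/mnt" when populating from the installer; must not end in "/"`. The added `# Prepare target source via bind-mounting` comment sits directly above `(${nixos-install args})`, which in this hunk does no bind mounting itself — if that happens inside `nixos-install`, say so, otherwise the comment misleads. `populate` and the `infest` script body both continue outside the hunks shown.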


@ -38,6 +38,10 @@
../3modules/wordpress_nginx.nix ../3modules/wordpress_nginx.nix
]; ];
lass.wordpress."testserver.de" = { lass.wordpress."testserver.de" = {
multiSite = {
"1" = "testserver.de";
"2" = "bla.testserver.de";
};
}; };
services.mysql = { services.mysql = {
@ -52,6 +56,27 @@
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
]; ];
} }
{
#owncloud-test
#imports = singleton (sitesGenerators.createWordpress "testserver.de");
imports = [
../3modules/owncloud_nginx.nix
];
lass.owncloud."owncloud-test.de" = {
};
#services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# rootPassword = "<secrets>/mysql_rootPassword";
#};
networking.extraHosts = ''
10.243.0.2 owncloud-test.de
'';
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
];
}
]; ];
krebs.build.host = config.krebs.hosts.mors; krebs.build.host = config.krebs.hosts.mors;
@ -59,11 +84,12 @@
networking.wireless.enable = true; networking.wireless.enable = true;
networking.extraHosts = '' networking.extraHosts = ''
10.243.206.102 habsys.de 213.239.205.240 wohnprojekt-rhh.de
10.243.206.102 pixelpocket.de 213.239.205.240 karlaskop.de
10.243.206.102 karlaskop.de 213.239.205.240 makeup.apanowicz.de
10.243.206.102 ubikmedia.de 213.239.205.240 pixelpocket.de
10.243.206.102 apanowicz.de 213.239.205.240 reich-gebaeudereinigung.de
213.239.205.240 o.ubikmedia.de
''; '';
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
@ -184,7 +210,6 @@
cac cac
sshpass sshpass
get get
genid
teamspeak_client teamspeak_client
hashPassword hashPassword
]; ];
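Review bot: The new owncloud-test block re-declares `krebs.iptables.tables.filter.INPUT.rules` with exactly the rule the wordpress block above already carries (`-i retiolum -p tcp --dport 80`, ACCEPT, precedence 9998); list options are merged across the `imports` entries, so the same rule is emitted twice. Either drop the duplicate or hoist the shared rule out of both blocks. The commented-out `services.mysql` fragment with `rootPassword = "<secrets>/mysql_rootPassword"` is dead configuration that will drift from the live mysql block — remove it, or replace it with a one-line note on why owncloud-test needs no database yet.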


@ -50,7 +50,7 @@ with lib;
source = { source = {
git.nixpkgs = { git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs; url = https://github.com/Lassulus/nixpkgs;
rev = "363c8430f1efad8b03d5feae6b3a4f2fe7b29251"; rev = "93d8671e2c6d1d25f126ed30e5e6f16764330119";
}; };
dir.secrets = { dir.secrets = {
host = config.krebs.hosts.mors; host = config.krebs.hosts.mors;


@ -31,10 +31,15 @@ in {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
powertop gitAndTools.qgit
sxiv mpv
much much
pavucontrol
powertop
push push
slock
sxiv
xsel
zathura zathura
#window manager stuff #window manager stuff


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
let let
mainUser = config.users.extraUsers.mainUser; mainUser = config.users.extraUsers.mainUser;
@ -8,7 +8,7 @@ in {
users.extraUsers = { users.extraUsers = {
libvirt = { libvirt = {
uid = 358821352; # genid libvirt uid = lib.genid "libvirt";
description = "user for running libvirt stuff"; description = "user for running libvirt stuff";
home = "/home/libvirt"; home = "/home/libvirt";
useDefaultShell = true; useDefaultShell = true;
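Review bot: `uid = lib.genid "libvirt";` replaces a pinned constant (`358821352`) with a computed value, and the same substitution is made for skype, chat, newsbot-js, nobody_oc and nobody2 in the hunks that follow. Unless `lib.genid` reproduces the old numbers bit-for-bit, every file owned by those users changes owner on the next activation and services whose state lives under their `home` lose access — verify once against the old constants before deploying. The removed `# genid <name>` comments were the only record of how the numbers were derived; a short doc comment on `lib.genid` itself (presumably the sha1-plus-offset scheme of the `genid` script deleted in this commit) would preserve that knowledge.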


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
let let
mainUser = config.users.extraUsers.mainUser; mainUser = config.users.extraUsers.mainUser;
@ -7,7 +7,7 @@ in {
users.extraUsers = { users.extraUsers = {
skype = { skype = {
name = "skype"; name = "skype";
uid = 2259819492; #genid skype uid = lib.genid "skype";
description = "user for running skype"; description = "user for running skype";
home = "/home/skype"; home = "/home/skype";
useDefaultShell = true; useDefaultShell = true;


@ -8,7 +8,7 @@
users.extraUsers.chat = { users.extraUsers.chat = {
home = "/home/chat"; home = "/home/chat";
uid = 986764891; # genid chat uid = lib.genid "chat";
useDefaultShell = true; useDefaultShell = true;
createHome = true; createHome = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [


@ -7,7 +7,6 @@ let
user = config.users.users.mainUser; user = config.users.users.mainUser;
out = { out = {
services.xserver = { services.xserver = {
display = 11; display = 11;
tty = 11; tty = 11;
@ -41,16 +40,6 @@ let
}; };
}; };
environment.systemPackages = [
pkgs.gitAndTools.qgit
pkgs.mpv
pkgs.pavucontrol
pkgs.slock
pkgs.sxiv
pkgs.xsel
pkgs.zathura
];
security.setuidPrograms = [ security.setuidPrograms = [
"slock" "slock"
]; ];
@ -106,9 +95,6 @@ let
set -efu set -efu
export PATH; PATH=${makeSearchPath "bin" ([ export PATH; PATH=${makeSearchPath "bin" ([
pkgs.rxvt_unicode pkgs.rxvt_unicode
pkgs.i3lock
pkgs.haskellPackages.yeganesh
pkgs.dmenu
] ++ config.environment.systemPackages)}:/var/setuid-wrappers ] ++ config.environment.systemPackages)}:/var/setuid-wrappers
settle() {( settle() {(
# Use PATH for a clean journal # Use PATH for a clean journal
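Review bot: Removing `pkgs.i3lock`, `pkgs.haskellPackages.yeganesh` and `pkgs.dmenu` from the `makeSearchPath "bin"` list means the session script only finds them if they are in `config.environment.systemPackages`, and the package list moved in this commit (qgit, mpv, pavucontrol, slock, sxiv, xsel, zathura) contains none of the three. If the xmonad config still spawns dmenu or i3lock (the xmonad hunk elsewhere in this commit only shows the yeganesh binding commented out), those keys will fail silently at runtime — keep the packages in the PATH or add them to the moved list. The enclosing `let` and the shell script continue outside the hunk.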


@ -51,7 +51,7 @@ let
imp = { imp = {
users.extraUsers.newsbot-js = { users.extraUsers.newsbot-js = {
name = "newsbot-js"; name = "newsbot-js";
uid = 1616759810; #genid newsbot-js uid = genid "newsbot-js";
description = "newsbot-js user"; description = "newsbot-js user";
home = "/var/empty"; home = "/var/empty";
}; };


@ -207,7 +207,7 @@ let
# }; # };
#}); #});
users.users.nobody_oc = { users.users.nobody_oc = {
uid = 1651469147; # genid nobody_oc uid = genid "nobody_oc";
useDefaultShell = true; useDefaultShell = true;
}; };
}; };


@ -229,7 +229,7 @@ let
}; };
}); });
users.users.nobody2 = mkDefault { users.users.nobody2 = mkDefault {
uid = mkDefault 125816384; # genid nobody2 uid = mkDefault (genid "nobody2");
useDefaultShell = mkDefault true; useDefaultShell = mkDefault true;
}; };
}; };


@ -26,8 +26,8 @@ in nodePackages.buildNodePackage {
src = fetchgit { src = fetchgit {
url = "http://cgit.echelon/newsbot-js/"; url = "http://cgit.echelon/newsbot-js/";
rev = "b22729670236bfa6491207d57c5d7565137625ca"; rev = "802b172d0eed6c9625a9cb5db408f5cc8c01784e";
sha256 = "8ff00de56d85543399776c82d41d92ccc68000e5dce0f008d926748e188f3c69"; sha256 = "794fc7845aca311f7cf7b6bdc109b5a25d0e2299322bc6612edadc477b2536e2";
}; };
phases = [ phases = [


@ -125,6 +125,8 @@ myKeyMap =
--, ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"") --, ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"")
, ("<XF86AudioRaiseVolume>", spawn "pactl -- set-sink-volume 0 +4%") , ("<XF86AudioRaiseVolume>", spawn "pactl -- set-sink-volume 0 +4%")
, ("<XF86AudioLowerVolume>", spawn "pactl -- set-sink-volume 0 -4%") , ("<XF86AudioLowerVolume>", spawn "pactl -- set-sink-volume 0 -4%")
, ("<XF86AudioMute>", spawn "pactl -- set-sink-mute 0 toggle")
, ("<XF86AudioMicMute>", spawn "pactl -- set-source-mute 1 toggle")
, ("<XF86Launch1>", gridselectWorkspace myWSConfig W.view) , ("<XF86Launch1>", gridselectWorkspace myWSConfig W.view)
, ("M4-a", focusUrgent) , ("M4-a", focusUrgent)
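Review bot: `pactl -- set-source-mute 1 toggle` hard-codes source index 1 while the sink bindings use index 0; PulseAudio assigns these indices at enumeration time and they shift when a headset or HDMI device appears, so the mic-mute key can end up toggling the wrong device. Use the symbolic names pactl accepts instead, `spawn "pactl -- set-source-mute @DEFAULT_SOURCE@ toggle"`, and `@DEFAULT_SINK@` for the sink lines.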


@ -9,28 +9,35 @@
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
../2configs/fs/single-partition-ext4.nix ../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix ../2configs/tinc-basic-retiolum.nix
../2configs/smart-monitor.nix
]; ];
krebs.build.host = config.krebs.hosts.filepimp; krebs.build.host = config.krebs.hosts.filepimp;
services.smartd.devices = [
{ device = "/dev/sda"; }
{ device = "/dev/sdb"; }
{ device = "/dev/sdc"; }
{ device = "/dev/sdd"; }
{ device = "/dev/sde"; }
];
# AMD N54L # AMD N54L
boot = { boot = {
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sde";
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"usb_storage"
"ahci" "ahci"
"xhci_hcd" "ohci_pci"
"ata_piix"
"uhci_hcd"
"ehci_pci" "ehci_pci"
"pata_atiixp"
"usb_storage"
"usbhid"
]; ];
kernelModules = [ ]; kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true; zramSwap.enable = true;
zramSwap.numDevices = 2;
} }
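Review bot: `loader.grub.device = "/dev/sde";` and the five `services.smartd.devices` entries use kernel-enumerated `/dev/sdX` names, which are not stable across reboots — and the same hunk reorders the initrd module list (`ohci_pci`, `ata_piix`, `uhci_hcd`, `pata_atiixp` added), which is exactly what shifts enumeration; the move from `/dev/sda` to `/dev/sde` suggests it already did. Prefer `/dev/disk/by-id/...` paths as omo.nix does in this commit (`byid = dev: "/dev/disk/by-id/" + dev;`); the same applies to `services.smartd.devices = [ { device = "/dev/sda";} ]` in gum.nix. Also, `networking.firewall.allowPing = true;` is replaced by `zramSwap.enable = true;` rather than kept next to it — if dropping ping was not intended, restore the line, since whether ICMP echo is still answered then depends on the NixOS default.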


@ -6,18 +6,22 @@ let
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in { in {
imports = [ imports = [
# TODO: copy this config or move to krebs
../2configs/tinc-basic-retiolum.nix ../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix ../2configs/headless.nix
../2configs/fs/simple-swap.nix ../2configs/fs/simple-swap.nix
../2configs/fs/single-partition-ext4.nix ../2configs/fs/single-partition-ext4.nix
../2configs/smart-monitor.nix
# ../2configs/iodined.nix # ../2configs/iodined.nix
../2configs/git/cgit-retiolum.nix ../2configs/git/cgit-retiolum.nix
../2configs/mattermost-docker.nix ../2configs/mattermost-docker.nix
../2configs/nginx/euer.test.nix ../2configs/nginx/euer.test.nix
../2configs/exim-retiolum.nix
../2configs/urlwatch.nix
]; ];
services.smartd.devices = [ { device = "/dev/sda";} ];
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
###### stable ###### stable
@ -28,6 +32,9 @@ in {
ListenAddress = ${external-ip} 655 ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031 ListenAddress = ${external-ip} 21031
''; '';
krebs.nginx.servers.cgit.server-names = [
"cgit.euer.krebsco.de"
];
# Chat # Chat
environment.systemPackages = with pkgs;[ environment.systemPackages = with pkgs;[


@ -2,36 +2,110 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
let
{ byid = dev: "/dev/disk/by-id/" + dev;
keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
cryptDisk2 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WCAZA5548487";
# all physical disks
allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
in {
imports = imports =
[ # Include the results of the hardware scan. [
# TODO: unlock home partition via ssh
../2configs/fs/single-partition-ext4.nix ../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix ../2configs/tinc-basic-retiolum.nix
../2configs/zsh-user.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix
../2configs/share-user-sftp.nix
../2configs/nginx/omo-share.nix
../3modules
]; ];
# services.openssh.allowSFTP = false;
krebs.build.host = config.krebs.hosts.omo; krebs.build.host = config.krebs.hosts.omo;
krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
makefu.snapraid = let
toMapper = id: "/media/crypt${builtins.toString id}";
in {
enable = true;
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in {
"/home" = {
device = "/dev/mapper/home";
fsType = "ext4";
};
} // cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2";
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
# AMD E350
boot = { boot = {
loader.grub.device = "/dev/sda"; initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
};
in [
(usbkey "home" homePartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
];
};
loader.grub.device = rootDisk;
initrd.availableKernelModules = [ initrd.availableKernelModules = [
"usb_storage"
"ahci" "ahci"
"xhci_hcd" "ohci_pci"
"ata_piix"
"uhci_hcd"
"ehci_pci" "ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
]; ];
kernelModules = [ ]; kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
networking.firewall.allowedUDPPorts = [ 655 ];
# 8080: sabnzbd
networking.firewall.allowedTCPPorts = [ 80 655 8080 ];
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true; hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true; zramSwap.enable = true;
zramSwap.numDevices = 2;
} }
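Review bot: `networking.firewall.allowedTCPPorts = [ 80 655 8080 ];` opens the sabnzbd web interface (8080, per the comment on the line above) on every interface rather than only the overlay. Elsewhere in this commit (mors.nix) services are exposed with `krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p tcp --dport 8080"; target = "ACCEPT"; precedence = 9998; } ]`, and that restriction suits a download manager whose credentials are copied in from `<secrets/sabnzbd.ini>`. The LUKS entries read `keyFileSize = 4096` from the raw USB device named by `keyFile`; a comment on that line that the key is, as the option name suggests, the leading 4096 bytes of the stick — so partitioning or formatting it destroys the key — would stop the next person from doing exactly that. As in filepimp.nix, `networking.firewall.allowPing = true;` is replaced by `zramSwap.enable = true;` — confirm the ping change is intended.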


@ -1,62 +1,51 @@
# Edit this configuration file to define what should be installed on # Usage:
# your system. Help is available in the configuration.nix(5) man page # NIX_PATH=secrets=/home/makefu/secrets/wry:nixpkgs=/var/src/nixpkgs nix-build -A users.makefu.pnp.config.system.build.vm
# and in the NixOS manual (accessible by running nixos-help). # result/bin/run-pnp-vm -virtfs local,path=/home/makefu/secrets/pnp,security_model=none,mount_tag=secrets
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = imports =
[ # Include the results of the hardware scan. [
# Base
../2configs/tinc-basic-retiolum.nix ../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix ../2configs/headless.nix
../../krebs/3modules/Reaktor.nix
# HW/FS # these will be overwritten by qemu-vm.nix but will be used if the system
# is directly deployed
# enables virtio kernel modules in initrd
<nixpkgs/nixos/modules/profiles/qemu-guest.nix> <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/fs/vm-single-partition.nix ../2configs/fs/vm-single-partition.nix
# Services # config.system.build.vm
../2configs/git/cgit-retiolum.nix <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
## Reaktor
## \/ are only plugins, must enable Reaktor explicitly
../2configs/Reaktor/stockholmLentil.nix
../2configs/Reaktor/simpleExtend.nix
../2configs/Reaktor/random-emoji.nix
../2configs/Reaktor/titlebot.nix
../2configs/Reaktor/shack-correct.nix
../2configs/exim-retiolum.nix
../2configs/urlwatch.nix
# ../2configs/graphite-standalone.nix
]; ];
krebs.urlwatch.verbose = true;
krebs.Reaktor.enable = true; virtualisation.graphics = false;
krebs.Reaktor.debug = true; # also export secrets, see Usage above
krebs.Reaktor.nickname = "Reaktor|bot"; fileSystems = pkgs.lib.mkVMOverride {
krebs.Reaktor.extraEnviron = { "${builtins.toString <secrets>}" =
REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace"; { device = "secrets";
fsType = "9p";
options = "trans=virtio,version=9p2000.L,cache=loose";
neededForBoot = true;
};
};
krebs.Reaktor = {
enable = true;
debug = true;
extraEnviron = {
REAKTOR_HOST = "cd.retiolum";
};
plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ];
channels = [ "#retiolum" ];
}; };
krebs.build.host = config.krebs.hosts.pnp; krebs.build.host = config.krebs.hosts.pnp;
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# nginx runs on 80
80
# graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp
# 8080 2003
# smtp
25 25
]; ];
# networking.firewall.allowedUDPPorts = [ 2003 ];
} }
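Review bot: The 9p mount of `<secrets>` is marked `neededForBoot = true;`, so the VM stops in stage 1 whenever `run-pnp-vm` is started without the `-virtfs ...,mount_tag=secrets` argument from the Usage comment; a comment on that line, `# requires the -virtfs secrets share from Usage above, otherwise boot hangs in stage 1`, makes that failure mode obvious. The `"${builtins.toString <secrets>}"` attribute name also bakes the evaluating user's secrets path into the guest, which is fine for a personal VM but means the mount point differs per builder and deserves a note.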


@ -26,6 +26,7 @@
# services # services
../2configs/git/brain-retiolum.nix ../2configs/git/brain-retiolum.nix
../2configs/tor.nix ../2configs/tor.nix
# ../2configs/buildbot-standalone.nix
# hardware specifics are in here # hardware specifics are in here
../2configs/hw/tp-x220.nix ../2configs/hw/tp-x220.nix
@ -34,16 +35,18 @@
# ../2configs/mediawiki.nix # ../2configs/mediawiki.nix
#../2configs/wordpress.nix #../2configs/wordpress.nix
]; ];
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.samsungUnifiedLinuxDriver ];
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre; tinc = pkgs.tinc_pre;
buildbot = let
pkgs1509 = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
in pkgs1509.buildbot;
}; };
makefu.buildbot.master.enable = true;
#krebs.Reaktor.enable = true; krebs.Reaktor = {
#krebs.Reaktor.nickname = "makefu|r"; enable = false;
nickname = "makefu|r";
plugins = with pkgs.ReaktorPlugins; [ nixos-version random-emoji ];
};
# nix.binaryCaches = [ "http://acng.shack/nixos" "https://cache.nixos.org" ]; # nix.binaryCaches = [ "http://acng.shack/nixos" "https://cache.nixos.org" ];
environment.systemPackages = with pkgs;[ environment.systemPackages = with pkgs;[
@ -58,6 +61,7 @@
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" '' hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"} ${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"}
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"''; load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"'';
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 25
]; ];
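Review bot: `networking.firewall.enable = false;` switches the host firewall off entirely on a laptop config, which renders the `allowedTCPPorts = [ 25 ]` below it meaningless and exposes whatever listens (the buildbot master enabled a few lines up included) on any network the machine joins; if this is for buildbot, open the ports it needs and keep the firewall on. The `buildbot` override fetches `https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz` with a bare `fetchTarball` — no revision and no `sha256` — so evaluation is non-reproducible and pulls whatever that channel currently holds into a privileged service; pin it the way the other nixpkgs sources in this commit are pinned (`rev = "..."` plus a hash) and rename `pkgs1509` to match what is actually fetched. `makefu.buildbot.master.enable = true;` is set while `../2configs/buildbot-standalone.nix` is commented out of `imports` — presumably the module is loaded elsewhere, but a comment would help.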


@ -59,7 +59,6 @@ in {
buildbot buildbot
buildbot-slave buildbot-slave
get get
genid
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [

View File

@ -18,8 +18,6 @@ in {
../2configs/iodined.nix ../2configs/iodined.nix
# Reaktor
../2configs/Reaktor/simpleExtend.nix
# other nginx # other nginx
../2configs/nginx/euer.wiki.nix ../2configs/nginx/euer.wiki.nix
@ -29,9 +27,21 @@ in {
# collectd # collectd
../2configs/collectd/collectd-base.nix ../2configs/collectd/collectd-base.nix
]; ];
krebs.build.host = config.krebs.hosts.wry; krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor.enable = true; krebs.Reaktor = {
nickname = "Reaktor|bot";
channels = [ "#krebs" "#shackspace" "#binaergewitter" ];
enable = true;
plugins = with pkgs.ReaktorPlugins;[
titlebot
# stockholm-issue
nixos-version
shack-correct
sed-plugin
random-emoji ];
};
# bepasty to listen only on the correct interfaces # bepasty to listen only on the correct interfaces
krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ]; krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ];
@ -59,11 +69,11 @@ in {
}; };
networking = { networking = {
firewall = { firewall = {
allowPing = true; allowPing = true;
logRefusedConnections = false; logRefusedConnections = false;
allowedTCPPorts = [ 53 80 443 ]; allowedTCPPorts = [ 53 80 443 ];
allowedUDPPorts = [ 655 ]; allowedUDPPorts = [ 655 53 ];
}; };
interfaces.enp2s1.ip4 = [{ interfaces.enp2s1.ip4 = [{
address = external-ip; address = external-ip;
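Review bot: `allowedUDPPorts = [ 655 53 ];` opens DNS over UDP on every interface, including `enp2s1` which carries `external-ip`; TCP 53 was already open, but UDP is the transport used for reflection, so if the service behind it answers recursive queries for arbitrary clients this host becomes an open resolver. If the zone server is authoritative-only that is fine — say so on the line, `# 53/udp: authoritative DNS only, no recursion`; otherwise restrict 53 to retiolum with the `krebs.iptables` rules used elsewhere in this commit.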


@ -1,18 +0,0 @@
_:
{
# implementation of the complete Reaktor bot
imports = [
#./stockholmLentil.nix
./simpleExtend.nix
./random-emoji.nix
./titlebot.nix
./shack-correct.nix
./sed-plugin.nix
];
krebs.Reaktor.nickname = "Reaktor|bot";
krebs.Reaktor.enable = true;
krebs.Reaktor.extraEnviron = {
REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
};
}


@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
rpkg = pkgs.substituteAll( {
name="random-emoji";
dir= "bin";
isExecutable=true;
src= ./random-emoji.sh;
});
rpkg-path = lib.makeSearchPath "bin" (with pkgs; [
coreutils
gnused
gnugrep
xmlstarlet
curl]);
in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "emoji",
'pattern' : indirect_pattern.format("emoji"),
'argv' : ["${rpkg}/bin/random-emoji"],
'env' : { 'PATH':'${rpkg-path}' } })
'';
}


@ -1,18 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
script = ./sed-plugin.py;
in {
#TODO: this will eat up the last regex, fix Reaktor
krebs.Reaktor.extraConfig = ''
public_commands.append({
'capname' : "sed-plugin",
# only support s///gi
'pattern' : '^(?P<args>.*)$$',
'argv' : ["${pkgs.python3}/bin/python3","${script}"],
'env' : { 'state_dir' : workdir,
'PATH':'${lib.makeSearchPath "bin" [pkgs.gnused]}' }})
'';
}


@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
script = pkgs.substituteAll ( {
name="shack-correct";
isExecutable=true;
dir = "";
src = ./shack-correct.sh;
});
in {
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "shack-correct",
'pattern' : '^(?P<args>.*Shack.*)$$',
'argv' : ["${script}"],
'env' : { }})
'';
}


@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
nixos-version-script = pkgs.writeScript "nix-version" ''
#! /bin/sh
. /etc/os-release
echo "$PRETTY_NAME"
'';
in {
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "nixos-version",
'pattern' : indirect_pattern.format("nixos-version"),
'argv' : ["${nixos-version-script}"],
'env' : { 'state_dir': workdir } })
'';
}


@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
random-issue = pkgs.substituteAll( {
name="random-issue";
dir= "bin";
isExecutable=true;
src= ./random-issue.sh;
});
random-issue-path = lib.makeSearchPath "bin" (with pkgs; [
coreutils
git
gnused
lentil]);
in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "stockholm-issue",
'pattern' : indirect_pattern.format("stockholm-issue"),
'argv' : ["${random-issue}/bin/random-issue"],
'env' : { 'state_dir': workdir,
'PATH':'${random-issue-path}',
'origin':'http://cgit.pnp/stockholm' } })
'';
}


@ -1,38 +0,0 @@
{ stdenv,config, lib, pkgs, ... }:
with pkgs;
let
pypkgs = pkgs.python3Packages;
titlebot_cmds = pypkgs.buildPythonPackage {
name = "titlebot_cmds";
propagatedBuildInputs = with pypkgs; [ setuptools ];
src = fetchurl {
# https://github.com/makefu/reaktor-titlebot tag 2.1.0
url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz";
sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6";
};
};
pub_cmds = ["up" "help" "list" "top" "highest" "undo" ];
priv_cmds = [ "clear" ];
in {
# TODO: write identify file in
# {config.users.extraUsers.Reaktor.home}/state/admin.lst
krebs.Reaktor.extraConfig = ''
def titlebot_cmd(cmd):
return {
'capname': cmd,
'env': {
'TITLEDB':
'${config.users.extraUsers.Reaktor.home}/suggestions.json'
},
'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$',
'argv': [ '${titlebot_cmds}/bin/' + cmd ] }
# TODO: for each element in ${titlebot_cmds}/bin/*
public_commands.insert(0,titlebot_cmd('up'))
public_commands.insert(0,titlebot_cmd('help'))
public_commands.insert(0,titlebot_cmd('list'))
public_commands.insert(0,titlebot_cmd('top'))
public_commands.insert(0,titlebot_cmd('new'))
commands.insert(0,titlebot_cmd('clear'))
'';
}


@ -13,7 +13,7 @@ with lib;
./vim.nix ./vim.nix
]; ];
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = { krebs = {
enable = true; enable = true;
search-domain = "retiolum"; search-domain = "retiolum";
@ -23,8 +23,8 @@ with lib;
source = { source = {
git.nixpkgs = { git.nixpkgs = {
#url = https://github.com/NixOS/nixpkgs; #url = https://github.com/NixOS/nixpkgs;
url = mkDefault https://github.com/makefu/nixpkgs; url = mkDefault https://github.com/nixos/nixpkgs;
rev = mkDefault "3fd2c24685f604edc925f73ed56600b8c66236b3"; # nixos-15.09 + cherry-picking rev = mkDefault "93d8671e2c6d1d25f126ed30e5e6f16764330119"; # unstable @ 2015-01-03, tested on filepimp
target-path = "/var/src/nixpkgs"; target-path = "/var/src/nixpkgs";
}; };
@ -65,7 +65,12 @@ with lib;
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
#nix.maxJobs = 1; #nix.maxJobs = 1;
programs.ssh.startAgent = false; programs.ssh = {
startAgent = false;
extraConfig = ''
UseRoaming no
'';
};
services.openssh.enable = true; services.openssh.enable = true;
nix.useChroot = true; nix.useChroot = true;
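Review bot: The new `UseRoaming no` in `programs.ssh.extraConfig` (L2272-2274) carries no comment saying why it is there; it turns off the undocumented OpenSSH client roaming feature, and without a note a later cleanup could drop it as cruft. Suggest `# disable the OpenSSH client roaming feature (client-side mitigation; revisit once the client no longer supports it)` next to it. The rev comment at L2264 reads `unstable @ 2015-01-03` for a change made in January 2016; that looks like a typo for 2016-01-03, but I cannot confirm it from here.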


@ -24,5 +24,12 @@ with lib;
services.tlp.enable = true; services.tlp.enable = true;
services.tlp.extraConfig = '' services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80 START_CHARGE_THRESH_BAT0=80
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
''; '';
} }


@ -7,6 +7,8 @@ with lib;
mutt-kz mutt-kz
notmuch notmuch
offlineimap offlineimap
imapfilter
gnupg
]; ];
} }


@ -0,0 +1,34 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.krebs.build.host.name;
# TODO local-ip from the nets config
local-ip = "192.168.1.11";
# local-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
krebs.nginx = {
enable = mkDefault true;
servers = {
omo-share = {
listen = [ "${local-ip}:80" ];
locations = singleton (nameValuePair "/" ''
autoindex on;
root /media;
limit_rate_after 100m;
limit_rate 5m;
mp4_buffer_size 4M;
mp4_max_buffer_size 10M;
allow all;
access_log off;
keepalive_timeout 65;
keepalive_requests 200;
reset_timedout_connection on;
sendfile on;
tcp_nopush on;
gzip off;
'');
};
};
};
}
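Review bot: `allow all;` together with `autoindex on;` and `root /media;` (L2322-2328) publishes a browsable listing of /media to anything that can reach 192.168.1.11:80, and `access_log off;` (L2329) removes the only record of who fetched what. `allow all` is nginx's default, so it adds nothing unless a LAN restriction was intended, in which case something like `allow 192.168.1.0/24; deny all;` (constructed example, adjust to the real subnet) expresses it. If the listing is meant to be open on the LAN, a comment saying so, and keeping the access log or stating why it is off, makes the intent reviewable; the hard-coded `local-ip` already carries a TODO at L2312.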


@ -0,0 +1,21 @@
{ config, ... }:
{
users.users = {
share = {
uid = 9002;
home = "/var/empty";
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
# we will use internal-sftp to make uncomplicated Chroot work
services.openssh.extraConfig = ''
Match User share
ChrootDirectory /media
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
Match All
'';
}
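Review bot: `ChrootDirectory /media` (L2357) only works if /media and every path component above it are owned by root and not group- or world-writable; otherwise sshd rejects the login with a bad-ownership error, and nothing in this file establishes that. A comment next to it, e.g. `# sshd requires /media to be root-owned and not writable by group/other`, or an assertion on the mount configuration, would save the next person a debugging session. Reusing `config.krebs.users.makefu.pubkey` for the `share` account (L2351) means the restricted account gives the key holder nothing they do not already have as makefu; a dedicated key for the share role would make the separation real and easier to revoke.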


@ -0,0 +1,18 @@
{ config, lib, ... }:
{
krebs.exim-retiolum.enable = lib.mkDefault true;
services.smartd = {
enable = true;
autodetect = false;
notifications = {
mail = {
enable = true;
recipient = config.krebs.users.makefu.mail;
};
};
# short daily, long weekly, check on boot
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
devices = lib.mkDefault [ ];
};
}
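Review bot: With `autodetect = false;` (L2374) and `devices = lib.mkDefault [ ];` (L2383), a host that imports this file without overriding `services.smartd.devices` runs smartd over an empty device list, so the mail notification configured at L2375-2379 never fires and nothing signals the gap. Either drop the default so evaluation fails until a host sets it, or add a comment such as `# hosts must set services.smartd.devices; autodetect is off on purpose`.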


@ -1,6 +1,22 @@
{ config, ... }: { config, lib, ... }:
{ {
nixpkgs.config.packageOverrides = pkgs: {
urlwatch = with pkgs.pythonPackages; buildPythonPackage rec {
name = "urlwatch-1.18";
propagatedBuildInputs = [ futures ];
src = pkgs.fetchurl {
url = "http://thp.io/2008/urlwatch/${name}.tar.gz";
sha256 = "090qfgx249ks7103sap6w47f8302ix2k46wxhfssxwsqcqdl25vb";
};
postFixup = ''
wrapProgram "$out/bin/urlwatch" --prefix "PYTHONPATH" : "$PYTHONPATH"
'';
};
};
krebs.urlwatch = { krebs.urlwatch = {
enable = true; enable = true;
mailto = config.krebs.users.makefu.mail; mailto = config.krebs.users.makefu.mail;
@ -12,7 +28,7 @@
http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release
https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
]; ];
}; };
} }
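Review bot: The new watch entry `http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/` (L2412) embeds a username and password in the URL; the urlwatch config ends up in the world-readable Nix store and the URL is reported in the notification mails, and the credential travels over plain http. If this is a well-known public guest login, a comment saying so is enough; otherwise it belongs in a secret rather than in the URL list. The urlwatch override at L2392-2404 also fetches over http, but the pinned `sha256` keeps that integrity-checked.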


@ -122,7 +122,7 @@ in {
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
vimrcConfig.vam.pluginDictionaries = [ vimrcConfig.vam.pluginDictionaries = [
{ names = [ "undotree" { names = [ "undotree"
"YouCompleteMe" # "YouCompleteMe"
"vim-better-whitespace" ]; } "vim-better-whitespace" ]; }
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
]; ];


@ -5,4 +5,5 @@ let
in { in {
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
users.extraUsers.${mainUser.name}.extraGroups = [ "libvirtd" ]; users.extraUsers.${mainUser.name}.extraGroups = [ "libvirtd" ];
networking.firewall.checkReversePath = false; # TODO: unsolved issue in nixpkgs:#9067 [bug]
} }
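Review bot: `networking.firewall.checkReversePath = false;` (L2434) disables reverse-path filtering for the whole host, not just the libvirt bridge, so the kernel stops dropping packets whose source address would not route back out the interface they arrived on. The TODO already points at nixpkgs #9067; stating the consequence and the removal condition as well would help, e.g. `# disables rp_filter host-wide (weakens anti-spoofing); remove once nixpkgs #9067 is fixed`.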


@ -1,33 +1,9 @@
{ config, lib, pkgs, ... }: _:
#usage: $ wvdial {
imports = [ ../3modules ];
let makefu.umts = {
mainUser = config.krebs.build.user; enable = true;
in { modem-device = "/dev/serial/by-id/usb-Lenovo_H5321_gw_2D5A51BA0D3C3A90-if01";
environment.systemPackages = with pkgs;[
wvdial
];
environment.shellAliases = {
umts = "sudo wvdial netzclub";
}; };
# configure for NETZCLUB
environment.wvdial.dialerDefaults = ''
Phone = *99***1#
Dial Command = ATDT
Modem = /dev/ttyACM0
Baud = 460800
Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0'';
users.extraUsers.${mainUser.name}.extraGroups = [ "dialout" ];
} }


@ -19,8 +19,7 @@ in
bindkey -e bindkey -e
# shift-tab # shift-tab
bindkey '^[[Z' reverse-menu-complete bindkey '^[[Z' reverse-menu-complete
bindkey "\e[3~" delete-char
autoload -U compinit && compinit
zstyle ':completion:*' menu select zstyle ':completion:*' menu select
# load gpg-agent # load gpg-agent


@ -1,263 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
buildbot = pkgs.buildbot;
buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
# -*- python -*-
from buildbot.plugins import *
import re
c = BuildmasterConfig = {}
c['slaves'] = []
# TODO: template potential buildslaves
# TODO: set password?
slavenames= [ 'testslave' ]
for i in slavenames:
c['slaves'].append(buildslave.BuildSlave(i, "krebspass"))
c['protocols'] = {'pb': {'port': 9989}}
####### Build Inputs
stockholm_repo = 'http://cgit.gum/stockholm'
c['change_source'] = []
c['change_source'].append(changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
####### Build Scheduler
# TODO: configure scheduler
c['schedulers'] = []
# test the master real quick
fast = schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
name="fast-master-test",
builderNames=["fast-tests"])
force = schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"])
# files everyone depends on or are part of the share branch
def shared_files(change):
r =re.compile("^((krebs|share)/.*|Makefile|default.nix)")
for file in change.files:
if r.match(file):
return True
return False
full = schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
fileIsImportant=shared_files,
name="full-master-test",
builderNames=["full-tests"])
c['schedulers'] = [ fast, force, full ]
###### The actual build
# couple of fast steps:
f = util.BuildFactory()
## fetch repo
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
f.addStep(grab_repo)
# the dependencies which are used by the test script
deps = [ "gnumake", "jq" ]
nixshell = ["nix-shell", "-p" ] + deps + [ "--run" ]
def addShell(f,**kwargs):
f.addStep(steps.ShellCommand(**kwargs))
addShell(f,name="centos7-eval",env={"LOGNAME": "shared",
"get" : "krebs.deploy",
"filter" : "json"
},
command=nixshell + ["make -s eval system=test-centos7"])
addShell(f,name="wolf-eval",env={"LOGNAME": "shared",
"get" : "krebs.deploy",
"filter" : "json"
},
command=nixshell + ["make -s eval system=wolf"])
c['builders'] = []
c['builders'].append(
util.BuilderConfig(name="fast-tests",
slavenames=slavenames,
factory=f))
# TODO slow build
c['builders'].append(
util.BuilderConfig(name="full-tests",
slavenames=slavenames,
factory=f))
####### Status of Builds
c['status'] = []
from buildbot.status import html
from buildbot.status.web import authz, auth
# TODO: configure if http is wanted
authz_cfg=authz.Authz(
# TODO: configure user/pw
auth=auth.BasicAuth([("krebs","bob")]),
gracefulShutdown = False,
forceBuild = 'auth',
forceAllBuilds = 'auth',
pingBuilder = False,
stopBuild = False,
stopAllBuilds = False,
cancelPendingBuild = False,
)
# TODO: configure nginx
c['status'].append(html.WebStatus(http_port=8010, authz=authz_cfg))
from buildbot.status import words
${optionalString (cfg.irc.enable) ''
irc = words.IRC("${cfg.irc.server}", "krebsbuild",
# TODO: multiple channels
channels=["${cfg.irc.channel}"],
notify_events={
#'success': 1,
#'failure': 1,
'exception': 1,
'successToFailure': 1,
'failureToSuccess': 1,
}${optionalString cfg.irc.allowForce ",allowForce=True"})
c['status'].append(irc)
''}
####### PROJECT IDENTITY
c['title'] = "Stockholm"
c['titleURL'] = "http://krebsco.de"
#c['buildbotURL'] = "http://buildbot.krebsco.de/"
# TODO: configure url
c['buildbotURL'] = "http://vbob:8010/"
####### DB URL
c['db'] = {
'db_url' : "sqlite:///state.sqlite",
}
${cfg.extraConfig}
'';
cfg = config.makefu.buildbot.master;
api = {
enable = mkEnableOption "Buildbot Master";
workDir = mkOption {
default = "/var/lib/buildbot/master";
type = types.str;
description = ''
Path to build bot master directory.
Will be created on startup.
'';
};
irc = mkOption {
default = {};
type = types.submodule ({ config, ... }: {
options = {
enable = mkEnableOption "Buildbot Master IRC Status";
channel = mkOption {
default = "nix-buildbot-meetup";
type = types.str;
description = ''
irc channel the bot should connect to
'';
};
allowForce = mkOption {
default = false;
type = types.bool;
description = ''
Determines if builds can be forced via IRC
'';
};
nick = mkOption {
default = "nix-buildbot";
type = types.str;
description = ''
nickname for IRC
'';
};
server = mkOption {
default = "irc.freenode.net";
type = types.str;
description = ''
Buildbot Status IRC Server to connect to
'';
};
};
});
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
extra config appended to the generated master.cfg
'';
};
};
imp = {
users.extraUsers.buildbotMaster = {
uid = 672626386; #genid buildbotMaster
description = "Buildbot Master";
home = cfg.workDir;
createHome = false;
};
users.extraGroups.buildbotMaster = {
gid = 672626386;
};
systemd.services.buildbotMaster = {
description = "Buildbot Master";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.git ];
serviceConfig = let
workdir="${lib.shell.escape cfg.workDir}";
# TODO: check if git is the only dep
in {
PermissionsStartOnly = true;
Type = "forking";
PIDFile = "${workdir}/twistd.pid";
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
#!/bin/sh
set -efux
if [ ! -e ${workdir} ];then
mkdir -p ${workdir}
${buildbot}/bin/buildbot create-master -r -l 10 -f ${workdir}
fi
# always override the master.cfg
cp ${buildbot-master-config} ${workdir}/master.cfg
# sanity
${buildbot}/bin/buildbot checkconfig ${workdir}
# TODO: maybe upgrade? not sure about this
# normally we should write buildbot.tac by our own
# ${buildbot}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${buildbot}/bin/buildbot start ${workdir}";
ExecStop = "${buildbot}/bin/buildbot stop ${workdir}";
ExecReload = "${buildbot}/bin/buildbot reconfig ${workdir}";
PrivateTmp = "true";
User = "buildbotMaster";
Restart = "always";
RestartSec = "10";
};
};
};
in
{
options.makefu.buildbot.master = api;
config = mkIf cfg.enable imp;
}


@ -2,8 +2,8 @@ _:
{ {
imports = [ imports = [
./buildbot/master.nix ./snapraid.nix
./buildbot/slave.nix ./umts.nix
]; ];
} }


@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
# returns dirname without / , used as disk name
dname = dir: replaceChars ["/"] [""] (head (reverseList (splitString "/" dir)));
snapraid-conf = ''
# Disks
${concatMapStringsSep "\n" (d: "disk ${dname d} ${d}") cfg.disks}
# Parity
${optionalString (cfg.parity != "") "parity ${cfg.parity}/snapraid.parity"}
# content on Disks
${optionalString cfg.contentOnDisks
concatMapStringsSep "\n" (d: "content ${d}/snapraid.content") cfg.disks}
# content on Parity
${optionalString (cfg.contentOnParity && cfg.parity != "")
"content ${cfg.parity}/snapraid.content"}
# Default content file
content ${cfg.defaultContentFile}
# Extra Configuration
${cfg.extraConfig}
'';
cfg = config.makefu.snapraid;
out = {
options.makefu.snapraid = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "snapraid";
timerConfig = mkOption {
type = types.unspecified;
description = ''
Start snapraid service
'';
default = {
OnCalendar = "daily";
};
};
disks = mkOption {
type = with types;listOf str;
description = ''
Disks to protect. Each disk is a path to the mounted directory of the
disk.
'';
};
parity = mkOption {
type = types.str;
description = ''
Folder to store parity file.
Set to empty string if you want to configure the parity yourself in
extraConfig.
All extra parity files (2,3,z, etc...) should be configured via
extraConfig.
'';
};
contentOnDisks = mkOption {
type = types.bool;
default = true;
description = ''
Store Content file on each Disk to protect.
Set this to false if you do not want this behavior to apply.
'';
};
contentOnParity = mkOption {
type = types.bool;
default = true;
description = ''
Store Content file on parity Disk.
Set this to false if you do not want this behavior to apply.
'';
};
defaultContentFile = mkOption {
type = types.str;
default = "/var/cache/snapraid.content";
description = ''
Path to default content file
Set to empty string if this content file should be written.
'';
};
extraConfig = mkOption {
type = types.string;
default = "";
description = ''
Extra configuration to be appended to the snapraid conf file.
You can configure extra Parity files as well as extra content files.
See `man snapraid` for additional configuration
'';
};
};
imp = {
environment.systemPackages = [
# for scrubbing,fixing
pkgs.snapraid
];
environment.etc."snapraid.conf".text = snapraid-conf;
systemd.timers.snapraid-sync = {
description = "snapraid sync timer";
wantedBy = [ "timers.target" ];
timerConfig = cfg.timerConfig;
};
systemd.services.snapraid-sync = {
description = "Snapraid sync service";
after = [ "network.target" "local-fs.target" ];
serviceConfig = {
Type = "simple";
ExecStartPre = pkgs.writeScript "Snapraid-sync-init" ''
#! /bin/sh
${optionalString (cfg.defaultContentFile != "")
"mkdir -p $(dirname ${cfg.defaultContentFile})"}
'';
ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
};
};
};
in out
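Review bot: `${optionalString cfg.contentOnDisks concatMapStringsSep "\n" (d: ...) cfg.disks}` (L2742-2743) is missing parentheses: Nix applies `optionalString` to `cfg.contentOnDisks` and the bare function `concatMapStringsSep`, so with `contentOnDisks = false` the resulting `""` is then applied to `"\n"` and evaluation fails. Write it as `${optionalString cfg.contentOnDisks (concatMapStringsSep "\n" (d: "content ${d}/snapraid.content") cfg.disks)}`. Likewise `content ${cfg.defaultContentFile}` (L2748) is emitted unconditionally, so the empty string the option description at L2806 invites produces a bare `content` line in snapraid.conf; guard it with `optionalString (cfg.defaultContentFile != "")` as the ExecStartPre at L2837 already does, and the description should read "should not be written". `types.string` at L2810 is the deprecated spelling; `types.lines` matches the "appended" semantics described there.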

76
makefu/3modules/umts.nix Normal file

@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
with lib;
let
# TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
systemctl start umts
trap "systemctl stop umts;trap - INT TERM EXIT;exit" INT TERM EXIT
echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
journalctl -xfu umts
'';
wvdial-defaults = ''
Phone = *99***1#
Dial Command = ATDT
Modem = ${cfg.modem-device}
Baud = 460800
Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0'';
cfg = config.makefu.umts;
out = {
options.makefu.umts = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "umts";
modem-device = mkOption {
default = "/dev/ttyUSB0";
type = types.str;
description = ''
path to modem device, use <filename>/dev/serial/by-id/...</filename>
to avoid race conditions.
'';
};
};
imp = {
environment.shellAliases = {
umts = "sudo ${umts-bin}/bin/umts";
};
environment.systemPackages = [ ];
environment.wvdial.dialerDefaults = wvdial-defaults;
systemd.targets.network-umts = {
description = "System is running on UMTS";
unitConfig.StopWhenUnneeded = true;
};
systemd.services.umts = {
description = "UMTS wvdial Service";
before = [ "network-umts.target" ];
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "4s";
ExecStart = "${pkgs.wvdial}/bin/wvdial -n";
};
};
};
in out
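Review bot: `echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf` (L2860) appends a public resolver to the system resolver list on every run and never removes it, so after a few sessions resolv.conf holds several copies and all of the host's DNS, not only UMTS traffic, keeps going to that resolver long after the trap at L2859 has stopped the service. Prefer letting the dial-up supply DNS (wvdial's `Auto DNS` setting, if the version in use supports it) or at least restore resolv.conf in the trap. `environment.systemPackages = [ ];` (L2897) is a no-op and can go, and the `Username`/`Password` pair in `wvdial-defaults` (L2873-2874) appears to be the provider's generic login; if so, the TODO at L2854 should say that, so nobody mistakes it for a secret that needs moving.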


@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
en = { enable = true;};
in {
krebs = {
enable = true;
build.user = config.krebs.users.shared;
build.host = config.krebs.hosts.test-all-krebs-modules;
Reaktor.enable = true;
apt-cacher-ng.enable = true;
backup.enable = true;
bepasty.enable = true;
buildbot.master.enable = true;
buildbot.slave = {
enable = true;
username = "lol";
password = "wut";
};
exim-retiolum.enable = true;
exim-smarthost = {
enable = true;
system-aliases = [ { from = "dick"; to = "butt"; } ];
};
go.enable = true;
iptables = {
enable = true;
tables = {};
};
nginx.enable = true;
realwallpaper.enable = true;
retiolum.enable = true;
retiolum-bootstrap.enable = true;
tinc_graphs.enable = true;
urlwatch.enable = true;
fetchWallpaper = {
enable = true;
url ="localhost";
};
};
# just get the system running
boot.loader.grub.devices = ["/dev/sda"];
fileSystems."/" = {
device = "/dev/lol";
};
}


@ -0,0 +1,6 @@
{ config, pkgs, ... }:
{
programs.ssh.startAgent = true;
programs.ssh.startAgent = false;
}
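Review bot: The duplicate `programs.ssh.startAgent` attribute (L2970-2971) reads like a copy-paste error, but the buildbot config in this commit runs `! make eval ... system=test-failing` as a cross-check, so the conflict is presumably the point. A one-line comment would protect it from a well-meaning fix: `# intentionally fails to evaluate: used by the buildbot deploy-eval-cross-check step`.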


@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
{
krebs = {
enable = true;
build.user = config.krebs.users.shared;
build.host = config.krebs.hosts.test-all-krebs-modules;
};
# just get the system to eval in nixos without errors
boot.loader.grub.devices = ["/dev/sda"];
fileSystems."/" = {
device = "/dev/lol";
};
}


@ -11,7 +11,7 @@ in
../2configs/collectd-base.nix ../2configs/collectd-base.nix
../2configs/shack-nix-cacher.nix ../2configs/shack-nix-cacher.nix
../2configs/shack-drivedroid.nix ../2configs/shack-drivedroid.nix
../2configs/cac-ci.nix ../2configs/buildbot-standalone.nix
../2configs/graphite.nix ../2configs/graphite.nix
]; ];
# use your own binary cache, fallback use cache.nixos.org (which is used by # use your own binary cache, fallback use cache.nixos.org (which is used by
@ -33,8 +33,6 @@ in
# uninteresting stuff # uninteresting stuff
##################### #####################
krebs.build.host = config.krebs.hosts.wolf; krebs.build.host = config.krebs.hosts.wolf;
# TODO rename shared user to "krebs"
krebs.build.user = config.krebs.users.shared;
krebs.build.target = "wolf"; krebs.build.target = "wolf";
boot.kernel.sysctl = { boot.kernel.sysctl = {


@ -14,11 +14,12 @@ with lib;
}; };
# TODO rename shared user to "krebs" # TODO rename shared user to "krebs"
krebs.build.user = config.krebs.users.shared; krebs.build.user = mkDefault config.krebs.users.shared;
krebs.build.source = { krebs.build.source = {
git.nixpkgs = { git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80"; rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
target-path = "/var/src/nixpkgs";
}; };
dir.secrets = { dir.secrets = {
host = config.krebs.current.host; host = config.krebs.current.host;
@ -27,6 +28,7 @@ with lib;
dir.stockholm = { dir.stockholm = {
host = config.krebs.current.host; host = config.krebs.current.host;
path = mkDefault "${getEnv "HOME"}/stockholm"; path = mkDefault "${getEnv "HOME"}/stockholm";
target-path = "/var/src/stockholm";
}; };
}; };


@ -0,0 +1,155 @@
{ lib, config, pkgs, ... }:
let
pkgs-unst = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
in {
nixpkgs.config.packageOverrides = pkgs: {
buildbot = pkgs-unst.buildbot;
buildbot-slave = pkgs-unst.buildbot-slave;
};
networking.firewall.allowedTCPPorts = [ 8010 9989 ];
krebs.buildbot.master = {
secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ];
slaves = {
testslave = "krebspass";
};
change_source.stockholm = ''
stockholm_repo = 'http://cgit.gum/stockholm'
cs.append(changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
'';
scheduler = {
force-scheduler = ''
sched.append(schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"]))
'';
fast-tests-scheduler = ''
# test the master real quick
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
treeStableTimer=10, #only test the latest push
name="fast-master-test",
builderNames=["fast-tests"]))
'';
test-cac-infest-master = ''
# files everyone depends on or are part of the share branch
def shared_files(change):
r =re.compile("^((krebs|shared)/.*|Makefile|default.nix)")
for file in change.files:
if r.match(file):
return True
return False
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
fileIsImportant=shared_files,
treeStableTimer=60*60, # master was stable for the last hour
name="full-master-test",
builderNames=["full-tests"]))
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
stockholm_repo = "http://cgit.gum.retiolum/stockholm"
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
env = {"LOGNAME": "shared", "NIX_REMOTE": "daemon"}
# prepare nix-shell
# the dependencies which are used by the test script
deps = [ "gnumake", "jq","nix","rsync",
"(import <stockholm> {}).pkgs.test.infest-cac-centos7" ]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
# prepare addShell function
def addShell(factory,**kwargs):
factory.addStep(steps.ShellCommand(**kwargs))
'';
builder = {
fast-tests = ''
f = util.BuildFactory()
f.addStep(grab_repo)
addShell(f,name="deploy-eval-centos7",env=env,
command=nixshell + ["make -s eval get=krebs.deploy filter=json system=test-centos7"])
addShell(f,name="deploy-eval-wolf",env=env,
command=nixshell + ["make -s eval get=krebs.deploy filter=json system=wolf"])
addShell(f,name="deploy-eval-cross-check",env=env,
command=nixshell + ["! make eval get=krebs.deploy filter=json system=test-failing"])
addShell(f,name="instantiate-test-all-modules",env=env,
command=nixshell + \
["touch retiolum.rsa_key.priv; \
nix-instantiate --eval -A \
users.shared.test-all-krebs-modules.system \
-I stockholm=. \
-I secrets=. '<stockholm>' \
--argstr current-date lol \
--argstr current-user-name shared \
--argstr current-host-name lol \
--strict --json"])
addShell(f,name="instantiate-test-minimal-deploy",env=env,
command=nixshell + \
["nix-instantiate --eval -A \
users.shared.test-minimal-deploy.system \
-I stockholm=. \
-I secrets=. '<stockholm>' \
--argstr current-date lol \
--argstr current-user-name shared \
--argstr current-host-name lol \
--strict --json"])
bu.append(util.BuilderConfig(name="fast-tests",
slavenames=slavenames,
factory=f))
'';
slow-tests = ''
s = util.BuildFactory()
s.addStep(grab_repo)
# slave needs 2 files:
# * cac.json
# * retiolum
s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/cac.json", slavedest="cac.json"))
s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/retiolum-ci.rsa_key.priv", slavedest="retiolum.rsa_key.priv"))
addShell(s, name="infest-cac-centos7",env=env,
sigtermTime=60, # SIGTERM 1 minute before SIGKILL
timeout=10800, # 3h
command=nixshell + ["infest-cac-centos7"])
bu.append(util.BuilderConfig(name="full-tests",
slavenames=slavenames,
factory=s))
'';
};
enable = true;
web = {
enable = true;
};
irc = {
enable = true;
nick = "shared-buildbot";
server = "cd.retiolum";
channels = [ "retiolum" ];
allowForce = true;
};
};
krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "krebspass";
packages = with pkgs;[ git nix ];
# all nix commands will need a working nixpkgs installation
extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
};
}
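Review bot: `import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {}` (L3037) pulls an unpinned, unhashed tarball of a moving channel at every evaluation, so the buildbot and buildbot-slave packages the CI host runs are whatever that URL served at the time and cannot be reproduced or audited later; pin a revision and hash, e.g. `fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/<REV>.tar.gz"; sha256 = "<SHA256>"; }` (placeholders), if the Nix version in use accepts the attrset form. `networking.firewall.allowedTCPPorts = [ 8010 9989 ];` (L3043) exposes the web UI and the slave port on all interfaces, while the slave authenticates with the static `krebspass` repeated at L3047 and L3171 and connects from localhost (L3169), so 9989 need not be opened at all. The `slow-tests` builder copies `retiolum-ci.rsa_key.priv` into the slave's build directory (L3145), where it stays after the build, and `irc.allowForce = true` (L3164) lets anyone in the channel trigger that builder, so the key's exposure is wider than the master's secrets list suggests. The repository URL also differs between the poller (`http://cgit.gum/stockholm`, L3050) and the build step (`http://cgit.gum.retiolum/stockholm`, L3089).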


@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
environment.systemPackages = with pkgs;[
get
cac
cacpanel
jq
];
}


@ -16,7 +16,6 @@ with lib;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# stockholm # stockholm
genid
gnumake gnumake
hashPassword hashPassword
lentil lentil
@ -234,7 +233,12 @@ with lib;
KERNEL=="hpet", GROUP="audio" KERNEL=="hpet", GROUP="audio"
''; '';
services.bitlbee.enable = true; services.bitlbee = {
enable = true;
plugins = [
pkgs.bitlbee-facebook
];
};
services.tor.client.enable = true; services.tor.client.enable = true;
services.tor.enable = true; services.tor.enable = true;
services.virtualboxHost.enable = true; services.virtualboxHost.enable = true;


@ -19,7 +19,6 @@ with lib;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# stockholm # stockholm
genid
gnumake gnumake
hashPassword hashPassword
lentil lentil

42
tv/2configs/backup.nix Normal file

@ -0,0 +1,42 @@
{ config, lib, ... }:
with lib;
{
krebs.backup.plans = addNames {
xu-test-cd = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; };
dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; };
#startAt = "0,6,12,18:00";
startAt = "minutely";
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
#xu-test-wu = {
# method = "push";
# dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; };
#};
cd-test-xu = {
method = "pull";
src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; };
dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; };
startAt = "minutely";
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
};
}
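Review bot: Both plans write snapshots under `/tmp/backups/...` (L3236, L3255) with `startAt = "minutely"`, and the `yearly` entries have no `retain`, so the retained history sits in a directory that NixOS may clean at boot and that every local user can read, while the yearly set grows without bound. The `-test` names and the commented-out `startAt = "0,6,12,18:00"` (L3237) suggest an experiment; a comment saying so, and moving the destinations out of /tmp before anything relies on them, would keep the file from being read as a production setting. This file appears to be imported by the shared tv config elsewhere in the commit, so the timers run on every host that pulls it in.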


@ -72,9 +72,9 @@ let
}; };
}; };
user = { user = rec {
name = "charybdis"; name = "charybdis";
uid = 3748224544; # genid charybdis uid = genid name;
}; };
configFile = toFile "charybdis-ircd.conf" '' configFile = toFile "charybdis-ircd.conf" ''
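Review bot: `uid = genid name;` (L3276) replaces the literal 3748224544 whose comment said it came from `genid charybdis`; if `genid` does not reproduce exactly that value, the service user's uid changes on the next activation and files owned by the old uid (state, logs) become inaccessible to the service. Worth confirming once by evaluating `genid "charybdis"` and comparing, and the same applies to the pulse (L3300), consul (L3376) and ejabberd (L3387) hunks in this commit. The enclosing `let` binding starts outside the hunk.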


@ -28,6 +28,7 @@ with lib;
imports = [ imports = [
<secrets> <secrets>
./backup.nix
./vim.nix ./vim.nix
{ {
# stockholm dependencies # stockholm dependencies


@ -69,12 +69,10 @@ in
}; };
}; };
users = let users = {
id = 3768151709; # genid pulse groups.pulse.gid = config.users.users.pulse.uid;
in {
groups.pulse.gid = id;
users.pulse = { users.pulse = {
uid = id; uid = genid "pulse";
group = "pulse"; group = "pulse";
extraGroups = [ "audio" ]; extraGroups = [ "audio" ];
home = "${runDir}/home"; home = "${runDir}/home";


@ -4,7 +4,7 @@ with lib;
let let
out = { out = {
environment.systemPackages = [ environment.systemPackages = [
pkgs.vim vim
]; ];
# Nano really is just a stupid name for Vim. # Nano really is just a stupid name for Vim.
@ -22,14 +22,38 @@ let
"${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree" "${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree"
]; ];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
swapdir = "$HOME/.cache/vim/swap";
undodir = "$HOME/.cache/vim/undo";
};
files = {
viminfo = "$HOME/.cache/vim/info";
};
mkdirs = let
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
in assert out != ""; out;
alldirs = attrValues dirs ++ map dirOf (attrValues files);
in unique (sort lessThan alldirs);
vim = pkgs.writeScriptBin "vim" ''
#! ${pkgs.dash}/bin/dash
set -f
umask 0077
${concatStringsSep "\n" (map (x: "mkdir -p ${x}") mkdirs)}
umask 0022
exec ${pkgs.vim}/bin/vim "$@"
'';
vimrc = pkgs.writeText "vimrc" '' vimrc = pkgs.writeText "vimrc" ''
set nocompatible set nocompatible
set autoindent set autoindent
set backspace=indent,eol,start set backspace=indent,eol,start
set backup set backup
set backupdir=$HOME/.vim/backup/ set backupdir=${dirs.backupdir}/
set directory=$HOME/.vim/cache// set directory=${dirs.swapdir}//
set hlsearch set hlsearch
set incsearch set incsearch
set mouse=a set mouse=a
@ -40,11 +64,11 @@ let
set showcmd set showcmd
set showmatch set showmatch
set ttimeoutlen=0 set ttimeoutlen=0
set undodir=$HOME/.vim/undo set undodir=${dirs.undodir}
set undofile set undofile
set undolevels=1000000 set undolevels=1000000
set undoreload=1000000 set undoreload=1000000
set viminfo='20,<1000,s100,h,n$HOME/.vim/cache/info set viminfo='20,<1000,s100,h,n${files.viminfo}
set visualbell set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu set wildmenu
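Review bot: The `vim` wrapper (L3330-3337) creates the cache directories under `umask 0077` and then switches to `umask 0022` before exec, which is the right shape (backup, swap and undo files reproduce edited file contents, so those directories should be private) but nothing says so; suggest `# backup/swap/undo files mirror edited content: create the cache dirs 0700` above the first umask and `# back to the default umask for files vim creates itself` above the second. The script sets `-f` but not `-e`, so a failed `mkdir -p` (for example with `HOME` unset) silently falls through to `exec`, which is probably acceptable but deserves a word. Replacing `pkgs.vim` with the wrapper in `environment.systemPackages` (L3311) also drops the other binaries of the vim package (vimdiff, ex, ...) from the system profile, if that was not intended.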


@ -48,7 +48,7 @@ let
"slock" "slock"
]; ];
systemd.services.display-manager = mkForce {}; systemd.services.display-manager.enable = false;
services.xserver.enable = true; services.xserver.enable = true;


@ -109,9 +109,9 @@ let
}; };
}; };
user = { user = rec {
name = "consul"; name = "consul";
uid = 2999951406; # genid consul uid = genid name;
}; };
in in


@ -53,9 +53,9 @@ let
}; };
}; };
user = { user = rec {
name = "ejabberd"; name = "ejabberd";
uid = 3499746127; # genid ejabberd uid = genid name;
}; };
my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" '' my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" ''