Merge branch 'master' of gum:stockholm

This commit is contained in:
makefu 2016-01-18 12:50:20 +01:00
commit f475401033
95 changed files with 1896 additions and 774 deletions

View File

@ -35,7 +35,7 @@ ifeq ($(filter),json)
else
filter() { cat; }
endif
nix-instantiate \
result=$$(nix-instantiate \
$${extraArgs-} \
--eval \
-A "$$get" \
@ -45,8 +45,9 @@ endif
--argstr current-host-name "$$HOSTNAME" \
--argstr current-user-name "$$LOGNAME" \
$${system+--argstr system "$$system"} \
$${target+--argstr target "$$target"} \
| filter
$${target+--argstr target "$$target"})
echo "$$result" | filter
else
$(error unbound variable: system[s])
endif

View File

@ -1,25 +1,15 @@
{ config, pkgs,lib, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
inherit (lib)
mkIf
mkOption
types
singleton
isString
optionalString
concatStrings
escapeShellArg
;
ReaktorConfig = pkgs.writeText "config.py" ''
${if (isString cfg.overrideConfig ) then ''
# Overriden Config
${cfg.overrideConfig}
'' else ""}
## Extra Config
${concatStringsSep "\n" (map (plug: plug.config) cfg.plugins)}
${cfg.extraConfig}
'';
cfg = config.krebs.Reaktor;
@ -46,7 +36,6 @@ let
'';
};
overrideConfig = mkOption {
default = null;
type = types.nullOr types.str;
@ -55,6 +44,9 @@ let
Reaktor default cfg can be retrieved via `reaktor get-config`
'';
};
plugins = mkOption {
default = [pkgs.ReaktorPlugins.nixos-version];
};
extraConfig = mkOption {
default = "";
type = types.string;
@ -62,6 +54,14 @@ let
configuration appended to the default or overridden configuration
'';
};
workdir = mkOption {
default = "/var/lib/Reaktor";
type = types.str;
description = ''
Reaktor working directory
'';
};
extraEnviron = mkOption {
default = {};
type = types.attrsOf types.str;
@ -70,12 +70,17 @@ let
REAKTOR_HOST
REAKTOR_PORT
REAKTOR_STATEDIR
REAKTOR_CHANNELS
debug and nickname can be set separately via the Reaktor api
'';
};
channels = mkOption {
default = [ "#krebs" ];
type = types.listOf types.str;
description = ''
Channels the Reaktor should connect to at startup.
'';
};
debug = mkOption {
default = false;
description = ''
@ -86,12 +91,11 @@ let
imp = {
# for reaktor get-config
users.extraUsers = singleton {
users.extraUsers = singleton rec {
name = "Reaktor";
# uid = config.ids.uids.Reaktor;
uid = 2066439104; #genid Reaktor
uid = genid name;
description = "Reaktor user";
home = "/var/lib/Reaktor";
home = cfg.workdir;
createHome = true;
};
@ -113,6 +117,9 @@ let
GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
REAKTOR_NICKNAME = cfg.nickname;
REAKTOR_DEBUG = (if cfg.debug then "True" else "False");
REAKTOR_CHANNELS = lib.concatStringsSep "," cfg.channels;
state_dir = cfg.workdir;
} // cfg.extraEnviron;
serviceConfig= {
ExecStartPre = pkgs.writeScript "Reaktor-init" ''

View File

@ -119,16 +119,14 @@ let
imp = {
users.extraUsers.acng = {
# uid = config.ids.uids.acng;
uid = 897955083; #genid Reaktor
uid = genid "acng";
description = "apt-cacher-ng";
home = acng-home;
createHome = false;
};
users.extraGroups.acng = {
gid = 897955083; #genid Reaktor
# gid = config.ids.gids.Reaktor;
gid = genid "acng";
};
systemd.services.apt-cacher-ng = {

286
krebs/3modules/backup.nix Normal file
View File

@ -0,0 +1,286 @@
{ config, lib, pkgs, ... }:
with lib;
let
out = {
options.krebs.backup = api;
config = mkIf cfg.enable imp;
};
cfg = config.krebs.backup;
api = {
enable = mkEnableOption "krebs.backup" // { default = true; };
plans = mkOption {
default = {};
type = types.attrsOf (types.submodule ({
# TODO enable = mkEnableOption "TODO" // { default = true; };
options = {
method = mkOption {
type = types.enum ["pull" "push"];
};
name = mkOption {
type = types.str;
};
src = mkOption {
type = types.krebs.file-location;
};
dst = mkOption {
type = types.krebs.file-location;
};
startAt = mkOption {
type = types.str;
};
snapshots = mkOption {
type = types.attrsOf (types.submodule {
options = {
format = mkOption {
type = types.str; # TODO date's +FORMAT
};
retain = mkOption {
type = types.nullOr types.int;
default = null; # null = retain all snapshots
};
};
});
};
};
}));
};
};
imp = {
users.groups.backup.gid = genid "backup";
users.users = {}
// {
root.openssh.authorizedKeys.keys =
map (plan: plan.dst.host.ssh.pubkey)
(filter isPullSrc (attrValues cfg.plans))
++
map (plan: plan.src.host.ssh.pubkey)
(filter isPushDst (attrValues cfg.plans))
;
}
;
systemd.services =
flip mapAttrs' (filterAttrs (_:isPullDst) cfg.plans) (name: plan: {
name = "backup.${name}.pull";
value = makePullService plan;
})
//
flip mapAttrs' (filterAttrs (_:isPushSrc) cfg.plans) (name: plan: {
name = "backup.${name}.push";
value = makePushService plan;
})
;
};
isPushSrc = plan:
plan.method == "push" &&
plan.src.host.name == config.krebs.build.host.name;
isPullSrc = plan:
plan.method == "pull" &&
plan.src.host.name == config.krebs.build.host.name;
isPushDst = plan:
plan.method == "push" &&
plan.dst.host.name == config.krebs.build.host.name;
isPullDst = plan:
plan.method == "pull" &&
plan.dst.host.name == config.krebs.build.host.name;
# TODO push destination needs this in the dst.user's PATH
service-path = [
pkgs.coreutils
pkgs.gnused
pkgs.openssh
pkgs.rsync
pkgs.utillinux
];
# TODO if there is plan.user, then use its privkey
makePushService = plan: assert isPushSrc plan; {
path = service-path;
serviceConfig = {
ExecStart = push plan;
Type = "oneshot";
};
startAt = plan.startAt;
};
makePullService = plan: assert isPullDst plan; {
path = service-path;
serviceConfig = {
ExecStart = pull plan;
Type = "oneshot";
};
startAt = plan.startAt;
};
push = plan: let
# We use writeDashBin and return the absolute path so systemd will produce
# nice names in the log, i.e. without the Nix store hash.
out = "${main}/bin/${main.name}";
main = writeDashBin "backup.${plan.name}.push" ''
set -efu
dst=${shell.escape plan.dst.path}
mkdir -m 0700 -p "$dst"
exec flock -n "$dst" ${critical-section}
'';
critical-section = writeDash "backup.${plan.name}.push.critical-section" ''
# TODO check if there is a previous
set -efu
identity=${shell.escape plan.src.host.ssh.privkey.path}
src=${shell.escape plan.src.path}
dst_target=${shell.escape "root@${getFQDN plan.dst.host}"}
dst_path=${shell.escape plan.dst.path}
dst=$dst_target:$dst_path
# Export NOW so runtime of rsync doesn't influence snapshot naming.
export NOW
NOW=$(date +%s)
echo >&2 "update snapshot: current; $src -> $dst"
rsync >&2 \
-aAXF --delete \
-e "ssh -F /dev/null -i $identity" \
--rsync-path ${shell.escape
"mkdir -m 0700 -p ${shell.escape plan.dst.path} && rsync"} \
--link-dest="$dst_path/current" \
"$src/" \
"$dst/.partial"
exec ssh -F /dev/null \
-i "$identity" \
"$dst_target" \
-T \
env NOW="$NOW" /bin/sh < ${remote-snapshot}
EOF
'';
remote-snapshot = writeDash "backup.${plan.name}.push.remote-snapshot" ''
set -efu
dst=${shell.escape plan.dst.path}
if test -e "$dst/current"; then
mv "$dst/current" "$dst/.previous"
fi
mv "$dst/.partial" "$dst/current"
rm -fR "$dst/.previous"
echo >&2
(${(take-snapshots plan).text})
'';
in out;
# TODO admit plan.dst.user and its ssh identity
pull = plan: let
# We use writeDashBin and return the absolute path so systemd will produce
# nice names in the log, i.e. without the Nix store hash.
out = "${main}/bin/${main.name}";
main = writeDashBin "backup.${plan.name}.pull" ''
set -efu
dst=${shell.escape plan.dst.path}
mkdir -m 0700 -p "$dst"
exec flock -n "$dst" ${critical-section}
'';
critical-section = writeDash "backup.${plan.name}.pull.critical-section" ''
# TODO check if there is a previous
set -efu
identity=${shell.escape plan.dst.host.ssh.privkey.path}
src=${shell.escape "root@${getFQDN plan.src.host}:${plan.src.path}"}
dst=${shell.escape plan.dst.path}
# Export NOW so runtime of rsync doesn't influence snapshot naming.
export NOW
NOW=$(date +%s)
echo >&2 "update snapshot: current; $dst <- $src"
mkdir -m 0700 -p ${shell.escape plan.dst.path}
rsync >&2 \
-aAXF --delete \
-e "ssh -F /dev/null -i $identity" \
--link-dest="$dst/current" \
"$src/" \
"$dst/.partial"
mv "$dst/current" "$dst/.previous"
mv "$dst/.partial" "$dst/current"
rm -fR "$dst/.previous"
echo >&2
exec ${take-snapshots plan}
'';
in out;
take-snapshots = plan: writeDash "backup.${plan.name}.take-snapshots" ''
set -efu
NOW=''${NOW-$(date +%s)}
dst=${shell.escape plan.dst.path}
snapshot() {(
: $ns $format $retain
name=$(date --date="@$NOW" +"$format")
if ! test -e "$dst/$ns/$name"; then
echo >&2 "create snapshot: $ns/$name"
mkdir -m 0700 -p "$dst/$ns"
rsync >&2 \
-aAXF --delete \
--link-dest="$dst/current" \
"$dst/current/" \
"$dst/$ns/.partial.$name"
mv "$dst/$ns/.partial.$name" "$dst/$ns/$name"
echo >&2
fi
case $retain in
([0-9]*)
delete_from=$(($retain + 1))
ls -r "$dst/$ns" \
| sed -n "$delete_from,\$p" \
| while read old_name; do
echo >&2 "delete snapshot: $ns/$old_name"
rm -fR "$dst/$ns/$old_name"
done
;;
(ALL)
:
;;
esac
)}
${concatStringsSep "\n" (mapAttrsToList (ns: { format, retain ? null, ... }:
toString (map shell.escape [
"ns=${ns}"
"format=${format}"
"retain=${if retain == null then "ALL" else toString retain}"
"snapshot"
]))
plan.snapshots)}
'';
# TODO getFQDN: admit hosts in other domains
getFQDN = host: "${host.name}.${config.krebs.search-domain}";
writeDash = name: text: pkgs.writeScript name ''
#! ${pkgs.dash}/bin/dash
${text}
'';
writeDashBin = name: text: pkgs.writeTextFile {
executable = true;
destination = "/bin/${name}";
name = name;
text = ''
#! ${pkgs.dash}/bin/dash
${text}
'';
};
in out

View File

@ -130,12 +130,12 @@ let
) cfg.servers;
users.extraUsers.bepasty = {
uid = 2796546855; #genid bepasty
uid = genid "bepasty";
group = "bepasty";
home = "/var/lib/bepasty-server";
};
users.extraGroups.bepasty = {
gid = 2796546855; #genid bepasty
gid = genid "bepasty";
};
};

View File

@ -0,0 +1,385 @@
{ config, pkgs, lib, ... }:
with lib;
let
buildbot = pkgs.buildbot;
buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
# -*- python -*-
from buildbot.plugins import *
import re
import json
c = BuildmasterConfig = {}
c['slaves'] = []
slaves = json.loads('${builtins.toJSON cfg.slaves}')
slavenames = [ s for s in slaves ]
for k,v in slaves.items():
c['slaves'].append(buildslave.BuildSlave(k, v))
# TODO: configure protocols?
c['protocols'] = {'pb': {'port': 9989}}
####### Build Inputs
c['change_source'] = cs = []
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Change_Source: Begin of ${n}
${v}
#### Change_Source: End of ${n}
'') cfg.change_source )}
####### Build Scheduler
c['schedulers'] = sched = []
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Schedulers: Begin of ${n}
${v}
#### Schedulers: End of ${n}
'') cfg.scheduler )}
###### Builder
c['builders'] = bu = []
# Builder Pre: Begin
${cfg.builder_pre}
# Builder Pre: End
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Builder: Begin of ${n}
${v}
#### Builder: End of ${n}
'') cfg.builder )}
####### Status
c['status'] = st = []
# If you want to configure this url, override with extraConfig
c['buildbotURL'] = "http://${config.networking.hostName}:${toString cfg.web.port}/"
${optionalString (cfg.web.enable) ''
from buildbot.status import html
from buildbot.status.web import authz, auth
authz_cfg=authz.Authz(
auth=auth.BasicAuth([ ("${cfg.web.username}","${cfg.web.password}") ]),
# TODO: configure harder
gracefulShutdown = False,
forceBuild = 'auth',
forceAllBuilds = 'auth',
pingBuilder = False,
stopBuild = 'auth',
stopAllBuilds = 'auth',
cancelPendingBuild = 'auth'
)
# TODO: configure krebs.nginx
st.append(html.WebStatus(http_port=${toString cfg.web.port}, authz=authz_cfg))
''}
${optionalString (cfg.irc.enable) ''
from buildbot.status import words
irc = words.IRC("${cfg.irc.server}", "${cfg.irc.nick}",
channels=${builtins.toJSON cfg.irc.channels},
notify_events={
'success': 1,
'failure': 1,
'exception': 1,
'successToFailure': 1,
'failureToSuccess': 1,
}${optionalString cfg.irc.allowForce ",allowForce=True"})
c['status'].append(irc)
''}
${ concatStringsSep "\n"
(mapAttrsToList (n: v: ''
#### Status: Begin of ${n}
${v}
#### Status: End of ${n}
'') cfg.status )}
####### PROJECT IDENTITY
c['title'] = "${cfg.title}"
c['titleURL'] = "http://krebsco.de"
####### DB URL
# TODO: configure
c['db'] = {
'db_url' : "sqlite:///state.sqlite",
}
${cfg.extraConfig}
'';
cfg = config.krebs.buildbot.master;
api = {
enable = mkEnableOption "Buildbot Master";
title = mkOption {
default = "Buildbot CI";
type = types.str;
description = ''
Title of the Buildbot Installation
'';
};
workDir = mkOption {
default = "/var/lib/buildbot/master";
type = types.str;
description = ''
Path to build bot master directory.
Will be created on startup.
'';
};
secrets = mkOption {
default = [];
type = types.listOf types.str;
example = [ "cac.json" ];
description = ''
List of all the secrets in <secrets> which should be copied into the
buildbot master directory.
'';
};
slaves = mkOption {
default = {};
type = types.attrsOf types.str;
description = ''
Attrset of slavenames with their passwords
slavename = slavepassword
'';
};
change_source = mkOption {
default = {};
type = types.attrsOf types.str;
example = {
stockholm = ''
cs.append(changes.GitPoller(
'http://cgit.gum/stockholm',
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
'';
};
description = ''
Attrset of all the change_sources which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>cs</literal>
'';
};
scheduler = mkOption {
default = {};
type = types.attrsOf types.str;
example = {
force-scheduler = ''
sched.append(schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"]))
'';
};
description = ''
Attrset of all the schedulers which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>sched</literal>
'';
};
builder_pre = mkOption {
default = "";
type = types.lines;
example = ''
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
'';
description = ''
some code before the builders are being assembled.
can be used to define functions used by multiple builders
'';
};
builder = mkOption {
default = {};
type = types.attrsOf types.str;
example = {
fast-test = ''
'';
};
description = ''
Attrset of all the builder which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>bu</literal>
'';
};
status = mkOption {
default = {};
type = types.attrsOf types.str;
description = ''
Attrset of all the extra status which should be configured.
It will be directly included into the master configuration.
At the end an change object should be appended to <literal>st</literal>
Right now IRC and Web status can be configured by setting
<literal>buildbot.master.irc.enable</literal> and
<literal>buildbot.master.web.enable</literal>
'';
};
# Configurable Stati
web = mkOption {
default = {};
type = types.submodule ({ config2, ... }: {
options = {
enable = mkEnableOption "Buildbot Master Web Status";
username = mkOption {
default = "krebs";
type = types.str;
description = ''
username for web authentication
'';
};
hostname = mkOption {
default = config.networking.hostName;
type = types.str;
description = ''
web interface Hostname
'';
};
password = mkOption {
default = "bob";
type = types.str;
description = ''
password for web authentication
'';
};
port = mkOption {
default = 8010;
type = types.int;
description = ''
port for buildbot web status
'';
};
};
});
};
irc = mkOption {
default = {};
type = types.submodule ({ config, ... }: {
options = {
enable = mkEnableOption "Buildbot Master IRC Status";
channels = mkOption {
default = [ "nix-buildbot-meetup" ];
type = with types; listOf str;
description = ''
irc channels the bot should connect to
'';
};
allowForce = mkOption {
default = false;
type = types.bool;
description = ''
Determines if builds can be forced via IRC
'';
};
nick = mkOption {
default = "nix-buildbot";
type = types.str;
description = ''
nickname for IRC
'';
};
server = mkOption {
default = "irc.freenode.net";
type = types.str;
description = ''
Buildbot Status IRC Server to connect to
'';
};
};
});
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
extra config appended to the generated master.cfg
'';
};
};
imp = {
users.extraUsers.buildbotMaster = {
uid = genid "buildbotMaster";
description = "Buildbot Master";
home = cfg.workDir;
createHome = false;
};
users.extraGroups.buildbotMaster = {
gid = 672626386;
};
systemd.services.buildbotMaster = {
description = "Buildbot Master";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
# TODO: add extra dependencies to master like svn and cvs
path = [ pkgs.git ];
environment = {
SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
};
serviceConfig = let
workdir="${lib.shell.escape cfg.workDir}";
secretsdir="${lib.shell.escape (toString <secrets>)}";
in {
PermissionsStartOnly = true;
Type = "forking";
PIDFile = "${workdir}/twistd.pid";
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
#!/bin/sh
set -efux
if [ ! -e ${workdir} ];then
mkdir -p ${workdir}
${buildbot}/bin/buildbot create-master -r -l 10 -f ${workdir}
fi
# always override the master.cfg
cp ${buildbot-master-config} ${workdir}/master.cfg
# copy secrets
${ concatMapStringsSep "\n"
(f: "cp ${secretsdir}/${f} ${workdir}/${f}" ) cfg.secrets }
# sanity
${buildbot}/bin/buildbot checkconfig ${workdir}
# TODO: maybe upgrade? not sure about this
# normally we should write buildbot.tac by our own
# ${buildbot}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${buildbot}/bin/buildbot start ${workdir}";
ExecStop = "${buildbot}/bin/buildbot stop ${workdir}";
ExecReload = "${buildbot}/bin/buildbot reconfig ${workdir}";
PrivateTmp = "true";
User = "buildbotMaster";
Restart = "always";
RestartSec = "10";
};
};
};
in
{
options.krebs.buildbot.master = api;
config = mkIf cfg.enable imp;
}

View File

@ -39,7 +39,7 @@ let
s.setServiceParent(application)
'';
default-packages = [ pkgs.git pkgs.bash ];
cfg = config.makefu.buildbot.slave;
cfg = config.krebs.buildbot.slave;
api = {
enable = mkEnableOption "Buildbot Slave";
@ -127,7 +127,7 @@ let
imp = {
users.extraUsers.buildbotSlave = {
uid = 1408105834; #genid buildbotMaster
uid = genid "buildbotSlave";
description = "Buildbot Slave";
home = cfg.workDir;
createHome = false;
@ -144,6 +144,7 @@ let
path = default-packages ++ cfg.packages;
environment = {
SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
NIX_REMOTE="daemon";
} // cfg.extraEnviron;
@ -180,6 +181,6 @@ let
};
in
{
options.makefu.buildbot.slave = api;
options.krebs.buildbot.slave = api;
config = mkIf cfg.enable imp;
}

View File

@ -7,8 +7,11 @@ let
out = {
imports = [
./apt-cacher-ng.nix
./backup.nix
./bepasty-server.nix
./build.nix
./buildbot/master.nix
./buildbot/slave.nix
./current.nix
./exim-retiolum.nix
./exim-smarthost.nix

View File

@ -1,14 +1,12 @@
{ config, pkgs, lib, ... }:
with builtins;
with lib;
let
cfg = config.krebs.exim-retiolum;
out = {
options.krebs.exim-retiolum = api;
config =
mkIf cfg.enable imp;
config = mkIf cfg.enable imp;
};
api = {
@ -16,13 +14,13 @@ let
};
imp = {
services.exim =
services.exim = {
enable = true;
config =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
assert config.krebs.retiolum.enable;
{
enable = true;
config = ''
''
primary_hostname = ${retiolumHostname}
domainlist local_domains = @ : localhost
domainlist relay_to_domains = *.retiolum

View File

@ -51,7 +51,7 @@ let
imp = {
users.users.fetchWallpaper = {
name = "fetchWallpaper";
uid = 3332383611; #genid fetchWallpaper
uid = genid "fetchWallpaper";
description = "fetchWallpaper user";
home = cfg.stateDir;
createHome = true;

View File

@ -145,14 +145,14 @@ let
]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules));
};
users.extraUsers = singleton {
users.extraUsers = singleton rec {
description = "Git repository hosting user";
name = "git";
shell = "/bin/sh";
openssh.authorizedKeys.keys =
mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
config.krebs.users;
uid = 129318403; # genid git
uid = genid name;
};
};
@ -238,9 +238,9 @@ let
};
};
fcgitwrap-user = {
fcgitwrap-user = rec {
name = "fcgiwrap";
uid = 2867890860; # genid fcgiwrap
uid = genid name;
group = "fcgiwrap";
};

View File

@ -56,9 +56,9 @@ let
};
};
user = {
user = rec {
name = "github-hosts-sync";
uid = 3220554646; # genid github-hosts-sync
uid = genid name;
};
# TODO move to lib?

View File

@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
with builtins;
with lib;
let
@ -31,9 +30,9 @@ let
bind = mkDefault "127.0.0.1";
};
users.extraUsers.go = {
users.extraUsers.go = rec {
name = "go";
uid = 42774411; #genid go
uid = genid name;
description = "go url shortener user";
home = "/var/lib/go";
createHome = true;

View File

@ -83,6 +83,9 @@ with lib;
'';
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster";
};
vbob = {
@ -108,6 +111,8 @@ with lib;
'';
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPLTMl+thSq77cjYa2XF7lz5fA7JMftrLo8Dy/OBXSg root@nixos";
};
flap = rec {
cores = 1;
@ -238,6 +243,8 @@ with lib;
'';
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4Tjx9qK6uWtxT1HCpeC0XvDZKO/kaPygyKatpAqU6I root@wry";
};
filepimp = rec {
cores = 1;
@ -287,6 +294,8 @@ with lib;
'';
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
};
gum = rec {
cores = 1;
@ -327,6 +336,8 @@ with lib;
'';
};
};
ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
};
};
users = addNames rec {

View File

@ -1,13 +1,7 @@
arg@{ config, lib, pkgs, ... }:
with lib;
let
inherit (lib)
mkEnableOption
mkOption
types
mkIf
;
cfg = config.krebs.realwallpaper;
out = {
@ -89,7 +83,7 @@ let
};
users.extraUsers.realwallpaper = {
uid = 2009435407; #genid realwallpaper
uid = genid "realwallpaper";
home = cfg.workingDir;
createHome = true;
};

View File

@ -133,9 +133,9 @@ let
};
};
user = {
user = rec {
name = "retiolum";
uid = 301281149; # genid retiolum
uid = genid name;
};
tinc = cfg.tincPackage;

View File

@ -7,6 +7,7 @@ let
"test-arch"
"test-centos6"
"test-centos7"
"test-all-krebs-modules"
] (name: {
inherit name;
cores = 1;

View File

@ -120,7 +120,7 @@ let
};
users.extraUsers.tinc_graphs = {
uid = 3925439960; #genid tinc_graphs
uid = genid "tinc_graphs";
home = "/var/spool/tinc_graphs";
};

View File

@ -5,7 +5,6 @@
# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}"
# TODO hooks.py
with builtins;
with lib;
let
cfg = config.krebs.urlwatch;
@ -136,9 +135,9 @@ let
};
};
user = {
user = rec {
name = "urlwatch";
uid = 3467631196; # genid urlwatch
uid = genid name;
};
in
out

View File

@ -7,6 +7,8 @@ let out = rec {
eq = x: y: x == y;
mod = x: y: x - y * (x / y);
addName = name: set:
set // { inherit name; };
@ -17,6 +19,7 @@ let out = rec {
dir.has-default-nix = path: pathExists (path + "/default.nix");
dns = import ./dns.nix { inherit lib; };
genid = import ./genid.nix { lib = lib // out; };
git = import ./git.nix { lib = lib // out; };
listset = import ./listset.nix { inherit lib; };
shell = import ./shell.nix { inherit lib; };

37
krebs/4lib/genid.nix Normal file
View File

@ -0,0 +1,37 @@
{ lib, ... }:
with lib;
with builtins;
let out = genid;
# id = genid s = (hash s + min) % max
# min <= genid s < max
#
# min = 2^24 = 16777216 = 0x001000000
# max = 2^32 = 4294967296 = 0x100000000
#
# id is bigger than UID of nobody and GID of nogroup
# see <nixos/modules/misc/ids.nix> and some spare for stuff like lxd.
#
# :: str -> uint32
genid = s: sum16 (addmod16_16777216 (hash s));
# :: str -> list8 uint4
hash = s:
map hexint (stringToCharacters (substring 32 8 (hashString "sha1" s)));
# :: list uint -> uint
sum16 = foldl (a: i: a * 16 + i) 0;
# :: list8 uint4 -> list1 uint8 ++ list6 uint4
addmod16_16777216 = x: let
a = 16 * head x + head (tail x);
d = tail (tail x);
in [(mod (a + 1) 256)] ++ d;
# :: char -> uint4
hexint = x: hexvals.${toLower x};
# :: attrset char uint4
hexvals = listToAttrs (imap (i: c: { name = c; value = i - 1; })
(stringToCharacters "0123456789abcdef"));
in out

View File

@ -177,4 +177,21 @@ types // rec {
addr6 = str;
hostname = str;
label = str;
krebs.file-location = types.submodule {
options = {
# TODO user
host = mkOption {
type = host;
};
# TODO merge with ssl.privkey.path
path = mkOption {
type = types.either types.path types.str;
apply = x: {
path = toString x;
string = x;
}.${typeOf x};
};
};
};
}

View File

@ -0,0 +1,120 @@
{ stdenv, lib, pkgs, makeWrapper }:
rec {
# Begin API
buildBaseReaktorPlugin = { name
, config # python extra configuration for plugin
, phases ? []
, ... } @ attrs:
stdenv.mkDerivation (attrs // {
name = "Reaktor-plugin-" + name;
isReaktorPlugin = true;
});
buildSimpleReaktorPlugin = name: { script
, path ? []
, env ? {}
, append_rule ? false # append the rule instead of insert
, pattern ? ""
, ... } @ attrs:
let
path_env = { "PATH" = lib.makeSearchPath "bin" (path ++ [ pkgs.coreutils ]); };
src_dir = pkgs.substituteAll ( {
inherit name;
dir = "bin";
isExecutable = true;
src = script;
});
src_file = "${src_dir}/bin/${name}";
config = ''
public_commands.${if append_rule then "append(" else "insert(0," }{
'capname' : "${name}",
'pattern' : ${if pattern == "" then
''indirect_pattern.format("${name}")'' else
''"${pattern}"'' },
'argv' : ["${src_file}"],
'env' : ${builtins.toJSON (path_env // env)} })
'';
config_file = pkgs.writeText "plugin.py" config;
in buildBaseReaktorPlugin (attrs // rec {
inherit name config;
phases = [ "installPhase" ];
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p $out/bin $out/etc/Reaktor
ln -s ${src_file} $out/bin
wrapProgram $out/bin/${name} \
--prefix PATH : ${path_env.PATH}
ln -s ${config_file} $out/etc/Reaktor/plugin.py
'';
});
# End API
# Begin Plugins
random-emoji = buildSimpleReaktorPlugin "emoji" {
path = with pkgs; [ gnused gnugrep xmlstarlet curl ];
script = ./scripts/random-emoji.sh;
};
sed-plugin = buildSimpleReaktorPlugin "sed-plugin" {
path = [ pkgs.gnused pkgs.python3 ];
# only support s///gi the plugin needs to see every msg
# TODO: this will eat up the last regex, fix Reaktor to support fallthru
append_rule = true;
pattern = "^(?P<args>.*)$$";
script = ./scripts/sed-plugin.py;
};
shack-correct = buildSimpleReaktorPlugin "shack-correct" {
path = [ pkgs.gnused ];
pattern = "^(?P<args>.*Shack.*)$$";
script = ./scripts/shack-correct.sh;
};
nixos-version = buildSimpleReaktorPlugin "nixos-version" {
script = pkgs.writeScript "nixos-version" ''
#! /bin/sh
. /etc/os-release
echo "$PRETTY_NAME"
'';
};
stockholm-issue = buildSimpleReaktorPlugin "stockholm-issue" {
script = ./scripts/random-issue.sh;
path = with pkgs; [ git gnused lentil ];
env = { "origin" = "http://cgit.gum/stockholm"; };
};
titlebot =
let
pypkgs = pkgs.python3Packages;
titlebot_cmds = pypkgs.buildPythonPackage {
name = "titlebot_cmds";
propagatedBuildInputs = with pypkgs; [ setuptools ];
src = pkgs.fetchurl {
url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz";
sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6";
};
};
in buildBaseReaktorPlugin rec {
name = "titlebot";
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out
ln -s ${titlebot_cmds}/* $out
'';
config = ''
def titlebot_cmd(cmd):
from os import environ
return { 'capname': None,
'env': { 'TITLEDB':
environ['state_dir']+'/suggestions.json' },
'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$',
'argv': [ '${titlebot_cmds}/bin/' + cmd ] }
for i in ['up','help','list','top','new']:
public_commands.insert(0,titlebot_cmd(i))
commands.insert(0,titlebot_cmd('clear'))
'';
};
}

View File

@ -2,11 +2,11 @@
python3Packages.buildPythonPackage rec {
name = "cacpanel-${version}";
version = "0.2.1";
version = "0.2.3";
src = pkgs.fetchurl {
url = "https://pypi.python.org/packages/source/c/cacpanel/cacpanel-${version}.tar.gz";
sha256 = "1zaazg5r10kgva32zh4fhpw6l6h51ijkwpa322na0kh4x6f6aqj3";
sha256 = "1fib7416qqv8yzrj75kxra7ccpz9abqh58b6gkaavws2fa6m3mm8";
};
propagatedBuildInputs = with python3Packages; [

View File

@ -26,6 +26,8 @@ subdirs // rec {
inherit (subdirs) get jq;
};
ReaktorPlugins = pkgs.callPackage ./Reaktor/plugins.nix {};
execve = name: { filename, argv, envp ? {}, destination ? "" }:
writeC name { inherit destination; } ''
#include <unistd.h>
@ -40,6 +42,10 @@ subdirs // rec {
}
'';
test = {
infest-cac-centos7 = pkgs.callPackage ./test/infest-cac-centos7 {};
};
execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; });
writeC = name: { destination ? "" }: src: pkgs.runCommand name {} ''

View File

@ -1,22 +0,0 @@
{ lib, pkgs, ... }:
pkgs.writeScriptBin "genid" ''
#! /bin/sh
# usage: genid NAME
set -euf
export PATH=${lib.makeSearchPath "bin" (with pkgs; [
bc
coreutils
])}
name=$1
hash=$(printf %s "$name" | sha1sum | cut -d\ -f1 | tr a-f A-F)
echo "
min=2^24 # bigger than nobody and nogroup, see <nixos/modules/misc/ids.nix>
# and some spare for stuff like lxd.
max=2^32 # see 2^(8*sizeof(uid_t))
ibase=16
($hash + min) % max
" | bc
''

View File

@ -1,5 +1,10 @@
{ lib, pkgs,python3Packages,fetchurl, ... }:
# TODO: Prepare a diff of future and current
## ovh-zone export krebsco.de --config ~/secrets/krebs/cfg.json |sed 's/[ ]\+/ /g' | sort current
## sed 's/[ ]\+/ /g'/etc/zones/krebsco.de | sort > future
## diff future.sorted current.sorted
python3Packages.buildPythonPackage rec {
name = "krebszones-${version}";
version = "0.4.4";

View File

@ -1,33 +0,0 @@
{stdenv, fetchurl}:
let
s = # Generated upstream information
rec {
baseName="jq";
version="1.5";
name="${baseName}-${version}";
url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz;
sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
};
buildInputs = [
];
in
stdenv.mkDerivation {
inherit (s) name version;
inherit buildInputs;
src = fetchurl {
inherit (s) url sha256;
};
# jq is linked to libjq:
configureFlags = [
"LDFLAGS=-Wl,-rpath,\\\${libdir}"
];
meta = {
inherit (s) version;
description = ''A lightweight and flexible command-line JSON processor'';
license = stdenv.lib.licenses.mit ;
maintainers = [stdenv.lib.maintainers.raskin];
platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
};
}

View File

@ -1,7 +1,9 @@
{ stdenv, coreutils,makeWrapper, cac, cacpanel, gnumake, gnused, jq, openssh, ... }:
stdenv.mkDerivation rec {
name = "krebs-ci-0.1.0";
name = "${shortname}-${version}";
shortname = "infest-cac-centos7";
version = "0.2.0";
src = ./notes;
@ -23,9 +25,9 @@ stdenv.mkDerivation rec {
installPhase =
''
mkdir -p $out/bin
cp ${src} $out/bin/krebs-ci
chmod +x $out/bin/krebs-ci
wrapProgram $out/bin/krebs-ci \
cp ${src} $out/bin/${shortname}
chmod +x $out/bin/${shortname}
wrapProgram $out/bin/${shortname} \
--prefix PATH : ${path}
'';
meta = with stdenv.lib; {

View File

@ -1,12 +1,24 @@
#! /bin/sh
# nix-shell -p gnumake jq openssh cac cacpanel
set -euf
set -eufx
# 2 secrets are required:
krebs_cred=${krebs_cred-./cac.json}
retiolum_key=${retiolum_key-./retiolum.rsa_key.priv}
clear_defer(){
echo "${trapstr:-exit}"
trap - INT TERM EXIT KILL
}
defer(){
if test -z "${debug:-}"; then
trapstr="$1;${trapstr:-exit}"
trap "$trapstr" INT TERM EXIT KILL
fi
}
# Sanity
if test ! -r "$krebs_cred";then
echo "\$krebs_cred=$krebs_cred must be readable"; exit 1
@ -18,37 +30,53 @@ fi
krebs_secrets=$(mktemp -d)
sec_file=$krebs_secrets/cac_config
krebs_ssh=$krebs_secrets/tempssh
export cac_resources_cache=$krebs_secrets/res_cache.json
export cac_servers_cache=$krebs_secrets/servers_cache.json
export cac_tasks_cache=$krebs_secrets/tasks_cache.json
export cac_templates_cache=$krebs_secrets/templates_cache.json
# we need to receive this key from buildmaster to speed up tinc bootstrap
TRAP="rm $sec_file;rm -r $krebs_secrets"
trap "$TRAP" INT TERM EXIT
defer "trap - INT TERM EXIT"
defer "rm -r $krebs_secrets"
cat > $sec_file <<EOF
cac_login="$(jq -r .email $krebs_cred)"
cac_key="$(cac-cli panel --config $krebs_cred settings | jq -r .apicode)"
cac_key="$(cac-cli --config $krebs_cred panel settings | jq -r .apicode)"
EOF
export cac_secrets=$sec_file
cac-cli panel --config $krebs_cred update-api-ip
cac-cli --config $krebs_cred panel add-api-ip
# test login:
cac update
cac servers
# preserve old trap
old_trapstr=$(clear_defer)
while true;do
# Template 26: CentOS7
# TODO: use cac templates to determine the real Centos7 template in case it changes
name=$( cac build cpu=1 ram=512 storage=10 os=26 2>&1\
| jq -r .servername)
out=$(cac build cpu=1 ram=512 storage=10 os=26 2>&1)
if name=$(echo "$out" | jq -r .servername);then
id=servername:$name
trap "cac delete $id;$TRAP" INT TERM EXIT
echo "got a working machine, id=$id"
else
echo "Unable to build a virtual machine, retrying in 15 seconds" >&2
echo "Output of build program: $out" >&2
sleep 15
continue
fi
clear_defer >/dev/null
defer "cac delete $id"
# TODO: timeout?
always_update=true cac waitstatus $id "Powered On"
wait_login_cac(){
# timeout
for t in `seq 60`;do
# we wait for 30 minutes
for t in `seq 180`;do
# now we have a working cac server
if cac ssh $1 cat /etc/redhat-release | \
if cac ssh $1 -o ConnectTimeout=10 \
cat /etc/redhat-release | \
grep CentOS ;then
return 0
fi
@ -57,7 +85,18 @@ wait_login_cac(){
return 1
}
# die on timeout
wait_login_cac $id
if ! wait_login_cac $id;then
echo "unable to boot a working system within time frame, retrying..." >&2
echo "Cleaning up old image,last status: $(cac update;cac getserver $id | jq -r .status)"
eval "$(clear_defer | sed 's/;exit//')"
sleep 15
else
echo "got a working system" >&2
break
fi
done
clear_defer >/dev/null
defer "cac delete $id;$old_trapstr"
mkdir -p shared/2configs/temp
cac generatenetworking $id > \
@ -94,7 +133,7 @@ cac powerop $id reset
wait_login(){
# timeout
for t in `seq 20`;do
for t in `seq 90`;do
# now we have a working cac server
if ssh -o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \

11
krebs/Zhosts/bobby Normal file
View File

@ -0,0 +1,11 @@
Subnet = 10.243.111.112/32
Subnet = 42:0:0:0:0:0:111:112/128
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA+AScnIqFdzGl+iRZTNZ7r91n/r1H4GzDsrAupUvJ4mi7nDN4eP8s
uLvKtJp22RxfuF3Kf4KhHb8LHQ8bLLN/KDaNDXrCNBc69d7vvLsjoY+wfGLJNu4Y
Ad/8J4r3rdb83mTA3IHb47T/70MERPBr2gF84YiG6ZoQrPQuTk4lHxaI83SOhjny
0F0ucS/rBV6Vv9y5/756TKi1cFPSpY4X+qeWc8xWrBGJcJiiqYb8ZX2o/lkAJ5c+
jI/VdybGFVGY9+bp4Jw5xBIo5KGuFnm8+blRmSDDl3joRneKQSx9FAu7RUwoajBu
cEbi1529NReQzIFT6Vt22ymbHftxOiuh4QIDAQAB
-----END RSA PUBLIC KEY-----

11
krebs/Zhosts/kebsco Normal file
View File

@ -0,0 +1,11 @@
Subnet = 10.243.212.68
Subnet = 42:9d30:3845:c822:988b:96c5:39ab:90b7
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0dEwTZh2uzJpP9GL7YRyiLuezJqYiJ8/4Bl4IPshJnuO9IGbEcto
0cFm9uM9gxxqggfaCi96DsIQNlyqff2vDfEj3mdIu9T3tkRROByQF8y1NWX29NyH
zZEX8Ri8u4U2KdYTEzPXEFxBEl0GQX9mMtlvwzCq7V4ueCcWB1xDA+DtJjpd894z
3FOw0rIxYmfYhLAL5B3rzF74bcHFGV30f4JWq11wLBkyR6/Q5gxgZzkKYGwdZ/SN
C6gg86abKdp65/Wq5P331IbwPBal1ZhGbaAo1y7JpjpLvZytI2jboXeQuPZ8P5hU
L3zKKceAibPKrw9+y8lb+IKoYLF7I1KYIwIDAQAB
-----END RSA PUBLIC KEY-----

View File

@ -36,6 +36,7 @@ let out = {
{ system ? current-host-name
, target ? system
}@args: let
config = get-config system;
in ''
#! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
@ -47,6 +48,9 @@ let out = {
${builtins.readFile ./4lib/infest/install-nix.sh}
''}
# Prepare target source via bind-mounting
(${nixos-install args})
${rootssh target ''
@ -98,7 +102,7 @@ let out = {
#! /bin/sh
# ${current-date} ${current-user-name}@${current-host-name}
# krebs.nixos-install
(${populate args})
(${populate (args // { root = "/mnt"; })})
${rootssh target ''
export PATH; PATH=/root/.nix-profile/bin:$PATH
@ -205,6 +209,7 @@ let out = {
populate =
{ system ? current-host-name
, target ? system
, root ? ""
}@args:
let out = ''
#! /bin/sh
@ -217,6 +222,7 @@ let out = {
["dir" "git"])}
'';
config = get-config system;
current-host = config.krebs.hosts.${current-host-name};
@ -225,17 +231,18 @@ let out = {
methods.dir = config:
let
can-push = config.host.name == current-host.name;
target-path = root + config.target-path;
push-method = ''
rsync \
--exclude .git \
--exclude .graveyard \
--exclude old \
--exclude tmp \
--rsync-path='mkdir -p ${config.target-path} && rsync' \
--rsync-path='mkdir -p ${target-path} && rsync' \
--delete-excluded \
-vrLptgoD \
${config.path}/ \
root@${target}:${config.target-path}
root@${target}:${target-path}
'';
in
if can-push then push-method else
@ -244,9 +251,10 @@ let out = {
throw "No way to push ${dir} from ${current-host.name} to ${target}";
methods.git = config:
rootssh target ''
mkdir -p ${config.target-path}
cd ${config.target-path}
let target-path = root + config.target-path;
in rootssh target ''
mkdir -p ${target-path}
cd ${target-path}
if ! test -e .git; then
git init
fi

View File

@ -38,6 +38,10 @@
../3modules/wordpress_nginx.nix
];
lass.wordpress."testserver.de" = {
multiSite = {
"1" = "testserver.de";
"2" = "bla.testserver.de";
};
};
services.mysql = {
@ -52,6 +56,27 @@
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
];
}
{
#owncloud-test
#imports = singleton (sitesGenerators.createWordpress "testserver.de");
imports = [
../3modules/owncloud_nginx.nix
];
lass.owncloud."owncloud-test.de" = {
};
#services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# rootPassword = "<secrets>/mysql_rootPassword";
#};
networking.extraHosts = ''
10.243.0.2 owncloud-test.de
'';
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
];
}
];
krebs.build.host = config.krebs.hosts.mors;
@ -59,11 +84,12 @@
networking.wireless.enable = true;
networking.extraHosts = ''
10.243.206.102 habsys.de
10.243.206.102 pixelpocket.de
10.243.206.102 karlaskop.de
10.243.206.102 ubikmedia.de
10.243.206.102 apanowicz.de
213.239.205.240 wohnprojekt-rhh.de
213.239.205.240 karlaskop.de
213.239.205.240 makeup.apanowicz.de
213.239.205.240 pixelpocket.de
213.239.205.240 reich-gebaeudereinigung.de
213.239.205.240 o.ubikmedia.de
'';
hardware.enableAllFirmware = true;
@ -184,7 +210,6 @@
cac
sshpass
get
genid
teamspeak_client
hashPassword
];

View File

@ -50,7 +50,7 @@ with lib;
source = {
git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
rev = "363c8430f1efad8b03d5feae6b3a4f2fe7b29251";
rev = "93d8671e2c6d1d25f126ed30e5e6f16764330119";
};
dir.secrets = {
host = config.krebs.hosts.mors;

View File

@ -31,10 +31,15 @@ in {
environment.systemPackages = with pkgs; [
powertop
sxiv
gitAndTools.qgit
mpv
much
pavucontrol
powertop
push
slock
sxiv
xsel
zathura
#window manager stuff

View File

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
mainUser = config.users.extraUsers.mainUser;
@ -8,7 +8,7 @@ in {
users.extraUsers = {
libvirt = {
uid = 358821352; # genid libvirt
uid = lib.genid "libvirt";
description = "user for running libvirt stuff";
home = "/home/libvirt";
useDefaultShell = true;

View File

@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
mainUser = config.users.extraUsers.mainUser;
@ -7,7 +7,7 @@ in {
users.extraUsers = {
skype = {
name = "skype";
uid = 2259819492; #genid skype
uid = lib.genid "skype";
description = "user for running skype";
home = "/home/skype";
useDefaultShell = true;

View File

@ -8,7 +8,7 @@
users.extraUsers.chat = {
home = "/home/chat";
uid = 986764891; # genid chat
uid = lib.genid "chat";
useDefaultShell = true;
createHome = true;
openssh.authorizedKeys.keys = [

View File

@ -7,7 +7,6 @@ let
user = config.users.users.mainUser;
out = {
services.xserver = {
display = 11;
tty = 11;
@ -41,16 +40,6 @@ let
};
};
environment.systemPackages = [
pkgs.gitAndTools.qgit
pkgs.mpv
pkgs.pavucontrol
pkgs.slock
pkgs.sxiv
pkgs.xsel
pkgs.zathura
];
security.setuidPrograms = [
"slock"
];
@ -106,9 +95,6 @@ let
set -efu
export PATH; PATH=${makeSearchPath "bin" ([
pkgs.rxvt_unicode
pkgs.i3lock
pkgs.haskellPackages.yeganesh
pkgs.dmenu
] ++ config.environment.systemPackages)}:/var/setuid-wrappers
settle() {(
# Use PATH for a clean journal

View File

@ -51,7 +51,7 @@ let
imp = {
users.extraUsers.newsbot-js = {
name = "newsbot-js";
uid = 1616759810; #genid newsbot-js
uid = genid "newsbot-js";
description = "newsbot-js user";
home = "/var/empty";
};

View File

@ -207,7 +207,7 @@ let
# };
#});
users.users.nobody_oc = {
uid = 1651469147; # genid nobody_oc
uid = genid "nobody_oc";
useDefaultShell = true;
};
};

View File

@ -229,7 +229,7 @@ let
};
});
users.users.nobody2 = mkDefault {
uid = mkDefault 125816384; # genid nobody2
uid = mkDefault (genid "nobody2");
useDefaultShell = mkDefault true;
};
};

View File

@ -26,8 +26,8 @@ in nodePackages.buildNodePackage {
src = fetchgit {
url = "http://cgit.echelon/newsbot-js/";
rev = "b22729670236bfa6491207d57c5d7565137625ca";
sha256 = "8ff00de56d85543399776c82d41d92ccc68000e5dce0f008d926748e188f3c69";
rev = "802b172d0eed6c9625a9cb5db408f5cc8c01784e";
sha256 = "794fc7845aca311f7cf7b6bdc109b5a25d0e2299322bc6612edadc477b2536e2";
};
phases = [

View File

@ -125,6 +125,8 @@ myKeyMap =
--, ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"")
, ("<XF86AudioRaiseVolume>", spawn "pactl -- set-sink-volume 0 +4%")
, ("<XF86AudioLowerVolume>", spawn "pactl -- set-sink-volume 0 -4%")
, ("<XF86AudioMute>", spawn "pactl -- set-sink-mute 0 toggle")
, ("<XF86AudioMicMute>", spawn "pactl -- set-source-mute 1 toggle")
, ("<XF86Launch1>", gridselectWorkspace myWSConfig W.view)
, ("M4-a", focusUrgent)

View File

@ -9,28 +9,35 @@
[ # Include the results of the hardware scan.
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
../2configs/smart-monitor.nix
];
krebs.build.host = config.krebs.hosts.filepimp;
services.smartd.devices = [
{ device = "/dev/sda"; }
{ device = "/dev/sdb"; }
{ device = "/dev/sdc"; }
{ device = "/dev/sdd"; }
{ device = "/dev/sde"; }
];
# AMD N54L
boot = {
loader.grub.device = "/dev/sda";
loader.grub.device = "/dev/sde";
initrd.availableKernelModules = [
"usb_storage"
"ahci"
"xhci_hcd"
"ata_piix"
"uhci_hcd"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"usb_storage"
"usbhid"
];
kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
}

View File

@ -6,18 +6,22 @@ let
internal-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
imports = [
# TODO: copy this config or move to krebs
../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix
../2configs/fs/simple-swap.nix
../2configs/fs/single-partition-ext4.nix
../2configs/smart-monitor.nix
# ../2configs/iodined.nix
../2configs/git/cgit-retiolum.nix
../2configs/mattermost-docker.nix
../2configs/nginx/euer.test.nix
../2configs/exim-retiolum.nix
../2configs/urlwatch.nix
];
services.smartd.devices = [ { device = "/dev/sda";} ];
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
###### stable
@ -28,6 +32,9 @@ in {
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
krebs.nginx.servers.cgit.server-names = [
"cgit.euer.krebsco.de"
];
# Chat
environment.systemPackages = with pkgs;[

View File

@ -2,36 +2,110 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
{ config, pkgs, lib, ... }:
let
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = "/dev/disk/by-id/usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
homePartition = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
cryptDisk2 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WCAZA5548487";
# all physical disks
allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
in {
imports =
[ # Include the results of the hardware scan.
[
# TODO: unlock home partition via ssh
../2configs/fs/single-partition-ext4.nix
../2configs/tinc-basic-retiolum.nix
../2configs/zsh-user.nix
../2configs/exim-retiolum.nix
../2configs/smart-monitor.nix
../2configs/mail-client.nix
../2configs/share-user-sftp.nix
../2configs/nginx/omo-share.nix
../3modules
];
# services.openssh.allowSFTP = false;
krebs.build.host = config.krebs.hosts.omo;
krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
makefu.snapraid = let
toMapper = id: "/media/crypt${builtins.toString id}";
in {
enable = true;
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
fileSystems = let
cryptMount = name:
{ "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
in {
"/home" = {
device = "/dev/mapper/home";
fsType = "ext4";
};
} // cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2";
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
# AMD E350
boot = {
loader.grub.device = "/dev/sda";
initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
};
in [
(usbkey "home" homePartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
];
};
loader.grub.device = rootDisk;
initrd.availableKernelModules = [
"usb_storage"
"ahci"
"xhci_hcd"
"ata_piix"
"uhci_hcd"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
];
kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
networking.firewall.allowedUDPPorts = [ 655 ];
# 8080: sabnzbd
networking.firewall.allowedTCPPorts = [ 80 655 8080 ];
hardware.enableAllFirmware = true;
hardware.cpu.amd.updateMicrocode = true;
networking.firewall.allowPing = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
}

View File

@ -1,62 +1,51 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
# Usage:
# NIX_PATH=secrets=/home/makefu/secrets/wry:nixpkgs=/var/src/nixpkgs nix-build -A users.makefu.pnp.config.system.build.vm
# result/bin/run-pnp-vm -virtfs local,path=/home/makefu/secrets/pnp,security_model=none,mount_tag=secrets
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
# Base
[
../2configs/tinc-basic-retiolum.nix
../2configs/headless.nix
../../krebs/3modules/Reaktor.nix
# HW/FS
# enables virtio kernel modules in initrd
# these will be overwritten by qemu-vm.nix but will be used if the system
# is directly deployed
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/fs/vm-single-partition.nix
# Services
../2configs/git/cgit-retiolum.nix
## Reaktor
## \/ are only plugins, must enable Reaktor explicitly
../2configs/Reaktor/stockholmLentil.nix
../2configs/Reaktor/simpleExtend.nix
../2configs/Reaktor/random-emoji.nix
../2configs/Reaktor/titlebot.nix
../2configs/Reaktor/shack-correct.nix
../2configs/exim-retiolum.nix
../2configs/urlwatch.nix
# ../2configs/graphite-standalone.nix
# config.system.build.vm
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
];
krebs.urlwatch.verbose = true;
krebs.Reaktor.enable = true;
krebs.Reaktor.debug = true;
krebs.Reaktor.nickname = "Reaktor|bot";
krebs.Reaktor.extraEnviron = {
REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
virtualisation.graphics = false;
# also export secrets, see Usage above
fileSystems = pkgs.lib.mkVMOverride {
"${builtins.toString <secrets>}" =
{ device = "secrets";
fsType = "9p";
options = "trans=virtio,version=9p2000.L,cache=loose";
neededForBoot = true;
};
};
krebs.Reaktor = {
enable = true;
debug = true;
extraEnviron = {
REAKTOR_HOST = "cd.retiolum";
};
plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ];
channels = [ "#retiolum" ];
};
krebs.build.host = config.krebs.hosts.pnp;
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
networking.firewall.allowedTCPPorts = [
# nginx runs on 80
80
# graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp
# 8080 2003
# smtp
25
];
# networking.firewall.allowedUDPPorts = [ 2003 ];
}

View File

@ -26,6 +26,7 @@
# services
../2configs/git/brain-retiolum.nix
../2configs/tor.nix
# ../2configs/buildbot-standalone.nix
# hardware specifics are in here
../2configs/hw/tp-x220.nix
@ -34,16 +35,18 @@
# ../2configs/mediawiki.nix
#../2configs/wordpress.nix
];
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.samsungUnifiedLinuxDriver ];
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
buildbot = let
pkgs1509 = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
in pkgs1509.buildbot;
};
makefu.buildbot.master.enable = true;
#krebs.Reaktor.enable = true;
#krebs.Reaktor.nickname = "makefu|r";
krebs.Reaktor = {
enable = false;
nickname = "makefu|r";
plugins = with pkgs.ReaktorPlugins; [ nixos-version random-emoji ];
};
# nix.binaryCaches = [ "http://acng.shack/nixos" "https://cache.nixos.org" ];
environment.systemPackages = with pkgs;[
@ -58,6 +61,7 @@
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" ''
${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"}
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"'';
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
25
];

View File

@ -59,7 +59,6 @@ in {
buildbot
buildbot-slave
get
genid
];
networking.firewall.allowedTCPPorts = [

View File

@ -18,8 +18,6 @@ in {
../2configs/iodined.nix
# Reaktor
../2configs/Reaktor/simpleExtend.nix
# other nginx
../2configs/nginx/euer.wiki.nix
@ -29,9 +27,21 @@ in {
# collectd
../2configs/collectd/collectd-base.nix
];
krebs.build.host = config.krebs.hosts.wry;
krebs.Reaktor.enable = true;
krebs.Reaktor = {
nickname = "Reaktor|bot";
channels = [ "#krebs" "#shackspace" "#binaergewitter" ];
enable = true;
plugins = with pkgs.ReaktorPlugins;[
titlebot
# stockholm-issue
nixos-version
shack-correct
sed-plugin
random-emoji ];
};
# bepasty to listen only on the correct interfaces
krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ];
@ -63,7 +73,7 @@ in {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [ 53 80 443 ];
allowedUDPPorts = [ 655 ];
allowedUDPPorts = [ 655 53 ];
};
interfaces.enp2s1.ip4 = [{
address = external-ip;

View File

@ -1,18 +0,0 @@
_:
{
# implementation of the complete Reaktor bot
imports = [
#./stockholmLentil.nix
./simpleExtend.nix
./random-emoji.nix
./titlebot.nix
./shack-correct.nix
./sed-plugin.nix
];
krebs.Reaktor.nickname = "Reaktor|bot";
krebs.Reaktor.enable = true;
krebs.Reaktor.extraEnviron = {
REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
};
}

View File

@ -1,26 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
rpkg = pkgs.substituteAll( {
name="random-emoji";
dir= "bin";
isExecutable=true;
src= ./random-emoji.sh;
});
rpkg-path = lib.makeSearchPath "bin" (with pkgs; [
coreutils
gnused
gnugrep
xmlstarlet
curl]);
in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "emoji",
'pattern' : indirect_pattern.format("emoji"),
'argv' : ["${rpkg}/bin/random-emoji"],
'env' : { 'PATH':'${rpkg-path}' } })
'';
}

View File

@ -1,18 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
script = ./sed-plugin.py;
in {
#TODO: this will eat up the last regex, fix Reaktor
krebs.Reaktor.extraConfig = ''
public_commands.append({
'capname' : "sed-plugin",
# only support s///gi
'pattern' : '^(?P<args>.*)$$',
'argv' : ["${pkgs.python3}/bin/python3","${script}"],
'env' : { 'state_dir' : workdir,
'PATH':'${lib.makeSearchPath "bin" [pkgs.gnused]}' }})
'';
}

View File

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
script = pkgs.substituteAll ( {
name="shack-correct";
isExecutable=true;
dir = "";
src = ./shack-correct.sh;
});
in {
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "shack-correct",
'pattern' : '^(?P<args>.*Shack.*)$$',
'argv' : ["${script}"],
'env' : { }})
'';
}

View File

@ -1,19 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
nixos-version-script = pkgs.writeScript "nix-version" ''
#! /bin/sh
. /etc/os-release
echo "$PRETTY_NAME"
'';
in {
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "nixos-version",
'pattern' : indirect_pattern.format("nixos-version"),
'argv' : ["${nixos-version-script}"],
'env' : { 'state_dir': workdir } })
'';
}

View File

@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
with pkgs;
let
random-issue = pkgs.substituteAll( {
name="random-issue";
dir= "bin";
isExecutable=true;
src= ./random-issue.sh;
});
random-issue-path = lib.makeSearchPath "bin" (with pkgs; [
coreutils
git
gnused
lentil]);
in {
# TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
krebs.Reaktor.extraConfig = ''
public_commands.insert(0,{
'capname' : "stockholm-issue",
'pattern' : indirect_pattern.format("stockholm-issue"),
'argv' : ["${random-issue}/bin/random-issue"],
'env' : { 'state_dir': workdir,
'PATH':'${random-issue-path}',
'origin':'http://cgit.pnp/stockholm' } })
'';
}

View File

@ -1,38 +0,0 @@
{ stdenv,config, lib, pkgs, ... }:
with pkgs;
let
pypkgs = pkgs.python3Packages;
titlebot_cmds = pypkgs.buildPythonPackage {
name = "titlebot_cmds";
propagatedBuildInputs = with pypkgs; [ setuptools ];
src = fetchurl {
# https://github.com/makefu/reaktor-titlebot tag 2.1.0
url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz";
sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6";
};
};
pub_cmds = ["up" "help" "list" "top" "highest" "undo" ];
priv_cmds = [ "clear" ];
in {
# TODO: write identify file in
# {config.users.extraUsers.Reaktor.home}/state/admin.lst
krebs.Reaktor.extraConfig = ''
def titlebot_cmd(cmd):
return {
'capname': cmd,
'env': {
'TITLEDB':
'${config.users.extraUsers.Reaktor.home}/suggestions.json'
},
'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$',
'argv': [ '${titlebot_cmds}/bin/' + cmd ] }
# TODO: for each element in ${titlebot_cmds}/bin/*
public_commands.insert(0,titlebot_cmd('up'))
public_commands.insert(0,titlebot_cmd('help'))
public_commands.insert(0,titlebot_cmd('list'))
public_commands.insert(0,titlebot_cmd('top'))
public_commands.insert(0,titlebot_cmd('new'))
commands.insert(0,titlebot_cmd('clear'))
'';
}

View File

@ -13,7 +13,7 @@ with lib;
./vim.nix
];
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = {
enable = true;
search-domain = "retiolum";
@ -23,8 +23,8 @@ with lib;
source = {
git.nixpkgs = {
#url = https://github.com/NixOS/nixpkgs;
url = mkDefault https://github.com/makefu/nixpkgs;
rev = mkDefault "3fd2c24685f604edc925f73ed56600b8c66236b3"; # nixos-15.09 + cherry-picking
url = mkDefault https://github.com/nixos/nixpkgs;
rev = mkDefault "93d8671e2c6d1d25f126ed30e5e6f16764330119"; # unstable @ 2015-01-03, tested on filepimp
target-path = "/var/src/nixpkgs";
};
@ -65,7 +65,12 @@ with lib;
time.timeZone = "Europe/Berlin";
#nix.maxJobs = 1;
programs.ssh.startAgent = false;
programs.ssh = {
startAgent = false;
extraConfig = ''
UseRoaming no
'';
};
services.openssh.enable = true;
nix.useChroot = true;

View File

@ -24,5 +24,12 @@ with lib;
services.tlp.enable = true;
services.tlp.extraConfig = ''
START_CHARGE_THRESH_BAT0=80
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
}

View File

@ -7,6 +7,8 @@ with lib;
mutt-kz
notmuch
offlineimap
imapfilter
gnupg
];
}

View File

@ -0,0 +1,34 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.krebs.build.host.name;
# TODO local-ip from the nets config
local-ip = "192.168.1.11";
# local-ip = head config.krebs.build.host.nets.retiolum.addrs4;
in {
krebs.nginx = {
enable = mkDefault true;
servers = {
omo-share = {
listen = [ "${local-ip}:80" ];
locations = singleton (nameValuePair "/" ''
autoindex on;
root /media;
limit_rate_after 100m;
limit_rate 5m;
mp4_buffer_size 4M;
mp4_max_buffer_size 10M;
allow all;
access_log off;
keepalive_timeout 65;
keepalive_requests 200;
reset_timedout_connection on;
sendfile on;
tcp_nopush on;
gzip off;
'');
};
};
};
}

View File

@ -0,0 +1,21 @@
{ config, ... }:
{
users.users = {
share = {
uid = 9002;
home = "/var/empty";
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
};
};
# we will use internal-sftp to make uncomplicated Chroot work
services.openssh.extraConfig = ''
Match User share
ChrootDirectory /media
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
Match All
'';
}

View File

@ -0,0 +1,18 @@
{ config, lib, ... }:
{
krebs.exim-retiolum.enable = lib.mkDefault true;
services.smartd = {
enable = true;
autodetect = false;
notifications = {
mail = {
enable = true;
recipient = config.krebs.users.makefu.mail;
};
};
# short daily, long weekly, check on boot
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
devices = lib.mkDefault [ ];
};
}

View File

@ -1,6 +1,22 @@
{ config, ... }:
{ config, lib, ... }:
{
nixpkgs.config.packageOverrides = pkgs: {
urlwatch = with pkgs.pythonPackages; buildPythonPackage rec {
name = "urlwatch-1.18";
propagatedBuildInputs = [ futures ];
src = pkgs.fetchurl {
url = "http://thp.io/2008/urlwatch/${name}.tar.gz";
sha256 = "090qfgx249ks7103sap6w47f8302ix2k46wxhfssxwsqcqdl25vb";
};
postFixup = ''
wrapProgram "$out/bin/urlwatch" --prefix "PYTHONPATH" : "$PYTHONPATH"
'';
};
};
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
@ -12,7 +28,7 @@
http://git.sysphere.org/vicious/log/?qt=grep&q=Next+release
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
];
};
}

View File

@ -122,7 +122,7 @@ in {
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
vimrcConfig.vam.pluginDictionaries = [
{ names = [ "undotree"
"YouCompleteMe"
# "YouCompleteMe"
"vim-better-whitespace" ]; }
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];

View File

@ -5,4 +5,5 @@ let
in {
virtualisation.libvirtd.enable = true;
users.extraUsers.${mainUser.name}.extraGroups = [ "libvirtd" ];
networking.firewall.checkReversePath = false; # TODO: unsolved issue in nixpkgs:#9067 [bug]
}

View File

@ -1,33 +1,9 @@
{ config, lib, pkgs, ... }:
_:
#usage: $ wvdial
let
mainUser = config.krebs.build.user;
in {
environment.systemPackages = with pkgs;[
wvdial
];
environment.shellAliases = {
umts = "sudo wvdial netzclub";
{
imports = [ ../3modules ];
makefu.umts = {
enable = true;
modem-device = "/dev/serial/by-id/usb-Lenovo_H5321_gw_2D5A51BA0D3C3A90-if01";
};
# configure for NETZCLUB
environment.wvdial.dialerDefaults = ''
Phone = *99***1#
Dial Command = ATDT
Modem = /dev/ttyACM0
Baud = 460800
Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0'';
users.extraUsers.${mainUser.name}.extraGroups = [ "dialout" ];
}

View File

@ -19,8 +19,7 @@ in
bindkey -e
# shift-tab
bindkey '^[[Z' reverse-menu-complete
autoload -U compinit && compinit
bindkey "\e[3~" delete-char
zstyle ':completion:*' menu select
# load gpg-agent

View File

@ -1,263 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
buildbot = pkgs.buildbot;
buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
# -*- python -*-
from buildbot.plugins import *
import re
c = BuildmasterConfig = {}
c['slaves'] = []
# TODO: template potential buildslaves
# TODO: set password?
slavenames= [ 'testslave' ]
for i in slavenames:
c['slaves'].append(buildslave.BuildSlave(i, "krebspass"))
c['protocols'] = {'pb': {'port': 9989}}
####### Build Inputs
stockholm_repo = 'http://cgit.gum/stockholm'
c['change_source'] = []
c['change_source'].append(changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
####### Build Scheduler
# TODO: configure scheduler
c['schedulers'] = []
# test the master real quick
fast = schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
name="fast-master-test",
builderNames=["fast-tests"])
force = schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"])
# files everyone depends on or are part of the share branch
def shared_files(change):
r =re.compile("^((krebs|share)/.*|Makefile|default.nix)")
for file in change.files:
if r.match(file):
return True
return False
full = schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
fileIsImportant=shared_files,
name="full-master-test",
builderNames=["full-tests"])
c['schedulers'] = [ fast, force, full ]
###### The actual build
# couple of fast steps:
f = util.BuildFactory()
## fetch repo
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
f.addStep(grab_repo)
# the dependencies which are used by the test script
deps = [ "gnumake", "jq" ]
nixshell = ["nix-shell", "-p" ] + deps + [ "--run" ]
def addShell(f,**kwargs):
f.addStep(steps.ShellCommand(**kwargs))
addShell(f,name="centos7-eval",env={"LOGNAME": "shared",
"get" : "krebs.deploy",
"filter" : "json"
},
command=nixshell + ["make -s eval system=test-centos7"])
addShell(f,name="wolf-eval",env={"LOGNAME": "shared",
"get" : "krebs.deploy",
"filter" : "json"
},
command=nixshell + ["make -s eval system=wolf"])
c['builders'] = []
c['builders'].append(
util.BuilderConfig(name="fast-tests",
slavenames=slavenames,
factory=f))
# TODO slow build
c['builders'].append(
util.BuilderConfig(name="full-tests",
slavenames=slavenames,
factory=f))
####### Status of Builds
c['status'] = []
from buildbot.status import html
from buildbot.status.web import authz, auth
# TODO: configure if http is wanted
authz_cfg=authz.Authz(
# TODO: configure user/pw
auth=auth.BasicAuth([("krebs","bob")]),
gracefulShutdown = False,
forceBuild = 'auth',
forceAllBuilds = 'auth',
pingBuilder = False,
stopBuild = False,
stopAllBuilds = False,
cancelPendingBuild = False,
)
# TODO: configure nginx
c['status'].append(html.WebStatus(http_port=8010, authz=authz_cfg))
from buildbot.status import words
${optionalString (cfg.irc.enable) ''
irc = words.IRC("${cfg.irc.server}", "krebsbuild",
# TODO: multiple channels
channels=["${cfg.irc.channel}"],
notify_events={
#'success': 1,
#'failure': 1,
'exception': 1,
'successToFailure': 1,
'failureToSuccess': 1,
}${optionalString cfg.irc.allowForce ",allowForce=True"})
c['status'].append(irc)
''}
####### PROJECT IDENTITY
c['title'] = "Stockholm"
c['titleURL'] = "http://krebsco.de"
#c['buildbotURL'] = "http://buildbot.krebsco.de/"
# TODO: configure url
c['buildbotURL'] = "http://vbob:8010/"
####### DB URL
c['db'] = {
'db_url' : "sqlite:///state.sqlite",
}
${cfg.extraConfig}
'';
cfg = config.makefu.buildbot.master;
api = {
enable = mkEnableOption "Buildbot Master";
workDir = mkOption {
default = "/var/lib/buildbot/master";
type = types.str;
description = ''
Path to build bot master directory.
Will be created on startup.
'';
};
irc = mkOption {
default = {};
type = types.submodule ({ config, ... }: {
options = {
enable = mkEnableOption "Buildbot Master IRC Status";
channel = mkOption {
default = "nix-buildbot-meetup";
type = types.str;
description = ''
irc channel the bot should connect to
'';
};
allowForce = mkOption {
default = false;
type = types.bool;
description = ''
Determines if builds can be forced via IRC
'';
};
nick = mkOption {
default = "nix-buildbot";
type = types.str;
description = ''
nickname for IRC
'';
};
server = mkOption {
default = "irc.freenode.net";
type = types.str;
description = ''
Buildbot Status IRC Server to connect to
'';
};
};
});
};
extraConfig = mkOption {
default = "";
type = types.lines;
description = ''
extra config appended to the generated master.cfg
'';
};
};
imp = {
users.extraUsers.buildbotMaster = {
uid = 672626386; #genid buildbotMaster
description = "Buildbot Master";
home = cfg.workDir;
createHome = false;
};
users.extraGroups.buildbotMaster = {
gid = 672626386;
};
systemd.services.buildbotMaster = {
description = "Buildbot Master";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.git ];
serviceConfig = let
workdir="${lib.shell.escape cfg.workDir}";
# TODO: check if git is the only dep
in {
PermissionsStartOnly = true;
Type = "forking";
PIDFile = "${workdir}/twistd.pid";
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
#!/bin/sh
set -efux
if [ ! -e ${workdir} ];then
mkdir -p ${workdir}
${buildbot}/bin/buildbot create-master -r -l 10 -f ${workdir}
fi
# always override the master.cfg
cp ${buildbot-master-config} ${workdir}/master.cfg
# sanity
${buildbot}/bin/buildbot checkconfig ${workdir}
# TODO: maybe upgrade? not sure about this
# normally we should write buildbot.tac by our own
# ${buildbot}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${buildbot}/bin/buildbot start ${workdir}";
ExecStop = "${buildbot}/bin/buildbot stop ${workdir}";
ExecReload = "${buildbot}/bin/buildbot reconfig ${workdir}";
PrivateTmp = "true";
User = "buildbotMaster";
Restart = "always";
RestartSec = "10";
};
};
};
in
{
options.makefu.buildbot.master = api;
config = mkIf cfg.enable imp;
}

View File

@ -2,8 +2,8 @@ _:
{
imports = [
./buildbot/master.nix
./buildbot/slave.nix
./snapraid.nix
./umts.nix
];
}

View File

@ -0,0 +1,125 @@
{ config, lib, pkgs, ... }:
with lib;
let
# returns dirname without / , used as disk name
dname = dir: replaceChars ["/"] [""] (head (reverseList (splitString "/" dir)));
snapraid-conf = ''
# Disks
${concatMapStringsSep "\n" (d: "disk ${dname d} ${d}") cfg.disks}
# Parity
${optionalString (cfg.parity != "") "parity ${cfg.parity}/snapraid.parity"}
# content on Disks
${optionalString cfg.contentOnDisks
concatMapStringsSep "\n" (d: "content ${d}/snapraid.content") cfg.disks}
# content on Parity
${optionalString (cfg.contentOnParity && cfg.parity != "")
"content ${cfg.parity}/snapraid.content"}
# Default content file
content ${cfg.defaultContentFile}
# Extra Configuration
${cfg.extraConfig}
'';
cfg = config.makefu.snapraid;
out = {
options.makefu.snapraid = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "snapraid";
timerConfig = mkOption {
type = types.unspecified;
description = ''
Start snapraid service
'';
default = {
OnCalendar = "daily";
};
};
disks = mkOption {
type = with types;listOf str;
description = ''
Disks to protect. Each disk is a path to the mounted directory of the
disk.
'';
};
parity = mkOption {
type = types.str;
description = ''
Folder to store parity file.
Set to empty string if you want to configure the parity yourself in
extraConfig.
All extra parity files (2,3,z, etc...) should be configured via
extraConfig.
'';
};
contentOnDisks = mkOption {
type = types.bool;
default = true;
description = ''
Store Content file on each Disk to protect.
Set this to false if you do not want this behavior to apply.
'';
};
contentOnParity = mkOption {
type = types.bool;
default = true;
description = ''
Store Content file on parity Disk.
Set this to false if you do not want this behavior to apply.
'';
};
defaultContentFile = mkOption {
type = types.str;
default = "/var/cache/snapraid.content";
description = ''
Path to default content file
Set to empty string if this content file should be written.
'';
};
extraConfig = mkOption {
type = types.string;
default = "";
description = ''
Extra configuration to be appended to the snapraid conf file.
You can configure extra Parity files as well as extra content files.
See `man snapraid` for additional configuration
'';
};
};
imp = {
environment.systemPackages = [
# for scrubbing,fixing
pkgs.snapraid
];
environment.etc."snapraid.conf".text = snapraid-conf;
systemd.timers.snapraid-sync = {
description = "snapraid sync timer";
wantedBy = [ "timers.target" ];
timerConfig = cfg.timerConfig;
};
systemd.services.snapraid-sync = {
description = "Snapraid sync service";
after = [ "network.target" "local-fs.target" ];
serviceConfig = {
Type = "simple";
ExecStartPre = pkgs.writeScript "Snapraid-sync-init" ''
#! /bin/sh
${optionalString (cfg.defaultContentFile != "")
"mkdir -p $(dirname ${cfg.defaultContentFile})"}
'';
ExecStart = "${pkgs.snapraid}/bin/snapraid sync";
};
};
};
in out

76
makefu/3modules/umts.nix Normal file
View File

@ -0,0 +1,76 @@
{ config, lib, pkgs, ... }:
with lib;
let
# TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
systemctl start umts
trap "systemctl stop umts;trap - INT TERM EXIT;exit" INT TERM EXIT
echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
journalctl -xfu umts
'';
wvdial-defaults = ''
Phone = *99***1#
Dial Command = ATDT
Modem = ${cfg.modem-device}
Baud = 460800
Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
Init2 = ATZ
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
ISDN = 0
Modem Type = Analog Modem
Username = netzclub
Password = netzclub
Stupid Mode = 1
Idle Seconds = 0'';
cfg = config.makefu.umts;
out = {
options.makefu.umts = api;
config = mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "umts";
modem-device = mkOption {
default = "/dev/ttyUSB0";
type = types.str;
description = ''
path to modem device, use <filename>/dev/serial/by-id/...</filename>
to avoid race conditions.
'';
};
};
imp = {
environment.shellAliases = {
umts = "sudo ${umts-bin}/bin/umts";
};
environment.systemPackages = [ ];
environment.wvdial.dialerDefaults = wvdial-defaults;
systemd.targets.network-umts = {
description = "System is running on UMTS";
unitConfig.StopWhenUnneeded = true;
};
systemd.services.umts = {
description = "UMTS wvdial Service";
before = [ "network-umts.target" ];
serviceConfig = {
Type = "simple";
Restart = "always";
RestartSec = "4s";
ExecStart = "${pkgs.wvdial}/bin/wvdial -n";
};
};
};
in out

View File

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
en = { enable = true;};
in {
krebs = {
enable = true;
build.user = config.krebs.users.shared;
build.host = config.krebs.hosts.test-all-krebs-modules;
Reaktor.enable = true;
apt-cacher-ng.enable = true;
backup.enable = true;
bepasty.enable = true;
buildbot.master.enable = true;
buildbot.slave = {
enable = true;
username = "lol";
password = "wut";
};
exim-retiolum.enable = true;
exim-smarthost = {
enable = true;
system-aliases = [ { from = "dick"; to = "butt"; } ];
};
go.enable = true;
iptables = {
enable = true;
tables = {};
};
nginx.enable = true;
realwallpaper.enable = true;
retiolum.enable = true;
retiolum-bootstrap.enable = true;
tinc_graphs.enable = true;
urlwatch.enable = true;
fetchWallpaper = {
enable = true;
url ="localhost";
};
};
# just get the system running
boot.loader.grub.devices = ["/dev/sda"];
fileSystems."/" = {
device = "/dev/lol";
};
}

View File

@ -0,0 +1,6 @@
{ config, pkgs, ... }:
{
programs.ssh.startAgent = true;
programs.ssh.startAgent = false;
}

View File

@ -0,0 +1,13 @@
{ config, pkgs, lib, ... }:
{
krebs = {
enable = true;
build.user = config.krebs.users.shared;
build.host = config.krebs.hosts.test-all-krebs-modules;
};
# just get the system to eval in nixos without errors
boot.loader.grub.devices = ["/dev/sda"];
fileSystems."/" = {
device = "/dev/lol";
};
}

View File

@ -11,7 +11,7 @@ in
../2configs/collectd-base.nix
../2configs/shack-nix-cacher.nix
../2configs/shack-drivedroid.nix
../2configs/cac-ci.nix
../2configs/buildbot-standalone.nix
../2configs/graphite.nix
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
@ -33,8 +33,6 @@ in
# uninteresting stuff
#####################
krebs.build.host = config.krebs.hosts.wolf;
# TODO rename shared user to "krebs"
krebs.build.user = config.krebs.users.shared;
krebs.build.target = "wolf";
boot.kernel.sysctl = {

View File

@ -14,11 +14,12 @@ with lib;
};
# TODO rename shared user to "krebs"
krebs.build.user = config.krebs.users.shared;
krebs.build.user = mkDefault config.krebs.users.shared;
krebs.build.source = {
git.nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
rev = "6d31e9b81dcd4ab927bb3dc91b612dd5abfa2f80";
target-path = "/var/src/nixpkgs";
};
dir.secrets = {
host = config.krebs.current.host;
@ -27,6 +28,7 @@ with lib;
dir.stockholm = {
host = config.krebs.current.host;
path = mkDefault "${getEnv "HOME"}/stockholm";
target-path = "/var/src/stockholm";
};
};

View File

@ -0,0 +1,155 @@
{ lib, config, pkgs, ... }:
let
pkgs-unst = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {};
in {
nixpkgs.config.packageOverrides = pkgs: {
buildbot = pkgs-unst.buildbot;
buildbot-slave = pkgs-unst.buildbot-slave;
};
networking.firewall.allowedTCPPorts = [ 8010 9989 ];
krebs.buildbot.master = {
secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ];
slaves = {
testslave = "krebspass";
};
change_source.stockholm = ''
stockholm_repo = 'http://cgit.gum/stockholm'
cs.append(changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branch='master',
project='stockholm',
pollinterval=120))
'';
scheduler = {
force-scheduler = ''
sched.append(schedulers.ForceScheduler(
name="force",
builderNames=["full-tests"]))
'';
fast-tests-scheduler = ''
# test the master real quick
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
treeStableTimer=10, #only test the latest push
name="fast-master-test",
builderNames=["fast-tests"]))
'';
test-cac-infest-master = ''
# files everyone depends on or are part of the share branch
def shared_files(change):
r =re.compile("^((krebs|shared)/.*|Makefile|default.nix)")
for file in change.files:
if r.match(file):
return True
return False
sched.append(schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch="master"),
fileIsImportant=shared_files,
treeStableTimer=60*60, # master was stable for the last hour
name="full-master-test",
builderNames=["full-tests"]))
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
stockholm_repo = "http://cgit.gum.retiolum/stockholm"
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
env = {"LOGNAME": "shared", "NIX_REMOTE": "daemon"}
# prepare nix-shell
# the dependencies which are used by the test script
deps = [ "gnumake", "jq","nix","rsync",
"(import <stockholm> {}).pkgs.test.infest-cac-centos7" ]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
# prepare addShell function
def addShell(factory,**kwargs):
factory.addStep(steps.ShellCommand(**kwargs))
'';
builder = {
fast-tests = ''
f = util.BuildFactory()
f.addStep(grab_repo)
addShell(f,name="deploy-eval-centos7",env=env,
command=nixshell + ["make -s eval get=krebs.deploy filter=json system=test-centos7"])
addShell(f,name="deploy-eval-wolf",env=env,
command=nixshell + ["make -s eval get=krebs.deploy filter=json system=wolf"])
addShell(f,name="deploy-eval-cross-check",env=env,
command=nixshell + ["! make eval get=krebs.deploy filter=json system=test-failing"])
addShell(f,name="instantiate-test-all-modules",env=env,
command=nixshell + \
["touch retiolum.rsa_key.priv; \
nix-instantiate --eval -A \
users.shared.test-all-krebs-modules.system \
-I stockholm=. \
-I secrets=. '<stockholm>' \
--argstr current-date lol \
--argstr current-user-name shared \
--argstr current-host-name lol \
--strict --json"])
addShell(f,name="instantiate-test-minimal-deploy",env=env,
command=nixshell + \
["nix-instantiate --eval -A \
users.shared.test-minimal-deploy.system \
-I stockholm=. \
-I secrets=. '<stockholm>' \
--argstr current-date lol \
--argstr current-user-name shared \
--argstr current-host-name lol \
--strict --json"])
bu.append(util.BuilderConfig(name="fast-tests",
slavenames=slavenames,
factory=f))
'';
slow-tests = ''
s = util.BuildFactory()
s.addStep(grab_repo)
# slave needs 2 files:
# * cac.json
# * retiolum
s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/cac.json", slavedest="cac.json"))
s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/retiolum-ci.rsa_key.priv", slavedest="retiolum.rsa_key.priv"))
addShell(s, name="infest-cac-centos7",env=env,
sigtermTime=60, # SIGTERM 1 minute before SIGKILL
timeout=10800, # 3h
command=nixshell + ["infest-cac-centos7"])
bu.append(util.BuilderConfig(name="full-tests",
slavenames=slavenames,
factory=s))
'';
};
enable = true;
web = {
enable = true;
};
irc = {
enable = true;
nick = "shared-buildbot";
server = "cd.retiolum";
channels = [ "retiolum" ];
allowForce = true;
};
};
krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "krebspass";
packages = with pkgs;[ git nix ];
# all nix commands will need a working nixpkgs installation
extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
};
}

View File

@ -1,11 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
environment.systemPackages = with pkgs;[
get
cac
cacpanel
jq
];
}

View File

@ -16,7 +16,6 @@ with lib;
environment.systemPackages = with pkgs; [
# stockholm
genid
gnumake
hashPassword
lentil
@ -234,7 +233,12 @@ with lib;
KERNEL=="hpet", GROUP="audio"
'';
services.bitlbee.enable = true;
services.bitlbee = {
enable = true;
plugins = [
pkgs.bitlbee-facebook
];
};
services.tor.client.enable = true;
services.tor.enable = true;
services.virtualboxHost.enable = true;

View File

@ -19,7 +19,6 @@ with lib;
environment.systemPackages = with pkgs; [
# stockholm
genid
gnumake
hashPassword
lentil

42
tv/2configs/backup.nix Normal file
View File

@ -0,0 +1,42 @@
{ config, lib, ... }:
with lib;
{
krebs.backup.plans = addNames {
xu-test-cd = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; };
dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; };
#startAt = "0,6,12,18:00";
startAt = "minutely";
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
#xu-test-wu = {
# method = "push";
# dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; };
#};
cd-test-xu = {
method = "pull";
src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; };
dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; };
startAt = "minutely";
snapshots = {
minutely = { format = "%Y-%m-%dT%H:%M"; retain = 5; };
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
};
}

View File

@ -72,9 +72,9 @@ let
};
};
user = {
user = rec {
name = "charybdis";
uid = 3748224544; # genid charybdis
uid = genid name;
};
configFile = toFile "charybdis-ircd.conf" ''

View File

@ -28,6 +28,7 @@ with lib;
imports = [
<secrets>
./backup.nix
./vim.nix
{
# stockholm dependencies

View File

@ -69,12 +69,10 @@ in
};
};
users = let
id = 3768151709; # genid pulse
in {
groups.pulse.gid = id;
users = {
groups.pulse.gid = config.users.users.pulse.uid;
users.pulse = {
uid = id;
uid = genid "pulse";
group = "pulse";
extraGroups = [ "audio" ];
home = "${runDir}/home";

View File

@ -4,7 +4,7 @@ with lib;
let
out = {
environment.systemPackages = [
pkgs.vim
vim
];
# Nano really is just a stupid name for Vim.
@ -22,14 +22,38 @@ let
"${pkgs.vimPlugins.undotree}/share/vim-plugins/undotree"
];
dirs = {
backupdir = "$HOME/.cache/vim/backup";
swapdir = "$HOME/.cache/vim/swap";
undodir = "$HOME/.cache/vim/undo";
};
files = {
viminfo = "$HOME/.cache/vim/info";
};
mkdirs = let
dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
in assert out != ""; out;
alldirs = attrValues dirs ++ map dirOf (attrValues files);
in unique (sort lessThan alldirs);
vim = pkgs.writeScriptBin "vim" ''
#! ${pkgs.dash}/bin/dash
set -f
umask 0077
${concatStringsSep "\n" (map (x: "mkdir -p ${x}") mkdirs)}
umask 0022
exec ${pkgs.vim}/bin/vim "$@"
'';
vimrc = pkgs.writeText "vimrc" ''
set nocompatible
set autoindent
set backspace=indent,eol,start
set backup
set backupdir=$HOME/.vim/backup/
set directory=$HOME/.vim/cache//
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
set hlsearch
set incsearch
set mouse=a
@ -40,11 +64,11 @@ let
set showcmd
set showmatch
set ttimeoutlen=0
set undodir=$HOME/.vim/undo
set undodir=${dirs.undodir}
set undofile
set undolevels=1000000
set undoreload=1000000
set viminfo='20,<1000,s100,h,n$HOME/.vim/cache/info
set viminfo='20,<1000,s100,h,n${files.viminfo}
set visualbell
set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
set wildmenu

View File

@ -48,7 +48,7 @@ let
"slock"
];
systemd.services.display-manager = mkForce {};
systemd.services.display-manager.enable = false;
services.xserver.enable = true;

View File

@ -109,9 +109,9 @@ let
};
};
user = {
user = rec {
name = "consul";
uid = 2999951406; # genid consul
uid = genid name;
};
in

View File

@ -53,9 +53,9 @@ let
};
};
user = {
user = rec {
name = "ejabberd";
uid = 3499746127; # genid ejabberd
uid = genid name;
};
my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" ''