diff options
| author | makefu <github@syntax-fehler.de> | 2015-10-23 15:38:01 +0200 |
|---|---|---|
| committer | makefu <github@syntax-fehler.de> | 2015-10-23 15:38:01 +0200 |
| commit | a1d05482e5527d32baef9d9343b900dee8d46694 (patch) | |
| tree | 2de3ac509481799f6188620987cdf1678ea675a5 | |
| parent | 709ebf6bbcc2e0d4644ed35cd42db47c4f2e78c5 (diff) | |
| parent | 93dcfe5ad61903f90f422d9d6c97e499b240aa86 (diff) | |
Merge remote-tracking branch 'cloudkrebs/master'
41 files changed, 751 insertions, 270 deletions
diff --git a/default.nix b/default.nix index 11bae7d9..b261e51e 100644 --- a/default.nix +++ b/default.nix @@ -17,7 +17,8 @@ { current-date ? abort "current-date not defined" , current-host-name ? abort "current-host-name not defined" , current-user-name ? builtins.getEnv "LOGNAME" -}@current: +, StrictHostKeyChecking ? "yes" +}@args: let stockholm = { # The generated scripts to deploy (or infest) systems can be found in the @@ -44,11 +45,25 @@ let stockholm = { # Additionally, output lib and pkgs for easy access from the shell. # Notice how we're evaluating just the base module to obtain pkgs. inherit lib; - inherit (eval {}) pkgs; + inherit pkgs; }; - krebs = import ./krebs (current // { inherit stockholm; }); - inherit (krebs) lib; + krebs = import ./krebs (args // { inherit lib stockholm; }); + + lib = + let + lib = import <nixpkgs/lib>; + klib = import ./krebs/4lib { inherit lib; }; + #ulib = import (./. + "/${current-user-name}/4lib") { lib = lib // klib; }; + ulib = {}; # TODO + in + builtins // lib // klib // ulib // rec { + # TODO move this stuff + stockholm-path = ./.; + nspath = ns: p: stockholm-path + "/${ns}/${p}"; + }; + + inherit (eval {}) pkgs; # Path resolvers for common and individual files. # Example: `upath "3modules"` produces the current user's 3modules directory @@ -65,8 +80,8 @@ let stockholm = { let # Notice the ordering. Krebs packages can only depend on Nixpkgs, # whereas user packages additionally can depend on krebs packages. - kpkgs = import (kpath "5pkgs") { inherit pkgs; }; - upkgs = import (upath "5pkgs") { pkgs = pkgs // kpkgs; }; + kpkgs = import (kpath "5pkgs") { inherit lib pkgs; }; + upkgs = import (upath "5pkgs") { inherit lib; pkgs = pkgs // kpkgs; }; in kpkgs // upkgs; }; @@ -76,8 +91,10 @@ let stockholm = { # packages and modules on top of NixOS. Some of this stuff might become # useful to a broader audience, at which point it should probably be merged # and pull-requested for inclusion into NixOS/nixpkgs. - # TODO provide krebs lib, so modules don't have to import it awkwardly eval = config: import <nixpkgs/nixos/lib/eval-config.nix> { + specialArgs = { + inherit lib; + }; modules = [ base-module config diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 57495ea6..1205e192 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../4lib { inherit lib; }; +with lib; let target = config.krebs.build // { user.name = "root"; }; diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bc858f66..e0c3b00f 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../4lib { inherit lib; }; +with lib; let cfg = config.krebs; diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 64b7820b..23412949 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -6,7 +6,7 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with import ../4lib { inherit lib; }; +with lib; let cfg = config.krebs.git; diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 2a1df9e0..5503ee8d 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: -with builtins; -with import ../4lib { inherit lib; }; +with lib; let cfg = config.krebs.github-hosts-sync; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index afedf95f..498282b0 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,8 +1,36 @@ { lib, ... }: -with import ../../4lib { inherit lib; }; +with lib; -{ +let + testHosts = lib.genAttrs [ + "test-arch" + "test-centos6" + "test-centos7" + ] (name: { + inherit name; + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.111.111"]; + addrs6 = ["42:0:0:0:0:0:0:7357"]; + aliases = [ + "test.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd + mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5 + TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1 + K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8 + QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY + VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }); +in { hosts = addNames { echelon = { cores = 4; @@ -104,7 +132,11 @@ with import ../../4lib { inherit lib; }; uriel = { cores = 1; dc = "lass"; - nets = rec { + nets = { + gg23 = { + addrs4 = ["10.23.1.12"]; + aliases = ["uriel.gg23"]; + }; retiolum = { addrs4 = ["10.243.81.176"]; addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; @@ -131,7 +163,11 @@ with import ../../4lib { inherit lib; }; mors = { cores = 2; dc = "lass"; - nets = rec { + nets = { + gg23 = { + addrs4 = ["10.23.1.11"]; + aliases = ["mors.gg23"]; + }; retiolum = { addrs4 = ["10.243.0.2"]; addrs6 = ["42:0:0:0:0:0:0:dea7"]; @@ -155,8 +191,24 @@ with import ../../4lib { inherit lib; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD"; }; + schnabel-ap = { + nets = { + gg23 = { + addrs4 = ["10.23.1.20"]; + aliases = ["schnabel-ap.gg23"]; + }; + }; + }; + Reichsfunk-ap = { + nets = { + gg23 = { + addrs4 = ["10.23.1.10"]; + aliases = ["Reichsfunk-ap.gg23"]; + }; + }; + }; - }; + } // testHosts; users = addNames { lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index bc0d389f..d328033c 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -1,6 +1,6 @@ { lib, ... }: -with import ../../4lib { inherit lib; }; +with lib; { hosts = addNames { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 5d5fead8..4c295dff 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -1,6 +1,6 @@ { lib, ... }: -with import ../../4lib { inherit lib; }; +with lib; { dns.providers = { @@ -65,7 +65,7 @@ with import ../../4lib { inherit lib; }; dc = "tv"; #dc = "cac"; nets = rec { internet = { - addrs4 = ["104.233.84.215"]; + addrs4 = ["104.167.114.142"]; aliases = [ "mkdir.internet" ]; @@ -231,6 +231,7 @@ with import ../../4lib { inherit lib; }; addrs6 = ["42:0:0:0:0:0:0:1337"]; aliases = [ "wu.retiolum" + "cgit.wu.retiolum" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 0a610131..396307c2 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -3,8 +3,6 @@ with builtins; with lib; -builtins // -lib // rec { eq = x: y: x == y; diff --git a/krebs/4lib/infest/finalize.sh b/krebs/4lib/infest/finalize.sh index 0039960c..94b13e0b 100644 --- a/krebs/4lib/infest/finalize.sh +++ b/krebs/4lib/infest/finalize.sh @@ -3,8 +3,8 @@ set -eux { umount /mnt/nix umount /mnt/root - umount /boot || : umount /mnt/boot + umount /boot || : umount /mnt coreutils_path=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i) diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 9fbd5be8..94c9b0fb 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -18,6 +18,13 @@ prepare() {( esac ;; esac + elif test -e /etc/centos-release; then + case $(cat /etc/centos-release) in + 'CentOS release 6.5 (Final)') + prepare_centos "$@" + exit + ;; + esac fi echo "$0 prepare: unknown OS" >&2 exit -1 diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 84fb8725..0ec4b3de 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -1,7 +1,6 @@ -{ pkgs, ... }: - -with import ../4lib { inherit (pkgs) lib; }; +{ lib, pkgs, ... }: +with lib; let subdirs = mapAttrs (_: flip pkgs.callPackage {}) (subdirsOf ./.); pkgs' = pkgs // subdirs; diff --git a/krebs/default.nix b/krebs/default.nix index c23cf152..31a7f7d0 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -1,14 +1,16 @@ { current-date , current-host-name , current-user-name +, lib , stockholm +, StrictHostKeyChecking ? "yes" }: let out = { inherit deploy; inherit infest; inherit init; - inherit lib; + inherit nixos-install; }; deploy = @@ -23,7 +25,7 @@ let out = { set -efu (${populate args}) ${rootssh target '' - ${install args} + ${nix-install args} ${config.krebs.build.profile}/bin/switch-to-configuration switch ''} echo OK @@ -39,63 +41,14 @@ let out = { # krebs.infest set -efu - # XXX type -p is non-standard - #export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \ - # -o 'HostName $ {target.host.infest.addr}' \ - # -o 'Port $ {toString target.host.infest.port}' \ - #" - #ssh() { - # eval "$RSYNC_RSH \"\$@\"" - #} - - ${lib.rootssh target '' + ${rootssh target '' ${builtins.readFile ./4lib/infest/prepare.sh} ${builtins.readFile ./4lib/infest/install-nix.sh} ''} - (${lib.populate args}) - - ${lib.rootssh target '' - export PATH; PATH=/root/.nix-profile/bin:$PATH - - src=$(type -p nixos-install) - cat_src() { - sed < "$src" "$( - { sed < "$src" -n ' - /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= - /^nixpkgs=/= - /^NIX_PATH=/,/^$/{/./=} - - # Disable: Copy the NixOS/Nixpkgs sources to the target as - # the initial contents of the NixOS channel. - /^srcs=/,/^ln -sfn /= - ' - } | sed 's:$:s/^/#krebs#/:' - )" - } - - # Location to insert install - i=$(sed -n '/^echo "building the system configuration/=' "$src") - - { - cat_src | sed -n "1,$i{p}" - cat ${lib.doc (install args)} - cat_src | sed -n "$i,\''${$i!p}" - } > nixos-install - chmod +x nixos-install - - ## Wrap inserted install into chroot. - #nix_env=$(cat_src | sed -n ' - # s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q - #') - #echo nix-env is $nix_env - #sed -i ' - # s:^nix-env:chroot $mountPoint '"$nix_env"': - #' nixos-install - - unset SSL_CERT_FILE - ./nixos-install + (${nixos-install args}) + ${rootssh target '' ${builtins.readFile ./4lib/infest/finalize.sh} ''} ''; @@ -135,10 +88,74 @@ let out = { EOF ''; - lib = import ./4lib { lib = import <nixpkgs/lib>; } // rec { - stockholm-path = ../.; - nspath = ns: p: stockholm-path + "/${ns}/${p}"; - }; + nixos-install = + { system ? current-host-name + , target ? system + }@args: let + in '' + #! /bin/sh + # ${current-date} ${current-user-name}@${current-host-name} + # krebs.nixos-install + (${populate args}) + + ${rootssh target '' + export PATH; PATH=/root/.nix-profile/bin:$PATH + + src=$(type -p nixos-install) + cat_src() { + sed < "$src" "$( + { sed < "$src" -n ' + /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= + /^nixpkgs=/= + /^NIX_PATH=/,/^$/{/./=} + + # Disable: Copy the NixOS/Nixpkgs sources to the target as + # the initial contents of the NixOS channel. + /^srcs=/,/^ln -sfn /= + ' + } | sed 's:$:s/^/#krebs#/:' + )" + } + + # Location to insert `nix-install` + i=$(sed -n '/^echo "building the system configuration/=' "$src") + + { + cat_src | sed -n "1,$i{p}" + cat ${doc (nix-install args)} + cat_src | sed -n "$i,\''${$i!p}" + } > nixos-install + chmod +x nixos-install + + # Wrap inserted nix-install into chroot. + nix_env=$(cat_src | sed -n ' + s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q + ') + echo "nix-env is $nix_env" >&2 + findpkg() {( + name=$1 + path=$(find /nix/store \ + -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \ + | head -n 1 | sed s:^/mnt::) + if echo "$path" | grep .; then + echo "$name is $path" >&2 + else + echo "Error: package not found: $name" >&2 + exit 1 + fi + )} + cacert=$(findpkg cacert) + coreutils=$(findpkg coreutils) + cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE + env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE" + sed -i ' + s:^NIX_PATH=:chroot $mountPoint '"$env"' &: + s:^nix-env:'"$nix_env"': + ' nixos-install + + ./nixos-install + ''} + ''; doc = s: let b = "EOF${builtins.hashString "sha256" s}"; in @@ -152,7 +169,7 @@ let out = { stockholm.users.${current-user-name}.${system}.config or (abort "unknown system: ${system}, user: ${current-user-name}"); - install = + nix-install = { system ? current-host-name , target ? system }: @@ -203,11 +220,8 @@ let out = { current-host = config.krebs.hosts.${current-host-name}; current-user = config.krebs.users.${current-user-name}; - target-host = config.krebs.hosts.${system}; - methods.dir = config: let - can-link = config.host.name == target-host.name; can-push = config.host.name == current-host.name; push-method = '' rsync \ @@ -221,11 +235,11 @@ let out = { ${config.path}/ \ root@${target}:${config.target-path} ''; - url = "file://${config.host.name}${config.path}"; in - #if can-link then link-method else if can-push then push-method else - throw "cannot source ${url}"; + let dir = "file://${config.host.name}${config.path}"; in + # /!\ revise this message when using more than just push-method + throw "No way to push ${dir} from ${current-host.name} to ${target}"; methods.git = config: rootssh target '' @@ -251,7 +265,10 @@ let out = { in out; rootssh = target: script: - "ssh root@${target} -T ${doc '' + let + flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; + in + "ssh ${flags} root@${target} -T ${doc '' set -efu ${script} ''}"; diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 17915e08..ab24b584 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -27,30 +27,9 @@ in { } { - nix.maxJobs = 1; sound.enable = false; } ]; - krebs.build = { - user = config.krebs.users.lass; - host = config.krebs.hosts.cloudkrebs; - source = { - dir.secrets = { - host = config.krebs.hosts.mors; - path = "/home/lass/secrets/${config.krebs.build.host.name}"; - }; - dir.stockholm = { - host = config.krebs.hosts.mors; - path = "/home/lass/dev/stockholm"; - }; - }; - }; - - networking.hostName = "cloudkrebs"; - - environment.systemPackages = [ - pkgs.dic - ]; - + krebs.build.host = config.krebs.hosts.cloudkrebs; } diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index feaf77ef..94c793b0 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -31,26 +31,23 @@ in { } { - nix.maxJobs = 1; sound.enable = false; } - ]; - - krebs.build = { - user = config.krebs.users.lass; - host = config.krebs.hosts.echelon; - source = { - dir.secrets = { - host = config.krebs.hosts.mors; - path = "/home/lass/secrets/${config.krebs.build.host.name}"; - }; - dir.stockholm = { - host = config.krebs.hosts.mors; - path = "/home/lass/dev/stockholm"; + { + imports = [ + ../3modules/dnsmasq.nix + ]; + lass.dnsmasq = { + enable = true; + config = '' + interface=retiolum + ''; }; - }; - }; - - networking.hostName = config.krebs.build.host.name; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; } + ]; + } + ]; + krebs.build.host = config.krebs.hosts.echelon; } diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 7076c8b1..b0b8ff57 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -2,7 +2,7 @@ { imports = [ - ../2configs/desktop-base.nix + ../2configs/baseX.nix ../2configs/programs.nix ../2configs/bitcoin.nix ../2configs/browsers.nix @@ -10,7 +10,6 @@ ../2configs/pass.nix ../2configs/virtualbox.nix ../2configs/elster.nix - ../2configs/urxvt.nix ../2configs/steam.nix ../2configs/wine.nix ../2configs/texlive.nix @@ -18,7 +17,6 @@ #../2configs/ircd.nix ../2configs/chromium-patched.nix ../2configs/git.nix - #../../2configs/tv/synaptics.nix ../2configs/retiolum.nix ../2configs/wordpress.nix ../2configs/bitlbee.nix @@ -26,22 +24,8 @@ ../2configs/skype.nix ]; - krebs.build = { - user = config.krebs.users.lass; - host = config.krebs.hosts.mors; - source = { - dir.secrets = { - host = config.krebs.hosts.mors; - path = "/home/lass/secrets/${config.krebs.build.host.name}"; - }; - dir.stockholm = { - host = config.krebs.hosts.mors; - path = "/home/lass/dev/stockholm"; - }; - }; - }; + krebs.build.host = config.krebs.hosts.mors; - networking.hostName = "mors"; networking.wireless.enable = true; networking.extraHosts = '' @@ -52,8 +36,6 @@ 10.243.206.102 apanowicz.de ''; - nix.maxJobs = 4; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; @@ -159,11 +141,6 @@ emulateWheel = true; }; - #system.activationScripts.trackpoint = '' - # echo 0 > '/sys/devices/platform/i8042/serio1/serio2/speed' - # echo 220 > '/sys/devices/platform/i8042/serio1/serio2/sensitivity' - #''; - services.xserver = { videoDriver = "intel"; vaapiDrivers = [ pkgs.vaapiIntel ]; @@ -210,9 +187,19 @@ ]; }; }; + #touchpad config services.xserver.synaptics = { enable = true; + accelFactor = "0.035"; + additionalOptions = '' + Option "FingerHigh" "60" + Option "FingerLow" "60" + ''; tapButtons = false; + twoFingerScroll = true; }; + + #for google hangout + users.extraUsers.gm.extraGroups = [ "audio" "video" ]; } diff --git a/lass/1systems/test-arch.nix b/lass/1systems/test-arch.nix new file mode 100644 index 00000000..0ab9da2f --- /dev/null +++ b/lass/1systems/test-arch.nix @@ -0,0 +1,36 @@ +{ config, lib, pkgs, ... }: + +let + inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; + inherit (lib) head; + +in { + imports = [ + ../2configs/base.nix + { + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/sda1"; + }; + } + { + networking.dhcpcd.allowInterfaces = [ + "enp*" + ]; + } + { + sound.enable = false; + } + ]; + + krebs.build.host = config.krebs.hosts.test-arch; +} diff --git a/lass/1systems/test-centos6.nix b/lass/1systems/test-centos6.nix new file mode 100644 index 00000000..7270c226 --- /dev/null +++ b/lass/1systems/test-centos6.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +let + inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway; + inherit (lib) head; + + ip = "168.235.148.52"; +in { + imports = [ + ../2configs/base.nix + ../2configs/os-templates/CAC-CentOS-6.5-64bit.nix + { + networking.interfaces.enp11s0.ip4 = [ + { + address = ip; + prefixLength = 24; + } + ]; + networking.defaultGateway = getDefaultGateway ip; + networking.nameservers = [ + "8.8.8.8" + ]; + } + { + sound.enable = false; + } + ]; + + krebs.build.host = config.krebs.hosts.test-centos6; +} diff --git a/lass/1systems/test-centos7.nix b/lass/1systems/test-centos7.nix new file mode 100644 index 00000000..91bd3e0f --- /dev/null +++ b/lass/1systems/test-centos7.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + |