diff options
| -rw-r--r-- | Makefile | 15 | ||||
| -rw-r--r-- | default.nix | 31 | ||||
| -rw-r--r-- | krebs/3modules/build.nix | 72 | ||||
| -rw-r--r-- | krebs/3modules/build/default.nix | 304 | ||||
| -rw-r--r-- | krebs/3modules/default.nix | 2 | ||||
| -rw-r--r-- | krebs/4lib/infest/finalize.sh (renamed from krebs/3modules/build/infest/finalize.sh) | 0 | ||||
| -rw-r--r-- | krebs/4lib/infest/install-nix.sh (renamed from krebs/3modules/build/infest/install-nix.sh) | 0 | ||||
| -rw-r--r-- | krebs/4lib/infest/prepare.sh (renamed from krebs/3modules/build/infest/prepare.sh) | 0 | ||||
| -rw-r--r-- | krebs/default.nix | 263 |
9 files changed, 358 insertions, 329 deletions
@@ -1,7 +1,8 @@ # # usage: -# make system=foo -# make systems='foo bar' +# make infest system=foo [target=bar] +# make [deploy] system=foo [target=bar] +# make [deploy] systems='foo bar' # make eval get=tv.wu.config.time.timeZone [filter=json] # @@ -11,6 +12,7 @@ ifdef systems $(systems): @ + unset target parallel \ --line-buffer \ -j0 \ @@ -20,7 +22,7 @@ $(systems): else ifdef system .PHONY: deploy infest deploy infest:;@ - export get=$$LOGNAME.${system}.config.krebs.build.scripts.$@ + export get=krebs.$@ export filter=json make -s eval | sh @@ -39,8 +41,11 @@ endif --eval \ -A "$$get" \ '<stockholm>' \ - --argstr user-name "$$LOGNAME" \ - --argstr host-name "$$HOSTNAME" \ + --argstr current-date "$$(date -Is)" \ + --argstr current-host-name "$$HOSTNAME" \ + --argstr current-user-name "$$LOGNAME" \ + $${system+--argstr system "$$system"} \ + $${target+--argstr target "$$target"} \ | filter else $(error unbound variable: system[s]) diff --git a/default.nix b/default.nix index 1c3341ba..7f3f621b 100644 --- a/default.nix +++ b/default.nix @@ -1,36 +1,29 @@ -{ user-name, host-name }: +{ current-date +, current-host-name +, current-user-name +}: let lib = import <nixpkgs/lib>; krebs-modules-path = ./krebs/3modules; krebs-pkgs-path = ./krebs/5pkgs; - user-modules-path = ./. + "/${user-name}/3modules"; - user-pkgs-path = ./. + "/${user-name}/5pkgs"; + user-modules-path = ./. + "/${current-user-name}/3modules"; + user-pkgs-path = ./. + "/${current-user-name}/5pkgs"; out = - (lib.mapAttrs (k: v: mk-namespace (./. + "/${k}")) + (lib.mapAttrs + (k: v: + if builtins.pathExists (./. + "/${k}/1systems") + then mk-namespace (./. + "/${k}") + else import (./. + "/${k}")) (lib.filterAttrs - (k: v: !lib.hasPrefix "." k && v == "directory" && - builtins.pathExists (./. + "/${k}/1systems")) + (k: v: !lib.hasPrefix "." k && v == "directory") (builtins.readDir ./.))); eval = path: import <nixpkgs/nixos/lib/eval-config.nix> { system = builtins.currentSystem; modules = [ - ({ config, ... }: - with import ./krebs/4lib { inherit lib; }; - { - options.krebs.exec.host = mkOption { - type = types.host; - default = config.krebs.hosts.${host-name}; - }; - options.krebs.exec.user = mkOption { - type = types.user; - default = config.krebs.users.${user-name}; - }; - } - ) path krebs-modules-path user-modules-path diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix new file mode 100644 index 00000000..57495ea6 --- /dev/null +++ b/krebs/3modules/build.nix @@ -0,0 +1,72 @@ +{ config, lib, ... }: + +with import ../4lib { inherit lib; }; + +let + target = config.krebs.build // { user.name = "root"; }; + + out = { + # TODO deprecate krebs.build.host + options.krebs.build.host = mkOption { + type = types.host; + }; + + # TODO make krebs.build.profile shell safe + options.krebs.build.profile = mkOption { + type = types.str; + default = "/nix/var/nix/profiles/system"; + }; + + # TODO make krebs.build.target.host :: host + options.krebs.build.target = mkOption { + type = with types; nullOr str; + default = null; + }; + + # TODO deprecate krebs.build.user + options.krebs.build.user = mkOption { + type = types.user; + }; + + options.krebs.build.source.dir = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + host = mkOption { + type = types.host; + }; + path = mkOption { + type = types.str; + }; + target-path = mkOption { + type = types.str; + default = "/root/${config._module.args.name}"; + }; + url = mkOption { + type = types.str; + default = "file://${config.host.name}${config.path}"; + }; + }; + })); + default = {}; + }; + + options.krebs.build.source.git = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + url = mkOption { + type = types.str; # TODO must be shell safe + }; + rev = mkOption { + type = types.str; + }; + target-path = mkOption { + type = types.str; + default = "/root/${config._module.args.name}"; + }; + }; + })); + default = {}; + }; + }; + +in out diff --git a/krebs/3modules/build/default.nix b/krebs/3modules/build/default.nix deleted file mode 100644 index 23bd8c8f..00000000 --- a/krebs/3modules/build/default.nix +++ /dev/null @@ -1,304 +0,0 @@ -{ config, lib, ... }: - -with import ../../4lib { inherit lib; }; - -let - target = config.krebs.build // { user.name = "root"; }; - - out = { - # TODO deprecate krebs.build.host - options.krebs.build.host = mkOption { - type = types.host; - }; - - # TODO make krebs.build.profile shell safe - options.krebs.build.profile = mkOption { - type = types.str; - default = "/nix/var/nix/profiles/system"; - }; - - # TODO make krebs.build.target.host :: host - options.krebs.build.target = mkOption { - type = with types; nullOr str; - default = null; - }; - - # TODO deprecate krebs.build.user - options.krebs.build.user = mkOption { - type = types.user; - }; - - options.krebs.build.scripts.init = lib.mkOption { - type = lib.types.str; - default = - let - inherit (config.krebs.build) host; - in - '' - #! /bin/sh - set -efu - - hostname=${host.name} - secrets_dir=${config.krebs.build.source.dir.secrets.path} - key_type=ed25519 - key_file=$secrets_dir/ssh.id_$key_type - key_comment=$hostname - - if test -e "$key_file"; then - echo "Warning: privkey already exists: $key_file" >&2 - else - ssh-keygen \ - -C "$key_comment" \ - -t "$key_type" \ - -f "$key_file" \ - -N "" - rm "$key_file.pub" - fi - - pubkey=$(ssh-keygen -y -f "$key_file") - - cat<<EOF - # put following into config.krebs.hosts.$hostname: - ssh.pubkey = $(echo $pubkey | jq -R .); - EOF - ''; - }; - - options.krebs.build.scripts.deploy = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - (${config.krebs.build.scripts._source}) - ${ssh-target '' - ${config.krebs.build.scripts._nix-env} - ${config.krebs.build.profile}/bin/switch-to-configuration switch - ''} - echo OK - ''; - }; - - options.krebs.build.scripts.infest = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - - export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \ - -o 'HostName ${target.host.infest.addr}' \ - -o 'Port ${toString target.host.infest.port}' \ - " - ssh() { - eval "$RSYNC_RSH \"\$@\"" - } - - ${ssh-target '' - ${readFile ./infest/prepare.sh} - ${readFile ./infest/install-nix.sh} - ''} - - (${config.krebs.build.scripts._source}) - - ${ssh-target '' - export PATH; PATH=/root/.nix-profile/bin:$PATH - - src=$(type -p nixos-install) - cat_src() { - sed < "$src" "$( - { sed < "$src" -n ' - /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= - /^nixpkgs=/= - /^NIX_PATH=/,/^$/{/./=} - - # Disable: Copy the NixOS/Nixpkgs sources to the target as - # the initial contents of the NixOS channel. - /^srcs=/,/^ln -sfn /= - ' - } | sed 's:$:s/^/#krebs#/:' - )" - } - - # Location to insert config.krebs.build.scripts._nix-env - i=$(sed -n '/^echo "building the system configuration/=' "$src") - - { - cat_src | sed -n "1,$i{p}" - cat ${doc config.krebs.build.scripts._nix-env} - cat_src | sed -n "$i,\''${$i!p}" - } > nixos-install - chmod +x nixos-install - - # Wrap inserted config.krebs.build.scripts._nix-env into chroot. - nix_env=$(cat_src | sed -n ' - s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q - ') - echo nix-env is $nix_env - sed -i ' - s:^nix-env:chroot $mountPoint '"$nix_env"': - ' nixos-install - - ./nixos-install - - ${readFile ./infest/finalize.sh} - ''} - ''; - }; - - options.krebs.build.scripts._nix-env = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - NIX_PATH=${config.krebs.build.source.NIX_PATH} \ - nix-env \ - -f '<stockholm>' \ - -Q \ - --argstr user-name ${config.krebs.exec.user.name} \ - --argstr host-name ${target.host.name} \ - --profile ${config.krebs.build.profile} \ - --set \ - -A ${lib.escapeShellArg (lib.concatStringsSep "." [ - config.krebs.build.user.name - config.krebs.build.host.name - "system" - ])} - ''; - }; - - options.krebs.build.scripts._source = lib.mkOption { - type = lib.types.str; - default = '' - set -efu - ${ - lib.concatStringsSep "\n" - (lib.mapAttrsToList - (name: { scripts, url, ... }: "(${scripts._source})") - (config.krebs.build.source.dir // - config.krebs.build.source.git)) - } - ''; - }; - - options.krebs.build.source.NIX_PATH = mkOption { - type = types.str; - default = - lib.concatStringsSep ":" - (lib.mapAttrsToList (name: _: "${name}=/root/${name}") - (config.krebs.build.source.dir // - config.krebs.build.source.git)); - }; - - options.krebs.build.source.dir = mkOption { - type = - let - exec = config.krebs.exec; - in - types.attrsOf (types.submodule ({ config, ... }: - let - url = "file://${config.host.name}${config.path}"; - - can-link = config.host.name == target.host.name; - can-push = config.host.name == exec.host.name; - - push-method = '' - rsync \ - --exclude .git \ - --exclude .graveyard \ - --exclude old \ - --exclude tmp \ - --rsync-path='mkdir -p ${config.target-path} && rsync' \ - --delete-excluded \ - -vrLptgoD \ - ${config.path}/ \ - ${target.user.name}@${target.host.name}:${config.target-path} - ''; - in - { - options = { - host = mkOption { - type = types.host; - }; - path = mkOption { - type = types.str; - }; - scripts._source = mkOption { - type = types.str; - default = - #if can-link then link-method else - if can-push then push-method else - throw "cannot source ${url}"; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - url = mkOption { - type = types.str; - default = "file://${config.host.name}${config.path}"; - }; - }; - } - )); - default = {}; - }; - - options.krebs.build.source.git = mkOption { - type = - let - target = config.krebs.build // { user.name = "root"; }; - in - with types; attrsOf (submodule ({ config, ... }: - { - options = { - url = mkOption { - type = types.str; # TODO must be shell safe - }; - rev = mkOption { - type = types.str; - }; - scripts._source = mkOption { - type = types.str; - default = ssh-target '' - mkdir -p ${config.target-path} - cd ${config.target-path} - if ! test -e .git; then - git init - fi - if ! cur_url=$(git config remote.origin.url 2>/dev/null); then - git remote add origin ${config.url} - elif test "$cur_url" != ${config.url}; then - git remote set-url origin ${config.url} - fi - if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then - git fetch origin - git checkout ${config.rev} -- . - git checkout -q ${config.rev} - git submodule init - git submodule update - fi - git clean -dxf - ''; - }; - target-path = mkOption { - type = types.str; - default = "/root/${config._module.args.name}"; - }; - }; - } - )); - default = {}; - }; - }; - - doc = s: - let b = "EOF${hashString "sha256" s}"; in - '' - <<\${b} - ${s} - ${b} - ''; - - ssh-target = script: - "ssh root@${target.host.name} -T ${doc '' - set -efu - ${script} - ''}"; - -in out diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 2b4a13c4..d3481505 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -6,7 +6,7 @@ let out = { imports = [ - ./build + ./build.nix ./exim-retiolum.nix ./exim-smarthost.nix ./github-hosts-sync.nix diff --git a/krebs/3modules/build/infest/finalize.sh b/krebs/4lib/infest/finalize.sh index ced5a4d4..ced5a4d4 100644 --- a/krebs/3modules/build/infest/finalize.sh +++ b/krebs/4lib/infest/finalize.sh diff --git a/krebs/3modules/build/infest/install-nix.sh b/krebs/4lib/infest/install-nix.sh index 88c8c3e1..88c8c3e1 100644 --- a/krebs/3modules/build/infest/install-nix.sh +++ b/krebs/4lib/infest/install-nix.sh diff --git a/krebs/3modules/build/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 07c00c3a..07c00c3a 100644 --- a/krebs/3modules/build/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh diff --git a/krebs/default.nix b/krebs/default.nix new file mode 100644 index 00000000..0ec4c607 --- /dev/null +++ b/krebs/default.nix @@ -0,0 +1,263 @@ +{ current-date +, current-host-name +, current-user-name +}@current: rec { + + deploy = + { system ? current-host-name + , target ? system + }@args: let + config = lib.get-config system; + in '' + #! /bin/sh + # ${current-date} ${current-user-name}@${current-host-name} + # krebs.deploy + set -efu + (${lib.populate args}) + ${lib.rootssh target '' + ${lib.install args} + ${config.krebs.build.profile}/bin/switch-to-configuration switch + ''} + echo OK + ''; + + infest = + { system ? current-host-name + , target ? system + }@args: let + in '' + #! /bin/sh + # ${current-date} ${current-user-name}@${current-host-name} + # krebs.infest + set -efu + + # XXX type -p is non-standard + #export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \ + # -o 'HostName $ {target.host.infest.addr}' \ + # -o 'Port $ {toString target.host.infest.port}' \ + #" + #ssh() { + # eval "$RSYNC_RSH \"\$@\"" + #} + + ${lib.rootssh target '' + ${builtins.readFile ./4lib/infest/prepare.sh} + ${builtins.readFile ./4lib/infest/install-nix.sh} + ''} + + (${lib.populate args}) + + ${lib.rootssh target '' + export PATH; PATH=/root/.nix-profile/bin:$PATH + + src=$(type -p nixos-install) + cat_src() { + sed < "$src" "$( + { sed < "$src" -n ' + /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= + /^nixpkgs=/= + /^NIX_PATH=/,/^$/{/./=} + + # Disable: Copy the NixOS/Nixpkgs sources to the target as + # the initial contents of the NixOS channel. + /^srcs=/,/^ln -sfn /= + ' + } | sed 's:$:s/^/#krebs#/:' + )" + } + + # Location to insert lib.install + i=$(sed -n '/^echo "building the system configuration/=' "$src") + + { + cat_src | sed -n "1,$i{p}" + cat ${lib.doc (lib.install args)} + cat_src | sed -n "$i,\''${$i!p}" + } > nixos-install + chmod +x nixos-install + + ## Wrap inserted lib.install into chroot. + #nix_env=$(cat_src | sed -n ' + # s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q + #') + #echo nix-env is $nix_env + #sed -i ' + # s:^nix-env:chroot $mountPoint '"$nix_env"': + #' nixos-install + + ./nixos-install + + ${builtins.readFile ./4lib/infest/finalize.sh} + ''} + ''; + + init = + { system ? current-host-name + }@args: let + config = lib.get-config system; + in '' + #! /bin/sh + # ${current-date} ${current-user-name}@${current-host-name} + # krebs.init + set -efu + + system=${lib.shell.escape system} + secrets_dir=${config.krebs.build.source.dir.secrets.path} + key_type=ed25519 + key_file=$secrets_dir/ssh.id_$key_type + key_comment=$system + + if test -e "$key_file"; then + echo "Warning: privkey already exists: $key_file" >&2 + else + ssh-keygen \ + -C "$key_comment" \ + -t "$key_type" \ + -f "$key_file" \ + -N "" + rm "$key_file.pub" + fi + + pubkey=$(ssh-keygen -y -f "$key_file") + + cat<<EOF + # put following into config.krebs.hosts.$system: + ssh.pubkey = $(echo $pubkey | jq -R .); + EOF + ''; + + lib = import ./4lib { lib = import <nixpkgs/lib>; } // rec { + + stockholm = import ../. current; + + get-config = system: + stockholm.${current-user-name}.${system}.config + or (abort "unknown system: ${system}"); + + doc = s: + let b = "EOF${builtins.hashString "sha256" s}"; in + '' + <<\${b} + ${s} + ${b} + ''; + + rootssh = target: script: + "ssh root@${target} -T ${lib.doc '' + set -efu + ${script} + ''}"; + + install = + { system ? current-host-name + , target ? system + }: + let + stockholm = import ../. { + inherit current-date; + inherit current-host-name; + inherit current-user-name; + }; + + config = stockholm.${current-user-name}.${system}.config + or (abort "unknown system: ${system}"); + + nix-path = + lib.concatStringsSep ":" + (lib.mapAttrsToList (name: _: "${name}=/root/${name}") + (config.krebs.build.source.dir // + config.krebs.build.source.git)); + in '' + set -efu + NIX_PATH=${lib.shell.escape nix-path} \ + nix-env \ + --show-trace \ + -f '<stockholm>' \ + -Q \ + --argstr current-date ${lib.shell.escape current-date} \ + --argstr current-host-name ${lib.shell.escape current-host-name} \ + --argstr current-user-name ${lib.shell.escape current-user-name} \ + --profile ${lib.shell.escape config.krebs.build.profile} \ + --set \ + -A ${lib.escapeShellArg (lib.concatStringsSep "." [ + config.krebs.build.user.name + config.krebs.build.host.name + "system" + ])} + ''; + + populate = + { system ? current-host-name + , target ? system + }@args: + let out = '' + #! /bin/sh + # ${current-date} ${current-user-name}@${current-host-name} + set -efu + ${lib.concatStringsSep "\n" + (lib.concatMap + (type: lib.mapAttrsToList (_: methods.${type}) + config.krebs.build.source.${type}) + ["dir" "git"])} + ''; + + stockholm = import ../. { + inherit current-date; + inherit current-host-name; + inherit current-user-name; + }; + + config = stockholm.${current-user-name}.${system}.config + or (abort "unknown system: ${system}"); + + current-host = config.krebs.hosts.${current-host-name}; + current-user = config.krebs.users.${current-user-name}; + + target-host = config.krebs.hosts.${system}; + + methods.dir = config: + let + can-link = config.host.name == target-host.name; + can-push = config.host.name == current-host.name; + push-method = '' + rsync \ + --exclude .git \ + --exclude .graveyard \ + --exclude old \ + --exclude tmp \ + --rsync-path='mkdir -p ${config.target-path} && rsync' \ + --delete-excluded \ + -vrLptgoD \ + ${config.path}/ \ + root@${target}:${config.target-path} + ''; + url = "file://${config.host.name}${config.path}"; + in + #if can-link then link-method else + if can-push then push-method else + throw "cannot source ${url}"; + + methods.git = config: + lib.rootssh target '' + mkdir -p ${config.target-path} + cd ${config.target-path} + if ! test -e .git; then + git init + fi + if ! cur_url=$(git config remote.origin.url 2>/dev/null); then + git remote add origin ${config.url} + elif test "$cur_url" != ${config.url}; then + git remote set-url origin ${config.url} + fi + if test "$(git rev-parse --verify HEAD 2>/dev/null)" != ${config.rev}; then + git fetch origin + git checkout ${config.rev} -- . + git checkout -q ${config.rev} + git submodule init + git submodule update + fi + git clean -dxf + ''; + in out; + }; +} |