diff options
78 files changed, 1592 insertions, 1006 deletions
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index d22dd381..71b22d8c 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -103,103 +103,91 @@ let plan.method == method && config.krebs.build.host.name == plan.${side}.host.name; - start = plan: pkgs.writeDash "backup.${plan.name}" '' + start = plan: let + login-name = "root"; + identity = local.host.ssh.privkey.path; + ssh = "ssh -i ${shell.escape identity}"; + local = getAttr plan.method { + push = plan.src // { rsync = src-rsync; }; + pull = plan.dst // { rsync = dst-rsync; }; + }; + remote = getAttr plan.method { + push = plan.dst // { rsync = dst-rsync; }; + pull = plan.src // { rsync = src-rsync; }; + }; + src-rsync = "rsync"; + dst-rsync = concatStringsSep " && " [ + "stat ${shell.escape plan.dst.path} >/dev/null" + "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current" + "flock -n ${shell.escape plan.dst.path} rsync" + ]; + in pkgs.writeScript "backup.${plan.name}" '' + #! ${pkgs.bash}/bin/bash set -efu + start_date=$(date +%s) + ssh_target=${shell.escape login-name}@$(${fastest-address remote.host}) ${getAttr plan.method { push = '' - identity=${shell.escape plan.src.host.ssh.privkey.path} - src_path=${shell.escape plan.src.path} - src=$src_path - dst_user=root - dst_host=$(${fastest-address plan.dst.host}) - dst_port=$(${network-ssh-port plan.dst.host "$dst_host"}) - dst_path=${shell.escape plan.dst.path} - dst=$dst_user@$dst_host:$dst_path - echo "update snapshot: current; $src -> $dst" >&2 - dst_shell() { - exec ssh -F /dev/null \ - -i "$identity" \ - ''${dst_port:+-p $dst_port} \ - "$dst_user@$dst_host" \ - -T "$with_dst_path_lock_script" - } - rsh="ssh -F /dev/null -i $identity ''${dst_port:+-p $dst_port}" - local_rsync() { - rsync "$@" - } - remote_rsync=${shell.escape (concatStringsSep " && " [ - "mkdir -m 0700 -p ${shell.escape plan.dst.path}/current" - "exec flock -n ${shell.escape plan.dst.path} rsync" - ])} + rsync_src=${shell.escape plan.src.path} + rsync_dst=$ssh_target:${shell.escape plan.dst.path} + echo >&2 "update snapshot current; $rsync_src -> $rsync_dst" ''; pull = '' - identity=${shell.escape plan.dst.host.ssh.privkey.path} - src_user=root - src_host=$(${fastest-address plan.src.host}) - src_port=$(${network-ssh-port plan.src.host "$src_host"}) - src_path=${shell.escape plan.src.path} - src=$src_user@$src_host:$src_path - dst_path=${shell.escape plan.dst.path} - dst=$dst_path - echo "update snapshot: current; $dst <- $src" >&2 - dst_shell() { - eval "$with_dst_path_lock_script" - } - rsh="ssh -F /dev/null -i $identity ''${src_port:+-p $src_port}" - local_rsync() { - mkdir -m 0700 -p ${shell.escape plan.dst.path}/current - flock -n ${shell.escape plan.dst.path} rsync "$@" - } - remote_rsync=rsync + rsync_src=$ssh_target:${shell.escape plan.src.path} + rsync_dst=${shell.escape plan.dst.path} + echo >&2 "update snapshot current; $rsync_dst <- $rsync_src" ''; }} - # Note that this only works because we trust date +%s to produce output - # that doesn't need quoting when used to generate a command string. - # TODO relax this requirement by selectively allowing to inject variables - # e.g.: ''${shell.quote "exec env NOW=''${shell.unquote "$NOW"} ..."} - with_dst_path_lock_script="exec env start_date=$(date +%s) "${shell.escape - "flock -n ${shell.escape plan.dst.path} /bin/sh" - } - local_rsync >&2 \ + ${local.rsync} >&2 \ -aAXF --delete \ - --rsh="$rsh" \ - --rsync-path="$remote_rsync" \ - --link-dest="$dst_path/current" \ - "$src/" \ - "$dst/.partial" - dst_shell < ${toFile "backup.${plan.name}.take-snapshots" '' + --rsh=${shell.escape ssh} \ + --rsync-path=${shell.escape remote.rsync} \ + --link-dest=${shell.escape plan.dst.path}/current \ + "$rsync_src/" \ + "$rsync_dst/.partial" + + dst_exec() { + ${getAttr plan.method { + push = ''exec ${ssh} "$ssh_target" -T "exec$(printf ' %q' "$@")"''; + pull = ''exec "$@"''; + }} + } + dst_exec env \ + start_date="$start_date" \ + flock -n ${shell.escape plan.dst.path} \ + /bin/sh < ${toFile "backup.${plan.name}.take-snapshots" '' set -efu : $start_date - dst=${shell.escape plan.dst.path} + dst_path=${shell.escape plan.dst.path} - mv "$dst/current" "$dst/.previous" - mv "$dst/.partial" "$dst/current" - rm -fR "$dst/.previous" + mv "$dst_path/current" "$dst_path/.previous" + mv "$dst_path/.partial" "$dst_path/current" + rm -fR "$dst_path/.previous" echo >&2 snapshot() {( : $ns $format $retain name=$(date --date="@$start_date" +"$format") - if ! test -e "$dst/$ns/$name"; then + if ! test -e "$dst_path/$ns/$name"; then echo >&2 "create snapshot: $ns/$name" - mkdir -m 0700 -p "$dst/$ns" + mkdir -m 0700 -p "$dst_path/$ns" rsync >&2 \ -aAXF --delete \ - --link-dest="$dst/current" \ - "$dst/current/" \ - "$dst/$ns/.partial.$name" - mv "$dst/$ns/.partial.$name" "$dst/$ns/$name" + --link-dest="$dst_path/current" \ + "$dst_path/current/" \ + "$dst_path/$ns/.partial.$name" + mv "$dst_path/$ns/.partial.$name" "$dst_path/$ns/$name" echo >&2 fi case $retain in ([0-9]*) delete_from=$(($retain + 1)) - ls -r "$dst/$ns" \ + ls -r "$dst_path/$ns" \ | sed -n "$delete_from,\$p" \ | while read old_name; do echo >&2 "delete snapshot: $ns/$old_name" - rm -fR "$dst/$ns/$old_name" + rm -fR "$dst_path/$ns/$old_name" done ;; (ALL) @@ -227,24 +215,12 @@ let | ${pkgs.coreutils}/bin/head -1; } ''; - # Note that we don't escape word on purpose, so we can deref shell vars. - # TODO type word - network-ssh-port = host: word: '' - case ${word} in - ${concatStringsSep ";;\n" (mapAttrsToList - (_: net: "(${head net.aliases}) echo ${toString net.ssh.port}") - host.nets)};; - esac - ''; - in out # TODO ionice -# TODO mail on failed push, pull # TODO mail on missing push # TODO don't cancel plans on activation # also, don't hang while deploying at: # starting the following units: backup.wu-home-xu.push.service, backup.wu-home-xu.push.timer -# TODO make sure /bku is properly mounted # TODO make sure that secure hosts cannot backup to insecure ones # TODO optionally only backup when src and dst are near enough :) # TODO try using btrfs for snapshots (configurable) diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index d4c6b08d..9cd09562 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -88,6 +88,8 @@ let #! /bin/sh set -efu + export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt + verbose() { printf '%s%s\n' "$PS5$(printf ' %q' "$@")" >&2 "$@" diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index be530d46..e87b3360 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -13,6 +13,7 @@ let ./buildbot/slave.nix ./build.nix ./current.nix + ./exim.nix ./exim-retiolum.nix ./exim-smarthost.nix ./fetchWallpaper.nix @@ -218,7 +219,7 @@ let (filter (hasSuffix ".${cfg.search-domain}") longs); add-port = a: - if net.ssh.port != null + if net.ssh.port != 22 then "[${a}]:${toString net.ssh.port}" else a; in @@ -228,8 +229,25 @@ let publicKey = host.ssh.pubkey; }) (filterAttrs (_: host: host.ssh.pubkey != null) cfg.hosts); + + programs.ssh.extraConfig = concatMapStrings + (net: '' + Host ${toString (net.aliases ++ net.addrs)} + Port ${toString net.ssh.port} + '') + (filter + (net: net.ssh.port != 22) + (concatMap (host: attrValues host.nets) + (mapAttrsToList + (_: host: recursiveUpdate host + (optionalAttrs (hasAttr config.krebs.search-domain host.nets) { + nets."" = host.nets.${config.krebs.search-domain} // { + aliases = [host.name]; + addrs = []; + }; + })) + config.krebs.hosts))); } ]; -in -out +in out diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 696c48ba..8b6ac4a4 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -32,7 +32,7 @@ let }; imp = { - services.exim = { + krebs.exim = { enable = true; config = # This configuration makes only sense for retiolum-enabled hosts. diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index cee10ce7..8d922703 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -105,7 +105,7 @@ let requires = [ "secret.service" ]; }; }; - services.exim = { + krebs.exim = { enable = true; config = '' keep_environment = @@ -136,6 +136,8 @@ let syslog_timestamp = false syslog_duplication = false + tls_advertise_hosts = + begin acl acl_check_rcpt: diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix new file mode 100644 index 00000000..16a2a37b --- /dev/null +++ b/krebs/3modules/exim.nix @@ -0,0 +1,80 @@ +{ config, lib, pkgs, ... }: with config.krebs.lib; let + cfg = config.krebs.exim; +in { + options.krebs.exim = { + enable = mkEnableOption "krebs.exim"; + config = mkOption { + type = types.str; + default = ""; + description = '' + Verbatim Exim configuration. This should not contain exim_user, + exim_group, exim_path, or spool_directory. + ''; + }; + user = mkOption { + type = types.user; + default = { + name = "exim"; + home = "/var/spool/exim"; + }; + description = '' + User to use when no root privileges are required. + In particular, this applies when receiving messages and when doing + remote deliveries. (Local deliveries run as various non-root users, + typically as the owner of a local mailbox.) Specifying this value + as root is not supported. + ''; + }; + group = mkOption { + type = types.group; + default = { + name = "exim"; + }; + description = '' + Group to use when no root privileges are required. + ''; + }; + }; + config = lib.mkIf cfg.enable { + environment = { + etc."exim.conf".text = '' + exim_user = ${cfg.user.name} + exim_group = ${cfg.group.name} + exim_path = /var/setuid-wrappers/exim + spool_directory = ${cfg.user.home} + ${cfg.config} + ''; + systemPackages = [ pkgs.exim ]; + }; + krebs.setuid = { + exim = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + sendmail = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + }; + systemd.services.exim = { + restartTriggers = [ + config.environment.etc."exim.conf".source + ]; + serviceConfig = { + ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + }; + wantedBy = [ "multi-user.target" ]; + }; + users = { + groups.${cfg.group.name} = { + inherit (cfg.group) name gid; + }; + users.${cfg.user.name} = { + inherit (cfg.user) home name uid; + createHome = true; + group = cfg.group.name; + }; + }; + }; +} diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index bd3d6d3b..0adcec3d 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -40,8 +40,7 @@ let }; }; - fetchWallpaperScript = pkgs.writeScript "fetchWallpaper" '' - #! ${pkgs.bash}/bin/bash + fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' set -euf mkdir -p ${shell.escape cfg.stateDir} diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 9596229d..4b99873a 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -20,6 +20,7 @@ let flatten length hasAttr + hasPrefix mkEnableOption mkOption < |