diff options
Diffstat (limited to 'krebs/default.nix')
-rw-r--r-- | krebs/default.nix | 201 |
1 files changed, 8 insertions, 193 deletions
diff --git a/krebs/default.nix b/krebs/default.nix index 17c035896..93e006f3d 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -1,193 +1,8 @@ -assert false; - -{ current-host-name -, current-user-name -, lib -, stockholm -, StrictHostKeyChecking ? "yes" -}: - -let out = { - inherit infest; - inherit init; - inherit nixos-install; - }; - - infest = - { system ? current-host-name - , target ? system - }@args: let - config = get-config system; - in '' - #! /bin/sh - # krebs.infest - set -efu - - ${rootssh target '' - ${builtins.readFile ./4lib/infest/prepare.sh} - ${builtins.readFile ./4lib/infest/install-nix.sh} - ''} - - (${nixos-install args}) - - ${rootssh target '' - ${builtins.readFile ./4lib/infest/finalize.sh} - ''} - ''; - - init = - { system ? current-host-name - }@args: let - config = get-config system; - in '' - #! /bin/sh - # krebs.init - set -efu - - system=${lib.shell.escape system} - secrets_dir=${config.krebs.build.source.dir.secrets.path} - key_type=ed25519 - key_file=$secrets_dir/ssh.id_$key_type - key_comment=$system - - if test -e "$key_file"; then - echo "Warning: privkey already exists: $key_file" >&2 - else - ssh-keygen \ - -C "$key_comment" \ - -t "$key_type" \ - -f "$key_file" \ - -N "" - rm "$key_file.pub" - fi - - pubkey=$(ssh-keygen -y -f "$key_file") - - cat<<EOF - # put following into config.krebs.hosts.$system: - ssh.privkey.path = <secrets/ssh.$key_type>; - ssh.pubkey = $(echo $pubkey | jq -R .); - EOF - ''; - - nixos-install = - { system ? current-host-name - , target ? system - }@args: let - in '' - #! /bin/sh - # krebs.nixos-install - (${populate (args // { root = "/mnt"; })}) - - ${rootssh target '' - export PATH; PATH=/root/.nix-profile/bin:$PATH - - src=$(type -p nixos-install) - cat_src() { - sed < "$src" "$( - { sed < "$src" -n ' - /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/= - /^nixpkgs=/= - /^NIX_PATH=/,/^$/{/./=} - - # Disable: Copy the NixOS/Nixpkgs sources to the target as - # the initial contents of the NixOS channel. - /^srcs=/,/^ln -sfn /= - ' - } | sed 's:$:s/^/#krebs#/:' - )" - } - - # Location to insert `nix-install` - i=$(sed -n '/^echo "building the system configuration/=' "$src") - - { - cat_src | sed -n "1,$i{p}" - cat ${doc (nix-install args)} - cat_src | sed -n "$i,\''${$i!p}" - } > nixos-install - chmod +x nixos-install - - # Wrap inserted nix-install into chroot. - nix_env=$(cat_src | sed -n ' - s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q - ') - echo "nix-env is $nix_env" >&2 - findpkg() {( - name=$1 - path=$(find /nix/store \ - -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \ - | head -n 1 | sed s:^/mnt::) - if echo "$path" | grep .; then - echo "$name is $path" >&2 - else - echo "Error: package not found: $name" >&2 - exit 1 - fi - )} - cacert=$(findpkg cacert) - coreutils=$(findpkg coreutils) - cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE - env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE" - sed -i ' - s:^NIX_PATH=:chroot $mountPoint '"$env"' &: - s:^nix-env:'"$nix_env"': - ' nixos-install - - ./nixos-install - ''} - ''; - - doc = s: - let b = "EOF${builtins.hashString "sha256" s}"; in - '' - <<\${b} - ${s} - ${b} - ''; - - get-config = system: let - config = stockholm.users.${current-user-name}.${system}.config - or (abort "unknown system: ${system}, user: ${current-user-name}"); - in config; - - nix-install = - { system ? current-host-name - , target ? system - }: - let - config = get-config system; - - nix-path = - lib.concatStringsSep ":" - (lib.mapAttrsToList (name: src: "${name}=${src.target-path}") - (config.krebs.build.source.dir // - config.krebs.build.source.git)); - in '' - set -efu - NIX_PATH=${lib.shell.escape nix-path} \ - nix-env \ - --show-trace \ - -f '<stockholm>' \ - --argstr current-host-name ${lib.shell.escape current-host-name} \ - --argstr current-user-name ${lib.shell.escape current-user-name} \ - --profile ${lib.shell.escape config.krebs.build.profile} \ - --set \ - -A ${lib.escapeShellArg (lib.concatStringsSep "." [ - "users" - config.krebs.build.user.name - config.krebs.build.host.name - "system" - ])} - ''; - - rootssh = target: script: - let - flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; - in - "ssh ${flags} root@${target} -T ${doc '' - set -efu - ${script} - ''}"; - -in out +{ config, lib, pkgs, ... }: +with config.krebs.lib; +{ + imports = [ + ./3modules + ./5pkgs + ]; +} |