From 2bc5c58d85990e483af8fde57ed5f2442351b69c Mon Sep 17 00:00:00 2001 
From: tv Date: Sat, 11 Jul 2015 19:44:12 +0200 Subject: move old stuff --- .gitignore | 4 - Makefile | 48 -- README.md | 32 - bin/copy-secrets | 69 --- bin/genid | 11 - bin/netmask-to-prefix | 12 - bin/nixos-query | 4 - bin/urlencode | 35 -- cac | 337 ----------- certs/zalora-ca.crt | 24 - default.nix | 151 ----- deploy | 15 - infest-cac-CentOS-7-64bit.sh | 51 -- infest.d/cac-CentOS-7-64bit/finalize.sh | 66 -- infest.d/cac-CentOS-7-64bit/prepare.sh | 104 ---- infest.d/nixos-install.sh | 8 - lib/default.nix | 62 -- lib/git.nix | 181 ------ lib/modules.nix | 21 - modules/cd/default.nix | 91 --- modules/cd/networking.nix | 14 - modules/cd/paths.nix | 12 - modules/cd/users.nix | 53 -- modules/cloudkrebs/default.nix | 69 --- modules/cloudkrebs/networking.nix | 14 - modules/common/krebs-keys.nix | 18 - modules/common/krebs-repos.nix | 36 -- modules/common/nixpkgs.nix | 25 - modules/common/sshkeys.nix | 26 - modules/lass/base.nix | 110 ---- modules/lass/binary-caches.nix | 13 - modules/lass/bird.nix | 13 - modules/lass/bitcoin.nix | 17 - modules/lass/browsers.nix | 67 --- modules/lass/chromium-patched.nix | 48 -- modules/lass/desktop-base.nix | 37 -- modules/lass/elster.nix | 20 - modules/lass/games.nix | 25 - modules/lass/gitolite-base.nix | 173 ------ modules/lass/ircd.nix | 83 --- modules/lass/pass.nix | 10 - modules/lass/programs.nix | 24 - modules/lass/retiolum-cloudkrebs.nix | 21 - modules/lass/retiolum-mors.nix | 21 - modules/lass/retiolum-uriel.nix | 21 - modules/lass/sshkeys.nix | 11 - modules/lass/steam.nix | 29 - modules/lass/texlive.nix | 7 - modules/lass/urxvt.nix | 40 -- modules/lass/urxvtd.nix | 55 -- modules/lass/vim.nix | 116 ---- modules/lass/virtualbox.nix | 22 - modules/lass/wine.nix | 23 - modules/lass/xresources.nix | 57 -- modules/lass/xserver-lass.nix | 43 -- modules/mkdir/default.nix | 86 --- modules/mkdir/networking.nix | 14 - modules/mkdir/paths.nix | 12 - modules/mkdir/users.nix | 19 - modules/mors/default.nix | 283 --------- 
modules/mors/git.nix | 71 --- modules/mors/repos.nix | 78 --- modules/mu/default.nix | 466 -------------- modules/mu/paths.nix | 12 - modules/nomic/default.nix | 105 ---- modules/nomic/hardware-configuration.nix | 49 -- modules/nomic/paths.nix | 12 - modules/nomic/users.nix | 42 -- modules/rmdir/default.nix | 87 --- modules/rmdir/networking.nix | 15 - modules/rmdir/paths.nix | 12 - modules/rmdir/users.nix | 19 - modules/tv/base-cac-CentOS-7-64bit.nix | 27 - modules/tv/base.nix | 16 - modules/tv/config/consul-client.nix | 9 - modules/tv/config/consul-server.nix | 22 - modules/tv/consul/default.nix | 121 ---- modules/tv/ejabberd.nix | 867 --------------------------- modules/tv/environment.nix | 93 --- modules/tv/exim-retiolum.nix | 126 ---- modules/tv/exim-smarthost.nix | 474 --------------- modules/tv/git/cgit.nix | 93 --- modules/tv/git/config.nix | 272 --------- modules/tv/git/default.nix | 27 - modules/tv/git/options.nix | 93 --- modules/tv/git/public.nix | 82 --- modules/tv/identity/default.nix | 71 --- modules/tv/iptables/config.nix | 93 --- modules/tv/iptables/default.nix | 11 - modules/tv/iptables/options.nix | 29 - modules/tv/nginx/config.nix | 49 -- modules/tv/nginx/default.nix | 11 - modules/tv/nginx/options.nix | 21 - modules/tv/retiolum/config.nix | 130 ---- modules/tv/retiolum/default.nix | 11 - modules/tv/retiolum/options.nix | 87 --- modules/tv/sanitize.nix | 12 - modules/tv/smartd.nix | 17 - modules/tv/synaptics.nix | 14 - modules/tv/urlwatch/default.nix | 158 ----- modules/tv/urxvt.nix | 24 - modules/tv/users/default.nix | 67 --- modules/tv/xserver.nix | 40 -- modules/uriel/default.nix | 184 ------ modules/uriel/repos.nix | 78 --- modules/wu/default.nix | 464 -------------- modules/wu/hosts.nix | 22 - modules/wu/paths.nix | 12 - modules/wu/users.nix | 227 ------- old/Makefile | 48 ++ old/README.md | 32 + old/bin/copy-secrets | 69 +++ old/bin/genid | 11 + old/bin/netmask-to-prefix | 12 + old/bin/nixos-query | 4 + old/bin/urlencode | 35 ++ old/cac | 
337 +++++++++++ old/certs/zalora-ca.crt | 24 + old/default.nix | 151 +++++ old/deploy | 15 + old/infest-cac-CentOS-7-64bit.sh | 51 ++ old/infest.d/cac-CentOS-7-64bit/finalize.sh | 66 ++ old/infest.d/cac-CentOS-7-64bit/prepare.sh | 104 ++++ old/infest.d/nixos-install.sh | 8 + old/lib/default.nix | 62 ++ old/lib/git.nix | 181 ++++++ old/lib/modules.nix | 21 + old/modules/cd/default.nix | 91 +++ old/modules/cd/networking.nix | 14 + old/modules/cd/paths.nix | 12 + old/modules/cd/users.nix | 53 ++ old/modules/cloudkrebs/default.nix | 69 +++ old/modules/cloudkrebs/networking.nix | 14 + old/modules/common/krebs-keys.nix | 18 + old/modules/common/krebs-repos.nix | 36 ++ old/modules/common/nixpkgs.nix | 25 + old/modules/common/sshkeys.nix | 26 + old/modules/lass/base.nix | 110 ++++ old/modules/lass/binary-caches.nix | 13 + old/modules/lass/bird.nix | 13 + old/modules/lass/bitcoin.nix | 17 + old/modules/lass/browsers.nix | 67 +++ old/modules/lass/chromium-patched.nix | 48 ++ old/modules/lass/desktop-base.nix | 37 ++ old/modules/lass/elster.nix | 20 + old/modules/lass/games.nix | 25 + old/modules/lass/gitolite-base.nix | 173 ++++++ old/modules/lass/ircd.nix | 83 +++ old/modules/lass/pass.nix | 10 + old/modules/lass/programs.nix | 24 + old/modules/lass/retiolum-cloudkrebs.nix | 21 + old/modules/lass/retiolum-mors.nix | 21 + old/modules/lass/retiolum-uriel.nix | 21 + old/modules/lass/sshkeys.nix | 11 + old/modules/lass/steam.nix | 29 + old/modules/lass/texlive.nix | 7 + old/modules/lass/urxvt.nix | 40 ++ old/modules/lass/urxvtd.nix | 55 ++ old/modules/lass/vim.nix | 116 ++++ old/modules/lass/virtualbox.nix | 22 + old/modules/lass/wine.nix | 23 + old/modules/lass/xresources.nix | 57 ++ old/modules/lass/xserver-lass.nix | 43 ++ old/modules/mkdir/default.nix | 86 +++ old/modules/mkdir/networking.nix | 14 + old/modules/mkdir/paths.nix | 12 + old/modules/mkdir/users.nix | 19 + old/modules/mors/default.nix | 283 +++++++++ old/modules/mors/git.nix | 71 +++ old/modules/mors/repos.nix | 
78 +++ old/modules/mu/default.nix | 466 ++++++++++++++ old/modules/mu/paths.nix | 12 + old/modules/nomic/default.nix | 105 ++++ old/modules/nomic/hardware-configuration.nix | 49 ++ old/modules/nomic/paths.nix | 12 + old/modules/nomic/users.nix | 42 ++ old/modules/rmdir/default.nix | 87 +++ old/modules/rmdir/networking.nix | 15 + old/modules/rmdir/paths.nix | 12 + old/modules/rmdir/users.nix | 19 + old/modules/tv/base-cac-CentOS-7-64bit.nix | 27 + old/modules/tv/base.nix | 16 + old/modules/tv/config/consul-client.nix | 9 + old/modules/tv/config/consul-server.nix | 22 + old/modules/tv/consul/default.nix | 121 ++++ old/modules/tv/ejabberd.nix | 867 +++++++++++++++++++++++++++ old/modules/tv/environment.nix | 93 +++ old/modules/tv/exim-retiolum.nix | 126 ++++ old/modules/tv/exim-smarthost.nix | 474 +++++++++++++++ old/modules/tv/git/cgit.nix | 93 +++ old/modules/tv/git/config.nix | 272 +++++++++ old/modules/tv/git/default.nix | 27 + old/modules/tv/git/options.nix | 93 +++ old/modules/tv/git/public.nix | 82 +++ old/modules/tv/identity/default.nix | 71 +++ old/modules/tv/iptables/config.nix | 93 +++ old/modules/tv/iptables/default.nix | 11 + old/modules/tv/iptables/options.nix | 29 + old/modules/tv/nginx/config.nix | 49 ++ old/modules/tv/nginx/default.nix | 11 + old/modules/tv/nginx/options.nix | 21 + old/modules/tv/retiolum/config.nix | 130 ++++ old/modules/tv/retiolum/default.nix | 11 + old/modules/tv/retiolum/options.nix | 87 +++ old/modules/tv/sanitize.nix | 12 + old/modules/tv/smartd.nix | 17 + old/modules/tv/synaptics.nix | 14 + old/modules/tv/urlwatch/default.nix | 158 +++++ old/modules/tv/urxvt.nix | 24 + old/modules/tv/users/default.nix | 67 +++ old/modules/tv/xserver.nix | 40 ++ old/modules/uriel/default.nix | 184 ++++++ old/modules/uriel/repos.nix | 78 +++ old/modules/wu/default.nix | 464 ++++++++++++++ old/modules/wu/hosts.nix | 22 + old/modules/wu/paths.nix | 12 + old/modules/wu/users.nix | 227 +++++++ old/pubkeys/deploy_wu.ssh.pub | 1 + 
old/pubkeys/lass.ssh.pub | 1 + old/pubkeys/makefu.ssh.pub | 1 + old/pubkeys/mv_vod.ssh.pub | 1 + old/pubkeys/tv_wu.ssh.pub | 1 + old/pubkeys/uriel.ssh.pub | 1 + pubkeys/deploy_wu.ssh.pub | 1 - pubkeys/lass.ssh.pub | 1 - pubkeys/makefu.ssh.pub | 1 - pubkeys/mv_vod.ssh.pub | 1 - pubkeys/tv_wu.ssh.pub | 1 - pubkeys/uriel.ssh.pub | 1 - 229 files changed, 8237 insertions(+), 8241 deletions(-) delete mode 100644 .gitignore delete mode 100644 Makefile delete mode 100644 README.md delete mode 100755 bin/copy-secrets delete mode 100755 bin/genid delete mode 100755 bin/netmask-to-prefix delete mode 100755 bin/nixos-query delete mode 100755 bin/urlencode delete mode 100755 cac delete mode 100644 certs/zalora-ca.crt delete mode 100644 default.nix delete mode 100755 deploy delete mode 100755 infest-cac-CentOS-7-64bit.sh delete mode 100644 infest.d/cac-CentOS-7-64bit/finalize.sh delete mode 100644 infest.d/cac-CentOS-7-64bit/prepare.sh delete mode 100644 infest.d/nixos-install.sh delete mode 100644 lib/default.nix delete mode 100644 lib/git.nix delete mode 100644 lib/modules.nix delete mode 100644 modules/cd/default.nix delete mode 100644 modules/cd/networking.nix delete mode 100644 modules/cd/paths.nix delete mode 100644 modules/cd/users.nix delete mode 100644 modules/cloudkrebs/default.nix delete mode 100644 modules/cloudkrebs/networking.nix delete mode 100644 modules/common/krebs-keys.nix delete mode 100644 modules/common/krebs-repos.nix delete mode 100644 modules/common/nixpkgs.nix delete mode 100644 modules/common/sshkeys.nix delete mode 100644 modules/lass/base.nix delete mode 100644 modules/lass/binary-caches.nix delete mode 100644 modules/lass/bird.nix delete mode 100644 modules/lass/bitcoin.nix delete mode 100644 modules/lass/browsers.nix delete mode 100644 modules/lass/chromium-patched.nix delete mode 100644 modules/lass/desktop-base.nix delete mode 100644 modules/lass/elster.nix delete mode 100644 modules/lass/games.nix delete mode 100644 
modules/lass/gitolite-base.nix delete mode 100644 modules/lass/ircd.nix delete mode 100644 modules/lass/pass.nix delete mode 100644 modules/lass/programs.nix delete mode 100644 modules/lass/retiolum-cloudkrebs.nix delete mode 100644 modules/lass/retiolum-mors.nix delete mode 100644 modules/lass/retiolum-uriel.nix delete mode 100644 modules/lass/sshkeys.nix delete mode 100644 modules/lass/steam.nix delete mode 100644 modules/lass/texlive.nix delete mode 100644 modules/lass/urxvt.nix delete mode 100644 modules/lass/urxvtd.nix delete mode 100644 modules/lass/vim.nix delete mode 100644 modules/lass/virtualbox.nix delete mode 100644 modules/lass/wine.nix delete mode 100644 modules/lass/xresources.nix delete mode 100644 modules/lass/xserver-lass.nix delete mode 100644 modules/mkdir/default.nix delete mode 100644 modules/mkdir/networking.nix delete mode 100644 modules/mkdir/paths.nix delete mode 100644 modules/mkdir/users.nix delete mode 100644 modules/mors/default.nix delete mode 100644 modules/mors/git.nix delete mode 100644 modules/mors/repos.nix delete mode 100644 modules/mu/default.nix delete mode 100644 modules/mu/paths.nix delete mode 100644 modules/nomic/default.nix delete mode 100644 modules/nomic/hardware-configuration.nix delete mode 100644 modules/nomic/paths.nix delete mode 100644 modules/nomic/users.nix delete mode 100644 modules/rmdir/default.nix delete mode 100644 modules/rmdir/networking.nix delete mode 100644 modules/rmdir/paths.nix delete mode 100644 modules/rmdir/users.nix delete mode 100644 modules/tv/base-cac-CentOS-7-64bit.nix delete mode 100644 modules/tv/base.nix delete mode 100644 modules/tv/config/consul-client.nix delete mode 100644 modules/tv/config/consul-server.nix delete mode 100644 modules/tv/consul/default.nix delete mode 100644 modules/tv/ejabberd.nix delete mode 100644 modules/tv/environment.nix delete mode 100644 modules/tv/exim-retiolum.nix delete mode 100644 modules/tv/exim-smarthost.nix delete mode 100644 modules/tv/git/cgit.nix 
delete mode 100644 modules/tv/git/config.nix delete mode 100644 modules/tv/git/default.nix delete mode 100644 modules/tv/git/options.nix delete mode 100644 modules/tv/git/public.nix delete mode 100644 modules/tv/identity/default.nix delete mode 100644 modules/tv/iptables/config.nix delete mode 100644 modules/tv/iptables/default.nix delete mode 100644 modules/tv/iptables/options.nix delete mode 100644 modules/tv/nginx/config.nix delete mode 100644 modules/tv/nginx/default.nix delete mode 100644 modules/tv/nginx/options.nix delete mode 100644 modules/tv/retiolum/config.nix delete mode 100644 modules/tv/retiolum/default.nix delete mode 100644 modules/tv/retiolum/options.nix delete mode 100644 modules/tv/sanitize.nix delete mode 100644 modules/tv/smartd.nix delete mode 100644 modules/tv/synaptics.nix delete mode 100644 modules/tv/urlwatch/default.nix delete mode 100644 modules/tv/urxvt.nix delete mode 100644 modules/tv/users/default.nix delete mode 100644 modules/tv/xserver.nix delete mode 100644 modules/uriel/default.nix delete mode 100644 modules/uriel/repos.nix delete mode 100644 modules/wu/default.nix delete mode 100644 modules/wu/hosts.nix delete mode 100644 modules/wu/paths.nix delete mode 100644 modules/wu/users.nix create mode 100644 old/Makefile create mode 100644 old/README.md create mode 100755 old/bin/copy-secrets create mode 100755 old/bin/genid create mode 100755 old/bin/netmask-to-prefix create mode 100755 old/bin/nixos-query create mode 100755 old/bin/urlencode create mode 100755 old/cac create mode 100644 old/certs/zalora-ca.crt create mode 100644 old/default.nix create mode 100755 old/deploy create mode 100755 old/infest-cac-CentOS-7-64bit.sh create mode 100644 old/infest.d/cac-CentOS-7-64bit/finalize.sh create mode 100644 old/infest.d/cac-CentOS-7-64bit/prepare.sh create mode 100644 old/infest.d/nixos-install.sh create mode 100644 old/lib/default.nix create mode 100644 old/lib/git.nix create mode 100644 old/lib/modules.nix create mode 100644 
old/modules/cd/default.nix create mode 100644 old/modules/cd/networking.nix create mode 100644 old/modules/cd/paths.nix create mode 100644 old/modules/cd/users.nix create mode 100644 old/modules/cloudkrebs/default.nix create mode 100644 old/modules/cloudkrebs/networking.nix create mode 100644 old/modules/common/krebs-keys.nix create mode 100644 old/modules/common/krebs-repos.nix create mode 100644 old/modules/common/nixpkgs.nix create mode 100644 old/modules/common/sshkeys.nix create mode 100644 old/modules/lass/base.nix create mode 100644 old/modules/lass/binary-caches.nix create mode 100644 old/modules/lass/bird.nix create mode 100644 old/modules/lass/bitcoin.nix create mode 100644 old/modules/lass/browsers.nix create mode 100644 old/modules/lass/chromium-patched.nix create mode 100644 old/modules/lass/desktop-base.nix create mode 100644 old/modules/lass/elster.nix create mode 100644 old/modules/lass/games.nix create mode 100644 old/modules/lass/gitolite-base.nix create mode 100644 old/modules/lass/ircd.nix create mode 100644 old/modules/lass/pass.nix create mode 100644 old/modules/lass/programs.nix create mode 100644 old/modules/lass/retiolum-cloudkrebs.nix create mode 100644 old/modules/lass/retiolum-mors.nix create mode 100644 old/modules/lass/retiolum-uriel.nix create mode 100644 old/modules/lass/sshkeys.nix create mode 100644 old/modules/lass/steam.nix create mode 100644 old/modules/lass/texlive.nix create mode 100644 old/modules/lass/urxvt.nix create mode 100644 old/modules/lass/urxvtd.nix create mode 100644 old/modules/lass/vim.nix create mode 100644 old/modules/lass/virtualbox.nix create mode 100644 old/modules/lass/wine.nix create mode 100644 old/modules/lass/xresources.nix create mode 100644 old/modules/lass/xserver-lass.nix create mode 100644 old/modules/mkdir/default.nix create mode 100644 old/modules/mkdir/networking.nix create mode 100644 old/modules/mkdir/paths.nix create mode 100644 old/modules/mkdir/users.nix create mode 100644 
old/modules/mors/default.nix create mode 100644 old/modules/mors/git.nix create mode 100644 old/modules/mors/repos.nix create mode 100644 old/modules/mu/default.nix create mode 100644 old/modules/mu/paths.nix create mode 100644 old/modules/nomic/default.nix create mode 100644 old/modules/nomic/hardware-configuration.nix create mode 100644 old/modules/nomic/paths.nix create mode 100644 old/modules/nomic/users.nix create mode 100644 old/modules/rmdir/default.nix create mode 100644 old/modules/rmdir/networking.nix create mode 100644 old/modules/rmdir/paths.nix create mode 100644 old/modules/rmdir/users.nix create mode 100644 old/modules/tv/base-cac-CentOS-7-64bit.nix create mode 100644 old/modules/tv/base.nix create mode 100644 old/modules/tv/config/consul-client.nix create mode 100644 old/modules/tv/config/consul-server.nix create mode 100644 old/modules/tv/consul/default.nix create mode 100644 old/modules/tv/ejabberd.nix create mode 100644 old/modules/tv/environment.nix create mode 100644 old/modules/tv/exim-retiolum.nix create mode 100644 old/modules/tv/exim-smarthost.nix create mode 100644 old/modules/tv/git/cgit.nix create mode 100644 old/modules/tv/git/config.nix create mode 100644 old/modules/tv/git/default.nix create mode 100644 old/modules/tv/git/options.nix create mode 100644 old/modules/tv/git/public.nix create mode 100644 old/modules/tv/identity/default.nix create mode 100644 old/modules/tv/iptables/config.nix create mode 100644 old/modules/tv/iptables/default.nix create mode 100644 old/modules/tv/iptables/options.nix create mode 100644 old/modules/tv/nginx/config.nix create mode 100644 old/modules/tv/nginx/default.nix create mode 100644 old/modules/tv/nginx/options.nix create mode 100644 old/modules/tv/retiolum/config.nix create mode 100644 old/modules/tv/retiolum/default.nix create mode 100644 old/modules/tv/retiolum/options.nix create mode 100644 old/modules/tv/sanitize.nix create mode 100644 old/modules/tv/smartd.nix create mode 100644 
old/modules/tv/synaptics.nix
create mode 100644 old/modules/tv/urlwatch/default.nix
create mode 100644 old/modules/tv/urxvt.nix
create mode 100644 old/modules/tv/users/default.nix
create mode 100644 old/modules/tv/xserver.nix
create mode 100644 old/modules/uriel/default.nix
create mode 100644 old/modules/uriel/repos.nix
create mode 100644 old/modules/wu/default.nix
create mode 100644 old/modules/wu/hosts.nix
create mode 100644 old/modules/wu/paths.nix
create mode 100644 old/modules/wu/users.nix
create mode 100644 old/pubkeys/deploy_wu.ssh.pub
create mode 100644 old/pubkeys/lass.ssh.pub
create mode 100644 old/pubkeys/makefu.ssh.pub
create mode 100644 old/pubkeys/mv_vod.ssh.pub
create mode 100644 old/pubkeys/tv_wu.ssh.pub
create mode 100644 old/pubkeys/uriel.ssh.pub
delete mode 100644 pubkeys/deploy_wu.ssh.pub
delete mode 100644 pubkeys/lass.ssh.pub
delete mode 100644 pubkeys/makefu.ssh.pub
delete mode 100644 pubkeys/mv_vod.ssh.pub
delete mode 100644 pubkeys/tv_wu.ssh.pub
delete mode 100644 pubkeys/uriel.ssh.pub
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index bad1d00e..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-/.graveyard
-/hosts
-/secrets
-/tmp
diff --git a/Makefile b/Makefile
deleted file mode 100644
index bef7727c..00000000
--- a/Makefile
+++ /dev/null
@@ -1,48 +0,0 @@
-all:;@exit 23
-
-tv-cluster := cd mkdir nomic rmdir wu
-deploy-cd:; ./deploy cd
-deploy-mkdir:; ./deploy mkdir
-deploy-nomic:; ./deploy nomic root@nomic-local
-deploy-rmdir:; ./deploy rmdir
-deploy-wu:; ./deploy wu root@localhost
-
-ifndef cluster
-cluster := $(LOGNAME)
-endif
-hosts := $($(cluster)-cluster)
-ifeq ($(hosts),)
-$(error bad cluster: $(cluster))
-else
-.ONESHELL:
-
-.PHONY: deploy $(addprefix deploy-,$(hosts))
-deploy:
- exec parallel \
- -j 0 \
- --no-notice \
- --rpl '{u} s/^.* deploy-(.*)/\1/' \
- --tagstring '{u}' \
- --line-buffer \
- $(MAKE) deploy-{} ::: $(hosts)
-
-.PHONY: rotate-consul-encrypt
-rotate-consul-encrypt:
- umask 0377
- mkencrypt() { dd status=none if=/dev/random bs=1 count=16 | base64; }
- json=$$(printf '{"encrypt":"%s"}\n' $$(mkencrypt))
- cmd='
- f=secrets/{}/rsync/etc/consul/encrypt.json
- rm -f "$$f"
- echo "$$json" > "$$f"
- '
- export json
- exec parallel \
- -j 0 \
- --no-notice \
- --rpl '{u} s/^.* deploy-(.*)/\1/' \
- --tagstring '{u}' \
- --line-buffer \
- --quote \
- sh -eufc "$$cmd" ::: $(hosts)
-endif
diff --git a/README.md b/README.md
deleted file mode 100644
index 8a72d2fe..00000000
--- a/README.md
+++ /dev/null
@@ -1,32 +0,0 @@
-
-
-# Turn a Cloud at Cost CentOS-7-64bit server into NixOS
-
-1. Configure the system (`$systemname`) you'd like to install (see Configuration below).
-2. Create new server instance (either Custom or cloudpro) using "CentOS-7-64bit".
- Note the servername (something like c731445864-cloudpro-388922936).
-3. `cac_login=xxx cac_key=yyy ./infest-cac-CentOS-7-64bit.sh servername:$servername $systename`
-4. Enjoy. (`ssh root@$systename`)
-
-# Configuration
-
-Configure your system in modules/$systemname
-See modules/cd/default.nix as an example.
-
-Notice that modules/$systemname/networking will be autogenerated (but not committed).
-
-secrets/$systemname/nix/foo can be accessed as `` from within the configuration.
-
-You might want `secrets/$systemname/rsync/etc/tinc/retiolum/rsa_key.priv`.
-
-You might want `secrets/$systemname/nix/hashedPasswords.nix`, which looks like
-
-```nix
-_: { users.extraUsers.root.hashedPassword = "XXX"; }
-```
-
-`XXX` can be generated with e.g.
-
-```
-mkpasswd -m sha-512 -S $(openssl rand -base64 16 | tr -d '+=' | head -c 16)
-```
diff --git a/bin/copy-secrets b/bin/copy-secrets
deleted file mode 100755
index f4049359..00000000
--- a/bin/copy-secrets
+++ /dev/null
@@ -1,69 +0,0 @@ -#! /bin/sh -# -# copy-secrets system_name target -# -set -euf - -system_name=$1 -target=$2 - -nixos_config=$config_root/modules/$system_name -secrets_nix=$secrets_root/$system_name/nix -secrets_rsync=$secrets_root/$system_name/rsync - -if ! test -e "$secrets_rsync"; then - exit # nothing to do -fi - -# XXX this is ugly -# Notice NIX_PATH used from host -# Notice secrets required to evaluate configuration -NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name -NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix -export NIX_PATH - -case $(nixos-query tv.retiolum.enable 2>/dev/null) in true) - retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile) - retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid) -esac - -case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in true) - ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile) - ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid) -esac - -case $(nixos-query tv.consul.enable 2>/dev/null) in true) - consul_secret=$(nixos-query tv.consul.encrypt-file) - consul_uid=$(nixos-query users.extraUsers.consul.uid) -esac - -(set -x - rsync \ - --rsync-path="mkdir -p \"$2\" && rsync" \ - -vzrlptD \ - "$secrets_rsync/" \ - "$target:/") - -ssh "$target" -T < - max=2^32 # see 2^(8*sizeof(uid_t)) - ibase=16 - ($hash + min) % max -" | bc diff --git a/bin/netmask-to-prefix b/bin/netmask-to-prefix deleted file mode 100755 index 1c4dbeb2..00000000 --- a/bin/netmask-to-prefix +++ /dev/null @@ -1,12 +0,0 @@ -#! /bin/sh -set -euf - -netmask=$1 - -binaryNetmask=$(echo $1 | sed 's/^/obase=2;/;s/\./;/g' | bc | tr -d \\n) -binaryPrefix=$(echo $binaryNetmask | sed -n 's/^\(1*\)0*$/\1/p') -if ! echo $binaryPrefix | grep -q .; then - echo $0: bad netmask: $netmask >&2 - exit 4 -fi -printf %s $binaryPrefix | tr -d 0 | wc -c diff --git a/bin/nixos-query b/bin/nixos-query deleted file mode 100755 index 1111aead..00000000 --- a/bin/nixos-query +++ /dev/null 
@@ -1,4 +0,0 @@ -#! /bin/sh -set -euf -result=$(nix-instantiate -A config."$1" --eval --json '') -echo $result | jq -r . diff --git a/bin/urlencode b/bin/urlencode deleted file mode 100755 index 02ca0307..00000000 --- a/bin/urlencode +++ /dev/null @@ -1,35 +0,0 @@ -#! /bin/sh -set -euf -exec sed ' - s/%/%25/g - s/ /%20/g - s/!/%21/g - s/"/%22/g - s/#/%23/g - s/\$/%24/g - s/\&/%26/g - s/'\''/%27/g - s/(/%28/g - s/)/%29/g - s/\*/%2a/g - s/+/%2b/g - s/,/%2c/g - s/-/%2d/g - s/\./%2e/g - s/\//%2f/g - s/:/%3a/g - s/;/%3b/g - s//%3e/g - s/?/%3f/g - s/@/%40/g - s/\[/%5b/g - s/\\/%5c/g - s/\]/%5d/g - s/\^/%5e/g - s/_/%5f/g - s/`/%60/g - s/{/%7b/g - s/|/%7c/g - s/}/%7d/g - s/~/%7e/g -' diff --git a/cac b/cac deleted file mode 100755 index fb816b99..00000000 --- a/cac +++ /dev/null 
@@ -1,337 +0,0 @@ -#! /bin/sh -set -euf - -PATH=$PWD/bin:$PATH -export PATH - -cac_listservers_cache=$PWD/tmp/cac_listservers_cache.json - - -cac() { - __cac_cli__command=$1 - shift - __cac_cli__"$__cac_cli__command" "$@" -} - -# WIP -__cac_cli__help() {( - exec sed < "$0" -n ' - s/^__cac_cli__\([^(]\+\)().*/\1/p - ' -)} - -# usage: console -__cac_cli__console() {( - server=$(__cac_cli__getserver "$1") - sid=$(echo $server | jq -r .sid) - # TODO check reply status == ok - _cac_post_api_v1 console sid="$sid" | jq -r .console -)} - -__cac_cli__listservers() { - jq -r . $cac_listservers_cache -} - -__cac_cli__update() {( - umask 0077 - servers=$(_cac_listservers) - echo $servers > $cac_listservers_cache.tmp - mv $cac_listservers_cache.tmp $cac_listservers_cache -)} - -__cac_cli__getserver() {( - - case $1 in - *:*) - k=${1%%:*} - v=${1#*:} - ;; - *) - k=label - v=${1#*:} - ;; - esac - - if result=$(jq \ - -e \ - --arg k "$k" \ - --arg v "$v" \ - ' - map(select(.[$k]==$v)) | - if (. | length) == 1 then - .[0] - else - null - end - ' \ - $cac_listservers_cache); then - echo $result | jq -r . 
- else - echo "$0 getserver $k:$v => not unique server found" >&2 - exit 23 - fi -)} - -__cac_cli__generatenetworking() {( - server=$(__cac_cli__getserver "$1") - - hostname=$(echo $server | jq -r .label) - - address=$(echo $server | jq -r .ip) - gateway=$(echo $server | jq -r .gateway) - nameserver=8.8.8.8 - netmask=$(echo $server | jq -r .netmask) - prefix=$(netmask-to-prefix $netmask) - - #printf '# Generated file: %s generatenetworking %s %s\n' "$0" "$1" "$2" - #printf '# on %s\n' "$(date -Is)" - #printf '\n' - printf '_:\n' - printf '\n' - printf '{\n' - printf ' networking.hostName = "%s";\n' $hostname - printf ' networking.interfaces.enp2s1.ip4 = [\n' - printf ' {\n' - printf ' address = "%s";\n' $address - printf ' prefixLength = %d;\n' $prefix - printf ' }\n' - printf ' ];\n' - printf ' networking.defaultGateway = "%s";\n' $gateway - printf ' networking.nameservers = [\n' - printf ' "%s"\n' $nameserver - printf ' ];\n' - printf '}\n' -)} - -__cac_cli__powerop() {( - server=$(__cac_cli__getserver "$1") - action=$2 - - sid=$(echo $server | jq -r .sid) - - reply=$(_cac_post_api_v1 powerop sid="$sid" action="$action") - - case $(echo $reply | jq -r .status) in - ok) - echo $reply | jq -r . >&2 - __cac_cli__update - ;; - *) - echo bad reply: >&2 - echo $reply | jq -r . >&2 - exit 23 - ;; - esac -)} -__cac_cli__pushconfig() {( - server=$(__cac_cli__getserver "$1") - - prefix=${2-/} - - hostname=$(echo $server | jq -r .label) - - address=$(echo $server | jq -r .ip) - target=root@$address - - RSYNC_RSH='sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' - SSHPASS=$(echo $server | jq -r .rootpass) - export RSYNC_RSH SSHPASS - - pushgit . 
$target:$prefix/etc/nixos/ - pushgit hosts $target:$prefix/etc/nixos/hosts/ - pushgit tmp/nixpkgs/$hostname $target:$prefix/etc/nixos/nixpkgs/ - pushdir secrets/$hostname/nix $target:$prefix/etc/nixos/secrets/ - pushdir secrets/$hostname/rsync $target:$prefix/ - echo "_:{imports=[./modules/$hostname];}" \ - | $RSYNC_RSH "$target" tee "$prefix/etc/nixos/configuration.nix" \ - > /dev/null - - ## TODO chmod and chown secrets -)} - -__cac_cli__setlabel() {( - server=$(__cac_cli__getserver "$1") - label=$2 - - sid=$(echo $server | jq -r .sid) - - reply=$(_cac_post_api_v1 renameserver sid="$sid" name="$label") - - case $(echo $reply | jq -r .status) in - ok) - echo $reply | jq -r . >&2 - __cac_cli__update - ;; - *) - echo bad reply: >&2 - echo $reply | jq -r . >&2 - exit 23 - ;; - esac -)} - -__cac_cli__setmode() {( - server=$(__cac_cli__getserver "$1") - mode=$2 - - sid=$(echo $server | jq -r .sid) - - reply=$(_cac_post_api_v1 runmode sid="$sid" mode="$mode") - - case $(echo $reply | jq -r .status) in - ok) - echo $reply | jq -r . >&2 - __cac_cli__update - ;; - *) - echo bad reply: >&2 - echo $reply | jq -r . - exit 23 - ;; - esac -)} - -__cac_cli__ssh() {( - server=$(__cac_cli__getserver "$1") - shift - - address=$(echo $server | jq -r .ip) - target=root@$address - - SSHPASS=$(echo $server | jq -r .rootpass) - export SSHPASS - - exec sshpass -e ssh \ - -S none \ - -o StrictHostKeyChecking=no \ - -o UserKnownHostsFile=/dev/null \ - $target \ - "$@" -)} - - -# usage: ./cac waitstatus mode:Safe 'Powered On' -# blocks until server has specfied state -__cac_cli__waitstatus() { - server=$(__cac_cli__getserver "$1") - status=$(echo $server | jq -r .status) - - case $status in - $2) - return - ;; - esac - - echo "$(date -Is) Waiting for status: $2; current status: $status ..." 
>&2 - - __cac_cli__waitforcacheupdate __cac_cli__waitstatus "$@" -} - - -# XXX for __cac_cli__waitforcacheupdate and __cac_cli__poll cache means $cac_listservers_cache - -# blocks until cache has been updated then executes "$@" -__cac_cli__waitforcacheupdate() { - case $(inotifywait --format %f -q -e moved_to $(dirname $cac_listservers_cache)) in - $(basename $cac_listservers_cache)) "$@";; - *) __cac_cli__waitforcacheupdate "$@";; - esac -} - -# usage: with cac ./cac poll 60s -# continuously update cache, sleeping at least $1 between updates -__cac_cli__poll() { - __cac_cli__update - t=${1-1m} - echo "$(date -Is) cache updated; sleeping $t ..." >&2 - sleep "$t" - __cac_cli__poll "$@" -} - - -_cac_listservers() {( - servers=$(_cac_get_api_v1 listservers) - status=$(echo $servers | jq -r .status) - - if [ "$status" = ok ]; then - echo "$servers" | jq -r .data - else - echo "cac_listservers: bad listservers status: $status" >&2 - exit 1 - fi -)} - - - - -# rsyncfiles : lines filename |> local-dir x rsync-target -> ? |> ? -rsyncfiles() {( - set -x - rsync \ - --rsync-path="mkdir -p \"$2\" && rsync" \ - -vzrlptD \ - --files-from=- \ - "$1"/ \ - "$2" -)} - - -# gitfiles : git-work-tree -> lines filename -gitfiles() { - git -C "$1" archive --format=tar HEAD | tar t | sed '/\/$/d' -} - -# pushgit : git-work-tree x rsync-target -> ? -pushgit() { - gitfiles "$1" | rsyncfiles "$1" "$2" -} - -# dirfiles : local-dir -> lines filename -dirfiles() {( - cd "$1" - find . -type f | sed 's/^\.\///' -)} - -# pushdir : local-dir x rsync-target -> ? 
-pushdir() { - dirfiles "$1" | rsyncfiles "$1" "$2" -} - - - - - - -_cac_get_api_v1() { - _cac_curl_api_v1 -G "$@" -} - -_cac_post_api_v1() { - _cac_curl_api_v1 -XPOST "$@" -} - -_cac_curl_api_v1() { - _cac_exec curl -sS "$1" "https://panel.cloudatcost.com/api/v1/$2.php" $( - shift 2 - set -- "$@" login="$cac_login" key="$cac_key" - for arg; do - echo -d $(printf '%s' "$arg" | urlencode) - done - ) -} - -_cac_exec() { - if test -z "${cac_via-}"; then - env -- "$@" - else - ssh -q "$cac_via" -t "$@" - fi -} - - - - - -case ${run-true} in - true) cac "$@";; -esac diff --git a/certs/zalora-ca.crt b/certs/zalora-ca.crt deleted file mode 100644 index 12cdf8fc..00000000 --- a/certs/zalora-ca.crt +++ /dev/null 
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID7zCCAtegAwIBAgIJAPImpJwMgGmhMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD
-VQQGEwJTRzESMBAGA1UECAwJU2luZ2Fwb3JlMQ8wDQYDVQQKDAZaYWxvcmExCzAJ
-BgNVBAsMAklUMSUwIwYDVQQDDBxaYWxvcmEgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
-MSUwIwYJKoZIhvcNAQkBFhZpdC1zZXJ2aWNlc0B6YWxvcmEuY29tMB4XDTE0MDkx
-ODIxNDY0N1oXDTI0MDkxNTIxNDY0N1owgY0xCzAJBgNVBAYTAlNHMRIwEAYDVQQI
-DAlTaW5nYXBvcmUxDzANBgNVBAoMBlphbG9yYTELMAkGA1UECwwCSVQxJTAjBgNV
-BAMMHFphbG9yYSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJTAjBgkqhkiG9w0BCQEW
-Fml0LXNlcnZpY2VzQHphbG9yYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDi48Tkh6XuS2gdE1+gsPPQjTI8Q2wbXqZGTHnyAZx75btOIUZHeHJm
-Fvu8erAD+vtx1nD1GOG30uvHFk9Of2mFY1fxw0R1LthJHSLFJU1/GjFSggHWkaI3
-HBSmeALjss/XHG3EtShLo8SHBc/+B8ehqj1JqcXF8q50JtfTQ+zlf+k26ke2S5Xo
-OdHLxjlNaPwj+TgJI1DHqs/bTapaPHPKk5+jFQzAcMmq0bygzpQTHCvvKqcoXaJk
-UgDBQnVsJUtwfObrM1TKu2TOXUhqgfnnflYf2sz5Sr30QlkrHP+PM3BRLB+6FXhr
-UlKKVcAcIwrBo0aJ5Sd0fv39GwV1XCWVAgMBAAGjUDBOMB0GA1UdDgQWBBQFftMH
-5/dc0pUNDqLbVQ8gm7+I5TAfBgNVHSMEGDAWgBQFftMH5/dc0pUNDqLbVQ8gm7+I
-5TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQC2aSKJ15v5OI7Zj/HQ
-lW+iY9STBPJi9lgOjaGrNaPX0IuhJLkeKDntmzjvpGwvcylHMp6Im02svTymteNN
-38s8A0aStnmW4ysGT853H7L7Jxzf7J2vrUF0Dj4QkZ07Gp3vAgKnWVcqz36Xr0Se
-DEqrKMl/6fq3Ygl35fZXP1kb6t/wP6qx69bnENH6ksHFpZapWYssKNZO9yiB8+Eq
-ngB22X/ycMmAqOnNQDzw1JBw7LzdXypCG75UKEK6kbnUy2yPADdHpH8v9qcRa1U9
-vEmUTJs6i1CpPO+2frPJ8A8QIp61nNxe7xJ1SnNVtwk9d6SRet6YGySvgG748Wjw
-GwWx
------END CERTIFICATE-----
diff --git a/default.nix b/default.nix
deleted file mode 100644
index 84153482..00000000
--- a/default.nix
+++ /dev/null
@@ -1,151 +0,0 @@ -{ system-name -, rsync-target ? null -, deploy-target ? null -}: - -# TODO assert that only one of rsync-target or deploy-target is not null - -with builtins; -assert (typeOf system-name == "string"); -with import ; -let - paths-file = toPath "${dirOf __curPos.file}/modules/${system-name}/paths.nix"; - - paths = import paths-file; - - prefetch.file = '' - echo "$prefetch_in_url" - ''; - - prefetch.git = '' - ${concatMapStringsSep "\n" (attr-name: '' - case ''${prefetch_in_${escapeShellArg attr-name}-?} in \?) - printf '%s: %s: missing attribute: %s' \ - ${escapeShellArg paths-file} \ - "$prefetch_name" \ - ${escapeShellArg attr-name} \ - >&2 - return 1 - esac - '') [ "rev" "url" "cache" ]} - - git_rev=$prefetch_in_rev - git_url=$prefetch_in_url - - # cache_dir points to a (maybe non-existent) directory, where a shared cache of - # the repository should be maintained. The shared cache is used to create - # multiple working trees of the repository. - cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode) - cache_git() { - git --git-dir="$cache_dir" "$@" - } - - # work_dir points to a (maybe non-existent) directory, where a specific - # revision of the repository is checked out. - # XXX this is probably a bad idea if git_rev is not a commit - work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode) - work_git() { - git -C "$work_dir" "$@" - } - - is_up_to_date() { - test -d "$cache_dir" && - test -d "$work_dir" && - test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" && - test "$(work_git rev-parse --verify HEAD)" = "$git_rev" - } - - # Notice how the remote name "origin" has been chosen arbitrarily, but must be - # kept in sync with the default value of nixpkgs.rev. - if ! is_up_to_date; then - if ! test -d "$cache_dir"; then - mkdir -p "$cache_dir" - cache_git init --bare - fi - if ! 
cache_git_url=$(cache_git config remote.origin.url); then - cache_git remote add origin "$git_url" - elif test "$cache_git_url" != "$git_url"; then - cache_git remote set-url origin "$git_url" - fi - cache_git fetch origin - if ! test -d "$work_dir"; then - git clone -n --shared "$cache_dir" "$work_dir" - fi - commit_name=$(cache_git rev-parse --verify "$git_rev") - work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")" - work_git checkout -q "$commit_name" - work_git submodule init - work_git submodule update - fi - work_git clean -dxf - - echo "$work_dir" - ''; - - - f = pkg-name: pkg-spec: - let - types = attrNames pkg-spec; - type = elemAt types 0; - in - assert (length types == 1); # there can be only one source type - '' - out=$(${concatStringsSep " \\\n" (mapAttrsToList (k: v: - "prefetch_in_${escapeShellArg k}=${escapeShellArg (toString v)}") pkg-spec.${type})} \ - prefetch_name=${escapeShellArg pkg-name} \ - __prefetch_${escapeShellArg type}) - printf '%s=%s\n' \ - ${escapeShellArg pkg-name} \ - "$out" - ''; -in -'' -#! 
/bin/sh -set -euf - -PATH=${toString ./.}/bin:$PATH -export PATH - -__prefetch_file() { -${prefetch.file} -} -__prefetch_git() { -${prefetch.git} -} - -# TODO make sure x contains only sane chars -x=$(${concatStrings (mapAttrsToList f paths)}) - -${optionalString (rsync-target != null) '' - proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ - rsync --delete --delete-excluded \ - --filter='- /*/.git' \ - --rsync-path='mkdir -p -m 0700 /shitment/ && rsync' \ - -vaz \ - --no-owner \ - --no-group \ - '/shitment/' \ - ${escapeShellArg rsync-target} -''} - - -${optionalString (deploy-target != null) '' - system_path=$(proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ - env \ - NIX_PATH=/shitment \ - NIXOS_CONFIG=/shitment/modules/${escapeShellArg system-name} \ - nix-build -A system --no-out-link '') - - system_name=${escapeShellArg system-name} - target=${escapeShellArg deploy-target} - - nix-copy-closure --gzip --to "$target" "$system_path" - - secrets_root=${toString ./.}/secrets \ - config_root=${toString ./.} \ - copy-secrets "$system_name" "$target" - - ssh ''${NIX_SSHOPTS-} "$target" "$system_path/bin/switch-to-configuration" switch -''} - -'' diff --git a/deploy b/deploy deleted file mode 100755 index a9dbf45e..00000000 --- a/deploy +++ /dev/null @@ -1,15 +0,0 @@ -#! /bin/sh -# -# usage: ./deploy system_name [target] -# -set -euf - -system_name=$1 -target=${2-root@$system_name} - -nix-instantiate \ - --argstr system-name "$system_name" \ - --argstr deploy-target "$target" \ - --eval --json . \ - | jq -r . \ - | sh diff --git a/infest-cac-CentOS-7-64bit.sh b/infest-cac-CentOS-7-64bit.sh deleted file mode 100755 index 1e96e0e2..00000000 --- a/infest-cac-CentOS-7-64bit.sh +++ /dev/null 
@@ -1,51 +0,0 @@ -#! /bin/sh -set -xeuf - -serverspec=$1 -systemname=$2 - -( - PATH=$PWD/bin:$PATH - export PATH - - # Notice NIX_PATH used from host - # Notice secrets required to evaluate configuration - NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$systemname - NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$systemname/nix - export NIX_PATH - - case $(nixos-query nixpkgs.dirty) in true) - echo "$0: cannot use nixpkgs.dirty" >&2 # b/c ./cac pushconfig - exit -1 - esac - - prefetch nixpkgs tmp/nixpkgs/$systemname -) - -./cac poll 10s 2>/dev/null & -pollpid=$! -trap "kill $pollpid; trap - EXIT" EXIT - -./cac waitstatus $serverspec 'Powered On' - -# TODO don't set label/mode if they're already good -./cac setlabel $serverspec $systemname -./cac setmode $systemname normal -./cac generatenetworking $systemname > modules/$systemname/networking.nix - -cat infest.d/cac-CentOS-7-64bit/prepare.sh | ./cac ssh $systemname \ - nix_url=https://nixos.org/releases/nix/nix-1.9/nix-1.9-x86_64-linux.tar.bz2 \ - nix_sha256=5c76611c631e79aef5faf3db2d253237998bbee0f61fa093f925fa32203ae32b \ - /bin/sh - -./cac pushconfig $systemname /mnt - -# This needs to be run twice because (at least): -# Initialized empty Git repository in /var/lib/git/$reponame -# chown: invalid user: 'git:nogroup' -cat infest.d/nixos-install.sh | ./cac ssh $systemname || : -cat infest.d/nixos-install.sh | ./cac ssh $systemname - -cat infest.d/cac-CentOS-7-64bit/finalize.sh | ./cac ssh $systemname - -./cac powerop $systemname reset diff --git a/infest.d/cac-CentOS-7-64bit/finalize.sh b/infest.d/cac-CentOS-7-64bit/finalize.sh deleted file mode 100644 index b70276b3..00000000 --- a/infest.d/cac-CentOS-7-64bit/finalize.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#! /bin/sh -set -eu -{ - umount /mnt2 - umount /mnt/nix - umount /mnt/boot - umount /mnt - umount /boot - - PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i) - export PATH - - mkdir /oldshit - - mv /bin /oldshit/ - mv /newshit/bin / - - # TODO ensure /boot is empty - rmdir /newshit/boot - - # skip /dev - rmdir /newshit/dev - - mv /etc /oldshit/ - mv /newshit/etc / - - # TODO ensure /home is empty - rmdir /newshit/home - - # skip /nix (it's already there) - rmdir /newshit/nix - - # skip /proc - rmdir /newshit/proc - - # skip /run - rmdir /newshit/run - - # skip /sys - rmdir /newshit/sys - - # skip /tmp - # TODO rmdir /newshit/tmp - - mv /usr /oldshit/ - mv /newshit/usr / - - mv /var /oldshit/ - mv /newshit/var / - - mv /root /oldshit/ - mv /newshit/root / - - mv /lib /oldshit/ - mv /lib64 /oldshit/ - mv /sbin /oldshit/ - mv /mnt2 /oldshit/ - mv /srv /oldshit/ - mv /opt /oldshit/ - - - mv /newshit /root/ # TODO this one shoult be empty - mv /oldshit /root/ - - sync -} diff --git a/infest.d/cac-CentOS-7-64bit/prepare.sh b/infest.d/cac-CentOS-7-64bit/prepare.sh deleted file mode 100644 index f932e9c3..00000000 --- a/infest.d/cac-CentOS-7-64bit/prepare.sh +++ /dev/null 
@@ -1,104 +0,0 @@ -#! /bin/sh -set -euf - -: $nix_url -: $nix_sha256 - -{ - # - # prepare host - # - - type bzip2 2>/dev/null || yum install -y bzip2 - type rsync 2>/dev/null || yum install -y rsync - - if ! getent group nixbld >/dev/null; then - groupadd -g 30000 -r nixbld - fi - for i in `seq 1 10`; do - if ! getent passwd nixbld$i 2>/dev/null; then - useradd \ - -c "CentOS Nix build user $i" \ - -d /var/empty \ - -g 30000 \ - -G 30000 \ - -l \ - -M \ - -s /sbin/nologin \ - -u $(expr 30000 + $i) \ - nixbld$i - rm -f /var/spool/mail/nixbld$i - fi - done - - # generate fake sudo because - # sudo: sorry, you must have a tty to run sudo - mkdir -p bin - printf '#! /bin/sh\nexec env "$@"\n' > bin/sudo - chmod +x bin/sudo - - PATH=$PWD/bin:$PATH - export PATH - - # install nix on host (cf. https://nixos.org/nix/install) - if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then - ( - verify() { - echo $nix_sha256 $(basename $nix_url) | sha256sum -c - } - if ! verify; then - curl -C - -O "$nix_url" - verify - fi - ) - tar jxf $(basename $nix_url) - $(basename $nix_url .tar.bz2)/install - fi - - MANPATH=/var/empty . /root/.nix-profile/etc/profile.d/nix.sh - - if ! type nixos-install 2>/dev/null; then - nixpkgs_expr='import { system = builtins.currentSystem; }' - nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) - nix-env \ - --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ - --arg pkgs "$nixpkgs_expr" \ - --arg modulesPath 'throw "no modulesPath"' \ - -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ - -iA config.system.build.nixos-install - fi - - # - # mount install directory - # - - if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt type xfs'; then - mkdir -p /newshit - mount --bind /newshit /mnt - fi - - if ! mount | grep -Fq '/dev/sda1 on /mnt/boot type xfs'; then - mkdir -p /mnt/boot - mount /dev/sda1 /mnt/boot - fi - - if ! 
mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then - mkdir -p /mnt/nix - mount --bind /nix /mnt/nix - fi - - mount | grep 'on /mnt\>' >&2 - - # - # prepare install directory - # - # XXX This should be done by (?) - # remote_dir=/mnt ./cac pushconfig servername:c731445864-cloudpro-134581046 rmdir - - mkdir -p /mnt/etc/nixos - mkdir -m 0555 -p /mnt/var/empty - - # add eye candy - address=$(echo $SSH_CONNECTION | awk '{print$3}') - echo 'PS1='\''\[\e[1;31m\]\u@'"$address"'\[\e[m\] \[\e[1;32m\]\w\[\e[m\] '\' > .bashrc -} diff --git a/infest.d/nixos-install.sh b/infest.d/nixos-install.sh deleted file mode 100644 index df01a346..00000000 --- a/infest.d/nixos-install.sh +++ /dev/null @@ -1,8 +0,0 @@ -#! /bin/sh -# usage: cat infest-nixos-install.sh | ./cac ssh ... -set -euf -nixos-install \ - -I secrets=/etc/nixos/secrets \ - -I retiolum-hosts=/etc/nixos/hosts \ - -I pubkeys=/etc/nixos/pubkeys \ - -I nixpkgs=/etc/nixos/nixpkgs diff --git a/lib/default.nix b/lib/default.nix deleted file mode 100644 index 164a6a1a..00000000 --- a/lib/default.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ lib, pkgs, ... }: - -with builtins; - -let - inherit (lib) mapAttrs stringAsChars; -in - -rec { - git = import ./git.nix { - lib = lib // { - inherit addNames; - }; - inherit pkgs; - }; - - addName = name: set: - set // { inherit name; }; - - addNames = mapAttrs addName; - - - # "7.4.335" -> "74" - majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - - - concat = xs : - if xs == [] - then "" - else head xs + concat (tail xs) - ; - - flip = f : x : y : f y x; - - # isSuffixOf :: String -> String -> Bool - isSuffixOf = - s : xs : - let - sn = stringLength s; - xsn = stringLength xs; - in - xsn >= sn && substring (xsn - sn) sn xs == s ; - - removeSuffix = - s : xs : substring 0 (stringLength xs - stringLength s) xs; - - # setMap :: (String -> a -> b) -> Set String a -> [b] - #setMap = f: xs: map (k : f k (getAttr k xs)) (attrNames xs); - - # setToList :: Set k a -> [a] - #setToList = setMap (_: v: v); - - shell-escape = - let - isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; - in - stringAsChars (c: - if isSafeChar c then c - else if c == "\n" then "'\n'" - else "\\${c}"); - -} diff --git a/lib/git.nix b/lib/git.nix deleted file mode 100644 index 8dc17611..00000000 --- a/lib/git.nix +++ /dev/null 
@@ -1,181 +0,0 @@ -{ lib, pkgs, ... }: - -let - inherit (lib) addNames escapeShellArg makeSearchPath; - - commands = addNames { - git-receive-pack = {}; - git-upload-pack = {}; - }; - - receive-modes = addNames { - fast-forward = {}; - non-fast-forward = {}; - create = {}; - delete = {}; - merge = {}; # TODO implement in git.nix - }; - - permissions = { - fetch = { - allow-commands = [ - commands.git-upload-pack - ]; - }; - - push = ref: extra-modes: { - allow-commands = [ - commands.git-receive-pack - commands.git-upload-pack - ]; - allow-receive-ref = ref; - allow-receive-modes = [ receive-modes.fast-forward ] ++ extra-modes; - }; - }; - - refs = { - master = "refs/heads/master"; - all-heads = "refs/heads/*"; - }; - - irc-announce-script = pkgs.writeScript "irc-announce-script" '' - #! /bin/sh - set -euf - - export PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - gawk - gnused - netcat - nettools - ])} - - IRC_SERVER=$1 - IRC_PORT=$2 - IRC_NICK=$3$$ - IRC_CHANNEL=$4 - message=$5 - - export IRC_CHANNEL # for privmsg_cat - - # echo2 and cat2 are used output to both, stdout and stderr - # This is used to see what we send to the irc server. 
(debug output) - echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } - - # privmsg_cat transforms stdin to a privmsg - privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } - - # ircin is used to feed the output of netcat back to the "irc client" - # so we can implement expect-like behavior with sed^_^ - # XXX mkselfdestructingtmpfifo would be nice instead of this cruft - tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" - cd "$tmpdir" - mkfifo ircin - trap " - rm ircin - cd '$OLDPWD' - rmdir '$tmpdir' - trap - EXIT INT QUIT - " EXIT INT QUIT - - { - echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" - echo2 "NICK $IRC_NICK" - - # wait for MODE message - sed -n '/^:[^ ]* MODE /q' - - echo2 "JOIN $IRC_CHANNEL" - - printf '%s' "$message" \ - | privmsg_cat \ - | cat2 - - echo2 "PART $IRC_CHANNEL" - - # wait for PART confirmation - sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' - - echo2 'QUIT :Gone to have lunch' - } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin - ''; - - hooks = { - # TODO make this a package? - irc-announce = { nick, channel, server, port ? 6667 }: '' - #! 
/bin/sh - set -euf - - export PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - git - gnused - ])} - - nick=${escapeShellArg nick} - channel=${escapeShellArg channel} - server=${escapeShellArg server} - port=${toString port} - - host=$nick - - empty=0000000000000000000000000000000000000000 - - unset message - while read oldrev newrev ref; do - - if [ $oldrev = $empty ]; then - receive_mode=create - elif [ $newrev = $empty ]; then - receive_mode=delete - elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then - receive_mode=fast-forward - else - receive_mode=non-fast-forward - fi - - h=$(echo $ref | sed 's:^refs/heads/::') - - # empty_tree=$(git hash-object -t tree /dev/null - empty_tree=4b825dc6 - - id=$(echo $newrev | cut -b-7) - id2=$(echo $oldrev | cut -b-7) - if [ $newrev = $empty ]; then id=$empty_tree; fi - if [ $oldrev = $empty ]; then id2=$empty_tree; fi - - case $receive_mode in - create) - #git log --oneline $id2 - link="http://$host/cgit/$GIT_SSH_REPO/?h=$h" - ;; - delete) - #git log --oneline $id2 - link="http://$host/cgit/$GIT_SSH_REPO/ ($h)" - ;; - fast-forward|non-fast-forward) - #git diff --stat $id..$id2 - link="http://$host/cgit/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2" - ;; - esac - - #$host $GIT_SSH_REPO $ref $link - message="''${message+$message - }$GIT_SSH_USER $receive_mode $link" - done - - if test -n "''${message-}"; then - exec ${irc-announce-script} \ - "$server" \ - "$port" \ - "$nick" \ - "$channel" \ - "$message" - fi - ''; - }; - -in -commands // receive-modes // permissions // refs // hooks diff --git a/lib/modules.nix b/lib/modules.nix deleted file mode 100644 index 248e638e..00000000 --- a/lib/modules.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -let - pkgs = import {}; - inherit (pkgs.lib) concatMap hasAttr; -in rec { - - no-touch-args = { - config = throw "no-touch-args: can't touch config!"; - lib = throw "no-touch-args: can't touch lib!"; - pkgs = throw "no-touch-args: can't touch pkgs!"; - }; - - # list-imports : path -> [path] - # Return a module's transitive list of imports. - # XXX duplicates won't get eliminated from the result. - list-imports = path: - let module = import path no-touch-args; - imports = if hasAttr "imports" module - then concatMap list-imports module.imports - else []; - in [path] ++ imports; -} diff --git a/modules/cd/default.nix b/modules/cd/default.nix deleted file mode 100644 index e3abd47e..00000000 --- a/modules/cd/default.nix +++ /dev/null 
@@ -1,91 +0,0 @@ -{ config, pkgs, ... }: - -let - inherit (builtins) readFile; -in - -{ - imports = - [ - { users.extraUsers = import ; } - ./networking.nix - ./users.nix - ../tv/base.nix - ../tv/base-cac-CentOS-7-64bit.nix - ../tv/config/consul-server.nix - ../tv/ejabberd.nix # XXX echtes modul - ../tv/exim-smarthost.nix - ../tv/git/public.nix - ../tv/sanitize.nix - { - imports = [ ../tv/identity ]; - tv.identity = { - enable = true; - self = config.tv.identity.hosts.cd; - }; - } - { - imports = [ ../tv/iptables ]; - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "ssh" - "tinc" - "smtp" - "xmpp-client" - "xmpp-server" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - imports = [ ../tv/retiolum ]; - tv.retiolum = { - enable = true; - hosts = ; - connectTo = [ - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } - ]; - - # "Developer 2" plan has two vCPUs. - nix.maxJobs = 2; - - environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update - htop - iftop - iotop - iptables - mutt # for mv - nethogs - rxvt_unicode.terminfo - tcpdump - ]; - - services.ejabberd-cd = { - enable = true; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - permitRootLogin = "yes"; - }; - - sound.enable = false; -} diff --git a/modules/cd/networking.nix b/modules/cd/networking.nix deleted file mode 100644 index 215e2082..00000000 --- a/modules/cd/networking.nix +++ /dev/null @@ -1,14 +0,0 @@ -{...}: -{ - networking.hostName = "cd"; - networking.interfaces.enp2s1.ip4 = [ - { - address = "162.219.7.216"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "162.219.7.1"; - networking.nameservers = [ - "8.8.8.8" - ]; -} 
diff --git a/modules/cd/paths.nix b/modules/cd/paths.nix
deleted file mode 100644
index f873912f..00000000
--- a/modules/cd/paths.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- lib.file.url = ../../lib;
- modules.file.url = ../../modules;
- nixpkgs.git = {
- url = https://github.com/NixOS/nixpkgs;
- rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870";
- cache = ../../tmp/git-cache;
- };
- pubkeys.file.url = ../../pubkeys;
- retiolum-hosts.file.url = ../../hosts;
- secrets.file.url = ../../secrets/cd/nix;
-}
diff --git a/modules/cd/users.nix b/modules/cd/users.nix
deleted file mode 100644
index 656336d6..00000000
--- a/modules/cd/users.nix
+++ /dev/null
@@ -1,53 +0,0 @@ -{ ... }: - -let - inherit (builtins) readFile; -in - -{ - users.extraGroups = { - - # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories - # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) - # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago - # Docs: man:tmpfiles.d(5) - # man:systemd-tmpfiles(8) - # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) - # Main PID: 19272 (code=exited, status=1/FAILURE) - # - # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. - # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. - # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. - # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE - # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. - # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. - # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. - # warning: error(s) occured while switching to the new configuration - lock.gid = 10001; - - }; - users.extraUsers = - { - root = { - openssh.authorizedKeys.keys = [ - (readFile ) - (readFile ) - ]; - }; - - mv = rec { - name = "mv"; - uid = 1338; - group = "users"; - home = "/home/${name}"; - createHome = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = [ - (readFile ) - ]; - }; - - }; - - users.mutableUsers = false; -} 
diff --git a/modules/cloudkrebs/default.nix b/modules/cloudkrebs/default.nix deleted file mode 100644 index 938447e0..00000000 --- a/modules/cloudkrebs/default.nix +++ /dev/null @@ -1,69 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../tv/base-cac-CentOS-7-64bit.nix - ../lass/retiolum-cloudkrebs.nix - ./networking.nix - ../../secrets/cloudkrebs-pw.nix - ../lass/sshkeys.nix - ../lass/base.nix - ../common/nixpkgs.nix - ]; - - nixpkgs = { - url = "https://github.com/Lassulus/nixpkgs"; - rev = "b42ecfb8c61e514bf7733b4ab0982d3e7e27dacb"; - }; - - nix.maxJobs = 1; - - #activationScripts - #split up and move into base - - #TODO move into modules - users.extraUsers = { - #main user - root = { - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - description = "lassulus"; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - }; - - environment.systemPackages = with pkgs; [ - ]; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - permitRootLogin = "yes"; - }; - - networking.firewall = { - enable = true; - - allowedTCPPorts = [ - 22 - ]; - }; - -} diff --git a/modules/cloudkrebs/networking.nix b/modules/cloudkrebs/networking.nix deleted file mode 100644 index fc500736..00000000 --- a/modules/cloudkrebs/networking.nix +++ /dev/null @@ -1,14 +0,0 @@ -{...}: -{ - networking.hostName = "cloudkrebs"; - networking.interfaces.enp2s1.ip4 = [ - { - address = "104.167.113.104"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.167.113.1"; - networking.nameservers = [ - "8.8.8.8" - ]; -} 
diff --git a/modules/common/krebs-keys.nix b/modules/common/krebs-keys.nix deleted file mode 100644 index 5e349338..00000000 --- a/modules/common/krebs-keys.nix +++ /dev/null @@ -1,18 +0,0 @@ -# alle public keys der krebsminister fuer R in krebs repos -{ config, ... }: - -let - inherit (builtins) readFile; -in - -with import ../lass/sshkeys.nix { - config.sshKeys.lass.pub = config.sshKeys.lass.pub; - config.sshKeys.uriel.pub = config.sshKeys.uriel.pub; - }; -{ - imp