From 58380c82848c3db0bd6c3d74904153f3464c2098 Mon Sep 17 00:00:00 2001 
From: tv Date: Fri, 14 Jul 2017 00:17:58 +0200 Subject: merge shared into krebs --- krebs/1systems/test-all-krebs-modules/config.nix | 55 +++++++ krebs/1systems/test-all-krebs-modules/source.nix | 3 + krebs/1systems/test-arch/config.nix | 33 ++++ krebs/1systems/test-arch/source.nix | 3 + krebs/1systems/test-centos6/config.nix | 31 ++++ krebs/1systems/test-centos6/source.nix | 3 + krebs/1systems/test-centos7/config.nix | 17 ++ krebs/1systems/test-centos7/source.nix | 3 + krebs/1systems/test-failing/config.nix | 10 ++ krebs/1systems/test-failing/source.nix | 3 + krebs/1systems/test-minimal-deploy/config.nix | 17 ++ krebs/1systems/test-minimal-deploy/source.nix | 3 + krebs/1systems/wolf/config.nix | 108 +++++++++++++ krebs/1systems/wolf/source.nix | 3 + krebs/2configs/central-stats-client.nix | 68 ++++++++ krebs/2configs/cgit-mirror.nix | 45 ++++++ krebs/2configs/collectd-base.nix | 41 +++++ krebs/2configs/default.nix | 51 ++++++ krebs/2configs/graphite.nix | 93 +++++++++++ .../2configs/os-templates/CAC-CentOS-6.5-64bit.nix | 47 ++++++ krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix | 47 ++++++ krebs/2configs/repo-sync.nix | 31 ++++ krebs/2configs/save-diskspace.nix | 11 ++ krebs/2configs/shack/bincache.nix | 6 + krebs/2configs/shack/drivedroid.nix | 49 ++++++ krebs/2configs/shack/mqtt_sub.nix | 34 ++++ krebs/2configs/shack/muell_caller.nix | 41 +++++ krebs/2configs/shack/nix-cacher.nix | 31 ++++ krebs/2configs/shack/radioactive.nix | 35 ++++ krebs/2configs/shack/share.nix | 38 +++++ krebs/2configs/shack/worlddomination.nix | 67 ++++++++ krebs/2configs/shared-buildbot.nix | 178 +++++++++++++++++++++ krebs/2configs/temp/dirs.nix | 1 + krebs/2configs/temp/networking.nix | 1 + krebs/3modules/default.nix | 2 +- krebs/3modules/krebs/default.nix | 75 +++++++++ krebs/3modules/shared/default.nix | 75 --------- krebs/5pkgs/test/infest-cac-centos7/notes | 8 +- krebs/6tests/data/secrets/grafana_security.nix | 1 + krebs/6tests/data/secrets/retiolum.rsa_key.priv | 0 
krebs/6tests/data/secrets/ssh.id_ed25519 | 0 krebs/source.nix | 19 +++ 42 files changed, 1307 insertions(+), 80 deletions(-) create mode 100644 krebs/1systems/test-all-krebs-modules/config.nix create mode 100644 krebs/1systems/test-all-krebs-modules/source.nix create mode 100644 krebs/1systems/test-arch/config.nix create mode 100644 krebs/1systems/test-arch/source.nix create mode 100644 krebs/1systems/test-centos6/config.nix create mode 100644 krebs/1systems/test-centos6/source.nix create mode 100644 krebs/1systems/test-centos7/config.nix create mode 100644 krebs/1systems/test-centos7/source.nix create mode 100644 krebs/1systems/test-failing/config.nix create mode 100644 krebs/1systems/test-failing/source.nix create mode 100644 krebs/1systems/test-minimal-deploy/config.nix create mode 100644 krebs/1systems/test-minimal-deploy/source.nix create mode 100644 krebs/1systems/wolf/config.nix create mode 100644 krebs/1systems/wolf/source.nix create mode 100644 krebs/2configs/central-stats-client.nix create mode 100644 krebs/2configs/cgit-mirror.nix create mode 100644 krebs/2configs/collectd-base.nix create mode 100644 krebs/2configs/default.nix create mode 100644 krebs/2configs/graphite.nix create mode 100644 krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix create mode 100644 krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix create mode 100644 krebs/2configs/repo-sync.nix create mode 100644 krebs/2configs/save-diskspace.nix create mode 100644 krebs/2configs/shack/bincache.nix create mode 100644 krebs/2configs/shack/drivedroid.nix create mode 100644 krebs/2configs/shack/mqtt_sub.nix create mode 100644 krebs/2configs/shack/muell_caller.nix create mode 100644 krebs/2configs/shack/nix-cacher.nix create mode 100644 krebs/2configs/shack/radioactive.nix create mode 100644 krebs/2configs/shack/share.nix create mode 100644 krebs/2configs/shack/worlddomination.nix create mode 100644 krebs/2configs/shared-buildbot.nix create mode 100644 krebs/2configs/temp/dirs.nix create mode 
100644 krebs/2configs/temp/networking.nix create mode 100644 krebs/3modules/krebs/default.nix delete mode 100644 krebs/3modules/shared/default.nix create mode 100644 krebs/6tests/data/secrets/grafana_security.nix create mode 100644 krebs/6tests/data/secrets/retiolum.rsa_key.priv create mode 100644 krebs/6tests/data/secrets/ssh.id_ed25519 create mode 100644 krebs/source.nix (limited to 'krebs')
diff --git a/krebs/1systems/test-all-krebs-modules/config.nix b/krebs/1systems/test-all-krebs-modules/config.nix
new file mode 100644
index 00000000..c0c14b71
--- /dev/null
+++ b/krebs/1systems/test-all-krebs-modules/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }:
+let
+ en = { enable = true;};
+in {
+ imports = [
+
+
+ ];
+ krebs = {
+ enable = true;
+ build.user = config.krebs.users.krebs;
+ build.host = config.krebs.hosts.test-all-krebs-modules;
+ Reaktor.test = {};
+ apt-cacher-ng.enable = true;
+ backup.enable = true;
+ bepasty.enable = true;
+ # FIXME fast-tests / instantiate-test-all-modules fails at wolfbot
+ # http://wolf:8010/builders/fast-tests/builds/442
+ #buildbot.master.enable = true;
+ buildbot.worker = {
+ enable = true;
+ username = "lol";
+ password = "wut";
+ };
+ # XXX exim-retiolum and exim-smarthost are mutually exclusive
+ #exim-retiolum = {
+ # enable = true;
+ # primary_hostname = "test.r";
+ #};
+ exim-smarthost = {
+ enable = true;
+ primary_hostname = "test.r";
+ system-aliases = [ { from = "dick"; to = "butt"; } ];
+ };
+ go.enable = true;
+ iptables = {
+ enable = true;
+ tables = {};
+ };
+ realwallpaper.enable = true;
+ tinc.retiolum.enable = true;
+ retiolum-bootstrap.enable = true;
+ tinc_graphs.enable = true;
+ urlwatch.enable = true;
+ fetchWallpaper = {
+ enable = true;
+ url ="localhost";
+ };
+ };
+ # just get the system running
+ boot.loader.grub.devices = ["/dev/sda"];
+ fileSystems."/" = {
+ device = "/dev/lol";
+ };
+}
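Review bot: The buildbot worker credentials `username = "lol"; password = "wut";` are committed in clear text with nothing marking them as throwaway values. The only hint that this system is never deployed is the later `# just get the system running`, which is about the filesystem stanza, not the credentials. A comment directly above `buildbot.worker`, e.g. `# dummy credentials: this system is only instantiated by the test suite, never deployed`, would stop someone from copying this stanza into a real host config.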
diff --git a/krebs/1systems/test-all-krebs-modules/source.nix b/krebs/1systems/test-all-krebs-modules/source.nix new file mode 100644 index 00000000..66fdaa77 --- /dev/null +++ b/krebs/1systems/test-all-krebs-modules/source.nix @@ -0,0 +1,3 @@ +import { + name = "test-all-krebs-modules"; +} diff --git a/krebs/1systems/test-arch/config.nix b/krebs/1systems/test-arch/config.nix new file mode 100644 index 00000000..b5a4234e --- /dev/null +++ b/krebs/1systems/test-arch/config.nix @@ -0,0 +1,33 @@ +{ config, pkgs, ... }: + +{ + imports = [ + + + { + boot.loader.grub = { + device = "/dev/sda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + ]; + + fileSystems."/" = { + device = "/dev/sda1"; + }; + } + { + networking.dhcpcd.allowInterfaces = [ + "enp*" + ]; + } + { + sound.enable = false; + } + ]; + + krebs.build.host = config.krebs.hosts.test-arch; +} diff --git a/krebs/1systems/test-arch/source.nix b/krebs/1systems/test-arch/source.nix new file mode 100644 index 00000000..bff9d432 --- /dev/null +++ b/krebs/1systems/test-arch/source.nix @@ -0,0 +1,3 @@ +import { + name = "test-arch"; +} diff --git a/krebs/1systems/test-centos6/config.nix b/krebs/1systems/test-centos6/config.nix new file mode 100644 index 00000000..968f8b8f --- /dev/null +++ b/krebs/1systems/test-centos6/config.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) head; + + ip = "168.235.148.52"; + gw = "168.235.148.1"; +in { + imports = [ + + + + { + networking.interfaces.enp11s0.ip4 = [ + { + address = ip; + prefixLength = 24; + } + ]; + networking.defaultGateway = gw; + networking.nameservers = [ + "8.8.8.8" + ]; + } + { + sound.enable = false; + } + ]; + + krebs.build.host = config.krebs.hosts.test-centos6; +} diff --git a/krebs/1systems/test-centos6/source.nix b/krebs/1systems/test-centos6/source.nix new file mode 100644 index 00000000..3693bbb2 --- /dev/null +++ b/krebs/1systems/test-centos6/source.nix 
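Review bot: `inherit (lib) head;` in test-centos6/config.nix binds a name that is never used in the file; the same unused binding appears in krebs/1systems/test-centos7/config.nix in the next hunk. Drop the line in both, or if it is kept as a template placeholder, add `# unused; kept for parity with other CAC templates` so it is not mistaken for a missing expression.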
@@ -0,0 +1,3 @@
+import {
+ name = "test-centos6";
+}
diff --git a/krebs/1systems/test-centos7/config.nix b/krebs/1systems/test-centos7/config.nix
new file mode 100644
index 00000000..732bc4f1
--- /dev/null
+++ b/krebs/1systems/test-centos7/config.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) head;
+
+in {
+ imports = [
+
+
+
+
+
+ ];
+
+ sound.enable = false;
+ krebs.build.host = config.krebs.hosts.test-centos7;
+}
diff --git a/krebs/1systems/test-centos7/source.nix b/krebs/1systems/test-centos7/source.nix
new file mode 100644
index 00000000..44230f08
--- /dev/null
+++ b/krebs/1systems/test-centos7/source.nix
@@ -0,0 +1,3 @@
+import {
+ name = "test-centos7";
+}
diff --git a/krebs/1systems/test-failing/config.nix b/krebs/1systems/test-failing/config.nix
new file mode 100644
index 00000000..0dc8e6bf
--- /dev/null
+++ b/krebs/1systems/test-failing/config.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+
+
+ ];
+ programs.ssh.startAgent = true;
+ programs.ssh.startAgent = false;
+}
diff --git a/krebs/1systems/test-failing/source.nix b/krebs/1systems/test-failing/source.nix
new file mode 100644
index 00000000..60b77a0a
--- /dev/null
+++ b/krebs/1systems/test-failing/source.nix
@@ -0,0 +1,3 @@
+import {
+ name = "test-failing";
+}
diff --git a/krebs/1systems/test-minimal-deploy/config.nix b/krebs/1systems/test-minimal-deploy/config.nix
new file mode 100644
index 00000000..9974b4f7
--- /dev/null
+++ b/krebs/1systems/test-minimal-deploy/config.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, lib, ... }:
+{
+ imports = [
+
+
+ ];
+ krebs = {
+ enable = true;
+ build.user = config.krebs.users.krebs;
+ build.host = config.krebs.hosts.test-all-krebs-modules;
+ };
+ # just get the system to eval in nixos without errors
+ boot.loader.grub.devices = ["/dev/sda"];
+ fileSystems."/" = {
+ device = "/dev/lol";
+ };
+}
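Review bot: test-failing/config.nix defines `programs.ssh.startAgent = true;` and `programs.ssh.startAgent = false;` back to back with no explanation; the system name suggests the conflicting definitions are the point, but nothing in the file says so. Add `# intentionally conflicting definitions: this system must fail to evaluate (negative test for the deploy pipeline)` above the two lines so the next reader does not "fix" it.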
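Review bot: test-minimal-deploy/config.nix sets `build.host = config.krebs.hosts.test-all-krebs-modules;` although the system is named test-minimal-deploy, which looks like a copy from test-all-krebs-modules/config.nix. If a `test-minimal-deploy` host exists in krebs/3modules/krebs/default.nix (added in this commit but not visible here), point at it; if the reuse is deliberate, say so, e.g. `# reuses the test-all-krebs-modules host entry: no separate host record is needed for an eval-only system`.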
diff --git a/krebs/1systems/test-minimal-deploy/source.nix b/krebs/1systems/test-minimal-deploy/source.nix
new file mode 100644
index 00000000..032ab12b
--- /dev/null
+++ b/krebs/1systems/test-minimal-deploy/source.nix
@@ -0,0 +1,3 @@
+import {
+ name = "test-minimal-deploy";
+}
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
new file mode 100644
index 00000000..b8cc1b4a
--- /dev/null
+++ b/krebs/1systems/wolf/config.nix
@@ -0,0 +1,108 @@ +{ config, pkgs, ... }: +let + shack-ip = config.krebs.build.host.nets.shack.ip4.addr; +in +{ + imports = [ + + + + + + + + + + + + + + + # + + + + + + ]; + # use your own binary cache, fallback use cache.nixos.org (which is used by + # apt-cacher-ng in first place) + + services.influxdb.enable = true; + + # local discovery in shackspace + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + krebs.tinc.retiolum.extraConfig = "TCPOnly = yes"; + services.grafana = { + enable = true; + addr = "0.0.0.0"; + users.allowSignUp = true; + users.allowOrgCreate = true; + users.autoAssignOrg = true; + auth.anonymous.enable = true; + security = import ; + }; + + nix = { + # use the up to date prism cache + binaryCaches = [ + "http://cache.prism.r" + "https://cache.nixos.org/" + ]; + binaryCachePublicKeys = [ + "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" + "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" + ]; + }; + + networking = { + firewall.enable = false; + firewall.allowedTCPPorts = [ 8088 8086 8083 ]; + interfaces.enp0s3.ip4 = [{ + address = shack-ip; + prefixLength = 20; + }]; + + defaultGateway = "10.42.0.1"; + nameservers = [ "10.42.0.100" "10.42.0.200" ]; + }; + + ##################### + # uninteresting stuff + ##################### + krebs.build.host = config.krebs.hosts.wolf; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" "uhci_hcd" "ehci_pci" "virtio_pci" "virtio_blk" + ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/vda"; + + fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; + # fallout of ipv6calypse + networking.extraHosts = '' + 
hass.shack 10.42.2.191 + heidi.shack 10.42.2.135 + ''; + + users.extraUsers.root.openssh.authorizedKeys.keys = [ + config.krebs.users.ulrich.pubkey + ]; + + time.timeZone = "Europe/Berlin"; + sound.enable = false; +} diff --git a/krebs/1systems/wolf/source.nix b/krebs/1systems/wolf/source.nix new file mode 100644 index 00000000..c292bfa6 --- /dev/null +++ b/krebs/1systems/wolf/source.nix @@ -0,0 +1,3 @@ +import { + name = "wolf"; +} diff --git a/krebs/2configs/central-stats-client.nix b/krebs/2configs/central-stats-client.nix new file mode 100644 index 00000000..0412eba9 --- /dev/null +++ b/krebs/2configs/central-stats-client.nix @@ -0,0 +1,68 @@ +{pkgs, config, ...}: +{ + services.collectd = { + enable = true; + autoLoadPlugin = true; + extraConfig = '' + Hostname ${config.krebs.build.host.name} + LoadPlugin load + LoadPlugin disk + LoadPlugin memory + LoadPlugin df + Interval 30.0 + + LoadPlugin interface + + Interface "*Link" + Interface "lo" + Interface "vboxnet*" + Interface "virbr*" + IgnoreSelected true + + + LoadPlugin df + + MountPoint "/nix/store" + # MountPoint "/run*" + # MountPoint "/sys*" + # MountPoint "/dev" + # MountPoint "/dev/shm" + # MountPoint "/tmp" + FSType "tmpfs" + FSType "binfmt_misc" + FSType "debugfs" + FSType "mqueue" + FSType "hugetlbfs" + FSType "systemd-1" + FSType "cgroup" + FSType "securityfs" + FSType "ramfs" + FSType "proc" + FSType "devpts" + FSType "devtmpfs" + MountPoint "/var/lib/docker/devicemapper" + IgnoreSelected true + + + LoadPlugin cpu + + ReportByCpu true + ReportByState true + ValuesPercentage true + + + LoadPlugin network + + Server "stats.makefu.r" "25826" + + + LoadPlugin curl + + + URL "http://smarthome.shack/"; + MeasureResponseTime true + + + ''; + }; +} diff --git a/krebs/2configs/cgit-mirror.nix b/krebs/2configs/cgit-mirror.nix new file mode 100644 index 00000000..c2326a5c --- /dev/null +++ b/krebs/2configs/cgit-mirror.nix 
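Review bot: `firewall.enable = false;` turns the `firewall.allowedTCPPorts = [ 8088 8086 8083 ];` on the next line into dead configuration and leaves every listener on wolf reachable from the shack network, including grafana bound to `addr = "0.0.0.0"` with `users.allowSignUp = true` and `auth.anonymous.enable = true`, and influxdb. If an open host is intended for the hackerspace LAN, state it above the networking block, e.g. `# firewall intentionally off: wolf is an open service host on the shack LAN; the port list below is documentation only`; otherwise remove `enable = false` and maintain the port list as the real allow-list. Whether influxdb has authentication enabled is not visible in this hunk and is worth confirming given the open firewall.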
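Review bot: `LoadPlugin df` appears twice in extraConfig (once after `LoadPlugin memory`, again before the df plugin block), and with `autoLoadPlugin = true` the explicit LoadPlugin lines are redundant anyway — drop one or both. The network plugin ships every metric to `Server "stats.makefu.r" "25826"` without `SecurityLevel`/`Username`/`Password`, so integrity and confidentiality rest entirely on the retiolum transport; the write_graphite target `Host "heidi.shack"` / `Port "2003"` in the krebs/2configs/collectd-base.nix hunk is equally unauthenticated. A comment such as `# plaintext collectd/graphite: relies on retiolum for transport security` at both sites would make that assumption explicit. The trailing `;` in `URL "http://smarthome.shack/";` looks like a stray character, since collectd's config syntax does not use semicolons — verify the curl plugin section still parses.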
@@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: + +with import ; +let + rules = with git; singleton { + user = [ wolf-repo-sync ]; + repo = [ stockholm-mirror ]; + perm = push ''refs/*'' [ non-fast-forward create delete merge ]; + }; + + stockholm-mirror = { + public = true; + name = "stockholm-mirror"; + cgit.desc = "mirror for all stockholm branches"; + hooks = { + post-receive = pkgs.git-hooks.irc-announce { + nick = config.networking.hostName; + verbose = false; + channel = "#retiolum"; + server = "ni.r"; + }; + }; + }; + + wolf-repo-sync = { + name = "wolf-repo-sync"; + mail = "spam@krebsco.de"; + # TODO put git-sync pubkey somewhere more appropriate + pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf''; + }; + +in { + krebs.users.wolf-repo-sync = wolf-repo-sync; + krebs.git = { + enable = true; + cgit = { + settings = { + root-title = "Shared Repos"; + root-desc = "keep on krebsing"; + }; + }; + inherit rules; + repos.stockholm-mirror = stockholm-mirror; + }; +} diff --git a/krebs/2configs/collectd-base.nix b/krebs/2configs/collectd-base.nix new file mode 100644 index 00000000..440f83fc --- /dev/null +++ b/krebs/2configs/collectd-base.nix 
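Review bot: The rule grants `wolf-repo-sync` `push ''refs/*''` with `non-fast-forward create delete merge`, so the repo-sync key can rewrite or delete any ref in stockholm-mirror. That is reasonable for a mirror written only by that key, but krebs/2configs/repo-sync.nix later points `latest` at this same mirror, so whoever holds wolf's private key can rewrite history that other hosts may pull; a comment next to `rules`, e.g. `# fully rewritable by wolf's repo-sync key; treat the mirror as a convenience copy, not as authoritative`, would record the trust model. The `# TODO put git-sync pubkey somewhere more appropriate` could name the intended destination (presumably the users section of krebs/3modules/krebs/default.nix, added in this commit but not visible here).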
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +# TODO: krebs.collectd.plugins +with import ; +let + connect-time-cfg = with pkgs; writeText "collectd-connect-time.conf" '' + LoadPlugin python + + ModulePath "${collectd-connect-time}/lib/${python.libPrefix}/site-packages/" + Import "collectd_connect_time" + + target "localhost:22" "google.com" "google.de" "gum.r:22" "gum.krebsco.de" "heidi.shack:22" "10.42.0.1:22" "heise.de" "t-online.de" + interval 10 + + + ''; + graphite-cfg = pkgs.writeText "collectd-graphite.conf" '' + LoadPlugin write_graphite + + + Host "heidi.shack" + Port "2003" + Prefix "retiolum." + EscapeCharacter "_" + StoreRates false + AlwaysAppendDS false + + + ''; +in { + imports = [ ]; + + nixpkgs.config.packageOverrides = pkgs: with pkgs; { + collectd = pkgs.collectd.override { python= pkgs.python; }; + }; + services.collectd = { + enable = true; + include = [ (toString connect-time-cfg) (toString graphite-cfg) ]; + }; + +} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix new file mode 100644 index 00000000..53ad56d6 --- /dev/null +++ b/krebs/2configs/default.nix 
@@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: + +with import ; +{ + krebs.enable = true; + krebs.tinc.retiolum.enable = true; + + krebs.build.user = mkDefault config.krebs.users.krebs; + + networking.hostName = config.krebs.build.host.name; + + nix.maxJobs = 1; + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + "http://cache.nixos.org" + "http://hydra.nixos.org" + ]; + nix.useSandbox = true; + + environment.systemPackages = with pkgs; [ + git + rxvt_unicode.terminfo + ]; + + programs.ssh.startAgent = false; + + services.openssh = { + enable = true; + hostKeys = [ + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + services.cron.enable = false; + services.nscd.enable = false; + services.ntp.enable = false; + + users.mutableUsers = false; + users.extraUsers.root.openssh.authorizedKeys.keys = [ + # TODO + config.krebs.users.lass.pubkey + config.krebs.users.makefu.pubkey + # TODO HARDER: + config.krebs.users.makefu-omo.pubkey + config.krebs.users.tv.pubkey + ]; + + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "15.09"; + +} diff --git a/krebs/2configs/graphite.nix b/krebs/2configs/graphite.nix new file mode 100644 index 00000000..64222e43 --- /dev/null +++ b/krebs/2configs/graphite.nix 
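Review bot: `nix.trustedBinaryCaches` lists `http://cache.nixos.org` and `http://hydra.nixos.org` over plain http alongside the https entry. With signed-substitute checking left at the NixOS default (`nix.requireSignedBinaryCaches`) an on-path attacker cannot inject unsigned paths, but the http entries still expose and allow blocking of what each host fetches; unless a specific client needs them, drop them or comment why they stay, e.g. `# http fallback for hosts without TLS roots; substitutes are still signature-checked`. The root `authorizedKeys.keys` list under `# TODO` and `# TODO HARDER:` gives four personal keys root on every host importing this module, which is fine for a shared admin group, but the TODOs should say what is still to be done.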
@@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +# graphite-web on port 8080 +# carbon cache on port 2003 (tcp/udp) + +# TODO: krebs.graphite.minimal.enable +# TODO: configure firewall +with import ; +{ + imports = [ ]; + + services.graphite = { + api = { + enable = true; + listenAddress = "0.0.0.0"; + }; + carbon = { + enableCache = true; + # save disk usage by restricting to 1 bulk update per second + config = '' + [cache] + MAX_CACHE_SIZE = inf + MAX_UPDATES_PER_SECOND = 1 + MAX_CREATES_PER_MINUTE = 50 + MAX_UPDATES_PER_SECOND_ONSHUTDOWN = 9001 + + LOG_CACHE_HITS = False + LOG_CACHE_QUEUE_SORTS = False + LOG_UPDATES = False + LOG_LISTENER_CONNECTIONS = False + LOG_CREATES = True + ''; + storageAggregation = '' + ''; + storageSchemas = '' + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + + [radiation_sensor] + pattern = ^sensors\.radiation\. + retentions = 1m:30d,5m:180d,10m:3y + + [motion_sensors] + pattern = ^sensors\.motion\. + retentions = 1s:1h,60s:30d,300s:1y + + [motion_sensors] + pattern = ^retiolum\. + retentions = 10s:1h,30s:30d,300s:1y + + [homeassistant] + pattern = ^homeassistant\. + retentions = 10s:24h,30s:30d,300s:1y,3600s:5y + + [ara] + pattern = ^ara\. + retentions = 60s:30d,300s:1y + + [openweathermap] + pattern = ^weather\.openweathermap + retentions = 30m:30d,1h:5y + + [stadtklima] + pattern = ^weather\.stadtklima-stuttgart + retentions = 15m:30d,30m:5y + + [sensebox] + pattern = ^weather\.sensebox + retentions = 1m:90d,30m:5y + + [elchos] + pattern = ^elchos\. + retentions = 10s:14d,1m:90d,10m:5y + + [icinga_default] + pattern = ^icinga + retentions = 10s:14d,5m:90d,10m:5y + + [icinga_internals] + pattern = ^icinga.*\.(max_check_attempts|reachable|current_attempt|execution_time|latency|state|state_type) + retentions = 5m:7d + + [default] + pattern = .* + retentions = 60s:30d,300s:1y + ''; + }; + }; + systemd.services.carbonCache.serviceConfig.Restart="always"; + systemd.services.graphiteApi.serviceConfig.Restart="always"; +} 
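Review bot: The section name `[motion_sensors]` is used twice in storageSchemas, once with `pattern = ^sensors\.motion\.` and again with `pattern = ^retiolum\.`. carbon parses this file with a ConfigParser, so depending on the Python version the duplicate either raises a duplicate-section error or lets the second definition silently replace the first, losing the motion-sensor retention; rename the second block, e.g. `[retiolum]`. `listenAddress = "0.0.0.0"` for graphite-api together with `# TODO: configure firewall` means an unauthenticated query API on all interfaces, and on wolf (krebs/1systems/wolf/config.nix in this commit) the firewall is disabled, so that TODO is live rather than hypothetical.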
diff --git a/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
new file mode 100644
index 00000000..b5ec722a
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/VolGroup/lv_root";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
+
+ swapDevices = [
+ { device = "/dev/VolGroup/lv_swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix b/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix
new file mode 100644
index 00000000..168d1d97
--- /dev/null
+++ b/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix
@@ -0,0 +1,47 @@
+_:
+
+{
+ boot.loader.grub = {
+ device = "/dev/sda";
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+}
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
new file mode 100644
index 00000000..637a26e3
--- /dev/null
+++ b/krebs/2configs/repo-sync.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+ krebs.repo-sync = let
+ # TODO addMirrorURL function
+ mirror = "git@wolf:stockholm-mirror";
+ in {
+ enable = true;
+ repos.stockholm = {
+ branches = {
+ makefu = {
+ origin.url = http://cgit.gum/stockholm ;
+ mirror.url = mirror;
+ };
+ tv = {
+ origin.url = http://cgit.ni.r/stockholm;
+ mirror.url = mirror;
+ };
+ lassulus = {
+ origin.url = http://cgit.prism/stockholm ;
+ mirror.url = mirror;
+ };
+ };
+ latest = {
+ url = mirror;
+ ref = "heads/master";
+ };
+ };
+ };
+}
diff --git a/krebs/2configs/save-diskspace.nix b/krebs/2configs/save-diskspace.nix
new file mode 100644
index 00000000..ab074c75
--- /dev/null
+++ b/krebs/2configs/save-diskspace.nix
@@ -0,0 +1,11 @@
+{lib, ... }:
+# TODO: do not check out nixpkgs master but fetch revision from github
+{
+ environment.noXlibs = true;
+ nix.gc.automatic = true;
+ nix.gc.dates = lib.mkDefault "03:10";
+ programs.info.enable = false;
+ programs.man.enable = false;
+ services.journald.extraConfig = "SystemMaxUse=50M";
+ services.nixosManual.enable = false;
+}
diff --git a/krebs/2configs/shack/bincache.nix b/krebs/2configs/shack/bincache.nix
new file mode 100644
index 00000000..9cd7fae2
--- /dev/null
+++ b/krebs/2configs/shack/bincache.nix
@@ -0,0 +1,6 @@
+{...}:
+{
+ nix.binaryCaches = [
+ "http://wolf.shack:3142/nixos"
+ ];
+}
diff --git a/krebs/2configs/shack/drivedroid.nix b/krebs/2configs/shack/drivedroid.nix
new file mode 100644
index 00000000..12e4a39c
--- /dev/null
+++ b/krebs/2configs/shack/drivedroid.nix
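Review bot: All three origins are fetched over plain http (`http://cgit.gum/stockholm`, `http://cgit.ni.r/stockholm`, `http://cgit.prism/stockholm`) and re-pushed to `git@wolf:stockholm-mirror`, which `latest` then exposes as the merged master. Nothing in this hunk verifies commit signatures, so mirrored history has no end-to-end integrity check and whatever is on the path between wolf and the origins can alter it. If these names resolve only inside retiolum, a comment such as `# origins are reachable via retiolum only; no TLS, integrity relies on the overlay` should record that assumption; if they can resolve over the public network, the origins should move to https or ssh.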
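Review bot: `services.journald.extraConfig = "SystemMaxUse=50M"` in save-diskspace.nix caps the persistent journal at 50M, which on a busy host leaves hours rather than days of logs for incident investigation. If this module is meant only for disk-constrained test and CAC hosts, say so, e.g. `# 50M: tiny disks on test/CAC hosts; forward logs elsewhere if retention matters`. The `# TODO: do not check out nixpkgs master but fetch revision from github` at the top of the file relates to nothing in it and probably belongs in source.nix.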
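Review bot: bincache.nix sets `nix.binaryCaches` to the single plain-http endpoint `http://wolf.shack:3142/nixos`, replacing the default cache list, so importing hosts lose cache.nixos.org as a fallback when wolf is unreachable. Substitutes stay signature-checked as long as the default `nix.binaryCachePublicKeys` are not overridden (they are not touched here), so the exposure is availability and visibility of fetched paths rather than integrity. A comment `# cache.nixos.org via wolf's apt-cacher-ng; substitutes are still verified against the default keys` would make that trade-off visible.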
@@ -0,0 +1,49 @@ +{ config, pkgs, ... }: +with import ; +let + root = "/var/srv/drivedroid"; +in +{ + environment.systemPackages = [ pkgs.drivedroid-gen-repo ]; + + services.nginx = { + enable = mkDefault true; + virtualHosts.shack-drivedroid = { + serverAliases = [ + "drivedroid.shack" + ]; + # TODO: prepare this somehow + locations."/".extraConfig = '' + root ${root}; + index main.json; + ''; + }; + }; + + systemd.services.drivedroid-gen-repo = { + description = "generates drivedroid repo file"; + path = [ + pkgs.coreutils + pkgs.drivedroid-gen-repo + pkgs.inotify-tools + ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + Type = "simple"; + Restart = "always"; + ExecStartPre = pkgs.writeDash "prepare-drivedroid-gen-repo" '' + mkdir -p ${root}/repos + ''; + ExecStart = pkgs.writeDash "start-drivedroid-gen-repo" '' + set -efu + cd ${root} + while sleep 60; do + if inotifywait -r .; then + drivedroid-gen-repo repos > main.json + fi + done + ''; + }; + }; +} diff --git a/krebs/2configs/shack/mqtt_sub.nix b/krebs/2configs/shack/mqtt_sub.nix new file mode 100644 index 00000000..a8427dde --- /dev/null +++ b/krebs/2configs/shack/mqtt_sub.nix 
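Review bot: `systemd.services.drivedroid-gen-repo` sets no `User=`, so the `inotifywait -r .` / `drivedroid-gen-repo repos > main.json` loop and the files it writes under `${root}` run as root although it only needs write access to that directory. A dedicated user plus `PermissionsStartOnly = true;` would let `prepare-drivedroid-gen-repo` keep creating the directory as root and hand it over with `chown -R drivedroid ${root}` before the loop starts unprivileged; a matching `users.users.drivedroid` entry is needed as well. Since `main.json` is served directly by the nginx vhost (`root ${root}; index main.json;`), a compromised generator already controls what clients download, and running it unprivileged confines the damage to that.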
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+with import ;
+let
+ pkg = pkgs.stdenv.mkDerivation {
+ name = "mqtt2graphite-2017-05-29";
+ src = pkgs.fetchgit {
+ url = "https://github.com/shackspace/mqtt2graphite/";
+ rev = "117179d";
+ sha256 = "1334jbbzlqizyp7zcn4hdswhhrnkj1p4p435n5nph82lzffrsi44";
+ };
+ buildInputs = [
+ (pkgs.python35.withPackages (pythonPackages: with pythonPackages; [
+ docopt
+ paho-mqtt
+ ]))
+ ];
+ installPhase = ''
+ install -m755 -D sub.py $out/bin/sub
+ install -m755 -D sub2.py $out/bin/sub-new
+ '';
+ };
+in {
+ systemd.services.mqtt_sub = {
+ description = "subscribe to mqtt, send to graphite";
+ # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody";
+ ExecStart = "${pkg}/bin/sub-new";
+ PrivateTmp = true;
+ };
+ };
+}
diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix
new file mode 100644
index 00000000..2d8d78e3
--- /dev/null
+++ b/krebs/2configs/shack/muell_caller.nix
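Review bot: `User = "nobody"` runs this network-facing script under the shared nobody account, and the same choice appears in krebs/2configs/shack/muell_caller.nix, radioactive.nix and worlddomination.nix (those three carry a `# TODO separate user`; this one does not). Processes sharing a uid can signal and inspect each other and nobody is also the fallback uid of other unprivileged daemons, so a compromise of one of these services reaches all of them. A per-service user, or `DynamicUser = true` where the systemd version in use supports it, keeps them apart; at minimum add the same `# TODO separate user` here. The commented-out `# after = [ (lib.optional config.services.mosqitto.enable ...) ]` also misspells the option (`services.mosquitto`), so it would not do what it says if uncommented.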
@@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +with import ; +let + pkg = pkgs.stdenv.mkDerivation { + name = "muell_caller-2017-06-01"; + src = pkgs.fetchgit { + url = "https://github.com/shackspace/muell_caller/"; + rev = "bbd4009"; + sha256 = "1bfnfl2vdh0p5wzyz5p48qh04vvsg2445avg86fzhzragx25fqv0"; + }; + buildInputs = [ + (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ + docopt + requests2 + paramiko + python + ])) + ]; + installPhase = '' + install -m755 -D call.py $out/bin/call-muell + ''; + }; + cfg = "${toString }/tell.json"; +in { + systemd.services.call_muell = { + description = "call muell"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "nobody"; # TODO separate user + ExecStartPre = pkgs.writeDash "call-muell-pre" '' + cp ${cfg} /tmp/tell.json + chown nobody /tmp/tell.json + ''; + ExecStart = "${pkg}/bin/call-muell --cfg /tmp/tell.json --mode mpd loop 60"; + Restart = "always"; + PrivateTmp = true; + PermissionsStartOnly = true; + }; + }; +} diff --git a/krebs/2configs/shack/nix-cacher.nix b/krebs/2configs/shack/nix-cacher.nix new file mode 100644 index 00000000..8feeca9a --- /dev/null +++ b/krebs/2configs/shack/nix-cacher.nix @@ -0,0 +1,31 @@ +{ config, pkgs, ... }: +with import ; +let + cfg = config.krebs.apt-cacher-ng; +in +{ + imports = [ + ./bincache.nix + ]; + krebs.apt-cacher-ng = { + enable = true; + port = 3142; + bindAddress = "localhost"; + cacheExpiration = 30; + }; + + services.nginx = { + enable = mkDefault true; + virtualHosts.shack-nix-cacher = { + serverAliases = [ + "acng.shack" + ]; + locations."/".extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:${toString cfg.port}/; + ''; + }; + }; +} diff --git a/krebs/2configs/shack/radioactive.nix b/krebs/2configs/shack/radioactive.nix new file mode 100644 index 00000000..378b5405 --- /dev/null 
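Review bot: In nix-cacher.nix the nginx vhost `acng.shack` proxies the whole apt-cacher-ng listener (`proxy_pass http://localhost:${toString cfg.port}/;`) with no access restriction, so `bindAddress = "localhost"` does not limit who reaches it — the maintenance/report page (`/acng-report.html`) is exposed network-wide through nginx. If the krebs.apt-cacher-ng module does not set an admin password (its options are not visible here), anyone on the LAN can trigger cache expiry and deletion; either restrict that path in nginx, e.g. `locations."/acng-report.html".extraConfig = "deny all;";` or an allow-list of admin addresses, or document that the cache is intentionally maintainable by everyone on the shack network.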
+++ b/krebs/2configs/shack/radioactive.nix @@ -0,0 +1,35 @@ +{ config, lib, pkgs, ... }: + +with import ; +let + pkg = pkgs.stdenv.mkDerivation { + name = "radioactive-2017-06-01"; + src = pkgs.fetchgit { + url = "https://github.com/makefu/nagios-radioactiveathome-plugins/"; + rev = "955f614"; + sha256 = "0ql6npl3n6shvij0ly6a52yjmf7dc31c5x29y927k9lvp8ygin20"; + }; + buildInputs = [ + (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ + docopt + requests2 + python + ])) + ]; + installPhase = '' + install -m755 -D add_many_points.py $out/bin/radioactive-add-many + ''; + }; +in { + systemd.services.radioactive = { + description = "radioactive"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "nobody"; # TODO separate user + ExecStart = "${pkg}/bin/radioactive-add-many loop 60"; + Restart = "always"; + PrivateTmp = true; + PermissionsStartOnly = true; + }; + }; +} diff --git a/krebs/2configs/shack/share.nix b/krebs/2configs/shack/share.nix new file mode 100644 index 00000000..247b9ee7 --- /dev/null +++ b/krebs/2configs/shack/share.nix @@ -0,0 +1,38 @@ +{config, ... }:{ + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + group = "share"; + description = "smb guest user"; + home = "/home/share"; + createHome = true; + }; + + networking.firewall.allowedTCPPorts = [ + 139 445 # samba + ]; + + networking.firewall.allowedUDPPorts = [ + 137 138 + ]; + services.samba = { + enable = true; + shares = { + share-home = { + path = "/home/share/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix new file mode 100644 index 00000000..d0f9f5fa --- /dev/null +++ b/krebs/2configs/shack/worlddomination.nix 
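Review bot: In share.nix the share is guest-writable (`"read only" = "no"`, `"guest ok" = "yes"`, `map to guest = bad user`), so anyone who can reach ports 139/445 can write to and fill /home/share. That is presumably intended for a hackerspace drop folder; say so in a comment above `services.samba` and consider a quota or periodic cleanup so the share cannot exhaust the disk the other services on the host rely on. `users.users.smbguest` sets `group = "share"` but this hunk does not define `users.groups.share`, and `uid = config.ids.uids.smbguest` requires a matching ids entry; if neither exists elsewhere in the tree the user will not activate cleanly.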
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+
+with import ;
+let
+ pythonPackages = pkgs.python3Packages;
+ # https://github.com/chrysn/aiocoap
+ aiocoap = pythonPackages.buildPythonPackage {
+ name = "aiocoap-0.3";
+ src = pkgs.fetchurl { url = "https://pypi.python.org/packages/9c/f6/d839e4b14258d76e74a39810829c13f8dd31de2bfe0915579b2a609d1bbe/aiocoap-0.3.tar.gz"; sha256 = "402d4151db6d8d0b1d66af5b6e10e0de1521decbf12140637e5b8d2aa9c5aef6"; };
+ propagatedBuildInputs = [ ];
+ doCheck = false; # 2 errors, dunnolol
+ meta = with pkgs.stdenv.lib; {
+ homepage = "";
+ license = licenses.mit;
+ description = "Python CoAP library";
+ };
+ };
+ LinkHeader = pythonPackages.buildPythonPackage {
+ name = "LinkHeader-0.4.3";
+ src = pkgs.fetchurl { url = "https://pypi.python.org/packages/27/d4/eb1da743b2dc825e936ef1d9e04356b5701e3a9ea022c7aaffdf4f6b0594/LinkHeader-0.4.3.tar.gz"; sha256 = "7fbbc35c0ba3fbbc530571db7e1c886e7db3d718b29b345848ac9686f21b50c3"; };
+ propagatedBuildInputs = [ ];
+ meta = with pkgs.stdenv.lib; {
+ homepage = "";
+ license = licenses.bsdOriginal;
+ description = "Parse and format link headers according to RFC 5988 \"Web Linking\"";
+ };
+ };
+ pkg = pkgs.stdenv.mkDerivation {
+ name = "worlddomination-2017-06-10";
+ src = pkgs.fetchgit {
+ url = "https://github.com/shackspace/worlddomination/";
+ rev = "72fc9b5";
+ sha256 = "05h500rswzypcxy4i22qc1vkc8izbzfqa9m86xg289hjxh133xyf";
+ };
+ buildInputs = [
+ (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
+ docopt
+ LinkHeader
+ aiocoap
+ requests2
+ paramiko
+ python
+ ]))
+ ];
+ installPhase = ''
+ install -m755 -D backend/push_led.py $out/bin/push-led
+ install -m755 -D backend/loop_single.py $out/bin/loop-single
+ # copy the provided file to the package
+ install -m755 -D backend/wd.lst $out/${wdpath}
+ '';
+ };
+ wdpath = "/usr/worlddomination/wd.lst";
+ esphost = "10.42.24.7"; # esp8266
+ timeout = 10; # minutes
+in {
+ systemd.services.worlddomination = {
+ description = "run worlddomination";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ User = "nobody"; # TODO separate user
+ ExecStart = "${pkg}/bin/push-led ${esphost} ${pkg}/${wdpath} loop ${toString timeout}";
+ Restart = "always";
+ PrivateTmp = true;
+ PermissionsStartOnly = true;
+ };
+ };
+}
diff --git a/krebs/2configs/shared-buildbot.nix b/krebs/2configs/shared-buildbot.nix
new file mode 100644
index 00000000..efb41cc3
--- /dev/null
+++ b/krebs/2configs/shared-buildbot.nix
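Review bot: The aiocoap derivation leaves `homepage = ""` although the project URL is already given in the comment directly above it; `homepage = "https://github.com/chrysn/aiocoap";` puts it where meta consumers look for it. `doCheck = false; # 2 errors, dunnolol` records that the test suite was switched off but not which tests fail or against which Python, so nobody can tell when it is safe to turn back on; a comment naming the failing tests, or a tracking-issue placeholder, would fix that. The hard-coded `esphost = "10.42.24.7"` and the 10-minute timeout in the let block deserve a short comment on how push-led uses them, since the service description does not say.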
@@ -0,0 +1,178 @@ +{ lib, config, pkgs, ... }: +# The buildbot config is self-contained and currently provides a way +# to test "krebs" configuration (infrastructure to be used by every krebsminister). + +# You can add your own test, test steps as required. Deploy the config on a +# krebs host like wolf and everything should be fine. + +# TODO for all users schedule a build for fast tests +{ + # due to the fact that we actually build stuff on the box via the daemon, + # /nix/store should be cleaned up automatically as well + services.nginx.virtualHosts.build = { + serverAliases = [ "build.wolf.r" ]; + locations."/".extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port}; + ''; + }; + + nix.gc.automatic = true; + nix.gc.dates = "05:23"; + networking.firewall.allowedTCPPorts = [ 8010 9989 ]; + krebs.buildbot.master = let + stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ; + in { + secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ]; + workers = { + testworker = "krebspass"; + }; + change_source.stockholm = '' + stockholm_repo = '${stockholm-mirror-url}' + cs.append(changes.GitPoller( + stockholm_repo, + workdir='stockholm-poller', branches=True, + project='stockholm', + pollinterval=60)) + ''; + scheduler = { + force-scheduler = '' + sched.append(schedulers.ForceScheduler( + name="force", + builderNames=[ + # "full-tests", + "fast-tests", + "build-local" + ])) + ''; + fast-tests-scheduler = '' + # test everything real quick + sched.append(schedulers.AnyBranchScheduler( + treeStableTimer=10, + name="fast-all-branches", + builderNames=["fast-tests"])) + ''; + test-cac-infest-master = '' + # files everyone depends on or are part of the share branch + def shared_files(change): + r =re.compile("^(krebs/.*|Makefile|default.nix|shell.nix)") + for file in change.files: + if r.match(file): + return True + return False + + 
sched.append(schedulers.SingleBranchScheduler( + change_filter=util.ChangeFilter(branch="master"), + fileIsImportant=shared_files, + treeStableTimer=60*60, # master was stable for the last hour + name="full-master", + builderNames=[ + # "full-tests", + "build-local" + ])) + ''; + }; + builder_pre = '' + # prepare grab_repo step for stockholm + grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental') + + env = { + "LOGNAME": "krebs", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + } + + # prepare nix-shell + # the dependencies which are used by the test script + deps = [ "gnumake", "jq", "nix", + "(import ).pkgs.populate", + "(import ).pkgs.test.infest-cac-centos7" ] + # TODO: --pure , prepare ENV in nix-shell command: + # SSL_CERT_FILE,LOGNAME,NIX_REMOTE + nixshell = ["nix-shell", + "-I", "stockholm=.", + "-I", "nixpkgs=/var/src/nixpkgs", + "-p" ] + deps + [ "--run" ] + + # prepare addShell function + def addShell(factory,**kwargs): + factory.addStep(steps.ShellCommand(**kwargs)) + ''; + builder = { + fast-tests = '' + f = util.BuildFactory() + f.addStep(grab_repo) + + for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]: + addShell(f,name="build-{}".format(i),env=env, + command=nixshell + \ + ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ + make \ + test \ + target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \ + method=eval \ + system={}".format(i)]) + + bu.append(util.BuilderConfig(name="fast-tests", + workernames=workernames, + factory=f)) + + ''; + # this build will try to build against local nixpkgs + # TODO change to do a 'local' populate and use the retrieved nixpkgs + build-local = '' + f = util.BuildFactory() + f.addStep(grab_repo) + + + bu.append(util.BuilderConfig(name="build-local", + workernames=workernames, + factory=f)) + ''; +# slow-tests = '' +# s = util.BuildFactory() +# s.addStep(grab_repo) +# +# # worker needs 2 files: +# # * cac.json +# # * 
retiolum +# s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/cac.json", workerdest="cac.json")) +# s.addStep(steps.FileDownload(mastersrc="${config.krebs.buildbot.master.workDir}/retiolum-ci.rsa_key.priv", workerdest="retiolum.rsa_key.priv")) +# addShell(s, name="infest-cac-centos7",env=env, +# sigtermTime=60, # SIGTERM 1 minute before SIGKILL +# timeout=10800, # 3h +# command=nixshell + ["infest-cac-centos7"]) +# +# bu.append(util.BuilderConfig(name="full-tests", +# workernames=workernames, +# factory=s)) +# ''; + }; + enable = true; + web = { + enable = true; + }; + irc = { + enable = true; + nick = "wolfbot"; + server = "ni.r"; + channels = [ { channel = "retiolum"; } ]; + allowForce = true; + }; + extraConfig = '' + c['buildbotURL'] = "http://build.wolf.r/" + ''; + }; + + krebs.buildbot.worker = { + enable = true; + masterhost = "localhost"; + username = "testworker"; + password = "krebspass"; + packages = with pkgs; [ gnumake jq nix populate ]; + # all nix commands will need a working nixpkgs installation + extraEnviron = { + NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./krebs/1systems/wolf.nix"; }; + }; +} diff --git a/krebs/2configs/temp/dirs.nix b/krebs/2configs/temp/dirs.nix new file mode 100644 index 00000000..958608a5 --- /dev/null +++ b/krebs/2configs/temp/dirs.nix @@ -0,0 +1 @@ +_: { } diff --git a/krebs/2configs/temp/networking.nix b/krebs/2configs/temp/networking.nix new file mode 100644 index 00000000..958608a5 --- /dev/null +++ b/krebs/2configs/temp/networking.nix @@ -0,0 +1 @@ +_: { } diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 081724cf..6123b6dd 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
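Review bot: The worker credential `krebspass` is committed in plain text twice (`workers.testworker = "krebspass"` on the master and `password = "krebspass"` on the worker) while `networking.firewall.allowedTCPPorts = [ 8010 9989 ]` opens what is presumably the worker protocol port on every interface; since the worker connects with `masterhost = "localhost"`, 9989 does not need to be reachable from outside at all, and 8010 is already fronted by the `services.nginx.virtualHosts.build` proxy. Dropping both ports from allowedTCPPorts (or binding the master to localhost) and sourcing the password through the `secrets = [ ... ]` mechanism the master already uses would remove a network-reachable service protected by a known credential. `allowForce = true` on the IRC bot lets anyone present in the retiolum channel on ni.r trigger builds; if that is intended for the space's audience, a comment saying so would stop the next reader from treating it as a mistake.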
@@ -94,10 +94,10 @@ let imp = lib.mkMerge [ { krebs = import ./lass { inherit config; }; } + { krebs = import ./krebs { inherit config; }; } { krebs = import ./makefu { inherit config; }; } { krebs = import ./mv { inherit config; }; } { krebs = import ./nin { inherit config; }; } - { krebs = import ./shared { inherit config; }; } { krebs = import ./tv { inherit config; }; } { krebs.dns.providers = { diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix new file mode 100644 index 00000000..780aeb1c --- /dev/null +++ b/krebs/3modules/krebs/default.nix 
@@ -0,0 +1,75 @@
+{ config, ... }:
+
+with import ;
+let
+ testHosts = genAttrs [
+ "test-arch"
+ "test-centos6"
+ "test-centos7"
+ "test-all-krebs-modules"
+ ] (name: {
+ owner = config.krebs.users.krebs;
+ inherit name;
+ cores = 1;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.73.57";
+ ip6.addr = "42:0:0:0:0:0:0:7357";
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd
+ mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5
+ TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1
+ K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8
+ QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY
+ VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ });
+in {
+ hosts = {
+ wolf = {
+ owner = config.krebs.users.krebs;
+ nets = {
+ shack = {
+ ip4.addr = "10.42.2.150" ;
+ aliases = [
+ "wolf.shack"
+ "graphite.shack"
+ "acng.shack"
+ "drivedroid.shack"
+ ];
+ };
+ retiolum = {
+ ip4.addr = "10.243.77.1";
+ ip6.addr = "42:0:0:0:0:0:77:1";
+ aliases = [
+ "wolf.r"
+ "build.wolf.r"
+ "cgit.wolf.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAzpXyEATt8+ElxPq650/fkboEC9RvTWqN6UIAl/R4Zu+uDhAZ2ekb
+ HBjoSbRxu/0w2I37nwWUhEOemxGm4PXCgWrtO0jeRF4nVNYu3ZBppA3vuVALUWq7
+ apxRUEL9FdsWQlXGo4PVd20dGaDTi8M/Ggo755MStVTY0rRLluxyPq6VAa015sNg
+ 4NOFuWm0NDn4e+qrahTCTiSjbCU8rWixm0GktV40kdg0QAiFbEcRhuXF1s9/yojk
+ 7JT/nFg6LELjWUSSNZnioj5oSfVbThDRelIld9VaAKBAZZ5/zy6T2XSeDfoepytH
+ 8aw6itEuTCy1M1DTiTG+12SPPw+ubG+NqQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = ;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR";
+ };
+ } // testHosts;
+ users = {
+ krebs = {
+ mail = "spam@krebsco.de";
+ pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary
+ };
+ };
+}
diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix
deleted file mode 100644
index 17179a39..00000000
--- a/krebs/3modules/shared/default.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{ config, ... }:
-
-with import ;
-let
- testHosts = genAttrs [
- "test-arch"
- "test-centos6"
- "test-centos7"
- "test-all-krebs-modules"
- ] (name: {
- owner = config.krebs.users.shared;
- inherit name;
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.73.57";
- ip6.addr = "42:0:0:0:0:0:0:7357";
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd
- mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5
- TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1
- K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8
- QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY
- VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- });
-in {
- hosts = {
- wolf = {
- owner = config.krebs.users.shared;
- nets = {
- shack = {
- ip4.addr = "10.42.2.150" ;
- aliases = [
- "wolf.shack"
- "graphite.shack"
- "acng.shack"
- "drivedroid.shack"
- ];
- };
- retiolum = {
- ip4.addr = "10.243.77.1";
- ip6.addr = "42:0:0:0:0:0:77:1";
- aliases = [
- "wolf.r"
- "build.wolf.r"
- "cgit.wolf.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAzpXyEATt8+ElxPq650/fkboEC9RvTWqN6UIAl/R4Zu+uDhAZ2ekb
- HBjoSbRxu/0w2I37nwWUhEOemxGm4PXCgWrtO0jeRF4nVNYu3ZBppA3vuVALUWq7
- apxRUEL9FdsWQlXGo4PVd20dGaDTi8M/Ggo755MStVTY0rRLluxyPq6VAa015sNg
- 4NOFuWm0NDn4e+qrahTCTiSjbCU8rWixm0GktV40kdg0QAiFbEcRhuXF1s9/yojk
- 7JT/nFg6LELjWUSSNZnioj5oSfVbThDRelIld9VaAKBAZZ5/zy6T2XSeDfoepytH
- 8aw6itEuTCy1M1DTiTG+12SPPw+ubG+NqQIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = ;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR";
- };
- } // testHosts;
- users = {
- shared = {
- mail = "spam@krebsco.de";
- pubkey = "lol"; # TODO krebs.users.shared.pubkey should be unnecessary
- };
- };
-}
diff --git a/krebs/5pkgs/test/infest-cac-centos7/notes b/krebs/5pkgs/test/infest-cac-centos7/notes index 2a3ebd6f..e89edffc 100755 --- a/krebs/5pkgs/test/infest-cac-centos7/notes +++ b/krebs/5pkgs/test/infest-cac-centos7/notes @@ -15,7 +15,7 @@ krebs_cred=${krebs_cred-./cac.json} # tinc retiolum key for host retiolum_key=${retiolum_key-./retiolum.rsa_key.priv} # build this host -user=${user:-shared} +user=${user:-krebs} system=${target_system:-test-centos7} log(){ @@ -125,9 +125,9 @@ done clear_defer >/dev/null defer "cac-api delete $id;$old_trapstr" -mkdir -p shared/2configs/temp +mkdir -p krebs/2configs/temp cac-api generatenetworking $id > \ - shared/2configs/temp/networking.nix + krebs/2configs/temp/networking.nix # new temporary ssh key we will use to log in after install ssh-keygen -f $krebs_ssh -N "" cp "$retiolum_key" $krebs_secrets/retiolum.rsa_key.priv @@ -135,7 +135,7 @@ cp "$retiolum_key" $krebs_secrets/retiolum.rsa_key.priv # additionally we set the ssh key we generated ip=$(cac-api getserver $id | jq -r .ip) -cat > shared/2configs/temp/dirs.nix < krebs/2configs/temp/dirs.nix <; +host@{ name, secure ? false }: let + builder = if getEnv "dummy_secrets" == "true" + then "buildbot" + else "krebs"; + _file = + "/krebs/1systems/${name}/source.nix"; +in + evalSource (toString _file) { + nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix"; + secrets.file = getAttr builder { + buildbot = toString ; + krebs = "${getEnv "HOME"}/secrets/krebs/${host.name}"; + }; + stockholm.file = toString ; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + ref = "72c9ed78d0b1d9d5f531805ddf5bf06bfd447614"; # nixos-17.03 @ 2017-06-17 + }; + } -- cgit v1.2.3