71 files changed, 2499 insertions, 438 deletions
diff --git a/default.nix b/default.nix index 11bae7d98..472d7597d 100644 --- a/default.nix +++ b/default.nix 
@@ -1,93 +1,61 @@ -# Welcome to the top-level default.nix of stockholm. -# -# You can discover the whole thing easily using the `get` utility, -# which can be found at http://cgit.cd.krebsco.de/get/tree/get -# To install `get` on any Nix-enabled system, use: -# -# nix-env -f /path/to/stockholm -iA pkgs.get -# -# The "current" arguments are used to provide information about the user who's -# evaluating this file. This information is used to determine which user -# namespace is to be used. Of course there's nothing trying to prevent you -# from forging this information. E.g. you could try to generate the deployment -# script for some random user's system, targeting some random host: -# -# LOGNAME=tv get krebs.deploy system=nomic target=8.8.8.8 -# { current-date ? abort "current-date not defined" , current-host-name ? abort "current-host-name not defined" , current-user-name ? builtins.getEnv "LOGNAME" -}@current: +, StrictHostKeyChecking ? "yes" +}@args: let stockholm = { - # The generated scripts to deploy (or infest) systems can be found in the - # `krebs` attribute. There's also an init script, but it's in its early - # stages, not well integrated and mostly useless at the moment. :) - # - # You'll also find lib here, which is nixpkgs/lib + krebs lib, but nobody - # is really accessing this directly, as this lib gets reexported below. inherit krebs; - - # All systems of all users can be found here. - # - # /!\ Please note that `get users.${user-name}.${host-name}.system` is a - # bad idea because it will produce vast amounts of output. These are the - # actual and complete system derivations that can be installed on the - # respective host. - # - # Another thing to notice here is that other user's systems might not be - # evaluable because of missing secrets. If you _are_ able to evaluate - # another user's system, then you probably share a similar naming scheme - # for your secret files! 
:) inherit users; - - # Additionally, output lib and pkgs for easy access from the shell. - # Notice how we're evaluating just the base module to obtain pkgs. inherit lib; - inherit (eval {}) pkgs; + inherit pkgs; }; - krebs = import ./krebs (current // { inherit stockholm; }); - inherit (krebs) lib; + krebs = import ./krebs (args // { inherit lib stockholm; }); + + lib = + let + lib = import <nixpkgs/lib>; + klib = import ./krebs/4lib { inherit lib; }; + #ulib = import (./. + "/${current-user-name}/4lib") { lib = lib // klib; }; + ulib = {}; # TODO + in + builtins // lib // klib // ulib // rec { + # TODO move this stuff + stockholm-path = ./.; + nspath = ns: p: stockholm-path + "/${ns}/${p}"; + }; + + inherit (eval {}) pkgs; - # Path resolvers for common and individual files. - # Example: `upath "3modules"` produces the current user's 3modules directory kpath = lib.nspath "krebs"; upath = lib.nspath current-user-name; - # This is the base module. Its purpose is to provide modules and - # packages, both common ones, found in krebs/ as well as the current user's, - # found in the user's namespace. - base-module = { + base-module = { config, ... }: { imports = map (f: f "3modules") [ kpath upath ]; + krebs.current.enable = true; + krebs.current.host = config.krebs.hosts.${current-host-name}; + krebs.current.user = config.krebs.users.${current-user-name}; + nixpkgs.config.packageOverrides = pkgs: let - # Notice the ordering. Krebs packages can only depend on Nixpkgs, - # whereas user packages additionally can depend on krebs packages. - kpkgs = import (kpath "5pkgs") { inherit pkgs; }; - upkgs = import (upath "5pkgs") { pkgs = pkgs // kpkgs; }; + kpkgs = import (kpath "5pkgs") { inherit lib pkgs; }; + upkgs = import (upath "5pkgs") { inherit lib; pkgs = pkgs // kpkgs; }; in kpkgs // upkgs; }; - # The above base module is used together with a NixOS configuration to - # produce a system. 
Notice how stockholm really just provides additional - # packages and modules on top of NixOS. Some of this stuff might become - # useful to a broader audience, at which point it should probably be merged - # and pull-requested for inclusion into NixOS/nixpkgs. - # TODO provide krebs lib, so modules don't have to import it awkwardly eval = config: import <nixpkgs/nixos/lib/eval-config.nix> { + specialArgs = { + inherit lib; + }; modules = [ base-module config ]; }; - # Any top-level directory other than krebs/ is considered to be a user - # namespace, configuring a bunch of systems. - # Have a look at the definition of install in krebs/default.nix to see how - # nix-env is using this attribute set to obtain the system to be installed. # TODO move user namespaces' to users/, so no exception for krebs/ is needed users = lib.mapAttrs @@ -96,8 +64,6 @@ let stockholm = { (n: t: !lib.hasPrefix "." n && t == "directory" && n != "krebs") (builtins.readDir ./.)); - # Given a path to a user namespace, provide an attribute of evaluated - # system configurations, keyed by system names (AKA host names). eval-all-systems = path: lib.mapAttrs' (n: _: (lib.nameValuePair (lib.removeSuffix ".nix" n) diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 57495ea69..1205e192b 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../4lib { inherit lib; }; +with lib; let target = config.krebs.build // { user.name = "root"; }; diff --git a/krebs/3modules/current.nix b/krebs/3modules/current.nix new file mode 100644 index 000000000..41941e289 --- /dev/null +++ b/krebs/3modules/current.nix 
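Review bot: The new `StrictHostKeyChecking ? "yes"` argument and the renamed `args` set are left undocumented now that the whole header comment — including the warning that the `current-*` values are caller-supplied and unverified (`current-user-name` still defaults to `builtins.getEnv "LOGNAME"`) — is deleted rather than updated. The hunk only shows the argument being forwarded with `args // { inherit lib stockholm; }` to `./krebs`; what consumes it and which values it accepts are not visible here. Suggest restoring a short header, e.g. `# StrictHostKeyChecking is forwarded to ./krebs (presumably to the deployment ssh calls — confirm); keep the default "yes" so deploys refuse unknown host keys.` The `ulib = {}; # TODO` placeholder next to the commented-out user-lib import also deserves one sentence on why the user 4lib is disabled, and the inner `let lib = import <nixpkgs/lib>` shadowing the outer `lib` binding would read more clearly as `nixpkgs-lib`.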
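Review bot: `with lib;` makes this module depend on the caller passing the merged stockholm lib (nixpkgs lib plus `krebs/4lib` plus `builtins`, wired through `specialArgs` in the top-level `default.nix`); evaluated with a plain NixOS `lib` the krebs helpers are unbound, and the same applies to the identical hunks in `krebs/3modules/default.nix`, `git.nix`, `github-hosts-sync.nix`, `lass/default.nix`, `makefu/default.nix` and `tv/default.nix`. `github-hosts-sync.nix` additionally drops `with builtins;`, so its builtin calls now resolve only through the `builtins //` merge in the top-level lib. Suggest a one-line comment at the first of these sites: `# lib is stockholm's lib (nixpkgs lib // krebs/4lib // builtins), injected via specialArgs in ../../default.nix`.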
@@ -0,0 +1,26 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + cfg = config.krebs.current; + + out = { + options.krebs.current = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.current"; + host = mkOption { + type = types.host; + }; + user = mkOption { + type = types.user; + }; + }; + + imp = { + }; + +in out diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 075db1826..fd9d56ed2 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../4lib { inherit lib; }; +with lib; let cfg = config.krebs; @@ -8,6 +8,7 @@ let imports = [ ./bepasty-server.nix ./build.nix + ./current.nix ./exim-retiolum.nix ./exim-smarthost.nix ./github-hosts-sync.nix @@ -76,6 +77,7 @@ let imp = mkMerge [ { krebs = import ./lass { inherit lib; }; } { krebs = import ./makefu { inherit lib; }; } + { krebs = import ./shared { inherit lib; }; } { krebs = import ./tv { inherit lib; }; } { krebs.dns.providers = { @@ -105,8 +107,8 @@ let # Implements environment.etc."zones/<zone-name>" environment.etc = let - stripEmptyLines = s: concatStringsSep "\n" - (remove "\n" (remove "" (splitString "\n" s))); + stripEmptyLines = s: (concatStringsSep "\n" + (remove "\n" (remove "" (splitString "\n" s)))) + "\n"; all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" ([cfg.zone-head-config] ++ combined-hosts); combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 64b7820b2..234129497 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -6,7 +6,7 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with import ../4lib { inherit lib; }; +with lib; let cfg = config.krebs.git; diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 2a1df9e03..5503ee8d6 100644 
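Review bot: The `host` and `user` options in the new `krebs.current` module carry no `description`, and `pkgs` is taken from the module arguments but never used. Without descriptions the options stay undocumented in generated option listings, and because neither has a `default`, enabling `krebs.current` with an unknown `current-host-name` presumably fails at the `config.krebs.hosts.${current-host-name}` lookup in the top-level `default.nix` rather than with a message from this module. Suggest `description = "The host this configuration is being evaluated for (set from current-host-name)";` on `host`, a matching one on `user`, and dropping `pkgs` from the argument pattern.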
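Review bot: `stripEmptyLines` now also appends a trailing `"\n"`, so its name no longer describes what it does, and the reason for the newline (zone parsers commonly require a terminating newline — presumably the motivation) is not recorded. Suggest renaming it to `normalizeZone` or adding `# strip empty lines and terminate the zone with a newline, which zone parsers require` above the binding. The enclosing `environment.etc` let-block starts before this hunk.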
--- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: -with builtins; -with import ../4lib { inherit lib; }; +with lib; let cfg = config.krebs.github-hosts-sync; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index afedf95f2..498282b03 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,8 +1,36 @@ { lib, ... }: -with import ../../4lib { inherit lib; }; +with lib; -{ +let + testHosts = lib.genAttrs [ + "test-arch" + "test-centos6" + "test-centos7" + ] (name: { + inherit name; + cores = 1; + nets = { + retiolum = { + addrs4 = ["10.243.111.111"]; + addrs6 = ["42:0:0:0:0:0:0:7357"]; + aliases = [ + "test.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd + mrX2tBIfb2hhhgm4Jecy33WVymoEL7EiRZ6gshJaYwte51Jnrac6IFQyiRGMqHY5 + TG/6IzzTOkeQrT1fw3Yfh0NRfqLBZLr0nAFoqgzIVRxvy+QO1gCU2UDKkQ/y5df1 + K+YsMipxU08dsOkPkmLdC/+vDaZiEdYljIS3Omd+ED5JmLM3MSs/ZPQ8xjkjEAy8 + QqD9/67bDoeXyg1ZxED2n0+aRKtU/CK/66Li//yev6yv38OQSEM4t/V0dr9sjLcY + VIdkxKf96F9r3vcDf/9xw2HrqVoy+D5XYQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }); +in { hosts = addNames { echelon = { cores = 4; @@ -104,7 +132,11 @@ with import ../../4lib { inherit lib; }; uriel = { cores = 1; dc = "lass"; - nets = rec { + nets = { + gg23 = { + addrs4 = ["10.23.1.12"]; + aliases = ["uriel.gg23"]; + }; retiolum = { addrs4 = ["10.243.81.176"]; addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; @@ -131,7 +163,11 @@ with import ../../4lib { inherit lib; }; mors = { cores = 2; dc = "lass"; - nets = rec { + nets = { + gg23 = { + addrs4 = ["10.23.1.11"]; + aliases = ["mors.gg23"]; + }; retiolum = { addrs4 = ["10.243.0.2"]; addrs6 = ["42:0:0:0:0:0:0:dea7"]; 
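Review bot: The three `testHosts` generated with `genAttrs` share one identity — the same `addrs4` `10.243.111.111`, the same `addrs6`, the alias `test.retiolum` and the same tinc public key — so once merged into `krebs.hosts` (`} // testHosts` in the later hunk) any consumer that derives per-host records presumably gets three entries for one address; if that is intended for throwaway test VMs it should say so. Suggest `# throwaway test VMs: all three intentionally share one retiolum identity and key` above the `genAttrs` call, and since the file already does `with lib;`, `lib.genAttrs` could be plain `genAttrs` for consistency with the surrounding `addNames`/`readFile` calls. They also lack the `dc` attribute the other hosts set; confirm nothing requires it.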
@@ -155,8 +191,24 @@ with import ../../4lib { inherit lib; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAMPlIG+6u75GJ3kvsPF6OoIZsU+u8ZQ+rdviv5fNMD"; }; + schnabel-ap = { + nets = { + gg23 = { + addrs4 = ["10.23.1.20"]; + aliases = ["schnabel-ap.gg23"]; + }; + }; + }; + Reichsfunk-ap = { + nets = { + gg23 = { + addrs4 = ["10.23.1.10"]; + aliases = ["Reichsfunk-ap.gg23"]; + }; + }; + }; - }; + } // testHosts; users = addNames { lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index bc0d389f2..e36a083f2 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -1,6 +1,6 @@ { lib, ... }: -with import ../../4lib { inherit lib; }; +with lib; { hosts = addNames { @@ -185,6 +185,7 @@ with import ../../4lib { inherit lib; }; addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"]; aliases = [ "graphs.wry.retiolum" + "graphs.retiolum" "paste.wry.retiolum" "paste.retiolum" "wry.retiolum" diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix new file mode 100644 index 000000000..24dd7b782 --- /dev/null +++ b/krebs/3modules/shared/default.nix 
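Review bot: `Reichsfunk-ap` is the only mixed-case host attribute in this set and its alias `Reichsfunk-ap.gg23` inherits that casing; every other host and alias here is lowercase (`schnabel-ap`, `mors.gg23`), and since `addNames` presumably copies the attribute name into `name`, the capitalised form will propagate into generated records. Suggest `reichsfunk-ap = {` with `aliases = ["reichsfunk-ap.gg23"];`. These two hosts also define no `retiolum` net and no key material, unlike their siblings; confirm consumers tolerate that.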
@@ -0,0 +1,42 @@ +{ lib, ... }: + +with lib; + +{ + hosts = addNames { + wolf = { + #dc = "shack"; + nets = { + #shack = { + # addrs4 = [ TODO ]; + # aliases = ["wolf.shack"]; + #}; + retiolum = { + addrs4 = ["10.243.77.1"]; + addrs6 = ["42:0:0:0:0:0:77:1"]; + aliases = [ + "wolf.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzpXyEATt8+ElxPq650/fkboEC9RvTWqN6UIAl/R4Zu+uDhAZ2ekb + HBjoSbRxu/0w2I37nwWUhEOemxGm4PXCgWrtO0jeRF4nVNYu3ZBppA3vuVALUWq7 + apxRUEL9FdsWQlXGo4PVd20dGaDTi8M/Ggo755MStVTY0rRLluxyPq6VAa015sNg + 4NOFuWm0NDn4e+qrahTCTiSjbCU8rWixm0GktV40kdg0QAiFbEcRhuXF1s9/yojk + 7JT/nFg6LELjWUSSNZnioj5oSfVbThDRelIld9VaAKBAZZ5/zy6T2XSeDfoepytH + 8aw6itEuTCy1M1DTiTG+12SPPw+ubG+NqQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR"; + }; + }; + users = addNames { + shared = { + mail = "spam@krebsco.de"; + pubkey = "lol"; # TODO krebs.users.shared.pubkey should be unnecessary + }; + }; +} diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index a6c628353..e415d20ab 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -95,8 +95,12 @@ let ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' #!/bin/sh + mkdir -p "${internal_dir}" "${external_dir}" if ! test -e "${cfg.workingDir}/internal/index.html"; then - cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}" + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/." "${internal_dir}" + fi + if ! test -e "${cfg.workingDir}/external/index.html"; then + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/external/." "${external_dir}" fi ''; @@ -118,7 +122,6 @@ let users.extraUsers.tinc_graphs = { uid = 3925439960; #genid tinc_graphs home = "/var/spool/tinc_graphs"; - createHome = true; }; krebs.nginx.servers = mkIf cfg.nginx.enable { 
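Review bot: `pubkey = "lol"` gives the new `shared` user a placeholder that is not a valid key, while the field's consumers (presumably authorized_keys generation somewhere under `krebs.users.*.pubkey`; not visible in this diff) cannot tell it apart from a real one — a malformed line is at best silently skipped and at worst breaks the build of anything that parses it. If the value is genuinely unneeded, as the TODO says, prefer making the option optional and leaving it unset rather than shipping a sentinel string. Until then, document it inline: `pubkey = "lol"; # placeholder, not a usable key; TODO make krebs.users.*.pubkey optional`.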
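Review bot: Removing `createHome = true;` means nothing in this hunk creates `/var/spool/tinc_graphs` itself; the new `mkdir -p "${internal_dir}" "${external_dir}"` in `ExecStartPre` (first hunk of this file) only succeeds if the unit may create those directories' parent, which depends on the `User=`/working-directory setup outside this diff. If the service runs as the unprivileged `tinc_graphs` user, confirm the spool directory is created elsewhere (a tmpfiles rule or an activation script) — otherwise the first start fails with a permission error where it previously worked. A comment such as `# home is created by <MECHANISM-PLACEHOLDER>, not by createHome` next to the `home =` line would make the intent explicit.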
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 5d5fead8f..4c295dffe 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -1,6 +1,6 @@ { lib, ... }: -with import ../../4lib { inherit lib; }; +with lib; { dns.providers = { @@ -65,7 +65,7 @@ with import ../../4lib { inherit lib; }; dc = "tv"; #dc = "cac"; nets = rec { internet = { - addrs4 = ["104.233.84.215"]; + addrs4 = ["104.167.114.142"]; aliases = [ "mkdir.internet" ]; @@ -231,6 +231,7 @@ with import ../../4lib { inherit lib; }; addrs6 = ["42:0:0:0:0:0:0:1337"]; aliases = [ "wu.retiolum" + "cgit.wu.retiolum" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 80d9f5e93..206bc5697 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -56,6 +56,13 @@ let https://nixos.org/channels/nixos-unstable/git-revision ]; }; + verbose = mkOption { + type = types.bool; + default = false; + description = '' + verbose output of urlwatch + ''; + }; }; urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); @@ -106,7 +113,7 @@ let cd /tmp - urlwatch -e --urls="$urlsFile" > changes 2>&1 || : + urlwatch -e ${optionalString cfg.verbose "-v"} --urls="$urlsFile" > changes || : if test -s changes; then date=$(date -R) diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 0a6101314..396307c22 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -3,8 +3,6 @@ with builtins; with lib; -builtins // -lib // rec { eq = x: y: x == y; diff --git a/krebs/4lib/infest/finalize.sh b/krebs/4lib/infest/finalize.sh index 0039960c5..94b13e0be 100644 --- a/krebs/4lib/infest/finalize.sh +++ b/ |
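Review bot: Dropping `2>&1` from the `urlwatch` invocation changes what ends up in `changes`: urlwatch's stderr (errors, and the `-v` output the new `verbose` option enables) now goes to the unit's stderr instead of the mailed report, and the retained `|| :` still discards the exit status, so a failing run produces an empty `changes` file and no mail. If keeping diagnostics out of the mail is the intent, note it: `# stderr (errors, -v output) goes to the journal, not into the mailed changes`. The script continues outside this hunk, so whether the status is recorded elsewhere is not visible here.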
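Review bot: With `builtins //` and `lib //` removed, `krebs/4lib` no longer re-exports nixpkgs `lib` or `builtins`; the `with builtins; with lib;` header keeps this module's own bodies resolving, but any importer that relied on the re-export and is not among the `with import ../4lib` sites converted in this commit now receives only the krebs helpers — other importers are not visible here, so confirm they take `lib` directly. A short comment would help: `# krebs additions only; the top-level default.nix merges this with builtins and nixpkgs lib`.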