diff options
32 files changed, 457 insertions, 331 deletions
@@ -102,7 +102,7 @@ ifneq ($(ssh),) populate: populate-flags += --ssh=$(ssh) endif populate: - $(call evaluate,config.krebs.build.source) --json --strict | \ + nix-shell --run 'get-source $(LOGNAME)/1systems/$(system)/source.nix' \ populate $(populate-target) $(populate-flags) # usage: make pkgs.populate diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 5e5f6cdb2..bcf63dc4b 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -5,6 +5,9 @@ <stockholm/krebs> <stockholm/krebs/2configs> <stockholm/krebs/2configs/secret-passwords.nix> + + <stockholm/krebs/2configs/repo-sync.nix> + <stockholm/krebs/2configs/shared-buildbot.nix> ]; krebs.build.host = config.krebs.hosts.puyak; @@ -27,6 +30,11 @@ "/boot" = { device = "/dev/sda2"; }; + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; "/home" = { device = "/dev/mapper/pool-home"; fsType = "btrfs"; diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix index ba897a26e..32e7bd49d 100644 --- a/krebs/1systems/wolf/config.nix +++ b/krebs/1systems/wolf/config.nix @@ -11,7 +11,6 @@ in <stockholm/krebs/2configs/central-stats-client.nix> <stockholm/krebs/2configs/save-diskspace.nix> - <stockholm/krebs/2configs/cgit-mirror.nix> <stockholm/krebs/2configs/graphite.nix> <stockholm/krebs/2configs/repo-sync.nix> <stockholm/krebs/2configs/shared-buildbot.nix> diff --git a/krebs/2configs/backup.nix b/krebs/2configs/backup.nix new file mode 100644 index 000000000..7ee438784 --- /dev/null +++ b/krebs/2configs/backup.nix @@ -0,0 +1,21 @@ +{ config, lib, ... }: +with import <stockholm/lib>; +{ + krebs.backup.plans = { + } // mapAttrs (_: recursiveUpdate { + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }) { + wolf-share-puyak = { + method = "pull"; + src = { host = config.krebs.hosts.wolf; path = "/home/share"; }; + dst = { host = config.krebs.hosts.puyak; path = "/bku/wolf-share"; }; + startAt = "03:00"; + }; + }; +} + diff --git a/krebs/2configs/cgit-mirror.nix b/krebs/2configs/cgit-mirror.nix deleted file mode 100644 index c2326a5cc..000000000 --- a/krebs/2configs/cgit-mirror.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; -let - rules = with git; singleton { - user = [ wolf-repo-sync ]; - repo = [ stockholm-mirror ]; - perm = push ''refs/*'' [ non-fast-forward create delete merge ]; - }; - - stockholm-mirror = { - public = true; - name = "stockholm-mirror"; - cgit.desc = "mirror for all stockholm branches"; - hooks = { - post-receive = pkgs.git-hooks.irc-announce { - nick = config.networking.hostName; - verbose = false; - channel = "#retiolum"; - server = "ni.r"; - }; - }; - }; - - wolf-repo-sync = { - name = "wolf-repo-sync"; - mail = "spam@krebsco.de"; - # TODO put git-sync pubkey somewhere more appropriate - pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf''; - }; - -in { - krebs.users.wolf-repo-sync = wolf-repo-sync; - krebs.git = { - enable = true; - cgit = { - settings = { - root-title = "Shared Repos"; - root-desc = "keep on krebsing"; - }; - }; - inherit rules; - repos.stockholm-mirror = stockholm-mirror; - }; -} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 901516e50..daf9bd9d0 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -2,6 +2,9 @@ with import <stockholm/lib>; { + imports = [ + ./backup.nix + ]; krebs.enable = true; krebs.tinc.retiolum.enable = true; diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 637a26e3c..157a30e69 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -1,31 +1,80 @@ { config, lib, pkgs, ... }: -with lib; -{ - krebs.repo-sync = let - # TODO addMirrorURL function - mirror = "git@wolf:stockholm-mirror"; - in { - enable = true; - repos.stockholm = { - branches = { - makefu = { - origin.url = http://cgit.gum/stockholm ; - mirror.url = mirror; +with import <stockholm/lib>; + +let + mirror = "git@${config.networking.hostName}:"; + + defineRepo = name: announce: let + repo = { + public = true; + name = mkDefault "${name}"; + cgit.desc = mkDefault "mirror for ${name}"; + cgit.section = mkDefault "mirror"; + hooks = mkIf announce (mkDefault { + post-receive = pkgs.git-hooks.irc-announce { + nick = config.networking.hostName; + verbose = false; + channel = "#retiolum"; + server = "ni.r"; + branches = [ "newest" ]; }; - tv = { - origin.url = http://cgit.ni.r/stockholm; - mirror.url = mirror; + }); + }; + in { + rules = with git; singleton { + user = with config.krebs.users; [ + config.krebs.users."${config.networking.hostName}-repo-sync" + ]; + repo = [ repo ]; + perm = push ''refs/*'' [ non-fast-forward create delete merge ]; + }; + repos."${name}" = repo; + }; + + sync-retiolum = name: + { + krebs.repo-sync.repos.${name} = { + branches = { + makefu = { + origin.url = "http://cgit.gum/${name}"; + mirror.url = "${mirror}${name}"; + }; + tv = { + origin.url = "http://cgit.ni.r/${name}"; + mirror.url = "${mirror}${name}"; + }; + nin = { + origin.url = "http://cgit.onondaga.r/${name}"; + mirror.url = "${mirror}${name}"; + }; + lassulus = { + origin.url = "http://cgit.lassul.us/${name}"; + mirror.url = "${mirror}${name}"; + }; }; - lassulus = { - origin.url = http://cgit.prism/stockholm ; - mirror.url = mirror; + latest = { + url = "${mirror}${name}"; + ref = "heads/newest"; }; }; - latest = { - url = mirror; - ref = "heads/master"; + krebs.git = defineRepo name true; + }; + +in { + krebs.repo-sync = { + enable = true; + }; + krebs.git = { + enable = mkDefault true; + cgit = { + settings = { + root-title = "Shared Repos"; + root-desc = "keep on krebsing"; }; }; }; + imports = [ + (sync-retiolum "stockholm") + ]; } diff --git a/krebs/2configs/shared-buildbot.nix b/krebs/2configs/shared-buildbot.nix index dd430b7c0..a9e5afc75 100644 --- a/krebs/2configs/shared-buildbot.nix +++ b/krebs/2configs/shared-buildbot.nix @@ -1,30 +1,34 @@ { lib, config, pkgs, ... }: -# The buildbot config is self-contained and currently provides a way +# The buildbot config is self-contained and currently provides a way # to test "krebs" configuration (infrastructure to be used by every krebsminister). # You can add your own test, test steps as required. Deploy the config on a # krebs host like wolf and everything should be fine. # TODO for all users schedule a build for fast tests -{ +let + hostname = config.networking.hostName; +in { # due to the fact that we actually build stuff on the box via the daemon, # /nix/store should be cleaned up automatically as well - services.nginx.virtualHosts.build = { - serverAliases = [ "build.wolf.r" ]; - locations."/".extraConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port}; - ''; + services.nginx = { + enable = true; + virtualHosts.build = { + serverAliases = [ "build.${hostname}.r" ]; + locations."/".extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port}; + ''; + }; }; nix.gc.automatic = true; nix.gc.dates = "05:23"; - networking.firewall.allowedTCPPorts = [ 8010 9989 ]; + networking.firewall.allowedTCPPorts = [ 80 8010 9989 ]; krebs.buildbot.master = let - stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ; + stockholm-mirror-url = "http://cgit.${hostname}.r/stockholm" ; in { - secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ]; workers = { testworker = "krebspass"; }; @@ -155,13 +159,13 @@ }; irc = { enable = true; - nick = "wolfbot"; + nick = "${hostname}bot"; server = "ni.r"; channels = [ { channel = "retiolum"; } ]; allowForce = true; }; extraConfig = '' - c['buildbotURL'] = "http://build.wolf.r/" + c['buildbotURL'] = "http://build.${hostname}.r/" ''; }; @@ -173,6 +177,6 @@ packages = with pkgs; [ gnumake jq nix populate ]; # all nix commands will need a working nixpkgs installation extraEnviron = { - NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./krebs/1systems/wolf/config.nix:stockholm=./"; }; + NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./krebs/1systems/${hostname}/config.nix:stockholm=./"; }; }; } diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index bfb0ab591..6f015d66b 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -54,6 +54,12 @@ let }; }); }; + timerConfig = mkOption { + type = with types; attrsOf str; + default = optionalAttrs (config.startAt != null) { + OnCalendar = config.startAt; + }; + }; }; })); }; @@ -82,11 +88,19 @@ let SyslogIdentifier = ExecStart.name; Type = "oneshot"; }; - startAt = mkIf (plan.startAt != null) plan.startAt; }) (filter (plan: build-host-is "pull" "dst" plan || build-host-is "push" "src" plan) enabled-plans)); + systemd.timers = + listToAttrs (map (plan: nameValuePair "backup.${plan.name}" { + wantedBy = [ "timers.target" ]; + timerConfig = plan.timerConfig; + }) (filter (plan: plan.timerConfig != {} && ( + build-host-is "pull" "dst" plan || + build-host-is "push" "src" plan)) + enabled-plans)); + users.groups.backup.gid = genid "backup"; users.users.root.openssh.authorizedKeys.keys = map (plan: getAttr plan.method { diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index e00c0ec9b..cdb9fe70a 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -49,6 +49,7 @@ let set -euf mkdir -p ${cfg.stateDir} + chmod o+rx ${cfg.stateDir} cd ${cfg.stateDir} (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || : feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 884108ebb..93211d9d4 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -569,7 +569,8 @@ let if ! test -d "$repodir"; then mkdir -m "$mode" "$repodir" git init --bare --template=/var/empty "$repodir" - chown -R git:nogroup "$repodir" + # TODO fix correctly with stringAfter + chown -R ${toString config.users.users.git.uid}:nogroup "$repodir" fi ln -s ${hooks} "$repodir/hooks" '' diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index f11b8ef48..f751b4f9f 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -38,6 +38,8 @@ in { ip6.addr = "42:0:0:0:0:0:77:2"; aliases = [ "puyak.r" + "build.puyak.r" + "cgit.puyak.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -94,5 +96,15 @@ in { krebs = { pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary }; + puyak-repo-sync = { + name = "puyak-repo-sync"; + mail = "spam@krebsco.de"; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ+18mG/cV1YbR9PXzuu3ScyV9kENy08OXUntpmgh9H2"; + }; + wolf-repo-sync = { + name = "wolf-repo-sync"; + mail = "spam@krebsco.de"; + pubkey = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwuAZB3wtAvBJFYh+gWdyGaZU4mtqM2dFXmh2rORlbXeh02msu1uv07ck1VKkQ4LgvCBcBsAOeVa1NTz99eLqutwgcqMCytvRNUCibcoEWwHObsK53KhDJj+zotwlFhnPPeK9+EpOP4ngh/tprJikttos5BwBwe2K+lfiid3fmVPZcTTYa77nCwijimMvWEx6CEjq1wiXMUc4+qcEn8Swbwomz/EEQdNE2hgoC3iMW9RqduTFdIJWnjVi0KaxenX9CvQRGbVK5SSu2gwzN59D/okQOCP6+p1gL5r3QRHSLSSRiEHctVQTkpKOifrtLZGSr5zArEmLd/cOVyssHQPCX repo-sync@wolf''; + }; }; } diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh index 50d521e17..d39aca348 100644 --- a/krebs/4lib/infest/prepare.sh +++ b/krebs/4lib/infest/prepare.sh @@ -102,7 +102,7 @@ prepare_nixos_iso() { mkdir -p bin rm -f bin/nixos-install cp "$(type -p nixos-install)" bin/nixos-install - sed -i "s@^NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install + sed -i "s@NIX_PATH=\"[^\"]*\"@NIX_PATH=$target_path@" bin/nixos-install } get_nixos_install() { diff --git a/krebs/5pkgs/writers.nix b/krebs/5pkgs/writers.nix index c4fb8cd83..49ca3557e 100644 --- a/krebs/5pkgs/writers.nix +++ b/krebs/5pkgs/writers.nix @@ -262,7 +262,12 @@ with import <stockholm/lib>; }; }; - writeJSON = name: value: pkgs.writeText name (toJSON value); + writeJSON = name: value: pkgs.runCommand name { + json = toJSON value; + passAsFile = [ "json" ]; + } /* sh */ '' + ${pkgs.jq}/bin/jq . "$jsonPath" > "$out" + ''; writeNixFromCabal = trace (toString [ diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 1d20c081a..61837bf38 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -36,11 +36,11 @@ "/boot" = { device = "/dev/sda2"; }; - #"/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - #}; + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; "/home" = { device = "/dev/mapper/pool-home"; fsType = "btrfs"; diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index 820ef74b8..4431a702c 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -151,25 +151,41 @@ with import <stockholm/lib>; systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ]; } { - krebs.iptables = { + networking.firewall = { enable = true; - tables = { - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } - { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } - ]; - }; + allowedTCPPorts = [ 22 ]; }; } { krebs.hidden-ssh.enable = true; } + { + services.xserver = { + enable = true; + #videoDrivers = mkForce [ "ati_unfree" ]; + + desktopManager.xterm.enable = false; + desktopManager.default = "none"; + displayManager.lightdm.enable = true; + displayManager.lightdm.autoLogin = { + enable = true; + user = "lass"; + }; + windowManager.default = "xmonad"; + windowManager.session = [{ + name = "xmonad"; + start = '' + ${pkgs.xorg.xhost}/bin/xhost +LOCAL: + ${pkgs.xmonad-lass}/bin/xmonad & + waitPID=$! + ''; + }]; + + layout = "us"; + xkbModel = "evdev"; + xkbVariant = "altgr-intl"; + xkbOptions = "caps:backspace"; + }; + } ]; } diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix index abc55a0e1..c4fb85420 100644 --- a/lass/2configs/backups.nix +++ b/lass/2configs/backups.nix @@ -134,7 +134,7 @@ with import <stockholm/lib>; startAt = "03:55"; }; icarus-home-mors = { - method = "push"; + method = "pull"; src = { host = config.krebs.hosts.icarus; path = "/home"; }; dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; }; startAt = "05:00"; diff --git a/lib/eval-source.nix b/lib/eval-source.nix index 468fc92d1..ff853185b 100644 --- a/lib/eval-source.nix +++ b/lib/eval-source.nix @@ -10,6 +10,12 @@ let }; }; }; + sanitize = x: getAttr (typeOf x) { + set = mapAttrs + (const sanitize) + (filterAttrs (name: value: name != "_module" && value != null) x); + string = x; + }; in # This function's return value can be used as pkgs.populate input. - _file: source: (eval _file source).config.source + _file: source: sanitize (eval _file source).config.source @@ -2,6 +2,10 @@ let lib = import ./lib; pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; }; + # + # high level commands + # + # usage: deploy [--user=USER] --system=SYSTEM [--target=TARGET] cmds.deploy = pkgs.writeDash "cmds.deploy" '' set -efu @@ -29,6 +33,69 @@ let exec ${utils.build} config.system.build.toplevel ''; + # + # low level commands + # + + # usage: get-source SOURCE_FILE + cmds.get-source = pkgs.writeDash "cmds.get-source" '' + set -efu + exec ${pkgs.nix}/bin/nix-instantiate \ + --eval \ + --json \ + --readonly-mode \ + --show-trace \ + --strict \ + "$1" + ''; + + # usage: parse-target [--default=TARGET] TARGET + # TARGET = [USER@]HOST[:PORT][/PATH] + cmds.parse-target = pkgs.writeDash "cmds.parse-target" '' + set -efu + args=$(${pkgs.utillinux}/bin/getopt -n "$0" -s sh \ + -o d: \ + -l default: \ + -- "$@") + if \test $? != 0; then exit 1; fi + eval set -- "$args" + default_target= + while :; do case $1 in + -d|--default) default_target=$2; shift 2;; + --) shift; break;; + esac; done + target=$1; shift + for arg; do echo "$0: bad argument: $arg" >&2; done + if \test $# != 0; then exit 2; fi + exec ${pkgs.jq}/bin/jq \ + -enr \ + --arg default_target "$default_target" \ + --arg target "$target" \ + -f ${pkgs.writeText "cmds.parse-target.jq" '' + def parse: match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | { + user: .captures[0].string, + host: .captures[1].string, + port: .captures[2].string, + path: .captures[3].string, + }; + def sanitize: with_entries(select(.value != null)); + ($default_target | parse) + ($target | parse | sanitize) | + . + { local: (.user == env.LOGNAME and .host == env.HOSTNAME) } + ''} + ''; + + # usage: quote [ARGS...] + cmds.quote = pkgs.writeDash "cmds.quote" '' + set -efu + prefix= + for x; do + y=$(${pkgs.jq}/bin/jq -nr --arg x "$x" '$x | @sh "\(.)"') + echo -n "$prefix$y" + prefix=' ' + done + echo + ''; + init.args = pkgs.writeText "init.args" /* sh */ '' args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \ -o s:t:u: \ @@ -47,16 +114,16 @@ let ''; init.env = pkgs.writeText "init.env" /* sh */ '' - config=''${config-$user/1systems/$system/config.nix} source=''${source-$user/1systems/$system/source.nix} - export config export source export system export target export user - export target_object="$(${init.env.parsetarget} $target)" + default_target=root@$system:22/var/src + + export target_object="$(parse-target "$target" -d "$default_target")" export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)" export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)" export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)" @@ -70,36 +137,9 @@ let fi fi '' // { - parsetarget = pkgs.writeDash "init.env.parsetarget" '' - set -efu - exec ${pkgs.jq}/bin/jq \ - -enr \ - --arg target "$1" \ - -f ${init.env.parsetarget.jq} - '' // { - jq = pkgs.writeText "init.env.parsetarget.jq" '' - def when(c; f): if c then f else . end; - def capturesDef(i; v): .captures[i].string | when(. == null; v); - $target | match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | { - user: capturesDef(0; "root"), - host: capturesDef(1; env.system), - port: capturesDef(2; "22"), - path: capturesDef(3; "/var/src"), - } | . + { - local: (.user == env.LOGNAME and .host == env.HOSTNAME), - } - ''; - }; populate = pkgs.writeDash "init.env.populate" '' set -efu - _source=$(${pkgs.nix}/bin/nix-instantiate \ - --eval \ - --json \ - --readonly-mode \ - --show-trace \ - --strict \ - -I nixos-config="$config" \ - "$source") + _source=$(get-source "$source") echo $_source | ${pkgs.populate}/bin/populate \ "$target_user@$target_host:$target_port$target_path" \ @@ -108,22 +148,17 @@ let ''; proxy = pkgs.writeDash "init.env.proxy" '' set -efu - q() { - ${pkgs.jq}/bin/jq -nr --arg x "$*" '$x | @sh "\(.)"' - } exec ${pkgs.openssh}/bin/ssh \ "$target_user@$target_host" -p "$target_port" \ cd "$target_path/stockholm" \; \ - NIX_PATH=$(q "$target_path") \ - STOCKHOLM_VERSION=$STOCKHOLM_VERSION \ - nix-shell \ - --run $(q \ - config=$config \ - system=$system \ - target=$target \ - using_proxy=true \ - "$*" - ) + NIX_PATH=$(quote "$target_path") \ + STOCKHOLM_VERSION=$(quote "$STOCKHOLM_VERSION") \ + nix-shell --run "$(quote " + system=$(quote "$system") \ + target=$(quote "$target") \ + using_proxy=true \ + $(quote "$@") + ")" ''; }; @@ -166,7 +201,8 @@ let in pkgs.stdenv.mkDerivation { name = "stockholm"; shellHook = /* sh */ '' - export NIX_PATH="stockholm=$PWD''${NIX_PATH+:$NIX_PATH}" + export NIX_PATH=stockholm=$PWD:nixpkgs=${toString <nixpkgs>} + ex |