-rw-r--r-- | default.nix | 31 | ||||
-rw-r--r-- | krebs/3modules/build.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/github-hosts-sync.nix | 3 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/tv/default.nix | 5 | ||||
-rw-r--r-- | krebs/4lib/default.nix | 2 | ||||
-rw-r--r-- | krebs/5pkgs/default.nix | 5 | ||||
-rw-r--r-- | krebs/default.nix | 149 | ||||
-rw-r--r-- | tv/1systems/cd.nix | 1 | ||||
-rw-r--r-- | tv/1systems/mkdir.nix | 1 | ||||
-rw-r--r-- | tv/1systems/nomic.nix | 13 | ||||
-rw-r--r-- | tv/1systems/rmdir.nix | 1 | ||||
-rw-r--r-- | tv/1systems/wu.nix | 1 | ||||
-rw-r--r-- | tv/2configs/base.nix | 6 | ||||
-rw-r--r-- | tv/2configs/test.nix | 2 | ||||
-rw-r--r-- | tv/2configs/urlwatch.nix | 4 | ||||
-rw-r--r-- | tv/3modules/consul.nix | 2 | ||||
-rw-r--r-- | tv/4lib/default.nix | 14 |
21 files changed, 135 insertions, 115 deletions
diff --git a/default.nix b/default.nix
index 11bae7d98..b261e51e7 100644
--- a/default.nix
+++ b/default.nix
@@ -17,7 +17,8 @@
 { current-date ? abort "current-date not defined"
 , current-host-name ? abort "current-host-name not defined"
 , current-user-name ? builtins.getEnv "LOGNAME"
-}@current:
+, StrictHostKeyChecking ? "yes"
+}@args:
 let stockholm = {
 # The generated scripts to deploy (or infest) systems can be found in the
@@ -44,11 +45,25 @@ let stockholm = {
 # Additionally, output lib and pkgs for easy access from the shell.
 # Notice how we're evaluating just the base module to obtain pkgs.
 inherit lib;
- inherit (eval {}) pkgs;
+ inherit pkgs;
 };
- krebs = import ./krebs (current // { inherit stockholm; });
- inherit (krebs) lib;
+ krebs = import ./krebs (args // { inherit lib stockholm; });
+
+ lib =
+ let
+ lib = import <nixpkgs/lib>;
+ klib = import ./krebs/4lib { inherit lib; };
+ #ulib = import (./. + "/${current-user-name}/4lib") { lib = lib // klib; };
+ ulib = {}; # TODO
+ in
+ builtins // lib // klib // ulib // rec {
+ # TODO move this stuff
+ stockholm-path = ./.;
+ nspath = ns: p: stockholm-path + "/${ns}/${p}";
+ };
+
+ inherit (eval {}) pkgs;
 # Path resolvers for common and individual files.
 # Example: `upath "3modules"` produces the current user's 3modules directory
@@ -65,8 +80,8 @@ let stockholm = {
 let
 # Notice the ordering. Krebs packages can only depend on Nixpkgs,
 # whereas user packages additionally can depend on krebs packages.
- kpkgs = import (kpath "5pkgs") { inherit pkgs; };
- upkgs = import (upath "5pkgs") { pkgs = pkgs // kpkgs; };
+ kpkgs = import (kpath "5pkgs") { inherit lib pkgs; };
+ upkgs = import (upath "5pkgs") { inherit lib; pkgs = pkgs // kpkgs; };
 in kpkgs // upkgs;
 };
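Review bot: The merged `lib` built in the second hunk (`builtins // lib // klib // ulib // rec { ... }`) lets every name defined in krebs/4lib override a same-named nixpkgs `lib` function, and nixpkgs `lib` in turn overrides `builtins`, silently in both cases because `//` takes the right-hand value. This matters more than before because the `eval` hunk on the next line injects the same set as `specialArgs.lib`, so an override reaches the NixOS modules from `<nixpkgs>` as well as stockholm's own. A comment at the merge recording the precedence, e.g. `# precedence: ulib > klib > nixpkgs lib > builtins; a colliding name replaces the upstream helper for every module`, plus an evaluation-time guard such as `assert lib.intersectLists (builtins.attrNames klib) (builtins.attrNames lib) == [];` in front of `builtins // lib // ...` would make an accidental collision fail loudly instead of changing behaviour in an unrelated module (if krebs/4lib overrides something on purpose, list those names as exceptions). The commented `#ulib` line and `ulib = {}; # TODO` could also carry one sentence on why the per-user lib is disabled.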
@@ -76,8 +91,10 @@ let stockholm = {
 # packages and modules on top of NixOS. Some of this stuff might become
 # useful to a broader audience, at which point it should probably be merged
 # and pull-requested for inclusion into NixOS/nixpkgs.
- # TODO provide krebs lib, so modules don't have to import it awkwardly
 eval = config: import <nixpkgs/nixos/lib/eval-config.nix> {
+ specialArgs = {
+ inherit lib;
+ };
 modules = [
 base-module
 config
diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix
index 57495ea69..1205e192b 100644
--- a/krebs/3modules/build.nix
+++ b/krebs/3modules/build.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
-with import ../4lib { inherit lib; };
+with lib;
 let
 target = config.krebs.build // { user.name = "root"; };
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 075db1826..e244ef7b7 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -1,6 +1,6 @@
 { config, lib, ... }:
-with import ../4lib { inherit lib; };
+with lib;
 let
 cfg = config.krebs;
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 64b7820b2..234129497 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -6,7 +6,7 @@
 # TODO when authorized_keys changes, then restart ssh
 # (or kill already connected users somehow)
-with import ../4lib { inherit lib; };
+with lib;
 let
 cfg = config.krebs.git;
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index 2a1df9e03..5503ee8d6 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }:
-with builtins;
-with import ../4lib { inherit lib; };
+with lib;
 let
 cfg = config.krebs.github-hosts-sync;
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index afedf95f2..59052021b 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -1,6 +1,6 @@
 { lib, ... }:
-with import ../../4lib { inherit lib; };
+with lib;
 {
 hosts = addNames {
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 6b3781b49..4f8f964f8 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -1,6 +1,6 @@
 { lib, ... }:
-with import ../../4lib { inherit lib; };
+with lib;
 {
 hosts = addNames {
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 5d5fead8f..4c295dffe 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -1,6 +1,6 @@
 { lib, ... }:
-with import ../../4lib { inherit lib; };
+with lib;
 {
 dns.providers = {
@@ -65,7 +65,7 @@ with import ../../4lib { inherit lib; };
 dc = "tv"; #dc = "cac";
 nets = rec {
 internet = {
- addrs4 = ["104.233.84.215"];
+ addrs4 = ["104.167.114.142"];
 aliases = [
 "mkdir.internet"
 ];
@@ -231,6 +231,7 @@ with import ../../4lib { inherit lib; };
 addrs6 = ["42:0:0:0:0:0:0:1337"];
 aliases = [
 "wu.retiolum"
+ "cgit.wu.retiolum"
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix
index 0a6101314..396307c22 100644
--- a/krebs/4lib/default.nix
+++ b/krebs/4lib/default.nix
@@ -3,8 +3,6 @@
 with builtins;
 with lib;
-builtins //
-lib //
 rec {
 eq = x: y: x == y;
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 84fb8725b..0ec4b3ded 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -1,7 +1,6 @@
-{ pkgs, ... }:
-
-with import ../4lib { inherit (pkgs) lib; };
+{ lib, pkgs, ... }:
+with lib;
 let
 subdirs = mapAttrs (_: flip pkgs.callPackage {}) (subdirsOf ./.);
 pkgs' = pkgs // subdirs;
diff --git a/krebs/default.nix b/krebs/default.nix
index c23cf152a..31a7f7d04 100644
--- a/krebs/default.nix
+++ b/krebs/default.nix
@@ -1,14 +1,16 @@
 { current-date
 , current-host-name
 , current-user-name
+, lib
 , stockholm
+, StrictHostKeyChecking ? "yes"
 }:
 let out = {
 inherit deploy;
 inherit infest;
 inherit init;
- inherit lib;
+ inherit nixos-install;
 };
 deploy =
@@ -23,7 +25,7 @@ let out = {
 set -efu
 (${populate args})
 ${rootssh target ''
- ${install args}
+ ${nix-install args}
 ${config.krebs.build.profile}/bin/switch-to-configuration switch
 ''}
 echo OK
@@ -39,63 +41,14 @@ let out = {
 # krebs.infest
 set -efu
- # XXX type -p is non-standard
- #export RSYNC_RSH; RSYNC_RSH="$(type -p ssh) \
- # -o 'HostName $ {target.host.infest.addr}' \
- # -o 'Port $ {toString target.host.infest.port}' \
- #"
- #ssh() {
- # eval "$RSYNC_RSH \"\$@\""
- #}
-
- ${lib.rootssh target ''
+ ${rootssh target ''
 ${builtins.readFile ./4lib/infest/prepare.sh}
 ${builtins.readFile ./4lib/infest/install-nix.sh}
 ''}
- (${lib.populate args})
-
- ${lib.rootssh target ''
- export PATH; PATH=/root/.nix-profile/bin:$PATH
-
- src=$(type -p nixos-install)
- cat_src() {
- sed < "$src" "$(
- { sed < "$src" -n '
- /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
- /^nixpkgs=/=
- /^NIX_PATH=/,/^$/{/./=}
-
- # Disable: Copy the NixOS/Nixpkgs sources to the target as
- # the initial contents of the NixOS channel.
- /^srcs=/,/^ln -sfn /=
- '
- } | sed 's:$:s/^/#krebs#/:'
- )"
- }
-
- # Location to insert install
- i=$(sed -n '/^echo "building the system configuration/=' "$src")
-
- {
- cat_src | sed -n "1,$i{p}"
- cat ${lib.doc (install args)}
- cat_src | sed -n "$i,\''${$i!p}"
- } > nixos-install
- chmod +x nixos-install
-
- ## Wrap inserted install into chroot.
- #nix_env=$(cat_src | sed -n '
- # s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
- #')
- #echo nix-env is $nix_env
- #sed -i '
- # s:^nix-env:chroot $mountPoint '"$nix_env"':
- #' nixos-install
-
- unset SSL_CERT_FILE
- ./nixos-install
+ (${nixos-install args})
+ ${rootssh target ''
 ${builtins.readFile ./4lib/infest/finalize.sh}
 ''}
 '';
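Review bot: `StrictHostKeyChecking ? "yes"` in the first hunk repeats the default that default.nix declares and always passes through (`import ./krebs (args // { inherit lib stockholm; })`), so this default is only reachable when krebs/default.nix is imported directly and the two can drift apart unnoticed. Either drop the default here so a missing value is an evaluation error, or mark it `, StrictHostKeyChecking ? "yes" # keep in sync with ../default.nix`. The `infest` hunk further down now runs three steps — `prepare.sh`/`install-nix.sh` over ssh, `nixos-install args`, then `finalize.sh` over ssh — and a one-line comment naming that order would replace the explanation the removed inline script used to carry.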
@@ -135,10 +88,74 @@ let out = {
 EOF
 '';
- lib = import ./4lib { lib = import <nixpkgs/lib>; } // rec {
- stockholm-path = ../.;
- nspath = ns: p: stockholm-path + "/${ns}/${p}";
- };
+ nixos-install =
+ { system ? current-host-name
+ , target ? system
+ }@args: let
+ in ''
+ #! /bin/sh
+ # ${current-date} ${current-user-name}@${current-host-name}
+ # krebs.nixos-install
+ (${populate args})
+
+ ${rootssh target ''
+ export PATH; PATH=/root/.nix-profile/bin:$PATH
+
+ src=$(type -p nixos-install)
+ cat_src() {
+ sed < "$src" "$(
+ { sed < "$src" -n '
+ /^if ! test -e "\$mountPoint\/\$NIXOS_CONFIG/,/^fi$/=
+ /^nixpkgs=/=
+ /^NIX_PATH=/,/^$/{/./=}
+
+ # Disable: Copy the NixOS/Nixpkgs sources to the target as
+ # the initial contents of the NixOS channel.
+ /^srcs=/,/^ln -sfn /=
+ '
+ } | sed 's:$:s/^/#krebs#/:'
+ )"
+ }
+
+ # Location to insert `nix-install`
+ i=$(sed -n '/^echo "building the system configuration/=' "$src")
+
+ {
+ cat_src | sed -n "1,$i{p}"
+ cat ${doc (nix-install args)}
+ cat_src | sed -n "$i,\''${$i!p}"
+ } > nixos-install
+ chmod +x nixos-install
+
+ # Wrap inserted nix-install into chroot.
+ nix_env=$(cat_src | sed -n '
+ s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q
+ ')
+ echo "nix-env is $nix_env" >&2
+ findpkg() {(
+ name=$1
+ path=$(find /nix/store \
+ -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
+ | head -n 1 | sed s:^/mnt::)
+ if echo "$path" | grep .; then
+ echo "$name is $path" >&2
+ else
+ echo "Error: package not found: $name" >&2
+ exit 1
+ fi
+ )}
+ cacert=$(findpkg cacert)
+ coreutils=$(findpkg coreutils)
+ cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE
+ env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE"
+ sed -i '
+ s:^NIX_PATH=:chroot $mountPoint '"$env"' &:
+ s:^nix-env:'"$nix_env"':
+ ' nixos-install
+
+ ./nixos-install
+ ''}
+ '';
 doc = s: let
 b = "EOF${builtins.hashString "sha256" s}"; in
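Review bot: `findpkg` returns whichever matching store path `find` lists first (`| head -n 1`), so when more than one `*-cacert-*` or `*-coreutils-*` directory exists, the CA bundle copied to `/mnt/root/SSL_CERT_FILE` — which the rewritten nixos-install is told to trust through `env SSL_CERT_FILE=/root/SSL_CERT_FILE` — is picked by directory order rather than by a known input, and the glob `'*-'"$name"'-*'` also matches any store path whose name merely contains `-cacert-`. Failing when the match is not unique keeps the installer deterministic and surfaces the ambiguous case instead of silently choosing one; the rewrite below does that. The `exit 1` inside the `{( ... )}` subshell only ends the subshell, but because the result is consumed by `cacert=$(findpkg cacert)` under the `set -efu` that `rootssh` prepends, the failed assignment still aborts the script — a comment such as `# exit in the subshell fails the $(…) assignment, set -e then aborts` would stop someone from "fixing" it. The copied bundle remains in the installed system's `/root` after `./nixos-install` returns; if it is not needed at runtime, finalize.sh (outside this hunk) is the place to remove it.
```sh
findpkg() {(
  name=$1
  paths=$(find /nix/store \
    -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \
    | sed s:^/mnt::)
  case $(printf '%s\n' "$paths" | grep -c .) in
    1) echo "$name is $paths" >&2; echo "$paths";;
    0) echo "Error: package not found: $name" >&2; exit 1;;
    *) echo "Error: ambiguous package: $name" >&2; echo "$paths" >&2; exit 1;;
  esac
)}
# … unchanged: cacert=$(findpkg cacert) and the rest of the script …
```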
@@ -152,7 +169,7 @@ let out = {
 stockholm.users.${current-user-name}.${system}.config
 or (abort "unknown system: ${system}, user: ${current-user-name}");
- install =
+ nix-install =
 { system ? current-host-name
 , target ? system
 }:
@@ -203,11 +220,8 @@ let out = {
 current-host = config.krebs.hosts.${current-host-name};
 current-user = config.krebs.users.${current-user-name};
- target-host = config.krebs.hosts.${system};
-
 methods.dir = config: let
- can-link = config.host.name == target-host.name;
 can-push = config.host.name == current-host.name;
 push-method = ''
 rsync \
@@ -221,11 +235,11 @@ let out = {
 ${config.path}/ \
 root@${target}:${config.target-path}
 '';
- url = "file://${config.host.name}${config.path}";
 in
- #if can-link then link-method else
 if can-push then push-method else
- throw "cannot source ${url}";
+ let dir = "file://${config.host.name}${config.path}"; in
+ # /!\ revise this message when using more than just push-method
+ throw "No way to push ${dir} from ${current-host.name} to ${target}";
 methods.git = config:
 rootssh target ''
@@ -251,7 +265,10 @@ let out = {
 in out;
 rootssh = target: script:
- "ssh root@${target} -T ${doc ''
+ let
+ flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";
+ in
+ "ssh ${flags} root@${target} -T ${doc ''
 set -efu
 ${script}
 ''}";
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 12e52cd11..d2b08bef7 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -114,7 +114,6 @@ with lib;
 ];
 environment.systemPackages = with pkgs; [
- git # required for ./deploy, clone_or_update
 htop
 iftop
 iotop
diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix
index 669dcc2f3..f0c7dc2a0 100644
--- a/tv/1systems/mkdir.nix
+++ b/tv/1systems/mkdir.nix
@@ -88,7 +88,6 @@ in
 ];
 environment.systemPackages = with pkgs; [
- git # required for ./deploy, clone_or_update
 htop
 iftop
 iotop
diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix
index 718f6ae24..210846215 100644
--- a/tv/1systems/nomic.nix
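Review bot: `rootssh` splices the `StrictHostKeyChecking` value into the ssh command line unquoted and unchecked (`flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";`), and the value arrives straight from the top-level argument that default.nix added, so a value containing whitespace turns into extra ssh options and a typo is only reported once ssh runs on every `deploy`/`infest`. The tv/4lib hunk refers to `lib.shell.escape`, so assuming that helper shell-quotes its argument as the name suggests, quoting is a one-line change: `flags = "-o StrictHostKeyChecking=${lib.shell.escape StrictHostKeyChecking}";`, and an evaluation-time check such as `assert builtins.elem StrictHostKeyChecking ["yes" "no" "ask"];` in front of the `let` catches typos before anything connects. Since any value other than `yes` weakens the host-key verification that protects the root sessions to `${target}`, a short comment at the default in default.nix, e.g. `# ssh -o StrictHostKeyChecking for deploy/infest; "yes" refuses unknown host keys`, documents the trade-off where it is set.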
+++ b/tv/1systems/nomic.nix
@@ -64,27 +64,24 @@ with lib;
 ];
 boot.initrd.luks = {
- cryptoModules = [ "aes" "sha1" "xts" ];
+ cryptoModules = [ "aes" "sha512" "xts" ];
 devices = [
- {
- name = "luks1";
- device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
- }
+ { name = "luks1"; device = "/dev/sda2"; }
 ];
 };
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+ { device = "/dev/mapper/nomic1-root";
 fsType = "btrfs";
 };
 fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+ { device = "/dev/sda1";
 fsType = "ext4";
 };
 fileSystems."/home" =
- { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+ { device = "/dev/mapper/nomic1-home";
 fsType = "btrfs";
 };
diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix
index 79e47c539..c52222cd1 100644
--- a/tv/1systems/rmdir.nix
+++ b/tv/1systems/rmdir.nix
@@ -84,7 +84,6 @@ in
 ];
 environment.systemPackages = with pkgs; [
- git # required for ./deploy, clone_or_update
 htop
 iftop
 iotop
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index c691066cb..89ad257f0 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -37,7 +37,6 @@ with lib;
 # stockholm
 genid
- git
 gnumake
 hashPassword
 lentil
diff --git a/tv/2configs/base.nix b/tv/2configs/base.nix
index 010d4b326..4de980cf1 100644
--- a/tv/2configs/base.nix
+++ b/tv/2configs/base.nix
@@ -15,6 +15,12 @@ in
 imports = [
 {
+ # stockholm dependencies
+ environment.systemPackages = with pkgs; [
+ git
+ ];
+ }
+ {
 # TODO never put hashedPassword into the store
 users.extraUsers =
 mapAttrs (_: h: { hashedPassword = h; })
diff --git a/tv/2configs/test.nix b/tv/2configs/test.nix
index 409b4e9b4..f5f068d6f 100644
--- a/tv/2configs/test.nix
+++ b/tv/2configs/test.nix
@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-with import ../4lib { inherit lib pkgs; };
+with lib;
 let
 out = {
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index c1c5d19d9..373803cc6 100644
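Review bot: The LUKS container and `/boot` are now addressed by kernel enumeration names (`device = "/dev/sda2"` and `device = "/dev/sda1"`) instead of the `/dev/disk/by-uuid/...` paths they replace; those names can shift when another disk or a USB device is present at boot, and for the `luks1` entry that means the initrd unlocks or prompts for the wrong device, while `/dev/mapper/nomic1-root` and `/dev/mapper/nomic1-home` are stable and fine. If the UUIDs were simply not known at the time of the reinstall, saying so keeps a later reader from treating the kernel names as deliberate: `{ name = "luks1"; device = "/dev/sda2"; } # TODO by-uuid once known`. The `cryptoModules` change to `"sha512"` is consistent with the new device line only if the volume was re-created with that hash, which this hunk cannot show — a one-word note on the line would settle it.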
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -29,10 +29,6 @@
 # 2014-09-24 ref https://github.com/4z3/xintmap
 http://www.mathstat.dal.ca/~selinger/quipper/
- # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
- # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
- http://nixos.org/releases/nixops/
-
 ## other
 https://nixos.org/channels/nixos-unstable/git-revision
diff --git a/tv/3modules/consul.nix b/tv/3modules/consul.nix
index e764ab7b2..ccdee07f5 100644
--- a/tv/3modules/consul.nix
+++ b/tv/3modules/consul.nix
@@ -5,7 +5,7 @@
 # TODO consul-bootstrap HOST that actually does is
 # TODO tools to inspect state of a cluster in outage state
-with import ../4lib { inherit lib pkgs; };
+with lib;
 let
 cfg = config.tv.consul;
diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix
index 106535ba2..7e6b2ab17 100644
--- a/tv/4lib/default.nix
+++ b/tv/4lib/default.nix
@@ -1,20 +1,14 @@
 { lib, pkgs, ... }:
-let
- krebs = import ../../krebs/4lib { inherit lib; };
-in
-
-with krebs;
-
-krebs // rec {
+lib // rec {
 git = import ./git.nix {
- lib = krebs;
- inherit pkgs;
+ inherit lib pkgs;
 };
 # "7.4.335" -> "74"
 majmin = with lib; x : concatStrings (take 2 (splitString "." x));
- shell-escape = krebs.shell.escape;
+ # TODO deprecate shell-escape for lass
+ shell-escape = lib.shell.escape;
 } |
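Review bot: `lib // rec {` and `shell-escape = lib.shell.escape;` in the tv/4lib hunk assume that `lib` is the merged stockholm lib (nixpkgs lib plus krebs/4lib) that default.nix now constructs, not a plain nixpkgs `lib`; with the latter, evaluation fails on the missing `shell` attribute, and the file header `{ lib, pkgs, ... }:` gives no hint of that requirement. A one-line comment after the header, e.g. `# lib must be stockholm's merged lib (nixpkgs lib // krebs/4lib), see ../../default.nix`, records the contract. The `# TODO deprecate shell-escape for lass` note would be more actionable with the replacement named: `# TODO deprecate shell-escape (lass still uses it); prefer lib.shell.escape`.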