Diffstat (limited to 'krebs/3modules')
78 files changed, 2987 insertions, 1202 deletions
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix index 308c6d41d..2a035d7be 100644 --- a/krebs/3modules/Reaktor.nix +++ b/krebs/3modules/Reaktor.nix @@ -17,7 +17,7 @@ let nickname = mkOption { default = config.krebs.build.host.name + "|r"; - type = types.string; + type = types.str; description = '' The nick name of the irc bot. Defaults to {hostname}|r @@ -47,7 +47,7 @@ let extraConfig = mkOption { default = ""; - type = types.string; + type = types.str; description = '' configuration appended to the default or overridden configuration ''; diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index c0b218c15..910324f3c 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -226,10 +226,14 @@ let # XXX Is one ping enough to determine fastest address? fastest-address = host: '' - { ${pkgs.fping}/bin/fping </dev/null -a \ + { ${pkgs.fping}/bin/fping </dev/null -a -e \ ${concatMapStringsSep " " shell.escape (mapAttrsToList (_: net: head net.aliases) host.nets)} \ - | ${pkgs.coreutils}/bin/head -1; } + | ${pkgs.gnused}/bin/sed -r 's/^(\S+) \(([0-9.]+) ms\)$/\2\t\1/' \ + | ${pkgs.coreutils}/bin/sort -n \ + | ${pkgs.coreutils}/bin/cut -f2 \ + | ${pkgs.coreutils}/bin/head -n 1 + } ''; in out diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index e12367b7c..ffa9a29e9 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -2,10 +2,10 @@ with import <stockholm/lib>; let - gunicorn = pkgs.pythonPackages.gunicorn; + gunicorn = pkgs.python3Packages.gunicorn; bepasty = pkgs.bepasty; - gevent = pkgs.pythonPackages.gevent; - python = pkgs.pythonPackages.python; + gevent = pkgs.python3Packages.gevent; + python = pkgs.python3Packages.python; cfg = config.krebs.bepasty; out = { 
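Review bot: In the new `fastest-address` pipeline, fping output lines that do not match the sed pattern are passed through unchanged, and because `sort -n` treats non-numeric text as 0 and `cut -f2` prints lines without a tab in full, one unexpected line would be chosen ahead of every address that actually carried a round-trip time. Printing only substituted lines, `| ${pkgs.gnused}/bin/sed -rn 's/^(\S+) \(([0-9.]+) ms\)$/\2\t\1/p' \`, restricts the selection to measured hosts. When no host answers the pipeline then prints nothing while `head` still exits 0, so the caller has to treat an empty result as "no reachable address"; the `XXX` one-ping caveat on the context line above still applies to the new ordering.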
@@ -164,7 +164,7 @@ let client_max_body_size 32M; ''; locations = { - "/".extraConfig = "proxy_set_header Host $http_host;"; + "/".extraConfig = "proxy_set_header Host $host;"; "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock"; "/static/".extraConfig = '' alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; diff --git a/krebs/3modules/bindfs.nix b/krebs/3modules/bindfs.nix new file mode 100644 index 000000000..7e3730e86 --- /dev/null +++ b/krebs/3modules/bindfs.nix 
@@ -0,0 +1,61 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: +let + cfg = config.krebs.bindfs; +in { + options.krebs.bindfs = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + target = mkOption { + description = '' + destination where bindfs mounts to. + second positional argument to bindfs. + ''; + default = config._module.args.name; + type = types.absolute-pathname; + }; + source = mkOption { + description = '' + source folder where the mounted directory is originally. + first positional argument to bindfs. + ''; + type = types.absolute-pathname; + }; + options = mkOption { + description = '' + additional arguments to bindfs + ''; + type = types.listOf types.str; + default = []; + }; + clearTarget = mkOption { + description = '' + whether to clear the target folder before mounting + ''; + type = types.bool; + default = false; + }; + }; + })); + default = {}; + }; + + config = mkIf (cfg != {}) { + systemd.services = mapAttrs' (n: mount: let + name = replaceStrings [ "/" ] [ "_" ] n; + in nameValuePair "bindfs-${name}" { + wantedBy = [ "local-fs.target" ]; + path = [ pkgs.coreutils ]; + serviceConfig = { + ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' + ${optionalString mount.clearTarget '' + rm -rf '${mount.target}' + ''} + mkdir -p '${mount.source}' + mkdir -p '${mount.target}' + ''; + ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; + }; + }) cfg; + }; +} diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix new file mode 100644 index 000000000..9b2ed4a71 --- /dev/null +++ b/krebs/3modules/brockman.nix 
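Review bot: The `ExecStart` line splices `mount.options`, `mount.source` and `mount.target` into the command line unquoted, so an option or path containing whitespace or a character systemd treats specially is split or misparsed; wrapping them with the `shell.escape` helper the other modules in this diff already use, `ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatMapStringsSep " " shell.escape mount.options} ${shell.escape mount.source} ${shell.escape mount.target}";`, keeps each value a single argument (systemd accepts single-quoted words). The `rm -rf '${mount.target}'` in `ExecStartPre` has the same quoting gap and runs on every (re)start, so if a previous bindfs mount is still attached to the target at that moment the recursive delete would go through the bind into the source tree; guarding it with a `mountpoint -q` check (util-linux would then need to be in `path`) or unmounting in `ExecStopPost` limits it to the intended case. That failure mode is inferred from the unit as written, not observed.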
@@ -0,0 +1,36 @@ +{ pkgs, config, ... }: +with import <stockholm/lib>; +let + cfg = config.krebs.brockman; +in { + options.krebs.brockman = { + enable = mkEnableOption "brockman"; + config = mkOption { type = types.attrs; }; # TODO make real config here + }; + + config = mkIf cfg.enable { + users.extraUsers.brockman = { + home = "/var/lib/brockman"; + createHome = true; + isNormalUser = false; + uid = genid_uint31 "brockman"; + }; + + systemd.services.brockman = { + description = "RSS to IRC broadcaster"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + Restart = "always"; + ExecStart = '' + ${pkgs.brockman}/bin/brockman ${pkgs.writeText "brockman.json" (builtins.toJSON cfg.config)} + ''; + User = config.users.extraUsers.brockman.name; + PrivateTmp = true; + RuntimeDirectory = "brockman"; + WorkingDirectory = "%t/brockman"; + RestartSec = 5; + }; + }; + }; +} diff --git a/krebs/3modules/charybdis.nix b/krebs/3modules/charybdis.nix index f4a7c1313..038d79dd0 100644 --- a/krebs/3modules/charybdis.nix +++ b/krebs/3modules/charybdis.nix @@ -21,14 +21,14 @@ in enable = mkEnableOption "Charybdis IRC daemon"; config = mkOption { - type = types.string; + type = types.str; description = '' Charybdis IRC daemon configuration file. ''; }; statedir = mkOption { - type = types.string; + type = types.str; default = "/var/lib/charybdis"; description = '' Location of the state directory of charybdis. @@ -36,7 +36,7 @@ in }; user = mkOption { - type = types.string; + type = types.str; default = "ircd"; description = '' Charybdis IRC daemon user. @@ -44,7 +44,7 @@ in }; group = mkOption { - type = types.string; + type = types.str; default = "ircd"; description = '' Charybdis IRC daemon group. 
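Review bot: `after = [ "network-online.target" ]` only orders the unit; without a matching `wants = [ "network-online.target" ];` the target is not pulled in, so the bot may start before the network is up and depend on `Restart = "always"` to recover. The whole of `cfg.config` is serialised into the world-readable Nix store through `writeText`, so if that attribute set ever carries an IRC password or similar credential it becomes readable by every local user; a path option read at start time would avoid that, and the `# TODO make real config here` line is the place to record it. `WorkingDirectory = "%t/brockman"` points at the `RuntimeDirectory`, a tmpfs cleared on each restart, while `home` is `/var/lib/brockman`; if brockman keeps state in its working directory (not visible here), `StateDirectory = "brockman"` with a matching `WorkingDirectory` is the persistent choice.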
@@ -71,14 +71,13 @@ in config = mkIf cfg.enable (lib.mkMerge [ { - users.users = singleton { - name = cfg.user; + users.users.${cfg.user} = { description = "Charybdis IRC daemon user"; uid = config.ids.uids.ircd; group = cfg.group; }; - users.groups = singleton { + users.groups.${cfg.group} = { name = cfg.group; gid = config.ids.gids.ircd; }; @@ -102,7 +101,7 @@ in }; } - + (mkIf (cfg.motd != null) { environment.etc."charybdis/ircd.motd".text = cfg.motd; }) diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix index a47dbe611..50db0b971 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci.nix @@ -27,7 +27,7 @@ let hostname = config.networking.hostName; getJobs = pkgs.writeDash "get_jobs" '' set -efu - ${pkgs.nix}/bin/nix-build --no-out-link --quiet -Q ./ci.nix >&2 + ${pkgs.nix}/bin/nix-build --no-out-link --quiet --show-trace -Q ./ci.nix >&2 json="$(${pkgs.nix}/bin/nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)" echo "$json" | ${pkgs.jq}/bin/jq -r 'to_entries[] | [.key, .value] | @tsv' \ | while read -r host builder; do @@ -52,7 +52,7 @@ let "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}', - pollinterval=10 + pollinterval=100 ) ) '') repo.urls) @@ -108,10 +108,12 @@ let name=str(new_step), command=[ "${pkgs.writeDash "build-stepper.sh" '' - set -efu + set -xefu profile=${shell.escape profileRoot}/$build_name result=$("$build_script") - ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + if [ -n "$result" ]; then + ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + fi ''}" ], env={ @@ -133,6 +135,7 @@ let f_${name} = util.BuildFactory() f_${name}.addStep(steps.Git( repourl=util.Property('repository', '${head repo.urls}'), + method='clobber', mode='full', submodules=True, )) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 567c077eb..85d27459b 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
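Review bot: The rewritten `users.groups.${cfg.group} = { name = cfg.group; ... }` keeps the `name` attribute that the parallel `users.users.${cfg.user}` block just dropped; with the attribute key now carrying the name, `name = cfg.group;` is redundant and removing it gives both definitions the same shape. The enclosing `mkMerge` list continues outside the hunk.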
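Review bot: The new `if [ -n "$result" ]` guard in `build-stepper.sh` lets a build whose script prints nothing finish successfully with the profile left unchanged, which buildbot reports as green; since `set -e` already aborts on a non-zero exit from `"$build_script"`, the empty case is the only one the guard covers, so it should at least be visible: `else echo "build-stepper: $build_name produced no result" >&2; exit 1; fi`, or a logged no-op if an empty result is intentional. `set -xefu` also echoes every expanded command, including `$profile` and `$result`, into the step log, which is fine for store paths but worth remembering if the step environment ever carries anything sensitive. The Python string holding this script continues outside the hunk.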
@@ -11,6 +11,8 @@ let ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix + ./bindfs.nix + ./brockman.nix ./buildbot/master.nix ./buildbot/slave.nix ./build.nix @@ -27,6 +29,7 @@ let ./github-known-hosts.nix ./git.nix ./go.nix + ./gollum.nix ./hidden-ssh.nix ./hosts.nix ./htgen.nix @@ -35,10 +38,10 @@ let ./kapacitor.nix ./konsens.nix ./monit.nix - ./newsbot-js.nix ./nixpkgs.nix ./on-failure.nix ./os-release.nix + ./permown.nix ./per-user.nix ./power-action.nix ./Reaktor.nix @@ -48,9 +51,11 @@ let ./rtorrent.nix ./secret.nix ./setuid.nix - ./syncthing.nix + ./shadow.nix + ./sync-containers.nix ./tinc.nix ./tinc_graphs.nix + ./upstream ./urlwatch.nix ./repo-sync.nix ./xresources.nix @@ -88,8 +93,10 @@ let @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) IN NS ns19.ovh.net. IN NS dns19.ovh.net. - IN A 192.30.252.154 - IN A 192.30.252.153 + IN A 185.199.108.153 + IN A 185.199.109.153 + IN A 185.199.110.153 + IN A 185.199.111.153 ''; }; }; @@ -102,11 +109,11 @@ let { krebs = import ./lass { inherit config; }; } { krebs = import ./makefu { inherit config; }; } { krebs = import ./external/palo.nix { inherit config; }; } + { krebs = import ./external/mic92.nix { inherit config; }; } { krebs = import ./tv { inherit config; }; } { krebs.dns.providers = { "krebsco.de" = "zones"; - gg23 = "hosts"; shack = "hosts"; i = "hosts"; r = "hosts"; @@ -129,7 +136,7 @@ let services.openssh.hostKeys = let inherit (config.krebs.build.host.ssh) privkey; in - mkIf (privkey != null) (mkForce [privkey]); + mkIf (privkey != null) [privkey]; # TODO use imports for merging services.openssh.knownHosts = 
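Review bot: The zone's A records are replaced but the SOA serial `2015052000` on the context line above stays the same, so secondary name servers transferring this zone (the SOA names ovh hosts) will keep serving the old `192.30.252.x` addresses until the serial is bumped; raise it together with the records, in the same date-based form the zone already uses. The zone literal begins before the hunk.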
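Review bot: Dropping `mkForce` from `services.openssh.hostKeys` means the managed `privkey` is now merged with any other explicit definition of that option instead of replacing it, so another module could add host keys to the daemon that are not tracked in the krebs host config; whether such a definition exists is not visible here. If the intent is that only `privkey` is presented, keep the force, otherwise a comment next to `# TODO use imports for merging` naming the definition expected to merge in would make the change deliberate.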
@@ -150,9 +157,11 @@ let let longs = net.aliases; shorts = - map (removeSuffix ".${cfg.dns.search-domain}") - (filter (hasSuffix ".${cfg.dns.search-domain}") - longs); + optionals + (cfg.dns.search-domain != null) + (map (removeSuffix ".${cfg.dns.search-domain}") + (filter (hasSuffix ".${cfg.dns.search-domain}") + longs)); add-port = a: if net.ssh.port != 22 then "[${a}]:${toString net.ssh.port}" @@ -175,7 +184,8 @@ let (concatMap (host: attrValues host.nets) (mapAttrsToList (_: host: recursiveUpdate host - (optionalAttrs (hasAttr cfg.dns.search-domain host.nets) { + (optionalAttrs (cfg.dns.search-domain != null && + hasAttr cfg.dns.search-domain host.nets) { nets."" = host.nets.${cfg.dns.search-domain} // { aliases = [host.name]; addrs = []; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix index b7e2a2cbb..8acc4ccd8 100644 --- a/krebs/3modules/dns.nix +++ b/krebs/3modules/dns.nix @@ -6,7 +6,7 @@ with import <stockholm/lib>; }; krebs.dns.search-domain = mkOption { - type = types.hostname; + type = types.nullOr types.hostname; }; }; } diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index e08024977..a16661c9f 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,15 +1,22 @@ -{ config, pkgs, lib, ... }: - with import <stockholm/lib>; -let +{ config, pkgs, lib, ... }: let cfg = config.krebs.exim-retiolum; - out = { - options.krebs.exim-retiolum = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { + # Due to improvements to the JSON notation, braces around top-level objects + # are not necessary^Wsupported by rspamd's parser when including files: + # https://github.com/rspamd/rspamd/issues/2674 + toMostlyJSON = value: + assert typeOf value == "set"; + (s: substring 1 (stringLength s - 2) s) + (toJSON value); + + to-lsearch = concatMapStrings ({ from, to, ... }: "${from}: ${to}\n"); + lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) ({ |
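Review bot: `krebs.dns.search-domain` now accepts `null` but gets no `default`, so the `!= null` guards added in default.nix only take effect once the option has been set somewhere; unless a definition exists outside this diff, a host that leaves it unset still fails evaluation for using an option without a value. Adding `default = null;` to the `mkOption` is what makes the `nullOr` type meaningful.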