Diffstat (limited to 'krebs/4lib')
-rw-r--r--krebs/4lib/infest/finalize.sh65
-rw-r--r--krebs/4lib/infest/install-nix.sh57
-rw-r--r--krebs/4lib/infest/prepare.sh74
-rw-r--r--krebs/4lib/shell.nix2
-rw-r--r--krebs/4lib/types.nix48
5 files changed, 243 insertions, 3 deletions
diff --git a/krebs/4lib/infest/finalize.sh b/krebs/4lib/infest/finalize.sh
new file mode 100644
index 000000000..ced5a4d4d
--- /dev/null
+++ b/krebs/4lib/infest/finalize.sh
@@ -0,0 +1,65 @@
+#! /bin/sh
+set -eux
+{
+ umount /mnt/nix || [ $? -eq 32 ]
+ umount /mnt/boot || [ $? -eq 32 ]
+ umount /mnt/root || [ $? -eq 32 ]
+ umount /mnt || [ $? -eq 32 ]
+ umount /boot || [ $? -eq 32 ]
+
+ PATH=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
+ export PATH
+
+ mkdir /oldshit
+
+ mv /bin /oldshit/
+ mv /newshit/bin /
+
+ # TODO ensure /boot is empty
+ rmdir /newshit/boot
+
+ # skip /dev
+ rmdir /newshit/dev
+
+ mv /etc /oldshit/
+ mv /newshit/etc /
+
+ # skip /nix (it's already there)
+ rmdir /newshit/nix
+
+ # skip /proc
+ rmdir /newshit/proc
+
+ # skip /run
+ rmdir /newshit/run
+
+ # skip /sys
+ rmdir /newshit/sys
+
+ # skip /root
+ rmdir /newshit/root
+
+ # skip /tmp
+ # TODO rmdir /newshit/tmp
+
+ mv /home /oldshit/
+ mv /newshit/home /
+
+ mv /usr /oldshit/
+ mv /newshit/usr /
+
+ mv /var /oldshit/
+ mv /newshit/var /
+
+ mv /lib /oldshit/
+ mv /lib64 /oldshit/
+ mv /sbin /oldshit/
+ mv /srv /oldshit/
+ mv /opt /oldshit/
+
+
+ mv /newshit /root/ # TODO this one shoult be empty
+ mv /oldshit /root/
+
+ sync
+}
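Review bot: The `PATH=$(set +f; for i in /nix/store/*coreutils*/bin; do :; done; echo $i)` line keeps only the last glob match, so with several coreutils store paths the choice is arbitrary, and with none the variable becomes the literal pattern and every `mv` below fails after `/bin` has already been moved away. A deterministic source is the profile that installed coreutils, e.g. `PATH=$(dirname "$(readlink -f /root/.nix-profile/bin/mv)")` followed by `test -x "$PATH/mv"` before the first `mv`, assuming root's nix profile is where coreutils lives on this host. The `rmdir /newshit/*` lines double as the "must be empty" checks, but they run after `/bin` and `/etc` have been swapped, so a non-empty directory aborts under `set -e` with the host half-migrated; moving all `rmdir` checks ahead of `mkdir /oldshit` makes that abort recoverable.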
diff --git a/krebs/4lib/infest/install-nix.sh b/krebs/4lib/infest/install-nix.sh
new file mode 100644
index 000000000..88c8c3e1e
--- /dev/null
+++ b/krebs/4lib/infest/install-nix.sh
@@ -0,0 +1,57 @@
+#! /bin/sh
+set -efu
+
+nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2
+nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4
+
+install_nix() {(
+
+ # install nix on host (cf. https://nixos.org/nix/install)
+ if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then
+ (
+ verify() {
+ printf '%s %s\n' $nix_sha256 $(basename $nix_url) | sha256sum -c
+ }
+ if ! verify; then
+ curl -C - -O "$nix_url"
+ verify
+ fi
+ )
+ nix_src_dir=$(basename $nix_url .tar.bz2)
+ tar jxf $nix_src_dir.tar.bz2
+ mkdir -v -m 0755 -p /nix
+ $nix_src_dir/install
+ fi
+
+ #TODO: make this general or move to prepare
+ if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then
+ mkdir -p /mnt/nix
+ mount --bind /nix /mnt/nix
+ fi
+
+ . /root/.nix-profile/etc/profile.d/nix.sh
+
+ for i in \
+ bash \
+ coreutils \
+ # This line intentionally left blank.
+ do
+ if ! nix-env -q $i | grep -q .; then
+ nix-env -iA nixpkgs.pkgs.$i
+ fi
+ done
+
+ # install nixos-install
+ if ! type nixos-install 2>/dev/null; then
+ nixpkgs_expr='import <nixpkgs> { system = builtins.currentSystem; }'
+ nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d)
+ nix-env \
+ --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \
+ --arg pkgs "$nixpkgs_expr" \
+ --arg modulesPath 'throw "no modulesPath"' \
+ -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \
+ -iA config.system.build.nixos-install
+ fi
+)}
+
+install_nix "$@"
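Review bot: `nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d)` prints one line per matching store path, so on a host that already holds more than one nixpkgs entry the `-f $nixpkgs_path/...` argument splits into several words and the `nix-env` call either fails or uses whichever entry happens to come first (only `set -f` keeps the unquoted pattern from being expanded by the shell). The expression a few lines above already resolves `<nixpkgs>` through NIX_PATH, so the same lookup can select the file if this `nix-env` accepts the angle-bracket form for `-f`: `-f '<nixpkgs/nixos/modules/installer/tools/tools.nix>'`, and the `find` line goes away. The download and extraction also happen in whatever directory the script was started from; a `cd` to a fixed working directory before `curl` keeps the verified tarball and the unpacked installer out of an arbitrary cwd.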
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
new file mode 100644
index 000000000..07c00c3a5
--- /dev/null
+++ b/krebs/4lib/infest/prepare.sh
@@ -0,0 +1,74 @@
+#! /bin/sh
+set -efu
+
+prepare() {(
+ if test -e /etc/os-release; then
+ . /etc/os-release
+ case $ID in
+ centos)
+ case $VERSION_ID in
+ 7)
+ prepare_centos7 "$@"
+ exit
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ echo "$0 prepare: unknown OS" >&2
+ exit -1
+)}
+
+prepare_centos7() {
+ type bzip2 2>/dev/null || yum install -y bzip2
+ type git 2>/dev/null || yum install -y git
+ type rsync 2>/dev/null || yum install -y rsync
+ if ! getent group nixbld >/dev/null; then
+ groupadd -g 30000 -r nixbld
+ fi
+ for i in `seq 1 10`; do
+ if ! getent passwd nixbld$i 2>/dev/null; then
+ useradd \
+ -c "CentOS Nix build user $i" \
+ -d /var/empty \
+ -g 30000 \
+ -G 30000 \
+ -l \
+ -M \
+ -s /sbin/nologin \
+ -u $(expr 30000 + $i) \
+ nixbld$i
+ rm -f /var/spool/mail/nixbld$i
+ fi
+ done
+
+ #
+ # mount install directory
+ #
+
+ if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt type xfs'; then
+ mkdir -p /newshit
+ mount --bind /newshit /mnt
+ fi
+
+ if ! mount | grep -Fq '/dev/sda1 on /mnt/boot type xfs'; then
+ mkdir -p /mnt/boot
+ mount /dev/sda1 /mnt/boot
+ fi
+
+ mount | grep 'on /mnt\>' >&2
+
+ #
+ # prepare install directory
+ #
+
+ mkdir -p /mnt/etc/nixos
+ mkdir -m 0555 -p /mnt/var/empty
+
+ if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt/root type xfs'; then
+ mkdir -p /mnt/root
+ mount --bind /root /mnt/root
+ fi
+}
+
+prepare "$@"
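Review bot: `mount /dev/sda1 /mnt/boot` hard-codes the boot partition: on a host whose boot filesystem lives elsewhere the grep on the preceding line misses, and whatever partition is on `/dev/sda1` gets mounted into the install tree and later written by the installer. Guard it with the device actually backing `/boot`, e.g. `boot_dev=$(findmnt -n -o SOURCE /boot)` and `mount "$boot_dev" /mnt/boot` (or `mount --bind /boot /mnt/boot`), failing when `findmnt` prints nothing; the same hard-coded `/dev/mapper/centos-root` string appears in the other two greps here and in install-nix.sh. Separately, `exit -1` in `prepare` is not a valid POSIX exit status and some `sh` implementations reject it; `exit 1` is portable.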
diff --git a/krebs/4lib/shell.nix b/krebs/4lib/shell.nix
index 2a6da5c16..5910adacc 100644
--- a/krebs/4lib/shell.nix
+++ b/krebs/4lib/shell.nix
@@ -6,7 +6,7 @@ with lib;
rec {
escape =
let
- isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null;
+ isSafeChar = c: match "[-+./0-9:=A-Z_a-z]" c != null;
in
stringAsChars (c:
if isSafeChar c then c
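Review bot: Adding `=` to `isSafeChar` means a value such as `FOO=bar` now passes through `escape` unquoted, which is fine in argument position but becomes a variable assignment if the escaped word is ever the first word of a simple command; `escape`'s callers are not visible here, so whether that position is reachable cannot be confirmed from this hunk. If the intent was only to let `key=value` arguments through cleanly, a one-line comment recording the constraint stops a future caller from relying on it, e.g. `# '=' is safe only in argument position: an escaped word that starts a command is parsed as an assignment`. The `escape` definition continues outside the hunk.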
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index dbffdf850..0aa594fb1 100644
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -1,11 +1,12 @@
{ lib, ... }:
+with builtins;
with lib;
with types;
types // rec {
- host = submodule {
+ host = submodule ({ config, ... }: {
options = {
name = mkOption {
type = label;
@@ -46,8 +47,39 @@ types // rec {
TODO define minimum requirements for secure hosts
'';
};
+
+ ssh.pubkey = mkOption {
+ type = nullOr str;
+ default = null;
+ apply = x:
+ if x != null
+ then x
+ else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null;
+ };
+ ssh.privkey = mkOption {
+ type = nullOr (submodule {
+ options = {
+ bits = mkOption {
+ type = nullOr (enum ["4096"]);
+ default = null;
+ };
+ path = mkOption {
+ type = either path str;
+ apply = x: {
+ path = toString x;
+ string = x;
+ }.${typeOf x};
+ };
+ type = mkOption {
+ type = enum ["rsa" "ed25519"];
+ default = "ed25519";
+ };
+ };
+ });
+ default = null;
+ };
};
- };
+ });
net = submodule ({ config, ... }: {
options = {
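Review bot: The `apply` on `ssh.privkey.path` (`path = toString x;`) appears to be what keeps a Nix path literal from being interpolated, and therefore copied into the world-readable store, when the key location is later used in a string, but nothing says so, and since the `string = x` branch is a no-op a reader may later "simplify" the whole `apply` away. A comment above `apply` such as `# toString keeps a path literal out of the store; the key file must stay on the host` would record the intent (inferred from the code, please confirm). `bits` only admits `"4096"` while `type` defaults to `"ed25519"`, for which a bit size is meaningless; a check that `bits` is null unless `type == "rsa"` would catch a mismatched configuration at evaluation time. The `host` submodule continues outside the hunk.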
@@ -71,6 +103,18 @@ types // rec {
aliases = mkOption {
# TODO nonEmptyListOf hostname
type = listOf hostname;
+ default = [];
+ };
+ ssh = mkOption {
+ type = submodule {
+ options = {
+ port = mkOption {
+ type = nullOr int;
+ default = null;
+ };
+ };
+ };
+ default = {};
};
tinc = mkOption {
type = let net-config = config; in nullOr (submodule ({ config, ... }: {
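Review bot: `ssh.port` accepts any `int`, so a negative or out-of-range value is only rejected when the generated ssh configuration is parsed, far from the option that introduced it. If `addCheck` is in scope through `with types;` here (it has long been part of lib.types), the range can be pinned at the option: `type = nullOr (addCheck int (p: p > 0 && p < 65536));`. The `net` submodule continues outside the hunk.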