Diffstat (limited to 'krebs')
40 files changed, 334 insertions, 347 deletions
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix index 92400139c..d58661a28 100644 --- a/krebs/3modules/Reaktor.nix +++ b/krebs/3modules/Reaktor.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let ReaktorConfig = pkgs.writeText "config.py" '' @@ -16,7 +16,7 @@ let out = { options.krebs.Reaktor = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/apt-cacher-ng.nix b/krebs/3modules/apt-cacher-ng.nix index 371d39b6f..46b405842 100644 --- a/krebs/3modules/apt-cacher-ng.nix +++ b/krebs/3modules/apt-cacher-ng.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let acng-config = pkgs.writeTextFile { name = "acng-configuration"; @@ -151,5 +151,5 @@ let in { options.krebs.apt-cacher-ng = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; } diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 66a325ed9..0aa86dec9 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -1,9 +1,9 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let out = { options.krebs.backup = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; cfg = config.krebs.backup; @@ -210,7 +210,7 @@ let | ${pkgs.coreutils}/bin/head -1; } ''; - # Note that we don't escape word on purpose, so we deref shell vars. + # Note that we don't escape word on purpose, so we can deref shell vars. # TODO type word network-ssh-port = host: word: '' case ${word} in diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index e74841205..9e777a5ef 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let gunicorn = pkgs.pythonPackages.gunicorn; bepasty = pkgs.pythonPackages.bepasty-server; 
@@ -10,8 +10,8 @@ let out = { options.krebs.bepasty = api; - config = mkIf cfg.enable (mkMerge [ - (mkIf cfg.serveNginx nginx-imp) + config = lib.mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf cfg.serveNginx nginx-imp) imp ]); }; diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 3530fd595..a1f446188 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with lib; +with config.krebs.lib; let out = { @@ -51,6 +51,7 @@ let source = config.krebs.build.source; target-user = maybeEnv "target_user" "root"; target-host = maybeEnv "target_host" config.krebs.build.host.name; + target-port = maybeEnv "target_port" "22"; target-path = maybeEnv "target_path" "/var/src"; out = '' #! /bin/sh @@ -62,7 +63,8 @@ let } echo ${shell.escape git-script} \ - | ssh ${shell.escape "${target-user}@${target-host}"} -T + | ssh -p ${shell.escape target-port} \ + ${shell.escape "${target-user}@${target-host}"} -T unset tmpdir trap ' @@ -93,6 +95,7 @@ let (attrNames file-specs)} \ --delete \ -vFrlptD \ + -e ${shell.escape "ssh -p ${target-port}"} \ ${shell.escape target-path}/ \ ${shell.escape "${target-user}@${target-host}:${target-path}"} ''; diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index 74385a433..825cb3413 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let buildbot = pkgs.buildbot; buildbot-master-config = pkgs.writeText "buildbot-master.cfg" '' @@ -381,5 +381,5 @@ let in { options.krebs.buildbot.master = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; } diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix index 0e7796d8a..7705ac31c 100644 --- a/krebs/3modules/buildbot/slave.nix +++ b/krebs/3modules/buildbot/slave.nix 
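Review bot: In build.nix the new `target-port = maybeEnv "target_port" "22";` takes an environment value and uses it without any check; `shell.escape` protects the outer shell in the `ssh -p` line, but in the rsync hunk (`@@ -93,6 +95,7`) it is embedded in the `-e "ssh -p ${target-port}"` string, which rsync splits on whitespace itself, so a value with spaces would reach ssh as extra arguments. The script is run by the operator with their own environment, so the exposure is small, but a one-line guard at the definition keeps a typo from turning into odd ssh behaviour: `target-port = let p = maybeEnv "target_port" "22"; in assert builtins.match "[0-9]+" p != null; p;`. The `let` body that holds these three hunks starts and ends outside them.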
@@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let buildbot-slave-init = pkgs.writeText "buildbot-slave.tac" '' import os @@ -182,5 +182,5 @@ let in { options.krebs.buildbot.slave = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; } diff --git a/krebs/3modules/current.nix b/krebs/3modules/current.nix index 41941e289..9f63e33ac 100644 --- a/krebs/3modules/current.nix +++ b/krebs/3modules/current.nix @@ -1,13 +1,13 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.current; out = { options.krebs.current = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 060b4445d..c06f3754e 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs; @@ -9,9 +9,9 @@ let ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix - ./build.nix ./buildbot/master.nix ./buildbot/slave.nix + ./build.nix ./current.nix ./exim-retiolum.nix ./exim-smarthost.nix @@ -20,19 +20,21 @@ let ./git.nix ./go.nix ./iptables.nix + ./lib.nix ./nginx.nix ./nixpkgs.nix ./per-user.nix ./Reaktor.nix - ./retiolum-bootstrap.nix ./realwallpaper.nix + ./retiolum-bootstrap.nix ./retiolum.nix + ./setuid.nix ./tinc_graphs.nix ./urlwatch.nix ./repo-sync.nix ]; options.krebs = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { 
@@ -83,13 +85,13 @@ let }; }; - imp = mkMerge [ - { krebs = import ./lass { inherit lib; }; } - { krebs = import ./makefu { inherit lib; }; } - { krebs = import ./miefda { inherit lib; }; } - { krebs = import ./mv { inherit lib; }; } - { krebs = import ./shared { inherit lib; }; } - { krebs = import ./tv { inherit lib; }; } + imp = lib.mkMerge [ + { krebs = import ./lass { inherit config lib; }; } + { krebs = import ./makefu { inherit config lib; }; } + { krebs = import ./miefda { inherit config lib; }; } + { krebs = import ./mv { inherit config lib; }; } + { krebs = import ./shared { inherit config lib; }; } + { krebs = import ./tv { inherit config lib; }; } { krebs.dns.providers = { de.krebsco = "zones"; diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index ea012c38c..1722eef1f 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,12 +1,12 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.exim-retiolum; out = { options.krebs.exim-retiolum = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index a564430ea..267ee2900 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -1,13 +1,12 @@ { config, pkgs, lib, ... }: -with builtins; -with lib; +with config.krebs.lib; let cfg = config.krebs.exim-smarthost; out = { options.krebs.exim-smarthost = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 225f00803..53fe0839d 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix 
@@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.fetchWallpaper; out = { options.krebs.fetchWallpaper = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 11cf21b5f..a9542718d 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, lib, pkgs, ... }: # TODO unify logging of shell scripts to user and journal # TODO move all scripts to ${etcDir}, so ControlMaster connections @@ -6,13 +6,13 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with lib; +with config.krebs.lib; let cfg = config.krebs.git; out = { options.krebs.git = api; - config = mkIf cfg.enable (mkMerge [ + config = with lib; mkIf cfg.enable (mkMerge [ (mkIf cfg.cgit cgit-imp) git-imp ]); @@ -86,7 +86,7 @@ let singleton { user = [ config.krebs.users.tv ]; repo = [ testing ]; # see literal example of repos - perm = push "refs/*" (with lib.git; [ + perm = push "refs/*" (with config.krebs.lib.git; [ non-fast-forward create delete merge ]); } diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 2aa18d53a..1d3873232 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,12 +1,12 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.github-hosts-sync; out = { options.krebs.github-hosts-sync = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix index 08a93dab7..52a104bb9 100644 --- a/krebs/3modules/go.nix +++ b/krebs/3modules/go.nix 
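Review bot: git.nix is the only module in this commit that writes `config = with lib; mkIf cfg.enable (mkMerge [` instead of qualifying the calls as the other modules now do with `lib.mkIf` / `lib.mkMerge`. The nested `with lib;` also takes precedence over the module-level `with config.krebs.lib;` inside that expression, which is a subtle scoping difference a reader may not expect. For consistency I would write `config = lib.mkIf cfg.enable (lib.mkMerge [` and `(lib.mkIf cfg.cgit cgit-imp)`. This is a style point only; the `out` set continues outside the hunk.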
@@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.go; out = { options.krebs.go = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 749d3ff49..41a609105 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, lib, ... }: -with lib; +with config.krebs.lib; { hosts = { diff --git a/krebs/3modules/lib.nix b/krebs/3modules/lib.nix new file mode 100644 index 000000000..b19f275b5 --- /dev/null +++ b/krebs/3modules/lib.nix @@ -0,0 +1,15 @@ +{ config, pkgs, lib, ... }: +with lib; +let + out = { + options.krebs.lib = api; + config = imp; + }; + api = mkOption { + default = {}; + type = types.attrs; + }; + imp = { + krebs.lib = lib // import ../4lib { inherit lib; } // builtins; + }; +in out diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 2811c0c52..ca83d6906 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, lib, ... }: -with lib; +with config.krebs.lib; { hosts = { @@ -292,8 +292,8 @@ with lib; cores = 1; nets = { retiolm = { - addrs4 = ["10.243.214.15/32"]; - addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732/128"]; + addrs4 = ["10.243.214.15"]; + addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732"]; aliases = [ "wbob.retiolum" ]; diff --git a/krebs/3modules/miefda/default.nix b/krebs/3modules/miefda/default.nix index 0cfa8bd27..6587ad92d 100644 --- a/krebs/3modules/miefda/default.nix +++ b/krebs/3modules/miefda/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, lib, ... }: -with lib; +with config.krebs.lib; { hosts = { diff --git a/krebs/3modules/mv/default.nix b/krebs/3modules/mv/default.nix index 8803cb249..33f941aae 100644 --- a/krebs/3modules/mv/default.nix +++ b/krebs/3modules/mv/default.nix 
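Review bot: The new krebs/3modules/lib.nix is the one module that keeps `with lib;` while every other file in this commit switches to `with config.krebs.lib;`, and nothing says why; a reader is likely to "fix" it and get an infinite recursion, since `config.krebs.lib` is the option this very module defines. A comment on that line would prevent that: `# keep the plain lib here: config.krebs.lib is defined by this module`. The merge order in `krebs.lib = lib // import ../4lib { inherit lib; } // builtins;` also deserves a note, because `builtins` is merged last and therefore wins on any name clash with `lib` or `4lib`, which is the opposite of what the removed `with builtins; with lib;` stacks in exim-smarthost.nix and nginx.nix resolved to; if that is intended, say so next to the line, e.g. `# builtins take precedence over lib and 4lib on name clashes`. Since the option is `types.attrs`, any other module can extend or override entries of `krebs.lib`; that may be deliberate, but it is worth stating in the option's `description`.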
@@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, ... }: -with lib; +with config.krebs.lib; { hosts = { diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 921771033..7b7163071 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -1,13 +1,12 @@ -{ config, pkgs, lib, ... }: +{ config, lib, pkgs, ... }: -with builtins; -with lib; +with config.krebs.lib; let cfg = config.krebs.nginx; out = { options.krebs.nginx = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { @@ -34,6 +33,7 @@ let }; locations = mkOption { type = with types; listOf (attrsOf str); + default = []; }; extraConfig = mkOption { type = with types; string; @@ -76,8 +76,8 @@ let server { ${concatMapStringsSep "\n" (x: "listen ${x};") listen} server_name ${toString server-names}; - ${extraConfig} - ${indent (concatStrings (map to-location locations))} + ${indent extraConfig} + ${indent (concatMapStrings to-location locations)} } ''; diff --git a/krebs/3modules/nixpkgs.nix b/krebs/3modules/nixpkgs.nix index 4129f9483..5816b8a30 100644 --- a/krebs/3modules/nixpkgs.nix +++ b/krebs/3modules/nixpkgs.nix @@ -1,11 +1,11 @@ -{ config, pkgs, lib, ... }: -with lib; +{ config, lib, pkgs, ... }: +with config.krebs.lib; let cfg = config.krebs.nixpkgs; out = { options.krebs.nixpkgs = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { @@ -37,7 +37,7 @@ let }; }; - imp = mkIf (cfg.allowUnfreePredicate != null) { + imp = lib.mkIf (cfg.allowUnfreePredicate != null) { nixpkgs.config.allowUnfreePredicate = cfg.allowUnfreePredicate; }; in out diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index ee213deda..13da5c4c3 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.per-user; 
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index b377368f7..df374e184 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -1,12 +1,12 @@ -arg@{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.realwallpaper; out = { options.krebs.realwallpaper = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 65bb51193..40382d098 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -1,12 +1,12 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.retiolum-bootstrap; out = { options.krebs.retiolum-bootstrap = api; - config = mkIf cfg.enable imp ; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 407695273..d0162eae9 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -1,11 +1,11 @@ { config, pkgs, lib, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.retiolum; out = { options.krebs.retiolum = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix new file mode 100644 index 000000000..1137788d8 --- /dev/null +++ b/krebs/3modules/setuid.nix 
@@ -0,0 +1,75 @@ +{ config, pkgs, lib, ... }: +with config.krebs.lib; +let + cfg = config.krebs.setuid; + + out = { + options.krebs.setuid = api; + config = imp; + }; + + api = mkOption { + default = {}; + type = let + # TODO make wrapperDir configurable + inherit (config.security) wrapperDir; + inherit (config.users) groups users; + in types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.filename; + default = config._module.args.name; + }; + filename = mkOption { + type = mkOptionType { + # TODO unyuck string and merge with toC + name = "derivation or string"; + check = x: + isDerivation x || + isString x; + }; + apply = toString; + }; + owner = mkOption { + default = "root"; + type = types.enum (attrNames users); + }; + group = mkOption { + default = "root"; + type = types.enum (attrNames groups); + }; + mode = mkOption { + default = "4710"; + type = mkOptionType { + # TODO admit symbolic mode + name = "octal mode"; + check = x: + isString x && + match "[0-7][0-7][0-7][0-7]" x != null; + }; + }; + activate = mkOption { + type = types.str; + visible = false; + readOnly = true; + }; + }; + config.activate = let + src = pkgs.execve config.name { + inherit (config) filename; + }; + dst = "${wrapperDir}/${config.name}"; + in '' + cp ${src} ${dst} + chown ${config.owner}.${config.group} ${dst} + chmod ${config.mode} ${dst} + ''; + })); + }; + + imp = { + system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] + (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg)); + }; + +in out diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index df4c529bf..208b596f8 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -1,9 +1,8 @@ -{ lib, ... }: - -with lib; +{ config, ... }: +with config.krebs.lib; let - testHosts = lib.genAttrs [ + testHosts = genAttrs [ "test-arch" "test-centos6" "test-centos7" 
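Review bot: In the `config.activate` script of the new setuid.nix, `chown ${config.owner}.${config.group}` uses the dot separator, which GNU chown only accepts for compatibility and which is ambiguous when a user name itself contains a dot; the portable form is `chown ${config.owner}:${config.group} ${dst}`. The wrapper is also replaced in place (`cp`, then `chown`, then `chmod`), so there is a window in which `${dst}` is a partially written, non-setuid binary and an error between the steps leaves a half-updated wrapper behind; copying to a temporary name inside `${wrapperDir}`, setting owner and mode there and then renaming over `${dst}` makes the swap atomic, as sketched below. The `mode` check `match "[0-7][0-7][0-7][0-7]" x` accepts any four-digit octal value, including group- or world-writable setuid modes such as `4777`; if that is not meant to be allowed, tighten the pattern or add an assertion, and document the `4710` default in a `description`. `types.filename` looks like a project-defined type; assuming it rejects path separators, `"${wrapperDir}/${config.name}"` cannot escape the wrapper directory, but that is worth confirming where the type is defined.
```nix
      config.activate = let
        src = pkgs.execve config.name {
          inherit (config) filename;
        };
        dst = "${wrapperDir}/${config.name}";
        tmp = "${dst}.tmp";
      in ''
        cp ${src} ${tmp}
        chown ${config.owner}:${config.group} ${tmp}
        chmod ${config.mode} ${tmp}
        mv -f ${tmp} ${dst}
      '';
```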
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index dc0484a8b..2692de982 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with lib; +with config.krebs.lib; let cfg = config.krebs.tinc_graphs; internal_dir = "${cfg.workingDir}/internal"; @@ -8,7 +8,7 @@ let out = { options.krebs.tinc_graphs = api; - config = mkIf cfg.enable imp ; + config = lib.mkIf cfg.enable imp ; }; api = { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 9a0b99396..f8d3d8671 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -1,6 +1,6 @@ -{ lib, ... }: +{ config, ... }: -with lib; +with config.krebs.lib; { dns.providers = { diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 7a9fb55fd..cd4976a21 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -5,14 +5,14 @@ # cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" # TODO hooks.py -with lib; +with config.krebs.lib; let cfg = config.krebs.urlwatch; # TODO assert sendmail's existence out = { options.krebs.urlwatch = api; - config = mkIf cfg.enable imp; + config = lib.mkIf cfg.enable imp; }; api = { diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 4d7e0b549..d5b6d03ac 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -26,11 +26,15 @@ let out = rec { shell = import ./shell.nix { inherit lib; }; tree = import ./tree.nix { inherit lib; }; - toC = x: { + toC = x: let + type = typeOf x; + reject = throw "cannot convert ${type}"; + in { list = "{ ${concatStringsSep ", " (map toC x)} }"; null = "NULL"; + set = if isDerivation x then toJSON x else reject; string = toJSON x; # close enough - }.${typeOf x}; + }.${type} or reject; subdirsOf = path: mapAttrs (name: _: path + "/${name}") 
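Review bot: In the `toC` hunk of krebs/4lib/default.nix, `reject = throw "cannot convert ${type}";` names neither the function nor the offending value, and because `list` recurses, a bad element deep in a list surfaces as the same bare message from the innermost call; prefixing it keeps the trace recognisable: `reject = throw "toC: cannot convert ${type}";`. There is no `int` or `bool` case, so those types fall through to `or reject`; if they are ever expected to reach `toC` an explicit `int = toString x;` would be clearer than the fallback, though whether any caller passes them is not visible here. The surrounding `out = rec {` set starts and ends outside the hunk.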
diff --git a/krebs/4lib/infest/install-nix.sh b/krebs/4lib/infest/install-nix.sh deleted file mode 100644 index af1a8bd16..000000000 --- a/krebs/4lib/infest/install-nix.sh +++ /dev/null @@ -1,50 +0,0 @@ -#! /bin/sh -set -efu - -nix_url=https://nixos.org/releases/nix/nix-1.10/nix-1.10-x86_64-linux.tar.bz2 -nix_sha256=504f7a3a85fceffb8766ae5e1005de9e02e489742f5a63cc3e7552120b138bf4 - -install_nix() {( - - # install nix on host (cf. https://nixos.org/nix/install) - if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then - ( - verify() { - printf '%s %s\n' $nix_sha256 $(basename $nix_url) | sha256sum -c - } - if |