From f6a4131daecd6e5c1a0727adbcac43ba8530ec13 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:13:46 +0100 Subject: tv exim-retiolum: init --- tv/1systems/nomic.nix | 7 +------ tv/1systems/wu.nix | 5 +---- tv/1systems/xu.nix | 8 +------- tv/2configs/exim-retiolum.nix | 5 +++++ 4 files changed, 8 insertions(+), 17 deletions(-) create mode 100644 tv/2configs/exim-retiolum.nix diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 7bc7b70d2..145e9b236 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -5,11 +5,9 @@ with lib; { krebs.build.host = config.krebs.hosts.nomic; - krebs.build.target = "root@nomic.gg23"; - imports = [ ../2configs/hw/AO753.nix - #../2configs/consul-server.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/pulse.nix ../2configs/xserver @@ -24,9 +22,6 @@ with lib; ]; }; } - { - krebs.exim-retiolum.enable = true; - } { krebs.nginx = { enable = true; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 3bdf8d37a..47fdb2092 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -7,7 +7,7 @@ with lib; imports = [ ../2configs/hw/w110er.nix - #../2configs/consul-client.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/pulse.nix @@ -134,9 +134,6 @@ with lib; ]; }; } - { - krebs.exim-retiolum.enable = true; - } { krebs.nginx = { enable = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index e6894b55e..12c115eb8 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -5,12 +5,9 @@ with lib; { krebs.build.host = config.krebs.hosts.xu; - krebs.build.source.git.nixpkgs.rev = - "7ae05edcdd14f6ace83ead9bf0d114e97c89a83a"; - imports = [ ../2configs/hw/x220.nix - #../2configs/consul-client.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/pulse.nix @@ -135,9 +132,6 @@ with lib; ]; }; } - { - krebs.exim-retiolum.enable = true; - } { krebs.nginx = { enable = true; diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix new file mode 100644 index 000000000..1af72c28f --- /dev/null +++ b/tv/2configs/exim-retiolum.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + krebs.exim-retiolum.enable = true; +} -- cgit v1.2.3 From a7e1709a466cee24783e20b6219ef5112b00e8c9 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:18:07 +0100 Subject: tv nginx-public_html: init --- tv/1systems/nomic.nix | 11 +---------- tv/1systems/wu.nix | 11 +---------- tv/1systems/xu.nix | 11 +---------- tv/2configs/nginx-public_html.nix | 14 ++++++++++++++ 4 files changed, 17 insertions(+), 30 deletions(-) create mode 100644 tv/2configs/nginx-public_html.nix diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 145e9b236..64fe5a635 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -9,6 +9,7 @@ with lib; ../2configs/hw/AO753.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/xserver { @@ -22,16 +23,6 @@ with lib; ]; }; } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } { krebs.retiolum = { enable = true; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 47fdb2092..6dd051210 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -10,6 +10,7 @@ with lib; ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/xserver { @@ -134,16 +135,6 @@ with lib; ]; }; } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } { krebs.retiolum = { enable = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 12c115eb8..409129581 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -10,6 +10,7 @@ with lib; ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/xserver { @@ -132,16 +133,6 @@ with lib; ]; }; } - { - krebs.nginx = { - enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; - }; - } { krebs.retiolum = { enable = true; diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix new file mode 100644 index 000000000..50c623915 --- /dev/null +++ b/tv/2configs/nginx-public_html.nix @@ -0,0 +1,14 @@ +{ lib, ... }: + +with lib; + +{ + krebs.nginx = { + enable = true; + servers.default.locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; +} -- cgit v1.2.3 From b3a481e0b9462bdb4ed92bfc27b2cbf723a8ec30 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:30:38 +0100 Subject: krebs lib.ne: init --- krebs/4lib/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index dfc51bbe4..4d7e0b549 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -6,6 +6,7 @@ with lib; let out = rec { eq = x: y: x == y; + ne = x: y: x != y; mod = x: y: x - y * (x / y); -- cgit v1.2.3 From d6ded00d012d4fb2a2a0a824604b25dac35ee349 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:32:04 +0100 Subject: tv retiolum: init --- tv/1systems/cd.nix | 11 +---------- tv/1systems/nomic.nix | 10 +--------- tv/1systems/wu.nix | 10 +--------- tv/1systems/xu.nix | 11 +---------- tv/2configs/retiolum.nix | 16 ++++++++++++++++ 5 files changed, 20 insertions(+), 38 deletions(-) create mode 100644 tv/2configs/retiolum.nix diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index b69d7655a..da44f5077 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -17,6 +17,7 @@ with lib; #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix + ../2configs/retiolum.nix ../2configs/urlwatch.nix { imports = [ ../2configs/charybdis.nix ]; @@ -77,16 +78,6 @@ with lib; ''); }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "fastpoke" - "pigstarter" - "ire" - ]; - }; - } ]; networking.interfaces.enp2s1.ip4 = [ diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 64fe5a635..b7e77e973 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -11,6 +11,7 @@ with lib; ../2configs/git.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { tv.iptables = { @@ -23,15 +24,6 @@ with lib; ]; }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 6dd051210..f52bbc091 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -12,6 +12,7 @@ with lib; ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ @@ -135,15 +136,6 @@ with lib; ]; }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 409129581..54e16868f 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -12,6 +12,7 @@ with lib; ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix + ../2configs/retiolum.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ @@ -133,16 +134,6 @@ with lib; ]; }; } - { - krebs.retiolum = { - enable = true; - connectTo = [ - "cd" - "gum" - "pigstarter" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix new file mode 100644 index 000000000..91fe81d69 --- /dev/null +++ b/tv/2configs/retiolum.nix @@ -0,0 +1,16 @@ +{ config, lib, ... }: + +with lib; + +{ + krebs.retiolum = { + enable = true; + connectTo = filter (ne config.krebs.build.host.name) [ + "gum" + "prism" + "echelon" + "cd" + "ire" + ]; + }; +} -- cgit v1.2.3 From bb1dbae8187601cea2ddfbdcdc9baa456bc5b4ab Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:40:25 +0100 Subject: tv: open ssh port by default --- tv/1systems/cd.nix | 4 ---- tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 1 - tv/2configs/default.nix | 5 +++++ 5 files changed, 5 insertions(+), 7 deletions(-) diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index da44f5077..6db78ca89 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -41,7 +41,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "tinc" "smtp" "xmpp-client" @@ -58,10 +57,7 @@ with lib; "cgit.cd.krebsco.de" "cgit.cd.viljetic.de" ]; - } - { # TODO make public_html also available to cd, cd.retiolum (AKA default) - tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index b7e77e973..f176a5f23 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -17,7 +17,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "http" "tinc" "smtp" diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index f52bbc091..16709052b 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -129,7 +129,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "http" "tinc" "smtp" diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 54e16868f..c6f1a393e 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -127,7 +127,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "ssh" "http" "tinc" "smtp" diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 310077021..abe9d3de8 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -162,6 +162,10 @@ with lib; }; } + { + tv.iptables.enable = true; + } + { services.openssh = { enable = true; @@ -169,6 +173,7 @@ with lib; { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "ssh"; } { -- cgit v1.2.3 From b172630f894362dc32cb6af7d5c9d44902ec5752 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:44:19 +0100 Subject: tv retiolum: open tinc port --- tv/1systems/cd.nix | 1 - tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 1 - tv/2configs/retiolum.nix | 1 + 5 files changed, 1 insertion(+), 4 deletions(-) diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 6db78ca89..783d23ca9 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -41,7 +41,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "tinc" "smtp" "xmpp-client" "xmpp-server" diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index f176a5f23..6f2c41823 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -18,7 +18,6 @@ with lib; enable = true; input-internet-accept-new-tcp = [ "http" - "tinc" "smtp" ]; }; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 16709052b..7635f6162 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -130,7 +130,6 @@ with lib; enable = true; input-internet-accept-new-tcp = [ "http" - "tinc" "smtp" ]; }; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index c6f1a393e..91b761d24 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -128,7 +128,6 @@ with lib; enable = true; input-internet-accept-new-tcp = [ "http" - "tinc" "smtp" ]; }; diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index 91fe81d69..d2bb9e6cf 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -13,4 +13,5 @@ with lib; "ire" ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "tinc"; } -- cgit v1.2.3 From d85c70d1d669636fe2fcbb1179dca2c4aecb0802 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:46:33 +0100 Subject: tv nginx-public_html: open http port --- tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 1 - tv/2configs/nginx-public_html.nix | 1 + 4 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 6f2c41823..2b71a974e 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -17,7 +17,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "http" "smtp" ]; }; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 7635f6162..a51e0e678 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -129,7 +129,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "http" "smtp" ]; }; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 91b761d24..847b57249 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -127,7 +127,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "http" "smtp" ]; }; diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix index 50c623915..dc74f7f8d 100644 --- a/tv/2configs/nginx-public_html.nix +++ b/tv/2configs/nginx-public_html.nix @@ -11,4 +11,5 @@ with lib; '') ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "http"; } -- cgit v1.2.3 From fe025213ea5c15012fd83f1064269a315a2d576a Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:50:00 +0100 Subject: tv exim-retiolum: open smtp port to retiolum --- tv/1systems/nomic.nix | 8 -------- tv/1systems/wu.nix | 8 -------- tv/1systems/xu.nix | 8 -------- tv/2configs/exim-retiolum.nix | 5 ++++- 4 files changed, 4 insertions(+), 25 deletions(-) diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 2b71a974e..37ef204c7 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -13,14 +13,6 @@ with lib; ../2configs/pulse.nix ../2configs/retiolum.nix ../2configs/xserver - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "smtp" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index a51e0e678..aef8ca761 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -125,14 +125,6 @@ with lib; unison ]; } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "smtp" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 847b57249..31a8a3e99 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -123,14 +123,6 @@ with lib; unison ]; } - { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "smtp" - ]; - }; - } ]; boot.initrd.luks = { diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix index 1af72c28f..aedf25823 100644 --- a/tv/2configs/exim-retiolum.nix +++ b/tv/2configs/exim-retiolum.nix @@ -1,5 +1,8 @@ -{ ... }: +{ lib, ... }: + +with lib; { krebs.exim-retiolum.enable = true; + tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp"; } -- cgit v1.2.3 From b58f37ce3833b7800c0a9ec83367dc888ea571b3 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:53:16 +0100 Subject: tv exim-smarthost: open smtp port --- tv/1systems/cd.nix | 1 - tv/2configs/exim-smarthost.nix | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 783d23ca9..1d9457600 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -41,7 +41,6 @@ with lib; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ - "smtp" "xmpp-client" "xmpp-server" ]; diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix index f5f63d284..bcfea7821 100644 --- a/tv/2configs/exim-smarthost.nix +++ b/tv/2configs/exim-smarthost.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; { krebs.exim-smarthost = { @@ -34,4 +36,5 @@ { from = "mirko"; to = "mv"; } ]; }; + tv.iptables.input-internet-accept-new-tcp = singleton "smtp"; } -- cgit v1.2.3 From 0c1a2d11b18c73ddc7fdb429e0d09dcffa3906f8 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 1 Feb 2016 17:56:10 +0100 Subject: cd: redistribute iptable rules --- tv/1systems/cd.nix | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 1d9457600..27e94aef0 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -31,6 +31,10 @@ with lib; enable = true; hosts = [ "jabber.viljetic.de" ]; }; + tv.iptables.input-internet-accept-new-tcp = [ + "xmpp-client" + "xmpp-server" + ]; } { krebs.github-hosts-sync.enable = true; @@ -38,19 +42,6 @@ with lib; singleton config.krebs.github-hosts-sync.port; } { - tv.iptables = { - enable = true; - input-internet-accept-new-tcp = [ - "xmpp-client" - "xmpp-server" - ]; - input-retiolum-accept-new-tcp = [ - "http" - ]; - }; - } - { - tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.cgit.server-names = [ "cgit.cd.krebsco.de" "cgit.cd.viljetic.de" @@ -62,8 +53,6 @@ with lib; alias /home/$1/public_html$2; ''); }; - } - { krebs.nginx.servers.viljetic = { server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) @@ -71,6 +60,7 @@ with lib; root ${pkgs.viljetic-pages}; ''); }; + tv.iptables.input-internet-accept-new-tcp = singleton "http"; } ]; -- cgit v1.2.3 From 461fe008e72995a42e8546d5dcc46382ca820000 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 1 Feb 2016 21:58:19 +0100 Subject: ma 1 filepimp: use by-id fs path, snapraid --- makefu/1systems/filepimp.nix | 51 +++++++++++++++++++++++++++++++------------- 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index 2d008cee6..fb9324ee9 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix @@ -1,10 +1,14 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ +{ config, pkgs, lib, ... }: +let + byid = dev: "/dev/disk/by-id/" + dev; + part1 = disk: disk + "-part1"; + rootDisk = byid "ata-SanDisk_SDSSDP064G_140237402890"; + jDisk0 = byid "ata-ST4000DM000-1F2168_Z303HVSG"; + jDisk1 = byid "ata-ST4000DM000-1F2168_Z3040NEA"; + jDisk2 = byid "ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E0621363"; + jDisk3 = byid "ata-TOSHIBA_MD04ACA400_156GK89OFSBA"; + allDisks = [ rootDisk jDisk0 jDisk1 jDisk2 jDisk3 ]; +in { imports = [ # Include the results of the hardware scan. ../2configs/fs/single-partition-ext4.nix @@ -12,16 +16,9 @@ ../2configs/smart-monitor.nix ]; krebs.build.host = config.krebs.hosts.filepimp; - services.smartd.devices = [ - { device = "/dev/sda"; } - { device = "/dev/sdb"; } - { device = "/dev/sdc"; } - { device = "/dev/sdd"; } - { device = "/dev/sde"; } - ]; # AMD N54L boot = { - loader.grub.device = "/dev/sde"; + loader.grub.device = rootDisk; initrd.availableKernelModules = [ "ahci" @@ -40,4 +37,28 @@ zramSwap.enable = true; zramSwap.numDevices = 2; + + makefu.snapraid = let + toMedia = name: "/media/" + name; + in { + enable = true; + # todo combine creation when enabling the mount point + disks = map toMedia [ "j0" "j1" "j2" ]; + parity = toMedia "par0"; + }; + # TODO: refactor, copy-paste from omo + services.smartd.devices = builtins.map (x: { device = x; }) allDisks; + powerManagement.powerUpCommands = lib.concatStrings (map (disk: '' + ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk} + ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk} + ${pkgs.hdparm}/sbin/hdparm -y ${disk} + '') allDisks); + fileSystems = let + xfsmount = name: dev: + { "/media/${name}" = { device = dev; fsType = "xfs"; }; }; + in + (xfsmount "j0" (part1 jDisk0)) + // (xfsmount "j1" (part1 jDisk1)) + // (xfsmount "j2" (part1 jDisk2)) + // (xfsmount "par0" (part1 jDisk3)); } -- cgit v1.2.3 From 40b13f240888be643e19939ceef79483aeb07ca5 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 1 Feb 2016 21:58:54 +0100 Subject: ma 1 gum: host update.connector.one --- makefu/1systems/gum.nix | 1 + makefu/2configs/nginx/update.connector.one.nix | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 makefu/2configs/nginx/update.connector.one.nix diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index ac7524506..c4dfbf4b7 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -15,6 +15,7 @@ in { ../2configs/git/cgit-retiolum.nix ../2configs/mattermost-docker.nix ../2configs/nginx/euer.test.nix + ../2configs/nginx/update.connector.one.nix ../2configs/exim-retiolum.nix ../2configs/urlwatch.nix diff --git a/makefu/2configs/nginx/update.connector.one.nix b/makefu/2configs/nginx/update.connector.one.nix new file mode 100644 index 000000000..eb39a1668 --- /dev/null +++ b/makefu/2configs/nginx/update.connector.one.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + hostname = config.krebs.build.host.name; + external-ip = head config.krebs.build.host.nets.internet.addrs4; +in { + krebs.nginx = { + enable = mkDefault true; + servers = { + omo-share = { + listen = [ "${external-ip}:80" ]; + server-names = [ + "update.connector.one" + "firmware.connector.one" + ]; + locations = singleton (nameValuePair "/" '' + autoindex on; + root /var/www/update.connector.one; + sendfile on; + gzip on; + ''); + }; + }; + }; +} -- cgit v1.2.3 From 44e0c5153ca6a65ee130f30ea8466906deedcada Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 1 Feb 2016 22:01:41 +0100 Subject: ma 1 omo: add shares --- makefu/1systems/omo.nix | 30 +--------------- makefu/2configs/nginx/omo-share.nix | 34 ------------------- makefu/2configs/omo-share.nix | 68 +++++++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 63 deletions(-) delete mode 100644 makefu/2configs/nginx/omo-share.nix create mode 100644 makefu/2configs/omo-share.nix diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 19183fea8..e9c51f485 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -28,7 +28,7 @@ in { ../2configs/smart-monitor.nix ../2configs/mail-client.nix ../2configs/share-user-sftp.nix - ../2configs/nginx/omo-share.nix + ../2configs/omo-share.nix ../3modules ]; networking.firewall.trustedInterfaces = [ "enp3s0" ]; @@ -42,34 +42,6 @@ in { # services.openssh.allowSFTP = false; krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce"; - # samba share /media/crypt1/share - users.users.smbguest = { - name = "smbguest"; - uid = config.ids.uids.smbguest; - description = "smb guest user"; - home = "/var/empty"; - }; - services.samba = { - enable = true; - shares = { - winshare = { - path = "/media/crypt1/share"; - "read only" = "no"; - browseable = "yes"; - "guest ok" = "yes"; - }; - }; - extraConfig = '' - guest account = smbguest - map to guest = bad user - # disable printing - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - ''; - }; - # copy config from to /var/lib/sabnzbd/ services.sabnzbd.enable = true; systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; diff --git a/makefu/2configs/nginx/omo-share.nix b/makefu/2configs/nginx/omo-share.nix deleted file mode 100644 index ce85e0442..000000000 --- a/makefu/2configs/nginx/omo-share.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - hostname = config.krebs.build.host.name; - # TODO local-ip from the nets config - local-ip = "192.168.1.11"; - # local-ip = head config.krebs.build.host.nets.retiolum.addrs4; -in { - krebs.nginx = { - enable = mkDefault true; - servers = { - omo-share = { - listen = [ "${local-ip}:80" ]; - locations = singleton (nameValuePair "/" '' - autoindex on; - root /media; - limit_rate_after 100m; - limit_rate 5m; - mp4_buffer_size 4M; - mp4_max_buffer_size 10M; - allow all; - access_log off; - keepalive_timeout 65; - keepalive_requests 200; - reset_timedout_connection on; - sendfile on; - tcp_nopush on; - gzip off; - ''); - }; - }; - }; -} diff --git a/makefu/2configs/omo-share.nix b/makefu/2configs/omo-share.nix new file mode 100644 index 000000000..1e0975e1d --- /dev/null +++ b/makefu/2configs/omo-share.nix @@ -0,0 +1,68 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + hostname = config.krebs.build.host.name; + # TODO local-ip from the nets config + local-ip = "192.168.1.11"; + # local-ip = head config.krebs.build.host.nets.retiolum.addrs4; +in { + krebs.nginx = { + enable = mkDefault true; + servers = { + omo-share = { + listen = [ "${local-ip}:80" ]; + locations = singleton (nameValuePair "/" '' + autoindex on; + root /media; + limit_rate_after 100m; + limit_rate 5m; + mp4_buffer_size 4M; + mp4_max_buffer_size 10M; + allow all; + access_log off; + keepalive_timeout 65; + keepalive_requests 200; + reset_timedout_connection on; + sendfile on; + tcp_nopush on; + gzip off; + ''); + }; + }; + }; + + # samba share /media/crypt1/share + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + services.samba = { + enable = true; + shares = { + winshare = { + path = "/media/crypt1/share"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + usenet = { + path = "/media/crypt0/usenet/dst"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} -- cgit v1.2.3 From 07fa0d989609faca2e9f9847165db61428206ef7 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 01:35:19 +0100 Subject: nixpkgs: symlink upstream-nixpkgs/{default.nix,lib} --- nixpkgs/default.nix | 2 +- nixpkgs/lib | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) mode change 100644 => 120000 nixpkgs/default.nix create mode 120000 nixpkgs/lib diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix deleted file mode 100644 index 92da82c35..000000000 --- a/nixpkgs/default.nix +++ /dev/null @@ -1 +0,0 @@ -import diff --git a/nixpkgs/default.nix b/nixpkgs/default.nix new file mode 120000 index 000000000..74e9d7633 --- /dev/null +++ b/nixpkgs/default.nix @@ -0,0 +1 @@ +../upstream-nixpkgs/default.nix \ No newline at end of file diff --git a/nixpkgs/lib b/nixpkgs/lib new file mode 120000 index 000000000..2284ef489 --- /dev/null +++ b/nixpkgs/lib @@ -0,0 +1 @@ +../upstream-nixpkgs/lib \ No newline at end of file -- cgit v1.2.3 From 2497533b90ce901a39d6642923738b2a337ad9aa Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 01:53:38 +0100 Subject: krebs/populate.nix -> krebs/v2 populate --- Makefile | 13 ++++-- krebs/populate.nix | 116 ------------------------------------------------- krebs/v2/default.nix | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 129 insertions(+), 120 deletions(-) delete mode 100644 krebs/populate.nix create mode 100644 krebs/v2/default.nix diff --git a/Makefile b/Makefile index a35d6d128..d7534e1f3 100644 --- a/Makefile +++ b/Makefile @@ -33,15 +33,20 @@ deploy2: export target-host = $(target) else deploy2: export target-host = $(system) endif +deploy2: export source = \ + with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; \ + assert source-version == 2; \ + source deploy2:;@ target=$${target-$$system} result=$$(nix-instantiate \ - --json \ --eval \ - krebs/populate.nix \ - --arg source 'with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; assert source-version == 2; source' \ + --json \ + --arg source "$$source" \ --argstr target-host "$$target" \ - --argstr target-path /var/src) + --argstr target-path /var/src \ + -A populate \ + krebs/v2) script=$$(echo "$$result" | jq -r .) echo "$$script" | sh ssh root@$$target nixos-rebuild switch -I /var/src diff --git a/krebs/populate.nix b/krebs/populate.nix deleted file mode 100644 index 13270c8a7..000000000 --- a/krebs/populate.nix +++ /dev/null @@ -1,116 +0,0 @@ -{ source -, target-user ? "root" -, target-host -, target-path ? "/var/src" -}: -with import ; -with import ~/stockholm/krebs/4lib { - lib = import ; -}; -with builtins; -let - out = '' - #! /bin/sh - set -efu - - echo ${shell.escape git-script} \ - | ssh ${shell.escape "${target-user}@${target-host}"} -T - - tmpdir=$(mktemp -dt stockholm.XXXXXXXX) - trap ' - set +f - rm "$tmpdir"/* - rmdir "$tmpdir" - trap - EXIT INT QUIT - ' EXIT INT QUIT - chmod 0755 "$tmpdir" - ${concatStringsSep "\n" - (mapAttrsToList - (name: spec: let dst = removePrefix "symlink:" (get-url spec); in - "ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") - symlink-specs)} - - proot \ - -b $tmpdir:${shell.escape target-path} \ - ${concatStringsSep " \\\n " - (mapAttrsToList - (name: spec: - "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}") - file-specs)} \ - rsync \ - -f ${shell.escape "P /*"} \ - ${concatMapStringsSep " \\\n " - (name: "-f ${shell.escape "R /${name}"}") - (attrNames file-specs)} \ - --delete \ - -vFrlptD \ - ${shell.escape target-path}/ \ - ${shell.escape "${target-user}@${target-host}:${target-path}"} - ''; - - get-schema = uri: - if substring 0 1 uri == "/" - then "file" - else head (splitString ":" uri); - - has-schema = schema: uri: get-schema uri == schema; - - get-url = spec: { - string = spec; - path = toString spec; - set = get-url spec.url; - }.${typeOf spec}; - - git-specs = - filterAttrs (_: spec: has-schema "https" (get-url spec)) source // - filterAttrs (_: spec: has-schema "http" (get-url spec)) source // - filterAttrs (_: spec: has-schema "git" (get-url spec)) source; - - file-specs = - filterAttrs (_: spec: has-schema "file" (get-url spec)) source; - - symlink-specs = - filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; - - git-script = '' - fetch_git() {( - dst_dir=$1 - src_url=$2 - src_ref=$3 - - if ! test -e "$dst_dir"; then - git clone "$src_url" "$dst_dir" - fi - - cd "$dst_dir" - - if ! url=$(git config remote.origin.url); then - git remote add origin "$src_url" - elif test "$url" != "$src_url"; then - git remote set-url origin "$src_url" - fi - - # TODO resolve src_ref to commit hash - hash=$src_ref - - if ! test "$(git log --format=%H -1)" = "$hash"; then - git fetch origin - git checkout "$hash" -- "$dst_dir" - git checkout "$hash" - fi - - git clean -dxf - )} - - ${concatStringsSep "\n" - (mapAttrsToList - (name: spec: toString (map shell.escape [ - "fetch_git" - "${target-path}/${name}" - spec.url - spec.rev - ])) - git-specs)} - ''; - -in out diff --git a/krebs/v2/default.nix b/krebs/v2/default.nix new file mode 100644 index 000000000..7eb60103f --- /dev/null +++ b/krebs/v2/default.nix @@ -0,0 +1,120 @@ +{ source +, target-user ? "root" +, target-host +, target-path ? "/var/src" +}: +with import ; +with import ~/stockholm/krebs/4lib { + lib = import ; +}; +with builtins; +let + out = { + inherit populate; + }; + + populate = '' + #! /bin/sh + set -efu + + echo ${shell.escape git-script} \ + | ssh ${shell.escape "${target-user}@${target-host}"} -T + + tmpdir=$(mktemp -dt stockholm.XXXXXXXX) + trap ' + set +f + rm "$tmpdir"/* + rmdir "$tmpdir" + trap - EXIT INT QUIT + ' EXIT INT QUIT + chmod 0755 "$tmpdir" + ${concatStringsSep "\n" + (mapAttrsToList + (name: spec: let dst = removePrefix "symlink:" (get-url spec); in + "ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") + symlink-specs)} + + proot \ + -b $tmpdir:${shell.escape target-path} \ + ${concatStringsSep " \\\n " + (mapAttrsToList + (name: spec: + "-b ${shell.escape "${get-url spec}:${target-path}/${name}"}") + file-specs)} \ + rsync \ + -f ${shell.escape "P /*"} \ + ${concatMapStringsSep " \\\n " + (name: "-f ${shell.escape "R /${name}"}") + (attrNames file-specs)} \ + --delete \ + -vFrlptD \ + ${shell.escape target-path}/ \ + ${shell.escape "${target-user}@${target-host}:${target-path}"} + ''; + + get-schema = uri: + if substring 0 1 uri == "/" + then "file" + else head (splitString ":" uri); + + has-schema = schema: uri: get-schema uri == schema; + + get-url = spec: { + string = spec; + path = toString spec; + set = get-url spec.url; + }.${typeOf spec}; + + git-specs = + filterAttrs (_: spec: has-schema "https" (get-url spec)) source // + filterAttrs (_: spec: has-schema "http" (get-url spec)) source // + filterAttrs (_: spec: has-schema "git" (get-url spec)) source; + + file-specs = + filterAttrs (_: spec: has-schema "file" (get-url spec)) source; + + symlink-specs = + filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; + + git-script = '' + fetch_git() {( + dst_dir=$1 + src_url=$2 + src_ref=$3 + + if ! test -e "$dst_dir"; then + git clone "$src_url" "$dst_dir" + fi + + cd "$dst_dir" + + if ! url=$(git config remote.origin.url); then + git remote add origin "$src_url" + elif test "$url" != "$src_url"; then + git remote set-url origin "$src_url" + fi + + # TODO resolve src_ref to commit hash + hash=$src_ref + + if ! test "$(git log --format=%H -1)" = "$hash"; then + git fetch origin + git checkout "$hash" -- "$dst_dir" + git checkout "$hash" + fi + + git clean -dxf + )} + + ${concatStringsSep "\n" + (mapAttrsToList + (name: spec: toString (map shell.escape [ + "fetch_git" + "${target-path}/${name}" + spec.url + spec.rev + ])) + git-specs)} + ''; + +in out -- cgit v1.2.3 From b849e3525edfe884a2e004e6497aad9995c093bd Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 03:19:20 +0100 Subject: make {deploy2 -> populate, rebuild} --- Makefile | 51 +++++++++++++++++++++++++++------------------------ 1 file changed, 27 insertions(+), 24 deletions(-) diff --git a/Makefile b/Makefile index d7534e1f3..ecfc7e50d 100644 --- a/Makefile +++ b/Makefile @@ -27,30 +27,6 @@ deploy infest:;@ script=$$(make -s eval) echo "$$script" | sh -.PHONY: deploy2 -ifdef target -deploy2: export target-host = $(target) -else -deploy2: export target-host = $(system) -endif -deploy2: export source = \ - with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; \ - assert source-version == 2; \ - source -deploy2:;@ - target=$${target-$$system} - result=$$(nix-instantiate \ - --eval \ - --json \ - --arg source "$$source" \ - --argstr target-host "$$target" \ - --argstr target-path /var/src \ - -A populate \ - krebs/v2) - script=$$(echo "$$result" | jq -r .) - echo "$$script" | sh - ssh root@$$target nixos-rebuild switch -I /var/src - .PHONY: eval eval: @ @@ -73,6 +49,33 @@ endif $${target+--argstr target "$$target"}) echo "$$result" | filter +ifndef target +export target = $(system) +endif + +# usage: make populate system=foo [target=bar] +.PHONY: populate +populate: export source = \ + with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; \ + assert source-version == 2; \ + source +populate:;@ + result=$$(nix-instantiate \ + --eval \ + --json \ + --arg source "$$source" \ + --argstr target-host "$$target" \ + --argstr target-path /var/src \ + -A populate \ + krebs/v2) + script=$$(echo "$$result" | jq -r .) + echo "$$script" | sh + +# usage: make rebuild system=foo [target=bar] [operation=switch] +.PHONY: rebuild +rebuild: populate ;@ + ssh root@"$$target" nixos-rebuild "$${operation-switch}" -I /var/src + else $(error unbound variable: system[s]) endif -- cgit v1.2.3 From 8e219cd0a2446e8f141e0f2403413a9bd3f0b061 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 03:20:29 +0100 Subject: Makefile,krebs/v2: verbosity++ --- Makefile | 2 +- krebs/v2/default.nix | 28 +++++++++++++++++++++++----- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index ecfc7e50d..f81666ae3 100644 --- a/Makefile +++ b/Makefile @@ -73,7 +73,7 @@ populate:;@ # usage: make rebuild system=foo [target=bar] [operation=switch] .PHONY: rebuild -rebuild: populate ;@ +rebuild: populate ;@set -x ssh root@"$$target" nixos-rebuild "$${operation-switch}" -I /var/src else diff --git a/krebs/v2/default.nix b/krebs/v2/default.nix index 7eb60103f..78e990d1c 100644 --- a/krebs/v2/default.nix +++ b/krebs/v2/default.nix @@ -15,26 +15,34 @@ let populate = '' #! /bin/sh - set -efu + set -eu + + verbose() { + printf '+' >&2 + printf ' %q' "$@" >&2 + printf '\n' + "$@" + } echo ${shell.escape git-script} \ | ssh ${shell.escape "${target-user}@${target-host}"} -T - tmpdir=$(mktemp -dt stockholm.XXXXXXXX) + unset tmpdir trap ' - set +f rm "$tmpdir"/* rmdir "$tmpdir" trap - EXIT INT QUIT ' EXIT INT QUIT + tmpdir=$(mktemp -dt stockholm.XXXXXXXX) chmod 0755 "$tmpdir" + ${concatStringsSep "\n" (mapAttrsToList (name: spec: let dst = removePrefix "symlink:" (get-url spec); in - "ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") + "verbose ln -s ${shell.escape dst} $tmpdir/${shell.escape name}") symlink-specs)} - proot \ + verbose proot \ -b $tmpdir:${shell.escape target-path} \ ${concatStringsSep " \\\n " (mapAttrsToList @@ -77,6 +85,15 @@ let filterAttrs (_: spec: has-schema "symlink" (get-url spec)) source; git-script = '' + #! /bin/sh + set -efu + + verbose() { + printf '+' >&2 + printf ' %q' "$@" >&2 + printf '\n' + } + fetch_git() {( dst_dir=$1 src_url=$2 @@ -109,6 +126,7 @@ let ${concatStringsSep "\n" (mapAttrsToList (name: spec: toString (map shell.escape [ + "verbose" "fetch_git" "${target-path}/${name}" spec.url -- cgit v1.2.3 From 1b67c62f15e1c92aa1ccdf392fcdfe85488e3f48 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 03:29:42 +0100 Subject: make populate: define and pass lib to krebs/v2 --- Makefile | 6 +++++- krebs/v2/default.nix | 9 +++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index f81666ae3..c4f5cd398 100644 --- a/Makefile +++ b/Makefile @@ -55,14 +55,18 @@ endif # usage: make populate system=foo [target=bar] .PHONY: populate +populate: export lib = \ + let nlib = import ; in \ + nlib // import krebs/4lib { lib = nlib; } // builtins populate: export source = \ - with (import ~/stockholm {}).users.$(LOGNAME).$(system).config.krebs.build; \ + with (import ./. {}).users.$(LOGNAME).$(system).config.krebs.build; \ assert source-version == 2; \ source populate:;@ result=$$(nix-instantiate \ --eval \ --json \ + --arg lib "$$lib" \ --arg source "$$source" \ --argstr target-host "$$target" \ --argstr target-path /var/src \ diff --git a/krebs/v2/default.nix b/krebs/v2/default.nix index 78e990d1c..ac1c13e72 100644 --- a/krebs/v2/default.nix +++ b/krebs/v2/default.nix @@ -1,13 +1,10 @@ -{ source +{ lib +, source , target-user ? "root" , target-host , target-path ? "/var/src" }: -with import ; -with import ~/stockholm/krebs/4lib { - lib = import ; -}; -with builtins; +with lib; let out = { inherit populate; -- cgit v1.2.3 From 942511acb1ca0d3c6ef1e59694e888c7d4665aee Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 03:51:22 +0100 Subject: make {populate,rebuild}: use $target_{host,user,path} --- Makefile | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index c4f5cd398..501dfbe83 100644 --- a/Makefile +++ b/Makefile @@ -49,36 +49,39 @@ endif $${target+--argstr target "$$target"}) echo "$$result" | filter -ifndef target -export target = $(system) -endif +export target_host ?= $(system) +export target_user ?= root +export target_path ?= /var/src -# usage: make populate system=foo [target=bar] +# usage: make populate system=foo [target_host=bar] .PHONY: populate populate: export lib = \ let nlib = import ; in \ nlib // import krebs/4lib { lib = nlib; } // builtins populate: export source = \ - with (import ./. {}).users.$(LOGNAME).$(system).config.krebs.build; \ - assert source-version == 2; \ - source + with builtins; \ + with (import ./. {}).users.$${getEnv "LOGNAME"}.$${getEnv "system"}; \ + assert config.krebs.build.source-version == 2; \ + config.krebs.build.source populate:;@ result=$$(nix-instantiate \ --eval \ --json \ --arg lib "$$lib" \ --arg source "$$source" \ - --argstr target-host "$$target" \ - --argstr target-path /var/src \ + --argstr target-user "$$target_user" \ + --argstr target-host "$$target_host" \ + --argstr target-path "$$target_path" \ -A populate \ krebs/v2) script=$$(echo "$$result" | jq -r .) echo "$$script" | sh -# usage: make rebuild system=foo [target=bar] [operation=switch] +# usage: make rebuild system=foo [target_host=bar] [operation=switch] .PHONY: rebuild rebuild: populate ;@set -x - ssh root@"$$target" nixos-rebuild "$${operation-switch}" -I /var/src + ssh "$$target_user@$$target_host" \ + nixos-rebuild "$${operation-switch}" -I "$$target_path" else $(error unbound variable: system[s]) -- cgit v1.2.3 From 74120066f0387339bc4b3c02b30ed303a90de5da Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 03:57:32 +0100 Subject: krebs/v2: simplify verbose --- krebs/v2/default.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/krebs/v2/default.nix b/krebs/v2/default.nix index ac1c13e72..cba7a75ff 100644 --- a/krebs/v2/default.nix +++ b/krebs/v2/default.nix @@ -15,9 +15,7 @@ let set -eu verbose() { - printf '+' >&2 - printf ' %q' "$@" >&2 - printf '\n' + printf '+%s\n' "$(printf ' %q' "$@")" >&2 "$@" } @@ -86,9 +84,8 @@ let set -efu verbose() { - printf '+' >&2 - printf ' %q' "$@" >&2 - printf '\n' + printf '+%s\n' "$(printf ' %q' "$@")" >&2 + "$@" } fetch_git() {( -- cgit v1.2.3 From 0414f344d9abec821883dcdc77acc6b1d7b8f0ae Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 04:01:55 +0100 Subject: nixpkgs/nixos/lib -> upstream-nixpkgs/nixos/lib --- nixpkgs/nixos/lib | 1 + 1 file changed, 1 insertion(+) create mode 120000 nixpkgs/nixos/lib diff --git a/nixpkgs/nixos/lib b/nixpkgs/nixos/lib new file mode 120000 index 000000000..eb942f88b --- /dev/null +++ b/nixpkgs/nixos/lib @@ -0,0 +1 @@ +../../upstream-nixpkgs/nixos/lib \ No newline at end of file -- cgit v1.2.3 From 5ce588fb8172ba4d91cfa31c9e043fa1799be9ae Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 13:21:59 +0100 Subject: nixpkgs/pkgs -> upstream-nixpkgs/pkgs --- nixpkgs/pkgs | 1 + 1 file changed, 1 insertion(+) create mode 120000 nixpkgs/pkgs diff --git a/nixpkgs/pkgs b/nixpkgs/pkgs new file mode 120000 index 000000000..ce5f5448b --- /dev/null +++ b/nixpkgs/pkgs @@ -0,0 +1 @@ +../upstream-nixpkgs/pkgs \ No newline at end of file -- cgit v1.2.3 From 11371608c1c6b5fc661d1c0a1f825226dfd9f599 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 15:29:40 +0100 Subject: with-tmpdir: init at 1 --- krebs/5pkgs/with-tmpdir/default.nix | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 krebs/5pkgs/with-tmpdir/default.nix diff --git a/krebs/5pkgs/with-tmpdir/default.nix b/krebs/5pkgs/with-tmpdir/default.nix new file mode 100644 index 000000000..517e46310 --- /dev/null +++ b/krebs/5pkgs/with-tmpdir/default.nix @@ -0,0 +1,29 @@ +{ stdenv, fetchgit, coreutils, dash, ... }: + +stdenv.mkDerivation { + name = "with-tmpdir-1"; + + src = fetchgit { + url = http://cgit.cd.krebsco.de/with-tmpdir; + rev = "3243c02ed8cd27a04c080bd39560204980f6c16a"; + sha256 = "80ee6cafb2c337999ddcd1e41747d6256b7cfcea605358c2046eb7e3729555c6"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = '' + mkdir -p $out/bin + + { echo '#! ${dash}/bin/dash' + echo 'OLDPATH=$PATH' + echo 'PATH=${coreutils}/bin' + sed '$s/^/#/' ./with-tmpdir + echo '(PATH=$OLDPATH; exec "$@")' + } > $out/bin/with-tmpdir + + chmod +x $out/bin/with-tmpdir + ''; +} -- cgit v1.2.3 From 7dbfc126fb329a67d68b32803e866ba9f0e7b2f0 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 15:34:22 +0100 Subject: tv git public-repos += with-tmpdir --- tv/2configs/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index 800deff1b..5e0f95c15 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix @@ -39,6 +39,7 @@ let stockholm = { desc = "take all the computers hostage, they'll love you!"; }; + with-tmpdir = {}; } // mapAttrValues (setAttr "section" "2. Haskell libraries") { blessings = {}; mime = {}; -- cgit v1.2.3 From 03e5d03c129190451e1431fac6aae70f745812f9 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 19:17:19 +0100 Subject: tv config: use null for dummy secrets --- tv/2configs/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index abe9d3de8..777cd4ea3 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -12,6 +12,7 @@ with lib; source = mapAttrs (_: mkDefault) ({ nixos-config = "symlink:stockholm-private/1systems/${config.krebs.build.host.name}.nix"; nixpkgs = symlink:stockholm-nixpkgs; + null = "/home/tv/stockholm/null"; secrets = "/home/tv/secrets/${config.krebs.build.host.name}"; secrets-common = "/home/tv/secrets/common"; stockholm-krebs = "/home/tv/stockholm/krebs"; @@ -101,7 +102,7 @@ with lib; }; environment.variables = { - NIX_PATH = mkForce "/var/src"; + NIX_PATH = mkForce "secrets=/var/src/null:/var/src"; }; programs.bash = { -- cgit v1.2.3 From 28382e43e0df74a6b10bfcf23465d8415fa86460 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 19:51:01 +0100 Subject: tv: RIP consul --- tv/1systems/cd.nix | 1 - tv/1systems/mkdir.nix | 1 - tv/1systems/rmdir.nix | 1 - tv/2configs/consul-client.nix | 9 ---- tv/2configs/consul-server.nix | 21 -------- tv/3modules/consul.nix | 118 ------------------------------------------ tv/3modules/default.nix | 1 - 7 files changed, 152 deletions(-) delete mode 100644 tv/2configs/consul-client.nix delete mode 100644 tv/2configs/consul-server.nix delete mode 100644 tv/3modules/consul.nix diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 27e94aef0..e42d5750a 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -14,7 +14,6 @@ with lib; imports = [ ../2configs/hw/CAC-Developer-2.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix ../2configs/retiolum.nix diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index 9d8a0bcfa..79e5f73b9 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -22,7 +22,6 @@ in imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix { diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 1f1d975c9..6fd79c596 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -23,7 +23,6 @@ in imports = [ ../2configs/hw/CAC-Developer-1.nix ../2configs/fs/CAC-CentOS-7-64bit.nix - ../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix { diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix deleted file mode 100644 index 0a8bf4d75..000000000 --- a/tv/2configs/consul-client.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ ./consul-server.nix ]; - - tv.consul = { - server = pkgs.lib.mkForce false; - }; -} diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix deleted file mode 100644 index d10f9ea75..000000000 --- a/tv/2configs/consul-server.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, ... }: - -{ - tv.consul = rec { - enable = true; - - self = config.krebs.build.host; - inherit (self) dc; - - server = true; - - hosts = with config.krebs.hosts; [ - # TODO get this list automatically from each host where tv.consul.enable is true - cd - mkdir - nomic - rmdir - #wu - ]; - }; -} diff --git a/tv/3modules/consul.nix b/tv/3modules/consul.nix deleted file mode 100644 index 5c955fdb5..000000000 --- a/tv/3modules/consul.nix +++ /dev/null @@ -1,118 +0,0 @@ -{ config, lib, pkgs, ... }: - -# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect -# but -bootstrap -# TODO consul-bootstrap HOST that actually does is -# TODO tools to inspect state of a cluster in outage state - -with lib; -let - cfg = config.tv.consul; - - out = { - options.tv.consul = api; - config = mkIf cfg.enable (mkMerge [ - imp - { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; } - # TODO udp for 8301 - ]); - }; - - api = { - enable = mkEnableOption "tv.consul"; - - dc = mkOption { - type = types.label; - }; - hosts = mkOption { - type = with types; listOf host; - }; - encrypt-file = mkOption { - type = types.str; # TODO path (but not just into store) - default = toString ; - }; - data-dir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/consul"; - }; - self = mkOption { - type = types.host; - }; - server = mkOption { - type = types.bool; - default = false; - }; - GOMAXPROCS = mkOption { - type = types.int; - default = cfg.self.cores; - }; - }; - - consul-config = { - datacenter = cfg.dc; - data_dir = cfg.data-dir; - log_level = "INFO"; - #node_name = - server = cfg.server; - enable_syslog = true; - retry_join = - # TODO allow consul in other nets than retiolum [maybe] - concatMap (host: host.nets.retiolum.addrs) - (filter (host: host.name != cfg.self.name) cfg.hosts); - leave_on_terminate = true; - } // optionalAttrs cfg.server { - bootstrap_expect = length cfg.hosts; - leave_on_terminate = false; - }; - - imp = { - environment.systemPackages = with pkgs; [ - consul - ]; - - systemd.services.consul = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ - consul - ]; - environment = { - GOMAXPROCS = toString cfg.GOMAXPROCS; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "consul"; - User = user.name; - PrivateTmp = "true"; - Restart = "always"; - ExecStartPre = pkgs.writeScript "consul-init" '' - #! /bin/sh - mkdir -p ${cfg.data-dir} - chown ${user.name}: ${cfg.data-dir} - install -o ${user.name} -m 0400 ${cfg.encrypt-file} /tmp/encrypt.json - ''; - ExecStart = pkgs.writeScript "consul-service" '' - #! /bin/sh - set -euf - exec >/dev/null - exec consul agent \ - -config-file=${toFile "consul.json" (toJSON consul-config)} \ - -config-file=/tmp/encrypt.json - ''; - #-node=${cfg.self.fqdn} \ - #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = rec { - name = "consul"; - uid = genid name; - }; - -in -out diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix index bb10d8261..f7889b245 100644 --- a/tv/3modules/default.nix +++ b/tv/3modules/default.nix @@ -2,7 +2,6 @@ _: { imports = [ - ./consul.nix ./ejabberd.nix ./iptables.nix ]; -- cgit v1.2.3 From d341d1ad1006d49299007c2210dfd8f9903ae21a Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:01:28 +0100 Subject: tv vim: drop noise --- tv/2configs/vim.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index bab949270..83cc6e117 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -7,11 +7,6 @@ let vim ]; - # Nano really is just a stupid name for Vim. - nixpkgs.config.packageOverrides = pkgs: { - nano = pkgs.vim; - }; - environment.etc.vimrc.source = vimrc; environment.variables.EDITOR = mkForce "vim"; -- cgit v1.2.3 From ef0ce9065f312140cbcb51fc5102c4c5d4e80568 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:02:01 +0100 Subject: tv nix.vim: let b:current_syntax --- tv/2configs/vim.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 83cc6e117..23f90af05 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -105,6 +105,8 @@ let syn match String /"\([^\\"]\|\\.\)*"/ syn match Comment /\(^\|\s\)#.*/ + + let b:current_syntax = "nix" ''} au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile -- cgit v1.2.3 From ba4bfed2715cb3973f9dbaa6f0a6010c59121a54 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:05:12 +0100 Subject: wu: selectively allowUnfree nvidia-x11 --- tv/1systems/wu.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index aef8ca761..2fa0e8ab7 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -157,7 +157,7 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfree = true; + nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name; hardware.bumblebee.enable = true; hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; -- cgit v1.2.3 From 34dcaa692382072889e7e796461933ff129d5a13 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:06:15 +0100 Subject: xu: don't unconditionally allowUnfree --- tv/1systems/xu.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 31a8a3e99..8c4af2bd3 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -155,7 +155,6 @@ with lib; nixpkgs.config.chromium.enablePepperFlash = true; - nixpkgs.config.allowUnfree = true; #hardware.bumblebee.enable = true; #hardware.bumblebee.group = "video"; hardware.enableAllFirmware = true; -- cgit v1.2.3 From 44b9f90b2c70c997399afcc550dac2fff155af6b Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:12:06 +0100 Subject: tv config: allowUnfree = false --- tv/2configs/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 777cd4ea3..ee1d9521d 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -70,6 +70,9 @@ with lib; nix.useChroot = true; } + { + nixpkgs.config.allowUnfree = false; + } { environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; -- cgit v1.2.3 From afd09edbd3ec1739fb95eaab664a2400386ce7a0 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 2 Feb 2016 20:17:10 +0100 Subject: tv: cleanup allowUnfree --- tv/2configs/hw/AO753.nix | 9 ++++----- tv/2configs/hw/x220.nix | 1 - 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix index acd9ee32b..72a40819f 100644 --- a/tv/2configs/hw/AO753.nix +++ b/tv/2configs/hw/AO753.nix @@ -1,4 +1,6 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: + +with lib; { imports = [ @@ -39,8 +41,5 @@ HandleSuspendKey=ignore ''; - nixpkgs.config = { - allowUnfree = false; - allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name); - }; + nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name; } diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix index 8549311e7..7cec670fa 100644 --- a/tv/2configs/hw/x220.nix +++ b/tv/2configs/hw/x220.nix @@ -14,7 +14,6 @@ networking.wireless.enable = true; #hardware.enableAllFirmware = true; - #nixpkgs.config.allowUnfree = true; #zramSwap.enable = true; #zramSwap.numDevices = 2; -- cgit v1.2.3 From 68655d1ddf078eb1bb3a48ba7e6e9376d913985e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 3 Feb 2016 11:32:58 +0100 Subject: krebs.git: remove trailing spaces --- krebs/3modules/git.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index e6267d7e6..0fa6b240b 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -27,7 +27,7 @@ let description = '' Enable cgit. Cgit is an attempt to create a fast web interface for the git version - control system, using a built in cache to decrease pressure on the + control system, using a built in cache to decrease pressure on the git server. cgit in this module is being served via fastcgi nginx.This module deploys a http://cgit. nginx configuration and enables nginx @@ -127,7 +127,7 @@ let git-imp = { system.activationScripts.git-init = "${init-script}"; - + # TODO maybe put all scripts here and then use PATH? environment.etc."${etc-base}".source = scriptFarm "git-ssh-authorizers" { @@ -136,7 +136,7 @@ let (map getName (ensureList repo)) (map getName perm.allow-commands) ]) cfg.rules); - + authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ (map getName (ensureList user)) (map getName (ensureList repo)) @@ -144,7 +144,7 @@ let (map getName perm.allow-receive-modes) ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); }; - + users.extraUsers = singleton rec { description = "Git repository hosting user"; name = "git"; -- cgit v1.2.3 From cdb590be5072712c9552a98f8979aa94288dcbc8 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 3 Feb 2016 13:36:54 +0100 Subject: krebs.git.rules: specify type --- krebs/3modules/git.nix | 193 +++++++++++++++++++++++++++++++++++-------------- tv/2configs/git.nix | 4 +- 2 files changed, 142 insertions(+), 55 deletions(-) diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 0fa6b240b..7b28ffca8 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -44,48 +44,8 @@ let default = "/etc/git"; }; repos = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository description. - ''; - }; - section = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository section. - ''; - }; - name = mkOption { -