From e3f0ca7137b8b94c87f008c200fecb4042a7ec38 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 15 Mar 2016 15:58:45 +0100 Subject: krebs.on-failure: init --- krebs/3modules/default.nix | 1 + krebs/3modules/on-failure.nix | 91 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+) create mode 100644 krebs/3modules/on-failure.nix (limited to 'krebs') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bdd9049cb..77fb3d61c 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -23,6 +23,7 @@ let ./lib.nix ./nginx.nix ./nixpkgs.nix + ./on-failure.nix ./os-release.nix ./per-user.nix ./Reaktor.nix diff --git a/krebs/3modules/on-failure.nix b/krebs/3modules/on-failure.nix new file mode 100644 index 000000000..13d561b8d --- /dev/null +++ b/krebs/3modules/on-failure.nix @@ -0,0 +1,91 @@ +{ config, lib, pkgs, ... }: with config.krebs.lib; let + out = { + options.krebs.on-failure = api; + config = lib.mkIf cfg.enable imp; + }; + + cfg = config.krebs.on-failure; + + api = { + enable = mkEnableOption "krebs.on-failure" // { + default = cfg.plans != {}; + }; + plans = mkOption { + default = {}; + type = let + inherit (config) krebs; + in types.attrsOf (types.submodule ({ config, ... }: { + options = { + enable = mkEnableOption "krebs.on-failure.${config.name}" // { + default = true; + }; + journalctl = { + lines = mkOption { + type = types.int; + default = 100; + }; + output = mkOption { + type = types.enum [ + "cat" + "export" + "json" + "json-pretty" + "json-sse" + "short" + "short-iso" + "short-precise" + "verbose" + ]; + default = "short-iso"; + }; + }; + mailto = mkOption { + type = types.str; + default = krebs.build.user.mail; + description = "Mail address to send journal extract to."; + }; + subject = mkOption { + type = types.str; + default = "[${krebs.build.host.name}] ${config.name} has failed"; + }; + name = mkOption { + type = types.str; + default = config._module.args.name; + description = "Name of the to-be-monitored service."; + }; + }; + })); + }; + sendmail = mkOption { + type = types.str; + default = "/var/setuid-wrappers/sendmail"; + }; + }; + + imp = { + systemd.services = foldl (a: b: a // b) {} (map to-services enabled-plans); + }; + + enabled-plans = filter (getAttr "enable") (attrValues cfg.plans); + + to-services = plan: { + "${plan.name}".unitConfig.OnFailure = "on-failure.${plan.name}.service"; + "on-failure.${plan.name}".serviceConfig = rec { + ExecStart = start plan; + SyslogIdentifier = ExecStart.name; + Type = "oneshot"; + }; + }; + + start = plan: pkgs.writeDash "on-failure.${plan.name}" '' + { echo Subject: ${shell.escape plan.subject} + echo To: ${shell.escape plan.mailto} + echo + ${pkgs.systemd}/bin/journalctl \ + --lines=${toString plan.journalctl.lines} \ + --output=${plan.journalctl.output} \ + --unit=${shell.escape plan.name}.service + } | ${shell.escape cfg.sendmail} -t + ''; + +in out -- cgit v1.2.3 From 13df24f8f09469c32077ded463d99033042e25ee Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 15 Mar 2016 15:59:05 +0100 Subject: krebs.backup: use krebs.on-failure --- krebs/3modules/backup.nix | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'krebs') diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 97082f56a..d22dd3810 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -60,6 +60,12 @@ let }; imp = { + krebs.on-failure.plans = + listToAttrs (map (plan: nameValuePair "backup.${plan.name}" { + }) (filter (plan: build-host-is "pull" "dst" plan || + build-host-is "push" "src" plan) + enabled-plans)); + systemd.services = listToAttrs (map (plan: nameValuePair "backup.${plan.name}" { # TODO if there is plan.user, then use its privkey -- cgit v1.2.3 From 91844576fd201c628e070761be1eaffe3e40eca8 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 00:49:32 +0100 Subject: krebs.users.tv.pgp.pubkey: 2CAEE3B5 --- krebs/3modules/tv/default.nix | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'krebs') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index a0237d361..dd1f0d289 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -357,6 +357,35 @@ with config.krebs.lib; }; tv = { mail = "tv@nomic.retiolum"; + pgp.pubkey = '' + -----BEGIN PGP PUBLIC KEY BLOCK----- + mQINBFbJ/B0BEADZx8l5gRurzhEHcc3PbBepdZqDJQZ2cGHixi8VEk9iN25qJO5y + HB0q5sQRsh7oNCbzKp6qRhaG9kXmEda+Uu+qbHWxE32QcT76+W8npH73qthaFwC/ + 5RA8KcSE8/XFxVBnVb14PNVHyAVxPHawawbhsOeaiZcHrq5IF6sVzcsc2KN87sIE + SthR4E01LBK4AFeFuKxga9OKFQV5WJNrihu+6H4wZwUfMpbE552N1rggxT4CouqZ + RocSg+el/aPRj3Jk9jDe/JFv4HU7KfioOD+NO8xLAkyw3aLsu/bv9nfUvcvTGeRp + z31UOjpNYpT3PS0+lNCUKQKUadAmhwU95V/0GdhadgxCFcS65qNO7ZZYDJqMIT2y + YH1d9MaVPDQD9W2v0ITCJcrks9p47o+C8zzDlcVr2VEGrTSngRDkWVNYjKwd3L8w + HuaTarqOprLzeZ6yblcLVOrW8tGTmxum0jB4Fn3enpTyJNzCfp6c0CoYp/ZziQ82 + 2jgLWuqKv3EKhX9aCUUgbeDFhnsM3GzdT5qYupX7UyWTLfiUlAEUQUgtyM7yBUNN + PsD5OeYeRQ/xFzUO30kglbjXOOUQpm7kyX38OJA01JdOOhXNI7BTvkFZsJzBLoVM + AdK3LvF4Rjau3HzYqL1Cr0ai1Y9jZVXP3vimcvUcI9bTRg9pMfD8LekiQQARAQAB + tAl0diA8dHZAcj6JAj0EEwEIACcFAlbJ/B0CGwMFCQHhM4AFCwkIBwIGFQgJCgsC + BBYCAwECHgECF4AACgkQJdgKWiyu47Xwow//ZS6Y1UcTDxHa066AQxL5UWL86Jj4 + pIw3k630384VrUlStP+OcwOSwa4igvyIUPrOhVLynkijNsutg6KAVi8BrtSZ8ZcP + 58gnyCPCQG4Ir0cSanp/GxMxfHKdEMyfMOopTLusLBa55VPr7sYrNi7WY20aojjJ + 05bviSrFv0+u9dEJGmCChLDv+IhHJDe4zXHbmwspGDMwlhy/E/clSZG7a1yoJjLf + DpqRVn8KmICqMX0lvBP6fsS51pSD0n82kCpedLZmnwYEHCp+Bkx/Cla7aS33N1+n + 5CUAR6HQvPT91LsLK/h/BKZ+SHAg4j7hANSfMFO+/0A5pby3JBo6Fck0LvrEMyog + 6oGedzszZztO1eSJ5h0UQlowD4g0Y7wlWrR8znvdO1gBxQpGIjZXKqGRcuIPNZpu + lgqIXw/pX6b0CWh2GsbHGE0FfIkBkgW2A2akA8cGEiKqOdp/kP4o7VGCLI5iZXZA + ZY405gOo3ePTTRJ3zxF7YFRzjMhTlc6KtLiA9/Wps67lrOU0w/O8Dd+zYxmZoani + lnXaqOj32/UCW76fZ+ovUzKP2lav5wf3tpJeekjV5Zs5dNpAYmrK6EuW7LvUg5lm + 7i5yz8yuD/xU6R3o1FycogDU6H0JtdFDYTJI9gd5EzNe3UNUEzBJF1yqQFwiW6xY + 3yFvks3C6e58YNE= + =Sqyp + -----END PGP PUBLIC KEY BLOCK----- + ''; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEAQDFR//RnCvEZAt0F6ExDsatKZ/DDdifanuSL360mqOhaFieKI34RoOwfQT9T+Ga52Vh5V2La6esvlph686EdgzeKLvDoxEwFM9ZYFBcMrNzu4bMTlgE7YUYw5JiORyXNfznBGnme6qpuvx9ibYhUyiZo99kM8ys5YrUHrP2JXQJMezDFZHxT4GFMOuSdh/1daGoKKD6hYL/jEHX8CI4E3BSmKK6ygYr1fVX0K0Tv77lIi5mLXucjR7CytWYWYnhM6DC3Hxpv2zRkPgf3k0x/Y1hrw3V/r0Me5h90pd2C8pFaWA2ZoUT/fmyVqvx1tZPYToU/O2dMItY0zgx2kR0yD+6g7Aahz3R+KlXkV8k5c8bbTbfGnZWDR1ZlbLRM9Yt5vosfwapUD90MmVkpmR3wUkO2sUKi80QfC7b4KvSDXQ+MImbGxMaU5Bnsq1PqLN95q+uat3nlAVBAELkcx51FlE9CaIS65y4J7FEDg8BE5JeuCNshh62VSYRXVSFt8bk3f/TFGgzC8OIo14BhVmiRQQ503Z1sROyf5xLX2a/EJavMm1i2Bs2TH6ROKY9z5Pz8hT5US0r381V8oG7TZyLF9HTtoy3wCYsgWA5EmLanjAsVU2YEeAA0rxzdtYP8Y2okFiJ6u+M4HQZ3Wg3peSodyp3vxdYce2vk4EKeqEFuuS82850DYb7Et7fmp+wQQUT8Q/bMO0DreWjHoMM5lE4LJ4ME6AxksmMiFtfo/4Fe2q9D+LAqZ+ANOcv9M+8Rn6ngiYmuRNd0l/a02q1PEvO6vTfXgcl4f7Z1IULHPEaDNZHCJS1K5RXYFqYQ6OHsTmOm7hnwaRAS97+VFMo1i5uvTx9nYaAcY7yzq3Ckfb67dMBKApGOpJpkvPgfrP7bgBO5rOZXM1opXqVPb09nljAhhAhyCTh1e/8+mJrBo0cLQ/LupQzVxGDgm3awSMPxsZAN45PSWz76zzxdDa1MMo51do+VJHfs7Wl0NcXAQrniOBYL9Wqt0qNkn1gY5smkkISGeQ/vxNap4MmzeZE7b5fpOy+2fpcRVQLpc4nooQzJvSVTFz+25lgZ6iHf45K87gQFMIAri1Pf/EDDpL87az+bRWvWi+BA2kMe1kf+Ay1LyMz8r+g51H0ma0bNFh6+fbWMfUiD9JCepIObclnUJ4NlWfcgHxTf17d/4tl6z4DTcLpCCk8Da77JouSHgvtcRbRlFV1OfhWZLXUsrlfpaQTiItv6TGIr3k7+7b66o3Qw/GQVs5GmYifaIZIz8n8my4XjkaMBd0SZfBzzvFjHMq6YUP9+SbjvReqofuoO+5tW1wTYZXitFFBfwuHlXm6w77K5QDBW6olT7pat41/F5eGxLcz tv@wu"; uid = 1337; # TODO use default }; -- cgit v1.2.3 From 1ff38bf6c69fd68cbf4e158a96cd8c97d6cf305d Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 01:17:07 +0100 Subject: krebs lib += optionalTrace --- krebs/4lib/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index deac02bb7..e984614a0 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -17,7 +17,7 @@ let out = rec { types = import ./types.nix { inherit config; - lib = lib // { inherit genid; }; + lib = lib // { inherit genid optionalTrace; }; }; dir.has-default-nix = path: pathExists (path + "/default.nix"); @@ -44,4 +44,6 @@ let out = rec { mapAttrValues = f: mapAttrs (_: f); setAttr = name: value: set: set // { ${name} = value; }; + optionalTrace = c: msg: x: if c then trace msg x else x; + }; in out -- cgit v1.2.3 From fb82aa8f34977de004df09d9e76c506557235d15 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 01:19:27 +0100 Subject: krebs types.host.ssh.pubkeys: trace only own missing keys --- krebs/4lib/types.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 839a1a923..334a94c3a 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -6,7 +6,7 @@ with types; let # Inherited attributes are used in submodules that have their own `config`. - inherit (config.krebs) users; + inherit (config.krebs) build users; in types // rec { @@ -50,9 +50,9 @@ types // rec { type = nullOr str; default = null; apply = x: - if x != null - then x - else trace "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." null; + optionalTrace (x == null && config.owner.name == build.user.name) + "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." + x; }; ssh.privkey = mkOption { type = nullOr (submodule { -- cgit v1.2.3 From e6657cd46a6b97153f80006144fe6293f715bb7d Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 01:52:34 +0100 Subject: krebs lib += getAttrDef --- krebs/4lib/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'krebs') diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index e984614a0..585bd313f 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -41,6 +41,7 @@ let out = rec { mapAttrs (name: _: path + "/${name}") (filterAttrs (_: eq "directory") (readDir path)); + getAttrDef = name: set: set.${name} or set.default or null; mapAttrValues = f: mapAttrs (_: f); setAttr = name: value: set: set // { ${name} = value; }; -- cgit v1.2.3 From 444d85ea86d150c4257781605ed372357cda2e18 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 01:54:49 +0100 Subject: krebs types += ssh-{priv,pub}key --- krebs/4lib/types.nix | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 334a94c3a..ed6ae9e4f 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -47,7 +47,7 @@ types // rec { }; ssh.pubkey = mkOption { - type = nullOr str; + type = nullOr ssh-pubkey; default = null; apply = x: optionalTrace (x == null && config.owner.name == build.user.name) @@ -55,25 +55,7 @@ types // rec { x; }; ssh.privkey = mkOption { - type = nullOr (submodule { - options = { - bits = mkOption { - type = nullOr (enum ["4096"]); - default = null; - }; - path = mkOption { - type = either path str; - apply = x: { - path = toString x; - string = x; - }.${typeOf x}; - }; - type = mkOption { - type = enum ["rsa" "ed25519"]; - default = "ed25519"; - }; - }; - }); + type = nullOr ssh-privkey; default = null; }; }; @@ -184,7 +166,7 @@ types // rec { default = config._module.args.name; }; pubkey = mkOption { - type = nullOr str; + type = nullOr ssh-pubkey; default = null; }; uid = mkOption { @@ -198,6 +180,26 @@ types // rec { addr = str; addr4 = str; addr6 = str; + ssh-pubkey = str; + ssh-privkey = submodule { + options = { + bits = mkOption { + type = nullOr (enum ["4096"]); + default = null; + }; + path = mkOption { + type = either path str; + apply = x: { + path = toString x; + string = x; + }.${typeOf x}; + }; + type = mkOption { + type = enum ["rsa" "ed25519"]; + default = "ed25519"; + }; + }; + }; krebs.file-location = types.submodule { options = { -- cgit v1.2.3 From 9d16ea61451aff36963cef3610ac8d51ed0b488b Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 01:57:03 +0100 Subject: krebs types += pgp-pubkey, user.pgp.pubkey --- krebs/3modules/tv/default.nix | 2 +- krebs/4lib/types.nix | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index dd1f0d289..262f508c3 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -357,7 +357,7 @@ with config.krebs.lib; }; tv = { mail = "tv@nomic.retiolum"; - pgp.pubkey = '' + pgp.pubkeys.default = '' -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFbJ/B0BEADZx8l5gRurzhEHcc3PbBepdZqDJQZ2cGHixi8VEk9iN25qJO5y HB0q5sQRsh7oNCbzKp6qRhaG9kXmEda+Uu+qbHWxE32QcT76+W8npH73qthaFwC/ diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index ed6ae9e4f..112984445 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -165,6 +165,16 @@ types // rec { type = username; default = config._module.args.name; }; + pgp.pubkeys = mkOption { + type = attrsOf pgp-pubkey; + default = {}; + description = '' + Set of user's PGP public keys. + + Modules supporting PGP may use well-known key names to define option + defaults, e.g. using `getAttrDef well-known-name pubkeys`. + ''; + }; pubkey = mkOption { type = nullOr ssh-pubkey; default = null; @@ -180,6 +190,9 @@ types // rec { addr = str; addr4 = str; addr6 = str; + + pgp-pubkey = str; + ssh-pubkey = str; ssh-privkey = submodule { options = { -- cgit v1.2.3 From 20afe7b9aeb5d523e10a0d5c597b8c1656bca58e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 16 Mar 2016 02:04:22 +0100 Subject: krebs types += tinc-pubkey --- krebs/4lib/types.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'krebs') diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 112984445..32d1daf9d 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -111,7 +111,7 @@ types // rec { ); }; pubkey = mkOption { - type = str; + type = tinc-pubkey; }; }; })); @@ -214,6 +214,8 @@ types // rec { }; }; + tinc-pubkey = str; + krebs.file-location = types.submodule { options = { # TODO user -- cgit v1.2.3