From 2bc5c58d85990e483af8fde57ed5f2442351b69c Mon Sep 17 00:00:00 2001 
From: tv Date: Sat, 11 Jul 2015 19:44:12 +0200 Subject: move old stuff --- old/Makefile | 48 ++ old/README.md | 32 + old/bin/copy-secrets | 69 +++ old/bin/genid | 11 + old/bin/netmask-to-prefix | 12 + old/bin/nixos-query | 4 + old/bin/urlencode | 35 ++ old/cac | 337 +++++++++++ old/certs/zalora-ca.crt | 24 + old/default.nix | 151 +++++ old/deploy | 15 + old/infest-cac-CentOS-7-64bit.sh | 51 ++ old/infest.d/cac-CentOS-7-64bit/finalize.sh | 66 ++ old/infest.d/cac-CentOS-7-64bit/prepare.sh | 104 ++++ old/infest.d/nixos-install.sh | 8 + old/lib/default.nix | 62 ++ old/lib/git.nix | 181 ++++++ old/lib/modules.nix | 21 + old/modules/cd/default.nix | 91 +++ old/modules/cd/networking.nix | 14 + old/modules/cd/paths.nix | 12 + old/modules/cd/users.nix | 53 ++ old/modules/cloudkrebs/default.nix | 69 +++ old/modules/cloudkrebs/networking.nix | 14 + old/modules/common/krebs-keys.nix | 18 + old/modules/common/krebs-repos.nix | 36 ++ old/modules/common/nixpkgs.nix | 25 + old/modules/common/sshkeys.nix | 26 + old/modules/lass/base.nix | 110 ++++ old/modules/lass/binary-caches.nix | 13 + old/modules/lass/bird.nix | 13 + old/modules/lass/bitcoin.nix | 17 + old/modules/lass/browsers.nix | 67 +++ old/modules/lass/chromium-patched.nix | 48 ++ old/modules/lass/desktop-base.nix | 37 ++ old/modules/lass/elster.nix | 20 + old/modules/lass/games.nix | 25 + old/modules/lass/gitolite-base.nix | 173 ++++++ old/modules/lass/ircd.nix | 83 +++ old/modules/lass/pass.nix | 10 + old/modules/lass/programs.nix | 24 + old/modules/lass/retiolum-cloudkrebs.nix | 21 + old/modules/lass/retiolum-mors.nix | 21 + old/modules/lass/retiolum-uriel.nix | 21 + old/modules/lass/sshkeys.nix | 11 + old/modules/lass/steam.nix | 29 + old/modules/lass/texlive.nix | 7 + old/modules/lass/urxvt.nix | 40 ++ old/modules/lass/urxvtd.nix | 55 ++ old/modules/lass/vim.nix | 116 ++++ old/modules/lass/virtualbox.nix | 22 + old/modules/lass/wine.nix | 23 + old/modules/lass/xresources.nix | 57 ++ old/modules/lass/xserver-lass.nix | 
43 ++ old/modules/mkdir/default.nix | 86 +++ old/modules/mkdir/networking.nix | 14 + old/modules/mkdir/paths.nix | 12 + old/modules/mkdir/users.nix | 19 + old/modules/mors/default.nix | 283 +++++++++ old/modules/mors/git.nix | 71 +++ old/modules/mors/repos.nix | 78 +++ old/modules/mu/default.nix | 466 ++++++++++++++ old/modules/mu/paths.nix | 12 + old/modules/nomic/default.nix | 105 ++++ old/modules/nomic/hardware-configuration.nix | 49 ++ old/modules/nomic/paths.nix | 12 + old/modules/nomic/users.nix | 42 ++ old/modules/rmdir/default.nix | 87 +++ old/modules/rmdir/networking.nix | 15 + old/modules/rmdir/paths.nix | 12 + old/modules/rmdir/users.nix | 19 + old/modules/tv/base-cac-CentOS-7-64bit.nix | 27 + old/modules/tv/base.nix | 16 + old/modules/tv/config/consul-client.nix | 9 + old/modules/tv/config/consul-server.nix | 22 + old/modules/tv/consul/default.nix | 121 ++++ old/modules/tv/ejabberd.nix | 867 +++++++++++++++++++++++++++ old/modules/tv/environment.nix | 93 +++ old/modules/tv/exim-retiolum.nix | 126 ++++ old/modules/tv/exim-smarthost.nix | 474 +++++++++++++++ old/modules/tv/git/cgit.nix | 93 +++ old/modules/tv/git/config.nix | 272 +++++++++ old/modules/tv/git/default.nix | 27 + old/modules/tv/git/options.nix | 93 +++ old/modules/tv/git/public.nix | 82 +++ old/modules/tv/identity/default.nix | 71 +++ old/modules/tv/iptables/config.nix | 93 +++ old/modules/tv/iptables/default.nix | 11 + old/modules/tv/iptables/options.nix | 29 + old/modules/tv/nginx/config.nix | 49 ++ old/modules/tv/nginx/default.nix | 11 + old/modules/tv/nginx/options.nix | 21 + old/modules/tv/retiolum/config.nix | 130 ++++ old/modules/tv/retiolum/default.nix | 11 + old/modules/tv/retiolum/options.nix | 87 +++ old/modules/tv/sanitize.nix | 12 + old/modules/tv/smartd.nix | 17 + old/modules/tv/synaptics.nix | 14 + old/modules/tv/urlwatch/default.nix | 158 +++++ old/modules/tv/urxvt.nix | 24 + old/modules/tv/users/default.nix | 67 +++ old/modules/tv/xserver.nix | 40 ++ 
old/modules/uriel/default.nix | 184 ++++++ old/modules/uriel/repos.nix | 78 +++ old/modules/wu/default.nix | 464 ++++++++++++++ old/modules/wu/hosts.nix | 22 + old/modules/wu/paths.nix | 12 + old/modules/wu/users.nix | 227 +++++++ old/pubkeys/deploy_wu.ssh.pub | 1 + old/pubkeys/lass.ssh.pub | 1 + old/pubkeys/makefu.ssh.pub | 1 + old/pubkeys/mv_vod.ssh.pub | 1 + old/pubkeys/tv_wu.ssh.pub | 1 + old/pubkeys/uriel.ssh.pub | 1 + 114 files changed, 8237 insertions(+) create mode 100644 old/Makefile create mode 100644 old/README.md create mode 100755 old/bin/copy-secrets create mode 100755 old/bin/genid create mode 100755 old/bin/netmask-to-prefix create mode 100755 old/bin/nixos-query create mode 100755 old/bin/urlencode create mode 100755 old/cac create mode 100644 old/certs/zalora-ca.crt create mode 100644 old/default.nix create mode 100755 old/deploy create mode 100755 old/infest-cac-CentOS-7-64bit.sh create mode 100644 old/infest.d/cac-CentOS-7-64bit/finalize.sh create mode 100644 old/infest.d/cac-CentOS-7-64bit/prepare.sh create mode 100644 old/infest.d/nixos-install.sh create mode 100644 old/lib/default.nix create mode 100644 old/lib/git.nix create mode 100644 old/lib/modules.nix create mode 100644 old/modules/cd/default.nix create mode 100644 old/modules/cd/networking.nix create mode 100644 old/modules/cd/paths.nix create mode 100644 old/modules/cd/users.nix create mode 100644 old/modules/cloudkrebs/default.nix create mode 100644 old/modules/cloudkrebs/networking.nix create mode 100644 old/modules/common/krebs-keys.nix create mode 100644 old/modules/common/krebs-repos.nix create mode 100644 old/modules/common/nixpkgs.nix create mode 100644 old/modules/common/sshkeys.nix create mode 100644 old/modules/lass/base.nix create mode 100644 old/modules/lass/binary-caches.nix create mode 100644 old/modules/lass/bird.nix create mode 100644 old/modules/lass/bitcoin.nix create mode 100644 old/modules/lass/browsers.nix create mode 100644 old/modules/lass/chromium-patched.nix 
create mode 100644 old/modules/lass/desktop-base.nix create mode 100644 old/modules/lass/elster.nix create mode 100644 old/modules/lass/games.nix create mode 100644 old/modules/lass/gitolite-base.nix create mode 100644 old/modules/lass/ircd.nix create mode 100644 old/modules/lass/pass.nix create mode 100644 old/modules/lass/programs.nix create mode 100644 old/modules/lass/retiolum-cloudkrebs.nix create mode 100644 old/modules/lass/retiolum-mors.nix create mode 100644 old/modules/lass/retiolum-uriel.nix create mode 100644 old/modules/lass/sshkeys.nix create mode 100644 old/modules/lass/steam.nix create mode 100644 old/modules/lass/texlive.nix create mode 100644 old/modules/lass/urxvt.nix create mode 100644 old/modules/lass/urxvtd.nix create mode 100644 old/modules/lass/vim.nix create mode 100644 old/modules/lass/virtualbox.nix create mode 100644 old/modules/lass/wine.nix create mode 100644 old/modules/lass/xresources.nix create mode 100644 old/modules/lass/xserver-lass.nix create mode 100644 old/modules/mkdir/default.nix create mode 100644 old/modules/mkdir/networking.nix create mode 100644 old/modules/mkdir/paths.nix create mode 100644 old/modules/mkdir/users.nix create mode 100644 old/modules/mors/default.nix create mode 100644 old/modules/mors/git.nix create mode 100644 old/modules/mors/repos.nix create mode 100644 old/modules/mu/default.nix create mode 100644 old/modules/mu/paths.nix create mode 100644 old/modules/nomic/default.nix create mode 100644 old/modules/nomic/hardware-configuration.nix create mode 100644 old/modules/nomic/paths.nix create mode 100644 old/modules/nomic/users.nix create mode 100644 old/modules/rmdir/default.nix create mode 100644 old/modules/rmdir/networking.nix create mode 100644 old/modules/rmdir/paths.nix create mode 100644 old/modules/rmdir/users.nix create mode 100644 old/modules/tv/base-cac-CentOS-7-64bit.nix create mode 100644 old/modules/tv/base.nix create mode 100644 old/modules/tv/config/consul-client.nix create mode 100644 
old/modules/tv/config/consul-server.nix create mode 100644 old/modules/tv/consul/default.nix create mode 100644 old/modules/tv/ejabberd.nix create mode 100644 old/modules/tv/environment.nix create mode 100644 old/modules/tv/exim-retiolum.nix create mode 100644 old/modules/tv/exim-smarthost.nix create mode 100644 old/modules/tv/git/cgit.nix create mode 100644 old/modules/tv/git/config.nix create mode 100644 old/modules/tv/git/default.nix create mode 100644 old/modules/tv/git/options.nix create mode 100644 old/modules/tv/git/public.nix create mode 100644 old/modules/tv/identity/default.nix create mode 100644 old/modules/tv/iptables/config.nix create mode 100644 old/modules/tv/iptables/default.nix create mode 100644 old/modules/tv/iptables/options.nix create mode 100644 old/modules/tv/nginx/config.nix create mode 100644 old/modules/tv/nginx/default.nix create mode 100644 old/modules/tv/nginx/options.nix create mode 100644 old/modules/tv/retiolum/config.nix create mode 100644 old/modules/tv/retiolum/default.nix create mode 100644 old/modules/tv/retiolum/options.nix create mode 100644 old/modules/tv/sanitize.nix create mode 100644 old/modules/tv/smartd.nix create mode 100644 old/modules/tv/synaptics.nix create mode 100644 old/modules/tv/urlwatch/default.nix create mode 100644 old/modules/tv/urxvt.nix create mode 100644 old/modules/tv/users/default.nix create mode 100644 old/modules/tv/xserver.nix create mode 100644 old/modules/uriel/default.nix create mode 100644 old/modules/uriel/repos.nix create mode 100644 old/modules/wu/default.nix create mode 100644 old/modules/wu/hosts.nix create mode 100644 old/modules/wu/paths.nix create mode 100644 old/modules/wu/users.nix create mode 100644 old/pubkeys/deploy_wu.ssh.pub create mode 100644 old/pubkeys/lass.ssh.pub create mode 100644 old/pubkeys/makefu.ssh.pub create mode 100644 old/pubkeys/mv_vod.ssh.pub create mode 100644 old/pubkeys/tv_wu.ssh.pub create mode 100644 old/pubkeys/uriel.ssh.pub (limited to 'old') 
diff --git a/old/Makefile b/old/Makefile
new file mode 100644
index 00000000..bef7727c
--- /dev/null
+++ b/old/Makefile
@@ -0,0 +1,48 @@
+all:;@exit 23
+
+tv-cluster := cd mkdir nomic rmdir wu
+deploy-cd:; ./deploy cd
+deploy-mkdir:; ./deploy mkdir
+deploy-nomic:; ./deploy nomic root@nomic-local
+deploy-rmdir:; ./deploy rmdir
+deploy-wu:; ./deploy wu root@localhost
+
+ifndef cluster
+cluster := $(LOGNAME)
+endif
+hosts := $($(cluster)-cluster)
+ifeq ($(hosts),)
+$(error bad cluster: $(cluster))
+else
+.ONESHELL:
+
+.PHONY: deploy $(addprefix deploy-,$(hosts))
+deploy:
+ exec parallel \
+ -j 0 \
+ --no-notice \
+ --rpl '{u} s/^.* deploy-(.*)/\1/' \
+ --tagstring '{u}' \
+ --line-buffer \
+ $(MAKE) deploy-{} ::: $(hosts)
+
+.PHONY: rotate-consul-encrypt
+rotate-consul-encrypt:
+ umask 0377
+ mkencrypt() { dd status=none if=/dev/random bs=1 count=16 | base64; }
+ json=$$(printf '{"encrypt":"%s"}\n' $$(mkencrypt))
+ cmd='
+ f=secrets/{}/rsync/etc/consul/encrypt.json
+ rm -f "$$f"
+ echo "$$json" > "$$f"
+ '
+ export json
+ exec parallel \
+ -j 0 \
+ --no-notice \
+ --rpl '{u} s/^.* deploy-(.*)/\1/' \
+ --tagstring '{u}' \
+ --line-buffer \
+ --quote \
+ sh -eufc "$$cmd" ::: $(hosts)
+endif
diff --git a/old/README.md b/old/README.md
new file mode 100644
index 00000000..8a72d2fe
--- /dev/null
+++ b/old/README.md
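Review bot: `rotate-consul-encrypt` depends on two things it never states: the `umask 0377` set in the recipe is inherited through `parallel` into each `sh -eufc` child, which is what makes every `encrypt.json` come out 0400, and the single `$$json` value is deliberately written to every host in `$(hosts)` rather than one key per host. A later edit that moves the umask or moves key generation into `$$cmd` would silently break either property. Suggest a comment above the recipe: `# one shared key for all $(hosts); umask 0377 is inherited by the parallel children so each encrypt.json is created 0400`.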
@@ -0,0 +1,32 @@
+
+
+# Turn a Cloud at Cost CentOS-7-64bit server into NixOS
+
+1. Configure the system (`$systemname`) you'd like to install (see Configuration below).
+2. Create new server instance (either Custom or cloudpro) using "CentOS-7-64bit".
+ Note the servername (something like c731445864-cloudpro-388922936).
+3. `cac_login=xxx cac_key=yyy ./infest-cac-CentOS-7-64bit.sh servername:$servername $systename`
+4. Enjoy. (`ssh root@$systename`)
+
+# Configuration
+
+Configure your system in modules/$systemname
+See modules/cd/default.nix as an example.
+
+Notice that modules/$systemname/networking will be autogenerated (but not committed).
+
+secrets/$systemname/nix/foo can be accessed as `` from within the configuration.
+
+You might want `secrets/$systemname/rsync/etc/tinc/retiolum/rsa_key.priv`.
+
+You might want `secrets/$systemname/nix/hashedPasswords.nix`, which looks like
+
+```nix
+_: { users.extraUsers.root.hashedPassword = "XXX"; }
+```
+
+`XXX` can be generated with e.g.
+
+```
+mkpasswd -m sha-512 -S $(openssl rand -base64 16 | tr -d '+=' | head -c 16)
+```
diff --git a/old/bin/copy-secrets b/old/bin/copy-secrets
new file mode 100755
index 00000000..f4049359
--- /dev/null
+++ b/old/bin/copy-secrets
@@ -0,0 +1,69 @@ +#! /bin/sh +# +# copy-secrets system_name target +# +set -euf + +system_name=$1 +target=$2 + +nixos_config=$config_root/modules/$system_name +secrets_nix=$secrets_root/$system_name/nix +secrets_rsync=$secrets_root/$system_name/rsync + +if ! test -e "$secrets_rsync"; then + exit # nothing to do +fi + +# XXX this is ugly +# Notice NIX_PATH used from host +# Notice secrets required to evaluate configuration +NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$system_name +NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$system_name/nix +export NIX_PATH + +case $(nixos-query tv.retiolum.enable 2>/dev/null) in true) + retiolum_secret=$(nixos-query tv.retiolum.privateKeyFile) + retiolum_uid=$(nixos-query users.extraUsers.retiolum-tinc.uid) +esac + +case $(nixos-query services.ejabberd-cd.enable 2>/dev/null) in true) + ejabberd_secret=$(nixos-query services.ejabberd-cd.certFile) + ejabberd_uid=$(nixos-query users.extraUsers.ejabberd.uid) +esac + +case $(nixos-query tv.consul.enable 2>/dev/null) in true) + consul_secret=$(nixos-query tv.consul.encrypt-file) + consul_uid=$(nixos-query users.extraUsers.consul.uid) +esac + +(set -x + rsync \ + --rsync-path="mkdir -p \"$2\" && rsync" \ + -vzrlptD \ + "$secrets_rsync/" \ + "$target:/") + +ssh "$target" -T < + max=2^32 # see 2^(8*sizeof(uid_t)) + ibase=16 + ($hash + min) % max +" | bc diff --git a/old/bin/netmask-to-prefix b/old/bin/netmask-to-prefix new file mode 100755 index 00000000..1c4dbeb2 --- /dev/null +++ b/old/bin/netmask-to-prefix @@ -0,0 +1,12 @@ +#! /bin/sh +set -euf + +netmask=$1 + +binaryNetmask=$(echo $1 | sed 's/^/obase=2;/;s/\./;/g' | bc | tr -d \\n) +binaryPrefix=$(echo $binaryNetmask | sed -n 's/^\(1*\)0*$/\1/p') +if ! echo $binaryPrefix | grep -q .; then + echo $0: bad netmask: $netmask >&2 + exit 4 +fi +printf %s $binaryPrefix | tr -d 0 | wc -c diff --git a/old/bin/nixos-query b/old/bin/nixos-query new file mode 100755 index 00000000..1111aead --- /dev/null +++ b/old/bin/nixos-query 
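Review bot: `--rsync-path="mkdir -p \"$2\" && rsync"` hands `mkdir` the value of `$2`, which in this script is the ssh target (`user@host`), not a remote path, so the remote side creates a literal `user@host` directory in the login user's home and the real destination `/` is never what gets prepared; since the destination is `/`, the option can simply be dropped. The same `mkdir -p "$2"` pattern appears in `rsyncfiles` in `old/cac`, where `$2` is the full `host:/path` rsync target and the same stray directory results. The heredoc fed to `ssh "$target" -T` at the end of this hunk is not legible in this rendering, so what it does with `retiolum_uid`, `ejabberd_uid` and `consul_uid` cannot be reviewed here.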
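Review bot: the `bc` conversion does not zero-pad each octet to eight bits, so a non-contiguous mask such as `255.255.255.1` becomes twenty-three ones followed by a single `1`, passes the `1*0*` check and is reported as `/25`; the validation only rejects masks whose low octets happen to begin with a 1 bit. Pad each octet before concatenating, e.g. `binaryNetmask=$(for o in $(echo "$netmask" | tr . ' '); do printf %08d "$(echo "obase=2;$o" | bc)"; done)`, after which `255.255.1.0` and `255.255.255.1` fail as they should. This value feeds `prefixLength` in `generatenetworking` in `old/cac`, so an odd netmask from the API would otherwise reach the generated NixOS config unnoticed.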
@@ -0,0 +1,4 @@
+#! /bin/sh
+set -euf
+result=$(nix-instantiate -A config."$1" --eval --json '')
+echo $result | jq -r .
diff --git a/old/bin/urlencode b/old/bin/urlencode
new file mode 100755
index 00000000..02ca0307
--- /dev/null
+++ b/old/bin/urlencode
@@ -0,0 +1,35 @@
+#! /bin/sh
+set -euf
+exec sed '
+ s/%/%25/g
+ s/ /%20/g
+ s/!/%21/g
+ s/"/%22/g
+ s/#/%23/g
+ s/\$/%24/g
+ s/\&/%26/g
+ s/'\''/%27/g
+ s/(/%28/g
+ s/)/%29/g
+ s/\*/%2a/g
+ s/+/%2b/g
+ s/,/%2c/g
+ s/-/%2d/g
+ s/\./%2e/g
+ s/\//%2f/g
+ s/:/%3a/g
+ s/;/%3b/g
+ s//%3e/g
+ s/?/%3f/g
+ s/@/%40/g
+ s/\[/%5b/g
+ s/\\/%5c/g
+ s/\]/%5d/g
+ s/\^/%5e/g
+ s/_/%5f/g
+ s/`/%60/g
+ s/{/%7b/g
+ s/|/%7c/g
+ s/}/%7d/g
+ s/~/%7e/g
+'
diff --git a/old/cac b/old/cac
new file mode 100755
index 00000000..fb816b99
--- /dev/null
+++ b/old/cac
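Review bot: `echo $result | jq -r .` passes the JSON from `nix-instantiate` through an unquoted `echo`, so runs of whitespace inside a string value are collapsed and, under `/bin/sh` implementations such as dash whose `echo` interprets backslash escapes, a `\n` or `\\` escape inside the JSON is rewritten before `jq` parses it (`set -f` is on, so globbing is not the issue). Use `printf '%s\n' "$result" | jq -r .`. The same `echo $var | jq` shape recurs throughout `old/cac` for `$server`, `$servers` and `$reply`, where the server list contains `rootpass` values that may legitimately contain such characters.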
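Review bot: the substitution table covers printable ASCII only, so bytes above 0x7f pass through unencoded and, because `sed` works line by line, a newline in the input is emitted as a newline rather than `%0a`; the callers in `old/cac` (`_cac_curl_api_v1`, which feeds the result to `curl -d`) and `old/default.nix` (`cache_dir`) therefore get a valid encoding only for single-line ASCII values. A header comment should state that contract: `# percent-encodes printable ASCII except '=' (so key=value pairs survive); bytes >= 0x80 and newlines pass through unchanged`. The `<` and `>` entries look mangled in this rendering (`s//%3e/g`), so I cannot tell whether both are actually present in the file.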
@@ -0,0 +1,337 @@ +#! /bin/sh +set -euf + +PATH=$PWD/bin:$PATH +export PATH + +cac_listservers_cache=$PWD/tmp/cac_listservers_cache.json + + +cac() { + __cac_cli__command=$1 + shift + __cac_cli__"$__cac_cli__command" "$@" +} + +# WIP +__cac_cli__help() {( + exec sed < "$0" -n ' + s/^__cac_cli__\([^(]\+\)().*/\1/p + ' +)} + +# usage: console +__cac_cli__console() {( + server=$(__cac_cli__getserver "$1") + sid=$(echo $server | jq -r .sid) + # TODO check reply status == ok + _cac_post_api_v1 console sid="$sid" | jq -r .console +)} + +__cac_cli__listservers() { + jq -r . $cac_listservers_cache +} + +__cac_cli__update() {( + umask 0077 + servers=$(_cac_listservers) + echo $servers > $cac_listservers_cache.tmp + mv $cac_listservers_cache.tmp $cac_listservers_cache +)} + +__cac_cli__getserver() {( + + case $1 in + *:*) + k=${1%%:*} + v=${1#*:} + ;; + *) + k=label + v=${1#*:} + ;; + esac + + if result=$(jq \ + -e \ + --arg k "$k" \ + --arg v "$v" \ + ' + map(select(.[$k]==$v)) | + if (. | length) == 1 then + .[0] + else + null + end + ' \ + $cac_listservers_cache); then + echo $result | jq -r . 
+ else + echo "$0 getserver $k:$v => not unique server found" >&2 + exit 23 + fi +)} + +__cac_cli__generatenetworking() {( + server=$(__cac_cli__getserver "$1") + + hostname=$(echo $server | jq -r .label) + + address=$(echo $server | jq -r .ip) + gateway=$(echo $server | jq -r .gateway) + nameserver=8.8.8.8 + netmask=$(echo $server | jq -r .netmask) + prefix=$(netmask-to-prefix $netmask) + + #printf '# Generated file: %s generatenetworking %s %s\n' "$0" "$1" "$2" + #printf '# on %s\n' "$(date -Is)" + #printf '\n' + printf '_:\n' + printf '\n' + printf '{\n' + printf ' networking.hostName = "%s";\n' $hostname + printf ' networking.interfaces.enp2s1.ip4 = [\n' + printf ' {\n' + printf ' address = "%s";\n' $address + printf ' prefixLength = %d;\n' $prefix + printf ' }\n' + printf ' ];\n' + printf ' networking.defaultGateway = "%s";\n' $gateway + printf ' networking.nameservers = [\n' + printf ' "%s"\n' $nameserver + printf ' ];\n' + printf '}\n' +)} + +__cac_cli__powerop() {( + server=$(__cac_cli__getserver "$1") + action=$2 + + sid=$(echo $server | jq -r .sid) + + reply=$(_cac_post_api_v1 powerop sid="$sid" action="$action") + + case $(echo $reply | jq -r .status) in + ok) + echo $reply | jq -r . >&2 + __cac_cli__update + ;; + *) + echo bad reply: >&2 + echo $reply | jq -r . >&2 + exit 23 + ;; + esac +)} +__cac_cli__pushconfig() {( + server=$(__cac_cli__getserver "$1") + + prefix=${2-/} + + hostname=$(echo $server | jq -r .label) + + address=$(echo $server | jq -r .ip) + target=root@$address + + RSYNC_RSH='sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' + SSHPASS=$(echo $server | jq -r .rootpass) + export RSYNC_RSH SSHPASS + + pushgit . 
$target:$prefix/etc/nixos/ + pushgit hosts $target:$prefix/etc/nixos/hosts/ + pushgit tmp/nixpkgs/$hostname $target:$prefix/etc/nixos/nixpkgs/ + pushdir secrets/$hostname/nix $target:$prefix/etc/nixos/secrets/ + pushdir secrets/$hostname/rsync $target:$prefix/ + echo "_:{imports=[./modules/$hostname];}" \ + | $RSYNC_RSH "$target" tee "$prefix/etc/nixos/configuration.nix" \ + > /dev/null + + ## TODO chmod and chown secrets +)} + +__cac_cli__setlabel() {( + server=$(__cac_cli__getserver "$1") + label=$2 + + sid=$(echo $server | jq -r .sid) + + reply=$(_cac_post_api_v1 renameserver sid="$sid" name="$label") + + case $(echo $reply | jq -r .status) in + ok) + echo $reply | jq -r . >&2 + __cac_cli__update + ;; + *) + echo bad reply: >&2 + echo $reply | jq -r . >&2 + exit 23 + ;; + esac +)} + +__cac_cli__setmode() {( + server=$(__cac_cli__getserver "$1") + mode=$2 + + sid=$(echo $server | jq -r .sid) + + reply=$(_cac_post_api_v1 runmode sid="$sid" mode="$mode") + + case $(echo $reply | jq -r .status) in + ok) + echo $reply | jq -r . >&2 + __cac_cli__update + ;; + *) + echo bad reply: >&2 + echo $reply | jq -r . + exit 23 + ;; + esac +)} + +__cac_cli__ssh() {( + server=$(__cac_cli__getserver "$1") + shift + + address=$(echo $server | jq -r .ip) + target=root@$address + + SSHPASS=$(echo $server | jq -r .rootpass) + export SSHPASS + + exec sshpass -e ssh \ + -S none \ + -o StrictHostKeyChecking=no \ + -o UserKnownHostsFile=/dev/null \ + $target \ + "$@" +)} + + +# usage: ./cac waitstatus mode:Safe 'Powered On' +# blocks until server has specfied state +__cac_cli__waitstatus() { + server=$(__cac_cli__getserver "$1") + status=$(echo $server | jq -r .status) + + case $status in + $2) + return + ;; + esac + + echo "$(date -Is) Waiting for status: $2; current status: $status ..." 
>&2 + + __cac_cli__waitforcacheupdate __cac_cli__waitstatus "$@" +} + + +# XXX for __cac_cli__waitforcacheupdate and __cac_cli__poll cache means $cac_listservers_cache + +# blocks until cache has been updated then executes "$@" +__cac_cli__waitforcacheupdate() { + case $(inotifywait --format %f -q -e moved_to $(dirname $cac_listservers_cache)) in + $(basename $cac_listservers_cache)) "$@";; + *) __cac_cli__waitforcacheupdate "$@";; + esac +} + +# usage: with cac ./cac poll 60s +# continuously update cache, sleeping at least $1 between updates +__cac_cli__poll() { + __cac_cli__update + t=${1-1m} + echo "$(date -Is) cache updated; sleeping $t ..." >&2 + sleep "$t" + __cac_cli__poll "$@" +} + + +_cac_listservers() {( + servers=$(_cac_get_api_v1 listservers) + status=$(echo $servers | jq -r .status) + + if [ "$status" = ok ]; then + echo "$servers" | jq -r .data + else + echo "cac_listservers: bad listservers status: $status" >&2 + exit 1 + fi +)} + + + + +# rsyncfiles : lines filename |> local-dir x rsync-target -> ? |> ? +rsyncfiles() {( + set -x + rsync \ + --rsync-path="mkdir -p \"$2\" && rsync" \ + -vzrlptD \ + --files-from=- \ + "$1"/ \ + "$2" +)} + + +# gitfiles : git-work-tree -> lines filename +gitfiles() { + git -C "$1" archive --format=tar HEAD | tar t | sed '/\/$/d' +} + +# pushgit : git-work-tree x rsync-target -> ? +pushgit() { + gitfiles "$1" | rsyncfiles "$1" "$2" +} + +# dirfiles : local-dir -> lines filename +dirfiles() {( + cd "$1" + find . -type f | sed 's/^\.\///' +)} + +# pushdir : local-dir x rsync-target -> ? 
+pushdir() { + dirfiles "$1" | rsyncfiles "$1" "$2" +} + + + + + + +_cac_get_api_v1() { + _cac_curl_api_v1 -G "$@" +} + +_cac_post_api_v1() { + _cac_curl_api_v1 -XPOST "$@" +} + +_cac_curl_api_v1() { + _cac_exec curl -sS "$1" "https://panel.cloudatcost.com/api/v1/$2.php" $( + shift 2 + set -- "$@" login="$cac_login" key="$cac_key" + for arg; do + echo -d $(printf '%s' "$arg" | urlencode) + done + ) +} + +_cac_exec() { + if test -z "${cac_via-}"; then + env -- "$@" + else + ssh -q "$cac_via" -t "$@" + fi +} + + + + + +case ${run-true} in + true) cac "$@";; +esac diff --git a/old/certs/zalora-ca.crt b/old/certs/zalora-ca.crt new file mode 100644 index 00000000..12cdf8fc --- /dev/null +++ b/old/certs/zalora-ca.crt 
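Review bot: `_cac_curl_api_v1` places `login="$cac_login"` and `key="$cac_key"` on the `curl` command line as `-d` arguments, so the API key is readable by every local user in the process list for the duration of each request, becomes part of the request URL for the `-G` (`listservers`) call and thus of any proxy or server access log, and when `cac_via` is set is additionally shipped through `ssh -t` as part of a remote command string. Keep the credentials off argv by building the body and handing it to curl via `-d @-` on stdin or a mode-0600 `-K`/`--config` file; the `_cac_exec` ssh path would need stdin forwarded for the former. Separately, `__cac_cli__setmode`'s error branch prints the reply with `echo $reply | jq -r .` to stdout while `setlabel` and `powerop` send the same output to stderr; add the `>&2` for consistency.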
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIJAPImpJwMgGmhMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD +VQQGEwJTRzESMBAGA1UECAwJU2luZ2Fwb3JlMQ8wDQYDVQQKDAZaYWxvcmExCzAJ +BgNVBAsMAklUMSUwIwYDVQQDDBxaYWxvcmEgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 +MSUwIwYJKoZIhvcNAQkBFhZpdC1zZXJ2aWNlc0B6YWxvcmEuY29tMB4XDTE0MDkx +ODIxNDY0N1oXDTI0MDkxNTIxNDY0N1owgY0xCzAJBgNVBAYTAlNHMRIwEAYDVQQI +DAlTaW5nYXBvcmUxDzANBgNVBAoMBlphbG9yYTELMAkGA1UECwwCSVQxJTAjBgNV +BAMMHFphbG9yYSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxJTAjBgkqhkiG9w0BCQEW +Fml0LXNlcnZpY2VzQHphbG9yYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDi48Tkh6XuS2gdE1+gsPPQjTI8Q2wbXqZGTHnyAZx75btOIUZHeHJm +Fvu8erAD+vtx1nD1GOG30uvHFk9Of2mFY1fxw0R1LthJHSLFJU1/GjFSggHWkaI3 +HBSmeALjss/XHG3EtShLo8SHBc/+B8ehqj1JqcXF8q50JtfTQ+zlf+k26ke2S5Xo +OdHLxjlNaPwj+TgJI1DHqs/bTapaPHPKk5+jFQzAcMmq0bygzpQTHCvvKqcoXaJk +UgDBQnVsJUtwfObrM1TKu2TOXUhqgfnnflYf2sz5Sr30QlkrHP+PM3BRLB+6FXhr +UlKKVcAcIwrBo0aJ5Sd0fv39GwV1XCWVAgMBAAGjUDBOMB0GA1UdDgQWBBQFftMH +5/dc0pUNDqLbVQ8gm7+I5TAfBgNVHSMEGDAWgBQFftMH5/dc0pUNDqLbVQ8gm7+I +5TAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQC2aSKJ15v5OI7Zj/HQ +lW+iY9STBPJi9lgOjaGrNaPX0IuhJLkeKDntmzjvpGwvcylHMp6Im02svTymteNN +38s8A0aStnmW4ysGT853H7L7Jxzf7J2vrUF0Dj4QkZ07Gp3vAgKnWVcqz36Xr0Se +DEqrKMl/6fq3Ygl35fZXP1kb6t/wP6qx69bnENH6ksHFpZapWYssKNZO9yiB8+Eq +ngB22X/ycMmAqOnNQDzw1JBw7LzdXypCG75UKEK6kbnUy2yPADdHpH8v9qcRa1U9 +vEmUTJs6i1CpPO+2frPJ8A8QIp61nNxe7xJ1SnNVtwk9d6SRet6YGySvgG748Wjw +GwWx +-----END CERTIFICATE----- diff --git a/old/default.nix b/old/default.nix new file mode 100644 index 00000000..84153482 --- /dev/null +++ b/old/default.nix 
@@ -0,0 +1,151 @@ +{ system-name +, rsync-target ? null +, deploy-target ? null +}: + +# TODO assert that only one of rsync-target or deploy-target is not null + +with builtins; +assert (typeOf system-name == "string"); +with import ; +let + paths-file = toPath "${dirOf __curPos.file}/modules/${system-name}/paths.nix"; + + paths = import paths-file; + + prefetch.file = '' + echo "$prefetch_in_url" + ''; + + prefetch.git = '' + ${concatMapStringsSep "\n" (attr-name: '' + case ''${prefetch_in_${escapeShellArg attr-name}-?} in \?) + printf '%s: %s: missing attribute: %s' \ + ${escapeShellArg paths-file} \ + "$prefetch_name" \ + ${escapeShellArg attr-name} \ + >&2 + return 1 + esac + '') [ "rev" "url" "cache" ]} + + git_rev=$prefetch_in_rev + git_url=$prefetch_in_url + + # cache_dir points to a (maybe non-existent) directory, where a shared cache of + # the repository should be maintained. The shared cache is used to create + # multiple working trees of the repository. + cache_dir=$prefetch_in_cache/$(echo "$git_url" | urlencode) + cache_git() { + git --git-dir="$cache_dir" "$@" + } + + # work_dir points to a (maybe non-existent) directory, where a specific + # revision of the repository is checked out. + # XXX this is probably a bad idea if git_rev is not a commit + work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode) + work_git() { + git -C "$work_dir" "$@" + } + + is_up_to_date() { + test -d "$cache_dir" && + test -d "$work_dir" && + test "$(cache_git rev-parse --verify "$git_rev")" = "$git_rev" && + test "$(work_git rev-parse --verify HEAD)" = "$git_rev" + } + + # Notice how the remote name "origin" has been chosen arbitrarily, but must be + # kept in sync with the default value of nixpkgs.rev. + if ! is_up_to_date; then + if ! test -d "$cache_dir"; then + mkdir -p "$cache_dir" + cache_git init --bare + fi + if ! 
cache_git_url=$(cache_git config remote.origin.url); then + cache_git remote add origin "$git_url" + elif test "$cache_git_url" != "$git_url"; then + cache_git remote set-url origin "$git_url" + fi + cache_git fetch origin + if ! test -d "$work_dir"; then + git clone -n --shared "$cache_dir" "$work_dir" + fi + commit_name=$(cache_git rev-parse --verify "$git_rev") + work_git checkout "$commit_name" -- "$(readlink -f "$work_dir")" + work_git checkout -q "$commit_name" + work_git submodule init + work_git submodule update + fi + work_git clean -dxf + + echo "$work_dir" + ''; + + + f = pkg-name: pkg-spec: + let + types = attrNames pkg-spec; + type = elemAt types 0; + in + assert (length types == 1); # there can be only one source type + '' + out=$(${concatStringsSep " \\\n" (mapAttrsToList (k: v: + "prefetch_in_${escapeShellArg k}=${escapeShellArg (toString v)}") pkg-spec.${type})} \ + prefetch_name=${escapeShellArg pkg-name} \ + __prefetch_${escapeShellArg type}) + printf '%s=%s\n' \ + ${escapeShellArg pkg-name} \ + "$out" + ''; +in +'' +#! 
/bin/sh +set -euf + +PATH=${toString ./.}/bin:$PATH +export PATH + +__prefetch_file() { +${prefetch.file} +} +__prefetch_git() { +${prefetch.git} +} + +# TODO make sure x contains only sane chars +x=$(${concatStrings (mapAttrsToList f paths)}) + +${optionalString (rsync-target != null) '' + proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ + rsync --delete --delete-excluded \ + --filter='- /*/.git' \ + --rsync-path='mkdir -p -m 0700 /shitment/ && rsync' \ + -vaz \ + --no-owner \ + --no-group \ + '/shitment/' \ + ${escapeShellArg rsync-target} +''} + + +${optionalString (deploy-target != null) '' + system_path=$(proot $(echo "$x" | sed -n 's@^\([^=]\+\)=\(.*\)@-b \2:/shitment/\1@p') \ + env \ + NIX_PATH=/shitment \ + NIXOS_CONFIG=/shitment/modules/${escapeShellArg system-name} \ + nix-build -A system --no-out-link '') + + system_name=${escapeShellArg system-name} + target=${escapeShellArg deploy-target} + + nix-copy-closure --gzip --to "$target" "$system_path" + + secrets_root=${toString ./.}/secrets \ + config_root=${toString ./.} \ + copy-secrets "$system_name" "$target" + + ssh ''${NIX_SSHOPTS-} "$target" "$system_path/bin/switch-to-configuration" switch +''} + +'' diff --git a/old/deploy b/old/deploy new file mode 100755 index 00000000..a9dbf45e --- /dev/null +++ b/old/deploy @@ -0,0 +1,15 @@ +#! /bin/sh +# +# usage: ./deploy system_name [target] +# +set -euf + +system_name=$1 +target=${2-root@$system_name} + +nix-instantiate \ + --argstr system-name "$system_name" \ + --argstr deploy-target "$target" \ + --eval --json . \ + | jq -r . \ + | sh diff --git a/old/infest-cac-CentOS-7-64bit.sh b/old/infest-cac-CentOS-7-64bit.sh new file mode 100755 index 00000000..1e96e0e2 --- /dev/null +++ b/old/infest-cac-CentOS-7-64bit.sh 
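Review bot: in `prefetch.git`, `work_dir=$cache_dir-$(cache_git rev-parse --verify "$git_rev" | urlencode)` is evaluated before `is_up_to_date` gets a chance to create or fetch the cache, so on a first run `$cache_dir` does not exist, `rev-parse` fails, and because the pipeline's status is that of `urlencode` the generated script's `set -e` does not trip — `work_dir` silently becomes `$cache_dir-` with an empty revision suffix, that directory is cloned into and printed, and the next run (cache now present) uses a different, correctly suffixed path. Compute `work_dir` after `cache_git fetch origin` (or after the guarded `mkdir`/`init`) and fail explicitly when `rev-parse` cannot resolve `$git_rev`. The same mis-resolution occurs when `git_rev` names a branch or tag the cache has not fetched yet, which the existing `XXX` comment only partly acknowledges.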
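Review bot: the pipeline `nix-instantiate ... | jq -r . | sh` reports only `sh`'s exit status, so when `nix-instantiate` fails (an evaluation error, a missing `paths.nix`) `jq` and `sh` see empty input and `./deploy` exits 0 having done nothing; `set -euf` does not help because the failing command is not the last in the pipeline. Capture the evaluation first so its failure is fatal: `json=$(nix-instantiate --argstr system-name "$system_name" --argstr deploy-target "$target" --eval --json .)` followed by `printf '%s\n' "$json" | jq -r . | sh`. A short usage comment already exists, so only the capture needs adding.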
@@ -0,0 +1,51 @@
+#! /bin/sh
+set -xeuf
+
+serverspec=$1
+systemname=$2
+
+(
+ PATH=$PWD/bin:$PATH
+ export PATH
+
+ # Notice NIX_PATH used from host
+ # Notice secrets required to evaluate configuration
+ NIX_PATH=$NIX_PATH:nixos-config=$PWD/modules/$systemname
+ NIX_PATH=$NIX_PATH:secrets=$PWD/secrets/$systemname/nix
+ export NIX_PATH
+
+ case $(nixos-query nixpkgs.dirty) in true)
+ echo "$0: cannot use nixpkgs.dirty" >&2 # b/c ./cac pushconfig
+ exit -1
+ esac
+
+ prefetch nixpkgs tmp/nixpkgs/$systemname
+)
+
+./cac poll 10s 2>/dev/null &
+pollpid=$!
+trap "kill $pollpid; trap - EXIT" EXIT
+
+./cac waitstatus $serverspec 'Powered On'
+
+# TODO don't set label/mode if they're already good
+./cac setlabel $serverspec $systemname
+./cac setmode $systemname normal
+./cac generatenetworking $systemname > modules/$systemname/networking.nix
+
+cat infest.d/cac-CentOS-7-64bit/prepare.sh | ./cac ssh $systemname \
+ nix_url=https://nixos.org/releases/nix/nix-1.9/nix-1.9-x86_64-linux.tar.bz2 \
+ nix_sha256=5c76611c631e79aef5faf3db2d253237998bbee0f61fa093f925fa32203ae32b \
+ /bin/sh
+
+./cac pushconfig $systemname /mnt
+
+# This needs to be run twice because (at least):
+# Initialized empty Git repository in /var/lib/git/$reponame
+# chown: invalid user: 'git:nogroup'
+cat infest.d/nixos-install.sh | ./cac ssh $systemname || :
+cat infest.d/nixos-install.sh | ./cac ssh $systemname
+
+cat infest.d/cac-CentOS-7-64bit/finalize.sh | ./cac ssh $systemname
+
+./cac powerop $systemname reset
diff --git a/old/infest.d/cac-CentOS-7-64bit/finalize.sh b/old/infest.d/cac-CentOS-7-64bit/finalize.sh
new file mode 100644
index 00000000..b70276b3
--- /dev/null
+++ b/old/infest.d/cac-CentOS-7-64bit/finalize.sh
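Review bot: the subshell runs `prefetch nixpkgs tmp/nixpkgs/$systemname`, but no `prefetch` is among the files this commit adds (`old/bin` holds copy-secrets, genid, netmask-to-prefix, nixos-query and urlencode) and `PATH` is only extended with `$PWD/bin`, so this step depends on a tool outside the tree — presumably a predecessor of the `__prefetch_git` logic that `old/default.nix` now inlines. A comment naming where it comes from, or a guard such as `command -v prefetch >/dev/null || { echo "$0: prefetch not found" >&2; exit 1; }` before the subshell, would save the next reader a half-finished run against a live server. Also `exit -1` is outside the 0–255 range POSIX defines for `exit` (dash, at least, rejects it as an illegal number and bash wraps it to 255); `exit 1` gives the same abort with a defined status.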
@@ -0,0 +1,66 @@
+#! /bin/sh
+set -eu
+{
+ umount /mnt2
+ umount /mnt/nix
+ umount /mnt/boot
+ umount /mnt
+ umount /boot
+
+ PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i)
+ export PATH
+
+ mkdir /oldshit
+
+ mv /bin /oldshit/
+ mv /newshit/bin /
+
+ # TODO ensure /boot is empty
+ rmdir /newshit/boot
+
+ # skip /dev
+ rmdir /newshit/dev
+
+ mv /etc /oldshit/
+ mv /newshit/etc /
+
+ # TODO ensure /home is empty
+ rmdir /newshit/home
+
+ # skip /nix (it's already there)
+ rmdir /newshit/nix
+
+ # skip /proc
+ rmdir /newshit/proc
+
+ # skip /run
+ rmdir /newshit/run
+
+ # skip /sys
+ rmdir /newshit/sys
+
+ # skip /tmp
+ # TODO rmdir /newshit/tmp
+
+ mv /usr /oldshit/
+ mv /newshit/usr /
+
+ mv /var /oldshit/
+ mv /newshit/var /
+
+ mv /root /oldshit/
+ mv /newshit/root /
+
+ mv /lib /oldshit/
+ mv /lib64 /oldshit/
+ mv /sbin /oldshit/
+ mv /mnt2 /oldshit/
+ mv /srv /oldshit/
+ mv /opt /oldshit/
+
+
+ mv /newshit /root/ # TODO this one shoult be empty
+ mv /oldshit /root/
+
+ sync
+}
diff --git a/old/infest.d/cac-CentOS-7-64bit/prepare.sh b/old/infest.d/cac-CentOS-7-64bit/prepare.sh
new file mode 100644
index 00000000..f932e9c3
--- /dev/null
+++ b/old/infest.d/cac-CentOS-7-64bit/prepare.sh
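Review bot: `PATH=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i)` takes whichever `*coreutils*` store path sorts last, with no check that it really provides `mv`, `rmdir` and `sync`, and if nothing matches the unexpanded glob itself becomes `PATH`; every command after `mv /bin /oldshit/` depends on that choice, so a wrong pick leaves the host half-migrated with its original `/bin` already gone. Verify before the move: `coreutils=$(for i in /nix/store/*coreutils*/bin; do :; done; echo $i)`, `test -x "$coreutils/mv" || { echo "$0: no coreutils found" >&2; exit 1; }`, `PATH=$coreutils`. The whole body is wrapped in `{ ... }`, presumably so the shell parses the entire script before `/bin/sh` disappears from under it; a one-line comment stating that intent would stop someone from "simplifying" the braces away.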
@@ -0,0 +1,104 @@ +#! /bin/sh +set -euf + +: $nix_url +: $nix_sha256 + +{ + # + # prepare host + # + + type bzip2 2>/dev/null || yum install -y bzip2 + type rsync 2>/dev/null || yum install -y rsync + + if ! getent group nixbld >/dev/null; then + groupadd -g 30000 -r nixbld + fi + for i in `seq 1 10`; do + if ! getent passwd nixbld$i 2>/dev/null; then + useradd \ + -c "CentOS Nix build user $i" \ + -d /var/empty \ + -g 30000 \ + -G 30000 \ + -l \ + -M \ + -s /sbin/nologin \ + -u $(expr 30000 + $i) \ + nixbld$i + rm -f /var/spool/mail/nixbld$i + fi + done + + # generate fake sudo because + # sudo: sorry, you must have a tty to run sudo + mkdir -p bin + printf '#! /bin/sh\nexec env "$@"\n' > bin/sudo + chmod +x bin/sudo + + PATH=$PWD/bin:$PATH + export PATH + + # install nix on host (cf. https://nixos.org/nix/install) + if ! test -e /root/.nix-profile/etc/profile.d/nix.sh; then + ( + verify() { + echo $nix_sha256 $(basename $nix_url) | sha256sum -c + } + if ! verify; then + curl -C - -O "$nix_url" + verify + fi + ) + tar jxf $(basename $nix_url) + $(basename $nix_url .tar.bz2)/install + fi + + MANPATH=/var/empty . /root/.nix-profile/etc/profile.d/nix.sh + + if ! type nixos-install 2>/dev/null; then + nixpkgs_expr='import { system = builtins.currentSystem; }' + nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d) + nix-env \ + --arg config "{ nix.package = ($nixpkgs_expr).nix; }" \ + --arg pkgs "$nixpkgs_expr" \ + --arg modulesPath 'throw "no modulesPath"' \ + -f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix \ + -iA config.system.build.nixos-install + fi + + # + # mount install directory + # + + if ! mount | grep -Fq '/dev/mapper/centos-root on /mnt type xfs'; then + mkdir -p /newshit + mount --bind /newshit /mnt + fi + + if ! mount | grep -Fq '/dev/sda1 on /mnt/boot type xfs'; then + mkdir -p /mnt/boot + mount /dev/sda1 /mnt/boot + fi + + if ! 
mount | grep -Fq '/dev/mapper/centos-root on /mnt/nix type xfs'; then + mkdir -p /mnt/nix + mount --bind /nix /mnt/nix + fi + + mount | grep 'on /mnt\>' >&2 + + # + # prepare install directory + # + # XXX This should be done by (?) + # remote_dir=/mnt ./cac pushconfig servername:c731445864-cloudpro-134581046 rmdir + + mkdir -p /mnt/etc/nixos + mkdir -m 0555 -p /mnt/var/empty + + # add eye candy + address=$(echo $SSH_CONNECTION | awk '{print$3}') + echo 'PS1='\''\[\e[1;31m\]\u@'"$address"'\[\e[m\] \[\e[1;32m\]\w\[\e[m\] '\' > .bashrc +} diff --git a/old/infest.d/nixos-install.sh b/old/infest.d/nixos-install.sh new file mode 100644 index 00000000..df01a346 --- /dev/null +++ b/old/infest.d/nixos-install.sh @@ -0,0 +1,8 @@ +#! /bin/sh +# usage: cat infest-nixos-install.sh | ./cac ssh ... +set -euf +nixos-install \ + -I secrets=/etc/nixos/secrets \ + -I retiolum-hosts=/etc/nixos/hosts \ + -I pubkeys=/etc/nixos/pubkeys \ + -I nixpkgs=/etc/nixos/nixpkgs diff --git a/old/lib/default.nix b/old/lib/default.nix new file mode 100644 index 00000000..164a6a1a --- /dev/null +++ b/old/lib/default.nix 
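Review bot: `nixpkgs_path=$(find /nix/store -mindepth 1 -maxdepth 1 -name *-nixpkgs-* -type d)` can return zero or several store paths, and the later unquoted `-f $nixpkgs_path/nixpkgs/nixos/modules/installer/tools/tools.nix` then word-splits into the wrong arguments for nix-env; check the result right after the find, e.g. `set -- $nixpkgs_path` followed by `test $# = 1 || { echo "$0: expected exactly one *-nixpkgs-* in /nix/store, got $#" >&2; exit 1; }`. The fake `bin/sudo` shim stays in `$PWD/bin` after the run and remains first on PATH for the rest of this script; a comment such as `# bin/sudo shadows the real sudo for this session only; remove once the installer no longer needs it` would make that lifetime explicit.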
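Review bot: The usage comment `# usage: cat infest-nixos-install.sh | ./cac ssh ...` names a file that does not exist at that path; the caller in infest-cac-CentOS-7-64bit.sh pipes `infest.d/nixos-install.sh`, so the comment should read `# usage: cat infest.d/nixos-install.sh | ./cac ssh $systemname`. That caller also runs this script twice on purpose and explains why only on its own side; a one-line note here, `# may fail on the first run, see infest-cac-CentOS-7-64bit.sh`, keeps that knowledge with the script.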
@@ -0,0 +1,62 @@ +{ lib, pkgs, ... }: + +with builtins; + +let + inherit (lib) mapAttrs stringAsChars; +in + +rec { + git = import ./git.nix { + lib = lib // { + inherit addNames; + }; + inherit pkgs; + }; + + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; + + + # "7.4.335" -> "74" + majmin = with lib; x : concatStrings (take 2 (splitString "." x)); + + + concat = xs : + if xs == [] + then "" + else head xs + concat (tail xs) + ; + + flip = f : x : y : f y x; + + # isSuffixOf :: String -> String -> Bool + isSuffixOf = + s : xs : + let + sn = stringLength s; + xsn = stringLength xs; + in + xsn >= sn && substring (xsn - sn) sn xs == s ; + + removeSuffix = + s : xs : substring 0 (stringLength xs - stringLength s) xs; + + # setMap :: (String -> a -> b) -> Set String a -> [b] + #setMap = f: xs: map (k : f k (getAttr k xs)) (attrNames xs); + + # setToList :: Set k a -> [a] + #setToList = setMap (_: v: v); + + shell-escape = + let + isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; + in + stringAsChars (c: + if isSafeChar c then c + else if c == "\n" then "'\n'" + else "\\${c}"); + +} diff --git a/old/lib/git.nix b/old/lib/git.nix new file mode 100644 index 00000000..8dc17611 --- /dev/null +++ b/old/lib/git.nix 
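Review bot: `removeSuffix` truncates unconditionally — `removeSuffix "bar" "foo"` yields `""` rather than `"foo"` — which disagrees with the `isSuffixOf` helper defined just above it and with nixpkgs' `lib.removeSuffix`; guard it: `removeSuffix = s: xs: if isSuffixOf s xs then substring 0 (stringLength xs - stringLength s) xs else xs;`. `shell-escape` runs byte-wise through `stringAsChars`, so a multi-byte character becomes several backslash-escaped bytes, which POSIX shells generally accept but which is surprising enough to deserve a comment such as `# escapes byte-wise; non-ASCII input becomes per-byte backslash escapes`.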
@@ -0,0 +1,181 @@ +{ lib, pkgs, ... }: + +let + inherit (lib) addNames escapeShellArg makeSearchPath; + + commands = addNames { + git-receive-pack = {}; + git-upload-pack = {}; + }; + + receive-modes = addNames { + fast-forward = {}; + non-fast-forward = {}; + create = {}; + delete = {}; + merge = {}; # TODO implement in git.nix + }; + + permissions = { + fetch = { + allow-commands = [ + commands.git-upload-pack + ]; + }; + + push = ref: extra-modes: { + allow-commands = [ + commands.git-receive-pack + commands.git-upload-pack + ]; + allow-receive-ref = ref; + allow-receive-modes = [ receive-modes.fast-forward ] ++ extra-modes; + }; + }; + + refs = { + master = "refs/heads/master"; + all-heads = "refs/heads/*"; + }; + + irc-announce-script = pkgs.writeScript "irc-announce-script" '' + #! /bin/sh + set -euf + + export PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + gawk + gnused + netcat + nettools + ])} + + IRC_SERVER=$1 + IRC_PORT=$2 + IRC_NICK=$3$$ + IRC_CHANNEL=$4 + message=$5 + + export IRC_CHANNEL # for privmsg_cat + + # echo2 and cat2 are used output to both, stdout and stderr + # This is used to see what we send to the irc server. 
(debug output) + echo2() { echo "$*"; echo "$*" >&2; } + cat2() { tee /dev/stderr; } + + # privmsg_cat transforms stdin to a privmsg + privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + + # ircin is used to feed the output of netcat back to the "irc client" + # so we can implement expect-like behavior with sed^_^ + # XXX mkselfdestructingtmpfifo would be nice instead of this cruft + tmpdir="$(mktemp -d irc-announce_XXXXXXXX)" + cd "$tmpdir" + mkfifo ircin + trap " + rm ircin + cd '$OLDPWD' + rmdir '$tmpdir' + trap - EXIT INT QUIT + " EXIT INT QUIT + + { + echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" + echo2 "NICK $IRC_NICK" + + # wait for MODE message + sed -n '/^:[^ ]* MODE /q' + + echo2 "JOIN $IRC_CHANNEL" + + printf '%s' "$message" \ + | privmsg_cat \ + | cat2 + + echo2 "PART $IRC_CHANNEL" + + # wait for PART confirmation + sed -n '/:'"$IRC_NICK"'![^ ]* PART /q' + + echo2 'QUIT :Gone to have lunch' + } < ircin \ + | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + ''; + + hooks = { + # TODO make this a package? + irc-announce = { nick, channel, server, port ? 6667 }: '' + #! 
/bin/sh + set -euf + + export PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + git + gnused + ])} + + nick=${escapeShellArg nick} + channel=${escapeShellArg channel} + server=${escapeShellArg server} + port=${toString port} + + host=$nick + + empty=0000000000000000000000000000000000000000 + + unset message + while read oldrev newrev ref; do + + if [ $oldrev = $empty ]; then + receive_mode=create + elif [ $newrev = $empty ]; then + receive_mode=delete + elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then + receive_mode=fast-forward + else + receive_mode=non-fast-forward + fi + + h=$(echo $ref | sed 's:^refs/heads/::') + + # empty_tree=$(git hash-object -t tree /dev/null + empty_tree=4b825dc6 + + id=$(echo $newrev | cut -b-7) + id2=$(echo $oldrev | cut -b-7) + if [ $newrev = $empty ]; then id=$empty_tree; fi + if [ $oldrev = $empty ]; then id2=$empty_tree; fi + + case $receive_mode in + create) + #git log --oneline $id2 + link="http://$host/cgit/$GIT_SSH_REPO/?h=$h" + ;; + delete) + #git log --oneline $id2 + link="http://$host/cgit/$GIT_SSH_REPO/ ($h)" + ;; + fast-forward|non-fast-forward) + #git diff --stat $id..$id2 + link="http://$host/cgit/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2" + ;; + esac + + #$host $GIT_SSH_REPO $ref $link + message="''${message+$message + }$GIT_SSH_USER $receive_mode $link" + done + + if test -n "''${message-}"; then + exec ${irc-announce-script} \ + "$server" \ + "$port" \ + "$nick" \ + "$channel" \ + "$message" + fi + ''; + }; + +in +commands // receive-modes // permissions // refs // hooks diff --git a/old/lib/modules.nix b/old/lib/modules.nix new file mode 100644 index 00000000..248e638e --- /dev/null +++ b/old/lib/modules.nix 
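Review bot: `tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"` in irc-announce-script uses a relative template, so the fifo directory is created in whatever directory the hook runs in (presumably the repository) instead of under TMPDIR; `mktemp -d --tmpdir irc-announce_XXXXXXXX` keeps it out of the repo, and the trap's `cd '$OLDPWD'` still works since coreutils is on the script's PATH. The `nc "$IRC_SERVER" "$IRC_PORT"` call has no timeout and the preceding `sed -n '/^:[^ ]* MODE /q'` waits for that reply indefinitely, so an unreachable or silent server blocks the script — and, because the hook `exec`s it, the git operation that invoked it — until killed; if the netcat in use supports `-w`, `nc -w 30 "$IRC_SERVER" "$IRC_PORT"` bounds the wait. `$h` and `$GIT_SSH_REPO` are interpolated into the cgit `link` without URL encoding, so branch names containing `&` or `#` produce a broken link; a comment recording that assumption would be fair.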
@@ -0,0 +1,21 @@ +let + pkgs = import {}; + inherit (pkgs.lib) concatMap hasAttr; +in rec { + + no-touch-args = { + config = throw "no-touch-args: can't touch config!"; + lib = throw "no-touch-args: can't touch lib!"; + pkgs = throw "no-touch-args: can't touch pkgs!"; + }; + + # list-imports : path -> [path] + # Return a module's transitive list of imports. + # XXX duplicates won't get eliminated from the result. + list-imports = path: + let module = import path no-touch-args; + imports = if hasAttr "imports" module + then concatMap list-imports module.imports + else []; + in [path] ++ imports; +} diff --git a/old/modules/cd/default.nix b/old/modules/cd/default.nix new file mode 100644 index 00000000..e3abd47e --- /dev/null +++ b/old/modules/cd/default.nix 
@@ -0,0 +1,91 @@ +{ config, pkgs, ... }: + +let + inherit (builtins) readFile; +in + +{ + imports = + [ + { users.extraUsers = import ; } + ./networking.nix + ./users.nix + ../tv/base.nix + ../tv/base-cac-CentOS-7-64bit.nix + ../tv/config/consul-server.nix + ../tv/ejabberd.nix # XXX echtes modul + ../tv/exim-smarthost.nix + ../tv/git/public.nix + ../tv/sanitize.nix + { + imports = [ ../tv/identity ]; + tv.identity = { + enable = true; + self = config.tv.identity.hosts.cd; + }; + } + { + imports = [ ../tv/iptables ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } + { + imports = [ ../tv/retiolum ]; + tv.retiolum = { + enable = true; + hosts = ; + connectTo = [ + "fastpoke" + "pigstarter" + "ire" + ]; + }; + } + ]; + + # "Developer 2" plan has two vCPUs. + nix.maxJobs = 2; + + environment.systemPackages = with pkgs; [ + git # required for ./deploy, clone_or_update + htop + iftop + iotop + iptables + mutt # for mv + nethogs + rxvt_unicode.terminfo + tcpdump + ]; + + services.ejabberd-cd = { + enable = true; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + permitRootLogin = "yes"; + }; + + sound.enable = false; +} diff --git a/old/modules/cd/networking.nix b/old/modules/cd/networking.nix new file mode 100644 index 00000000..215e2082 --- /dev/null +++ b/old/modules/cd/networking.nix @@ -0,0 +1,14 @@ +{...}: +{ + networking.hostName = "cd"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "162.219.7.216"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "162.219.7.1"; + networking.nameservers = [ + "8.8.8.8" + ]; +} 
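Review bot: `permitRootLogin = "yes"` in the cd openssh block (and again in cloudkrebs/default.nix further down) also permits password logins for root, beyond the key-based access the authorized_keys entries are for; none of the modules visible here sets `services.openssh.passwordAuthentication = false`, so either that or `permitRootLogin = "without-password";` narrows it to the intended key-only access. The `bits = 8192` attribute on the ed25519 host key is ignored for that key type, as the `XXX` comment already admits; dropping the attribute removes the confusion in all three openssh blocks of this commit.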
diff --git a/old/modules/cd/paths.nix b/old/modules/cd/paths.nix new file mode 100644 index 00000000..f873912f --- /dev/null +++ b/old/modules/cd/paths.nix @@ -0,0 +1,12 @@ +{ + lib.file.url = ../../lib; + modules.file.url = ../../modules; + nixpkgs.git = { + url = https://github.com/NixOS/nixpkgs; + rev = "4c01e6d91993b6de128795f4fbdd25f6227fb870"; + cache = ../../tmp/git-cache; + }; + pubkeys.file.url = ../../pubkeys; + retiolum-hosts.file.url = ../../hosts; + secrets.file.url = ../../secrets/cd/nix; +} diff --git a/old/modules/cd/users.nix b/old/modules/cd/users.nix new file mode 100644 index 00000000..656336d6 --- /dev/null +++ b/old/modules/cd/users.nix 
@@ -0,0 +1,53 @@ +{ ... }: + +let + inherit (builtins) readFile; +in + +{ + users.extraGroups = { + + # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories + # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service) + # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago + # Docs: man:tmpfiles.d(5) + # man:systemd-tmpfiles(8) + # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE) + # Main PID: 19272 (code=exited, status=1/FAILURE) + # + # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring. + # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE + # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories. + # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state. + # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed. + # warning: error(s) occured while switching to the new configuration + lock.gid = 10001; + + }; + users.extraUsers = + { + root = { + openssh.authorizedKeys.keys = [ + (readFile ) + (readFile ) + ]; + }; + + mv = rec { + name = "mv"; + uid = 1338; + group = "users"; + home = "/home/${name}"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + (readFile ) + ]; + }; + + }; + + users.mutableUsers = false; +} 
diff --git a/old/modules/cloudkrebs/default.nix b/old/modules/cloudkrebs/default.nix new file mode 100644 index 00000000..938447e0 --- /dev/null +++ b/old/modules/cloudkrebs/default.nix @@ -0,0 +1,69 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../tv/base-cac-CentOS-7-64bit.nix + ../lass/retiolum-cloudkrebs.nix + ./networking.nix + ../../secrets/cloudkrebs-pw.nix + ../lass/sshkeys.nix + ../lass/base.nix + ../common/nixpkgs.nix + ]; + + nixpkgs = { + url = "https://github.com/Lassulus/nixpkgs"; + rev = "b42ecfb8c61e514bf7733b4ab0982d3e7e27dacb"; + }; + + nix.maxJobs = 1; + + #activationScripts + #split up and move into base + + #TODO move into modules + users.extraUsers = { + #main user + root = { + openssh.authorizedKeys.keys = [ + config.sshKeys.lass.pub + ]; + }; + mainUser = { + uid = 1337; + name = "lass"; + #isNormalUser = true; + group = "users"; + createHome = true; + home = "/home/lass"; + useDefaultShell = true; + isSystemUser = false; + description = "lassulus"; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + config.sshKeys.lass.pub + ]; + }; + }; + + environment.systemPackages = with pkgs; [ + ]; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + permitRootLogin = "yes"; + }; + + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 22 + ]; + }; + +} diff --git a/old/modules/cloudkrebs/networking.nix b/old/modules/cloudkrebs/networking.nix new file mode 100644 index 00000000..fc500736 --- /dev/null +++ b/old/modules/cloudkrebs/networking.nix @@ -0,0 +1,14 @@ +{...}: +{ + networking.hostName = "cloudkrebs"; + networking.interfaces.enp2s1.ip4 = [ + { + address = "104.167.113.104"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.167.113.1"; + networking.nameservers = [ + "8.8.8.8" + ]; +} 
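Review bot: `../../secrets/cloudkrebs-pw.nix` is imported as an ordinary module, so any value it defines that is interpolated into a file built by the configuration is copied into the world-readable Nix store; its contents are not in this commit, so this is a check rather than a finding, and a comment at the import such as `# values from this file must not be interpolated into store files` would record the constraint for the next editor. `permitRootLogin = "yes"` here carries the same caveat raised on cd/default.nix above.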
diff --git a/old/modules/common/krebs-keys.nix b/old/modules/common/krebs-keys.nix new file mode 100644 index 00000000..5e349338 --- /dev/null +++ b/old/modules/common/krebs-keys.nix @@ -0,0 +1,18 @@ +# alle public keys der krebsminister fuer R in krebs repos +{ config, ... }: + +let + inherit (builtins) readFile; +in + +with import ../lass/sshkeys.nix { + config.sshKeys.lass.pub = config.sshKeys.lass.pub; + config.sshKeys.uriel.pub = config.sshKeys.uriel.pub; + }; +{ + imports = [ + ./sshkeys.nix + ]; + + config.sshKeys.tv.pub = readFile ; +} diff --git a/old/modules/common/krebs-repos.nix b/old/modules/common/krebs-repos.nix new file mode 100644 index 00000000..86f37312 --- /dev/null +++ b/old/modules/common/krebs-repos.nix @@ -0,0 +1,36 @@ +{ lib, ... }: + +let + inherit (lib) mkDefault; + + mkSecureRepo = name: + { inherit name; + value = { + users = { + lass = mkDefault "R"; + tv = mkDefault "R"; + makefu = mkDefault "R"; + }; + }; + }; + + mkRepo = name: + { inherit name; + value = { + users = { + lass = mkDefault "R"; + tv = mkDefault "R"; + makefu = mkDefault "R"; + }; + }; + }; + +in { + services.gitolite.repos = + (lib.listToAttrs (map mkSecureRepo [ "brain" ])) // + (lib.listToAttrs (map mkRepo [ + "painload" + "services" + "hosts" + ])); +} diff --git a/old/modules/common/nixpkgs.nix b/old/modules/common/nixpkgs.nix new file mode 100644 index 00000000..486cf020 --- /dev/null +++ b/old/modules/common/nixpkgs.nix @@ -0,0 +1,25 @@ +{ lib, ... }: + +with lib; + +{ + options = { + nixpkgs.url = mkOption { + type = types.str; + description = "URL of the nixpkgs repository."; + }; + nixpkgs.rev = mkOption { + type = types.str; + default = "origin/master"; + description = "Revision of the remote repository."; + }; + nixpkgs.dirty = mkOption { + type = types.bool; + default = false; + description = '' + If nixpkgs.url is a local path, then use that as it is. + TODO this break if URL is not a local path. + ''; + }; + }; +} 
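Review bot: `mkSecureRepo` and `mkRepo` in krebs-repos.nix have identical bodies (lass, tv and makefu each get `mkDefault "R"`), so the "secure" repo `brain` receives exactly the same treatment as `painload`, `services` and `hosts` despite the name; either the secure variant is unfinished or it should be written as `mkSecureRepo = mkRepo;` with a comment on why `brain` is listed separately. If a difference is intended (fewer users, no default read access), it has to be spelled out here, because readers will assume the name means something.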
diff --git a/old/modules/common/sshkeys.nix b/old/modules/common/sshkeys.nix new file mode 100644 index 00000000..5f1c6066 --- /dev/null +++ b/old/modules/common/sshkeys.nix @@ -0,0 +1,26 @@ +{ lib, ... }: + +with lib; + +{ + options = { + sshKeys = mkOption { + type = types.attrsOf (types.submodule ( + { config, ... }: + { + options = { + pub = mkOption { + type = types.str; + description = "Public part of the ssh key."; + }; + + priv = mkOption { + type = types.str; + description = "Private part of the ssh key."; + }; + }; + })); + description = "collection of ssh-keys"; + }; + }; +} diff --git a/old/modules/lass/base.nix b/old/modules/lass/base.nix new file mode 100644 index 00000000..3a8d879e --- /dev/null +++ b/old/modules/lass/base.nix 
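Review bot: The `priv` option in common/sshkeys.nix declares private key material as a plain `types.str`, and nothing in the declaration warns a module author that a value assigned to it becomes part of the evaluated configuration and, if interpolated into any file the configuration builds, of the world-readable Nix store; extend the description, e.g. `description = "Private part of the ssh key. Never interpolate it into files built by the configuration; it would land in /nix/store.";`. The `{ config, ... }:` argument of the submodule is unused and can be dropped.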
@@ -0,0 +1,110 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./sshkeys.nix + ]; + + nix.useChroot = true; + + users.mutableUsers = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + PAGER=most + ''; + + environment.systemPackages = with pkgs; [ + git + most + rxvt_unicode.terminfo + + #network + iptables + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.gitolite = { + enable = true; + dataDir = "/home/gitolite"; + adminPubkey = config.sshKeys.lass.pub; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 22 + ]; + + extraCommands = '' + iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED + iptables -A INPUT -j ACCEPT -i lo + iptables -A INPUT -j ACCEPT -p icmp + + #iptables -N Retiolum + iptables -A INPUT -j Retiolum -i retiolum + iptables -A Retiolum -j ACCEPT -m conntrack --ctstate 
RELATED,ESTABLISHED + iptables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset + iptables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable + iptables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable + iptables -A Retiolum -j REJECT + ''; + + extraStopCommands = "iptables -F"; + }; +} diff --git a/old/modules/lass/binary-caches.nix b/old/modules/lass/binary-caches.nix new file mode 100644 index 00000000..c2727520 --- /dev/null +++ b/old/modules/lass/binary-caches.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + nix.sshServe.enable = true; + nix.sshServe.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel" + ]; + nix.binaryCaches = [ + #"scp://nix-ssh@mors" + #"scp://nix-ssh@uriel" + ]; +} diff --git a/old/modules/lass/bird.nix b/old/modules/lass/bird.nix new file mode 100644 index 00000000..3fc265cd --- /dev/null +++ b/old/modules/lass/bird.nix @@ -0,0 +1,13 @@ +{ config, ... }: + +{ + config.services.bird = { + enable = true; + config = '' + router id 192.168.122.1; + protocol device { + scan time 10; + } + ''; + }; +} diff --git a/old/modules/lass/bitcoin.nix b/old/modules/lass/bitcoin.nix new file mode 100644 index 00000000..d3bccbf5 --- /dev/null +++ b/old/modules/lass/bitcoin.nix @@ -0,0 +1,17 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + electrum + ]; + + users.extraUsers = { + bitcoin = { + name = "bitcoin"; + description = "user for bitcoin stuff"; + home = "/home/bitcoin"; + useDefaultShell = true; + createHome = true; + }; + }; +} diff --git a/old/modules/lass/browsers.nix b/old/modules/lass/browsers.nix new file mode 100644 index 00000000..8aecea92 --- /dev/null +++ b/old/modules/lass/browsers.nix 
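Review bot: In `networking.firewall.extraCommands` of lass/base.nix the chain is referenced by `iptables -A INPUT -j Retiolum -i retiolum` while the line that creates it, `#iptables -N Retiolum`, is commented out; unless another module creates the `Retiolum` chain, that command fails and the remaining rules are likely never applied. The form that works whether or not the chain already exists is `iptables -N Retiolum 2>/dev/null || iptables -F Retiolum`, placed before the `-A INPUT -j Retiolum` line. `extraStopCommands = "iptables -F"` flushes every chain but leaves a previously created `Retiolum` chain defined, which is exactly why the create-or-flush form matters on restart.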
@@ -0,0 +1,67 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + + nixpkgs.config.packageOverrides = pkgs : { + chromium = pkgs.chromium.override { + pulseSupport = true; + }; + }; + + environment.systemPackages = with pkgs; [ + firefox + ]; + + users.extraUsers = { + firefox = { + name = "firefox"; + description = "user for running firefox"; + home = "/home/firefox"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + chromium = { + name = "chromium"; + description = "user for running chromium"; + home = "/home/chromium"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + facebook = { + name = "facebook"; + description = "user for running facebook in chromium"; + home = "/home/facebook"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + google = { + name = "google"; + description = "user for running google+/gmail in chromium"; + home = "/home/google"; + useDefaultShell = true; + createHome = true; + }; + flash = { + name = "flash"; + description = "user for running flash stuff"; + home = "/home/flash"; + useDefaultShell = true; + extraGroups = [ "audio" ]; + createHome = true; + }; + }; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(firefox) NOPASSWD: ALL + ${mainUser.name} ALL=(chromium) NOPASSWD: ALL + ${mainUser.name} ALL=(facebook) NOPASSWD: ALL + ${mainUser.name} ALL=(google) NOPASSWD: ALL + ${mainUser.name} ALL=(flash) NOPASSWD: ALL + ''; +} diff --git a/old/modules/lass/chromium-patched.nix b/old/modules/lass/chromium-patched.nix new file mode 100644 index 00000000..71518177 --- /dev/null +++ b/old/modules/lass/chromium-patched.nix 
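Review bot: The sudo rules `${mainUser.name} ALL=(firefox) NOPASSWD: ALL` (and the same shape in elster.nix further down) let the main user run any command as each sandbox account, not just the browser; if the intent is only to launch the browser under that uid, naming the program narrows it, e.g. `${mainUser.name} ALL=(firefox) NOPASSWD: ${pkgs.firefox}/bin/firefox`, and the store path changing per rebuild is fine because the sudoers file is regenerated with it. The `google` account is the only one without `extraGroups = [ "audio" ]`; if that is deliberate a one-word comment would stop someone from "fixing" it. Five near-identical user blocks could be generated from a list with a small helper, as krebs-repos.nix in this same commit already does for repos.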
@@ -0,0 +1,48 @@ +{ config, pkgs, ... }: + +#settings to test: +# + #"ForceEphemeralProfiles": true, +let + masterPolicy = pkgs.writeText "master.json" '' + { + "PasswordManagerEnabled": false, + "DefaultGeolocationSetting": 2, + "RestoreOnStartup": 1, + "AutoFillEnabled": false, + "BackgroundModeEnabled": false, + "DefaultBrowserSettingEnabled": false, + "SafeBrowsingEnabled": false, + "ExtensionInstallForcelist": [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx", + "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx" + ] + } + ''; + + master_preferences = pkgs.writeText "master_preferences" '' + { + "browser": { + "custom_chrome_frame": true + }, + + "extensions": { + "theme": { + "id": "", + "use_system": true + } + } + } + ''; +in { + environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy; + + environment.systemPackages = [ + #pkgs.chromium + (pkgs.lib.overrideDerivation pkgs.chromium (attrs: { + buildCommand = attrs.buildCommand + '' + touch $out/TEST123 + ''; + })) + ]; +} diff --git a/old/modules/lass/desktop-base.nix b/old/modules/lass/desktop-base.nix new file mode 100644 index 00000000..94184548 --- /dev/null +++ b/old/modules/lass/desktop-base.nix @@ -0,0 +1,37 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./base.nix + ]; + + time.timeZone = "Europe/Berlin"; + + virtualisation.libvirtd.enable = true; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + programs.ssh.startAgent = false; + + security.setuidPrograms = [ "slock" ]; + + services.printing = { + enable = true; + drivers = [ pkgs.foomatic_filters ]; + }; + + environment.systemPackages = with pkgs; [ + + powertop + + #window manager stuff + haskellPackages.xmobar + haskellPackages.yeganesh + dmenu2 + xlibs.fontschumachermisc + ]; + +} diff --git a/old/modules/lass/elster.nix b/old/modules/lass/elster.nix new file mode 100644 index 00000000..1edd0189 --- /dev/null 
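Review bot: The `overrideDerivation pkgs.chromium` in chromium-patched.nix only appends `touch $out/TEST123` to `buildCommand`, which reads as leftover test code and changes the derivation so that chromium is built locally instead of fetched from a cache, all for a marker file; either restore the `#pkgs.chromium` line it replaced or put the intended patch in its place. `master_preferences` is defined but never referenced in this file, so it is dead unless something outside the hunk reads it. Setting `"SafeBrowsingEnabled": false` in the managed policy is a deliberate trade; a one-line comment on the reasoning (privacy versus phishing and malware warnings) would save the next reader from re-deciding it.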
+++ b/old/modules/lass/elster.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + users.extraUsers = { + elster = { + name = "elster"; + description = "user for running elster-online"; + home = "/home/elster"; + useDefaultShell = true; + extraGroups = []; + createHome = true; + }; + }; + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(elster) NOPASSWD: ALL + ''; +} diff --git a/old/modules/lass/games.nix b/old/modules/lass/games.nix new file mode 100644 index 00000000..6043a875