From e9689cd711b4c53609447fca128fb360aa87848c Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 23 Jul 2015 19:07:27 +0200 Subject: 3 tv.retiolum: describe connectTo --- 3modules/tv/retiolum.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to '3modules/tv') diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix index ca1418c..e8a1f6c 100644 --- a/3modules/tv/retiolum.nix +++ b/3modules/tv/retiolum.nix @@ -82,7 +82,11 @@ let connectTo = mkOption { type = types.listOf types.str; default = [ "fastpoke" "pigstarter" "kheurop" ]; - description = "TODO describe me"; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + ''; }; }; -- cgit v1.3.1 From adaaba6ab8f4d403d1da39288e98740a5acfee95 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:22:21 +0200 Subject: 3: {tv -> krebs}.retiolum --- 3modules/krebs/retiolum.nix | 226 ++++++++++++++++++++++++++++++++++++++++++++ 3modules/tv/retiolum.nix | 211 ++--------------------------------------- 2 files changed, 233 insertions(+), 204 deletions(-) create mode 100644 3modules/krebs/retiolum.nix (limited to '3modules/tv') diff --git a/3modules/krebs/retiolum.nix b/3modules/krebs/retiolum.nix new file mode 100644 index 0000000..447592e --- /dev/null +++ b/3modules/krebs/retiolum.nix @@ -0,0 +1,226 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.retiolum; + + out = { + options.krebs.retiolum = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.retiolum"; + + name = mkOption { + type = types.str; + default = config.networking.hostName; + # Description stolen from tinc.conf(5). + description = '' + This is the name which identifies this tinc daemon. It must + be unique for the virtual private network this daemon will + connect to. The Name may only consist of alphanumeric and + underscore characters. If Name starts with a $, then the + contents of the environment variable that follows will be + used. In that case, invalid characters will be converted to + underscores. If Name is $HOST, but no such environment + variable exist, the hostname will be read using the + gethostnname() system call This is the name which identifies + the this tinc daemon. + ''; + }; + + generateEtcHosts = mkOption { + type = types.str; + default = "both"; + description = '' + If set to short, long, or both, + then generate entries in /etc/hosts from subnets. + ''; + }; + + network = mkOption { + type = types.str; + default = "retiolum"; + description = '' + The tinc network name. + It is used to generate long host entries, + and name the TUN device. + ''; + }; + + tincPackage = mkOption { + type = types.package; + default = pkgs.tinc; + description = "Tincd package to use."; + }; + + hosts = mkOption { + default = null; + description = '' + Hosts package or path to use. + If a path is given, then it will be used to generate an ad-hoc package. + ''; + }; + + iproutePackage = mkOption { + type = types.package; + default = pkgs.iproute; + description = "Iproute2 package to use."; + }; + + + privateKeyFile = mkOption { + # TODO if it's types.path then it gets copied to /nix/store with + # bad unsafe permissions... + type = types.str; + default = "/root/src/secrets/retiolum.rsa_key.priv"; + description = "Generate file with tincd -K."; + }; + + connectTo = mkOption { + type = types.listOf types.str; + default = [ "fastpoke" "pigstarter" "kheurop" ]; + description = '' + The list of hosts in the network which the client will try to connect + to. These hosts should have an 'Address' configured which points to a + routeable IPv4 or IPv6 address. + ''; + }; + + }; + + imp = { + environment.systemPackages = [ tinc hosts iproute ]; + + networking.extraHosts = retiolumExtraHosts; + + systemd.services.retiolum = { + description = "Tinc daemon for Retiolum"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + path = [ tinc iproute ]; + serviceConfig = { + PermissionsStartOnly = "true"; + PrivateTmp = "true"; + Restart = "always"; + # TODO we cannot chroot (-R) b/c we use symlinks to hosts + # and the private key. + ExecStartPre = pkgs.writeScript "retiolum-init" '' + #! /bin/sh + install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv + ''; + ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; + SyslogIdentifier = "retiolum"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "retiolum"; + uid = 301281149; # genid retiolum + }; + + tinc = cfg.tincPackage; + hostsType = builtins.typeOf cfg.hosts; + hosts = + if hostsType == "package" then + # use package as is + cfg.hosts + else if hostsType == "path" then + # use path to generate a package + pkgs.stdenv.mkDerivation { + name = "custom-retiolum-hosts"; + src = cfg.hosts; + installPhase = '' + mkdir $out + find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out + ''; + } + else + abort "The option `services.retiolum.hosts' must be set to a package or a path" + ; + iproute = cfg.iproutePackage; + + retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" + { } + '' + generate() { + (cd ${hosts} + printf \'\' + for i in `ls`; do + names=$(hostnames $i) + for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do + names="$names $(hostnames $j)" + done + sed -En ' + s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p + ' $i + done | sort + printf \'\' + ) + } + + case ${cfg.generateEtcHosts} in + short) + hostnames() { echo "$1"; } + generate + ;; + long) + hostnames() { echo "$1.${cfg.network}"; } + generate + ;; + both) + hostnames() { echo "$1.${cfg.network} $1"; } + generate + ;; + *) + echo '""' + ;; + esac > $out + ''); + + + confDir = pkgs.runCommand "retiolum" { + # TODO text + executable = true; + preferLocalBuild = true; + } '' + set -euf + + mkdir -p $out + + ln -s ${hosts} $out/hosts + + cat > $out/tinc.conf < $out/tinc-up <short, long, or both, - then generate entries in /etc/hosts from subnets. - ''; - }; - - network = mkOption { - type = types.str; - default = "retiolum"; - description = '' - The tinc network name. - It is used to generate long host entries, - and name the TUN device. - ''; - }; - - tincPackage = mkOption { - type = types.package; - default = pkgs.tinc; - description = "Tincd package to use."; + connectTo = mkOption { + type = with types; listOf str; }; hosts = mkOption { - default = null; - description = '' - Hosts package or path to use. - If a path is given, then it will be used to generate an ad-hoc package. - ''; - }; - - iproutePackage = mkOption { - type = types.package; - default = pkgs.iproute; - description = "Iproute2 package to use."; + type = types.path; }; - - - privateKeyFile = mkOption { - # TODO if it's types.path then it gets copied to /nix/store with - # bad unsafe permissions... - type = types.str; - default = "/root/src/secrets/retiolum.rsa_key.priv"; - description = "Generate file with tincd -K."; - }; - - connectTo = mkOption { - type = types.listOf types.str; - default = [ "fastpoke" "pigstarter" "kheurop" ]; - description = '' - The list of hosts in the network which the client will try to connect - to. These hosts should have an 'Address' configured which points to a - routeable IPv4 or IPv6 address. - ''; - }; - }; imp = { - environment.systemPackages = [ tinc hosts iproute ]; - - networking.extraHosts = retiolumExtraHosts; - - systemd.services.retiolum = { - description = "Tinc daemon for Retiolum"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - path = [ tinc iproute ]; - serviceConfig = { - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Restart = "always"; - # TODO we cannot chroot (-R) b/c we use symlinks to hosts - # and the private key. - ExecStartPre = pkgs.writeScript "retiolum-init" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv - ''; - ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user.name} -D"; - SyslogIdentifier = "retiolum"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - }; + krebs.retiolum = cfg; }; - user = { - name = "retiolum"; - uid = 301281149; # genid retiolum - }; - - tinc = cfg.tincPackage; - hostsType = builtins.typeOf cfg.hosts; - hosts = - if hostsType == "package" then - # use package as is - cfg.hosts - else if hostsType == "path" then - # use path to generate a package - pkgs.stdenv.mkDerivation { - name = "custom-retiolum-hosts"; - src = cfg.hosts; - installPhase = '' - mkdir $out - find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out - ''; - } - else - abort "The option `services.retiolum.hosts' must be set to a package or a path" - ; - iproute = cfg.iproutePackage; - - retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts" - { } - '' - generate() { - (cd ${hosts} - printf \'\' - for i in `ls`; do - names=$(hostnames $i) - for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do - names="$names $(hostnames $j)" - done - sed -En ' - s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1 '"$names"'|p - ' $i - done | sort - printf \'\' - ) - } - - case ${cfg.generateEtcHosts} in - short) - hostnames() { echo "$1"; } - generate - ;; - long) - hostnames() { echo "$1.${cfg.network}"; } - generate - ;; - both) - hostnames() { echo "$1.${cfg.network} $1"; } - generate - ;; - *) - echo '""' - ;; - esac > $out - ''); - - - confDir = pkgs.runCommand "retiolum" { - # TODO text - executable = true; - preferLocalBuild = true; - } '' - set -euf - - mkdir -p $out - - ln -s ${hosts} $out/hosts - - cat > $out/tinc.conf < $out/tinc-up < Date: Fri, 24 Jul 2015 11:50:23 +0200 Subject: 3 {tv -> krebs}.nginx --- 1systems/tv/cd.nix | 10 +++---- 1systems/tv/nomic.nix | 4 +-- 1systems/tv/wu.nix | 4 +-- 3modules/krebs/nginx.nix | 72 ++++++++++++++++++++++++++++++++++++++++++++++++ 3modules/tv/git.nix | 5 ++-- 3modules/tv/nginx.nix | 71 ----------------------------------------------- 6 files changed, 84 insertions(+), 82 deletions(-) create mode 100644 3modules/krebs/nginx.nix delete mode 100644 3modules/tv/nginx.nix (limited to '3modules/tv') diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index d3cae6f..407fc25 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -57,19 +57,19 @@ in { imports = [ ../../3modules/tv/iptables.nix - ../../3modules/tv/nginx.nix + ../../3modules/krebs/nginx.nix ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; - tv.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; + krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; } { # TODO make public_html also available to cd, cd.retiolum (AKA default) imports = [ ../../3modules/tv/iptables.nix - ../../3modules/tv/nginx.nix + ../../3modules/krebs/nginx.nix ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; - tv.nginx.servers.public_html = { + krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; locations = singleton (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' alias /home/$1/public_html$2; @@ -77,7 +77,7 @@ in }; } { - tv.nginx.servers.viljetic = { + krebs.nginx.servers.viljetic = { server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) locations = singleton (nameValuePair "/" '' diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 6f984c4..8e6812e 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -26,8 +26,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/nginx.nix ]; - tv.nginx = { + imports = [ ../../3modules/krebs/nginx.nix ]; + krebs.nginx = { enable = true; servers.default.locations = [ (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 76bb43e..7a12bc5 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -134,8 +134,8 @@ in }; } { - imports = [ ../../3modules/tv/nginx.nix ]; - tv.nginx = { + imports = [ ../../3modules/krebs/nginx.nix ]; + krebs.nginx = { enable = true; servers.default.locations = [ (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' diff --git a/3modules/krebs/nginx.nix b/3modules/krebs/nginx.nix new file mode 100644 index 0000000..702e8a7 --- /dev/null +++ b/3modules/krebs/nginx.nix @@ -0,0 +1,72 @@ +{ config, pkgs, lib, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.nginx; + + out = { + options.krebs.nginx = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.nginx"; + + servers = mkOption { + type = with types; attrsOf optionSet; + options = singleton { + server-names = mkOption { + type = with types; listOf str; + # TODO use identity + default = [ + "${config.networking.hostName}" + "${config.networking.hostName}.retiolum" + ]; + }; + locations = mkOption { + type = with types; listOf (attrsOf str); + }; + }; + default = {}; + }; + }; + + imp = { + services.nginx = { + enable = true; + httpConfig = '' + include ${pkgs.nginx}/conf/mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + gzip on; + server { + listen 80 default_server; + server_name _; + return 404; + } + ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} + ''; + }; + }; + + + indent = replaceChars ["\n"] ["\n "]; + + to-location = { name, value }: '' + location ${name} { + ${indent value} + } + ''; + + to-server = { server-names, locations, ... }: '' + server { + listen 80; + server_name ${toString server-names}; + ${indent (concatStrings (map to-location locations))} + } + ''; + +in +out diff --git a/3modules/tv/git.nix b/3modules/tv/git.nix index 8c73d03..ea014e2 100644 --- a/3modules/tv/git.nix +++ b/3modules/tv/git.nix @@ -12,8 +12,9 @@ let cfg = config.tv.git; out = { + # TODO don't import krebs.nginx here imports = [ - ../../3modules/tv/nginx.nix + ../../3modules/krebs/nginx.nix ]; options.tv.git = api; config = mkIf cfg.enable (mkMerge [ @@ -210,7 +211,7 @@ let chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit ''; - tv.nginx = { + krebs.nginx = { enable = true; servers.cgit = { server-names = [ diff --git a/3modules/tv/nginx.nix b/3modules/tv/nginx.nix deleted file mode 100644 index a58c495..0000000 --- a/3modules/tv/nginx.nix +++ /dev/null @@ -1,71 +0,0 @@ -{ config, pkgs, lib, ... }: - -with builtins; -with lib; -let - cfg = config.tv.nginx; - - out = { - options.tv.nginx = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.nginx"; - - servers = mkOption { - type = with types; attrsOf optionSet; - options = singleton { - server-names = mkOption { - type = with types; listOf str; - default = [ - "${config.networking.hostName}" - "${config.networking.hostName}.retiolum" - ]; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - }; - }; - default = {}; - }; - }; - - imp = { - services.nginx = { - enable = true; - httpConfig = '' - include ${pkgs.nginx}/conf/mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - server { - listen 80 default_server; - server_name _; - return 404; - } - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - - indent = replaceChars ["\n"] ["\n "]; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, locations, ... }: '' - server { - listen 80; - server_name ${toString server-names}; - ${indent (concatStrings (map to-location locations))} - } - ''; - -in -out -- cgit v1.3.1 From cdb20d229315429b9be5b729233c5eec1c137f44 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:44:49 +0200 Subject: 3: {tv -> krebs}.git --- 2configs/tv/git-public.nix | 4 +- 3modules/krebs/git.nix | 484 +++++++++++++++++++++++++++++++++++++++++++++ 3modules/tv/git.nix | 484 --------------------------------------------- 3 files changed, 486 insertions(+), 486 deletions(-) create mode 100644 3modules/krebs/git.nix delete mode 100644 3modules/tv/git.nix (limited to '3modules/tv') diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index 7222f99..7f2b513 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -3,8 +3,8 @@ with import ../../4lib/tv { inherit lib pkgs; }; let out = { - imports = [ ../../3modules/tv/git.nix ]; - tv.git = { + imports = [ ../../3modules/krebs/git.nix ]; + krebs.git = { enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; root-desc = "keep calm and engage"; diff --git a/3modules/krebs/git.nix b/3modules/krebs/git.nix new file mode 100644 index 0000000..3c3e934 --- /dev/null +++ b/3modules/krebs/git.nix @@ -0,0 +1,484 @@ +{ config, pkgs, lib, ... }: + +# TODO unify logging of shell scripts to user and journal +# TODO move all scripts to ${etcDir}, so ControlMaster connections +# immediately pick up new authenticators +# TODO when authorized_keys changes, then restart ssh +# (or kill already connected users somehow) + +with builtins; +with lib; +let + cfg = config.krebs.git; + + out = { + # TODO don't import krebs.nginx here + imports = [ + ../../3modules/krebs/nginx.nix + ]; + options.krebs.git = api; + config = mkIf cfg.enable (mkMerge [ + (mkIf cfg.cgit cgit-imp) + git-imp + ]); + }; + + api = { + enable = mkEnableOption "krebs.git"; + + cgit = mkOption { + type = types.bool; + default = true; + description = "Enable cgit."; # TODO better desc; talk about nginx + }; + dataDir = mkOption { + type = types.str; + default = "/var/lib/git"; + description = "Directory used to store repositories."; + }; + etcDir = mkOption { + type = types.str; + default = "/etc/git"; + }; + repos = mkOption { + type = types.attrsOf (types.submodule ({ + options = { + desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository description. + ''; + }; + section = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Repository section. + ''; + }; + name = mkOption { + type = types.str; + description = '' + Repository name. + ''; + }; + hooks = mkOption { + type = types.attrsOf types.str; + description = '' + Repository-specific hooks. + ''; + }; + public = mkOption { + type = types.bool; + default = false; + description = '' + Allow everybody to read the repository via HTTP if cgit enabled. + ''; + # TODO allow every configured user to fetch the repository via SSH. + }; + }; + })); + + default = {}; + + example = literalExample '' + { + testing = { + name = "testing"; + hooks.post-update = ''' + #! /bin/sh + set -euf + echo post-update hook: $* >&2 + '''; + }; + testing2 = { name = "testing2"; }; + } + ''; + + description = '' + Repositories. + ''; + }; + root-desc = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Text printed below the heading on the repository index page. + Default value: "a fast webinterface for the git dscm". + ''; + }; + root-title = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Text printed as heading on the repository index page. + Default value: "Git Repository Browser". + ''; + }; + rules = mkOption { + type = types.unspecified; + }; + users = mkOption { + type = types.unspecified; + }; + }; + + git-imp = { + system.activationScripts.git-init = "${init-script}"; + + # TODO maybe put all scripts here and then use PATH? + environment.etc."${etc-base}".source = + scriptFarm "git-ssh-authorizers" { + authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ + (map getName (ensureList user)) + (map getName (ensureList repo)) + (map getName perm.allow-commands) + ]) cfg.rules); + + authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ + (map getName (ensureList user)) + (map getName (ensureList repo)) + (ensureList perm.allow-receive-ref) + (map getName perm.allow-receive-modes) + ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); + }; + + users.extraUsers = singleton { + description = "Git repository hosting user"; + name = "git"; + shell = "/bin/sh"; + openssh.authorizedKeys.keys = + mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; + uid = 129318403; # genid git + }; + }; + + cgit-imp = { + users.extraUsers = lib.singleton { + inherit (fcgitwrap-user) group name uid; + home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); + }; + + users.extraGroups = lib.singleton { + inherit (fcgitwrap-group) gid name; + }; + + services.fcgiwrap = { + enable = true; + user = fcgitwrap-user.name; + group = fcgitwrap-user.group; + # socketAddress = "/run/fcgiwrap.sock" (default) + # socketType = "unix" (default) + }; + + environment.etc."cgitrc".text = '' + css=/static/cgit.css + logo=/static/cgit.png + + # if you do not want that webcrawler (like google) index your site + robots=noindex, nofollow + + virtual-root=/ + + # TODO make this nicer (and/or somewhere else) + cache-root=/tmp/cgit + + cache-size=1000 + enable-commit-graph=1 + enable-index-links=1 + enable-index-owner=0 + enable-log-filecount=1 + enable-log-linecount=1 + enable-remote-branches=1 + + ${optionalString (cfg.root-title != null) "root-title=${cfg.root-title}"} + ${optionalString (cfg.root-desc != null) "root-desc=${cfg.root-desc}"} + + snapshots=0 + max-stats=year + + ${concatMapStringsSep "\n" (repo: '' + repo.url=${repo.name} + repo.path=${cfg.dataDir}/${repo.name} + ${optionalString (repo.section != null) "repo.section=${repo.section}"} + ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} + '') (filter isPublicRepo (attrValues cfg.repos))} + ''; + + system.activationScripts.cgit = '' + mkdir -m 0700 -p /tmp/cgit + chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit + ''; + + krebs.nginx = { + enable = true; + servers.cgit = { + server-names = [ + "cgit.${config.networking.hostName}" + "cgit.${config.networking.hostName}.retiolum" + ]; + locations = [ + (nameValuePair "/" '' + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + '') + (nameValuePair "/static/" '' + root ${pkgs.cgit}/cgit; + rewrite ^/static(/.*)$ $1 break; + '') + ]; + }; + }; + }; + + fcgitwrap-user = { + name = "fcgiwrap"; + uid = 2867890860; # genid fcgiwrap + group = "fcgiwrap"; + }; + + fcgitwrap-group = { + name = fcgitwrap-user.name; + gid = fcgitwrap-user.uid; + }; + + + ensureList = x: + if typeOf x == "list" then x else [x]; + + getName = x: x.name; + + isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix + + makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: + # TODO assert name + # TODO assert pubkey + let + options = concatStringsSep "," [ + ''command="exec ${git-ssh-command} ${name}"'' + "no-agent-forwarding" + "no-port-forwarding" + "no-pty" + "no-X11-forwarding" + ]; + in + "${options} ${pubkey}"; + + # [case-pattern] -> shell-script + # Create a shell script that succeeds (exit 0) when all its arguments + # match the case patterns (in the given order). + makeAuthorizeScript = + let + # TODO escape + to-pattern = x: concatStringsSep "|" (ensureList x); + go = i: ps: + if ps == [] + then "exit 0" + else '' + case ''$${toString i} in ${to-pattern (head ps)}) + ${go (i + 1) (tail ps)} + esac''; + in + patterns: '' + #! /bin/sh + set -euf + ${concatStringsSep "\n" (map (go 1) patterns)} + exit -1 + ''; + + reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); + + # TODO makeGitHooks that uses runCommand instead of scriptFarm? + scriptFarm = + farm-name: scripts: + let + makeScript = script-name: script-string: { + name = script-name; + path = pkgs.writeScript "${farm-name}_${script-name}" script-string; + }; + in + pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts); + + + git-ssh-command = pkgs.writeScript "git-ssh-command" '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + git + gnugrep + gnused + systemd + ])} + + abort() { + echo "error: $1" >&2 + systemd-cat -p err -t git echo "error: $1" + exit -1 + } + + GIT_SSH_USER=$1 + + systemd-cat -p info -t git echo \ + "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" + + # References: The Base Definitions volume of + # POSIX.1‐2013, Section 3.278, Portable Filename Character Set + portable_filename_bre="^[A-Za-z0-9._-]\\+$" + + command=$(echo "$SSH_ORIGINAL_COMMAND" \ + | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ + | grep "$portable_filename_bre" \ + || abort 'cannot read command') + + GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ + | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ + | grep "$portable_filename_bre" \ + || abort 'cannot read reponame') + + ${cfg.etcDir}/authorize-command \ + "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ + || abort 'access denied' + + repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO + + systemd-cat -p info -t git \ + echo "authorized exec $command $repodir" + + export GIT_SSH_USER + export GIT_SSH_REPO + exec "$command" "$repodir" + ''; + + init-script = pkgs.writeScript "git-init" '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils + findutils + gawk + git + gnugrep + gnused + ])} + + dataDir=${escapeShellArg cfg.dataDir} + mkdir -p "$dataDir" + + # Notice how the presence of hooks symlinks determine whether + # we manage a repositry or not. + + # Make sure that no existing repository has hooks. We can delete + # symlinks because we assume we created them. + find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete + bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) + if echo "$bad_hooks" | grep -q .; then + printf 'error: unknown hooks:\n%s\n' \ + "$(echo "$bad_hooks" | sed 's/^/ /')" \ + >&2 + exit -1 + fi + + # Initialize repositories. + ${concatMapStringsSep "\n" (repo: + let + hooks = scriptFarm "git-hooks" (makeHooks repo); + in + '' + reponame=${escapeShellArg repo.name} + repodir=$dataDir/$reponame + mode=${toString (if isPublicRepo repo then 0711 else 0700)} + if ! test -d "$repodir"; then + mkdir -m "$mode" "$repodir" + git init --bare --template=/var/empty "$repodir" + chown -R git:nogroup "$repodir" + fi + ln -s ${hooks} "$repodir/hooks" + '' + ) (attrValues cfg.repos)} + + # Warn about repositories that exist but aren't mentioned in the + # current configuration (and thus didn't receive a hooks symlink). + unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ + -type d \! -exec test -e '{}/hooks' \; -print) + if echo "$unknown_repos" | grep -q .; then + printf 'warning: stale repositories:\n%s\n' \ + "$(echo "$unknown_repos" | sed 's/^/ /')" \ + >&2 + fi + ''; + + makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { + pre-receive = '' + #! /bin/sh + set -euf + + PATH=${makeSearchPath "bin" (with pkgs; [ + coreutils # env + git + systemd + ])} + + accept() { + #systemd-cat -p info -t git echo "authorized $1" + accept_string="''${accept_string+$accept_string + }authorized $1" + } + reject() { + #systemd-cat -p err -t git echo "denied $1" + #echo 'access denied' >&2 + #exit_code=-1 + reject_string="''${reject_string+$reject_string + }access denied: $1" + } + + empty=0000000000000000000000000000000000000000 + + accept_string= + reject_string= + while read oldrev newrev ref; do + + if [ $oldrev = $empty ]; then + receive_mode=create + elif [ $newrev = $empty ]; then + receive_mode=delete + elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then + receive_mode=fast-forward + else + receive_mode=non-fast-forward + fi + + if ${cfg.etcDir}/authorize-push \ + "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then + accept "$receive_mode $ref" + else + reject "$receive_mode $ref" + fi + done + + if [ -n "$reject_string" ]; then + systemd-cat -p err -t git echo "$reject_string" + exit -1 + fi + + systemd-cat -p info -t git echo "$accept_string" + + ${optionalString (hasAttr "post-receive" repo.hooks) '' + # custom post-receive hook + ${repo.hooks.post-receive}''} + ''; + }; + + etc-base = + assert (hasPrefix "/etc/" cfg.etcDir); + removePrefix "/etc/" cfg.etcDir; + +in +out diff --git a/3modules/tv/git.nix b/3modules/tv/git.nix deleted file mode 100644 index ea014e2..0000000 --- a/3modules/tv/git.nix +++ /dev/null @@ -1,484 +0,0 @@ -{ config, pkgs, lib, ... }: - -# TODO unify logging of shell scripts to user and journal -# TODO move all scripts to ${etcDir}, so ControlMaster connections -# immediately pick up new authenticators -# TODO when authorized_keys changes, then restart ssh -# (or kill already connected users somehow) - -with builtins; -with lib; -let - cfg = config.tv.git; - - out = { - # TODO don't import krebs.nginx here - imports = [ - ../../3modules/krebs/nginx.nix - ]; - options.tv.git = api; - config = mkIf cfg.enable (mkMerge [ - (mkIf cfg.cgit cgit-imp) - git-imp - ]); - }; - - api = { - enable = mkEnableOption "tv.git"; - - cgit = mkOption { - type = types.bool; - default = true; - description = "Enable cgit."; # TODO better desc; talk about nginx - }; - dataDir = mkOption { - type = types.str; - default = "/var/lib/git"; - description = "Directory used to store repositories."; - }; - etcDir = mkOption { - type = types.str; - default = "/etc/git"; - }; - repos = mkOption { - type = types.attrsOf (types.submodule ({ - options = { - desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository description. - ''; - }; - section = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Repository section. - ''; - }; - name = mkOption { - type = types.str; - description = '' - Repository name. - ''; - }; - hooks = mkOption { - type = types.attrsOf types.str; - description = '' - Repository-specific hooks. - ''; - }; - public = mkOption { - type = types.bool; - default = false; - description = '' - Allow everybody to read the repository via HTTP if cgit enabled. - ''; - # TODO allow every configured user to fetch the repository via SSH. - }; - }; - })); - - default = {}; - - example = literalExample '' - { - testing = { - name = "testing"; - hooks.post-update = ''' - #! /bin/sh - set -euf - echo post-update hook: $* >&2 - '''; - }; - testing2 = { name = "testing2"; }; - } - ''; - - description = '' - Repositories. - ''; - }; - root-desc = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed below the heading on the repository index page. - Default value: "a fast webinterface for the git dscm". - ''; - }; - root-title = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - Text printed as heading on the repository index page. - Default value: "Git Repository Browser". - ''; - }; - rules = mkOption { - type = types.unspecified; - }; - users = mkOption { - type = types.unspecified; - }; - }; - - git-imp = { - system.activationScripts.git-init = "${init-script}"; - - # TODO maybe put all scripts here and then use PATH? - environment.etc."${etc-base}".source = - scriptFarm "git-ssh-authorizers" { - authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (map getName perm.allow-commands) - ]) cfg.rules); - - authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [ - (map getName (ensureList user)) - (map getName (ensureList repo)) - (ensureList perm.allow-receive-ref) - (map getName perm.allow-receive-modes) - ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules)); - }; - - users.extraUsers = singleton { - description = "Git repository hosting user"; - name = "git"; - shell = "/bin/sh"; - openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users; - uid = 129318403; # genid git - }; - }; - - cgit-imp = { - users.extraUsers = lib.singleton { - inherit (fcgitwrap-user) group name uid; - home = toString (pkgs.runCommand "empty" {} "mkdir -p $out"); - }; - - users.extraGroups = lib.singleton { - inherit (fcgitwrap-group) gid name; - }; - - services.fcgiwrap = { - enable = true; - user = fcgitwrap-user.name; - group = fcgitwrap-user.group; - # socketAddress = "/run/fcgiwrap.sock" (default) - # socketType = "unix" (default) - }; - - environment.etc."cgitrc".text = '' - css=/static/cgit.css - logo=/static/cgit.png - - # if you do not want that webcrawler (like google) index your site - robots=noindex, nofollow - - virtual-root=/ - - # TODO make this nicer (and/or somewhere else) - cache-root=/tmp/cgit - - cache-size=1000 - enable-commit-graph=1 - enable-index-links=1 - enable-index-owner=0 - enable-log-filecount=1 - enable-log-linecount=1 - enable-remote-branches=1 - - ${optionalString (cfg.root-title != null) "root-title=${cfg.root-title}"} - ${optionalString (cfg.root-desc != null) "root-desc=${cfg.root-desc}"} - - snapshots=0 - max-stats=year - - ${concatMapStringsSep "\n" (repo: '' - repo.url=${repo.name} - repo.path=${cfg.dataDir}/${repo.name} - ${optionalString (repo.section != null) "repo.section=${repo.section}"} - ${optionalString (repo.desc != null) "repo.desc=${repo.desc}"} - '') (filter isPublicRepo (attrValues cfg.repos))} - ''; - - system.activationScripts.cgit = '' - mkdir -m 0700 -p /tmp/cgit - chown ${toString fcgitwrap-user.uid}:${toString fcgitwrap-group.gid} /tmp/cgit - ''; - - krebs.nginx = { - enable = true; - servers.cgit = { - server-names = [ - "cgit.${config.networking.hostName}" - "cgit.${config.networking.hostName}.retiolum" - ]; - locations = [ - (nameValuePair "/" '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - '') - (nameValuePair "/static/" '' - root ${pkgs.cgit}/cgit; - rewrite ^/static(/.*)$ $1 break; - '') - ]; - }; - }; - }; - - fcgitwrap-user = { - name = "fcgiwrap"; - uid = 2867890860; # genid fcgiwrap - group = "fcgiwrap"; - }; - - fcgitwrap-group = { - name = fcgitwrap-user.name; - gid = fcgitwrap-user.uid; - }; - - - ensureList = x: - if typeOf x == "list" then x else [x]; - - getName = x: x.name; - - isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix - - makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }: - # TODO assert name - # TODO assert pubkey - let - options = concatStringsSep "," [ - ''command="exec ${git-ssh-command} ${name}"'' - "no-agent-forwarding" - "no-port-forwarding" - "no-pty" - "no-X11-forwarding" - ]; - in - "${options} ${pubkey}"; - - # [case-pattern] -> shell-script - # Create a shell script that succeeds (exit 0) when all its arguments - # match the case patterns (in the given order). - makeAuthorizeScript = - let - # TODO escape - to-pattern = x: concatStringsSep "|" (ensureList x); - go = i: ps: - if ps == [] - then "exit 0" - else '' - case ''$${toString i} in ${to-pattern (head ps)}) - ${go (i + 1) (tail ps)} - esac''; - in - patterns: '' - #! /bin/sh - set -euf - ${concatStringsSep "\n" (map (go 1) patterns)} - exit -1 - ''; - - reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules)); - - # TODO makeGitHooks that uses runCommand instead of scriptFarm? - scriptFarm = - farm-name: scripts: - let - makeScript = script-name: script-string: { - name = script-name; - path = pkgs.writeScript "${farm-name}_${script-name}" script-string; - }; - in - pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts); - - - git-ssh-command = pkgs.writeScript "git-ssh-command" '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - git - gnugrep - gnused - systemd - ])} - - abort() { - echo "error: $1" >&2 - systemd-cat -p err -t git echo "error: $1" - exit -1 - } - - GIT_SSH_USER=$1 - - systemd-cat -p info -t git echo \ - "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND" - - # References: The Base Definitions volume of - # POSIX.1‐2013, Section 3.278, Portable Filename Character Set - portable_filename_bre="^[A-Za-z0-9._-]\\+$" - - command=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read command') - - GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \ - | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \ - | grep "$portable_filename_bre" \ - || abort 'cannot read reponame') - - ${cfg.etcDir}/authorize-command \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \ - || abort 'access denied' - - repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO - - systemd-cat -p info -t git \ - echo "authorized exec $command $repodir" - - export GIT_SSH_USER - export GIT_SSH_REPO - exec "$command" "$repodir" - ''; - - init-script = pkgs.writeScript "git-init" '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - gawk - git - gnugrep - gnused - ])} - - dataDir=${escapeShellArg cfg.dataDir} - mkdir -p "$dataDir" - - # Notice how the presence of hooks symlinks determine whether - # we manage a repositry or not. - - # Make sure that no existing repository has hooks. We can delete - # symlinks because we assume we created them. - find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete - bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks) - if echo "$bad_hooks" | grep -q .; then - printf 'error: unknown hooks:\n%s\n' \ - "$(echo "$bad_hooks" | sed 's/^/ /')" \ - >&2 - exit -1 - fi - - # Initialize repositories. - ${concatMapStringsSep "\n" (repo: - let - hooks = scriptFarm "git-hooks" (makeHooks repo); - in - '' - reponame=${escapeShellArg repo.name} - repodir=$dataDir/$reponame - mode=${toString (if isPublicRepo repo then 0711 else 0700)} - if ! test -d "$repodir"; then - mkdir -m "$mode" "$repodir" - git init --bare --template=/var/empty "$repodir" - chown -R git:nogroup "$repodir" - fi - ln -s ${hooks} "$repodir/hooks" - '' - ) (attrValues cfg.repos)} - - # Warn about repositories that exist but aren't mentioned in the - # current configuration (and thus didn't receive a hooks symlink). - unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \ - -type d \! -exec test -e '{}/hooks' \; -print) - if echo "$unknown_repos" | grep -q .; then - printf 'warning: stale repositories:\n%s\n' \ - "$(echo "$unknown_repos" | sed 's/^/ /')" \ - >&2 - fi - ''; - - makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // { - pre-receive = '' - #! /bin/sh - set -euf - - PATH=${makeSearchPath "bin" (with pkgs; [ - coreutils # env - git - systemd - ])} - - accept() { - #systemd-cat -p info -t git echo "authorized $1" - accept_string="''${accept_string+$accept_string - }authorized $1" - } - reject() { - #systemd-cat -p err -t git echo "denied $1" - #echo 'access denied' >&2 - #exit_code=-1 - reject_string="''${reject_string+$reject_string - }access denied: $1" - } - - empty=0000000000000000000000000000000000000000 - - accept_string= - reject_string= - while read oldrev newrev ref; do - - if [ $oldrev = $empty ]; then - receive_mode=create - elif [ $newrev = $empty ]; then - receive_mode=delete - elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then - receive_mode=fast-forward - else - receive_mode=non-fast-forward - fi - - if ${cfg.etcDir}/authorize-push \ - "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then - accept "$receive_mode $ref" - else - reject "$receive_mode $ref" - fi - done - - if [ -n "$reject_string" ]; then - systemd-cat -p err -t git echo "$reject_string" - exit -1 - fi - - systemd-cat -p info -t git echo "$accept_string" - - ${optionalString (hasAttr "post-receive" repo.hooks) '' - # custom post-receive hook - ${repo.hooks.post-receive}''} - ''; - }; - - etc-base = - assert (hasPrefix "/etc/" cfg.etcDir); - removePrefix "/etc/" cfg.etcDir; - -in -out -- cgit v1.3.1 From 6e66334ec650a37eca46d4ae85b10fc8200ef460 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 11:55:16 +0200 Subject: 3: {tv -> krebs}.urlwatch --- 1systems/tv/wu.nix | 4 +- 3modules/krebs/urlwatch.nix | 136 ++++++++++++++++++++++++++++++++++++++++++++ 3modules/tv/urlwatch.nix | 136 -------------------------------------------- 3 files changed, 138 insertions(+), 138 deletions(-) create mode 100644 3modules/krebs/urlwatch.nix delete mode 100644 3modules/tv/urlwatch.nix (limited to '3modules/tv') diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 7a12bc5..1d7bbe5 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -156,8 +156,8 @@ in }; } { - imports = [ ../../3modules/tv/urlwatch.nix ]; - tv.urlwatch = { + imports = [ ../../3modules/krebs/urlwatch.nix ]; + krebs.urlwatch = { enable = true; mailto = "tv@wu.retiolum"; # TODO onCalendar = "*-*-* 05:00:00"; diff --git a/3modules/krebs/urlwatch.nix b/3modules/krebs/urlwatch.nix new file mode 100644 index 0000000..58de72f --- /dev/null +++ b/3modules/krebs/urlwatch.nix @@ -0,0 +1,136 @@ +{ config, lib, pkgs, ... }: + +# TODO multiple users +# TODO inform about unused caches +# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" +# TODO hooks.py + +with builtins; +with lib; +let + cfg = config.krebs.urlwatch; + + # TODO assert sendmail's existence + out = { + options.krebs.urlwatch = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.urlwatch"; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/urlwatch"; + description = '' + Directory where the urlwatch service should store its state. + ''; + }; + from = mkOption { + type = types.str; + default = "${user.name}@${config.networking.hostName}.retiolum"; + description = '' + Content of the From: header of the generated mails. + ''; + }; + mailto = mkOption { + type = types.str; + description = '' + Content of the To: header of the generated mails. [AKA recipient :)] + ''; + }; + onCalendar = mkOption { + type = types.str; + description = '' + Run urlwatch at this interval. + The format is described in systemd.time(7), CALENDAR EVENTS. + ''; + example = "04:23"; + }; + urls = mkOption { + type = with types; listOf str; + description = "URL to watch."; + example = [ + https://nixos.org/channels/nixos-unstable/git-revision + ]; + }; + }; + + urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); + + imp = { + systemd.timers.urlwatch = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.onCalendar; + Persistent = "true"; + }; + }; + systemd.services.urlwatch = { + path = with pkgs; [ + coreutils + gnused + urlwatch + ]; + environment = { + HOME = cfg.dataDir; + LC_ALL = "en_US.UTF-8"; + LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive"; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + }; + serviceConfig = { + User = user.name; + PermissionsStartOnly = "true"; + PrivateTmp = "true"; + Type = "oneshot"; + ExecStartPre = + pkgs.writeScript "urlwatch-prestart" '' + #! /bin/sh + set -euf + + dataDir=$HOME + + if ! test -e "$dataDir"; then + mkdir -m 0700 -p "$dataDir" + chown ${user.name}: "$dataDir" + fi + ''; + ExecStart = pkgs.writeScript "urlwatch" '' + #! /bin/sh + set -euf + + from=${escapeShellArg cfg.from} + mailto=${escapeShellArg cfg.mailto} + urlsFile=${escapeShellArg urlsFile} + + cd /tmp + + urlwatch -e --urls="$urlsFile" > changes 2>&1 || : + + if test -s changes; then + date=$(date -R) + subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ + | tr \\n \ ) + { + echo "Date: $date" + echo "From: $from" + echo "Subject: $subject" + echo "To: $mailto" + echo + cat changes + } | /var/setuid-wrappers/sendmail -t + fi + ''; + }; + }; + users.extraUsers = singleton { + inherit (user) name uid; + }; + }; + + user = { + name = "urlwatch"; + uid = 3467631196; # genid urlwatch + }; +in +out diff --git a/3modules/tv/urlwatch.nix b/3modules/tv/urlwatch.nix deleted file mode 100644 index a659fc7..0000000 --- a/3modules/tv/urlwatch.nix +++ /dev/null @@ -1,136 +0,0 @@ -{ config, lib, pkgs, ... }: - -# TODO multiple users -# TODO inform about unused caches -# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}" -# TODO hooks.py - -with builtins; -with lib; -let - cfg = config.tv.urlwatch; - - # TODO assert sendmail's existence - out = { - options.tv.urlwatch = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.urlwatch"; - - dataDir = mkOption { - type = types.str; - default = "/var/lib/urlwatch"; - description = '' - Directory where the urlwatch service should store its state. - ''; - }; - from = mkOption { - type = types.str; - default = "${user.name}@${config.networking.hostName}.retiolum"; - description = '' - Content of the From: header of the generated mails. - ''; - }; - mailto = mkOption { - type = types.str; - description = '' - Content of the To: header of the generated mails. [AKA recipient :)] - ''; - }; - onCalendar = mkOption { - type = types.str; - description = '' - Run urlwatch at this interval. - The format is described in systemd.time(7), CALENDAR EVENTS. - ''; - example = "04:23"; - }; - urls = mkOption { - type = with types; listOf str; - description = "URL to watch."; - example = [ - https://nixos.org/channels/nixos-unstable/git-revision - ]; - }; - }; - - urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls); - - imp = { - systemd.timers.urlwatch = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = cfg.onCalendar; - Persistent = "true"; - }; - }; - systemd.services.urlwatch = { - path = with pkgs; [ - coreutils - gnused - urlwatch - ]; - environment = { - HOME = cfg.dataDir; - LC_ALL = "en_US.UTF-8"; - LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive"; - SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - }; - serviceConfig = { - User = user.name; - PermissionsStartOnly = "true"; - PrivateTmp = "true"; - Type = "oneshot"; - ExecStartPre = - pkgs.writeScript "urlwatch-prestart" '' - #! /bin/sh - set -euf - - dataDir=$HOME - - if ! test -e "$dataDir"; then - mkdir -m 0700 -p "$dataDir" - chown ${user.name}: "$dataDir" - fi - ''; - ExecStart = pkgs.writeScript "urlwatch" '' - #! /bin/sh - set -euf - - from=${escapeShellArg cfg.from} - mailto=${escapeShellArg cfg.mailto} - urlsFile=${escapeShellArg urlsFile} - - cd /tmp - - urlwatch -e --urls="$urlsFile" > changes 2>&1 || : - - if test -s changes; then - date=$(date -R) - subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \ - | tr \\n \ ) - { - echo "Date: $date" - echo "From: $from" - echo "Subject: $subject" - echo "To: $mailto" - echo - cat changes - } | /var/setuid-wrappers/sendmail -t - fi - ''; - }; - }; - users.extraUsers = singleton { - inherit (user) name uid; - }; - }; - - user = { - name = "urlwatch"; - uid = 3467631196; # genid urlwatch - }; -in -out -- cgit v1.3.1 From 4e846ab7b38bc6c5ecf8213a027cc8ec4fa819d8 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:03:51 +0200 Subject: 3: {tv -> krebs}.github-hosts-sync --- 1systems/tv/cd.nix | 6 +-- 3modules/krebs/github-hosts-sync.nix | 83 ++++++++++++++++++++++++++++++++++++ 3modules/tv/github-hosts-sync.nix | 83 ------------------------------------ Zpkgs/krebs/default.nix | 11 +++++ Zpkgs/krebs/github-hosts-sync.nix | 40 +++++++++++++++++ Zpkgs/krebs/github-known_hosts.nix | 13 ++++++ Zpkgs/tv/default.nix | 2 - Zpkgs/tv/github-hosts-sync.nix | 40 ----------------- Zpkgs/tv/github-known_hosts.nix | 13 ------ 9 files changed, 150 insertions(+), 141 deletions(-) create mode 100644 3modules/krebs/github-hosts-sync.nix delete mode 100644 3modules/tv/github-hosts-sync.nix create mode 100644 Zpkgs/krebs/default.nix create mode 100644 Zpkgs/krebs/github-hosts-sync.nix create mode 100644 Zpkgs/krebs/github-known_hosts.nix delete mode 100644 Zpkgs/tv/github-hosts-sync.nix delete mode 100644 Zpkgs/tv/github-known_hosts.nix (limited to '3modules/tv') diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 407fc25..463d643 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -29,10 +29,10 @@ in }; } { - imports = [ ../../3modules/tv/github-hosts-sync.nix ]; - tv.github-hosts-sync.enable = true; + imports = [ ../../3modules/krebs/github-hosts-sync.nix ]; + krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = - singleton config.tv.github-hosts-sync.port; + singleton config.krebs.github-hosts-sync.port; } { imports = [ ../../2configs/tv/identity.nix ]; diff --git a/3modules/krebs/github-hosts-sync.nix b/3modules/krebs/github-hosts-sync.nix new file mode 100644 index 0000000..c3b56ef --- /dev/null +++ b/3modules/krebs/github-hosts-sync.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; +let + cfg = config.krebs.github-hosts-sync; + + out = { + options.krebs.github-hosts-sync = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "krebs.github-hosts-sync"; + port = mkOption { + type = types.int; # TODO port type + default = 1028; + }; + dataDir = mkOption { + type = types.str; # TODO path (but not just into store) + default = "/var/lib/github-hosts-sync"; + }; + ssh-identity-file = mkOption { + type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} + default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; + }; + }; + + imp = { + systemd.services.github-hosts-sync = { + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + port = toString cfg.port; + }; + serviceConfig = { + PermissionsStartOnly = "true"; + SyslogIdentifier = "github-hosts-sync"; + User = user.name; + Restart = "always"; + ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' + #! /bin/sh + set -euf + + ssh_identity_file_target=$( + case ${cfg.ssh-identity-file} in + *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; + *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; + *) + echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 + exit 1 + esac + ) + + mkdir -p ${cfg.dataDir} + chown ${user.name}: ${cfg.dataDir} + + install \ + -o ${user.name} \ + -m 0400 \ + ${cfg.ssh-identity-file} \ + "$ssh_identity_file_target" + + ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ''; + ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; + }; + }; + + users.extraUsers = singleton { + inherit (user) name uid; + home = cfg.dataDir; + }; + }; + + user = { + name = "github-hosts-sync"; + uid = 3220554646; # genid github-hosts-sync + }; + + Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; +in +out diff --git a/3modules/tv/github-hosts-sync.nix b/3modules/tv/github-hosts-sync.nix deleted file mode 100644 index f50bf2b..0000000 --- a/3modules/tv/github-hosts-sync.nix +++ /dev/null @@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; -let - cfg = config.tv.github-hosts-sync; - - out = { - options.tv.github-hosts-sync = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; - dataDir = mkOption { - type = types.str; # TODO path (but not just into store) - default = "/var/lib/github-hosts-sync"; - }; - ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} - default = "/root/src/secrets/github-hosts-sync.ssh.id_rsa"; - }; - }; - - imp = { - systemd.services.github-hosts-sync = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - port = toString cfg.port; - }; - serviceConfig = { - PermissionsStartOnly = "true"; - SyslogIdentifier = "github-hosts-sync"; - User = user.name; - Restart = "always"; - ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' - #! /bin/sh - set -euf - - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ - ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" - - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts - ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; - }; - }; - - users.extraUsers = singleton { - inherit (user) name uid; - home = cfg.dataDir; - }; - }; - - user = { - name = "github-hosts-sync"; - uid = 3220554646; # genid github-hosts-sync - }; - - Zpkgs = import ../../Zpkgs/tv { inherit pkgs; }; -in -out diff --git a/Zpkgs/krebs/default.nix b/Zpkgs/krebs/default.nix new file mode 100644 index 0000000..be8f720 --- /dev/null +++ b/Zpkgs/krebs/default.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: + +let + inherit (pkgs) callPackage; +in + +pkgs // +{ + github-hosts-sync = callPackage ./github-hosts-sync.nix {}; + github-known_hosts = callPackage ./github-known_hosts.nix {}; +} diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/Zpkgs/krebs/github-hosts-sync.nix new file mode 100644 index 0000000..d69b2b1 --- /dev/null +++ b/Zpkgs/krebs/github-hosts-sync.nix @@ -0,0 +1,40 @@ +{ stdenv, fetchgit, pkgs, ... }: + +stdenv.mkDerivation { + name = "github-hosts-sync"; + + src = fetchgit { + url = https://github.com/krebscode/painload; + rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; + sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + installPhase = + let + ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; + path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ + coreutils + findutils + git + gnugrep + gnused + openssh + socat + ]); + in + '' + mkdir -p $out/bin + + sed \ + 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ + < ./retiolum/scripts/github_hosts_sync/hosts-sync \ + > $out/bin/github-hosts-sync + + chmod +x $out/bin/github-hosts-sync + ''; +} diff --git a/Zpkgs/krebs/github-known_hosts.nix b/Zpkgs/krebs/github-known_hosts.nix new file mode 100644 index 0000000..302fdd8 --- /dev/null +++ b/Zpkgs/krebs/github-known_hosts.nix @@ -0,0 +1,13 @@ +{ lib, ... }: + +with builtins; +with lib; + +let + github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); +in + +toFile "github-known_hosts" + (concatMapStrings + (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") + (range 0 255)) diff --git a/Zpkgs/tv/default.nix b/Zpkgs/tv/default.nix index fa9fff8..e3e12bd 100644 --- a/Zpkgs/tv/default.nix +++ b/Zpkgs/tv/default.nix @@ -9,8 +9,6 @@ pkgs // charybdis = callPackage ./charybdis {}; dic = callPackage ./dic.nix {}; genid = callPackage ./genid.nix {}; - github-hosts-sync = callPackage ./github-hosts-sync.nix {}; - github-known_hosts = callPackage ./github-known_hosts.nix {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; viljetic-pages = callPackage ./viljetic-pages {}; diff --git a/Zpkgs/tv/github-hosts-sync.nix b/Zpkgs/tv/github-hosts-sync.nix deleted file mode 100644 index d69b2b1..0000000 --- a/Zpkgs/tv/github-hosts-sync.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ stdenv, fetchgit, pkgs, ... }: - -stdenv.mkDerivation { - name = "github-hosts-sync"; - - src = fetchgit { - url = https://github.com/krebscode/painload; - rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; - }; - - phases = [ - "unpackPhase" - "installPhase" - ]; - - installPhase = - let - ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; - path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ - coreutils - findutils - git - gnugrep - gnused - openssh - socat - ]); - in - '' - mkdir -p $out/bin - - sed \ - 's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \ - < ./retiolum/scripts/github_hosts_sync/hosts-sync \ - > $out/bin/github-hosts-sync - - chmod +x $out/bin/github-hosts-sync - ''; -} diff --git a/Zpkgs/tv/github-known_hosts.nix b/Zpkgs/tv/github-known_hosts.nix deleted file mode 100644 index 302fdd8..0000000 --- a/Zpkgs/tv/github-known_hosts.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -let - github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); -in - -toFile "github-known_hosts" - (concatMapStrings - (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") - (range 0 255)) -- cgit v1.3.1 From 873e1f90025f7eb1b13607130dbc4164cc2a0c44 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 12:34:25 +0200 Subject: 3 tv retiolum: RIP --- 1systems/tv/cd.nix | 4 ++-- 1systems/tv/mkdir.nix | 4 ++-- 1systems/tv/nomic.nix | 4 ++-- 1systems/tv/rmdir.nix | 4 ++-- 1systems/tv/wu.nix | 4 ++-- 2configs/tv/exim-retiolum.nix | 4 ++-- 3modules/tv/retiolum.nix | 29 ----------------------------- 7 files changed, 12 insertions(+), 41 deletions(-) delete mode 100644 3modules/tv/retiolum.nix (limited to '3modules/tv') diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index 463d643..2f8cf81 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -86,8 +86,8 @@ in }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index e0e057d..05d76c4 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -29,8 +29,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 8e6812e..bae12d3 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -37,8 +37,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index b77a1c3..2cf9668 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -29,8 +29,8 @@ with lib; }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 1d7bbe5..c5678a1 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -145,8 +145,8 @@ in }; } { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { + imports = [ ../../3modules/krebs/retiolum.nix ]; + krebs.retiolum = { enable = true; hosts = ../../Zhosts; connectTo = [ diff --git a/2configs/tv/exim-retiolum.nix b/2configs/tv/exim-retiolum.nix index efab5cf..851a0c6 100644 --- a/2configs/tv/exim-retiolum.nix +++ b/2configs/tv/exim-retiolum.nix @@ -4,9 +4,9 @@ services.exim = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration - assert config.tv.retiolum.enable; + assert config.krebs.retiolum.enable; let - # TODO get the hostname from config.tv.retiolum. + # TODO get the hostname from config.krebs.retiolum. retiolumHostname = "${config.networking.hostName}.retiolum"; in { enable = true; diff --git a/3modules/tv/retiolum.nix b/3modules/tv/retiolum.nix deleted file mode 100644 index d003774..0000000 --- a/3modules/tv/retiolum.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, lib, ... }: - -with lib; -let - cfg = config.tv.retiolum; - - out = { - imports = [ ../../3modules/krebs/retiolum.nix ]; - options.tv.retiolum = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.retiolum"; - - connectTo = mkOption { - type = with types; listOf str; - }; - - hosts = mkOption { - type = types.path; - }; - }; - - imp = { - krebs.retiolum = cfg; - }; - -in out -- cgit v1.3.1 From 4165440f467e2c573ba248ae9cdcae54d1488bc5 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 17:34:08 +0200 Subject: autoimport 3*/{krebs,$(LOGNAME)} --- 1systems/tv/cd.nix | 12 ------------ 1systems/tv/mkdir.nix | 2 -- 1systems/tv/nomic.nix | 3 --- 1systems/tv/rmdir.nix | 2 -- 1systems/tv/wu.nix | 6 +----- 2configs/tv/consul-server.nix | 1 - 2configs/tv/git-public.nix | 1 - 2configs/tv/identity.nix | 1 - 3modules/krebs/default.nix | 11 +++++++++++ 3modules/tv/consul.nix | 1 - 3modules/tv/default.nix | 10 ++++++++++ Makefile | 27 ++++++++++++++++----------- 12 files changed, 38 insertions(+), 39 deletions(-) create mode 100644 3modules/krebs/default.nix create mode 100644 3modules/tv/default.nix (limited to '3modules/tv') diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index bf556e0..b15b189 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -22,14 +22,12 @@ in }; } { - imports = [ ../../3modules/tv/ejabberd.nix ]; tv.ejabberd = { enable = true; hosts = [ "jabber.viljetic.de" ]; }; } { - imports = [ ../../3modules/krebs/github-hosts-sync.nix ]; krebs.github-hosts-sync.enable = true; tv.iptables.input-internet-accept-new-tcp = singleton config.krebs.github-hosts-sync.port; @@ -39,7 +37,6 @@ in tv.identity.self = config.tv.identity.hosts.cd; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -55,19 +52,11 @@ in }; } { - imports = [ - ../../3modules/tv/iptables.nix - ../../3modules/krebs/nginx.nix - ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.cgit.server-names = singleton "cgit.cd.viljetic.de"; } { # TODO make public_html also available to cd, cd.retiolum (AKA default) - imports = [ - ../../3modules/tv/iptables.nix - ../../3modules/krebs/nginx.nix - ]; tv.iptables.input-internet-accept-new-tcp = singleton "http"; krebs.nginx.servers.public_html = { server-names = singleton "cd.viljetic.de"; @@ -86,7 +75,6 @@ in }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 823f044..03d0c00 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -15,7 +15,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.mkdir; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -29,7 +28,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index ef4a5ca..367502e 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -14,7 +14,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.nomic; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -26,7 +25,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/nginx.nix ]; krebs.nginx = { enable = true; servers.default.locations = [ @@ -37,7 +35,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index f15c790..497354e 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -15,7 +15,6 @@ with lib; tv.identity.self = config.tv.identity.hosts.rmdir; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -29,7 +28,6 @@ with lib; }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 0b5b828..8470a4f 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -24,7 +24,7 @@ in { environment.systemPackages = with pkgs; [ - # shitment + # stockholm git gnumake parallel @@ -122,7 +122,6 @@ in ]; } { - imports = [ ../../3modules/tv/iptables.nix ]; tv.iptables = { enable = true; input-internet-accept-new-tcp = [ @@ -134,7 +133,6 @@ in }; } { - imports = [ ../../3modules/krebs/nginx.nix ]; krebs.nginx = { enable = true; servers.default.locations = [ @@ -145,7 +143,6 @@ in }; } { - imports = [ ../../3modules/krebs/retiolum.nix ]; krebs.retiolum = { enable = true; connectTo = [ @@ -155,7 +152,6 @@ in }; } { - imports = [ ../../3modules/krebs/urlwatch.nix ]; krebs.urlwatch = { enable = true; mailto = "tv@wu.retiolum"; # TODO diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 1c8dcb8..5d3fd55 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/consul.nix ]; tv.consul = rec { enable = true; diff --git a/2configs/tv/git-public.nix b/2configs/tv/git-public.nix index 7f2b513..1bf44e0 100644 --- a/2configs/tv/git-public.nix +++ b/2configs/tv/git-public.nix @@ -3,7 +3,6 @@ with import ../../4lib/tv { inherit lib pkgs; }; let out = { - imports = [ ../../3modules/krebs/git.nix ]; krebs.git = { enable = true; root-title = "public repositories at ${config.tv.identity.self.name}"; diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 44208c9..bcfdc29 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -1,7 +1,6 @@ { config, ... }: { - imports = [ ../../3modules/tv/identity.nix ]; tv.identity = { enable = true; search = "retiolum"; diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix new file mode 100644 index 0000000..fe94e09 --- /dev/null +++ b/3modules/krebs/default.nix @@ -0,0 +1,11 @@ +_: + +{ + imports = [ + ./github-hosts-sync.nix + ./git.nix + ./nginx.nix + ./retiolum.nix + ./urlwatch.nix + ]; +} diff --git a/3modules/tv/consul.nix b/3modules/tv/consul.nix index 312faa0..4e54c2a 100644 --- a/3modules/tv/consul.nix +++ b/3modules/tv/consul.nix @@ -10,7 +10,6 @@ let cfg = config.tv.consul; out = { - imports = [ ../../3modules/tv/iptables.nix ]; options.tv.consul = api; config = mkIf cfg.enable (mkMerge [ imp diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix new file mode 100644 index 0000000..e267d0b --- /dev/null +++ b/3modules/tv/default.nix @@ -0,0 +1,10 @@ +_: + +{ + imports = [ + ./consul.nix + ./ejabberd.nix + ./identity.nix + ./iptables.nix + ]; +} diff --git a/Makefile b/Makefile index da23467..6d075e6 100644 --- a/Makefile +++ b/Makefile @@ -41,13 +41,14 @@ deploy:;@ "$$src/" "$$deploy_host:$$dst" )} - prepush /root/src/shitment "$$PWD" + prepush /root/src/stockholm "$$PWD" prepush /root/src/secrets "$$secrets_dir" ssh -S none "$$deploy_host" -T env \ nixpkgs_url="$$nixpkgs_url" \ nixpkgs_rev="$$nixpkgs_rev" \ system_name="$$system_name" \ + user_name="$$LOGNAME" \ sh -euf \ <<-\EOF prefetch(){( @@ -77,26 +78,30 @@ deploy:;@ prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev" echo build system... - NIXOS_CONFIG=/root/src/shitment/1systems/$(LOGNAME)/$$system_name.nix \ - NIX_PATH=src \ - nix-build -Q -A system '' + NIX_PATH=/root/src \ + nix-build \ + -Q \ + -A system \ + '' \ + --argstr user-name "$$user_name" \ + --argstr system-name "$$system_name" result/bin/switch-to-configuration switch EOF .PHONY: eval eval: - @nix-instantiate \ + @ + NIX_PATH=stockholm=$$PWD:$$NIX_PATH \ + nix-instantiate \ --json \ --eval \ --strict \ -A "$$get" \ - -E ' - import { - system = builtins.currentSystem; - modules = [ ./1systems/$(LOGNAME)/$(system).nix ]; - } - ' | jq -r . + '' \ + --argstr user-name "$$LOGNAME" \ + --argstr system-name "$$system" \ + | jq -r . else $(error unbound variable: system[s]) endif -- cgit v1.3.1 From c9b3c530a6902979feaba0b07e3b6542708a72f5 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 24 Jul 2015 21:15:18 +0200 Subject: { * tv identity -> 3 krebs}.hosts --- 1systems/tv/cd.nix | 2 +- 1systems/tv/mkdir.nix | 2 +- 1systems/tv/nomic.nix | 2 +- 1systems/tv/rmdir.nix | 2 +- 1systems/tv/wu.nix | 2 +- 2configs/tv/consul-server.nix | 2 +- 2configs/tv/identity.nix | 153 ---------------------------------------- 3modules/krebs/default.nix | 157 ++++++++++++++++++++++++++++++++++++++++++ 3modules/tv/identity.nix | 7 +- 9 files changed, 164 insertions(+), 165 deletions(-) (limited to '3modules/tv') diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index d30e7ed..c0c41e9 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -34,7 +34,7 @@ in } { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.cd; + tv.identity.self = config.krebs.hosts.cd; } { tv.iptables = { diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 3e5fb72..113fc95 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -12,7 +12,7 @@ with lib; ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.mkdir; + tv.identity.self = config.krebs.hosts.mkdir; } { tv.iptables = { diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index 2d32d9e..fc58c16 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -11,7 +11,7 @@ with lib; ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.nomic; + tv.identity.self = config.krebs.hosts.nomic; } { tv.iptables = { diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index c470086..15d624d 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -12,7 +12,7 @@ with lib; ../../2configs/tv/git.nix { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.rmdir; + tv.identity.self = config.krebs.hosts.rmdir; } { tv.iptables = { diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 234b805..4a74d55 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -18,7 +18,7 @@ in ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled { imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.tv.identity.hosts.wu; + tv.identity.self = config.krebs.hosts.wu; } { environment.systemPackages = with pkgs; [ diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 5d3fd55..63dabdc 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -9,7 +9,7 @@ server = true; - hosts = with config.tv.identity.hosts; [ + hosts = with config.krebs.hosts; [ # TODO get this list automatically from each host where tv.consul.enable is true cd mkdir diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix index 379d02e..481ac72 100644 --- a/2configs/tv/identity.nix +++ b/2configs/tv/identity.nix @@ -4,158 +4,5 @@ tv.identity = { enable = true; search = "retiolum"; - hosts = { - cd = { - cores = 2; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.219.7.216"]; - aliases = [ - "cd.internet" - "cd.viljetic.de" - "cgit.cd.viljetic.de" - "cd.krebsco.de" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.222"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; - aliases = [ - "cd.retiolum" - "cgit.cd.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ - rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 - e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN - sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v - CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 - PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V - LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk - DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW - ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK - jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 - Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - mkdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["162.248.167.241"]; - aliases = [ - "mkdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.223"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; - aliases = [ - "mkdir.retiolum" - "cgit.mkdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ - dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev - voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF - 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ - Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 - 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - nomic = { - cores = 2; - dc = "tv"; #dc = "gg23"; - nets = rec { - retiolum = { - addrs4 = ["10.243.0.110"]; - addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; - aliases = [ - "nomic.retiolum" - "cgit.nomic.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ - qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw - Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu - 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a - OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA - Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - rmdir = { - cores = 1; - dc = "tv"; #dc = "cac"; - nets = rec { - internet = { - addrs4 = ["167.88.44.94"]; - aliases = [ - "rmdir.internet" - ]; - }; - retiolum = { - via = internet; - addrs4 = ["10.243.113.224"]; - addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; - aliases = [ - "rmdir.retiolum" - "cgit.rmdir.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf - i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM - Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz - hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF - 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH - SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - }; - wu = { - cores = 4; - # TODO wu is mobile, so dc means "home data center" - dc = "tv"; #dc = "gg23"; - nets = { - retiolum = { - addrs4 = ["10.243.13.37"]; - addrs6 = ["42:0:0:0:0:0:0:1337"]; - aliases = [ - "wu.retiolum" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn - M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg - GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT - KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 - 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik - AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - secure = true; - }; - }; }; } diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index b8722d1..b60ce78 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -17,6 +17,163 @@ let }; api = { + hosts = mkOption { + type = with types; attrsOf host; + default = addNames { + cd = { + cores = 2; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.219.7.216"]; + aliases = [ + "cd.internet" + "cd.viljetic.de" + "cgit.cd.viljetic.de" + "cd.krebsco.de" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.222"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af3"]; + aliases = [ + "cd.retiolum" + "cgit.cd.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ + rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4 + e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN + sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v + CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0 + PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V + LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk + DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW + ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK + jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5 + Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mkdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["162.248.167.241"]; + aliases = [ + "mkdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.223"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af4"]; + aliases = [ + "mkdir.retiolum" + "cgit.mkdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAuyfM+3od75zOYXqnqRMAt+yp/4z/vC3vSWdjUvEmCuM23c5BOBw+ + dKqbWoSPTzOuaQ0szdL7a6YxT+poSUXd/i3pPz59KgCl192rd1pZoJKgvoluITev + voYSP9rFQOUrustfDb9qKW/ZY95cwdCvypo7Vf4ghxwDCnlmyCGz7qXTJMLydNKF + 2PH9KiY4suv15sCg/zisu+q0ZYQXUc1TcgpoIYBOftDunOJoNdbti+XjwWdjGmJZ + Bn4GelsrrpwJFvfDmouHUe8GsD7nTgbZFtiJbKfCEiK16N0Q0d0ZFHhAV2nPjsk2 + 3JhG4n9vxATBkO82f7RLrcrhkx9cbLfN3wIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + nomic = { + cores = 2; + dc = "tv"; #dc = "gg23"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.110"]; + addrs6 = ["42:02d5:733f:d6da:c0f5:2bb7:2b18:09ec"]; + aliases = [ + "nomic.retiolum" + "cgit.nomic.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAwb8Yk/YRc17g2J9n960p6j4W/l559OPyuMPdGJ4DmCm3WNQtxoa+ + qTFUiDiI85BcmfqnSeddLG8zTC2XnSlIvCRMJ9oKzppFM4PX4OTAaJZVE5WyCQhw + Kd4tHVdoQgJW5yFepmT9IUmHqkxXJ0R2W93l2eSZNOcnFvFn0ooiAlRi4zAiHClu + 5Mz80Sc2rvez+n9wtC2D06aYjP23pHYld2xighHR9SUqX1dFzgSXNSoWWCcgNp2a + OKcM8LzxLV7MTMZFOJCJndZ77e4LsUvxhQFP6nyKZWg30PC0zufZsuN5o2xsWSlA + Wi9sMB1AUR6mZrxgcgTFpUjbjbLQf+36CwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + rmdir = { + cores = 1; + dc = "tv"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["167.88.44.94"]; + aliases = [ + "rmdir.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.113.224"]; + addrs6 = ["42:4522:25f8:36bb:8ccb:0150:231a:2af5"]; + aliases = [ + "rmdir.retiolum" + "cgit.rmdir.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+twy4obSbJdmZLfBoe9YYeyoDnXkO/WPa2D6Eh6jXrWk5fbhBjRf + i3EAQfLiXXFJX3E8V8YvJyazXklI19jJtCLDiu/F5kgJJfyAkWHH+a/hcg7qllDM + Xx2CvS/nCbs+p48/VLO6zLC7b1oHu3K/ob5M5bwPK6j9NEDIL5qYiM5PQzV6zryz + hS9E/+l8Z+UUpYcfS3bRovXJAerB4txc/gD3Xmptq1zk53yn1kJFYfVlwyyz+NEF + 59JZj2PDrvWoG0kx/QjiNurs6XfdnyHe/gP3rmSTrihKFVuA3cZM62sDR4FcaeWH + SnKSp02pqjBOjC/dOK97nXpKLJgNH046owIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + wu = { + cores = 4; + # TODO wu is mobile, so dc means "home data center" + dc = "tv"; #dc = "gg23"; + nets = { + retiolum = { + addrs4 = ["10.243.13.37"]; + addrs6 = ["42:0:0:0:0:0:0:1337"]; + aliases = [ + "wu.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEArDvU0cuBsVqTjCX2TlWL4XHSy4qSjUhjrDvUPZSKTVN7x6OENCUn + M27g9H7j4/Jw/8IHoJLiKnXHavOoc9UJM+P9Fla/4TTVADr69UDSnLgH+wGiHcEg + GxPkb2jt0Z8zcpD6Fusj1ATs3sssaLHTHvg1D0LylEWA3cI4WPP13v23PkyUENQT + KpSWfR+obqDl38Q7LuFi6dH9ruyvqK+4syddrBwjPXrcNxcGL9QbDn7+foRNiWw4 + 4CE5z25oGG2iWMShI7fe3ji/fMUAl7DSOOrHVVG9eMtpzy+uI8veOHrdTax4oKik + AFGCrMIov3F0GIeu3nDlrTIZPZDTodbFKQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + }; + }; + users = mkOption { type = with types; attrsOf user; default = addNames { diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix index 584b271..9de4322 100644 --- a/3modules/tv/identity.nix +++ b/3modules/tv/identity.nix @@ -21,11 +21,6 @@ let # default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts; #}; - hosts = mkOption { - type = with types; attrsOf host; - apply = mapAttrs (name: value: value // { inherit name; }); - }; - search = mkOption { type = types.hostname; }; @@ -44,7 +39,7 @@ let in map (addr: "${addr} ${aliases}") net.addrs ) host.nets - ) cfg.hosts + ) config.krebs.hosts )); }; -- cgit v1.3.1 From 129829cacfee9bc5b7fda99e50b70bc3ffe8a9bc Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Jul 2015 00:04:04 +0200 Subject: tv.identity -> krebs.build + extraHosts hack --- 1systems/tv/cd.nix | 6 ++-- 1systems/tv/mkdir.nix | 6 ++-- 1systems/tv/nomic.nix | 6 ++-- 1systems/tv/rmdir.nix | 6 ++-- 1systems/tv/wu.nix | 6 ++-- 2configs/tv/charybdis.nix | 8 ++--- 2configs/tv/consul-server.nix | 2 +- 2configs/tv/git.nix | 8 ++--- 2configs/tv/identity.nix | 8 ----- 3modules/krebs/default.nix | 72 ++++++++++++++++++++++++++++++++++++++++ 3modules/tv/default.nix | 1 - 3modules/tv/identity.nix | 77 ------------------------------------------- 12 files changed, 91 insertions(+), 115 deletions(-) delete mode 100644 2configs/tv/identity.nix delete mode 100644 3modules/tv/identity.nix (limited to '3modules/tv') diff --git a/1systems/tv/cd.nix b/1systems/tv/cd.nix index c0c41e9..4b8c40f 100644 --- a/1systems/tv/cd.nix +++ b/1systems/tv/cd.nix @@ -7,6 +7,8 @@ let in { + krebs.build.host = config.krebs.hosts.cd; + imports = [ ../../2configs/tv/CAC-Developer-2.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix @@ -32,10 +34,6 @@ in tv.iptables.input-internet-accept-new-tcp = singleton config.krebs.github-hosts-sync.port; } - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.cd; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/mkdir.nix b/1systems/tv/mkdir.nix index 113fc95..938f501 100644 --- a/1systems/tv/mkdir.nix +++ b/1systems/tv/mkdir.nix @@ -3,6 +3,8 @@ with lib; { + krebs.build.host = config.krebs.hosts.mkdir; + imports = [ ../../2configs/tv/CAC-Developer-1.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix @@ -10,10 +12,6 @@ with lib; ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix ../../2configs/tv/git.nix - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.mkdir; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/nomic.nix b/1systems/tv/nomic.nix index fc58c16..1f7f6b1 100644 --- a/1systems/tv/nomic.nix +++ b/1systems/tv/nomic.nix @@ -3,16 +3,14 @@ with lib; { + krebs.build.host = config.krebs.hosts.nomic; + imports = [ ../../2configs/tv/AO753.nix ../../2configs/tv/base.nix ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-retiolum.nix ../../2configs/tv/git.nix - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.nomic; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/rmdir.nix b/1systems/tv/rmdir.nix index 15d624d..45e9997 100644 --- a/1systems/tv/rmdir.nix +++ b/1systems/tv/rmdir.nix @@ -3,6 +3,8 @@ with lib; { + krebs.build.host = config.krebs.hosts.rmdir; + imports = [ ../../2configs/tv/CAC-Developer-1.nix ../../2configs/tv/CAC-CentOS-7-64bit.nix @@ -10,10 +12,6 @@ with lib; ../../2configs/tv/consul-server.nix ../../2configs/tv/exim-smarthost.nix ../../2configs/tv/git.nix - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.rmdir; - } { tv.iptables = { enable = true; diff --git a/1systems/tv/wu.nix b/1systems/tv/wu.nix index 5ca64ce..0b2dab9 100644 --- a/1systems/tv/wu.nix +++ b/1systems/tv/wu.nix @@ -7,6 +7,8 @@ let in { + krebs.build.host = config.krebs.hosts.wu; + imports = [ ../../2configs/tv/w110er.nix ../../2configs/tv/base.nix @@ -16,10 +18,6 @@ in ../../2configs/tv/mail-client.nix ../../2configs/tv/xserver.nix ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled - { - imports = [ ../../2configs/tv/identity.nix ]; - tv.identity.self = config.krebs.hosts.wu; - } { environment.systemPackages = with pkgs; [ diff --git a/2configs/tv/charybdis.nix b/2configs/tv/charybdis.nix index a45c7ae..265f851 100644 --- a/2configs/tv/charybdis.nix +++ b/2configs/tv/charybdis.nix @@ -123,7 +123,7 @@ let #loadmodule "extensions/ip_cloaking.so"; serverinfo { - name = ${toJSON (head config.tv.identity.self.nets.retiolum.aliases)}; + name = ${toJSON (head config.krebs.build.host.nets.retiolum.aliases)}; sid = "4z3"; description = "miep!"; network_name = "irc.retiolum"; @@ -133,9 +133,9 @@ let /* On multi-homed hosts you may need the following. These define * the addresses we connect from to other servers. */ /* for IPv4 */ - vhost = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs4}; + vhost = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs4}; /* for IPv6 */ - vhost6 = ${concatMapStringsSep ", " toJSON config.tv.identity.self.nets.retiolum.addrs6}; + vhost6 = ${concatMapStringsSep ", " toJSON config.krebs.build.host.nets.retiolum.addrs6}; /* ssl_private_key: our ssl private key */ ssl_private_key = "/tmp/ssl.key"; @@ -240,7 +240,7 @@ let */ # XXX This is stupid because only one host is allowed[?] #host = ''${concatMapStringsSep ", " toJSON ( - # config.tv.identity.self.nets.retiolum.addrs + # config.krebs.build.host.nets.retiolum.addrs #)}; port = 6667; sslport = 6697; diff --git a/2configs/tv/consul-server.nix b/2configs/tv/consul-server.nix index 63dabdc..d10f9ea 100644 --- a/2configs/tv/consul-server.nix +++ b/2configs/tv/consul-server.nix @@ -4,7 +4,7 @@ tv.consul = rec { enable = true; - inherit (config.tv.identity) self; + self = config.krebs.build.host; inherit (self) dc; server = true; diff --git a/2configs/tv/git.nix b/2configs/tv/git.nix index b7f9983..f884ea4 100644 --- a/2configs/tv/git.nix +++ b/2configs/tv/git.nix @@ -6,7 +6,7 @@ let out = { krebs.git = { enable = true; - root-title = "public repositories at ${config.tv.identity.self.name}"; + root-title = "public repositories at ${config.krebs.build.host.name}"; root-desc = "keep calm and engage"; inherit repos rules; }; @@ -14,7 +14,7 @@ let repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( public-repos // - optionalAttrs config.tv.identity.self.secure restricted-repos + optionalAttrs config.krebs.build.host.secure restricted-repos ); rules = concatMap make-rules (attrValues repos); @@ -55,8 +55,8 @@ let public = true; hooks = { post-receive = git.irc-announce { - # TODO make nick = config.tv.identity.self.name the default - nick = config.tv.identity.self.name; + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; channel = "#retiolum"; server = "cd.retiolum"; }; diff --git a/2configs/tv/identity.nix b/2configs/tv/identity.nix deleted file mode 100644 index 481ac72..0000000 --- a/2configs/tv/identity.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, ... }: - -{ - tv.identity = { - enable = true; - search = "retiolum"; - }; -} diff --git a/3modules/krebs/default.nix b/3modules/krebs/default.nix index 999e68d..601ecf0 100644 --- a/3modules/krebs/default.nix +++ b/3modules/krebs/default.nix @@ -19,6 +19,21 @@ let api = { enable = mkEnableOption "krebs"; + build = mkOption { + type = types.submodule { + options = { + host = mkOption { + type = types.host; + }; + user = mkOption { + type = types.user; + }; + }; + }; + # Define defaul value, so unset values of the submodule get reported. + default = {}; + }; + hosts = mkOption { type = with types; attrsOf host; }; @@ -26,12 +41,69 @@ let users = mkOption { type = with types; attrsOf user; }; + + # XXX is there a better place to define search-domain? + # TODO search-domains :: listOf hostname + search-domain = mkOption { + type = types.hostname; + default = ""; + example = "retiolum"; + }; }; imp = mkMerge [ { krebs = lass-imp; } { krebs = makefu-imp; } { krebs = tv-imp; } + { + # XXX This overlaps with krebs.retiolum + networking.extraHosts = + let + # TODO move domain name providers to a dedicated module + # providers : tree label providername + providers = { + internet = "hosts"; + retiolum = "hosts"; + de.viljetic = "regfish"; + de.krebsco = "ovh"; + }; + + # splitByProvider : [alias] -> set providername [alias] + splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {}; + + # providerOf : alias -> providername + providerOf = alias: + tree-get (splitString "." alias) providers; + + # insert : k -> v -> set k [v] -> set k [v] + insert = name: value: set: + set // { ${name} = set.${name} or [] ++ [value]; }; + + # tree k v = set k (either v (tree k v)) + + # tree-get : [k] -> tree k v -> v + tree-get = path: x: + let + y = x.${last path}; + in + if typeOf y != "set" + then y + else tree-get (init path) y; + in + concatStringsSep "\n" (flatten ( + # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: + mapAttrsToList (hostname: host: + mapAttrsToList (netname: net: + let + aliases = toString (unique (longs ++ shorts)); + longs = (splitByProvider net.aliases).hosts; + shorts = map (removeSuffix ".${cfg.search-domain}") longs; + in + map (addr: "${addr} ${aliases}") net.addrs + ) host.nets + ) config.krebs.hosts + )); + } ]; lass-imp = { diff --git a/3modules/tv/default.nix b/3modules/tv/default.nix index e267d0b..bb10d82 100644 --- a/3modules/tv/default.nix +++ b/3modules/tv/default.nix @@ -4,7 +4,6 @@ _: imports = [ ./consul.nix ./ejabberd.nix - ./identity.nix ./iptables.nix ]; } diff --git a/3modules/tv/identity.nix b/3modules/tv/identity.nix deleted file mode 100644 index 9de4322..0000000 --- a/3modules/tv/identity.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ../../4lib/tv { inherit lib pkgs; }; -let - cfg = config.tv.identity; - - out = { - options.tv.identity = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "tv.identity"; - - self = mkOption { - type = types.host; - }; - - #others = mkOption { - # type = types.host; - # default = filterAttrs (name: _host: name != cfg.self.name) cfg.hosts; - #}; - - search = mkOption { - type = types.hostname; - }; - }; - - imp = { - networking.extraHosts = - concatStringsSep "\n" (flatten ( - # TODO deepMap ["hosts" "nets"] (hostname: host: netname: net: - mapAttrsToList (hostname: host: - mapAttrsToList (netname: net: - let - aliases = toString (unique (longs ++ shorts)); - longs = (splitByProvider net.aliases).hosts; - shorts = map (removeSuffix ".${cfg.search}") longs; - in - map (addr: "${addr} ${aliases}") net.addrs - ) host.nets - ) config.krebs.hosts - )); - }; - - # TODO move domain name providers to a dedicated module - # providers : tree label providername - providers = { - internet = "hosts"; - retiolum = "hosts"; - de.viljetic = "regfish"; - de.krebsco = "ovh"; - }; - - # splitByProvider : [alias] -> set providername [alias] - splitByProvider = foldl (acc: alias: insert (providerOf alias) alias acc) {}; - - # providerOf : alias -> providername - providerOf = alias: - tree-get (splitString "." alias) providers; - - # insert : k -> v -> set k [v] -> set k [v] - insert = name: value: set: - set // { ${name} = set.${name} or [] ++ [value]; }; - - # tree k v = set k (either v (tree k v)) - - # tree-get : [k] -> tree k v -> v - tree-get = path: x: - let - y = x.${last path}; - in - if typeOf y != "set" - then y - else tree-get (init path) y; -in -out -- cgit v1.3.1 [cgit] Unable to lock slot /tmp/cgit/5b000000.lock: No such file or directory (2)