summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--default.nix3
-rw-r--r--jeschli/1systems/bln/source.nix4
-rw-r--r--jeschli/1systems/bolide/source.nix4
-rw-r--r--jeschli/1systems/brauerei/source.nix4
-rw-r--r--jeschli/1systems/enklave/source.nix3
-rw-r--r--jeschli/1systems/reagenzglas/.source.nix.swpbin12288 -> 0 bytes
-rw-r--r--jeschli/1systems/reagenzglas/source.nix4
-rw-r--r--jeschli/source.nix26
-rw-r--r--krebs/0tests/deploy.nix5
-rw-r--r--krebs/1systems/hotdog/source.nix3
-rw-r--r--krebs/1systems/onebutton/source.nix13
-rw-r--r--krebs/1systems/puyak/source.nix3
-rw-r--r--krebs/1systems/test-all-krebs-modules/source.nix3
-rw-r--r--krebs/1systems/test-arch/source.nix3
-rw-r--r--krebs/1systems/test-centos6/source.nix3
-rw-r--r--krebs/1systems/test-centos7/source.nix3
-rw-r--r--krebs/1systems/test-failing/source.nix3
-rw-r--r--krebs/1systems/test-minimal-deploy/source.nix3
-rw-r--r--krebs/1systems/wolf/source.nix3
-rw-r--r--krebs/2configs/default.nix1
-rw-r--r--krebs/5pkgs/simple/Reaktor/plugins.nix2
-rw-r--r--krebs/5pkgs/simple/stockholm/default.nix230
-rw-r--r--krebs/5pkgs/simple/syncthing-device-id.nix49
-rw-r--r--krebs/krops.nix2
-rw-r--r--krebs/source.nix29
-rw-r--r--lass/1systems/blue/source.nix4
-rw-r--r--lass/1systems/cabal/source.nix4
-rw-r--r--lass/1systems/daedalus/source.nix4
-rw-r--r--lass/1systems/icarus/source.nix4
-rw-r--r--lass/1systems/littleT/source.nix4
-rw-r--r--lass/1systems/mors/source.nix4
-rw-r--r--lass/1systems/prism/source.nix4
-rw-r--r--lass/1systems/red/source.nix4
-rw-r--r--lass/1systems/shodan/source.nix3
-rw-r--r--lass/1systems/skynet/source.nix4
-rw-r--r--lass/1systems/uriel/source.nix3
-rw-r--r--lass/1systems/xerxes/source.nix5
-rw-r--r--lass/source.nix29
-rw-r--r--makefu/2configs/tools/dev.nix1
-rw-r--r--makefu/source.nix2
-rw-r--r--nin/1systems/axon/source.nix4
-rw-r--r--nin/1systems/hiawatha/source.nix4
-rw-r--r--nin/1systems/onondaga/source.nix4
-rw-r--r--nin/source.nix23
-rw-r--r--shell.nix38
-rw-r--r--tv/1systems/alnus/source.nix4
-rw-r--r--tv/1systems/mu/source.nix3
-rw-r--r--tv/1systems/nomic/source.nix4
-rw-r--r--tv/1systems/querel/source.nix3
-rw-r--r--tv/1systems/wu/source.nix4
-rw-r--r--tv/1systems/xu/source.nix4
-rw-r--r--tv/1systems/zu/source.nix4
-rw-r--r--tv/source.nix37
53 files changed, 53 insertions, 568 deletions
diff --git a/default.nix b/default.nix
index cab55d40a..5ae8e399e 100644
--- a/default.nix
+++ b/default.nix
@@ -13,10 +13,7 @@ import <nixpkgs/nixos/lib/eval-config.nix> {
(attrNames (filterAttrs (_: eq "directory") (readDir (<stockholm> + "/${ns}/1systems"))))
(name: let
config = import (<stockholm> + "/${ns}/1systems/${name}/config.nix");
- source = import (<stockholm> + "/${ns}/1systems/${name}/source.nix");
in import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [ config ];
- } // {
- inherit source;
});
}
diff --git a/jeschli/1systems/bln/source.nix b/jeschli/1systems/bln/source.nix
deleted file mode 100644
index 0864fd90c..000000000
--- a/jeschli/1systems/bln/source.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-import <stockholm/jeschli/source.nix> {
- name = "bln";
- secure = true;
-}
diff --git a/jeschli/1systems/bolide/source.nix b/jeschli/1systems/bolide/source.nix
deleted file mode 100644
index 0bd7af50f..000000000
--- a/jeschli/1systems/bolide/source.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-import <stockholm/jeschli/source.nix> {
- name = "bolide";
- secure = true;
-}
diff --git a/jeschli/1systems/brauerei/source.nix b/jeschli/1systems/brauerei/source.nix
deleted file mode 100644
index 61978768e..000000000
--- a/jeschli/1systems/brauerei/source.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-import <stockholm/jeschli/source.nix> {
- name = "brauerei";
- secure = true;
-}
diff --git a/jeschli/1systems/enklave/source.nix b/jeschli/1systems/enklave/source.nix
deleted file mode 100644
index 4f9f37be7..000000000
--- a/jeschli/1systems/enklave/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/jeschli/source.nix> {
- name = "enklave";
-}
diff --git a/jeschli/1systems/reagenzglas/.source.nix.swp b/jeschli/1systems/reagenzglas/.source.nix.swp
deleted file mode 100644
index 8c1a75f39..000000000
--- a/jeschli/1systems/reagenzglas/.source.nix.swp
+++ /dev/null
Binary files differ
diff --git a/jeschli/1systems/reagenzglas/source.nix b/jeschli/1systems/reagenzglas/source.nix
deleted file mode 100644
index 7543de6b9..000000000
--- a/jeschli/1systems/reagenzglas/source.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-import <stockholm/jeschli/source.nix> {
- name = "reagenzglas";
- secure = true;
-}
diff --git a/jeschli/source.nix b/jeschli/source.nix
deleted file mode 100644
index fc1413ee4..000000000
--- a/jeschli/source.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-with import <stockholm/lib>;
-host@{ name, secure ? false, override ? {} }: let
- builder = if getEnv "dummy_secrets" == "true"
- then "buildbot"
- else "jeschli";
- _file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
- pkgs = import <nixpkgs> {
- overlays = map import [
- <stockholm/krebs/5pkgs>
- <stockholm/submodules/nix-writers/pkgs>
- ];
- };
-in
- evalSource (toString _file) [
- {
- nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
- nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
- secrets.file = getAttr builder {
- buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
- jeschli = "${getEnv "HOME"}/secrets/${name}";
- };
- stockholm.file = toString <stockholm>;
- stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
- }
- override
- ]
diff --git a/krebs/0tests/deploy.nix b/krebs/0tests/deploy.nix
index d96963500..5fae60ecc 100644
--- a/krebs/0tests/deploy.nix
+++ b/krebs/0tests/deploy.nix
@@ -44,11 +44,6 @@ let
exec >&2
source=${pkgs.writeJSON "source.json" populate-source}
LOGNAME=krebs ${pkgs.populate}/bin/populate --force root@server:22/var/src/ < "$source"
- # TODO: make deploy work
- #LOGNAME=krebs ${pkgs.stockholm}/bin/deploy \
- # --force-populate \
- # --source=${./data/test-source.nix} \
- # --system=server \
'';
minimalSystem = (import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [
diff --git a/krebs/1systems/hotdog/source.nix b/krebs/1systems/hotdog/source.nix
deleted file mode 100644
index 0fa61b20f..000000000
--- a/krebs/1systems/hotdog/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "hotdog";
-}
diff --git a/krebs/1systems/onebutton/source.nix b/krebs/1systems/onebutton/source.nix
deleted file mode 100644
index 91a998de7..000000000
--- a/krebs/1systems/onebutton/source.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-with import <stockholm/lib>;
-let
- pkgs = import <nixpkgs> {};
- nixpkgs = builtins.fetchTarball {
- url = https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz;
- };
-in import <stockholm/krebs/source.nix> {
- name = "onebutton";
- override.nixpkgs = mkForce {
- file = toString nixpkgs;
- };
-
-}
diff --git a/krebs/1systems/puyak/source.nix b/krebs/1systems/puyak/source.nix
deleted file mode 100644
index a21651899..000000000
--- a/krebs/1systems/puyak/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "puyak";
-}
diff --git a/krebs/1systems/test-all-krebs-modules/source.nix b/krebs/1systems/test-all-krebs-modules/source.nix
deleted file mode 100644
index 66fdaa773..000000000
--- a/krebs/1systems/test-all-krebs-modules/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "test-all-krebs-modules";
-}
diff --git a/krebs/1systems/test-arch/source.nix b/krebs/1systems/test-arch/source.nix
deleted file mode 100644
index bff9d4325..000000000
--- a/krebs/1systems/test-arch/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "test-arch";
-}
diff --git a/krebs/1systems/test-centos6/source.nix b/krebs/1systems/test-centos6/source.nix
deleted file mode 100644
index 3693bbb29..000000000
--- a/krebs/1systems/test-centos6/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "test-centos6";
-}
diff --git a/krebs/1systems/test-centos7/source.nix b/krebs/1systems/test-centos7/source.nix
deleted file mode 100644
index 44230f08d..000000000
--- a/krebs/1systems/test-centos7/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "test-centos7";
-}
diff --git a/krebs/1systems/test-failing/source.nix b/krebs/1systems/test-failing/source.nix
deleted file mode 100644
index 60b77a0a0..000000000
--- a/krebs/1systems/test-failing/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "test-failing";
-}
diff --git a/krebs/1systems/test-minimal-deploy/source.nix b/krebs/1systems/test-minimal-deploy/source.nix
deleted file mode 100644
index 032ab12bb..000000000
--- a/krebs/1systems/test-minimal-deploy/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "test-minimal-deploy";
-}
diff --git a/krebs/1systems/wolf/source.nix b/krebs/1systems/wolf/source.nix
deleted file mode 100644
index c292bfa62..000000000
--- a/krebs/1systems/wolf/source.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import <stockholm/krebs/source.nix> {
- name = "wolf";
-}
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 7b970923d..fafcd72c3 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -49,6 +49,7 @@ with import <stockholm/lib>;
users.mutableUsers = false;
users.extraUsers.root.openssh.authorizedKeys.keys = [
# TODO
+ config.krebs.users.jeschli-brauerei.pubkey
config.krebs.users.lass.pubkey
config.krebs.users.lass-mors.pubkey
config.krebs.users.makefu.pubkey
diff --git a/krebs/5pkgs/simple/Reaktor/plugins.nix b/krebs/5pkgs/simple/Reaktor/plugins.nix
index 700f9b40d..92a270ef3 100644
--- a/krebs/5pkgs/simple/Reaktor/plugins.nix
+++ b/krebs/5pkgs/simple/Reaktor/plugins.nix
@@ -160,7 +160,7 @@ rec {
task-list = buildSimpleReaktorPlugin "task-list" {
pattern = "^task-list";
script = pkgs.writeDash "task-list" ''
- ${pkgs.taskwarrior}/bin/task rc:${taskrcFile} minimal
+ ${pkgs.taskwarrior}/bin/task rc:${taskrcFile} export | ${pkgs.jq}/bin/jq -r '.[] | select(.id != 0) | "\(.id) \(.description)"'
'';
};
diff --git a/krebs/5pkgs/simple/stockholm/default.nix b/krebs/5pkgs/simple/stockholm/default.nix
deleted file mode 100644
index c973386d6..000000000
--- a/krebs/5pkgs/simple/stockholm/default.nix
+++ /dev/null
@@ -1,230 +0,0 @@
-{ pkgs }: let
-
- stockholm-dir = ../../../..;
-
- lib = import (stockholm-dir + "/lib");
-
- #
- # high level commands
- #
-
- cmds.deploy = pkgs.withGetopt {
- force-populate = { default = /* sh */ "false"; switch = true; };
- quiet = { default = /* sh */ "false"; switch = true; };
- source_file = {
- default = /* sh */ "$user/1systems/$system/source.nix";
- long = "source";
- };
- system = {};
- target.default = /* sh */ "$system";
- user.default = /* sh */ "$LOGNAME";
- } (opts: pkgs.writeDash "stockholm.deploy" ''
- set -efu
-
- . ${init.env}
- . ${init.proxy "deploy" opts}
-
- # Use system's nixos-rebuild, which is not self-contained
- export PATH=/run/current-system/sw/bin
- exec ${utils.with-whatsupnix} \
- nixos-rebuild switch \
- --show-trace \
- -I "$target_path"
- '');
-
- cmds.get-version = pkgs.writeDash "get-version" ''
- set -efu
- hostname=''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}
- version=git.$(${pkgs.git}/bin/git describe --always --dirty)
- case $version in (*-dirty)
- version=$version@$hostname
- esac
- date=$(${pkgs.coreutils}/bin/date +%y.%m)
- echo "$date.$version"
- '';
-
- cmds.install = pkgs.withGetopt {
- force-populate = { default = /* sh */ "false"; switch = true; };
- quiet = { default = /* sh */ "false"; switch = true; };
- source_file = {
- default = /* sh */ "$user/1systems/$system/source.nix";
- long = "source";
- };
- system = {};
- target = {};
- user.default = /* sh */ "$LOGNAME";
- } (opts: pkgs.writeBash "stockholm.install" ''
- set -efu
-
- . ${init.env}
-
- if \test "''${using_proxy-}" != true; then
- ${pkgs.openssh}/bin/ssh \
- -o StrictHostKeyChecking=no \
- -o UserKnownHostsFile=/dev/null \
- "$target_user@$target_host" -p "$target_port" \
- env target_path=$(${pkgs.quote}/bin/quote "$target_path") \
- sh -s prepare \
- < ${stockholm-dir + "/krebs/4lib/infest/prepare.sh"}
- # TODO inline prepare.sh?
- fi
-
- . ${init.proxy "install" opts}
-
- # these variables get defined by nix-shell (i.e. nix-build) from
- # XDG_RUNTIME_DIR and reference the wrong directory (/run/user/0),
- # which only exists on / and not at /mnt.
- export NIX_BUILD_TOP=/tmp
- export TEMPDIR=/tmp
- export TEMP=/tmp
- export TMPDIR=/tmp
- export TMP=/tmp
- export XDG_RUNTIME_DIR=/tmp
-
- export NIXOS_CONFIG="$target_path/nixos-config"
-
- cd
- exec nixos-install
- '');
-
- cmds.test = pkgs.withGetopt {
- force-populate = { default = /* sh */ "false"; switch = true; };
- quiet = { default = /* sh */ "false"; switch = true; };
- source_file = {
- default = /* sh */ "$user/1systems/$system/source.nix";
- long = "source";
- };
- system = {};
- target = {};
- user.default = /* sh */ "$LOGNAME";
- } (opts: pkgs.writeDash "stockholm.test" /* sh */ ''
- set -efu
-
- export dummy_secrets=true
-
- . ${init.env}
- . ${init.proxy "test" opts}
-
- exec ${utils.build} config.system.build.toplevel
- '');
-
- #
- # low level commands
- #
-
- # usage: get-source SOURCE_FILE
- cmds.get-source = pkgs.writeDash "stockholm.get-source" ''
- set -efu
- exec ${pkgs.nix}/bin/nix-instantiate \
- --eval \
- --json \
- --readonly-mode \
- --show-trace \
- --strict \
- "$1"
- '';
-
- # usage: parse-target [--default=TARGET] TARGET
- # TARGET = [USER@]HOST[:PORT][/PATH]
- cmds.parse-target = pkgs.withGetopt {
- default_target = {
- long = "default";
- short = "d";
- };
- } (opts: pkgs.writeDash "stockholm.parse-target" ''
- set -efu
- target=$1; shift
- for arg; do echo "$0: bad argument: $arg" >&2; done
- if \test $# != 0; then exit 2; fi
- exec ${pkgs.jq}/bin/jq \
- -enr \
- --arg default_target "$default_target" \
- --arg target "$target" \
- -f ${pkgs.writeText "stockholm.parse-target.jq" ''
- def parse: match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
- user: .captures[0].string,
- host: .captures[1].string,
- port: .captures[2].string,
- path: .captures[3].string,
- };
- def sanitize: with_entries(select(.value != null));
- ($default_target | parse) + ($target | parse | sanitize) |
- . + { local: (.user == env.LOGNAME and .host == env.HOSTNAME) }
- ''}
- '');
-
- init.env = pkgs.writeText "init.env" /* sh */ ''
-
- export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
-
- export quiet
- export system
- export target
- export user
-
- default_target=root@$system:22/var/src
-
- export target_object="$(
- ${cmds.parse-target} "$target" -d "$default_target"
- )"
- export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
- export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
- export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
- export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
- export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
- '';
-
- init.proxy = command: opts: pkgs.writeText "init.proxy" /* sh */ ''
- if \test "''${using_proxy-}" != true; then
-
- source=$(${cmds.get-source} "$source_file")
- qualified_target=$target_user@$target_host:$target_port$target_path
- if \test "$force_populate" = true; then
- echo "$source" | ${pkgs.populate}/bin/populate --force "$qualified_target"
- else
- echo "$source" | ${pkgs.populate}/bin/populate "$qualified_target"
- fi
-
- if \test "$target_local" != true; then
- exec ${pkgs.openssh}/bin/ssh \
- "$target_user@$target_host" -p "$target_port" \
- cd "$target_path/stockholm" \; \
- NIX_PATH=$(${pkgs.quote}/bin/quote "$target_path") \
- nix-shell --run "$(${pkgs.quote}/bin/quote "
- ${lib.concatStringsSep " " (lib.mapAttrsToList
- (name: opt: /* sh */
- "${opt.varname}=\$(${pkgs.quote}/bin/quote ${opt.ref})")
- opts
- )} \
- using_proxy=true \
- ${lib.shell.escape command} \
- $WITHGETOPT_ORIG_ARGS \
- ")"
- fi
- fi
- '';
-
- utils.build = pkgs.writeDash "utils.build" ''
- set -efu
- ${utils.with-whatsupnix} \
- ${pkgs.nix}/bin/nix-build \
- --no-out-link \
- --show-trace \
- -E "with import <stockholm>; $1" \
- -I "$target_path" \
- '';
-
- utils.with-whatsupnix = pkgs.writeDash "utils.with-whatsupnix" ''
- set -efu
- if \test "$quiet" = true; then
- "$@" -Q 2>&1 | ${pkgs.whatsupnix}/bin/whatsupnix
- else
- exec "$@"
- fi
- '';
-
-in
-
- pkgs.write "stockholm" (lib.mapAttrs' (name: link:
- lib.nameValuePair "/bin/${name}" { inherit link; }
- ) cmds)
diff --git a/krebs/5pkgs/simple/syncthing-device-id.nix b/krebs/5pkgs/simple/syncthing-device-id.nix
new file mode 100644
index 000000000..9533800fd
--- /dev/null
+++ b/krebs/5pkgs/simple/syncthing-device-id.nix
@@ -0,0 +1,49 @@
+{ openssl, writePython2Bin }:
+
+writePython2Bin "syncthing-device-id" {
+ flakeIgnore = [
+ "E226"
+ "E302"
+ "E305"
+ "E501"
+ "F401"
+ ];
+} /* python */ ''
+ import base64
+ import hashlib
+ import subprocess
+ import sys
+
+ B32ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
+
+ def luhn_checksum(data, alphabet=B32ALPHABET):
+ n = len(alphabet)
+ number = tuple(alphabet.index(i) for i in reversed(data))
+ result = (sum(number[::2]) +
+ sum(sum(divmod(i * 2, n)) for i in number[1::2])) % n
+ return alphabet[-result]
+
+ def main(incert):
+ der_data = subprocess.check_output([
+ '${openssl}/bin/openssl',
+ 'x509',
+ '-outform',
+ 'DER',
+ ], stdin=incert)
+ data_hash = hashlib.sha256(der_data)
+ b32_hash = base64.b32encode(data_hash.digest()).decode('ascii')
+
+ result = b32_hash.upper().rstrip('=')
+ blocks = [result[pos:pos+13] for pos in range(0, len(result), 13)]
+ result = '''.join(block + luhn_checksum(block) for block in blocks)
+
+ blocks = [result[pos:pos+7] for pos in range(0, len(result), 7)]
+ print('-'.join(blocks))
+
+ if __name__ == '__main__':
+ import argparse
+ parser = argparse.ArgumentParser(description='Generate syncthing ID from certificate')
+ parser.add_argument('incert', type=argparse.FileType('rb'), help='Certificate path')
+ args = parser.parse_args()
+ main(**vars(args))
+''
diff --git a/krebs/krops.nix b/krebs/krops.nix
index 5378d6fb0..e5013ad08 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -18,7 +18,7 @@
stockholm.file = toString ../.;
stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" ''
set -efu
- cd $HOME/stockholm
+ cd ${lib.escapeShellArg krebs-source.stockholm.file}
V=$(${pkgs.coreutils}/bin/date +%y.%m)
if test -d .git; then
V=$V.git.$(${pkgs.git}/bin/git describe --always --dirty)
diff --git a/krebs/source.nix b/krebs/source.nix
deleted file mode 100644
index 5b86e89c6..000000000
--- a/krebs/source.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-with import <stockholm/lib>;
-host@{ name, secure ? false, override ? {} }: let
- builder = if getEnv "dummy_secrets" == "true"
- then "buildbot"