From f3ad1c5a40ab25c4baf5c8b29ac5346d3d087a2d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 11:16:08 +0100 Subject: [PATCH 01/68] nix/home/graphical-fullblown: add duplicacy --- nix/home-manager/configuration/graphical-fullblown.nix | 1 + nix/home-manager/profiles/common.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 967d92b..f3fb327 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -293,6 +293,7 @@ in { # s3ql # rclone rsync + duplicacy # Filesystem Tools ntfs3g diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index e0d029a..4077ab5 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -27,6 +27,7 @@ in { }; just = pkgs.callPackage ../../pkgs/just.nix {}; + duplicacy = pkgs.callPackage ../../pkgs/duplicacy {}; }; }; From cfeabb8e5d0206929152b43b14340c8f2c0ce79d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 11:16:50 +0100 Subject: [PATCH 02/68] nix: mv container-images from archive --- {_archive => nix}/container-images/build.sh | 0 {_archive => nix}/container-images/default.nix | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {_archive => nix}/container-images/build.sh (100%) rename {_archive => nix}/container-images/default.nix (100%) diff --git a/_archive/container-images/build.sh b/nix/container-images/build.sh similarity index 100% rename from _archive/container-images/build.sh rename to nix/container-images/build.sh diff --git a/_archive/container-images/default.nix b/nix/container-images/default.nix similarity index 100% rename from _archive/container-images/default.nix rename to nix/container-images/default.nix From c581e5d0a321f1ba753a3b9c0a84684cac430947 Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Mon, 12 Nov 2018 11:26:22 +0100 Subject: [PATCH 03/68] nix/os/devices: add CFB4ED74 --- nix/os/devices/CFB4ED74/boot.nix | 11 +++++++++ nix/os/devices/CFB4ED74/configuration.nix | 12 +++++++++ nix/os/devices/CFB4ED74/hw.nix | 30 +++++++++++++++++++++++ nix/os/devices/CFB4ED74/pkg.nix | 7 ++++++ nix/os/devices/CFB4ED74/system.nix | 21 ++++++++++++++++ 5 files changed, 81 insertions(+) create mode 100644 nix/os/devices/CFB4ED74/boot.nix create mode 100644 nix/os/devices/CFB4ED74/configuration.nix create mode 100644 nix/os/devices/CFB4ED74/hw.nix create mode 100644 nix/os/devices/CFB4ED74/pkg.nix create mode 100644 nix/os/devices/CFB4ED74/system.nix diff --git a/nix/os/devices/CFB4ED74/boot.nix b/nix/os/devices/CFB4ED74/boot.nix new file mode 100644 index 0000000..6e17997 --- /dev/null +++ b/nix/os/devices/CFB4ED74/boot.nix @@ -0,0 +1,11 @@ +{ lib +, ... +}: + +{ + boot.loader.grub.efiSupport = lib.mkForce false; +# boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; +# boot.loader.efi.canTouchEfiVariables = lib.mkForce false; + + boot.extraModulePackages = [ ]; +} diff --git a/nix/os/devices/CFB4ED74/configuration.nix b/nix/os/devices/CFB4ED74/configuration.nix new file mode 100644 index 0000000..617813c --- /dev/null +++ b/nix/os/devices/CFB4ED74/configuration.nix @@ -0,0 +1,12 @@ +{ ... }: + +{ + imports = [ + ../../profiles/common/configuration.nix + ../../modules/encryptedDisk.nix + + ./system.nix + ./hw.nix + ./pkg.nix + ]; +} diff --git a/nix/os/devices/CFB4ED74/hw.nix b/nix/os/devices/CFB4ED74/hw.nix new file mode 100644 index 0000000..7a04340 --- /dev/null +++ b/nix/os/devices/CFB4ED74/hw.nix 
@@ -0,0 +1,30 @@ +{ ... }: + +let + stage1Modules = [ + "aesni_intel" + "kvm-intel" + "aes_x86_64" + + "virtio_balloon" + "virtio_scsi" + "virtio_net" + "virtio_pci" + "virtio_ring" + "virtio" + "scsi_mod" + ]; + +in +{ + # TASK: new device + hardware.encryptedDisk = { + enable = true; + diskId = "scsi-0QEMU_QEMU_HARDDISK_drive-scsi0"; + }; + + boot.initrd.availableKernelModules = stage1Modules; + boot.initrd.kernelModules = stage1Modules; + boot.extraModprobeConfig = '' + ''; +} diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/CFB4ED74/pkg.nix new file mode 100644 index 0000000..0bbf536 --- /dev/null +++ b/nix/os/devices/CFB4ED74/pkg.nix @@ -0,0 +1,7 @@ +{ +... +}: + +{ + home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix; +} diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix new file mode 100644 index 0000000..d9618e1 --- /dev/null +++ b/nix/os/devices/CFB4ED74/system.nix @@ -0,0 +1,21 @@ +{ pkgs +, lib +, ... }: + +{ + # TASK: new device + networking.hostName = "CFB4ED74"; # Define your hostname. + + networking.firewall.enable = lib.mkForce false; + + # Kubernetes + # services.kubernetes.roles = ["master" "node"]; + + # virtualization + virtualisation = { + docker.enable = true; + }; + + services.spice-vdagentd.enable = true; + services.qemuGuest.enable = true; +} From 69034f287c6222bedca7a873a7e8fa9152e9c720 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 11:27:19 +0100 Subject: [PATCH 04/68] nix/os/devices: add a delay after opening the luks partition --- nix/os/devices/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index aef8f58..d31596b 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix 
@@ -31,6 +31,7 @@ in rec { set -xe echo Mounting ${diskId} cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sleep 1 vgchange -ay ${ownLib.disk.volumeGroup diskId} mkdir -p /mnt mkdir ${mntRootVol} From 4e01df65e0a9bb137b9483c79c67f1958bc09662 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 20:20:36 +0100 Subject: [PATCH 05/68] nix/os/devices/steveej-t480s-work: attempt to enable pre-boot SSH --- .../steveej-t480s-work/configuration.nix | 7 + nix/os/devices/steveej-t480s-work/hw.nix | 6 + nix/os/devices/steveej-t480s-work/system.nix | 17 ++- nix/os/modules/initrd-network.nix | 129 ++++++++++++++++++ 4 files changed, 158 insertions(+), 1 deletion(-) create mode 100644 nix/os/modules/initrd-network.nix diff --git a/nix/os/devices/steveej-t480s-work/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix index 6fd394a..d37fb0a1 100644 --- a/nix/os/devices/steveej-t480s-work/configuration.nix +++ b/nix/os/devices/steveej-t480s-work/configuration.nix @@ -1,7 +1,14 @@ { ... }: { + disabledModules = [ + "system/boot/initrd-network.nix" + + ]; + imports = [ + ../../modules/initrd-network.nix + ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix ../../modules/encryptedDisk.nix diff --git a/nix/os/devices/steveej-t480s-work/hw.nix b/nix/os/devices/steveej-t480s-work/hw.nix index d8b4ab8..19948b5 100644 --- a/nix/os/devices/steveej-t480s-work/hw.nix +++ b/nix/os/devices/steveej-t480s-work/hw.nix @@ -7,6 +7,12 @@ let "aes_x86_64" "nvme" "nvme_core" + + "pcieport" + "thunderbolt" + "e1000e" + "xhci_pci" + "hxci_hcd" ]; in diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix index a44044f..f47b808 100644 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ b/nix/os/devices/steveej-t480s-work/system.nix 
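Review bot: The `sleep 1` inserted after `cryptsetup luksOpen` in diskMount papers over a race with udev creating the mapper node, and a fixed delay is either too short on a loaded host or needlessly long everywhere else. Waiting for the device itself is deterministic and, under the script's `set -xe`, fails fast instead of racing: `udevadm settle` followed by `test -e /dev/mapper/${ownLib.disk.luksName diskId}` before the `vgchange -ay` line. The shell string this lives in starts and ends outside the hunk.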
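Review bot: `"hxci_hcd"`, the last of the new stage1Modules entries in hw.nix, looks like a transposition of `"xhci_hcd"`, the USB3 host-controller driver that the `"xhci_pci"` entry right above it depends on. If I read NixOS's initrd module closure correctly, an unknown name in `boot.initrd.availableKernelModules` is dropped rather than failing the build, so the typo would only surface as USB devices (a USB NIC or keyboard needed for the pre-boot SSH this patch is after) not working in stage 1. Proposed line: `"xhci_hcd"`.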
@@ -1,8 +1,12 @@ { pkgs , lib +, config , ... }: -{ +let + keys = import ../../../variables/keys.nix; +in { + # TASK: new device networking.hostName = "steveej-t480s-work"; # Define your hostname. @@ -47,4 +51,15 @@ virtualbox.host.addNetworkInterface = true; docker.enable = true; }; + + boot.initrd.network = { + enable = true; + useDHCP = true; + udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; + + ssh = { + enable = true; + authorizedKeys = keys.users.steveej.openssh; + }; + }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix new file mode 100644 index 0000000..4c9da89 --- /dev/null +++ b/nix/os/modules/initrd-network.nix 
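Review bot: The `boot.initrd.network.ssh` block added at the end of system.nix sets `authorizedKeys` but no stage-1 host key, so a client connecting to unlock the disk cannot distinguish this machine's initrd from another host answering on the same network; the identical block added to nix/os/devices/CFB4ED74/system.nix in patch 06 has the same gap. In the NixOS release this targets the knob is, if I recall the module correctly, `boot.initrd.network.ssh.hostRSAKey`; without it the stage-1 key is either baked into the initrd at build time or regenerated per boot, and either way it cannot be pinned, while any key referenced from a Nix expression lands in the world-readable store, so it should be a key dedicated to the initrd and delivered through `boot.initrd.secrets`, never the regular host key. A comment next to the block is also warranted: every key in `keys.users.steveej.openssh` can now unlock the encrypted disk before the system is up, so that list deserves to be kept tighter than ordinary login keys.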
@@ -0,0 +1,129 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + cfg = config.boot.initrd.network; + + udhcpcScript = pkgs.writeScript "udhcp-script" + '' + #! /bin/sh + if [ "$1" = bound ]; then + ip address add "$ip/$mask" dev "$interface" + if [ -n "$router" ]; then + ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud) + ip route add default via "$router" dev "$interface" + fi + if [ -n "$dns" ]; then + rm -f /etc/resolv.conf + for i in $dns; do + echo "nameserver $dns" >> /etc/resolv.conf + done + fi + fi + ''; + + udhcpcArgs = toString cfg.udhcpc.extraArgs; + +in + +{ + + options = { + + boot.initrd.network.enable = mkOption { + type = types.bool; + default = false; + description = '' + Add network connectivity support to initrd. The network may be + configured using the ip kernel parameter, + as described in the + kernel documentation. Otherwise, if + is enabled, an IP address + is acquired using DHCP. + + You should add the module(s) required for your network card to + boot.initrd.availableKernelModules. lspci -v -s <ethernet controller> + will tell you which. + ''; + }; + + boot.initrd.network.udhcpc.extraArgs = mkOption { + default = []; + type = types.listOf types.str; + description = '' + Additional command-line arguments passed verbatim to udhcpc if + and + are enabled. + ''; + }; + + boot.initrd.network.postCommands = mkOption { + default = ""; + type = types.lines; + description = '' + Shell commands to be executed after stage 1 of the + boot has initialised the network. + ''; + }; + + boot.initrd.network.useDHCP = mkOption { + type = types.bool; + default = false; + description = '' + Whether to enable DHCP for the network interfaces. 
+ ''; + }; + + }; + + config = mkIf cfg.enable { + + warnings = [ "Enabled SSH for stage1" ]; + + boot.initrd.kernelModules = [ "af_packet" ]; + + boot.initrd.extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig + ''; + + boot.initrd.preLVMCommands = mkBefore ( + # Search for interface definitions in command line. + '' + for o in $(cat /proc/cmdline); do + case $o in + ip=*) + ipconfig $o && hasNetwork=1 + ;; + esac + done + '' + + # Otherwise, use DHCP. + + optionalString cfg.useDHCP '' + if [ -z "$hasNetwork" ]; then + + # Bring up all interfaces. + for iface in $(cd /sys/class/net && ls); do + echo "bringing up network interface $iface..." + ip link set "$iface" up + done + + # Acquire a DHCP lease. + echo "acquiring IP address via DHCP..." + udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1 + fi + '' + + + '' + if [ -n "$hasNetwork" ]; then + echo "networking is up!" + ${cfg.postCommands} + fi + ''); + + }; + +} From e28460c39404054026c7a23a093873a85a719e90 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 20:27:30 +0100 Subject: [PATCH 06/68] nix/os/devices/CFB4ED74: update config --- nix/os/devices/CFB4ED74/pkg.nix | 2 +- nix/os/devices/CFB4ED74/system.nix | 17 ++++++++++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/CFB4ED74/pkg.nix index 0bbf536..43091a2 100644 --- a/nix/os/devices/CFB4ED74/pkg.nix +++ b/nix/os/devices/CFB4ED74/pkg.nix @@ -3,5 +3,5 @@ }: { - home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.txt; } diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index d9618e1..ed8cd1a 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix 
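Review bot: The DHCP hook in udhcpcScript writes `echo "nameserver $dns"` inside `for i in $dns; do`, so with more than one DNS server every resolv.conf line carries the whole list and none of them parses; the loop variable is what should be written: `echo "nameserver $i" >> /etc/resolv.conf`. Separately, `warnings = [ "Enabled SSH for stage1" ]` fires whenever `boot.initrd.network.enable` is set, whether or not SSH is on, so the text should state what is actually true, e.g. `warnings = [ "Stage-1 networking is enabled (vendored initrd-network.nix)" ];`. Since this module is a fork of the upstream one selected via disabledModules, a header comment naming the upstream file and the reason for the fork (the new `boot.initrd.network.useDHCP` option decoupled from `networking.useDHCP`) would help whoever has to rebase it later.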
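Review bot: The replacement import in pkg.nix points at `text-minimal.txt`, a Nix module with a `.txt` extension; `import` does not care, but editors, linters and a reader scanning the directory will treat it as plain text, and the graphical counterpart it replaces is `graphical-fullblown.nix`. Renaming the file to `text-minimal.nix` (and updating this line to `import ../../../home-manager/configuration/text-minimal.nix;`) keeps the configuration directory consistent.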
@@ -1,8 +1,12 @@ { pkgs , lib +, config , ... }: -{ +let + keys = import ../../../variables/keys.nix; + +in { # TASK: new device networking.hostName = "CFB4ED74"; # Define your hostname. @@ -18,4 +22,15 @@ services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; + + networking.useDHCP = true; + boot.initrd.network = { + enable = true; + udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; + + ssh = { + enable = true; + authorizedKeys = keys.users.steveej.openssh; + }; + }; } From 41820b9b7ec83492871e80082127cf13a427cea9 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 23:19:45 +0100 Subject: [PATCH 07/68] nix/shell: add nixos-install and friends --- shell.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/shell.nix b/shell.nix index a0f6894..a8fa72c 100644 --- a/shell.nix +++ b/shell.nix @@ -6,6 +6,7 @@ in stdenv.mkDerivation { name = "infra-env"; buildInputs = [ + (with import { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]) (pkgs.callPackage ./nix/pkgs/just.nix {}) git-crypt vcsh From 0211fa66b991cebfabcdc2e59539acccc1daf304 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 23:20:08 +0100 Subject: [PATCH 08/68] nix/os: make zsh the default shell for common systems --- nix/os/profiles/common/system.nix | 23 ++--------------------- nix/os/profiles/graphical/system.nix | 3 --- 2 files changed, 2 insertions(+), 24 deletions(-) diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index d7a596f..08e49f7 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix 
@@ -65,25 +65,6 @@ mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; - programs.zsh = { - enable = false; -# TODO: basic zsh config -# enableAutosuggestions = true; # enableCompletion = true; -# syntaxHighlighting.enable = true; -# syntaxHighlighting.patterns = {}; -# ohMyZsh = { -# enable = true; -# theme = "tjkirch"; -# }; -# promptInit = '' -# autoload -U promptinit -# promptinit -# ZSH_THEME_GIT_PROMPT_PREFIX='@ ' -# PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f %F{magenta}$(git_prompt_info)%f -#%_%F{%(!.red.green)}$(prompt_char)%f ' -# RPROMPT="" -# ''; -# interactiveShellInit = '' -# ''; - }; + users.defaultUserShell = pkgs.zsh; + environment.pathsToLink = [ "/share/zsh" ]; } diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index a924cf8..bfcd3e6 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -16,9 +16,6 @@ }; services.resolved.enable = false; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; - # hardware related services services.illum.enable = true; services.pcscd.enable = true; From 18a628070a3e32f9e6215e59932f147f86d888a1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 12 Nov 2018 23:37:31 +0100 Subject: [PATCH 09/68] Justfile: support rebuild of remote device --- Justfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Justfile b/Justfile index e26cd24..9de7016 100755 --- a/Justfile +++ b/Justfile @@ -16,6 +16,11 @@ _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates set -ex just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}} +rebuild-remote-device dir target rebuildarg="dry-activate" : + #!/usr/bin/env bash + set -ex + just -v _rebuild-device {{dir}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" + # Rebulid this device's NixOS rebuild-this-device rebuildarg="dry-activate": #!/usr/bin/env bash 
From 431c44e33528f52a472062d94223501db3657a60 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Tue, 13 Nov 2018 00:54:04 +0100 Subject: [PATCH 10/68] nix/os/devices/CFB4ED74: add syncthing and firewall --- nix/os/devices/CFB4ED74/pkg.nix | 5 +++++ nix/os/devices/CFB4ED74/system.nix | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/CFB4ED74/pkg.nix index 43091a2..b9a638e 100644 --- a/nix/os/devices/CFB4ED74/pkg.nix +++ b/nix/os/devices/CFB4ED74/pkg.nix @@ -4,4 +4,9 @@ { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.txt; + + services.syncthing = { + enable = true; + openDefaultPorts = true; + }; } diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index ed8cd1a..f401d6e 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -10,7 +10,7 @@ in { # TASK: new device networking.hostName = "CFB4ED74"; # Define your hostname. - networking.firewall.enable = lib.mkForce false; + networking.firewall.enable = true; # Kubernetes # services.kubernetes.roles = ["master" "node"]; From d49c719f3696aa675710ae2077d83df1fbbe58a8 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Tue, 13 Nov 2018 01:06:23 +0100 Subject: [PATCH 11/68] fixup! nix/os: make zsh the default shell for common systems --- nix/os/profiles/common/system.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 08e49f7..b00e912 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -65,6 +65,7 @@ mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; + programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; environment.pathsToLink = [ "/share/zsh" ]; } From 6bd147b541d87a502d97245bc805ebcdbfded298 Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Thu, 15 Nov 2018 18:24:28 +0100 Subject: [PATCH 12/68] qtile: fix mute state filepath and add usage note --- Justfile | 1 + nix/home-manager/profiles/qtile-desktop.nix | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 9de7016..ad0b2cb 100755 --- a/Justfile +++ b/Justfile @@ -72,6 +72,7 @@ update-this-device: sudo nix-channel --update just -v rebuild-this-device switch +# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: #!/usr/bin/env bash set -xe diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 97d4f26..8b3fb3a 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -13,7 +13,7 @@ let pulseaudio findutils gnugrep ]}:$PATH - export MUTEFILE=''${TEMPDIR:-/tmp}./.qtilemute + export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute case $1 in mute) newstate=$(( $(cat $MUTEFILE || echo 0 ) ^ 1 )) From f46f1b7d8549cd95b044cd094c6fd6e78847554f Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 17 Nov 2018 20:50:55 +0100 Subject: [PATCH 13/68] nix: test hydra --- nix/os/devices/hydra.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 nix/os/devices/hydra.json diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json new file mode 100644 index 0000000..3723c24 --- /dev/null +++ b/nix/os/devices/hydra.json 
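Review bot: The corrected path `''${TEMPDIR:-/tmp}/.qtilemute` still stores the mute state under a fixed name in a world-writable directory, where another local account can pre-create or replace the file and this script will `cat` and overwrite whatever it finds there. `$XDG_RUNTIME_DIR` is per-user, private and cleaned at logout, so `export MUTEFILE=''${XDG_RUNTIME_DIR:-''${TEMPDIR:-/tmp}}/.qtilemute` keeps the current fallback while avoiding the shared directory. The `newstate=$(( $(cat $MUTEFILE || echo 0 ) ^ 1 ))` arithmetic also aborts if the file holds anything but a number, which is exactly what a foreign file would cause; the enclosing `case` block continues outside the hunk.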
@@ -0,0 +1,16 @@ +{ + "enabled": 1, + "hidden": false, + "description": "Jobsets", + "nixexprinput": "src", + "nixexprpath": "default.nix", + "checkinterval": 300, + "schedulingshares": 100, + "enableemail": false, + "emailoverride": "", + "keepnr": 3, + "inputs": { + "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, + "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } + } +} From f7335f8afc4b9181c74a1071a33dd4193d6c0e20 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 18 Nov 2018 00:27:58 +0100 Subject: [PATCH 14/68] gitlab-ci: init config --- .gitlab-ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..4ab2b64 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,10 @@ +stages: + - build + +build: + stage: build + tags: + - nix + script: + # Test the nix-shell + - nix-shell --run "echo OK" From 709f323c5818ac40f5043bddb24c7f743731026d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 18 Nov 2018 01:08:57 +0100 Subject: [PATCH 15/68] nix/os/devices/CFB4ED74: add gitlab-runner --- nix/os/devices/CFB4ED74/configuration.nix | 4 + nix/os/devices/CFB4ED74/pkg.nix | 32 ++++- nix/os/modules/gitlab-runner.nix | 149 ++++++++++++++++++++++ 3 files changed, 183 insertions(+), 2 deletions(-) create mode 100644 nix/os/modules/gitlab-runner.nix diff --git a/nix/os/devices/CFB4ED74/configuration.nix b/nix/os/devices/CFB4ED74/configuration.nix index 617813c..2239b54 100644 --- a/nix/os/devices/CFB4ED74/configuration.nix +++ b/nix/os/devices/CFB4ED74/configuration.nix @@ -1,9 +1,13 @@ { ... }: { + disabledModules = [ + "services/continuous-integration/gitlab-runner.nix" + ]; imports = [ ../../profiles/common/configuration.nix ../../modules/encryptedDisk.nix + ../../modules/gitlab-runner.nix ./system.nix ./hw.nix 
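Review bot: Both inputs in hydra.json are fetched over `git://`, which is neither authenticated nor encrypted, so the expressions Hydra evaluates and builds, and the nixpkgs they are built against, can be swapped in transit. Using `https://github.com/...` in both `value` fields costs nothing, and `release-16.03` is an end-of-life channel, so if this outgrows a test the nixpkgs input should move to a maintained branch. A `description` saying this is a copy of the declarative-hydra example would keep the next reader from mistaking it for the production jobset.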
diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/CFB4ED74/pkg.nix index b9a638e..5d7200e 100644 --- a/nix/os/devices/CFB4ED74/pkg.nix +++ b/nix/os/devices/CFB4ED74/pkg.nix @@ -1,5 +1,7 @@ -{ -... +{ config +, pkgs +, lib +, ... }: { @@ -9,4 +11,30 @@ enable = true; openDefaultPorts = true; }; + + services.gitlab-runner = { + enable = true; + + packages = with pkgs; [ + bash + gitlab-runner + nix + gitFull + git-crypt + ]; + + configFile = let + nixRunnerToken = "/etc/secrets/gitlab-runner/nix-runner.token"; + in pkgs.writeText "config.toml" '' + concurrent = 2 + check_interval = 0 + [[runners]] + name = "nix-runner" + url = "https://gitlab.com" + token = "<% sed -z 's/[\n\s]//g' ${nixRunnerToken} %>" + executor = "shell" + shell = "bash" + [runners.cache] + ''; + }; } diff --git a/nix/os/modules/gitlab-runner.nix b/nix/os/modules/gitlab-runner.nix new file mode 100644 index 0000000..6091350 --- /dev/null +++ b/nix/os/modules/gitlab-runner.nix 
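Review bot: The token template `sed -z 's/[\n\s]//g' ${nixRunnerToken}` relies on `\s` being a whitespace class inside a bracket expression, but as far as I know GNU sed only recognizes escapes such as `\n` and `\t` there, in which case `[\s]` matches a literal backslash or the letter `s` and any runner token containing an `s` is silently mangled before it reaches GitLab. `tr -d '[:space:]' < ${nixRunnerToken}` strips all whitespace, including the trailing newline, without that ambiguity. Keeping the token out of the store via the esh template is the right approach; a comment on `configFile` stating that the file is rendered at service start and that /etc/secrets/gitlab-runner must stay root-only would make that intent obvious.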
@@ -0,0 +1,149 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.gitlab-runner; + configFile = + if (cfg.configFile == null) then + (pkgs.runCommand "config.toml" { + buildInputs = [ pkgs.remarshal ]; + } '' + remarshal -if json -of toml \ + < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \ + > $out + '') + else + cfg.configFile; + hasDocker = config.virtualisation.docker.enable; +in +{ + options.services.gitlab-runner = { + enable = mkEnableOption "Gitlab Runner"; + + configFile = mkOption { + default = null; + description = '' + Configuration file for gitlab-runner. + Use this option in favor of configOptions to avoid placing CI tokens in the nix store. + + takes precedence over . + + Warning: Not using will potentially result in secrets + leaking into the WORLD-READABLE nix store. + ''; + type = types.nullOr types.path; + }; + + configOptions = mkOption { + description = '' + Configuration for gitlab-runner + will take precedence over this option. + + Warning: all Configuration, especially CI token, will be stored in a + WORLD-READABLE file in the Nix Store. + + If you want to protect your CI token use instead. + ''; + type = types.attrs; + example = { + concurrent = 2; + runners = [{ + name = "docker-nix-1.11"; + url = "https://CI/"; + token = "TOKEN"; + executor = "docker"; + builds_dir = ""; + docker = { + host = ""; + image = "nixos/nix:1.11"; + privileged = true; + disable_cache = true; + cache_dir = ""; + }; + }]; + }; + }; + + gracefulTermination = mkOption { + default = false; + type = types.bool; + description = '' + Finish all remaining jobs before stopping, restarting or reconfiguring. + If not set gitlab-runner will stop immediatly without waiting for jobs to finish, + which will lead to failed builds. 
+ ''; + }; + + gracefulTimeout = mkOption { + default = "infinity"; + type = types.str; + example = "5min 20s"; + description = ''Time to wait until a graceful shutdown is turned into a forceful one.''; + }; + + workDir = mkOption { + default = "/var/lib/gitlab-runner"; + type = types.path; + description = "The working directory used"; + }; + + package = mkOption { + description = "Gitlab Runner package to use"; + default = pkgs.gitlab-runner; + defaultText = "pkgs.gitlab-runner"; + type = types.package; + example = literalExample "pkgs.gitlab-runner_1_11"; + }; + + packages = mkOption { + default = [ pkgs.bash pkgs.docker-machine ]; + defaultText = "[ pkgs.bash pkgs.docker-machine ]"; + type = types.listOf types.package; + description = '' + Packages to add to PATH for the gitlab-runner process. + ''; + }; + + }; + + config = mkIf cfg.enable { + systemd.services.gitlab-runner = { + path = cfg.packages; + environment = config.networking.proxy.envVars; + description = "Gitlab Runner"; + after = [ "network.target" ] + ++ optional hasDocker "docker.service"; + requires = optional hasDocker "docker.service"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "gitlab-runner"; + Group = "gitlab-runner"; + WorkingDirectory = cfg.workDir; + ExecStart = ''/usr/bin/env bash -c "exec ${cfg.package.bin}/bin/gitlab-runner run \ + --working-directory ${cfg.workDir} \ + --config <(${pkgs.esh}/bin/esh -o - -- ${configFile}) \ + --service gitlab-runner \ + "''; + + } // optionalAttrs (cfg.gracefulTermination) { + TimeoutStopSec = "${cfg.gracefulTimeout}"; + KillSignal = "SIGQUIT"; + KillMode = "process"; + }; + }; + + # Make the gitlab-runner command availabe so users can query the runner + environment.systemPackages = [ cfg.package ]; + + users.users.gitlab-runner = { + group = "gitlab-runner"; + extraGroups = optional hasDocker "docker"; + uid = config.ids.uids.gitlab-runner; + home = cfg.workDir; + createHome = true; + }; + + users.groups.gitlab-runner.gid = 
config.ids.gids.gitlab-runner; + }; +} From 9f80fb103331e3b9ad8a2bdf20e959cf66a5b035 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 18 Nov 2018 14:43:34 +0100 Subject: [PATCH 16/68] nix/os/devices/CFB4ED74: enable hydra --- nix/os/devices/CFB4ED74/pkg.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/nix/os/devices/CFB4ED74/pkg.nix b/nix/os/devices/CFB4ED74/pkg.nix index 5d7200e..0964d90 100644 --- a/nix/os/devices/CFB4ED74/pkg.nix +++ b/nix/os/devices/CFB4ED74/pkg.nix @@ -12,6 +12,24 @@ openDefaultPorts = true; }; + services.hydra = { + enable = true; + hydraURL = "http://localhost:3000"; # externally visible URL + notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service + # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines + buildMachinesFiles = []; + # you will probably also want, otherwise *everything* will be built from scratch + useSubstitutes = true; + }; + + nix.buildMachines = [ + { hostName = "localhost"; + system = "x86_64-linux"; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + maxJobs = 4; + } + ]; + services.gitlab-runner = { enable = true; From c24e6951812e74ac688c978f971483bbb7ee73e1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 18 Nov 2018 14:44:00 +0100 Subject: [PATCH 17/68] nix/os/devices/CFB4ED74: cleanup --- nix/os/devices/CFB4ED74/boot.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nix/os/devices/CFB4ED74/boot.nix b/nix/os/devices/CFB4ED74/boot.nix index 6e17997..18fcc13 100644 --- a/nix/os/devices/CFB4ED74/boot.nix +++ b/nix/os/devices/CFB4ED74/boot.nix @@ -4,8 +4,5 @@ { boot.loader.grub.efiSupport = lib.mkForce false; -# boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; -# boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = [ ]; } From e82047e49d77454479fa9940ab04e96a99f87a87 Mon Sep 17 00:00:00 2001 
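Review bot: `extraGroups = optional hasDocker "docker";` in the users.users.gitlab-runner block grants the runner account docker-socket access whenever docker is enabled on the host, and CFB4ED74 configures this runner with `executor = "shell"` (pkg.nix hunk in this patch), so every CI job from any project the runner accepts can start a privileged container and is effectively root on the box. The group membership only serves the docker executor, so it should be opt-in, e.g. an option like `dockerAccess = mkEnableOption "docker socket access for the runner user";` consumed as `extraGroups = optional (hasDocker && cfg.dockerAccess) "docker";`, left off for the shell runner. I am also unsure how gitlab-runner copes with `--config <(${pkgs.esh}/bin/esh -o - -- ${configFile})`, since the versions I know re-read config.toml on change and a pipe cannot be read twice; rendering to a root-owned file under `RuntimeDirectory` in an `ExecStartPre` would remove that doubt.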
From: Stefan Junker Date: Sun, 18 Nov 2018 14:44:38 +0100 Subject: [PATCH 18/68] nix/os/devices/CFB4ED74: add static ipv6 static address --- nix/os/devices/CFB4ED74/system.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index f401d6e..5da4f39 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -11,6 +11,13 @@ in { networking.hostName = "CFB4ED74"; # Define your hostname. networking.firewall.enable = true; + networking.interfaces.eth0 = { + useDHCP = true; + ipv6.addresses = [ { + address = "2a02:c207:3003:2387::1"; + prefixLength = 64; + } ]; + }; # Kubernetes # services.kubernetes.roles = ["master" "node"]; @@ -23,7 +30,6 @@ in { services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - networking.useDHCP = true; boot.initrd.network = { enable = true; udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; From e6c4a19832fbaf48628e8d3583b906026a8bae1c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 18 Nov 2018 14:44:58 +0100 Subject: [PATCH 19/68] nix/os/devices/CFB4ED74: open iperf3 port --- nix/os/devices/CFB4ED74/system.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index 5da4f39..b2ff413 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -11,6 +11,10 @@ in { networking.hostName = "CFB4ED74"; # Define your hostname. networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; networking.interfaces.eth0 = { useDHCP = true; ipv6.addresses = [ { From 9fae53fac71b02b15cd364b592d452e36949acc9 Mon Sep 17 00:00:00 2001 
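Review bot: Adding `5201` to `networking.firewall.allowedTCPPorts` exposes an unauthenticated iperf3 server to the whole internet once the public IPv6 address configured in the same file is live, and anyone who finds it can saturate the uplink at will. If the port is only needed for a measurement, starting the server with `iperf3 -s -1` and opening the port ad hoc is enough; if it is meant to stay, replace the bare `# iperf3` comment with one stating that the exposure is deliberate and when it can be removed. The enclosing attribute set continues outside the hunk.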
From: Stefan Junker Date: Mon, 19 Nov 2018 02:03:22 +0100 Subject: [PATCH 20/68] fixup! nix/os/devices/CFB4ED74: add static ipv6 static address --- nix/os/devices/CFB4ED74/system.nix | 23 ++++++++++++++++++----- nix/os/devices/{default.nix => disk.nix} | 0 2 files changed, 18 insertions(+), 5 deletions(-) rename nix/os/devices/{default.nix => disk.nix} (100%) diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index b2ff413..5fb7add 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix @@ -15,12 +15,17 @@ in { # iperf3 5201 ]; + + networking.useDHCP = true; + networking.usePredictableInterfaceNames = false; networking.interfaces.eth0 = { - useDHCP = true; - ipv6.addresses = [ { - address = "2a02:c207:3003:2387::1"; - prefixLength = 64; - } ]; + ipv6.addresses = [ + { address = "2a02:c207:3003:2387::1"; prefixLength = 64; } + ]; + }; + networking.defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; }; # Kubernetes @@ -43,4 +48,12 @@ in { authorizedKeys = keys.users.steveej.openssh; }; }; + + boot.initrd.postMountCommands = '' + for iface in $(cd /sys/class/net && ls); do + echo "Bringing down $iface..." + ip address flush dev $iface + ip link set $iface down + done + ''; } diff --git a/nix/os/devices/default.nix b/nix/os/devices/disk.nix similarity index 100% rename from nix/os/devices/default.nix rename to nix/os/devices/disk.nix From e8d6e32d0186818c0da601dd7c63e47ea3439455 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 19 Nov 2018 02:03:42 +0100 Subject: [PATCH 21/68] nix/os/devices/CFB4ED74: reconfigure host/domainname --- nix/os/devices/CFB4ED74/system.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix index 5fb7add..257996d 100644 --- a/nix/os/devices/CFB4ED74/system.nix +++ b/nix/os/devices/CFB4ED74/system.nix 
@@ -8,7 +8,8 @@ let in { # TASK: new device - networking.hostName = "CFB4ED74"; # Define your hostname. + networking.hostName = "contabo1"; # Define your hostname. + networking.domain = "bootstrap.clusters.stefanjunker.de"; networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ From 47811b22c2eab93e70dd64968f363ab1e8bb2337 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 19 Nov 2018 02:04:26 +0100 Subject: [PATCH 22/68] nix/os/devices: refactor expressions --- Justfile | 4 ++-- nix/os/devices/default.nix | 30 ++++++++++++++++++++++++++++++ nix/os/devices/disk.nix | 25 +++++-------------------- 3 files changed, 37 insertions(+), 22 deletions(-) create mode 100644 nix/os/devices/default.nix diff --git a/Justfile b/Justfile index ad0b2cb..721df5b 100755 --- a/Justfile +++ b/Justfile @@ -1,10 +1,10 @@ _usage: just -l -_device action dir +moreargs="": +_device recipe dir +moreargs="": #!/usr/bin/env bash set -ex - sudo $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A {{action}} --argstr dir {{dir}} {{moreargs}}) + sudo $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: #!/usr/bin/env bash diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix new file mode 100644 index 0000000..23741c8 --- /dev/null +++ b/nix/os/devices/default.nix 
@@ -0,0 +1,30 @@ +{ pkgs ? import {} +, ownLib ? import ../lib/default.nix { } +, dir +, rebuildarg +, moreargs ? "" +, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId +, gitRoot ? "$(git rev-parse --show-toplevel)" +}: + +let + rebuild = pkgs.writeScript "script" '' + #!/usr/bin/env bash + set -xe + + pushd ${gitRoot}/${dir} + export NIXOS_CONFIG="$PWD"/configuration.nix + + [[ -e "''${NIXOS_CONFIG}" ]] + + nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} + if test -L result; then + rm result + fi + ''; + +in { + recipes = { + inherit rebuild; + } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot; }); +} diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index d31596b..4490311 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -1,31 +1,16 @@ -{ pkgs ? import {} -, ownLib ? import ../lib/default.nix { } +{ pkgs +, ownLib , dir , rebuildarg -, moreargs ? "" -, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId -, gitRoot ? "$(git rev-parse --show-toplevel)" +, moreargs +, diskId +, gitRoot }: let mntRootVol="/mnt/${diskId}-root"; in rec { - rebuild = pkgs.writeScript "script" '' - #!/usr/bin/env bash - set -xe - - pushd ${gitRoot}/${dir} - export NIXOS_CONFIG="$PWD"/configuration.nix - - [[ -e "''${NIXOS_CONFIG}" ]] - - nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} - if test -L result; then - rm result - fi - ''; - diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe From de18ab5720e691236878ef448a932a65566870a7 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 19 Nov 2018 02:06:17 +0100 Subject: [PATCH 23/68] nix/home-manager/configuration/text-minimal: add iperf3 --- nix/home-manager/configuration/text-minimal.txt | 1 + nix/os/devices/steveej-t480s-work/configuration.nix | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nix/home-manager/configuration/text-minimal.txt b/nix/home-manager/configuration/text-minimal.txt index 42bb7e8..79d653d 100644 --- a/nix/home-manager/configuration/text-minimal.txt +++ b/nix/home-manager/configuration/text-minimal.txt @@ -22,5 +22,6 @@ in { home.packages = [] ++ (with pkgs; [ + iperf3 ]); } diff --git a/nix/os/devices/steveej-t480s-work/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix index d37fb0a1..a7700f1 100644 --- a/nix/os/devices/steveej-t480s-work/configuration.nix +++ b/nix/os/devices/steveej-t480s-work/configuration.nix @@ -3,7 +3,6 @@ { disabledModules = [ "system/boot/initrd-network.nix" - ]; imports = [ From 67674b86a4080617fbb51e500a297a0a7e09bb14 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 19 Nov 2018 02:07:07 +0100 Subject: [PATCH 24/68] nix/home-manager/configuration/graphical-fullblown: add git-lfs --- nix/home-manager/configuration/graphical-fullblown.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index f3fb327..6e0f086 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -92,6 +92,7 @@ in { unstablepkgs.pijul gitless gitRepo + git-lfs # Cloud/Remote System Management google-cloud-sdk From ecd75c182f7863567a239679ce9816b3d3ef00e4 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 19 Nov 2018 18:25:06 +0100 Subject: [PATCH 25/68] Justfile/shell: experiment to verify server via VNC/SSH --- Justfile | 27 +++++++++++++++++++++++++++ shell.nix | 4 ++++ 2 files changed, 31 insertions(+) diff --git a/Justfile b/Justfile index 721df5b..d2f73e1 100755 --- a/Justfile +++ b/Justfile 
@@ -99,3 +99,30 @@ disk-umount dir: # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy" + +verify-vnc sshserver attempts="10": + #!/usr/bin/env bash + set -e + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" + + send_and_compare() { + local EXPECT="$(pwgen -0 12)" + ssh -4 ${SSHOPTS} root@{{sshserver}} "echo -e '\0033\0143'${EXPECT}>> /dev/tty0" 1>/dev/null 2>&1 + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet ${EXPECT} screenshot.txt + } + + trap "E=$?; set +e; rm screenshot.*; echo Exiting...; exit $E" INT TERM HUP + + for i in `seq 1 {{attempts}}`; do + if send_and_compare; then + echo Verification succeeded at attempt $i. Unlocking remote drive... + # TODO: unlock drive + exit 0 + fi + done + echo Verification failed {{attempts}} times. Giving up... + exit 1 diff --git a/shell.nix b/shell.nix index a8fa72c..1bde9c2 100644 --- a/shell.nix +++ b/shell.nix @@ -11,6 +11,10 @@ stdenv.mkDerivation { git-crypt vcsh gnupg + + vncdo + tesseract + imagemagick ]; # Set Environment Variables From 9691326c028a87caa27d28d0e12cdfbe4a47c4ea Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Tue, 20 Nov 2018 13:44:32 +0100 Subject: [PATCH 26/68] nix/home/config/graph-fullblown: cleanup --- .../configuration/graphical-fullblown.nix | 44 +++++++------------ 1 file changed, 17 insertions(+), 27 deletions(-) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 6e0f086..4007ddd 100644 
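Review bot: The VNC password is passed as `--password=${VNCPW}` on the `vncdo` command line inside `send_and_compare`, so it is visible to every local user in the process list for the duration of each capture; if vncdo can take the password from a file or from the environment instead, prefer that. The OCR artefacts `screenshot.bmp/.tiff/.txt` contain whatever is on the server console, and the trap only fires on INT/TERM/HUP, so on the normal failure path (`exit 1`) they stay in the working directory — trap `EXIT` as well. `grep --quiet ${EXPECT} screenshot.txt` should quote the pattern, `grep --quiet -- "${EXPECT}" screenshot.txt`.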
--- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -127,13 +127,6 @@ in { gnome3.gnome_keyring gnome3.seahorse - # Security - tpm-tools - tpmmanager - - # Web Browsers - links2 - # Language Support hunspellDicts.en-us hunspellDicts.de-de @@ -143,7 +136,7 @@ in { hexchat aspellDicts.en aspellDicts.de - unstablepkgs.skype + skype zoom-us unstablepkgs.bluejeans-gui thunderbird @@ -156,7 +149,7 @@ in { qemu # virtualbox vagrant - unstablepkgs.rkt + rkt python27Packages.docker_compose # unstablepkgs.kubernetes unstablepkgs.minikube @@ -231,12 +224,12 @@ in { # Modelling Tools - plantuml - umlet + # plantuml + # umlet staruml - eclipses.eclipse-modeling - dia - astah-community + # eclipses.eclipse-modeling + # dia + # astah-community # Misc Development Tools qrcode @@ -300,7 +293,7 @@ in { ntfs3g ddrescue ncdu - unstablepkgs.woeusb + woeusb unetbootin pcmanfm hdparm @@ -330,11 +323,11 @@ in { androidsdk ## Java - jre - openjdk + # jre + # openjdk ## Ruby - ruby + # ruby ## Python myPython36 @@ -344,8 +337,6 @@ in { nodejs-8_x npm2nix emscripten - etcd - sigal # Code generators unstablepkgs.swagger-codegen @@ -354,7 +345,6 @@ in { ltunify solaar dex - roxterm # kitty busyboxStatic xorg.xbacklight @@ -369,14 +359,14 @@ in { glib.dev # contains gdbus tool # Screen recording - gtk-recordmydesktop # can't select the window - qt-recordmydesktop - vokoscreen - shutter + # gtk-recordmydesktop # can't select the window + # qt-recordmydesktop + # vokoscreen + # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle obs-studio - shotcut - openshot-qt + # shotcut + # openshot-qt ]); } From c27c75fbab57611e990623a435aa095e6c4e7327 Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Sat, 1 Dec 2018 16:08:34 +0100 Subject: [PATCH 27/68] home-manager/firefox: enable the passff host application --- nix/home-manager/programs/firefox.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index b49b51e..89d436f 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix @@ -1,5 +1,5 @@ -{ -... +{ pkgs +, ... }: { @@ -15,5 +15,7 @@ "firefox" ]; }; + + home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; } From bdc7f5546789c89ac18ed4f825e2f3053c291618 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 1 Dec 2018 16:09:02 +0100 Subject: [PATCH 28/68] home/qtile-desktop: set a nice cursor theme --- nix/home-manager/profiles/qtile-desktop.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 8b3fb3a..15a5bd7 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -282,6 +282,12 @@ in { ${pkgs.autorandr}/bin/autorandr -c ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png ''; + + pointerCursor = { + name = "Vanilla-DMZ-AA"; + package = pkgs.vanilla-dmz; + size = 32; + }; }; home.packages = with pkgs; [ From cb3956c55a981fed358a439ca2bd8c02a731d751 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 12 Dec 2018 11:02:46 +0100 Subject: [PATCH 29/68] Justfile: add logic to unlock remote drive --- Justfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index d2f73e1..e2bf4ab 100755 --- a/Justfile +++ b/Justfile 
@@ -120,8 +120,11 @@ verify-vnc sshserver attempts="10": for i in `seq 1 {{attempts}}`; do if send_and_compare; then echo Verification succeeded at attempt $i. Unlocking remote drive... - # TODO: unlock drive - exit 0 + if $GETPWD | head -n1 | ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass && exit 0" 1>/dev/null 2>&1 > /dev/null; then + echo Unlock successful! + exit 0 + fi + echo Unlock failed... fi done echo Verification failed {{attempts}} times. Giving up... From 17c8ccb8c2a8318761fa2eed9fbdc4417897aa4c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 16 Dec 2018 21:57:20 +0100 Subject: [PATCH 30/68] Justfile,nix/devices: sudo only when needed --- Justfile | 2 +- nix/os/devices/default.nix | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index e2bf4ab..27a0c4f 100755 --- a/Justfile +++ b/Justfile @@ -4,7 +4,7 @@ _usage: _device recipe dir +moreargs="": #!/usr/bin/env bash set -ex - sudo $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) + $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: #!/usr/bin/env bash diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 23741c8..462f1ee 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -7,7 +7,8 @@ , gitRoot ? "$(git rev-parse --show-toplevel)" }: -let +let + rebuildargsSudo = [ "switch" "boot" ]; rebuild = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -17,6 +18,11 @@ let [[ -e "''${NIXOS_CONFIG}" ]] + ${if (builtins.elem rebuildarg rebuildargsSudo) then + "sudo -E \\" + else + "" + } nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} if test -L result; then rm result From c5c4b160a12d01c806801f78fbc659d47132e5c0 Mon Sep 17 00:00:00 2001 
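Review bot: `$GETPWD | head -n1 | ssh …` is never guarded: the recipe runs with `set -e` but no `pipefail`, so if `GETPWD` is unset or the password command fails, an empty line is sent to `cryptsetup-askpass` and the pipeline still reports only the status of the `ssh` leg. Add `: ${GETPWD:?GETPWD must be set}` next to the other checks and `set -o pipefail` at the top of the recipe (the recipe header is outside this hunk). The redirection `1>/dev/null 2>&1 > /dev/null` is redundant — `&>/dev/null` is enough. A later patch in this series rewrites the same recipe to read `${GETPW}`, so the variable name should be settled in one place and documented in the recipe.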
From: Stefan Junker Date: Mon, 17 Dec 2018 13:10:06 +0100 Subject: [PATCH 31/68] nix,steveej-t480s-work: introduce pure versioning --- Justfile | 5 ++++ nix/default.nix | 25 +++++++++++++++++++ .../configuration/graphical-fullblown.nix | 2 +- .../configuration/graphical-removable.nix | 6 ++--- nix/home-manager/profiles/nix-channels.nix | 6 +++-- nix/home-manager/programs/neovim.nix | 2 +- nix/os/devices/default.nix | 2 +- nix/os/devices/steveej-laptop/system.nix | 2 +- .../devices/steveej-t480s-work/versions.nix | 4 +++ nix/scripts/pre-eval-fixed.sh | 3 ++- nix/variables/versions.nix | 4 +++ shell.nix | 7 ++++-- 12 files changed, 55 insertions(+), 13 deletions(-) create mode 100644 nix/default.nix create mode 100644 nix/os/devices/steveej-t480s-work/versions.nix create mode 100644 nix/variables/versions.nix diff --git a/Justfile b/Justfile index 27a0c4f..01e5a23 100755 --- a/Justfile +++ b/Justfile @@ -1,14 +1,19 @@ _usage: just -l +_get_nix_path versionsPath: + echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}} --argstr rebuildarg "dummy") + _device recipe dir +moreargs="": #!/usr/bin/env bash set -ex + source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: #!/usr/bin/env bash set -ex + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates diff --git a/nix/default.nix b/nix/default.nix new file mode 100644 index 0000000..6cb96b4 --- /dev/null +++ b/nix/default.nix 
@@ -0,0 +1,25 @@ +{ versionsPath }: + +{ + channelSources = + let + # channelVersions = (import ((builtins.getEnv "PWD")+"/${dir}/versions.nix")); + channelVersions = (import versionsPath); + mkChannelSource = channel: builtins.fetchGit { + # Descriptive name to make the store path easier to identify + url = "https://github.com/NixOS/nixpkgs-channels/"; + # Commit hash for nixos-unstable as of 2018-09-12 + # `git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable` + rev = (builtins.getAttr channel channelVersions); + name = "nixpkgs-channels-${channel}"; + }; + nix_path = builtins.foldl' (sum: elem: sum +":" + builtins.concatStringsSep "=" elem) "" [ + [ "nixpkgs" (mkChannelSource "channelsNixosStable") ] + [ "nixos" (mkChannelSource "channelsNixosStable") ] + [ "channels-nixos-stable" (mkChannelSource "channelsNixosStable") ] + [ "channels-nixos-unstable" (mkChannelSource "channelsNixosUnstable") ] + ]; + in (import (mkChannelSource "channelsNixosStable") {}).writeText "channels.rc" '' + export NIX_PATH=${nix_path} + ''; + } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 4007ddd..2c56230 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -4,7 +4,7 @@ let # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {}; - unstablepkgs = import { config = config.nixpkgs.config; }; + unstablepkgs = import { config = config.nixpkgs.config; }; in { imports = [ diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index aade69f..1cbf3ac 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix 
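Review bot: The comments inside `mkChannelSource` are stale copies of the Nix manual example — "Commit hash for nixos-unstable as of 2018-09-12" is wrong because `rev` now comes from `channelVersions`, and "Descriptive name …" sits above `url` rather than `name`; replace both with `# rev is pinned per channel in versionsPath; name only labels the store path`. Two smaller points: the `foldl'` seeded with `""` yields a NIX_PATH with a leading `:` (an empty entry), which `builtins.concatStringsSep ":" (map (builtins.concatStringsSep "=") [ … ])` avoids; and `builtins.fetchGit` is called without `ref`, so if a pinned rev is not reachable from the repository's default branch the fetch may fail — consider passing the channel branch as `ref`.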
@@ -3,7 +3,8 @@ ... }: let - unstablepkgs = import { config = config.nixpkgs.config; }; + unstablepkgs = import { config = config.nixpkgs.config; }; + in { imports = [ ../profiles/common.nix @@ -52,9 +53,6 @@ in { }; }; - # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {}; - # unstablepkgs = import { config = { allowUnfree = true; }; }; - home.sessionVariables = { }; diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index faa9984..4a0eebe 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix @@ -6,14 +6,16 @@ let in { home.file.".nix-channels".text = '' - https://nixos.org/channels/nixos-18.09 nixos - https://nixos.org/channels/nixos-unstable nixos-unstable ''; home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' set -ex if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel echo Moving existing file away... touch $HOME/.nix-channels.dummy mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index 8b5a343..b298be4 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix @@ -3,7 +3,7 @@ }: let - unstablepkgs = import {}; + unstablepkgs = import {}; in { home.sessionVariables = { diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 462f1ee..5b58d94 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -1,4 +1,4 @@ -{ pkgs ? import {} +{ pkgs ? import {} , ownLib ? import ../lib/default.nix { } , dir , rebuildarg diff --git a/nix/os/devices/steveej-laptop/system.nix b/nix/os/devices/steveej-laptop/system.nix index 1f55f91..ae87f1d 100644 
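Review bot: The new loop reads from `$HOME/.nix-channel` while the surrounding `test -f` and `mv` use `$HOME/.nix-channels`; because the script runs under `set -ex`, the failed redirection aborts the activation before the existing file is moved away. Change the loop terminator to `done < $HOME/.nix-channels`. Since `nix-channel --remove` runs for every line, a comment that the file is expected to hold `url name` pairs only would make the `read url channel` destructuring self-explanatory.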
--- a/nix/os/devices/steveej-laptop/system.nix +++ b/nix/os/devices/steveej-laptop/system.nix @@ -5,7 +5,7 @@ }: let - unstablepkgs = import { config = config.nixpkgs; }; + unstablepkgs = import { config = config.nixpkgs; }; in { # The NixOS release to be compatible with for stateful data such as databases. diff --git a/nix/os/devices/steveej-t480s-work/versions.nix b/nix/os/devices/steveej-t480s-work/versions.nix new file mode 100644 index 0000000..57f56b6 --- /dev/null +++ b/nix/os/devices/steveej-t480s-work/versions.nix @@ -0,0 +1,4 @@ +{ + channelsNixosStable = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + channelsNixosUnstable = "44b02b52ea6a49674f124f50009299f192ed78bb"; +} diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index 0b22a4f..314346f 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash +set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" -hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1) +hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1) sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix new file mode 100644 index 0000000..57f56b6 --- /dev/null +++ b/nix/variables/versions.nix @@ -0,0 +1,4 @@ +{ + channelsNixosStable = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + channelsNixosUnstable = "44b02b52ea6a49674f124f50009299f192ed78bb"; +} diff --git a/shell.nix b/shell.nix index 1bde9c2..d7104ff 100644 --- a/shell.nix +++ b/shell.nix 
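Review bot: Adding `set -xe` does not catch the case that matters in `pre-eval-fixed.sh`: the `hash=$(… | grep -oE … | head -n1)` pipeline reports `head`'s status, so when no 52-character store hash appears in the output `hash` is empty and the `sed` silently leaves the zero placeholder in `${OUTFILE}`. Add `: "${hash:?no store hash found in nix-build output}"` after the assignment, or enable `set -o pipefail` and keep the non-empty check as well.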
@@ -1,12 +1,15 @@ -with import {}; +{ ... }: let + channels-nixos-stable-path = (builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/7e88992a8c7b2de0bcb89182d8686b27bd93e46a.tar.gz); + channels-nixos-stable = import channels-nixos-stable-path {}; in +with channels-nixos-stable; stdenv.mkDerivation { name = "infra-env"; buildInputs = [ - (with import { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]) + (with import (channels-nixos-stable-path+"/nixos") { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]) (pkgs.callPackage ./nix/pkgs/just.nix {}) git-crypt vcsh From 194c2aaf9c61e4affbd27da06aa9ce9cb869902c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:13:13 +0100 Subject: [PATCH 32/68] nix/home/graphical-fullblown: handle android sdk changes --- nix/home-manager/configuration/graphical-fullblown.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 2c56230..0491aad 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -27,9 +27,11 @@ in { gnutls = true; }; + android_sdk.accept_license = true; + packageOverrides = pkgs: with pkgs; { myPython36 = python36Full.withPackages (ps: with ps; [ - pylint pep8 yapf flake8 + pep8 yapf flake8 # autopep8 (broken) # pylint (broken) ipython @@ -146,7 +148,7 @@ in { # Virtualization virtmanager - qemu + (pkgs.lib.hiPrio qemu) # virtualbox vagrant rkt From 8803f835b83dda66ac62819540f410ec5cddaff3 Mon Sep 17 00:00:00 2001 
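Review bot: `builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/7e88….tar.gz` pins a commit but performs no integrity check on the downloaded archive, and the same revision is duplicated from `nix/variables/versions.nix`, so the two can drift despite the "pure versioning" goal of this patch. Use the attribute-set form with a content hash, `builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/7e88992a8c7b2de0bcb89182d8686b27bd93e46a.tar.gz"; sha256 = "<hash of the unpacked tarball — placeholder>"; }`, and read the revision from the versions file rather than inlining it here.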
From: Stefan Junker Date: Mon, 17 Dec 2018 13:14:22 +0100 Subject: [PATCH 33/68] nix/home-manger/neovim: theming and yaml config --- nix/home-manager/programs/neovim.nix | 13 +++++++++++++ nix/home-manager/programs/neovim/vimrc | 8 ++++++-- nix/os/devices/default.nix | 3 ++- 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index b298be4..1c250ae 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix @@ -54,6 +54,17 @@ in { buildInputs = [ zip vim ]; }; + vim-yaml = vimUtils.buildVimPlugin { + name = "vim-yaml"; + src = fetchFromGitHub { + owner = "stephpy"; + repo = "vim-yaml"; + rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + }; + }; + + vim-markdown-toc = vimUtils.buildVimPlugin { name = "vim-markdown-toc"; src = fetchFromGitHub { @@ -88,6 +99,7 @@ in { default = [ "delimitMate" "vim-airline" + "vim-airline-themes" "ctrlp" "vim-css-color" "rainbow_parentheses" @@ -123,6 +135,7 @@ in { # YAML "yaml-folds" + "vim-yaml" # Perl # "vim-perl" diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index f1742e2..f928efa 100644 --- a/nix/home-manager/programs/neovim/vimrc +++ b/nix/home-manager/programs/neovim/vimrc @@ -53,14 +53,18 @@ let g:ctrlp_custom_ignore = { "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' -" allways show status line +" always show status line set ls=2 +" let g:airline#extensions#tabline#formatter = 'default' +" let g:airline#extensions#tabline#enabled=1 +let g:airline_theme='papercolor' set tabstop=4 set shiftwidth=4 set softtabstop=4 set expandtab "set textwidth=80 + set backspace=indent,eol,start set wildignore+=*/site/*,*.so,*.swp,*.zip 
@@ -124,7 +128,7 @@ augroup END " YAML {{{ augroup ft_yaml au! -setlocal autoindent sw=2 et tabstop=2 shiftwidth=2 softtabstop=2 +setlocal tabstop=2 shiftwidth=2 softtabstop=2 expandtab augroup END " }}} diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 5b58d94..3697a45 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -23,12 +23,13 @@ let else "" } - nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} + nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} if test -L result; then rm result fi ''; + in { recipes = { inherit rebuild; From 4841bce338966d51e98840951803b11722fd197b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:15:21 +0100 Subject: [PATCH 34/68] steveej-t480s-work: DNS reconfig and libvirtd listen on tcp --- nix/os/devices/steveej-t480s-work/system.nix | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix index f47b808..f983cd9 100644 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ b/nix/os/devices/steveej-t480s-work/system.nix @@ -10,11 +10,9 @@ in { # TASK: new device networking.hostName = "steveej-t480s-work"; # Define your hostname. - # Used for testing local Tectonic clusters + # Used for testing local Openshift clusters environment.etc."NetworkManager/dnsmasq.d/tectonic.conf".text = '' - server=/tt.testing/192.168.124.1 - server=/tectonic-ci.de/192.168.124.1 - server=/tectonic-ci.lan/192.168.124.1 + server=/openshift.testing/192.168.126.1 ''; networking.firewall.enable = lib.mkForce false; networking.firewall.checkReversePath = false; 
@@ -46,7 +44,18 @@ in { # virtualization virtualisation = { - libvirtd.enable = true; + libvirtd = { + enable = true; + extraOptions = [ + "--listen" + ]; + extraConfig = '' + listen_tls = 0 + listen_tcp = 1 + auth_tcp="none" + tcp_port = "16509" + ''; + }; virtualbox.host.enable = true; virtualbox.host.addNetworkInterface = true; docker.enable = true; From bc2e6f98f36874b76e2f0f8c27a42198df466d91 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:16:48 +0100 Subject: [PATCH 35/68] steveej-t480s-work: explicitly disable userspace backlight support --- nix/os/devices/steveej-t480s-work/hw.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nix/os/devices/steveej-t480s-work/hw.nix b/nix/os/devices/steveej-t480s-work/hw.nix index 19948b5..181fd30 100644 --- a/nix/os/devices/steveej-t480s-work/hw.nix +++ b/nix/os/devices/steveej-t480s-work/hw.nix @@ -31,4 +31,6 @@ in options kvm-intel enable_apicv=1 options kvm-intel ept=1 ''; + + hardware.brightnessctl.enable = false; } From 1af0a4e8dc65985eb8f87153234e4b918442a998 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:18:35 +0100 Subject: [PATCH 36/68] steveej-t480s-work: enable teamviewer daemon --- nix/os/devices/steveej-t480s-work/pkg.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/os/devices/steveej-t480s-work/pkg.nix b/nix/os/devices/steveej-t480s-work/pkg.nix index 0bbf536..fa0e20a 100644 --- a/nix/os/devices/steveej-t480s-work/pkg.nix +++ b/nix/os/devices/steveej-t480s-work/pkg.nix @@ -4,4 +4,5 @@ { home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix; + services.teamviewer.enable = true; } From a0798079e49e450a2da8d70781436d2bca3153f5 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:18:49 +0100 Subject: [PATCH 37/68] steveej-t480s-work: enable fingerprint authentication --- nix/os/devices/steveej-t480s-work/system.nix | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
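Review bot: The new `extraConfig` turns on an unauthenticated, unencrypted libvirt listener (`listen_tls = 0`, `listen_tcp = 1`, `auth_tcp="none"`, `tcp_port = "16509"`) with no `listen_addr`, so libvirtd binds on every interface; combined with `networking.firewall.enable = lib.mkForce false` in this same file, anyone who can reach the laptop on any network it joins gets full, root-equivalent control of the hypervisor. If the listener is only needed for the local OpenShift test VMs, bind it to loopback or the lab bridge, `listen_addr = "127.0.0.1"` (or the 192.168.126.1 address used in the dnsmasq entry above), or keep TLS/SASL authentication on and add a comment explaining why plain TCP is required. The quoting is also inconsistent (`auth_tcp="none"` versus `tcp_port = "16509"`); one style makes the config easier to grep.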
diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix index f983cd9..0d95cd7 100644 --- a/nix/os/devices/steveej-t480s-work/system.nix +++ b/nix/os/devices/steveej-t480s-work/system.nix @@ -32,12 +32,11 @@ in { ]; }; -# TODO: get external fingerprint reader -# services.fprintd.enable = true; -# security.pam.services = { -# login.fprintAuth = true; -# sudo.fprintAuth = true; -# }; + services.fprintd.enable = true; + security.pam.services = { + login.fprintAuth = true; + sudo.fprintAuth = true; + }; # Kubernetes # services.kubernetes.roles = ["master" "node"]; From 0db3324e890b47271d961f8cda57ec6f70aa797a Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:37:58 +0100 Subject: [PATCH 38/68] *: format cleanup --- shell.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shell.nix b/shell.nix index d7104ff..1c73ef9 100644 --- a/shell.nix +++ b/shell.nix @@ -1,10 +1,10 @@ { ... }: -let +let channels-nixos-stable-path = (builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/7e88992a8c7b2de0bcb89182d8686b27bd93e46a.tar.gz); channels-nixos-stable = import channels-nixos-stable-path {}; -in +in with channels-nixos-stable; stdenv.mkDerivation { name = "infra-env"; From 7eaa7f6e4530db56786dbb887c9b22a9f1a01780 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:38:12 +0100 Subject: [PATCH 39/68] Justfile: prototype remote drive unlock --- Justfile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Justfile b/Justfile index 01e5a23..0095766 100755 --- a/Justfile +++ b/Justfile 
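Review bot: `security.pam.services.{login,sudo}.fprintAuth = true` makes a fingerprint sufficient on its own for both login and privilege escalation; since a fingerprint cannot be rotated like a password, the choice deserves a comment, for example `# fingerprint alone unlocks login and sudo on this machine`. The removed TODO suggests an external reader may not be attached yet; as far as I can tell pam_fprintd falls through to the password prompt when no reader or enrolled print is present, so the change is not harmful in that case, but that expectation is worth stating next to the option.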
@@ -108,6 +108,9 @@ disk-install dir: _render_templates verify-vnc sshserver attempts="10": #!/usr/bin/env bash set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" export TESS_ARGS="-c debug_file=/dev/null --psm 4" @@ -134,3 +137,7 @@ verify-vnc sshserver attempts="10": done echo Verification failed {{attempts}} times. Giving up... exit 1 + +_get_pass_entry path key: + pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }' + # jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:") From 97abdf17e0e8d82f07609a0c70d3e44761af79cb Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 22 Dec 2018 13:18:32 +0100 Subject: [PATCH 40/68] nix/home/zsh: source pinned channel sources --- nix/home-manager/programs/zsh.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 54eda37..330d949 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -4,6 +4,9 @@ }: let + channelSources = (import ../../default.nix { + versionsPath = ../../variables/versions.nix; + }).channelSources; in { programs.zsh = { enable = true; @@ -34,6 +37,8 @@ in { # don't cd into directories when executed unsetopt AUTO_CD + + source ${channelSources} ''; sessionVariables = { From 2636941546f696f04f550bef6ef31195af5b7d90 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 17 Dec 2018 13:38:12 +0100 Subject: [PATCH 41/68] Justfile: prototype remote drive unlock --- Justfile | 47 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/Justfile b/Justfile index 0095766..70c81c9 100755 --- a/Justfile +++ b/Justfile 
@@ -114,25 +114,52 @@ verify-vnc sshserver attempts="10": export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" export TESS_ARGS="-c debug_file=/dev/null --psm 4" - send_and_compare() { - local EXPECT="$(pwgen -0 12)" - ssh -4 ${SSHOPTS} root@{{sshserver}} "echo -e '\0033\0143'${EXPECT}>> /dev/tty0" 1>/dev/null 2>&1 + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null + } + + function expect() { + local what="${1:?need something to expect}" vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet ${EXPECT} screenshot.txt + grep --quiet "${what}" screenshot.txt } - trap "E=$?; set +e; rm screenshot.*; echo Exiting...; exit $E" INT TERM HUP + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + send "${send}" + expect "${expect}" + } + + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT for i in `seq 1 {{attempts}}`; do - if send_and_compare; then + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} + echo Verification succeeded at attempt $i. Unlocking remote drive... - if $GETPWD | head -n1 | ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass && exit 0" 1>/dev/null 2>&1 > /dev/null; then - echo Unlock successful! 
- exit 0 - fi + ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 + + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done + echo Unlock failed... + exit 1 fi done echo Verification failed {{attempts}} times. Giving up... From 6398d9f8b96d0de46cf9cfbd6537eeb80c4765c9 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 2 Jan 2019 12:19:55 +0100 Subject: [PATCH 42/68] Justfile/remote-unlock: warn on failed SSH send --- Justfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 70c81c9..a345578 100755 --- a/Justfile +++ b/Justfile @@ -130,7 +130,10 @@ verify-vnc sshserver attempts="10": function send_and_expect() { local send="${1:?need something to send}" local expect="${2:?need something to expect}" - send "${send}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi expect "${expect}" } From 62d1e8dec798b0bbe1c9e7b781be8b0730d4b140 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 2 Jan 2019 12:20:23 +0100 Subject: [PATCH 43/68] nix/os/devices: never use sudo for remote targets --- nix/os/devices/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 3697a45..b361188 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -18,11 +18,13 @@ let [[ -e "''${NIXOS_CONFIG}" ]] - ${if (builtins.elem rebuildarg rebuildargsSudo) then + ${if (builtins.elem rebuildarg rebuildargsSudo) + && builtins.match ".*--target-host.*" moreargs == null + then "sudo -E \\" else "" - } + } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} if test -L result; then rm result From c4210f3d84454602ca5aec21e303e15d4bafcb53 Mon Sep 17 00:00:00 2001 
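Review bot: `eval ${GETPW} | head -n1 >&3` executes the content of an environment variable as shell code, yet unlike `VNCSOCK`/`VNCPW` there is no `: ${GETPW:?...}` guard; with `GETPW` unset the pipeline writes nothing to the fifo, the background ssh sits on `cryptsetup-askpass` waiting for input, and the script only gives up after the 120 × 0.5 s polling loop with "Unlock failed". Add `: ${GETPW:?GETPW must be set}` next to the other checks and a comment above the eval, `# GETPW is eval'ed as a shell command line; its first stdout line is the passphrase`. Handing the passphrase over the anonymous fifo rather than on the command line is the right shape, so keep that. The `expect '— success'` pattern depends on OCR reproducing a Unicode em dash exactly, which looks fragile — matching on `success` alone may be more robust, though I cannot verify the remote message from here.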
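Review bot: `return -1` is not a portable bash exit status: return codes are 0–255, older bash rejects `-1` as an invalid option, and newer bash silently turns it into 255, so `return 1` states the intent unambiguously. The message redirect `> /dev/stderr` also fails in environments without that device node, whereas `>&2` always works: `echo warning: cannot send >&2` followed by `return 1`. The enclosing `send_and_expect` function and its caller are otherwise unchanged by this hunk.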
From: Stefan Junker Date: Wed, 2 Jan 2019 18:20:39 +0100 Subject: [PATCH 44/68] nix/os/devices/CFB4ED74: add versions.nix --- nix/os/devices/CFB4ED74/versions.nix | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 nix/os/devices/CFB4ED74/versions.nix diff --git a/nix/os/devices/CFB4ED74/versions.nix b/nix/os/devices/CFB4ED74/versions.nix new file mode 100644 index 0000000..57f56b6 --- /dev/null +++ b/nix/os/devices/CFB4ED74/versions.nix @@ -0,0 +1,4 @@ +{ + channelsNixosStable = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + channelsNixosUnstable = "44b02b52ea6a49674f124f50009299f192ed78bb"; +} From 95bc45e8861c919c906e7c39d588733aeba697fe Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 2 Jan 2019 18:20:58 +0100 Subject: [PATCH 45/68] git: ignore .env file --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index fe9ad7f..5e0fed2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *.swp *.qcow2 .*.log +.env From cf657e16ffab115ca52cf85a34ca9e270af0a93c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 6 Jan 2019 02:05:48 +0100 Subject: [PATCH 46/68] nix: handle ref/rev correctly for channel fetch --- Justfile | 1 + nix/default.nix | 3 ++- nix/os/devices/steveej-laptop/versions.nix | 10 ++++++++++ nix/os/devices/steveej-t480s-work/versions.nix | 10 ++++++++-- nix/variables/versions.nix | 10 ++++++++-- 5 files changed, 29 insertions(+), 5 deletions(-) create mode 100644 nix/os/devices/steveej-laptop/versions.nix diff --git a/Justfile b/Justfile index 0095766..52e2e63 100755 --- a/Justfile +++ b/Justfile @@ -55,6 +55,7 @@ rebuild-this-device rebuildarg="dry-activate": if type home-manager > /dev/null 2>&1; then echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode... + source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix) if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then echo Home rebuild successful else 
diff --git a/nix/default.nix b/nix/default.nix index 6cb96b4..b2f3167 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -10,7 +10,8 @@ url = "https://github.com/NixOS/nixpkgs-channels/"; # Commit hash for nixos-unstable as of 2018-09-12 # `git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable` - rev = (builtins.getAttr channel channelVersions); + ref = (builtins.getAttr channel channelVersions)."ref"; + rev = (builtins.getAttr channel channelVersions)."rev"; name = "nixpkgs-channels-${channel}"; }; nix_path = builtins.foldl' (sum: elem: sum +":" + builtins.concatStringsSep "=" elem) "" [ diff --git a/nix/os/devices/steveej-laptop/versions.nix b/nix/os/devices/steveej-laptop/versions.nix new file mode 100644 index 0000000..52734ca --- /dev/null +++ b/nix/os/devices/steveej-laptop/versions.nix @@ -0,0 +1,10 @@ +{ + channelsNixosStable = { + ref = "nixos-18.09"; + rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + }; + channelsNixosUnstable = { + ref = "nixos-unstable"; + rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + }; +} diff --git a/nix/os/devices/steveej-t480s-work/versions.nix b/nix/os/devices/steveej-t480s-work/versions.nix index 57f56b6..52734ca 100644 --- a/nix/os/devices/steveej-t480s-work/versions.nix +++ b/nix/os/devices/steveej-t480s-work/versions.nix @@ -1,4 +1,10 @@ { - channelsNixosStable = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; - channelsNixosUnstable = "44b02b52ea6a49674f124f50009299f192ed78bb"; + channelsNixosStable = { + ref = "nixos-18.09"; + rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + }; + channelsNixosUnstable = { + ref = "nixos-unstable"; + rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + }; } diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 57f56b6..52734ca 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
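Review bot: The comment `# Commit hash for nixos-unstable as of 2018-09-12` above the new `ref`/`rev` lines is now stale: both values are read per channel from `channelVersions`, which the device-specific `versions.nix` files in this same patch populate, and the date no longer describes anything. Replace it with something like `# ref/rev per channel come from the device's versions.nix; rev is the reproducibility pin, ref is needed so fetchGit can find a commit that is not on the default branch`. Pinning `rev` rather than a moving branch is the property that keeps every rebuild of this configuration byte-for-byte reproducible, so it is worth stating explicitly.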
@@ -1,4 +1,10 @@ { - channelsNixosStable = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; - channelsNixosUnstable = "44b02b52ea6a49674f124f50009299f192ed78bb"; + channelsNixosStable = { + ref = "nixos-18.09"; + rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + }; + channelsNixosUnstable = { + ref = "nixos-unstable"; + rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + }; } From fa913126451ebe46d139394e456fea326a9b2d7b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 6 Jan 2019 02:14:54 +0100 Subject: [PATCH 47/68] nix/home/graphical-fullblown: add linssid --- nix/home-manager/configuration/graphical-fullblown.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 0491aad..f3e9207 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -185,6 +185,7 @@ in { iperf bind socat + linssid # samba iptables From 6cb6acd851541461a8703ee4c0b35fa2c924bd28 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 6 Jan 2019 13:19:21 +0100 Subject: [PATCH 48/68] nix/graphical-removable: add pure channel versioning --- nix/home-manager/configuration/graphical-removable.nix | 2 ++ nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix | 10 ++++++++++ 2 files changed, 12 insertions(+) create mode 100644 nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index 1cbf3ac..350b1be 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -26,6 +26,8 @@ in { gnutls = true; }; + android_sdk.accept_license = true; + packageOverrides = pkgs: with pkgs; { myPython36 = python36Full.withPackages (ps: with ps; [ pylint pep8 yapf flake8 
diff --git a/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix b/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix new file mode 100644 index 0000000..52734ca --- /dev/null +++ b/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix @@ -0,0 +1,10 @@ +{ + channelsNixosStable = { + ref = "nixos-18.09"; + rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + }; + channelsNixosUnstable = { + ref = "nixos-unstable"; + rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + }; +} From 75a8b3e94f50e83335a19e3e38d2fa1eb7894d54 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 6 Jan 2019 13:19:21 +0100 Subject: [PATCH 49/68] nix/graphical-removable: enable libvirtd --- nix/home-manager/configuration/graphical-removable.nix | 3 +++ nix/os/profiles/removable-medium/system.nix | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index 350b1be..2c11681 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -147,5 +147,8 @@ in { myPython36 busyboxStatic + + # Virtualization + virtmanager ]); } diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 92fc62c..fccfc9e 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -12,7 +12,7 @@ in { services.qemuGuest.enable = true; virtualisation = { - libvirtd.enable = false; + libvirtd.enable = true; virtualbox.host.enable = false; docker.enable = true; }; From a04bc097e38da6e934f4d644b54b50567f05e51b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 10 Jan 2019 23:31:12 +0100 Subject: [PATCH 50/68] nix/os/devices: version bumps --- nix/os/devices/CFB4ED74/versions.nix | 10 ++++++++-- nix/os/devices/steveej-t480s-work/versions.nix | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/nix/os/devices/CFB4ED74/versions.nix b/nix/os/devices/CFB4ED74/versions.nix index 57f56b6..207c7c8 100644 --- a/nix/os/devices/CFB4ED74/versions.nix +++ b/nix/os/devices/CFB4ED74/versions.nix @@ -1,4 +1,10 @@ { - channelsNixosStable = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; - channelsNixosUnstable = "44b02b52ea6a49674f124f50009299f192ed78bb"; + channelsNixosStable = { + ref = "nixos-18.09"; + rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12"; + }; + channelsNixosUnstable = { + ref = "nixos-unstable"; + rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + }; } diff --git a/nix/os/devices/steveej-t480s-work/versions.nix b/nix/os/devices/steveej-t480s-work/versions.nix index 52734ca..19d8582 100644 --- a/nix/os/devices/steveej-t480s-work/versions.nix +++ b/nix/os/devices/steveej-t480s-work/versions.nix @@ -1,10 +1,10 @@ { channelsNixosStable = { ref = "nixos-18.09"; - rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12"; }; channelsNixosUnstable = { ref = "nixos-unstable"; - rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + rev = "eebd1a9263716a04689a37b6537e50801d376b5e"; }; } From 64ecf2aa1e7fb984835129f373ffcc109c56ca22 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 10 Jan 2019 23:31:33 +0100 Subject: [PATCH 51/68] Justfile: rename remote unlock recipe --- Justfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 4ce8ca7..189ef4c 100755 --- a/Justfile +++ b/Justfile @@ -106,7 +106,7 @@ disk-umount dir: disk-install dir: _render_templates just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy" -verify-vnc sshserver attempts="10": +verify-n-unlock sshserver attempts="10": #!/usr/bin/env bash set -e : ${VNCSOCK:?VNCSOCK must be set} From 1a78e7019b88a6bce3a286a319673ee77ec71d2f Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Sat, 12 Jan 2019 10:51:03 +0100 Subject: [PATCH 52/68] vimrc: set light background --- nix/home-manager/programs/neovim/vimrc | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index f928efa..7b3ed3f 100644 --- a/nix/home-manager/programs/neovim/vimrc +++ b/nix/home-manager/programs/neovim/vimrc @@ -115,6 +115,7 @@ au Syntax * RainbowParenthesesLoadBraces " } set t_ut= +set background=light colorscheme PaperColor " Python {{{ From 4f26e935ee36ddccdf67e8450b57f8e461eabe89 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 22:24:30 +0100 Subject: [PATCH 53/68] nix/os/devices: add relabel command After bytewise-copying from a prevoius disk, the partition labels and logical volume groupnames need to be renamed according to the new disk id. --- Justfile | 3 +++ nix/os/devices/default.nix | 3 ++- nix/os/devices/disk.nix | 47 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 189ef4c..8651c3d 100755 --- a/Justfile +++ b/Justfile @@ -94,6 +94,9 @@ hm-iterate-qtile: disk-prepare dir: just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy" +disk-relabel dir previous: + just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}} + # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: just -v _device diskMount {{dir}} --argstr rebuildarg "dummy" diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index b361188..932f730 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix 
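Review bot: The new `disk-relabel dir previous:` recipe has no leading `#` description, unlike its sibling `disk-mount`, whose comment just shows as recipe documentation; for a recipe that rewrites partition labels and volume-group names on a disk, the doc line is the only place an operator sees what `previous` means before running it. Suggested line above it: `# Rename partition labels and VG of the disk in 'dir' from the id 'previous' to the one in its hw.nix (after a byte-wise copy). DESTRUCTIVE.` The `{{previous}}` argument is interpolated unquoted into the `--argstr` call like the neighbouring `{{dir}}`, so the same operator-supplied-input caveat applies.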
@@ -5,6 +5,7 @@ , moreargs ? "" , diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId , gitRoot ? "$(git rev-parse --show-toplevel)" +, previousDiskId ? "" }: let @@ -35,5 +36,5 @@ let in { recipes = { inherit rebuild; - } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot; }); + } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot previousDiskId; }); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index 4490311..6b012d8 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -5,6 +5,7 @@ , moreargs , diskId , gitRoot +, previousDiskId ? "" }: let @@ -117,4 +118,50 @@ in rec { ${diskUmount} ''; + + diskRelabel = pkgs.writeScript "script" '' + #!/usr/bin/env bash + set -xe + + read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice + case "$choice" in + YES ) echo "Continuing in 3 seconds..."; sleep 3;; + n|N ) echo "Exiting..."; exit 0;; + * ) echo "Exiting..."; exit 1;; + esac + + sync + { + sudo fdisk ${ownLib.disk.bootGrubDevice diskId} < Date: Sat, 12 Jan 2019 22:27:07 +0100 Subject: [PATCH 54/68] nix/channels/nixos: add '/nixos' path suffix --- nix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/default.nix b/nix/default.nix index b2f3167..038994e 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -16,7 +16,7 @@ }; nix_path = builtins.foldl' (sum: elem: sum +":" + builtins.concatStringsSep "=" elem) "" [ [ "nixpkgs" (mkChannelSource "channelsNixosStable") ] - [ "nixos" (mkChannelSource "channelsNixosStable") ] + [ "nixos" (mkChannelSource "channelsNixosStable" + "/nixos") ] [ "channels-nixos-stable" (mkChannelSource "channelsNixosStable") ] [ "channels-nixos-unstable" (mkChannelSource "channelsNixosUnstable") ] ]; From 533dfa09dfd937997b3aa853abc5688a70dd7f0f Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Sat, 12 Jan 2019 22:29:59 +0100 Subject: [PATCH 55/68] nix/os/devices/disk: use sudo for mounting --- nix/os/devices/disk.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index 6b012d8..ff75d5b 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -16,14 +16,14 @@ in rec { #!/usr/bin/env bash set -xe echo Mounting ${diskId} - cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sleep 1 - vgchange -ay ${ownLib.disk.volumeGroup diskId} - mkdir -p /mnt - mkdir ${mntRootVol} - mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home - mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot + sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} + sudo mkdir -p /mnt + sudo mkdir ${mntRootVol} + sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} + sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; diskUmount = pkgs.writeScript "script" '' From 1876fb8f1de2c5d8235cded122bd5b2bdbd7e86b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 22:30:27 +0100 Subject: [PATCH 56/68] nix/os/devices/disk: unset $system before nixos-install This fixes the nixos-install error > error: selector 'x86_64-linux' matches no derivations which is due to $system being set and used by nixos-install. --- nix/os/devices/disk.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index ff75d5b..6684521 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
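Review bot: The `sleep 1` between `sudo cryptsetup luksOpen` and `sudo vgchange -ay` is a fixed delay standing in for "the mapper device exists"; on a slow or busy machine the node can appear later, and under `set -xe` the script then dies at `vgchange` with the LUKS container left open. `sudo udevadm settle` waits for the actual device events and is the usual replacement, i.e. swap `sleep 1` for `sudo udevadm settle`. A one-line comment such as `# wait for the device-mapper node before activating the VG` would explain why the wait is there at all.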
@@ -45,7 +45,11 @@ in rec { [[ -e "''${NIXOS_CONFIG}" ]] [[ -e "${mntRootVol}/nixos" ]] + sudo -E $SHELL < Date: Sat, 12 Jan 2019 22:32:44 +0100 Subject: [PATCH 57/68] nix/os/devicex/*work*: adapt diskId to new drive --- nix/os/devices/steveej-t480s-work/hw.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/os/devices/steveej-t480s-work/hw.nix b/nix/os/devices/steveej-t480s-work/hw.nix index 181fd30..a5ed9af 100644 --- a/nix/os/devices/steveej-t480s-work/hw.nix +++ b/nix/os/devices/steveej-t480s-work/hw.nix @@ -20,7 +20,7 @@ in # TASK: new device hardware.encryptedDisk = { enable = true; - diskId = "nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K827498"; + diskId = "nvme-Samsung_SSD_970_PRO_1TB_S462NF0K904663D"; }; # boot.initrd.availableKernelModules = stage1Modules; From ab5b5054dec652b010425deb43686a3fccbbbf71 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 22:34:08 +0100 Subject: [PATCH 58/68] Justfile: add a recipe to run cmds with NIX_PATH set --- Justfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Justfile b/Justfile index 8651c3d..c7e157e 100755 --- a/Justfile +++ b/Justfile @@ -175,3 +175,8 @@ verify-n-unlock sshserver attempts="10": _get_pass_entry path key: pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }' # jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:") + # +run-with-channels +cmds: + #/usr/bin/env bash + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + {{cmds}} From 677894c83353d8eb61202dff9182848130a3b29b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 23:38:27 +0100 Subject: [PATCH 59/68] nix/home/profiles/qtile: use textual widgets for mem and net --- nix/home-manager/profiles/qtile-desktop.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 15a5bd7..e1c31b3 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -203,9 +203,9 @@ for i in range(0, screens_count+1): widget.WindowName(), widget.Prompt(), widget.CPUGraph(), - widget.MemoryGraph(), - widget.NetGraph(bandwidth_type='down'), - widget.NetGraph(bandwidth_type='up'), + widget.Memory(), + widget.Net(interface='eth0'), + widget.Net(interface='wlan0'), widget.Clock(format='%Y-%m-%d %a %I:%M %p'), ] if i is 0: From 1c17911c9a90eddb32914191db5340afb7f0665d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 23:39:16 +0100 Subject: [PATCH 60/68] nix/os/profiles/graphical: disable predictable interface names --- nix/os/profiles/graphical/system.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index bfcd3e6..5a23113 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -14,6 +14,8 @@ "interface-name:*cni*" ]; }; + networking.usePredictableInterfaceNames = false; + services.resolved.enable = false; # hardware related services From 9b0fa9016cac08c2efc8d291b43da41147ca8fc1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 23:39:41 +0100 Subject: [PATCH 61/68] nix/os/devices/*sduusb3128g*: bump versions --- nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix b/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix index 52734ca..19d8582 100644 --- a/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix 
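Review bot: `widget.Net(interface='eth0')` and `widget.Net(interface='wlan0')` hard-code legacy interface names, which only exist because the next patch in this series sets `networking.usePredictableInterfaceNames = false;` for the graphical profile; the coupling is invisible from this file. A comment on the two lines, `# legacy names: relies on networking.usePredictableInterfaceNames = false in nix/os/profiles/graphical/system.nix`, would prevent the next person who re-enables predictable names from wondering why the bar shows nothing. On a host with more than one wired or wireless NIC the kernel probe order decides which one is `eth0`, so the widget may also silently report the wrong link.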
@@ -1,10 +1,10 @@ { channelsNixosStable = { ref = "nixos-18.09"; - rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a"; + rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12"; }; channelsNixosUnstable = { ref = "nixos-unstable"; - rev = "44b02b52ea6a49674f124f50009299f192ed78bb"; + rev = "eebd1a9263716a04689a37b6537e50801d376b5e"; }; } From de6a675cfb947b2b9defc676ec5e7503bee93b12 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sat, 12 Jan 2019 22:29:59 +0100 Subject: [PATCH 62/68] nix/os/devices/disk: use sudo for unmounting --- nix/os/devices/disk.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index 6684521..73796f7 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -29,10 +29,10 @@ in rec { diskUmount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe - umount -R ${mntRootVol} - rmdir ${mntRootVol} - vgchange -an ${ownLib.disk.volumeGroup diskId} - cryptsetup luksClose ${ownLib.disk.luksName diskId} + sudo umount -R ${mntRootVol} + sudo rmdir ${mntRootVol} + sudo vgchange -an ${ownLib.disk.volumeGroup diskId} + sudo cryptsetup luksClose ${ownLib.disk.luksName diskId} sync ''; From cdf22b27f9e550ff1f21eefbc767d17b9cca7186 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 16 Jan 2019 20:50:26 +0100 Subject: [PATCH 63/68] nix/home/config/graphic-full: add yubikey-manager and iptraf-ng --- nix/home-manager/configuration/graphical-fullblown.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index f3e9207..ecd1850 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -123,6 +123,7 @@ in { # Password Management gnupg + yubikey-manager yubikey-neo-manager yubikey-personalization yubikey-personalization-gui 
@@ -186,6 +187,7 @@ in { bind socat linssid + iptraf-ng # samba iptables From a07dfe6a5b2cdc4eb10dd114de8c3bbf2ba9af8f Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 16 Jan 2019 21:24:25 +0100 Subject: [PATCH 64/68] Add 1 git-crypt collaborator New collaborators: CB17E89B Stefan Junker --- ...6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg | Bin 469 -> 469 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg index fc0a49826633ec037d9a5ac8bc4b2f18f693618d..9587742f4afa5fabf0455247308b16f5f2413e3d 100644 GIT binary patch literal 469 zcmZo= zvSzbSj6EP4`f2I8D~W7ZOf=r7F=*VqdoDKd^fjGLe!Uf8vlT3+79VuyEbTg9Tr%-t zvs6Q_WGm`mKKK{jnAK2m$E8s`|`VNVshSd9DX_`u?uZ- z5IG7PnJ(?(&A}_6o{5|L0z_@Z>Lf^{Sfs z4b#3n+F-5E$hmjE+`96tLm$?EoflZnCugE@=>RjM&F$G6O{r8nq{po1GGdw z&hb$BV8(46zS+XzVsMnl63Jg0OCFhpUTl8;bk53oVR@?(?^hIW{UK0Nbvv( literal 469 zcmZo=AqEN zL2N0l(?1t$HT!E^F8+B-MJ)KkpNvB}d9h1xG+b;lYUSS{zEbO0bf8*U*19CC-A9Zz zpMCTFnzP|#rUbtww#Sdf@4lUoA1qUNQC>;DXa3v8TRJDVicJ)MGqa%itlqTNd0kHg z;@?hszEfhKi)&ALwxGn9;0WD}b4$#PH}2uBSm+=Ud4el0;z^|I%_`^ZCF@y!p3C^# zzBg&XyhW--6+aIC+nmOkaOi21y0q!1z}CWS%g~S`A5N{=ueG+8ce%{m#H@J%`*!7b zsb<{1fGqNf}D+C9A&jfTT6@mS9xb`6Jq|B#=V{SsFZ8f>gc>x1xCfJ zQ+#!7jm6j8cpiLC#GtTs?%rSfA7vjqXgowQg0g?n;}? g{E=<1pLC;*u{+D(dPk<6$4nLr{_K7b;JsoJ01!#xWdHyG From 180ad60b2574b7d03dc7011c4a502ac13bacf0e1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 16 Jan 2019 22:18:17 +0100 Subject: [PATCH 65/68] nix/vars/keys: add new ssh keys --- nix/variables/keys.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix index 92cbb88..8eb8229 100644 --- a/nix/variables/keys.nix +++ b/nix/variables/keys.nix 
@@ -2,8 +2,12 @@ users = { steveej = { openssh = [ + # active, current + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" + + # active but deprecated "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnrvnvECGpBU4OXK7m7oJOOu7aJzAxOQyvEWhkRBEEyme8/eIiTJMi99wX5kKMWtpbUvinIyZ37VIrnVZv0bJ3WpJQJQkrqAkV1Bs3m5dE7AGIH0BrxgLXHuNxkW3BwmAaqUOq21r4MaYVu2xF38xwKrrk57nQkNjuZ2eiv7XyHaDn+n352jULJzcIXVKyJExhsiGomrwEXq/cmmD+s6M3yUp559fw4cQTdg6iaK76gUAFukL35HCWN3sFKPVEC/yxvfKUIhVsKuwjHfvsSxJgSjcS5yXEtJOB1RhlJ3dLfSyJzuY/AHSqSpMwUSCksMn4xTUKHLGD4wJJI8tRHbsp cardno:000605247559" ]; }; }; From 714a310e72c13dd7acc51c2a90a42268afc0ffa5 Mon Sep 17 00:00:00 2001 
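Review bot: The two entries added under `# active, current` carry byte-identical key blobs and differ only in the `cardno:` comment (000608695695 vs 000605247559), so they authorize the same key twice. If one key pair was deliberately loaded onto two smartcards as a backup, a single entry with a comment naming both cards, e.g. `# one key, present on cards 000608695695 (primary) and 000605247559 (backup)`, keeps the inventory honest; if two distinct keys were intended, the second line is a copy-paste and the real key is missing. The key kept under `# active but deprecated` remains fully authorized, so the comment should state the condition or date for removing it, otherwise "deprecated" has no effect on what can log in.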
From: Stefan Junker Date: Thu, 17 Jan 2019 22:27:55 +0100 Subject: [PATCH 66/68] nix/os/devices/steveej-t480s-work: bump versions --- nix/os/devices/steveej-t480s-work/versions.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nix/os/devices/steveej-t480s-work/versions.nix b/nix/os/devices/steveej-t480s-work/versions.nix index 19d8582..027884a 100644 --- a/nix/os/devices/steveej-t480s-work/versions.nix +++ b/nix/os/devices/steveej-t480s-work/versions.nix @@ -1,10 +1,10 @@ { channelsNixosStable = { ref = "nixos-18.09"; - rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12"; + rev = "97e0d53d669cd07f0750a42fd535524b3cdd46d1"; }; channelsNixosUnstable = { ref = "nixos-unstable"; - rev = "eebd1a9263716a04689a37b6537e50801d376b5e"; + rev = "be445a9074f139d63e704fa82610d25456562c3d"; }; } From 7ab7c8be30f1037034ab2fe20639b3b300108457 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 17 Jan 2019 22:35:19 +0100 Subject: [PATCH 67/68] nix: add semi-automatic update process --- Justfile | 31 ++++++++++++++----- .../steveej-t480s-work/versions.tmpl.nix | 10 ++++++ shell.nix | 2 ++ 3 files changed, 36 insertions(+), 7 deletions(-) create mode 100644 nix/os/devices/steveej-t480s-work/versions.tmpl.nix diff --git a/Justfile b/Justfile index c7e157e..a70e622 100755 --- a/Justfile +++ b/Justfile 
@@ -68,15 +68,32 @@ rebuild-this-device rebuildarg="dry-activate": # --argstr moreargs "\'-I nixos-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz\'" -# Update nix-channels and switch to updated NixOS and home environments -update-this-device: +# Update the channel versions and (by default) switch to new environment +update-this-device rebuild-mode='switch': #!/usr/bin/env bash - set -e - export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log + set -xe - echo Updating system channels... - sudo nix-channel --update - just -v rebuild-this-device switch + template=nix/os/devices/$(hostname -s)/versions.tmpl.nix + outfile=nix/os/devices/$(hostname -s)/versions.nix + + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi + + export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log + just -v rebuild-this-device dry-activate || { + echo ERROR: Update failed, reverting ${outfile}... + git checkout ${outfile} + exit 1 + } + + git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions" + + just -v rebuild-this-device {{rebuild-mode}} || { + echo WARNING: Rebuilding in {{rebuild-mode}}-mode failed + } # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: diff --git a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix new file mode 100644 index 0000000..655e1b1 --- /dev/null +++ b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix @@ -0,0 +1,10 @@ +{ + channelsNixosStable = { + ref = "nixos-18.09"; + rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-18.09 | awk '{ print $1 }' | tr -d '\n' -%>"; + }; + channelsNixosUnstable = { + ref = "nixos-unstable"; + rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>"; + }; +} diff --git a/shell.nix b/shell.nix index 1c73ef9..d83e92f 100644 
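Review bot: `git commit -v ${outfile} -m ...` records new nixpkgs revisions after only a `dry-activate`, and nothing in the recipe shows the operator which commits the pin moved to; since the `rev` values are the supply-chain pin for every later rebuild, printing the change before acting on it is cheap: insert `git --no-pager diff ${outfile}` right after the `Already on latest versions` check. The later `|| { echo WARNING: ... }` keeps the commit even when the real `{{rebuild-mode}}` rebuild fails, which appears intentional, but a comment saying so (`# versions.nix is committed after a successful dry-activate; a failed switch is only reported`) would stop a reader from filing it as a bug. The `-v` on `git commit` has no effect together with `-m` and can be dropped.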
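Review bot: `git ls-remote <url> nixos-18.09` matches any ref whose name ends in that pattern (heads, tags and remotes alike), and when more than one matches, `awk '{ print $1 }' | tr -d '\n'` concatenates the hashes into one invalid `rev` that only fails later at fetch time. Ask for the fully-qualified ref and take one line: `rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels refs/heads/nixos-18.09 | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";`, and the same for `nixos-unstable` in the second block. A failed `ls-remote` (no network) leaves an empty `rev` in the rendered file; the `git diff` check in the Justfile recipe would then commit that unless the dry-activate catches it, which I cannot confirm from here.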
--- a/shell.nix +++ b/shell.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation { vncdo tesseract imagemagick + + esh ]; # Set Environment Variables From a18c5cddb35b27c76b302c6b54abafd44b5b2619 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 17 Jan 2019 22:43:11 +0100 Subject: [PATCH 68/68] fixup! Justfile: add a recipe to run cmds with NIX_PATH set --- Justfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index a70e622..8e8aac4 100755 --- a/Justfile +++ b/Justfile @@ -192,8 +192,8 @@ verify-n-unlock sshserver attempts="10": _get_pass_entry path key: pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }' # jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:") - # + run-with-channels +cmds: - #/usr/bin/env bash + #!/usr/bin/env bash source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) {{cmds}}