steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'staging' into 'master'

Browse source 
Periodic merge of staging to master

See merge request steveeJ/infra!8
This commit is contained in:
steveej 2019-01-18 10:53:52 +00:00
commit 5fb1df2b53
44 changed files with 1019 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
View file

Binary file not shown.

1
.gitignore vendored
View file

@ -1,3 +1,4 @@
*.swp *.swp
*.qcow2 *.qcow2
.*.log .*.log
.env

10
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,10 @@
stages:
- build
build:
stage: build
tags:
- nix
script:
# Test the nix-shell
- nix-shell --run "echo OK"

120
Justfile
View file

@ -1,14 +1,19 @@
_usage: _usage:
just -l just -l
_device action dir +moreargs="": _get_nix_path versionsPath:
echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}} --argstr rebuildarg "dummy")
_device recipe dir +moreargs="":
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
sudo $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A {{action}} --argstr dir {{dir}} {{moreargs}}) source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
$(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})
_render_templates: _render_templates:
#!/usr/bin/env bash #!/usr/bin/env bash
set -ex set -ex
source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
@ -16,6 +21,11 @@ _rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
set -ex set -ex
just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}} just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}
rebuild-remote-device dir target rebuildarg="dry-activate" :
#!/usr/bin/env bash
set -ex
just -v _rebuild-device {{dir}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"
# Rebulid this device's NixOS # Rebulid this device's NixOS
rebuild-this-device rebuildarg="dry-activate": rebuild-this-device rebuildarg="dry-activate":
#!/usr/bin/env bash #!/usr/bin/env bash
@ -45,6 +55,7 @@ rebuild-this-device rebuildarg="dry-activate":
if type home-manager > /dev/null 2>&1; then if type home-manager > /dev/null 2>&1; then
echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode... echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode...
source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix)
if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then
echo Home rebuild successful echo Home rebuild successful
else else
@ -57,16 +68,34 @@ rebuild-this-device rebuildarg="dry-activate":
# --argstr moreargs "\'-I nixos-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz\'" # --argstr moreargs "\'-I nixos-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz\'"
# Update nix-channels and switch to updated NixOS and home environments # Update the channel versions and (by default) switch to new environment
update-this-device: update-this-device rebuild-mode='switch':
#!/usr/bin/env bash #!/usr/bin/env bash
set -e set -xe
template=nix/os/devices/$(hostname -s)/versions.tmpl.nix
outfile=nix/os/devices/$(hostname -s)/versions.nix
esh -o ${outfile} ${template}
if ! test "$(git diff ${outfile})"; then
echo Already on latest versions
exit 0
fi
export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
just -v rebuild-this-device dry-activate || {
echo ERROR: Update failed, reverting ${outfile}...
git checkout ${outfile}
exit 1
}
echo Updating system channels... git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions"
sudo nix-channel --update
just -v rebuild-this-device switch
just -v rebuild-this-device {{rebuild-mode}} || {
echo WARNING: Rebuilding in {{rebuild-mode}}-mode failed
}
# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
hm-iterate-qtile: hm-iterate-qtile:
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
@ -82,6 +111,9 @@ hm-iterate-qtile:
disk-prepare dir: disk-prepare dir:
just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy" just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy"
disk-relabel dir previous:
just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}}
# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir: disk-mount dir:
just -v _device diskMount {{dir}} --argstr rebuildarg "dummy" just -v _device diskMount {{dir}} --argstr rebuildarg "dummy"
@ -93,3 +125,75 @@ disk-umount dir:
# Perform an offline installation on the mounted target disk, specified by device configuration directory # Perform an offline installation on the mounted target disk, specified by device configuration directory
disk-install dir: _render_templates disk-install dir: _render_templates
just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy" just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy"
verify-n-unlock sshserver attempts="10":
#!/usr/bin/env bash
set -e
: ${VNCSOCK:?VNCSOCK must be set}
: ${VNCPW:?VNCPW must be set}
export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
export TESS_ARGS="-c debug_file=/dev/null --psm 4"
function send() {
local what="${1:?need something to send}"
ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
}
function expect() {
local what="${1:?need something to expect}"
vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
tesseract ${TESS_ARGS} screenshot.tiff screenshot
grep --quiet "${what}" screenshot.txt
}
function send_and_expect() {
local send="${1:?need something to send}"
local expect="${2:?need something to expect}"
if ! send "${send}"; then
echo warning: cannot send > /dev/stderr
return -1
fi
expect "${expect}"
}
trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT
for i in `seq 1 {{attempts}}`; do
echo Attempt $i...
expect="$(pwgen -0 12)"
send="'\0033\0143'${expect}"
if send_and_expect "${send}" "${expect}"; then
pipe=$(mktemp -u)
mkfifo ${pipe}
exec 3<>${pipe}
rm ${pipe}
echo Verification succeeded at attempt $i. Unlocking remote drive...
ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
eval ${GETPW} | head -n1 >&3
for j in `seq 1 120`; do
sleep 0.5
if expect '— success'; then
echo Unlock successful.
exit 0
fi
done
echo Unlock failed...
exit 1
fi
done
echo Verification failed {{attempts}} times. Giving up...
exit 1
_get_pass_entry path key:
pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }'
# jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:")
run-with-channels +cmds:
#!/usr/bin/env bash
source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
{{cmds}}

0
_archive/container-images/build.sh → nix/container-images/build.sh
View file

0
_archive/container-images/default.nix → nix/container-images/default.nix
View file

26
nix/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ versionsPath }:
{
channelSources =
let
# channelVersions = (import ((builtins.getEnv "PWD")+"/${dir}/versions.nix"));
channelVersions = (import versionsPath);
mkChannelSource = channel: builtins.fetchGit {
# Descriptive name to make the store path easier to identify
url = "https://github.com/NixOS/nixpkgs-channels/";
# Commit hash for nixos-unstable as of 2018-09-12
# `git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable`
ref = (builtins.getAttr channel channelVersions)."ref";
rev = (builtins.getAttr channel channelVersions)."rev";
name = "nixpkgs-channels-${channel}";
};
nix_path = builtins.foldl' (sum: elem: sum +":" + builtins.concatStringsSep "=" elem) "" [
[ "nixpkgs" (mkChannelSource "channelsNixosStable") ]
[ "nixos" (mkChannelSource "channelsNixosStable" + "/nixos") ]
[ "channels-nixos-stable" (mkChannelSource "channelsNixosStable") ]
[ "channels-nixos-unstable" (mkChannelSource "channelsNixosUnstable") ]
];
in (import (mkChannelSource "channelsNixosStable") {}).writeText "channels.rc" ''
export NIX_PATH=${nix_path}
'';
}

57
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -4,7 +4,7 @@
let let
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {}; # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
unstablepkgs = import <nixos-unstable> { config = config.nixpkgs.config; }; unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
in { in {
imports = [ imports = [
@ -27,9 +27,11 @@ in {
gnutls = true; gnutls = true;
}; };
android_sdk.accept_license = true;
packageOverrides = pkgs: with pkgs; { packageOverrides = pkgs: with pkgs; {
myPython36 = python36Full.withPackages (ps: with ps; [ myPython36 = python36Full.withPackages (ps: with ps; [
pylint pep8 yapf flake8 pep8 yapf flake8
# autopep8 (broken) # autopep8 (broken)
# pylint (broken) # pylint (broken)
ipython ipython
@ -92,6 +94,7 @@ in {
unstablepkgs.pijul unstablepkgs.pijul
gitless gitless
gitRepo gitRepo
git-lfs
# Cloud/Remote System Management # Cloud/Remote System Management
google-cloud-sdk google-cloud-sdk
@ -120,19 +123,13 @@ in {
# Password Management # Password Management
gnupg gnupg
yubikey-manager
yubikey-neo-manager yubikey-neo-manager
yubikey-personalization yubikey-personalization
yubikey-personalization-gui yubikey-personalization-gui
gnome3.gnome_keyring gnome3.gnome_keyring
gnome3.seahorse gnome3.seahorse
# Security
tpm-tools
tpmmanager
# Web Browsers
links2
# Language Support # Language Support
hunspellDicts.en-us hunspellDicts.en-us
hunspellDicts.de-de hunspellDicts.de-de
@ -142,7 +139,7 @@ in {
hexchat hexchat
aspellDicts.en aspellDicts.en
aspellDicts.de aspellDicts.de
unstablepkgs.skype skype
zoom-us zoom-us
unstablepkgs.bluejeans-gui unstablepkgs.bluejeans-gui
thunderbird thunderbird
@ -152,10 +149,10 @@ in {
# Virtualization # Virtualization
virtmanager virtmanager
qemu (pkgs.lib.hiPrio qemu)
# virtualbox # virtualbox
vagrant vagrant
unstablepkgs.rkt rkt
python27Packages.docker_compose python27Packages.docker_compose
# unstablepkgs.kubernetes # unstablepkgs.kubernetes
unstablepkgs.minikube unstablepkgs.minikube
@ -189,6 +186,8 @@ in {
iperf iperf
bind bind
socat socat
linssid
iptraf-ng
# samba # samba
iptables iptables
@ -230,12 +229,12 @@ in {
# Modelling Tools # Modelling Tools
plantuml # plantuml
umlet # umlet
staruml staruml
eclipses.eclipse-modeling # eclipses.eclipse-modeling
dia # dia
astah-community # astah-community
# Misc Development Tools # Misc Development Tools
qrcode qrcode
@ -293,12 +292,13 @@ in {
# s3ql # s3ql
# rclone # rclone
rsync rsync
duplicacy
# Filesystem Tools # Filesystem Tools
ntfs3g ntfs3g
ddrescue ddrescue
ncdu ncdu
unstablepkgs.woeusb woeusb
unetbootin unetbootin
pcmanfm pcmanfm
hdparm hdparm
@ -328,11 +328,11 @@ in {
androidsdk androidsdk
## Java ## Java
jre # jre
openjdk # openjdk
## Ruby ## Ruby
ruby # ruby
## Python ## Python
myPython36 myPython36
@ -342,8 +342,6 @@ in {
nodejs-8_x nodejs-8_x
npm2nix npm2nix
emscripten emscripten
etcd
sigal
# Code generators # Code generators
unstablepkgs.swagger-codegen unstablepkgs.swagger-codegen
@ -352,7 +350,6 @@ in {
ltunify ltunify
solaar solaar
dex dex
roxterm
# kitty # kitty
busyboxStatic busyboxStatic
xorg.xbacklight xorg.xbacklight
@ -367,14 +364,14 @@ in {
glib.dev # contains gdbus tool glib.dev # contains gdbus tool
# Screen recording # Screen recording
gtk-recordmydesktop # can't select the window # gtk-recordmydesktop # can't select the window
qt-recordmydesktop # qt-recordmydesktop
vokoscreen # vokoscreen
shutter # shutter
# kazam # doesn't start # kazam # doesn't start
# xvidcap # doesn't keep the recording rectangle # xvidcap # doesn't keep the recording rectangle
obs-studio obs-studio
shotcut # shotcut
openshot-qt # openshot-qt
]); ]);
} }

11
nix/home-manager/configuration/graphical-removable.nix
View file

@ -3,7 +3,8 @@
... }: ... }:
let let
unstablepkgs = import <nixos-unstable> { config = config.nixpkgs.config; }; unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs.config; };
in { in {
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
@ -25,6 +26,8 @@ in {
gnutls = true; gnutls = true;
}; };
android_sdk.accept_license = true;
packageOverrides = pkgs: with pkgs; { packageOverrides = pkgs: with pkgs; {
myPython36 = python36Full.withPackages (ps: with ps; [ myPython36 = python36Full.withPackages (ps: with ps; [
pylint pep8 yapf flake8 pylint pep8 yapf flake8
@ -52,9 +55,6 @@ in {
}; };
}; };
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
# unstablepkgs = import <nixos-unstable> { config = { allowUnfree = true; }; };
home.sessionVariables = { home.sessionVariables = {
}; };
@ -147,5 +147,8 @@ in {
myPython36 myPython36
busyboxStatic busyboxStatic
# Virtualization
virtmanager
]); ]);
} }

1
nix/home-manager/configuration/text-minimal.txt
View file

@ -22,5 +22,6 @@ in {
home.packages = [] home.packages = []
++ (with pkgs; [ ++ (with pkgs; [
iperf3
]); ]);
} }

1
nix/home-manager/profiles/common.nix
View file

@ -27,6 +27,7 @@ in {
}; };
just = pkgs.callPackage ../../pkgs/just.nix {}; just = pkgs.callPackage ../../pkgs/just.nix {};
duplicacy = pkgs.callPackage ../../pkgs/duplicacy {};
}; };
}; };

6
nix/home-manager/profiles/nix-channels.nix
View file

@ -6,14 +6,16 @@
let let
in { in {
home.file.".nix-channels".text = '' home.file.".nix-channels".text = ''
https://nixos.org/channels/nixos-18.09 nixos
https://nixos.org/channels/nixos-unstable nixos-unstable
''; '';
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
set -ex set -ex
if test -f $HOME/.nix-channels; then if test -f $HOME/.nix-channels; then
echo Uninstalling available channels...
while read url channel; do
nix-channel --remove $channel
done < $HOME/.nix-channel
echo Moving existing file away... echo Moving existing file away...
touch $HOME/.nix-channels.dummy touch $HOME/.nix-channels.dummy
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels

14
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -13,7 +13,7 @@ let
pulseaudio findutils gnugrep pulseaudio findutils gnugrep
]}:$PATH ]}:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}./.qtilemute export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
case $1 in case $1 in
mute) mute)
newstate=$(( $(cat $MUTEFILE || echo 0 ) ^ 1 )) newstate=$(( $(cat $MUTEFILE || echo 0 ) ^ 1 ))
@ -203,9 +203,9 @@ for i in range(0, screens_count+1):
widget.WindowName(), widget.WindowName(),
widget.Prompt(), widget.Prompt(),
widget.CPUGraph(), widget.CPUGraph(),
widget.MemoryGraph(), widget.Memory(),
widget.NetGraph(bandwidth_type='down'), widget.Net(interface='eth0'),
widget.NetGraph(bandwidth_type='up'), widget.Net(interface='wlan0'),
widget.Clock(format='%Y-%m-%d %a %I:%M %p'), widget.Clock(format='%Y-%m-%d %a %I:%M %p'),
] ]
if i is 0: if i is 0:
@ -282,6 +282,12 @@ in {
${pkgs.autorandr}/bin/autorandr -c ${pkgs.autorandr}/bin/autorandr -c
${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png
''; '';
pointerCursor = {
name = "Vanilla-DMZ-AA";
package = pkgs.vanilla-dmz;
size = 32;
};
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [

6
nix/home-manager/programs/firefox.nix
View file

@ -1,5 +1,5 @@
{ { pkgs
... , ...
}: }:
{ {
@ -15,5 +15,7 @@
"firefox" "firefox"
]; ];
}; };
home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
} }

15
nix/home-manager/programs/neovim.nix
View file

@ -3,7 +3,7 @@
}: }:
let let
unstablepkgs = import <nixos-unstable> {}; unstablepkgs = import <channels-nixos-unstable> {};
in { in {
home.sessionVariables = { home.sessionVariables = {
@ -54,6 +54,17 @@ in {
buildInputs = [ zip vim ]; buildInputs = [ zip vim ];
}; };
vim-yaml = vimUtils.buildVimPlugin {
name = "vim-yaml";
src = fetchFromGitHub {
owner = "stephpy";
repo = "vim-yaml";
rev = "e97e063b16eba4e593d620676a0a15fa98613979";
sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk";
};
};
vim-markdown-toc = vimUtils.buildVimPlugin { vim-markdown-toc = vimUtils.buildVimPlugin {
name = "vim-markdown-toc"; name = "vim-markdown-toc";
src = fetchFromGitHub { src = fetchFromGitHub {
@ -88,6 +99,7 @@ in {
default = [ default = [
"delimitMate" "delimitMate"
"vim-airline" "vim-airline"
"vim-airline-themes"
"ctrlp" "ctrlp"
"vim-css-color" "vim-css-color"
"rainbow_parentheses" "rainbow_parentheses"
@ -123,6 +135,7 @@ in {
# YAML # YAML
"yaml-folds" "yaml-folds"
"vim-yaml"
# Perl # Perl
# "vim-perl" # "vim-perl"

9
nix/home-manager/programs/neovim/vimrc
View file

@ -53,14 +53,18 @@ let g:ctrlp_custom_ignore = {
"let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
"let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'
" allways show status line " always show status line
set ls=2 set ls=2
" let g:airline#extensions#tabline#formatter = 'default'
" let g:airline#extensions#tabline#enabled=1
let g:airline_theme='papercolor'
set tabstop=4 set tabstop=4
set shiftwidth=4 set shiftwidth=4
set softtabstop=4 set softtabstop=4
set expandtab set expandtab
"set textwidth=80 "set textwidth=80
set backspace=indent,eol,start set backspace=indent,eol,start
set wildignore+=*/site/*,*.so,*.swp,*.zip set wildignore+=*/site/*,*.so,*.swp,*.zip
@ -111,6 +115,7 @@ au Syntax * RainbowParenthesesLoadBraces
" } " }
set t_ut= set t_ut=
set background=light
colorscheme PaperColor colorscheme PaperColor
" Python {{{ " Python {{{
@ -124,7 +129,7 @@ augroup END
" YAML {{{ " YAML {{{
augroup ft_yaml augroup ft_yaml
au! au!
setlocal autoindent sw=2 et tabstop=2 shiftwidth=2 softtabstop=2 setlocal tabstop=2 shiftwidth=2 softtabstop=2 expandtab
augroup END augroup END
" }}} " }}}

5
nix/home-manager/programs/zsh.nix
View file

@ -4,6 +4,9 @@
}: }:
let let
channelSources = (import ../../default.nix {
versionsPath = ../../variables/versions.nix;
}).channelSources;
in { in {
programs.zsh = { programs.zsh = {
enable = true; enable = true;
@ -34,6 +37,8 @@ in {
# don't cd into directories when executed # don't cd into directories when executed
unsetopt AUTO_CD unsetopt AUTO_CD
source ${channelSources}
''; '';
sessionVariables = { sessionVariables = {

8
nix/os/devices/CFB4ED74/boot.nix Normal file
View file

@ -0,0 +1,8 @@
{ lib
, ...
}:
{
boot.loader.grub.efiSupport = lib.mkForce false;
boot.extraModulePackages = [ ];
}

16
nix/os/devices/CFB4ED74/configuration.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
disabledModules = [
"services/continuous-integration/gitlab-runner.nix"
];
imports = [
../../profiles/common/configuration.nix
../../modules/encryptedDisk.nix
../../modules/gitlab-runner.nix
./system.nix
./hw.nix
./pkg.nix
];
}

30
nix/os/devices/CFB4ED74/hw.nix Normal file
View file

@ -0,0 +1,30 @@
{ ... }:
let
stage1Modules = [
"aesni_intel"
"kvm-intel"
"aes_x86_64"
"virtio_balloon"
"virtio_scsi"
"virtio_net"
"virtio_pci"
"virtio_ring"
"virtio"
"scsi_mod"
];
in
{
# TASK: new device
hardware.encryptedDisk = {
enable = true;
diskId = "scsi-0QEMU_QEMU_HARDDISK_drive-scsi0";
};
boot.initrd.availableKernelModules = stage1Modules;
boot.initrd.kernelModules = stage1Modules;
boot.extraModprobeConfig = ''
'';
}

58
nix/os/devices/CFB4ED74/pkg.nix Normal file
View file

@ -0,0 +1,58 @@
{ config
, pkgs
, lib
, ...
}:
{
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.txt;
services.syncthing = {
enable = true;
openDefaultPorts = true;
};
services.hydra = {
enable = true;
hydraURL = "http://localhost:3000"; # externally visible URL
notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
buildMachinesFiles = [];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
};
nix.buildMachines = [
{ hostName = "localhost";
system = "x86_64-linux";
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
maxJobs = 4;
}
];
services.gitlab-runner = {
enable = true;
packages = with pkgs; [
bash
gitlab-runner
nix
gitFull
git-crypt
];
configFile = let
nixRunnerToken = "/etc/secrets/gitlab-runner/nix-runner.token";
in pkgs.writeText "config.toml" ''
concurrent = 2
check_interval = 0
[[runners]]
name = "nix-runner"
url = "https://gitlab.com"
token = "<% sed -z 's/[\n\s]//g' ${nixRunnerToken} %>"
executor = "shell"
shell = "bash"
[runners.cache]
'';
};
}

60
nix/os/devices/CFB4ED74/system.nix Normal file
View file

@ -0,0 +1,60 @@
{ pkgs
, lib
, config
, ... }:
let
keys = import ../../../variables/keys.nix;
in {
# TASK: new device
networking.hostName = "contabo1"; # Define your hostname.
networking.domain = "bootstrap.clusters.stefanjunker.de";
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
5201
];
networking.useDHCP = true;
networking.usePredictableInterfaceNames = false;
networking.interfaces.eth0 = {
ipv6.addresses = [
{ address = "2a02:c207:3003:2387::1"; prefixLength = 64; }
];
};
networking.defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
# Kubernetes
# services.kubernetes.roles = ["master" "node"];
# virtualization
virtualisation = {
docker.enable = true;
};
services.spice-vdagentd.enable = true;
services.qemuGuest.enable = true;
boot.initrd.network = {
enable = true;
udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];
ssh = {
enable = true;
authorizedKeys = keys.users.steveej.openssh;
};
};
boot.initrd.postMountCommands = ''
for iface in $(cd /sys/class/net && ls); do
echo "Bringing down $iface..."
ip address flush dev $iface
ip link set $iface down
done
'';
}

10
nix/os/devices/CFB4ED74/versions.nix Normal file
View file

@ -0,0 +1,10 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
};
}

124
nix/os/devices/default.nix
View file

@ -1,16 +1,15 @@
{ pkgs ? import <nixpkgs> {} { pkgs ? import <channels-nixos-stable> {}
, ownLib ? import ../lib/default.nix { } , ownLib ? import ../lib/default.nix { }
, dir , dir
, rebuildarg , rebuildarg
, moreargs ? "" , moreargs ? ""
, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId , diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId
, gitRoot ? "$(git rev-parse --show-toplevel)" , gitRoot ? "$(git rev-parse --show-toplevel)"
, previousDiskId ? ""
}: }:
let let
mntRootVol="/mnt/${diskId}-root"; rebuildargsSudo = [ "switch" "boot" ];
in rec {
rebuild = pkgs.writeScript "script" '' rebuild = pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
@ -20,115 +19,22 @@ in rec {
[[ -e "''${NIXOS_CONFIG}" ]] [[ -e "''${NIXOS_CONFIG}" ]]
nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ${if (builtins.elem rebuildarg rebuildargsSudo)
&& builtins.match ".*--target-host.*" moreargs == null
then
"sudo -E \\"
else
""
}
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
if test -L result; then if test -L result; then
rm result rm result
fi fi
''; '';
diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
echo Mounting ${diskId}
cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
vgchange -ay ${ownLib.disk.volumeGroup diskId}
mkdir -p /mnt
mkdir ${mntRootVol}
mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
'';
diskUmount = pkgs.writeScript "script" '' in {
#!/usr/bin/env bash recipes = {
set -xe inherit rebuild;
umount -R ${mntRootVol} } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot previousDiskId; });
rmdir ${mntRootVol}
vgchange -an ${ownLib.disk.volumeGroup diskId}
cryptsetup luksClose ${ownLib.disk.luksName diskId}
sync
'';
diskInstall = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
pushd ${gitRoot}/${dir}
export NIXOS_CONFIG="$PWD"/configuration.nix
[[ -e "''${NIXOS_CONFIG}" ]]
[[ -e "${mntRootVol}/nixos" ]]
nixos-install --max-jobs 5 --cores 4 --no-root-passwd --root ${mntRootVol}/nixos
'';
diskPrepare = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
* ) echo "Exiting..."; exit 1;;
esac
# Partition
sync
{
fdisk -w always -W always ${ownLib.disk.bootGrubDevice diskId} <<EOF
g
n
1
+1M
n
2
+512M
n
3
t
1
4
x
n
2
2-${diskId}
n
3
3-${diskId}
r
w
EOF
} || {
sync
partprobe ${ownLib.disk.bootGrubDevice diskId}
}
# Encrypt
cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
# LVM
vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId}
lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
# Filesystem
mkfs.vfat -F32 ${ownLib.disk.bootFsDevice diskId}
mkfs.btrfs ${ownLib.disk.rootFsDevice diskId}
mkswap ${ownLib.disk.swapFsDevice diskId}
# Subvolume and FS hierharchy
mkdir -p /mnt
mkdir ${mntRootVol}
mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
btrfs subvolume create ${mntRootVol}/nixos
btrfs subvolume create ${mntRootVol}/home
mkdir ${mntRootVol}/nixos/{boot,home}
${diskUmount}
'';
} }

171
nix/os/devices/disk.nix Normal file
View file

@ -0,0 +1,171 @@
{ pkgs
, ownLib
, dir
, rebuildarg
, moreargs
, diskId
, gitRoot
, previousDiskId ? ""
}:
let
mntRootVol="/mnt/${diskId}-root";
in rec {
diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
echo Mounting ${diskId}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt
sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
'';
diskUmount = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
sudo umount -R ${mntRootVol}
sudo rmdir ${mntRootVol}
sudo vgchange -an ${ownLib.disk.volumeGroup diskId}
sudo cryptsetup luksClose ${ownLib.disk.luksName diskId}
sync
'';
diskInstall = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
pushd ${gitRoot}/${dir}
export NIXOS_CONFIG="$PWD"/configuration.nix
[[ -e "''${NIXOS_CONFIG}" ]]
[[ -e "${mntRootVol}/nixos" ]]
sudo -E $SHELL <<EOF
# 'having $system set breaks nixos-install'
unset system
nixos-install --max-jobs 5 --cores 4 --no-root-passwd --root ${mntRootVol}/nixos
EOF
'';
diskPrepare = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
* ) echo "Exiting..."; exit 1;;
esac
# Partition
sync
{
fdisk -w always -W always ${ownLib.disk.bootGrubDevice diskId} <<EOF
g
n
1
+1M
n
2
+512M
n
3
t
1
4
x
n
2
2-${diskId}
n
3
3-${diskId}
r
w
EOF
} || {
sync
partprobe ${ownLib.disk.bootGrubDevice diskId}
}
# Encrypt
cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
# LVM
vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.luksPhysicalVolume diskId}
lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
# Filesystem
mkfs.vfat -F32 ${ownLib.disk.bootFsDevice diskId}
mkfs.btrfs ${ownLib.disk.rootFsDevice diskId}
mkswap ${ownLib.disk.swapFsDevice diskId}
# Subvolume and FS hierharchy
mkdir -p /mnt
mkdir ${mntRootVol}
mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
btrfs subvolume create ${mntRootVol}/nixos
btrfs subvolume create ${mntRootVol}/home
mkdir ${mntRootVol}/nixos/{boot,home}
${diskUmount}
'';
diskRelabel = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
* ) echo "Exiting..."; exit 1;;
esac
sync
{
sudo fdisk ${ownLib.disk.bootGrubDevice diskId} <<EOF
x
n
2
2-${diskId}
n
3
3-${diskId}
r
i
2
i
3
w
EOF
} || {
sync
sudo partprobe ${ownLib.disk.bootGrubDevice diskId}
}
if test "${previousDiskId}"; then
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sync
sleep 1
if sudo vgs ${previousDiskId}; then
sudo vgrename ${previousDiskId} ${diskId}
sudo vgscan
fi
fi
sudo cryptsetup close ${ownLib.disk.luksName diskId}
'';
}

16
nix/os/devices/hydra.json Normal file
View file

@ -0,0 +1,16 @@
{
"enabled": 1,
"hidden": false,
"description": "Jobsets",
"nixexprinput": "src",
"nixexprpath": "default.nix",
"checkinterval": 300,
"schedulingshares": 100,
"enableemail": false,
"emailoverride": "",
"keepnr": 3,
"inputs": {
"src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false },
"nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false }
}
}

2
nix/os/devices/steveej-laptop/system.nix
View file

@ -5,7 +5,7 @@
}: }:
let let
unstablepkgs = import <nixos-unstable> { config = config.nixpkgs; }; unstablepkgs = import <channels-nixos-unstable> { config = config.nixpkgs; };
in { in {
# The NixOS release to be compatible with for stateful data such as databases. # The NixOS release to be compatible with for stateful data such as databases.

10
nix/os/devices/steveej-laptop/versions.nix Normal file
View file

@ -0,0 +1,10 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
};
}

10
nix/os/devices/steveej-rmvbl-sduusb3128g/versions.nix Normal file
View file

@ -0,0 +1,10 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "c2950341d038995bf46a7b72db961bb3d3e9ac12";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "eebd1a9263716a04689a37b6537e50801d376b5e";
};
}

6
nix/os/devices/steveej-t480s-work/configuration.nix
View file

@ -1,7 +1,13 @@
{ ... }: { ... }:
{ {
disabledModules = [
"system/boot/initrd-network.nix"
];
imports = [ imports = [
../../modules/initrd-network.nix
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix
../../modules/encryptedDisk.nix ../../modules/encryptedDisk.nix

10
nix/os/devices/steveej-t480s-work/hw.nix
View file

@ -7,6 +7,12 @@ let
"aes_x86_64" "aes_x86_64"
"nvme" "nvme"
"nvme_core" "nvme_core"
"pcieport"
"thunderbolt"
"e1000e"
"xhci_pci"
"hxci_hcd"
]; ];
in in
@ -14,7 +20,7 @@ in
# TASK: new device # TASK: new device
hardware.encryptedDisk = { hardware.encryptedDisk = {
enable = true; enable = true;
diskId = "nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K827498"; diskId = "nvme-Samsung_SSD_970_PRO_1TB_S462NF0K904663D";
}; };
# boot.initrd.availableKernelModules = stage1Modules; # boot.initrd.availableKernelModules = stage1Modules;
@ -25,4 +31,6 @@ in
options kvm-intel enable_apicv=1 options kvm-intel enable_apicv=1
options kvm-intel ept=1 options kvm-intel ept=1
''; '';
hardware.brightnessctl.enable = false;
} }

1
nix/os/devices/steveej-t480s-work/pkg.nix
View file

@ -4,4 +4,5 @@
{ {
home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix;
services.teamviewer.enable = true;
} }

47
nix/os/devices/steveej-t480s-work/system.nix
View file

@ -1,16 +1,18 @@
{ pkgs { pkgs
, lib , lib
, config
, ... }: , ... }:
{ let
keys = import ../../../variables/keys.nix;
in {
# TASK: new device # TASK: new device
networking.hostName = "steveej-t480s-work"; # Define your hostname. networking.hostName = "steveej-t480s-work"; # Define your hostname.
# Used for testing local Tectonic clusters # Used for testing local Openshift clusters
environment.etc."NetworkManager/dnsmasq.d/tectonic.conf".text = '' environment.etc."NetworkManager/dnsmasq.d/tectonic.conf".text = ''
server=/tt.testing/192.168.124.1 server=/openshift.testing/192.168.126.1
server=/tectonic-ci.de/192.168.124.1
server=/tectonic-ci.lan/192.168.124.1
''; '';
networking.firewall.enable = lib.mkForce false; networking.firewall.enable = lib.mkForce false;
networking.firewall.checkReversePath = false; networking.firewall.checkReversePath = false;
@ -30,21 +32,42 @@
]; ];
}; };
# TODO: get external fingerprint reader services.fprintd.enable = true;
# services.fprintd.enable = true; security.pam.services = {
# security.pam.services = { login.fprintAuth = true;
# login.fprintAuth = true; sudo.fprintAuth = true;
# sudo.fprintAuth = true; };
# };
# Kubernetes # Kubernetes
# services.kubernetes.roles = ["master" "node"]; # services.kubernetes.roles = ["master" "node"];
# virtualization # virtualization
virtualisation = { virtualisation = {
libvirtd.enable = true; libvirtd = {
enable = true;
extraOptions = [
"--listen"
];
extraConfig = ''
listen_tls = 0
listen_tcp = 1
auth_tcp="none"
tcp_port = "16509"
'';
};
virtualbox.host.enable = true; virtualbox.host.enable = true;
virtualbox.host.addNetworkInterface = true; virtualbox.host.addNetworkInterface = true;
docker.enable = true; docker.enable = true;
}; };
boot.initrd.network = {
enable = true;
useDHCP = true;
udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];
ssh = {
enable = true;
authorizedKeys = keys.users.steveej.openssh;
};
};
} }

10
nix/os/devices/steveej-t480s-work/versions.nix Normal file
View file

@ -0,0 +1,10 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "97e0d53d669cd07f0750a42fd535524b3cdd46d1";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "be445a9074f139d63e704fa82610d25456562c3d";
};
}

10
nix/os/devices/steveej-t480s-work/versions.tmpl.nix Normal file
View file

@ -0,0 +1,10 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-18.09 | awk '{ print $1 }' | tr -d '\n' -%>";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "<% git ls-remote https://github.com/nixos/nixpkgs-channels nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
};
}

149
nix/os/modules/gitlab-runner.nix Normal file
View file

@ -0,0 +1,149 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.gitlab-runner;
configFile =
if (cfg.configFile == null) then
(pkgs.runCommand "config.toml" {
buildInputs = [ pkgs.remarshal ];
} ''
remarshal -if json -of toml \
< ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
> $out
'')
else
cfg.configFile;
hasDocker = config.virtualisation.docker.enable;
in
{
options.services.gitlab-runner = {
enable = mkEnableOption "Gitlab Runner";
configFile = mkOption {
default = null;
description = ''
Configuration file for gitlab-runner.
Use this option in favor of configOptions to avoid placing CI tokens in the nix store.
<option>configFile</option> takes precedence over <option>configOptions</option>.
Warning: Not using <option>configFile</option> will potentially result in secrets
leaking into the WORLD-READABLE nix store.
'';
type = types.nullOr types.path;
};
configOptions = mkOption {
description = ''
Configuration for gitlab-runner
<option>configFile</option> will take precedence over this option.
Warning: all Configuration, especially CI token, will be stored in a
WORLD-READABLE file in the Nix Store.
If you want to protect your CI token use <option>configFile</option> instead.
'';
type = types.attrs;
example = {
concurrent = 2;
runners = [{
name = "docker-nix-1.11";
url = "https://CI/";
token = "TOKEN";
executor = "docker";
builds_dir = "";
docker = {
host = "";
image = "nixos/nix:1.11";
privileged = true;
disable_cache = true;
cache_dir = "";
};
}];
};
};
gracefulTermination = mkOption {
default = false;
type = types.bool;
description = ''
Finish all remaining jobs before stopping, restarting or reconfiguring.
If not set gitlab-runner will stop immediatly without waiting for jobs to finish,
which will lead to failed builds.
'';
};
gracefulTimeout = mkOption {
default = "infinity";
type = types.str;
example = "5min 20s";
description = ''Time to wait until a graceful shutdown is turned into a forceful one.'';
};
workDir = mkOption {
default = "/var/lib/gitlab-runner";
type = types.path;
description = "The working directory used";
};
package = mkOption {
description = "Gitlab Runner package to use";
default = pkgs.gitlab-runner;
defaultText = "pkgs.gitlab-runner";
type = types.package;
example = literalExample "pkgs.gitlab-runner_1_11";
};
packages = mkOption {
default = [ pkgs.bash pkgs.docker-machine ];
defaultText = "[ pkgs.bash pkgs.docker-machine ]";
type = types.listOf types.package;
description = ''
Packages to add to PATH for the gitlab-runner process.
'';
};
};
config = mkIf cfg.enable {
systemd.services.gitlab-runner = {
path = cfg.packages;
environment = config.networking.proxy.envVars;
description = "Gitlab Runner";
after = [ "network.target" ]
++ optional hasDocker "docker.service";
requires = optional hasDocker "docker.service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "gitlab-runner";
Group = "gitlab-runner";
WorkingDirectory = cfg.workDir;
ExecStart = ''/usr/bin/env bash -c "exec ${cfg.package.bin}/bin/gitlab-runner run \
--working-directory ${cfg.workDir} \
--config <(${pkgs.esh}/bin/esh -o - -- ${configFile}) \
--service gitlab-runner \
"'';
} // optionalAttrs (cfg.gracefulTermination) {
TimeoutStopSec = "${cfg.gracefulTimeout}";
KillSignal = "SIGQUIT";
KillMode = "process";
};
};
# Make the gitlab-runner command availabe so users can query the runner
environment.systemPackages = [ cfg.package ];
users.users.gitlab-runner = {
group = "gitlab-runner";
extraGroups = optional hasDocker "docker";
uid = config.ids.uids.gitlab-runner;
home = cfg.workDir;
createHome = true;
};
users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
};
}

129
nix/os/modules/initrd-network.nix Normal file
View file

@ -0,0 +1,129 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.boot.initrd.network;
udhcpcScript = pkgs.writeScript "udhcp-script"
''
#! /bin/sh
if [ "$1" = bound ]; then
ip address add "$ip/$mask" dev "$interface"
if [ -n "$router" ]; then
ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud)
ip route add default via "$router" dev "$interface"
fi
if [ -n "$dns" ]; then
rm -f /etc/resolv.conf
for i in $dns; do
echo "nameserver $dns" >> /etc/resolv.conf
done
fi
fi
'';
udhcpcArgs = toString cfg.udhcpc.extraArgs;
in
{
options = {
boot.initrd.network.enable = mkOption {
type = types.bool;
default = false;
description = ''
Add network connectivity support to initrd. The network may be
configured using the <literal>ip</literal> kernel parameter,
as described in <link
xlink:href="https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt">the
kernel documentation</link>. Otherwise, if
<option>networking.initrd.network.useDHCP</option> is enabled, an IP address
is acquired using DHCP.
You should add the module(s) required for your network card to
boot.initrd.availableKernelModules. lspci -v -s &lt;ethernet controller&gt;
will tell you which.
'';
};
boot.initrd.network.udhcpc.extraArgs = mkOption {
default = [];
type = types.listOf types.str;
description = ''
Additional command-line arguments passed verbatim to udhcpc if
<option>boot.initrd.network.enable</option> and <option>networking.useDHCP</option>
are enabled.
'';
};
boot.initrd.network.postCommands = mkOption {
default = "";
type = types.lines;
description = ''
Shell commands to be executed after stage 1 of the
boot has initialised the network.
'';
};
boot.initrd.network.useDHCP = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable DHCP for the network interfaces.
'';
};
};
config = mkIf cfg.enable {
warnings = [ "Enabled SSH for stage1" ];
boot.initrd.kernelModules = [ "af_packet" ];
boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig
'';
boot.initrd.preLVMCommands = mkBefore (
# Search for interface definitions in command line.
''
for o in $(cat /proc/cmdline); do
case $o in
ip=*)
ipconfig $o && hasNetwork=1
;;
esac
done
''
# Otherwise, use DHCP.
+ optionalString cfg.useDHCP ''
if [ -z "$hasNetwork" ]; then
# Bring up all interfaces.
for iface in $(cd /sys/class/net && ls); do
echo "bringing up network interface $iface..."
ip link set "$iface" up
done
# Acquire a DHCP lease.
echo "acquiring IP address via DHCP..."
udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1
fi
''
+ ''
if [ -n "$hasNetwork" ]; then
echo "networking is up!"
${cfg.postCommands}
fi
'');
};
}

24
nix/os/profiles/common/system.nix
View file

@ -65,25 +65,7 @@
mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
''; '';
programs.zsh = { programs.zsh.enable = true;
enable = false; users.defaultUserShell = pkgs.zsh;
# TODO: basic zsh config environment.pathsToLink = [ "/share/zsh" ];
# enableAutosuggestions = true; # enableCompletion = true;
# syntaxHighlighting.enable = true;
# syntaxHighlighting.patterns = {};
# ohMyZsh = {
# enable = true;
# theme = "tjkirch";
# };
# promptInit = ''
# autoload -U promptinit
# promptinit
# ZSH_THEME_GIT_PROMPT_PREFIX='@ '
# PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f %F{magenta}$(git_prompt_info)%f
#%_%F{%(!.red.green)}$(prompt_char)%f '
# RPROMPT=""
# '';
# interactiveShellInit = ''
# '';
};
} }

5
nix/os/profiles/graphical/system.nix
View file

@ -14,10 +14,9 @@
"interface-name:*cni*" "interface-name:*cni*"
]; ];
}; };
services.resolved.enable = false; networking.usePredictableInterfaceNames = false;
users.defaultUserShell = pkgs.zsh; services.resolved.enable = false;
environment.pathsToLink = [ "/share/zsh" ];
# hardware related services # hardware related services
services.illum.enable = true; services.illum.enable = true;

2
nix/os/profiles/removable-medium/system.nix
View file

@ -12,7 +12,7 @@ in {
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
virtualisation = { virtualisation = {
libvirtd.enable = false; libvirtd.enable = true;
virtualbox.host.enable = false; virtualbox.host.enable = false;
docker.enable = true; docker.enable = true;
}; };

3
nix/scripts/pre-eval-fixed.sh
View file

@ -1,5 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe
INFILE="${1:?Please set arg1 to INFILE}" INFILE="${1:?Please set arg1 to INFILE}"
OUTFILE="${2:?Please set arg2 to OUTFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}"
hash=$(nix-build ${INFILE} --arg pkgs 'import <nixpkgs> {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1) hash=$(nix-build ${INFILE} --arg pkgs 'import <channels-nixos-stable> {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1)
sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE}

6
nix/variables/keys.nix
View file

@ -2,8 +2,12 @@
users = { users = {
steveej = { steveej = {
openssh = [ openssh = [
# active, current
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559"
# active but deprecated
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnrvnvECGpBU4OXK7m7oJOOu7aJzAxOQyvEWhkRBEEyme8/eIiTJMi99wX5kKMWtpbUvinIyZ37VIrnVZv0bJ3WpJQJQkrqAkV1Bs3m5dE7AGIH0BrxgLXHuNxkW3BwmAaqUOq21r4MaYVu2xF38xwKrrk57nQkNjuZ2eiv7XyHaDn+n352jULJzcIXVKyJExhsiGomrwEXq/cmmD+s6M3yUp559fw4cQTdg6iaK76gUAFukL35HCWN3sFKPVEC/yxvfKUIhVsKuwjHfvsSxJgSjcS5yXEtJOB1RhlJ3dLfSyJzuY/AHSqSpMwUSCksMn4xTUKHLGD4wJJI8tRHbsp cardno:000605247559"
]; ];
}; };
}; };

10
nix/variables/versions.nix Normal file
View file

@ -0,0 +1,10 @@
{
channelsNixosStable = {
ref = "nixos-18.09";
rev = "7e88992a8c7b2de0bcb89182d8686b27bd93e46a";
};
channelsNixosUnstable = {
ref = "nixos-unstable";
rev = "44b02b52ea6a49674f124f50009299f192ed78bb";
};
}

16
shell.nix
View file

@ -1,15 +1,25 @@
with import <nixpkgs> {}; { ... }:
let let
channels-nixos-stable-path = (builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/7e88992a8c7b2de0bcb89182d8686b27bd93e46a.tar.gz);
channels-nixos-stable = import channels-nixos-stable-path {};
in in
with channels-nixos-stable;
stdenv.mkDerivation { stdenv.mkDerivation {
name = "infra-env"; name = "infra-env";
buildInputs = [ buildInputs = [
(with import (channels-nixos-stable-path+"/nixos") { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ])
(pkgs.callPackage ./nix/pkgs/just.nix {}) (pkgs.callPackage ./nix/pkgs/just.nix {})
git-crypt git-crypt
vcsh vcsh
gnupg gnupg
vncdo
tesseract
imagemagick
esh
]; ];
# Set Environment Variables # Set Environment Variables