
Pimp sudo use

This commit is contained in:
Malte Brandy 2021-01-10 22:32:07 +01:00
parent 69e0a23d2f
commit c0622e77b4
3 changed files with 22 additions and 6 deletions


@ -4,6 +4,8 @@ let
stateDir = "/var/lib/laminar";
cfgDir = "${stateDir}/cfg";
cfg = config.services.laminar;
cacheResult = "${pkgs.writeShellScript "cache-result-as-root"
"${pkgs.nix}/bin/nix-store -r --indirect --add-root /var/cache/gc-links/$2 $1"}";
in {
options = {
services.laminar = {
@ -21,6 +23,14 @@ in {
};
imports = [ ./kassandra.nix ./test-config.nix ];
config = {
security.sudo.extraRules = let allowedCommands = [ cacheResult ];
in [{
commands = map (command: {
inherit command;
options = [ "NOPASSWD" ];
}) allowedCommands;
users = [ "laminar" ];
}];
services.laminar.cfgFiles = {
env = builtins.toFile "laminar-env" ''
TIMEOUT=14400
@ -31,6 +41,9 @@ in {
ghcEnv.PATH = "${lib.makeBinPath [ pkgs.laminar pkgs.nix ]}:$PATH";
ghcArgs = [ "-threaded" ];
} (builtins.readFile ./nix-jobs.hs);
"cache-result" = pkgs.writeShellScript "cache-result" ''
/run/wrappers/bin/sudo ${cacheResult} $1 $2
'';
};
jobs = {
"nix-build.run" = pkgs.writeShellScript "nix-build" ''
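Review bot: The root-side script in the first hunk (`cacheResult`, "cache-result-as-root") uses `$1` and `$2` unquoted and places `$2` directly under `/var/cache/gc-links/` without checking that it is a single path component, so a link name containing `/` or `..` would make root create the gc-root symlink outside that directory. Because the sudo rule added in the second hunk lists only the script path with `NOPASSWD` and no argument pattern, sudo itself does not constrain the arguments, so the validation has to live inside the privileged script. The unprivileged wrapper `cache-result` in the third hunk should likewise quote its arguments: `/run/wrappers/bin/sudo ${cacheResult} "$1" "$2"`. A rewrite of the privileged script that restricts `$2` to one path component and `$1` to a store path is sketched below; the `let` block it belongs to starts outside the hunk.
```nix
cacheResult = "${pkgs.writeShellScript "cache-result-as-root" ''
  set -euo pipefail
  # $1: derivation/store path to realise; $2: gc-root link name (one path component)
  case "$2" in
    "" | . | .. | */*) echo "cache-result-as-root: invalid link name" >&2; exit 1 ;;
  esac
  case "$1" in
    /nix/store/*) ;;
    *) echo "cache-result-as-root: not a store path" >&2; exit 1 ;;
  esac
  exec ${pkgs.nix}/bin/nix-store -r --indirect --add-root "/var/cache/gc-links/$2" "$1"
''}";
```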


@ -16,6 +16,7 @@ let
drv=$(readlink -f $(nix-instantiate release.nix -A ${name} --add-root ./drv --indirect $FLAGS))
echo "Evaluation done."
nix-jobs realise $drv
cache-result $drv kassandra-${name}-result
'';
in {
services.laminar.cfgFiles.jobs = {
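Review bot: The added `cache-result` call passes `$drv` unquoted, following the neighbouring `nix-jobs realise $drv` line; the value comes from `readlink -f` and is a single store path in practice, but quoting costs nothing and keeps the argument intact if that ever changes: `cache-result "$drv" kassandra-${name}-result`. The shell script this line belongs to starts and ends outside the hunk.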


@ -11,20 +11,24 @@ let
say [i|Trying to build ${name} config for #{hostname}.|]
(Text.dropAround ('"' ==) . decodeUtf8 . trim -> derivationName) <- (nix_instantiate $ ${drv}) |> captureTrim
exe "nix-jobs" ["realise", toString derivationName]
exe "/run/wrappers/bin/sudo" ["${cacheResult}", toString derivationName, ${target}]
exe "cache-result" [toString derivationName, ${target}]
say [i|Build of ${name} config for #{hostname} was successful.|]
'';
test-system-config = pkgs.writeHaskellScript {
name = "test-system-config";
inherit bins;
inherit imports;
} (haskellBody "system" ''buildSystemParams ++ paths ++ ["-I", [i|nixos-config=#{configDir}/nixos/machines/#{hostname}/configuration.nix|]]'' "[i|result-system-#{hostname}|]");
} (haskellBody "system" ''
buildSystemParams ++ paths ++ ["-I", [i|nixos-config=#{configDir}/nixos/machines/#{hostname}/configuration.nix|]]''
"[i|result-system-#{hostname}|]");
test-home-config = pkgs.writeHaskellScript {
name = "test-home-config";
inherit bins;
inherit imports;
} (haskellBody "home" ''paths ++ [[i|#{configDir}/home-manager/target.nix|], "-A", hostname]'' "[i|result-home-manager-#{hostname}|]");
} (haskellBody "home"
''paths ++ [[i|#{configDir}/home-manager/target.nix|], "-A", hostname]''
"[i|result-home-manager-#{hostname}|]");
path = [ pkgs.git pkgs.nix pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.laminar ];
common = ''
set -e
@ -66,8 +70,6 @@ let
});
deployCommand = "${pkgs.writeShellScript "deploy-system-config"
"${pkgs.systemd}/bin/systemctl start update-config"}";
cacheResult = "${pkgs.writeShellScript "cache-result"
"${pkgs.nix}/bin/nix-store -r --indirect --add-root /var/cache/gc-links/$2 $1"}";
in {
services.laminar.cfgFiles.jobs = {
"test-config.run" = pkgs.writeHaskell "test-config" {
@ -87,7 +89,7 @@ in {
} (builtins.readFile ./bump-config.hs);
} // lib.listToAttrs (map mkHomeJob homes)
// lib.listToAttrs (map mkSystemJob homes);
security.sudo.extraRules = let allowedCommands = [ deployCommand cacheResult ];
security.sudo.extraRules = let allowedCommands = [ deployCommand ];
in [{
commands = map (command: {
inherit command;