Pimp sudo use
This commit is contained in:
parent
69e0a23d2f
commit
c0622e77b4
3 changed files with 22 additions and 6 deletions
|
@ -4,6 +4,8 @@ let
|
||||||
stateDir = "/var/lib/laminar";
|
stateDir = "/var/lib/laminar";
|
||||||
cfgDir = "${stateDir}/cfg";
|
cfgDir = "${stateDir}/cfg";
|
||||||
cfg = config.services.laminar;
|
cfg = config.services.laminar;
|
||||||
|
cacheResult = "${pkgs.writeShellScript "cache-result-as-root"
|
||||||
|
"${pkgs.nix}/bin/nix-store -r --indirect --add-root /var/cache/gc-links/$2 $1"}";
|
||||||
in {
|
in {
|
||||||
options = {
|
options = {
|
||||||
services.laminar = {
|
services.laminar = {
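Review bot: The added `cache-result-as-root` script hands `$1` and `$2` to `nix-store` unquoted and unvalidated, while the NOPASSWD rule added in the next hunk lets the `laminar` user run it with any arguments (a sudoers command entry without an argument list matches all arguments), so the CI user rather than the module decides where `--add-root` points under `/var/cache/gc-links` — `$2` is not limited to a single path component — and word splitting lets extra `nix-store` options through either argument. Presumably the rule runs the script as root (no `runAs` is set), so the script itself has to be the argument filter: quote both variables, accept only a `/nix/store/` path for `$1` and a plain name without `/` or `..` for `$2`, and fail fast with `set -euo pipefail`. The `cache-result` wrapper in the third hunk (`/run/wrappers/bin/sudo ${cacheResult} $1 $2`) and the `cache-result $drv kassandra-${name}-result` call in the next file have the same unquoted arguments, but they run unprivileged, so the check on the root side is the one that matters.
```nix
cacheResult = "${pkgs.writeShellScript "cache-result-as-root" ''
  set -euo pipefail
  # Runs as root via sudo: refuse anything but a store path and a single path component.
  case "$1" in
    /nix/store/*) ;;
    *) echo "cache-result-as-root: not a store path: $1" >&2; exit 1 ;;
  esac
  case "$2" in
    ""|*/*|*..*) echo "cache-result-as-root: bad link name: $2" >&2; exit 1 ;;
  esac
  exec ${pkgs.nix}/bin/nix-store -r --indirect --add-root "/var/cache/gc-links/$2" "$1"
''}";
```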
|
||||||
|
@ -21,6 +23,14 @@ in {
|
||||||
};
|
};
|
||||||
imports = [ ./kassandra.nix ./test-config.nix ];
|
imports = [ ./kassandra.nix ./test-config.nix ];
|
||||||
config = {
|
config = {
|
||||||
|
security.sudo.extraRules = let allowedCommands = [ cacheResult ];
|
||||||
|
in [{
|
||||||
|
commands = map (command: {
|
||||||
|
inherit command;
|
||||||
|
options = [ "NOPASSWD" ];
|
||||||
|
}) allowedCommands;
|
||||||
|
users = [ "laminar" ];
|
||||||
|
}];
|
||||||
services.laminar.cfgFiles = {
|
services.laminar.cfgFiles = {
|
||||||
env = builtins.toFile "laminar-env" ''
|
env = builtins.toFile "laminar-env" ''
|
||||||
TIMEOUT=14400
|
TIMEOUT=14400
|
||||||
|
@ -31,6 +41,9 @@ in {
|
||||||
ghcEnv.PATH = "${lib.makeBinPath [ pkgs.laminar pkgs.nix ]}:$PATH";
|
ghcEnv.PATH = "${lib.makeBinPath [ pkgs.laminar pkgs.nix ]}:$PATH";
|
||||||
ghcArgs = [ "-threaded" ];
|
ghcArgs = [ "-threaded" ];
|
||||||
} (builtins.readFile ./nix-jobs.hs);
|
} (builtins.readFile ./nix-jobs.hs);
|
||||||
|
"cache-result" = pkgs.writeShellScript "cache-result" ''
|
||||||
|
/run/wrappers/bin/sudo ${cacheResult} $1 $2
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
jobs = {
|
jobs = {
|
||||||
"nix-build.run" = pkgs.writeShellScript "nix-build" ''
|
"nix-build.run" = pkgs.writeShellScript "nix-build" ''
|
||||||
|
|
|
@ -16,6 +16,7 @@ let
|
||||||
drv=$(readlink -f $(nix-instantiate release.nix -A ${name} --add-root ./drv --indirect $FLAGS))
|
drv=$(readlink -f $(nix-instantiate release.nix -A ${name} --add-root ./drv --indirect $FLAGS))
|
||||||
echo "Evaluation done."
|
echo "Evaluation done."
|
||||||
nix-jobs realise $drv
|
nix-jobs realise $drv
|
||||||
|
cache-result $drv kassandra-${name}-result
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
services.laminar.cfgFiles.jobs = {
|
services.laminar.cfgFiles.jobs = {
|
||||||
|
|
|
@ -11,20 +11,24 @@ let
|
||||||
say [i|Trying to build ${name} config for #{hostname}.|]
|
say [i|Trying to build ${name} config for #{hostname}.|]
|
||||||
(Text.dropAround ('"' ==) . decodeUtf8 . trim -> derivationName) <- (nix_instantiate $ ${drv}) |> captureTrim
|
(Text.dropAround ('"' ==) . decodeUtf8 . trim -> derivationName) <- (nix_instantiate $ ${drv}) |> captureTrim
|
||||||
exe "nix-jobs" ["realise", toString derivationName]
|
exe "nix-jobs" ["realise", toString derivationName]
|
||||||
exe "/run/wrappers/bin/sudo" ["${cacheResult}", toString derivationName, ${target}]
|
exe "cache-result" [toString derivationName, ${target}]
|
||||||
say [i|Build of ${name} config for #{hostname} was successful.|]
|
say [i|Build of ${name} config for #{hostname} was successful.|]
|
||||||
'';
|
'';
|
||||||
test-system-config = pkgs.writeHaskellScript {
|
test-system-config = pkgs.writeHaskellScript {
|
||||||
name = "test-system-config";
|
name = "test-system-config";
|
||||||
inherit bins;
|
inherit bins;
|
||||||
inherit imports;
|
inherit imports;
|
||||||
} (haskellBody "system" ''buildSystemParams ++ paths ++ ["-I", [i|nixos-config=#{configDir}/nixos/machines/#{hostname}/configuration.nix|]]'' "[i|result-system-#{hostname}|]");
|
} (haskellBody "system" ''
|
||||||
|
buildSystemParams ++ paths ++ ["-I", [i|nixos-config=#{configDir}/nixos/machines/#{hostname}/configuration.nix|]]''
|
||||||
|
"[i|result-system-#{hostname}|]");
|
||||||
|
|
||||||
test-home-config = pkgs.writeHaskellScript {
|
test-home-config = pkgs.writeHaskellScript {
|
||||||
name = "test-home-config";
|
name = "test-home-config";
|
||||||
inherit bins;
|
inherit bins;
|
||||||
inherit imports;
|
inherit imports;
|
||||||
} (haskellBody "home" ''paths ++ [[i|#{configDir}/home-manager/target.nix|], "-A", hostname]'' "[i|result-home-manager-#{hostname}|]");
|
} (haskellBody "home"
|
||||||
|
''paths ++ [[i|#{configDir}/home-manager/target.nix|], "-A", hostname]''
|
||||||
|
"[i|result-home-manager-#{hostname}|]");
|
||||||
path = [ pkgs.git pkgs.nix pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.laminar ];
|
path = [ pkgs.git pkgs.nix pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.laminar ];
|
||||||
common = ''
|
common = ''
|
||||||
set -e
|
set -e
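Review bot: `exe "cache-result" [toString derivationName, ${target}]` replaces an absolute `/run/wrappers/bin/sudo` invocation with a bare name resolved through PATH at job runtime, and nothing in this hunk shows that name being added: `bins` is inherited from outside the hunk and the `path` list below (`pkgs.git pkgs.nix pkgs.gnutar pkgs.gzip pkgs.openssh pkgs.laminar`) is unchanged. The existing `exe "nix-jobs" [...]` line presumably works the same way, so laminar may well put its cfg scripts on PATH, but that should be confirmed rather than discovered on the first run. If it is not guaranteed, referencing the script by its store path (`exe "${cfg.cfgFiles."cache-result"}" [...]` or equivalent) keeps the call independent of PATH.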
|
||||||
|
@ -66,8 +70,6 @@ let
|
||||||
});
|
});
|
||||||
deployCommand = "${pkgs.writeShellScript "deploy-system-config"
|
deployCommand = "${pkgs.writeShellScript "deploy-system-config"
|
||||||
"${pkgs.systemd}/bin/systemctl start update-config"}";
|
"${pkgs.systemd}/bin/systemctl start update-config"}";
|
||||||
cacheResult = "${pkgs.writeShellScript "cache-result"
|
|
||||||
"${pkgs.nix}/bin/nix-store -r --indirect --add-root /var/cache/gc-links/$2 $1"}";
|
|
||||||
in {
|
in {
|
||||||
services.laminar.cfgFiles.jobs = {
|
services.laminar.cfgFiles.jobs = {
|
||||||
"test-config.run" = pkgs.writeHaskell "test-config" {
|
"test-config.run" = pkgs.writeHaskell "test-config" {
|
||||||
|
@ -87,7 +89,7 @@ in {
|
||||||
} (builtins.readFile ./bump-config.hs);
|
} (builtins.readFile ./bump-config.hs);
|
||||||
} // lib.listToAttrs (map mkHomeJob homes)
|
} // lib.listToAttrs (map mkHomeJob homes)
|
||||||
// lib.listToAttrs (map mkSystemJob homes);
|
// lib.listToAttrs (map mkSystemJob homes);
|
||||||
security.sudo.extraRules = let allowedCommands = [ deployCommand cacheResult ];
|
security.sudo.extraRules = let allowedCommands = [ deployCommand ];
|
||||||
in [{
|
in [{
|
||||||
commands = map (command: {
|
commands = map (command: {
|
||||||
inherit command;
|
inherit command;
|
||||||
|
|