Tons of changes

2019-07-31 11:16:47 +02:00 · 2019-07-31 11:16:47 +02:00 · c7720b7035
parent 676bc91f74
commit c7720b7035
14 changed files with 140 additions and 79 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -7,9 +7,6 @@ with lib;
 imports = [ ./secret ];

 config = {
-  nixpkgs.overlays = [ (self: super: {
-    unstable = import (builtins.fetchGit { url = "https://github.com/NixOS/nixpkgs-channels"; ref = "nixos-unstable";}) {};
-  })];
  m-0.monitoring = [ {
    host = "apollo:9100";
    name = "apollo";
--- a/common/essentials.nix
+++ b/common/essentials.nix
@ -1,8 +1,18 @@
 let
  inherit (import ../common/lib.nix) niv;
+  pkgs = import <nixpkgs> {};
+  unstable = import <unstable> {};
+  lorriSrc = (import ../nix/sources.nix).lorri;
+  lorri = import lorriSrc { src = lorriSrc; pkgs = unstable; };
+  neovim = pkgs.neovim.override {
+      vimAlias = true;
+      withPython3 = true;
+    };
 in
 {
-  core = pkgs: with pkgs; [
+  core = builtins.attrValues {
+    inherit neovim;
+      inherit (pkgs)
    gitFull
    gnumake
    python3
@ -11,10 +21,6 @@ in
    wget
    curl
    wireguard
-    (pkgs.neovim.override {
-      vimAlias = true;
-      withPython3 = true;
-    })
    gnupg
    mutt
    bind
@ -23,26 +29,24 @@ in
    unzip
    rename
    whois
-    lsof
-    ];
+    lsof;
+  };
+
+  extra = builtins.attrValues {
+    inherit lorri niv;
+    inherit (pkgs.gitAndTools) git-annex;
+    inherit (pkgs.rxvt_unicode) terminfo;
+    inherit (pkgs.pythonPackages) qrcode;
+    inherit (pkgs)

-    extra = pkgs: with pkgs; let
-      lorriSrc = builtins.fetchGit { url = "https://github.com/target/lorri.git"; ref = "rolling-release"; };
-      lorri = import "${lorriSrc}/default.nix" { src = lorriSrc; inherit pkgs; };
-    in
-    [
-    niv
    git-crypt
-    gitAndTools.git-annex
    htop
    tree
-    rxvt_unicode.terminfo
    pwgen
    borgbackup
    inotifyTools

    direnv
-    #lorri

    socat
    nmap
@ -58,10 +62,9 @@ in

    ripgrep

-    pythonPackages.qrcode
    ranger

    pass
-    sshuttle
-    ];
+    sshuttle;
+  };
 }
--- a/common/lib.nix
+++ b/common/lib.nix
@ -6,6 +6,7 @@ let
    broken = false;
    doCheck = false;
  });
+  haskellList = list: ''["${builtins.concatStringsSep ''", "'' list}"]'';
  writeHaskellScript = { name ? "haskell-script", bins ? [pkgs.coreutils], libraries ? [], imports ? []}: code:
    unstable.writers.writeHaskellBin name { libraries = libraries ++ [shh unstable.haskellPackages.string-interpolate ]; } ''
      {-# LANGUAGE DeriveDataTypeable #-}
@ -26,7 +27,7 @@ let

      -- Load binaries from Nix packages. The dependencies will be captured
      -- in the closure.
-      loadFromBins ["${builtins.concatStringsSep ''", "'' (builtins.map toString bins)}"]
+      loadFromBins ${haskellList (builtins.map toString bins)}

      ${code}
    '';
@ -46,7 +47,7 @@ let
          nix_instantiate ["--eval", "-E", [i|toString #{expr}|]] |> trimQuotation
    '';
 in {
-  inherit writeHaskellScript get-niv-path unstable sources;
+  inherit writeHaskellScript get-niv-path unstable sources haskellList;
  niv = (import sources.niv {}).niv;
  home-manager = pkgs.callPackage <home-manager/home-manager> {};
  gcRetentionDays = 5;
--- a/home-manager/modules/laptop.nix
+++ b/home-manager/modules/laptop.nix
@ -77,7 +77,7 @@ mkIf config.m-0.laptop.enable {
    evince
    gnome3.nautilus

-#    (import (fetchTarball https://cachix.org/api/v1/install) {}).cachix
+    (import ../nix/sources.nix).cachix

    # look & feel
    libertine
--- a/hosts/apollo/configuration.nix
+++ b/hosts/apollo/configuration.nix
@ -5,7 +5,7 @@
 let
  inherit (config.m-0.private) me wireguard;
  inherit (config.m-0) hosts prefix;
-  nixos-hardware = (builtins.fetchGit "https://github.com/nixos/nixos-hardware");
+  nixos-hardware = (import ../../nix/sources.nix).nixos-hardware;
 in {

 imports = [
--- a/hosts/hera/configuration.nix
+++ b/hosts/hera/configuration.nix
@ -1,6 +1,7 @@
 { config, pkgs, ... }:

 # You need pw-files for every configured user in ./secret/pw-useralias for login to work.
+# dropbearkey -t rsa -f /etc/nixos/hosts/<hostname>/secret/boot_rsa

 let
  inherit (config.m-0.private) me;
@ -12,6 +13,7 @@ imports = [
 ../../system/test-timer.nix
 ../../system/standalone.nix
 ../../system/server.nix
+ ../../system/git.nix
 ./borg.nix
 ./mail.nix
 ./boot.nix
@ -39,11 +41,6 @@ services = {
  };
 };

-m-0 = {
-  # dropbearkey -t rsa -f /etc/nixos/hosts/<hostname>/secret/boot_rsa
-  git-server.enable = true;
-};
-
 users.users.choreutes = {
      linger = true;
      description = "choreutes";
--- a/hosts/hera/mail.nix
+++ b/hosts/hera/mail.nix
@ -26,7 +26,7 @@ containers.mail = {
  config = { pkgs, lib, ... }: {
    imports = [
      ../../system
-      "${(builtins.fetchGit "ssh://git@hera/nixos-mailserver")}"
+      "${(import ../../nix/sources.nix).nixos-mailserver}"
    ];
    services.prometheus.exporters = {
      node.port = 9101;
@ -44,8 +44,16 @@ containers.mail = {
    };
    systemd.services = {
      atomail = {
-        script = ''
-          ${pkgs.python}/bin/python ${builtins.fetchGit "https://github.com/remko/atomail.git"}/atomail.py --title "Readlater-E-Mails" --uri="http://hera-intern-v4:8842/rss.xml" /var/www/rss.xml --mode=maildir --file "/var/vmail/maralorn.de/malte.brandy/.Move.readlater/" --max-items=100
+        script =
+        let
+          atomail = pkgs.fetchFromGitHub {
+            owner = "remko";
+            repo = "atomail";
+            rev = "f079966cb808f51fcc67be91b609942cdb49898a";
+            sha256 = "0a4j4xajn2yysgcb17jmb6ak148kk0kwf7khml7dbnh7807fv9b6";
+          };
+        in ''
+          ${pkgs.python}/bin/python ${atomail}/atomail.py --title "Readlater-E-Mails" --uri="http://hera-intern-v4:8842/rss.xml" /var/www/rss.xml --mode=maildir --file "/var/vmail/maralorn.de/malte.brandy/.Move.readlater/" --max-items=100
          ${pkgs.rsync}/bin/rsync -a /var/vmail/maralorn.de/malte.brandy/.Move.readlater/cur/ /var/vmail/maralorn.de/malte.brandy/.Archiv.unsortiert/cur --remove-source-files
        '';
        startAt = "19:58:00";
--- a/nix/sources.json
+++ b/nix/sources.json
@ -1,4 +1,16 @@
 {
+    "cachix": {
+        "branch": "master",
+        "description": "Command line client for Nix binary cache hosting:",
+        "homepage": "https://cachix.org",
+        "owner": "cachix",
+        "repo": "cachix",
+        "rev": "53e15349b45679fd47a97bf4d030b024dbada9fd",
+        "sha256": "0ir92v4hk60hvvgqbjp97mlrks3wm7881gd2wc177r1hy24wvxdi",
+        "type": "tarball",
+        "url": "https://github.com/cachix/cachix/archive/53e15349b45679fd47a97bf4d030b024dbada9fd.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
    "home-manager": {
        "branch": "release-19.03",
        "description": "Manage a user environment using Nix",
@ -11,6 +23,18 @@
        "url": "https://github.com/rycee/home-manager/archive/a85f22164d56052f027e71718c99ec0a1c3d25d1.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
+    "lorri": {
+        "branch": "rolling-release",
+        "description": "Your project's nix-env",
+        "homepage": "",
+        "owner": "target",
+        "repo": "lorri",
+        "rev": "d3e452ebc2b24ab86aec18af44c8217b2e469b2a",
+        "sha256": "07yf3gl9sixh7acxayq4q8h7z4q8a66412z0r49sr69yxb7b4q89",
+        "type": "tarball",
+        "url": "https://github.com/target/lorri/archive/d3e452ebc2b24ab86aec18af44c8217b2e469b2a.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
    "niv": {
        "branch": "master",
        "description": "Easy dependency management for Nix projects",
@ -23,6 +47,30 @@
        "url": "https://github.com/nmattia/niv/archive/8b7b70465c130d8d7a98fba1396ad1481daee518.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
+    "nixos-hardware": {
+        "branch": "master",
+        "description": "A collection of NixOS modules covering hardware quirks.",
+        "homepage": "",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "03db9669a6fc712e9537201d55639287eb606765",
+        "sha256": "1g8kap5qzva58pcwn2xj1cs0k9w9mpbrlk5diaaarlgizp4l2x0z",
+        "type": "tarball",
+        "url": "https://github.com/nixos/nixos-hardware/archive/03db9669a6fc712e9537201d55639287eb606765.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixos-mailserver": {
+        "branch": "master",
+        "description": "Fork of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git",
+        "homepage": "",
+        "owner": "maralorn",
+        "repo": "nixos-mailserver",
+        "rev": "36f0b7ed587be92bfa9032d45bcc3c9b3520ed6b",
+        "sha256": "1bydmapzvw71qd5lkxkb706jfd8cc5zmnv7dcdxiqd73hyfydpas",
+        "type": "tarball",
+        "url": "https://github.com/maralorn/nixos-mailserver/archive/36f0b7ed587be92bfa9032d45bcc3c9b3520ed6b.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
    "nixpkgs": {
        "branch": "nixos-19.03",
        "description": "Nixpkgs/NixOS branches that track the Nixpkgs/NixOS channels",
--- a/system/default.nix
+++ b/system/default.nix
@ -6,7 +6,6 @@ in {
  imports = [
    ../common
    ./modules/laptop.nix
-    ./modules/git.nix
    ./modules/mathechor.de.nix
    ./modules/blog.nix
    ./modules/riot.nix
--- a/system/git.nix
+++ b/system/git.nix
@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (import ../common/lib.nix) writeHaskellScript haskellList;
+  me = config.m-0.private.me;
+  test-command = ["${pkgs.systemd}/bin/systemctl" "start" "test-and-bump-config.service"];
+  upgrade-command = ["${pkgs.systemd}/bin/systemctl" "start" "system-maintenance.service"];
+  post-update = writeHaskellScript {
+    name = "post-update";
+    bins = [ pkgs.git pkgs.nix ];
+    imports = [ "System.Environment (lookupEnv)" "Data.Foldable (for_)"];
+  } ''
+    main = do
+      mirror <- lookupEnv "GL_OPTION_MIRROR"
+      for_ mirror $ \mirror -> do
+        writeOutput ([i|Forwarding push to #{mirror}|] :: String)
+        git "push" "--all" mirror
+      deploy <- lookupEnv "GL_OPTION_WEB_DEPLOY"
+      for_ deploy $ \deploy -> do
+        writeOutput ([i|Deploying build to /var/www/#{deploy}|] :: String)
+        nix "build" "-o" ([i|/var/www/#{deploy}|] :: String)
+        writeOutput "Done"
+      test <- lookupEnv "GL_OPTION_TEST"
+      for_ test $ \_ -> do
+        writeOutput "Triggering a system update … You can wait or disconnect";
+        exe "sudo" ${haskellList test-command};
+        exe "sudo" ${haskellList upgrade-command};
+        writeOutput "Done";
+  '';
+in
+{
+    users.users.git.linger = true; # Frequent restarting of the systemd-user-unit leads to errors
+    security.sudo.extraRules = [ { commands = [
+      { command = builtins.concatStringsSep " " test-command; options = [ "NOPASSWD" ]; }
+      { command = builtins.concatStringsSep " " upgrade-command; options = [ "NOPASSWD" ]; }
+    ];  users = [ "git" ]; } ];
+    services.gitolite = {
+      enable = true;
+      user = "git";
+      adminPubkey = builtins.elemAt me.keys 0;
+      commonHooks = [ "${post-update}/bin/post-update" ];
+    };
+}
--- a/system/modules/git.nix
+++ b/system/modules/git.nix
@ -1,39 +0,0 @@
-{ config, pkgs, lib, ... }:
-with lib;
-
-let
-
-  me = config.m-0.private.me;
-
-in
-{
-  options = {
-    m-0.git-server.enable = mkOption {
-      type = types.bool;
-      default = false;
-    };
-  };
-  config = let
-    upgrade-command = "${pkgs.systemd}/bin/systemctl start nixos-upgrade.service";
-  in
-    mkIf config.m-0.git-server.enable {
-    users.users.git.linger = true; # Frequent restarting of the systemd-user-unit leads to errors
-    security.sudo.extraRules = [ { commands = [ { command = upgrade-command; options = [ "NOPASSWD" ]; } ];  users = [ "git" ]; } ];
-    services.gitolite = {
-      enable = true;
-      user = "git";
-      adminPubkey = builtins.elemAt me.keys 0;
-      commonHooks = [ "${pkgs.writeShellScriptBin "post-update" ''
-        if [ -n "$GL_OPTION_MIRROR" ]; then
-          echo "Forwarding push to $GL_OPTION_MIRROR";
-          git push --all $GL_OPTION_MIRROR;
-        fi
-        if [ -n "$GL_OPTION_REBUILD" ]; then
-          echo "Triggering a system update … You can wait or disconnect";
-          sudo ${upgrade-command};
-          echo "Done";
-        fi
-      ''}/bin/post-update" ];
-    };
-  };
-}
--- a/system/server.nix
+++ b/system/server.nix
@ -8,6 +8,8 @@ config = {
    startAt = "2:45";
    environment.NIX_PATH = "/etc/nix-path:nixos-config=/etc/nixos/configuration.nix";
    path = [ pkgs.git ];
+    restartIfChanged = false;
+    unitConfig.X-StopOnRemoval = false;
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${(import ./update-lib.nix config.system.build.nixos-rebuild).system-maintenance}/bin/system-maintenance";
--- a/system/standalone.nix
+++ b/system/standalone.nix
@ -25,7 +25,7 @@ with lib;
  environment = {
    # Put these into an extra file so the essential packages can also be included on non selfadminstrated systems from home-manager
    systemPackages = let essentials = import ../common/essentials.nix;
-  in (essentials.core pkgs) ++ (essentials.extra pkgs) ++ (builtins.attrValues {
+  in essentials.core ++ essentials.extra ++ (builtins.attrValues {
        inherit (import ./test-lib.nix) test-system-config test-home-config test-and-bump-config;
        inherit (import ../common/lib.nix) home-manager;
        inherit (import ./update-lib.nix config.system.build.nixos-rebuild) update-system system-maintenance;
--- a/system/test-lib.nix
+++ b/system/test-lib.nix
@ -1,6 +1,6 @@
 let
  pkgs = import <nixpkgs> {};
-  inherit (import ../common/lib.nix) writeHaskellScript get-niv-path home-manager unstable niv;
+  inherit (import ../common/lib.nix) writeHaskellScript get-niv-path home-manager unstable niv haskellList;
  haskellBody = commandline:
    ''
    getNivPath dir = readTrim . get_niv_path ([i|#{dir :: String}/nix/sources.nix|] :: String)
@ -33,6 +33,9 @@ let

  repoSrc = "git@hera.m-0.eu:nixos-config";
  configPath = "/etc/nixos";
+  systems = ["apollo"  "hera"];
+  homes = ["apollo"  "hera"  "hephaistos"];
+  keys = ["default"  "apollo"  "hera"];
  test-and-bump-config = writeHaskellScript {
    name = "test-and-bump-config";
    bins = [ test-system-config test-home-config pkgs.git pkgs.coreutils niv pkgs.git-crypt ];
@ -48,10 +51,10 @@ let
        path <- readTrim pwd
        bracket checkout (rm "-rf") $ \dir -> do
          withCurrentDirectory dir $ do
-            mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ["default", "apollo", "hera"]
+            mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${haskellList keys}
            ignoreFailure $ niv "update"
-          mapM_ (test_system_config dir) ["apollo", "hera"]
-          mapM_ (test_home_config dir) ["apollo", "hera", "hephaistos"]
+          mapM_ (test_system_config dir) ${haskellList systems}
+          mapM_ (test_home_config dir) ${haskellList homes}
          changed <- ((mempty /=) <$>) . readTrim $ git "-C" dir "status" "--porcelain"
          when changed $ do
            git "-C" dir "config" "user.email" "maralorn@maralorn.de"