Tons of changes
This commit is contained in:
parent
676bc91f74
commit
c7720b7035
|
@ -7,9 +7,6 @@ with lib;
|
|||
imports = [ ./secret ];
|
||||
|
||||
config = {
|
||||
nixpkgs.overlays = [ (self: super: {
|
||||
unstable = import (builtins.fetchGit { url = "https://github.com/NixOS/nixpkgs-channels"; ref = "nixos-unstable";}) {};
|
||||
})];
|
||||
m-0.monitoring = [ {
|
||||
host = "apollo:9100";
|
||||
name = "apollo";
|
||||
|
|
|
@ -1,8 +1,18 @@
|
|||
let
|
||||
inherit (import ../common/lib.nix) niv;
|
||||
pkgs = import <nixpkgs> {};
|
||||
unstable = import <unstable> {};
|
||||
lorriSrc = (import ../nix/sources.nix).lorri;
|
||||
lorri = import lorriSrc { src = lorriSrc; pkgs = unstable; };
|
||||
neovim = pkgs.neovim.override {
|
||||
vimAlias = true;
|
||||
withPython3 = true;
|
||||
};
|
||||
in
|
||||
{
|
||||
core = pkgs: with pkgs; [
|
||||
core = builtins.attrValues {
|
||||
inherit neovim;
|
||||
inherit (pkgs)
|
||||
gitFull
|
||||
gnumake
|
||||
python3
|
||||
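Review bot: `pkgs = import <nixpkgs> {};` and `unstable = import <unstable> {};` make this file evaluate its own nixpkgs instances from NIX_PATH instead of receiving the module system's `pkgs`, so `core` and `extra` no longer see the system's overlays or nixpkgs config, and what gets installed depends on the channel state of NIX_PATH at evaluation time; the caller in system/default.nix (`in essentials.core ++ essentials.extra ++ (builtins.attrValues {`) inherits the same issue. The replaced `core = pkgs: with pkgs; [` took `pkgs` from the caller, which kept the package set consistent with the rest of the system. Both uses can be served by making the file a function with defaults, one line before `let`: `{ pkgs ? import <nixpkgs> {}, unstable ? import <unstable> {} }:`, with module callers doing `import ../common/essentials.nix { inherit pkgs; }`. The `let` block's remaining bindings and the attribute sets continue outside this hunk.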
|
@ -11,10 +21,6 @@ in
|
|||
wget
|
||||
curl
|
||||
wireguard
|
||||
(pkgs.neovim.override {
|
||||
vimAlias = true;
|
||||
withPython3 = true;
|
||||
})
|
||||
gnupg
|
||||
mutt
|
||||
bind
|
||||
|
@ -23,26 +29,24 @@ in
|
|||
unzip
|
||||
rename
|
||||
whois
|
||||
lsof
|
||||
];
|
||||
lsof;
|
||||
};
|
||||
|
||||
extra = builtins.attrValues {
|
||||
inherit lorri niv;
|
||||
inherit (pkgs.gitAndTools) git-annex;
|
||||
inherit (pkgs.rxvt_unicode) terminfo;
|
||||
inherit (pkgs.pythonPackages) qrcode;
|
||||
inherit (pkgs)
|
||||
|
||||
extra = pkgs: with pkgs; let
|
||||
lorriSrc = builtins.fetchGit { url = "https://github.com/target/lorri.git"; ref = "rolling-release"; };
|
||||
lorri = import "${lorriSrc}/default.nix" { src = lorriSrc; inherit pkgs; };
|
||||
in
|
||||
[
|
||||
niv
|
||||
git-crypt
|
||||
gitAndTools.git-annex
|
||||
htop
|
||||
tree
|
||||
rxvt_unicode.terminfo
|
||||
pwgen
|
||||
borgbackup
|
||||
inotifyTools
|
||||
|
||||
direnv
|
||||
#lorri
|
||||
|
||||
socat
|
||||
nmap
|
||||
|
@ -58,10 +62,9 @@ in
|
|||
|
||||
ripgrep
|
||||
|
||||
pythonPackages.qrcode
|
||||
ranger
|
||||
|
||||
pass
|
||||
sshuttle
|
||||
];
|
||||
sshuttle;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@ let
|
|||
broken = false;
|
||||
doCheck = false;
|
||||
});
|
||||
haskellList = list: ''["${builtins.concatStringsSep ''", "'' list}"]'';
|
||||
writeHaskellScript = { name ? "haskell-script", bins ? [pkgs.coreutils], libraries ? [], imports ? []}: code:
|
||||
unstable.writers.writeHaskellBin name { libraries = libraries ++ [shh unstable.haskellPackages.string-interpolate ]; } ''
|
||||
{-# LANGUAGE DeriveDataTypeable #-}
|
||||
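Review bot: The new `haskellList = list: ''["${builtins.concatStringsSep ''", "'' list}"]'';` splices each element into a Haskell string literal verbatim, so any element containing `"` or `\` yields a broken or differently-parsed list in the generated script. All current callers pass fixed store paths and literal names (`bins`, `test-command`, `keys`), so this is a robustness issue rather than an exploitable one, but since the helper is now exported and reused from test-lib.nix and system/git.nix it is worth making it safe by construction: `haskellList = list: "[${builtins.concatStringsSep ", " (map builtins.toJSON list)}]";`. `builtins.toJSON` emits a double-quoted literal with `"` and `\` escaped, which Haskell accepts; the caveat is that JSON's `\uXXXX` escapes for control characters are not valid Haskell, so elements are still expected to be printable. The enclosing `let` continues outside this hunk.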
|
@ -26,7 +27,7 @@ let
|
|||
|
||||
-- Load binaries from Nix packages. The dependencies will be captured
|
||||
-- in the closure.
|
||||
loadFromBins ["${builtins.concatStringsSep ''", "'' (builtins.map toString bins)}"]
|
||||
loadFromBins ${haskellList (builtins.map toString bins)}
|
||||
|
||||
${code}
|
||||
'';
|
||||
|
@ -46,7 +47,7 @@ let
|
|||
nix_instantiate ["--eval", "-E", [i|toString #{expr}|]] |> trimQuotation
|
||||
'';
|
||||
in {
|
||||
inherit writeHaskellScript get-niv-path unstable sources;
|
||||
inherit writeHaskellScript get-niv-path unstable sources haskellList;
|
||||
niv = (import sources.niv {}).niv;
|
||||
home-manager = pkgs.callPackage <home-manager/home-manager> {};
|
||||
gcRetentionDays = 5;
|
||||
|
|
|
@ -77,7 +77,7 @@ mkIf config.m-0.laptop.enable {
|
|||
evince
|
||||
gnome3.nautilus
|
||||
|
||||
# (import (fetchTarball https://cachix.org/api/v1/install) {}).cachix
|
||||
(import ../nix/sources.nix).cachix
|
||||
|
||||
# look & feel
|
||||
libertine
|
||||
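Review bot: `(import ../nix/sources.nix).cachix` appears to put the fetched cachix source tree into the package list rather than a built cachix package: niv's sources.nix yields the fetched tarball path (with its spec attributes), not the result of evaluating it, whereas the commented-out line it replaces imported an expression and selected `.cachix` from it. If the intent is to have the `cachix` executable in the profile, the fetched source needs to be imported and the package attribute selected, along the lines of `(import (import ../nix/sources.nix).cachix {}).cachix` — the exact attribute depends on what that repository's default.nix exposes, which is not visible here. The surrounding package list starts and ends outside this hunk.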
|
|
|
@ -5,7 +5,7 @@
|
|||
let
|
||||
inherit (config.m-0.private) me wireguard;
|
||||
inherit (config.m-0) hosts prefix;
|
||||
nixos-hardware = (builtins.fetchGit "https://github.com/nixos/nixos-hardware");
|
||||
nixos-hardware = (import ../../nix/sources.nix).nixos-hardware;
|
||||
in {
|
||||
|
||||
imports = [
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
# You need pw-files for every configured user in ./secret/pw-useralias for login to work.
|
||||
# dropbearkey -t rsa -f /etc/nixos/hosts/<hostname>/secret/boot_rsa
|
||||
|
||||
let
|
||||
inherit (config.m-0.private) me;
|
||||
|
@ -12,6 +13,7 @@ imports = [
|
|||
../../system/test-timer.nix
|
||||
../../system/standalone.nix
|
||||
../../system/server.nix
|
||||
../../system/git.nix
|
||||
./borg.nix
|
||||
./mail.nix
|
||||
./boot.nix
|
||||
|
@ -39,11 +41,6 @@ services = {
|
|||
};
|
||||
};
|
||||
|
||||
m-0 = {
|
||||
# dropbearkey -t rsa -f /etc/nixos/hosts/<hostname>/secret/boot_rsa
|
||||
git-server.enable = true;
|
||||
};
|
||||
|
||||
users.users.choreutes = {
|
||||
linger = true;
|
||||
description = "choreutes";
|
||||
|
|
|
@ -26,7 +26,7 @@ containers.mail = {
|
|||
config = { pkgs, lib, ... }: {
|
||||
imports = [
|
||||
../../system
|
||||
"${(builtins.fetchGit "ssh://git@hera/nixos-mailserver")}"
|
||||
"${(import ../../nix/sources.nix).nixos-mailserver}"
|
||||
];
|
||||
services.prometheus.exporters = {
|
||||
node.port = 9101;
|
||||
|
@ -44,8 +44,16 @@ containers.mail = {
|
|||
};
|
||||
systemd.services = {
|
||||
atomail = {
|
||||
script = ''
|
||||
${pkgs.python}/bin/python ${builtins.fetchGit "https://github.com/remko/atomail.git"}/atomail.py --title "Readlater-E-Mails" --uri="http://hera-intern-v4:8842/rss.xml" /var/www/rss.xml --mode=maildir --file "/var/vmail/maralorn.de/malte.brandy/.Move.readlater/" --max-items=100
|
||||
script =
|
||||
let
|
||||
atomail = pkgs.fetchFromGitHub {
|
||||
owner = "remko";
|
||||
repo = "atomail";
|
||||
rev = "f079966cb808f51fcc67be91b609942cdb49898a";
|
||||
sha256 = "0a4j4xajn2yysgcb17jmb6ak148kk0kwf7khml7dbnh7807fv9b6";
|
||||
};
|
||||
in ''
|
||||
${pkgs.python}/bin/python ${atomail}/atomail.py --title "Readlater-E-Mails" --uri="http://hera-intern-v4:8842/rss.xml" /var/www/rss.xml --mode=maildir --file "/var/vmail/maralorn.de/malte.brandy/.Move.readlater/" --max-items=100
|
||||
${pkgs.rsync}/bin/rsync -a /var/vmail/maralorn.de/malte.brandy/.Move.readlater/cur/ /var/vmail/maralorn.de/malte.brandy/.Archiv.unsortiert/cur --remove-source-files
|
||||
'';
|
||||
startAt = "19:58:00";
|
||||
|
|
|
@ -1,4 +1,16 @@
|
|||
{
|
||||
"cachix": {
|
||||
"branch": "master",
|
||||
"description": "Command line client for Nix binary cache hosting:",
|
||||
"homepage": "https://cachix.org",
|
||||
"owner": "cachix",
|
||||
"repo": "cachix",
|
||||
"rev": "53e15349b45679fd47a97bf4d030b024dbada9fd",
|
||||
"sha256": "0ir92v4hk60hvvgqbjp97mlrks3wm7881gd2wc177r1hy24wvxdi",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/cachix/cachix/archive/53e15349b45679fd47a97bf4d030b024dbada9fd.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"home-manager": {
|
||||
"branch": "release-19.03",
|
||||
"description": "Manage a user environment using Nix",
|
||||
|
@ -11,6 +23,18 @@
|
|||
"url": "https://github.com/rycee/home-manager/archive/a85f22164d56052f027e71718c99ec0a1c3d25d1.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"lorri": {
|
||||
"branch": "rolling-release",
|
||||
"description": "Your project's nix-env",
|
||||
"homepage": "",
|
||||
"owner": "target",
|
||||
"repo": "lorri",
|
||||
"rev": "d3e452ebc2b24ab86aec18af44c8217b2e469b2a",
|
||||
"sha256": "07yf3gl9sixh7acxayq4q8h7z4q8a66412z0r49sr69yxb7b4q89",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/target/lorri/archive/d3e452ebc2b24ab86aec18af44c8217b2e469b2a.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"niv": {
|
||||
"branch": "master",
|
||||
"description": "Easy dependency management for Nix projects",
|
||||
|
@ -23,6 +47,30 @@
|
|||
"url": "https://github.com/nmattia/niv/archive/8b7b70465c130d8d7a98fba1396ad1481daee518.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"branch": "master",
|
||||
"description": "A collection of NixOS modules covering hardware quirks.",
|
||||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "03db9669a6fc712e9537201d55639287eb606765",
|
||||
"sha256": "1g8kap5qzva58pcwn2xj1cs0k9w9mpbrlk5diaaarlgizp4l2x0z",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixos-hardware/archive/03db9669a6fc712e9537201d55639287eb606765.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"branch": "master",
|
||||
"description": "Fork of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git",
|
||||
"homepage": "",
|
||||
"owner": "maralorn",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "36f0b7ed587be92bfa9032d45bcc3c9b3520ed6b",
|
||||
"sha256": "1bydmapzvw71qd5lkxkb706jfd8cc5zmnv7dcdxiqd73hyfydpas",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/maralorn/nixos-mailserver/archive/36f0b7ed587be92bfa9032d45bcc3c9b3520ed6b.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-19.03",
|
||||
"description": "Nixpkgs/NixOS branches that track the Nixpkgs/NixOS channels",
|
||||
|
|
|
@ -6,7 +6,6 @@ in {
|
|||
imports = [
|
||||
../common
|
||||
./modules/laptop.nix
|
||||
./modules/git.nix
|
||||
./modules/mathechor.de.nix
|
||||
./modules/blog.nix
|
||||
./modules/riot.nix
|
||||
|
|
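--- a/system/git.nix
+++ b/system/git.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+let
+  inherit (import ../common/lib.nix) writeHaskellScript haskellList;
+  me = config.m-0.private.me;
+  test-command = ["${pkgs.systemd}/bin/systemctl" "start" "test-and-bump-config.service"];
+  upgrade-command = ["${pkgs.systemd}/bin/systemctl" "start" "system-maintenance.service"];
+  post-update = writeHaskellScript {
+    name = "post-update";
+    bins = [ pkgs.git pkgs.nix ];
+    imports = [ "System.Environment (lookupEnv)" "Data.Foldable (for_)"];
+  } ''
+    main = do
+      mirror <- lookupEnv "GL_OPTION_MIRROR"
+      for_ mirror $ \mirror -> do
+        writeOutput ([i|Forwarding push to #{mirror}|] :: String)
+        git "push" "--all" mirror
+      deploy <- lookupEnv "GL_OPTION_WEB_DEPLOY"
+      for_ deploy $ \deploy -> do
+        writeOutput ([i|Deploying build to /var/www/#{deploy}|] :: String)
+        nix "build" "-o" ([i|/var/www/#{deploy}|] :: String)
+        writeOutput "Done"
+      test <- lookupEnv "GL_OPTION_TEST"
+      for_ test $ \_ -> do
+        writeOutput "Triggering a system update … You can wait or disconnect";
+        exe "sudo" ${haskellList test-command};
+        exe "sudo" ${haskellList upgrade-command};
+        writeOutput "Done";
+  '';
+in
+{
+  users.users.git.linger = true; # Frequent restarting of the systemd-user-unit leads to errors
+  security.sudo.extraRules = [ { commands = [
+    { command = builtins.concatStringsSep " " test-command; options = [ "NOPASSWD" ]; }
+    { command = builtins.concatStringsSep " " upgrade-command; options = [ "NOPASSWD" ]; }
+  ]; users = [ "git" ]; } ];
+  services.gitolite = {
+    enable = true;
+    user = "git";
+    adminPubkey = builtins.elemAt me.keys 0;
+    commonHooks = [ "${post-update}/bin/post-update" ];
+  };
+}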
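Review bot: In the new post-update hook, `deploy` from `GL_OPTION_WEB_DEPLOY` is spliced unchecked into `/var/www/#{deploy}` and handed to `nix "build" "-o"`, so a value containing `/` or `..`, or an empty string, makes the output symlink land outside the intended directory. The option values come from the gitolite-admin configuration, so the trust boundary is the gitolite admin, but a guard is cheap as the first line of that `for_` body: `when (elem '/' deploy || elem deploy ["", ".", ".."]) $ fail "refusing GL_OPTION_WEB_DEPLOY outside /var/www"` (`when` is used the same way in the test-lib.nix script, so it appears to be in scope for these generated scripts). Separately, this module drops the `m-0.git-server.enable` option that the deleted module version in this commit had, so gitolite and the two NOPASSWD sudo rules for `git` are now active on every host that imports system/git.nix; if that is intended, the now-unused `lib` parameter in `{ config, pkgs, lib, ... }:` can go as well.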
|
@ -1,39 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
me = config.m-0.private.me;
|
||||
|
||||
in
|
||||
{
|
||||
options = {
|
||||
m-0.git-server.enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
};
|
||||
config = let
|
||||
upgrade-command = "${pkgs.systemd}/bin/systemctl start nixos-upgrade.service";
|
||||
in
|
||||
mkIf config.m-0.git-server.enable {
|
||||
users.users.git.linger = true; # Frequent restarting of the systemd-user-unit leads to errors
|
||||
security.sudo.extraRules = [ { commands = [ { command = upgrade-command; options = [ "NOPASSWD" ]; } ]; users = [ "git" ]; } ];
|
||||
services.gitolite = {
|
||||
enable = true;
|
||||
user = "git";
|
||||
adminPubkey = builtins.elemAt me.keys 0;
|
||||
commonHooks = [ "${pkgs.writeShellScriptBin "post-update" ''
|
||||
if [ -n "$GL_OPTION_MIRROR" ]; then
|
||||
echo "Forwarding push to $GL_OPTION_MIRROR";
|
||||
git push --all $GL_OPTION_MIRROR;
|
||||
fi
|
||||
if [ -n "$GL_OPTION_REBUILD" ]; then
|
||||
echo "Triggering a system update … You can wait or disconnect";
|
||||
sudo ${upgrade-command};
|
||||
echo "Done";
|
||||
fi
|
||||
''}/bin/post-update" ];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -8,6 +8,8 @@ config = {
|
|||
startAt = "2:45";
|
||||
environment.NIX_PATH = "/etc/nix-path:nixos-config=/etc/nixos/configuration.nix";
|
||||
path = [ pkgs.git ];
|
||||
restartIfChanged = false;
|
||||
unitConfig.X-StopOnRemoval = false;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${(import ./update-lib.nix config.system.build.nixos-rebuild).system-maintenance}/bin/system-maintenance";
|
||||
|
|
|
@ -25,7 +25,7 @@ with lib;
|
|||
environment = {
|
||||
# Put these into an extra file so the essential packages can also be included on non selfadminstrated systems from home-manager
|
||||
systemPackages = let essentials = import ../common/essentials.nix;
|
||||
in (essentials.core pkgs) ++ (essentials.extra pkgs) ++ (builtins.attrValues {
|
||||
in essentials.core ++ essentials.extra ++ (builtins.attrValues {
|
||||
inherit (import ./test-lib.nix) test-system-config test-home-config test-and-bump-config;
|
||||
inherit (import ../common/lib.nix) home-manager;
|
||||
inherit (import ./update-lib.nix config.system.build.nixos-rebuild) update-system system-maintenance;
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
let
|
||||
pkgs = import <nixpkgs> {};
|
||||
inherit (import ../common/lib.nix) writeHaskellScript get-niv-path home-manager unstable niv;
|
||||
inherit (import ../common/lib.nix) writeHaskellScript get-niv-path home-manager unstable niv haskellList;
|
||||
haskellBody = commandline:
|
||||
''
|
||||
getNivPath dir = readTrim . get_niv_path ([i|#{dir :: String}/nix/sources.nix|] :: String)
|
||||
|
@ -33,6 +33,9 @@ let
|
|||
|
||||
repoSrc = "git@hera.m-0.eu:nixos-config";
|
||||
configPath = "/etc/nixos";
|
||||
systems = ["apollo" "hera"];
|
||||
homes = ["apollo" "hera" "hephaistos"];
|
||||
keys = ["default" "apollo" "hera"];
|
||||
test-and-bump-config = writeHaskellScript {
|
||||
name = "test-and-bump-config";
|
||||
bins = [ test-system-config test-home-config pkgs.git pkgs.coreutils niv pkgs.git-crypt ];
|
||||
|
@ -48,10 +51,10 @@ let
|
|||
path <- readTrim pwd
|
||||
bracket checkout (rm "-rf") $ \dir -> do
|
||||
withCurrentDirectory dir $ do
|
||||
mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ["default", "apollo", "hera"]
|
||||
mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${haskellList keys}
|
||||
ignoreFailure $ niv "update"
|
||||
mapM_ (test_system_config dir) ["apollo", "hera"]
|
||||
mapM_ (test_home_config dir) ["apollo", "hera", "hephaistos"]
|
||||
mapM_ (test_system_config dir) ${haskellList systems}
|
||||
mapM_ (test_home_config dir) ${haskellList homes}
|
||||
changed <- ((mempty /=) <$>) . readTrim $ git "-C" dir "status" "--porcelain"
|
||||
when changed $ do
|
||||
git "-C" dir "config" "user.email" "maralorn@maralorn.de"
|
||||
|
|