diff --git a/common/default.nix b/common/default.nix index f13d0279..d3a1c2a0 100644 --- a/common/default.nix +++ b/common/default.nix @@ -7,9 +7,6 @@ with lib; imports = [ ./secret ]; config = { - nixpkgs.overlays = [ (self: super: { - unstable = import (builtins.fetchGit { url = "https://github.com/NixOS/nixpkgs-channels"; ref = "nixos-unstable";}) {}; - })]; m-0.monitoring = [ { host = "apollo:9100"; name = "apollo"; diff --git a/common/essentials.nix b/common/essentials.nix index 99bb037a..6dcc2e69 100644 --- a/common/essentials.nix +++ b/common/essentials.nix @@ -1,8 +1,18 @@ let inherit (import ../common/lib.nix) niv; + pkgs = import {}; + unstable = import {}; + lorriSrc = (import ../nix/sources.nix).lorri; + lorri = import lorriSrc { src = lorriSrc; pkgs = unstable; }; + neovim = pkgs.neovim.override { + vimAlias = true; + withPython3 = true; + }; in { - core = pkgs: with pkgs; [ + core = builtins.attrValues { + inherit neovim; + inherit (pkgs) gitFull gnumake python3 @@ -11,10 +21,6 @@ in wget curl wireguard - (pkgs.neovim.override { - vimAlias = true; - withPython3 = true; - }) gnupg mutt bind @@ -23,26 +29,24 @@ in unzip rename whois - lsof - ]; + lsof; + }; + + extra = builtins.attrValues { + inherit lorri niv; + inherit (pkgs.gitAndTools) git-annex; + inherit (pkgs.rxvt_unicode) terminfo; + inherit (pkgs.pythonPackages) qrcode; + inherit (pkgs) - extra = pkgs: with pkgs; let - lorriSrc = builtins.fetchGit { url = "https://github.com/target/lorri.git"; ref = "rolling-release"; }; - lorri = import "${lorriSrc}/default.nix" { src = lorriSrc; inherit pkgs; }; - in - [ - niv git-crypt - gitAndTools.git-annex htop tree - rxvt_unicode.terminfo pwgen borgbackup inotifyTools direnv - #lorri socat nmap @@ -58,10 +62,9 @@ in ripgrep - pythonPackages.qrcode ranger pass - sshuttle - ]; + sshuttle; + }; } diff --git a/common/lib.nix b/common/lib.nix index 7bd666a2..3848aeb9 100644 --- a/common/lib.nix +++ b/common/lib.nix 
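Review bot: `core` and `extra` in essentials.nix are now plain lists built from a file-level `pkgs = import {}` instead of functions of the caller's `pkgs`, so the host's `nixpkgs` overlays and `config` no longer apply to these packages and the result depends on what the search path resolves to at evaluation time (the `<…>` argument to `import` appears to have been lost in this rendering, so I am reading the intent from context). Any caller outside this diff still invoking `essentials.core pkgs` — the comment in standalone.nix says these lists are also meant for home-manager — would now fail with a "attempt to call something which is not a function" error. If sharing the package set is the goal, keeping the function form, e.g. `core = pkgs: builtins.attrValues { … }`, and threading the caller's `pkgs` through preserves both properties. On the plus side, dropping the unpinned `builtins.fetchGit` of nixpkgs-unstable from common/default.nix removes a moving, unverified input from every evaluation.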
@@ -6,6 +6,7 @@ let broken = false; doCheck = false; }); + haskellList = list: ''["${builtins.concatStringsSep ''", "'' list}"]''; writeHaskellScript = { name ? "haskell-script", bins ? [pkgs.coreutils], libraries ? [], imports ? []}: code: unstable.writers.writeHaskellBin name { libraries = libraries ++ [shh unstable.haskellPackages.string-interpolate ]; } '' {-# LANGUAGE DeriveDataTypeable #-} @@ -26,7 +27,7 @@ let -- Load binaries from Nix packages. The dependencies will be captured -- in the closure. - loadFromBins ["${builtins.concatStringsSep ''", "'' (builtins.map toString bins)}"] + loadFromBins ${haskellList (builtins.map toString bins)} ${code} ''; @@ -46,7 +47,7 @@ let nix_instantiate ["--eval", "-E", [i|toString #{expr}|]] |> trimQuotation ''; in { - inherit writeHaskellScript get-niv-path unstable sources; + inherit writeHaskellScript get-niv-path unstable sources haskellList; niv = (import sources.niv {}).niv; home-manager = pkgs.callPackage {}; gcRetentionDays = 5; diff --git a/home-manager/modules/laptop.nix b/home-manager/modules/laptop.nix index d0c843fd..3b73eb07 100644 --- a/home-manager/modules/laptop.nix +++ b/home-manager/modules/laptop.nix @@ -77,7 +77,7 @@ mkIf config.m-0.laptop.enable { evince gnome3.nautilus -# (import (fetchTarball https://cachix.org/api/v1/install) {}).cachix + (import ../nix/sources.nix).cachix # look & feel libertine diff --git a/hosts/apollo/configuration.nix b/hosts/apollo/configuration.nix index bdaa5986..e64c6ad8 100644 --- a/hosts/apollo/configuration.nix +++ b/hosts/apollo/configuration.nix @@ -5,7 +5,7 @@ let inherit (config.m-0.private) me wireguard; inherit (config.m-0) hosts prefix; - nixos-hardware = (builtins.fetchGit "https://github.com/nixos/nixos-hardware"); + nixos-hardware = (import ../../nix/sources.nix).nixos-hardware; in { imports = [ diff --git a/hosts/hera/configuration.nix b/hosts/hera/configuration.nix index c45ed8c5..48a65d0d 100644 --- a/hosts/hera/configuration.nix 
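Review bot: `haskellList` splices each element verbatim between double quotes, so any element containing `"` or `\` would corrupt, or silently change the meaning of, the generated Haskell source. Every caller in this diff passes store paths or fixed literals, so this is latent rather than exploitable today, but the helper is now reused in several places. Since JSON string escapes are also valid Haskell string escapes for the ASCII inputs used here, `haskellList = list: builtins.toJSON list;` would give an escaped `[String]` literal for free. The enclosing `let` starts and ends outside the hunk.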
+++ b/hosts/hera/configuration.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: # You need pw-files for every configured user in ./secret/pw-useralias for login to work. +# dropbearkey -t rsa -f /etc/nixos/hosts//secret/boot_rsa let inherit (config.m-0.private) me; @@ -12,6 +13,7 @@ imports = [ ../../system/test-timer.nix ../../system/standalone.nix ../../system/server.nix + ../../system/git.nix ./borg.nix ./mail.nix ./boot.nix @@ -39,11 +41,6 @@ services = { }; }; -m-0 = { - # dropbearkey -t rsa -f /etc/nixos/hosts//secret/boot_rsa - git-server.enable = true; -}; - users.users.choreutes = { linger = true; description = "choreutes"; diff --git a/hosts/hera/mail.nix b/hosts/hera/mail.nix index bcce7334..c60dc485 100644 --- a/hosts/hera/mail.nix +++ b/hosts/hera/mail.nix @@ -26,7 +26,7 @@ containers.mail = { config = { pkgs, lib, ... }: { imports = [ ../../system - "${(builtins.fetchGit "ssh://git@hera/nixos-mailserver")}" + "${(import ../../nix/sources.nix).nixos-mailserver}" ]; services.prometheus.exporters = { node.port = 9101; 
@@ -44,8 +44,16 @@ containers.mail = { }; systemd.services = { atomail = { - script = '' - ${pkgs.python}/bin/python ${builtins.fetchGit "https://github.com/remko/atomail.git"}/atomail.py --title "Readlater-E-Mails" --uri="http://hera-intern-v4:8842/rss.xml" /var/www/rss.xml --mode=maildir --file "/var/vmail/maralorn.de/malte.brandy/.Move.readlater/" --max-items=100 + script = + let + atomail = pkgs.fetchFromGitHub { + owner = "remko"; + repo = "atomail"; + rev = "f079966cb808f51fcc67be91b609942cdb49898a"; + sha256 = "0a4j4xajn2yysgcb17jmb6ak148kk0kwf7khml7dbnh7807fv9b6"; + }; + in '' + ${pkgs.python}/bin/python ${atomail}/atomail.py --title "Readlater-E-Mails" --uri="http://hera-intern-v4:8842/rss.xml" /var/www/rss.xml --mode=maildir --file "/var/vmail/maralorn.de/malte.brandy/.Move.readlater/" --max-items=100 ${pkgs.rsync}/bin/rsync -a /var/vmail/maralorn.de/malte.brandy/.Move.readlater/cur/ /var/vmail/maralorn.de/malte.brandy/.Archiv.unsortiert/cur --remove-source-files ''; startAt = "19:58:00"; diff --git a/nix/sources.json b/nix/sources.json index 8b31bcdc..2351a27f 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -1,4 +1,16 @@ { + "cachix": { + "branch": "master", + "description": "Command line client for Nix binary cache hosting:", + "homepage": "https://cachix.org", + "owner": "cachix", + "repo": "cachix", + "rev": "53e15349b45679fd47a97bf4d030b024dbada9fd", + "sha256": "0ir92v4hk60hvvgqbjp97mlrks3wm7881gd2wc177r1hy24wvxdi", + "type": "tarball", + "url": "https://github.com/cachix/cachix/archive/53e15349b45679fd47a97bf4d030b024dbada9fd.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "home-manager": { "branch": "release-19.03", "description": "Manage a user environment using Nix", 
@@ -11,6 +23,18 @@ "url": "https://github.com/rycee/home-manager/archive/a85f22164d56052f027e71718c99ec0a1c3d25d1.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "lorri": { + "branch": "rolling-release", + "description": "Your project's nix-env", + "homepage": "", + "owner": "target", + "repo": "lorri", + "rev": "d3e452ebc2b24ab86aec18af44c8217b2e469b2a", + "sha256": "07yf3gl9sixh7acxayq4q8h7z4q8a66412z0r49sr69yxb7b4q89", + "type": "tarball", + "url": "https://github.com/target/lorri/archive/d3e452ebc2b24ab86aec18af44c8217b2e469b2a.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "niv": { "branch": "master", "description": "Easy dependency management for Nix projects", 
@@ -23,6 +47,30 @@ "url": "https://github.com/nmattia/niv/archive/8b7b70465c130d8d7a98fba1396ad1481daee518.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, + "nixos-hardware": { + "branch": "master", + "description": "A collection of NixOS modules covering hardware quirks.", + "homepage": "", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "03db9669a6fc712e9537201d55639287eb606765", + "sha256": "1g8kap5qzva58pcwn2xj1cs0k9w9mpbrlk5diaaarlgizp4l2x0z", + "type": "tarball", + "url": "https://github.com/nixos/nixos-hardware/archive/03db9669a6fc712e9537201d55639287eb606765.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-mailserver": { + "branch": "master", + "description": "Fork of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git", + "homepage": "", + "owner": "maralorn", + "repo": "nixos-mailserver", + "rev": "36f0b7ed587be92bfa9032d45bcc3c9b3520ed6b", + "sha256": "1bydmapzvw71qd5lkxkb706jfd8cc5zmnv7dcdxiqd73hyfydpas", + "type": "tarball", + "url": "https://github.com/maralorn/nixos-mailserver/archive/36f0b7ed587be92bfa9032d45bcc3c9b3520ed6b.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "nixpkgs": { "branch": "nixos-19.03", "description": "Nixpkgs/NixOS branches that track the Nixpkgs/NixOS channels", diff --git a/system/default.nix b/system/default.nix index 49b20934..92a281ca 100644 --- a/system/default.nix +++ b/system/default.nix @@ -6,7 +6,6 @@ in { imports = [ ../common ./modules/laptop.nix - ./modules/git.nix ./modules/mathechor.de.nix ./modules/blog.nix ./modules/riot.nix diff --git a/system/git.nix b/system/git.nix new file mode 100644 index 00000000..82f6da03 --- /dev/null +++ b/system/git.nix 
@@ -0,0 +1,42 @@ +{ config, pkgs, lib, ... }: +let + inherit (import ../common/lib.nix) writeHaskellScript haskellList; + me = config.m-0.private.me; + test-command = ["${pkgs.systemd}/bin/systemctl" "start" "test-and-bump-config.service"]; + upgrade-command = ["${pkgs.systemd}/bin/systemctl" "start" "system-maintenance.service"]; + post-update = writeHaskellScript { + name = "post-update"; + bins = [ pkgs.git pkgs.nix ]; + imports = [ "System.Environment (lookupEnv)" "Data.Foldable (for_)"]; + } '' + main = do + mirror <- lookupEnv "GL_OPTION_MIRROR" + for_ mirror $ \mirror -> do + writeOutput ([i|Forwarding push to #{mirror}|] :: String) + git "push" "--all" mirror + deploy <- lookupEnv "GL_OPTION_WEB_DEPLOY" + for_ deploy $ \deploy -> do + writeOutput ([i|Deploying build to /var/www/#{deploy}|] :: String) + nix "build" "-o" ([i|/var/www/#{deploy}|] :: String) + writeOutput "Done" + test <- lookupEnv "GL_OPTION_TEST" + for_ test $ \_ -> do + writeOutput "Triggering a system update … You can wait or disconnect"; + exe "sudo" ${haskellList test-command}; + exe "sudo" ${haskellList upgrade-command}; + writeOutput "Done"; + ''; +in +{ + users.users.git.linger = true; # Frequent restarting of the systemd-user-unit leads to errors + security.sudo.extraRules = [ { commands = [ + { command = builtins.concatStringsSep " " test-command; options = [ "NOPASSWD" ]; } + { command = builtins.concatStringsSep " " upgrade-command; options = [ "NOPASSWD" ]; } + ]; users = [ "git" ]; } ]; + services.gitolite = { + enable = true; + user = "git"; + adminPubkey = builtins.elemAt me.keys 0; + commonHooks = [ "${post-update}/bin/post-update" ]; + }; +} diff --git a/system/modules/git.nix b/system/modules/git.nix deleted file mode 100644 index 683ff99d..00000000 --- a/system/modules/git.nix +++ /dev/null 
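Review bot: The `GL_OPTION_WEB_DEPLOY` value is spliced into the output path `/var/www/#{deploy}` unchecked, so a value containing `/` or `..` would make `nix build -o` place its result symlink anywhere the `git` user can write. As far as I can tell these `GL_OPTION_*` values come from the gitolite admin configuration rather than from pushers, which limits the exposure, but a guard is cheap: add `"Data.Char (isAlphaNum)"` and `"Control.Monad (unless)"` to `imports`, and before the `nix` call insert `unless (all (\c -> isAlphaNum c || elem c "-_.") deploy && notElem deploy [".", ".."]) $ error "refusing GL_OPTION_WEB_DEPLOY"`. Note also that `nix build` here evaluates and builds whatever the push contained, as the `git` user on the server, so repositories carrying this option are effectively trusted code. The sudo rules are pinned to the exact store path and arguments the hook runs, which is good; a short comment above `security.sudo.extraRules` saying that `test-command`/`upgrade-command` must stay byte-identical to what `post-update` executes would keep that invariant visible.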
@@ -1,39 +0,0 @@ -{ config, pkgs, lib, ... }: -with lib; - -let - - me = config.m-0.private.me; - -in -{ - options = { - m-0.git-server.enable = mkOption { - type = types.bool; - default = false; - }; - }; - config = let - upgrade-command = "${pkgs.systemd}/bin/systemctl start nixos-upgrade.service"; - in - mkIf config.m-0.git-server.enable { - users.users.git.linger = true; # Frequent restarting of the systemd-user-unit leads to errors - security.sudo.extraRules = [ { commands = [ { command = upgrade-command; options = [ "NOPASSWD" ]; } ]; users = [ "git" ]; } ]; - services.gitolite = { - enable = true; - user = "git"; - adminPubkey = builtins.elemAt me.keys 0; - commonHooks = [ "${pkgs.writeShellScriptBin "post-update" '' - if [ -n "$GL_OPTION_MIRROR" ]; then - echo "Forwarding push to $GL_OPTION_MIRROR"; - git push --all $GL_OPTION_MIRROR; - fi - if [ -n "$GL_OPTION_REBUILD" ]; then - echo "Triggering a system update … You can wait or disconnect"; - sudo ${upgrade-command}; - echo "Done"; - fi - ''}/bin/post-update" ]; - }; - }; -} diff --git a/system/server.nix b/system/server.nix index 804edad2..b306f00f 100644 --- a/system/server.nix +++ b/system/server.nix @@ -8,6 +8,8 @@ config = { startAt = "2:45"; environment.NIX_PATH = "/etc/nix-path:nixos-config=/etc/nixos/configuration.nix"; path = [ pkgs.git ]; + restartIfChanged = false; + unitConfig.X-StopOnRemoval = false; serviceConfig = { Type = "oneshot"; ExecStart = "${(import ./update-lib.nix config.system.build.nixos-rebuild).system-maintenance}/bin/system-maintenance"; diff --git a/system/standalone.nix b/system/standalone.nix index 5cca6219..a6c34834 100644 --- a/system/standalone.nix +++ b/system/standalone.nix 
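Review bot: The two added `restartIfChanged` / `X-StopOnRemoval` lines in server.nix carry no explanation, and their purpose is not obvious from the hunk alone: this unit's `ExecStart` runs `system-maintenance`, which is built from `config.system.build.nixos-rebuild`, so the activation it triggers would otherwise stop or restart the unit mid-upgrade. I'd add above them: `# This unit performs the rebuild itself; keep the running job alive across the activation it triggers.` The enclosing service definition starts before the hunk.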
@@ -25,7 +25,7 @@ with lib; environment = { # Put these into an extra file so the essential packages can also be included on non selfadminstrated systems from home-manager systemPackages = let essentials = import ../common/essentials.nix; - in (essentials.core pkgs) ++ (essentials.extra pkgs) ++ (builtins.attrValues { + in essentials.core ++ essentials.extra ++ (builtins.attrValues { inherit (import ./test-lib.nix) test-system-config test-home-config test-and-bump-config; inherit (import ../common/lib.nix) home-manager; inherit (import ./update-lib.nix config.system.build.nixos-rebuild) update-system system-maintenance; diff --git a/system/test-lib.nix b/system/test-lib.nix index b6dd8523..2e3144b1 100644 --- a/system/test-lib.nix +++ b/system/test-lib.nix @@ -1,6 +1,6 @@ let pkgs = import {}; - inherit (import ../common/lib.nix) writeHaskellScript get-niv-path home-manager unstable niv; + inherit (import ../common/lib.nix) writeHaskellScript get-niv-path home-manager unstable niv haskellList; haskellBody = commandline: '' getNivPath dir = readTrim . get_niv_path ([i|#{dir :: String}/nix/sources.nix|] :: String) @@ -33,6 +33,9 @@ let repoSrc = "git@hera.m-0.eu:nixos-config"; configPath = "/etc/nixos"; + systems = ["apollo" "hera"]; + homes = ["apollo" "hera" "hephaistos"]; + keys = ["default" "apollo" "hera"]; test-and-bump-config = writeHaskellScript { name = "test-and-bump-config"; bins = [ test-system-config test-home-config pkgs.git pkgs.coreutils niv pkgs.git-crypt ]; 
@@ -48,10 +51,10 @@ let path <- readTrim pwd bracket checkout (rm "-rf") $ \dir -> do withCurrentDirectory dir $ do - mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ["default", "apollo", "hera"] + mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${haskellList keys} ignoreFailure $ niv "update" - mapM_ (test_system_config dir) ["apollo", "hera"] - mapM_ (test_home_config dir) ["apollo", "hera", "hephaistos"] + mapM_ (test_system_config dir) ${haskellList systems} + mapM_ (test_home_config dir) ${haskellList homes} changed <- ((mempty /=) <$>) . readTrim $ git "-C" dir "status" "--porcelain" when changed $ do git "-C" dir "config" "user.email" "maralorn@maralorn.de"