nix: add staging deployment
authorJulien Moutinho <julm@autogeree.net>
Thu, 23 Jan 2020 11:11:55 +0000 (11:11 +0000)
committerJulien Moutinho <julm@autogeree.net>
Thu, 23 Jan 2020 18:15:50 +0000 (18:15 +0000)
18 files changed:
.envrc
Makefile
config/gitolite
servers/mermet.nix
servers/mermet/nsd.nix
servers/mermet/nsd/sourcephile.nix
servers/mermet/production.nix [new file with mode: 0644]
servers/mermet/production/apu2e4.nix [moved from servers/mermet/apu2e4.nix with 100% similarity]
servers/mermet/production/lesptts.nix [moved from servers/mermet/lesptts.nix with 91% similarity]
servers/mermet/production/shorewall.nix [moved from servers/mermet/shorewall.nix with 99% similarity]
servers/mermet/production/zfs.nix [moved from servers/mermet/zfs.nix with 100% similarity]
servers/mermet/staging.nix [new file with mode: 0644]
servers/mermet/staging/shorewall.nix [new file with mode: 0644]
servers/mermet/virtualbox.nix [deleted file]
servers/production.nix [new file with mode: 0644]
servers/staging.nix [new file with mode: 0644]
shell.nix
shell/modules/virtualisation/virtualbox.nix [new file with mode: 0644]

diff --git a/.envrc b/.envrc
index e5b1e4192c4cda7f868d18e1eb0a0f2a44cb251f..3d730fe05bdae7d8349c6e963e919fdb7b0fdf5c 100644 (file)
--- a/.envrc
+++ b/.envrc
@@ -2,7 +2,7 @@
 nix_version=2.3
 nix_openpgp=B541D55301270E0BCF15CA5D8170B4726D7198DE
 nixpkgs_channel=nixos-19.09-small
-nixshell_sources=(shell.nix $(test ! -d shell || find shell -type f | sort))
+nixshell_sources=(shell.nix $(test ! -d shell || find shell -type f -not -name "*~" | sort))
 
 # nix
 if ! has nix || test "$(nix --version)" != "nix (Nix) $nix_version"
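Review bot: The new `-not -name "*~"` filter on the `nixshell_sources` line is a GNU find extension; the POSIX spelling `! -name "*~"` behaves the same and keeps the script working with any find, i.e. `find shell -type f ! -name "*~" | sort`. This list is what the cached nix-shell hash is computed from (the `$hash` directory below), so a short comment on why backups are excluded, `# editor backup files must not change the nix-shell hash`, would explain the filter to the next reader. The unquoted `$(...)` still word-splits on paths containing whitespace, which the pre-existing line already assumed does not happen under shell/.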
@@ -61,13 +61,13 @@ else log_status "building .cache/nix-shell/$hash/"
    ${OFFLINE:+--option substituters ""} \
    --realise $(nix-store --query --references .cache/nix-shell/"$hash"/shell.drv)
   # Dump the environment from within the nix-shell
-  local tmp_cache
-  tmp_cache="$(mktemp .cache/nix-shell/dump-XXXXXXXX)"
+  local dump
+  dump="$(mktemp .cache/nix-shell/dump-XXXXXXXX)"
   if nix-shell ${TRACE:+--show-trace} --pure \
-   --run "$(command -v direnv) dump" >"$tmp_cache" \
+   --run "$(command -v direnv) dump" >"$dump" \
    ${OFFLINE:+--option substituters ""}
-  then mv -f "$tmp_cache" .cache/nix-shell/"$hash"/dump
-  else rm -f "$tmp_cache"; false
+  then mv -f "$dump" .cache/nix-shell/"$hash"/dump
+  else rm -f "$dump"; false
   fi
   trap "" EXIT
 fi
index b1fd7b6e2c7cd69e7ba85e1761ef737921acad17..809cfe211365d982f715d1eab83acf065daa6689 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,5 @@
 all: init
 
-include .lib/nix/Makefile.make
 include .lib/nixops/Makefile.make
 
 #
index 003cd2b6ae1642056c2127d0fd80761444039817..679912ca101c07a1c064aee611f935fd96c95688 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 003cd2b6ae1642056c2127d0fd80761444039817
+Subproject commit 679912ca101c07a1c064aee611f935fd96c95688
index 20e8fdf194b6f616f65bceb587f8e6338c38ef5c..cc5ef0d68119f117405944b3740731cba9be5105 100644 (file)
@@ -2,10 +2,7 @@
 # Usable by nixos-install and used by nixops.
 # It is NOT copied nor usable on the target machine,
 # only the resulting closure is copied to the target machine.
-{ pkgs, lib, config, options
-# NixOps extra module inputs
-, nodes, name, uuid, resources
-, ... }:
+{ pkgs, lib, config, options, ... }:
 let
   inherit (builtins) readFile;
   inherit (builtins.extraBuiltins) pass pass-chomp;
@@ -25,10 +22,6 @@ in
 
   imports =
     [ ../nixos/defaults.nix
-      mermet/apu2e4.nix
-      mermet/zfs.nix
-      mermet/lesptts.nix
-      mermet/shorewall.nix
       mermet/unbound.nix
       mermet/nsd.nix
       mermet/openldap.nix
index 10c0861bc19a04be7f97eea628885fde1a890838..a0d702136cc0a89db6c058f5f32bd09b8b08ca8f 100644 (file)
@@ -13,11 +13,12 @@ in
     ipv6 = true;
     verbosity = 5;
     #zones = {};
+    /*
     interfaces = lib.unique [
-      (builtins.elemAt networking.interfaces.enp1s0.ipv4.addresses 0).address
-      (builtins.elemAt networking.interfaces.enp2s0.ipv4.addresses 0).address
-      #("["+(builtins.elemAt networking.interfaces.enp1s0.ipv6.addresses 0).address+"]")
+      #(builtins.elemAt networking.interfaces."${networking.defaultGateway.interface}".ipv4.addresses 0).address
+      #networking.privateIPv4
     ];
+    */
     # SEE: http://www.nlnetlabs.nl/blog/2012/10/11/nsd-ratelimit/
     ratelimit.enable = true;
      # 100 less than the default to preserve a few Mio of RAM
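Review bot: The `interfaces` list is commented out with `/* */` but left in place together with two stale alternatives, while the actual binding now happens per deployment (`services.nsd.interfaces = [ netIPv4 ]` in production/lesptts.nix and `[ networking.privateIPv4 ]` in staging.nix). A one-line pointer reads better than dead code: `# interfaces: set per deployment, see production/lesptts.nix and staging.nix`. Note that the removed production list also bound the enp2s0 (LAN) address, whereas the new production value binds only the public address, so a LAN client that queried nsd directly on 192.168.1.214 will no longer be answered; if LAN resolution goes through unbound that is fine, but it is worth confirming. Until a deployment file is imported, `interfaces` falls back to the NixOS module default.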
index bc13cf3ef6d653a374801807cc64aa4ce73a5b9f..c69dadc75141e4ac03dceeebb53fb43529804d6f 100644 (file)
@@ -21,8 +21,8 @@ let inherit (builtins.extraBuiltins) pass git;
     */
     # FIXME: make dedicated config options
     #ipv4 = (elemAt networking.interfaces.enp1s0.ipv4.addresses 0).address;
-    ipv4 = "80.67.180.251";
-    ipv6 = (elemAt networking.interfaces.enp1s0.ipv6.addresses 0).address;
+    ipv4 = "80.67.180.129";
+    #ipv6 = (elemAt networking.interfaces.enp1s0.ipv6.addresses 0).address;
     sourcephileZone = domain: ''
       ; A (DNS -> IPv4)
       @ A ${ipv4}
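Review bot: `ipv4 = "80.67.180.129"` repeats the `netIPv4` literal set in production/lesptts.nix, so the A record and the interface address can now drift apart silently; the FIXME above already asks for a dedicated option, and that is the real fix, since the commented `elemAt networking.interfaces.enp1s0 …` form cannot be used while this file is also evaluated for the staging VM, where enp1s0 presumably does not exist. Commenting out `ipv6` removes the binding entirely: if the zone text after this hunk still interpolates `${ipv6}` for AAAA records, evaluation fails with an undefined variable, so either those lines must go too or `ipv6` should stay defined (an empty-record guard such as `lib.optionalString (ipv6 != null)` would let both deployments share the template). The rest of `sourcephileZone` continues outside the hunk.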
diff --git a/servers/mermet/production.nix b/servers/mermet/production.nix
new file mode 100644 (file)
index 0000000..b1f0d29
--- /dev/null
@@ -0,0 +1,17 @@
+{ pkgs, lib, config, options
+# NixOps extra module inputs
+, nodes, name, uuid, resources
+, ... }:
+let inherit (config) networking; in
+{
+imports =
+  [ production/apu2e4.nix
+    production/lesptts.nix
+    production/zfs.nix
+    production/shorewall.nix
+  ];
+deployment = {
+  targetEnv = "none";
+  targetHost = (builtins.elemAt networking.interfaces.enp1s0.ipv4.addresses 0).address;
+};
+}
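Review bot: The attributes of the returned set (`imports =`, `deployment =`) sit at column 0 inside the braces, unlike the two-space indentation used everywhere else in this tree (compare production/lesptts.nix); the same applies to servers/mermet/staging.nix and shell/modules/virtualisation/virtualbox.nix. `nodes`, `name`, `uuid` and `resources` are declared in the argument set but never used here, and since the set already ends in `...` they can simply be dropped. `targetHost` now resolves to the public enp1s0 address, whereas the `deployment` block removed from lesptts.nix used the enp2s0 LAN address; presumably the machine is now racked and only reachable publicly, so a comment recording that, `# deploy over the public interface; the LAN address is no longer reachable from the deploying host`, would make the change intentional rather than accidental.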
similarity index 91%
rename from servers/mermet/lesptts.nix
rename to servers/mermet/production/lesptts.nix
index d9aa394c8674fdc9917728e2ff27273ea7558d80..969d777656b4267a38601a578eddb5a353bc2cf0 100644 (file)
@@ -3,10 +3,10 @@ with builtins;
 let
   inherit (builtins.extraBuiltins) pass pass-to-file;
   inherit (config) networking users;
-  netIPv4        = "91.216.110.35";
-  netIPv4Gateway = "91.216.110.1";
-  netIPv6        = "2001:912:400:104::35";
-  netIPv6Gateway = "2001:912:400:104::1";
+  netIPv4        = "80.67.180.129";
+  netIPv4Gateway = "80.67.180.134";
+  #netIPv6        = "2001:912:400:104::35";
+  #netIPv6Gateway = "2001:912:400:104::1";
   lanIPv4        = "192.168.1.214";
   lanNet         = "192.168.1.0/24";
   lanIPv4Gateway = "192.168.1.1";
@@ -82,14 +82,14 @@ in
       # NOTE: ${lanIPv4}/24 would not work with initrd's ip, hence ${lanNet}
 
     # IPv6 net
-    ip -6 address add ${netIPv6} dev enp1s0
-    ip -6 route add ${netIPv6Gateway} dev enp1s0
-    ip -6 route add default via ${netIPv6Gateway} dev enp1s0
+    #ip -6 address add ''${netIPv6} dev enp1s0
+    #ip -6 route add ''${netIPv6Gateway} dev enp1s0
+    #ip -6 route add default via ''${netIPv6Gateway} dev enp1s0
 
     ip -4 address
     ip -4 route
-    ip -6 address
-    ip -6 route
+    #ip -6 address
+    #ip -6 route
 
     set +x
 
@@ -98,7 +98,7 @@ in
     ${config.boot.initrd.network.postCommands}
   '';
   # Workaround https://github.com/NixOS/nixpkgs/issues/56822
-  boot.initrd.kernelModules = [ "ipv6" ];
+  #boot.initrd.kernelModules = [ "ipv6" ];
 
   # This is a remote headless server: always try to start all the units (default.target)
   # systemd's emergency shell does not try to start sshd, hence is no help.
@@ -117,42 +117,48 @@ in
   # (though / may still be encrypted at this point).
   # boot.kernelParams = [ "boot.shell_on_fail" ];
 
+  services.nsd.interfaces = [ netIPv4 ];
   networking = {
     useDHCP = false;
     defaultGateway = {
       address = netIPv4Gateway;
       interface = "enp1s0";
     };
+    /*
     defaultGateway6 = {
       address = netIPv6Gateway;
       interface = "enp1s0";
     };
+    */
     #nameservers = [ ];
     interfaces.enp1s0 = {
       useDHCP = false;
       ipv4.addresses = [ { address = netIPv4; prefixLength = 32; } ];
       ipv4.routes    = [ { address = networking.defaultGateway.address; prefixLength = 32; } ];
 
+      /*
       ipv6.addresses = [ { address = netIPv6; prefixLength = 64; }
                          { address = "fe80::1"; prefixLength = 10; }
                        ];
       ipv6.routes    = [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
+      */
     };
     interfaces.enp2s0 = {
       useDHCP = false;
       ipv4.addresses = [ { address = lanIPv4; prefixLength = 24; } ];
+      /*
       # FIXME: remove this /1 hack when the machine will be racked at PTT
       ipv4.routes    = [ { address = "0.0.0.0";   prefixLength = 1; via = "192.168.1.1"; }
                          { address = "128.0.0.0"; prefixLength = 1; via = "192.168.1.1"; }
                          ];
+      */
+      /*
       ipv6.addresses = [ { address = "fe80::1"; prefixLength = 10; } ];
       ipv6.routes    = [ ];
+      */
     };
     interfaces.enp3s0 = {
       useDHCP = false;
     };
   };
-  deployment = {
-    targetHost = (elemAt networking.interfaces.enp2s0.ipv4.addresses 0).address;
-  };
 }
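Review bot: IPv6 is switched off by commenting out code in four separate places across this file (the initrd `ip -6` commands, `boot.initrd.kernelModules`, `defaultGateway6` and the `ipv6.*` attributes), which leaves no single switch and introduces `''${netIPv6}` escapes whose only purpose is to keep dead text parseable. Assuming `lib` is among this module's arguments as in the sibling files, a `let enableIPv6 = false;` flag with `lib.mkIf` for the attribute sets, `lib.optional` for the kernel module and `lib.optionalString` for the initrd snippet keeps the IPv6 configuration live and re-enables it with one edit. The `/1 hack` routes on enp2s0 are commented out as well while the FIXME above them still reads as if they were active; either delete them or reword the FIXME to say they are kept for reference only. The `let` block and `postCommands` string this touches start in earlier hunks of the same file.
```nix
  # one switch for the IPv6 setup; the addresses stay defined so nothing needs commenting out
  enableIPv6     = false;
  netIPv6        = "2001:912:400:104::35";
  netIPv6Gateway = "2001:912:400:104::1";
  # … unchanged: lanIPv4, lanNet, lanIPv4Gateway …

  # … unchanged: boot.initrd.network.postCommands up to "# IPv6 net" …
    ${lib.optionalString enableIPv6 ''
      ip -6 address add ${netIPv6} dev enp1s0
      ip -6 route add ${netIPv6Gateway} dev enp1s0
      ip -6 route add default via ${netIPv6Gateway} dev enp1s0
    ''}

  boot.initrd.kernelModules = lib.optional enableIPv6 "ipv6";

  # … unchanged: networking.useDHCP, defaultGateway …
    defaultGateway6 = lib.mkIf enableIPv6 {
      address = netIPv6Gateway;
      interface = "enp1s0";
    };
    # … unchanged: interfaces.enp1s0 ipv4.* …
      ipv6.addresses = lib.mkIf enableIPv6 [ { address = netIPv6; prefixLength = 64; }
                                             { address = "fe80::1"; prefixLength = 10; }
                                           ];
      ipv6.routes    = lib.mkIf enableIPv6 [ { address = networking.defaultGateway6.address; prefixLength = 64; } ];
```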
similarity index 99%
rename from servers/mermet/shorewall.nix
rename to servers/mermet/production/shorewall.nix
index 9a2f6751aa49e5f7b0da9ab4dffc00ce797da21b..9566abd2e1b19be1892e5cc0d767fd6009697e64 100644 (file)
@@ -80,7 +80,7 @@ in
         # DOC: shorewall-interfaces(5)
         ?FORMAT 2
         net    enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
-        lan    enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
+        lan    enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
         unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
       '';
       policy = ''
diff --git a/servers/mermet/staging.nix b/servers/mermet/staging.nix
new file mode 100644 (file)
index 0000000..74b2a73
--- /dev/null
@@ -0,0 +1,23 @@
+{ pkgs, lib, config, options
+# NixOps extra module inputs
+, nodes, name, uuid, resources
+, ... }:
+let inherit (config) networking; in
+{
+imports =
+  [ staging/shorewall.nix
+  ];
+config = {
+  services.nsd.interfaces = [ networking.privateIPv4 ];
+  deployment = /*lib.mkIf (builtins.hasAttr "mermet" nodes)*/ {
+    targetEnv             = "virtualbox";
+    virtualbox.headless   = true;
+    virtualbox.memorySize = 1024;
+    virtualbox.vcpu       = 2;
+    virtualbox.disks.disk1.baseImage = ../../.cache/nixops/virtualbox/nixops.vmdk;
+    # NOTE: resize not yet supported.
+    #virtualbox.disks.disk1.size = 6024;
+    #storeKeysOnMachine = true;
+  };
+};
+}
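Review bot: `virtualbox.disks.disk1.baseImage = ../../.cache/nixops/virtualbox/nixops.vmdk` is a path literal that only exists after the `virtualbox-init` script added in shell/modules/virtualisation/virtualbox.nix has produced the `.cache/nixops/virtualbox` out-link, so on a fresh checkout the staging deployment fails with a path-does-not-exist error as soon as NixOps tries to copy the image; a comment stating the prerequisite, `# Produced by virtualbox-init (shell/modules/virtualisation/virtualbox.nix); run it before deploying staging.`, would save the next reader a puzzling failure. The deleted servers/mermet/virtualbox.nix set `storeKeysOnMachine = true` explicitly while this file leaves it commented out, so the NixOps default now decides how secrets are kept on the VM; whichever behaviour is wanted, setting it explicitly (here and in production.nix) with a one-line rationale keeps the two deployments from diverging by default. The commented `lib.mkIf (builtins.hasAttr "mermet" nodes)` is the only use of `nodes`, so either restore the guard or drop it together with the unused NixOps arguments.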
diff --git a/servers/mermet/staging/shorewall.nix b/servers/mermet/staging/shorewall.nix
new file mode 100644 (file)
index 0000000..71e95d5
--- /dev/null
@@ -0,0 +1,153 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (builtins) hasAttr readFile;
+  inherit (pkgs.lib) unlinesAttrs;
+  inherit (config.services) shorewall shorewall6;
+  fw2net = ''
+    # By protocol
+    Ping(ACCEPT)   $FW net
+
+    # By port
+    DNS(ACCEPT)    $FW net
+    Git(ACCEPT)    $FW net
+    HTTP(ACCEPT)   $FW net
+    HTTPS(ACCEPT)  $FW net
+    SMTP(ACCEPT)   $FW net
+    SMTPS(ACCEPT)  $FW net
+    SSH(ACCEPT)    $FW net
+  '';
+  net2fw = ''
+    # By protocol
+    Ping(ACCEPT)   net $FW
+
+    # By port
+    #HTTPS(ACCEPT) net $FW
+    DNS(ACCEPT)    net $FW
+    IMAPS(ACCEPT)  net $FW
+    Mosh(ACCEPT)   net $FW
+    POP3S(ACCEPT)  net $FW
+    SMTP(ACCEPT)   net $FW
+    SMTPS(ACCEPT)  net $FW
+    SSH(ACCEPT)    net $FW
+  '';
+  fw2lan = ''
+    Ping(ACCEPT)   $FW lan
+    DNS(ACCEPT)    $FW lan
+    HTTPS(ACCEPT)  $FW lan
+  '';
+  lan2fw = ''
+    Ping(ACCEPT)   lan $FW
+    SSH(ACCEPT)    lan $FW
+    HTTP(ACCEPT)   lan $FW
+    HTTPS(ACCEPT)  lan $FW
+    DNS(ACCEPT)    lan $FW
+  '';
+  macros = {
+    "macro.Git" = ''
+      ?FORMAT 2
+      #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+      #                               PORT(S) PORT(S) LIMIT   GROUP
+      PARAM   -       -       tcp     9418
+    '';
+    "macro.Mosh" = ''
+      ?FORMAT 2
+      #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+      #                               PORT(S) PORT(S) LIMIT   GROUP
+      PARAM   -       -       udp     60000-61000
+    '';
+  };
+in
+{
+  services.shorewall = {
+    enable  = true;
+    configs = macros // {
+      "shorewall.conf" = ''
+        ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
+        #
+        ## Custom config
+        ###
+        STARTUP_ENABLED=Yes
+        ZONE2ZONE=2
+      '';
+      zones = ''
+        # DOC: shorewall-zones(5)
+        fw firewall
+        net    ipv4
+        lan    ipv4
+      '';
+      interfaces = ''
+        # DOC: shorewall-interfaces(5)
+        ?FORMAT 2
+        net    enp0s3 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
+        lan    enp0s8 arp_filter,nosmurfs,routefilter=1,tcpflags,dhcp
+      '';
+      policy = ''
+        # DOC: shorewall-policy(5)
+        $FW    all DROP
+        lan    all DROP   none
+        net    all DROP   none
+        # WARNING: the following policy must be last
+        all    all REJECT none
+      '';
+      rules = ''
+        # DOC: shorewall-rules(5)
+        #SECTION ALL
+        #SECTION ESTABLISHED
+        #SECTION RELATED
+        ?SECTION NEW
+
+        ${fw2net}
+        ${net2fw}
+
+        ${fw2lan}
+        ${lan2fw}
+      '';
+    };
+  };
+  services.shorewall6 = {
+    enable  = true;
+    configs = macros // {
+      "shorewall6.conf" = ''
+        ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
+        #
+        ## Custom config
+        ###
+        STARTUP_ENABLED=Yes
+        ZONE2ZONE=2
+        '';
+      zones = ''
+        # DOC: shorewall-zones(5)
+        fw firewall
+        net    ipv6
+        lan    ipv6
+      '';
+      interfaces = ''
+        # DOC: shorewall-interfaces(5)
+        ?FORMAT 2
+        net    enp0s3 nosmurfs,tcpflags
+        lan    enp0s8 nosmurfs,tcpflags
+      '';
+      policy = ''
+        # DOC: shorewall-policy(5)
+        $FW    all DROP
+        lan    all DROP   none
+        net    all DROP   none
+        # WARNING: the following policy must be last
+        all    all REJECT none
+      '';
+      rules = ''
+        # DOC: shorewall-rules(5)
+        #SECTION ALL
+        #SECTION ESTABLISHED
+        #SECTION RELATED
+        ?SECTION NEW
+
+        ${fw2net}
+        ${net2fw}
+
+        ${fw2lan}
+        ${lan2fw}
+      '';
+    };
+  };
+}
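Review bot: This file duplicates the production Shorewall module almost line for line (the rename of production/shorewall.nix reports 99% similarity), the staging-specific parts appearing limited to the `interfaces` lines (`enp0s3`/`enp0s8` with `dhcp`, no `unused` interface), so every macro, zone, policy and rule now has to be changed twice. A shared module that exposes the interface names and the `dhcp` flag as options, imported by both production/shorewall.nix and this file, would keep the rule set in one place so that a rule added for production cannot be forgotten for staging or vice versa. Separately, the closing `'';` of the `"shorewall6.conf"` string is indented two columns deeper than every other indented string in the file (compare the `"shorewall.conf"` block); Nix drops a whitespace-only last line, so the result is unaffected, but it is worth aligning.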
diff --git a/servers/mermet/virtualbox.nix b/servers/mermet/virtualbox.nix
deleted file mode 100644 (file)
index 6e8cf7a..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, lib, config, options, nodes, ... }:
-{
-  deployment = lib.mkIf (builtins.hasAttr "mermet" nodes) {
-    targetEnv             = "virtualbox";
-    virtualbox.headless   = true;
-    virtualbox.memorySize = 1024;
-    virtualbox.vcpu       = 2;
-    virtualbox.disks.disk1.baseImage = ../../../.cache/nixops/virtualbox/nixops.vmdk;
-    # NOTE: resize not yet supported.
-    #virtualbox.disks.disk1.size = 6024;
-    storeKeysOnMachine = true;
-  };
-}
diff --git a/servers/production.nix b/servers/production.nix
new file mode 100644 (file)
index 0000000..8b019e5
--- /dev/null
@@ -0,0 +1,3 @@
+{
+  mermet = import mermet/production.nix;
+}
diff --git a/servers/staging.nix b/servers/staging.nix
new file mode 100644 (file)
index 0000000..7671a98
--- /dev/null
@@ -0,0 +1,3 @@
+{
+  mermet = import mermet/staging.nix;
+}
index 3ef203b462bdd9f8bb5a8701381de5b0e285a73e..3e38343397f12a136d0a2ff3a34e515297670440 100644 (file)
--- a/shell.nix
+++ b/shell.nix
@@ -44,6 +44,9 @@ let
         UserKnownHostsFile ${builtins.toString ../sec/ssh/known_hosts}
       '';
     };
+    virtualbox = {
+      enable = true;
+    };
   };
 
   # Using modules enables to separate specific configurations
@@ -97,7 +100,7 @@ pkgs.stdenv.mkDerivation {
     #pkgs.rxvt_unicode.terminfo
     #pkgs.sqlite
     pkgs.sqlite
-    pkgs.sudo
+    #pkgs.sudo
     pkgs.tig
     pkgs.time
     #pkgs.tmux
@@ -122,7 +125,7 @@ pkgs.stdenv.mkDerivation {
     # (or when… entering the directory with direnv
     # which spawns a nix-shell just to get the env).
     trap "cd '$PWD' && find ../sec/tmp -type f -exec shred -fu {} +" EXIT
-    
+
     ${modules.nix-shell.shellHook}
 
     # nix
@@ -133,9 +136,7 @@ pkgs.stdenv.mkDerivation {
     # executables
     PATH_NIX="$(dirname "$(PATH="${builtins.getEnv "PATH"}"; which nix)")"
     PATH_NIXOS=/run/wrappers/bin
-    PATH_FHS="$PWD"/.config/nix/fhs-bin
-    PATH_FHS_VBOX="$PWD"/.config/fhs-vbox-bin
-    export PATH="$PATH_NIXOS:$PATH_FHS_VBOX:$PATH_FHS:$PATH:$PATH_NIX"
+    export PATH="$PATH_NIXOS:$PATH:$PATH_NIX:/usr/sbin:/usr/bin:/bin"
 
     # NOTE: sudo needs to be own by root with the setuid bit,
     # but this won't be the case for the sudo provided by Nix outside NixOS,
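Review bot: The new `PATH` appends the host's `/usr/sbin:/usr/bin:/bin` to the environment of what .envrc runs as a `--pure` nix-shell, so any tool missing from the Nix-provided inputs now silently resolves to whatever the host happens to have, which is exactly what `--pure` was meant to rule out. The two in-repo wrapper directories this replaces (`PATH_FHS`, `PATH_FHS_VBOX`) were explicit about which host programs were let in. Since `pkgs.sudo` is commented out in the same commit and the note below explains that a setuid sudo can only come from the host, the host directories seem to be there for sudo (and presumably the host's VirtualBox tools); a comment saying so, `# host dirs last: only for setuid sudo and host VirtualBox tools, which cannot come from Nix`, would document the intent, and a wrapper directory holding just those symlinks, as before, would keep the rest of the host out of the shell.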
@@ -150,7 +151,7 @@ pkgs.stdenv.mkDerivation {
 
     # password-store
     export PASSWORD_STORE_DIR="$PWD"/../sec/pass
-    
+
     # gpg
     export GPG_TTY=$(tty)
     gpg-connect-agent updatestartuptty /bye >/dev/null
diff --git a/shell/modules/virtualisation/virtualbox.nix b/shell/modules/virtualisation/virtualbox.nix
new file mode 100644 (file)
index 0000000..9c1ab36
--- /dev/null
@@ -0,0 +1,31 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (lib) types;
+  inherit (config) virtualbox;
+  virtualbox-init = pkgs.writeShellScriptBin "virtualbox-init" ''
+    set -eu
+    TMPDIR=/tmp \
+    time ${pkgs.nix}/bin/nix build \
+     -I nixpkgs=${pkgs.path} \
+     --out-link .cache/nixops/virtualbox \
+     --argstr system ${virtualbox.system} \
+     -f pkgs/installer/nixops-virtualbox
+    '';
+in
+{
+options.virtualbox = {
+  enable = lib.mkEnableOption "VirtualBox image for NixOps";
+  system = lib.mkOption {
+    type = types.str;
+    example = "x86_64-linux";
+    default = pkgs.stdenv.hostPlatform.system;
+  };
+};
+config = lib.mkIf virtualbox.enable {
+  nix-shell.buildInputs = [
+    virtualbox-init
+  ];
+  nix-shell.shellHook = ''
+  '';
+};
+}
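Review bot: In `virtualbox-init`, `TMPDIR=/tmp time …` puts a variable assignment before `time`, which in bash makes `time` an ordinary command word instead of the shell keyword, so the script runs an external time(1) that `writeShellScriptBin` does not provide; it works today only because `pkgs.time` happens to be in the shell's inputs (shell.nix). Making the dependency explicit removes the surprise: `time env TMPDIR=/tmp ${pkgs.nix}/bin/nix build \` or `${pkgs.time}/bin/time`. The `--out-link .cache/nixops/virtualbox` and `-f pkgs/installer/nixops-virtualbox` paths are relative, so the script only works from the repository root; a comment above the script, `# Must be run from the repository root (relative --out-link and -f paths).`, or a `cd` to a known directory, would make that explicit. `nix-shell.shellHook = '' ''` is an empty string and can be dropped.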