From 1af70a3095b819200fc4b056e9b7b3175464b57f Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 12 Jul 2023 15:25:07 +0200
Subject: [PATCH] initial commit
---
 .gitignore | 1 +
 config.sh | 13 ++++++++
 fleet.nix | 36 ++++++++++++++++++++
 hosts/example/configuration.nix | 0
 hosts/example/utils | 1 +
 hosts/nb-dominik/configuration.nix | 0
 hosts/nb-dominik/utils | 1 +
 utils/bento.nix | 53 ++++++++++++++++++++++++++++++
 8 files changed, 105 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 config.sh
 create mode 100644 fleet.nix
 create mode 100644 hosts/example/configuration.nix
 create mode 120000 hosts/example/utils
 create mode 100644 hosts/nb-dominik/configuration.nix
 create mode 120000 hosts/nb-dominik/utils
 create mode 100644 utils/bento.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bd24e28
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.null*.nix
diff --git a/config.sh b/config.sh
new file mode 100644
index 0000000..d77f16c
--- /dev/null
+++ b/config.sh
@@ -0,0 +1,13 @@
+CHROOT_DIR=/home/chroot
+REMOTE_IP=git.cloonar.com
+
+# Optional
+
+# maxium time waiting for the SFTP connection to connect
+# default value is 20
+#TIMEOUT=20
+# port to connect to the remote server
+# default is 22
+#REMOTE_PORT=22
+# don't build locally
+#NOLOCALBUILD=1
diff --git a/fleet.nix b/fleet.nix
new file mode 100644
index 0000000..975cfd4
--- /dev/null
+++ b/fleet.nix
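Review bot: `REMOTE_IP` on the second line of config.sh is assigned the hostname `git.cloonar.com`, not an address, so the variable name misstates what the value is; adding `# hostname or IP address of the remote SFTP/git server` above it would avoid the confusion without renaming a variable that an external script reads. The script that consumes these settings is not part of this commit, so I cannot tell whether it accepts a hostname there. The timeout comment also has a typo and should read `# maximum time waiting for the SFTP connection to connect`.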
@@ -0,0 +1,36 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ create_users = host: {
+ users.users."${host.username}" = {
+ createHome = false;
+ home = "/home/chroot/" + host.username;
+ isNormalUser = false;
+ isSystemUser = true;
+ group = "sftp_users";
+ openssh.authorizedKeys.keys = [host.key];
+ shell = null;
+ };
+ };
+
+ users = [
+ {
+ username = "router";
+ key = "ssh-ed25519 AAAAC3NzaC2aZGI1OTE5AAAAOIOZKLFCZLM67viQXHYRjraE6WLfvETMkjjgSz0mxMzS root@router";
+ }
+ ];
+in {
+ imports = builtins.map create_users users;
+
+ users.groups = {sftp_users = {};};
+
+ services.openssh.extraConfig = ''
+ Match Group sftp_users
+ X11Forwarding no
+ AllowTcpForwarding no
+ ChrootDirectory %h
+ ForceCommand internal-sftp
+ '';
+}
diff --git a/hosts/example/configuration.nix b/hosts/example/configuration.nix
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/example/utils b/hosts/example/utils
new file mode 120000
index 0000000..7d6b64a
--- /dev/null
+++ b/hosts/example/utils
@@ -0,0 +1 @@
+../../utils/
\ No newline at end of file
diff --git a/hosts/nb-dominik/configuration.nix b/hosts/nb-dominik/configuration.nix
new file mode 100644
index 0000000..e69de29
diff --git a/hosts/nb-dominik/utils b/hosts/nb-dominik/utils
new file mode 120000
index 0000000..7d6b64a
--- /dev/null
+++ b/hosts/nb-dominik/utils
@@ -0,0 +1 @@
+../../utils/
\ No newline at end of file
diff --git a/utils/bento.nix b/utils/bento.nix
new file mode 100644
index 0000000..b4d3a73
--- /dev/null
+++ b/utils/bento.nix
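Review bot: `ChrootDirectory %h` in the Match block resolves to `/home/chroot/<username>`, but the user is declared with `createHome = false` and nothing in this module creates that directory, and sshd only accepts a chroot whose every path component is owned by root and not writable by group or others, so these accounts cannot log in until the directory is provisioned with that ownership somewhere outside this commit. If that provisioning is meant to be declarative, a tmpfiles rule next to the user definition covers it: `systemd.tmpfiles.rules = builtins.map (host: "d /home/chroot/${host.username} 0755 root root -") users;` (a root-owned chroot is read-only for the user, so uploads additionally need a user-owned subdirectory inside it, which this commit does not define either). Since the Match block already disables X11 and TCP forwarding for the group, `AllowAgentForwarding no` and `PermitTunnel no` would complete that restriction. The `users` let-binding and the `users.groups` attribute read as the same thing at a glance; naming the list `sftpHosts` would make `builtins.map create_users users` easier to follow.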
@@ -0,0 +1,53 @@
+{
+ lib,
+ pkgs,
+ ...
+}: let
+ timer = "*:0/15";
+in {
+ systemd.services.bento-upgrade = {
+ enable = true;
+ startAt = lib.mkDefault "${timer}";
+ path = with pkgs; [openssh git nixos-rebuild nix gzip];
+ serviceConfig.Type = "oneshot";
+ script = ''
+ cd /var/bento
+ /bin/sh update.sh
+ '';
+ restartIfChanged = false;
+ };
+
+ systemd.services.bento-reboot = {
+ # this is disabled by default
+ # to avoid wrong expectations from users
+ enable = false;
+ startAt = "04:00";
+ path = with pkgs; [coreutils systemd];
+ serviceConfig.Type = "oneshot";
+ script = ''
+ booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
+ built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
+ if [ ! "$booted" = "$built" ]
+ then
+ systemctl kexec || systemctl reboot
+ fi
+ '';
+ };
+
+
+ systemd.sockets.listen-update = {
+ enable = true;
+ wantedBy = ["sockets.target"];
+ requires = ["network.target"];
+ listenStreams = ["51337"];
+ socketConfig.Accept = "yes";
+ };
+
+ systemd.services."listen-update@" = {
+ path = with pkgs; [systemd];
+ enable = true;
+ serviceConfig.StandardInput = "socket";
+ serviceConfig.ExecStart = "${pkgs.systemd.out}/bin/systemctl start bento-upgrade.service";
+ serviceConfig.ExecStartPost = "${pkgs.systemd.out}/bin/journalctl -f --no-pager -u bento-upgrade.service";
+ };
+}
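Review bot: `listenStreams = ["51337"]` binds the listen-update socket on every address, and the `listen-update@` template starts `bento-upgrade.service` for any peer that connects and then streams that service's journal back over the same connection, so wherever the port is reachable (the NixOS firewall closes it by default, but nothing in this file states that assumption) an unauthenticated peer can both trigger an upgrade and read the upgrade log. Binding to the address the trigger is actually expected from, e.g. `listenStreams = ["127.0.0.1:51337"];` or the management-network address, keeps the trigger off public interfaces and makes the intent explicit. `journalctl -f --no-pager` in ExecStartPost never exits on its own, so every accepted connection keeps a `listen-update@` instance running until the peer hangs up; a bound such as `serviceConfig.RuntimeMaxSec = "600";` on the template together with `socketConfig.MaxConnections` on the socket would cap that. In bento-upgrade, `startAt = lib.mkDefault "${timer}"` can simply be `startAt = lib.mkDefault timer;`.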