initial commit

2023-07-12 15:25:07 +02:00
commit 1af70a3095
8 changed files with 105 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 .null*.nix
--- a/config.sh
+++ b/config.sh
@@ -0,0 +1,13 @@
 CHROOT_DIR=/home/chroot
 REMOTE_IP=git.cloonar.com
 # Optional
 # maxium time waiting for the SFTP connection to connect
 # default value is 20
 #TIMEOUT=20
 # port to connect to the remote server
 # default is 22
 #REMOTE_PORT=22
 # don't build locally
 #NOLOCALBUILD=1
--- a/fleet.nix
+++ b/fleet.nix
@@ -0,0 +1,36 @@
 {
  lib,
  pkgs,
  ...
 }: let
  create_users = host: {
    users.users."${host.username}" = {
      createHome = false;
      home = "/home/chroot/" + host.username;
      isNormalUser = false;
      isSystemUser = true;
      group = "sftp_users";
      openssh.authorizedKeys.keys = [host.key];
      shell = null;
    };
  };
  users = [
    {
      username = "router";
      key = "ssh-ed25519 AAAAC3NzaC2aZGI1OTE5AAAAOIOZKLFCZLM67viQXHYRjraE6WLfvETMkjjgSz0mxMzS root@router";
    }
  ];
 in {
  imports = builtins.map create_users users;
  users.groups = {sftp_users = {};};
  services.openssh.extraConfig = ''
    Match Group sftp_users
      X11Forwarding no
      AllowTcpForwarding no
      ChrootDirectory %h
      ForceCommand internal-sftp
  '';
 }
--- a/hosts/example/configuration.nix
+++ b/hosts/example/configuration.nix
--- a/hosts/example/utils
+++ b/hosts/example/utils
@@ -0,0 +1 @@
 ../../utils/
--- a/hosts/nb-dominik/configuration.nix
+++ b/hosts/nb-dominik/configuration.nix
--- a/hosts/nb-dominik/utils
+++ b/hosts/nb-dominik/utils
@@ -0,0 +1 @@
 ../../utils/
--- a/utils/bento.nix
+++ b/utils/bento.nix
@@ -0,0 +1,53 @@
 {
  lib,
  pkgs,
  ...
 }: let
  timer = "*:0/15";
 in {
  systemd.services.bento-upgrade = {
    enable = true;
    startAt = lib.mkDefault "${timer}";
    path = with pkgs; [openssh git nixos-rebuild nix gzip];
    serviceConfig.Type = "oneshot";
    script = ''
      cd /var/bento
      /bin/sh update.sh
    '';
    restartIfChanged = false;
  };
  systemd.services.bento-reboot = {
    # this is disabled by default
    # to avoid wrong expectations from users
    enable = false;
    startAt = "04:00";
    path = with pkgs; [coreutils systemd];
    serviceConfig.Type = "oneshot";
    script = ''
      booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
      built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
      if [ ! "$booted" = "$built" ]
      then
          systemctl kexec || systemctl reboot
      fi
    '';
  };
  systemd.sockets.listen-update = {
    enable = true;
    wantedBy = ["sockets.target"];
    requires = ["network.target"];
    listenStreams = ["51337"];
    socketConfig.Accept = "yes";
  };
  systemd.services."listen-update@" = {
    path = with pkgs; [systemd];
    enable = true;
    serviceConfig.StandardInput = "socket";
    serviceConfig.ExecStart = "${pkgs.systemd.out}/bin/systemctl start bento-upgrade.service";
    serviceConfig.ExecStartPost = "${pkgs.systemd.out}/bin/journalctl -f --no-pager -u bento-upgrade.service";
  };
 }