new server

conf

@@ -14,6 +14,10 @@ remote)
 	export NIX_PATH="nixpkgs=$HOME/builds/nixpkgs/:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix
 	eval ${@:2}
 	;;
+remote-new)
+	export NIX_PATH="nixpkgs=https://nixos.org/channels/nixos-16.03/nixexprs.tar.xz:ssh-id-file=`pwd`/deploy_key":secrets=`pwd`/secrets.nix
+	eval ${@:2}
+	;;
 local-deploy)
 	sudo $0 local nixos-rebuild switch
 	;;

network.nix

@@ -8,4 +8,8 @@ with (import <secrets>).hostnames; {
 		imports = [./frumar/configuration.nix];
 		deployment.targetHost = frumar;
 	};
+	pennyworth = {
+		imports = [./pennyworth/configuration.nix];
+		deployment.targetHost = pennyworth;
+	};
 }

nixos-in-place.nix

@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) mkEnableOption mkOption types mkIf;
+  cfg = config."nixos-in-place";
+in
+{
+  imports = [ ];
+  options."nixos-in-place" = {
+    enable = mkEnableOption "enable nixos-in-place FS";
+    rootfs = mkOption {
+      type = types.string;
+      description = "device name for root fs";
+    };
+    swapfs = mkOption {
+      type = types.string;
+      description = "device name for root fs";
+    };
+  };
+  config = mkIf cfg.enable {
+    boot = {
+  	  kernelModules = [ ];
+  	  extraModulePackages = [ ];
+  	  kernelParams = ["root=${cfg.rootfs}" "boot.shell_on_fail"];
+      loader.grub  = {
+        enable = true;
+        storePath = "/nixos/nix/store";
+      };
+      initrd = {
+        supportedFilesystems = [ "ext4" ];
+        postDeviceCommands = ''
+          mkdir -p /mnt-root/old-root ;
+          mount -t ext4 ${cfg.rootfs} /mnt-root/old-root ;
+        '';
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/old-root/nixos";
+        fsType = "none";
+        options = [ "bind" ];
+      };
+      "/old-root" = {
+        device = cfg.rootfs;
+        fsType = "ext4";
+      };
+    };
+    swapDevices = [ { device = cfg.swapfs; } ];
+  };
+}

ospinio/configuration.nix

@@ -27,7 +27,7 @@ in
   services.openssh.enable = true;
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "15.09";
+  system.stateVersion = "16.03";
 
   services.nginx = {
     enable = true;

ospinio/hardware-configuration.nix

@@ -1,46 +1,29 @@
 { config, lib, pkgs, ... }:
-
+let
+  ipconf = (import <secrets>).ipconf.${config.networking.hostName};
+in
 {
-  imports = [ ];
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/be7625e5-2e2c-41f2-8d5f-331f90980b9e"; }
-    ];
-
+  imports = [ ../nixos-in-place.nix ];
+  "nixos-in-place" = {
+    enable = true;
+    rootfs = "/dev/mapper/CAC_VG-CAC_LV";
+    swapfs = "/dev/disk/by-uuid/be7625e5-2e2c-41f2-8d5f-331f90980b9e";
+  };
   boot = {
-	  kernelModules = [ ];
-	  extraModulePackages = [ ];
-	  kernelParams = ["boot.shell_on_fail"];
-	  loader.grub.device = "/dev/sda";
-	  loader.grub.storePath = "/nixos/nix/store";
-	  initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "floppy" ];
-	  initrd.supportedFilesystems = [ "ext4" ];
-	  initrd.postDeviceCommands = ''
-	    mkdir -p /mnt-root/old-root ;
-	    mount -t ext4 /dev/mapper/CAC_VG-CAC_LV /mnt-root/old-root ;
-	  '';
+    loader.grub.device = "/dev/sda";
+    initrd.availableKernelModules = [ "ata_piix" "vmw_pvscsi" "floppy" ];
   };
 
-  fileSystems = {
-    "/" = {
-      device = "/old-root/nixos";
-      fsType = "none";
-      "options" = "bind";
-    };
-    "/old-root" = {
-      device = "/dev/mapper/CAC_VG-CAC_LV";
-      fsType = "ext4";
-    };
-  };
   networking = {
     interfaces.enp2s0 = {
-    	useDHCP = false;
-    	ipAddress = "104.233.92.136";
-    	prefixLength = 24;
+      useDHCP = false;
+      inherit (ipconf) ip4 ip6;
     };
-    defaultGateway = "104.233.92.1";
-    nameservers = ["8.8.8.8"];
+    inherit (ipconf) nameservers;
+    defaultGateway  = ipconf.gateway4;
+    #defaultGateway6 = ipconf.gateway6;
   };
+
   nix.maxJobs = 1;
 
 }

packages/gogitget.nix

@@ -15,6 +15,6 @@
     in builtins.toString sshIdFile} $TEMP_ID
     chown `whoami` $TEMP_ID
     chmod 400 $TEMP_ID
-    exec -a ssh ${openssh}/bin/ssh -i $TEMP_ID -o StrictHostKeyChecking=no "$@"
+    exec -a ssh ${openssh}/bin/ssh -F /dev/null -i $TEMP_ID -o StrictHostKeyChecking=no "$@"
   '';
 })

packages/gogs.nix

@@ -2,10 +2,10 @@
 { nixpkgs ? import <nixpkgs> {} }: with nixpkgs;
 stdenv.mkDerivation rec {
   name = "gogs-${version}";
-  version = "0.8.10";
+  version = "0.9.0";
   src = fetchzip {
     url = "https://dl.gogs.io/gogs_v${version}_linux_amd64.tar.gz";
-    sha256 = "0c0abr0jinyvwhw84901ga80x6q13a0q8yrs6k5i8jawhpwvfl67";
+    sha256 = "1qyy0hi8hvz2k4p9251mx8xv9z08jwijfzl0rn0drm6sq34a7wg9";
   };
   buildPhase = ''
     patchelf \

pennyworth/configuration.nix

@@ -0,0 +1,72 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+let
+  secrets = import <secrets>;
+  yoricc = import ../packages/yori-cc.nix;
+in
+{
+  imports = [
+      ./hardware-configuration.nix
+      ../roles/common.nix
+  ];
+
+  networking.hostName = secrets.hostnames.pennyworth;
+
+  services.openssh.enable = true;
+  networking.enableIPv6 = lib.mkOverride 30 true;
+
+  system.stateVersion = "16.03";
+
+  # root password is useful from console, ssh has password logins disabled
+  users.extraUsers.root.hashedPassword = secrets.pennyworth_hashedPassword;
+
+
+  services.nginx = {
+    enable = true;
+    httpConfig = ''
+      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_x_forwarded_for"';
+
+      access_log  logs/access.log  main;
+      sendfile        on;
+      #tcp_nopush     on;
+
+      #keepalive_timeout  0;
+      keepalive_timeout  65;
+
+
+      gzip  on;
+
+      server {
+        listen       80;
+        server_name  "";
+
+        location / {
+          root   ${pkgs.nginx}/usr/share/nginx/html;
+          index  index.html index.htm;
+        }
+
+        location = /50x.html {
+          root   ${pkgs.nginx}/usr/share/nginx/html;
+        }
+      }
+
+      server {
+        listen 80;
+        server_name yori.cc;
+        server_tokens off;
+        location / {
+          root ${yoricc}/web;
+        }
+      }
+
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [80];
+
+}

pennyworth/hardware-configuration.nix

@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+let
+  ipconf = (import <secrets>).ipconf.${config.networking.hostName};
+in
+{
+  imports = [ ../nixos-in-place.nix ];
+  "nixos-in-place" = {
+    enable = true;
+    rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604";
+    swapfs = "/dev/disk/by-uuid/baaf824a-bee0-4037-a237-3a69f1db7985";
+  };
+  # fs layout:
+  # before: /nixos/nix/* /boot/grub/menu.lst
+  # after:  /nix/* /old-root/boot/grub/menu.lst
+  boot = {
+    # use grub 1, don't install
+    loader.grub = {
+      version = 1;
+      extraPerEntryConfig = "root (hd0,0)"; # do we need this?
+      mirroredBoots = [{
+        path = "/old-root/boot";
+        devices = ["nodev"];
+      }];
+    };
+    initrd.availableKernelModules = [ "xen_blkfront" ];
+  };
+  networking = {
+    usePredictableInterfaceNames = false; # only eth0
+    interfaces.eth0 = {
+      useDHCP = false;
+      inherit (ipconf) ip4 ip6;
+    };
+    inherit (ipconf) nameservers;
+    # ideally, it should add a route for this automatically
+    #defaultGateway  = ipconf.gateway4;
+    #defaultGateway6 = ipconf.gateway6;
+  };
+  systemd.services."network-setup".postStart = with ipconf; ''
+    ip route add ${gateway4} dev eth0 || true
+    ip route add default via ${gateway4} || true
+    ip -6 route add ${gateway6} dev eth0 || true
+    ip -6 route add default via ${gateway6} || true
+  '';
+  nix.maxJobs = lib.mkDefault 2;
+}

roles/common.nix

@@ -21,8 +21,11 @@
     https://hydra.nixos.org
   ];
 
-  nix.trustedBinaryCaches = config.nix.binaryCaches;
-  nix.binaryCachePublicKeys = ["hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" ];
+  nix.trustedBinaryCaches = config.nix.binaryCaches ++ [http://hydra.cryp.to];
+  nix.binaryCachePublicKeys = [
+    "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
+    "hydra.cryp.to-1:8g6Hxvnp/O//5Q1bjjMTd5RO8ztTsG8DKPOAg9ANr2g="
+  ];
 
   nix.extraOptions = ''
     allow-unsafe-native-code-during-evaluation = true

secrets.nix.asc

@@ -1,22 +1,29 @@
 -----BEGIN PGP MESSAGE-----
 Version: GnuPG v2
 
-hQIMA++MoCsgK05SARAAgsaInIKBcBNB04oarPxeswE+Y+DFWmb3JDPChesJCDy+
-OkVMFp+ZOkNgoVBFdJ/jrCngNNK/MJ4Nx0G87HIy4OEoSyEDWAgZCg6+eZHlUVkY
-XjUVpWMA5ppzEieiqAF3VczZ9sk8kLseagTbIR/AA+DF4cXNjT46zcURtVUsxkTo
-rBoCRlGgzVi5L3dzz81CFR1ZdIbQ1SpDib9isLGd38dPvTXFD8IJLmcef8SR2FkN
-eKoaA2HIC3CF3BfGBlKj+pcXsytHXgs5B2JUzGo0RYdLokQBh4/JhFT8obT5/udz
-IbiqdcREyp6rUw+VMmcFSu1OIdpQ+OzfiiKcMkNIO1VO1GXNQkfUfo5FbVMIxKu1
-DQ4l00DBr6vWS3S3djPzMMmznAUIXAsBrby7cta5Utel+lcTjSa4tbEVHMQKx+Qy
-mjzS/GnpRBPnAsxapUDLdTmUPxALpI76mZVRm9xZyYYcliphUdO6Sx9Er8BEEnuz
-DdTgOO3bDz/wx3+oth9YNn+FqYKMItUJ/FZIcdPklrNd1/zKbS5hLt6+tmjQAJGH
-rMWumhEc9NQIKbWdl8TovV9jF+NYS7mmxzi/TP4C+eNlYuZYNf8tAS+edr+Z0wSy
-crHANbmnfLwAWzpJhqWAFtPJ8fLFoNUEz2Z+Sc3MgCCN6zXl2qMyDDd/Ns6+FInS
-wFsBcOTNfaHqkiaMQSJQVx0H8yhLos25ECwLu7+ux7uRRGc5m+cMyq6nRBT7HPEa
-7bfYE2xGMirIsHsxFkx+0U3ytUSRoPQYBIQuM3al71ao1b7WCyZFr58FF59wVUqp
-9Dz7bNUpXuSzyahJAX6+RHFliLgKwsKHox93eBgcTI1FvJc5sqfHfzfqhdjylTgA
-yWIpeZTjMhwXf4j0JrbUZt1b/9U2vzwbJQpYKkVn21zntTea+9+LMNziWHW1q2Lx
-gJJPD5P9eTHuAjzdzQwEReijDicx3E1+AaPAvEqbGSP58p24c/K+Mlf3BQu1QgZz
-mwDKQO9XZf1WCTvybsMktrFQzpOYhNIVDy1R7HSVB4wRu3LslrKmRpByjZ9y
-=rpa6
+hQIMA++MoCsgK05SAQ/+LvophpN/moY95XS96yuFU6UYe1zssnx0BXVlaG97U/PN
+bKwhhuCWizCvF3jG2hhSQdcwd8ezi9Wf9YXPITN+jrBxyona7/Z271Pw6Wes0skf
+wx5RX5m0QKH6ml35J160BIREiEm1U0CYSlGLX61hKHU2btvVxI0KnpzFZ9RGPe1J
+oSY4hsjZGvXja6ZmouJX2gDDIIyibgkAvLk5ooJ6zr6qP4e8u2n5rDXDBOjvxjig
+JXdCzBzCICFaU3UbAfD9KHjC9aWQD1fwKMg0HQo49SRuGqokIhpKgDbkiZev2Rnz
+5nncwpTqM5oCmUjgJLHmCFvBOVFxyxxDmLDNU3BY6SU+xFNar63tQwSrmcW3Qlt0
+2tFE+OOC04o7efcT+Ca2VKVzQKeGbCwKdwktYVkpXYphGUo8HnqR+b3lQUXkK1Om
+2kbYQtH8ztMIDUcb94sVcWANvhJhHAeeXVxCvDsaSWF5N1rrW6i/R4DxaBcgfkcn
++ioTVSOmlfOXWcBtucOS1KS2vl4WugslYXKi8RLgNYOj0h02jVsCdgPJqas7/TJc
++DkGbGLIsnwCt15yyw4d2NZz26ouX2vtfTR5wt9wChIuxL1j8MiBlw4QMPxmDDs5
+PQSLLyBySiibZVYWYaDv2Icp6AZ7kgD3XNf6z57BOAoyy7RdwuYEyq5cwZOIs1/S
+6QHC5J0WQ6H0sL6k/mQYLOAGbsa7EW3Tv1wWXyPTZyWonVZOgU3mYnWLp2qKPSae
+1sMWRvfd9hh41T8BVaDR9uXjFNeHo6Xk/mk2eWYyaNdlSulh2JpFjKJ3+2/DlLtR
+gBxFIHaXXBPONlFMzq5GQ2xD6zS+tFJOc+MHjGNg3qIC0B4UnePOeT/OrhecufQG
+BwobrUqO1JfUF30TX8ncGeb69GUI6TUiVENB1yQ5SU9+hW5zE6QM/ZiiUMMbHkAJ
+2NTAnKmZQBZlWhb3GLeVq+bUIrn+QUNqJQN5bT1resOL3b7nVxrrQp9ryH2gu0Fb
+rUIHL+RVYPb7IXsxLGskmHQffIEQ3AIag3LR8VuSzOd5EpIE+h90jSB0B85ENVYo
+PkojI8buXckXVV7ro3t2BHcT7r2o6ZmhnW7IkF7P6QpV7oycRw3WdZ7C0mwmNbJq
+ZWqG3N8aMv9URyBcIXI0qXcEHImx2v+6oLsZ/XUP3RGnbU1B7Twh/LHcZ3QfCA/u
+7TdBxnBgLnRXBt48W+iSoLRw9SxIdLlpXpez/vQIjFHGM/a6XLRJgctMcK5rQdGS
+yd3CXR0hVpDaZH33LFop67Phj5vvdop3ONHOmfV6NMqHbkH/p7rhHcdWBOVtNvry
+j9vekI7qlEVBwuXgx9HHMPNNlkve94qbZSjpiGn+PHQmaF4/jCTZ41PmBaSp8mGC
+eTMA9NQbUsBNew9UcryWl6rFrNMIcwu7De9REh0ovjoo6g3mxJhZuhWPwtmnEHpt
+zzoF4hSeoisJwg+JwGq4lQbjVJBgjdcFqke6BAEvam1Jqale5CKJ1GKb
+=fAua
 -----END PGP MESSAGE-----