forked from M-Labs/it-infra
Compare commits
11 Commits
4ec72130b1
...
b10ee89454
Author | SHA1 | Date |
---|---|---|
Astro | b10ee89454 | |
Sebastien Bourdeauducq | 8f62706b08 | |
Sebastien Bourdeauducq | e9379d3b88 | |
Sebastien Bourdeauducq | 9cd9eb43f4 | |
Sebastien Bourdeauducq | ae27312e53 | |
Sebastien Bourdeauducq | dfa0cc7fea | |
Sebastien Bourdeauducq | eb78ee2a7d | |
Sebastien Bourdeauducq | 3738849e22 | |
Sebastien Bourdeauducq | aa8bdf47a0 | |
Sebastien Bourdeauducq | eb83761291 | |
Sebastien Bourdeauducq | 444d74a7a5 |
|
@ -148,7 +148,7 @@ in
|
|||
|
||||
no-resolv
|
||||
|
||||
# Static IPv4s to make Red Pitayas less annoying
|
||||
# Static IPv4s to make Red Pitayas with factory firmware less annoying
|
||||
dhcp-host=rp-f05cc9,192.168.1.190
|
||||
dhcp-host=rp-f0612e,192.168.1.191
|
||||
# Static IPv4s to make port redirections work
|
||||
|
@ -165,6 +165,8 @@ in
|
|||
address=/zynq-experiments/192.168.1.51
|
||||
address=/zc706/192.168.1.52
|
||||
address=/zc706-2/192.168.1.53
|
||||
address=/cora-z7/192.168.1.54
|
||||
address=/rust-pitaya/192.168.1.55
|
||||
address=/sayma/192.168.1.60
|
||||
address=/metlino/192.168.1.65
|
||||
address=/kasli/192.168.1.70
|
||||
|
@ -229,24 +231,26 @@ in
|
|||
hardware.sane.enable = true;
|
||||
hardware.sane.extraBackends = [ pkgs.hplipWithPlugin ];
|
||||
|
||||
users.extraGroups.plugdev = { };
|
||||
users.extraGroups.hkadmin = { };
|
||||
users.extraUsers.sb = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel" "plugdev" "dialout" "lp" "scanner"];
|
||||
shell = pkgs.fish;
|
||||
extraGroups = ["wheel" "hkadmin" "lp" "scanner"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPk5WyFoWSvF4ozehxcVBoZ+UHgrI7VW/OoQfFFwIQe0qvetUZBMZwR2FwkLPAMZV8zz1v4EfncudEkVghy4P+/YVLlDjqDq9zwZnh8Nd/ifu84wmcNWHT2UcqnhjniCdshL8a44memzABnxfLLv+sXhP2x32cJAamo5y6fukr2qLp2jbXzR+3sv3klE0ruUXis/BR1lLqNJEYP8jB6fLn2sLKinnZPfn6DwVOk10mGeQsdME/eGl3phpjhODH9JW5V2V5nJBbC0rBnq+78dyArKVqjPSmIcSy72DEIpTctnMEN1W34BGrnsDd5Xd/DKxKxHKTMCHtZRwLC2X0NWN"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCMALVC8RDTHec+PC8y1s3tcpUAODgq6DEzQdHDf/cyvDMfmCaPiMxfIdmkns5lMa03hymIfSmLUF0jFFDc7biRp7uf9AAXNsrTmplHii0l0McuOOZGlSdZM4eL817P7UwJqFMxJyFXDjkubhQiX6kp25Kfuj/zLnupRCaiDvE7ho/xay6Jrv0XLz935TPDwkc7W1asLIvsZLheB+sRz9SMOb9gtrvk5WXZl5JTOFOLu+JaRwQLHL/xdcHJTOod7tqHYfpoC5JHrEwKzbhTOwxZBQBfTQjQktKENQtBxXHTe71rUEWfEZQGg60/BC4BrRmh4qJjlJu3v4VIhC7SSHn1"
|
||||
];
|
||||
shell = pkgs.fish;
|
||||
};
|
||||
users.extraUsers.rj = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["wheel" "plugdev" "dialout"];
|
||||
extraGroups = ["wheel"];
|
||||
};
|
||||
users.extraUsers.astro = {
|
||||
users.extraUsers.harry = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
shell = pkgs.bashInteractive;
|
||||
extraGroups = ["hkadmin" "lp" "scanner"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDcPNCgtdz8erFPRrAwCr4JrkeYXJUUvoRBgP0X2HlzJgDe1Inuo6sC6CGcO3IXbf4MwVA9XEp8BYPHARVeEHhufg/0wnIABLx2GcK99yxOLDUe4h/3YwtqvOcqHEsDx7w=="
|
||||
];
|
||||
};
|
||||
users.extraUsers.nix = {
|
||||
isNormalUser = true;
|
||||
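Review bot: `users.extraUsers.rj` keeps `wheel` membership but, unlike the other two account blocks in this hunk that list `openssh.authorizedKeys.keys`, it declares no key, so the configuration does not say how this administrator-level account is meant to authenticate. If it logs in over SSH with a password, that would be the weakest way into a `wheel` account on this host; the sshd settings are outside the hunk, so this is inferred rather than shown. Either add the key list to the block or record the intent in a comment such as `# rj: no SSH key on purpose, console login only`. The empty `users.extraGroups.hkadmin = { };` declaration would also benefit from a one-line comment stating what membership grants.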
|
|
|
@ -1,43 +1,27 @@
|
|||
From d7fc00b5770a7d194c0ba9e70a4cdb2ece621d5b Mon Sep 17 00:00:00 2001
|
||||
From e9d0448929a46df1b5923d69989fa3ca4c9e47ba Mon Sep 17 00:00:00 2001
|
||||
From: Astro <astro@spaceboyz.net>
|
||||
Date: Mon, 5 Oct 2020 14:18:59 +0200
|
||||
Date: Thu, 5 Nov 2020 17:21:09 +0100
|
||||
Subject: [PATCH] networked derivations
|
||||
|
||||
---
|
||||
src/libstore/build.cc | 19 ++++++++++++++-----
|
||||
1 file changed, 14 insertions(+), 5 deletions(-)
|
||||
src/libstore/build/derivation-goal.cc | 14 ++++++++------
|
||||
src/libstore/build/derivation-goal.hh | 6 ++++++
|
||||
2 files changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
|
||||
index 0499273a4..40fe4e859 100644
|
||||
--- a/src/libstore/build.cc
|
||||
+++ b/src/libstore/build.cc
|
||||
@@ -845,9 +845,16 @@ private:
|
||||
/* The sort of derivation we are building. */
|
||||
DerivationType derivationType;
|
||||
|
||||
+ bool networked;
|
||||
+
|
||||
/* Whether to run the build in a private network namespace. */
|
||||
bool privateNetwork = false;
|
||||
|
||||
+ bool allowNetwork()
|
||||
+ {
|
||||
+ return derivationIsFixed(drv->type()) || networked;
|
||||
+ }
|
||||
+
|
||||
typedef void (DerivationGoal::*GoalState)();
|
||||
GoalState state;
|
||||
|
||||
@@ -1293,6 +1300,8 @@ void DerivationGoal::haveDerivation()
|
||||
parsedDrv = std::make_unique<ParsedDerivation>(drvPath, *drv);
|
||||
|
||||
diff --git a/src/libstore/build/derivation-goal.cc b/src/libstore/build/derivation-goal.cc
|
||||
index bf2bad62c..ef4ce8a0b 100644
|
||||
--- a/src/libstore/build/derivation-goal.cc
|
||||
+++ b/src/libstore/build/derivation-goal.cc
|
||||
@@ -1199,6 +1199,8 @@ void DerivationGoal::startBuilder()
|
||||
additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
|
||||
#endif
|
||||
|
||||
+ networked = parsedDrv->getBoolAttr("__networked");
|
||||
+
|
||||
/* We are first going to try to create the invalid output paths
|
||||
through substitutes. If that doesn't work, we'll build
|
||||
them. */
|
||||
@@ -2210,7 +2219,7 @@ void DerivationGoal::startBuilder()
|
||||
/* Are we doing a chroot build? */
|
||||
{
|
||||
auto noChroot = parsedDrv->getBoolAttr("__noChroot");
|
||||
@@ -1216,7 +1218,7 @@ void DerivationGoal::startBuilder()
|
||||
else if (settings.sandboxMode == smDisabled)
|
||||
useChroot = false;
|
||||
else if (settings.sandboxMode == smRelaxed)
|
||||
|
@ -46,42 +30,68 @@ index 0499273a4..40fe4e859 100644
|
|||
}
|
||||
|
||||
if (worker.store.storeDir != worker.store.realStoreDir) {
|
||||
@@ -2434,7 +2443,7 @@ void DerivationGoal::startBuilder()
|
||||
"nogroup:x:65534:\n") % sandboxGid).str());
|
||||
@@ -1430,7 +1432,7 @@ void DerivationGoal::startBuilder()
|
||||
"nogroup:x:65534:\n", sandboxGid()));
|
||||
|
||||
/* Create /etc/hosts with localhost entry. */
|
||||
- if (!(derivationIsImpure(derivationType)))
|
||||
+ if (!allowNetwork())
|
||||
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
|
||||
writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
|
||||
|
||||
/* Make the closure of the inputs available in the chroot,
|
||||
@@ -2621,7 +2630,7 @@ void DerivationGoal::startBuilder()
|
||||
@@ -1617,7 +1619,7 @@ void DerivationGoal::startBuilder()
|
||||
us.
|
||||
*/
|
||||
|
||||
- if (!(derivationIsImpure(derivationType)))
|
||||
+ if (!allowNetwork())
|
||||
+ if (!allowNetwork() && !(derivationIsImpure(derivationType)))
|
||||
privateNetwork = true;
|
||||
|
||||
userNamespaceSync.create();
|
||||
@@ -2833,7 +2842,7 @@ void DerivationGoal::initEnv()
|
||||
@@ -1865,7 +1867,7 @@ void DerivationGoal::initEnv()
|
||||
to the builder is generally impure, but the output of
|
||||
fixed-output derivations is by definition pure (since we
|
||||
already know the cryptographic hash of the output). */
|
||||
- if (derivationIsImpure(derivationType)) {
|
||||
+ if (allowNetwork()) {
|
||||
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
|
||||
for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
|
||||
env[i] = getEnv(i).value_or("");
|
||||
}
|
||||
@@ -3447,7 +3456,7 @@ void DerivationGoal::runChild()
|
||||
@@ -2487,7 +2489,7 @@ void DerivationGoal::runChild()
|
||||
/* Fixed-output derivations typically need to access the
|
||||
network, so give them access to /etc/resolv.conf and so
|
||||
on. */
|
||||
- if (derivationIsImpure(derivationType)) {
|
||||
+ if (allowNetwork()) {
|
||||
+ if (allowNetwork() || derivationIsImpure(derivationType)) {
|
||||
ss.push_back("/etc/resolv.conf");
|
||||
|
||||
// Only use nss functions to resolve hosts and
|
||||
@@ -2728,7 +2730,7 @@ void DerivationGoal::runChild()
|
||||
|
||||
sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
|
||||
|
||||
- if (derivationIsImpure(derivationType))
|
||||
+ if (allowNetwork() || derivationIsImpure(derivationType))
|
||||
sandboxProfile += "(import \"sandbox-network.sb\")\n";
|
||||
|
||||
/* Add the output paths we'll use at build-time to the chroot */
|
||||
diff --git a/src/libstore/build/derivation-goal.hh b/src/libstore/build/derivation-goal.hh
|
||||
index 4976207e0..c57238403 100644
|
||||
--- a/src/libstore/build/derivation-goal.hh
|
||||
+++ b/src/libstore/build/derivation-goal.hh
|
||||
@@ -134,6 +134,12 @@ private:
|
||||
/* Whether to run the build in a private network namespace. */
|
||||
bool privateNetwork = false;
|
||||
|
||||
+ bool networked;
|
||||
+ bool allowNetwork()
|
||||
+ {
|
||||
+ return derivationIsFixed(drv->type()) || networked;
|
||||
+ }
|
||||
+
|
||||
typedef void (DerivationGoal::*GoalState)();
|
||||
GoalState state;
|
||||
|
||||
--
|
||||
2.28.0
|
||||
2.29.0
|
||||
|
||||
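Review bot: `networked = parsedDrv->getBoolAttr("__networked");` in `startBuilder()` honours the attribute for any derivation, and no setting or trust check is visible around it in the patch. Once it is set, `allowNetwork()` skips `privateNetwork = true`, exposes `/etc/resolv.conf`, and lets `initEnv()` copy every name listed in `impureEnvVars` from the daemon's environment into a build whose output is not hash-checked. On a shared build host, network isolation then depends only on what the derivation declares about itself. Consider gating it on the daemon side, for example `networked = settings.sandboxMode == smRelaxed && parsedDrv->getBoolAttr("__networked");`. Separately, the header declares `bool networked;` without an initializer next to `bool privateNetwork = false;`, so `bool networked = false;` and `bool allowNetwork() const` would keep the default closed if the helper is ever called before `startBuilder()` assigns the flag.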
|
|
|
@ -68,6 +68,7 @@
|
|||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa 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"
|
||||
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ+FieYdkTS3BomeEVp7SMGD3HYDzdQHKi1WgqiFF5c3CYjFiwc/W/NrsCavEkLM9GrLKS1OKxHlG6gpsMGxiHuidoK7NDd3NhHL2jJFzH7haFktJ5DrkfRPPi4QPscZPg=="
|
||||
];
|
||||
};
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; };
|
||||
pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/master.tar.gz) {};
|
||||
pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/nixos-20.09.tar.gz) {};
|
||||
in
|
||||
{
|
||||
deployment.targetHost = host;
|
||||
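Review bot: Both `fetchTarball` calls in the `let` block take a bare URL with no `sha256`, so every evaluation trusts whatever the remote serves at that moment. Moving `pkgs-unstable` from `master` to `nixos-20.09` narrows the drift, but a branch archive still changes over time. Pinning to a commit archive with a hash makes the deployment reproducible and fails closed if the tarball changes, for example `fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<COMMIT>.tar.gz"; sha256 = "<SHA256>"; }` (placeholders). The binding name `pkgs-unstable` no longer matches what it imports, so a rename or a short comment would avoid confusion. The `let` block and the attribute set continue outside the hunk.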
|
|
|
@ -1,20 +1,6 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
jaime = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPZGCpGW8n+cbGJbIa6Xqp/RpjbRXm55FfGCgw5uQzSk3MJraYaYZVUw4Z4n3WF0XyFirlgOf9RRxYM2GQoXaiq+qwPK1u4GvLTthGtfJ7LJJMjV4ouxooK205jTxp9mb3WTxzMRkcRK44B9tTZH7e36f+snBjCQRsjDTjZaYaxIUQ10gij+I4Cpq9EKrTf7fLgv+56tI6nxz3n8zeihklPOlCauA1WCN8nEU5PxRXL7Fi67kiXBoJJyUmhPg40YhC0zLhOzm7OhhM7RyIGB3bAyF1Q5GKScpPCYiAlm8j9VmQFHtulozs4cwypAOzMr48ekS3VMD1PPwbhHOOlSB1 jaime@jaime-ThinkPad"
|
||||
];
|
||||
};
|
||||
bpmasc = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArypocGpldQFmC1w5cIPnFi9UBKQsZ0F5+RdlxcsBTmpEpPStNAUoo9/WhBkybSyR+LoKgJi50uDHk1PnfCyQ6xEI75aPQKEhAk3Vm3XUesASB7yoRKqEGTxznC0XnIlTIMe1GpLSgJnxTcR6GZWukIX49QoK1qEcZ8z5Cn5CLR849jkBON6Lt9Z+dh/NZT93Ne+Yya1h1weibz4igTrLYelcVTfepgk4R+qRahfQXhjeG0gfAVCBV6AvHqBMs8HaUXQxdVN6OstKiIfw9DQsPf36HToDWmdRuZ1NUhiMr98K83C+AGQIkdZnN0f5ZUz7AB+kmGZgYwLc9R49qkYdvw=="
|
||||
];
|
||||
};
|
||||
gs = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
|
@ -22,18 +8,11 @@
|
|||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGtpxj1UPfV0oy5WGLYq2xXN8wBFUcsry9JStLVdc8eFBbp9VSb01Ba/JnJZOwEPvkOM0X5zdLxdOp3fMdL7tQ1Pqg2q/HdZpvkAHh5hH3fTAHx0Eu18SIWubG46Imv9yoOw/skCpIhIbaTrhzS6BB6A6m1hRv9U96cn9tUWtpAxS+3FZjylaBuJPDpClZB3dFgy0uCm3Pg9W/zdVM9VLlGdu2wVmFIoJ2BKhHJSbG6kA6+9Y5cPON64qoaL8j/LwrNLh+YXRU16kk1bVLfuEmUUE23+jbemkhIkBEFQdGG0+CxtsVpSv1/NJXfST+BuQ9Ef3+85kIl3vmTe4geFNn"
|
||||
];
|
||||
};
|
||||
cp = {
|
||||
yrw = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
};
|
||||
jim = {
|
||||
isNormalUser = true;
|
||||
extraGroups = ["plugdev" "dialout"];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoHJaTx/646l19AHq7vuFT0Thd7kzQgka80p8dUFNuf4PxouyMGclUU7Fai4Y1pymE8scU7VL/W1tu1OSkUz7SXDcGNgGAZYfJZIJMvc27R3JsDGKdGDr9bSnOrohBN6pBhRg8edBOHoBLEz6lmJ0EZouiKBhmZFrEl6DSUDNotMHxggAe52wqO2e8aDBz6YkET25pSPdf21SOV3QNszZAWn/3NSJcb0AIsAdMb9FTdNXQK+fdBsWAxG/mGidIvJm/MhMmV1Qfc6TI9wqsXSKT+IeM1kfQ+xgobrdiG9zwnLmyu+uyFS+S3mGbP3P3YasUfSWOWq1lfRVgzGyqZtxj"
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -59,7 +59,7 @@ in
|
|||
|
||||
documentation.enable = false;
|
||||
environment.systemPackages = with pkgs; [
|
||||
psmisc wget vim git usbutils uhubctl lm_sensors file telnet mosh tmux xc3sprog m-labs.openocd screen gdb minicom picocom
|
||||
psmisc wget vim git sshfs usbutils uhubctl lm_sensors file telnet mosh tmux xc3sprog m-labs.openocd screen gdb minicom picocom
|
||||
];
|
||||
programs.fish.enable = true;
|
||||
programs.wireshark.enable = true;
|
||||
|
|