-
-
Save cleverca22/f3e54a2e0ade7e5f38a6ee4b20d83e14 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| with import <nixpkgs> {}; | |
| let | |
| secrets = import ./secrets.nix; | |
| configuration = { | |
| imports = [ /home/clever/iohk/iohk-ops-de-serokell/modules/monitoring-services.nix ]; | |
| services.oauth2_proxy = { | |
| redirectURL = "http://localhost.earthtools.ca/oauth2/callback"; | |
| cookie.secure = false; | |
| }; | |
| services.postgresql.enable = true; | |
| services.monitoring-services = { | |
| enable = true; | |
| enableACME = false; | |
| enableWireguard = false; | |
| metrics = true; | |
| logging = false; | |
| oauth = { | |
| enable = true; | |
| emailDomain = "iohk.io"; | |
| inherit (secrets) clientID clientSecret; | |
| cookie.secret = "fake"; | |
| }; | |
| webhost = "localhost.earthtools.ca"; | |
| grafanaCreds = { | |
| user = "root"; | |
| password = "hunter2"; | |
| }; | |
| monitoredNodes = { | |
| }; | |
| }; | |
| }; | |
| eval = import <nixpkgs/nixos> { inherit configuration; }; | |
| patchedRunit = runit.overrideAttrs (old: { | |
| patches = old.patches ++ [ ./runit.patch ]; | |
| }); | |
| thing = writeScriptBin "thing" '' | |
| #!${pkgs.stdenv.shell} | |
| exec runit | |
| ''; | |
| mkScript = dir: name: text: writeTextFile { | |
| name = name; | |
| text = '' | |
| #!${stdenv.shell} | |
| ${text} | |
| ''; | |
| executable = true; | |
| destination = "${dir}${name}"; | |
| }; | |
| mkService = name: text: writeTextFile { | |
| name = name; | |
| text = '' | |
| #!${stdenv.shell} | |
| ${text} | |
| ''; | |
| executable = true; | |
| destination = "/etc/service/${name}/run"; | |
| }; | |
| stop = writeScriptBin "stop" '' | |
| #!${stdenv.shell} | |
| chmod u+x /etc/runit/stopit | |
| kill -cont 1 | |
| ''; | |
| one = mkScript "/etc/runit/" "1" '' | |
| touch /etc/runit/stopit | |
| chmod 0 /etc/runit/stopit | |
| echo one | |
| mkdir -p /var/lib/postgresql/9.6 | |
| mkdir -p /run/wrappers/bin /run/postgresql /var/lib/prometheus2 /var/lib/grafana | |
| chown -R postgres /run/postgresql | |
| cat /etc/shadow.orig > /etc/shadow | |
| chmod 600 /etc/shadow | |
| sudo -u postgres echo hello | |
| chown prometheus /var/lib/prometheus2 | |
| chown grafana /var/lib/grafana | |
| ''; | |
| passwd = runCommand "passwd" {} '' | |
| mkdir -p $out/etc/pam.d | |
| cat <<EOF > $out/etc/passwd | |
| root:x:0:0:System administrator:/root:/bin/bash | |
| postgres:x:71:71:PostgreSQL server user:/var/lib/postgresql/9.6:/bin/bash | |
| grafana:x:196:65534:Grafana user:/var/lib/grafana:/run/current-system/sw/bin/nologin | |
| nginx:x:60:60::/var/empty:/run/current-system/sw/bin/nologin | |
| prometheus:x:255:255:Prometheus daemon user:/var/empty:/run/current-system/sw/bin/nologin | |
| oauth2_proxy:x:1003:65534:OAuth2 Proxy:/var/empty:/run/current-system/sw/bin/nologin | |
| EOF | |
| cat <<EOF > $out/etc/group | |
| root:x:0: | |
| postgres:x:71: | |
| nginx:x:60: | |
| EOF | |
| cat <<EOF > $out/etc/shadow.orig | |
| root:!:1:::::: | |
| postgres:!:1:::::: | |
| EOF | |
| cat <<EOF > $out/etc/pam.d/sudo | |
| account required pam_unix.so | |
| auth sufficient pam_unix.so likeauth try_first_pass | |
| auth required pam_deny.so | |
| password sufficient pam_unix.so nullok sha512 | |
| session required pam_unix.so | |
| EOF | |
| cat <<EOF > $out/etc/nsswitch.conf | |
| passwd: files mymachines systemd | |
| group: files mymachines systemd | |
| shadow: files | |
| hosts: files mymachines mdns_minimal [NOTFOUND=return] dns mdns myhostname | |
| networks: files | |
| ethers: files | |
| services: files | |
| protocols: files | |
| rpc: files | |
| EOF | |
| ''; | |
| two = mkScript "/etc/runit/" "2" '' | |
| echo two | |
| exec runsvdir -P /etc/service | |
| ''; | |
| three = mkScript "/etc/runit/" "3" '' | |
| echo three | |
| ''; | |
| sleeper = mkService "sleeper" '' | |
| echo taking a nap | |
| sleep 15 | |
| echo woke up! | |
| chmod u+x /etc/runit/stopit | |
| kill -cont 1 | |
| ''; | |
| wrapService = name: mkService name '' | |
| exec ${eval.config.systemd.services.${name}.runner} | |
| ''; | |
| configFiles = buildEnv { | |
| name = "config-files"; | |
| paths = [ | |
| one two three | |
| #sleeper | |
| (wrapService "postgresql") | |
| (wrapService "prometheus2") | |
| #(wrapService "prometheus-blackbox-exporter") | |
| #(wrapService "prometheus-node-exporter") | |
| (wrapService "oauth2_proxy") | |
| (wrapService "nginx") | |
| (wrapService "grafana") | |
| ]; | |
| }; | |
| image = dockerTools.buildLayeredImage { | |
| name = "docker-image"; | |
| tag = "test-image"; | |
| contents = [ | |
| patchedRunit configFiles thing coreutils | |
| passwd | |
| bashInteractive | |
| sudo | |
| linux-pam | |
| nettools | |
| lsof | |
| iana_etc | |
| stop | |
| strace | |
| procps | |
| cacert.out | |
| ]; | |
| config = { | |
| Cmd = [ "thing" ]; | |
| }; | |
| }; | |
| helper = writeScript "helper" '' | |
| #!${pkgs.stdenv.shell} | |
| docker load < ${image} | |
| docker run --rm -i -p 80:80 --cap-add SYS_PTRACE -t docker-image:test-image | |
| ''; | |
| in { | |
| inherit image helper; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix | |
| index 5661edbee2d..71d4b26803f 100644 | |
| --- a/nixos/modules/services/databases/postgresql.nix | |
| +++ b/nixos/modules/services/databases/postgresql.nix | |
| @@ -284,9 +284,9 @@ in | |
| '' | |
| # Create data directory. | |
| if ! test -e ${cfg.dataDir}/PG_VERSION; then | |
| - mkdir -m 0700 -p ${cfg.dataDir} | |
| + mkdir -m 0700 -pv ${cfg.dataDir} | |
| rm -f ${cfg.dataDir}/*.conf | |
| - chown -R postgres:postgres ${cfg.dataDir} | |
| + chown -Rv postgres:postgres ${cfg.dataDir} | |
| fi | |
| ''; # */ | |
| diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix | |
| index d8384e0d35b..1b08eeb26f5 100644 | |
| --- a/nixos/modules/services/monitoring/prometheus/default.nix | |
| +++ b/nixos/modules/services/monitoring/prometheus/default.nix | |
| @@ -833,10 +833,10 @@ in { | |
| systemd.services.prometheus2 = { | |
| wantedBy = [ "multi-user.target" ]; | |
| after = [ "network.target" ]; | |
| + script = "exec ${cfg2.package}/bin/prometheus" + | |
| + optionalString (length cmdlineArgs2 != 0) (" \\\n " + | |
| + concatStringsSep " \\\n " cmdlineArgs2); | |
| serviceConfig = { | |
| - ExecStart = "${cfg2.package}/bin/prometheus" + | |
| - optionalString (length cmdlineArgs2 != 0) (" \\\n " + | |
| - concatStringsSep " \\\n " cmdlineArgs2); | |
| User = promUser; | |
| Restart = "always"; | |
| WorkingDirectory = workingDir2; | |
| diff --git a/nixos/modules/services/security/oauth2_proxy.nix b/nixos/modules/services/security/oauth2_proxy.nix | |
| index 61f203ef9e7..fb533f36db9 100644 | |
| --- a/nixos/modules/services/security/oauth2_proxy.nix | |
| +++ b/nixos/modules/services/security/oauth2_proxy.nix | |
| @@ -77,7 +77,7 @@ let | |
| (mapAttrsToList (name: value: mapConfig (key + "-" + name) value) attr) else | |
| if (builtins.typeOf attr) == "list" then concatMapStringsSep " " (mapConfig key) attr else | |
| if (builtins.typeOf attr) == "bool" then "--${key}=${boolToString attr}" else | |
| - if (builtins.typeOf attr) == "string" then "--${key}='${attr}'" else | |
| + if (builtins.typeOf attr) == "string" then ''--${key}="${attr}"'' else | |
| "--${key}=${toString attr}") | |
| else ""; | |
| @@ -553,11 +553,11 @@ in | |
| path = [ cfg.package ]; | |
| wantedBy = [ "multi-user.target" ]; | |
| after = [ "network.target" ]; | |
| + script = "exec ${cfg.package.bin}/bin/oauth2_proxy ${configString}"; | |
| serviceConfig = { | |
| User = "oauth2_proxy"; | |
| Restart = "always"; | |
| - ExecStart = "${cfg.package.bin}/bin/oauth2_proxy ${configString}"; | |
| EnvironmentFile = mkIf (cfg.keyFile != null) cfg.keyFile; | |
| }; | |
| }; | |
| diff --git a/nixos/modules/testing/service-runner.nix b/nixos/modules/testing/service-runner.nix | |
| index 17d5e337690..c6e20fd1034 100644 | |
| --- a/nixos/modules/testing/service-runner.nix | |
| +++ b/nixos/modules/testing/service-runner.nix | |
| @@ -4,8 +4,10 @@ with lib; | |
| let | |
| - makeScript = name: service: pkgs.writeScript "${name}-runner" | |
| - '' | |
| + makeScript = name: service: | |
| + let | |
| + dropRoot = if service.serviceConfig ? User then "/bin/sudo -E -u ${service.serviceConfig.User} " else ""; | |
| + in pkgs.writeScript "${name}-runner" '' | |
| #! ${pkgs.perl}/bin/perl -w -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix} | |
| use File::Slurp; | |
| @@ -56,7 +58,7 @@ let | |
| }; | |
| # Run the ExecStart program. | |
| - my $cmd = '${service.serviceConfig.ExecStart}'; | |
| + my $cmd = '${dropRoot}${service.serviceConfig.ExecStart}'; | |
| print STDERR "running ExecStart: $cmd\n"; | |
| my $mainPid = run $cmd; | |
| $ENV{'MAINPID'} = $mainPid; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff -ru admin-orig/runit-2.1.2/src/runit.c admin/runit-2.1.2/src/runit.c | |
| --- admin-orig/src/runit.c 2014-08-10 15:22:35.000000000 -0300 | |
| +++ admin/src/runit.c 2019-06-30 23:21:45.947391610 -0300 | |
| @@ -299,6 +299,11 @@ | |
| strerr_warn2(INFO, "sending KILL signal to all processes...", 0); | |
| kill(-1, SIGKILL); | |
| + strerr_warn2(INFO, "syncing...", 0); | |
| + //sync(); | |
| + strerr_warn2(INFO, "exiting...", 0); | |
| + _exit(0); | |
| + | |
| pid =fork(); | |
| switch (pid) { | |
| case 0: | |
| @@ -309,27 +314,27 @@ | |
| reboot_system(RB_AUTOBOOT); | |
| } | |
| else { | |
| -#ifdef RB_POWER_OFF | |
| +# ifdef RB_POWER_OFF | |
| strerr_warn2(INFO, "power off...", 0); | |
| sync(); | |
| reboot_system(RB_POWER_OFF); | |
| sleep(2); | |
| -#endif | |
| -#ifdef RB_HALT_SYSTEM | |
| +# endif // RB_POWER_OFF | |
| +# ifdef RB_HALT_SYSTEM | |
| strerr_warn2(INFO, "system halt.", 0); | |
| sync(); | |
| reboot_system(RB_HALT_SYSTEM); | |
| -#else | |
| -#ifdef RB_HALT | |
| +# else // RB_HALT_SYSTEM | |
| +# ifdef RB_HALT | |
| strerr_warn2(INFO, "system halt.", 0); | |
| sync(); | |
| reboot_system(RB_HALT); | |
| -#else | |
| +# else // RB_HALT | |
| strerr_warn2(INFO, "system reboot.", 0); | |
| sync(); | |
| reboot_system(RB_AUTOBOOT); | |
| -#endif | |
| -#endif | |
| +# endif // RB_HALT | |
| +# endif // RB_HALT_SYSTEM | |
| } | |
| if (pid == 0) _exit(0); | |
| break; | |
| @@ -337,7 +342,7 @@ | |
| sig_unblock(sig_child); | |
| while (wait_pid(0, pid) == -1); | |
| } | |
| -#endif | |
| +#endif // RB_AUTOBOOT | |
| for (;;) sig_pause(); | |
| /* not reached */ | |
| Only in admin/runit-2.1.2/src: .runit.c.swp |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment