@oconnore
Created February 23, 2016 20:29
CFengine Nix promises
# ==============================================================
# Nix Configuration
# ==============================================================
# Entry bundle for the Nix configuration: installs the Nix user allow-list and
# the global shell profile, then delegates to the daemon, builder, per-user and
# garbage-collection bundles below.
# Bodies used here (mog, _copy_file, secure, cached_, when_kept) and the common
# bundle "g" (source paths) are defined elsewhere in the policy.
bundle agent nix_setup {
files:
# Allow-list of accounts that get a per-user Nix setup (read by forall_setup_users).
# World-readable is fine for a list of usernames, but the file stays root-owned:
# whoever can edit it decides which accounts forall_setup_users acts on.
"/etc/nix/users"
create => "true",
perms => mog("644", "root", "root"),
copy_from => _copy_file("$(g.files)/nix_users"),
changes => secure,
action => cached_("15"),
classes => when_kept("nix_users");
# System-wide profile snippet; move_obstructions moves aside anything that is
# not a regular file at this path before the copy.
"/etc/profile.d/nix.sh"
create => "true",
perms => mog("644", "root", "root"),
copy_from => _copy_file("$(g.nix)/global_profile"),
move_obstructions => "true",
changes => secure,
action => cached_("15"),
classes => when_kept("nix_profile");
methods:
"daemon" usebundle => nix_daemon;
"builders" usebundle => nix_builders;
"users" usebundle => forall_setup_users;
# Collect store paths older than 7 days (see nix_gc).
"gc" usebundle => nix_gc("7");
reports:
# The not_<x> classes are presumably raised by the when_kept body on failure —
# confirm against that body's definition.
!not_nix_users:: "/etc/nix/users ok.";
not_nix_users:: "/etc/nix/users failure.";
!not_nix_profile:: "/etc/profile.d/nix.sh ok.";
not_nix_profile:: "/etc/profile.d/nix.sh failure.";
}
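# Ensures the nix-daemon socket directory exists with the intended ownership
# and that the root daemon's systemd unit is installed via systemd_service.
# Bodies used here (mog, when_kept, cached) and the bundle systemd_service are
# defined elsewhere in the policy; paths/groups come from the common bundle "g".
bundle agent nix_daemon {
files:
# The trailing "/." makes this a directory promise.
# The mode is quoted like every other mog() call in this policy.
# NOTE(review): with "other" granted r-x, the group $(g.nix_usergroup) does not
# by itself restrict which accounts can reach the daemon socket inside this
# directory; if the group is meant to gate daemon access, the mode would have
# to drop the "other" bits (e.g. "750") — confirm the intent before changing.
"/nix/var/nix/daemon-socket/."
create => "true",
perms => mog("755", "root", "$(g.nix_usergroup)"),
classes => when_kept("socket");
methods:
# The two trailing string arguments are presumably enable/start-style flags of
# systemd_service — check that bundle's parameter list.
"my_method"
usebundle => systemd_service("nix-root-daemon.service",
"$(g.systemd)/nix-root-daemon.service", "false", "true"),
action => cached("15", "5"),
classes => when_kept("nix");
reports:
nix:: "Nix daemon is ok.";
# Neither kept nor failed this run: the cached() action skipped the check.
!nix.!not_nix:: "Nix daemon is ok (cached).";
nix_repaired:: "Nix daemon was repaired.";
not_nix:: "Nix daemon failure.";
}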
# Creates the locked-down accounts nix_1 .. nix_$(g.nix_builders) intended as
# Nix build users (the accounts the daemon runs builds under).
bundle agent nix_builders {
vars:
# "1,2,...,N" from seq. g.nix_builders is policy-controlled, so the shell
# string is not built from untrusted data; note the command runs on every pass.
"output" string => execresult("seq -s, 1 $(g.nix_builders)", "useshell");
# Upper bound of 1000 builder numbers for the split.
"builditer" slist => string_split("$(output)", ",", "1000");
users:
# No usable home directory and no interactive shell: these accounts are not
# meant to be logged into.
"nix_$(builditer)"
policy => "present",
home_dir => "/dev/null",
group_primary => "$(g.nix_buildgroup)",
# Same group as group_primary; presumably redundant but harmless.
groups_secondary => { "$(g.nix_buildgroup)" },
shell => "/usr/sbin/nologin",
classes => when_kept("user_$(builditer)");
reports:
"Repaired user nix_$(builditer)" ifvarclass => "user_$(builditer)_repaired";
}
# Runs the Nix garbage collector for generations older than age_in_days.
# age_in_days: number of days, rendered as "<n>d" for --delete-older-than.
# The cached() action body (defined elsewhere) presumably rate-limits the
# command to once per $(ctime) minutes, i.e. once a day.
bundle agent nix_gc(age_in_days) {
vars:
"daystr" string => "$(age_in_days)d";
# 24 * 60 = one day in minutes; format("%d") presumably drops the fractional
# part eval() returns so the value is usable as an ifelapsed-style number.
"ctime" string => format("%d", eval("24 * 60", "math", "infix"));
commands:
# Wrapper script path comes from the common bundle "g"; root_command_noout is
# a contain body defined elsewhere in the policy.
"$(g.bootstrap)/nix-pkg.sh nix nix-collect-garbage --delete-older-than $(daystr)"
contain => root_command_noout,
action => cached("$(ctime)", "5"),
classes => when_kept("nixgc");
reports:
nixgc_repaired:: "Ran Nix garbage collector (cache=$(ctime)).";
}
# For every user listed in $(g.files)/nix_users that also has a /etc/passwd
# entry and an existing home directory, runs setup_nix_user with the home
# directory and login shell taken from the passwd entry.
bundle agent forall_setup_users {
vars:
# Allow-list: one username per line, "#" comments ignored; at most 200 entries
# and 40000 bytes are read.
"nix_users"
slist => readstringlist("$(g.files)/nix_users", "#.*", "\n", 200, 40000);
# homedirs[<name>][i] = i-th colon-separated passwd field, counting the
# account name as 0 (5 = home directory, 6 = login shell, as used below).
# The int return value is not used anywhere.
"homedirs_parse" int =>
readstringarray("homedirs", "/etc/passwd", "#.*", ":",
500, 5000000);
"iels" slist => getindices("homedirs");
# Only names that are both allow-listed and real local accounts are processed;
# a stray or mistyped name in nix_users is simply ignored here.
"els" slist => intersection("nix_users", "iels");
classes:
# Skip accounts whose home directory does not exist yet.
"home_exists_$(els)" expression => isdir("$(homedirs[$(els)][5])");
methods:
# home and shell are passed straight from /etc/passwd (root-controlled input).
"setup_$(els)"
usebundle => setup_nix_user("$(els)", "$(homedirs[$(els)][5])", "$(homedirs[$(els)][6])"),
ifvarclass => "home_exists_$(els)",
action => cached("30", "15"),
classes => when_kept("kept_$(els)");
reports:
# The kept_/not_kept_/_repaired class names are presumably those the when_kept
# body raises — confirm against its definition.
"User $(els) is ok (checked)."
ifvarclass => "kept_$(els).!kept_$(els)_repaired";
# Neither kept nor failed this run: the cached() action skipped the method.
"User $(els) is ok (cached)."
ifvarclass => "!kept_$(els).!not_kept_$(els).!kept_$(els)_repaired";
"User $(els) was repaired."
ifvarclass => "kept_$(els)_repaired";
"User $(els) is not ok."
ifvarclass => "not_kept_$(els)";
}
# Per-user Nix setup: channel list, profile symlink, shell hooks, and — when
# needed — a channel update / nix install executed as the user.
# user:  account name (the caller intersects it with /etc/passwd names)
# home:  home directory from /etc/passwd
# shell: login shell from /etc/passwd
# Bodies used here (mog, _copy_file, symlink_file, shell_insert, when_kept,
# root_command) are defined elsewhere in the policy.
bundle agent setup_nix_user(user, home, shell) {
vars:
"group" string => "nixusers";
"base" string => "/nix/var/nix";
# gcroot and default are defined but not referenced in this bundle.
"gcroot" string => "$(base)/gcroots/per-user/$(user)";
"profile" string => "$(base)/profiles/per-user/$(user)";
"user_profile" string => "$(home)/.nix-profile";
"default" string => "$(base)/profiles/default";
classes:
# Class "profile" (per-user profile directory exists) shares its name with the
# variable "profile"; different namespaces, but easy to misread.
"profile" expression => isdir("$(profile)");
# True when ~/.nix-profile is already a symlink to this user's default profile.
# NOTE(review): this class is not referenced below — the reports and the
# not_user_profile command rely on the when_kept("user_profile") classes from
# the .nix-profile files promise instead.
"user_profile_exists" and => {
islink("$(user_profile)"),
regcmp("$(profile)/default", filestat("$(user_profile)", "linktarget_shallow"))
};
# bash_shell is defined but the .bashrc/.bash_profile promises below are not
# gated on it, so the bash hooks are written for every user regardless of shell.
"bash_shell" expression => regcmp(".*/bash", "$(shell)");
"fish_shell" expression => regcmp(".*/fish", "$(shell)");
# Any symlink directly under ~/.nix-defexpr means a channel is already subscribed.
# $(home) is root-controlled (/etc/passwd) but is interpolated unquoted into a
# shell command here and in the su commands below; a home path containing
# whitespace or shell metacharacters would break or alter those commands.
"channel" expression =>
isgreaterthan(execresult("find $(home)/.nix-defexpr -maxdepth 1 -type l | wc -l", "useshell"), "0");
files:
# Default channel list, owned by the user but group nixusers.
"$(home)/.nix-channels"
create => "true",
perms => mog("644", "$(user)", "$(group)"),
copy_from => _copy_file("$(g.nix)/nix-channels"),
move_obstructions => "true";
# Symlink to the per-user default profile (the literal target equals
# "$(profile)/default"). Mode "777" on a symlink is presumably irrelevant on
# Linux, where permissions of the link itself are not enforced — confirm.
"$(home)/.nix-profile"
create => "true",
perms => mog("777", "$(user)", "$(group)"),
link_from => symlink_file("/nix/var/nix/profiles/per-user/$(user)/default"),
move_obstructions => "true",
classes => when_kept("user_profile");
# Shell hooks; shell_insert presumably inserts a tagged block ("nix") from the
# given snippet file — check that edit_line bundle's definition.
"$(home)/.bashrc"
create => "true",
perms => mog("644", "$(user)", "$(group)"),
edit_line => shell_insert("nix", "$(g.nix)/bash");
"$(home)/.bash_profile"
create => "true",
perms => mog("644", "$(user)", "$(group)"),
edit_line => shell_insert("nix", "$(g.nix)/bash");
# Only for fish users; note the stricter mode (600) than the bash hooks.
fish_shell::
"$(home)/.config/fish/config.fish"
create => "true",
perms => mog("600", "$(user)", "$(group)"),
edit_line => shell_insert("nix", "$(g.nix)/nix_conf.fish");
commands:
# Both commands run as the target user via su (not as root), sourcing the
# shared envvars file first so the wrapper script finds the Nix environment.
!channel::
"su $(user) -s /bin/sh -c '. $(g.nix)/envvars; $(g.bootstrap)/nix-pkg.sh nix nix-channel --update'"
contain => root_command,
comment => "Updating channel for $(user)";
# not_user_profile is presumably the failure class raised by when_kept for the
# .nix-profile promise above — confirm against that body.
not_user_profile::
"su $(user) -s /bin/sh -c '. $(g.nix)/envvars; $(g.bootstrap)/nix-pkg.sh nix nix-env -i nix'"
contain => root_command,
comment => "Installing nix for $(user)";
reports:
!not_user_profile:: "Kept profile $(user_profile) for $(user):$(group)";
user_profile_repaired:: "Repaired profile $(user_profile) for $(user):$(group)";
# "user_profile" here is the when_kept class, not user_profile_exists; it is
# also unset when the cached() action in the caller skipped this bundle's check.
!user_profile:: "Missing profile $(user_profile) for $(user) $(group)";
channel:: ".nix-defexpr contains some channels";
}
# EOF