CFEngine Nix promises
# ==============================================================
# Nix Configuration
# ==============================================================
# Bundle: nix_setup
# Entry point for the Nix configuration: lays down the site-wide user list
# and login profile, then hands off to the daemon, build-user, per-user and
# garbage-collection bundles below. The bodies used here (mog, _copy_file,
# cached_, when_kept, secure) are defined outside this file.
bundle agent nix_setup
{
  files:
    # Authoritative list of logins that receive a Nix profile. The same
    # source file, $(g.files)/nix_users, is read back by forall_setup_users.
    "/etc/nix/users"
      copy_from => _copy_file("$(g.files)/nix_users"),
      create    => "true",
      perms     => mog("644", "root", "root"),
      changes   => secure,
      action    => cached_("15"),
      classes   => when_kept("nix_users");

    # Login-time Nix environment for every interactive shell.
    "/etc/profile.d/nix.sh"
      copy_from         => _copy_file("$(g.nix)/global_profile"),
      create            => "true",
      perms             => mog("644", "root", "root"),
      move_obstructions => "true",
      changes           => secure,
      action            => cached_("15"),
      classes           => when_kept("nix_profile");

  methods:
    "daemon"   usebundle => nix_daemon;
    "builders" usebundle => nix_builders;
    "users"    usebundle => forall_setup_users;
    "gc"       usebundle => nix_gc("7");

  reports:
    !not_nix_users::
      "/etc/nix/users ok.";
    not_nix_users::
      "/etc/nix/users failure.";
    !not_nix_profile::
      "/etc/profile.d/nix.sh ok.";
    not_nix_profile::
      "/etc/profile.d/nix.sh failure.";
}
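# Bundle: nix_daemon
# Makes sure the daemon socket directory exists with the intended ownership
# and that the nix-root-daemon systemd unit is managed through the external
# systemd_service bundle.
bundle agent nix_daemon
{
  files:
    # Directory that holds the daemon's Unix socket. Group ownership by
    # $(g.nix_usergroup) is what lets Nix users reach the socket. The mode
    # is passed as a quoted string, consistent with every other mog() call
    # in this file (the original passed a bare 755).
    "/nix/var/nix/daemon-socket/."
      create  => "true",
      perms   => mog("755", "root", "$(g.nix_usergroup)"),
      classes => when_kept("socket");

  methods:
    # systemd_service is defined elsewhere; the meaning of the two trailing
    # "false"/"true" arguments is not visible here — TODO confirm against
    # its definition before changing them.
    "my_method"
      usebundle => systemd_service("nix-root-daemon.service",
                                   "$(g.systemd)/nix-root-daemon.service",
                                   "false", "true"),
      action    => cached("15", "5"),
      classes   => when_kept("nix");

  reports:
    nix::
      "Nix daemon is ok.";
    !nix.!not_nix::
      "Nix daemon is ok (cached).";
    nix_repaired::
      "Nix daemon was repaired.";
    not_nix::
      "Nix daemon failure.";
}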
# Bundle: nix_builders
# Creates the unprivileged build accounts nix_1 .. nix_N, N being the policy
# value $(g.nix_builders). The accounts get no usable home directory and a
# non-login shell: they exist only for the daemon to run builds under.
bundle agent nix_builders
{
  vars:
    # "1,2,...,N" as emitted by seq. $(g.nix_builders) presumably comes from
    # the global policy bundle g, so only policy-controlled data reaches
    # this shell invocation.
    "seqlist" string => execresult("seq -s, 1 $(g.nix_builders)", "useshell");
    "idx"     slist  => string_split("$(seqlist)", ",", "1000");

  users:
    "nix_$(idx)"
      policy           => "present",
      home_dir         => "/dev/null",
      group_primary    => "$(g.nix_buildgroup)",
      groups_secondary => { "$(g.nix_buildgroup)" },
      shell            => "/usr/sbin/nologin",
      classes          => when_kept("user_$(idx)");

  reports:
    "Repaired user nix_$(idx)"
      ifvarclass => "user_$(idx)_repaired";
}
# Bundle: nix_gc(age_in_days)
# Runs the Nix garbage collector, deleting generations older than
# age_in_days days. The command promise is throttled by the external
# cached() body with $(ctime) = 24 * 60 — presumably minutes, i.e. once a
# day; confirm against the cached() definition.
bundle agent nix_gc(age_in_days)
{
  vars:
    # 24 * 60, rendered as a plain integer string for cached().
    "ctime"  string => format("%d", eval("24 * 60", "math", "infix"));
    # nix-collect-garbage expects a duration such as "7d".
    "daystr" string => "$(age_in_days)d";

  commands:
    # NOTE(review): $(age_in_days) is interpolated into a shell command line;
    # the only caller in this file passes the literal "7".
    "$(g.bootstrap)/nix-pkg.sh nix nix-collect-garbage --delete-older-than $(daystr)"
      action  => cached("$(ctime)", "5"),
      contain => root_command_noout,
      classes => when_kept("nixgc");

  reports:
    nixgc_repaired::
      "Ran Nix garbage collector (cache=$(ctime)).";
}
# Bundle: forall_setup_users
# For every login that appears both in $(g.files)/nix_users and in
# /etc/passwd, and whose home directory exists, call setup_nix_user with the
# account's home and shell taken from the passwd entry.
bundle agent forall_setup_users
{
  vars:
    # Login names to manage; "#.*" lines are comments. Capped at 200 entries /
    # 40000 bytes — anything beyond that is silently not read.
    "nix_users"
      slist => readstringlist("$(g.files)/nix_users", "#.*", "\n", 200, 40000);
    # homedirs[login][field] indexed by passwd field (5 = home, 6 = shell).
    # Capped at 500 lines / 5000000 bytes, so large passwd files would be
    # truncated without warning.
    "homedirs_parse" int =>
      readstringarray("homedirs", "/etc/passwd", "#.*", ":",
                      500, 5000000);
    "iels" slist => getindices("homedirs");
    # Only logins present in both the policy list and the system.
    "els"  slist => intersection("nix_users", "iels");

  classes:
    # Users whose home directory is not yet present are skipped below
    # without a report.
    "home_exists_$(els)" expression => isdir("$(homedirs[$(els)][5])");

  methods:
    "setup_$(els)"
      usebundle  => setup_nix_user("$(els)", "$(homedirs[$(els)][5])", "$(homedirs[$(els)][6])"),
      ifvarclass => "home_exists_$(els)",
      action     => cached("30", "15"),
      classes    => when_kept("kept_$(els)");

  reports:
    "User $(els) is ok (checked)."
      ifvarclass => "kept_$(els).!kept_$(els)_repaired";
    "User $(els) is ok (cached)."
      ifvarclass => "!kept_$(els).!not_kept_$(els).!kept_$(els)_repaired";
    "User $(els) was repaired."
      ifvarclass => "kept_$(els)_repaired";
    "User $(els) is not ok."
      ifvarclass => "not_kept_$(els)";
}
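# Bundle: setup_nix_user(user, home, shell)
# Wires one login into Nix: seeds ~/.nix-channels, points ~/.nix-profile at
# the per-user default profile, injects the Nix environment into the shell
# startup files for the user's shell, and (as the user) pulls the channel
# and installs nix into the profile when that has not happened yet.
# Called once per login by forall_setup_users.
#
# Parameters:
#   user  - login name (a /etc/passwd entry listed in $(g.files)/nix_users)
#   home  - the account's home directory (passwd field 5)
#   shell - the account's login shell (passwd field 6)
#
# NOTE(review): $(user) and $(home) are spliced unquoted into shell command
# lines below (the "channel" execresult and both commands: promises). Both
# values come from root-owned files today; a login name or home path
# containing shell metacharacters would break or alter those commands, so
# keep the user list root-controlled.
bundle agent setup_nix_user(user, home, shell)
{
  vars:
    "group"        string => "nixusers";
    "base"         string => "/nix/var/nix";
    # gcroot and default are not referenced by any promise in this bundle.
    "gcroot"       string => "$(base)/gcroots/per-user/$(user)";
    "profile"      string => "$(base)/profiles/per-user/$(user)";
    "user_profile" string => "$(home)/.nix-profile";
    "default"      string => "$(base)/profiles/default";

  classes:
    # profile and user_profile_exists are evaluated but not used by any
    # promise here; the commands: section keys off the when_kept() classes
    # of the ~/.nix-profile promise instead.
    "profile" expression => isdir("$(profile)");
    "user_profile_exists" and => {
      islink("$(user_profile)"),
      regcmp("$(profile)/default", filestat("$(user_profile)", "linktarget_shallow"))
    };
    # Which startup files to manage, decided by the login shell.
    "bash_shell" expression => regcmp(".*/bash", "$(shell)");
    "fish_shell" expression => regcmp(".*/fish", "$(shell)");
    # Set once ~/.nix-defexpr contains at least one channel symlink.
    "channel" expression =>
      isgreaterthan(execresult("find $(home)/.nix-defexpr -maxdepth 1 -type l | wc -l", "useshell"), "0");

  files:
    # NOTE(review): the promises in this section are carried out by cf-agent
    # as root inside a directory the user can write to. If one of these
    # paths already exists as a user-created symlink, the edit or perms may
    # be applied to the link target — TODO confirm cf-agent's handling
    # before using this bundle for accounts that are not trusted.
    "$(home)/.nix-channels"
      create            => "true",
      perms             => mog("644", "$(user)", "$(group)"),
      copy_from         => _copy_file("$(g.nix)/nix-channels"),
      move_obstructions => "true";

    # NOTE(review): a mode of 777 on a symlink is meaningless on Linux, but
    # if cf-agent follows the link when applying perms it would leave the
    # profile target world-writable — TODO confirm, and tighten if so.
    "$(home)/.nix-profile"
      create            => "true",
      perms             => mog("777", "$(user)", "$(group)"),
      link_from         => symlink_file("/nix/var/nix/profiles/per-user/$(user)/default"),
      move_obstructions => "true",
      classes           => when_kept("user_profile");

    # Only bash users get the bash startup files, mirroring the fish_shell
    # guard below (bash_shell was previously defined but never applied, so
    # .bashrc/.bash_profile were created for every shell).
    bash_shell::
      "$(home)/.bashrc"
        create    => "true",
        perms     => mog("644", "$(user)", "$(group)"),
        edit_line => shell_insert("nix", "$(g.nix)/bash");

      "$(home)/.bash_profile"
        create    => "true",
        perms     => mog("644", "$(user)", "$(group)"),
        edit_line => shell_insert("nix", "$(g.nix)/bash");

    fish_shell::
      "$(home)/.config/fish/config.fish"
        create    => "true",
        perms     => mog("600", "$(user)", "$(group)"),
        edit_line => shell_insert("nix", "$(g.nix)/nix_conf.fish");

  commands:
    # root_command is an external contain body (presumably runs as root with
    # a shell); su then drops to the user for the actual Nix invocation.
    !channel::
      "su $(user) -s /bin/sh -c '. $(g.nix)/envvars; $(g.bootstrap)/nix-pkg.sh nix nix-channel --update'"
        contain => root_command,
        comment => "Updating channel for $(user)";

    not_user_profile::
      "su $(user) -s /bin/sh -c '. $(g.nix)/envvars; $(g.bootstrap)/nix-pkg.sh nix nix-env -i nix'"
        contain => root_command,
        comment => "Installing nix for $(user)";

  reports:
    !not_user_profile::
      "Kept profile $(user_profile) for $(user):$(group)";
    user_profile_repaired::
      "Repaired profile $(user_profile) for $(user):$(group)";
    !user_profile::
      "Missing profile $(user_profile) for $(user) $(group)";
    channel::
      ".nix-defexpr contains some channels";
}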
# EOF