# Files kept GPG-encrypted in the password store and decrypted into the
# working tree on demand (see the decrypt rule below).  Several of them are
# private keys or credentials (TLS, DKIM, yggdrasil, SSH config), so anything
# that copies, packs or cleans the tree must treat them as secrets.
DECRYPT_TARGETS = \
guix/dot_config/espanso/user/censor.yml \
guix/dot_config/transmission/settings.json \
guix/dot_config/wayvnc/config \
guix/dot_config/wayvnc/tls_cert.pem \
guix/dot_config/wayvnc/tls_key.pem \
guix/dotfiles/etc/ssl/ca.pem \
guix/dotfiles/etc/yggdrasil-private.conf \
guix/dotfiles/guixsd/exim/dkim_rsa.private \
guix/private_dot_emacs.d/modules/mjru-network.el \
guix/wugi/etc/mjru/intr.json \
guix/wugi/home/config/openssh.scm \
nix/yggdrasil/yggdrasil.conf
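# Default goal: make every encrypted file available in plaintext.
# $(DECRYPT_TARGETS) is already a word list; wrapping it in $(foreach …)
# returned the same words.
.PHONY: all
all: $(DECRYPT_TARGETS)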
# Substitute servers handed to guix as one argument.  The double quotes are
# part of the value so the space-separated list survives the shell; an
# override on the command line or from the environment needs the same quoting.
SUBSTITUTE_URLS ?= "https://bordeaux.guix.gnu.org https://mirrors.sjtug.sjtu.edu.cn/guix https://substitutes.nonguix.org"
# Guile load path holding the (wugi …) modules used by the --expression rules.
LOAD_PATH=$(abs_top_srcdir)/guix
# Store holding the .gpg counterparts of DECRYPT_TARGETS; quoted here because
# the decrypt recipe uses it unquoted.
PASSWORD_STORE="$(abs_top_srcdir)/.password-store"
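# Decrypt one secret from the password store into its place in the tree.
# The output directory is created first with the normal umask (it may be an
# existing repository directory); the umask is then tightened so private keys
# and credentials are never written world-readable.  The steps are chained
# with && so a failed mkdir does not run gpg.
$(DECRYPT_TARGETS):
	mkdir -p $$(dirname $@) && umask 077 && \
	$(GPG) --output $@ --decrypt $(PASSWORD_STORE)/dotfiles/$@.gpg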
# Drop Guile's compiled-object cache for the current user.
.PHONY: clean-guile
clean-guile:
	rm -rf "$(HOME)/.cache/guile/ccache"
# Drop the Nix evaluation/fetch cache for the current user.
.PHONY: clean-nix
clean-nix:
	rm -rf "$(HOME)/.cache/nix"
# Automake hook: remove every untracked and ignored file from the checkout.
# Presumably this is also what scrubs the decrypted DECRYPT_TARGETS plaintext,
# provided those paths are untracked or ignored — verify against .gitignore.
.PHONY: clean-local
clean-local:
	$(GIT) clean -x -d -f
# Flags for running a built VM by hand (no rule in this part of the file
# references them).  NOTE(review): `-vnc :22` and `hostfwd=tcp::10022-:22`
# give no host address, so QEMU listens on every interface; bind them to a
# loopback address (`-vnc 127.0.0.1:22`, `hostfwd=tcp:127.0.0.1:10022-:22`)
# unless remote access is intended.
QEMU_FLAGS = \
-vnc :22 \
-daemonize \
-m 4096 \
-smp 2 \
-nic user,model=virtio-net-pci,hostfwd=tcp::10022-:22
# Names of the guix/dotfiles/system/vm-image-<name>.tmpl templates that have a
# guix-system-vm-configuration-<name> target.
GUIX_SYSTEM_VM_CONFIGURATIONS = \
guixsd \
jenkins \
stumpwm
# Arguments for `guix system vm` on one template file ($(1)); --no-offload
# keeps the build on this machine.
define guix-system-vm-arguments
system vm --load-path="$(LOAD_PATH)" --no-offload $(1)
endef
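# Build (but do not start) the QEMU launcher for one VM template; the template
# name is the target minus its prefix.  These are commands, not files, hence
# .PHONY.
.PHONY: $(addprefix guix-system-vm-configuration-,$(GUIX_SYSTEM_VM_CONFIGURATIONS))
$(addprefix guix-system-vm-configuration-,$(GUIX_SYSTEM_VM_CONFIGURATIONS)):
	$(GUIX) $(call guix-system-vm-arguments,guix/dotfiles/system/vm-image-$(patsubst guix-system-vm-configuration-%,%,$@).tmpl)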
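# Regenerate private_dot_ssh/known_hosts2 from the generator script.  The
# build result is captured by the shell at run time; the former $(shell …)
# was evaluated by make while expanding the recipe, before mkdir ran.  The
# file is written via a temporary name so a failing run cannot leave a
# truncated known_hosts2 behind — it is a trust anchor for SSH host keys, so
# review its diff before committing it.
.PHONY: guix/dotfiles/scripts/nix-ssh-known-hosts-to-file.scm
guix/dotfiles/scripts/nix-ssh-known-hosts-to-file.scm:
	mkdir -p private_dot_ssh && \
	$$($(GUIX) build -f $@)/bin/run.scm > private_dot_ssh/known_hosts2.tmp && \
	mv -f private_dot_ssh/known_hosts2.tmp private_dot_ssh/known_hosts2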
# Refresh the nixpkgs input of nix/flake.lock; phony so it always runs.
.PHONY: nix/flake.lock
nix/flake.lock:
	cd nix && nix flake lock --update-input nixpkgs
# Run the executable flake.nix inside nix/ to regenerate it; phony so it
# always runs.
.PHONY: nix/flake.nix
nix/flake.nix:
	cd nix && ./flake.nix
# Run the executable flake.nix of the dns directory to regenerate it; phony so
# it always runs.
.PHONY: guix/dotfiles/dns/flake.nix
guix/dotfiles/dns/flake.nix:
	cd guix/dotfiles/dns && ./flake.nix
# Regenerate the Firefox add-on expressions from addons.json.  Kept phony on
# purpose: the generator resolves add-on versions remotely, so rerunning with an
# unchanged addons.json is still meaningful.
.PHONY: nix/firefox/generated-firefox-addons.nix
nix/firefox/generated-firefox-addons.nix:
	mozilla-addons-to-nix nix/firefox/addons.json $@
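# Regenerate guix/wugi/etc/mjru/intr.json by running the executable intr.nix.
# Written through a temporary file so an aborted run does not truncate the
# JSON.  Note that the same intr.json is also one of DECRYPT_TARGETS, so two
# rules can produce it — make sure the intended source wins.
.PHONY: guix/dotfiles/mjru/intr.nix
guix/dotfiles/mjru/intr.nix:
	$@ > guix/wugi/etc/mjru/intr.json.tmp && \
	mv -f guix/wugi/etc/mjru/intr.json.tmp guix/wugi/etc/mjru/intr.json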
# Deploy the machines declared in deploy.scm to their remote hosts.
.PHONY: deploy
deploy:
	$(GUIX) deploy --load-path="$(LOAD_PATH)" guix/dotfiles/guixsd/deploy.scm
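# Build the packer artefact from build.scm inside its directory.  `cd … &&`
# replaces `cd …;` so a failed cd cannot make guix build whatever build.scm
# happens to be in the current directory.
.PHONY: guix/dotfiles/packer/build.scm
guix/dotfiles/packer/build.scm:
	cd guix/dotfiles/packer && $(GUIX) build -f build.scm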
# Configuration names shared by all per-configuration targets below: each has
# a channels file guix/wugi/etc/guix/channels/<name>.scm, a (wugi system <name>)
# module exporting %<name>, and the home/manifest counterparts.
GUIX_SYSTEM_CONFIGURATIONS = \
docker-image \
guixsd \
libvirt \
notebook \
pc0 \
pc0-guix-workstation \
vm1 \
vm2 \
vm-guixsd \
wireless \
workstation
# `guix pull` for one configuration's channel file ($(1)).
# --allow-downgrades disables the check that the new channel commit descends
# from the currently deployed one, so a channel file pinned to an older (or
# replaced) commit is accepted silently; keep that in mind when reviewing
# channel changes.  $(shell nproc) runs when the recipe is expanded.
define guix-pull
$(GUIX) pull "--channels=$(abs_top_srcdir)/guix/wugi/etc/guix/channels/$(1).scm" --allow-downgrades --cores=$(shell nproc) --substitute-urls=$(SUBSTITUTE_URLS)
endef
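# Pull the channels of one configuration as the current user.  Command
# targets, hence .PHONY.
.PHONY: $(addprefix guix-pull-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-pull-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(call guix-pull,$(patsubst guix-pull-%,%,$@))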
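# Pull the channels of one configuration as root (root's own guix profile),
# through a login shell so root's environment is used.
.PHONY: $(addprefix root-guix-pull-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix root-guix-pull-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	sudo -i $(call guix-pull,$(patsubst root-guix-pull-%,%,$@))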
# `guix time-machine` pinned to one configuration's channel file ($(1)); the
# caller appends `-- <guix subcommand>`.
define guix-time-machine
$(GUIX) time-machine --channels="$(abs_top_srcdir)/guix/wugi/etc/guix/channels/$(1).scm" --substitute-urls=$(SUBSTITUTE_URLS)
endef
# `guix build` arguments for the variable %$(2) exported by (wugi system $(1)).
# Every caller in this file passes the same name for both.
define guix-build-expression
build --load-path="$(LOAD_PATH)" --substitute-urls=$(SUBSTITUTE_URLS) --expression="((@ (wugi system $(1)) %$(2)))"
endef
# `guix system reconfigure` arguments for %$(2) of (wugi system $(1)).
# $(ARGS) is an optional pass-through for extra command-line options
# (e.g. `make … ARGS=--dry-run`).
define guix-system-reconfigure-expression
system reconfigure --load-path="$(LOAD_PATH)" --substitute-urls=$(SUBSTITUTE_URLS) --expression="((@ (wugi system $(1)) %$(2)))" $(ARGS)
endef
# `guix system image` arguments producing a layered Docker image for %$(2) of
# (wugi system $(1)); --network keeps the system's networking services.
define guix-image-expression
system image --load-path="$(LOAD_PATH)" --substitute-urls=$(SUBSTITUTE_URLS) --max-layers=100 --image-type=docker --network --expression="((@ (wugi system $(1)) %$(2)))"
endef
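# `guix build` of one system configuration (target name minus the prefix).
.PHONY: $(addprefix guix-system-build-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-system-build-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(GUIX) $(call guix-build-expression,$(patsubst guix-system-build-%,%,$@),$(patsubst guix-system-build-%,%,$@))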
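# Same as guix-system-build-<cfg> but run as root through a login shell, i.e.
# with root's guix and channels.
.PHONY: $(addprefix sudo-guix-system-build-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix sudo-guix-system-build-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	sudo -i $(GUIX) $(call guix-build-expression,$(patsubst sudo-guix-system-build-%,%,$@),$(patsubst sudo-guix-system-build-%,%,$@))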
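# Reconfigure the running system to one configuration, as root.  Extra options
# can be supplied through $(ARGS).
.PHONY: $(addprefix guix-system-reconfigure-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-system-reconfigure-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	sudo -i $(GUIX) $(call guix-system-reconfigure-expression,$(patsubst guix-system-reconfigure-%,%,$@),$(patsubst guix-system-reconfigure-%,%,$@))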
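# Build a Docker image of one system with `guix time-machine` (channels pinned
# per configuration), push it to the registry and print the pushed reference.
# Written as one chained command so it behaves the same with or without
# .ONESHELL and so the rule fails when skopeo fails: a recipe whose last line
# is `echo` reports the echo's status under .ONESHELL, and without it the
# $container/$IMG shell variables would not survive between lines.  An empty
# GIT_COMMIT is rejected rather than producing a tag of just the timestamp.
.PHONY: $(addprefix guix-time-machine-system-image-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-time-machine-system-image-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	set -e; \
	cfg=$(patsubst guix-time-machine-system-image-%,%,$@); \
	test -n "$(GIT_COMMIT)"; \
	container=$$($(call guix-time-machine,$$cfg) -- $(call guix-image-expression,$$cfg,$$cfg)); \
	img=$(container_registry)/library/$$cfg:$$(echo $(GIT_COMMIT) | cut -c -8)-$$(date +%s); \
	$(SKOPEO) copy docker-archive\:$$container docker://$$img; \
	echo $$img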
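# `guix build` of one system configuration through time-machine, i.e. with the
# configuration's pinned channels instead of the current user's guix.
.PHONY: $(addprefix guix-time-machine-system-build-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-time-machine-system-build-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(call guix-time-machine,$(patsubst guix-time-machine-system-build-%,%,$@)) -- $(call guix-build-expression,$(patsubst guix-time-machine-system-build-%,%,$@),$(patsubst guix-time-machine-system-build-%,%,$@))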
# `guix system shepherd-graph` arguments for %$(2) of (wugi system $(1)).
define system-shepherd-graph
system shepherd-graph --load-path="$(LOAD_PATH)" --substitute-urls=$(SUBSTITUTE_URLS) --expression="((@ (wugi system $(1)) %$(2)))"
endef
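# Emit the shepherd service graph of one system configuration on stdout.
.PHONY: $(addprefix guix-system-shepherd-graph-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-system-shepherd-graph-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(GUIX) $(call system-shepherd-graph,$(patsubst guix-system-shepherd-graph-%,%,$@),$(patsubst guix-system-shepherd-graph-%,%,$@))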
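# `guix system extension-graph` arguments for %$(2) of (wugi system $(1)).
# `extension-graph` is a subcommand of `guix system` (like shepherd-graph
# above), not a top-level guix command, so the `system` word is required.
define system-extension-graph
system extension-graph --load-path="$(LOAD_PATH)" --substitute-urls=$(SUBSTITUTE_URLS) --expression="((@ (wugi system $(1)) %$(2)))"
endef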
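# Emit the service extension graph of one system configuration on stdout.
.PHONY: $(addprefix guix-system-extension-graph-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-system-extension-graph-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(GUIX) $(call system-extension-graph,$(patsubst guix-system-extension-graph-%,%,$@),$(patsubst guix-system-extension-graph-%,%,$@))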
# `guix home <action>` arguments for one home configuration.
#   $(1) action (build or reconfigure)
#   $(2) module name; a trailing -home-environment is stripped before use
#   $(3) name of the %<…> variable holding the home environment
define guix-home-expression
home $(1) --load-path="$(LOAD_PATH)" --substitute-urls=$(SUBSTITUTE_URLS) -e "((@ (wugi home config $(subst -home-environment,,$(2))) %$(3)))"
endef
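# Build one home environment.  The decrypted secrets are prerequisites because
# the home modules read them.
.PHONY: $(addprefix guix-home-build-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-home-build-,$(GUIX_SYSTEM_CONFIGURATIONS)): $(DECRYPT_TARGETS)
	$(GUIX) $(call guix-home-expression,build,$(patsubst guix-home-build-%,%,$@)-home-environment,$(patsubst guix-home-build-%,%,$@)-home-environment) $(ARGS)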
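# Build one home environment with the configuration's pinned channels.
.PHONY: $(addprefix guix-time-machine-home-build-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-time-machine-home-build-,$(GUIX_SYSTEM_CONFIGURATIONS)): $(DECRYPT_TARGETS)
	$(call guix-time-machine,$(patsubst guix-time-machine-home-build-%,%,$@)) -- $(call guix-home-expression,build,$(patsubst guix-time-machine-home-build-%,%,$@)-home-environment,$(patsubst guix-time-machine-home-build-%,%,$@)-home-environment)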
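# Reconfigure the user's home to one configuration.  --allow-downgrades
# accepts a generation built from older channels than the current one; extra
# options go through $(ARGS).
.PHONY: $(addprefix guix-home-reconfigure-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-home-reconfigure-,$(GUIX_SYSTEM_CONFIGURATIONS)): $(DECRYPT_TARGETS)
	$(GUIX) $(call guix-home-expression,reconfigure,$(patsubst guix-home-reconfigure-%,%,$@)-home-environment,$(patsubst guix-home-reconfigure-%,%,$@)-home-environment) --allow-downgrades $(ARGS)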
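# Reconfigure the user's home with the configuration's pinned channels.
# Depends on $(DECRYPT_TARGETS) like the other home rules, so the secrets the
# home modules read are present before guix runs.
.PHONY: $(addprefix guix-time-machine-home-reconfigure-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-time-machine-home-reconfigure-,$(GUIX_SYSTEM_CONFIGURATIONS)): $(DECRYPT_TARGETS)
	$(call guix-time-machine,$(patsubst guix-time-machine-home-reconfigure-%,%,$@)) -- $(call guix-home-expression,reconfigure,$(patsubst guix-time-machine-home-reconfigure-%,%,$@)-home-environment,$(patsubst guix-time-machine-home-reconfigure-%,%,$@)-home-environment) --allow-downgrades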
# `guix build` arguments for a manifest module: $(1) is a prefix removed from
# $(2), the remainder <name> selects (wugi manifests <name>) and %<name>-manifest.
define guix-build-manifest
build --load-path="$(LOAD_PATH)" --expression="((@ (wugi manifests $(subst $(1),,$(2))) %$(subst $(1),,$(2)-manifest)))"
endef
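# Build the package manifest of one configuration with the current guix.
.PHONY: $(addprefix guix-build-manifest-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-build-manifest-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(GUIX) $(call guix-build-manifest,guix-build-manifest-,$@)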
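# Build the package manifest of one configuration with its pinned channels.
# The prefix is already stripped from the second argument, so an empty
# prefix is passed to guix-build-manifest.
.PHONY: $(addprefix guix-time-machine-build-manifest-,$(GUIX_SYSTEM_CONFIGURATIONS))
$(addprefix guix-time-machine-build-manifest-,$(GUIX_SYSTEM_CONFIGURATIONS)):
	$(call guix-time-machine,$(patsubst guix-time-machine-build-manifest-%,%,$@)) -- $(call guix-build-manifest,guix-time-machine-build-manifest-,$(patsubst guix-time-machine-build-manifest-%,%,$@))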
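# Run the GitHub maintenance makefile.  $(MAKE) rather than a literal `make`
# so -j, -n and the jobserver propagate to the sub-make.
.PHONY: github
github:
	$(MAKE) --directory=guix/dotfiles/maintenance/github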
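# Run the GitLab maintenance makefile.  $(MAKE) rather than a literal `make`
# so -j, -n and the jobserver propagate to the sub-make.
.PHONY: gitlab
gitlab:
	$(MAKE) --directory=guix/dotfiles/maintenance/gitlab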
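# Stop the user's shepherd, remove its stale socket and reinstall the dotfiles.
# The socket path is derived from the current uid instead of a hard-coded
# 1000, and the sub-make is invoked through $(MAKE) so flags propagate.
.PHONY: home
home:
	herd stop root
	rm -f /run/user/$$(id -u)/shepherd/socket
	$(MAKE) install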
# Network devices for which a state-to-vc-<host> image is built and pushed
# (one target per name; see the rule below).
STATE_TO_VC_HOSTNAMES = \
sr1-dh507-508 \
sr1-mr13-14 \
sw1-dh507 \
sw1-dh508 \
sw1-mr11 \
sw1-mr12 \
sw1-mr14 \
sw2-dh507 \
sw2-dh508 \
sw2-mr12 \
sw2-mr13 \
sw2-mr14 \
sw4-mr11 \
sw4-mr12 \
sw4-mr13 \
sw4-mr14
# Checkout of upstream Guix used via pre-inst-env by the state-to-vc rule.
guix_repository=$(HOME)/src/git.savannah.gnu.org/git/guix
# Registry every image rule below pushes to over the docker:// transport.
container_registry=harbor.home.wugi.info
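# Build one state-to-vc-<host> image from the local Guix checkout, push it,
# then point the matching kustomization at the new tag and commit.
# .ONESHELL is a global special target: mentioning it once makes every recipe
# in this makefile run in a single shell, which is why the `set -o` line
# governs the whole recipe (the later .ONESHELL: lines are redundant).
# `-o pipefail` needs bash or a recent dash as SHELL — confirm SHELL.
# --insecure-policy makes skopeo skip its containers-policy.json signature
# policy, so nothing verifies the archive before it is pushed; the archive
# was just built locally, but keep this flag off any pull from outside.
# `nix develop git+https://…` runs whatever the remote flake's current HEAD
# provides; pinning a ref or rev would make the step reproducible.
# The `cd …/apps/*/…` glob must match exactly one directory or cd fails.
# The `if ! git commit` block deliberately tolerates "nothing to commit".
# An empty GIT_COMMIT is rejected instead of pushing a tag of just ":".
.ONESHELL:
.PHONY: $(STATE_TO_VC_HOSTNAMES) state-to-vc-containers
$(STATE_TO_VC_HOSTNAMES):
	set -o nounset -o errexit -o pipefail
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(guix_repository)/pre-inst-env guix pack -f docker-layered -S /bin=bin --load-path="$(LOAD_PATH)" -e '(@ (packages networking) state-to-vc-$@)')
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/monitoring/$@:$$commit_8
	$(GUIX) gc --delete $$container
	cd $(HOME)/src/gitlab.intr/cd/state-to-git/apps/*/state-to-git-$@
	nix develop git+https://gitlab.intr/nixos/kubernetes --command kustomize edit set image $(container_registry)/monitoring/$@:$$commit_8
	if ! $(GIT) commit --message="apps: $$(basename $$(dirname $$(pwd))): state-to-git-$@: Update image to $$commit_8." kustomization.yaml
	then
		:
	fi
# Build and push every state-to-vc image.
state-to-vc-containers: $(STATE_TO_VC_HOSTNAMES)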
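# Build the util-linux-with-udev image with `guix pack`, push it, then update
# the maintenance-guix-refresh-gita kustomization and commit (a no-op commit
# is tolerated).  The recipe relies on the file-wide .ONESHELL so `set -o`
# applies to every line.  --insecure-policy skips skopeo's signature policy
# for this locally built archive.  `nix develop git+https://…` is unpinned;
# a ref or rev would make it reproducible.  An empty GIT_COMMIT is rejected.
.ONESHELL:
.PHONY: util-linux-with-udev
util-linux-with-udev:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) pack -f docker --load-path="$(LOAD_PATH)" --max-layers=100 -S /bin=bin util-linux-with-udev bash coreutils guile guix-refresh.sh)
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8
	$(GUIX) gc --delete $$container
	cd apps/base/maintenance-guix-refresh-gita
	nix develop git+https://gitlab.intr/nixos/kubernetes --command kustomize edit set image $(container_registry)/library/$@:$$commit_8
	if ! $(GIT) commit --message="apps: $$(basename $$(dirname $$(pwd))): maintenance-guix-refresh-gita: Update image to $$commit_8." kustomization.yaml
	then
		:
	fi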
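# Build and push an image with skopeo, umoci and CA certificates.  Command
# target, hence .PHONY; an empty GIT_COMMIT is rejected rather than used as
# the tag.  --insecure-policy skips skopeo's signature policy for this
# locally built archive.
.ONESHELL:
.PHONY: skopeo-umoci
skopeo-umoci:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) pack -f docker --load-path="$(LOAD_PATH)" --max-layers=100 -S /bin=bin -S /etc=etc bash coreutils skopeo umoci nss-certs)
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8
	$(GUIX) gc --delete $$container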
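# Build and push a runc image.  Command target, hence .PHONY; an empty
# GIT_COMMIT is rejected rather than used as the tag.  --insecure-policy
# skips skopeo's signature policy for this locally built archive.
.ONESHELL:
.PHONY: runc
runc:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) pack -f docker --load-path="$(LOAD_PATH)" --max-layers=100 -S /bin=bin -S /sbin=sbin util-linux-with-udev bash coreutils runc)
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8
	$(GUIX) gc --delete $$container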
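# Build and push the guix-entrypoint image (util-linux, bash, coreutils,
# iproute2).  Command target, hence .PHONY; an empty GIT_COMMIT is rejected.
# --insecure-policy skips skopeo's signature policy for this locally built
# archive.
.ONESHELL:
.PHONY: guix-entrypoint
guix-entrypoint:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) pack -f docker --load-path="$(LOAD_PATH)" --max-layers=100 -S /bin=bin -S /sbin=sbin util-linux-with-udev bash coreutils iproute2)
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8
	$(GUIX) gc --delete $$container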
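# Build and push the kubeedge-certs image (guile + openssl tooling).  Command
# target, hence .PHONY; an empty GIT_COMMIT is rejected.  --insecure-policy
# skips skopeo's signature policy for this locally built archive.
.ONESHELL:
.PHONY: kubeedge-certs
kubeedge-certs:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) pack -f docker --load-path="$(LOAD_PATH)" --max-layers=100 -S /bin=bin util-linux-with-udev bash coreutils guile openssl)
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8
	$(GUIX) gc --delete $$container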
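# Build and push an haproxy image from the upstream package (no local load
# path needed).  Command target, hence .PHONY; an empty GIT_COMMIT is
# rejected.  --insecure-policy skips skopeo's signature policy for this
# locally built archive.  Unlike its siblings the pack result is not
# garbage-collected afterwards.
.ONESHELL:
.PHONY: haproxy
haproxy:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) pack -f docker --max-layers=100 -S /sbin=sbin haproxy)
	$(SKOPEO) copy --insecure-policy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8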
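# Build the isc-dhcp system image and push it.  The load path is derived from
# $(abs_top_srcdir) instead of a hard-coded /home/<user>/… checkout path, so
# the rule works from any clone.  Command target, hence .PHONY; an empty
# GIT_COMMIT is rejected.  This push keeps skopeo's default signature policy.
.ONESHELL:
.PHONY: isc-dhcp
isc-dhcp:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) system image --load-path="$(abs_top_srcdir)/guix/wugi" --max-layers=100 -t docker --network guix/dotfiles/guixsd/docker-image-isc-dhcp.scm)
	$(SKOPEO) copy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8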
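# Build the mumble system image with its own pinned channels and push it.
# Command target, hence .PHONY; an empty GIT_COMMIT is rejected.
.ONESHELL:
.PHONY: mumble
mumble:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) time-machine --channels=guix/dotfiles/channels-guix-mumble.scm -- system image --max-layers=100 -t docker --network guix/wugi/system/docker-image-mumble.scm)
	$(SKOPEO) copy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8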
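# Build the pc0 manifest with the workstation channels.  Command target,
# hence .PHONY.
# NOTE(review): `-m wugi/manifests/pc0.scm` is resolved relative to the
# current directory, while every other .scm path in this file starts with
# guix/ — confirm the intended location.
.ONESHELL:
.PHONY: pc0-manifest
pc0-manifest:
	set -o nounset -o errexit -o pipefail -o xtrace
	$(GUIX) time-machine --channels=guix/wugi/etc/guix/channels/workstation.scm -- build --load-path="$(LOAD_PATH)" -m wugi/manifests/pc0.scm --substitute-urls=$(SUBSTITUTE_URLS)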
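# Build the guix-image-builder system image (needs the decrypted secrets) and
# push it.  The configuration file is located through $(abs_top_srcdir)
# instead of a hard-coded ~/src/… checkout path, so the rule works from any
# clone.  Command target, hence .PHONY; an empty GIT_COMMIT is rejected.
.ONESHELL:
.PHONY: guix-image-builder
guix-image-builder: $(DECRYPT_TARGETS)
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	container=$$($(GUIX) time-machine --channels=guix/dotfiles/channels-current-guix-image-builder.scm -- system image --substitute-urls=$(SUBSTITUTE_URLS) --max-layers=100 -t docker --network "$(abs_top_srcdir)/guix/wugi/system/guix-image-builder.scm")
	$(SKOPEO) copy docker-archive\:$$container docker://$(container_registry)/library/$@:$$commit_8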
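# Refresh the NUR input via the nix/ makefile.  Command target, hence .PHONY.
.PHONY: nix-update-upstream-inputs
nix-update-upstream-inputs:
	$(MAKE) -C nix nur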
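# Refresh the inputs of every container-systemd variant.  .ONESHELL is in
# effect for the whole makefile, so without `set -e` only the last sub-make's
# exit status would be reported; with it the first failing sub-make aborts the
# rule.  Command target, hence .PHONY.
.PHONY: nix-update-inputs
nix-update-inputs:
	set -e
	$(MAKE) -C nix/container-systemd dotfiles-home-manager
	$(MAKE) -C nix/container-systemd-taskexecutor original
	$(MAKE) -C nix/container-systemd-nixos-majordomo original
	$(MAKE) -C nix/container-systemd-nixos-workstation original
	$(MAKE) -C nix/container-systemd-nixos-workstation-guixsd original
	$(MAKE) -C nix/container-systemd-nixos-workstation-pc0 original
	$(MAKE) -C nix/container-systemd-nixos-zapret original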
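# Build the taskexecutor container; it needs the decrypted secrets first.
# Command target, hence .PHONY.
.PHONY: container-systemd-taskexecutor
container-systemd-taskexecutor: $(DECRYPT_TARGETS)
	$(MAKE) -C nix/container-systemd-taskexecutor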
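# Build and push the workstation-controller image through its own makefile,
# tagging it with the short commit.  Command target, hence .PHONY; an empty
# GIT_COMMIT is rejected rather than used as the tag.
.ONESHELL:
.PHONY: workstation-controller
workstation-controller:
	set -o nounset -o errexit -o pipefail -o xtrace
	test -n "$(GIT_COMMIT)"
	commit_8=$$(echo $(GIT_COMMIT) | cut -c -8)
	$(MAKE) -C src/go/workstation-controller docker-build IMG=$(container_registry)/library/$@:$$commit_8
	$(MAKE) -C src/go/workstation-controller docker-push IMG=$(container_registry)/library/$@:$$commit_8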
# Run the dotfiles-update-commit script inside a guix shell that provides its
# Guile libraries and yq.
.PHONY: dotfiles-update-commit
dotfiles-update-commit:
	$(GUIX) shell guile guile-git guile-gcrypt guile-json yq -- guix/dot_local/bin/dotfiles-update-commit
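# Build the Arch Linux image via the kaniko-archlinux makefile.  Command
# target, hence .PHONY.
.ONESHELL:
.PHONY: archlinux
archlinux:
	$(MAKE) -C apps/base/kaniko-archlinux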
# Regenerate known_hosts by executing the generator script directly.
# NOTE(review): a target with this same path exists earlier in the file and
# runs the script through `guix build -f …`; this recipe executes the .scm
# file itself instead — confirm both variants are intended.
.PHONY: known_hosts
known_hosts:
	guix/dotfiles/scripts/nix-ssh-known-hosts-to-file.scm
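# Switch the builder container's NixOS configuration via its makefile.
# Command target, hence .PHONY.
.PHONY: runc-nix-builder-nixos-rebuild-switch-flake
runc-nix-builder-nixos-rebuild-switch-flake:
	$(MAKE) -C nix/container-systemd-builder nixos-rebuild-switch-flake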
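# Fetch the latest RIPE RIS rrc10 BGP dump.  Downloaded under a temporary name
# and renamed so an interrupted transfer never leaves a newer-but-truncated
# target that make would consider up to date.  The file is fetched over HTTPS
# but not otherwise integrity-checked.
latest-bview.gz:
	wget -O $@.tmp https://data.ris.ripe.net/rrc10/latest-bview.gz && mv -f $@.tmp $@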