diff --git a/flake.lock b/flake.lock index 892b140..b935678 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ ] }, "locked": { - "lastModified": 1718345812, - "narHash": "sha256-FJhA+YFsOFrAYe6EaiTEfomNf7jeURaPiG5/+a3DRSc=", + "lastModified": 1718440858, + "narHash": "sha256-iMVwdob8F6P6Ib+pnhMZqyvYI10ZxmvA885jjnEaO54=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "ff988d78f2f55641efacdf9a585d2937f7e32a9b", + "rev": "58b905ea87674592aa84c37873e6c07bc3807aba", "type": "github" }, "original": { @@ -377,11 +377,11 @@ ] }, "locked": { - "lastModified": 1717527182, - "narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=", + "lastModified": 1718530513, + "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", "owner": "rycee", "repo": "home-manager", - "rev": "845a5c4c073f74105022533907703441e0464bc3", + "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", "type": "github" }, "original": { @@ -452,11 +452,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1718395253, - "narHash": "sha256-kbXUz5Pg0ph9HD9wRO0w+kyCyX9n1YuED0WZGIH8GH4=", + "lastModified": 1718564210, + "narHash": "sha256-3+uzDpcA2zhcc3wEPwlhE4jE9p1sOkFg7DQw0Hw7Suc=", "ref": "refs/heads/main", - "rev": "cb63398f079b4b4324c04e2e41ba17983d66487c", - "revCount": 4829, + "rev": "d5ef10abf429355246abcda65fe4c15d886fad7c", + "revCount": 4850, "submodules": true, "type": "git", "url": "https://github.com/hyprwm/Hyprland" @@ -642,11 +642,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1718328588, - "narHash": "sha256-dTuHdsZkPJg2YS7S/04d5gLpLqCmKEGuJkRO0yHklgo=", + "lastModified": 1718501434, + "narHash": "sha256-bvsRY6N9bWJg31cPeWrTBahJ2ZbZJ1ncTqXl+fit4Q4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "ae25cb00075c72a2a91497814a11a00f567f5f75", + "rev": "8e091c59f250bcc1f6e73350fcacc59b36769ade", "type": "github" }, "original": { 
@@ -664,11 +664,11 @@ ] }, "locked": { - "lastModified": 1717976391, - "narHash": "sha256-STKlWaiiFKDybexvQCg5U1+DSLRaxT93NwVaiBSEvTI=", + "lastModified": 1718470009, + "narHash": "sha256-VBeDG3we0bkbFWMyZy+wjUkmeDN58pGFzw1dQCTeDV8=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "e3f215e518d52f6f2e68cf713cefe773284e1aa6", + "rev": "e0a970cbb8c3af05c80ef48a336ad91efd9b2bf6", "type": "github" }, "original": { @@ -768,11 +768,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1718376125, - "narHash": "sha256-NIJZxmY2CWsqJK/9BQCRSHfcCY9K6thjq/1XtJobxmU=", + "lastModified": 1718560097, + "narHash": "sha256-JI17CzgQbbzeB2H0n3G9N/HtTAMFSq2IFbRPnlJNTt8=", "owner": "nix-community", "repo": "nixvim", - "rev": "7a2a25af02be25987aa43cd681312f4b5ba12317", + "rev": "6ac0d2869d8d5a71547a504900f9199871d62506", "type": "github" }, "original": { @@ -783,11 +783,11 @@ }, "nur": { "locked": { - "lastModified": 1718397909, - "narHash": "sha256-nQd/7GPc4OC0OY+uw0m2BbfXWj41jRoRotsUBarbN04=", + "lastModified": 1718559875, + "narHash": "sha256-7jH1WTZnrK1HI1Q/Gn7O0BnNWhXZ7qJWBmGeJldA1No=", "owner": "nix-community", "repo": "NUR", - "rev": "24123cf5fea48b71954e81b0f4fe5db127109979", + "rev": "92d4e146d9db87b515fc9d0e4f5f1ffd0a0b47cd", "type": "github" }, "original": { @@ -842,11 +842,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1718331519, - "narHash": "sha256-6Ru37wS8uec626nHVIh6hSpCYB7eNc3RPFa2U//bhw4=", + "lastModified": 1718504420, + "narHash": "sha256-F2HT/abCfr0CDpkvXwYCscJyD66XDTLMVfdrIMRp2ck=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "419e7fae2731f41dd9b3e34dfe8802be68558b92", + "rev": "0043c3f92304823cc2c0a4354b0feaa61dfb4cd9", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index cdd4ef1..512ca03 100644 --- a/flake.nix +++ b/flake.nix 
@@ -91,20 +91,22 @@ }; nixosConfigurations = let - homeModule = - baseHomeModule - // { - home-manager.users.michael = import ./user/environments/nixos/home.nix; - }; + fullNixOSModules = + defaultModules + ++ [ + baseHomeModule + { + home-manager.users.michael = import ./user/environments/nixos/home.nix; + } + ]; in { kitchen = nixpkgs.lib.nixosSystem { system = utils.lib.system.x86_64-linux; modules = - defaultModules + fullNixOSModules ++ [ ./modules/common.nix ./modules/containers.nix - homeModule ./machines/kitchen/configuration.nix ]; @@ -114,12 +116,11 @@ thinkcentre = nixpkgs.lib.nixosSystem { system = utils.lib.system.x86_64-linux; modules = - defaultModules + fullNixOSModules ++ [ ./modules/common.nix ./modules/hyprland.nix ./modules/containers.nix - homeModule ./machines/thinkcentre/configuration.nix agenix.nixosModules.default @@ -135,13 +136,12 @@ terra = nixpkgs.lib.nixosSystem { system = utils.lib.system.x86_64-linux; modules = - defaultModules + fullNixOSModules ++ [ ./modules/common.nix ./modules/hyprland.nix ./modules/containers.nix ./modules/applications/steam - homeModule ./machines/terra/configuration.nix agenix.nixosModules.default diff --git a/machines/thinkcentre/configuration.nix b/machines/thinkcentre/configuration.nix index 9e4602e..4da7a28 100644 --- a/machines/thinkcentre/configuration.nix +++ b/machines/thinkcentre/configuration.nix @@ -55,9 +55,9 @@ }; # Configure keymap in X11 - services.xserver = { + services.xserver.xkb = { layout = "us"; - xkbVariant = ""; + variant = ""; }; services.openssh = { diff --git a/modules/services/forgejo/default.nix b/modules/services/forgejo/default.nix index 4e57c68..6fe984c 100644 --- a/modules/services/forgejo/default.nix +++ b/modules/services/forgejo/default.nix 
@@ -9,6 +9,33 @@ with lib; let
 inherit (config.my.server) domain proxyIP firewallInterface;
 forgejoDomain = "git.${domain}";
 forgejoUrl = "https://${forgejoDomain}";
+
+ # for nix actions runner
+ storeDeps = pkgs.runCommand "store-deps" {} ''
+ mkdir -p $out/bin
+ for dir in ${
+ toString [
+ pkgs.coreutils
+ pkgs.findutils
+ pkgs.gnugrep
+ pkgs.gawk
+ pkgs.git
+ pkgs.nix
+ pkgs.bash
+ pkgs.jq
+ pkgs.nodejs
+ pkgs.devenv
+ ]
+ }; do
+ for bin in "$dir"/bin/*; do
+ ln -s "$bin" "$out/bin/$(basename "$bin")"
+ done
+ done
+
+ # Add SSL CA certs
+ mkdir -p $out/etc/ssl/certs
+ cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+ '';
 in {
 options.my.services.forgejo = {
 enable = mkEnableOption "Forgejo";
@@ -34,6 +61,11 @@ in {
 config = mkMerge [
 (mkIf cfg.enable {
+ age.secrets.forgejoSendgridKey = {
+ file = ../../../secrets/sendgrid-key.age;
+ owner = "forgejo";
+ group = "forgejo";
+ };
 services.forgejo = {
 enable = true;
 package = pkgs.unstable.forgejo;
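Review bot: The `# for nix actions runner` comment on `storeDeps` does not say what the derivation is for: its `bin` and `etc/ssl` directories are bind-mounted as the job container's `/bin` and `/etc/ssl` further down in this file (outside this hunk), so every package in this list is what CI jobs get to execute, and adding to it widens what an untrusted workflow can run. I would replace the comment with `# Tool set exposed to actions-runner job containers as /bin and /etc/ssl (see container.options below); keep this list minimal.` The symlink loop uses `ln -s` without `-f`, so two packages shipping the same binary name make the second `ln` fail with EEXIST; whether that aborts the build or leaves a partial `bin` depends on the shell options the builder runs under, so either state the intent in a comment or make the collision explicit with `ln -s "$bin" "$out/bin/$(basename "$bin")" || echo "duplicate: $bin"` and a deliberate choice of which package wins.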
@@ -56,36 +88,112 @@ in { settings.oauth2_client = { ENABLE_AUTO_REGISTRATION = true; }; + settings.mailer = { + ENABLED = true; + FROM = "forgejo@michaelt.xyz"; + PROTOCOL = "starttls"; + SMTP_ADDR = "smtp.sendgrid.net"; + SMTP_PORT = 587; + USER = "apikey"; + }; + mailerPasswordFile = config.age.secrets.forgejoSendgridKey.path; }; networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port]; + }) + (mkIf cfg.actions.enable { + # build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix + # everything here has no dependencies on the store + systemd.services.forgejo-runner-nix-image = { + wantedBy = ["multi-user.target"]; + after = ["podman.service"]; + requires = ["podman.service"]; + path = [ + config.virtualisation.podman.package + pkgs.gnutar + pkgs.shadow + pkgs.getent + ]; + # we also include etc here because the cleanup job also wants the nixuser to be present + script = '' + set -eux -o pipefail + mkdir -p etc/nix + # Create an unpriveleged user that we can use also without the run-as-user.sh script + touch etc/passwd etc/group + groupid=$(cut -d: -f3 < <(getent group nixuser)) + userid=$(cut -d: -f3 < <(getent passwd nixuser)) + groupadd --prefix $(pwd) --gid "$groupid" nixuser + emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.' + useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser + + cat < etc/nix/nix.conf + accept-flake-config = true + experimental-features = nix-command flakes + NIX_CONFIG + + cat < etc/nsswitch.conf + passwd: files mymachines systemd + group: files mymachines systemd + shadow: files + + hosts: files mymachines dns myhostname + networks: files + + ethers: files + services: files + protocols: files + rpc: files + NSSWITCH + + # list the content as it will be imported into the container + tar -cv . | tar -tvf - + tar -cv . 
| podman import - forgejo-runner-nix + ''; + serviceConfig = { + RuntimeDirectory = "forgejo-runner-nix-image"; + WorkingDirectory = "/run/forgejo-runner-nix-image"; + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + + users.users.nixuser = { + group = "nixuser"; + description = "Used for running nix ci jobs"; + home = "/var/empty"; + isSystemUser = true; + }; + users.groups.nixuser = {}; + + # configure the actions runner itself age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age; services.gitea-actions-runner = mkIf cfg.actions.enable { package = pkgs.unstable.forgejo-runner; instances.venus = { enable = true; - name = "venus"; + name = "venus-nix-runner"; url = forgejoUrl; settings = { - # log = { - # level = "debug"; - # }; - options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock"; + # options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock"; runner = { - capacity = 5; + capacity = 1; timeout = "45m"; }; container = { - privileged = true; - valid_volumes = ["*"]; - force_pull = false; + options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm"; + # privileged = true; + valid_volumes = [ + "/nix" + "${storeDeps}/bin" + "${storeDeps}/etc/ssl" + ]; + # force_pull = false; network = "bridge"; }; }; labels = [ - "debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" - "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" + "nix:docker://forgejo-runner-nix" ]; tokenFile = config.age.secrets.forgejoActions.path; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2f1fe02..b441023 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
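Review bot: `container.options` bind-mounts the host's entire `/nix` read-write (`-v /nix:/nix`), which exposes `/nix/var/nix` (daemon socket, profiles, gcroots) to every job container and not just the store, and the image's `nix.conf` sets `accept-flake-config = true`, so a workflow's flake `nixConfig` is applied without confirmation. Unless jobs need to write the tree directly, prefer mounting the store read-only and the daemon socket explicitly, e.g. `-v /nix/store:/nix/store:ro -v /nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket`, and either drop `accept-flake-config = true` or document why it is trusted here; confirm jobs still build through the daemon after the change. `--device /dev/kvm` is passed twice in the same options string (`--device /dev/kvm` and `--device=/dev/kvm`); one can go. The inner `services.gitea-actions-runner = mkIf cfg.actions.enable {` is now inside a `(mkIf cfg.actions.enable {` block and can be reduced to `services.gitea-actions-runner = {`. As rendered in this diff, `cat < etc/nix/nix.conf` and `cat < etc/nsswitch.conf` read from those files rather than writing heredocs to them; if that is not an extraction artifact, they need to be `cat > etc/nix/nix.conf <<NIX_CONFIG` and `cat > etc/nsswitch.conf <<NSSWITCH`.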
@@ -7,6 +7,7 @@ in {
 "wireguard-thinkcentre.age".publicKeys = [venus];
 "keycloak-db.age".publicKeys = [venus];
 "forgejo-actions.age".publicKeys = [venus];
+ "sendgrid-key.age".publicKeys = [venus];
 
 # Oracle
 "wireguard-oracle.age".publicKeys = [oracle];
diff --git a/secrets/sendgrid-key.age b/secrets/sendgrid-key.age
new file mode 100644
index 0000000..a9660a1
Binary files /dev/null and b/secrets/sendgrid-key.age differ
diff --git a/user/modules/nvim/lazy-lock.json b/user/modules/nvim/lazy-lock.json
index 86440b8..413c082 100644
--- a/user/modules/nvim/lazy-lock.json
+++ b/user/modules/nvim/lazy-lock.json
@@ -60,4 +60,3 @@
 "vim-illuminate": { "branch": "master", "commit": "e522e0dd742a83506db0a72e1ced68c9c130f185" },
 "vim-startuptime": { "branch": "master", "commit": "ac2cccb5be617672add1f4f3c0a55ce99ba34e01" },
 "which-key.nvim": { "branch": "main", "commit": "4433e5ec9a507e5097571ed55c02ea9658fb268a" }
-}
\ No newline at end of file
diff --git a/user/modules/nvim/lazyvim.json b/user/modules/nvim/lazyvim.json
index 5086e39..29eff76 100644
--- a/user/modules/nvim/lazyvim.json
+++ b/user/modules/nvim/lazyvim.json
@@ -4,7 +4,7 @@
 "lazyvim.plugins.extras.lang.rust"
 ],
 "news": {
- "NEWS.md": "3314"
+ "NEWS.md": "5950"
 },
- "version": 3
+ "version": 6
 }
\ No newline at end of file
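Review bot: The new `"sendgrid-key.age"` entry is encrypted only to `venus`, while its consumer `age.secrets.forgejoSendgridKey` is declared inside `modules/services/forgejo/default.nix` and so applies to any host that enables that module; if the Forgejo role is ever enabled on another host, activation fails at decryption. A comment such as `# consumed by modules/services/forgejo (forgejoSendgridKey); rekey when the Forgejo host changes` would tie the two sides together.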