michael/nix-dots
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'main' of https://git.thomasfmly.org/michael/nix-dots

Browse Source
This commit is contained in:
Michael Thomas 2024-06-26 18:49:35 -04:00
commit 147b659960
8 changed files with 160 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
flake.lock generated
View File

@ -73,11 +73,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718345812, "lastModified": 1718440858,
"narHash": "sha256-FJhA+YFsOFrAYe6EaiTEfomNf7jeURaPiG5/+a3DRSc=", "narHash": "sha256-iMVwdob8F6P6Ib+pnhMZqyvYI10ZxmvA885jjnEaO54=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "ff988d78f2f55641efacdf9a585d2937f7e32a9b", "rev": "58b905ea87674592aa84c37873e6c07bc3807aba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -377,11 +377,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717527182, "lastModified": 1718530513,
"narHash": "sha256-vWSkg6AMok1UUQiSYVdGMOXKD2cDFnajITiSi0Zjd1A=", "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "845a5c4c073f74105022533907703441e0464bc3", "rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -452,11 +452,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1718395253, "lastModified": 1718564210,
"narHash": "sha256-kbXUz5Pg0ph9HD9wRO0w+kyCyX9n1YuED0WZGIH8GH4=", "narHash": "sha256-3+uzDpcA2zhcc3wEPwlhE4jE9p1sOkFg7DQw0Hw7Suc=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "cb63398f079b4b4324c04e2e41ba17983d66487c", "rev": "d5ef10abf429355246abcda65fe4c15d886fad7c",
"revCount": 4829, "revCount": 4850,
"submodules": true, "submodules": true,
"type": "git", "type": "git",
"url": "https://github.com/hyprwm/Hyprland" "url": "https://github.com/hyprwm/Hyprland"
@ -642,11 +642,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1718328588, "lastModified": 1718501434,
"narHash": "sha256-dTuHdsZkPJg2YS7S/04d5gLpLqCmKEGuJkRO0yHklgo=", "narHash": "sha256-bvsRY6N9bWJg31cPeWrTBahJ2ZbZJ1ncTqXl+fit4Q4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "ae25cb00075c72a2a91497814a11a00f567f5f75", "rev": "8e091c59f250bcc1f6e73350fcacc59b36769ade",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -664,11 +664,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1717976391, "lastModified": 1718470009,
"narHash": "sha256-STKlWaiiFKDybexvQCg5U1+DSLRaxT93NwVaiBSEvTI=", "narHash": "sha256-VBeDG3we0bkbFWMyZy+wjUkmeDN58pGFzw1dQCTeDV8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NixOS-WSL", "repo": "NixOS-WSL",
"rev": "e3f215e518d52f6f2e68cf713cefe773284e1aa6", "rev": "e0a970cbb8c3af05c80ef48a336ad91efd9b2bf6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -768,11 +768,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1718376125, "lastModified": 1718560097,
"narHash": "sha256-NIJZxmY2CWsqJK/9BQCRSHfcCY9K6thjq/1XtJobxmU=", "narHash": "sha256-JI17CzgQbbzeB2H0n3G9N/HtTAMFSq2IFbRPnlJNTt8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "7a2a25af02be25987aa43cd681312f4b5ba12317", "rev": "6ac0d2869d8d5a71547a504900f9199871d62506",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -783,11 +783,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1718397909, "lastModified": 1718559875,
"narHash": "sha256-nQd/7GPc4OC0OY+uw0m2BbfXWj41jRoRotsUBarbN04=", "narHash": "sha256-7jH1WTZnrK1HI1Q/Gn7O0BnNWhXZ7qJWBmGeJldA1No=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "24123cf5fea48b71954e81b0f4fe5db127109979", "rev": "92d4e146d9db87b515fc9d0e4f5f1ffd0a0b47cd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -842,11 +842,11 @@
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1718331519, "lastModified": 1718504420,
"narHash": "sha256-6Ru37wS8uec626nHVIh6hSpCYB7eNc3RPFa2U//bhw4=", "narHash": "sha256-F2HT/abCfr0CDpkvXwYCscJyD66XDTLMVfdrIMRp2ck=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "419e7fae2731f41dd9b3e34dfe8802be68558b92", "rev": "0043c3f92304823cc2c0a4354b0feaa61dfb4cd9",
"type": "github" "type": "github"
}, },
"original": { "original": {

18
flake.nix
View File

@ -91,20 +91,22 @@
}; };
nixosConfigurations = let nixosConfigurations = let
homeModule = fullNixOSModules =
defaultModules
++ [
baseHomeModule baseHomeModule
// { {
home-manager.users.michael = import ./user/environments/nixos/home.nix; home-manager.users.michael = import ./user/environments/nixos/home.nix;
}; }
];
in { in {
kitchen = nixpkgs.lib.nixosSystem { kitchen = nixpkgs.lib.nixosSystem {
system = utils.lib.system.x86_64-linux; system = utils.lib.system.x86_64-linux;
modules = modules =
defaultModules fullNixOSModules
++ [ ++ [
./modules/common.nix ./modules/common.nix
./modules/containers.nix ./modules/containers.nix
homeModule
./machines/kitchen/configuration.nix ./machines/kitchen/configuration.nix
]; ];
@ -114,12 +116,11 @@
thinkcentre = nixpkgs.lib.nixosSystem { thinkcentre = nixpkgs.lib.nixosSystem {
system = utils.lib.system.x86_64-linux; system = utils.lib.system.x86_64-linux;
modules = modules =
defaultModules fullNixOSModules
++ [ ++ [
./modules/common.nix ./modules/common.nix
./modules/hyprland.nix ./modules/hyprland.nix
./modules/containers.nix ./modules/containers.nix
homeModule
./machines/thinkcentre/configuration.nix ./machines/thinkcentre/configuration.nix
agenix.nixosModules.default agenix.nixosModules.default
@ -135,13 +136,12 @@
terra = nixpkgs.lib.nixosSystem { terra = nixpkgs.lib.nixosSystem {
system = utils.lib.system.x86_64-linux; system = utils.lib.system.x86_64-linux;
modules = modules =
defaultModules fullNixOSModules
++ [ ++ [
./modules/common.nix ./modules/common.nix
./modules/hyprland.nix ./modules/hyprland.nix
./modules/containers.nix ./modules/containers.nix
./modules/applications/steam ./modules/applications/steam
homeModule
./machines/terra/configuration.nix ./machines/terra/configuration.nix
agenix.nixosModules.default agenix.nixosModules.default

4
machines/thinkcentre/configuration.nix
View File

@ -55,9 +55,9 @@
}; };
# Configure keymap in X11 # Configure keymap in X11
services.xserver = { services.xserver.xkb = {
layout = "us"; layout = "us";
xkbVariant = ""; variant = "";
}; };
services.openssh = { services.openssh = {

130
modules/services/forgejo/default.nix
View File

@ -9,6 +9,33 @@ with lib; let
inherit (config.my.server) domain proxyIP firewallInterface; inherit (config.my.server) domain proxyIP firewallInterface;
forgejoDomain = "git.${domain}"; forgejoDomain = "git.${domain}";
forgejoUrl = "https://${forgejoDomain}"; forgejoUrl = "https://${forgejoDomain}";
# for nix actions runner
storeDeps = pkgs.runCommand "store-deps" {} ''
mkdir -p $out/bin
for dir in ${
toString [
pkgs.coreutils
pkgs.findutils
pkgs.gnugrep
pkgs.gawk
pkgs.git
pkgs.nix
pkgs.bash
pkgs.jq
pkgs.nodejs
pkgs.devenv
]
}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
in { in {
options.my.services.forgejo = { options.my.services.forgejo = {
enable = mkEnableOption "Forgejo"; enable = mkEnableOption "Forgejo";
@ -34,6 +61,11 @@ in {
config = mkMerge [ config = mkMerge [
(mkIf cfg.enable { (mkIf cfg.enable {
age.secrets.forgejoSendgridKey = {
file = ../../../secrets/sendgrid-key.age;
owner = "forgejo";
group = "forgejo";
};
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.unstable.forgejo; package = pkgs.unstable.forgejo;
@ -56,36 +88,112 @@ in {
settings.oauth2_client = { settings.oauth2_client = {
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
}; };
settings.mailer = {
ENABLED = true;
FROM = "forgejo@michaelt.xyz";
PROTOCOL = "starttls";
SMTP_ADDR = "smtp.sendgrid.net";
SMTP_PORT = 587;
USER = "apikey";
};
mailerPasswordFile = config.age.secrets.forgejoSendgridKey.path;
}; };
networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port]; networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
})
(mkIf cfg.actions.enable {
# build image // taken from https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
# everything here has no dependencies on the store
systemd.services.forgejo-runner-nix-image = {
wantedBy = ["multi-user.target"];
after = ["podman.service"];
requires = ["podman.service"];
path = [
config.virtualisation.podman.package
pkgs.gnutar
pkgs.shadow
pkgs.getent
];
# we also include etc here because the cleanup job also wants the nixuser to be present
script = ''
set -eux -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - forgejo-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "forgejo-runner-nix-image";
WorkingDirectory = "/run/forgejo-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
users.users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
isSystemUser = true;
};
users.groups.nixuser = {};
# configure the actions runner itself
age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age; age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
services.gitea-actions-runner = mkIf cfg.actions.enable { services.gitea-actions-runner = mkIf cfg.actions.enable {
package = pkgs.unstable.forgejo-runner; package = pkgs.unstable.forgejo-runner;
instances.venus = { instances.venus = {
enable = true; enable = true;
name = "venus"; name = "venus-nix-runner";
url = forgejoUrl; url = forgejoUrl;
settings = { settings = {
# log = { # options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
# level = "debug";
# };
options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
runner = { runner = {
capacity = 5; capacity = 1;
timeout = "45m"; timeout = "45m";
}; };
container = { container = {
privileged = true; options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
valid_volumes = ["*"]; # privileged = true;
force_pull = false; valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
# force_pull = false;
network = "bridge"; network = "bridge";
}; };
}; };
labels = [ labels = [
"debian-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest" "nix:docker://forgejo-runner-nix"
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
]; ];
tokenFile = config.age.secrets.forgejoActions.path; tokenFile = config.age.secrets.forgejoActions.path;
}; };

1
secrets/secrets.nix
View File

@ -7,6 +7,7 @@ in {
"wireguard-thinkcentre.age".publicKeys = [venus]; "wireguard-thinkcentre.age".publicKeys = [venus];
"keycloak-db.age".publicKeys = [venus]; "keycloak-db.age".publicKeys = [venus];
"forgejo-actions.age".publicKeys = [venus]; "forgejo-actions.age".publicKeys = [venus];
"sendgrid-key.age".publicKeys = [venus];
# Oracle # Oracle
"wireguard-oracle.age".publicKeys = [oracle]; "wireguard-oracle.age".publicKeys = [oracle];

BIN
secrets/sendgrid-key.age Normal file
View File

Binary file not shown.

1
user/modules/nvim/lazy-lock.json
View File

@ -60,4 +60,3 @@
"vim-illuminate": { "branch": "master", "commit": "e522e0dd742a83506db0a72e1ced68c9c130f185" }, "vim-illuminate": { "branch": "master", "commit": "e522e0dd742a83506db0a72e1ced68c9c130f185" },
"vim-startuptime": { "branch": "master", "commit": "ac2cccb5be617672add1f4f3c0a55ce99ba34e01" }, "vim-startuptime": { "branch": "master", "commit": "ac2cccb5be617672add1f4f3c0a55ce99ba34e01" },
"which-key.nvim": { "branch": "main", "commit": "4433e5ec9a507e5097571ed55c02ea9658fb268a" } "which-key.nvim": { "branch": "main", "commit": "4433e5ec9a507e5097571ed55c02ea9658fb268a" }
}

4
user/modules/nvim/lazyvim.json
View File

@ -4,7 +4,7 @@
"lazyvim.plugins.extras.lang.rust" "lazyvim.plugins.extras.lang.rust"
], ],
"news": { "news": {
"NEWS.md": "3314" "NEWS.md": "5950"
}, },
"version": 3 "version": 6
} }