From d1b74a5bf6b3aa620f841ffff6e3d29b6a6f8406 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Sat, 17 Feb 2024 15:35:43 +0100
Subject: [PATCH] Things

---
 flake.lock | 244 ++++++++++++++++++++++++-
 flake.nix | 12 ++
 hosts/archer/#default.nix# | 26 +++
 hosts/archer/default.nix | 13 ++
 hosts/default.nix | 12 +-
 hosts/module.nix | 59 +++++-
 hosts/picard/default.nix | 2 +
 modules/cloudflare-dyndns/default.nix | 1 +
 modules/docker/default.nix | 2 +-
 modules/forgejo-runners/default.nix | 217 ++++++++++++++++++++--
 modules/macos-ventura/default.nix | 14 ++
 modules/matrix/default.nix | 20 +-
 modules/nix/default.nix | 40 ++--
 modules/transmission/default.nix | 4 +-
 secrets/forgejo-runners-token.age | 52 +++---
 secrets/matrix-sliding-sync-secret.age | 30 +++
 secrets/secrets.nix | 1 +
 17 files changed, 675 insertions(+), 74 deletions(-)
 create mode 100644 hosts/archer/#default.nix#
 create mode 100644 hosts/archer/default.nix
 create mode 100644 modules/macos-ventura/default.nix
 create mode 100644 secrets/matrix-sliding-sync-secret.age

diff --git a/flake.lock b/flake.lock
index f845836..b1b0b16 100644
--- a/flake.lock
+++ b/flake.lock
@@ -361,6 +361,63 @@ "inputs": { "nixpkgs-lib": "nixpkgs-lib_3" }, + "locked": { + "lastModified": 1698882062, + "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_6": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_4" + }, + "locked": { + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_7": { + "inputs": { + "nixpkgs-lib": [ + "nixThePlanet", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "flake-parts_8": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_5" + }, "locked": { "lastModified": 1678379998, "narHash": "sha256-TZdfNqftHhDuIFwBcN9MUThx5sQXCTeZk9je5byPKRw=", @@ -524,6 +581,25 @@ "type": "github" } }, + "hercules-ci-effects_3": { + "inputs": { + "flake-parts": "flake-parts_7", + "nixpkgs": "nixpkgs_8" + }, + "locked": { + "lastModified": 1701009247, + "narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -624,6 +700,72 @@ "type": "github" } }, + "nix-fast-build": { + "inputs": { + "flake-parts": "flake-parts_5", + "nixpkgs": [ + "nixpkgsUnstable" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1703607026, + "narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=", + "owner": "Mic92", + "repo": "nix-fast-build", + "rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-fast-build", + "type": "github" + } + }, + "nixDarwin": { + "inputs": { + "nixpkgs": [ + "nixpkgsUnstable" + ] + }, + "locked": { + "lastModified": 1707707289, + "narHash": "sha256-YuDt/eSTXMEHv8jS8BEZJgqCcG8Tr3cyqaZjJFXZHsw=", + "owner": "LnL7", + "repo": "nix-darwin", + "rev": "44f50a5ecaab72a61d5fd8e5c5717bc4bf9c25dd", + "type": "github" + }, + "original": { + "owner": "LnL7", + "repo": "nix-darwin", + "type": "github" + } + }, + "nixThePlanet": { + "inputs": { + "flake-parts": "flake-parts_6", + "hercules-ci-effects": "hercules-ci-effects_3", + "nixpkgs": [ + "nixpkgsUnstable" + ], + "osx-kvm": "osx-kvm" + }, + "locked": { + "lastModified": 1708168451, + "narHash": "sha256-loWlwexnfQGFsEHeJbXpWbnmeDFkBwZB38+4BkUcGhM=", + "owner": "aciceri", + "repo": "NixThePlanet", + "rev": "e8c91035d01f5082ccf30e351dcd993a5b480a72", + "type": "github" + }, + "original": { + "owner": "aciceri", + "ref": "nix-in-darwin", + "repo": "NixThePlanet", + "type": "github" + } + }, "nixosHardware": { "locked": { "lastModified": 1706182238, 
@@ -708,6 +850,42 @@ } }, "nixpkgs-lib_3": { + "locked": { + "dir": "lib", + "lastModified": 1698611440, + "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib_4": { + "locked": { + "dir": "lib", + "lastModified": 1701253981, + "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib_5": { "locked": { "dir": "lib", "lastModified": 1678375444, @@ -870,6 +1048,22 @@ } }, "nixpkgs_8": { + "locked": { + "lastModified": 1697723726, + "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_9": { "locked": { "lastModified": 1678470307, "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=", @@ -900,6 +1094,22 @@ "type": "github" } }, + "osx-kvm": { + "flake": false, + "locked": { + "lastModified": 1701316418, + "narHash": "sha256-Sk8LYhFovoMX1ln7DWYArJQphW2a4h8Xg7/ZEZXwZv4=", + "owner": "kholia", + "repo": "OSX-KVM", + "rev": "09daff670a7eb9ff616073df329586c5995623a9", + "type": "github" + }, + "original": { + "owner": "kholia", + "repo": "OSX-KVM", + "type": "github" + } + }, "panfork": { "flake": false, "locked": { 
@@ -984,13 +1194,13 @@ "rock5b": { "inputs": { "fan-control": "fan-control", - "flake-parts": "flake-parts_5", + "flake-parts": "flake-parts_8", "kernel-src": "kernel-src", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "nixpkgs-kernel": "nixpkgs-kernel", "panfork": "panfork", "tow-boot": "tow-boot", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1685695782, @@ -1018,13 +1228,16 @@ "homeManager": "homeManager", "homeManagerGitWorkspace": "homeManagerGitWorkspace", "homeManagerSwayNC": "homeManagerSwayNC", + "nix-fast-build": "nix-fast-build", + "nixDarwin": "nixDarwin", + "nixThePlanet": "nixThePlanet", "nixosHardware": "nixosHardware", "nixpkgsStable": "nixpkgsStable", "nixpkgsUnstable": "nixpkgsUnstable", "nur": "nur", "pre-commit-hooks": "pre-commit-hooks", "rock5b": "rock5b", - "treefmt-nix": "treefmt-nix_2" + "treefmt-nix": "treefmt-nix_3" } }, "slimlock": { @@ -1112,6 +1325,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1698438538, + "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "rock5b", @@ -1132,7 +1366,7 @@ "type": "github" } }, - "treefmt-nix_2": { + "treefmt-nix_3": { "inputs": { "nixpkgs": [ "nixpkgsUnstable" diff --git a/flake.nix b/flake.nix index 84b47c3..60d92e0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -44,6 +44,18 @@ hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects"; dream2nix.url = "github:nix-community/dream2nix"; hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent"; + nix-fast-build = { + url = "github:Mic92/nix-fast-build"; + inputs.nixpkgs.follows = "nixpkgsUnstable"; + }; + nixThePlanet = { + url = "github:aciceri/NixThePlanet/nix-in-darwin"; + inputs.nixpkgs.follows = "nixpkgsUnstable"; + }; + nixDarwin = { + url = "github:LnL7/nix-darwin"; + inputs.nixpkgs.follows = "nixpkgsUnstable"; + }; }; outputs = inputs @ {flakeParts, ...}: diff --git a/hosts/archer/#default.nix# b/hosts/archer/#default.nix# new file mode 100644 index 0000000..cbde1a4 --- /dev/null +++ b/hosts/archer/#default.nix# @@ -0,0 +1,26 @@ +{pkgs, ...}: { + # $ nix-env -qaP | grep wget + environment.systemPackages = + [ pkgs.vim + ]; + + # # Auto upgrade nix package and the daemon service. + # services.nix-daemon.enable = true; + # # nix.package = pkgs.nix; + + # # Necessary for using flakes on this system. + # nix.settings.experimental-features = "nix-command flakes"; + + # # Create /etc/zshrc that loads the nix-darwin environment. + # programs.zsh.enable = true; # default shell on catalina + # # programs.fish.enable = true; + + # # # Set Git commit hash for darwin-version. + # # system.configurationRevision = self.rev or self.dirtyRev or null; + + # # Used for backwards compatibility, please read the changelog before changing. + # # $ darwin-rebuild changelog + # system.stateVersion = 4; + + # # The platform the configuration will be used on. +} diff --git a/hosts/archer/default.nix b/hosts/archer/default.nix new file mode 100644 index 0000000..e3adb84 --- /dev/null +++ b/hosts/archer/default.nix @@ -0,0 +1,13 @@ +{pkgs, ...}: { + environment.systemPackages = [ + pkgs.vim + ]; + + nix.settings.experimental-features = "nix-command flakes"; + + programs.fish.enable = true; + + services.nix-daemon.enable = true; + + nixpkgs.hostPlatform = "x86_64-darwin"; +} 
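Review bot: `nixThePlanet` is pinned to a branch of a personal fork (`github:aciceri/NixThePlanet/nix-in-darwin`), so `nix flake update` will follow whatever that branch becomes; a short comment on why the branch is needed and when to move back to upstream would help the next reader. Its nested inputs are only partly deduplicated: `inputs.nixpkgs` follows `nixpkgsUnstable`, but the lock in this same commit shows it still pulling its own `hercules-ci-effects_3` with a separate `nixpkgs_8`, although this flake already has a `hercules-ci-effects` input, so `inputs.hercules-ci-effects.follows = "hercules-ci-effects";` under `nixThePlanet` would drop one nixpkgs copy. The `inputs` attrset this hunk sits in starts outside the hunk.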
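Review bot: `hosts/archer/#default.nix#` is an Emacs auto-save file (the `#name#` pattern), not a source file: it is the nix-darwin template with every line except `environment.systemPackages` commented out, and nothing on the page imports it (`_mkDarwinConfiguration` loads `hosts/<name>`, which resolves to `default.nix`). It should be dropped from the commit, and a `\#*\#` entry in `.gitignore` would keep it from coming back.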
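Review bot: `nixpkgs.hostPlatform = "x86_64-darwin";` in hosts/archer/default.nix duplicates what `_mkDarwinConfiguration` in hosts/module.nix already sets from the host's `system` option (`nixpkgs.hostPlatform = config.system;`); the two definitions only agree because both use the default, so either drop the line here or add `# kept so the file also evaluates standalone with darwin-rebuild` if that is the reason. A one-line header comment naming this as the Darwin guest that the macos-ventura module runs on picard (`darwinConfig = fleetFlake.darwinConfigurations.archer`) would orient readers, since the file itself gives no hint of where it is used.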
diff --git a/hosts/default.nix b/hosts/default.nix index 09b3afb..3d36331 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -8,6 +8,9 @@ imports = [./module.nix]; fleet = { + darwinHosts.archer = { + }; + hosts = { # thinkpad = { # extraModules = with inputs; [ @@ -99,6 +102,7 @@ }; extraModules = [ inputs.disko.nixosModules.disko + inputs.nixThePlanet.nixosModules.macos-ventura # inputs.hercules-ci-agent.nixosModules.agent-service ]; extraHmModules = [ @@ -117,7 +121,7 @@ "autistici-password".owner = "ccr"; "restic-hetzner-password" = {}; "aws-credentials".owner = "hercules-ci-agent"; - "forgejo-runners-token".owner = "forgejo-runners"; + "forgejo-runners-token".owner = "nixuser"; }; }; @@ -145,6 +149,7 @@ "aws-credentials".owner = "hercules-ci-agent"; "hass-ssh-key".owner = "hass"; "matrix-registration-shared-secret".owner = "matrix-synapse"; + "matrix-sliding-sync-secret".owner = "matrix-synapse"; }; }; }; @@ -161,4 +166,9 @@ lib.mapAttrs config.fleet._mkNixosConfiguration config.fleet.hosts; + + flake.darwinConfigurations = + lib.mapAttrs + config.fleet._mkDarwinConfiguration + config.fleet.darwinHosts; } diff --git a/hosts/module.nix b/hosts/module.nix index 2e039bf..a1da41a 100644 --- a/hosts/module.nix +++ b/hosts/module.nix 
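Review bot: In the `@@ -117` hunk the token file's owner becomes `nixuser`, but nothing on the host reads it as that user: `nixuser` is the account created for jobs inside the runner image, and the `gitea-runner-nix*` units in modules/forgejo-runners/default.nix run with `DynamicUser = true`. If the gitea-actions-runner module hands `tokenFile` to systemd (`EnvironmentFile=`), the owner is irrelevant and the change is only misleading; if the runner process opens the file itself, the dynamic user will not be able to read a file owned by nixuser, so this should be confirmed against the module. Either way a comment such as `# loaded by systemd for gitea-runner-nix*; the owner only documents the consumer` (or reverting the owner) would make the intent clear. The `secrets` attrset this hunk sits in starts outside the hunk.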
@@ -8,10 +8,46 @@ config, inputs, ... -}: let +} @ flakePartsArgs: let cfg = config.fleet; in { options.fleet = { + darwinHosts = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { + options = { + name = lib.mkOption { + description = "Host name"; + type = lib.types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$"; + default = name; + }; + system = lib.mkOption { + description = "NixOS architecture (a.k.a. system)"; + type = lib.types.str; + default = "x86_64-darwin"; + }; + nixpkgs = lib.mkOption { + description = "Used nixpkgs"; + type = lib.types.anything; + default = inputs.nixpkgsUnstable; + }; + extraModules = lib.mkOption { + description = "Extra NixOS modules"; + type = lib.types.listOf lib.types.deferredModule; + default = []; + }; + overlays = lib.mkOption { + description = "Enabled Nixpkgs overlays"; + type = lib.types.listOf (lib.mkOptionType { + name = "nixpkgs-overlay"; + description = "nixpkgs overlay"; + check = lib.isFunction; + merge = lib.mergeOneOption; + }); + default = []; + }; + }; + })); + }; hosts = lib.mkOption { description = "Host configuration"; type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { 
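Review bot: The option descriptions under `darwinHosts` are copied from `hosts` and still say NixOS: `system` reads `"NixOS architecture (a.k.a. system)"` while defaulting to `x86_64-darwin`, and `extraModules` reads `"Extra NixOS modules"`; they should read `description = "Darwin architecture (a.k.a. system)";` and `description = "Extra nix-darwin modules";`. Unlike `hosts` (`description = "Host configuration"`), the `darwinHosts` option itself has no description; `description = "Darwin host configuration";` next to its `type` would keep the two consistent. The `options.fleet` attrset this hunk opens continues past the end of the hunk.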
@@ -183,8 +219,29 @@ in { fleetHmModules = builtins.map (moduleName: "${self.outPath}/hmModules/${moduleName}"); fleetFlake = self; vpn = cfg.vpnExtra // (lib.mapAttrs (_: host: host.vpn) cfg.hosts); + inherit (flakePartsArgs.config.allSystems.${config.system}.allModuleArgs.config._module.args) inputs'; }; }; }; + _mkDarwinConfiguration = lib.mkOption { + description = "Function returning a proper Darwin configuration"; + type = lib.types.functionTo (lib.types.functionTo lib.types.attrs); # TODO improve this type + internal = true; + default = hostname: config: + inputs.nixDarwin.lib.darwinSystem { + modules = [ + ({ + lib, + pkgs, + ... + }: { + networking.hostName = lib.mkForce hostname; + nixpkgs.overlays = config.overlays; + nixpkgs.hostPlatform = config.system; + }) + "${self.outPath}/hosts/${hostname}" + ]; + }; + }; }; } diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index 2175678..cd8db46 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -35,6 +35,8 @@ "syncthing" "hass-poweroff" "forgejo-runners" + "teamviewer" + "macos-ventura" ] ++ [ ./disko.nix diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix index d9c40b5..4b8e74a 100644 --- a/modules/cloudflare-dyndns/default.nix +++ b/modules/cloudflare-dyndns/default.nix @@ -13,6 +13,7 @@ "vpn.aciceri.dev" "cache.aciceri.dev" "matrix.aciceri.dev" + "syncv3.matrix.aciceri.dev" ]; apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path; }; diff --git a/modules/docker/default.nix b/modules/docker/default.nix index c29f292..70feed8 100644 --- a/modules/docker/default.nix +++ b/modules/docker/default.nix @@ -10,5 +10,5 @@ docker-compose podman-compose ]; - ccr.extraGroups = ["docker"]; + ccr.extraGroups = ["docker" "podman"]; } diff --git a/modules/forgejo-runners/default.nix b/modules/forgejo-runners/default.nix index 3c5742e..b7c086e 100644 --- a/modules/forgejo-runners/default.nix +++ b/modules/forgejo-runners/default.nix 
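Review bot: `_mkDarwinConfiguration` ignores two of the options declared on `darwinHosts` in the previous hunk: `modules` lists only the inline module and `hosts/${hostname}`, so a host's `extraModules` never reaches `darwinSystem`, and `config.nixpkgs` is not used at all. Either wire them up, `modules = [ … ] ++ config.extraModules;`, or drop the unused options so the interface does not promise what it does not do. The added `inputs'` line reaches into flake-parts internals (`allSystems.${config.system}.allModuleArgs.config._module.args`), which are not part of its public interface; flake-parts exposes `withSystem config.system ({inputs', ...}: …)` for this and is less likely to break on an input update. `pkgs` in the inline module's argument set is unused. The `_mkNixosConfiguration` default this hunk starts in, and the outer `options.fleet` attrset, both begin outside the hunk.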
@@ -1,25 +1,206 @@ +# heavily based on https://discourse.nixos.org/t/gitea-nix-actions-runner-setup/35279 { config, + inputs', + pkgs, lib, ... -}: { - users.users.forgejo-runners = { - isSystemUser = true; - group = "forgejo-runners"; - }; +}: let + storeDeps = pkgs.runCommand "store-deps" {} '' + mkdir -p $out/bin + for dir in ${toString [pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs inputs'.nix-fast-build.packages.nix-fast-build]}; do + for bin in "$dir"/bin/*; do + ln -s "$bin" "$out/bin/$(basename "$bin")" + done + done - users.groups.forgejo-runners = {}; + # Add SSL CA certs + mkdir -p $out/etc/ssl/certs + cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt + ''; + numInstances = 1; + pushToCache = pkgs.writeScript "push-to-cache.sh" '' + #!/bin/sh + set -eu + set -f # disable globbing + export IFS=' ' - services.gitea-actions-runner.instances.test = { - enable = true; - name = "test"; - url = "https://git.aciceri.dev"; - tokenFile = config.age.secrets.forgejo-runners-token.file; - labels = ["test"]; - }; + echo "Uploading paths" $OUT_PATHS + exec nix copy --to "s3://cache?profile=default®ion=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" $OUT_PATHS + ''; +in + lib.mkMerge [ + { + # everything here has no dependencies on the store + systemd.services.gitea-runner-nix-image = { + wantedBy = ["multi-user.target"]; + after = ["podman.service"]; + requires = ["podman.service"]; + path = [config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent]; + # we also include etc here because the cleanup job also wants the nixuser to be present + script = '' + set -eux -o pipefail + mkdir -p etc/nix - systemd.services.gitea-runner-test.serviceConfig = { - User = lib.mkForce "forgejo-runners"; - Group = lib.mkForce "forgejo-runners"; - }; -} + # Create an unpriveleged user that we can use also without the run-as-user.sh script + touch etc/passwd etc/group + 
groupid=$(cut -d: -f3 < <(getent group nixuser)) + userid=$(cut -d: -f3 < <(getent passwd nixuser)) + groupadd --prefix $(pwd) --gid "$groupid" nixuser + emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.' + useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser + + cat < etc/nix/nix.conf + accept-flake-config = true + experimental-features = nix-command flakes + post-build-hook = ${pushToCache} + NIX_CONFIG + + cat < etc/nsswitch.conf + passwd: files mymachines systemd + group: files mymachines systemd + shadow: files + + hosts: files mymachines dns myhostname + networks: files + + ethers: files + services: files + protocols: files + rpc: files + NSSWITCH + + # list the content as it will be imported into the container + tar -cv . | tar -tvf - + tar -cv . | podman import - gitea-runner-nix + ''; + serviceConfig = { + RuntimeDirectory = "gitea-runner-nix-image"; + WorkingDirectory = "/run/gitea-runner-nix-image"; + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + + users.users.nixuser = { + group = "nixuser"; + description = "Used for running nix ci jobs"; + home = "/var/empty"; + isSystemUser = true; + # extraGroups = [ "podman" ]; + }; + users.groups.nixuser = {}; + } + { + # Format of the token file: + virtualisation = { + podman.enable = true; + }; + + # virtualisation.containers.storage.settings = { + # storage.driver = "zfs"; + # storage.graphroot = "/var/lib/containers/storage"; + # storage.runroot = "/run/containers/storage"; + # storage.options.zfs.fsname = "zroot/root/podman"; + # }; + + # virtualisation.containers.containersConf.settings = { + # # podman seems to not work with systemd-resolved + # containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; + # }; + } + { + systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: { + # TODO: systemd confinment + serviceConfig = { + # 
Hardening (may overlap with DynamicUser=) + # The following options are only for optimizing output of systemd-analyze + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + UMask = "0066"; + ProtectProc = "invisible"; + SystemCallFilter = [ + "~@clock" + "~@cpu-emulation" + "~@module" + "~@mount" + "~@obsolete" + "~@raw-io" + "~@reboot" + "~@swap" + # needed by go? + #"~@resources" + "~@privileged" + "~capset" + "~setdomainname" + "~sethostname" + ]; + RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK"]; + + # Needs network access + PrivateNetwork = false; + # Cannot be true due to Node + MemoryDenyWriteExecute = false; + + # The more restrictive "pid" option makes `nix` commands in CI emit + # "GC Warning: Couldn't read /proc/stat" + # You may want to set this to "pid" if not using `nix` commands + ProcSubset = "all"; + # Coverage programs for compiled code such as `cargo-tarpaulin` disable + # ASLR (address space layout randomization) which requires the + # `personality` syscall + # You may want to set this to `true` if not using coverage tooling on + # compiled code + LockPersonality = false; + + # Note that this has some interactions with the User setting; so you may + # want to consult the systemd docs if using both. 
+ DynamicUser = true; + }; + }); + + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: { + enable = true; + name = "nix-runner"; + # take the git root url from the gitea config + # only possible if you've also configured your gitea though the same nix config + # otherwise you need to set it manually + url = "https://git.aciceri.dev"; + # use your favourite nix secret manager to get a path for this + tokenFile = config.age.secrets.forgejo-runners-token.path; + labels = ["nix:docker://gitea-runner-nix"]; + settings = { + container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm"; + # the default network that also respects our dns server settings + container.network = "host"; + container.valid_volumes = [ + "/nix" + "${storeDeps}/bin" + "${storeDeps}/etc/ssl" + ]; + }; + }); + }; + } + ] diff --git a/modules/macos-ventura/default.nix b/modules/macos-ventura/default.nix new file mode 100644 index 0000000..128729b --- /dev/null +++ b/modules/macos-ventura/default.nix @@ -0,0 +1,14 @@ +{fleetFlake, ...}: { + services.macos-ventura = { + enable = true; + cores = 8; + threads = 8; + mem = "8G"; + vncListenAddr = "0.0.0.0"; + extraQemuFlags = ["-nographic"]; + sshPort = 2021; + installNix = true; + stateless = true; + darwinConfig = fleetFlake.darwinConfigurations.archer; + }; +} diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 0478717..5fc24b1 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix 
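Review bot: `container.options` bind-mounts the whole host `/nix` (daemon socket included) into the job container while the image's nix.conf sets `accept-flake-config = true`, so any `nixConfig` in a checked-out flake is applied without confirmation and the job talks to the host daemon as `nixuser`; what that can actually change depends on the host daemon's `trusted-users`/`allowed-users` in modules/nix/default.nix, outside this hunk, so a comment stating that `nixuser` is deliberately not a trusted user (or that it is, and why) belongs next to the mount. The same `container.options` line passes the KVM device twice (`--device /dev/kvm` and, at the end, `--device=/dev/kvm`); one should go. As rendered here the image script reads `cat < etc/nix/nix.conf … NIX_CONFIG` and `cat < etc/nsswitch.conf … NSSWITCH`; if the `<<NIX_CONFIG >` / `<<NSSWITCH >` heredoc redirections really are missing in the committed file, `set -e` stops the script at that line, so confirm this is only a rendering artifact. The comment `# Format of the token file:` in the second `mkMerge` element is left empty; finish it (the module presumably expects an environment-file line such as `TOKEN=…`) or drop it. The `name` bound by the `genAttrs` lambda for `instances` is unused, so every instance registers as `"nix-runner"`, which only matters once `numInstances` is raised.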
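Review bot: `vncListenAddr = "0.0.0.0"` in modules/macos-ventura/default.nix exposes the guest's VNC console on every interface of the host, and nothing in this file restricts who may connect; unless the host firewall is known to block that port, bind it to loopback or the VPN address instead, e.g. `vncListenAddr = "127.0.0.1";`, and reach it over SSH or the VPN. A one-line comment on `sshPort = 2021` saying which side of the host/guest boundary the port is on would also help, since the option name alone does not say.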
@@ -4,7 +4,10 @@ pkgs, ... }: let - clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev"; + clientConfig = { + "m.homeserver".base_url = "https://matrix.aciceri.dev"; + "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev"; + }; serverConfig."m.server" = "matrix.aciceri.dev:443"; mkWellKnown = data: '' default_type application/json; @@ -48,6 +51,7 @@ in { services.matrix-synapse = { enable = true; dataDir = "/mnt/hd/matrix-synapse"; + configureRedisLocally = true; settings = { server_name = "aciceri.dev"; public_baseurl = "https://matrix.aciceri.dev"; @@ -79,4 +83,18 @@ in { enable = true; databases = ["matrix-synapse"]; }; + + services.matrix-sliding-sync = { + enable = true; + environmentFile = config.age.secrets.matrix-sliding-sync-secret.path; + settings = { + SYNCV3_SERVER = "http://localhost:8008"; + }; + }; + + services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER; + }; } diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 1568d5c..071851b 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -2,11 +2,14 @@ config, lib, fleetFlake, + pkgs, ... }: { nix = { optimise.automatic = true; + package = pkgs.nixUnstable; + settings = { auto-optimise-store = true; trusted-users = [ 
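Review bot: In the `@@ -79` hunk the new `syncv3.matrix.aciceri.dev` vhost proxies to `config.services.matrix-sliding-sync.settings.SYNCV3_SERVER`, which the same hunk sets to `http://localhost:8008` — that is Synapse's own listener, not the sliding-sync proxy, so the `org.matrix.msc3575.proxy` URL advertised in the `@@ -4` hunk ends up sending clients to plain Synapse. The proxy listens on its own bind address (`SYNCV3_BINDADDR`, which the nixpkgs module defaults to `127.0.0.1:8009` as far as I recall); proxy to that instead: `locations."/".proxyPass = "http://${config.services.matrix-sliding-sync.settings.SYNCV3_BINDADDR}";`, and set `SYNCV3_BINDADDR` explicitly next to `SYNCV3_SERVER` so the dependency is visible. The `environmentFile` presumably carries `SYNCV3_SECRET`; a comment saying so would document what the new age secret must contain.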
@@ -66,24 +69,23 @@ }; distributedBuilds = true; - buildMachines = - (lib.lists.optional (config.networking.hostName == "picard") { - hostName = "sisko.fleet"; - system = "aarch64-linux"; - maxJobs = 4; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; - protocol = "ssh-ng"; - sshUser = "root"; - sshKey = "/home/${config.ccr.username}/.ssh/id_rsa"; - }) - ++ (lib.lists.optional (config.networking.hostName == "picard") { - hostName = "mac.staging.mlabs.city"; - system = "x86_64-darwin"; - maxJobs = 4; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; - protocol = "ssh-ng"; - sshUser = "root"; - sshKey = "/home/${config.ccr.username}/.ssh/id_rsa"; - }); + buildMachines = lib.lists.optional (config.networking.hostName == "picard") { + hostName = "sisko.fleet"; + system = "aarch64-linux"; + maxJobs = 4; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + protocol = "ssh-ng"; + sshUser = "root"; + sshKey = "/home/${config.ccr.username}/.ssh/id_rsa"; + }; + # ++ (lib.lists.optional (config.networking.hostName == "picard") { + # hostName = "mac.staging.mlabs.city"; + # system = "x86_64-darwin"; + # maxJobs = 4; + # supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + # protocol = "ssh-ng"; + # sshUser = "root"; + # sshKey = "/home/${config.ccr.username}/.ssh/id_rsa"; + # }); }; } diff --git a/modules/transmission/default.nix b/modules/transmission/default.nix index 575da82..8af0001 100644 --- a/modules/transmission/default.nix +++ b/modules/transmission/default.nix @@ -21,8 +21,8 @@ upload-slots-per-torrent = 1000; - alt-speed-up = 1000; # 1MB/s - alt-speed-down = 2000; # 3MB/s + alt-speed-up = 300000; # 300MB/s + alt-speed-down = 500000; # 500MB/s alt-speed-time-enabled = true; alt-speed-time-begin = 540; # 9AM, minutes after midnight alt-speed-time-end = 1380; # 11PM diff --git a/secrets/forgejo-runners-token.age b/secrets/forgejo-runners-token.age index c50ffc1..5fa9e0b 100644 
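Review bot: The `@@ -66` hunk keeps the removed `mac.staging.mlabs.city` builder as a nine-line commented-out block after `buildMachines`; git history already preserves it, and commented code next to a live attribute tends to rot, so delete it or, if it is meant to return, replace the block with a single `# mac.staging builder disabled: <reason, constructed placeholder>`. The surviving `sisko.fleet` entry is unchanged apart from the re-indent. The `nix` attrset this hunk sits in starts outside the hunk.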
--- a/secrets/forgejo-runners-token.age
+++ b/secrets/forgejo-runners-token.age
@@ -1,29 +1,29 @@ age-encryption.org/v1 -> ssh-rsa /AagBw -Z16SvgU6/7dOl+1UxJkOjXGRWzj6EwS2Df+4PwSaxraCN3bZmFKbS/XoHKfrl+IM -HWLtHspDOCFVDoncA4RrhjhFmZFXEYHLQhvaK6br274ALahEPf3kNZWfHntVKJyy -wLyBnGpW5hscln1X/NSC0xXkUKfmZAE6lkpFj/C3TUZpIKnQ6LFpyGs5mAj6PEuY -amPVOotBSGgbJQed8JpmWcX8XiO05cfPEi6oSiDkauXKGVSzWfXk3GSChzBl/Y2a -8llIvJ9BNy6cFC0d7pZBJrpV1FXlDxo6LxkC6WeUzMJH7s44UvOhVbjPp0dNjLLD -AqYotOWm6r4KMBlpUU8q+9t4ipBRDYhxEgjZyuEfwXcXilJJ0IYYLwGSlkTFbGUQ -RwiZnRHbdHrpkysTRemLbZl4ZqvCcV9k+uGDaVLNnYZoXmO1jd3A49lr4Pg31niQ -wdfEhbQF2m3ERERiNgz/FkO2jXp8uRKPvFnkFkeE5rf3p7rA8iNdAAIKOkMtqn23 -u5RRNDXx547Z47C7DaXpzu91wa7cp1PmAgsuvvO0+7EWCIkZh+CsSuJqQwFbGuTf -RUK/cxLjU3M/1WyedNaWRt4g6WfbBGptuLJgGV7dAR+4sJdNTD2wCeovmBnAjk4z -uz0BrfQjkLgFk8h2/nNShCshHqjo6WgbS/0uhHyVFCA +Fj/1xLPhucklZ7WD60a+Rtj1k7V3ttBj+B8yrpD+D8rdXRIKLHaBCRRuRcyJD7QD +Qb+GkOFGJqbMaOOt7Xy5OJcz6M5T41fbvKQOQK19ZmrsNuFwMlDQNwCL519WroGw +PsKSip4nJOhlWgOfbHM3hlbsFCPuT79Di+zOBDXJYiui+Skkl18+EyC+4dJ7gwuI +7nWVy2KuJMdX5a7r3rqGSinoWHCRBLAOVVooQQq59THHymJga7a9L6e/YT5md+A7 +fhIJRdn5593yvH4AOoaQDOBhW0D9HL/rhyJi3CRzPIOqyyO3L/4C+qck8CwXrKAu +1PK3GsXRvTk5x8bUCnZoosNgxLfKh0tH8Eg+fkZ7NX1pdLtyS0+jHEnfXP3R9+c8 +NS+BZtY3lp3QunF6tDJi6xTwjyAjLaPNxQW1jnV0ItiPdf4dHacymyWpdgHfmOGo +7RlHlcsQUa+Q6iukZo2sw0tsq7zDvlYOO6ZBz4G/VEPk4IgamlMzTcdZvEQLmV0B +6ht2+cgQ5Z128a6rIEIUqmsU6LB3HsFcJ9fxikQEQsGG86RTkcfmQ8fnai+fWkGn +L8YNAwLc0O7SX7G+oeb7+Rn9OHf7z/8WQ+EuipYueluG4blMx8nluR9zaHbj3sup +a5qyGRUrLIkMYGENkn67WlPPh5mucNrru4s837a0GvE -> ssh-rsa QHr3/A -EoP1VXE5X5h6XHFzfE+vdAQHA92DqOAu+d4DFPTUJMjns3roMcW1Q0p0B288H7zl -lo2Q+9MmQNkSCdeJbAZBirUidr9UHRrQqONHxa9Dc3Q9vx82Z2M+BYJ+wiVyEX3x -8yZwuVl2W0zjQzhSmkymFQJHsMLD8icMH5gQSL2nS38Dbm2qtD0zkUPg4wYchy8p -Yzu9OotRT1AigoSjBgUG4ChlZSLmKFlHPI3Fkh80OsflobhM80jkMDQ1n66G2GLv -0swhI5vBbHbwUbEl0LJpKKsY4zBLm91dIAa4m3L95WNEr21YwplLZ+FV2deExfkZ -rimqEjsS2lJMpul7ondDDuG2u3Wr7tTkKgfotu3+Es8oOtOsvnmhQOZS1uYYK9mu -kiyg3RDo0CN78VN0XSw/oPNxR6xVDA9eNbn4mnXoPf8jZHxJ9mjZ64zusNgN8TuU 
-Yr/GlnJoTOkbjPvqtRDA+uz6ovhq9KIExhDXMAelmoxs3BmAyAXkGX+6f8ds0ZWA -I6hrhaY1hqbnyyNf18pldvi0XhI4CoD3VVCc5qeMN4aSfKM6Sz+vlRiiKY0snwa0 -2OnCbcTJbxFr/niQI27d/T2G8P9LYumY38Ez+FLhCdICTmaCKjzsIkujGzzd/M8l -nWC3BxPuWlvBs3frX5Ujun0UKyqWZCpRNZXNQwWr2L0 --> ssh-ed25519 /WmILg Q88RuUxDh5UDcN6I7sbvIcYnY8sl4wN9e72pk9MKCXo -yd0XyHfUuYAr+gcB2q95JlddvYj61IkweeRH/YA4SYo ---- 3vWlg+QLHC83h7gKBavcsZPVO/twVSbWNhRHQBwnoQA - aLw5$^zdF".'0*'^>ayڲ#oI.q@!Ba!dy[ڣ(Wuk \ No newline at end of file +QuQPqe0bsxz+xdFBdDkZpnUNx9/2utg6QOghWDp2FS4V4bmSwreiwqY8mVvhRdWI +7B7Vh3PHCOsh7V2OGvs3gjeOiHkMSH7N0WeByB2ZHwy9irW24YStZAOrNGpMJT1I +fG/ySYz6TcwmBKhm7iFdlW1HztPLURQR//oCWWwILoZTZpf9K3FUz94vsrIkYiir +DhkYfVh126H1uN1NSzodk581LTkl8tV70uC05GxfjsVlSQyKJOL+cCDuavDlluxD +Tl6pD5fq5iX1Ui+H84DaKqRQd0GpReEmh6QQVcPFshUClsLjgcgkqK1dWgthhueG +J2eA6FmOX50Iyn18jNhtKKlImzZcWCyHobGPOOQcaqswTlC0w13i/wjm/lBH3tOZ +cBUgNBAtyzoU+Qfa7KjbRCg8z61JwieL5R4PFgggxzx8wWwb0Q1vbwzG3R+W67of +U3Vr37lzRoEcZ0uIogkD+QUJH4KujDIiajX74Ik2RLsZJ8mgmTPibnNuhntIntKc +j9K+1cynZyRNvLQs/HOkJTkC4jRuEMztnw3Rlto15ZxfC5hLTlfnl6boixiM+L7t +LeDCs6x2abyMcbwqjp559zXC9G5lXssObJEiYRAoEdJ/L4m2I+IyP9/lUj+z516k +rTmThTezLukBIX65O6bMn0m0FAKiK8+Tc5VrDBfQUok +-> ssh-ed25519 /WmILg gypYkxf3zWRz+NWC9WW0oGm4txFNmb1AmJ82/3oDX34 +5JMgsEsU+YrP0WVu+FJEBBC3Loj2W49j9qJfPa+8OQI +--- Nhwnzj6Kr2OiSXbqqOeS3nJynvvnYLxskjqMEP6SbCc +l^/gڊhԇw[oGjt6wxdP0K鍜*ϋE.Μ5}/n&3n \ No newline at end of file diff --git a/secrets/matrix-sliding-sync-secret.age b/secrets/matrix-sliding-sync-secret.age new file mode 100644 index 0000000..403cc44 --- /dev/null +++ b/secrets/matrix-sliding-sync-secret.age 
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +PbxZQ6iBDuSrJG3CKVPSiAl4OWui9tlAwHL8TzhY+zFm2RauBVxkD+OFEHCXv0jR +raMZitNrvvs5B66Gy48cg5Cz1kWCM72o+zN1f3ZzIvCFa9wVmsOhtc69E7XinzM7 +M8pDiORbQqmO4gP3/h9CXJAL9U31ub05J70Jdl0mIfq/Epkkem2ouN9OwzYsjeUP +/KS8F+/+8ptrpF6PuhptS0gP2jqqEKvCgQwSO4VAHMwMiRB+okC+j/VmnOp6NBdy +fH02ecEYJyqLEOGNcjCb6ExnNL/4HgNC8MpT25OPDi7rIxlWwWP6USqpov1LD+pe +Z7F8ieecVppevZ81WPpXdKgQi5l609jrCVoxXtQ3L3pd08HHhAkyHH6dhzbJ3QIv +sglukBrJSGFpaE1iqqKTVyc4dLOfnTd5iF0WnZ5k9UeDlCafduNWl8AVxkNVvziD +M9/9+vD5WTrkLETSnmzI5ZWgGk1MLfulwDQ0JRpOe+NAEKGnr+5QFZueNJZgnTr9 +z8B4e4YHvsyp5yiLmnhvY/zvwoqZvMduU8DT6c4WXLJBjgxptoU17Skw6pBxOmlF +xOCSJsMqyQ2E3YZYpglMdgxDE1SNHlODE32GFq8wbXN2RyRWFrz8Mj4zdUVh9Xc4 +LaO3HvVBkTTopCELNpLgeuhSpEpgwds0psspYUFMvoc +-> ssh-rsa QHr3/A +QtR91zBRNdFQxTg0j4kOeYfgyk7tolQm8Jb2Vjpq6teLVZYZHUqj0NX5lBH0CIMz +YToMn3e860YnT06y0nkCdG26M7vSkN3KDPRYVjsNBofmd5L21W5Wf59sOTTkUg7o +OK6cbBjYKKBPdD+qhGks02bLyg/JCyAwvILO0Yow2QX8jastB5jfaKpG7BcO181B +/4LDjNGH2fZi0ghKZabKyZxIR+Nz6LI+CfRlG6hnvi9Pm3zj7SRpmfga0uzBtoJw +MH8qRejpvoTsUFiZzReyZK/eQfT8yapd2rYJFBIUk8gh4swd4reNc6Qrgzc+lnI7 +pwLhAEV3DKVPNCwDAG2X4VvoArjMknFUWgA8xTy1jrwxqxp5RWaG9mZNVxyN057s +PUyHcCP1u+2GlMQZ+IqQAQgHF5iP5psz9EMsPuKEsnqxahm/Buo9+TdAk6F0wBqH +H8S/WQ76BAXkqCHlYZ6caXSidu10kbp6VhsHIkEXf5C/lQAUf2cUqP0gAXBKk/em ++jdju/dSKDiOfQUGvrB+ZvDWkfARU4KR1wDU2FsBWEg4KqTGCtiip1xAWyVs2qzk +HxQHdqJWHX8X6uGHMPutd5Kxcqiw/dixHWqsF2JxpFwcdJw8FtFNu/53TqkLLp4c +eR75ieANJgPSFdMZ0iN2VyKk6ef1BeM5fMEJNNFqk2w +-> ssh-ed25519 OgJHCw Ru7jfhtzgiw5p02NAWUAye5LAz8QV4oGGdDUcOX/yVU +jmSZteHQfrdLjrG5FOGuHENHwbcTJylwd3K5d0MQBoE +--- YufP2k3r5d82rW9wZy3ShR1jARNnA2kOtv1W8/VU+Is + 5~L.q89 0D|E?w[y4aEF$O2_,- +ui;1pw% [ d؛KD}$'#[odUj{>!M$ʑ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 331df8f..b292ff3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -22,6 +22,7 @@ in "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk]; "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko]; "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko]; + "matrix-sliding-sync-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko]; "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard]; # WireGuard