Things

modules/cloudflare-dyndns/default.nix

@@ -13,6 +13,7 @@
       "vpn.aciceri.dev"
       "cache.aciceri.dev"
       "matrix.aciceri.dev"
+      "syncv3.matrix.aciceri.dev"
     ];
     apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
   };

modules/docker/default.nix

@@ -10,5 +10,5 @@
     docker-compose
     podman-compose
   ];
-  ccr.extraGroups = ["docker"];
+  ccr.extraGroups = ["docker" "podman"];
 }

modules/forgejo-runners/default.nix

@@ -1,25 +1,206 @@
+# heavily based on https://discourse.nixos.org/t/gitea-nix-actions-runner-setup/35279
 {
   config,
+  inputs',
+  pkgs,
   lib,
   ...
-}: {
-  users.users.forgejo-runners = {
-    isSystemUser = true;
-    group = "forgejo-runners";
-  };
+}: let
+  storeDeps = pkgs.runCommand "store-deps" {} ''
+    mkdir -p $out/bin
+    for dir in ${toString [pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs inputs'.nix-fast-build.packages.nix-fast-build]}; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
 
-  users.groups.forgejo-runners = {};
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
+  numInstances = 1;
+  pushToCache = pkgs.writeScript "push-to-cache.sh" ''
+    #!/bin/sh
+    set -eu
+    set -f # disable globbing
+    export IFS=' '
 
-  services.gitea-actions-runner.instances.test = {
-    enable = true;
-    name = "test";
-    url = "https://git.aciceri.dev";
-    tokenFile = config.age.secrets.forgejo-runners-token.file;
-    labels = ["test"];
-  };
+    echo "Uploading paths" $OUT_PATHS
+    exec nix copy --to "s3://cache?profile=default&region=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" $OUT_PATHS
+  '';
+in
+  lib.mkMerge [
+    {
+      # everything here has no dependencies on the store
+      systemd.services.gitea-runner-nix-image = {
+        wantedBy = ["multi-user.target"];
+        after = ["podman.service"];
+        requires = ["podman.service"];
+        path = [config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent];
+        # we also include etc here because the cleanup job also wants the nixuser to be present
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix
 
-  systemd.services.gitea-runner-test.serviceConfig = {
-    User = lib.mkForce "forgejo-runners";
-    Group = lib.mkForce "forgejo-runners";
-  };
-}
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          post-build-hook = ${pushToCache}
+          NIX_CONFIG
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | podman import - gitea-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      users.users.nixuser = {
+        group = "nixuser";
+        description = "Used for running nix ci jobs";
+        home = "/var/empty";
+        isSystemUser = true;
+        # extraGroups = [ "podman" ];
+      };
+      users.groups.nixuser = {};
+    }
+    {
+      # Format of the token file:
+      virtualisation = {
+        podman.enable = true;
+      };
+
+      # virtualisation.containers.storage.settings = {
+      #   storage.driver = "zfs";
+      #   storage.graphroot = "/var/lib/containers/storage";
+      #   storage.runroot = "/run/containers/storage";
+      #   storage.options.zfs.fsname = "zroot/root/podman";
+      # };
+
+      # virtualisation.containers.containersConf.settings = {
+      #   # podman seems to not work with systemd-resolved
+      #   containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
+      # };
+    }
+    {
+      systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: {
+        # TODO: systemd confinment
+        serviceConfig = {
+          # Hardening (may overlap with DynamicUser=)
+          # The following options are only for optimizing output of systemd-analyze
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          # ProtectClock= adds DeviceAllow=char-rtc r
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            # needed by go?
+            #"~@resources"
+            "~@privileged"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+          RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK"];
+
+          # Needs network access
+          PrivateNetwork = false;
+          # Cannot be true due to Node
+          MemoryDenyWriteExecute = false;
+
+          # The more restrictive "pid" option makes `nix` commands in CI emit
+          # "GC Warning: Couldn't read /proc/stat"
+          # You may want to set this to "pid" if not using `nix` commands
+          ProcSubset = "all";
+          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+          # ASLR (address space layout randomization) which requires the
+          # `personality` syscall
+          # You may want to set this to `true` if not using coverage tooling on
+          # compiled code
+          LockPersonality = false;
+
+          # Note that this has some interactions with the User setting; so you may
+          # want to consult the systemd docs if using both.
+          DynamicUser = true;
+        };
+      });
+
+      services.gitea-actions-runner = {
+        package = pkgs.forgejo-actions-runner;
+        instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: {
+          enable = true;
+          name = "nix-runner";
+          # take the git root url from the gitea config
+          # only possible if you've also configured your gitea though the same nix config
+          # otherwise you need to set it manually
+          url = "https://git.aciceri.dev";
+          # use your favourite nix secret manager to get a path for this
+          tokenFile = config.age.secrets.forgejo-runners-token.path;
+          labels = ["nix:docker://gitea-runner-nix"];
+          settings = {
+            container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+            # the default network that also respects our dns server settings
+            container.network = "host";
+            container.valid_volumes = [
+              "/nix"
+              "${storeDeps}/bin"
+              "${storeDeps}/etc/ssl"
+            ];
+          };
+        });
+      };
+    }
+  ]

modules/macos-ventura/default.nix

@@ -0,0 +1,14 @@
+{fleetFlake, ...}: {
+  services.macos-ventura = {
+    enable = true;
+    cores = 8;
+    threads = 8;
+    mem = "8G";
+    vncListenAddr = "0.0.0.0";
+    extraQemuFlags = ["-nographic"];
+    sshPort = 2021;
+    installNix = true;
+    stateless = true;
+    darwinConfig = fleetFlake.darwinConfigurations.archer;
+  };
+}

modules/matrix/default.nix

@@ -4,7 +4,10 @@
   pkgs,
   ...
 }: let
-  clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+  clientConfig = {
+    "m.homeserver".base_url = "https://matrix.aciceri.dev";
+    "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev";
+  };
   serverConfig."m.server" = "matrix.aciceri.dev:443";
   mkWellKnown = data: ''
     default_type application/json;
@@ -48,6 +51,7 @@ in {
   services.matrix-synapse = {
     enable = true;
     dataDir = "/mnt/hd/matrix-synapse";
+    configureRedisLocally = true;
     settings = {
       server_name = "aciceri.dev";
       public_baseurl = "https://matrix.aciceri.dev";
@@ -79,4 +83,18 @@ in {
     enable = true;
     databases = ["matrix-synapse"];
   };
+
+  services.matrix-sliding-sync = {
+    enable = true;
+    environmentFile = config.age.secrets.matrix-sliding-sync-secret.path;
+    settings = {
+      SYNCV3_SERVER = "http://localhost:8008";
+    };
+  };
+
+  services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER;
+  };
 }

modules/nix/default.nix

@@ -2,11 +2,14 @@
   config,
   lib,
   fleetFlake,
+  pkgs,
   ...
 }: {
   nix = {
     optimise.automatic = true;
 
+    package = pkgs.nixUnstable;
+
     settings = {
       auto-optimise-store = true;
       trusted-users = [
@@ -66,24 +69,23 @@
     };
 
     distributedBuilds = true;
-    buildMachines =
-      (lib.lists.optional (config.networking.hostName == "picard") {
-        hostName = "sisko.fleet";
-        system = "aarch64-linux";
-        maxJobs = 4;
-        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
-        protocol = "ssh-ng";
-        sshUser = "root";
-        sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
-      })
-      ++ (lib.lists.optional (config.networking.hostName == "picard") {
-        hostName = "mac.staging.mlabs.city";
-        system = "x86_64-darwin";
-        maxJobs = 4;
-        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
-        protocol = "ssh-ng";
-        sshUser = "root";
-        sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
-      });
+    buildMachines = lib.lists.optional (config.networking.hostName == "picard") {
+      hostName = "sisko.fleet";
+      system = "aarch64-linux";
+      maxJobs = 4;
+      supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+      protocol = "ssh-ng";
+      sshUser = "root";
+      sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
+    };
+    # ++ (lib.lists.optional (config.networking.hostName == "picard") {
+    #   hostName = "mac.staging.mlabs.city";
+    #   system = "x86_64-darwin";
+    #   maxJobs = 4;
+    #   supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+    #   protocol = "ssh-ng";
+    #   sshUser = "root";
+    #   sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
+    # });
   };
 }

modules/transmission/default.nix

@@ -21,8 +21,8 @@
 
       upload-slots-per-torrent = 1000;
 
-      alt-speed-up = 1000; # 1MB/s
-      alt-speed-down = 2000; # 3MB/s
+      alt-speed-up = 300000; # 300MB/s
+      alt-speed-down = 500000; # 500MB/s
       alt-speed-time-enabled = true;
       alt-speed-time-begin = 540; # 9AM, minutes after midnight
       alt-speed-time-end = 1380; # 11PM