This commit is contained in:
Andrea Ciceri 2024-02-17 15:35:43 +01:00
parent a2681cc220
commit d1b74a5bf6
Signed by: aciceri
SSH key fingerprint: SHA256:/AagBweyV4Hlfg9u092n8hbHwD5fcB6A3qhDiDA65Rg
17 changed files with 675 additions and 74 deletions

244
flake.lock generated

@ -361,6 +361,63 @@
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib_3" "nixpkgs-lib": "nixpkgs-lib_3"
}, },
"locked": {
"lastModified": 1698882062,
"narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_6": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_4"
},
"locked": {
"lastModified": 1701473968,
"narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_7": {
"inputs": {
"nixpkgs-lib": [
"nixThePlanet",
"hercules-ci-effects",
"nixpkgs"
]
},
"locked": {
"lastModified": 1696343447,
"narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-parts_8": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_5"
},
"locked": { "locked": {
"lastModified": 1678379998, "lastModified": 1678379998,
"narHash": "sha256-TZdfNqftHhDuIFwBcN9MUThx5sQXCTeZk9je5byPKRw=", "narHash": "sha256-TZdfNqftHhDuIFwBcN9MUThx5sQXCTeZk9je5byPKRw=",
@ -524,6 +581,25 @@
"type": "github" "type": "github"
} }
}, },
"hercules-ci-effects_3": {
"inputs": {
"flake-parts": "flake-parts_7",
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1701009247,
"narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -624,6 +700,72 @@
"type": "github" "type": "github"
} }
}, },
"nix-fast-build": {
"inputs": {
"flake-parts": "flake-parts_5",
"nixpkgs": [
"nixpkgsUnstable"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1703607026,
"narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=",
"owner": "Mic92",
"repo": "nix-fast-build",
"rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "nix-fast-build",
"type": "github"
}
},
"nixDarwin": {
"inputs": {
"nixpkgs": [
"nixpkgsUnstable"
]
},
"locked": {
"lastModified": 1707707289,
"narHash": "sha256-YuDt/eSTXMEHv8jS8BEZJgqCcG8Tr3cyqaZjJFXZHsw=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "44f50a5ecaab72a61d5fd8e5c5717bc4bf9c25dd",
"type": "github"
},
"original": {
"owner": "LnL7",
"repo": "nix-darwin",
"type": "github"
}
},
"nixThePlanet": {
"inputs": {
"flake-parts": "flake-parts_6",
"hercules-ci-effects": "hercules-ci-effects_3",
"nixpkgs": [
"nixpkgsUnstable"
],
"osx-kvm": "osx-kvm"
},
"locked": {
"lastModified": 1708168451,
"narHash": "sha256-loWlwexnfQGFsEHeJbXpWbnmeDFkBwZB38+4BkUcGhM=",
"owner": "aciceri",
"repo": "NixThePlanet",
"rev": "e8c91035d01f5082ccf30e351dcd993a5b480a72",
"type": "github"
},
"original": {
"owner": "aciceri",
"ref": "nix-in-darwin",
"repo": "NixThePlanet",
"type": "github"
}
},
"nixosHardware": { "nixosHardware": {
"locked": { "locked": {
"lastModified": 1706182238, "lastModified": 1706182238,
@ -708,6 +850,42 @@
} }
}, },
"nixpkgs-lib_3": { "nixpkgs-lib_3": {
"locked": {
"dir": "lib",
"lastModified": 1698611440,
"narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib_4": {
"locked": {
"dir": "lib",
"lastModified": 1701253981,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib_5": {
"locked": { "locked": {
"dir": "lib", "dir": "lib",
"lastModified": 1678375444, "lastModified": 1678375444,
@ -870,6 +1048,22 @@
} }
}, },
"nixpkgs_8": { "nixpkgs_8": {
"locked": {
"lastModified": 1697723726,
"narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1678470307, "lastModified": 1678470307,
"narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=", "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=",
@ -900,6 +1094,22 @@
"type": "github" "type": "github"
} }
}, },
"osx-kvm": {
"flake": false,
"locked": {
"lastModified": 1701316418,
"narHash": "sha256-Sk8LYhFovoMX1ln7DWYArJQphW2a4h8Xg7/ZEZXwZv4=",
"owner": "kholia",
"repo": "OSX-KVM",
"rev": "09daff670a7eb9ff616073df329586c5995623a9",
"type": "github"
},
"original": {
"owner": "kholia",
"repo": "OSX-KVM",
"type": "github"
}
},
"panfork": { "panfork": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -984,13 +1194,13 @@
"rock5b": { "rock5b": {
"inputs": { "inputs": {
"fan-control": "fan-control", "fan-control": "fan-control",
"flake-parts": "flake-parts_5", "flake-parts": "flake-parts_8",
"kernel-src": "kernel-src", "kernel-src": "kernel-src",
"nixpkgs": "nixpkgs_8", "nixpkgs": "nixpkgs_9",
"nixpkgs-kernel": "nixpkgs-kernel", "nixpkgs-kernel": "nixpkgs-kernel",
"panfork": "panfork", "panfork": "panfork",
"tow-boot": "tow-boot", "tow-boot": "tow-boot",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1685695782, "lastModified": 1685695782,
@ -1018,13 +1228,16 @@
"homeManager": "homeManager", "homeManager": "homeManager",
"homeManagerGitWorkspace": "homeManagerGitWorkspace", "homeManagerGitWorkspace": "homeManagerGitWorkspace",
"homeManagerSwayNC": "homeManagerSwayNC", "homeManagerSwayNC": "homeManagerSwayNC",
"nix-fast-build": "nix-fast-build",
"nixDarwin": "nixDarwin",
"nixThePlanet": "nixThePlanet",
"nixosHardware": "nixosHardware", "nixosHardware": "nixosHardware",
"nixpkgsStable": "nixpkgsStable", "nixpkgsStable": "nixpkgsStable",
"nixpkgsUnstable": "nixpkgsUnstable", "nixpkgsUnstable": "nixpkgsUnstable",
"nur": "nur", "nur": "nur",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",
"rock5b": "rock5b", "rock5b": "rock5b",
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_3"
} }
}, },
"slimlock": { "slimlock": {
@ -1112,6 +1325,27 @@
} }
}, },
"treefmt-nix": { "treefmt-nix": {
"inputs": {
"nixpkgs": [
"nix-fast-build",
"nixpkgs"
]
},
"locked": {
"lastModified": 1698438538,
"narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"rock5b", "rock5b",
@ -1132,7 +1366,7 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix_2": { "treefmt-nix_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgsUnstable" "nixpkgsUnstable"


@ -44,6 +44,18 @@
hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects"; hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
dream2nix.url = "github:nix-community/dream2nix"; dream2nix.url = "github:nix-community/dream2nix";
hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent"; hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
nix-fast-build = {
url = "github:Mic92/nix-fast-build";
inputs.nixpkgs.follows = "nixpkgsUnstable";
};
nixThePlanet = {
url = "github:aciceri/NixThePlanet/nix-in-darwin";
inputs.nixpkgs.follows = "nixpkgsUnstable";
};
nixDarwin = {
url = "github:LnL7/nix-darwin";
inputs.nixpkgs.follows = "nixpkgsUnstable";
};
}; };
outputs = inputs @ {flakeParts, ...}: outputs = inputs @ {flakeParts, ...}:
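Review bot: The new `nixThePlanet` input only pins its `nixpkgs` to `nixpkgsUnstable`, so its own `flake-parts` and `hercules-ci-effects` inputs arrive as independent pins — the lock diff in this commit shows them as `flake-parts_6`, `flake-parts_7`, `hercules-ci-effects_3` and a separate full `nixpkgs_8`. This flake already has a `flakeParts` input (visible in the `outputs` pattern on the next line) and `hercules-ci-effects`, so adding `inputs.flake-parts.follows = "flakeParts"; inputs.hercules-ci-effects.follows = "hercules-ci-effects";` under `nixThePlanet` would keep a single nixpkgs revision in the closure and shrink the lock; confirm the input names NixThePlanet declares before relying on them. The `inputs` attribute set continues outside the hunk.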


@ -0,0 +1,26 @@
{pkgs, ...}: {
# $ nix-env -qaP | grep wget
environment.systemPackages =
[ pkgs.vim
];
# # Auto upgrade nix package and the daemon service.
# services.nix-daemon.enable = true;
# # nix.package = pkgs.nix;
# # Necessary for using flakes on this system.
# nix.settings.experimental-features = "nix-command flakes";
# # Create /etc/zshrc that loads the nix-darwin environment.
# programs.zsh.enable = true; # default shell on catalina
# # programs.fish.enable = true;
# # # Set Git commit hash for darwin-version.
# # system.configurationRevision = self.rev or self.dirtyRev or null;
# # Used for backwards compatibility, please read the changelog before changing.
# # $ darwin-rebuild changelog
# system.stateVersion = 4;
# # The platform the configuration will be used on.
}
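Review bot: Almost all of this new file is the nix-darwin starter template left commented out (`services.nix-daemon.enable`, `nix.settings.experimental-features`, `programs.zsh.enable`, `system.stateVersion`), while `hosts/archer/default.nix` in the same commit carries the live settings; the commented lines are dead text that will drift from the real configuration. `system.stateVersion` in particular is a setting nix-darwin expects to be pinned, so it is worth setting explicitly here or in the shared darwin module rather than carrying it as a comment. The file's path is not visible in the rendered page, and the hunk header counts 26 lines while fewer are shown, so some blank lines may be missing from this view.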

13
hosts/archer/default.nix Normal file

@ -0,0 +1,13 @@
{pkgs, ...}: {
environment.systemPackages = [
pkgs.vim
];
nix.settings.experimental-features = "nix-command flakes";
programs.fish.enable = true;
services.nix-daemon.enable = true;
nixpkgs.hostPlatform = "x86_64-darwin";
}
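Review bot: `nixpkgs.hostPlatform = "x86_64-darwin";` duplicates what `_mkDarwinConfiguration` in module.nix already sets from the host's `system` option (default `x86_64-darwin`), so this host now carries a second definition of the same option. Both values are equal today, but if `fleet.darwinHosts.archer.system` is ever changed the two definitions conflict at evaluation time; dropping this line leaves one source of truth. `nix.settings.experimental-features` and `services.nix-daemon.enable` look like every-darwin-host settings rather than archer-specific ones and could live in the inline module of `_mkDarwinConfiguration`, though that is a matter of taste.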


@ -8,6 +8,9 @@
imports = [./module.nix]; imports = [./module.nix];
fleet = { fleet = {
darwinHosts.archer = {
};
hosts = { hosts = {
# thinkpad = { # thinkpad = {
# extraModules = with inputs; [ # extraModules = with inputs; [
@ -99,6 +102,7 @@
}; };
extraModules = [ extraModules = [
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.nixThePlanet.nixosModules.macos-ventura
# inputs.hercules-ci-agent.nixosModules.agent-service # inputs.hercules-ci-agent.nixosModules.agent-service
]; ];
extraHmModules = [ extraHmModules = [
@ -117,7 +121,7 @@
"autistici-password".owner = "ccr"; "autistici-password".owner = "ccr";
"restic-hetzner-password" = {}; "restic-hetzner-password" = {};
"aws-credentials".owner = "hercules-ci-agent"; "aws-credentials".owner = "hercules-ci-agent";
"forgejo-runners-token".owner = "forgejo-runners"; "forgejo-runners-token".owner = "nixuser";
}; };
}; };
@ -145,6 +149,7 @@
"aws-credentials".owner = "hercules-ci-agent"; "aws-credentials".owner = "hercules-ci-agent";
"hass-ssh-key".owner = "hass"; "hass-ssh-key".owner = "hass";
"matrix-registration-shared-secret".owner = "matrix-synapse"; "matrix-registration-shared-secret".owner = "matrix-synapse";
"matrix-sliding-sync-secret".owner = "matrix-synapse";
}; };
}; };
}; };
@ -161,4 +166,9 @@
lib.mapAttrs lib.mapAttrs
config.fleet._mkNixosConfiguration config.fleet._mkNixosConfiguration
config.fleet.hosts; config.fleet.hosts;
flake.darwinConfigurations =
lib.mapAttrs
config.fleet._mkDarwinConfiguration
config.fleet.darwinHosts;
} }
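Review bot: `"forgejo-runners-token".owner = "nixuser";` hands the runner registration token to the same account the CI jobs execute as (`--user nixuser` in the container options in forgejo-runners.nix), rather than to the service that actually reads it. The runner units in this commit use `DynamicUser = true`, and if the NixOS gitea-actions-runner module loads `tokenFile` through systemd as root — I believe it does, via an environment file, please verify — the owner does not need to change at all and the default root-owned secret keeps the token off the job user. The `secrets` attribute set continues outside the hunk.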


@ -8,10 +8,46 @@
config, config,
inputs, inputs,
... ...
}: let } @ flakePartsArgs: let
cfg = config.fleet; cfg = config.fleet;
in { in {
options.fleet = { options.fleet = {
darwinHosts = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
name = lib.mkOption {
description = "Host name";
type = lib.types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
default = name;
};
system = lib.mkOption {
description = "NixOS architecture (a.k.a. system)";
type = lib.types.str;
default = "x86_64-darwin";
};
nixpkgs = lib.mkOption {
description = "Used nixpkgs";
type = lib.types.anything;
default = inputs.nixpkgsUnstable;
};
extraModules = lib.mkOption {
description = "Extra NixOS modules";
type = lib.types.listOf lib.types.deferredModule;
default = [];
};
overlays = lib.mkOption {
description = "Enabled Nixpkgs overlays";
type = lib.types.listOf (lib.mkOptionType {
name = "nixpkgs-overlay";
description = "nixpkgs overlay";
check = lib.isFunction;
merge = lib.mergeOneOption;
});
default = [];
};
};
}));
};
hosts = lib.mkOption { hosts = lib.mkOption {
description = "Host configuration"; description = "Host configuration";
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
@ -183,8 +219,29 @@ in {
fleetHmModules = builtins.map (moduleName: "${self.outPath}/hmModules/${moduleName}"); fleetHmModules = builtins.map (moduleName: "${self.outPath}/hmModules/${moduleName}");
fleetFlake = self; fleetFlake = self;
vpn = cfg.vpnExtra // (lib.mapAttrs (_: host: host.vpn) cfg.hosts); vpn = cfg.vpnExtra // (lib.mapAttrs (_: host: host.vpn) cfg.hosts);
inherit (flakePartsArgs.config.allSystems.${config.system}.allModuleArgs.config._module.args) inputs';
}; };
}; };
}; };
_mkDarwinConfiguration = lib.mkOption {
description = "Function returning a proper Darwin configuration";
type = lib.types.functionTo (lib.types.functionTo lib.types.attrs); # TODO improve this type
internal = true;
default = hostname: config:
inputs.nixDarwin.lib.darwinSystem {
modules = [
({
lib,
pkgs,
...
}: {
networking.hostName = lib.mkForce hostname;
nixpkgs.overlays = config.overlays;
nixpkgs.hostPlatform = config.system;
})
"${self.outPath}/hosts/${hostname}"
];
};
};
}; };
} }
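Review bot: `extraModules` is declared for `darwinHosts` (hunk at `@ -8,10 +8,46 @@`) but `_mkDarwinConfiguration` never passes it to `darwinSystem` — only the inline module and `"${self.outPath}/hosts/${hostname}"` are listed — so any host setting `fleet.darwinHosts.<name>.extraModules` is silently ignored, and the same holds for the `nixpkgs` option. Appending `] ++ config.extraModules;` in place of the closing `];` of the `modules` list makes the option effective. Separately, the option descriptions were copied from the NixOS host options: `"NixOS architecture (a.k.a. system)"` and `"Extra NixOS modules"` should read `"Darwin architecture (a.k.a. system)"` and `"Extra nix-darwin modules"`. The `inherit ... inputs'` line reaches through `_module.args` of flake-parts' per-system config, which is internal surface that a flake-parts update may change; a comment stating why `inputs'` is obtained that way would help the next reader.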


@ -35,6 +35,8 @@
"syncthing" "syncthing"
"hass-poweroff" "hass-poweroff"
"forgejo-runners" "forgejo-runners"
"teamviewer"
"macos-ventura"
] ]
++ [ ++ [
./disko.nix ./disko.nix


@ -13,6 +13,7 @@
"vpn.aciceri.dev" "vpn.aciceri.dev"
"cache.aciceri.dev" "cache.aciceri.dev"
"matrix.aciceri.dev" "matrix.aciceri.dev"
"syncv3.matrix.aciceri.dev"
]; ];
apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path; apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
}; };


@ -10,5 +10,5 @@
docker-compose docker-compose
podman-compose podman-compose
]; ];
ccr.extraGroups = ["docker"]; ccr.extraGroups = ["docker" "podman"];
} }


@ -1,25 +1,206 @@
# heavily based on https://discourse.nixos.org/t/gitea-nix-actions-runner-setup/35279
{ {
config, config,
inputs',
pkgs,
lib, lib,
... ...
}: { }: let
users.users.forgejo-runners = { storeDeps = pkgs.runCommand "store-deps" {} ''
mkdir -p $out/bin
for dir in ${toString [pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs inputs'.nix-fast-build.packages.nix-fast-build]}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
numInstances = 1;
pushToCache = pkgs.writeScript "push-to-cache.sh" ''
#!/bin/sh
set -eu
set -f # disable globbing
export IFS=' '
echo "Uploading paths" $OUT_PATHS
exec nix copy --to "s3://cache?profile=default&region=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" $OUT_PATHS
'';
in
lib.mkMerge [
{
# everything here has no dependencies on the store
systemd.services.gitea-runner-nix-image = {
wantedBy = ["multi-user.target"];
after = ["podman.service"];
requires = ["podman.service"];
path = [config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent];
# we also include etc here because the cleanup job also wants the nixuser to be present
script = ''
set -eux -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
post-build-hook = ${pushToCache}
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "gitea-runner-nix-image";
WorkingDirectory = "/run/gitea-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
users.users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
isSystemUser = true; isSystemUser = true;
group = "forgejo-runners"; # extraGroups = [ "podman" ];
};
users.groups.nixuser = {};
}
{
# Format of the token file:
virtualisation = {
podman.enable = true;
}; };
users.groups.forgejo-runners = {}; # virtualisation.containers.storage.settings = {
# storage.driver = "zfs";
# storage.graphroot = "/var/lib/containers/storage";
# storage.runroot = "/run/containers/storage";
# storage.options.zfs.fsname = "zroot/root/podman";
# };
services.gitea-actions-runner.instances.test = { # virtualisation.containers.containersConf.settings = {
# # podman seems to not work with systemd-resolved
# containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
# };
}
{
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: {
# TODO: systemd confinment
serviceConfig = {
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing output of systemd-analyze
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~@swap"
# needed by go?
#"~@resources"
"~@privileged"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK"];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = true;
};
});
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: {
enable = true; enable = true;
name = "test"; name = "nix-runner";
# take the git root url from the gitea config
# only possible if you've also configured your gitea though the same nix config
# otherwise you need to set it manually
url = "https://git.aciceri.dev"; url = "https://git.aciceri.dev";
tokenFile = config.age.secrets.forgejo-runners-token.file; # use your favourite nix secret manager to get a path for this
labels = ["test"]; tokenFile = config.age.secrets.forgejo-runners-token.path;
labels = ["nix:docker://gitea-runner-nix"];
settings = {
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
}; };
});
systemd.services.gitea-runner-test.serviceConfig = {
User = lib.mkForce "forgejo-runners";
Group = lib.mkForce "forgejo-runners";
}; };
} }
]
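Review bot: `accept-flake-config = true` in the container's `nix.conf` lets every flake the runner evaluates push its own `nixConfig` (extra substituters, keys, sandbox settings) into the build without a prompt; on a forge runner that effectively lets the checked-out repository configure Nix, so it is only acceptable if every repository that can dispatch to the `nix` label is trusted — please record that assumption in a comment next to the line, or drop the setting. Since `/nix` is bind-mounted and the host daemon socket lives under it, which of those settings actually take effect depends on whether `nixuser` is a `trusted-user` of the host daemon; the same question applies to `post-build-hook = ${pushToCache}`, which the host daemon will not read from the container's `nix.conf` — confirm where the hook is expected to run. Minor: `container.options` passes the KVM device twice (`--device /dev/kvm` and `--device=/dev/kvm`); one can go.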


@ -0,0 +1,14 @@
{fleetFlake, ...}: {
services.macos-ventura = {
enable = true;
cores = 8;
threads = 8;
mem = "8G";
vncListenAddr = "0.0.0.0";
extraQemuFlags = ["-nographic"];
sshPort = 2021;
installNix = true;
stateless = true;
darwinConfig = fleetFlake.darwinConfigurations.archer;
};
}
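Review bot: `vncListenAddr = "0.0.0.0";` binds the VM's VNC console to every interface on the host and nothing in this file restricts who can reach it, so unless the host firewall closes that port the macOS console is exposed on whatever networks the host sits on. Binding to loopback or the VPN-only address and reaching it over SSH/VPN is the usual shape, e.g. `vncListenAddr = "127.0.0.1";`. `sshPort = 2021` is a forwarded guest port whose bind behaviour is decided upstream in NixThePlanet and is not visible here; a comment on whether it is meant to be reachable beyond localhost would help.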


@ -4,7 +4,10 @@
pkgs, pkgs,
... ...
}: let }: let
clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev"; clientConfig = {
"m.homeserver".base_url = "https://matrix.aciceri.dev";
"org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev";
};
serverConfig."m.server" = "matrix.aciceri.dev:443"; serverConfig."m.server" = "matrix.aciceri.dev:443";
mkWellKnown = data: '' mkWellKnown = data: ''
default_type application/json; default_type application/json;
@ -48,6 +51,7 @@ in {
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
dataDir = "/mnt/hd/matrix-synapse"; dataDir = "/mnt/hd/matrix-synapse";
configureRedisLocally = true;
settings = { settings = {
server_name = "aciceri.dev"; server_name = "aciceri.dev";
public_baseurl = "https://matrix.aciceri.dev"; public_baseurl = "https://matrix.aciceri.dev";
@ -79,4 +83,18 @@ in {
enable = true; enable = true;
databases = ["matrix-synapse"]; databases = ["matrix-synapse"];
}; };
services.matrix-sliding-sync = {
enable = true;
environmentFile = config.age.secrets.matrix-sliding-sync-secret.path;
settings = {
SYNCV3_SERVER = "http://localhost:8008";
};
};
services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER;
};
} }
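Review bot: The `syncv3.matrix.aciceri.dev` virtual host proxies to `config.services.matrix-sliding-sync.settings.SYNCV3_SERVER`, which is the Synapse address (`http://localhost:8008`), so requests to the sliding-sync hostname go straight to Synapse and bypass the proxy enabled just above; the `org.matrix.msc3575.proxy` URL published in `.well-known` would then point at a server that does not speak sliding sync. `proxyPass` should target the address sliding-sync itself listens on — set `settings.SYNCV3_BINDADDR` explicitly (e.g. `"127.0.0.1:8009"`) and use `locations."/".proxyPass = "http://${config.services.matrix-sliding-sync.settings.SYNCV3_BINDADDR}";`. The `matrix-synapse` and nginx blocks continue outside the hunk.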


@ -2,11 +2,14 @@
config, config,
lib, lib,
fleetFlake, fleetFlake,
pkgs,
... ...
}: { }: {
nix = { nix = {
optimise.automatic = true; optimise.automatic = true;
package = pkgs.nixUnstable;
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = [ trusted-users = [
@ -66,8 +69,7 @@
}; };
distributedBuilds = true; distributedBuilds = true;
buildMachines = buildMachines = lib.lists.optional (config.networking.hostName == "picard") {
(lib.lists.optional (config.networking.hostName == "picard") {
hostName = "sisko.fleet"; hostName = "sisko.fleet";
system = "aarch64-linux"; system = "aarch64-linux";
maxJobs = 4; maxJobs = 4;
@ -75,15 +77,15 @@
protocol = "ssh-ng"; protocol = "ssh-ng";
sshUser = "root"; sshUser = "root";
sshKey = "/home/${config.ccr.username}/.ssh/id_rsa"; sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
}) };
++ (lib.lists.optional (config.networking.hostName == "picard") { # ++ (lib.lists.optional (config.networking.hostName == "picard") {
hostName = "mac.staging.mlabs.city"; # hostName = "mac.staging.mlabs.city";
system = "x86_64-darwin"; # system = "x86_64-darwin";
maxJobs = 4; # maxJobs = 4;
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; # supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
protocol = "ssh-ng"; # protocol = "ssh-ng";
sshUser = "root"; # sshUser = "root";
sshKey = "/home/${config.ccr.username}/.ssh/id_rsa"; # sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
}); # });
}; };
} }
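Review bot: `package = pkgs.nixUnstable;` selects Nix through a top-level alias that nixpkgs has been deprecating in favour of the `pkgs.nixVersions` attribute set; naming the wanted version through `nixVersions` avoids a future evaluation failure when the alias is removed, and a comment on why the default `nix` is not enough would help. The commented-out second `buildMachines` entry (the `mac.staging.mlabs.city` block) is dead configuration kept in source — git history already holds it, so deleting it leaves the `optional` expression easier to read.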


@ -21,8 +21,8 @@
upload-slots-per-torrent = 1000; upload-slots-per-torrent = 1000;
alt-speed-up = 1000; # 1MB/s alt-speed-up = 300000; # 300MB/s
alt-speed-down = 2000; # 3MB/s alt-speed-down = 500000; # 500MB/s
alt-speed-time-enabled = true; alt-speed-time-enabled = true;
alt-speed-time-begin = 540; # 9AM, minutes after midnight alt-speed-time-begin = 540; # 9AM, minutes after midnight
alt-speed-time-end = 1380; # 11PM alt-speed-time-end = 1380; # 11PM


@ -1,29 +1,29 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-rsa /AagBw -> ssh-rsa /AagBw
Z16SvgU6/7dOl+1UxJkOjXGRWzj6EwS2Df+4PwSaxraCN3bZmFKbS/XoHKfrl+IM Fj/1xLPhucklZ7WD60a+Rtj1k7V3ttBj+B8yrpD+D8rdXRIKLHaBCRRuRcyJD7QD
HWLtHspDOCFVDoncA4RrhjhFmZFXEYHLQhvaK6br274ALahEPf3kNZWfHntVKJyy Qb+GkOFGJqbMaOOt7Xy5OJcz6M5T41fbvKQOQK19ZmrsNuFwMlDQNwCL519WroGw
wLyBnGpW5hscln1X/NSC0xXkUKfmZAE6lkpFj/C3TUZpIKnQ6LFpyGs5mAj6PEuY PsKSip4nJOhlWgOfbHM3hlbsFCPuT79Di+zOBDXJYiui+Skkl18+EyC+4dJ7gwuI
amPVOotBSGgbJQed8JpmWcX8XiO05cfPEi6oSiDkauXKGVSzWfXk3GSChzBl/Y2a 7nWVy2KuJMdX5a7r3rqGSinoWHCRBLAOVVooQQq59THHymJga7a9L6e/YT5md+A7
8llIvJ9BNy6cFC0d7pZBJrpV1FXlDxo6LxkC6WeUzMJH7s44UvOhVbjPp0dNjLLD fhIJRdn5593yvH4AOoaQDOBhW0D9HL/rhyJi3CRzPIOqyyO3L/4C+qck8CwXrKAu
AqYotOWm6r4KMBlpUU8q+9t4ipBRDYhxEgjZyuEfwXcXilJJ0IYYLwGSlkTFbGUQ 1PK3GsXRvTk5x8bUCnZoosNgxLfKh0tH8Eg+fkZ7NX1pdLtyS0+jHEnfXP3R9+c8
RwiZnRHbdHrpkysTRemLbZl4ZqvCcV9k+uGDaVLNnYZoXmO1jd3A49lr4Pg31niQ NS+BZtY3lp3QunF6tDJi6xTwjyAjLaPNxQW1jnV0ItiPdf4dHacymyWpdgHfmOGo
wdfEhbQF2m3ERERiNgz/FkO2jXp8uRKPvFnkFkeE5rf3p7rA8iNdAAIKOkMtqn23 7RlHlcsQUa+Q6iukZo2sw0tsq7zDvlYOO6ZBz4G/VEPk4IgamlMzTcdZvEQLmV0B
u5RRNDXx547Z47C7DaXpzu91wa7cp1PmAgsuvvO0+7EWCIkZh+CsSuJqQwFbGuTf 6ht2+cgQ5Z128a6rIEIUqmsU6LB3HsFcJ9fxikQEQsGG86RTkcfmQ8fnai+fWkGn
RUK/cxLjU3M/1WyedNaWRt4g6WfbBGptuLJgGV7dAR+4sJdNTD2wCeovmBnAjk4z L8YNAwLc0O7SX7G+oeb7+Rn9OHf7z/8WQ+EuipYueluG4blMx8nluR9zaHbj3sup
uz0BrfQjkLgFk8h2/nNShCshHqjo6WgbS/0uhHyVFCA a5qyGRUrLIkMYGENkn67WlPPh5mucNrru4s837a0GvE
-> ssh-rsa QHr3/A -> ssh-rsa QHr3/A
EoP1VXE5X5h6XHFzfE+vdAQHA92DqOAu+d4DFPTUJMjns3roMcW1Q0p0B288H7zl QuQPqe0bsxz+xdFBdDkZpnUNx9/2utg6QOghWDp2FS4V4bmSwreiwqY8mVvhRdWI
lo2Q+9MmQNkSCdeJbAZBirUidr9UHRrQqONHxa9Dc3Q9vx82Z2M+BYJ+wiVyEX3x 7B7Vh3PHCOsh7V2OGvs3gjeOiHkMSH7N0WeByB2ZHwy9irW24YStZAOrNGpMJT1I
8yZwuVl2W0zjQzhSmkymFQJHsMLD8icMH5gQSL2nS38Dbm2qtD0zkUPg4wYchy8p fG/ySYz6TcwmBKhm7iFdlW1HztPLURQR//oCWWwILoZTZpf9K3FUz94vsrIkYiir
Yzu9OotRT1AigoSjBgUG4ChlZSLmKFlHPI3Fkh80OsflobhM80jkMDQ1n66G2GLv DhkYfVh126H1uN1NSzodk581LTkl8tV70uC05GxfjsVlSQyKJOL+cCDuavDlluxD
0swhI5vBbHbwUbEl0LJpKKsY4zBLm91dIAa4m3L95WNEr21YwplLZ+FV2deExfkZ Tl6pD5fq5iX1Ui+H84DaKqRQd0GpReEmh6QQVcPFshUClsLjgcgkqK1dWgthhueG
rimqEjsS2lJMpul7ondDDuG2u3Wr7tTkKgfotu3+Es8oOtOsvnmhQOZS1uYYK9mu J2eA6FmOX50Iyn18jNhtKKlImzZcWCyHobGPOOQcaqswTlC0w13i/wjm/lBH3tOZ
kiyg3RDo0CN78VN0XSw/oPNxR6xVDA9eNbn4mnXoPf8jZHxJ9mjZ64zusNgN8TuU cBUgNBAtyzoU+Qfa7KjbRCg8z61JwieL5R4PFgggxzx8wWwb0Q1vbwzG3R+W67of
Yr/GlnJoTOkbjPvqtRDA+uz6ovhq9KIExhDXMAelmoxs3BmAyAXkGX+6f8ds0ZWA U3Vr37lzRoEcZ0uIogkD+QUJH4KujDIiajX74Ik2RLsZJ8mgmTPibnNuhntIntKc
I6hrhaY1hqbnyyNf18pldvi0XhI4CoD3VVCc5qeMN4aSfKM6Sz+vlRiiKY0snwa0 j9K+1cynZyRNvLQs/HOkJTkC4jRuEMztnw3Rlto15ZxfC5hLTlfnl6boixiM+L7t
2OnCbcTJbxFr/niQI27d/T2G8P9LYumY38Ez+FLhCdICTmaCKjzsIkujGzzd/M8l LeDCs6x2abyMcbwqjp559zXC9G5lXssObJEiYRAoEdJ/L4m2I+IyP9/lUj+z516k
nWC3BxPuWlvBs3frX5Ujun0UKyqWZCpRNZXNQwWr2L0 rTmThTezLukBIX65O6bMn0m0FAKiK8+Tc5VrDBfQUok
-> ssh-ed25519 /WmILg Q88RuUxDh5UDcN6I7sbvIcYnY8sl4wN9e72pk9MKCXo -> ssh-ed25519 /WmILg gypYkxf3zWRz+NWC9WW0oGm4txFNmb1AmJ82/3oDX34
yd0XyHfUuYAr+gcB2q95JlddvYj61IkweeRH/YA4SYo 5JMgsEsU+YrP0WVu+FJEBBC3Loj2W49j9qJfPa+8OQI
--- 3vWlg+QLHC83h7gKBavcsZPVO/twVSbWNhRHQBwnoQA --- Nhwnzj6Kr2OiSXbqqOeS3nJynvvnYLxskjqMEP6SbCc
a¡Lùw§…5‡$£^zîdF©Ôè“àºþÿ"ã—.<2E>à'·¢0*¢'^>aîyÊÚ²øÀ£ª#o£ùI.ÁœÄìqÌÞÊ@£!BÒaÉ!†•dªÎyË[ÒëÚ£(ÑWuk ­¨<C2AD>Äôš³ °l^/gÚŠh‰€µÔ‡wÿ[³ó€oGjítð‡Ü6wxñdPæ0Ÿ°û­<4B>œ»„Å*Ï‹¹E¾Ê.€ÁçÇÂΜç5}/n&3n


@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-rsa /AagBw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-> ssh-rsa QHr3/A
QtR91zBRNdFQxTg0j4kOeYfgyk7tolQm8Jb2Vjpq6teLVZYZHUqj0NX5lBH0CIMz
YToMn3e860YnT06y0nkCdG26M7vSkN3KDPRYVjsNBofmd5L21W5Wf59sOTTkUg7o
OK6cbBjYKKBPdD+qhGks02bLyg/JCyAwvILO0Yow2QX8jastB5jfaKpG7BcO181B
/4LDjNGH2fZi0ghKZabKyZxIR+Nz6LI+CfRlG6hnvi9Pm3zj7SRpmfga0uzBtoJw
MH8qRejpvoTsUFiZzReyZK/eQfT8yapd2rYJFBIUk8gh4swd4reNc6Qrgzc+lnI7
pwLhAEV3DKVPNCwDAG2X4VvoArjMknFUWgA8xTy1jrwxqxp5RWaG9mZNVxyN057s
PUyHcCP1u+2GlMQZ+IqQAQgHF5iP5psz9EMsPuKEsnqxahm/Buo9+TdAk6F0wBqH
H8S/WQ76BAXkqCHlYZ6caXSidu10kbp6VhsHIkEXf5C/lQAUf2cUqP0gAXBKk/em
+jdju/dSKDiOfQUGvrB+ZvDWkfARU4KR1wDU2FsBWEg4KqTGCtiip1xAWyVs2qzk
HxQHdqJWHX8X6uGHMPutd5Kxcqiw/dixHWqsF2JxpFwcdJw8FtFNu/53TqkLLp4c
eR75ieANJgPSFdMZ0iN2VyKk6ef1BeM5fMEJNNFqk2w
-> ssh-ed25519 OgJHCw Ru7jfhtzgiw5p02NAWUAye5LAz8QV4oGGdDUcOX/yVU
jmSZteHQfrdLjrG5FOGuHENHwbcTJylwd3K5d0MQBoE
--- YufP2k3r5d82rW9wZy3ShR1jARNnA2kOtv1W8/VU+Is
5š~œL.qõ†89 0D©ôž¹€E?w[y4ÜaªïEF$O ¥2_,-Ð
ui;Þ1Øèp×êwä%å ë[† ŸKñåD}$'#[¯ªo dUôj{>æ<>Ü!®Mç‰$Ê‘ò


@ -22,6 +22,7 @@ in
"restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk]; "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
"hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko]; "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
"matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko]; "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
"matrix-sliding-sync-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
"forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard]; "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard];
# WireGuard # WireGuard