Things

flake.lock

@@ -361,6 +361,63 @@
       "inputs": {
         "nixpkgs-lib": "nixpkgs-lib_3"
       },
+      "locked": {
+        "lastModified": 1698882062,
+        "narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_6": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_4"
+      },
+      "locked": {
+        "lastModified": 1701473968,
+        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_7": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixThePlanet",
+          "hercules-ci-effects",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1696343447,
+        "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-parts",
+        "type": "indirect"
+      }
+    },
+    "flake-parts_8": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_5"
+      },
       "locked": {
         "lastModified": 1678379998,
         "narHash": "sha256-TZdfNqftHhDuIFwBcN9MUThx5sQXCTeZk9je5byPKRw=",
@@ -524,6 +581,25 @@
         "type": "github"
       }
     },
+    "hercules-ci-effects_3": {
+      "inputs": {
+        "flake-parts": "flake-parts_7",
+        "nixpkgs": "nixpkgs_8"
+      },
+      "locked": {
+        "lastModified": 1701009247,
+        "narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -624,6 +700,72 @@
         "type": "github"
       }
     },
+    "nix-fast-build": {
+      "inputs": {
+        "flake-parts": "flake-parts_5",
+        "nixpkgs": [
+          "nixpkgsUnstable"
+        ],
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1703607026,
+        "narHash": "sha256-Emh0BPoqlS4ntp2UJrwydXfIP4qIMF0VBB2FUE3/M/E=",
+        "owner": "Mic92",
+        "repo": "nix-fast-build",
+        "rev": "4376b8a33b217ee2f78ba3dcff01a3e464d13a46",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "nix-fast-build",
+        "type": "github"
+      }
+    },
+    "nixDarwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgsUnstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1707707289,
+        "narHash": "sha256-YuDt/eSTXMEHv8jS8BEZJgqCcG8Tr3cyqaZjJFXZHsw=",
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "rev": "44f50a5ecaab72a61d5fd8e5c5717bc4bf9c25dd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "LnL7",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nixThePlanet": {
+      "inputs": {
+        "flake-parts": "flake-parts_6",
+        "hercules-ci-effects": "hercules-ci-effects_3",
+        "nixpkgs": [
+          "nixpkgsUnstable"
+        ],
+        "osx-kvm": "osx-kvm"
+      },
+      "locked": {
+        "lastModified": 1708168451,
+        "narHash": "sha256-loWlwexnfQGFsEHeJbXpWbnmeDFkBwZB38+4BkUcGhM=",
+        "owner": "aciceri",
+        "repo": "NixThePlanet",
+        "rev": "e8c91035d01f5082ccf30e351dcd993a5b480a72",
+        "type": "github"
+      },
+      "original": {
+        "owner": "aciceri",
+        "ref": "nix-in-darwin",
+        "repo": "NixThePlanet",
+        "type": "github"
+      }
+    },
     "nixosHardware": {
       "locked": {
         "lastModified": 1706182238,
@@ -708,6 +850,42 @@
       }
     },
     "nixpkgs-lib_3": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1698611440,
+        "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib_4": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1701253981,
+        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-lib_5": {
       "locked": {
         "dir": "lib",
         "lastModified": 1678375444,
@@ -870,6 +1048,22 @@
       }
     },
     "nixpkgs_8": {
+      "locked": {
+        "lastModified": 1697723726,
+        "narHash": "sha256-SaTWPkI8a5xSHX/rrKzUe+/uVNy6zCGMXgoeMb7T9rg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "7c9cc5a6e5d38010801741ac830a3f8fd667a7a0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_9": {
       "locked": {
         "lastModified": 1678470307,
         "narHash": "sha256-OEeMUr3ueLIXyW/OaFUX5jUdimyQwMg/7e+/Q0gC/QE=",
@@ -900,6 +1094,22 @@
         "type": "github"
       }
     },
+    "osx-kvm": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1701316418,
+        "narHash": "sha256-Sk8LYhFovoMX1ln7DWYArJQphW2a4h8Xg7/ZEZXwZv4=",
+        "owner": "kholia",
+        "repo": "OSX-KVM",
+        "rev": "09daff670a7eb9ff616073df329586c5995623a9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kholia",
+        "repo": "OSX-KVM",
+        "type": "github"
+      }
+    },
     "panfork": {
       "flake": false,
       "locked": {
@@ -984,13 +1194,13 @@
     "rock5b": {
       "inputs": {
         "fan-control": "fan-control",
-        "flake-parts": "flake-parts_5",
+        "flake-parts": "flake-parts_8",
         "kernel-src": "kernel-src",
-        "nixpkgs": "nixpkgs_8",
+        "nixpkgs": "nixpkgs_9",
         "nixpkgs-kernel": "nixpkgs-kernel",
         "panfork": "panfork",
         "tow-boot": "tow-boot",
-        "treefmt-nix": "treefmt-nix"
+        "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
         "lastModified": 1685695782,
@@ -1018,13 +1228,16 @@
         "homeManager": "homeManager",
         "homeManagerGitWorkspace": "homeManagerGitWorkspace",
         "homeManagerSwayNC": "homeManagerSwayNC",
+        "nix-fast-build": "nix-fast-build",
+        "nixDarwin": "nixDarwin",
+        "nixThePlanet": "nixThePlanet",
         "nixosHardware": "nixosHardware",
         "nixpkgsStable": "nixpkgsStable",
         "nixpkgsUnstable": "nixpkgsUnstable",
         "nur": "nur",
         "pre-commit-hooks": "pre-commit-hooks",
         "rock5b": "rock5b",
-        "treefmt-nix": "treefmt-nix_2"
+        "treefmt-nix": "treefmt-nix_3"
       }
     },
     "slimlock": {
@@ -1112,6 +1325,27 @@
       }
     },
     "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nix-fast-build",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698438538,
+        "narHash": "sha256-AWxaKTDL3MtxaVTVU5lYBvSnlspOS0Fjt8GxBgnU0Do=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "5deb8dc125a9f83b65ca86cf0c8167c46593e0b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
       "inputs": {
         "nixpkgs": [
           "rock5b",
@@ -1132,7 +1366,7 @@
         "type": "github"
       }
     },
-    "treefmt-nix_2": {
+    "treefmt-nix_3": {
       "inputs": {
         "nixpkgs": [
           "nixpkgsUnstable"

flake.nix

@@ -44,6 +44,18 @@
     hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
     dream2nix.url = "github:nix-community/dream2nix";
     hercules-ci-agent.url = "github:hercules-ci/hercules-ci-agent";
+    nix-fast-build = {
+      url = "github:Mic92/nix-fast-build";
+      inputs.nixpkgs.follows = "nixpkgsUnstable";
+    };
+    nixThePlanet = {
+      url = "github:aciceri/NixThePlanet/nix-in-darwin";
+      inputs.nixpkgs.follows = "nixpkgsUnstable";
+    };
+    nixDarwin = {
+      url = "github:LnL7/nix-darwin";
+      inputs.nixpkgs.follows = "nixpkgsUnstable";
+    };
   };
 
   outputs = inputs @ {flakeParts, ...}:

hosts/archer/#default.nix#

@@ -0,0 +1,26 @@
+{pkgs, ...}: {
+  # $ nix-env -qaP | grep wget
+  environment.systemPackages =
+    [ pkgs.vim
+    ];
+
+  # # Auto upgrade nix package and the daemon service.
+  # services.nix-daemon.enable = true;
+  # # nix.package = pkgs.nix;
+
+  # # Necessary for using flakes on this system.
+  # nix.settings.experimental-features = "nix-command flakes";
+
+  # # Create /etc/zshrc that loads the nix-darwin environment.
+  # programs.zsh.enable = true;  # default shell on catalina
+  # # programs.fish.enable = true;
+
+  # # # Set Git commit hash for darwin-version.
+  # # system.configurationRevision = self.rev or self.dirtyRev or null;
+
+  # # Used for backwards compatibility, please read the changelog before changing.
+  # # $ darwin-rebuild changelog
+  # system.stateVersion = 4;
+
+  # # The platform the configuration will be used on.
+}

hosts/archer/default.nix

@@ -0,0 +1,13 @@
+{pkgs, ...}: {
+  environment.systemPackages = [
+    pkgs.vim
+  ];
+
+  nix.settings.experimental-features = "nix-command flakes";
+
+  programs.fish.enable = true;
+
+  services.nix-daemon.enable = true;
+
+  nixpkgs.hostPlatform = "x86_64-darwin";
+}

hosts/default.nix

@@ -8,6 +8,9 @@
   imports = [./module.nix];
 
   fleet = {
+    darwinHosts.archer = {
+    };
+
     hosts = {
       # thinkpad = {
       #   extraModules = with inputs; [
@@ -99,6 +102,7 @@
         };
         extraModules = [
           inputs.disko.nixosModules.disko
+          inputs.nixThePlanet.nixosModules.macos-ventura
           # inputs.hercules-ci-agent.nixosModules.agent-service
         ];
         extraHmModules = [
@@ -117,7 +121,7 @@
           "autistici-password".owner = "ccr";
           "restic-hetzner-password" = {};
           "aws-credentials".owner = "hercules-ci-agent";
-          "forgejo-runners-token".owner = "forgejo-runners";
+          "forgejo-runners-token".owner = "nixuser";
         };
       };
 
@@ -145,6 +149,7 @@
           "aws-credentials".owner = "hercules-ci-agent";
           "hass-ssh-key".owner = "hass";
           "matrix-registration-shared-secret".owner = "matrix-synapse";
+          "matrix-sliding-sync-secret".owner = "matrix-synapse";
         };
       };
     };
@@ -161,4 +166,9 @@
     lib.mapAttrs
     config.fleet._mkNixosConfiguration
     config.fleet.hosts;
+
+  flake.darwinConfigurations =
+    lib.mapAttrs
+    config.fleet._mkDarwinConfiguration
+    config.fleet.darwinHosts;
 }

hosts/module.nix

@@ -8,10 +8,46 @@
   config,
   inputs,
   ...
-}: let
+} @ flakePartsArgs: let
   cfg = config.fleet;
 in {
   options.fleet = {
+    darwinHosts = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
+        options = {
+          name = lib.mkOption {
+            description = "Host name";
+            type = lib.types.strMatching "^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$";
+            default = name;
+          };
+          system = lib.mkOption {
+            description = "NixOS architecture (a.k.a. system)";
+            type = lib.types.str;
+            default = "x86_64-darwin";
+          };
+          nixpkgs = lib.mkOption {
+            description = "Used nixpkgs";
+            type = lib.types.anything;
+            default = inputs.nixpkgsUnstable;
+          };
+          extraModules = lib.mkOption {
+            description = "Extra NixOS modules";
+            type = lib.types.listOf lib.types.deferredModule;
+            default = [];
+          };
+          overlays = lib.mkOption {
+            description = "Enabled Nixpkgs overlays";
+            type = lib.types.listOf (lib.mkOptionType {
+              name = "nixpkgs-overlay";
+              description = "nixpkgs overlay";
+              check = lib.isFunction;
+              merge = lib.mergeOneOption;
+            });
+            default = [];
+          };
+        };
+      }));
+    };
     hosts = lib.mkOption {
       description = "Host configuration";
       type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
@@ -183,8 +219,29 @@ in {
             fleetHmModules = builtins.map (moduleName: "${self.outPath}/hmModules/${moduleName}");
             fleetFlake = self;
             vpn = cfg.vpnExtra // (lib.mapAttrs (_: host: host.vpn) cfg.hosts);
+            inherit (flakePartsArgs.config.allSystems.${config.system}.allModuleArgs.config._module.args) inputs';
           };
         };
     };
+    _mkDarwinConfiguration = lib.mkOption {
+      description = "Function returning a proper Darwin configuration";
+      type = lib.types.functionTo (lib.types.functionTo lib.types.attrs); # TODO improve this type
+      internal = true;
+      default = hostname: config:
+        inputs.nixDarwin.lib.darwinSystem {
+          modules = [
+            ({
+              lib,
+              pkgs,
+              ...
+            }: {
+              networking.hostName = lib.mkForce hostname;
+              nixpkgs.overlays = config.overlays;
+              nixpkgs.hostPlatform = config.system;
+            })
+            "${self.outPath}/hosts/${hostname}"
+          ];
+        };
+    };
   };
 }

hosts/picard/default.nix

@@ -35,6 +35,8 @@
       "syncthing"
       "hass-poweroff"
       "forgejo-runners"
+      "teamviewer"
+      "macos-ventura"
     ]
     ++ [
       ./disko.nix

modules/cloudflare-dyndns/default.nix

@@ -13,6 +13,7 @@
       "vpn.aciceri.dev"
       "cache.aciceri.dev"
       "matrix.aciceri.dev"
+      "syncv3.matrix.aciceri.dev"
     ];
     apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path;
   };

modules/docker/default.nix

@@ -10,5 +10,5 @@
     docker-compose
     podman-compose
   ];
-  ccr.extraGroups = ["docker"];
+  ccr.extraGroups = ["docker" "podman"];
 }

modules/forgejo-runners/default.nix

@@ -1,25 +1,206 @@
+# heavily based on https://discourse.nixos.org/t/gitea-nix-actions-runner-setup/35279
 {
   config,
+  inputs',
+  pkgs,
   lib,
   ...
-}: {
-  users.users.forgejo-runners = {
-    isSystemUser = true;
-    group = "forgejo-runners";
-  };
+}: let
+  storeDeps = pkgs.runCommand "store-deps" {} ''
+    mkdir -p $out/bin
+    for dir in ${toString [pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs inputs'.nix-fast-build.packages.nix-fast-build]}; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
 
-  users.groups.forgejo-runners = {};
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
+  numInstances = 1;
+  pushToCache = pkgs.writeScript "push-to-cache.sh" ''
+    #!/bin/sh
+    set -eu
+    set -f # disable globbing
+    export IFS=' '
 
-  services.gitea-actions-runner.instances.test = {
-    enable = true;
-    name = "test";
-    url = "https://git.aciceri.dev";
-    tokenFile = config.age.secrets.forgejo-runners-token.file;
-    labels = ["test"];
-  };
+    echo "Uploading paths" $OUT_PATHS
+    exec nix copy --to "s3://cache?profile=default&region=eu-south-1&scheme=https&endpoint=cache.aciceri.dev" $OUT_PATHS
+  '';
+in
+  lib.mkMerge [
+    {
+      # everything here has no dependencies on the store
+      systemd.services.gitea-runner-nix-image = {
+        wantedBy = ["multi-user.target"];
+        after = ["podman.service"];
+        requires = ["podman.service"];
+        path = [config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent];
+        # we also include etc here because the cleanup job also wants the nixuser to be present
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix
 
-  systemd.services.gitea-runner-test.serviceConfig = {
-    User = lib.mkForce "forgejo-runners";
-    Group = lib.mkForce "forgejo-runners";
-  };
-}
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          post-build-hook = ${pushToCache}
+          NIX_CONFIG
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | podman import - gitea-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      users.users.nixuser = {
+        group = "nixuser";
+        description = "Used for running nix ci jobs";
+        home = "/var/empty";
+        isSystemUser = true;
+        # extraGroups = [ "podman" ];
+      };
+      users.groups.nixuser = {};
+    }
+    {
+      # Format of the token file:
+      virtualisation = {
+        podman.enable = true;
+      };
+
+      # virtualisation.containers.storage.settings = {
+      #   storage.driver = "zfs";
+      #   storage.graphroot = "/var/lib/containers/storage";
+      #   storage.runroot = "/run/containers/storage";
+      #   storage.options.zfs.fsname = "zroot/root/podman";
+      # };
+
+      # virtualisation.containers.containersConf.settings = {
+      #   # podman seems to not work with systemd-resolved
+      #   containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
+      # };
+    }
+    {
+      systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: {
+        # TODO: systemd confinment
+        serviceConfig = {
+          # Hardening (may overlap with DynamicUser=)
+          # The following options are only for optimizing output of systemd-analyze
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          # ProtectClock= adds DeviceAllow=char-rtc r
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            # needed by go?
+            #"~@resources"
+            "~@privileged"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+          RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK"];
+
+          # Needs network access
+          PrivateNetwork = false;
+          # Cannot be true due to Node
+          MemoryDenyWriteExecute = false;
+
+          # The more restrictive "pid" option makes `nix` commands in CI emit
+          # "GC Warning: Couldn't read /proc/stat"
+          # You may want to set this to "pid" if not using `nix` commands
+          ProcSubset = "all";
+          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+          # ASLR (address space layout randomization) which requires the
+          # `personality` syscall
+          # You may want to set this to `true` if not using coverage tooling on
+          # compiled code
+          LockPersonality = false;
+
+          # Note that this has some interactions with the User setting; so you may
+          # want to consult the systemd docs if using both.
+          DynamicUser = true;
+        };
+      });
+
+      services.gitea-actions-runner = {
+        package = pkgs.forgejo-actions-runner;
+        instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: {
+          enable = true;
+          name = "nix-runner";
+          # take the git root url from the gitea config
+          # only possible if you've also configured your gitea though the same nix config
+          # otherwise you need to set it manually
+          url = "https://git.aciceri.dev";
+          # use your favourite nix secret manager to get a path for this
+          tokenFile = config.age.secrets.forgejo-runners-token.path;
+          labels = ["nix:docker://gitea-runner-nix"];
+          settings = {
+            container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+            # the default network that also respects our dns server settings
+            container.network = "host";
+            container.valid_volumes = [
+              "/nix"
+              "${storeDeps}/bin"
+              "${storeDeps}/etc/ssl"
+            ];
+          };
+        });
+      };
+    }
+  ]

modules/macos-ventura/default.nix

@@ -0,0 +1,14 @@
+{fleetFlake, ...}: {
+  services.macos-ventura = {
+    enable = true;
+    cores = 8;
+    threads = 8;
+    mem = "8G";
+    vncListenAddr = "0.0.0.0";
+    extraQemuFlags = ["-nographic"];
+    sshPort = 2021;
+    installNix = true;
+    stateless = true;
+    darwinConfig = fleetFlake.darwinConfigurations.archer;
+  };
+}

modules/matrix/default.nix

@@ -4,7 +4,10 @@
   pkgs,
   ...
 }: let
-  clientConfig."m.homeserver".base_url = "https://matrix.aciceri.dev";
+  clientConfig = {
+    "m.homeserver".base_url = "https://matrix.aciceri.dev";
+    "org.matrix.msc3575.proxy".url = "https://syncv3.matrix.aciceri.dev";
+  };
   serverConfig."m.server" = "matrix.aciceri.dev:443";
   mkWellKnown = data: ''
     default_type application/json;
@@ -48,6 +51,7 @@ in {
   services.matrix-synapse = {
     enable = true;
     dataDir = "/mnt/hd/matrix-synapse";
+    configureRedisLocally = true;
     settings = {
       server_name = "aciceri.dev";
       public_baseurl = "https://matrix.aciceri.dev";
@@ -79,4 +83,18 @@ in {
     enable = true;
     databases = ["matrix-synapse"];
   };
+
+  services.matrix-sliding-sync = {
+    enable = true;
+    environmentFile = config.age.secrets.matrix-sliding-sync-secret.path;
+    settings = {
+      SYNCV3_SERVER = "http://localhost:8008";
+    };
+  };
+
+  services.nginx.virtualHosts."syncv3.matrix.aciceri.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = config.services.matrix-sliding-sync.settings.SYNCV3_SERVER;
+  };
 }

modules/nix/default.nix

@@ -2,11 +2,14 @@
   config,
   lib,
   fleetFlake,
+  pkgs,
   ...
 }: {
   nix = {
     optimise.automatic = true;
 
+    package = pkgs.nixUnstable;
+
     settings = {
       auto-optimise-store = true;
       trusted-users = [
@@ -66,24 +69,23 @@
     };
 
     distributedBuilds = true;
-    buildMachines =
-      (lib.lists.optional (config.networking.hostName == "picard") {
-        hostName = "sisko.fleet";
-        system = "aarch64-linux";
-        maxJobs = 4;
-        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
-        protocol = "ssh-ng";
-        sshUser = "root";
-        sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
-      })
-      ++ (lib.lists.optional (config.networking.hostName == "picard") {
-        hostName = "mac.staging.mlabs.city";
-        system = "x86_64-darwin";
-        maxJobs = 4;
-        supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
-        protocol = "ssh-ng";
-        sshUser = "root";
-        sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
-      });
+    buildMachines = lib.lists.optional (config.networking.hostName == "picard") {
+      hostName = "sisko.fleet";
+      system = "aarch64-linux";
+      maxJobs = 4;
+      supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+      protocol = "ssh-ng";
+      sshUser = "root";
+      sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
+    };
+    # ++ (lib.lists.optional (config.networking.hostName == "picard") {
+    #   hostName = "mac.staging.mlabs.city";
+    #   system = "x86_64-darwin";
+    #   maxJobs = 4;
+    #   supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+    #   protocol = "ssh-ng";
+    #   sshUser = "root";
+    #   sshKey = "/home/${config.ccr.username}/.ssh/id_rsa";
+    # });
   };
 }

modules/transmission/default.nix

@@ -21,8 +21,8 @@
 
       upload-slots-per-torrent = 1000;
 
-      alt-speed-up = 1000; # 1MB/s
-      alt-speed-down = 2000; # 3MB/s
+      alt-speed-up = 300000; # 300MB/s
+      alt-speed-down = 500000; # 500MB/s
       alt-speed-time-enabled = true;
       alt-speed-time-begin = 540; # 9AM, minutes after midnight
       alt-speed-time-end = 1380; # 11PM

secrets/forgejo-runners-token.age

@@ -1,29 +1,29 @@
 age-encryption.org/v1
 -> ssh-rsa /AagBw
-Z16SvgU6/7dOl+1UxJkOjXGRWzj6EwS2Df+4PwSaxraCN3bZmFKbS/XoHKfrl+IM
-HWLtHspDOCFVDoncA4RrhjhFmZFXEYHLQhvaK6br274ALahEPf3kNZWfHntVKJyy
-wLyBnGpW5hscln1X/NSC0xXkUKfmZAE6lkpFj/C3TUZpIKnQ6LFpyGs5mAj6PEuY
-amPVOotBSGgbJQed8JpmWcX8XiO05cfPEi6oSiDkauXKGVSzWfXk3GSChzBl/Y2a
-8llIvJ9BNy6cFC0d7pZBJrpV1FXlDxo6LxkC6WeUzMJH7s44UvOhVbjPp0dNjLLD
-AqYotOWm6r4KMBlpUU8q+9t4ipBRDYhxEgjZyuEfwXcXilJJ0IYYLwGSlkTFbGUQ
-RwiZnRHbdHrpkysTRemLbZl4ZqvCcV9k+uGDaVLNnYZoXmO1jd3A49lr4Pg31niQ
-wdfEhbQF2m3ERERiNgz/FkO2jXp8uRKPvFnkFkeE5rf3p7rA8iNdAAIKOkMtqn23
-u5RRNDXx547Z47C7DaXpzu91wa7cp1PmAgsuvvO0+7EWCIkZh+CsSuJqQwFbGuTf
-RUK/cxLjU3M/1WyedNaWRt4g6WfbBGptuLJgGV7dAR+4sJdNTD2wCeovmBnAjk4z
-uz0BrfQjkLgFk8h2/nNShCshHqjo6WgbS/0uhHyVFCA
+Fj/1xLPhucklZ7WD60a+Rtj1k7V3ttBj+B8yrpD+D8rdXRIKLHaBCRRuRcyJD7QD
+Qb+GkOFGJqbMaOOt7Xy5OJcz6M5T41fbvKQOQK19ZmrsNuFwMlDQNwCL519WroGw
+PsKSip4nJOhlWgOfbHM3hlbsFCPuT79Di+zOBDXJYiui+Skkl18+EyC+4dJ7gwuI
+7nWVy2KuJMdX5a7r3rqGSinoWHCRBLAOVVooQQq59THHymJga7a9L6e/YT5md+A7
+fhIJRdn5593yvH4AOoaQDOBhW0D9HL/rhyJi3CRzPIOqyyO3L/4C+qck8CwXrKAu
+1PK3GsXRvTk5x8bUCnZoosNgxLfKh0tH8Eg+fkZ7NX1pdLtyS0+jHEnfXP3R9+c8
+NS+BZtY3lp3QunF6tDJi6xTwjyAjLaPNxQW1jnV0ItiPdf4dHacymyWpdgHfmOGo
+7RlHlcsQUa+Q6iukZo2sw0tsq7zDvlYOO6ZBz4G/VEPk4IgamlMzTcdZvEQLmV0B
+6ht2+cgQ5Z128a6rIEIUqmsU6LB3HsFcJ9fxikQEQsGG86RTkcfmQ8fnai+fWkGn
+L8YNAwLc0O7SX7G+oeb7+Rn9OHf7z/8WQ+EuipYueluG4blMx8nluR9zaHbj3sup
+a5qyGRUrLIkMYGENkn67WlPPh5mucNrru4s837a0GvE
 -> ssh-rsa QHr3/A
-EoP1VXE5X5h6XHFzfE+vdAQHA92DqOAu+d4DFPTUJMjns3roMcW1Q0p0B288H7zl
-lo2Q+9MmQNkSCdeJbAZBirUidr9UHRrQqONHxa9Dc3Q9vx82Z2M+BYJ+wiVyEX3x
-8yZwuVl2W0zjQzhSmkymFQJHsMLD8icMH5gQSL2nS38Dbm2qtD0zkUPg4wYchy8p
-Yzu9OotRT1AigoSjBgUG4ChlZSLmKFlHPI3Fkh80OsflobhM80jkMDQ1n66G2GLv
-0swhI5vBbHbwUbEl0LJpKKsY4zBLm91dIAa4m3L95WNEr21YwplLZ+FV2deExfkZ
-rimqEjsS2lJMpul7ondDDuG2u3Wr7tTkKgfotu3+Es8oOtOsvnmhQOZS1uYYK9mu
-kiyg3RDo0CN78VN0XSw/oPNxR6xVDA9eNbn4mnXoPf8jZHxJ9mjZ64zusNgN8TuU
-Yr/GlnJoTOkbjPvqtRDA+uz6ovhq9KIExhDXMAelmoxs3BmAyAXkGX+6f8ds0ZWA
-I6hrhaY1hqbnyyNf18pldvi0XhI4CoD3VVCc5qeMN4aSfKM6Sz+vlRiiKY0snwa0
-2OnCbcTJbxFr/niQI27d/T2G8P9LYumY38Ez+FLhCdICTmaCKjzsIkujGzzd/M8l
-nWC3BxPuWlvBs3frX5Ujun0UKyqWZCpRNZXNQwWr2L0
--> ssh-ed25519 /WmILg Q88RuUxDh5UDcN6I7sbvIcYnY8sl4wN9e72pk9MKCXo
-yd0XyHfUuYAr+gcB2q95JlddvYj61IkweeRH/YA4SYo
---- 3vWlg+QLHC83h7gKBavcsZPVO/twVSbWNhRHQBwnoQA
-	a¡Lùw§…5‡$£^zîdF©Ôè“àºþÿ"ã—.<2E>à'·¢0*¢'^>aîyÊÚ²øÀ£ª#o£ùI.ÁœÄìqÌÞÊ@£!BÒaÉ!†•dªÎyË[ÒëÚ£(ÑWuk ­¨<C2AD>Äôš³
+QuQPqe0bsxz+xdFBdDkZpnUNx9/2utg6QOghWDp2FS4V4bmSwreiwqY8mVvhRdWI
+7B7Vh3PHCOsh7V2OGvs3gjeOiHkMSH7N0WeByB2ZHwy9irW24YStZAOrNGpMJT1I
+fG/ySYz6TcwmBKhm7iFdlW1HztPLURQR//oCWWwILoZTZpf9K3FUz94vsrIkYiir
+DhkYfVh126H1uN1NSzodk581LTkl8tV70uC05GxfjsVlSQyKJOL+cCDuavDlluxD
+Tl6pD5fq5iX1Ui+H84DaKqRQd0GpReEmh6QQVcPFshUClsLjgcgkqK1dWgthhueG
+J2eA6FmOX50Iyn18jNhtKKlImzZcWCyHobGPOOQcaqswTlC0w13i/wjm/lBH3tOZ
+cBUgNBAtyzoU+Qfa7KjbRCg8z61JwieL5R4PFgggxzx8wWwb0Q1vbwzG3R+W67of
+U3Vr37lzRoEcZ0uIogkD+QUJH4KujDIiajX74Ik2RLsZJ8mgmTPibnNuhntIntKc
+j9K+1cynZyRNvLQs/HOkJTkC4jRuEMztnw3Rlto15ZxfC5hLTlfnl6boixiM+L7t
+LeDCs6x2abyMcbwqjp559zXC9G5lXssObJEiYRAoEdJ/L4m2I+IyP9/lUj+z516k
+rTmThTezLukBIX65O6bMn0m0FAKiK8+Tc5VrDBfQUok
+-> ssh-ed25519 /WmILg gypYkxf3zWRz+NWC9WW0oGm4txFNmb1AmJ82/3oDX34
+5JMgsEsU+YrP0WVu+FJEBBC3Loj2W49j9qJfPa+8OQI
+--- Nhwnzj6Kr2OiSXbqqOeS3nJynvvnYLxskjqMEP6SbCc
+°l^/gÚŠh‰€µÔ‡wÿ[³ó€oGjítð‡Ü6wxñdPæ0Ÿ°û­Ké<4B>œ»„
Å*Ï‹¹E¾Ê.€ÁçÇÂÎœç5}/n&3n

secrets/matrix-sliding-sync-secret.age

@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+PbxZQ6iBDuSrJG3CKVPSiAl4OWui9tlAwHL8TzhY+zFm2RauBVxkD+OFEHCXv0jR
+raMZitNrvvs5B66Gy48cg5Cz1kWCM72o+zN1f3ZzIvCFa9wVmsOhtc69E7XinzM7
+M8pDiORbQqmO4gP3/h9CXJAL9U31ub05J70Jdl0mIfq/Epkkem2ouN9OwzYsjeUP
+/KS8F+/+8ptrpF6PuhptS0gP2jqqEKvCgQwSO4VAHMwMiRB+okC+j/VmnOp6NBdy
+fH02ecEYJyqLEOGNcjCb6ExnNL/4HgNC8MpT25OPDi7rIxlWwWP6USqpov1LD+pe
+Z7F8ieecVppevZ81WPpXdKgQi5l609jrCVoxXtQ3L3pd08HHhAkyHH6dhzbJ3QIv
+sglukBrJSGFpaE1iqqKTVyc4dLOfnTd5iF0WnZ5k9UeDlCafduNWl8AVxkNVvziD
+M9/9+vD5WTrkLETSnmzI5ZWgGk1MLfulwDQ0JRpOe+NAEKGnr+5QFZueNJZgnTr9
+z8B4e4YHvsyp5yiLmnhvY/zvwoqZvMduU8DT6c4WXLJBjgxptoU17Skw6pBxOmlF
+xOCSJsMqyQ2E3YZYpglMdgxDE1SNHlODE32GFq8wbXN2RyRWFrz8Mj4zdUVh9Xc4
+LaO3HvVBkTTopCELNpLgeuhSpEpgwds0psspYUFMvoc
+-> ssh-rsa QHr3/A
+QtR91zBRNdFQxTg0j4kOeYfgyk7tolQm8Jb2Vjpq6teLVZYZHUqj0NX5lBH0CIMz
+YToMn3e860YnT06y0nkCdG26M7vSkN3KDPRYVjsNBofmd5L21W5Wf59sOTTkUg7o
+OK6cbBjYKKBPdD+qhGks02bLyg/JCyAwvILO0Yow2QX8jastB5jfaKpG7BcO181B
+/4LDjNGH2fZi0ghKZabKyZxIR+Nz6LI+CfRlG6hnvi9Pm3zj7SRpmfga0uzBtoJw
+MH8qRejpvoTsUFiZzReyZK/eQfT8yapd2rYJFBIUk8gh4swd4reNc6Qrgzc+lnI7
+pwLhAEV3DKVPNCwDAG2X4VvoArjMknFUWgA8xTy1jrwxqxp5RWaG9mZNVxyN057s
+PUyHcCP1u+2GlMQZ+IqQAQgHF5iP5psz9EMsPuKEsnqxahm/Buo9+TdAk6F0wBqH
+H8S/WQ76BAXkqCHlYZ6caXSidu10kbp6VhsHIkEXf5C/lQAUf2cUqP0gAXBKk/em
++jdju/dSKDiOfQUGvrB+ZvDWkfARU4KR1wDU2FsBWEg4KqTGCtiip1xAWyVs2qzk
+HxQHdqJWHX8X6uGHMPutd5Kxcqiw/dixHWqsF2JxpFwcdJw8FtFNu/53TqkLLp4c
+eR75ieANJgPSFdMZ0iN2VyKk6ef1BeM5fMEJNNFqk2w
+-> ssh-ed25519 OgJHCw Ru7jfhtzgiw5p02NAWUAye5LAz8QV4oGGdDUcOX/yVU
+jmSZteHQfrdLjrG5FOGuHENHwbcTJylwd3K5d0MQBoE
+--- YufP2k3r5d82rW9wZy3ShR1jARNnA2kOtv1W8/VU+Is
+ 5š~œ–‚L.qõ†89
0D©|Åôž¹€E?w[y4ÜaªïEF$O ¥2_,-Ð
+ui;Þ1Øèp×êwä%åë[†	
ŸdØ›KñåD}$'#[¯ªo dUôj{>æ<>Ü!®Mç‰$Ê‘ò

secrets/secrets.nix

@@ -22,6 +22,7 @@ in
     "restic-hetzner-password.age".publicKeys = [ccr-ssh ccr-gpg picard sisko kirk];
     "hass-ssh-key.age".publicKeys = [ccr-ssh ccr-gpg sisko];
     "matrix-registration-shared-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+    "matrix-sliding-sync-secret.age".publicKeys = [ccr-ssh ccr-gpg sisko];
     "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard];
 
     # WireGuard