diff --git a/flake.lock b/flake.lock index 33b6fa2..8d9ac2c 100644 --- a/flake.lock +++ b/flake.lock @@ -100,11 +100,11 @@ "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1731915700, - "narHash": "sha256-IVhIHdQaY4LU+6wOmXM6IhjKN8k0nbTacedIfxmt0RI=", + "lastModified": 1732113111, + "narHash": "sha256-KgGKWOEbqP15O2J6kue4JShHDk5yGG5e1GfY22bjuZU=", "owner": "nix-community", "repo": "dream2nix", - "rev": "e118d69b142dea7690555fc4502f288030c1d4ed", + "rev": "91bec8a0854abfa581a40b5030cfa8f98d2f8ee5", "type": "github" }, "original": { @@ -119,11 +119,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1732093299, - "narHash": "sha256-LFw807llsc/qIMbSBHN4C3jtOeWHLtSgo2V2yhv1nC8=", + "lastModified": 1732179669, + "narHash": "sha256-zpaoCm2sakoi8hsabMjTq7kYTz0SJo7PhRUGk48QjXY=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "79d8dd3148860718bc78b73c7e4972f850b19541", + "rev": "46cbce8bc96c36a83a2cae9312026b3028bdcb87", "type": "github" }, "original": { @@ -223,6 +223,27 @@ } }, "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -240,7 +261,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "nixThePlanet", @@ -398,7 +419,7 @@ }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": "nixpkgs_6" }, "locked": { 
@@ -622,6 +643,28 @@ "type": "github" } }, + "nix-fast-build": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1730278911, + "narHash": "sha256-CrbqsC+lEA3w6gLfpqfDMDEKoEta2sl4sbQK6Z/gXak=", + "owner": "Mic92", + "repo": "nix-fast-build", + "rev": "8e7c9d76979381441facb8888f21408312cf177a", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-fast-build", + "type": "github" + } + }, "nix-formatter-pack": { "inputs": { "nixpkgs": [ @@ -712,7 +755,7 @@ }, "nixThePlanet": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "hercules-ci-effects": "hercules-ci-effects", "nixpkgs": [ "nixpkgs" @@ -892,11 +935,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1731676054, - "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { @@ -953,11 +996,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1731676054, - "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { 
@@ -1119,12 +1162,13 @@ "lix-eval-jobs": "lix-eval-jobs", "lix-module": "lix-module", "mobile-nixos": "mobile-nixos", + "nix-fast-build": "nix-fast-build", "nix-on-droid": "nix-on-droid", "nixDarwin": "nixDarwin", "nixThePlanet": "nixThePlanet", "nixosHardware": "nixosHardware", "nixpkgs": "nixpkgs_7", - "treefmt-nix": "treefmt-nix_2", + "treefmt-nix": "treefmt-nix_3", "vscode-server": "vscode-server" } }, @@ -1256,15 +1300,36 @@ "treefmt-nix_2": { "inputs": { "nixpkgs": [ + "nix-fast-build", "nixpkgs" ] }, "locked": { - "lastModified": 1732013921, - "narHash": "sha256-grEEN4LjL4DTDZUyZjVcj9dXRykH/SKnpOIADN0q5w8=", + "lastModified": 1723808491, + "narHash": "sha256-rhis3qNuGmJmYC/okT7Dkc4M8CeUuRCSvW6kC2f3hBc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "5f5c2787576f3e39bbc2ebdbf8521b3177c5c19c", + "rev": "1d07739554fdc4f8481068f1b11d6ab4c1a4167a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732187120, + "narHash": "sha256-XdW2mYXvPHYtZ8oQqO3tRYtxx7kI0Hs3NU64IwAtD68=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "37f8f47cb618eddee0c0dd31a582b1cd3013c7f6", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index de2ff34..e42bff9 100644 --- a/flake.nix +++ b/flake.nix @@ -62,6 +62,10 @@ }; catppuccin.url = "github:catppuccin/nix"; emacs-overlay.url = "github:nix-community/emacs-overlay"; + nix-fast-build = { + url = "github:Mic92/nix-fast-build"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = diff --git a/hosts/default.nix b/hosts/default.nix index 5636017..f86454b 100644 --- a/hosts/default.nix +++ b/hosts/default.nix 
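Review bot: The new `nix-fast-build` input in flake.nix follows only `nixpkgs`, so the lock file gains separately pinned copies of its other dependencies (`flake-parts_3`, `treefmt-nix_2`). `treefmt-nix_2` is locked roughly three months behind the root's `treefmt-nix_3`. Adding `inputs.treefmt-nix.follows = "treefmt-nix";` to the block keeps the set of third-party trees to audit and update smaller. The same could apply to `flake-parts` if the root declares it, but the root input list is only partly visible here. The `inputs` attribute set itself starts outside the hunk.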
@@ -110,11 +110,13 @@ "cloudflare-dyndns-api-token" = { }; "restic-hetzner-password" = { }; "hass-ssh-key".owner = "hass"; + "sisko-attic-environment-file".owner = "atticd"; "autistici-password" = { # FIXME terrible, should create a third ad-hoc group owner = "grafana"; group = "forgejo"; }; + }; }; }; diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix index ba45c12..65c5e0b 100644 --- a/hosts/sisko/default.nix +++ b/hosts/sisko/default.nix @@ -18,7 +18,7 @@ "sisko-proxy" "invidious" "searx" - "sisko-nfs" + "sisko-share" "forgejo" "prometheus" "grafana" @@ -30,6 +30,7 @@ "immich" "paperless" "syncthing" + "atticd" ] ++ [ ./disko.nix diff --git a/modules/atticd/default.nix b/modules/atticd/default.nix new file mode 100644 index 0000000..507ba59 --- /dev/null +++ b/modules/atticd/default.nix @@ -0,0 +1,52 @@ +{ config, lib, ... }: +{ + services.atticd = { + enable = true; + settings = { + listen = "0.0.0.0:8081"; + allowed-hosts = [ ]; # Allow all hosts + # api-endpoint = "https://cache.staging.mlabs.city/"; + soft-delete-caches = false; + require-proof-of-possession = true; + + database.url = "sqlite://${config.services.atticd.settings.storage.path}/server.db?mode=rwc"; + + storage = { + type = "local"; + path = "/mnt/hd/atticd"; + }; + + compression = { + level = 8; + type = "zstd"; + }; + + chunking = { + nar-size-threshold = 64 * 1024; # 64 KiB + min-size = 16 * 1024; # 16 KiB + avg-size = 64 * 1024; # 64 KiB + max-size = 256 * 1024; # 256 KiB + }; + }; + environmentFile = config.age.secrets.sisko-attic-environment-file.path; + }; + + systemd.services.atticd = { + serviceConfig = { + DynamicUser = lib.mkForce false; + }; + }; + + systemd.tmpfiles.rules = [ + "d config.services.atticd.settings.storage.path 770 atticd atticd" + ]; + + users = { + groups.atticd = { }; + users.atticd = { + group = "atticd"; + home = config.services.atticd.settings.storage.path; + isSystemUser = true; + }; + }; +} 
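Review bot: The tmpfiles rule at the end of modules/atticd/default.nix is a plain string, so systemd-tmpfiles receives the literal text `config.services.atticd.settings.storage.path` instead of `/mnt/hd/atticd`, and the storage directory is not created with the intended `770 atticd atticd` ownership. It should be interpolated: `"d ${config.services.atticd.settings.storage.path} 770 atticd atticd"`. Separately, `listen = "0.0.0.0:8081"` together with `allowed-hosts = [ ]` accepts requests on every interface and for any Host header, so access control rests entirely on the firewall and the token secret loaded from `environmentFile`. If the cache is meant to sit behind a reverse proxy (the host already imports `sisko-proxy`), binding to loopback or the internal address and listing the expected host name would narrow the exposure. The commented-out `api-endpoint` looks copied from another deployment and is better replaced with this host's URL or removed.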
diff --git a/modules/forgejo-runners/default.nix b/modules/forgejo-runners/default.nix index 1d88c82..e9b52b9 100644 --- a/modules/forgejo-runners/default.nix +++ b/modules/forgejo-runners/default.nix @@ -23,6 +23,7 @@ let nix-fast-build curl tea + attic-client ] }; do for bin in "$dir"/bin/*; do diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix index cebc663..9cde4b4 100644 --- a/modules/home-assistant/default.nix +++ b/modules/home-assistant/default.nix @@ -70,15 +70,6 @@ in "::1" ]; }; - # ffmpeg = {}; - # camera = [ - # { - # name = "EyeToy"; - # platform = "ffmpeg"; - # input = "/dev/video1"; - # extra_arguments = "-vcodec h264"; - # } - # ]; homeassistant = { unit_system = "metric"; time_zone = "Europe/Rome"; @@ -87,17 +78,6 @@ in internal_url = "http://rock5b.fleet:8123"; }; logger.default = "WARNING"; - # backup = {}; - # media_player = [{ - # platform = "webostv"; - # host = "10.1.1.213"; - # name = "TV"; - # timeout = "5"; - # turn_on_action = { - # service = "wake_on_lan.send_magic_packet"; - # data.mac = "20:28:bc:74:14:c2"; - # }; - # }]; wake_on_lan = { }; switch = [ { @@ -109,7 +89,6 @@ in } ]; shell_command.turn_off_picard = ''${pkgs.openssh}/bin/ssh -i /var/lib/hass/.ssh/id_ed25519 -o StrictHostKeyChecking=no hass@picard.fleet "exec sudo \$(readlink \$(which systemctl)) poweroff"''; - # shell_command.turn_off_picard = ''whoami''; prometheus = { namespace = "hass"; }; diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 84e36c4..a46e84e 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix 
@@ -2,17 +2,23 @@ config, lib, fleetFlake, + pkgs, ... }: { nixpkgs.overlays = [ (final: _: { + nix-fast-build = fleetFlake.inputs.nix-fast-build.packages.${final.system}.nix-fast-build // { + nix = final.nix; + }; nix-eval-job = fleetFlake.inputs.lix-eval-jobs.packages.${final.system}.nix-eval-jobs // { nix = final.nix; }; }) ]; + environment.systemPackages = [ pkgs.nix-fast-build ]; + nix = { optimise.automatic = true; diff --git a/modules/sisko-nfs/default.nix b/modules/sisko-nfs/default.nix deleted file mode 100644 index 7e9b82b..0000000 --- a/modules/sisko-nfs/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - systemd.tmpfiles.rules = [ - "d /export 770 nobody nogroup" - ]; - - fileSystems."/export/hd" = { - device = "/mnt/hd"; - options = [ "bind" ]; - }; - - services.nfs.server = { - enable = true; - exports = '' - /export 10.100.0.1/24(rw,fsid=0,no_subtree_check) - /export/hd 10.100.0.1/24(rw,nohide,insecure,no_subtree_check,no_root_squash) - ''; - }; - - networking.firewall.allowedTCPPorts = [ 2049 ]; -} diff --git a/modules/sisko-share/default.nix b/modules/sisko-share/default.nix new file mode 100644 index 0000000..41ea29b --- /dev/null +++ b/modules/sisko-share/default.nix 
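Review bot: In the overlay in modules/nix/default.nix, `… .nix-fast-build // { nix = final.nix; }` only attaches a `nix` attribute to the already-evaluated package attrset. It does not change the derivation, so `nix-fast-build` still runs with whatever nix its own flake selected. If the intent is to make the tool use the system's nix, that needs an override of the package inputs, for example `.override { nix = final.nix; }`, assuming the package function takes that argument (not visible here). The existing `nix-eval-job` entry uses the same pattern, so a comment such as `# only exposes .nix to consumers; does not rebuild the package` would record which behaviour is meant.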
@@ -0,0 +1,39 @@ +{ + systemd.tmpfiles.rules = [ + "d /export 770 nobody nogroup" + ]; + + fileSystems."/export/hd" = { + device = "/mnt/hd"; + options = [ "bind" ]; + }; + + services.nfs.server = { + enable = true; + exports = '' + /export 10.100.0.1/24(rw,fsid=0,no_subtree_check) + /export/hd 10.100.0.1/24(rw,nohide,insecure,no_subtree_check,no_root_squash) + ''; + }; + + services.webdav = { + enable = true; + + settings = { + address = "10.1.1.2"; # accessible only in LAN, used by Kodi installed on the TV + port = 9999; + scope = "/mnt/hd/torrent"; + modify = false; + auth = false; # TODO should we enable authentication? It's only reachable in LAN + debug = true; + users = [ ]; + }; + }; + + users.users.webdav.extraGroups = [ "transmission" ]; + + networking.firewall.allowedTCPPorts = [ + 2049 + 9999 + ]; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e5e95f4..52a3217 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -161,6 +161,11 @@ with keys.users; ccr-gpg sisko ]; + "sisko-attic-environment-file.age".publicKeys = [ + ccr-ssh + ccr-gpg + sisko + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ diff --git a/secrets/sisko-attic-environment-file.age b/secrets/sisko-attic-environment-file.age new file mode 100644 index 0000000..9727463 Binary files /dev/null and b/secrets/sisko-attic-environment-file.age differ
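Review bot: The WebDAV block in modules/sisko-share/default.nix serves `/mnt/hd/torrent` with `auth = false` and `debug = true`, and port 9999 is added to `networking.firewall.allowedTCPPorts` for every interface, so any device that can reach 10.1.1.2 can read the share without credentials. The TODO already raises the question; a read-only account for Kodi (`auth = true;` plus one entry in `users`) would close it. Scoping the port with `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ 9999 ];` and setting `debug = false;` would also keep the service and its request logs confined. The NFS export carried into this file keeps `insecure,no_root_squash` on `/export/hd`, which is a bind of `/mnt/hd` and therefore now also covers the attic store this commit places under `/mnt/hd/atticd`. A root user on any client in 10.100.0.1/24 could modify the cached store contents and `server.db`, so consider dropping `no_root_squash` or exporting a narrower subtree.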