diff --git a/flake.lock b/flake.lock index e48dcf3..8d9ac2c 100644 --- a/flake.lock +++ b/flake.lock @@ -80,11 +80,11 @@ ] }, "locked": { - "lastModified": 1731549112, - "narHash": "sha256-c9I3i1CwZ10SoM5npQQVnfwgvB86jAS3lT4ZqkRoSOI=", + "lastModified": 1732109232, + "narHash": "sha256-iYh6h8yueU8IyOfNclbiBG2+fBFcjjUfXm90ZBzk0c0=", "owner": "nix-community", "repo": "disko", - "rev": "5fd852c4155a689098095406500d0ae3d04654a8", + "rev": "a0c384e0a3b8bcaed30a6bcf3783f8a7c8b35be4", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "pyproject-nix": "pyproject-nix" }, "locked": { - "lastModified": 1731424167, - "narHash": "sha256-nKKeRwq7mxcW8cBTmPKzSg0DR/inVrtuJudVM81GISU=", + "lastModified": 1732113111, + "narHash": "sha256-KgGKWOEbqP15O2J6kue4JShHDk5yGG5e1GfY22bjuZU=", "owner": "nix-community", "repo": "dream2nix", - "rev": "44d41411686bc798876bd6d9f36a4c1143138d85", + "rev": "91bec8a0854abfa581a40b5030cfa8f98d2f8ee5", "type": "github" }, "original": { @@ -119,11 +119,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1731574827, - "narHash": "sha256-QneOtCpfBNkgJCs32Y8LaKDpontw7W9ATQxIW4qb6qc=", + "lastModified": 1732179669, + "narHash": "sha256-zpaoCm2sakoi8hsabMjTq7kYTz0SJo7PhRUGk48QjXY=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "4639038b0f5e66e7d0f3d103b8e44ded3ab7e337", + "rev": "46cbce8bc96c36a83a2cae9312026b3028bdcb87", "type": "github" }, "original": { @@ -209,11 +209,11 @@ ] }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { 
@@ -223,6 +223,27 @@ } }, "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "nix-fast-build", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { "inputs": { "nixpkgs-lib": "nixpkgs-lib_2" }, @@ -240,7 +261,7 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ "nixThePlanet", @@ -266,11 +287,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -340,11 +361,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1731363552, - "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -398,7 +419,7 @@ }, "hercules-ci-effects": { "inputs": { - "flake-parts": "flake-parts_4", + "flake-parts": "flake-parts_5", "nixpkgs": "nixpkgs_6" }, "locked": { 
@@ -464,11 +485,11 @@ ] }, "locked": { - "lastModified": 1731535640, - "narHash": "sha256-2EckCJn4wxran/TsRiCOFcmVpep2m9EBKl99NBh2GnM=", + "lastModified": 1732025103, + "narHash": "sha256-qjEI64RKvDxRyEarY0jTzrZMa8ebezh2DEZmJJrpVdo=", "owner": "nix-community", "repo": "home-manager", - "rev": "35b055009afd0107b69c286fca34d2ad98940d57", + "rev": "a46e702093a5c46e192243edbd977d5749e7f294", "type": "github" }, "original": { @@ -525,11 +546,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1730739295, - "narHash": "sha256-aYeJ/P/9AuK6Kee63ZdsmDjEwhnksF+gIv/OyGtlBJE=", + "lastModified": 1731941836, + "narHash": "sha256-zpmAzrvK8KdssBSwiIwwRxaUJ77oWORbW0XFvgCFpTE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "cef39a78679c266300874e7a7000b4da066228d4", + "rev": "2f48272f34174fd2a5ab3df4d8a46919247be879", "type": "github" }, "original": { @@ -568,11 +589,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1731185443, - "narHash": "sha256-9qkRZFTgbMonlBaLqL+OW6iiHLWXuBJlThISMhwQuGg=", + "lastModified": 1731890968, + "narHash": "sha256-6xMxT2duVMO6fo1AXfTjqh7LW3ZmNiHw6kBaAhweLGo=", "ref": "refs/heads/main", - "rev": "57ddb99e781d19704f8a84036f9890e6ca554c41", - "revCount": 613, + "rev": "912a9d63319e71ca131e16eea3348145a255db2e", + "revCount": 616, "type": "git", "url": "https://git.lix.systems/lix-project/nix-eval-jobs" }, @@ -593,11 +614,11 @@ ] }, "locked": { - "lastModified": 1731185731, - "narHash": "sha256-RNaIu43b9PoXEhW4OqXUNZKY/jezQyCYWwdv1M0VjsA=", + "lastModified": 1731967274, + "narHash": "sha256-n6dPGRlMGdL8X5gviA6ZuRfUdbdD5KiNN/BpABA5YT0=", "ref": "refs/heads/main", - "rev": "691193879d96bdfd1e6ab5ebcca2fadc7604cf34", - "revCount": 117, + "rev": "aa2846680fa9a2032939d720487942567fd9eb63", + "revCount": 119, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, 
@@ -609,11 +630,11 @@ "mobile-nixos": { "flake": false, "locked": { - "lastModified": 1730912712, - "narHash": "sha256-T5A9I6Tfh9zrv9sRWfu/ZKN6VkE670YQ6bjC5sbpTzk=", + "lastModified": 1732038579, + "narHash": "sha256-NHf24Zmhh5vFBarfgBdgbYQXUppmPitMUkj6Gvddab8=", "owner": "NixOS", "repo": "mobile-nixos", - "rev": "2268e358ed407d9c0a4499ae767d105eeaeec586", + "rev": "b7db416f5db80a749b45083876e908cda64506ad", "type": "github" }, "original": { @@ -622,6 +643,28 @@ "type": "github" } }, + "nix-fast-build": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1730278911, + "narHash": "sha256-CrbqsC+lEA3w6gLfpqfDMDEKoEta2sl4sbQK6Z/gXak=", + "owner": "Mic92", + "repo": "nix-fast-build", + "rev": "8e7c9d76979381441facb8888f21408312cf177a", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-fast-build", + "type": "github" + } + }, "nix-formatter-pack": { "inputs": { "nixpkgs": [ @@ -697,11 +740,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1731454423, - "narHash": "sha256-TtwvgFxUa0wyptLhQbKaixgNW1UXf3+TDqfX3Kp63oM=", + "lastModified": 1732016537, + "narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "6c71c49e2448e51ad830ed211024e6d0edc50116", + "rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4", "type": "github" }, "original": { @@ -712,7 +755,7 @@ }, "nixThePlanet": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "hercules-ci-effects": "hercules-ci-effects", "nixpkgs": [ "nixpkgs" 
@@ -735,11 +778,11 @@ }, "nixosHardware": { "locked": { - "lastModified": 1731403644, - "narHash": "sha256-T9V7CTucjRZ4Qc6pUEV/kpgNGzQbHWfGcfK6JJLfUeI=", + "lastModified": 1731797098, + "narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "f6581f1c3b137086e42a08a906bdada63045f991", + "rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6", "type": "github" }, "original": { @@ -828,11 +871,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1731386116, - "narHash": "sha256-lKA770aUmjPHdTaJWnP3yQ9OI1TigenUqVC3wweqZuI=", + "lastModified": 1731797254, + "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "689fed12a013f56d4c4d3f612489634267d86529", + "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59", "type": "github" }, "original": { @@ -892,11 +935,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1731319897, - "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc460ec76cbff0e66e269457d7b728432263166c", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { @@ -953,11 +996,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1731319897, - "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc460ec76cbff0e66e269457d7b728432263166c", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { 
@@ -1119,12 +1162,13 @@ "lix-eval-jobs": "lix-eval-jobs", "lix-module": "lix-module", "mobile-nixos": "mobile-nixos", + "nix-fast-build": "nix-fast-build", "nix-on-droid": "nix-on-droid", "nixDarwin": "nixDarwin", "nixThePlanet": "nixThePlanet", "nixosHardware": "nixosHardware", "nixpkgs": "nixpkgs_7", - "treefmt-nix": "treefmt-nix_2", + "treefmt-nix": "treefmt-nix_3", "vscode-server": "vscode-server" } }, @@ -1240,11 +1284,11 @@ ] }, "locked": { - "lastModified": 1729613947, - "narHash": "sha256-XGOvuIPW1XRfPgHtGYXd5MAmJzZtOuwlfKDgxX5KT3s=", + "lastModified": 1730321837, + "narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "aac86347fb5063960eccb19493e0cadcdb4205ca", + "rev": "746901bb8dba96d154b66492a29f5db0693dbfcc", "type": "github" }, "original": { @@ -1256,15 +1300,36 @@ "treefmt-nix_2": { "inputs": { "nixpkgs": [ + "nix-fast-build", "nixpkgs" ] }, "locked": { - "lastModified": 1730321837, - "narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=", + "lastModified": 1723808491, + "narHash": "sha256-rhis3qNuGmJmYC/okT7Dkc4M8CeUuRCSvW6kC2f3hBc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "746901bb8dba96d154b66492a29f5db0693dbfcc", + "rev": "1d07739554fdc4f8481068f1b11d6ab4c1a4167a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732187120, + "narHash": "sha256-XdW2mYXvPHYtZ8oQqO3tRYtxx7kI0Hs3NU64IwAtD68=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "37f8f47cb618eddee0c0dd31a582b1cd3013c7f6", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index de2ff34..e42bff9 100644 --- a/flake.nix +++ b/flake.nix 
@@ -62,6 +62,10 @@ }; catppuccin.url = "github:catppuccin/nix"; emacs-overlay.url = "github:nix-community/emacs-overlay"; + nix-fast-build = { + url = "github:Mic92/nix-fast-build"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = diff --git a/hosts/default.nix b/hosts/default.nix index 5636017..f86454b 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -110,11 +110,13 @@ "cloudflare-dyndns-api-token" = { }; "restic-hetzner-password" = { }; "hass-ssh-key".owner = "hass"; + "sisko-attic-environment-file".owner = "atticd"; "autistici-password" = { # FIXME terrible, should create a third ad-hoc group owner = "grafana"; group = "forgejo"; }; + }; }; }; diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix index ba45c12..65c5e0b 100644 --- a/hosts/sisko/default.nix +++ b/hosts/sisko/default.nix @@ -18,7 +18,7 @@ "sisko-proxy" "invidious" "searx" - "sisko-nfs" + "sisko-share" "forgejo" "prometheus" "grafana" @@ -30,6 +30,7 @@ "immich" "paperless" "syncthing" + "atticd" ] ++ [ ./disko.nix diff --git a/modules/atticd/default.nix b/modules/atticd/default.nix new file mode 100644 index 0000000..507ba59 --- /dev/null +++ b/modules/atticd/default.nix 
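Review bot: The new `nix-fast-build` input makes only `nixpkgs` follow the root, and the lock file in this commit gains separate `flake-parts_3` and `treefmt-nix_2` nodes for it, the latter pinned to an older revision than the root's `treefmt-nix`. The root flake already declares `treefmt-nix`, so adding `inputs.treefmt-nix.follows = "treefmt-nix";` inside the block would leave one fewer third-party revision in the lock to track and audit. The same may hold for `flake-parts` if the root declares it, which this hunk does not show.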
@@ -0,0 +1,52 @@ +{ config, lib, ... }: +{ + services.atticd = { + enable = true; + settings = { + listen = "0.0.0.0:8081"; + allowed-hosts = [ ]; # Allow all hosts + # api-endpoint = "https://cache.staging.mlabs.city/"; + soft-delete-caches = false; + require-proof-of-possession = true; + + database.url = "sqlite://${config.services.atticd.settings.storage.path}/server.db?mode=rwc"; + + storage = { + type = "local"; + path = "/mnt/hd/atticd"; + }; + + compression = { + level = 8; + type = "zstd"; + }; + + chunking = { + nar-size-threshold = 64 * 1024; # 64 KiB + min-size = 16 * 1024; # 16 KiB + avg-size = 64 * 1024; # 64 KiB + max-size = 256 * 1024; # 256 KiB + }; + }; + environmentFile = config.age.secrets.sisko-attic-environment-file.path; + }; + + systemd.services.atticd = { + serviceConfig = { + DynamicUser = lib.mkForce false; + }; + }; + + systemd.tmpfiles.rules = [ + "d config.services.atticd.settings.storage.path 770 atticd atticd" + ]; + + users = { + groups.atticd = { }; + users.atticd = { + group = "atticd"; + home = config.services.atticd.settings.storage.path; + isSystemUser = true; + }; + }; +} diff --git a/modules/forgejo-runners/default.nix b/modules/forgejo-runners/default.nix index 1d88c82..e9b52b9 100644 --- a/modules/forgejo-runners/default.nix +++ b/modules/forgejo-runners/default.nix @@ -23,6 +23,7 @@ let nix-fast-build curl tea + attic-client ] }; do for bin in "$dir"/bin/*; do diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix index cebc663..9cde4b4 100644 --- a/modules/home-assistant/default.nix +++ b/modules/home-assistant/default.nix @@ -70,15 +70,6 @@ in "::1" ]; }; - # ffmpeg = {}; - # camera = [ - # { - # name = "EyeToy"; - # platform = "ffmpeg"; - # input = "/dev/video1"; - # extra_arguments = "-vcodec h264"; - # } - # ]; homeassistant = { unit_system = "metric"; time_zone = "Europe/Rome"; 
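Review bot: The tmpfiles rule `"d config.services.atticd.settings.storage.path 770 atticd atticd"` passes the option name as literal text instead of the path, so it does not name an absolute directory and `/mnt/hd/atticd` is not created with the intended owner and mode; it should interpolate, `"d ${config.services.atticd.settings.storage.path} 0770 atticd atticd"`. Separately, `listen = "0.0.0.0:8081"` together with `allowed-hosts = [ ]` accepts requests on every interface and for any Host header; if the service is meant to sit behind the host's reverse proxy (an assumption, the proxy configuration is not in this hunk), `listen = "127.0.0.1:8081";` and an explicit `allowed-hosts` entry would narrow that. The commented `api-endpoint` names `cache.staging.mlabs.city`, which looks copied from another deployment and should be replaced or dropped.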
@@ -87,17 +78,6 @@ in internal_url = "http://rock5b.fleet:8123"; }; logger.default = "WARNING"; - # backup = {}; - # media_player = [{ - # platform = "webostv"; - # host = "10.1.1.213"; - # name = "TV"; - # timeout = "5"; - # turn_on_action = { - # service = "wake_on_lan.send_magic_packet"; - # data.mac = "20:28:bc:74:14:c2"; - # }; - # }]; wake_on_lan = { }; switch = [ { @@ -109,7 +89,6 @@ in } ]; shell_command.turn_off_picard = ''${pkgs.openssh}/bin/ssh -i /var/lib/hass/.ssh/id_ed25519 -o StrictHostKeyChecking=no hass@picard.fleet "exec sudo \$(readlink \$(which systemctl)) poweroff"''; - # shell_command.turn_off_picard = ''whoami''; prometheus = { namespace = "hass"; }; diff --git a/modules/nix/default.nix b/modules/nix/default.nix index 84e36c4..a46e84e 100644 --- a/modules/nix/default.nix +++ b/modules/nix/default.nix @@ -2,17 +2,23 @@ config, lib, fleetFlake, + pkgs, ... }: { nixpkgs.overlays = [ (final: _: { + nix-fast-build = fleetFlake.inputs.nix-fast-build.packages.${final.system}.nix-fast-build // { + nix = final.nix; + }; nix-eval-job = fleetFlake.inputs.lix-eval-jobs.packages.${final.system}.nix-eval-jobs // { nix = final.nix; }; }) ]; + environment.systemPackages = [ pkgs.nix-fast-build ]; + nix = { optimise.automatic = true; diff --git a/modules/sisko-nfs/default.nix b/modules/sisko-nfs/default.nix deleted file mode 100644 index 7e9b82b..0000000 --- a/modules/sisko-nfs/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - systemd.tmpfiles.rules = [ - "d /export 770 nobody nogroup" - ]; - - fileSystems."/export/hd" = { - device = "/mnt/hd"; - options = [ "bind" ]; - }; - - services.nfs.server = { - enable = true; - exports = '' - /export 10.100.0.1/24(rw,fsid=0,no_subtree_check) - /export/hd 10.100.0.1/24(rw,nohide,insecure,no_subtree_check,no_root_squash) - ''; - }; - - networking.firewall.allowedTCPPorts = [ 2049 ]; -} diff --git a/modules/sisko-share/default.nix b/modules/sisko-share/default.nix new file mode 100644 index 0000000..41ea29b --- /dev/null 
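Review bot: In the `modules/nix/default.nix` overlay, `... // { nix = final.nix; }` only attaches a `nix` attribute to the already-evaluated package; it does not rebuild `nix-fast-build` against `final.nix`, so the binary added to `environment.systemPackages` still uses whichever Nix the upstream flake built it with. If the intent is to make it run against the system's Nix implementation, an override is needed, for example `fleetFlake.inputs.nix-fast-build.packages.${final.system}.nix-fast-build.override { nix = final.nix; }`, provided the upstream package accepts a `nix` argument (not visible here). The existing `nix-eval-job` entry uses the same `//` pattern and has the same effect.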
+++ b/modules/sisko-share/default.nix @@ -0,0 +1,39 @@ +{ + systemd.tmpfiles.rules = [ + "d /export 770 nobody nogroup" + ]; + + fileSystems."/export/hd" = { + device = "/mnt/hd"; + options = [ "bind" ]; + }; + + services.nfs.server = { + enable = true; + exports = '' + /export 10.100.0.1/24(rw,fsid=0,no_subtree_check) + /export/hd 10.100.0.1/24(rw,nohide,insecure,no_subtree_check,no_root_squash) + ''; + }; + + services.webdav = { + enable = true; + + settings = { + address = "10.1.1.2"; # accessible only in LAN, used by Kodi installed on the TV + port = 9999; + scope = "/mnt/hd/torrent"; + modify = false; + auth = false; # TODO should we enable authentication? It's only reachable in LAN + debug = true; + users = [ ]; + }; + }; + + users.users.webdav.extraGroups = [ "transmission" ]; + + networking.firewall.allowedTCPPorts = [ + 2049 + 9999 + ]; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e5e95f4..52a3217 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -161,6 +161,11 @@ with keys.users; ccr-gpg sisko ]; + "sisko-attic-environment-file.age".publicKeys = [ + ccr-ssh + ccr-gpg + sisko + ]; # WireGuard "picard-wireguard-private-key.age".publicKeys = [ diff --git a/secrets/sisko-attic-environment-file.age b/secrets/sisko-attic-environment-file.age new file mode 100644 index 0000000..9727463 Binary files /dev/null and b/secrets/sisko-attic-environment-file.age differ
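Review bot: The new `services.webdav` block serves `/mnt/hd/torrent` with `auth = false` and `debug = true`, so any device that can reach `10.1.1.2:9999` can read the share, and verbose request logging stays on in normal operation. The TODO already asks the question; setting `auth = true;` with a `users` entry whose credentials come from an agenix-managed secret, and `debug = false;`, would settle it. `networking.firewall.allowedTCPPorts` opens 9999 on every interface; the bind address limits exposure today, but `networking.firewall.interfaces."<lan-interface>".allowedTCPPorts = [ 9999 ];` (placeholder interface name) would make the LAN-only intent explicit. The NFS export lines, including `insecure` and `no_root_squash`, are carried over unchanged from the deleted `sisko-nfs` module.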