simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

Compare commits

base: simon:master
Branches Tags
simon:master
simon:koyomi
simon:ci-runner
simon:24.05
simon:okarin2
simon:hyper
simon:catering
simon:reuse
simon:yuzuru2
simon:renge2
simon:23.11
simon:nazuna
simon:neomutt
simon:sayuri-mesa-clover
simon:upower
simon:binfmt
simon:ayu
simon:restic-rest-server
..
compare: simon:24.05
Branches Tags
simon:koyomi
simon:master
simon:ci-runner
simon:24.05
simon:okarin2
simon:hyper
simon:catering
simon:reuse
simon:yuzuru2
simon:renge2
simon:23.11
simon:nazuna
simon:neomutt
simon:sayuri-mesa-clover
simon:upower
simon:binfmt
simon:ayu
simon:restic-rest-server

No commits in common. "master" and "24.05" have entirely different histories.
master ... 24.05

24 changed files with 101 additions and 464 deletions
Show stats Expand all files Collapse all files

8
.sops.yaml
View file

@ -20,7 +20,6 @@ keys:
- &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
- &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4 - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
- &koyomi a53d4ca8d2cf54613822c81d660e69babee42643 - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
- &ci-runner 20e376b89b30327fb82f12e8e8b72d52c3aa39ee
creation_rules: creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$ - path_regex: machines/nunotaba/secrets\.yaml$
key_groups: key_groups:
@ -106,13 +105,6 @@ creation_rules:
- *simon-alpha - *simon-alpha
- *simon-beta - *simon-beta
- *koyomi - *koyomi
- path_regex: machines/ci-runner/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *simon-alpha
- *simon-beta
- *ci-runner
- path_regex: secrets\.yaml$ - path_regex: secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:

92
flake.lock
View file

@ -85,11 +85,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720042825, "lastModified": 1716736833,
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -106,11 +106,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722630065, "lastModified": 1717316182,
"narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=", "narHash": "sha256-Xi0EpZcu39N0eW7apLjFfUOR9y80toyjYizez7J1wMI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "afc892db74d65042031a093adb6010c4c3378422", "rev": "9b53a10f4c91892f5af87cf55d08fba59ca086af",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -189,11 +189,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703863825, "lastModified": 1698974481,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=", "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-github-actions", "repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547", "rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -212,11 +212,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1721042469, "lastModified": 1716213921,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=", "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd", "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -228,11 +228,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1722332872, "lastModified": 1717248095,
"narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=", "narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "14c333162ba53c02853add87a0000cbd7aa230c2", "rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -244,11 +244,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1722519197, "lastModified": 1717144377,
"narHash": "sha256-VEdJmVU2eLFtLqCjTYJd1J7+Go8idAcZoT11IewFiRg=", "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "05405724efa137a0b899cce5ab4dde463b4fd30b", "rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -272,11 +272,11 @@
"poetry2nix": "poetry2nix" "poetry2nix": "poetry2nix"
}, },
"locked": { "locked": {
"lastModified": 1719952130, "lastModified": 1712934106,
"narHash": "sha256-j38XlExNwK4ycmoNEdH/dHUd1QGdNvD3gx/UuLY+04Q=", "narHash": "sha256-JubHgaV6HUZarwwq4y2rxJaaj2a6euErJfCqpmhrhWk=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "3487b8ce24d40cc898f3dba0a9af5e028e1d5844", "rev": "2bcb2b6c7b0e04f4ef8e51e00fd93a5e5cb00bf8",
"revCount": 68, "revCount": 66,
"type": "git", "type": "git",
"url": "https://git.sbruder.de/simon/nixpkgs-overlay" "url": "https://git.sbruder.de/simon/nixpkgs-overlay"
}, },
@ -287,43 +287,43 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1720386169, "lastModified": 1710695816,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7", "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-24.05", "ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1721524707, "lastModified": 1717265169,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "narHash": "sha256-IITcGd6xpNoyq9SZBigCkv4+qMHSqot0RDPR4xsZ2CA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "rev": "3b1b4895b2c5f9f5544d02132896aeb9ceea77bc",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-24.05", "ref": "release-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1722421184, "lastModified": 1716948383,
"narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -359,11 +359,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1721396844, "lastModified": 1703801091,
"narHash": "sha256-VduymKyeovo7JzcJ3ar4fryebNu36RnKlI+/TOMWN8w=", "narHash": "sha256-ay1oI2IxhODG4KheqdxqlHlt6bUmvAogRZbzIcavR+k=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "a09c08847b2539a069833d9ef72d74224c170a54", "rev": "9bddae5f112cdc471faf1a71d34bc4cc2497e946",
"revCount": 19, "revCount": 16,
"type": "git", "type": "git",
"url": "https://git.sbruder.de/simon/password-hash-self-service" "url": "https://git.sbruder.de/simon/password-hash-self-service"
}, },
@ -387,11 +387,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1714509427, "lastModified": 1701399357,
"narHash": "sha256-YTcd6n7BeAVxBNhzOgUHMmsgBkfQ2Cz9ZcFotXrpEg8=", "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
"owner": "nix-community", "owner": "nix-community",
"repo": "poetry2nix", "repo": "poetry2nix",
"rev": "184960be60652ca7f865123e8394ece988afb566", "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -450,11 +450,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1722114803, "lastModified": 1717297459,
"narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", "narHash": "sha256-cZC2f68w5UrJ1f+2NWGV9Gx0dEYmxwomWN2B0lx0QRA=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", "rev": "ab2a43b0d21d1d37d4d5726a892f714eaeb4b075",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -501,11 +501,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1714058656, "lastModified": 1699786194,
"narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"type": "github" "type": "github"
}, },
"original": { "original": {

28
keys/machines/ci-runner.asc
View file

@ -1,28 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEADCLQ+QHuf+tfp88c7rUzPPLLsfSNvH4lPw57cIz0hCADDIyBfs
xZH+uSfBDX7EJyCdpRulpKeI+ixoMtpTo1sgLLnXTaiVY024+ZNtbHUtN28CuS5P
O1uBfWn8ska524DobfHsiIfWRlHrrOdQpgoFfNLIalgbDJv84ktkV92e4NXwp9fg
6/KzcR/LOwUr/ps/OV0+nXgWir9Kz7FepDBIu60UnMeqmqrpptFfxyhB9drps9m0
8wQwaqX+1H4MRNnDVcZEQSdyCHrb3ia7Nc/ysUtguRlhmCuUxRAg1iGoQ4CwDadQ
SgS8eofAmueoV0D0AM6zptFtHydX4U7ZYUeaVdEoKqAcl2IOEydSDg71bDrHDonc
II71WezXY8B76M9W7vvphYjql97x8Eb7HMiDecrqxpaOcnPDeGSy2J9+ENXUhVbk
tak2itzD7FXXpDy15Oam3zNAZV718TfyvsxjOq8xNIDUh1x5iDlR/YAOErro3qF/
fQWIGaKZDDllOpP6BxTR87x85w56i9yPRJ1jl5UvUYKkU30HrnIo/sScy4s1NeSH
XyIGHemm+8e1S2LYEQ/w2bnwKHHNS5kdfARMnaSpMurD+Pd9UBOHPn+M+ZVjX7hT
wCn8QJSJZiUA0b1lJ8YgbXRodHn9jdpZugQ8frtImcDE3Lq+H/VqzJm0tQARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQ6LctUsOqOe4CGw8CGQEAAC2dEAABcy5TinEg/yr40qtrPmdR
+qw+B3CezIZOhkFVXJ5SnKSD6kNmijgJjloSJgpQf9qqDsZ8asWzZN79h5s9fqNa
GBn5jBBqoSLPtnNAvxiLk62iRyCbb7y645I1u5Cmg5eBPLjGpVrxI3rPcGojkBz7
1LjtxCY94JI7lRYMpN6qOvyQlrTOxlFDE+C/x60UeliNzL3Ld17O9iuqlSGiYpz4
kellyHF4zHvOcSmURmGmHDzPQvkLop81rCogMZkVoA0tg446U1sPdIo8HJZD+cLt
LXCNlyLU/MK7RCAG25+Z2KE43Z0xuXyNmHc0tpYOWs6oob7+ZmsWFObpyN6v69G/
rTnZbQCp/H/Rr19UbJhoEhDpB6J+6O1OlJXe5hUDiiIYpC6vtzJV8B0ERQ9Vr1TC
nCo+RaBJoPbkJySSO500G3/psQugsxBcxRtCy78cHV1B4fKEJM4e1Hi3VP2uhCju
gRaiLGikDy4rpQQxasszOO2Yt57OGV5qySnZ9hfDLhtmhmNjL2HazZlVT1um28j4
+DZQ7JUmjvlmzZPPt2fWG4k2zv6Xy1p2aLiuL+6TrQLjEyIMa41Lxf6bB7hlYo1Y
3Xl5yE94wvBx2+gKEArlqdrn/P8cdktHuGrELBwVaVgvHHtBM3qfzBik2lIRJMIx
haEIuBv/ZtSMbM/ItaAnJA==
=eW+j
-----END PGP PUBLIC KEY BLOCK-----

15
machines/ci-runner/README.md
View file

@ -1,15 +0,0 @@
<!--
SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
SPDX-License-Identifier: CC-BY-SA-4.0
-->
# ci-runner
## Hardware
QEMU/KVM virtual machine on [koyomi](../koyomi/README.md).
## Purpose
It will serve as a CI runner for Forgejo.

79
machines/ci-runner/configuration.nix
View file

@ -1,79 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
instances = {
personal = {
url = "https://git.sbruder.de";
};
codeberg = {
url = "https://codeberg.org";
};
};
in
{
imports = [
./hardware-configuration.nix
../../modules
];
sbruder = {
full = false;
};
networking.hostName = "ci-runner";
system.stateVersion = "24.05";
sops.secrets = lib.mapAttrs'
(name: _: lib.nameValuePair "forgejo-runner-token-${name}" {
sopsFile = ./secrets.yaml;
})
instances;
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances = lib.mapAttrs
(name: cfg: {
inherit (cfg) url;
enable = true;
name = "koyomi-vm";
tokenFile = config.sops.secrets."forgejo-runner-token-${name}".path;
labels = [
"nix:host"
];
settings = {
log.level = "warn"; # seems to have little effect
runner = {
capacity = 4;
timeout = "1h";
};
};
hostPackages = with pkgs; [
bash
coreutils
git
git-lfs
nix
nodejs
podman
];
})
instances;
};
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
containers.containersConf.settings = {
engine.cgroup_manager = "cgroupfs"; # systemd does not work for system user
};
};
}

56
machines/ci-runner/hardware-configuration.nix
View file

@ -1,56 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
sbruder.machine.isVm = true;
boot = {
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
kernelParams = [ "console=ttyS0" ];
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
kernelModules = [ ];
};
loader = {
grub.enable = false;
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/e1a9b0bb-9f04-498c-ac2f-aad9da4639f3";
fsType = "btrfs";
options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
};
"/boot" = {
device = "/dev/disk/by-uuid/7A51-7897";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
networking = {
useDHCP = false;
usePredictableInterfaceNames = false;
};
systemd.network = {
enable = true;
networks = {
eth0 = {
name = "eth0";
DHCP = "yes";
domains = [ "sbruder.de" ];
};
};
};
}

73
machines/ci-runner/secrets.yaml
View file

@ -1,73 +0,0 @@
forgejo-runner-token-codeberg: ENC[AES256_GCM,data:dOoTwNaXUDrkE5qUldDMI/SQt3mufCF4Aeua7jqvSFTXuB15rLgdbC99+7MlMTc=,iv:7jakhJ3gKWxN0ACG9MfkOeA/X2HnTKHXxMvLJ/b/9uM=,tag:i7uk5pjd5ALnQrH6F5WhZg==,type:str]
forgejo-runner-token-personal: ENC[AES256_GCM,data:U2VmQW3mO+3lNBczxU5MmKjseCICXcu1q9g4xctrJMl7Hcau0Hfy2IT8YzaEnTo=,iv:IRf+5sTyx20cMyUCg8jffDiSIuNgVRySD7eqOlzzAXY=,tag:vLEo/E2VUZ4Uu/vTFDomUw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-07-31T15:26:48Z"
mac: ENC[AES256_GCM,data:qS+MsheUb+zsG5VuNqPAQz4QHDutltBQoY/qWWxSHpp5ty9O477mpsAGwP2okQJfrfbr5zfy9fUMOB/9GV3VWwhNfzmLSbSHM9f/0a1sgv7q2qsX3Z9HTyYoYJD1i9vfIX+AYCgeP7IlbPH/DOi5R6zYO34ETk1UqgSAtWjpu44=,iv:/oe5jlyzDTPZlNB0ToZpsJr/nwGU3QoGerHd7N4TjDY=,tag:U1R8PwdeWvViEhHJ04Un2w==,type:str]
pgp:
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAV+XCpuYtwJAQ0tudjofCp9kLhagt3iFPOZxMVm7Wu38w
7h11CkDL2crHptPFundK0cVC1C149l8fpTRM3w6HzrqrYeSb2rVB3sTJnquWE6vc
hF4Dub78fMESoMASAQdAyxaxQvNwxAVVLs2zfhpaEVJMJTVb2X8Re28T5oyzBTsw
vfLrp2aF9f6aR0rKawCdWCtbkdT84RqjcmFeRFm80aKg/moUOsEGKrJIom8bvzgC
hF4DM6AcvgVUx2MSAQdAkmk2DPVyggHcMG98DGidvPx2lx6f1jUctmu4bgCOCXow
JmC3Navjws1ki32t3AYO18VLzTdJnnoUZsMgKIZjrmTYq1SYEbZF7YkHpFKyD2P/
1GgBCQIQznxhAwr2Y1EfOOIurUCAFioUkb00NYurpRtXkwlq6zXj+g3mqy4oIxwE
G8PWC0Gd5DDf3vgY8gu+yIPdQYVtPEmcgdVAuf2URXeZzOYkYdME9aHjmOkZZLgl
q+rcko9nXtgqfQ==
=a7Tl
-----END PGP MESSAGE-----
fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4Dub78fMESoMASAQdAn4gu062b6uphH7aptsB+qJsJvw5j1jeEijaiN3g3HCEw
7efyFGEXz5Jr3QBkvA86zzzw4uaj6s8jcpGkygPgVxkid+wNPNE7Od2GxwsQ7Rzs
1GgBCQIQznKTHLTufQbnTxtYWdZ7Vd7d90/hl9ZkGRXCq5llvppaYkuO+RO3HeW1
Z4hAPFKrvOjNctb/Puh9kbmQ2g02KFdzs1xUvq3+Ma6gI+WeefV/R/VewAVve8+2
G/CwY+iDECvL1A==
=QVmD
-----END PGP MESSAGE-----
fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DLHeEFiC484ASAQdAwLuRB1t778hUtgsjaQisVwMhBudnSIOtrBFehLU5Smow
AA29mIR2539iMz/Qkdjoumj3IIKGu6a/fBeu0eLUcZqSt5PtpMKMDnF47HeRv/QQ
1GgBCQIQGjEJcIaQyjBPuHyxUNryt6M72ed5eKsnsHBhe+xmwc8AFliP2rt/kZOn
yJGjhMrFAib5i8rRDQiW+HlDHKZeGxsX3yLGdOSI9KfIFvawcYV8pxDFzIca/3X1
TcVFed7B2BUIow==
=6bPt
-----END PGP MESSAGE-----
fp: 403215E0F99D2582C7055C512C77841620B8F380
- created_at: "2024-07-19T10:09:12Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA+i3LVLDqjnuARAArF6aiDcKtyilbZXdBga+6nAqwBdpeYfXlnTMUztFLRYs
cSSe2HKu6J9G1oMqpZuNcGLUXgrdKk8PO3YmivWcPubQ0ruiorgzmSnXDhYvij7+
b9b3dSWXwe82sdCVlSQZRNeapeb1hW8wcrKSoFDUYyIl3HdlxFcB1Y7hKe3XpzAy
UMxgZ8B+Ne1JOHZw97YhZmr834F7/i4vCUv/US+dGd5Fl4a3bX/8ft43T0uj5JWW
PsbjZa2LIuV6dhXu8URraQHj24Z2xM/PSSmm277MzFiXVT/0jWHe38iXLxsp7/KV
hFYqbH49P7gTC7GWJ0xHJaICWXR9WJKSttc5ue8sMkf4rj3C/ULmxS7uKbUn4FgD
Po4XCOSanZZZos4Tz/KxExLjDioJbCBUSBVQUP07RRDyVjIEe4GlOG7QCVgqty6U
LJk7sQLgFOsCgaMGuA5u5hulWx7YDHqaZxKwWZ4ME8huoP2F7L4HzoWJGK33chCR
1t+p/cnflcz459bSGmDMjprZAtD2XFD08/GbDqS7rotPy0h+dnbT7TnvHrFFGjd2
Qw8SIytL0D0KcqKOIXztwtt30RqTMp3CnV22NasGJsbhshAV3zVheI/8dA6UuB4r
kltGrz+O+Z7HMwuYKKTUzz3C29VJYYhPlf4uq3kF+JJZC6ZQUNAoD5rgVDeZDyDS
WAEqbel5S7ImX3oAsIF21iI11jsbWHS1/PjHdsBQdSeBzVXooiRfVa/e4ixgk8S1
tbJl8GcvK4vdDxW689A86w7DoquocXRzJIYsKB/GVfsrTlTofAwPjHY=
=bQn7
-----END PGP MESSAGE-----
fp: 20e376b89b30327fb82f12e8e8b72d52c3aa39ee
unencrypted_suffix: _unencrypted
version: 3.8.1

5
machines/default.nix
View file

@ -85,9 +85,4 @@ in
targetHost = "koyomi.sbruder.de"; targetHost = "koyomi.sbruder.de";
}; };
ci-runner = {
system = "x86_64-linux";
targetHost = "ci-runner.sbruder.de";
};
} }

1
machines/fuuko/configuration.nix
View file

@ -19,7 +19,6 @@
sbruder = { sbruder = {
wireguard.home.enable = true; wireguard.home.enable = true;
nginx.hardening.enable = true; nginx.hardening.enable = true;
printing.server.enable = true;
restic.system = { restic.system = {
enable = true; enable = true;
qos = true; qos = true;

1
machines/hitagi/configuration.nix
View file

@ -18,7 +18,6 @@
}; };
gui.enable = true; gui.enable = true;
media-proxy.enable = true; media-proxy.enable = true;
podman.enable = true;
restic.system = { restic.system = {
enable = true; enable = true;
qos = true; qos = true;

24
machines/renge/services/element-web.nix
View file

@ -3,7 +3,20 @@
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }: { lib, pkgs, ... }:
let
# This uses
# https://github.com/vector-im/element-web#configuration-best-practices
# but allows to disable the frame-ancestors rule for /usercontent/.
mkSecurityHeaders = withFrameOptions: ''
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
'' + lib.optionalString withFrameOptions ''
add_header Content-Security-Policy "frame-ancestors 'none'";
'' + lib.optionalString (!withFrameOptions) ''
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
in
{ {
services.nginx.virtualHosts."chat.sbruder.de" = { services.nginx.virtualHosts."chat.sbruder.de" = {
enableACME = true; enableACME = true;
@ -11,13 +24,8 @@
root = pkgs.element-web; root = pkgs.element-web;
# https://github.com/vector-im/element-web#configuration-best-practices extraConfig = mkSecurityHeaders true;
extraConfig = '' locations."/usercontent/".extraConfig = mkSecurityHeaders false;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
# nixpkgss override mechanism doesnt allow overriding of all options # nixpkgss override mechanism doesnt allow overriding of all options
locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } { locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {

BIN
machines/vueko/secrets/mail-users.nix
View file

Binary file not shown.

1
machines/yuzuru/configuration.nix
View file

@ -10,7 +10,6 @@
../../modules ../../modules
./services/static-sites.nix ./services/static-sites.nix
./services/li7y.nix
]; ];
sbruder = { sbruder = {

5
machines/yuzuru/secrets.yaml
View file

@ -1,13 +1,12 @@
wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str] wg-home-private-key: ENC[AES256_GCM,data:0ylkx9p62CBGqVg+T52eHbMwbLcZM/v3tg/wJukDq76heN1TtQqbbqgVZKc=,iv:/aUkqKhihnBWQFLIRjS7kHigBCBXX7L4KY5q+cO9Q00=,tag:jQSMVElMfIyrG5hs7HuxUQ==,type:str]
li7y-environment: ENC[AES256_GCM,data:cm4+672JelbYsBm0rwrF/I9gS72XfAlj335v0+EfXmPSD1LCBJ3clR7jZC7SVH5D9ZSaSlrY8J/+7hgDmzsiR2kypNBvfMvN825AF5QFehnYeHhxUktU+uig7RzpRUeWSPM0r8j6lmpGNc7vd3S+L3TWn2ZfCJ8Kc28Ad2M9yFiZ7PPqB6qqLnsx2peQuafDhefuohLPOYA=,iv:84yL6l7zqeb7l3w3ARskJoQEvI1+HxoCCKrLhB0kx7E=,tag:GCetAOW7pvyjKEM26A9ZbA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-07-14T17:32:43Z" lastmodified: "2024-01-02T22:37:47Z"
mac: ENC[AES256_GCM,data:7D9xHNpdhI6CgX94PAoJJIJqVZ403ZL7dXbdnod2do4M+Qf0yRrRDxi6hPipf0BX0vsSq1npdiXcnwP50PZHal8LW7IJRjfefW5WnO+BLD42sIxt5mikdNfZhpyg3dHB7j+8m1lE1+veK/Ho06V32sckibhBG4AFBfMZ/k1VIns=,iv:NS9CaSyEUdmJEKFejiaugtZ5Nf8norhoaCaOwPZsxow=,tag:Y2Nu92iYO0PSqtXMLc3D7g==,type:str] mac: ENC[AES256_GCM,data:oBfM/DF/TfWJIW1VlvZ4Z+vBQxCmHm8J83pjILtHFBwU14f1H09iIsswY1xyAwO9wO3cttf4xjrSa6mGGUyQFqLdEzj8z/JkCm1vwpLZQW+j8FpRjH1ryyE6G/3eS5tboUZgmAwBPDsulJr3NBi121RHhZvWf1dv2T/J5IcZMxI=,iv://TpDpO8tNaibh8ABqE1AT6CPK62rtUZiFmYP9ST3MA=,tag:5SErG/jDycIdxX3ABOcsow==,type:str]
pgp: pgp:
- created_at: "2024-01-22T00:20:20Z" - created_at: "2024-01-22T00:20:20Z"
enc: |- enc: |-

60
machines/yuzuru/services/li7y.nix
View file

@ -1,60 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, pkgs, ... }:
{
sops.secrets.li7y-environment = {
sopsFile = ../secrets.yaml;
owner = "li7y";
};
users.users.li7y = {
isSystemUser = true;
home = "/var/lib/li7y";
createHome = true;
group = "li7y";
};
users.groups.li7y = { };
virtualisation = {
podman = {
enable = true;
defaultNetwork.settings = {
ipv6_enabled = true;
};
};
};
systemd.services.podman-li7y = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStartPre = "${pkgs.podman}/bin/podman pull git.sbruder.de/simon/li7y";
ExecStart = "${pkgs.podman}/bin/podman run --rm --name=li7y --userns=keep-id -v /run/postgresql:/run/postgresql --env-file ${config.sops.secrets.li7y-environment.path} -e 'DATABASE_URL=postgres:///?port=5432&host=/run/postgresql' -e LISTEN_ADDRESS=:: -p 127.0.0.1:8080:8080 git.sbruder.de/simon/li7y";
User = "li7y";
};
};
services.nginx = {
enable = true;
virtualHosts."i7y.eu" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://127.0.0.1:8080";
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "li7y" ];
ensureUsers = [
{
name = "li7y";
ensureDBOwnership = true;
}
];
};
}

62
modules/cups.nix
View file

@ -1,58 +1,36 @@
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de> # SPDX-FileCopyrightText: 2020-2022 Simon Bruder <simon@sbruder.de>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
printersPerServer = { gutenprintWithVersion = "gutenprint.${lib.versions.majorMinor (lib.getVersion pkgs.gutenprint)}";
fuuko = [
{
name = "etikettierviech";
deviceUri = "usb://SII/SLP650?serial=32152867B0";
model = "seiko/siislp650.ppd.gz";
}
];
};
in in
{ lib.mkIf config.sbruder.gui.enable {
options.sbruder.printing = { services = {
server.enable = lib.mkEnableOption "printing server"; printing = {
client.enable = (lib.mkEnableOption "printing client") // { default = config.sbruder.gui.enable; };
};
config = lib.mkMerge [
(lib.mkIf (config.sbruder.printing.client.enable || config.sbruder.printing.server.enable) {
services.printing = {
enable = true; enable = true;
drivers = with pkgs; [ drivers = with pkgs; [
cups-sii-slp-400-600
gutenprint gutenprint
]; ] ++ lib.optional config.sbruder.unfree.allowSoftware (cups-kyocera-ecosys-m552x-p502x.override {
# in Kyocera terms, EU means duplex enabled by default
region = "EU";
});
}; };
}) avahi.enable = true;
(lib.mkIf config.sbruder.printing.server.enable {
services.printing = {
stateless = true;
startWhenNeeded = false; # cups.socket interferes with cups.service (cups.socket binds to IPv4, so cups.service can only bind to IPv6)
listenAddresses = [ "*:631" ];
allowFrom = [ "all" ];
openFirewall = true;
defaultShared = true;
extraConf = ''
ServerAlias fuuko.lan.shinonome-lab.de
'';
}; };
hardware.printers.ensurePrinters = printersPerServer.${config.networking.hostName};
})
(lib.mkIf config.sbruder.printing.client.enable {
services.avahi.enable = true;
hardware.printers.ensurePrinters = [ hardware.printers.ensurePrinters = [
{ {
name = "etikettierviech"; name = "ich_drucke_nicht";
model = "everywhere"; deviceUri = "socket://192.168.178.26";
deviceUri = "ipps://fuuko.lan.shinonome-lab.de:631/printers/etikettierviech"; model = "${gutenprintWithVersion}://bjc-TS3100-series/expert";
description = "SII SLP 650"; }
] ++ lib.optionals config.sbruder.unfree.allowSoftware [
{
name = "elma";
deviceUri = "socket://elma.fritz.box";
model = "Kyocera/Kyocera ECOSYS P5021cdn.PPD";
} }
]; ];
})
];
} }

12
modules/nix.nix
View file

@ -31,6 +31,11 @@ in
nixpkgs-unstable.flake = nixpkgs-unstable; nixpkgs-unstable.flake = nixpkgs-unstable;
}; };
nixPath = [
"nixpkgs-overlays=${overlaysCompat}"
"nixpkgs-unstable=flake:nixpkgs-unstable"
];
settings = { settings = {
# Make sudoers trusted nix users # Make sudoers trusted nix users
trusted-users = [ "@wheel" ]; trusted-users = [ "@wheel" ];
@ -39,13 +44,6 @@ in
auto-optimise-store = true; auto-optimise-store = true;
experimental-features = "nix-command flakes"; experimental-features = "nix-command flakes";
# nix.nixPath does not work when nix.channel.enable == false (for some reason)
nix-path = [
"nixpkgs-overlays=${overlaysCompat}"
"nixpkgs=flake:nixpkgs"
"nixpkgs-unstable=flake:nixpkgs-unstable"
];
} // (lib.optionalAttrs config.sbruder.full { } // (lib.optionalAttrs config.sbruder.full {
# Keep output of derivations with gc root # Keep output of derivations with gc root
keep-outputs = true; keep-outputs = true;

1
modules/podman.nix
View file

@ -12,7 +12,6 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
buildah buildah
passt # required by buildah by default
podman-compose podman-compose
skopeo skopeo
]; ];

4
modules/prometheus/smartctl_exporter.nix
View file

@ -4,9 +4,9 @@
{ config, lib, ... }: { config, lib, ... }:
lib.mkIf (config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm) { {
services.prometheus.exporters.smartctl = { services.prometheus.exporters.smartctl = {
enable = true; enable = config.sbruder.wireguard.home.enable && !config.sbruder.machine.isVm;
listenAddress = config.sbruder.wireguard.home.address; listenAddress = config.sbruder.wireguard.home.address;
# devices need to be specified for all systems that use NVMe # devices need to be specified for all systems that use NVMe
# https://github.com/NixOS/nixpkgs/issues/210041 # https://github.com/NixOS/nixpkgs/issues/210041

1
users/simon/modules/default.nix
View file

@ -24,7 +24,6 @@
./neovim ./neovim
./pass.nix ./pass.nix
./programs.nix ./programs.nix
./rust.nix
./scripts ./scripts
./sway ./sway
./tmate.nix ./tmate.nix

2
users/simon/modules/gpg.nix
View file

@ -20,7 +20,7 @@
enableZshIntegration = true; enableZshIntegration = true;
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable; enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
pinentryPackage = if nixosConfig.sbruder.gui.enable then pkgs.pinentry-qt else pkgs.pinentry-curses; pinentryPackage = if nixosConfig.sbruder.gui.enable then pkgs.pinentry-gnome3 else pkgs.pinentry-curses;
defaultCacheTtl = 300; defaultCacheTtl = 300;
defaultCacheTtlSsh = defaultCacheTtl; defaultCacheTtlSsh = defaultCacheTtl;

3
users/simon/modules/neovim/init.lua
View file

@ -437,9 +437,6 @@ require('nvim-treesitter.configs').setup {
}, },
indent = { indent = {
enable = true, enable = true,
disable = {
'rust', -- broken in macros, annoying with maud
},
}, },
} }

16
users/simon/modules/rust.nix
View file

@ -1,16 +0,0 @@
# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }:
{
home.file.".cargo/config.toml".source = (pkgs.formats.toml { }).generate "cargo-config.toml" {
registry = {
global-credential-providers = lib.singleton "cargo:token-from-stdout ${pkgs.writeShellScript "" ''
set -eu
pass cargo/registry-token/"$(base64 -w0 <<< "''${CARGO_REGISTRY_INDEX_URL}")"
''}";
};
};
}

2
users/simon/modules/youtube-dl.nix
View file

@ -25,10 +25,12 @@ let
in in
{ {
xdg.configFile = { xdg.configFile = {
"youtube-dl/config".text = textConfig;
"yt-dlp/config".text = textConfig; "yt-dlp/config".text = textConfig;
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
youtube-dl
unstable.yt-dlp unstable.yt-dlp
]; ];
} }