nix on git yippee

This commit is contained in:
waveringana 2025-05-30 01:51:13 -04:00
commit 981186a787
17 changed files with 579 additions and 0 deletions

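--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,190 @@
+{
+"nodes": {
+"agenix": {
+"inputs": {
+"darwin": "darwin",
+"home-manager": "home-manager",
+"nixpkgs": "nixpkgs",
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1747575206,
+"narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
+"owner": "ryantm",
+"repo": "agenix",
+"rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+"type": "github"
+},
+"original": {
+"owner": "ryantm",
+"repo": "agenix",
+"type": "github"
+}
+},
+"darwin": {
+"inputs": {
+"nixpkgs": [
+"agenix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1744478979,
+"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+"owner": "lnl7",
+"repo": "nix-darwin",
+"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+"type": "github"
+},
+"original": {
+"owner": "lnl7",
+"ref": "master",
+"repo": "nix-darwin",
+"type": "github"
+}
+},
+"flake-utils": {
+"inputs": {
+"systems": "systems_2"
+},
+"locked": {
+"lastModified": 1681202837,
+"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"home-manager": {
+"inputs": {
+"nixpkgs": [
+"agenix",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1745494811,
+"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+"owner": "nix-community",
+"repo": "home-manager",
+"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1745391562,
+"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_2": {
+"locked": {
+"lastModified": 1748162331,
+"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"ref": "nixos-25.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_3": {
+"locked": {
+"lastModified": 1682134069,
+"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+"type": "github"
+},
+"original": {
+"id": "nixpkgs",
+"type": "indirect"
+}
+},
+"root": {
+"inputs": {
+"agenix": "agenix",
+"nixpkgs": "nixpkgs_2",
+"vscode-server": "vscode-server"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"systems_2": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"vscode-server": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": "nixpkgs_3"
+},
+"locked": {
+"lastModified": 1729422940,
+"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
+"owner": "nix-community",
+"repo": "nixos-vscode-server",
+"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "nixos-vscode-server",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}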

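--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,40 @@
+# flake.nix
+{
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+vscode-server.url = "github:nix-community/nixos-vscode-server";
+agenix.url = "github:ryantm/agenix";
+};
+outputs = { self, nixpkgs, vscode-server, agenix }: {
+nixosConfigurations = {
+valefar = nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+modules = [
+./hosts/valefar # imports configuration.nix automatically
+# External modules
+vscode-server.nixosModules.default
+agenix.nixosModules.default
+# Global external module config
+({ config, pkgs, ... }: {
+services.vscode-server.enable = true;
+services.vscode-server.nodejsPackage = pkgs.nodejs_20;
+environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
+})
+];
+};
+# Easy to add more hosts
+/*server2 = nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+modules = [
+./hosts/server2
+agenix.nixosModules.default
+# different services for server2
+];
+};*/
+};
+};
+}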
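Review bot: The platform string `"x86_64-linux"` is spelled twice, once for `system` and once in `agenix.packages.x86_64-linux.default`, so a second host on another architecture would silently pull the wrong agenix build. Hoisting it once, `let system = "x86_64-linux"; in` around the `nixosSystem` call and then `agenix.packages.${system}.default`, keeps the two in step. The `vscode-server` and `agenix` inputs are left to follow their own `nixpkgs` (the lock shows three separate nixpkgs revisions), which is fine for a first cut but worth a `inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";` later to avoid evaluating three trees.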

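--- a/host-secrets.nix
+++ b/host-secrets.nix
@@ -0,0 +1,35 @@
+{
+users.users.garage = {
+isSystemUser = true;
+group = "garage";
+home = "/var/lib/garage";
+description = "Garage service user";
+};
+users.groups.garage = {};
+age.secrets = {
+"build-token".file = ./secrets/build-token.age;
+"garage-rpc-secret" = {
+file = ./secrets/garage-rpc-secret.age;
+owner = "garage";
+group = "garage";
+mode = "0400";
+};
+"garage-admin-token" = {
+file = ./secrets/garage-admin-token.age;
+owner = "garage";
+group = "garage";
+mode = "0400";
+};
+"garage-metrics-token" = {
+file = ./secrets/garage-metrics-token.age;
+owner = "garage";
+group = "garage";
+mode = "0400";
+};
+};
+}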
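Review bot: `"build-token".file` sets no `owner`/`group`/`mode`, so unlike the three garage secrets it is decrypted with agenix's defaults (root-owned, `0400`), while the runner that consumes it (the header-less section near the end of this commit) is declared with `user = "regent"`. Whether that works depends on the `services.github-runners` module reading the token file in a root pre-start step rather than as the runner user; confirm that, and if it does not, give the secret `owner = "regent"; mode = "0400";` like the others. A one-line comment above it, `# consumed by services.github-runners.simplelink`, would make the ownership decision reviewable the next time the runner user changes.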

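--- a/hosts/valefar/default.nix
+++ b/hosts/valefar/default.nix
@@ -0,0 +1,33 @@
+# hosts/valefar/configuration.nix (or default.nix)
+{ config, lib, pkgs, modulesPath, ... }:
+{
+imports = [
+# Host-specific hardware
+./hardware.nix
+./secrets.nix
+# Common modules shared across hosts
+../../modules/common/system.nix
+../../modules/common/users.nix
+../../modules/common/services.nix
+# Services specific to this host
+../../services/garage.nix
+../../services/forgejo.nix
+# Common secrets
+../../host-secrets.nix
+];
+# pin host platform & microcode
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.intel.updateMicrocode = lib.mkDefault
+config.hardware.enableRedistributableFirmware;
+networking.hostName = "valefar";
+networking.hostId = "2a07da90";
+boot.supportedFilesystems = [ "zfs" ];
+boot.kernelModules = [ "nct6775" "coretemp" ];
+}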
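Review bot: The header comment names `configuration.nix (or default.nix)` while the file is `hosts/valefar/default.nix` and flake.nix imports the directory; `# hosts/valefar/default.nix — entry point for this host` says what is actually true. `boot.supportedFilesystems = [ "zfs" ]` is also set in modules/common/system.nix, which every host imports, so the copy here is redundant (NixOS merges the lists, so it is harmless but misleading about where ZFS support is decided). The import list includes `./secrets.nix`; the empty `{ }` file in this commit is presumably that file, so a short comment on the import noting it is a placeholder for host-local secrets would save the next reader a lookup.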


@ -0,0 +1,45 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/17b399da-2210-4493-9ae3-c65b20b992a0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/6340-211B";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/garage" = {
device = "garage";
fsType = "zfs";
};
fileSystems."/storage" = {
device = "storage";
fsType = "zfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
}


@ -0,0 +1,3 @@
{
}


@ -0,0 +1,32 @@
{ config, pkgs, ... }:
{
# system packages + services
environment.systemPackages = with pkgs; [
vim
wget
fastfetch
lsof
btop
git
openssl
stdenv
gnumake
parted
zfs
code-server
];
virtualisation.docker = {
enable = true;
enableOnBoot = true;
package = pkgs.docker.override {
buildGoModule = pkgs.buildGo123Module;
};
};
services.openssh.enable = true;
services.printing.enable = true;
services.tailscale.enable = true;
services.tailscale.useRoutingFeatures = "both";
}
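Review bot: `services.openssh.enable = true` is taken with stock settings, which on NixOS leaves password authentication on, and this commit declares no password and no `openssh.authorizedKeys.keys` for `regent` in modules/common/users.nix, so the only intended login path is a key that has to be placed by hand. Turning off the unused mechanisms is two lines: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`. `services.printing.enable = true` on a headless storage/git host adds a CUPS daemon nobody here uses, and `code-server` in `systemPackages` duplicates the `vscode-server` module enabled in flake.nix; both look like carry-overs from a desktop config rather than deliberate choices.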

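--- a/modules/common/system.nix
+++ b/modules/common/system.nix
@@ -0,0 +1,51 @@
+{ pkgs, config, ... }:
+{
+# boot, networking, locale, stateVersion
+boot.loader.systemd-boot.enable = true;
+boot.loader.efi.canTouchEfiVariables = true;
+boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+boot.supportedFilesystems = [ "zfs" ];
+fileSystems."/boot".options = [ "umask=0077" ];
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+services.zfs.autoScrub.enable = true;
+services.zfs.trim.enable = true;
+networking = {
+firewall.enable = false;
+firewall.trustedInterfaces = [
+"tailscale0"
+];
+nameservers = [ "192.168.4.3" "1.1.1.1" ];
+useDHCP = true;
+firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002];
+};
+services.resolved = {
+enable = true;
+dnssec = "true";
+domains = [ "~." ];
+fallbackDns = [ "192.168.4.3" "1.0.0.1#one.one.one.one" ];
+dnsovertls = "true";
+};
+systemd.services.fancontrol = {
+enable = true;
+description = "Fan speed control";
+serviceConfig = {
+ExecStart = "${pkgs.lm_sensors}/bin/fancontrol";
+Restart = "always";
+};
+wantedBy = [ "multi-user.target" ];
+};
+environment.variables.EDITOR = "neovim";
+time.timeZone = "America/New_York";
+i18n.defaultLocale = "en_US.UTF-8";
+system.stateVersion = "24.11";
+}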
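Review bot: `firewall.enable = false` turns the `trustedInterfaces` and `allowedTCPPorts` lines right next to it into no-ops, so every listener in this commit — garage's S3, web, RPC and admin APIs on `[::]:3900`–`3903`, forgejo on 5000, the runner, docker — is reachable on every interface, not just `tailscale0`. Since the allow-list is already written, the fix is the one line `firewall.enable = true;`, plus adding whatever of 3900/3902/5000 is meant to be public; the admin and RPC ports should then stay reachable only via the trusted interface. Separately, `fileSystems."/boot".options = [ "umask=0077" ]` is list-merged with the `fmask=0022`/`dmask=0022` that the generated hardware file also sets on `/boot`, and vfat applies these mount options in order, so the restrictive umask is not guaranteed to win; use `lib.mkForce [ "umask=0077" ]` here or drop the generated pair. `boot.supportedFilesystems = [ "zfs" ]` is repeated in hosts/valefar/default.nix.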

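--- a/modules/common/users.nix
+++ b/modules/common/users.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+users.users.regent = {
+isNormalUser = true;
+extraGroups = [ "docker" "wheel" ];
+packages = with pkgs; [ tree ];
+};
+security.sudo.enable = true;
+security.sudo.wheelNeedsPassword = false;
+}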
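Review bot: `security.sudo.wheelNeedsPassword = false` together with `extraGroups = [ "docker" "wheel" ]` makes `regent` root-equivalent twice over, and the GitHub runner at the end of this commit is declared with `user = "regent"`, so any workflow that repository runs executes with passwordless sudo and the docker socket. A dedicated runner account — `users.users.gh-runner = { isSystemUser = true; group = "gh-runner"; };` and pointing the runner's `user` at it — keeps CI jobs off the admin account; whether it also needs `docker` should be a separate, explicit decision. `regent` has no `openssh.authorizedKeys.keys` here even though its public key is already in secrets/secrets.nix, so declaring it would make the SSH trust reproducible instead of hand-placed.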

7
secrets/build-token.age Normal file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 i9wBeA VasuCf7L03zsABerLELUSNGcI3QLxaE+nvN+5XwLk18
Vzdd3tKTL3DJpWe1XNRPSt2YhWxATljyBK6bDUiMai4
-> ssh-ed25519 UbxDgg S0b5rEN5xbcZ12Sjx+gI7cyTyMv/PPoHpzfHVGOlMgA
Z0n4Qxq8NwQGNpJH8ES90bBt4MuAF/m8V8xNkEWMfPQ
--- 1mqOAP0OMMkMkWUcCE/cXqjRr/aZuLDcn6HEC9X2hR4
Mz_H2шկ̰Fqý~÷Û¸'ÕftTÓ5ŠnþaÛ¯^n¯“^Ç^iï=c²N¦ L(­ÙœBºÐoÂŒìhêO)Ьu˜eî`4[MžuèõnMŸZÉI<13>6Á9¥Ÿ¶"ƒqöFñíÚ@!n¿K·,ÃMkl


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 i9wBeA 7XwEZNaAWzH5QgPXBW/S7HHSAFO0UgFF0MP+o6Z8ymo
hmw36GBOfv/AvT++JpBNRLydL2j3mASS/JrLROG1ifs
-> ssh-ed25519 UbxDgg cvcbnv9O2OHt3F4K+0g0ux4sq1MCrZnaLnTNM+5lJho
efNO6FWLKj1l2eZx4mk8TucMtE12Y3Hf+JHl/FxodSo
--- I7BjJid4vdH0bN0V6aFnFnq86XQNFO/JJLfD4rqE+9Y
:<Ä£TUðnÿ¨ÈZnô\Ñ#Ç*ñ<7F>š<EFBFBD>˜Øhý=kôÂã%Ù¨®xëÈK»åd <vÝ"M$»wBÞ#*ŽSÎ{7}f<>C™ 


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 i9wBeA FmWklgH5yY/8itKCgiitrzMRCBp64zgOytDLQE2akgk
sfJIlVzowBTLsIHFDmC+SdTb9Ks6wIMQyY9HfewMpNU
-> ssh-ed25519 UbxDgg PL+q7o31Gr2dYGZGc/aVdLvDGtB8wVPkMO0MdCXgcDA
AgjVKXt23x1wYSOWaS+prfsEEpX6BKimR0KGPrG6bko
--- EvOF9JjHYoml+j3tMDfU09+GfHyMS56ZbqkmTZCQHSw
Vü”\[´¥Š'ŽŒéÀ±Î+<2B><>î&úb Œ«T¥ß¯8fo„Êpó<70>ÇÂct)h>¡ñvЇü½bŽÝÕËCWiÛo`LR‰ êF


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 i9wBeA j+jwToOHaeIOAEuPB7qzlJofOVPQO2mI16HspjKSxAM
XXv1+ZQQSgcPNMVD5PjrSj67+7NWgUbWV3fSWG93r90
-> ssh-ed25519 UbxDgg DR+Q+abB52OEE1ELl7rSjHT8ObJTD6rY9v94H1YriQQ
vA31Tw0ItQAgY649sQogIQPvqJppmDYQ4MVPTGerFhE
--- ttD8bkuH/5MXyipRWBb2UbxIwyFftPki50NP0BiJQok
g]¶óS(hýv­üùç¯ M<*¡¬*e½”ɉª‰hÅÊ´ՌgyH6ôŽnM<E28098>ç<EFBFBD>½¿J2W/‰ýì±áåÙÙ€B߸ؽÏìËUÉk*È8¿©E¬!A.&Ç

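--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,14 @@
+let
+regent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb regent@orobas.local";
+users = [ regent ];
+valefar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlXq2lSfiWwRwIxsxhffW5FDGmjt0QKYN+BaikmRR71";
+systems = [ valefar ];
+in
+{
+#"secret1.age".publicKeys = [ user1 system1 ];
+"build-token.age".publicKeys = users ++ systems;
+"garage-rpc-secret.age".publicKeys = users ++ systems;
+"garage-admin-token.age".publicKeys = users ++ systems;
+"garage-metrics-token.age".publicKeys = users ++ systems;
+}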

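--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -0,0 +1,29 @@
+{lib, pkgs, config, ...}:
+let
+cfg = config.services.forgejo;
+srv = cfg.settings.server;
+in
+{
+services.forgejo = {
+enable = true;
+database = {
+type = "sqlite3";
+path = "/var/lib/forgejo/forgejo.db";
+};
+lfs.enable = true;
+settings = {
+server = {
+domain = "git.nekomimi.pet";
+ROOT_URL = "https://git.nekomimi.pet";
+LANDING_PAGE = "explore";
+HTTP_PORT = 5000;
+};
+# service.DISABLE_REGISTRATION = true;
+actions = {
+ENABLED = true;
+DEFAULT_ACTIONS_URL = "github";
+};
+};
+};
+}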
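Review bot: `service.DISABLE_REGISTRATION = true` is left commented out while `actions.ENABLED = true` and `ROOT_URL` is a public hostname, so anyone who can reach the instance can create an account and have Actions jobs scheduled for it; uncommenting that one line is the intended default for a personal forge, and if open registration is deliberate it deserves a comment saying so. The `let` bindings `cfg` and `srv` are never used and can be dropped. `ROOT_URL` is `https://` while the service itself listens on plain `HTTP_PORT = 5000` and no reverse proxy appears in this commit, so TLS is presumably terminated elsewhere — a comment naming where would help.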

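--- a/services/garage.nix
+++ b/services/garage.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+{
+services.garage = {
+enable = true;
+package = pkgs.garage;
+settings = {
+metadata_dir = "/garage/metadata";
+data_dir = "/garage/data";
+db_engine = "lmdb";
+replication_mode = "none";
+rpc_bind_addr = "[::]:3901";
+rpc_public_addr = "[::]:3901";
+rpc_secret_file = config.age.secrets."garage-rpc-secret".path;
+s3_api = {
+s3_region = "garage";
+api_bind_addr = "[::]:3900";
+root_domain = ".s3.nekomimi.pet";
+};
+s3_web = {
+bind_addr = "[::]:3902";
+root_domain = ".web.nekomimi.pet";
+index = "index.html";
+};
+admin = {
+api_bind_addr = "[::]:3903";
+admin_token_file = config.age.secrets."garage-admin-token".path;
+metrics_token_file = config.age.secrets."garage-metrics-token".path;
+};
+};
+};
+}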
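Review bot: `admin.api_bind_addr = "[::]:3903"` and `rpc_bind_addr = "[::]:3901"` put the cluster-control surfaces on every interface, and with the host firewall disabled in modules/common/system.nix nothing narrows that; binding them to loopback or the tailscale address, e.g. `api_bind_addr = "127.0.0.1:3903";`, is the safer default for a single node, with metrics scraped over the tunnel if needed. `replication_mode = "none"` is the pre-1.0 spelling; if `pkgs.garage` on nixos-25.05 is a 1.x release the key is `replication_factor = 1` and the old one is at best deprecated — confirm which the packaged version accepts. `rpc_public_addr = "[::]:3901"` is an unspecified address rather than one peers could dial, which is fine only while this stays a single-node deployment.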


@ -0,0 +1,35 @@
{ lib, pkgs, ... }:
let extraPackages =
let gtar = pkgs.runCommandNoCC "gtar" { } ''
mkdir -p $out/bin
ln -s ${lib.getExe pkgs.gnutar} $out/bin/gtar
'';
in
with pkgs; [
nix
nixci
cachix
coreutils
which
jq
gtar
docker
curl
];
in
{
services.github-runners = {
simplelink = {
enable = true;
name = "simplelink";
url = "https://github.com/waveringana/simplelink";
token = config.age.secrets."build-token".path;
user = "regent";
group = "docker";
extraPackages = extraPackages;
};
};
}
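Review bot: `config` is used at `token = config.age.secrets."build-token".path;` but the module's argument set is `{ lib, pkgs, ... }:`, so evaluating this file fails with an undefined variable; the fix is `{ lib, pkgs, config, ... }:`. The error has not surfaced because nothing imports this file yet — hosts/valefar/default.nix lists garage.nix and forgejo.nix but not this one — so either add it to that import list or note it is intentionally unwired. The file has no file header on this page, so its path is not visible here; the `gtar` wrapper built with `runCommandNoCC` would also read better with a one-line comment explaining why the runner needs `gtar` on PATH.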