From 981186a787ff7a664e81f656d8705dae9e8ab573 Mon Sep 17 00:00:00 2001 From: waveringana Date: Fri, 30 May 2025 01:51:13 -0400 Subject: [PATCH] nix on git yippee --- flake.lock | 190 +++++++++++++++++++++++++++++++ flake.nix | 40 +++++++ host-secrets.nix | 35 ++++++ hosts/valefar/default.nix | 33 ++++++ hosts/valefar/hardware.nix | 45 ++++++++ hosts/valefar/secrets.nix | 3 + modules/common/services.nix | 32 ++++++ modules/common/system.nix | 51 +++++++++ modules/common/users.nix | 12 ++ secrets/build-token.age | 7 ++ secrets/garage-admin-token.age | 7 ++ secrets/garage-metrics-token.age | 7 ++ secrets/garage-rpc-secret.age | 7 ++ secrets/secrets.nix | 14 +++ services/forgejo.nix | 29 +++++ services/garage.nix | 32 ++++++ services/github-runners.nix | 35 ++++++ 17 files changed, 579 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 host-secrets.nix create mode 100644 hosts/valefar/default.nix create mode 100644 hosts/valefar/hardware.nix create mode 100644 hosts/valefar/secrets.nix create mode 100644 modules/common/services.nix create mode 100644 modules/common/system.nix create mode 100644 modules/common/users.nix create mode 100644 secrets/build-token.age create mode 100644 secrets/garage-admin-token.age create mode 100644 secrets/garage-metrics-token.age create mode 100644 secrets/garage-rpc-secret.age create mode 100644 secrets/secrets.nix create mode 100644 services/forgejo.nix create mode 100644 services/garage.nix create mode 100644 services/github-runners.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..757a9e3 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,190 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1747575206, + "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "owner": "ryantm", + "repo": "agenix", + "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1745391562, + "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "type": "github" + }, + "original": { + "owner": "NixOS", + 
"ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1748162331, + "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1682134069, + "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fd901ef4bf93499374c5af385b2943f5801c0833", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "nixpkgs": "nixpkgs_2", + "vscode-server": "vscode-server" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "vscode-server": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1729422940, + "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=", + "owner": "nix-community", + "repo": "nixos-vscode-server", + "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-vscode-server", + "type": "github" + } + } + 
},
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..ca0704c
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,40 @@
+# flake.nix
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ vscode-server.url = "github:nix-community/nixos-vscode-server";
+ agenix.url = "github:ryantm/agenix";
+ };
+
+ outputs = { self, nixpkgs, vscode-server, agenix }: {
+ nixosConfigurations = {
+ valefar = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/valefar # imports configuration.nix automatically
+
+ # External modules
+ vscode-server.nixosModules.default
+ agenix.nixosModules.default
+
+ # Global external module config
+ ({ config, pkgs, ... }: {
+ services.vscode-server.enable = true;
+ services.vscode-server.nodejsPackage = pkgs.nodejs_20;
+ environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
+ })
+ ];
+ };
+
+ # Easy to add more hosts
+ /*server2 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/server2
+ agenix.nixosModules.default
+ # different services for server2
+ ];
+ };*/
+ };
+ };
+}
diff --git a/host-secrets.nix b/host-secrets.nix
new file mode 100644
index 0000000..15925d5
--- /dev/null
+++ b/host-secrets.nix
@@ -0,0 +1,35 @@
+{
+ users.users.garage = {
+ isSystemUser = true;
+ group = "garage";
+ home = "/var/lib/garage";
+ description = "Garage service user";
+ };
+
+ users.groups.garage = {};
+
+ age.secrets = {
+ "build-token".file = ./secrets/build-token.age;
+
+ "garage-rpc-secret" = {
+ file = ./secrets/garage-rpc-secret.age;
+ owner = "garage";
+ group = "garage";
+ mode = "0400";
+ };
+
+ "garage-admin-token" = {
+ file = ./secrets/garage-admin-token.age;
+ owner = "garage";
+ group = "garage";
+ mode = "0400";
+ };
+
+ "garage-metrics-token" = {
+ file = ./secrets/garage-metrics-token.age;
+ owner = "garage";
+ group = "garage";
+ mode = "0400";
+ };
+ };
+}
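Review bot: `agenix` and `vscode-server` are declared without `inputs.<name>.inputs.nixpkgs.follows = "nixpkgs"`, so the lock committed alongside carries three separate nixpkgs trees, including `nixpkgs_3`, an `indirect` registry reference locked to an April 2023 revision that `nixos-vscode-server` drags in. Each extra nixpkgs is another tree of package sources and hashes to audit and keep current, and the indirect one depends on the evaluating machine's flake registry rather than on this repository. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `vscode-server.inputs.nixpkgs.follows = "nixpkgs";` to `inputs` and re-lock. Leaving `agenix.url` and `vscode-server.url` without a branch or tag is acceptable only as long as `flake.lock` stays committed, which this patch does.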
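Review bot: `"build-token".file = ./secrets/build-token.age;` sets no `owner`/`mode`, so it takes agenix's defaults (root-owned, 0400 as I recall), while `services/github-runners.nix` in this same commit points a runner configured with `user = "regent"` at this path; whether the runner can read it depends on whether the NixOS github-runners module loads the token as root (systemd credentials) or opens the path as the service user, so confirm that against the module before deploying rather than loosening the mode. The static `garage` user created here is presumably meant to own the three garage secrets, but the NixOS garage module, as far as I recall, runs the daemon under `DynamicUser` by default, in which case a 0400 file owned by a static `garage` user is unreadable by the service and a pre-existing static user of the same name can itself make the unit fail to start — verify which user the module uses and, if needed, set `systemd.services.garage.serviceConfig.DynamicUser = false;` together with `User = "garage";`. A comment tying the user to its consumer would help the next reader, e.g. `# static service user for garage; services/garage.nix must run as this user for the 0400 secrets below to be readable`.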
diff --git a/hosts/valefar/default.nix b/hosts/valefar/default.nix
new file mode 100644
index 0000000..0622b66
--- /dev/null
+++ b/hosts/valefar/default.nix
@@ -0,0 +1,33 @@
+# hosts/valefar/configuration.nix (or default.nix)
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [
+ # Host-specific hardware
+ ./hardware.nix
+ ./secrets.nix
+
+ # Common modules shared across hosts
+ ../../modules/common/system.nix
+ ../../modules/common/users.nix
+ ../../modules/common/services.nix
+
+ # Services specific to this host
+ ../../services/garage.nix
+ ../../services/forgejo.nix
+
+ # Common secrets
+ ../../host-secrets.nix
+ ];
+
+ # pin host platform & microcode
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault
+ config.hardware.enableRedistributableFirmware;
+
+ networking.hostName = "valefar";
+ networking.hostId = "2a07da90";
+
+ boot.supportedFilesystems = [ "zfs" ];
+ boot.kernelModules = [ "nct6775" "coretemp" ];
+}
diff --git a/hosts/valefar/hardware.nix b/hosts/valefar/hardware.nix
new file mode 100644
index 0000000..09b41db
--- /dev/null
+++ b/hosts/valefar/hardware.nix
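Review bot: The `imports` list takes `../../services/garage.nix` and `../../services/forgejo.nix` but not `../../services/github-runners.nix`, which this commit also adds; as written that file would not even evaluate (it uses `config` without declaring it), so if leaving it out is deliberate, say so next to `# Services specific to this host`, e.g. `# github-runners.nix is intentionally not imported yet`, so nobody adds it blindly. `boot.supportedFilesystems = [ "zfs" ];` is also set in `modules/common/system.nix`; the lists merge harmlessly, but one copy is enough. ZFS checks the host id on pool import, so `networking.hostId = "2a07da90";` must never change for this machine — a one-line comment stating that would protect it from a well-meaning edit.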
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/17b399da-2210-4493-9ae3-c65b20b992a0";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/6340-211B";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ fileSystems."/garage" = {
+ device = "garage";
+ fsType = "zfs";
+ };
+
+ fileSystems."/storage" = {
+ device = "storage";
+ fsType = "zfs";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+}
diff --git a/hosts/valefar/secrets.nix b/hosts/valefar/secrets.nix
new file mode 100644
index 0000000..077404a
--- /dev/null
+++ b/hosts/valefar/secrets.nix
@@ -0,0 +1,3 @@
+{
+
+}
\ No newline at end of file
diff --git a/modules/common/services.nix b/modules/common/services.nix
new file mode 100644
index 0000000..b589d96
--- /dev/null
+++ b/modules/common/services.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+{
+ # system packages + services
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ fastfetch
+ lsof
+ btop
+ git
+ openssl
+ stdenv
+ gnumake
+ parted
+ zfs
+
+ code-server
+ ];
+
+ virtualisation.docker = {
+ enable = true;
+ enableOnBoot = true;
+ package = pkgs.docker.override {
+ buildGoModule = pkgs.buildGo123Module;
+ };
+ };
+
+ services.openssh.enable = true;
+ services.printing.enable = true;
+ services.tailscale.enable = true;
+ services.tailscale.useRoutingFeatures = "both";
+}
diff --git a/modules/common/system.nix b/modules/common/system.nix
new file mode 100644
index 0000000..08ae056
--- /dev/null
+++ b/modules/common/system.nix
@@ -0,0 +1,51 @@
+{ pkgs, config, ... }:
+{
+ # boot, networking, locale, stateVersion
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ boot.supportedFilesystems = [ "zfs" ];
+ fileSystems."/boot".options = [ "umask=0077" ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+
+ services.zfs.autoScrub.enable = true;
+ services.zfs.trim.enable = true;
+
+ networking = {
+ firewall.enable = false;
+ firewall.trustedInterfaces = [
+ "tailscale0"
+ ];
+ nameservers = [ "192.168.4.3" "1.1.1.1" ];
+ useDHCP = true;
+ firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002];
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "192.168.4.3" "1.0.0.1#one.one.one.one" ];
+ dnsovertls = "true";
+ };
+
+ systemd.services.fancontrol = {
+ enable = true;
+ description = "Fan speed control";
+ serviceConfig = {
+ ExecStart = "${pkgs.lm_sensors}/bin/fancontrol";
+ Restart = "always";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ environment.variables.EDITOR = "neovim";
+
+ time.timeZone = "America/New_York";
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ system.stateVersion = "24.11";
+}
+
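Review bot: `services.openssh.enable = true;` takes the NixOS defaults, which still permit password authentication, and `modules/common/system.nix` in this same commit disables the firewall, so sshd is reachable on every interface with password logins accepted. The only credentials this repo shows are ssh-ed25519 keys (`secrets/secrets.nix`), so key-only auth costs nothing: add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, and once the firewall is back on, consider `services.openssh.openFirewall = false;` if SSH is meant to arrive over Tailscale only. `services.printing.enable = true;` starts CUPS on what looks like a headless storage/CI host; if nothing prints from it, drop the extra listener. `pkgs.docker.override { buildGoModule = pkgs.buildGo123Module; }` pins a Go toolchain for no stated reason — a comment like `# pinned to Go 1.23 because <reason>` would stop the next person from removing it or from forgetting to lift it.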
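Review bot: `firewall.enable = false;` turns the `trustedInterfaces` and `allowedTCPPorts` lists in the same block into dead configuration, and every listener this commit adds — Garage's S3, web, RPC and admin APIs on `[::]:3900`–`3903` (`services/garage.nix`) and Forgejo on 5000 — is then reachable on all interfaces; the allowlist reads as intent to filter, so set `firewall.enable = true;`, keep `tailscale0` trusted, and leave only the ports that should be public in `allowedTCPPorts`. `2456 2457 9000 9001 9002` match no service in this commit; name what they are for in a comment or remove them. `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` together with `useRoutingFeatures = "both"` makes the box a router for the tailnet, which deserves a why-comment such as `# forwarding needed for tailscale subnet routing / exit node`. `fileSystems."/boot".options = [ "umask=0077" ];` merges with the `fmask=0022 dmask=0022` that `hosts/valefar/hardware.nix` sets on the same mount, and which one the kernel honours depends on the order they land in the mount line — keep a single declaration (edit the generated options, or `lib.mkForce` here) so the ESP's permissions are deterministic.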
diff --git a/modules/common/users.nix b/modules/common/users.nix new file mode 100644 index 0000000..a139985 --- /dev/null +++ b/modules/common/users.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: +{ + users.users.regent = { + isNormalUser = true; + extraGroups = [ "docker" "wheel" ]; + packages = with pkgs; [ tree ]; + }; + + security.sudo.enable = true; + security.sudo.wheelNeedsPassword = false; +} + diff --git a/secrets/build-token.age b/secrets/build-token.age new file mode 100644 index 0000000..b546b01 --- /dev/null +++ b/secrets/build-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 i9wBeA VasuCf7L03zsABerLELUSNGcI3QLxaE+nvN+5XwLk18 +Vzdd3tKTL3DJpWe1XNRPSt2YhWxATljyBK6bDUiMai4 +-> ssh-ed25519 UbxDgg S0b5rEN5xbcZ12Sjx+gI7cyTyMv/PPoHpzfHVGOlMgA +Z0n4Qxq8NwQGNpJH8ES90bBt4MuAF/m8V8xNkEWMfPQ +--- 1mqOAP0OMMkMkWUcCE/cXqjRr/aZuLDcn6HEC9X2hR4 +Mz_H2կ̰Fq~۸'ftT5naۯ^n^^i=cN L(ٜBЂoŒhO)ue`4[MunMZI69"qF@!nK,Mkl \ No newline at end of file diff --git a/secrets/garage-admin-token.age b/secrets/garage-admin-token.age new file mode 100644 index 0000000..2af394f --- /dev/null +++ b/secrets/garage-admin-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 i9wBeA 7XwEZNaAWzH5QgPXBW/S7HHSAFO0UgFF0MP+o6Z8ymo +hmw36GBOfv/AvT++JpBNRLydL2j3mASS/JrLROG1ifs +-> ssh-ed25519 UbxDgg cvcbnv9O2OHt3F4K+0g0ux4sq1MCrZnaLnTNM+5lJho +efNO6FWLKj1l2eZx4mk8TucMtE12Y3Hf+JHl/FxodSo +--- I7BjJid4vdH0bN0V6aFnFnq86XQNFO/JJLfD4rqE+9Y +:<ģTUnZn\#*񐚐h=k%٨xKd ssh-ed25519 i9wBeA FmWklgH5yY/8itKCgiitrzMRCBp64zgOytDLQE2akgk +sfJIlVzowBTLsIHFDmC+SdTb9Ks6wIMQyY9HfewMpNU +-> ssh-ed25519 UbxDgg PL+q7o31Gr2dYGZGc/aVdLvDGtB8wVPkMO0MdCXgcDA +AgjVKXt23x1wYSOWaS+prfsEEpX6BKimR0KGPrG6bko +--- EvOF9JjHYoml+j3tMDfU09+GfHyMS56ZbqkmTZCQHSw +V\['+&b T߯8fopct)h>vbCWio`LR F \ No newline at end of file diff --git a/secrets/garage-rpc-secret.age b/secrets/garage-rpc-secret.age new file mode 100644 index 0000000..bab3102 --- /dev/null +++ b/secrets/garage-rpc-secret.age 
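Review bot: `extraGroups = [ "docker" "wheel" ];` plus `security.sudo.wheelNeedsPassword = false;` makes `regent` root-equivalent twice over (passwordless sudo, and the docker socket), and `services/github-runners.nix` in this commit configures a self-hosted runner for a public repository to run as exactly this account, so any workflow it executes inherits that. Set `security.sudo.wheelNeedsPassword = true;` (the default) unless a specific automation needs otherwise, and keep the runner on its own unprivileged account rather than the interactive one. No `hashedPassword`, `initialPassword` or `openssh.authorizedKeys.keys` is declared, so login has to be provisioned out of band on every rebuild from scratch; the public key `secrets/secrets.nix` already records for `regent@orobas.local` could be declared here, e.g. `openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb regent@orobas.local" ];`, with `users.mutableUsers = false;` if the host is meant to be fully declarative.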
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 i9wBeA j+jwToOHaeIOAEuPB7qzlJofOVPQO2mI16HspjKSxAM
+XXv1+ZQQSgcPNMVD5PjrSj67+7NWgUbWV3fSWG93r90
+-> ssh-ed25519 UbxDgg DR+Q+abB52OEE1ELl7rSjHT8ObJTD6rY9v94H1YriQQ
+vA31Tw0ItQAgY649sQogIQPvqJppmDYQ4MVPTGerFhE
+--- ttD8bkuH/5MXyipRWBb2UbxIwyFftPki50NP0BiJQok
+ g]S(hv M<**eɉh´ՌgyH6nMJ2W/ـB߸ؽUk*8E!A.&
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..46eb378
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,14 @@
+let
+ regent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb regent@orobas.local";
+ users = [ regent ];
+
+ valefar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlXq2lSfiWwRwIxsxhffW5FDGmjt0QKYN+BaikmRR71";
+ systems = [ valefar ];
+in
+{
+ #"secret1.age".publicKeys = [ user1 system1 ];
+ "build-token.age".publicKeys = users ++ systems;
+ "garage-rpc-secret.age".publicKeys = users ++ systems;
+ "garage-admin-token.age".publicKeys = users ++ systems;
+ "garage-metrics-token.age".publicKeys = users ++ systems;
+}
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..2bd55bd
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,29 @@
+{lib, pkgs, config, ...}:
+
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ services.forgejo = {
+ enable = true;
+ database = {
+ type = "sqlite3";
+ path = "/var/lib/forgejo/forgejo.db";
+ };
+ lfs.enable = true;
+ settings = {
+ server = {
+ domain = "git.nekomimi.pet";
+ ROOT_URL = "https://git.nekomimi.pet";
+ LANDING_PAGE = "explore";
+ HTTP_PORT = 5000;
+ };
+ # service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/services/garage.nix b/services/garage.nix
new file mode 100644
index 0000000..bac8f2a
--- /dev/null
+++ b/services/garage.nix
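Review bot: `# service.DISABLE_REGISTRATION = true;` is left commented out, so `git.nekomimi.pet` accepts self-registration from anyone, and with `actions.ENABLED = true` each such account can also author workflows for whatever runner is later registered to this instance; enable it as `service.DISABLE_REGISTRATION = true;` before the first deploy, or state in a comment that open sign-up is intended. `HTTP_PORT = 5000;` next to `ROOT_URL = "https://git.nekomimi.pet"` implies a TLS-terminating reverse proxy that is not part of this commit, and since `modules/common/system.nix` disables the firewall, plaintext Forgejo on 5000 is reachable directly on every interface — if the proxy is local, add `HTTP_ADDR = "127.0.0.1";` (or the Tailscale address). `cfg` and `srv` in the `let` are bound but never used; drop them. The `database.path` and `lfs` settings are fine, but a comment recording that sqlite is a deliberate single-host choice would save the next reader the question.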
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.garage = {
+ enable = true;
+ package = pkgs.garage;
+ settings = {
+ metadata_dir = "/garage/metadata";
+ data_dir = "/garage/data";
+ db_engine = "lmdb";
+ replication_mode = "none";
+ rpc_bind_addr = "[::]:3901";
+ rpc_public_addr = "[::]:3901";
+ rpc_secret_file = config.age.secrets."garage-rpc-secret".path;
+ s3_api = {
+ s3_region = "garage";
+ api_bind_addr = "[::]:3900";
+ root_domain = ".s3.nekomimi.pet";
+ };
+ s3_web = {
+ bind_addr = "[::]:3902";
+ root_domain = ".web.nekomimi.pet";
+ index = "index.html";
+ };
+ admin = {
+ api_bind_addr = "[::]:3903";
+ admin_token_file = config.age.secrets."garage-admin-token".path;
+ metrics_token_file = config.age.secrets."garage-metrics-token".path;
+ };
+ };
+ };
+}
diff --git a/services/github-runners.nix b/services/github-runners.nix
new file mode 100644
index 0000000..6e59b05
--- /dev/null
+++ b/services/github-runners.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, ... }:
+
+let extraPackages =
+ let gtar = pkgs.runCommandNoCC "gtar" { } ''
+ mkdir -p $out/bin
+ ln -s ${lib.getExe pkgs.gnutar} $out/bin/gtar
+ '';
+ in
+ with pkgs; [
+ nix
+ nixci
+ cachix
+ coreutils
+ which
+ jq
+ gtar
+ docker
+ curl
+ ];
+
+in
+{
+ services.github-runners = {
+ simplelink = {
+ enable = true;
+ name = "simplelink";
+ url = "https://github.com/waveringana/simplelink";
+ token = config.age.secrets."build-token".path;
+ user = "regent";
+ group = "docker";
+ extraPackages = extraPackages;
+ };
+ };
+}
+
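Review bot: `admin.api_bind_addr = "[::]:3903";` exposes the Garage admin API (key and bucket management, metrics) on every interface, and `modules/common/system.nix` in this commit disables the firewall, so the admin token alone stands between the network and full control of the store; bind it to loopback or the Tailscale address, e.g. `api_bind_addr = "[::1]:3903";`, and reach it over SSH or the tailnet. `rpc_public_addr = "[::]:3901";` is the address this node advertises to peers, and the unspecified address is not one a peer can connect to — harmless with `replication_mode = "none"` on a single node, but it will break the moment a second node joins, so either put the real address there or leave a comment saying it is a placeholder. `rpc_bind_addr = "[::]:3901";` likewise publishes the cluster RPC port, protected only by the RPC secret while the firewall is off. Newer Garage releases, as I recall, deprecate `replication_mode` in favour of `replication_factor`; check which version `pkgs.garage` resolves to on 25.05 so the setting is not silently ignored.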
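Review bot: `token = config.age.secrets."build-token".path;` uses `config`, but the module's argument set is `{ lib, pkgs, ... }:`, so evaluating this file fails with an undefined-variable error; it goes unnoticed only because `hosts/valefar/default.nix` does not import it. Fix the header to `{ config, lib, pkgs, ... }:`, and check the option name too — the NixOS github-runners module takes the token path as `tokenFile` (I do not believe a `token` option exists), so this should read `tokenFile = config.age.secrets."build-token".path;`. More seriously, `user = "regent"; group = "docker";` runs a runner for a public GitHub repository as the interactive admin account that `modules/common/users.nix` grants passwordless sudo and docker-socket access, so any workflow the repository executes is root on this host — which is why GitHub's own documentation discourages self-hosted runners on public repositories; drop both lines so the module's dedicated unprivileged user is used, and set `ephemeral = true;` so each job starts from a clean runner. If jobs genuinely need Docker, the `docker` group is a root-equivalent grant in itself and deserves an explicit comment recording that acceptance, or a rootless/sandboxed alternative.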