nix on git yippee

flake.lock

@@ -0,0 +1,190 @@
+{
+  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1747575206,
+        "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "4835b1dc898959d8547a871ef484930675cb47f1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1745391562,
+        "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1748162331,
+        "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1682134069,
+        "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs_2",
+        "vscode-server": "vscode-server"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "vscode-server": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1729422940,
+        "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-vscode-server",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,40 @@
+# flake.nix
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    vscode-server.url = "github:nix-community/nixos-vscode-server";
+    agenix.url = "github:ryantm/agenix";
+  };
+
+  outputs = { self, nixpkgs, vscode-server, agenix }: {
+    nixosConfigurations = {
+      valefar = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/valefar  # imports configuration.nix automatically
+          
+          # External modules
+          vscode-server.nixosModules.default
+          agenix.nixosModules.default
+          
+          # Global external module config
+          ({ config, pkgs, ... }: {
+            services.vscode-server.enable = true;
+            services.vscode-server.nodejsPackage = pkgs.nodejs_20;
+            environment.systemPackages = [ agenix.packages.x86_64-linux.default ];
+          })
+        ];
+      };
+      
+      # Easy to add more hosts
+      /*server2 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/server2
+          agenix.nixosModules.default
+          # different services for server2
+        ];
+      };*/
+    };
+  };
+}

host-secrets.nix

@@ -0,0 +1,35 @@
+{
+  users.users.garage = {
+    isSystemUser = true;
+    group = "garage";
+    home = "/var/lib/garage";
+    description = "Garage service user";
+  };
+  
+  users.groups.garage = {};
+  
+  age.secrets = {
+    "build-token".file = ./secrets/build-token.age;
+    
+    "garage-rpc-secret" = {
+      file = ./secrets/garage-rpc-secret.age;
+      owner = "garage";
+      group = "garage";
+      mode = "0400";
+    };
+  
+    "garage-admin-token" = {
+      file = ./secrets/garage-admin-token.age;
+      owner = "garage";
+      group = "garage"; 
+      mode = "0400";
+    };
+  
+    "garage-metrics-token" = {
+      file = ./secrets/garage-metrics-token.age;
+      owner = "garage";
+      group = "garage";
+      mode = "0400";
+    };
+  };
+}

hosts/valefar/default.nix

@@ -0,0 +1,33 @@
+# hosts/valefar/configuration.nix (or default.nix)
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    # Host-specific hardware
+    ./hardware.nix
+    ./secrets.nix
+    
+    # Common modules shared across hosts
+    ../../modules/common/system.nix
+    ../../modules/common/users.nix
+    ../../modules/common/services.nix
+    
+    # Services specific to this host
+    ../../services/garage.nix
+    ../../services/forgejo.nix
+
+    # Common secrets
+    ../../host-secrets.nix
+  ];
+
+  # pin host platform & microcode
+  nixpkgs.hostPlatform               = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault
+    config.hardware.enableRedistributableFirmware;
+
+  networking.hostName = "valefar";
+  networking.hostId = "2a07da90";
+  
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.kernelModules = [ "nct6775" "coretemp" ];
+}

hosts/valefar/hardware.nix

@@ -0,0 +1,45 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = { 
+    device = "/dev/disk/by-uuid/17b399da-2210-4493-9ae3-c65b20b992a0";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/6340-211B";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/garage" = {
+    device = "garage";
+    fsType = "zfs";
+  };
+
+  fileSystems."/storage" = {
+    device = "storage";
+    fsType = "zfs";
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+}

hosts/valefar/secrets.nix

@@ -0,0 +1,3 @@
+{
+  
+}

modules/common/services.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+{
+  # system packages + services
+  environment.systemPackages = with pkgs; [
+    vim 
+    wget
+    fastfetch
+    lsof
+    btop
+    git
+    openssl
+    stdenv
+    gnumake
+    parted
+    zfs
+
+    code-server
+  ];
+
+  virtualisation.docker = {
+    enable = true;
+    enableOnBoot = true;
+    package = pkgs.docker.override {
+      buildGoModule = pkgs.buildGo123Module;
+    };
+  };
+
+  services.openssh.enable         = true;
+  services.printing.enable        = true;
+  services.tailscale.enable       = true;
+  services.tailscale.useRoutingFeatures = "both";
+}

modules/common/system.nix

@@ -0,0 +1,51 @@
+{ pkgs, config, ... }:
+{
+  # boot, networking, locale, stateVersion
+  boot.loader.systemd-boot.enable     = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  boot.supportedFilesystems = [ "zfs" ];
+  fileSystems."/boot".options = [ "umask=0077" ];
+
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  
+
+  services.zfs.autoScrub.enable = true;
+  services.zfs.trim.enable = true;
+
+  networking = {
+    firewall.enable = false;
+    firewall.trustedInterfaces = [
+	    "tailscale0"
+    ];
+    nameservers   = [ "192.168.4.3" "1.1.1.1" ];
+    useDHCP       = true;
+    firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002]; 
+  };
+
+  services.resolved = {
+    enable      = true;
+    dnssec      = "true";
+    domains     = [ "~." ];
+    fallbackDns = [ "192.168.4.3" "1.0.0.1#one.one.one.one" ];
+    dnsovertls  = "true";
+  };
+
+  systemd.services.fancontrol = {
+    enable = true;
+    description = "Fan speed control";
+    serviceConfig = {
+      ExecStart = "${pkgs.lm_sensors}/bin/fancontrol";
+      Restart = "always";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  environment.variables.EDITOR = "neovim";
+
+  time.timeZone     = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  system.stateVersion = "24.11";
+}
+

modules/common/users.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+  users.users.regent = {
+    isNormalUser    = true;
+    extraGroups     = [ "docker" "wheel" ];
+    packages        = with pkgs; [ tree ];
+  };
+
+  security.sudo.enable             = true;
+  security.sudo.wheelNeedsPassword = false;
+}
+

secrets/build-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 i9wBeA VasuCf7L03zsABerLELUSNGcI3QLxaE+nvN+5XwLk18
+Vzdd3tKTL3DJpWe1XNRPSt2YhWxATljyBK6bDUiMai4
+-> ssh-ed25519 UbxDgg S0b5rEN5xbcZ12Sjx+gI7cyTyMv/PPoHpzfHVGOlMgA
+Z0n4Qxq8NwQGNpJH8ES90bBt4MuAF/m8V8xNkEWMfPQ
+--- 1mqOAP0OMMkMkWUcCE/cXqjRr/aZuLDcn6HEC9X2hR4
+Mz›_H2шկ̰Fqý~÷Û¸'ÕftTÓ5ŠnþaÛ¯^n¯“^Ç^iï=
c²N¦L(­ÙœBºÐ‚oÂŒìhêO)Š¬u˜eî`4[Mž–uèõnMŸZÉI<13>6Á9¥Ÿ¶"ƒq‘öFñíÚ@!n¿K·,ÃMkl

secrets/garage-admin-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 i9wBeA 7XwEZNaAWzH5QgPXBW/S7HHSAFO0UgFF0MP+o6Z8ymo
+hmw36GBOfv/AvT++JpBNRLydL2j3mASS/JrLROG1ifs
+-> ssh-ed25519 UbxDgg cvcbnv9O2OHt3F4K+0g0ux4sq1MCrZnaLnTNM+5lJho
+efNO6FWLKj1l2eZx4mk8TucMtE12Y3Hf+JHl/FxodSo
+--- I7BjJid4vdH0bN0V6aFnFnq86XQNFO/JJLfD4rqE+9Y
+:<Ä£T›U–ðnÿ¨ÈZnô\Ñ#Ç*ñ<7F>š<EFBFBD>˜Øhý=kôÂã%Ù¨®xëÈK»åd<vÝ"M$»wBÞ#*ŽSÎ{7}f<>C™ 

secrets/garage-metrics-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 i9wBeA FmWklgH5yY/8itKCgiitrzMRCBp64zgOytDLQE2akgk
+sfJIlVzowBTLsIHFDmC+SdTb9Ks6wIMQyY9HfewMpNU
+-> ssh-ed25519 UbxDgg PL+q7o31Gr2dYGZGc/aVdLvDGtB8wVPkMO0MdCXgcDA
+AgjVKXt23x1wYSOWaS+prfsEEpX6BKimR0KGPrG6bko
+--- EvOF9JjHYoml+j3tMDfU09+GfHyMS56ZbqkmTZCQHSw
+Vü”\[´¥Š'ŽŒéÀ±Î+<2B><>î&úb

Œ«T¥ß¯8fo„Êpó<70>ÇÂct)h>¡ñvŠ‡ü½bŽÝÕËCWiÛo`LR‰	êF

secrets/garage-rpc-secret.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 i9wBeA j+jwToOHaeIOAEuPB7qzlJofOVPQO2mI16HspjKSxAM
+XXv1+ZQQSgcPNMVD5PjrSj67+7NWgUbWV3fSWG93r90
+-> ssh-ed25519 UbxDgg DR+Q+abB52OEE1ELl7rSjHT8ObJTD6rY9v94H1YriQQ
+vA31Tw0ItQAgY649sQogIQPvqJppmDYQ4MVPTGerFhE
+--- ttD8bkuH/5MXyipRWBb2UbxIwyFftPki50NP0BiJQok
+	g]¶óS(hýv­üùç¯M<*¡¬*e½”ɉª‰hÅÊ´ՌgyH6ôŽn‘M<E28098>ç<EFBFBD>½¿J2W/‰ýì±áåÙÙ€B߸ؽÏìËUÉ›k*È8¿©E¬!A.&Ç

secrets/secrets.nix

@@ -0,0 +1,14 @@
+let
+  regent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb regent@orobas.local";
+  users = [ regent ];
+
+  valefar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlXq2lSfiWwRwIxsxhffW5FDGmjt0QKYN+BaikmRR71";
+  systems = [ valefar ];
+in
+{
+  #"secret1.age".publicKeys = [ user1 system1 ];
+  "build-token.age".publicKeys = users ++ systems;
+  "garage-rpc-secret.age".publicKeys = users ++ systems;
+  "garage-admin-token.age".publicKeys = users ++ systems;
+  "garage-metrics-token.age".publicKeys = users ++ systems;
+}

services/forgejo.nix

@@ -0,0 +1,29 @@
+{lib, pkgs, config, ...}:
+
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
+{
+  services.forgejo = {
+    enable = true;
+    database = {
+      type = "sqlite3";
+      path = "/var/lib/forgejo/forgejo.db";
+    };
+    lfs.enable = true;
+    settings = {
+      server = {
+        domain = "git.nekomimi.pet";
+        ROOT_URL = "https://git.nekomimi.pet";
+        LANDING_PAGE = "explore";
+        HTTP_PORT = 5000;
+      };
+      # service.DISABLE_REGISTRATION = true; 
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+    };
+  };
+}

services/garage.nix

@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.garage = {
+    enable = true;
+    package = pkgs.garage;
+    settings = {
+      metadata_dir = "/garage/metadata";
+      data_dir = "/garage/data";
+      db_engine = "lmdb";
+      replication_mode = "none";
+      rpc_bind_addr = "[::]:3901";
+      rpc_public_addr = "[::]:3901";
+      rpc_secret_file = config.age.secrets."garage-rpc-secret".path;
+      s3_api = {
+        s3_region = "garage";
+        api_bind_addr = "[::]:3900";
+        root_domain = ".s3.nekomimi.pet";
+      };
+      s3_web = {
+        bind_addr = "[::]:3902";
+        root_domain = ".web.nekomimi.pet";
+        index = "index.html";
+      };
+      admin = {
+        api_bind_addr = "[::]:3903";
+        admin_token_file = config.age.secrets."garage-admin-token".path;
+        metrics_token_file = config.age.secrets."garage-metrics-token".path;
+      };
+    };
+  };
+}

services/github-runners.nix

@@ -0,0 +1,35 @@
+{ lib, pkgs, ... }:
+
+let extraPackages = 
+  let gtar = pkgs.runCommandNoCC "gtar" { } ''
+    mkdir -p $out/bin
+    ln -s ${lib.getExe pkgs.gnutar} $out/bin/gtar
+  '';
+  in
+  with pkgs; [
+    nix
+    nixci
+    cachix
+    coreutils
+    which
+    jq
+    gtar
+    docker
+    curl
+  ];
+
+in
+{
+  services.github-runners = {
+    simplelink = {
+      enable     = true;
+      name       = "simplelink";
+      url        = "https://github.com/waveringana/simplelink";
+      token  = config.age.secrets."build-token".path;
+      user = "regent";
+      group = "docker";
+      extraPackages = extraPackages;
+     };
+  };
+}
+