
Fix system builds

This commit is contained in:
Malte 2023-02-02 04:58:37 +01:00
parent 0eeabc63b5
commit 3492f871ee
27 changed files with 196 additions and 202 deletions


@ -4,7 +4,7 @@
"inputs": {
"darwin": "darwin",
"nixpkgs": [
"nixpkgs"
"nixos-unstable"
]
},
"locked": {
@ -62,7 +62,7 @@
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"nixpkgs"
"nixos-unstable"
]
},
"locked": {
@ -114,6 +114,38 @@
"type": "github"
}
},
"hexa-nur-packages": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1675199516,
"narHash": "sha256-U/50T9feHTIXb4E/s43/kgf2QvDsc6I5N4xsNSWKh+M=",
"owner": "mweinelt",
"repo": "nur-packages",
"rev": "c5ee6567584c06af0d7b027fcd858dc03d3a68a4",
"type": "github"
},
"original": {
"owner": "mweinelt",
"repo": "nur-packages",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1674550793,
"narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
"type": "github"
},
"original": {
"id": "nixos-hardware",
"type": "indirect"
}
},
"nixos-stable": {
"locked": {
"lastModified": 1675154384,
@ -130,13 +162,13 @@
"type": "github"
}
},
"nixpkgs": {
"nixos-unstable": {
"locked": {
"lastModified": 1675115703,
"narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=",
"lastModified": 1675183161,
"narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44",
"rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
"type": "github"
},
"original": {
@ -146,13 +178,29 @@
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1624561540,
"narHash": "sha256-izJ2PYZMGMsSkg+e7c9A1x3t/yOLT+qzUM6WQsc2tqo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c6a049a3d32293b24c0f894a840872cf67fd7c11",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
"nixos-unstable"
],
"nixpkgs-stable": [
"nixos-stable"
@ -176,19 +224,24 @@
"inputs": {
"agenix": "agenix",
"flake-parts": "flake-parts",
"hexa-nur-packages": "hexa-nur-packages",
"nixos-hardware": "nixos-hardware",
"nixos-stable": "nixos-stable",
"nixpkgs": "nixpkgs",
"nixos-unstable": "nixos-unstable",
"nixpkgs": [
"nixos-unstable"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"secrets": "secrets"
}
},
"secrets": {
"locked": {
"lastModified": 1675214458,
"narHash": "sha256-79JdedIoZ0QpLSB4m0jlTLXEtVex7LNJuEAun43sHyI=",
"lastModified": 1675309422,
"narHash": "sha256-Y9v+JaIzUi0dZMjiFobQEbt0Co0eF7Elxf2A+WtagJQ=",
"ref": "refs/heads/main",
"rev": "147bf3431575832da87e6a587aca2641f7df0187",
"revCount": 166,
"rev": "9f9b064b6b8fe2d166bfa6400a94606b0a869726",
"revCount": 173,
"type": "git",
"url": "ssh://git@hera.m-0.eu/config-secrets"
},


@ -8,50 +8,34 @@
secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets";
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixos-unstable";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-stable.url = "github:nixos/nixpkgs/nixos-22.11";
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
nixpkgs.follows = "nixos-unstable";
flake-parts.inputs.nixpkgs-lib.follows = "nixos-unstable";
hexa-nur-packages.url = "github:mweinelt/nur-packages";
pre-commit-hooks-nix = {
url = "github:cachix/pre-commit-hooks.nix";
inputs = {
nixpkgs-stable.follows = "nixos-stable";
nixpkgs.follows = "nixpkgs";
nixpkgs.follows = "nixos-unstable";
};
};
};
outputs = inputs @ {
nixpkgs,
flake-parts,
...
}:
flake-parts.lib.mkFlake {inherit inputs;} {
outputs = inputs @ {nixos-hardware, ...}: let
unstable = inputs.nixos-unstable.legacyPackages.x86_64-linux;
inherit (import ./packages {pkgs = unstable;}) haskellPackagesOverlay selectHaskellPackages;
in
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
imports = [
inputs.pre-commit-hooks-nix.flakeModule
];
systems = ["x86_64-linux"];
flake.nixosConfigurations = {
zeus = inputs.nixos-stable.lib.nixosSystem {
modules = [
(inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
./nixos/machines/zeus/configuration.nix
inputs.secrets.nixosModules.secrets
inputs.agenix.nixosModules.default
({pkgs, ...}: {
nixpkgs.overlays = [
(self: super:
{
unstable = nixpkgs.legacyPackages.x86_64-linux;
nixpkgs-channel = "nixos-stable";
home-manager-channel = "home-manager-stable";
}
// inputs.secrets.private)
];
})
];
};
flake = {
nixosConfigurations = import ./nixos/configurations.nix inputs;
overlays.haskellPackages = haskellPackagesOverlay;
};
perSystem = {
self',
@ -61,9 +45,8 @@
lib,
...
}: let
inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
hpkgs = pkgs.haskellPackages.override {
overrides = haskellPackagesOverlay;
overrides = inputs.self.overlays.haskellPackages;
};
in {
devShells.default = hpkgs.shellFor {
@ -75,8 +58,13 @@
inputs'.agenix.packages.default
];
};
checks = {
system-checks = pkgs.runCommand "system-checks" {} ''
${lib.concatMapStringsSep "\n" (x: "# ${x.config.system.build.toplevel}") (builtins.attrValues inputs.self.nixosConfigurations)}
echo success > $out
'';
};
packages = selectHaskellPackages hpkgs;
legacyPackages = {inherit haskellPackagesOverlay;};
pre-commit = {
check.enable = true;
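Review bot: `hexa-nur-packages.url = "github:mweinelt/nur-packages";` is added without a `follows` for that flake's own `nixpkgs` input, so the lock file now carries a second, unrelated `nixpkgs` entry for it (`lastModified` 1624561540, rev `c6a049a3d32293b24c0f894a840872cf67fd7c11`, far older than the `nixos-unstable` pin at 1675183161), and everything taken from `hexa-nur-packages.packages.x86_64-linux` is built against that tree. Adding `hexa-nur-packages.inputs.nixpkgs.follows = "nixos-unstable";` beside the url line keeps those packages on the same nixpkgs as the rest of the system and drops the stale lock entry. Separately, `nixos-hardware` is destructured in `outputs` but has no `nixos-hardware.url` in this inputs block, and the lock records it as `"type": "indirect"`, i.e. resolved through the flake registry rather than a source named here; an explicit `nixos-hardware.url = "github:NixOS/nixos-hardware";` pins the origin in the repository itself. The `inputs` attrset starts before this hunk.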


@ -1,86 +0,0 @@
rec {
themes = rec {
default = material-light;
material-light = rec {
# Matches papercolor
primary = {
foreground = "#2e2e2d";
background = "#eaeaea";
};
normal = {
black = "#212121";
red = "#b7141f";
green = "#457b24";
yellow = "#fc7b08";
blue = "#134eb2";
magenta = "#560088";
cyan = "#0e717c";
white = "#efefef";
};
bright = {
white = "#bcbcbc";
red = "#d70000";
green = "#d70087";
yellow = "#8700af";
blue = "#d75f00";
magenta = "#d75f00";
cyan = "#005faf";
black = "#005f87";
};
};
solarized-light = {
primary = {
foreground = "#586e75";
background = "#fdf6e3";
};
normal = {
black = "#073642";
red = "#dc322f";
green = "#859900";
yellow = "#b58900";
blue = "#268bd2";
magenta = "#d33682";
cyan = "#2aa198";
white = "#eee8d5";
};
bright = {
black = "#002b36";
red = "#cb4b16";
green = "#586e75";
yellow = "#657b83";
blue = "#839496";
magenta = "#6c71c4";
cyan = "#93a1a1";
white = "#fdf6e3";
};
};
maralorn-dark = {
primary = {
foreground = "#dddbff";
background = "#000018";
};
normal = {
black = "#000000";
red = "#e34b4f";
green = "#67b779";
yellow = "#ff9c00";
blue = "#5c67ff";
magenta = "#cb85ff";
cyan = "#17d0f4";
white = "#dddbff";
};
bright = {
black = "#55508f";
red = "#e34b4f";
green = "#45b75e";
yellow = "#ff9c00";
blue = "#5c67ff";
magenta = "#cb85ff";
cyan = "#17d0f4";
white = "#ffffff";
};
};
};
}

nixos/configurations.nix Normal file

@ -0,0 +1,37 @@
flake-inputs: let
inherit (flake-inputs.nixos-stable) lib;
networkingModule = name: "${flake-inputs.nixos-unstable}/nixos/modules/services/networking/${name}.nix";
modules = [
# nftables using module not available in 22.11.
(networkingModule "firewall-iptables")
(networkingModule "firewall-nftables")
(networkingModule "firewall")
(networkingModule "nat-iptables")
(networkingModule "nat-nftables")
(networkingModule "nat")
(networkingModule "nftables")
(_: {
disabledModules = [
"services/networking/firewall.nix"
"services/networking/nftables.nix"
"services/networking/nat.nix"
"services/networking/redsocks.nix"
"services/networking/miniupnpd.nix"
"services/audio/roon-server.nix"
"services/audio/roon-bridge.nix"
];
})
];
makeSystem = name:
lib.nixosSystem {
modules =
[
(import (./. + "/machines/${name}/configuration.nix") flake-inputs)
flake-inputs.secrets.nixosModules.secrets
flake-inputs.agenix.nixosModules.default
(_: {config._module.args.flake-inputs = flake-inputs // {inherit modules;};})
]
++ modules;
};
in
lib.genAttrs ["zeus" "apollo" "hera" "fluffy"] makeSystem
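Review bot: The `disabledModules` list disables `redsocks`, `miniupnpd`, `roon-server` and `roon-bridge` alongside the firewall/nat/nftables modules, but the only comment ("nftables using module not available in 22.11.") explains just the latter group; presumably the four extra modules are dropped because they reference options of the replaced firewall module, and that should be written down, e.g. `# These modules reference firewall options that changed between 22.11 and unstable — confirm`. The `flake-inputs // {inherit modules;}` line also deserves a word, since hera's container configuration in this commit reads `flake-inputs.modules` to import the same replacement list: `# expose the replacement list so containers can import it too`. The fixed name list `["zeus" "apollo" "hera" "fluffy"]` is the only place a new machine gets registered, which is worth a comment on that line.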


@ -1,4 +1,4 @@
{
flake-inputs: {
lib,
config,
pkgs,
@ -8,7 +8,7 @@
inherit (config.m-0) hosts prefix;
inherit ((import ../../../nix/sources.nix)) nixos-hardware;
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
vpn = (import ../../../private.nix).privateValue (_: _: {}) "vpn";
vpn = flake-inputs.secrets.private.privateValue (_: _: {}) "vpn";
in {
imports = [
"${nixos-hardware}/lenovo/thinkpad/t480s"
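Review bot: `nixos-hardware` is still inherited from `../../../nix/sources.nix` one line above the `vpn` change, while `"${nixos-hardware}/lenovo/thinkpad/t480s"` is its only visible use and zeus' `configuration.nix` in this same commit switches to `flake-inputs.nixos-hardware`; apollo therefore keeps a second copy of nixos-hardware pinned by the niv sources rather than by `flake.lock`. Replacing the import with `"${flake-inputs.nixos-hardware}/lenovo/thinkpad/t480s"` and dropping the `sources.nix` inherit brings apollo onto the same pin. The `let` block starts before the second hunk.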


@ -2,10 +2,12 @@
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
loader = {
efi = {
@ -41,5 +43,6 @@
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
nix.settings.max-jobs = lib.mkDefault 8;
}


@ -1,4 +1,4 @@
{
_: {
config,
pkgs,
lib,


@ -40,4 +40,5 @@
};
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,5 +1,5 @@
{pkgs, ...}: {
m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
m-0.server.initSSHKey = "/var/boot-ssh-key";
boot = {
loader.grub = {
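Review bot: `m-0.server.initSSHKey = "/var/boot-ssh-key";` swaps a value from `pkgs.privatePath` for a bare path outside the Nix store with nothing saying where that file comes from; the server module passes it on as an initrd SSH host key, and a non-store path there is presumably read from the running host when the bootloader is installed rather than copied into the store, so the key has to be provisioned out of band before the first rebuild of hera with this change. A comment on that line, `# Initrd SSH host key, provisioned by hand on the host; read at bootloader install time, not from the store — confirm`, records the contract. The attrset continues beyond the hunk.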


@ -2,9 +2,9 @@
pkgs,
config,
lib,
flake-inputs,
...
}:
with lib; let
}: let
adminCreds =
pkgs.privateValue
{
@ -78,7 +78,7 @@ with lib; let
privateNetwork = true;
hostBridge = "bridge";
config = {pkgs, ...}: {
imports = [../../roles];
imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules;
networking = {
interfaces.eth0 = {
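Review bot: `imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules;` packs a shim that threads `flake-inputs` into `../../roles` and the `flake-inputs.modules` list onto one line with no hint what the list is; it is the replacement networking module list that `nixos/configurations.nix` attaches to `flake-inputs` in this commit, so the container gets the same unstable nftables firewall as the host. Binding both parts in a `let` with a comment such as `# flake-inputs.modules: unstable networking modules from configurations.nix; roles/ expects flake-inputs as its first argument` would make the intent readable. The `adminCreds` let block and the container definition both start before their hunks.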


@ -1,4 +1,4 @@
{
_: {
config,
pkgs,
lib,
@ -115,8 +115,8 @@ in {
group = "nginx";
user = "maralorn";
openDefaultPorts = true;
cert = pkgs.privatePath "syncthing/hera/cert.pem";
key = pkgs.privatePath "syncthing/hera/key.pem";
cert = config.age.secrets."syncthing/hera/cert.pem".path;
key = config.age.secrets."syncthing/hera/key.pem".path;
}
// syncthing.declarativeWith ["apollo" "zeus" "pegasus"] "/media";
};
@ -133,7 +133,7 @@ in {
isNormalUser = true;
uid = 1001;
extraGroups = ["wheel" "systemd-journal"];
passwordFile = pkgs.privatePath "pam-login-password-choreutes";
passwordFile = config.age.secrets.pam-login-password-choreutes.path;
};
ved-backup = {
isNormalUser = true;
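Review bot: The syncthing `cert`/`key` now point at `config.age.secrets."syncthing/hera/cert.pem".path` and `.../key.pem`, but this syncthing instance runs as `user = "maralorn"` with `group = "nginx"`; agenix decrypts secrets as root with a restrictive mode unless the secret declaration sets `owner`, `group` or `mode`, so unless those two `age.secrets` entries (declared in the secrets module, not part of this diff) name `maralorn` as owner, syncthing will not be able to read them — worth confirming. The `passwordFile` for `choreutes` is read by root during activation and is fine with the defaults. The same ownership check applies to `basicAuthFile = config.age.secrets."basic-auth/monitoring".path;` in the monitoring role, which nginx's worker user has to read. Both hunks sit inside a `let … in {` whose head is outside the diff.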


@ -5,9 +5,12 @@
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
boot.kernelModules = [];
@ -26,4 +29,6 @@
swapDevices = [{device = "/dev/disk/by-uuid/1e651bde-94b5-4fe2-9e6a-7af916d80057";}];
nix.settings.max-jobs = lib.mkDefault 4;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -13,12 +13,12 @@ in {
host = "hera-intern:9113";
}
];
security.acme.certs = lib.mkIf pkgs.withSecrets {
security.acme.certs = {
"hera.m-0.eu".keyType = "rsa4096";
};
services = {
nginx = {
enable = lib.mkForce pkgs.withSecrets;
enable = true;
virtualHosts =
{
"tasks.maralorn.de" = {


@ -1,4 +1,4 @@
{
flake-inputs: {
config,
pkgs,
lib,
@ -6,11 +6,11 @@
}: let
wireguard = import ../../../common/wireguard.nix;
inherit (config.m-0) hosts prefix;
inherit (import ../../../nix/sources.nix) nixos-hardware;
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
in {
imports = [
"${nixos-hardware}/common/gpu/amd/sea-islands"
(flake-inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
"${flake-inputs.nixos-hardware}/common/gpu/amd/sea-islands"
./hardware-configuration.nix
../../roles
../../roles/admin.nix


@ -62,4 +62,5 @@
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
nix.settings.max-jobs = lib.mkDefault 12;
}


@ -5,7 +5,7 @@
...
}: let
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
passwordFile = config.age.secrets.pam-login-password.path;
passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path;
in {
users.users = {
maralorn = {
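Review bot: `passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") ...` special-cases one hostname: on chor-cloud the account ends up with no password file at all (so only the `openssh.authorizedKeys.keys` from `privateValue` give access), and any further host that lacks the secret will fail to evaluate on the missing attribute instead of getting the same treatment. If the rule is "set the password wherever the secret is declared", `passwordFile = lib.mkIf (config.age.secrets ? pam-login-password) config.age.secrets.pam-login-password.path;` says so directly and needs no hostname list; if chor-cloud is excluded for another reason, a comment naming it, e.g. `# chor-cloud has no pam-login-password secret; key-only login there`, belongs on this line. The `let` block starts before the hunk.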


@ -5,10 +5,7 @@
...
}: let
fqdn = "${config.networking.hostName}.${config.networking.domain}";
key_dir =
if pkgs.withSecrets
then config.security.acme.certs."${fqdn}".directory
else "/dummy-dir/";
key_dir = config.security.acme.certs."${fqdn}".directory;
in {
users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs;
networking.firewall = let
@ -30,7 +27,7 @@ in {
allowedTCPPorts = ports;
allowedUDPPorts = ports;
};
security.acme.certs = lib.mkIf pkgs.withSecrets {
security.acme.certs = {
"${fqdn}".postRun = "systemctl restart coturn.service";
};
services = {


@ -2,30 +2,10 @@
pkgs,
config,
lib,
flake-inputs,
...
}: let
inherit (import ../../nix/sources.nix) nixos-unstable;
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
in {
# nftables using module not available in 22.11.
disabledModules = [
"services/networking/firewall.nix"
"services/networking/nftables.nix"
"services/networking/nat.nix"
"services/networking/redsocks.nix"
"services/networking/miniupnpd.nix"
"services/audio/roon-server.nix"
"services/audio/roon-bridge.nix"
];
}: {
imports = [
(networkingModule "firewall-iptables")
(networkingModule "firewall-nftables")
(networkingModule "firewall")
(networkingModule "nat-iptables")
(networkingModule "nat-nftables")
(networkingModule "nat")
(networkingModule "nftables")
../../common
./admin.nix
];
@ -37,7 +17,15 @@ in {
# For nixos-rebuild
nixpkgs.overlays =
[(_: _: (import ../../channels.nix)."${config.networking.hostName}")]
[
(_: _:
{
unstable = flake-inputs.nixos-unstable.legacyPackages.x86_64-linux;
nixpkgs-channel = "nixos-stable";
home-manager-channel = "home-manager-stable";
}
// flake-inputs.secrets.private)
]
++ import ../../overlays {inherit lib;};
time.timeZone = "Europe/Berlin";
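Review bot: The overlay hard-codes `unstable = flake-inputs.nixos-unstable.legacyPackages.x86_64-linux;`, and `flake.nix` in this commit repeats the same literal; with the hardware configurations now setting `nixpkgs.hostPlatform`, `flake-inputs.nixos-unstable.legacyPackages.${config.nixpkgs.hostPlatform.system}` should keep the system in one place (taken from `config` rather than the `pkgs` module argument, since referencing `pkgs` from `nixpkgs.overlays` recurses). The `// flake-inputs.secrets.private` merge splices every attribute of the private secrets set into `pkgs`; a short comment naming what is expected from that set (the `privateValue` helper the other roles call as `pkgs.privateValue`) would tell a reader why an overlay carries it. The `nixpkgs.overlays` assignment is complete in the hunk, but the module's `let` and the rest of the attrset run outside it.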


@ -1,6 +1,7 @@
{
pkgs,
lib,
config,
...
}: {
services.mysql = {
@ -18,7 +19,7 @@
services = {
firefox-syncserver = {
enable = true;
secrets = pkgs.privatePath "firefox-syncserver-secrets";
secrets = config.age.secrets.firefox-syncserver-secrets.path;
logLevel = "trace";
database = {
name = "firefox_syncserver";


@ -2,8 +2,10 @@
config,
pkgs,
lib,
#flake-inputs,
...
}: let
flake-inputs.secrets = "help";
gitoliteCfg = config.services.gitolite;
post-update =
pkgs.writeHaskellScript
@ -103,13 +105,13 @@ in {
isSystemUser = true;
inherit (gitoliteCfg) group;
};
systemd.services.gitolite-init.postStart = lib.mkIf pkgs.withSecrets ''
systemd.services.gitolite-init.postStart = ''
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no"
dir=$(mktemp -d)
cd $dir
git clone git@localhost:gitolite-admin
cd gitolite-admin
cp -r ${../../private/gitolite}/* .
cp -r ${flake-inputs.secrets}/gitolite/* .
if [[ "$(git status --porcelain)" != "" ]]; then
git "config" "user.email" "git@hera.m-0.eu"
git "config" "user.name" "git user"
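Review bot: `flake-inputs.secrets = "help";` in the `let`, together with the commented-out `#flake-inputs,` in the argument set, looks like a debugging stub that was left in: `cp -r ${flake-inputs.secrets}/gitolite/* .` in `postStart` expands to `cp -r help/gitolite/* .` inside the mktemp directory, so the admin repo is never populated and, under the `set -e` NixOS applies to service scripts, gitolite-init's post-start presumably aborts there. Restore `flake-inputs,` in the module arguments and delete the `flake-inputs.secrets = "help";` line so the interpolation resolves to the secrets flake input. The `let` block continues past the first hunk and `postStart` past the second.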


@ -1,5 +1,9 @@
{pkgs, ...}: let
nur = import pkgs.sources.hexa-nur-packages {};
{
pkgs,
flake-inputs,
...
}: let
nur = flake-inputs.hexa-nur-packages.packages.x86_64-linux;
mkLovelaceModule = name: {
url = "custom/${name}.js?${nur.hassLovelaceModules."${name}".version}";


@ -7,7 +7,7 @@
in {
services.miniflux = {
enable = true;
adminCredentialsFile = pkgs.privatePath "miniflux-admin-credentials";
adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
config = {
POLLING_FREQUENCY = "525600"; # We dont want polling so we set this to a year.
BATCH_SIZE = "1000"; # To make sure that all feeds can get refreshed. Default is 100, which is probably fine.
@ -21,16 +21,17 @@ in {
};
mastodon-digest = {
script = ''
ln -fs ${pkgs.privatePath "mastodon-env"} .env
now=$(date "+%Y-%m-%d")
mkdir -p /var/www/rss/mastodon/$now-home-feed-highlights
mkdir -p /var/www/rss/mastodon/$now-read-all-list
source $CREDENTIALS_DIRECTORY/mastodon-auth-env
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-home-feed-highlights -n 24 -t lax --theme light
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-read-all-list -n 24 -t all --theme light -f list:3811
${pkgs.logfeed}/bin/mastodon2rss /var/www/rss/mastodon.xml /var/www/rss/mastodon
'';
serviceConfig = {
Type = "oneshot";
LoadCredential = ["mastodon-auth-env:${config.age.secrets.mastodon-auth-env.path}"];
};
};
refresh-miniflux = {
@ -40,7 +41,7 @@ in {
startAt = "20:00:00";
serviceConfig = {
Type = "oneshot";
LoadCredential = ["auth-header:${pkgs.privatePath "miniflux-refresh-auth-header"}"];
LoadCredential = ["auth-header:${config.age.secrets.miniflux-refresh-auth-header.path}"];
};
};
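Review bot: `source $CREDENTIALS_DIRECTORY/mastodon-auth-env` only defines shell variables in the service script; unless the secret file itself prefixes each line with `export`, nothing reaches the `mastodon_digest` process, and the `set -o allexport` / `set +o allexport` pair that the old `.env` path relied on is removed from the package wrapper in the same commit (the `mastodon_digest` hunk further down). Wrapping the line, `set -o allexport`, `source "$CREDENTIALS_DIRECTORY/mastodon-auth-env"`, `set +o allexport`, restores the export behaviour and also quotes the path. Moving the credentials to `LoadCredential` instead of a symlinked store path is a real improvement; this only concerns how they are handed on. The `mastodon-digest` service attrset starts before the hunk.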
};


@ -11,7 +11,7 @@
allow ${config.m-0.prefix}::/64;
deny all;
'';
basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
basicAuthFile = config.age.secrets."basic-auth/monitoring".path;
};
in {
imports = [


@ -1,6 +1,10 @@
{pkgs, ...}: let
{
pkgs,
config,
...
}: let
stateDirectory = "/var/lib/nixpkgs-bot";
config = {
configFile = {
server = "https://matrix.maralorn.de";
database = "${stateDirectory}/state.sqlite";
repo = {
@ -16,11 +20,6 @@
"nixpkgs-unstable" = [];
"nixos-unstable-small" = ["nixos-unstable"];
"nixos-unstable" = [];
"staging-22.05" = ["staging-next-22.05"];
"staging-next-22.05" = ["release-22.05"];
"release-22.05" = ["nixos-22.05-small"];
"nixos-22.05-small" = ["nixos-22.05"];
"nixos-22.05" = [];
"staging-22.11" = ["staging-next-22.11"];
"staging-next-22.11" = ["release-22.11"];
"release-22.11" = ["nixos-22.11-small"];
@ -34,9 +33,12 @@ in {
description = "nixpkgs-bot";
path = [pkgs.git];
serviceConfig = {
LoadCredential = ["matrix_token:${pkgs.privatePath "nixpkgs-bot/matrix_token"}" "github_token:${pkgs.privatePath "nixpkgs-bot/github_token"}"];
LoadCredential = [
"matrix_token:${config.age.secrets."nixpkgs-bot/matrix_token".path}"
"github_token:${config.age.secrets."nixpkgs-bot/github_token".path}"
];
WorkingDirectory = "/var/lib/nixpkgs-bot";
ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON config)}";
ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON configFile)}";
DynamicUser = true;
StateDirectory = "nixpkgs-bot";
};
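Review bot: `WorkingDirectory = "/var/lib/nixpkgs-bot";` (and `StateDirectory = "nixpkgs-bot"`) repeat the path that `stateDirectory` already names at the top of the `let`; `WorkingDirectory = stateDirectory;` keeps the two from drifting. The rename of the `let` binding to `configFile` is what stops it from shadowing the module's `config` argument, which the new `LoadCredential` lines depend on; a one-line comment on the binding, `# named configFile so it does not shadow the module's config argument`, keeps someone from renaming it back. The `let` spans both hunks.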


@ -12,7 +12,7 @@ with lib; {
network = {
enable = true;
ssh = {
enable = pkgs.withSecrets;
enable = true;
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = [config.m-0.server.initSSHKey];
};
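Review bot: `ssh.enable = true;` replaces the `pkgs.withSecrets` gate, so every host that evaluates this module now requires `m-0.server.initSSHKey` to resolve to an existing host key file, because `hostKeys = [config.m-0.server.initSSHKey];` hands it to what is presumably `boot.initrd.network.ssh`; only hera's `boot.nix` is adjusted in this commit, and whether the other machines set a usable value is not visible here — worth confirming before those hosts are rebuilt. A comment on the `hostKeys` line, `# key file must exist on the host at bootloader-install time; see m-0.server.initSSHKey`, makes the requirement explicit. The `network` attrset continues outside the hunk.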


@ -24,10 +24,7 @@ in {
name = "mastodon_digest";
runtimeInputs = [python-env];
text = ''
set -o allexport
# shellcheck source=/dev/null
source .env
set +o allexport
cd ${patchedSrc} && python run.py "''${@}"
'';
};

@ -1 +1 @@
Subproject commit 147bf3431575832da87e6a587aca2641f7df0187
Subproject commit 9f9b064b6b8fe2d166bfa6400a94606b0a869726