Fix system builds
This commit is contained in:
parent
0eeabc63b5
commit
3492f871ee
77
flake.lock
77
flake.lock
|
@ -4,7 +4,7 @@
|
|||
"inputs": {
|
||||
"darwin": "darwin",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
"nixos-unstable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
|
@ -62,7 +62,7 @@
|
|||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
"nixpkgs"
|
||||
"nixos-unstable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
|
@ -114,6 +114,38 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"hexa-nur-packages": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1675199516,
|
||||
"narHash": "sha256-U/50T9feHTIXb4E/s43/kgf2QvDsc6I5N4xsNSWKh+M=",
|
||||
"owner": "mweinelt",
|
||||
"repo": "nur-packages",
|
||||
"rev": "c5ee6567584c06af0d7b027fcd858dc03d3a68a4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "mweinelt",
|
||||
"repo": "nur-packages",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1674550793,
|
||||
"narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixos-hardware",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixos-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1675154384,
|
||||
|
@ -130,13 +162,13 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"nixos-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1675115703,
|
||||
"narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=",
|
||||
"lastModified": 1675183161,
|
||||
"narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44",
|
||||
"rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -146,13 +178,29 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1624561540,
|
||||
"narHash": "sha256-izJ2PYZMGMsSkg+e7c9A1x3t/yOLT+qzUM6WQsc2tqo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c6a049a3d32293b24c0f894a840872cf67fd7c11",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixpkgs-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pre-commit-hooks-nix": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-utils": "flake-utils",
|
||||
"gitignore": "gitignore",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
"nixos-unstable"
|
||||
],
|
||||
"nixpkgs-stable": [
|
||||
"nixos-stable"
|
||||
|
@ -176,19 +224,24 @@
|
|||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"flake-parts": "flake-parts",
|
||||
"hexa-nur-packages": "hexa-nur-packages",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixos-stable": "nixos-stable",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixos-unstable": "nixos-unstable",
|
||||
"nixpkgs": [
|
||||
"nixos-unstable"
|
||||
],
|
||||
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
|
||||
"secrets": "secrets"
|
||||
}
|
||||
},
|
||||
"secrets": {
|
||||
"locked": {
|
||||
"lastModified": 1675214458,
|
||||
"narHash": "sha256-79JdedIoZ0QpLSB4m0jlTLXEtVex7LNJuEAun43sHyI=",
|
||||
"lastModified": 1675309422,
|
||||
"narHash": "sha256-Y9v+JaIzUi0dZMjiFobQEbt0Co0eF7Elxf2A+WtagJQ=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "147bf3431575832da87e6a587aca2641f7df0187",
|
||||
"revCount": 166,
|
||||
"rev": "9f9b064b6b8fe2d166bfa6400a94606b0a869726",
|
||||
"revCount": 173,
|
||||
"type": "git",
|
||||
"url": "ssh://git@hera.m-0.eu/config-secrets"
|
||||
},
|
||||
|
|
54
flake.nix
54
flake.nix
|
@ -8,50 +8,34 @@
|
|||
secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets";
|
||||
agenix = {
|
||||
url = "github:ryantm/agenix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.nixpkgs.follows = "nixos-unstable";
|
||||
};
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
nixos-stable.url = "github:nixos/nixpkgs/nixos-22.11";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||
nixpkgs.follows = "nixos-unstable";
|
||||
flake-parts.inputs.nixpkgs-lib.follows = "nixos-unstable";
|
||||
hexa-nur-packages.url = "github:mweinelt/nur-packages";
|
||||
pre-commit-hooks-nix = {
|
||||
url = "github:cachix/pre-commit-hooks.nix";
|
||||
inputs = {
|
||||
nixpkgs-stable.follows = "nixos-stable";
|
||||
nixpkgs.follows = "nixpkgs";
|
||||
nixpkgs.follows = "nixos-unstable";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
outputs = inputs @ {
|
||||
nixpkgs,
|
||||
flake-parts,
|
||||
...
|
||||
}:
|
||||
flake-parts.lib.mkFlake {inherit inputs;} {
|
||||
outputs = inputs @ {nixos-hardware, ...}: let
|
||||
unstable = inputs.nixos-unstable.legacyPackages.x86_64-linux;
|
||||
inherit (import ./packages {pkgs = unstable;}) haskellPackagesOverlay selectHaskellPackages;
|
||||
in
|
||||
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
|
||||
imports = [
|
||||
inputs.pre-commit-hooks-nix.flakeModule
|
||||
];
|
||||
systems = ["x86_64-linux"];
|
||||
flake.nixosConfigurations = {
|
||||
zeus = inputs.nixos-stable.lib.nixosSystem {
|
||||
modules = [
|
||||
(inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
|
||||
./nixos/machines/zeus/configuration.nix
|
||||
inputs.secrets.nixosModules.secrets
|
||||
inputs.agenix.nixosModules.default
|
||||
({pkgs, ...}: {
|
||||
nixpkgs.overlays = [
|
||||
(self: super:
|
||||
{
|
||||
unstable = nixpkgs.legacyPackages.x86_64-linux;
|
||||
nixpkgs-channel = "nixos-stable";
|
||||
home-manager-channel = "home-manager-stable";
|
||||
}
|
||||
// inputs.secrets.private)
|
||||
];
|
||||
})
|
||||
];
|
||||
};
|
||||
flake = {
|
||||
nixosConfigurations = import ./nixos/configurations.nix inputs;
|
||||
overlays.haskellPackages = haskellPackagesOverlay;
|
||||
};
|
||||
perSystem = {
|
||||
self',
|
||||
|
@ -61,9 +45,8 @@
|
|||
lib,
|
||||
...
|
||||
}: let
|
||||
inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
|
||||
hpkgs = pkgs.haskellPackages.override {
|
||||
overrides = haskellPackagesOverlay;
|
||||
overrides = inputs.self.overlays.haskellPackages;
|
||||
};
|
||||
in {
|
||||
devShells.default = hpkgs.shellFor {
|
||||
|
@ -75,8 +58,13 @@
|
|||
inputs'.agenix.packages.default
|
||||
];
|
||||
};
|
||||
checks = {
|
||||
system-checks = pkgs.runCommand "system-checks" {} ''
|
||||
${lib.concatMapStringsSep "\n" (x: "# ${x.config.system.build.toplevel}") (builtins.attrValues inputs.self.nixosConfigurations)}
|
||||
echo success > $out
|
||||
'';
|
||||
};
|
||||
packages = selectHaskellPackages hpkgs;
|
||||
legacyPackages = {inherit haskellPackagesOverlay;};
|
||||
|
||||
pre-commit = {
|
||||
check.enable = true;
|
||||
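Review bot: `hexa-nur-packages.url = "github:mweinelt/nur-packages";` is declared without an `inputs.nixpkgs.follows`, so that input keeps its own nixpkgs pin; judging from the separate `nixpkgs` node the accompanying flake.lock gains (lastModified 1624561540, ref nixpkgs-unstable), that is a mid-2021 snapshot, and the NUR packages the home-assistant role consumes would be built against it rather than the patched tree everything else uses. Adding `hexa-nur-packages.inputs.nixpkgs.follows = "nixos-unstable";` next to the url keeps that input on the same package set, provided the NUR still evaluates against a current nixpkgs. Separately, `outputs = inputs @ {nixos-hardware, ...}: let` binds `nixos-hardware` although the visible lines only go through `inputs.*`; the outputs body continues outside the hunk, so if nothing there uses the bare name the pattern can be reduced to `outputs = inputs: let`.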
|
|
|
@ -1,86 +0,0 @@
|
|||
rec {
|
||||
themes = rec {
|
||||
default = material-light;
|
||||
material-light = rec {
|
||||
# Matches papercolor
|
||||
primary = {
|
||||
foreground = "#2e2e2d";
|
||||
background = "#eaeaea";
|
||||
};
|
||||
normal = {
|
||||
black = "#212121";
|
||||
red = "#b7141f";
|
||||
green = "#457b24";
|
||||
yellow = "#fc7b08";
|
||||
blue = "#134eb2";
|
||||
magenta = "#560088";
|
||||
cyan = "#0e717c";
|
||||
white = "#efefef";
|
||||
};
|
||||
bright = {
|
||||
white = "#bcbcbc";
|
||||
red = "#d70000";
|
||||
green = "#d70087";
|
||||
yellow = "#8700af";
|
||||
blue = "#d75f00";
|
||||
magenta = "#d75f00";
|
||||
cyan = "#005faf";
|
||||
black = "#005f87";
|
||||
};
|
||||
};
|
||||
|
||||
solarized-light = {
|
||||
primary = {
|
||||
foreground = "#586e75";
|
||||
background = "#fdf6e3";
|
||||
};
|
||||
normal = {
|
||||
black = "#073642";
|
||||
red = "#dc322f";
|
||||
green = "#859900";
|
||||
yellow = "#b58900";
|
||||
blue = "#268bd2";
|
||||
magenta = "#d33682";
|
||||
cyan = "#2aa198";
|
||||
white = "#eee8d5";
|
||||
};
|
||||
bright = {
|
||||
black = "#002b36";
|
||||
red = "#cb4b16";
|
||||
green = "#586e75";
|
||||
yellow = "#657b83";
|
||||
blue = "#839496";
|
||||
magenta = "#6c71c4";
|
||||
cyan = "#93a1a1";
|
||||
white = "#fdf6e3";
|
||||
};
|
||||
};
|
||||
|
||||
maralorn-dark = {
|
||||
primary = {
|
||||
foreground = "#dddbff";
|
||||
background = "#000018";
|
||||
};
|
||||
normal = {
|
||||
black = "#000000";
|
||||
red = "#e34b4f";
|
||||
green = "#67b779";
|
||||
yellow = "#ff9c00";
|
||||
blue = "#5c67ff";
|
||||
magenta = "#cb85ff";
|
||||
cyan = "#17d0f4";
|
||||
white = "#dddbff";
|
||||
};
|
||||
bright = {
|
||||
black = "#55508f";
|
||||
red = "#e34b4f";
|
||||
green = "#45b75e";
|
||||
yellow = "#ff9c00";
|
||||
blue = "#5c67ff";
|
||||
magenta = "#cb85ff";
|
||||
cyan = "#17d0f4";
|
||||
white = "#ffffff";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
37
nixos/configurations.nix
Normal file
37
nixos/configurations.nix
Normal file
|
@ -0,0 +1,37 @@
|
|||
flake-inputs: let
|
||||
inherit (flake-inputs.nixos-stable) lib;
|
||||
networkingModule = name: "${flake-inputs.nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||
modules = [
|
||||
# nftables using module not available in 22.11.
|
||||
(networkingModule "firewall-iptables")
|
||||
(networkingModule "firewall-nftables")
|
||||
(networkingModule "firewall")
|
||||
(networkingModule "nat-iptables")
|
||||
(networkingModule "nat-nftables")
|
||||
(networkingModule "nat")
|
||||
(networkingModule "nftables")
|
||||
(_: {
|
||||
disabledModules = [
|
||||
"services/networking/firewall.nix"
|
||||
"services/networking/nftables.nix"
|
||||
"services/networking/nat.nix"
|
||||
"services/networking/redsocks.nix"
|
||||
"services/networking/miniupnpd.nix"
|
||||
"services/audio/roon-server.nix"
|
||||
"services/audio/roon-bridge.nix"
|
||||
];
|
||||
})
|
||||
];
|
||||
makeSystem = name:
|
||||
lib.nixosSystem {
|
||||
modules =
|
||||
[
|
||||
(import (./. + "/machines/${name}/configuration.nix") flake-inputs)
|
||||
flake-inputs.secrets.nixosModules.secrets
|
||||
flake-inputs.agenix.nixosModules.default
|
||||
(_: {config._module.args.flake-inputs = flake-inputs // {inherit modules;};})
|
||||
]
|
||||
++ modules;
|
||||
};
|
||||
in
|
||||
lib.genAttrs ["zeus" "apollo" "hera" "fluffy"] makeSystem
|
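Review bot: The host list on the last line, `lib.genAttrs ["zeus" "apollo" "hera" "fluffy"] makeSystem`, has to be kept in sync by hand with the `machines/` directory that `makeSystem` reads from; a host directory without an entry here silently drops out of `nixosConfigurations` and therefore out of the new `system-checks` check in flake.nix. If every entry under `./machines` is a host directory, `lib.genAttrs (builtins.attrNames (builtins.readDir ./machines)) makeSystem` derives the set from the directory instead. A one-line comment on `networkingModule` noting that these files are borrowed from nixos-unstable and must be kept matching the `disabledModules` list below (and dropped once the hosts move past 22.11) would also help the next reader.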
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
flake-inputs: {
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
|
@ -8,7 +8,7 @@
|
|||
inherit (config.m-0) hosts prefix;
|
||||
inherit ((import ../../../nix/sources.nix)) nixos-hardware;
|
||||
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
|
||||
vpn = (import ../../../private.nix).privateValue (_: _: {}) "vpn";
|
||||
vpn = flake-inputs.secrets.private.privateValue (_: _: {}) "vpn";
|
||||
in {
|
||||
imports = [
|
||||
"${nixos-hardware}/lenovo/thinkpad/t480s"
|
||||
|
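Review bot: `inherit ((import ../../../nix/sources.nix)) nixos-hardware;` in the `let` still resolves nixos-hardware through the niv `nix/sources.nix` pin, while the zeus configuration in this same commit switches to `flake-inputs.nixos-hardware`, so apollo's build keeps depending on the old pin and the two hosts can drift to different nixos-hardware revisions. Since this file now receives `flake-inputs`, the import line `"${nixos-hardware}/lenovo/thinkpad/t480s"` can become `"${flake-inputs.nixos-hardware}/lenovo/thinkpad/t480s"` and the `sources.nix` inherit can go. The `let` block continues outside the hunk, so check it has no other `sources.nix` consumers before removing the line.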
|
|
@ -2,10 +2,12 @@
|
|||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
|
||||
|
||||
imports = [
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
boot = {
|
||||
loader = {
|
||||
efi = {
|
||||
|
@ -41,5 +43,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
nix.settings.max-jobs = lib.mkDefault 8;
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
_: {
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
|
|
|
@ -40,4 +40,5 @@
|
|||
};
|
||||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{pkgs, ...}: {
|
||||
m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
|
||||
m-0.server.initSSHKey = "/var/boot-ssh-key";
|
||||
|
||||
boot = {
|
||||
loader.grub = {
|
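Review bot: `m-0.server.initSSHKey = "/var/boot-ssh-key";` turns the initrd SSH host key from a value supplied by the private set into a bare path on the host, and nothing in this commit creates that file; the later hunk on this page feeds it to `boot.initrd.network.ssh.hostKeys`, which presumably reads the key when the initrd is assembled, so a missing or world-readable file only surfaces at the next rebuild on that host. The reason for a plain path — agenix secrets are decrypted at activation, too late for the initrd — is not stated anywhere and deserves a comment: `# Initrd SSH host key: a root-only file that must exist on this host before a rebuild; it is read when the initrd is built, so it cannot come from agenix.` Confirm the read-time assumption against the initrd ssh module in use before wording it that strongly.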
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
flake-inputs,
|
||||
...
|
||||
}:
|
||||
with lib; let
|
||||
}: let
|
||||
adminCreds =
|
||||
pkgs.privateValue
|
||||
{
|
||||
|
@ -78,7 +78,7 @@ with lib; let
|
|||
privateNetwork = true;
|
||||
hostBridge = "bridge";
|
||||
config = {pkgs, ...}: {
|
||||
imports = [../../roles];
|
||||
imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules;
|
||||
|
||||
networking = {
|
||||
interfaces.eth0 = {
|
||||
|
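Review bot: In the container `config`, `imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules;` hands `flake-inputs` to the roles by calling the module as a function and re-injecting it into its arguments, whereas `makeSystem` in nixos/configurations.nix does the same job by setting `config._module.args.flake-inputs`. The module-args route should be equivalent and also covers anything the roles import further down, so a consistent form would be `imports = [../../roles (_: {config._module.args.flake-inputs = flake-inputs;})] ++ flake-inputs.modules;`. `flake-inputs.modules` here also carries the unstable firewall/nat module files plus the `disabledModules` list into the container, which is worth a short comment saying the container intentionally shares the host's module replacement set.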
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
_: {
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
|
@ -115,8 +115,8 @@ in {
|
|||
group = "nginx";
|
||||
user = "maralorn";
|
||||
openDefaultPorts = true;
|
||||
cert = pkgs.privatePath "syncthing/hera/cert.pem";
|
||||
key = pkgs.privatePath "syncthing/hera/key.pem";
|
||||
cert = config.age.secrets."syncthing/hera/cert.pem".path;
|
||||
key = config.age.secrets."syncthing/hera/key.pem".path;
|
||||
}
|
||||
// syncthing.declarativeWith ["apollo" "zeus" "pegasus"] "/media";
|
||||
};
|
||||
|
@ -133,7 +133,7 @@ in {
|
|||
isNormalUser = true;
|
||||
uid = 1001;
|
||||
extraGroups = ["wheel" "systemd-journal"];
|
||||
passwordFile = pkgs.privatePath "pam-login-password-choreutes";
|
||||
passwordFile = config.age.secrets.pam-login-password-choreutes.path;
|
||||
};
|
||||
ved-backup = {
|
||||
isNormalUser = true;
|
||||
|
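Review bot: `cert = config.age.secrets."syncthing/hera/cert.pem".path;` and `key = config.age.secrets."syncthing/hera/key.pem".path;` are read by the syncthing service, which this block runs as `user = "maralorn"` with `group = "nginx"`; agenix secrets are root-owned and unreadable by other users unless their declaration sets `owner`/`group`/`mode`, and those declarations are not part of this diff. Please verify that `age.secrets."syncthing/hera/key.pem"` (and the cert) declare `owner = "maralorn";`, otherwise the service fails at runtime even though evaluation and build succeed. `passwordFile = config.age.secrets.pam-login-password-choreutes.path;` in the second hunk is consumed during activation as root, so the default permissions should suffice there.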
|
|
@ -5,9 +5,12 @@
|
|||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}: {
|
||||
imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
|
||||
imports = [
|
||||
(modulesPath + "/profiles/qemu-guest.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
|
||||
boot.kernelModules = [];
|
||||
|
@ -26,4 +29,6 @@
|
|||
swapDevices = [{device = "/dev/disk/by-uuid/1e651bde-94b5-4fe2-9e6a-7af916d80057";}];
|
||||
|
||||
nix.settings.max-jobs = lib.mkDefault 4;
|
||||
|
||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||
}
|
||||
|
|
|
@ -13,12 +13,12 @@ in {
|
|||
host = "hera-intern:9113";
|
||||
}
|
||||
];
|
||||
security.acme.certs = lib.mkIf pkgs.withSecrets {
|
||||
security.acme.certs = {
|
||||
"hera.m-0.eu".keyType = "rsa4096";
|
||||
};
|
||||
services = {
|
||||
nginx = {
|
||||
enable = lib.mkForce pkgs.withSecrets;
|
||||
enable = true;
|
||||
virtualHosts =
|
||||
{
|
||||
"tasks.maralorn.de" = {
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
flake-inputs: {
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
|
@ -6,11 +6,11 @@
|
|||
}: let
|
||||
wireguard = import ../../../common/wireguard.nix;
|
||||
inherit (config.m-0) hosts prefix;
|
||||
inherit (import ../../../nix/sources.nix) nixos-hardware;
|
||||
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
|
||||
in {
|
||||
imports = [
|
||||
"${nixos-hardware}/common/gpu/amd/sea-islands"
|
||||
(flake-inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
|
||||
"${flake-inputs.nixos-hardware}/common/gpu/amd/sea-islands"
|
||||
./hardware-configuration.nix
|
||||
../../roles
|
||||
../../roles/admin.nix
|
||||
|
|
|
@ -62,4 +62,5 @@
|
|||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
# high-resolution display
|
||||
hardware.video.hidpi.enable = lib.mkDefault true;
|
||||
nix.settings.max-jobs = lib.mkDefault 12;
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
...
|
||||
}: let
|
||||
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
|
||||
passwordFile = config.age.secrets.pam-login-password.path;
|
||||
passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path;
|
||||
in {
|
||||
users.users = {
|
||||
maralorn = {
|
||||
|
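Review bot: `passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path;` leaves every user that consumes `passwordFile` without any password source on chor-cloud, which, if I remember the users module correctly, NixOS treats as a locked password (key-based SSH via the `openssh.authorizedKeys.keys` line above still works). If that is intended — presumably chor-cloud is the container that is built without the agenix module — say so next to the line: `# chor-cloud has no agenix secrets; password login stays disabled there, SSH keys only.` Keying the exception on the hostname is brittle; a presence check such as `lib.mkIf (config ? age && config.age.secrets ? pam-login-password)` would track the actual availability of the secret, if the `age` option set is indeed absent on that host.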
|
|
@ -5,10 +5,7 @@
|
|||
...
|
||||
}: let
|
||||
fqdn = "${config.networking.hostName}.${config.networking.domain}";
|
||||
key_dir =
|
||||
if pkgs.withSecrets
|
||||
then config.security.acme.certs."${fqdn}".directory
|
||||
else "/dummy-dir/";
|
||||
key_dir = config.security.acme.certs."${fqdn}".directory;
|
||||
in {
|
||||
users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs;
|
||||
networking.firewall = let
|
||||
|
@ -30,7 +27,7 @@ in {
|
|||
allowedTCPPorts = ports;
|
||||
allowedUDPPorts = ports;
|
||||
};
|
||||
security.acme.certs = lib.mkIf pkgs.withSecrets {
|
||||
security.acme.certs = {
|
||||
"${fqdn}".postRun = "systemctl restart coturn.service";
|
||||
};
|
||||
services = {
|
||||
|
|
|
@ -2,30 +2,10 @@
|
|||
pkgs,
|
||||
config,
|
||||
lib,
|
||||
flake-inputs,
|
||||
...
|
||||
}: let
|
||||
inherit (import ../../nix/sources.nix) nixos-unstable;
|
||||
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||
in {
|
||||
# nftables using module not available in 22.11.
|
||||
disabledModules = [
|
||||
"services/networking/firewall.nix"
|
||||
"services/networking/nftables.nix"
|
||||
"services/networking/nat.nix"
|
||||
"services/networking/redsocks.nix"
|
||||
"services/networking/miniupnpd.nix"
|
||||
"services/audio/roon-server.nix"
|
||||
"services/audio/roon-bridge.nix"
|
||||
];
|
||||
|
||||
}: {
|
||||
imports = [
|
||||
(networkingModule "firewall-iptables")
|
||||
(networkingModule "firewall-nftables")
|
||||
(networkingModule "firewall")
|
||||
(networkingModule "nat-iptables")
|
||||
(networkingModule "nat-nftables")
|
||||
(networkingModule "nat")
|
||||
(networkingModule "nftables")
|
||||
../../common
|
||||
./admin.nix
|
||||
];
|
||||
|
@ -37,7 +17,15 @@ in {
|
|||
|
||||
# For nixos-rebuild
|
||||
nixpkgs.overlays =
|
||||
[(_: _: (import ../../channels.nix)."${config.networking.hostName}")]
|
||||
[
|
||||
(_: _:
|
||||
{
|
||||
unstable = flake-inputs.nixos-unstable.legacyPackages.x86_64-linux;
|
||||
nixpkgs-channel = "nixos-stable";
|
||||
home-manager-channel = "home-manager-stable";
|
||||
}
|
||||
// flake-inputs.secrets.private)
|
||||
]
|
||||
++ import ../../overlays {inherit lib;};
|
||||
|
||||
time.timeZone = "Europe/Berlin";
|
||||
|
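Review bot: The overlay in `nixpkgs.overlays` now hard-codes `nixpkgs-channel = "nixos-stable";` and `home-manager-channel = "home-manager-stable";` for every host, where the removed `(import ../../channels.nix)."${config.networking.hostName}"` allowed a per-host choice; since configurations.nix also builds all four hosts with `nixos-stable`'s `lib` this looks deliberate, but a comment stating that all hosts are now on stable would save the next reader from looking for the old per-host table. `unstable = flake-inputs.nixos-unstable.legacyPackages.x86_64-linux;` pins the system string inside an overlay that already has the package set in hand; something like `(final: _: { unstable = flake-inputs.nixos-unstable.legacyPackages.${final.system}; ...` stays correct if a non-x86 host is added. `// flake-inputs.secrets.private` still exposes the whole private attribute set as package attributes (`pkgs.privateValue` and `pkgs.privatePath` are used elsewhere in this commit), so anything still reached through `pkgs.privatePath` is presumably a path inside the fetched `secrets` input, i.e. a store path readable by every local user — which is precisely why the rest of this commit moves secrets to `config.age.secrets.*.path`; a comment here flagging the remaining `privatePath` uses as migration work would keep that visible.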
|
|
@ -1,6 +1,7 @@
|
|||
{
|
||||
pkgs,
|
||||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
services.mysql = {
|
||||
|
@ -18,7 +19,7 @@
|
|||
services = {
|
||||
firefox-syncserver = {
|
||||
enable = true;
|
||||
secrets = pkgs.privatePath "firefox-syncserver-secrets";
|
||||
secrets = config.age.secrets.firefox-syncserver-secrets.path;
|
||||
logLevel = "trace";
|
||||
database = {
|
||||
name = "firefox_syncserver";
|
||||
|
|
|
@ -2,8 +2,10 @@
|
|||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
#flake-inputs,
|
||||
...
|
||||
}: let
|
||||
flake-inputs.secrets = "help";
|
||||
gitoliteCfg = config.services.gitolite;
|
||||
post-update =
|
||||
pkgs.writeHaskellScript
|
||||
|
@ -103,13 +105,13 @@ in {
|
|||
isSystemUser = true;
|
||||
inherit (gitoliteCfg) group;
|
||||
};
|
||||
systemd.services.gitolite-init.postStart = lib.mkIf pkgs.withSecrets ''
|
||||
systemd.services.gitolite-init.postStart = ''
|
||||
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no"
|
||||
dir=$(mktemp -d)
|
||||
cd $dir
|
||||
git clone git@localhost:gitolite-admin
|
||||
cd gitolite-admin
|
||||
cp -r ${../../private/gitolite}/* .
|
||||
cp -r ${flake-inputs.secrets}/gitolite/* .
|
||||
if [[ "$(git status --porcelain)" != "" ]]; then
|
||||
git "config" "user.email" "git@hera.m-0.eu"
|
||||
git "config" "user.name" "git user"
|
||||
|
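Review bot: `flake-inputs.secrets = "help";` in the `let`, together with the commented-out `#flake-inputs,` argument, makes `${flake-inputs.secrets}` in the postStart script interpolate to the literal string `help`, so the new `cp -r ${flake-inputs.secrets}/gitolite/* .` copies from a relative `help/gitolite` inside the freshly cloned gitolite-admin checkout and the sync fails on every start; this reads like a leftover placeholder rather than the intended value. Restoring `flake-inputs,` in the argument set and deleting the `flake-inputs.secrets = "help";` line lets the interpolation resolve to the secrets input's store path, matching what the other hunks in this commit do. Dropping `lib.mkIf pkgs.withSecrets` additionally means this postStart now runs on every host importing the role, so the secrets input must always provide a `gitolite/` directory.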
|
|
@ -1,5 +1,9 @@
|
|||
{pkgs, ...}: let
|
||||
nur = import pkgs.sources.hexa-nur-packages {};
|
||||
{
|
||||
pkgs,
|
||||
flake-inputs,
|
||||
...
|
||||
}: let
|
||||
nur = flake-inputs.hexa-nur-packages.packages.x86_64-linux;
|
||||
|
||||
mkLovelaceModule = name: {
|
||||
url = "custom/${name}.js?${nur.hassLovelaceModules."${name}".version}";
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
in {
|
||||
services.miniflux = {
|
||||
enable = true;
|
||||
adminCredentialsFile = pkgs.privatePath "miniflux-admin-credentials";
|
||||
adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
|
||||
config = {
|
||||
POLLING_FREQUENCY = "525600"; # We don‘t want polling so we set this to a year.
|
||||
BATCH_SIZE = "1000"; # To make sure that all feeds can get refreshed. Default is 100, which is probably fine.
|
||||
|
@ -21,16 +21,17 @@ in {
|
|||
};
|
||||
mastodon-digest = {
|
||||
script = ''
|
||||
ln -fs ${pkgs.privatePath "mastodon-env"} .env
|
||||
now=$(date "+%Y-%m-%d")
|
||||
mkdir -p /var/www/rss/mastodon/$now-home-feed-highlights
|
||||
mkdir -p /var/www/rss/mastodon/$now-read-all-list
|
||||
source $CREDENTIALS_DIRECTORY/mastodon-auth-env
|
||||
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-home-feed-highlights -n 24 -t lax --theme light
|
||||
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-read-all-list -n 24 -t all --theme light -f list:3811
|
||||
${pkgs.logfeed}/bin/mastodon2rss /var/www/rss/mastodon.xml /var/www/rss/mastodon
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
LoadCredential = ["mastodon-auth-env:${config.age.secrets.mastodon-auth-env.path}"];
|
||||
};
|
||||
};
|
||||
refresh-miniflux = {
|
||||
|
@ -40,7 +41,7 @@ in {
|
|||
startAt = "20:00:00";
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
LoadCredential = ["auth-header:${pkgs.privatePath "miniflux-refresh-auth-header"}"];
|
||||
LoadCredential = ["auth-header:${config.age.secrets.miniflux-refresh-auth-header.path}"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
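Review bot: `source $CREDENTIALS_DIRECTORY/mastodon-auth-env` in the mastodon-digest script reads the credential into shell variables, but unless that file spells out `export` on each line those variables are not exported to the `mastodon_digest` process started two lines later; the package hunk further down this page removes the `set -o allexport` / `source .env` / `set +o allexport` sequence that used to do the exporting, so nothing now turns the sourced values into environment. Unless the secret file itself uses `export`, wrap the line: `set -a; source "$CREDENTIALS_DIRECTORY/mastodon-auth-env"; set +a`. Quoting `$CREDENTIALS_DIRECTORY` is also the safer spelling for a path that systemd supplies.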
|
|
@ -11,7 +11,7 @@
|
|||
allow ${config.m-0.prefix}::/64;
|
||||
deny all;
|
||||
'';
|
||||
basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
|
||||
basicAuthFile = config.age.secrets."basic-auth/monitoring".path;
|
||||
};
|
||||
in {
|
||||
imports = [
|
||||
|
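Review bot: `basicAuthFile = config.age.secrets."basic-auth/monitoring".path;` is read by nginx under its own service user, while agenix secrets default to being readable only by root; the declaration of `age.secrets."basic-auth/monitoring"` is not in this diff, so please confirm it sets something like `group = "nginx"; mode = "0440";` — otherwise the virtual host fails at request time even though the build succeeds. The syncthing cert/key paths switched to agenix in the hera configuration hunk of this commit have the same runtime-permission dependency.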
|
|
@ -1,6 +1,10 @@
|
|||
{pkgs, ...}: let
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
stateDirectory = "/var/lib/nixpkgs-bot";
|
||||
config = {
|
||||
configFile = {
|
||||
server = "https://matrix.maralorn.de";
|
||||
database = "${stateDirectory}/state.sqlite";
|
||||
repo = {
|
||||
|
@ -16,11 +20,6 @@
|
|||
"nixpkgs-unstable" = [];
|
||||
"nixos-unstable-small" = ["nixos-unstable"];
|
||||
"nixos-unstable" = [];
|
||||
"staging-22.05" = ["staging-next-22.05"];
|
||||
"staging-next-22.05" = ["release-22.05"];
|
||||
"release-22.05" = ["nixos-22.05-small"];
|
||||
"nixos-22.05-small" = ["nixos-22.05"];
|
||||
"nixos-22.05" = [];
|
||||
"staging-22.11" = ["staging-next-22.11"];
|
||||
"staging-next-22.11" = ["release-22.11"];
|
||||
"release-22.11" = ["nixos-22.11-small"];
|
||||
|
@ -34,9 +33,12 @@ in {
|
|||
description = "nixpkgs-bot";
|
||||
path = [pkgs.git];
|
||||
serviceConfig = {
|
||||
LoadCredential = ["matrix_token:${pkgs.privatePath "nixpkgs-bot/matrix_token"}" "github_token:${pkgs.privatePath "nixpkgs-bot/github_token"}"];
|
||||
LoadCredential = [
|
||||
"matrix_token:${config.age.secrets."nixpkgs-bot/matrix_token".path}"
|
||||
"github_token:${config.age.secrets."nixpkgs-bot/github_token".path}"
|
||||
];
|
||||
WorkingDirectory = "/var/lib/nixpkgs-bot";
|
||||
ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON config)}";
|
||||
ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON configFile)}";
|
||||
DynamicUser = true;
|
||||
StateDirectory = "nixpkgs-bot";
|
||||
};
|
||||
|
|
|
@ -12,7 +12,7 @@ with lib; {
|
|||
network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = pkgs.withSecrets;
|
||||
enable = true;
|
||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||
hostKeys = [config.m-0.server.initSSHKey];
|
||||
};
|
||||
|
|
|
@ -24,10 +24,7 @@ in {
|
|||
name = "mastodon_digest";
|
||||
runtimeInputs = [python-env];
|
||||
text = ''
|
||||
set -o allexport
|
||||
# shellcheck source=/dev/null
|
||||
source .env
|
||||
set +o allexport
|
||||
cd ${patchedSrc} && python run.py "''${@}"
|
||||
'';
|
||||
};
|
||||
|
|
2
private
2
private
|
@ -1 +1 @@
|
|||
Subproject commit 147bf3431575832da87e6a587aca2641f7df0187
|
||||
Subproject commit 9f9b064b6b8fe2d166bfa6400a94606b0a869726
|