Fix system builds
This commit is contained in:
parent
0eeabc63b5
commit
3492f871ee
77
flake.lock
77
flake.lock
|
@ -4,7 +4,7 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"darwin": "darwin",
|
"darwin": "darwin",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixos-unstable"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -62,7 +62,7 @@
|
||||||
"flake-parts": {
|
"flake-parts": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs-lib": [
|
"nixpkgs-lib": [
|
||||||
"nixpkgs"
|
"nixos-unstable"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -114,6 +114,38 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"hexa-nur-packages": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": "nixpkgs"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1675199516,
|
||||||
|
"narHash": "sha256-U/50T9feHTIXb4E/s43/kgf2QvDsc6I5N4xsNSWKh+M=",
|
||||||
|
"owner": "mweinelt",
|
||||||
|
"repo": "nur-packages",
|
||||||
|
"rev": "c5ee6567584c06af0d7b027fcd858dc03d3a68a4",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "mweinelt",
|
||||||
|
"repo": "nur-packages",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixos-hardware": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1674550793,
|
||||||
|
"narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixos-hardware",
|
||||||
|
"rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nixos-hardware",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixos-stable": {
|
"nixos-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1675154384,
|
"lastModified": 1675154384,
|
||||||
|
@ -130,13 +162,13 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixos-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1675115703,
|
"lastModified": 1675183161,
|
||||||
"narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=",
|
"narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44",
|
"rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -146,13 +178,29 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1624561540,
|
||||||
|
"narHash": "sha256-izJ2PYZMGMsSkg+e7c9A1x3t/yOLT+qzUM6WQsc2tqo=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "c6a049a3d32293b24c0f894a840872cf67fd7c11",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "NixOS",
|
||||||
|
"ref": "nixpkgs-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"pre-commit-hooks-nix": {
|
"pre-commit-hooks-nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat",
|
"flake-compat": "flake-compat",
|
||||||
"flake-utils": "flake-utils",
|
"flake-utils": "flake-utils",
|
||||||
"gitignore": "gitignore",
|
"gitignore": "gitignore",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixos-unstable"
|
||||||
],
|
],
|
||||||
"nixpkgs-stable": [
|
"nixpkgs-stable": [
|
||||||
"nixos-stable"
|
"nixos-stable"
|
||||||
|
@ -176,19 +224,24 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"agenix": "agenix",
|
"agenix": "agenix",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
|
"hexa-nur-packages": "hexa-nur-packages",
|
||||||
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixos-stable": "nixos-stable",
|
"nixos-stable": "nixos-stable",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixos-unstable": "nixos-unstable",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixos-unstable"
|
||||||
|
],
|
||||||
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
|
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
|
||||||
"secrets": "secrets"
|
"secrets": "secrets"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"secrets": {
|
"secrets": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1675214458,
|
"lastModified": 1675309422,
|
||||||
"narHash": "sha256-79JdedIoZ0QpLSB4m0jlTLXEtVex7LNJuEAun43sHyI=",
|
"narHash": "sha256-Y9v+JaIzUi0dZMjiFobQEbt0Co0eF7Elxf2A+WtagJQ=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "147bf3431575832da87e6a587aca2641f7df0187",
|
"rev": "9f9b064b6b8fe2d166bfa6400a94606b0a869726",
|
||||||
"revCount": 166,
|
"revCount": 173,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@hera.m-0.eu/config-secrets"
|
"url": "ssh://git@hera.m-0.eu/config-secrets"
|
||||||
},
|
},
|
||||||
|
|
54
flake.nix
54
flake.nix
|
@ -8,50 +8,34 @@
|
||||||
secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets";
|
secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets";
|
||||||
agenix = {
|
agenix = {
|
||||||
url = "github:ryantm/agenix";
|
url = "github:ryantm/agenix";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixos-unstable";
|
||||||
};
|
};
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
nixos-stable.url = "github:nixos/nixpkgs/nixos-22.11";
|
nixos-stable.url = "github:nixos/nixpkgs/nixos-22.11";
|
||||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
nixpkgs.follows = "nixos-unstable";
|
||||||
|
flake-parts.inputs.nixpkgs-lib.follows = "nixos-unstable";
|
||||||
|
hexa-nur-packages.url = "github:mweinelt/nur-packages";
|
||||||
pre-commit-hooks-nix = {
|
pre-commit-hooks-nix = {
|
||||||
url = "github:cachix/pre-commit-hooks.nix";
|
url = "github:cachix/pre-commit-hooks.nix";
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs-stable.follows = "nixos-stable";
|
nixpkgs-stable.follows = "nixos-stable";
|
||||||
nixpkgs.follows = "nixpkgs";
|
nixpkgs.follows = "nixos-unstable";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs @ {
|
outputs = inputs @ {nixos-hardware, ...}: let
|
||||||
nixpkgs,
|
unstable = inputs.nixos-unstable.legacyPackages.x86_64-linux;
|
||||||
flake-parts,
|
inherit (import ./packages {pkgs = unstable;}) haskellPackagesOverlay selectHaskellPackages;
|
||||||
...
|
in
|
||||||
}:
|
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
|
||||||
flake-parts.lib.mkFlake {inherit inputs;} {
|
|
||||||
imports = [
|
imports = [
|
||||||
inputs.pre-commit-hooks-nix.flakeModule
|
inputs.pre-commit-hooks-nix.flakeModule
|
||||||
];
|
];
|
||||||
systems = ["x86_64-linux"];
|
systems = ["x86_64-linux"];
|
||||||
flake.nixosConfigurations = {
|
flake = {
|
||||||
zeus = inputs.nixos-stable.lib.nixosSystem {
|
nixosConfigurations = import ./nixos/configurations.nix inputs;
|
||||||
modules = [
|
overlays.haskellPackages = haskellPackagesOverlay;
|
||||||
(inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
|
|
||||||
./nixos/machines/zeus/configuration.nix
|
|
||||||
inputs.secrets.nixosModules.secrets
|
|
||||||
inputs.agenix.nixosModules.default
|
|
||||||
({pkgs, ...}: {
|
|
||||||
nixpkgs.overlays = [
|
|
||||||
(self: super:
|
|
||||||
{
|
|
||||||
unstable = nixpkgs.legacyPackages.x86_64-linux;
|
|
||||||
nixpkgs-channel = "nixos-stable";
|
|
||||||
home-manager-channel = "home-manager-stable";
|
|
||||||
}
|
|
||||||
// inputs.secrets.private)
|
|
||||||
];
|
|
||||||
})
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
perSystem = {
|
perSystem = {
|
||||||
self',
|
self',
|
||||||
|
@ -61,9 +45,8 @@
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
|
|
||||||
hpkgs = pkgs.haskellPackages.override {
|
hpkgs = pkgs.haskellPackages.override {
|
||||||
overrides = haskellPackagesOverlay;
|
overrides = inputs.self.overlays.haskellPackages;
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
devShells.default = hpkgs.shellFor {
|
devShells.default = hpkgs.shellFor {
|
||||||
|
@ -75,8 +58,13 @@
|
||||||
inputs'.agenix.packages.default
|
inputs'.agenix.packages.default
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
checks = {
|
||||||
|
system-checks = pkgs.runCommand "system-checks" {} ''
|
||||||
|
${lib.concatMapStringsSep "\n" (x: "# ${x.config.system.build.toplevel}") (builtins.attrValues inputs.self.nixosConfigurations)}
|
||||||
|
echo success > $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
packages = selectHaskellPackages hpkgs;
|
packages = selectHaskellPackages hpkgs;
|
||||||
legacyPackages = {inherit haskellPackagesOverlay;};
|
|
||||||
|
|
||||||
pre-commit = {
|
pre-commit = {
|
||||||
check.enable = true;
|
check.enable = true;
|
||||||
|
|
|
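Review bot: `hexa-nur-packages.url = "github:mweinelt/nur-packages";` is the only non-nixpkgs input in this hunk without an `inputs.nixpkgs.follows = "nixos-unstable";` line, so the lock resolves a private `nixpkgs` node for it (the flake.lock section above records that node at `"lastModified": 1624561540`, a 2021 `nixpkgs-unstable` pin) and everything read from `flake-inputs.hexa-nur-packages.packages.x86_64-linux` in the home-assistant section is built against that stale tree. Adding the follows line next to the url keeps a single nixpkgs in the closure and puts those packages on the same update cadence as the rest. Separately, the lock records nixos-hardware as `"type": "indirect"`, i.e. resolved through the flake registry; if no `nixos-hardware.url` is declared above line 8 of this file, `nixos-hardware.url = "github:NixOS/nixos-hardware";` makes the pin independent of the local registry. In `outputs = inputs @ {nixos-hardware, ...}: let` the destructured `nixos-hardware` is unused within the hunk, so `outputs = inputs: let` reads cleaner.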
@ -1,86 +0,0 @@
|
||||||
rec {
|
|
||||||
themes = rec {
|
|
||||||
default = material-light;
|
|
||||||
material-light = rec {
|
|
||||||
# Matches papercolor
|
|
||||||
primary = {
|
|
||||||
foreground = "#2e2e2d";
|
|
||||||
background = "#eaeaea";
|
|
||||||
};
|
|
||||||
normal = {
|
|
||||||
black = "#212121";
|
|
||||||
red = "#b7141f";
|
|
||||||
green = "#457b24";
|
|
||||||
yellow = "#fc7b08";
|
|
||||||
blue = "#134eb2";
|
|
||||||
magenta = "#560088";
|
|
||||||
cyan = "#0e717c";
|
|
||||||
white = "#efefef";
|
|
||||||
};
|
|
||||||
bright = {
|
|
||||||
white = "#bcbcbc";
|
|
||||||
red = "#d70000";
|
|
||||||
green = "#d70087";
|
|
||||||
yellow = "#8700af";
|
|
||||||
blue = "#d75f00";
|
|
||||||
magenta = "#d75f00";
|
|
||||||
cyan = "#005faf";
|
|
||||||
black = "#005f87";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
solarized-light = {
|
|
||||||
primary = {
|
|
||||||
foreground = "#586e75";
|
|
||||||
background = "#fdf6e3";
|
|
||||||
};
|
|
||||||
normal = {
|
|
||||||
black = "#073642";
|
|
||||||
red = "#dc322f";
|
|
||||||
green = "#859900";
|
|
||||||
yellow = "#b58900";
|
|
||||||
blue = "#268bd2";
|
|
||||||
magenta = "#d33682";
|
|
||||||
cyan = "#2aa198";
|
|
||||||
white = "#eee8d5";
|
|
||||||
};
|
|
||||||
bright = {
|
|
||||||
black = "#002b36";
|
|
||||||
red = "#cb4b16";
|
|
||||||
green = "#586e75";
|
|
||||||
yellow = "#657b83";
|
|
||||||
blue = "#839496";
|
|
||||||
magenta = "#6c71c4";
|
|
||||||
cyan = "#93a1a1";
|
|
||||||
white = "#fdf6e3";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
maralorn-dark = {
|
|
||||||
primary = {
|
|
||||||
foreground = "#dddbff";
|
|
||||||
background = "#000018";
|
|
||||||
};
|
|
||||||
normal = {
|
|
||||||
black = "#000000";
|
|
||||||
red = "#e34b4f";
|
|
||||||
green = "#67b779";
|
|
||||||
yellow = "#ff9c00";
|
|
||||||
blue = "#5c67ff";
|
|
||||||
magenta = "#cb85ff";
|
|
||||||
cyan = "#17d0f4";
|
|
||||||
white = "#dddbff";
|
|
||||||
};
|
|
||||||
bright = {
|
|
||||||
black = "#55508f";
|
|
||||||
red = "#e34b4f";
|
|
||||||
green = "#45b75e";
|
|
||||||
yellow = "#ff9c00";
|
|
||||||
blue = "#5c67ff";
|
|
||||||
magenta = "#cb85ff";
|
|
||||||
cyan = "#17d0f4";
|
|
||||||
white = "#ffffff";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
37
nixos/configurations.nix
Normal file
37
nixos/configurations.nix
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
flake-inputs: let
|
||||||
|
inherit (flake-inputs.nixos-stable) lib;
|
||||||
|
networkingModule = name: "${flake-inputs.nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
||||||
|
modules = [
|
||||||
|
# nftables using module not available in 22.11.
|
||||||
|
(networkingModule "firewall-iptables")
|
||||||
|
(networkingModule "firewall-nftables")
|
||||||
|
(networkingModule "firewall")
|
||||||
|
(networkingModule "nat-iptables")
|
||||||
|
(networkingModule "nat-nftables")
|
||||||
|
(networkingModule "nat")
|
||||||
|
(networkingModule "nftables")
|
||||||
|
(_: {
|
||||||
|
disabledModules = [
|
||||||
|
"services/networking/firewall.nix"
|
||||||
|
"services/networking/nftables.nix"
|
||||||
|
"services/networking/nat.nix"
|
||||||
|
"services/networking/redsocks.nix"
|
||||||
|
"services/networking/miniupnpd.nix"
|
||||||
|
"services/audio/roon-server.nix"
|
||||||
|
"services/audio/roon-bridge.nix"
|
||||||
|
];
|
||||||
|
})
|
||||||
|
];
|
||||||
|
makeSystem = name:
|
||||||
|
lib.nixosSystem {
|
||||||
|
modules =
|
||||||
|
[
|
||||||
|
(import (./. + "/machines/${name}/configuration.nix") flake-inputs)
|
||||||
|
flake-inputs.secrets.nixosModules.secrets
|
||||||
|
flake-inputs.agenix.nixosModules.default
|
||||||
|
(_: {config._module.args.flake-inputs = flake-inputs // {inherit modules;};})
|
||||||
|
]
|
||||||
|
++ modules;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
lib.genAttrs ["zeus" "apollo" "hera" "fluffy"] makeSystem
|
|
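Review bot: `(_: {config._module.args.flake-inputs = flake-inputs // {inherit modules;};})` stores the module list in the inputs attrset under the key `modules`, so a future flake input of that name would be silently shadowed and readers of `flake-inputs.modules` (the hera container config in this commit) cannot tell it is not an input. A separate argument such as `config._module.args.flake-modules = modules;`, or at minimum a comment `# modules is not a flake input: the unstable networking modules, re-exported for nested (container) evaluations`, would make that visible. The comment `# nftables using module not available in 22.11.` explains the seven `networkingModule` imports but not why `redsocks`, `miniupnpd` and the two roon modules are disabled as well; a one-line comment naming the shared dependency would save the next reader a search. `lib.genAttrs ["zeus" "apollo" "hera" "fluffy"] makeSystem` hard-codes the host list while `machines/${name}/configuration.nix` presumably mirrors it — confirm which one is authoritative.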
@ -1,4 +1,4 @@
|
||||||
{
|
flake-inputs: {
|
||||||
lib,
|
lib,
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
@ -8,7 +8,7 @@
|
||||||
inherit (config.m-0) hosts prefix;
|
inherit (config.m-0) hosts prefix;
|
||||||
inherit ((import ../../../nix/sources.nix)) nixos-hardware;
|
inherit ((import ../../../nix/sources.nix)) nixos-hardware;
|
||||||
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
|
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
|
||||||
vpn = (import ../../../private.nix).privateValue (_: _: {}) "vpn";
|
vpn = flake-inputs.secrets.private.privateValue (_: _: {}) "vpn";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
"${nixos-hardware}/lenovo/thinkpad/t480s"
|
"${nixos-hardware}/lenovo/thinkpad/t480s"
|
||||||
|
|
|
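Review bot: `inherit ((import ../../../nix/sources.nix)) nixos-hardware;` is left unchanged while `vpn` on the next line moves to `flake-inputs.secrets`, so this host still resolves nixos-hardware through the niv `sources.nix` pin, whereas the zeus configuration in this commit switches to `"${flake-inputs.nixos-hardware}/..."`. Using `"${flake-inputs.nixos-hardware}/lenovo/thinkpad/t480s"` in the `imports` list and dropping the sources.nix line would keep both hosts on the single locked nixos-hardware revision. The `let` body and the `imports` list continue past the hunk.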
@ -2,10 +2,12 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
|
imports = [
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
boot = {
|
boot = {
|
||||||
loader = {
|
loader = {
|
||||||
efi = {
|
efi = {
|
||||||
|
@ -41,5 +43,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
nix.settings.max-jobs = lib.mkDefault 8;
|
nix.settings.max-jobs = lib.mkDefault 8;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{
|
_: {
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
|
|
@ -40,4 +40,5 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{pkgs, ...}: {
|
{pkgs, ...}: {
|
||||||
m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
|
m-0.server.initSSHKey = "/var/boot-ssh-key";
|
||||||
|
|
||||||
boot = {
|
boot = {
|
||||||
loader.grub = {
|
loader.grub = {
|
||||||
|
|
|
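Review bot: `m-0.server.initSSHKey = "/var/boot-ssh-key";` replaces a `pkgs.privatePath` value with a host-local file, which is the right direction for an initrd host key (a store-derived path would have left the private key in the world-readable Nix store), but nothing documents that the file has to be provisioned out of band. Because `hostKeys = [config.m-0.server.initSSHKey]` in the initrd ssh section later in this commit now applies unconditionally (`enable = true;`), a missing or wrongly-permissioned `/var/boot-ssh-key` presumably surfaces at activation rather than at build time — confirm. A comment such as `# Host-local initrd host key, deliberately kept out of the Nix store; must exist on hera before switching.` next to the assignment would capture that.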
@ -2,9 +2,9 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
flake-inputs,
|
||||||
...
|
...
|
||||||
}:
|
}: let
|
||||||
with lib; let
|
|
||||||
adminCreds =
|
adminCreds =
|
||||||
pkgs.privateValue
|
pkgs.privateValue
|
||||||
{
|
{
|
||||||
|
@ -78,7 +78,7 @@ with lib; let
|
||||||
privateNetwork = true;
|
privateNetwork = true;
|
||||||
hostBridge = "bridge";
|
hostBridge = "bridge";
|
||||||
config = {pkgs, ...}: {
|
config = {pkgs, ...}: {
|
||||||
imports = [../../roles];
|
imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules;
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
interfaces.eth0 = {
|
interfaces.eth0 = {
|
||||||
|
|
|
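Review bot: `imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules;` binds `pkgs` only to ignore it; `(args: import ../../roles (args // {inherit flake-inputs;}))` is the same function without the unused pattern. The first hunk also removes `with lib;` from the file head while the `@ -78,7 +78,7 @@ with lib; let` context shows later code was written under it, so any unqualified lib name elsewhere in the file (outside these hunks) would now fail to evaluate — worth a full evaluation of hera before merging. The enclosing `let` and the container definition both extend beyond the hunks shown.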
@ -1,4 +1,4 @@
|
||||||
{
|
_: {
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
@ -115,8 +115,8 @@ in {
|
||||||
group = "nginx";
|
group = "nginx";
|
||||||
user = "maralorn";
|
user = "maralorn";
|
||||||
openDefaultPorts = true;
|
openDefaultPorts = true;
|
||||||
cert = pkgs.privatePath "syncthing/hera/cert.pem";
|
cert = config.age.secrets."syncthing/hera/cert.pem".path;
|
||||||
key = pkgs.privatePath "syncthing/hera/key.pem";
|
key = config.age.secrets."syncthing/hera/key.pem".path;
|
||||||
}
|
}
|
||||||
// syncthing.declarativeWith ["apollo" "zeus" "pegasus"] "/media";
|
// syncthing.declarativeWith ["apollo" "zeus" "pegasus"] "/media";
|
||||||
};
|
};
|
||||||
|
@ -133,7 +133,7 @@ in {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
uid = 1001;
|
uid = 1001;
|
||||||
extraGroups = ["wheel" "systemd-journal"];
|
extraGroups = ["wheel" "systemd-journal"];
|
||||||
passwordFile = pkgs.privatePath "pam-login-password-choreutes";
|
passwordFile = config.age.secrets.pam-login-password-choreutes.path;
|
||||||
};
|
};
|
||||||
ved-backup = {
|
ved-backup = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
|
|
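Review bot: `cert = config.age.secrets."syncthing/hera/cert.pem".path;` and the `key` line below it are consumed by a syncthing instance that runs as `user = "maralorn";` with `group = "nginx";`, so the corresponding `age.secrets` declarations (outside this diff, presumably in the secrets flake module) need an `owner`, `group` or `mode` that lets that user read them — agenix's default is root-owned, mode 0400. The same check applies to `basicAuthFile = config.age.secrets."basic-auth/monitoring".path;` in the monitoring section (read by nginx workers) and to `secrets = config.age.secrets.firefox-syncserver-secrets.path;` in the firefox-syncserver section; `passwordFile` in the next hunk is read by root and is fine. Naming the reader in the secret definition is preferable to loosening the file mode globally.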
@ -5,9 +5,12 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
modulesPath,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
|
imports = [
|
||||||
|
(modulesPath + "/profiles/qemu-guest.nix")
|
||||||
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
|
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"];
|
||||||
boot.kernelModules = [];
|
boot.kernelModules = [];
|
||||||
|
@ -26,4 +29,6 @@
|
||||||
swapDevices = [{device = "/dev/disk/by-uuid/1e651bde-94b5-4fe2-9e6a-7af916d80057";}];
|
swapDevices = [{device = "/dev/disk/by-uuid/1e651bde-94b5-4fe2-9e6a-7af916d80057";}];
|
||||||
|
|
||||||
nix.settings.max-jobs = lib.mkDefault 4;
|
nix.settings.max-jobs = lib.mkDefault 4;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
}
|
}
|
||||||
|
|
|
@ -13,12 +13,12 @@ in {
|
||||||
host = "hera-intern:9113";
|
host = "hera-intern:9113";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
security.acme.certs = lib.mkIf pkgs.withSecrets {
|
security.acme.certs = {
|
||||||
"hera.m-0.eu".keyType = "rsa4096";
|
"hera.m-0.eu".keyType = "rsa4096";
|
||||||
};
|
};
|
||||||
services = {
|
services = {
|
||||||
nginx = {
|
nginx = {
|
||||||
enable = lib.mkForce pkgs.withSecrets;
|
enable = true;
|
||||||
virtualHosts =
|
virtualHosts =
|
||||||
{
|
{
|
||||||
"tasks.maralorn.de" = {
|
"tasks.maralorn.de" = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{
|
flake-inputs: {
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
@ -6,11 +6,11 @@
|
||||||
}: let
|
}: let
|
||||||
wireguard = import ../../../common/wireguard.nix;
|
wireguard = import ../../../common/wireguard.nix;
|
||||||
inherit (config.m-0) hosts prefix;
|
inherit (config.m-0) hosts prefix;
|
||||||
inherit (import ../../../nix/sources.nix) nixos-hardware;
|
|
||||||
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
|
inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
"${nixos-hardware}/common/gpu/amd/sea-islands"
|
(flake-inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus")
|
||||||
|
"${flake-inputs.nixos-hardware}/common/gpu/amd/sea-islands"
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
../../roles
|
../../roles
|
||||||
../../roles/admin.nix
|
../../roles/admin.nix
|
||||||
|
|
|
@ -62,4 +62,5 @@
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
# high-resolution display
|
# high-resolution display
|
||||||
hardware.video.hidpi.enable = lib.mkDefault true;
|
hardware.video.hidpi.enable = lib.mkDefault true;
|
||||||
|
nix.settings.max-jobs = lib.mkDefault 12;
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
|
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
|
||||||
passwordFile = config.age.secrets.pam-login-password.path;
|
passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path;
|
||||||
in {
|
in {
|
||||||
users.users = {
|
users.users = {
|
||||||
maralorn = {
|
maralorn = {
|
||||||
|
|
|
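Review bot: `passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path;` encodes a host exception with no explanation, and since this `let` binding is presumably reused for several `users.users` entries below the hunk, a reader cannot tell whether chor-cloud intentionally gets key-only accounts or merely lacks the secret. A comment along the lines of `# chor-cloud has no agenix secrets; leave the account password-less there (SSH keys only)` should accompany it, adjusted to the actual reason. On that host `openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";` then becomes the only login path, and its `[]` fallback would mean a locked-out account rather than an open one, which is the safe failure mode.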
@ -5,10 +5,7 @@
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
fqdn = "${config.networking.hostName}.${config.networking.domain}";
|
fqdn = "${config.networking.hostName}.${config.networking.domain}";
|
||||||
key_dir =
|
key_dir = config.security.acme.certs."${fqdn}".directory;
|
||||||
if pkgs.withSecrets
|
|
||||||
then config.security.acme.certs."${fqdn}".directory
|
|
||||||
else "/dummy-dir/";
|
|
||||||
in {
|
in {
|
||||||
users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs;
|
users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs;
|
||||||
networking.firewall = let
|
networking.firewall = let
|
||||||
|
@ -30,7 +27,7 @@ in {
|
||||||
allowedTCPPorts = ports;
|
allowedTCPPorts = ports;
|
||||||
allowedUDPPorts = ports;
|
allowedUDPPorts = ports;
|
||||||
};
|
};
|
||||||
security.acme.certs = lib.mkIf pkgs.withSecrets {
|
security.acme.certs = {
|
||||||
"${fqdn}".postRun = "systemctl restart coturn.service";
|
"${fqdn}".postRun = "systemctl restart coturn.service";
|
||||||
};
|
};
|
||||||
services = {
|
services = {
|
||||||
|
|
|
@ -2,30 +2,10 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
flake-inputs,
|
||||||
...
|
...
|
||||||
}: let
|
}: {
|
||||||
inherit (import ../../nix/sources.nix) nixos-unstable;
|
|
||||||
networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
|
|
||||||
in {
|
|
||||||
# nftables using module not available in 22.11.
|
|
||||||
disabledModules = [
|
|
||||||
"services/networking/firewall.nix"
|
|
||||||
"services/networking/nftables.nix"
|
|
||||||
"services/networking/nat.nix"
|
|
||||||
"services/networking/redsocks.nix"
|
|
||||||
"services/networking/miniupnpd.nix"
|
|
||||||
"services/audio/roon-server.nix"
|
|
||||||
"services/audio/roon-bridge.nix"
|
|
||||||
];
|
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
(networkingModule "firewall-iptables")
|
|
||||||
(networkingModule "firewall-nftables")
|
|
||||||
(networkingModule "firewall")
|
|
||||||
(networkingModule "nat-iptables")
|
|
||||||
(networkingModule "nat-nftables")
|
|
||||||
(networkingModule "nat")
|
|
||||||
(networkingModule "nftables")
|
|
||||||
../../common
|
../../common
|
||||||
./admin.nix
|
./admin.nix
|
||||||
];
|
];
|
||||||
|
@ -37,7 +17,15 @@ in {
|
||||||
|
|
||||||
# For nixos-rebuild
|
# For nixos-rebuild
|
||||||
nixpkgs.overlays =
|
nixpkgs.overlays =
|
||||||
[(_: _: (import ../../channels.nix)."${config.networking.hostName}")]
|
[
|
||||||
|
(_: _:
|
||||||
|
{
|
||||||
|
unstable = flake-inputs.nixos-unstable.legacyPackages.x86_64-linux;
|
||||||
|
nixpkgs-channel = "nixos-stable";
|
||||||
|
home-manager-channel = "home-manager-stable";
|
||||||
|
}
|
||||||
|
// flake-inputs.secrets.private)
|
||||||
|
]
|
||||||
++ import ../../overlays {inherit lib;};
|
++ import ../../overlays {inherit lib;};
|
||||||
|
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
config,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
services.mysql = {
|
services.mysql = {
|
||||||
|
@ -18,7 +19,7 @@
|
||||||
services = {
|
services = {
|
||||||
firefox-syncserver = {
|
firefox-syncserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
secrets = pkgs.privatePath "firefox-syncserver-secrets";
|
secrets = config.age.secrets.firefox-syncserver-secrets.path;
|
||||||
logLevel = "trace";
|
logLevel = "trace";
|
||||||
database = {
|
database = {
|
||||||
name = "firefox_syncserver";
|
name = "firefox_syncserver";
|
||||||
|
|
|
@ -2,8 +2,10 @@
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
#flake-inputs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
|
flake-inputs.secrets = "help";
|
||||||
gitoliteCfg = config.services.gitolite;
|
gitoliteCfg = config.services.gitolite;
|
||||||
post-update =
|
post-update =
|
||||||
pkgs.writeHaskellScript
|
pkgs.writeHaskellScript
|
||||||
|
@ -103,13 +105,13 @@ in {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
inherit (gitoliteCfg) group;
|
inherit (gitoliteCfg) group;
|
||||||
};
|
};
|
||||||
systemd.services.gitolite-init.postStart = lib.mkIf pkgs.withSecrets ''
|
systemd.services.gitolite-init.postStart = ''
|
||||||
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no"
|
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no"
|
||||||
dir=$(mktemp -d)
|
dir=$(mktemp -d)
|
||||||
cd $dir
|
cd $dir
|
||||||
git clone git@localhost:gitolite-admin
|
git clone git@localhost:gitolite-admin
|
||||||
cd gitolite-admin
|
cd gitolite-admin
|
||||||
cp -r ${../../private/gitolite}/* .
|
cp -r ${flake-inputs.secrets}/gitolite/* .
|
||||||
if [[ "$(git status --porcelain)" != "" ]]; then
|
if [[ "$(git status --porcelain)" != "" ]]; then
|
||||||
git "config" "user.email" "git@hera.m-0.eu"
|
git "config" "user.email" "git@hera.m-0.eu"
|
||||||
git "config" "user.name" "git user"
|
git "config" "user.name" "git user"
|
||||||
|
|
|
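Review bot: `flake-inputs.secrets = "help";` together with the commented-out `#flake-inputs,` parameter is a placeholder: the postStart script at the end of the hunk expands `cp -r ${flake-inputs.secrets}/gitolite/* .` to `cp -r help/gitolite/* .`, and with the `lib.mkIf pkgs.withSecrets` guard removed that now runs on every gitolite-init start and fails (presumably taking the unit with it). The fix is to restore `flake-inputs,` in the argument set and delete the `"help"` binding; `flake-inputs` is already provided as a module argument via `_module.args` in `nixos/configurations.nix`. Note that interpolating the secrets flake here copies the gitolite-admin contents from the Nix store, which is world-readable; that matches how the git input already works but deserves a comment so it is not mistaken for an age-managed secret. The `let` block continues past the hunk and its `in {` is outside it.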
@ -1,5 +1,9 @@
|
||||||
{pkgs, ...}: let
|
{
|
||||||
nur = import pkgs.sources.hexa-nur-packages {};
|
pkgs,
|
||||||
|
flake-inputs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
nur = flake-inputs.hexa-nur-packages.packages.x86_64-linux;
|
||||||
|
|
||||||
mkLovelaceModule = name: {
|
mkLovelaceModule = name: {
|
||||||
url = "custom/${name}.js?${nur.hassLovelaceModules."${name}".version}";
|
url = "custom/${name}.js?${nur.hassLovelaceModules."${name}".version}";
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
in {
|
in {
|
||||||
services.miniflux = {
|
services.miniflux = {
|
||||||
enable = true;
|
enable = true;
|
||||||
adminCredentialsFile = pkgs.privatePath "miniflux-admin-credentials";
|
adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
|
||||||
config = {
|
config = {
|
||||||
POLLING_FREQUENCY = "525600"; # We don‘t want polling so we set this to a year.
|
POLLING_FREQUENCY = "525600"; # We don‘t want polling so we set this to a year.
|
||||||
BATCH_SIZE = "1000"; # To make sure that all feeds can get refreshed. Default is 100, which is probably fine.
|
BATCH_SIZE = "1000"; # To make sure that all feeds can get refreshed. Default is 100, which is probably fine.
|
||||||
|
@ -21,16 +21,17 @@ in {
|
||||||
};
|
};
|
||||||
mastodon-digest = {
|
mastodon-digest = {
|
||||||
script = ''
|
script = ''
|
||||||
ln -fs ${pkgs.privatePath "mastodon-env"} .env
|
|
||||||
now=$(date "+%Y-%m-%d")
|
now=$(date "+%Y-%m-%d")
|
||||||
mkdir -p /var/www/rss/mastodon/$now-home-feed-highlights
|
mkdir -p /var/www/rss/mastodon/$now-home-feed-highlights
|
||||||
mkdir -p /var/www/rss/mastodon/$now-read-all-list
|
mkdir -p /var/www/rss/mastodon/$now-read-all-list
|
||||||
|
source $CREDENTIALS_DIRECTORY/mastodon-auth-env
|
||||||
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-home-feed-highlights -n 24 -t lax --theme light
|
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-home-feed-highlights -n 24 -t lax --theme light
|
||||||
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-read-all-list -n 24 -t all --theme light -f list:3811
|
${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-read-all-list -n 24 -t all --theme light -f list:3811
|
||||||
${pkgs.logfeed}/bin/mastodon2rss /var/www/rss/mastodon.xml /var/www/rss/mastodon
|
${pkgs.logfeed}/bin/mastodon2rss /var/www/rss/mastodon.xml /var/www/rss/mastodon
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
|
LoadCredential = ["mastodon-auth-env:${config.age.secrets.mastodon-auth-env.path}"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
refresh-miniflux = {
|
refresh-miniflux = {
|
||||||
|
@ -40,7 +41,7 @@ in {
|
||||||
startAt = "20:00:00";
|
startAt = "20:00:00";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
LoadCredential = ["auth-header:${pkgs.privatePath "miniflux-refresh-auth-header"}"];
|
LoadCredential = ["auth-header:${config.age.secrets.miniflux-refresh-auth-header.path}"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
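Review bot: `source $CREDENTIALS_DIRECTORY/mastodon-auth-env` sources the credential without `allexport`, so variables written as plain `NAME=value` lines stay shell-local and never reach `${pkgs.mastodon_digest}/bin/mastodon_digest` on the following lines; the old wrapper in the mastodon_digest package (its `set -o allexport` / `source .env` / `set +o allexport` lines are deleted further down in this commit) existed precisely to export them. Unless the age secret itself contains `export` statements, replace the line with `set -o allexport`, `source "$CREDENTIALS_DIRECTORY/mastodon-auth-env"`, `set +o allexport`. Delivering the file through `LoadCredential` instead of symlinking a store path into the working directory is the right move, since the secret no longer sits in the world-readable store or the unit's working directory.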
@ -11,7 +11,7 @@
|
||||||
allow ${config.m-0.prefix}::/64;
|
allow ${config.m-0.prefix}::/64;
|
||||||
deny all;
|
deny all;
|
||||||
'';
|
'';
|
||||||
basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
|
basicAuthFile = config.age.secrets."basic-auth/monitoring".path;
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
{pkgs, ...}: let
|
{
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
stateDirectory = "/var/lib/nixpkgs-bot";
|
stateDirectory = "/var/lib/nixpkgs-bot";
|
||||||
config = {
|
configFile = {
|
||||||
server = "https://matrix.maralorn.de";
|
server = "https://matrix.maralorn.de";
|
||||||
database = "${stateDirectory}/state.sqlite";
|
database = "${stateDirectory}/state.sqlite";
|
||||||
repo = {
|
repo = {
|
||||||
|
@ -16,11 +20,6 @@
|
||||||
"nixpkgs-unstable" = [];
|
"nixpkgs-unstable" = [];
|
||||||
"nixos-unstable-small" = ["nixos-unstable"];
|
"nixos-unstable-small" = ["nixos-unstable"];
|
||||||
"nixos-unstable" = [];
|
"nixos-unstable" = [];
|
||||||
"staging-22.05" = ["staging-next-22.05"];
|
|
||||||
"staging-next-22.05" = ["release-22.05"];
|
|
||||||
"release-22.05" = ["nixos-22.05-small"];
|
|
||||||
"nixos-22.05-small" = ["nixos-22.05"];
|
|
||||||
"nixos-22.05" = [];
|
|
||||||
"staging-22.11" = ["staging-next-22.11"];
|
"staging-22.11" = ["staging-next-22.11"];
|
||||||
"staging-next-22.11" = ["release-22.11"];
|
"staging-next-22.11" = ["release-22.11"];
|
||||||
"release-22.11" = ["nixos-22.11-small"];
|
"release-22.11" = ["nixos-22.11-small"];
|
||||||
|
@ -34,9 +33,12 @@ in {
|
||||||
description = "nixpkgs-bot";
|
description = "nixpkgs-bot";
|
||||||
path = [pkgs.git];
|
path = [pkgs.git];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
LoadCredential = ["matrix_token:${pkgs.privatePath "nixpkgs-bot/matrix_token"}" "github_token:${pkgs.privatePath "nixpkgs-bot/github_token"}"];
|
LoadCredential = [
|
||||||
|
"matrix_token:${config.age.secrets."nixpkgs-bot/matrix_token".path}"
|
||||||
|
"github_token:${config.age.secrets."nixpkgs-bot/github_token".path}"
|
||||||
|
];
|
||||||
WorkingDirectory = "/var/lib/nixpkgs-bot";
|
WorkingDirectory = "/var/lib/nixpkgs-bot";
|
||||||
ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON config)}";
|
ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON configFile)}";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
StateDirectory = "nixpkgs-bot";
|
StateDirectory = "nixpkgs-bot";
|
||||||
};
|
};
|
||||||
|
|
|
@ -12,7 +12,7 @@ with lib; {
|
||||||
network = {
|
network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ssh = {
|
ssh = {
|
||||||
enable = pkgs.withSecrets;
|
enable = true;
|
||||||
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
|
||||||
hostKeys = [config.m-0.server.initSSHKey];
|
hostKeys = [config.m-0.server.initSSHKey];
|
||||||
};
|
};
|
||||||
|
|
|
@ -24,10 +24,7 @@ in {
|
||||||
name = "mastodon_digest";
|
name = "mastodon_digest";
|
||||||
runtimeInputs = [python-env];
|
runtimeInputs = [python-env];
|
||||||
text = ''
|
text = ''
|
||||||
set -o allexport
|
|
||||||
# shellcheck source=/dev/null
|
# shellcheck source=/dev/null
|
||||||
source .env
|
|
||||||
set +o allexport
|
|
||||||
cd ${patchedSrc} && python run.py "''${@}"
|
cd ${patchedSrc} && python run.py "''${@}"
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
2
private
2
private
|
@ -1 +1 @@
|
||||||
Subproject commit 147bf3431575832da87e6a587aca2641f7df0187
|
Subproject commit 9f9b064b6b8fe2d166bfa6400a94606b0a869726
|