Merge remote-tracking branch 'origin/main'

.forgejo/workflows/nix.yaml

@@ -0,0 +1,25 @@
+on: [push]
+jobs:
+  check:
+    runs-on: beefcake
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+        
+    # cache not needed since we now run on the host directly
+    # - name: Load cached nix store
+    #   id: cache-nix-store
+    #   uses: actions/cache/restore@v4
+    #   with:
+    #     path: /nix/store
+    #     key: ${{ runner.os }}-nix-store
+
+    - name: Check nix flake
+      run: |
+        nix flake check
+
+    # - name: Save nix store
+    #   uses: actions/cache/save@v4
+    #   with:
+    #     path: /nix/store
+    #     key: ${{ steps.cache-nix-store.outputs.cache-primary-key }}

flake.lock

@@ -76,10 +76,33 @@
         "type": "github"
       }
     },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1721042469,
+        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
     "gitignore": {
       "inputs": {
         "nixpkgs": [
-          "pre-commit",
+          "git-hooks",
           "nixpkgs"
         ]
       },
@@ -332,16 +355,16 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1718811006,
-        "narHash": "sha256-0Y8IrGhRmBmT7HHXlxxepg2t8j1X90++qRN3lukGaIk=",
+        "lastModified": 1720386169,
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "03d771e513ce90147b65fe922d87d3a0356fc125",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -410,39 +433,16 @@
         "type": "github"
       }
     },
-    "pre-commit": {
-      "inputs": {
-        "flake-compat": "flake-compat",
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
-      },
-      "locked": {
-        "lastModified": 1719259945,
-        "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "pre-commit-hooks.nix",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "disko": "disko",
+        "git-hooks": "git-hooks",
         "hardware": "hardware",
         "helix": "helix",
         "home-manager": "home-manager",
         "hyprland": "hyprland",
         "nixpkgs": "nixpkgs_3",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "pre-commit": "pre-commit",
         "slippi": "slippi",
         "sops-nix": "sops-nix"
       }
@@ -477,11 +477,11 @@
         "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1720625270,
-        "narHash": "sha256-7JGUXmp6LxPkinxy9kEnrdbZQPF8QGZwvRxWU/ZwJKY=",
+        "lastModified": 1721686199,
+        "narHash": "sha256-4rMu207y5HCLkRDbZXdFhFqAfDKxwCJ1r9UOsXmef4Q=",
         "owner": "lytedev",
         "repo": "slippi-nix",
-        "rev": "e86b5e46d53a929303b9ad6539cb6e64e7a8c5b4",
+        "rev": "2b9673de8ec491be1c3ad8d23461b1fe5f2736b0",
         "type": "github"
       },
       "original": {

flake.nix

@@ -10,8 +10,8 @@
     sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
     sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
 
-    pre-commit.url = "github:cachix/pre-commit-hooks.nix";
-    pre-commit.inputs.nixpkgs.follows = "nixpkgs";
+    git-hooks.url = "github:cachix/git-hooks.nix";
+    git-hooks.inputs.nixpkgs.follows = "nixpkgs";
 
     home-manager.url = "github:nix-community/home-manager/release-24.05";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
@@ -20,6 +20,7 @@
     hardware.url = "github:nixos/nixos-hardware";
     hyprland.url = "github:hyprwm/Hyprland";
     slippi.url = "github:lytedev/slippi-nix";
+    # slippi.url = "git+file:///home/daniel/code/open-source/slippi-nix";
 
     # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
   };
@@ -50,7 +51,7 @@
     nixpkgs-unstable,
     disko,
     sops-nix,
-    pre-commit,
+    git-hooks,
     home-manager,
     helix,
     hardware,
@@ -87,34 +88,35 @@
     # kind of a quirk, but package definitions are actually in the "additions"
     # overlay I did this to work around some recursion problems
     # TODO: https://discourse.nixos.org/t/infinite-recursion-getting-started-with-overlays/48880
-    packages = genPkgs (pkgs: {inherit (pkgs) iosevkaLyteTerm iosevkaLyteTermSubset;});
+    packages = genPkgs (pkgs: {inherit (pkgs) iosevkaLyteTerm iosevkaLyteTermSubset nix-base-container-image;});
     diskoConfigurations = import ./disko;
     templates = import ./templates;
     formatter = genPkgs (p: p.alejandra);
 
-    checks = pkg ({system}: {
-      pre-commit-check = pre-commit.lib.${system}.run {
+    checks = genPkgs ({system, ...}: {
+      git-hooks = git-hooks.lib.${system}.run {
         src = ./.;
         hooks = {
           alejandra.enable = true;
         };
       };
-    }) {};
+    });
 
-    devShells = pkg ({
+    devShells = genPkgs ({
       system,
       pkgs,
       mkShell,
+      ...
     }: {
       default = mkShell {
-        inherit (outputs.checks.${system}.pre-commit-check) shellHook;
+        inherit (outputs.checks.${system}.git-hooks) shellHook;
 
         buildInputs = with pkgs; [
           lua-language-server
           nodePackages.bash-language-server
         ];
       };
-    }) {};
+    });
 
     overlays = {
       # the default overlay composes all the other overlays together
@@ -133,6 +135,66 @@
         iosevkaLyteTermSubset = prev.callPackage ./packages/iosevkaLyteTermSubset.nix {
           inherit iosevkaLyteTerm;
         };
+        nix-base-container-image = final.dockerTools.buildImageWithNixDb {
+          name = "git.lyte.dev/lytedev/nix";
+          tag = "latest";
+
+          copyToRoot = with final; [
+            bash
+            coreutils
+            curl
+            gawk
+            gitFull
+            git-lfs
+            gnused
+            nodejs
+            wget
+            sudo
+            nixFlakes
+            cacert
+            gnutar
+            gzip
+            openssh
+            xz
+            (pkgs.writeTextFile {
+              name = "nix.conf";
+              destination = "/etc/nix/nix.conf";
+              text = ''
+                accept-flake-config = true
+                experimental-features = nix-command flakes
+                build-users-group =
+                substituters = https://nix.h.lyte.dev https://cache.nixos.org/
+                trusted-substituters = https://nix.h.lyte.dev https://cache.nixos.org/
+                trusted-public-keys = h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+              '';
+            })
+          ];
+
+          extraCommands = ''
+            # enable /usr/bin/env for scripts
+            mkdir -p usr
+            ln -s ../bin usr/bin
+
+            # create /tmp
+            mkdir -p tmp
+
+            # create HOME
+            mkdir -vp root
+          '';
+          config = {
+            Cmd = ["/bin/bash"];
+            Env = [
+              "LANG=en_GB.UTF-8"
+              "ENV=/etc/profile.d/nix.sh"
+              "BASH_ENV=/etc/profile.d/nix.sh"
+              "NIX_BUILD_SHELL=/bin/bash"
+              "PAGER=cat"
+              "PATH=/usr/bin:/bin"
+              "SSL_CERT_FILE=${final.cacert}/etc/ssl/certs/ca-bundle.crt"
+              "USER=root"
+            ];
+          };
+        };
       };
 
       modifications = final: prev: {

modules/home-manager/default.nix

@@ -34,6 +34,23 @@
 
   broot = {};
 
+  emacs = {pkgs, ...}: {
+    programs.emacs = {
+      enable = true;
+      # extraConfig = ''
+      # '';
+      extraPackages = epkgs: (with epkgs; [
+        magit
+      ]);
+    };
+
+    programs.fish = {
+      shellAliases = {
+        e = "emacs";
+      };
+    };
+  };
+
   cargo = {config, ...}: {
     home.file."${config.home.homeDirectory}/.cargo/config.toml" = {
       enable = true;

modules/nixos/default.nix

@@ -243,11 +243,24 @@
     '';
   };
 
+  emacs = {pkgs, ...}: {
+    environment.systemPackages = with pkgs; [
+      emacs
+    ];
+
+    home-manager.users.daniel = {
+      imports = with homeManagerModules; [
+        emacs
+      ];
+    };
+  };
+
   development-tools = {pkgs, ...}: {
     imports = with nixosModules; [
       postgres
       podman
       troubleshooting-tools
+      emacs
     ];
 
     environment.sessionVariables.NIXOS_OZONE_WL = "1";
@@ -616,7 +629,9 @@
       podman = {
         enable = true;
         dockerCompat = true;
+        dockerSocket.enable = true;
         defaultNetwork.settings.dns_enabled = true;
+        # networkSocket.enable = true;
       };
 
       oci-containers = {

nixos/beefcake.nix

@@ -111,14 +111,11 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
             owner = config.systemd.services.plausible.serviceConfig.User;
             group = config.systemd.services.plausible.serviceConfig.Group;
           };
-          nextcloud-admin-password = {
-            path = "/var/lib/nextcloud/admin-password";
-            mode = "0440";
-            # owner = config.services.nextcloud.serviceConfig.User;
-            # group = config.services.nextcloud.serviceConfig.Group;
-          };
+          nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password";
+          "forgejo-runner.env" = {mode = "0400";};
         };
       };
+      systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];
     }
     {
       # nix binary cache
@@ -609,7 +606,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
           paths = [
             "/storage/files.lyte.dev"
             "/storage/daniel"
-            "/storage/gitea" # TODO: should maybe use configuration.nix's services.gitea.dump ?
+            "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ?
             "/storage/postgres-backups"
 
             # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
@@ -696,11 +693,13 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
       ];
     }
     {
-      services.gitea = {
+      services.forgejo = {
         enable = true;
-        appName = "git.lyte.dev";
-        stateDir = "/storage/gitea";
+        stateDir = "/storage/forgejo";
         settings = {
+          DEFAULT = {
+            APP_NAME = "git.lyte.dev";
+          };
           server = {
             ROOT_URL = "https://git.lyte.dev";
             HTTP_ADDR = "127.0.0.1";
@@ -721,8 +720,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
             LEVEL = "Debug";
           };
           ui = {
-            THEMES = "catppuccin-mocha-sapphire,gitea,arc-green,auto,pitchblack";
-            DEFAULT_THEME = "catppuccin-mocha-sapphire";
+            THEMES = "forgejo-auto,forgejo-light,forgejo-dark,catppuccin-mocha-sapphire";
+            DEFAULT_THEME = "forgejo-auto";
           };
           indexer = {
             REPO_INDEXER_ENABLED = "true";
@@ -743,19 +742,51 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
           type = "sqlite3";
         };
       };
-      # services.gitea-actions-runner.instances.main = {
-      #   # TODO: simple git-based automation would be dope? maybe especially for
-      #   # mirroring to github super easy?
-      #   enable = false;
-      # };
+      services.gitea-actions-runner = {
+        # TODO: simple git-based automation would be dope? maybe especially for
+        # mirroring to github super easy?
+        # enable = true;
+        package = pkgs.forgejo-runner;
+        instances."beefcake" = {
+          enable = true;
+          name = "beefcake";
+          url = "https://git.lyte.dev";
+          settings = {
+            container = {
+              # use the shared network which is bridged by default
+              # this lets us hit git.lyte.dev just fine
+              network = "podman";
+            };
+          };
+          labels = [
+            # type ":host" does not depend on docker/podman/lxc
+            "podman"
+            "nix:docker://git.lyte.dev/lytedev/nix:latest"
+            "beefcake:host"
+          ];
+          tokenFile = config.sops.secrets."forgejo-runner.env".path;
+          hostPackages = with pkgs; [
+            nix
+            bash
+            coreutils
+            curl
+            gawk
+            gitMinimal
+            gnused
+            nodejs
+            wget
+          ];
+        };
+      };
+      # environment.systemPackages = with pkgs; [nodejs];
       services.caddy.virtualHosts."git.lyte.dev" = {
         extraConfig = ''
-          reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
+          reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
         '';
       };
       services.caddy.virtualHosts."http://git.beefcake.lan" = {
         extraConfig = ''
-          reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
+          reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
         '';
       };
     }
@@ -986,6 +1017,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
   # should I be using btrfs subvolumes? can I capture file ownership, perimssions, and ACLs?
 
   virtualisation.oci-containers.backend = "podman";
+  virtualisation.podman = {
+    # autoPrune.enable = true;
+    # defaultNetwork.settings = {
+    # driver = "host";
+    # };
+  };
   environment.systemPackages = with pkgs; [
     linuxquota
     htop

nixos/router.nix

@@ -48,6 +48,7 @@
         "nix.h.lyte.dev"
         "git.lyte.dev"
         "video.lyte.dev"
+        "a.lyte.dev"
         "bw.lyte.dev"
         "files.lyte.dev"
         "vpn.h.lyte.dev"

secrets/beefcake/secrets.yml

@@ -12,6 +12,8 @@ plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A
 plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str]
 plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str]
 nextcloud-admin-password: ENC[AES256_GCM,data:QaoSZyommeGED3nWNru92UVO2tjk24HE9fWX7ExYT101o4ZL411TmV1TXHSyfwjmE7yLIm1K/j4xpEbIY3zvFg==,iv:xC5EZVPHumVPOob5jiiXMFAmdFQcFSUPtZgioAgGDDs=,tag:Q/kY38XWkGsqcmCkd2lodg==,type:str]
+#ENC[AES256_GCM,data:IDauOj95sPt6LQkNWOaAV3AR7XPHJljX7Gef/IgtzC227ln7aKpVLCbhxD6pNTwd9/KhIXJp3vagCjfgkO/utA==,iv:Pn5jIPsFMBA2xnp3SUBgBug1NN8d3h3zy1pGVzO2hO0=,tag:NzhLA7nqE7SRRMV+rKgCjQ==,type:comment]
+forgejo-runner.env: ENC[AES256_GCM,data:10wKRImXKS7ezcWnkwz7ak194snQ4wG8GBePeHXN1I23JfOvuD00427fOJ4jbCY=,iv:8jrmcXa2yqFTSf4fFnZXCuyGft90RzUO3S4rZGXaTDI=,tag:EGDqTK8GKBGfogkqkCODxg==,type:str]
 jland.env: ENC[AES256_GCM,data:u+QKwKWG9NFduuofhe3aatof3KoC0N4ZpNOD8E/7l0BTSoTe5Tqmz5/33EOcBUw99+YLFR4kTJwdUmLWHk4UD87aGsJ4liPCtXnBsToAzBGg0I3mhGQ/QM8iKXMW9oKb3ciapitQBuJa1WIp5/bHNtCXWQ==,iv:iZDET5EWM4DnAoQqLP9+Ll4S+mFHt2wZ3ENtN79Dbqw=,tag:qVpocN3FxlHfte2hAmtGPA==,type:str]
 dawncraft.env: ENC[AES256_GCM,data:8n1ymQZpMeVwTyoHhccV+W5diMLcsZw5zZQy4Z4eaMcLFk8ey3SeXkCf9+GnqpIU5xIZfCP1ZqeSxR03kJx3TPbQeBLZeN/QAYBxHOg/tjXIE6jdIGv0INkVLkExKPlvGN8F+ijwYkwgfqlhKPBf+Q==,iv:EMGlqUxcfvxqn1G1NohrAtJP/fLdolP++zcvaxIvVR4=,tag:1+ueIDCJTxmM586Z7i0aUA==,type:str]
 api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str]
@@ -39,8 +41,8 @@ sops:
             b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f
             nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-07T04:00:34Z"
-    mac: ENC[AES256_GCM,data:e7v7J2QM6p4ljrdEX6uM7PHWb0/DKt1aWIro+YkQct1ym772WKtWFzzm+mV2wqBLLXCAKy7MJ7Y89iTysFO3pdGX1zdw3wMbNfmTCCXCKAUcIih4O0hLHqrfwcoVOuQ0SALESshDmUew/Gqu6NSrL6Wo+jNo7LEAHZ7kFtkP8rQ=,iv:0fmHOKlBzIhKQ4G6DDwlIW2WpLjIS/OAWLexND+/HAQ=,tag:FSqO8/14JwhobpIKaHk77w==,type:str]
+    lastmodified: "2024-07-24T16:34:28Z"
+    mac: ENC[AES256_GCM,data:/zOixu65MHMRj5hermm6mmkpS5q97yEwALP+LwC6j9NIXxL2nIFB+jqQtiyMwlErB1Vf5cZvH3PA1sOqHnPOsv5p58S5Ww7eIHb4ElPXufGLqhA6sTiz1RrlWwUqtDtR42V3kql6Hro57PXV+NZ6NEnvzHKct9S30OCOWWtGwTs=,iv:JTF5u4rva9PgLAG2ysTz+pA4wTRq5WJR7xJZNGbciUA=,tag:0X0NlvxBoaELANxp/vwnnw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1