diff --git a/.forgejo/workflows/nix.yaml b/.forgejo/workflows/nix.yaml new file mode 100644 index 0000000..204f9b8 --- /dev/null +++ b/.forgejo/workflows/nix.yaml @@ -0,0 +1,25 @@ +on: [push] +jobs: + check: + runs-on: beefcake + steps: + - name: Checkout + uses: actions/checkout@v3 + + # cache not needed since we now run on the host directly + # - name: Load cached nix store + # id: cache-nix-store + # uses: actions/cache/restore@v4 + # with: + # path: /nix/store + # key: ${{ runner.os }}-nix-store + + - name: Check nix flake + run: | + nix flake check + + # - name: Save nix store + # uses: actions/cache/save@v4 + # with: + # path: /nix/store + # key: ${{ steps.cache-nix-store.outputs.cache-primary-key }} diff --git a/flake.lock b/flake.lock index 78dcacc..09ed8a1 100644 --- a/flake.lock +++ b/flake.lock @@ -76,10 +76,33 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1721042469, + "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ - "pre-commit", + "git-hooks", "nixpkgs" ] }, @@ -332,16 +355,16 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1718811006, - "narHash": "sha256-0Y8IrGhRmBmT7HHXlxxepg2t8j1X90++qRN3lukGaIk=", + "lastModified": 1720386169, + "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "03d771e513ce90147b65fe922d87d3a0356fc125", + "rev": "194846768975b7ad2c4988bdb82572c00222c0d7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } 
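Review bot: `uses: actions/checkout@v3` pins a mutable tag, and on a self-hosted runner that executes on the server itself a moved or compromised tag runs attacker-chosen code on that host, so pin to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v3`. `runs-on: beefcake` appears to resolve (via the runner labels added in nixos/beefcake.nix in this same commit) to the `beefcake:host` label, so every push runs `nix flake check` unsandboxed under the runner's service account rather than inside the `podman` or `nix` container; if host access is not actually needed, prefer one of the container labels. The commented-out cache steps are dead configuration now that the host's /nix/store is used directly; dropping them instead of keeping them commented would leave a workflow that says only what it does.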
@@ -410,39 +433,16 @@ "type": "github" } }, - "pre-commit": { - "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" - }, - "locked": { - "lastModified": 1719259945, - "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=", - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "type": "github" - } - }, "root": { "inputs": { "disko": "disko", + "git-hooks": "git-hooks", "hardware": "hardware", "helix": "helix", "home-manager": "home-manager", "hyprland": "hyprland", "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", - "pre-commit": "pre-commit", "slippi": "slippi", "sops-nix": "sops-nix" } @@ -477,11 +477,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1720625270, - "narHash": "sha256-7JGUXmp6LxPkinxy9kEnrdbZQPF8QGZwvRxWU/ZwJKY=", + "lastModified": 1721686199, + "narHash": "sha256-4rMu207y5HCLkRDbZXdFhFqAfDKxwCJ1r9UOsXmef4Q=", "owner": "lytedev", "repo": "slippi-nix", - "rev": "e86b5e46d53a929303b9ad6539cb6e64e7a8c5b4", + "rev": "2b9673de8ec491be1c3ad8d23461b1fe5f2736b0", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 641b74a..8b02b4a 100644 --- a/flake.nix +++ b/flake.nix @@ -10,8 +10,8 @@ sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable"; sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs"; - pre-commit.url = "github:cachix/pre-commit-hooks.nix"; - pre-commit.inputs.nixpkgs.follows = "nixpkgs"; + git-hooks.url = "github:cachix/git-hooks.nix"; + git-hooks.inputs.nixpkgs.follows = "nixpkgs"; home-manager.url = "github:nix-community/home-manager/release-24.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; 
@@ -20,6 +20,7 @@ hardware.url = "github:nixos/nixos-hardware"; hyprland.url = "github:hyprwm/Hyprland"; slippi.url = "github:lytedev/slippi-nix"; + # slippi.url = "git+file:///home/daniel/code/open-source/slippi-nix"; # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b"; }; @@ -50,7 +51,7 @@ nixpkgs-unstable, disko, sops-nix, - pre-commit, + git-hooks, home-manager, helix, hardware, @@ -87,34 +88,35 @@ # kind of a quirk, but package definitions are actually in the "additions" # overlay I did this to work around some recursion problems # TODO: https://discourse.nixos.org/t/infinite-recursion-getting-started-with-overlays/48880 - packages = genPkgs (pkgs: {inherit (pkgs) iosevkaLyteTerm iosevkaLyteTermSubset;}); + packages = genPkgs (pkgs: {inherit (pkgs) iosevkaLyteTerm iosevkaLyteTermSubset nix-base-container-image;}); diskoConfigurations = import ./disko; templates = import ./templates; formatter = genPkgs (p: p.alejandra); - checks = pkg ({system}: { - pre-commit-check = pre-commit.lib.${system}.run { + checks = genPkgs ({system, ...}: { + git-hooks = git-hooks.lib.${system}.run { src = ./.; hooks = { alejandra.enable = true; }; }; - }) {}; + }); - devShells = pkg ({ + devShells = genPkgs ({ system, pkgs, mkShell, + ... }: { default = mkShell { - inherit (outputs.checks.${system}.pre-commit-check) shellHook; + inherit (outputs.checks.${system}.git-hooks) shellHook; buildInputs = with pkgs; [ lua-language-server nodePackages.bash-language-server ]; }; - }) {}; + }); overlays = { # the default overlay composes all the other overlays together 
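Review bot: The check introduced in the `@@ -87` hunk is named `git-hooks`, the same as the flake input, so `git-hooks = git-hooks.lib.${system}.run { ... }` reads like a self-reference; it is not one, because the attribute set is not `rec`, but the collision also makes `inherit (outputs.checks.${system}.git-hooks) shellHook;` in devShells ambiguous to a reader. A distinct name keeps the two apart: `git-hooks-check = git-hooks.lib.${system}.run {` together with `inherit (outputs.checks.${system}.git-hooks-check) shellHook;`. The enclosing `outputs` attribute set starts and ends outside this hunk.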
@@ -133,6 +135,66 @@ iosevkaLyteTermSubset = prev.callPackage ./packages/iosevkaLyteTermSubset.nix { inherit iosevkaLyteTerm; }; + nix-base-container-image = final.dockerTools.buildImageWithNixDb { + name = "git.lyte.dev/lytedev/nix"; + tag = "latest"; + + copyToRoot = with final; [ + bash + coreutils + curl + gawk + gitFull + git-lfs + gnused + nodejs + wget + sudo + nixFlakes + cacert + gnutar + gzip + openssh + xz + (pkgs.writeTextFile { + name = "nix.conf"; + destination = "/etc/nix/nix.conf"; + text = '' + accept-flake-config = true + experimental-features = nix-command flakes + build-users-group = + substituters = https://nix.h.lyte.dev https://cache.nixos.org/ + trusted-substituters = https://nix.h.lyte.dev https://cache.nixos.org/ + trusted-public-keys = h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + ''; + }) + ]; + + extraCommands = '' + # enable /usr/bin/env for scripts + mkdir -p usr + ln -s ../bin usr/bin + + # create /tmp + mkdir -p tmp + + # create HOME + mkdir -vp root + ''; + config = { + Cmd = ["/bin/bash"]; + Env = [ + "LANG=en_GB.UTF-8" + "ENV=/etc/profile.d/nix.sh" + "BASH_ENV=/etc/profile.d/nix.sh" + "NIX_BUILD_SHELL=/bin/bash" + "PAGER=cat" + "PATH=/usr/bin:/bin" + "SSL_CERT_FILE=${final.cacert}/etc/ssl/certs/ca-bundle.crt" + "USER=root" + ]; + }; + }; }; modifications = final: prev: { diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index 44658b7..8080bae 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix @@ -34,6 +34,23 @@ broot = {}; + emacs = {pkgs, ...}: { + programs.emacs = { + enable = true; + # extraConfig = '' + # ''; + extraPackages = epkgs: (with epkgs; [ + magit + ]); + }; + + programs.fish = { + shellAliases = { + e = "emacs"; + }; + }; + }; + cargo = {config, ...}: { home.file."${config.home.homeDirectory}/.cargo/config.toml" = { enable = true; 
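Review bot: The `nix.conf` baked into `nix-base-container-image` sets `accept-flake-config = true`, which makes Nix inside the image silently adopt any `nixConfig` (including extra `substituters` and `trusted-public-keys`) declared by whatever flake a CI job evaluates, so a repository checked out in this image can add its own binary cache and signing keys without any prompt; set `accept-flake-config = false` (or omit the line) and rely on the `substituters`/`trusted-public-keys` already listed in the same file. The image is published only as `tag = "latest"`, which the runner label in nixos/beefcake.nix consumes as `git.lyte.dev/lytedev/nix:latest`; a mutable tag means the CI base environment changes whenever the image is rebuilt, so consider also publishing an immutable tag and pinning the label by digest once the registry reports one. Inside `copyToRoot = with final; [ ... ]` the config file is built with `(pkgs.writeTextFile {` while every other package comes from `final`; `final.writeTextFile` keeps the overlay self-consistent and avoids depending on an outer `pkgs` binding.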
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 826f2e9..7a8ae8d 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -243,11 +243,24 @@ ''; }; + emacs = {pkgs, ...}: { + environment.systemPackages = with pkgs; [ + emacs + ]; + + home-manager.users.daniel = { + imports = with homeManagerModules; [ + emacs + ]; + }; + }; + development-tools = {pkgs, ...}: { imports = with nixosModules; [ postgres podman troubleshooting-tools + emacs ]; environment.sessionVariables.NIXOS_OZONE_WL = "1"; @@ -616,7 +629,9 @@ podman = { enable = true; dockerCompat = true; + dockerSocket.enable = true; defaultNetwork.settings.dns_enabled = true; + # networkSocket.enable = true; }; oci-containers = { diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index 2f76345..0aedb8f 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -111,14 +111,11 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 owner = config.systemd.services.plausible.serviceConfig.User; group = config.systemd.services.plausible.serviceConfig.Group; }; - nextcloud-admin-password = { - path = "/var/lib/nextcloud/admin-password"; - mode = "0440"; - # owner = config.services.nextcloud.serviceConfig.User; - # group = config.services.nextcloud.serviceConfig.Group; - }; + nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password"; + "forgejo-runner.env" = {mode = "0400";}; }; }; + systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"]; } { # nix binary cache @@ -609,7 +606,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 paths = [ "/storage/files.lyte.dev" "/storage/daniel" - "/storage/gitea" # TODO: should maybe use configuration.nix's services.gitea.dump ? + "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ? "/storage/postgres-backups" # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault 
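Review bot: `dockerSocket.enable = true;` in the shared podman module publishes the Podman API on the Docker-compatible socket, and as far as I recall the NixOS module grants that socket to members of the `podman` group, which is root-equivalent because any client can start privileged containers with arbitrary host mounts; worth confirming before this lands on every host importing the module. This same commit adds the Forgejo runner on beefcake, so if the runner's job containers or its `:host` jobs can reach that socket, any repository whose actions run there can escalate to the host; keep `podman` group membership to the runner account only, or leave `dockerSocket.enable` off unless a consumer actually needs the Docker API. The commented `# networkSocket.enable = true;` is dead configuration and can be dropped. In the nixos/beefcake.nix `@@ -111` hunk, `systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];` only orders the runner after sops-nix; if the runner must not start without the decrypted `forgejo-runner.env`, add `requires = ["sops-nix.service"];` as well, or confirm that a missing `tokenFile` makes the service fail loudly at start.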
@@ -696,11 +693,13 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 ]; } { - services.gitea = { + services.forgejo = { enable = true; - appName = "git.lyte.dev"; - stateDir = "/storage/gitea"; + stateDir = "/storage/forgejo"; settings = { + DEFAULT = { + APP_NAME = "git.lyte.dev"; + }; server = { ROOT_URL = "https://git.lyte.dev"; HTTP_ADDR = "127.0.0.1"; @@ -721,8 +720,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 LEVEL = "Debug"; }; ui = { - THEMES = "catppuccin-mocha-sapphire,gitea,arc-green,auto,pitchblack"; - DEFAULT_THEME = "catppuccin-mocha-sapphire"; + THEMES = "forgejo-auto,forgejo-light,forgejo-dark,catppuccin-mocha-sapphire"; + DEFAULT_THEME = "forgejo-auto"; }; indexer = { REPO_INDEXER_ENABLED = "true"; 
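Review bot: `stateDir = "/storage/forgejo";` replaces `/storage/gitea`, but nothing in the commit moves the existing repositories, LFS objects and SQLite database (`type = "sqlite3"` in the following hunk) to the new path, and I believe the NixOS forgejo module runs under a different service user than the gitea module did, so migrated data also needs its ownership changed; unless that was done by hand, the first activation starts an empty instance. A comment next to `stateDir`, e.g. `# migrated from /storage/gitea on <DATE>; ownership changed to the forgejo service user`, would record that the move happened and how. The `services.forgejo` attribute set continues past the end of this hunk.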
@@ -743,19 +742,51 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 type = "sqlite3"; }; }; - # services.gitea-actions-runner.instances.main = { - # # TODO: simple git-based automation would be dope? maybe especially for - # # mirroring to github super easy? - # enable = false; - # }; + services.gitea-actions-runner = { + # TODO: simple git-based automation would be dope? maybe especially for + # mirroring to github super easy? + # enable = true; + package = pkgs.forgejo-runner; + instances."beefcake" = { + enable = true; + name = "beefcake"; + url = "https://git.lyte.dev"; + settings = { + container = { + # use the shared network which is bridged by default + # this lets us hit git.lyte.dev just fine + network = "podman"; + }; + }; + labels = [ + # type ":host" does not depend on docker/podman/lxc + "podman" + "nix:docker://git.lyte.dev/lytedev/nix:latest" + "beefcake:host" + ]; + tokenFile = config.sops.secrets."forgejo-runner.env".path; + hostPackages = with pkgs; [ + nix + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + wget + ]; + }; + }; + # environment.systemPackages = with pkgs; [nodejs]; services.caddy.virtualHosts."git.lyte.dev" = { extraConfig = '' - reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT} + reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} ''; }; services.caddy.virtualHosts."http://git.beefcake.lan" = { extraConfig = '' - reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT} + reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} ''; }; } 
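Review bot: The `labels` list includes `"beefcake:host"`, which lets any workflow that requests it run directly on this server under the runner's account with `nix` and the other `hostPackages` available, i.e. every repository on git.lyte.dev with actions enabled gets a code-execution path onto the production host; if only the flake checks need it, document that intent next to the label and restrict actions to trusted repositories on the Forgejo side, or move host jobs to a dedicated runner machine. `"nix:docker://git.lyte.dev/lytedev/nix:latest"` pulls a mutable tag, so the CI environment changes whenever the image is republished; pin by digest (`@sha256:<IMAGE_DIGEST>`) once the registry reports one. `network = "podman"` puts job containers on the default bridged network, which, as the comment says, lets them reach git.lyte.dev but also every other service on the host and LAN; the comment should state that trade-off. The `# enable = true;` comment directly under `services.gitea-actions-runner` is stale, since the option lives on the instance (`instances."beefcake".enable = true`), and can be dropped.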
@@ -986,6 +1017,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # should I be using btrfs subvolumes? can I capture file ownership, perimssions, and ACLs? virtualisation.oci-containers.backend = "podman"; + virtualisation.podman = { + # autoPrune.enable = true; + # defaultNetwork.settings = { + # driver = "host"; + # }; + }; environment.systemPackages = with pkgs; [ linuxquota htop diff --git a/nixos/router.nix b/nixos/router.nix index 8674eca..1931dad 100644 --- a/nixos/router.nix +++ b/nixos/router.nix @@ -48,6 +48,7 @@ "nix.h.lyte.dev" "git.lyte.dev" "video.lyte.dev" + "a.lyte.dev" "bw.lyte.dev" "files.lyte.dev" "vpn.h.lyte.dev" diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml index 74273da..411e745 100644 --- a/secrets/beefcake/secrets.yml +++ b/secrets/beefcake/secrets.yml 
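Review bot: `virtualisation.podman = { ... };` adds an attribute set whose only contents are commented-out options, so it is dead configuration that merges nothing; either drop the block or keep one live setting in it. If the intent is to record that `autoPrune` and a `host` network driver were tried and rejected, a one-line comment above `virtualisation.oci-containers.backend = "podman";` saying so reads better than a commented skeleton.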
@@ -12,6 +12,8 @@ plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str] plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str] nextcloud-admin-password: ENC[AES256_GCM,data:QaoSZyommeGED3nWNru92UVO2tjk24HE9fWX7ExYT101o4ZL411TmV1TXHSyfwjmE7yLIm1K/j4xpEbIY3zvFg==,iv:xC5EZVPHumVPOob5jiiXMFAmdFQcFSUPtZgioAgGDDs=,tag:Q/kY38XWkGsqcmCkd2lodg==,type:str] +#ENC[AES256_GCM,data:IDauOj95sPt6LQkNWOaAV3AR7XPHJljX7Gef/IgtzC227ln7aKpVLCbhxD6pNTwd9/KhIXJp3vagCjfgkO/utA==,iv:Pn5jIPsFMBA2xnp3SUBgBug1NN8d3h3zy1pGVzO2hO0=,tag:NzhLA7nqE7SRRMV+rKgCjQ==,type:comment] +forgejo-runner.env: ENC[AES256_GCM,data:10wKRImXKS7ezcWnkwz7ak194snQ4wG8GBePeHXN1I23JfOvuD00427fOJ4jbCY=,iv:8jrmcXa2yqFTSf4fFnZXCuyGft90RzUO3S4rZGXaTDI=,tag:EGDqTK8GKBGfogkqkCODxg==,type:str] jland.env: ENC[AES256_GCM,data:u+QKwKWG9NFduuofhe3aatof3KoC0N4ZpNOD8E/7l0BTSoTe5Tqmz5/33EOcBUw99+YLFR4kTJwdUmLWHk4UD87aGsJ4liPCtXnBsToAzBGg0I3mhGQ/QM8iKXMW9oKb3ciapitQBuJa1WIp5/bHNtCXWQ==,iv:iZDET5EWM4DnAoQqLP9+Ll4S+mFHt2wZ3ENtN79Dbqw=,tag:qVpocN3FxlHfte2hAmtGPA==,type:str] dawncraft.env: ENC[AES256_GCM,data:8n1ymQZpMeVwTyoHhccV+W5diMLcsZw5zZQy4Z4eaMcLFk8ey3SeXkCf9+GnqpIU5xIZfCP1ZqeSxR03kJx3TPbQeBLZeN/QAYBxHOg/tjXIE6jdIGv0INkVLkExKPlvGN8F+ijwYkwgfqlhKPBf+Q==,iv:EMGlqUxcfvxqn1G1NohrAtJP/fLdolP++zcvaxIvVR4=,tag:1+ueIDCJTxmM586Z7i0aUA==,type:str] api.lyte.dev: 
ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str] @@ -39,8 +41,8 @@ sops: b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-07T04:00:34Z" - mac: ENC[AES256_GCM,data:e7v7J2QM6p4ljrdEX6uM7PHWb0/DKt1aWIro+YkQct1ym772WKtWFzzm+mV2wqBLLXCAKy7MJ7Y89iTysFO3pdGX1zdw3wMbNfmTCCXCKAUcIih4O0hLHqrfwcoVOuQ0SALESshDmUew/Gqu6NSrL6Wo+jNo7LEAHZ7kFtkP8rQ=,iv:0fmHOKlBzIhKQ4G6DDwlIW2WpLjIS/OAWLexND+/HAQ=,tag:FSqO8/14JwhobpIKaHk77w==,type:str] + lastmodified: "2024-07-24T16:34:28Z" + mac: ENC[AES256_GCM,data:/zOixu65MHMRj5hermm6mmkpS5q97yEwALP+LwC6j9NIXxL2nIFB+jqQtiyMwlErB1Vf5cZvH3PA1sOqHnPOsv5p58S5Ww7eIHb4ElPXufGLqhA6sTiz1RrlWwUqtDtR42V3kql6Hro57PXV+NZ6NEnvzHKct9S30OCOWWtGwTs=,iv:JTF5u4rva9PgLAG2ysTz+pA4wTRq5WJR7xJZNGbciUA=,tag:0X0NlvxBoaELANxp/vwnnw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1