Merge remote-tracking branch 'origin/main'

2024-07-26 11:30:11 -05:00 · 2024-07-26 11:30:11 -05:00 · b157935e93
commit b157935e93
parent a33bc7e455 53df50c8d6
8 changed files with 222 additions and 63 deletions
--- a/.forgejo/workflows/nix.yaml
+++ b/.forgejo/workflows/nix.yaml
@ -0,0 +1,25 @@
 on: [push]
 jobs:
  check:
    runs-on: beefcake
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    # cache not needed since we now run on the host directly
    # - name: Load cached nix store
    #   id: cache-nix-store
    #   uses: actions/cache/restore@v4
    #   with:
    #     path: /nix/store
    #     key: ${{ runner.os }}-nix-store
    - name: Check nix flake
      run: |
        nix flake check
    # - name: Save nix store
    #   uses: actions/cache/save@v4
    #   with:
    #     path: /nix/store
    #     key: ${{ steps.cache-nix-store.outputs.cache-primary-key }}
--- a/flake.lock
+++ b/flake.lock
@ -76,10 +76,33 @@
        "type": "github"
      }
    },
    "git-hooks": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1721042469,
        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "git-hooks.nix",
        "type": "github"
      }
    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
-          "pre-commit",
+          "git-hooks",
          "nixpkgs"
        ]
      },
@ -332,16 +355,16 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1718811006,
+        "lastModified": 1720386169,
-        "narHash": "sha256-0Y8IrGhRmBmT7HHXlxxepg2t8j1X90++qRN3lukGaIk=",
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "03d771e513ce90147b65fe922d87d3a0356fc125",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -410,39 +433,16 @@
        "type": "github"
      }
    },
    "pre-commit": {
      "inputs": {
        "flake-compat": "flake-compat",
        "gitignore": "gitignore",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
        "lastModified": 1719259945,
        "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07",
        "type": "github"
      },
      "original": {
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "disko": "disko",
        "git-hooks": "git-hooks",
        "hardware": "hardware",
        "helix": "helix",
        "home-manager": "home-manager",
        "hyprland": "hyprland",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pre-commit": "pre-commit",
        "slippi": "slippi",
        "sops-nix": "sops-nix"
      }
@ -477,11 +477,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1720625270,
+        "lastModified": 1721686199,
-        "narHash": "sha256-7JGUXmp6LxPkinxy9kEnrdbZQPF8QGZwvRxWU/ZwJKY=",
+        "narHash": "sha256-4rMu207y5HCLkRDbZXdFhFqAfDKxwCJ1r9UOsXmef4Q=",
        "owner": "lytedev",
        "repo": "slippi-nix",
-        "rev": "e86b5e46d53a929303b9ad6539cb6e64e7a8c5b4",
+        "rev": "2b9673de8ec491be1c3ad8d23461b1fe5f2736b0",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -10,8 +10,8 @@
    sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
    sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
-    pre-commit.url = "github:cachix/pre-commit-hooks.nix";
+    git-hooks.url = "github:cachix/git-hooks.nix";
-    pre-commit.inputs.nixpkgs.follows = "nixpkgs";
+    git-hooks.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.url = "github:nix-community/home-manager/release-24.05";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
@ -20,6 +20,7 @@
    hardware.url = "github:nixos/nixos-hardware";
    hyprland.url = "github:hyprwm/Hyprland";
    slippi.url = "github:lytedev/slippi-nix";
    # slippi.url = "git+file:///home/daniel/code/open-source/slippi-nix";
    # nnf.url = "github:thelegy/nixos-nftables-firewall?rev=71fc2b79358d0dbacde83c806a0f008ece567b7b";
  };
@ -50,7 +51,7 @@
    nixpkgs-unstable,
    disko,
    sops-nix,
-    pre-commit,
+    git-hooks,
    home-manager,
    helix,
    hardware,
@ -87,34 +88,35 @@
    # kind of a quirk, but package definitions are actually in the "additions"
    # overlay I did this to work around some recursion problems
    # TODO: https://discourse.nixos.org/t/infinite-recursion-getting-started-with-overlays/48880
-    packages = genPkgs (pkgs: {inherit (pkgs) iosevkaLyteTerm iosevkaLyteTermSubset;});
+    packages = genPkgs (pkgs: {inherit (pkgs) iosevkaLyteTerm iosevkaLyteTermSubset nix-base-container-image;});
    diskoConfigurations = import ./disko;
    templates = import ./templates;
    formatter = genPkgs (p: p.alejandra);
-    checks = pkg ({system}: {
+    checks = genPkgs ({system, ...}: {
-      pre-commit-check = pre-commit.lib.${system}.run {
+      git-hooks = git-hooks.lib.${system}.run {
        src = ./.;
        hooks = {
          alejandra.enable = true;
        };
      };
-    }) {};
+    });
-    devShells = pkg ({
+    devShells = genPkgs ({
      system,
      pkgs,
      mkShell,
      ...
    }: {
      default = mkShell {
-        inherit (outputs.checks.${system}.pre-commit-check) shellHook;
+        inherit (outputs.checks.${system}.git-hooks) shellHook;
        buildInputs = with pkgs; [
          lua-language-server
          nodePackages.bash-language-server
        ];
      };
-    }) {};
+    });
    overlays = {
      # the default overlay composes all the other overlays together
@ -133,6 +135,66 @@
        iosevkaLyteTermSubset = prev.callPackage ./packages/iosevkaLyteTermSubset.nix {
          inherit iosevkaLyteTerm;
        };
        nix-base-container-image = final.dockerTools.buildImageWithNixDb {
          name = "git.lyte.dev/lytedev/nix";
          tag = "latest";
          copyToRoot = with final; [
            bash
            coreutils
            curl
            gawk
            gitFull
            git-lfs
            gnused
            nodejs
            wget
            sudo
            nixFlakes
            cacert
            gnutar
            gzip
            openssh
            xz
            (pkgs.writeTextFile {
              name = "nix.conf";
              destination = "/etc/nix/nix.conf";
              text = ''
                accept-flake-config = true
                experimental-features = nix-command flakes
                build-users-group =
                substituters = https://nix.h.lyte.dev https://cache.nixos.org/
                trusted-substituters = https://nix.h.lyte.dev https://cache.nixos.org/
                trusted-public-keys = h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
              '';
            })
          ];
          extraCommands = ''
            # enable /usr/bin/env for scripts
            mkdir -p usr
            ln -s ../bin usr/bin
            # create /tmp
            mkdir -p tmp
            # create HOME
            mkdir -vp root
          '';
          config = {
            Cmd = ["/bin/bash"];
            Env = [
              "LANG=en_GB.UTF-8"
              "ENV=/etc/profile.d/nix.sh"
              "BASH_ENV=/etc/profile.d/nix.sh"
              "NIX_BUILD_SHELL=/bin/bash"
              "PAGER=cat"
              "PATH=/usr/bin:/bin"
              "SSL_CERT_FILE=${final.cacert}/etc/ssl/certs/ca-bundle.crt"
              "USER=root"
            ];
          };
        };
      };
      modifications = final: prev: {
--- a/modules/home-manager/default.nix
+++ b/modules/home-manager/default.nix
@ -34,6 +34,23 @@
  broot = {};
  emacs = {pkgs, ...}: {
    programs.emacs = {
      enable = true;
      # extraConfig = ''
      # '';
      extraPackages = epkgs: (with epkgs; [
        magit
      ]);
    };
    programs.fish = {
      shellAliases = {
        e = "emacs";
      };
    };
  };
  cargo = {config, ...}: {
    home.file."${config.home.homeDirectory}/.cargo/config.toml" = {
      enable = true;
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -243,11 +243,24 @@
    '';
  };
  emacs = {pkgs, ...}: {
    environment.systemPackages = with pkgs; [
      emacs
    ];
    home-manager.users.daniel = {
      imports = with homeManagerModules; [
        emacs
      ];
    };
  };
  development-tools = {pkgs, ...}: {
    imports = with nixosModules; [
      postgres
      podman
      troubleshooting-tools
      emacs
    ];
    environment.sessionVariables.NIXOS_OZONE_WL = "1";
@ -616,7 +629,9 @@
      podman = {
        enable = true;
        dockerCompat = true;
        dockerSocket.enable = true;
        defaultNetwork.settings.dns_enabled = true;
        # networkSocket.enable = true;
      };
      oci-containers = {
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@ -111,14 +111,11 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
            owner = config.systemd.services.plausible.serviceConfig.User;
            group = config.systemd.services.plausible.serviceConfig.Group;
          };
-          nextcloud-admin-password = {
+          nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password";
-            path = "/var/lib/nextcloud/admin-password";
+          "forgejo-runner.env" = {mode = "0400";};
            mode = "0440";
            # owner = config.services.nextcloud.serviceConfig.User;
            # group = config.services.nextcloud.serviceConfig.Group;
          };
        };
      };
      systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];
    }
    {
      # nix binary cache
@ -609,7 +606,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
          paths = [
            "/storage/files.lyte.dev"
            "/storage/daniel"
-            "/storage/gitea" # TODO: should maybe use configuration.nix's services.gitea.dump ?
+            "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ?
            "/storage/postgres-backups"
            # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
@ -696,11 +693,13 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
      ];
    }
    {
-      services.gitea = {
+      services.forgejo = {
        enable = true;
-        appName = "git.lyte.dev";
+        stateDir = "/storage/forgejo";
        stateDir = "/storage/gitea";
        settings = {
          DEFAULT = {
            APP_NAME = "git.lyte.dev";
          };
          server = {
            ROOT_URL = "https://git.lyte.dev";
            HTTP_ADDR = "127.0.0.1";
@ -721,8 +720,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
            LEVEL = "Debug";
          };
          ui = {
-            THEMES = "catppuccin-mocha-sapphire,gitea,arc-green,auto,pitchblack";
+            THEMES = "forgejo-auto,forgejo-light,forgejo-dark,catppuccin-mocha-sapphire";
-            DEFAULT_THEME = "catppuccin-mocha-sapphire";
+            DEFAULT_THEME = "forgejo-auto";
          };
          indexer = {
            REPO_INDEXER_ENABLED = "true";
@ -743,19 +742,51 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
          type = "sqlite3";
        };
      };
-      # services.gitea-actions-runner.instances.main = {
+      services.gitea-actions-runner = {
-      #   # TODO: simple git-based automation would be dope? maybe especially for
+        # TODO: simple git-based automation would be dope? maybe especially for
-      #   # mirroring to github super easy?
+        # mirroring to github super easy?
-      #   enable = false;
+        # enable = true;
-      # };
+        package = pkgs.forgejo-runner;
        instances."beefcake" = {
          enable = true;
          name = "beefcake";
          url = "https://git.lyte.dev";
          settings = {
            container = {
              # use the shared network which is bridged by default
              # this lets us hit git.lyte.dev just fine
              network = "podman";
            };
          };
          labels = [
            # type ":host" does not depend on docker/podman/lxc
            "podman"
            "nix:docker://git.lyte.dev/lytedev/nix:latest"
            "beefcake:host"
          ];
          tokenFile = config.sops.secrets."forgejo-runner.env".path;
          hostPackages = with pkgs; [
            nix
            bash
            coreutils
            curl
            gawk
            gitMinimal
            gnused
            nodejs
            wget
          ];
        };
      };
      # environment.systemPackages = with pkgs; [nodejs];
      services.caddy.virtualHosts."git.lyte.dev" = {
        extraConfig = ''
-          reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
+          reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
        '';
      };
      services.caddy.virtualHosts."http://git.beefcake.lan" = {
        extraConfig = ''
-          reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
+          reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT}
        '';
      };
    }
@ -986,6 +1017,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
  # should I be using btrfs subvolumes? can I capture file ownership, perimssions, and ACLs?
  virtualisation.oci-containers.backend = "podman";
  virtualisation.podman = {
    # autoPrune.enable = true;
    # defaultNetwork.settings = {
    # driver = "host";
    # };
  };
  environment.systemPackages = with pkgs; [
    linuxquota
    htop
--- a/nixos/router.nix
+++ b/nixos/router.nix
@ -48,6 +48,7 @@
        "nix.h.lyte.dev"
        "git.lyte.dev"
        "video.lyte.dev"
        "a.lyte.dev"
        "bw.lyte.dev"
        "files.lyte.dev"
        "vpn.h.lyte.dev"
--- a/secrets/beefcake/secrets.yml
+++ b/secrets/beefcake/secrets.yml
@ -12,6 +12,8 @@ plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A
 plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str]
 plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str]
 nextcloud-admin-password: ENC[AES256_GCM,data:QaoSZyommeGED3nWNru92UVO2tjk24HE9fWX7ExYT101o4ZL411TmV1TXHSyfwjmE7yLIm1K/j4xpEbIY3zvFg==,iv:xC5EZVPHumVPOob5jiiXMFAmdFQcFSUPtZgioAgGDDs=,tag:Q/kY38XWkGsqcmCkd2lodg==,type:str]
 #ENC[AES256_GCM,data:IDauOj95sPt6LQkNWOaAV3AR7XPHJljX7Gef/IgtzC227ln7aKpVLCbhxD6pNTwd9/KhIXJp3vagCjfgkO/utA==,iv:Pn5jIPsFMBA2xnp3SUBgBug1NN8d3h3zy1pGVzO2hO0=,tag:NzhLA7nqE7SRRMV+rKgCjQ==,type:comment]
 forgejo-runner.env: ENC[AES256_GCM,data:10wKRImXKS7ezcWnkwz7ak194snQ4wG8GBePeHXN1I23JfOvuD00427fOJ4jbCY=,iv:8jrmcXa2yqFTSf4fFnZXCuyGft90RzUO3S4rZGXaTDI=,tag:EGDqTK8GKBGfogkqkCODxg==,type:str]
 jland.env: ENC[AES256_GCM,data:u+QKwKWG9NFduuofhe3aatof3KoC0N4ZpNOD8E/7l0BTSoTe5Tqmz5/33EOcBUw99+YLFR4kTJwdUmLWHk4UD87aGsJ4liPCtXnBsToAzBGg0I3mhGQ/QM8iKXMW9oKb3ciapitQBuJa1WIp5/bHNtCXWQ==,iv:iZDET5EWM4DnAoQqLP9+Ll4S+mFHt2wZ3ENtN79Dbqw=,tag:qVpocN3FxlHfte2hAmtGPA==,type:str]
 dawncraft.env: ENC[AES256_GCM,data:8n1ymQZpMeVwTyoHhccV+W5diMLcsZw5zZQy4Z4eaMcLFk8ey3SeXkCf9+GnqpIU5xIZfCP1ZqeSxR03kJx3TPbQeBLZeN/QAYBxHOg/tjXIE6jdIGv0INkVLkExKPlvGN8F+ijwYkwgfqlhKPBf+Q==,iv:EMGlqUxcfvxqn1G1NohrAtJP/fLdolP++zcvaxIvVR4=,tag:1+ueIDCJTxmM586Z7i0aUA==,type:str]
 api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str]
@ -39,8 +41,8 @@ sops:
            b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f
            nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-07T04:00:34Z"
+    lastmodified: "2024-07-24T16:34:28Z"
-    mac: ENC[AES256_GCM,data:e7v7J2QM6p4ljrdEX6uM7PHWb0/DKt1aWIro+YkQct1ym772WKtWFzzm+mV2wqBLLXCAKy7MJ7Y89iTysFO3pdGX1zdw3wMbNfmTCCXCKAUcIih4O0hLHqrfwcoVOuQ0SALESshDmUew/Gqu6NSrL6Wo+jNo7LEAHZ7kFtkP8rQ=,iv:0fmHOKlBzIhKQ4G6DDwlIW2WpLjIS/OAWLexND+/HAQ=,tag:FSqO8/14JwhobpIKaHk77w==,type:str]
+    mac: ENC[AES256_GCM,data:/zOixu65MHMRj5hermm6mmkpS5q97yEwALP+LwC6j9NIXxL2nIFB+jqQtiyMwlErB1Vf5cZvH3PA1sOqHnPOsv5p58S5Ww7eIHb4ElPXufGLqhA6sTiz1RrlWwUqtDtR42V3kql6Hro57PXV+NZ6NEnvzHKct9S30OCOWWtGwTs=,iv:JTF5u4rva9PgLAG2ysTz+pA4wTRq5WJR7xJZNGbciUA=,tag:0X0NlvxBoaELANxp/vwnnw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1