it finally worky now \o/
This commit is contained in:
parent
2746f3de5c
commit
51b7e7887d
23 changed files with 103 additions and 233 deletions
17
flake.nix
17
flake.nix
|
@ -7,36 +7,37 @@
|
||||||
};
|
};
|
||||||
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
||||||
imports = [
|
imports = [
|
||||||
./meta
|
|
||||||
];
|
];
|
||||||
passInputs = ({lib,config,...}:{
|
passInputs = ({lib,config,...}:{
|
||||||
options.inputs = lib.mkOption{type = lib.types.attrs;};
|
options.flakePath = lib.mkOption {type = lib.types.path;};
|
||||||
|
config.flakePath = ./.;
|
||||||
|
options.inputs = lib.mkOption {type = lib.types.attrs;};
|
||||||
config.inputs = inputs;
|
config.inputs = inputs;
|
||||||
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
|
options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
|
||||||
config.pkgsInstances = {
|
config.pkgsInstances = {
|
||||||
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
|
unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
inherit (nixpkgs) lib;
|
||||||
|
mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
|
||||||
in {
|
in {
|
||||||
|
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
"forgejo" = nixpkgs.lib.nixosSystem {
|
"forgejo" = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
./meta
|
|
||||||
./hosts/forgenite
|
./hosts/forgenite
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
passInputs
|
passInputs
|
||||||
|
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/forgejo-ci
|
./hosts/forgejo-ci
|
||||||
./meta
|
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
passInputs
|
passInputs
|
||||||
|
(mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
./../../services/forgejo-ci.nix
|
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./../../users/lyn
|
./../../users/lyn
|
||||||
./../../meta/profiles/base.nix
|
|
||||||
./../../meta/profiles/vm.nix
|
|
||||||
];
|
];
|
||||||
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
|
||||||
#lyn.kernel = enable ["latest" "hardened"];
|
lyn.kernel.latest.enable = true;
|
||||||
|
lyn.profiles.base.enable = true;
|
||||||
|
lyn.profiles.vm.enable = true;
|
||||||
|
lyn.services.forgejo-ci.enable = true;
|
||||||
|
lyn.services.forgejo-ci.domain = "git.shibe.pro";
|
||||||
|
lyn.services.forgejo-ci.instancename = "shibepro-ci";
|
||||||
# Use UEFI
|
# Use UEFI
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
networking.hostName = "forgenite"; # Define your hostname.
|
networking.hostName = "forgejo-ci"; # Define your hostname.
|
||||||
|
|
||||||
# Firewall stuff:
|
# Firewall stuff:
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
|
@ -1,7 +1,6 @@
|
||||||
{ config, pkgs, lib, inputs, ... }: {
|
{ config, pkgs, lib, inputs, ... }: {
|
||||||
imports =
|
imports =
|
||||||
[
|
[
|
||||||
./../../services/forgejo.nix
|
|
||||||
./../../users/lyn
|
./../../users/lyn
|
||||||
./hardware-configuration.nix
|
./hardware-configuration.nix
|
||||||
./../../meta/profiles/base.nix
|
./../../meta/profiles/base.nix
|
||||||
|
@ -10,7 +9,9 @@
|
||||||
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
|
||||||
# Use UEFI
|
# Use UEFI
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
# enable git
|
||||||
|
lyn.services.forgejo.enable = true;
|
||||||
|
lyn.services.forgejo.domain = "git.shibe.pro";
|
||||||
networking.hostName = "forgenite"; # Define your hostname.
|
networking.hostName = "forgenite"; # Define your hostname.
|
||||||
|
|
||||||
# Firewall stuff:
|
# Firewall stuff:
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
{lib, config, pkgs, ...}: config.lyn.lib.mkLocalModule ./latest.nix "latest linux kernel" {
|
|
||||||
boot.kernelPackages = pkgs.linuxPackages_latest;
|
|
||||||
}
|
|
|
@ -1,8 +1,7 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./mkLocalModule.nix
|
./mkLocalMods.nix
|
||||||
./enable.nix
|
# ./enable.nix
|
||||||
./lib.nix
|
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
16
meta/lib.nix
16
meta/lib.nix
|
@ -1,16 +0,0 @@
|
||||||
{lib, config, ...}: {
|
|
||||||
options.lyn = {
|
|
||||||
lib = lib.mkOption {
|
|
||||||
type = lib.types.attrs;
|
|
||||||
default = {};
|
|
||||||
};
|
|
||||||
prelude = lib.mkOption {
|
|
||||||
type = lib.types.attrs;
|
|
||||||
default = {};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
config = {
|
|
||||||
lyn.prelude.llib = config.lyn.lib;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
53
meta/mkLocalMods.nix
Normal file
53
meta/mkLocalMods.nix
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
{lib, ...}:
|
||||||
|
let
|
||||||
|
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
|
||||||
|
#kv = key: value: {inherit key value;};
|
||||||
|
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
|
||||||
|
match = builtins.match "(.*)[.]nix" k;
|
||||||
|
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
|
||||||
|
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
|
||||||
|
else {key = null; value = null;}
|
||||||
|
) (builtins.readDir curPath);
|
||||||
|
|
||||||
|
getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
|
||||||
|
if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
|
||||||
|
else [{path = prefix ++ [k]; value = v;}]
|
||||||
|
) as);
|
||||||
|
|
||||||
|
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
|
||||||
|
|
||||||
|
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
|
||||||
|
transformLocalMod = {path, value}: let
|
||||||
|
modFn = if lib.isFunction (import value) then import value else (p: import value);
|
||||||
|
newMod = p: let
|
||||||
|
paramNew = p // {
|
||||||
|
cfg = lib.getAttrFromPath path p.config;
|
||||||
|
};
|
||||||
|
|
||||||
|
pathStr = builtins.concatStringsSep "." path;
|
||||||
|
modRaw = modFn paramNew;
|
||||||
|
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
|
||||||
|
|
||||||
|
mod = modRaw.mod or {};
|
||||||
|
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
|
||||||
|
enablePath = path ++ ["enable"];
|
||||||
|
|
||||||
|
imports = [ {
|
||||||
|
_file = fileCtx "`opt` processor";
|
||||||
|
key = fileCtx "`opt` processor";
|
||||||
|
options = lib.setAttrByPath path (modRaw.opt or {});
|
||||||
|
} {
|
||||||
|
_file = fileCtx "`enable` definition";
|
||||||
|
key = fileCtx "`enable` definition";
|
||||||
|
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
|
||||||
|
} ({config, ...}: {
|
||||||
|
_file = fileCtx "config wrapper";
|
||||||
|
key = fileCtx "config wrapper";
|
||||||
|
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
|
||||||
|
})];
|
||||||
|
|
||||||
|
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
|
||||||
|
in newMod; in lib.mirrorFunctionArgs modFn newMod;
|
||||||
|
|
||||||
|
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
|
||||||
|
in mkLocalMods
|
|
@ -1,71 +0,0 @@
|
||||||
{lib, ...}: { config.lyn.lib = rec {
|
|
||||||
/**
|
|
||||||
Split a string, and return all elements after a marker.
|
|
||||||
|
|
||||||
# Example
|
|
||||||
|
|
||||||
```
|
|
||||||
splitAfterMarker "/" "modules" /home/user/flake/modules/abc/def
|
|
||||||
== ["abc" "def"]
|
|
||||||
```
|
|
||||||
*/
|
|
||||||
splitAfterMarker = splitter: marker: input: builtins.foldl' (acc: new:
|
|
||||||
if acc == false then # marker not found yet
|
|
||||||
if new == marker then [] /* marker found */ else false
|
|
||||||
else acc ++ [new] # marker already found, add to output list
|
|
||||||
) false (lib.splitString splitter input);
|
|
||||||
/**
|
|
||||||
Make a Nix module, with its attrpath being the local path
|
|
||||||
relative to a marker directory. Accepts a prefix, and removes `.nix` file endings.
|
|
||||||
|
|
||||||
# Example
|
|
||||||
|
|
||||||
```
|
|
||||||
mkLocalModuleMarker "modules" ["myModules" "abc"] ./current-file.nix "enable something" {}
|
|
||||||
{ myModules.abc.current.file.path.current-file.enable = true; }
|
|
||||||
```
|
|
||||||
*/
|
|
||||||
mkLocalModuleMarker = marker: prefix: currentPath: optDesc: moduleConfig: let
|
|
||||||
normalizedPath = lib.strings.removeSuffix ".nix" (builtins.toString currentPath);
|
|
||||||
attrPath = prefix ++ (splitAfterMarker "/" marker normalizedPath);
|
|
||||||
mod = {config, ...}: {
|
|
||||||
options = lib.setAttrsByPath attrPath (lib.mkEnableOption optDesc);
|
|
||||||
config = lib.mkIf (lib.getAttrByPath attrPath config) moduleConfig;
|
|
||||||
};
|
|
||||||
in mod;
|
|
||||||
/**
|
|
||||||
Find a folder or a parent folder containing a file.
|
|
||||||
|
|
||||||
# Example
|
|
||||||
|
|
||||||
```
|
|
||||||
findFolderWithFile "flake.nix" ./.
|
|
||||||
== /home/user/flake/
|
|
||||||
```
|
|
||||||
*/
|
|
||||||
findFolderWithFile = file: arg:
|
|
||||||
if builtins.pathExists (arg + "/" + file) then arg
|
|
||||||
else if arg == /. then throw "could not find folder containing ${file}"
|
|
||||||
else findFolderWithFile file (arg + "/..");
|
|
||||||
/**
|
|
||||||
Shorthand for mkLocalModuleMarker, setting marker to your flake and prefix to l.
|
|
||||||
*/
|
|
||||||
mkLocalModule = path: mkLocalModuleMarker (findFolderWithFile "flake.nix" path) ["lyn"] path;
|
|
||||||
};}
|
|
||||||
|
|
||||||
# foldl' op nul [x0 x1 x2 ...] = op (op (op nul x0) x1) x2) .... For example, foldl' (x: y: x + y) 0 [1 2 3]
|
|
||||||
|
|
||||||
|
|
||||||
# input = /home/alina/flake/desktop/common
|
|
||||||
# options.desktop.common
|
|
||||||
# input' = /nix/store/aaa-flake/desktop/common
|
|
||||||
# foldl' (split "/" input)
|
|
||||||
# marker = flake
|
|
||||||
# foldl' ([home alina flake modules audio.nix ])
|
|
||||||
# acc = false false [] [modules] [modules audio.nix]
|
|
||||||
# | ^ marker found
|
|
||||||
# | marker not found yet
|
|
||||||
|
|
||||||
|
|
||||||
# $ echo "abc\ndef" > readme
|
|
||||||
# readPathsFromFile "readme" == [./abc ./def]
|
|
|
@ -1,14 +1,14 @@
|
||||||
{lib, pkgs, config, ...}: let
|
{lib, pkgs, config, ...}: let
|
||||||
ifApparmor = config.l.kernel.lsm.apparmor.enable;
|
ifApparmor = config.lyn.kernel.hardened.apparmor.enable;
|
||||||
in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
|
in{
|
||||||
boot.kernelPackages = let
|
boot.kernelPackages = let
|
||||||
kernel = pkgs.linux-libre;
|
kernel = pkgs.linux-libre;
|
||||||
llvm = pkgs.llvmPackages_latest;
|
llvm = pkgs.llvmPackages_latest;
|
||||||
|
|
||||||
version = pkgs.kernelPatches.hardened${kernel.meta.branch}.version;
|
version = pkgs.kernelPatches."hardened${kernel.meta.branch}".version;
|
||||||
major = lib.versions.major version;
|
major = lib.versions.major version;
|
||||||
|
|
||||||
sha256 = pkgs.kernelPatches.hardened.${kernel.meta.branch}.sha256;
|
sha256 = pkgs.kernelPatches.hardened."${kernel.meta.branch}:".sha256;
|
||||||
modDirVer = lib.replaceStrings
|
modDirVer = lib.replaceStrings
|
||||||
[ kernel.version ]
|
[ kernel.version ]
|
||||||
[ version ]
|
[ version ]
|
||||||
|
@ -17,10 +17,10 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
|
||||||
stdenv = llvm.stdenv;
|
stdenv = llvm.stdenv;
|
||||||
extraMakeFlags = [ "LLVM=${llvm.bintools-unwrapped}/bin/" ];
|
extraMakeFlags = [ "LLVM=${llvm.bintools-unwrapped}/bin/" ];
|
||||||
kernelPatches = kernel.kernelPatches
|
kernelPatches = kernel.kernelPatches
|
||||||
++ [ pkgs.kernelPatches.hardened.${kernel.meta.branch} ];
|
++ [ pkgs.kernelPatches.hardened."${kernel.meta.branch}" ];
|
||||||
modDirVersionArg =
|
modDirVersionArg =
|
||||||
modDirVer +
|
modDirVer +
|
||||||
(pkgs.kernelPatches.hardened.${kernel.meta.branch}).extra;
|
(pkgs.kernelPatches.hardened."${kernel.meta.branch}").extra;
|
||||||
isHardened = true;
|
isHardened = true;
|
||||||
argsOverride = {
|
argsOverride = {
|
||||||
inherit version;
|
inherit version;
|
||||||
|
@ -93,7 +93,6 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
|
||||||
# randomize allocator freelists, harden metadata
|
# randomize allocator freelists, harden metadata
|
||||||
SLAB_FREELIST_RANDOM = yes;
|
SLAB_FREELIST_RANDOM = yes;
|
||||||
SLAB_FREELIST_HARDENED = yes;
|
SLAB_FREELIST_HARDENED = yes;
|
||||||
SHUFFLE_PAGE_ALLOCATOR = yes;
|
|
||||||
RANDOM_KMALLOC_CACHES = yes;
|
RANDOM_KMALLOC_CACHES = yes;
|
||||||
|
|
||||||
# sanity check userspace page table mappings
|
# sanity check userspace page table mappings
|
||||||
|
@ -189,7 +188,7 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
|
||||||
SECURITY_SAFESETID = yes;
|
SECURITY_SAFESETID = yes;
|
||||||
DEFAULT_SECURITY_APPARMOR = lib.mkIf ifApparmor yes;
|
DEFAULT_SECURITY_APPARMOR = lib.mkIf ifApparmor yes;
|
||||||
DEFAULT_SECURITY = lib.mkIf ifApparmor (freeform "apparmor");
|
DEFAULT_SECURITY = lib.mkIf ifApparmor (freeform "apparmor");
|
||||||
SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1";)
|
SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1");
|
||||||
|
|
||||||
# mark LSM hooks read-only after init
|
# mark LSM hooks read-only after init
|
||||||
SECURITY_WRITABLE_HOOKS = no;
|
SECURITY_WRITABLE_HOOKS = no;
|
||||||
|
@ -230,7 +229,7 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
|
||||||
# disable IO delay
|
# disable IO delay
|
||||||
IO_DELAY_NONE = yes;
|
IO_DELAY_NONE = yes;
|
||||||
};
|
};
|
||||||
}))
|
}));
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [
|
||||||
# set apparmor as the default security module
|
# set apparmor as the default security module
|
||||||
(lib.mkIf ifApparmor "security=apparmor")
|
(lib.mkIf ifApparmor "security=apparmor")
|
||||||
|
@ -278,9 +277,6 @@ in config.l.lib.mkLocalModule ./hardened.nix "custom hardened linux kernel" {
|
||||||
# restrict ptrace()
|
# restrict ptrace()
|
||||||
"kernel.yama.ptrace_scope" = 1;
|
"kernel.yama.ptrace_scope" = 1;
|
||||||
|
|
||||||
# hide kernel memory addresses
|
|
||||||
"kernel.kptr_restrict" = 2;
|
|
||||||
|
|
||||||
# enable hardened eBPF JIT
|
# enable hardened eBPF JIT
|
||||||
"net.core.bpf_jit_enable" = 1;
|
"net.core.bpf_jit_enable" = 1;
|
||||||
"net.core.bpf_jit_harden" = 1;
|
"net.core.bpf_jit_harden" = 1;
|
3
modules/kernel/latest.nix
Normal file
3
modules/kernel/latest.nix
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
{lib, config, pkgs, ...}: {
|
||||||
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
||||||
|
}
|
|
@ -1,11 +1,9 @@
|
||||||
{lib, config, pkgs, ...}: {
|
{lib, config, pkgs, ...}: {
|
||||||
imports = [
|
lyn.sops.default.enable = true;
|
||||||
../modules/sops
|
|
||||||
];
|
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
nix.package = config.pkgsInstances.unstable.lix;
|
nix.package = config.pkgsInstances.unstable.lix;
|
||||||
environment.variables.EDITOR = "vim";
|
environment.variables.EDITOR = "nvim";
|
||||||
|
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
|
@ -23,7 +21,8 @@
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git
|
git
|
||||||
vim
|
vim
|
||||||
|
neovim
|
||||||
wget
|
wget
|
||||||
curl
|
curl
|
||||||
htop
|
htop
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, lib, inputs, ... }:
|
{ config, pkgs, lib, inputs, cfg, ... }:
|
||||||
{
|
{
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
docker
|
docker
|
||||||
|
@ -12,14 +12,16 @@
|
||||||
ipv6 = true;
|
ipv6 = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
opt.domain = lib.mkOption {type = lib.types.str;};
|
||||||
|
opt.instancename = lib.mkOption {type = lib.types.str;};
|
||||||
# Forgejo actions runner
|
# Forgejo actions runner
|
||||||
services.gitea-actions-runner = {
|
services.gitea-actions-runner = {
|
||||||
package = config.pkgsInstances.unstable.forgejo-runner;
|
package = config.pkgsInstances.unstable.forgejo-runner;
|
||||||
instances = {
|
instances = {
|
||||||
"shibepro-ci" = {
|
"${cfg.instancename}" = {
|
||||||
enable = true;
|
enable = true;
|
||||||
url = "https://git.shibe.pro";
|
url = "https://${cfg.domain}";
|
||||||
name = "shibepro-ci";
|
name = cfg.instancename;
|
||||||
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
|
||||||
labels = [];
|
labels = [];
|
||||||
};
|
};
|
|
@ -1,11 +1,12 @@
|
||||||
{pkgs, lib, config, ...}:
|
{pkgs, lib, config, cfg, ...}:
|
||||||
with lib; with builtins; {
|
with lib; with builtins; {
|
||||||
|
opt.domain = lib.mkOption {type = lib.types.string;};
|
||||||
services.forgejo = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = config.pkgsInstances.unstable.forgejo;
|
package = config.pkgsInstances.unstable.forgejo;
|
||||||
settings.server = {
|
settings.server = {
|
||||||
ROOT_URL = "https://git.shibe.pro";
|
ROOT_URL = "https://${cfg.domain}";
|
||||||
DOMAIN = "git.shibe.pro";
|
DOMAIN = cfg.domain;
|
||||||
HTTP_PORT = 48540;
|
HTTP_PORT = 48540;
|
||||||
OFFLINE_MODE = true; # disable gravatar, CDN
|
OFFLINE_MODE = true; # disable gravatar, CDN
|
||||||
};
|
};
|
|
@ -16,7 +16,7 @@ in
|
||||||
name_split = lib.splitString "/" name;
|
name_split = lib.splitString "/" name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
|
||||||
} // value)
|
} // value)
|
||||||
cfg.secrets;
|
cfg.secrets;
|
||||||
};
|
};
|
|
@ -1,6 +0,0 @@
|
||||||
{config, cfg, lib, ...}: {
|
|
||||||
#mod.desc = "an example";
|
|
||||||
options.networking.hostName = lib.mkOption { default = "nixos"; };
|
|
||||||
opt.name = lib.mkOption { default = "foo"; };
|
|
||||||
config.networking.hostName = cfg.name;
|
|
||||||
}
|
|
|
@ -1,6 +1,6 @@
|
||||||
hosts:
|
hosts:
|
||||||
forgejo-ci:
|
forgejo-ci:
|
||||||
forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
|
forgejo_ci_token: ENC[AES256_GCM,data:mUGfczGcttcKQ8kXmESnRjpOxF1WNHZn7PSuek5dsbuZyaErCqQxtIUjvV90sQ==,iv:CjTrx56WChzFq5PSGj23dirl6iWF6Nqx93yCLHJQPRo=,tag:FrkOjdAiTq0kAYaUAQKfBQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -25,8 +25,8 @@ sops:
|
||||||
SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
|
SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
|
||||||
Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
|
Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-09-06T03:55:48Z"
|
lastmodified: "2024-09-17T00:30:12Z"
|
||||||
mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
|
mac: ENC[AES256_GCM,data:bppWgKwMHPDHwHdegjcseFJefUZ2bThMWvk9s8l3IG/jRJaP5bTtdJppKeC0EGE0W1FjQtFP+aYscZRLsFYdpVqJMvo5XJp5VcW+vE1IZ09Qs5GCMpHHDEmuU5tx6h8fTIk5KLskGfxbtBvSABS+QZgF6QRa6FRq2DxVaf07P2I=,iv:NVrqJZOfpTwkTlmycR1Zg0XdHJwRkDaiR5uud7IML3g=,tag:I++gzcdhJR2eiIMJHUZ9Ag==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.9.0
|
version: 3.9.0
|
||||||
|
|
91
test.nix
91
test.nix
|
@ -1,91 +0,0 @@
|
||||||
let
|
|
||||||
flake = builtins.getFlake "/home/lyn/flake";
|
|
||||||
pkgs = import flake.inputs.nixpkgs {};
|
|
||||||
lib = pkgs.lib;
|
|
||||||
|
|
||||||
mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
|
|
||||||
#kv = key: value: {inherit key value;};
|
|
||||||
recurseNaive = curPath: fn: mapAttrKVs (k: v: let
|
|
||||||
match = builtins.match "(.*)[.]nix" k;
|
|
||||||
in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
|
|
||||||
else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
|
|
||||||
else {key = null; value = null;}
|
|
||||||
) (builtins.readDir curPath);
|
|
||||||
|
|
||||||
getAttrKVsRec = prefix: as: pkgs.lib.flatten (pkgs.lib.mapAttrsToList (k: v:
|
|
||||||
if pkgs.lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
|
|
||||||
else [{path = prefix ++ [k]; value = v;}]
|
|
||||||
) as);
|
|
||||||
|
|
||||||
getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
|
|
||||||
|
|
||||||
unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
|
|
||||||
transformLocalMod = {path, value}: p: let
|
|
||||||
param = p // {
|
|
||||||
cfg = lib.getAttrFromPath path p.config;
|
|
||||||
};
|
|
||||||
|
|
||||||
pathStr = builtins.concatStringsSep "." path;
|
|
||||||
modFn = p: let i = import value; in if lib.isFunction i then i p else i;
|
|
||||||
modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
|
|
||||||
|
|
||||||
meta = modRaw.mod or {};
|
|
||||||
fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
|
|
||||||
enablePath = path ++ ["enable"];
|
|
||||||
|
|
||||||
merge = cur: upd:
|
|
||||||
|
|
||||||
runExts = exts: let
|
|
||||||
nul = x: rec {
|
|
||||||
# First pass
|
|
||||||
args = p; # Args to call the module with. This immediately changes the params of `raw`, `mod` etc. through Nix magic
|
|
||||||
deletedKeys = ["opt" "mod"]; # Keys to delete before calling unifyModuleSyntax
|
|
||||||
|
|
||||||
# Second pass
|
|
||||||
imports = {}; # Put any modules to import as *attributes* here (for other extensions to modify them)
|
|
||||||
raw = modFn x.args; # The raw module result, called with `args`
|
|
||||||
mod = unifyMod pathStr pathStr (builtins.removeAttrs raw x.deletedKeys); # The unified module, e.g. the result of `unifyModuleSyntax .. .. raw`, and has the default module attrs
|
|
||||||
meta = raw.mod or {}; # Equivalent to raw.mod, contains metadata of the module
|
|
||||||
};
|
|
||||||
firstPass = builtins.foldl' (acc: ext:
|
|
||||||
builtins.foldl' (acc: ext: let
|
|
||||||
acc' = acc // (let acc2 = (ext acc) // acc; in rec {
|
|
||||||
raw = modFn acc2.args;
|
|
||||||
mod = unifyMod pathStr pathStr (builtins.removeAttrs raw acc2.deletedKeys);
|
|
||||||
meta = raw.mod or {};
|
|
||||||
});
|
|
||||||
res = lib.recursiveUpdate acc' (ext acc');
|
|
||||||
in res) exts
|
|
||||||
|
|
||||||
addMod = c: ctx: newMod: { mod.imports = c.mod.imports ++ [ (newMod // {_file = fileCtx ctx;}) ]; };
|
|
||||||
|
|
||||||
defaultExtensions = [
|
|
||||||
(c: { imports.opt = {
|
|
||||||
name = "`opt` processor";
|
|
||||||
options = lib.setAttrByPath c.path raw.opt;
|
|
||||||
};})
|
|
||||||
(c: { imports.enable = {
|
|
||||||
name "`enable` definition";
|
|
||||||
opt.enable = lib.mkEnableOption (c.meta.desc or c.meta.description or c.meta.name or pathStr);
|
|
||||||
};})
|
|
||||||
(c: {
|
|
||||||
|
|
||||||
})
|
|
||||||
]
|
|
||||||
|
|
||||||
imports = [ {
|
|
||||||
_file = fileCtx "`opt` processor";
|
|
||||||
options = lib.setAttrByPath path modRaw.opt;
|
|
||||||
} {
|
|
||||||
_file = fileCtx "`enable` definition";
|
|
||||||
options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
|
|
||||||
} ({config, ...}: {
|
|
||||||
_file = fileCtx "config wrapper";
|
|
||||||
config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
|
|
||||||
}) ];
|
|
||||||
|
|
||||||
newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
|
|
||||||
in newMod;
|
|
||||||
|
|
||||||
mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
|
|
||||||
in cfg: (pkgs.lib.evalModules { modules = [ (mkLocalMods {prefix = ["lyn"]; dir = ./modules;}) cfg ]; })
|
|
Loading…
Reference in a new issue