From fbdaf370ead750fdad91d744b70d6ab1aab007c0 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sat, 31 Aug 2024 00:23:59 +0200
Subject: [PATCH 01/14] add soaps support to flake
---
 flake.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/flake.nix b/flake.nix
index 7ced256..9780666 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,8 +2,9 @@
 description = "Lyns flake";
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+ sops-nix.url = "github:Mic92/sops-nix";
 };
- outputs = { self, nixpkgs }@inputs: {
+ outputs = { self, nixpkgs, sops-nix }@inputs: {
 nixosConfigurations = {
 "forgejo" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
@@ -12,6 +13,7 @@
 # old configuration file can still take effect.
 # Note: configuration.nix itself is also a Nixpkgs Module,
 ./configuration.nix
+ sops-nix.nixosModules.sops
 ];
 specialArgs = {
 inherit inputs;
--
2.46.0
From 1a594abb189afe2c5a4e9aad18e68584fbcaac0e Mon Sep 17 00:00:00 2001
From: Lyn
Date: Sun, 1 Sep 2024 00:06:13 +0200
Subject: [PATCH 02/14] restructure
---
 hosts/forgenite/default.nix | 69 ++++--------------------------------
 meta/enable.nix | 8 +++++
 meta/mkLocalModule.nix | 23 +++++++++++++
 services/forgejo.nix | 41 ++++++++++++++++++++++
 users/lyn/default.nix | 8 +++++
 users/lyn/ssh.nix | 3 ++
 6 files changed, 89 insertions(+), 63 deletions(-)
 create mode 100644 meta/enable.nix
 create mode 100644 meta/mkLocalModule.nix
 create mode 100644 services/forgejo.nix
 create mode 100644 users/lyn/default.nix
 create mode 100644 users/lyn/ssh.nix
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index d1f1fb0..22e2ff9 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@@ -1,16 +1,12 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running `nixos-help`).
-
-{ config, pkgs, ... }:
-
-{
+{ config, pkgs, lib, inputs, ... }: with lib.meta; {
 imports = [
 ./hardware-configuration.nix
- # comment in backup.nix for borgbackuping forgejo
- #./backup.nix
 ];
+
+ # will this work?
+ users.lyn.enable = true;
+ services.forgejo.enable = true;
 # Write path for borgbackup repos for backup.nix
 _module.args.borgrepolistfile = ./borgrepos;
@@ -29,16 +25,6 @@
 # Set your time zone.
 time.timeZone = "Europe/Berlin";
- users.users.lyn = {
- isNormalUser = true;
- extraGroups = [ "wheel"];
- openssh.authorizedKeys.keys = [
- "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"
- ];
- packages = with pkgs; [
- ];
-};
-
 # List packages installed in system profile. To search, run:
 # $ nix search wget
 environment.systemPackages = with pkgs; [
@@ -48,9 +34,6 @@
 curl
 htop
 ];
-
-
-
 # Enable the OpenSSH daemon.
 services.openssh = {
@@ -62,44 +45,6 @@
 };
 openFirewall = true;
 };
- #Forgejo
- services.forgejo = {
- enable = true;
- settings.server = {
- ROOT_URL = "https://git.shibe.pro";
- DOMAIN = "git.shibe.pro";
- HTTP_PORT = 48540;
- OFFLINE_MODE = true; # disable gravatar, CDN
- };
- settings.actions = {
- ENABLED = true;
- };
- settings."repository.upload" = {
- FILE_MAX_SIZE = 4095;
- MAX_FILES = 20;
- };
- settings."attachment" = {
- MAX_SIZE = 4095;
- MAX_FILES = 20;
- };
-
- settings.service = {
- DISABLE_REGISTRATION = true;
- DEFAULT_KEEP_EMAIL_PRIVATE = true;
- };
- database = {
- user = "forgejo";
- passwordFile = "/etc/nixos/forgejo-dbpassword";
- name = "forgejodb";
- type = "mysql";
- };
- };
-
- # Allow forgejo user to adjust authorized_keys dynamically
- services.openssh.extraConfig = ''
- Match User forgejo
- AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
- '';
 #enable qemu-guestagent
 services.qemuGuest.enable = true;
@@ -109,9 +54,7 @@
 # Firewall stuff:
 networking.firewall.enable = true;
 networking.firewall.allowPing = true;
-
- # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [48540 ];
+
 # networking.firewall.allowedUDPPorts = [ ... ];
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/meta/enable.nix b/meta/enable.nix
new file mode 100644
index 0000000..0f129b0
--- /dev/null
+++ b/meta/enable.nix
@@ -0,0 +1,8 @@
+{lib, config, ...}: {
+ lib.meta.enable = list: lib.genAttrs
+ list
+ (name:
+ ${name}.enable = true;
+ )
+ ;
+}
diff --git a/meta/mkLocalModule.nix b/meta/mkLocalModule.nix
new file mode 100644
index 0000000..b2171d9
--- /dev/null
+++ b/meta/mkLocalModule.nix
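Review bot: `lib.genAttrs list (name: ${name}.enable = true;)` in meta/enable.nix does not parse: `${name}` interpolation is only valid inside a string or an attribute path, and the lambda body has to be an expression, whereas `genAttrs` already builds `{ <name> = f name; }` from the value the function returns, so the intended form is `(name: { enable = true; })`. Separately, a `lib.meta.enable = …` binding inside a module's config defines the NixOS `lib` option (`config.lib.meta.enable`), while the host file's `with lib.meta;` in the hunk above reads the `lib` module argument (nixpkgs lib), so the helper would not be visible there; passing it via `_module.args` or importing the file where it is needed avoids the mismatch. Patch 03 removes the call sites but does not delete this file, so the unparsable definition appears to stay in the tree.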
@@ -0,0 +1,23 @@
+{lib, config, ...}: {
+ lib.mkLocalModule = pathInterpolation: optDesc: config: let
+ #example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
+ marker = "local-modules";
+ splitAfterMarker = marker: input: builtins.foldl' (acc: new:
+ if acc == false then # marker not found yet
+ if new == marker then [] else acc
+ else # marker found
+ if builtins.typeOf new == "string"
+ then acc ++ [new]
+ else acc
+ ) false (builtins.split "/" (builtins.toString input));
+ path = splitAfterMarker marker pathInterpolation;
+ inputs = {
+ #optDesc = "enable this";
+ inherit optDesc: config;
+ };
+ mod = {config, ...}: {
+ options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
+ config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
+ };
+ in mod;
+}
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..2adf26e
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,41 @@
+{pkgs, lib, config}:
+with lib with builtins; {
+ services.forgejo = {
+ enable = true;
+ settings.server = {
+ ROOT_URL = "https://git.shibe.pro";
+ DOMAIN = "git.shibe.pro";
+ HTTP_PORT = 48540;
+ OFFLINE_MODE = true; # disable gravatar, CDN
+ };
+ settings.actions = {
+ ENABLED = true;
+ };
+ settings."repository.upload" = {
+ FILE_MAX_SIZE = 4095;
+ MAX_FILES = 20;
+ };
+ settings."attachment" = {
+ MAX_SIZE = 4095;
+ MAX_FILES = 20;
+ };
+
+ settings.service = {
+ DISABLE_REGISTRATION = true;
+ DEFAULT_KEEP_EMAIL_PRIVATE = true;
+ };
+ database = {
+ user = "forgejo";
+ passwordFile = "/etc/nixos/forgejo-dbpassword";
+ name = "forgejodb";
+ type = "mysql";
+ };
+ };
+
+ # Allow forgejo user to adjust authorized_keys dynamically
+ services.openssh.extraConfig = ''
+ Match User forgejo
+ AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
+ '';
+ networking.firewall.allowedTCPPorts = [48540];
+}
\ No newline at end of file
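Review bot: meta/mkLocalModule.nix cannot evaluate as written: `inherit optDesc: config;` is not valid `inherit` syntax (it would be `inherit optDesc config;`, and the inner `config` parameter shadows the module argument of the same name), and `lib.setAttrsByPath` / `lib.getAttrByPath` are not nixpkgs lib functions — the existing ones are `lib.setAttrByPath` and `lib.attrByPath` (with a default) or `lib.getAttrFromPath`. `splitAfterMarker` also returns `false` rather than a list when the `local-modules` marker never occurs in the path, which would surface as an obscure type error deep inside the module system; an `assert builtins.isList path;` before `mod` with a comment naming the expected directory layout would fail early and readably. Patch 03 removes the only caller but leaves this file in the tree.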
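Review bot: `networking.firewall.allowedTCPPorts = [48540];` at the end of services/forgejo.nix exposes Forgejo's plain-HTTP listener on every interface, while `ROOT_URL = "https://git.shibe.pro"` implies TLS is terminated somewhere else that this series does not show. If a reverse proxy on the same host does the termination, bind the listener to loopback with `settings.server.HTTP_ADDR = "127.0.0.1";` and drop the firewall entry; if the proxy is remote, scope the port with `networking.firewall.interfaces.<name>.allowedTCPPorts` instead of opening it globally. The `Match User forgejo` block in `services.openssh.extraConfig` has no terminating `Match all`, so anything another module later appends to extraConfig would silently land inside the match; a comment stating that, or a closing `Match all` line, keeps it safe as the config grows.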
diff --git a/users/lyn/default.nix b/users/lyn/default.nix
new file mode 100644
index 0000000..fe21ce0
--- /dev/null
+++ b/users/lyn/default.nix
@@ -0,0 +1,8 @@
+{lib, config, ...}:{
+ users.users.lyn = {
+ isNormalUser = true;
+ extraGroups = [ "wheel"];
+ packages = with pkgs; [
+ ];
+}
+}
\ No newline at end of file
diff --git a/users/lyn/ssh.nix b/users/lyn/ssh.nix
new file mode 100644
index 0000000..80ac56f
--- /dev/null
+++ b/users/lyn/ssh.nix
@@ -0,0 +1,3 @@
+{lib, config, ...}: lib.mkLocalModule ./. "Lyn SSH user config" {
+ users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+}
\ No newline at end of file
--
2.46.0
From d45afe123ae93072891d8c785571cf056a21ef43 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Tue, 3 Sep 2024 21:25:47 +0200
Subject: [PATCH 03/14] removed mkLocalModule until it works, hotfixed a few things
---
 flake.nix | 6 ++----
 hosts/forgenite/default.nix | 10 ++++------
 users/lyn/default.nix | 9 ++++++---
 users/lyn/ssh.nix | 4 ++--
 4 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/flake.nix b/flake.nix
index 9780666..a09e140 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,14 +5,12 @@
 sops-nix.url = "github:Mic92/sops-nix";
 };
 outputs = { self, nixpkgs, sops-nix }@inputs: {
+
 nixosConfigurations = {
 "forgejo" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
- # Import the configuration.nix here, so that the
- # old configuration file can still take effect.
- # Note: configuration.nix itself is also a Nixpkgs Module,
- ./configuration.nix
+ ./hosts/forgenite/default.nix
 sops-nix.nixosModules.sops
 ];
 specialArgs = {
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index 22e2ff9..6571911 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@@ -1,14 +1,12 @@
-{ config, pkgs, lib, inputs, ... }: with lib.meta; {
+{ config, pkgs, lib, inputs, ... }: {
 imports = [
+ ./../../services/forgejo.nix
+ ./../../users/lyn
 ./hardware-configuration.nix
 ];
-
- # will this work?
- users.lyn.enable = true;
- services.forgejo.enable = true;
 # Write path for borgbackup repos for backup.nix
- _module.args.borgrepolistfile = ./borgrepos;
+ #_module.args.borgrepolistfile = ./borgrepos;
 # Enable Flakes and the new command-line tool
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/users/lyn/default.nix b/users/lyn/default.nix
index fe21ce0..98dd833 100644
--- a/users/lyn/default.nix
+++ b/users/lyn/default.nix
@@ -1,8 +1,11 @@
-{lib, config, ...}:{
- users.users.lyn = {
+{lib,pkgs, config, ...}:{
+ imports = [
+ ./ssh.nix
+ ];
+ users.users.lyn = {
 isNormalUser = true;
 extraGroups = [ "wheel"];
 packages = with pkgs; [
 ];
+ };
 }
-}
\ No newline at end of file
diff --git a/users/lyn/ssh.nix b/users/lyn/ssh.nix
index 80ac56f..039fb5c 100644
--- a/users/lyn/ssh.nix
+++ b/users/lyn/ssh.nix
@@ -1,3 +1,3 @@
-{lib, config, ...}: lib.mkLocalModule ./. "Lyn SSH user config" {
+{lib, config, ...}: {
 users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
-}
\ No newline at end of file
+}
--
2.46.0
From 6e83f34133d6d9be5368c98046f34c7c53f9871f Mon Sep 17 00:00:00 2001
From: Lyn
Date: Thu, 5 Sep 2024 21:10:31 +0200
Subject: [PATCH 04/14] removed auto upgrade due to it currently not working with flakes
---
 flake.lock | 79 +++++++++++++++++++++++++++++++++++++
 hosts/forgenite/default.nix | 4 --
 2 files changed, 79 insertions(+), 4 deletions(-)
 create mode 100644 flake.lock
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..60405eb
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,79 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1725001927, + "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1721466660, + "narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1723501126, + "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix index 6571911..3c95c98 100644 --- a/hosts/forgenite/default.nix +++ b/hosts/forgenite/default.nix 
@@ -70,10 +70,6 @@
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "24.05"; # Did you read the comment?
- system.autoUpgrade = {
- enable = true;
- allowReboot = true;
- };
 nix.gc = {
 automatic = true;
 persistent = true;
--
2.46.0
From 5cb312b8f23c4076b9b78ce1427e9a14f62f08fe Mon Sep 17 00:00:00 2001
From: Lyn
Date: Thu, 5 Sep 2024 21:11:15 +0200
Subject: [PATCH 05/14] fixed forgejo service so it can build
---
 services/forgejo.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 2adf26e..01f18c0 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -1,5 +1,5 @@
-{pkgs, lib, config}:
-with lib with builtins; {
+{pkgs, lib, config, ...}:
+with lib; with builtins; {
 services.forgejo = {
 enable = true;
 settings.server = {
@@ -38,4 +38,4 @@ with lib with builtins; {
 AuthorizedKeysFile ${config.users.users.forgejo.home}/.ssh/authorized_keys
 '';
 networking.firewall.allowedTCPPorts = [48540];
-}
\ No newline at end of file
+}
--
2.46.0
From 0826c10ca65d9b8b5eb676560f3e41d30f289694 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Thu, 5 Sep 2024 22:22:18 +0200
Subject: [PATCH 06/14] refactored host configuration into host-agnostic profile files
---
 hosts/forgenite/default.nix | 50 ++-----------------------------------
 meta/profiles/base.nix | 29 +++++++++++++++++++++
 meta/profiles/vm.nix | 5 ++++
 3 files changed, 36 insertions(+), 48 deletions(-)
 create mode 100644 meta/profiles/base.nix
 create mode 100644 meta/profiles/vm.nix
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index 3c95c98..62156bf 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
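Review bot: The new header `with lib; with builtins; {` in services/forgejo.nix opens two scopes that nothing in the file uses — every identifier below is either a literal or reached through `config` — so they only make it harder to tell where a name comes from and invite accidental shadowing as the file grows. `{pkgs, lib, config, ...}: {` on its own is sufficient and is the style the other modules in this series use.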
@@ -4,64 +4,18 @@
 ./../../services/forgejo.nix
 ./../../users/lyn
 ./hardware-configuration.nix
+ ./../../meta/profiles/base.nix
+ ./../../meta/profiles/vm.nix
 ];
- # Write path for borgbackup repos for backup.nix
- #_module.args.borgrepolistfile = ./borgrepos;
-
- # Enable Flakes and the new command-line tool
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
- # Set default editor to vim
- environment.variables.EDITOR = "vim";
 # Use UEFI
 boot.loader.systemd-boot.enable = true;
- # Use the GRUB 2 boot loader.
- #boot.loader.grub.enable = true;
- #boot.loader.grub.device = "/dev/sda";
-
 networking.hostName = "forgejo"; # Define your hostname.
- # Set your time zone.
- time.timeZone = "Europe/Berlin";
-
- # List packages installed in system profile. To search, run:
- # $ nix search wget
- environment.systemPackages = with pkgs; [
- git
- vim
- wget
- curl
- htop
- ];
-
- # Enable the OpenSSH daemon.
- services.openssh = {
- enable = true;
- settings = {
- X11Forwarding = true;
- PermitRootLogin = "no";
- PasswordAuthentication = false;
- };
- openFirewall = true;
- };
-
- #enable qemu-guestagent
- services.qemuGuest.enable = true;
- # Disable password checking for wheel group users so we can solely rely on ssh keys
- security.sudo.wheelNeedsPassword = false;
 # Firewall stuff:
 networking.firewall.enable = true;
 networking.firewall.allowPing = true;
- # networking.firewall.allowedUDPPorts = [ ... ];
- # Or disable the firewall altogether.
- # networking.firewall.enable = false;
-
- # Copy the NixOS configuration file and link it from the resulting system
- # (/run/current-system/configuration.nix). This is useful in case you
- # accidentally delete configuration.nix.
- # system.copySystemConfiguration = true;
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It's perfectly fine and recommended to leave
diff --git a/meta/profiles/base.nix b/meta/profiles/base.nix
new file mode 100644
index 0000000..7d5c927
--- /dev/null
+++ b/meta/profiles/base.nix
@@ -0,0 +1,29 @@
+{lib, config, pkgs, ...}: {
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nixpkgs.config.allowUnfree = true;
+
+ environment.variables.EDITOR = "vim";
+
+ time.timeZone = "Europe/Berlin";
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ X11Forwarding = true;
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ openFirewall = true;
+ };
+ # Disable password checking for wheel group users so we can solely rely on ssh keys
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ git
+ vim
+ wget
+ curl
+ htop
+ ];
+}
\ No newline at end of file
diff --git a/meta/profiles/vm.nix b/meta/profiles/vm.nix
new file mode 100644
index 0000000..75c7eab
--- /dev/null
+++ b/meta/profiles/vm.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, lib, ... }:
+{
+ #enable qemu-guestagent
+ services.qemuGuest.enable = true;
+}
\ No newline at end of file
--
2.46.0
From 95ebd02445c912908ac751818e11173d870108d6 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Thu, 5 Sep 2024 23:48:43 +0200
Subject: [PATCH 07/14] got started with sops and made forgejo use it
---
 .sops.yaml | 15 +++++++++++++++
 secrets/hosts/forgenite.yaml | 31 +++++++++++++++++++++++++++++++
 services/forgejo.nix | 2 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/hosts/forgenite.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..f14f0e2
--- /dev/null
+++ b/.sops.yaml
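Review bot: `X11Forwarding = true;` in meta/profiles/base.nix turns a per-host setting into the default for every host that imports the profile, and a headless Forgejo server has no use for it — an X11 channel lets a compromised server reach the display of any admin who connects with forwarding enabled; `X11Forwarding = false;` (sshd's own default) is the safer profile-wide value, with hosts that need it opting in. `security.sudo.wheelNeedsPassword = false;` likewise now applies to all hosts, which means any code running as a wheel user is root without a prompt; if that is the intended model, the existing comment should say so and note that it relies on `PasswordAuthentication = false` above staying in place. `nixpkgs.config.allowUnfree = true;` is new relative to the host config this profile replaces and is not mentioned in the commit message; a one-line comment on why it is needed would help.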
@@ -0,0 +1,15 @@
+ keys:
+ - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+ - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+ creation_rules:
+ - path_regex: secrets/all/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *Lyn
+ - *forgenite
+ #hosts
+ - path_regex: secrets/hosts/forgenite.yaml
+ key_groups:
+ - age:
+ - *Lyn
+ - *forgenite
diff --git a/secrets/hosts/forgenite.yaml b/secrets/hosts/forgenite.yaml
new file mode 100644
index 0000000..39435ed
--- /dev/null
+++ b/secrets/hosts/forgenite.yaml
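Review bot: `path_regex: secrets/hosts/forgenite.yaml` in .sops.yaml is a regular expression matched unanchored against the relative path, not a literal filename, so the unescaped `.` and missing anchors make it match any path that merely contains that text (a constructed example: `secrets/hosts/forgenite-yaml.bak` would also be encrypted to this host's key); write it as `path_regex: ^secrets/hosts/forgenite\.yaml$`. The `secrets/all/` rule above is anchored only at the end and deserves a leading `^` for the same reason. The `secrets/hosts/forgejo-ci.yaml` rule added in patch 13 has the same shape.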
@@ -0,0 +1,31 @@ +forgejo: + db_password: ENC[AES256_GCM,data:Gkk441Tlty2ENGqBSDL/xSS75FOunM/Bfa0TBVV9KjW1DnD/Bx7lSw==,iv:V6g/vuPIhEE6OBaHDPdWIDdv7YAgy0crpmUMpMceJnk=,tag:LH8+qRtrCaHJLKzRB5Nnvw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySlhJWGtCd21zM3BxeEox + NG9VcHBoYkxHeUVwN1dQMHZVVmtpVTV6ekRRClB2MzNlKzVwbkdXRFY0QlUwOEUw + R2xBNkZGK09pZzBmTUJDdC95bU4vdTAKLS0tIGQ2Z1RpZjRHQUNya2JzZzFQQjA0 + YlJIcmQrUVJMMUdkMjNoOUkva1hIMWMK+56bsZXNIeYiuj+QAuajsCDWPAv9IYV9 + 7oh61PZvFYql6TXWjVioIBpS0MxKTbidjWQoYwD4vp8ZikfYUwuoqQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R2lUZkdXQTUrQmRhMnE3 + bnRkdUF1WW1obG1acmdQN0NmSkNmWGlFYzFJCkNGQ2lNVFMvYXZYT2dERE1aMVEy + a3AybWpZcTZIakVrUExHeTl0MXoxbFkKLS0tIE4wdTRtcUtZTkxiWVkyZC9QSDlR + YnpWY3ZsZWdQcEc2YTJJeldTaTdCVkkKA8cfHrWV7COWKYf19IP/dt/mPM6PDWvm + DiTB8JBSKTlsBsvA26qkPHcKyXCBjLDaSi1hmGI6PhI7nIDTQ15t6w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-05T21:45:11Z" + mac: ENC[AES256_GCM,data:201CRHfhVUf5v1X1LfMH1p59eiLd+ZYEU937iZqCo5+rZ05hSpfXF6XVUdqMI6qgtl1jHY7hWQC4frnprM1BRh0ai/9aV4MKZn4oUCGq6x/avEf442eDL/RPV5pLlvVw1w/SA7lDqOqjaCuF9nDjr03uO7IhqsCLDaUv4JOI/Fg=,iv:W5ulyrMD6XeQ5j3TGhMfC8bh76C+jgXXSn9Em1+XbQo=,tag:sJne9+WMTh1HWTbqzHAiHQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/services/forgejo.nix b/services/forgejo.nix index 01f18c0..0bf7267 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix 
@@ -26,7 +26,7 @@ with lib; with builtins; {
 };
 database = {
 user = "forgejo";
- passwordFile = "/etc/nixos/forgejo-dbpassword";
+ passwordFile = config.sops.secrets."hosts/forgenite/forgejo/db_password".path;
 name = "forgejodb";
 type = "mysql";
 };
--
2.46.0
From ea9f076254c7a0a0e04a285461183ee10c65dcad Mon Sep 17 00:00:00 2001
From: Lyn
Date: Fri, 6 Sep 2024 01:11:33 +0200
Subject: [PATCH 08/14] =?UTF-8?q?does=20this=20work=3F=F0=9F=A5=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 hosts/forgenite/default.nix | 1 +
 services/forgejo.nix | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index 62156bf..f5adaf7 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@@ -7,6 +7,7 @@
 ./../../meta/profiles/base.nix
 ./../../meta/profiles/vm.nix
 ];
+ sops.secrets.forgenite.sopsFile = ./../../secrets/hosts/forgenite.yaml
 # Use UEFI
 boot.loader.systemd-boot.enable = true;
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 0bf7267..8f85864 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -26,7 +26,7 @@ with lib; with builtins; {
 };
 database = {
 user = "forgejo";
- passwordFile = config.sops.secrets."hosts/forgenite/forgejo/db_password".path;
+ passwordFile = config.sops.secrets."forgejo/db_password".path;
 name = "forgejodb";
 type = "mysql";
 };
--
2.46.0
From e28fe0eef04c372c81ac4a4e76176c4670799631 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Fri, 6 Sep 2024 02:01:59 +0200
Subject: [PATCH 09/14] ich werd zum joker
---
 hosts/forgenite/default.nix | 2 +-
 meta/modules/sops/default.nix | 23 +++++++++++++++++++++
 secrets/hosts/forgenite.yaml | 9 +++++----
 services/forgejo.nix | 2 +-
 4 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 meta/modules/sops/default.nix
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index f5adaf7..68090b3 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@@ -7,7 +7,7 @@
 ./../../meta/profiles/base.nix
 ./../../meta/profiles/vm.nix
 ];
- sops.secrets.forgenite.sopsFile = ./../../secrets/hosts/forgenite.yaml
+ sops.secrets."hosts/forgenite/db_password" = {};
 # Use UEFI
 boot.loader.systemd-boot.enable = true;
diff --git a/meta/modules/sops/default.nix b/meta/modules/sops/default.nix
new file mode 100644
index 0000000..49b8cb7
--- /dev/null
+++ b/meta/modules/sops/default.nix
@@ -0,0 +1,23 @@
+{ pkgs, lib, config, ... }:
+let
+ cfg = config.lyn.sops;
+in
+{
+ options.lyn.sops = with lib; {
+ secrets = mkOption {
+ type = types.attrs;
+ default = { };
+ };
+ };
+ config = {
+ sops.secrets = lib.mapAttrs
+ (name: value:
+ let
+ name_split = lib.splitString "/" name;
+ in
+ {
+ sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
+ } // value)
+ cfg.secrets;
+ };
+}
diff --git a/secrets/hosts/forgenite.yaml b/secrets/hosts/forgenite.yaml
index 39435ed..31c4db4 100644
--- a/secrets/hosts/forgenite.yaml
+++ b/secrets/hosts/forgenite.yaml
@@ -1,5 +1,6 @@
-forgejo:
- db_password: ENC[AES256_GCM,data:Gkk441Tlty2ENGqBSDL/xSS75FOunM/Bfa0TBVV9KjW1DnD/Bx7lSw==,iv:V6g/vuPIhEE6OBaHDPdWIDdv7YAgy0crpmUMpMceJnk=,tag:LH8+qRtrCaHJLKzRB5Nnvw==,type:str]
+hosts:
+ forgenite:
+ forgejo_db_password: ENC[AES256_GCM,data:1Qp6kLbt4tO+9/i5JN2rRjZJW0gJDKEQV9XmDEEts4bVvOsBCu6wYg==,iv:FZCthW7Yo9z0KqJvjhnQaNX1rqdUeINyfdM3xdLcOrk=,tag:32peH4VsZ3hLeC7XAqINAg==,type:str]
 sops:
 kms: []
 gcp_kms: []
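Review bot: `builtins.elemAt name_split 1` in meta/modules/sops/default.nix fails with a bare list-index error for any secret name that does not contain a `/`, and the `secrets` option is typed `types.attrs`, which merges definitions from several modules only shallowly and carries no `description`. Declaring it as `type = types.attrsOf types.attrs;` lets per-secret settings such as `.owner` set in different modules merge instead of overwriting each other, and an `assert builtins.length name_split >= 2;` in front of the attribute set, together with a comment stating the `<category>/<host>/<key>` convention, turns the failure into a readable one. The mapping only consumes the first two segments and relies on sops-nix using the full secret name as the key path inside the YAML (which is why the file was restructured to `hosts: forgenite: …`); that coupling is worth a comment on the `sopsFile` line.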
@@ -24,8 +25,8 @@ sops: YnpWY3ZsZWdQcEc2YTJJeldTaTdCVkkKA8cfHrWV7COWKYf19IP/dt/mPM6PDWvm DiTB8JBSKTlsBsvA26qkPHcKyXCBjLDaSi1hmGI6PhI7nIDTQ15t6w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-05T21:45:11Z" - mac: ENC[AES256_GCM,data:201CRHfhVUf5v1X1LfMH1p59eiLd+ZYEU937iZqCo5+rZ05hSpfXF6XVUdqMI6qgtl1jHY7hWQC4frnprM1BRh0ai/9aV4MKZn4oUCGq6x/avEf442eDL/RPV5pLlvVw1w/SA7lDqOqjaCuF9nDjr03uO7IhqsCLDaUv4JOI/Fg=,iv:W5ulyrMD6XeQ5j3TGhMfC8bh76C+jgXXSn9Em1+XbQo=,tag:sJne9+WMTh1HWTbqzHAiHQ==,type:str] + lastmodified: "2024-09-06T00:00:08Z" + mac: ENC[AES256_GCM,data:LC/WIffWQMHRk0ty3bnSGNyUySjYIA84euR5dgb95+uegLzAaMtBehnE5GB36eMzciMSP95jP2KOHfDimwU7eugeauEgJLrtv8Sp5r29LnU+MLDpAVwqw/HDZq8J7LIoYspqMr19ZxwcG1K4kfNlB7JYSuP7V7DhXo+I5/Qjv8A=,iv:CHf0KGCpbFIEMjgkxxS8RvSfOrGRYdGd/rdVJ/XPkoI=,tag:ZghIOEu9NLchxz7j4Er6QQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/services/forgejo.nix b/services/forgejo.nix index 8f85864..e2e9e31 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -26,7 +26,7 @@ with lib; with builtins; { }; database = { user = "forgejo"; - passwordFile = config.sops.secrets."forgejo/db_password".path; + passwordFile = config.sops.secrets."hosts/forgenite/forgejo_db_password".path; name = "forgejodb"; type = "mysql"; }; -- 2.46.0 From 94310bf128cd0dee0ecadecdd321f76bd9bd6066 Mon Sep 17 00:00:00 2001 From: Lyn Date: Fri, 6 Sep 2024 03:10:39 +0200 Subject: [PATCH 10/14] uses lix now --- flake.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index a09e140..95cff65 100644 --- a/flake.nix +++ b/flake.nix 
@@ -3,8 +3,12 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
 sops-nix.url = "github:Mic92/sops-nix";
+ lix-module = {
+ url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, sops-nix }@inputs: {
+ outputs = {self, nixpkgs, lix-module, sops-nix }@inputs: {
 nixosConfigurations = {
 "forgejo" = nixpkgs.lib.nixosSystem {
@@ -12,6 +16,7 @@
 modules = [
 ./hosts/forgenite/default.nix
 sops-nix.nixosModules.sops
+ lix-module.nixosModules.default
 ];
 specialArgs = {
 inherit inputs;
--
2.46.0
From ff7c4cce10410c38d7a9df041735e4e95910b624 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Fri, 6 Sep 2024 02:47:41 +0200
Subject: [PATCH 11/14] it's finally working O.O
---
 hosts/forgenite/default.nix | 2 +-
 meta/profiles/base.nix | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index 68090b3..ba02e48 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@@ -7,7 +7,7 @@
 ./../../meta/profiles/base.nix
 ./../../meta/profiles/vm.nix
 ];
- sops.secrets."hosts/forgenite/db_password" = {};
+ lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
 # Use UEFI
 boot.loader.systemd-boot.enable = true;
diff --git a/meta/profiles/base.nix b/meta/profiles/base.nix
index 7d5c927..f86da25 100644
--- a/meta/profiles/base.nix
+++ b/meta/profiles/base.nix
@@ -1,5 +1,7 @@
 {lib, config, pkgs, ...}: {
-
+ imports = [
+ ../modules/sops
+ ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 nixpkgs.config.allowUnfree = true;
@@ -26,4 +28,4 @@
 curl
 htop
 ];
-}
\ No newline at end of file
+}
--
2.46.0
From 4171e29e6828dc77b8c3a4419e181e7bfebd9677 Mon Sep 17 00:00:00 2001
From: Lyn Date: Fri, 6 Sep 2024 05:01:21 +0200 Subject: [PATCH 12/14] switched lix to nixpkgs unstable, switched forgejo to unstable too --- flake.lock | 37 +++++++++++++++++++++++++++---------- flake.nix | 22 +++++++++++----------- meta/profiles/base.nix | 2 +- services/forgejo.nix | 1 + 4 files changed, 40 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index 60405eb..7ca4cde 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1725001927, - "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=", + "lastModified": 1725407940, + "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421", + "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", "type": "github" }, "original": { @@ -32,13 +32,29 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-unstable": { "locked": { - "lastModified": 1721466660, - "narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=", + "lastModified": 1725432240, + "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100", + "rev": "ad416d066ca1222956472ab7d0555a6946746a80", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", "type": "github" }, "original": { @@ -51,6 +67,7 @@ "root": { "inputs": { "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } }, 
@@ -60,11 +77,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1723501126, - "narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", + "lastModified": 1725540166, + "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", "owner": "Mic92", "repo": "sops-nix", - "rev": "be0eec2d27563590194a9206f551a6f73d52fa34", + "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 95cff65..1593567 100644 --- a/flake.nix +++ b/flake.nix @@ -3,25 +3,25 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; sops-nix.url = "github:Mic92/sops-nix"; - lix-module = { - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; }; - outputs = {self, nixpkgs, lix-module, sops-nix }@inputs: { + outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: { nixosConfigurations = { "forgejo" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ - ./hosts/forgenite/default.nix + ./hosts/forgenite sops-nix.nixosModules.sops - lix-module.nixosModules.default + ({lib,config,...}:{ + options.inputs = lib.mkOption{type = lib.types.attrs;}; + config.inputs = inputs; + options.pkgsInstances = lib.mkOption{type = lib.types.attrs;}; + config.pkgsInstances = { + unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;}; + }; + }) ]; - specialArgs = { - inherit inputs; - flake = self; - }; }; }; }; diff --git a/meta/profiles/base.nix b/meta/profiles/base.nix index f86da25..3c101ef 100644 --- a/meta/profiles/base.nix +++ b/meta/profiles/base.nix @@ -4,7 +4,7 @@ ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; nixpkgs.config.allowUnfree = true; - + nix.package = config.pkgsInstances.unstable.lix; environment.variables.EDITOR = "vim"; time.timeZone = "Europe/Berlin"; 
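Review bot: `unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};` in the inline flake.nix module instantiates a second nixpkgs that sees neither `config.nixpkgs.config` (so the `allowUnfree = true` from base.nix does not apply to it) nor the primary instance's overlays, which means `pkgsInstances.unstable.lix` and `.forgejo` are evaluated under a different policy than `pkgs`; passing `inherit (config.nixpkgs) system config overlays;` to the import keeps the two instances consistent. `options.inputs` and `options.pkgsInstances` are declared as bare `lib.types.attrs` without a `description`, so they neither document their purpose nor validate anything. The hunk also drops `specialArgs = { inherit inputs; flake = self; }` while hosts/forgenite/default.nix (patch 03) still lists `inputs` as a function argument; that appears to keep evaluating only because the argument is never forced, which deserves a comment or a cleanup of the header.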
diff --git a/services/forgejo.nix b/services/forgejo.nix
index e2e9e31..db1f4f4 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -2,6 +2,7 @@
 with lib; with builtins; {
 services.forgejo = {
 enable = true;
+ package = config.pkgsInstances.unstable.forgejo;
 settings.server = {
 ROOT_URL = "https://git.shibe.pro";
 DOMAIN = "git.shibe.pro";
--
2.46.0
From 4f1447a5de3ad69ee451adc906a1f98b98369e93 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Fri, 6 Sep 2024 06:04:32 +0200
Subject: [PATCH 13/14] added initial support for forgejo-ci-runner
---
 .sops.yaml | 7 ++++
 flake.nix | 38 ++++++++++++++------
 hosts/forgejo-ci/default.nix | 19 +++++++++++
 hosts/forgejo-ci/hardware-configuration.nix | 38 +++++++++++++++++++++
 hosts/forgenite/default.nix | 2 +-
 secrets/hosts/forgejo-ci.yaml | 32 +++++++++++++++++
 services/forgejo-ci.nix | 29 ++++++++++++++++
 7 files changed, 151 insertions(+), 14 deletions(-)
 create mode 100644 hosts/forgejo-ci/default.nix
 create mode 100644 hosts/forgejo-ci/hardware-configuration.nix
 create mode 100644 secrets/hosts/forgejo-ci.yaml
 create mode 100644 services/forgejo-ci.nix
diff --git a/.sops.yaml b/.sops.yaml
index f14f0e2..6a98abc 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,8 @@
 keys:
 - &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
 - &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
+ - &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
+
 creation_rules:
 - path_regex: secrets/all/[^/]+\.yaml$
 key_groups:
@@ -13,3 +15,8 @@
 - age:
 - *Lyn
 - *forgenite
+ - path_regex: secrets/hosts/forgejo-ci.yaml
+ key_groups:
+ - age:
+ - *Lyn
+ - *forgejo-ci
diff --git a/flake.nix b/flake.nix
index 1593567..2109647 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,24 +5,36 @@
 sops-nix.url = "github:Mic92/sops-nix";
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 };
- outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: {
+ outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
- nixosConfigurations = {
- "forgejo" = nixpkgs.lib.nixosSystem {
+ passInputs = ({lib,config,...}:{
+ options.inputs = lib.mkOption{type = lib.types.attrs;};
+ config.inputs = inputs;
+ options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
+ config.pkgsInstances = {
+ unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
+ };
+ });
+
+ in {
+
+ nixosConfigurations = {
+ "forgejo" = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
- modules = [
+ modules = [
 ./hosts/forgenite
 sops-nix.nixosModules.sops
- ({lib,config,...}:{
- options.inputs = lib.mkOption{type = lib.types.attrs;};
- config.inputs = inputs;
- options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
- config.pkgsInstances = {
- unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
- };
- })
+ passInputs
 ];
+ };
+ "forgejo-ci" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/forgejo-ci
+ sops-nix.nixosModules.sops
+ passInputs
+ ];
+ };
 };
 };
-};
 }
diff --git a/hosts/forgejo-ci/default.nix b/hosts/forgejo-ci/default.nix
new file mode 100644
index 0000000..a0727aa
--- /dev/null
+++ b/hosts/forgejo-ci/default.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, lib, inputs, ... }: {
+ imports =
+ [
+ ./../../services/forgejo-ci.nix
+ ./hardware-configuration.nix
+ ./../../users/lyn
+ ./../../meta/profiles/base.nix
+ ./../../meta/profiles/vm.nix
+ ];
+ lyn.sops.secrets."hosts/frottjo-ci-runner/forgejo_ci-token".owner = "gitea-runner";
+ # Use UEFI
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "forgenite"; # Define your hostname.
+
+ # Firewall stuff:
+ networking.firewall.enable = true;
+ networking.firewall.allowPing = true;
+}
\ No newline at end of file
diff --git a/hosts/forgejo-ci/hardware-configuration.nix b/hosts/forgejo-ci/hardware-configuration.nix
new file mode 100644
index 0000000..0f10cb8
--- /dev/null
+++ b/hosts/forgejo-ci/hardware-configuration.nix
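Review bot: `networking.hostName = "forgenite"; # Define your hostname.` gives the new CI host the same name the forgenite host receives in this commit's hosts/forgenite/default.nix hunk, so the two machines become indistinguishable by hostname in logs, monitoring and anything derived from `config.networking.hostName`; it should read `networking.hostName = "forgejo-ci";`. The `lyn.sops.secrets."hosts/frottjo-ci-runner/…"` path on the line above is corrected in PATCH 14, so nothing to add there. A one-line header comment such as `# forgejo-ci: dedicated VM that runs the Forgejo actions runner for git.shibe.pro` would make the purpose of this host file clear without opening services/forgejo-ci.nix.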
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/58fe64e6-74c3-4a96-885c-340a3126d1f0";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/40A9-C398";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/4d39c334-1726-4646-95d3-ecbedbf21ddb"; }
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/forgenite/default.nix b/hosts/forgenite/default.nix
index ba02e48..3d2af14 100644
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@@ -11,7 +11,7 @@
 # Use UEFI
 boot.loader.systemd-boot.enable = true;
- networking.hostName = "forgejo"; # Define your hostname.
+ networking.hostName = "forgenite"; # Define your hostname.
 # Firewall stuff:
 networking.firewall.enable = true;
diff --git a/secrets/hosts/forgejo-ci.yaml b/secrets/hosts/forgejo-ci.yaml
new file mode 100644
index 0000000..adb9d56
--- /dev/null
+++ b/secrets/hosts/forgejo-ci.yaml
@@ -0,0 +1,32 @@
+hosts:
+ forgejo-ci:
+ forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMG5zVlFXWjNYdFVjdEd3
+ WYliRGtBR2YrTEtYcXF0WmI1NnNQc0NnN2dFCjVMMXVWVzJ3Z3g3NjlBaFNSdFFy
+ NWxSNjNxN2hFNWYyQkRVUHBGa25laFkKLS0tIFpWaEE4MDBPTWhFdnBOOWNtRC80
+ YW9QUWJCRmhhYm1Zb2t6RFJ1SStERHMK8Yk/lGQYocea8MaR4c7/7tkRSqIcjYrO
+ +i1HN9gIrasVtZF1k0YuSB7sCCQ+oVvKtVCR7TRoeJhoxqgQZ/q5RQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TWhSM3lYK3JMQUc0WDUz
+ VlEySTNTN2ZaMHo0OXlyTWNPYVhSWE5uZkNJCkFqNHJCc3h6WkVJUkYxM0VibFRY
+ MWdYYWdtd1FnMmdtMndIY3gvcmJVQzQKLS0tIFpZV2RrZTg3cWxJOFlkY2F3TWRW
+ SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
+ Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-06T03:55:48Z"
+ mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/services/forgejo-ci.nix b/services/forgejo-ci.nix
new file mode 100644
index 0000000..6294b1d
--- /dev/null
+++ b/services/forgejo-ci.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ docker
+ forgejo-actions-runner
+
+];
+ # Enable docker
+ virtualisation.docker = {
+ enable = true;
+ daemon.settings = {
+ fixed-cidr-v6 = "fd00::/80";
+ ipv6 = true;
+ };
+ };
+ # Forgejo actions runner
+ services.gitea-actions-runner = {
+ instances = {
+ "shibepro-ci" = {
+ enable = true;
+ url = "https://git.shibe.pro";
+ name = "shibepro-ci";
+ tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci-token".path;
+ labels = [];
+ };
+ };
+ };
+}
\ No newline at end of file
--
2.46.0

From a12174a4aac4d3525fdb860e94cbd1424fa51a72 Mon Sep 17 00:00:00 2001
From: Lyn
Date: Fri, 6 Sep 2024 06:52:04 +0200
Subject: [PATCH 14/14] fixed forgejo ci-runner

---
 hosts/forgejo-ci/default.nix | 5 +++--
 services/forgejo-ci.nix | 7 +++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/hosts/forgejo-ci/default.nix b/hosts/forgejo-ci/default.nix
index a0727aa..bd0caf8 100644
--- a/hosts/forgejo-ci/default.nix
+++ b/hosts/forgejo-ci/default.nix
@@ -7,7 +7,7 @@
 ./../../meta/profiles/base.nix
 ./../../meta/profiles/vm.nix
 ];
- lyn.sops.secrets."hosts/frottjo-ci-runner/forgejo_ci-token".owner = "gitea-runner";
+ lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
 # Use UEFI
 boot.loader.systemd-boot.enable = true;
@@ -16,4 +16,5 @@
 # Firewall stuff:
 networking.firewall.enable = true;
 networking.firewall.allowPing = true;
-}
\ No newline at end of file
+ system.stateVersion = "23.05";
+}
diff --git a/services/forgejo-ci.nix b/services/forgejo-ci.nix
index 6294b1d..5a06c1e 100644
--- a/services/forgejo-ci.nix
+++ b/services/forgejo-ci.nix
@@ -2,8 +2,6 @@
 {
 environment.systemPackages = with pkgs; [
 docker
- forgejo-actions-runner
-
 ];
 # Enable docker
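Review bot: `labels = [];` leaves the runner's execution environments to act_runner's built-in defaults instead of declaring them, so the container images that CI jobs execute in are not reviewable from this file; pin them explicitly, e.g. `labels = [ "<label>:docker://<image:tag>" ];` (placeholder values), and re-register after changing them since labels are fixed at registration. Because the runner is paired with a host-wide docker daemon (`virtualisation.docker.enable = true;`), any job that can reach the docker socket is root-equivalent on this VM, which makes keeping the host single-purpose (as the vm.nix profile in hosts/forgejo-ci suggests) and pinning images the controls that matter here; a comment on the `virtualisation.docker` block stating that, `# jobs run with docker access: treat this VM as fully exposed to whoever can trigger a workflow`, records the trade-off for the next reader. The `fixed-cidr-v6`/`ipv6` daemon settings are undocumented as to why they are needed; one line, `# IPv6 for job containers`, would do.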
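Review bot: `lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};` in PATCH 14's first hosts/forgejo-ci/default.nix hunk drops the `.owner` the previous line set, so readability of the decrypted file now depends on the defaults of the `lyn.sops` helper (not in this series) and on whether the runner module has systemd read `tokenFile` as root rather than the runner process itself; confirm that, and record the outcome on the line, `# read by systemd at service start; root-owned 0400 is sufficient`, or set the owner the runner actually runs as. In the second hunk `system.stateVersion = "23.05";` is set on a host whose flake pins nixos-24.05; stateVersion is meant to be the release the machine was first installed with, so if this VM was installed fresh in this series it should be `"24.05"` — worth checking before it is deployed, since it only affects stateful defaults and is awkward to change later.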
@@ -16,14 +14,15 @@
 };
 # Forgejo actions runner
 services.gitea-actions-runner = {
+ package = config.pkgsInstances.unstable.forgejo-runner;
 instances = {
 "shibepro-ci" = {
 enable = true;
 url = "https://git.shibe.pro";
 name = "shibepro-ci";
- tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci-token".path;
+ tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
 labels = [];
 };
 };
 };
-}
\ No newline at end of file
+}
--
2.46.0
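Review bot: `tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;` hands the decrypted sops file straight to the runner module; as far as I recall that module loads `tokenFile` as a systemd EnvironmentFile and expects a `TOKEN=<token>` assignment, in which case the plaintext in secrets/hosts/forgejo-ci.yaml must be that assignment rather than the bare token, or registration runs with an empty token — worth confirming against the module's option description. A comment on the line, `# plaintext must be in EnvironmentFile form: TOKEN=<token>`, would spare the next edit of the secret the same trap. `package = config.pkgsInstances.unstable.forgejo-runner;` follows the pattern of the other `pkgsInstances.unstable` uses in this series, so the caveat about that instance not inheriting `nixpkgs.config` applies here too.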