
3 commits

Author SHA1 Message Date
Ingolf Wagner 0aad87d144
upgrade
All checks were successful
/ build (push) Successful in 1h37m43s
2024-07-20 14:26:47 +02:00
Ingolf Wagner 1c78afe0cc
update
Some checks failed
/ build (push) Failing after 3h14m35s
2024-07-20 14:17:18 +02:00
Ingolf Wagner 6a07f4259a
working on using new created cache 2024-07-20 13:56:03 +02:00
9 changed files with 127 additions and 65 deletions


@ -11,15 +11,16 @@ jobs:
${{ secrets.SSH_KEY }} ${{ secrets.SSH_KEY }}
EOF EOF
chmod 600 .id_rsa chmod 600 .id_rsa
eval $(ssh-agent) eval $(ssh-agent)
ssh-add .id_rsa ssh-add .id_rsa
cat <<EOF > "$GITHUB_ENV" cat <<EOF > "$GITHUB_ENV"
SSH_AUTH_SOCK="$SSH_AUTH_SOCK" SSH_AUTH_SOCK="$SSH_AUTH_SOCK"
SSH_AGENT_PID=$SSH_AGENT_PID SSH_AGENT_PID=$SSH_AGENT_PID
EOF EOF
- run: nix flake check
# - run: nix flake update # - run: nix flake update
- run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel - run: nix build .#nixosConfigurations.orbi.config.system.build.toplevel
- run: nix build .#nixosConfigurations.cream.config.system.build.toplevel - run: nix build .#nixosConfigurations.cream.config.system.build.toplevel


@ -61,7 +61,7 @@ in
# We might want to remove this once, openssh is fixed everywhere: # We might want to remove this once, openssh is fixed everywhere:
# Workaround for CVE-2024-6387 and CVE-2024-6409 # Workaround for CVE-2024-6387 and CVE-2024-6409
# https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128 # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
settings.LoginGraceTime = 0; # settings.LoginGraceTime = 0;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles; users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;
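Review bot: Commenting out `settings.LoginGraceTime = 0;` removes the mitigation for CVE-2024-6387 and CVE-2024-6409, while the three comment lines above it still describe it as an active workaround. That is only safe once every machine importing this module builds its sshd from a patched openssh. The lock file in this commit pins several nixpkgs inputs, and which one supplies openssh per host is not visible here, so that is worth confirming before deploy. I would replace the stale block with one line such as `# CVE-2024-6387 / CVE-2024-6409: LoginGraceTime workaround dropped, relies on the patched openssh from the pinned nixpkgs`. The enclosing attribute set starts outside this hunk.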


@ -22,6 +22,12 @@ with lib;
# }; # };
#}; #};
config = {
networking.extraHosts = ''
10.100.0.1 cache.orbi.wg0
'';
};
} }


@ -53,11 +53,11 @@
"base16-helix": { "base16-helix": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696727917, "lastModified": 1720809814,
"narHash": "sha256-FVrbPk+NtMra0jtlC5oxyNchbm8FosmvXIatkRbYy1g=", "narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "base16-helix", "repo": "base16-helix",
"rev": "dbe1480d99fe80f08df7970e471fac24c05f2ddb", "rev": "34f41987bec14c0f3f6b2155c19787b1f6489625",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -121,11 +121,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1720975977, "lastModified": 1721402843,
"narHash": "sha256-9x2Yjsw6t++go/jZ5prKGJFDl4b5+ei5eCgm10xorDI=", "narHash": "sha256-/DiRx6TgI/3KcrgO5SAs0FjLz68j7lqp3kf8MbfSCcw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "buildbot-nix", "repo": "buildbot-nix",
"rev": "93942c0a662b7c6ad80810ae9f99f80988a27b1d", "rev": "5bdbb7609689989a79f7d6e6e59c4b7985634230",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -148,11 +148,11 @@
"treefmt-nix": "treefmt-nix_2" "treefmt-nix": "treefmt-nix_2"
}, },
"locked": { "locked": {
"lastModified": 1720716544, "lastModified": 1721420605,
"narHash": "sha256-SoWNPWkxRaEvTs1w//AKIdFzU2N8WikpWgL69rW0aMI=", "narHash": "sha256-E2je0KB09PXoJE1ofL2GUYnwB+BIE7D5Y2Fy+F/2cJw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "0bbab9484122735a5a42412be641a1af60da2039", "rev": "f3c9c379e61d127b2c5a1f7a848dcdf0e7a307b3",
"revCount": 3395, "revCount": 3512,
"type": "git", "type": "git",
"url": "https://git.clan.lol/clan/clan-core" "url": "https://git.clan.lol/clan/clan-core"
}, },
@ -191,11 +191,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720056646, "lastModified": 1720661479,
"narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=", "narHash": "sha256-nsGgA14vVn0GGiqEfomtVgviRJCuSR3UEopfP8ixW1I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e", "rev": "786965e1b1ed3fd2018d78399984f461e2a44689",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -426,11 +426,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1720734513, "lastModified": 1721135958,
"narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", "narHash": "sha256-H548rpPMsn25LDKn1PCFmPxmWlClJJGnvdzImHkqjuY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "90ae324e2c56af10f20549ab72014804a3064c7f", "rev": "afd2021bedff2de92dfce0e257a3d03ae65c603d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -467,11 +467,11 @@
}, },
"locked": { "locked": {
"dir": "nix", "dir": "nix",
"lastModified": 1720421296, "lastModified": 1721284730,
"narHash": "sha256-Pl8n7CkrurvRFGyWV6oi9jmxRHDcsrcM4AlUMYG0rwU=", "narHash": "sha256-eWPldqxXsqtbWrXflLEhZBjiSq0TJvIYoXQ/ExDKmls=",
"owner": "kmonad", "owner": "kmonad",
"repo": "kmonad", "repo": "kmonad",
"rev": "97a3dea051a3565e97f2bdde60473a2d78182b07", "rev": "e5e839bcbedda23df0b8a3f8659edfa2c9bef8f8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -510,11 +510,11 @@
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_3"
}, },
"locked": { "locked": {
"lastModified": 1719852663, "lastModified": 1720926282,
"narHash": "sha256-83rF68wdvOc9iyHSIxlgk/PMoFXilIYabOxC+meamyo=", "narHash": "sha256-JOF4DNpKHzK7noVkh9tP+Rg9yZUyOBrEKPbdqKom5KI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-anywhere", "repo": "nixos-anywhere",
"rev": "f99d120b3788a286989db4e592a698f5d310d2f6", "rev": "daf19effbafba2cfeac4c41e17dccdd07ca86cb3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -525,11 +525,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1720737798, "lastModified": 1721413321,
"narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", "narHash": "sha256-0GdiQScDceUrVGbxYpV819LHesK3szHOhJ09e6sgES4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", "rev": "ab165a8a6cd12781d76fe9cbccb9e975d0fb634f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -549,11 +549,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720055024, "lastModified": 1720659757,
"narHash": "sha256-c5rsiI1R7tnCDpcgfsa7ouSdn6wpctbme9TUp53CFyU=", "narHash": "sha256-ltzUuCsEfPA9CYM9BAnwObBGqDyQIs2OLkbVMeOOk00=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-images", "repo": "nixos-images",
"rev": "f8650460d37d9d1820a93ebb7f0db5b6c3621946", "rev": "5eddae0afbcfd4283af5d6676d08ad059ca04b70",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -605,11 +605,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1720890539, "lastModified": 1721215108,
"narHash": "sha256-1K32XHPcQBo8XdLDQNybfLQc9I8hqSZdjA/Ur3zW/io=", "narHash": "sha256-aOiSBcftoGye0spDdIylZE6TVTo7C/B4atYH25tSemQ=",
"owner": "Nixos", "owner": "Nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "19116ccf234e32acf133863d430506da68008550", "rev": "7edc243443b44444eba596557de03ee52beca2eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -653,11 +653,11 @@
}, },
"nixpkgs-legacy_2405": { "nixpkgs-legacy_2405": {
"locked": { "locked": {
"lastModified": 1720691131, "lastModified": 1721226092,
"narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", "narHash": "sha256-UBvzVpo5sXSi2S/Av+t+Q+C2mhMIw/LBEZR+d6NMjws=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", "rev": "c716603a63aca44f39bef1986c13402167450e0a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -681,11 +681,11 @@
}, },
"nixpkgs-unstable-small": { "nixpkgs-unstable-small": {
"locked": { "locked": {
"lastModified": 1720760861, "lastModified": 1721393053,
"narHash": "sha256-/j6neSfVGNaW5BfNP1vD5fU6qYImnXStX9MANDzAqDk=", "narHash": "sha256-xNiw9gIxyF6xsyXCiFESPjxMjuVAfmr4sBpM9u2l5io=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "03bad7d9c068c6d73772148f314b69072a6bd179", "rev": "a0691657e9634cfc001f02995cca394025e3e940",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -760,11 +760,11 @@
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1720542800, "lastModified": 1721379653,
"narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=", "narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "feb2849fdeb70028c70d73b848214b00d324a497", "rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -806,11 +806,11 @@
}, },
"nixpkgs_9": { "nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1720585496, "lastModified": 1721215108,
"narHash": "sha256-UONPcQR2r0voopd6pcNFmUv7p4TJPeAXzwnqWmaPujw=", "narHash": "sha256-aOiSBcftoGye0spDdIylZE6TVTo7C/B4atYH25tSemQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e01511309fe8b0432aa58a547365e51d5a3ecf85", "rev": "7edc243443b44444eba596557de03ee52beca2eb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -983,11 +983,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720321395, "lastModified": 1720926522,
"narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=", "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea", "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1001,11 +1001,11 @@
"nixpkgs": "nixpkgs_9" "nixpkgs": "nixpkgs_9"
}, },
"locked": { "locked": {
"lastModified": 1720691926, "lastModified": 1721263500,
"narHash": "sha256-VE9ZfWRbyBjps5GV8KXiF8XodAykmwRpcJtPiVWCu8M=", "narHash": "sha256-6l0+MciXkktANuZ+Rwc6BZJxtMi7jHZRiSnzG+xpwyk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "srvos", "repo": "srvos",
"rev": "e3e8ff545ef14f13c69a0f743078637fde952018", "rev": "ef4f2248e1bbd84a0dd269ab31b9927d9c0bf2e6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1033,11 +1033,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719525570, "lastModified": 1721429336,
"narHash": "sha256-xSO/H67GAHEW0siD2PHoO/e97MbROL3r3s5SpF6A6Dc=", "narHash": "sha256-DTJUvI4Xkj4KC5tdq15OEUkPpk7Ebvqcz356dIT6jtY=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "1ff9d37d27377bfe8994c24a8d6c6c1734ffa116", "rev": "6bbae4f85b891df2e6e48b649919420434088507",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1105,11 +1105,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720818892, "lastModified": 1721059077,
"narHash": "sha256-f52x9srIcqQm1Df3T+xYR5P6VfdnDFa2vkkcLhlTp6U=", "narHash": "sha256-gCICMMX7VMSKKt99giDDtRLkHJ0cwSgBtDijJAqTlto=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "5b002f8a53ed04c1a4177e7b00809d57bd2c696f", "rev": "0fb28f237f83295b4dd05e342f333b447c097398",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1126,11 +1126,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720436211, "lastModified": 1720930114,
"narHash": "sha256-/cKXod0oGLl+vH4bKBZnTV3qxrw4jgOLnyQ8KXey5J8=", "narHash": "sha256-VZK73b5hG5bSeAn97TTcnPjXUXtV7j/AtS4KN8ggCS0=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "6fc8bded78715cdd43a3278a14ded226eb3a239e", "rev": "b92afa1501ac73f1d745526adc4f89b527595f14",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -179,6 +179,7 @@
assets = ./assets; assets = ./assets;
factsGenerator = clan-fact-generators.lib { inherit pkgs; }; factsGenerator = clan-fact-generators.lib { inherit pkgs; };
clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; }; clanLib = import ./lib/clanlib.nix { inherit (pkgs) lib; machineDir = ./machines; };
zerotierDeviceName = "ztbn67ogn2";
}; };
}; };
@ -251,9 +252,14 @@
]; ];
}) })
# configure nix # configure nix
({ pkgs, lib, ... }: ({ pkgs, lib, clanLib, ... }:
{ {
nix.settings.substituters = [ "https://cache.nixos.org/" ]; nix.settings.substituters = [
"http://cache.orbi.wg0/"
];
nix.settings.trusted-public-keys = [
(clanLib.readFact "nix-serve.pub" "orbi")
];
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.max-jobs = 1; nix.settings.max-jobs = 1;
# no channesl needed this way # no channesl needed this way
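Review bot: The new `nix.settings.substituters` entry fetches over plain `http://cache.orbi.wg0/`, so the integrity of every substituted path now rests on signature checking against the single key read by `clanLib.readFact "nix-serve.pub" "orbi"`, and that key becomes a root of trust for every machine using this module. Nothing in the hunk records that, and nothing handles the cache being unreachable (a host off wg0, or orbi itself), where substitution may stall instead of building locally. I would add a comment like `# http is fine only because wg0 carries it and nix verifies signatures against the orbi key below` and consider `nix.settings.connect-timeout = 5;` together with `nix.settings.fallback = true;`. Whether cache.nixos.org stays available depends on module defaults merged outside this hunk, so that is worth checking in the generated nix.conf of a built host.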


@ -16,6 +16,7 @@
./service-vaultwarden.nix ./service-vaultwarden.nix
#./service-surrealdb.nix # not really needed at the moment #./service-surrealdb.nix # not really needed at the moment
./service-vikunja.nix ./service-vikunja.nix
./service-nix-cache.nix
./nginx-ingolf-wagner-de.nix ./nginx-ingolf-wagner-de.nix
./nginx-wkd.nix ./nginx-wkd.nix


@ -0,0 +1 @@
cache.orbi.wg0:TAQd7qqh08yKkCU6WofWTVH1ORFAnmwxZJaYXWtuojQ=


@ -17,7 +17,7 @@ in
}; };
users.groups.gitea-runner = { }; users.groups.gitea-runner = { };
clanCore.facts.services.gitea-runner = { clan.core.facts.services.gitea-runner = {
secret."gitea-runner.token" = { }; secret."gitea-runner.token" = { };
generator = { generator = {
prompt = "please enter your gitea-runner password"; prompt = "please enter your gitea-runner password";
@ -51,7 +51,7 @@ in
pkgs.openssh pkgs.openssh
]; ];
url = "https://git.ingolf-wagner.de"; url = "https://git.ingolf-wagner.de";
tokenFile = config.clanCore.facts.services.gitea-runner.secret."gitea-runner.token".path; tokenFile = config.clan.core.facts.services.gitea-runner.secret."gitea-runner.token".path;
name = "fick_deine_mudda"; name = "fick_deine_mudda";
labels = [ labels = [
# provide a debian base with nodejs for actions # provide a debian base with nodejs for actions


@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
{
# nixpkgs.config.packageOverrides = p: {
# nix-serve = p.haskellPackages.nix-serve-ng;
# };
# generate private key with:
# nix-store --generate-binary-cache-key my-secret-key my-public-key
clan.core.facts.services."nix-serve" = {
secret."nix-serve.key" = { };
public."nix-serve.pub" = { };
generator.path = with pkgs; [ coreutils nix ];
generator.script = ''
nix-store --generate-binary-cache-key "cache.${config.networking.hostName}.wg0" nix-serve.key nix-serve.pub
mv nix-serve.key "$secrets"/nix-serve.key
mv nix-serve.pub "$facts"/nix-serve.pub
'';
};
services.nix-serve = {
enable = true;
secretKeyFile = config.clan.core.facts.services.nix-serve.secret."nix-serve.key".path;
port = 5005;
};
services.nginx = {
enable = true;
virtualHosts."cache.${config.networking.hostName}.wg0" = {
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
allow ${config.wireguard.wg0.subnet};
deny all;
'';
locations."= /nix-cache-info".extraConfig = ''
alias ${pkgs.writeText "cache-info" ''
StoreDir: /nix/store
WantMassQuery: 1
Priority: 42
''};
allow ${config.wireguard.wg0.subnet};
deny all;
'';
};
};
}
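Review bot: `services.nix-serve` sets no `bindAddress`, so unless the module default is loopback (I believe it is `0.0.0.0`) port 5005 listens on every interface, and the `allow ${config.wireguard.wg0.subnet}; deny all;` rules in the nginx locations do not cover connections made to nix-serve directly wherever the firewall permits them. Adding `bindAddress = "127.0.0.1";` next to `port = 5005;` and pointing `proxy_pass` at `http://127.0.0.1:${toString config.services.nix-serve.port}` keeps nginx as the only entry point. The generator script also creates `nix-serve.key` in the working directory before `mv` moves it into `"$secrets"`; passing `"$secrets"/nix-serve.key` to `nix-store --generate-binary-cache-key` directly avoids the private key briefly sitting in a path whose permissions are not visible here. The commented-out `packageOverrides` block at the top can be removed or given a note on why it is kept.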