-rw-r--r--.github/workflows/check.yml30
-rw-r--r--.github/workflows/update-inputs.yaml44
-rw-r--r--.github/workflows/update-nixpkgs.yaml44
-rw-r--r--.github/workflows/update.yml30
-rw-r--r--flake.lock212
-rw-r--r--flake.nix61
-rw-r--r--hosts/atlas/cachix.nix18
-rw-r--r--hosts/atlas/default.nix16
-rw-r--r--hosts/default.nix68
-rw-r--r--hosts/p-body/buildMachines.nix26
-rw-r--r--hosts/p-body/cachix.nix18
-rw-r--r--hosts/p-body/default.nix5
-rw-r--r--hosts/p-body/forgejo.nix4
-rw-r--r--hosts/p-body/hydra.nix64
-rw-r--r--hosts/p-body/nginx.nix29
-rw-r--r--hosts/p-body/p-body2atlas.pub1
-rw-r--r--hosts/p-body/prometheus.nix2
-rw-r--r--hosts/profiles.nix12
-rw-r--r--lib/ci.nix70
-rw-r--r--lib/configs.nix37
-rw-r--r--lib/default.nix18
-rw-r--r--modules/flake/ci.nix67
-rw-r--r--modules/flake/default.nix15
-rw-r--r--modules/flake/dev.nix14
-rw-r--r--modules/nixos/server/default.nix2
-rw-r--r--secrets/hosts/atlas/binaryCache.age19
-rw-r--r--secrets/hosts/atlas/clusterToken.age17
-rw-r--r--secrets/hosts/atlas/secretsJson.age20
-rw-r--r--secrets/hosts/p-body/binaryCache.age20
-rw-r--r--secrets/hosts/p-body/clusterToken.age17
-rw-r--r--secrets/hosts/p-body/hydraGH.age15
-rw-r--r--secrets/hosts/p-body/p-body2atlas.age19
-rw-r--r--secrets/hosts/p-body/secretsJson.age19
-rw-r--r--secrets/secrets.nix23
-rw-r--r--users/default.nix30
35 files changed, 608 insertions, 498 deletions
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
deleted file mode 100644
index 1a9a6ea..0000000
--- a/.github/workflows/check.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: check flake
-
-on:
- pull_request:
- paths:
- - "**.nix"
- push:
- paths:
- - "**.nix"
- workflow_dispatch:
- workflow_call:
-
-jobs:
- check:
- runs-on: ubuntu-latest
- steps:
- - name: checkout repo
- uses: actions/checkout@v3
-
- - name: install nix
- uses: cachix/install-nix-action@v20
- with:
- github_access_token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: run nix flake check
- run: |
- export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
- export NIXPKGS_ALLOW_BROKEN=1
- export NIXPKGS_ALLOW_UNFREE=1
- nix flake check --impure
diff --git a/.github/workflows/update-inputs.yaml b/.github/workflows/update-inputs.yaml
new file mode 100644
index 0000000..35b22d4
--- /dev/null
+++ b/.github/workflows/update-inputs.yaml
@@ -0,0 +1,44 @@
+name: update all inputs
+
+on:
+ #schedule:
+ # # run every saturday
+ # - cron: "0 0 * * 6"
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ update-lock:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: checkout repo
+ uses: actions/checkout@v3
+
+ - name: install nix
+ uses: cachix/install-nix-action@v20
+ with:
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: setup cachix
+ uses: cachix/cachix-action@v12
+ with:
+ name: getchoo
+
+ - name: update all inputs
+ uses: DeterminateSystems/update-flake-lock@v19
+ with:
+ inputs: nixpkgs nixpkgsUnstable
+ commit-msg: "chore: update all inputs"
+ pr-title: "chore: update all inputs"
+ pr-body: |
+ Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+ ```
+ ${{ env.GIT_COMMIT_MESSAGE }}
+ ```
+
+ bors r+
+ nix-options: "--accept-flake-config"
+ token: ${{ secrets.FLAKE_UPDATE }}
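Review bot: `inputs: nixpkgs nixpkgsUnstable` names an input that this same commit removes — flake.nix now declares `nixpkgs` and `nixpkgs-stable` — so `update-flake-lock` will be asked to update a flake input that does not exist and the job presumably fails rather than updating anything. Since the workflow is titled "update all inputs", drop the `inputs:` line entirely so the action runs a plain `nix flake update`, or, if the restriction is intended, change it to `inputs: nixpkgs nixpkgs-stable`. Note also that the schedule is commented out, so this only ever runs via `workflow_dispatch`; a comment saying why would save the next reader from re-enabling it by accident.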
diff --git a/.github/workflows/update-nixpkgs.yaml b/.github/workflows/update-nixpkgs.yaml
new file mode 100644
index 0000000..1e86fe6
--- /dev/null
+++ b/.github/workflows/update-nixpkgs.yaml
@@ -0,0 +1,44 @@
+name: update nixpkgs inputs
+
+on:
+ #schedule:
+ # # run every 2 days, sunday-friday
+ # - cron: "0 0 * * 0-5/2"
+ workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+ update-nixpkgs:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: checkout repo
+ uses: actions/checkout@v3
+
+ - name: install nix
+ uses: cachix/install-nix-action@v20
+ with:
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: setup cachix
+ uses: cachix/cachix-action@v12
+ with:
+ name: getchoo
+
+ - name: update nixpkgs inputs
+ uses: DeterminateSystems/update-flake-lock@v19
+ with:
+ inputs: nixpkgs nixpkgs-stable
+ commit-msg: "chore: update nixpkgs inputs"
+ pr-title: "chore: update nixpkgs inputs"
+ pr-body: |
+ Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+ ```
+ ${{ env.GIT_COMMIT_MESSAGE }}
+ ```
+
+ bors r+
+ nix-options: "--accept-flake-config"
+ token: ${{ secrets.FLAKE_UPDATE }}
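Review bot: Every `uses:` here is pinned to a mutable tag (`actions/checkout@v3`, `cachix/install-nix-action@v20`, `cachix/cachix-action@v12`, `DeterminateSystems/update-flake-lock@v19`) while the job runs with a PAT (`secrets.FLAKE_UPDATE`) that can push branches and open PRs, and the PR body ends in `bors r+`, so a lock bump that passes CI merges with no human review. A moved tag in any of those four repositories therefore becomes code that can rewrite `flake.lock` on the default branch; pin each action to the full commit SHA of the release and keep the tag as a trailing comment. Whether unattended `bors r+` on a nixpkgs bump is acceptable is a policy call, but it deserves a comment next to the `pr-body` stating that it is intentional.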
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
deleted file mode 100644
index 6125d2f..0000000
--- a/.github/workflows/update.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: update nixpkgs inputs
-
-on:
- schedule:
- - cron: "0 0 * * *"
- workflow_dispatch:
-
-jobs:
- update-lock:
- runs-on: ubuntu-latest
-
- steps:
- - name: checkout repo
- uses: actions/checkout@v3
-
- - name: install nix
- uses: cachix/install-nix-action@v20
- with:
- github_access_token: ${{ secrets.GITHUB_TOKEN }}
-
- - name: update inputs
- run: nix flake lock --update-input nixpkgs --update-input nixpkgsUnstable --update-input openwrt-imagebuilder
-
- - name: add and commit
- uses: EndBug/add-and-commit@v9
- with:
- default_author: github_actions
- message: "chore: update nixpkgs inputs"
- check:
- uses: ./.github/workflows/check.yml
diff --git a/flake.lock b/flake.lock
index cbec956..9c54037 100644
--- a/flake.lock
+++ b/flake.lock
@@ -143,7 +143,28 @@
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
- "nixpkgsUnstable"
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1683560683,
+ "narHash": "sha256-XAygPMN5Xnk/W2c1aW0jyEa6lfMDZWlQgiNtmHXytPc=",
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "rev": "006c75898cf814ef9497252b022e91c946ba8e17",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "flake-parts",
+ "type": "github"
+ }
+ },
+ "flake-parts_2": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "lanzaboote",
+ "nixpkgs"
]
},
"locked": {
@@ -201,21 +222,19 @@
"flake-compat": [
"flake-compat"
],
- "nixpkgs": [
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1684306480,
"narHash": "sha256-6mgNbTWDqraRBldd4/QZ8ZRB3K25+1zCmvSOkrhj7Ac=",
"owner": "getchoo",
- "repo": "overlay",
+ "repo": "nix-exprs",
"rev": "423914276f9623786e1d33e486b26a1406115067",
"type": "github"
},
"original": {
"owner": "getchoo",
- "repo": "overlay",
+ "repo": "nix-exprs",
"type": "github"
}
},
@@ -242,9 +261,7 @@
},
"guzzle_api": {
"inputs": {
- "nixpkgs": [
- "nixpkgsUnstable"
- ],
+ "nixpkgs": "nixpkgs_2",
"pre-commit-hooks": [
"pre-commit-hooks"
]
@@ -263,74 +280,6 @@
"type": "github"
}
},
- "haskell-flake": {
- "locked": {
- "lastModified": 1678745009,
- "narHash": "sha256-ujfwSrkxThmHJozibkCnJmlXLVyxm+Cbo2Q4wXPbCS4=",
- "owner": "srid",
- "repo": "haskell-flake",
- "rev": "26852ade574c712bc3912ad28de52b0c4cf7d4cb",
- "type": "github"
- },
- "original": {
- "owner": "srid",
- "ref": "0.2.0",
- "repo": "haskell-flake",
- "type": "github"
- }
- },
- "hercules-ci-agent": {
- "inputs": {
- "flake-parts": [
- "flake-parts"
- ],
- "haskell-flake": "haskell-flake",
- "nix-darwin": "nix-darwin",
- "nixpkgs": "nixpkgs",
- "pre-commit-hooks-nix": [
- "pre-commit-hooks"
- ]
- },
- "locked": {
- "lastModified": 1681758488,
- "narHash": "sha256-RBd/RNq3wL52FvoajMwrnfyZPfq67KMzmp6rtNAx/2o=",
- "owner": "hercules-ci",
- "repo": "hercules-ci-agent",
- "rev": "ef296dd6211e2ffeb942f12e6232a2d9abdd488d",
- "type": "github"
- },
- "original": {
- "owner": "hercules-ci",
- "repo": "hercules-ci-agent",
- "type": "github"
- }
- },
- "hercules-ci-effects": {
- "inputs": {
- "flake-parts": [
- "flake-parts"
- ],
- "hercules-ci-agent": [
- "hercules-ci-agent"
- ],
- "nixpkgs": [
- "nixpkgsUnstable"
- ]
- },
- "locked": {
- "lastModified": 1681898675,
- "narHash": "sha256-nIJ7CAdiHv4i1no/VgDoeTJLzbLYwu5+/Ycoyzn0S78=",
- "owner": "hercules-ci",
- "repo": "hercules-ci-effects",
- "rev": "15ff4f63e5f28070391a5b09a82f6d5c6cc5c9d0",
- "type": "github"
- },
- "original": {
- "owner": "hercules-ci",
- "repo": "hercules-ci-effects",
- "type": "github"
- }
- },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -357,15 +306,11 @@
"flake-compat": [
"flake-compat"
],
- "flake-parts": [
- "flake-parts"
- ],
+ "flake-parts": "flake-parts_2",
"flake-utils": [
"flake-utils"
],
- "nixpkgs": [
- "nixpkgs"
- ],
+ "nixpkgs": "nixpkgs_3",
"pre-commit-hooks-nix": [
"pre-commit-hooks"
],
@@ -385,31 +330,10 @@
"type": "github"
}
},
- "nix-darwin": {
- "inputs": {
- "nixpkgs": [
- "hercules-ci-agent",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1680266963,
- "narHash": "sha256-IW/lzbUCOcldLHWHjNSg1YoViDnZOmz0ZJL7EH9OkV8=",
- "owner": "LnL7",
- "repo": "nix-darwin",
- "rev": "99d4187d11be86b49baa3a1aec0530004072374f",
- "type": "github"
- },
- "original": {
- "owner": "LnL7",
- "repo": "nix-darwin",
- "type": "github"
- }
- },
"nixinate": {
"inputs": {
"nixpkgs": [
- "nixpkgsUnstable"
+ "nixpkgs"
]
},
"locked": {
@@ -470,21 +394,35 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1680213900,
- "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
+ "lastModified": 1684690104,
+ "narHash": "sha256-It8pY+NukmjrBrQ3AeTLpF5m7ecVfIYxE+qzV33YNmo=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
+ "rev": "601b8658d53c5e25ac3b5203e4a163122a77a84b",
"type": "github"
},
"original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable-small",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1684580438,
+ "narHash": "sha256-LUPswmDn6fXP3lEBJFA2Id8PkcYDgzUilevWackYVvQ=",
"owner": "NixOS",
- "ref": "nixos-unstable",
"repo": "nixpkgs",
+ "rev": "7dc71aef32e8faf065cb171700792cf8a65c152d",
"type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-22.11",
+ "type": "indirect"
}
},
- "nixpkgsUnstable": {
+ "nixpkgs_2": {
"locked": {
"lastModified": 1684570954,
"narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
@@ -499,21 +437,53 @@
"type": "indirect"
}
},
- "nixpkgs_2": {
+ "nixpkgs_3": {
"locked": {
- "lastModified": 1684580438,
- "narHash": "sha256-LUPswmDn6fXP3lEBJFA2Id8PkcYDgzUilevWackYVvQ=",
+ "lastModified": 1684690104,
+ "narHash": "sha256-It8pY+NukmjrBrQ3AeTLpF5m7ecVfIYxE+qzV33YNmo=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "7dc71aef32e8faf065cb171700792cf8a65c152d",
+ "rev": "601b8658d53c5e25ac3b5203e4a163122a77a84b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_4": {
+ "locked": {
+ "lastModified": 1684570954,
+ "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
"type": "github"
},
"original": {
"id": "nixpkgs",
- "ref": "nixos-22.11",
+ "ref": "nixos-unstable",
"type": "indirect"
}
},
+ "nixpkgs_5": {
+ "locked": {
+ "lastModified": 1684570954,
+ "narHash": "sha256-FX5y4Sm87RWwfu9PI71XFvuRpZLowh00FQpIJ1WfXqE=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "3005f20ce0aaa58169cdee57c8aa12e5f1b6e1b3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nur": {
"locked": {
"lastModified": 1684701889,
@@ -559,7 +529,7 @@
],
"gitignore": "gitignore",
"nixpkgs": [
- "nixpkgsUnstable"
+ "nixpkgs"
],
"nixpkgs-stable": [
"nixpkgs"
@@ -584,9 +554,7 @@
"agenix": "agenix",
"crane": "crane_2",
"flake-utils": "flake-utils_2",
- "nixpkgs": [
- "nixpkgsUnstable"
- ],
+ "nixpkgs": "nixpkgs_5",
"rust-overlay": "rust-overlay_2"
},
"locked": {
@@ -610,15 +578,13 @@
"flake-utils": "flake-utils",
"getchoo": "getchoo",
"guzzle_api": "guzzle_api",
- "hercules-ci-agent": "hercules-ci-agent",
- "hercules-ci-effects": "hercules-ci-effects",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
"nixinate": "nixinate",
"nixos-hardware": "nixos-hardware",
"nixos-wsl": "nixos-wsl",
- "nixpkgs": "nixpkgs_2",
- "nixpkgsUnstable": "nixpkgsUnstable",
+ "nixpkgs": "nixpkgs_4",
+ "nixpkgs-stable": "nixpkgs-stable",
"nur": "nur",
"openwrt-imagebuilder": "openwrt-imagebuilder",
"pre-commit-hooks": "pre-commit-hooks",
diff --git a/flake.nix b/flake.nix
index d48b4df..813d9cb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,102 +5,93 @@
extra-substituters = [
"https://getchoo.cachix.org" # personal cache
"https://nix-community.cachix.org" # nix-community
- "https://hercules-ci.cachix.org" # hercules-ci
"https://wurzelpfropf.cachix.org" # ragenix
];
extra-trusted-public-keys = [
"getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
"wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
];
};
inputs = {
- nixpkgs.url = "nixpkgs/nixos-22.11";
- nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
+ nixpkgs.url = "nixpkgs/nixos-unstable";
+ nixpkgs-stable.url = "nixpkgs/nixos-22.11";
+
+ # this is just to avoid having multiple versions in flake.lock
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
- # this is just to avoid having multiple versions in flake.lock
flake-utils.url = "github:numtide/flake-utils";
+
flake-parts = {
url = "github:hercules-ci/flake-parts";
- inputs.nixpkgs-lib.follows = "nixpkgsUnstable";
+ inputs.nixpkgs-lib.follows = "nixpkgs";
};
+
getchoo = {
- url = "github:getchoo/overlay";
- inputs.nixpkgs.follows = "nixpkgs";
+ url = "github:getchoo/nix-exprs";
inputs.flake-compat.follows = "flake-compat";
};
+
guzzle_api = {
url = "github:getchoo/guzzle_api";
- inputs.nixpkgs.follows = "nixpkgsUnstable";
inputs.pre-commit-hooks.follows = "pre-commit-hooks";
};
- hercules-ci-agent = {
- url = "github:hercules-ci/hercules-ci-agent";
- inputs.flake-parts.follows = "flake-parts";
- inputs.pre-commit-hooks-nix.follows = "pre-commit-hooks";
- };
- hercules-ci-effects = {
- url = "github:hercules-ci/hercules-ci-effects";
- inputs.nixpkgs.follows = "nixpkgsUnstable";
- inputs.flake-parts.follows = "flake-parts";
- inputs.hercules-ci-agent.follows = "hercules-ci-agent";
- };
+
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
+
lanzaboote = {
url = "github:nix-community/lanzaboote";
- inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
- inputs.flake-parts.follows = "flake-parts";
inputs.pre-commit-hooks-nix.follows = "pre-commit-hooks";
};
+
nixinate = {
url = "github:MatthewCroughan/nixinate";
- inputs.nixpkgs.follows = "nixpkgsUnstable";
+ inputs.nixpkgs.follows = "nixpkgs";
};
+
nixos-wsl = {
url = "github:nix-community/NixOS-WSL/main";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
};
+
nixos-hardware.url = "github:NixOS/nixos-hardware";
nur.url = "github:nix-community/NUR";
+
openwrt-imagebuilder = {
url = "github:astro/nix-openwrt-imagebuilder";
inputs.nixpkgs.follows = "nixpkgs";
};
+
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
- inputs.nixpkgs.follows = "nixpkgsUnstable";
+ inputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs-stable.follows = "nixpkgs";
inputs.flake-compat.follows = "flake-compat";
inputs.flake-utils.follows = "flake-utils";
};
- ragenix = {
- url = "github:yaxitech/ragenix";
- inputs.nixpkgs.follows = "nixpkgsUnstable";
- };
+
+ ragenix.url = "github:yaxitech/ragenix";
};
- outputs = inputs: let
- inherit (inputs) getchoo;
- inherit (inputs.flake-parts.lib) mkFlake;
- in
- mkFlake {inherit inputs;} {
+ outputs = inputs:
+ inputs.flake-parts.lib.mkFlake
+ {inherit inputs;}
+ {
imports = [
./hosts
- ./users
./modules/flake
- getchoo.flakeModules.homeConfigurations
+ ./users
+ inputs.getchoo.flakeModules.default
];
};
}
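Review bot: The `inputs.nixpkgs.follows = "nixpkgs"` lines removed from `getchoo`, `guzzle_api`, `lanzaboote` and `ragenix` contradict the comment kept just above (`# this is just to avoid having multiple versions in flake.lock`): the lock in this same commit now carries five separate nixpkgs pins (`nixpkgs`, `nixpkgs_2` … `nixpkgs_5`). The update workflows only bump `nixpkgs`/`nixpkgs-stable`, so the nixpkgs that lanzaboote and ragenix build against stays at whatever upstream locked and will not pick up security fixes with the rest of the system. If these were unpinned because they broke against a shared nixpkgs, say so in a comment on each input; otherwise restore `inputs.nixpkgs.follows = "nixpkgs";` on them.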
diff --git a/hosts/atlas/cachix.nix b/hosts/atlas/cachix.nix
new file mode 100644
index 0000000..1dc1830
--- /dev/null
+++ b/hosts/atlas/cachix.nix
@@ -0,0 +1,18 @@
+{pkgs, ...}: let
+ uploadToCachix = pkgs.writeScriptBin "upload-to-cachix" ''
+ #!/bin/sh
+ set -euf
+
+ OUT_END=$(echo ''${OUT_PATHS: -10})
+ if [ "$OUT_END" == "-spec.json" ]; then
+ exit 0
+ fi
+
+ export HOME=/root
+ exec ${pkgs.cachix}/bin/cachix -c /etc/cachix/cachix.dhall push getchoo $OUT_PATHS > /tmp/hydra_cachix 2>&1
+ '';
+in {
+ nix.extraOptions = ''
+ post-build-hook = ${uploadToCachix}/bin/upload-to-cachix
+ '';
+}
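Review bot: The hook runs under the nix daemon (root) and truncates a fixed, predictable path in the shared `/tmp` (`> /tmp/hydra_cachix 2>&1`), so a local user who pre-creates `/tmp/hydra_cachix` as a symlink can have root overwrite the target, unless `fs.protected_symlinks` or a private tmp for the daemon is in effect — nothing in this diff shows either. Drop the redirect and let output reach the daemon's journal, or write under a root-owned directory. Separately, `''${OUT_PATHS: -10}` looks at the last 10 characters of the whole space-separated list, so the `-spec.json` skip only fires when that file is the last output path; and `==` inside `[` is a bash extension (works because /bin/sh is bash on NixOS, but `=` is the portable spelling).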
diff --git a/hosts/atlas/default.nix b/hosts/atlas/default.nix
index 220592d..cf17462 100644
--- a/hosts/atlas/default.nix
+++ b/hosts/atlas/default.nix
@@ -5,6 +5,7 @@
}: {
imports = [
./hardware-configuration.nix
+ ./cachix.nix
./miniflux.nix
./nginx.nix
./prometheus.nix
@@ -24,11 +25,18 @@
loader.efi.canTouchEfiVariables = true;
};
+ getchoo.server = {
+ secrets.enable = true;
+ services.loki.enable = true;
+ };
+
networking = {
domain = "mydadleft.me";
hostName = "atlas";
};
+ nix.settings.trusted-users = ["bob"];
+
system.stateVersion = "22.11";
users.users = let
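Review bot: `nix.settings.trusted-users = ["bob"]` makes the remote-build account root-equivalent on atlas (a trusted user may set arbitrary `substituters`/`trusted-public-keys` and import unsigned paths), and the private key that logs in as bob is, per hosts/p-body/hydra.nix, readable by the whole `hydra` group including `hydra-www`, the process behind the public web UI. Trusted status is presumably required so the builder can accept unsigned closures, but the SSH side can be narrowed: prefix bob's authorized key with `command="nix-store --serve --write",restrict` so a leaked key yields only the nix-store protocol rather than a shell. A comment on the `trusted-users` line stating why it is needed would stop a future cleanup from removing it or widening it.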
@@ -44,6 +52,14 @@
passwordFile = config.age.secrets.userPassword.path;
inherit openssh;
};
+ bob = {
+ isNormalUser = true;
+ shell = pkgs.bash;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtbxHjDADxqsG+AgCoiDq0uCsgcnJCIH+9rB6K5pIi9 p-body@p-body"
+ "ssh-ed25519 aaaac3nzac1lzdi1nte5aaaaimpv9widwxvyovh347caulkdgzg7+1m/rz1av5fk3bhm atlas [email protected]"
+ ];
+ };
};
zramSwap.enable = true;
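Review bot: The second entry in bob's `openssh.authorizedKeys.keys` (`ssh-ed25519 aaaac3nzac1lzdi1nte5aaaaim…`) is entirely lower-case, but the base64 key blob is case-sensitive — every ed25519 public key begins `AAAAC3NzaC1lZDI1NTE5AAAAI`, as the first entry does — so this line cannot decode as a valid key and sshd will ignore it. Either restore the original key material or delete the entry; in both cases add a comment naming what that key is for, since the trailing comment on the line has been redacted to `[email protected]` and no longer identifies it.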
diff --git a/hosts/default.nix b/hosts/default.nix
index 4cd0381..1eafe16 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,25 +1,16 @@
{
inputs,
+ myLib,
self,
withSystem,
...
-}: let
- inherit (import ./profiles.nix {inherit inputs self;}) personal server;
-
- mkNixOS = {
- name,
- modules ? profile.modules,
- profile ? personal,
- system ? profile.system,
- specialArgs ? profile.specialArgs,
- }:
- profile.builder {
- inherit specialArgs system;
- modules = [./${name}] ++ modules ++ profile.modules;
- };
-in {
+}: {
flake = {
- nixosConfigurations = {
+ nixosConfigurations = let
+ inherit (myLib.my) mkNixOS;
+
+ profiles = import ./profiles.nix {inherit self inputs;};
+ in {
glados = mkNixOS {
name = "glados";
modules = with inputs; [
@@ -28,62 +19,35 @@ in {
nixos-hardware.nixosModules.common-pc-ssd
lanzaboote.nixosModules.lanzaboote
];
+ profile = profiles.personal;
};
glados-wsl = mkNixOS {
name = "glados-wsl";
modules = [inputs.nixos-wsl.nixosModules.wsl];
+ profile = profiles.personal;
};
atlas = mkNixOS {
name = "atlas";
- modules = [
- inputs.hercules-ci-agent.nixosModules.agent-service
-
- {
- getchoo.server = {
- secrets.enable = true;
- services.hercules-ci = {
- enable = true;
- secrets.enable = true;
- };
- };
- }
- ];
-
system = "aarch64-linux";
- profile = server;
+ profile = profiles.server;
};
p-body = mkNixOS {
name = "p-body";
- modules = with inputs; [
- hercules-ci-agent.nixosModules.agent-service
- guzzle_api.nixosModules.guzzle_api
-
- {
- getchoo.server = {
- secrets.enable = true;
- services.hercules-ci = {
- enable = true;
- secrets.enable = true;
- };
- };
- }
- ];
-
+ modules = [inputs.guzzle_api.nixosModules.guzzle_api];
system = "x86_64-linux";
- profile = server;
+ profile = profiles.server;
};
};
nixosModules.getchoo = import ../modules/nixos;
- # openwrt-imagebuilder seems to only work
- # on x64
- packages.x86_64-linux.turret =
- withSystem "x86_64-linux"
- (s: s.pkgs.callPackage ./turret {inherit (inputs) openwrt-imagebuilder;});
+ packages.x86_64-linux.turret = withSystem "x86_64-linux" ({pkgs, ...}:
+ pkgs.callPackage ./turret {
+ inherit (inputs) openwrt-imagebuilder;
+ });
};
perSystem = {system, ...}: {
diff --git a/hosts/p-body/buildMachines.nix b/hosts/p-body/buildMachines.nix
new file mode 100644
index 0000000..5facb2d
--- /dev/null
+++ b/hosts/p-body/buildMachines.nix
@@ -0,0 +1,26 @@
+{config, ...}: let
+ inherit (config.networking) hostName;
+in {
+ nix = {
+ buildMachines = [
+ {
+ hostName = "localhost";
+ speedFactor = -1;
+ supportedFeatures = ["big-parallel" "benchmark" "kvm" "nixos-test"];
+ system = "x86_64-linux";
+ }
+ {
+ hostName = "atlas";
+ maxJobs = 4;
+ speedFactor = 2;
+ sshUser = "bob";
+ sshKey = config.age.secrets."${hostName}2atlas".path;
+ supportedFeatures = ["benchmark" "big-parallel" "gccarch-armv8-a" "kvm" "nixos-test"];
+ system = "aarch64-linux";
+ }
+ ];
+
+ distributedBuilds = true;
+ settings.builders-use-substitutes = true;
+ };
+}
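Review bot: The `atlas` builder has no `publicHostKey`, so host-key verification for the SSH connection depends on whatever root's `known_hosts` happens to contain, and nothing in this diff pins it; set `publicHostKey` to the base64 of atlas's `ssh-ed25519` host key line (or declare it in `programs.ssh.knownHosts.atlas`) so a spoofed `atlas` cannot receive the build closure and the key-based login. `speedFactor = -1` on the `localhost` entry assigns a value the option documents as a relative speed (a positive integer); whether that disables local building or is reinterpreted as a large unsigned number depends on the consumer's parser, so state the intent in a comment, e.g. `# prefer atlas; see hydra docs for how speedFactor is weighted`.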
diff --git a/hosts/p-body/cachix.nix b/hosts/p-body/cachix.nix
new file mode 100644
index 0000000..1dc1830
--- /dev/null
+++ b/hosts/p-body/cachix.nix
@@ -0,0 +1,18 @@
+{pkgs, ...}: let
+ uploadToCachix = pkgs.writeScriptBin "upload-to-cachix" ''
+ #!/bin/sh
+ set -euf
+
+ OUT_END=$(echo ''${OUT_PATHS: -10})
+ if [ "$OUT_END" == "-spec.json" ]; then
+ exit 0
+ fi
+
+ export HOME=/root
+ exec ${pkgs.cachix}/bin/cachix -c /etc/cachix/cachix.dhall push getchoo $OUT_PATHS > /tmp/hydra_cachix 2>&1
+ '';
+in {
+ nix.extraOptions = ''
+ post-build-hook = ${uploadToCachix}/bin/upload-to-cachix
+ '';
+}
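Review bot: This file is byte-identical to hosts/atlas/cachix.nix (both are blob `1dc1830`); move it into a shared module under modules/nixos so any fix to the hook lands on both hosts. Note also that a `post-build-hook` fires for every build the daemon performs on this host, not only Hydra jobs — and with the `hosts` jobset in modules/flake/ci.nix building whole NixOS system closures, anything rendered into the store (generated /etc files, any value a module inlines rather than references by path) is pushed to the public `getchoo` cache. A comment saying this is intended, plus a check that no module writes secret material into the store by value, would be worth adding.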
diff --git a/hosts/p-body/default.nix b/hosts/p-body/default.nix
index 35cbabb..2892a15 100644
--- a/hosts/p-body/default.nix
+++ b/hosts/p-body/default.nix
@@ -7,8 +7,11 @@
}: {
imports = [
(modulesPath + "/virtualisation/digital-ocean-image.nix")
+ ./buildMachines.nix
+ ./cachix.nix
./forgejo.nix
./grafana.nix
+ ./hydra.nix
./loki.nix
./nginx.nix
./prometheus.nix
@@ -22,6 +25,8 @@
hermetic = false;
};
+ getchoo.server.secrets.enable = true;
+
networking = {
domain = "mydadleft.me";
hostName = "p-body";
diff --git a/hosts/p-body/forgejo.nix b/hosts/p-body/forgejo.nix
index 034dd5a..8955830 100644
--- a/hosts/p-body/forgejo.nix
+++ b/hosts/p-body/forgejo.nix
@@ -2,7 +2,7 @@
config,
lib,
pkgs,
- nixpkgsUnstable,
+ nixpkgs,
...
}: let
theme = pkgs.fetchzip {
@@ -22,7 +22,7 @@ in {
domain = "git.${config.networking.domain}";
in {
enable = true;
- package = (import nixpkgsUnstable {inherit (pkgs) system;}).forgejo;
+ package = (import nixpkgs {inherit (pkgs) system;}).forgejo;
inherit domain;
rootUrl = "https://${domain}/";
appName = "forgejo: with daddy issues";
diff --git a/hosts/p-body/hydra.nix b/hosts/p-body/hydra.nix
new file mode 100644
index 0000000..56975b5
--- /dev/null
+++ b/hosts/p-body/hydra.nix
@@ -0,0 +1,64 @@
+{
+ config,
+ self,
+ ...
+}: let
+ hydraUser = config.users.users.hydra.name;
+ hydraGroup = config.users.users.hydra.group;
+ inherit (config.networking) domain hostName;
+in {
+ config = {
+ age.secrets = let
+ commonArgs = {
+ mode = "440";
+ owner = hydraUser;
+ group = hydraGroup;
+ };
+ in {
+ "${hostName}2atlas" =
+ {
+ file = "${self}/secrets/hosts/${hostName}/${hostName}2atlas.age";
+ }
+ // commonArgs;
+
+ "hydraGH" =
+ {
+ file = "${self}/secrets/hosts/${hostName}/hydraGH.age";
+ }
+ // commonArgs;
+ };
+
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.${domain}";
+ notificationSender = "hydra@${domain}";
+ listenHost = "localhost";
+ port = 6000;
+ useSubstitutes = true;
+ extraConfig = ''
+ Include ${config.age.secrets.hydraGH.path}
+
+ compress_build_logs = 1
+ queue_runner_metrics_address = 127.0.0.1:6002
+
+ <githubstatus>
+ jobs = .*
+ useShortContext = true
+ </githubstatus>
+
+ <hydra_notify>
+ <prometheus>
+ listen_address = 127.0.0.1
+ port = 6001
+ </prometheus>
+ </hydra_notify>
+ '';
+ extraEnv = {HYDRA_DISALLOW_UNFREE = "0";};
+ };
+
+ users.users = {
+ hydra-queue-runner.extraGroups = [hydraGroup];
+ hydra-www.extraGroups = [hydraGroup];
+ };
+ };
+}
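Review bot: `commonArgs` gives both secrets `mode = "440"` with group `hydra`, and `hydra-www` is added to that group, so the process serving the web UI can read the SSH private key used to log into atlas as a trusted user — it has no need for that key, and at most needs the GitHub token that is `Include`d into hydra.conf. Give the key to the component that actually performs remote builds (as far as I can tell the queue runner): `"${hostName}2atlas" = { file = …; owner = "hydra-queue-runner"; mode = "400"; };` and keep the group-readable mode only for `hydraGH`. Passing the token by `Include` path rather than by value is the right call since the config itself ends up in the store; a short comment noting that would prevent someone from inlining it later.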
diff --git a/hosts/p-body/nginx.nix b/hosts/p-body/nginx.nix
index 51d06ed..8f2f0da 100644
--- a/hosts/p-body/nginx.nix
+++ b/hosts/p-body/nginx.nix
@@ -1,8 +1,4 @@
-{
- config,
- pkgs,
- ...
-}: let
+{config, ...}: let
inherit (config.networking) domain;
in {
networking.firewall.allowedTCPPorts = [80 443];
@@ -15,8 +11,6 @@ in {
services.nginx = {
enable = true;
- additionalModules = [pkgs.nginxModules.fancyindex];
-
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
@@ -27,28 +21,41 @@ in {
virtualHosts = let
mkProxy = endpoint: port: {
"${endpoint}" = {
- proxyPass = "http://127.0.0.1:${port}";
+ proxyPass = "http://localhost:${port}";
proxyWebsockets = true;
};
};
in {
"api.${domain}" = {
enableACME = true;
- serverAliases = ["www.api.${domain}"];
+ addSSL = true;
locations = mkProxy "/" "8080";
};
"git.${domain}" = {
enableACME = true;
- serverAliases = ["www.git.${domain}"];
+ addSSL = true;
locations = mkProxy "/" "3000";
};
+ "hydra.${domain}" = {
+ enableACME = true;
+ addSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.hydra.port}";
+ extraConfig = ''
+ add_header Front-End-Https on;
+ '';
+ };
+ };
+
"grafana.${domain}" = {
enableACME = true;
- serverAliases = ["www.grafana.${domain}"];
+ addSSL = true;
+
locations = mkProxy "/" "4000";
};
};
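Review bot: `addSSL = true` keeps each vhost reachable over plain HTTP as well as HTTPS, so the Hydra, Forgejo and Grafana login pages can be reached and submitted without TLS; `forceSSL = true` still serves the ACME challenge and redirects everything else to HTTPS, which is what a proxy in front of authenticated services should do. `add_header Front-End-Https on;` in the hydra location adds a header to the response sent to the browser, not to the upstream request — if the intent is to tell Hydra it sits behind TLS that would be `proxy_set_header`, and `recommendedProxySettings = true` already forwards `X-Forwarded-Proto`, so the line is probably just dead. Switching `proxyPass` from `127.0.0.1` to `localhost` makes nginx resolve the name at config load; fine as long as /etc/hosts maps it to the address each backend binds to.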
diff --git a/hosts/p-body/p-body2atlas.pub b/hosts/p-body/p-body2atlas.pub
new file mode 100644
index 0000000..100f9ab
--- /dev/null
+++ b/hosts/p-body/p-body2atlas.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtbxHjDADxqsG+AgCoiDq0uCsgcnJCIH+9rB6K5pIi9 p-body@p-body
diff --git a/hosts/p-body/prometheus.nix b/hosts/p-body/prometheus.nix
index 26e9d0e..e65d828 100644
--- a/hosts/p-body/prometheus.nix
+++ b/hosts/p-body/prometheus.nix
@@ -21,6 +21,8 @@ in {
scrapeConfigs = [
(scrapeExporter "p-body" "localhost" "${toString config.services.prometheus.exporters.node.port}")
(scrapeExporter "atlas" "atlas" "${toString config.services.prometheus.exporters.node.port}")
+ (scrapeExporter "p-body-hydra" "127.0.0.1" "6001")
+ (scrapeExporter "p-body-hydra-queue" "127.0.0.1" "6002")
];
};
diff --git a/hosts/profiles.nix b/hosts/profiles.nix
index 614933e..13f5e44 100644
--- a/hosts/profiles.nix
+++ b/hosts/profiles.nix
@@ -2,11 +2,11 @@
inputs,
self,
}: let
- inherit (inputs) getchoo home-manager nixpkgs nixpkgsUnstable nur ragenix;
+ inherit (inputs) getchoo home-manager nixpkgs nixpkgs-stable nur ragenix;
in {
personal = {
system = "x86_64-linux";
- builder = nixpkgsUnstable.lib.nixosSystem;
+ builder = nixpkgs.lib.nixosSystem;
modules = [
ragenix.nixosModules.default
@@ -35,21 +35,19 @@ in {
nix = {
registry = {
getchoo.flake = getchoo;
- nixpkgs.flake = nixpkgsUnstable;
+ nixpkgs.flake = nixpkgs;
};
settings = {
trusted-substituters = [
"https://getchoo.cachix.org"
"https://nix-community.cachix.org"
- "https://hercules-ci.cachix.org"
"https://wurzelpfropf.cachix.org"
];
trusted-public-keys = [
"getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
"wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
];
};
@@ -64,7 +62,7 @@ in {
};
server = {
- builder = nixpkgs.lib.nixosSystem;
+ builder = nixpkgs-stable.lib.nixosSystem;
modules = [
ragenix.nixosModules.default
@@ -80,7 +78,7 @@ in {
services.promtail.enable = true;
};
};
- nix.registry.nixpkgs.flake = nixpkgs;
+ nix.registry.nixpkgs.flake = nixpkgs-stable;
}
];
diff --git a/lib/ci.nix b/lib/ci.nix
new file mode 100644
index 0000000..36185f6
--- /dev/null
+++ b/lib/ci.nix
@@ -0,0 +1,70 @@
+lib: supportedSystems: let
+ inherit (builtins) attrNames baseNameOf elem getContext head mapAttrs seq stringLength substring;
+ inherit (lib) filterAttrs;
+ check = string: elem string supportedSystems;
+in rec {
+ # filters systems in basic flake output
+ # ex:
+ #
+ # packages = {
+ # x86_64-linux = {};
+ # aarch64-linux = {};
+ # x86_64-darwin = {};
+ # aarch64-darwin = {};
+ # };
+ # mkCompatible packages -> {x86_64-linux = {}; aarch64-linux = {};}
+ mkCompatible = filterAttrs (system: _: check system);
+
+ # mkCompatible but for apps, since their attribute
+ # also needs to be editied in order to be picked up
+ # by hydra
+ mkCompatibleApps = apps:
+ mkCompatible (mapAttrs (
+ _:
+ mapAttrs (_: v: {
+ program = let
+ ctx = getContext v.program;
+ drvPath = head (attrNames ctx);
+ basename = baseNameOf drvPath;
+ hashLength = 33;
+ l = stringLength basename;
+ in {
+ name = substring hashLength (l - hashLength - 4) basename;
+ type = "derivation";
+ inherit drvPath;
+ };
+ })
+ )
+ apps);
+
+ # mkCompatible but for formatters
+ mkCompatibleFormatters = filterAttrs (system: fmt: check system && elem system (fmt.meta.platforms or []));
+
+ # mkComaptible, but maps nixosConfigurations
+ # to their toplevel build attribute so they can
+ # be picked up by hydra
+ mkCompatibleCfg = configs:
+ filterAttrs (_: config: check config.system)
+ (mapAttrs (_: v: v.config.system.build.toplevel) configs);
+
+ # mkCompatibleCfg, but the toplevel build attribute
+ # is only evaluated
+ mkCompatibleCfg' = configs:
+ filterAttrs (_: config: check config.system)
+ (mapAttrs (_: v:
+ seq
+ v.config.system.build.toplevel
+ v._module.args.pkgs.emptyFile)
+ configs);
+
+ # mkCompatible, but maps homeConfigurations
+ # to their activationPackage so they can be
+ # picked up by hydra
+ mkCompatibleHM = configs:
+ filterAttrs (system: _: check system)
+ (mapAttrs (_: mapAttrs (_: deriv: deriv.activationPackage or {})) configs);
+
+ # mkCompatible, but for packages
+ # meta.platforms is also checked to ensure compatibility
+ mkCompatiblePkgs = mapAttrs (system: filterAttrs (_: deriv: elem system (deriv.meta.platforms or [])));
+}
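Review bot: `mkCompatibleApps` assumes `v.program` carries exactly one string-context entry: `head (attrNames ctx)` throws on a context-free program string (an app whose `program` is a plain path literal) and silently picks the alphabetically first derivation when the string references several. Guard it with `if ctx == {} then v.program else …` and document the two magic numbers, `hashLength = 33; # 32-char store hash plus "-"` and `- 4 # strip ".drv"`, since the slicing silently produces a wrong job name if either assumption changes. `mkCompatibleHM` maps anything without an `activationPackage` to `{}`, which Hydra will read as an empty job set rather than an error; the comment above it should say that is deliberate.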
diff --git a/lib/configs.nix b/lib/configs.nix
new file mode 100644
index 0000000..8da37bc
--- /dev/null
+++ b/lib/configs.nix
@@ -0,0 +1,37 @@
+inputs: {
+ mkNixOS = {
+ name,
+ profile,
+ modules ? profile.modules,
+ system ? profile.system,
+ specialArgs ? profile.specialArgs,
+ }:
+ profile.builder {
+ inherit specialArgs system;
+ modules =
+ [../hosts/${name}]
+ ++ (
+ if modules == profile.modules
+ then modules
+ else modules ++ profile.modules
+ );
+ };
+
+ mkHMUser = {
+ name,
+ modules ? [],
+ pkgs ? import inputs.nixpkgs {system = "x86_64-linux";},
+ extraSpecialArgs ? inputs,
+ }:
+ inputs.home-manager.lib.homeManagerConfiguration {
+ inherit pkgs extraSpecialArgs;
+ modules =
+ [
+ {
+ programs.home-manager.enable = true;
+ }
+ ]
+ ++ [../users/${name}/home.nix]
+ ++ modules;
+ };
+}
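Review bot: `mkNixOS` decides whether to append `profile.modules` by testing `modules == profile.modules`; Nix compares lists element-wise and functions (which NixOS modules commonly are) only compare equal when they are the same value, so the test is true essentially only when the default was taken, and the branch is a roundabout way of always appending the profile. Simplify to `modules ? []` with `modules = [../hosts/${name}] ++ modules ++ profile.modules;` — every caller in hosts/default.nix passes either nothing or an explicit list, so behaviour is unchanged and the surprising equality disappears. `mkHMUser` hard-codes `x86_64-linux` in its default `pkgs`; a `system ? "x86_64-linux"` parameter would keep the default while allowing aarch64 users.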
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..67a102e
--- /dev/null
+++ b/lib/default.nix
@@ -0,0 +1,18 @@
+{
+ lib,
+ inputs,
+}: let
+ configs = import ./configs.nix inputs;
+in
+ lib.extend (_: _: {
+ my = {
+ inherit (configs) mkHMUser mkNixOS;
+
+ ci = import ./ci.nix lib;
+
+ mkFlakeFns = systems: nixpkgs: rec {
+ forAllSystems = lib.genAttrs systems;
+ nixpkgsFor = forAllSystems (system: import nixpkgs {inherit system;});
+ };
+ };
+ })
diff --git a/modules/flake/ci.nix b/modules/flake/ci.nix
index 91dc397..9f4e58d 100644
--- a/modules/flake/ci.nix
+++ b/modules/flake/ci.nix
@@ -1,56 +1,23 @@
{
+ myLib,
self,
- inputs,
...
-}: let
- inherit (inputs) hercules-ci-effects nixpkgs;
-in {
- imports = [
- hercules-ci-effects.flakeModule
- ];
-
- hercules-ci = {
- flake-update = {
- enable = true;
- when = {
- hour = [0];
- minute = 0;
+}: {
+ flake = {
+ hydraJobs = let
+ supportedSystems = [
+ "x86_64-linux"
+ "aarch64-linux"
+ ];
+ in
+ with (myLib.my.ci supportedSystems); {
+ apps = mkCompatibleApps self.apps;
+ checks = mkCompatible self.checks;
+ devShells = mkCompatible self.devShells;
+ formatter = mkCompatibleFormatters self.formatter;
+ homeConfigurations = mkCompatibleHM self.homeConfigurations;
+ packages = mkCompatiblePkgs self.packages;
+ hosts = mkCompatibleCfg self.nixosConfigurations;
};
- };
- };
-
- herculesCI = let
- inherit
- (import
- (hercules-ci-effects + "/vendor/hercules-ci-agent/default-herculesCI-for-flake.nix"))
- flakeToOutputs
- ;
- in rec {
- ciSystems = [
- "x86_64-linux"
- "aarch64-linux"
- ];
-
- onPush = {
- default = {
- outputs = with builtins;
- with nixpkgs.lib; let
- # use defaults, but only evaluate hosts
- defaults =
- removeAttrs
- (flakeToOutputs self {
- ciSystems = genAttrs ciSystems (_: {});
- })
- ["nixosConfigurations" "packages"];
-
- evaluate = mapAttrs (_: v:
- seq
- v.config.system.build.toplevel
- v._module.args.pkgs.emptyFile)
- self.nixosConfigurations;
- in
- mkForce (defaults // evaluate);
- };
- };
};
}
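Review bot: `with (myLib.my.ci supportedSystems); { … }` pulls every attribute of that set into scope, hiding where each `mkCompatible*` comes from and tripping the `with` lint the repo's own `statix` hook enforces; bind them explicitly instead: `let ci = myLib.my.ci supportedSystems; in { apps = ci.mkCompatibleApps self.apps; … }`. Also, `hosts = mkCompatibleCfg self.nixosConfigurations` builds every system toplevel on Hydra, whereas the removed herculesCI block deliberately only *evaluated* hosts and lib/ci.nix ships `mkCompatibleCfg'` for exactly that; if the old behaviour was meant to carry over, that is the function to call, and either way a comment should record the choice.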
diff --git a/modules/flake/default.nix b/modules/flake/default.nix
index 29c6c63..655ca47 100644
--- a/modules/flake/default.nix
+++ b/modules/flake/default.nix
@@ -1,9 +1,22 @@
-_: {
+{
+ inputs,
+ self,
+ ...
+}: {
imports = [
./ci.nix
./dev.nix
];
+ _module.args.myLib = self.lib {
+ inherit inputs;
+ inherit (inputs.nixpkgs) lib;
+ };
+
+ flake = {
+ lib = import ../../lib;
+ };
+
systems = [
"x86_64-linux"
"aarch64-linux"
diff --git a/modules/flake/dev.nix b/modules/flake/dev.nix
index 089c77a..6543fdd 100644
--- a/modules/flake/dev.nix
+++ b/modules/flake/dev.nix
@@ -1,18 +1,16 @@
{
- self,
inputs,
+ self,
...
-}: let
- inherit (inputs) pre-commit-hooks ragenix;
-in {
+}: {
perSystem = {
pkgs,
system,
...
}: {
checks = {
- pre-commit-check = pre-commit-hooks.lib.${system}.run {
- src = ./..;
+ pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
+ src = ./.;
hooks = {
actionlint.enable = true;
alejandra.enable = true;
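Review bot: `src = ./.;` is resolved relative to this file, so the pre-commit check now only sees `modules/flake/` (the old `./..` covered `modules/`); neither is the repository root. With `actionlint.enable = true` on the next line, the workflow files under `.github/workflows` that this commit touches are outside the checked tree and will never be linted, and Nix files elsewhere in the repo escape `alejandra`/`deadnix`/`statix` too, as far as the path implies. If whole-repo coverage is intended, point at the flake root, which is already a module argument: `src = self;`. The `checks` attribute set continues past the end of this hunk.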
@@ -29,12 +27,12 @@ in {
in {
default = mkShell {
inherit (self.checks.${system}.pre-commit-check) shellHook;
- packages = with pkgs; [
+ packages = with pkgs;
+ with inputs; [
actionlint
alejandra
deadnix
just
- nil
ragenix.packages.${system}.ragenix
statix
stylua
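Review bot: Nesting `with pkgs; with inputs;` around the package list makes the inner `with inputs` win for any name present in both sets, so a plain name such as `just` or `statix` would silently resolve to a flake input rather than a package if an input of that name is ever added, and a reader cannot tell which set each entry comes from. Only one element needs `inputs`, so drop the inner `with` and qualify it: `inputs.ragenix.packages.${system}.ragenix`. Removing `nil` from the shell is unexplained in the commit; if it was deliberate, a short note in the description would help. The `mkShell` call continues past the end of this hunk.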
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 210484e..55680d2 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -31,14 +31,12 @@ in {
trusted-substituters = [
"https://getchoo.cachix.org"
"https://nix-community.cachix.org"
- "https://hercules-ci.cachix.org"
"https://wurzelpfropf.cachix.org"
];
trusted-public-keys = [
"getchoo.cachix.org-1:ftdbAUJVNaFonM0obRGgR5+nUmdLMM+AOvDOSx0z5tE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
"wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
];
};
diff --git a/secrets/hosts/atlas/binaryCache.age b/secrets/hosts/atlas/binaryCache.age
deleted file mode 100644
index 688a845..0000000
--- a/secrets/hosts/atlas/binaryCache.age
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSBkM3FQ
-UXJ0dCtLMFBZWmRRWkdPdG5LVmdJeWs4bk9JcFJvK0FmcW0rOUVZCjA0cXNEUmN5
-cVJhdGJYeVM3cUFSdSsvVTBhempHREQ0c21XOGxQRGJ3M1kKLT4gc3NoLWVkMjU1
-MTkgbFdJVUZRIFBNMVY0QzdlamN0NmZ0SGE3SmIvcU5CRTRTMWs1QytNV0NwaDZO
-OVZwRG8KSlVjL0FiUCtXT2pUV0ZIbnZYcEJ1dVFONjhHdWNOaUhVd2dQTnVrVHhw
-QQotPiBzc2gtZWQyNTUxOSAycm0zd2cgRzNyNzVpWTFMUXB4QVZMc1V3dW1HcDN3
-UXQxU3MzNFg3bWsxRFh3cE53bwo4NlI4ZFY5K3UrMG1vMmpLeGxEREJPWUpSUGxN
-a2pUTjgyblVHUTUvamNnCi0+IDVvLWdyZWFzZSA0ZVEyR21eJwowSDlUMHRPMGVB
-NHNuaWo5VkF5RG90RUZqNWsKLS0tIHJ1SVErK1BVL3pyU2pMWFN4Y01SeUhnaTF0
-eGx4L2JvQTMzeUg1SFllR3cKFtQfIi8hRcQUmWg1JY4EJFkj4PQSsp4TAKKsAwLg
-NkLj6jNk7BuamnzGwJd/KQQDKDG1BX4bEL6k91OqMJFQlky7//gKEh1PjlU5qrUS
-HkFA5T/1RF+unLMAkhCLki2AXNsZr8L9hovEsw4xobFe954SKbvSZ64mn/Tnz/eD
-ehbYhpRT81NTyKWjA5sOGlSxKZuet/BRCXdB3SZRjnif0sTJPXwXw77nYus2ys1A
-L9/PdVCEVNBbuBLpTrkFdhM/iGvn+dIkevizjiFFgprUhNyWGLjr2bviMJQs0dXt
-k7v/z3koGVFJYatsPos0i0dbtZlbWEYJdvKoDv+ZojO9LNOH7vt90Lice2kP8dcE
-tYuGnw16XB60dmyJs4NVXov288LNSfRHAwk74t9FYUzq+UrTwIFQpaTFPedKj7Bm
-Ak2hBE7ZQ2s/sygbqjEgFkIE5t7giSZVPqLCvCc/QXObaik=
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/atlas/clusterToken.age b/secrets/hosts/atlas/clusterToken.age
deleted file mode 100644
index 084c6e4..0000000
--- a/secrets/hosts/atlas/clusterToken.age
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSBDSGhi
-VW9ETGZucUVWUys2V1B3T0FCcnNCVnMzMUJNVXhRQmhwRTBEbzNFClRzZ1RxUSt3
-ZFp6TmU5VlhjL2R2SkxRTnhxbTh0Mi9PZWlBTWlUUXAwSnMKLT4gc3NoLWVkMjU1
-MTkgbFdJVUZRIDFMbGZNRG15Q3RhMTcxV1BzQ3Nib2ZER0xwWmtoaFlrRnExMTl4
-dmsrU3MKajRuNEpOeUk0aGcrMENRbE5jUVhrQzdmYm9Fb0tkR0NqU3lLeFlWTEtW
-WQotPiBzc2gtZWQyNTUxOSAycm0zd2cgTWtoRVNWeG5BbFpZdFVqRWhtd1VHOWVZ
-d0dEdkhZRStJWUFXY3g2R3hCMAp1REJtblpneENTWEtQRVV6OXF3ZUtDb2VEQm54
-alhhaW5ma00rTm1nL0tvCi0+IC4wXXItZ3JlYXNlIF8tOyBRfCBXQWNwRltjICQo
-a34zWDctCgotLS0gQnZ3WkllM1dzMzJQZmF4WlVBMit1cTBYYVYvdXdwVzZldFlZ
-OUIyNldTMApW6XDdIQruISaX8BTwnqWRbSKtMzKY+LsGJZSqwZbCoKGT8jf6TNG0
-+0aHt5mz/HjomPVjNb2dTVUH2eR5pYYo2dKcRgUU6GFzWpUInIG7aaijZlAGkTnR
-UBuCVbbwDyh6D+8zNGmlgyFiWaP/1coF0NHAh/RkbxteN9qySL/nYlHnS8KNW8si
-pPhvZDhYUKzTQRtO+RCimWJuQqYaTkgqMVDd6K95pnyZbvbIDjZf21gB95AXwzVN
-Adrn3eTc3lVxfZo7cuIMM95ckDaW5kCgsI/5QbFlxujqqLn9XMdyiYr0YbsDyQAa
-lb0jIHWH9niuSGdimpcE/fhYvT6nvn/1vhjnGRztn7bziheT
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/atlas/secretsJson.age b/secrets/hosts/atlas/secretsJson.age
deleted file mode 100644
index 661858a..0000000
--- a/secrets/hosts/atlas/secretsJson.age
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSBtVEwv
-WE1XdTBHWnlCWm5mdTlJMnozZUwvWlQ1QXhLRmVMaU1UQ3RZcWpnCjBjRkt6NnhF
-SHUzTmJ0Kzg2aGVhL0hZZlBuRTNYTWZYeVQrZGVYVVgzQ1UKLT4gc3NoLWVkMjU1
-MTkgbFdJVUZRIDFsaFl3Tm1QNGJMbHdqbXRneUxmZFBXWVdkUVJ1TlYrKzcrclVy
-aXBkVFkKRmJZZXQ5NVB5c1NHZlNzU0YrZmUwUWVsdmJFWmdNZ1VBdkdIMlpaYm1M
-UQotPiBzc2gtZWQyNTUxOSAycm0zd2cgaWV2aFNITzJHTlV2dWo0cjhaQU55dHU4
-UVRhUEl6aUdpZlNmL3J6TFlRWQpHUHJhMUpOVTNiSU1nRkNYKy96R2hRSnlObzh3
-S3R0VCtRcXpRckdQVWxJCi0+IGxjO3ctalQtZ3JlYXNlIDJINCBSLk1CWSwzIC43
-LnhbeyBMCmhyZEFsTnk3ajFBR2dMWEl2UlBTMjNLZ3dGN1NHQ0pUTEZNa1o3dFNL
-THJrdm9hU3FZc1NxRjh6VDVzcnJpVQotLS0gR2ptcUNOeFU2cC9mWk81VkR3N0RD
-RDJDdTFSQTlzU29YNU00OTNKT1dVYwqKsKpFxIRRSzXX857VG9KnCK3AtyEv+Pj9
-hlcWScyY1Id4HjdISKExH+ybEqD5lF7tOKNJT4M6rIFHJnip1cYgNBD8WS8joXD3
-99Qmo98SP/x+0LhjJ/A/YPjtu9RcFmvBXP36y/3YCZOGcc6xc6jrzfGI9hTa+9lf
-pPLquxs8eME3Di0/u1l63pgX1Rqr07SU8kPf+D1ByQPQifECJJ39cipnEIg8mJV7
-2HLy0jxFV3FzVEYPCfOoBGfmqF4IUgZU6FDZ1AyS8ZJ12QD639FedgYEIYAH/Zz7
-BLIhXHDkU6JzOE4II7E9bWPAykofPlb1FdqD4WKAFXTSAmed68bLmYfwHfOuO6P3
-iv1zq87YLJaqe8b0ZgeqX0jEbsRdUURf9hFlSnHQXaW4owGVQU/JmlpOMpK47xNS
-yrWmaw==
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/binaryCache.age b/secrets/hosts/p-body/binaryCache.age
deleted file mode 100644
index 19e40d3..0000000
--- a/secrets/hosts/p-body/binaryCache.age
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSBQcklp
-cnlycDgyTnR1Sm0ybVBjSkRWRDJ4MFhDbFJCU2xCRmwxK1pYSWlBCmFvbkRHOU16
-MWJIMzVheTJTam9XRSs1d0c2RjcwS0h4L3NzQWl4cUh2anMKLT4gc3NoLWVkMjU1
-MTkgbFdJVUZRIEpLL21ncHdtZlVuSm1pTWJPR0M0OWpUMjlBTVh3NkwyMzhQa3Mz
-bDN0eUEKNWphbjB5dFk3WWpVZFJBRlNXL05KSGVsK3pXdXRMaGUxRk1uNXNib1F0
-WQotPiBzc2gtZWQyNTUxOSAycm0zd2cgQlRhdVV1M2hJNUZCc2pabmFCRVgrZGUy
-YzVUaXNWdHdiN2J2MlpNNnlpbwo0NTNzYWdYVlg5MEtvOE4rM3hJaUl5N2g3a0pR
-emU5SmdUSHhaTk5WZ3BrCi0+IDVsaTRCKzNRLWdyZWFzZSBMXFpLCkFLV0RqdEhV
-WG1QRnQ1VlFBODRYSmV5RU44M3UzQUxsMDhyRU56SFAKLS0tIDg0Vjg0dnJudnNr
-d2N2V2dIQjRYcnlzNS9RZXRleHhiNUZGK05sNHlTd2sKjVbalKa3CSoF71E1G8Km
-n9NcgkB1u2EOegbT+PPM7ik8j8RGu7KvKEHUEMgrTq0r4iy0QKfkrtWcrOA9ofy9
-OoVufNUVWdLEV4X8c4SfNSFvNKE2B/hsWFwG5jO+PQWlGLWB4xjcJ3wpMH/N8smt
-EHJipVuZX0YtXbovtCgtFtWD2+VFfG4P+5LCwH4qJuKpVMgu2efGeSmgLFhodKzd
-objXxM/k1FEYGuwEduXVd3BiE3lPPTHR8BChXgh0XhqhFoFGW0zBBo1o4pgTHL1D
-zgKes/T/MWP7N9V+DGLAky/z9AtDDYEcNiQe7ADIsOrU3zD1bkU5hOGvECUaHlqH
-CI1vywVkZMzpI7X4ulpR3+sCWFL6DY4sg6jG9EWx4+cf9TSLnv+RpAKPPDBgEIA4
-eO5RqlcjTGiOfNgnSf58R7OG6d79wzZVkzl+AQrrkE79Zzwm2DWU4aGmgWO7j2Z8
-ng==
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/clusterToken.age b/secrets/hosts/p-body/clusterToken.age
deleted file mode 100644
index 73d617d..0000000
--- a/secrets/hosts/p-body/clusterToken.age
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSAxQlFo
-MkNwbzhSWmIyVHZiZk1wTnZlaFAyNVBxeDZSR3dwZjdSekxJL3dVCjZDTk1ZUzdY
-RXBpNHRsMVZIb0NxWU16MXQ1VGIwTGZwUmRNdzZ5Y3BCMGMKLT4gc3NoLWVkMjU1
-MTkgbFdJVUZRIE5SeFUyb2FMTDY4a3QzOXFWYWJJenQ3VmlYMERRcU1VV3NJNDR4
-eE40MmcKNEZUTXhkVEl5MkRueWpCUGx3NHNraWhJdFQyRWhvamNVNkxEZUNhL2FB
-dwotPiBzc2gtZWQyNTUxOSAycm0zd2cgcDNaaktLWnVSZitrdCtIZXRRSUE2d21N
-d0FkU3hmRXVxb2k5cWhqOHJHMApwSW5CZG9mSlRBZkNPQ2VTM3cyMmVPNEROUUlR
-cTZvcFUydzVwaGVFa1RZCi0+IFtZLWdyZWFzZSBoUlxQICZ4YC87OFV4CjNDQUY1
-NzlMZUEKLS0tIGFBRHp5dkZ6OUtVczNpaXllTnRBekVrZ3FUbXI3UXJETGVtRTJ3
-L3hocFUK6ywg9Q6adzKoyp/v/USlp35PYuZJwNNyBu5Mjb+npN9eO8s40WqCPwVS
-T9r8uf9S05wmOkZ+fBC0qjY4Y2uMc3GZFSyuGUgBq/0rppwbQiET8OFP68lmSTuC
-vv39gq6nBixqPMir2yo0jw1Qh/FwykFVRbz7KBSWcOmu0iKTqDzcjfTpsiWqNHoH
-rDIHZ1zbXD2g9LM/koSFWZkAHNigsllili8cKD/Tf0O2XrEl7VWgBAANZqUXH6zK
-+z8LEfwprXRj5K0+yvo2WI+hid6AR3+C8UdC62OaSrT7CBqyuTWJqeqdGVxC1eM5
-ShxYuV7C2ztKCu/ya6wTy8woPecRAZtCKa07V0Mm4WUy9Q==
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/hydraGH.age b/secrets/hosts/p-body/hydraGH.age
new file mode 100644
index 0000000..6e6a8cb
--- /dev/null
+++ b/secrets/hosts/p-body/hydraGH.age
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/p-body2atlas.age b/secrets/hosts/p-body/p-body2atlas.age
new file mode 100644
index 0000000..e363867
--- /dev/null
+++ b/secrets/hosts/p-body/p-body2atlas.age
@@ -0,0 +1,19 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDJybTN3ZyB1SkFM
+aWt0ZVdBam5aeHg5SHZNVGE5N1U0Y2FHZ2xUdk1QOXRwS094M1RvCjEyTDJwbDFL
+SVBwU00wek1lZ2JLNk0rMDRZcDBqTFdkNk1ndWVBempqYXcKLT4gc3NoLWVkMjU1
+MTkgSTkyQTNRIGcxVFIxNnYvekVVenVuVk9BMzQ3dlcwTHhrQ2lwekpHNXBSME85
+UWtSaE0KbEhkdHN1MFRDMkY2T0FhUW8wdHVZb0hpOHZoWFFyTEtIOWt1Y3ByU2NI
+TQotPiBFMmdUQHMpLWdyZWFzZSB1IFc7QWteIFIvJSBxCjJIM2ljOS9sY3NDS1FH
+ZElDYUdKZVZsUFZKcjNxY1dGc3QzeFVCVjExbXRTczJuRURPM0VHbGsKLS0tIDFh
+UUY0VW1MQ2dMUU5WUWV6TCtPUjhTZitVa2NRTlRSeEhUNUNDWUp5QUEKE+ByvnxH
+m4R3epPuQBAIqdjQC79QYNnONisPKts27hVdtZgXrj234oBla4QRfOokifoiQi6d
+3SgBRQgE3w3aXp3O02VMKS8KOcPat0Q4IhQOjyQsVzHpLFJq2BryJUb/3LGcXtYQ
+eCxhe+2fqs7Ysoq9q4nZRpVAYIUZVD/PflgU4t/g3fc18d4QMpnc9fGFTsKmrBlk
+EmJLglK7PJTp0jXpzSHK/lnv6bsolnU6o+ySKAY8UEtqGPi+EDeQZv6zbv5G2r+i
+sgIoiDN+MB4RwX0KZpiMfKyx4Dzup87BZskQOZqZp/CRZ6+qwfDGeq/ACfsSZ/sM
++iBWu2Yh8EfgxkP4GDvAXxOXebHH4FXsx+E1o7HW0I51MDHA4DQI3PPOjxQcfJgj
+1sk8TKAoghAcp//mXJXyqNdZM5Ua7X3G/9f5c9voKxl/wzRNatpL8/R2O89qZ5tQ
+81lhSKgsJ7YglNzSB7eCyT30HEoAVVfYr9ArEgnc5ZPMgMJbC5ffkElN2juSD7+Q
+Fw5akYz6R/dZg/obEXnWld8TM/rb7jM/mRuynuNL4YXhdrl0YKIajCY=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hosts/p-body/secretsJson.age b/secrets/hosts/p-body/secretsJson.age
deleted file mode 100644
index 019a3a4..0000000
--- a/secrets/hosts/p-body/secretsJson.age
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEk5MkEzUSBmbENM
-VkRPb2Q1eUdFSjFVeGpNTm9mT0Nab3lpOHRaT3FpdnV5elpPQXhBClpmSjVTMlNW
-OHNYeGhGbEFRRFZSVGRBa1RZd1VnTURsQm5CNXhZUW9hZEEKLT4gc3NoLWVkMjU1
-MTkgbFdJVUZRIFhaWW9FblJ3SFREOUFSR00xZDc0NFNqdkxWNnFReHpKRk9uOUo3
-UWZoQWsKbXA2N0t3VG42MEZBanlHSkRjdFBzZE5YNkdPOS8xRGNvOXJTN1B1L3Fv
-UQotPiBzc2gtZWQyNTUxOSAycm0zd2cgYk13cGQrbi8rZWkzaEk2TzhWQVNNdGlm
-NXFFNWlqdFdTV2ovSkRtMUh6OAorVUlwZ29OYnpER0pRdDZPbzBuRXhiWVplL2RF
-cUJwd1hQaFJEYXFlaHZnCi0+IENIdmN9OHBULWdyZWFzZSAnYmFfVnNGXApTbXYx
-VGhlZFU4bko5YkZ6M2k5eTdzcHZjMVFwV3hHV3NKMkd4dWNDOGdlU3I2OAotLS0g
-VXdkQ2djUUpnNUtGSHlaRWlxWmpQcVpUVjFIOERSbGd1Vyt4ak1tcWl1WQrPIPcR
-RWUyNQeHQxxsp7lc+4N0LTMnnIsW531/hVEy0FRarRkseJoMTIL84OLhqSjlVxoZ
-/XOey4eFfTbJiP0h8r3VjB7ATFyi0w3lBFpH71dULuxqb4Xsz48Rtdu0JE0Qhdle
-Udl5kxHF5+ZRtN/vyaBFfVNRfGuiTj9DXqelmPyb5l8xYqi71Yap5LD/r4WenOBe
-qx53etdTsfOgeLwR4ULC42269PSJHAoMq92K7m3VZwQ0THsBiMyTNOWN3JkBYOIt
-IEkUkVkm6lhQsCbRF1CLQ6G7+tJy1Rt7Ibnx4TPtJ4hJ0878ZL2jTeYDgWJBk8x6
-lkaxEqjYollG7g0RvUxd3m+f0gdh50E68JF4LMmmxb+oP9BiTuCOp9jGXWwCBZXr
-qpIFmauExIjVIpzErG2yCcXze5fN24Caug==
------END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b917292..4dc1cff 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,23 +3,18 @@ let
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix"
];
- atlas = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA861lnShM2ejpzn9arzhpw33I4XdtULfZWhMp/plvL root@atlas"];
- p-body = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVieG9wj00Cz0Co7QYNkoTgfO+B8EO5vlZdfMvCHD76 root@p-body"];
- keys = main ++ atlas ++ p-body;
+ atlas = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBA861lnShM2ejpzn9arzhpw33I4XdtULfZWhMp/plvL root@atlas"] ++ main;
+ p-body = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVieG9wj00Cz0Co7QYNkoTgfO+B8EO5vlZdfMvCHD76 root@p-body"] ++ main;
in {
"shared/rootPassword.age".publicKeys = main;
"shared/sethPassword.age".publicKeys = main;
- "hosts/atlas/rootPassword.age".publicKeys = keys;
- "hosts/atlas/userPassword.age".publicKeys = keys;
- "hosts/atlas/binaryCache.age".publicKeys = keys;
- "hosts/atlas/clusterToken.age".publicKeys = keys;
- "hosts/atlas/secretsJson.age".publicKeys = keys;
- "hosts/atlas/miniflux.age".publicKeys = keys;
+ "hosts/atlas/rootPassword.age".publicKeys = atlas;
+ "hosts/atlas/userPassword.age".publicKeys = atlas;
+ "hosts/atlas/miniflux.age".publicKeys = atlas;
- "hosts/p-body/rootPassword.age".publicKeys = keys;
- "hosts/p-body/userPassword.age".publicKeys = keys;
- "hosts/p-body/binaryCache.age".publicKeys = keys;
- "hosts/p-body/clusterToken.age".publicKeys = keys;
- "hosts/p-body/secretsJson.age".publicKeys = keys;
+ "hosts/p-body/rootPassword.age".publicKeys = p-body;
+ "hosts/p-body/userPassword.age".publicKeys = p-body;
+ "hosts/p-body/p-body2atlas.age".publicKeys = p-body;
+ "hosts/p-body/hydraGH.age".publicKeys = p-body;
}
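Review bot: Dropping `binaryCache.age`, `clusterToken.age` and `secretsJson.age` from the tree and from this list does not revoke what they held: the ciphertexts remain in git history, encrypted to the `root@atlas`, `root@p-body` and `main` keys that this hunk keeps in use, so if the cachix or cluster credentials are still valid anywhere they should be rotated at the provider rather than relied upon to be gone. Re-scoping each host's secrets to its own key plus `main` is the right least-privilege move; it also means `main` alone can still decrypt every host secret, which is worth stating above the key lists, e.g. `# each host can decrypt only its own secrets; "main" (admin key) can decrypt all of them`. The new `p-body2atlas.age` is readable only by p-body and `main`, which is what the name suggests; the corresponding authorized key on atlas lives outside this file and cannot be checked here.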
diff --git a/users/default.nix b/users/default.nix
index 47ff5a0..78e2ee8 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,27 +1,15 @@
-{inputs, ...}: let
- mkHMUser = {
- name,
- modules ? [],
- pkgs ? import inputs.nixpkgs {system = "x86_64-linux";},
- extraSpecialArgs ? inputs,
- }:
- inputs.home-manager.lib.homeManagerConfiguration {
- inherit pkgs extraSpecialArgs;
- modules =
- [
- {
- programs.home-manager.enable = true;
- }
- ]
- ++ [./${name}/home.nix]
- ++ modules;
- };
-in {
- perSystem = {system, ...}: {
+{
+ inputs,
+ myLib,
+ ...
+}: {
+ perSystem = {system, ...}: let
+ inherit (myLib.my) mkHMUser;
+ in {
homeConfigurations = {
seth = mkHMUser {
name = "seth";
- pkgs = import inputs.nixpkgsUnstable {
+ pkgs = import inputs.nixpkgs {
inherit system;
overlays = with inputs; [nur.overlay getchoo.overlays.default];
};
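Review bot: Two behavioural changes in this hunk are undocumented: the `seth` home configuration now tracks `inputs.nixpkgs` instead of `inputs.nixpkgsUnstable`, and the `programs.home-manager.enable = true` default and the `extraSpecialArgs ? inputs` default formerly defined here now depend on whatever `mkHMUser` in `lib/configs.nix` does, which is outside this view. If the intent is that home and host now share one pinned nixpkgs, say so: `# home config follows the same pinned nixpkgs as the hosts`. It is worth confirming that the moved `mkHMUser` still passes `inputs` as `extraSpecialArgs`, since modules under `./seth/home.nix` may rely on it. The `homeConfigurations` attribute set continues past the end of this hunk.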