Diffstat (limited to 'modules/nixos/custom')
-rw-r--r--modules/nixos/custom/default.nix8
-rw-r--r--modules/nixos/custom/determinate.nix68
-rw-r--r--modules/nixos/custom/github-mirror/default.nix103
-rwxr-xr-xmodules/nixos/custom/github-mirror/update-mirror.sh78
-rw-r--r--modules/nixos/custom/nvd-diff.nix28
-rw-r--r--modules/nixos/custom/remote-builders.nix96
6 files changed, 381 insertions, 0 deletions
diff --git a/modules/nixos/custom/default.nix b/modules/nixos/custom/default.nix
new file mode 100644
index 0000000..db24a63
--- /dev/null
+++ b/modules/nixos/custom/default.nix
@@ -0,0 +1,8 @@
+{
+ imports = [
+ ./determinate.nix
+ ./github-mirror
+ ./nvd-diff.nix
+ ./remote-builders.nix
+ ];
+}
diff --git a/modules/nixos/custom/determinate.nix b/modules/nixos/custom/determinate.nix
new file mode 100644
index 0000000..3c1a97e
--- /dev/null
+++ b/modules/nixos/custom/determinate.nix
@@ -0,0 +1,68 @@
+{
+ config,
+ lib,
+ inputs',
+ ...
+}:
+
+let
+ cfg = config.borealis.determinate;
+
+ package = inputs'.determinate.packages.default;
+in
+
+{
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ (lib.mkIf cfg.determinate-nixd.enable {
+ environment = {
+ # `determinate-nixd` overrides /etc/nix/nix.conf with it's own
+ etc."nix/nix.custom.conf" = { inherit (config.environment.etc."nix/nix.conf") source; };
+
+ systemPackages = [
+ package
+ ];
+ };
+
+ systemd = {
+ services.nix-daemon.serviceConfig = {
+ ExecStart = [
+ ""
+ "@${lib.getExe' package "determinate-nixd"} determinate-nixd --nix-bin ${config.nix.package}/bin daemon"
+ ];
+ KillMode = lib.mkDefault "process";
+ LimitNOFILE = lib.mkDefault 1048576;
+ LimitSTACK = lib.mkDefault "64M";
+ TasksMax = lib.mkDefault 1048576;
+ };
+
+ sockets = {
+ determinate-nixd = {
+ description = "Determinate Nixd Daemon Socket";
+ wantedBy = [ "sockets.target" ];
+ before = [ "multi-user.target" ];
+
+ unitConfig = {
+ RequiresMountsFor = [
+ "/nix/store"
+ "/nix/var/determinate"
+ ];
+ };
+
+ socketConfig = {
+ Service = "nix-daemon.service";
+ FileDescriptorName = "determinate-nixd.socket";
+ ListenStream = "/nix/var/determinate/determinate-nixd.socket";
+ DirectoryMode = "0755";
+ };
+ };
+
+ nix-daemon.socketConfig = {
+ FileDescriptorName = "nix-daemon.socket";
+ };
+ };
+ };
+ })
+ ]
+ );
+}
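Review bot: The `determinate-nixd` socket at L86–L91 is created with systemd's default `SocketMode` (0666), so every local user can connect to the daemon; if determinate-nixd applies Nix's `trusted-users`/`allowed-users` policy on this socket that is fine but should be stated in a comment, otherwise `SocketMode = "0660"` with a `SocketGroup` limits who can talk to it. The `ExecStart` override at L63–L66 intentionally resets the list with `""` and drops whatever flags the stock `nix-daemon.service` passes, which deserves a line such as `# Reset ExecStart so determinate-nixd replaces, rather than precedes, the stock nix-daemon command`. `cfg.enable` and `cfg.determinate-nixd.enable` are read at L49/L51 but no `options.borealis.determinate` declaration appears in this file, so the option set is presumably declared elsewhere in the module tree; a pointer to it would help the next reader.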
diff --git a/modules/nixos/custom/github-mirror/default.nix b/modules/nixos/custom/github-mirror/default.nix
new file mode 100644
index 0000000..76d8853
--- /dev/null
+++ b/modules/nixos/custom/github-mirror/default.nix
@@ -0,0 +1,103 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.borealis.github-mirror;
+ cgitInstance = config.services.cgit.${cfg.hostname};
+
+ update-mirror =
+ pkgs.runCommand "update-mirror"
+ {
+ nativeBuildInputs = [ pkgs.patsh ];
+
+ buildInputs = [
+ config.programs.git.package
+ pkgs.curl
+ pkgs.jq
+ ];
+ }
+ ''
+ patsh -s ${builtins.storeDir} ${./update-mirror.sh} $out
+ chmod 755 $out
+ patchShebangs $out
+ '';
+in
+
+{
+ options.borealis.github-mirror = {
+ enable = lib.mkEnableOption "the github-mirror service";
+
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "Hostname of the cgit service to create";
+ example = lib.literalExpression "git.example.com";
+ };
+
+ mirroredUsers = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "List of GitHub users to mirror repositories for";
+ example = lib.literalExpression ''[ "edolstra" ]'';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.mirroredUsers != [ ];
+ message = "`borealis.github-mirror.mirroredUsers` must have at least one user";
+ }
+ ];
+
+ services.cgit.${cfg.hostname} = {
+ enable = true;
+
+ scanPath = "/var/lib/cgit/${cfg.hostname}";
+ settings = {
+ robots = "none"; # noindex, nofollow
+ };
+
+ user = "cgit";
+ group = "cgit";
+ };
+
+ systemd = {
+ services.github-mirror = {
+ description = "Mirror a GitHub repository";
+
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+
+ script = toString (
+ [
+ "exec"
+ (toString update-mirror)
+ "--directory"
+ cgitInstance.scanPath
+ ]
+ ++ cfg.mirroredUsers
+ );
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = cgitInstance.user;
+ Group = cgitInstance.group;
+ };
+ };
+
+ timers.github-mirror = {
+ description = "Hourly timer for %N";
+ timerConfig.OnCalendar = "hourly";
+ };
+
+ tmpfiles.settings."10-github-mirror" = {
+ ${cgitInstance.scanPath}.d = {
+ inherit (cgitInstance) user group;
+ };
+ };
+ };
+ };
+}
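Review bot: The timer at L199–L202 has no `wantedBy = [ "timers.target" ]`, so the unit is generated but never activated and the mirror only runs if someone starts the service by hand. The `script` at L182–L190 also joins `cfg.mirroredUsers` with `toString`, which places the names unquoted into the shell line; `lib.escapeShellArgs` keeps a name with whitespace or shell metacharacters from being split or interpreted. Since the oneshot runs as the cgit web user with network access and only needs to write under `scanPath`, a little sandboxing (`ProtectSystem`, `ReadWritePaths`, `NoNewPrivileges`) would limit what a misbehaving clone can reach on the host; I have not verified that git needs nothing outside those paths, so test it before enabling `ProtectHome`.
```nix
systemd = {
  services.github-mirror = {
    # … unchanged: description / after / wants …
    script = "exec ${lib.escapeShellArgs ([ (toString update-mirror) "--directory" cgitInstance.scanPath ] ++ cfg.mirroredUsers)}";

    serviceConfig = {
      Type = "oneshot";
      User = cgitInstance.user;
      Group = cgitInstance.group;
      # The job only needs to write into the mirror directory.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      ReadWritePaths = [ cgitInstance.scanPath ];
    };
  };

  timers.github-mirror = {
    description = "Hourly timer for %N";
    # Without this the timer unit exists but is never started.
    wantedBy = [ "timers.target" ];
    timerConfig.OnCalendar = "hourly";
  };
  # … unchanged: tmpfiles …
};
```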
diff --git a/modules/nixos/custom/github-mirror/update-mirror.sh b/modules/nixos/custom/github-mirror/update-mirror.sh
new file mode 100755
index 0000000..88ff6eb
--- /dev/null
+++ b/modules/nixos/custom/github-mirror/update-mirror.sh
@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+help() {
+ echo "Mirror a GitHub user's repositories
+
+Usage: $(basename "$0") [options] <user>...
+
+Options:
+ -h --help Show this screen
+ -d --directory DIRECTORY Where to clone repositories (defaults to ./git)"
+}
+
+create_if_not_exists() {
+ if [ ! -d "$1" ]; then
+ mkdir -p "$1"
+ fi
+}
+
+repo_endpoint() {
+ echo "https://api.github.com/users/$1/repos"
+}
+
+users=()
+output_directory="git"
+
+while [ "$#" -gt 0 ]; do
+ case $1 in
+ -h | --help)
+ help
+ exit 0
+ ;;
+ -d | --directory)
+ output_directory="$2"
+ shift
+ shift
+ ;;
+ -*)
+ echo "error: unknown option $1"
+ help
+ exit 1
+ ;;
+ *)
+ users+=("$1")
+ shift
+ ;;
+ esac
+done
+
+if [ "${#users[@]}" -lt 1 ]; then
+ echo "error: at least one user must be specified"
+ help
+ exit 1
+fi
+
+create_if_not_exists "$output_directory"
+cd "$output_directory"
+
+for user in "${users[@]}"; do
+ create_if_not_exists "$user"
+
+ url="$(repo_endpoint "$user")"
+ curl --fail --location --show-error --silent "$url" | jq --raw-output '.[].name' | while read -r repo; do
+ repo_path="$user"/"$repo"
+
+ if [ -d "$repo_path" ]; then
+ pushd "$repo_path" &>/dev/null
+ echo "Pulling $repo_path..."
+ if ! git remote update --prune &>/dev/null; then
+ echo "Unable to pull $repo_path! Continuing..."
+ fi
+ popd &>/dev/null
+ else
+ echo "Cloning $repo_path..."
+ git clone --bare --mirror https://github.com/"$repo_path".git "$repo_path" &>/dev/null
+ fi
+ done
+done
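Review bot: The listing at L280 requests `/users/<user>/repos` without `per_page` or `page`, so only GitHub's default first page (30 repositories) comes back and users with more repositories are silently mirrored only in part; request `per_page=100` and loop over `page=` until an empty page is returned. The names from that response are used as filesystem paths at L281 and L292 without any check, so it costs little to reject anything that is not a plain repository name before touching the disk. Unlike the pull branch at L286, the clone at L292 is not guarded, so under `set -e` with `pipefail` one failed clone ends the pipeline and aborts the remaining users and repositories; wrapping it like the pull (`if ! git clone … ; then echo "Unable to clone $repo_path! Continuing..."; fi`) keeps the run going. `--mirror` already implies `--bare`, so one of the two flags is redundant.
```bash
# List all repository names of a GitHub user, following API pagination.
list_repos() {
  local page=1 names
  while :; do
    names="$(curl --fail --location --show-error --silent \
      "$(repo_endpoint "$1")?per_page=100&page=$page" | jq --raw-output '.[].name')"
    [ -n "$names" ] || break
    printf '%s\n' "$names"
    page=$((page + 1))
  done
}

# … unchanged: option parsing …

for user in "${users[@]}"; do
  create_if_not_exists "$user"

  list_repos "$user" | while read -r repo; do
    # Names come from the network; refuse anything that is not a plain repo name.
    if [[ ! "$repo" =~ ^[A-Za-z0-9_.-]+$ || "$repo" == . || "$repo" == .. ]]; then
      echo "Skipping suspicious repository name '$repo'"
      continue
    fi
    repo_path="$user"/"$repo"
    # … unchanged: pull / clone branches …
  done
done
```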
diff --git a/modules/nixos/custom/nvd-diff.nix b/modules/nixos/custom/nvd-diff.nix
new file mode 100644
index 0000000..0e88d10
--- /dev/null
+++ b/modules/nixos/custom/nvd-diff.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+let
+ cfg = config.borealis.nvd-diff;
+in
+
+{
+ options.borealis.nvd-diff = {
+ enable = lib.mkEnableOption "`nvd` to show configuration diffs on upgrade";
+ };
+
+ config = lib.mkIf cfg.enable {
+ system.activationScripts."upgrade-diff" = {
+ supportsDryActivation = true;
+
+ text = ''
+ ${lib.getExe pkgs.nvd} \
+ --nix-bin-dir=${config.nix.package}/bin \
+ diff /run/current-system "$systemConfig"
+ '';
+ };
+ };
+}
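Review bot: The activation script at L322–L326 runs `nvd diff /run/current-system "$systemConfig"` unconditionally, but `/run/current-system` does not exist during an initial `nixos-install` or inside `nixos-enter`, where nvd has nothing to compare against and will report an error; guarding it with `if [ -e /run/current-system ]; then … fi` keeps first activations quiet. Whether a failing activation snippet aborts the rest of activation is not visible here, so I would not rely on it being harmless. A header comment such as `# Print a package-level diff of the running system against the one being activated (also on dry-activate)` would also help, since the name `upgrade-diff` alone does not say what runs.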
diff --git a/modules/nixos/custom/remote-builders.nix b/modules/nixos/custom/remote-builders.nix
new file mode 100644
index 0000000..74d0538
--- /dev/null
+++ b/modules/nixos/custom/remote-builders.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+let
+ cfg = config.borealis.remote-builders;
+in
+
+{
+ options.borealis.remote-builders = {
+ enable = lib.mkEnableOption "the use of remote builders";
+
+ manageSecrets = lib.mkEnableOption "automatic management of SSH keys for builders" // {
+ default = true;
+ };
+
+ builders = {
+ atlas = lib.mkEnableOption "`atlas` as a remote builder";
+ macstadium = lib.mkEnableOption "`macstadium` as a remote builder";
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ nix = {
+ distributedBuilds = true;
+
+ settings = {
+ builders-use-substitutes = true;
+ };
+ };
+ }
+
+ (lib.mkIf cfg.builders.atlas {
+ nix.buildMachines = [
+ {
+ hostName = "atlas";
+ maxJobs = 4;
+ publicHostKey = "IyBhdGxhczoyMiBTU0gtMi4wLVRhaWxzY2FsZQphdGxhcyBzc2gtZWQyNTUxOSBBQUFBQzNOemFDMWxaREkxTlRFNUFBQUFJQzdZaVNZWXgvK3ptVk9QU0NFUkh6U3NNZVVRdEErVnQxVzBzTFV3NFloSwo=";
+ sshUser = "atlas";
+ supportedFeatures = [
+ "benchmark"
+ "big-parallel"
+ "gccarch-armv8-a"
+ "kvm"
+ "nixos-test"
+ ];
+ systems = [
+ "aarch64-linux"
+ ];
+ }
+ ];
+ })
+
+ (lib.mkIf cfg.builders.macstadium {
+ nix.buildMachines = [
+ (lib.mkMerge [
+ {
+ hostName = "mini.scrumplex.net";
+ maxJobs = 8;
+ publicHostKey = "IyBtaW5pLnNjcnVtcGxleC5uZXQ6MjIgU1NILTIuMC1PcGVuU1NIXzkuOAptaW5pLnNjcnVtcGxleC5uZXQgc3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU9DV1lXL29TbW5GYU1sOGQ0eHNjaGhxNkNKZkdjQ1M4djhLYkErb0dmQ3IK";
+ sshUser = "bob-the-builder";
+ supportedFeatures = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "apple-virt"
+ ];
+ systems = [
+ "aarch64-darwin"
+ "x86_64-darwin"
+ ];
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ sshKey = config.age.secrets.macstadium.path;
+ })
+ ])
+ ];
+ })
+
+ (lib.mkIf (cfg.manageSecrets && cfg.builders.macstadium) {
+ age.secrets = {
+ macstadium = {
+ file = secretsDir + "/macstadium.age";
+ mode = "600";
+ };
+ };
+ })
+ ]
+ );
+}
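Review bot: The `manageSecrets` option at L351–L353 does not say what happens when it is disabled: the macstadium entry then has no `sshKey` (L414–L416), so Nix falls back to whatever identity root's SSH configuration provides, and the `atlas` entry at L374–L391 never sets one regardless of the option, which looks intentional but is worth stating; a description such as `Whether to provision the SSH private key for the macstadium builder from the age secret; when disabled, root's own SSH configuration must supply it` would make that explicit. Pinning `publicHostKey` for both builders is good, but the base64 blobs at L378 and L400 are opaque to a reviewer — a comment with the decoded known_hosts line (host and key type) next to each would make a later rotation easy to check. The `age.secrets.macstadium` entry at L422–L427 sets `mode = "600"` without an `owner`, so the key stays readable only by root, presumably what the daemon needs; a comment saying so would stop someone from "fixing" it.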