Big readme update and more

Updated readme with tons of information.
Made kazuki a hercules agent.
Fixed secrets ownerships.
Started working on a custom installer iso.
Changed helix theme.

README.md

@@ -3,3 +3,46 @@
   雪定<rp>(</rp><rt>せってい</rt><rp>)</rp>
 </ruby>
 </h1>
+
+## Project structure
+- hosts - per-machine configurations
+  - common - common options between my machines which aren't reusable by others
+  - kazuki - my linux arm server
+  - legion - my linux x86 server[^1]
+  - hijiri - my macbook[^1]
+  - hijiri-vm - linux vm running on my macbook
+  - miyagi - my work machine[^1]
+- modules - options which in principle should be reusable by others
+  - nixos
+    - settei - my opinionated nixos options
+  - flake - flake-parts modules
+- secrets - agenix secrets
+- wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager))
+- assets - miscellaneous values reused throughout my config
+- effects.nix - hercules-ci configuration
+- deploy.nix - deploy-rs configuration
+
+[^1]: Machine not migrated yet or in the process of migrating. See: https://nest.pijul.com/nrabulinski/nix-config
+
+## Code guidelines
+
+Not set rules but general guidelines for myself to hopefully keep this config clean, maintainable, and reusable.
+
+- only importing downwards. this means no `imports = [ ../../foo/bar/some-module.nix ];`
+- ideally only one level of imports.
+this means i'll try to only do `imports = [ ./foo ];` or `imports = [ ./bar.nix ]` but not `imports = [ ./x/y/z.nix ];`
+- the file should be roughly in order of most interesting to least interesting options.
+- `imports` should be the first attribute (except for `_file`)
+- anything that goes into `modules` should be usable by others. any options specific to me go into `hosts/default.nix` or `hosts/common`.
+- there should be no implicit state anywhere in the config.
+(sounds obvious but this is already broken with legion and the zfs pool but i'll let that one slide)
+to achieve this i still need to create a proper live iso with my config and my bootstrapping ssh key
+
+## TODOs
+Sorted rougly by priority
+
+- finish migrating legion
+- private nix cache
+- set up hercules agent on legion
+- hercules-ci checking if configuration is valid
+- hercules-ci effects for deploying machines on update (if configuration is valid)

effects.nix

@@ -1,5 +1,9 @@
 {
+  defaultEffectSystem = "aarch64-linux";
   hercules-ci = {
-    flake-update.enable = true;
+    flake-update = {
+      enable = true;
+      when.dayOfWeek = null;
+    };
   };
 }

flake.lock

@@ -175,28 +175,6 @@
         "type": "github"
       }
     },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "hercules-ci-effects",
-          "hercules-ci-agent",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1688466019,
-        "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
     "haskell-flake": {
       "locked": {
         "lastModified": 1684780604,
@@ -215,21 +193,24 @@
     },
     "hercules-ci-agent": {
       "inputs": {
-        "flake-parts": "flake-parts_2",
+        "flake-parts": [
+          "flake-parts"
+        ],
         "haskell-flake": "haskell-flake",
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1688568579,
+        "lastModified": 1693397971,
-        "narHash": "sha256-ON0M56wtY/TIIGPkXDlJboAmuYwc73Hi8X9iJGtxOhM=",
+        "narHash": "sha256-P5PQ8KzK/SXvEsw+AzG7OBUgnGhuUzKETNHhqVokc+0=",
         "owner": "hercules-ci",
         "repo": "hercules-ci-agent",
-        "rev": "367dd8cd649b57009a6502e878005a1e54ad78c5",
+        "rev": "344b8b1079731a8c1e144119174f684fb492e03a",
         "type": "github"
       },
       "original": {
-        "id": "hercules-ci-agent",
+        "owner": "hercules-ci",
-        "type": "indirect"
+        "repo": "hercules-ci-agent",
+        "type": "github"
       }
     },
     "hercules-ci-effects": {
@@ -237,10 +218,10 @@
         "flake-parts": [
           "flake-parts"
         ],
-        "hercules-ci-agent": "hercules-ci-agent",
+        "hercules-ci-agent": [
-        "nixpkgs": [
+          "hercules-ci-agent"
-          "nixpkgs"
+        ],
-        ]
+        "nixpkgs": "nixpkgs_3"
       },
       "locked": {
         "lastModified": 1689397210,
@@ -306,7 +287,7 @@
         "flake-parts": [
           "flake-parts"
         ],
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_4"
       },
       "locked": {
         "lastModified": 1690830552,
@@ -382,6 +363,21 @@
       }
     },
     "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1689393711,
+        "narHash": "sha256-l3gyTPy/qWLDk1CY1EgYwlsxcGxN2aVd7MlCzQa69rk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "27fcd46fa18df36d270174246e7bd8f1787129ff",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1690753480,
         "narHash": "sha256-GQgPs8fCh/LsyQoYMUZgT2p7jFVWyHu9p+1Nl/dp8GY=",
@@ -397,7 +393,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_5": {
       "locked": {
         "lastModified": 1694760568,
         "narHash": "sha256-3G07BiXrp2YQKxdcdms22MUx6spc6A++MSePtatCYuI=",
@@ -441,11 +437,12 @@
         "deploy-rs": "deploy-rs",
         "disko": "disko",
         "flake-parts": "flake-parts",
+        "hercules-ci-agent": "hercules-ci-agent",
         "hercules-ci-effects": "hercules-ci-effects",
         "home-manager": "home-manager",
         "mailserver": "mailserver",
         "niko-nur": "niko-nur",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_5",
         "racket": "racket",
         "wrapper-manager": "wrapper-manager",
         "wrapper-manager-hm-compat": "wrapper-manager-hm-compat"

flake.nix

@@ -100,10 +100,16 @@
       url = "github:nrabulinski/racket.nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    hercules-ci-agent = {
+      url = "github:hercules-ci/hercules-ci-agent";
+      inputs.flake-parts.follows = "flake-parts";
+    };
     hercules-ci-effects = {
       url = "github:hercules-ci/hercules-ci-effects";
-      inputs.nixpkgs.follows = "nixpkgs";
+      inputs = {
-      inputs.flake-parts.follows = "flake-parts";
+        flake-parts.follows = "flake-parts";
+        hercules-ci-agent.follows = "hercules-ci-agent";
+      };
     };
   };
 
@@ -113,12 +119,14 @@
       "https://cache.garnix.io"
       "https://nix-community.cachix.org"
       "https://cache.nixos.org/"
+      "https://hercules-ci.cachix.org"
     ];
     trusted-public-keys = [
       "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
       "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
       "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
       "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+      "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
     ];
   };
 }

hosts/common/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./hercules.nix
+  ];
+}

hosts/common/hercules.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options.common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
+
+  config = lib.mkIf config.common.hercules.enable {
+    age.secrets.hercules-token = {
+      file = ../../secrets/hercules-token.age;
+      owner = config.systemd.services.hercules-ci-agent.serviceConfig.User;
+    };
+
+    services.hercules-ci-agent = {
+      enable = true;
+      settings = {
+        clusterJoinTokenPath = config.age.secrets.hercules-token.path;
+        concurrentTasks = lib.mkDefault 4;
+        binaryCachesPath = pkgs.writeText "empty-caches.json" "{}";
+      };
+    };
+  };
+}

hosts/default.nix

@@ -43,7 +43,9 @@
           inputs.disko.nixosModules.disko
           inputs.mailserver.nixosModules.default
           inputs.home-manager.nixosModules.home-manager
+          inputs.hercules-ci-agent.nixosModules.agent-service
           self.nixosModules.settei
+          ./common
           defaultOptions
           module
         ];
@@ -55,5 +57,6 @@
     ./kazuki
     ./hijiri-vm
     # ./legion
+    ./installer
   ];
 }

hosts/installer/default.nix

@@ -0,0 +1,15 @@
+{lib, ...}: {
+  configurations.nixos = let
+    mkInstaller = system: ({pkgs, ...}: {
+      nixpkgs = {inherit system;};
+
+      environment.systemPackages = [pkgs.nixos-install-tools];
+
+      # Make nixos-anywhere treat this as a installer iso
+      system.nixos.variant_id = "installer";
+    });
+    systems = ["aarch64-linux" "x86_64-linux"];
+    installers = map (system: lib.nameValuePair "installer-${system}" (mkInstaller system)) systems;
+  in
+    lib.listToAttrs installers;
+}

hosts/kazuki/default.nix

@@ -24,5 +24,7 @@
       loader.systemd-boot.configurationLimit = 1;
       loader.efi.canTouchEfiVariables = true;
     };
+
+    common.hercules.enable = true;
   };
 }

hosts/kazuki/vault.nix

@@ -1,5 +1,8 @@
 {config, ...}: {
-  age.secrets.vault-cert-env.file = ../../secrets/vault-cert-env.age;
+  age.secrets.vault-cert-env = {
+    file = ../../secrets/vault-cert-env.age;
+    owner = config.services.nginx.user;
+  };
 
   services.vaultwarden = {
     enable = true;

hosts/legion/default.nix

@@ -9,6 +9,7 @@ in {
     imports = [
       ./hardware.nix
       # ./disks.nix
+      ./initrd.nix
     ];
 
     nixpkgs.system = "x86_64-linux";

hosts/legion/initrd.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  username,
+  ...
+}: {
+  boot.initrd = {
+    availableKernelModules = ["ath10k_pci" "r8169"];
+    network.enable = true;
+    network.ssh = {
+      enable = true;
+      authorizedKeys = config.users.users.${username}.openssh.authorizedKeys.keys;
+    };
+  };
+}

modules/nixos/settei/sane-defaults.nix

@@ -65,11 +65,13 @@
           "https://hyprland.cachix.org"
           "https://cache.garnix.io"
           "https://nix-community.cachix.org"
+          "https://hercules-ci.cachix.org"
         ];
         trusted-public-keys = [
           "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
           "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
           "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+          "hercules-ci.cachix.org-1:ZZeDl9Va+xe9j+KqdzoBZMFJHVQ42Uu/c/1/KMC5Lw0="
         ];
       };
     };

modules/nixos/settei/user.nix

@@ -29,6 +29,8 @@ in {
       home-manager.extraSpecialArgs = cfg.extraArgs;
 
       home-manager.users.${username} = {
+        _file = ./user.nix;
+
         imports = [cfg.config];
 
         home = {

secrets/secrets.nix

@@ -5,4 +5,5 @@ in {
   "alert-nrab-lol-pass.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
   "vault-cert-env.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
   # "bitwarden-env-file.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
+  "hercules-token.age".publicKeys = [keys.system.kazuki keys.other.bootstrap];
 }

wrappers/helix/default.nix

@@ -15,6 +15,7 @@
         cursorline = true;
         auto-save = true;
         indent-guides.render = true;
+        theme = "base16_default_dark";
       };
     };
     languages = {