diff --git a/README.md b/README.md index d11785b..f7b1f12 100644 --- a/README.md +++ b/README.md @@ -6,15 +6,13 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, home-manager, and flake-parts modules. > [!CAUTION] -> I tried to make the modules in this repository useful to others without having -> to modify them, meaning I tried to have many configuration options, have them -> be disabled by default, etc. That is no more and although I still encourage -> people to use my config for learning and inspiration, the modules will now -> assume they're running in my infrastructure and I'll only add configuration -> and/or enabling options when it makes sense to me, personally. +> I tried to make the modules in this repository useful to others without having to modify them, +> meaning I tried to have many configuration options, have them be disabled by default, etc. +> That is no more and although I still encourage people to use my config for learning and inspiration, +> the modules will now assume they're running in my infrastructure and I'll only add +> configuration and/or enabling options when it makes sense to me, personally. ## Project structure - - hosts - per-machine configurations - kazuki - my linux arm server - legion - my linux x86 server 
@@ -26,38 +24,29 @@ Collection of my personal Nix configurations and opinionated NixOS, nix-darwin, - system - my opinionated nixos/nix-darwin modules - home - my opinionated home-manager modules - flake - flake-parts modules -- services - configs for services I self-host - secrets - agenix secrets -- wrappers - nix packages wrapped with my configs (see: - [wrapper-manager](https://github.com/viperML/wrapper-manager)) +- wrappers - nix packages wrapped with my configs (see: [wrapper-manager](https://github.com/viperML/wrapper-manager)) - assets - miscellaneous values reused throughout my config - effects.nix - hercules-ci configuration ## Code guidelines -Not set rules but general guidelines for myself to hopefully keep this config -clean, maintainable, and reusable. +Not set rules but general guidelines for myself to hopefully keep this config clean, maintainable, and reusable. -- only importing downwards. this means no - `imports = [ ../../foo/bar/some-module.nix ];` -- ideally only one level of imports. this means i'll try to only do - `imports = [ ./foo ];` or `imports = [ ./bar.nix ]` but not - `imports = [ ./x/y/z.nix ];` -- the file should be roughly in order of most interesting to least interesting - options. +- only importing downwards. this means no `imports = [ ../../foo/bar/some-module.nix ];` +- ideally only one level of imports. +this means i'll try to only do `imports = [ ./foo ];` or `imports = [ ./bar.nix ]` but not `imports = [ ./x/y/z.nix ];` +- the file should be roughly in order of most interesting to least interesting options. - `imports` should be the first attribute (except for `_file`) -- there should be no implicit state anywhere in the config. (sounds obvious but - this is already broken with legion and the zfs pool but i'll let that one - slide) to achieve this i still need to create a proper live iso with my config - and my bootstrapping ssh key +- there should be no implicit state anywhere in the config. 
+(sounds obvious but this is already broken with legion and the zfs pool but i'll let that one slide) +to achieve this i still need to create a proper live iso with my config and my bootstrapping ssh key ## TODOs - Sorted rougly by priority - bring back ci (sorta done) -- hercules-ci effects for deploying machines on update (if configuration is - valid) +- hercules-ci effects for deploying machines on update (if configuration is valid) - fix disko - make the configuration truly declarative (to a reasonable degree) - themeing solution diff --git a/flake.nix b/flake.nix index f2007c6..8186624 100644 --- a/flake.nix +++ b/flake.nix @@ -16,7 +16,6 @@ ./modules ./wrappers ./pkgs - ./services ]; perSystem = @@ -55,18 +54,6 @@ programs.nixfmt.enable = true; programs.statix.enable = true; programs.fish_indent.enable = true; - programs.deno.enable = true; - programs.stylua.enable = true; - programs.shfmt.enable = true; - settings.global.excludes = [ - # agenix - "*.age" - - # racket - "*.rkt" - "**/rashrc" - ]; - settings.on-unmatched = "fatal"; }; }; }; diff --git a/garnix.yaml b/garnix.yaml index 1829619..8e4aa0f 100644 --- a/garnix.yaml +++ b/garnix.yaml @@ -1,8 +1,8 @@ builds: include: - - "devShells.*.*" - - "packages.*.*" - - "formatter.*" - - "nixosConfigurations.*" - - "darwinConfigurations.*" - - "homeConfigurations.*" + - 'devShells.*.*' + - 'packages.*.*' + - 'formatter.*' + - 'nixosConfigurations.*' + - 'darwinConfigurations.*' + - 'homeConfigurations.*' diff --git a/hosts/default.nix b/hosts/default.nix index 3c334c3..d2e1d5a 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -62,10 +62,7 @@ nixos = name: module: baseNixos.extendModules { - modules = [ - module - config.__extraHostConfigs.${name} or { } - ]; + modules = [ module ]; specialArgs.configurationName = name; }; 
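Review bot: Removing `programs.stylua.enable`, `programs.shfmt.enable`, `programs.deno.enable` and `settings.on-unmatched = "fatal"` from the treefmt block leaves the repo's Lua, shell and JS files with no formatter and no check that every tracked file is covered by one; the wrappers/wezterm/config.lua hunk later in this commit is already hand-reformatted with mixed quote styles, which looks like a first consequence. If the intent is to stop formatting those files, a one-line comment in the treefmt block saying so would make that explicit; otherwise keeping `programs.stylua.enable = true;` together with `settings.on-unmatched = "fatal";` preserves the check. The flake.nix attribute set containing this hunk starts outside it.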
@@ -73,10 +70,7 @@ name: module: let eval = baseDarwin._module.args.extendModules { - modules = [ - module - config.__extraHostConfigs.${name} or { } - ]; + modules = [ module ]; specialArgs.configurationName = name; }; in diff --git a/hosts/hijiri/default.nix b/hosts/hijiri/default.nix index bb7db92..3b75f42 100644 --- a/hosts/hijiri/default.nix +++ b/hosts/hijiri/default.nix @@ -15,7 +15,7 @@ nixpkgs.system = "aarch64-darwin"; settei.user.config = { - settei.desktop.enable = true; + common.desktop.enable = true; home.packages = with pkgs; [ utm qemu @@ -28,7 +28,7 @@ }; # TODO: Declarative syncthing config }; - settei.incus.enable = true; + common.incus.enable = true; # TODO: Setup podman remote system.defaults = { diff --git a/hosts/kazuki/attic.nix b/hosts/kazuki/attic.nix new file mode 100644 index 0000000..87cd289 --- /dev/null +++ b/hosts/kazuki/attic.nix 
@@ -0,0 +1,115 @@
+{ config, lib, ... }:
+let
+ atticPort = 9476;
+in
+{
+ age.secrets.attic-creds = {
+ file = ../../secrets/attic-creds.age;
+ owner = config.services.atticd.user;
+ };
+ age.secrets.nrab-lol-cf = {
+ file = ../../secrets/nrab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.atticd = {
+ enable = true;
+ environmentFile = config.age.secrets.attic-creds.path;
+ settings = {
+ listen = "[::]:${toString atticPort}";
+ storage = {
+ type = "local";
+ path = "/storage-box";
+ };
+ compression.type = "none";
+ chunking = {
+ nar-size-threshold = 0;
+ min-size = 0;
+ avg-size = 0;
+ max-size = 0;
+ };
+ api-endpoint = "https://attic.nrab.lol/";
+ };
+ };
+
+ users = {
+ users.atticd = {
+ uid = 990;
+ isSystemUser = true;
+ group = "atticd";
+ home = "/var/lib/atticd";
+ createHome = true;
+ };
+ groups.atticd = {
+ gid = 988;
+ };
+ };
+
+ systemd.services.atticd = {
+ after = [ "storage\\x2dbox.mount" ];
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nikodem@rabulinski.com";
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."attic.nrab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://attic";
+ };
+ extraConfig = ''
+ client_max_body_size 24G;
+ '';
+ };
+ virtualHosts."cache.nrab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://attic/public$request_uri";
+ };
+ extraConfig = ''
+ proxy_cache nixstore;
+ proxy_cache_use_stale error timeout http_500 http_502;
+ proxy_cache_lock on;
+ proxy_cache_key $request_uri;
+ proxy_cache_valid 200 24h;
+ '';
+ };
+
+ upstreams."attic".servers = {
+ 
"localhost:${toString atticPort}" = { }; + }; + + appendHttpConfig = '' + proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off; + ''; + }; + + security.acme.certs."attic.nrab.lol" = { + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.nrab-lol-cf.path; + }; + + security.acme.certs."cache.nrab.lol" = { + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.nrab-lol-cf.path; + }; +} diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix index df92f1c..77f3e3c 100644 --- a/hosts/kazuki/default.nix +++ b/hosts/kazuki/default.nix @@ -13,6 +13,7 @@ ./mail.nix ./vault.nix ./storage.nix + ./attic.nix ./ntfy.nix ./zitadel.nix ./forgejo.nix @@ -41,5 +42,14 @@ routes = [ { Gateway = "fe80::1"; } ]; }; networking.useNetworkd = true; + + common.hercules.enable = true; + common.github-runner = { + enable = true; + runners.settei = { + url = "https://github.com/nrabulinski/settei"; + instances = 2; + }; + }; }; } diff --git a/hosts/kogata/default.nix b/hosts/kogata/default.nix index 6bf9e2f..d6906ec 100644 --- a/hosts/kogata/default.nix +++ b/hosts/kogata/default.nix @@ -4,7 +4,7 @@ { nixpkgs.system = "aarch64-darwin"; - settei.user.config.settei.desktop.enable = true; + settei.user.config.common.desktop.enable = true; settei.unfree.allowedPackages = [ "teams" ]; environment.systemPackages = with pkgs; [ @@ -15,5 +15,11 @@ ipv4 = "100.102.13.61"; ipv6 = "fd7a:115c:a1e0::e126:d3d"; }; + + common.hercules.enable = true; + common.github-runner = { + enable = true; + runners.settei.url = "https://github.com/nrabulinski/settei"; + }; }; } diff --git a/hosts/legion/default.nix b/hosts/legion/default.nix index 92c95be..d293523 100644 --- a/hosts/legion/default.nix +++ b/hosts/legion/default.nix 
@@ -31,7 +31,7 @@ networking = { hostName = "legion"; - hostId = builtins.substring 0 8 "524209a432724c7abaf04398cdd6eecd"; + hostId = builtins.substring 0 8 (builtins.readFile ./machine-id); networkmanager.enable = true; }; systemd.services.NetworkManager-wait-online.enable = false; @@ -41,7 +41,15 @@ age.secrets.niko-pass.file = ../../secrets/legion-niko-pass.age; users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path; - settei.incus.enable = true; + common.hercules.enable = true; + common.github-runner = { + enable = true; + runners.settei = { + url = "https://github.com/nrabulinski/settei"; + instances = 4; + }; + }; + common.incus.enable = true; virtualisation.podman.enable = true; }; } diff --git a/hosts/legion/desktop.nix b/hosts/legion/desktop.nix index 7d80cd9..a3704cb 100644 --- a/hosts/legion/desktop.nix +++ b/hosts/legion/desktop.nix @@ -11,7 +11,7 @@ nixpkgs.config.allowUnfree = true; settei.user.config = { - settei.desktop.enable = true; + common.desktop.enable = true; home.packages = with pkgs; [ brightnessctl dmenu diff --git a/hosts/legion/machine-id b/hosts/legion/machine-id new file mode 100644 index 0000000..2a76224 --- /dev/null +++ b/hosts/legion/machine-id @@ -0,0 +1 @@ +524209a432724c7abaf04398cdd6eecd diff --git a/hosts/ude/default.nix b/hosts/ude/default.nix index d395fbd..76026d2 100644 --- a/hosts/ude/default.nix +++ b/hosts/ude/default.nix @@ -25,7 +25,16 @@ ipv6 = "fd7a:115c:a1e0:ab12:4843:cd96:6276:2a8b"; }; - settei.incus.enable = true; + common.hercules.enable = true; + services.hercules-ci-agent.settings.concurrentTasks = 6; + common.github-runner = { + enable = true; + runners.settei = { + url = "https://github.com/nrabulinski/settei"; + instances = 6; + }; + }; + common.incus.enable = true; virtualisation.podman.enable = true; services.nginx = { diff --git a/modules/default.nix b/modules/default.nix index ac793fe..e8e95f8 100644 --- a/modules/default.nix +++ b/modules/default.nix 
@@ -1,39 +1,11 @@ -{ - config, - inputs, - ... -}: -let - flakeModule = import ./flake { inherit (inputs) nixpkgs darwin home-manager; }; -in { imports = [ - flakeModule + ./system + ./flake ]; flake.homeModules = rec { settei = ./home; default = settei; }; - - flake.flakeModules = rec { - settei = flakeModule; - default = settei; - }; - - flake.nixosModules = rec { - settei = import ./system { - inherit (config) perInput; - isLinux = true; - }; - default = settei; - }; - - flake.darwinModules = rec { - settei = import ./system { - inherit (config) perInput; - isLinux = false; - }; - default = settei; - }; } diff --git a/modules/flake/default.nix b/modules/flake/default.nix index 78bb73d..a255829 100644 --- a/modules/flake/default.nix +++ b/modules/flake/default.nix @@ -1,13 +1,19 @@ { - nixpkgs, - darwin, - home-manager, + flake-parts-lib, + lib, + inputs, + ... }: +let + inherit (flake-parts-lib) importApply; + flakeModules = { + configurations = importApply ./configurations.nix { inherit (inputs) nixpkgs darwin home-manager; }; + }; +in { - _file = ./default.nix; + imports = lib.attrValues flakeModules; - imports = [ - (import ./configurations.nix { inherit nixpkgs darwin home-manager; }) - ./services.nix - ]; + flake = { + inherit flakeModules; + }; } diff --git a/modules/flake/services.nix b/modules/flake/services.nix deleted file mode 100644 index f2f07d4..0000000 --- a/modules/flake/services.nix +++ /dev/null 
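Review bot: The `default` aliases of the exported module sets disappear: `flake.flakeModules` (previously `settei` and `default` in modules/default.nix) now only carries `configurations`, and the rewritten modules/system/default.nix later on this page defines only `settei` under nixosModules and darwinModules. Any consumer of `settei.nixosModules.default`, `darwinModules.default` or `flakeModules.default` stops evaluating. If that is intended it deserves a line in the commit message; otherwise `rec { settei = import ./settei { inherit (config) perInput; inherit isLinux; }; default = settei; }` in the genAttrs body restores the alias for the system modules.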
@@ -1,95 +0,0 @@ -# List of features I want this module to eventually have -# TODO: Automatic port allocation -# TODO: Making it possible to conveniently isolate services (running them in NixOS containers) -# TODO: Handling specializations -# TODO: Convenient http handling -# TODO: Automatic backup -{ config, lib, ... }: -let - serviceModule = - { config, ... }: - { - options = { - host = lib.mkOption { - type = lib.types.str; - }; - ports = lib.mkOption { - type = with lib.types; listOf port; - default = [ ]; - }; - hosts = lib.mkOption { - type = with lib.types; listOf str; - default = [ config.host ]; - }; - config = lib.mkOption { - type = lib.types.deferredModule; - default = { }; - }; - hostConfig = lib.mkOption { - type = with lib.types; attrsOf deferredModule; - default = { }; - }; - }; - }; - - moduleToHostConfigs = - cfg: - lib.genAttrs cfg.hosts (host: { - imports = [ - cfg.config - (cfg.hostConfig.${host} or { }) - ]; - }); - - maybeGetPreviousConfigs = acc: host: (acc.${host} or { imports = [ ]; }).imports; -in -{ - _file = ./services.nix; - - options = { - services = lib.mkOption { - type = with lib.types; attrsOf (submodule serviceModule); - default = { }; - }; - - __extraHostConfigs = lib.mkOption { - type = with lib.types; attrsOf deferredModule; - readOnly = true; - }; - }; - - config.__extraHostConfigs = - let - duplicatePorts = lib.pipe config.services [ - lib.attrValues - (map (cfg: cfg.ports)) - lib.flatten - (lib.groupBy' (cnt: _: cnt + 1) 0 toString) - (lib.filterAttrs (_: cnt: cnt > 1)) - lib.attrNames - ]; - assertMsg = - let - plural = lib.length duplicatePorts > 1; - in - "\nBad service config:\nThe following port${if plural then "s" else ""} ${ - if plural then "were" else "was" - } declared multiple times: ${lib.concatStringsSep ", " duplicatePorts}"; - # Here I collect all the services..config into a flat - # __extraHostConfigs..imports = [ - # ... 
- # ] - # so that I can easily import them in hosts/default.nix - hostConfigs = lib.pipe config.services [ - lib.attrValues - (lib.foldl' ( - acc: cfg: - acc - // lib.mapAttrs (host: c: { - imports = c.imports ++ (maybeGetPreviousConfigs acc host); - }) (moduleToHostConfigs cfg) - ) { }) - ]; - in - if duplicatePorts != [ ] then throw assertMsg else hostConfigs; -} diff --git a/modules/home/default.nix b/modules/home/default.nix index f11fcaa..550d089 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -10,7 +10,7 @@ let # TODO: Conditionally define based on whether we're in a system configuration or not fishOverlayModule = lib.mkIf (!args ? osConfig) { - # See modules/system/settei/default.nix for reasoning. + # See modules/system/common/default.nix for reasoning. nixpkgs.overlays = [ (_: _: { inherit (inputs'.settei.packages) fish; }) ]; }; in @@ -21,10 +21,8 @@ in ./desktop fishOverlayModule ./xdg.nix - ./unfree.nix ]; - programs.home-manager.enable = true; programs.fish.enable = true; programs.nix-index.enable = true; programs.ssh = { diff --git a/modules/home/desktop/default.nix b/modules/home/desktop/default.nix index 825d69c..eb76412 100644 --- a/modules/home/desktop/default.nix +++ b/modules/home/desktop/default.nix @@ -11,11 +11,11 @@ imports = [ ./zellij.nix ]; - options.settei.desktop = { + options.common.desktop = { enable = lib.mkEnableOption "Common configuration for desktop machines"; }; - config = lib.mkIf config.settei.desktop.enable { + config = lib.mkIf config.common.desktop.enable { home.packages = with pkgs; [ inputs'.settei.packages.wezterm nerd-fonts.iosevka @@ -23,7 +23,6 @@ fontconfig signal-desktop ]; - settei.unfree.allowedPackages = [ "signal-desktop" ]; fonts.fontconfig.enable = true; diff --git a/modules/system/default.nix b/modules/system/default.nix index 4b82bd1..bca0a95 100644 --- a/modules/system/default.nix +++ b/modules/system/default.nix 
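Review bot: `programs.home-manager.enable = true;` leaves the shared home module here and reappears only in modules/system/settei/user.nix, i.e. only when home-manager is driven from a NixOS or nix-darwin configuration. The standalone `homeConfigurations.*` that garnix.yaml still builds would then lose the `home-manager` CLI in the user profile unless something outside this diff sets it. If standalone use is still supported, keeping the line in this module is harmless under the system path too; if it is not, dropping `homeConfigurations.*` from garnix.yaml would make that consistent.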
@@ -1,48 +1,21 @@ +{ config, lib, ... }: { - perInput, - # TODO: Figure out a nicer way of doing this without infrec? - isLinux, -}: -{ - config, - lib, - pkgs, - inputs', - username, - ... -}: -{ - _file = ./default.nix; - - imports = [ - (import ./sane-defaults.nix { inherit isLinux; }) - (import ./flake-qol.nix { inherit perInput; }) - ./user.nix - (import ./programs { inherit isLinux; }) - (import ./tailscale.nix { inherit isLinux; }) - (import ./containers.nix { inherit isLinux; }) - ./unfree.nix - (import ./hercules.nix { inherit isLinux; }) - (import ./github-runner.nix { inherit isLinux; }) - (import ./incus.nix { inherit isLinux; }) - (import ./monitoring.nix { inherit isLinux; }) - ]; - - options.settei = with lib; { - username = mkOption { - type = types.str; - default = "niko"; - }; - }; - - config = { - programs.fish.enable = true; - users.users.${username}.shell = pkgs.fish; - - time.timeZone = lib.mkDefault "Europe/Warsaw"; - - # NixOS' fish module doesn't allow setting what package to use for fish, - # so I need to override the fish package. - nixpkgs.overlays = [ (_: _: { inherit (inputs'.settei.packages) fish; }) ]; - }; + flake = + lib.genAttrs + [ + "nixosModules" + "darwinModules" + ] + ( + attr: + let + isLinux = lib.hasPrefix "nixos" attr; + in + { + settei = import ./settei { + inherit (config) perInput; + inherit isLinux; + }; + } + ); } diff --git a/modules/system/hercules.nix b/modules/system/hercules.nix deleted file mode 100644 index a5fba52..0000000 --- a/modules/system/hercules.nix +++ /dev/null 
@@ -1,47 +0,0 @@ -{ isLinux }: -{ - config, - lib, - ... -}: -let - options = { - settei.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration"; - }; - - herculesUser = - if isLinux then - config.systemd.services.hercules-ci-agent.serviceConfig.User - else - config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName; -in -{ - _file = ./hercules.nix; - - inherit options; - - config = lib.mkIf config.settei.hercules.enable { - age.secrets.hercules-token = { - file = ../../../secrets/hercules-token.age; - owner = herculesUser; - }; - age.secrets.hercules-cache = { - file = ../../../secrets/hercules-cache.age; - owner = herculesUser; - }; - age.secrets.hercules-secrets = { - file = ../../../secrets/hercules-secrets.age; - owner = herculesUser; - }; - - services.hercules-ci-agent = { - enable = true; - settings = { - clusterJoinTokenPath = config.age.secrets.hercules-token.path; - concurrentTasks = lib.mkDefault 4; - binaryCachesPath = config.age.secrets.hercules-cache.path; - secretsJsonPath = config.age.secrets.hercules-secrets.path; - }; - }; - }; -} diff --git a/modules/system/containers.nix b/modules/system/settei/containers.nix similarity index 100% rename from modules/system/containers.nix rename to modules/system/settei/containers.nix diff --git a/modules/system/settei/default.nix b/modules/system/settei/default.nix new file mode 100644 index 0000000..a352333 --- /dev/null +++ b/modules/system/settei/default.nix 
@@ -0,0 +1,50 @@ +{ + perInput, + # TODO: Figure out a nicer way of doing this without infrec? + isLinux, +}: +{ + config, + configurationName, + lib, + pkgs, + inputs, + inputs', + username, + ... +}: +{ + _file = ./default.nix; + + imports = [ + (import ./sane-defaults.nix { inherit isLinux; }) + (import ./flake-qol.nix { inherit perInput; }) + ./user.nix + (import ./programs { inherit isLinux; }) + (import ./tailscale.nix { inherit isLinux; }) + (import ./containers.nix { inherit isLinux; }) + ./unfree.nix + (import ./hercules.nix { inherit isLinux; }) + (import ./github-runner.nix { inherit isLinux; }) + (import ./incus.nix { inherit isLinux; }) + (import ./monitoring.nix { inherit isLinux; }) + ]; + + options.settei = with lib; { + username = mkOption { + type = types.str; + default = "niko"; + }; + }; + + config = { + programs.fish.enable = true; + users.users.${username}.shell = pkgs.fish; + + time.timeZone = lib.mkDefault "Europe/Warsaw"; + + # NixOS' fish module doesn't allow setting what package to use for fish, + # so I need to override the fish package. + nixpkgs.overlays = [ (_: _: { inherit (inputs'.settei.packages) fish; }) ]; + }; +} diff --git a/modules/system/flake-qol.nix b/modules/system/settei/flake-qol.nix similarity index 100% rename from modules/system/flake-qol.nix rename to modules/system/settei/flake-qol.nix diff --git a/modules/system/github-runner.nix b/modules/system/settei/github-runner.nix similarity index 93% rename from modules/system/github-runner.nix rename to modules/system/settei/github-runner.nix index 890c5f9..5af703e 100644 --- a/modules/system/github-runner.nix +++ b/modules/system/settei/github-runner.nix @@ -8,7 +8,7 @@ let inherit (lib) mkOption types; github-runner-user = "github-runner"; - cfg = config.settei.github-runner; + cfg = config.common.github-runner; sharedConfig = { age.secrets.github-token = { 
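Review bot: The inner module function now takes `configurationName` and `inputs` in addition to the arguments the deleted modules/system/default.nix took, but neither name is referenced anywhere in this 50-line file, which this hunk shows in full. Since the pattern already ends in `...`, they can simply be removed from the argument set, or the use they were added for should come with them; unused pattern bindings are the kind of thing a dead-code linter flags on every run.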
@@ -50,13 +50,13 @@ let }; darwinConfig = lib.optionalAttrs (!isLinux) { - warnings = lib.singleton "settei.github-runner doesn't do anything on darwin yet"; + warnings = lib.singleton "common.github-runner doesn't do anything on darwin yet"; }; in { _file = ./github-runner.nix; - options.settei.github-runner = { + options.common.github-runner = { enable = lib.mkEnableOption "using this machine as a self-hosted github runner"; runners = mkOption { type =
diff --git a/modules/system/settei/hercules.nix b/modules/system/settei/hercules.nix
new file mode 100644
index 0000000..9762094
--- /dev/null
+++ b/modules/system/settei/hercules.nix
@@ -0,0 +1,50 @@
+{ isLinux }:
+{
+ config,
+ lib,
+ ...
+}:
+let
+ options = {
+ common.hercules.enable = lib.mkEnableOption "Enables hercules-ci-agent with my configuration";
+ };
+
+ herculesUser =
+ if isLinux then
+ config.systemd.services.hercules-ci-agent.serviceConfig.User
+ else
+ config.launchd.daemons.hercules-ci-agent.serviceConfig.UserName;
+in
+{
+ _file = ./hercules.nix;
+
+ inherit options;
+
+ config =
+ lib.mkIf false
+ # config.common.hercules.enable
+ {
+ age.secrets.hercules-token = {
+ file = ../../../secrets/hercules-token.age;
+ owner = herculesUser;
+ };
+ age.secrets.hercules-cache = {
+ file = ../../../secrets/hercules-cache.age;
+ owner = herculesUser;
+ };
+ age.secrets.hercules-secrets = {
+ file = ../../../secrets/hercules-secrets.age;
+ owner = herculesUser;
+ };
+
+ services.hercules-ci-agent = {
+ enable = true;
+ settings = {
+ clusterJoinTokenPath = config.age.secrets.hercules-token.path;
+ concurrentTasks = lib.mkDefault 4;
+ binaryCachesPath = config.age.secrets.hercules-cache.path;
+ secretsJsonPath = config.age.secrets.hercules-secrets.path;
+ };
+ };
+ };
+}
diff --git a/modules/system/incus.nix b/modules/system/settei/incus.nix
similarity index 94%
rename from modules/system/incus.nix
rename to modules/system/settei/incus.nix
index 4313573..6a0ee35 100644
--- a/modules/system/incus.nix
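Review bot: `config = lib.mkIf false # config.common.hercules.enable { ... }` declares `common.hercules.enable` but never acts on it, so the `common.hercules.enable = true` this commit adds to kazuki, kogata, legion and ude (and ude's `services.hercules-ci-agent.settings.concurrentTasks = 6`) has no effect, and nothing in the diff says whether that is a deliberate migration step. Either restore `lib.mkIf config.common.hercules.enable` or replace the commented-out expression with a short reason, e.g. `# TODO: forced off until <reason>; hosts already set common.hercules.enable`. One thing that is right as written: the age secret declarations sit inside the same guard, so no hercules secrets are provisioned to a host while the agent is off.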
+++ b/modules/system/settei/incus.nix @@ -9,7 +9,7 @@ let inherit (lib) mkOption types; - cfg = config.settei.incus; + cfg = config.common.incus; sharedConfig = { environment.systemPackages = [ @@ -71,7 +71,7 @@ in { _file = ./incus.nix; - options.settei.incus = { + options.common.incus = { enable = lib.mkEnableOption "incus, the VM and container manager"; clientOnly = mkOption { type = types.bool; @@ -81,7 +81,7 @@ in clientPackage = lib.mkOption { type = types.package; default = cfg.package.client; - defaultText = lib.literalExpression "config.settei.incus.package.client"; + defaultText = lib.literalExpression "config.common.incus.package.client"; description = "The incus client package to use. This package is added to PATH."; }; }; diff --git a/modules/system/monitoring.nix b/modules/system/settei/monitoring.nix similarity index 100% rename from modules/system/monitoring.nix rename to modules/system/settei/monitoring.nix diff --git a/modules/system/programs/default.nix b/modules/system/settei/programs/default.nix similarity index 100% rename from modules/system/programs/default.nix rename to modules/system/settei/programs/default.nix diff --git a/modules/system/sane-defaults.nix b/modules/system/settei/sane-defaults.nix similarity index 98% rename from modules/system/sane-defaults.nix rename to modules/system/settei/sane-defaults.nix index fcd1cde..3c44e89 100644 --- a/modules/system/sane-defaults.nix +++ b/modules/system/settei/sane-defaults.nix @@ -38,6 +38,7 @@ let # Flakes are unusable without git present so pull it into the environment by default settei.user.config.programs.git.enable = lib.mkDefault true; + # FIXME: Move to common users.users.${username}.openssh.authorizedKeys.keys = let configName' = @@ -108,8 +109,6 @@ let i18n.defaultLocale = lib.mkDefault "en_US.UTF-8"; boot.kernel.sysctl."kernel.yama.ptrace_scope" = 0; - - settei.user.config.services.ssh-agent.enable = true; }; darwinConfig = lib.optionalAttrs (!isLinux) { 
diff --git a/modules/system/tailscale.nix b/modules/system/settei/tailscale.nix similarity index 100% rename from modules/system/tailscale.nix rename to modules/system/settei/tailscale.nix diff --git a/modules/home/unfree.nix b/modules/system/settei/unfree.nix similarity index 84% rename from modules/home/unfree.nix rename to modules/system/settei/unfree.nix index cd2060c..a82f946 100644 --- a/modules/home/unfree.nix +++ b/modules/system/settei/unfree.nix @@ -1,9 +1,9 @@ -# Copy of modules/system/unfree.nix { config, lib, ... }: { _file = ./unfree.nix; options = { + # TODO(maybe?): Allow other types and more customizability settei.unfree.allowedPackages = with lib; mkOption { diff --git a/modules/system/user.nix b/modules/system/settei/user.nix similarity index 94% rename from modules/system/user.nix rename to modules/system/settei/user.nix index da80a4e..7d0637a 100644 --- a/modules/system/user.nix +++ b/modules/system/settei/user.nix @@ -51,6 +51,9 @@ in homeDirectory = config.users.users.${username}.home; stateVersion = "22.05"; }; + + programs.home-manager.enable = true; + services.ssh-agent.enable = true; }; }; in diff --git a/modules/system/unfree.nix b/modules/system/unfree.nix deleted file mode 100644 index 06b5d58..0000000 --- a/modules/system/unfree.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ - config, - lib, - username, - ... -}: -let - # TODO: Maybe eventually support multi-user - userAllowedPackages = - lib.optionals config.settei.user.enable - config.home-manager.users.${username}.settei.unfree.allowedPackages; -in -{ - _file = ./unfree.nix; - - options = { - # TODO(maybe?): Allow other types and more customizability - settei.unfree.allowedPackages = - with lib; - mkOption { - type = types.listOf types.str; - default = [ ]; - }; - }; - - config = { - nixpkgs.config.allowUnfreePredicate = lib.mkForce ( - pkg: builtins.elem (lib.getName pkg) (config.settei.unfree.allowedPackages ++ userAllowedPackages) - ); - }; -} 
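Review bot: `services.ssh-agent.enable = true;` moves from the Linux-only block of sane-defaults.nix (the preceding hunk removes it next to `boot.kernel.sysctl`) into the home-manager user config in user.nix, which is applied on the darwin hosts as well. home-manager's ssh-agent module is a systemd user service, so if it asserts a Linux platform the darwin configurations stop evaluating, and if it does not, the option is silently inert there; either way it should not be unconditional. Keep it in the Linux-only block, or gate it on the platform, e.g. `services.ssh-agent.enable = pkgs.stdenv.isLinux;` if `pkgs` is in scope in user.nix. The enclosing let-binding starts and ends outside the hunk.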
diff --git a/services/attic.nix b/services/attic.nix deleted file mode 100644 index 91d675f..0000000 --- a/services/attic.nix +++ /dev/null 
@@ -1,122 +0,0 @@ -{ - services.attic = - let - atticPort = 9476; - in - { - host = "kazuki"; - ports = [ atticPort ]; - config = - { config, ... }: - { - age.secrets.attic-creds = { - file = ../secrets/attic-creds.age; - owner = config.services.atticd.user; - }; - age.secrets.nrab-lol-cf = { - file = ../secrets/nrab-lol-cf.age; - owner = config.services.nginx.user; - }; - - services.atticd = { - enable = true; - environmentFile = config.age.secrets.attic-creds.path; - settings = { - listen = "[::]:${toString atticPort}"; - storage = { - type = "local"; - path = "/storage-box"; - }; - compression.type = "none"; - chunking = { - nar-size-threshold = 0; - min-size = 0; - avg-size = 0; - max-size = 0; - }; - api-endpoint = "https://attic.nrab.lol/"; - }; - }; - - users = { - users.atticd = { - uid = 990; - isSystemUser = true; - group = "atticd"; - home = "/var/lib/atticd"; - createHome = true; - }; - groups.atticd = { - gid = 988; - }; - }; - - systemd.services.atticd = { - after = [ "storage\\x2dbox.mount" ]; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "nikodem@rabulinski.com"; - }; - - users.users.nginx.extraGroups = [ "acme" ]; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - virtualHosts."attic.nrab.lol" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyPass = "http://attic"; - }; - extraConfig = '' - client_max_body_size 24G; - ''; - }; - virtualHosts."cache.nrab.lol" = { - forceSSL = true; - enableACME = true; - acmeRoot = null; - locations."/" = { - proxyPass = "http://attic/public$request_uri"; - }; - extraConfig = '' - proxy_cache nixstore; - proxy_cache_use_stale error timeout http_500 http_502; - proxy_cache_lock on; - proxy_cache_key $request_uri; - proxy_cache_valid 200 24h; - ''; - }; - - 
upstreams."attic".servers = { - "localhost:${toString atticPort}" = { }; - }; - - appendHttpConfig = '' - proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off; - ''; - }; - - security.acme.certs."attic.nrab.lol" = { - dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets.nrab-lol-cf.path; - }; - - security.acme.certs."cache.nrab.lol" = { - dnsProvider = "cloudflare"; - credentialsFile = config.age.secrets.nrab-lol-cf.path; - }; - }; - }; -} diff --git a/services/default.nix b/services/default.nix deleted file mode 100644 index d588ede..0000000 --- a/services/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - imports = [ - ./attic.nix - ]; -} diff --git a/wrappers/wezterm/config.lua b/wrappers/wezterm/config.lua index 7890eed..c47dbab 100644 --- a/wrappers/wezterm/config.lua +++ b/wrappers/wezterm/config.lua 
@@ -1,22 +1,22 @@
-local wezterm = require("wezterm")
+local wezterm = require 'wezterm'
 
 local cfg = {
- color_scheme = "Default Dark (base16)",
- enable_tab_bar = false,
- font = wezterm.font("IosevkaTerm Nerd Font"),
- window_decorations = "TITLE | RESIZE",
- font_size = 10.5,
- native_macos_fullscreen_mode = true,
- hide_mouse_cursor_when_typing = false,
- keys = {
- { key = "Enter", mods = "CTRL", action = wezterm.action({ SendString = "\x1b[13;5u" }) },
- { key = "Enter", mods = "SHIFT", action = wezterm.action({ SendString = "\x1b[13;2u" }) },
- },
+ color_scheme = 'Default Dark (base16)',
+ enable_tab_bar = false,
+ font = wezterm.font('IosevkaTerm Nerd Font'),
+ window_decorations = 'TITLE | RESIZE',
+ font_size = 10.5,
+ native_macos_fullscreen_mode = true,
+ hide_mouse_cursor_when_typing = false,
+ keys = {
+ { key = "Enter", mods = "CTRL", action = wezterm.action { SendString = "\x1b[13;5u" } },
+ { key = "Enter", mods = "SHIFT", action = wezterm.action { SendString = "\x1b[13;2u" } },
+ },
 }
 
 if string.find(wezterm.target_triple, "darwin") then
- cfg.font_size = 14.0
- cfg.window_decorations = "RESIZE"
+ cfg.font_size = 14.0
+ cfg.window_decorations = 'RESIZE'
 end
 
 return cfg
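Review bot: The rewritten table mixes quoting styles: every scalar field switched to single quotes (`color_scheme = 'Default Dark (base16)'`, `font = wezterm.font('IosevkaTerm Nerd Font')`) while the two `keys` entries keep double quotes (`key = "Enter", mods = "CTRL"`), as does the untouched `string.find(wezterm.target_triple, "darwin")`. Pick one; with stylua removed from treefmt in this same commit nothing will normalise the file later. For the key entries that would be `{ key = 'Enter', mods = 'CTRL', action = wezterm.action { SendString = '\x1b[13;5u' } },` and the SHIFT line likewise — Lua treats `\x1b` identically inside single quotes.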