commit 981186a787ff7a664e81f656d8705dae9e8ab573 · nekomimi.pet/nixcfg

+190

flake.lock

···

       1
       +
       {

     

       2
       +
         "nodes": {

     

       3
       +
           "agenix": {

     

       4
       +
             "inputs": {

     

       5
       +
               "darwin": "darwin",

     

       6
       +
               "home-manager": "home-manager",

     

       7
       +
               "nixpkgs": "nixpkgs",

     

       8
       +
               "systems": "systems"

     

       9
       +
             },

     

       10
       +
             "locked": {

     

       11
       +
               "lastModified": 1747575206,

     

       12
       +
               "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",

     

       13
       +
               "owner": "ryantm",

     

       14
       +
               "repo": "agenix",

     

       15
       +
               "rev": "4835b1dc898959d8547a871ef484930675cb47f1",

     

       16
       +
               "type": "github"

     

       17
       +
             },

     

       18
       +
             "original": {

     

       19
       +
               "owner": "ryantm",

     

       20
       +
               "repo": "agenix",

     

       21
       +
               "type": "github"

     

       22
       +
             }

     

       23
       +
           },

     

       24
       +
           "darwin": {

     

       25
       +
             "inputs": {

     

       26
       +
               "nixpkgs": [

     

       27
       +
                 "agenix",

     

       28
       +
                 "nixpkgs"

     

       29
       +
               ]

     

       30
       +
             },

     

       31
       +
             "locked": {

     

       32
       +
               "lastModified": 1744478979,

     

       33
       +
               "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",

     

       34
       +
               "owner": "lnl7",

     

       35
       +
               "repo": "nix-darwin",

     

       36
       +
               "rev": "43975d782b418ebf4969e9ccba82466728c2851b",

     

       37
       +
               "type": "github"

     

       38
       +
             },

     

       39
       +
             "original": {

     

       40
       +
               "owner": "lnl7",

     

       41
       +
               "ref": "master",

     

       42
       +
               "repo": "nix-darwin",

     

       43
       +
               "type": "github"

     

       44
       +
             }

     

       45
       +
           },

     

       46
       +
           "flake-utils": {

     

       47
       +
             "inputs": {

     

       48
       +
               "systems": "systems_2"

     

       49
       +
             },

     

       50
       +
             "locked": {

     

       51
       +
               "lastModified": 1681202837,

     

       52
       +
               "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",

     

       53
       +
               "owner": "numtide",

     

       54
       +
               "repo": "flake-utils",

     

       55
       +
               "rev": "cfacdce06f30d2b68473a46042957675eebb3401",

     

       56
       +
               "type": "github"

     

       57
       +
             },

     

       58
       +
             "original": {

     

       59
       +
               "owner": "numtide",

     

       60
       +
               "repo": "flake-utils",

     

       61
       +
               "type": "github"

     

       62
       +
             }

     

       63
       +
           },

     

       64
       +
           "home-manager": {

     

       65
       +
             "inputs": {

     

       66
       +
               "nixpkgs": [

     

       67
       +
                 "agenix",

     

       68
       +
                 "nixpkgs"

     

       69
       +
               ]

     

       70
       +
             },

     

       71
       +
             "locked": {

     

       72
       +
               "lastModified": 1745494811,

     

       73
       +
               "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",

     

       74
       +
               "owner": "nix-community",

     

       75
       +
               "repo": "home-manager",

     

       76
       +
               "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",

     

       77
       +
               "type": "github"

     

       78
       +
             },

     

       79
       +
             "original": {

     

       80
       +
               "owner": "nix-community",

     

       81
       +
               "repo": "home-manager",

     

       82
       +
               "type": "github"

     

       83
       +
             }

     

       84
       +
           },

     

       85
       +
           "nixpkgs": {

     

       86
       +
             "locked": {

     

       87
       +
               "lastModified": 1745391562,

     

       88
       +
               "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=",

     

       89
       +
               "owner": "NixOS",

     

       90
       +
               "repo": "nixpkgs",

     

       91
       +
               "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7",

     

       92
       +
               "type": "github"

     

       93
       +
             },

     

       94
       +
             "original": {

     

       95
       +
               "owner": "NixOS",

     

       96
       +
               "ref": "nixos-unstable",

     

       97
       +
               "repo": "nixpkgs",

     

       98
       +
               "type": "github"

     

       99
       +
             }

     

       100
       +
           },

     

       101
       +
           "nixpkgs_2": {

     

       102
       +
             "locked": {

     

       103
       +
               "lastModified": 1748162331,

     

       104
       +
               "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=",

     

       105
       +
               "owner": "nixos",

     

       106
       +
               "repo": "nixpkgs",

     

       107
       +
               "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334",

     

       108
       +
               "type": "github"

     

       109
       +
             },

     

       110
       +
             "original": {

     

       111
       +
               "owner": "nixos",

     

       112
       +
               "ref": "nixos-25.05",

     

       113
       +
               "repo": "nixpkgs",

     

       114
       +
               "type": "github"

     

       115
       +
             }

     

       116
       +
           },

     

       117
       +
           "nixpkgs_3": {

     

       118
       +
             "locked": {

     

       119
       +
               "lastModified": 1682134069,

     

       120
       +
               "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",

     

       121
       +
               "owner": "NixOS",

     

       122
       +
               "repo": "nixpkgs",

     

       123
       +
               "rev": "fd901ef4bf93499374c5af385b2943f5801c0833",

     

       124
       +
               "type": "github"

     

       125
       +
             },

     

       126
       +
             "original": {

     

       127
       +
               "id": "nixpkgs",

     

       128
       +
               "type": "indirect"

     

       129
       +
             }

     

       130
       +
           },

     

       131
       +
           "root": {

     

       132
       +
             "inputs": {

     

       133
       +
               "agenix": "agenix",

     

       134
       +
               "nixpkgs": "nixpkgs_2",

     

       135
       +
               "vscode-server": "vscode-server"

     

       136
       +
             }

     

       137
       +
           },

     

       138
       +
           "systems": {

     

       139
       +
             "locked": {

     

       140
       +
               "lastModified": 1681028828,

     

       141
       +
               "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

     

       142
       +
               "owner": "nix-systems",

     

       143
       +
               "repo": "default",

     

       144
       +
               "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",

     

       145
       +
               "type": "github"

     

       146
       +
             },

     

       147
       +
             "original": {

     

       148
       +
               "owner": "nix-systems",

     

       149
       +
               "repo": "default",

     

       150
       +
               "type": "github"

     

       151
       +
             }

     

       152
       +
           },

     

       153
       +
           "systems_2": {

     

       154
       +
             "locked": {

     

       155
       +
               "lastModified": 1681028828,

     

       156
       +
               "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

     

       157
       +
               "owner": "nix-systems",

     

       158
       +
               "repo": "default",

     

       159
       +
               "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",

     

       160
       +
               "type": "github"

     

       161
       +
             },

     

       162
       +
             "original": {

     

       163
       +
               "owner": "nix-systems",

     

       164
       +
               "repo": "default",

     

       165
       +
               "type": "github"

     

       166
       +
             }

     

       167
       +
           },

     

       168
       +
           "vscode-server": {

     

       169
       +
             "inputs": {

     

       170
       +
               "flake-utils": "flake-utils",

     

       171
       +
               "nixpkgs": "nixpkgs_3"

     

       172
       +
             },

     

       173
       +
             "locked": {

     

       174
       +
               "lastModified": 1729422940,

     

       175
       +
               "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",

     

       176
       +
               "owner": "nix-community",

     

       177
       +
               "repo": "nixos-vscode-server",

     

       178
       +
               "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",

     

       179
       +
               "type": "github"

     

       180
       +
             },

     

       181
       +
             "original": {

     

       182
       +
               "owner": "nix-community",

     

       183
       +
               "repo": "nixos-vscode-server",

     

       184
       +
               "type": "github"

     

       185
       +
             }

     

       186
       +
           }

     

       187
       +
         },

     

       188
       +
         "root": "root",

     

       189
       +
         "version": 7

     

       190
       +
       }

+40

flake.nix

···

       1
       +
       # flake.nix

     

       2
       +
       {

     

       3
       +
         inputs = {

     

       4
       +
           nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";

     

       5
       +
           vscode-server.url = "github:nix-community/nixos-vscode-server";

     

       6
       +
           agenix.url = "github:ryantm/agenix";

     

       7
       +
         };

     

       8
       +
       

     

       9
       +
         outputs = { self, nixpkgs, vscode-server, agenix }: {

     

       10
       +
           nixosConfigurations = {

     

       11
       +
             valefar = nixpkgs.lib.nixosSystem {

     

       12
       +
               system = "x86_64-linux";

     

       13
       +
               modules = [

     

       14
       +
                 ./hosts/valefar  # imports configuration.nix automatically

     

       15
       +
                 

     

       16
       +
                 # External modules

     

       17
       +
                 vscode-server.nixosModules.default

     

       18
       +
                 agenix.nixosModules.default

     

       19
       +
                 

     

       20
       +
                 # Global external module config

     

       21
       +
                 ({ config, pkgs, ... }: {

     

       22
       +
                   services.vscode-server.enable = true;

     

       23
       +
                   services.vscode-server.nodejsPackage = pkgs.nodejs_20;

     

       24
       +
                   environment.systemPackages = [ agenix.packages.x86_64-linux.default ];

     

       25
       +
                 })

     

       26
       +
               ];

     

       27
       +
             };

     

       28
       +
             

     

       29
       +
             # Easy to add more hosts

     

       30
       +
             /*server2 = nixpkgs.lib.nixosSystem {

     

       31
       +
               system = "x86_64-linux";

     

       32
       +
               modules = [

     

       33
       +
                 ./hosts/server2

     

       34
       +
                 agenix.nixosModules.default

     

       35
       +
                 # different services for server2

     

       36
       +
               ];

     

       37
       +
             };*/

     

       38
       +
           };

     

       39
       +
         };

     

       40
       +
       }

+35

host-secrets.nix

···

       1
       +
       {

     

       2
       +
         users.users.garage = {

     

       3
       +
           isSystemUser = true;

     

       4
       +
           group = "garage";

     

       5
       +
           home = "/var/lib/garage";

     

       6
       +
           description = "Garage service user";

     

       7
       +
         };

     

       8
       +
         

     

       9
       +
         users.groups.garage = {};

     

       10
       +
         

     

       11
       +
         age.secrets = {

     

       12
       +
           "build-token".file = ./secrets/build-token.age;

     

       13
       +
           

     

       14
       +
           "garage-rpc-secret" = {

     

       15
       +
             file = ./secrets/garage-rpc-secret.age;

     

       16
       +
             owner = "garage";

     

       17
       +
             group = "garage";

     

       18
       +
             mode = "0400";

     

       19
       +
           };

     

       20
       +
         

     

       21
       +
           "garage-admin-token" = {

     

       22
       +
             file = ./secrets/garage-admin-token.age;

     

       23
       +
             owner = "garage";

     

       24
       +
             group = "garage"; 

     

       25
       +
             mode = "0400";

     

       26
       +
           };

     

       27
       +
         

     

       28
       +
           "garage-metrics-token" = {

     

       29
       +
             file = ./secrets/garage-metrics-token.age;

     

       30
       +
             owner = "garage";

     

       31
       +
             group = "garage";

     

       32
       +
             mode = "0400";

     

       33
       +
           };

     

       34
       +
         };

     

       35
       +
       }

+33

hosts/valefar/default.nix

···

       1
       +
       # hosts/valefar/configuration.nix (or default.nix)

     

       2
       +
       { config, lib, pkgs, modulesPath, ... }:

     

       3
       +
       

     

       4
       +
       {

     

       5
       +
         imports = [

     

       6
       +
           # Host-specific hardware

     

       7
       +
           ./hardware.nix

     

       8
       +
           ./secrets.nix

     

       9
       +
           

     

       10
       +
           # Common modules shared across hosts

     

       11
       +
           ../../modules/common/system.nix

     

       12
       +
           ../../modules/common/users.nix

     

       13
       +
           ../../modules/common/services.nix

     

       14
       +
           

     

       15
       +
           # Services specific to this host

     

       16
       +
           ../../services/garage.nix

     

       17
       +
           ../../services/forgejo.nix

     

       18
       +
       

     

       19
       +
           # Common secrets

     

       20
       +
           ../../host-secrets.nix

     

       21
       +
         ];

     

       22
       +
       

     

       23
       +
         # pin host platform & microcode

     

       24
       +
         nixpkgs.hostPlatform               = lib.mkDefault "x86_64-linux";

     

       25
       +
         hardware.cpu.intel.updateMicrocode = lib.mkDefault

     

       26
       +
           config.hardware.enableRedistributableFirmware;

     

       27
       +
       

     

       28
       +
         networking.hostName = "valefar";

     

       29
       +
         networking.hostId = "2a07da90";

     

       30
       +
         

     

       31
       +
         boot.supportedFilesystems = [ "zfs" ];

     

       32
       +
         boot.kernelModules = [ "nct6775" "coretemp" ];

     

       33
       +
       }

+45

hosts/valefar/hardware.nix

···

       1
       +
       # Do not modify this file!  It was generated by ‘nixos-generate-config’

     

       2
       +
       # and may be overwritten by future invocations.  Please make changes

     

       3
       +
       # to /etc/nixos/configuration.nix instead.

     

       4
       +
       { config, lib, pkgs, modulesPath, ... }:

     

       5
       +
       

     

       6
       +
       {

     

       7
       +
         imports =

     

       8
       +
           [ (modulesPath + "/installer/scan/not-detected.nix")

     

       9
       +
           ];

     

       10
       +
       

     

       11
       +
         boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "uas" "sd_mod" ];

     

       12
       +
         boot.initrd.kernelModules = [ ];

     

       13
       +
         boot.kernelModules = [ "kvm-intel" ];

     

       14
       +
         boot.extraModulePackages = [ ];

     

       15
       +
       

     

       16
       +
         fileSystems."/" = { 

     

       17
       +
           device = "/dev/disk/by-uuid/17b399da-2210-4493-9ae3-c65b20b992a0";

     

       18
       +
           fsType = "ext4";

     

       19
       +
         };

     

       20
       +
       

     

       21
       +
         fileSystems."/boot" =

     

       22
       +
           { device = "/dev/disk/by-uuid/6340-211B";

     

       23
       +
             fsType = "vfat";

     

       24
       +
             options = [ "fmask=0022" "dmask=0022" ];

     

       25
       +
           };

     

       26
       +
       

     

       27
       +
         fileSystems."/garage" = {

     

       28
       +
           device = "garage";

     

       29
       +
           fsType = "zfs";

     

       30
       +
         };

     

       31
       +
       

     

       32
       +
         fileSystems."/storage" = {

     

       33
       +
           device = "storage";

     

       34
       +
           fsType = "zfs";

     

       35
       +
         };

     

       36
       +
       

     

       37
       +
         swapDevices = [ ];

     

       38
       +
       

     

       39
       +
         # Enables DHCP on each ethernet and wireless interface. In case of scripted networking

     

       40
       +
         # (the default) this is the recommended approach. When using systemd-networkd it's

     

       41
       +
         # still possible to use this option, but it's recommended to use it in conjunction

     

       42
       +
         # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.

     

       43
       +
         networking.useDHCP = lib.mkDefault true;

     

       44
       +
         # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;

     

       45
       +
       }

hosts/valefar/secrets.nix

+32

modules/common/services.nix

···

       1
       +
       { config, pkgs, ... }:

     

       2
       +
       {

     

       3
       +
         # system packages + services

     

       4
       +
         environment.systemPackages = with pkgs; [

     

       5
       +
           vim 

     

       6
       +
           wget

     

       7
       +
           fastfetch

     

       8
       +
           lsof

     

       9
       +
           btop

     

       10
       +
           git

     

       11
       +
           openssl

     

       12
       +
           stdenv

     

       13
       +
           gnumake

     

       14
       +
           parted

     

       15
       +
           zfs

     

       16
       +
       

     

       17
       +
           code-server

     

       18
       +
         ];

     

       19
       +
       

     

       20
       +
         virtualisation.docker = {

     

       21
       +
           enable = true;

     

       22
       +
           enableOnBoot = true;

     

       23
       +
           package = pkgs.docker.override {

     

       24
       +
             buildGoModule = pkgs.buildGo123Module;

     

       25
       +
           };

     

       26
       +
         };

     

       27
       +
       

     

       28
       +
         services.openssh.enable         = true;

     

       29
       +
         services.printing.enable        = true;

     

       30
       +
         services.tailscale.enable       = true;

     

       31
       +
         services.tailscale.useRoutingFeatures = "both";

     

       32
       +
       }

+51

modules/common/system.nix

···

       1
       +
       { pkgs, config, ... }:

     

       2
       +
       {

     

       3
       +
         # boot, networking, locale, stateVersion

     

       4
       +
         boot.loader.systemd-boot.enable     = true;

     

       5
       +
         boot.loader.efi.canTouchEfiVariables = true;

     

       6
       +
         boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

     

       7
       +
         boot.supportedFilesystems = [ "zfs" ];

     

       8
       +
         fileSystems."/boot".options = [ "umask=0077" ];

     

       9
       +
       

     

       10
       +
         nix.settings.experimental-features = [ "nix-command" "flakes" ];

     

       11
       +
         

     

       12
       +
       

     

       13
       +
         services.zfs.autoScrub.enable = true;

     

       14
       +
         services.zfs.trim.enable = true;

     

       15
       +
       

     

       16
       +
         networking = {

     

       17
       +
           firewall.enable = false;

     

       18
       +
           firewall.trustedInterfaces = [

     

       19
       +
       	    "tailscale0"

     

       20
       +
           ];

     

       21
       +
           nameservers   = [ "192.168.4.3" "1.1.1.1" ];

     

       22
       +
           useDHCP       = true;

     

       23
       +
           firewall.allowedTCPPorts = [22 80 443 2456 2457 9000 9001 9002]; 

     

       24
       +
         };

     

       25
       +
       

     

       26
       +
         services.resolved = {

     

       27
       +
           enable      = true;

     

       28
       +
           dnssec      = "true";

     

       29
       +
           domains     = [ "~." ];

     

       30
       +
           fallbackDns = [ "192.168.4.3" "1.0.0.1#one.one.one.one" ];

     

       31
       +
           dnsovertls  = "true";

     

       32
       +
         };

     

       33
       +
       

     

       34
       +
         systemd.services.fancontrol = {

     

       35
       +
           enable = true;

     

       36
       +
           description = "Fan speed control";

     

       37
       +
           serviceConfig = {

     

       38
       +
             ExecStart = "${pkgs.lm_sensors}/bin/fancontrol";

     

       39
       +
             Restart = "always";

     

       40
       +
           };

     

       41
       +
           wantedBy = [ "multi-user.target" ];

     

       42
       +
         };

     

       43
       +
       

     

       44
       +
         environment.variables.EDITOR = "neovim";

     

       45
       +
       

     

       46
       +
         time.timeZone     = "America/New_York";

     

       47
       +
         i18n.defaultLocale = "en_US.UTF-8";

     

       48
       +
       

     

       49
       +
         system.stateVersion = "24.11";

     

       50
       +
       }

     

       51
       +

+12

modules/common/users.nix

···

       1
       +
       { config, pkgs, ... }:

     

       2
       +
       {

     

       3
       +
         users.users.regent = {

     

       4
       +
           isNormalUser    = true;

     

       5
       +
           extraGroups     = [ "docker" "wheel" ];

     

       6
       +
           packages        = with pkgs; [ tree ];

     

       7
       +
         };

     

       8
       +
       

     

       9
       +
         security.sudo.enable             = true;

     

       10
       +
         security.sudo.wheelNeedsPassword = false;

     

       11
       +
       }

     

       12
       +

secrets/build-token.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 i9wBeA VasuCf7L03zsABerLELUSNGcI3QLxaE+nvN+5XwLk18

     

       3
       +
       Vzdd3tKTL3DJpWe1XNRPSt2YhWxATljyBK6bDUiMai4

     

       4
       +
       -> ssh-ed25519 UbxDgg S0b5rEN5xbcZ12Sjx+gI7cyTyMv/PPoHpzfHVGOlMgA

     

       5
       +
       Z0n4Qxq8NwQGNpJH8ES90bBt4MuAF/m8V8xNkEWMfPQ

     

       6
       +
       --- 1mqOAP0OMMkMkWUcCE/cXqjRr/aZuLDcn6HEC9X2hR4

     

       7
       +
       Mz�_H2��կ̰Fq�~�۸'�ftT�5�n�aۯ^n��^�^i�=c�N�L(�ٜB�Ђo�h�O)��u�e�`4[M��u��nM�Z�I�6�9���"�q��F���@!n�K�,�Mkl

secrets/garage-admin-token.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 i9wBeA 7XwEZNaAWzH5QgPXBW/S7HHSAFO0UgFF0MP+o6Z8ymo

     

       3
       +
       hmw36GBOfv/AvT++JpBNRLydL2j3mASS/JrLROG1ifs

     

       4
       +
       -> ssh-ed25519 UbxDgg cvcbnv9O2OHt3F4K+0g0ux4sq1MCrZnaLnTNM+5lJho

     

       5
       +
       efNO6FWLKj1l2eZx4mk8TucMtE12Y3Hf+JHl/FxodSo

     

       6
       +
       --- I7BjJid4vdH0bN0V6aFnFnq86XQNFO/JJLfD4rqE+9Y

     

       7
       +
       :<ģT�U��n���Zn�\�#�*񐚐��h�=k���%٨�x��K��d<v�"M$�wB�#*�S�{7}f�C�

secrets/garage-metrics-token.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 i9wBeA FmWklgH5yY/8itKCgiitrzMRCBp64zgOytDLQE2akgk

     

       3
       +
       sfJIlVzowBTLsIHFDmC+SdTb9Ks6wIMQyY9HfewMpNU

     

       4
       +
       -> ssh-ed25519 UbxDgg PL+q7o31Gr2dYGZGc/aVdLvDGtB8wVPkMO0MdCXgcDA

     

       5
       +
       AgjVKXt23x1wYSOWaS+prfsEEpX6BKimR0KGPrG6bko

     

       6
       +
       --- EvOF9JjHYoml+j3tMDfU09+GfHyMS56ZbqkmTZCQHSw

     

       7
       +
       V��\[���'������+���&�b
��T�߯8fo��p����ct)h>��v����b����CWi�o`LR�	�F

secrets/garage-rpc-secret.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 i9wBeA j+jwToOHaeIOAEuPB7qzlJofOVPQO2mI16HspjKSxAM

     

       3
       +
       XXv1+ZQQSgcPNMVD5PjrSj67+7NWgUbWV3fSWG93r90

     

       4
       +
       -> ssh-ed25519 UbxDgg DR+Q+abB52OEE1ELl7rSjHT8ObJTD6rY9v94H1YriQQ

     

       5
       +
       vA31Tw0ItQAgY649sQogIQPvqJppmDYQ4MVPTGerFhE

     

       6
       +
       --- ttD8bkuH/5MXyipRWBb2UbxIwyFftPki50NP0BiJQok

     

       7
       +
       	g]��S(h�v�����M<*��*e��ɉ��h��´ՌgyH6��n�M�����J2W/�������ـB߸ؽ���U��k*�8��E�!A.&�

+14

secrets/secrets.nix

···

       1
       +
       let

     

       2
       +
         regent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb regent@orobas.local";

     

       3
       +
         users = [ regent ];

     

       4
       +
       

     

       5
       +
         valefar = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJlXq2lSfiWwRwIxsxhffW5FDGmjt0QKYN+BaikmRR71";

     

       6
       +
         systems = [ valefar ];

     

       7
       +
       in

     

       8
       +
       {

     

       9
       +
         #"secret1.age".publicKeys = [ user1 system1 ];

     

       10
       +
         "build-token.age".publicKeys = users ++ systems;

     

       11
       +
         "garage-rpc-secret.age".publicKeys = users ++ systems;

     

       12
       +
         "garage-admin-token.age".publicKeys = users ++ systems;

     

       13
       +
         "garage-metrics-token.age".publicKeys = users ++ systems;

     

       14
       +
       }

+29

services/forgejo.nix

···

       1
       +
       {lib, pkgs, config, ...}:

     

       2
       +
       

     

       3
       +
       let

     

       4
       +
         cfg = config.services.forgejo;

     

       5
       +
         srv = cfg.settings.server;

     

       6
       +
       in

     

       7
       +
       {

     

       8
       +
         services.forgejo = {

     

       9
       +
           enable = true;

     

       10
       +
           database = {

     

       11
       +
             type = "sqlite3";

     

       12
       +
             path = "/var/lib/forgejo/forgejo.db";

     

       13
       +
           };

     

       14
       +
           lfs.enable = true;

     

       15
       +
           settings = {

     

       16
       +
             server = {

     

       17
       +
               domain = "git.nekomimi.pet";

     

       18
       +
               ROOT_URL = "https://git.nekomimi.pet";

     

       19
       +
               LANDING_PAGE = "explore";

     

       20
       +
               HTTP_PORT = 5000;

     

       21
       +
             };

     

       22
       +
             # service.DISABLE_REGISTRATION = true; 

     

       23
       +
             actions = {

     

       24
       +
               ENABLED = true;

     

       25
       +
               DEFAULT_ACTIONS_URL = "github";

     

       26
       +
             };

     

       27
       +
           };

     

       28
       +
         };

     

       29
       +
       }

+32

services/garage.nix

···

       1
       +
       { config, lib, pkgs, ... }:

     

       2
       +
       

     

       3
       +
       {

     

       4
       +
         services.garage = {

     

       5
       +
           enable = true;

     

       6
       +
           package = pkgs.garage;

     

       7
       +
           settings = {

     

       8
       +
             metadata_dir = "/garage/metadata";

     

       9
       +
             data_dir = "/garage/data";

     

       10
       +
             db_engine = "lmdb";

     

       11
       +
             replication_mode = "none";

     

       12
       +
             rpc_bind_addr = "[::]:3901";

     

       13
       +
             rpc_public_addr = "[::]:3901";

     

       14
       +
             rpc_secret_file = config.age.secrets."garage-rpc-secret".path;

     

       15
       +
             s3_api = {

     

       16
       +
               s3_region = "garage";

     

       17
       +
               api_bind_addr = "[::]:3900";

     

       18
       +
               root_domain = ".s3.nekomimi.pet";

     

       19
       +
             };

     

       20
       +
             s3_web = {

     

       21
       +
               bind_addr = "[::]:3902";

     

       22
       +
               root_domain = ".web.nekomimi.pet";

     

       23
       +
               index = "index.html";

     

       24
       +
             };

     

       25
       +
             admin = {

     

       26
       +
               api_bind_addr = "[::]:3903";

     

       27
       +
               admin_token_file = config.age.secrets."garage-admin-token".path;

     

       28
       +
               metrics_token_file = config.age.secrets."garage-metrics-token".path;

     

       29
       +
             };

     

       30
       +
           };

     

       31
       +
         };

     

       32
       +
       }

+35

services/github-runners.nix

···

       1
       +
       { lib, pkgs, ... }:

     

       2
       +
       

     

       3
       +
       let extraPackages = 

     

       4
       +
         let gtar = pkgs.runCommandNoCC "gtar" { } ''

     

       5
       +
           mkdir -p $out/bin

     

       6
       +
           ln -s ${lib.getExe pkgs.gnutar} $out/bin/gtar

     

       7
       +
         '';

     

       8
       +
         in

     

       9
       +
         with pkgs; [

     

       10
       +
           nix

     

       11
       +
           nixci

     

       12
       +
           cachix

     

       13
       +
           coreutils

     

       14
       +
           which

     

       15
       +
           jq

     

       16
       +
           gtar

     

       17
       +
           docker

     

       18
       +
           curl

     

       19
       +
         ];

     

       20
       +
       

     

       21
       +
       in

     

       22
       +
       {

     

       23
       +
         services.github-runners = {

     

       24
       +
           simplelink = {

     

       25
       +
             enable     = true;

     

       26
       +
             name       = "simplelink";

     

       27
       +
             url        = "https://github.com/waveringana/simplelink";

     

       28
       +
             token  = config.age.secrets."build-token".path;

     

       29
       +
             user = "regent";

     

       30
       +
             group = "docker";

     

       31
       +
             extraPackages = extraPackages;

     

       32
       +
            };

     

       33
       +
         };

     

       34
       +
       }

     

       35
       +