diff --git a/config/hosts/integra/configuration.nix b/config/hosts/integra/configuration.nix
index 61c69b4..fa437d0 100644
--- a/config/hosts/integra/configuration.nix
+++ b/config/hosts/integra/configuration.nix
@@ -3,8 +3,6 @@
../../common
../../profiles/builder.nix
../../profiles/headless.nix
- ../../services/forgejo.nix
- ../../services/nginx.nix
./hardware-configuration.nix
./disko.nix
];
diff --git a/config/hosts/seras/configuration.nix b/config/hosts/seras/configuration.nix
index 92d8d5f..9d0191b 100644
--- a/config/hosts/seras/configuration.nix
+++ b/config/hosts/seras/configuration.nix
@@ -5,11 +5,15 @@
../../profiles/headless.nix
../../profiles/kartoffel.nix
../../profiles/lxc.nix
+ ../../services/nginx.nix
+ ../../services/attic.nix
+ ../../services/hydra.nix
];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
networking = {
hostName = "seras";
+ firewall.allowedTCPPorts = [ 80 443 ];
};
systemd.network.networks."98-eth-default" = {
address = [
diff --git a/config/services/attic.nix b/config/services/attic.nix
new file mode 100644
index 0000000..5e32524
--- /dev/null
+++ b/config/services/attic.nix
@@ -0,0 +1,44 @@
+{ config, inputs, ... }: {
+ imports = [
+ inputs.attic.nixosModules.atticd
+ ];
+ sops.secrets."services/attic/credentialsFile" = {
+ sopsFile = ../../secrets/services/attic.yaml;
+ };
+ services.atticd = {
+ enable = true;
+ credentialsFile = config.sops.secrets."services/attic/credentialsFile".path;
+ settings = {
+ listen = "[::1]:8080";
+ allowed-hosts = [ "cache.kyouma.net" ];
+ api-endpoint = "https://cache.kyouma.net/";
+ chunking = {
+ nar-size-threshold = 1024 * 128;
+ min-size = 1024 * 64;
+ avg-size = 1024 * 128;
+ max-size = 1024 * 256;
+ };
+ database.url = "postgresql:///atticd?host=/run/postgresql";
+ garbage-collection = {
+ interval = "12 hours";
+ default-retention-period = "3 months";
+ };
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "atticd" ];
+ ensureUsers = [
+ {
+ name = "atticd";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ kyouma.nginx.virtualHosts."cache.kyouma.net" = {
+ locations."/" = {
+ proxyPass = "http://[::1]:8080";
+ };
+ };
+ security.acme.certs."cache.kyouma.net" = {};
+}
diff --git a/config/services/hydra.nix b/config/services/hydra.nix
new file mode 100644
index 0000000..f584d71
--- /dev/null
+++ b/config/services/hydra.nix
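Review bot: The `cache.kyouma.net` virtual host hands requests to atticd with a bare `proxyPass`, but cache pushes arrive as large request bodies (as far as I recall the client uploads each NAR in one request and atticd chunks it server-side), so if `kyouma.nginx.virtualHosts` maps onto `services.nginx.virtualHosts` without raising nginx's default `client_max_body_size` of 1m, pushes of anything bigger will be rejected with 413 before they reach atticd. Unless the wrapper already handles it, add `extraConfig = "client_max_body_size 0;";` to the `cache.kyouma.net` location (or host), and consider `proxy_request_buffering off;` there as well so nginx streams uploads instead of spooling each NAR to disk first. The loopback-only `listen`, the `allowed-hosts` restriction and the sops-managed `credentialsFile` are the right shape; a one-line comment on `credentialsFile` naming which variables the encrypted file is expected to provide would save the next reader a trip to the attic docs.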
@@ -0,0 +1,41 @@
+{ config, ... }: {
+ services.hydra = {
+ enable = true;
+ hydraURL = "https://hydra.kyouma.net";
+ listenHost = "localhost";
+ notificationSender = "hydra@hydra.kyouma.net";
+ minimumDiskFree = 2;
+ useSubstitutes = true;
+ };
+ nix.buildMachines = [
+ {
+ hostName = "localhost";
+ maxJobs = 40;
+ speedFactor = 40;
+ systems = [ "x86_64-linux" "x86_64-darwin" ];
+ supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ }
+ {
+ hostName = "integra.kyouma.net";
+ sshUser = "build";
+ maxJobs = 4;
+ speedFactor = 8;
+ systems = [ "aarch64-linux" "aarch64-darwin" ];
+ supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+ }
+ ];
+ nix.settings.allowed-uris = [
+ "github:"
+ "git+https://"
+ "git+ssh://"
+ ];
+ programs.ssh = {
+ knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
+ };
+ kyouma.nginx.virtualHosts."hydra.kyouma.net" = {
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ };
+ };
+ security.acme.certs."hydra.kyouma.net" = {};
+}
diff --git a/flake.lock b/flake.lock
index 37e9311..c6aef59 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,31 @@
{
"nodes": {
+ "attic": {
+ "inputs": {
+ "crane": "crane",
+ "flake-compat": "flake-compat",
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1711742460,
+ "narHash": "sha256-0O4v6e4a1toxXZ2gf5INhg4WPE5C5T+SVvsBt+45Mcc=",
+ "owner": "zhaofengli",
+ "repo": "attic",
+ "rev": "4dbdbee45728d8ce5788db6461aaaa89d98081f0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "zhaofengli",
+ "repo": "attic",
+ "type": "github"
+ }
+ },
"base16": {
"inputs": {
"fromYaml": "fromYaml"
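Review bot: The `localhost` build machine advertises `x86_64-darwin` and the `integra.kyouma.net` entry advertises `aarch64-darwin`, yet both hosts look like Linux machines from the rest of the commit (seras imports `profiles/lxc.nix`, integra has `hardware-configuration.nix` and `disko.nix`), so unless a macOS builder really answers at those names Hydra will schedule Darwin jobs onto them and they will most likely fail at build time instead of being flagged as unsupported at evaluation; I would trim both `systems` lists to `[ "x86_64-linux" ]` and `[ "aarch64-linux" ]`. In the same entries, `kvm` in the localhost `supportedFeatures` assumes `/dev/kvm` is passed into the LXC container — worth confirming before `nixos-test` jobs land there. The integra entry sets `sshUser = "build"` but no `sshKey`, so the daemon falls back to whatever default identity root has; the pinned `knownHosts` entry is good, and naming the key explicitly would make the trust setup visible in one place.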
@@ -163,6 +189,27 @@
"type": "github"
}
},
+ "crane": {
+ "inputs": {
+ "nixpkgs": [
+ "attic",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1702918879,
+ "narHash": "sha256-tWJqzajIvYcaRWxn+cLUB9L9Pv4dQ3Bfit/YjU5ze3g=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "7195c00c272fdd92fc74e7d5a0a2844b9fadb2fb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
"devshell": {
"inputs": {
"flake-utils": "flake-utils_2",
@@ -251,6 +298,22 @@
}
},
"flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1673956053,
+ "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@@ -264,7 +327,7 @@
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
- "flake-compat_2": {
+ "flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@@ -280,7 +343,7 @@
"type": "github"
}
},
- "flake-compat_3": {
+ "flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@@ -522,6 +585,22 @@
}
},
"nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1711460390,
+ "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable_2": {
"locked": {
"lastModified": 1711819797,
"narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
@@ -556,7 +635,7 @@
"nixvim": {
"inputs": {
"devshell": "devshell",
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"home-manager": [
"home-manager"
@@ -583,7 +662,7 @@
},
"pre-commit-hooks": {
"inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_3",
"gitignore": "gitignore",
"nixpkgs": [
@@ -611,6 +690,7 @@
},
"root": {
"inputs": {
+ "attic": "attic",
"disko": "disko",
"dns": "dns",
"fernglas": "fernglas",
@@ -629,7 +709,7 @@
"nixpkgs": [
"nixpkgs"
],
- "nixpkgs-stable": "nixpkgs-stable"
+ "nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1711855048,
@@ -656,7 +736,7 @@
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim",
- "flake-compat": "flake-compat_3",
+ "flake-compat": "flake-compat_4",
"gnome-shell": "gnome-shell",
"home-manager": [
"home-manager"
diff --git a/flake.nix b/flake.nix
index 5363666..9652f6a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,11 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:nixos/nixos-hardware";
flake-utils.url = "github:numtide/flake-utils";
+ attic = {
+ url = "github:zhaofengli/attic";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.flake-utils.follows = "flake-utils";
+ };
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
diff --git a/secrets/services/attic.yaml b/secrets/services/attic.yaml
new file mode 100644
index 0000000..119bf84
--- /dev/null
+++ b/secrets/services/attic.yaml
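Review bot: The new `attic` input follows the root `nixpkgs` and `flake-utils` but not `nixpkgs-stable`, so the lockfile in this commit now carries a second full nixpkgs node (`nixpkgs-stable`, pinned to `nixos-23.11`, next to the root's own input which was renamed to `nixpkgs-stable_2`), plus separate `crane` and `flake-compat` nodes for attic. If the root's `nixpkgs-stable` is a compatible branch, adding `inputs.nixpkgs-stable.follows = "nixpkgs-stable";` beside the other two `follows` lines removes the duplicate tree and the extra fetch/evaluation it costs on every update. The input itself is tracked by branch (`github:zhaofengli/attic`) and relies on the lock for pinning, which matches how `disko` is declared just below, so that part is consistent.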
@@ -0,0 +1,34 @@
+services:
+ attic:
+ credentialsFile: ENC[AES256_GCM,data:9w+wf4g2DJLzbZOXIy3Gjz9iaFuP5q7F5Up91WgnU8djueFEDOWcIeyGvxEXNUG/lQvLuYwnGzIQ875NaHd5FyaGOCOrkBfleBg4Z/zBwAiHqAb1yI88AZ1VpE7aaoQVk8Ddo2JEi2WvNC5N1U1uJaIrVOVS6nMB8vcZP6YUqff0,iv:0wk2qObmHteJzEChE4Ay/E+SBwvtXXyblsRCOUYiYhE=,tag:Qtom826Rm92+oBRQ3TVbIQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bUIyN0FmWjBhWlh5a3dO
+ NGFtdE5hWUtEdXE5SDhGRFRib3lwRzhyWkJvCm16dGx3eEJwYzBkaURCK2U2QmpV
+ Qmpqb3RYT1hWTmJ2djJaL0haeWxhcTgKLS0tIGQ3bjZ0a0FBam8yM1lwRi9xSGtS
+ Q29GdXMvSDhrak5aNVpJaEZjYmozdFEKyHO/0mD5Kj715WwekkbcCG0x0fpWUIxf
+ 80epOEma+/osKWej3bQHyltMM6x6sqobotoOYV7s/GiPINMN6yc26A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-04-20T18:41:53Z"
+ mac: ENC[AES256_GCM,data:iuy5JcShAVYbSe5tEWfNZI7sLzrBdu/UWtYLKCPgxKP3aCNHMjPUErlsn/w73KrKVRxi/BogvMi1XHjxx7oYVKQMIQufmLZDXF9eMyv7/I/YsvZ6nmlYRJQ9uOKMJwTaZb4ywBF/m1nOMahBNeMl4rZDBHdsPKT+jPMzkfpnc8I=,iv:h08X9FYnnRPao/joFX5zqmQtcctgJUUg2GxMHUWzeMU=,tag:zUbrCyZ1uEG+WzjnhrRvIQ==,type:str]
+ pgp:
+ - created_at: "2024-04-20T18:39:08Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdAn2OOgqkcyShSUKYNBkO6guqEHVAhFyb1q9jdPIq/VmUw
+ 5EZjRVp7K88/vvoUGKD7fdcBwYWMgy+L8b0dlRE4jCR6frrVByiNeCTlnboM0rXP
+ 0l4B8OPnSgPPOWzUKK8fl20zGRoFFcWx4FeRtNdKfX3LCqA7wcFUOwH+ibtCIBcF
+ JO9KifMFSFnFUN1Ce6DCoNXeKhPtI5xeXDaWhR5YQpIYwjhrv040nFFGn2u7xuA4
+ =HrNg
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1