From c4ae99d48419f7b25bb4efc7a80d467fecbd12fa Mon Sep 17 00:00:00 2001
From: emily
Date: Sat, 11 May 2024 16:02:39 +0200
Subject: [PATCH] added binary cache and some fixes

---
 config/common/default.nix | 8 +++-
 config/hosts/lain/configuration.nix | 1 -
 config/hosts/ryuuko/configuration.nix | 2 -
 config/hosts/seras/configuration.nix | 2 +-
 config/hosts/web-dus/configuration.nix | 9 +---
 config/profiles/graphical/scripts.nix | 4 +-
 config/profiles/remote-build.nix | 27 --------------
 .../services/{hydra.nix => hydra/default.nix} | 37 +++----------------
 config/services/hydra/nix-config.nix | 32 ++++++++++++++++
 flake.nix | 6 +++
 modules/nginx/default.nix | 29 ++++++++++++---
 11 files changed, 77 insertions(+), 80 deletions(-)
 delete mode 100644 config/profiles/remote-build.nix
 rename config/services/{hydra.nix => hydra/default.nix} (55%)
 create mode 100644 config/services/hydra/nix-config.nix

diff --git a/config/common/default.nix b/config/common/default.nix
index 6dc974a..b0185d8 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -56,8 +56,12 @@ with lib; {
 type = "path";
 path = pkgs.path;
 };
- nix.settings.experimental-features = [ "nix-command" "flakes" ];
- nix.settings.trusted-users = [ "root" "@wheel" ];
+ nix.settings = {
+ experimental-features = [ "nix-command" "flakes" ];
+ trusted-users = [ "root" "@wheel" ];
+ substituters = [ "https://cache.kyouma.net" ];
+ trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
+ };
 nix.extraOptions = ''
 builders-use-substitutes = true
 '';
diff --git a/config/hosts/lain/configuration.nix b/config/hosts/lain/configuration.nix
index 2c4bc0d..f5ab462 100644
--- a/config/hosts/lain/configuration.nix
+++ b/config/hosts/lain/configuration.nix
@@ -1,7 +1,6 @@
 { config, inputs, lib, pkgs, ... }: {
 imports = [
 ../../common
- ../../profiles/remote-build.nix
 ../../profiles/rpi.nix
 ../../profiles/headless.nix
 ];
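Review bot: `substituters` and `trusted-public-keys` in the new `nix.settings` block replace Nix's built-in lists rather than extend them, so every host importing this common module stops using cache.nixos.org and stops trusting its `cache.nixos.org-1:…` key: anything not present on cache.kyouma.net is rebuilt locally, and paths signed only by the upstream key are refused. flake.nix in this same commit uses the additive form, and the two should agree: `extra-substituters = [ "https://cache.kyouma.net" ];` and `extra-trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];`. Since this line makes every host accept store paths signed with what is presumably the Hydra signing key (`services/hydra/signKey` in the sops secrets), a comment on the key line such as `# every host trusts paths signed by the Hydra cache key; rotating that key means updating this line on all hosts` would record the trust decision where it is made.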
diff --git a/config/hosts/ryuuko/configuration.nix b/config/hosts/ryuuko/configuration.nix index 7367520..b094514 100644 --- a/config/hosts/ryuuko/configuration.nix +++ b/config/hosts/ryuuko/configuration.nix @@ -3,12 +3,10 @@ inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-extreme-gen4 ../../common ../../profiles/graphical - ../../profiles/remote-build.nix ./hardware-configuration.nix ./disko.nix ]; - #boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.extraModprobeConfig = '' options i915 enable_guc=3 ''; diff --git a/config/hosts/seras/configuration.nix b/config/hosts/seras/configuration.nix index 968ec5d..9dbad99 100644 --- a/config/hosts/seras/configuration.nix +++ b/config/hosts/seras/configuration.nix @@ -6,7 +6,7 @@ ../../profiles/kartoffel.nix ../../profiles/lxc.nix ../../services/nginx.nix - ../../services/hydra.nix + ../../services/hydra ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; diff --git a/config/hosts/web-dus/configuration.nix b/config/hosts/web-dus/configuration.nix index 9fa5b67..0dcce37 100644 --- a/config/hosts/web-dus/configuration.nix +++ b/config/hosts/web-dus/configuration.nix @@ -44,6 +44,7 @@ }; }; }; + kyouma.nginx.defaultForbidden = "kyouma.net"; kyouma.nginx.virtualHosts = let kyouma-www = inputs.kyouma-www.packages.${config.nixpkgs.hostPlatform.system}; autoIndex = '' @@ -60,14 +61,6 @@ "www.emily.cat" = { redirectTo = "kyouma.net"; }; "www.cocaine.trade" = { redirectTo = "cocaine.trade"; }; - "redirect" = { - default = true; - reuseport = true; - useACMEHost = "kyouma.net"; - extraConfig = '' - return 403; - ''; - }; "cocaine.trade" = { root = "/var/www/basti/cocaine.trade"; extraConfig = ''error_page 404 /404.html;''; diff --git a/config/profiles/graphical/scripts.nix b/config/profiles/graphical/scripts.nix index 35244df..2b43b2d 100644 --- a/config/profiles/graphical/scripts.nix +++ b/config/profiles/graphical/scripts.nix 
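Review bot: Replacing the inline `"redirect"` vhost with `kyouma.nginx.defaultForbidden = "kyouma.net"` is not a pure move: the module's generated `"redirect"` entry (modules/nginx/default.nix in this commit) adds `forceSSL = true`, which the removed vhost lacked, so the default server now also binds 443 with the kyouma.net certificate and returns 403 there, and port 80 gets the module's https redirect instead of a direct 403, if I read the nginx module right. That is a sensible tightening, since unknown Host/SNI probes previously fell through to whichever real vhost nginx picked as default on 443, but nothing in the host config records it and the commit message does not mention it. A short comment above the new line, `# catch-all for unknown Host/SNI: 403 over TLS using the kyouma.net cert`, would keep the host config self-explanatory.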
@@ -27,7 +27,7 @@
 notify-send = "${pkgs.libnotify}/bin/notify-send";
 paplay = "${pkgs.pulseaudio}/bin/paplay";
 slurp = "${pkgs.slurp}/bin/slurp";
- image-roll = "${pkgs.image-roll}/bin/image-roll";
+ imv = "${pkgs.imv}/bin/imv";
 wl-copy = "${pkgs.wl-clipboard}/bin/wl-copy";
 in {
 enable = true;
@@ -43,7 +43,7 @@
 notify_view () {
 ''${notify_cmd_shot} "Copied to clipboard."
 ${paplay} /usr/share/sounds/freedesktop/stereo/screen-capture.oga &>/dev/null &
- ${image-roll} "''${dir}/$file"
+ ${imv} "''${dir}/$file"
 if [[ -e "$dir/$file" ]]; then
 ''${notify_cmd_shot} "Screenshot Saved."
 else
diff --git a/config/profiles/remote-build.nix b/config/profiles/remote-build.nix
deleted file mode 100644
index 3f1821d..0000000
--- a/config/profiles/remote-build.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{config, lib, pkgs, ... }: {
- nix.buildMachines = [
- {
- hostName = "seras.kyouma.net";
- sshUser = "build";
- maxJobs = 40;
- speedFactor = 40;
- systems = [ "x86_64-linux" ];
- supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- }
- {
- hostName = "integra.kyouma.net";
- sshUser = "build";
- maxJobs = 4;
- speedFactor = 8;
- systems = [ "aarch64-linux" ];
- supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- }
- ];
- nix.distributedBuilds = true;
- programs.ssh = {
- knownHosts = {
- "seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
- "integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
- };
- };
-}
diff --git a/config/services/hydra.nix b/config/services/hydra/default.nix
similarity index 55%
rename from config/services/hydra.nix
rename to config/services/hydra/default.nix
index 4b1df22..9a60c2a 100644
--- a/config/services/hydra.nix
+++ b/config/services/hydra/default.nix
@@ -1,4 +1,7 @@
 { config, ... }: {
+ imports = [
+ ./nix-config.nix
+ ];
 sops.secrets."services/hydra/signKey" = {
 owner = "hydra-queue-runner";
 sopsFile = ../../secrets/services/hydra.yaml;
@@ -17,36 +20,7 @@
 binary_cache_public_uri = https://cache.kyouma.net
 '';
 };
- nix.buildMachines = [
- {
- hostName = "localhost";
- sshUser = "build";
- maxJobs = 40;
- speedFactor = 40;
- systems = [ "x86_64-linux" "x86_64-darwin" ];
- supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- sshKey = "/var/lib/hydra/id_ed25519";
- }
- {
- hostName = "integra.kyouma.net";
- sshUser = "build";
- maxJobs = 4;
- speedFactor = 8;
- systems = [ "aarch64-linux" "aarch64-darwin" ];
- supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
- sshKey = "/var/lib/hydra/id_ed25519";
- }
- ];
- nix.settings = {
- allowed-uris = [
- "github:"
- "git+https://"
- "git+ssh://"
- ];
- };
- programs.ssh = {
- knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
- };
+ kyouma.nginx.defaultForbidden = "hydra.kyouma.net";
 kyouma.nginx.virtualHosts = {
 "hydra.kyouma.net" = {
 locations."/" = {
@@ -64,6 +38,5 @@
 };
 };
 };
- security.acme.certs."cache.kyouma.net" = {};
- security.acme.certs."hydra.kyouma.net" = {};
+ security.acme.certs."hydra.kyouma.net".extraDomainNames = [ "cache.kyouma.net" ];
 }
diff --git a/config/services/hydra/nix-config.nix b/config/services/hydra/nix-config.nix
new file mode 100644
index 0000000..54eb4bd
--- /dev/null
+++ b/config/services/hydra/nix-config.nix
@@ -0,0 +1,32 @@ +{ ... }: { + nix.buildMachines = [ + { + hostName = "localhost"; + #sshUser = "build"; + maxJobs = 40; + speedFactor = 40; + systems = [ "x86_64-linux" "x86_64-darwin" ]; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + #sshKey = "/var/lib/hydra/id_ed25519"; + } + { + hostName = "integra.kyouma.net"; + sshUser = "build"; + maxJobs = 4; + speedFactor = 8; + systems = [ "aarch64-linux" "aarch64-darwin" ]; + supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + sshKey = "/var/lib/hydra/id_ed25519"; + } + ]; + nix.settings = { + allowed-uris = [ + "github:" + "git+https://" + "git+ssh://" + ]; + }; + programs.ssh = { + knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU"; + }; +} diff --git a/flake.nix b/flake.nix index 8e1ce22..b410c97 100644 --- a/flake.nix +++ b/flake.nix @@ -52,6 +52,12 @@ }; nixConfig = { + extra-substituters = [ + "https://cache.kyouma.net" + ]; + extra-trusted-public-keys = [ + "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" + ]; builders-use-substitutes = true; builders = '' ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix index d00b432..44b3783 100644 --- a/modules/nginx/default.nix +++ b/modules/nginx/default.nix @@ -1,4 +1,5 @@ { config, lib, ... }: let + cfg = config.kyouma.nginx; extraConfig = '' add_header Strict-Transport-Security $hsts_header; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; 
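Review bot: This new module has no header comment, yet it is tied to the Hydra host: the integra entry authenticates with `sshKey = "/var/lib/hydra/id_ed25519"`, which only exists where Hydra runs, and the file is only imported from config/services/hydra/default.nix (seras, per its configuration.nix in this commit). Add at the top `# Build machines, allowed flake URIs and host-key pin used by the Hydra queue runner on seras; the integra entry uses the hydra-queue-runner SSH key, so this module only makes sense on the Hydra host.` The commented-out `#sshUser = "build";` and `#sshKey = …` lines on the localhost entry read as dead config; if the intent is that a `localhost` builder is driven without SSH (which I believe is how Hydra treats that hostname, but confirm), replace them with a one-line comment saying so, e.g. `# "localhost" is built in-process by hydra-queue-runner; no SSH user or key needed`.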
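Review bot: `builders` still starts with `ssh://build@seras.kyouma.net` (the builders string continues past this hunk), but this same commit deletes config/profiles/remote-build.nix, which was the only visible place pinning the seras SSH host key in `programs.ssh.knownHosts`; the pin that survives, in config/services/hydra/nix-config.nix, covers integra only and applies on the Hydra host itself. Unless the seras key is pinned somewhere outside this diff, machines using these builders now depend on the invoking user's known_hosts or on first-use acceptance for a connection that executes builds on their behalf. The deleted entry also carried a typo (`sh-ed25519` instead of `ssh-ed25519`), so it likely never matched; re-adding it correctly in config/common/default.nix, next to the substituter settings, is the natural fix: `programs.ssh.knownHosts."seras.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";`.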
@@ -13,13 +14,16 @@ #kTLS = true; #http3 = true; #quic = true; - } // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { + } // + lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { enableACME = true; - } // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) { + } // + lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) { enableACME = false; useACMEHost = vhostCfg.redirectTo; globalRedirect = vhostCfg.redirectTo; - } // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]); + } // + (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]); in { options = { @@ -27,9 +31,24 @@ in { type = with lib.types; nullOr anything; default = null; }; + kyouma.nginx.defaultForbidden = lib.mkOption { + type = with lib.types; nullOr str; + default = null; + }; }; config = { - services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) ( - builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts); + services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) ( + builtins.mapAttrs (createHost) cfg.virtualHosts) // + lib.optionalAttrs (cfg.defaultForbidden != null) { + "redirect" = { + default = true; + forceSSL = true; + reuseport = true; + useACMEHost = cfg.defaultForbidden; + extraConfig = '' + return 403; + ''; + }; + }; }; }
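Review bot: The new `kyouma.nginx.defaultForbidden` option has no `description`, and its name hides its contract: the string is not a host to forbid but the name of an ACME certificate that the generated catch-all server presents, via `useACMEHost = cfg.defaultForbidden`, while answering every request with `return 403`. Add `description = "Name of an existing ACME certificate (normally one of the virtualHosts) used by a catch-all default server that returns 403 for requests whose Host/SNI matches no declared vhost; null disables the catch-all.";`. Two smaller points: the `//` merge means the hard-coded `"redirect"` entry silently overrides a user-declared vhost of the same name, which could be caught with `assertions = [ { assertion = cfg.defaultForbidden == null || cfg.virtualHosts == null || !(cfg.virtualHosts ? "redirect"); message = "kyouma.nginx.virtualHosts must not define \"redirect\" when defaultForbidden is set"; } ];`, and a missing certificate for the named host will presumably surface only as a downstream nginx/ACME evaluation error rather than a message pointing at this option.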