added binary cache and some fixes

emily 2024-05-11 16:02:39 +02:00
parent 50d39392f8
commit c4ae99d484
Signed by: emily
GPG key ID: F6F4C66207FCF995
11 changed files with 77 additions and 80 deletions


@ -56,8 +56,12 @@ with lib; {
type = "path"; type = "path";
path = pkgs.path; path = pkgs.path;
}; };
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings = {
nix.settings.trusted-users = [ "root" "@wheel" ]; experimental-features = [ "nix-command" "flakes" ];
trusted-users = [ "root" "@wheel" ];
substituters = [ "https://cache.kyouma.net" ];
trusted-public-keys = [ "cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg=" ];
};
nix.extraOptions = '' nix.extraOptions = ''
builders-use-substitutes = true builders-use-substitutes = true
''; '';
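Review bot: The `trusted-public-keys` entry added to `nix.settings` lets whoever holds the cache.kyouma.net signing key supply store paths that every host importing this module accepts as valid, yet no comment says where the private half lives or how the key is rotated. The same key literal is repeated in the `nixConfig` hunk (`extra-trusted-public-keys`), so a rotation has to touch both places. A comment above the entry would record that, for example `# cache.kyouma.net signing key; private half: <secret name>; also listed in nixConfig.extra-trusted-public-keys`. The regrouped block also keeps `"@wheel"` in `trusted-users`, which in Nix lets those users add substituters of their own, so it is worth confirming that this is still wanted now that a signed cache is configured. The enclosing attribute set starts and ends outside the hunk.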


@ -1,7 +1,6 @@
{ config, inputs, lib, pkgs, ... }: { { config, inputs, lib, pkgs, ... }: {
imports = [ imports = [
../../common ../../common
../../profiles/remote-build.nix
../../profiles/rpi.nix ../../profiles/rpi.nix
../../profiles/headless.nix ../../profiles/headless.nix
]; ];


@ -3,12 +3,10 @@
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-extreme-gen4 inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x1-extreme-gen4
../../common ../../common
../../profiles/graphical ../../profiles/graphical
../../profiles/remote-build.nix
./hardware-configuration.nix ./hardware-configuration.nix
./disko.nix ./disko.nix
]; ];
#boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''
options i915 enable_guc=3 options i915 enable_guc=3
''; '';


@ -6,7 +6,7 @@
../../profiles/kartoffel.nix ../../profiles/kartoffel.nix
../../profiles/lxc.nix ../../profiles/lxc.nix
../../services/nginx.nix ../../services/nginx.nix
../../services/hydra.nix ../../services/hydra
]; ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];


@ -44,6 +44,7 @@
}; };
}; };
}; };
kyouma.nginx.defaultForbidden = "kyouma.net";
kyouma.nginx.virtualHosts = let kyouma.nginx.virtualHosts = let
kyouma-www = inputs.kyouma-www.packages.${config.nixpkgs.hostPlatform.system}; kyouma-www = inputs.kyouma-www.packages.${config.nixpkgs.hostPlatform.system};
autoIndex = '' autoIndex = ''
@ -60,14 +61,6 @@
"www.emily.cat" = { redirectTo = "kyouma.net"; }; "www.emily.cat" = { redirectTo = "kyouma.net"; };
"www.cocaine.trade" = { redirectTo = "cocaine.trade"; }; "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
"redirect" = {
default = true;
reuseport = true;
useACMEHost = "kyouma.net";
extraConfig = ''
return 403;
'';
};
"cocaine.trade" = { "cocaine.trade" = {
root = "/var/www/basti/cocaine.trade"; root = "/var/www/basti/cocaine.trade";
extraConfig = ''error_page 404 /404.html;''; extraConfig = ''error_page 404 /404.html;'';


@ -27,7 +27,7 @@
notify-send = "${pkgs.libnotify}/bin/notify-send"; notify-send = "${pkgs.libnotify}/bin/notify-send";
paplay = "${pkgs.pulseaudio}/bin/paplay"; paplay = "${pkgs.pulseaudio}/bin/paplay";
slurp = "${pkgs.slurp}/bin/slurp"; slurp = "${pkgs.slurp}/bin/slurp";
image-roll = "${pkgs.image-roll}/bin/image-roll"; imv = "${pkgs.imv}/bin/imv";
wl-copy = "${pkgs.wl-clipboard}/bin/wl-copy"; wl-copy = "${pkgs.wl-clipboard}/bin/wl-copy";
in { in {
enable = true; enable = true;
@ -43,7 +43,7 @@
notify_view () { notify_view () {
''${notify_cmd_shot} "Copied to clipboard." ''${notify_cmd_shot} "Copied to clipboard."
${paplay} /usr/share/sounds/freedesktop/stereo/screen-capture.oga &>/dev/null & ${paplay} /usr/share/sounds/freedesktop/stereo/screen-capture.oga &>/dev/null &
${image-roll} "''${dir}/$file" ${imv} "''${dir}/$file"
if [[ -e "$dir/$file" ]]; then if [[ -e "$dir/$file" ]]; then
''${notify_cmd_shot} "Screenshot Saved." ''${notify_cmd_shot} "Screenshot Saved."
else else


@ -1,27 +0,0 @@
{config, lib, pkgs, ... }: {
nix.buildMachines = [
{
hostName = "seras.kyouma.net";
sshUser = "build";
maxJobs = 40;
speedFactor = 40;
systems = [ "x86_64-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
{
hostName = "integra.kyouma.net";
sshUser = "build";
maxJobs = 4;
speedFactor = 8;
systems = [ "aarch64-linux" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
nix.distributedBuilds = true;
programs.ssh = {
knownHosts = {
"seras.kyouma.net".publicKey = "sh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPNVavo3YHVsrYwXRVISu7kDoknn+5inFGySn4azlB8P";
"integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
};
};
}


@ -1,4 +1,7 @@
{ config, ... }: { { config, ... }: {
imports = [
./nix-config.nix
];
sops.secrets."services/hydra/signKey" = { sops.secrets."services/hydra/signKey" = {
owner = "hydra-queue-runner"; owner = "hydra-queue-runner";
sopsFile = ../../secrets/services/hydra.yaml; sopsFile = ../../secrets/services/hydra.yaml;
@ -17,36 +20,7 @@
binary_cache_public_uri = https://cache.kyouma.net binary_cache_public_uri = https://cache.kyouma.net
''; '';
}; };
nix.buildMachines = [ kyouma.nginx.defaultForbidden = "hydra.kyouma.net";
{
hostName = "localhost";
sshUser = "build";
maxJobs = 40;
speedFactor = 40;
systems = [ "x86_64-linux" "x86_64-darwin" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
sshKey = "/var/lib/hydra/id_ed25519";
}
{
hostName = "integra.kyouma.net";
sshUser = "build";
maxJobs = 4;
speedFactor = 8;
systems = [ "aarch64-linux" "aarch64-darwin" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
sshKey = "/var/lib/hydra/id_ed25519";
}
];
nix.settings = {
allowed-uris = [
"github:"
"git+https://"
"git+ssh://"
];
};
programs.ssh = {
knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
};
kyouma.nginx.virtualHosts = { kyouma.nginx.virtualHosts = {
"hydra.kyouma.net" = { "hydra.kyouma.net" = {
locations."/" = { locations."/" = {
@ -64,6 +38,5 @@
}; };
}; };
}; };
security.acme.certs."cache.kyouma.net" = {}; security.acme.certs."hydra.kyouma.net".extraDomainNames = [ "cache.kyouma.net" ];
security.acme.certs."hydra.kyouma.net" = {};
} }


@ -0,0 +1,32 @@
{ ... }: {
nix.buildMachines = [
{
hostName = "localhost";
#sshUser = "build";
maxJobs = 40;
speedFactor = 40;
systems = [ "x86_64-linux" "x86_64-darwin" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
#sshKey = "/var/lib/hydra/id_ed25519";
}
{
hostName = "integra.kyouma.net";
sshUser = "build";
maxJobs = 4;
speedFactor = 8;
systems = [ "aarch64-linux" "aarch64-darwin" ];
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
sshKey = "/var/lib/hydra/id_ed25519";
}
];
nix.settings = {
allowed-uris = [
"github:"
"git+https://"
"git+ssh://"
];
};
programs.ssh = {
knownHosts."integra.kyouma.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBwEQiSfaDrUAwgul4mktusBPcIVxI4pLNDh9DPopVU";
};
}
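Review bot: The `allowed-uris` list in `nix.settings` uses the bare scheme prefixes `"git+https://"` and `"git+ssh://"`, and because the setting is matched as a URI prefix, restricted evaluation on this host may fetch inputs from any git server rather than only the ones the jobsets need. Narrowing each entry to a host prefix, for example `"git+https://<forge-host>/"` (placeholder), keeps evaluation from reaching arbitrary remotes. Separately, the commented-out `#sshUser` and `#sshKey` lines on the `localhost` builder should either be deleted or get a comment saying why the local builder no longer goes through SSH.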


@ -52,6 +52,12 @@
}; };
nixConfig = { nixConfig = {
extra-substituters = [
"https://cache.kyouma.net"
];
extra-trusted-public-keys = [
"cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg="
];
builders-use-substitutes = true; builders-use-substitutes = true;
builders = '' builders = ''
ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm ssh://build@seras.kyouma.net x86_64-linux - 40 40 nixos-test,benchmark,big-parallel,kvm


@ -1,4 +1,5 @@
{ config, lib, ... }: let { config, lib, ... }: let
cfg = config.kyouma.nginx;
extraConfig = '' extraConfig = ''
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
@ -13,13 +14,16 @@
#kTLS = true; #kTLS = true;
#http3 = true; #http3 = true;
#quic = true; #quic = true;
} // lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { } //
lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
enableACME = true; enableACME = true;
} // lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) { } //
lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
enableACME = false; enableACME = false;
useACMEHost = vhostCfg.redirectTo; useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo; globalRedirect = vhostCfg.redirectTo;
} // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]); } //
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
in { in {
options = { options = {
@ -27,9 +31,24 @@ in {
type = with lib.types; nullOr anything; type = with lib.types; nullOr anything;
default = null; default = null;
}; };
kyouma.nginx.defaultForbidden = lib.mkOption {
type = with lib.types; nullOr str;
default = null;
};
}; };
config = { config = {
services.nginx.virtualHosts = lib.mkIf (config.kyouma.nginx.virtualHosts != null) ( services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
builtins.mapAttrs (createHost) config.kyouma.nginx.virtualHosts); builtins.mapAttrs (createHost) cfg.virtualHosts) //
lib.optionalAttrs (cfg.defaultForbidden != null) {
"redirect" = {
default = true;
forceSSL = true;
reuseport = true;
useACMEHost = cfg.defaultForbidden;
extraConfig = ''
return 403;
'';
};
};
}; };
} }
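Review bot: The catch-all `"redirect"` host added under `config` sets `forceSSL = true` with `useACMEHost = cfg.defaultForbidden`, so a client that connects by IP address or with an unknown SNI name is still handed that domain's certificate before it receives the 403, which discloses the host name to scanners. If that is not intended, the NixOS nginx module's `rejectSSL = true;` could replace `forceSSL` and `useACMEHost` here (as far as I know the SSL mode options are mutually exclusive), so the handshake is refused instead. The new `kyouma.nginx.defaultForbidden` option also has no `description`; a line such as `description = "ACME host whose certificate the default 403 server uses; null disables the default server.";` would document it. The hard-coded name `"redirect"` is merged with `//` and would silently replace a user-defined host of the same name.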