From 74ad2b8425036c4cec88f0926a7367cf2bedc5f8 Mon Sep 17 00:00:00 2001 From: Xinyang Li Date: Mon, 11 Sep 2023 12:20:32 +0000 Subject: [PATCH 1/9] Add gitea service --- flake.lock | 245 +++++++++++++++---- flake.nix | 26 +- machines/massicot/default.nix | 9 +- machines/massicot/hardware-configuration.nix | 47 +--- machines/massicot/networking.nix | 5 +- machines/massicot/services.nix | 69 ++++++ 6 files changed, 308 insertions(+), 93 deletions(-) create mode 100644 machines/massicot/services.nix diff --git a/flake.lock b/flake.lock index 62d175d..e4691a0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,5 +1,78 @@ { "nodes": { + "conduit": { + "inputs": { + "crane": "crane", + "fenix": "fenix", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1691686916, + "narHash": "sha256-TpNssMHvSKcxJMas5lQNWEbIv09u4/niBN2C27Mp0JY=", + "owner": "famedly", + "repo": "conduit", + "rev": "0c2cfda3ae923d9e922d5edf379e4d8976a52d4e", + "type": "gitlab" + }, + "original": { + "owner": "famedly", + "ref": "v0.6.0", + "repo": "conduit", + "type": "gitlab" + } + }, + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "conduit", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1688772518, + "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "conduit", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1689488573, + "narHash": "sha256-diVASflKCCryTYv0djvMnP2444mFsIG0ge5pa7ahauQ=", + "owner": "nix-community", + "repo": "fenix", + "rev": "39096fe3f379036ff4a5fa198950b8e79defe939", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -16,6 +89,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -38,6 +127,24 @@ "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -52,7 +159,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "locked": { "lastModified": 1638122382, "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", @@ -74,11 +181,11 @@ ] }, "locked": { - "lastModified": 1689891262, - "narHash": "sha256-Pc4wDczbdgd6QXKJIXprgxe7L9AVDsoAkMnvm5vmpUU=", + "lastModified": 1694375657, + "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=", "owner": "nix-community", "repo": "home-manager", - "rev": "ee5673246de0254186e469935909e821b8f4ec15", + "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7", "type": "github" }, "original": { @@ -89,16 +196,16 @@ }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_3", "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1689903271, - "narHash": "sha256-t3CPQ3afi5fUbY/I4nldZgsUMO9/17UwIC9XPiD0ybs=", + "lastModified": 1694395166, + "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "2064829219ef11822e539664ba975fdf443bbe7b", + "rev": "e6c8e1659000d07804526e42b99fa5f15190c324", "type": "github" }, "original": { @@ -109,7 +216,7 @@ }, "nixos-cn": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] 
@@ -130,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1689320556, - "narHash": "sha256-vODUkZLWFVCvo1KPK3dC2CbXjxa9antEn5ozwlcTr48=", + "lastModified": 1693718952, + "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "d4ea64f2063820120c05f6ba93ee02e6d4671d6b", + "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35", "type": "github" }, "original": { @@ -162,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1689885880, - "narHash": "sha256-2ikAcvHKkKh8J/eUrwMA+wy1poscC+oL1RkN1V3RmT8=", + "lastModified": 1694304580, + "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa793b06f56896b7d1909e4b69977c7bf842b2f0", + "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760", "type": "github" }, "original": { @@ -178,11 +285,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1689473667, - "narHash": "sha256-41ePf1ylHMTogSPAiufqvBbBos+gtB6zjQlYFSEKFMM=", + "lastModified": 1693675694, + "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "13231eccfa1da771afa5c0807fdd73e05a1ec4e6", + "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", "type": "github" }, "original": { @@ -194,11 +301,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1689940971, - "narHash": "sha256-397xShPnFqPC59Bmpo3lS+/Aw0yoDRMACGo1+h2VJMo=", + "lastModified": 1694183432, + "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9ca785644d067445a4aa749902b29ccef61f7476", + "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b", "type": "github" }, "original": { 
@@ -208,29 +315,13 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1689413807, - "narHash": "sha256-exuzOvOhGAEKWQKwDuZAL4N8a1I837hH5eocaTcIbLc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "46ed466081b9cad1125b11f11a2af5cc40b942c7", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nur": { "locked": { - "lastModified": 1689986542, - "narHash": "sha256-nfAoJhHAeOM+G2E4qzE3E8vtt5VH14bq9u7a9wxTR1c=", + "lastModified": 1694400936, + "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=", "owner": "nix-community", "repo": "NUR", - "rev": "3d51c81356bd84bfa7b5b2ccb11c36b58b9f5cde", + "rev": "1850109f159c735841f7f6a51100b05d5b055113", "type": "github" }, "original": { @@ -241,7 +332,8 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", + "conduit": "conduit", + "flake-utils": "flake-utils_2", "home-manager": "home-manager", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-cn": "nixos-cn", 
@@ -252,17 +344,63 @@ "sops-nix": "sops-nix" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1689441253, + "narHash": "sha256-4MSDZaFI4DOfsLIZYPMBl0snzWhX1/OqR/QHir382CY=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "996e054f1eb1dbfc8455ecabff0f6ff22ba7f7c8", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "conduit", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "conduit", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688351637, + "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_3", + "nixpkgs": [ + "nixpkgs" + ], "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1689534977, - "narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=", + "lastModified": 1693898833, + "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81", + "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623", "type": "github" }, "original": { @@ -300,6 +438,21 @@ "repo": "default", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 02117ee..d84f120 100644 --- a/flake.nix +++ b/flake.nix 
@@ -9,9 +9,13 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nur.url = "github:nix-community/NUR"; + nur = { + url = "github:nix-community/NUR"; + }; - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; + nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + }; nixos-cn = { url = "github:nixos-cn/flakes"; @@ -19,11 +23,19 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix.url = "github:Mic92/sops-nix"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + conduit.url = "gitlab:famedly/conduit/v0.6.0"; + conduit.inputs.nixpkgs.follows = "nixpkgs"; nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - flake-utils.url = "github:numtide/flake-utils"; + flake-utils = { + url = "github:numtide/flake-utils"; + }; }; @@ -67,9 +79,9 @@ system = "aarch64-linux"; modules = [ machines/massicot - (mkHome "xin" "gold") - ] - } + (mkHome "xin" "raspite") + ]; + }; nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 81fd528..8dd59d5 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -4,6 +4,7 @@ imports = [ ./hardware-configuration.nix ./networking.nix + ./services.nix ]; boot.loader.efi.canTouchEfiVariables = true; @@ -11,7 +12,6 @@ boot.loader.grub = { enable = true; efiSupport = true; - device = "/dev/sda"; }; environment.systemPackages = with pkgs; [ @@ -24,11 +24,13 @@ networking = { hostName = "massicot"; - useDHCP = false; }; services.openssh = { enable = true; + settings = { + PasswordAuthentication = false; + }; }; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; 
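Review bot: `PasswordAuthentication = false` in the new `services.openssh.settings` block closes only one of sshd's password paths; keyboard-interactive (PAM challenge-response) stays on unless `KbdInteractiveAuthentication` is also disabled, and the NixOS module defaults that option to true. Add `KbdInteractiveAuthentication = false;` beside it so the authorized keys become the only way in. It is also worth stating `PermitRootLogin` explicitly here rather than relying on the module default, since the setting is what makes or breaks root access on a host that is only reachable over SSH.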
@@ -39,8 +41,9 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A" ]; hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7"; }; -} \ No newline at end of file +} diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix index 5d6574a..89358f7 100644 --- a/machines/massicot/hardware-configuration.nix +++ b/machines/massicot/hardware-configuration.nix 
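Review bot: The `hashedPassword` on the context line under the newly added key is a yescrypt hash committed in plain text, so anyone with read access to the git history can run an offline guessing attack against it; with SSH password login disabled it still gates console login and sudo. `sops-nix` is already a flake input, so the hash can move to a secret: `hashedPasswordFile = config.sops.secrets."xin-password".path;` (assuming `config` is among this module's arguments), leaving only public keys in the repo. The `users.users.<name>` block this hunk edits starts outside the hunk.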
@@ -1,36 +1,13 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - +{ modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/934bc9cd-c80f-4af0-a446-e92c3b21ad9e"; - fsType = "ext4"; - }; - - fileSystems."/boot/efi" = - { device = "/dev/disk/by-uuid/06F4-7777"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; -} \ No newline at end of file + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub = { + efiSupport = true; + device = "nodev"; + }; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/AC27-D9D6"; fsType = "vfat"; }; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + +} diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix index fd5bf27..4aadb44 100644 --- a/machines/massicot/networking.nix +++ b/machines/massicot/networking.nix 
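Review bot: `fileSystems."/" = { device = "/dev/sda1"; ... }` replaces the by-uuid reference the generated file used, while the new `/boot` entry still uses `/dev/disk/by-uuid/AC27-D9D6`; kernel device enumeration can renumber `sdX` (the initrd now mixes `xen_blkfront` and `nvme`), and an unbootable root on a machine reachable only over SSH is a hard outage. Use `device = "/dev/disk/by-uuid/<root-uuid>";` for `/` as well. The dropped `nixpkgs.hostPlatform` line is presumably covered by `system = "aarch64-linux"` in the flake; worth confirming, since `ata_piix`/`uhci_hcd` read like x86 guest modules.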
@@ -1,6 +1,7 @@ { networking = { interfaces = { + eth0.useDHCP = true; eth0.ipv6.addresses = [{ address = "2a01:4f8:c17:345f::1"; prefixLength = 64; @@ -10,6 +11,6 @@ address = "fe80::1"; interface = "eth0"; }; - nameservers = [ "2a00:1098:2b::1" "2a00:1098:2c::1" "2a01:4f9:c010:3f02::1"]; + nameservers = [ ]; }; -} \ No newline at end of file +} diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix new file mode 100644 index 0000000..161b83b --- /dev/null +++ b/machines/massicot/services.nix 
@@ -0,0 +1,69 @@
+{ config, pkgs, inputs, ... }:
+{
+ services.matrix-conduit = {
+ enable = true;
+ # package = inputs.conduit.packages.${pkgs.system}.default;
+ package = pkgs.matrix-conduit;
+ settings.global = {
+ server_name = "xinyang.life";
+ port = 6167;
+ # database_path = "/var/lib/matrix-conduit/";
+ database_backend = "rocksdb";
+ allow_registration = false;
+ };
+ };
+
+ services.gotosocial = {
+ enable = true;
+ settings = {
+ log-level = "debug";
+ host = "xinyang.life";
+ letsencrypt-enabled = false;
+ bind-address = "localhost";
+ landing-page-user = "me";
+ instance-expose-public-timeline = true;
+ };
+ };
+
+ services.gitea = {
+ enable = true;
+ package = pkgs.forgejo;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server = {
+ ROOT_URL = "https://git.xinyang.life/";
+ };
+ };
+ };
+
+ services.caddy = {
+ enable = true;
+ virtualHosts."xinyang.life:443".extraConfig = ''
+ tls internal
+ encode zstd gzip
+ reverse_proxy /_matrix/* localhost:6167
+ handle_path /.well-known/matrix/client {
+ header Content-Type "application/json"
+ header Access-Control-Allow-Origin "*"
+ header Content-Disposition attachment; filename="client"
+ respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}`
+ }
+ handle_path /.well-known/matrix/server {
+ header Content-Type "application/json"
+ header Access-Control-Allow-Origin "*"
+ respond `{"m.server": "xinyang.life:443"}`
+ }
+
+ reverse_proxy * http://localhost:8080 {
+ flush_interval -1
+ }
+ '';
+ virtualHosts."git.xinyang.life:443".extraConfig = ''
+ tls internal
+ reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
+}
From b3744b41ceb96bea7c880cedd26ec1610797f2e1 Mon Sep 17 00:00:00 2001
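Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 8448 ]` and the matching UDP line open ports nothing in this file listens on: no Caddy site binds 8448 (the `.well-known/matrix/server` response already delegates federation to `xinyang.life:443`), and Caddy only speaks HTTP/3 on the HTTPS port, so UDP 80 and TCP/UDP 8448 are dead holes in the firewall. Tighten to `networking.firewall.allowedTCPPorts = [ 80 443 ];` and `networking.firewall.allowedUDPPorts = [ 443 ];`, or drop the UDP line if HTTP/3 is not wanted. Separately, `tls internal` on both public sites makes Caddy issue certificates from its own local CA, which browsers and federating Matrix servers will reject — presumably a testing leftover, and removing it lets Caddy obtain publicly trusted certificates for these names. `log-level = "debug"` on GoToSocial should also go back to `info` before real traffic arrives, since debug output can put request details into the journal that you do not want retained.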
From: Xinyang Li Date: Thu, 28 Sep 2023 10:58:29 +0000 Subject: [PATCH 2/9] massicot: add kanidm service --- flake.lock | 58 ++++++++++++++++------------------ flake.nix | 3 +- machines/massicot/services.nix | 50 +++++++++++++++++++++++++++-- 3 files changed, 76 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index e4691a0..44f32e4 100644 --- a/flake.lock +++ b/flake.lock @@ -128,11 +128,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1692799911, - "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", "owner": "numtide", "repo": "flake-utils", - "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", "type": "github" }, "original": { @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1694375657, - "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=", + "lastModified": 1694469544, + "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", "owner": "nix-community", "repo": "home-manager", - "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7", + "rev": "5171f5ef654425e09d9c2100f856d887da595437", "type": "github" }, "original": { @@ -201,11 +201,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1694395166, - "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=", + "lastModified": 1694481387, + "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "e6c8e1659000d07804526e42b99fa5f15190c324", + "rev": "3901c1225944eda6c85f09a57c338f87f06748d2", "type": "github" }, "original": { 
@@ -237,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1693718952, - "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=", + "lastModified": 1694432324, + "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35", + "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779", "type": "github" }, "original": { @@ -269,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694304580, - "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=", + "lastModified": 1694426803, + "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760", + "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a", "type": "github" }, "original": { @@ -301,27 +301,23 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694183432, - "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b", - "type": "github" + "lastModified": 1694538145, + "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=", + "path": "/home/xin/nixpkgs", + "type": "path" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "path": "/home/xin/nixpkgs", + "type": "path" } }, "nur": { "locked": { - "lastModified": 1694400936, - "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=", + "lastModified": 1694533535, + "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=", "owner": "nix-community", "repo": "NUR", - "rev": "1850109f159c735841f7f6a51100b05d5b055113", + "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a", "type": "github" }, "original": { 
@@ -396,11 +392,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1693898833, - "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=", + "lastModified": 1694495315, + "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623", + "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index d84f120..a6be7dc 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,8 @@ { inputs = { # Pin nixpkgs to a specific commit - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "path:/home/xin/nixpkgs"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 161b83b..3fee0e6 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -1,5 +1,27 @@ { config, pkgs, inputs, ... }: +let + kanidm_listen_port = 5324; +in { + security.acme = { + acceptTerms = true; + certs."auth.xinyang.life" = { + email = "lixinyang411@gmail.com"; + listenHTTP = "127.0.0.1:1360"; + group = "kanidm"; + }; + }; + services.kanidm = { + enableServer = true; + serverSettings = { + domain = "auth.xinyang.life"; + origin = "https://auth.xinyang.life"; + bindaddress = "[::]:${toString kanidm_listen_port}"; + tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; + tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; + # db_path = "/var/lib/kanidm/kanidm.db"; + }; + }; services.matrix-conduit = { enable = true; # package = inputs.conduit.packages.${pkgs.system}.default; 
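Review bot: `nixpkgs.url = "path:/home/xin/nixpkgs"` replaces the upstream GitHub pin with an unversioned local checkout; the accompanying flake.lock hunk records only `"type": "path"` plus a narHash of whatever was in that directory, so nobody else — and no CI — can rebuild this closure or audit which nixpkgs patches the servers actually run. Push the local changes to a fork and pin that by revision, e.g. `nixpkgs.url = "github:xinyangli/nixpkgs/<commit>";`, so the lock carries a reviewable `rev` again. For local iteration, `nix build --override-input nixpkgs path:/home/xin/nixpkgs` keeps the checkout out of the committed flake.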
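Review bot: `bindaddress = "[::]:${toString kanidm_listen_port}"` puts the identity provider on every interface, although its only intended client is the Caddy reverse proxy on the same host; bind it to loopback, `bindaddress = "[::1]:${toString kanidm_listen_port}";`, so that a later firewall change can never expose the raw Kanidm listener. The Caddy upstream that talks to it (a later hunk) currently dials `https://auth.xinyang.life:<port>`, which goes out via public DNS and back, and would need to dial `https://[::1]:<port>` instead, with the `tls_server_name` it already sets. A one-line comment on `group = "kanidm"` explaining that it grants the kanidm service read access to the ACME private key in `directory` would help the next reader, since that is a deliberate widening of who can read the key.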
@@ -20,8 +42,13 @@ host = "xinyang.life"; letsencrypt-enabled = false; bind-address = "localhost"; - landing-page-user = "me"; instance-expose-public-timeline = true; + oidc-enabled = true; + oidc-idp-name = "Kanidm"; + oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; + oidc-client-id = "gts"; + oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5"; + oidc-link-existing = true; }; }; @@ -53,15 +80,32 @@ header Access-Control-Allow-Origin "*" respond `{"m.server": "xinyang.life:443"}` } - reverse_proxy * http://localhost:8080 { flush_interval -1 } ''; virtualHosts."git.xinyang.life:443".extraConfig = '' - tls internal reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; + + virtualHosts."http://auth.xinyang.life:80".extraConfig = '' + reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} + route { + reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first + abort + } + ''; + virtualHosts."https://auth.xinyang.life:443".extraConfig = '' + reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + # + # respond `Hello World` + }; networking.firewall.allowedTCPPorts = [ 80 443 8448 ]; From 7bc160d20a5524f40ed84e21d4513e455b26df55 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Oct 2023 11:52:54 +0800 Subject: [PATCH 3/9] massicot: update kanidm to 1.1.0-rc.14-dev --- flake.lock | 58 ++++++++++++++++++++----------------- flake.nix | 29 +++++++++++++++++-- home/xin/common/default.nix | 2 -- 3 files changed, 58 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 44f32e4..5fcba7d 100644 --- a/flake.lock +++ b/flake.lock 
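Review bot: `oidc-client-secret = "QkqhD6kWj8..."` is a live OAuth client secret committed in plain text; beyond living in git history forever, every `services.gotosocial.settings` value is rendered into a world-readable config file in /nix/store on the host, so any local account can read it. Rotate the secret in Kanidm now and feed the replacement out of band — `sops-nix` is already an input, and GoToSocial reads `GTS_OIDC_CLIENT_SECRET` from its environment, so a sops-managed file passed through the module's `environmentFile` option (confirm the option exists in the nixpkgs revision in use) keeps it out of the store. `oidc-link-existing = true` also deserves a comment: it links by e-mail, so it relies on Kanidm only ever asserting verified, admin-controlled addresses. The enclosing `services.gotosocial` block starts outside the hunk.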
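Review bot: In the new `http://auth.xinyang.life:80` site, `reverse_proxy * ${...listenHTTP} order first` looks wrong: `order` is a Caddyfile global option, not a `reverse_proxy` argument, and as far as I can tell the extra tokens are parsed as additional upstream addresses, so a share of the ACME HTTP-01 challenge requests would be load-balanced to hosts named `order` and `first` and fail. The bare `reverse_proxy ${...listenHTTP}` line above it already does the job, so the whole `route { ... abort }` block can be removed. The `https://auth.xinyang.life:443` site dials its upstream by the public name; pointing it at `https://[::1]:${toString kanidm_listen_port}` keeps the IdP hop on the host, with the `tls_server_name` transport option already supplying the correct SNI.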
@@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1694469544, - "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", + "lastModified": 1695984718, + "narHash": "sha256-LQwKgaaaFOkIcxarf0xQXeDJFwZ5BZWcgmPeo3xp2CM=", "owner": "nix-community", "repo": "home-manager", - "rev": "5171f5ef654425e09d9c2100f856d887da595437", + "rev": "4f02e35f9d150573e1a710afa338846c2f6d850c", "type": "github" }, "original": { @@ -201,11 +201,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1694481387, - "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=", + "lastModified": 1696036838, + "narHash": "sha256-GmzS2RWWG98Lw/NsXlBpVxBfH9deP6UtyB/IKj/vKUw=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "3901c1225944eda6c85f09a57c338f87f06748d2", + "rev": "d9c11ddc1817497981466faba1fc7b8d1ea4f865", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1694432324, - "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=", + "lastModified": 1695887975, + "narHash": "sha256-u3+5FR12dI305jCMb0fJNQx2qwoQ54lv1tPoEWp0hmg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779", + "rev": "adcfd6aa860d1d129055039696bc457af7d50d0e", "type": "github" }, "original": { @@ -269,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694426803, - "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=", + "lastModified": 1695825837, + "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a", + "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e", "type": "github" }, "original": { 
@@ -285,11 +285,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1693675694, - "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", + "lastModified": 1694908564, + "narHash": "sha256-ducA98AuWWJu5oUElIzN24Q22WlO8bOfixGzBgzYdVc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", + "rev": "596611941a74be176b98aeba9328aa9d01b8b322", "type": "github" }, "original": { @@ -301,23 +301,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694538145, - "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=", - "path": "/home/xin/nixpkgs", - "type": "path" + "dirtyRev": "5b78f2a4b69d95016f8dd9f2e931cbf83d4dab07-dirty", + "dirtyShortRev": "5b78f2a4-dirty", + "lastModified": 1695994956, + "narHash": "sha256-cFTJutLWWzMhidPHVDgBjdr4BtarTshnbAnvGbGvfOg=", + "shallow": true, + "type": "git", + "url": "file:///home/xin/repo/GitHub/xinyangli/nixpkgs" }, "original": { - "path": "/home/xin/nixpkgs", - "type": "path" + "shallow": true, + "type": "git", + "url": "file:///home/xin/repo/GitHub/xinyangli/nixpkgs" } }, "nur": { "locked": { - "lastModified": 1694533535, - "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=", + "lastModified": 1696042552, + "narHash": "sha256-/n20VRUYywPiV5MS9eUoFMbuvX8m0gM3pHdKHW8Ah64=", "owner": "nix-community", "repo": "NUR", - "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a", + "rev": "33b3ce67676a10b875dc58d187120b47e61b90a3", "type": "github" }, "original": { @@ -392,11 +396,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1694495315, - "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", + "lastModified": 1695284550, + "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", + "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a6be7dc..0a388ab 100644 
--- a/flake.nix +++ b/flake.nix @@ -1,8 +1,7 @@ { inputs = { - # Pin nixpkgs to a specific commit # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.url = "path:/home/xin/nixpkgs"; + nixpkgs.url = "/home/xin/repo/GitHub/xinyangli/nixpkgs"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05"; home-manager = { @@ -67,6 +66,25 @@ nixosModules = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + }; + machinesFile = ./nixbuild.net; + }; + + massicot = { name, nodes, pkgs, ... }: with inputs; { + deployment.targetHost = "***REMOVED***"; + deployment.targetUser = "root"; + + imports = [ + { nixpkgs.system = "aarch64-linux"; } + machines/massicot + ]; + }; + }; + nixosConfigurations.calcite = mkNixos { system = "x86_64-linux"; modules = [ @@ -84,6 +102,13 @@ ]; }; + nixosConfigurations.dolomite = mkNixos { + system = "x86_64-linux"; + modules = [ + machines/dolomite + ]; + }; + nixosConfigurations.raspite = mkNixos { system = "aarch64-linux"; modules = [ diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index da76694..3c665c6 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -9,8 +9,6 @@ nix.settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; - substituters = "https://cache.nixos.org https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store https://cache.nixos.org/ https://cuda-maintainers.cachix.org"; - trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="; }; From 243de7213b2c777a88ec3de5db7fc914ee7b30c3 Mon Sep 17 00:00:00 2001 
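Review bot: `nixpkgs.url = "/home/xin/repo/GitHub/xinyangli/nixpkgs"` pins the systems to an uncommitted working tree — the lock hunk above records `"dirtyRev": "5b78f2a4...-dirty"` and `"shallow": true` — so the exact nixpkgs that built massicot cannot be recovered even by the author once that tree changes, and the previous commit's concern about an unreviewable nixpkgs gets worse. Commit and push the kanidm bump and pin it by revision, e.g. `nixpkgs.url = "github:xinyangli/nixpkgs/<pushed-commit>";`, or keep the local path to `--override-input` for iteration. The `inputs` block continues outside the hunk.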
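Review bot: `deployment.targetHost = "***REMOVED***"` is a history-rewrite placeholder rather than a host, so the new colmena node cannot be deployed as committed and will make colmena ssh to a literal host named `***REMOVED***`; if the address must stay out of the repo, read it from an untracked file or the environment, e.g. `deployment.targetHost = builtins.readFile ./.massicot-host;` (hedged — adjust to your secret-handling convention). `deployment.targetUser = "root"` together with `machinesFile = ./nixbuild.net` means the remote builders listed there produce the store paths that are then pushed to the host as root, which is normal for NixOS but puts the builder inside the trust boundary; a one-line comment on the `meta` block saying so would help. The colmena attribute set continues past this hunk.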
From: xinyangli Date: Tue, 3 Oct 2023 11:53:16 +0800 Subject: [PATCH 4/9] massicot: gitea -> forgejo --- machines/massicot/services.nix | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 3fee0e6..c81fe41 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -52,14 +52,31 @@ in }; }; - services.gitea = { + services.forgejo = { enable = true; - package = pkgs.forgejo; settings = { service.DISABLE_REGISTRATION = true; server = { ROOT_URL = "https://git.xinyang.life/"; }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + service = { + ENABLE_BASIC_AUTHENTICATION = false; + }; + oauth2 = { + ENABLE = false; # Disable forgejo as oauth2 provider + }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + OPENID_CONNECT_SCOPES = "openid profile email"; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; }; }; @@ -98,6 +115,7 @@ in virtualHosts."https://auth.xinyang.life:443".extraConfig = '' reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} { header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" transport http { tls_server_name ${config.services.kanidm.serverSettings.domain} } From 3168385c71abab905b3a6a925aa0aacca5a8fa6f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 3 Oct 2023 11:53:31 +0800 Subject: [PATCH 5/9] massicot: add mosh --- machines/massicot/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index 8dd59d5..9d48c08 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -32,6 +32,7 @@ PasswordAuthentication = false; }; }; + programs.mosh.enable = true; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; From add25d866dba39d997502ecd6df66141ca89dd39 Mon Sep 17 00:00:00 2001 
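Review bot: `ACCOUNT_LINKING = "auto"` combined with `ENABLE_AUTO_REGISTRATION = true` lets a first-time OIDC login attach itself to an existing Forgejo account whose e-mail matches, which is safe only if Kanidm never emits an unverified or user-editable e-mail claim; Forgejo's documentation recommends `login` (prompt for the existing account's credentials) for exactly that reason. Unless every Kanidm e-mail is admin-controlled, change to `ACCOUNT_LINKING = "login";` or add a comment beside it recording that assumption. Disabling `ENABLE_BASIC_AUTHENTICATION` is a good complement since passwords are no longer the primary credential, and `oauth2.ENABLE = false` correctly keeps Forgejo from acting as a second identity provider.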
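Review bot: `header_down Access-Control-Allow-Origin "*"` rewrites the CORS header on every response from the identity provider, overriding whatever origin policy Kanidm computes for its own OAuth2/OIDC endpoints, so any web origin can now read discovery, JWKS and any other response that is not protected by credentials. If a specific client needs it, scope it to that origin and path, e.g. `header_down Access-Control-Allow-Origin "https://xinyang.life"` inside a `handle /oauth2/openid/*` matcher; otherwise drop the line and let Kanidm answer CORS itself.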
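Review bot: `programs.mosh.enable = true` also opens UDP 60000-61000 in the firewall by default (`programs.mosh.openFirewall` defaults to true in the NixOS module; confirm on the pinned nixpkgs), widening the exposed surface from three TCP ports to a thousand UDP ones. Mosh sessions are keyed by a secret bootstrapped over SSH, so the risk is low, but say so where the line is: `# mosh opens UDP 60000-61000 (openFirewall); sessions are authenticated via the SSH bootstrap`. The `services.openssh` block on the context lines above starts outside the hunk.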
From: xinyangli Date: Wed, 15 Nov 2023 07:50:26 +0000 Subject: [PATCH 6/9] bump version --- flake.lock | 58 ++++++++++++++++-------------- flake.nix | 3 +- home/xin/common/default.nix | 3 -- machines/calcite/configuration.nix | 1 - machines/clash.nix | 34 ------------------ machines/raspite/configuration.nix | 4 +-- 6 files changed, 33 insertions(+), 70 deletions(-) delete mode 100644 machines/clash.nix diff --git a/flake.lock b/flake.lock index 44f32e4..801872b 100644 --- a/flake.lock +++ b/flake.lock @@ -181,11 +181,11 @@ ] }, "locked": { - "lastModified": 1694469544, - "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=", + "lastModified": 1699783872, + "narHash": "sha256-4zTwLT2LL45Nmo6iwKB3ls3hWodVP9DiSWxki/oewWE=", "owner": "nix-community", "repo": "home-manager", - "rev": "5171f5ef654425e09d9c2100f856d887da595437", + "rev": "280721186ab75a76537713ec310306f0eba3e407", "type": "github" }, "original": { @@ -201,11 +201,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1694481387, - "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=", + "lastModified": 1700011274, + "narHash": "sha256-NtZqLNEjgaCGowT2+HEeOoZsXqVSAZMA/vk2t0jikN0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "3901c1225944eda6c85f09a57c338f87f06748d2", + "rev": "a8c236477b4251ba739463de7e863a07b124fdd3", "type": "github" }, "original": { @@ -237,11 +237,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1694432324, - "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=", + "lastModified": 1699997707, + "narHash": "sha256-ugb+1TGoOqqiy3axyEZpfF6T4DQUGjfWZ3Htry1EfvI=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779", + "rev": "5689f3ebf899f644a1aabe8774d4f37eb2f6c2f9", "type": "github" }, "original": { 
@@ -269,11 +269,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1694426803, - "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=", + "lastModified": 1699596684, + "narHash": "sha256-XSXP8zjBZJBVvpNb2WmY0eW8O2ce+sVyj1T0/iBRIvg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a", + "rev": "da4024d0ead5d7820f6bd15147d3fe2a0c0cec73", "type": "github" }, "original": { @@ -285,11 +285,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1693675694, - "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", + "lastModified": 1699756042, + "narHash": "sha256-bHHjQQBsEPOxLL+klYU2lYshDnnWY12SewzQ7n5ab2M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", + "rev": "9502d0245983bb233da8083b55d60d96fd3c29ff", "type": "github" }, "original": { @@ -301,23 +301,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694538145, - "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=", - "path": "/home/xin/nixpkgs", - "type": "path" + "lastModified": 1699781429, + "narHash": "sha256-UYefjidASiLORAjIvVsUHG6WBtRhM67kTjEY4XfZOFs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e44462d6021bfe23dfb24b775cc7c390844f773d", + "type": "github" }, "original": { - "path": "/home/xin/nixpkgs", - "type": "path" + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" } }, "nur": { "locked": { - "lastModified": 1694533535, - "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=", + "lastModified": 1700012630, + "narHash": "sha256-m+FOsAtH3He/QoiPqJ/MuF9aw0P/+47vZ3H24pB9MaI=", "owner": "nix-community", "repo": "NUR", - "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a", + "rev": "89fdcae74a069abd30b4d26ed043853b338ba88c", "type": "github" }, "original": { 
@@ -392,11 +396,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1694495315, - "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", + "lastModified": 1699951338, + "narHash": "sha256-1GeczM7XfgHcYGYiYNcdwSFu3E62vmh4d7mffWZvyzE=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", + "rev": "0e3a94167dcd10a47b89141f35b2ff9e04b34c46", "type": "github" }, "original": {
diff --git a/flake.nix b/flake.nix
index a6be7dc..d84f120 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,8 +1,7 @@
 {
 inputs = {
 # Pin nixpkgs to a specific commit
- # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
- nixpkgs.url = "path:/home/xin/nixpkgs";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";
 home-manager = {
diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix
index da76694..088d6a6 100644
--- a/home/xin/common/default.nix
+++ b/home/xin/common/default.nix
@@ -9,8 +9,6 @@
 nix.settings = {
 experimental-features = [ "nix-command" "flakes" ];
 auto-optimise-store = true;
- substituters = "https://cache.nixos.org https://mirrors.ustc.edu.cn/nix-channels/store https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store https://cache.nixos.org/ https://cuda-maintainers.cachix.org";
- trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E=";
 };
@@ -28,7 +26,6 @@
 tealdeer
 neofetch
 rclone
- clash
 inetutils
 ];
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index a5d45f8..ffc1a28 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -7,7 +7,6 @@
 ./hardware-configuration.nix
 ./network.nix
 ../sops.nix
- ../clash.nix
 ];
 # Bootloader.
diff --git a/machines/clash.nix b/machines/clash.nix
deleted file mode 100644
index e6c76ca..0000000
--- a/machines/clash.nix
+++ /dev/null
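Review bot: the context line `# Pin nixpkgs to a specific commit` no longer describes the line below it, since the new `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"` follows a branch and the actual pinning is done by `flake.lock`. Rewording it to `# Track nixos-unstable; the exact commit is pinned in flake.lock` keeps the comment truthful. The removed commented-out line was the previous form of the same URL, so nothing else in the hunk changes meaning.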
@@ -1,34 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- sops = {
- secrets.clash_subscription_link = {
- owner = "xin";
- };
- };
-
- systemd.timers."clash-config-update" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnUnitActiveSec = "1d";
- Unit = "clash-config-update.service";
- };
- };
-
- systemd.services."clash-config-update" = {
- script = ''
- ${pkgs.curl}/bin/curl $(${pkgs.coreutils}/bin/cat ${config.sops.secrets.clash_subscription_link.path}) > /tmp/config.yaml && mv /tmp/config.yaml /home/xin/.config/clash/
- '';
- serviceConfig = {
- Type = "oneshot";
- User= "xin";
- };
- };
-
- systemd.services.clash = {
- enable = true;
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart = "${pkgs.clash}/bin/clash -d /home/xin/.config/clash";
- };
-
-}
diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix
index b178e9e..72b7978 100644
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@@ -10,13 +10,11 @@
 ];
 imports = [
- ../clash.nix
 ../sops.nix
 ];
 environment.systemPackages = with pkgs; [
 git
- clash
 ];
 # Use mirror for binary cache
@@ -59,4 +57,4 @@
 hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4";
 };
-}
\ No newline at end of file
+}
From 56e67018d618ad69b6be95380c9dde4136d827da Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Wed, 15 Nov 2023 08:10:35 +0000
Subject: [PATCH 7/9] massicot: passwordless sudo for user xin
---
 machines/massicot/default.nix | 6 ++++++
 machines/massicot/services.nix | 3 +--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 8dd59d5..c502312 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -45,5 +45,11 @@
 ];
 hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7";
 };
+
+ security.sudo.extraRules = [
+ { users = [ "xin" ];
+ commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
+ }
+ ];
 }
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 3fee0e6..6574466 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -52,9 +52,8 @@ in
 };
 };
- services.gitea = {
+ services.forgejo = {
 enable = true;
- package = pkgs.forgejo;
 settings = {
 service.DISABLE_REGISTRATION = true;
 server = {
From fecdda70d7fac93bde719fe38b7a4121e9c5adad Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Thu, 7 Dec 2023 00:00:30 +0800
Subject: [PATCH 8/9] massicot: add ssh to forgejo
---
 machines/massicot/services.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index c81fe41..84322c1 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -58,6 +58,10 @@ in
 service.DISABLE_REGISTRATION = true;
 server = {
 ROOT_URL = "https://git.xinyang.life/";
+ START_SSH_SERVER = true;
+ BUILTIN_SSH_SERVER_USER = "git";
+ SSH_DOMAIN = "ssh.xinyang.life";
+ SSH_PORT = 2222;
 };
 repository = {
 ENABLE_PUSH_CREATE_USER = true;
@@ -126,6 +130,6 @@ in
 };
- networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
+ networking.firewall.allowedTCPPorts = [ 80 443 2222 8448 ];
 networking.firewall.allowedUDPPorts = [ 80 443 8448 ];
 }
From dd1e8193292d7a9728cef5daa513af0b3e2321ff Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Thu, 7 Dec 2023 00:00:43 +0800
Subject: [PATCH 9/9] massicot: turn on optimise
---
 machines/massicot/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 955d647..9b1dcd7 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
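Review bot: the new `security.sudo.extraRules` entry gives `xin` every command with `NOPASSWD`, so any process running as that user is root without a further check and the `hashedPassword` two lines above then only guards console login. If the rule exists for unattended deploys, naming the command keeps the convenience with a much smaller blast radius, e.g. `commands = [ { command = "/run/current-system/sw/bin/nixos-rebuild"; options = [ "NOPASSWD" ]; } ];`. Whatever is chosen, the reason for passwordless root should be stated in a comment on the rule.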
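Review bot: this hunk repeats the `services.gitea` → `services.forgejo` rename that PATCH 4/9 already made, and both patches name the same pre-image blob `3fee0e6` for `machines/massicot/services.nix`, so the series cannot apply in the listed order: after 4/9 the `services.gitea = {` and `package = pkgs.forgejo;` lines this hunk deletes are already gone. Presumably 7/9 was written on a branch that diverged before 4/9; rebasing it so that it carries only the sudo change would make the series apply cleanly.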
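Review bot: `SSH_PORT = 2222` is the port advertised in clone URLs, the built-in server listens there only because `SSH_LISTEN_PORT` defaults to it, and the firewall hunk later in this patch (`allowedTCPPorts = [ 80 443 2222 8448 ]`) repeats the number independently, so the three can drift apart silently. A comment on the added lines would tie them together, e.g. `# built-in Go SSH server; listens on SSH_PORT (SSH_LISTEN_PORT unset) — keep in sync with networking.firewall.allowedTCPPorts`. As far as I know the built-in server also generates its own host key under the Forgejo state directory, so clients of ssh.xinyang.life:2222 will be shown a key different from the system sshd's; documenting that avoids it being mistaken for a changed host.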
@@ -19,6 +19,14 @@
 ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+ nix.optimise.automatic = true;
+ nix.settings.auto-optimise-store = true;
+
 system.stateVersion = "22.11";
@@ -32,7 +40,6 @@
 PasswordAuthentication = false;
 };
 };
- programs.mosh.enable = true;
 systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
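Review bot: `nix.optimise.automatic = true` and `nix.settings.auto-optimise-store = true` do the same deduplication twice — the first schedules a periodic `nix-store --optimise`, the second hard-links duplicates after every build — so one of them is redundant and, if both are intended, a comment should say why. `auto-optimise-store` has, I believe, had reported problems on some filesystems, so keeping only `nix.optimise.automatic` would be the conservative choice. The second hunk of this patch also drops `programs.mosh.enable`, which the subject "turn on optimise" does not mention.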