From f1c729832712c13ddd31ae85fb7a9872bc44cdbc Mon Sep 17 00:00:00 2001
From: Andre
Date: Wed, 16 Oct 2024 16:12:40 -0400
Subject: [PATCH] General: cleanup
---
 hosts/Dimaga/default.nix | 226 ----------------
 hosts/Dimaga/etc/apcupsd.conf | 333 ------------------
 hosts/Dimaga/hardware-configuration.nix | 102 --------
 hosts/Dimaga/start-services.sh | 26 --
 hosts/Hevana/default.nix | 3 -
 hosts/Shura/default.nix | 2 +-
 hosts/Shura/hardware-configuration.nix | 12 -
 modules/services/forgejo.nix | 68 -----
 modules/services/virtualization.nix | 6 +-
 modules/system/nix.nix | 5 -
 10 files changed, 5 insertions(+), 778 deletions(-)
 delete mode 100644 hosts/Dimaga/default.nix
 delete mode 100644 hosts/Dimaga/etc/apcupsd.conf
 delete mode 100644 hosts/Dimaga/hardware-configuration.nix
 delete mode 100644 hosts/Dimaga/start-services.sh
diff --git a/hosts/Dimaga/default.nix b/hosts/Dimaga/default.nix
deleted file mode 100644
index df8f07c..0000000
--- a/hosts/Dimaga/default.nix
+++ /dev/null
@@ -1,226 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- # Do not change this value! This tracks when NixOS was installed on your system.
- stateVersion = "24.11";
- hostName = "Dimaga";
-
- # Where to store service files
- services-root = "/storage/services";
- # Script to start services
- start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh);
-
- # Credentials for interacting with the Namecheap API
- namecheapCredentials = {
- "NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
- ${config.secrets.networking.namecheap.api.user}
- ''}";
- "NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
- ${config.secrets.networking.namecheap.api.key}
- ''}";
- };
-
- # List of subdomains to add to the TLS certificate
- subdomains = [
- config.secrets.services.deluge.url
- config.secrets.services.forgejo.url
- config.secrets.services.gremlin-lab.url
- config.secrets.services.jellyfin.url
- config.secrets.services.netdata.url
- ];
-in
-{
- imports = [ ./hardware-configuration.nix ];
-
- system.stateVersion = stateVersion;
- networking.hostName = hostName;
-
- ###*** Configure your system below this line. ***###
- # Set your time zone.
- # To see all available timezones, run `timedatectl list-timezones`.
- time.timeZone = "America/New_York";
-
- # Build Nix packages for other hosts.
- # Runs every day at 4 AM
- systemd = {
- services."build-hosts" = {
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- path = config.aux.system.corePackages;
- script = ''
- cd ${config.secrets.nixConfigFolder}
- nixos-rebuild build --flake .#Khanda
- '';
- };
- timers."build-hosts" = {
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "04:00";
- Persistent = true;
- Unit = "build-hosts.service";
- };
- };
- };
-
- # Configure the system.
- aux.system = {
- # Enable to allow unfree (e.g. closed source) packages.
- # Some settings may override this (e.g. enabling Nvidia GPU support).
- # https://nixos.org/manual/nixpkgs/stable/#sec-allow-unfree
- allowUnfree = true;
-
- # Enable Secure Boot support.
- bootloader = {
- enable = true;
- secureboot.enable = true;
- tpm2.enable = true;
- };
-
- # Change the default text editor. Options are "emacs", "nano", or "vim".
- editor = "nano";
-
- # Enable GPU support.
- gpu = {
- intel.enable = true;
- nvidia = {
- enable = true;
- hybrid = {
- enable = true;
- busIDs.nvidia = "PCI:3:0:0";
- busIDs.intel = "PCI:0:2:0";
- };
- };
- };
-
- packages = [ start-services ];
-
- # Enable support for primary RAID array
- raid.storage.enable = true;
-
- # Change how long old generations are kept for.
- retentionPeriod = "30d";
-
- services = {
- acme = {
- enable = true;
- defaultEmail = config.secrets.users.aires.email;
- certs = {
- "${config.secrets.networking.domains.primary}" = {
- dnsProvider = "namecheap";
- extraDomainNames = subdomains;
- webroot = null; # Required in order to prevent a failed assertion
- credentialFiles = namecheapCredentials;
- };
- "${config.secrets.networking.domains.blog}" = {
- dnsProvider = "namecheap";
- webroot = null; # Required in order to prevent a failed assertion
- credentialFiles = namecheapCredentials;
- };
- };
- };
- apcupsd = {
- enable = true;
- configText = builtins.readFile ./etc/apcupsd.conf;
- };
- autoUpgrade = {
- enable = false; # Don't update the system...
- pushUpdates = true; # ...but do push updates remotely.
- configDir = config.secrets.nixConfigFolder;
- onCalendar = "daily";
- user = config.users.users.aires.name;
- };
- boinc.enable = true;
- deluge = {
- enable = true;
- home = "${services-root}/deluge";
- url = config.secrets.services.deluge.url;
- };
- duplicacy-web = {
- enable = true;
- home = "/storage/backups/settings/Haven";
- };
- forgejo = {
- enable = true;
- home = "${services-root}/forgejo";
- url = config.secrets.services.forgejo.url;
- actions = {
- enable = true;
- token = config.secrets.services.forgejo.runner-token;
- };
- };
- jellyfin = {
- enable = true;
- home = "${services-root}/jellyfin";
- url = config.secrets.services.jellyfin.url;
- };
- msmtp.enable = true;
- netdata = {
- enable = true;
- type = "parent";
- url = config.secrets.services.netdata.url;
- auth = {
- user = config.users.users.aires.name;
- password = config.secrets.services.netdata.password;
- apiKey = config.secrets.services.netdata.apiKey;
- };
- };
- nginx = {
- enable = true;
- virtualHosts = {
- "${config.secrets.networking.domains.primary}" = {
- default = true;
- enableACME = true; # Enable Let's Encrypt
- locations."/" = {
- # Catchall vhost, will redirect users to Forgejo
- return = "301 https://${config.secrets.services.forgejo.url}";
- };
- };
- "${config.secrets.networking.domains.blog}" = {
- useACMEHost = config.secrets.networking.domains.blog;
- forceSSL = true;
- root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
- };
- "${config.secrets.services.gremlin-lab.url}" = {
- useACMEHost = config.secrets.networking.domains.primary;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
- proxyWebsockets = true;
- extraConfig = "proxy_ssl_server_name on;";
- };
- };
- };
- };
- ssh = {
- enable = true;
- ports = [ config.secrets.hosts.dimaga.ssh.port ];
- };
- virtualization.host = {
- enable = true;
- user = "aires";
- vmBuilds = {
- enable = true;
- cores = 3;
- ram = 3072;
- };
- };
- };
-
- # Install Gnome
- ui.desktops.gnome.enable = true;
-
- users.aires = {
- enable = true;
- services = {
- syncthing = {
- enable = true;
- home = "${services-root}/syncthing/aires";
- };
- };
- };
- };
-}
diff --git a/hosts/Dimaga/etc/apcupsd.conf b/hosts/Dimaga/etc/apcupsd.conf
deleted file mode 100644
index fd5b232..0000000
--- a/hosts/Dimaga/etc/apcupsd.conf
+++ /dev/null
@@ -1,333 +0,0 @@
-## apcupsd.conf v1.1 ##
-#
-# for apcupsd release 3.14.12 (29 March 2014) - debian
-#
-# "apcupsd" POSIX config file
-
-#
-# ========= General configuration parameters ============
-#
-
-# UPSNAME xxx
-# Use this to give your UPS a name in log files and such. This
-# is particulary useful if you have multiple UPSes. This does not
-# set the EEPROM. It should be 8 characters or less.
-#UPSNAME
-
-# UPSCABLE
-# Defines the type of cable connecting the UPS to your computer.
-#
-# Possible generic choices for are:
-# simple, smart, ether, usb
-#
-# Or a specific cable model number may be used:
-# 940-0119A, 940-0127A, 940-0128A, 940-0020B,
-# 940-0020C, 940-0023A, 940-0024B, 940-0024C,
-# 940-1524C, 940-0024G, 940-0095A, 940-0095B,
-# 940-0095C, 940-0625A, M-04-02-2000
-#
-UPSCABLE usb
-
-# To get apcupsd to work, in addition to defining the cable
-# above, you must also define a UPSTYPE, which corresponds to
-# the type of UPS you have (see the Description for more details).
-# You must also specify a DEVICE, sometimes referred to as a port.
-# For USB UPSes, please leave the DEVICE directive blank. For
-# other UPS types, you must specify an appropriate port or address.
-#
-# UPSTYPE DEVICE Description
-# apcsmart /dev/tty** Newer serial character device, appropriate for
-# SmartUPS models using a serial cable (not USB).
-#
-# usb Most new UPSes are USB. A blank DEVICE
-# setting enables autodetection, which is
-# the best choice for most installations.
-#
-# net hostname:port Network link to a master apcupsd through apcupsd's
-# Network Information Server. This is used if the
-# UPS powering your computer is connected to a
-# different computer for monitoring.
-#
-# snmp hostname:port:vendor:community
-# SNMP network link to an SNMP-enabled UPS device.
-# Hostname is the ip address or hostname of the UPS
-# on the network. Vendor can be can be "APC" or
-# "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap
-# catching; you usually want "APC". Port is usually
-# 161. Community is usually "private".
-#
-# netsnmp hostname:port:vendor:community
-# OBSOLETE
-# Same as SNMP above but requires use of the
-# net-snmp library. Unless you have a specific need
-# for this old driver, you should use 'snmp' instead.
-#
-# dumb /dev/tty** Old serial character device for use with
-# simple-signaling UPSes.
-#
-# pcnet ipaddr:username:passphrase:port
-# PowerChute Network Shutdown protocol which can be
-# used as an alternative to SNMP with the AP9617
-# family of smart slot cards. ipaddr is the IP
-# address of the UPS management card. username and
-# passphrase are the credentials for which the card
-# has been configured. port is the port number on
-# which to listen for messages from the UPS, normally
-# 3052. If this parameter is empty or missing, the
-# default of 3052 will be used.
-#
-# modbus /dev/tty** Serial device for use with newest SmartUPS models
-# supporting the MODBUS protocol.
-#
-UPSTYPE usb
-DEVICE
-
-# POLLTIME
-# Interval (in seconds) at which apcupsd polls the UPS for status. This
-# setting applies both to directly-attached UPSes (UPSTYPE apcsmart, usb,
-# dumb) and networked UPSes (UPSTYPE net, snmp). Lowering this setting
-# will improve apcupsd's responsiveness to certain events at the cost of
-# higher CPU utilization. The default of 60 is appropriate for most
-# situations.
-#POLLTIME 60
-
-# LOCKFILE
-# Path for device lock file. Not used on Win32.
-LOCKFILE /var/lock
-
-# SCRIPTDIR
-# Directory in which apccontrol and event scripts are located.
-SCRIPTDIR /etc/apcupsd
-
-# PWRFAILDIR
-# Directory in which to write the powerfail flag file. This file
-# is created when apcupsd initiates a system shutdown and is
-# checked in the OS halt scripts to determine if a killpower
-# (turning off UPS output power) is required.
-PWRFAILDIR /etc/apcupsd
-
-# NOLOGINDIR
-# Directory in which to write the nologin file. The existence
-# of this flag file tells the OS to disallow new logins.
-NOLOGINDIR /etc
-
-
- #
- # ======== Configuration parameters used during power failures ==========
- #
-
- # The ONBATTERYDELAY is the time in seconds from when a power failure
- # is detected until we react to it with an onbattery event.
- #
- # This means that, apccontrol will be called with the powerout argument
- # immediately when a power failure is detected. However, the
- # onbattery argument is passed to apccontrol only after the
- # ONBATTERYDELAY time. If you don't want to be annoyed by short
- # powerfailures, make sure that apccontrol powerout does nothing
- # i.e. comment out the wall.
-ONBATTERYDELAY 6
-
- #
- # Note: BATTERYLEVEL, MINUTES, and TIMEOUT work in conjunction, so
- # the first that occurs will cause the initation of a shutdown.
- #
-
- # If during a power failure, the remaining battery percentage
- # (as reported by the UPS) is below or equal to BATTERYLEVEL,
- # apcupsd will initiate a system shutdown.
-BATTERYLEVEL 5
-
- # If during a power failure, the remaining runtime in minutes
- # (as calculated internally by the UPS) is below or equal to MINUTES,
- # apcupsd, will initiate a system shutdown.
-MINUTES 5
-
- # If during a power failure, the UPS has run on batteries for TIMEOUT
- # many seconds or longer, apcupsd will initiate a system shutdown.
- # A value of 0 disables this timer.
- #
- # Note, if you have a Smart UPS, you will most likely want to disable
- # this timer by setting it to zero. That way, you UPS will continue
- # on batteries until either the % charge remaing drops to or below BATTERYLEVEL,
- # or the remaining battery runtime drops to or below MINUTES. Of course,
- # if you are testing, setting this to 60 causes a quick system shutdown
- # if you pull the power plug.
- # If you have an older dumb UPS, you will want to set this to less than
- # the time you know you can run on batteries.
-TIMEOUT 0
-
- # Time in seconds between annoying users to signoff prior to
- # system shutdown. 0 disables.
-ANNOY 300
-
- # Initial delay after power failure before warning users to get
- # off the system.
-ANNOYDELAY 60
-
- # The condition which determines when users are prevented from
- # logging in during a power failure.
- # NOLOGON [ disable | timeout | percent | minutes | always ]
-NOLOGON disable
-
- # If KILLDELAY is non-zero, apcupsd will continue running after a
- # shutdown has been requested, and after the specified time in
- # seconds attempt to kill the power. This is for use on systems
- # where apcupsd cannot regain control after a shutdown.
- # KILLDELAY 0 disables
-KILLDELAY 0
-
- #
- # ==== Configuration statements for Network Information Server ====
- #
-
- # NETSERVER [ on | off ] on enables, off disables the network
- # information server. If netstatus is on, a network information
- # server process will be started for serving the STATUS and
- # EVENT data over the network (used by CGI programs).
-NETSERVER on
-
- # NISIP
- # IP address on which NIS server will listen for incoming connections.
- # This is useful if your server is multi-homed (has more than one
- # network interface and IP address). Default value is 0.0.0.0 which
- # means any incoming request will be serviced. Alternatively, you can
- # configure this setting to any specific IP address of your server and
- # NIS will listen for connections only on that interface. Use the
- # loopback address (127.0.0.1) to accept connections only from the
- # local machine.
-NISIP 127.0.0.1
-
- # NISPORT default is 3551 as registered with the IANA
- # port to use for sending STATUS and EVENTS data over the network.
- # It is not used unless NETSERVER is on. If you change this port,
- # you will need to change the corresponding value in the cgi directory
- # and rebuild the cgi programs.
-NISPORT 3551
-
- # If you want the last few EVENTS to be available over the network
- # by the network information server, you must define an EVENTSFILE.
-EVENTSFILE /var/log/apcupsd.events
-
- # EVENTSFILEMAX
- # By default, the size of the EVENTSFILE will be not be allowed to exceed
- # 10 kilobytes. When the file grows beyond this limit, older EVENTS will
- # be removed from the beginning of the file (first in first out). The
- # parameter EVENTSFILEMAX can be set to a different kilobyte value, or set
- # to zero to allow the EVENTSFILE to grow without limit.
-EVENTSFILEMAX 10
-
- #
- # ========== Configuration statements used if sharing =============
- # a UPS with more than one machine
-
- #
- # Remaining items are for ShareUPS (APC expansion card) ONLY
- #
-
- # UPSCLASS [ standalone | shareslave | sharemaster ]
- # Normally standalone unless you share an UPS using an APC ShareUPS
- # card.
-UPSCLASS standalone
-
- # UPSMODE [ disable | share ]
- # Normally disable unless you share an UPS using an APC ShareUPS card.
-UPSMODE disable
-
- #
- # ===== Configuration statements to control apcupsd system logging ========
- #
-
- # Time interval in seconds between writing the STATUS file; 0 disables
-STATTIME 0
-
- # Location of STATUS file (written to only if STATTIME is non-zero)
-STATFILE /var/log/apcupsd.status
-
- # LOGSTATS [ on | off ] on enables, off disables
- # Note! This generates a lot of output, so if
- # you turn this on, be sure that the
- # file defined in syslog.conf for LOG_NOTICE is a named pipe.
- # You probably do not want this on.
-LOGSTATS off
-
- # Time interval in seconds between writing the DATA records to
- # the log file. 0 disables.
-DATATIME 0
-
- # FACILITY defines the logging facility (class) for logging to syslog.
- # If not specified, it defaults to "daemon". This is useful
- # if you want to separate the data logged by apcupsd from other
- # programs.
-#FACILITY DAEMON
-
- #
- # ========== Configuration statements used in updating the UPS EPROM =========
- #
-
- #
- # These statements are used only by apctest when choosing "Set EEPROM with conf
- # file values" from the EEPROM menu. THESE STATEMENTS HAVE NO EFFECT ON APCUPSD.
- #
-
- # UPS name, max 8 characters
-#UPSNAME UPS_IDEN
-
- # Battery date - 8 characters
-#BATTDATE mm/dd/yy
-BATTDATE 07/08/19
-
- # Sensitivity to line voltage quality (H cause faster transfer to batteries)
- # SENSITIVITY H M L (default = H)
-#SENSITIVITY H
-
- # UPS delay after power return (seconds)
- # WAKEUP 000 060 180 300 (default = 0)
-#WAKEUP 60
-
- # UPS Grace period after request to power off (seconds)
- # SLEEP 020 180 300 600 (default = 20)
-#SLEEP 180
-
- # Low line voltage causing transfer to batteries
- # The permitted values depend on your model as defined by last letter
- # of FIRMWARE or APCMODEL. Some representative values are:
- # D 106 103 100 097
- # M 177 172 168 182
- # A 092 090 088 086
- # I 208 204 200 196 (default = 0 => not valid)
-#LOTRANSFER 208
-
- # High line voltage causing transfer to batteries
- # The permitted values depend on your model as defined by last letter
- # of FIRMWARE or APCMODEL. Some representative values are:
- # D 127 130 133 136
- # M 229 234 239 224
- # A 108 110 112 114
- # I 253 257 261 265 (default = 0 => not valid)
-#HITRANSFER 253
-
- # Battery charge needed to restore power
- # RETURNCHARGE 00 15 50 90 (default = 15)
-#RETURNCHARGE 15
-
- # Alarm delay
- # 0 = zero delay after pwr fail, T = power fail + 30 sec, L = low battery, N = never
- # BEEPSTATE 0 T L N (default = 0)
-BEEPSTATE N
-
- # Low battery warning delay in minutes
- # LOWBATT 02 05 07 10 (default = 02)
-#LOWBATT 2
-
- # UPS Output voltage when running on batteries
- # The permitted values depend on your model as defined by last letter
- # of FIRMWARE or APCMODEL. Some representative values are:
- # D 115
- # M 208
- # A 100
- # I 230 240 220 225 (default = 0 => not valid)
-#OUTPUTVOLTS 230
-
- # Self test interval in hours 336=2 weeks, 168=1 week, ON=at power on
- # SELFTEST 336 168 ON OFF (default = 336)
-#SELFTEST 336
diff --git a/hosts/Dimaga/hardware-configuration.nix b/hosts/Dimaga/hardware-configuration.nix
deleted file mode 100644
index 943f41e..0000000
--- a/hosts/Dimaga/hardware-configuration.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{
- config,
- lib,
- modulesPath,
- ...
-}:
-
-let
- bootUUID = "FC20-D155"; # The UUID of the boot partition.
- luksUUID = "9fdc521b-a037-4070-af47-f54da03675e4"; # The UUID of the locked LUKS partition.
-in
-{
- imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
- boot = {
- # Enable antenna aggregation
- extraModprobeConfig = ''
- options iwlwifi 11n_disable=8
- '';
-
- initrd.availableKernelModules = [
- "xhci_pci"
- "nvme"
- "usb_storage"
- "sd_mod"
- "sdhci_pci"
- ];
- kernelModules = [ "kvm-intel" ];
- extraModulePackages = [ ];
-
- # Enable support for building ARM64 packages
- binfmt.emulatedSystems = [ "aarch64-linux" ];
- };
-
- # Configure the main filesystem.
- aux.system.filesystem = {
- enable = true;
- partitions = {
- boot = "/dev/disk/by-uuid/${bootUUID}";
- luks = "/dev/disk/by-uuid/${luksUUID}";
- };
- swapFile = {
- enable = true;
- size = 16384;
- };
- };
-
- # Automatically scrub the RAID array monthly
- systemd.services."raid-scrub" = {
- description = "Periodically scrub RAID volumes for errors.";
- serviceConfig = {
- Type = "oneshot";
- User = "root";
- };
- script = "echo check > /sys/block/md127/md/sync_action";
- };
- systemd.timers."raid-scrub" = {
- description = "Periodically scrub RAID volumes for errors.";
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "monthly";
- Persistent = true;
- Unit = "raid-scrub.service";
- };
- };
-
- # Disable suspend
- systemd.targets = {
- sleep.enable = false;
- suspend.enable = false;
- hibernate.enable = false;
- hybrid-sleep.enable = false;
- };
- services = {
- xserver.displayManager.gdm.autoSuspend = lib.mkIf config.aux.system.ui.desktops.gnome.enable false;
- logind = {
- lidSwitch = "lock";
- lidSwitchDocked = "lock";
- };
- };
- services.upower.ignoreLid = true;
-
- # Enable CPU microde updates
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
- # Detect keyboard as "internal" so we can automatically disable the touchpad while typing
- # If this doesn't work, try changing "MatchName" to "AT Raw Set 2 keyboard"
- environment.etc."libinput/keyboard-touchpard.quirks" = {
- mode = "0600";
- text = ''
- [Microsoft Surface Type Cover Touchpad]
- MatchUdevType=touchpad
- MatchName=*Microsoft Surface Type Cover Touchpad
- AttrKeyboardIntegration=internal
-
- [Microsoft Surface Type Cover Keyboard]
- MatchUdevType=keyboard
- MatchName=*Microsoft Surface Type Cover Keyboard
- AttrKeyboardIntegration=internal
- '';
- };
-}
diff --git a/hosts/Dimaga/start-services.sh b/hosts/Dimaga/start-services.sh
deleted file mode 100644
index e80969a..0000000
--- a/hosts/Dimaga/start-services.sh
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Script to unlock the /storage partition and start up services that depend on it.
-
-# check if the current user is root
-if [ "$(id -u)" != "0" ]; then
- echo "This script must be run as root" 1>&2
- exit 1
-fi
-
-# Unlock and mount storage directory if we haven't already
-if [ -e "/dev/mapper/storage" ]; then
- echo "Storage partition already mounted."
-else
- echo "Unlocking storage partition..."
- cryptsetup luksOpen /dev/md/Sapana storage
- mount /dev/mapper/storage /storage
- echo "Storage partition mounted."
-fi
-
-echo "Starting services..."
-systemctl restart deluged.service delugeweb.service duplicacy-web.service forgejo.service jellyf.service
-systemctl --machine aires@.host --user start syncthing.service
-systemctl restart nginx.service
-echo "Services started. $(hostname) is ready to go!"
-
-exit 0
diff --git a/hosts/Hevana/default.nix b/hosts/Hevana/default.nix
index 8a53cda..5d632b6 100644
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@@ -70,9 +70,6 @@ in
 };
 };
- # Disable NetworkManager
- networking.networkmanager.enable = lib.mkForce false; - - # Configure the system. aux.system = { # Enable to allow unfree (e.g. closed source) packages.
diff --git a/hosts/Shura/default.nix b/hosts/Shura/default.nix
index 702c57d..c923313 100644
--- a/hosts/Shura/default.nix
+++ b/hosts/Shura/default.nix
@@ -72,7 +72,7 @@ in
 user = config.users.users.aires.name;
 };
 netdata = {
- # Disabled until I get Nginx configured to provide a streaming endpoint
+ # FIXME: Disabled until I get Nginx configured to provide a streaming endpoint
 enable = false;
 type = "child";
 url = config.secrets.services.netdata.url;
diff --git a/hosts/Shura/hardware-configuration.nix b/hosts/Shura/hardware-configuration.nix
index 4fc8480..f97d1bc 100644
--- a/hosts/Shura/hardware-configuration.nix
+++ b/hosts/Shura/hardware-configuration.nix
@@ -40,18 +40,6 @@ in
 };
 };
- # Detect keyboard as "internal" so we can automatically disable the touchpad while typing
- # If this doesn't work, try changing "MatchName" to "AT Raw Set 2 keyboard"
- environment.etc."libinput/keyboard-touchpard.quirks" = {
- mode = "0600";
- text = ''
- [Serial Keyboards]
- MatchUdevType=keyboard
- MatchName=ITE Tech. Inc. ITE Device(8258) Keyboard
- AttrKeyboardIntegration=internal
- '';
- };
-
 # Limit the number of cores Nix can use
 nix.settings.cores = 12;
 }
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index a31ae3f..a5527a4 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -6,20 +6,6 @@
 }:
 let
 cfg = config.aux.system.services.forgejo;
- cli-cfg = config.services.forgejo;
-
- forgejo-cli = pkgs.writeScriptBin "forgejo-cli" ''
- #!${pkgs.runtimeShell}
- cd ${cli-cfg.stateDir}
- sudo=exec
- if [[ "$USER" != forgejo ]]; then
- sudo='exec /run/wrappers/bin/sudo -u ${cli-cfg.user} -g ${cli-cfg.group} --preserve-env=GITEA_WORK_DIR --preserve-env=GITEA_CUSTOM'
- fi
- # Note that these variable names will change
- export GITEA_WORK_DIR=${cli-cfg.stateDir}
- export GITEA_CUSTOM=${cli-cfg.customDir}
- $sudo ${lib.getExe cli-cfg.package} "$@"
- '';
 in
 {
 options = {
@@ -37,22 +23,10 @@ in
 description = "The complete URL where Forgejo is hosted.";
 example = "https://forgejo.example.com";
 };
- actions = {
- enable = lib.mkEnableOption "Enables a local Forgejo Actions runner.";
- token = lib.mkOption {
- default = "";
- type = lib.types.str;
- description = "Token used to authenticate the runner with Forgejo.";
- };
- };
 };
 };
 config = lib.mkIf cfg.enable {
- environment.systemPackages = [
- forgejo-cli
- pkgs.podman-tui
- ];
 services = {
 forgejo = {
 enable = true;
@@ -76,48 +50,6 @@ in
 extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
 };
 };
-
- # Enable runner for CI actions
- gitea-actions-runner = lib.mkIf cfg.actions.enable {
- package = pkgs.forgejo-actions-runner;
- instances.default = {
- enable = true;
- name = config.networking.hostName;
- url = "https://${cfg.url}";
- token = cfg.actions.token;
- labels = [
- "nix:docker://nixos/nix" # Shoutout to Icewind 1991 for this syntax: https://icewind.nl/entry/gitea-actions-nix/
- "debian:docker://node:20-bullseye"
- "ubuntu-latest:docker://ubuntu:latest"
- ];
- settings = {
- # For an example of configuring in Nix: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
- # For an example of the different options available: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
- container.options = "-v /nix:/nix";
- container.validVolumes = [ "/nix" ];
- };
- };
- };
- };
-
- # Enable Podman for running...uh, runners.
- virtualisation = lib.mkIf cfg.actions.enable {
- containers.enable = true;
- podman = {
- enable = true;
-
- # Create a `docker` alias for podman, to use it as a drop-in replacement
- dockerCompat = true;
-
- # Required for containers under podman-compose to be able to talk to each other.
- defaultNetwork.settings.dns_enabled = true;
- };
- };
-
- # Allow containers to make DNS queries (https://www.reddit.com/r/NixOS/comments/199f16j/why_dont_my_podman_containers_have_internet_access/)
- networking.firewall.interfaces.podman4 = lib.mkIf cfg.actions.enable {
- allowedTCPPorts = [ 53 ];
- allowedUDPPorts = [ 53 ];
 };
 systemd.services = {
diff --git a/modules/services/virtualization.nix b/modules/services/virtualization.nix
index 318ad69..cd34e5c 100644
--- a/modules/services/virtualization.nix
+++ b/modules/services/virtualization.nix
@@ -47,8 +47,10 @@ in
 qemu = {
 package = pkgs.qemu_kvm;
 swtpm.enable = true;
- ovmf.enable = true;
- ovmf.packages = [ pkgs.OVMFFull.fd ];
+ ovmf = {
+ enable = true;
+ packages = [ pkgs.OVMFFull.fd ];
+ };
 };
 };
 spiceUSBRedirection.enable = true;
diff --git a/modules/system/nix.nix b/modules/system/nix.nix
index 610ee69..b3ab9f0 100644
--- a/modules/system/nix.nix
+++ b/modules/system/nix.nix
@@ -69,11 +69,6 @@ in
 # Configure NixOS to use the same software channel as Flakes
 registry.nixpkgs.flake = inputs.nixpkgs;
 nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
- # When using a builder, use its package store
- extraOptions = ''
- builders-use-substitutes = true
- '';
 };
 # Support for standard, dynamically-linked executables