
General: cleanup

This commit is contained in:
Aires 2024-10-16 16:12:40 -04:00
parent 445b0a9344
commit f1c7298327
10 changed files with 5 additions and 778 deletions


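--- a/[path not shown on page]
+++ /dev/null
@@ -1,226 +0,0 @@
-{ config, pkgs, ... }:
-let
-# Do not change this value! This tracks when NixOS was installed on your system.
-stateVersion = "24.11";
-hostName = "Dimaga";
-# Where to store service files
-services-root = "/storage/services";
-# Script to start services
-start-services = pkgs.writeShellScriptBin "start-services" (builtins.readFile ./start-services.sh);
-# Credentials for interacting with the Namecheap API
-namecheapCredentials = {
-"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
-${config.secrets.networking.namecheap.api.user}
-''}";
-"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
-${config.secrets.networking.namecheap.api.key}
-''}";
-};
-# List of subdomains to add to the TLS certificate
-subdomains = [
-config.secrets.services.deluge.url
-config.secrets.services.forgejo.url
-config.secrets.services.gremlin-lab.url
-config.secrets.services.jellyfin.url
-config.secrets.services.netdata.url
-];
-in
-{
-imports = [ ./hardware-configuration.nix ];
-system.stateVersion = stateVersion;
-networking.hostName = hostName;
-###*** Configure your system below this line. ***###
-# Set your time zone.
-# To see all available timezones, run `timedatectl list-timezones`.
-time.timeZone = "America/New_York";
-# Build Nix packages for other hosts.
-# Runs every day at 4 AM
-systemd = {
-services."build-hosts" = {
-serviceConfig = {
-Type = "oneshot";
-User = "root";
-};
-path = config.aux.system.corePackages;
-script = ''
-cd ${config.secrets.nixConfigFolder}
-nixos-rebuild build --flake .#Khanda
-'';
-};
-timers."build-hosts" = {
-wants = [ "network-online.target" ];
-after = [ "network-online.target" ];
-wantedBy = [ "timers.target" ];
-timerConfig = {
-OnCalendar = "04:00";
-Persistent = true;
-Unit = "build-hosts.service";
-};
-};
-};
-# Configure the system.
-aux.system = {
-# Enable to allow unfree (e.g. closed source) packages.
-# Some settings may override this (e.g. enabling Nvidia GPU support).
-# https://nixos.org/manual/nixpkgs/stable/#sec-allow-unfree
-allowUnfree = true;
-# Enable Secure Boot support.
-bootloader = {
-enable = true;
-secureboot.enable = true;
-tpm2.enable = true;
-};
-# Change the default text editor. Options are "emacs", "nano", or "vim".
-editor = "nano";
-# Enable GPU support.
-gpu = {
-intel.enable = true;
-nvidia = {
-enable = true;
-hybrid = {
-enable = true;
-busIDs.nvidia = "PCI:3:0:0";
-busIDs.intel = "PCI:0:2:0";
-};
-};
-};
-packages = [ start-services ];
-# Enable support for primary RAID array
-raid.storage.enable = true;
-# Change how long old generations are kept for.
-retentionPeriod = "30d";
-services = {
-acme = {
-enable = true;
-defaultEmail = config.secrets.users.aires.email;
-certs = {
-"${config.secrets.networking.domains.primary}" = {
-dnsProvider = "namecheap";
-extraDomainNames = subdomains;
-webroot = null; # Required in order to prevent a failed assertion
-credentialFiles = namecheapCredentials;
-};
-"${config.secrets.networking.domains.blog}" = {
-dnsProvider = "namecheap";
-webroot = null; # Required in order to prevent a failed assertion
-credentialFiles = namecheapCredentials;
-};
-};
-};
-apcupsd = {
-enable = true;
-configText = builtins.readFile ./etc/apcupsd.conf;
-};
-autoUpgrade = {
-enable = false; # Don't update the system...
-pushUpdates = true; # ...but do push updates remotely.
-configDir = config.secrets.nixConfigFolder;
-onCalendar = "daily";
-user = config.users.users.aires.name;
-};
-boinc.enable = true;
-deluge = {
-enable = true;
-home = "${services-root}/deluge";
-url = config.secrets.services.deluge.url;
-};
-duplicacy-web = {
-enable = true;
-home = "/storage/backups/settings/Haven";
-};
-forgejo = {
-enable = true;
-home = "${services-root}/forgejo";
-url = config.secrets.services.forgejo.url;
-actions = {
-enable = true;
-token = config.secrets.services.forgejo.runner-token;
-};
-};
-jellyfin = {
-enable = true;
-home = "${services-root}/jellyfin";
-url = config.secrets.services.jellyfin.url;
-};
-msmtp.enable = true;
-netdata = {
-enable = true;
-type = "parent";
-url = config.secrets.services.netdata.url;
-auth = {
-user = config.users.users.aires.name;
-password = config.secrets.services.netdata.password;
-apiKey = config.secrets.services.netdata.apiKey;
-};
-};
-nginx = {
-enable = true;
-virtualHosts = {
-"${config.secrets.networking.domains.primary}" = {
-default = true;
-enableACME = true; # Enable Let's Encrypt
-locations."/" = {
-# Catchall vhost, will redirect users to Forgejo
-return = "301 https://${config.secrets.services.forgejo.url}";
-};
-};
-"${config.secrets.networking.domains.blog}" = {
-useACMEHost = config.secrets.networking.domains.blog;
-forceSSL = true;
-root = "${services-root}/nginx/sites/${config.secrets.networking.domains.blog}";
-};
-"${config.secrets.services.gremlin-lab.url}" = {
-useACMEHost = config.secrets.networking.domains.primary;
-forceSSL = true;
-locations."/" = {
-proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
-proxyWebsockets = true;
-extraConfig = "proxy_ssl_server_name on;";
-};
-};
-};
-};
-ssh = {
-enable = true;
-ports = [ config.secrets.hosts.dimaga.ssh.port ];
-};
-virtualization.host = {
-enable = true;
-user = "aires";
-vmBuilds = {
-enable = true;
-cores = 3;
-ram = 3072;
-};
-};
-};
-# Install Gnome
-ui.desktops.gnome.enable = true;
-users.aires = {
-enable = true;
-services = {
-syncthing = {
-enable = true;
-home = "${services-root}/syncthing/aires";
-};
-};
-};
-};
-}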


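--- a/[path not shown on page]
+++ /dev/null
@@ -1,333 +0,0 @@
-## apcupsd.conf v1.1 ##
-#
-# for apcupsd release 3.14.12 (29 March 2014) - debian
-#
-# "apcupsd" POSIX config file
-#
-# ========= General configuration parameters ============
-#
-# UPSNAME xxx
-# Use this to give your UPS a name in log files and such. This
-# is particulary useful if you have multiple UPSes. This does not
-# set the EEPROM. It should be 8 characters or less.
-#UPSNAME
-# UPSCABLE <cable>
-# Defines the type of cable connecting the UPS to your computer.
-#
-# Possible generic choices for <cable> are:
-# simple, smart, ether, usb
-#
-# Or a specific cable model number may be used:
-# 940-0119A, 940-0127A, 940-0128A, 940-0020B,
-# 940-0020C, 940-0023A, 940-0024B, 940-0024C,
-# 940-1524C, 940-0024G, 940-0095A, 940-0095B,
-# 940-0095C, 940-0625A, M-04-02-2000
-#
-UPSCABLE usb
-# To get apcupsd to work, in addition to defining the cable
-# above, you must also define a UPSTYPE, which corresponds to
-# the type of UPS you have (see the Description for more details).
-# You must also specify a DEVICE, sometimes referred to as a port.
-# For USB UPSes, please leave the DEVICE directive blank. For
-# other UPS types, you must specify an appropriate port or address.
-#
-# UPSTYPE DEVICE Description
-# apcsmart /dev/tty** Newer serial character device, appropriate for
-# SmartUPS models using a serial cable (not USB).
-#
-# usb <BLANK> Most new UPSes are USB. A blank DEVICE
-# setting enables autodetection, which is
-# the best choice for most installations.
-#
-# net hostname:port Network link to a master apcupsd through apcupsd's
-# Network Information Server. This is used if the
-# UPS powering your computer is connected to a
-# different computer for monitoring.
-#
-# snmp hostname:port:vendor:community
-# SNMP network link to an SNMP-enabled UPS device.
-# Hostname is the ip address or hostname of the UPS
-# on the network. Vendor can be can be "APC" or
-# "APC_NOTRAP". "APC_NOTRAP" will disable SNMP trap
-# catching; you usually want "APC". Port is usually
-# 161. Community is usually "private".
-#
-# netsnmp hostname:port:vendor:community
-# OBSOLETE
-# Same as SNMP above but requires use of the
-# net-snmp library. Unless you have a specific need
-# for this old driver, you should use 'snmp' instead.
-#
-# dumb /dev/tty** Old serial character device for use with
-# simple-signaling UPSes.
-#
-# pcnet ipaddr:username:passphrase:port
-# PowerChute Network Shutdown protocol which can be
-# used as an alternative to SNMP with the AP9617
-# family of smart slot cards. ipaddr is the IP
-# address of the UPS management card. username and
-# passphrase are the credentials for which the card
-# has been configured. port is the port number on
-# which to listen for messages from the UPS, normally
-# 3052. If this parameter is empty or missing, the
-# default of 3052 will be used.
-#
-# modbus /dev/tty** Serial device for use with newest SmartUPS models
-# supporting the MODBUS protocol.
-#
-UPSTYPE usb
-DEVICE
-# POLLTIME <int>
-# Interval (in seconds) at which apcupsd polls the UPS for status. This
-# setting applies both to directly-attached UPSes (UPSTYPE apcsmart, usb,
-# dumb) and networked UPSes (UPSTYPE net, snmp). Lowering this setting
-# will improve apcupsd's responsiveness to certain events at the cost of
-# higher CPU utilization. The default of 60 is appropriate for most
-# situations.
-#POLLTIME 60
-# LOCKFILE <path to lockfile>
-# Path for device lock file. Not used on Win32.
-LOCKFILE /var/lock
-# SCRIPTDIR <path to script directory>
-# Directory in which apccontrol and event scripts are located.
-SCRIPTDIR /etc/apcupsd
-# PWRFAILDIR <path to powerfail directory>
-# Directory in which to write the powerfail flag file. This file
-# is created when apcupsd initiates a system shutdown and is
-# checked in the OS halt scripts to determine if a killpower
-# (turning off UPS output power) is required.
-PWRFAILDIR /etc/apcupsd
-# NOLOGINDIR <path to nologin directory>
-# Directory in which to write the nologin file. The existence
-# of this flag file tells the OS to disallow new logins.
-NOLOGINDIR /etc
-#
-# ======== Configuration parameters used during power failures ==========
-#
-# The ONBATTERYDELAY is the time in seconds from when a power failure
-# is detected until we react to it with an onbattery event.
-#
-# This means that, apccontrol will be called with the powerout argument
-# immediately when a power failure is detected. However, the
-# onbattery argument is passed to apccontrol only after the
-# ONBATTERYDELAY time. If you don't want to be annoyed by short
-# powerfailures, make sure that apccontrol powerout does nothing
-# i.e. comment out the wall.
-ONBATTERYDELAY 6
-#
-# Note: BATTERYLEVEL, MINUTES, and TIMEOUT work in conjunction, so
-# the first that occurs will cause the initation of a shutdown.
-#
-# If during a power failure, the remaining battery percentage
-# (as reported by the UPS) is below or equal to BATTERYLEVEL,
-# apcupsd will initiate a system shutdown.
-BATTERYLEVEL 5
-# If during a power failure, the remaining runtime in minutes
-# (as calculated internally by the UPS) is below or equal to MINUTES,
-# apcupsd, will initiate a system shutdown.
-MINUTES 5
-# If during a power failure, the UPS has run on batteries for TIMEOUT
-# many seconds or longer, apcupsd will initiate a system shutdown.
-# A value of 0 disables this timer.
-#
-# Note, if you have a Smart UPS, you will most likely want to disable
-# this timer by setting it to zero. That way, you UPS will continue
-# on batteries until either the % charge remaing drops to or below BATTERYLEVEL,
-# or the remaining battery runtime drops to or below MINUTES. Of course,
-# if you are testing, setting this to 60 causes a quick system shutdown
-# if you pull the power plug.
-# If you have an older dumb UPS, you will want to set this to less than
-# the time you know you can run on batteries.
-TIMEOUT 0
-# Time in seconds between annoying users to signoff prior to
-# system shutdown. 0 disables.
-ANNOY 300
-# Initial delay after power failure before warning users to get
-# off the system.
-ANNOYDELAY 60
-# The condition which determines when users are prevented from
-# logging in during a power failure.
-# NOLOGON <string> [ disable | timeout | percent | minutes | always ]
-NOLOGON disable
-# If KILLDELAY is non-zero, apcupsd will continue running after a
-# shutdown has been requested, and after the specified time in
-# seconds attempt to kill the power. This is for use on systems
-# where apcupsd cannot regain control after a shutdown.
-# KILLDELAY <seconds> 0 disables
-KILLDELAY 0
-#
-# ==== Configuration statements for Network Information Server ====
-#
-# NETSERVER [ on | off ] on enables, off disables the network
-# information server. If netstatus is on, a network information
-# server process will be started for serving the STATUS and
-# EVENT data over the network (used by CGI programs).
-NETSERVER on
-# NISIP <dotted notation ip address>
-# IP address on which NIS server will listen for incoming connections.
-# This is useful if your server is multi-homed (has more than one
-# network interface and IP address). Default value is 0.0.0.0 which
-# means any incoming request will be serviced. Alternatively, you can
-# configure this setting to any specific IP address of your server and
-# NIS will listen for connections only on that interface. Use the
-# loopback address (127.0.0.1) to accept connections only from the
-# local machine.
-NISIP 127.0.0.1
-# NISPORT <port> default is 3551 as registered with the IANA
-# port to use for sending STATUS and EVENTS data over the network.
-# It is not used unless NETSERVER is on. If you change this port,
-# you will need to change the corresponding value in the cgi directory
-# and rebuild the cgi programs.
-NISPORT 3551
-# If you want the last few EVENTS to be available over the network
-# by the network information server, you must define an EVENTSFILE.
-EVENTSFILE /var/log/apcupsd.events
-# EVENTSFILEMAX <kilobytes>
-# By default, the size of the EVENTSFILE will be not be allowed to exceed
-# 10 kilobytes. When the file grows beyond this limit, older EVENTS will
-# be removed from the beginning of the file (first in first out). The
-# parameter EVENTSFILEMAX can be set to a different kilobyte value, or set
-# to zero to allow the EVENTSFILE to grow without limit.
-EVENTSFILEMAX 10
-#
-# ========== Configuration statements used if sharing =============
-# a UPS with more than one machine
-#
-# Remaining items are for ShareUPS (APC expansion card) ONLY
-#
-# UPSCLASS [ standalone | shareslave | sharemaster ]
-# Normally standalone unless you share an UPS using an APC ShareUPS
-# card.
-UPSCLASS standalone
-# UPSMODE [ disable | share ]
-# Normally disable unless you share an UPS using an APC ShareUPS card.
-UPSMODE disable
-#
-# ===== Configuration statements to control apcupsd system logging ========
-#
-# Time interval in seconds between writing the STATUS file; 0 disables
-STATTIME 0
-# Location of STATUS file (written to only if STATTIME is non-zero)
-STATFILE /var/log/apcupsd.status
-# LOGSTATS [ on | off ] on enables, off disables
-# Note! This generates a lot of output, so if
-# you turn this on, be sure that the
-# file defined in syslog.conf for LOG_NOTICE is a named pipe.
-# You probably do not want this on.
-LOGSTATS off
-# Time interval in seconds between writing the DATA records to
-# the log file. 0 disables.
-DATATIME 0
-# FACILITY defines the logging facility (class) for logging to syslog.
-# If not specified, it defaults to "daemon". This is useful
-# if you want to separate the data logged by apcupsd from other
-# programs.
-#FACILITY DAEMON
-#
-# ========== Configuration statements used in updating the UPS EPROM =========
-#
-#
-# These statements are used only by apctest when choosing "Set EEPROM with conf
-# file values" from the EEPROM menu. THESE STATEMENTS HAVE NO EFFECT ON APCUPSD.
-#
-# UPS name, max 8 characters
-#UPSNAME UPS_IDEN
-# Battery date - 8 characters
-#BATTDATE mm/dd/yy
-BATTDATE 07/08/19
-# Sensitivity to line voltage quality (H cause faster transfer to batteries)
-# SENSITIVITY H M L (default = H)
-#SENSITIVITY H
-# UPS delay after power return (seconds)
-# WAKEUP 000 060 180 300 (default = 0)
-#WAKEUP 60
-# UPS Grace period after request to power off (seconds)
-# SLEEP 020 180 300 600 (default = 20)
-#SLEEP 180
-# Low line voltage causing transfer to batteries
-# The permitted values depend on your model as defined by last letter
-# of FIRMWARE or APCMODEL. Some representative values are:
-# D 106 103 100 097
-# M 177 172 168 182
-# A 092 090 088 086
-# I 208 204 200 196 (default = 0 => not valid)
-#LOTRANSFER 208
-# High line voltage causing transfer to batteries
-# The permitted values depend on your model as defined by last letter
-# of FIRMWARE or APCMODEL. Some representative values are:
-# D 127 130 133 136
-# M 229 234 239 224
-# A 108 110 112 114
-# I 253 257 261 265 (default = 0 => not valid)
-#HITRANSFER 253
-# Battery charge needed to restore power
-# RETURNCHARGE 00 15 50 90 (default = 15)
-#RETURNCHARGE 15
-# Alarm delay
-# 0 = zero delay after pwr fail, T = power fail + 30 sec, L = low battery, N = never
-# BEEPSTATE 0 T L N (default = 0)
-BEEPSTATE N
-# Low battery warning delay in minutes
-# LOWBATT 02 05 07 10 (default = 02)
-#LOWBATT 2
-# UPS Output voltage when running on batteries
-# The permitted values depend on your model as defined by last letter
-# of FIRMWARE or APCMODEL. Some representative values are:
-# D 115
-# M 208
-# A 100
-# I 230 240 220 225 (default = 0 => not valid)
-#OUTPUTVOLTS 230
-# Self test interval in hours 336=2 weeks, 168=1 week, ON=at power on
-# SELFTEST 336 168 ON OFF (default = 336)
-#SELFTEST 336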


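--- a/[path not shown on page]
+++ /dev/null
@@ -1,102 +0,0 @@
-{
-config,
-lib,
-modulesPath,
-...
-}:
-let
-bootUUID = "FC20-D155"; # The UUID of the boot partition.
-luksUUID = "9fdc521b-a037-4070-af47-f54da03675e4"; # The UUID of the locked LUKS partition.
-in
-{
-imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-boot = {
-# Enable antenna aggregation
-extraModprobeConfig = ''
-options iwlwifi 11n_disable=8
-'';
-initrd.availableKernelModules = [
-"xhci_pci"
-"nvme"
-"usb_storage"
-"sd_mod"
-"sdhci_pci"
-];
-kernelModules = [ "kvm-intel" ];
-extraModulePackages = [ ];
-# Enable support for building ARM64 packages
-binfmt.emulatedSystems = [ "aarch64-linux" ];
-};
-# Configure the main filesystem.
-aux.system.filesystem = {
-enable = true;
-partitions = {
-boot = "/dev/disk/by-uuid/${bootUUID}";
-luks = "/dev/disk/by-uuid/${luksUUID}";
-};
-swapFile = {
-enable = true;
-size = 16384;
-};
-};
-# Automatically scrub the RAID array monthly
-systemd.services."raid-scrub" = {
-description = "Periodically scrub RAID volumes for errors.";
-serviceConfig = {
-Type = "oneshot";
-User = "root";
-};
-script = "echo check > /sys/block/md127/md/sync_action";
-};
-systemd.timers."raid-scrub" = {
-description = "Periodically scrub RAID volumes for errors.";
-wantedBy = [ "timers.target" ];
-timerConfig = {
-OnCalendar = "monthly";
-Persistent = true;
-Unit = "raid-scrub.service";
-};
-};
-# Disable suspend
-systemd.targets = {
-sleep.enable = false;
-suspend.enable = false;
-hibernate.enable = false;
-hybrid-sleep.enable = false;
-};
-services = {
-xserver.displayManager.gdm.autoSuspend = lib.mkIf config.aux.system.ui.desktops.gnome.enable false;
-logind = {
-lidSwitch = "lock";
-lidSwitchDocked = "lock";
-};
-};
-services.upower.ignoreLid = true;
-# Enable CPU microde updates
-hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-# Detect keyboard as "internal" so we can automatically disable the touchpad while typing
-# If this doesn't work, try changing "MatchName" to "AT Raw Set 2 keyboard"
-environment.etc."libinput/keyboard-touchpard.quirks" = {
-mode = "0600";
-text = ''
-[Microsoft Surface Type Cover Touchpad]
-MatchUdevType=touchpad
-MatchName=*Microsoft Surface Type Cover Touchpad
-AttrKeyboardIntegration=internal
-[Microsoft Surface Type Cover Keyboard]
-MatchUdevType=keyboard
-MatchName=*Microsoft Surface Type Cover Keyboard
-AttrKeyboardIntegration=internal
-'';
-};
-}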


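--- a/[path not shown on page]
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Script to unlock the /storage partition and start up services that depend on it.
-# check if the current user is root
-if [ "$(id -u)" != "0" ]; then
-echo "This script must be run as root" 1>&2
-exit 1
-fi
-# Unlock and mount storage directory if we haven't already
-if [ -e "/dev/mapper/storage" ]; then
-echo "Storage partition already mounted."
-else
-echo "Unlocking storage partition..."
-cryptsetup luksOpen /dev/md/Sapana storage
-mount /dev/mapper/storage /storage
-echo "Storage partition mounted."
-fi
-echo "Starting services..."
-systemctl restart deluged.service delugeweb.service duplicacy-web.service forgejo.service jellyfin.service
-systemctl --machine aires@.host --user start syncthing.service
-systemctl restart nginx.service
-echo "Services started. $(hostname) is ready to go!"
-exit 0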


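--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -70,9 +70,6 @@ in
 };
 };
-# Disable NetworkManager
-networking.networkmanager.enable = lib.mkForce false;
 # Configure the system.
 aux.system = {
 # Enable to allow unfree (e.g. closed source) packages.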


@ -72,7 +72,7 @@ in
user = config.users.users.aires.name; user = config.users.users.aires.name;
}; };
netdata = { netdata = {
# Disabled until I get Nginx configured to provide a streaming endpoint # FIXME: Disabled until I get Nginx configured to provide a streaming endpoint
enable = false; enable = false;
type = "child"; type = "child";
url = config.secrets.services.netdata.url; url = config.secrets.services.netdata.url;


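--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -40,18 +40,6 @@ in
 };
 };
-# Detect keyboard as "internal" so we can automatically disable the touchpad while typing
-# If this doesn't work, try changing "MatchName" to "AT Raw Set 2 keyboard"
-environment.etc."libinput/keyboard-touchpard.quirks" = {
-mode = "0600";
-text = ''
-[Serial Keyboards]
-MatchUdevType=keyboard
-MatchName=ITE Tech. Inc. ITE Device(8258) Keyboard
-AttrKeyboardIntegration=internal
-'';
-};
 # Limit the number of cores Nix can use
 nix.settings.cores = 12;
 }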


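--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -6,20 +6,6 @@
 }:
 let
 cfg = config.aux.system.services.forgejo;
-cli-cfg = config.services.forgejo;
-forgejo-cli = pkgs.writeScriptBin "forgejo-cli" ''
-#!${pkgs.runtimeShell}
-cd ${cli-cfg.stateDir}
-sudo=exec
-if [[ "$USER" != forgejo ]]; then
-sudo='exec /run/wrappers/bin/sudo -u ${cli-cfg.user} -g ${cli-cfg.group} --preserve-env=GITEA_WORK_DIR --preserve-env=GITEA_CUSTOM'
-fi
-# Note that these variable names will change
-export GITEA_WORK_DIR=${cli-cfg.stateDir}
-export GITEA_CUSTOM=${cli-cfg.customDir}
-$sudo ${lib.getExe cli-cfg.package} "$@"
-'';
 in
 {
 options = {
@@ -37,22 +23,10 @@ in
 description = "The complete URL where Forgejo is hosted.";
 example = "https://forgejo.example.com";
 };
-actions = {
-enable = lib.mkEnableOption "Enables a local Forgejo Actions runner.";
-token = lib.mkOption {
-default = "";
-type = lib.types.str;
-description = "Token used to authenticate the runner with Forgejo.";
-};
-};
 };
 };
 config = lib.mkIf cfg.enable {
-environment.systemPackages = [
-forgejo-cli
-pkgs.podman-tui
-];
 services = {
 forgejo = {
 enable = true;
@@ -76,48 +50,6 @@ in
 extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
 };
 };
-# Enable runner for CI actions
-gitea-actions-runner = lib.mkIf cfg.actions.enable {
-package = pkgs.forgejo-actions-runner;
-instances.default = {
-enable = true;
-name = config.networking.hostName;
-url = "https://${cfg.url}";
-token = cfg.actions.token;
-labels = [
-"nix:docker://nixos/nix" # Shoutout to Icewind 1991 for this syntax: https://icewind.nl/entry/gitea-actions-nix/
-"debian:docker://node:20-bullseye"
-"ubuntu-latest:docker://ubuntu:latest"
-];
-settings = {
-# For an example of configuring in Nix: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
-# For an example of the different options available: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
-container.options = "-v /nix:/nix";
-container.validVolumes = [ "/nix" ];
-};
-};
-};
-};
-# Enable Podman for running...uh, runners.
-virtualisation = lib.mkIf cfg.actions.enable {
-containers.enable = true;
-podman = {
-enable = true;
-# Create a `docker` alias for podman, to use it as a drop-in replacement
-dockerCompat = true;
-# Required for containers under podman-compose to be able to talk to each other.
-defaultNetwork.settings.dns_enabled = true;
-};
-};
-# Allow containers to make DNS queries (https://www.reddit.com/r/NixOS/comments/199f16j/why_dont_my_podman_containers_have_internet_access/)
-networking.firewall.interfaces.podman4 = lib.mkIf cfg.actions.enable {
-allowedTCPPorts = [ 53 ];
-allowedUDPPorts = [ 53 ];
 };
 systemd.services = {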


@ -47,8 +47,10 @@ in
qemu = { qemu = {
package = pkgs.qemu_kvm; package = pkgs.qemu_kvm;
swtpm.enable = true; swtpm.enable = true;
ovmf.enable = true; ovmf = {
ovmf.packages = [ pkgs.OVMFFull.fd ]; enable = true;
packages = [ pkgs.OVMFFull.fd ];
};
}; };
}; };
spiceUSBRedirection.enable = true; spiceUSBRedirection.enable = true;


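--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -69,11 +69,6 @@ in
 # Configure NixOS to use the same software channel as Flakes
 registry.nixpkgs.flake = inputs.nixpkgs;
 nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-# When using a builder, use its package store
-extraOptions = ''
-builders-use-substitutes = true
-'';
 };
 # Support for standard, dynamically-linked executables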