From 2c8f822b831c14fc50de74d56a80d57d3a829114 Mon Sep 17 00:00:00 2001 
From: blahai Date: Sun, 26 Jan 2025 20:11:01 +0200 Subject: [PATCH] a lot of shit also baibai home manager, hello hjem --- flake.lock | 129 +++---- flake.nix | 20 +- home/base/default.nix | 5 + .../base}/programs/default.nix | 3 +- .../base}/programs/defaults.nix | 6 +- home/base/programs/shells.nix | 16 + home/base/programs/top-level.nix | 32 ++ home/default.nix | 31 +- home/pingu/default.nix | 4 +- home/pingu/packages/cli/shell/fish.nix | 4 +- modules/base/default.nix | 1 + modules/base/nix/nix.nix | 12 +- modules/base/options/default.nix | 2 +- modules/base/options/meta.nix | 50 +++ modules/base/options/programs/shells.nix | 26 -- modules/base/programs.nix | 16 +- modules/base/secrets.nix | 20 ++ modules/base/users/mkuser.nix | 10 +- modules/flake/default.nix | 1 + modules/flake/lib/default.nix | 55 +++ modules/flake/lib/helpers.nix | 320 ++++++++++++++++++ modules/flake/lib/programs.nix | 15 + modules/flake/lib/secrets.nix | 99 ++++++ modules/flake/lib/services.nix | 65 ++++ modules/flake/lib/template/default.nix | 35 ++ modules/flake/lib/template/xdg.nix | 100 ++++++ modules/flake/lib/validators.nix | 128 +++++++ modules/nixos/remote-modules.nix | 7 +- modules/nixos/services/default.nix | 2 +- modules/nixos/services/hosted/caddy.nix | 1 - modules/nixos/services/hosted/forgejo.nix | 138 +++++++- secrets/default.nix | 7 + systems/default.nix | 3 +- systems/theia/default.nix | 1 + systems/theia/networking.nix | 69 +++- systems/theia/services.nix | 7 +- systems/theia/users.nix | 5 + 37 files changed, 1277 insertions(+), 168 deletions(-) create mode 100644 home/base/default.nix rename {modules/base/options => home/base}/programs/default.nix (74%) rename {modules/base/options => home/base}/programs/defaults.nix (93%) create mode 100644 home/base/programs/shells.nix create mode 100644 home/base/programs/top-level.nix create mode 100644 modules/base/options/meta.nix delete mode 100644 modules/base/options/programs/shells.nix create mode 100644 modules/base/secrets.nix 
create mode 100644 modules/flake/lib/default.nix create mode 100644 modules/flake/lib/helpers.nix create mode 100644 modules/flake/lib/programs.nix create mode 100644 modules/flake/lib/secrets.nix create mode 100644 modules/flake/lib/services.nix create mode 100644 modules/flake/lib/template/default.nix create mode 100644 modules/flake/lib/template/xdg.nix create mode 100644 modules/flake/lib/validators.nix create mode 100644 secrets/default.nix create mode 100644 systems/theia/users.nix diff --git a/flake.lock b/flake.lock index 78c42ba..6065ac8 100644 --- a/flake.lock +++ b/flake.lock @@ -653,11 +653,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1737764118, - "narHash": "sha256-+elvcDCY9iRqahLLV8Z7LQsk8gAHCXPAudfQtFclgvI=", + "lastModified": 1737850542, + "narHash": "sha256-TurdJgZWHT8F54qK1r6Dtolp8OAKlwodvcEeY649tv4=", "owner": "blahai", "repo": "haivim", - "rev": "3cd7a2f023b24b74ce89e415aed143d795e884ca", + "rev": "413477b21b460ab20b027008acebc5da9c9e5e04", "type": "github" }, "original": { @@ -683,6 +683,49 @@ "type": "github" } }, + "hjem": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737619027, + "narHash": "sha256-jEzZs9dHdmVP5X9HCC/7jrv08aWFfqZV5cZ+cZWYGA4=", + "owner": "feel-co", + "repo": "hjem", + "rev": "48cfa21987672a31a358b7e4d582fc174556e633", + "type": "github" + }, + "original": { + "owner": "feel-co", + "repo": "hjem", + "type": "github" + } + }, + "hjem-rum": { + "inputs": { + "hjem": [ + "hjem" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737833942, + "narHash": "sha256-7e9FxJkQwtiy9YhNOwLNhb4p2xFsaPAGiHMfTw+jGWk=", + "owner": "the-unnamed-nug", + "repo": "hjem-rum", + "rev": "81e8ff969415cbb3ad66c365eed40d9f1c2e2489", + "type": "github" + }, + "original": { + "owner": "the-unnamed-nug", + "repo": "hjem-rum", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -733,26 +776,6 @@ "nixpkgs" ] }, - "locked": { - "lastModified": 1737704314, - "narHash": "sha256-zta8jvOQ2wRCZmiwFEnS5iCulWAh8e+fLUlQxrgOBjM=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a0428685572b134f6594e7d7f5db5e1febbab2d7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_4": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, "locked": { "lastModified": 1737762889, "narHash": "sha256-5HGG09bh/Yx0JA8wtBMAzt0HMCL1bYZ93x4IqzVExio=", @@ -861,11 +884,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1737842278, - "narHash": "sha256-5N0ExKra/jw3HI/0EEIzmeJKHN9RIBV7ceR/sxQR11s=", + "lastModified": 1737907229, + "narHash": "sha256-0onbAHBZQhdnIEl1lOxjp4VKNy69GR1K5K6hvxww4rs=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "8b1d6e3009c540457068e23e6c2bc201d20ce4d1", + "rev": "bb5b09def0645838456eb7eb1f52b471441acba1", "type": "github" }, "original": { @@ -1371,11 +1394,11 @@ }, "nixpkgs-smol": { "locked": { - "lastModified": 1737795611, - "narHash": "sha256-0kGPO515JdDt6gPcR25QTGyNJnT1UFtH1tdkR2QdLAY=", + "lastModified": 1737873842, + "narHash": "sha256-3SAvSPxkeOgECitk8fImL0gz+xa2m1I4mmwam6mymOM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ed45d51fb4c860e70760a042dd9ff99bd016497e", + "rev": "42143ec28c329664fd1337579067c156230beaf7", "type": "github" }, "original": { @@ -1403,11 +1426,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1737622296, - "narHash": "sha256-GWHH9ljsR0LR29IEruJnKVVk6veeQpo7kfolyDyCVGQ=", + "lastModified": 1737717945, + "narHash": "sha256-ET91TMkab3PmOZnqiJQYOtSGvSTvGeHoegAv4zcTefM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "055c50feaa548eadca66407630961b77f3ebb750", + "rev": "ecd26a469ac56357fd333946a99086e992452b6a", "type": "github" }, "original": { 
@@ -1494,11 +1517,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1737747541, - "narHash": "sha256-dA54OnUCUtVZfnSuD1dAEcosZzx/tch9KvtDz/Y3FIo=", + "lastModified": 1737832569, + "narHash": "sha256-VkK73VRVgvSQOPw9qx9HzvbulvUM9Ae4nNd3xNP+pkI=", "owner": "nix-community", "repo": "nixvim", - "rev": "5fda6e093da13f37c63a5577888a668c38f30dc7", + "rev": "d7df58321110d3b0e12a829bbd110db31ccd34b1", "type": "github" }, "original": { @@ -1514,11 +1537,11 @@ "treefmt-nix": "treefmt-nix_3" }, "locked": { - "lastModified": 1737841565, - "narHash": "sha256-W2dAa+2c7UOKLDop9240ShxosBiWRRaYgGfswN/jz9o=", + "lastModified": 1737910157, + "narHash": "sha256-dCwM306WYNSEn70cy3AXSgWQzWWe4HpYV9JvkDTB6vg=", "owner": "nix-community", "repo": "NUR", - "rev": "83b5a10fa785f0924fae431ffdea2b12de23e789", + "rev": "72076a2a2ab1764183d9ff9dd0e137882e424359", "type": "github" }, "original": { @@ -1603,14 +1626,14 @@ "flake-utils": "flake-utils", "git-hooks": "git-hooks", "haivim": "haivim", - "home-manager": "home-manager_4", + "hjem": "hjem", + "hjem-rum": "hjem-rum", "hydra": "hydra", "hyprland": "hyprland", "lix-module": "lix-module", "nixpkgs": "nixpkgs_5", "nixpkgs-smol": "nixpkgs-smol", "nur": "nur", - "sops-nix": "sops-nix", "spicetify-nix": "spicetify-nix", "systems": "systems_8", "treefmt-nix": "treefmt-nix_4", @@ -1655,26 +1678,6 @@ "type": "github" } }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1737411508, - "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, "spicetify-nix": { "inputs": { "flake-compat": "flake-compat_4", 
@@ -1683,11 +1686,11 @@ ] }, "locked": { - "lastModified": 1737778506, - "narHash": "sha256-kdqwOnk0jFb3E01HFqUFAW+NQuBp39uwrpWSXmFAKGs=", + "lastModified": 1737864911, + "narHash": "sha256-yQGyYTEDJreafvnHQvTvCHxmmqy77mrUyzJV1zr3XN0=", "owner": "Gerg-L", "repo": "spicetify-nix", - "rev": "aeaa9b2fad9d658e8982a140327e345feffe8850", + "rev": "b65b84d6b8e9cd59af6524f05a1972fbe6fecce5", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b1623e7..87fe99e 100644 --- a/flake.nix +++ b/flake.nix @@ -46,11 +46,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - systems = { url = "github:nix-systems/default"; }; @@ -73,6 +68,16 @@ url = "github:tgirlcloud/easy-hosts"; }; + hjem = { + url = "github:feel-co/hjem"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + hjem-rum = { + url = "github:the-unnamed-nug/hjem-rum"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.hjem.follows = "hjem"; + }; + deploy-rs = { url = "github:serokell/deploy-rs"; inputs = { @@ -89,10 +94,5 @@ flake-compat.follows = ""; }; }; - - home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - }; }; } diff --git a/home/base/default.nix b/home/base/default.nix new file mode 100644 index 0000000..5d85a74 --- /dev/null +++ b/home/base/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./programs + ]; +} diff --git a/modules/base/options/programs/default.nix b/home/base/programs/default.nix similarity index 74% rename from modules/base/options/programs/default.nix rename to home/base/programs/default.nix index c103831..b55304e 100644 --- a/modules/base/options/programs/default.nix +++ b/home/base/programs/default.nix @@ -1,6 +1,7 @@ { imports = [ - ./shells.nix ./defaults.nix + ./shells.nix + ./top-level.nix ]; } 
diff --git a/modules/base/options/programs/defaults.nix b/home/base/programs/defaults.nix similarity index 93% rename from modules/base/options/programs/defaults.nix rename to home/base/programs/defaults.nix index d3a76ff..876c4bb 100644 --- a/modules/base/options/programs/defaults.nix +++ b/home/base/programs/defaults.nix @@ -6,7 +6,6 @@ in { shell = mkOption { type = enum [ "bash" - "zsh" "fish" ]; default = "bash"; @@ -28,8 +27,9 @@ in { "thunar" "dolphin" "nemo" + "nautilus" ]; - default = "cosmic-files"; + default = "nautilus"; }; browser = mkOption { @@ -75,7 +75,7 @@ in { ]); default = "hyprlock"; description = '' - The lockscreen module to be loaded by home-manager. + The lockscreen module to be loaded by hjem. ''; }; diff --git a/home/base/programs/shells.nix b/home/base/programs/shells.nix new file mode 100644 index 0000000..2c3816e --- /dev/null +++ b/home/base/programs/shells.nix @@ -0,0 +1,16 @@ +{ + lib, + pkgs, + ... +}: let + inherit (lib.programs) mkProgram; +in { + options.olympus.programs = { + bash = mkProgram pkgs "bash" { + enable.default = true; + package.default = pkgs.bashInteractive; + }; + + fish = mkProgram pkgs "fish" {}; + }; +} diff --git a/home/base/programs/top-level.nix b/home/base/programs/top-level.nix new file mode 100644 index 0000000..856f043 --- /dev/null +++ b/home/base/programs/top-level.nix 
@@ -0,0 +1,32 @@ +{ + lib, + config, + ... +}: let + inherit (lib.options) mkEnableOption; + + cfg = config.olympus.programs; +in { + # these are options that will cause a mass rebuild by enabling multiple packages + options.olympus.programs = { + cli = { + enable = + mkEnableOption "Enable CLI programs" + // { + default = true; + }; + modernShell.enable = mkEnableOption "Enable programs for a more modern shell"; + }; + + tui.enable = + mkEnableOption "Enable TUI programs" + // { + default = cfg.cli.enable; + }; + + gui.enable = mkEnableOption "Enable GUI programs"; + + pentesting.enable = mkEnableOption "Enable packages designed for pentesting"; + notes.enable = mkEnableOption "Enable note-taking programs"; + }; +} diff --git a/home/default.nix b/home/default.nix index d41ae6d..52f2a38 100644 --- a/home/default.nix +++ b/home/default.nix @@ -9,37 +9,10 @@ }: let inherit (lib.modules) mkDefault; inherit (lib.attrsets) genAttrs; - inherit (config.olympus.programs) defaults; in { - home-manager = { - verbose = true; - useUserPackages = true; - useGlobalPkgs = true; - backupFileExtension = "bak"; - - extraSpecialArgs = { - inherit - inputs - self - inputs' - self' - defaults - ; - }; - + hjem = { users = genAttrs config.olympus.system.users (name: ./${name}); - # we should define grauntied common modules here - sharedModules = [ - { - home.stateVersion = config.system.stateVersion; - - # reload system units when changing configs - systemd.user.startServices = mkDefault "sd-switch"; # or "legacy" if "sd-switch" breaks again - - # let HM manage itself when in standalone mode - programs.home-manager.enable = true; - } - ]; + clobberByDefault = true; }; } diff --git a/home/pingu/default.nix b/home/pingu/default.nix index 02380b8..577c1f0 100644 --- a/home/pingu/default.nix +++ b/home/pingu/default.nix @@ -1,6 +1,6 @@ { imports = [ - ./packages - ./system + #./packages + #./system ]; } 
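Review bot: `clobberByDefault = true;` makes every file hjem manages overwrite whatever already sits at that path in the user's home, and the same hunk drops the `backupFileExtension = "bak"` safety net the home-manager block had, so a locally edited dotfile (or a key someone dropped into a managed path) is lost on the first activation with no copy kept, as I read hjem's option. If blanket clobbering is intended, say so next to the option, e.g. `# intentionally overwrite pre-existing dotfiles; hjem keeps no backup copy`, otherwise leave the default off and set `clobber = true` only on the individual files that need it. `mkDefault` is still inherited two lines above the hunk but nothing in the new body uses it. The module's argument set starts before the hunk.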
diff --git a/home/pingu/packages/cli/shell/fish.nix b/home/pingu/packages/cli/shell/fish.nix index 7cb0120..031ec92 100644 --- a/home/pingu/packages/cli/shell/fish.nix +++ b/home/pingu/packages/cli/shell/fish.nix @@ -1,5 +1,5 @@ { - osConfig, + config, lib, pkgs, ... @@ -9,7 +9,7 @@ in { home.packages = with pkgs; [ neofetch ]; - programs = mkIf osConfig.olympus.programs.fish.enable { + programs = mkIf config.olympus.programs.fish.enable { fish = { enable = true; diff --git a/modules/base/default.nix b/modules/base/default.nix index 1813e3d..a2296fb 100644 --- a/modules/base/default.nix +++ b/modules/base/default.nix @@ -4,5 +4,6 @@ ./options ./users ./programs.nix + ./secrets.nix ]; } diff --git a/modules/base/nix/nix.nix b/modules/base/nix/nix.nix index 8d68efe..52acd0c 100644 --- a/modules/base/nix/nix.nix +++ b/modules/base/nix/nix.nix @@ -21,6 +21,8 @@ in { options = "--delete-older-than 3d"; }; + channel.enable = false; + # https://docs.lix.systems/manual/lix/nightly/command-ref/conf-file.html settings = { # Free up to 20GiB whenever there is less than 5GB left. @@ -41,10 +43,7 @@ in { # we don't want to track the registry, but we do want to allow the usage # of the `flake:` references, so we need to enable use-registries use-registries = true; - flake-registry = pkgs.writers.writeJSON "flakes-empty.json" { - flakes = []; - version = 2; - }; + flake-registry = ""; # let the system decide the number of max jobs max-jobs = "auto"; @@ -70,7 +69,7 @@ in { log-lines = 30; # https://docs.lix.systems/manual/lix/nightly/contributing/experimental-features.html - extra-experimental-features = [ + experimental-features = [ # enables flakes, needed for this config "flakes" @@ -103,6 +102,9 @@ in { # dependencies in derivations on the outputs of derivations that are themselves derivations outputs. "dynamic-derivations" + + # allow parsing TOML timestamps via builtins.fromTOML + "parse-toml-timestamps" ]; # don't warn me if the current working tree is dirty 
diff --git a/modules/base/options/default.nix b/modules/base/options/default.nix index 9680e46..62218c5 100644 --- a/modules/base/options/default.nix +++ b/modules/base/options/default.nix @@ -1,6 +1,6 @@ { imports = [ ./device.nix - ./programs + ./meta.nix ]; } diff --git a/modules/base/options/meta.nix b/modules/base/options/meta.nix new file mode 100644 index 0000000..f9e9112 --- /dev/null +++ b/modules/base/options/meta.nix @@ -0,0 +1,50 @@ +{ + lib, + config, + ... +}: let + inherit (lib.trivial) id; + inherit (lib.options) mkOption; + inherit (lib.validators) anyHome; + inherit (lib.strings) concatStringsSep; + + mkMetaOption = path: + mkOption { + default = anyHome config id path; + example = true; + description = "Does ${concatStringsSep "." path} meet the requirements"; + type = lib.types.bool; + }; +in { + options.olympus.meta = { + fish = mkMetaOption [ + "olympus" + "programs" + "fish" + "enable" + ]; + thunar = mkMetaOption [ + "olympus" + "programs" + "thunar" + "enable" + ]; + gui = mkMetaOption [ + "olympus" + "programs" + "gui" + "enable" + ]; + + isWayland = mkMetaOption [ + "olympus" + "meta" + "isWayland" + ]; + isWM = mkMetaOption [ + "olympus" + "meta" + "isWM" + ]; + }; +} diff --git a/modules/base/options/programs/shells.nix b/modules/base/options/programs/shells.nix deleted file mode 100644 index a6d6745..0000000 --- a/modules/base/options/programs/shells.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - lib, - pkgs, - ... -}: let - inherit (lib.options) mkEnableOption mkPackageOption; - inherit (lib.attrsets) recursiveUpdate; - - mkProgram = pkgs: name: extraConfig: - recursiveUpdate { - enable = mkEnableOption "Enable ${name}"; - package = mkPackageOption pkgs name {}; - } - extraConfig; -in { - options.olympus.programs = { - bash = mkProgram pkgs "bash" { - enable.default = true; - package.default = pkgs.bashInteractive; - }; - - zsh = mkProgram pkgs "zsh" {}; - - fish = mkProgram pkgs "fish" {}; - }; -} 
diff --git a/modules/base/programs.nix b/modules/base/programs.nix
index eb97ce4..217275c 100644
--- a/modules/base/programs.nix
+++ b/modules/base/programs.nix
@@ -1,18 +1,6 @@
-{
- lib,
- pkgs,
- config,
- ...
-}: let
- inherit (lib.meta) getExe;
-
- bashPrompt = ''
- eval "$(${getExe pkgs.starship} init bash)"
- '';
-in {
+{config, ...}: {
 # home-manager is so strange and needs these declared multiple times
 programs = {
- fish.enable = config.olympus.programs.fish.enable;
- zsh.enable = config.olympus.programs.zsh.enable;
+ #fish.enable = config.olympus.meta.fish;
 };
 }
diff --git a/modules/base/secrets.nix b/modules/base/secrets.nix
new file mode 100644
index 0000000..53354e1
--- /dev/null
+++ b/modules/base/secrets.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ inputs,
+ ...
+}: let
+ inherit (config.olympus.system) mainUser;
+ #homeDir = config.home-manager.users.${mainUser}.home.homeDirectory;
+ homeDir = config.hjem.users.${mainUser}.directory;
+ sshDir = homeDir + "/.ssh";
+in {
+ imports = [inputs.agenix.nixosModules.default];
+ age = {
+ # check the main users ssh key and the system key to see if it is safe
+ # to decrypt the secrets
+ identityPaths = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ "${sshDir}/id_ed25519"
+ ];
+ };
+}
diff --git a/modules/base/users/mkuser.nix b/modules/base/users/mkuser.nix
index dbc17c3..72cd407 100644
--- a/modules/base/users/mkuser.nix
+++ b/modules/base/users/mkuser.nix
@@ -5,13 +5,12 @@
 }: let
 inherit (lib.modules) mkDefault;
 inherit (lib.attrsets) genAttrs;
- inherit (builtins) filter hasAttr;
- ifTheyExist = config: groups: filter (group: hasAttr group config.users.groups) groups;
+ inherit (lib.validators) ifTheyExist;
 in {
 users.users = genAttrs config.olympus.system.users (
 name: {
 home = "/home/" + name;
- shell = config.olympus.programs.${config.olympus.programs.defaults.shell}.package;
+ # shell = config.olympus.programs.${config.olympus.programs.defaults.shell}.package;
 uid = mkDefault 1000;
 isNormalUser = true;
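Review bot: The comment above `identityPaths` says the keys are checked "to see if it is safe to decrypt", but agenix uses these paths purely as decryption identities: whichever listed key can open a given `.age` file is used, and nothing is verified against the other one. Two practical caveats for the second entry: agenix decrypts as root during activation, so `${sshDir}/id_ed25519` only helps if it is stored unencrypted (a passphrase-protected key cannot be used non-interactively), and because it is derived from `config.hjem.users.${mainUser}.directory`, this base module now fails to evaluate on any host where hjem is not configured for `mainUser`. It also means a compromise of the user's key exposes every system secret encrypted to it, which is worth stating. Suggest replacing the two comment lines with `# identities agenix tries, in order, at activation: the host key, then the main user's (unencrypted) ed25519 key; each secret must be encrypted to at least one of them`.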
@@ -28,14 +27,17 @@ in { "networkmanager" "systemd-journal" "audio" - "pipewire" + "pipewire" # this give us access to the rt limits "video" "input" "plugdev" + "lp" "tss" "power" + "wireshark" "mysql" "docker" + "podman" "git" "libvirtd" "cloudflared" diff --git a/modules/flake/default.nix b/modules/flake/default.nix index 5295a4d..df19df2 100644 --- a/modules/flake/default.nix +++ b/modules/flake/default.nix @@ -2,6 +2,7 @@ imports = [ ../../systems ./programs + ./lib ./args.nix ./overlays.nix diff --git a/modules/flake/lib/default.nix b/modules/flake/lib/default.nix new file mode 100644 index 0000000..709c7e9 --- /dev/null +++ b/modules/flake/lib/default.nix 
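Review bot: Adding `wireshark`, `podman` and `lp` to the group list that every `olympus.system.users` entry receives widens privileges for all of those users at once: `wireshark` membership is what NixOS's `programs.wireshark` module uses to hand dumpcap its capture capabilities, `podman` typically grants access to the podman socket, and together with the existing `docker` and `libvirtd` entries any listed user on a host where those groups exist ends up root-equivalent (assuming the relocated `ifTheyExist` still only filters on group existence; its new definition in `lib.validators` is not in this diff). Consider keeping hardware/desktop groups in the shared list and moving the privilege-granting ones (`docker`, `libvirtd`, `podman`, `wireshark`) behind an opt-in, e.g. `extraGroups = ifTheyExist config (baseGroups ++ lib.optionals cfg.privileged privilegedGroups);`, with a comment naming which groups are root-equivalent. The `genAttrs` body this list belongs to starts before the hunk.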
@@ -0,0 +1,55 @@
+# following https://github.com/NixOS/nixpkgs/blob/77ee426a4da240c1df7e11f48ac6243e0890f03e/lib/default.nix
+# as a rough template we can create our own extensible lib and expose it to the flake
+# we can then use that elsewhere like our hosts
+{inputs, ...}: let
+ lib0 = inputs.nixpkgs.lib;
+
+ olympusLib = lib0.makeExtensible (
+ self: let
+ lib = self;
+ in {
+ template = import ./template; # templates, selections of code that are repeated
+ helpers = import ./helpers.nix {inherit lib;};
+ programs = import ./programs.nix {inherit lib;};
+ secrets = import ./secrets.nix {inherit inputs;};
+ services = import ./services.nix {inherit lib;};
+ validators = import ./validators.nix {inherit lib;};
+
+ # we have to rexport the functions we want to use, but don't want to refer to the whole lib
+ # "path". e.g. lib.hardware.isx86Linux can be shortened to lib.isx86Linux
+ # NOTE: never rexport templates
+ inherit (self.builders) mkSystems;
+ inherit
+ (self.helpers)
+ mkPubs
+ giturl
+ filterNixFiles
+ importNixFiles
+ importNixFilesAndDirs
+ boolToNum
+ containsStrings
+ indexOf
+ intListToStringList
+ ;
+ inherit (self.programs) mkProgram;
+ inherit (self.secrets) mkSecret mkSecretWithPath;
+ inherit (self.services) mkGraphicalService mkHyprlandService mkServiceOption;
+ inherit
+ (self.validators)
+ ifTheyExist
+ isAcceptedDevice
+ isWayland
+ ifOneEnabled
+ isModernShell
+ anyHome
+ ;
+ }
+ );
+
+ # we need to extend olympusLib with the nixpkgs lib to get the full set of functions
+ # if we do it the otherway around we will get errors saying mkMerge and so on don't exist
+ finalLib = olympusLib.extend (_: _: lib0);
+in {
+ flake.lib = finalLib;
+ perSystem._module.args.lib = finalLib;
+}
diff --git a/modules/flake/lib/helpers.nix b/modules/flake/lib/helpers.nix
new file mode 100644
index 0000000..710a4f1
--- /dev/null
+++ b/modules/flake/lib/helpers.nix
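Review bot: `inherit (self.builders) mkSystems;` refers to an attribute the extensible set never defines: the set built here contains only `template`, `helpers`, `programs`, `secrets`, `services` and `validators`, and `finalLib` is then extended with nixpkgs' lib, which has no `builders` either. Because the inherit is lazy this passes evaluation until something touches `lib.mkSystems`, at which point it fails with "attribute 'builders' missing". Either add `builders = import ./builders.nix {inherit lib inputs;};` next to the other imports or drop the line until that module exists. Separately, `olympusLib.extend (_: _: lib0)` lets any nixpkgs attribute silently shadow a same-named olympus one; the comment explains the ordering but a one-line `# NOTE: on a name clash nixpkgs' lib wins` next to it would save the next reader a surprise.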
@@ -0,0 +1,320 @@ +{ lib }: +let + inherit (lib.lists) forEach filter; + inherit (lib.attrsets) filterAttrs mapAttrsToList; + inherit (lib.filesystem) listFilesRecursive; + inherit (lib.strings) hasSuffix; + + /** + filter files for the .nix suffix + + # Arguments + + - [k] they key, which is the file name + - [v] the value, which is the type of the file + + # Type + + ``` + filterNixFiles :: String -> String -> Bool + ``` + + # Example + + ```nix + filterNixFiles "default.nix" "regular" + => true + ``` + */ + filterNixFiles = k: v: v == "regular" && hasSuffix ".nix" k; + + /** + Import all file that filterNixFiles allows for + + # Arguments + + - [path] the path to the directory + + # Type + + ``` + importNixFiles :: String -> List + ``` + + # Example + + ```nix + importNixFiles ./. + => [ {...} ] + ``` + */ + importNixFiles = + path: + (forEach ( + mapAttrsToList (name: _: path + ("/" + name)) (filterAttrs filterNixFiles (builtins.readDir path)) + )) + import; + + /** + import all nix files and directories + + # Arguments + + - [dir] the directory to search for nix files + + # Type + + ``` + importNixFilesAndDirs :: String -> List + ``` + + # Example + + ```nix + importNixFilesAndDirs ./. 
+ => [ "flake.nix" ] + ``` + */ + importNixFilesAndDirs = dir: filter (f: f != "default.nix") (listFilesRecursive dir); + + /** + return an int based on boolean value + + # Arguments + + - [bool] the boolean value + + # Type + + ``` + boolToNum :: Bool -> Int + ``` + + # Example + + ```nix + boolToNum true + => 1 + ``` + */ + boolToNum = bool: if bool then 1 else 0; + + /** + convert a list of integers to a list of string + + # Arguments + + - [list] the list of integers + + # Type + + ``` + intListToStringList :: List -> List + ``` + + # Example + + ```nix + intListToStringList [1 2 3] + => ["1" "2" "3"] + ``` + */ + intListToStringList = list: map (toString list); + + /** + a function that returns the index of an element in a list + + # Arguments + + - [list] the list to search in + - [elem] the element to search for + + # Type + + ``` + indexOf :: List -> Any -> Int + ``` + + # Example + + ```nix + indexOf [1 2 3] 2 + => 1 + ``` + */ + indexOf = + list: elem: + let + f = + f: i: + if i == (builtins.length list) then + null + else if (builtins.elemAt list i) == elem then + i + else + f f (i + 1); + in + f f 0; + + /** + a function that checks if a list contains a list of given strings + + # Arguments + + - [list] the list to search in + - [targetStrings] the list of strings to search for + + # Type + + ``` + containsStrings :: List -> List -> Bool + ``` + + # Example + + ```nix + containsStrings ["a" "b" "c"] ["a" "b"] + => true + ``` + */ + containsStrings = + list: targetStrings: builtins.all (s: builtins.any (x: x == s) list) targetStrings; + + /** + Create git url aliases for a given domain + + # Arguments + + - [domain] the domain to create the alias for + - [alias] the alias to use + - [user] the user to use, this defaults to "git" + - [port] the port to use, this is optional + + # Type + + ``` + giturl :: (String -> String -> String -> Int) -> AttrSet + ``` + + # Example + + ```nix + giturl { domain = "github.com"; alias = "gh"; } + => { + 
"https://github.com/".insteadOf = "gh:"; + "ssh://git@github.com/".pushInsteadOf = "gh:"; + } + ``` + */ + giturl = + { + domain, + alias, + user ? "git", + port ? null, + ... + }: + { + "https://${domain}/".insteadOf = "${alias}:"; + "ssh://${user}@${domain}${ + if (builtins.isNull port) then + "" + else if (builtins.isInt port) then + ":" + (builtins.toString port) + else + ":" + port + }/".pushInsteadOf = + "${alias}:"; + }; + + /** + Create a public key for a given host + + # Arguments + + - [host] the host to create the public key for + - [key] this is a attrset with the key type and key + + # Type + + ``` + mkPub :: (String -> AttrSet -> AttrSet) -> String -> AttrSet -> AttrSet + ``` + + # Example + + ```nix + mkPub "github.com" { + type = "rsa"; + key = "AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + } + => { + "github.com-rsa" = { + hostNames = [ "github.com" ]; + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + } + ``` + */ + mkPub = host: key: { + "${host}-${key.type}" = { + hostNames = [ host ]; + publicKey = "ssh-${key.type} ${key.key}"; + }; + }; + + /** + Create public keys for a given host + + # Arguments + + - [host] the host to create the public keys for + - [keys] the list of keys to create + + # Type + + ``` + mkPubs :: (String -> List) -> String -> List -> AttrSet + ``` + + 
# Example + + ```nix + mkPubs "github.com" [ + { + type = "rsa"; + key = "AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + } + { + type = "ed25519"; + key = "AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; + } + ] + => { + "github.com-ed25519" = { + hostNames = [ "github.com" ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; + }; + "github.com-rsa" = { + hostNames = [ "github.com" ]; + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + } + ``` + */ + mkPubs = host: keys: lib.foldl' (acc: key: acc // mkPub host key) { } keys; +in +{ + inherit + mkPub + mkPubs + giturl + filterNixFiles + importNixFiles + importNixFilesAndDirs + boolToNum + containsStrings + indexOf + intListToStringList + ; +} diff --git a/modules/flake/lib/programs.nix b/modules/flake/lib/programs.nix new file mode 100644 index 0000000..aa2bbb9 --- /dev/null +++ b/modules/flake/lib/programs.nix @@ -0,0 +1,15 @@ +{ lib }: +let + inherit (lib.options) mkEnableOption mkPackageOption; + inherit (lib.attrsets) recursiveUpdate; + + mkProgram = + pkgs: name: extraConfig: + recursiveUpdate { + enable = mkEnableOption "Enable ${name}"; + package = mkPackageOption pkgs name { }; + } extraConfig; +in +{ + inherit mkProgram; +} 
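Review bot: `intListToStringList = list: map (toString list);` passes the string produced by `toString list` as the mapping function and never supplies the list, so the documented `intListToStringList [1 2 3] => ["1" "2" "3"]` actually errors with "value is a string while a function was expected"; it should read `intListToStringList = list: map toString list;`. Right above it, `importNixFilesAndDirs` filters with `f != "default.nix"`, but `listFilesRecursive` yields path values and a path never equals a string, so `default.nix` files are never excluded — compare on `baseNameOf f != "default.nix"` and fix the example, which promises `[ "flake.nix" ]` where absolute paths are returned. For `mkPub`, the `ssh-${key.type}` prefix is only correct for `rsa` and `ed25519`; an `ecdsa` entry would yield `ssh-ecdsa`, which is not a key type known_hosts understands, so either document that restriction in the docstring or map the type to the real algorithm name.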
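Review bot: `recursiveUpdate` descends into every pair of attribute sets, and a derivation is an attribute set, so an override such as `package.default = pkgs.bashInteractive` (the way `shells.nix` in this commit calls `mkProgram`) is, as I read `lib.recursiveUpdate`, merged field by field into the `pkgs.bash` that `mkPackageOption` put there rather than replacing it, and the option's `defaultText` keeps saying `pkgs.bash`. Stop the merge at derivations with `recursiveUpdateUntil (_: lhs: rhs: !(isAttrs lhs && isAttrs rhs) || isDerivation rhs)` (both available from `lib.attrsets`), or have callers pass the package name through `mkPackageOption pkgs name { default = "bashInteractive"; }` so the default and its rendered text stay consistent. A short docstring on `mkProgram` stating that `extraConfig` may override any `mkOption` argument of `enable`/`package` would also help.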
diff --git a/modules/flake/lib/secrets.nix b/modules/flake/lib/secrets.nix new file mode 100644 index 0000000..28d8b5e --- /dev/null +++ b/modules/flake/lib/secrets.nix @@ -0,0 +1,99 @@ +{ inputs }: +let + inherit (inputs) self; + + /** + Create secrets for use with `agenix`. + + # Arguments + + - [file] the age file to use for the secret + - [owner] the owner of the secret, this defaults to "root" + - [group] the group of the secret, this defaults to "root" + - [mode] the permissions of the secret, this defaults to "400" + + # Type + + ``` + mkSecret :: (String -> String -> String -> String) -> AttrSet + ``` + + # Example + + ```nix + mkSecret { file = "./my-secret.age"; } + => { + file = "./my-secret.age"; + owner = "root"; + group = "root"; + mode = "400"; + } + ``` + */ + mkSecret = + { + file, + owner ? "root", + group ? "root", + mode ? "400", + ... + }: + { + file = "${self}/secrets/${file}.age"; + inherit owner group mode; + }; + + /** + A light wrapper around mkSecret that allows you to specify the output path + + # Arguments + + - [file] the age file to use for the secret + - [owner] the owner of the secret, this defaults to "root" + - [group] the group of the secret, this defaults to "root" + - [mode] the permissions of the secret, this defaults to "400" + - [path] the path to output the secret to + + # Type + + ``` + mkSecretWithPath :: (String -> String -> String -> String -> String) -> AttrSet + ``` + + # Example + + ```nix + mkSecret { file = "./my-secret.age"; path = "/etc/my-secret"; } + => { + file = "./my-secret.age"; + path = "/etc/my-secret"; + owner = "root"; + group = "root"; + mode = "400"; + } + ``` + */ + mkSecretWithPath = + { + file, + path, + owner ? "root", + group ? "root", + mode ? "400", + ... + }: + mkSecret { + inherit + file + owner + group + mode + ; + } + // { + inherit path; + }; +in +{ + inherit mkSecret mkSecretWithPath; +} 
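Review bot: Both examples document a return of `file = "./my-secret.age"`, but the implementation builds `file = "${self}/secrets/${file}.age"`, so the documented call would yield `…/secrets/./my-secret.age.age`; the argument is a bare secret name relative to `secrets/`, and the docs should say so, e.g. `- [file] name of the secret under secrets/, without the .age suffix` with the example changed to `mkSecret { file = "my-secret"; }`. The `...` in both argument sets also swallows mistyped attributes silently, so a call that misspells `owner` or `mode` falls back to root/400 without any error; for a secrets helper an eval-time failure is preferable, so drop the `...` unless a specific extra argument is meant to be accepted. The `mkSecretWithPath` example also calls `mkSecret` instead of itself.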
diff --git a/modules/flake/lib/services.nix b/modules/flake/lib/services.nix
new file mode 100644
index 0000000..3cd0b72
--- /dev/null
+++ b/modules/flake/lib/services.nix
@@ -0,0 +1,65 @@
+{ lib }:
+let
+ inherit (lib.types) str;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.attrsets) recursiveUpdate;
+
+ mkGraphicalService = recursiveUpdate {
+ Unit.PartOf = [ "graphical-session.target" ];
+ Unit.After = [ "graphical-session.target" ];
+ Install.WantedBy = [ "graphical-session.target" ];
+ };
+
+ mkHyprlandService = recursiveUpdate {
+ Unit.PartOf = [ "graphical-session.target" ];
+ Unit.After = [ "graphical-session.target" ];
+ Install.WantedBy = [ "hyprland-session.target" ];
+ };
+
+ /**
+ A quick way to use my services abstraction
+
+ # Arguments
+
+ - [name]: The name of the service
+
+ # Type
+
+ ```
+ mkServiceOption :: String -> (Int -> String -> String -> AttrSet) -> AttrSet
+ ```
+ */
+ mkServiceOption =
+ name:
+ {
+ port ? 0,
+ host ? "127.0.0.1",
+ domain ? "",
+ extraConfig ? { },
+ }:
+ {
+ enable = mkEnableOption "Enable the ${name} service";
+
+ host = mkOption {
+ type = str;
+ default = host;
+ description = "The host for ${name} service";
+ };
+
+ port = mkOption {
+ type = lib.types.port;
+ default = port;
+ description = "The port for ${name} service";
+ };
+
+ domain = mkOption {
+ type = str;
+ default = domain;
+ description = "Domain name for the ${name} service";
+ };
+ }
+ // extraConfig;
+in
+{
+ inherit mkGraphicalService mkHyprlandService mkServiceOption;
+}
diff --git a/modules/flake/lib/template/default.nix b/modules/flake/lib/template/default.nix
new file mode 100644
index 0000000..65eae99
--- /dev/null
+++ b/modules/flake/lib/template/default.nix
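Review bot: `port ? 0` turns a forgotten port into a valid-looking option value: `lib.types.port` accepts 0, so a service module that never passes `port` evaluates cleanly and only fails, or binds an ephemeral port, at runtime. Make it required by writing `port,` in the argument set, or keep the default and reject 0 where the option is consumed. Since `// extraConfig` is applied last, a caller can also replace `enable`, `host` or `port` wholesale; a one-line `# extraConfig wins over the generated options on a name clash` would make that intentional, and the docstring should list `port`, `host`, `domain` and `extraConfig` rather than only `name`.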
@@ -0,0 +1,35 @@ +let + # this is a forced SSL template for Nginx + # returns the attribute set with our desired settings + systemd = { + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + RestrictNamespaces = "uts ipc pid user cgroup"; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = ["@system-service"]; + UMask = "0077"; + }; + + xdg = import ./xdg.nix; +in { + inherit + systemd + xdg + ; +} diff --git a/modules/flake/lib/template/xdg.nix b/modules/flake/lib/template/xdg.nix new file mode 100644 index 0000000..f84857b --- /dev/null +++ b/modules/flake/lib/template/xdg.nix 
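Review bot: The header comment `# this is a forced SSL template for Nginx` does not describe this file; the attribute set is a systemd service hardening template (`ProtectSystem = "strict"`, `NoNewPrivileges`, `SystemCallFilter`, …), so suggest `# systemd service hardening defaults; merge into systemd.services.<name>.serviceConfig`. `RestrictNamespaces = "uts ipc pid user cgroup"` looks inverted: per systemd.exec(5) a space-separated list is an allow-list, so this setting permits uts/ipc/pid/user/cgroup namespace creation and only denies net and mnt, which is probably the opposite of what a hardening template intends; `RestrictNamespaces = true;` (or a `~`-prefixed deny list) would block them. Nothing visible in this commit consumes the `systemd` template, so the forgejo service added in the same patch does not benefit from it yet; wiring it into `systemd.services.forgejo.serviceConfig` would be the natural follow-up.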
@@ -0,0 +1,100 @@ +# You can generate something like this using xdg-ninja +let + XDG_CONFIG_HOME = "$HOME/.config"; + XDG_CACHE_HOME = "$HOME/.cache"; + XDG_DATA_HOME = "$HOME/.local/share"; + XDG_STATE_HOME = "$HOME/.local/state"; + XDG_BIN_HOME = "$HOME/.local/bin"; + XDG_RUNTIME_DIR = "/run/user/$UID"; +in +{ + # global env + glEnv = { + inherit + XDG_CONFIG_HOME + XDG_CACHE_HOME + XDG_DATA_HOME + XDG_STATE_HOME + XDG_BIN_HOME + XDG_RUNTIME_DIR + ; + PATH = [ "$XDG_BIN_HOME" ]; + }; + + sysEnv = { + # desktop + KDEHOME = "${XDG_CONFIG_HOME}/kde"; + XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose"; + ERRFILE = "${XDG_CACHE_HOME}/X11/xsession-errors"; + WINEPREFIX = "${XDG_DATA_HOME}/wine"; + + # programs + GNUPGHOME = "${XDG_DATA_HOME}/gnupg"; + LESSHISTFILE = "${XDG_DATA_HOME}/less/history"; + CUDA_CACHE_PATH = "${XDG_CACHE_HOME}/nv"; + STEPPATH = "${XDG_DATA_HOME}/step"; + WAKATIME_HOME = "${XDG_CONFIG_HOME}/wakatime"; + INPUTRC = "${XDG_CONFIG_HOME}/readline/inputrc"; + PLATFORMIO_CORE_DIR = "${XDG_DATA_HOME}/platformio"; + DOTNET_CLI_HOME = "${XDG_DATA_HOME}/dotnet"; + MPLAYER_HOME = "${XDG_CONFIG_HOME}/mplayer"; + SQLITE_HISTORY = "${XDG_CACHE_HOME}/sqlite_history"; + + # programming + ANDROID_HOME = "${XDG_DATA_HOME}/android"; + ANDROID_USER_HOME = "${XDG_DATA_HOME}/android"; + GRADLE_USER_HOME = "${XDG_DATA_HOME}/gradle"; + IPYTHONDIR = "${XDG_CONFIG_HOME}/ipython"; + JUPYTER_CONFIG_DIR = "${XDG_CONFIG_HOME}/jupyter"; + GOPATH = "${XDG_DATA_HOME}/go"; + M2_HOME = "${XDG_DATA_HOME}/m2"; + CARGO_HOME = "${XDG_DATA_HOME}/cargo"; + RUSTUP_HOME = "${XDG_DATA_HOME}/rustup"; + STACK_ROOT = "${XDG_DATA_HOME}/stack"; + STACK_XDG = 1; + NODE_REPL_HISTORY = "${XDG_DATA_HOME}/node_repl_history"; + NPM_CONFIG_CACHE = "${XDG_CACHE_HOME}/npm"; + NPM_CONFIG_TMP = "${XDG_RUNTIME_DIR}/npm"; + NPM_CONFIG_USERCONFIG = "${XDG_CONFIG_HOME}/npm/config"; + }; + + npmrc.text = '' + prefix=''${XDG_DATA_HOME}/npm + cache=''${XDG_CACHE_HOME}/npm + 
init-module=''${XDG_CONFIG_HOME}/npm/config/npm-init.js + ''; + + pythonrc.text = '' + import os + import atexit + import readline + from pathlib import Path + + if readline.get_current_history_length() == 0: + + state_home = os.environ.get("XDG_STATE_HOME") + if state_home is None: + state_home = Path.home() / ".local" / "state" + else: + state_home = Path(state_home) + + history_path = state_home / "python_history" + if history_path.is_dir(): + raise OSError(f"'{history_path}' cannot be a directory") + + history = str(history_path) + + try: + readline.read_history_file(history) + except OSError: # Non existent + pass + + def write_history(): + try: + readline.write_history_file(history) + except OSError: + pass + + atexit.register(write_history) + ''; +} diff --git a/modules/flake/lib/validators.nix b/modules/flake/lib/validators.nix new file mode 100644 index 0000000..d40e8fd --- /dev/null +++ b/modules/flake/lib/validators.nix 
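Review bot: `XDG_RUNTIME_DIR = "/run/user/$UID"` in `glEnv` overrides a variable that pam_systemd already sets per login, and `$UID` is a bash/zsh variable rather than POSIX, so if these values end up in an environment file that is not shell-expanded (how hjem emits them is not visible here) the literal `$UID` lands in `XDG_RUNTIME_DIR` and, through it, in `NPM_CONFIG_TMP`. Suggest dropping `XDG_RUNTIME_DIR` from `glEnv` and pointing `NPM_CONFIG_TMP` at a location that does not depend on it, or at least marking the assumption: `# assumes $HOME/$UID are expanded by a login shell; not valid for plain environment files`. The `pythonrc` history hook creates `python_history` with whatever umask the interpreter inherits, and a REPL history can contain pasted tokens; a `os.chmod(history, 0o600)` after `readline.write_history_file(history)` (inside the same `try`) would keep it private regardless of umask.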
@@ -0,0 +1,128 @@ +{lib, ...}: let + inherit (lib.attrsets) getAttrFromPath; + inherit + (builtins) + elem + filter + hasAttr + any + ; + /* + * + a function that will append a list of groups if they exist in config.users.groups + + # Arguments + + - [config] the configuration that nixosConfigurations provides + - [groups] a list of groups to check for + + # Type + + ``` + ifTheyExist :: AttrSet -> List -> List + ``` + + # Example + + ```nix + ifTheyExist config ["wheel" "users"] + => ["wheel"] + ``` + */ + ifTheyExist = config: groups: filter (group: hasAttr group config.users.groups) groups; + + /* + * + convenience function check if the declared device type is of an accepted type + + # Arguments + + - [config] the configuration that nixosConfigurations provides + - [list] a list of devices that will be accepted + + # Type + + ``` + isAcceptedDevice :: AttrSet -> List -> Bool + ``` + + # Example + + ```nix + isAcceptedDevice osConfig ["foo" "bar"] + => false + ``` + */ + isAcceptedDevice = conf: list: elem conf.olympus.device.type list; + + /* + * + check if the device is wayland-ready + + # Arguments + + - [config] the configuration that nixosConfigurations provides + + # Type + + ``` + isWayland :: AttrSet -> Bool + ``` + + # Example + + ```nix + isWayland osConfig + => true + ``` + */ + isWayland = conf: conf.olympus.meta.isWayland; + + /* + * + check if the device is modernShell-ready + + # Arguments + + - [config] the configuration that nixosConfigurations provides + + # Type + + ``` + isModernShell :: AttrSet -> Bool + ``` + + # Example + + ```nix + isModernShell osConfig + => true + ``` + */ + isModernShell = conf: conf.olympus.programs.cli.enable && conf.olympus.programs.cli.modernShell.enable; + + anyHome = conf: cond: path: let + list = + map ( + user: + getAttrFromPath ( + [ + "users" + user + ] + ++ path + ) + conf + ) + conf.olympus.system.users; + in + any cond list; +in { + inherit + ifTheyExist + isAcceptedDevice + isWayland + isModernShell + 
anyHome
+ ;
+}
diff --git a/modules/nixos/remote-modules.nix b/modules/nixos/remote-modules.nix
index 3f9dd59..c996834 100644
--- a/modules/nixos/remote-modules.nix
+++ b/modules/nixos/remote-modules.nix
@@ -1,6 +1,11 @@
 {inputs, ...}: {
 imports = [
- inputs.home-manager.nixosModules.home-manager
+ # home manager has been a pia to work with and
+ # gives really hard to debug errors so I just
+ # gave up with it so hjem it is
+ # inputs.home-manager.nixosModules.home-manager
+ inputs.hjem.nixosModules.default
+ inputs.hjem-rum.nixosModules.default
 inputs.lix-module.nixosModules.default
 ];
 }
diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
index 3534588..18e5c33 100644
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -1,6 +1,6 @@
 {
 imports = [
- #./hosted
+ ./hosted
 ./system
 ];
 }
diff --git a/modules/nixos/services/hosted/caddy.nix b/modules/nixos/services/hosted/caddy.nix
index 4bcd9e6..237b770 100644
--- a/modules/nixos/services/hosted/caddy.nix
+++ b/modules/nixos/services/hosted/caddy.nix
@@ -1,6 +1,5 @@
 {
 lib,
- pkgs,
 config,
 ...
 }: let
diff --git a/modules/nixos/services/hosted/forgejo.nix b/modules/nixos/services/hosted/forgejo.nix
index 0967ef4..becd2a3 100644
--- a/modules/nixos/services/hosted/forgejo.nix
+++ b/modules/nixos/services/hosted/forgejo.nix
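Review bot: `anyHome` is the only function in this file without a doc comment, and the other functions document their first argument as `[config]` while the code names it `conf`; a comment in the file's style such as `# anyHome: true if cond holds for the value at users.<user>.<path> for any user listed in conf.olympus.system.users` would close that gap. `ifTheyExist` silently drops any group missing from `config.users.groups`, which fails in the safe direction for privilege (a misspelled `"wheel"` yields fewer groups, not more) but is easy to miss at a call site; worth stating in its doc, e.g. `# a misspelled or undeclared group is dropped, not an error`. The `isModernShell` doc should also mention that it requires both `cli.enable` and `cli.modernShell.enable`, which is what the code checks.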
@@ -1 +1,137 @@
-{}
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkAfter;
+ inherit (lib.services) mkServiceOption;
+ inherit (lib.strings) removePrefix removeSuffix;
+ inherit (lib.secrets) mkSecret;
+
+ rdomain = config.networking.domain;
+ cfg = config.olympus.services.forgejo;
+
+ # stole this from https://github.com/isabelroses/dotfiles/blob/main/modules/nixos/services/selfhosted/forgejo.nix who
+ # stole this from https://git.winston.sh/winston/deployment-flake/src/branch/main/config/services/gitea.nix who
+ # stole it from https://github.com/getchoo
+ theme = pkgs.fetchzip {
+ url = "https://github.com/catppuccin/gitea/releases/download/v1.0.0/catppuccin-gitea.tar.gz";
+ hash = "sha256-UsYJJ1j9erMih4OlFon604g1LvkZI/UiLgMgdvnyvyA=";
+ stripRoot = false;
+ };
+in {
+ options.olympus.services.forgejo = mkServiceOption "forgejo" {
+ port = 3000;
+ domain = "git.${rdomain}";
+ };
+
+ config = mkIf cfg.enable {
+ age.secrets.forgejo-runner-token = mkSecret {
+ file = "forgejo-runner-token";
+ owner = "forgejo";
+ group = "forgejo";
+ };
+
+ olympus.services = {
+ caddy.enable = true;
+ };
+
+ systemd.services = {
+ forgejo = {
+ preStart = let
+ inherit (config.services.forgejo) stateDir;
+ in
+ mkAfter ''
+ rm -rf ${stateDir}/custom/public/assets
+ mkdir -p ${stateDir}/custom/public/assets
+ ln -sf ${theme} ${stateDir}/custom/public/assets/css
+ '';
+ };
+ };
+
+ users = {
+ groups.git = {};
+
+ users.git = {
+ isSystemUser = true;
+ createHome = false;
+ group = "git";
+ };
+ };
+
+ services = {
+ forgejo = {
+ package = pkgs.forgejo;
+ enable = true;
+ lfs.enable = true;
+ settings = {
+ DEFAULT.APP_NAME = "haigit";
+ federation.ENABLED = true;
+ service.DISABLE_REGISTRATION = true;
+ actions = {
+ ENABLED = true;
+ };
+ server = {
+ ROOT_URL = "https://${cfg.domain}";
+ DOMAIN = "${cfg.domain}";
+
+ SSH_PORT = 22;
+ SSH_LISTEN_PORT = 22;
+ BUILTIN_SSH_SERVER_USER = "git";
+ };
+
+ ui = {
+ DEFAULT_THEME = "catppuccin-mocha-pink";
+
THEMES = builtins.concatStringsSep "," (
+ ["auto,forgejo-auto,forgejo-dark,forgejo-light,arc-gree,gitea"]
+ ++ (map (name: removePrefix "theme-" (removeSuffix ".css" name)) (
+ # IFD, https://github.com/catppuccin/nix/pull/179
+ builtins.attrNames (builtins.readDir theme)
+ ))
+ );
+ };
+
+ "ui.meta" = {
+ AUTHOR = "Elissa";
+ DESCRIPTION = "My own selfhosted git place for random stuff :3";
+ };
+
+ session = {
+ COOKIE_SECURE = true;
+ # Sessions last for a month
+ SESSION_LIFE_TIME = 86400 * 30;
+ };
+ };
+ };
+ };
+
+ gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "Theia";
+ url = cfg.domain;
+ # token = "KQA3LtLj5s5PGUfVAxVJ2OCcnySDWdgjlsSaGbOJ";
+ tokenFile = config.age.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:22-bookworm"
+ ];
+ };
+ };
+
+ caddy.virtualHosts.${cfg.domain} = {
+ extraConfig = ''
+ reverse_proxy localhost:3000
+ '';
+ };
+ };
+ # for forgejo runner
+ virtualisation.docker = {
+ enable = true;
+ rootless = {
+ enable = true;
+ setSocketVariable = true;
+ };
+ };
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..e4af4b4
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,7 @@
+let
+ pingu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPbmiNqoyeKXk/VopFm2cFfEnV4cKCFBhbhyYB69Fuu";
+ elissa = "";
+ users = [pingu elissa];
+in {
+ "forgejo-runner-token.age".publicKeys = [pingu];
+}
diff --git a/systems/default.nix b/systems/default.nix
index 2e56a15..7e8ccfa 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -1,10 +1,9 @@
 {
 self,
 inputs,
- lib,
 ...
 }: let
- # inherit (self) lib;
+ inherit (self) lib;
 inherit (lib.lists) optionals;
 profilesPath = ../modules/profiles;
diff --git a/systems/theia/default.nix b/systems/theia/default.nix
index 965c738..21c8583 100644
--- a/systems/theia/default.nix
+++ b/systems/theia/default.nix
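Review bot: The commented-out line `# token = "KQA3LtLj5s5PGUfVAxVJ2OCcnySDWdgjlsSaGbOJ";` still commits a runner registration token to the repository and its history; delete the line and regenerate the runner token in Forgejo, since `tokenFile` already supplies it through agenix. `url = cfg.domain` hands a bare hostname to `gitea-actions-runner.instances.default.url`, which the runner uses as the instance URL, so it most likely needs a scheme: `url = "https://${cfg.domain}";`. `server.SSH_PORT`, `SSH_LISTEN_PORT` and `BUILTIN_SSH_SERVER_USER` are set but `START_SSH_SERVER` is not, so unless the system sshd is configured to route the `git` user to Forgejo (not visible in this patch) the built-in SSH server on 22 never starts, and 22 is also absent from the firewall list added in this commit. `reverse_proxy localhost:3000` hardcodes the port the module exposes as `cfg.port`; `reverse_proxy localhost:${toString cfg.port}` together with `server.HTTP_PORT = cfg.port;` would keep the option meaningful. The enclosing `config = mkIf cfg.enable { … }` block begins outside this part of the hunk.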
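Review bot: `"forgejo-runner-token.age".publicKeys = [pingu]` encrypts the secret only to the `pingu` user key, with no key for the host `theia`; agenix decrypts on the target at activation using `age.identityPaths` (by default the host's SSH host keys), so unless that option is pointed at a key present on theia somewhere not shown in this patch, the forgejo module's `age.secrets.forgejo-runner-token` cannot be decrypted there. Suggest adding the host key, `theia = "ssh-ed25519 …";` and `publicKeys = [pingu theia];`, and re-keying the file with `agenix -r`. `elissa = ""` is an empty placeholder referenced only from the unused `users` list; an empty string in any `publicKeys` would make re-keying fail, so either fill it in or drop `elissa` and `users` until they are needed.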
@@ -4,6 +4,7 @@
 ./networking.nix
 ./overrides.nix
 ./services.nix
+ ./users.nix
 ];
 olympus = {
diff --git a/systems/theia/networking.nix b/systems/theia/networking.nix
index 0967ef4..4daf9c2 100644
--- a/systems/theia/networking.nix
+++ b/systems/theia/networking.nix
@@ -1 +1,68 @@
-{}
+{lib, ...}: let
+ inherit (lib.modules) mkForce;
+in {
+ networking = {
+ enableIPv6 = true;
+ firewall = {
+ allowedTCPPorts = [
+ 80 # HTTP
+ 443 # HTTPS
+ 25565 # minecraft
+ 25566 # minecraft
+ 25567 # minecraft
+ ];
+ allowedUDPPorts = [
+ 25565 # minecraft
+ 25566 # minecraft
+ 25567 # minecraft
+ ];
+ };
+ hostName = "theia";
+ nameservers = ["1.1.1.1" "8.8.8.8" "9.9.9.9"];
+ domain = "blahai.gay";
+ useDHCP = mkForce false;
+ defaultGateway = {
+ address = "178.63.247.183";
+ interface = "ens3";
+ };
+ defaultGateway6 = {
+ address = " 2a01:4f8:2201:f900:2::2";
+ interface = "ens3";
+ };
+
+ interfaces = {
+ ens3 = {
+ ipv4 = {
+ addresses = [
+ {
+ address = "178.63.118.252";
+ prefixLength = 32;
+ }
+ ];
+
+ routes = [
+ {
+ address = "178.63.247.183";
+ prefixLength = 32;
+ }
+ ];
+ };
+ ipv6 = {
+ addresses = [
+ {
+ address = "2a01:4f8:2201:f912::a";
+ prefixLength = 64;
+ }
+ ];
+
+ routes = [
+ {
+ address = "fe80::1";
+ prefixLength = 128;
+ }
+ ];
+ };
+ };
+ };
+ };
+}
diff --git a/systems/theia/services.nix b/systems/theia/services.nix
index 0967ef4..bbc1c81 100644
--- a/systems/theia/services.nix
+++ b/systems/theia/services.nix
@@ -1 +1,6 @@
-{}
+{
+ olympus.services = {
+ caddy.enable = true;
+ forgejo.enable = true;
+ };
+}
diff --git a/systems/theia/users.nix b/systems/theia/users.nix
new file mode 100644
index 0000000..cf908bc
--- /dev/null
+++ b/systems/theia/users.nix
@@ -0,0 +1,5 @@
+{
+ olympus.system = {
+ mainUser = "pingu";
+ };
+}
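Review bot: `defaultGateway6.address = " 2a01:4f8:2201:f900:2::2"` carries a leading space inside the string, which is not a valid IPv6 address and will either fail option validation or produce a broken default route at activation; it should be `address = "2a01:4f8:2201:f900:2::2";`. The firewall opens TCP and UDP 25565–25567 for minecraft, but nothing in this commit defines a minecraft service (`systems/theia/services.nix` enables only caddy and forgejo), so these are exposed ports without a listener; open them from the module that runs the server, or add a comment explaining why they are open here. Port 22 is not in the list, so SSH reachability (including the Forgejo built-in SSH settings added in the same patch) relies on `services.openssh.openFirewall` being left at its default elsewhere, which is worth a `# 22 is opened by services.openssh` note so the omission reads as deliberate.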