ahuston-0/nix-dotfiles
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Compare commits

base: ahuston-0:22c44a97054e0613bfb8cde2b5477b448f448d4b
Branches Tags
ahuston-0:main ahuston-0:update-flake-lock ahuston-0:feature/add-parthenon ahuston-0:ahuston-0-patch-2 ahuston-0:feature/add-pc ahuston-0:feature/add-jessica ahuston-0:feature/gitea-minio ahuston-0:feature/ftb-app ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/build-cache ahuston-0:hotfix/zfs-import ahuston-0:feature/add-unpackerr ahuston-0:feature/pscsd-yubikey ahuston-0:feature/overseerr ahuston-0:feature/onboarding-kubernetes
..
compare: ahuston-0:feature/build-cache
Branches Tags
ahuston-0:update-flake-lock ahuston-0:main ahuston-0:feature/add-parthenon ahuston-0:ahuston-0-patch-2 ahuston-0:feature/add-pc ahuston-0:feature/add-jessica ahuston-0:feature/gitea-minio ahuston-0:feature/ftb-app ahuston-0:feature/hetzner-bridge ahuston-0:feature/setting-up-greylog ahuston-0:feature/build-cache ahuston-0:hotfix/zfs-import ahuston-0:feature/add-unpackerr ahuston-0:feature/pscsd-yubikey ahuston-0:feature/overseerr ahuston-0:feature/onboarding-kubernetes

6 Commits
22c44a9705 ... feature/bu

Author SHA1 Message Date
ahuston-0
474184baa7 add sqlite for restores 
Signed-off-by: ahuston-0 <aliceghuston@gmail.com>
 2025-03-10 12:33:33 -04:00
ahuston-0
fd826be6da add token to cache-merge
Some checks failed
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 14s
Details
Check Nix formatting / Perform Nix format checks (pull_request) Has been cancelled
Details
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Has been cancelled
Details
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Has been cancelled
Details
2025-03-10 09:49:19 -04:00
ahuston-0
ea16a83c2e add token to cache-merge 2025-03-10 09:48:44 -04:00
ahuston-0
050b4c9b2f reorder oops
All checks were successful
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 27s
Details
Check Nix formatting / Perform Nix format checks (pull_request) Successful in 2m51s
Details
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Successful in 7m59s
Details
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Successful in 2h16m35s
Details
2025-03-10 01:23:20 -04:00
ahuston-0
ea5616416a remove cache max limit 2025-03-10 01:06:56 -04:00
ahuston-0
2a0fe0b106 fix os matrix?
Some checks failed
Check flake.lock / Check health of `flake.lock` (pull_request) Successful in 10s
Details
Check Nix flake / Perform Nix flake checks (ubuntu-latest) (pull_request) Has been cancelled
Details
Check Nix flake / Build nix outputs (ubuntu-latest) (pull_request) Has been cancelled
Details
Check Nix formatting / Perform Nix format checks (pull_request) Has been cancelled
Details
2025-03-10 00:48:57 -04:00
49 changed files with 958 additions and 975 deletions
Expand all files Collapse all files

331
.github/settings.yml vendored
View File

@@ -1,173 +1,204 @@
# Have borrowed this config from nix-community/infra
repository:
# See https://developer.github.com/v3/repos/#edit for all available settings.
# See https://developer.github.com/v3/repos/#edit for all available settings.
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# The name of the repository. Changing this will rename the repository
name: nix-dotfiles
# A short description of the repository that will show up on GitHub
description: RAD-Dev Infra
# A URL with more information about the repository
# homepage: "https://nix-community.org"
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# A comma-separated list of topics to set on the repository
topics: "nixos"
# Either `true` to make the repository private, or `false` to make it public.
private: false
# Either `true` to enable issues for this repository, `false` to disable them.
has_issues: true
# Either `true` to enable projects for this repository, or `false` to disable them.
# If projects are disabled for the organization, passing `true` will cause an API error.
has_projects: true
# Either `true` to enable the wiki for this repository, `false` to disable it.
has_wiki: false
# Either `true` to enable downloads for this repository, `false` to disable them.
has_downloads: false
# Updates the default branch for this repository.
default_branch: main
# Either `true` to allow squash-merging pull requests, or `false` to prevent
# squash-merging.
allow_squash_merge: true
# Either `true` to allow merging pull requests with a merge commit, or `false`
# to prevent merging pull requests with merge commits.
allow_merge_commit: false
# Either `true` to allow rebase-merging pull requests, or `false` to prevent
# rebase-merging.
allow_rebase_merge: true
# Either `true` to enable automatic deletion of branches on merge, or `false` to disable
delete_branch_on_merge: true
# Either `true` to enable automated security fixes, or `false` to disable
# automated security fixes.
enable_automated_security_fixes: true
# Either `true` to enable vulnerability alerts, or `false` to disable
# vulnerability alerts.
enable_vulnerability_alerts: true
allow_auto_merge: true
# Labels: define labels for Issues and Pull Requests
#
labels:
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
- name: bug
color: '#d73a4a'
description: Something isn't working
- name: CI/CD
# If including a `#`, make sure to wrap it with quotes!
color: '#0e8a16'
description: Related to GH Actions or Hydra
- name: documentation
color: '#0075ca'
description: Improvements or additions to documentation
- name: duplicate
color: '#cfd3d7'
description: This issue or pull request already exists
- name: enhancement
color: '#a2eeef'
description: New feature or request
- name: good first issue
color: '#7057ff'
description: Good for newcomers
- name: help wanted
color: '#008672'
description: Extra attention is needed
- name: high priority
color: '#BF480A'
description: A major vurnability was detected
- name: invalid
color: '#e4e669'
description: This doesn't seem right
- name: new user
color: '#C302A1'
description: A new user was added to the Flake
- name: question
color: '#d876e3'
description: Further information is requested
- name: wontfix
color: '#ffffff'
description: This will not be worked on
- name: dependencies
color: '#cb4ed5'
description: Used for PR's related to flake.lock updates
- name: automated
color: '#42b528'
description: PR was automatically generated (through a bot or CI/CD)
# Milestones: define milestones for Issues and Pull Requests
milestones:
- title: Go-Live
description: >-
All requirements for official go-live: - Automated testing via Hydra/Actions - Automated deployments via Hydra/Actions - 90+% testing coverage - Functional formatter with custom rules - palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves - Quadro GPU support - Multi-GPU support - Plex support - Docker support - ZFS support
- title: Go-Live
description: >-
All requirements for official go-live:
- Automated testing via Hydra/Actions
- Automated deployments via Hydra/Actions
- 90+% testing coverage
- Functional formatter with custom rules
- palatine-hill is fully stable, enough so that jeeves can be migrated
# The state of the milestone. Either `open` or `closed`
state: open
- title: Jeeves Migration
description: >-
Test common use-cases for Jeeves
- Quadro GPU support
- Multi-GPU support
- Plex support
- Docker support
- ZFS support
# Collaborators: give specific users access to this repository.
# See https://docs.github.com/en/rest/reference/repos#add-a-repository-collaborator for available options
collaborators:
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# - username: numtide-bot
# Note: `permission` is only valid on organization-owned repositories.
# The permission to grant the collaborator. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: push
# See https://docs.github.com/en/rest/reference/teams#add-or-update-team-repository-permissions for available options
teams:
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
# - name: admin
# The permission to grant the team. Can be one of:
# * `pull` - can pull, but not push to or administer this repository.
# * `push` - can pull and push, but not administer this repository.
# * `admin` - can pull, push and administer this repository.
# * `maintain` - Recommended for project managers who need to manage the repository without access to sensitive or destructive actions.
# * `triage` - Recommended for contributors who need to proactively manage issues and pull requests without write access.
# permission: admin
branches:
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/nix-community/infra/branches/master/protection
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# not available in the api yet
# `Require merge queue`: true
# `Merge method`: Rebase and merge
# `Maximum pull requests to build`: 1
# `Maximum pull requests to merge`: 1
# defaults:
# `Maximum pull requests to build`: 5
# `Minimum pull requests to merge`: 1 or 5 minutes
# `Maximum pull requests to merge`: 5
# `Only merge non-failing pull requests`: true
# `Consider check failed after`: 60 minutes
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
- name: main
# https://docs.github.com/en/rest/reference/repos#update-branch-protection
# Branch Protection settings. Set to null to disable
protection:
# Required. Require at least one approving review on a pull request, before merging. Set to null to disable.
# these settings are the same as manually enabling "Require a pull request before merging" but not setting any other restrictions
required_pull_request_reviews:
# # The number of approvals required. (1-6)
required_approving_review_count: 1
# # Dismiss approved reviews automatically when a new commit is pushed.
dismiss_stale_reviews: true
# # Blocks merge until code owners have reviewed.
require_code_owner_reviews: false
# # Specify which users and teams can dismiss pull request reviews. Pass an empty dismissal_restrictions object to disable. User and team dismissal_restrictions are only available for organization-owned repositories. Omit this parameter for personal repositories.
# dismissal_restrictions:
# users: []
# teams: []
require_last_push_approval: false
# Required. Require status checks to pass before merging. Set to null to disable
# required_status_checks:
# Required. Require branches to be up to date before merging.
# strict: false
# Required. The list of status checks to require in order to merge into this branch
# contexts:
# - buildbot/nix-eval
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []
# Required. Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
enforce_admins: true
# Disabled for bors to work
required_linear_history: true
# Required. Restrict who can push to this branch. Team and user restrictions are only available for organization-owned repositories. Set to null to disable.
restrictions:
apps: []
# TODO: make a buildbot instance
# users: ["nix-infra-bot"]
teams: []

90
.github/workflows/cache-merge.yml vendored Normal file
View File

@@ -0,0 +1,90 @@
name: Nix CI
on:
push:
# don't run on tags, run on commits
# https://github.com/orgs/community/discussions/25615
tags-ignore:
- "**"
branches:
- main
merge_group:
schedule:
- cron: 0 0 * * *
workflow_dispatch:
jobs:
# Merge similar `individual` caches
# Purge `individual` caches and old `common` caches
# Save new `common` caches
merge-similar-caches:
name: Merge similar caches
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repo
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- run: nix profile install nixpkgs#sqlite
- uses: nix-community/cache-nix-action@v6
name: create and purge common cache
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
# if no hit on the primary key, restore individual caches that match `ci.yaml`
restore-prefixes-all-matches: |
similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge old versions of the `common` cache and any versions of individual caches
purge-prefixes: |
similar-cache-${{ matrix.os }}-common-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
- uses: nix-community/cache-nix-action@v6
name: purge some individual caches
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}
# if no hit on the primary key, restore individual caches that match `ci.yaml`
restore-prefixes-all-matches: |
similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge old versions of the `common` cache and any versions of individual caches
purge-prefixes: |
similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 259200
# except the version with the `primary-key`, if it exists
purge-primary-key: never
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
# Check that the `common` cache is restored correctly
merge-similar-caches-check:
name: Check a `common` cache is restored correctly
needs: merge-similar-caches
strategy:
matrix:
os: [ubuntu-latest]
runs-on: ${{ matrix.os }}
steps:
- name: Checkout this repo
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
uses: nix-community/cache-nix-action@v6
with:
primary-key: similar-cache-${{ matrix.os }}-common-${{ hashFiles('flake.lock') }}

129
.github/workflows/flake-health-checks.yml vendored
View File

@@ -1,41 +1,94 @@
name: "Check Nix flake"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix flake checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
# build-checks:
# name: "Build nix outputs"
# runs-on: ubuntu-latest
# steps:
# - uses: DeterminateSystems/nix-installer-action@main
# - name: Setup Attic cache
# uses: ryanccn/attic-action@v0
# with:
# endpoint: ${{ secrets.ATTIC_ENDPOINT }}
# cache: ${{ secrets.ATTIC_CACHE }}
# token: ${{ secrets.ATTIC_TOKEN }}
# skip-push: "true"
# - uses: actions/checkout@v4
# - name: Build all outputs
# run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
# - name: Push to Attic
# run: nix ./utils/attic-push.bash
# continue-on-error: true
health-check:
name: "Perform Nix flake checks"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: actions/checkout@v4
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
id: restore
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- run: nix flake check --accept-flake-config
- run: nix ./utils/attic-push.bash
build-checks:
name: "Build nix outputs"
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: actions/checkout@v4
- run: nix profile install nixpkgs#sqlite
- name: Restore Nix store
id: restore
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Build all outputs
run: nix run git+https://nayeonie.com/ahuston-0/flake-update-diff -- --build .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Save Nix store
if: steps.restore.outputs.hit == 'false'
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge all versions of the individual cache
purge-prefixes: similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never

245
.github/workflows/flake-update.yml vendored
View File

@@ -1,112 +1,155 @@
name: "Update flakes"
on:
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
repository_dispatch:
workflow_dispatch:
schedule:
- cron: "00 12 * * *"
jobs:
update_lockfile:
runs-on: ubuntu-latest
#if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
update_lockfile:
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' # ensure workflow_dispatch only runs on main
steps:
- name: Checkout repository
uses: actions/checkout@v4
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
- name: Install nix
uses: https://github.com/DeterminateSystems/nix-installer-action@main
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read file contents
id: read_file
uses: guibranco/github-file-reader-action-v2@latest
with:
path: "post-diff"
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
- run: nix profile install nixpkgs#sqlite
```
${{ env.UPDATE_LOG }}
```
- name: Restore Nix store
id: restore
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# otherwise, restore a common cache if and only if it matches the current `ci.yaml`
restore-prefixes-first-match: similar-cache-${{ matrix.os }}-common-
```
${{ steps.read_file.outputs.contents }}
```
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
- name: Get pre-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh pre
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
- name: Update flake.lock
id: update
run: |
nix flake update 2> >(tee /dev/stderr) | awk '
/^• Updated input/ {in_update = 1; print; next}
in_update && !/^warning:/ {print}
/^$/ {in_update = 0}
' > update.log
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
echo "UPDATE_LOG<<EOF" >> $GITHUB_ENV
cat update.log >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
rm update.log
- name: Get post-snapshot of evaluations
run: nix ./utils/eval-to-drv.sh post
- name: Calculate diff
run: nix ./utils/diff-evals.sh
- name: Read diff into environment
run: |
delimiter="$(openssl rand -hex 8)"
{
echo "POSTDIFF<<${delimiter}"
cat post-diff
echo "${delimiter}"
} >> $GITHUB_ENV
- name: Write PR body template
uses: https://github.com/DamianReeves/write-file-action@v1.3
with:
path: pr_body.template
contents: |
- The following Nix Flake inputs were updated:
```
${{ env.UPDATE_LOG }}
```
```
{{ env.POSTDIFF }}
```
Auto-generated by [update.yml][1] with the help of
[create-pull-request][2].
[1]: https://nayeonie.com/ahuston-0/nix-dotfiles/src/branch/main/.github/workflows/flake-update.yml
[2]: https://forgejo.stefka.eu/jiriks74/create-pull-request
- name: Generate PR body
uses: pedrolamas/handlebars-action@v2.4.0 # v2.4.0
with:
files: "pr_body.template"
output-filename: "pr_body.md"
- name: Save PR body
id: pr_body
uses: juliangruber/read-file-action@v1
with:
path: "pr_body.md"
- name: Remove temporary files
run: |
rm pr_body.template
rm pr_body.md
rm pre.json
rm post.json
rm post-diff
- name: Create Pull Request
id: create-pull-request
# uses: https://forgejo.stefka.eu/jiriks74/create-pull-request@7174d368c2e4450dea17b297819eb28ae93ee645
uses: https://nayeonie.com/ahuston-0/create-pull-request@main
with:
token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
body: ${{ steps.pr_body.outputs.content }}
author: '"github-actions[bot]" <github-actions[bot]@users.noreply.github.com>'
title: 'automated: Update `flake.lock`'
commit-message: |
automated: Update `flake.lock`
${{ steps.pr_body.outputs.content }}
branch: update-flake-lock
delete-branch: true
pr-labels: | # Labels to be set on the PR
dependencies
automated
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
- name: Save Nix store
uses: nix-community/cache-nix-action@v6
with:
# save a new cache every time `ci.yaml` changes
primary-key: similar-cache-${{ matrix.os }}-individual-${{ hashFiles('flake.lock', '*.nix') }}
# do purge caches
purge: true
# purge all versions of the individual cache
purge-prefixes: similar-cache-${{ matrix.os }}-individual-
# created more than 0 seconds ago relative to the start of the `Post Restore` phase
purge-created: 0
# except the version with the `primary-key`, if it exists
purge-primary-key: never
- name: Print PR number
run: |
echo "Pull request number is ${{ steps.create-pull-request.outputs.pull-request-number }}."
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
permissions:
pull-requests: write
contents: write
pull-requests: write
contents: write

27
.github/workflows/lock-health-checks.yml vendored
View File

@@ -1,16 +1,17 @@
name: "Check flake.lock"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true
health-check:
name: "Check health of `flake.lock`"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/flake-checker-action@main
with:
fail-mode: true

45
.github/workflows/nix-fmt.yml vendored
View File

@@ -1,25 +1,26 @@
name: "Check Nix formatting"
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
push:
branches: ["main"]
pull_request:
branches: ["main"]
merge_group:
jobs:
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true
health-check:
name: "Perform Nix format checks"
runs-on: ubuntu-latest
steps:
- uses: DeterminateSystems/nix-installer-action@main
- name: Setup Attic cache
uses: ryanccn/attic-action@v0
with:
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
cache: ${{ secrets.ATTIC_CACHE }}
token: ${{ secrets.ATTIC_TOKEN }}
skip-push: "true"
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- name: Push to Attic
run: nix ./utils/attic-push.bash
continue-on-error: true

79
.sops.yaml
View File

@@ -1,46 +1,51 @@
keys:
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
# The PGP keys in keys/
- &admin_alice 5EFFB75F7C9B74EAA5C4637547940175096C1330
# Generate AGE keys from SSH keys with:
# ssh-keygen -A
# nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
# cspell:disable
- &artemision age1jd2dcpykagz20kpk2kkchte3augqncwfn6nywursx0dkfyze6feqdzxkq2
- &artemision-home age1t29a6z6cfy8m3cnc8uva0ey833vhcppue8psyumts7mtyf0zufcqvfshuc
#- &palatine-hill age1z8q02wdp0a2ep5uuffgfeqlfam4ztl95frhw5qhnn6knn0rrmcnqk5evej
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
- &palatine-hill age1qw5k8h72k3fjg5gmlxx8q8gwlc2k6n6u08d8hdzpm2pk9r0fnfxsmw33nh
# cspell:enable
servers: &servers
- *palatine-hill
- *palatine-hill
# add new users by executing: sops users/<user>/secrets.yaml
# then have someone already in the repo run the below
#
# update keys by executing: sops updatekeys secrets.yaml
# note: add .* before \.yaml if you'd like to use the mergetool config
creation_rules:
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: users/alice/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- *artemision
- *artemision-home
- path_regex: systems/palatine-hill/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill
- path_regex: systems/artemision/secrets.*\.yaml$
key_groups:
- pgp:
- *admin_alice
age:
- *artemision
- path_regex: systems/palatine-hill/docker/wg/.*\.conf$
key_groups:
- pgp:
- *admin_alice
age:
- *palatine-hill

4
.vscode/settings.json vendored
View File

@@ -1,7 +1,5 @@
{
"cSpell.enableFiletypes": [
"nix"
],
"cSpell.enableFiletypes": ["nix"],
"cSpell.words": [
"aarch",
"abmlevel",

18
docs/CONTRIBUTING.md
View File

@@ -40,12 +40,12 @@ and will eventually trip a check when merging to main.
| Branch Name | Use Case |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| main | protected branch which all machines pull from, do not try to push directly |
| feature/\<item> | \<item> is a new feature added to the repo, for personal or common use |
| fixup/\<item> | \<item> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item> | \<item> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item> | \<item> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item> | \<item> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
| feature/\<item\> | \<item\> is a new feature added to the repo, for personal or common use |
| fixup/\<item\> | \<item\> is a non-urgent bug, PRs merging from these branches should be merged when possible, but are not considered mission-critical |
| hotfix/\<item\> | \<item\> is a mission-critical bug, either affecting all users or a breaking change on a user's machines. These PRs should be reviewed ASAP. This is automatically subject to the [Critical Issues](#critical-issues) process |
| urgent/\<item\> | Accepted as an alias for the above, due to dev's coming from multiple standards and the criticality of these issues |
| exp/\<item\> | \<item\> is a non-critical experiment. This is used for shipping around potential new features or fixes to multiple branches |
| merge/\<item\> | \<item\> is a temporary branch and should never be merged directly to main. This is solely used for addressing merge conflicts which are too complex to be merged directly on branch |
### Review Process
@@ -94,11 +94,11 @@ rules.
PR has been tested on at least one machine
- Issues which bypass the quorum process must have a second reviewer tagged
- All critical issues which bypass the approval process must have an RCA issue
opened and the RCA logged into the `inc/` folder
opened and the RCA logged into the `inc/` folder
- The second reviewer has 2 weeks to retroactively review and approve the PR
- If the retro does not happen in the given window, an issue shall be opened
to either re-review the PR or to revert and replace the fix with a
permanent solution
to either re-review the PR or to revert and replace the fix with a
permanent solution
- Critical issues must be tagged to `Nix Flake Features` project, and must have
a priority of `High` and an estimate tagged. Start and end date are not needed

118
docs/sample-setup.sh
View File

@@ -1,9 +1,9 @@
#!/usr/bin/env nix
#! nix shell nixpkgs#bash nixpkgs#git --command bash
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
set -o errexit # abort on nonzero exitstatus
set -o nounset # abort on unbound variable
set -o pipefail # don't hide errors within pipes
PROCEED="N"
@@ -50,58 +50,60 @@ GITBASE="systems"
FEATUREBRANCH="feature/adding-$MACHINENAME"
if [ $PROCEED != "Y" ]; then
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
echo "PROCEED is not set correctly, please validate the below partitions and update the script accordingly"
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
if [ $CREATEPARTS = "Y" ]; then
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create partition table
sudo parted "/dev/$DRIVE" -- mklabel gpt
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create boot part
sudo parted "/dev/$DRIVE" -- mkpart ESP fat32 1MB 1024MB
sudo parted "/dev/$DRIVE" -- set 1 esp on
sudo mkfs.fat -F 32 -n NIXBOOT "/dev/${DRIVE}1"
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
# Create luks part
sudo parted "/dev/$DRIVE" -- mkpart primary ext4 1024MB 100%
sudo parted "/dev/$DRIVE" -- set 2 lvm on
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
LUKSPART="nixos-pv"
sudo cryptsetup luksFormat "/dev/${DRIVE}p2"
sudo cryptsetup luksOpen "/dev/${DRIVE}p2" "$LUKSPART"
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create lvm part
sudo pvcreate "/dev/mapper/$LUKSPART"
sudo pvresize "/dev/mapper/$LUKSPART"
sudo pvdisplay
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create volume group
sudo vgcreate "$VOLGROUP" "/dev/mapper/$LUKSPART"
sudo vgchange -a y "$VOLGROUP"
sudo vgdisplay
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create swap part on LVM
if [ $SWAPSIZE != 0 ]; then
sudo lvcreate -L "$SWAPSIZE" "$VOLGROUP" -n swap
sudo mkswap -L NIXSWAP -c "$SWAPPATH"
fi
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create home part on LVM, leaving plenty of room for snapshots
sudo lvcreate -l 50%FREE "$VOLGROUP" -n home
sudo mkfs.ext4 -L NIXHOME -c "$HOMEPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create root part on LVM, keeping in mind most data will be on /home or /nix
sudo lvcreate -L 5G "$VOLGROUP" -n root
sudo mkfs.ext4 -L NIXROOT -c "$ROOTPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
# Create nix part on LVM
sudo lvcreate -L 100G "$VOLGROUP" -n nix-store
sudo mkfs.ext4 -L NIXSTORE -c "$NIXSTOREPATH"
sudo lvdisplay
sudo lvdisplay
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
lsblk -ao NAME,FSTYPE,FSSIZE,FSUSED,SIZE,MOUNTPOINT
fi
# Mount partitions
@@ -114,7 +116,7 @@ sudo mount $BOOTPART /mnt/boot
# Enable swap if SWAPSIZE is non-zero
if [ $SWAPSIZE != 0 ]; then
sudo swapon "/dev/$VOLGROUP/swap"
sudo swapon "/dev/$VOLGROUP/swap"
fi
# Clone the repo
@@ -133,31 +135,31 @@ read -r -p "get this into github so you can check everything in, then hit enter
cat "$DOTS/id_ed25519_ghdeploy.pub"
if [ $SOPS == "Y" ]; then
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Create ssh host-keys
sudo ssh-keygen -A
sudo mkdir -p /mnt/etc/ssh
sudo cp "/etc/ssh/ssh_host_*" /mnt/etc/ssh
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Get line where AGE comment is and insert new AGE key two lines down
AGELINE=$(grep "Generate AGE keys from SSH keys with" "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+2)}')
AGEKEY=$(nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age')
sudo sed -i "${AGELINE}i\\ - &${MACHINENAME} $AGEKEY\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add server name
SERVERLINE=$(grep 'servers: &servers' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
sudo sed -i "${SERVERLINE}i\\ - *${MACHINENAME}\\" "$DOTS/.sops.yaml"
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
# Add creation rules
CREATIONLINE=$(grep 'creation_rules' "$DOTS/.sops.yaml" -n | awk -F ':' '{print ($1+1)}')
# TODO: below was not working when last attempted
read -r -d '' PATHRULE <<-EOF
- path_regex: $GITBASE/$MACHINENAME/secrets\.yaml$
key_groups:
- pgp: *$OWNERORADMINS
age:
- *$MACHINENAME
EOF
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
sudo sed -i "${CREATIONLINE}i\\${PATHRULE}\\" "$DOTS/.sops.yaml"
fi
read -r -p "press enter to continue"

208
flake.lock generated
View File

@@ -78,11 +78,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1742773104,
"narHash": "sha256-dAhrL+gEjNN5U/Sosy7IrX0Y0qPA0U7Gp9TBhqEliNU=",
"lastModified": 1740974607,
"narHash": "sha256-YbAnhXYYOjG8OHX7v4BGj/tDQiFgkwe4JsqCjbFYjB0=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "d74460da63a8c08a69a1f143b04f2ab1a6b2f5c2",
"rev": "093c063a23aa38f31082a554f03899127750aee3",
"type": "gitlab"
},
"original": {
@@ -95,11 +95,11 @@
"firefox-gnome-theme": {
"flake": false,
"locked": {
"lastModified": 1741628778,
"narHash": "sha256-RsvHGNTmO2e/eVfgYK7g+eYEdwwh7SbZa+gZkT24MEA=",
"lastModified": 1739223196,
"narHash": "sha256-vAxN2f3rvl5q62gQQjZGVSvF93nAsOxntuFz+e/655w=",
"owner": "rafaelmardojai",
"repo": "firefox-gnome-theme",
"rev": "5a81d390bb64afd4e81221749ec4bffcbeb5fa80",
"rev": "a89108e6272426f4eddd93ba17d0ea101c34fb21",
"type": "github"
},
"original": {
@@ -127,11 +127,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1741352980,
"narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"lastModified": 1740872218,
"narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"rev": "3876f6b87db82f33775b1ef5ea343986105db764",
"type": "github"
},
"original": {
@@ -232,11 +232,11 @@
]
},
"locked": {
"lastModified": 1741379162,
"narHash": "sha256-srpAbmJapkaqGRE3ytf3bj4XshspVR5964OX5LfjDWc=",
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "b5a62751225b2f62ff3147d0a334055ebadcd5cc",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"type": "github"
},
"original": {
@@ -312,11 +312,11 @@
]
},
"locked": {
"lastModified": 1742957044,
"narHash": "sha256-gwW0tBIA77g6qq45y220drTy0DmThF3fJMwVFUtYV9c=",
"lastModified": 1740845322,
"narHash": "sha256-AXEgFj3C0YJhu9k1OhbRhiA6FnDr81dQZ65U3DhaWpw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "ce287a5cd3ef78203bc78021447f937a988d9f6f",
"rev": "fcac3d6d88302a5e64f6cb8014ac785e08874c8d",
"type": "github"
},
"original": {
@@ -325,29 +325,6 @@
"type": "github"
}
},
"hydra": {
"inputs": {
"nix": "nix",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1740884653,
"narHash": "sha256-L0eN/hFRH1JSDvmuBOXBfETU07WckA7b3UFxHRVdp3M=",
"owner": "fx-chun",
"repo": "hydra",
"rev": "99e3ad325cb829ff10a024659fd1b62316c06a1f",
"type": "github"
},
"original": {
"owner": "fx-chun",
"ref": "add-gitea-pulls",
"repo": "hydra",
"type": "github"
}
},
"hyprland-contrib": {
"inputs": {
"nixpkgs": [
@@ -355,11 +332,11 @@
]
},
"locked": {
"lastModified": 1742213523,
"narHash": "sha256-I8JVdQRu8eWvY5W8XWYZkdd5pojDHkxeqQV7mMIsbhs=",
"lastModified": 1740923452,
"narHash": "sha256-iQNkVG0368H3kiwSYSs1N6sU7GhHSmx0b9y+Z+eO1+c=",
"owner": "hyprwm",
"repo": "contrib",
"rev": "bd81329944be53b0ffb99e05864804b95f1d7c65",
"rev": "6f0d5e16c534aeda47d99b4d20bb2a22bfc60c23",
"type": "github"
},
"original": {
@@ -368,59 +345,6 @@
"type": "github"
}
},
"nix": {
"inputs": {
"flake-compat": [
"hydra"
],
"flake-parts": [
"hydra"
],
"git-hooks-nix": [
"hydra"
],
"nixpkgs": [
"hydra",
"nixpkgs"
],
"nixpkgs-23-11": [
"hydra"
],
"nixpkgs-regression": [
"hydra"
]
},
"locked": {
"lastModified": 1742919147,
"narHash": "sha256-I6Oekogi6tkSrtyAbBMzjx9iKi4x0o21fdOQqVf49Qc=",
"owner": "NixOS",
"repo": "nix",
"rev": "ceec04f1e24ca34deaca26e7c9d8cd90ba38f81c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.26-maintenance",
"repo": "nix",
"type": "github"
}
},
"nix-eval-jobs": {
"flake": false,
"locked": {
"lastModified": 1739500569,
"narHash": "sha256-3wIReAqdTALv39gkWXLMZQvHyBOc3yPkWT2ZsItxedY=",
"owner": "nix-community",
"repo": "nix-eval-jobs",
"rev": "4b392b284877d203ae262e16af269f702df036bc",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-eval-jobs",
"type": "github"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
@@ -428,11 +352,11 @@
]
},
"locked": {
"lastModified": 1742701275,
"narHash": "sha256-AulwPVrS9859t+eJ61v24wH/nfBEIDSXYxlRo3fL/SA=",
"lastModified": 1740886574,
"narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "36dc43cb50d5d20f90a28d53abb33a32b0a2aae6",
"rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
"type": "github"
},
"original": {
@@ -464,11 +388,11 @@
]
},
"locked": {
"lastModified": 1742568034,
"narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
"lastModified": 1740947705,
"narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
"rev": "507911df8c35939050ae324caccc7cf4ffb76565",
"type": "github"
},
"original": {
@@ -479,11 +403,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1742806253,
"narHash": "sha256-zvQ4GsCJT6MTOzPKLmlFyM+lxo0JGQ0cSFaZSACmWfY=",
"lastModified": 1740646007,
"narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "ecaa2d911e77c265c2a5bac8b583c40b0f151726",
"rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github"
},
"original": {
@@ -502,11 +426,11 @@
]
},
"locked": {
"lastModified": 1742933600,
"narHash": "sha256-CkFIV8hyXq6q6p4rksQtlFoNyrtwXyUrY7ilCyDgEmo=",
"lastModified": 1741017582,
"narHash": "sha256-2tscHztx6UxqeQTK0U1kLM74+6mSzROMNYJpKRDLMPM=",
"owner": "SuperSandro2000",
"repo": "nixos-modules",
"rev": "6d1da83b2352ae4c72960b10154290434f5bd779",
"rev": "c7c9219eb6ff26c203d22ba733e9e988499290f0",
"type": "github"
},
"original": {
@@ -517,11 +441,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1742919349,
"narHash": "sha256-V3jQhu3s48mgGClvKkWhYM1+cSTFGFm4ztDkK7S69JY=",
"lastModified": 1740981371,
"narHash": "sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6ea2759c633a3e25f3b4e2f52fb6bf9d6a01c532",
"rev": "1d2fe0135f360c970aee1d57a53f816f3c9bddae",
"type": "github"
},
"original": {
@@ -533,31 +457,28 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1740877520,
"narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
"type": "github"
"lastModified": 1740872140,
"narHash": "sha256-3wHafybyRfpUCLoE8M+uPVZinImg3xX+Nm6gEfN3G8I=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/6d3702243441165a03f699f64416f635220f4f15.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1742751704,
"narHash": "sha256-rBfc+H1dDBUQ2mgVITMGBPI1PGuCznf9rcWX/XIULyE=",
"lastModified": 1735563628,
"narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f0946fa5f1fb876a9dc2e1850d9d3a4e3f914092",
"rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
@@ -572,11 +493,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1741693509,
"narHash": "sha256-emkxnsZstiJWmGACimyAYqIKz2Qz5We5h1oBVDyQjLw=",
"lastModified": 1740408283,
"narHash": "sha256-2xECnhgF3MU9YjmvOkrRp8wRFo2OjjewgCtlfckhL5s=",
"owner": "nix-community",
"repo": "NUR",
"rev": "5479646b2574837f1899da78bdf9a48b75a9fb27",
"rev": "496a4a11162bdffb9a7b258942de138873f019f7",
"type": "github"
},
"original": {
@@ -596,11 +517,11 @@
]
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"lastModified": 1740915799,
"narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
"type": "github"
},
"original": {
@@ -616,7 +537,6 @@
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"hydra": "hydra",
"hyprland-contrib": "hyprland-contrib",
"nix-index-database": "nix-index-database",
"nixos-generators": "nixos-generators",
@@ -639,11 +559,11 @@
]
},
"locked": {
"lastModified": 1742956365,
"narHash": "sha256-Slrqmt6kJ/M7Z/ce4ebQWsz2aeEodrX56CsupOEPoz0=",
"lastModified": 1740969088,
"narHash": "sha256-BajboqzFnDhxVT0SXTDKVJCKtFP96lZXccBlT/43mao=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a0e3395c63cdbc9c1ec17915f8328c077c79c4a1",
"rev": "20fdb02098fdda9a25a2939b975abdd7bc03f62d",
"type": "github"
},
"original": {
@@ -659,11 +579,11 @@
]
},
"locked": {
"lastModified": 1742700801,
"narHash": "sha256-ZGlpUDsuBdeZeTNgoMv+aw0ByXT2J3wkYw9kJwkAS4M=",
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "67566fe68a8bed2a7b1175fdfb0697ed22ae8852",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github"
},
"original": {
@@ -700,11 +620,11 @@
"tinted-zed": "tinted-zed"
},
"locked": {
"lastModified": 1742926290,
"narHash": "sha256-63joFDrDekkI8papsDPwObKCCYSZ7t/1t94M398BxLY=",
"lastModified": 1740959323,
"narHash": "sha256-UtSKsLCWwA4wPFm7mgl33qeu8sj0on9Hyt3YhDWWkAM=",
"owner": "danth",
"repo": "stylix",
"rev": "61a5f77f2202f3a79797089752713e16b1ab5b10",
"rev": "489833b201a84488c6b4371a261fdbcafa6abcb6",
"type": "github"
},
"original": {
@@ -780,11 +700,11 @@
"tinted-schemes": {
"flake": false,
"locked": {
"lastModified": 1741468895,
"narHash": "sha256-YKM1RJbL68Yp2vESBqeZQBjTETXo8mCTTzLZyckCfZk=",
"lastModified": 1740351358,
"narHash": "sha256-Hdk850xgAd3DL8KX0AbyU7tC834d3Lej1jOo3duWiOA=",
"owner": "tinted-theming",
"repo": "schemes",
"rev": "47c8c7726e98069cade5827e5fb2bfee02ce6991",
"rev": "a1bc2bd89e693e7e3f5764cfe8114e2ae150e184",
"type": "github"
},
"original": {
@@ -796,11 +716,11 @@
"tinted-tmux": {
"flake": false,
"locked": {
"lastModified": 1740877430,
"narHash": "sha256-zWcCXgdC4/owfH/eEXx26y5BLzTrefjtSLFHWVD5KxU=",
"lastModified": 1740272597,
"narHash": "sha256-/etfUV3HzAaLW3RSJVwUaW8ULbMn3v6wbTlXSKbcoWQ=",
"owner": "tinted-theming",
"repo": "tinted-tmux",
"rev": "d48ee86394cbe45b112ba23ab63e33656090edb4",
"rev": "b6c7f46c8718cc484f2db8b485b06e2a98304cd0",
"type": "github"
},
"original": {

13
flake.nix
View File

@@ -18,7 +18,6 @@
"nix-cache:trR+y5nwpQHR4hystoogubFmp97cewkjWeqqbygRQRs="
];
trusted-users = [ "root" ];
allow-import-from-derivation = true;
};
inputs = {
@@ -27,8 +26,7 @@
nixos-hardware.url = "github:NixOS/nixos-hardware";
#nixpkgs.url = "github:nuschtos/nuschtpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable-small";
#nixpkgs.url = "github:nixos/nixpkgs/1d2fe0135f360c970aee1d57a53f816f3c9bddae?narHash=sha256-Up7YlXIupmT7fEtC4Oj676M91INg0HAoamiswAsA3rc%3D";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.05";
systems.url = "github:nix-systems/default";
# attic = {
@@ -59,13 +57,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
hydra = {
url = "github:fx-chun/hydra/add-gitea-pulls";
inputs = {
nixpkgs.follows = "nixpkgs";
};
};
hyprland-contrib = {
url = "github:hyprwm/contrib";
inputs.nixpkgs.follows = "nixpkgs";
@@ -158,7 +149,7 @@
rec {
inherit lib; # for allowing use of custom functions in nix repl
hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
#hydraJobs = import ./hydra/jobs.nix { inherit inputs outputs systems; };
formatter = forEachSystem (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
nixosConfigurations = genSystems inputs outputs src (src + "/systems");

43
hydra/jobsets.nix
View File

@@ -1,4 +1,4 @@
{ pulls, ... }:
{ pulls, branches, ... }:
let
# create the json spec for the jobset
makeSpec =
@@ -18,7 +18,8 @@ let
};
prs = readJSONFile pulls;
# refs = readJSONFile branches;
refs = readJSONFile branches;
repo = "RAD-Development/nix-dotfiles";
# template for creating a job
makeJob =
@@ -27,7 +28,6 @@ let
keepnr ? 3,
description,
flake,
enabled ? 1,
}:
{
inherit
@@ -35,8 +35,8 @@ let
flake
schedulingshares
keepnr
enabled
;
enabled = 1;
type = 1;
hidden = false;
checkinterval = 300; # every 5 minutes
@@ -44,28 +44,27 @@ let
emailoverride = "";
};
# # Create a hydra job for a branch
# jobOfRef =
# name:
# { ref, ... }:
# if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
# null
# else
# {
# name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
# value = makeJob {
# description = "Branch ${name}";
# flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
# };
# };
# Create a hydra job for a branch
jobOfRef =
name:
{ ref, ... }:
if ((builtins.match "^refs/heads/(.*)$" ref) == null) then
null
else
{
name = builtins.replaceStrings [ "/" ] [ "-" ] "branch-${name}";
value = makeJob {
description = "Branch ${name}";
flake = "git+ssh://git@github.com/${repo}?ref=${ref}";
};
};
# Create a hydra job for a PR
jobOfPR = id: info: {
name = if info.draft then "draft-${id}" else "pr-${id}";
value = makeJob {
description = "PR ${id}: ${info.title}";
flake = "git+ssh://gitea@nayeonie.com:2222/${info.head.repo.full_name}?ref=${info.head.ref}";
enabled = if info.state == "open" then 1 else 0;
flake = "git+ssh://git@github.com/${info.head.repo.full_name}?ref=${info.head.ref}";
};
};
@@ -75,12 +74,12 @@ let
# wrapper function for reading json from file
readJSONFile = f: builtins.fromJSON (builtins.readFile f);
# remove null values from a set, in-case of branches that don't exist
# mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
mapFilter = f: l: builtins.filter (x: (x != null)) (map f l);
# Create job set from PRs and branches
jobs = makeSpec (
builtins.listToAttrs (map ({ name, value }: jobOfPR name value) (attrsToList prs))
# // builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
// builtins.listToAttrs (mapFilter ({ name, value }: jobOfRef name value) (attrsToList refs))
);
in
{

13
hydra/spec.json
View File

@@ -1,7 +1,7 @@
{
"enabled": 1,
"hidden": false,
"description": "ahuston-0's personal server infra",
"description": "RAD Development infrastructure",
"nixexprinput": "nixexpr",
"nixexprpath": "hydra/jobsets.nix",
"checkinterval": 60,
@@ -12,7 +12,7 @@
"type": 0,
"inputs": {
"nixexpr": {
"value": "ssh://gitea@nayeonie.com:2222/ahuston-0/nix-dotfiles.git main",
"value": "https://github.com/RAD-Development/nix-dotfiles main",
"type": "git",
"emailresponsible": false
},
@@ -22,8 +22,13 @@
"emailresponsible": false
},
"pulls": {
"type": "giteapulls",
"value": "nayeonie.com ahuston-0 nix-dotfiles https",
"type": "githubpulls",
"value": "RAD-Development nix-dotfiles",
"emailresponsible": false
},
"branches": {
"type": "github_refs",
"value": "RAD-Development nix-dotfiles heads -",
"emailresponsible": false
}
}

4
modules/update.nix
View File

@@ -10,10 +10,10 @@
};
system.autoUpgrade = {
enable = lib.mkDefault true;
enable = lib.mkDefault false;
flags = [ "--accept-flake-config" ];
randomizedDelaySec = "1h";
persistent = true;
flake = "git+ssh://nayeonie.com/ahuston-0/nix-dotfiles.git";
flake = "github:RAD-Development/nix-dotfiles";
};
}

4
shell.nix
View File

@@ -45,10 +45,6 @@ forEachSystem (
treefmt
statix
nixfmt-rfc-style
jsonfmt
mdformat
shfmt
yamlfmt
];
};
in

7
systems/artemision/configuration.nix
View File

@@ -32,7 +32,7 @@
};
boot = {
#kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
kernelPackages = lib.mkForce pkgs.linuxPackages_6_6;
useSystemdBoot = true;
default = true;
};
@@ -83,14 +83,11 @@
users.users.alice.extraGroups = [ "calibre-web" ];
system.autoUpgrade.enable = false;
system.stateVersion = "24.05";
programs.adb.enable = true;
environment.variables = {
"KWIN_DRM_NO_DIRECT_SCANOUT" = "1";
};
sops = {
defaultSopsFile = ./secrets.yaml;
#secrets = {

1
systems/artemision/desktop.nix
View File

@@ -7,7 +7,6 @@
hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
hyprlock.enable = true;
gnupg.agent = {

3
systems/artemision/programs.nix
View File

@@ -18,6 +18,8 @@
croc
deadnix
direnv
discord
discord-canary
easyeffects
eza
fanficfare
@@ -42,7 +44,6 @@
kitty
kubectl
kubernetes-helm
libreoffice-fresh
libtool
lsof
lynis

4
systems/palatine-hill/attic/sync-attic.bash
View File

@@ -2,9 +2,9 @@
#! nix shell nixpkgs#bash nixpkgs#findutils nixpkgs#attic-client --command bash
sync_directories=(
/ZFS/ZFS-primary/hydra
/ZFS/ZFS-primary/hydra
)
for dir in "${sync_directories[@]}"; do
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
find "$dir" -regex ".*\.drv$" -exec attic push cache-nix-dot '{}' \;
done

2
systems/palatine-hill/configuration.nix
View File

@@ -17,8 +17,8 @@
./minio.nix
./networking.nix
./nextcloud.nix
./postgresql.nix
./samba.nix
./postgresql.nix
./zfs.nix
];

75
systems/palatine-hill/docker/act-runner.nix
View File

@@ -6,7 +6,6 @@
let
vars = import ../vars.nix;
act_path = vars.primary_act;
act_config_path = ./act_config.yaml;
in
{
virtualisation.oci-containers.containers = {
@@ -21,7 +20,7 @@ in
};
ports = [ "8088:8088" ];
volumes = [
"${act_config_path}:/config.yaml"
"${act_path}/stable-latest-main/config.yaml:/config.yaml"
"${act_path}/stable-latest-main/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
@@ -43,7 +42,7 @@ in
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${./act_config.yaml}:/config.yaml"
"${act_path}/stable-latest-1/config.yaml:/config.yaml"
"${act_path}/stable-latest-1/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
@@ -65,7 +64,7 @@ in
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_config_path}:/config.yaml"
"${act_path}/stable-latest-2/config.yaml:/config.yaml"
"${act_path}/stable-latest-2/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
@@ -76,6 +75,72 @@ in
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-3 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_path}/stable-latest-3/config.yaml:/config.yaml"
"${act_path}/stable-latest-3/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-3";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-4 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_path}/stable-latest-4/config.yaml:/config.yaml"
"${act_path}/stable-latest-4/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-4";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
act-stable-latest-5 = {
image = "gitea/act_runner:latest";
extraOptions = [
"--stop-signal=SIGINT"
];
labels = {
"com.centurylinklabs.watchtower.enable" = "true";
"com.centurylinklabs.watchtower.scope" = "act-runner";
};
volumes = [
"${act_path}/stable-latest-5/config.yaml:/config.yaml"
"${act_path}/stable-latest-5/data:/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
CONFIG_FILE = "/config.yaml";
GITEA_RUNNER_NAME = "stable-latest-5";
};
environmentFiles = [ config.sops.secrets."docker/act-runner".path ];
log-driver = "local";
};
};
systemd = {
@@ -103,9 +168,7 @@ in
"docker/act-runner" = {
owner = "root";
restartUnits = [
"docker-act-stable-latest-main.service"
"docker-act-stable-latest-1.service"
"docker-act-stable-latest-2.service"
];
};
};

95
systems/palatine-hill/docker/act_config.yaml
View File

@@ -1,95 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: debug
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 1
# Extra environment variables to run jobs.
envs:
A_TEST_ENV_NAME_1: a_test_env_value_1
A_TEST_ENV_NAME_2: a_test_env_value_2
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 3h
# The timeout for the runner to wait for running jobs to finish when shutting down.
# Any running jobs that haven't finished after this timeout will be cancelled.
shutdown_timeout: 30m
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
# Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file.
labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
#cache:
# Enable cache server to use actions/cache.
#enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
#dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
#host: ""
# The port of the cache server.
# 0 means to use a random available port.
#port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
#external_server: ""
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: ""
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options:
# The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed.
# For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes: []
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: true
# Rebuild docker image(s) even if already present
force_rebuild: false
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

22
systems/palatine-hill/docker/default.nix
View File

@@ -31,47 +31,47 @@
default-address-pools = [
{
base = "169.254.2.0/23";
size = 28;
size = "28";
}
{
base = "169.254.4.0/22";
size = 28;
size = "28";
}
{
base = "169.254.8.0/21";
size = 28;
size = "28";
}
{
base = "169.254.16.0/20";
size = 28;
size = "28";
}
{
base = "169.254.32.0/19";
size = 28;
size = "28";
}
{
base = "169.254.64.0/18";
size = 28;
size = "28";
}
{
base = "169.254.128.0/18";
size = 28;
size = "28";
}
{
base = "169.254.192.0/19";
size = 28;
size = "28";
}
{
base = "169.254.224.0/20";
size = 28;
size = "28";
}
{
base = "169.254.240.0/21";
size = 28;
size = "28";
}
{
base = "169.254.248.0/22";
size = 28;
size = "28";
}
];
mtu = 9000;

74
systems/palatine-hill/docker/minecraft.nix
View File

@@ -9,31 +9,31 @@ let
divinejourney = "dj.alicehuston.xyz";
rlcraft = "rlcraft.alicehuston.xyz";
arcanum-institute = "arcanum.alicehuston.xyz";
# bcg-plus = "bcg.alicehuston.xyz";
bcg-plus = "bcg.alicehuston.xyz";
};
defaultServer = "rlcraft";
# defaultEnv = {
# EULA = "true";
# TYPE = "AUTO_CURSEFORGE";
# STOP_SERVER_ANNOUNCE_DELAY = "120";
# STOP_DURATION = "600";
# SYNC_CHUNK_WRITES = "false";
# USE_AIKAR_FLAGS = "true";
# MEMORY = "8GB";
# ALLOW_FLIGHT = "true";
# MAX_TICK_TIME = "-1";
# };
defaultEnv = {
EULA = "true";
TYPE = "AUTO_CURSEFORGE";
STOP_SERVER_ANNOUNCE_DELAY = "120";
STOP_DURATION = "600";
SYNC_CHUNK_WRITES = "false";
USE_AIKAR_FLAGS = "true";
MEMORY = "8GB";
ALLOW_FLIGHT = "true";
MAX_TICK_TIME = "-1";
};
# defaultOptions = [
# "--stop-signal=SIGTERM"
# "--stop-timeout=1800"
# "--network=minecraft-net"
# ];
defaultOptions = [
"--stop-signal=SIGTERM"
"--stop-timeout=1800"
"--network=minecraft-net"
];
# vars = import ../vars.nix;
# minecraft_path = "${vars.primary_games}/minecraft";
vars = import ../vars.nix;
minecraft_path = "${vars.primary_games}/minecraft";
in
{
virtualisation.oci-containers.containers = {
@@ -67,24 +67,24 @@ in
# log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
# };
# bcg-plus = {
# image = "itzg/minecraft-server:java17";
# volumes = [
# "${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
# "${minecraft_path}/bcg-plus/data:/data"
# ];
# hostname = "bcg-plus";
# environment = defaultEnv // {
# VERSION = "1.17";
# CF_SLUG = "bcg";
# DIFFICULTY = "normal";
# DEBUG = "true";
# # ENABLE_COMMAND_BLOCK = "true";
# };
# extraOptions = defaultOptions;
# log-driver = "local";
# environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
# };
bcg-plus = {
image = "itzg/minecraft-server:java17";
volumes = [
"${minecraft_path}/bcg-plus/modpacks:/modpacks:ro"
"${minecraft_path}/bcg-plus/data:/data"
];
hostname = "bcg-plus";
environment = defaultEnv // {
VERSION = "1.17";
CF_SLUG = "bcg";
DIFFICULTY = "normal";
DEBUG = "true";
# ENABLE_COMMAND_BLOCK = "true";
};
extraOptions = defaultOptions;
log-driver = "local";
environmentFiles = [ config.sops.secrets."docker/minecraft".path ];
};
};
sops = {

2
systems/palatine-hill/docker/nextcloud.nix
View File

@@ -100,7 +100,7 @@ in
};
"docker/collabora" = {
owner = "www-data";
restartUnits = [ "docker-collabora-code.service" ];
restartUnits = [ "docker-collabora.service" ];
};
};
};

4
systems/palatine-hill/docker/watchtower.bash
View File

@@ -6,8 +6,8 @@ outdated_msg="Project code is out of date and needs to be upgraded. To remedy th
label="$1"
label_val="$2"
if (($# != 2)); then
echo "usage: $0 label label_value"
if (( $# != 2 )); then
echo "usage: $0 label label_value"
fi
containers=$(docker ps --format '{{.Names}}' -f "label=${label}=${label_val}")

4
systems/palatine-hill/hydra.nix
View File

@@ -1,6 +1,7 @@
{
config,
inputs,
lib,
pkgs,
...
}:
let
@@ -42,7 +43,6 @@ in
services = {
hydra = {
enable = true;
package = inputs.hydra.packages.x86_64-linux.hydra;
hydraURL = "https://hydra.alicehuston.xyz";
smtpHost = "alicehuston.xyz";
notificationSender = "hydra@alicehuston.xyz";

6
systems/palatine-hill/secrets.yaml
View File

@@ -27,8 +27,6 @@ acme:
dnsimple: ENC[AES256_GCM,data:37FKyBibFtXZgI4EduJQ0z8F+shBc5Q6YlLa3YkVPh9XuJVS20eybi75bfJxiozcZ9d+YRaqcbkBQCSdFOCotDU=,iv:oq3JjqbfAm2C4jcL1lvUb2EOmnwlR07vPoO8H0BmydQ=,tag:E3NO/jMElL6Q817666gIyg==,type:str]
server-validation:
webhook: ENC[AES256_GCM,data:Lwqy4UhyFutpXjai7EJPKp8MDlI+ayDna4T8jluvC6qkeJ7o1UaaDCOsgLy4Fw7LC77tXhJtkcmep9w37JaiHp2CoDOfy2iAaq8o9CCSi/a0zqMJx+HdZYZNemvmpc6E/be0K+JDrFZLbjr3unSpCidQ3whccC6XyY013R12swN3bFZIu1gtzXCgUZ4U,iv:pVbrRwH3ziu4+R5BfimPV7N71QmyerJEc9M5K4eofOc=,tag:zNrCXrIioQWPEPVz/wMDpQ==,type:str]
typhon:
hashedPassword: ENC[AES256_GCM,data:gMyY8gxUn3HzycQRu2cminqRFWghqWcjzZzTxAQZ5PJqn604iSwDiVdr7icHB7drJfCAfsE7L4oKRJgxaIAE32043oOkb2T7DDH8y2jxMzqmZCfbvrfMI4wdfRTHGqzxb6X/aZ5ai2rr1Q==,iv:4EsTo/lQld0o9iktDX9gobMlPUCitx1i9wn8EL16sIs=,tag:FgVDRHk2glDwpC/mprrPqQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -44,8 +42,8 @@ sops:
cXNZWmZqd0R0SmhINExscHBKWmxvblUKEFEQvt/zQFARba4S8vHz/1SoKdKg69At
LZ58XQGOmlGbBhPr7EzYQ2XSY4flWbnnD174cmCR8DNFm15DsNA5fw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-26T05:47:58Z"
mac: ENC[AES256_GCM,data:ZP9HglMmn9FDv6/vtQAxz/qP76QniPqM6bzMQVvVU/OhDmjuneGKZY7d1Es7LC9o5qmJ+T3Dh3/bkmuRdgdnd2TO6iuvM++DEPxwnoHis+0lbMxv5a6ibzvoXXm2CrL4HPETqLKbLahGJRmDNgnkCEWxAs16zrqe5kgDpD53R5c=,iv:DcCXNGyb41ToV9uSnrnrl0dWiw2pvykM8z86Yk814P4=,tag:T9PFl48qABwBSy7vIhSmLA==,type:str]
lastmodified: "2025-03-04T04:53:14Z"
mac: ENC[AES256_GCM,data:MCucwVPGRMA/hGYS7mwSppkZAQ3wjHJnyeSvSI8YOOD0Xq7mvkMSvKctFHl6h4Cx3ubRvVHf5j35/NQxb+/VhhCPAHWDbqq9O2N0aWhAeybCu0IjruKrJhs76KsXJnNZ9REQQnS1/TNquuvj9FCoqDnrQcFs7M0KJ5m3eUU2h2k=,iv:ZJGJ8CTA8K5FnoKtbogleksB8wDcZtknO07M07Dmpsc=,tag:GMUXJD4U8KQgy9rvzEAMuw==,type:str]
pgp:
- created_at: "2024-11-28T18:56:39Z"
enc: |-

17
systems/palatine-hill/typhon.nix
View File

@@ -1,17 +0,0 @@
{ config, ... }:
let
vars = import ./vars.nix;
typhon_path = vars.primary_typhon;
in
{
services.typhon = {
enable = true;
hashedPasswordFile = config.sops.secrets."typhon/hashedPassword".path;
home = typhon_path;
};
sops.secrets = {
"typhon/hashedPassword".owner = "root";
};
}

18
treefmt.toml
View File

@@ -12,21 +12,3 @@ command = "nixfmt"
#options = []
# Glob pattern of files to include
includes = [ "*.nix" ]
[formatter.jsonfmt]
command = "jsonfmt"
excludes = []
includes = ["*.json"]
options = ["-w"]
[formatter.shfmt]
command = "shfmt"
excludes = []
includes = ["*.sh", "*.bash", "*.envrc", "*.envrc.*"]
options = ["-i", "2", "-s", "-w"]
[formatter.yamlfmt]
command = "yamlfmt"
excludes = []
includes = ["*.yaml", "*.yml"]
options = ["-formatter","indent=4"]

1
users/alice/home.nix
View File

@@ -16,7 +16,6 @@
./home/gammastep.nix
./home/doom
./home/hypr
./home/waybar.nix
./non-server.nix
];

1
users/alice/home/hypr/default.nix
View File

@@ -8,7 +8,6 @@
{
xdg.configFile = {
"hypr/hyprland.conf".source = ./hyprland.conf;
"hypr/show-hide.sh".source = ./show-hide.sh;
};
imports = [

8
users/alice/home/hypr/hypridle.nix
View File

@@ -18,14 +18,14 @@
listener = [
{
timeout = 150; # 2.5min.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -r"; # monitor backlight restore.
on-timeout = "brightnessctl -s set 1"; # set monitor backlight to minimum, avoid 0 on OLED monitor.
on-resume = "brightnessctl -r"; # monitor backlight restore.
}
# turn off keyboard backlight, comment out this section if you dont have a keyboard backlight.
{
timeout = 150; # 2.5min.
on-timeout = "${pkgs.brightnessctl}/bin/brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
on-resume = "${pkgs.brightnessctl}/bin/brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
on-timeout = "brightnessctl -sd rgb:kbd_backlight set 0"; # turn off keyboard backlight.
on-resume = "brightnessctl -rd rgb:kbd_backlight"; # turn on keyboard backlight.
}
{
timeout = 300; # 5min

7
users/alice/home/hypr/hyprland.conf
View File

@@ -22,9 +22,6 @@ monitor=,preferred,auto,auto
# exec-once = waybar & hyprpaper & firefox
exec-once = wired &
exec-once = wired
exec-once = systemctl --user start polkit-gnome-authentication-agent-1.service
# Source a file (multi-file configs)
# source = ~/.config/hypr/myColors.conf
@@ -210,7 +207,3 @@ bind = $mainMod, P, exec, bwm
# lock screen
bind = $mainMod, L, exec, loginctl lock-session
# hide active window
bind = $mainMod,H,exec,/home/alice/config/hypr/hide_unhide_window.sh h
# show hide window
bind = $mainMod,I,exec,/home/alice/config/hypr/hide_unhide_window.sh s

9
users/alice/home/hypr/hyprlock.nix
View File

@@ -11,8 +11,7 @@
settings = {
general = {
immediate_render = true;
# disabling as config doesn't exist
#no_fade_in = true;
no_fade_in = true;
};
background = {
monitor = "";
@@ -55,8 +54,7 @@
dots_spacing = 0.15; # Scale of dots' absolute size, -1.0 - 1.0
dots_center = false;
dots_rounding = -1; # -1 default circle, -2 follow input-field rounding
# disabling as config doesn't exist
# dots_fade_time = 200; # Milliseconds until a dot fully fades in
dots_fade_time = 200; # Milliseconds until a dot fully fades in
dots_text_format = ""; # Text character used for the input indicator. Leave empty for a rectangle that will be rounded via dots_rounding (default).
# disabling due to stylix
# outer_color = "rgb(151515)";
@@ -72,8 +70,7 @@
#fail_color = "rgb(204, 34, 34)"; # if authentication failed, changes outer_color and fail message color
fail_text = "<i>$FAIL <b>($ATTEMPTS)</b></i>"; # can be set to empty
fail_timeout = 2000; # milliseconds before fail_text and fail_color disappears
# disabling as config doesn't exist
#fail_transition = 300; # transition time in ms between normal outer_color and fail_color
fail_transition = 300; # transition time in ms between normal outer_color and fail_color
capslock_color = -1;
numlock_color = -1;
bothlock_color = -1; # when both locks are active. -1 means don't change outer color (same for above)

25
users/alice/home/hypr/show-hide.sh
View File

@@ -1,25 +0,0 @@
#!/usr/bin/env bash
stack_file="/tmp/hide_window_pid_stack.txt"
function hide_window() {
pid=$(hyprctl activewindow -j | jq '.pid')
hyprctl dispatch movetoworkspacesilent "88,pid:$pid"
echo "$pid" >>$stack_file
}
function show_window() {
pid=$(tail -1 $stack_file && sed -i '$d' $stack_file)
[ -z "$pid" ] && exit
current_workspace=$(hyprctl activeworkspace -j | jq '.id')
hyprctl dispatch movetoworkspacesilent "$current_workspace,pid:$pid"
}
if [ -n "$1" ]; then
if [ "$1" == "h" ]; then
hide_window >>/dev/null
else
show_window >>/dev/null
fi
fi

40
users/alice/home/waybar.json
View File

@@ -1,40 +0,0 @@
[
{
"height": 20,
"layer": "top",
"position": "top",
"output": [
"eDP-2",
"eDP-1",
"HDMI-0",
"DP-0"
],
"hyprland/workspaces": {
"active-only": true,
"all-outputs": false,
"show-special": true,
"move-to-monitor": true,
"format": "{icon} {windows}",
"format-window-separator": " ",
"format-icons": {
"1": "󰎤",
"2": "󰎧",
"3": "󰎪",
"default": "",
"empty": "󱓼",
"urgent": "󱨇"
},
"persistent-workspaces": {
"1": "HDMI-0"
},
"on-scroll-down": "hyprctl dispatch workspace e-1",
"on-scroll-up": "hyprctl dispatch workspace e+1",
"window-rewrite": {
"title<Steam>": ""
},
"window-rewrite-default": "",
"window-rewrite-separator": " ",
"sort-by": "number"
}
}
]

2
users/alice/home/waybar.nix
View File

@@ -2,6 +2,6 @@
lib.mkIf (!machineConfig.server) {
programs.waybar = {
enable = true;
settings = builtins.fromJSON (builtins.readFile ./waybar.json);
#settings = builtins.fromJSON (import ./waybar.json);
};
}

1
users/alice/home/zsh.nix
View File

@@ -4,6 +4,7 @@
programs.zsh = {
enable = true;
# autosuggestion.enable = true;
oh-my-zsh = {
enable = true;
plugins = [

1
users/alice/non-server.nix
View File

@@ -64,6 +64,5 @@
zathura
obsidian
libreoffice-qt-fresh
wlr-randr
];
}

9
users/alice/secrets.yaml
View File

@@ -2,13 +2,12 @@ alice:
user-password: ENC[AES256_GCM,data:+cM85X1vapqfQdJ+Dv6YvT5qHlvsmaXPRbvKRHtCkPT3wdw4f7tLHLFmvWnak7CRezI00PxVEtCZL5mqLyN2HaU4OqIk/9fgqczIzemwBlMGJt+ndwG4oqBqE0ymtzmy8MA59wonRqoxzYKQfAGQsprdCIovrg==,iv:BtSDBgvQeZdTY1KUClnt9V8qHcS/gouaaQw342tk4Sg=,tag:T7tzyKuCo83s78ca7f4KDQ==,type:str]
#ENC[AES256_GCM,data:6+dLs8opC27IrHJCPfL2c7KiLbaQTqI6oRKpIZLR4+P9gTupziAhCm/G7RY01gVPSgxdBpJ6L4xVbcMEg9hDKBMI4naF9arNrFsV6WXNc+LA5BYyT9L9G1nDea8fPFYDSF2537eLgLqWNE1WSsUOrz/WOxbE6g==,iv:AxsdKmGz6qEYlWY08q/2hqsm0EXaqodwD/7OJg4FAIY=,tag:EgfL3I1VBXtFgIdTOW5eBA==,type:comment]
#ENC[AES256_GCM,data:vUMcowHjlQA0RWflfaQhZKkalO39epYi6N9PPW8=,iv:6DFqHlQR+mi+ZkfMUhlhwvpMwnxXNfQV6+sYgPzSj4I=,tag:Pz1zJayscGckPO8Q2ZVb4g==,type:comment]
gha-hydra-token: ENC[AES256_GCM,data:CXdOiW9oYaVj4oqfiXSz9O9xIsB5ZyUac2WFSFD1ankZpnmQpv9TwolJxb6h8r+UM7Q9QzCCWk7KHe80lolZhpHa79bpcj+wt9v51ydj0Zy+3sufHS+JnGwmqBbw6dVqJ2uBr4nW2NADzHEbG8N367uKYEq2vazB4y02JiopXL8DHsYcx+Z4u7GJC/gYbpm9vnt8OVdYmfYRQ9BGSiaJOghDzpmCisEZdLpCLXM3cULn8yVUXIFWx8yF/6JrWN+myeoZiUFCL2sZmeSIswFg9kwBKXIsjBrz+EDXZzDCEr88UrEJ0j2+egsrG9BNlstVwC8oscYdbXWmYUdsCBNVxK3xjJYm9gDdSyo0DfSvTzK1t+/s9L1zC8uqj2TXYdVd6QyH2TRXxiPeNLYClRHT2UljymSpIVXOn/Okuo7dte+ZZqZVndT1lwK//2y8V3Hng+5wixfFFsQAd5oJzfraRSnM+RLZtjI3TMoyc5no3pVwV6zsCqRd2nvr7gieXUMWtSLb6YrM6tvhRpeiieYUqQ8NwHV0Avqco0I838o5yywVGSnUflGxnwYoGQIX70qoTcxNPGuiiiqSynh64e3nrlC9xN6EWuFpUNVfkBibZNRi+EyDAhK7LKwiPbL2z919N54vyzzoWA1KUFqxow+JsX+Q8rpnfJtag44F5qFt3/Be5PIMYVU7acXTiVJvM3cKPMQIBPXpQFX5OshwGhttGFuB53aWPHCzlhT4NDQbcZ/rLQ3bcytVpnH55WWze0Oe0zUZYGFc/rV9Fc4QjhR7/8pAi9kGUlKy2MYBamjmnCWlOnHPIQQLpPs/oiW+,iv:KL2P3O8Fnbn56hLX8PWIrigoPTBfIvMUpizKy3C3RIA=,tag:G0M/9iT9IWUSJ5ktUc/g5A==,type:str]
gha-hydra-token: ENC[AES256_GCM,data:rYDYIn7MAF4pSZQj+Nln2z9J+AxvuSzumthL86njpKETutArrw+9iX2hHJt5t513NHH03tMtZOFqM60/pzWg4YXVQOSpQmq8QOelD7qCdfCr4Z2QSeOHqXqwKy21iWtoVbxOXWunVxLzkWMJrpHkpVsiBA75Nv66ftKEjN80QNGik6xQE1iPsCB2JHeqYNIr8gtPkCr7H5Pt4yBBO/1rsyONrbNlwmzVX78eqXxmc43XOiNVjEsk8ekJxJ9mn5S6JcPNehBcnZA0kWAIxvtDIPYKnz4YBIXoilBbjgytXL8nw3PkEX27x5yeg9KfxPxO/4CGoi5wfKsYuEynBdWbHtj6a3H0AvA9KIZzktTRNJFU3ZW8UveSCXY4YHl0NREJ8kbIUgkkE7PWeyzGenGFTPMahTA0rKSa+tWPQ1c00lvo9VS3/7pfeJfZEKS7R2xBaEDZrfffHyB5PLTQOGpWl5y40wTn4HdBlyQwoREvobOaKVZEyWtVvJcUeHDPepgEHGVDzwyTelX8Btb6ZNA0Fur8xvpkLZcLmMhbvCdkjq84ztJ36nQQ5JZthecyqcZTWPyfWtPeoUPVIaxn31oLjwsriDwdQmID6twTjC9PT8nBZD/u0JebOCdeYf8fm9q49SaN2w/ZMdSRWucHUsRXeN9O149vYoOqR28H+8v/tYJdqofJpHKrIBs=,iv:GcEV6f4rqkrpCafeaLNMqqU/vBNE0xHbqokL2gMXHYw=,tag:sCHvUgq1w8npedjIAninrA==,type:str]
wakatime-api-key: ENC[AES256_GCM,data:ITu5pRySYGCJ6q9IQ35NfpGX2FyIJRYHGDeBiq0btzIrqitxcFox1Vc=,iv:HsXpyFHV7dG5qORk26BtD+kFo4Jdq2c4fozMpoqyDfU=,tag:uaQoXvvYqNfmRXVDVH8AoQ==,type:str]
attic-nix-cache-creator: ENC[AES256_GCM,data:P0iBdy4IYrxcq7v4wTgwwZvAfVdRFo08pi0zvpY9cP9BDCwbBnp+3qDKWL29rC7OxsaLtmRkvPmbkF3ZX3Yu5OaptwVg2Xi0vNqhk3gu5Fdj8ygPigB0ZtimkfWv1QkctoVoXKXuLv6Xd4XKPCWOOIekWlJsBRcyfyzkyFURkU9tBBkXyEAWItho/J8hJr6r00eA3EN4rTe8Ge+PGpfTfpZVpnoGrC35xPnGLq19+b44DectHDTkMZrZKxiCaVIgKUZDLaFgi6a6PsX+L1HQAIZukXJu3m4BPdvzzby+zgX24pVJOYjAUB2BwO9jUlMS6+7qo0p6k01uLicryfKx/ajdAHcy39tFHX7naA4JriC2/FgI2HlFGp0Lc+g0pfdCYwLs5QBfRaOHyrbFWUDG,iv:OBrgnewqBaug00ygAXs0eFs3LqcHqo1EW96N5I38A0o=,tag:V+Gn47O6AH1RwL9qJLpAkw==,type:str]
attic-nix-cache-reader: ENC[AES256_GCM,data:DWIkRri3lHJOVXIAbHWJL7cCV4FHjB91bbpPAib/5ZDKap3xjnxUjwswc7wjO1hCoV3+gmep1a64kma6MJts4bcAug5bPyrrPy//rVpCYvSbSmbPz5k4sW5GLU/Sf4NyBevsQo9KRrphpoSUQEFQB27vabYDjjkB051/qJo1B9B7nqmrSyd3np4YdyHAgUiMyJt0oqx8nXySz3XZU+DIM8/OhMZILpnEWIgyP2K7j8JNNpZZJ5sD/icUy6Vba/4LcKjtmYtfQ+HO1soyF6aMiQSjhp7fzJHktwa9kgB3oDzIg3KyCJYS2RNW7mW9Dd1T,iv:fvhGFU22KgknMpJbOkA3v29bKzRVX6hi7V7xJgSUjPg=,tag:TjGSUl0XXS7jlhP/NG4cvQ==,type:str]
attic-nix-cache-writer: ENC[AES256_GCM,data:vxSeys7EJDyatZFpeyxeDzaKGqDtm3atpVly6+BPHUFTrlLaVl86roGZjpBB9wwOMuP007qJNva0HQcTONbSyNw/snUU5JpaFWLT87Eu81V8gdulzHwm61caQ4A/e1ylKkdtwalNymBSyWi9b+SOWXTgralrg9L3OHw+nVuZaAi8QXF2ImLoZ2vXl7MGNXParflV2KK2uqfRatDZMbSSFipT0tQpkNTBTA6l8woILK3BKrHdYq+D8n4EmRowSuMWuN1uknyctb4+Ap3AeBITvyJjKejocQ9qK9plP6CChiC4Z1mmt/HOrfXYXiJO+Va64rOYRywMga8=,iv:bAx7iR24dpIOudkiFOc/xmIG73rcaMDdhWjiBO4BsBM=,tag:gtTyldhdRV97YJREG5lPjA==,type:str]
attic-nix-cache-admin: ENC[AES256_GCM,data:OP02nJTo0cx8M9cR+P7cpI1gEXCKqXWehlaL+dYGwGSUnQ6iSC25vpdZ5SSnjyhiBZe+VnYld+b5PO+OOt7NMGxVvQ0zcuvrG7qfhEpIfGrbx9S9cEV2eAMchG/Hua609MUTbFYKvpwWw6tFZD2dYYQv2gXI7mYSeN0Tw4i2x1f/+cKDtV+ak+UHRgEe/f5OdE8v5I6dRXUQGVOBSRAQkfYDFuI2JUz4oNJsz66YkdMtgudhqWi4mekODD3v2Gcg/zAv1PogaHaIH1BHNvLQ/DsNVcvLsnTb6inM3cTCyPpHcx+VwPO7g9kYNV8xcCRkAIvX6aFzRVT0tJcEXFWStMnKS8nr8HoKFQ==,iv:ftmN3jK5qa6SwrSyhhL3PZls2hTG6xGa0LW7ycdkYxQ=,tag:TQCELzJQjsMfAJseZ7tB4w==,type:str]
gitea-actions-token: ENC[AES256_GCM,data:QTEPMAh1RWWJ/O3yhkQkEBTdVL8XhIRGCDbiM0lLjfILKF4SpSJ2sA==,iv:mBaaB1JHb2KVc9n2pdeX4pSMvb7q5z3joMT7rR5Whgs=,tag:ef+58SI4AUeqUsk3RVDsRQ==,type:str]
sops:
kms: []
gcp_kms: []
@@ -42,8 +41,8 @@ sops:
ZERFTlFyNjhOb3VCaW43ZXFHT1Vxc0UK7YV+BU7dCEOZxpqkQA394eDsnthvorj6
7bqrCdeU+6DU7DmFs6++BrNO2tx8vvOa1im+ZGrM/gZAJdv/7R2d6Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-26T15:28:13Z"
mac: ENC[AES256_GCM,data:BfEahKHAcnLc/PSagENBIVwxufJrjpMSC6U4hkkxNwcEJYDNAlrF0w00aiexLeX+UfVGIw19+SrNL5zuecEf+GaYzYNy9RE3c66KUM2B/cpuBuzkiwLaBCTfcWr7k8dW11BGFCmugRSG4w6wXKG5B/LyEKB6Vcvp0JRbCYSqZSY=,iv:97UzvdvQCtTLaLDrg6VEwiofHtSPGtaxuPLHfTAyIFA=,tag:r4r45OaV9ZRDzd56RGLFZw==,type:str]
lastmodified: "2025-01-26T04:17:36Z"
mac: ENC[AES256_GCM,data:BJ5d3iqdIBwqtnYOYfmsFqnJDXz67uzJ4UKWrjVUEgr4Nc95tE8mEyV40poZk/wAJGJMSDdRhsPmZI4H1xztkjkTsUCUJ2rR+SZ6gP1VhSEXu7bSvv63+bnajZQi9kZrfN0EZN8TLzzVHVvSVHcNEfbq9STWkZq6zCk9E2cUfhk=,iv:MQ/lQkNi/S3bfz1PegcVfwy06RsxdQwZIU6sdOjkhgU=,tag:l5tK1SUwjTolliPkbfNDHg==,type:str]
pgp:
- created_at: "2024-09-05T06:10:22Z"
enc: |-
@@ -58,4 +57,4 @@ sops:
-----END PGP MESSAGE-----
fp: 5EFFB75F7C9B74EAA5C4637547940175096C1330
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.9.3

14
utils/attic-push.bash
View File

@@ -11,16 +11,18 @@ set -e
# | jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
# retrieve all paths
nix_paths=$(nix path-info --json --all --closure-size |
jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' |
jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
nix_paths=$(nix path-info --json --all --closure-size \
| jq 'map_values(.closureSize | select(true)) | to_entries | sort_by(.value)' \
| jq 'map(.key) | join("\n")' | sed -E -e 's/\\n/\n/g;s/^"//g;s/"$//g')
readarray -t nix_path_array < <(echo "$nix_paths")
batchsize=1000
for ((i = 0; i < ${#nix_path_array[@]}; i += batchsize)); do
part=("${nix_path_array[@]:i:batchsize}")
for((i=0; i < ${#nix_path_array[@]}; i+=batchsize))
do
part=( "${nix_path_array[@]:i:batchsize}" )
attic push nix-cache "${part[@]}"
attic push nix-cache "${part[@]}"
done

52
utils/attic-token.bash
View File

@@ -1,8 +1,8 @@
#!/usr/bin/env bash
if (($# != 3)); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1
if (( $# != 3 )); then
echo "usage: $0 <cache/cache group> <cache pattern> <token type>"
exit 1
fi
cache="$1"
@@ -10,27 +10,27 @@ cache_pattern="$2"
token_type="$3"
case $token_type in
"cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;;
"admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern"
;;
"writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern"
;;
"reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;;
*)
echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader"
exit 1
;;
"cache-creator")
atticd-atticadm make-token --sub "$cache-cache-creator" --validity "1y" \
--pull "$cache_pattern" --push "$cache_pattern" --delete "$cache_pattern" \
--create-cache "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern" --destroy-cache "$cache_pattern"
;;
"admin")
atticd-atticadm make-token --sub "$cache-admin" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern" --configure-cache "$cache_pattern" \
--configure-cache-retention "$cache_pattern"
;;
"writer")
atticd-atticadm make-token --sub "$cache-writer" --validity "1y" --pull "$cache_pattern" \
--push "$cache_pattern"
;;
"reader")
atticd-atticadm make-token --sub "$cache-reader" --validity "1y" --pull "$cache_pattern"
;;
*)
echo "invalid token type: $token_type"
echo "available options: cache-creator, admin, writer, reader"
exit 1
;;
esac

4
utils/eval-to-drv.sh
View File

@@ -8,8 +8,8 @@ set -v
set -e
if [ "$#" -ne 1 ]; then
echo "$0 (pre|post)"
exit 1
echo "$0 (pre|post)"
exit 1
fi
script_path=$(dirname "$(readlink -f $0)")

8
utils/fetch-docker.sh
View File

@@ -14,10 +14,10 @@ parent_path=$(dirname "$script_path")
# relpath is the relative path to the parent_path where you want the file written
# format: <image name>,<image tag>,<image architecture>,<os>,<relpath>
images=(
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
"nextcloud,apache,amd64,linux,/systems/palatine-hill/docker/nextcloud-image/nextcloud-apache.nix"
)
IFS=","
while read -r name tag arch os relpath; do
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet >"$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath"
done <<<"${images[@]}"
nix-prefetch-docker --image-name "$name" --image-tag "$tag" --arch "$arch" --os "$os" --quiet > "$parent_path/$relpath"
git --no-pager diff "$parent_path/$relpath"
done<<< "${images[@]}"

20
utils/sops-mergetool-new.sh
View File

@@ -2,10 +2,7 @@
# Rename CLI parameters to friendlier names
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"
base="$1"; local_="$2"; remote="$3"; merged="$4"
# Load the mergetool scripts
TOOL_MODE=merge
@@ -23,7 +20,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
handle_trap_exit () {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@@ -33,12 +30,12 @@ handle_trap_exit() {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
cp "$merged_decrypted" "$backup_decrypted"
# Set up variables for the mergetool
@@ -51,7 +48,7 @@ MERGED="$merged_decrypted"
BACKUP="$backup_decrypted"
# Override `check_unchanged` with a custom script
check_unchanged() {
check_unchanged () {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@@ -64,4 +61,5 @@ check_unchanged() {
run_merge_tool "${mergetool}" true
# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"
sops --encrypt "$merged_decrypted" > "$merged"

22
utils/sops-mergetool.sh
View File

@@ -6,10 +6,7 @@ set -x
# Rename our variables to friendlier equivalents
# https://git-scm.com/docs/gitattributes#_defining_a_custom_merge_driver
base="$1"
local_="$2"
remote="$3"
merged="$4"
base="$1"; local_="$2"; remote="$3"; merged="$4"
echo "$base"
echo "$local_"
@@ -21,7 +18,7 @@ echo "$merged"
mergetool="$(git config --get merge.tool)"
GIT_DIR="$(git --exec-path)"
if test "$mergetool" = ""; then
echo 'No default `merge.tool` was set for `git`. Please set one via `git config --set merge.tool <tool>`' 1>&2
echo "No default \`merge.tool\` was set for \`git\`. Please set one via \`git config --set merge.tool <tool>\`" 1>&2
exit 1
fi
@@ -35,7 +32,7 @@ merged_decrypted="${base_decrypted/_BASE_/_MERGED_}"
backup_decrypted="${base_decrypted/_BASE_/_BACKUP_}"
# If anything goes wrong, then delete our decrypted files
handle_trap_exit() {
handle_trap_exit () {
rm $base_decrypted || true
rm $local_decrypted || true
rm $remote_decrypted || true
@@ -45,13 +42,13 @@ handle_trap_exit() {
trap handle_trap_exit EXIT
# Decrypt our file contents
sops --decrypt --show-master-keys "$base" >"$base_decrypted"
sops --decrypt --show-master-keys "$local_" >"$local_decrypted"
sops --decrypt --show-master-keys "$remote" >"$remote_decrypted"
sops --decrypt --show-master-keys "$base" > "$base_decrypted"
sops --decrypt --show-master-keys "$local_" > "$local_decrypted"
sops --decrypt --show-master-keys "$remote" > "$remote_decrypted"
# Create a merge-diff to compare against
set +e
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" >"$merged_decrypted"
git merge-file -p "$local_decrypted" "$base_decrypted" "$remote_decrypted" > "$merged_decrypted"
set -e
cp "$merged_decrypted" "$backup_decrypted"
@@ -69,7 +66,7 @@ source "$GIT_DIR/git-mergetool--lib"
source "$GIT_DIR/mergetools/$mergetool"
# Override `check_unchanged` with a custom script
check_unchanged() {
check_unchanged () {
# If the contents haven't changed, then fail
if test "$MERGED" -nt "$BACKUP"; then
return 0
@@ -85,4 +82,5 @@ merge_cmd
set -eu
# Re-encrypt content
sops --encrypt "$merged_decrypted" >"$merged"
sops --encrypt "$merged_decrypted" > "$merged"