diff --git a/.drone.yml b/.drone.yml
deleted file mode 100644
index bce8860b..00000000
--- a/.drone.yml
+++ /dev/null
@@ -1,129 +0,0 @@ ---- -kind: pipeline -type: docker -name: update-flake - -steps: - - name: Update flake - image: nixos/nix - commands: - - echo "substituters = https://cache.nixos.org/ https://f000.backblazeb2.com/file/cache-chir-rs/" >> /etc/nix/nix.conf - - echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" >> /etc/nix/nix.conf - - echo "experimental-features = nix-command flakes ca-derivations" >> /etc/nix/nix.conf - - | - for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do - nix show-derivation -r ".#hydraJobs.$job.x86_64-linux" > ../old-$job.json - done - - nix flake update - - for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do - nix show-derivation -r ".#hydraJobs.$job.x86_64-linux" > ../new-$job.json - - nix-shell -p python3 --run "python scripts/diff-drvs.py ../old-$job.json ../new-$job.json" > ../report-$job.txt - cat ../report-$job.txt >> ../full-report.txt - done - if [ -s ../full-report.txt ]; then - echo "Automatic flake.lock update" > ../pr-message.txt - echo "" >> ../pr-message.txt - for job in nixos-8gb-fsn1-1 nutty-noon thinkrac installer nas; do - echo "## Changes for $job:" >> ../pr-message.txt - echo '```' >> ../pr-message.txt - cat ../report-$job.txt >> ../pr-message.txt - echo '```' >> ../pr-message.txt - done - else - touch ../pr-message.txt - fi - mv ../pr-message.txt . 
- - name: Push git - image: alpine:latest - commands: - - apk add git openssh git-lfs - - mkdir ~/.ssh - - echo "$SSH_KEY" > ~/.ssh/id_ed25519 - - chmod 600 ~/.ssh/id_ed25519 - - echo "git.chir.rs ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ77jA9S5qXDFGPLZRsC++AtxiXXeF8gVbkLlglx0GQ" > ~/.ssh/known_hosts - - echo "git.chir.rs ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDY0pZzNTAqaVqqfC31gYFixFs5KySv0UqvlDEAzEXJMB/pBWkE5GAd5Ik1NxD4QiAVWc2UARdmJEBbYf8mk5JiAv6fjsodJdJVRau4Ax7FtIfbxdFyzBgFery/KUnNIr6cmAWU2Af8JhzrnpEbhe5U3LftYnkdE1lI+iVqaQRARp0qikdzoAl3uMUhbdTxp1/6rtfN6bP2XZCsUx3t3W5ZG1QTQz8l7nrbXZX1TT3pZ2vcUANcMtOxEAwO6lbL210GX63C8XEoE7+4lLxRrSiaq3SkVlG07VspozKEtrrcsqCRNLebiaapmNWVoEq9Wd9VGAEjja5efyU6/HUlRogAOo1WP73UwoQLv5LTFH+ECoHhKS14xfPeXeVG8dbYyh5+CnmiVe43dH1qZw+ceYuYel31f47cAgScbxFvNkct0spK9m9mivnoUmYcxwTc+VbFbmnJvSuZw3a+OEYn9biitP/tTkYFiLZVdPZTxDkvd1oOyuVH9d4RMXbVgNS92/lr2iKFZkyhWMJ61hFMc2tupwmkp5Us5ce42XA0zC/aVY3vYoih/c5Ib0eZF1AEJdB6Bt5dWqITVsB3mip3Jn/mqVBIPTGXT6+FnGSEuL68Dj2yKBD7kj8YO/1SWpkVMy+bfoLXY/usgcaLCxpUu8dDrdrcKExLigCVbi3rdRmg7w==" >> ~/.ssh/known_hosts - - git remote set-url origin gitea@git.chir.rs:darkkirb/nixos-config.git - - git config --global 'user.email' 'gitea-bot@chir.rs' - - git config --global 'user.name' 'Gitea Bot' - - git add flake.lock - - git commit -m "Update flake" - - git push --force origin main:update-flake - environment: - SSH_KEY: - from_secret: SSH_KEY - - name: Create pull request - image: alpine:latest - commands: - - mv pr-message.txt .. 
- - apk add jq curl - - | - echo '{ "assignee": "DarkKirb", "base": "main", "head": "update-flake", "title": "Update flake" }' | jq '.body = $body' --arg body "$(cat ../pr-message.txt)" | curl -XPOST 'https://git.chir.rs/api/v1/repos/DarkKirb/nixos-config/pulls' -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer $AUTHORISATION" --data-binary @- - environment: - AUTHORISATION: - from_secret: GITEA_KEY -trigger: - event: - - cron - cron: - - updater ---- -kind: pipeline -type: docker -name: hydra-deploy - -steps: - - name: Wait for hydra job - image: alpine:latest - commands: - - apk add jq curl - - | - while true; do - if [[ $(curl https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/commits/$DRONE_COMMIT/status | jq '[.statuses[] | select(.target_url | contains("https://hydra.chir.rs/"))] | length') != 0 ]]; then - exit 0 - fi - sleep 5 - done - - name: Wait for hydra jobs to finish - image: alpine:latest - commands: - - apk add jq curl - - | - while true; do - if [[ $(curl https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/commits/$DRONE_COMMIT/status | jq '[.statuses[] | select(.target_url | contains("https://hydra.chir.rs/")) | select(.status == "pending") ] | length') == 0 ]]; then - exit 0 - fi - sleep 5 - done - - name: Deploy successful hydra jobs - image: alpine:latest - commands: - - apk add jq curl git openssh - - mkdir ~/.ssh - - echo "$SSH_KEY" > ~/.ssh/id_ed25519 - - chmod 600 ~/.ssh/id_ed25519 - - echo "git.chir.rs ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ77jA9S5qXDFGPLZRsC++AtxiXXeF8gVbkLlglx0GQ" > ~/.ssh/known_hosts - - echo "git.chir.rs ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDY0pZzNTAqaVqqfC31gYFixFs5KySv0UqvlDEAzEXJMB/pBWkE5GAd5Ik1NxD4QiAVWc2UARdmJEBbYf8mk5JiAv6fjsodJdJVRau4Ax7FtIfbxdFyzBgFery/KUnNIr6cmAWU2Af8JhzrnpEbhe5U3LftYnkdE1lI+iVqaQRARp0qikdzoAl3uMUhbdTxp1/6rtfN6bP2XZCsUx3t3W5ZG1QTQz8l7nrbXZX1TT3pZ2vcUANcMtOxEAwO6lbL210GX63C8XEoE7+4lLxRrSiaq3SkVlG07VspozKEtrrcsqCRNLebiaapmNWVoEq9Wd9VGAEjja5efyU6/HUlRogAOo1WP73UwoQLv5LTFH+ECoHhKS14xfPeXeVG8dbYyh5+CnmiVe43dH1qZw+ceYuYel31f47cAgScbxFvNkct0spK9m9mivnoUmYcxwTc+VbFbmnJvSuZw3a+OEYn9biitP/tTkYFiLZVdPZTxDkvd1oOyuVH9d4RMXbVgNS92/lr2iKFZkyhWMJ61hFMc2tupwmkp5Us5ce42XA0zC/aVY3vYoih/c5Ib0eZF1AEJdB6Bt5dWqITVsB3mip3Jn/mqVBIPTGXT6+FnGSEuL68Dj2yKBD7kj8YO/1SWpkVMy+bfoLXY/usgcaLCxpUu8dDrdrcKExLigCVbi3rdRmg7w==" >> ~/.ssh/known_hosts - - git remote set-url origin gitea@git.chir.rs:darkkirb/nixos-config.git - - | - for build in $(curl https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/commits/$DRONE_COMMIT/status | jq -r '.statuses[] | select(.target_url | contains("https://hydra.chir.rs/")) | select(.status == "success" ) | .target_url'); do - JOB_JSON=$(curl -H "Accept: application/json" $build) - PROJECT=$(echo "$JOB_JSON" | jq -r '.project') - JOBSET=$(echo "$JOB_JSON" | jq -r '.jobset' | sed 's/nixos-config-update/nixos-config/') - JOB=$(echo "$JOB_JSON" | jq -r '.job') - JOB_NAME="$PROJECT/$JOBSET/$JOB" - git branch $JOB_NAME || true - git checkout $JOB_NAME - git reset --hard $DRONE_COMMIT - git push --force -u origin $JOB_NAME - done - environment: - SSH_KEY: - from_secret: SSH_KEY -trigger: - event: - - push - branch: - - main diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml deleted file mode 100644 index 834760bc..00000000 --- a/.github/workflows/pr.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: Pull request diff -on: - pull_request: - branches: - - main -jobs: - diff-expr: - name: Diff nix expressions - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: cachix/install-nix-action@v17 - with: - extra_nix_config: | - access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} - trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28= - experimental-features = nix-command flakes ca-derivations - post-build-hook = ${{ github.workspace }}/scripts/post-build-hook - substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs - - name: Download attic - run: nix build github:DarkKirb/nix-packages#attic-client - - name: Set up secrets - run: nix run github:DarkKirb/nix-packages#attic-client -- login attic-server https://attic-nocdn.chir.rs/ "$ATTIC_TOKEN" - env: - ATTIC_TOKEN: ${{secrets.ATTIC_TOKEN}} - - run: | - - for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do - nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job" > old-$job.json - done - - echo "Difference between this PR and main:" > review - echo "" >> review - - for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do - nix show-derivation -r ".#hydraJobs.$job" > new-$job.json - - echo "## Changes for $job:" >> review - echo '```' >> review - python scripts/diff-drvs.py old-$job.json new-$job.json >> review - echo '```' >> review - done - mv review .github/workflows - - uses: harupy/comment-on-pr@master - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - filename: review 
diff --git a/.github/workflows/tailscale.yml b/.github/workflows/tailscale.yml
deleted file mode 100644
index ca2b2941..00000000
--- a/.github/workflows/tailscale.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Sync Tailscale ACLs
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
-
-jobs:
- acls:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3
-
- - name: Deploy ACL
- if: github.event_name == 'push'
- id: deploy-acl
- uses: tailscale/gitops-acl-action@v1
- with:
- api-key: ${{ secrets.TS_API_KEY }}
- tailnet: ${{ secrets.TS_TAILNET }}
- action: apply
- policy-file: config/tailscale.hujson
-
- - name: Test ACL
- if: github.event_name == 'pull_request'
- id: test-acl
- uses: tailscale/gitops-acl-action@v1
- with:
- api-key: ${{ secrets.TS_API_KEY }}
- tailnet: ${{ secrets.TS_TAILNET }}
- action: test
- policy-file: config/tailscale.hujson
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
deleted file mode 100644
index 8f267c01..00000000
--- a/.github/workflows/update.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: update
-on:
- workflow_dispatch: # allows manual triggering
- schedule:
- - cron: "49 7 * * *"
-jobs:
- flake-lock:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
- - name: Install Nix
- uses: cachix/install-nix-action@v18
- with:
- nix_path: nixpkgs=channel:nixos-unstable
- extra_nix_config: |
- access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=
- experimental-features = nix-command flakes ca-derivations
- post-build-hook = ${{ github.workspace }}/scripts/post-build-hook
- substituters = https://cache.nixos.org/ https://attic.chir.rs/chir-rs
- substituters = https://cache.nixos.org/
- - name: Set up secrets
- run: |
- echo "$NIX_CACHE_KEY" > ~/cache.key
- sudo mkdir /root/.aws
- echo "$AWS_CREDENTIALS" | sudo tee /root/.aws/credentials > /dev/null
- env:
- NIX_CACHE_KEY: ${{secrets.NIX_CACHE_KEY}}
- AWS_CREDENTIALS: ${{secrets.AWS_CREDENTIALS}}
- - name: Update flake.lock
- uses: DeterminateSystems/update-flake-lock@v14
- with:
- token: ${{ secrets.GH_TOKEN }}
diff --git a/.woodpecker/lint.yaml b/.woodpecker/lint.yaml
new file mode 100644
index 00000000..6b22e482
--- /dev/null
+++ b/.woodpecker/lint.yaml
@@ -0,0 +1,5 @@
+pipeline:
+ check-format:
+ image: nixery.dev/shell/alejandra
+ commands:
+ - alejandra -c .
diff --git a/.woodpecker/pr.yaml b/.woodpecker/pr.yaml
new file mode 100644
index 00000000..45d10994
--- /dev/null
+++ b/.woodpecker/pr.yaml
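Review bot: The `check-format` step carries no `when:` clause, so unlike the other pipelines added in this commit it appears to run on every event Woodpecker delivers, including the cron and manual runs that exist only to refresh flake.lock; `when: - event: push - event: pull_request` (the same list form used in pr.yaml) keeps it to code changes. The `nixery.dev/shell/alejandra` image is resolved at request time with neither tag nor digest, so the formatter version is whatever nixery builds on that day and a green lint today can turn red tomorrow without a repository change; the same applies to the other nixery images in this commit, and pinning by digest or running alejandra from the repository's own lock (`nix run`) would make the check reproducible.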
@@ -0,0 +1,51 @@
+pipeline:
+ diff-pr:
+ image: nixos/nix
+ commands:
+ - mkdir -p /etc/nix
+ - |
+ cat > /etc/nix/nix.conf << EOF
+ # WARNING: this file is generated from the nix.* options in
+ # your NixOS configuration, typically
+ # /etc/nixos/configuration.nix. Do not edit it!
+ build-users-group = nixbld
+ allowed-users = *
+ auto-optimise-store = true
+ builders-use-substitutes = true
+ require-sigs = true
+ sandbox = false
+ substituters = https://hydra.int.chir.rs/ https://cache.nixos.org/
+ system-features = big-parallel benchmark ca-derivations
+ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28=
+ trusted-substituters =
+ trusted-users = @wheel
+ experimental-features = nix-command flakes ca-derivations
+ EOF
+ - nix-env -i python3
+ - |
+ for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do
+ nix show-derivation -r "github:DarkKirb/nixos-config/main#hydraJobs.$job" > old-$job.json
+ done
+
+ echo "Difference between this PR and main:" > review
+ echo "" >> review
+
+ for job in nixos-8gb-fsn1-1.x86_64-linux nutty-noon.x86_64-linux thinkrac.x86_64-linux nas.x86_64-linux instance-20221213-1915.aarch64-linux devterm.aarch64-linux; do
+ nix show-derivation -r ".#hydraJobs.$job" > new-$job.json
+
+ echo "## Changes for $job:" >> review
+ echo '```' >> review
+ python scripts/diff-drvs.py old-$job.json new-$job.json >> review
+ echo '```' >> review
+ done
+ when:
+ - event: pull_request
+ post-review:
+ image: nixery.dev/shell/jq/curl
+ commands:
+ - |
+ echo '{}' | jq '.body = $body' --arg body "$(cat review)" | jq '.commit_id = $commit_id' --arg commit_id "$CI_COMMIT_SHA" | curl -XPOST "https://git.chir.rs/api/v1/repos/$CI_REPO_OWNER/$CI_REPO_NAME/pulls/$CI_COMMIT_PULL_REQUEST/reviews" -H "Accept: application/json" -H "Content-Type: application/json" -H "Authorization: token $GITEA_TOKEN" --data-binary @-
+ secrets:
+ - gitea_token
+ when:
+ - event: pull_request
diff --git a/.woodpecker/tailscale.yaml b/.woodpecker/tailscale.yaml
new file mode 100644
index 00000000..d54b7a1d
--- /dev/null
+++ b/.woodpecker/tailscale.yaml
@@ -0,0 +1,22 @@
+pipeline:
+ deploy-acl:
+ image: golang:1.18.4-alpine3.16
+ commands:
+ - go install tailscale.com/cmd/gitops-pusher@gitops-1.30.0
+ - /go/bin/gitops-pusher --policy-file=config/tailscale.hujson apply
+ when:
+ event: push
+ branch: main
+ secrets:
+ - ts_api_key
+ - ts_tailnet
+ test-acl:
+ image: golang:1.18.4-alpine3.16
+ commands:
+ - go install tailscale.com/cmd/gitops-pusher@gitops-1.30.0
+ - /go/bin/gitops-pusher --policy-file=config/tailscale.hujson test
+ when:
+ event: pull_request
+ secrets:
+ - ts_api_key
+ - ts_tailnet
diff --git a/.woodpecker/update.yaml b/.woodpecker/update.yaml
new file mode 100644
index 00000000..22d139a4
--- /dev/null
+++ b/.woodpecker/update.yaml
@@ -0,0 +1,62 @@ +pipeline: + flake-update: + image: nixpkgs/nix-unstable + commands: + - mkdir -p /etc/nix + - | + cat > /etc/nix/nix.conf << EOF + # WARNING: this file is generated from the nix.* options in + # your NixOS configuration, typically + # /etc/nixos/configuration.nix. Do not edit it! + build-users-group = nixbld + allowed-users = * + auto-optimise-store = true + builders-use-substitutes = true + require-sigs = true + sandbox = false + substituters = https://hydra.int.chir.rs/ https://cache.nixos.org/ + system-features = big-parallel benchmark ca-derivations + trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nixcache:8KKuGz95Pk4UJ5W/Ni+pN+v+LDTkMMFV4yrGmAYgkDg= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs= chir-rs:AnwyFacopHSkprD6aXY4/R3J9JYzTbV2rosJCBPaB28= + trusted-substituters = + trusted-users = @wheel + experimental-features = nix-command flakes ca-derivations + EOF + - nix flake update + when: + - event: cron + - event: manual + git-push: + image: nixery.dev/shell/openssh/gitfull/git-lfs/gnupg/shadow + commands: + - groupadd -g 0 root + - useradd -u 0 -g root -d $HOME root + - mkdir -p ~/.ssh + - echo "$SSH_KEY" > ~/.ssh/id_ed25519 + - chmod 600 ~/.ssh/id_ed25519 + - echo "git.chir.rs ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQ77jA9S5qXDFGPLZRsC++AtxiXXeF8gVbkLlglx0GQ" > ~/.ssh/known_hosts + - echo "git.chir.rs ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDY0pZzNTAqaVqqfC31gYFixFs5KySv0UqvlDEAzEXJMB/pBWkE5GAd5Ik1NxD4QiAVWc2UARdmJEBbYf8mk5JiAv6fjsodJdJVRau4Ax7FtIfbxdFyzBgFery/KUnNIr6cmAWU2Af8JhzrnpEbhe5U3LftYnkdE1lI+iVqaQRARp0qikdzoAl3uMUhbdTxp1/6rtfN6bP2XZCsUx3t3W5ZG1QTQz8l7nrbXZX1TT3pZ2vcUANcMtOxEAwO6lbL210GX63C8XEoE7+4lLxRrSiaq3SkVlG07VspozKEtrrcsqCRNLebiaapmNWVoEq9Wd9VGAEjja5efyU6/HUlRogAOo1WP73UwoQLv5LTFH+ECoHhKS14xfPeXeVG8dbYyh5+CnmiVe43dH1qZw+ceYuYel31f47cAgScbxFvNkct0spK9m9mivnoUmYcxwTc+VbFbmnJvSuZw3a+OEYn9biitP/tTkYFiLZVdPZTxDkvd1oOyuVH9d4RMXbVgNS92/lr2iKFZkyhWMJ61hFMc2tupwmkp5Us5ce42XA0zC/aVY3vYoih/c5Ib0eZF1AEJdB6Bt5dWqITVsB3mip3Jn/mqVBIPTGXT6+FnGSEuL68Dj2yKBD7kj8YO/1SWpkVMy+bfoLXY/usgcaLCxpUu8dDrdrcKExLigCVbi3rdRmg7w==" >> ~/.ssh/known_hosts + - git remote set-url origin gitea@git.chir.rs:darkkirb/nix-packages.git + - git config --global 'user.email' 'gitea-bot@chir.rs' + - git config --global 'user.name' 'Gitea Bot' + - echo "$GPG_KEY" | gpg --import + - git config --global "user.signingKey" "0x417A4BCCAB696E24" + - git config --global "commit.gpgSign" "true" + - git add . + - git commit -am "Update flake" + - git push --force origin main:update-flake + secrets: + - gpg_key + - ssh_key + when: + - event: cron + - event: manual + gitea-pr: + image: nixery.dev/shell/curl + commands: + - | + echo '{ "assignee": "darkkirb", "base": "main", "head": "update-flake, "title": "Update flake", "body": "" }' | curl -X POST -H "Authorization: token $GITEA_TOKEN" -H "Content-Type: application/json" --data-binary @- 'https://git.chir.rs/api/v1/repos/darkkirb/nix-packages/pulls' + secrets: + - gitea_token + when: + - event: cron + - event: manual diff --git a/config/nas.nix b/config/nas.nix index ce4bbd31..107d3da1 100644 --- a/config/nas.nix +++ b/config/nas.nix 
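Review bot: `git-push` points the remote at `gitea@git.chir.rs:darkkirb/nix-packages.git` and `gitea-pr` posts to `.../repos/darkkirb/nix-packages/pulls`, but this pipeline lives in nixos-config (the removed `.drone.yml` used `darkkirb/nixos-config.git`), so the bot would force-push its `update-flake` branch and open the PR against the wrong project; the same slug shows up as `gitea_repo_name = "nix-packages"` in the `nixos-config` jobset of `hydra/jobsets.nix` in this commit. The JSON body in `gitea-pr` is also malformed, `"head": "update-flake, "title"` lacks the closing quote, so the request is rejected before any PR exists; the intended line is `echo '{ "assignee": "darkkirb", "base": "main", "head": "update-flake", "title": "Update flake", "body": "" }'`. Separately, `git commit -am "Update flake"` exits non-zero when `nix flake update` changed nothing, so every cron run without upstream changes will be reported as failed; checking `git diff --cached --quiet` after `git add .` and skipping the commit/push on a no-op would make that the quiet case it should be.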
@@ -70,21 +70,21 @@ }; /* - swapDevices = [ - { - device = "/dev/disk/by-partuuid/3b652a7e-a550-4342-a0d7-d2ae47b3e9d1"; - randomEncryption = true; - } - { - device = "/dev/disk/by-partuuid/59de36d4-6613-4b50-9643-8824e9a9b1f9"; - randomEncryption = true; - } - { - device = "/dev/disk/by-partuuid/f6260d75-2b96-4f55-ba0f-050c58b84b78"; - randomEncryption = true; - } - ]; - */ + swapDevices = [ + { + device = "/dev/disk/by-partuuid/3b652a7e-a550-4342-a0d7-d2ae47b3e9d1"; + randomEncryption = true; + } + { + device = "/dev/disk/by-partuuid/59de36d4-6613-4b50-9643-8824e9a9b1f9"; + randomEncryption = true; + } + { + device = "/dev/disk/by-partuuid/f6260d75-2b96-4f55-ba0f-050c58b84b78"; + randomEncryption = true; + } + ]; + */ networking.interfaces.br0 = { ipv4 = { addresses = [ diff --git a/config/nix.nix b/config/nix.nix index 70f7bc41..01388f02 100644 --- a/config/nix.nix +++ b/config/nix.nix @@ -101,7 +101,7 @@ in { }; system.autoUpgrade = { enable = true; - flake = "github:DarkKirb/nixos-config"; + flake = "git+https://git.chir.rs/darkkirb/nixos-config?ref=main"; flags = [ "--no-write-lock-file" "-L" # print build logs diff --git a/config/tailscale.hujson b/config/tailscale.hujson index cae1e2ef..ebe85b8e 100644 --- a/config/tailscale.hujson +++ b/config/tailscale.hujson @@ -87,8 +87,7 @@ // Woodpecker agents { "action": "accept", - //"src": ["tag:woodpeckerRunner"], // todo: broken auth rn - "src": ["tag:nutty-noon", "tag:nas"], + "src": ["tag:woodpeckerRunner"], "dst": ["tag:nas:9000"] } ], diff --git a/hydra/jobsets.nix b/hydra/jobsets.nix index 2f20eb58..e59073a8 100644 --- a/hydra/jobsets.nix +++ b/hydra/jobsets.nix 
@@ -4,18 +4,18 @@ }: let pkgs = import nixpkgs {}; prs = builtins.fromJSON (builtins.readFile prsJSON); - jobsets = - (pkgs.lib.mapAttrs' ( - num: info: { - name = "pr${num}"; + (builtins.listToAttrs ( + map ( + info: { + name = "pr${toString info.number}"; value = { - enabled = 1; - hidden = false; - description = "PR ${num}: ${info.title}"; + enabled = info.state == "open"; + hidden = info.state != "open"; + description = "PR ${toString info.number}: ${info.title}"; nixexprinput = "nixos-config"; nixexprpath = "hydra/default.nix"; - checkinterval = 300; + checkinterval = 3600; schedulingshares = 100; enableemail = false; emailoverride = ""; @@ -23,14 +23,35 @@ inputs = { nixos-config = { type = "git"; - value = "https://github.com/${info.head.repo.owner.login}/${info.head.repo.name}.git ${info.head.ref}"; + value = "${info.head.repo.clone_url} ${info.head.ref}"; + emailresponsible = false; + }; + nixpkgs = { + type = "git"; + value = "https://github.com/NixOS/nixpkgs.git master"; + emailresponsible = false; + }; + gitea_status_repo = { + type = "string"; + value = "nixos-config"; + emailresponsible = false; + }; + gitea_repo_owner = { + type = "string"; + value = "${info.head.repo.owner.login}"; + emailresponsible = false; + }; + gitea_repo_name = { + type = "string"; + value = "${info.head.repo.name}"; emailresponsible = false; }; }; }; } ) - prs) + prs + )) // { nixos-config = { enabled = 1; @@ -38,7 +59,7 @@ description = "Current nixos config"; nixexprinput = "nixos-config"; nixexprpath = "hydra/default.nix"; - checkinterval = 300; + checkinterval = 0; schedulingshares = 100; enableemail = false; emailoverride = ""; 
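Review bot: `enabled = info.state == "open";` hands Hydra a boolean where the sibling `nixos-config` jobset further down keeps the integer `1`, and Hydra's declarative jobset spec describes `enabled` as a small integer (0 disabled, 1 enabled, with higher values for one-shot modes); Perl-side coercion may well make `true`/`false` work, but `enabled = if info.state == "open" then 1 else 0;` removes the dependency on that and matches the other jobset. `hidden` is a genuine boolean, so that field is fine as written. Since `info.number` and `info.state` are now read from Gitea's pulls-list JSON rather than the old `githubpulls` shape, a one-line comment above the `map` naming the expected input format would help the next person who touches `hydra/spec.json`.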
@@ -46,7 +67,27 @@ inputs = { nixos-config = { type = "git"; - value = "https://github.com/DarkKirb/nixos-config.git main"; + value = "https://git.chir.rs/darkkirb/nixos-config main"; + emailresponsible = false; + }; + nixpkgs = { + type = "git"; + value = "https://github.com/NixOS/nixpkgs.git master"; + emailresponsible = false; + }; + gitea_status_repo = { + type = "string"; + value = "nixos-config"; + emailresponsible = false; + }; + gitea_repo_owner = { + type = "string"; + value = "darkkirb"; + emailresponsible = false; + }; + gitea_repo_name = { + type = "string"; + value = "nix-packages"; emailresponsible = false; }; }; diff --git a/hydra/spec.json b/hydra/spec.json index 497f2dee..4d089a3d 100644 --- a/hydra/spec.json +++ b/hydra/spec.json @@ -4,7 +4,7 @@ "description": "jobsets", "nixexprinput": "nixos-config", "nixexprpath": "hydra/jobsets.nix", - "checkinterval": 60, + "checkinterval": 3600, "schedulingshares": 100, "enableemail": false, "emailoverride": "", @@ -12,7 +12,7 @@ "inputs": { "nixos-config": { "type": "git", - "value": "https://github.com/DarkKirb/nixos-config main", + "value": "https://git.chir.rs/darkkirb/nixos-config.git switch-to-gitea", "emailresponsible": false }, "nixpkgs": { @@ -21,8 +21,8 @@ "emailresponsible": false }, "prsJSON": { - "type": "githubpulls", - "value": "DarkKirb nixos-config", + "type": "path", + "value": "https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/pulls", "emailresponsible": false } } diff --git a/zones/int.chir.rs.nix b/zones/int.chir.rs.nix index 43aca284..6c031ce2 100644 --- a/zones/int.chir.rs.nix +++ b/zones/int.chir.rs.nix 
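Review bot: The `nixos-config` input in `hydra/spec.json` now tracks the `switch-to-gitea` branch instead of `main`, which reads like a value set to test this change; if it is merged as-is the declarative spec keeps evaluating the feature branch, so it should become `"value": "https://git.chir.rs/darkkirb/nixos-config.git main"` before or immediately after merge. The `prsJSON` input now fetches `https://git.chir.rs/api/v1/repos/darkkirb/nixos-config/pulls` as a `path` input; as far as I can tell Gitea's list endpoint returns only open pull requests unless `state=all` is passed and is paginated, so the `enabled`/`hidden` logic keyed on `info.state` in `hydra/jobsets.nix` would never see a closed PR (its jobset is simply dropped instead of hidden) and the result is capped at one page — consider appending `?state=all` and a `limit`, and confirm that Hydra's `path` input type accepts an HTTPS URL rather than a local filesystem path.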
@@ -85,27 +85,27 @@ in { } ]; /* - subdomains = { - _tcp.subdomains."*".TLSA = [ - { - certUsage = "dane-ee"; - selector = "spki"; - match = "sha256"; - certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; - ttl = zoneTTL; - } - ]; - _udp.subdomains."*".TLSA = [ - { - certUsage = "dane-ee"; - selector = "spki"; - match = "sha256"; - certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; - ttl = zoneTTL; - } - ]; - }; - */ + subdomains = { + _tcp.subdomains."*".TLSA = [ + { + certUsage = "dane-ee"; + selector = "spki"; + match = "sha256"; + certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; + ttl = zoneTTL; + } + ]; + _udp.subdomains."*".TLSA = [ + { + certUsage = "dane-ee"; + selector = "spki"; + match = "sha256"; + certificate = "0b85bd8fd152ed8b29a25e7fd69c083138a7bd35d79aea62c111efcf17ede23f"; + ttl = zoneTTL; + } + ]; + }; + */ HTTPS = [ { svcPriority = 1;