zuckerberg/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Activity

Compare commits

base: zuckerberg:123f53cf91cd9c82e768398825fcc169f5756261
Branches Tags
zuckerberg:master zuckerberg:stage zuckerberg:pia-vpn-v2 zuckerberg:kexec_luks2
..
compare: zuckerberg:dd0a89d5cddb341161acaba1120feb6baf4f23ac
Branches Tags
zuckerberg:stage zuckerberg:pia-vpn-v2 zuckerberg:master zuckerberg:kexec_luks2

4 Commits
123f53cf91 ... dd0a89d5cd

Author SHA1 Message Date
Zuckerberg
dd0a89d5cd trim
Some checks failed
Check Flake / check-flake (push) Has been cancelled
Details
2026-02-20 21:03:58 -08:00
Zuckerberg
63da381813 try again
Some checks are pending
Check Flake / check-flake (push) Waiting to run
Details
2026-02-19 22:39:52 -08:00
Zuckerberg
fa5be20f39 All systems
Some checks failed
Check Flake / check-flake (push) Failing after 2m47s
Details
2026-02-19 22:35:25 -08:00
Zuckerberg
09f461123f Add Attic binary cache and containerize gitea runner
All checks were successful
Check Flake / check-flake (push) Successful in 2m32s
Details 
Replace nix-serve-only setup with Attic for managed binary caching with
upstream filtering and GC. Move gitea actions runner from host into an
isolated NixOS container with private networking. nix-serve kept alongside
Attic during migration.
 2026-02-19 22:22:29 -08:00
3 changed files with 15 additions and 54 deletions
Expand all files Collapse all files

9
.gitea/workflows/check-flake.yaml
View File

@@ -5,7 +5,6 @@ on: [push]
env: env:
DEBIAN_FRONTEND: noninteractive DEBIAN_FRONTEND: noninteractive
PATH: /run/current-system/sw/bin/ PATH: /run/current-system/sw/bin/
XDG_CONFIG_HOME: ${{ runner.temp }}/.config
jobs: jobs:
check-flake: check-flake:
@@ -16,11 +15,6 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Configure Attic cache
run: |
attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
attic use local:nixos
- name: Check Flake - name: Check Flake
run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
@@ -31,8 +25,11 @@ jobs:
| xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" --no-link --print-build-logs --log-format raw | xargs -I{} nix build ".#nixosConfigurations.{}.config.system.build.toplevel" --no-link --print-build-logs --log-format raw
- name: Push to cache - name: Push to cache
env:
XDG_CONFIG_HOME: ${{ runner.temp }}/.config
run: | run: |
set -euo pipefail set -euo pipefail
attic login local "${{ vars.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
# Get all system toplevel store paths # Get all system toplevel store paths
toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]') toplevels=$(nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json | jq -r '.[]')
echo "Found $(echo "$toplevels" | wc -l) system toplevels" echo "Found $(echo "$toplevels" | wc -l) system toplevels"

52
common/server/atticd.nix
View File

@@ -7,55 +7,25 @@
environmentFile = config.age.secrets.atticd-credentials.path; environmentFile = config.age.secrets.atticd-credentials.path;
settings = { settings = {
listen = "[::]:28338"; listen = "[::]:28338";
database.url = "postgresql:///atticd?host=/run/postgresql";
require-proof-of-possession = false;
# Disable chunking — the dedup savings don't justify the CPU/IO
# overhead for local storage, especially on ZFS which already
# does block-level compression.
chunking = { chunking = {
nar-size-threshold = 0; nar-size-threshold = 64 * 1024; # 64 KiB
min-size = 16 * 1024;
avg-size = 64 * 1024; # The preferred minimum size of a chunk, in bytes
max-size = 256 * 1024; min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
}; };
# Let ZFS handle compression instead of double-compressing. compression.type = "zstd";
compression.type = "none";
garbage-collection.default-retention-period = "6 months"; garbage-collection.default-retention-period = "6 months";
}; };
}; };
# PostgreSQL for atticd
services.postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [{
name = "atticd";
ensureDBOwnership = true;
}];
};
# Use a static user so the ZFS mountpoint at /var/lib/atticd works
# (DynamicUser conflicts with ZFS mountpoints)
users.users.atticd = {
isSystemUser = true;
group = "atticd";
home = "/var/lib/atticd";
};
users.groups.atticd = { };
systemd.services.atticd = {
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
serviceConfig = {
DynamicUser = lib.mkForce false;
User = "atticd";
Group = "atticd";
};
};
age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age; age.secrets.atticd-credentials.file = ../../secrets/atticd-credentials.age;
}; };
} }

8
machines/storage/s0/hardware-configuration.nix
View File

@@ -45,12 +45,6 @@
fsType = "zfs"; fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ]; options = [ "zfsutil" "X-mount.mkdir" ];
}; };
fileSystems."/var/lib/atticd" =
{
device = "rpool/nixos/var/lib/atticd";
fsType = "zfs";
options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/var/log" = fileSystems."/var/log" =
{ {
device = "rpool/nixos/var/log"; device = "rpool/nixos/var/log";
@@ -78,5 +72,5 @@
}; };
}; };
powerManagement.cpuFreqGovernor = "schedutil"; powerManagement.cpuFreqGovernor = "powersave";
} }