Flake check gitea action

Add mail user
Move s0 to systemd-boot
2023-04-29 19:20:48 -06:00 · 2023-04-29 18:24:20 -06:00 · 2023-04-25 23:41:08 -06:00 · 2023-04-24 20:52:17 -06:00
13 changed files with 72 additions and 68 deletions
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@ -0,0 +1,38 @@
 name: Check Flake
 on: [push]
 env:
  DEBIAN_FRONTEND: noninteractive
  PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
 # defaults:
 #   run:
 #     shell: nix shell nixpkgs#nodejs-18_x
 jobs:
  check-flake:
    runs-on: nixos
    steps:
      # - run: node --version
      # - name: Install basic dependencies
      #   run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
      # - name: Install Nix
      #   uses: https://github.com/cachix/install-nix-action@v20
      #   with:
      #     github_access_token: ${{ secrets.__GITHUB_TOKEN }}
      - name: Install dependencies
        run: nix profile install nixpkgs#nodejs-18_x
      - name: Checkout the repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      # - name: Get ENV var names
      #   run: printenv | cut -d'=' -f1
      - name: Check Flake
        run: nix flake check --show-trace
--- a/common/server/gitea-runner.nix
+++ b/common/server/gitea-runner.nix
@ -11,12 +11,6 @@ in
      type = lib.types.str;
      description = lib.mdDoc "gitea runner data directory.";
    };
    instanceUrl = lib.mkOption {
      type = lib.types.str;
    };
    registrationTokenFile = lib.mkOption {
      type = lib.types.path;
    };
  };
  config = lib.mkIf cfg.enable {
@ -35,13 +29,6 @@ in
    };
    users.groups.gitea-runner = { };
    # registration token
    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
    age.secrets.gitea-runner-registration-token = {
      file = ../../secrets/gitea-runner-registration-token.age;
      owner = "gitea-runner";
    };
    systemd.services.gitea-runner = {
      description = "Gitea Runner";
@ -57,40 +44,7 @@ in
      path = with pkgs; [ gitea-actions-runner ];
      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
      script = ''
        . ${cfg.registrationTokenFile}
        if [[ ! -s .runner ]]; then
          try=$((try + 1))
          success=0
          LOGFILE="$(mktemp)"
          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
          # the context of a single docker-compose, something similar could be done via healthchecks, but
          # this is more flexible.
          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
            act_runner register \
              --instance "${cfg.instanceUrl}" \
              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
              --name     "${config.networking.hostName}" \
              --no-interactive > $LOGFILE 2>&1
            cat $LOGFILE
            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
            if [[ $? -eq 0 ]]; then
              echo "SUCCESS"
              success=1
            else
              echo "Waiting to retry ..."
              sleep 5
            fi
          done
        fi
        exec act_runner daemon
      '';
    };
--- a/common/server/mailserver.nix
+++ b/common/server/mailserver.nix
@ -37,6 +37,10 @@ in
          # catchall for all domains
          aliases = map (domain: "@${domain}") domains;
        };
        "cris@runyan.org" = {
          hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
          aliases = [ "chris@runyan.org" ];
        };
        "robot@runyan.org" = {
          aliases = [
            "no-reply@neet.dev"
@ -55,6 +59,7 @@ in
      certificateScheme = 3; # use let's encrypt for certs
    };
    age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
    age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
    age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
    # sendmail to use xxx@domain instead of xxx@mail.domain
--- a/flake.nix
+++ b/flake.nix
@ -55,7 +55,7 @@
    {
      nixosConfigurations =
        let
-          modules = system: with inputs; [
+          modules = system: hostname: with inputs; [
            ./common
            simple-nixos-mailserver.nixosModule
            agenix.nixosModules.default
@ -63,9 +63,13 @@
            archivebox.nixosModule
            nix-index-database.nixosModules.nix-index
            ({ lib, ... }: {
-              config.environment.systemPackages = [
+              config = {
-                agenix.packages.${system}.agenix
+                environment.systemPackages = [
-              ];
+                  agenix.packages.${system}.agenix
                ];
                networking.hostName = hostname;
              };
              # because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
              options.inputs = lib.mkOption { default = inputs; };
@ -73,9 +77,9 @@
            })
          ];
-          mkSystem = system: nixpkgs: path:
+          mkSystem = system: nixpkgs: path: hostname:
            let
-              allModules = modules system;
+              allModules = modules system hostname;
              # allow patching nixpkgs, remove this hack once this is solved: https://github.com/NixOS/nix/issues/3920
              patchedNixpkgsSrc = nixpkgs.legacyPackages.${system}.applyPatches {
@ -99,7 +103,7 @@
        in
        nixpkgs.lib.mapAttrs
          (hostname: cfg:
-            mkSystem cfg.arch nixpkgs cfg.configurationPath)
+            mkSystem cfg.arch nixpkgs cfg.configurationPath hostname)
          machines;
      packages =
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@ -6,8 +6,5 @@
  ];
  networking.hostName = "phil";
-  services.gitea-runner = {
+  services.gitea-runner.enable = true;
    enable = true;
    instanceUrl = "https://git.neet.dev";
  };
 }
--- a/machines/ponyo/default.nix
+++ b/machines/ponyo/default.nix
@ -5,8 +5,6 @@
    ./hardware-configuration.nix
  ];
  networking.hostName = "ponyo";
  system.autoUpgrade.enable = true;
  # p2p mesh network
--- a/machines/ray/default.nix
+++ b/machines/ray/default.nix
@ -5,8 +5,6 @@
    ./hardware-configuration.nix
  ];
  networking.hostName = "ray";
  # for luks onlock over tor
  services.tor.enable = true;
  services.tor.client.enable = true;
--- a/machines/router/default.nix
+++ b/machines/router/default.nix
@ -11,8 +11,6 @@
  # https://github.com/skogsbrus/os/blob/master/sys/router.nix
  # http://trac.gateworks.com/wiki/wireless/wifi 
  networking.hostName = "router";
  system.autoUpgrade.enable = true;
  services.tailscale.exitNode = true;
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@ -7,7 +7,12 @@
  networking.hostName = "s0";
-  system.autoUpgrade.enable = true;
+  # system.autoUpgrade.enable = true;
  # gitea runner and allow it to build ARM derivations
  services.gitea-runner.enable = true;
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
  services.iperf3.enable = true;
  services.iperf3.openFirewall = true;
--- a/machines/storage/s0/hardware-configuration.nix
+++ b/machines/storage/s0/hardware-configuration.nix
@ -7,7 +7,7 @@
    ];
  # boot
-  efi.enable = true;
+  boot.loader.systemd-boot.enable = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "uas" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
--- a/secrets/cris-hashed-email-pw.age
+++ b/secrets/cris-hashed-email-pw.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 6AT2/g q8AlvC9Dt+b8320A4BP92FghOoPyKttivfrsxqG6DGM
 GWz2QJY3QFc748DjHrybNxyAS/BmDgzIU8yoRFGbLjA
 -> ssh-ed25519 dMQYog i/6mNjO8XZGAxnN1SxJGr5uD+hzCIrh28+N7cvvXZGA
 hC+J+F9hVs8HZjLhCQ6RnGAHRE45G+p1oBPnwB+nBtE
 -> ]d^>n#.%-grease Qe6&35Kb ,",Wb`% 0SRX@d
 yXZqn1+E675gpQyFGk/c15Sc1/iwjI/6VrOE1RTcp0gJcsbtVv4kgYCkY+mK
 --- ykoio7g3wxV3VDvo2d3p/Y39NCh+cWPh7uL+Go30BLY
 i“˜Q+€hnïI¼_MßGrrf¯EE~µ(fFyâÿé&Èƒ>sÀX<C380>›ú¤9~<7E>ä*Ç~ŽBãÕ4R¯ü=;’Â{Ý´+^<5E>P…¨ûrFza·Cä¢žî4V’
--- a/secrets/gitea-runner-registration-token.age
+++ b/secrets/gitea-runner-registration-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,13 +14,11 @@ with roles;
 {
  # email
  "hashed-email-pw.age".publicKeys = email-server;
  "cris-hashed-email-pw.age".publicKeys = email-server;
  "sasl_relay_passwd.age".publicKeys = email-server;
  "hashed-robots-email-pw.age".publicKeys = email-server;
  "robots-email-pw.age".publicKeys = gitea;
  # gitea
  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
  # vpn
  "iodine.age".publicKeys = iodine;
  "pia-login.age".publicKeys = pia;
Author	SHA1	Message	Date
Zuckerberg	0efcf8f3fc	Flake check gitea action All checks were successful Check Flake / check-flake (push) Successful in 1m28s Details	2023-04-29 19:20:48 -06:00
Zuckerberg	2009180827	Add mail user	2023-04-29 18:24:20 -06:00
Zuckerberg	306ce8bc3f	Move s0 to systemd-boot	2023-04-25 23:41:08 -06:00
Zuckerberg	b5dd983ba3	Automatically set machine hostname	2023-04-24 20:52:17 -06:00