TODO.md

@@ -73,8 +73,6 @@
 - offsite backup yubikey, pw db, and ssh key with /secrets access
 
 ### Misc
-- for automated kernel upgrades on luks systems, need to kexec with initrd that contains luks key
-  - https://github.com/flowztul/keyexec/blob/master/etc/default/kexec-cryptroot
 - https://github.com/pop-os/system76-scheduler
 - improve email a little bit https://helloinbox.email
 - remap razer keys https://github.com/sezanzeb/input-remapper

common/pc/audio.nix

@@ -17,6 +17,45 @@ in
       alsa.support32Bit = true;
       pulse.enable = true;
       jack.enable = true;
+
+      # use the example session manager (no others are packaged yet so this is enabled by default,
+      # no need to redefine it in your config for now)
+      #media-session.enable = true;
+
+      config.pipewire = {
+        "context.objects" = [
+          {
+            # A default dummy driver. This handles nodes marked with the "node.always-driver"
+            # properyty when no other driver is currently active. JACK clients need this.
+            factory = "spa-node-factory";
+            args = {
+              "factory.name" = "support.node.driver";
+              "node.name" = "Dummy-Driver";
+              "priority.driver" = 8000;
+            };
+          }
+          {
+            factory = "adapter";
+            args = {
+              "factory.name" = "support.null-audio-sink";
+              "node.name" = "Microphone-Proxy";
+              "node.description" = "Microphone";
+              "media.class" = "Audio/Source/Virtual";
+              "audio.position" = "MONO";
+            };
+          }
+          {
+            factory = "adapter";
+            args = {
+              "factory.name" = "support.null-audio-sink";
+              "node.name" = "Main-Output-Proxy";
+              "node.description" = "Main Output";
+              "media.class" = "Audio/Sink";
+              "audio.position" = "FL,FR";
+            };
+          }
+        ];
+      };
     };
 
     users.users.googlebot.extraGroups = [ "audio" ];

common/server/default.nix

@@ -10,7 +10,6 @@
     ./matrix.nix
     ./zerobin.nix
     ./gitea.nix
-    ./gitea-runner.nix
     ./privatebin/privatebin.nix
     ./radio.nix
     ./samba.nix

common/server/gitea-runner.nix

@@ -1,98 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-  cfg = config.services.gitea-runner;
-in
-{
-  options.services.gitea-runner = {
-    enable = lib.mkEnableOption "Enables gitea runner";
-    dataDir = lib.mkOption {
-      default = "/var/lib/gitea-runner";
-      type = lib.types.str;
-      description = lib.mdDoc "gitea runner data directory.";
-    };
-    instanceUrl = lib.mkOption {
-      type = lib.types.str;
-    };
-    registrationTokenFile = lib.mkOption {
-      type = lib.types.path;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    virtualisation.docker.enable = true;
-
-    users.users.gitea-runner = {
-      description = "Gitea Runner Service";
-      home = cfg.dataDir;
-      useDefaultShell = true;
-      group = "gitea-runner";
-      isSystemUser = true;
-      createHome = true;
-      extraGroups = [
-        "docker" # allow creating docker containers
-      ];
-    };
-    users.groups.gitea-runner = { };
-
-    # registration token
-    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
-    age.secrets.gitea-runner-registration-token = {
-      file = ../../secrets/gitea-runner-registration-token.age;
-      owner = "gitea-runner";
-    };
-
-    systemd.services.gitea-runner = {
-      description = "Gitea Runner";
-
-      serviceConfig = {
-        WorkingDirectory = cfg.dataDir;
-        User = "gitea-runner";
-        Group = "gitea-runner";
-      };
-
-      requires = [ "network-online.target" ];
-      after = [ "network.target" "network-online.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      path = with pkgs; [ gitea-actions-runner ];
-
-      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
-      script = ''
-        . ${cfg.registrationTokenFile}
-
-        if [[ ! -s .runner ]]; then
-          try=$((try + 1))
-          success=0
-
-          LOGFILE="$(mktemp)"
-
-          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
-          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
-          # the context of a single docker-compose, something similar could be done via healthchecks, but
-          # this is more flexible.
-          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
-            act_runner register \
-              --instance "${cfg.instanceUrl}" \
-              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
-              --name     "${config.networking.hostName}" \
-              --no-interactive > $LOGFILE 2>&1
-
-            cat $LOGFILE
-
-            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
-            if [[ $? -eq 0 ]]; then
-              echo "SUCCESS"
-              success=1
-            else
-              echo "Waiting to retry ..."
-              sleep 5
-            fi
-          done
-        fi
-
-        exec act_runner daemon
-      '';
-    };
-  };
-}

common/server/gitea.nix

@@ -39,9 +39,6 @@ in
           USER = "robot@runyan.org";
           FROM = "no-reply@neet.dev";
         };
-        actions = {
-          ENABLED = true;
-        };
       };
       mailerPasswordFile = "/run/agenix/robots-email-pw";
     };

machines/phil/default.nix

@@ -6,8 +6,4 @@
   ];
 
   networking.hostName = "phil";
-  services.gitea-runner = {
-    enable = true;
-    instanceUrl = "https://git.neet.dev";
-  };
 }

machines/phil/hardware-configuration.nix

@@ -21,24 +21,24 @@
   boot.extraModulePackages = [ ];
 
   boot.initrd.luks.devices."enc-pv" = {
-    device = "/dev/disk/by-uuid/d26c1820-4c39-4615-98c2-51442504e194";
+    device = "/dev/disk/by-uuid/9f1727c7-1e95-47b9-9807-8f38531eed47";
     allowDiscards = true;
   };
 
   fileSystems."/" =
     {
-      device = "/dev/disk/by-uuid/851bfde6-93cd-439e-9380-de28aa87eda9";
+      device = "/dev/mapper/vg-root";
       fsType = "btrfs";
     };
 
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/F185-C4E5";
+      device = "/dev/disk/by-uuid/EC6B-53AA";
       fsType = "vfat";
     };
 
   swapDevices =
-    [{ device = "/dev/disk/by-uuid/d809e3a1-3915-405a-a200-4429c5efdf87"; }];
+    [{ device = "/dev/disk/by-uuid/b916094f-cf2a-4be7-b8f1-674ba6473061"; }];
 
   networking.interfaces.enp0s6.useDHCP = lib.mkDefault true;
 

machines/phil/properties.nix

@@ -8,13 +8,12 @@
 
   systemRoles = [
     "server"
-    "gitea-runner"
   ];
 
-  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlOs6mTZCSJL/XM6NysHN0ZNQAyj2GEwBV2Ze6NxRmr";
 
   remoteUnlock = {
-    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0RodotOXLMy/w70aa096gaNqPBnfgiXR5ZAH4+wGzd";
+    hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqy9X/m67oXJBX+OMdIqpiLONYc5aQ2nHeEPAaj/vgN";
     clearnetHost = "unlock.phil.neet.dev";
   };
 }

machines/ray/hardware-configuration.nix

@@ -59,4 +59,7 @@
     };
   swapDevices =
     [{ device = "/dev/vg/swap"; }];
+
+  # high-resolution display
+  hardware.video.hidpi.enable = lib.mkDefault true;
 }

secrets/secrets.nix

@@ -18,9 +18,6 @@ with roles;
   "hashed-robots-email-pw.age".publicKeys = email-server;
   "robots-email-pw.age".publicKeys = gitea;
 
-  # gitea
-  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
-
   # vpn
   "iodine.age".publicKeys = iodine;
   "pia-login.age".publicKeys = pia;