flake.lock: Update

Flake lock file updates:

• Updated input 'deploy-rs':
    'github:serokell/deploy-rs/c2ea4e642dc50fd44b537e9860ec95867af30d39' (2023-04-21)
  → 'github:serokell/deploy-rs/64160276cd6569694131ed8864d4d35470a84ec3' (2023-05-08)
• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/e3e320b19c192f40a5b98e8776e3870df62dee8a' (2023-04-25)
  → 'github:Mic92/nix-index-database/219067a5e3cf4b9581c8b4fcfc59ecd5af953d07' (2023-05-09)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/297187b30a19f147ef260abb5abd93b0706af238' (2023-04-30)
  → 'github:NixOS/nixpkgs/f431ee4a85cb985075b4ed27596913e8087f4264' (2023-05-10)

.gitea/workflows/check-flake.yaml

@@ -0,0 +1,38 @@
+name: Check Flake
+
+on: [push]
+
+env:
+  DEBIAN_FRONTEND: noninteractive
+  PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
+
+# defaults:
+#   run:
+#     shell: nix shell nixpkgs#nodejs-18_x
+
+jobs:
+  check-flake:
+    runs-on: nixos
+    steps:
+      # - run: node --version
+      # - name: Install basic dependencies
+      #   run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
+
+      # - name: Install Nix
+      #   uses: https://github.com/cachix/install-nix-action@v20
+      #   with:
+      #     github_access_token: ${{ secrets.__GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: nix profile install nixpkgs#nodejs-18_x
+
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # - name: Get ENV var names
+      #   run: printenv | cut -d'=' -f1
+
+      - name: Check Flake
+        run: nix flake check --show-trace

common/binary-cache.nix

@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+{
+  nix = {
+    settings = {
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        "http://s0.koi-bebop.ts.net:5000"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+      ];
+    };
+  };
+}

common/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./backups.nix
+    ./binary-cache.nix
     ./flakes.nix
     ./auto-update.nix
     ./shell.nix
@@ -11,6 +12,7 @@
     ./server
     ./pc
     ./machine-info
+    ./nix-builder.nix
     ./ssh.nix
   ];
 

common/nix-builder.nix

@@ -0,0 +1,60 @@
+{ config, lib, ... }:
+
+let
+  builderRole = "nix-builder";
+  builderUserName = "nix-builder";
+
+  machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
+  otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
+  thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
+
+  builders = machinesByRole builderRole;
+  thisMachineIsABuilder = thisMachineHasRole builderRole;
+
+  # builders don't include themselves as a remote builder
+  otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
+in
+lib.mkMerge [
+  # configure builder
+  (lib.mkIf thisMachineIsABuilder {
+    users.users.${builderUserName} = {
+      description = "Distributed Nix Build User";
+      group = builderUserName;
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/nix-builder";
+      useDefaultShell = true;
+      openssh.authorizedKeys.keys = builtins.map
+        (builderCfg: builderCfg.hostKey)
+        (builtins.attrValues config.machines.hosts);
+    };
+    users.groups.${builderUserName} = { };
+
+    nix.settings.trusted-users = [
+      builderUserName
+    ];
+  })
+
+  # use each builder
+  {
+    nix.distributedBuilds = true;
+
+    nix.buildMachines = builtins.map
+      (builderCfg: {
+        hostName = builtins.elemAt builderCfg.hostNames 0;
+        system = builderCfg.arch;
+        protocol = "ssh-ng";
+        sshUser = builderUserName;
+        sshKey = "/etc/ssh/ssh_host_ed25519_key";
+        maxJobs = 3;
+        speedFactor = 10;
+        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+      })
+      (builtins.attrValues otherBuilders);
+
+    # It is very likely that the builder's internet is faster or just as fast
+    nix.extraOptions = ''
+      builders-use-substitutes = true
+    '';
+  }
+]

common/pc/default.nix

@@ -37,7 +37,6 @@ in
       mumble
       tigervnc
       bluez-tools
-      vscodium
       element-desktop
       mpv
       nextcloud-client

common/pc/vscodium.nix

@@ -4,8 +4,19 @@ let
   cfg = config.de;
 
   extensions = with pkgs.vscode-extensions; [
-    #    bbenoist.Nix # nix syntax support
+    bbenoist.nix # nix syntax support
-    #    arrterian.nix-env-selector  # nix dev envs
+    arrterian.nix-env-selector # nix dev envs
+    dart-code.dart-code
+    dart-code.flutter
+    golang.go
+    jnoortheen.nix-ide
+  ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+    {
+      name = "platformio-ide";
+      publisher = "platformio";
+      version = "3.1.1";
+      sha256 = "fwEct7Tj8bfTOLRozSZJGWoLzWRSvYz/KxcnfpO8Usg=";
+    }
   ];
 
   vscodium-with-extensions = pkgs.vscode-with-extensions.override {

common/server/gitea-runner.nix

@@ -11,12 +11,6 @@ in
       type = lib.types.str;
       description = lib.mdDoc "gitea runner data directory.";
     };
-    instanceUrl = lib.mkOption {
-      type = lib.types.str;
-    };
-    registrationTokenFile = lib.mkOption {
-      type = lib.types.path;
-    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -35,13 +29,6 @@ in
     };
     users.groups.gitea-runner = { };
 
-    # registration token
-    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
-    age.secrets.gitea-runner-registration-token = {
-      file = ../../secrets/gitea-runner-registration-token.age;
-      owner = "gitea-runner";
-    };
-
     systemd.services.gitea-runner = {
       description = "Gitea Runner";
 
@@ -57,40 +44,7 @@ in
 
       path = with pkgs; [ gitea-actions-runner ];
 
-      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
       script = ''
-        . ${cfg.registrationTokenFile}
-
-        if [[ ! -s .runner ]]; then
-          try=$((try + 1))
-          success=0
-
-          LOGFILE="$(mktemp)"
-
-          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
-          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
-          # the context of a single docker-compose, something similar could be done via healthchecks, but
-          # this is more flexible.
-          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
-            act_runner register \
-              --instance "${cfg.instanceUrl}" \
-              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
-              --name     "${config.networking.hostName}" \
-              --no-interactive > $LOGFILE 2>&1
-
-            cat $LOGFILE
-
-            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
-            if [[ $? -eq 0 ]]; then
-              echo "SUCCESS"
-              success=1
-            else
-              echo "Waiting to retry ..."
-              sleep 5
-            fi
-          done
-        fi
-
         exec act_runner daemon
       '';
     };

common/server/mailserver.nix

@@ -37,6 +37,10 @@ in
           # catchall for all domains
           aliases = map (domain: "@${domain}") domains;
         };
+        "cris@runyan.org" = {
+          hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
+          aliases = [ "chris@runyan.org" ];
+        };
         "robot@runyan.org" = {
           aliases = [
             "no-reply@neet.dev"
@@ -52,9 +56,16 @@ in
         "damon@runyan.org"
         "jonas@runyan.org"
       ];
+      forwards = {
+        "amazon@runyan.org" = [
+          "jeremy@runyan.org"
+          "cris@runyan.org"
+        ];
+      };
       certificateScheme = 3; # use let's encrypt for certs
     };
     age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
+    age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
     age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
 
     # sendmail to use xxx@domain instead of xxx@mail.domain

flake.lock

@@ -117,11 +117,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682063650,
+        "lastModified": 1683515103,
-        "narHash": "sha256-VaDHh2z6xlnTHaONlNVHP7qEMcK5rZ8Js3sT6mKb2XY=",
+        "narHash": "sha256-vWlnZ0twW+ekOC6JuAHDfupv+u4QNvWawG7+DaQJ4VA=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "c2ea4e642dc50fd44b537e9860ec95867af30d39",
+        "rev": "64160276cd6569694131ed8864d4d35470a84ec3",
         "type": "github"
       },
       "original": {
@@ -171,11 +171,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1681591833,
+        "lastModified": 1683638468,
-        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
+        "narHash": "sha256-tQEaGZfZ2Hpw+XIVEHaJ8FaF1yNQyMDDhUyIQ7LTIEg=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
+        "rev": "219067a5e3cf4b9581c8b4fcfc59ecd5af953d07",
         "type": "github"
       },
       "original": {
@@ -186,11 +186,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1682133240,
+        "lastModified": 1683741689,
-        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
+        "narHash": "sha256-VY6gjqAFQe0Xyz+olc979zbsW9dC4VG+mINGffFKVEw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
+        "rev": "f431ee4a85cb985075b4ed27596913e8087f4264",
         "type": "github"
       },
       "original": {
@@ -218,7 +218,7 @@
     "nixpkgs-hostapd-pr": {
       "flake": false,
       "locked": {
-        "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
+        "narHash": "sha256-35+g1EJMcDFhb3UP15fyR1aD4AX1ifz2EqaYItITZ7U=",
         "type": "file",
         "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
       },

machines/phil/default.nix

@@ -5,8 +5,6 @@
     ./hardware-configuration.nix
   ];
 
-  services.gitea-runner = {
+  networking.hostName = "phil";
-    enable = true;
+  services.gitea-runner.enable = true;
-    instanceUrl = "https://git.neet.dev";
-  };
 }

machines/phil/properties.nix

@@ -9,6 +9,7 @@
   systemRoles = [
     "server"
     "gitea-runner"
+    "nix-builder"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";

machines/storage/s0/default.nix

@@ -5,7 +5,22 @@
     ./hardware-configuration.nix
   ];
 
-  system.autoUpgrade.enable = true;
+  networking.hostName = "s0";
+
+  # system.autoUpgrade.enable = true;
+
+  # gitea runner and allow it to build ARM derivations
+  services.gitea-runner.enable = true;
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
+
+  # binary cache
+  services.nix-serve = {
+    enable = true;
+    openFirewall = true;
+    secretKeyFile = "/run/agenix/binary-cache-private-key";
+  };
+  age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
 
   services.iperf3.enable = true;
   services.iperf3.openFirewall = true;

machines/storage/s0/properties.nix

@@ -9,6 +9,7 @@
     "storage"
     "server"
     "pia"
+    "binary-cache"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

secrets/binary-cache-private-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw 4fyRGsaEo25EOj/VwPsF0tayghF0URctont4/re6OmY
+rs09DCSb2bd/v45a7ABxfLo+Sz3OPLkRzfnP5Tmgi0g
+-> ssh-ed25519 dMQYog seRjdySBF1GISaSUWqZNvoW4INDUCxvBKJOgvGeyX1Q
+fe6JE5f9A48ujVtuc0QZ7e7pWW+Tu0yyQEyexTvQWAQ
+-> Uqf![<-grease O}' _h*Y~ .@=$H,~W
+jDlO5MEGPDjJ44cAWuJaTeADbG+wz5PTqq9Pw75QV3Exrsb8/PNGOrUZKuSTCCl3
+g/z3ZHelBBqHp16ZTc+LSxDYgvnEfWMPZKo4mxgu
+--- GTBCzHJYUKbpcgq7+0HzBpqvo0F7TNSPjFKqdRDUYDk
+ÈÚú¡T+ñ—êtµ(פÉF	ÆS<C386>/R±+¢¼Š¯‘âLÃÝcÁ‰·‹1

secrets/cris-hashed-email-pw.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 6AT2/g q8AlvC9Dt+b8320A4BP92FghOoPyKttivfrsxqG6DGM
+GWz2QJY3QFc748DjHrybNxyAS/BmDgzIU8yoRFGbLjA
+-> ssh-ed25519 dMQYog i/6mNjO8XZGAxnN1SxJGr5uD+hzCIrh28+N7cvvXZGA
+hC+J+F9hVs8HZjLhCQ6RnGAHRE45G+p1oBPnwB+nBtE
+-> ]d^>n#.%-grease Qe6&35Kb ,",Wb`% 0SRX@d
+yXZqn1+E675gpQyFGk/c15Sc1/iwjI/6VrOE1RTcp0gJcsbtVv4kgYCkY+mK
+--- ykoio7g3wxV3VDvo2d3p/Y39NCh+cWPh7uL+Go30BLY
+i“˜Q+€hnïI¼_MßGrrf¯EE~µ(fFyâÿé&ȃ>sÀX<C380>›ú¤9~<7E>ä*Ç~ŽBãÕ4R¯ü=;’Â{Ý´+^<5E>P…¨ûrFza·C䢞î4V’

secrets/secrets.nix

@@ -14,12 +14,14 @@ with roles;
 {
   # email
   "hashed-email-pw.age".publicKeys = email-server;
+  "cris-hashed-email-pw.age".publicKeys = email-server;
   "sasl_relay_passwd.age".publicKeys = email-server;
   "hashed-robots-email-pw.age".publicKeys = email-server;
   "robots-email-pw.age".publicKeys = gitea;
 
-  # gitea
+  # nix binary cache
-  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
+  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+  "binary-cache-private-key.age".publicKeys = binary-cache;
 
   # vpn
   "iodine.age".publicKeys = iodine;