Add Zoidberg

Flake lock file updates:

• Updated input 'nix-index-database':
    'github:Mic92/nix-index-database/68ec961c51f48768f72d2bbdb396ce65a316677e' (2023-04-15)
  → 'github:Mic92/nix-index-database/e3e320b19c192f40a5b98e8776e3870df62dee8a' (2023-04-25)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8' (2023-04-22)
  → 'github:NixOS/nixpkgs/297187b30a19f147ef260abb5abd93b0706af238' (2023-04-30)

.gitea/workflows/check-flake.yaml

@@ -0,0 +1,38 @@
+name: Check Flake
+
+on: [push]
+
+env:
+  DEBIAN_FRONTEND: noninteractive
+  PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
+
+# defaults:
+#   run:
+#     shell: nix shell nixpkgs#nodejs-18_x
+
+jobs:
+  check-flake:
+    runs-on: nixos
+    steps:
+      # - run: node --version
+      # - name: Install basic dependencies
+      #   run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
+
+      # - name: Install Nix
+      #   uses: https://github.com/cachix/install-nix-action@v20
+      #   with:
+      #     github_access_token: ${{ secrets.__GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: nix profile install nixpkgs#nodejs-18_x
+
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # - name: Get ENV var names
+      #   run: printenv | cut -d'=' -f1
+
+      - name: Check Flake
+        run: nix flake check --show-trace

common/binary-cache.nix

@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+{
+  nix = {
+    settings = {
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        "http://s0.koi-bebop.ts.net:5000"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU="
+      ];
+    };
+  };
+}

common/default.nix

@@ -3,6 +3,7 @@
 {
   imports = [
     ./backups.nix
+    ./binary-cache.nix
     ./flakes.nix
     ./auto-update.nix
     ./shell.nix
@@ -11,6 +12,7 @@
     ./server
     ./pc
     ./machine-info
+    ./nix-builder.nix
     ./ssh.nix
   ];
 

common/nix-builder.nix

@@ -0,0 +1,60 @@
+{ config, lib, ... }:
+
+let
+  builderRole = "nix-builder";
+  builderUserName = "nix-builder";
+
+  machinesByRole = role: lib.filterAttrs (hostname: cfg: builtins.elem role cfg.systemRoles) config.machines.hosts;
+  otherMachinesByRole = role: lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) (machinesByRole role);
+  thisMachineHasRole = role: builtins.hasAttr config.networking.hostName (machinesByRole role);
+
+  builders = machinesByRole builderRole;
+  thisMachineIsABuilder = thisMachineHasRole builderRole;
+
+  # builders don't include themselves as a remote builder
+  otherBuilders = lib.filterAttrs (hostname: cfg: hostname != config.networking.hostName) builders;
+in
+lib.mkMerge [
+  # configure builder
+  (lib.mkIf thisMachineIsABuilder {
+    users.users.${builderUserName} = {
+      description = "Distributed Nix Build User";
+      group = builderUserName;
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/nix-builder";
+      useDefaultShell = true;
+      openssh.authorizedKeys.keys = builtins.map
+        (builderCfg: builderCfg.hostKey)
+        (builtins.attrValues config.machines.hosts);
+    };
+    users.groups.${builderUserName} = { };
+
+    nix.settings.trusted-users = [
+      builderUserName
+    ];
+  })
+
+  # use each builder
+  {
+    nix.distributedBuilds = true;
+
+    nix.buildMachines = builtins.map
+      (builderCfg: {
+        hostName = builtins.elemAt builderCfg.hostNames 0;
+        system = builderCfg.arch;
+        protocol = "ssh-ng";
+        sshUser = builderUserName;
+        sshKey = "/etc/ssh/ssh_host_ed25519_key";
+        maxJobs = 3;
+        speedFactor = 10;
+        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+      })
+      (builtins.attrValues otherBuilders);
+
+    # It is very likely that the builder's internet is faster or just as fast
+    nix.extraOptions = ''
+      builders-use-substitutes = true
+    '';
+  }
+]

common/pc/chromium.nix

@@ -17,38 +17,6 @@ let
       "PREFIX=$(out)"
     ];
   };
-
-  nvidia-vaapi-driver = pkgs.stdenv.mkDerivation rec {
-    pname = "nvidia-vaapi-driver";
-    version = "0.0.5";
-
-    src = pkgs.fetchFromGitHub {
-      owner = "elFarto";
-      repo = pname;
-      rev = "v${version}";
-      sha256 = "2bycqKolVoaHK64XYcReteuaON9TjzrFhaG5kty28YY=";
-    };
-
-    patches = [
-      ./use-meson-v57.patch
-    ];
-
-    nativeBuildInputs = with pkgs; [
-      meson
-      cmake
-      ninja
-      pkg-config
-    ];
-
-    buildInputs = with pkgs; [
-      nv-codec-headers-11-1-5-1
-      libva
-      gst_all_1.gstreamer
-      gst_all_1.gst-plugins-bad
-      libglvnd
-    ];
-  };
-
 in
 {
   config = lib.mkIf cfg.enable {

common/pc/default.nix

@@ -37,7 +37,6 @@ in
       mumble
       tigervnc
       bluez-tools
-      vscodium
       element-desktop
       mpv
       nextcloud-client

common/pc/vscodium.nix

@@ -4,8 +4,20 @@ let
   cfg = config.de;
 
   extensions = with pkgs.vscode-extensions; [
-    #    bbenoist.Nix # nix syntax support
+    bbenoist.nix # nix syntax support
-    #    arrterian.nix-env-selector  # nix dev envs
+    arrterian.nix-env-selector # nix dev envs
+    dart-code.dart-code
+    dart-code.flutter
+    golang.go
+    jnoortheen.nix-ide
+    ms-vscode.cpptools
+  ] ++ pkgs.vscode-utils.extensionsFromVscodeMarketplace [
+    {
+      name = "platformio-ide";
+      publisher = "platformio";
+      version = "3.1.1";
+      sha256 = "g9yTG3DjVUS2w9eHGAai5LoIfEGus+FPhqDnCi4e90Q=";
+    }
   ];
 
   vscodium-with-extensions = pkgs.vscode-with-extensions.override {

common/server/gitea-runner.nix

@@ -11,12 +11,6 @@ in
       type = lib.types.str;
       description = lib.mdDoc "gitea runner data directory.";
     };
-    instanceUrl = lib.mkOption {
-      type = lib.types.str;
-    };
-    registrationTokenFile = lib.mkOption {
-      type = lib.types.path;
-    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -35,13 +29,6 @@ in
     };
     users.groups.gitea-runner = { };
 
-    # registration token
-    services.gitea-runner.registrationTokenFile = "/run/agenix/gitea-runner-registration-token";
-    age.secrets.gitea-runner-registration-token = {
-      file = ../../secrets/gitea-runner-registration-token.age;
-      owner = "gitea-runner";
-    };
-
     systemd.services.gitea-runner = {
       description = "Gitea Runner";
 
@@ -57,40 +44,7 @@ in
 
       path = with pkgs; [ gitea-actions-runner ];
 
-      # based on https://gitea.com/gitea/act_runner/src/branch/main/run.sh
       script = ''
-        . ${cfg.registrationTokenFile}
-
-        if [[ ! -s .runner ]]; then
-          try=$((try + 1))
-          success=0
-
-          LOGFILE="$(mktemp)"
-
-          # The point of this loop is to make it simple, when running both act_runner and gitea in docker,
-          # for the act_runner to wait a moment for gitea to become available before erroring out.  Within
-          # the context of a single docker-compose, something similar could be done via healthchecks, but
-          # this is more flexible.
-          while [[ $success -eq 0 ]] && [[ $try -lt ''${10:-10} ]]; do
-            act_runner register \
-              --instance "${cfg.instanceUrl}" \
-              --token    "$GITEA_RUNNER_REGISTRATION_TOKEN" \
-              --name     "${config.networking.hostName}" \
-              --no-interactive > $LOGFILE 2>&1
-
-            cat $LOGFILE
-
-            cat $LOGFILE | grep 'Runner registered successfully' > /dev/null
-            if [[ $? -eq 0 ]]; then
-              echo "SUCCESS"
-              success=1
-            else
-              echo "Waiting to retry ..."
-              sleep 5
-            fi
-          done
-        fi
-
         exec act_runner daemon
       '';
     };

common/server/mailserver.nix

@@ -37,6 +37,10 @@ in
           # catchall for all domains
           aliases = map (domain: "@${domain}") domains;
         };
+        "cris@runyan.org" = {
+          hashedPasswordFile = "/run/agenix/cris-hashed-email-pw";
+          aliases = [ "chris@runyan.org" ];
+        };
         "robot@runyan.org" = {
           aliases = [
             "no-reply@neet.dev"
@@ -52,9 +56,16 @@ in
         "damon@runyan.org"
         "jonas@runyan.org"
       ];
+      forwards = {
+        "amazon@runyan.org" = [
+          "jeremy@runyan.org"
+          "cris@runyan.org"
+        ];
+      };
       certificateScheme = 3; # use let's encrypt for certs
     };
     age.secrets.hashed-email-pw.file = ../../secrets/hashed-email-pw.age;
+    age.secrets.cris-hashed-email-pw.file = ../../secrets/cris-hashed-email-pw.age;
     age.secrets.hashed-robots-email-pw.file = ../../secrets/hashed-robots-email-pw.age;
 
     # sendmail to use xxx@domain instead of xxx@mail.domain

flake.lock

@@ -171,11 +171,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1681591833,
+        "lastModified": 1682417654,
-        "narHash": "sha256-lW+xOELafAs29yw56FG4MzNOFkh8VHC/X/tRs1wsGn8=",
+        "narHash": "sha256-XtUhq1GTRzV7QebHkxjd7Z58E6lVEk6Iv1/pF/GnBB4=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "68ec961c51f48768f72d2bbdb396ce65a316677e",
+        "rev": "e3e320b19c192f40a5b98e8776e3870df62dee8a",
         "type": "github"
       },
       "original": {
@@ -186,11 +186,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1682133240,
+        "lastModified": 1682818264,
-        "narHash": "sha256-s6yRsI/7V+k/+rckp0+/2cs/UXnea3SEfMpy95QiGcc=",
+        "narHash": "sha256-EPr900C3WaYulOdWRF3BMQrjF2Ao5Jf8xUOnFvZDTXE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8dafae7c03d6aa8c2ae0a0612fbcb47e994e3fb8",
+        "rev": "297187b30a19f147ef260abb5abd93b0706af238",
         "type": "github"
       },
       "original": {
@@ -215,18 +215,6 @@
         "type": "indirect"
       }
     },
-    "nixpkgs-hostapd-pr": {
-      "flake": false,
-      "locked": {
-        "narHash": "sha256-1rGQKcB1jeRPc1n021ulyOVkA6L6xmNYKmeqQ94+iRc=",
-        "type": "file",
-        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
-      },
-      "original": {
-        "type": "file",
-        "url": "https://github.com/NixOS/nixpkgs/pull/222536.patch"
-      }
-    },
     "radio": {
       "inputs": {
         "flake-utils": [
@@ -277,7 +265,6 @@
         "flake-utils": "flake-utils",
         "nix-index-database": "nix-index-database",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-hostapd-pr": "nixpkgs-hostapd-pr",
         "radio": "radio",
         "radio-web": "radio-web",
         "simple-nixos-mailserver": "simple-nixos-mailserver"

flake.nix

@@ -1,8 +1,6 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/master";
-    # nixpkgs-patch-howdy.url = "https://github.com/NixOS/nixpkgs/pull/216245.diff";
-    # nixpkgs-patch-howdy.flake = false;
 
     flake-utils.url = "github:numtide/flake-utils";
 
@@ -39,9 +37,6 @@
     # prebuilt nix-index database
     nix-index-database.url = "github:Mic92/nix-index-database";
     nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
-
-    nixpkgs-hostapd-pr.url = "https://github.com/NixOS/nixpkgs/pull/222536.patch";
-    nixpkgs-hostapd-pr.flake = false;
   };
 
   outputs = { self, nixpkgs, ... }@inputs:
@@ -86,7 +81,7 @@
                 name = "nixpkgs-patched";
                 src = nixpkgs;
                 patches = [
-                  inputs.nixpkgs-hostapd-pr
+                  # no patches to nixpkgs at this time
                 ];
               };
               patchedNixpkgs = nixpkgs.lib.fix (self: (import "${patchedNixpkgsSrc}/flake.nix").outputs { self = nixpkgs; });

machines/phil/default.nix

@@ -5,8 +5,6 @@
     ./hardware-configuration.nix
   ];
 
-  services.gitea-runner = {
+  networking.hostName = "phil";
-    enable = true;
+  services.gitea-runner.enable = true;
-    instanceUrl = "https://git.neet.dev";
-  };
 }

machines/phil/properties.nix

@@ -9,6 +9,7 @@
   systemRoles = [
     "server"
     "gitea-runner"
+    "nix-builder"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";

machines/ray/default.nix

@@ -9,6 +9,9 @@
   services.tor.enable = true;
   services.tor.client.enable = true;
 
+  # don't use remote builders
+  nix.distributedBuilds = lib.mkForce false;
+
   # services.howdy.enable = true;
 
   hardware.openrazer.enable = true;
@@ -27,6 +30,7 @@
     # Wally Flashing rules for the Moonlander and Planck EZ
     SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
   '';
+  services.udev.packages = [ pkgs.platformio ];
   users.groups.plugdev = {
     members = [ "googlebot" ];
   };

machines/storage/s0/default.nix

@@ -5,7 +5,22 @@
     ./hardware-configuration.nix
   ];
 
-  system.autoUpgrade.enable = true;
+  networking.hostName = "s0";
+
+  # system.autoUpgrade.enable = true;
+
+  # gitea runner and allow it to build ARM derivations
+  services.gitea-runner.enable = true;
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+  nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
+
+  # binary cache
+  services.nix-serve = {
+    enable = true;
+    openFirewall = true;
+    secretKeyFile = "/run/agenix/binary-cache-private-key";
+  };
+  age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
 
   services.iperf3.enable = true;
   services.iperf3.openFirewall = true;

machines/storage/s0/properties.nix

@@ -9,6 +9,7 @@
     "storage"
     "server"
     "pia"
+    "binary-cache"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

machines/zoidberg/default.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  # services.spotifyd.enable = true;
+
+  # services.mount-samba.enable = true;
+
+  boot.loader.timeout = 15;
+
+  de.enable = true;
+  services.xserver.desktopManager.kodi.enable = true;
+
+  # virt-manager
+  virtualisation.libvirtd.enable = true;
+  programs.dconf.enable = true;
+  virtualisation.spiceUSBRedirection.enable = true;
+  environment.systemPackages = with pkgs; [ virt-manager ];
+  users.users.googlebot.extraGroups = [ "libvirtd" ];
+}

machines/zoidberg/hardware-configuration.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [
+      (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  # boot
+  efi.enable = true;
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+
+  # kernel
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  # disks
+  remoteLuksUnlock.enable = true;
+  boot.initrd.luks.devices."enc-pv" = {
+    device = "/dev/disk/by-uuid/04231c41-2f13-49c0-8fce-0357eea67990";
+    allowDiscards = true;
+
+    # Fetch key from USB drive
+    keyFileSize = 4096;
+    keyFile = "/dev/disk/by-id/usb-USB_Flash_Disk_10622352-0:0";
+    fallbackToPassword = true;
+  };
+  fileSystems."/" =
+    {
+      device = "/dev/disk/by-uuid/39ee326c-a42f-49f3-84d9-f10091a903cd";
+      fsType = "btrfs";
+    };
+  fileSystems."/boot" =
+    {
+      device = "/dev/disk/by-uuid/954B-AB3E";
+      fsType = "vfat";
+    };
+  swapDevices =
+    [{ device = "/dev/disk/by-uuid/44e36954-9f1c-49ae-af07-72b240f93a95"; }];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

machines/zoidberg/properties.nix

@@ -0,0 +1,14 @@
+{
+  hostNames = [
+    "zoidberg"
+  ];
+
+  arch = "x86_64-linux";
+
+  systemRoles = [
+    "personal"
+    "media-center"
+  ];
+
+  hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvdC1EiLqSNVmk5L1p7cWRIrrlelbK+NMj6tEBrwqIq";
+}

secrets/binary-cache-private-key.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPp1nw 4fyRGsaEo25EOj/VwPsF0tayghF0URctont4/re6OmY
+rs09DCSb2bd/v45a7ABxfLo+Sz3OPLkRzfnP5Tmgi0g
+-> ssh-ed25519 dMQYog seRjdySBF1GISaSUWqZNvoW4INDUCxvBKJOgvGeyX1Q
+fe6JE5f9A48ujVtuc0QZ7e7pWW+Tu0yyQEyexTvQWAQ
+-> Uqf![<-grease O}' _h*Y~ .@=$H,~W
+jDlO5MEGPDjJ44cAWuJaTeADbG+wz5PTqq9Pw75QV3Exrsb8/PNGOrUZKuSTCCl3
+g/z3ZHelBBqHp16ZTc+LSxDYgvnEfWMPZKo4mxgu
+--- GTBCzHJYUKbpcgq7+0HzBpqvo0F7TNSPjFKqdRDUYDk
+ÈÚú¡T+ñ—êtµ(פÉF	ÆS<C386>/R±+¢¼Š¯‘âLÃÝcÁ‰·‹1

secrets/cris-hashed-email-pw.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 6AT2/g q8AlvC9Dt+b8320A4BP92FghOoPyKttivfrsxqG6DGM
+GWz2QJY3QFc748DjHrybNxyAS/BmDgzIU8yoRFGbLjA
+-> ssh-ed25519 dMQYog i/6mNjO8XZGAxnN1SxJGr5uD+hzCIrh28+N7cvvXZGA
+hC+J+F9hVs8HZjLhCQ6RnGAHRE45G+p1oBPnwB+nBtE
+-> ]d^>n#.%-grease Qe6&35Kb ,",Wb`% 0SRX@d
+yXZqn1+E675gpQyFGk/c15Sc1/iwjI/6VrOE1RTcp0gJcsbtVv4kgYCkY+mK
+--- ykoio7g3wxV3VDvo2d3p/Y39NCh+cWPh7uL+Go30BLY
+i“˜Q+€hnïI¼_MßGrrf¯EE~µ(fFyâÿé&ȃ>sÀX<C380>›ú¤9~<7E>ä*Ç~ŽBãÕ4R¯ü=;’Â{Ý´+^<5E>P…¨ûrFza·C䢞î4V’

secrets/secrets.nix

@@ -14,12 +14,14 @@ with roles;
 {
   # email
   "hashed-email-pw.age".publicKeys = email-server;
+  "cris-hashed-email-pw.age".publicKeys = email-server;
   "sasl_relay_passwd.age".publicKeys = email-server;
   "hashed-robots-email-pw.age".publicKeys = email-server;
   "robots-email-pw.age".publicKeys = gitea;
 
-  # gitea
+  # nix binary cache
-  "gitea-runner-registration-token.age".publicKeys = gitea-runner;
+  # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+  "binary-cache-private-key.age".publicKeys = binary-cache;
 
   # vpn
   "iodine.age".publicKeys = iodine;