From 00db3ff9748714ff4080f5fe5d073d60c0ee1ca4 Mon Sep 17 00:00:00 2001 From: hodasemi Date: Thu, 3 Apr 2025 11:48:30 +0200 Subject: [PATCH] Split into flakes + common colmena file --- colmena.nix | 33 ++++++++++ dev_system.nix | 64 +++++------------- git_system.nix | 156 ++++++++++++++++++-------------------------- runner_system.nix | 79 +++++++--------------- shared/dev_user.nix | 13 ++++ shared/docker.nix | 6 ++ shared/ssh.nix | 14 ++++ shared/system.nix | 15 +++++ 8 files changed, 185 insertions(+), 195 deletions(-) create mode 100644 colmena.nix create mode 100644 shared/dev_user.nix create mode 100644 shared/docker.nix create mode 100644 shared/ssh.nix create mode 100644 shared/system.nix diff --git a/colmena.nix b/colmena.nix new file mode 100644 index 0000000..3879af2 --- /dev/null +++ b/colmena.nix @@ -0,0 +1,33 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + }; + outputs = { nixpkgs, ... }: { + colmena = { + meta = { + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = []; + }; + }; + + # needed ? + # + # deployment = { + # targetHost = "somehost.tld"; + # targetPort = 1234; + # targetUser = "luser"; + # }; + + git-system = { name, nodes, pkgs, ... }: { + import = "git_system.nix"; + }; + runner-system = { name, nodes, pkgs, ... }: { + import = "runner_system.nix"; + }; + dev-system = { name, nodes, pkgs, ... }: { + import = "dev_system.nix"; + }; + }; + }; +} \ No newline at end of file diff --git a/dev_system.nix b/dev_system.nix index ea1d19b..94091d4 100644 --- a/dev_system.nix +++ b/dev_system.nix 
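Review bot: The three node definitions (`git-system`, `runner-system`, `dev-system`) each set an attribute named `import` to a string, which is not how a module is pulled in: the NixOS module system treats the node body as config and will report that option `import` does not exist, and even a correct `imports` entry must be a path literal, since a bare string is not resolved relative to the flake. Each node should read `imports = [ ./git_system.nix ];` (and `./runner_system.nix`, `./dev_system.nix` respectively). The commented-out `deployment` block is the place where `targetHost`/`targetUser` will go; I believe colmena falls back to the node attribute name as the SSH host until then, which is worth stating in the comment so the placeholder is not mistaken for an oversight.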
@@ -7,55 +7,25 @@ { config, lib, pkgs, ... }: let - cfg = config.services.forgejo; - srv = cfg.settings.server; + cfg = config.services.forgejo; + srv = cfg.settings.server; in { - system.stateVersion = "24.11"; + imports = [ + "shared/system.nix" + "shared/dev_user.nix" + "shared/docker.nix" + "shared/ssh.nix" + ]; - nix = { - settings = { - experimental-features = [ "nix-command" "flakes" ]; + users.users = { + # connection only via ssh key + pipeline = { + isNormalUser = true; + home = "/home/pipeline"; + description = "User used by forgejo runners to connect to this system"; + extraGroups = [ "docker" ]; + openssh.authorizedKeys.keys = [ "TODO" ]; + }; }; - }; - - users.users = { - # connection only via ssh key - pipeline = { - isNormalUser = true; - home = "/home/pipeline"; - description = "User used by forgejo runners to connect to this system"; - extraGroups = [ "docker" ]; - openssh.authorizedKeys.keys = [ "TODO" ]; - }; - - # connection only via hashed password; - dev = { - isNormalUser = true; - home = "/home/dev"; - description = "User used to manually connect to this system (e.g. for maintenance)"; - extraGroups = [ "docker" "wheel" ]; - hashesPassword = "TODO"; - } - }; - - environment.systemPackages = with pkgs; [ - git - ]; - - virtualisation.docker = { - enable = true; - }; - - services = { - endlessh = { - enable = true; - port = 22; - }; - - openssh = { - enable = true; - ports = [ 23 ]; - }; - }; } \ No newline at end of file diff --git a/git_system.nix b/git_system.nix index fe59903..771451a 100644 --- a/git_system.nix +++ b/git_system.nix 
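Review bot: `imports` lists its modules as plain strings (`"shared/system.nix"` and the other three), which Nix does not treat as paths; the module system ends up calling `import` on a relative string and fails with "doesn't represent an absolute path", so these should be path literals: `imports = [ ./shared/system.nix ./shared/dev_user.nix ./shared/docker.nix ./shared/ssh.nix ];`. The same list appears in the git_system.nix and runner_system.nix hunks. The `cfg`/`srv` let bindings are kept although this host configures no forgejo service and nothing in the file reads them; they can go. The `pipeline` user is added to `docker` with a placeholder key, and since docker-group membership is effectively root on the host, a comment such as `# docker group is root-equivalent: whoever holds this key controls the host` would make the trust boundary explicit next to the `TODO`.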
@@ -7,107 +7,77 @@ { config, lib, pkgs, ... }: let - cfg = config.services.forgejo; - srv = cfg.settings.server; + cfg = config.services.forgejo; + srv = cfg.settings.server; in { - system.stateVersion = "24.11"; + imports = [ + "shared/system.nix" + "shared/dev_user.nix" + "shared/docker.nix" + "shared/ssh.nix" + ]; - nix = { - settings = { - experimental-features = [ "nix-command" "flakes" ]; - }; - }; - - environment.systemPackages = with pkgs; [ - git - ]; - - users.users = { - # connection only via hashed password; - dev = { - isNormalUser = true; - home = "/home/dev"; - description = "User used to manually connect to this system (e.g. for maintenance)"; - extraGroups = [ "docker" "wheel" ]; - hashesPassword = "TODO"; - } - }; - - virtualisation.docker = { - enable = true; - }; - - security.acme = { - defaults.email = "michael.huebner@ptspaper.de"; - acceptTerms = true; - }; - - services = { - endlessh = { - enable = true; - port = 22; + security.acme = { + defaults.email = "michael.huebner@ptspaper.de"; + acceptTerms = true; }; - openssh = { - enable = true; - ports = [ 23 ]; - }; - - nginx = { - enable = true; - virtualHosts.${srv.DOMAIN} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; - }; - }; - - forgejo = { - enable = true; - database.type = "postgres"; - lfs.enable = true; - settings = { - server = { - DOMAIN = "localhost"; - ROOT_URL = "https://${srv.DOMAIN}"; - HTTP_PORT = 3000; - SSH_PORT = 62; + services = { + nginx = { + enable = true; + virtualHosts.${srv.DOMAIN} = { + forceSSL = true; + enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}"; + }; }; - service.DISABLE_REGISTRATION = true; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - }; - }; - renovate = { - enable = true; - schedule = "TODO"; - credentials = 
{ - RENOVATE_TOKEN = "/etc/renovate/token"; - }; - settings = { - endpoint = "http://.de/api/v1/"; - persistRepoData = true; - platform = "forgejo"; - autodiscover = true; - onboardingConfig= { - extends= ["config:recommended"]; + forgejo = { + enable = true; + database.type = "postgres"; + lfs.enable = true; + settings = { + server = { + DOMAIN = "localhost"; + ROOT_URL = "https://${srv.DOMAIN}"; + HTTP_PORT = 3000; + SSH_PORT = 62; + }; + service.DISABLE_REGISTRATION = true; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + }; }; - prCommitsPerRunLimit= 0; - }; - }; - cron = { - enable = true; - systemCronJobs = [ - "00 03 * * * forgejo sh backup_forgejo.sh -d /var/lib/forgejo -u TODO -s TODO -p TODO" - ]; + renovate = { + enable = true; + schedule = "TODO"; + credentials = { + RENOVATE_TOKEN = "/etc/renovate/token"; + }; + settings = { + endpoint = "http://.de/api/v1/"; + persistRepoData = true; + platform = "forgejo"; + autodiscover = true; + onboardingConfig= { + extends= ["config:recommended"]; + }; + prCommitsPerRunLimit= 0; + }; + }; + + cron = { + enable = true; + systemCronJobs = [ + "00 03 * * * forgejo sh backup_forgejo.sh -d /var/lib/forgejo -u TODO -s TODO -p TODO" + ]; + }; }; - }; } \ No newline at end of file diff --git a/runner_system.nix b/runner_system.nix index 0f5fb1f..c6e300a 100644 --- a/runner_system.nix +++ b/runner_system.nix 
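Review bot: `renovate.settings.endpoint` is a placeholder `http://.de/api/v1/` over plain http while forgejo's `ROOT_URL` is already `https://${srv.DOMAIN}`; deriving it as `endpoint = "${srv.ROOT_URL}/api/v1/";` keeps the token read from `/etc/renovate/token` from ever travelling in clear and removes one TODO. The cron backup entry passes `-u TODO -s TODO -p TODO` on the command line; if `-p` is a password it becomes visible to every local user via the process list, so it should be read from a file like the renovate token is. `server.DOMAIN = "localhost"` together with `enableACME = true` on the same virtual host is presumably another placeholder, since ACME cannot issue a certificate for localhost and the host will fail activation until a real domain is set; a `# TODO: real domain` next to it would make that clear.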
@@ -7,63 +7,32 @@ { config, lib, pkgs, ... }: let - cfg = config.services.forgejo; - srv = cfg.settings.server; + cfg = config.services.forgejo; + srv = cfg.settings.server; in { - system.stateVersion = "24.11"; + imports = [ + "shared/system.nix" + "shared/dev_user.nix" + "shared/docker.nix" + "shared/ssh.nix" + ]; - nix = { - settings = { - experimental-features = [ "nix-command" "flakes" ]; + services = { + # TODO: forgejo runner + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "default-runner"; + url = "TODO"; + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + ]; + } + } }; - }; - - environment.systemPackages = with pkgs; [ - git - forgejo-runner - ]; - - users.users = { - # connection only via hashed password; - dev = { - isNormalUser = true; - home = "/home/dev"; - description = "User used to manually connect to this system (e.g. for maintenance)"; - extraGroups = [ "docker" "wheel" ]; - hashesPassword = "TODO"; - } - }; - - virtualisation.docker = { - enable = true; - }; - - services = { - endlessh = { - enable = true; - port = 22; - }; - - openssh = { - enable = true; - ports = [ 23 ]; - }; - - # TODO: forgejo runner - gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "default-runner"; - url = "TODO"; - tokenFile = config.age.secrets.forgejo-runner-token.path; - labels = [ - "ubuntu-latest:docker://node:16-bullseye" - "ubuntu-22.04:docker://node:16-bullseye" - "ubuntu-20.04:docker://node:16-bullseye" - ]; - } - } - }; } \ No newline at end of file diff --git a/shared/dev_user.nix b/shared/dev_user.nix new file mode 100644 index 0000000..1313afa --- /dev/null +++ b/shared/dev_user.nix 
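Review bot: The re-indented `gitea-actions-runner` block still lacks terminating semicolons: both `instances.default = { … }` and `gitea-actions-runner = { … }` end with a bare `}` before the next closing brace, which is a Nix parse error, so the tail should read `};` `};` `};`. `tokenFile = config.age.secrets.forgejo-runner-token.path` refers to the agenix option tree, but none of the files in this patch import agenix or declare `age.secrets.forgejo-runner-token`; unless that is done outside what is visible here, evaluation fails on an undefined `age` attribute. The labels map every `ubuntu-*` label to `node:16-bullseye`, a Node release that is end-of-life; a comment saying why that image was chosen, or a bump to a supported tag, would help the next maintainer.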
@@ -0,0 +1,13 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + users.users = { + # connection only via hashed password; + dev = { + isNormalUser = true; + home = "/home/dev"; + description = "User used to manually connect to this system (e.g. for maintenance)"; + extraGroups = [ "docker" "wheel" ]; + hashesPassword = "TODO"; + } + }; +} \ No newline at end of file diff --git a/shared/docker.nix b/shared/docker.nix new file mode 100644 index 0000000..7ff71c1 --- /dev/null +++ b/shared/docker.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + virtualisation.docker = { + enable = true; + }; +} \ No newline at end of file diff --git a/shared/ssh.nix b/shared/ssh.nix new file mode 100644 index 0000000..b8be40f --- /dev/null +++ b/shared/ssh.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + services = { + endlessh = { + enable = true; + port = 22; + }; + + openssh = { + enable = true; + ports = [ 23 ]; + }; + }; +} \ No newline at end of file diff --git a/shared/system.nix b/shared/system.nix new file mode 100644 index 0000000..31a4229 --- /dev/null +++ b/shared/system.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + system = "x86_64-linux"; + system.stateVersion = "24.11"; + + nix = { + settings = { + experimental-features = [ "nix-command" "flakes" ]; + }; + }; + + environment.systemPackages = with pkgs; [ + git + ]; +} \ No newline at end of file
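Review bot: `hashesPassword = "TODO"` misspells the option; NixOS defines `users.users.<name>.hashedPassword`, so the module system rejects this as a non-existent option (the typo was carried over from the three per-host files). The `dev = { … }` set is also closed with a bare `}` before `};` and needs its own semicolon. Once the name is fixed, a `"TODO"` value is not a valid crypt hash and should simply never match, so the account stays unusable until a real hash is set — worth a comment such as `# generate with mkpasswd -m sha-512; "TODO" is not a valid hash and locks the account`.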
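Review bot: `services.openssh.enable = true` with no `settings` leaves sshd at NixOS defaults, which in 24.11 still allow password and keyboard-interactive authentication; that matches the intent that `dev` logs in by password, but `settings.PermitRootLogin = "no";` should be set explicitly so root is unreachable even if a root hash is ever configured. A one-line header comment, `# 22 is an endlessh tarpit; the real sshd listens on 23`, would spare the reader from discovering the port swap by accident. Note that the `pipeline` user in dev_system.nix still has a `TODO` authorized key, so nothing can authenticate as that user yet.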
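Review bot: `system = "x86_64-linux";` and `system.stateVersion = "24.11";` in the same attribute set define `system` twice, once as a string and once as a set, which Nix rejects at parse time with "attribute 'system' already defined". There is no NixOS option `system` that takes a platform string; the platform is already fixed by `meta.nixpkgs` in colmena.nix, and if it is wanted per host the option is `nixpkgs.hostPlatform = "x86_64-linux";`. Dropping the first line is enough to make the module evaluate.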