fix: password errors that popped up

we write the contents of the hashedPasswordFile into a string to prevent issues with paths that are used from the host and are invalid on the deployment target
feat: add minimal dummy hardware config (to be replaced)
2025-04-24 18:00:06 +02:00 · 2025-04-24 17:59:48 +02:00 · 2025-04-24 17:23:51 +02:00 · 2025-04-24 17:21:13 +02:00
12 changed files with 287 additions and 189 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,6 +62,3 @@ $RECYCLE.BIN/
 *.lnk

 # End of https://www.toptal.com/developers/gitignore/api/visualstudiocode,windows,linux
-
-
-*.pw
--- a/colmena.nix
+++ b/colmena.nix
@ -1,33 +0,0 @@
-{
-    inputs = {
-        nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
-    };
-    outputs = { nixpkgs, ... }: {
-        colmena = {
-            meta = {
-                nixpkgs = import nixpkgs {
-                    system = "x86_64-linux";
-                    overlays = [];
-                };
-            };
-
-            # needed ?
-            #
-            # deployment = {
-            #   targetHost = "somehost.tld";
-            #   targetPort = 1234;
-            #   targetUser = "luser";
-            # };
-
-            git-system = { name, nodes, pkgs, ... }: {
-                import = "git_system.nix";
-            };
-            runner-system = { name, nodes, pkgs, ... }: {
-                import = "runner_system.nix";
-            };
-            dev-system = { name, nodes, pkgs, ... }: {
-                import = "dev_system.nix";
-            };
-        };
-    };
-}
--- a/dev_system.nix
+++ b/dev_system.nix
@ -5,27 +5,35 @@
 # NixOS-WSL specific options are documented on the NixOS-WSL repository:
 # https://github.com/nix-community/NixOS-WSL

-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
-    cfg = config.services.forgejo;
-    srv = cfg.settings.server;
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
 in
 {
-    imports = [
-        "shared/system.nix"
-        "shared/dev_user.nix"
-        "shared/docker.nix"
-        "shared/ssh.nix"
-    ];
+  imports = [
+    ./shared/system.nix
+    ./shared/dev_user.nix
+    ./shared/docker.nix
+    ./shared/ssh.nix

-    users.users = {
-        # connection only via ssh key
-        pipeline = {
-            isNormalUser = true;
-            home = "/home/pipeline";
-            description = "User used by forgejo runners to connect to this system";
-            extraGroups = [ "docker" ];
-            openssh.authorizedKeys.keys = [ "TODO" ];
-        };
+    ./dummy-hardware.nix
+  ];
+
+  users.users = {
+    # connection only via ssh key
+    pipeline = {
+      isNormalUser = true;
+      home = "/home/pipeline";
+      description = "User used by forgejo runners to connect to this system";
+      extraGroups = [ "docker" ];
+      openssh.authorizedKeys.keys = [ "TODO" ];
    };
-}
+  };
+}
+
--- a/dev_user_password.pw
+++ b/dev_user_password.pw
--- a/dummy-hardware.nix
+++ b/dummy-hardware.nix
@ -0,0 +1,14 @@
+# TODO: Copy paste after install nixos, this should include `hardware-configuration.nix`s contents
+{
+  boot.loader.systemd-boot.enable = true;
+
+  fileSystems."/" = {
+    device = "/dev/disk/bazqux";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/foobar";
+    fsType = "vfat";
+  };
+}
--- a/execute.sh
+++ b/execute.sh
@ -2,4 +2,4 @@

 openssl passwd -6 $1 > dev_user_password.pw

-colmena apply -f colmena.nix
+colmena apply
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1745279238,
+        "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,54 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+  };
+
+  outputs =
+    { nixpkgs, ... }:
+    {
+      colmena = {
+        meta = {
+          nixpkgs = import nixpkgs {
+            system = "x86_64-linux";
+            overlays = [ ];
+          };
+        };
+
+        git-system =
+          {
+            name,
+            nodes,
+            pkgs,
+            ...
+          }:
+          {
+            deployment = {
+              targetHost = "somehost.tld";
+              targetPort = 1234;
+              targetUser = "luser";
+            };
+            imports = [ ./git_system.nix ];
+          };
+        runner-system =
+          {
+            name,
+            nodes,
+            pkgs,
+            ...
+          }:
+          {
+            imports = [ ./runner_system.nix ];
+          };
+        dev-system =
+          {
+            name,
+            nodes,
+            pkgs,
+            ...
+          }:
+          {
+            imports = [ ./dev_system.nix ];
+          };
+      };
+    };
+}
--- a/git_system.nix
+++ b/git_system.nix
@ -5,99 +5,105 @@
 # NixOS-WSL specific options are documented on the NixOS-WSL repository:
 # https://github.com/nix-community/NixOS-WSL

-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
-    cfg = config.services.forgejo;
-    srv = cfg.settings.server;
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
 in
 {
-    imports = [
-        "shared/system.nix"
-        "shared/dev_user.nix"
-        "shared/docker.nix"
-        "shared/ssh.nix"
-    ];
+  imports = [
+    ./shared/system.nix
+    ./shared/dev_user.nix
+    ./shared/docker.nix
+    ./shared/ssh.nix
+  ];

-    programs = {
-        msmtp = {
-            enable = true;
-            defaults = {
-                tls = true;
-            };
-            accounts = {
-                default = {
-                    auth = true;
-                    host = "TODO: e.g. smtp.strato.de";
-                    port = 587;
-                    tls_starttls = true;
-                    from = "TODO: email";
-                    user = "TODO: email";
-                    password = "TODO";
-                };
-            };
+  programs = {
+    msmtp = {
+      enable = true;
+      defaults = {
+        tls = true;
+      };
+      accounts = {
+        default = {
+          auth = true;
+          host = "TODO: e.g. smtp.strato.de";
+          port = 587;
+          tls_starttls = true;
+          from = "TODO: email";
+          user = "TODO: email";
+          password = "TODO";
        };
+      };
+    };
+  };
+
+  security.acme = {
+    defaults.email = "michael.huebner@ptspaper.de";
+    acceptTerms = true;
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      virtualHosts.${srv.DOMAIN} = {
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          client_max_body_size 512M;
+        '';
+        locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+      };
    };

-    security.acme = {
-        defaults.email = "michael.huebner@ptspaper.de";
-        acceptTerms = true;
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = "localhost";
+          ROOT_URL = "https://${srv.DOMAIN}";
+          HTTP_PORT = 3000;
+          SSH_PORT = 62;
+        };
+        service.DISABLE_REGISTRATION = true;
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+      };
    };

-    services = {
-        nginx = {
-            enable = true;
-            virtualHosts.${srv.DOMAIN} = {
-                forceSSL = true;
-                enableACME = true;
-                extraConfig = ''
-                client_max_body_size 512M;
-                '';
-                locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
-            };
-        };
-
-        forgejo = {
-            enable = true;
-            database.type = "postgres";
-            lfs.enable = true;
-            settings = {
-                server = {
-                    DOMAIN = "localhost";
-                    ROOT_URL = "https://${srv.DOMAIN}";
-                    HTTP_PORT = 3000;
-                    SSH_PORT = 62;
-                };
-                service.DISABLE_REGISTRATION = true;
-                actions = {
-                    ENABLED = true;
-                    DEFAULT_ACTIONS_URL = "github";
-                };
-            };
-        };
-
-        renovate = {
-            enable = true;
-            schedule = "TODO";
-            credentials = {
-                RENOVATE_TOKEN = "/etc/renovate/token";
-            };
-            settings = {
-            endpoint = "http://<TODO>.de/api/v1/";
-            persistRepoData = true;
-            platform = "forgejo";
-            autodiscover = true;
-            onboardingConfig= {
-                extends= ["config:recommended"];
-            };
-            prCommitsPerRunLimit= 0;
-            };
-        };
-
-        cron = {
-            enable = true;
-            systemCronJobs = [
-                "00 03 * * * forgejo sh backup_forgejo.sh -d /var/lib/forgejo -u TODO -s TODO -p TODO"
-            ];
+    renovate = {
+      enable = true;
+      schedule = "TODO";
+      credentials = {
+        RENOVATE_TOKEN = "/etc/renovate/token";
+      };
+      settings = {
+        endpoint = "http://<TODO>.de/api/v1/";
+        persistRepoData = true;
+        platform = "forgejo";
+        autodiscover = true;
+        onboardingConfig = {
+          extends = [ "config:recommended" ];
        };
+        prCommitsPerRunLimit = 0;
+      };
    };
-}
+
+    cron = {
+      enable = true;
+      systemCronJobs = [
+        "00 03 * * * forgejo sh backup_forgejo.sh -d /var/lib/forgejo -u TODO -s TODO -p TODO"
+      ];
+    };
+  };
+}
+
--- a/runner_system.nix
+++ b/runner_system.nix
@ -5,34 +5,40 @@
 # NixOS-WSL specific options are documented on the NixOS-WSL repository:
 # https://github.com/nix-community/NixOS-WSL

-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
-    cfg = config.services.forgejo;
-    srv = cfg.settings.server;
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
 in
 {
-    imports = [
-        "shared/system.nix"
-        "shared/dev_user.nix"
-        "shared/docker.nix"
-        "shared/ssh.nix"
-    ];
+  imports = [
+    ./shared/system.nix
+    ./shared/dev_user.nix
+    ./shared/docker.nix
+    ./shared/ssh.nix
+  ];

-    services = {
-        # TODO: forgejo runner
-        gitea-actions-runner = {
-        package = pkgs.forgejo-actions-runner;
-        instances.default = {
-            enable = true;
-            name = "default-runner";
-            url = "TODO";
-            tokenFile = config.age.secrets.forgejo-runner-token.path;
-            labels = [
-                "ubuntu-latest:docker://node:16-bullseye"
-                "ubuntu-22.04:docker://node:16-bullseye"
-                "ubuntu-20.04:docker://node:16-bullseye"
-                ];
-            }
-        }
+  services = {
+    # TODO: forgejo runner
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "default-runner";
+        url = "TODO";
+        tokenFile = config.age.secrets.forgejo-runner-token.path;
+        labels = [
+          "ubuntu-latest:docker://node:16-bullseye"
+          "ubuntu-22.04:docker://node:16-bullseye"
+          "ubuntu-20.04:docker://node:16-bullseye"
+        ];
+      };
    };
-}
+  };
+}
+
--- a/shared/dev_user.nix
+++ b/shared/dev_user.nix
@ -1,13 +1,23 @@
-{ config, lib, pkgs, modulesPath, ... }:
 {
-    users.users = {
-        # connection only via hashed password;
-        dev = {
-            isNormalUser = true;
-            home = "/home/dev";
-            description = "User used to manually connect to this system (e.g. for maintenance)";
-            extraGroups = [ "docker" "wheel" ];
-            hashedPasswordFile = "dev_user_password.pw";
-        }
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  users.users = {
+    # connection only via hashed password;
+    dev = {
+      isNormalUser = true;
+      home = "/home/dev";
+      description = "User used to manually connect to this system (e.g. for maintenance)";
+      extraGroups = [
+        "docker"
+        "wheel"
+      ];
+      hashedPassword = "${builtins.readFile ./../dev_user_password.pw}";
    };
-}
+  };
+}
+
--- a/shared/system.nix
+++ b/shared/system.nix
@ -1,15 +1,24 @@
-{ config, lib, pkgs, modulesPath, ... }:
 {
-    system = "x86_64-linux";
-    system.stateVersion = "24.11";
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  system.stateVersion = "24.11";

-    nix = {
-        settings = {
-            experimental-features = [ "nix-command" "flakes" ];
-        };
+  nix = {
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    git
+  ];
+}

-    environment.systemPackages = with pkgs; [
-        git
-    ];
-}
Author	SHA1	Message	Date
aviac	58e1796853	fix: password errors that popped up we write the contents of the hashedPasswordFile into a string to prevent issues with paths that are used from the host and are invalid on the deployment target	2025-04-24 18:00:06 +02:00
aviac	cdd41f9979	feat: add minimal dummy hardware config (to be replaced)	2025-04-24 17:59:48 +02:00
aviac	7600b36484	feat: fix things mentioned by statix (nix linter)	2025-04-24 17:23:51 +02:00
aviac	e0f3e2fe79	feat: move colmena.nix to flake.nix and create flake.lock This also includes some little syntactical fixes. The commit is needed since colmena works mostly with nix' flake experiemental feature. It attempts to find a locked version of nixpkgs, which wasn't there yet. By using the standard name "flake.nix", nix automatically picks up the file and generates a `flake.lock` if it doesn't exist yet. This brings us one step closer to a buildable system.	2025-04-24 17:21:13 +02:00