From e011b893e0299c446849f352a048e8252577263e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 14:09:02 +0200 Subject: [PATCH 01/96] add forgejo --- .../services/development/forgejo/default.nix | 44 +++++++++++++++++++ .../{nextcloud.nix => nextcloud/default.nix} | 0 .../media/{nfs.nix => nfs/default.nix} | 0 systems/x86_64-linux/ulmo/default.nix | 7 +++ 4 files changed, 51 insertions(+) create mode 100644 modules/nixos/services/development/forgejo/default.nix rename modules/nixos/services/media/{nextcloud.nix => nextcloud/default.nix} (100%) rename modules/nixos/services/media/{nfs.nix => nfs/default.nix} (100%) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix new file mode 100644 index 0000000..be71064 --- /dev/null +++ b/modules/nixos/services/development/forgejo/default.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.development.forgejo; + svr = cfg.settings.server; +in +{ + options.${namespace}.services.development.forgejo = { + enable = mkEnableOption "Forgejo"; + }; + + config = mkIf cfg.enable { + services = { + forgejo = { + enable = true; + database.type = "postgres"; + + settings = { + server = { + # DOMAIN = ""; + HTTP_PORT = 5002; + }; + + service.DISABLE_REGISTRATION = true; + + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "forgejo"; + }; + }; + }; + + services.caddy = { + enable = true; + virtualHosts = { + "git.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/modules/nixos/services/media/nextcloud.nix b/modules/nixos/services/media/nextcloud/default.nix similarity index 100% rename from modules/nixos/services/media/nextcloud.nix rename to modules/nixos/services/media/nextcloud/default.nix 
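Review bot: The new `server` block sets `HTTP_PORT = 5002` but no `HTTP_ADDR`, and Forgejo's default bind address is 0.0.0.0, so the backend is reachable on :5002 directly rather than only through the Caddy `reverse_proxy http://127.0.0.1:5002` — anything later enforced in Caddy (forward-auth, TLS) is bypassable from any host that can reach that port, and the module should not rely on the NixOS firewall to close it. Add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT`. `svr = cfg.settings.server` references a `settings` option this module never declares; it is unused so laziness hides it, but it should be removed. `DEFAULT_ACTIONS_URL = "forgejo"` does not look like a valid value — Forgejo documents a base URL (e.g. `https://code.forgejo.org`), Gitea accepts `github`/`self` — so action resolution presumably fails as written; confirm against the version in use.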
diff --git a/modules/nixos/services/media/nfs.nix b/modules/nixos/services/media/nfs/default.nix similarity index 100% rename from modules/nixos/services/media/nfs.nix rename to modules/nixos/services/media/nfs/default.nix diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7a2540f..f47c580 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -7,8 +7,15 @@ sneeuwvlok = { services = { + authentication.authelia.enable = true; + authentication.zitadel.enable = true; + networking.ssh.enable = true; + media.enable = true; + media.nfs.enable = true; + + development.forgejo.enable = true; }; editor = { From 043eded2497049b3592b2efef2f135a9dfa40346 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 14:12:16 +0200 Subject: [PATCH 02/96] fix --- .../services/development/forgejo/default.nix | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index be71064..99b3a28 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -31,7 +31,26 @@ in }; }; - services.caddy = { + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.kruining.eu"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + "native:host" + ]; + }; + }; + + caddy = { enable = true; virtualHosts = { "git.kruining.eu".extraConfig = '' 
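Review bot: The runner label `native:host` lets any workflow that requests it execute directly on this host as the runner's service user with no container boundary, so every repository allowed to use Actions becomes host code execution; drop it unless every committer is trusted with the machine. `tokenFile = config.age.secrets.forgejo-runner-token.path` reads an agenix option while the rest of this tree uses sops-nix (`config.sops.secrets.…` elsewhere), so this likely fails evaluation; use `tokenFile = config.sops.secrets.forgejo-runner-token.path;`. The `node:16-*` images are end-of-life and no longer receive security updates; prefer a current LTS tag such as `node:22-bookworm`.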
From f289c3663a436230042cfede11adf50f76d5b08d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 15:04:12 +0200 Subject: [PATCH 03/96] switch flaresolverr to systemd service --- modules/nixos/services/media/default.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 7d76794..3909cd9 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -78,6 +78,7 @@ in sonarr = serviceConf; bazarr = serviceConf; lidarr = serviceConf; + flaresolverr = serviceConf; jellyseerr = { enable = true; @@ -135,11 +136,11 @@ in backend = "podman"; containers = { - flaresolverr = { - image = "flaresolverr/flaresolverr"; - autoStart = true; - ports = [ "127.0.0.1:8191:8191" ]; - }; + # flaresolverr = { + # image = "flaresolverr/flaresolverr"; + # autoStart = true; + # ports = [ "127.0.0.1:8191:8191" ]; + # }; reiverr = { image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; From f1ffa339766de95ebb61e47d074e580993b8dd03 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 11 Aug 2025 09:49:06 +0200 Subject: [PATCH 04/96] kaas --- .../nixos/services/authentication/authelia.nix | 17 +++++++++++++++++ .../services/development/forgejo/default.nix | 12 +++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia.nix index e706439..9990003 100644 --- a/modules/nixos/services/authentication/authelia.nix +++ b/modules/nixos/services/authentication/authelia.nix 
@@ -130,6 +130,23 @@ in scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } + { + client_id = "forgejo"; + client_name = "forgejo"; + # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F + client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg"; + public = false; + require_pkce = true; + pkce_challenge_method = "S256"; + token_endpoint_auth_method = "client_secret_post"; + authorization_policy = "one_factor"; + userinfo_signed_response_alg = "none"; + consent_mode = "implicit"; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + } ]; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 99b3a28..a773249 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -22,12 +22,20 @@ in HTTP_PORT = 5002; }; - service.DISABLE_REGISTRATION = true; + service = { + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + SHOW_REGISTRATION_BUTTON = false; + }; actions = { ENABLED = true; DEFAULT_ACTIONS_URL = "forgejo"; }; + + session = { + COOKIE_SECURE = true; + }; }; }; @@ -54,6 +62,8 @@ in enable = true; virtualHosts = { "git.kruining.eu".extraConfig = '' + import auth + reverse_proxy http://127.0.0.1:5002 ''; }; From 30f17f692c3b58cea67b653a129a0ac246da50b6 Mon Sep 17 00:00:00 2001 
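Review bot: The plaintext OIDC client secret is committed in the comment directly above `client_secret` (`# ZPuiW2gp…`), so the pbkdf2 hash below protects nothing — the secret is in git history and must be rotated, the comment deleted, and the hash ideally loaded from a sops-managed file rather than the world-readable Nix store. The `redirect_uris` entry is `http://localhost:5002/user/oauth2/authelia/callback`, but this same commit publishes Forgejo at `https://git.kruining.eu` behind Caddy, so Authelia's redirect-URI check will reject the real callback; use `redirect_uris = [ "https://git.kruining.eu/user/oauth2/authelia/callback" ];`.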
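Review bot: `import auth` in front of the whole `git.kruining.eu` vhost puts Authelia forward-auth ahead of every Forgejo path, including git-over-HTTPS and the API, which non-browser clients cannot satisfy; scope it to the UI paths (or handle `/api/*` and `*.git/*` before the import) if both are meant to keep working. With `DISABLE_REGISTRATION = true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = false`, a first-time Authelia login presumably cannot create its account, so only pre-provisioned users can sign in — if OIDC should onboard users, set `ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` (confirm against the Forgejo docs for the version deployed). `session.COOKIE_SECURE = true` is correct behind TLS.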
From: Chris Kruining Date: Wed, 13 Aug 2025 08:50:26 +0200 Subject: [PATCH 05/96] fix various bugs --- .../{authelia.nix => authelia/default.nix} | 0 .../nixos/services/authentication/default.nix | 1 - .../default.nix} | 0 .../{zitadel.nix => zitadel/default.nix} | 3 +- .../services/development/forgejo/default.nix | 51 ++++++++++--------- modules/nixos/services/media/default.nix | 6 ++- .../services/media/nextcloud/default.nix | 4 +- modules/nixos/services/media/nfs/default.nix | 4 +- .../nixos/system/security/sops/default.nix | 2 +- .../nixos/system/security/sudo/default.nix | 5 +- 10 files changed, 40 insertions(+), 36 deletions(-) rename modules/nixos/services/authentication/{authelia.nix => authelia/default.nix} (100%) delete mode 100644 modules/nixos/services/authentication/default.nix rename modules/nixos/services/authentication/{himmelblau.nix => himmelblau/default.nix} (100%) rename modules/nixos/services/authentication/{zitadel.nix => zitadel/default.nix} (93%) diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia/default.nix similarity index 100% rename from modules/nixos/services/authentication/authelia.nix rename to modules/nixos/services/authentication/authelia/default.nix diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix deleted file mode 100644 index c157af7..0000000 --- a/modules/nixos/services/authentication/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: {} diff --git a/modules/nixos/services/authentication/himmelblau.nix b/modules/nixos/services/authentication/himmelblau/default.nix similarity index 100% rename from modules/nixos/services/authentication/himmelblau.nix rename to modules/nixos/services/authentication/himmelblau/default.nix 
diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel/default.nix similarity index 93% rename from modules/nixos/services/authentication/zitadel.nix rename to modules/nixos/services/authentication/zitadel/default.nix index 6142857..1422b4f 100644 --- a/modules/nixos/services/authentication/zitadel.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -21,7 +21,8 @@ in zitadel = { enable = true; openFirewall = true; - masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + masterKeyFile = "/var/lib/zitadel/master_key"; tlsMode = "external"; settings = { Port = 9092; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index a773249..baa70cb 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -3,7 +3,7 @@ let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.development.forgejo; - svr = cfg.settings.server; + domain = "git.kruining.eu"; in { options.${namespace}.services.development.forgejo = { @@ -18,7 +18,8 @@ in settings = { server = { - # DOMAIN = ""; + DOMAIN = domain; + ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; }; @@ -28,10 +29,10 @@ in SHOW_REGISTRATION_BUTTON = false; }; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "forgejo"; - }; + # actions = { + # ENABLED = true; + # DEFAULT_ACTIONS_URL = "forgejo"; + # }; session = { COOKIE_SECURE = true; 
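Review bot: `masterKeyFile` moves from the sops-managed secret to a bare `/var/lib/zitadel/master_key`, with the `config.sops.secrets."zitadel/masterKey".path` line left commented out, so the key that encrypts Zitadel's stored secrets is now a file nothing in this configuration provisions, permission-checks or rotates. If the sops reference was failing, fix the secret declaration rather than bypass it; if this is a temporary workaround, say so in a `# TODO: restore sops-managed master key` comment so it does not ship. `openFirewall = true` is retained while `tlsMode = "external"` and Caddy terminates TLS, so port 9092 appears exposed in plaintext beyond localhost — confirm that is intended.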
@@ -39,29 +40,29 @@ in }; }; - gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "monolith"; - url = "https://git.kruining.eu"; - # Obtaining the path to the runner token file may differ - # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - tokenFile = config.age.secrets.forgejo-runner-token.path; - labels = [ - "ubuntu-latest:docker://node:16-bullseye" - "ubuntu-22.04:docker://node:16-bullseye" - "ubuntu-20.04:docker://node:16-bullseye" - "ubuntu-18.04:docker://node:16-buster" - "native:host" - ]; - }; - }; + # gitea-actions-runner = { + # package = pkgs.forgejo-actions-runner; + # instances.default = { + # enable = true; + # name = "monolith"; + # url = "https://git.kruining.eu"; + # # Obtaining the path to the runner token file may differ + # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + # tokenFile = config.age.secrets.forgejo-runner-token.path; + # labels = [ + # "ubuntu-latest:docker://node:16-bullseye" + # "ubuntu-22.04:docker://node:16-bullseye" + # "ubuntu-20.04:docker://node:16-bullseye" + # "ubuntu-18.04:docker://node:16-buster" + # "native:host" + # ]; + # }; + # }; caddy = { enable = true; virtualHosts = { - "git.kruining.eu".extraConfig = '' + ${domain}.extraConfig = '' import auth reverse_proxy http://127.0.0.1:5002 diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 3909cd9..f76e4ae 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -78,7 +78,11 @@ in sonarr = serviceConf; bazarr = serviceConf; lidarr = serviceConf; - flaresolverr = serviceConf; + + flaresolverr = { + enable = true; + openFirewall = true; + }; jellyseerr = { enable = true; diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud/default.nix index 658a5b4..14d6863 100644 
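Review bot: `flaresolverr = { enable = true; openFirewall = true; }` exposes FlareSolverr's unauthenticated HTTP API — which drives a headless browser on behalf of any caller — to every network the firewall faces, whereas the container it replaced was bound to `127.0.0.1:8191`. Its consumers appear to be the other services in this same module on the same host, so drop `openFirewall = true` and bind to loopback if the module offers an address option. In the Forgejo hunk the runner block is commented out rather than removed or gated on an option; dead configuration carrying a real secret path is easy to re-enable by accident, so delete it or put it behind `cfg.runner.enable`.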
--- a/modules/nixos/services/media/nextcloud/default.nix +++ b/modules/nixos/services/media/nextcloud/default.nix @@ -6,7 +6,7 @@ let cfg = config.${namespace}.services.media.nextcloud; in { - options.modules.services.nextcloud = { + options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; user = mkOption { @@ -40,7 +40,7 @@ in services.nextcloud = { enable = true; - webserver = "caddy"; + # webserver = "caddy"; package = pkgs.nextcloud31; hostName = "localhost"; diff --git a/modules/nixos/services/media/nfs/default.nix b/modules/nixos/services/media/nfs/default.nix index 7674e69..54b58e7 100644 --- a/modules/nixos/services/media/nfs/default.nix +++ b/modules/nixos/services/media/nfs/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.media.nfs; + cfg = config.${namespace}.services.media.nfs; in { - options.${namespace}.media.nfs = { + options.${namespace}.services.media.nfs = { enable = mkEnableOption "Enable NFS"; }; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index a75856d..68ab4ca 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -13,7 +13,7 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../secrets/secrets.yaml; + defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/"; diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix index 6dedf50..b79efbc 100644 --- a/modules/nixos/system/security/sudo/default.nix +++ b/modules/nixos/system/security/sudo/default.nix @@ -14,9 +14,8 @@ in sudo-rs = { enable = true; - extraConfig = '' - Defaults env_keep += "EDITOR PATH DISPLAY" - ''; + execWheelOnly = true; + extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"''; }; }; }; 
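Review bot: `Defaults env_keep += "EDITOR PATH DISPLAY"` carries the caller's `PATH` into the root session, which lets a compromised user account redirect any unqualified command run under sudo (including from scripts) to an attacker-controlled binary; keep `EDITOR DISPLAY` only and let `secure_path` govern `PATH`, assuming sudo-rs honours it. `execWheelOnly = true` is a good addition. In the sops hunk the unchanged `age.keyFile = "/home/";` is a directory, not a key file — it is context here, but the `defaultSopsFile` move is the moment to point it at the real age key.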
From d305bf6cee32904ca24e09ddd27516e12a8118a4 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 08:28:55 +0200 Subject: [PATCH 06/96] more zitadel work --- .../authentication/zitadel/default.nix | 66 +++++++++++++++---- 1 file changed, 53 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 1422b4f..812e819 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkForce; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -26,26 +26,59 @@ in tlsMode = "external"; settings = { Port = 9092; - Database = { - Host = "/run/postgresql"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User.Username = db_user; - }; - }; - steps = { - TestInstance = { - InstanceName = "Zitadel test"; + ExternalDomain = "kruining.eu"; + ExternalPort = 443; + + DefaultInstance = { + LoginPolicy.AllowRegister = false; Org = { - Name = "Kruining.eu"; + Name = "Zitadel"; Human = { UserName = "admin"; + FirstName = "Ad"; + LastName = "Min"; + Email = { + Address = "admin@kaas.nl"; + Verified = true; + }; Password = "kaas"; }; }; }; + + Database.postgres = { + Host = "localhost"; + # Zitadel will report error if port is not set + Port = 5432; + Database = db_name; + User = { + Username = db_user; + SSL.Mode = "disable"; + }; + Admin = { + Username = "postgres"; + SSL.Mode = "disable"; + }; + }; }; + # steps = { + # FirstInstance = { + # InstanceName = "Zitadel"; + # Org = { + # Name = "Zitadel"; + # Human = { + # UserName = "admin@zitadel.kruining.eu"; + # FirstName = "Ad"; + # LastName = "Min"; + # Email = { + # Address = "admin@kaas.nl"; + # Verified = true; + # }; + # Password = "kaas"; + # }; + # }; + # }; + # }; }; postgresql = { @@ -57,6 +90,13 @@ in ensureDBOwnership = true; } ]; + authentication = mkForce '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; }; caddy = { From 7c6c566798ed878d2d2130aae445b6a89f65b523 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 09:38:43 +0200 Subject: [PATCH 07/96] FINALLY, I'm in! --- .../authentication/zitadel/default.nix | 56 +++++++------------ 1 file changed, 20 insertions(+), 36 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 812e819..94915e1 100644 
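Review bot: The `authentication = mkForce '' local all all trust … host all all 127.0.0.1/32 trust … ''` block lets any local process or user connect to PostgreSQL as any role — including the `postgres` superuser that `Database.postgres.Admin` names — with no credential, and because of `mkForce` it replaces the module's policy for every database on this host, including Forgejo's. Zitadel only needs access for its own role; keep the module default and add a targeted `local <db> <user> peer` (or password) rule instead. The `DefaultInstance.Org.Human` admin is also created with `Password = "kaas"` and `Email.Verified = true` baked into the Nix store; that belongs in a secret file loaded through the module's `extraStepsPaths`-style option (if the version in use has it), not in git.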
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -26,25 +26,9 @@ in tlsMode = "external"; settings = { Port = 9092; - ExternalDomain = "kruining.eu"; + ExternalDomain = "auth-z.kruining.eu"; ExternalPort = 443; - - DefaultInstance = { - LoginPolicy.AllowRegister = false; - Org = { - Name = "Zitadel"; - Human = { - UserName = "admin"; - FirstName = "Ad"; - LastName = "Min"; - Email = { - Address = "admin@kaas.nl"; - Verified = true; - }; - Password = "kaas"; - }; - }; - }; + ExternalSecure = true; Database.postgres = { Host = "localhost"; @@ -61,24 +45,24 @@ in }; }; }; - # steps = { - # FirstInstance = { - # InstanceName = "Zitadel"; - # Org = { - # Name = "Zitadel"; - # Human = { - # UserName = "admin@zitadel.kruining.eu"; - # FirstName = "Ad"; - # LastName = "Min"; - # Email = { - # Address = "admin@kaas.nl"; - # Verified = true; - # }; - # Password = "kaas"; - # }; - # }; - # }; - # }; + steps = { + FirstInstance = { + InstanceName = "auth-z.kruining.eu"; + Org = { + Name = "Default"; + Human = { + UserName = "chris"; + FirstName = "Chris"; + LastName = "Kruining"; + Email = { + Address = "chris@kruining.eu"; + Verified = true; + }; + Password = "KaasIsAwesome1!"; + }; + }; + }; + }; }; postgresql = { From 06ad805206e5af2deb0dca62a954902fa76efd63 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 15:33:27 +0200 Subject: [PATCH 08/96] got zitadel and forgejo mostly up and running --- .../authentication/zitadel/default.nix | 16 +++++----- .../services/development/forgejo/default.nix | 31 +++++++++++++++++-- 2 files changed, 37 insertions(+), 10 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 94915e1..aa1a0dd 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
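Review bot: `Password = "KaasIsAwesome1!"` is the initial Zitadel admin password for `chris@kruining.eu`, committed to git and rendered into a world-readable `/nix/store` path, with `Email.Verified = true` so no confirmation step stands in the way. Rotate it now, move the `steps.FirstInstance` block into a sops-managed file referenced through `extraStepsPaths` (if the module version has it), and consider Zitadel's password-change-required flag for the first user so the bootstrap value cannot persist. `ExternalSecure = true` with `ExternalDomain = "auth-z.kruining.eu"` is the right pairing for the Caddy-fronted setup.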
@@ -90,14 +90,14 @@ in reverse_proxy h2c://127.0.0.1:9092 ''; }; - # extraConfig = '' - # (auth) { - # forward_auth h2c://127.0.0.1:9092 { - # uri /api/authz/forward-auth - # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - # } - # } - # ''; + extraConfig = '' + (auth-z) { + forward_auth h2c://127.0.0.1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index baa70cb..5342b56 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,24 +11,47 @@ in }; config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ forgejo ]; + services = { forgejo = { enable = true; + useWizard = false; database.type = "postgres"; settings = { + DEFAULT = { + APP_NAME = "Chris' Forge"; + }; + server = { DOMAIN = domain; ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; }; + security = { + PASSWORD_HASH_ALGO = "argon2"; + }; + service = { + REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything DISABLE_REGISTRATION = true; - ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; }; + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "https://auth-z.kruining.eu"; + }; + + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + }; + # actions = { # ENABLED = true; # DEFAULT_ACTIONS_URL = "forgejo"; @@ -63,7 +86,11 @@ in enable = true; virtualHosts = { ${domain}.extraConfig = '' - import auth + # import auth-z + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 ''; 
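Review bot: `openid.ENABLE_OPENID_SIGNIN = true` / `ENABLE_OPENID_SIGNUP = true` enable Forgejo's legacy OpenID 2.0 login, which is not what the Zitadel OIDC (`oauth2_client`) integration uses, and `WHITELISTED_URIS` only constrains that legacy path — so this opens an extra sign-in route nothing here needs; drop the `openid` block. The Caddy `rewrite /user/login /user/oauth2/Zitadel` only hides the form, as the comment itself admits; Forgejo (7+, Gitea 1.22) has `service.ENABLE_PASSWORD_SIGNIN_FORM = false` to actually remove password sign-in, and `REQUIRE_SIGNIN_VIEW = true` is a good addition alongside it. `PASSWORD_HASH_ALGO = "argon2"` and `useWizard = false` are fine.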
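Review bot: The new `(auth-z)` Caddy snippet points `forward_auth` at `/api/authz/forward-auth`, which is Authelia's endpoint; I do not believe Zitadel serves a compatible one there, so importing this snippet would fail closed (or, worse, be misread as protection) — it is only commented out on the Forgejo side, not verified. Either remove it or replace it with a real Zitadel-backed gate (e.g. an OIDC-capable proxy module) and add a comment stating which endpoint it relies on. The `reverse_proxy h2c://127.0.0.1:9092` for the UI itself is fine.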
From 4320acc0fb8629ee390b4dface0669372beb9b98 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 18 Aug 2025 10:28:12 +0200 Subject: [PATCH 09/96] add test workflow --- .forgejo/workflows/action.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .forgejo/workflows/action.yml diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml new file mode 100644 index 0000000..1119f37 --- /dev/null +++ b/.forgejo/workflows/action.yml @@ -0,0 +1,16 @@ +name: Test action + +on: + workflow_dispatch: + push: + branches: + - main + +jobs: + hello: + name: Print hello world + runs-on: ubuntu-latest + steps: + - name: Echo + run: | + echo "Hello, world!" \ No newline at end of file From ba05f561e7d5a73998c179f5a070dfb1c99ef40c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 18 Aug 2025 12:42:55 +0200 Subject: [PATCH 10/96] update deps --- flake.lock | 132 ++++++++++++++++++++++++++--------------------------- 1 file changed, 66 insertions(+), 66 deletions(-) diff --git a/flake.lock b/flake.lock index 1935971..27521bd 100644 --- a/flake.lock +++ b/flake.lock @@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1753879613, - "narHash": "sha256-oYhCJSAIZiu3maM2q6JBzh0+MYd4KTaq5eNFIstUurE=", + "lastModified": 1755108317, + "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "0ad38bd182cd737f0f4b878ea04cb3676ecd4000", + "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e", "type": "github" }, "original": { 
@@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1753944209, - "narHash": "sha256-dcGdqxhRRGoA/S38BsWOrwIiLYEBOqXKauHdFwKR310=", + "lastModified": 1755153894, + "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=", "owner": "nix-community", "repo": "fenix", - "rev": "5ef8607d6e8a08cfb3946aaacaa0494792adf4ae", + "rev": "f6874c6e512bc69d881d979a45379b988b80a338", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1753960679, - "narHash": "sha256-q82/pjksNMev2AJqK1v38BcK29kB2f7yB2GTEsrlR2M=", + "lastModified": 1755083788, + "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "c709bb72ee604949ff54df9519dc6cb0c6040007", + "rev": "523078b104590da5850a61dfe291650a6b49809c", "type": "github" }, "original": { @@ -230,11 +230,11 @@ ] }, "locked": { - "lastModified": 1753121425, - "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=", + "lastModified": 1754487366, + "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e", + "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1753279958, - "narHash": "sha256-EJ1udnwKYgWeAJzncAccbLPtbSWiuIANryXTGI9nY6w=", + "lastModified": 1755072091, + "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "6c26f99622cb1c705b3fe2dbe1eb88521096b25a", + "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa", "type": "github" }, "original": { 
@@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1753902883, - "narHash": "sha256-F7IUdBe//PDtcztUdu3XYxzJuKbYip6TwIRWLdrftO0=", + "lastModified": 1754593854, + "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "d01709bf0100183045927c03b90db78fb8e40bda", + "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed", "type": "github" }, "original": { @@ -452,11 +452,11 @@ ] }, "locked": { - "lastModified": 1753943136, - "narHash": "sha256-eiEE5SabVcIlGSTRcRyBjmJMaYAV95SJnjy8YSsVeW4=", + "lastModified": 1755121891, + "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd82507edd860c453471c46957cbbe3c9fd01b5c", + "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", "type": "github" }, "original": { @@ -473,11 +473,11 @@ ] }, "locked": { - "lastModified": 1753938227, - "narHash": "sha256-KzjI9khMC2tOL5FClh3sHq8Gax1O5Rw0bH1hvJ3FU3E=", + "lastModified": 1755151620, + "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "8d1f0004594e0eddc00159ad7666e669a6bcb711", + "rev": "16e12d22754d97064867006acae6e16da7a142a6", "type": "github" }, "original": { @@ -492,11 +492,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1753618592, - "narHash": "sha256-9sDACkrSbZOA1srKWQzvbkBFHZeXvHW8EYpWrVZPxDg=", + "lastModified": 1754828166, + "narHash": "sha256-i7c+fpXVsnvj2+63Gl3YfU1hVyxbLeqeFj55ZBZACWI=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "81b2f78680ca3864bfdc0d4cbc3444af3e1ff271", + "rev": "f01c8d121a3100230612be96e4ac668e15eafb77", "type": "github" }, "original": { 
@@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1753928630, - "narHash": "sha256-ASqyvmJ2EEUCyDJGMHRQ1ZqWnCd4SiVd7hi7dGBuSvw=", + "lastModified": 1755137329, + "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "30af81148ee29a4a13c938c25d3e68877b1b27fb", + "rev": "d9330bc35048238597880e89fb173799de9db5e9", "type": "github" }, "original": { @@ -621,11 +621,11 @@ ] }, "locked": { - "lastModified": 1753704990, - "narHash": "sha256-5E14xuNWy2Un1nFR55k68hgbnD8U2x/rE5DXJtYKusw=", + "lastModified": 1755171343, + "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "58c814cc6d4a789191f9c12e18277107144b0c91", + "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e", "type": "github" }, "original": { @@ -636,11 +636,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751186460, - "narHash": "sha256-tSnI50oYaXOi/SFUmJC+gZ2xE9pAhTnV0D2/3JoKL7g=", + "lastModified": 1754002724, + "narHash": "sha256-1NBby4k2UU9FR7a9ioXtCOpv8jYO0tZAGarMsxN8sz8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dd5540905b1a13176efa13fa2f8dac776bcb275a", + "rev": "8271ed4b2e366339dd622f329151e45745ade121", "type": "github" }, "original": { @@ -652,11 +652,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1753579242, - "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=", + "lastModified": 1754788789, + "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e", + "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", "type": "github" }, "original": { 
@@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1753948617, - "narHash": "sha256-68ounbeMLJTO/Igq0rEqjldNReb/r2gR9zgLU2qiH7A=", + "lastModified": 1755061300, + "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4f1a1d0af135001efc1a58c8f31ede7bb1045874", + "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5", "type": "github" }, "original": { @@ -715,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1753965693, - "narHash": "sha256-ks84bo0xIjUdRJGqLHQTyXR5OGb+8zUQg+XarbSEtrw=", + "lastModified": 1755178357, + "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "113bb8d5ca48dc31c62835b5fafed82092d87a91", + "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4", "type": "github" }, "original": { @@ -747,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1753694789, - "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=", + "lastModified": 1755027561, + "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727", + "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", "type": "github" }, "original": { @@ -763,11 +763,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1753432016, - "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", + "lastModified": 1755049066, + "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", + "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a", "type": "github" }, "original": { 
@@ -843,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1753878721, - "narHash": "sha256-Y+Kr6FTHggnZ31nhaiOhIboIi+dhnLmQ9p0xf0wwnDc=", + "lastModified": 1755115677, + "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=", "owner": "notashelf", "repo": "nvf", - "rev": "e35a74c44a35b28fd09f136dd3c0dbe9f300258f", + "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe", "type": "github" }, "original": { @@ -866,11 +866,11 @@ ] }, "locked": { - "lastModified": 1748196248, - "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=", + "lastModified": 1754501628, + "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "b7697abe89967839b273a863a3805345ea54ab56", + "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133", "type": "github" }, "original": { @@ -905,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1753838657, - "narHash": "sha256-4FA7NTmrAqW5yt4A3hhzgDmAFD0LbGRMGKhb1LBSItI=", + "lastModified": 1755004716, + "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "8611b714597c89b092f3d4874f14acd3f72f44fd", + "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194", "type": "github" }, "original": { @@ -946,11 +946,11 @@ "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { 
@@ -978,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1753919664, - "narHash": "sha256-U7Ts8VbVD4Z6n67gFx00dkpQJu27fMu173IUopX3pNI=", + "lastModified": 1755027820, + "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=", "owner": "nix-community", "repo": "stylix", - "rev": "30f5022236cf8dd257941cb0f910e198e7e464c7", + "rev": "c592717e9f713bbae5f718c784013d541346363d", "type": "github" }, "original": { From 3994f1fb98fc1cf44e8349e7e92938fcc2dbb367 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 18 Aug 2025 12:43:21 +0200 Subject: [PATCH 11/96] woot, got actions working! --- .forgejo/workflows/action.yml | 2 +- .../services/development/forgejo/default.nix | 57 ++++++++++++------- 2 files changed, 36 insertions(+), 23 deletions(-) diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 1119f37..4aac00e 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -9,7 +9,7 @@ on: jobs: hello: name: Print hello world - runs-on: ubuntu-latest + runs-on: default steps: - name: Echo run: | diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 5342b56..84b8ba6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,6 +11,8 @@ in }; config = mkIf cfg.enable { + ${namespace}.services.virtualisation.podman.enable = true; + environment.systemPackages = with pkgs; [ forgejo ]; services = { 
@@ -52,35 +54,46 @@ in UPDATE_AVATAR = true; }; - # actions = { - # ENABLED = true; - # DEFAULT_ACTIONS_URL = "forgejo"; - # }; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "https://git.kruining.eu"; + }; session = { COOKIE_SECURE = true; }; + + mailer = { + ENABLED = true; + SMTP_ADDR = "smpts://smtp.black-mail.nl"; + FROM = "noreply@kruining.eu"; + USER = "noreply@kruining.eu"; + }; }; + + mailerPasswordFile = "/var/lib/forgejo/custom/mail_password"; }; - # gitea-actions-runner = { - # package = pkgs.forgejo-actions-runner; - # instances.default = { - # enable = true; - # name = "monolith"; - # url = "https://git.kruining.eu"; - # # Obtaining the path to the runner token file may differ - # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - # tokenFile = config.age.secrets.forgejo-runner-token.path; - # labels = [ - # "ubuntu-latest:docker://node:16-bullseye" - # "ubuntu-22.04:docker://node:16-bullseye" - # "ubuntu-20.04:docker://node:16-bullseye" - # "ubuntu-18.04:docker://node:16-buster" - # "native:host" - # ]; - # }; - # }; + openssh.settings.AllowUsers = [ "forgejo" ]; + + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.kruining.eu"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + # tokenFile = config.age.secrets.forgejo-runner-token.path; + token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; + labels = [ + "default:docker://node:22-bullseye" + ]; + settings = { + + }; + }; + }; caddy = { enable = true; From a3cb9796b1d4c2acb45c6b4b6ab084a13120de83 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 19 Aug 2025 11:05:54 +0200 Subject: [PATCH 12/96] expand forgejo setup --- .../services/development/forgejo/default.nix | 53 +++++++++++++++++-- 1 file changed, 49 insertions(+), 4 deletions(-) 
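Review bot: The runner registration token is committed in clear text on the new `token = "…";` line of the gitea-actions-runner instance, while the `tokenFile = config.age.secrets.forgejo-runner-token.path;` line directly above it is commented out. Anything in this file ends up in git history and in the world-readable Nix store, so the token should be treated as exposed: rotate it in Forgejo and go back to the `tokenFile` form (the existing comment already describes the `TOKEN=` EnvironmentFile format). Separately, `openssh.settings.AllowUsers = [ "forgejo" ];` turns AllowUsers into an allow-list containing only the forgejo user, which will refuse every other SSH login on this host unless the list is merged with the admin users somewhere outside this hunk. `mailerPasswordFile = "/var/lib/forgejo/custom/mail_password";` also points at a file under the service's state directory that nothing in this hunk provisions, so the unit will not start until it exists.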
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 84b8ba6..9945691 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -30,17 +30,49 @@ in DOMAIN = domain; ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; + LANDING_PAGE = "explore"; + }; + + cors = { + ENABLED = true; + ALLOW_DOMAIN = "https://*.kruining.eu"; }; security = { + INSTALL_LOCK = true; PASSWORD_HASH_ALGO = "argon2"; + DISABLE_WEBHOOKS = true; + }; + + ui = { + EXPLORE_PAGING_NUM = 50; + ISSUE_PAGING_NUM = 50; + MEMBERS_PAGING_NUM = 50; + }; + + "ui.meta" = { + AUTHOR = "Where code is forged!"; + DESCRIPTION = "Self-hosted solution for git, because FOSS is the anvil of the future"; + }; + + admin = { + USER_DISABLED_FEATURES = "manage_gpg_keys"; + EXTERNAL_USER_DISABLE_FEATURES = "manage_gpg_keys"; }; service = { - REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything + # Auth + ENABLE_BASIC_AUTHENTICATION = false; DISABLE_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - SHOW_REGISTRATION_BUTTON = false; + + # Privacy + DEFAULT_KEEP_EMAIL_PRIVATE = true; + DEFAULT_USER_VISIBILITY = "private"; + DEFAULT_ORG_VISIBILITY = "private"; + + # Common sense + VALID_SITE_URL_SCHEMES = "https"; }; openid = { @@ -56,10 +88,23 @@ in actions = { ENABLED = true; - DEFAULT_ACTIONS_URL = "https://git.kruining.eu"; + }; + + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + + api = { + ENABLE_SWAGGER = false; + }; + + mirror = { + ENABLED = false; }; session = { + PROVIDER = "db"; COOKIE_SECURE = true; }; 
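Review bot: `ENABLE_BASIC_AUTHENTICATION = false;` in the `service` block deserves a comment on its consequence, because that option also governs git smart-HTTP, so users will not be able to push over HTTPS with a password or an access token and SSH becomes the only push path. If that is the intent (it fits the `openssh` allow-list elsewhere in this file), a line such as `# HTTPS push disabled on purpose; git access is SSH only` next to it would save the next reader a debugging session. The enclosing `settings` set continues outside this hunk.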
@@ -80,7 +125,7 @@ in package = pkgs.forgejo-actions-runner; instances.default = { enable = true; - name = "monolith"; + name = "default"; url = "https://git.kruining.eu"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd From 6511e513a3cd9eef4ff3139cf9b75ae2f7baf1b7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 19 Aug 2025 15:01:22 +0200 Subject: [PATCH 13/96] initial observability setup --- .../services/development/forgejo/default.nix | 3 +- .../grafana/dashboards/default.json | 7 ++ .../observability/grafana/default.nix | 100 ++++++++++++++++++ .../services/observability/loki/default.nix | 49 +++++++++ .../observability/prometheus/default.nix | 32 ++++++ .../observability/promtail/default.nix | 56 ++++++++++ systems/x86_64-linux/ulmo/default.nix | 9 +- 7 files changed, 253 insertions(+), 3 deletions(-) create mode 100644 modules/nixos/services/observability/grafana/dashboards/default.json create mode 100644 modules/nixos/services/observability/grafana/default.nix create mode 100644 modules/nixos/services/observability/loki/default.nix create mode 100644 modules/nixos/services/observability/prometheus/default.nix create mode 100644 modules/nixos/services/observability/promtail/default.nix diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 9945691..22c3123 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -113,10 +113,9 @@ in SMTP_ADDR = "smpts://smtp.black-mail.nl"; FROM = "noreply@kruining.eu"; USER = "noreply@kruining.eu"; + PASSWD = "/var/lib/forgejo/custom/mail_password"; }; }; - - mailerPasswordFile = "/var/lib/forgejo/custom/mail_password"; }; openssh.settings.AllowUsers = [ "forgejo" ]; 
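Review bot: `PASSWD = "/var/lib/forgejo/custom/mail_password";` sets the SMTP password to the literal path string, because `mailer.PASSWD` in app.ini is the secret itself; reading it from a file is what the removed `mailerPasswordFile = "/var/lib/forgejo/custom/mail_password";` line did. Restore that option and drop the `PASSWD` key from `mailer`, which keeps the password out of the Nix store as well. The `mailer` attribute set begins outside this hunk.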
diff --git a/modules/nixos/services/observability/grafana/dashboards/default.json b/modules/nixos/services/observability/grafana/dashboards/default.json new file mode 100644 index 0000000..f8ea8dc --- /dev/null +++ b/modules/nixos/services/observability/grafana/dashboards/default.json @@ -0,0 +1,7 @@ +{ + "title": "Default Dash", + "description": "The default dashboard", + "timezone": "browser", + "editable": false, + "panels": [] +} diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix new file mode 100644 index 0000000..1747330 --- /dev/null +++ b/modules/nixos/services/observability/grafana/default.nix 
@@ -0,0 +1,100 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.grafana; + + db_user = "grafana"; + db_name = "grafana"; +in +{ + options.${namespace}.services.observability.grafana = { + enable = mkEnableOption "enable Grafana"; + }; + + config = mkIf cfg.enable { + services.grafana = { + enable = true; + openFirewall = true; + + settings = { + server = { + http_port = 9001; + http_addr = "0.0.0.0"; + }; + database = { + type = "postgres"; + host = "/var/run/postgresql:5432"; + name = db_name; + user = db_user; + ssl_mode = "disable"; + }; + + users = { + allow_sign_up = false; + allow_org_create = false; + viewers_can_edit = false; + + default_theme = "system"; + }; + + analytics = { + reporting_enabled = false; + check_for_updates = false; + check_for_plugin_updates = false; + feedback_links_enabled = false; + }; + }; + + provision = { + enable = true; + + dashboards.settings = { + apiVersion = 1; + providers = [ + { + name = "Default Dashboard"; + disableDeletion = true; + allowUiUpdates = false; + options = { + path = "/etc/grafana/dashboards"; + foldersFromFilesStructure = true; + }; + } + ]; + }; + + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9002"; + isDefault = true; + editable = false; + } + + { + name = "Loki"; + type = "loki"; + url = "http://localhost:9003"; + editable = false; + } + ]; + }; + }; + + services.postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ + { + name = db_user; + ensureDBOwnership = true; + } + ]; + }; + + environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; + }; +} diff --git a/modules/nixos/services/observability/loki/default.nix b/modules/nixos/services/observability/loki/default.nix new file mode 100644 index 0000000..8f6e0e3 --- /dev/null 
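Review bot: Grafana is bound to every interface with `http_addr = "0.0.0.0";` and `openFirewall = true;`, and this hunk sets no `security.admin_password` and no `auth` section, so the stock admin login is reachable from the network as soon as the host is deployed. The other services in this series stay on loopback behind Caddy; `http_addr = "127.0.0.1";` without `openFirewall` would follow that pattern, with an admin password supplied as `security.admin_password = "$__file{<path-to-secret>}";` if a local admin is wanted at all. `users.allow_sign_up = false;` is a good default here, but it only matters once the listener is not open to everyone.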
+++ b/modules/nixos/services/observability/loki/default.nix @@ -0,0 +1,49 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.loki; +in +{ + options.${namespace}.services.observability.loki = { + enable = mkEnableOption "enable Grafana Loki"; + }; + + config = mkIf cfg.enable { + services.loki = { + enable = true; + configuration = { + auth_enabled = false; + + server = { + http_listen_port = 9003; + }; + + common = { + ring = { + instance_addr = "127.0.0.1"; + kvstore.store = "inmmemory"; + }; + replication_factor = 1; + path_prefix = "/tmp/loki"; + }; + + schema_config.configs = [ + { + from = "2025-01-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9003 ]; + }; +} diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix new file mode 100644 index 0000000..666a356 --- /dev/null +++ b/modules/nixos/services/observability/prometheus/default.nix @@ -0,0 +1,32 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.prometheus; +in +{ + options.${namespace}.services.observability.prometheus = { + enable = mkEnableOption "enable Prometheus"; + }; + + config = mkIf cfg.enable { + services.prometheus = { + enable = true; + port = 9002; + + globalConfig.scrape_interval = "15s"; + + scrapeConfigs = [ + { + job_name = "prometheus"; + static_configs = [ + { targets = [ "localhost:9002" ]; } + ]; + } + ]; + }; + + networking.firewall.allowedTCPPorts = [ 9002 ]; + }; +} 
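Review bot: `kvstore.store = "inmmemory";` in the Loki `common.ring` block is misspelled; the store name is `inmemory`, and Loki is likely to refuse the config rather than fall back. In the same hunk `auth_enabled = false;` is paired with `networking.firewall.allowedTCPPorts = [ 9003 ];`, so an unauthenticated Loki API (query and push) is reachable from the network although its only clients in this commit, Grafana and Promtail, are on the same host; the prometheus hunk below does the same with port 9002. Dropping both `allowedTCPPorts` entries keeps loopback access working while the host firewall covers the rest. `path_prefix = "/tmp/loki";` also puts the index and chunks under tmp, which may be cleaned on boot, so `/var/lib/loki` is the safer home for that state.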
diff --git a/modules/nixos/services/observability/promtail/default.nix b/modules/nixos/services/observability/promtail/default.nix new file mode 100644 index 0000000..1f32adc --- /dev/null +++ b/modules/nixos/services/observability/promtail/default.nix @@ -0,0 +1,56 @@ +{ pkgs, config, lib, namespace, ... }: +let + inherit (lib.modules) mkIf; + inherit (lib.options) mkEnableOption; + + cfg = config.${namespace}.services.observability.promtail; +in +{ + options.${namespace}.services.observability.promtail = { + enable = mkEnableOption "enable Grafana Promtail"; + }; + + config = mkIf cfg.enable { + services.promtail = { + enable = true; + + # Ensures proper permissions + extraFlags = [ + "-config.expand-env=true" + ]; + + configuration = { + server = { + http_listen_port = 9004; + grpc_listen_port = 0; + }; + + positions = { + filename = "filename"; + }; + + clients = { + url = "http://127.0.0.1:3100/loki/api/v1/push"; + }; + + scrape_configs = [ + { + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "ulmo"; + }; + }; + relabel_configs = [ + { source_labels = [ "__journal__systemd_unit" ]; target_label = "unit"; } + ]; + } + ]; + }; + }; + + networking.firewall.allowedTCPPorts = [ 9004 ]; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index f47c580..e191367 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,12 +10,19 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; + development.forgejo.enable = true; + networking.ssh.enable = true; media.enable = true; media.nfs.enable = true; - development.forgejo.enable = true; + observability = { + grafana.enable = true; + prometheus.enable = true; + loki.enable = true; + promtail.enable = true; + }; }; editor = { From 995fdaeb1d000332278b51568dfc18f3a98b9d03 Mon Sep 17 00:00:00 2001 
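Review bot: `clients = { url = "http://127.0.0.1:3100/loki/api/v1/push"; };` targets port 3100, while the Loki module added in this same commit listens on `http_listen_port = 9003`, so nothing will be shipped; Promtail's `clients` is also a list, so the form should be `clients = [ { url = "http://127.0.0.1:9003/loki/api/v1/push"; } ];`. `positions.filename = "filename";` is a relative path and will land wherever the unit's working directory happens to be; an absolute path such as `/var/lib/promtail/positions.yaml` survives restarts predictably. `networking.firewall.allowedTCPPorts = [ 9004 ];` exposes Promtail's own unauthenticated HTTP endpoint although no consumer for it is visible here. The `# Ensures proper permissions` comment on `extraFlags` is misleading, since `-config.expand-env=true` enables `${VAR}` expansion in the config file; `# Expand environment variables in the config file` describes what the flag does.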
From: Chris Kruining Date: Wed, 20 Aug 2025 15:15:03 +0200 Subject: [PATCH 14/96] working on grafana oidc and introduced new domain for hosting --- .../authentication/zitadel/default.nix | 8 +- .../services/development/forgejo/default.nix | 16 +- .../observability/grafana/default.nix | 166 +++++++++++------- .../observability/prometheus/default.nix | 20 ++- 4 files changed, 129 insertions(+), 81 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index aa1a0dd..a8cb4e6 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -26,7 +26,7 @@ in tlsMode = "external"; settings = { Port = 9092; - ExternalDomain = "auth-z.kruining.eu"; + ExternalDomain = "auth.amarth.cloud"; ExternalPort = 443; ExternalSecure = true; @@ -47,9 +47,9 @@ in }; steps = { FirstInstance = { - InstanceName = "auth-z.kruining.eu"; + InstanceName = "auth.amarth.cloud"; Org = { - Name = "Default"; + Name = "Amarth"; Human = { UserName = "chris"; FirstName = "Chris"; @@ -86,7 +86,7 @@ in caddy = { enable = true; virtualHosts = { - "auth-z.kruining.eu".extraConfig = '' + "auth.amarth.cloud".extraConfig = '' reverse_proxy h2c://127.0.0.1:9092 ''; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 22c3123..87882b6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -3,7 +3,7 @@ let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.development.forgejo; - domain = "git.kruining.eu"; + domain = "git.amarth.cloud"; in { options.${namespace}.services.development.forgejo = { @@ -35,7 +35,7 @@ in cors = { ENABLED = true; - ALLOW_DOMAIN = "https://*.kruining.eu"; + ALLOW_DOMAIN = "https://*.amarth.cloud"; }; security = { 
@@ -63,8 +63,9 @@ in service = { # Auth ENABLE_BASIC_AUTHENTICATION = false; - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; # Privacy DEFAULT_KEEP_EMAIL_PRIVATE = true; @@ -78,12 +79,13 @@ in openid = { ENABLE_OPENID_SIGNIN = true; ENABLE_OPENID_SIGNUP = true; - WHITELISTED_URIS = "https://auth-z.kruining.eu"; + WHITELISTED_URIS = "https://auth.amarth.cloud"; }; oauth2_client = { ENABLE_AUTO_REGISTRATION = true; UPDATE_AVATAR = true; + ACCOUNT_LINKING = "auto"; }; actions = { @@ -111,8 +113,8 @@ in mailer = { ENABLED = true; SMTP_ADDR = "smpts://smtp.black-mail.nl"; - FROM = "noreply@kruining.eu"; - USER = "noreply@kruining.eu"; + FROM = "info@amarth.cloud"; + USER = "amarth"; PASSWD = "/var/lib/forgejo/custom/mail_password"; }; }; @@ -125,7 +127,7 @@ in instances.default = { enable = true; name = "default"; - url = "https://git.kruining.eu"; + url = "https://git.amarth.cloud"; # Obtaining the path to the runner token file may differ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd # tokenFile = config.age.secrets.forgejo-runner-token.path; diff --git a/modules/nixos/services/observability/grafana/default.nix b/modules/nixos/services/observability/grafana/default.nix index 1747330..c399729 100644 --- a/modules/nixos/services/observability/grafana/default.nix +++ b/modules/nixos/services/observability/grafana/default.nix 
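Review bot: `ACCOUNT_LINKING = "auto";` together with `ENABLE_AUTO_REGISTRATION = true;` makes Forgejo attach an OAuth2 login to any existing local account whose email matches, without the account owner signing in; the more conservative value is `ACCOUNT_LINKING = "login";`, which asks for the local credentials once before linking. With a single self-hosted Zitadel as the only provider this is an acceptable trade-off, but it holds only as long as Zitadel is trusted to verify email addresses, and that assumption should be written next to the line, e.g. `# auto-link is safe only because Zitadel verifies emails`. The `service` and `oauth2_client` sets continue outside these hunks.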
@@ -14,87 +14,117 @@ in }; config = mkIf cfg.enable { - services.grafana = { - enable = true; - openFirewall = true; - - settings = { - server = { - http_port = 9001; - http_addr = "0.0.0.0"; - }; - database = { - type = "postgres"; - host = "/var/run/postgresql:5432"; - name = db_name; - user = db_user; - ssl_mode = "disable"; - }; - - users = { - allow_sign_up = false; - allow_org_create = false; - viewers_can_edit = false; - - default_theme = "system"; - }; - - analytics = { - reporting_enabled = false; - check_for_updates = false; - check_for_plugin_updates = false; - feedback_links_enabled = false; - }; - }; - - provision = { + services = { + grafana = { enable = true; + openFirewall = true; - dashboards.settings = { - apiVersion = 1; - providers = [ + settings = { + server = { + http_port = 9001; + http_addr = "0.0.0.0"; + domain = "ulmo"; + }; + + auth = { + disable_login_form = false; + oauth_auto_login = true; + }; + + "auth.basic".enable = false; + "auth.generic_oauth" = { + enable = true; + name = "Zitadel"; + client_id = "334170712283611395"; + client_secret = "AFjypmURdladmQn1gz2Ke0Ta5LQXapnuKkALVZ43riCL4qWicgV2Z6RlwpoWBZg1"; + scopes = "openid email profile offline_access urn:zitadel:iam:org:project:roles"; + email_attribute_path = "email"; + login_attribute_path = "username"; + name_attribute_path = "full_name"; + role_attribute_path = "contains(urn:zitadel:iam:org:project:roles[*], 'owner') && 'GrafanaAdmin' || contains(urn:zitadel:iam:org:project:roles[*], 'contributer') && 'Editor' || 'Viewer'"; + auth_url = "https://auth.amarth.cloud/oauth/v2/authorize"; + token_url = "https://auth.amarth.cloud/oauth/v2/token"; + api_url = "https://auth.amarth.cloud/oidc/v1/userinfo"; + allow_sign_up = true; + auto_login = true; + use_pkce = true; + usr_refresh_token = true; + allow_assign_grafana_admin = true; + }; + + database = { + type = "postgres"; + host = "/var/run/postgresql:5432"; + name = db_name; + user = db_user; + ssl_mode = "disable"; + }; + + users 
= { + allow_sign_up = false; + allow_org_create = false; + viewers_can_edit = false; + + default_theme = "system"; + }; + + analytics = { + reporting_enabled = false; + check_for_updates = false; + check_for_plugin_updates = false; + feedback_links_enabled = false; + }; + }; + + provision = { + enable = true; + + dashboards.settings = { + apiVersion = 1; + providers = [ + { + name = "Default Dashboard"; + disableDeletion = true; + allowUiUpdates = false; + options = { + path = "/etc/grafana/dashboards"; + foldersFromFilesStructure = true; + }; + } + ]; + }; + + datasources.settings.datasources = [ { - name = "Default Dashboard"; - disableDeletion = true; - allowUiUpdates = false; - options = { - path = "/etc/grafana/dashboards"; - foldersFromFilesStructure = true; - }; + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9005"; + isDefault = true; + editable = false; + } + + { + name = "Loki"; + type = "loki"; + url = "http://localhost:9003"; + editable = false; } ]; }; + }; - datasources.settings.datasources = [ + postgresql = { + enable = true; + ensureDatabases = [ db_name ]; + ensureUsers = [ { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:9002"; - isDefault = true; - editable = false; - } - - { - name = "Loki"; - type = "loki"; - url = "http://localhost:9003"; - editable = false; + name = db_user; + ensureDBOwnership = true; } ]; }; }; - services.postgresql = { - enable = true; - ensureDatabases = [ db_name ]; - ensureUsers = [ - { - name = db_user; - ensureDBOwnership = true; - } - ]; - }; - environment.etc."/grafana/dashboards/default.json".source = ./dashboards/default.json; }; } diff --git a/modules/nixos/services/observability/prometheus/default.nix b/modules/nixos/services/observability/prometheus/default.nix index 666a356..af5ee9d 100644 --- a/modules/nixos/services/observability/prometheus/default.nix +++ b/modules/nixos/services/observability/prometheus/default.nix 
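Review bot: `client_secret = "…";` is a live OAuth client secret committed into the repository and, through this module, into the world-readable Nix store; it should be rotated in Zitadel and loaded through Grafana's file provider instead, e.g. `client_secret = "$__file{<path-to-secret>}";` with the file provisioned by the sops-nix input this flake already pins. Three option names in the same block look mistyped: `usr_refresh_token = true;` should be `use_refresh_token`, and `"auth.basic".enable = false;` and `"auth.generic_oauth".enable = true;` use `enable` where Grafana's key is `enabled`, which would leave basic auth on and the OAuth provider off. The Prometheus datasource was repointed to `url = "http://localhost:9005";`, which is the node-exporter port added in this commit rather than Prometheus on 9002. `role_attribute_path` tests for the role `'contributer'`; if the Zitadel role is spelled `contributor` that branch never matches and everyone falls through to Viewer.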
@@ -1,7 +1,7 @@ { pkgs, config, lib, namespace, ... }: let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.observability.prometheus; in @@ -24,7 +24,23 @@ in { targets = [ "localhost:9002" ]; } ]; } + + { + job_name = "node"; + static_configs = [ + { targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; } + ]; + } ]; + + exporters = { + node = { + enable = true; + port = 9005; + enabledCollectors = [ "systemd" ]; + openFirewall = true; + }; + }; }; networking.firewall.allowedTCPPorts = [ 9002 ]; From f4ff383d283fb5d6cdd669ec252dee66097976ed Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 21 Aug 2025 14:53:28 +0200 Subject: [PATCH 15/96] improve forgejo and zitadel configs --- .../authentication/zitadel/default.nix | 36 +++++++++++++++++++ .../services/development/forgejo/default.nix | 11 +++--- 2 files changed, 43 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index a8cb4e6..a95d849 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
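Review bot: `openFirewall = true;` on the node exporter publishes host metrics, including the unit list from the `systemd` collector, to the network without authentication, while the only scraper configured is Prometheus on `localhost`. Dropping that line keeps the local scrape job working and matches the loopback-bound, Caddy-fronted pattern used for the other services in this series.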
@@ -26,10 +26,46 @@ in tlsMode = "external"; settings = { Port = 9092; + ExternalDomain = "auth.amarth.cloud"; ExternalPort = 443; ExternalSecure = true; + Metrics.Type = "otel"; + Tracing.Type = "otel"; + Telemetry.Enabled = true; + + SystemDefaults = { + PasswordHasher.Hasher.Algorithm = "argon2id"; + SecretHasher.Hasher.Algorithm = "argon2id"; + }; + + DefaultInstance = { + PasswordComplexityPolicy = { + MinLength = 20; + HasLowercase = false; + HasUppercase = false; + HasNumber = false; + HasSymbol = false; + }; + LoginPolicy = { + AllowRegister = false; + ForceMFA = true; + }; + LockoutPolicy = { + MaxPasswordAttempts = 5; + MaxOTPAttempts = 10; + }; + SMTPConfiguration = { + SMTP = { + Host = "black-mail.nl:587"; + User = "info@amarth.cloud"; + Password = "__TODO_USE_SOPS__"; + }; + FromName = "Amarth Zitadel"; + }; + }; + Database.postgres = { Host = "localhost"; # Zitadel will report error if port is not set diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 87882b6..bdabbd6 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -23,7 +23,8 @@ in settings = { DEFAULT = { - APP_NAME = "Chris' Forge"; + APP_NAME = "Tamin Amarth"; + APP_SLOGAN = "Where code is forged"; }; server = { @@ -112,10 +113,12 @@ in mailer = { ENABLED = true; - SMTP_ADDR = "smpts://smtp.black-mail.nl"; + PROTOCOL = "smtp+starttls"; + SMTP_ADDR = "black-mail.nl"; + SMTP_PORT = 587; FROM = "info@amarth.cloud"; - USER = "amarth"; - PASSWD = "/var/lib/forgejo/custom/mail_password"; + USER = "info@amarth.cloud"; + PASSWD = "__TODO_USE_SOPS__"; }; }; }; From 9a37316d9e810de22bc69eaf31f8696b048d0ecc Mon Sep 17 00:00:00 2001 
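Review bot: `Password = "__TODO_USE_SOPS__";` under `SMTPConfiguration.SMTP` sits inside `settings`, which the module renders into a YAML file in the Nix store, so even after the placeholder is replaced the value would be world-readable on the host. The module's `extraSettingsPaths` option takes additional YAML files, so the SMTP password can live in a sops-managed file merged at startup and this block can stay secret-free. The Forgejo hunk below carries the same placeholder in `PASSWD = "__TODO_USE_SOPS__";`, where the module's `mailerPasswordFile` option is the file-backed equivalent.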
From: Chris Kruining Date: Wed, 27 Aug 2025 15:24:12 +0200 Subject: [PATCH 16/96] add vaultwarden --- .../services/security/vaultwarden/default.nix | 80 ++++++++++++++++--- packages/vaultwarden/default.nix | 29 +++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 3 files changed, 100 insertions(+), 11 deletions(-) create mode 100644 packages/vaultwarden/default.nix diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 6870606..0bb05f7 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,7 +1,7 @@ { pkgs, config, lib, namespace, ... }: let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.security.vaultwarden; in 
@@ -11,18 +11,76 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - vaultwarden - vaultwarden-postgresql + systemd.tmpfiles.rules = [ + "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; - services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; + services = { + vaultwarden = { + enable = true; + dbBackend = "postgresql"; - config = { - SIGNUPS_ALLOWED = false; - DOMAIN = "https://passwords.kruining.eu"; + package = pkgs.${namespace}.vaultwarden; + + config = { + SIGNUPS_ALLOWED = false; + DOMAIN = "https://vault.kruining.eu"; + + ADMIN_TOKEN = ""; + + DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; + + WEB_VAULT_ENABLED = true; + + SSO_ENABLED = true; + SSO_ONLY = true; + SSO_PKCE = true; + SSO_AUTH_ONLY_NOT_SESSION = false; + SSO_ROLES_ENABLED = true; + SSO_ORGANIZATIONS_ENABLED = true; + SSO_ORGANIZATIONS_REVOCATION = true; + SSO_AUTHORITY = "https://auth.amarth.cloud/"; + SSO_SCOPES = "email profile offline_access"; + SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; + SSO_CLIENT_ID = "335178854421299459"; + SSO_CLIENT_SECRET = ""; + + ROCKET_ADDRESS = "::1"; + ROCKET_PORT = 8222; + ROCKET_LOG = "critical"; + + SMTP_HOST = "black-mail.nl"; + SMTP_PORT = 587; + SMTP_SECURITY = "starttls"; + SMTP_USERNAME = "info@amarth.cloud"; + SMTP_PASSWORD = ""; + SMTP_FROM = "info@amarth.cloud"; + SMTP_FROM_NAME = "Chris' Vaultwarden"; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ "vaultwarden" ]; + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; + }; + + caddy = { + enable = true; + virtualHosts = { + "vault.kruining.eu".extraConfig = '' + encode zstd gzip + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; }; }; }; diff --git a/packages/vaultwarden/default.nix b/packages/vaultwarden/default.nix new file mode 100644 index 0000000..243288b 
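Review bot: `ADMIN_TOKEN = "";`, `SSO_CLIENT_SECRET = "";` and `SMTP_PASSWORD = "";` are secret slots inside `services.vaultwarden.config`, which the module writes to an environment file in the Nix store, so once real values are filled in they become world-readable on the host and end up in git. The module's `services.vaultwarden.environmentFile` option exists for exactly these keys: leave them out of `config` and supply them from a root-only file (sops-nix is already an input of this flake). Two smaller points: `DOMAIN = "https://vault.kruining.eu";` while `SSO_AUTHORITY` is under `amarth.cloud` is fine only if the redirect URI registered in Zitadel uses the kruining.eu origin, and with `ROCKET_ADDRESS = "::1";` the Caddy upstream `http://localhost:…` relies on address fallback when `localhost` resolves to 127.0.0.1 first, so `http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}` is the unambiguous target.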
--- /dev/null +++ b/packages/vaultwarden/default.nix @@ -0,0 +1,29 @@ +{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }: +rustPlatform.buildRustPackage rec { + pname = "vaultwarden"; + version = "1.34.3"; + + src = fetchFromGitHub { + owner = "Timshel"; + repo = "vaultwarden"; + rev = "1.34.3"; + hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0="; + }; + + cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE="; + + # used for "Server Installed" version in admin panel + env.VW_VERSION = version; + + nativeBuildInputs = [ pkg-config ]; + buildInputs = + [ openssl ] + ++ lib.optional (dbBackend == "postgresql") postgresql; + + buildFeatures = dbBackend; + + meta = with lib; { + license = licenses.agpl3Only; + mainProgram = "vaultwarden"; + }; +} \ No newline at end of file diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index e191367..9876768 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -23,6 +23,8 @@ loki.enable = true; promtail.enable = true; }; + + security.vaultwarden.enable = true; }; editor = { From 39253ca0803ba43f0ced8035a218da70c71093e2 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 31 Aug 2025 17:30:45 +0200 Subject: [PATCH 17/96] update deps --- flake.lock | 108 ++++++++++++++++++++++++++--------------------------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/flake.lock b/flake.lock index 27521bd..d422094 100644 --- a/flake.lock +++ b/flake.lock 
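Review bot: `rev = "1.34.3";` duplicates `version = "1.34.3";` in the `fetchFromGitHub` call; `rev = version;` keeps the two from drifting on the next bump. Since this builds a third-party fork rather than upstream Vaultwarden, a `meta.description` naming the fork and why it is used (SSO support, from the config that consumes it) would help the next maintainer judge the supply-chain exposure; the fixed `hash` and `cargoHash` already pin the fetched content, which is the important part. The file also lacks a trailing newline.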
@@ -73,11 +73,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1755108317, - "narHash": "sha256-j7RGK7nyoHuJzQjVFBngpsVowIn4DAtprn66UyAFNRQ=", + "lastModified": 1756593129, + "narHash": "sha256-xpdGBk57lErbo03ZJS8uDDF5cZjoza7kzr7X+y0wj2g=", "owner": "emmanuelrosa", "repo": "erosanix", - "rev": "5aa322a6e586a2b46af65ab6c9a3d6042a95ff2e", + "rev": "f28776c49ddb4d34abc01092009fba0cd96836bd", "type": "github" }, "original": { @@ -94,11 +94,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1755153894, - "narHash": "sha256-DEKeIg3MQy5GMFiFRUzcx1hGGBN2ypUPTo0jrMAdmH4=", + "lastModified": 1756622179, + "narHash": "sha256-K3CimrAcMhdDYkErd3oiWPZNaoyaGZEuvGrFuDPFMZY=", "owner": "nix-community", "repo": "fenix", - "rev": "f6874c6e512bc69d881d979a45379b988b80a338", + "rev": "0abcb15ae6279dcb40a8ae7c1ed980705245cb79", "type": "github" }, "original": { @@ -114,11 +114,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1755083788, - "narHash": "sha256-CXiS6gfw0NH+luSpNhtRZjy4NqVFrmsYpoetu3N/fMk=", + "lastModified": 1756643456, + "narHash": "sha256-SbRGlArZnspW/xd/vnMPSyuZGXSVtxyJEoXpvpzDpSE=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "523078b104590da5850a61dfe291650a6b49809c", + "rev": "6772a49573fc08b3e05502cccd90a8f5a82ee42e", "type": "github" }, "original": { @@ -411,11 +411,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1755072091, - "narHash": "sha256-FCkbELHIFXlVREaopW13QFMzwLPr/otjucmyNLQQXeg=", + "lastModified": 1756381920, + "narHash": "sha256-h6FZq485lEhkTICK779ZQ2kUWe3BieUqIKuJ2jef7SI=", "owner": "vinceliuice", "repo": "grub2-themes", - "rev": "03d8c9cf0d1bcf67765ac5fa35263f1b08c584fa", + "rev": "8f30385f556a92ecbcc0c1800521730187da1cd7", "type": "github" }, "original": { 
@@ -432,11 +432,11 @@ ] }, "locked": { - "lastModified": 1754593854, - "narHash": "sha256-fiWzQKZP92+2nm9wGBa/UYuEdVJkshHqNpCFfklas8k=", + "lastModified": 1756413980, + "narHash": "sha256-pxTwEjWZ1GohJeTEpxoZRHRoLDZjDw9CarGqxE5e908=", "owner": "himmelblau-idm", "repo": "himmelblau", - "rev": "e0b9a3efdcf0c6c59ed3352ffb2b003ab6aa2fed", + "rev": "0c12a2b5862cd673307bbe191c1f7b52cf0f091a", "type": "github" }, "original": { @@ -452,11 +452,11 @@ ] }, "locked": { - "lastModified": 1755121891, - "narHash": "sha256-UtYkukiGnPRJ5rpd4W/wFVrLMh8fqtNkqHTPgHEtrqU=", + "lastModified": 1756650373, + "narHash": "sha256-Iz0dNCNvLLxVGjOOF1/TJvZ4iKXE96BTgKDObCs9u+M=", "owner": "nix-community", "repo": "home-manager", - "rev": "279ca5addcdcfa31ac852b3ecb39fc372684f426", + "rev": "e44549074a574d8bda612945a88e4a1fd3c456a8", "type": "github" }, "original": { @@ -473,11 +473,11 @@ ] }, "locked": { - "lastModified": 1755151620, - "narHash": "sha256-fVMalQZ+tRXR8oue2SdWu4CdlsS2NII+++rI40XQ8rU=", + "lastModified": 1756638688, + "narHash": "sha256-ddxbPTnIchM6tgxb6fRrCvytlPE2KLifckTnde/irVQ=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "16e12d22754d97064867006acae6e16da7a142a6", + "rev": "e7b8679cba79f4167199f018b05c82169249f654", "type": "github" }, "original": { @@ -507,11 +507,11 @@ }, "mnw": { "locked": { - "lastModified": 1748710831, - "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=", + "lastModified": 1756580127, + "narHash": "sha256-XK+ZQWjnd96Uko73jY1dc23ksnuWnF/Myc4rT/LQOmc=", "owner": "Gerg-L", "repo": "mnw", - "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d", + "rev": "ecdb5ba1b08ac198d9e9bfbf9de3b234fb1eb252", "type": "github" }, "original": { 
@@ -549,11 +549,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1755137329, - "narHash": "sha256-9MxuOLH7jk58IVUUDWwLeqk9U4ATE6X37955Ld+4/zw=", + "lastModified": 1756518625, + "narHash": "sha256-Mxh2wumeSsb968dSDksblubQqHTTdRTC5lH0gmhq9jI=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "d9330bc35048238597880e89fb173799de9db5e9", + "rev": "92654796f8f6c3279e4b7d409a3e5b43b0539a19", "type": "github" }, "original": { @@ -621,11 +621,11 @@ ] }, "locked": { - "lastModified": 1755171343, - "narHash": "sha256-h6bbfhqWcHlx9tcyYa7dhaEiNpusLCcFYkJ/AnltLW8=", + "lastModified": 1755261305, + "narHash": "sha256-EOqCupB5X5WoGVHVcfOZcqy0SbKWNuY3kq+lj1wHdu8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "e37cfef071466a9ca649f6899aff05226ce17e9e", + "rev": "203a7b463f307c60026136dd1191d9001c43457f", "type": "github" }, "original": { @@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1755061300, - "narHash": "sha256-eov82CkCrpiECJa3dyQ2da1sPGnAP3HK0UEra5eupaM=", + "lastModified": 1756578978, + "narHash": "sha256-dLgwMLIMyHlSeIDsoT2OcZBkuruIbjhIAv1sGANwtes=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d4df8d6cc1ccfd3e4349a1d54e4fb1171e7ec1f5", + "rev": "a85a50bef870537a9705f64ed75e54d1f4bf9c23", "type": "github" }, "original": { @@ -715,11 +715,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1755178357, - "narHash": "sha256-rzgUmlO5/pt7uPAlY6E70clNjg9JmrgBxalEj2zKq08=", + "lastModified": 1756653691, + "narHash": "sha256-tx6C07uPiAzq57mfb4EWDqPRV4BZVqvrlvDfibzL67U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6eac4364f979ef460fb6ebd17ca65b8dae03cba4", + "rev": "7a1057ff3f7636bc71f58671c3a1210742149f3b", "type": "github" }, "original": { 
@@ -747,11 +747,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1755027561, - "narHash": "sha256-IVft239Bc8p8Dtvf7UAACMG5P3ZV+3/aO28gXpGtMXI=", + "lastModified": 1756542300, + "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "005433b926e16227259a1843015b5b2b7f7d1fc3", + "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", "type": "github" }, "original": { @@ -763,11 +763,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1755049066, - "narHash": "sha256-ANrc15FSoOAdNbfKHxqEJjZLftIwIsenJGRb/04K41s=", + "lastModified": 1756536218, + "narHash": "sha256-ynQxPVN2FIPheUgTFhv01gYLbaiSOS7NgWJPm9LF9D0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e45f8f193029378d0aaee5431ba098dc80054e9a", + "rev": "a918bb3594dd243c2f8534b3be01b3cb4ed35fd1", "type": "github" }, "original": { @@ -843,11 +843,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1755115677, - "narHash": "sha256-98Ad2F5w1xW94KymQiBohNBYpFqMa0K28v9S1SzyTY8=", + "lastModified": 1756646417, + "narHash": "sha256-1dU+BRKjczVnsTznKGaM0xrWzg2+MGQqWlde0Id9JnI=", "owner": "notashelf", "repo": "nvf", - "rev": "c5dc7192496a1fad38134e54f8b4fca8ac51a9fe", + "rev": "939fb8cfc630190cd5607526f81693525e3d593b", "type": "github" }, "original": { @@ -866,11 +866,11 @@ ] }, "locked": { - "lastModified": 1754501628, - "narHash": "sha256-FExJ54tVB5iu7Dh2tLcyCSWpaV+lmUzzWKZUkemwXvo=", + "lastModified": 1756632588, + "narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "cca090f8115c4172b9aef6c5299ae784bdd5e133", + "rev": "d47428e5390d6a5a8f764808a4db15929347cd77", "type": "github" }, "original": { 
@@ -905,11 +905,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1755004716, - "narHash": "sha256-TbhPR5Fqw5LjAeI3/FOPhNNFQCF3cieKCJWWupeZmiA=", + "lastModified": 1756597274, + "narHash": "sha256-wfaKRKsEVQDB7pQtAt04vRgFphkVscGRpSx3wG1l50E=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "b2a58b8c6eff3c3a2c8b5c70dbf69ead78284194", + "rev": "21614ed2d3279a9aa1f15c88d293e65a98991b30", "type": "github" }, "original": { @@ -978,11 +978,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1755027820, - "narHash": "sha256-hBSU7BEhd05y/pC9tliYjkFp8AblkbNEkPei229+0Pg=", + "lastModified": 1755997543, + "narHash": "sha256-/fejmCQ7AWa655YxyPxRDbhdU7c5+wYsFSjmEMXoBCM=", "owner": "nix-community", "repo": "stylix", - "rev": "c592717e9f713bbae5f718c784013d541346363d", + "rev": "f47c0edcf71e802378b1b7725fa57bb44fe85ee8", "type": "github" }, "original": { From 5ddcaf35f638be39ecf9ecf96b3304d98e65036d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 10:32:38 +0200 Subject: [PATCH 18/96] fix zen --- flake.lock | 32 ++++++++++++++++++++---- flake.nix | 6 +++-- modules/home/application/zen/default.nix | 28 ++++++++++++++++++--- 3 files changed, 55 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index d422094..51907f8 100644 --- a/flake.lock +++ b/flake.lock @@ -465,6 +465,27 @@ "type": "github" } }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "zen-browser", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1756842514, + "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "jovian": { "inputs": { "nix-github-actions": "nix-github-actions", 
@@ -1164,18 +1185,19 @@ }, "zen-browser": { "inputs": { + "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1727721329, - "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=", - "owner": "MarceColl", + "lastModified": 1756876659, + "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=", + "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc", + "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529", "type": "github" }, "original": { - "owner": "MarceColl", + "owner": "0xc000022070", "repo": "zen-browser-flake", "type": "github" } diff --git a/flake.nix b/flake.nix index d696f4b..0712e81 100644 --- a/flake.nix +++ b/flake.nix @@ -41,7 +41,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - zen-browser.url = "github:MarceColl/zen-browser-flake"; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; @@ -95,6 +95,7 @@ permittedInsecurePackages = [ "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + "qtwebengine-5.15.19" ]; }; @@ -106,7 +107,8 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - plasma-manager.homeManagerModules.plasma-manager + zen-browser.homeModules.default + plasma-manager.homeModules.plasma-manager ]; }; } diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index ad4cb92..86fc3b6 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -10,8 +10,6 @@ in }; config = mkIf cfg.enable { - home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ]; - home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; 
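Review bot: The `permittedInsecurePackages` entry `"qtwebengine-5.15.19"` added to flake.nix carries no justification for allowing a package nixpkgs has marked insecure, nor any record of which derivation pulls it in. Zen is presumably a Firefox fork and would not need Qt WebEngine itself, so the real consumer is likely something else in the home closure; `nix why-depends` against the affected configuration would identify it. I'd put that on the line so the allowance does not outlive its cause, e.g. `"qtwebengine-5.15.19" # EOL upstream; required by <pkg> — drop once it moves to Qt 6`. The switch of the `zen-browser` input to a different GitHub owner is pinned by `rev` and `narHash` in the lock, which is fine, but a one-line comment on why the fork changed hands would help anyone auditing the input later.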
@@ -20,20 +18,42 @@ in policies = { AutofillAddressEnabled = true; AutofillCreditCardEnabled = false; + + AppAutoUpdate = false; DisableAppUpdate = true; + ManualAppUpdateOnly = true; + DisableFeedbackCommands = true; DisableFirefoxStudies = true; DisablePocket = true; DisableTelemetry = true; - # DontCheckDefaultBrowser = false; + + DontCheckDefaultBrowser = false; NoDefaultBookmarks = true; - # OfferToSaveLogins = false; + OfferToSaveLogins = false; EnableTrackingProtection = { Value = true; Locked = true; Cryptomining = true; Fingerprinting = true; }; + + HttpAllowlist = [ + "http://ulmo" + ]; + }; + + policies.ExtensionSettings = let + mkExtension = id: { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi"; + installation_mode = "force_installed"; + }; + in + { + ublock_origin = 4531307; + ghostry = 4562168; + bitwarden = 4562769; + sponsorblock = 4541835; }; }; }; From a29b75753016bbe5132d8d00192337c954261348 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 15:12:30 +0200 Subject: [PATCH 19/96] restructure media services --- modules/nixos/services/media/default.nix | 137 +++++++++++++++-------- 1 file changed, 88 insertions(+), 49 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index f76e4ae..bc41fb4 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix 
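Review bot: In the new `policies.ExtensionSettings` block the `mkExtension` helper declared in the `let` is never applied — the attribute set binds bare AMO numeric IDs (`ublock_origin = 4531307;`) instead of `mkExtension 4531307`, and the attribute names are arbitrary labels rather than the add-on IDs that Firefox's ExtensionSettings policy is keyed on. As written the policy is emitted as integers under unknown keys and, as far as I can tell, none of the four extensions will be force-installed. Each entry should use the add-on's ID as the key and the helper as the value, e.g. `"uBlock0@raymondhill.net" = mkExtension 4531307;`, with the other three needing their respective IDs from AMO (and `ghostry` should read `ghostery`). Separately, `install_url` pointing at `.../latest.xpi` with `installation_mode = "force_installed"` pulls whatever AMO serves next — acceptable for a personal profile, but worth a comment given that `DisableAppUpdate`/`ManualAppUpdateOnly` show the intent to control what updates.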
@@ -66,38 +66,73 @@ in # Services #========================================================================= services = let - serviceConf = { + arrService = { + enable = true; + openFirewall = true; + + settings = { + auth.AuthenticationMethod = "External"; + + # postgres = { + # PostgresHost = "localhost"; + # PostgresPort = "5432"; + # PostgresUser = "media"; + # }; + }; + }; + + withPort = port: service: service // { settings.server.Port = builtins.toString port; }; + + withUserAndGroup = service: service // { + user = cfg.user; + group = cfg.group; + }; + in { + radarr = + arrService + |> withPort 2001 + |> withUserAndGroup; + + sonarr = + arrService + |> withPort 2002 + |> withUserAndGroup; + + lidarr = + arrService + |> withPort 2003 + |> withUserAndGroup; + + prowlarr = + arrService + |> withPort 2004; + + bazarr = { + enable = true; + openFirewall = true; + user = cfg.user; + group = cfg.group; + listenPort = 2005; + }; + + # port is harcoded in nixpkgs module + jellyfin = { enable = true; openFirewall = true; user = cfg.user; group = cfg.group; }; - in { - jellyfin = serviceConf; - radarr = serviceConf; - sonarr = serviceConf; - bazarr = serviceConf; - lidarr = serviceConf; flaresolverr = { enable = true; openFirewall = true; - }; - - jellyseerr = { - enable = true; - openFirewall = true; - }; - - prowlarr = { - enable = true; - openFirewall = true; + port = 2007; }; qbittorrent = { enable = true; openFirewall = true; - webuiPort = 5000; + webuiPort = 2008; serverConfig = { LegalNotice.Accepted = true; @@ -107,6 +142,7 @@ in group = cfg.group; }; + # port is harcoded in nixpkgs module sabnzbd = { enable = true; openFirewall = true; 
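Review bot: The new `arrService` template sets `auth.AuthenticationMethod = "External"` while also keeping `openFirewall = true`, so Radarr, Sonarr, Lidarr and Prowlarr will answer unauthenticated on ports 2001–2004 to anything the host's firewall admits — `"External"` tells the *arr apps to trust that a reverse proxy already authenticated the request, but nothing in this hunk places one in front of them (the only vhost with `import auth`, `media.kruining.eu`, is removed in the next hunk). Either drop `openFirewall` and reach the apps only through Caddy with the `auth` snippet, or keep the default forms login; in both cases I'd pin the assumption in a comment: `# "External" disables the built-in login — only safe when the port is reachable solely via the authenticating proxy`. Also, `withPort` writes `settings.server.Port` (capital P, as a string) whereas the homer module added later in this series reads `config.services.radarr.settings.server.port`; if the nixpkgs option is the lowercase one these are two different keys that may collide when flattened into the `RADARR__SERVER__PORT` environment variable, so worth confirming which spelling the module expects.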
@@ -116,46 +152,49 @@ in group = cfg.group; }; + # postgresql = { + # enable = true; + # ensureDatabases = [ + # "radarr-main" "radarr-log" + # "sonarr-main" "sonarr-log" + # "lidarr-main" "lidarr-log" + # "prowlarr-main" "prowlarr-log" + # ]; + # identMap = '' + # media media radarr-main + # media media radarr-log + # media media sonarr-main + # media media sonarr-log + # media media lidarr-main + # media media lidarr-log + # media media prowlarr-main + # media media prowlarr-log + # ''; + # ensureUsers = [ + # { name = "radarr-main"; ensureDBOwnership = true; } + # { name = "radarr-log"; ensureDBOwnership = true; } + + # { name = "sonarr-main"; ensureDBOwnership = true; } + # { name = "sonarr-log"; ensureDBOwnership = true; } + + # { name = "lidarr-main"; ensureDBOwnership = true; } + # { name = "lidarr-log"; ensureDBOwnership = true; } + + # { name = "prowlarr-main"; ensureDBOwnership = true; } + # { name = "prowlarr-log"; ensureDBOwnership = true; } + # ]; + # }; + caddy = { enable = true; virtualHosts = { - "media.kruining.eu".extraConfig = '' - import auth - - reverse_proxy http://127.0.0.1:9494 - ''; "jellyfin.kruining.eu".extraConfig = '' - reverse_proxy http://127.0.0.1:8096 + reverse_proxy http://[::1]:8096 ''; }; }; }; systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL"; - - ${namespace}.services.virtualisation.podman.enable = true; - - virtualisation = { - oci-containers = { - backend = "podman"; - - containers = { - # flaresolverr = { - # image = "flaresolverr/flaresolverr"; - # autoStart = true; - # ports = [ "127.0.0.1:8191:8191" ]; - # }; - - reiverr = { - image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; - autoStart = true; - ports = [ "127.0.0.1:9494:9494" ]; - volumes = [ "${cfg.path}/reiverr/config:/config" ]; - }; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 6969 ]; }; } From 77588062829c85f58e9cff7d383adc1fcd7b4b0b Mon Sep 17 00:00:00 2001 
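Review bot: This hunk drops `networking.firewall.allowedTCPPorts = [ 80 443 6969 ];` but the NixOS Caddy module does not open the firewall on its own, so unless another module on `ulmo` still opens 80/443 the remaining `jellyfin.kruining.eu` vhost becomes unreachable from outside; if that list is intentionally moving elsewhere, a comment saying where would save the next reader a hunt. The surviving vhost proxies Jellyfin to `[::1]:8096` without the `import auth` that the removed `media.kruining.eu` vhost had — pre-existing, but now it is the only public media endpoint, so it deserves an explicit note such as `# Jellyfin does its own login; no proxy auth by design`. Proxying to `[::1]` also assumes Jellyfin binds IPv6 loopback, which is the default but worth confirming on this host.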
From: Chris Kruining Date: Wed, 3 Sep 2025 15:12:41 +0200 Subject: [PATCH 20/96] add homer dashboard --- .../nixos/services/media/homer/default.nix | 73 +++++++++++++++++++ systems/x86_64-linux/ulmo/default.nix | 1 + 2 files changed, 74 insertions(+) create mode 100644 modules/nixos/services/media/homer/default.nix diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix new file mode 100644 index 0000000..263af83 --- /dev/null +++ b/modules/nixos/services/media/homer/default.nix @@ -0,0 +1,73 @@ +{ config, lib, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.media.homer; +in +{ + options.${namespace}.services.media.homer = { + enable = mkEnableOption "Enable homer"; + }; + + config = mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 2000 ]; + + services = { + homer = { + enable = true; + + virtualHost = { + caddy.enable = true; + domain = "http://:2000"; + }; + + settings = { + title = "Ulmo dashboard"; + + columns = 4; + connectivityCheck = true; + + links = [ + { + name = "Git"; + icon = "fab fa-forgejo"; + url = "https://git.amarth.cloud"; + + } + ]; + + services = [ + { + name = "Services"; + items = [ + { + name = "Zitadel"; + tag = "authentication"; + keywords = "auth"; + url = "https://auth.amarth.cloud"; + } + ]; + } + + { + name = "Media"; + items = [ + { + name = "Radarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + } + + { + name = "Sonarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + } + ]; + } + ]; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 9876768..4108dc9 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix 
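Review bot: The homer vhost is bound as `domain = "http://:2000"` and `networking.firewall.allowedTCPPorts = [ 2000 ];` opens that port, so the dashboard is served over plain HTTP on every interface with no authentication, and it enumerates the internal hostname and port of every other service. The rest of this repo fronts services with Caddy and an `auth` snippet, so I'd either give homer a real hostname behind that snippet or bind it to loopback and drop the firewall rule. If LAN-wide unauthenticated access is the intent, record it on the firewall line: `# dashboard is intentionally unauthenticated: LAN-only, no secrets in its config`.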
@@ -15,6 +15,7 @@ networking.ssh.enable = true; media.enable = true; + media.homer.enable = true; media.nfs.enable = true; observability = { From 6379b5e2de250d8203750727ecb9fe7934bca62b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 16:45:20 +0200 Subject: [PATCH 21/96] improve zen config --- flake.nix | 4 +++- modules/home/application/zen/default.nix | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 0712e81..07479a7 100644 --- a/flake.nix +++ b/flake.nix @@ -93,8 +93,11 @@ channels-config = { allowUnfree = true; permittedInsecurePackages = [ + # Due to *arr stack "dotnet-sdk-6.0.428" "aspnetcore-runtime-6.0.36" + + # I think this is because of zen "qtwebengine-5.15.19" ]; }; @@ -107,7 +110,6 @@ homes.modules = with inputs; [ stylix.homeModules.stylix - zen-browser.homeModules.default plasma-manager.homeModules.plasma-manager ]; }; diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 86fc3b6..4995216 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -5,6 +5,10 @@ let cfg = config.${namespace}.application.zen; in { + imports = [ + inputs.zen-browser.homeModules.default + ]; + options.${namespace}.application.zen = { enable = mkEnableOption "enable zen"; }; From 44e7a6fa0fd33ad37905a882149c9a39cdebf370 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 16:45:32 +0200 Subject: [PATCH 22/96] harden vaultwarden --- modules/nixos/services/security/vaultwarden/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index 0bb05f7..db8e162 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix 
@@ -76,6 +76,12 @@ in "vault.kruining.eu".extraConfig = '' encode zstd gzip + handle_path /admin { + respond 401 { + close + } + } + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { header_up X-Real-IP {remote_host} } From 7c75cab11b86e33fd72f934bfffaa5bed864faa7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:24:27 +0200 Subject: [PATCH 23/96] improve podman config --- modules/nixos/services/virtualisation/podman/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/virtualisation/podman/default.nix b/modules/nixos/services/virtualisation/podman/default.nix index 9b9dc89..0faf8ce 100644 --- a/modules/nixos/services/virtualisation/podman/default.nix +++ b/modules/nixos/services/virtualisation/podman/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { virtualisation = { containers.enable = true; + oci-containers.backend = "podman"; podman = { enable = true; From 6d7867b45c24ed8b41ae1061f318af673bb393e6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:24:43 +0200 Subject: [PATCH 24/96] update fogejo runner image --- modules/nixos/services/development/forgejo/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index bdabbd6..4b98b9c 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -136,10 +136,10 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://node:22-bullseye" + "default:docker://node:24-bookworm" ]; settings = { - + log.level = "info"; }; }; }; From a91afd3b0a90db865ced5116fab0ece99e1acd1f Mon Sep 17 00:00:00 2001 
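Review bot: `handle_path /admin` in the vault vhost only matches the exact path `/admin`, not the sub-routes the Vaultwarden admin panel actually serves (`/admin/users/overview`, `/admin/diagnostics`, …), so the 401 guard is bypassed by requesting any of them; use a prefix matcher, `handle /admin* { respond 401 { close } }` (`handle_path` differs only by stripping the prefix, which is not needed here). The stronger control is server-side: if `ADMIN_TOKEN` is left unset Vaultwarden does not enable the panel at all, and the Caddy rule then becomes defence in depth rather than the only barrier. A comment on the block, `# admin panel blocked at the edge; reach it only via a local tunnel if ADMIN_TOKEN is ever set`, would make the intent explicit.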
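Review bot: The context line `token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw";` in the runner hunk is a registration token committed in plaintext, directly under the commented-out `tokenFile = config.age.secrets.forgejo-runner-token.path;` that the first patch in this series intended; this commit edits the block and leaves it in place. The token should be treated as compromised now that it is in history, regenerated in Forgejo, and supplied through `tokenFile` (agenix) with the literal removed. The new `"default:docker://node:24-bookworm"` label is also a floating tag; pinning the job image by digest would keep runs reproducible.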
From: Chris Kruining Date: Wed, 3 Sep 2025 17:44:01 +0200 Subject: [PATCH 25/96] expand homer --- .../nixos/services/media/homer/default.nix | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index 263af83..c683e8b 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -52,6 +52,12 @@ in { name = "Media"; items = [ + { + name = "Jellyfin"; + tag = "app"; + url = "http://${config.networking.hostName}:8096"; + } + { name = "Radarr"; tag = "app"; @@ -63,6 +69,25 @@ in tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; } + + { + name = "Lidarr"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + } + + { + name = "qBitTorrent"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + } + + { + name = "SabNZB"; + tag = "app"; + url = "http://${config.networking.hostName}:8080"; + } + ]; } ]; From b8b8e015c5e601654fbd9075cf95ea429d8c5efd Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:44:19 +0200 Subject: [PATCH 26/96] add pipe-operator nix feature --- modules/nixos/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 7d1f069..14060bf 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix 
@@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes"; + extraOptions = "experimental-features = nix-command flakes pipe-operator"; settings = { - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operator" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; From fa81dbdcf6fdd19b634c25791de96125c67eb92c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 3 Sep 2025 17:47:38 +0200 Subject: [PATCH 27/96] even more homer --- .../nixos/services/media/homer/default.nix | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index c683e8b..dd5e13b 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -42,10 +42,32 @@ in items = [ { name = "Zitadel"; - tag = "authentication"; - keywords = "auth"; + tag = "app"; url = "https://auth.amarth.cloud"; } + + { + name = "Forgejo"; + tag = "app"; + url = "https://git.amarth.cloud"; + } + + { + name = "Vaultwarden"; + tag = "app"; + url = "https://vault.kruining.eu"; + } + ]; + } + + { + name = "Observability"; + items = [ + { + name = "Grafana"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + } ]; } From 41a4fde9f21fd5b606f7a13628a60f462e7aeeec Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 10:08:59 +0200 Subject: [PATCH 28/96] first attempt to push an image --- .forgejo/workflows/runner-image.yml | 34 +++++++++++++++++++ .../development/forgejo/Dockerfile.default | 5 +++ .../services/development/forgejo/default.nix | 4 ++- 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 .forgejo/workflows/runner-image.yml create mode 100644 modules/nixos/services/development/forgejo/Dockerfile.default diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml new file mode 100644 index 0000000..ed38be2 --- /dev/null +++ b/.forgejo/workflows/runner-image.yml @@ -0,0 +1,34 @@ +name: Test action + +on: + workflow_dispatch: + push: + branches: + - main + +env: + registry: git.amarth.cloud + owner: chris + image: default + tag: latest + +jobs: + hello: + name: Print hello world + runs-on: default + steps: + - name: Pull dependencies + run: >- + git clone https://${{ registry }}/${{ owner }}/sneeuwvlok.git + && cd sneeuwvlok + + - name: Log into registry + run: docker login ${{ registry }} + + - name: Build image + run: >- + docker build + -t ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + + - name: Push image + run: docker push ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default new file mode 100644 index 0000000..799cd67 --- /dev/null +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -0,0 +1,5 @@ +FROM nixos/nix:latest + +RUN nix-env -iA nixpkgs.nodejs_24 + +CMD ["/bin/bash"] \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 4b98b9c..d7f170e 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
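Review bot: The `Pull dependencies` step clones `main` of `sneeuwvlok` over HTTPS instead of checking out the commit that triggered the run, so an image built on `push` reflects whatever `main` holds at that moment rather than the reviewed revision, and a re-run of an old workflow is not reproducible from its own ref; check out the triggering SHA (`git checkout ${{ forge.sha }}` after the clone, or the checkout action) and note in a comment that the image is built from the exact commit under test. The `docker login ${{ registry }}` step also runs with no credentials in a non-interactive job (and `${{ registry }}` resolves nothing — it needs `env.registry`), so as written the job cannot reach the push step. Since this workflow publishes `default:latest` on every push to `main`, anyone with push access to the branch rewrites the runner image; that is worth a comment at the top of the file.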
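Review bot: `FROM nixos/nix:latest` together with `nix-env -iA nixpkgs.nodejs_24` from the image's unpinned channel makes the runner image non-reproducible — two builds of this file can yield different Nix, nixpkgs and Node revisions with no digest to verify what was pulled. Pin the base by tag and digest (`FROM nixos/nix:<version>@sha256:…`) and, if the image is meant to match this repository, install from the flake's locked nixpkgs rather than the channel. A header comment would also tie the file to its consumer: `# Default job image for the forgejo runner; built and pushed by .forgejo/workflows/runner-image.yml`.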
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -91,6 +91,7 @@ in actions = { ENABLED = true; + # DEFAULT_ACTIONS_URL = "https://data.forgejo.org"; }; other = { @@ -136,7 +137,8 @@ in # tokenFile = config.age.secrets.forgejo-runner-token.path; token = "ZBetud1F0IQ9VjVFpZ9bu0FXgx9zcsy1x25yvjhw"; labels = [ - "default:docker://node:24-bookworm" + "default:docker://nixos/nix:latest" + "ubuntu:docker://ubuntu:24-bookworm" ]; settings = { log.level = "info"; From 9ed5cbded0902b9e7e4ca5d81ad7e82058b8d70e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:09:08 +0200 Subject: [PATCH 29/96] update homer --- .../nixos/services/media/homer/default.nix | 65 +++++++++++++++---- 1 file changed, 53 insertions(+), 12 deletions(-) diff --git a/modules/nixos/services/media/homer/default.nix b/modules/nixos/services/media/homer/default.nix index dd5e13b..8fd0ac6 100644 --- a/modules/nixos/services/media/homer/default.nix +++ b/modules/nixos/services/media/homer/default.nix @@ -27,14 +27,7 @@ in columns = 4; connectivityCheck = true; - links = [ - { - name = "Git"; - icon = "fab fa-forgejo"; - url = "https://git.amarth.cloud"; - - } - ]; + links = []; services = [ { @@ -42,20 +35,28 @@ in items = [ { name = "Zitadel"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/zitadel.svg"; tag = "app"; url = "https://auth.amarth.cloud"; + target = "_blank"; } { name = "Forgejo"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/forgejo.svg"; tag = "app"; + type = "Gitea"; url = "https://git.amarth.cloud"; + target = "_blank"; } { name = "Vaultwarden"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/vaultwarden.svg"; + type = "Vaultwarden"; tag = "app"; url = "https://vault.kruining.eu"; + target = "_blank"; } ]; } 
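Review bot: `"ubuntu:docker://ubuntu:24-bookworm"` in the new labels is not a tag the `ubuntu` image publishes — `bookworm` is a Debian codename, Ubuntu 24.04 is tagged `24.04`/`noble` — so any job with `runs-on: ubuntu` will fail at image pull. Both labels also float on mutable tags (`nixos/nix:latest`, `ubuntu:…`); for a self-hosted runner that executes whatever the repo's workflows ask for, pinning the job images by digest is the one place to get a reproducible execution environment. The plaintext `token = "…"` context line just above is still committed and belongs in `tokenFile` as the adjacent comment says. The commented-out `DEFAULT_ACTIONS_URL` should carry a reason, since that setting decides where `uses:` references are fetched from.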
@@ -65,8 +66,20 @@ in items = [ { name = "Grafana"; + type = "Grafana"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/grafana.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.grafana.settings.server.http_port}"; + target = "_blank"; + } + + { + name = "Prometheus"; + type = "Prometheus"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prometheus.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prometheus.port}"; + target = "_blank"; } ]; } 
@@ -75,41 +88,69 @@ in name = "Media"; items = [ { - name = "Jellyfin"; + name = "Jellyfin (Movies)"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/jellyfin.svg"; tag = "app"; + type = "Emby"; url = "http://${config.networking.hostName}:8096"; + apikey = "e3ceed943eeb409ba8342738db7cc1f5"; + libraryType = "movies"; + target = "_blank"; } { name = "Radarr"; + type = "Radarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/radarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}"; + target = "_blank"; } { name = "Sonarr"; + type = "Sonarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sonarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}"; + target = "_blank"; } { name = "Lidarr"; + type = "Lidarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/lidarr.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.lidarr.settings.server.port}"; + target = "_blank"; } { - name = "qBitTorrent"; + name = "Prowlarr"; + type = "Prowlarr"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/prowlarr.svg"; + tag = "app"; + url = "http://${config.networking.hostName}:${builtins.toString config.services.prowlarr.settings.server.port}"; + target = "_blank"; + } + + { + name = "qBittorrent"; + type = "qBittorrent"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/qbittorrent.svg"; tag = "app"; url = "http://${config.networking.hostName}:${builtins.toString config.services.qbittorrent.webuiPort}"; + target = "_blank"; } { - name = "SabNZB"; + name = "SABnzbd"; + type = "SABnzbd"; + logo = "https://cdn.jsdelivr.net/gh/selfhst/icons/svg/sabnzdb-light.svg"; tag = "app"; url = "http://${config.networking.hostName}:8080"; + target = "_blank"; } - ]; } ]; From 0b23548559a3dfb84ec54187421e7a77029b8728 Mon Sep 17 00:00:00 2001 
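Review bot: `apikey = "e3ceed943eeb409ba8342738db7cc1f5";` on the Jellyfin item places a Jellyfin API key in homer's generated config, and Homer is a static front-end whose config is fetched by the browser, so the key is readable by anyone who can load the dashboard — which the earlier homer patch exposes on port 2000 to every interface — in addition to being committed to git and to the world-readable Nix store. Rotate the key in Jellyfin now that it is in history, and either reduce the card to a plain link (drop `type`, `apikey` and `libraryType`) or put the dashboard behind authentication before reintroducing a key through a mechanism outside the store. A comment on the item, `# never put API keys here: config.yml is served verbatim to every visitor`, would stop this recurring.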
From: Chris Kruining Date: Thu, 4 Sep 2025 10:11:59 +0200 Subject: [PATCH 30/96] whoopsie --- .forgejo/workflows/runner-image.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index ed38be2..e41a197 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -19,16 +19,16 @@ jobs: steps: - name: Pull dependencies run: >- - git clone https://${{ registry }}/${{ owner }}/sneeuwvlok.git + git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git && cd sneeuwvlok - name: Log into registry - run: docker login ${{ registry }} + run: docker login ${{ env.registry }} - name: Build image run: >- docker build - -t ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image - run: docker push ${{registry}}/${{ owner }}/${{ image }}:${{ tag }} \ No newline at end of file + run: docker push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 2b887f188c1a3fdecd429c79016c06fea64e0dcf Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:14:06 +0200 Subject: [PATCH 31/96] aaaaaiiii --- .forgejo/workflows/runner-image.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e41a197..879ec36 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -22,6 +22,12 @@ jobs: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git && cd sneeuwvlok + - name: Install docker + run: nix-env -iA nixos.podman + + - name: __DEBUG__ + run: which podman + - name: Log into registry run: docker login ${{ env.registry }} 
From 95f6b2b8d3d7c19ebbe8b264f5ea2e69ebfce743 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:14:44 +0200 Subject: [PATCH 32/96] nixpkgs instead???? --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 879ec36..a0a26ac 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: && cd sneeuwvlok - name: Install docker - run: nix-env -iA nixos.podman + run: nix-env -iA nixpkgs.podman - name: __DEBUG__ run: which podman From 863956c38b33a38c1fb9940cb4e58ae1b7576f8e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:17:08 +0200 Subject: [PATCH 33/96] oooooh, closer --- .forgejo/workflows/runner-image.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a0a26ac..33889dd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -28,13 +28,16 @@ jobs: - name: __DEBUG__ run: which podman + - name: __DEBUG__ + run: podman --version + - name: Log into registry - run: docker login ${{ env.registry }} + run: podman login ${{ env.registry }} - name: Build image run: >- - docker build + podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image - run: docker push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From e048ada01ff0dcd0bdd3a4041b819098089c1fbc Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 10:38:46 +0200 Subject: [PATCH 34/96] whoops --- modules/nixos/nix/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/nix/default.nix b/modules/nixos/nix/default.nix index 14060bf..3104ecd 100644 --- a/modules/nixos/nix/default.nix +++ b/modules/nixos/nix/default.nix @@ -15,10 +15,10 @@ in nix = { package = pkgs.nixVersions.latest; - extraOptions = "experimental-features = nix-command flakes pipe-operator"; + extraOptions = "experimental-features = nix-command flakes pipe-operators"; settings = { - experimental-features = [ "nix-command" "flakes" "pipe-operator" ]; + experimental-features = [ "nix-command" "flakes" "pipe-operators" ]; allowed-users = [ "@wheel" ]; trusted-users = [ "@wheel" ]; From 0d6fb5aab6b0ea7021ad9468ae06fa2d5746dc46 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 10:39:31 +0200 Subject: [PATCH 35/96] update default runner dockerfile --- modules/nixos/services/development/forgejo/Dockerfile.default | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index 799cd67..b252554 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,5 +1,6 @@ FROM nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 +RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf CMD ["/bin/bash"] \ No newline at end of file From fa0a4917a212227c95d63f38e29ec2be391150b5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:04:13 +0200 Subject: [PATCH 36/96] cool shizzle --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 33889dd..2603866 100644 
--- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -7,7 +7,7 @@ on: - main env: - registry: git.amarth.cloud + registry: ${{ forge.server_url }} owner: chris image: default tag: latest @@ -32,7 +32,7 @@ jobs: run: podman --version - name: Log into registry - run: podman login ${{ env.registry }} + run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- From 4762d4189e471f496cdeffbbb08533b7cd66d27b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:06:57 +0200 Subject: [PATCH 37/96] right. obviously... --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 2603866..3cc9a79 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -7,7 +7,7 @@ on: - main env: - registry: ${{ forge.server_url }} + registry: git.amarth.cloud owner: chris image: default tag: latest From da1a4d42eddc50d5c7b2a2599e8e251dde913cf9 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:07:58 +0200 Subject: [PATCH 38/96] woooot, more success!!! --- .forgejo/workflows/runner-image.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 3cc9a79..7a7e41d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -26,10 +26,7 @@ jobs: run: nix-env -iA nixpkgs.podman - name: __DEBUG__ - run: which podman - - - name: __DEBUG__ - run: podman --version + run: ls -al - name: Log into registry run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} From fdf1bc34e834fc9ee2808a51b8b0076537f44ab5 Mon Sep 17 00:00:00 2001 
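Review bot: The rewritten login step passes the job token on the command line, `podman login --username "…" --password "${{ forge.token }}" …`, which exposes it to the process list of the job container and to any verbose shell trace; pipe it on stdin instead: `echo "${{ forge.token }}" | podman login --username "${{ forge.actor }}" --password-stdin ${{ env.registry }}`. The first hunk's `registry: ${{ forge.server_url }}` includes the `https://` scheme, which is not valid as an image-reference prefix for the later `podman build -t` / `podman push` steps (the next patch reverts it), so if the registry is to be derived from the context the scheme has to be stripped first.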
From: Chris Kruining Date: Thu, 4 Sep 2025 11:11:06 +0200 Subject: [PATCH 39/96] . --- .forgejo/workflows/runner-image.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 7a7e41d..89427fd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -18,9 +18,10 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: >- + run: | git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - && cd sneeuwvlok + cd sneeuwvlok + ls -al - name: Install docker run: nix-env -iA nixpkgs.podman From 4a26a4ad11dd3f2fc367743eaa41739237a7b846 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:13:15 +0200 Subject: [PATCH 40/96] . --- .forgejo/workflows/runner-image.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 89427fd..a70dd09 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -18,24 +18,18 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: | - git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - cd sneeuwvlok - ls -al + run: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git - name: Install docker run: nix-env -iA nixpkgs.podman - - name: __DEBUG__ - run: ls -al - - name: Log into registry run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} ./modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 8b07f55593f09c526bbbd58b0ff9756b2d491228 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:14:41 +0200 Subject: [PATCH 41/96] . --- .forgejo/workflows/runner-image.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a70dd09..526550f 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -18,7 +18,10 @@ jobs: runs-on: default steps: - name: Pull dependencies - run: git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git + run: | + ls -al + git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + ls -al - name: Install docker run: nix-env -iA nixpkgs.podman 
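Review bot: The new `Pull dependencies` step's `git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git .` checks out the branch tip at run time rather than the commit that triggered the run, so a push landing between trigger and clone changes what gets built and the resulting image cannot be traced back to a commit. Check out the triggering revision (the forge's checkout action, or a `git checkout` of the run's commit SHA from the workflow context) before building. The two `ls -al` lines around the clone read as leftover debugging and should go once the working-directory question is settled.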
@@ -29,7 +32,7 @@ jobs: - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} sneeuwvlok/modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} modules/nixos/services/development/forgejo/Dockerfile.default - name: Push image run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From b3a9ea605761f5cd53fea1afd3468d92c1ec8e2f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:19:43 +0200 Subject: [PATCH 42/96] . --- .forgejo/workflows/runner-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 526550f..b09ac1d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -21,6 +21,7 @@ jobs: run: | ls -al git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + echo "$PWD" ls -al - name: Install docker From f9328cd72eeaf57fc229693c6d535c3eee04919f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:22:59 +0200 Subject: [PATCH 43/96] I am an idiot, as proven once more... --- .forgejo/workflows/runner-image.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index b09ac1d..c07ca95 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -19,21 +19,23 @@ jobs: steps: - name: Pull dependencies run: | - ls -al git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . - echo "$PWD" - ls -al - name: Install docker - run: nix-env -iA nixpkgs.podman + run: | + nix-env -iA nixpkgs.podman - name: Log into registry - run: podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} + run: | + podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} modules/nixos/services/development/forgejo/Dockerfile.default + -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} + -f Dockerfile.default + modules/nixos/services/development/forgejo - name: Push image - run: podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + run: | + podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 4d4f4e67e032139115d43ef07f6e71be2572242e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 11:23:50 +0200 Subject: [PATCH 44/96] add registry? --- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index b252554..ce4bbac 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,4 +1,4 @@ -FROM nixos/nix:latest +FROM docker.io/nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf From a42446985c2eafa3b8ef92f5a1344d20652535e4 Mon Sep 17 00:00:00 2001 
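Review bot: `FROM docker.io/nixos/nix:latest` in the last hunk pins nothing: the tag is mutable, so every build of the runner image starts from whatever the registry serves that day, and an upstream change or compromise flows straight into the CI runner that executes this repository's workflows. Pin the base to a digest, `FROM docker.io/nixos/nix:<tag>@sha256:<digest>` (placeholder values), and bump it deliberately with a comment recording why.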
From: Chris Kruining Date: Thu, 4 Sep 2025 12:02:40 +0200 Subject: [PATCH 45/96] another attempt --- .forgejo/workflows/runner-image.yml | 3 +++ modules/nixos/services/development/forgejo/Dockerfile.default | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index c07ca95..285c5ac 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,6 +24,7 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman + echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json - name: Log into registry run: | @@ -35,6 +36,8 @@ jobs: -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo + env: + DOCKER_BUILDKIT: 1 - name: Push image run: | diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index ce4bbac..d26212c 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,6 +1,8 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman + RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf +RUN echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json CMD ["/bin/bash"] \ No newline at end of file From 68f662038399e6c74d38029411ef4dfc3990cfd7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:03:26 +0200 Subject: [PATCH 46/96] right --- .forgejo/workflows/runner-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 285c5ac..f0b89ee 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
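Review bot: The `policy.json` written in the first hunk sets `insecureAcceptAnything` as the `default` for every transport and registry, which switches off image signature policy globally for the job, while the surrounding step is about reaching a registry — plaintext or self-signed registries are allowed in `registries.conf` with `insecure = true`, not through the signature policy. If the intent is only to let pulls from docker.io and pushes to `${{ env.registry }}` through, say so next to the line, e.g. `# signature policy only: no signature verification for any registry; registry TLS is a registries.conf matter`, and consider a `reject` default with explicit `transports.docker` entries for the registries actually used. The `DOCKER_BUILDKIT: 1` added in the second hunk has no effect on `podman build` and can be dropped.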
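Review bot: In the Dockerfile hunk, `RUN echo '{ ... }' >> /etc/containers/policy.json` appends, so if the base image already ships a policy file the result is two concatenated JSON documents, which is not valid JSON and podman will not load; the line means to define the whole policy, so use `>` and create the directory first, `RUN mkdir -p /etc/containers && echo '{ ... }' > /etc/containers/policy.json`. Whether `docker.io/nixos/nix` carries such a file I cannot tell from here, but the append is wrong in either case.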
@@ -24,6 +24,7 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman + mkdir -p /etc/containers echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json - name: Log into registry From 9ea18b18d554d102c95480fbc334a35697e3985c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:04:28 +0200 Subject: [PATCH 47/96] . --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f0b89ee..361f842 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,8 +24,8 @@ jobs: - name: Install docker run: | nix-env -iA nixpkgs.podman - mkdir -p /etc/containers - echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > /etc/containers/policy.json + mkdir -p ~/.config/containers + echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - name: Log into registry run: | From efd98d4b44e44316c64773dd65ea15070ae85a34 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:05:12 +0200 Subject: [PATCH 48/96] gotta love the typos... --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 361f842..f37b598 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -25,7 +25,7 @@ jobs: run: | nix-env -iA nixpkgs.podman mkdir -p ~/.config/containers - echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - name: Log into registry run: | 
diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d26212c..d9ff5f8 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -3,6 +3,6 @@ FROM docker.io/nixos/nix:latest RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf -RUN echo '{ "defult": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json +RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json CMD ["/bin/bash"] \ No newline at end of file From 55d5ea483940d8e81c8dda9185e3cd6915a50597 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:08:38 +0200 Subject: [PATCH 49/96] is it a missing dep???? --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f37b598..5ce46d8 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: - name: Install docker run: | - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.libfuse mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d9ff5f8..15a65a4 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default 
@@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.libfuse RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From 833f4ce5e692d60be619b3d745ab8983b8d9da9c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 12:09:44 +0200 Subject: [PATCH 50/96] just fuse, got it --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/Dockerfile.default | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 5ce46d8..8893fd5 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -23,7 +23,7 @@ jobs: - name: Install docker run: | - nix-env -iA nixpkgs.podman nixpkgs.libfuse + nix-env -iA nixpkgs.podman nixpkgs.fuse mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index 15a65a4..d632617 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default @@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.libfuse +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.fuse RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From 25ae5ea1accd0f79c19e561bac3ac981c006f694 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 13:09:31 +0200 Subject: [PATCH 51/96] next round --- .forgejo/workflows/runner-image.yml | 18 ++++++++++++++++-- .../development/forgejo/Dockerfile.default | 2 +- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 8893fd5..1490afa 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -21,11 +21,24 @@ jobs: run: | git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . - - name: Install docker + - name: Prepare podman run: | - nix-env -iA nixpkgs.podman nixpkgs.fuse + # configure container policy to accept insecure registry + nix-env -iA nixpkgs.podman + + # configure container policy to accept insecure registry mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + + # ensure all required directories exist with proper permissions + mkdir -p /tmp/podman /var/tmp ~/.local/share/containers + chmod 755 /tmp/podman /var/tmp || true + + # set multiple environment variables for skopeo temporary directories + export TMPDIR=/tmp/podman + export TMP=/tmp/podman + export TEMP=/tmp/podman + export XDG_RUNTIME_DIR=/tmp/podman - name: Log into registry run: | @@ -34,6 +47,7 @@ jobs: - name: Build image run: >- podman build + --privileged -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default index d632617..d9ff5f8 100644 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ b/modules/nixos/services/development/forgejo/Dockerfile.default 
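Review bot: The `export TMPDIR=…`, `TMP`, `TEMP` and `XDG_RUNTIME_DIR` lines added to `Prepare podman` only affect that step's shell; the later login, build and push steps each start a fresh shell, so none of these settings reach the `podman` invocations they were added for. Move them to a job-level `env:` block (or the runner's per-job environment file, if this runner version provides one) instead of `export`. The first `# configure container policy to accept insecure registry` comment is a copy of the second and sits above the `nix-env` install; it should read `# install podman into the job profile`. `chmod 755 /tmp/podman /var/tmp || true` deliberately hides a failure on `/var/tmp`, which is fine as best effort but deserves a short comment saying so.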
@@ -1,6 +1,6 @@ FROM docker.io/nixos/nix:latest -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman nixpkgs.fuse +RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json From b2cb74657ef0f1addb520f6bda09997b138a92b6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:11:35 +0200 Subject: [PATCH 52/96] ahhh shit, here we go again --- .forgejo/workflows/runner-image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1490afa..e24ef25 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -46,8 +46,7 @@ jobs: - name: Build image run: >- - podman build - --privileged + sudo podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo From c7f3ed7cd667ea96ca7b78e5d99a8378d7e75ca0 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:21:05 +0200 Subject: [PATCH 53/96] . --- .forgejo/workflows/runner-image.yml | 4 +- .../nixos/services/development/forgejo/temp | 80 +++++++++++++++++++ 2 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 modules/nixos/services/development/forgejo/temp diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e24ef25..4b94a2f 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml 
@@ -40,13 +40,15 @@ jobs: export TEMP=/tmp/podman export XDG_RUNTIME_DIR=/tmp/podman + modprobe fuse + - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image run: >- - sudo podman build + podman build -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} -f Dockerfile.default modules/nixos/services/development/forgejo diff --git a/modules/nixos/services/development/forgejo/temp b/modules/nixos/services/development/forgejo/temp new file mode 100644 index 0000000..33a7313 --- /dev/null +++ b/modules/nixos/services/development/forgejo/temp 
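Review bot: `modprobe fuse` in a job step can only succeed if the job's container holds `CAP_SYS_MODULE`, i.e. if the runner executes workflows with host-root-equivalent privilege; in that case every workflow on this runner can load arbitrary kernel modules on the host, and otherwise the line simply fails. Load `fuse` on the runner host instead (on a NixOS host, `boot.kernelModules = [ "fuse" ];`) and expose `/dev/fuse` to the runner's container, keeping the job unprivileged. A comment such as `# fuse-overlayfs needs /dev/fuse; provided by the host, not loadable from a job` would stop the next person re-adding this.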
@@ -0,0 +1,80 @@ +Error: mounting new container: + mounting build container "a1c1da9d2422b5d6571a79559039f60ba8771e4a05b9b2f8cae814a8f64bb8e3": + creating overlay mount to /var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/merged, + mount_data=" + lowerdir=/var/lib/containers/storage/overlay/l/XSOABRIRTTFZPQI37OU77T3XP6 + :/var/lib/containers/storage/overlay/l/F3M2D6K25OPTUC4ID73P2NIJ3A + :/var/lib/containers/storage/overlay/l/Q53OUMURARX52AYNVQGFGNVUMQ + :/var/lib/containers/storage/overlay/l/NHNXRY3S7TPPYSGNG6BFA7756K + :/var/lib/containers/storage/overlay/l/XWANZP5SNP5QFXQ7RPR2SN3GND + :/var/lib/containers/storage/overlay/l/QUS3NWAGIVW5KOT7EBHCH2THSP + :/var/lib/containers/storage/overlay/l/P24JFYKBFJWRZF4QCI65JNYDSH + :/var/lib/containers/storage/overlay/l/5U53LA6AULMQOF5JAVLNDQMETC + :/var/lib/containers/storage/overlay/l/SWCKHLKQYKOUWBHWGJ5VPBJ7RH + :/var/lib/containers/storage/overlay/l/KLPPEZB6CRL3I6R6LBCJWMKWPC + :/var/lib/containers/storage/overlay/l/RAI54LOZXCFNWNF54D5YLSZJZO + :/var/lib/containers/storage/overlay/l/NLXXIPBMH7EAMNSOZBGBYXWGV5 + :/var/lib/containers/storage/overlay/l/HP5E2J4HRMO6XYJANMEB4KT7F5 + :/var/lib/containers/storage/overlay/l/JZ3QIR7Y7HTWYCCZRNFZCMQSHH + :/var/lib/containers/storage/overlay/l/IYGILU3HMTXZLIKNELEPBOZXWS + :/var/lib/containers/storage/overlay/l/K52NCFVUIEMQALGI4CTKSORFQ6 + :/var/lib/containers/storage/overlay/l/DM5R63KXPSUHMGXMXGHV2Z7L6O + :/var/lib/containers/storage/overlay/l/3BJ5A4CHITM36J3WL7DUJN7HI5 + :/var/lib/containers/storage/overlay/l/3KY56KPCGUTAOCABRQOPB5E7KI + :/var/lib/containers/storage/overlay/l/4ISDZ7Y23WWZAZ6TISWAVXAKTA + :/var/lib/containers/storage/overlay/l/7WFY6347EYETD2DSHOWWGORMY7 + :/var/lib/containers/storage/overlay/l/RBDQUQQAQ4M3DNDP7JQDSTFPDC + :/var/lib/containers/storage/overlay/l/CZPS35AEHSSOCX2SETGG5RWAWK + :/var/lib/containers/storage/overlay/l/VTV4IYIPIMV7HUVW3YUCEZGVIF + 
:/var/lib/containers/storage/overlay/l/LOGNN4O7UYRJDINC3EU6MCK2JQ + :/var/lib/containers/storage/overlay/l/XCTPWOKP4A3NITB5YJEGDOYP53 + :/var/lib/containers/storage/overlay/l/57WPQF43V53AQIH5AJAFS2ZJLN + :/var/lib/containers/storage/overlay/l/BURD55A3XF6AHWWN5NFYVKHLFR + :/var/lib/containers/storage/overlay/l/SJBWDEB4R6KHHUWYVWHVFXZUML + :/var/lib/containers/storage/overlay/l/EFH5DWZ6VD7XHRBJI3MSGCSL5C + :/var/lib/containers/storage/overlay/l/LNJD656RHN73JQIOG5QP72XH6D + :/var/lib/containers/storage/overlay/l/BYKGR5QA32CNM3PNW7OJZGL7PI + :/var/lib/containers/storage/overlay/l/KEBZ34OPOPZSF56MMUIYJC62VQ + :/var/lib/containers/storage/overlay/l/AXUJ2DTXCFUNLLHVBNZT7HOOHV + :/var/lib/containers/storage/overlay/l/W2GQPDXQWNE4PJ2FK242CNBP3G + :/var/lib/containers/storage/overlay/l/HSHTMFX2BNZ6MN3YKZNP5GACK3 + :/var/lib/containers/storage/overlay/l/5EV6E33HXQTMDYA55D2KVDQN6O + :/var/lib/containers/storage/overlay/l/5YXUGLZ3U5V2GABHAGMOQQLZYD + :/var/lib/containers/storage/overlay/l/WNM6BFUABXRYMF3QXGOWIMSFGS + :/var/lib/containers/storage/overlay/l/EM6L4BR3WMU427KN3WHNXLPXLK + :/var/lib/containers/storage/overlay/l/WKG62FRJYJHG4PIYLUWPOIGIFR + :/var/lib/containers/storage/overlay/l/EIT5DRSEKJFGSXHNDISGIBHEET + :/var/lib/containers/storage/overlay/l/PW2HEYGQKHNXSSQFCTQ3RTW3RU + :/var/lib/containers/storage/overlay/l/LYCJF4GBFFSP5MCC6TGBDGWXLY + :/var/lib/containers/storage/overlay/l/3YXKKFLTDRPWC6Y3VW3A5HCHPC + :/var/lib/containers/storage/overlay/l/RJTCZEVFZ4GZ4WT36ZHWVQPHBE + :/var/lib/containers/storage/overlay/l/AT3GLGCW22SPL4FDEMUHM7SEC3 + :/var/lib/containers/storage/overlay/l/VPT2VRWXG6F5UOROWNVZJUYIXS + :/var/lib/containers/storage/overlay/l/IHIXWAURUCUAYZEWBQU6N37UL5 + :/var/lib/containers/storage/overlay/l/IGMNOUI3RRH3KFAOSHZUJJAYA6 + :/var/lib/containers/storage/overlay/l/KQTWTENKAQ7WIMPQO5HY4SQKSL + :/var/lib/containers/storage/overlay/l/7GQIS3UWTUQESKJI6NQ5A63FMB + :/var/lib/containers/storage/overlay/l/MXGQVTYACLV4M7PRZRGGXNOLCY + 
:/var/lib/containers/storage/overlay/l/6T6MXUMJ74EIDYDFZJU6642WDR + :/var/lib/containers/storage/overlay/l/QG53GGUJAUZLLCRGHLDVNBIG5M + :/var/lib/containers/storage/overlay/l/CWKPW6SM2HIEROK4XOFGURSEYZ + :/var/lib/containers/storage/overlay/l/EFAHS5T2ZS5ZVCY4WGZ4WW45WC + :/var/lib/containers/storage/overlay/l/CRT42BUU43KSCBUDTOB55WVML2 + :/var/lib/containers/storage/overlay/l/KA53IG4NUWMJM5GBFUKDSUP7WM + :/var/lib/containers/storage/overlay/l/DELTO3DZAGCCUKFOKYU5POUVO5 + :/var/lib/containers/storage/overlay/l/KM7KLUMSMCIUGMOUZHCCJVNY3S + :/var/lib/containers/storage/overlay/l/IAXMV7ZFALQU4XFQFLLXXUKBX7 + :/var/lib/containers/storage/overlay/l/6VVTPVXHDYPHOT42CWJXOL6SMB + :/var/lib/containers/storage/overlay/l/OHO5IA7AJ2EOGAFUPT3MPJMZSY + :/var/lib/containers/storage/overlay/l/Q3ZXKGFN6Q2APXQKRXMNE6YR4M + :/var/lib/containers/storage/overlay/l/FSGYM4J5NR6AY3LUWZ2WTBQG3N + :/var/lib/containers/storage/overlay/l/M44HLHAQGLWFYVTS4J55CDEDLY + :/var/lib/containers/storage/overlay/l/36CIGRUHNNFDCBWSEN3KXUQAZR + :/var/lib/containers/storage/overlay/l/5QE5JTSJB23BDSXCGYPXTTJUSS + :/var/lib/containers/storage/overlay/l/DREIPLSBGAK4XBL57M3NJAT5XA, + upperdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/diff, + workdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/work, + volatile": using mount program /nix/store/mr0jx11v1z2sfjlndisw7v3jrk57x7l3-fuse-overlayfs-1.14/bin/fuse-overlayfs: unknown argument ignored: lazytime + +fuse: device not found, try 'modprobe fuse' first +fuse-overlayfs: cannot mount: No such file or directory \ No newline at end of file From 7d7c3aa53ada12f5155337aa0339b2a3ccc60c3b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:22:43 +0200 Subject: [PATCH 54/96] . --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
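Review bot: `modules/nixos/services/development/forgejo/temp` is a pasted podman error dump, not a module, and nothing imports it; it should be left out of the commit, with the useful part — `fuse: device not found, try 'modprobe fuse' first` — kept in the commit message or as a comment beside the workaround it motivated. It also records overlay storage paths and a build-container ID from the runner host, detail about the host that has no reason to live in the repository.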
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 4b94a2f..8979d94 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds # configure container policy to accept insecure registry mkdir -p ~/.config/containers From 33f9a7fbd8c741a331ddb122039e9d61c88c5482 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:24:37 +0200 Subject: [PATCH 55/96] fix package conflict? --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 8979d94..61200dd 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.u-root-cmds + nix-env -iA nixpkgs.podman nixpkgs.kmod # configure container policy to accept insecure registry mkdir -p ~/.config/containers From b8e43fedba72b129d8d94b535a13abea7f63f0cc Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:47:02 +0200 Subject: [PATCH 56/96] lets try another avenue... --- .forgejo/workflows/runner-image.yml | 32 +++++++------------ .../development/forgejo/Dockerfile.default | 8 ----- .../development/forgejo/runners/default.nix | 11 +++++++ 3 files changed, 23 insertions(+), 28 deletions(-) delete mode 100644 modules/nixos/services/development/forgejo/Dockerfile.default create mode 100644 modules/nixos/services/development/forgejo/runners/default.nix diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 61200dd..47737cc 100644 --- a/.forgejo/workflows/runner-image.yml 
+++ b/.forgejo/workflows/runner-image.yml @@ -24,36 +24,28 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.kmod + nix-env -iA nixpkgs.podman # configure container policy to accept insecure registry mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - # ensure all required directories exist with proper permissions - mkdir -p /tmp/podman /var/tmp ~/.local/share/containers - chmod 755 /tmp/podman /var/tmp || true - - # set multiple environment variables for skopeo temporary directories - export TMPDIR=/tmp/podman - export TMP=/tmp/podman - export TEMP=/tmp/podman - export XDG_RUNTIME_DIR=/tmp/podman - - modprobe fuse - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - name: Build image - run: >- - podman build - -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} - -f Dockerfile.default - modules/nixos/services/development/forgejo - env: - DOCKER_BUILDKIT: 1 + run: nix-build modules/nixos/services/development/forgejo/runners/default.nix + # run: >- + # podman build + # -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} + # -f Dockerfile.default + # modules/nixos/services/development/forgejo + + - name: __DEBUG__ + run: | + ls -al result + podman load < result - name: Push image run: | diff --git a/modules/nixos/services/development/forgejo/Dockerfile.default b/modules/nixos/services/development/forgejo/Dockerfile.default deleted file mode 100644 index d9ff5f8..0000000 --- a/modules/nixos/services/development/forgejo/Dockerfile.default +++ /dev/null 
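Review bot: The new `Build image` step keeps the old `podman build` invocation as five commented-out lines and adds a `__DEBUG__` step that lists `result` and loads it; both read as unfinished, and git history already preserves the old command. Drop the commented block and move `podman load < result` into the step that pushes, so the debug step can be removed whole rather than trimmed later.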
@@ -1,8 +0,0 @@ -FROM docker.io/nixos/nix:latest - -RUN nix-env -iA nixpkgs.nodejs_24 nixpkgs.podman - -RUN echo "experimental-features = nix-command flakes pipe-operators" >> /etc/nix/nix.conf -RUN echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' >> /etc/containers/policy.json - -CMD ["/bin/bash"] \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix new file mode 100644 index 0000000..af44418 --- /dev/null +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -0,0 +1,11 @@ +{ + pkgs ? import {}, + pkgs_linux ? import { system = "x86_64-linux"; }, +}: + +pkgs.dockerTools.buildImage { + name = "default"; + config = { + Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; + }; +} \ No newline at end of file From d917f93a9f1242b0beb308e3de6724b13b74bae5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:55:13 +0200 Subject: [PATCH 57/96] finally some more success????? --- .forgejo/workflows/runner-image.yml | 4 ++-- .../nixos/services/development/forgejo/runners/default.nix | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 47737cc..2a4311a 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -45,8 +45,8 @@ jobs: - name: __DEBUG__ run: | ls -al result - podman load < result - name: Push image run: | - podman push ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + podman load < result + podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index af44418..8b9355e 100644 
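Review bot: Both default arguments of the new `runners/default.nix` resolve nixpkgs through the caller's `NIX_PATH` (this rendering has dropped the angle-bracket path from `import ... {}`), so the runner image is built from whatever channel the CI host happens to have rather than a pinned revision, and `pkgs_linux` is only used to put `hello` in `Cmd`, which looks like a placeholder. Pin the input — evaluate against the repository's flake inputs if it has a lock, or `fetchTarball` a fixed nixpkgs commit (placeholder `rev = "<nixpkgs-commit>"` until chosen) — and add a header comment naming the purpose, e.g. `# OCI image for the Forgejo actions runner; built and pushed by .forgejo/workflows/runner-image.yml`.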
--- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -5,6 +5,8 @@ pkgs.dockerTools.buildImage { name = "default"; + tag = "latest"; + config = { Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; }; From 9c048aca0577b00324270433a1f5a777e0d27d48 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:56:16 +0200 Subject: [PATCH 58/96] hmmmm --- .forgejo/workflows/runner-image.yml | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 2a4311a..507e2a1 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,23 +30,11 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - name: Log into registry - run: | - podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - - name: Build image run: nix-build modules/nixos/services/development/forgejo/runners/default.nix - # run: >- - # podman build - # -t ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} - # -f Dockerfile.default - # modules/nixos/services/development/forgejo - - - name: __DEBUG__ - run: | - ls -al result - name: Push image run: | + podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} podman load < result podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From e4843997ea7fe2aa07bcb8b70609eeb8e3ad4ff7 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 13:58:51 +0200 Subject: [PATCH 59/96] add credentials, but then why do I need to log in???? --- .forgejo/workflows/runner-image.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) 
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 507e2a1..a72601d 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,11 +30,18 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - name: Build image - run: nix-build modules/nixos/services/development/forgejo/runners/default.nix - - - name: Push image + - name: Log into registry run: | podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} + + - name: Create image + run: | + nix-build modules/nixos/services/development/forgejo/runners/default.nix podman load < result - podman push localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file + + - name: Push image + run: >- + podman push + --creds="${{ forge.actor }}:${{ forge.token }}" + localhost/default:latest + ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 716342d556fb524b0998aa11aeebf9cc86ae8725 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:02:34 +0200 Subject: [PATCH 60/96] . --- .forgejo/workflows/runner-image.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index a72601d..1694cd8 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -39,6 +39,11 @@ jobs: nix-build modules/nixos/services/development/forgejo/runners/default.nix podman load < result + - name: __DEBUG__ + run: | + cat ${XDG_RUNTIME_DIR}/containers/auth.json + cat ~/.docker/config.json + - name: Push image run: >- podman push From b158df262e8e53f99585e210ef43c2a9b1315260 Mon Sep 17 00:00:00 2001 
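Review bot: The `__DEBUG__` step added in the second hunk writes `${XDG_RUNTIME_DIR}/containers/auth.json` and `~/.docker/config.json` to the job log; those files hold `actor:token` base64-encoded, and a log masker keyed on the raw token will not recognise the encoded form, so anyone who can read the run log obtains a working registry credential. Remove the step; to confirm the login took, `podman login --get-login ${{ env.registry }}` prints only the username. The `--creds=` added to `podman push` in the first hunk is redundant with the preceding login step and puts the token on the command line again.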
From: Chris Kruining Date: Thu, 4 Sep 2025 14:07:06 +0200 Subject: [PATCH 61/96] ugh --- .forgejo/workflows/runner-image.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1694cd8..3aaa967 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,6 +30,18 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json + # Create authentication file for podman + mkdir -p ~/.docker + cat > ~/.docker/config.json <- From 09a5df6253e3dd5556800388e34f64b9ae234ba3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:53:50 +0200 Subject: [PATCH 62/96] fix? --- .forgejo/workflows/runner-image.yml | 1 + .../development/forgejo/runners/default.nix | 28 +++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 3aaa967..724b8f1 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -59,6 +59,7 @@ jobs: - name: Push image run: >- podman push + --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json& --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 8b9355e..1308408 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
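Review bot: The trailing `&` on the new `--auth-file=${XDG_RUNTIME_DIR}/containers/auth.json&` line sits inside a `>-` folded scalar, so the shell receives `podman push --auth-file=… & --creds=… localhost/default:latest …`: the push is backgrounded with no image arguments and the remainder runs as a separate, nonexistent command, so the step fails (or, worse, reports nothing useful about the push). Drop the `&` and quote the path, `--auth-file="${XDG_RUNTIME_DIR}/containers/auth.json"`; with an auth file the `--creds=` line is also unnecessary.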
@@ -3,11 +3,35 @@ pkgs_linux ? import { system = "x86_64-linux"; }, }: -pkgs.dockerTools.buildImage { +with pkgs; +dockerTools.buildImage { name = "default"; tag = "latest"; + contents = [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + + runAsRoot = '' + #!${stdenv.shell} + ${dockerTools.shadowSetup} + groupadd -r runner + useradd -r -g runner -d /data -M runner + mkdir /data + chown runner:runner /data + ''; + config = { - Cmd = [ "${pkgs_linux.hello}/bin/hello" ]; + # User = "root"; + Cmd = [ "${lib.getExe bashInteractive}" ]; + WorkingDir = "/data"; + Volumes = { + "/data" = {}; + }; }; } \ No newline at end of file From 101bf129093e46ff49651c5fa96b7f716c16ebd4 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:55:37 +0200 Subject: [PATCH 63/96] fix warning --- .../development/forgejo/runners/default.nix | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 1308408..4dcdbc6 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -8,14 +8,18 @@ dockerTools.buildImage { name = "default"; tag = "latest"; - contents = [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; + copyToRoot = buildEnv { + name = "image-root"; + pathsToLink = [ "/bin" ]; + paths = [ + coreutils + u-root-cmds + bash + nix + nodejs + podman + ]; + }; runAsRoot = '' #!${stdenv.shell} From 40cd9d3745c9f1c101ec21543d4a22735cacfba1 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:56:44 +0200 Subject: [PATCH 64/96] is it podman that needs the kvm? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 4dcdbc6..f2faae5 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -17,7 +17,7 @@ dockerTools.buildImage { bash nix nodejs - podman + # podman ]; }; From 22333b143bb4b70de6d5994287e455e29e564887 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 14:58:31 +0200 Subject: [PATCH 65/96] hmmmmm --- .../services/development/forgejo/runners/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index f2faae5..5046b4d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -13,10 +13,10 @@ dockerTools.buildImage { pathsToLink = [ "/bin" ]; paths = [ coreutils - u-root-cmds + # u-root-cmds bash - nix - nodejs + # nix + # nodejs # podman ]; }; @@ -31,7 +31,7 @@ dockerTools.buildImage { ''; config = { - # User = "root"; + User = "runner"; Cmd = [ "${lib.getExe bashInteractive}" ]; WorkingDir = "/data"; Volumes = { From e0002d7254399adc5a47872c7137f4247069d571 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:00:37 +0200 Subject: [PATCH 66/96] shadowSetup than??? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 5046b4d..dd71c4e 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -23,7 +23,7 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} - ${dockerTools.shadowSetup} + # ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From 2653f3fc93108a67dc9802f4fcc39321be79327c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:05:40 +0200 Subject: [PATCH 67/96] sooooo lost right now.... --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 724b8f1..31bb238 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -24,7 +24,7 @@ jobs: - name: Prepare podman run: | # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman + nix-env -iA nixpkgs.podman nixpkgs.kvmtool # configure container policy to accept insecure registry mkdir -p ~/.config/containers From e0c37a10a59f4527d576f78222863560412f8d1e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:08:48 +0200 Subject: [PATCH 68/96] another attempt --- .../services/development/forgejo/runners/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index dd71c4e..2db69fc 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -4,9 +4,16 @@ }: with pkgs; +let + debian = dockerTools.pullImage { + imageName = "debian"; + sha256 = "1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + }; +in dockerTools.buildImage { name = "default"; tag = "latest"; + # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; 
@@ -23,7 +30,6 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} - # ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From 61505943f95d21b76f091bd175c090091c81236f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:09:34 +0200 Subject: [PATCH 69/96] add base image --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 2db69fc..74660aa 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -13,7 +13,7 @@ in dockerTools.buildImage { name = "default"; tag = "latest"; - # fromImage = debian; + fromImage = debian; copyToRoot = buildEnv { name = "image-root"; From 66e400e7c0d3753af0dc5fd205c5d72699c4b036 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:11:32 +0200 Subject: [PATCH 70/96] uuuuuugh --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 74660aa..718e168 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -7,7 +7,7 @@ with pkgs; let debian = dockerTools.pullImage { imageName = "debian"; - sha256 = "1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; }; in dockerTools.buildImage { From 898cb6c5129fff1c0bf896c6d31abd19560a6294 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:17:49 +0200 Subject: [PATCH 71/96] local builds again --- modules/nixos/services/development/forgejo/runners/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 718e168..f959621 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -8,6 +8,8 @@ let debian = dockerTools.pullImage { imageName = "debian"; imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; + # hash = lib.fakeSha256; + sha256 = "sha256-GDxa0yegZDaagKfl3tS6prhQI0ECXduWrdPgr8uLClU="; }; in dockerTools.buildImage { @@ -30,6 +32,7 @@ dockerTools.buildImage { runAsRoot = '' #!${stdenv.shell} + ${dockerTools.shadowSetup} groupadd -r runner useradd -r -g runner -d /data -M runner mkdir /data From a39cb0cf532863c9915b07e5d7851b48e78ca790 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:19:14 +0200 Subject: [PATCH 72/96] ? --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index f959621..5862f12 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -15,7 +15,7 @@ in dockerTools.buildImage { name = "default"; tag = "latest"; - fromImage = debian; + # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; From 3d02de9c6c7035b745939fd2e3ff5ab271defbe5 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:20:38 +0200 Subject: [PATCH 73/96] I really don't get it anymore... --- .../development/forgejo/runners/default.nix | 35 +++++++------------ 1 file changed, 13 insertions(+), 22 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 5862f12..2f0332d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -3,41 +3,32 @@ pkgs_linux ? import { system = "x86_64-linux"; }, }: -with pkgs; -let - debian = dockerTools.pullImage { - imageName = "debian"; - imageDigest = "sha256:1e45698b8553ad4b2e074f59f14c579194aa9b003f5c7b4a3d8704087954909b"; - # hash = lib.fakeSha256; - sha256 = "sha256-GDxa0yegZDaagKfl3tS6prhQI0ECXduWrdPgr8uLClU="; - }; -in +with pkgs; dockerTools.buildImage { name = "default"; tag = "latest"; - # fromImage = debian; copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; paths = [ coreutils - # u-root-cmds + u-root-cmds bash - # nix - # nodejs - # podman + nix + nodejs + podman ]; }; - runAsRoot = '' - #!${stdenv.shell} - ${dockerTools.shadowSetup} - groupadd -r runner - useradd -r -g runner -d /data -M runner - mkdir /data - chown runner:runner /data - ''; + # runAsRoot = '' + # #!${stdenv.shell} + # ${dockerTools.shadowSetup} + # groupadd -r runner + # useradd -r -g runner -d /data -M runner + # mkdir /data + # chown runner:runner /data + # ''; config = { User = "runner"; From 3aaad47c2bdb1a32b708657b04e429783149f075 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:23:23 +0200 Subject: [PATCH 74/96] whoops --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 31bb238..b472489 100644 --- a/.forgejo/workflows/runner-image.yml 
+++ b/.forgejo/workflows/runner-image.yml @@ -59,7 +59,7 @@ jobs: - name: Push image run: >- podman push - --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json& + --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From a114f0a7f8b435d4f922ca98abefb8de42745088 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:26:18 +0200 Subject: [PATCH 75/96] . --- .forgejo/workflows/runner-image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index b472489..1d56b4e 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,11 +55,12 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json + podman run localhost/default:latest 'nix --version' - name: Push image run: >- podman push - --auth-file=${XDG_RUNTIME_DIR}/containers/auth.json + --authfile=${XDG_RUNTIME_DIR}/containers/auth.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 237d208e930abaa5b419d8270ca78cc4bc056ad6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:28:59 +0200 Subject: [PATCH 76/96] siiiiigh --- .../development/forgejo/runners/default.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index 2f0332d..eb0759b 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -21,14 +21,13 @@ dockerTools.buildImage { ]; }; - # runAsRoot = '' - # #!${stdenv.shell} - # ${dockerTools.shadowSetup} - # groupadd -r runner - # useradd -r -g runner -d /data -M runner - # mkdir /data - # chown runner:runner /data - # ''; + runAsRoot = '' + #!${lib.getExe bashInteractive} + groupadd -r runner + useradd -r -g runner -d /data -M runner + mkdir /data + chown runner:runner /data + ''; config = { User = "runner"; From 1cbfb6b5c0c89e381e799825579745bbe45fe8f8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:34:40 +0200 Subject: [PATCH 77/96] . --- .../nixos/services/development/forgejo/runners/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index eb0759b..e656e2d 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -22,11 +22,7 @@ dockerTools.buildImage { }; runAsRoot = '' - #!${lib.getExe bashInteractive} - groupadd -r runner - useradd -r -g runner -d /data -M runner - mkdir /data - chown runner:runner /data + echo "je moeder!"; ''; config = { From 7070382596163aa7062a412e0c39f169da74339b Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:43:18 +0200 Subject: [PATCH 78/96] runAsRoot requires kvm... --- .../services/development/forgejo/runners/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index e656e2d..c4c9a92 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix 
@@ -21,16 +21,8 @@ dockerTools.buildImage { ]; }; - runAsRoot = '' - echo "je moeder!"; - ''; - config = { User = "runner"; Cmd = [ "${lib.getExe bashInteractive}" ]; - WorkingDir = "/data"; - Volumes = { - "/data" = {}; - }; }; } \ No newline at end of file From a0e2d8db7100f41812a4c61e27b559556628ed93 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:46:25 +0200 Subject: [PATCH 79/96] . --- .forgejo/workflows/runner-image.yml | 2 +- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1d56b4e..1b742b0 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,7 +55,7 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - podman run localhost/default:latest 'nix --version' + # podman run localhost/default:latest 'nix --version' - name: Push image run: >- diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index c4c9a92..a7bc883 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -11,7 +11,7 @@ dockerTools.buildImage { copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; - paths = [ + paths = with pkgs_linux [ coreutils u-root-cmds bash From 8b9e1a14a8ad45f518e3b19941b188ec8b20bd79 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:47:10 +0200 Subject: [PATCH 80/96] ,... --- .forgejo/workflows/runner-image.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 1b742b0..f30be6e 100644 --- a/.forgejo/workflows/runner-image.yml 
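Review bot: With `runAsRoot` removed nothing in this image creates the `runner` account any more, yet `config.User = "runner"` is kept, so the runtime is asked to switch to a user with no `/etc/passwd` entry and will most likely refuse to start the container. Either drop `User` until the account can be created, or add the entries without the VM build step that `runAsRoot` needs, e.g. include `pkgs.writeTextDir "etc/passwd" "runner:x:1000:1000::/data:/bin/bash\n"` and a matching `"etc/group"` in `copyToRoot` so the non-root `User` is still honoured. Whichever way, a short comment on `User` saying where the account comes from would prevent the next round-trip.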
+++ b/.forgejo/workflows/runner-image.yml @@ -55,7 +55,6 @@ jobs: run: | [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - # podman run localhost/default:latest 'nix --version' - name: Push image run: >- From 522041cbaed64b9cc9699e7feb82c2eceea81e6f Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:47:37 +0200 Subject: [PATCH 81/96] waaaaaaggh --- modules/nixos/services/development/forgejo/runners/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/modules/nixos/services/development/forgejo/runners/default.nix index a7bc883..608cc69 100644 --- a/modules/nixos/services/development/forgejo/runners/default.nix +++ b/modules/nixos/services/development/forgejo/runners/default.nix @@ -11,7 +11,7 @@ dockerTools.buildImage { copyToRoot = buildEnv { name = "image-root"; pathsToLink = [ "/bin" ]; - paths = with pkgs_linux [ + paths = with pkgs_linux; [ coreutils u-root-cmds bash From cd53e4c008478a58d09121e73b9ed2df8f8e9244 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:50:38 +0200 Subject: [PATCH 82/96] sdfasdfg --- .forgejo/workflows/runner-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index f30be6e..9a1c7a9 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -53,7 +53,10 @@ jobs: - name: __DEBUG__ run: | + echo "${XDG_RUNTIME_DIR}/containers/auth.json" [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json + + echo "~/.docker/config.json" [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - name: Push image From f31317304e076e43425fdb7978a2c42c86120262 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:53:35 +0200 Subject: [PATCH 83/96] riiight, should've seen that one coming.... --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index 9a1c7a9..d8b7ebb 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -55,14 +55,14 @@ jobs: run: | echo "${XDG_RUNTIME_DIR}/containers/auth.json" [ -r ${XDG_RUNTIME_DIR}/containers/auth.json ] && cat ${XDG_RUNTIME_DIR}/containers/auth.json - + echo "~/.docker/config.json" [ -r ~/.docker/config.json ] && cat ~/.docker/config.json - name: Push image run: >- podman push - --authfile=${XDG_RUNTIME_DIR}/containers/auth.json + --authfile=~/.docker/config.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 7ac547bd815a460017ba87bf4aecfa43a8ab87a3 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 4 Sep 2025 15:55:38 +0200 Subject: [PATCH 84/96] parameterize git clone --- .forgejo/workflows/runner-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index d8b7ebb..e2bc6fb 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -17,9 +17,9 @@ jobs: name: Print hello world runs-on: default steps: - - name: Pull dependencies + - name: Checkout run: | - git clone https://${{ env.registry }}/${{ env.owner }}/sneeuwvlok.git . + git clone ${{ forge.server_url }}/${{ forge.repository }}.git . - name: Prepare podman run: | From d3e7de5f5a7f76050bc630015bf625b3569be4d2 Mon Sep 17 00:00:00 2001 
From: Chris Kruining Date: Thu, 4 Sep 2025 15:57:29 +0200 Subject: [PATCH 85/96] asdf --- .forgejo/workflows/runner-image.yml | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index e2bc6fb..ac05b21 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -30,18 +30,6 @@ jobs: mkdir -p ~/.config/containers echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - # Create authentication file for podman - mkdir -p ~/.docker - cat > ~/.docker/config.json <- podman push - --authfile=~/.docker/config.json --creds="${{ forge.actor }}:${{ forge.token }}" localhost/default:latest ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file From 98c9424db58bf94b9f0ee60a22ed5ba19575d0e5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 17:30:46 +0200 Subject: [PATCH 86/96] aaha, there is the code I forgot to commit... --- .../authentication/zitadel/default.nix | 11 +++----- .../services/development/forgejo/default.nix | 3 ++- .../persistance/postgesql/default.nix | 26 +++++++++++++++++++ 3 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 modules/nixos/services/persistance/postgesql/default.nix diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index a95d849..2f65f6f 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption mkForce; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -13,6 +13,8 @@ in }; config = mkIf cfg.enable { + ${namespace}.services.persistance.postgresql.enable = true; + environment.systemPackages = with pkgs; [ zitadel ]; @@ -110,13 +112,6 @@ in ensureDBOwnership = true; } ]; - authentication = mkForce '' - # Generated file, do not edit! - # TYPE DATABASE USER ADDRESS METHOD - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - ''; }; caddy = { diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index d7f170e..5c7d7aa 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -12,6 +12,7 @@ in config = mkIf cfg.enable { ${namespace}.services.virtualisation.podman.enable = true; + ${namespace}.services.persistance.postgresql.enable = true; environment.systemPackages = with pkgs; [ forgejo ]; @@ -154,7 +155,7 @@ in # stupid dumb way to prevent the login page and go to zitadel instead # be aware that this does not disable local login at all! - rewrite /user/login /user/oauth2/Zitadel + # rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 ''; diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix new file mode 100644 index 0000000..ce198a8 --- /dev/null +++ b/modules/nixos/services/persistance/postgesql/default.nix 
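Review bot: Commenting out `rewrite /user/login /user/oauth2/Zitadel` in the forgejo Caddy vhost brings the local password form back on `/user/login`, and the surviving comment already admits the rewrite never disabled local login in the first place. If the intent is Zitadel-only sign-in, enforce it in Forgejo rather than in the proxy: `service.ENABLE_PASSWORD_SIGNIN_FORM = false;` next to the existing `service.DISABLE_REGISTRATION` hides the form, and accounts created before SSO should be checked for passwords that are still usable. The comment block should state which of the two behaviours is intended so nobody re-enables the rewrite believing it is a security control. The enclosing `extraConfig` string starts outside the hunk.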
@@ -0,0 +1,26 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.peristance.postgresql; +in +{ + options.${namespace}.services.peristance.postgresql = { + enable = mkEnableOption "Postgresql"; + }; + + config = mkIf cfg.enable { + services = { + postgresql = { + enable = true; + authentication = '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; + }; + }; + }; +} From 2ca6339fe60844664cfbe738158f4daf2846b4a8 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 18:11:36 +0200 Subject: [PATCH 87/96] fix typo --- modules/nixos/services/persistance/postgesql/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/persistance/postgesql/default.nix b/modules/nixos/services/persistance/postgesql/default.nix index ce198a8..dbd6604 100644 --- a/modules/nixos/services/persistance/postgesql/default.nix +++ b/modules/nixos/services/persistance/postgesql/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.services.peristance.postgresql; + cfg = config.${namespace}.services.persistance.postgresql; in { - options.${namespace}.services.peristance.postgresql = { + options.${namespace}.services.persistance.postgresql = { enable = mkEnableOption "Postgresql"; }; From 0689c338ac44bebdac34dbbcfb5c99bb4fcd4321 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 18:12:08 +0200 Subject: [PATCH 88/96] solve compilation errors --- modules/nixos/services/development/forgejo/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 5c7d7aa..f143b12 100644 --- a/modules/nixos/services/development/forgejo/default.nix 
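Review bot: The `authentication` block grants `trust` to every role over the local socket and both loopback addresses, so any process on the host — each service account this shared module is now enabled for, or anything that gains code execution as one of them — can connect as the `postgres` superuser without a password. Since the consumers use `ensureUsers` with `ensureDBOwnership`, `local all all peer` lets a systemd service reach its own database without a secret whenever its OS user name matches the role name, and the `host` lines can use `scram-sha-256` with a provisioned password (or be dropped if nothing connects over TCP); if a consumer genuinely needs TCP without a password, scope that to its own database and role rather than `all all`. The `# Generated file, do not edit!` header is misleading in a hand-written module and should be replaced by a comment explaining the chosen method. The directory is named `postgesql` while the option path is `persistance.postgresql`; the `peristance` typo is fixed in the next commit but the directory name is not.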
+++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,8 +11,10 @@ in }; config = mkIf cfg.enable { - ${namespace}.services.virtualisation.podman.enable = true; - ${namespace}.services.persistance.postgresql.enable = true; + ${namespace}.services = { + persistance.postgresql.enable = true; + virtualisation.podman.enable = true; + }; environment.systemPackages = with pkgs; [ forgejo ]; From 288e354edf03cfa0f4ba4b89f154748893d7e85c Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:06:56 +0200 Subject: [PATCH 89/96] add nheko --- flake.nix | 7 +++++-- homes/x86_64-linux/chris@manwe/default.nix | 1 + modules/home/application/nheko/default.nix | 15 +++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 modules/home/application/nheko/default.nix diff --git a/flake.nix b/flake.nix index 07479a7..60e9853 100644 --- a/flake.nix +++ b/flake.nix @@ -63,11 +63,11 @@ url = "github:Jovian-Experiments/Jovian-NixOS"; inputs.nixpkgs.follows = "nixpkgs"; }; - + grub2-themes = { url = "github:vinceliuice/grub2-themes"; }; - + nixos-wsl = { url = "github:nix-community/nixos-wsl"; inputs = { @@ -99,6 +99,9 @@ # I think this is because of zen "qtwebengine-5.15.19" + + # For Nheko, the matrix client + "olm-3.2.16" ]; }; diff --git a/homes/x86_64-linux/chris@manwe/default.nix b/homes/x86_64-linux/chris@manwe/default.nix index cd6fa1a..abeb606 100644 --- a/homes/x86_64-linux/chris@manwe/default.nix +++ b/homes/x86_64-linux/chris@manwe/default.nix @@ -35,6 +35,7 @@ bitwarden.enable = true; discord.enable = true; ladybird.enable = true; + nheko.enable = true; obs.enable = true; onlyoffice.enable = true; signal.enable = true; diff --git a/modules/home/application/nheko/default.nix b/modules/home/application/nheko/default.nix new file mode 100644 index 0000000..b04b375 --- /dev/null +++ b/modules/home/application/nheko/default.nix 
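Review bot: Adding `"olm-3.2.16"` to `permittedInsecurePackages` waives the insecure marking that nixpkgs puts on libolm because upstream declared it end-of-life, so the Matrix client's end-to-end encryption now depends on a library that no longer receives fixes, and the comment records only that nheko needs it. That is an accepted risk rather than a build detail, so say so where the waiver lives: `# For Nheko, the matrix client. libolm is unmaintained upstream (why nixpkgs flags it); accepted for now, revisit when nheko can use a maintained implementation`. Keeping the exact version string pinned, as done here, is the right call — a blanket waiver would silently cover future releases.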
@@ -0,0 +1,15 @@ +{ config, lib, pkgs, namespace, osConfig ? {}, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.application.nheko; +in +{ + options.${namespace}.application.nheko = { + enable = mkEnableOption "enable nheko (matrix client)"; + }; + + config = mkIf cfg.enable { + home.packages = with pkgs; [ nheko ]; + }; +} From 7f6f1166a4a6a7d18cf67776c9527b039fddd800 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:34:37 +0200 Subject: [PATCH 90/96] add backup extension for home manager --- modules/home/home-manager/default.nix | 6 ++++-- modules/nixos/home-manager/default.nix | 6 ++++++ 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 modules/nixos/home-manager/default.nix diff --git a/modules/home/home-manager/default.nix b/modules/home/home-manager/default.nix index 93bae2e..5f3be03 100644 --- a/modules/home/home-manager/default.nix +++ b/modules/home/home-manager/default.nix @@ -4,7 +4,9 @@ let in { systemd.user.startServices = "sd-switch"; - programs.home-manager.enable = true; + programs.home-manager = { + enable = true; + }; home.stateVersion = mkDefault (osConfig.system.stateVersion or "25.05"); -} \ No newline at end of file +} diff --git a/modules/nixos/home-manager/default.nix b/modules/nixos/home-manager/default.nix new file mode 100644 index 0000000..1a5a964 --- /dev/null +++ b/modules/nixos/home-manager/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + config = { + home-manager.backupFileExtension = "back"; + }; +} From ce7b147d0496f3ce80211197449df0cd62595756 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 20:47:45 +0200 Subject: [PATCH 91/96] move runner --- .../services/development/forgejo/runners => runners}/default.nix | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {modules/nixos/services/development/forgejo/runners => runners}/default.nix (100%) 
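Review bot: `mkEnableOption "enable nheko (matrix client)"` renders as "Whether to enable enable nheko (matrix client)." because `mkEnableOption` already prepends "Whether to enable"; the argument should be the noun phrase only, `enable = mkEnableOption "nheko (Matrix client)";`. The `osConfig ? {}` argument in the module pattern is accepted but never read, so it can be dropped from the pattern to keep the signature honest.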
diff --git a/modules/nixos/services/development/forgejo/runners/default.nix b/runners/default.nix similarity index 100% rename from modules/nixos/services/development/forgejo/runners/default.nix rename to runners/default.nix From fe5cce0946fa4b2f65f9cfcbe5e7b0065b53d2a0 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 7 Sep 2025 22:26:09 +0200 Subject: [PATCH 92/96] initial conduit setup --- .../communication/conduit/default.nix | 56 +++++++++++++++++++ systems/x86_64-linux/ulmo/default.nix | 2 + 2 files changed, 58 insertions(+) create mode 100644 modules/nixos/services/communication/conduit/default.nix diff --git a/modules/nixos/services/communication/conduit/default.nix b/modules/nixos/services/communication/conduit/default.nix new file mode 100644 index 0000000..aa4d5c1 --- /dev/null +++ b/modules/nixos/services/communication/conduit/default.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.communication.conduit; + domain = "matrix.kruining.eu"; +in +{ + options.${namespace}.services.communication.conduit = { + enable = mkEnableOption "conduit (Matrix server)"; + }; + + config = mkIf cfg.enable { + # ${namespace}.services = { + # persistance.postgresql.enable = true; + # virtualisation.podman.enable = true; + # }; + + services = { + matrix-conduit = { + enable = true; + + settings.global = { + address = "::1"; + port = 4001; + + database_backend = "rocksdb"; + + server_name = "chris-matrix"; + }; + }; + + # postgresql = { + # enable = true; + # ensureDatabases = [ "conduit" ]; + # ensureUsers = [ + # { + # name = "conduit"; + # ensureDBOwnership = true; + # } + # ]; + # }; + + caddy = { + enable = true; + virtualHosts = { + ${domain}.extraConfig = '' + # import auth-z + + # reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 4108dc9..3b35750 100644 
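Review bot: `settings.global.server_name = "chris-matrix"` in the conduit module does not match the `domain` the Caddy vhost serves (`matrix.kruining.eu`); the server name is the federation identity baked into every user and room ID, cannot be changed later without discarding the database, and must be resolvable (directly or through `/.well-known/matrix/server`) for federation to work, so set `server_name = domain;` (or the bare apex with a well-known delegation) before any data is written. The commented `reverse_proxy http://127.0.0.1:5002` is Forgejo's port carried over; conduit binds `[::1]:4001` here, so the vhost will need `reverse_proxy http://[::1]:4001` and the well-known responses when it is enabled. `allow_registration` should also be set explicitly in `settings.global` so whether the homeserver is open to sign-ups is a deliberate choice rather than the package default.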
--- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -10,6 +10,8 @@ authentication.authelia.enable = true; authentication.zitadel.enable = true; + communication.conduit.enable = true; + development.forgejo.enable = true; networking.ssh.enable = true; From ec827c4187adc39d10525b904e2ecc6e9a7af962 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 07:53:05 +0200 Subject: [PATCH 93/96] update pipeline --- .forgejo/workflows/runner-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml index ac05b21..19ba8ae 100644 --- a/.forgejo/workflows/runner-image.yml +++ b/.forgejo/workflows/runner-image.yml @@ -36,7 +36,7 @@ jobs: - name: Create image run: | - nix-build modules/nixos/services/development/forgejo/runners/default.nix + nix-build runners/default.nix podman load < result - name: Push image From 1d6f488ebd68f5f315e4c2077857b3b4cc8047ea Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:14:15 +0200 Subject: [PATCH 94/96] . --- runners/default.nix | 54 ++++++++++++++++++++++----------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/runners/default.nix b/runners/default.nix index 608cc69..9493d52 100644 --- a/runners/default.nix +++ b/runners/default.nix 
@@ -1,28 +1,28 @@
-{
- pkgs ? import {},
- pkgs_linux ? import { system = "x86_64-linux"; },
-}:
-
-with pkgs;
-dockerTools.buildImage {
- name = "default";
- tag = "latest";
-
- copyToRoot = buildEnv {
- name = "image-root";
- pathsToLink = [ "/bin" ];
- paths = with pkgs_linux; [
- coreutils
- u-root-cmds
- bash
- nix
- nodejs
- podman
- ];
- };
-
- config = {
- User = "runner";
- Cmd = [ "${lib.getExe bashInteractive}" ];
- };
+{
+ pkgs ? import {},
+ pkgs_linux ? import { system = "x86_64-linux"; },
+}:
+
+with pkgs;
+dockerTools.buildImage {
+ name = "default";
+ tag = "latest";
+
+ copyToRoot = buildEnv {
+ name = "image-root";
+ pathsToLink = [ "/bin" ];
+ paths = with pkgs_linux; [
+ coreutils
+ u-root-cmds
+ bash
+ nix
+ nodejs
+ podman
+ ];
+ };
+
+ config = {
+ User = "runner";
+ Cmd = [ "${lib.getExe bashInteractive}" ];
+ };
 }
\ No newline at end of file
From 2a79a4eb63bd5e7010d88df2d9a803f287fc6967 Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Mon, 8 Sep 2025 16:18:02 +0200
Subject: [PATCH 95/96] next iteration for forgejo runners
---
 .forgejo/workflows/runner-image.yml | 47 -----------
 .gitignore | 8 +-
 .../services/development/forgejo/default.nix | 1 +
 .../nixos/services/development/forgejo/temp | 80 -------------------
 runners/default.nix | 28 -------
 5 files changed, 8 insertions(+), 156 deletions(-)
 delete mode 100644 .forgejo/workflows/runner-image.yml
 delete mode 100644 modules/nixos/services/development/forgejo/temp
 delete mode 100644 runners/default.nix
diff --git a/.forgejo/workflows/runner-image.yml b/.forgejo/workflows/runner-image.yml
deleted file mode 100644
index 19ba8ae..0000000
--- a/.forgejo/workflows/runner-image.yml
+++ /dev/null
@@ -1,47 +0,0 @@ -name: Test action - -on: - workflow_dispatch: - push: - branches: - - main - -env: - registry: git.amarth.cloud - owner: chris - image: default - tag: latest - -jobs: - hello: - name: Print hello world - runs-on: default - steps: - - name: Checkout - run: | - git clone ${{ forge.server_url }}/${{ forge.repository }}.git . - - - name: Prepare podman - run: | - # configure container policy to accept insecure registry - nix-env -iA nixpkgs.podman nixpkgs.kvmtool - - # configure container policy to accept insecure registry - mkdir -p ~/.config/containers - echo '{ "default": [ {"type":"insecureAcceptAnything"} ] }' > ~/.config/containers/policy.json - - - name: Log into registry - run: | - podman login --username "${{ forge.actor }}" --password "${{ forge.token }}" ${{ env.registry }} - - - name: Create image - run: | - nix-build runners/default.nix - podman load < result - - - name: Push image - run: >- - podman push - --creds="${{ forge.actor }}:${{ forge.token }}" - localhost/default:latest - ${{ env.registry }}/${{ env.owner }}/${{ env.image }}:${{ env.tag }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index 87a3018..3cb44c3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,8 @@ +# ---> Nix +# Ignore build outputs from performing a nix-build or `nix build` command result -*.qcow2 +result-* + +# Ignore automatically generated direnv output +.direnv + diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index f143b12..46e0995 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -142,6 +142,7 @@ in labels = [ "default:docker://nixos/nix:latest" "ubuntu:docker://ubuntu:24-bookworm" + "nix:docker://git.amarth.cloud/amarth/runners/default:latest" ]; settings = { log.level = "info"; 
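Review bot: The new label `nix:docker://git.amarth.cloud/amarth/runners/default:latest` pulls the job image by a mutable tag, so whatever is pushed to `latest` next silently becomes the execution environment for every job scheduled on `nix`; once the image is stable it should be pinned by digest (`…/runners/default@sha256:<DIGEST>`) or a versioned tag. The same commit deletes `runners/default.nix` and `.forgejo/workflows/runner-image.yml`, so nothing left in the repository describes how this image is produced; a comment on the label line naming where it is now built would help the next reader, e.g. `# built from <RUNNER_IMAGE_SOURCE>; keep in sync when the image changes`. The enclosing `instances` block begins before the hunk.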
diff --git a/modules/nixos/services/development/forgejo/temp b/modules/nixos/services/development/forgejo/temp
deleted file mode 100644
index 33a7313..0000000
--- a/modules/nixos/services/development/forgejo/temp
+++ /dev/null
@@ -1,80 +0,0 @@ -Error: mounting new container: - mounting build container "a1c1da9d2422b5d6571a79559039f60ba8771e4a05b9b2f8cae814a8f64bb8e3": - creating overlay mount to /var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/merged, - mount_data=" - lowerdir=/var/lib/containers/storage/overlay/l/XSOABRIRTTFZPQI37OU77T3XP6 - :/var/lib/containers/storage/overlay/l/F3M2D6K25OPTUC4ID73P2NIJ3A - :/var/lib/containers/storage/overlay/l/Q53OUMURARX52AYNVQGFGNVUMQ - :/var/lib/containers/storage/overlay/l/NHNXRY3S7TPPYSGNG6BFA7756K - :/var/lib/containers/storage/overlay/l/XWANZP5SNP5QFXQ7RPR2SN3GND - :/var/lib/containers/storage/overlay/l/QUS3NWAGIVW5KOT7EBHCH2THSP - :/var/lib/containers/storage/overlay/l/P24JFYKBFJWRZF4QCI65JNYDSH - :/var/lib/containers/storage/overlay/l/5U53LA6AULMQOF5JAVLNDQMETC - :/var/lib/containers/storage/overlay/l/SWCKHLKQYKOUWBHWGJ5VPBJ7RH - :/var/lib/containers/storage/overlay/l/KLPPEZB6CRL3I6R6LBCJWMKWPC - :/var/lib/containers/storage/overlay/l/RAI54LOZXCFNWNF54D5YLSZJZO - :/var/lib/containers/storage/overlay/l/NLXXIPBMH7EAMNSOZBGBYXWGV5 - :/var/lib/containers/storage/overlay/l/HP5E2J4HRMO6XYJANMEB4KT7F5 - :/var/lib/containers/storage/overlay/l/JZ3QIR7Y7HTWYCCZRNFZCMQSHH - :/var/lib/containers/storage/overlay/l/IYGILU3HMTXZLIKNELEPBOZXWS - :/var/lib/containers/storage/overlay/l/K52NCFVUIEMQALGI4CTKSORFQ6 - :/var/lib/containers/storage/overlay/l/DM5R63KXPSUHMGXMXGHV2Z7L6O - :/var/lib/containers/storage/overlay/l/3BJ5A4CHITM36J3WL7DUJN7HI5 - :/var/lib/containers/storage/overlay/l/3KY56KPCGUTAOCABRQOPB5E7KI - :/var/lib/containers/storage/overlay/l/4ISDZ7Y23WWZAZ6TISWAVXAKTA - :/var/lib/containers/storage/overlay/l/7WFY6347EYETD2DSHOWWGORMY7 - :/var/lib/containers/storage/overlay/l/RBDQUQQAQ4M3DNDP7JQDSTFPDC - :/var/lib/containers/storage/overlay/l/CZPS35AEHSSOCX2SETGG5RWAWK - :/var/lib/containers/storage/overlay/l/VTV4IYIPIMV7HUVW3YUCEZGVIF - 
:/var/lib/containers/storage/overlay/l/LOGNN4O7UYRJDINC3EU6MCK2JQ - :/var/lib/containers/storage/overlay/l/XCTPWOKP4A3NITB5YJEGDOYP53 - :/var/lib/containers/storage/overlay/l/57WPQF43V53AQIH5AJAFS2ZJLN - :/var/lib/containers/storage/overlay/l/BURD55A3XF6AHWWN5NFYVKHLFR - :/var/lib/containers/storage/overlay/l/SJBWDEB4R6KHHUWYVWHVFXZUML - :/var/lib/containers/storage/overlay/l/EFH5DWZ6VD7XHRBJI3MSGCSL5C - :/var/lib/containers/storage/overlay/l/LNJD656RHN73JQIOG5QP72XH6D - :/var/lib/containers/storage/overlay/l/BYKGR5QA32CNM3PNW7OJZGL7PI - :/var/lib/containers/storage/overlay/l/KEBZ34OPOPZSF56MMUIYJC62VQ - :/var/lib/containers/storage/overlay/l/AXUJ2DTXCFUNLLHVBNZT7HOOHV - :/var/lib/containers/storage/overlay/l/W2GQPDXQWNE4PJ2FK242CNBP3G - :/var/lib/containers/storage/overlay/l/HSHTMFX2BNZ6MN3YKZNP5GACK3 - :/var/lib/containers/storage/overlay/l/5EV6E33HXQTMDYA55D2KVDQN6O - :/var/lib/containers/storage/overlay/l/5YXUGLZ3U5V2GABHAGMOQQLZYD - :/var/lib/containers/storage/overlay/l/WNM6BFUABXRYMF3QXGOWIMSFGS - :/var/lib/containers/storage/overlay/l/EM6L4BR3WMU427KN3WHNXLPXLK - :/var/lib/containers/storage/overlay/l/WKG62FRJYJHG4PIYLUWPOIGIFR - :/var/lib/containers/storage/overlay/l/EIT5DRSEKJFGSXHNDISGIBHEET - :/var/lib/containers/storage/overlay/l/PW2HEYGQKHNXSSQFCTQ3RTW3RU - :/var/lib/containers/storage/overlay/l/LYCJF4GBFFSP5MCC6TGBDGWXLY - :/var/lib/containers/storage/overlay/l/3YXKKFLTDRPWC6Y3VW3A5HCHPC - :/var/lib/containers/storage/overlay/l/RJTCZEVFZ4GZ4WT36ZHWVQPHBE - :/var/lib/containers/storage/overlay/l/AT3GLGCW22SPL4FDEMUHM7SEC3 - :/var/lib/containers/storage/overlay/l/VPT2VRWXG6F5UOROWNVZJUYIXS - :/var/lib/containers/storage/overlay/l/IHIXWAURUCUAYZEWBQU6N37UL5 - :/var/lib/containers/storage/overlay/l/IGMNOUI3RRH3KFAOSHZUJJAYA6 - :/var/lib/containers/storage/overlay/l/KQTWTENKAQ7WIMPQO5HY4SQKSL - :/var/lib/containers/storage/overlay/l/7GQIS3UWTUQESKJI6NQ5A63FMB - :/var/lib/containers/storage/overlay/l/MXGQVTYACLV4M7PRZRGGXNOLCY - 
:/var/lib/containers/storage/overlay/l/6T6MXUMJ74EIDYDFZJU6642WDR - :/var/lib/containers/storage/overlay/l/QG53GGUJAUZLLCRGHLDVNBIG5M - :/var/lib/containers/storage/overlay/l/CWKPW6SM2HIEROK4XOFGURSEYZ - :/var/lib/containers/storage/overlay/l/EFAHS5T2ZS5ZVCY4WGZ4WW45WC - :/var/lib/containers/storage/overlay/l/CRT42BUU43KSCBUDTOB55WVML2 - :/var/lib/containers/storage/overlay/l/KA53IG4NUWMJM5GBFUKDSUP7WM - :/var/lib/containers/storage/overlay/l/DELTO3DZAGCCUKFOKYU5POUVO5 - :/var/lib/containers/storage/overlay/l/KM7KLUMSMCIUGMOUZHCCJVNY3S - :/var/lib/containers/storage/overlay/l/IAXMV7ZFALQU4XFQFLLXXUKBX7 - :/var/lib/containers/storage/overlay/l/6VVTPVXHDYPHOT42CWJXOL6SMB - :/var/lib/containers/storage/overlay/l/OHO5IA7AJ2EOGAFUPT3MPJMZSY - :/var/lib/containers/storage/overlay/l/Q3ZXKGFN6Q2APXQKRXMNE6YR4M - :/var/lib/containers/storage/overlay/l/FSGYM4J5NR6AY3LUWZ2WTBQG3N - :/var/lib/containers/storage/overlay/l/M44HLHAQGLWFYVTS4J55CDEDLY - :/var/lib/containers/storage/overlay/l/36CIGRUHNNFDCBWSEN3KXUQAZR - :/var/lib/containers/storage/overlay/l/5QE5JTSJB23BDSXCGYPXTTJUSS - :/var/lib/containers/storage/overlay/l/DREIPLSBGAK4XBL57M3NJAT5XA, - upperdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/diff, - workdir=/var/lib/containers/storage/overlay/4f2debd33eeab2b4e01fb9e5df7c7057041d57cee97634d14b9ccf512e34ec7c/work, - volatile": using mount program /nix/store/mr0jx11v1z2sfjlndisw7v3jrk57x7l3-fuse-overlayfs-1.14/bin/fuse-overlayfs: unknown argument ignored: lazytime - -fuse: device not found, try 'modprobe fuse' first -fuse-overlayfs: cannot mount: No such file or directory \ No newline at end of file diff --git a/runners/default.nix b/runners/default.nix deleted file mode 100644 index 9493d52..0000000 --- a/runners/default.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ - pkgs ? import {}, - pkgs_linux ? import { system = "x86_64-linux"; }, -}: - -with pkgs; -dockerTools.buildImage { - name = "default"; - tag = "latest"; - - copyToRoot = buildEnv { - name = "image-root"; - pathsToLink = [ "/bin" ]; - paths = with pkgs_linux; [ - coreutils - u-root-cmds - bash - nix - nodejs - podman - ]; - }; - - config = { - User = "runner"; - Cmd = [ "${lib.getExe bashInteractive}" ]; - }; -} \ No newline at end of file From 9ebe4fd4e706c30babeb32df1abb6e2ad0d071fe Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Mon, 8 Sep 2025 16:24:36 +0200 Subject: [PATCH 96/96] alright, time to try it --- .forgejo/workflows/action.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.forgejo/workflows/action.yml b/.forgejo/workflows/action.yml index 4aac00e..684cfad 100644 --- a/.forgejo/workflows/action.yml +++ b/.forgejo/workflows/action.yml @@ -7,10 +7,9 @@ on: - main jobs: - hello: - name: Print hello world - runs-on: default + kaas: + runs-on: nix steps: - name: Echo run: | - echo "Hello, world!" \ No newline at end of file + nix --version \ No newline at end of file