Add config for forgejo machine, justfile for quality of life.

This commit is contained in:
DS 2025-02-23 18:57:51 -08:00
parent 98c77311fd
commit 9f66f0b37b
7 changed files with 403 additions and 31 deletions

5
.gitignore vendored
View file

@ -20,10 +20,9 @@ build/Release
.env.test.local
.env.production.local
.env.local
# wrangler project
.dev.vars
.wrangler/
# Others
.direnv/
# Template rendering artifacts
public/*.html
# Nix build result
result

View file

@ -1,3 +1,15 @@
# Nixifying a new host
If you have a bunch of SSH keys in your SSH agent and get errors when trying to SSH into a fresh host, you may need to temporarily add the following config to your SSH config (obviously change the details for your case).
The key is the line "IdentitiesOnly yes" along with an identity file.
```
Host 188.245.194.78
User root
IdentityFile ~/.ssh/hetzner_personal_root.pub
IdentitiesOnly yes
```
# Adding yourself to the webring
(Please only follow this if you're an Epesooj insider. Random PRs will be closed for now.)

168
code_server.nix Normal file
View file

@ -0,0 +1,168 @@
{ self, moduleWithSystem, ... }: {
flake.nixosModules.code-server = moduleWithSystem (
{ ... }: # Note: only explicit parameters are passed to this.
{ pkgs, modulesPath, lib, ... }: {
imports = [
self.inputs.disko.nixosModules.disko
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/headless.nix")
(modulesPath + "/profiles/minimal.nix")
(modulesPath + "/profiles/qemu-guest.nix")
./code_server_disk.nix
];
system.stateVersion = "24.11";
boot.kernelParams = [ "zfs.zfs_arc_max=536870912" ];
boot.zfs.extraPools = [ "zroot" ];
boot.initrd.postMountCommands = lib.mkAfter ''
zfs rollback -r zroot/root@blank
'';
services.zfs.autoScrub.enable = true;
boot.loader.grub = {
enable = true;
# No need to set devices, disko will add all devices that have an EF02 partition to the list already.
# devices = [];
efiSupport = true;
efiInstallAsRemovable = true;
};
fileSystems = {
"/var/lib/systemd" = {
device = "/persisted/var/lib/systemd";
options = [ "bind" ];
};
"/var/lib/forgejo" = {
device = "/persisted/var/lib/forgejo";
options = [ "bind" ];
};
};
networking.hostId = "9f1dfd86"; # Required by ZFS.
networking.useNetworkd = true;
networking.firewall.logRefusedConnections = false;
nix.gc.automatic = true;
nix.gc.dates = "02:15";
services.cloud-init = {
enable = true;
network.enable = true;
settings = {
datasource_list = [ "Hetzner" ];
# The NixOS cloud-init settings declares the entire `system_info` with `lib.mkDefault`, so we need to copy the defaults from it here and make the changes we want to make.
system_info = {
paths = {
cloud_dir = "/persisted/var/lib/cloud";
};
distro = "nixos";
network = {
renderers = [ "networkd" ];
activators = [ "networkd" ];
};
};
cloud_init_modules = [
"migrator"
"seed_random"
"bootcmd"
];
cloud_config_modules = [
"ssh-import-id"
"timezone"
"runcmd"
"ssh"
];
cloud_final_modules = [
"keys-to-console"
"final-message"
"power-state-change"
];
};
};
services.openssh = {
enable = true;
hostKeys = [
{
path = "/persisted/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
settings = {
PasswordAuthentication = false;
};
};
users.users.root = {
home = lib.mkForce "/persisted/root";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# UDP allowed for HTTP/3.
networking.firewall.allowedUDPPorts = [ 80 443 ];
services.caddy = {
enable = true;
globalConfig = ''
# Comment this if building the prod image. The following is only useful for testing.
local_certs
skip_install_trust
'';
virtualHosts."code.akols.com".extraConfig = ''
encode zstd gzip
reverse_proxy http://127.0.0.1:3000
# @exclude_lfs not path *.git/info/lfs*
# basic_auth @exclude_lfs {
# boardgamers $2a$14$Tni1.M8JUU4EXyWlVTL2jetDlWPamXtXZlYZizm2DtU.cwyLetbCm
# }
'';
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
lfs.enable = true;
settings = {
service = {
DISABLE_REGISTRATION = true;
};
database = {
SQLITE_JOURNAL_MODE = "WAL";
};
cache = {
ADAPTER = "twoqueue";
HOST = "{\"size\":100,\"recent_ratio\":0.25,\"ghost_ratio\":0.5}";
};
server = {
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
DOMAIN = "code.akols.com";
ROOT_URL = "https://code.akols.com";
};
session = {
COOKIE_SECURE = true;
};
security = {
LOGIN_REMEMBER_DAYS = 365;
};
};
};
}
);
}

89
code_server_disk.nix Normal file
View file

@ -0,0 +1,89 @@
{ lib, ... }:
{
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
priority = 1;
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
zfs = {
name = "zfs";
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
mode = "";
# May cause issues if we end up adding any pools that will be imported before boot, but at the time this was added, we only had a "zroot" pool that was always imported at boot via `boot.zfs.extraPools`, so this was fine.
options.cachefile = "none";
rootFsOptions = {
compression = "zstd";
"com.sun:auto-snapshot" = "false";
canmount = "off";
};
mountpoint = null;
postCreateHook = ''
zfs list -t snapshot -H -o name | grep -E '^zroot/root@blank$' || zfs snapshot zroot/root@blank
'';
postMountHook = ''
mkdir -p /mnt/persisted/var/lib/systemd
mkdir -p /mnt/persisted/etc/ssh
mkdir -p /mnt/persisted/secrets
mkdir -p /mnt/persisted/root
'';
datasets = {
root = {
type = "zfs_fs";
mountpoint = "/";
options.canmount = "on";
};
nix = {
type = "zfs_fs";
mountpoint = "/nix";
options.canmount = "on";
};
replicated = {
type = "zfs_fs";
mountpoint = null;
options.canmount = "off";
};
"replicated/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.canmount = "on";
};
"replicated/persisted" = {
type = "zfs_fs";
mountpoint = "/persisted";
options.canmount = "on";
};
};
};
};
};
}

76
flake.lock generated
View file

@ -1,15 +1,53 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1739841949,
"narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
"owner": "nix-community",
"repo": "disko",
"rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@ -27,11 +65,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1726716330,
"narHash": "sha256-mIuOP4I51eFLquRaxMKx67pHmhatZrcVPjfHL98v/M8=",
"lastModified": 1732053863,
"narHash": "sha256-DCIVdlb81Fct2uwzbtnawLBC/U03U2hqx8trqTJB7WA=",
"owner": "oxalica",
"repo": "nil",
"rev": "c8e8ce72442a164d89d3fdeaae0bcc405f8c015a",
"rev": "2e24c9834e3bb5aa2a3701d3713b43a6fb106362",
"type": "github"
},
"original": {
@ -42,11 +80,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1727348695,
"narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=",
"lastModified": 1740126099,
"narHash": "sha256-ozoOtE2hGsqh4XkTJFsrTkNxkRgShxpQxDynaPZUGxk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784",
"rev": "32fb99ba93fea2798be0e997ea331dd78167f814",
"type": "github"
},
"original": {
@ -56,8 +94,22 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1738452942,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
}
},
"root": {
"inputs": {
"disko": "disko",
"flake-parts": "flake-parts",
"nil": "nil",
"nixpkgs": "nixpkgs"
}
@ -70,11 +122,11 @@
]
},
"locked": {
"lastModified": 1726453838,
"narHash": "sha256-pupsow4L79SBfNwT6vh/5RAbVZuhngIA0RTCZksXmZY=",
"lastModified": 1731983527,
"narHash": "sha256-JECaBgC0pQ91Hq3W4unH6K9to8s2Zl2sPNu7bLOv4ek=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "ca2e79cd22625d214b8437c2c4080ce79bd9f7d2",
"rev": "71287228d96e9568e1e70c6bbfa3f992d145947b",
"type": "github"
},
"original": {

View file

@ -1,8 +1,14 @@
{
description = "Epesooj webring.";
description = "Epesooj webring and machine.";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-parts.url = "github:hercules-ci/flake-parts";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
nil = {
url = "github:oxalica/nil";
@ -10,23 +16,61 @@
};
};
outputs = { self, nixpkgs, nil, ... }:
let
pkgs = import nixpkgs {
system = "x86_64-linux";
};
in
{
devShells.x86_64-linux = {
default = pkgs.mkShell {
packages = with pkgs; [
nodePackages_latest.nodejs
outputs = inputs@{ flake-parts, nil, ... }:
flake-parts.lib.mkFlake { inherit inputs; } ({ config, getSystem, ... }: {
systems = [ "x86_64-linux" ];
# Both of these used with VSCode.
nixpkgs-fmt
nil.packages.${system}.default
imports = [
./code_server.nix
];
flake =
let
codeServerModules = [
config.flake.nixosModules.code-server
{
networking.hostName = "epesooj-code-0001";
}
];
in
{
nixosConfigurations = {
code = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = codeServerModules;
};
};
colmena = {
meta.nixpkgs = import inputs.nixpkgs {
system = "x86_64-linux";
};
code = {
deployment = {
targetHost = "epesooj-code-0001"; # Requires an SSH config with information for this host.
};
imports = codeServerModules;
};
};
};
perSystem = { system, pkgs, ... }: {
devShells = {
default = pkgs.mkShell {
packages = with pkgs; [
just
nodePackages_latest.nodejs
colmena
# Both of these used with VSCode.
nixpkgs-fmt
nil.packages.${system}.default
];
};
};
};
};
});
}

8
justfile Normal file
View file

@ -0,0 +1,8 @@
default:
@just --list --justfile {{justfile()}}
build_nixos_config host_type="code":
nix build .#nixosConfigurations.{{host_type}}.config.system.build.toplevel
nixify_host hostname host_type="code":
nix run github:nix-community/nixos-anywhere -- --flake .#{{host_type}} --target-host root@{{hostname}}