From a8b9f9a12dbe2b30fca1204e8f346ce562067a4d Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Tue, 19 Jul 2022 14:05:08 +1000 Subject: [PATCH 01/16] colmena: initial commit --- README.rst | 4 +- default.nix | 19 ++++++++ flake.lock | 98 ++++++++++++++++++++++++++-------------- flake.nix | 4 +- nixos/configurations.nix | 30 ++++++++++++ outputs.nix | 21 +++++++-- shell.nix | 6 +-- 7 files changed, 138 insertions(+), 44 deletions(-) create mode 100644 default.nix create mode 100644 nixos/configurations.nix diff --git a/README.rst b/README.rst index b7d2737..d0db2b9 100644 --- a/README.rst +++ b/README.rst @@ -1,10 +1,10 @@ JFDIC Ops ========= -NixOps_ deployment configuration for `JFDI Collective`_ services. +Colmena_ deployment configuration for `JFDI Collective`_ services. The canonical home for this repo is https://source.jfdic.org/jfdic/jfdic-ops -.. _NixOps: https://nixos.org/nixops +.. _Colmena: https://colmena.cli.rs/ .. _JFDI Collective: https://jfdic.org/ diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..bfce7af --- /dev/null +++ b/default.nix @@ -0,0 +1,19 @@ +{ + sources ? import ./nix/sources.nix, + system ? builtins.currentSystem, + crossSystem ? null, + config ? {}, + alejandraUnstable ? (import sources.nixpkgsUnstable {}).alejandra, +} @ args: +with import ./nix args; { + shell = mkShell { + buildInputs = [ + alejandraUnstable # The Uncompromising Nix Code Formatter + colmena + niv + treefmt # one CLI to format the code tree + ]; + NIX_PATH = "nixpkgs=${sources.nixpkgs}"; + NIXOPS_DEPLOYMENT = "${globals.deploymentName}"; + }; +} diff --git a/flake.lock b/flake.lock index 7e85e9d..53eb01d 100644 --- a/flake.lock +++ b/flake.lock 
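Review bot: `NIXOPS_DEPLOYMENT = "${globals.deploymentName}";` in the new `default.nix` shell is a leftover of the tool this commit replaces; colmena does not read it, so drop the line or add a comment stating why it is kept. The shell also pins its tools through `./nix/sources.nix` (niv) while `flake.nix`/`flake.lock` pin the same inputs separately, so the two pin sets can drift and whoever reviews one lock update will not see the other — make `default.nix` a flake-compat shim over `flake.lock`, or document which file is authoritative. `./nix` and `globals` are not in the patch, so the `NIX_PATH` value cannot be checked here.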
@@ -32,6 +32,42 @@ "ref": "consensus", "type": "git", "url": "https://source.jfdic.org/JFDIC/jfdic-web/" + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "stable": "stable", + "utils": "utils" + }, + "locked": { + "lastModified": 1651093858, + "narHash": "sha256-aGpMiY9pS2616AfAVWA87tULKatDYF2kCKxwYstK8V0=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "fbefc48d8951347b30ef87e223be6075769810ff", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "v0.3.0", + "repo": "colmena", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" } }, "lowdown-src": { @@ -53,7 +89,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { 
@@ -71,38 +107,18 @@ "type": "github" } }, - "nixops": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "utils": "utils" - }, - "locked": { - "lastModified": 1657388807, - "narHash": "sha256-MtTM5KUHIDqnY254chIOp00EmsbYsXR3mXrnbbY4wg0=", - "owner": "NixOS", - "repo": "nixops", - "rev": "dcafae5258773dc0fbdd31b425f1ad3fb59173fe", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixops", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1657693803, - "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=", + "lastModified": 1656372800, + "narHash": "sha256-1u9SDLXvKix/QejNb2sY2J2QZXnbe/14MnLtn+ln9j0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2", + "rev": "020c74014b9e2fa905bb4059c979965816cd9118", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-22.05-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -141,16 +157,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1656753965, - "narHash": "sha256-BCrB3l0qpJokOnIVc3g2lHiGhnjUi0MoXiw6t1o8H1E=", + "lastModified": 1657693803, + "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0ea7a8f1b939d74e5df8af9a8f7342097cdf69eb", + "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-22.05-small", "repo": "nixpkgs", "type": "github" } @@ -192,8 +208,8 @@ "inputs": { "hakyll-skeleton": "hakyll-skeleton", "jfdic-web": "jfdic-web", + "colmena": "colmena", "nix": "nix", - "nixops": "nixops", "nixpkgs": "nixpkgs_3", "nixpkgsUnstable": "nixpkgsUnstable", "resrok-web": "resrok-web", 
@@ -201,13 +217,29 @@ "voc-web": "voc-web" } }, + "stable": { + "locked": { + "lastModified": 1656782578, + "narHash": "sha256-1eMCBEqJplPotTo/SZ/t5HU6Sf2I8qKlZi9MX7jv9fw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "573603b7fdb9feb0eb8efc16ee18a015c667ab1b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, "utils": { "locked": { - "lastModified": 1634851050, - "narHash": "sha256-N83GlSGPJJdcqhUxSCS/WwW5pksYf3VP1M13cDRTSVA=", + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "c91f3de5adaf1de973b797ef7485e441a65b8935", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 1cc7159..060246f 100644 --- a/flake.nix +++ b/flake.nix @@ -15,14 +15,14 @@ url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus; }; nix.url = "github:NixOS/nix/?ref=2.10.3"; - nixops.url = github:NixOS/nixops/?ref=master; - nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.11; + nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.05; nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable; utils.url = "github:numtide/flake-utils"; voc-web = { flake = false; url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus; }; + colmena.url = github:zhaofengli/colmena/?ref=v0.3.0; }; outputs = {...} @ args: import ./outputs.nix args; diff --git a/nixos/configurations.nix b/nixos/configurations.nix new file mode 100644 index 0000000..aadc46d --- /dev/null +++ b/nixos/configurations.nix 
@@ -0,0 +1,30 @@ +{ + self, + nixpkgs, + inputs, + nix, + ... +}: let + nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem; + customModules = import ../modules/modules-list.nix; + baseModules = [ + # make flake inputs accessiable in NixOS + {_module.args.inputs = inputs;} + { + imports = [ + ({pkgs, ...}: { + nix.nixPath = [ + "nixpkgs=${pkgs.path}" + ]; + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; + documentation.info.enable = false; + }) + ]; + } + ]; + defaultModules = baseModules ++ customModules; +in { + toscano = import ./hosts/toscano.nix; +} diff --git a/outputs.nix b/outputs.nix index d3be2f7..736c0af 100644 --- a/outputs.nix +++ b/outputs.nix @@ -2,8 +2,8 @@ self, hakyll-skeleton, jfdic-web, + colmena, nix, - nixops, nixpkgs, nixpkgsUnstable, resrok-web, @@ -12,15 +12,14 @@ ... } @ inputs: (utils.lib.eachDefaultSystem (system: let - pkgs = - nixpkgs.legacyPackages."${system}"; + pkgs = nixpkgs.legacyPackages."${system}"; in { devShell = pkgs.callPackage ./shell.nix { + inherit (colmena.packages."${pkgs.system}") colmena; inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; - nixops = nixops.defaultPackage."${pkgs.system}"; }; })) // { @@ -39,5 +38,19 @@ in { imports = [./profiles/host_common.nix]; }; toscano = import ./hosts/toscano.nix; + colmena = { + meta = { + description = "jfdic-ops deployment"; + name = "jfdic-ops"; + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = []; + }; + }; + nixosConfigurations = import ./nixos/configurations.nix (inputs + // { + inherit inputs; + }); + }; }; } diff --git a/shell.nix b/shell.nix index a6c2c48..0ba0b4e 100644 --- a/shell.nix +++ b/shell.nix 
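Review bot: `nixosSystem`, `baseModules`, `customModules` and `defaultModules` are bound in the `let` but the returned attrset is only `{ toscano = import ./hosts/toscano.nix; }`, so the `_module.args.inputs`, `nix.nixPath` and `experimental-features` settings are never applied to any host. Either build the host with them, e.g. `toscano = nixosSystem { system = "x86_64-linux"; modules = defaultModules ++ [./hosts/toscano.nix]; };`, or remove the bindings so the file does not advertise a baseline that is not in effect. `../modules/modules-list.nix` is not in the patch, so what `customModules` would add cannot be checked here.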
@@ -2,15 +2,15 @@ pkgs ? import {}, alejandra, mkShell, - nixops, + colmena, nix, }: with pkgs; mkShell { buildInputs = [ alejandra # The Uncompromising Nix Code Formatter - nixops - nix + colmena # simple, stateless NixOS deployment tool + nix # Powerful package manager, makes packaging reliable & reproducible tea # Gitea official CLI client treefmt # one CLI to format the code tree ]; From 68b747d9f5429fa2bbd70540dfb3ded88c565494 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Wed, 20 Jul 2022 13:36:14 +1000 Subject: [PATCH 02/16] colmena: added host toscano --- nixos/configurations.nix | 5 ++- .../hosts/toscano/configuration.nix | 16 ++++---- outputs.nix | 39 ++++++------------- profiles/server_common.nix | 4 +- 4 files changed, 26 insertions(+), 38 deletions(-) rename hosts/toscano.nix => nixos/hosts/toscano/configuration.nix (51%) diff --git a/nixos/configurations.nix b/nixos/configurations.nix index aadc46d..50b1ea5 100644 --- a/nixos/configurations.nix +++ b/nixos/configurations.nix @@ -25,6 +25,9 @@ } ]; defaultModules = baseModules ++ customModules; + deployment = { + allowLocalDeployment = true; + }; in { - toscano = import ./hosts/toscano.nix; + #toscano = import ./hosts/toscano/configuration.nix; } diff --git a/hosts/toscano.nix b/nixos/hosts/toscano/configuration.nix similarity index 51% rename from hosts/toscano.nix rename to nixos/hosts/toscano/configuration.nix index 3811812..69eaedf 100644 --- a/hosts/toscano.nix +++ b/nixos/hosts/toscano/configuration.nix 
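Review bot: `deployment = { allowLocalDeployment = true; };` is added as a `let` binding that nothing references, and the only node line is commented out, so the file now evaluates to an empty attrset and the setting has no effect. If local deployment of toscano is intended, set `deployment.allowLocalDeployment = true;` inside the host configuration where colmena reads it; otherwise remove the binding. Left as is, the dead binding suggests `colmena apply-local` is permitted when it presumably is not.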
@@ -8,14 +8,14 @@ ... }: { imports = [ - ../networks/linode.nix - ../profiles/forgejo.nix - ../profiles/hakyll-skeleton.nix - ../profiles/jfdic-web.nix - ../profiles/resrok-web.nix - ../profiles/tmateServer.nix - ../profiles/voc-web.nix - ../secrets/forgejo.nix + ../../../networks/linode.nix + ../../../profiles/gitea.nix + ../../../profiles/hakyll-skeleton.nix + ../../../profiles/jfdic-web.nix + ../../../profiles/resrok-web.nix + ../../../profiles/tmateServer.nix + ../../../profiles/voc-web.nix + ../../../secrets/gitea.nix ]; deployment.targetHost = "45.79.236.198"; diff --git a/outputs.nix b/outputs.nix index 736c0af..d4ab031 100644 --- a/outputs.nix +++ b/outputs.nix @@ -23,34 +23,19 @@ in { }; })) // { - nixopsConfigurations.default = { - inherit nixpkgs; - network = { - description = "jfdic-ops nodes"; - enableRollback = true; - storage.legacy = { - databasefile = "~/.nixops/deployments.nixops"; + colmena = { + meta = { + description = "jfdi collective's NixOS deployment"; + name = "jfdic-ops"; + nixpkgs = import nixpkgs { + system = "x86_64-linux"; + overlays = []; }; }; - defaults = { - system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps - _module.args.inputs = inputs; # make flake inputs accessiable in NixOS - imports = [./profiles/host_common.nix]; - }; - toscano = import ./hosts/toscano.nix; - colmena = { - meta = { - description = "jfdic-ops deployment"; - name = "jfdic-ops"; - nixpkgs = import nixpkgs { - system = "x86_64-linux"; - overlays = []; - }; - }; - nixosConfigurations = import ./nixos/configurations.nix (inputs - // { - inherit inputs; - }); - }; + toscano = import ./nixos/hosts/toscano/configuration.nix; + nixosConfigurations = import ./nixos/configurations.nix (inputs + // { + inherit inputs; + }); }; } diff --git a/profiles/server_common.nix b/profiles/server_common.nix index cad1c54..75e240d 100644 --- a/profiles/server_common.nix +++ b/profiles/server_common.nix 
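Review bot: The import list swaps `profiles/forgejo.nix` for `profiles/gitea.nix` and `secrets/forgejo.nix` for `secrets/gitea.nix` in a commit described as moving the host file, which reads as a rebase artifact rather than an intended change; a later patch in this series imports `profiles/forgejo.nix` again. `../../../secrets/gitea.nix` is a plain Nix module under a directory that `.gitignore` excludes at this point, so evaluating this host depends on an untracked file — if the rename is intended, say so in the commit message and note where that file comes from. The module's function header starts above the hunk.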
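Review bot: The removed `nixopsConfigurations.default.defaults` block carried `_module.args.inputs = inputs` and `imports = [./profiles/host_common.nix]`, and the new hive has no `defaults` attribute, so nothing applies that baseline to `toscano` unless its own configuration repeats it; any profile that reads `inputs` would then fail to evaluate. Preserve it with `defaults = { _module.args.inputs = inputs; imports = [./profiles/host_common.nix]; };` in the hive. `nixosConfigurations = import ./nixos/configurations.nix …` now sits inside the hive, where colmena treats every attribute other than `meta`/`defaults` as a node, so it belongs at the flake's top level instead.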
@@ -7,8 +7,8 @@ }: { imports = [ ../profiles/openssh.nix - ../secrets/user-fiscalvelvetpoet.nix - ../secrets/user-root.nix + ../nixos/secrets/user-fiscalvelvetpoet.nix + ../nixos/secrets/user-root.nix ]; programs.mosh = { From 6a59bf94d0486e3547a6ae50f5dd1d05198b24f2 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Wed, 19 Oct 2022 09:21:48 +1000 Subject: [PATCH 03/16] colmena: updated to v0.3.2 --- flake.lock | 94 ++++++++++++++++++++++++++++-------------------------- flake.nix | 2 +- 2 files changed, 49 insertions(+), 47 deletions(-) diff --git a/flake.lock b/flake.lock index 53eb01d..3e6db45 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,43 @@ { "nodes": { + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "stable": "stable", + "utils": "utils" + }, + "locked": { + "lastModified": 1664434431, + "narHash": "sha256-F/Jl1GqSp08fw7PCHiv/ijn/pAP1YOStIhHws291s7A=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "7253d9b4bb1f0f031d926092cb5dae3b03f1e812", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "ref": "v0.3.2", + "repo": "colmena", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "hakyll-skeleton": { "flake": false, "locked": { 
@@ -32,42 +70,6 @@ "ref": "consensus", "type": "git", "url": "https://source.jfdic.org/JFDIC/jfdic-web/" - "colmena": { - "inputs": { - "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs", - "stable": "stable", - "utils": "utils" - }, - "locked": { - "lastModified": 1651093858, - "narHash": "sha256-aGpMiY9pS2616AfAVWA87tULKatDYF2kCKxwYstK8V0=", - "owner": "zhaofengli", - "repo": "colmena", - "rev": "fbefc48d8951347b30ef87e223be6075769810ff", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "ref": "v0.3.0", - "repo": "colmena", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" } }, "lowdown-src": { @@ -109,11 +111,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1656372800, - "narHash": "sha256-1u9SDLXvKix/QejNb2sY2J2QZXnbe/14MnLtn+ln9j0=", + "lastModified": 1653060744, + "narHash": "sha256-kfRusllRumpt33J1hPV+CeCCylCXEU7e0gn2/cIM7cY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "020c74014b9e2fa905bb4059c979965816cd9118", + "rev": "dfd82985c273aac6eced03625f454b334daae2e8", "type": "github" }, "original": { @@ -206,9 +208,9 @@ }, "root": { "inputs": { + "colmena": "colmena", "hakyll-skeleton": "hakyll-skeleton", "jfdic-web": "jfdic-web", - "colmena": "colmena", "nix": "nix", "nixpkgs": "nixpkgs_3", "nixpkgsUnstable": "nixpkgsUnstable", 
@@ -219,11 +221,11 @@ }, "stable": { "locked": { - "lastModified": 1656782578, - "narHash": "sha256-1eMCBEqJplPotTo/SZ/t5HU6Sf2I8qKlZi9MX7jv9fw=", + "lastModified": 1653087707, + "narHash": "sha256-zfno3snrzZTWQ2B7K53QHrGZwrjnJLTRPalymrSsziU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "573603b7fdb9feb0eb8efc16ee18a015c667ab1b", + "rev": "cbd40c72b2603ab54e7208f99f9b35fc158bc009", "type": "github" }, "original": { @@ -235,11 +237,11 @@ }, "utils": { "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "lastModified": 1649676176, + "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 060246f..8b65ee3 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,7 @@ flake = false; url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus; }; - colmena.url = github:zhaofengli/colmena/?ref=v0.3.0; + colmena.url = "github:zhaofengli/colmena/?ref=v0.3.2"; }; outputs = {...} @ args: import ./outputs.nix args; From 66fb43735c6fadbe05efbda3dc3fa16f07bd8171 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Tue, 4 Apr 2023 19:14:38 +1000 Subject: [PATCH 04/16] nixos: corrected nixpkgs flake in this branch Progresses #1 --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 8b65ee3..fa8cd8a 100644 --- a/flake.nix +++ b/flake.nix @@ -15,7 +15,7 @@ url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus; }; nix.url = "github:NixOS/nix/?ref=2.10.3"; - nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.05; + nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.11; nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable; utils.url = "github:numtide/flake-utils"; voc-web = { 
From cdb41cb22a576d78c7671e78c9299e4ce452499d Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Wed, 5 Apr 2023 10:42:22 +1000 Subject: [PATCH 05/16] devShell: add agenix to the devShell Progresses #11 --- flake.lock | 22 ++++++++++++++++++++++ flake.nix | 5 +++++ outputs.nix | 11 +++++++---- shell.nix | 2 ++ 4 files changed, 36 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 3e6db45..7d0fd74 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680281360, + "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e64961977f60388dd0b49572bb0fc453b871f896", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -208,6 +229,7 @@ }, "root": { "inputs": { + "agenix": "agenix", "colmena": "colmena", "hakyll-skeleton": "hakyll-skeleton", "jfdic-web": "jfdic-web", diff --git a/flake.nix b/flake.nix index fa8cd8a..b3e3744 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,11 @@ description = "jfdic-ops deployment"; inputs = { + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.darwin.follows = ""; # skip Darwin dependencies + }; hakyll-skeleton = { flake = false; url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus; diff --git a/outputs.nix b/outputs.nix index d4ab031..1419a3e 100644 --- a/outputs.nix +++ b/outputs.nix @@ -2,6 +2,7 @@ self, hakyll-skeleton, jfdic-web, + agenix, colmena, nix, nixpkgs, @@ -17,6 +18,7 @@ in { devShell = pkgs.callPackage ./shell.nix { + inherit (agenix.packages."${pkgs.system}") agenix; inherit (colmena.packages."${pkgs.system}") colmena; inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; 
@@ -33,9 +35,10 @@ in { }; }; toscano = import ./nixos/hosts/toscano/configuration.nix; - nixosConfigurations = import ./nixos/configurations.nix (inputs - // { - inherit inputs; - }); + # The below lines are in the wrong place + #nixosConfigurations = import ./nixos/configurations.nix (inputs + # // { + # inherit inputs; + # }); }; } diff --git a/shell.nix b/shell.nix index 0ba0b4e..c1e274f 100644 --- a/shell.nix +++ b/shell.nix @@ -1,5 +1,6 @@ { pkgs ? import {}, + agenix, alejandra, mkShell, colmena, @@ -8,6 +9,7 @@ with pkgs; mkShell { buildInputs = [ + agenix # CLI management of secrets encrypted via existing SSH keys alejandra # The Uncompromising Nix Code Formatter colmena # simple, stateless NixOS deployment tool nix # Powerful package manager, makes packaging reliable & reproducible From ace344f27e11f348c0ae3b66ecc492e1273f6423 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Wed, 5 Apr 2023 14:25:36 +1000 Subject: [PATCH 06/16] agenix: remove secrets from .gitignore Moving from out-of-band to encrypted secrets Progresses #11 --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index b72f980..92b2793 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ .direnv -secrets From b141d4a90f1cab4f46bd9aa45e129a70d1e2423f Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Wed, 5 Apr 2023 15:55:44 +1000 Subject: [PATCH 07/16] ragenix: replaced agenix with ragenix progresses #11 --- flake.lock | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++--- flake.nix | 5 ++- outputs.nix | 4 +-- shell.nix | 4 +-- 4 files changed, 98 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 7d0fd74..0a827df 100644 --- a/flake.lock +++ b/flake.lock 
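Review bot: Dropping `secrets` from `.gitignore` before the plaintext secret modules are gone makes any existing `secrets/*.nix` or `nixos/secrets/*.nix` file stageable by a plain `git add .`; the tree at this commit still imports `../nixos/secrets/user-fiscalvelvetpoet.nix`, `../nixos/secrets/user-root.nix` and `../../../secrets/gitea.nix`, which this pattern kept out of the repository. Narrow the rule rather than deleting it, e.g. `secrets/*` followed by `!secrets/*.age` and `!secrets/secrets.nix`, and keep `nixos/secrets` ignored until those modules are replaced by age-encrypted files. Before this lands, confirm nothing under either directory is already tracked or staged, since history rewriting is the only remedy afterwards.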
@@ -2,17 +2,18 @@ "nodes": { "agenix": { "inputs": { - "darwin": [], + "darwin": "darwin", "nixpkgs": [ + "ragenix", "nixpkgs" ] }, "locked": { - "lastModified": 1680281360, - "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=", + "lastModified": 1677126346, + "narHash": "sha256-4s+PPGC1M07QsPyeye5drc2JLa1lhDnCV3XAsG8+pH4=", "owner": "ryantm", "repo": "agenix", - "rev": "e64961977f60388dd0b49572bb0fc453b871f896", + "rev": "c2a71c83c70844c5e31db69347e86af080bcdad0", "type": "github" }, "original": { @@ -43,6 +44,29 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "ragenix", + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -59,6 +83,21 @@ "type": "github" } }, + "flake-utils": { + "locked": { + "lastModified": 1676283394, + "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "hakyll-skeleton": { "flake": false, "locked": { 
@@ -210,6 +249,29 @@ "type": "github" } }, + "ragenix": { + "inputs": { + "agenix": "agenix", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1677625082, + "narHash": "sha256-62xmRPfjZgDn8AgEhb6eRoJrTxGeM8HfhfF+PkJokok=", + "owner": "yaxitech", + "repo": "ragenix", + "rev": "6f2dacf3d6af36228a8fad3b136990a6b6dfe30b", + "type": "github" + }, + "original": { + "owner": "yaxitech", + "repo": "ragenix", + "type": "github" + } + }, "resrok-web": { "flake": false, "locked": { @@ -229,18 +291,43 @@ }, "root": { "inputs": { - "agenix": "agenix", "colmena": "colmena", "hakyll-skeleton": "hakyll-skeleton", "jfdic-web": "jfdic-web", "nix": "nix", "nixpkgs": "nixpkgs_3", "nixpkgsUnstable": "nixpkgsUnstable", + "ragenix": "ragenix", "resrok-web": "resrok-web", "utils": "utils_2", "voc-web": "voc-web" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "ragenix", + "flake-utils" + ], + "nixpkgs": [ + "ragenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676687290, + "narHash": "sha256-DP0CJ7qtUXf+mmMglJL1yANizzV1O4UfQ9NrKgy7O04=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "bdccd5e973d45159f7d13f7c65a4271dc02cf6d4", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stable": { "locked": { "lastModified": 1653087707, diff --git a/flake.nix b/flake.nix index b3e3744..93c4f10 100644 --- a/flake.nix +++ b/flake.nix @@ -2,10 +2,9 @@ description = "jfdic-ops deployment"; inputs = { - agenix = { - url = "github:ryantm/agenix"; + ragenix = { + url = "github:yaxitech/ragenix"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.darwin.follows = ""; # skip Darwin dependencies }; hakyll-skeleton = { flake = false; diff --git a/outputs.nix b/outputs.nix index 1419a3e..621f4aa 100644 --- a/outputs.nix +++ b/outputs.nix @@ -2,7 +2,7 @@ self, hakyll-skeleton, jfdic-web, - agenix, + ragenix, colmena, nix, nixpkgs, 
@@ -18,7 +18,7 @@ in { devShell = pkgs.callPackage ./shell.nix { - inherit (agenix.packages."${pkgs.system}") agenix; + inherit (ragenix.packages."${pkgs.system}") ragenix; inherit (colmena.packages."${pkgs.system}") colmena; inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; diff --git a/shell.nix b/shell.nix index c1e274f..15644ed 100644 --- a/shell.nix +++ b/shell.nix @@ -1,6 +1,6 @@ { pkgs ? import {}, - agenix, + ragenix, alejandra, mkShell, colmena, @@ -9,7 +9,7 @@ with pkgs; mkShell { buildInputs = [ - agenix # CLI management of secrets encrypted via existing SSH keys + ragenix # CLI management of secrets encrypted via existing SSH keys alejandra # The Uncompromising Nix Code Formatter colmena # simple, stateless NixOS deployment tool nix # Powerful package manager, makes packaging reliable & reproducible From 4a6e51a9a7f448482aae40ffb71c98b458d5f5f7 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Mon, 17 Apr 2023 20:14:19 +1000 Subject: [PATCH 08/16] ragenix: prepped basic secrets progresses #11 --- nixos/hosts/toscano/configuration.nix | 19 +++++++++------- outputs.nix | 6 +++++ profiles/server_common.nix | 3 +-- profiles/users.nix | 32 +++++++++++++++++++++++++++ secrets/fiscalvelvetpoet.age | 14 ++++++++++++ secrets/root.age | 15 +++++++++++++ secrets/secrets.nix | 11 +++++++++ 7 files changed, 90 insertions(+), 10 deletions(-) create mode 100644 profiles/users.nix create mode 100644 secrets/fiscalvelvetpoet.age create mode 100644 secrets/root.age create mode 100644 secrets/secrets.nix diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix index 69eaedf..d04bc70 100644 --- a/nixos/hosts/toscano/configuration.nix +++ b/nixos/hosts/toscano/configuration.nix 
@@ -9,16 +9,19 @@ }: { imports = [ ../../../networks/linode.nix - ../../../profiles/gitea.nix - ../../../profiles/hakyll-skeleton.nix - ../../../profiles/jfdic-web.nix - ../../../profiles/resrok-web.nix - ../../../profiles/tmateServer.nix - ../../../profiles/voc-web.nix - ../../../secrets/gitea.nix + #../../../profiles/gitea.nix + #../../../profiles/hakyll-skeleton.nix + #../../../profiles/jfdic-web.nix + #../../../profiles/resrok-web.nix + #../../../profiles/tmateServer.nix + #../../../profiles/voc-web.nix + #../../../secrets/gitea.nix ]; - deployment.targetHost = "45.79.236.198"; + deployment = { + tags = ["infra"]; + targetHost = "45.79.236.198"; + }; networking.hostName = "toscano"; diff --git a/outputs.nix b/outputs.nix index 621f4aa..23ce213 100644 --- a/outputs.nix +++ b/outputs.nix @@ -23,6 +23,12 @@ in { inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; }; + nixosConfigurations = nixpkgs.lib.nixosSystem { + system = "${pkgs.system}"; + modules = [ + ragenix.nixosModules.default + ]; + }; })) // { colmena = { diff --git a/profiles/server_common.nix b/profiles/server_common.nix index 75e240d..2b900b4 100644 --- a/profiles/server_common.nix +++ b/profiles/server_common.nix @@ -7,8 +7,7 @@ }: { imports = [ ../profiles/openssh.nix - ../nixos/secrets/user-fiscalvelvetpoet.nix - ../nixos/secrets/user-root.nix + ../profiles/users.nix ]; programs.mosh = { diff --git a/profiles/users.nix b/profiles/users.nix new file mode 100644 index 0000000..f9b6cb3 --- /dev/null +++ b/profiles/users.nix 
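Review bot: Commenting out every service profile in the host definition that carries `targetHost = "45.79.236.198"` means a `colmena apply` of this commit would activate a system without forgejo or the web sites on the live host; work-in-progress should not be staged in the production node. If the intent is to test secrets handling in isolation, do it on a separate node or behind a different `targetHost`, or at least add a comment such as `# WIP: services disabled while migrating secrets — do not deploy` above the imports so the state is explicit. The `tags = ["infra"]` addition is fine, though nothing in the patch yet selects on it.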
@@ -0,0 +1,32 @@ +# Configuration common to all JFDIC servers +{ + config, + pkgs, + ... +}: { + # JFDIC Ops groups: + users.groups.fiscalvelvetpoet.gid = 1000; + + # JFDIC Ops Users + users.users.fiscalvelvetpoet = { + isNormalUser = true; + uid = 1000; + group = "fiscalvelvetpoet"; + extraGroups = ["wheel"]; + # fix this + #passwordFile = config.age.secrets.fiscalvelvetpoet.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair" + ]; + }; + + users.users.root = { + # fix this + #passwordFile = config.age.secrets.root.path; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair" + ]; + }; +} diff --git a/secrets/fiscalvelvetpoet.age b/secrets/fiscalvelvetpoet.age new file mode 100644 index 0000000..df3c33a --- /dev/null +++ b/secrets/fiscalvelvetpoet.age 
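Review bot: `users.users.root.openssh.authorizedKeys.keys` receives the same two operator keys as the `wheel` user, which creates a second, unaudited path straight to root; with a sudo-capable user already defined, prefer leaving root without keys and setting `PermitRootLogin "no"` in `profiles/openssh.nix` (not in the patch, so its current value cannot be checked). Both `passwordFile` lines are commented out with `# fix this`, so on a host where `users.mutableUsers` is left at its default the accounts keep whatever password they had, and on a fresh host the wheel user has no password for sudo — state that trade-off in the comment rather than "fix this". The two identical key lists should be a single `let opsKeys = [ … ]; in` binding so a key rotation cannot update one and miss the other.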
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl +K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY +VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1 +MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x +Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR +MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4 +KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp +MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv +RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG +CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP +4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc +NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q== +-----END AGE ENCRYPTED FILE----- diff --git a/secrets/root.age b/secrets/root.age new file mode 100644 index 0000000..f8653d1 --- /dev/null +++ b/secrets/root.age @@ -0,0 +1,15 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ +M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5 +SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1 +MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR +UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD +NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy +Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz +Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW +d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG +WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0 +cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv +g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8 +QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU= +-----END AGE ENCRYPTED FILE----- 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..4770ebb --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,11 @@ +let + fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so"; + ops = [fiscalvelvetpoet]; + users = [fiscalvelvetpoet]; + + toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE"; + systems = [toscano]; +in { + "root.age".publicKeys = ops ++ systems; + "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems; +} From 27454a11e44ea5ba15612849ef317a8e362835c7 Mon Sep 17 00:00:00 2001 From: Fiscal Velvet Poet Date: Thu, 20 Apr 2023 13:45:06 +1000 Subject: [PATCH 09/16] ragenix: add initial user secrets progresses #11 --- outputs.nix | 13 ++++++------- profiles/users.nix | 9 +++++++-- secrets/secrets.nix | 2 ++ 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/outputs.nix b/outputs.nix index 23ce213..6b6ba32 100644 --- a/outputs.nix +++ b/outputs.nix @@ -23,12 +23,6 @@ in { inherit (nix.packages."${pkgs.system}") nix; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; }; - nixosConfigurations = nixpkgs.lib.nixosSystem { - system = "${pkgs.system}"; - modules = [ - ragenix.nixosModules.default - ]; - }; })) // { colmena = { @@ -40,7 +34,12 @@ in { overlays = []; }; }; - toscano = import ./nixos/hosts/toscano/configuration.nix; + toscano = { + imports = [ + ./nixos/hosts/toscano/configuration.nix + ragenix.nixosModules.default + ]; + }; # The below lines are in the wrong place #nixosConfigurations = import ./nixos/configurations.nix (inputs # // { diff --git a/profiles/users.nix b/profiles/users.nix index f9b6cb3..6699a24 100644 --- a/profiles/users.nix +++ b/profiles/users.nix @@ -4,6 +4,11 @@ pkgs, ... }: { + age.secrets = { + root.file = ../secrets/root.age; + fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age; + }; + # JFDIC Ops groups: users.groups.fiscalvelvetpoet.gid = 1000; 
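Review bot: `users = [fiscalvelvetpoet];` is never used by either rule and `ops` is the same single key, so one list is enough until a second operator exists; a short comment on the bindings would help, e.g. `# fiscalvelvetpoet: operator key; toscano: host ed25519 key used by ragenix at activation` (confirm the `toscano` key really is the host's `/etc/ssh/ssh_host_ed25519_key.pub`, since only that key can decrypt on the target). Encrypting `root.age` to the host key is what lets activation read it, and it also means anyone with the host's private key recovers the root password hash, which is the intended trust boundary for this scheme and worth stating in the file. The `.age` blobs are static, so they must be re-keyed whenever a recipient is added or rotated here; editing this file alone changes nothing on disk.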
@@ -14,7 +19,7 @@
 group = "fiscalvelvetpoet";
 extraGroups = ["wheel"];
 # fix this
- #passwordFile = config.age.secrets.fiscalvelvetpoet.path;
+ passwordFile = config.age.secrets.fiscalvelvetpoet.path;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
@@ -23,7 +28,7 @@
 users.users.root = {
 # fix this
- #passwordFile = config.age.secrets.root.path;
+ passwordFile = config.age.secrets.root.path;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@jfdic.org"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4770ebb..26b29a2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,3 +1,5 @@
+# Used by ragenix nix only.
+# Ensure that $RULES has been set
 let
 fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
 ops = [fiscalvelvetpoet];
From b91295b36f82d507d51a0d46abc7ea8be70e417a Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Thu, 20 Apr 2023 14:03:03 +1000
Subject: [PATCH 10/16] ragenix: set RULES via direnv resolves #12
---
 .envrc | 2 ++
 secrets/secrets.nix | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.envrc b/.envrc
index 1678f0e..461a3d0 100644
--- a/.envrc
+++ b/.envrc
@@ -1,4 +1,6 @@
 use flake
 watch_file flake.nix
+# Allow ragenix to find it's configuration
+export RULES=$(realpath ./secrets/secrets.nix)
 export NIXOPS_DEPLOYMENT=jfdic-ops
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 26b29a2..e62d72e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
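Review bot: The `# fix this` marker above `passwordFile = config.age.secrets.fiscalvelvetpoet.path;` is now stale, since this commit is the fix, and the same leftover sits above the root `passwordFile` in the next hunk; drop both or replace them with what a reader actually needs, e.g. `# hashed password (chpasswd -e format), provisioned by ragenix`. The agenix payloads are not visible here, so confirm that both `.age` files hold a password hash rather than a cleartext password: NixOS reads `passwordFile` on every activation and expects the encrypted form accepted by `chpasswd -e`. The enclosing `users.users` attribute sets start outside the hunk.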
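Review bot: `export RULES=$(realpath ./secrets/secrets.nix)` leaves the command substitution unquoted, so a checkout path containing whitespace would be word-split; write it as `export RULES="$(realpath ./secrets/secrets.nix)"`. The comment above it has a typo, `it's` should be `its`, and it would be worth stating the assumption the relative path depends on, e.g. `# direnv evaluates .envrc from the repo root, so this resolves to the checked-in rules file`.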
@@ -1,5 +1,5 @@
 # Used by ragenix nix only.
-# Ensure that $RULES has been set
+# Ensure that $RULES has been set via direnv
 let
 fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
 ops = [fiscalvelvetpoet];
From 8723cbec53d8a7e95062ab18406cbf3c93c49b93 Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sat, 29 Apr 2023 21:31:49 +1000
Subject: [PATCH 11/16] ragenix: migrate forgejo to agenix for secrets progresses #1 resolves #11
---
 nixos/hosts/toscano/configuration.nix | 13 ++++++++++---
 outputs.nix | 10 +++++-----
 profiles/forgejo.nix | 11 +++++++----
 secrets/forgejo.age | 11 +++++++++++
 secrets/secrets.nix | 1 +
 5 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 secrets/forgejo.age
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index d04bc70..d7028c5 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -1,4 +1,4 @@
-# NixOps configuration for toscano
+# NixOS configuration for toscano
 #
 # https://en.wikipedia.org/wiki/Joseph_Toscano
 {
@@ -9,15 +9,22 @@
 }: {
 imports = [
 ../../../networks/linode.nix
- #../../../profiles/gitea.nix
+ ../../../profiles/forgejo.nix
 #../../../profiles/hakyll-skeleton.nix
 #../../../profiles/jfdic-web.nix
 #../../../profiles/resrok-web.nix
 #../../../profiles/tmateServer.nix
 #../../../profiles/voc-web.nix
- #../../../secrets/gitea.nix
 ];
+ age.secrets = {
+ forgejo = {
+ file = ../../../secrets/forgejo.age;
+ owner = "gitea";
+ group = "gitea";
+ };
+ };
+
 deployment = {
 tags = ["infra"];
 targetHost = "45.79.236.198";
diff --git a/outputs.nix b/outputs.nix
index 6b6ba32..9c6d144 100644
--- a/outputs.nix
+++ b/outputs.nix
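Review bot: `owner = "gitea"; group = "gitea";` hard-codes the account the `services.gitea` module runs as; if the module exposes that account as an option (`config.services.gitea.user`, to my knowledge it does), reading it from there keeps the secret's ownership in step with the service rather than with a default name. The file mode is not set here, so the agenix default applies, which as far as I know is owner-read-only and therefore suitable for a database password; a comment naming the secret's purpose would still help, e.g. `# postgres password for the forgejo database; consumed via services.gitea.database.passwordFile`. The enclosing module continues outside the hunk.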
@@ -40,10 +40,10 @@ in {
 ragenix.nixosModules.default
 ];
 };
- # The below lines are in the wrong place
- #nixosConfigurations = import ./nixos/configurations.nix (inputs
- # // {
- # inherit inputs;
- # });
 };
+ # The below lines are in the wrong place
+ #nixosConfigurations = import ./nixos/configurations.nix (inputs
+ # // {
+ # inherit inputs;
+ # });
 }
diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix
index 83e10c6..326e550 100644
--- a/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
@@ -1,23 +1,26 @@
 # NixOps configuration for the hosts running Forgejo
 {
 config,
- inputs,
 pkgs,
 lib,
 ...
- }: {
+}: let
+ flake = builtins.getFlake (toString ../.);
+ nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
+ forgejo = nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo;
+in {
 services.gitea = {
 enable = true; # Enable Forgejo
 appName = "JFDI Collective: Forgejo Service"; # Give the site a name
 database = {
 type = "postgres"; # Database type
- passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
+ passwordFile = config.age.secrets.forgejo.path;
 };
 disableRegistration = true;
 domain = "source.jfdic.org"; # Domain name
 rootUrl = "https://source.jfdic.org/"; # Root web URL
 httpPort = 3002; # Provided unique port
- package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo; # a soft fork of gitea
+ package = forgejo; # a soft fork of gitea
 settings = let
 docutils = pkgs.python37.withPackages (ps: with ps; [
diff --git a/secrets/forgejo.age b/secrets/forgejo.age
new file mode 100644
index 0000000..7a5dfc2
--- /dev/null
+++ b/secrets/forgejo.age
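Review bot: `flake = builtins.getFlake (toString ../.);` re-evaluates the whole repository as a second flake from inside a NixOS module, and because a bare path is an unlocked flake reference it is rejected under pure evaluation unless `--impure` is passed, which ties this profile to how colmena happens to be invoked; the same construction is repeated in the hakyll-skeleton, jfdic-web, resrok-web and voc-web profiles later in the series. The conventional route is to keep `inputs` as a module argument and have the hive supply it, e.g. `meta.specialArgs = { inherit inputs; };` in the colmena `meta` block of outputs.nix, so the original `package = inputs.nixpkgsUnstable.legacyPackages."${pkgs.system}".forgejo;` keeps working without the extra `let`. The `# NixOps configuration for the hosts running Forgejo` header on the first context line is now stale as well, given that this commit already renames the equivalent comment in the toscano configuration.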
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC
+eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu
+Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1
+MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG
+aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy
+RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0
+d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG
+d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM
+0xrmCMh3IsOvPa60vuY=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e62d72e..05d04e4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,4 +10,5 @@ let
 in {
 "root.age".publicKeys = ops ++ systems;
 "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+ "forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
 }
From 1d7ed0c1ea5c49a69728c37fe8b2f2997234e4fa Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sat, 29 Apr 2023 23:42:43 +1000
Subject: [PATCH 12/16] colmena: migrate hakyll-skeleton progresses #1
---
 nixos/hosts/toscano/configuration.nix | 2 +-
 profiles/hakyll-skeleton.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index d7028c5..6409999 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -10,7 +10,7 @@
 imports = [
 ../../../networks/linode.nix
 ../../../profiles/forgejo.nix
- #../../../profiles/hakyll-skeleton.nix
+ ../../../profiles/hakyll-skeleton.nix
 #../../../profiles/jfdic-web.nix
 #../../../profiles/resrok-web.nix
 #../../../profiles/tmateServer.nix
diff --git a/profiles/hakyll-skeleton.nix b/profiles/hakyll-skeleton.nix
index 830ecbd..b9ec514 100644
--- a/profiles/hakyll-skeleton.nix
+++ b/profiles/hakyll-skeleton.nix
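Review bot: `"forgejo.age".publicKeys = [fiscalvelvetpoet toscano];` bypasses the `ops`/`systems` groupings the two rules above use, so adding an operator or a second host to those lists would not re-key this secret; `"forgejo.age".publicKeys = ops ++ systems;` keeps the three rules consistent. If the narrower recipient list is deliberate, a comment saying why would stop the next editor from "fixing" it.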
@@ -2,11 +2,11 @@
 {
 self,
 config,
- inputs,
 pkgs,
 ...
 }: let
- hakyll-skeleton = import inputs.hakyll-skeleton {};
+ flake = builtins.getFlake (toString ../.);
+ hakyll-skeleton = import flake.inputs.hakyll-skeleton {};
 webdomain = "skeleton.jfdic.org";
 in {
 environment.sessionVariables = {
From 849f91fa359e05b63a820fd30cd7cb996fb48245 Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sat, 29 Apr 2023 23:47:25 +1000
Subject: [PATCH 13/16] colmena: migrate jfdic-web progresses #1
---
 nixos/hosts/toscano/configuration.nix | 2 +-
 profiles/jfdic-web.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index 6409999..3e4a3c2 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -11,7 +11,7 @@
 ../../../networks/linode.nix
 ../../../profiles/forgejo.nix
 ../../../profiles/hakyll-skeleton.nix
- #../../../profiles/jfdic-web.nix
+ ../../../profiles/jfdic-web.nix
 #../../../profiles/resrok-web.nix
 #../../../profiles/tmateServer.nix
 #../../../profiles/voc-web.nix
diff --git a/profiles/jfdic-web.nix b/profiles/jfdic-web.nix
index e60fdec..947aeef 100644
--- a/profiles/jfdic-web.nix
+++ b/profiles/jfdic-web.nix
@@ -2,11 +2,11 @@
 {
 self,
 config,
- inputs,
 pkgs,
 ...
 }: let
- jfdic-web = import inputs.jfdic-web {};
+ flake = builtins.getFlake (toString ../.);
+ jfdic-web = import flake.inputs.jfdic-web {};
 webdomain = "jfdic.org";
 in {
 environment.sessionVariables = {
From 4e08f6c77424f1888fbbe2026740013137b4f39c Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sat, 29 Apr 2023 23:51:31 +1000
Subject: [PATCH 14/16] colmena: migrate resrok-web progresses #1
---
 nixos/hosts/toscano/configuration.nix | 2 +-
 profiles/resrok-web.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index 3e4a3c2..b0bf521 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -12,7 +12,7 @@
 ../../../profiles/forgejo.nix
 ../../../profiles/hakyll-skeleton.nix
 ../../../profiles/jfdic-web.nix
- #../../../profiles/resrok-web.nix
+ ../../../profiles/resrok-web.nix
 #../../../profiles/tmateServer.nix
 #../../../profiles/voc-web.nix
 ];
diff --git a/profiles/resrok-web.nix b/profiles/resrok-web.nix
index e0fa7b5..b7007b4 100644
--- a/profiles/resrok-web.nix
+++ b/profiles/resrok-web.nix
@@ -2,11 +2,11 @@
 {
 self,
 config,
- inputs,
 pkgs,
 ...
 }: let
- resrok-web = import inputs.resrok-web {};
+ flake = builtins.getFlake (toString ../.);
+ resrok-web = import flake.inputs.resrok-web {};
 webdomain = "resrok.org";
 in {
 environment.sessionVariables = {
From 1933c157a5e167db0d122d44f5a5f5dc59d2db56 Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sat, 29 Apr 2023 23:55:06 +1000
Subject: [PATCH 15/16] colmena: migrate voc-web progresses #1
---
 nixos/hosts/toscano/configuration.nix | 2 +-
 profiles/voc-web.nix | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index b0bf521..d77440e 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -14,7 +14,7 @@
 ../../../profiles/jfdic-web.nix
 ../../../profiles/resrok-web.nix
 #../../../profiles/tmateServer.nix
- #../../../profiles/voc-web.nix
+ ../../../profiles/voc-web.nix
 ];
 age.secrets = {
diff --git a/profiles/voc-web.nix b/profiles/voc-web.nix
index dc61399..655dfa6 100644
--- a/profiles/voc-web.nix
+++ b/profiles/voc-web.nix
@@ -2,11 +2,11 @@
 {
 self,
 config,
- inputs,
 pkgs,
 ...
 }: let
- voc-web = import inputs.voc-web {};
+ flake = builtins.getFlake (toString ../.);
+ voc-web = import flake.inputs.voc-web {};
 webdomain = "voicesofcapricornia.org";
 in {
 environment.sessionVariables = {
From 40aeb8a1cff86bcd37067ded0acd7c1ab6524471 Mon Sep 17 00:00:00 2001
From: Fiscal Velvet Poet
Date: Sun, 30 Apr 2023 00:00:16 +1000
Subject: [PATCH 16/16] colmena: migrate tmate progresses #1
---
 nixos/hosts/toscano/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/hosts/toscano/configuration.nix b/nixos/hosts/toscano/configuration.nix
index d77440e..467beae 100644
--- a/nixos/hosts/toscano/configuration.nix
+++ b/nixos/hosts/toscano/configuration.nix
@@ -13,7 +13,7 @@
 ../../../profiles/hakyll-skeleton.nix
 ../../../profiles/jfdic-web.nix
 ../../../profiles/resrok-web.nix
- #../../../profiles/tmateServer.nix
+ ../../../profiles/tmateServer.nix
 ../../../profiles/voc-web.nix
 ];