Compare commits


160 commits

Author SHA1 Message Date
Fiscal Velvet Poet
7e88a39c6e
trajto(reciproka-web): konverti al floko 2024-10-29 23:41:03 +10:00
Fiscal Velvet Poet
a900b37202
trajto(hollows): komenca transigi 2024-10-29 23:07:33 +10:00
Fiscal Velvet Poet
c963d41c67
feature(hakyll-skeleton): switch to flake 2024-10-29 00:44:14 +10:00
Fiscal Velvet Poet
b52f777884
chore(nixos): bumped to HEAD of 24.05 2024-10-27 23:27:37 +10:00
Fiscal Velvet Poet
3a294f84ff
chore(forgejo): move rego to correct stanza 2024-10-24 23:31:12 +10:00
Fiscal Velvet Poet
d5d3fd21ca
chore(nixos): bumped to HEAD of 24.05 2024-10-21 18:43:21 +10:00
Fiscal Velvet Poet
02be2527e3
chore(nixos): bumped to HEAD of 24.05 2024-10-14 14:42:34 +10:00
Fiscal Velvet Poet
92a664df68
chore(nix): move ragenix module to defaults 2024-10-09 18:16:21 +10:00
Fiscal Velvet Poet
d21da35c5f
chore(nixos): bumped to HEAD of 24.05 2024-10-08 16:14:47 +10:00
Fiscal Velvet Poet
afd8e99472
chore(nixpkgsUnstable): bumped to HEAD of master 2024-10-08 16:13:34 +10:00
Fiscal Velvet Poet
5eec3924c6
chore(nix): bumped to v2.24.6 2024-10-08 16:11:49 +10:00
Fiscal Velvet Poet
503ed02aa2
chore(nixos): bumped to HEAD of 24.05 2024-09-30 17:30:48 +10:00
Fiscal Velvet Poet
d3a90a962c
chore(nixos): bumped to HEAD of 24.05 2024-09-23 09:49:32 +10:00
Fiscal Velvet Poet
af2f1754e5
feature(pi3): set boot configuration limit 2024-09-11 23:57:46 +10:00
Fiscal Velvet Poet
4c96950ca4
chore(nixos): bumped to HEAD of 24.05 2024-09-10 23:32:37 +10:00
Fiscal Velvet Poet
f2c768a6d1
chore(nixos): bumped to HEAD of nixpkgsUnstable 2024-09-03 12:05:53 +10:00
Fiscal Velvet Poet
4a456a108c
chore(nixos): bumped to HEAD of 24.05 2024-09-03 12:03:44 +10:00
Fiscal Velvet Poet
c44133152c
chore(nixos): bumped to HEAD of 24.05 2024-09-03 11:49:09 +10:00
Fiscal Velvet Poet
c0f9d26343
chore(nixos): bumped to HEAD of 24.05 2024-08-12 11:07:16 +10:00
Fiscal Velvet Poet
89f74905cd
chore(nixos): bumped to HEAD of nixpkgsUnstable 2024-08-06 13:14:13 +10:00
Fiscal Velvet Poet
13cf063ca9
nixos: bumped to HEAD of 24.05 2024-08-06 13:06:15 +10:00
Fiscal Velvet Poet
c15ba2bce7
nixos: bumped to HEAD of 24.05 2024-07-29 16:22:01 +10:00
Fiscal Velvet Poet
94b0caeacf
nixos: bumped to HEAD of 24.05 2024-07-22 17:07:26 +10:00
Fiscal Velvet Poet
1310965b48
nixos: bumped to HEAD of 24.05 2024-07-09 20:40:35 +10:00
Fiscal Velvet Poet
8759b9c9f6
feat(nix): adds pred to secrets 2024-07-03 15:07:10 +10:00
Fiscal Velvet Poet
960816cee5
fix(bug): patches CVE-2024-6387
resolves 
2024-07-03 14:53:05 +10:00
Fiscal Velvet Poet
311481deb6
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2024-07-01 09:51:19 +10:00
Fiscal Velvet Poet
de9516cc86
nixos: bumped to HEAD of 24.05 2024-07-01 09:49:26 +10:00
Fiscal Velvet Poet
66746d3257
nixos: bumped to HEAD of 24.05 2024-06-25 12:02:54 +10:00
Fiscal Velvet Poet
eadae376a7
Merge branch 'nixos-24.05' into consensus 2024-06-05 23:08:27 +10:00
Fiscal Velvet Poet
fcabd95e7e
forgejo: updated deprecated psql setting to DEFAULT.APP_NAME 2024-06-05 23:07:10 +10:00
Fiscal Velvet Poet
3662f9f588
forgejo: updated deprecated setting to ensureDBOwnership 2024-06-05 22:14:54 +10:00
Fiscal Velvet Poet
1fb99ab958
pi3: remove deprecated uboot setting 2024-06-05 22:00:46 +10:00
Fiscal Velvet Poet
5fd853e234
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2024-06-05 21:53:37 +10:00
Fiscal Velvet Poet
f20358789f
nixos: bumped to HEAD of 24.05 2024-06-05 21:51:48 +10:00
Fiscal Velvet Poet
6e924f3ba4
nixos: bumped to HEAD of 23.11 2024-05-29 00:29:55 +10:00
Fiscal Velvet Poet
fb5c10f3e1
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2024-05-22 15:14:52 +10:00
Fiscal Velvet Poet
7fbb4f3080
nixos: bumped to HEAD of 23.11 2024-05-22 15:13:24 +10:00
Fiscal Velvet Poet
af8990ec90
nixos: bumped to HEAD of 23.11 2024-04-09 14:24:13 +10:00
Fiscal Velvet Poet
ac83dfc605
nixos: bumped to HEAD of 23.11 2024-04-02 12:41:09 +10:00
Fiscal Velvet Poet
1aa6641b01
nixos: bumped to HEAD of 23.11 2024-03-26 15:31:43 +10:00
Fiscal Velvet Poet
3c306ccda6
nixos: bumped to HEAD of 23.11 2024-03-21 20:49:11 +10:00
Fiscal Velvet Poet
9d6523abf5
pred: initial commit of new host 2024-03-05 23:05:20 +10:00
Fiscal Velvet Poet
11669558ce
nixos: bumped to HEAD of 23.11 2024-03-05 15:47:38 +10:00
Fiscal Velvet Poet
8fe2f766d6
console: corrected font 2024-03-01 03:21:55 +10:00
Fiscal Velvet Poet
e52897cd14
flemming: initial commit 2024-03-01 03:18:54 +10:00
Fiscal Velvet Poet
58e12507d2
reciproka-web: removed github refs
and updated weclome
2024-01-24 23:05:49 +10:00
Fiscal Velvet Poet
fe21e0bef9
reciproka-web: corrected collective name 2024-01-11 17:34:40 +10:00
Fiscal Velvet Poet
c3823d0cfb
Correct grammar in the collective's name
You know that moment when you're learning a languaged and getting the
grammar all wrong? No? Niether do I.

resolves 
2024-01-10 01:28:40 +10:00
Fiscal Velvet Poet
7a263df6d2
hakyll-skeleton: migrated to Reciproka kolectiva
resolves 
2024-01-09 15:43:29 +10:00
Fiscal Velvet Poet
84b38568f2
hakyll-skeleton: bumped copyright years
resolves 
2024-01-09 14:57:52 +10:00
Fiscal Velvet Poet
abc2f41ff0
voc-web: deploy copyright update for 2024
resolves 
2024-01-08 23:21:17 +10:00
Fiscal Velvet Poet
e3fc68d806
reciproka-web: bumped to 2024 2024-01-08 17:26:20 +10:00
Fiscal Velvet Poet
eeea217eb2
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2024-01-08 10:21:25 +10:00
Fiscal Velvet Poet
f5b9083a11
nixos: bumped to HEAD of 23.11 2024-01-08 10:14:58 +10:00
Fiscal Velvet Poet
56e8832606
forgejo: switched to pandoc for rendering RST 2023-12-20 23:56:11 +10:00
Fiscal Velvet Poet
befaeac9ce
forgejo: switched to new service available in 23.11 2023-12-20 00:35:09 +10:00
Fiscal Velvet Poet
df0f6a4a41
forgejo: add postgresBackup 2023-12-19 22:39:11 +10:00
Fiscal Velvet Poet
1d394b6177
forgejo: re-add so-called deprecated options 2023-12-04 19:06:30 +10:00
Fiscal Velvet Poet
8b426775d0
Merge branch '23.11' into consensus 2023-12-04 18:52:54 +10:00
Fiscal Velvet Poet
a8dadc39a1
nix-direnv: disable as something is broken upstream 2023-12-04 18:52:15 +10:00
Fiscal Velvet Poet
beda9d4167
forgejo: remove deprecated options 2023-12-04 18:50:48 +10:00
Fiscal Velvet Poet
49906ecad7
postgres: migrated to ensureDBOwnership 2023-12-04 17:52:04 +10:00
Fiscal Velvet Poet
53f7767233
users: migrate to hashedPasswdFile 2023-12-04 17:50:31 +10:00
Fiscal Velvet Poet
ed41aa92c2
fonts: migrated to new option names 2023-12-04 17:48:30 +10:00
Fiscal Velvet Poet
62bf0c9262
nixos: upgraded to 23.11 2023-12-04 11:07:21 +10:00
Fiscal Velvet Poet
de6487da57
nixos: bumped to HEAD of 23.05 2023-12-04 09:46:26 +10:00
Fiscal Velvet Poet
6cb31fbe9b
nixos: bumped to HEAD of 23.05 2023-11-21 11:15:37 +10:00
Fiscal Velvet Poet
e763fb28fc
toscano: updated bio 2023-10-31 18:32:10 +10:00
Fiscal Velvet Poet
77598e1272
nixos: bumped to HEAD of 23.05 2023-10-16 10:45:20 +10:00
Fiscal Velvet Poet
483b45b5d5
nixos: bumped to HEAD of 23.05 2023-10-10 09:20:14 +10:00
Fiscal Velvet Poet
1789d3ca65
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2023-10-03 09:25:24 +10:00
Fiscal Velvet Poet
c85b22ac14
nixos: bumped to HEAD of 23.05 2023-10-03 09:22:35 +10:00
Fiscal Velvet Poet
7c14230b9e
nixos: bumped to HEAD of 23.05 2023-09-25 10:35:55 +10:00
Fiscal Velvet Poet
b1dff55731
nixos: bumped to HEAD of 23.05 2023-09-18 14:43:04 +10:00
Fiscal Velvet Poet
65e0367c16
nixos: bumped to HEAD of 23.05 2023-09-18 13:49:32 +10:00
Fiscal Velvet Poet
1360b7f371
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2023-09-05 10:41:57 +10:00
Fiscal Velvet Poet
f40abe42cc
nixos: bumped to HEAD of 23.05 2023-09-05 10:40:35 +10:00
Fiscal Velvet Poet
91f250f228
nixos: bumped to HEAD of 23.05 2023-08-28 11:21:23 +10:00
Fiscal Velvet Poet
06f8c4f2d5
reciproka-web: bumped to HEAD of 23.05 2023-08-28 10:55:40 +10:00
Fiscal Velvet Poet
61eb14309b
reciproka-web: bumped to HEAD of 22.11 2023-08-24 18:09:39 +10:00
Fiscal Velvet Poet
83f6fef51e
nixos: bumped to HEAD of 23.05 2023-08-21 12:53:13 +10:00
Fiscal Velvet Poet
8cc5afa12e
nixos: bumped to HEAD of 23.05 2023-08-21 12:24:16 +10:00
Fiscal Velvet Poet
a027737475
forgejo: upgraded to v1.19.4-0
resolves 
2023-08-07 11:54:12 +10:00
Fiscal Velvet Poet
e05354e291
nixos: bumped to HEAD of 23.05 2023-08-07 10:40:11 +10:00
Fiscal Velvet Poet
26ad5717da
nixos: bumped to HEAD of 23.05 2023-08-07 10:08:41 +10:00
Fiscal Velvet Poet
a296cd5a47
nixos: bumped to HEAD of 23.05 2023-07-18 11:47:14 +10:00
Fiscal Velvet Poet
ad98b0cea6
nixos: bumped to HEAD of 23.05 2023-07-11 10:50:18 +10:00
Fiscal Velvet Poet
e9477c3d53
nixos: bumped to HEAD of 23.05 2023-07-05 10:07:52 +10:00
Fiscal Velvet Poet
42f08a9514
nixos: bumped to HEAD of 23.05 2023-06-26 11:25:54 +10:00
Fiscal Velvet Poet
454ecc3d9f
nixos: bumped to HEAD of 23.05 2023-06-21 14:16:24 +10:00
Fiscal Velvet Poet
5ddc78e076
nixos: bumped to HEAD of 23.05 2023-06-05 11:05:22 +10:00
Fiscal Velvet Poet
4e85326392
forgejo: re-added deprecated settings
The new settings do not appear to work yet.
2023-06-02 10:35:18 +10:00
Fiscal Velvet Poet
16a2ea357a
Merge branch '23.05' into consensus
resolves 
2023-06-02 10:08:33 +10:00
Fiscal Velvet Poet
72ea288abb
base: updated boot.tmp.cleanOnBoot
progresses 
2023-06-02 10:04:41 +10:00
Fiscal Velvet Poet
b08e13c2a0
openssh: upgrade to v9.3p1
progresses 
2023-06-02 10:00:45 +10:00
Fiscal Velvet Poet
63b9735106
forgejo: updgrade to v1.19.3-0
progresses 
2023-06-02 09:49:31 +10:00
Fiscal Velvet Poet
4cdbdac8e0
nixos: upgrade to 23.05
progresses 
2023-06-02 09:29:20 +10:00
Fiscal Velvet Poet
7a3c72e4bd
nixos: bumped to HEAD of 22.11 2023-05-30 10:41:50 +10:00
Fiscal Velvet Poet
d4409e7892
license: bump the year 2023-05-26 12:00:18 +10:00
Fiscal Velvet Poet
e1a10f9971
nixos: cleaner import of qemu-quest module 2023-05-25 09:56:56 +10:00
Fiscal Velvet Poet
0de194df16
nixos: bumped to HEAD of 22.11 2023-05-22 10:04:49 +10:00
Fiscal Velvet Poet
6cabd62238
removed all references to deprecated tool NixOps 2023-05-15 09:25:48 +10:00
Fiscal Velvet Poet
c47b35f619
nixos: bumped to HEAD of 22.11 2023-05-15 09:02:05 +10:00
Fiscal Velvet Poet
8aa2357df5
reciproka: rename project to Reciproka Ops
resolves 
2023-05-09 23:54:45 +10:00
Fiscal Velvet Poet
b5fc3737da
forgejo: migrate to reciproka.dev
resolves 
2023-05-09 23:04:57 +10:00
Fiscal Velvet Poet
61b5205569
nixos: bumped to HEAD of 22.11 2023-05-08 09:44:20 +10:00
Fiscal Velvet Poet
55a83742de
nix: renamed trustedUsers
resolves 
2023-05-02 11:32:17 +10:00
Fiscal Velvet Poet
35d48eb4a6
nix: rename nix.maxJobs
resolves 
2023-05-02 11:28:11 +10:00
Fiscal Velvet Poet
710902b5ff
nix: rename nix.autoOptimiseStore
resolves 
2023-05-02 11:22:46 +10:00
Fiscal Velvet Poet
51bd881112
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2023-05-02 08:26:33 +10:00
Fiscal Velvet Poet
b4e7f09447
nixos: bumped to HEAD of 22.11 2023-05-02 07:51:44 +10:00
Fiscal Velvet Poet
6af966a0fd
forgejo: update renamed disable registration 2023-04-30 00:15:25 +10:00
Fiscal Velvet Poet
410932c8f8
Merge branch 'colmena' into consensus
resolves 
2023-04-30 00:05:58 +10:00
Fiscal Velvet Poet
40aeb8a1cf
colmena: migrate tmate
progresses 
2023-04-30 00:01:42 +10:00
Fiscal Velvet Poet
1933c157a5
colmena: migrate voc-web
progresses 
2023-04-29 23:55:06 +10:00
Fiscal Velvet Poet
4e08f6c774
colmena: migrate resrok-web
progresses 
2023-04-29 23:51:31 +10:00
Fiscal Velvet Poet
849f91fa35
colmena: migrate jfdic-web
progresses 
2023-04-29 23:47:25 +10:00
Fiscal Velvet Poet
1d7ed0c1ea
colmena: migrate hakyll-skeleton
progresses 
2023-04-29 23:42:43 +10:00
Fiscal Velvet Poet
8723cbec53
ragenix: migrate forgejo to agenix for secrets
progresses 
resolves 
2023-04-29 23:34:16 +10:00
Fiscal Velvet Poet
b91295b36f
ragenix: set RULES via direnv
resolves 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
27454a11e4
ragenix: add initial user secrets
progresses 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
4a6e51a9a7
ragenix: prepped basic secrets
progresses 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
b141d4a90f
ragenix: replaced agenix with ragenix
progresses 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
ace344f27e
agenix: remove secrets from .gitignore
Moving from out-of-band to encrypted secrets

Progresses 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
cdb41cb22a
devShell: add agenix to the devShell
Progresses 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
66fb43735c
nixos: corrected nixpkgs flake in this branch
Progresses 
2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
6a59bf94d0
colmena: updated to v0.3.2 2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
68b747d9f5
colmena: added host toscano 2023-04-24 09:24:00 +10:00
Fiscal Velvet Poet
a8b9f9a12d
colmena: initial commit 2023-04-24 09:23:42 +10:00
Fiscal Velvet Poet
813214d706
nixos: bumped to HEAD of 22.11 2023-04-24 09:10:14 +10:00
Fiscal Velvet Poet
fd2fb7b6d5
nixos: bumped to HEAD of 22.11 2023-04-17 22:27:48 +10:00
Fiscal Velvet Poet
29c8149294
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2023-04-03 07:51:18 +10:00
Fiscal Velvet Poet
6eb0977d99
nixos: bumped to HEAD of 22.11 2023-04-03 07:48:50 +10:00
Fiscal Velvet Poet
afee38521f
shell: add tea to devShell
resolves 
2023-03-28 12:17:47 +10:00
Fiscal Velvet Poet
2ef3d6a4aa
forgejo: replace gitea with forgejo
resolves 
2023-03-28 12:14:35 +10:00
Fiscal Velvet Poet
026aaf8deb
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2023-03-28 11:56:40 +10:00
Fiscal Velvet Poet
9e4e10a4b3
nixos: bumped to HEAD of 22.11 2023-03-28 11:53:24 +10:00
Fiscal Velvet Poet
049cd1f1a0
nixos: bumped to HEAD of 22.11 2023-02-21 10:09:22 +10:00
Fiscal Velvet Poet
64186b83bd
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2023-02-06 09:54:10 +10:00
Fiscal Velvet Poet
3ca1d077fe
nixos: bumped to HEAD of 22.11 2023-02-06 09:53:11 +10:00
Fiscal Velvet Poet
2c90bd38c8
nixos: bumped to HEAD of 22.11 2023-01-31 11:08:30 +10:00
Fiscal Velvet Poet
406835cd39
nixos: bumped to HEAD of 22.11 2023-01-25 14:23:17 +10:00
Fiscal Velvet Poet
675e9c65a3
nixos: bumped to HEAD of 22.11 2023-01-19 13:51:02 +10:00
Fiscal Velvet Poet
93205656de
nixos: bumped to HEAD of 22.11 2023-01-09 15:20:02 +10:00
Fiscal Velvet Poet
295e22511c
nixos: upgraded to 22.11 2022-12-02 09:44:05 +10:00
Fiscal Velvet Poet
381a5328ed
nixos: bumped to HEAD of 22.05 2022-12-02 08:31:00 +10:00
Fiscal Velvet Poet
7c7dc2c337
nixos: bumped to HEAD of 22.05 2022-11-15 11:36:28 +10:00
Fiscal Velvet Poet
932e3ca2a4
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2022-11-09 13:36:20 +10:00
Fiscal Velvet Poet
44d897a6e0
nixos: bumped to HEAD of 22.05 2022-11-09 13:30:14 +10:00
Fiscal Velvet Poet
3b459b6514
nixos: bumped to HEAD of 22.05 2022-11-01 13:12:17 +10:00
Fiscal Velvet Poet
1c2ad165a2
nixos: bumped to HEAD of 22.05 2022-10-25 11:59:16 +10:00
Fiscal Velvet Poet
2f827cbd8e
nixos: bumped to HEAD of 22.05 2022-10-18 10:03:04 +10:00
Fiscal Velvet Poet
f774d1177b
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2022-10-10 07:56:57 +10:00
Fiscal Velvet Poet
f25dddec5e
nixos: bumped to HEAD of 22.05 2022-10-10 07:50:52 +10:00
Fiscal Velvet Poet
7e3673046c
nixos: bumped to HEAD of 22.05 2022-09-26 12:17:10 +10:00
Fiscal Velvet Poet
4022037f5f
nixos: bumped to HEAD of 22.05 2022-09-12 17:11:41 +10:00
Fiscal Velvet Poet
2cc697f5a0
nixpkgsUnstable: bumped to HEAD of nixos-unstable 2022-09-06 08:55:41 +10:00
Fiscal Velvet Poet
d9a0bc9d53
nixos: bumped to HEAD of 22.05 2022-09-06 08:53:52 +10:00
Fiscal Velvet Poet
03da753a6a
nixos: bumped to HEAD of 22.05 2022-08-28 20:04:40 +10:00
44 changed files with 2585 additions and 304 deletions

3
.envrc

@ -1,4 +1,5 @@
use flake use flake
watch_file flake.nix watch_file flake.nix
export NIXOPS_DEPLOYMENT=jfdic-ops # Allow ragenix to find it's configuration
export RULES=$(realpath ./secrets/secrets.nix)

1
.gitignore vendored

@ -1,2 +1 @@
.direnv .direnv
secrets


@ -1,7 +1,7 @@
ANARCHIST LICENSE ANARCHIST LICENSE
Version 1.0, 1 May, 2021 Version 1.0, 1 May, 2021
Copyright © 2021 JFDI Collective Copyright © 2024 Reciproka Kolektivo
This is Anarchist software, released for free use by individuals and This is Anarchist software, released for free use by individuals and
organizations that do not operate by capitalist principles. organizations that do not operate by capitalist principles.


@ -1,10 +1,21 @@
JFDIC Ops Reciproka Kolektivo Ops
========= =======================
NixOps_ deployment configuration for `JFDI Collective`_ services. Colmena_ deployment configuration for services hosted by `Reciproka Kolektivo`_ services.
The canonical home for this repo is The canonical home for this repo is
https://source.jfdic.org/jfdic/jfdic-ops https://reciproka.dev/reciproka/reciproka-ops
.. _NixOps: https://nixos.org/nixops .. _Colmena: https://colmena.cli.rs/
.. _JFDI Collective: https://jfdic.org/ .. _Reciproka Kolektivo: https://reciproka.co/
.. toctree::
Building for aarch64 Targets
----------------------------
If you don't have your own ``aarch64`` build server, you can apply to use the
`aarch64 build box`_ provided by the `Nix Community`_.
.. _aarch64 build box: https://github.com/NixOS/aarch64-build-box
.. _Nix Community: https://github.com/nix-community

18
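--- a/default.nix
+++ b/default.nix
@@ -0,0 +1,18 @@
+{
+sources ? import ./nix/sources.nix,
+system ? builtins.currentSystem,
+crossSystem ? null,
+config ? {},
+alejandraUnstable ? (import sources.nixpkgsUnstable {}).alejandra,
+} @ args:
+with import ./nix args; {
+shell = mkShell {
+buildInputs = [
+alejandraUnstable # The Uncompromising Nix Code Formatter
+colmena
+niv
+treefmt # one CLI to format the code tree
+];
+NIX_PATH = "nixpkgs=${sources.nixpkgs}";
+};
+}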
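Review bot: The default for `alejandraUnstable` calls `import sources.nixpkgsUnstable {}` with an empty argument set, so nixpkgs falls back to its impure defaults and will pick up a user-level `config.nix` and overlays from the home directory of whoever enters the shell. That lets the formatter, and anything an overlay substitutes for it, differ between machines. Passing the arguments explicitly closes that gap: `(import sources.nixpkgsUnstable {inherit system; config = {}; overlays = [];}).alejandra`. This file also takes its pins from `./nix/sources.nix` rather than from flake.lock, so it is worth a comment stating which of the two pin sets is authoritative.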

1825
flake.lock generated

File diff suppressed because it is too large Load diff


@ -1,27 +1,28 @@
{ {
description = "jfdic-ops deployment"; description = "reciproka-ops deployment";
inputs = { inputs = {
colmena.url = "github:zhaofengli/colmena/?ref=v0.4.0";
ragenix = {
url = "github:yaxitech/ragenix";
inputs.nixpkgs.follows = "nixpkgs";
};
hakyll-skeleton = { hakyll-skeleton = {
flake = false; url = "git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus";
url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus; inputs.nixpkgs.follows = "nixpkgs";
};
jfdic-web = {
flake = false;
url = git+https://source.jfdic.org/JFDIC/jfdic-web/?ref=consensus;
}; };
reciproka-web.url = "git+https://reciproka.dev/reciproka/reciproka-web/?ref=consensus";
resrok-web = { resrok-web = {
flake = false; flake = false;
url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus; url = git+https://reciproka.dev/resrok/resrok-web/?ref=consensus;
}; };
nix.url = "github:NixOS/nix/?ref=2.10.3"; nix.url = github:NixOS/nix/?ref=2.24.6;
nixops.url = github:NixOS/nixops/?ref=master; nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-24.05;
nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.05;
nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable; nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
utils.url = "github:numtide/flake-utils"; utils.url = "github:numtide/flake-utils";
voc-web = { voc-web = {
flake = false; flake = false;
url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus; url = git+https://reciproka.dev/voc/voc-web/?ref=consensus;
}; };
}; };
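Review bot: The new `ragenix` input is declared as `url = "github:yaxitech/ragenix";` with no `ref`, so it follows the upstream default branch and only flake.lock fixes the revision, while `colmena` in the same block is held to the `v0.4.0` tag. The ragenix module appears to be what provides the `age.secrets` option used elsewhere in this compare, so lock bumps would be easier to audit if it were pinned the same way, e.g. `url = "github:yaxitech/ragenix/?ref=<release-tag>";`. As a point of style, the rewritten `nix.url`, `nixpkgs.url` and `git+https://reciproka.dev/...` lines are bare URL literals, while the new `colmena`, `ragenix`, `hakyll-skeleton` and `reciproka-web` lines are quoted. Quoting all of them keeps the block consistent and avoids the deprecated URL-literal syntax.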


@ -0,0 +1,51 @@
# Configuration common to all Reciproka Kolektivo Binary Lane VMs
{
config,
pkgs,
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix") # Import the NixOS Qemu guest settings
../profiles/host_common.nix
../profiles/server_common.nix
];
boot = {
initrd = {
availableKernelModules = ["ata_piix" "sr_mod" "uhci_hcd" "virtio_blk" "virtio_pci"];
};
loader = {
grub = {
enable = true;
device = "/dev/vda";
};
};
};
# File systems configuration for the Linode VMs
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
swapDevices = [
{
device = "/dev/disk/by-label/swap";
}
];
nix.settings.max-jobs = lib.mkDefault 4;
networking = {
domain = "reciproka.co";
useDHCP = lib.mkDefault true;
firewall = {
enable = true;
trustedInterfaces = ["lo"];
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}
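Review bot: The comment above `fileSystems."/"` still reads `# File systems configuration for the Linode VMs`, although the file header says this profile is for Binary Lane VMs. It looks copied from the Linode profile and should read `# File systems configuration for the Binary Lane VMs`. It would also help to note next to `trustedInterfaces = ["lo"];` that no ports are opened in this file, so any service profile layered on top has to add its own `allowedTCPPorts`.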


@ -1,13 +1,14 @@
# Configuration common to all JFDIC Linode VMs # Configuration common to all Reciproka Kolektivo Linode VMs
{ {
config, config,
pkgs, pkgs,
lib, lib,
modulesPath,
... ...
}: { }: {
imports = [ imports = [
# Import the NixOS Qemu guest settings # Import the NixOS Qemu guest settings
<nixpkgs/nixos/modules/profiles/qemu-guest.nix> (modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = ["virtio_pci" "ahci" "sd_mod"]; boot.initrd.availableKernelModules = ["virtio_pci" "ahci" "sd_mod"];
@ -39,5 +40,5 @@
} }
]; ];
nix.maxJobs = lib.mkDefault 4; nix.settings.max-jobs = lib.mkDefault 4;
} }

80
hardware/pi3B.nix Normal file

@ -0,0 +1,80 @@
# Configuration common to all Raspberry Pi 3 Model B devices
{
config,
pkgs,
lib,
...
}: {
boot = {
initrd = {
availableKernelModules = [
"bcm2835_dma" # Allows early (earlier) mode setting
"i2c_bcm2835" # Allows early (earlier) mode setting
"usbhid"
"usb_storage"
"vc4" # Allows early (earlier) mode setting
];
};
kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
kernelParams = [
"cma=32M" # Needed for the virtual console to work on the RPi 3
"console=ttyS0,115200n8" # Enable the serial console
"console=tty0"
];
loader = {
generic-extlinux-compatible = {
enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
};
grub = {
enable = false; # NixOS wants to enable GRUB by default.
};
raspberryPi = {
enable = false;
version = 3;
uboot.enable = true;
firmwareConfig = ''
arm_64bit=1 # Force kernel loading system to assume a 64-bit kernel
hdmi_force_hotplug=1 # Enable headless booting
'';
};
};
};
# File systems configuration for using the installer's partition layout
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
"/boot/firmware" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
# Alternatively, this could be removed from the configuration.
# The filesystem is not needed at runtime, it could be treated
# as an opaque blob instead of a discrete FAT32 filesystem.
options = ["nofail" "noauto"];
};
};
# !!! Adding a swap file is optional, but strongly recommended!
swapDevices = [
{
device = "/swapfile";
size = 1024;
}
];
hardware = {
enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
};
networking = {
enableB43Firmware = true; # If true, enable Pi wireless firmware
};
nixpkgs.config.allowUnfree = true; # required by B34Firmare above
environment.systemPackages = with pkgs; [
libraspberrypi # Userland tools for the Raspberry Pi board
];
}
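Review bot: This file appears to be an unreferenced near-duplicate. The only Pi network file visible in this compare, `networks/pi3B_rack.nix`, imports `../hardware/raspberry_pi_3_model_B.nix`, and the following section carries the same header comment with a newer set of values. This copy still has `uboot.enable = true;`, which the commit list describes as a deprecated setting that was removed, and its whole `raspberryPi` block sits under `enable = false;`, so those options look inert. If nothing imports `hardware/pi3B.nix`, deleting it avoids a later host picking up the stale kernel parameters by mistake. Otherwise, add a header comment saying which hosts use which file.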


@ -0,0 +1,86 @@
# Configuration common to all Raspberry Pi 3 Model B devices
{
config,
pkgs,
lib,
...
}: {
boot = {
initrd = {
availableKernelModules = [
"bcm2835_dma" # Allows early (earlier) mode setting
"i2c_bcm2835" # Allows early (earlier) mode setting
"usbhid"
"usb_storage"
"vc4" # Allows early (earlier) mode setting
];
};
kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
kernelParams = [
"cma=320M" # Needed for the virtual console to work on the RPi 3
"console=ttyS0,115200n8" # Enable the serial console
"console=tty0"
];
loader = {
generic-extlinux-compatible = {
enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
configurationLimit = 5;
};
grub = {
enable = false; # NixOS wants to enable GRUB by default.
};
raspberryPi = {
enable = false;
version = 3;
firmwareConfig = ''
arm_64bit=1 # Force kernel loading system to assume a 64-bit kernel
display_auto_detect=1 # Enable auto detection of screen resolution
gpu_mem=128
hdmi_force_hotplug=1 # Enable headless booting
'';
};
};
};
# File systems configuration for using the installer's partition layout
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
"/boot/firmware" = {
device = "/dev/disk/by-label/FIRMWARE";
fsType = "vfat";
# Alternatively, this could be removed from the configuration.
# The filesystem is not needed at runtime, it could be treated
# as an opaque blob instead of a discrete FAT32 filesystem.
options = ["nofail" "noauto"];
};
#"/var" = {
# device = "/dev/disk/by-label/var";
# fsType = "ext4";
#};
};
# !!! Adding a swap file is optional, but strongly recommended!
swapDevices = [
{
device = "/swapfile";
size = 1024;
}
];
hardware = {
enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
};
networking = {
enableB43Firmware = true; # If true, enable Pi wireless firmware
};
nixpkgs.config.allowUnfree = true; # required by B34Firmare above
environment.systemPackages = with pkgs; [
libraspberrypi # Userland tools for the Raspberry Pi board
];
}
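Review bot: `nixpkgs.config.allowUnfree = true;` switches off the licence gate for every package on the host, although its comment says it is only needed for the B43 firmware enabled just above. A predicate keeps the exception to that one package: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["<b43-firmware-package-name>"];` (placeholder; take the name from the evaluation error). The comment also misspells the option as `B34Firmare`; it should read `# required by enableB43Firmware above`. It is worth confirming that the Pi 3 radio needs the B43 blob at all, since `enableRedistributableFirmware = true;` may already cover it.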


@ -1,26 +0,0 @@
# NixOps configuration for toscano
#
# https://en.wikipedia.org/wiki/Joseph_Toscano
{
config,
pkgs,
lib,
...
}: {
imports = [
../networks/linode.nix
../profiles/gitea.nix
../profiles/hakyll-skeleton.nix
../profiles/jfdic-web.nix
../profiles/resrok-web.nix
../profiles/tmateServer.nix
../profiles/voc-web.nix
../secrets/gitea.nix
];
deployment.targetHost = "45.79.236.198";
networking.hostName = "toscano";
system.stateVersion = "21.05"; # The version of NixOS originally installed
}


@ -0,0 +1,14 @@
# Configuration common to all my servers
{
config,
pkgs,
lib,
...
}: {
environment = {
# Set the system-wide environment
systemPackages = with pkgs; [
usbutils # Tools for working with USB devices, such as lsusb
];
};
}


@ -1,4 +1,4 @@
# NixOps configuration common to Linode VMs # NixOS configuration common to Linode VMs
{ {
config, config,
pkgs, pkgs,
@ -26,7 +26,7 @@
# Configure firewall defaults: # Configure firewall defaults:
networking = { networking = {
usePredictableInterfaceNames = false; # As per Linode's networking guidlines usePredictableInterfaceNames = false; # As per Linode's networking guidlines
domain = "jfdic.org"; domain = "reciproka.co";
interfaces.eth0.useDHCP = true; interfaces.eth0.useDHCP = true;
firewall = { firewall = {
enable = true; enable = true;


@ -1,4 +1,4 @@
# NixOps configuration for the Linode VMs # Nix configuration for the Linode VMs
{ {
config, config,
pkgs, pkgs,

26
networks/pi3B_rack.nix Normal file

@ -0,0 +1,26 @@
# NixOps configuration for the Raspberry Pi 3B Rack
{
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
../hardware/raspberry_pi_3_model_B.nix
../profiles/host_common.nix
../profiles/server_common.nix
];
# Ensure the right package architecture is used
nixpkgs.localSystem = {
system = "aarch64-linux";
config = "aarch64-unknown-linux-gnu";
allowUnfree = true;
};
systemd.network.networks.eth0.ipv6SendRAConfig = {
EmitDNS = true;
Managed = true;
OtherInformation = true;
};
documentation = {
nixos.enable = false; # Save some space by disabling the manual
};
}
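Review bot: The first import, `<nixpkgs/nixos/modules/installer/scan/not-detected.nix>`, is resolved through `NIX_PATH`, so it is rejected under pure flake evaluation or otherwise resolves to whatever nixpkgs the deploying machine has, not the locked one. The Linode hardware profile in this same compare was moved to `modulesPath` for that reason. The same fix works here: open the module with `{modulesPath, ...}: {` and import `(modulesPath + "/installer/scan/not-detected.nix")`. Separately, `allowUnfree = true;` inside `nixpkgs.localSystem` does not look like a platform attribute and probably has no effect there, and the header still says `NixOps configuration`.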

32
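--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@@ -0,0 +1,32 @@
+{
+self,
+nixpkgs,
+inputs,
+...
+}: let
+nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
+customModules = import ../modules/modules-list.nix;
+baseModules = [
+# make flake inputs accessiable in NixOS
+{_module.args.inputs = inputs;}
+{
+imports = [
+({pkgs, ...}: {
+nix.nixPath = [
+"nixpkgs=${pkgs.path}"
+];
+nix.extraOptions = ''
+experimental-features = nix-command flakes
+'';
+documentation.info.enable = false;
+})
+];
+}
+];
+defaultModules = baseModules ++ customModules;
+deployment = {
+allowLocalDeployment = true;
+};
+in {
+#toscano = import ./hosts/toscano/configuration.nix;
+}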
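Review bot: Nothing bound in the `let` block is used: `nixosSystem`, `baseModules`, `defaultModules` and `deployment` are never referenced, and the returned attribute set contains only a commented-out `toscano` entry, so the file evaluates to `{}`. As written, `_module.args.inputs`, the `nix.nixPath` pin and the `experimental-features` setting therefore reach no host. `import ../modules/modules-list.nix` also points at a path that does not appear in the visible part of this compare. Either wire these modules into the hosts or add a header comment such as `# WIP: not yet imported by the flake outputs; hosts are defined under the colmena attribute` so a reader does not assume they are active.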


@ -0,0 +1,26 @@
# NixOS configuration for flemming
#
# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
# grave diggers in Australia
#
# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
# https://slackbastard.anarchobase.com/
# https://www.3cr.org.au/yeahnahpasaran
{
config,
pkgs,
lib,
...
}: {
imports = [
../../../networks/pi3B_rack.nix
../../../profiles/hakyll-skeleton.nix
];
# Comment out deployment when building the SD Image.
deployment.targetHost = "10.42.0.202";
networking.hostName = "flemming"; # Define your hostname.
system.stateVersion = "23.11"; # The version of NixOS originally installed
}


@ -0,0 +1,25 @@
# NixOS configuration for flemming
#
# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
# grave diggers in Australia
#
# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
# https://slackbastard.anarchobase.com/
# https://www.3cr.org.au/yeahnahpasaran
{
config,
pkgs,
lib,
...
}: {
imports = [
../../../networks/pi3B_rack.nix
];
# Comment out deployment when building the SD Image.
deployment.targetHost = "10.42.0.203";
networking.hostName = "hollows"; # Define your hostname.
system.stateVersion = "22.05"; # The version of NixOS originally installed
}
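Review bot: The header comment of this file describes the wrong host. It reads `# NixOS configuration for flemming` and repeats the flemming biography and links, while the body sets `networking.hostName = "hollows";` and a different `deployment.targetHost`. With two near-identical files it is easy to edit the wrong one during a deploy, so the first line should be `# NixOS configuration for hollows` and the biography replaced or removed.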


@ -0,0 +1,33 @@
# NixOS configuration for pred
#
# <predator>, AKA Michael Carlton or just "pred", was an Australian
# anarcho-sydnicalist who helped set up Catalyst, a radical community activist
# tech collective in Sydney, Australia. They went on to provide information
# technology services for a wide range of activist and commmunity based
# organisations around both Sydney and Australia. In the process, knowledge was
# shared, skills were learned and taught - from building and maintaining
# hardware to writing computer code. It was from this original initiative that
# an open-posting model of web publishing was developed for the J18 protest
# that occured worldwide in 1999. The codebase was named 'Active' and went on
# to power the first Indymedia site. As they say, "the rest is history."
#
# Rest in Power, Pred, we miss ya.
#
# https://archive.org/stream/PredTxt/Pred-txt_djvu.txt
# https://indymedia.org.au/2012/04/25/interview-with-pred-predaor-mike-carlton.html
# https://www.youtube.com/watch?v=Cfe3ExZivdQ
{
config,
pkgs,
...
}: {
imports = [
../../../hardware/binaryLane_vm.nix
];
# Comment out deployment when building the SD Image.
deployment.targetHost = "203.57.51.158";
networking.hostName = "pred"; # Define your hostname.
system.stateVersion = "23.11"; # The version of NixOS originally installed
}


@ -0,0 +1,39 @@
# Nix configuration for toscano
#
# Dr Joseph Toscano has presented an anarchist analysis on local, national and
# international news and events that has been distributed nationally on the
# Community Radio Network since 1977.
#
# https://en.wikipedia.org/wiki/Joseph_Toscano
{
config,
pkgs,
lib,
...
}: {
imports = [
../../../networks/linode.nix
../../../profiles/reciproka-web.nix
../../../profiles/reciproka-forgejo.nix
../../../profiles/resrok-web.nix
../../../profiles/tmateServer.nix
../../../profiles/voc-web.nix
];
age.secrets = {
forgejo = {
file = ../../../secrets/forgejo.age;
owner = "forgejo";
group = "forgejo";
};
};
deployment = {
tags = ["infra"];
targetHost = "45.79.236.198";
};
networking.hostName = "toscano";
system.stateVersion = "21.05"; # The version of NixOS originally installed
}
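Review bot: `file = ../../../secrets/forgejo.age;` points into a directory that is now tracked by git, because the `.gitignore` section of this compare drops the `secrets` entry, and nothing visible stops a decrypted or scratch copy in that directory from being committed next to the ciphertext. An allow-list in `.gitignore` keeps only the expected files: `secrets/*`, `!secrets/*.age`, `!secrets/secrets.nix`. It is also worth setting the secret's mode explicitly, e.g. `mode = "0400";` beside `owner` and `group`, so the intended permissions are visible in review and do not depend on the module default.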


@ -1,9 +1,10 @@
{ {
self, self,
hakyll-skeleton, hakyll-skeleton,
jfdic-web, reciproka-web,
ragenix,
colmena,
nix, nix,
nixops,
nixpkgs, nixpkgs,
nixpkgsUnstable, nixpkgsUnstable,
resrok-web, resrok-web,
@ -12,32 +13,56 @@
... ...
} @ inputs: } @ inputs:
(utils.lib.eachDefaultSystem (system: let (utils.lib.eachDefaultSystem (system: let
pkgs = pkgs = nixpkgs.legacyPackages."${system}";
nixpkgs.legacyPackages."${system}";
in { in {
devShell = devShell =
pkgs.callPackage pkgs.callPackage
./shell.nix { ./shell.nix {
inherit (nix.packages."${pkgs.system}") nix; inherit (nix.packages."${pkgs.system}") nix;
inherit (ragenix.packages."${pkgs.system}") ragenix;
inherit (colmena.packages."${pkgs.system}") colmena;
inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra; inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
nixops = nixops.defaultPackage."${pkgs.system}";
}; };
})) }))
// { // {
nixopsConfigurations.default = { colmena = {
inherit nixpkgs; meta = {
network = { description = "NixOS deployment for Reciproka Kolektivo";
description = "jfdic-ops nodes"; name = "reciproka-ops";
enableRollback = true; nixpkgs = import nixpkgs {
storage.legacy = { system = "x86_64-linux";
databasefile = "~/.nixops/deployments.nixops"; overlays = [];
}; };
}; };
defaults = { defaults = {pkgs, ...}: {
system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps imports = [
_module.args.inputs = inputs; # make flake inputs accessiable in NixOS ragenix.nixosModules.default
imports = [./profiles/host_common.nix]; ];
};
flemming = {
imports = [
./nixos/hosts/flemming
];
};
hollows = {
imports = [
./nixos/hosts/hollows
];
};
pred = {
imports = [
./nixos/hosts/pred
];
};
toscano = {
imports = [
./nixos/hosts/toscano/configuration.nix
];
}; };
toscano = import ./hosts/toscano.nix;
}; };
# The below lines are in the wrong place
#nixosConfigurations = import ./nixos/configurations.nix (inputs
# // {
# inherit inputs;
# });
} }
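Review bot: The new `defaults` module appears to drop `_module.args.inputs = inputs;`, so host modules no longer receive the flake inputs as an argument. The profiles changed later on this page (hakyll-skeleton, reciproka-web, resrok-web, voc-web and the Forgejo profile) instead load the flake a second time with `builtins.getFlake (toString ../.)`. Depending on the Nix version, that call may be rejected in pure evaluation mode and need `--impure`, which gives up the purity guarantees for the whole deployment evaluation. Passing the inputs once from here, e.g. `specialArgs = {inherit inputs;};` inside `meta`, would let each profile take `inputs` as a module argument again. The old and new columns are fused in this rendering, so which `defaults` lines were removed is inferred from print order.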


@ -1,4 +1,4 @@
# Configuration common to all JFDIC servers # Configuration common to all Reciproka Kolektivo servers
{config, ...}: { {config, ...}: {
# Program defaults for all hosts # Program defaults for all hosts
programs.bash = { programs.bash = {


@ -1,4 +1,4 @@
# NixOps configuration for the hosts running a Chrony service # Nix configuration for the hosts running a Chrony service
{config, ...}: { {config, ...}: {
services.chrony = { services.chrony = {
enable = true; # Enable Chrony enable = true; # Enable Chrony


@ -1,103 +0,0 @@
# NixOps configuration for the hosts running Gitea
{
config,
pkgs,
lib,
...
}: {
services.gitea = {
enable = true; # Enable Gitea
appName = "JFDI Collective: Gitea Service"; # Give the site a name
database = {
type = "postgres"; # Database type
passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
};
disableRegistration = true;
domain = "source.jfdic.org"; # Domain name
rootUrl = "https://source.jfdic.org/"; # Root web URL
httpPort = 3002; # Provided unique port
settings = let
docutils = pkgs.python37.withPackages (ps:
with ps; [
docutils # Provides rendering of ReStructured Text files
pygments # Provides syntax highlighting
]);
in {
mailer = {
ENABLED = true;
FROM = "source@jfdic.org";
};
repository = {
DEFAULT_BRANCH = "consensus";
};
service = {
REGISTER_EMAIL_CONFIRM = true;
};
"markup.restructuredtext" = {
ENABLED = true;
FILE_EXTENSIONS = ".rst";
RENDER_COMMAND = "${docutils}/bin/rst2html.py";
IS_INPUT_FILE = false;
};
ui = {
DEFAULT_THEME = "gitea"; # Set the default theme
};
};
};
systemd = {
services = {
gitea = {
# Ensure gitea starts after nixops keys are loaded
after = ["gitea-dbpass-key.service"];
wants = ["gitea-dbpass-key.service"];
};
};
};
services.postgresql = {
enable = true; # Ensure postgresql is enabled
authentication = ''
local gitea all ident map=gitea-users
'';
identMap =
# Map the gitea user to postgresql
''
gitea-users gitea gitea
'';
ensureDatabases = ["gitea"]; # Ensure the database persists
ensureUsers = [
{
name = "gitea"; # Ensure the database user persists
ensurePermissions = {
# Ensure the database permissions persist
"DATABASE gitea" = "ALL PRIVILEGES";
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
};
}
];
};
services.nginx = {
enable = true; # Enable Nginx
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."source.jfdic.org" = {
# Gitea hostname
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
};
};
security.acme = {
acceptTerms = true;
certs = {
"source.jfdic.org".email = "source@jfdic.org";
};
};
users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
}


@ -1,13 +1,13 @@
# NixOps configuration for deploying the JFDIC website # NixOS configuration for deploying the Reciproka Kolektivo website
{ {
self, self,
config, config,
inputs,
pkgs, pkgs,
... ...
}: let }: let
hakyll-skeleton = import inputs.hakyll-skeleton {}; flake = builtins.getFlake (toString ../.);
webdomain = "skeleton.jfdic.org"; hakyll-skeleton = flake.inputs.hakyll-skeleton.packages."${pkgs.system}".default;
webdomain = "skeleton.reciproka.dev";
in { in {
environment.sessionVariables = { environment.sessionVariables = {
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive"; LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";


@ -1,4 +1,4 @@
# Configuration common to all JFDIC servers # Configuration common to all Reciproka Kolektivo servers
{ {
config, config,
pkgs, pkgs,
@ -17,9 +17,7 @@
]; ];
# Common boot settings # Common boot settings
boot = { boot.tmp.cleanOnBoot = true; # Clean /tmp on reboot ;
cleanTmpDir = true; # Clean /tmp on reboot
};
# Select internationalisation properties. # Select internationalisation properties.
i18n = { i18n = {
@ -29,7 +27,7 @@
# Set the defaul console properties # Set the defaul console properties
console = { console = {
keyMap = "us"; # Set the default console key map keyMap = "us"; # Set the default console key map
font = "ter-powerline-v16Rv"; # Set the default console font font = "ter-powerline-v32n"; # Set the default console font
}; };
time.timeZone = "Etc/UTC"; time.timeZone = "Etc/UTC";
@ -40,12 +38,14 @@
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
# Configure and install required fonts # Configure and install required fonts
fonts.enableDefaultFonts = true; fonts = {
fonts.fontDir.enable = true; enableDefaultPackages = true;
fonts.fonts = with pkgs; [ fontDir.enable = true;
powerline-fonts # Required for Powerline prompts packages = with pkgs; [
]; powerline-fonts # Required for Powerline prompts
fonts.fontconfig.includeUserConf = false; ];
fontconfig.includeUserConf = false;
};
# Adapted from gchristensen and clever # Adapted from gchristensen and clever
nix = { nix = {
@ -56,7 +56,7 @@
cfg = cfg =
pkgs.writeText "configuration.nix" pkgs.writeText "configuration.nix"
'' ''
assert builtins.trace "This system is managed by NixOps." false; assert builtins.trace "This system is managed by Colmena." false;
{} {}
''; '';
in "nixos-config=${cfg}") in "nixos-config=${cfg}")
@ -69,12 +69,14 @@
dates = "weekly"; dates = "weekly";
options = "--delete-older-than 90d"; options = "--delete-older-than 90d";
}; };
autoOptimiseStore = true;
extraOptions = '' extraOptions = ''
show-trace = true # Enable --show-trace by default for nix show-trace = true # Enable --show-trace by default for nix
builders-use-substitutes = true # Set builders to use caches builders-use-substitutes = true # Set builders to use caches
''; '';
trustedUsers = ["fiscalvelvetpoet"]; settings = {
auto-optimise-store = true;
trusted-users = ["fiscalvelvetpoet"];
};
}; };
system.extraSystemBuilderCmds = '' system.extraSystemBuilderCmds = ''
@ -106,6 +108,6 @@
]; ];
}; };
# Users common across JFDIC Ops: # Users common across Reciproka Ops:
users.mutableUsers = false; # Remove any users not defined in here users.mutableUsers = false; # Remove any users not defined in here
} }


@ -1,4 +1,4 @@
# logrotate configuration for NixOS / NixOps # logrotate configuration for NixOS
{config, ...}: { {config, ...}: {
services.logrotate = { services.logrotate = {
enable = true; # Enable the logrotate service enable = true; # Enable the logrotate service


@ -157,7 +157,7 @@
set undodir=/tmp/.vim-undo-dir set undodir=/tmp/.vim-undo-dir
set undofile set undofile
" JFDIC Markdown environment " Reciproka Kolektivo Markdown environment
function! MarkdownSettings() function! MarkdownSettings()
set textwidth=79 set textwidth=79
set spell spelllang=en_au set spell spelllang=en_au
@ -165,7 +165,7 @@
autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings() autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings()
autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings() autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings()
" JFDIC ReStructured Text environment " Reciproka Kolektivo ReStructured Text environment
function! ReStructuredSettings() function! ReStructuredSettings()
set textwidth=79 set textwidth=79
set spell spelllang=en_au set spell spelllang=en_au
@ -176,14 +176,14 @@
autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings() autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings()
autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings() autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings()
" JFDIC LaTeX environment: " Reciproka Kolektivo LaTeX environment:
function! LaTeXSettings() function! LaTeXSettings()
set textwidth=79 set textwidth=79
set spell spelllang=en_au set spell spelllang=en_au
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings() autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings()
" Settings for JFDIC Haskell environment: " Settings for Reciproka Kolektivo Haskell environment:
function! HaskellSettings() function! HaskellSettings()
set tabstop=2 set tabstop=2
set shiftwidth=2 set shiftwidth=2
@ -192,7 +192,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings() autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings()
" Settings for JFDIC Nix environment: " Settings for Reciproka Kolektivo Nix environment:
function! NixSettings() function! NixSettings()
set tabstop=2 set tabstop=2
set shiftwidth=2 set shiftwidth=2
@ -202,7 +202,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings() autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings()
" Settings for JFDIC Cue environment: " Settings for Reciproka Kolektivo Cue environment:
function! CueSettings() function! CueSettings()
set noexpandtab set noexpandtab
set tabstop=2 set tabstop=2
@ -212,7 +212,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings() autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings()
" Settings for JFDIC Rust environment: " Settings for Reciproka Kolektivo Rust environment:
function! RustSettings() function! RustSettings()
set tabstop=4 set tabstop=4
set shiftwidth=4 set shiftwidth=4
@ -222,7 +222,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings() autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings()
" Settings for JFDIC Crystal environment: " Settings for Reciproka Kolektivo Crystal environment:
function! CrystalSettings() function! CrystalSettings()
set tabstop=2 set tabstop=2
set shiftwidth=2 set shiftwidth=2
@ -232,7 +232,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings() autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings()
" Settings for JFDIC Golang environment: " Settings for Reciproka Kolektivo Golang environment:
function! GoSettings() function! GoSettings()
set tabstop=7 set tabstop=7
set shiftwidth=7 set shiftwidth=7
@ -240,7 +240,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings() autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings()
" Settings for JFDIC Python environment: " Settings for Reciproka Kolektivo Python environment:
function! PythonSettings() function! PythonSettings()
set tabstop=4 set tabstop=4
set shiftwidth=4 set shiftwidth=4
@ -250,7 +250,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings() autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings()
" JFDIC Mutt environment " Reciproka Kolektivo Mutt environment
function! MuttSettings() function! MuttSettings()
set textwidth=79 set textwidth=79
set spell spelllang=en_au set spell spelllang=en_au
@ -261,7 +261,7 @@
autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings() autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings()
autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings() autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings()
" Settings for JFDIC C environment: " Settings for Reciproka Kolektivo C environment:
function! CSettings() function! CSettings()
set tabstop=2 set tabstop=2
set shiftwidth=2 set shiftwidth=2
@ -270,7 +270,7 @@
endfunction endfunction
autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings() autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings()
" Settings for JFDIC YAML environment: " Settings for Reciproka Kolektivo YAML environment:
function! YAMLSettings() function! YAMLSettings()
set tabstop=2 set tabstop=2
set shiftwidth=2 set shiftwidth=2
@ -284,7 +284,7 @@
autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings() autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings()
autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings() autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings()
" Settings for JFDIC Bash environment: " Settings for Reciproka Kolektivo Bash environment:
function! BashSettings() function! BashSettings()
set tabstop=4 set tabstop=4
set shiftwidth=4 set shiftwidth=4


@ -1,4 +1,4 @@
# NixOps configuration nix-direnv # Nix configuration nix-direnv
{ {
config, config,
pkgs, pkgs,
@ -16,11 +16,11 @@
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [
direnv # A shell extension that manages your environment direnv # A shell extension that manages your environment
nix-direnv # A fast, persistent use_nix implementation for direnv #nix-direnv # A fast, persistent use_nix implementation for direnv
];
pathsToLink = [
"/share/nix-direnv"
]; ];
# pathsToLink = [
# "/share/nix-direnv"
# ];
}; };
nixpkgs.overlays = [ nixpkgs.overlays = [


@ -7,9 +7,6 @@
}: { }: {
services.openssh = { services.openssh = {
enable = true; # Enable the OpenSSH daemon. enable = true; # Enable the OpenSSH daemon.
permitRootLogin = "prohibit-password";
kbdInteractiveAuthentication = false;
passwordAuthentication = false;
openFirewall = true; openFirewall = true;
hostKeys = [ hostKeys = [
{ {
@ -17,5 +14,10 @@
type = "ed25519"; type = "ed25519";
} }
]; ];
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
}; };
} }


@ -0,0 +1,118 @@
# Nix configuration for the Reciproka Kolectivo Forgejo service
{
config,
pkgs,
lib,
...
}: let
flake = builtins.getFlake (toString ../.);
nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
in {
services.forgejo = {
enable = true; # Enable Forgejo
appName = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
database = {
type = "postgres"; # Database type
passwordFile = config.age.secrets.forgejo.path;
};
domain = "reciproka.dev"; # Domain name
httpPort = 3002; # Provided unique port
rootUrl = "https://reciproka.dev/"; # Root web URL
settings = let
DEFAULT.APP_NAME = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
server = {
DOMAIN = "reciproka.dev"; # Domain name
HTTP_PORT = 3002; # Provided unique port
ROOT_URL = "https://reciproka.dev/"; # Root web URL
};
in {
mailer = {
ENABLED = true;
FROM = "fonto@reciproka.dev";
};
repository = {
DEFAULT_BRANCH = "consensus";
};
service = {
DISABLE_REGISTRATION = true;
REGISTER_EMAIL_CONFIRM = true;
};
"markup.restructuredtext" = {
ENABLED = true;
FILE_EXTENSIONS = ".rst";
RENDER_COMMAND = "timeout 30s ${pkgs.pandoc}/bin/pandoc +RTS -M512M -RTS -f rst";
IS_INPUT_FILE = false;
};
ui = {
DEFAULT_THEME = "forgejo-auto"; # Set the default theme
THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,forgejo";
};
};
};
systemd = {
services = {
forgejo = {
# Ensure forgejo starts after keys are loaded
after = ["forgejo-dbpass-key.service"];
wants = ["forgejo-dbpass-key.service"];
};
};
};
services.postgresql = {
enable = true; # Ensure postgresql is enabled
authentication = ''
local forgejo all ident map=forgejo-users
'';
identMap =
# Map the forgejo user to postgresql
''
forgejo-users forgejo forgejo
'';
ensureDatabases = ["forgejo"]; # Ensure the database persists
ensureUsers = [
{
name = "forgejo"; # Ensure the database user persists
ensureDBOwnership = true;
}
];
package = pkgs.postgresql_16;
};
services.postgresqlBackup = {
enable = true;
compression = "zstd";
databases = ["forgejo"];
startAt = "*-*-* 15:00:00";
};
services.nginx = {
enable = true; # Enable Nginx
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."source.jfdic.org" = {
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/" = {
return = "301 https://reciproka.dev$request_uri";
};
};
virtualHosts."reciproka.dev" = {
# Forgejo hostname
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
locations."/".proxyPass = "http://localhost:3002/"; # Proxy Forgejo
};
};
security.acme = {
acceptTerms = true;
certs = {
"reciproka.dev".email = "admin@reciproka.co";
"source.jfdic.org".email = "admin@reciproka.co";
};
};
}
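Review bot: The `let` inside `settings` binds `DEFAULT.APP_NAME` and `server`, but the `in { … }` body never references them, so those values do not reach the generated configuration. The effective name, domain, port and root URL come only from the top-level `appName`, `domain`, `httpPort` and `rootUrl` options. Moving `DEFAULT` and `server` into the attribute set itself (`settings = { DEFAULT.APP_NAME = …; server = { … }; mailer = …; }`) and dropping the duplicated top-level options would leave one source of truth. Separately, `systemd.services.forgejo` still lists `forgejo-dbpass-key.service` in `after` and `wants`, which looks like a NixOps key unit. With the password now read from `config.age.secrets.forgejo.path`, nothing on this page defines that unit, so the ordering appears to guarantee nothing and could be removed. The `nixpkgsUnstable` binding at the top is also unused in the visible file.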


@ -1,13 +1,13 @@
# NixOps configuration for deploying the JFDIC website # Nix configuration for deploying the Reciproka Kolektivo website
{ {
self, self,
config, config,
inputs,
pkgs, pkgs,
... ...
}: let }: let
jfdic-web = import inputs.jfdic-web {}; flake = builtins.getFlake (toString ../.);
webdomain = "jfdic.org"; reciproka-web = flake.inputs.reciproka-web.packages."${pkgs.system}".default;
webdomain = "reciproka.net";
in { in {
environment.sessionVariables = { environment.sessionVariables = {
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive"; LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@ -24,11 +24,18 @@ in {
# website hostname # website hostname
enableACME = true; # Use ACME certs enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL forceSSL = true; # Force SSL
root = "${jfdic-web}"; # Wesbite root root = "${reciproka-web}"; # Wesbite root
}; };
"www.${webdomain}" = { "www.${webdomain}" = {
# Respect our elders :-) # Respect our elders :-)
locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;"; locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
};
"reciproka.co" = {
locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
enableACME = true; # Use ACME certs
forceSSL = true; # Force SSL
}; };
}; };
}; };
@ -36,10 +43,9 @@ in {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
certs = { certs = {
"${webdomain}" = { "${webdomain}" = {email = "admin@${webdomain}";};
email = "admin@${webdomain}"; "www.${webdomain}" = {email = "admin@${webdomain}";};
#group = "matrix-synapse"; "reciproka.co" = {email = "admin@${webdomain}";};
};
}; };
}; };


@ -1,12 +1,12 @@
# NixOps configuration for deploying the JFDIC website # NixOS configuration for deploying the Resilient Rockhampton website
{ {
self, self,
config, config,
inputs,
pkgs, pkgs,
... ...
}: let }: let
resrok-web = import inputs.resrok-web {}; flake = builtins.getFlake (toString ../.);
resrok-web = import flake.inputs.resrok-web {};
webdomain = "resrok.org"; webdomain = "resrok.org";
in { in {
environment.sessionVariables = { environment.sessionVariables = {


@ -1,4 +1,4 @@
# Configuration common to all JFDIC servers # Configuration common to all Reciproka Kolektivo servers
{ {
config, config,
pkgs, pkgs,
@ -7,8 +7,7 @@
}: { }: {
imports = [ imports = [
../profiles/openssh.nix ../profiles/openssh.nix
../secrets/user-fiscalvelvetpoet.nix ../profiles/users.nix
../secrets/user-root.nix
]; ];
programs.mosh = { programs.mosh = {


@ -3,6 +3,6 @@
services.tmate = { services.tmate = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
sshHostname = "tmate.jfdic.org"; sshHostname = "tmate.reciproka.co";
}; };
} }

37
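--- a/profiles/users.nix
+++ b/profiles/users.nix
@@ -0,0 +1,37 @@
+# User configuration common to all Reciproka Kolektivo servers
+{
+config,
+pkgs,
+...
+}: {
+age.secrets = {
+root.file = ../secrets/root.age;
+fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age;
+};
+# Reciproka Ops groups:
+users.groups.fiscalvelvetpoet.gid = 1000;
+# Reciproka Ops Users
+users.users.fiscalvelvetpoet = {
+isNormalUser = true;
+uid = 1000;
+group = "fiscalvelvetpoet";
+extraGroups = ["wheel"];
+# fix this
+hashedPasswordFile = config.age.secrets.fiscalvelvetpoet.path;
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+];
+};
+users.users.root = {
+# fix this
+hashedPasswordFile = config.age.secrets.root.path;
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+];
+};
+}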
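Review bot: The two `openssh.authorizedKeys.keys` lists, under `users.users.fiscalvelvetpoet` and `users.users.root`, are verbatim copies, so rotating or revoking a key means editing both and a missed edit leaves the old key valid on one account. Binding the list once, e.g. `let opsKeys = [ … ]; in`, and writing `openssh.authorizedKeys.keys = opsKeys;` in both places keeps them in step. Both `# fix this` comments sit above `hashedPasswordFile` without saying what is outstanding; a comment naming the pending work would tell the next reader whether the password handling is safe to rely on. Whether root needs its own authorized keys at all depends on how the deployment tool connects, which this page does not show.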


@ -1,12 +1,12 @@
# NixOps configuration for deploying the Voices of Capricornia website # Nix configuration for deploying the Voices of Capricornia website
{ {
self, self,
config, config,
inputs,
pkgs, pkgs,
... ...
}: let }: let
voc-web = import inputs.voc-web {}; flake = builtins.getFlake (toString ../.);
voc-web = import flake.inputs.voc-web {};
webdomain = "voicesofcapricornia.org"; webdomain = "voicesofcapricornia.org";
in { in {
environment.sessionVariables = { environment.sessionVariables = {


@ -1,4 +1,4 @@
# Configuration common to all JFDIC servers # Configuration common to all Reciproka Kolektivo servers
{ {
config, config,
pkgs, pkgs,


@ -0,0 +1,21 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----

13
secrets/forgejo.age Normal file

@ -0,0 +1,13 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----

22
secrets/root.age Normal file

@ -0,0 +1,22 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----

22
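--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,22 @@
+# Used by ragenix nix only.
+# Ensure that $RULES has been set via direnv
+# Edit a key: `agenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age`
+# run `ragenix -r -i /path/to/your/key` after modifying any keys below
+#
+# Re-keying is required after adding new hosts or keys:
+# run `ragenix -r -i /path/to/your/key`
+let
+fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
+ops = [fiscalvelvetpoet];
+users = [fiscalvelvetpoet];
+flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
+hollows = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGB8EUbqoarM4GmPgE2DBF4z/L6wVNc+lF27Z83XDUz";
+pred = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMK5BOK1ldtZ+SV4QxfNm/PfOLOWv3/VHf/JbdMMoMzw";
+toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
+systems = [flemming hollows pred toscano];
+in {
+"root.age".publicKeys = ops ++ systems;
+"fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
+"forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
+}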
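Review bot: The `users` list is bound but never used: `"fiscalvelvetpoet.age".publicKeys` spells the recipient out as `[fiscalvelvetpoet] ++ systems` and `"forgejo.age"` names the key directly, while `"root.age"` goes through `ops`. When a second operator key is added to `ops` or `users`, the secrets with literal recipients will not pick it up on re-key; `"fiscalvelvetpoet.age".publicKeys = users ++ systems;` and `"forgejo.age".publicKeys = ops ++ [toscano];` would keep the recipient sets driven by the groups. The header comment also mixes `agenix -i` with `ragenix -r`, repeats the re-key instruction twice, and mentions `$RULES` without saying what it should point to. One consistent command and a line such as `# RULES must point at this file (set by direnv)` would make the procedure unambiguous, if that is indeed what the variable holds.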


@ -1,16 +1,19 @@
{ {
pkgs ? import <nixpkgs> {}, pkgs ? import <nixpkgs> {},
ragenix,
alejandra, alejandra,
mkShell, mkShell,
nixops, colmena,
nix, nix,
}: }:
with pkgs; with pkgs;
mkShell { mkShell {
buildInputs = [ buildInputs = [
ragenix # CLI management of secrets encrypted via existing SSH keys
alejandra # The Uncompromising Nix Code Formatter alejandra # The Uncompromising Nix Code Formatter
nixops colmena # simple, stateless NixOS deployment tool
nix nix # Powerful package manager that makes package management reliable and reproducible
tea # Gitea official CLI client
treefmt # one CLI to format the code tree treefmt # one CLI to format the code tree
]; ];
} }