workflow: disable fail-fast when building machines

unpin vscode-extensions
run immich-ml from ytnix and add tailscale0 to trustedInterfaces
2025-03-11 12:21:38 -04:00 · 2025-03-11 11:18:21 -04:00 · 2025-03-09 22:23:58 -04:00 · 2025-03-08 20:39:56 -05:00 · 2025-03-08 20:39:17 -05:00
9 changed files with 130 additions and 89 deletions
--- a/.github/workflows/build-machines-and-homes.yml
+++ b/.github/workflows/build-machines-and-homes.yml
@ -6,6 +6,7 @@ on:
 jobs:
  build-machines:
    strategy:
+      fail-fast: false
      matrix:
        machine:
          - chunk
--- a/flake.lock
+++ b/flake.lock
@ -157,11 +157,11 @@
    },
    "crane_2": {
      "locked": {
-        "lastModified": 1741021986,
-        "narHash": "sha256-VX8M6arxQU05mipDmLjk0TJVRNzu+VQx3w1gVmyPkO4=",
+        "lastModified": 1741396358,
+        "narHash": "sha256-js4c6tqxluo4Fysn8gloLnlZ6ZjQkuWMgGjHN8+WssE=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "5245473d6638a96da540e44372da96eebb97735a",
+        "rev": "aaebfb7ce7e13c691aea178aff7621906f466662",
        "type": "github"
      },
      "original": {
@ -327,11 +327,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740872218,
-        "narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
+        "lastModified": 1741352980,
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3876f6b87db82f33775b1ef5ea343986105db764",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
@ -472,11 +472,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741056285,
-        "narHash": "sha256-/JKDMVqq8PIqcGonBVKbKq1SooV3kzGmv+cp3rKAgPA=",
+        "lastModified": 1741461731,
+        "narHash": "sha256-BBQfGvO3GWOV+5tmqH14gNcZrRaQ7Q3tQx31Frzoip8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "70fbbf05a5594b0a72124ab211bff1d502c89e3f",
+        "rev": "7f4c60a3d6e548dbc13666565c22cb3f8dcdad44",
        "type": "github"
      },
      "original": {
@ -533,11 +533,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741001137,
-        "narHash": "sha256-XxWib5eI3rgMPA4VzDHOx89WT76IN/ZNb+votz5gakw=",
+        "lastModified": 1741442524,
+        "narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "cc9786aa8158437facead0d8e21ac0c03be91dc8",
+        "rev": "d8099586d9a84308ffedac07880e7f07a0180ff4",
        "type": "github"
      },
      "original": {
@ -593,11 +593,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1741082941,
-        "narHash": "sha256-mxMbmNSXLZ0G+4uPEXCodjRJffqh/Jq4X5pgFuQFZB0=",
+        "lastModified": 1741358751,
+        "narHash": "sha256-cDPg74UirjlGcVjB9qI/8ImkdEJ9p2y8Y2FQBfU8KzY=",
        "ref": "refs/heads/main",
-        "rev": "ca89e431a31527a014bfd0d529da2a8099027a5f",
-        "revCount": 17577,
+        "rev": "93c3ca4e92b8cd1a129498f4c3f4c48558032d46",
+        "revCount": 17620,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/lix"
      },
@ -646,11 +646,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1732053863,
-        "narHash": "sha256-DCIVdlb81Fct2uwzbtnawLBC/U03U2hqx8trqTJB7WA=",
+        "lastModified": 1741118843,
+        "narHash": "sha256-ggXU3RHv6NgWw+vc+HO4/9n0GPufhTIUjVuLci8Za8c=",
        "owner": "oxalica",
        "repo": "nil",
-        "rev": "2e24c9834e3bb5aa2a3701d3713b43a6fb106362",
+        "rev": "577d160da311cc7f5042038456a0713e9863d09e",
        "type": "github"
      },
      "original": {
@ -745,11 +745,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740886574,
-        "narHash": "sha256-jN6kJ41B6jUVDTebIWeebTvrKP6YiLd1/wMej4uq4Sk=",
+        "lastModified": 1741446546,
+        "narHash": "sha256-0z0GiUsUhjhZWa24bcAxqmlI3Ch8QvEeh42wghc6oVw=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "26a0f969549cf4d56f6e9046b9e0418b3f3b94a5",
+        "rev": "eeaf10849c3a0435323216885c0df7569dc95cb9",
        "type": "github"
      },
      "original": {
@ -860,11 +860,11 @@
    },
    "nixpkgs-stable_3": {
      "locked": {
-        "lastModified": 1740932899,
-        "narHash": "sha256-F0qDu2egq18M3edJwEOAE+D+VQ+yESK6YWPRQBfOqq8=",
+        "lastModified": 1741332913,
+        "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "1546c45c538633ae40b93e2d14e0bb6fd8f13347",
+        "rev": "20755fa05115c84be00b04690630cb38f0a203ad",
        "type": "github"
      },
      "original": {
@ -924,11 +924,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1741073343,
-        "narHash": "sha256-8qmLpDUmaiBGLZkFfVyK5/T5fyTXXGdzCRdqAtO0gf4=",
+        "lastModified": 1741455743,
+        "narHash": "sha256-raXtjhD9mmNrVdCoJkYoUo0X2lhEyIZYQ6M7uUp/Uuc=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "72bccb2960235fd31de456566789c324a251f297",
+        "rev": "c1ee2620296430ac1e3ee72583ad0191463a9d60",
        "type": "github"
      },
      "original": {
@ -1046,11 +1046,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737465171,
-        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
+        "lastModified": 1740915799,
+        "narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
        "type": "github"
      },
      "original": {
@ -1125,11 +1125,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1741055476,
-        "narHash": "sha256-52vwEV0oS2lCnx3c/alOFGglujZTLmObit7K8VblnS8=",
+        "lastModified": 1741400194,
+        "narHash": "sha256-tEpgT+q5KlGjHSm8MnINgTPErEl8YDzX3Eps8PVc09g=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "aefb7017d710f150970299685e8d8b549d653649",
+        "rev": "16b6045a232fea0e9e4c69e55a6e269607dd8e3f",
        "type": "github"
      },
      "original": {
@ -1210,9 +1210,6 @@
    },
    "vscode-extensions": {
      "inputs": {
-        "flake-compat": [
-          "flake-compat"
-        ],
        "flake-utils": [
          "flake-utils"
        ],
@ -1221,17 +1218,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1740924345,
-        "narHash": "sha256-TO8Ttb+7PeKBkUe8vUrBt6Vxg3RMeQp4ARmlWQfcWrs=",
+        "lastModified": 1741693734,
+        "narHash": "sha256-Df0jzarVCkwJttnITExjsbSN20FOOuenGhpKvOj49hk=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "1fc267a10f46200e32f0850caa396bd1ba4ba08e",
+        "rev": "6d444be7edf281b8df98235d911d176beaa31510",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "1fc267a10f46200e32f0850caa396bd1ba4ba08e",
        "type": "github"
      }
    }
--- a/flake.nix
+++ b/flake.nix
@ -68,11 +68,9 @@
      inputs.flake-utils.follows = "flake-utils";
    };
    vscode-extensions = {
-      # https://github.com/nix-community/nix-vscode-extensions/issues/102
-      url = "github:nix-community/nix-vscode-extensions/1fc267a10f46200e32f0850caa396bd1ba4ba08e";
+      url = "github:nix-community/nix-vscode-extensions/";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
-      inputs.flake-compat.follows = "flake-compat";
    };
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
--- a/home/yt/ytnix.nix
+++ b/home/yt/ytnix.nix
@ -101,27 +101,9 @@
      wl-clipboard-rs
      pixelflasher
      element-desktop
+      freetube
    ];

-  programs.feh.enable = true;
-
-  xdg.configFile = {
-    mpv.source = ../mpv;
-  };
-
-  programs.direnv = {
-    enable = true;
-    nix-direnv.enable = true;
-  };
-
-  programs.git.extraConfig = {
-    user = {
-      signingKey = "~/.ssh/id_ed25519";
-    };
-    gpg.format = "ssh";
-    commit.gpgsign = true;
-  };
-
  home.sessionVariables = {
    # to make ghidra work on xwayland
    _JAVA_AWT_WM_NONREPARENTING = 1;
@ -144,5 +126,29 @@
    SSH_AUTH_SOCK = "$HOME/.bitwarden-ssh-agent.sock";
  };

+  home.sessionPath = [
+    "$HOME/.cargo/bin"
+    "$HOME/go/bin"
+  ];
+
+  programs.feh.enable = true;
+
+  xdg.configFile = {
+    mpv.source = ../mpv;
+  };
+
+  programs.direnv = {
+    enable = true;
+    nix-direnv.enable = true;
+  };
+
+  programs.git.extraConfig = {
+    user = {
+      signingKey = "~/.ssh/id_ed25519";
+    };
+    gpg.format = "ssh";
+    commit.gpgsign = true;
+  };
+
  programs.nix-index-database.comma.enable = true;
 }
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@ -79,6 +79,7 @@
    networkmanager.enable = true;
    firewall = {
      enable = true;
+      trustedInterfaces = [ "tailscale0" ];
      allowedTCPPorts = [
        22
        80
@ -86,8 +87,6 @@
      ];
      allowedUDPPorts = [
        443
-        53
-        853
      ];
      extraCommands =
        let
--- a/hosts/chunk/immich.nix
+++ b/hosts/chunk/immich.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  lib,
  ...
 }:
 let
@ -67,21 +68,9 @@ in
      ];
      networks = [ "immich-net" ];
    };
-
-    # immich-ml = {
-    #   image = "ghcr.io/immich-app/immich-machine-learning:release";
-    #   autoStart = true;
-    #   pull = "newer";
-    #   environment = {
-    #     REDIS_HOSTNAME = "immich-redis";
-    #     DB_HOSTNAME = "immich-db";
-    #   };
-    #   volumes = [ "${modelCache}:/cache" ];
-    #   networks = [ "immich-net" ];
-    # };
  };

-  systemd.services.create-immich-net = {
+  systemd.services.create-immich-net = rec {
    serviceConfig.Type = "oneshot";
    requiredBy = with config.virtualisation.oci-containers; [
      "${backend}-immich.service"
@ -89,10 +78,10 @@ in
      "${backend}-immich-redis.service"
      # "${backend}-immich-ml.service"
    ];
-    before = config.systemd.services.create-immich-net.requiredBy;
+    before = requiredBy;
    script = ''
-      ${pkgs.podman}/bin/podman network exists immich-net || \
-      ${pkgs.podman}/bin/podman network create immich-net
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
    '';
  };

--- a/hosts/ytnix/containers.nix
+++ b/hosts/ytnix/containers.nix
@ -0,0 +1,36 @@
+{ 
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  virtualisation.oci-containers.containers = {
+    immich-ml = let
+      modelCache = "/opt/immich-ml";
+    in {
+      image = "ghcr.io/immich-app/immich-machine-learning:release";
+      autoStart = true;
+      pull = "newer";
+      ports = [ "3003:3003" ];
+      environment = {
+        REDIS_HOSTNAME = "immich-redis";
+        DB_HOSTNAME = "immich-db";
+      };
+      volumes = [ "${modelCache}:/cache" ];
+      networks = [ "immich-net" ];
+    };
+  };
+
+  systemd.services.create-immich-net = rec {
+    serviceConfig.Type = "oneshot";
+    requiredBy = with config.virtualisation.oci-containers; [
+      "${backend}-immich-ml.service"
+    ];
+    before = requiredBy;
+    script = ''
+      ${lib.getExe pkgs.podman} network exists immich-net || \
+      ${lib.getExe pkgs.podman} network create immich-net
+    '';
+  };
+}
--- a/hosts/ytnix/default.nix
+++ b/hosts/ytnix/default.nix
@ -10,6 +10,7 @@
    ../common.nix
    ../zsh.nix
    ./tailscale.nix
+    ./containers.nix
  ];

  sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -86,10 +87,12 @@
    resolvconf.enable = true;
    firewall = {
      enable = true;
-      allowedTCPPorts = [
-        8080 # mitmproxy
-        22000 # syncthing
-      ];
+      trustedInterfaces = [ "tailscale0" ];
+      # allowedTCPPorts = [
+      #   8080 # mitmproxy
+      #   22000 # syncthing
+      #   3003 # immich-ml
+      # ];
    };
  };
  programs.nm-applet.enable = true;
@ -252,11 +255,11 @@
  xdg.mime.defaultApplications = {
    "application/pdf" = "okular.desktop";
    "image/*" = "gwenview.desktop";
-    "*/html" = "chromium-browser.desktop";
  };

-  virtualisation = {
-    libvirtd.enable = true;
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.vhostUserPackages = with pkgs; [ virtiofsd ];
  };
  programs.virt-manager.enable = true;
  my.containerization.enable = true;
@ -380,4 +383,5 @@

  programs.ccache.enable = true;
  nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
+  programs.fuse.userAllowOther = true;
 }
--- a/modules/searx.nix
+++ b/modules/searx.nix
@ -5,7 +5,6 @@
 }:
 let
  cfg = config.my.searx;
-  sockPath = "/run/searx/searx.sock";
 in
 {
  options.my.searx = {
@ -25,6 +24,19 @@ in
        server.secret_key = "@SEARX_SECRET_KEY@";
      };
      environmentFile = config.sops.secrets."searx/env".path;
+      redisCreateLocally = true; # required for limiter
+      limiterSettings = {
+        real_ip = {
+          x_for = 1;
+          ipv4_prefix = 32;
+          ipv6_prefix = 56;
+        };
+        botdetection.ip_lists.pass_ip = [
+          "100.121.152.86"
+          "100.66.32.54"
+        ];
+        link_token = true;
+      };
    };

    services.caddy.virtualHosts."x.cy7.sh".extraConfig = ''
Author	SHA1	Message	Date
cy	8406723988	workflow: disable fail-fast when building machines	2025-03-11 12:21:38 -04:00
cy	ab0dfe08c7	unpin vscode-extensions	2025-03-11 11:18:21 -04:00
cy	553a07f0a9	run immich-ml from ytnix and add tailscale0 to trustedInterfaces	2025-03-09 22:23:58 -04:00
cy	59de12e892	flake update Signed-off-by: cy <cy@cy7.sh>	2025-03-08 20:39:56 -05:00
cy	2f7429a2c8	searx: use limiter	2025-03-08 20:39:17 -05:00