From 25c7eb865a0680d60847b4c1e596e995658b7f9f Mon Sep 17 00:00:00 2001 From: cy Date: Thu, 13 Mar 2025 13:43:35 -0400 Subject: [PATCH 1/7] workflow: use attic --- .../workflows/build-machines-and-homes.yml | 83 +++++++++++++++---- .github/workflows/build-packages.yml | 40 +++++++-- 2 files changed, 98 insertions(+), 25 deletions(-) diff --git a/.github/workflows/build-machines-and-homes.yml b/.github/workflows/build-machines-and-homes.yml index 413b892..429a454 100644 --- a/.github/workflows/build-machines-and-homes.yml +++ b/.github/workflows/build-machines-and-homes.yml @@ -3,6 +3,17 @@ on: workflow_dispatch: push: pull_request: +env: + ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} + NIX_CONFIG: | + show-trace = true + extra-substituters = https://cache.cy7.sh/main + extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0= + experimental-features = nix-command flakes + extra-experimental-features = nix-command flakes + accept-flake-config = true + TERM: ansi + jobs: build-machines: strategy: @@ -26,21 +37,15 @@ jobs: remove-codeql: 'true' remove-docker-images: 'true' build-mount-path: /nix + - name: Install Nix - uses: cachix/install-nix-action@v30 - with: - install_url: https://releases.nixos.org/nix/nix-2.25.4/install - extra_nix_config: 'accept-flake-config = true' + uses: nixbuild/nix-quick-install-action@master + - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - uses: cachix/cachix-action@v14 - with: - name: cything - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - useDaemon: false - installCommand: nix profile install nixpkgs#cachix + - name: Restore and cache Nix store uses: nix-community/cache-nix-action@v5.1.0 with: @@ -58,7 +63,30 @@ jobs: purge-primary-key: never # always save the cache save-always: true - - run: nix build -L .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel + + - name: setup attic + run: | + nix profile install github:zhaofengli/attic + attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" + + - name: build and cache + run: | + package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel" + nix build -L "$package" + derivation="$(nix path-info --derivation "$package")" + cache="$(nix-store --query --requisites --include-outputs "$derivation")" + attic push main --stdin <<< "$cache" + + - name: prepare tarball to upload + run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result + + - name: upload result + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.machine }}-${{ matrix.os }} + path: result.tar + if-no-files-found: error + build-homes: strategy: matrix: @@ -81,17 +109,14 @@ jobs: remove-codeql: 'true' remove-docker-images: 'true' build-mount-path: /nix + - uses: nixbuild/nix-quick-install-action@master + - name: Sync repository uses: actions/checkout@v4 with: persist-credentials: false - - uses: cachix/cachix-action@v14 - with: - name: cything - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - useDaemon: false - installCommand: nix profile install nixpkgs#cachix + - name: Restore and cache Nix store uses: nix-community/cache-nix-action@v5.1.0 with: @@ -109,4 +134,26 @@ jobs: purge-primary-key: never # always save the cache save-always: true - - run: nix build -L .#homeConfigurations."${{ matrix.home }}".activationPackage + + - name: setup attic + run: | + nix profile install github:zhaofengli/attic + attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" + + - name: build and cache + run: | + package=".#homeConfigurations."${{ matrix.home }}".activationPackage" + nix build -L "$package" + derivation="$(nix path-info --derivation "$package")" + cache="$(nix-store --query --requisites --include-outputs "$derivation")" + attic push main --stdin <<< "$cache" + + - name: prepare tarball to upload + run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result + + - name: upload result + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.home }}-${{ matrix.os }} + path: result.tar + if-no-files-found: error diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 72fc72c..5bb8b29 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -6,6 +6,17 @@ on: description: "package to build" required: false type: string +env: + ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }} + NIX_CONFIG: | + show-trace = true + extra-substituters = https://cache.cy7.sh/main + extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0= + experimental-features = nix-command flakes + extra-experimental-features = nix-command flakes + accept-flake-config = true + TERM: ansi + jobs: build-packages: strategy: @@ -18,6 +29,7 @@ jobs: - ubuntu-24.04-arm - macos-latest - macos-13 + runs-on: ${{ matrix.os }} steps: - name: Install Nix @@ -27,12 +39,26 @@ jobs: uses: actions/checkout@v4 with: persist-credentials: false - - - uses: cachix/cachix-action@v14 - with: - name: cything - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - useDaemon: false - installCommand: nix profile install nixpkgs#cachix + + - name: setup attic + run: | + nix profile install github:zhaofengli/attic + attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN" - run: nix build -L ${{ matrix.package }} + + - name: cache result + run: | + derivation="$(nix path-info --derivation "${{ matrix.package }}")" + cache="$(nix-store --query --requisites --include-outputs "$derivation")" + attic push main --stdin <<< "$cache" + + - name: prepare tarball to upload + run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result + + - name: upload result + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.os }} + path: result.tar + if-no-files-found: error From 386cf05f4246c4b5f74836dd9f0f657b943979e4 Mon Sep 17 00:00:00 2001 From: cy Date: Thu, 13 Mar 2025 21:09:04 -0400 Subject: [PATCH 2/7] overlay garage --- flake.lock | 33 +++++++++++++++++++++++++++++++++ flake.nix | 12 ++++++++++++ overlay/default.nix | 5 ++++- 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index e40aeed..bd1a4e5 100644 --- a/flake.lock +++ b/flake.lock @@ -342,6 +342,38 @@ "type": "github" } }, + "garage": { + "inputs": { + "crane": [ + "crane" + ], + "flake-compat": [ + "flake-compat" + ], + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": [ + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1741360584, + "narHash": "sha256-5UkuvKllBRhU943imyc0jHDXQDVhIFx5WWUr3qrLEWQ=", + "owner": "deuxfleurs-org", + "repo": "garage", + "rev": "c96be1a9a8aa3b51075678888b80c2414ead2909", + "type": "github" + }, + "original": { + "owner": "deuxfleurs-org", + "repo": "garage", + "type": "github" + } + }, "git-hooks": { "inputs": { "flake-compat": [ @@ -1002,6 +1034,7 @@ "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_2", "flake-utils": "flake-utils", + "garage": "garage", "home-manager": "home-manager", "lanzaboote": "lanzaboote", "lix": "lix", diff --git a/flake.nix b/flake.nix index a07ce00..494ce4f 100644 --- a/flake.nix +++ b/flake.nix @@ -88,6 +88,16 @@ crane.follows = "crane"; }; }; + garage = { + url = "github:deuxfleurs-org/garage"; + inputs = { + nixpkgs.follows = "nixpkgs"; + rust-overlay.follows = "rust-overlay"; + crane.follows = "crane"; + flake-compat.follows = "flake-compat"; + flake-utils.follows = "flake-utils"; + }; + }; nvim-github-theme = { url = "github:projekt0n/github-nvim-theme"; @@ -105,11 +115,13 @@ "https://nix-community.cachix.org" "https://cache.garnix.io" "https://cything.cachix.org" + "https://cache.cy7.sh/main" ]; extra-trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI=" + "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=" ]; builders-use-substitutes = true; }; diff --git a/overlay/default.nix b/overlay/default.nix index b3cdb56..1df98bd 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -19,7 +19,10 @@ in pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher"; attic-server = pkgFrom inputs.attic "attic-server"; attic = pkgFrom inputs.attic "attic"; + garage = ((pkgFrom inputs.garage "default").overrideAttrs { + meta.mainProgram = "garage"; + }); } ) ] -++ importedOverlays \ No newline at end of file +++ importedOverlays From 60727812b81ea956b6c323979ef3df0fc8ae6d03 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 14 Mar 2025 00:55:53 -0400 Subject: [PATCH 3/7] rm tor and update firewall stuff --- hosts/chunk/default.nix | 15 +++++---------- hosts/chunk/tor.nix | 16 ---------------- 2 files changed, 5 insertions(+), 26 deletions(-) delete mode 100644 hosts/chunk/tor.nix diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 2fee98c..9a621c4 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -22,7 +22,6 @@ ./forgejo.nix ./garage.nix ./tailscale.nix - ./tor.nix ]; sops.age.keyFile = "/root/.config/sops/age/keys.txt"; @@ -101,22 +100,18 @@ ${tc} qdisc del dev ens18 root || true # create HTB hierarchy - ${tc} qdisc add dev ens18 root handle 1: htb default 30 + ${tc} qdisc add dev ens18 root handle 1: htb default 10 ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100% - # tailscale - ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100% - # caddy - ${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100% # rest + ${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100% + # caddy ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100% # mark traffic - iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1 - iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2 + iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3 # route marked packets - ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10 - ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20 + ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30 ''; }; interfaces.ens18 = { diff --git a/hosts/chunk/tor.nix b/hosts/chunk/tor.nix deleted file mode 100644 index 2ad4a89..0000000 --- a/hosts/chunk/tor.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: -{ - services.tor = { - enable = true; - openFirewall = true; - relay = { - enable = true; - role = "relay"; - }; - settings = { - ORPort = 9001; - Nickname = "chunk"; - # MaxAdvertisedBandwidth = "20MBytes"; - }; - }; -} From 1f3b9983d63f8896932f268d12b24167e962494a Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 14 Mar 2025 00:56:29 -0400 Subject: [PATCH 4/7] vscode: add toml and go --- home/codium.nix | 2 ++ home/yt/ytnix.nix | 1 + 2 files changed, 3 insertions(+) diff --git a/home/codium.nix b/home/codium.nix index 2d7bb9d..dcdf4ea 100644 --- a/home/codium.nix +++ b/home/codium.nix @@ -21,6 +21,8 @@ tomrijndorp.find-it-faster streetsidesoftware.code-spell-checker emilast.logfilehighlighter + tamasfe.even-better-toml + golang.go ]; userSettings = let diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index 9b20a66..5d60a6d 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -102,6 +102,7 @@ pixelflasher element-desktop freetube + gopls ]; home.sessionVariables = { From f1e4d7834f3799bb041fae3b32c7edfcadf9572b Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 14 Mar 2025 00:57:10 -0400 Subject: [PATCH 5/7] better docker support --- modules/containerization.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/containerization.nix b/modules/containerization.nix index 416d2bf..fd39da9 100644 --- a/modules/containerization.nix +++ b/modules/containerization.nix @@ -28,8 +28,11 @@ in dns_enabled = true; ipv6_enabled = true; }; + # answer on /var/run/docker.sock + dockerSocket.enable = true; }; - oci-containers.backend = lib.mkIf cfg.usePodman "podman"; + docker.enable = lib.mkIf (!cfg.usePodman) true; + oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker"; }; }; } From fcd42883eab918036b22e85c40701edc1034f726 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 14 Mar 2025 00:57:38 -0400 Subject: [PATCH 6/7] add attic cache to nix.conf --- hosts/common.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/common.nix b/hosts/common.nix index feafd17..0fb2fc6 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -14,12 +14,14 @@ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI=" + "main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=" ]; substituters = [ "https://niri.cachix.org" "https://nix-community.cachix.org" "https://cache.garnix.io" "https://cything.cachix.org" + "https://cache.cy7.sh/main" ]; }; channel.enable = false; From 5dd8b87f38049f3ee6ffd60a8fc76e4da6654771 Mon Sep 17 00:00:00 2001 From: cy Date: Fri, 14 Mar 2025 00:58:59 -0400 Subject: [PATCH 7/7] ytnix: disable nix sandbox --- hosts/ytnix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/ytnix/default.nix b/hosts/ytnix/default.nix index c185991..15ccf21 100644 --- a/hosts/ytnix/default.nix +++ b/hosts/ytnix/default.nix @@ -144,6 +144,7 @@ "docker" "disk" "adbusers" + "podman" ]; environment.systemPackages = with pkgs; lib.flatten [ @@ -384,4 +385,5 @@ programs.ccache.enable = true; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; programs.fuse.userAllowOther = true; + nix.settings.sandbox = false; }