cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: cy:f4c7243b69d0855e6a4b73db8275cae21ca84519
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence
...
compare: cy:5dd8b87f38049f3ee6ffd60a8fc76e4da6654771
Branches Tags
cy:main
cy:update
cy:2025-04-14
cy:2025-04-07
cy:2025-04-05
cy:2025-04-04
cy:staging
cy:dogfood-nixcp
cy:no-follows
cy:workflow-test
cy:update_flake_lock_action
cy:caddy-s3
cy:workflow-copy
cy:workflow-lix
cy:test-s3-cache
cy:temp
cy:attic
cy:helix
cy:test
cy:lix-test
cy:bitwarden-patch
cy:chromium
cy:new-attic
cy:canary
cy:downgrade-kernel
cy:soju
cy:kde
cy:shiori
cy:caddy-module
cy:anki-overlay
cy:nixpkgs-master
cy:lix
cy:pan-home
cy:pi
cy:pancake
cy:pancake-sd-image
cy:arm
cy:lix-404
cy:customize-kernel
cy:blueprint
cy:flake-utils
cy:conduwuit-flake
cy:ghostty
cy:zen
cy:lact-fix-test
cy:alvr-test
cy:workflow-refactor
cy:bump-conduwuit
cy:gollum
cy:build
cy:nginx
cy:iso
cy:flake-parts
cy:codespace
cy:sway
cy:minio
cy:garage-module
cy:garage-test
cy:vscode
cy:purge
cy:create-pull-request/patch
cy:garage
cy:harmonia
cy:impermanence

7 commits
f4c7243b69 ... 5dd8b87f38

Author SHA1 Message Date
cy
5dd8b87f38
ytnix: disable nix sandbox 2025-03-14 00:58:59 -04:00
cy
fcd42883ea
add attic cache to nix.conf 2025-03-14 00:57:38 -04:00
cy
f1e4d7834f
better docker support 2025-03-14 00:57:10 -04:00
cy
1f3b9983d6
vscode: add toml and go 2025-03-14 00:56:29 -04:00
cy
60727812b8
rm tor and update firewall stuff 2025-03-14 00:55:53 -04:00
cy
386cf05f42
overlay garage 2025-03-14 00:55:00 -04:00
cy
25c7eb865a
workflow: use attic 2025-03-14 00:54:58 -04:00
12 changed files with 163 additions and 53 deletions
Download patch file Download diff file Expand all files Collapse all files

83
.github/workflows/build-machines-and-homes.yml vendored
View file

@ -3,6 +3,17 @@ on:
workflow_dispatch: workflow_dispatch:
push: push:
pull_request: pull_request:
env:
ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
NIX_CONFIG: |
show-trace = true
extra-substituters = https://cache.cy7.sh/main
extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=
experimental-features = nix-command flakes
extra-experimental-features = nix-command flakes
accept-flake-config = true
TERM: ansi
jobs: jobs:
build-machines: build-machines:
strategy: strategy:
@ -26,21 +37,15 @@ jobs:
remove-codeql: 'true' remove-codeql: 'true'
remove-docker-images: 'true' remove-docker-images: 'true'
build-mount-path: /nix build-mount-path: /nix
- name: Install Nix - name: Install Nix
uses: cachix/install-nix-action@v30 uses: nixbuild/nix-quick-install-action@master
with:
install_url: https://releases.nixos.org/nix/nix-2.25.4/install
extra_nix_config: 'accept-flake-config = true'
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- uses: cachix/cachix-action@v14
with:
name: cything
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false
installCommand: nix profile install nixpkgs#cachix
- name: Restore and cache Nix store - name: Restore and cache Nix store
uses: nix-community/cache-nix-action@v5.1.0 uses: nix-community/cache-nix-action@v5.1.0
with: with:
@ -58,7 +63,30 @@ jobs:
purge-primary-key: never purge-primary-key: never
# always save the cache # always save the cache
save-always: true save-always: true
- run: nix build -L .#nixosConfigurations.${{ matrix.machine }}.config.system.build.toplevel
- name: setup attic
run: |
nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- name: build and cache
run: |
package=".#nixosConfigurations."${{ matrix.machine }}".config.system.build.toplevel"
nix build -L "$package"
derivation="$(nix path-info --derivation "$package")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")"
attic push main --stdin <<< "$cache"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.machine }}-${{ matrix.os }}
path: result.tar
if-no-files-found: error
build-homes: build-homes:
strategy: strategy:
matrix: matrix:
@ -81,17 +109,14 @@ jobs:
remove-codeql: 'true' remove-codeql: 'true'
remove-docker-images: 'true' remove-docker-images: 'true'
build-mount-path: /nix build-mount-path: /nix
- uses: nixbuild/nix-quick-install-action@master - uses: nixbuild/nix-quick-install-action@master
- name: Sync repository - name: Sync repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
persist-credentials: false persist-credentials: false
- uses: cachix/cachix-action@v14
with:
name: cything
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false
installCommand: nix profile install nixpkgs#cachix
- name: Restore and cache Nix store - name: Restore and cache Nix store
uses: nix-community/cache-nix-action@v5.1.0 uses: nix-community/cache-nix-action@v5.1.0
with: with:
@ -109,4 +134,26 @@ jobs:
purge-primary-key: never purge-primary-key: never
# always save the cache # always save the cache
save-always: true save-always: true
- run: nix build -L .#homeConfigurations."${{ matrix.home }}".activationPackage
- name: setup attic
run: |
nix profile install github:zhaofengli/attic
attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
- name: build and cache
run: |
package=".#homeConfigurations."${{ matrix.home }}".activationPackage"
nix build -L "$package"
derivation="$(nix path-info --derivation "$package")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")"
attic push main --stdin <<< "$cache"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.home }}-${{ matrix.os }}
path: result.tar
if-no-files-found: error

38
.github/workflows/build-packages.yml vendored
View file

@ -6,6 +6,17 @@ on:
description: "package to build" description: "package to build"
required: false required: false
type: string type: string
env:
ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
NIX_CONFIG: |
show-trace = true
extra-substituters = https://cache.cy7.sh/main
extra-trusted-public-keys = main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0=
experimental-features = nix-command flakes
extra-experimental-features = nix-command flakes
accept-flake-config = true
TERM: ansi
jobs: jobs:
build-packages: build-packages:
strategy: strategy:
@ -18,6 +29,7 @@ jobs:
- ubuntu-24.04-arm - ubuntu-24.04-arm
- macos-latest - macos-latest
- macos-13 - macos-13
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Install Nix - name: Install Nix
@ -28,11 +40,25 @@ jobs:
with: with:
persist-credentials: false persist-credentials: false
- uses: cachix/cachix-action@v14 - name: setup attic
with: run: |
name: cything nix profile install github:zhaofengli/attic
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' attic login cy7 https://cache.cy7.sh "$ATTIC_TOKEN"
useDaemon: false
installCommand: nix profile install nixpkgs#cachix
- run: nix build -L ${{ matrix.package }} - run: nix build -L ${{ matrix.package }}
- name: cache result
run: |
derivation="$(nix path-info --derivation "${{ matrix.package }}")"
cache="$(nix-store --query --requisites --include-outputs "$derivation")"
attic push main --stdin <<< "$cache"
- name: prepare tarball to upload
run: nix run github:nixos/nixpkgs#gnutar hcvf result.tar result
- name: upload result
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os }}
path: result.tar
if-no-files-found: error

33
flake.lock generated
View file

@ -342,6 +342,38 @@
"type": "github" "type": "github"
} }
}, },
"garage": {
"inputs": {
"crane": [
"crane"
],
"flake-compat": [
"flake-compat"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1741360584,
"narHash": "sha256-5UkuvKllBRhU943imyc0jHDXQDVhIFx5WWUr3qrLEWQ=",
"owner": "deuxfleurs-org",
"repo": "garage",
"rev": "c96be1a9a8aa3b51075678888b80c2414ead2909",
"type": "github"
},
"original": {
"owner": "deuxfleurs-org",
"repo": "garage",
"type": "github"
}
},
"git-hooks": { "git-hooks": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -1002,6 +1034,7 @@
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"garage": "garage",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"lix": "lix", "lix": "lix",

12
flake.nix
View file

@ -88,6 +88,16 @@
crane.follows = "crane"; crane.follows = "crane";
}; };
}; };
garage = {
url = "github:deuxfleurs-org/garage";
inputs = {
nixpkgs.follows = "nixpkgs";
rust-overlay.follows = "rust-overlay";
crane.follows = "crane";
flake-compat.follows = "flake-compat";
flake-utils.follows = "flake-utils";
};
};
nvim-github-theme = { nvim-github-theme = {
url = "github:projekt0n/github-nvim-theme"; url = "github:projekt0n/github-nvim-theme";
@ -105,11 +115,13 @@
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.garnix.io" "https://cache.garnix.io"
"https://cything.cachix.org" "https://cything.cachix.org"
"https://cache.cy7.sh/main"
]; ];
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI=" "cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI="
"main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0="
]; ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };

2
home/codium.nix
View file

@ -21,6 +21,8 @@
tomrijndorp.find-it-faster tomrijndorp.find-it-faster
streetsidesoftware.code-spell-checker streetsidesoftware.code-spell-checker
emilast.logfilehighlighter emilast.logfilehighlighter
tamasfe.even-better-toml
golang.go
]; ];
userSettings = userSettings =
let let

1
home/yt/ytnix.nix
View file

@ -102,6 +102,7 @@
pixelflasher pixelflasher
element-desktop element-desktop
freetube freetube
gopls
]; ];
home.sessionVariables = { home.sessionVariables = {

15
hosts/chunk/default.nix
View file

@ -22,7 +22,6 @@
./forgejo.nix ./forgejo.nix
./garage.nix ./garage.nix
./tailscale.nix ./tailscale.nix
./tor.nix
]; ];
sops.age.keyFile = "/root/.config/sops/age/keys.txt"; sops.age.keyFile = "/root/.config/sops/age/keys.txt";
@ -101,22 +100,18 @@
${tc} qdisc del dev ens18 root || true ${tc} qdisc del dev ens18 root || true
# create HTB hierarchy # create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 30 ${tc} qdisc add dev ens18 root handle 1: htb default 10
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100% ${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# tailscale
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100%
# rest # rest
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 60% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100% ${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# mark traffic # mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1 iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 3
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2
# route marked packets # route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10 ${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
''; '';
}; };
interfaces.ens18 = { interfaces.ens18 = {

16
hosts/chunk/tor.nix
View file

@ -1,16 +0,0 @@
{ ... }:
{
services.tor = {
enable = true;
openFirewall = true;
relay = {
enable = true;
role = "relay";
};
settings = {
ORPort = 9001;
Nickname = "chunk";
# MaxAdvertisedBandwidth = "20MBytes";
};
};
}

2
hosts/common.nix
View file

@ -14,12 +14,14 @@
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
"cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI=" "cything.cachix.org-1:xqW1W5NNL+wrM9wfSELb0MLj/harD2ZyB4HbdaMyvPI="
"main:Ku31HoEWcBtfggge2VGj+QTkVrQuIwRIMGyfV/5VQP0="
]; ];
substituters = [ substituters = [
"https://niri.cachix.org" "https://niri.cachix.org"
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://cache.garnix.io" "https://cache.garnix.io"
"https://cything.cachix.org" "https://cything.cachix.org"
"https://cache.cy7.sh/main"
]; ];
}; };
channel.enable = false; channel.enable = false;

2
hosts/ytnix/default.nix
View file

@ -144,6 +144,7 @@
"docker" "docker"
"disk" "disk"
"adbusers" "adbusers"
"podman"
]; ];
environment.systemPackages = with pkgs; lib.flatten [ environment.systemPackages = with pkgs; lib.flatten [
@ -384,4 +385,5 @@
programs.ccache.enable = true; programs.ccache.enable = true;
nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ]; nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
programs.fuse.userAllowOther = true; programs.fuse.userAllowOther = true;
nix.settings.sandbox = false;
} }

5
modules/containerization.nix
View file

@ -28,8 +28,11 @@ in
dns_enabled = true; dns_enabled = true;
ipv6_enabled = true; ipv6_enabled = true;
}; };
# answer on /var/run/docker.sock
dockerSocket.enable = true;
}; };
oci-containers.backend = lib.mkIf cfg.usePodman "podman"; docker.enable = lib.mkIf (!cfg.usePodman) true;
oci-containers.backend = lib.mkIf (!cfg.usePodman) "docker";
}; };
}; };
} }

3
overlay/default.nix
View file

@ -19,6 +19,9 @@ in
pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher"; pixelflasher = nixpkgsFrom inputs.pixelflasher "pixelflasher";
attic-server = pkgFrom inputs.attic "attic-server"; attic-server = pkgFrom inputs.attic "attic-server";
attic = pkgFrom inputs.attic "attic"; attic = pkgFrom inputs.attic "attic";
garage = ((pkgFrom inputs.garage "default").overrideAttrs {
meta.mainProgram = "garage";
});
} }
) )
] ]