.: microvm experiments + zorigami
parent
9a8c714890
commit
ba4aff00f2
123
flake.lock
123
flake.lock
|
@ -36,6 +36,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"crane": {
|
||||
"inputs": {
|
||||
"flake-compat": [
|
||||
|
@ -121,6 +137,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_3": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1668681692,
|
||||
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-parts": {
|
||||
"inputs": {
|
||||
"nixpkgs-lib": [
|
||||
|
@ -252,11 +284,11 @@
|
|||
"rust-overlay": "rust-overlay"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696410458,
|
||||
"narHash": "sha256-ohrrFywK7WIHEGWosBVRFZF5D2q2AeIGFGp9mMZRc40=",
|
||||
"lastModified": 1697139361,
|
||||
"narHash": "sha256-tH+QkHeLqEUV8EedLytnDNcwKASr/nOh3V3moft+Ujg=",
|
||||
"owner": "nix-community",
|
||||
"repo": "lanzaboote",
|
||||
"rev": "ac43ac3024f814fcf3a3bab41873019109521442",
|
||||
"rev": "c865873ff5f4372a6e4a42fb47e290db69c3cfd9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -271,11 +303,11 @@
|
|||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696981517,
|
||||
"narHash": "sha256-1VQt+o9hRdjiWBaN73HKchfltAHzszoIGt35ZT9JStE=",
|
||||
"lastModified": 1697132997,
|
||||
"narHash": "sha256-ihUImJsnszkSzxOd/iWkA/oorwsM8JaRFs6LS1831RM=",
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"rev": "2c28afc481d47c551ab71d96130d938cdde59933",
|
||||
"rev": "38e15eee892e1866f483467de51025dbef473306",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -357,6 +389,36 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-22_11": {
|
||||
"locked": {
|
||||
"lastModified": 1669558522,
|
||||
"narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-22.11",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-23_05": {
|
||||
"locked": {
|
||||
"lastModified": 1684782344,
|
||||
"narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-23.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1694911725,
|
||||
|
@ -470,11 +532,11 @@
|
|||
},
|
||||
"nixpkgs_7": {
|
||||
"locked": {
|
||||
"lastModified": 1696879762,
|
||||
"narHash": "sha256-Ud6bH4DMcYHUDKavNMxAhcIpDGgHMyL/yaDEAVSImQY=",
|
||||
"lastModified": 1697059129,
|
||||
"narHash": "sha256-9NJcFF9CEYPvHJ5ckE8kvINvI84SZZ87PvqMbH6pro0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f99e5f03cc0aa231ab5950a15ed02afec45ed51a",
|
||||
"rev": "5e4c2ada4fcd54b99d56d7bd62f384511a7e2593",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -557,7 +619,8 @@
|
|||
"nix-colors": "nix-colors",
|
||||
"nix-formatter-pack": "nix-formatter-pack",
|
||||
"nix-index-database": "nix-index-database",
|
||||
"nixpkgs": "nixpkgs_7"
|
||||
"nixpkgs": "nixpkgs_7",
|
||||
"simple-nixos-mailserver": "simple-nixos-mailserver"
|
||||
}
|
||||
},
|
||||
"rust-overlay": {
|
||||
|
@ -585,6 +648,31 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"simple-nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": "flake-compat_3",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-22_11": "nixpkgs-22_11",
|
||||
"nixpkgs-23_05": "nixpkgs-23_05",
|
||||
"utils": "utils_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695910380,
|
||||
"narHash": "sha256-CyzeiXQGm8ceEOSK1dffBCfO7JNp8XhQeNkUiJ5HxgY=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "84783b661ecf33927c534b6476beb74ea3308968",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
|
@ -629,6 +717,21 @@
|
|||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"utils_2": {
|
||||
"locked": {
|
||||
"lastModified": 1605370193,
|
||||
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
56
flake.nix
56
flake.nix
|
@ -17,10 +17,14 @@
|
|||
url = "github:nix-community/lanzaboote";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
simple-nixos-mailserver = {
|
||||
url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nix-formatter-pack, nix-index-database, deploy-rs
|
||||
, agenix, lanzaboote, microvm, ... }:
|
||||
, agenix, lanzaboote, microvm, simple-nixos-mailserver, ... }:
|
||||
let
|
||||
forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
|
||||
pkgsForDeploy =
|
||||
|
@ -57,6 +61,8 @@
|
|||
};
|
||||
});
|
||||
|
||||
overlays = import ./overlays;
|
||||
|
||||
nixosModules = with self.nixosModules; {
|
||||
nibylandia-boot.imports = [ ./modules/boot.nix ];
|
||||
|
||||
|
@ -88,6 +94,7 @@
|
|||
nibylandia-boot
|
||||
|
||||
({ pkgs, ... }: {
|
||||
nixpkgs.overlays = [ self.overlays.nibylandia ];
|
||||
environment.systemPackages =
|
||||
[ agenix.packages.${pkgs.system}.default ];
|
||||
})
|
||||
|
@ -104,6 +111,8 @@
|
|||
nibylandia-laptop.imports = [ ./modules/laptop.nix ];
|
||||
|
||||
nibylandia-gaming.imports = [ ./modules/gaming.nix ];
|
||||
|
||||
nibylandia-monitoring.imports = [ ./modules/monitoring.nix ];
|
||||
};
|
||||
|
||||
nixosConfigurations = with self.nixosModules; {
|
||||
|
@ -140,6 +149,27 @@
|
|||
nibylandia-secureboot
|
||||
nibylandia-gaming
|
||||
|
||||
({ config, pkgs, lib, ... }: {
|
||||
boot.kernelPatches = with lib.kernel; [{
|
||||
name = "disable transparent hugepages for virtio-gpu";
|
||||
patch = null;
|
||||
extraStructuredConfig = {
|
||||
TRANSPARENT_HUGEPAGE = lib.mkForce no;
|
||||
};
|
||||
}];
|
||||
})
|
||||
|
||||
# appears to be broken for me for some reason
|
||||
{
|
||||
nixpkgs.overlays = [ microvm.overlay ];
|
||||
microvm.vms = {
|
||||
elementVm = {
|
||||
# pkgs = import nixpkgs { system = "x86_64-linux"; };
|
||||
config = import ./microvms/elementVm.nix;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
./nixos/khas
|
||||
];
|
||||
};
|
||||
|
@ -154,6 +184,18 @@
|
|||
./nixos/microlith
|
||||
];
|
||||
};
|
||||
|
||||
zorigami = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
nibylandia-common
|
||||
nibylandia-secureboot
|
||||
nibylandia-monitoring
|
||||
simple-nixos-mailserver.nixosModule
|
||||
|
||||
./nixos/zorigami
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
deploy.nodes.scylla = {
|
||||
|
@ -192,6 +234,18 @@
|
|||
};
|
||||
};
|
||||
|
||||
deploy.nodes.zorigami = {
|
||||
fastConnection = false;
|
||||
remoteBuild = true;
|
||||
hostname = "zorigami";
|
||||
profiles.system = {
|
||||
user = "root";
|
||||
sshUser = "root";
|
||||
path = deployPkgs.x86_64-linux.deploy-rs.lib.activate.nixos
|
||||
self.nixosConfigurations.zorigami;
|
||||
};
|
||||
};
|
||||
|
||||
checks = builtins.mapAttrs
|
||||
(system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
|
||||
};
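Review bot: The `microvm.vms.elementVm` block added to the khas configuration in the `@ -140,6 +149,27 @@` hunk is live config sitting under `# appears to be broken for me for some reason`, with a commented-out `# pkgs = import nixpkgs { ... };` next to it, so a reader cannot tell whether khas is expected to boot this VM or whether the block is a parked experiment. The comment should record the observed symptom and the intent, e.g. `# TODO: elementVm does not come up on khas (describe the failure here); left enabled while debugging`, or the block should be wrapped so it is only evaluated when wanted. The module list for khas starts and ends outside this hunk.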
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
microvm = {
|
||||
hypervisor = "cloud-hypervisor";
|
||||
graphics.enable = true;
|
||||
interfaces = [{
|
||||
id = "vm-element";
|
||||
type = "tap";
|
||||
mac = "00:00:00:00:00:02";
|
||||
}];
|
||||
storeDiskType = "erofs";
|
||||
writableStoreOverlay = "/nix/.rw-store";
|
||||
volumes = [{
|
||||
image = "nix-store-overlay.img";
|
||||
mountPoint = config.microvm.writableStoreOverlay;
|
||||
size = 2048;
|
||||
}];
|
||||
};
|
||||
|
||||
networking.hostName = "graphical-microvm";
|
||||
system.stateVersion = "23.11";
|
||||
|
||||
services.getty.autologinUser = "user";
|
||||
users.users.user = {
|
||||
password = "";
|
||||
group = "user";
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "video" ];
|
||||
};
|
||||
users.groups.user = { };
|
||||
security.sudo = {
|
||||
enable = true;
|
||||
wheelNeedsPassword = false;
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
WAYLAND_DISPLAY = "wayland-1";
|
||||
DISPLAY = ":0";
|
||||
QT_QPA_PLATFORM = "wayland"; # Qt Applications
|
||||
GDK_BACKEND = "wayland"; # GTK Applications
|
||||
XDG_SESSION_TYPE = "wayland"; # Electron Applications
|
||||
SDL_VIDEODRIVER = "wayland";
|
||||
CLUTTER_BACKEND = "wayland";
|
||||
MOZ_ENABLE_WAYLAND = "1";
|
||||
_JAVA_AWT_WM_NONREPARENTING = "1";
|
||||
ECORE_EVAS_ENGINE = "wayland-egl";
|
||||
ELM_ENGINE = "wayland_egl";
|
||||
NO_AT_BRIDGE = "1";
|
||||
BEMENU_BACKEND = "wayland";
|
||||
};
|
||||
|
||||
systemd.user.services.wayland-proxy = {
|
||||
enable = true;
|
||||
description = "Wayland Proxy";
|
||||
serviceConfig = with pkgs; {
|
||||
# Environment = "WAYLAND_DISPLAY=wayland-1";
|
||||
ExecStart =
|
||||
"${wayland-proxy-virtwl}/bin/wayland-proxy-virtwl --virtio-gpu --x-display=0 --xwayland-binary=${xwayland}/bin/Xwayland";
|
||||
Restart = "on-failure";
|
||||
RestartSec = 1;
|
||||
};
|
||||
wantedBy = [ "default.target" ];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs;
|
||||
[
|
||||
xdg-utils # Required
|
||||
] ++ [ element-desktop ];
|
||||
|
||||
hardware.opengl.enable = true;
|
||||
}
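Review bot: `users.users.user.password = ""` together with `security.sudo.wheelNeedsPassword = false` gives this VM an account that needs no credential at all and has passwordless root, while the same module attaches the VM to the host bridge through a `tap` interface. `services.getty.autologinUser` already provides the console session, so the empty password adds nothing for the intended use and only matters for any other login path that accepts passwords (for example an sshd enabled later); dropping the `password = "";` line, or replacing it with a real `hashedPassword`, should keep autologin working (worth confirming on the guest). If the declaration is meant to be authoritative, `users.mutableUsers = false;` alongside it prevents the account from drifting. The fixed `mac = "00:00:00:00:00:02"` also collides if a second VM copies this file, so a short comment on how MACs are assigned would help.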
|
|
@ -40,13 +40,14 @@ in {
|
|||
extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
settings.trusted-users = [ "ar" ];
|
||||
};
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
nixpkgs.config.allowBroken = true;
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
deploy-rs
|
||||
mastodon-update-script
|
||||
file
|
||||
git
|
||||
go
|
||||
|
@ -128,4 +129,30 @@ in {
|
|||
];
|
||||
};
|
||||
time.timeZone = "Europe/Warsaw";
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
netdevs.virbr0.netdevConfig = {
|
||||
Kind = "bridge";
|
||||
Name = "virbr0";
|
||||
};
|
||||
networks.virbr0 = {
|
||||
matchConfig.Name = "virbr0";
|
||||
# Hand out IP addresses to MicroVMs.
|
||||
# Use `networkctl status virbr0` to see leases.
|
||||
networkConfig = {
|
||||
DHCPServer = true;
|
||||
IPv6SendRA = true;
|
||||
};
|
||||
addresses = [
|
||||
{ addressConfig.Address = "10.0.0.1/24"; }
|
||||
{ addressConfig.Address = "fd12:3456:789a::1/64"; }
|
||||
];
|
||||
ipv6Prefixes = [{ ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64"; }];
|
||||
};
|
||||
networks.microvm-eth0 = {
|
||||
matchConfig.Name = "vm-*";
|
||||
networkConfig.Bridge = "virbr0";
|
||||
};
|
||||
};
|
||||
}
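Review bot: The `systemd.network` block in the `@ -128,4 +129,30 @@` hunk turns every host that imports this module into a DHCP server and IPv6 router advertiser on `virbr0`, and bridges any `vm-*` interface onto it, with no guard. The file name is not shown on this page, but the surrounding options (`settings.trusted-users`, the fleet-wide `environment.systemPackages`) read like the module behind `nibylandia-common`, which the flake also adds to zorigami — a public-facing host whose own config enables `net.ipv4.conf.all.forwarding`; if so, the bridge and its `10.0.0.0/24` / `fd12:3456:789a::/64` leases should be gated behind a host-level option (a constructed `nibylandia.microvm-host.enable`, say) or moved into the khas config that actually runs the VMs. The first hunk's 13→14 count admits exactly one added line and the page does not show which; if it is `nixpkgs.config.allowBroken = true;`, that too is better scoped to the host or package that needs it than set fleet-wide.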
|
||||
|
|
|
@ -0,0 +1,102 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
cfg = config.nibylandia.monitoring-server;
|
||||
grafana = config.services.grafana.settings.server;
|
||||
filterValidPrometheus =
|
||||
filterAttrsListRecursive (n: v: !(n == "_module" || v == null));
|
||||
filterAttrsListRecursive = pred: x:
|
||||
if lib.isAttrs x then
|
||||
lib.listToAttrs (lib.concatMap (name:
|
||||
let v = x.${name};
|
||||
in if pred name v then
|
||||
[ (lib.nameValuePair name (filterAttrsListRecursive pred v)) ]
|
||||
else
|
||||
[ ]) (lib.attrNames x))
|
||||
else if lib.isList x then
|
||||
map (filterAttrsListRecursive pred) x
|
||||
else
|
||||
x;
|
||||
writePrettyJSON = name: x:
|
||||
pkgs.runCommandLocal name { } ''
|
||||
echo '${builtins.toJSON x}' | ${pkgs.jq}/bin/jq . > $out
|
||||
'';
|
||||
vmConfig = {
|
||||
scrape_configs =
|
||||
filterValidPrometheus config.services.prometheus.scrapeConfigs;
|
||||
};
|
||||
generatedPrometheusYml = writePrettyJSON "prometheus.yml" vmConfig;
|
||||
getEnabled = x:
|
||||
lib.concatMap (name:
|
||||
let v = x.${name};
|
||||
in if builtins.typeOf v == "set" && v.enable then [ v ] else [ ])
|
||||
(lib.attrNames x);
|
||||
# TODO: add some magic to configure endpoints for all the other exporters
|
||||
localExporterEndpoints =
|
||||
map (x: x.listenAddress + ":" + builtins.toString x.port)
|
||||
(getEnabled config.services.prometheus.exporters);
|
||||
in {
|
||||
options = {
|
||||
nibylandia.monitoring-server = {
|
||||
domain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "External domain for monitoring services";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
services.victoriametrics = {
|
||||
enable = true;
|
||||
retentionPeriod = 12;
|
||||
listenAddress = "127.0.0.1:8428";
|
||||
extraOptions = [
|
||||
"-selfScrapeInterval=10s"
|
||||
"-promscrape.config=${generatedPrometheusYml}"
|
||||
];
|
||||
};
|
||||
|
||||
services.grafana.enable = true;
|
||||
|
||||
services.grafana.settings = {
|
||||
server = {
|
||||
http_addr = "127.0.0.1";
|
||||
inherit (cfg) domain;
|
||||
};
|
||||
database = {
|
||||
user = "grafana";
|
||||
type = "postgres";
|
||||
host = "/run/postgresql";
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql.ensureDatabases = [ "grafana" ];
|
||||
services.postgresql.ensureUsers = [{
|
||||
name = "grafana";
|
||||
ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
|
||||
}];
|
||||
|
||||
services.prometheus.exporters = {
|
||||
node = {
|
||||
enable = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
enabledCollectors = [ "systemd" ];
|
||||
};
|
||||
};
|
||||
|
||||
services.prometheus.scrapeConfigs = [{
|
||||
job_name = "local_exporters";
|
||||
scrape_interval = "10s";
|
||||
static_configs = [{ targets = localExporterEndpoints; }];
|
||||
}];
|
||||
services.nginx.virtualHosts.${cfg.domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass =
|
||||
"http://${grafana.http_addr}:${builtins.toString grafana.http_port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
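Review bot: `services.grafana` is published at `${cfg.domain}` through nginx with ACME, but nothing in this file sets `services.grafana.settings.security.admin_password` (or `admin_user`) or restricts `users.allow_sign_up`, so unless another module does, the instance comes up on a public hostname with Grafana's stock initial admin credentials. A secret-backed value such as `security.admin_password = "$__file{${config.age.secrets.<grafana-admin-secret>.path}}";` (placeholder secret name) would match how the rest of the repo handles credentials. Separately, `writePrettyJSON` builds a shell line by interpolating `builtins.toJSON x` inside single quotes, so any `'` in a scrape-config value breaks the builder or changes what it runs; `echo ${lib.escapeShellArg (builtins.toJSON x)} | ${pkgs.jq}/bin/jq . > $out` avoids that, or `(pkgs.formats.json { }).generate name x` removes the shell step altogether. `localExporterEndpoints` also concatenates `listenAddress` and `port` without brackets, which yields an unparsable target for an IPv6 listen address.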
|
|
@ -0,0 +1,483 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./hardware.nix ];
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages;
|
||||
|
||||
age.secrets.cassAuth = {
|
||||
file = ../../secrets/cassAuth.age;
|
||||
group = "nginx";
|
||||
mode = "440";
|
||||
};
|
||||
age.secrets.minecraftRestic.file = ../../secrets/norkclubMinecraftRestic.age;
|
||||
age.secrets.nextCloudAdmin = {
|
||||
file = ../../secrets/nextCloudAdmin.age;
|
||||
group = "nextcloud";
|
||||
mode = "440";
|
||||
};
|
||||
age.secrets.wgNibylandia.file = ../../secrets/wg/nibylandia_zorigami.age;
|
||||
|
||||
age.secrets.arMail.file = ../../secrets/mail/ar.age;
|
||||
age.secrets.amieMail.file = ../../secrets/mail/amie.age;
|
||||
age.secrets.apoMail.file = ../../secrets/mail/apo.age;
|
||||
age.secrets.madargonMail.file = ../../secrets/mail/madargon.age;
|
||||
age.secrets.enkiMail.file = ../../secrets/mail/enki.age;
|
||||
age.secrets.matrixMail.file = ../../secrets/mail/matrix.age;
|
||||
age.secrets.mastodonMail.file = ../../secrets/mail/mastodon.age;
|
||||
age.secrets.mastodonPlainMail = {
|
||||
group = "mastodon";
|
||||
mode = "440";
|
||||
file = ../../secrets/mail/mastodonPlain.age;
|
||||
};
|
||||
age.secrets.vaultwardenMail.file = ../../secrets/mail/vaultwarden.age;
|
||||
age.secrets.vaultwardenPlainMail = {
|
||||
group = "vaultwarden";
|
||||
mode = "440";
|
||||
file = ../../secrets/mail/vaultwardenPlain.age;
|
||||
};
|
||||
|
||||
age.secrets.minifluxCredentials.file = ../../secrets/miniflux.age;
|
||||
age.secrets.keycloakDatabase = {
|
||||
file = ../../secrets/keycloakDatabase.age;
|
||||
mode = "440";
|
||||
};
|
||||
age.secrets.keycloak.file = ../../secrets/mail/keycloak.age;
|
||||
|
||||
age.secrets.notbotEnvironment.file = ../../secrets/notbotEnvironment.age;
|
||||
|
||||
age.secrets.synapseExtraConfig = {
|
||||
group = "matrix-synapse";
|
||||
mode = "440";
|
||||
file = ../../secrets/synapseExtraConfig.age;
|
||||
};
|
||||
|
||||
nibylandia.monitoring-server = { domain = "monitoring.is-a.cat"; };
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
clientMaxBodySize = "4096m";
|
||||
appendHttpConfig = ''
|
||||
disable_symlinks off;
|
||||
'';
|
||||
};
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "ar@is-a.cat";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ] ++ [ 25565 25566 ]
|
||||
++ [ 113 ];
|
||||
networking.firewall.allowedUDPPorts = [ 80 443 ]
|
||||
++ [ 19132 19133 25565 25566 ] ++ [ 51315 ];
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_13;
|
||||
};
|
||||
services.prometheus.exporters.postgres = {
|
||||
enable = true;
|
||||
runAsLocalSuperUser = true;
|
||||
listenAddress = "127.0.0.1";
|
||||
};
|
||||
|
||||
systemd.services.notbot = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
description = "Notbot irc bot service";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "bot";
|
||||
EnvironmentFile = config.age.secrets.notbotEnvironment.path;
|
||||
ExecStart = ''
|
||||
${pkgs.notbot}/bin/notbot -nickname "notbot" -name "notbot" -user "bot" \
|
||||
-server "irc.libera.chat:6667" -password $NICKSERV_PASSWORD \
|
||||
-channels $CHANNELS -jitsi.channels $JITSI_CHANNELS -spaceapi.channels $SPACEAPI_CHANNELS
|
||||
'';
|
||||
};
|
||||
};
|
||||
users.users.bot = {
|
||||
isSystemUser = true;
|
||||
group = "bot";
|
||||
};
|
||||
users.groups.bot = { };
|
||||
|
||||
systemd.services.cass = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
description = "cass";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "ar";
|
||||
ExecStart = ''
|
||||
${pkgs.cass}/bin/cass -listen "127.0.0.1:8000" -file-store "/srv/www/arachnist.is-a.cat/c" -url-base "https://ar.is-a.cat/c/"'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.minecraft-overviewer = {
|
||||
script = ''
|
||||
${pkgs.python3Packages.minecraft-overviewer}/bin/overviewer.py -p 8 -c "/srv/minecraft-overviewer/survival/config.py"
|
||||
${pkgs.python3Packages.minecraft-overviewer}/bin/overviewer.py -p 8 -c "/srv/minecraft-overviewer/survival/config.py" --genpoi
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "minecraft";
|
||||
Group = "users";
|
||||
ProtectHome = "no";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.timers.minecraft-overviewer = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
timerConfig = { OnCalendar = "daily"; };
|
||||
};
|
||||
|
||||
users.users.minecraft = {
|
||||
isNormalUser = true;
|
||||
group = "users";
|
||||
openssh.authorizedKeys.keys =
|
||||
config.users.users.ar.openssh.authorizedKeys.keys ++ [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOHWPbzvwXTftY1r0dXcYZxT9QBnQkwepdMn8PCAPlYvYwUObEj3rgYrYRFrtCRWZVrKAdqBxnH9/6S9w631Zs7tgqEeDHJsotZNZV3qip7qGjn9IqUHXqF95MUDJV21AeBAqQ1xalefwCkwf/vYLFn8dSnsnlfO+mtlHZOuBED+SB2U1eNrWY2e45v8m7PqSyTCbCu0F3wVcHGwRFsxWA598wf85UBRVcSWVcUydE9F+PCS9sGETkXiRUDcHWnup8uygs4xLa9RADubhdGkUbQE6m6yOjvHJWZ4ov59zJh+hmpszCwfmUw/k39T2TM7tbwUWxgc68qDyaMGQr/Wzd x10a94@Celestia"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeJ+LSo3YXE6Jk6pGKL5om/VOi7XE5OvHA2U73V0pJXHa1bA4ityICeNqec2w8TSWSwTihJ4oAM7YLShkERNTcd1NWNHgUYova9nJ/nItFxrxDpTQsqK315u4d7nE+go09c85cyomHbDDcNVg9kJeCUjF+dr82N7JZfYVdQystOslOROYtl94GHuFHVOQyBRGeSztmakYvK1+3WV8dby6TfYG1l6uf6qLCg7q64zR4xDDP0KgfcrsusBQ6qYnKhop1fUTaW9NtEOQP/MhFLDp2YQmTsNJDiKAQpwwYLexWq4UcziXbnRfD56CHFHbW7Hu6Ltu35cHFKR2r9y4TBwTV crendgrim@gmx.de"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.minecraft-backup = {
|
||||
script = ''
|
||||
export PATH="/run/current-system/sw/bin"
|
||||
/home/minecraft/minecraft-backup/backup.sh -w rcon -i /home/minecraft/survival/world -r $BACKUP_DESTINATION -s $RCON_AUTH -m -1
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "minecraft";
|
||||
Group = "users";
|
||||
ProtectHome = "no";
|
||||
EnvironmentFile = config.age.secrets.minecraftRestic.path;
|
||||
};
|
||||
};
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = pkgs.nextcloud27;
|
||||
hostName = "cloud.is-a.cat";
|
||||
autoUpdateApps.enable = true;
|
||||
autoUpdateApps.startAt = "05:00:00";
|
||||
|
||||
config = {
|
||||
overwriteProtocol = "https";
|
||||
|
||||
adminuser = "admin";
|
||||
adminpassFile = config.age.secrets.nextCloudAdmin.path;
|
||||
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
dbname = "nextcloud";
|
||||
dbhost = "/run/postgresql";
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql.ensureDatabases =
|
||||
[ "nextcloud" "matrix-synapse" "mastodon" ];
|
||||
services.postgresql.ensureUsers = [
|
||||
{
|
||||
name = "nextcloud";
|
||||
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
||||
}
|
||||
{
|
||||
name = "matrix-synapse";
|
||||
ensurePermissions."DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES";
|
||||
}
|
||||
{
|
||||
name = "mastodon";
|
||||
ensurePermissions."DATABASE mastodon" = "ALL PRIVILEGES";
|
||||
}
|
||||
];
|
||||
|
||||
systemd.services."nextcloud-setup" = {
|
||||
requires = [ "postgresql.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
enable = true;
|
||||
fqdn = "is-a.cat";
|
||||
domains = [ "is-a.cat" "i.am-a.cat" "rsg.enterprises" ];
|
||||
certificateScheme = "acme-nginx";
|
||||
enableManageSieve = true;
|
||||
fullTextSearch = {
|
||||
enable = true;
|
||||
memoryLimit = 2000;
|
||||
};
|
||||
localDnsResolver = false;
|
||||
monitoring.enable = false;
|
||||
borgbackup.enable = false;
|
||||
backup.enable = false;
|
||||
messageSizeLimit = 41943040;
|
||||
loginAccounts = {
|
||||
"ar@is-a.cat" = {
|
||||
aliases = [
|
||||
"arachnist@is-a.cat"
|
||||
"letsencrypt@is-a.cat"
|
||||
"gustaw.weldon@is-a.cat"
|
||||
"@rsg.enterprises"
|
||||
"@i.am-a.cat"
|
||||
];
|
||||
|
||||
hashedPasswordFile = config.age.secrets.arMail.path;
|
||||
};
|
||||
"amie@is-a.cat".hashedPasswordFile = config.age.secrets.amieMail.path;
|
||||
"apo@is-a.cat".hashedPasswordFile = config.age.secrets.apoMail.path;
|
||||
"madargon@is-a.cat".hashedPasswordFile =
|
||||
config.age.secrets.madargonMail.path;
|
||||
"enkiusz@is-a.cat".hashedPasswordFile = config.age.secrets.enkiMail.path;
|
||||
"mastodon@is-a.cat".hashedPasswordFile =
|
||||
config.age.secrets.mastodonMail.path;
|
||||
"matrix@is-a.cat".hashedPasswordFile = config.age.secrets.matrixMail.path;
|
||||
"vaultwarden@is-a.cat".hashedPasswordFile =
|
||||
config.age.secrets.vaultwardenMail.path;
|
||||
};
|
||||
};
|
||||
|
||||
services.matrix-synapse = {
|
||||
enable = true;
|
||||
settings = {
|
||||
server_name = "is-a.cat";
|
||||
|
||||
registrations_require_3pid = [ "email" ];
|
||||
allowed_local_3pids = [{
|
||||
medium = "email";
|
||||
pattern = "^[^@]+@is-a.cat$";
|
||||
}];
|
||||
enable_registration = true;
|
||||
registration_requires_token = true;
|
||||
withJemalloc = true;
|
||||
};
|
||||
extraConfigFiles = [ config.age.secrets.synapseExtraConfig.path ];
|
||||
};
|
||||
|
||||
services.mastodon = {
|
||||
enable = true;
|
||||
webProcesses = 4;
|
||||
localDomain = "is-a.cat";
|
||||
configureNginx = true;
|
||||
smtp = {
|
||||
user = "mastodon@is-a.cat";
|
||||
passwordFile = config.age.secrets.mastodonPlainMail.path;
|
||||
fromAddress = "mastodon@is-a.cat";
|
||||
host = "is-a.cat";
|
||||
createLocally = false;
|
||||
authenticate = true;
|
||||
};
|
||||
extraConfig = {
|
||||
EMAIL_DOMAIN_ALLOWLIST = "is-a.cat";
|
||||
MAX_TOOT_CHARS = "20000";
|
||||
MAX_PINNED_TOOTS = "10";
|
||||
MAX_BIO_CHARS = "2000";
|
||||
MAX_PROFILE_FIELDS = "8";
|
||||
MAX_POLL_OPTIONS = "10";
|
||||
MAX_IMAGE_SIZE = "33554432";
|
||||
MAX_VIDEO_SIZE = "167772160";
|
||||
ALLOWED_PRIVATE_ADDRESSES = "127.1.33.7";
|
||||
GITHUB_REPOSITORY = "arachnist/mastodon/tree/meow";
|
||||
};
|
||||
package = pkgs.glitchSoc;
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
dbBackend = "postgresql";
|
||||
config = {
|
||||
DOMAIN = "https://vaultwarden.is-a.cat";
|
||||
ROCKET_PORT = "8222";
|
||||
ROCKET_ADDRESS = "127.0.0.1";
|
||||
databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
|
||||
|
||||
smtpHost = "is-a.cat";
|
||||
smtpFrom = "vaultwarden@is-a.cat";
|
||||
smtpUsername = "vaultwarden@is-a.cat";
|
||||
smtpSecurity = "force_tls";
|
||||
|
||||
signupsDomainsWhitelist = "is-a.cat";
|
||||
};
|
||||
environmentFile = config.age.secrets.vaultwardenPlainMail.path;
|
||||
};
|
||||
|
||||
# need to figure out something fancy about network configuration
|
||||
networking.hostName = "zorigami";
|
||||
systemd.network.wait-online.enable = false;
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.enp36s0f1.useDHCP = false;
|
||||
networking.interfaces.enp38s0.useDHCP = false;
|
||||
networking.interfaces.enp39s0.useDHCP = false;
|
||||
networking.interfaces.enp42s0f3u5u3c2.useDHCP = false;
|
||||
networking.tempAddresses = "disabled";
|
||||
networking.interfaces.enp36s0f0 = {
|
||||
useDHCP = false;
|
||||
ipv4 = {
|
||||
addresses = [{
|
||||
address = "185.236.240.137";
|
||||
prefixLength = 31;
|
||||
}];
|
||||
routes = [{
|
||||
address = "0.0.0.0";
|
||||
prefixLength = 0;
|
||||
via = "185.236.240.136";
|
||||
}];
|
||||
};
|
||||
ipv6 = {
|
||||
addresses = [{
|
||||
address = "2a0d:eb00:8007::10";
|
||||
prefixLength = 64;
|
||||
}];
|
||||
routes = [{
|
||||
address = "::";
|
||||
prefixLength = 0;
|
||||
via = "2a0d:eb00:8007::1";
|
||||
}];
|
||||
};
|
||||
};
|
||||
networking.nameservers = [
|
||||
"8.8.8.8"
|
||||
"8.8.4.4"
|
||||
"1.1.1.1"
|
||||
"2606:4700:4700::1111"
|
||||
"2606:4700:4700::1001"
|
||||
"2001:4860:4860::8888"
|
||||
];
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.all.accept_ra" = false;
|
||||
"net.ipv6.conf.default.accept_ra" = false;
|
||||
"net.ipv4.conf.all.forwarding" = true;
|
||||
};
|
||||
networking.wireguard.interfaces = {
|
||||
wg-nibylandia = {
|
||||
ips = [ "10.255.255.1/24" ];
|
||||
privateKeyFile = config.age.secrets.wgNibylandia.path;
|
||||
listenPort = 51315;
|
||||
|
||||
peers = [
|
||||
{
|
||||
publicKey = "g/XhdVYsegn7Pp58Y1HFNxp4jhmA8YjRDg8W8J6swCw=";
|
||||
endpoint = "i.am-a.cat:51315";
|
||||
allowedIPs =
|
||||
[ "10.255.255.2/32" "192.168.20.0/24" "192.168.24.0/24" ];
|
||||
persistentKeepalive = 15;
|
||||
}
|
||||
{
|
||||
publicKey = "ubxtr3zW9F/ofjaQFnj6XpYcrOvTdOSW5wv06+VEehU=";
|
||||
allowedIPs = [ "10.255.255.3/32" ];
|
||||
persistentKeepalive = 15;
|
||||
}
|
||||
{
|
||||
publicKey = "tVH3q1AJZKsitYmASdaogMCBwhMCd8oSuDY2POpiUiY=";
|
||||
allowedIPs = [ "10.255.255.4/32" ];
|
||||
persistentKeepalive = 15;
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"s.nork.club" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "/srv/www/s.nork.club";
|
||||
};
|
||||
"ar.is-a.cat" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = { root = "/srv/www/arachnist.is-a.cat"; };
|
||||
locations."/up" = {
|
||||
proxyPass = "http://127.0.0.1:8000";
|
||||
basicAuthFile = config.age.secrets.cassAuth.path;
|
||||
extraConfig = ''
|
||||
proxy_request_buffering off;
|
||||
proxy_send_timeout "9000s";
|
||||
proxy_read_timeout "9000s";
|
||||
'';
|
||||
};
|
||||
locations."/down" = {
|
||||
proxyPass = "http://127.0.0.1:8000";
|
||||
basicAuthFile = config.age.secrets.cassAuth.path;
|
||||
extraConfig = ''
|
||||
proxy_request_buffering off;
|
||||
proxy_send_timeout "9000s";
|
||||
proxy_read_timeout "9000s";
|
||||
'';
|
||||
};
|
||||
};
|
||||
"arachnist.is-a.cat" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = { root = "/srv/www/arachnist.is-a.cat"; };
|
||||
};
|
||||
"brata.zajeba.li" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = { root = "/srv/www/brata.zajeba.li"; };
|
||||
};
|
||||
"irc.is-a.cat" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."^~ /weechat" = {
|
||||
proxyPass = "http://127.0.0.1:9001";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
locations."/" = { root = pkgs.glowing-bear; };
|
||||
};
|
||||
"cloud.is-a.cat" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
${config.services.matrix-synapse.settings.server_name} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/_matrix" = { proxyPass = "http://127.0.0.1:8008"; };
|
||||
|
||||
locations."/.well-known/matrix/server" = {
|
||||
return = ''
|
||||
200 "{\"m.server\":\"${config.services.matrix-synapse.settings.server_name}:443\",\"m.homeserver\":{\"base_url\":\"https://${config.services.matrix-synapse.settings.server_name}\"}}"'';
|
||||
};
|
||||
};
|
||||
"matrix.${config.services.matrix-synapse.settings.server_name}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
root = pkgs.cinny.override {
|
||||
conf = {
|
||||
homeserverList = [
|
||||
config.services.matrix-synapse.settings.server_name
|
||||
"matrix.hackerspace.pl"
|
||||
];
|
||||
allowCustomHomeservers = false;
|
||||
defaultHomeserver = 0;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.oidentd.enable = true;
|
||||
|
||||
programs.java = {
|
||||
enable = true;
|
||||
package = pkgs.openjdk17;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ john restic weechat ];
|
||||
|
||||
users.groups.erin = { gid = 1003; };
|
||||
users.users.erin = {
|
||||
isNormalUser = true;
|
||||
uid = 1003;
|
||||
group = "erin";
|
||||
extraGroups = [ "users" ];
|
||||
packages = with pkgs; [ borgbackup ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBebbJHzn1VmIO0GxUpERXSTvYVpGdnS4/3/JHp9NZa elia@boston-packets"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdILFDn3VgZfybppL5tbAGsv7KWgM+SoCBQHdtGR8zn elia@panzerbook"
|
||||
];
|
||||
};
|
||||
}
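Review bot: `systemd.services.notbot` passes `$NICKSERV_PASSWORD` from the agenix `EnvironmentFile` as a command-line argument in `ExecStart`, so the decrypted secret ends up in the process argv, readable by every local account on this host (`ar`, `erin`, `minecraft`, `bot`) via `/proc/<pid>/cmdline`; if notbot can take the credential from the environment or a file, switch to that — the bot's flags are not on this page, so this needs checking against it. `systemd.services.cass` runs an HTTP-reachable upload service as `User = "ar"`, the same account that is in `settings.trusted-users` in the common module and holds the admin SSH keys; a dedicated system user, as done for `bot` just above, would contain a compromise of cass to its file store. That matters more because `appendHttpConfig = "disable_symlinks off;"` lets nginx follow any symlink under the vhost roots, and cass writes into `/srv/www/arachnist.is-a.cat/c`, which lives under the `ar.is-a.cat` root; `disable_symlinks if_not_owner;` keeps symlinks working for files the owner created. Lastly, `services.vaultwarden` points at `postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden` but neither `ensureDatabases` nor `ensureUsers` here creates that database or role, so it must be provisioned elsewhere or the service will fail to start.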
|
|
@ -0,0 +1,35 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||
|
||||
boot.initrd.availableKernelModules =
|
||||
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||
boot.zfs.extraPools = [ "tank" ];
|
||||
boot.zfs.enableUnstable = true;
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
nibylandia-boot.ryzen.enable = true;
|
||||
|
||||
networking.hostId = "7999af7c";
|
||||
|
||||
fileSystems."/" = {
|
||||
device = "/dev/disk/by-uuid/2c034d00-d937-498c-85af-088616b8449c";
|
||||
fsType = "xfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot" = {
|
||||
device = "/dev/disk/by-uuid/C1BA-34FE";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/home/minecraft/survival/world" = {
|
||||
device = "survivalworld";
|
||||
fsType = "tmpfs";
|
||||
options = [ "mode=755" "uid=1001" "gid=100" "size=40G" ];
|
||||
};
|
||||
|
||||
swapDevices =
|
||||
[{ device = "/dev/disk/by-uuid/86fee886-bdba-4f0b-8fe6-31c32e8232fa"; }];
|
||||
|
||||
}
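Review bot: `fileSystems."/home/minecraft/survival/world"` mounts a tmpfs with `uid=1001`, but `users.users.minecraft` in the zorigami default.nix declares no `uid`, so the id is allocated at activation and a fresh install can hand the world directory to a different account (`erin` is pinned to 1003 by contrast). Adding `users.users.minecraft.uid = 1001;` next to the other user attributes makes the mount option and the account agree. `boot.zfs.enableUnstable = true` pulls the unstable ZFS module onto the host that serves mail, Matrix and Nextcloud; a one-line comment on why the stable module is not sufficient would save the next reader from "fixing" it.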
|
|
@ -0,0 +1 @@
|
|||
{ nibylandia = final: prev: (import ./nibylandia.nix) final prev; }
|
|
@ -0,0 +1,16 @@
|
|||
self: super: {
|
||||
cass = super.callPackage ../pkgs/cass.nix { };
|
||||
notbot = super.callPackage ../pkgs/notbot.nix { };
|
||||
glitchSoc = self.callPackage ../pkgs/glitch-soc { };
|
||||
mastodon-update-script = self.callPackage ../pkgs/mastodonUpdate.nix { };
|
||||
|
||||
python3 = super.python3.override {
|
||||
packageOverrides = self: super: {
|
||||
pillow-with-headers =
|
||||
self.callPackage ../pkgs/pillow-with-headers.nix { };
|
||||
minecraft-overviewer =
|
||||
self.callPackage ../pkgs/minecraft-overviewer.nix { };
|
||||
};
|
||||
};
|
||||
python3Packages = self.python3.pkgs;
|
||||
}
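Review bot: In `packageOverrides = self: super: { … }` the inner lambda parameters shadow the overlay's own `self`/`super`, so on the `pillow-with-headers` and `minecraft-overviewer` lines a reader cannot tell at a glance which package set `self.callPackage` is drawing from; renaming them, e.g. `packageOverrides = pyfinal: pyprev: {`, removes the ambiguity. The overlay also mixes `super.callPackage` (cass, notbot) with `self.callPackage` (glitchSoc, mastodon-update-script); the difference is observable if any of their inputs are overridden later in the overlay chain, so either use `self` consistently or add a comment explaining why the first two deliberately bypass it.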
|
|
@ -0,0 +1,16 @@
|
|||
{ fetchFromGitea, buildGoPackage, ... }:
|
||||
|
||||
buildGoPackage rec {
|
||||
pname = "cass";
|
||||
version = "0.0.1";
|
||||
|
||||
src = fetchFromGitea {
|
||||
domain = "codeberg.org";
|
||||
owner = "arachnist";
|
||||
repo = pname;
|
||||
rev = "00b3536c5b546bb5b929b2562c86fee2869885a4";
|
||||
sha256 = "+ZGO/ZoGN+LdcPGWHjjZ/wpayFxnfKvxiVMaS0iNYr0=";
|
||||
};
|
||||
|
||||
goPackagePath = "github.com/arachnist/cass";
|
||||
}
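Review bot: `buildGoPackage` with `goPackagePath` is the older GOPATH-style builder, while notbot.nix in this same commit uses `buildGoModule`; unless cass has no go.mod, moving it to `buildGoModule` with a `vendorHash` keeps the two Go packages in the tree consistent and avoids the legacy path. The `sha256 = "+ZGO/…"` line is a bare base64 digest whereas notbot uses the SRI `sha256-…` form; `hash = "sha256-+ZGO/ZoGN+LdcPGWHjjZ/wpayFxnfKvxiVMaS0iNYr0=";` expresses the same value in the form the rest of the commit uses. A `meta` block (description, license, platforms) is missing entirely, so `nix flake check`-style tooling has nothing to report for this package.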
|
|
@ -0,0 +1,177 @@
|
|||
{ lib, stdenv, nodejs-slim, mkYarnPackage, fetchFromGitHub, bundlerEnv
|
||||
, nixosTests, yarn, callPackage, imagemagick, ffmpeg, file, ruby_3_0
|
||||
, writeShellScript, fetchYarnDeps, fixup_yarn_lock, brotli
|
||||
|
||||
# Allow building a fork or custom version of Mastodon:
|
||||
, pname ? "mastodon", version ? import ./version.nix, srcOverride ? null
|
||||
, dependenciesDir ? ./. # Should contain gemset.nix, yarn.nix and package.json.
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
inherit pname version;
|
||||
|
||||
# Using overrideAttrs on src does not build the gems and modules with the overridden src.
|
||||
# Putting the callPackage up in the arguments list also does not work.
|
||||
src =
|
||||
if srcOverride != null then srcOverride else callPackage ./source.nix { };
|
||||
|
||||
mastodonGems = bundlerEnv {
|
||||
name = "${pname}-gems-${version}";
|
||||
inherit version;
|
||||
ruby = ruby_3_0;
|
||||
gemdir = src;
|
||||
gemset = dependenciesDir + "/gemset.nix";
|
||||
# This fix (copied from https://github.com/NixOS/nixpkgs/pull/76765) replaces the gem
|
||||
# symlinks with directories, resolving this error when running rake:
|
||||
# /nix/store/451rhxkggw53h7253izpbq55nrhs7iv0-mastodon-gems-3.0.1/lib/ruby/gems/2.6.0/gems/bundler-1.17.3/lib/bundler/settings.rb:6:in `<module:Bundler>': uninitialized constant Bundler::Settings (NameError)
|
||||
postBuild = ''
|
||||
for gem in "$out"/lib/ruby/gems/*/gems/*; do
|
||||
cp -a "$gem/" "$gem.new"
|
||||
rm "$gem"
|
||||
# needed on macOS, otherwise the mv yields permission denied
|
||||
chmod +w "$gem.new"
|
||||
mv "$gem.new" "$gem"
|
||||
done
|
||||
'';
|
||||
};
|
||||
|
||||
mastodonModules = stdenv.mkDerivation {
|
||||
pname = "${pname}-modules";
|
||||
inherit src version;
|
||||
|
||||
yarnOfflineCache = fetchYarnDeps {
|
||||
yarnLock = "${src}/yarn.lock";
|
||||
#hash = "sha256-Qw33TB3fK6KrMZqti7p/yTFAoeIatm7O/AZ0DnQ76sA=";
|
||||
hash = "sha256-WsPNqV1PC2YjL37qnWfRTj8LaIBUI7+C0cWTfFd7HGo=";
|
||||
};
|
||||
|
||||
nativeBuildInputs = [
|
||||
fixup_yarn_lock
|
||||
nodejs-slim
|
||||
yarn
|
||||
mastodonGems
|
||||
mastodonGems.wrappedRuby
|
||||
brotli
|
||||
];
|
||||
|
||||
RAILS_ENV = "production";
|
||||
NODE_ENV = "production";
|
||||
|
||||
buildPhase = ''
|
||||
runHook preBuild
|
||||
|
||||
export HOME=$PWD
|
||||
# This option is needed for openssl-3 compatibility
|
||||
# Otherwise we encounter this upstream issue: https://github.com/mastodon/mastodon/issues/17924
|
||||
export NODE_OPTIONS=--openssl-legacy-provider
|
||||
fixup_yarn_lock ~/yarn.lock
|
||||
yarn config --offline set yarn-offline-mirror $yarnOfflineCache
|
||||
yarn install --offline --frozen-lockfile --ignore-engines --ignore-scripts --no-progress
|
||||
|
||||
patchShebangs ~/bin
|
||||
patchShebangs ~/node_modules
|
||||
|
||||
# skip running yarn install
|
||||
rm -rf ~/bin/yarn
|
||||
|
||||
OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder \
|
||||
rails assets:precompile
|
||||
yarn cache clean --offline
|
||||
rm -rf ~/node_modules/.cache
|
||||
|
||||
# Create missing static gzip and brotli files
|
||||
gzip --best --keep ~/public/assets/500.html
|
||||
gzip --best --keep ~/public/packs/report.html
|
||||
find ~/public/assets -maxdepth 1 -type f -name '.*.json' \
|
||||
-exec gzip --best --keep --force {} ';'
|
||||
brotli --best --keep ~/public/packs/report.html
|
||||
find ~/public/assets -type f -regextype posix-extended -iregex '.*\.(css|js|json|html)' \
|
||||
-exec brotli --best --keep {} ';'
|
||||
|
||||
runHook postBuild
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir -p $out/public
|
||||
cp -r node_modules $out/node_modules
|
||||
cp -r public/assets $out/public
|
||||
cp -r public/packs $out/public
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
};
|
||||
|
||||
propagatedBuildInputs = [ imagemagick ffmpeg file mastodonGems.wrappedRuby ];
|
||||
buildInputs = [ mastodonGems nodejs-slim ];
|
||||
|
||||
buildPhase = ''
|
||||
runHook preBuild
|
||||
|
||||
ln -s $mastodonModules/node_modules node_modules
|
||||
ln -s $mastodonModules/public/assets public/assets
|
||||
ln -s $mastodonModules/public/packs public/packs
|
||||
|
||||
patchShebangs bin/
|
||||
for b in $(ls $mastodonGems/bin/)
|
||||
do
|
||||
if [ ! -f bin/$b ]; then
|
||||
ln -s $mastodonGems/bin/$b bin/$b
|
||||
fi
|
||||
done
|
||||
|
||||
# Remove execute permissions
|
||||
chmod 0444 public/emoji/*.svg
|
||||
|
||||
# Create missing static gzip and brotli files
|
||||
find public -maxdepth 1 -type f -regextype posix-extended -iregex '.*\.(css|js|svg|txt|xml)' \
|
||||
-exec gzip --best --keep --force {} ';' \
|
||||
-exec brotli --best --keep {} ';'
|
||||
find public/emoji -type f -name '.*.svg' \
|
||||
-exec gzip --best --keep --force {} ';' \
|
||||
-exec brotli --best --keep {} ';'
|
||||
ln -s assets/500.html.gz public/500.html.gz
|
||||
ln -s assets/500.html.br public/500.html.br
|
||||
ln -s packs/sw.js.gz public/sw.js.gz
|
||||
ln -s packs/sw.js.br public/sw.js.br
|
||||
ln -s packs/sw.js.map.gz public/sw.js.map.gz
|
||||
ln -s packs/sw.js.map.br public/sw.js.map.br
|
||||
|
||||
rm -rf log
|
||||
ln -s /var/log/mastodon log
|
||||
ln -s /tmp tmp
|
||||
|
||||
runHook postBuild
|
||||
'';
|
||||
|
||||
installPhase = let
|
||||
run-streaming = writeShellScript "run-streaming.sh" ''
|
||||
# NixOS helper script to consistently use the same NodeJS version the package was built with.
|
||||
${nodejs-slim}/bin/node ./streaming
|
||||
'';
|
||||
in ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir -p $out
|
||||
cp -r * $out/
|
||||
ln -s ${run-streaming} $out/run-streaming.sh
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
tests.mastodon = nixosTests.mastodon;
|
||||
# run with: nix-shell ./maintainers/scripts/update.nix --argstr package mastodon
|
||||
updateScript = ./update.sh;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description =
|
||||
"Self-hosted, globally interconnected microblogging software based on ActivityPub";
|
||||
homepage = "https://joinmastodon.org";
|
||||
license = licenses.agpl3Plus;
|
||||
platforms = [ "x86_64-linux" "i686-linux" "aarch64-linux" ];
|
||||
maintainers = with maintainers; [ happy-river erictapen izorkin ghuntley ];
|
||||
};
|
||||
}
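Review bot: The commented-out `#hash = "sha256-Qw33…"` line above the live `hash` in `yarnOfflineCache` is a stale leftover and should be deleted; a dead fetcher hash sitting next to the real one is an easy way to re-enable the wrong digest by accident. The `meta` block (description, the nixpkgs `maintainers` list) and `passthru.tests.mastodon = nixosTests.mastodon` were carried over from the upstream Mastodon expression and do not describe this glitch-soc build — that test exercises nixpkgs' own mastodon package, not this one — so either drop them or point them at this fork. `ln -s /tmp tmp` in buildPhase makes Rails' `tmp/` the shared system `/tmp`; this mirrors upstream, but confirm the unit that runs the package sets `PrivateTmp=true` (or otherwise isolates tmp) so cache and pid files are never written into a world-writable directory, and note that in a comment on that line.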
|
|
@ -0,0 +1,13 @@
|
|||
# This file was generated by pkgs.mastodon.updateScript.
|
||||
{ fetchFromGitHub, applyPatches }:
|
||||
let
|
||||
src = fetchFromGitHub {
|
||||
owner = "arachnist";
|
||||
repo = "mastodon";
|
||||
rev = "e4e18e4f9fc062cd347bb2faa719ad2f62660bfd";
|
||||
hash = "sha256-k5ZO+x7MzQaHShViBltmrCoy5wujKXIsQvPTpWgkvUk=";
|
||||
};
|
||||
in applyPatches {
|
||||
inherit src;
|
||||
patches = [ ./local-new-fixes.patch ];
|
||||
}
|
|
@ -0,0 +1,103 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#! nix-shell -i bash -p yarn2nix bundix coreutils diffutils nix-prefetch-github gnused jq
|
||||
set -e
|
||||
|
||||
OWNER=mastodon
|
||||
REPO=mastodon
|
||||
|
||||
POSITIONAL=()
|
||||
while [[ $# -gt 0 ]]; do
|
||||
key="$1"
|
||||
|
||||
case $key in
|
||||
--owner)
|
||||
OWNER="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--repo)
|
||||
REPO="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--ver)
|
||||
VERSION="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--rev)
|
||||
REVISION="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
--patches)
|
||||
PATCHES="$2"
|
||||
shift # past argument
|
||||
shift # past value
|
||||
;;
|
||||
*) # unknown option
|
||||
POSITIONAL+=("$1")
|
||||
shift # past argument
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ -n "$POSITIONAL" ]]; then
|
||||
echo "Usage: update.sh [--owner OWNER] [--repo REPO] [--ver VERSION] [--rev REVISION] [--patches PATCHES]"
|
||||
echo "OWNER and REPO must be paths on github."
|
||||
echo "If REVISION is not provided, the latest tag from github.com/mastodon/mastodon is fetched and VERSION is calculated from it."
|
||||
echo "If OWNER and REPO are not provided, it defaults they default to mastodon and mastodon."
|
||||
echo "PATCHES, if provided, should be one or more Nix expressions separated by spaces."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -z "$REVISION" ]]; then
|
||||
REVISION="$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} -s "https://api.github.com/repos/$OWNER/$REPO/releases" | jq -r 'map(select(.prerelease == false)) | .[0].tag_name')"
|
||||
VERSION="$(echo "$REVISION" | cut -c2-)"
|
||||
fi
|
||||
|
||||
rm -f gemset.nix version.nix source.nix
|
||||
cd "$(dirname "${BASH_SOURCE[0]}")" || exit 1
|
||||
|
||||
WORK_DIR=$(mktemp -d)
|
||||
|
||||
# Check that working directory was created.
|
||||
if [[ -z "$WORK_DIR" || ! -d "$WORK_DIR" ]]; then
|
||||
echo "Could not create temporary directory"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Delete the working directory on exit.
|
||||
function cleanup {
|
||||
# Report errors, if any, from nix-prefetch-git
|
||||
grep "fatal" $WORK_DIR/nix-prefetch-git.out >/dev/stderr || true
|
||||
rm -rf "$WORK_DIR"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
echo "Fetching source code $REVISION"
|
||||
JSON=$(nix-prefetch-github "$OWNER" "$REPO" --rev "$REVISION" 2> $WORK_DIR/nix-prefetch-git.out)
|
||||
HASH=$(echo "$JSON" | jq -r .hash)
|
||||
|
||||
echo "Creating version.nix"
|
||||
echo "\"$VERSION\"" | sed 's/^"v/"/' > version.nix
|
||||
|
||||
cat > source.nix << EOF
|
||||
# This file was generated by pkgs.mastodon.updateScript.
|
||||
{ fetchFromGitHub, applyPatches }: let
|
||||
src = fetchFromGitHub {
|
||||
owner = "$OWNER";
|
||||
repo = "$REPO";
|
||||
rev = "$REVISION";
|
||||
hash = "$HASH";
|
||||
};
|
||||
in applyPatches {
|
||||
inherit src;
|
||||
patches = [$PATCHES];
|
||||
}
|
||||
EOF
|
||||
SOURCE_DIR="$(nix-build --no-out-link -E '(import <nixpkgs> {}).callPackage ./source.nix {}')"
|
||||
|
||||
echo "Creating gemset.nix"
|
||||
bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile"
|
||||
echo "" >> gemset.nix # Create trailing newline to please EditorConfig checks
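Review bot: `rm -f gemset.nix version.nix source.nix` runs before `cd "$(dirname "${BASH_SOURCE[0]}")"`, so it deletes files in whatever directory the caller happens to be in rather than in the package directory; move the `cd` line above the `rm`. `curl` is used to query the GitHub releases API but is not in the `nix-shell -p` list on the second shebang line, so the script only works when curl happens to be on the host PATH; add `curl` there. The `${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""}` expansion appears to produce a single argument containing literal quote characters rather than a separate `-u` flag and credential — verify with `bash -x` — and in any case it puts the token on curl's argv where other local users can read it from the process list; feeding it via `--netrc-file` or `-K -` on stdin avoids that. The usage text `it defaults they default to` should read `they default to`.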
|
|
@ -0,0 +1 @@
|
|||
"4+glitch+meow"
|
|
@ -0,0 +1,13 @@
|
|||
{ runtimeShell, writeScriptBin, mastodon, symlinkJoin }:
|
||||
|
||||
let
|
||||
name = "mastodon-update.sh";
|
||||
script = writeScriptBin name ''
|
||||
#!${runtimeShell}
|
||||
exec ${mastodon.updateScript} "$@"
|
||||
'';
|
||||
|
||||
in symlinkJoin {
|
||||
inherit name;
|
||||
paths = [ script ];
|
||||
}
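Review bot: `writeScriptBin` with a hand-written `#!${runtimeShell}` line is what `writeShellScriptBin` does for you, so `script = writeShellScriptBin name ''exec ${mastodon.updateScript} "$@"'';` is shorter and drops the `runtimeShell` argument. The wrapped `mastodon.updateScript` is an `update.sh` whose own shebang invokes `nix-shell`, so this wrapper still needs `nix-shell` on PATH at run time; a comment saying so would stop someone expecting a self-contained binary.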
|
|
@ -0,0 +1,31 @@
|
|||
{ fetchFromGitHub, buildPythonPackage, python3Packages, python3, ... }:
|
||||
|
||||
buildPythonPackage rec {
|
||||
pname = "Minecraft-Overviewer";
|
||||
version = "2021-12-14";
|
||||
format = "other";
|
||||
|
||||
propagatedBuildInputs = with python3Packages; [
|
||||
pillow-with-headers
|
||||
numpy
|
||||
networkx
|
||||
];
|
||||
|
||||
buildInputs = with python3Packages; [ setuptools ];
|
||||
|
||||
buildPhase = ''
|
||||
export CFLAGS="-I${python3Packages.pillow-with-headers}/include/libImaging"
|
||||
${python3.interpreter} setup.py build
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
${python3.interpreter} setup.py install --prefix=$out --install-lib=$out/${python3.sitePackages}
|
||||
'';
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "overviewer";
|
||||
repo = pname;
|
||||
rev = "7171af587399fee9140eb83fb9b066acd251f57a";
|
||||
sha256 = "sha256-iJv4mL1Zr6clL5iuUg1kHoIk9Kk3R4TOYsrldEVyfVo=";
|
||||
};
|
||||
}
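Review bot: `buildPhase` and `installPhase` omit the `runHook preBuild`/`runHook postBuild` and `runHook preInstall`/`runHook postInstall` calls, so any hooks attached by `overrideAttrs` or by setup hooks in `buildInputs` silently never run; the glitch-soc expression in this same commit calls them in every phase, so this package should too. `version = "2021-12-14"` is a date while `rev` is a bare commit id; a comment tying the two together (the commit date, or the upstream tag it corresponds to) makes future bumps less error-prone.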
|
|
@ -0,0 +1,17 @@
|
|||
{ fetchFromGitea, buildGoModule, ... }:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "notbot";
|
||||
version = "0.0.3";
|
||||
|
||||
src = fetchFromGitea {
|
||||
domain = "codeberg.org";
|
||||
owner = "arachnist";
|
||||
repo = pname;
|
||||
rev = "195b12bdba2d579533e00de9c9dce52ece0bc562";
|
||||
sha256 = "cHy1TSUI2KfZyaZMXJibT4G/HwcBhPKQF6ftJpilRCQ=";
|
||||
};
|
||||
|
||||
vendorSha256 = "sha256-gi6mrJW65tfWYScwRlPSvBartqfvVlGbR9GWfj9G4xE=";
|
||||
proxyVendor = true;
|
||||
}
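Review bot: `vendorSha256` is the older name for the module vendor hash; `buildGoModule` accepts `vendorHash`, which is what current nixpkgs uses, so `vendorHash = "sha256-gi6mrJW65tfWYScwRlPSvBartqfvVlGbR9GWfj9G4xE=";` keeps this from breaking when the alias is dropped. Within the same file the source fetch uses a bare `sha256 = "cHy1…"` digest while the vendor line uses SRI form; using `hash = "sha256-…"` for both keeps the style uniform across this commit's packages.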
|
|
@ -0,0 +1,8 @@
|
|||
{ python3Packages, ... }:
|
||||
|
||||
python3Packages.pillow.overrideAttrs (_: {
|
||||
postInstall = ''
|
||||
mkdir -p $out/include/libImaging
|
||||
cp src/libImaging/*.h $out/include/libImaging
|
||||
'';
|
||||
})
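Review bot: `overrideAttrs (_: { postInstall = ''…''; })` replaces whatever `postInstall` pillow already defines instead of extending it, so any upstream post-install steps are silently dropped from this variant; `postInstall = (old.postInstall or "") + ''…'';` with the parameter named `old` preserves them. A one-line comment explaining the purpose — exposing `libImaging` headers so minecraft-overviewer's C extension can compile against them — would also make the override self-explanatory, since the file name alone does not say why the headers are needed.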
|
|
@ -17,14 +17,17 @@ let
|
|||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDghNuH/3G+0BXwrBZWZXX0V3K0tfu/Q/AKokLXY5zTD";
|
||||
in {
|
||||
|
||||
"secrets/secureboot-key.age".publicKeys = ar ++ [ khas microlith ];
|
||||
"secrets/secureboot-cert.age".publicKeys = ar ++ [ khas microlith ];
|
||||
"secrets/secureboot-key.age".publicKeys = ar
|
||||
++ [ khas microlith zorigami scylla ];
|
||||
"secrets/secureboot-cert.age".publicKeys = ar
|
||||
++ [ khas microlith zorigami scylla ];
|
||||
"secrets/khas-ar.age".publicKeys = ar ++ [ khas ];
|
||||
"secrets/microlith-ar.age".publicKeys = ar ++ [ microlith ];
|
||||
"secrets/wg/nibylandia_scylla.age".publicKeys = ar ++ [ scylla ];
|
||||
"secrets/wg/dn42_w1kl4s_scylla.age".publicKeys = ar ++ [ scylla ];
|
||||
"secrets/lan/nibylandia-ddns-kea.age".publicKeys = ar ++ [ scylla ];
|
||||
"secrets/lan/nibylandia-ddns-bind.age".publicKeys = ar ++ [ scylla ];
|
||||
"secrets/notbotEnvironment.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/nextCloudAdmin.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/nextCloudExporter.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/norkclubMinecraftRestic.age".publicKeys = ar ++ [ zorigami ];
|
||||
|
@ -34,6 +37,7 @@ in {
|
|||
"secrets/wg/nibylandia_zorigami.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/ar.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/apo.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/amie.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/mastodon.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/mastodonPlain.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/madargon.age".publicKeys = ar ++ [ zorigami ];
|
||||
|
@ -44,6 +48,7 @@ in {
|
|||
"secrets/mail/keycloak.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/mail/keycloakPlain.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/keycloakDatabase.age".publicKeys = ar ++ [ zorigami ];
|
||||
"secrets/synapseExtraConfig.age".publicKeys = ar ++ [ zorigami ];
|
||||
|
||||
inherit ar;
|
||||
}
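Review bot: Adding `zorigami` and `scylla` to the recipients of `secrets/secureboot-key.age` means the Secure Boot signing private key is now decryptable on four hosts, and a compromise of any one of them yields a key that signs boot artifacts trusted by all of them. If those hosts only need to verify or boot already-signed images, they need `secureboot-cert.age` but not the key; if they sign locally during their own rebuild, consider whether per-host keys or signing on a single build host would contain the blast radius. A comment on the line recording why each recipient needs the private key would make the next audit of this file much quicker.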
|
||||
|
|