linde: enable deployment via flake
8 files changed, 118 insertions(+), 366 deletions(-)
M flake.lock → flake.lock
@@ -132,11 +132,11 @@ "gomod2nix": "gomod2nix", "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1749531561, - "narHash": "sha256-zWsvOlC/u1K9L9VemiIhRGeChg0C2HtWoVh34MRT7uA=", + "lastModified": 1749764708, + "narHash": "sha256-/3J2OZt5JapjSW4RAFFAI2Q3VlCUl1vPWZOuh0vSWgU=", "ref": "refs/heads/main", - "rev": "dffc16df68df06151f177bc1702e7bb3eb190228", - "revCount": 211, + "rev": "c541f419c0283487d7244a74899fa2d023b12a07", + "revCount": 212, "type": "git", "url": "https://git.alin.ovh/elgit" },@@ -246,6 +246,27 @@ "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "owner": "hercules-ci", "repo": "flake-parts", "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": {@@ -680,6 +701,28 @@ "repo": "nixvim", "type": "github" } }, + "nur": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1749756705, + "narHash": "sha256-aAVhMe2s7ZsrEHvIKF7bfL6BPdxn2wNwnd7/z3J/vHU=", + "owner": "nix-community", + "repo": "nur", + "rev": "248f53cb50c3d2bcc650977ae1570c4ffc7c4e0f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nur", + "type": "github" + } + }, "nuschtosSearch": { "inputs": { "flake-utils": "flake-utils_3",@@ -794,6 +837,7 @@ "srvos", "nixpkgs" ], "nixvim": "nixvim", + "nur": "nur", "searchix": "searchix", "srvos": "srvos", "utils": "utils_2"@@ -808,11 +852,11 @@ "pre-commit-hooks": "pre-commit-hooks", "simple-css": "simple-css" }, "locked": { - "lastModified": 1749499050, - 
"narHash": "sha256-rTwHdCsSb1j0oQeYa41zdxU9QASB/StiY+tG82/5RHY=", + "lastModified": 1749764594, + "narHash": "sha256-YW6mkQBwzgbNF2u/T/KcU3lVCZPYVDGrMKCW1KIHlUY=", "ref": "refs/heads/main", - "rev": "7b72c9cc5589f2fd1693e114220ac9176687d5e9", - "revCount": 450, + "rev": "6b2a0fdd4e56796db8a921f26d9838b4b66a455e", + "revCount": 470, "type": "git", "url": "https://git.alin.ovh/searchix" },@@ -999,6 +1043,27 @@ "narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=", "owner": "numtide", "repo": "treefmt-nix", "rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", "type": "github" }, "original": {
M flake.nix → flake.nix
@@ -5,6 +5,10 @@ nixpkgs.follows = "srvos/nixpkgs"; nixos-hardware.url = "github:NixOS/nixos-hardware"; nix-index-database.url = "github:Mic92/nix-index-database"; nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; + nur = { + url = "github:nix-community/nur"; + inputs.nixpkgs.follows = "nixpkgs"; + }; darwin.url = "github:lnl7/nix-darwin/master"; darwin.inputs.nixpkgs.follows = "nixpkgs"; emacs-overlay.url = "github:nix-community/emacs-overlay";@@ -36,6 +40,7 @@ , utils , srvos , nixpkgs , nixos-hardware + , nur , emacs-overlay , home-manager , darwin@@ -71,10 +76,6 @@ angrr.overlays.default emacs-overlay.overlays.default (self: super: { personal = import ./packages/overlay.nix self super; - enchant = super.enchant.override { - withHspell = false; - withAspell = false; - }; }) ]; };@@ -110,21 +111,35 @@ ./system/nano.nix ./system/nano-hardware.nix ]; }; - nixosConfigurations.linde = nixpkgs.lib.nixosSystem { - system = utils.lib.system.aarch64-linux; - specialArgs = { inherit inputs; }; - modules = [ - srvos.nixosModules.server - srvos.nixosModules.hardware-hetzner-cloud-arm - agenix.nixosModules.default - elgit.nixosModules.default - mycal.nixosModules.default - searchix.nixosModules.web - golink.nixosModules.default - ./packages/modules/nixos/laminar.nix - ./system/linde.nix - ]; - }; + nixosConfigurations.linde = + let + system = utils.lib.system.aarch64-linux; + in + nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ + { + nixpkgs.overlays = (readOverlays ./overlays) ++ [ + nur.overlays.default + elgit.overlays.default + (final: prev: { + searchix = searchix.packages.${system}.default; + }) + ]; + } + srvos.nixosModules.server + srvos.nixosModules.hardware-hetzner-cloud-arm + agenix.nixosModules.default + elgit.nixosModules.elgit + mycal.nixosModules.mycal + searchix.nixosModules.web + golink.nixosModules.default + ./packages/modules/nixos/laminar.nix + ./system/linde.nix + ./private/calendar.nix + ]; + }; 
darwinConfigurations.marvin = darwin.lib.darwinSystem { system = utils.lib.system.aarch64-darwin; specialArgs = { inherit inputs; };@@ -165,6 +180,7 @@ system = utils.lib.system.aarch64-linux; modules = [ ./user/server.nix nix-index-database.hmModules.nix-index + nixvim.homeModules.nixvim ]; };@@ -208,7 +224,6 @@ devShells = { default = pkgs.mkShell { packages = with pkgs; [ home-manager - colmena deploy-rs.packages.${system}.default agenix.packages.${system}.default ];
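Review bot: `nur.overlays.default` in the new `nixpkgs.overlays` list for `linde` puts the whole NUR tree into the server's `pkgs`; NUR expressions are community-maintained and not reviewed the way nixpkgs is, so whatever `./system/linde.nix` eventually pulls from it becomes unvetted code in the system closure. The diff does not show which NUR package is consumed, so a comment above that overlay naming it, e.g. `# NUR is community-maintained and unreviewed; only <package> is taken from it`, would let a later reader judge the exposure. The input is pinned by flake.lock and the `system.autoUpgrade.flags` in `system/linde.nix` only bump `nixpkgs`, so that pin presumably holds across nightly upgrades. Separately, `./private/calendar.nix` is now evaluated from the flake and therefore copied into the world-readable Nix store, so it should hold only configuration, with anything sensitive kept under `age.secrets` as the rest of `linde.nix` does — worth confirming since the file itself is not in this diff.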
D hive.nix
@@ -1,50 +0,0 @@ -let - inherit (builtins) getFlake; - - path = ./overlays; - content = builtins.readDir path; - overlays = map (n: import (path + ("/" + n))) - (builtins.filter - (n: - (builtins.match ".*\\.nix" n != null && - # ignore Emacs lock files (.#foo.nix) - builtins.match "\\.#.*" n == null) || - builtins.pathExists (path + ("/" + n + "/default.nix"))) - (builtins.attrNames content)); -in -{ - meta = { - nixpkgs = import <nixpkgs> { - inherit overlays; - }; - specialArgs = { - srvos = import <srvos>; - }; - }; - - defaults = { pkgs, ... }: { - deployment = { - buildOnTarget = true; - }; - }; - - linde = { name, nodes, srvos, ... }: { - deployment.allowLocalDeployment = true; - imports = [ - srvos.nixosModules.server - srvos.nixosModules.hardware-hetzner-cloud-arm - <agenix/modules/age.nix> - (getFlake (toString <searchix>)).nixosModules.web - (getFlake (toString <mycal>)).nixosModules.mycal - (getFlake (toString <golink>)).nixosModules.default - ./packages/modules/nixos/laminar.nix - ./private/calendar.nix - ./system/linde.nix - ]; - nixpkgs.overlays = [ - (final: prev: { - searchix = (getFlake (toString <searchix>)).packages.${prev.system}.default; - }) - ]; - }; -}
M overlays/personal.nix → overlays/personal.nix
@@ -1,11 +1,4 @@ -self: super: -let - personal = import <personal> { - pkgs = super; - }; -in -{ - inherit personal; +self: super: { enchant = super.enchant.override { withHspell = false; withAspell = false;
M system/linde.nix → system/linde.nix
@@ -27,7 +27,6 @@ ./linde-hardware.nix ./settings/configuration/nix-linux.nix ./settings/services/git-server.nix - ./settings/colmena-auto-upgrade.nix ]; age.secrets = { paperless =@@ -115,24 +114,16 @@ dates = [ "02:30" ]; }; }; - system.autoUpgrade.enable = lib.mkForce false; - services.colmenaAutoUpgrade = { - enable = true; - git = { - enable = true; - branch = "origin/main"; - }; - preUpgradeHook = '' - ${pkgs.npins}/bin/npins update searchix elgit nixpkgs mycal - ''; - useNixShell = true; - dates = "01:23"; + system.autoUpgrade = { + dates = "02:10"; + randomizedDelaySec = "59 min"; allowReboot = true; - randomizedDelaySec = "45 min"; - rebootWindow = { - lower = "01:20"; - upper = "03:00"; - }; + flake = "git+file://${config.services.gitolite.dataDir}/repositories/nixfiles.git?submodules=1"; + flags = [ + "--no-write-lock-file" + "--update-input" + "nixpkgs" + ]; }; services.nix-serve = {
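Review bot: The new `flake` URL in the `system.autoUpgrade` block carries `?submodules=1` but no `ref`, so the nightly `nixos-rebuild` (which runs as root) follows whatever HEAD of the bare gitolite repo points at, and push access to `nixfiles.git` in gitolite is now equivalent to root on linde; I would pin the branch the way the removed colmena config did with `branch = "origin/main"`, i.e. `flake = "git+file://${config.services.gitolite.dataDir}/repositories/nixfiles.git?ref=main&submodules=1";`, and record the trust boundary in a comment above it such as `# Anyone who can push to nixfiles.git in gitolite can change this host's root config.`. The hunk also drops `system.autoUpgrade.enable = lib.mkForce false;` without setting `enable = true` here; the `mkForce` suggests another module enables it, but that is not visible in this diff and is worth confirming, otherwise no upgrade timer exists at all. Finally, flake.nix declares `nixpkgs.follows = "srvos/nixpkgs"`, so `--update-input nixpkgs` may not move anything on its own (updating `srvos` is presumably what is intended), and with `--no-write-lock-file` the nixpkgs revision actually deployed is not recorded anywhere in the repo, which makes a later incident review harder. The enclosing module attrset starts and ends outside the hunk.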
D system/settings/colmena-auto-upgrade.nix
@@ -1,255 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.services.colmenaAutoUpgrade; - - mainScript = - let - colmena = "${pkgs.colmena}/bin/colmena"; - date = "${pkgs.coreutils}/bin/date"; - readlink = "${pkgs.coreutils}/bin/readlink"; - shutdown = "${config.systemd.package}/bin/shutdown"; - in - if cfg.allowReboot then - '' - ${colmena} apply-local boot - booted="$(${readlink} /run/booted-system/{initrd,kernel,kernel-modules})" - built="$(${readlink} /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})" - - ${lib.optionalString (cfg.rebootWindow != null) '' - current_time="$(${date} +%H:%M)" - - lower="${cfg.rebootWindow.lower}" - upper="${cfg.rebootWindow.upper}" - - if [[ "''${lower}" < "''${upper}" ]]; then - if [[ "''${current_time}" > "''${lower}" ]] && \ - [[ "''${current_time}" < "''${upper}" ]]; then - do_reboot="true" - else - do_reboot="false" - fi - else - # lower > upper, so we are crossing midnight (e.g. lower=23h, upper=6h) - # we want to reboot if cur > 23h or cur < 6h - if [[ "''${current_time}" < "''${upper}" ]] || \ - [[ "''${current_time}" > "''${lower}" ]]; then - do_reboot="true" - else - do_reboot="false" - fi - fi - ''} - - if [ "''${booted}" = "''${built}" ]; then - ${colmena} apply-local switch - ${lib.optionalString (cfg.rebootWindow != null) '' - elif [ "''${do_reboot}" != true ]; then - echo "Outside of configured reboot window, skipping." 
- ''} - else - ${shutdown} -r +1 - fi - '' - else - '' - ${colmena} apply-local switch - '' - ; -in -{ - options.services.colmenaAutoUpgrade = { - enable = lib.mkEnableOption { - default = false; - description = "Enable automatic upgrades for Colmena"; - }; - - git = lib.mkOption { - type = lib.types.submodule { - options = { - enable = lib.mkEnableOption "Whether to pull the latest changes from the Git repository before upgrading."; - - branch = lib.mkOption { - type = lib.types.str; - default = "origin/main"; - description = "Git branch to checkout after fetching"; - }; - }; - }; - }; - - preUpgradeHook = lib.mkOption { - type = lib.types.str; - default = ""; - description = "Commands to run before upgrade"; - example = lib.literalExpression '' - $${pkgs.npins}/bin/npins update - ''; - }; - - useNixShell = lib.mkOption { - default = false; - type = lib.types.bool; - description = '' - Whether to run colmena in a nix-shell. - ''; - }; - - dates = lib.mkOption { - type = lib.types.str; - default = "04:40"; - example = "daily"; - description = '' - How often or when upgrade occurs. For most desktop and server systems - a sufficient upgrade frequency is once a day. - - The format is described in - {manpage}`systemd.time(7)`. - ''; - }; - - allowReboot = lib.mkOption { - default = false; - type = lib.types.bool; - description = '' - Reboot the system into the new generation instead of a switch - if the new generation uses a different kernel, kernel modules - or initrd than the booted system. - See {option}`rebootWindow` for configuring the times at which a reboot is allowed. - ''; - }; - - randomizedDelaySec = lib.mkOption { - default = "0"; - type = lib.types.str; - example = "45min"; - description = '' - Add a randomized delay before each automatic upgrade. - The delay will be chosen between zero and this value. 
- This value must be a time span in the format specified by - {manpage}`systemd.time(7)` - ''; - }; - - fixedRandomDelay = lib.mkOption { - default = false; - type = lib.types.bool; - example = true; - description = '' - Make the randomized delay consistent between runs. - This reduces the jitter between automatic upgrades. - See {option}`randomizedDelaySec` for configuring the randomized delay. - ''; - }; - - rebootWindow = lib.mkOption { - description = '' - Define a lower and upper time value (in HH:MM format) which - constitute a time window during which reboots are allowed after an upgrade. - This option only has an effect when {option}`allowReboot` is enabled. - The default value of `null` means that reboots are allowed at any time. - ''; - default = null; - example = { - lower = "01:00"; - upper = "05:00"; - }; - type = - with lib.types; - nullOr (submodule { - options = { - lower = lib.mkOption { - description = "Lower limit of the reboot window"; - type = lib.types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}"; - example = "01:00"; - }; - - upper = lib.mkOption { - description = "Upper limit of the reboot window"; - type = lib.types.strMatching "[[:digit:]]{2}:[[:digit:]]{2}"; - example = "05:00"; - }; - }; - }); - }; - - persistent = lib.mkOption { - default = true; - type = lib.types.bool; - example = false; - description = '' - Takes a boolean argument. If true, the time when the service - unit was last triggered is stored on disk. When the timer is - activated, the service unit is triggered immediately if it - would have been triggered at least once during the time when - the timer was inactive. Such triggering is nonetheless - subject to the delay imposed by RandomizedDelaySec=. This is - useful to catch up on missed runs of the service when the - system was powered down. 
- ''; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.colmena-auto-upgrade = { - description = "Upgrade nixos with colmena"; - - restartIfChanged = false; - unitConfig.X-StopOnRemoval = false; - - serviceConfig.Type = "oneshot"; - - environment = - config.nix.envVars - // { - inherit (config.environment.sessionVariables) NIX_PATH; - HOME = "/root"; - } - // config.networking.proxy.envVars; - - path = with pkgs; [ - coreutils - gnutar - xz.bin - gzip - gitMinimal - colmena - config.nix.package.out - config.programs.ssh.package - ]; - - serviceConfig.WorkingDirectory = "/etc/nixos"; - script = - let - git = "${pkgs.gitMinimal}/bin/git"; - nix-shell = "${pkgs.nix}/bin/nix-shell"; - in - '' - ${lib.optionalString cfg.git.enable - '' - ${git} fetch --prune - ${git} reset --hard ${cfg.git.branch} - '' - } - - ${cfg.preUpgradeHook} - - ${if cfg.useNixShell then '' - ${nix-shell} --run "${pkgs.writeShellScript "colmena-auto-upgrade" mainScript}" - '' - else mainScript - } - ''; - startAt = cfg.dates; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - }; - - systemd.timers.colmena-auto-upgrade = { - timerConfig = { - RandomizedDelaySec = cfg.randomizedDelaySec; - FixedRandomDelay = cfg.fixedRandomDelay; - Persistent = cfg.persistent; - }; - }; - }; -}
M system/settings/services/git-server.nix → system/settings/services/git-server.nix
@@ -72,10 +72,6 @@ mkMirrorWants = repo: map (target: "mirror-to-${target}@${repo}.path"); in { - imports = [ - <elgit> - ]; - services.gitolite = { enable = true; adminPubkey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYUyDdw92TNXguAxcmcmZmn/7ECGdRp6ckjxU+5zCw3BCnsS5+xEvHBVnnFdJRoH2XpfMeJjE+fi67zFVhlbn4= root@secretive.marvin";