diff --git a/configs/ci.nix b/configs/ci.nix
new file mode 100644
index 0000000..8c6d22e
--- /dev/null
+++ b/configs/ci.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, inputs, ... }:
+with lib; {
+ options = {
+ xinCI = {
+ enable = mkEnableOption "Configure host as a xin CI host.";
+ user = mkOption {
+ type = types.str;
+ default = "root";
+ description = ''
+ User who will own the private key.
+ '';
+ };
+ };
+ };
+
+ config = mkIf config.xinCI.enable {
+ imports = [ ../../modules/ts-rev-prox.nix ];
+ sops.defaultSopsFile = config.xin-secrets.ci;
+ sops.secrets = {
+ ci_ed25519_key = {
+ mode = "400";
+ owner = config.xinCI.user;
+ };
+ ci_ed25519_pub = {
+ mode = "444";
+ owner = config.xinCI.user;
+ };
+ bin_cache_priv_key = {
+ mode = "400";
+ owner = "root";
+ group = "wheel";
+ };
+ bin_cache_pub_key = {
+ mode = "444";
+ owner = "root";
+ group = "wheel";
+ };
+ ts_proxy_env = {
+ mode = "400";
+ owner = config.services.tsrevprox.user;
+ };
+ };
+ environment.systemPackages = [ inputs.po.packages.${pkgs.system}.po ];
+
+ nix = {
+ settings.allowed-users = [ "root" config.xinCI.user "nix-serve" ];
+ };
+ services = {
+ tsrevprox = {
+ enable = true;
+ reverseName = "nix-binary-cache";
+ envFile = config.sops.secrets.ts_proxy_env.path;
+ };
+ nix-serve = {
+ package = pkgs.nix-serve.override {
+ nix =
+ inputs.unstable.legacyPackages.x86_64-linux.nixVersions.nix_2_13;
+ };
+ enable = true;
+ secretKeyFile = config.sops.secrets.bin_cache_priv_key.path;
+ bindAddress = "127.0.0.1";
+ };
+ };
+
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+ };
+}
diff --git a/modules/ts-rev-prox.nix b/modules/ts-rev-prox.nix
new file mode 100644
index 0000000..0f7838f
--- /dev/null
+++ b/modules/ts-rev-prox.nix
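Review bot: `imports = [ ../../modules/ts-rev-prox.nix ];` sits inside the `config = mkIf config.xinCI.enable { ... }` set, where the module system does not accept `imports`; it belongs at the top level of the module beside `options` and `config`, which also drops the "conditional import" shape that cannot work. The relative path also looks wrong: from `configs/ci.nix`, `../../modules/` resolves above the repository root, while the module this commit adds lives at `modules/ts-rev-prox.nix`, so `../modules/ts-rev-prox.nix` is presumably what was intended unless the configs directory is nested deeper than the diff suggests. The nix-serve override hard-codes `inputs.unstable.legacyPackages.x86_64-linux`, whereas `environment.systemPackages` on the same hunk already uses `${pkgs.system}`; `inputs.unstable.legacyPackages.${pkgs.system}` keeps the two consistent. If the intent is that the cache is reachable only through the tsrevprox front end, a comment on `bindAddress = "127.0.0.1";` such as `# nix-serve is loopback-only; clients reach it via the tsrevprox tailscale name` would record that.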
@@ -0,0 +1,99 @@
+{ lib, config, pkgs, inputs, ... }:
+let cfg = config.services.tsrevprox;
+in {
+ options = with lib; {
+ services.tsrevprox = {
+ enable = lib.mkEnableOption "Enable tsrevprox";
+
+ reversePort = mkOption {
+ type = types.int;
+ default = 5000;
+ description = ''
+ Port to forward connections to.
+ '';
+ };
+
+ reverseIP = mkOption {
+ type = types.str;
+ default = "127.0.0.1";
+ description = ''
+ IP to forward connections to.
+ '';
+ };
+
+ reverseName = mkOption {
+ type = types.str;
+ default = "tsrevprox";
+ description = ''
+ Name used in for the front facing http server (will be a tailscale name).
+ '';
+ };
+
+ user = mkOption {
+ type = with types; oneOf [ str int ];
+ default = "tsrevprox";
+ description = ''
+ The user the service will use.
+ '';
+ };
+
+ group = mkOption {
+ type = with types; oneOf [ str int ];
+ default = "tsrevprox";
+ description = ''
+ The group the service will use.
+ '';
+ };
+
+ dataDir = mkOption {
+ type = types.path;
+ default = "/var/lib/tsrevprox";
+ description = "Path tsrevprox home directory";
+ };
+
+ package = mkOption {
+ type = types.package;
+ default = pkgs.ts-reverse-proxy;
+ defaultText = literalExpression "pkgs.ts-reverse-proxy";
+ description = "The package to use for ts-reverse-proxy";
+ };
+
+ envFile = mkOption {
+ type = types.path;
+ default = "/run/secrets/ts_proxy_env";
+ description = ''
+ Path to a file containing the ts-reverse-proxy token information
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf (cfg.enable) {
+ users.groups.${cfg.group} = { };
+ users.users.${cfg.user} = {
+ description = "tsrevprox service user";
+ isSystemUser = true;
+ home = "${cfg.dataDir}";
+ createHome = true;
+ group = "${cfg.group}";
+ };
+
+ systemd.services.tsrevprox = {
+ enable = true;
+ description = "tsrevprox server";
+ wantedBy = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ environment = { HOME = "${cfg.dataDir}"; };
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+
+ ExecStart =
+ "${cfg.package}/bin/ts-reverse-proxy -name ${cfg.reverseName} -port ${toString cfg.reversePort} -ip ${cfg.reverseIP}";
+ EnvironmentFile = cfg.envFile;
+ };
+ };
+ };
+}
diff --git a/overlays/default.nix b/overlays/default.nix
index 9e831bf..7d4cd47 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -19,6 +19,25 @@ let
 });
 };
 };
+ matrix-synapse = self: super: {
+ matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
+ version = "1.76.0";
+ pname = "matrix-synapse";
+
+ src = super.fetchFromGitHub {
+ owner = "matrix-org";
+ repo = "synapse";
+ rev = "v${version}";
+ hash = "sha256-kPc6T8yLe1TDxPKLnK/TcU+RUxAVIq8qsr5JQXCXyjM=";
+ };
+
+ cargoDeps = super.rustPlatform.fetchCargoTarball {
+ inherit src;
+ name = "${pname}-${version}";
+ hash = "sha256-tXtnVYH9uWu0nHHx53PgML92NWl3qcAcnFKhiijvQBc=";
+ };
+ });
+ };
 in {
 nixpkgs.overlays = if isUnstable then [
 tailscale
@@ -82,19 +101,10 @@ in {
 });
 })
- (self: super: {
- aerc = super.aerc.overrideAttrs (old: {
- patches = [
- (pkgs.fetchurl {
- url =
- "https://lists.sr.ht/~rjarry/aerc-devel/%3C20221218160541.680374-1-moritz%40poldrack.dev%3E/raw";
- sha256 = "sha256-qPRMOuPs5Pxiu2p08vGxsoO057Y1rVltPyBMbJXsH1s=";
- })
- ];
- });
- })
- ] else
- [ tailscale ];
+ ] else [
+ tailscale
+ matrix-synapse
+ ];
 }
 # Example Python dep overlay
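Review bot: `wantedBy = [ "network-online.target" ];` in `systemd.services.tsrevprox` will not pull the unit in at boot, since network-online.target is a passive target that nothing in this module activates; the usual form is `wantedBy = [ "multi-user.target" ]; wants = [ "network-online.target" ];` kept alongside the existing `after`. `reverseName` and `reverseIP` are plain `types.str` values spliced unquoted into `ExecStart`, so a value containing whitespace splits into extra arguments; wrapping each with `lib.escapeShellArg` (systemd honours single quotes in ExecStart) avoids that. The `user` and `group` options admit `int`, yet `users.users.${cfg.user}` and `users.groups.${cfg.group}` need string attribute names, so narrowing both to `types.str` turns an obscure evaluation error into a clear type error at the option. Finally, the unit handles a token through `EnvironmentFile` and already runs under a dedicated user, so the `serviceConfig` below adds the routine sandboxing directives and a restart policy; the unused `inputs` module argument can be dropped.
```nix
serviceConfig = {
  User = cfg.user;
  Group = cfg.group;

  ExecStart = lib.concatStringsSep " " [
    "${cfg.package}/bin/ts-reverse-proxy"
    "-name ${lib.escapeShellArg cfg.reverseName}"
    "-port ${toString cfg.reversePort}"
    "-ip ${lib.escapeShellArg cfg.reverseIP}"
  ];
  EnvironmentFile = cfg.envFile;
  Restart = "on-failure";

  # Sandboxing: the proxy only needs its data dir writable and the env file readable.
  NoNewPrivileges = true;
  PrivateTmp = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  ReadWritePaths = [ cfg.dataDir ];
};
```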
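Review bot: The matrix-synapse override pins `version = "1.76.0"` with fixed source and cargo hashes but records no reason, so the pin will outlive whatever motivated it and keep the host on that release after nixpkgs moves on, which matters for a network-facing service that receives security fixes regularly. A comment above `matrix-synapse = self: super: {` along the lines of `# Pin synapse to 1.76.0 (reason: <fill in>); drop once nixpkgs carries this or a newer release` gives the next maintainer a trigger to remove it. Because `overrideAttrs` keeps the remaining attributes of the nixpkgs derivation, any `patches` or `postPatch` written for the older version still apply to the 1.76.0 source; worth confirming they still apply cleanly, and noting it in the same comment if they were checked. The `old` argument is never read, so `(_: rec { ... })` would make that explicit.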