diff --git a/colmena.nix b/colmena.nix
new file mode 100644
index 00000000..04d5300c
--- /dev/null
+++ b/colmena.nix
@@ -0,0 +1,38 @@
+{
+ inputs,
+ systems,
+ lib,
+ ...
+}: rec {
+ colmenaHive = inputs.colmena.lib.makeHive colmena;
+ colmena = let
+ inherit (lib.attrsets) mapAttrs filterAttrs;
+ colmenaBase = {
+ meta = {
+ description = "Kat's Infrastructure";
+ nodeSpecialArgs = mapAttrs (_k: v: v._module.specialArgs) systems.nixosConfigurations;
+ nodeNixpkgs = mapAttrs (_k: v: v.config.pkgs) systems.systems;
+ nixpkgs = import inputs.nixpkgs {
+ # this upsets me deeply.
+ system = "x86_64-linux";
+ overlays = [];
+ };
+ };
+ };
+ colmenaHosts = mapAttrs (_k: v: {
+ config,
+ lib,
+ ...
+ }: let
+ inherit (lib.modules) mkDefault;
+ in {
+ imports = v.config.modules;
+ deployment =
+ {
+ targetPort = mkDefault (builtins.head config.services.openssh.ports);
+ }
+ // v.config.colmena;
+ }) (filterAttrs (_k: v: v.config.folder == "nixos") systems.systems);
+ in
+ colmenaBase // colmenaHosts;
+}
diff --git a/common/nix.nix b/common/nix.nix
index 73de974b..e62b8cb8 100644
--- a/common/nix.nix
+++ b/common/nix.nix
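Review bot: `targetPort = mkDefault (builtins.head config.services.openssh.ports)` aborts evaluation of the whole hive with a head-of-empty-list error as soon as any host leaves `services.openssh.ports` empty, and the same unguarded `builtins.head` appears in the new `sshOpts` in modules/system/colmena.nix. A guarded form keeps one misconfigured host from blocking every deployment: `targetPort = mkIf (config.services.openssh.ports != []) (mkDefault (builtins.head config.services.openssh.ports));` with `mkIf` added to the `inherit (lib.modules)` line. Separately, `nodeNixpkgs` maps over the unfiltered `systems.systems` while `colmenaHosts` keeps only `folder == "nixos"`; if colmena cross-checks those attribute names against the node set, the non-NixOS entries will surface as errors, so applying the same `filterAttrs` to both would be safer. The `# this upsets me deeply.` comment would help the next reader more if it said why the host-independent `meta.nixpkgs` has to be pinned to `x86_64-linux`.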
@@ -17,8 +17,8 @@ in {
 package = pkgs.lixPackageSets.stable.lix;
 settings = {
 experimental-features = list.optional (versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
- substituters = ["https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-gaming.cachix.org" "https://nix-community.cachix.org"];
- trusted-public-keys = ["arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="];
+ substituters = ["https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-gaming.cachix.org" "https://nix-community.cachix.org" "https://colmena.cachix.org"];
+ trusted-public-keys = ["arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4=" "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="];
 auto-optimise-store = true;
 trusted-users = ["root" "@wheel"];
 };
diff --git a/flake.lock b/flake.lock
index 6890d525..80995bfe 100644
--- a/flake.lock
+++ b/flake.lock
@@ -201,6 +201,28 @@ "type": "github" } }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": "nixpkgs_3", + "stable": "stable" + }, + "locked": { + "lastModified": 1755272288, + "narHash": "sha256-ypTPb2eKcOBbOoyvPV0j4ZOXs4kayo73/2KI456QnE0=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "5bf4ce6a24adba74a5184f4a9bef01d545a09473", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, "crane": { "locked": { "lastModified": 1731098351,
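Review bot: Adding `https://colmena.cachix.org` and its key to the system-wide `substituters`/`trusted-public-keys` in common/nix.nix (presumably shared by every host built from this config) extends binary-cache trust to the whole fleet, even though colmena itself is only consumed by the repo dev shell (shells/repo.nix) and the overlay; any store path signed with that key is now accepted without a local build on all of those machines. If the cache is only needed where `colmena` is built, scoping it to the shell or the deploy workstation with `extra-substituters`/`extra-trusted-public-keys` leaves the servers' trust set unchanged. Either way, confirm the pasted key against the value the colmena project publishes before it reaches the servers, and a short comment on the `trusted-public-keys` line recording where each key was verified would make later audits cheaper.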
@@ -334,6 +356,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1733328505, @@ -383,17 +421,12 @@ } }, "flake-utils": { - "inputs": { - "systems": [ - "systems" - ] - }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", "type": "github" }, "original": { @@ -422,6 +455,26 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": [ + "systems" + ] + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flakelib": { "inputs": { "fl-config": "fl-config", @@ -1017,7 +1070,7 @@ "flake-parts": [ "flake-parts" ], - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1759801625, 
@@ -1056,6 +1109,27 @@ "type": "github" } }, + "nix-github-actions_2": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -1239,6 +1313,22 @@ } }, "nixpkgs_3": { + "locked": { + "lastModified": 1750134718, + "narHash": "sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9e83b64f727c88a7711a2c463a7b16eedb69a84c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { "locked": { "lastModified": 1759536663, "narHash": "sha256-hhM8SUI6kQMei5TImFdNQy9EDT8g2hAD161DUtbfAy0=", @@ -1436,12 +1526,13 @@ "chaotic": "chaotic", "ci": "ci", "clipboard-sync": "clipboard-sync", + "colmena": "colmena", "darwin": "darwin", "deploy-rs": "deploy-rs", "empty": "empty", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-parts": "flake-parts", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "flake-utils-plus": "flake-utils-plus", "flakelib": "flakelib", "git-hooks": "git-hooks", @@ -1655,6 +1746,22 @@ "type": "github" } }, + "stable": { + "locked": { + "lastModified": 1750133334, + "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "36ab78dab7da2e4e27911007033713bab534187b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "std": { "inputs": { "nix-std": [ diff --git a/flake.nix b/flake.nix index a4fca2cb..39332caa 100644 --- a/flake.nix 
+++ b/flake.nix
@@ -224,6 +224,7 @@
 utils.follows = "flake-utils";
 };
 };
+ colmena.url = "github:zhaofengli/colmena"; # self-explanatory
 home-manager = {
 url = "github:nix-community/home-manager/master";
diff --git a/modules/system/colmena.nix b/modules/system/colmena.nix
new file mode 100644
index 00000000..1fe6139a
--- /dev/null
+++ b/modules/system/colmena.nix
@@ -0,0 +1,44 @@
+{
+ name,
+ config,
+ lib,
+ inputs,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkOptionDefault mkDefault;
+in {
+ options = let
+ inherit (lib.types) nullOr;
+ inherit (lib.options) mkOption;
+ in {
+ colmena = mkOption {
+ type = nullOr inputs.arcexprs.lib.json.types.attrs;
+ };
+ };
+ config = {
+ colmena = {
+ targetHost = mkDefault config.deploy.hostname;
+ targetUser = mkDefault config.deploy.sshUser;
+ tags = mkOptionDefault [
+ "all"
+ ];
+ };
+ deploy = let
+ nixos = config.built;
+ in {
+ sshUser = mkOptionDefault "deploy";
+ user = mkOptionDefault "root";
+ sshOpts = mkIf (config.type == "NixOS") (
+ mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"]
+ );
+ autoRollback = mkOptionDefault true;
+ magicRollback = mkOptionDefault true;
+ fastConnection = mkOptionDefault false;
+ hostname = mkOptionDefault "${name}.devices.inskip.me";
+ profiles.system = {
+ user = "root";
+ path = inputs.deploy-rs.lib.${config.system}.activate.nixos inputs.self.nixosConfigurations.${name};
+ };
+ };
+ };
+}
diff --git a/modules/system/host.nix b/modules/system/host.nix
index fbd82d64..1dfd504c 100644
--- a/modules/system/host.nix
+++ b/modules/system/host.nix
@@ -47,6 +47,10 @@ in {
 type = attrs;
 internal = true;
 };
+ pkgs = mkOption {
+ type = unspecified;
+ internal = true;
+ };
 builder = mkOption {
 type = unspecified;
 internal = true;
@@ -148,6 +152,7 @@ in {
 inherit (config) system modules specialArgs;
 }) config.builder);
+ pkgs = pkgs.${config.system};
 specialArgs = {
 inherit name inputs std tree;
 systemType = config.folder;
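Review bot: `colmena.url = "github:zhaofengli/colmena";` declares no `follows`, so the flake.lock hunks in this commit pull in a second nixpkgs (`nixpkgs_3`), a `stable` nixos-25.05 nixpkgs and separate flake-utils/flake-compat/nix-github-actions trees solely for this input — more to evaluate and a larger upstream set to audit — while the neighbouring inputs in the context use `follows` for exactly this. `colmena = { url = "github:zhaofengli/colmena"; inputs.nixpkgs.follows = "nixpkgs"; };` would reuse the root nixpkgs, assuming the package from the colmena overlay builds against it. The `# self-explanatory` comment says nothing; replacing it with the reason the input exists, e.g. `# deployment tool: hive built in colmena.nix, package via overlays.nix`, would be more useful.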
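Review bot: The `colmena` option is typed `nullOr ...attrs`, but this same module unconditionally defines `colmena.targetHost`, `targetUser` and `tags`, so a host can never set `colmena = null` (nullOr's merge rejects a mix of null and non-null definitions), and the option also has no `default` or `description`. `type = inputs.arcexprs.lib.json.types.attrs; default = {}; description = "Extra colmena deployment.* settings merged into this host's node in colmena.nix";` states the contract the code actually enforces. `sshOpts` still calls `builtins.head` on `nixos.config.services.openssh.ports` with no empty-list guard (the `mkIf` only checks the host type), and colmena.nix derives the same port again independently as `targetPort`; setting `colmena.targetPort` here from one shared value would keep the two deployers in step. Colmena escalates with sudo when `targetUser` is not root, so the `deploy` user this defaults to must carry the same sudo rule deploy-rs already needs — a one-line comment on `targetUser` saying so would spare the next reader a trip to the colmena docs.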
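Review bot: The new internal `pkgs` option in modules/system/host.nix carries no `description`, and its consumer is not visible from this file; `description = "Per-system nixpkgs instance for this host, handed to colmena as nodeNixpkgs (see colmena.nix)";` also explains why `unspecified` is used for what is really a package set. The assignment `pkgs = pkgs.${config.system};` in the second hunk fails with an attribute-missing error if `config.system` is not a key of the per-system `pkgs` argument; if that argument is guaranteed to cover every supported `config.system`, a comment saying so on the line is enough. The attrset that assignment sits in starts and ends outside the hunk.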
diff --git a/outputs.nix b/outputs.nix
index 69d987e5..394634a1 100644
--- a/outputs.nix
+++ b/outputs.nix
@@ -6,6 +6,7 @@
 systems = import ./systems {inherit inputs tree lib std pkgs;};
 shells = import ./shells {inherit inputs tree lib std pkgs checks;};
 inherit (import ./pkgs.nix {inherit inputs tree overlay;}) pkgs;
+ colmena = import ./colmena.nix {inherit inputs systems lib;};
 formatting = import ./formatting.nix {inherit inputs pkgs;};
 inherit (std) set;
 forAllSystems = lib.genAttrs inputs.flake-utils.lib.defaultSystems;
@@ -37,6 +38,7 @@ in
 legacyPackages = pkgs;
 #packages = set.merge [pkgs wrappers.packages];
 inherit (formatting) formatter;
+ inherit (colmena) colmenaHive colmena;
 }
 // systems
 // shells
diff --git a/overlays.nix b/overlays.nix
index 806dbaa7..cfebdb59 100644
--- a/overlays.nix
+++ b/overlays.nix
@@ -13,7 +13,12 @@
 colmena
 ;
 })
+ inputs.colmena.overlays.default
 inputs.ida-pro-overlay.overlays.default
+ # To get this not to garbage collect, make sure to create a gcroot by manually
+ # building the package with an output (anywhere you want, really). You can't
+ # then delete that output, however, or rename or move it. So place it somewhere
+ # you're ok with it being.
 (final: prev: {
 ida-pro-kat = prev.callPackage final.ida-pro {
 runfile = final.requireFile {
diff --git a/shells/repo.nix b/shells/repo.nix
index 0f7cf11c..89395adf 100644
--- a/shells/repo.nix
+++ b/shells/repo.nix
@@ -8,6 +8,7 @@ with pkgs; let
 git-hooks = systemless-git-hooks pkgs.system;
 repoShell = mkShell {
 nativeBuildInputs = [
+ colmena
 opentofu
 nf-build-system
 nf-update
diff --git a/systems/daiyousei.nix b/systems/daiyousei.nix
index 928694b8..73d4545d 100644
--- a/systems/daiyousei.nix
+++ b/systems/daiyousei.nix
@@ -52,8 +52,12 @@ _: let
 };
 in {
 arch = "aarch64";
- deploy.hostname = "daiyousei.inskip.me";
 type = "NixOS";
+ deploy.hostname = "daiyousei.inskip.me";
+ colmena.tags = [
+ "server"
+ "oci"
+ ];
 modules = [
 hostConfig
 ];
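Review bot: `inputs.colmena.overlays.default` in overlays.nix is appended right after an overlay whose context lines (`colmena`, `;`, `})`) appear to be the tail of an `inherit` that already provides a `colmena` attribute, so from this change on the later overlay wins and every `colmena` in the repo — including the dev-shell entry added in shells/repo.nix — presumably comes from the flake input instead of the previously inherited package; nothing in the hunk says that is intended. A comment on the new line, `# overrides the colmena inherited above with the zhaofengli/colmena input's build`, keeps the override visible to whoever next touches the overlay list. The overlay list itself begins before this hunk.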
diff --git a/systems/goliath.nix b/systems/goliath.nix
index 51bfe99e..379b45b1 100644
--- a/systems/goliath.nix
+++ b/systems/goliath.nix
@@ -250,6 +250,9 @@ _: let
 in {
 arch = "x86_64";
 type = "NixOS";
+ colmena.tags = [
+ "personal"
+ ];
 ci.enable = false; # Closure too large
 modules = [
 hostConfig
diff --git a/systems/koishi.nix b/systems/koishi.nix
index f7e629d5..9761d3af 100644
--- a/systems/koishi.nix
+++ b/systems/koishi.nix
@@ -166,6 +166,9 @@ _: let
 in {
 arch = "x86_64";
 deploy.hostname = "10.1.1.171";
+ colmena.tags = [
+ "personal"
+ ];
 ci.enable = false; # Closure too large
 type = "NixOS";
 modules = [
diff --git a/systems/mai.nix b/systems/mai.nix
index 19a8619d..7af95708 100644
--- a/systems/mai.nix
+++ b/systems/mai.nix
@@ -22,6 +22,10 @@ _: let
 in {
 arch = "x86_64";
 type = "NixOS";
+ colmena.tags = [
+ "server"
+ "oci"
+ ];
 modules = [
 hostConfig
 ];
diff --git a/systems/mei.nix b/systems/mei.nix
index aa95fd71..15d3bb74 100644
--- a/systems/mei.nix
+++ b/systems/mei.nix
@@ -20,6 +20,10 @@ _: let
 in {
 arch = "x86_64";
 type = "NixOS";
+ colmena.tags = [
+ "server"
+ "oci"
+ ];
 modules = [
 hostConfig
 ];
diff --git a/systems/renko.nix b/systems/renko.nix
deleted file mode 100644
index b42cb4c7..00000000
--- a/systems/renko.nix
+++ /dev/null
@@ -1,108 +0,0 @@
-_: let
- hostConfig = {
- lib,
- pkgs,
- inputs,
- ...
- }: let
- inherit (lib.modules) mkDefault mkForce;
- in {
- imports = [
- "${inputs.nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
- ];
-
- nix.extraOptions = "extra-platforms = x86_64-linux i686-linux";
-
- networking = {
- nftables.enable = mkForce false;
- firewall.enable = mkForce false;
- useDHCP = false;
- interfaces.eth0.useDHCP = true;
- };
-
- nixpkgs.hostPlatform = mkDefault "aarch64-linux";
-
- boot.kernelPackages = pkgs.linuxPackages_6_3;
-
- environment.systemPackages = with pkgs; [
- awscli2
- kubectl
- ];
-
- system.stateVersion = "22.11";
-
- security.sudo.extraRules = [
- {
- users = ["kat"];
- commands = [
- {
- command = "ALL";
- options = ["NOPASSWD"];
- }
- ];
- }
- ];
-
- # add OrbStack CLI tools to PATH
- environment.shellInit = ''
- . /opt/orbstack-guest/etc/profile-early
-
- # add your customizations here
-
- . /opt/orbstack-guest/etc/profile-late
- export PATH="/opt/homebrew/opt/ruby/bin:$PATH"
- export LDFLAGS="-L/opt/homebrew/opt/ruby/lib"
- export CPPFLAGS="-I/opt/homebrew/opt/ruby/include"
- '';
-
- # faster DHCP - OrbStack uses SLAAC exclusively
- networking.dhcpcd.extraConfig = ''
- noarp
- noipv6
- '';
-
- # disable sshd
- services.openssh.enable = true;
-
- # systemd
- systemd.services = {
- "systemd-oomd".serviceConfig.WatchdogSec = 0;
- "systemd-resolved".serviceConfig.WatchdogSec = 0;
- "systemd-userdbd".serviceConfig.WatchdogSec = 0;
- "systemd-udevd".serviceConfig.WatchdogSec = 0;
- "systemd-timesyncd".serviceConfig.WatchdogSec = 0;
- "systemd-timedated".serviceConfig.WatchdogSec = 0;
- "systemd-portabled".serviceConfig.WatchdogSec = 0;
- "systemd-nspawn@".serviceConfig.WatchdogSec = 0;
- "systemd-networkd".serviceConfig.WatchdogSec = 0;
- "systemd-machined".serviceConfig.WatchdogSec = 0;
- "systemd-localed".serviceConfig.WatchdogSec = 0;
- "systemd-logind".serviceConfig.WatchdogSec = 0;
- "systemd-journald@".serviceConfig.WatchdogSec = 0;
- "systemd-journald".serviceConfig.WatchdogSec = 0;
- "systemd-journal-remote".serviceConfig.WatchdogSec = 0;
- "systemd-journal-upload".serviceConfig.WatchdogSec = 0;
- "systemd-importd".serviceConfig.WatchdogSec = 0;
- "systemd-hostnamed".serviceConfig.WatchdogSec = 0;
- "systemd-homed".serviceConfig.WatchdogSec = 0;
- };
-
- # package installation: not needed
-
- # ssh config
- programs.ssh.extraConfig = ''
- Include /opt/orbstack-guest/etc/ssh_config
- '';
-
- # extra certificates
- security.pki.certificateFiles = [
- "/opt/orbstack-guest/run/extra-certs.crt"
- ];
- };
-in {
- arch = "aarch64";
- type = "NixOS";
- modules = [
- hostConfig
- ];
-}