diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index 376fde6..24e1472 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -3,11 +3,11 @@ # - https://forgejo.org/docs/latest/user/actions/ # - https://docs.gitea.com/next/usage/actions/act-runner -{ config, pkgs, ... }: +{ config, pkgs-unstable, ... }: { services.gitea-actions-runner = { - package = pkgs.forgejo-runner; + package = pkgs-unstable.forgejo-actions-runner; instances.ccchh-forgejo-global-docker = { enable = true; name = "Global Docker Forgejo Actions Runner"; diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix new file mode 100644 index 0000000..a4c612e --- /dev/null +++ b/config/hosts/hydra/configuration.nix @@ -0,0 +1,9 @@ +{ ... }: + +{ + networking = { + hostName = "hydra"; + }; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix new file mode 100644 index 0000000..f621711 --- /dev/null +++ b/config/hosts/hydra/default.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + imports = [ + ./configuration.nix + ./hydra.nix + ./networking.nix + ./nginx.nix + ./nix.nix + ]; +} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix new file mode 100644 index 0000000..f315710 --- /dev/null +++ b/config/hosts/hydra/hydra.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + services.hydra = { + enable = true; + listenHost = "localhost"; + port = 3000; + hydraURL = "https://hydra.hamburg.ccc.de/"; + # E-Mail configuration requires some work/investigation still. + notificationSender = "no-reply@hydra.hamburg.ccc.de"; + useSubstitutes = true; + minimumDiskFree = 8; + minimumDiskFreeEvaluator = 2; + }; +} diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix new file mode 100644 index 0000000..82cec55 --- /dev/null 
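Review bot: `package = pkgs-unstable.forgejo-actions-runner;` moves the component that executes CI workflow code from the stable nixpkgs input to nixpkgs-unstable, so its version is now whatever revision the lock happens to hold for unstable rather than a maintained release branch; the lock in this same diff also rolls that input back (lastModified 1768661221 → 1761349956), so this may well be an older runner than before. If unstable is needed for a specific fix or feature, say which in a comment above the line, e.g. `# unstable: stable still ships the old forgejo-runner package`, so the pin does not outlive its reason. `pkgs-unstable` is only passed through `specialArgs` for one configuration in the flake hunk further down; I assume that is this host.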
+++ b/config/hosts/hydra/networking.nix @@ -0,0 +1,22 @@ +{ ... }: + +{ + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.163"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; + }; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:45:7C:D6"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix new file mode 100644 index 0000000..49ca2e1 --- /dev/null +++ b/config/hosts/hydra/nginx.nix @@ -0,0 +1,58 @@ +{ config, pkgs, ... }: + +let + domain = "hydra.hamburg.ccc.de"; +in +{ + services.nginx = { + enable = true; + + virtualHosts = { + "acme-${domain}" = { + default = true; + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + default = true; + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/" = { + proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}"; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8443 31820 ]; + networking.firewall.allowedUDPPorts = [ 8443 ]; +} diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix new file mode 100644 index 0000000..b95e469 --- /dev/null +++ b/config/hosts/hydra/nix.nix 
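Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` opens UDP 8443 although no listen entry in this file enables QUIC/HTTP/3 (there is no `quic` on the 8443 listen block), so the rule exposes a port nothing answers on. Unless the shared `common`/`proxmox-vm` modules, which are not in this diff, add an HTTP/3 listener, drop that line and keep the firewall to what nginx actually binds. Less important: both vhosts set `default = true`; that is harmless because they bind different ports, but a one-line comment that the ACME vhost is only the default for 31820 would save the next reader a check.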
@@ -0,0 +1,10 @@ +{ ... }: + +{ + # Allow Hydra to fetch flake inputs. + nix.settings.allowed-uris = [ + "github:" + "https://github.com/" + "https://git.hamburg.ccc.de/" + ]; +} diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix index 4d4693d..a441814 100644 --- a/config/hosts/mjolnir/networking.nix +++ b/config/hosts/mjolnir/networking.nix @@ -1,24 +1,18 @@ { ... }: { - networking.useDHCP = false; - - services.cloud-init = { - enable = true; - network.enable = true; - - # Version without ssh of: - # https://github.com/NixOS/nixpkgs/blob/3c9db02515ef1d9b6b709fc60ba9a540957f661c/nixos/modules/services/system/cloud-init.nix#L145 - # So we don't get ssh hostkey regenerations. - settings.cloud_config_modules = [ - "disk_setup" - "mounts" - "ssh-import-id" - "set-passwords" - "timezone" - "disable-ec2-metadata" - "runcmd" + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.161"; + prefixLength = 25; + } ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; systemd.network.links."10-net0" = { diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix index 68c30c2..507b71a 100644 --- a/config/hosts/public-reverse-proxy/nginx.nix +++ b/config/hosts/public-reverse-proxy/nginx.nix @@ -6,6 +6,22 @@ { config, pkgs, ... }: { + services.nginx.streamConfig = '' + map $ssl_preread_server_name $address { + status.ccchh.net 10.31.206.15:8443; + status.hamburg.ccc.de 10.31.206.15:8443; + } + + # Listen on port 443 as a reverse proxy and use PROXY Protocol for the + # upstreams. + server { + listen 0.0.0.0:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; + services.nginx.appendHttpConfig = '' map $host $upstream_acme_challenge_host { club-assistant.ccchh.net 10.31.208.10; 
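Review bot: `allowed-uris` entries are prefix matches, so `"github:"` and `"https://github.com/"` let any jobset configured on this Hydra fetch any GitHub repository, not just the inputs this flake uses. The lock in this diff only references the owners `nixos`/`NixOS`, `nix-community` and `Mic92`, so `"github:nixos/" "github:NixOS/" "github:nix-community/" "github:Mic92/"` plus the matching `https://github.com/<owner>/` forms would cover the current inputs while keeping a jobset from pulling arbitrary code; the match is case-sensitive, hence both spellings. If the wildcard is deliberate (ad-hoc jobsets), a comment saying so would help.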
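Review bot: the hunk drops `networking.useDHCP = false;` together with cloud-init, but the static addresses added here do not by themselves disable DHCP on `net0`: `networking.interfaces.<name>.useDHCP` falls back to the global `networking.useDHCP`, which NixOS defaults to true. Unless the shared `common`/`proxmox-vm` modules (outside this diff) set it to false, dhcpcd will still run on `net0` and a rogue DHCP server on the 172.31.17.128/25 segment could push a different gateway or resolvers on top of the static ones. Keeping `useDHCP = false;` inside the new `networking = { ... }` block, and in the identical new hydra and status networking files, makes the intent explicit either way.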
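Review bot: the `map $ssl_preread_server_name $address` block has no `default`, so a connection without SNI or with an unknown name yields an empty `$address` and nginx aborts the `proxy_pass` with a logged error per connection instead of an explicit policy; that is deny-by-default in effect, but spell it out, e.g. `default 127.0.0.1:1;` with a comment, so the behaviour survives the next edit. The map only knows the two status names; if this `server { listen 0.0.0.0:443; ... }` is the only 443 listener in the stream context then every other name this proxy fronts is unreachable over 443, and if another module already binds 443 there nginx will refuse to start on the duplicate bind. I cannot see the rest of this file, so treat both as things to confirm.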
@@ -19,6 +35,7 @@ zigbee2mqtt.ccchh.net 10.31.208.25:31820; esphome.ccchh.net 10.31.208.24:31820; proxmox-backup-server.ccchh.net 10.31.208.28; + status.ccchh.net 10.31.206.15:31820; default ""; } ''; diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix index b69e60b..9d0e173 100644 --- a/config/hosts/public-web-static/nginx.nix +++ b/config/hosts/public-web-static/nginx.nix @@ -1,12 +1,7 @@ { ... }: { - services.nginx = { - enable = true; - appendHttpConfig = '' - access_log off; - ''; - }; + services.nginx.enable = true; networking.firewall.allowedTCPPorts = [ 8443 31820 ]; networking.firewall.allowedUDPPorts = [ 8443 ]; diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index 95f9b59..ff59fab 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -23,7 +23,7 @@ in { ]; }; - "www.${domain}" = { + "$www.${domain}" = { forceSSL = true; useACMEHost = "${domain}"; diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix deleted file mode 100644 index d2e779a..0000000 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ /dev/null 
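Review bot: `status.ccchh.net 10.31.206.15:31820;` sends http-01 traffic to a port the status host does not serve: its new nginx.nix listens only on 80, 443 and 8443 and opens exactly those in the firewall, so the proxied challenge for status.ccchh.net (an `extraDomainNames` entry on the status.hamburg.ccc.de certificate) will be refused over IPv4. Either use `status.ccchh.net 10.31.206.15;` (port 80, like the `club-assistant.ccchh.net 10.31.208.10;` entry) or add a 31820 listener on the status host. Issuance may still succeed today if the CA validates over the host's direct IPv6 address, which would mask the problem; status.hamburg.ccc.de is absent from this map altogether and relies on that path entirely.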
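Review bot: removing `access_log off;` turns nginx access logging back on for every static vhost on this host, and because those vhosts resolve real client addresses from PROXY protocol (`real_ip_header proxy_protocol` in the per-site files) the log files will now hold visitor IPs. If that is intended, add a comment saying so and check that rotation and retention match what the club wants to keep; if it is an accidental revert, keep the `appendHttpConfig` block.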
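Review bot: `"$www.${domain}" = {` looks like a typo for `"www.${domain}" = {`: the attribute name becomes the vhost's `server_name`, nginx does not expand variables there, so the literal name `$www.c3cat.de` never matches a request and www.c3cat.de falls through to whichever server block nginx declares first on 8443 — and this same diff removes the explicit `default = true` from hamburg.ccc.de, so that is now an arbitrary sibling site. Revert the attribute name.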
@@ -1,118 +0,0 @@ -{ ... }: - -let - domain = "cpu.ccc.de"; - dataDir = "/var/www/${domain}"; - deployUser = "cpuccc-website-deploy"; -in -{ - security.acme.certs."cpu.ccc.de".extraDomainNames = [ - "lokal.ccc.de" - "local.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - extraConfig = '' - index index.html; - default_type text/plain; - - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - port_in_redirect off; - ''; - - locations."/" = { - tryFiles = "$uri $uri/ =404"; - - extraConfig = '' - location /feed/ { - default_type application/rss+xml; - types { - text/xml application/rss+xml; - } - } - - location /rss { - default_type application/rss+xml; - } - ''; - }; - }; - - "lokal.ccc.de" = { - forceSSL = true; - useACMEHost = "cpu.ccc.de"; - serverAliases = [ - "local.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://cpu.ccc.de"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. 
- set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de" - ]; - }; - users.groups."${deployUser}" = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 3532c25..793829a 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -4,7 +4,6 @@ imports = [ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix - ./cpu.ccc.de.nix ./cryptoparty-hamburg.de.nix ./element-admin.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix index 20bb644..1ee6180 100644 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix @@ -22,10 +22,6 @@ in "${domain}" = { forceSSL = true; useACMEHost = "${domain}"; - - locations."/shop" = { - return = "302 https://tickets.hamburg.ccc.de"; - }; listen = [ { diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index 1c967c9..8277b5f 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -17,7 +17,6 @@ "hamburg.ccc.de" = { forceSSL = true; useACMEHost = "hamburg.ccc.de"; - default = true; listen = [ { 
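Review bot: dropping `default = true;` leaves the 8443 PROXY-protocol listener on this host without an explicit default server (no other vhost in this diff sets one; files not shown may), so requests whose Host/SNI matches none of the configured names are answered by whichever `server` nginx declares first — in NixOS the alphabetically first attribute — with that site's certificate and content. If hamburg.ccc.de is no longer meant to be the catch-all, add a dedicated default vhost on 8443 that returns 444 or a plain 404, so an unknown name can never be answered with another site's content.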
diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix
new file mode 100644
index 0000000..c36dc63
--- /dev/null
+++ b/config/hosts/status/configuration.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ networking = {
+ hostName = "status";
+ domain = "z9.ccchh.net";
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix
new file mode 100644
index 0000000..d8644c5
--- /dev/null
+++ b/config/hosts/status/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./uptime-kuma.nix
+ ];
+}
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
new file mode 100644
index 0000000..0bff4b5
--- /dev/null
+++ b/config/hosts/status/networking.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "10.31.206.15";
+ prefixLength = 23;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a07:c481:1:ce::a";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "10.31.206.1";
+ defaultGateway6 = "2a07:c481:1:ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
+ search = [ "z9.ccchh.net" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:79:D3:E1";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix
new file mode 100644
index 0000000..8eff61c
--- /dev/null
+++ b/config/hosts/status/nginx.nix
@@ -0,0 +1,149 @@ +# Sources for this configuration: +# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy + +{ config, ... }: + +{ + services.nginx = { + enable = true; + + virtualHosts = { + "status.hamburg.ccc.de" = { + forceSSL = true; + enableACME = true; + serverName = "status.hamburg.ccc.de"; + + listen = [ + { + addr = "[::]"; + port = 80; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; + }; + "status-proxyprotocol.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.hamburg.ccc.de"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost:3001"; + proxyWebsockets = true; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 10.31.206.11; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. 
+ real_ip_header proxy_protocol; + ''; + }; + "status.ccchh.net" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.ccchh.net"; + + listen = [ + { + addr = "[::]"; + port = 80; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + globalRedirect = "status.hamburg.ccc.de"; + redirectCode = 307; + }; + "status-proxyprotocol.ccchh.net" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.ccchh.net"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + globalRedirect = "status.hamburg.ccc.de"; + redirectCode = 307; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 10.31.206.11; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + "status.z9.ccchh.net" = { + forceSSL = true; + useACMEHost = "status.hamburg.ccc.de"; + serverName = "status.z9.ccchh.net"; + + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "[::]"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + ]; + + globalRedirect = "status.hamburg.ccc.de"; + redirectCode = 307; + }; + }; + }; + + security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [ + "status.ccchh.net" + "status.z9.ccchh.net" + ]; + + networking.firewall.allowedTCPPorts = [ 80 443 8443 ]; +} diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix new file mode 100644 index 0000000..02411f2 --- /dev/null +++ b/config/hosts/status/uptime-kuma.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + services.uptime-kuma = { + enable = true; + }; +} 
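Review bot: the plain 80/443 listeners are asymmetric: `status.hamburg.ccc.de` and `status.ccchh.net` bind only `[::]`, which nginx treats as IPv6-only (`ipv6only=on` is its default for `[::]` listens), while `status.z9.ccchh.net` binds both `0.0.0.0` and `[::]`, so the IPv4 80/443 sockets belong solely to the z9 server block and it answers every IPv4 Host with its 307 to status.hamburg.ccc.de. An IPv4 client that reaches 10.31.206.15 directly with the real name therefore redirect-loops, and the actual site is only served directly over IPv6. Give the two real vhosts matching `{ addr = "0.0.0.0"; port = 80; }` / `{ addr = "0.0.0.0"; port = 443; ssl = true; }` entries, or drop the `0.0.0.0` ones from z9, so the listen sets line up. Worth a comment either way: with `allowedTCPPorts = [ 80 443 8443 ]` and a global IPv6 address this instance is reachable without passing the public reverse proxy, so whatever that proxy filters does not apply on v6.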
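Review bot: `services.uptime-kuma.enable = true;` starts an instance with no admin account; a fresh Uptime Kuma shows its setup page to the first visitor and lets them create the admin user, and the nginx config in this same diff publishes port 3001 on public names immediately. Complete the initial setup before the host goes behind the proxy (or keep the vhosts disabled until then) and add a comment recording that. As far as I can tell the NixOS module binds to 127.0.0.1:3001 by default, which matches the `proxyPass` targets, so only nginx reaches it — a one-line comment stating that assumption would keep someone from later exposing it on `0.0.0.0`.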
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 1bb46e7..9c2f99a 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -16,13 +16,16 @@
 "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
 },
 "mjolnir": {
- "targetHostname": "mjolnir.hosts.hamburg.ccc.de"
+ "targetHostname": "mjolnir-intern.hamburg.ccc.de"
 },
 "woodpecker": {
 "targetHostname": "woodpecker-intern.hamburg.ccc.de"
 },
 "penpot": {
 "targetHostname": "penpot-intern.hamburg.ccc.de"
+ },
+ "hydra": {
+ "targetHostname": "hydra-intern.hamburg.ccc.de"
 }
 }
 }
diff --git a/flake.lock b/flake.lock
index 3230d75..3d624db 100644
--- a/flake.lock
+++ b/flake.lock
@@ -17,29 +17,63 @@ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys" } }, - "nixpkgs": { + "nixlib": { "locked": { - "lastModified": 1768621446, - "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "72ac591e737060deab2b86d6952babd1f896d7c5", + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-25.11", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1736657626, + "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1768661221, - "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=", + "lastModified": 1761349956, + "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3327b113f2ef698d380df83fbccefad7e83d7769", + "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538", "type": "github" }, "original": { 
@@ -49,10 +83,27 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1761173472, + "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "authorizedKeysRepo": "authorizedKeysRepo", - "nixpkgs": "nixpkgs", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } @@ -64,11 +115,11 @@ ] }, "locked": { - "lastModified": 1768709255, - "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=", + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e976c25..3901c78 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,15 +5,15 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; - # # Add nixos-generators as an input. - # # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake - # nixos-generators = { - # url = "github:nix-community/nixos-generators"; - # #inputs.nixpkgs.follows = "nixpkgs"; - # }; + # Add nixos-generators as an input. + # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake + nixos-generators = { + url = "github:nix-community/nixos-generators"; + #inputs.nixpkgs.follows = "nixpkgs"; + }; # Add sops-nix as an input for secret management. # See here: https://github.com/Mic92/sops-nix?tab=readme-ov-file#flakes-current-recommendation @@ -28,7 +28,7 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, authorizedKeysRepo, ... }: + outputs = { self, nixpkgs, nixos-generators, nixpkgs-unstable, sops-nix, authorizedKeysRepo, ... }: let specialArgs = { inherit authorizedKeysRepo; @@ -147,6 +147,7 @@ ]; specialArgs = { inherit authorizedKeysRepo; + inherit pkgs-unstable; }; }; @@ -200,6 +201,16 @@ ]; }; + status = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops + ./config/hosts/status + ]; + }; + penpot = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ 
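Review bot: `#inputs.nixpkgs.follows = "nixpkgs";` stays commented out, so nixos-generators brings its own nixpkgs — the lock in this diff pins it as the separate `nixpkgs` node at `nixpkgs-unstable` rev 2f9e2f85 (lastModified 1736657626, about a year older than the repo's other inputs) — and, since the `nixosGenerate` calls further down pass no `pkgs`, the proxmox templates get their kernel, openssh and everything else from that stale tree rather than the channel the hosts run. Uncomment `inputs.nixpkgs.follows = "nixpkgs";` unless there is a known incompatibility, and if there is, record it in the comment. Separately, `nixpkgs.url` moves from `nixos-25.11` back to `nixos-25.05`; if this is an intentional revert, say so in the commit message, because 25.05 stops receiving updates once 25.11 is out.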
@@ -210,33 +221,48 @@ ./config/hosts/penpot ]; }; + + hydra = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter + ./config/hosts/hydra + ]; + }; }; - # packages.x86_64-linux = { - # proxmox-nixos-template = nixos-generators.nixosGenerate { - # inherit specialArgs; - # system = "x86_64-linux"; - # modules = [ - # ./config/nixos-generators/proxmox.nix - # self.nixosModules.common - # self.nixosModules.proxmox-vm - # ]; - # format = "proxmox"; - # }; + packages.x86_64-linux = { + proxmox-nixos-template = nixos-generators.nixosGenerate { + inherit specialArgs; + system = "x86_64-linux"; + modules = [ + ./config/nixos-generators/proxmox.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + ]; + format = "proxmox"; + }; - # proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { - # inherit specialArgs; - # system = "x86_64-linux"; - # modules = [ - # ./config/nixos-generators/proxmox-chaosknoten.nix - # ./config/proxmox-chaosknoten-additional-initial-config.nix - # self.nixosModules.common - # self.nixosModules.proxmox-vm - # ]; - # format = "proxmox"; - # }; - # }; + proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { + inherit specialArgs; + system = "x86_64-linux"; + modules = [ + ./config/nixos-generators/proxmox-chaosknoten.nix + ./config/proxmox-chaosknoten-additional-initial-config.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + ]; + format = "proxmox"; + }; + }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + + hydraJobs = { + inherit (self) packages; + nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations; + }; }; } diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index 43d1285..f02485f 100644 --- a/modules/services/audio/shairport-sync.nix 
+++ b/modules/services/audio/shairport-sync.nix 
@@ -18,47 +18,33 @@ in services.shairport-sync = { enable = true; package = pkgs.shairport-sync-airplay2; - arguments = "-o pw -v"; + settings = { + diagnostics = { + log_verbosity = 1; + }; + general = { + name = cfg.name; + output_backend = "pw"; + }; + metadata = { + enabled = "yes"; + include_cover_art = "yes"; + cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; + pipe_name = "/tmp/shairport-sync-metadata"; + pipe_timeout = 5000; + }; + mqtt = { + enabled = "yes"; + hostname = "mqtt.ccchh.net"; + port = 1883; + publish_parsed = "yes"; + publish_cover = "yes"; + }; + }; }; users.users.shairport.extraGroups = [ "pipewire" "audio" ]; - environment.etc.shairport-sync-config = { - enable = true; - text = '' - // Config for MQTT and metadata. - // For reference see: - // https://github.com/mikebrady/shairport-sync/blob/8c607e2d61ea5fde8ed0b48b2471a543840c31e6/scripts/shairport-sync.conf - // https://github.com/mikebrady/shairport-sync/blob/0f0f65b67649d4a25d06f13b56a6077a90b0f6cc/MQTT.md - general = - { - name = "${cfg.name}"; - } - - metadata = - { - enabled = "yes"; // set this to yes to get Shairport Sync to solicit metadata from the source and to pass it on via a pipe - include_cover_art = "yes"; // set to "yes" to get Shairport Sync to solicit cover art from the source and pass it via the pipe. You must also set "enabled" to "yes". - cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; // artwork will be stored in this directory if the dbus or MPRIS interfaces are enabled or if the MQTT client is in use. 
Set it to "" to prevent caching, which may be useful on some systems - pipe_name = "/tmp/shairport-sync-metadata"; - pipe_timeout = 5000; // wait for this number of milliseconds for a blocked pipe to unblock before giving up - }; - - - mqtt = - { - enabled = "yes"; // set this to yes to enable the mqtt-metadata-service - hostname = "mqtt.ccchh.net"; // Hostname of the MQTT Broker - port = 1883; // Port on the MQTT Broker to connect to - // publish_raw = "no"; //whether to publish all available metadata under the codes given in the 'metadata' docs. - publish_parsed = "yes"; //whether to publish a small (but useful) subset of metadata under human-understandable topics - publish_cover = "yes"; //whether to publish the cover over mqtt in binary form. This may lead to a bit of load on the broker - // enable_remote = "yes"; //whether to remote control via MQTT. RC is available under `topic`/remote. - }; - ''; - target = "shairport-sync.conf"; - }; - systemd.services.shairport-sync = { serviceConfig = { Restart = "on-failure";
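Review bot: the `mqtt` block connects to `mqtt.ccchh.net` on 1883 with no `username`/`password` and no TLS, so now-playing metadata and cover art are published in clear and, if the broker accepts anonymous clients, anything on that segment can read or publish the same topics; `enable_remote` is (rightly) not set, so inbound control stays off — add `# enable_remote deliberately left off: would allow playback control via MQTT` so that stays a conscious choice. If the broker has credentials they must not go into `settings` (that lands in the world-readable store); they need a sops-managed secret. `/tmp/shairport-sync-metadata` and `/tmp/shairport-sync/.cache/coverart` are fixed paths in a world-writable directory that a local user can pre-create; unless the unit runs with `PrivateTmp=true` (the `systemd.services.shairport-sync` block continues past this hunk), moving them under `/run/shairport-sync/` via `RuntimeDirectory` avoids that.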