Merge pull request 'test workflow' (#1) from workflows into main

Reviewed-on: #1

.github/workflows/deploy.yml

@@ -0,0 +1,11 @@
+on:
+  push:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix develop
+      - run: colmena build -v --on @fili

.github/workflows/lint.yml

@@ -0,0 +1,7 @@
+on: [push]
+jobs:
+  lint:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix fmt -- --check .

fili/configuration.nix

@@ -16,7 +16,6 @@ _: {
     networkmanager.enable = true;
   };
 
-
   nix.settings = {
     # users that can interact with nix
     trusted-users = [

fili/lib/auth.nix

@@ -1,4 +1,5 @@
-{ baseUrl, clientId }: {
+{ baseUrl, clientId }:
+{
   inherit clientId;
 
   userAuthUrl = "${baseUrl}/ui/oauth2";

fili/services/auth/kanidm.nix

@@ -1,9 +1,11 @@
-{pkgs, config, ...}: let
+{ pkgs, config, ... }:
+let
   lib = pkgs.lib;
   domain = "auth.donsz.nl";
   port = 3013;
   backupsDir = "/var/lib/kanidm/backup";
-in {
+in
+{
   services.kanidm.enableServer = true;
   services.kanidm.package = pkgs.kanidm_1_6;
   services.kanidm.serverSettings = {
@@ -26,12 +28,11 @@ in {
       mkdir -p "${backupsDir}"
     '';
     serviceConfig = {
-      SupplementaryGroups =
+      SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
-        [ config.security.acme.certs.${domain}.group ];
     };
   };
 
-  environment.systemPackages = [pkgs.kanidm];
+  environment.systemPackages = [ pkgs.kanidm ];
 
   services.nginx.virtualHosts.${domain} = {
     forceSSL = true;

fili/services/auth/oauth2-proxy.nix

@@ -1,45 +1,50 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
   sops.secrets.oauth2-proxy = {
     sopsFile = ../../../secrets/oauth2-proxy.env;
   };
 
   services.oauth2-proxy =
     let
-      auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
+      auth = import ../../lib/auth.nix {
-    in {
+        baseUrl = "https://auth.donsz.nl";
-    enable = true;
+        clientId = "homeserver";
+      };
+    in
+    {
+      enable = true;
 
-    provider = "oidc";
+      provider = "oidc";
-    clientID = "${auth.clientId}";
+      clientID = "${auth.clientId}";
-    oidcIssuerUrl = auth.oidcIssuerUri;
+      oidcIssuerUrl = auth.oidcIssuerUri;
 
-    proxyPrefix = "/oauth2";
+      proxyPrefix = "/oauth2";
-    reverseProxy = true;
+      reverseProxy = true;
 
-    keyFile = config.sops.secrets.oauth2-proxy.path;
+      keyFile = config.sops.secrets.oauth2-proxy.path;
 
-    loginURL = auth.apiAuthUrl;
+      loginURL = auth.apiAuthUrl;
-    redeemURL = auth.tokenUrl;
+      redeemURL = auth.tokenUrl;
-    validateURL = auth.rfc7662TokenIntrospectionUrl;
+      validateURL = auth.rfc7662TokenIntrospectionUrl;
-    profileURL = auth.oidcUserInfo;
+      profileURL = auth.oidcUserInfo;
 
-    scope = "openid profile email";
+      scope = "openid profile email";
 
-    email.domains = [ "*" ];
+      email.domains = [ "*" ];
 
-    cookie = {
+      cookie = {
-      domain = "donsz.nl";
+        domain = "donsz.nl";
-      refresh = "1h";
+        refresh = "1h";
-      secure = true;
+        secure = true;
+      };
+
+      extraConfig = {
+        whitelist-domain = [ "*.donsz.nl" ];
+      };
+
+      nginx.domain = "oauth2.donsz.nl";
     };
 
-    extraConfig = {
-      whitelist-domain = ["*.donsz.nl"];
-    };
-
-    nginx.domain = "oauth2.donsz.nl";
-  };
-
   services.nginx.virtualHosts."oauth2.donsz.nl" = {
     forceSSL = true;
     http2 = true;

fili/services/forgejo.nix

@@ -1,4 +1,9 @@
-{ lib, pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 let
   cfg = config.services.forgejo;
   srv = cfg.settings.server;
@@ -6,7 +11,7 @@ in
 {
   sops.secrets.forgejo = {
     sopsFile = ../../secrets/forgejo.yaml;
-    key="email_password";
+    key = "email_password";
     format = "yaml";
   };
 
@@ -33,7 +38,7 @@ in
     lfs.enable = true;
     user = "forgejo";
     group = "forgejo";
-    repositoryRoot="/storage/storage/git";
+    repositoryRoot = "/storage/storage/git";
 
     database = {
       type = "postgres";
@@ -43,8 +48,8 @@ in
 
     settings = {
       DEFAULT = {
-        APP_NAME="jana's git server";
+        APP_NAME = "jana's git server";
-        APP_SLOGAN="meow!";
+        APP_SLOGAN = "meow!";
       };
       server = {
         DOMAIN = "git.donsz.nl";
@@ -62,7 +67,7 @@ in
         DEFAULT_ACTIONS_URL = "github";
       };
       repository = {
-        DEFAULT_PRIVATE="private";
+        DEFAULT_PRIVATE = "private";
       };
       mailer = {
         ENABLED = true;
@@ -73,4 +78,56 @@ in
     };
     mailerPasswordFile = config.sops.secrets.forgejo.path;
   };
+
+  users.groups.forgejo-runner = { };
+  users.users.forgejo-runner = {
+    isSystemUser = true;
+    group = "forgejo-runner";
+  };
+
+  sops.secrets.forgejo-runner = {
+    sopsFile = ../../secrets/forgejo-runner.env;
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+
+    instances.fili = {
+      enable = true;
+      name = "forgejo-runner-01";
+      tokenFile = config.sops.secrets.forgejo-runner.path;
+      url = "https://git.donsz.nl/";
+      labels = [
+        "nix:host"
+        "docker:docker://node:16-bullseye"
+        "ubuntu-latest:docker://node:16-bullseye"
+      ];
+      settings = { };
+
+      hostPackages = with pkgs; [
+        # default ones
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+
+        # used in deployments
+        lix
+        openssh
+      ];
+    };
+  };
+
+  virtualisation.docker = {
+    daemon.settings = {
+      fixed-cidr-v6 = "fd00::/80";
+      ipv6 = true;
+    };
+  };
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
 }

fili/services/nginx.nix

@@ -1,4 +1,5 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
   services.nginx = {
     enable = true;
     statusPage = true;

fili/services/websites/homepage.nix

@@ -1,4 +1,5 @@
-{flakes, pkgs, ...}: {
+{ flakes, pkgs, ... }:
+{
   services.nginx = {
     virtualHosts."donsz.nl" = {
       forceSSL = true;

fili/services/websites/mapf.nix

@@ -1,4 +1,5 @@
-{flakes,...}: {
+{ flakes, ... }:
+{
   # imports = [
   #   flakes.mapf.nixosModules.default
   # ];

fili/services/websites/totpal.nix

@@ -1,8 +1,6 @@
-{ flakes, pkgs,... }:
+{ flakes, pkgs, ... }:
 let
-  totpal =
+  totpal = flakes.totpal.packages.${pkgs.system}.default;
-    flakes.totpal.packages.${pkgs.system}.default
-  ;
 in
 {
   services.nginx = {
@@ -17,12 +15,11 @@ in
     };
   };
 
-  systemd.services.totpal =
+  systemd.services.totpal = {
-    {
+    description = "totpal";
-      description = "totpal";
+    serviceConfig = {
-      serviceConfig = {
+      Type = "simple";
-        Type = "simple";
+      ExecStart = "${totpal}/bin/totpal";
-        ExecStart = "${totpal}/bin/totpal";
-      };
     };
+  };
 }

secrets/forgejo-runner.env

@@ -0,0 +1,7 @@
+TOKEN=ENC[AES256_GCM,data:5WnyyafhDtizIzL4VjXYsMFxLTKikS4Lg6rNGoeVbMqXbquutotfcQ==,iv:2QknXqH8eHft9NHy6K17uv2WvSfvDE8HJsaBDfzUlws=,tag:jw0ffCsfhBNBy++W7cyJsg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaTZNTmxkMVVuWER0dTZN\nL3N0cDF2bHdpZUNLQWdJMHVjVk5LbnY1OGlVClpya1VhcHdRUW0yUW5CL21mSUJN\nMDU5cFZ1QUppaHZ2dXkwUjgrVFloS3cKLS0tIGNzRWUxSFlXUnR5eFhEQkNOWmRY\nV0dNWWRXVnJCU0duU2dGcWZRWFhMUm8K9dsrIrABcLRZ4pfduYrIaSiEVF+e2OA0\nOGY2eYWAxbgtqBXEX+vLn0eNtoAptpQi2WgOWwVPr1M1+07w7jExBA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
+sops_lastmodified=2025-08-20T10:03:18Z
+sops_mac=ENC[AES256_GCM,data:Su4KI/pxc1hqNzEYoA1iPU2a5Fp9o/SEf2DW+hx0T5sNL8UvUFDELqYUoGvNNuz1/59ZR8cEmNWhao9euBoF0eVoUAVuS6ADKkX8EjXXJY8qR3M7aseweYxRYXADcWLTlrXsK4xWU6z+NKwmdvYzir9N1XEeR+w3fJLBBNPBnZI=,iv:z3e0kJuJsCLrBGDXZZiYERA48bdvxTxCsPnSdUFgtT8=,tag:rW0zsoEKnKRTpJN8pkJ4/A==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2

users/users.nix

@@ -17,43 +17,43 @@
   };
 
   users.extraUsers.jonathan = {
-      isNormalUser = true;
+    isNormalUser = true;
-      shell = pkgs.fish;
+    shell = pkgs.fish;
-      openssh.authorizedKeys.keys = [
+    openssh.authorizedKeys.keys = [
-        # ori (lenovo laptop/desktop)
+      # ori (lenovo laptop/desktop)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
 
-        # bastion (arch server)
+      # bastion (arch server)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
 
-        # fili (server)
+      # fili (server)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
 
-        # kili (tudelft laptop)
+      # kili (tudelft laptop)
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
 
-        # nori hp tudelft laptop
+      # nori hp tudelft laptop
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
 
-        # oneplus 5 phone
+      # oneplus 5 phone
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
 
-        # git deploy key
+      # git deploy key
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
-      ];
+    ];
-      # Make me admin
+    # Make me admin
-      extraGroups = [
+    extraGroups = [
-        "systemd-journal"
+      "systemd-journal"
-        "wheel"
+      "wheel"
-        "networkmanager"
+      "networkmanager"
-        "libvirtd"
+      "libvirtd"
-        "dialout"
+      "dialout"
-        "storage"
+      "storage"
-        "syncthing"
+      "syncthing"
-        "jellyfin"
+      "jellyfin"
-        "media"
+      "media"
-      ];
+    ];
-    };
+  };
 
   users.extraUsers.jana = {
     isNormalUser = true;