diff --git a/.forgejo/workflows/main.yaml b/.forgejo/workflows/main.yaml new file mode 100644 index 0000000..4df6b59 --- /dev/null +++ b/.forgejo/workflows/main.yaml @@ -0,0 +1,7 @@ +on: [push] +jobs: + check: + runs-on: nix-latest + steps: + - uses: actions:checkout@v4 + - run: nix flake check diff --git a/.sops.yaml b/.sops.yaml index df4e573..bfcbbe1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,11 +2,13 @@ keys: - &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - &consensus age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - - &oracle age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h + - &oracle1 age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h + - &oracle2 age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc creation_rules: - path_regex: secrets/[^/]+\.yaml$ key_groups: - age: - *t14 - *consensus - - *oracle + - *oracle1 + - *oracle2 diff --git a/flake.nix b/flake.nix index 97ad087..10b3019 100755 --- a/flake.nix +++ b/flake.nix @@ -97,13 +97,30 @@ path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus; }; }; - oracle = { - hostname = "oracle"; + oracle1 = { + hostname = "oracle1"; sshUser = "root"; + sshOpts = [ + "-p" + "2022" + ]; remoteBuild = false; profiles.system = { user = "root"; - path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle; + path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle1; + }; + }; + oracle2 = { + hostname = "oracle2"; + sshUser = "root"; + sshOpts = [ + "-p" + "2022" + ]; + remoteBuild = false; + profiles.system = { + user = "root"; + path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle2; }; }; }; diff --git a/home-manager/t14/home.nix b/home-manager/t14/home.nix index 2cfb1fd..54f65dd 100755 --- a/home-manager/t14/home.nix +++ b/home-manager/t14/home.nix 
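Review bot: The `uses: actions:checkout@v4` step has a colon where an action reference normally has a slash, so the checkout is unlikely to resolve; it probably should read `- uses: actions/checkout@v4`. This job runs on every push on a self-hosted runner, so it is also worth pinning the action to a full commit SHA instead of the movable `v4` tag; a retagged upstream then cannot change what executes on the runner. `nix flake check` inside the `nixos/nix` image may also need flakes enabled (for example through `NIX_CONFIG`), which is not visible in this diff.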
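Review bot: Adding `*oracle2` to the single `secrets/[^/]+\.yaml$` rule lets the CI runner host decrypt every secret in the repository. The re-keyed `secrets/cf-acme.yaml` later in this commit shows that what appears to be the ACME DNS credential is now readable there. oracle2 runs repository-supplied workflow code in Docker, so it should hold the fewest keys. Consider a more specific rule placed first, `- path_regex: secrets/forgejo-runner\.yaml$`, whose age group lists only `*t14` and `*oracle2`, and leave `*oracle2` out of the catch-all group. The same split would keep the runner token in `secrets/forgejo-runner.yaml` from being encrypted to consensus and oracle1, which do not appear to need it.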
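Review bot: The `oracle1` and `oracle2` node definitions are identical apart from the name, so one can drift from the other, for example if the SSH port in `sshOpts` changes on only one host. A small local helper that takes the node name and returns the attribute set, used as `oracle1 = mkOracleNode "oracle1";`, would keep them in step. A comment such as `# port 2022 must match the sshd port configured for the oracle hosts` above `sshOpts` would also record why the non-default port is there. The enclosing nodes attribute set starts and ends outside the hunk.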
@@ -50,9 +50,16 @@ hostname = "consensus.tailc353f.ts.net"; identityFile = "/home/e/.ssh/id_ed25519"; }; - "oracle" = { + "oracle1" = { port = 2022; - hostname = "129.213.119.29"; + hostname = "oracle1"; + user = "root"; + identityFile = "/home/e/.ssh/id_ed25519"; + }; + "oracle2" = { + port = 2022; + hostname = "oracle2"; + user = "root"; identityFile = "/home/e/.ssh/id_ed25519"; }; "10110110.xyz" = { diff --git a/nixos/default.nix b/nixos/default.nix index 3d3b326..2e8068d 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -41,7 +41,7 @@ in ./consensus/configuration.nix ]; }; - oracle = inputs.nixpkgs.lib.nixosSystem { + oracle1 = inputs.nixpkgs.lib.nixosSystem { inherit pkgs; specialArgs = { inherit inputs system attrs; @@ -52,6 +52,21 @@ in }; modules = defaultModules ++ [ ./oracle/configuration.nix + ./oracle/forgejo.nix + ]; + }; + oracle2 = inputs.nixpkgs.lib.nixosSystem { + inherit pkgs; + specialArgs = { + inherit inputs system attrs; + host = { + hostName = "oracle2"; + inherit (attrs) username; + }; + }; + modules = defaultModules ++ [ + ./oracle/configuration.nix + ./oracle/forgejo-runner.nix ]; }; } diff --git a/nixos/oracle/configuration.nix b/nixos/oracle/configuration.nix index 3c3a21c..b3e8765 100644 --- a/nixos/oracle/configuration.nix +++ b/nixos/oracle/configuration.nix @@ -1,8 +1,7 @@ -{ ... }: +{ host, ... }: { imports = [ ./hardware-configuration.nix - ./forgejo.nix ]; boot.tmp.cleanOnBoot = true; boot.kernel.sysctl = { @@ -60,7 +59,7 @@ networking = { domain = ""; hostId = "81238132"; - hostName = "oracle1"; + hostName = host.hostName; firewall = { enable = true; allowedTCPPorts = [ diff --git a/nixos/oracle/forgejo-runner.nix b/nixos/oracle/forgejo-runner.nix new file mode 100644 index 0000000..f7ec768 --- /dev/null +++ b/nixos/oracle/forgejo-runner.nix 
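Review bot: Replacing the pinned address with the bare name `oracle1` (and adding `oracle2` the same way) makes these `user = "root"` logins depend on whatever resolves that short name on the laptop. The `consensus` block just above uses a fully qualified tailnet name. If the oracle hosts are on the same tailnet, writing their names in the same fully qualified form avoids search-domain surprises; otherwise add a comment such as `# oracle1 resolves via <where the name is defined>`. Host-key verification remains the real safeguard, so the known_hosts entries recorded for the new names should be compared with the hosts' actual keys on first connect.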
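Review bot: `hostName` now varies per host, but the `hostId = "81238132";` line just above it stays fixed, so oracle1 and oracle2 get the same host ID now that both import this file. The ID is meant to be unique per machine. Consider passing it with the name, `hostId = host.hostId;`, and setting a distinct value per host in `nixos/default.nix`. The shared `./hardware-configuration.nix` import and the `allowedTCPPorts` list, which continues outside the hunk, now apply to both machines too, so check that the runner host does not inherit ports opened for the Forgejo server. The `host` argument passed for oracle1 is not visible in this diff; confirm it sets `hostName = "oracle1"` so the existing host keeps its name.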
@@ -0,0 +1,24 @@ +{ pkgs, config, ... }: +{ + sops = { + secrets = { + "forgejo-runner" = { + sopsFile = ../../secrets/forgejo-runner.yaml; + }; + }; + }; + virtualisation.docker.enable = true; + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "oracle-runner1"; + url = "https://git.10110110.xyz"; + tokenFile = config.sops.secrets."forgejo-runner".path; + labels = [ + "ubuntu-latest:docker://node:20-bullseye" + "nix-latest:docker://nixos/nix:latest" + ]; + }; + }; +} diff --git a/nixos/oracle/forgejo.nix b/nixos/oracle/forgejo.nix index 63442f4..becf866 100644 --- a/nixos/oracle/forgejo.nix +++ b/nixos/oracle/forgejo.nix @@ -39,6 +39,10 @@ in database.type = "sqlite3"; dump.enable = true; settings = { + DEFAULT = { + APP_NAME = "git.10110110.xyz"; + APP_SLOGAN = "No rice, no life."; + }; server = { DOMAIN = "git.10110110.xyz"; # You need to specify this to remove the port from URLs in the web UI. @@ -46,6 +50,10 @@ in HTTP_PORT = 3000; }; service.DISABLE_REGISTRATION = true; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + }; session.COOKIE_SECURE = true; actions = { ENABLED = true; diff --git a/secrets/cf-acme.yaml b/secrets/cf-acme.yaml index 53824cd..17b65c6 100644 --- a/secrets/cf-acme.yaml +++ b/secrets/cf-acme.yaml 
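Review bot: Both runner labels point at movable image tags, `nixos/nix:latest` and `node:20-bullseye`, so the environment that executes CI jobs on this host can change without any change to this repository. Pin them by digest, e.g. `"nix-latest:docker://nixos/nix@sha256:<digest-placeholder>"`, and bump the digest deliberately. Jobs are started through the host Docker daemon enabled here, and access to that daemon is equivalent to root on the machine, so confirm that the runner's settings keep privileged containers and host volume mounts disabled. A comment above `virtualisation.docker.enable` stating this would help. The instance name `oracle-runner1` also reads as if it ran on oracle1, while `nixos/default.nix` attaches this module to oracle2.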
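Review bot: `ENABLE_AUTO_REGISTRATION = true` creates an account for anyone who can sign in through a configured OAuth2 source. As far as I can tell, the `service.DISABLE_REGISTRATION = true` line kept just above does not block that. The OAuth2 source is not part of this diff; if it is a public provider rather than an identity provider you control, any of its users could get an account on an instance that has Actions enabled and a runner attached. Add a comment naming the trusted source, e.g. `# auto-registration relies on <identity provider>; do not add public OAuth2 sources`, and consider restricting what newly created accounts may do by default. The `settings` block continues outside the hunk.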
@@ -4,29 +4,38 @@ sops: - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBITExOYlBkVlRKSHVpc2U2 - L3BJNUV1UER0M0JldzNMTm9qam1nWGIwa2pnCnptZ2I3SU5rV3pwQTcvV3E4YWVI - LzlQa1NxWVVDcHJma1lmSWt6ZUZuV3MKLS0tIFlXK3UzR2JDOEFOUmJYZFpkLzE1 - QVQ3MVpueENUTmdaNCtKcjhBVkRDUjAKSze6cNG0BfETuDylwUGZD02P/NL3O3O4 - LBIhQAyShgzAqqmus/aCoYPfVChuuH9sEspZHWFSQV8aTJL1kFX0yw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bEpKNEhOMVRYazNDSmhB + T0VadEhCdExkT2tXaklDcXFMcnNYTkx6ejJVCmJiRFUyVGRkU2tTalBCUFpYTWVk + WkZNSFVSSi9lMkQyOFU1bVM5WkFCSkUKLS0tIGo0c0QrRStRWEp3SE9vNFdMY0lP + dDNaTGprZVRlcmpwSzZmVzl3clZ3MzgK8y4ck9cgiPT6jDl23g0Da6mr7+KD7J+K + DflytAEkBZxWN8JLIeFSml6HS65xWeMuwjnQHVXQVQBlVAN9pl4fmg== -----END AGE ENCRYPTED FILE----- - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTUtpYzJYbU1oRDlTc295 - YVQySmdvbjhwK2pBaU5XRlFsVDNJSHl5blE0Cjh1bjNrY0wrMUdvVExpMXJSVTc1 - R1ZKRGpQSmE1N09nYzZNTXFHT1pqbmcKLS0tIDRYYys3WUhTQnJkS0hMT2lRS01o - bUt2RVdUZzdFZFVOTWNOOHBkSlZ4bmsK350/b+SL+0TT1ZJ6AIB9iDibf4L5ySpg - P9ZkCmiDd3Le7ehlxJRBP+ynQOq+B0+zsoAUrS2AAcCo7nSKLnfZ0A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNzZUdnVwUDBKRmo3Nm9s + Q0l1NXZOQXhvT1JIZStLK0YyWWhQbVNuazJVCnRDa21lcHJpczk4OWtsbkN3Z2tW + aXJGbnJGK1VvenJwa0ExWEFrZ3pFYjQKLS0tIGxBcUxlcnV4UEQyeE5sTWNDRU1l + bTVmbmxhZXk5RmlUV0h0dWFVZyszSnMKQ/DVB38i8a5d6LFJaftxChthRdjBY5GQ + TsFDbl6okwxUqBCx07A0ftYSeCHoC2Nj/AW0b8HU0DwXPPHqXwA08w== -----END AGE ENCRYPTED FILE----- - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSW5Fc3pUblI3dll6OEcx - NkVVcndybkZkOW93WmdjaE9zQnVFVGdHVkRBCnlZMWFLalloZ0xEOVVwVU9QTVd2 - TS9aRnpSdU9uTzV3SlVxL0tkQ3R2aFEKLS0tIE1PSEV4UnBCSXc1S1BQb3VNeVlt - 
c0pldlQ5UFN5NWh3QWRwSnZCejZXcVUKY7vVyf567eOBhwZvy1E8MyDtLo3ljwST - 5mgOLRaEU+G9bVOPGfClaBHK94sJMlHABa9M8bhd7Naws+OeUyKI4A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZjY1RXI1Y3MyeWVlMGlC + Nm1XNUlkODFYTkRqbnlMUytxZjZNSURYcXg0CjYxaDdLWDVZR0gwdEgrMVBSK1Br + V2lXZ2t2Nnp2ZG52YWxYQXVoKzBTU1UKLS0tIG9RcUdqQ2E4cnlFbVRQajVJalM5 + bWhxdERTaHpFSVE5MEdoRndMM3VGK2MKYbs06A2NmyFKssKqeudt/mFG4l/yDV9k + Kod6mEZYxdjUP91waOmLCC997DSIkih9sHaaYhm/ahy4ryD4fstkLA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek8vNVNZUkNraGNGbFJy + RmliVHFiVnRhUDArVFN0MGplTkYzbGxSQmg4ClZaMzZobFM3eGNvaytIeEJ3cjI2 + VlhKNXBIK0pWTml2TThqQ1VUSi9hMHcKLS0tIEExN0dwWS9UNTBzWmZTWHFnWnBH + Skx4ZWgrN0lFLzNyL0RTNWRaRnZUL0kKGysePFPyRFVSEfoSaqsdRkH/SbkWy7RJ + IyYjt0JFtSo9QplzHFkOsdbeAV5E8MrMP/lFhhvPZcjwmO6/Pxl5Lg== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-06-02T00:02:47Z" mac: ENC[AES256_GCM,data:l3I8KNMoZGrUUS/RzY0fAr7DkvyhynOqPW/09IfI8sKYBP+gavdf3/OpW3uwhYzuS6pRWwCaUTa0F+HELu7rBG8FwpvyBpdeAgZb1hVFtKeBuaCjXDieuxKjj27IKLx3UbHx2iRm91oB7bIMZaXYMrlYVmrs/BkgoT8vHj5j7Rc=,iv:KaB9qaUTYbnS6ix297MjIHxl+LSazZnRW0Lu2bP/kmk=,tag:bbncBMsk/qOfz0LRmrqiUQ==,type:str] diff --git a/secrets/forgejo-runner.yaml b/secrets/forgejo-runner.yaml new file mode 100644 index 0000000..0274b22 --- /dev/null +++ b/secrets/forgejo-runner.yaml 
@@ -0,0 +1,43 @@ +forgejo-runner: ENC[AES256_GCM,data:Ia4WxFUh2/AkvwIIs+E2HW+gfiLYZN0m1ZiFMe5hLKxvR2+1/VZymM//4qv4Dw==,iv:ZnSE0EyGjY87vltqpd8uQTv0qX0bsv0OHNVhuFl1itc=,tag:FnVX+MgHuPRtiW3hK1TsBw==,type:str] +sops: + age: + - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUEh4TDhiL2ZQRlpBRUd5 + ZDduRGpqd2xNdml1eHIyanM3bVpyazFYZld3CjFHS29NcXhUTTJRQS9haUxYUzZn + akIzZW0yMFNyUEV5MDJ1c1NJRGwzekkKLS0tIDJ0ZmdXVVQ5TDUzUmRvYTIrY3JC + Q1l5NHZZRGgxTjkyRml3Zjk3c0J6b0UKWxpejYzaLl5ndmITKoWeFdwjytSQwTm+ + 6FKP8jFUjybRjhAVvJDQ7Cxab+oHJ7p7+fCAT5mo7i3okVB7bdHhrw== + -----END AGE ENCRYPTED FILE----- + - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZnYyNVZqNzVYcitMampP + a0VtYTkwRlNkaktrNThZeGljZUt1RXgrYkQ0Ck5WNHNHT3NOd2daSW8rMERsN1JN + WEYrWDZFOEpDYzFXQldqWWRyWjYyeTAKLS0tIDZObFRaRFpoMkZmNlFUcVJrRHRZ + dHV3bFRZTExqNWpiblJoQ1h2MXJQNzgKXHwe7ZyvKuAf9wMxFHR1U1oilw3ecD1P + O/XS/+WhYAVHMkaUVUkanczvP6ff5DRBrbdJ+akBYu3pZNkrgCCiiw== + -----END AGE ENCRYPTED FILE----- + - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQjZNLytxTWlIdG0ycmlM + aURiMUdBN3dEbmc4UitmT2xIcWl2RitnS21BClpmM0RDQ2xHQ2R2eHordUhTdWp0 + cW9zNHY4Z1JaQitCQ2lUQm05cWlkT3MKLS0tIGJ5VVU2ZzN2L0ZRTEFTS2hnaDkz + NnVJZEpvQ3VpVXZQMEhFMTBiL0IrNEEK4lbNKd8AiN5pY9dEUirZ2TiCkexI4v0a + W8XtUcGg+tQsrw1G5q7jS0EgV/oy1I9+0gJkHNhfRJH2P0UQ7079YQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VUtrNU1KdENHNVdOT0tu + TmY1S0tNb0ZHM0JyT2tPUTllTnFIT25YWmhRCk1ORHJvUkRqclQveDhwazIvM2pM + 
V3JUNjVZa28yK1FyY1VLazFDd0x6N0EKLS0tIEd5eDRRak1yclNaS0lOWnNoTkR4 + YU5PeW52MEZGd3lzUG5aZEZhaURHdE0KUlf6EEc22UHcPDyVCQoVND5PFs20aCc3 + XUbtQQD9w3/aRpsuaYfJBHINjB+Ns7XIIOfWkdJe5fJiOU0u29SO8Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-27T18:30:16Z" + mac: ENC[AES256_GCM,data:nOs0CUT0DD5dphyPTN8ev8WTdflFmNScg3UIPvXtlhGE3nJdPRW/MjraUEd5gQZ4qrwkgo99fsD1Uv6HiWBQbg59TqDNQOwhXU3SYto/zVX9Y1LGwvGurMymiQNbhHjzn+VN1tXdwyTbvhUnRSwz2a6uu1sl9m3VNfRbMewuQnM=,iv:FtMd7i5V9eRcuK9HhjiKETx/SWs5+MijVExUB/mxHjE=,tag:H+USoPhnzWzTNl7um39Pfw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2