iofq/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

oracle2
Some checks failed
/ check (push) Failing after 2m38s
Details

Browse source
This commit is contained in:
iofq 2025-09-27 12:14:40 -05:00
parent fc85515fb8
commit 1e236f8f71
10 changed files with 157 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.forgejo/workflows/main.yaml Normal file
View file

@ -0,0 +1,7 @@
on: [push]
jobs:
check:
runs-on: nix-latest
steps:
- uses: actions:checkout@v4
- run: nix flake check

6
.sops.yaml
View file

@ -2,11 +2,13 @@
keys: keys:
- &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
- &consensus age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - &consensus age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
- &oracle age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h - &oracle1 age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
- &oracle2 age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
creation_rules: creation_rules:
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *t14 - *t14
- *consensus - *consensus
- *oracle - *oracle1
- *oracle2

23
flake.nix
View file

@ -97,13 +97,30 @@
path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus; path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus;
}; };
}; };
oracle = { oracle1 = {
hostname = "oracle"; hostname = "oracle1";
sshUser = "root"; sshUser = "root";
sshOpts = [
"-p"
"2022"
];
remoteBuild = false; remoteBuild = false;
profiles.system = { profiles.system = {
user = "root"; user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle; path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle1;
};
};
oracle2 = {
hostname = "oracle2";
sshUser = "root";
sshOpts = [
"-p"
"2022"
];
remoteBuild = false;
profiles.system = {
user = "root";
path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle2;
}; };
}; };
}; };

11
home-manager/t14/home.nix
View file

@ -50,9 +50,16 @@
hostname = "consensus.tailc353f.ts.net"; hostname = "consensus.tailc353f.ts.net";
identityFile = "/home/e/.ssh/id_ed25519"; identityFile = "/home/e/.ssh/id_ed25519";
}; };
"oracle" = { "oracle1" = {
port = 2022; port = 2022;
hostname = "129.213.119.29"; hostname = "oracle1";
user = "root";
identityFile = "/home/e/.ssh/id_ed25519";
};
"oracle2" = {
port = 2022;
hostname = "oracle2";
user = "root";
identityFile = "/home/e/.ssh/id_ed25519"; identityFile = "/home/e/.ssh/id_ed25519";
}; };
"10110110.xyz" = { "10110110.xyz" = {

17
nixos/default.nix
View file

@ -41,7 +41,7 @@ in
./consensus/configuration.nix ./consensus/configuration.nix
]; ];
}; };
oracle = inputs.nixpkgs.lib.nixosSystem { oracle1 = inputs.nixpkgs.lib.nixosSystem {
inherit pkgs; inherit pkgs;
specialArgs = { specialArgs = {
inherit inputs system attrs; inherit inputs system attrs;
@ -52,6 +52,21 @@ in
}; };
modules = defaultModules ++ [ modules = defaultModules ++ [
./oracle/configuration.nix ./oracle/configuration.nix
./oracle/forgejo.nix
];
};
oracle2 = inputs.nixpkgs.lib.nixosSystem {
inherit pkgs;
specialArgs = {
inherit inputs system attrs;
host = {
hostName = "oracle2";
inherit (attrs) username;
};
};
modules = defaultModules ++ [
./oracle/configuration.nix
./oracle/forgejo-runner.nix
]; ];
}; };
} }

5
nixos/oracle/configuration.nix
View file

@ -1,8 +1,7 @@
{ ... }: { host, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./forgejo.nix
]; ];
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
boot.kernel.sysctl = { boot.kernel.sysctl = {
@ -60,7 +59,7 @@
networking = { networking = {
domain = ""; domain = "";
hostId = "81238132"; hostId = "81238132";
hostName = "oracle1"; hostName = host.hostName;
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ allowedTCPPorts = [

24
nixos/oracle/forgejo-runner.nix Normal file
View file

@ -0,0 +1,24 @@
{ pkgs, config, ... }:
{
sops = {
secrets = {
"forgejo-runner" = {
sopsFile = ../../secrets/forgejo-runner.yaml;
};
};
};
virtualisation.docker.enable = true;
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = "oracle-runner1";
url = "https://git.10110110.xyz";
tokenFile = config.sops.secrets."forgejo-runner".path;
labels = [
"ubuntu-latest:docker://node:20-bullseye"
"nix-latest:docker://nixos/nix:latest"
];
};
};
}

8
nixos/oracle/forgejo.nix
View file

@ -39,6 +39,10 @@ in
database.type = "sqlite3"; database.type = "sqlite3";
dump.enable = true; dump.enable = true;
settings = { settings = {
DEFAULT = {
APP_NAME = "git.10110110.xyz";
APP_SLOGAN = "No rice, no life.";
};
server = { server = {
DOMAIN = "git.10110110.xyz"; DOMAIN = "git.10110110.xyz";
# You need to specify this to remove the port from URLs in the web UI. # You need to specify this to remove the port from URLs in the web UI.
@ -46,6 +50,10 @@ in
HTTP_PORT = 3000; HTTP_PORT = 3000;
}; };
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
};
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
actions = { actions = {
ENABLED = true; ENABLED = true;

39
secrets/cf-acme.yaml
View file

@ -4,29 +4,38 @@ sops:
- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBITExOYlBkVlRKSHVpc2U2 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bEpKNEhOMVRYazNDSmhB
L3BJNUV1UER0M0JldzNMTm9qam1nWGIwa2pnCnptZ2I3SU5rV3pwQTcvV3E4YWVI T0VadEhCdExkT2tXaklDcXFMcnNYTkx6ejJVCmJiRFUyVGRkU2tTalBCUFpYTWVk
LzlQa1NxWVVDcHJma1lmSWt6ZUZuV3MKLS0tIFlXK3UzR2JDOEFOUmJYZFpkLzE1 WkZNSFVSSi9lMkQyOFU1bVM5WkFCSkUKLS0tIGo0c0QrRStRWEp3SE9vNFdMY0lP
QVQ3MVpueENUTmdaNCtKcjhBVkRDUjAKSze6cNG0BfETuDylwUGZD02P/NL3O3O4 dDNaTGprZVRlcmpwSzZmVzl3clZ3MzgK8y4ck9cgiPT6jDl23g0Da6mr7+KD7J+K
LBIhQAyShgzAqqmus/aCoYPfVChuuH9sEspZHWFSQV8aTJL1kFX0yw== DflytAEkBZxWN8JLIeFSml6HS65xWeMuwjnQHVXQVQBlVAN9pl4fmg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTUtpYzJYbU1oRDlTc295 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNzZUdnVwUDBKRmo3Nm9s
YVQySmdvbjhwK2pBaU5XRlFsVDNJSHl5blE0Cjh1bjNrY0wrMUdvVExpMXJSVTc1 Q0l1NXZOQXhvT1JIZStLK0YyWWhQbVNuazJVCnRDa21lcHJpczk4OWtsbkN3Z2tW
R1ZKRGpQSmE1N09nYzZNTXFHT1pqbmcKLS0tIDRYYys3WUhTQnJkS0hMT2lRS01o aXJGbnJGK1VvenJwa0ExWEFrZ3pFYjQKLS0tIGxBcUxlcnV4UEQyeE5sTWNDRU1l
bUt2RVdUZzdFZFVOTWNOOHBkSlZ4bmsK350/b+SL+0TT1ZJ6AIB9iDibf4L5ySpg bTVmbmxhZXk5RmlUV0h0dWFVZyszSnMKQ/DVB38i8a5d6LFJaftxChthRdjBY5GQ
P9ZkCmiDd3Le7ehlxJRBP+ynQOq+B0+zsoAUrS2AAcCo7nSKLnfZ0A== TsFDbl6okwxUqBCx07A0ftYSeCHoC2Nj/AW0b8HU0DwXPPHqXwA08w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSW5Fc3pUblI3dll6OEcx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZjY1RXI1Y3MyeWVlMGlC
NkVVcndybkZkOW93WmdjaE9zQnVFVGdHVkRBCnlZMWFLalloZ0xEOVVwVU9QTVd2 Nm1XNUlkODFYTkRqbnlMUytxZjZNSURYcXg0CjYxaDdLWDVZR0gwdEgrMVBSK1Br
TS9aRnpSdU9uTzV3SlVxL0tkQ3R2aFEKLS0tIE1PSEV4UnBCSXc1S1BQb3VNeVlt V2lXZ2t2Nnp2ZG52YWxYQXVoKzBTU1UKLS0tIG9RcUdqQ2E4cnlFbVRQajVJalM5
c0pldlQ5UFN5NWh3QWRwSnZCejZXcVUKY7vVyf567eOBhwZvy1E8MyDtLo3ljwST bWhxdERTaHpFSVE5MEdoRndMM3VGK2MKYbs06A2NmyFKssKqeudt/mFG4l/yDV9k
5mgOLRaEU+G9bVOPGfClaBHK94sJMlHABa9M8bhd7Naws+OeUyKI4A== Kod6mEZYxdjUP91waOmLCC997DSIkih9sHaaYhm/ahy4ryD4fstkLA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek8vNVNZUkNraGNGbFJy
RmliVHFiVnRhUDArVFN0MGplTkYzbGxSQmg4ClZaMzZobFM3eGNvaytIeEJ3cjI2
VlhKNXBIK0pWTml2TThqQ1VUSi9hMHcKLS0tIEExN0dwWS9UNTBzWmZTWHFnWnBH
Skx4ZWgrN0lFLzNyL0RTNWRaRnZUL0kKGysePFPyRFVSEfoSaqsdRkH/SbkWy7RJ
IyYjt0JFtSo9QplzHFkOsdbeAV5E8MrMP/lFhhvPZcjwmO6/Pxl5Lg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-02T00:02:47Z" lastmodified: "2025-06-02T00:02:47Z"
mac: ENC[AES256_GCM,data:l3I8KNMoZGrUUS/RzY0fAr7DkvyhynOqPW/09IfI8sKYBP+gavdf3/OpW3uwhYzuS6pRWwCaUTa0F+HELu7rBG8FwpvyBpdeAgZb1hVFtKeBuaCjXDieuxKjj27IKLx3UbHx2iRm91oB7bIMZaXYMrlYVmrs/BkgoT8vHj5j7Rc=,iv:KaB9qaUTYbnS6ix297MjIHxl+LSazZnRW0Lu2bP/kmk=,tag:bbncBMsk/qOfz0LRmrqiUQ==,type:str] mac: ENC[AES256_GCM,data:l3I8KNMoZGrUUS/RzY0fAr7DkvyhynOqPW/09IfI8sKYBP+gavdf3/OpW3uwhYzuS6pRWwCaUTa0F+HELu7rBG8FwpvyBpdeAgZb1hVFtKeBuaCjXDieuxKjj27IKLx3UbHx2iRm91oB7bIMZaXYMrlYVmrs/BkgoT8vHj5j7Rc=,iv:KaB9qaUTYbnS6ix297MjIHxl+LSazZnRW0Lu2bP/kmk=,tag:bbncBMsk/qOfz0LRmrqiUQ==,type:str]

43
secrets/forgejo-runner.yaml Normal file
View file

@ -0,0 +1,43 @@
forgejo-runner: ENC[AES256_GCM,data:Ia4WxFUh2/AkvwIIs+E2HW+gfiLYZN0m1ZiFMe5hLKxvR2+1/VZymM//4qv4Dw==,iv:ZnSE0EyGjY87vltqpd8uQTv0qX0bsv0OHNVhuFl1itc=,tag:FnVX+MgHuPRtiW3hK1TsBw==,type:str]
sops:
age:
- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUEh4TDhiL2ZQRlpBRUd5
ZDduRGpqd2xNdml1eHIyanM3bVpyazFYZld3CjFHS29NcXhUTTJRQS9haUxYUzZn
akIzZW0yMFNyUEV5MDJ1c1NJRGwzekkKLS0tIDJ0ZmdXVVQ5TDUzUmRvYTIrY3JC
Q1l5NHZZRGgxTjkyRml3Zjk3c0J6b0UKWxpejYzaLl5ndmITKoWeFdwjytSQwTm+
6FKP8jFUjybRjhAVvJDQ7Cxab+oHJ7p7+fCAT5mo7i3okVB7bdHhrw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZnYyNVZqNzVYcitMampP
a0VtYTkwRlNkaktrNThZeGljZUt1RXgrYkQ0Ck5WNHNHT3NOd2daSW8rMERsN1JN
WEYrWDZFOEpDYzFXQldqWWRyWjYyeTAKLS0tIDZObFRaRFpoMkZmNlFUcVJrRHRZ
dHV3bFRZTExqNWpiblJoQ1h2MXJQNzgKXHwe7ZyvKuAf9wMxFHR1U1oilw3ecD1P
O/XS/+WhYAVHMkaUVUkanczvP6ff5DRBrbdJ+akBYu3pZNkrgCCiiw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQjZNLytxTWlIdG0ycmlM
aURiMUdBN3dEbmc4UitmT2xIcWl2RitnS21BClpmM0RDQ2xHQ2R2eHordUhTdWp0
cW9zNHY4Z1JaQitCQ2lUQm05cWlkT3MKLS0tIGJ5VVU2ZzN2L0ZRTEFTS2hnaDkz
NnVJZEpvQ3VpVXZQMEhFMTBiL0IrNEEK4lbNKd8AiN5pY9dEUirZ2TiCkexI4v0a
W8XtUcGg+tQsrw1G5q7jS0EgV/oy1I9+0gJkHNhfRJH2P0UQ7079YQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VUtrNU1KdENHNVdOT0tu
TmY1S0tNb0ZHM0JyT2tPUTllTnFIT25YWmhRCk1ORHJvUkRqclQveDhwazIvM2pM
V3JUNjVZa28yK1FyY1VLazFDd0x6N0EKLS0tIEd5eDRRak1yclNaS0lOWnNoTkR4
YU5PeW52MEZGd3lzUG5aZEZhaURHdE0KUlf6EEc22UHcPDyVCQoVND5PFs20aCc3
XUbtQQD9w3/aRpsuaYfJBHINjB+Ns7XIIOfWkdJe5fJiOU0u29SO8Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-27T18:30:16Z"
mac: ENC[AES256_GCM,data:nOs0CUT0DD5dphyPTN8ev8WTdflFmNScg3UIPvXtlhGE3nJdPRW/MjraUEd5gQZ4qrwkgo99fsD1Uv6HiWBQbg59TqDNQOwhXU3SYto/zVX9Y1LGwvGurMymiQNbhHjzn+VN1tXdwyTbvhUnRSwz2a6uu1sl9m3VNfRbMewuQnM=,iv:FtMd7i5V9eRcuK9HhjiKETx/SWs5+MijVExUB/mxHjE=,tag:H+USoPhnzWzTNl7um39Pfw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2