wip: attic

.gitea/workflows/build.yaml

@@ -0,0 +1,29 @@
+name: build
+run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀
+on: [push]
+
+jobs:
+
+  build-sydpc:
+    runs-on: nixos
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: build sydpc
+        run: nix build -L .#nixosConfigurations.sydpc.config.system.build.toplevel
+
+  build-fruitbook:
+    runs-on: nixos
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: build fruitbook
+        run: nix build -L .#nixosConfigurations.fruitbook.config.system.build.toplevel
+
+  build-deertopia:
+    runs-on: nixos
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: build deertopia
+        run: nix build -L .#nixosConfigurations.deertopia.config.system.build.toplevel

hosts/deertopia/configuration.nix

@@ -49,6 +49,7 @@
 
     deertopia = {
       authelia.enable = true;
+      atticd.enable = true;
       gitea.enable = true;
       quiver.enable = true;
       www.enable = true;
@@ -66,6 +67,7 @@
       # umurmur.enable = true;
       murmur.enable = true;
       anki-sync-server.enable = true;
+      vaultwarden.enable = true;
       servarr = {
         enable = true;
         prowlarr.enable = true;

modules/nixos/deertopia/atticd.nix

@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.atticd;
+in {
+  options.sydnix.deertopia.atticd = {
+    enable = lib.mkEnableOption "Atticd";
+    port = lib.mkOption {
+      default = 8012;
+      type = lib.types.port;
+    };
+  };
+
+  # sudo atticd-atticadm make-token --sub msyds --validity '1 year' --pull 'msyds-*' --push 'msyds-*' --create-cache 'msyds-*' --configure-cache 'msyds-*'
+  config = lib.mkIf cfg.enable {
+    sydnix.sops.secrets.atticd-environment-file = {
+      # owner = config.services.atticd.user;
+      # group = config.services.atticd.group;
+    };
+
+    services.atticd = {
+      enable = true;
+      environmentFile =
+	config.sops.secrets.atticd-environment-file.path;
+      settings = {
+	api-endpoint = "https://attic.deertopia.net/";
+	listen = "[::]:${toString cfg.port}";
+	garbage-collection = {
+	  default-retention-period = "3 months";
+	};
+      };
+    };
+
+    sydnix.deertopia.nginx.vhosts."attic".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".proxyPass =
+        "http://127.0.0.1:${toString cfg.port}";
+    };
+  };
+}

modules/nixos/deertopia/vaultwarden.nix

@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.vaultwarden;
+in {
+  options.sydnix.deertopia.vaultwarden = {
+    enable = lib.mkEnableOption "Vaultwarden";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+      config = {
+	ROCKET_ADDRESS = "127.0.0.1";
+	ROCKET_PORT = 8222;
+	DOMAIN = "https://vault.deertopia.net";
+      };
+    };
+
+    sydnix.impermanence.directories = [
+      "/var/backup/vaultwarden"
+    ];
+
+    services.nginx.upstreams.vaultwarden.servers =
+      let port = toString config.services.vaultwarden.config.ROCKET_PORT;
+      in {
+	"127.0.0.1:${port}" = { };
+      };
+
+    sydnix.deertopia.nginx.vhosts."vault".vhost = {
+        forceSSL = true;
+        enableACME = true;
+	locations = {
+	  "/".proxyPass = "http://vaultwarden";
+          "= /notifications/anonymous-hub" = {
+            proxyPass = "http://vaultwarden";
+            proxyWebsockets = true;
+          };
+          "= /notifications/hub" = {
+            proxyPass = "http://vaultwarden";
+            proxyWebsockets = true;
+          };
+	};
+      };
+  };
+}

modules/nixos/gitea-actions-runner.nix

@@ -41,6 +41,17 @@ in {
           url = "https://git.deertopia.net/";
           tokenFile = token-file;
           labels = [ "nixos:host" ];
+	  hostPackages = with pkgs; [
+	    bash
+	    coreutils
+	    curl
+	    gawk
+	    gitMinimal
+	    gnused
+	    nodejs
+	    wget
+	    nix
+	  ];
         };
 
         # Disable dynamic user so runner state persists via bind mount

modules/nixos/impermanence.nix

@@ -70,6 +70,10 @@ in {
     };
 
     # O_O what the fuck did i write this for.... CONCERNING.
+    #
+    # oh because of these types of errors:
+    #   Directory "/var/lib/private" already exists, but has mode 0755
+    #   that is too permissive (0700 was requested), refusing.
     systemd.tmpfiles.settings."10-varlibprivate" = {
       "/var/lib/private" = {
         z.group = "root";
@@ -78,6 +82,13 @@ in {
       };
     };
 
+    # Workaround for https://github.com/nix-community/impermanence/issues/254.
+    systemd.services."systemd-tmpfiles-resetup" = {
+      serviceConfig = {
+        RemainAfterExit = lib.mkForce false;
+      };
+    };
+
     # Permit members of `cfg.persistGroupName` to read, write, and execute
     # /persist.
     systemd.tmpfiles.settings."10-persist" = {