bee3c4b2fb flake.lock: Update
Flake lock file updates:

• Updated input 'hyprland':
    'git+https://github.com/hyprwm/Hyprland/?ref=refs/heads/main&rev=f0e023bff2f2a25ffe5ed3166f55f7274d17c6bc' (2024-10-25)
  → 'git+https://github.com/hyprwm/Hyprland/?ref=refs/heads/main&rev=6cf193e1662f6f750e964a3e174ae017246b4d48' (2024-10-27)
• Updated input 'lix':
    '2734a9cf94.tar.gz?narHash=sha256-XME7TzBvjK6GEmZqPLK%2B2%2BWk0qnwc7DCwYH434hMcOM%3D&rev=2734a9cf94debc6baef4e7d4d9fa28cc28f5b31d' (2024-10-23)
  → 'f55ed83991.tar.gz?narHash=sha256-DVzb3RlFOuR72K6BWMRKoJ4mfJmVOUDVjUJKQ/yXMNA%3D&rev=f55ed8399186c25b7d26a8c51f31ba25f5f26a50' (2024-10-27)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/04f8a11f247ba00263b060fbcdc95484fd046104' (2024-10-20)
  → 'github:nix-community/nix-index-database/0e3a8778c2ee218eff8de6aacf3d2fa6c33b2d4f' (2024-10-27)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23)
  → 'github:nixos/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a' (2024-10-25)
• Updated input 'nixpkgs-wayland':
    'github:nix-community/nixpkgs-wayland/833950fe76340407ce9d9fc409994b11476cd22e' (2024-10-25)
  → 'github:nix-community/nixpkgs-wayland/8d5faa9440349976c84b7b55d05e3e5dcfabdcc1' (2024-10-27)
• Updated input 'nixpkgs-wayland/lib-aggregate':
    'github:nix-community/lib-aggregate/736c43de3c953104e1610183d56e90b419c6344e' (2024-10-20)
  → 'github:nix-community/lib-aggregate/7d235f23a84b54c39b1579b68b13e1ff83f5b1ad' (2024-10-27)
• Updated input 'nixpkgs-wayland/lib-aggregate/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e' (2024-10-20)
  → 'github:nix-community/nixpkgs.lib/7d68864343650322045894951602d6e82b5296d7' (2024-10-27)
• Updated input 'nixpkgs-wayland/nixpkgs':
    'github:nixos/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23)
  → 'github:nixos/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a' (2024-10-25)
• Updated input 'roc':
    'github:roc-lang/roc/e1183e58e55397fe07b08981937c4f626ca7db42' (2024-10-25)
  → 'github:roc-lang/roc/589ec1d453643ea437817bda1b9d79b008477d37' (2024-10-27)
• Updated input 'zig-overlay':
    'github:mitchellh/zig-overlay/71a0618a10c2fb8d6c60b3498bcdb5dc4573e403' (2024-10-25)
  → 'github:mitchellh/zig-overlay/1e8057e6644d4e11ec63dead68a91ba61c8d32f9' (2024-10-27)
• Updated input 'zls':
    'github:zigtools/zls/5acc06679321aeff5f6d2f05ebb52520f734a8b8' (2024-10-24)
  → 'github:zigtools/zls/b2e89dfe92850cf02cbd4b73004aaaecd5cf1739' (2024-10-27)
2024-10-28 01:31:14 +00:00
10 changed files with 61 additions and 153 deletions


@ -32,16 +32,10 @@ jobs:
experimental-features = pipe-operator experimental-features = pipe-operator
accept-flake-config = true accept-flake-config = true
- uses: cachix/cachix-action@v15
- name: Install and login to attic cache with:
run: | name: daylin
nix profile install "nixpkgs#attic-client" authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
attic login oizys https://attic.dayl.in "${{ secrets.ATTIC_TOKEN }}"
# - uses: cachix/cachix-action@v15
# with:
# name: daylin
# authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
- name: Update nix flake - name: Update nix flake
run: | run: |
@ -57,7 +51,7 @@ jobs:
run: > run: >
nix run . nix run .
-- --
cache build --minimal
--host "othalan" --host "othalan"
--flake . --flake .
--debug --debug
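Review bot: The `cachix/cachix-action@v15` step is referenced by a movable tag while it receives `secrets.CACHIX_AUTH_TOKEN`, so whatever commit that tag resolves to at run time is handed a credential that presumably can write to the `daylin` binary cache. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: cachix/cachix-action@<full-commit-sha> # v15`. The same job sets `accept-flake-config = true`, which lets the flake's `nixConfig` substituters and trusted keys take effect without a prompt; a one-line comment stating that this is intentional for CI would help the next reader. The +/- markers are lost on this page, so the old/new side of these lines is inferred from the doubled text.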


@ -363,11 +363,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1730143527, "lastModified": 1730072482,
"narHash": "sha256-3uRuQHxAd/+8PptDpIZZlC588O0eTV1mTa+z8v4cWPU=", "narHash": "sha256-3Aotvc0dFS9J2iDnrSVjjngdZcaD9ghfroVU3jl84Gk=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "d679d200299ed4670f0d0f138c793d5f507b7cec", "rev": "6cf193e1662f6f750e964a3e174ae017246b4d48",
"revCount": 5390, "revCount": 5385,
"submodules": true, "submodules": true,
"type": "git", "type": "git",
"url": "https://github.com/hyprwm/Hyprland/" "url": "https://github.com/hyprwm/Hyprland/"
@ -543,11 +543,11 @@
"lix": { "lix": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1730141569, "lastModified": 1730069651,
"narHash": "sha256-wuSAcXqMRuaBihrvzVNplSM+S8fdoKGj7ubibmiUGGA=", "narHash": "sha256-DVzb3RlFOuR72K6BWMRKoJ4mfJmVOUDVjUJKQ/yXMNA=",
"rev": "9c22a4d31b18715bcca5791fcc40089d4eca35cb", "rev": "f55ed8399186c25b7d26a8c51f31ba25f5f26a50",
"type": "tarball", "type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/9c22a4d31b18715bcca5791fcc40089d4eca35cb.tar.gz?rev=9c22a4d31b18715bcca5791fcc40089d4eca35cb" "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/f55ed8399186c25b7d26a8c51f31ba25f5f26a50.tar.gz?rev=f55ed8399186c25b7d26a8c51f31ba25f5f26a50"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
@ -768,11 +768,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1730120924, "lastModified": 1729717678,
"narHash": "sha256-I6hwd+YlgefioLfmsM04MxzbEAES1N328/T+VqhcWnQ=", "narHash": "sha256-XEfYT1D+4KT9c0mMwsmZdWS2JgKsboAZbnuJvrjBQKg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NixOS-WSL", "repo": "NixOS-WSL",
"rev": "b124084667fb4c912fda68fdd9d05f59e18b6ef7", "rev": "5a965cb108fb1f30b29a26dbc29b473f49e80b41",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -836,11 +836,11 @@
"nixpkgs": "nixpkgs_6" "nixpkgs": "nixpkgs_6"
}, },
"locked": { "locked": {
"lastModified": 1730229503, "lastModified": 1730068416,
"narHash": "sha256-SYFUfTXsDeIK3q7fy6SrZ1v+lVQrEmZaKc1fpp4wuBQ=", "narHash": "sha256-ZblJXYHsAwAHPUnER5toHpOMtIrDAVytzzgI4B2rXJ8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs-wayland", "repo": "nixpkgs-wayland",
"rev": "d3bb51e62dd4a31c7cfea0f1ad511e53774a79fe", "rev": "8d5faa9440349976c84b7b55d05e3e5dcfabdcc1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -867,11 +867,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1729973466, "lastModified": 1729181673,
"narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", "narHash": "sha256-LDiPhQ3l+fBjRATNtnuDZsBS7hqoBtPkKBkhpoBHv3I=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", "rev": "4eb33fe664af7b41a4c446f87d20c9a0a6321fa3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1308,11 +1308,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1730203910, "lastModified": 1730031030,
"narHash": "sha256-/nI+D8KoVCOGSMJ+kwqLxu9X/8N3N5cWXfXJGxd5NXk=", "narHash": "sha256-U4ko9Ing1LIciLX+yIWY2wWi31jRARjTnLwkZVUKUXs=",
"owner": "mitchellh", "owner": "mitchellh",
"repo": "zig-overlay", "repo": "zig-overlay",
"rev": "686cfaa1366e0c50ce85d6e443412082f907fe3f", "rev": "1e8057e6644d4e11ec63dead68a91ba61c8d32f9",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -49,14 +49,12 @@
nixConfig = { nixConfig = {
extra-substituters = [ extra-substituters = [
"https://attic.dayl.in/oizys"
"https://hyprland.cachix.org" "https://hyprland.cachix.org"
"https://nixpkgs-wayland.cachix.org" "https://nixpkgs-wayland.cachix.org"
"https://daylin.cachix.org" "https://daylin.cachix.org"
# "https://cache.lix.systems" # "https://cache.lix.systems"
]; ];
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"oizys:DSw3mwVMM/Y+PXSVpkDlU5dLwlORuiJRGPkwr5INSMc="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
"daylin.cachix.org-1:fLdSnbhKjtOVea6H9KqXeir+PyhO+sDSPhEW66ClE/k=" "daylin.cachix.org-1:fLdSnbhKjtOVea6H9KqXeir+PyhO+sDSPhEW66ClE/k="


@ -27,20 +27,4 @@ To point gitea/forgejo to the shim gitea binary for SSH I symlink the current sy
ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea ln -s /run/current-system/sw/bin/gitea /usr/local/bin/gitea
``` ```
## Setting up Attic
Generated a key using command provided in attic docs:
```sh
nix run nixpkgs#openssl -- genrsa -traditional 4096 | base64 -w0
```
And wrote `ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64="output from above"` to `/etc/attic.env`
I generated a token to configure the caches using the following command:
```
atticd-atticadm make-token --sub daylin --push "*" --pull "*" --validity '1y' --create-cache "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" --delete "*"
```
If I handled secrets via `sops` or `agenix` I think this could be stored directly in the repo.
I also had to modify the firewall so that docker would forward along the requests by caddy to `host.docker.internal` correctly.


@ -1,58 +0,0 @@
{ pkgs, enabled, ... }:
let
atticPort = "5656";
in
{
services.resolved = enabled;
services.fail2ban = enabled // {
maxretry = 5;
bantime = "24h";
};
services.openssh = enabled // {
settings.PasswordAuthentication = false;
};
security.polkit = enabled; # attic was looking for this...
environment.systemPackages = [ pkgs.attic-client ];
# allow docker to forward the request to the host running attic
# https://discourse.nixos.org/t/docker-container-not-resolving-to-host/30259/6
networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port ${atticPort} -s 172.16.0.0/12 -j ACCEPT";
services.atticd = enabled // {
# Replace with absolute path to your credentials file
environmentFile = "/etc/atticd.env";
settings = {
listen = "[::]:${atticPort}";
jwt = { };
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
}


@ -2,6 +2,12 @@
{ {
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
services.resolved = enabled;
services.fail2ban = enabled // {
maxretry = 5;
bantime = "24h";
};
# # added to make using `pip install` work in docker build # # added to make using `pip install` work in docker build
# networking.nameservers = [ "8.8.8.8"]; # networking.nameservers = [ "8.8.8.8"];
@ -14,6 +20,12 @@
]; ];
}; };
services.openssh = enabled // {
settings.PasswordAuthentication = false;
};
# users.mutableUsers = false;
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
boot.loader.grub = enabled // { boot.loader.grub = enabled // {
device = "/dev/sda"; # or "nodev" for efi only device = "/dev/sda"; # or "nodev" for efi only
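Review bot: The added `services.openssh` block only sets `settings.PasswordAuthentication = false`, which leaves keyboard-interactive authentication and root login at the module defaults. Because `security.sudo.wheelNeedsPassword = false` is visible at the top of the first hunk, an SSH session as a wheel user is effectively root, so I would make the block explicit with `settings.KbdInteractiveAuthentication = false;` and `settings.PermitRootLogin = "no";`. The commented-out `# users.mutableUsers = false;` should either be enabled or carry a short comment saying why it is parked. The enclosing attribute set starts and ends outside the hunks shown.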


@ -10,6 +10,5 @@
graphviz graphviz
typst typst
charm-freeze charm-freeze
attic-client
]); ]);
} }


@ -1,5 +1,5 @@
## nix begat oizys ## nix begat oizys
import std/[os, osproc, tables, sequtils, strformat, strutils] import std/[os, tables, sequtils, strformat, strutils]
import hwylterm, hwylterm/[cligen, logging] import hwylterm, hwylterm/[cligen, logging]
import oizys/[context, github, nix, overlay, logging] import oizys/[context, github, nix, overlay, logging]
@ -53,9 +53,9 @@ overlay:
## nix build ## nix build
nixBuild(minimal, rest) nixBuild(minimal, rest)
proc cache(name: string = "oizys", service: string = "attic", jobs: int = countProcessors()) = proc cache(minimal: bool = false, name: string = "daylin") =
## build and push store paths ## build and push to cachix
nixBuildWithCache(name, rest, service, jobs) nixBuildWithCache(minimal, name, rest)
proc osCmd() = proc osCmd() =
## nixos-rebuild ## nixos-rebuild
@ -97,8 +97,7 @@ when isMainModule:
"ref" : "git ref/branch/tag to trigger workflow on" "ref" : "git ref/branch/tag to trigger workflow on"
} }
cacheHelp = //{ cacheHelp = //{
"name" : "name of cachix binary cache", "name" : "name of cachix binary cache"
"jobs" : "jobs when pushing paths"
} // sharedHelp } // sharedHelp
let let
osUsage = $bb("$command [[subcmd] $args\n$doc[bold]Options[/]:\n$options") osUsage = $bb("$command [[subcmd] $args\n$doc[bold]Options[/]:\n$options")


@ -9,7 +9,7 @@ import hwylterm
func addArgs*(cmd: var string, args: openArray[string]) = func addArgs*(cmd: var string, args: openArray[string]) =
cmd &= " " & args.join(" ") cmd &= " " & args.join(" ")
func addArg*(cmd: var string, arg: string ) = func addArg*(cmd: var string, arg: string) =
cmd &= " " & arg cmd &= " " & arg
proc runCmd*(cmd: string): int = proc runCmd*(cmd: string): int =

View file

@ -193,7 +193,6 @@ proc writeDervationsToStepSummary(drvs: seq[string]) =
let output = open(summaryFilePath,fmAppend) let output = open(summaryFilePath,fmAppend)
output.writeLine("| derivation | hash |\n|---|---|") output.writeLine("| derivation | hash |\n|---|---|")
output.writeLine(rows.join("\n")) output.writeLine(rows.join("\n"))
close output
proc nixBuild*(minimal: bool, rest: seq[string]) = proc nixBuild*(minimal: bool, rest: seq[string]) =
var cmd = nixCommand("build") var cmd = nixCommand("build")
@ -234,42 +233,23 @@ proc nixBuildHostDry*(minimal: bool, rest: seq[string]) =
let output = parseDryRunOutput err let output = parseDryRunOutput err
display output display output
proc nixBuildWithCache*(minimal: bool, name: string, rest:seq[string]) =
proc nixBuildWithCache*(name: string, rest:seq[string], service: string, jobs: int) = if findExe("cachix") == "": fatalQuit "is cachix installed?"
## build individual derivations not cached and push to cache
if findExe(service) == "": fatalQuit fmt"is {service} installed?"
info bbfmt"building and pushing to cache: [b]{name}" info bbfmt"building and pushing to cache: [b]{name}"
debug "determining missing cache hits" var cmd = "cachix"
let drvs = systemPathDrvsToBuild() cmd.addArgs ["watch-exec","--"]
if drvs.len == 0: cmd.addArg "nix build"
info "nothing to build" if minimal:
quit "exiting...", QuitSuccess debug "populating args with derivations not built/cached"
let drvs = systemPathDrvsToBuild()
for drv in drvs: if drvs.len == 0:
var cmd = "nix build" info "nothing to build"
cmd.addArg drv quit "exiting...", QuitSuccess
cmd.addArgs rest cmd.addArgs drvs
let buildErr = runCmd(cmd) cmd.addArg "--no-link"
if buildErr != 0: else:
error "failed to build: " & drv cmd.addArgs nixosConfigAttrs()
continue cmd.addArgs rest
let err = runCmd(cmd)
let results = collect( quit err
for k, p in walkDir(".", relative = true):
if k in { pcLinkToDir, pcLinkToFile} and p.startsWith("result"):
p
)
cmd = service
cmd.addArg "push"
cmd.addArg name
cmd.addArg "--jobs"
cmd.addArg $jobs
cmd.addArgs results
let pushErr = runCmd(cmd)
if pushErr != 0:
errorQuit "failed to push build to cache"
for p in results:
removeFile p