oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: Restore configuration.nix for hashmap, add if-not-present pol for gitlab-runner

Browse Source
This commit is contained in:
Moritz Jörg
2025-11-28 20:31:43 +01:00
parent e9c0ce52b2
commit 24b586a4a0
5 changed files with 255 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
modules/gitlab-runner.nix
View File

@@ -1,6 +1,7 @@
{
pkgs,
lib,
config,
...
}:
with lib;
@@ -10,22 +11,36 @@ let
configuration = {
services.gitlab-runner = {
enable = true;
# NOTE(mrtz): Periodically prune gitlab runner's Docker resources
clear-docker-cache = {
enable = true;
dates = "monthly";
};
settings = {
concurrent = 16;
};
services = {
nix = {
# NOTE(simkir): This must be uploaded to the host after you've
# registered a runner in gitlab
# registered a runner in gitlab.
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
# TODO(mrtz): https://archives.docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow/
# authenticationTokenConfigFile = "";
dockerImage = "alpine";
dockerVolumes = [
# The items are ro because we write to the store via the daemon
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
registrationFlags = [
"--docker-pull-policy=if-not-present"
"--docker-allowed-pull-policies=if-not-present"
"--docker-allowed-pull-policies=always"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
@@ -52,7 +67,9 @@ let
with pkgs;
[
gnugrep
findutils
coreutils
curl
nix
openssh
bash
@@ -70,7 +87,7 @@ let
};
in
{
options.features.gitlab-runner = {
options.features.gitlab-runner = {
enable = mkEnableOption "Enable Gitlab runner service";
};

2
nixos

Submodule nixos updated: 444d8f8008...d30deeae00

228
tos/hashmap/default.nix Normal file
View File

@@ -0,0 +1,228 @@
{ pkgs, ... }:
{
networking = {
hostName = "hashmap";
domain = "local";
search = [ "local" ];
firewall.allowedTCPPorts = [ 3389 ];
firewall.extraCommands = '''';
};
boot = {
consoleLogLevel = 3;
plymouth = {
enable = true;
theme = "ibm";
themePackages = [
(pkgs.adi1090x-plymouth-themes.override { selected_themes = [ "ibm" ]; })
];
};
tmp.cleanOnBoot = true;
kernel = {
sysctl = {
"net.ipv4.ip_forward" = true;
};
};
kernelParams = [
# Quite boot
"quiet"
"udev.log_level=3"
];
supportedFilesystems = [ "ntfs" ];
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
initrd = {
# Quiet boot
verbose = false;
# Use zstd compression instead of gzip for initrd
compressor = "zstd";
# Make boot more reliable by using systemd inside initrd
systemd.enable = true;
};
initrd.luks.devices = {
luksroot = {
device = "/dev/nvme0n1p1";
preLVM = true;
allowDiscards = true;
};
luks-data = {
device = "/dev/sda1";
preLVM = true;
allowDiscards = true;
};
};
loader.grub = {
enable = false;
device = "/dev/sda1";
configurationLimit = 3;
};
};
# Use nvd to get package diff before apply
system.activationScripts.system-diff = {
supportsDryActivation = true; # safe: only outputs to stdout
text = ''
export PATH="${pkgs.lib.makeBinPath [ pkgs.nixVersions.latest ]}:$PATH"
if [ -e /run/current-system ]; then
${pkgs.lib.getExe pkgs.nvd} diff '/run/current-system' "$systemConfig" || true
fi
'';
};
environment.systemPackages = with pkgs; [
bun
surf
zathura
cmake
doxygen
graphviz
];
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_CTYPE = "en_DK.UTF-8";
LC_TIME = "en_DK.UTF-8";
LC_PAPER = "en_DK.UTF-8";
LC_NAME = "en_DK.UTF-8";
LC_ADDRESS = "en_DK.UTF-8";
LC_TELEPHONE = "en_DK.UTF-8";
LC_MEASUREMENT = "en_DK.UTF-8";
LC_IDENTIFICATION = "en_DK.UTF-8";
};
};
time.timeZone = "Europe/Oslo";
features = {
desktop.enable = true;
laptop.enable = false;
desktop.wayland.enable = false;
desktop.plasma.enable = true;
desktop.hyprland.enable = false;
pki = {
enable = false;
certmgr.enable = true;
certs = {
foo = {
hosts = [ "localhost" ];
};
};
};
os = {
networkmanager.enable = true;
externalInterface = "eno2";
docker.enable = true;
adminAuthorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC68qcYMBNNWjCoRo1OrfGe3OTBsHprPJPQwaywlOUM03xQLNyF2JcqY8wXJ+Hf2dOopJWOWnS5RwsOtxxV5bUX0tk7yPV38AKGhwW1Q0Xy//nGYypoe4JSvvLJLN4dWoBtkhJFQcJcdAbi6jRrDU1J8n2ZwPwFtQWoEwdm0Mq0H+MR6c97Xnl4pkjCHUOVxyaaCCzo1GSotAG2TQanwcbr5AOTptP3CRGOQ8D7T0iN1v5bJmP4fc6P/av30spOzKksksIg21aMHcted5K5I8XJymftfgJbHr5uKtsgrnHtx7qcPiISkoToQWRttYhTEj0GjLIJwCXZ5Fon1rCVWDW+VvhzI7PhXmhBEOHxuLeSuG3lC9L0NpWJkoIJo7WqMtFo3rJPmRQS6AWFy11SIjvsBQVfDk3Jz1QmV8dxM1ksyZzx5VQ0+zOqIsagjJJIHwKhxgNsVXSO/Hqrua5oCsdgSfnrNVujwagfxY9TQa0bNwYkEs79Oot9EiFdLi9wwrE= Simen Kirkvik (gitlab.com)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== Simen Kirkvik (gitlab.com)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQUQsPdS3Wvl46cPl6rBrAPDLX9r8tx1V7yVkr1GhP07hVYVcLV0wojMaB8Zi5kvr/sgBpiuU6oKNqx4+5gN70uQC+JbM5Orna8SoN4L2jfO2WgTMFZEqmDoyzCCglUl2EiqFDvKEC/dvFSjn/qJG6eUdEGpTuB/VQljidZMJrloq0kf4iYy0uaXdrkoKLlBEjXo1forlr2KAYq48PsTovyQxrDqG25UcRhjmoq0Ag7ZGquQXB8Ouwe+H/lVWQFJU+Vy4nqqvv1Fq/bQHW92dZDnlwrMyY6lVsp6Cgc3jzcB5dTfN9Zt+iaVFSE+Tojl04n1oKU4Z5kMbTPRTLLDgjlVRY9JGHOXNO8bqEPG0E7sNXBGSncie9nXnfDoVhXAd8KoVkvXCXYvS+pk82ig0ET+8HC7KRZysB5sqD++GbexbPZFYrOhEZYfvY00sOAVvFCh8h6sC1tXAvXZqUgvTClOINDh42NBs/vTmg6RoG57z1moTa5RsGlVAguKqaiE= Simen Kirkvik (gitlab.com)"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
];
nfs.enable = false;
# /exports 10.1.1.0/24(insecure,ro,async,crossmnt,no_subtree_check,fsid=0,no_root_squash)
# nfs.exports = ''
# '';
};
lan = {
enable = true;
krb5 = {
enable = false;
default_realm = "ACME";
domain_realm = {
"acme.com" = "ACME";
};
realms = {
"ACME" = {
admin_server = "dc.acme.com";
kdc = "dc.acme.com";
};
};
};
};
};
services.pcscd.enable = false; # For Yubikey ykman
security.pam.yubico = {
enable = false;
mode = "client"; # "challenge-response";
id = "92753";
control = "sufficient";
};
services.udev.extraRules = ''
ACTION=="remove",\
ENV{ID_BUS}=="usb",\
ENV{ID_MODEL_ID}=="0407",\
ENV{ID_VENDOR_ID}=="1050",\
ENV{ID_VENDOR}=="Yubico",\
RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
'';
nixpkgs.config.allowUnfreee = true;
nix = {
package = pkgs.nixVersions.stable;
settings = {
# Cleanup
auto-optimise-store = true;
# Keep them for debugging
keep-derivations = true;
keep-outputs = true;
experimental-features = [
"nix-command"
"flakes"
"pipe-operators"
];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 14d";
};
extraOptions = ''
# See https://jackson.dev/post/nix-reasonable-defaults/
connect-timeout = 5
download-attempts = 2
log-lines = 25
warn-dirty = false
fallback = true
# Only brings pain
flake-registry = ""
'';
};
services.tailscale = {
enable = true;
useRoutingFeatures = "client";
extraUpFlags = [
"--login-server=https://headscale.svc.oceanbox.io"
"--accept-dns=true"
"--accept-routes"
];
};
imports = [
./users.nix
./hardware-configuration.nix
];
}

7
tos/hashmap/users.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
users.extraGroups = {
admin = {
@@ -18,6 +18,8 @@
};
};
users.extraUsers.root.openssh.authorizedKeys.keys = config.features.os.adminAuthorizedKeys;
users.extraUsers.admin = {
description = "Administrator";
home = "/home/admin";
@@ -40,7 +42,7 @@
isNormalUser = true;
createHome = true;
useDefaultShell = false;
shell = pkgs.fish;
# shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
@@ -48,6 +50,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfgY468dPNpdXZCkD9jw1p2qA0+z56Wi/c1VYE+riki"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq mrtz@wurst"
];
};

3
tos/hive.nix
View File

@@ -13,8 +13,9 @@ in
{ ... }:
{
imports = [
(import ./hashmap/configuration.nix)
(import ./hashmap)
(import ../modules)
(import ../nixos)
(import "${sources.nixos-hardware}/common/cpu/intel/comet-lake")
];