fix(gitea-runner): Use public ingress

Also switches to podman

.envrc

@@ -1 +1,12 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+watch_file nix/sources.json
+
+# Load .env file if it exists
+dotenv_if_exists
+
+# Set npins dir
+export NPINS_DIRECTORY="nix"
+
+# Activate development shell
 use nix

modules/default.nix

@@ -21,6 +21,7 @@ with lib;
     ./fs
     ./pki/certs.nix
     ./gitlab-runner.nix
+    ./gitea-runner.nix
     ../nixos
   ];
 }

modules/gitea-runner.nix

@@ -0,0 +1,236 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.features.gitea-runner;
+  storeDeps = pkgs.runCommand "store-deps" { } ''
+    mkdir -p $out/bin
+    for dir in ${
+      toString [
+        pkgs.coreutils
+        pkgs.findutils
+        pkgs.gnugrep
+        pkgs.skopeo
+        pkgs.openssh
+        pkgs.curl
+        pkgs.gawk
+        pkgs.git
+        pkgs.lix
+        pkgs.bash
+        pkgs.jq
+        pkgs.nodejs
+      ]
+    }; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
+
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
+
+  configuration = {
+    systemd.services = {
+      # everything here has no dependencies on the store
+      gitea-runner-nix-image = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "podman.service" ];
+        requires = [ "podman.service" ];
+        path = [
+          config.virtualisation.podman.package
+          pkgs.gnutar
+          pkgs.shadow
+          pkgs.getent
+        ];
+        # we also include etc here because the cleanup job also wants the nixuser to be present
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix
+
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          NIX_CONFIG
+
+          # NOTE: For private registries
+          # cp {config.age.secrets.nix-gitea-runner-netrc.path} etc/nix/netrc
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | podman import - gitea-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+
+      gitea-runner-nix = {
+        after = [ "gitea-runner-nix-image.service" ];
+        requires = [ "gitea-runner-nix-image.service" ];
+
+        # Prevents gitea runner deployments
+        # from being restarted on a system switch,
+        # thus breaking a deployment.
+        # You'll have to restart the runner manually
+        # or reboot the system after a deployment!
+        # restartIfChanged = false;
+        serviceConfig = {
+          # LoadCredential = "TOKEN_FILE:/run/gitea/gitea-runner-token";
+          # EnvironmentFile = [ "$CREDENTIALS_DIRECTORY/TOKEN_FILE" ];
+          EnvironmentFile = [ "/run/gitea/gitea-runner-token" ];
+
+          # Hardening (may overlap with DynamicUser=)
+          # The following options are only for optimizing output of systemd-analyze
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          # ProtectClock= adds DeviceAllow=char-rtc r
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            # needed by go?
+            #"~@resources"
+            "~@privileged"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+          SupplementaryGroups = [ "podman" ];
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+            "AF_NETLINK"
+          ];
+
+          # Needs network access
+          PrivateNetwork = false;
+          # Cannot be true due to Node
+          MemoryDenyWriteExecute = false;
+
+          # The more restrictive "pid" option makes `nix` commands in CI emit
+          # "GC Warning: Couldn't read /proc/stat"
+          # You may want to set this to "pid" if not using `nix` commands
+          ProcSubset = "all";
+          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+          # ASLR (address space layout randomization) which requires the
+          # `personality` syscall
+          # You may want to set this to `true` if not using coverage tooling on
+          # compiled code
+          LockPersonality = false;
+
+          # Note that this has some interactions with the User setting; so you may
+          # want to consult the systemd docs if using both.
+          DynamicUser = true;
+        };
+      };
+    };
+
+    users.users.nixuser = {
+      group = "nixuser";
+      description = "Used for running nix ci jobs";
+      home = "/var/empty";
+      isSystemUser = true;
+    };
+    users.groups.nixuser = { };
+
+    services.gitea-actions-runner = {
+      instances.nix = {
+        enable = true;
+        name = "nix";
+        url = "https://git.oceanbox.io";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        # tokenFile = config.age.secrets.gitea-runner-token.path;
+        tokenFile = "";
+        labels = [ "nix:docker://gitea-runner-nix" ];
+        settings = {
+          runner.capacity = 16;
+          container.options = builtins.toString [
+            "-e NIX_BUILD_SHELL=/bin/bash"
+            "-e PAGER=cat"
+            "-e PATH=/bin"
+            "-e NIX_PATH=nixpkgs=${builtins.toString pkgs.path}"
+            "-e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+            "-v /nix:/nix"
+            "-v ${storeDeps}/bin:/bin"
+            "-v ${storeDeps}/etc/ssl:/etc/ssl"
+            "--user nixuser"
+            "--device=/dev/kvm"
+          ];
+
+          # The default network that also respects our dns server settings
+          container.network = "host";
+          container.valid_volumes = [
+            "/nix"
+            "${storeDeps}/bin"
+            "${storeDeps}/etc/ssl"
+          ];
+        };
+      };
+    };
+
+  };
+in
+{
+  options.features.gitea-runner = {
+    enable = lib.mkEnableOption "Enable Gitea runner service";
+  };
+
+  config = lib.mkIf cfg.enable configuration;
+}

modules/gitlab-runner.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }:
 with lib;
@@ -10,22 +11,38 @@ let
   configuration = {
     services.gitlab-runner = {
       enable = true;
+      # NOTE(mrtz): Periodically prune gitlab runner's Docker resources
+      clear-docker-cache = {
+        enable = true;
+        dates = "monthly";
+      };
       settings = {
         concurrent = 16;
       };
       services = {
         nix = {
           # NOTE(simkir): This must be uploaded to the host after you've
-          # registered a runner in gitlab
-          registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+          # registered a runner in gitlab.
+          registrationConfigFile = "/root/gitlab/gitlab-runner-registration";
+
+          # TODO(mrtz): https://archives.docs.gitlab.com/17.0/ee/ci/runners/new_creation_workflow/
+          # authenticationTokenConfigFile = "";
+
+          requestConcurrency = 3;
 
           dockerImage = "alpine";
           dockerVolumes = [
+            # The items are ro because we write to the store via the daemon
             "/nix/store:/nix/store:ro"
             "/nix/var/nix/db:/nix/var/nix/db:ro"
             "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
           ];
           dockerDisableCache = true;
+          registrationFlags = [
+            "--docker-pull-policy=if-not-present"
+            "--docker-allowed-pull-policies=if-not-present"
+            "--docker-allowed-pull-policies=always"
+          ];
 
           preBuildScript = pkgs.writeScript "setup-container" ''
             mkdir -p -m 0755 /nix/var/log/nix/drvs
@@ -37,6 +54,12 @@ let
             mkdir -p -m 1777 /nix/var/nix/profiles/per-user
             mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
             mkdir -p -m 0700 "$HOME/.nix-defexpr"
+
+            mkdir -p /etc/nix
+            cat << EOF > /etc/nix/nix.conf
+            experimental-features = nix-command flakes pipe-operators
+            EOF
+
             . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
             ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-25.05 nixpkgs
             ${pkgs.nix}/bin/nix-channel --update nixpkgs
@@ -52,7 +75,9 @@ let
                 with pkgs;
                 [
                   gnugrep
+                  findutils
                   coreutils
+                  curl
                   nix
                   openssh
                   bash
@@ -67,10 +92,15 @@ let
         };
       };
     };
+    systemd.services.gitlab-runner = {
+      after = [ "podman.service" ];
+      requires = [ "podman.service" ];
+      serviceConfig.SupplementaryGroups = [ "podman" ];
+    };
   };
 in
 {
-  options.features.gitlab-runner = { 
+  options.features.gitlab-runner = {
     enable = mkEnableOption "Enable Gitlab runner service";
   };
 

nix/sources.json

@@ -9,9 +9,22 @@
       },
       "branch": "nixos-25.05",
       "submodules": false,
-      "revision": "1c8ba8d3f7634acac4a2094eef7c32ad9106532c",
-      "url": "https://github.com/nixos/nixpkgs/archive/1c8ba8d3f7634acac4a2094eef7c32ad9106532c.tar.gz",
-      "hash": "0kal9wdvh0f9kcgh0ya1dpiir9331ykmkvsdh6a37lq77ln6m3vm"
+      "revision": "9a7b80b6f82a71ea04270d7ba11b48855681c4b0",
+      "url": "https://github.com/nixos/nixpkgs/archive/9a7b80b6f82a71ea04270d7ba11b48855681c4b0.tar.gz",
+      "hash": "1ahp8ybsxay6q20gv5dhwj6pbqcljh4y51np462lzqryjl8gwqpk"
+    },
+    "nixos-2511": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nixos",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixos-25.11",
+      "submodules": false,
+      "revision": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
+      "url": "https://github.com/nixos/nixpkgs/archive/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f.tar.gz",
+      "hash": "19ljxfhs2i85rqrkawdz7wn16gx006s2hni51qlzk5z1b022x9aa"
     },
     "nixos-hardware": {
       "type": "Git",
@@ -22,15 +35,15 @@
       },
       "branch": "master",
       "submodules": false,
-      "revision": "da17006633ca9cda369be82893ae36824a2ddf1a",
-      "url": "https://github.com/nixos/nixos-hardware/archive/da17006633ca9cda369be82893ae36824a2ddf1a.tar.gz",
-      "hash": "050i03nvf0nrhighs9g4nfcfp5c3pbh7yg7dsri84wqh1cnjslvg"
+      "revision": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
+      "url": "https://github.com/nixos/nixos-hardware/archive/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3.tar.gz",
+      "hash": "1vmlcda7864ya2byxivnpzkqf41cavj9ms5hjh6i0h8anls56lk6"
     },
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre902880.5c46f3bd9814/nixexprs.tar.xz",
-      "hash": "0s8yjnxhp28nyfc40a0pjsqqdnx7jv7nakx5h2lcgp5br546100j"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre904683.23258e03aaa4/nixexprs.tar.xz",
+      "hash": "05l4vicvsalz3w373jr5fl7q91zm13p7nmvh4bs8mnm2gh535742"
     }
   },
   "version": 5

obx.zone

@@ -24,6 +24,38 @@ _slurmctld._tcp IN SRV 0 5 6817 slurmctld.svc.obx.
 slurmdb IN CNAME tos-gw.ekman.tos.obx.
 slurm-accounting IN CNAME tos-gw.ekman.tos.obx.
 
+$ORIGIN vtn.obx.
+*.dev      IN CNAME rossby-manage.rossby.vtn.obx.
+*.adm      IN CNAME rossby-manage.rossby.vtn.obx.
+*.svc      IN CNAME rossby-manage.rossby.vtn.obx.
+
+$ORIGIN hel1.obx.
+gw-1             IN A 37.27.203.38
+gw-int-1         IN A 10.0.1.1
+lb-1             IN A 10.0.1.3
+controlplane-1   IN A 10.0.1.2
+controlplane-2   IN A 10.0.1.4
+controlplane-3   IN A 10.0.1.5
+ingress          IN CNAME lb-1.hel1.obx.
+*.dev            IN CNAME ingress.hel1.obx.
+*.adm            IN CNAME ingress.hel1.obx.
+*.svc            IN CNAME ingress.hel1.obx.
+
+$ORIGIN tos.obx.
+*.dev      IN CNAME ingress.k8s.tos.obx.
+*.adm      IN CNAME ingress.k8s.tos.obx.
+*.svc      IN CNAME ingress.k8s.tos.obx.
+
+$ORIGIN ekman.obx.
+*.dev      IN CNAME ekman-manage.ekman.tos.obx.
+*.adm      IN CNAME ekman-manage.ekman.tos.obx.
+*.svc      IN CNAME ekman-manage.ekman.tos.obx.
+
+$ORIGIN rossby.obx.
+*.dev      IN CNAME rossby-manage.rossby.vtn.obx.
+*.adm      IN CNAME rossby-manage.rossby.vtn.obx.
+*.svc      IN CNAME rossby-manage.rossby.vtn.obx.
+
 $ORIGIN ceph.tos.obx.
 ingress IN A 10.255.241.10
 dashboard IN CNAME ingress.ceph.tos.obx.
@@ -287,10 +319,6 @@ ceph-10 IN A 172.16.238.160
 ceph-11 IN A 172.16.238.161
 ceph-12 IN A 172.16.238.162
 
-$ORIGIN hel1.obx.
-gw-1         IN A 37.27.203.38
-gw-int-1     IN A 10.0.1.1
-
 $ORIGIN k8s.hel1.obx.
 controlplane-1     IN A 10.0.1.11
 controlplane-2     IN A 10.0.1.12

packages/krdp.nix

@@ -1,11 +1,4 @@
-{ }:
-let
-  nixpkgs = fetchTarball "https://github.com/nixos/nixpkgs/tarball/nixos-unstable";
-  pkgs = import nixpkgs {
-    config = { };
-    overlays = [ ];
-  };
-in
+{ pkgs }:
 pkgs.stdenv.mkDerivation rec {
   name = "krdp";
   version = "6.5.3";

shell.nix

@@ -8,6 +8,4 @@ pkgs.mkShellNoCC {
     colmena
     nixfmt-rfc-style
   ];
-
-  NPINS_DIRECTORY = "nix";
 }

tos/hashmap/default.nix

@@ -0,0 +1,235 @@
+{
+  pkgs,
+  nixpkgs,
+  ...
+}:
+{
+  networking = {
+    hostName = "hashmap";
+    domain = "obx";
+    search = [ "obx" ];
+    firewall.allowedTCPPorts = [ ];
+    firewall.extraCommands = '''';
+    firewall.interfaces."podman+" = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [ 53 ];
+    };
+    resolvconf = {
+      enable = false;
+    };
+    nameservers = [
+      "100.100.100.100"
+    ];
+  };
+
+  boot = {
+    consoleLogLevel = 3;
+    plymouth = {
+      enable = true;
+      theme = "ibm";
+      themePackages = [
+        (pkgs.adi1090x-plymouth-themes.override { selected_themes = [ "ibm" ]; })
+      ];
+    };
+    tmp.cleanOnBoot = true;
+    kernel = {
+      sysctl = {
+        "net.ipv4.ip_forward" = true;
+      };
+    };
+    kernelParams = [
+      # Quite boot
+      "quiet"
+      "udev.log_level=3"
+    ];
+    supportedFilesystems = [ "ntfs" ];
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    initrd = {
+      # Quiet boot
+      verbose = false;
+      # Use zstd compression instead of gzip for initrd
+      compressor = "zstd";
+      # Make boot more reliable by using systemd inside initrd
+      systemd.enable = true;
+    };
+    initrd.luks.devices = {
+      luksroot = {
+        device = "/dev/nvme0n1p1";
+        preLVM = true;
+        allowDiscards = true;
+      };
+      luks-data = {
+        device = "/dev/sda1";
+        preLVM = true;
+        allowDiscards = true;
+      };
+    };
+    loader.grub = {
+      enable = false;
+      device = "/dev/sda1";
+      configurationLimit = 3;
+    };
+  };
+
+  # Use nvd to get package diff before apply
+  system.activationScripts.system-diff = {
+    supportsDryActivation = true; # safe: only outputs to stdout
+    text = ''
+      export PATH="${pkgs.lib.makeBinPath [ pkgs.nixVersions.latest ]}:$PATH"
+      if [ -e /run/current-system ]; then
+        ${pkgs.lib.getExe pkgs.nvd} diff '/run/current-system' "$systemConfig" || true
+      fi
+    '';
+  };
+
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_CTYPE = "en_DK.UTF-8";
+      LC_TIME = "en_DK.UTF-8";
+      LC_PAPER = "en_DK.UTF-8";
+      LC_NAME = "en_DK.UTF-8";
+      LC_ADDRESS = "en_DK.UTF-8";
+      LC_TELEPHONE = "en_DK.UTF-8";
+      LC_MEASUREMENT = "en_DK.UTF-8";
+      LC_IDENTIFICATION = "en_DK.UTF-8";
+    };
+  };
+
+  time.timeZone = "Europe/Oslo";
+
+  features = {
+    desktop.enable = true;
+    desktop.plasma.enable = true;
+
+    os = {
+      networkmanager.enable = true;
+      externalInterface = "eno2";
+
+      # NOTE: Use podman instead
+      docker.enable = false;
+
+      adminAuthorizedKeys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC68qcYMBNNWjCoRo1OrfGe3OTBsHprPJPQwaywlOUM03xQLNyF2JcqY8wXJ+Hf2dOopJWOWnS5RwsOtxxV5bUX0tk7yPV38AKGhwW1Q0Xy//nGYypoe4JSvvLJLN4dWoBtkhJFQcJcdAbi6jRrDU1J8n2ZwPwFtQWoEwdm0Mq0H+MR6c97Xnl4pkjCHUOVxyaaCCzo1GSotAG2TQanwcbr5AOTptP3CRGOQ8D7T0iN1v5bJmP4fc6P/av30spOzKksksIg21aMHcted5K5I8XJymftfgJbHr5uKtsgrnHtx7qcPiISkoToQWRttYhTEj0GjLIJwCXZ5Fon1rCVWDW+VvhzI7PhXmhBEOHxuLeSuG3lC9L0NpWJkoIJo7WqMtFo3rJPmRQS6AWFy11SIjvsBQVfDk3Jz1QmV8dxM1ksyZzx5VQ0+zOqIsagjJJIHwKhxgNsVXSO/Hqrua5oCsdgSfnrNVujwagfxY9TQa0bNwYkEs79Oot9EiFdLi9wwrE= Simen Kirkvik (gitlab.com)"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== Simen Kirkvik (gitlab.com)"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQUQsPdS3Wvl46cPl6rBrAPDLX9r8tx1V7yVkr1GhP07hVYVcLV0wojMaB8Zi5kvr/sgBpiuU6oKNqx4+5gN70uQC+JbM5Orna8SoN4L2jfO2WgTMFZEqmDoyzCCglUl2EiqFDvKEC/dvFSjn/qJG6eUdEGpTuB/VQljidZMJrloq0kf4iYy0uaXdrkoKLlBEjXo1forlr2KAYq48PsTovyQxrDqG25UcRhjmoq0Ag7ZGquQXB8Ouwe+H/lVWQFJU+Vy4nqqvv1Fq/bQHW92dZDnlwrMyY6lVsp6Cgc3jzcB5dTfN9Zt+iaVFSE+Tojl04n1oKU4Z5kMbTPRTLLDgjlVRY9JGHOXNO8bqEPG0E7sNXBGSncie9nXnfDoVhXAd8KoVkvXCXYvS+pk82ig0ET+8HC7KRZysB5sqD++GbexbPZFYrOhEZYfvY00sOAVvFCh8h6sC1tXAvXZqUgvTClOINDh42NBs/vTmg6RoG57z1moTa5RsGlVAguKqaiE= Simen Kirkvik (gitlab.com)"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
+      ];
+    };
+  };
+
+  virtualisation = {
+    podman.enable = true;
+    # gitlab-runner will enable this by default, but we want podman instead
+    docker.enable = false;
+    podman.autoPrune.enable = true;
+    # Enable Docker compatibility socket
+    podman.dockerCompat = true;
+    podman.dockerSocket.enable = true;
+    podman.defaultNetwork.settings.dns_enabled = true;
+    oci-containers.backend = "podman";
+    containers.storage.settings = {
+      storage.graphroot = "/var/lib/containers/storage";
+      storage.runroot = "/run/containers/storage";
+    };
+    containers.containersConf.settings = {
+      # podman seems to not work with systemd-resolved
+      containers.dns_servers = [
+        "100.100.100.100"
+        "8.8.8.8"
+        "8.8.4.4"
+      ];
+    };
+  };
+  # without this, when podman changes, it will be restarted, which will kill the build
+  # in the middle of restarting services and leave things in a bad state.
+  systemd.services.podman.restartIfChanged = false;
+
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+    extraUpFlags = [
+      "--login-server=https://headscale.svc.oceanbox.io"
+      "--accept-dns=true"
+      "--accept-routes"
+    ];
+  };
+
+  services.resolved = {
+    enable = true;
+    fallbackDns = [
+      "1.1.1.1"
+    ];
+  };
+
+  nixpkgs.config.allowUnfreee = true;
+
+  nix = {
+    nixPath = [
+      "nixpkgs=${nixpkgs}"
+    ];
+    package = pkgs.nixVersions.stable;
+    settings = {
+      nix-path = [
+        "nixpkgs=${nixpkgs}"
+      ];
+      # Cleanup
+      auto-optimise-store = true;
+      # Keep them for debugging
+      keep-derivations = true;
+      keep-outputs = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "pipe-operators"
+      ];
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 14d";
+    };
+    extraOptions = ''
+      # See https://jackson.dev/post/nix-reasonable-defaults/
+      connect-timeout = 5
+      download-attempts = 2
+      log-lines = 25
+      warn-dirty = false
+      fallback = true
+      http-connections = 128
+      max-substitution-jobs = 128
+      # Only brings pain
+      flake-registry = ""
+    '';
+  };
+
+  # security.pki.certificates = [
+  #   ''
+  #     -----BEGIN CERTIFICATE-----
+  #     MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET
+  #     MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4
+  #     MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
+  #     BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k
+  #     D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
+  #     BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+  #     BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E
+  #     JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT
+  #     m9H0cfSnZwsuwl6yETI=
+  #     -----END CERTIFICATE-----
+  #   ''
+  # ];
+
+  imports = [
+    ./users.nix
+    ./hardware-configuration.nix
+  ];
+}

tos/hashmap/users.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   users.extraGroups = {
     admin = {
@@ -18,6 +18,8 @@
     };
   };
 
+  users.extraUsers.root.openssh.authorizedKeys.keys = config.features.os.adminAuthorizedKeys;
+
   users.extraUsers.admin = {
     description = "Administrator";
     home = "/home/admin";
@@ -29,6 +31,7 @@
       "adm"
       "cdrom"
       "docker"
+      "podman"
       "fuse"
       "wireshark"
       "libvirtd"
@@ -40,7 +43,7 @@
     isNormalUser = true;
     createHome = true;
     useDefaultShell = false;
-    shell = pkgs.fish;
+    # shell = pkgs.fish;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
@@ -48,6 +51,7 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfgY468dPNpdXZCkD9jw1p2qA0+z56Wi/c1VYE+riki"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq mrtz@wurst"
     ];
   };
 
@@ -62,6 +66,7 @@
       "root"
       "adm"
       "cdrom"
+      "podman"
       "docker"
       "fuse"
       "wireshark"
@@ -92,6 +97,7 @@
       "root"
       "adm"
       "cdrom"
+      "podman"
       "docker"
       "fuse"
       "wireshark"
@@ -125,6 +131,7 @@
       "root"
       "adm"
       "cdrom"
+      "podman"
       "docker"
       "fuse"
       "wireshark"
@@ -148,5 +155,4 @@
       kdePackages.kconfig
     ];
   };
-
 }

tos/hive.nix

@@ -1,20 +1,22 @@
 let
   sources = import ../nix;
-  pkgs = import sources.nixos-2505 { };
-  dashboard = "https://grafana.adm.oceanbox.io/d/ba1383fb-b53d-4a90-bd0c-bc76c75450bc/umami?orgId=1&kiosk&refresh=5m&from=now-7d&to=now&timezone=browser&var-groups=$__all";
+  nixpkgs = sources.nixos-2511;
+  pkgs = import nixpkgs { };
+  dashboard = "https://grafana.adm.oceanbox.io/d/ba1383fb-b53d-4a90-bd0c-bc76c75450bc/umami?orgId=1&kiosk&refresh=1m&from=now-7d&to=now&timezone=browser&var-groups=$__all";
   krdp = pkgs.callPackage ../packages/krdp.nix { };
 in
 {
   meta = {
-    nixpkgs = sources.nixos-2505;
+    nixpkgs = nixpkgs;
   };
 
   hashmap =
     { ... }:
     {
       imports = [
-        (import ./hashmap/configuration.nix)
+        (import ../nixos)
         (import ../modules)
+        (import ./hashmap { inherit pkgs nixpkgs; })
         (import "${sources.nixos-hardware}/common/cpu/intel/comet-lake")
       ];
 
@@ -28,19 +30,21 @@ in
         ];
       };
 
+      # Why would you ever use this :(((((
+      system = {
+        copySystemConfiguration = true;
+        autoUpgrade.enable = pkgs.lib.mkForce false;
+      };
+
       environment.systemPackages = with pkgs; [
         htop
         btop
+        intel-gpu-tools
       ];
 
       features = {
-        lan.enable = pkgs.lib.mkForce false;
-
         gitlab-runner.enable = true;
-      };
-
-      networking = {
-        firewall.enable = false;
+        gitea-runner.enable = true;
       };
 
       services = {