nixin-web/inventory/nixin.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  nixin-web = pkgs.stdenv.mkDerivation {
    pname = "nixin-web";
    version = "0.1-alpha";
    src = pkgs.fetchzip {
      url = "https://git.distrilab.fr/NixiN/nixin-web/actions/runs/85/artifacts/nixin-website.zip";
      hash = "sha256-+cgWvbmjV9xckRCeRaj1dWqowBRbe/5497FcoZW+5ec=";
      stripRoot = false;
    };
    dontConfigure = true;
    dontBuild = true;
    installPhase = ''
      mkdir -p $out
      cp -a -T $src $out
    '';
  };
in
{
  networking.hosts = {
    "127.0.0.1" = [ "nixin.chmok.net" ];
  };

  networking.hostName = "nixin";
  networking.domain = "chmok.net";
  networking.firewall = {
    allowedUDPPorts = [
      53 # forgejo-runner
      8098 # wireguard
    ];
    allowedTCPPorts = [
      22 # ssh
      80 # http
      443 # https
    ];
  };
  networking.nameservers = [
    "80.67.169.12"
    "2001:910:800::12"
    "80.67.169.40"
    "2001:910:800::40"
  ];
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.42.0.9/32" ];
      privateKey = "2M0w52jHmX5AgPw4V7Kq1hoZaEWa7H6NBoPfy/RbanQ=";
      peers = [
        {
          publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";
          presharedKey = "DjbQfcvrc1cfk0nQNGqak4QZr46MW9WEovNK170mg+A=";
          allowedIPs = [ "10.42.0.0/24" ];
          endpoint = "195.201.63.240:8098";
          persistentKeepalive = 15;
        }
      ];
    };
  };

  time.timeZone = "UTC";
  i18n.defaultLocale = "en_US.UTF-8";

  users.users.operator = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    initialPassword = "CHANGE ME !!!";
  };

  security.sudo.extraRules = [
    {
      users = [ "operator" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
        }
      ];
    }
  ];

  services.forgejo = {
    enable = true;
    database.type = "postgres";
    # Enable support for Git Large File Storage
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = "forge.chmok.net";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://forge.chmok.net/";
        HTTP_PORT = 3000;
      };
      # You can temporarily allow registration to create an admin user.
      service.DISABLE_REGISTRATION = true;
      # Add support for actions, based on act: https://github.com/nektos/act
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
      # Sending emails is completely optional
      # You can send a test email from the web UI at:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      mailer = {
        ENABLED = true;
        SMTP_ADDR = "mail.chmok.net";
        FROM = "noreply@${config.services.forgejo.settings.server.DOMAIN}";
        USER = "noreply@${config.services.forgejo.settings.server.DOMAIN}";
        PASSWD = "CHANGE ME !!!";
      };
    };
  };

  virtualisation.containers.enable = true;
  virtualisation.podman = {
    enable = true;
    # Create a `docker` alias for podman, to use it as a drop-in replacement
    dockerCompat = true;
    # Required for containers under podman-compose to be able to talk to each other.
    defaultNetwork.settings.dns_enabled = true;
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
      enable = true;
      name = "nixinrunner";
      url = "https://forge.chmok.net";
      token = "S3uBKr4HsnxILAVA40ikLCNdAdKYxqcIGoqH1ihA";
      labels = [
        # provide a debian base with nodejs for actions
        "debian-latest:docker://node:20-bookworm"
        # fake the ubuntu name, because node provides no ubuntu builds
        "ubuntu-latest:docker://node:20-bookworm"
        # nixos
        "nixos:docker://nixos/nix:latest"
        # provide native execution on the host
        #"native:host"
      ];
    };
  };

  services.openssh.enable = true;
  services.openssh.ports = [ 22 ];
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };
  security.acme.defaults.email = "contact@nixin.local";
  security.acme.acceptTerms = true;

  services.nginx = {
    enable = true;

    # Use recommended settings
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Only allow PFS-enabled ciphers with AES256
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts."forge.chmok.net" = {
      extraConfig = ''
        client_max_body_size 512M;
      '';
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass =
        "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
    };
  };

  systemd.services.forgejo.preStart =
    let
      forgejoCmd = "${lib.getExe config.services.forgejo.package}";
      adminCmd = "${forgejoCmd} admin user";
      pwd = "CHANGE ME !!!";
      user = "operator";
      mail = "root@forge.chmok.net";
    in
    ''
        # create admin
        ${adminCmd} create --admin --email "${mail}" --username ${user} --password "${pwd}" || true
        ## uncomment this line to change an admin user which was already created
        # ${adminCmd} change-password --username ${user} --password "${pwd}" || true

        # link forgejo runner and forgejo
        ${forgejoCmd} forgejo-cli actions register --keep-labels --name nixin-runner \
      --secret 7c31591e8b67225a116d4a4519ea8e507e08f71f || true

        # forgejo-runner create-runner-file --instance https://example.conf \
        #  --secret 7c31591e8b67225a116d4a4519ea8e507e08f71f
        # create nixin repository

        # create password-store repository
    '';

  environment.systemPackages =
    with pkgs;
    let
    in
    #nixin-web = buildNpmPackage {
    #  pname = "nixin-web";
    #  version = "0.1-alpha";
    #  src = fetchgit {
    #    url = "https://git.distrilab.fr/NixiN/nixin-web";
    #    rev = "30384e64854b04e1f51ba68c3874765e141e9fc1";
    #    hash = "sha256-ERx6GX/qaiZXMzaLXuWTq4FxJ3RYy/LtkC2/kstF9nw=";
    #  };
    #  makeCacheWritable = true;
    #  npmDepsHash = "sha256-0YIrAMbM1CtInq1XPs/5r8FhOzE7bKXMoN23vm/ihEA=";
    #  npmBuildScript = "docs:build";
    #};
    #indication = "the code above keep stuck because vite and nixos are'nt friends";
    [
      nixin-web
      git
      wget
      tmux
      mosh
      htop
      neovim
      pass
    ];

  services.nginx.virtualHosts."nixin.chmok.net" = {
    forceSSL = true;
    enableACME = true;
    locations."/".root = ''${nixin-web}'';
    locations."/".index = "index.html";
  };
  system.stateVersion = "24.05";
}
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
feat(inventory): working nixin 2024-12-17 08:09:58 +00:00			`let`
			`nixin-web = pkgs.stdenv.mkDerivation {`
			`pname = "nixin-web";`
			`version = "0.1-alpha";`
			`src = pkgs.fetchzip {`
			`url = "https://git.distrilab.fr/NixiN/nixin-web/actions/runs/85/artifacts/nixin-website.zip";`
			`hash = "sha256-+cgWvbmjV9xckRCeRaj1dWqowBRbe/5497FcoZW+5ec=";`
			`stripRoot = false;`
			`};`
			`dontConfigure = true;`
			`dontBuild = true;`
			`installPhase = ''`
fix(inventory): more clean cp for nixin 2024-12-17 09:44:13 +00:00			`mkdir -p $out`
fix(inventory): bulletproof cp for nixin-web 2024-12-17 09:59:14 +00:00			`cp -a -T $src $out`
feat(inventory): working nixin 2024-12-17 08:09:58 +00:00			`'';`
			`};`
			`in`
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00			`{`
			`networking.hosts = {`
			`"127.0.0.1" = [ "nixin.chmok.net" ];`
			`};`

			`networking.hostName = "nixin";`
			`networking.domain = "chmok.net";`
			`networking.firewall = {`
			`allowedUDPPorts = [`
feat(inventory): nixin vm not working example of nixin build 2024-12-16 10:46:05 +00:00			`53 # forgejo-runner`
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00			`8098 # wireguard`
			`];`
			`allowedTCPPorts = [`
			`22 # ssh`
			`80 # http`
			`443 # https`
			`];`
			`};`
			`networking.nameservers = [`
			`"80.67.169.12"`
			`"2001:910:800::12"`
			`"80.67.169.40"`
			`"2001:910:800::40"`
			`];`
			`networking.wg-quick.interfaces = {`
			`wg0 = {`
			`address = [ "10.42.0.9/32" ];`
			`privateKey = "2M0w52jHmX5AgPw4V7Kq1hoZaEWa7H6NBoPfy/RbanQ=";`
			`peers = [`
			`{`
			`publicKey = "2MZzEGJzA3HrwkHf91TaKJEHwCNyVvsTLWoIYHrCxhY=";`
			`presharedKey = "DjbQfcvrc1cfk0nQNGqak4QZr46MW9WEovNK170mg+A=";`
			`allowedIPs = [ "10.42.0.0/24" ];`
			`endpoint = "195.201.63.240:8098";`
			`persistentKeepalive = 15;`
			`}`
			`];`
			`};`
			`};`

			`time.timeZone = "UTC";`
			`i18n.defaultLocale = "en_US.UTF-8";`

			`users.users.operator = {`
			`isNormalUser = true;`
			`extraGroups = [ "wheel" ];`
			`initialPassword = "CHANGE ME !!!";`
			`};`

			`security.sudo.extraRules = [`
			`{`
			`users = [ "operator" ];`
			`commands = [`
			`{`
			`command = "ALL";`
			`options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea`
			`}`
			`];`
			`}`
			`];`

			`services.forgejo = {`
			`enable = true;`
			`database.type = "postgres";`
			`# Enable support for Git Large File Storage`
			`lfs.enable = true;`
			`settings = {`
			`server = {`
			`DOMAIN = "forge.chmok.net";`
			`# You need to specify this to remove the port from URLs in the web UI.`
			`ROOT_URL = "https://forge.chmok.net/";`
			`HTTP_PORT = 3000;`
			`};`
			`# You can temporarily allow registration to create an admin user.`
			`service.DISABLE_REGISTRATION = true;`
			`# Add support for actions, based on act: https://github.com/nektos/act`
			`actions = {`
			`ENABLED = true;`
			`DEFAULT_ACTIONS_URL = "github";`
			`};`
			`# Sending emails is completely optional`
			`# You can send a test email from the web UI at:`
			`# Profile Picture > Site Administration > Configuration > Mailer Configuration`
			`mailer = {`
			`ENABLED = true;`
			`SMTP_ADDR = "mail.chmok.net";`
			`FROM = "noreply@${config.services.forgejo.settings.server.DOMAIN}";`
			`USER = "noreply@${config.services.forgejo.settings.server.DOMAIN}";`
			`PASSWD = "CHANGE ME !!!";`
			`};`
			`};`
			`};`

			`virtualisation.containers.enable = true;`
			`virtualisation.podman = {`
			`enable = true;`
			# Create a `docker` alias for podman, to use it as a drop-in replacement
			`dockerCompat = true;`
			`# Required for containers under podman-compose to be able to talk to each other.`
			`defaultNetwork.settings.dns_enabled = true;`
			`};`

			`services.gitea-actions-runner = {`
			`package = pkgs.forgejo-runner;`
			`instances.default = {`
			`enable = true;`
			`name = "nixinrunner";`
			`url = "https://forge.chmok.net";`
			`token = "S3uBKr4HsnxILAVA40ikLCNdAdKYxqcIGoqH1ihA";`
			`labels = [`
			`# provide a debian base with nodejs for actions`
			`"debian-latest:docker://node:20-bookworm"`
			`# fake the ubuntu name, because node provides no ubuntu builds`
			`"ubuntu-latest:docker://node:20-bookworm"`
			`# nixos`
			`"nixos:docker://nixos/nix:latest"`
			`# provide native execution on the host`
			`#"native:host"`
			`];`
			`};`
			`};`

			`services.openssh.enable = true;`
			`services.openssh.ports = [ 22 ];`
			`services.openssh.settings = {`
			`PermitRootLogin = "no";`
			`PasswordAuthentication = false;`
			`KbdInteractiveAuthentication = false;`
			`};`
			`security.acme.defaults.email = "contact@nixin.local";`
			`security.acme.acceptTerms = true;`

			`services.nginx = {`
			`enable = true;`

			`# Use recommended settings`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`

			`# Only allow PFS-enabled ciphers with AES256`
			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`

			`virtualHosts."forge.chmok.net" = {`
			`extraConfig = ''`
			`client_max_body_size 512M;`
			`'';`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/".proxyPass =`
			`"http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";`
			`};`
			`};`

			`systemd.services.forgejo.preStart =`
			`let`
fix(inventory): more clean cp for nixin 2024-12-17 09:44:13 +00:00			`forgejoCmd = "${lib.getExe config.services.forgejo.package}";`
			`adminCmd = "${forgejoCmd} admin user";`
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00			`pwd = "CHANGE ME !!!";`
			`user = "operator";`
			`mail = "root@forge.chmok.net";`
			`in`
			`''`
feat(inventory): nixin vm init runner and repos WIP 2024-12-17 10:23:00 +00:00			`# create admin`
			`${adminCmd} create --admin --email "${mail}" --username ${user} --password "${pwd}" \|\| true`
			`## uncomment this line to change an admin user which was already created`
			`# ${adminCmd} change-password --username ${user} --password "${pwd}" \|\| true`
fix(inventory): more clean cp for nixin 2024-12-17 09:44:13 +00:00
feat(inventory): nixin vm init runner and repos WIP 2024-12-17 10:23:00 +00:00			`# link forgejo runner and forgejo`
			`${forgejoCmd} forgejo-cli actions register --keep-labels --name nixin-runner \`
			`--secret 7c31591e8b67225a116d4a4519ea8e507e08f71f \|\| true`
fix(inventory): more clean cp for nixin 2024-12-17 09:44:13 +00:00
feat(inventory): nixin vm init runner and repos WIP 2024-12-17 10:23:00 +00:00			`# forgejo-runner create-runner-file --instance https://example.conf \`
			`# --secret 7c31591e8b67225a116d4a4519ea8e507e08f71f`
			`# create nixin repository`
fix(inventory): more clean cp for nixin 2024-12-17 09:44:13 +00:00
feat(inventory): nixin vm init runner and repos WIP 2024-12-17 10:23:00 +00:00			`# create password-store repository`
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00			`'';`

feat(inventory): nixin vm not working example of nixin build 2024-12-16 10:46:05 +00:00			`environment.systemPackages =`
			`with pkgs;`
			`let`
			`in`
feat(inventory): working nixin 2024-12-17 08:09:58 +00:00			`#nixin-web = buildNpmPackage {`
			`# pname = "nixin-web";`
			`# version = "0.1-alpha";`
			`# src = fetchgit {`
			`# url = "https://git.distrilab.fr/NixiN/nixin-web";`
			`# rev = "30384e64854b04e1f51ba68c3874765e141e9fc1";`
			`# hash = "sha256-ERx6GX/qaiZXMzaLXuWTq4FxJ3RYy/LtkC2/kstF9nw=";`
			`# };`
			`# makeCacheWritable = true;`
			`# npmDepsHash = "sha256-0YIrAMbM1CtInq1XPs/5r8FhOzE7bKXMoN23vm/ihEA=";`
			`# npmBuildScript = "docs:build";`
			`#};`
			`#indication = "the code above keep stuck because vite and nixos are'nt friends";`
feat(inventory): nixin vm not working example of nixin build 2024-12-16 10:46:05 +00:00			`[`
feat(inventory): working nixin 2024-12-17 08:09:58 +00:00			`nixin-web`
feat(inventory): nixin vm not working example of nixin build 2024-12-16 10:46:05 +00:00			`git`
			`wget`
			`tmux`
			`mosh`
			`htop`
feat(inventory): working nixin 2024-12-17 08:09:58 +00:00			`neovim`
fix(inventory): more clean cp for nixin 2024-12-17 09:44:13 +00:00			`pass`
feat(inventory): nixin vm not working example of nixin build 2024-12-16 10:46:05 +00:00			`];`
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00
feat(inventory): working nixin 2024-12-17 08:09:58 +00:00			`services.nginx.virtualHosts."nixin.chmok.net" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/".root = ''${nixin-web}'';`
			`locations."/".index = "index.html";`
			`};`
feat(inventory): declaration of nixin machine wip 2024-12-13 11:45:48 +00:00			`system.stateVersion = "24.05";`
			`}`