Merge branch 'main' of ssh://git.ghoscht.com:2222/ghoscht/nix-config

hosts/franz/arion/dns/default.nix

@@ -7,8 +7,5 @@
 
   # Fix containers not being able to use pihole as dns
   networking.resolvconf.useLocalResolver = true;
-  networking.firewall = {
+  networking.firewall.allowedTCPPorts = [80 443];
-    enable = true;
-    allowedTCPPorts = [80 443];
-  };
 }

hosts/franz/arion/git/arion-compose.nix

@@ -10,7 +10,7 @@
 
   services = {
     forgejo.service = {
-      image = "codeberg.org/forgejo/forgejo:7.0.1";
+      image = "codeberg.org/forgejo/forgejo:7.0.3";
       container_name = "forgejo";
       useHostStore = true;
       labels = {

hosts/franz/default.nix

@@ -25,6 +25,7 @@ in {
     ./sops.nix
     ./restic.nix
     ./arion
+    ./hydra.nix
   ];
 
   # Enable ZFS
@@ -32,6 +33,7 @@ in {
   networking.hostId = "f014fc43";
 
   systemd.enableEmergencyMode = false;
+  networking.firewall.enable = true;
 
   # Prevent zfs from being automounted by fstab auto discovery & zfs
   fileSystems."/storage/dataset".options = ["noauto"];

hosts/franz/hydra.nix

@@ -0,0 +1,28 @@
+{config, ...}: {
+  services.hydra = {
+    enable = true;
+    hydraURL = "http://localhost:3000"; # externally visible URL
+    notificationSender = "hydra@localhost"; # e-mail of hydra service
+    # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
+    buildMachinesFiles = [];
+    # you will probably also want, otherwise *everything* will be built from scratch
+    useSubstitutes = true;
+  };
+  nix.settings.allowed-uris = [
+    "github:"
+    "git+https://github.com/"
+    "git+ssh://github.com/"
+    "git+https://git.ghoscht.com/"
+    "git+ssh://git.ghoscht.com/"
+    "https://git.ghoscht.com/"
+  ];
+  networking.firewall = {
+    allowedTCPPorts = [config.services.hydra.port];
+  };
+  # nix.gc = {
+  #   automatic = true;
+  #   dates = "15 3 * * *"; # [1]
+  # };
+  #
+  nix.autoOptimiseStore = true;
+}

secrets/franz.yaml

@@ -36,7 +36,7 @@ matrix:
     postgres_user: ENC[AES256_GCM,data:S9ksmTOAbBg=,iv:q/6Oo9JhiSAqQq3ZKa0dbQGtfYAuD0oeiDLR4YwV0nk=,tag:RIc/1UVs88Jg8+4zGnW6vQ==,type:str]
     postgres_password: ENC[AES256_GCM,data:sKlU4HKDDNERv4LZK9/M2+kvnNht1uxQ7+pQSIZWPkk=,iv:fD98XPUMjo+eZOmE/cVOh5TFkmTY/KDCjfZcf5fSWOg=,tag:B5zsxgjvs7+czDWcCst/eg==,type:str]
 dyndns:
-    cloudflare_api_key: ENC[AES256_GCM,data:O8biURYpw+joKm5A+7E9ARKlFRcnwFaqrbLPHevOXvYTFED1NdMSGQ==,iv:Vm1DreqdaFd1owN7zci242gzpGEZqE57Yn9XAzVxXoQ=,tag:KdQtVvZCypAYIghtuM5kjw==,type:str]
+    cloudflare_api_key: ENC[AES256_GCM,data:UR+MUI3TiiytVh93MxlUHW/fj9pwKoxOkxMXdMedKH/mGp5UbUIubw==,iv:SRHhFjwcbWf/bIe/z6Z0vz/cXnfmn88VFoSQ+9VGDbQ=,tag:K46d/QLlGZBKT91A34FGJQ==,type:str]
 auth:
     postgres_db: ENC[AES256_GCM,data:zRDkvA5+p57YMW/J,iv:2LQ5f+uZ15rd6b+c/z9iaVrRNrtMnjj411guxzOke+c=,tag:5VgnajLXvte6FHKNM+mRsw==,type:str]
     postgres_user: ENC[AES256_GCM,data:Cuw3XEY419FOoguYvyQ=,iv:spERtcJschAfYKjH2W5mgcDbPM2O3GT39lCbcfSK60Y=,tag:nT2LOywbjtSIqSiyPgA2Mw==,type:str]
@@ -60,8 +60,8 @@ sops:
             VUUxcEhvYi8zeXlCUUViUTl0eWdhcU0KXOfbnDc+zc8lnBcyEAV5EiJSjcSU6AgI
             EfeRw8qVqwChrYn1agslcNnDbE0WQsOCBuA6cE4V3kRofp9HU949ig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-03T14:23:12Z"
+    lastmodified: "2024-05-18T21:12:01Z"
-    mac: ENC[AES256_GCM,data:uYIv6amV4Yy9SqObBnvOLRTqNrHg9QmE3i+DaYr/CEeKvQ8diT/ia9bB6wi0aV7vN015Q7fXF+gynYUGhQ/7uYEXnXkBkKX5Ueyj0TUvlG9ztoegKVOLTlOTB16iImZRgFnlJYFJb3mtMpar9OH0ERpEl6GKXqEb+UGNecGrof0=,iv:/GBblSgWHTRKMeee1Zo/0BRiGrvgO6mmo9Wp2kY2QYY=,tag:jc1oT6qTCPno0GLQ7ADBsw==,type:str]
+    mac: ENC[AES256_GCM,data:kBGP7V4f8d8JWdMdwPEYM1L2zZ4p6eHfwiepfLpBAr0VyhE9YOpPIdt9Tl+ky3mRyfn/DnX03ThiAKQtTrls3/lJEmJRd1dswRd+Mtls3j1QlxhorHYb8g6QvlmyepNf5j5Egqm9hNX+L3aV29mKoO42VxvfaopKduNGt1BrSFo=,iv:Uq+hQUMF+PBV5f6V9AsnxIxX0fKn84MAPEfTFtOtsus=,tag:6LtblCK7FLnhfS0dHsrcnQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1