Updated nix for 22.11 (4)

2025-04-01 17:50:51 +02:00 · 2023-01-05 17:15:06 +01:00 · 2023-01-05 17:15:06 +01:00 · f6862a1944
commit f6862a1944
parent 3b57581c17
2 changed files with 81 additions and 77 deletions
--- a/modules/bincache/default.nix
+++ b/modules/bincache/default.nix
@ -18,7 +18,7 @@ with lib;
      users.users.nix-serve = {
        isSystemUser = true;
      };
-      nix.allowedUsers = [ "nix-serve" ];
+      nix.settings.allowed-users = [ "nix-serve" ];
      users.users.nix-serve.group = "nix-serve";
      users.groups.nix-serve = { };
@ -32,5 +32,6 @@ with lib;
        port = port;
      };
-    } (mkSubdomain cfg.subdomain port));
+    }
    (mkSubdomain cfg.subdomain port));
 }
--- a/modules/drone/default.nix
+++ b/modules/drone/default.nix
@ -14,85 +14,88 @@ in
    };
  };
-  config = mkIf cfg.enable (recursiveUpdate {
+  config = mkIf cfg.enable (recursiveUpdate
    {
-    users.users.drone = {
+      users.users.drone = {
-      isNormalUser = true;
+        isNormalUser = true;
-      createHome = true;
+        createHome = true;
-      home = "/home/drone";
+        home = "/home/drone";
-      extraGroups = [ drone config.users.groups.keys.name ];
+        extraGroups = [ drone config.users.groups.keys.name ];
-      passwordFile = config.sops.secrets.user-julien-password.path;
+        passwordFile = config.sops.secrets.user-julien-password.path;
    };
    users.groups.drone = { };
    luj.hmgr.drone.luj.programs.git.enable = true;
    nix.allowedUsers = [ drone ];
    sops.secrets.drone = { };
    sops.secrets.ssh-drone-pub = {
      owner = drone;
      path = "/home/drone/.ssh/id_ed25519.pub";
      mode = "0644";
      format = "binary";
      sopsFile = ../../secrets/ssh-drone-pub;
    };
    sops.secrets.ssh-drone-priv = {
      owner = drone;
      path = "/home/drone/.ssh/id_ed25519";
      mode = "0600";
      format = "binary";
      sopsFile = ../../secrets/ssh-drone-priv;
    };
    systemd.services.drone-server = {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        EnvironmentFile = [ config.sops.secrets.drone.path ];
        Environment = [
          "DRONE_SERVER_HOST=${cfg.subdomain}.julienmalka.me"
          "DRONE_SERVER_PROTO=https"
          "DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
          "DRONE_DATABASE_DRIVER=postgres"
          "DRONE_SERVER_PORT=:3030"
          "DRONE_USER_CREATE=username:JulienMalka,admin:true"
          "DRONE_REGISTRATION_CLOSED=true"
        ];
        ExecStart = "${pkgs.drone}/bin/drone-server";
        User = drone;
        Group = drone;
      };
-    };
+      users.groups.drone = { };
      luj.hmgr.drone.luj.programs.git.enable = true;
      nix.settings.allowed-users = [ drone ];
-    services.postgresql = {
+      sops.secrets.drone = { };
-      enable = true;
+
-      ensureDatabases = [ drone ];
+      sops.secrets.ssh-drone-pub = {
-      ensureUsers = [{
+        owner = drone;
-        name = drone;
+        path = "/home/drone/.ssh/id_ed25519.pub";
-        ensurePermissions = {
+        mode = "0644";
-          "DATABASE ${drone}" = "ALL PRIVILEGES";
+        format = "binary";
        sopsFile = ../../secrets/ssh-drone-pub;
      };
      sops.secrets.ssh-drone-priv = {
        owner = drone;
        path = "/home/drone/.ssh/id_ed25519";
        mode = "0600";
        format = "binary";
        sopsFile = ../../secrets/ssh-drone-priv;
      };
      systemd.services.drone-server = {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          EnvironmentFile = [ config.sops.secrets.drone.path ];
          Environment = [
            "DRONE_SERVER_HOST=${cfg.subdomain}.julienmalka.me"
            "DRONE_SERVER_PROTO=https"
            "DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
            "DRONE_DATABASE_DRIVER=postgres"
            "DRONE_SERVER_PORT=:3030"
            "DRONE_USER_CREATE=username:JulienMalka,admin:true"
            "DRONE_USER_CREATE=username:camillemndn, admin:true"
            "DRONE_REGISTRATION_CLOSED=true"
          ];
          ExecStart = "${pkgs.drone}/bin/drone-server";
          User = drone;
          Group = drone;
        };
      }];
    };
    systemd.services.drone-runner-exec = {
      description = "Drone Exec Runner";
      startLimitIntervalSec = 5;
      serviceConfig = {
        User = drone;
        Group = drone;
        EnvironmentFile = [ config.sops.secrets.drone.path ];
        Environment = [
          "DRONE_SERVER_HOST=${cfg.subdomain}.julienmalka.me"
          "DRONE_SERVER_PROTO=https"
          "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
        ];
        ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec service run";
      };
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.nixUnstable pkgs.git pkgs.openssh ];
    };
-  } (recursiveUpdate (mkSubdomain cfg.subdomain port) (mkVPNSubdomain cfg.subdomain port)));
+      services.postgresql = {
        enable = true;
        ensureDatabases = [ drone ];
        ensureUsers = [{
          name = drone;
          ensurePermissions = {
            "DATABASE ${drone}" = "ALL PRIVILEGES";
          };
        }];
      };
      systemd.services.drone-runner-exec = {
        description = "Drone Exec Runner";
        startLimitIntervalSec = 5;
        serviceConfig = {
          User = drone;
          Group = drone;
          EnvironmentFile = [ config.sops.secrets.drone.path ];
          Environment = [
            "DRONE_SERVER_HOST=${cfg.subdomain}.julienmalka.me"
            "DRONE_SERVER_PROTO=https"
            "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
          ];
          ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec service run";
        };
        wantedBy = [ "multi-user.target" ];
        path = [ pkgs.nixUnstable pkgs.git pkgs.openssh ];
      };
    }
    (recursiveUpdate (mkSubdomain cfg.subdomain port) (mkVPNSubdomain cfg.subdomain port)));
 }