+4

host-specific/misaki/configuration.nix

reviewed

··· 7 7 ./networking.nix 8 8 ./packages.nix 9 9 ./services.nix 10 10 + ../../modules/nixery.nix 11 11 + ]; 12 12 + nixpkgs.overlays = [ 13 13 + (import ../../overlays/nixery.nix) 10 14 ]; 11 15 nixpkgs.config.allowUnfree = true; 12 16 system.stateVersion = "23.11"; # Did you read the comment?

+2

host-specific/misaki/coredns/ngp.computer.hosts

reviewed

··· 7 7 192.168.1.3 coder.ngp.computer 8 8 192.168.1.3 stats.ngp.computer 9 9 192.168.1.3 traces.ngp.computer 10 10 + 192.168.1.3 nixery.ngp.computer 10 11 192.168.1.6 odin.ngp.computer 11 12 12 13 fe80::9ab7:85ff:fe1e:dfe8 img.ngp.computer ··· 18 19 fe80::9ab7:85ff:fe1e:dfe8 coder.ngp.computer 19 20 fe80::9ab7:85ff:fe1e:dfe8 stats.ngp.computer 20 21 fe80::9ab7:85ff:fe1e:dfe8 traces.ngp.computer 22 22 + fe80::9ab7:85ff:fe1e:dfe8 nixery.ngp.computer 21 23 fe80::3af7:cdff:fec7:54f odin.ngp.computer

+24

host-specific/misaki/services.nix

reviewed

··· 16 16 autoScrub.enable = true; 17 17 }; 18 18 services.nfs.server.enable = true; 19 19 + services.nixery = { 20 20 + enable = true; 21 21 + openFirewall = false; 22 22 + port = 8080; 23 23 + storage.backend = "filesystem"; 24 24 + storage.path = "/var/lib/nixery/storage"; 25 25 + packageSource = { 26 26 + type = "path"; 27 27 + path = pkgs.path; 28 28 + }; 29 29 + }; 19 30 # Some programs need SUID wrappers, can be configured further or are 20 31 # started in user sessions. 21 32 # programs.mtr.enable = true; ··· 530 541 "id.ngp.computer" 531 542 "coder.ngp.computer" 532 543 "stats.ngp.computer" 544 544 + "nixery.ngp.computer" 533 545 ] 534 546 (_: { 535 547 group = "httpd"; ··· 722 734 recommendedProxySettings = true; 723 735 recommendedTlsSettings = true; 724 736 737 737 + upstreams.nixery.servers = { 738 738 + "127.0.0.1:${toString config.services.nixery.port}" = { }; 739 739 + "192.168.1.6:80" = { }; 740 740 + }; 741 741 + 725 742 virtualHosts."photos.ngp.computer" = { 726 743 enableACME = true; 727 744 acmeRoot = null; ··· 796 813 http2 = true; 797 814 locations."/".proxyPass = 798 815 "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; 816 816 + }; 817 817 + virtualHosts."nixery.ngp.computer" = { 818 818 + forceSSL = true; 819 819 + enableACME = true; 820 820 + acmeRoot = null; 821 821 + http2 = true; 822 822 + locations."/".proxyPass = "http://nixery"; 799 823 }; 800 824 virtualHosts."knot.packetlost.dev" = { 801 825 forceSSL = true;

+5

host-specific/odin/configuration.nix

reviewed

··· 12 12 ./packages.nix 13 13 ./services.nix 14 14 ./valheim.nix 15 15 + ../../modules/nixery.nix 16 16 + ]; 17 17 + 18 18 + nixpkgs.overlays = [ 19 19 + (import ../../overlays/nixery.nix) 15 20 ]; 16 21 17 22 nixpkgs.config.allowUnfree = true;

+24

host-specific/odin/services.nix

reviewed

··· 22 22 enable = true; 23 23 }; 24 24 25 25 + services.nixery = { 26 26 + enable = true; 27 27 + openFirewall = false; 28 28 + port = 8080; 29 29 + storage.backend = "filesystem"; 30 30 + storage.path = "/var/lib/nixery/storage"; 31 31 + packageSource = { 32 32 + type = "path"; 33 33 + path = pkgs.path; 34 34 + }; 35 35 + }; 36 36 + 37 37 + services.nginx = { 38 38 + enable = true; 39 39 + recommendedGzipSettings = true; 40 40 + recommendedOptimisation = true; 41 41 + recommendedProxySettings = true; 42 42 + recommendedTlsSettings = true; 43 43 + 44 44 + virtualHosts."nixery.ngp.computer" = { 45 45 + locations."/".proxyPass = "http://localhost:${toString config.services.nixery.port}"; 46 46 + }; 47 47 + }; 48 48 + 25 49 # Containers and VMs 26 50 virtualisation = { 27 51 podman = {

+252

modules/nixery.nix

reviewed

··· 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + ... 6 6 + }: 7 7 + 8 8 + let 9 9 + cfg = config.services.nixery; 10 10 + 11 11 + sourceEnv = 12 12 + { 13 13 + path = { 14 14 + NIXERY_PKGS_PATH = "/etc/nixery/nixpkgs"; 15 15 + }; 16 16 + channel = { 17 17 + NIXERY_CHANNEL = cfg.packageSource.channel; 18 18 + }; 19 19 + git = { 20 20 + NIXERY_PKGS_REPO = cfg.packageSource.repo; 21 21 + }; 22 22 + } 23 23 + .${cfg.packageSource.type}; 24 24 + 25 25 + storageEnv = 26 26 + { 27 27 + filesystem = { 28 28 + NIXERY_STORAGE_BACKEND = "filesystem"; 29 29 + STORAGE_PATH = cfg.storage.path; 30 30 + }; 31 31 + gcs = { 32 32 + NIXERY_STORAGE_BACKEND = "gcs"; 33 33 + GCS_BUCKET = cfg.storage.gcs.bucket; 34 34 + } 35 35 + // lib.optionalAttrs (cfg.storage.gcs.credentialsFile != null) { 36 36 + GOOGLE_APPLICATION_CREDENTIALS = cfg.storage.gcs.credentialsFile; 37 37 + }; 38 38 + s3 = { 39 39 + NIXERY_STORAGE_BACKEND = "s3"; 40 40 + S3_BUCKET = cfg.storage.s3.bucket; 41 41 + AWS_REGION = cfg.storage.s3.region; 42 42 + S3_LINK_EXPIRATION = cfg.storage.s3.linkExpiration; 43 43 + } 44 44 + // lib.optionalAttrs (cfg.storage.s3.endpoint != null) { 45 45 + S3_ENDPOINT = cfg.storage.s3.endpoint; 46 46 + }; 47 47 + } 48 48 + .${cfg.storage.backend}; 49 49 + 50 50 + environment = { 51 51 + PORT = toString cfg.port; 52 52 + NIX_TIMEOUT = toString cfg.timeout; 53 53 + HOME = "/var/lib/nixery"; 54 54 + } 55 55 + // sourceEnv 56 56 + // storageEnv 57 57 + // lib.optionalAttrs (cfg.popularityUrl != null) { 58 58 + NIX_POPULARITY_URL = cfg.popularityUrl; 59 59 + } 60 60 + // cfg.extraEnvironment; 61 61 + in 62 62 + { 63 63 + options.services.nixery = { 64 64 + enable = lib.mkEnableOption "Nixery container registry"; 65 65 + 66 66 + package = lib.mkPackageOption pkgs "nixery" { }; 67 67 + 68 68 + port = lib.mkOption { 69 69 + type = lib.types.port; 70 70 + default = 8080; 71 71 + description = "HTTP port for the Nixery registry."; 72 72 + }; 73 73 + 74 74 + openFirewall = lib.mkOption { 75 75 + type = lib.types.bool; 76 76 + default = false; 77 77 + description = "Whether to open the configured Nixery port in the firewall."; 78 78 + }; 79 79 + 80 80 + timeout = lib.mkOption { 81 81 + type = lib.types.ints.positive; 82 82 + default = 60; 83 83 + description = "Maximum number of seconds a single Nix builder may run."; 84 84 + }; 85 85 + 86 86 + popularityUrl = lib.mkOption { 87 87 + type = lib.types.nullOr lib.types.str; 88 88 + default = null; 89 89 + description = "Optional URL to Nix package popularity data for layer grouping."; 90 90 + }; 91 91 + 92 92 + environmentFile = lib.mkOption { 93 93 + type = lib.types.nullOr lib.types.path; 94 94 + default = null; 95 95 + description = "Optional environment file for secrets such as S3 credentials."; 96 96 + }; 97 97 + 98 98 + extraEnvironment = lib.mkOption { 99 99 + type = lib.types.attrsOf lib.types.str; 100 100 + default = { }; 101 101 + description = "Additional environment variables passed to Nixery."; 102 102 + }; 103 103 + 104 104 + packageSource = { 105 105 + type = lib.mkOption { 106 106 + type = lib.types.enum [ 107 107 + "path" 108 108 + "channel" 109 109 + "git" 110 110 + ]; 111 111 + default = "path"; 112 112 + description = "Source type for the nixpkgs package set served by Nixery."; 113 113 + }; 114 114 + 115 115 + path = lib.mkOption { 116 116 + type = lib.types.path; 117 117 + default = pkgs.path; 118 118 + defaultText = lib.literalExpression "pkgs.path"; 119 119 + description = "Local nixpkgs path used when packageSource.type is path."; 120 120 + }; 121 121 + 122 122 + channel = lib.mkOption { 123 123 + type = lib.types.str; 124 124 + default = "nixos-unstable"; 125 125 + description = "Nixpkgs channel or commit used when packageSource.type is channel."; 126 126 + }; 127 127 + 128 128 + repo = lib.mkOption { 129 129 + type = lib.types.str; 130 130 + default = "https://github.com/NixOS/nixpkgs.git"; 131 131 + description = "Git repository used when packageSource.type is git."; 132 132 + }; 133 133 + }; 134 134 + 135 135 + storage = { 136 136 + backend = lib.mkOption { 137 137 + type = lib.types.enum [ 138 138 + "filesystem" 139 139 + "gcs" 140 140 + "s3" 141 141 + ]; 142 142 + default = "filesystem"; 143 143 + description = "Storage backend for Nixery build cache and image layers."; 144 144 + }; 145 145 + 146 146 + path = lib.mkOption { 147 147 + type = lib.types.str; 148 148 + default = "/var/lib/nixery/storage"; 149 149 + description = "Filesystem storage path used when storage.backend is filesystem."; 150 150 + }; 151 151 + 152 152 + gcs = { 153 153 + bucket = lib.mkOption { 154 154 + type = lib.types.str; 155 155 + default = ""; 156 156 + description = "Google Cloud Storage bucket used when storage.backend is gcs."; 157 157 + }; 158 158 + 159 159 + credentialsFile = lib.mkOption { 160 160 + type = lib.types.nullOr lib.types.path; 161 161 + default = null; 162 162 + description = "Optional service account JSON file for signed GCS URLs."; 163 163 + }; 164 164 + }; 165 165 + 166 166 + s3 = { 167 167 + bucket = lib.mkOption { 168 168 + type = lib.types.str; 169 169 + default = ""; 170 170 + description = "S3 bucket used when storage.backend is s3."; 171 171 + }; 172 172 + 173 173 + endpoint = lib.mkOption { 174 174 + type = lib.types.nullOr lib.types.str; 175 175 + default = null; 176 176 + description = "Optional S3-compatible endpoint."; 177 177 + }; 178 178 + 179 179 + region = lib.mkOption { 180 180 + type = lib.types.str; 181 181 + default = "us-east-1"; 182 182 + description = "AWS region for the S3 bucket."; 183 183 + }; 184 184 + 185 185 + linkExpiration = lib.mkOption { 186 186 + type = lib.types.str; 187 187 + default = "5m"; 188 188 + description = "Duration for pre-signed S3 layer URLs."; 189 189 + }; 190 190 + }; 191 191 + }; 192 192 + }; 193 193 + 194 194 + config = lib.mkIf cfg.enable { 195 195 + assertions = [ 196 196 + { 197 197 + assertion = cfg.storage.backend != "gcs" || cfg.storage.gcs.bucket != ""; 198 198 + message = "services.nixery.storage.gcs.bucket must be set when using GCS storage."; 199 199 + } 200 200 + { 201 201 + assertion = cfg.storage.backend != "s3" || cfg.storage.s3.bucket != ""; 202 202 + message = "services.nixery.storage.s3.bucket must be set when using S3 storage."; 203 203 + } 204 204 + ]; 205 205 + 206 206 + users.groups.nixery = { }; 207 207 + users.users.nixery = { 208 208 + isSystemUser = true; 209 209 + group = "nixery"; 210 210 + home = "/var/lib/nixery"; 211 211 + createHome = true; 212 212 + }; 213 213 + 214 214 + systemd.tmpfiles.rules = lib.mkIf (cfg.storage.backend == "filesystem") [ 215 215 + "d ${cfg.storage.path} 0750 nixery nixery - -" 216 216 + ]; 217 217 + 218 218 + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ]; 219 219 + 220 220 + environment.etc."nixery/nixpkgs" = lib.mkIf (cfg.packageSource.type == "path") { 221 221 + source = cfg.packageSource.path; 222 222 + }; 223 223 + 224 224 + systemd.services.nixery = { 225 225 + description = "Nixery container registry"; 226 226 + after = [ "network-online.target" ]; 227 227 + wants = [ "network-online.target" ]; 228 228 + wantedBy = [ "multi-user.target" ]; 229 229 + 230 230 + inherit environment; 231 231 + 232 232 + path = [ 233 233 + pkgs.git 234 234 + pkgs.nix 235 235 + pkgs.openssh 236 236 + ]; 237 237 + 238 238 + serviceConfig = { 239 239 + ExecStart = "${lib.getExe' cfg.package "server"}"; 240 240 + EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; 241 241 + StateDirectory = "nixery"; 242 242 + WorkingDirectory = "/var/lib/nixery"; 243 243 + User = "nixery"; 244 244 + Group = "nixery"; 245 245 + Restart = "on-failure"; 246 246 + RestartSec = "10s"; 247 247 + NoNewPrivileges = true; 248 248 + PrivateTmp = true; 249 249 + }; 250 250 + }; 251 251 + }; 252 252 + }

+29

overlays/nixery.nix

reviewed

··· 1 1 + final: prev: 2 2 + 3 3 + let 4 4 + rev = "7eb6caf6c9de3d760351edaa9cb78debe4221dbd"; 5 5 + 6 6 + src = prev.fetchgit { 7 7 + url = "https://code.tvl.fyi/depot.git:/tools/nixery.git"; 8 8 + inherit rev; 9 9 + hash = "sha256-zIZ8M61IVdFjynoJePXyg4hILX/+rWupDOiK1+EJkeY="; 10 10 + }; 11 11 + 12 12 + depotStub = { 13 13 + nix.readTree.drvTargets = x: x; 14 14 + tools.releases.filteredGitPush = _: { }; 15 15 + }; 16 16 + 17 17 + nixeryPackages = import src { 18 18 + pkgs = final; 19 19 + depot = depotStub; 20 20 + }; 21 21 + in 22 22 + { 23 23 + inherit nixeryPackages; 24 24 + 25 25 + nixery = nixeryPackages.nixery; 26 26 + nixery-image = nixeryPackages.nixery-image; 27 27 + nixery-popcount = nixeryPackages.nixery-popcount; 28 28 + nixery-prepare-image = nixeryPackages.nixery-prepare-image; 29 29 + }