
add tangled knot

+621
+1
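--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets/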
+5
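--- a/common/ssh.nix
+++ b/common/ssh.nix
@@ -0,0 +1,5 @@
+{
+sshKeys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAXV831n1pGaHBtnMgpYu+qkRbtiE+kEd/xXhxBwp5tk root@malpercio.dev"
+];
+}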
+373
flake.lock
··· 1 + { 2 + "nodes": { 3 + "actor-typeahead-src": { 4 + "flake": false, 5 + "locked": { 6 + "lastModified": 1762835797, 7 + "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=", 8 + "ref": "refs/heads/main", 9 + "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b", 10 + "revCount": 6, 11 + "type": "git", 12 + "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead" 13 + }, 14 + "original": { 15 + "type": "git", 16 + "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead" 17 + } 18 + }, 19 + "colmena": { 20 + "inputs": { 21 + "flake-compat": "flake-compat", 22 + "flake-utils": "flake-utils", 23 + "nixpkgs": "nixpkgs", 24 + "stable": "stable" 25 + }, 26 + "locked": { 27 + "lastModified": 1684127108, 28 + "narHash": "sha256-01bfuSY4gnshhtqA1EJCw2CMsKkAx+dHS+sEpQ2+EAQ=", 29 + "owner": "zhaofengli", 30 + "repo": "colmena", 31 + "rev": "5fdd743a11e7291bd8ac1e169d62ba6156c99be4", 32 + "type": "github" 33 + }, 34 + "original": { 35 + "owner": "zhaofengli", 36 + "ref": "release-0.4.x", 37 + "repo": "colmena", 38 + "type": "github" 39 + } 40 + }, 41 + "disko": { 42 + "inputs": { 43 + "nixpkgs": [ 44 + "nixpkgs" 45 + ] 46 + }, 47 + "locked": { 48 + "lastModified": 1769524058, 49 + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", 50 + "owner": "nix-community", 51 + "repo": "disko", 52 + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", 53 + "type": "github" 54 + }, 55 + "original": { 56 + "owner": "nix-community", 57 + "repo": "disko", 58 + "type": "github" 59 + } 60 + }, 61 + "flake-compat": { 62 + "flake": false, 63 + "locked": { 64 + "lastModified": 1650374568, 65 + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", 66 + "owner": "edolstra", 67 + "repo": "flake-compat", 68 + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", 69 + "type": "github" 70 + }, 71 + "original": { 72 + "owner": "edolstra", 73 + "repo": "flake-compat", 74 + "type": "github" 75 + } 76 + }, 77 + "flake-compat_2": { 78 + "flake": false, 79 + 
"locked": { 80 + "lastModified": 1751685974, 81 + "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=", 82 + "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1", 83 + "type": "tarball", 84 + "url": "https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz?rev=549f2762aebeff29a2e5ece7a7dc0f955281a1d1" 85 + }, 86 + "original": { 87 + "type": "tarball", 88 + "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz" 89 + } 90 + }, 91 + "flake-utils": { 92 + "locked": { 93 + "lastModified": 1659877975, 94 + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", 95 + "owner": "numtide", 96 + "repo": "flake-utils", 97 + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", 98 + "type": "github" 99 + }, 100 + "original": { 101 + "owner": "numtide", 102 + "repo": "flake-utils", 103 + "type": "github" 104 + } 105 + }, 106 + "flake-utils_2": { 107 + "inputs": { 108 + "systems": "systems" 109 + }, 110 + "locked": { 111 + "lastModified": 1731533236, 112 + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 113 + "owner": "numtide", 114 + "repo": "flake-utils", 115 + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", 116 + "type": "github" 117 + }, 118 + "original": { 119 + "owner": "numtide", 120 + "repo": "flake-utils", 121 + "type": "github" 122 + } 123 + }, 124 + "gomod2nix": { 125 + "inputs": { 126 + "flake-utils": "flake-utils_2", 127 + "nixpkgs": [ 128 + "tangled", 129 + "nixpkgs" 130 + ] 131 + }, 132 + "locked": { 133 + "lastModified": 1763982521, 134 + "narHash": "sha256-ur4QIAHwgFc0vXiaxn5No/FuZicxBr2p0gmT54xZkUQ=", 135 + "owner": "nix-community", 136 + "repo": "gomod2nix", 137 + "rev": "02e63a239d6eabd595db56852535992c898eba72", 138 + "type": "github" 139 + }, 140 + "original": { 141 + "owner": "nix-community", 142 + "repo": "gomod2nix", 143 + "type": "github" 144 + } 145 + }, 146 + "htmx-src": { 147 + "flake": false, 148 + "locked": { 149 + "narHash": 
"sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=", 150 + "type": "file", 151 + "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js" 152 + }, 153 + "original": { 154 + "type": "file", 155 + "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js" 156 + } 157 + }, 158 + "htmx-ws-src": { 159 + "flake": false, 160 + "locked": { 161 + "narHash": "sha256-2fg6KyEJoO24q0fQqbz9RMaYNPQrMwpZh29tkSqdqGY=", 162 + "type": "file", 163 + "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2" 164 + }, 165 + "original": { 166 + "type": "file", 167 + "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2" 168 + } 169 + }, 170 + "ibm-plex-mono-src": { 171 + "flake": false, 172 + "locked": { 173 + "lastModified": 1731402384, 174 + "narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=", 175 + "type": "tarball", 176 + "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip" 177 + }, 178 + "original": { 179 + "type": "tarball", 180 + "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip" 181 + } 182 + }, 183 + "indigo": { 184 + "flake": false, 185 + "locked": { 186 + "lastModified": 1753693716, 187 + "narHash": "sha256-DMIKnCJRODQXEHUxA+7mLzRALmnZhkkbHlFT2rCQYrE=", 188 + "owner": "oppiliappan", 189 + "repo": "indigo", 190 + "rev": "5f170569da9360f57add450a278d73538092d8ca", 191 + "type": "github" 192 + }, 193 + "original": { 194 + "owner": "oppiliappan", 195 + "repo": "indigo", 196 + "type": "github" 197 + } 198 + }, 199 + "inter-fonts-src": { 200 + "flake": false, 201 + "locked": { 202 + "lastModified": 1731687360, 203 + "narHash": "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=", 204 + "type": "tarball", 205 + "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip" 206 + }, 207 + "original": { 208 + "type": "tarball", 209 + "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip" 210 + } 211 + }, 212 + "lucide-src": { 213 + "flake": false, 214 + 
"locked": { 215 + "lastModified": 1754044466, 216 + "narHash": "sha256-+exBR2OToB1iv7ZQI2S4B0lXA/QRvC9n6U99UxGpJGs=", 217 + "type": "tarball", 218 + "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip" 219 + }, 220 + "original": { 221 + "type": "tarball", 222 + "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip" 223 + } 224 + }, 225 + "nixery-flake": { 226 + "flake": false, 227 + "locked": { 228 + "lastModified": 1762501370, 229 + "narHash": "sha256-WO2NvvFB3KkFfChE5F6ghog7mvBAVKpMsQMqwadZT4k=", 230 + "owner": "tazjin", 231 + "repo": "nixery", 232 + "rev": "be8a4005de3f27f95e677e7b61abef387d4a840d", 233 + "type": "github" 234 + }, 235 + "original": { 236 + "owner": "tazjin", 237 + "repo": "nixery", 238 + "type": "github" 239 + } 240 + }, 241 + "nixpkgs": { 242 + "locked": { 243 + "lastModified": 1683408522, 244 + "narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=", 245 + "owner": "NixOS", 246 + "repo": "nixpkgs", 247 + "rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7", 248 + "type": "github" 249 + }, 250 + "original": { 251 + "owner": "NixOS", 252 + "ref": "nixos-unstable", 253 + "repo": "nixpkgs", 254 + "type": "github" 255 + } 256 + }, 257 + "nixpkgs_2": { 258 + "locked": { 259 + "lastModified": 1770770419, 260 + "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=", 261 + "owner": "nixos", 262 + "repo": "nixpkgs", 263 + "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a", 264 + "type": "github" 265 + }, 266 + "original": { 267 + "owner": "nixos", 268 + "ref": "nixos-25.11", 269 + "repo": "nixpkgs", 270 + "type": "github" 271 + } 272 + }, 273 + "nixpkgs_3": { 274 + "locked": { 275 + "lastModified": 1766070988, 276 + "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=", 277 + "owner": "nixos", 278 + "repo": "nixpkgs", 279 + "rev": "c6245e83d836d0433170a16eb185cefe0572f8b8", 280 + "type": "github" 281 + }, 282 + "original": { 283 + "owner": 
"nixos", 284 + "ref": "nixos-unstable", 285 + "repo": "nixpkgs", 286 + "type": "github" 287 + } 288 + }, 289 + "root": { 290 + "inputs": { 291 + "colmena": "colmena", 292 + "disko": "disko", 293 + "nixery-flake": "nixery-flake", 294 + "nixpkgs": "nixpkgs_2", 295 + "tangled": "tangled" 296 + } 297 + }, 298 + "sqlite-lib-src": { 299 + "flake": false, 300 + "locked": { 301 + "lastModified": 1706631843, 302 + "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=", 303 + "type": "tarball", 304 + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" 305 + }, 306 + "original": { 307 + "type": "tarball", 308 + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" 309 + } 310 + }, 311 + "stable": { 312 + "locked": { 313 + "lastModified": 1669735802, 314 + "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", 315 + "owner": "NixOS", 316 + "repo": "nixpkgs", 317 + "rev": "731cc710aeebecbf45a258e977e8b68350549522", 318 + "type": "github" 319 + }, 320 + "original": { 321 + "owner": "NixOS", 322 + "ref": "nixos-22.11", 323 + "repo": "nixpkgs", 324 + "type": "github" 325 + } 326 + }, 327 + "systems": { 328 + "locked": { 329 + "lastModified": 1681028828, 330 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 331 + "owner": "nix-systems", 332 + "repo": "default", 333 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 334 + "type": "github" 335 + }, 336 + "original": { 337 + "owner": "nix-systems", 338 + "repo": "default", 339 + "type": "github" 340 + } 341 + }, 342 + "tangled": { 343 + "inputs": { 344 + "actor-typeahead-src": "actor-typeahead-src", 345 + "flake-compat": "flake-compat_2", 346 + "gomod2nix": "gomod2nix", 347 + "htmx-src": "htmx-src", 348 + "htmx-ws-src": "htmx-ws-src", 349 + "ibm-plex-mono-src": "ibm-plex-mono-src", 350 + "indigo": "indigo", 351 + "inter-fonts-src": "inter-fonts-src", 352 + "lucide-src": "lucide-src", 353 + "nixpkgs": "nixpkgs_3", 354 + "sqlite-lib-src": "sqlite-lib-src" 355 + }, 356 + 
"locked": { 357 + "lastModified": 1770998198, 358 + "narHash": "sha256-tlOJXBiJ2Az701a5SXpFdfz8d4QcyoRe7f/L6z0OMJo=", 359 + "ref": "refs/heads/master", 360 + "rev": "2c65fbc9ccbc60851da549afd88113b1f6ad55d4", 361 + "revCount": 1948, 362 + "type": "git", 363 + "url": "https://tangled.org/tangled.org/core" 364 + }, 365 + "original": { 366 + "type": "git", 367 + "url": "https://tangled.org/tangled.org/core" 368 + } 369 + } 370 + }, 371 + "root": "root", 372 + "version": 7 373 + }
+93
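--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,93 @@
+{
+description = "nix infra for malpercio.dev";
+
+inputs = {
+nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+tangled.url = "git+https://tangled.org/tangled.org/core";
+colmena.url = "github:zhaofengli/colmena/release-0.4.x";
+disko = {
+url = "github:nix-community/disko";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+nixery-flake = {
+type = "github";
+owner = "tazjin";
+repo = "nixery";
+flake = false;
+};
+};
+
+outputs = { nixpkgs, disko, colmena, nixery-flake, tangled, ... }:
+let
+system = "x86_64-linux";
+commonArgs = import ./common/ssh.nix;
+
+# Helper function to create nixosConfiguration
+mkHost = hostname: extraModules:
+nixpkgs.lib.nixosSystem {
+inherit system;
+specialArgs = { inherit commonArgs; };
+modules = [
+disko.nixosModules.disko
+./hosts/${hostname}/configuration.nix
+] ++ extraModules;
+};
+
+# Helper function to create colmena host
+mkColmenaHost = hostname: targetHost: targetPort: extraModules:
+{
+deployment = {
+inherit targetHost;
+inherit targetPort;
+targetUser = "hylia";
+buildOnTarget = true;
+};
+boot.isContainer = nixpkgs.lib.mkDefault true;
+nixpkgs.system = system;
+time.timeZone = "America/New_York";
+imports = [
+disko.nixosModules.disko
+./hosts/${hostname}/configuration.nix
+] ++ extraModules;
+};
+
+# Host configurations
+hosts = {
+tangled = {
+modules = [
+tangled.nixosModules.knot
+./hosts/tangled/services/knot.nix
+./hosts/tangled/services/nginx.nix
+./hosts/tangled/services/cloudflared.nix
+];
+target = "10.0.0.41";
+};
+};
+in
+{
+# nixos-anywhere and nixos-rebuild use these
+nixosConfigurations = {
+tangled = mkHost "tangled" hosts.tangled.modules;
+};
+
+# colmena uses this
+colmenaHive = colmena.lib.makeHive {
+meta = {
+nixpkgs = nixpkgs.legacyPackages.${system};
+specialArgs = {
+inherit commonArgs;
+nixery-pkgs = import nixery-flake.outPath {
+pkgs = import nixpkgs { inherit system; };
+};
+tangled-pkgs = tangled.packages.x86_64-linux;
+};
+};
+
+defaults = { pkgs, ... }: {
+environment.systemPackages = [ pkgs.curl ];
+};
+
+tangled = mkColmenaHost "tangled" hosts.tangled.target 22 hosts.tangled.modules;
+};
+};
+}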
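Review bot: `tangled-pkgs = tangled.packages.x86_64-linux;` in the `colmenaHive` `specialArgs` hard-codes the platform although `system` is bound in the `let` above and used everywhere else in `outputs`. Writing it as `tangled-pkgs = tangled.packages.${system};` keeps the package set and the host platform from drifting apart if `system` ever changes. The adjacent `pkgs = import nixpkgs { inherit system; };` also instantiates nixpkgs a second time next to `nixpkgs.legacyPackages.${system}`; that looks avoidable, but confirm nixery accepts the shared set before changing it.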
+95
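--- a/hosts/tangled/configuration.nix
+++ b/hosts/tangled/configuration.nix
@@ -0,0 +1,95 @@
+{ config, pkgs, modulesPath, lib, system, ... } @ args:
+
+{
+imports = [
+(modulesPath + "/virtualisation/proxmox-lxc.nix")
+];
+
+config = {
+#Provide a default hostname
+networking.hostName = "tangled";
+networking.useDHCP = lib.mkDefault true;
+
+# Enable QEMU Guest for Proxmox
+services.qemuGuest.enable = true;
+
+nix.settings = { sandbox = false; };
+proxmoxLXC = {
+manageNetwork = false;
+privileged = true;
+};
+services.fstrim.enable = false;
+
+# Allow remote updates with flakes and non-root users
+nix.settings.trusted-users = [ "root" "@wheel" ];
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+# Enable mDNS for `hostname.local` addresses
+services.avahi.enable = true;
+services.avahi.nssmdns4 = true;
+services.avahi.publish = {
+enable = true;
+addresses = true;
+};
+
+# Some sane packages we need on every system
+environment.systemPackages = with pkgs; [
+cloudflared
+nano # for emergencies
+git # for pulling nix flakes
+python3 # for ansible
+];
+
+# Don't ask for passwords
+security.sudo.wheelNeedsPassword = false;
+security.pam.services.sshd.allowNullPassword = true;
+
+# Enable ssh
+services.openssh = {
+enable = true;
+openFirewall = true;
+settings.PermitRootLogin = "yes";
+settings.PasswordAuthentication = true;
+settings.PermitEmptyPasswords = "yes";
+settings.KbdInteractiveAuthentication = false;
+settings.Macs = [
+# Current defaults:
+"hmac-sha2-512-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"umac-128-etm@openssh.com"
+# Added:
+"hmac-sha2-256"
+];
+};
+programs.ssh.startAgent = true;
+
+services.resolved = {
+extraConfig = ''
+Cache=true
+CacheFromLocalhost=true
+'';
+};
+
+# Add an admin user
+users.users.hylia = {
+isNormalUser = true;
+description = "hylia";
+extraGroups = [ "networkmanager" "wheel" "docker" ];
+openssh.authorizedKeys.keys = args.commonArgs.sshKeys;
+};
+
+security.sudo.extraRules = [
+{
+users = [ "hylia" ];
+commands = [
+{
+command = "ALL";
+options = [ "NOPASSWD" ];
+}
+];
+}
+];
+
+system.stateVersion = "25.11";
+};
+}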
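Review bot: The `services.openssh` block combined with `security.pam.services.sshd.allowNullPassword = true;` permits SSH logins with an empty password, root included, on a port that `openFirewall = true` exposes. The `hylia` user already receives `openssh.authorizedKeys.keys` and is the `targetUser` for deployment, so key authentication appears sufficient. I would set `settings.PasswordAuthentication = false;`, `settings.PermitEmptyPasswords = "no";` and `settings.PermitRootLogin = "no";`, and delete the PAM line. The exposure matters more than usual because this same file makes the container privileged (`proxmoxLXC.privileged = true`), turns off the Nix sandbox and grants `hylia` passwordless sudo, so any successful login is likely equivalent to root on the guest.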
+14
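--- a/hosts/tangled/services/cloudflared.nix
+++ b/hosts/tangled/services/cloudflared.nix
@@ -0,0 +1,14 @@
+{
+services.cloudflared = {
+enable = true;
+tunnels = {
+"b2aa87d0-94b1-4650-8bbb-b97000315a3f" = {
+credentialsFile = "/home/hylia/.cloudflared/b2aa87d0-94b1-4650-8bbb-b97000315a3f.json";
+ingress = {
+"knot.malpercio.dev" = "http://127.0.0.1:80";
+};
+default = "http_status:404";
+};
+};
+};
+}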
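Review bot: `credentialsFile` points into `/home/hylia/.cloudflared/`, so the tunnel credential is a hand-placed file in the interactive admin user's home directory rather than something provisioned with the system. Whoever can read that file can run the tunnel for `knot.malpercio.dev`, and whether the cloudflared service account can read it at all depends on ownership and mode bits that this commit does not show. Consider a root-owned location readable only by the service, for example `credentialsFile = "/path/to/service-only/<tunnel-id>.json";` (placeholder path). The ignored `secrets/` directory is presumably meant for this kind of material, and a comment here naming how the file gets onto the host would help the next deployer.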
+11
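--- a/hosts/tangled/services/knot.nix
+++ b/hosts/tangled/services/knot.nix
@@ -0,0 +1,11 @@
+{
+services.tangled.knot = {
+enable = true;
+stateDir = "/home/git";
+server = {
+listenAddr = "127.0.0.1:5555";
+owner = "did:web:malpercio.dev";
+hostname = "knot.malpercio.dev";
+};
+};
+}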
+29
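--- a/hosts/tangled/services/nginx.nix
+++ b/hosts/tangled/services/nginx.nix
@@ -0,0 +1,29 @@
+{
+services.nginx = {
+enable = true;
+virtualHosts = {
+"knot.malpercio.dev" = {
+locations."/" = {
+proxyPass = "http://127.0.0.1:5555";
+
+extraConfig = ''
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+'';
+};
+locations."/events" = {
+proxyPass = "http://127.0.0.1:5555";
+extraConfig = ''
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+'';
+};
+};
+};
+};
+networking.firewall.allowedTCPPorts = [ 80 ];
+}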
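Review bot: `networking.firewall.allowedTCPPorts = [ 80 ];` opens the plain-HTTP proxy to the whole network, although the only consumer visible in this commit, the cloudflared ingress, connects to `http://127.0.0.1:80`. Any machine that can reach the host directly can then talk to the knot without passing through the tunnel, over an unencrypted connection. If the tunnel is the intended entry point, drop that line and bind the virtual host to loopback with `listen = [ { addr = "127.0.0.1"; port = 80; } ];`. If LAN access is intended, a comment saying so next to the firewall line would make the exposure deliberate rather than accidental.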