From e21bba436331e08407375231c2238dd3a82e54e6 Mon Sep 17 00:00:00 2001
From: Amanda Graven
Date: Sat, 17 Jun 2023 12:22:58 +0200
Subject: [PATCH] Upgrade to 23.05
---
 config/common/services/ssh.nix | 12 ++-
 config/hosts/grondahl/configuration.nix | 3 +-
 config/hosts/rudiger/configuration.nix | 2 +-
 config/hosts/rudiger/services/nextcloud.nix | 2 +-
 config/hosts/wind/configuration.nix | 9 +-
 config/sources/nix/sources.json | 26 ++---
 config/sources/nix/sources.nix | 114 ++++++++++----------
 deploy/default.nix | 6 +-
 8 files changed, 89 insertions(+), 85 deletions(-)
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index 60dceee..6beb49c 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
@@ -2,13 +2,15 @@
 {
 services.openssh = {
 enable = true;
- permitRootLogin = "no";
- passwordAuthentication = false;
- kbdInteractiveAuthentication = false;
 hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
- kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
- macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ settings = {
+ KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ PermitRootLogin = "no";
+ KbdInteractiveAuthentication = false;
+ PasswordAuthentication = false;
+ };
 };
 programs.ssh.knownHosts = {
diff --git a/config/hosts/grondahl/configuration.nix b/config/hosts/grondahl/configuration.nix
index c693a9f..d260eca 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/config/hosts/grondahl/configuration.nix
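Review bot: The new `Macs` line lists `"hmac-sha2-512-etm@openssh.com"` twice, a duplicate inherited from the removed `macs` line; sshd accepts it, but it reads as if a second MAC was meant, so either drop the repeat — `Macs = [ "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];` — or substitute the algorithm that was intended. Moving these options under `settings` is the natural moment to clean this up. The rest of the migration preserves the old values (`PermitRootLogin = "no"`, password and keyboard-interactive authentication off), and `KexAlgorithms` is fine as written: `curve25519-sha256@libssh.org` is the pre-standardisation alias of `curve25519-sha256`, so listing both keeps older clients working.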
@@ -20,9 +20,8 @@
 ];
 boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/vda";
- boot.kernelPackages = pkgs.linuxPackages_5_10;
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 networking = {
 hostName = "grondahl";
 useDHCP = false;
diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix
index 0b7f6f5..ba07653 100644
--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@@ -17,8 +17,8 @@
 ];
 boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/sda";
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 boot.supportedFilesystems = ["zfs"];
 services.zfs.autoSnapshot.enable = false;
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix
index f8e7e92..8c2a635 100644
--- a/config/hosts/rudiger/services/nextcloud.nix
+++ b/config/hosts/rudiger/services/nextcloud.nix
@@ -6,7 +6,7 @@
 enableBrokenCiphersForSSE = false;
 hostName = "cloud.graven.dev";
 https = true;
- package = pkgs.nextcloud25;
+ package = pkgs.nextcloud26;
 autoUpdateApps.enable = true;
 maxUploadSize = "10G";
 webfinger = true;
diff --git a/config/hosts/wind/configuration.nix b/config/hosts/wind/configuration.nix
index a7c83f7..094c57d 100644
--- a/config/hosts/wind/configuration.nix
+++ b/config/hosts/wind/configuration.nix
@@ -1,8 +1,8 @@
 { config, pkgs, lib, ... }:
 {
- imports = [
- ./hardware-configuration.nix
+ imports = [
+ ./hardware-configuration.nix
 ../../common/services/ssh.nix
 ../../common/services/tailscale.nix
 ../../common/users.nix
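Review bot: `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` swaps a pinned LTS series (`pkgs.linuxPackages_5_10`) for whatever newest kernel the ZFS module currently builds against, so kernel major bumps now arrive implicitly with nixpkgs updates and may land on a non-LTS series; the same line appears in the rudiger hunk (where no explicit kernel was set before) and in wind's `@@ -22,9 +22,8 @@` hunk. That trade-off deserves a comment on the line, e.g. `# Track the newest kernel the ZFS module supports; replaces the 5.10 LTS pin used before 23.05.`, so a future reader knows the float is deliberate. For grondahl no `boot.supportedFilesystems = ["zfs"]` is visible in this hunk, unlike rudiger and wind; if the host does not actually use ZFS, tying its kernel to the ZFS package is incidental and `pkgs.linuxPackages` would state the intent more directly.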
@@ -22,9 +22,8 @@
 ];
 boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
 boot.loader.grub.device = "/dev/sda";
- boot.kernelPackages = pkgs.linuxPackages_5_10;
+ boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
 boot.supportedFilesystems = ["zfs"];
 services.zfs.autoSnapshot.enable = false;
 services.zfs.autoScrub.enable = true;
@@ -40,7 +39,7 @@
 users.users.deploy-web = {
 isNormalUser = true;
 extraGroups = [ "nginx" ];
- openssh.authorizedKeys.keys = [
+ openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
 ];
 };
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 440f106..fe11bbb 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "689d0e5539eddd0b0f566aee7bb18629eee7df74",
- "sha256": "1rld3lk42l6b01f2gcrhq8qm9vry1awmfl29zmpiqda9dy89vbx0",
+ "rev": "0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef",
+ "sha256": "0wpnk1n4vjyqwjjrm6dvkyh7xr7983rszfhfcg31v106qhfnh41c",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/689d0e5539eddd0b0f566aee7bb18629eee7df74.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
@@ -17,22 +17,22 @@
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "d24ea777c57b69c6b143cf11d83184ef71b0dbbf",
- "sha256": "0hzjm3jvaplm9vrsmnc7ir6jpnf1hnchmm7f2m8r5rwgxkqvpkgg",
+ "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
+ "sha256": "05a5cfxy9qzb6qq5jrkb65zasa0cmvsym592amjx9sbn7m8858ka",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixos-hardware/archive/d24ea777c57b69c6b143cf11d83184ef71b0dbbf.tar.gz",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/429f232fe1dc398c5afea19a51aad6931ee0fb89.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "release-22.11",
+ "branch": "release-23.05",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a7af1abd95b89782e24fd7f7b0fb1f12972785cd",
- "sha256": "0g8vwn18n9vr14jpv1kd0a8qqdmhx47arjcf196x0ki5rqgvkpb5",
+ "rev": "083cb1a04d196e35b9c8293a379266c854e284c1",
+ "sha256": "0fl9cq9h8i0dc50b1h0snmmcb3vsxz4d14jzsjw4ixfd2bm4dl0n",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/a7af1abd95b89782e24fd7f7b0fb1f12972785cd.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/083cb1a04d196e35b9c8293a379266c854e284c1.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "Infinisil",
 "repo": "nixus",
- "rev": "9ff2a3923f733849100f99102b57a0d6c7240f2e",
- "sha256": "1a2dhfrckhv94j4m3q42va1z5k21qk5s25s3m1qj3gkqyxvpilc5",
+ "rev": "d8c3e403978da7b11a5dea1d9e8fd4f918668fdd",
+ "sha256": "1k145w7yxiwg337hki4vwc398q94j7smhy7bs2j91jahcxy8fb2x",
 "type": "tarball",
- "url": "https://github.com/Infinisil/nixus/archive/9ff2a3923f733849100f99102b57a0d6c7240f2e.tar.gz",
+ "url": "https://github.com/Infinisil/nixus/archive/d8c3e403978da7b11a5dea1d9e8fd4f918668fdd.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }
diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix
index 9a01c8a..fe3dadf 100644
--- a/config/sources/nix/sources.nix
+++ b/config/sources/nix/sources.nix
@@ -10,33 +10,34 @@ let
 let
 name' = sanitizeName name + "-src";
 in
- if spec.builtin or true then
- builtins_fetchurl { inherit (spec) url sha256; name = name'; }
- else
- pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+ if spec.builtin or true then
+ builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+ else
+ pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
 fetch_tarball = pkgs: name: spec:
 let
 name' = sanitizeName name + "-src";
 in
- if spec.builtin or true then
- builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
- else
- pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+ if spec.builtin or true then
+ builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+ else
+ pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
 fetch_git = name: spec:
 let
 ref =
- if spec ? ref then spec.ref else
+ spec.ref or (
 if spec ? branch then "refs/heads/${spec.branch}" else
- if spec ? tag then "refs/tags/${spec.tag}" else
- abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
- submodules = if spec ? submodules then spec.submodules else false;
+ if spec ? tag then "refs/tags/${spec.tag}" else
+ abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
+ );
+ submodules = spec.submodules or false;
 submoduleArg =
 let
 nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
 emptyArgWithWarning =
- if submodules == true
+ if submodules
 then
 builtins.trace
 (
@@ -44,15 +45,15 @@ let
 + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
 + "does not support them"
 )
- {}
- else {};
+ { }
+ else { };
 in
- if nixSupportsSubmodules
- then { inherit submodules; }
- else emptyArgWithWarning;
+ if nixSupportsSubmodules
+ then { inherit submodules; }
+ else emptyArgWithWarning;
 in
- builtins.fetchGit
- ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
+ builtins.fetchGit
+ ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
 fetch_local = spec: spec.path;
@@ -86,16 +87,16 @@ let
 hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
 hasThisAsNixpkgsPath = == ./.;
 in
- if builtins.hasAttr "nixpkgs" sources
- then sourcesNixpkgs
- else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
- import {}
- else
- abort
- ''
- Please specify either (through -I or NIX_PATH=nixpkgs=...) or
- add a package called "nixpkgs" to your sources.json.
- '';
+ if builtins.hasAttr "nixpkgs" sources
+ then sourcesNixpkgs
+ else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+ import { }
+ else
+ abort
+ ''
+ Please specify either (through -I or NIX_PATH=nixpkgs=...) or
+ add a package called "nixpkgs" to your sources.json.
+ '';
 # The actual fetching function.
 fetch = pkgs: name: spec:
@@ -115,13 +116,13 @@ let
 # the path directly as opposed to the fetched source.
 replace = name: drv:
 let
- saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
+ saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
 ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
 in
- if ersatz == "" then drv else
- # this turns the string into an actual Nix path (for both absolute and
- # relative paths)
- if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+ if ersatz == "" then drv else
+ # this turns the string into an actual Nix path (for both absolute and
+ # relative paths)
+ if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
 # Ports of functions for older nix versions
@@ -132,7 +133,7 @@ let
 );
 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
- range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
+ range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
 stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
@@ -143,43 +144,46 @@ let
 concatStrings = builtins.concatStringsSep "";
 # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
- optionalAttrs = cond: as: if cond then as else {};
+ optionalAttrs = cond: as: if cond then as else { };
 # fetchTarball version that is compatible between all the versions of Nix
 builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
 let
 inherit (builtins) lessThan nixVersion fetchTarball;
 in
- if lessThan nixVersion "1.12" then
- fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
- else
- fetchTarball attrs;
+ if lessThan nixVersion "1.12" then
+ fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
+ else
+ fetchTarball attrs;
 # fetchurl version that is compatible between all the versions of Nix
 builtins_fetchurl = { url, name ? null, sha256 }@attrs:
 let
 inherit (builtins) lessThan nixVersion fetchurl;
 in
- if lessThan nixVersion "1.12" then
- fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
- else
- fetchurl attrs;
+ if lessThan nixVersion "1.12" then
+ fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
+ else
+ fetchurl attrs;
 # Create the final "sources" from the config
 mkSources = config:
- mapAttrs (
- name: spec:
- if builtins.hasAttr "outPath" spec
- then abort
- "The values in sources.json should not have an 'outPath' attribute"
- else
- spec // { outPath = replace name (fetch config.pkgs name spec); }
- ) config.sources;
+ mapAttrs
+ (
+ name: spec:
+ if builtins.hasAttr "outPath" spec
+ then
+ abort
+ "The values in sources.json should not have an 'outPath' attribute"
+ else
+ spec // { outPath = replace name (fetch config.pkgs name spec); }
+ )
+ config.sources;
 # The "config" used by the fetchers
 mkConfig =
 { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
- , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+ , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
 , system ? builtins.currentSystem
 , pkgs ? mkPkgs sources system
 }: rec {
@@ -191,4 +195,4 @@ let
 };
 in
-mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
+mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }
diff --git a/deploy/default.nix b/deploy/default.nix
index ee07e2e..023444f 100644
--- a/deploy/default.nix
+++ b/deploy/default.nix
@@ -13,21 +13,21 @@ in
 import "${sources.nixus}" {} ({ config, ... }: {
 nodes = {
 wind = { lib, config, ... }: {
- host = "emelie@graven.dev";
+ host = "graven.dev";
 configuration = ../config/hosts/wind/configuration.nix;
 switchTimeout = 300;
 successTimeout = 300;
 ignoreFailingSystemdUnits = true;
 };
 grondahl = { lib, config, ... }: {
- host = "emelie@anarkafem.dev";
+ host = "anarkafem.dev";
 configuration = ../config/hosts/grondahl/configuration.nix;
 successTimeout = 300;
 switchTimeout = 300;
 ignoreFailingSystemdUnits = true;
 };
 rudiger = { lib, config, ... }: {
- host = "emelie@cloud.graven.dev";
+ host = "cloud.graven.dev";
 configuration = ../config/hosts/rudiger/configuration.nix;
 switchTimeout = 300;
 successTimeout = 300;
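Review bot: Dropping `emelie@` from the three `host` values (`host = "graven.dev";`, `host = "anarkafem.dev";`, `host = "cloud.graven.dev";`) makes the SSH login user implicit, so the deploy now depends on the operator's `~/.ssh/config` or local username rather than on this file; with `PermitRootLogin = "no"` in the ssh.nix hunk, a default of root is refused outright, and any other mismatch either fails or lands on an account that was not meant to deploy. If the user is intentionally supplied by ssh_config, record that next to `nodes = {`, e.g. `# The SSH user for every node comes from the deployer's ssh_config; sshd on these hosts rejects root logins.`, so nobody re-adds a hard-coded user or chases a refused login later.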