Upgrade to 23.05

This commit is contained in:
Amanda Graven 2023-06-17 12:22:58 +02:00
parent c0e5c26ae9
commit e21bba4363
Signed by: amanda
GPG key ID: F747582C5608F4CB
8 changed files with 89 additions and 85 deletions


@ -2,13 +2,15 @@
{ {
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
kbdInteractiveAuthentication = false;
hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ]; hostKeys = [ { path = config.secrets.files.ssh_host_ed25519_key.file; type = "ed25519"; } ];
kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ]; settings = {
macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; KexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
PermitRootLogin = "no";
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
};
}; };
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
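Review bot: The `Macs` list carried into the new `settings` block lists `"hmac-sha2-512-etm@openssh.com"` twice and no second distinct algorithm, which looks like a typo rather than intent. sshd will most likely accept the repeated name silently, so the effective MAC set is just the two distinct entries, and nothing flags the mistake. If the second entry was meant to be `hmac-sha2-256-etm@openssh.com`, spell it out; otherwise drop the duplicate, e.g. `Macs = [ "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];`. The attribute set continues past the hunk, so any `Ciphers` setting that may live outside it is not visible here.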


@ -20,9 +20,8 @@
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/vda"; boot.loader.grub.device = "/dev/vda";
boot.kernelPackages = pkgs.linuxPackages_5_10; boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
networking = { networking = {
hostName = "grondahl"; hostName = "grondahl";
useDHCP = false; useDHCP = false;
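Review bot: `boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;` replaces an explicit `pkgs.linuxPackages_5_10` pin, so the kernel a host boots is now chosen implicitly by whatever ZFS package the pinned nixpkgs ships, and a future `sources.json` bump can change the kernel without any diff in this file. The same substitution appears in the two other host configurations in this commit (the hunks ending before the next two file sections). A short comment would keep that visible to whoever reviews the next upgrade, e.g. `# Kernel is picked by the pinned nixpkgs' ZFS package; verify the resulting kernel after each sources.json bump`. If memory serves, upstream later discouraged this attribute, so expect to revisit the line on a subsequent release upgrade.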


@ -17,8 +17,8 @@
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.supportedFilesystems = ["zfs"]; boot.supportedFilesystems = ["zfs"];
services.zfs.autoSnapshot.enable = false; services.zfs.autoSnapshot.enable = false;


@ -6,7 +6,7 @@
enableBrokenCiphersForSSE = false; enableBrokenCiphersForSSE = false;
hostName = "cloud.graven.dev"; hostName = "cloud.graven.dev";
https = true; https = true;
package = pkgs.nextcloud25; package = pkgs.nextcloud26;
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
maxUploadSize = "10G"; maxUploadSize = "10G";
webfinger = true; webfinger = true;


@ -1,8 +1,8 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../common/services/ssh.nix ../../common/services/ssh.nix
../../common/services/tailscale.nix ../../common/services/tailscale.nix
../../common/users.nix ../../common/users.nix
@ -22,9 +22,8 @@
]; ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
boot.kernelPackages = pkgs.linuxPackages_5_10; boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.supportedFilesystems = ["zfs"]; boot.supportedFilesystems = ["zfs"];
services.zfs.autoSnapshot.enable = false; services.zfs.autoSnapshot.enable = false;
services.zfs.autoScrub.enable = true; services.zfs.autoScrub.enable = true;
@ -40,7 +39,7 @@
users.users.deploy-web = { users.users.deploy-web = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "nginx" ]; extraGroups = [ "nginx" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk4m1uJzxd7pDmMZgnZxqD6lEIfVPf+I4tKPo0jJJrK deploy@drone.data.coop"
]; ];
}; };


@ -5,10 +5,10 @@
"homepage": "https://github.com/nmattia/niv", "homepage": "https://github.com/nmattia/niv",
"owner": "nmattia", "owner": "nmattia",
"repo": "niv", "repo": "niv",
"rev": "689d0e5539eddd0b0f566aee7bb18629eee7df74", "rev": "0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef",
"sha256": "1rld3lk42l6b01f2gcrhq8qm9vry1awmfl29zmpiqda9dy89vbx0", "sha256": "0wpnk1n4vjyqwjjrm6dvkyh7xr7983rszfhfcg31v106qhfnh41c",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nmattia/niv/archive/689d0e5539eddd0b0f566aee7bb18629eee7df74.tar.gz", "url": "https://github.com/nmattia/niv/archive/0ebb80e003c26d5388a9b74645fbdcfca3bdd0ef.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixos-hardware": { "nixos-hardware": {
@ -17,22 +17,22 @@
"homepage": "", "homepage": "",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "d24ea777c57b69c6b143cf11d83184ef71b0dbbf", "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
"sha256": "0hzjm3jvaplm9vrsmnc7ir6jpnf1hnchmm7f2m8r5rwgxkqvpkgg", "sha256": "05a5cfxy9qzb6qq5jrkb65zasa0cmvsym592amjx9sbn7m8858ka",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixos-hardware/archive/d24ea777c57b69c6b143cf11d83184ef71b0dbbf.tar.gz", "url": "https://github.com/NixOS/nixos-hardware/archive/429f232fe1dc398c5afea19a51aad6931ee0fb89.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixpkgs": { "nixpkgs": {
"branch": "release-22.11", "branch": "release-23.05",
"description": "Nix Packages collection", "description": "Nix Packages collection",
"homepage": "", "homepage": "",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a7af1abd95b89782e24fd7f7b0fb1f12972785cd", "rev": "083cb1a04d196e35b9c8293a379266c854e284c1",
"sha256": "0g8vwn18n9vr14jpv1kd0a8qqdmhx47arjcf196x0ki5rqgvkpb5", "sha256": "0fl9cq9h8i0dc50b1h0snmmcb3vsxz4d14jzsjw4ixfd2bm4dl0n",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a7af1abd95b89782e24fd7f7b0fb1f12972785cd.tar.gz", "url": "https://github.com/NixOS/nixpkgs/archive/083cb1a04d196e35b9c8293a379266c854e284c1.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"nixus": { "nixus": {
@ -41,10 +41,10 @@
"homepage": "", "homepage": "",
"owner": "Infinisil", "owner": "Infinisil",
"repo": "nixus", "repo": "nixus",
"rev": "9ff2a3923f733849100f99102b57a0d6c7240f2e", "rev": "d8c3e403978da7b11a5dea1d9e8fd4f918668fdd",
"sha256": "1a2dhfrckhv94j4m3q42va1z5k21qk5s25s3m1qj3gkqyxvpilc5", "sha256": "1k145w7yxiwg337hki4vwc398q94j7smhy7bs2j91jahcxy8fb2x",
"type": "tarball", "type": "tarball",
"url": "https://github.com/Infinisil/nixus/archive/9ff2a3923f733849100f99102b57a0d6c7240f2e.tar.gz", "url": "https://github.com/Infinisil/nixus/archive/d8c3e403978da7b11a5dea1d9e8fd4f918668fdd.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
} }
} }


@ -10,33 +10,34 @@ let
let let
name' = sanitizeName name + "-src"; name' = sanitizeName name + "-src";
in in
if spec.builtin or true then if spec.builtin or true then
builtins_fetchurl { inherit (spec) url sha256; name = name'; } builtins_fetchurl { inherit (spec) url sha256; name = name'; }
else else
pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
fetch_tarball = pkgs: name: spec: fetch_tarball = pkgs: name: spec:
let let
name' = sanitizeName name + "-src"; name' = sanitizeName name + "-src";
in in
if spec.builtin or true then if spec.builtin or true then
builtins_fetchTarball { name = name'; inherit (spec) url sha256; } builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
else else
pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
fetch_git = name: spec: fetch_git = name: spec:
let let
ref = ref =
if spec ? ref then spec.ref else spec.ref or (
if spec ? branch then "refs/heads/${spec.branch}" else if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
submodules = if spec ? submodules then spec.submodules else false; );
submodules = spec.submodules or false;
submoduleArg = submoduleArg =
let let
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
emptyArgWithWarning = emptyArgWithWarning =
if submodules == true if submodules
then then
builtins.trace builtins.trace
( (
@ -44,15 +45,15 @@ let
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ "does not support them" + "does not support them"
) )
{} { }
else {}; else { };
in in
if nixSupportsSubmodules if nixSupportsSubmodules
then { inherit submodules; } then { inherit submodules; }
else emptyArgWithWarning; else emptyArgWithWarning;
in in
builtins.fetchGit builtins.fetchGit
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
fetch_local = spec: spec.path; fetch_local = spec: spec.path;
@ -86,16 +87,16 @@ let
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.; hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in in
if builtins.hasAttr "nixpkgs" sources if builtins.hasAttr "nixpkgs" sources
then sourcesNixpkgs then sourcesNixpkgs
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
import <nixpkgs> {} import <nixpkgs> { }
else else
abort abort
'' ''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json. add a package called "nixpkgs" to your sources.json.
''; '';
# The actual fetching function. # The actual fetching function.
fetch = pkgs: name: spec: fetch = pkgs: name: spec:
@ -115,13 +116,13 @@ let
# the path directly as opposed to the fetched source. # the path directly as opposed to the fetched source.
replace = name: drv: replace = name: drv:
let let
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in in
if ersatz == "" then drv else if ersatz == "" then drv else
# this turns the string into an actual Nix path (for both absolute and # this turns the string into an actual Nix path (for both absolute and
# relative paths) # relative paths)
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions # Ports of functions for older nix versions
@ -132,7 +133,7 @@ let
); );
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
@ -143,43 +144,46 @@ let
concatStrings = builtins.concatStringsSep ""; concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as: if cond then as else {}; optionalAttrs = cond: as: if cond then as else { };
# fetchTarball version that is compatible between all the versions of Nix # fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = { url, name ? null, sha256 }@attrs: builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
let let
inherit (builtins) lessThan nixVersion fetchTarball; inherit (builtins) lessThan nixVersion fetchTarball;
in in
if lessThan nixVersion "1.12" then if lessThan nixVersion "1.12" then
fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
else else
fetchTarball attrs; fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix # fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = { url, name ? null, sha256 }@attrs: builtins_fetchurl = { url, name ? null, sha256 }@attrs:
let let
inherit (builtins) lessThan nixVersion fetchurl; inherit (builtins) lessThan nixVersion fetchurl;
in in
if lessThan nixVersion "1.12" then if lessThan nixVersion "1.12" then
fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
else else
fetchurl attrs; fetchurl attrs;
# Create the final "sources" from the config # Create the final "sources" from the config
mkSources = config: mkSources = config:
mapAttrs ( mapAttrs
name: spec: (
if builtins.hasAttr "outPath" spec name: spec:
then abort if builtins.hasAttr "outPath" spec
"The values in sources.json should not have an 'outPath' attribute" then
else abort
spec // { outPath = replace name (fetch config.pkgs name spec); } "The values in sources.json should not have an 'outPath' attribute"
) config.sources; else
spec // { outPath = replace name (fetch config.pkgs name spec); }
)
config.sources;
# The "config" used by the fetchers # The "config" used by the fetchers
mkConfig = mkConfig =
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
, sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
, system ? builtins.currentSystem , system ? builtins.currentSystem
, pkgs ? mkPkgs sources system , pkgs ? mkPkgs sources system
}: rec { }: rec {
@ -191,4 +195,4 @@ let
}; };
in in
mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }


@ -13,21 +13,21 @@ in import "${sources.nixus}" {} ({ config, ... }: {
nodes = { nodes = {
wind = { lib, config, ... }: { wind = { lib, config, ... }: {
host = "emelie@graven.dev"; host = "graven.dev";
configuration = ../config/hosts/wind/configuration.nix; configuration = ../config/hosts/wind/configuration.nix;
switchTimeout = 300; switchTimeout = 300;
successTimeout = 300; successTimeout = 300;
ignoreFailingSystemdUnits = true; ignoreFailingSystemdUnits = true;
}; };
grondahl = { lib, config, ... }: { grondahl = { lib, config, ... }: {
host = "emelie@anarkafem.dev"; host = "anarkafem.dev";
configuration = ../config/hosts/grondahl/configuration.nix; configuration = ../config/hosts/grondahl/configuration.nix;
successTimeout = 300; successTimeout = 300;
switchTimeout = 300; switchTimeout = 300;
ignoreFailingSystemdUnits = true; ignoreFailingSystemdUnits = true;
}; };
rudiger = { lib, config, ... }: { rudiger = { lib, config, ... }: {
host = "emelie@cloud.graven.dev"; host = "cloud.graven.dev";
configuration = ../config/hosts/rudiger/configuration.nix; configuration = ../config/hosts/rudiger/configuration.nix;
switchTimeout = 300; switchTimeout = 300;
successTimeout = 300; successTimeout = 300;