diff --git a/flake.lock b/flake.lock index 15d838a..aeab7de 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ ] }, "locked": { - "lastModified": 1627835028, - "narHash": "sha256-LHTdNog+0EmRn+4DIz451vvQ2EeC8KwyV3/8JpX9yiw=", + "lastModified": 1701527050, + "narHash": "sha256-EphJZX+rhnzUUladmeXvmYHILftHLV5i1sD18pGbxHY=", "ref": "refs/heads/master", - "rev": "7fc3d5019c907566abbad8f84ba9555a5786bd01", - "revCount": 52, + "rev": "a06c68c44862f74757a203e2df41ea83c33722d9", + "revCount": 54, "type": "git", "url": "https://git.sbruder.de/simon/bangs" }, @@ -85,16 +85,16 @@ ] }, "locked": { - "lastModified": 1699748081, - "narHash": "sha256-MOmMapBydd7MTjhX4eeQZzKlCABWw8W6iSHSG4OeFKE=", + "lastModified": 1700814205, + "narHash": "sha256-lWqDPKHRbQfi+zNIivf031BUeyciVOtwCwTjyrhDB5g=", "owner": "nix-community", "repo": "home-manager", - "rev": "04bac349d585c9df38d78e0285b780a140dc74a4", + "rev": "aeb2232d7a32530d3448318790534d196bf9427a", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } @@ -106,11 +106,11 @@ ] }, "locked": { - "lastModified": 1700386809, - "narHash": "sha256-2IPxWo0Yplv+70EueZVLTwRAijax0tirYp5Jh0QV1A4=", + "lastModified": 1701433070, + "narHash": "sha256-Gf9JStfENaUQ7YWFz3V7x/srIwr4nlnVteqaAxtwpgM=", "owner": "nix-community", "repo": "home-manager", - "rev": "9a4725afa67db35cdf7be89f30527d745194cafa", + "rev": "4a8545f5e737a6338814a4676dc8e18c7f43fc57", "type": "github" }, "original": { @@ -189,11 +189,11 @@ ] }, "locked": { - "lastModified": 1688870561, - "narHash": "sha256-4UYkifnPEw1nAzqqPOTL2MvWtm3sNGw1UTYTalkTcGY=", + "lastModified": 1698974481, + "narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=", "owner": "nix-community", "repo": "nix-github-actions", - "rev": "165b1650b753316aa7f1787f3005a8d2da0f5301", + "rev": "4bb5e752616262457bc7ca5882192a564c0472d2", "type": "github" }, "original": { 
@@ -215,11 +215,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1700064067, - "narHash": "sha256-1ZWNDzhu8UlVCK7+DUN9dVQfiHX1bv6OQP9VxstY/gs=", + "lastModified": 1700922917, + "narHash": "sha256-ej2fch/T584b5K9sk1UhmZF7W6wEfDHuoUYpFN8dtvM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "e558068cba67b23b4fbc5537173dbb43748a17e8", + "rev": "e5ee5c5f3844550c01d2131096c7271cec5e9b78", "type": "github" }, "original": { @@ -231,11 +231,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1700315735, - "narHash": "sha256-zlSLW6dX5XwBEwN87CIVtMr8zDSKvTRFmWmIQ9FfWgo=", + "lastModified": 1701250978, + "narHash": "sha256-ohu3cz4edjpGxs2qUTgbs0WrnewOX4crnUJNEB6Jox4=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "1721da31f9b30cbf4460c4ec5068b3b6174a4694", + "rev": "8772491ed75f150f02552c60694e1beff9f46013", "type": "github" }, "original": { @@ -247,16 +247,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1700097215, - "narHash": "sha256-ODQ3gBTv1iHd7lG21H+ErVISB5wVeOhd/dEogOqHs/I=", + "lastModified": 1701389149, + "narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9fb122519e9cd465d532f736a98c1e1eb541ef6f", + "rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -275,11 +275,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1696421393, - "narHash": "sha256-GarjKZ00NVXDgQZocnWvyhTWRm1LYZuZuJ4gEva+GGs=", + "lastModified": 1701527732, + "narHash": "sha256-pylAGzBf4a9ShBFR9fAs9KSD2cpPYUeINDCheSru9Yw=", "ref": "refs/heads/master", - "rev": "c8a17806a75733dec2ecdd8f0021c70d1f9dfc43", - "revCount": 62, + "rev": "37f80d1593ab856372cc0da199f49565f3b05c71", + "revCount": 64, "type": "git", "url": "https://git.sbruder.de/simon/nixpkgs-overlay" }, 
@@ -306,11 +306,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1700342017, - "narHash": "sha256-HaibwlWH5LuqsaibW3sIVjZQtEM/jWtOHX4Nk93abGE=", + "lastModified": 1700905716, + "narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "decdf666c833a325cb4417041a90681499e06a41", + "rev": "dfb95385d21475da10b63da74ae96d89ab352431", "type": "github" }, "original": { @@ -322,11 +322,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1700204040, - "narHash": "sha256-xSVcS5HBYnD3LTer7Y2K8ZQCDCXMa3QUD1MzRjHzuhI=", + "lastModified": 1701253981, + "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad", + "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", "type": "github" }, "original": { @@ -385,14 +385,16 @@ "nixpkgs": [ "nixpkgs-overlay", "nixpkgs" - ] + ], + "systems": "systems_2", + "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1695386222, - "narHash": "sha256-5lgnhCCGW0NH5+m5iTED8u6NSSM/dbH9LBPvX0x0XXg=", + "lastModified": 1701399357, + "narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "093383b3d7fdd36846a7d84e128ca11865800538", + "rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e", "type": "github" }, "original": { @@ -451,11 +453,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1700362823, - "narHash": "sha256-/H7XgvrYM0IbkpWkcdfkOH0XyBM5ewSWT1UtaLvOgKY=", + "lastModified": 1701518298, + "narHash": "sha256-5t8yqKe0oVusV4xgfA+wW58hQJXFMmq0mmaR1gKES+Y=", "owner": "Mic92", "repo": "sops-nix", - "rev": "49a87c6c827ccd21c225531e30745a9a6464775c", + "rev": "e19071f9958c8da4f4347d3d78790d97e98ba22f", "type": "github" }, "original": { 
@@ -478,6 +480,42 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs-overlay", + "poetry2nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1699786194, + "narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index c03bf8f..f22366c 100644 --- a/flake.nix +++ b/flake.nix @@ -4,10 +4,10 @@ inputs = { flake-utils.url = "github:numtide/flake-utils"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - home-manager.url = "github:nix-community/home-manager/release-23.05"; + home-manager.url = "github:nix-community/home-manager/release-23.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager-unstable.url = "github:nix-community/home-manager"; home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable"; diff --git a/machines/renge/hardware-configuration.nix b/machines/renge/hardware-configuration.nix index ca34e19..3003e11 100644 --- a/machines/renge/hardware-configuration.nix +++ b/machines/renge/hardware-configuration.nix 
@@ -15,7 +15,7 @@ network.enable = true; # remote unlocking luks.devices."root".device = "/dev/disk/by-uuid/75f9aa9f-bb40-4d83-9f81-18e4f2ce8d57"; }; - loader.grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0"; + loader.grub.device = "/dev/sda"; kernel = { sysctl = { # Swap should never be used unless the system runs ouf of memory. diff --git a/machines/renge/services/grafana.nix b/machines/renge/services/grafana.nix index c6ec7c2..cdf356c 100644 --- a/machines/renge/services/grafana.nix +++ b/machines/renge/services/grafana.nix @@ -45,7 +45,7 @@ in ensureUsers = [ { name = cfg.settings.database.user; - ensurePermissions = { "DATABASE ${cfg.settings.database.name}" = "ALL PRIVILEGES"; }; + ensureDBOwnership = true; } ]; }; diff --git a/machines/renge/services/hedgedoc.nix b/machines/renge/services/hedgedoc.nix index 07e940d..2388ccb 100644 --- a/machines/renge/services/hedgedoc.nix +++ b/machines/renge/services/hedgedoc.nix @@ -8,9 +8,7 @@ in ensureDatabases = [ "hedgedoc" ]; ensureUsers = lib.singleton { name = "hedgedoc"; - ensurePermissions = { - "DATABASE hedgedoc" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }; }; @@ -35,8 +33,8 @@ in systemd.services.hedgedoc = { after = [ "postgresql.service" ]; preStart = toString (pkgs.writeShellScript "hedgedoc-generate-session-secret" '' - if [ ! -f ${cfg.workDir}/session_secret_env ]; then - echo "CMD_SESSION_SECRET=$(${pkgs.pwgen}/bin/pwgen -s 32 1)" > ${cfg.workDir}/session_secret_env + if [ ! -f /var/lib/hedgedoc/session_secret_env ]; then + echo "CMD_SESSION_SECRET=$(${pkgs.pwgen}/bin/pwgen -s 32 1)" > /var/lib/hedgedoc/session_secret_env fi ''); serviceConfig = { @@ -44,7 +42,7 @@ in "CMD_LOGLEVEL=warn" ]; EnvironmentFile = [ - "-${cfg.workDir}/session_secret_env" # - ensures that it will not fail on first start + "-/var/lib/hedgedoc/session_secret_env" # - ensures that it will not fail on first start ]; }; }; 
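Review bot: The new `loader.grub.device = "/dev/sda"` replaces a stable by-id path with a kernel enumeration name, which can shift when a disk or controller is added, so a later rebuild may install GRUB to the wrong device; the LUKS device a few lines up still uses a by-uuid path. If the by-id symlink is simply unavailable on this VM, a comment recording that, e.g. `# by-id path dropped: <reason placeholder>`, would stop the next reader from reverting it. The enclosing `boot` attribute set starts and ends outside the hunk.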
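Review bot: `ensureDBOwnership = true` only grants anything when the role name equals a database listed in `ensureDatabases` (the NixOS postgresql module asserts this), and here the role is `cfg.settings.database.user` while the database is `cfg.settings.database.name`; nothing in the hunk ties the two together. If they are set to the same value elsewhere in the file, a comment on the user entry, `# ensureDBOwnership requires user == database name`, would document the coupling; if not, the option does not replace the removed `ensurePermissions` grant. The `ensureUsers` list sits in a block that starts and ends outside the hunk.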
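Review bot: The session secret in the hedgedoc preStart is written with a bare `>` redirect into `/var/lib/hedgedoc/session_secret_env`, so its mode is whatever the preStart umask yields (0644 under the common 022 umask, i.e. readable by every local account); the hunk only swaps the path, but it is the right place to create the file restrictively, e.g. `(umask 077; echo "CMD_SESSION_SECRET=$(${pkgs.pwgen}/bin/pwgen -s 32 1)" > /var/lib/hedgedoc/session_secret_env)`. The literal path now appears three times across the hedgedoc hunks, so a `let` binding at the top of the file would keep them in step. The `systemd.services.hedgedoc` block continues outside the hunk.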
diff --git a/machines/renge/services/matrix/synapse.nix b/machines/renge/services/matrix/synapse.nix index 510dc9f..565a867 100644 --- a/machines/renge/services/matrix/synapse.nix +++ b/machines/renge/services/matrix/synapse.nix @@ -93,12 +93,8 @@ in enable = true; # synapse requires custom databse configuration: # CREATE DATABASE "matrix-synapse" TEMPLATE template0 LC_COLLATE "C" LC_CTYPE "C"; - ensureUsers = lib.singleton { - name = "matrix-synapse"; - ensurePermissions = { - "DATABASE \"matrix-synapse\"" = "ALL PRIVILEGES"; - }; - }; + # as the databse is not created with NixOS, + # the ownership can’t be ensured here. }; services.nginx.virtualHosts = { diff --git a/modules/authoritative-dns.nix b/modules/authoritative-dns.nix index b5b94d0..50ac06f 100644 --- a/modules/authoritative-dns.nix +++ b/modules/authoritative-dns.nix @@ -33,7 +33,10 @@ in # so the module disables configuration checks. "/var/lib/knot/static.conf" ]; - extraConfig = '' + # TODO migrate to settings + settingsFile = pkgs.writeText "knot.conf" ('' + include: /var/lib/knot/static.conf + server: ${lib.concatStringsSep "\n" (map (address: " listen: ${address}@53") addresses.${config.networking.hostName})} automatic-acl: on @@ -110,7 +113,7 @@ in acl: [primary_notify] # stats module: mod-stats/custom - ''); + '')); }; users.users.knot = { @@ -151,7 +154,6 @@ in RemainAfterExit = true; User = "knot"; - BindReadOnlyPaths = [ "/run/knot/knot.sock" ]; CapabilityBoundingSet = ""; # clear LockPersonality = true; MemoryDenyWriteExecute = true; @@ -171,7 +173,8 @@ in ProtectSystem = true; RemoveIPC = true; RestrictAddressFamilies = [ "AF_UNIX" ]; # knot socket - RestrictNamespaces = true; + # this is not ideal, but I couldn’t find out how to get a bind mount of the knot socket to work otherwise + RestrictNamespaces = [ true "~mnt" ]; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; diff --git a/modules/fonts.nix b/modules/fonts.nix index 79ae044..a8a407e 100644 
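Review bot: Dropping the whole `ensureUsers` entry means NixOS no longer creates the `matrix-synapse` role at all, not just its privileges, so a fresh deployment needs the role created by hand before the manual `CREATE DATABASE` the comment describes; the new comment only mentions ownership. Keeping `ensureUsers = lib.singleton { name = "matrix-synapse"; };` without `ensureDBOwnership` would still provision the role, with the comment noting that database ownership is granted manually. The added comment (and the existing one above it) also spells `databse`. The `services.postgresql` block starts and ends outside the hunk.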
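Review bot: `RestrictNamespaces = [ true "~mnt" ]` does not appear to do what the comment intends: as far as I can tell NixOS emits the list as two `RestrictNamespaces=` directives, and systemd documents `true` as making every namespace type inaccessible while a `~`-prefixed value only removes the listed types, so mount namespaces stay forbidden rather than being permitted. If this `User = "knot"` unit genuinely needs mount namespaces, the precise spelling is `RestrictNamespaces = [ "mnt" ]`; but since the earlier hunk removes `BindReadOnlyPaths = [ "/run/knot/knot.sock" ]`, it is worth confirming the relaxation is still needed before loosening a sandbox that `ProtectSystem`, `RemoveIPC` and the empty `CapabilityBoundingSet` otherwise keep tight. The serviceConfig attribute set starts and ends outside the hunk.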
--- a/modules/fonts.nix +++ b/modules/fonts.nix @@ -17,7 +17,7 @@ let six = "closed-contour"; nine = "closed-contour"; number-sign = "upright-tall"; - at = "short"; + at = "compact"; cent = "open"; percent = "dots"; lig-ltgteq = "slanted"; @@ -77,7 +77,7 @@ let in lib.mkIf config.sbruder.gui.enable { fonts = { - fonts = with pkgs; [ + packages = with pkgs; [ iosevka-sbruder-nerd-font ] ++ lib.optionals config.sbruder.full [ google-fonts # google font collection (free) @@ -92,7 +92,7 @@ lib.mkIf config.sbruder.gui.enable { vistafonts # newer microsoft fonts ]; - enableDefaultFonts = true; + enableDefaultPackages = true; fontconfig = { defaultFonts = { diff --git a/modules/nix.nix b/modules/nix.nix index 39b1bed..049b4b4 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -52,7 +52,7 @@ in nixpkgs.overlays = with inputs; [ self.overlays.default - nixpkgs-overlay.overlay + nixpkgs-overlay.overlays.default (final: prev: { unstable = import nixpkgs-unstable { inherit (config.nixpkgs) diff --git a/modules/qbittorrent/exporter/default.nix b/modules/qbittorrent/exporter/default.nix index 7dd8cd0..2083e3c 100644 --- a/modules/qbittorrent/exporter/default.nix +++ b/modules/qbittorrent/exporter/default.nix @@ -7,7 +7,7 @@ buildGoModule rec { subPackages = [ "." ]; - vendorSha256 = "sha256-rql1QlbRgLhUJBE2c9owraCUv4r7O2oaZCijY1vs/3I="; + vendorHash = "sha256-rql1QlbRgLhUJBE2c9owraCUv4r7O2oaZCijY1vs/3I="; doCheck = false; # no tests diff --git a/modules/restic/system.nix b/modules/restic/system.nix index 962fbf0..79ad752 100644 --- a/modules/restic/system.nix +++ b/modules/restic/system.nix 
@@ -113,18 +113,18 @@ in "--tag system" "--verbose" ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}"; + backupPrepareCommand = '' + ${pkgs.nftables}/bin/nft -f ${qosRules} + ''; + backupCleanupCommand = '' + ${pkgs.nftables}/bin/nft delete table inet restic + ''; }; systemd.services."restic-backups-system".serviceConfig = { "Nice" = 10; "IOSchedulingClass" = "best-effort"; "IOSchedulingPriority" = 7; - ExecStartPre = [ - "${pkgs.nftables}/bin/nft -f ${qosRules}" - ]; - ExecStopPost = [ - "${pkgs.nftables}/bin/nft delete table inet restic" - ]; Slice = "restic.slice"; }; diff --git a/modules/syncthing.nix b/modules/syncthing.nix index 1907a3a..bb3266e 100644 --- a/modules/syncthing.nix +++ b/modules/syncthing.nix @@ -10,9 +10,11 @@ dataDir = "/home/simon"; overrideDevices = false; - devices = { - fuuko = { - id = "Z2OO5LK-N3UVCRD-QKVKLZ3-3LRXUOH-JENBAKQ-M647E3L-7FL6LIE-74GGHQF"; + settings = { + devices = { + fuuko = { + id = "Z2OO5LK-N3UVCRD-QKVKLZ3-3LRXUOH-JENBAKQ-M647E3L-7FL6LIE-74GGHQF"; + }; }; }; diff --git a/modules/tools.nix b/modules/tools.nix index 0fb5f1e..958b8a5 100644 --- a/modules/tools.nix +++ b/modules/tools.nix @@ -3,8 +3,7 @@ { programs = { adb.enable = pkgs.stdenv.isx86_64 && config.sbruder.full; - # TODO 23.11: use option again - #bandwhich.enable = true; + bandwhich.enable = true; iotop.enable = true; wireshark = { enable = config.sbruder.gui.enable && config.sbruder.full; @@ -12,14 +11,6 @@ }; }; - # TODO 23.11: see above - security.wrappers.bandwhich = { - owner = "root"; - group = "root"; - capabilities = "cap_net_raw,cap_net_admin+ep"; - source = "${pkgs.unstable.bandwhich}/bin/bandwhich"; - }; - environment.systemPackages = with pkgs; [ # top like tools bmon # network monitor diff --git a/pkgs/co2_exporter/default.nix b/pkgs/co2_exporter/default.nix index 4639252..ca2e8e0 100644 --- a/pkgs/co2_exporter/default.nix +++ b/pkgs/co2_exporter/default.nix 
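Review bot: The removed `ExecStopPost` ran `nft delete table inet restic` whenever the unit stopped, including after a failed backup; whether `backupCleanupCommand` carries the same guarantee depends on how the restic module wires it, which the hunk does not show, and a leftover `inet restic` table would keep the QoS rules applied to the host after the backup has ended, so this is worth confirming. Making the prepare step tolerant of a leftover table, e.g. `${pkgs.nftables}/bin/nft delete table inet restic 2>/dev/null || true` ahead of the `nft -f ${qosRules}` line, would also let the next run start cleanly regardless. The backup definition starts outside the hunk.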
@@ -13,7 +13,7 @@ buildGoModule rec { subPackages = [ "." ]; - vendorSha256 = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68="; + vendorHash = "sha256-CMo6FBzw0/OMKEX12oNqhbF/0dRRFR6W3VRp+EU6Q68="; oCheck = false; # no tests diff --git a/pkgs/default.nix b/pkgs/default.nix index d9c3074..538fe79 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -46,15 +46,4 @@ in patches = [ ]; }); - - # TODO 23.11: Remove - dnsmasq = prev.dnsmasq.overrideAttrs (o: rec { - preBuild = o.preBuild + '' - makeFlagsArray[0]="''${makeFlagsArray[0]} -DHAVE_NFTSET" - ''; - - buildInputs = o.buildInputs ++ (with prev; [ - nftables - ]); - }); } diff --git a/users/simon/modules/mpv/default.nix b/users/simon/modules/mpv/default.nix index 0c7ad65..7e6a969 100644 --- a/users/simon/modules/mpv/default.nix +++ b/users/simon/modules/mpv/default.nix @@ -55,7 +55,7 @@ in vapoursynth = pkgs.vapoursynth.withPlugins (with pkgs; [ vapoursynth-mvtools ]); - ffmpeg_5 = pkgs.ffmpeg_5-full; + ffmpeg = pkgs.ffmpeg-full; })) { scripts = with pkgs.mpvScripts; [ diff --git a/users/simon/modules/neovim/default.nix b/users/simon/modules/neovim/default.nix index b05da78..733ceea 100644 --- a/users/simon/modules/neovim/default.nix +++ b/users/simon/modules/neovim/default.nix @@ -1,6 +1,6 @@ { config, lib, nixosConfig, pkgs, ... }: let - rainbow_csv = pkgs.vimUtils.buildVimPluginFrom2Nix rec { + rainbow_csv = pkgs.vimUtils.buildVimPlugin rec { name = "rainbow_csv"; src = pkgs.fetchFromGitHub { owner = "mechatroner"; @@ -11,7 +11,7 @@ let meta.license = lib.licenses.mit; }; - vim-openscad = pkgs.vimUtils.buildVimPluginFrom2Nix rec { + vim-openscad = pkgs.vimUtils.buildVimPlugin rec { name = "vim-openscad"; src = pkgs.fetchFromGitHub { owner = "sirtaj"; 
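Review bot: The context line `oCheck = false; # no tests` directly under the changed `vendorHash` looks like a typo for `doCheck` (the same line reads `doCheck = false; # no tests` in `modules/qbittorrent/exporter/default.nix` in this diff), so the attribute is presumably ignored and the Go check phase still runs; the commit edits the line above but leaves it. Changing it to `doCheck = false; # no tests` while the file is open would fix it. The `buildGoModule` argument set starts and ends outside the hunk.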
@@ -22,7 +22,7 @@ let meta.license = lib.licenses.publicDomain; }; - Vim-Jinja2-Syntax = pkgs.vimUtils.buildVimPluginFrom2Nix rec { + Vim-Jinja2-Syntax = pkgs.vimUtils.buildVimPlugin rec { name = "Vim-Jinja2-Syntax"; src = pkgs.fetchFromGitHub { owner = "Glench"; diff --git a/users/simon/modules/qutebrowser/default.nix b/users/simon/modules/qutebrowser/default.nix index 629837a..440cb22 100644 --- a/users/simon/modules/qutebrowser/default.nix +++ b/users/simon/modules/qutebrowser/default.nix @@ -38,7 +38,6 @@ lib.mkIf nixosConfig.sbruder.gui.enable { programs.qutebrowser = { enable = true; - package = pkgs.qutebrowser-qt6; aliases = { q = "tab-close"; # one tab qa = "close"; # one window diff --git a/users/simon/modules/zsh/default.nix b/users/simon/modules/zsh/default.nix index e32b710..1fbfa6e 100644 --- a/users/simon/modules/zsh/default.nix +++ b/users/simon/modules/zsh/default.nix @@ -24,7 +24,7 @@ in fzf = { enable = true; changeDirWidgetCommand = "fd --color always --type d"; - changeDirWidgetOptions = [ "--preview 'exa --tree --color=always -L 4 {}'" ]; + changeDirWidgetOptions = [ "--preview 'eza --tree --color=always -L 4 {}'" ]; defaultCommand = "fd --color always"; defaultOptions = [ "--ansi" @@ -56,7 +56,7 @@ in enable = true; }; }; - exa = { + eza = { enable = true; enableAliases = true; git = true; @@ -94,7 +94,7 @@ in userctl = "systemctl --user"; vim = "nvim"; vimdiff = "nvim -d"; - l = "exa -l"; + l = "eza -l"; }; initExtra = lib.mkMerge [ (lib.mkBefore '' @@ -126,4 +126,8 @@ in ]; }; }; + + home.sessionVariables = { + EZA_COLORS = "xx=15"; # otherwise punctuation is not readable + }; }