diff --git a/flake.lock b/flake.lock index c0308c4..16c0ce6 100644 --- a/flake.lock +++ b/flake.lock @@ -203,16 +203,16 @@ ] }, "locked": { - "lastModified": 1726989464, - "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", + "lastModified": 1731832479, + "narHash": "sha256-icDDuYwJ0avTMZTxe1qyU/Baht5JOqw4pb5mWpR+hT0=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", + "rev": "5056a1cf0ce7c2a08ab50713b6c4af77975f6111", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.05", + "ref": "master", "repo": "home-manager", "type": "github" } @@ -330,16 +330,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731239293, - "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=", + "lastModified": 1731858824, + "narHash": "sha256-0KhJ6SOyWjx408tsgcoVQFx9nEn55DwrhFbCE49Oyac=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884", + "rev": "7937932921ea34c51c1b586e2505574f6f0be5a7", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.05", + "ref": "release-24.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index 4ae9e7f..9f867d0 100644 --- a/flake.nix +++ b/flake.nix @@ -10,7 +10,7 @@ gomod2nix.url = "github:nix-community/gomod2nix"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.url = "github:nix-community/home-manager/master"; krops.inputs.flake-utils.follows = "flake-utils"; krops.inputs.nixpkgs.follows = "nixpkgs"; @@ -24,7 +24,7 @@ nixos-hardware.url = "github:nixos/nixos-hardware/master"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs.url = "github:nixos/nixpkgs/release-24.11"; nixpkgsMaster.url = "github:NixOS/nixpkgs/master"; diff --git a/hosts/aluminium/services/dyndns.nix b/hosts/aluminium/services/dyndns.nix index ea0e38c..bbcdb34 100644 
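Review bot: `home-manager.url` now tracks `master` while `nixpkgs.url` is pinned to the `release-24.11` branch, so the two inputs no longer move together: every `nix flake update` pulls whatever is at the head of home-manager's development branch, and home-manager's version check against the 24.11 nixpkgs may start warning as master advances. If a `release-24.11` branch of home-manager exists by the time this is deployed, `home-manager.url = "github:nix-community/home-manager/release-24.11";` keeps both inputs on the same stable line; until then a comment such as `# master until home-manager publishes release-24.11 — re-pin then` records that the mismatch is temporary. The flake.lock hunks above are the matching lock bumps and need no change of their own.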
--- a/hosts/aluminium/services/dyndns.nix +++ b/hosts/aluminium/services/dyndns.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: { sops.secrets.duckdns-secret = { sopsFile = ../secrets.yaml; @@ -11,6 +11,14 @@ username = "nouser"; passwordFile = config.sops.secrets.duckdns-secret.path; domains = [ "jalr-k" ]; - use = "if, if=ppp0"; + usev4 = "ifv4, ifv4=ppp0"; + package = pkgs.ddclient.overrideAttrs (p: rec { + nativeBuildInputs = p.nativeBuildInputs ++ [ pkgs.makeWrapper ]; + wrapperPath = pkgs.lib.makeBinPath [ pkgs.iproute2 ]; + postFixup = '' + wrapProgram $out/bin/ddclient \ + --prefix PATH : "${wrapperPath}" + ''; + }); }; } diff --git a/hosts/aluminium/services/unifi-controller.nix b/hosts/aluminium/services/unifi-controller.nix index 16489c6..4801621 100644 --- a/hosts/aluminium/services/unifi-controller.nix +++ b/hosts/aluminium/services/unifi-controller.nix @@ -7,6 +7,7 @@ in services.unifi = { enable = true; unifiPackage = pkgs.unifi8; + mongodbPackage = pkgs.mongodb-7_0; }; networking.firewall.interfaces.lechner.allowedTCPPorts = [ ports.unifi-inform.tcp diff --git a/hosts/iron/configuration.nix b/hosts/iron/configuration.nix index 80a60f2..d8e1203 100644 --- a/hosts/iron/configuration.nix +++ b/hosts/iron/configuration.nix @@ -1,7 +1,6 @@ { inputs, config, pkgs, lib, ... }: let interfaces = import ./interfaces.nix; - zfsKernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; disks = [ "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K" "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A" @@ -118,7 +117,6 @@ with lib; { ''; boot = { - kernelPackages = zfsKernelPackages; kernel.sysctl = { "net.ipv6.conf.all.forwarding" = 1; }; diff --git a/hosts/iron/services/dyndns.nix b/hosts/iron/services/dyndns.nix index 710aceb..6f6e206 100644 --- a/hosts/iron/services/dyndns.nix +++ b/hosts/iron/services/dyndns.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let interfaces = import ../interfaces.nix; in 
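Review bot: The `postFixup` in the `pkgs.ddclient.overrideAttrs` call replaces rather than extends whatever `postFixup` the base ddclient derivation defines, so any fixup step nixpkgs already performs on the package would be dropped silently; `postFixup = (p.postFixup or "") + '' ... '';` preserves it (the hunk does not show whether the base package has one). `wrapperPath` inside the `rec` set also becomes a derivation attribute exported into the builder environment, where a `let` binding around the override would do the same job without leaking into the build. The identical override appears in the `@@ -14,7 +14,15 @@` hunk of hosts/iron/services/dyndns.nix; lifting it into the repo's overlay as a single wrapped ddclient package would stop the two copies drifting apart.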
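Review bot: `mongodbPackage = pkgs.mongodb-7_0;` changes the MongoDB major version the existing UniFi database is opened with, and MongoDB only upgrades data in place from the immediately preceding major: the data directory's featureCompatibilityVersion must already be 6.0 before 7.0 will start on it. The hunk does not show which version the host ran before, so if it was older than 6.0 the controller will fail to start after this deploy until the data has been stepped through the intermediate release. A comment such as `# mongodb-7_0 only opens data at FCV 6.0; step older data through 6.0 first` next to the option would record that constraint, and since the mongodb packages carry the unfree SSPL license, the host's unfree predicate must already cover them. The same change is made in hosts/iron/services/unifi-controller.nix.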
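Review bot: Dropping `kernelPackages = zfsKernelPackages;` (together with the `zfsKernelPackages` binding removed in the first hunk of this file) moves the host from the latest ZFS-compatible kernel to the nixpkgs default kernel, presumably as the replacement for the deprecated `latestCompatibleLinuxPackages` attribute; that is a kernel change, likely to the default LTS series, and it only takes effect after a reboot, so the running kernel is unchanged by `nixos-rebuild switch` alone. A comment under `boot = {` such as `# kernel intentionally left at the nixpkgs default: that is the series ZFS is kept compatible with` would make the choice explicit for the next reader. The `boot` attribute set continues outside the hunk.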
@@ -14,7 +14,15 @@ in username = "nouser"; passwordFile = config.sops.secrets.duckdns-secret.path; domains = [ "jalr-bw" ]; - use = "if, if=${interfaces.wan}"; - #usev6=ifv6, ifv6=enp3s4 + usev4 = "ifv4, ifv4=${interfaces.wan}"; + usev6 = "ifv6, ifv6=${interfaces.wan}"; + package = pkgs.ddclient.overrideAttrs (p: rec { + nativeBuildInputs = p.nativeBuildInputs ++ [ pkgs.makeWrapper ]; + wrapperPath = pkgs.lib.makeBinPath [ pkgs.iproute2 ]; + postFixup = '' + wrapProgram $out/bin/ddclient \ + --prefix PATH : "${wrapperPath}" + ''; + }); }; } diff --git a/hosts/iron/services/navidrome.nix b/hosts/iron/services/navidrome.nix index 755f26c..f6b87e4 100644 --- a/hosts/iron/services/navidrome.nix +++ b/hosts/iron/services/navidrome.nix @@ -18,14 +18,14 @@ let if [ -e "''$password_encryption_key_file" ]; then export ND_PASSWORDENCRYPTIONKEY="$(cat "''$password_encryption_key_file")" fi - exec ${pkgs.navidrome}/bin/navidrome --configfile ${configFile} + exec ${config.services.navidrome.package}/bin/navidrome --configfile ${configFile} ''; in { services.navidrome.enable = true; systemd.services.navidrome = { serviceConfig = { - ExecStart = lib.mkForce "${utils.systemdUtils.lib.makeJobScript "navidrome-start" script} %d"; + ExecStart = lib.mkForce "${pkgs.writeShellScript "navidrome-start" script} %d"; } // lib.attrsets.optionalAttrs (passwordEncryptionKeyFile != null) { LoadCredential = "PasswordEncryptionKey:${passwordEncryptionKeyFile}"; }; diff --git a/hosts/iron/services/radicale.nix b/hosts/iron/services/radicale.nix index 538947f..ec367ce 100644 --- a/hosts/iron/services/radicale.nix +++ b/hosts/iron/services/radicale.nix @@ -54,14 +54,5 @@ in level = "warning"; }; }; - # Apply fix https://github.com/Kozea/Radicale/issues/1485 - package = pkgs.radicale.overrideAttrs (p: { - src = pkgs.fetchFromGitHub { - owner = "Kozea"; - repo = "Radicale"; - rev = "5146537915f0cb397ae4ef53fe8a4f91fac5d972"; - sha256 = "DRNiY665MHqmXAeGs39N3YfTAV0SEjzUNf3Nfk+kKvk="; - }; - }); }; } 
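Review bot: `usev6 = "ifv6, ifv6=${interfaces.wan}";` turns on IPv6 updates that were previously only a commented-out line, so the record will now also publish an AAAA taken from the WAN interface's address; with ddclient presumably reading that address via `ip` (hence the iproute2 PATH wrapper below), the result depends on which global address the interface carries, and a temporary/privacy address would change often and cause update churn. Worth confirming that `interfaces.wan` holds a stable global IPv6 address and recording it, e.g. `# ifv6 reads the WAN interface via iproute2 (PATH wrapper below); needs a stable global address`. The enclosing attribute set starts outside the hunk.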
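Review bot: Swapping `utils.systemdUtils.lib.makeJobScript` for `pkgs.writeShellScript` changes how the wrapper script is run: as far as I recall `makeJobScript` generates its script with bash's `-e` enabled, whereas `writeShellScript` only prepends a shebang, so any command in `script` that fails now lets execution continue to the `exec` line instead of failing the unit. The visible preamble is guarded by an `if`, so nothing in the hunk depends on it, but the start of `script` is outside the hunk; if it does not already do so, `set -eu` as its first line restores the previous error behaviour. Pointing the `exec` at `config.services.navidrome.package` instead of `pkgs.navidrome` correctly keeps the wrapper in step with the module's package option.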
diff --git a/hosts/iron/services/unifi-controller.nix b/hosts/iron/services/unifi-controller.nix index 6eeed31..bbd67a8 100644 --- a/hosts/iron/services/unifi-controller.nix +++ b/hosts/iron/services/unifi-controller.nix @@ -8,6 +8,7 @@ in services.unifi = { enable = true; unifiPackage = pkgs.unifi8; + mongodbPackage = pkgs.mongodb-7_0; }; networking.firewall.interfaces."${interfaces.lan}".allowedTCPPorts = [ ports.unifi-http.tcp diff --git a/hosts/magnesium/configuration.nix b/hosts/magnesium/configuration.nix index 0529035..cf05901 100644 --- a/hosts/magnesium/configuration.nix +++ b/hosts/magnesium/configuration.nix @@ -24,16 +24,14 @@ ]; routes = [ { - routeConfig.Destination = "172.31.1.1"; + Destination = "172.31.1.1"; } { - routeConfig = { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; + Gateway = "172.31.1.1"; + GatewayOnLink = true; } { - routeConfig.Gateway = "fe80::1"; + Gateway = "fe80::1"; } ]; }; diff --git a/hosts/magnesium/services/forgejo.nix b/hosts/magnesium/services/forgejo.nix index 9eef90f..90d7fb4 100644 --- a/hosts/magnesium/services/forgejo.nix +++ b/hosts/magnesium/services/forgejo.nix @@ -12,7 +12,7 @@ in services.forgejo = { enable = true; lfs.enable = true; - mailerPasswordFile = config.sops.secrets.forgejo-mail.path; + secrets.mailer.PASSWD = config.sops.secrets.forgejo-mail.path; settings = { DEFAULT.APP_NAME = "jalr's git"; avatar.DISABLE_GRAVATAR = true; diff --git a/hosts/weinturm-pretix-prod/configuration.nix b/hosts/weinturm-pretix-prod/configuration.nix index 97d6106..694dc1b 100644 --- a/hosts/weinturm-pretix-prod/configuration.nix +++ b/hosts/weinturm-pretix-prod/configuration.nix @@ -20,16 +20,14 @@ ]; routes = [ { - routeConfig.Destination = "172.31.1.1"; + Destination = "172.31.1.1"; } { - routeConfig = { - Gateway = "172.31.1.1"; - GatewayOnLink = true; - }; + Gateway = "172.31.1.1"; + GatewayOnLink = true; } { - routeConfig.Gateway = "fe80::1"; + Gateway = "fe80::1"; } ]; }; 
diff --git a/modules/matrix/mautrix-signal.nix b/modules/matrix/mautrix-signal.nix index a470546..d1db25d 100644 --- a/modules/matrix/mautrix-signal.nix +++ b/modules/matrix/mautrix-signal.nix 
@@ -4,133 +4,47 @@ let cfg = config.jalr.matrix; synapseCfg = config.services.matrix-synapse.settings; dataDir = "/var/lib/mautrix-signal"; - registrationFile = "${dataDir}/signal-registration.yaml"; - settings = { - homeserver = { - address = synapseCfg.public_baseurl; - domain = synapseCfg.server_name; - }; - appservice = rec { - hostname = "127.0.0.1"; - port = cfg.mautrix-signal.port; - address = "http://${hostname}:${toString port}"; - provisioning.shared_secret = "disable"; - database = "sqlite:///${dataDir}/mautrix-signal.db"; - }; - bridge = { - encryption = { - allow = true; - default = true; - }; - verification_levels = { - receive = "cross-signed-tofu"; - send = "cross-signed-tofu"; - share = "cross-signed-tofu"; - }; - }; - logging = { - version = 1; - min_level = "info"; - writers = lib.singleton { - type = "stdout"; - format = "pretty-colored"; - time_format = " "; - }; - }; - } // cfg.mautrix-signal.settings; - settingsFormat = pkgs.formats.json { }; - settingsFile = "${dataDir}/config.json"; - settingsFileUnsubstituted = - settingsFormat.generate "mautrix-signal-config.json" settings; in lib.mkIf cfg.mautrix-signal.enable { - systemd.services.mautrix-signal = { - description = "mautrix-signal, A Matrix-Signal puppeting bridge."; - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ] ++ cfg.mautrix-signal.serviceDependencies; - after = [ "network-online.target" ] ++ cfg.mautrix-signal.serviceDependencies; - - environment.HOME = dataDir; - preStart = '' - # substitute the settings file by environment variables - # in this case read from EnvironmentFile - test -f '${settingsFile}' && rm -f '${settingsFile}' - old_umask=$(umask) - umask 0177 - ${pkgs.envsubst}/bin/envsubst \ - -o '${settingsFile}' \ - -i '${settingsFileUnsubstituted}' - - cp '${settingsFile}' '${settingsFile}.tmp' - umask $old_umask - - # generate the appservice's registration file if absent - if [ ! 
-f '${registrationFile}' ]; then - ${pkgs.mautrix-signal}/bin/mautrix-signal \ - --generate-registration \ - --config='${settingsFile}.tmp' \ - --registration='${registrationFile}' - fi - - umask 0177 - ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token - | .[0].appservice.hs_token = .[1].hs_token - | .[0]' '${settingsFile}' '${registrationFile}' \ - > '${settingsFile}.tmp' - mv '${settingsFile}.tmp' '${settingsFile}' - umask $old_umask - ''; - serviceConfig = { - Type = "exec"; - User = "mautrix-signal"; - #EnvironmentFile = cfg.environmentFile; - WorkingDirectory = dataDir; - StateDirectory = lib.mkIf (dataDir == "/var/lib/mautrix-signal") "mautrix-signal"; - ExecStart = '' - ${pkgs.mautrix-signal}/bin/mautrix-signal \ - --config='${settingsFile}' \ - --no-update - ''; - Restart = "on-failure"; - RestartSec = "30s"; - - ReadWritePaths = dataDir; - NoNewPrivileges = true; - MemoryDenyWriteExecute = true; - PrivateDevices = true; - PrivateTmp = true; - #ProtectHome = true; - ProtectSystem = "strict"; - ProtectControlGroups = true; - RestrictSUIDSGID = true; - RestrictRealtime = true; - LockPersonality = true; - ProtectKernelLogs = true; - ProtectKernelTunables = true; - ProtectHostname = true; - ProtectKernelModules = true; - PrivateUsers = true; - ProtectClock = true; - SystemCallArchitectures = "native"; - SystemCallErrorNumber = "EPERM"; - SystemCallFilter = "@system-service"; - }; - restartTriggers = [ settingsFileUnsubstituted ]; + services.mautrix-signal = { + enable = true; + registerToSynapse = true; + settings = { + homeserver = { + address = synapseCfg.public_baseurl; + domain = synapseCfg.server_name; + }; + appservice = rec { + hostname = "127.0.0.1"; + port = cfg.mautrix-signal.port; + address = "http://${hostname}:${toString port}"; + provisioning.shared_secret = "disable"; + database = "sqlite:///${dataDir}/mautrix-signal.db"; + }; + bridge = { + encryption = { + allow = true; + default = true; + }; + verification_levels = { + receive = 
"cross-signed-tofu"; + send = "cross-signed-tofu"; + share = "cross-signed-tofu"; + }; + }; + logging = { + version = 1; + min_level = "info"; + writers = lib.singleton { + type = "stdout"; + format = "pretty-colored"; + time_format = " "; + }; + }; + } // cfg.mautrix-signal.settings; }; - users.users.mautrix-signal = { - isSystemUser = true; - group = "mautrix-signal"; - home = dataDir; - description = "mautrix-signal bridge user"; - }; - - users.groups.mautrix-signal = { }; - services.signald = { enable = true; - group = "mautrix-signal"; }; - - jalr.matrix.synapse.app_service_config."mautrix-signal" = "/var/lib/mautrix-signal/signal-registration.yaml"; } diff --git a/modules/matrix/mautrix-whatsapp.nix b/modules/matrix/mautrix-whatsapp.nix index c4f851d..aa49668 100644 --- a/modules/matrix/mautrix-whatsapp.nix +++ b/modules/matrix/mautrix-whatsapp.nix @@ -7,6 +7,7 @@ in lib.mkIf cfg.mautrix-whatsapp.enable { services.mautrix-whatsapp = { enable = true; + registerToSynapse = true; settings = { homeserver = { address = synapseCfg.public_baseurl; @@ -50,6 +51,4 @@ lib.mkIf cfg.mautrix-whatsapp.enable { }; } // cfg.mautrix-whatsapp.settings; }; - - jalr.matrix.synapse.app_service_config."mautrix-whatsapp" = "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"; } diff --git a/modules/nix.nix b/modules/nix.nix index 94aca4f..0ae40e8 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, inputs, system, ... }: +{ lib, pkgs, inputs, system, ... }: { nix = { @@ -14,7 +14,6 @@ experimental-features = [ "nix-command" "flakes" - "repl-flake" ]; trusted-users = [ "@wheel" ]; auto-optimise-store = true; @@ -35,8 +34,12 @@ systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250; - nixpkgs.overlays = with inputs; [ - self.overlays.default + nixpkgs.config.permittedInsecurePackages = [ + "olm-3.2.16" + ]; + + nixpkgs.overlays = [ + inputs.self.overlays.default (final: prev: { master = import inputs.nixpkgsMaster { inherit system; 
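Review bot: `services.signald.enable = true;` survives the migration to `services.mautrix-signal`, but as far as I know the nixpkgs module packages the Go rewrite of the bridge, which talks to Signal directly and does not use signald; the removal of `group = "mautrix-signal"` from the signald block suggests nothing is expected to reach its socket any more, so if no other consumer exists the whole `services.signald` block can go, removing an unused daemon that holds Signal session state. The `appservice.database = "sqlite:///${dataDir}/mautrix-signal.db"` string is the legacy configuration shape; the Go bridge and the module's defaults may expect an attribute set with `type` and `uri`, so check that the merged settings evaluate and that the path stays inside the unit's writable state directory. `cfg.mautrix-signal.serviceDependencies` is no longer consumed anywhere in this file, so that option may now be dead in the module that declares it.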
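Review bot: `nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];` whitelists a package nixpkgs marks insecure (libolm is end-of-life upstream and the marking cites unfixed cryptographic weaknesses) for every host importing this module, with nothing recording what needs it. Presumably it is the Matrix bridges' end-to-end encryption support (the mautrix modules in this same change enable `encryption`), so a comment such as `# olm is EOL and flagged insecure in nixpkgs; still required by the mautrix bridges for E2EE — drop once they no longer link libolm` makes the exception auditable, and moving the list into the matrix module would scope it to the hosts that actually run the bridges. Pinning the exact version string is the right call: the exception lapses on its own when nixpkgs bumps olm.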
diff --git a/modules/pipewire.nix b/modules/pipewire.nix index cb4cf02..d5fa8b4 100644 --- a/modules/pipewire.nix +++ b/modules/pipewire.nix @@ -1,7 +1,6 @@ { config, lib, pkgs, ... }: lib.mkIf config.jalr.gui.enable { - sound.enable = true; hardware.pulseaudio.enable = false; # FIXME diff --git a/modules/sway.nix b/modules/sway.nix index 181f95d..4b47299 100644 --- a/modules/sway.nix +++ b/modules/sway.nix @@ -7,7 +7,7 @@ lib.mkIf (config.jalr.gui.enable && config.jalr.gui.desktop == "sway") { wrapperFeatures.gtk = true; }; - hardware.opengl.enable = true; + hardware.graphics.enable = true; security.polkit.enable = true; diff --git a/pkgs/fpvout/default.nix b/pkgs/fpvout/default.nix index 97ecad7..f4090d7 100644 --- a/pkgs/fpvout/default.nix +++ b/pkgs/fpvout/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = with pkgs; [ cmake pkg-config - libusb + libusb1 ]; installPhase = '' diff --git a/users/jalr/modules/gui.nix b/users/jalr/modules/gui.nix index dac9372..6e34d61 100644 --- a/users/jalr/modules/gui.nix +++ b/users/jalr/modules/gui.nix @@ -15,7 +15,7 @@ lib.mkIf nixosConfig.jalr.gui.enable { streamlink supersonic-wayland vlc - xdg_utils + xdg-utils ]; services.kanshi = {