all: update to 22.11 \o/

2022-11-22 21:30:31 -07:00 · 2022-11-22 21:30:31 -07:00 · 7389c3e587
commit 7389c3e587
parent b96a77d0a8
11 changed files with 71 additions and 134 deletions
--- a/flake.lock
+++ b/flake.lock
@ -188,6 +188,22 @@
        "type": "github"
      }
    },
+    "oldStable": {
+      "locked": {
+        "lastModified": 1669152211,
+        "narHash": "sha256-mBLiTNTzrtlYPHF0bL8NeGA4n8K5b35fYVdqaTIIkgc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "56ca700ceabcfa15396bcf581a1296e8e27ad677",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.05-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "peerix": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -236,6 +252,7 @@
        "mcchunkie": "mcchunkie",
        "microca": "microca",
        "nixos-hardware": "nixos-hardware",
+        "oldStable": "oldStable",
        "peerix": "peerix",
        "reform": "reform",
        "sshKnownHosts": "sshKnownHosts",
@ -288,16 +305,16 @@
    },
    "stable": {
      "locked": {
-        "lastModified": 1669073495,
-        "narHash": "sha256-YG8hF2YrGEArgM4dy/cDHqchqO1W20/v8Qm471O9fuw=",
+        "lastModified": 1669145873,
+        "narHash": "sha256-V3VE13eRJ8JR98amEwbS/D8gccJ8YTQeRFhAOLocS+c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "41001c708d15d6f1de588b3443de970ebf1bec38",
+        "rev": "e2815a45a83febbb7608a2addeb589d4bd843016",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.05-small",
+        "ref": "nixos-22.11-small",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -9,7 +9,8 @@
    unstable.url = "github:NixOS/nixpkgs";
    unstableSmall.url = "github:NixOS/nixpkgs/nixos-unstable-small";

-    stable.url = "github:NixOS/nixpkgs/nixos-22.05-small";
+    oldStable.url = "github:NixOS/nixpkgs/nixos-22.05-small";
+    stable.url = "github:NixOS/nixpkgs/nixos-22.11-small";

    nixos-hardware = { url = "github:NixOS/nixos-hardware/master"; };
    reform = { url = "github:nix-community/hardware-mnt-reform"; };
@ -63,9 +64,9 @@
    };
  };

-  outputs = { self, unstable, unstableSmall, stable, nixos-hardware, reform
-    , sshKnownHosts, microca, xintray, tsvnstat, taskobs, mcchunkie, gqrss
-    , darwin, xin-secrets, peerix, ... }@inputs:
+  outputs = { self, unstable, unstableSmall, stable, oldStable, nixos-hardware
+    , reform, sshKnownHosts, microca, xintray, tsvnstat, taskobs, mcchunkie
+    , gqrss, darwin, xin-secrets, peerix, ... }@inputs:
    let
      supportedSystems =
        [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
@ -89,7 +90,7 @@
        inputs.peerix.overlay
        inputs.microca.overlay
        inputs.taskobs.overlay
-    inputs.reform.overlay
+        inputs.reform.overlay
      ];

      # Set our configurationRevison based on the status of our git repo.
@ -182,7 +183,7 @@
            "${stable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
          ];
        };
-        reformInstall = stable.lib.nixosSystem {
+        reformInstall = oldStable.lib.nixosSystem {
          system = "aarch64-linux";

          modules = [
--- a/hosts/box/default.nix
+++ b/hosts/box/default.nix
@ -93,14 +93,14 @@ in {
      interfaces = {
        "wg0" = {
          allowedTCPPorts = [
-            config.services.gitea.ssh.clonePort
+            config.services.gitea.settings.server.SSH_PORT
            config.services.gitea.httpPort
            config.services.vaultwarden.config.rocketPort
          ];
        };
      };
      allowedTCPPorts = config.services.openssh.ports
-        ++ [ 80 443 config.services.gitea.ssh.clonePort ];
+        ++ [ 80 443 config.services.gitea.settings.server.SSH_PORT ];
      allowedUDPPortRanges = [{
        from = 60000;
        to = 61000;
@ -266,16 +266,20 @@ in {

    grafana = {
      enable = true;
-      domain = "graph.tapenet.org";
-      port = 2342;
-      addr = "127.0.0.1";
-      analytics.reporting.enable = false;
+      settings = {
+        analytics.reporting_enabled = false;
+        server = {
+          domain = "graph.tapenet.org";
+          http_port = 2342;
+          http_addr = "127.0.0.1";
+        };
+      };

      #declarativePlugins = with pkgs; [ grafana-image-renderer ];

      provision = {
        enable = true;
-        datasources = [
+        datasources.settings.datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
@ -480,20 +484,18 @@ in {
      appName = "Tape:neT";

      lfs.enable = true;
-      ssh.enable = true;
-      ssh.clonePort = 2222;

      settings = {
        server = {
+          DISABLE_SSH = true;
          START_SSH_SERVER = true;
          SSH_SERVER_HOST_KEYS = "ssh/gitea-ed25519";
+          SSH_PORT = 2222;
+          DISABLE_REGISTRATION = true;
+          COOKIE_SECURE = true;
        };
      };

-      disableRegistration = true;
-
-      cookieSecure = true;
-
      database = {
        type = "postgres";
        passwordFile = "${config.sops.secrets.gitea_db_pass.path}";
@ -527,7 +529,6 @@ in {
    libreddit = {
      enable = true;
      port = 8482;
-      redirect = true;
    };

    nginx = {
@ -696,13 +697,14 @@ in {
          };
        };

-        ${config.services.grafana.domain} = {
+        ${config.services.grafana.settings.server.domain} = {
          forceSSL = true;
          enableACME = true;

          locations."/" = {
-            proxyPass =
-              "http://127.0.0.1:${toString config.services.grafana.port}";
+            proxyPass = "http://127.0.0.1:${
+                toString config.services.grafana.settings.server.http_port
+              }";
            proxyWebsockets = true;
            extraConfig = ''
              	      ${httpAllow}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,18 +1,6 @@
 { self, config, pkgs, lib, isUnstable, ... }:

 let
-  openssh = self: super: {
-    openssh = super.openssh.overrideAttrs (old: {
-      version = "9.1p1";
-
-      src = super.fetchurl {
-        url = "mirror://openbsd/OpenSSH/portable/openssh-9.1p1.tar.gz";
-        hash = "sha256-GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=";
-      };
-
-      doCheck = false;
-    });
-  };
  tailscale = self: super: {
    tailscale = super.tailscale.overrideAttrs (old: rec {
      version = "1.32.3";
@ -31,28 +19,28 @@ let
 in {
  nixpkgs.overlays = if isUnstable then
    [ tailscale ]
-  else [
-    openssh
+  else
+    [
+      tailscale
+      (self: super: {
+        matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
+          version = "1.72.0";
+          src = super.fetchFromGitHub {
+            owner = "matrix-org";
+            repo = "synapse";
+            rev = "v${version}";
+            sha256 = "sha256-LkzUrEXC+jonkEpAGIEDQhAKisrKNQB8/elchN/4YMU=";
+          };

-    (self: super: {
-      matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
-        version = "1.72.0";
-        src = super.fetchFromGitHub {
-          owner = "matrix-org";
-          repo = "synapse";
-          rev = "v${version}";
-          sha256 = "sha256-LkzUrEXC+jonkEpAGIEDQhAKisrKNQB8/elchN/4YMU=";
-        };
+          cargoDeps = super.rustPlatform.fetchCargoTarball {
+            inherit src;
+            name = "matrix-synapse-${version}";
+            sha256 = "sha256-AuQURcVaIoOYG9jh6QhPpXB0akASVWMYe4fA/376cwo=";
+          };
+        });
+      })

-        cargoDeps = super.rustPlatform.fetchCargoTarball {
-          inherit src;
-          name = "matrix-synapse-${version}";
-          sha256 = "sha256-AuQURcVaIoOYG9jh6QhPpXB0akASVWMYe4fA/376cwo=";
-        };
-      });
-    })
-
-  ];
+    ];
 }

 # Example Python dep overlay
--- a/overlays/nix-ssl-cert-file.patch
+++ b/overlays/nix-ssl-cert-file.patch
@ -1,15 +0,0 @@
-diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
-index 37d73ca84c..e328896234 100644
--- a/crypto/x509/by_file.c
-+++ b/crypto/x509/by_file.c
-@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
-     switch (cmd) {
-     case X509_L_FILE_LOAD:
-         if (argl == X509_FILETYPE_DEFAULT) {
-            file = ossl_safe_getenv(X509_get_default_cert_file_env());
-+            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
-+            if (!file)
-+                file = ossl_safe_getenv(X509_get_default_cert_file_env());
-             if (file)
-                 ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM,
-                                                  libctx, propq) != 0);
--- a/overlays/openssl-disable-kernel-detection.patch
+++ b/overlays/openssl-disable-kernel-detection.patch
@ -1,25 +0,0 @@
-diff --git a/Configure b/Configure
-index a558e5ab1a..9a884f0b0f 100755
--- a/Configure
-+++ b/Configure
-@@ -1714,20 +1714,6 @@ unless ($disabled{devcryptoeng}) {
- 
- unless ($disabled{ktls}) {
-     $config{ktls}="";
-    my $cc = $config{CROSS_COMPILE}.$config{CC};
-    if ($target =~ m/^linux/) {
-        system("printf '#include <sys/types.h>\n#include <linux/tls.h>' | $cc -E - >/dev/null 2>&1");
-        if ($? != 0) {
-            disable('too-old-kernel', 'ktls');
-        }
-    } elsif ($target =~ m/^BSD/) {
-        system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1");
-        if ($? != 0) {
-            disable('too-old-freebsd', 'ktls');
-        }
-    } else {
-        disable('not-linux-or-freebsd', 'ktls');
-    }
- }
- 
- push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
--- a/overlays/use-etc-ssl-certs.patch
+++ b/overlays/use-etc-ssl-certs.patch
@ -1,13 +0,0 @@
-diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
-index 329ef62..9a8df64 100644
--- a/include/internal/cryptlib.h
-+++ b/include/internal/cryptlib.h
-@@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM);
- # ifndef OPENSSL_SYS_VMS
- #  define X509_CERT_AREA          OPENSSLDIR
- #  define X509_CERT_DIR           OPENSSLDIR "/certs"
-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
-+#  define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
- #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
- #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
- # else
--- a/pkgs/gqrss.nix
+++ b/pkgs/gqrss.nix
@ -1,10 +1,6 @@
 { lib, buildGoModule, fetchFromGitHub, isUnstable, ... }:

-let
-  vendorHash = if isUnstable then
-    "sha256-1zBZREClt8jy0TUXJ1FuBEAJEPQoUcl4DZZ6U2LtRzg="
-  else
-    "sha256-NIAJKq7TiMessqaohkdHy+j/vBKvMsiPgmnaiNAsGeE=";
+let vendorHash = "sha256-1zBZREClt8jy0TUXJ1FuBEAJEPQoUcl4DZZ6U2LtRzg=";

 in with lib;
 buildGoModule rec {
--- a/pkgs/mcchunkie.nix
+++ b/pkgs/mcchunkie.nix
@ -1,9 +1,5 @@
 { lib, buildGoModule, fetchFromGitHub, isUnstable, ... }:
-let
-  vendorHash = if isUnstable then
-    "sha256-GCQckQe9Y96upJX2X9RDXoQIyH/SD9CniPVsIbdAPmM="
-  else
-    "sha256-3xIIb+fzbTOq9jf0STL3W9re5yH0JN4RO9dd/Ic1aIg=";
+let vendorHash = "sha256-GCQckQe9Y96upJX2X9RDXoQIyH/SD9CniPVsIbdAPmM=";
 in with lib;
 buildGoModule rec {
  pname = "mcchunkie";
--- a/system/nix-config.nix
+++ b/system/nix-config.nix
@ -14,9 +14,4 @@ let
      experimental-features = nix-command flakes
    '';
  };
-in {
-  nix = if isUnstable then
-    { settings.auto-optimise-store = true; } // nixOptions
-  else
-    { autoOptimiseStore = true; } // nixOptions;
-}
+in { nix = { settings.auto-optimise-store = true; } // nixOptions; }
--- a/system/nix-lockdown.nix
+++ b/system/nix-lockdown.nix
@ -11,15 +11,10 @@ with lib; {
    };
  };
  config = mkIf config.nixLockdown.enable {
-    nix = if isUnstable then {
+    nix = {
      settings.sandbox = true;
      settings.trusted-users = [ "@wheel" ];
      settings.allowed-users = [ "root" "qbit" ];
-    } else {
-      allowedUsers = [ "@wheel" ];
-      trustedUsers = [ "root" "qbit" ];
-      useSandbox = true;
    };
-
  };
 }