all: update to 22.11 \o/

2022-11-22 21:30:31 -07:00 · 2022-11-22 21:30:31 -07:00 · 7389c3e587
commit 7389c3e587
parent b96a77d0a8
11 changed files with 71 additions and 134 deletions
--- a/flake.lock
+++ b/flake.lock
@ -188,6 +188,22 @@
        "type": "github"
      }
    },
    "oldStable": {
      "locked": {
        "lastModified": 1669152211,
        "narHash": "sha256-mBLiTNTzrtlYPHF0bL8NeGA4n8K5b35fYVdqaTIIkgc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "56ca700ceabcfa15396bcf581a1296e8e27ad677",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-22.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "peerix": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -236,6 +252,7 @@
        "mcchunkie": "mcchunkie",
        "microca": "microca",
        "nixos-hardware": "nixos-hardware",
        "oldStable": "oldStable",
        "peerix": "peerix",
        "reform": "reform",
        "sshKnownHosts": "sshKnownHosts",
@ -288,16 +305,16 @@
    },
    "stable": {
      "locked": {
-        "lastModified": 1669073495,
+        "lastModified": 1669145873,
-        "narHash": "sha256-YG8hF2YrGEArgM4dy/cDHqchqO1W20/v8Qm471O9fuw=",
+        "narHash": "sha256-V3VE13eRJ8JR98amEwbS/D8gccJ8YTQeRFhAOLocS+c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "41001c708d15d6f1de588b3443de970ebf1bec38",
+        "rev": "e2815a45a83febbb7608a2addeb589d4bd843016",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-22.05-small",
+        "ref": "nixos-22.11-small",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -9,7 +9,8 @@
    unstable.url = "github:NixOS/nixpkgs";
    unstableSmall.url = "github:NixOS/nixpkgs/nixos-unstable-small";
-    stable.url = "github:NixOS/nixpkgs/nixos-22.05-small";
+    oldStable.url = "github:NixOS/nixpkgs/nixos-22.05-small";
    stable.url = "github:NixOS/nixpkgs/nixos-22.11-small";
    nixos-hardware = { url = "github:NixOS/nixos-hardware/master"; };
    reform = { url = "github:nix-community/hardware-mnt-reform"; };
@ -63,9 +64,9 @@
    };
  };
-  outputs = { self, unstable, unstableSmall, stable, nixos-hardware, reform
+  outputs = { self, unstable, unstableSmall, stable, oldStable, nixos-hardware
-    , sshKnownHosts, microca, xintray, tsvnstat, taskobs, mcchunkie, gqrss
+    , reform, sshKnownHosts, microca, xintray, tsvnstat, taskobs, mcchunkie
-    , darwin, xin-secrets, peerix, ... }@inputs:
+    , gqrss, darwin, xin-secrets, peerix, ... }@inputs:
    let
      supportedSystems =
        [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
@ -89,7 +90,7 @@
        inputs.peerix.overlay
        inputs.microca.overlay
        inputs.taskobs.overlay
-    inputs.reform.overlay
+        inputs.reform.overlay
      ];
      # Set our configurationRevison based on the status of our git repo.
@ -182,7 +183,7 @@
            "${stable}/nixos/modules/installer/sd-card/sd-image-aarch64-installer.nix"
          ];
        };
-        reformInstall = stable.lib.nixosSystem {
+        reformInstall = oldStable.lib.nixosSystem {
          system = "aarch64-linux";
          modules = [
--- a/hosts/box/default.nix
+++ b/hosts/box/default.nix
@ -93,14 +93,14 @@ in {
      interfaces = {
        "wg0" = {
          allowedTCPPorts = [
-            config.services.gitea.ssh.clonePort
+            config.services.gitea.settings.server.SSH_PORT
            config.services.gitea.httpPort
            config.services.vaultwarden.config.rocketPort
          ];
        };
      };
      allowedTCPPorts = config.services.openssh.ports
-        ++ [ 80 443 config.services.gitea.ssh.clonePort ];
+        ++ [ 80 443 config.services.gitea.settings.server.SSH_PORT ];
      allowedUDPPortRanges = [{
        from = 60000;
        to = 61000;
@ -266,16 +266,20 @@ in {
    grafana = {
      enable = true;
-      domain = "graph.tapenet.org";
+      settings = {
-      port = 2342;
+        analytics.reporting_enabled = false;
-      addr = "127.0.0.1";
+        server = {
-      analytics.reporting.enable = false;
+          domain = "graph.tapenet.org";
          http_port = 2342;
          http_addr = "127.0.0.1";
        };
      };
      #declarativePlugins = with pkgs; [ grafana-image-renderer ];
      provision = {
        enable = true;
-        datasources = [
+        datasources.settings.datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
@ -480,20 +484,18 @@ in {
      appName = "Tape:neT";
      lfs.enable = true;
      ssh.enable = true;
      ssh.clonePort = 2222;
      settings = {
        server = {
          DISABLE_SSH = true;
          START_SSH_SERVER = true;
          SSH_SERVER_HOST_KEYS = "ssh/gitea-ed25519";
          SSH_PORT = 2222;
          DISABLE_REGISTRATION = true;
          COOKIE_SECURE = true;
        };
      };
      disableRegistration = true;
      cookieSecure = true;
      database = {
        type = "postgres";
        passwordFile = "${config.sops.secrets.gitea_db_pass.path}";
@ -527,7 +529,6 @@ in {
    libreddit = {
      enable = true;
      port = 8482;
      redirect = true;
    };
    nginx = {
@ -696,13 +697,14 @@ in {
          };
        };
-        ${config.services.grafana.domain} = {
+        ${config.services.grafana.settings.server.domain} = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
-            proxyPass =
+            proxyPass = "http://127.0.0.1:${
-              "http://127.0.0.1:${toString config.services.grafana.port}";
+                toString config.services.grafana.settings.server.http_port
              }";
            proxyWebsockets = true;
            extraConfig = ''
              	      ${httpAllow}
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,18 +1,6 @@
 { self, config, pkgs, lib, isUnstable, ... }:
 let
  openssh = self: super: {
    openssh = super.openssh.overrideAttrs (old: {
      version = "9.1p1";
      src = super.fetchurl {
        url = "mirror://openbsd/OpenSSH/portable/openssh-9.1p1.tar.gz";
        hash = "sha256-GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=";
      };
      doCheck = false;
    });
  };
  tailscale = self: super: {
    tailscale = super.tailscale.overrideAttrs (old: rec {
      version = "1.32.3";
@ -31,28 +19,28 @@ let
 in {
  nixpkgs.overlays = if isUnstable then
    [ tailscale ]
-  else [
+  else
-    openssh
+    [
      tailscale
      (self: super: {
        matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
          version = "1.72.0";
          src = super.fetchFromGitHub {
            owner = "matrix-org";
            repo = "synapse";
            rev = "v${version}";
            sha256 = "sha256-LkzUrEXC+jonkEpAGIEDQhAKisrKNQB8/elchN/4YMU=";
          };
-    (self: super: {
+          cargoDeps = super.rustPlatform.fetchCargoTarball {
-      matrix-synapse = super.matrix-synapse.overrideAttrs (old: rec {
+            inherit src;
-        version = "1.72.0";
+            name = "matrix-synapse-${version}";
-        src = super.fetchFromGitHub {
+            sha256 = "sha256-AuQURcVaIoOYG9jh6QhPpXB0akASVWMYe4fA/376cwo=";
-          owner = "matrix-org";
+          };
-          repo = "synapse";
+        });
-          rev = "v${version}";
+      })
          sha256 = "sha256-LkzUrEXC+jonkEpAGIEDQhAKisrKNQB8/elchN/4YMU=";
        };
-        cargoDeps = super.rustPlatform.fetchCargoTarball {
+    ];
          inherit src;
          name = "matrix-synapse-${version}";
          sha256 = "sha256-AuQURcVaIoOYG9jh6QhPpXB0akASVWMYe4fA/376cwo=";
        };
      });
    })
  ];
 }
 # Example Python dep overlay
--- a/overlays/nix-ssl-cert-file.patch
+++ b/overlays/nix-ssl-cert-file.patch
@ -1,15 +0,0 @@
 diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
 index 37d73ca84c..e328896234 100644
 --- a/crypto/x509/by_file.c
 +++ b/crypto/x509/by_file.c
@@ -54,7 +54,9 @@ static int by_file_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
     switch (cmd) {
     case X509_L_FILE_LOAD:
         if (argl == X509_FILETYPE_DEFAULT) {
 -            file = ossl_safe_getenv(X509_get_default_cert_file_env());
 +            file = ossl_safe_getenv("NIX_SSL_CERT_FILE");
 +            if (!file)
 +                file = ossl_safe_getenv(X509_get_default_cert_file_env());
             if (file)
                 ok = (X509_load_cert_crl_file_ex(ctx, file, X509_FILETYPE_PEM,
                                                  libctx, propq) != 0);
--- a/overlays/openssl-disable-kernel-detection.patch
+++ b/overlays/openssl-disable-kernel-detection.patch
@ -1,25 +0,0 @@
 diff --git a/Configure b/Configure
 index a558e5ab1a..9a884f0b0f 100755
 --- a/Configure
 +++ b/Configure
@@ -1714,20 +1714,6 @@ unless ($disabled{devcryptoeng}) {
 unless ($disabled{ktls}) {
     $config{ktls}="";
 -    my $cc = $config{CROSS_COMPILE}.$config{CC};
 -    if ($target =~ m/^linux/) {
 -        system("printf '#include <sys/types.h>\n#include <linux/tls.h>' | $cc -E - >/dev/null 2>&1");
 -        if ($? != 0) {
 -            disable('too-old-kernel', 'ktls');
 -        }
 -    } elsif ($target =~ m/^BSD/) {
 -        system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1");
 -        if ($? != 0) {
 -            disable('too-old-freebsd', 'ktls');
 -        }
 -    } else {
 -        disable('not-linux-or-freebsd', 'ktls');
 -    }
 }
 push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
--- a/overlays/use-etc-ssl-certs.patch
+++ b/overlays/use-etc-ssl-certs.patch
@ -1,13 +0,0 @@
 diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
 index 329ef62..9a8df64 100644
 --- a/include/internal/cryptlib.h
 +++ b/include/internal/cryptlib.h
@@ -56,7 +56,7 @@ DEFINE_LHASH_OF(MEM);
 # ifndef OPENSSL_SYS_VMS
 #  define X509_CERT_AREA          OPENSSLDIR
 #  define X509_CERT_DIR           OPENSSLDIR "/certs"
 -#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
 +#  define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
 #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
 #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
 # else
--- a/pkgs/gqrss.nix
+++ b/pkgs/gqrss.nix
@ -1,10 +1,6 @@
 { lib, buildGoModule, fetchFromGitHub, isUnstable, ... }:
-let
+let vendorHash = "sha256-1zBZREClt8jy0TUXJ1FuBEAJEPQoUcl4DZZ6U2LtRzg=";
  vendorHash = if isUnstable then
    "sha256-1zBZREClt8jy0TUXJ1FuBEAJEPQoUcl4DZZ6U2LtRzg="
  else
    "sha256-NIAJKq7TiMessqaohkdHy+j/vBKvMsiPgmnaiNAsGeE=";
 in with lib;
 buildGoModule rec {
--- a/pkgs/mcchunkie.nix
+++ b/pkgs/mcchunkie.nix
@ -1,9 +1,5 @@
 { lib, buildGoModule, fetchFromGitHub, isUnstable, ... }:
-let
+let vendorHash = "sha256-GCQckQe9Y96upJX2X9RDXoQIyH/SD9CniPVsIbdAPmM=";
  vendorHash = if isUnstable then
    "sha256-GCQckQe9Y96upJX2X9RDXoQIyH/SD9CniPVsIbdAPmM="
  else
    "sha256-3xIIb+fzbTOq9jf0STL3W9re5yH0JN4RO9dd/Ic1aIg=";
 in with lib;
 buildGoModule rec {
  pname = "mcchunkie";
--- a/system/nix-config.nix
+++ b/system/nix-config.nix
@ -14,9 +14,4 @@ let
      experimental-features = nix-command flakes
    '';
  };
-in {
+in { nix = { settings.auto-optimise-store = true; } // nixOptions; }
  nix = if isUnstable then
    { settings.auto-optimise-store = true; } // nixOptions
  else
    { autoOptimiseStore = true; } // nixOptions;
 }
--- a/system/nix-lockdown.nix
+++ b/system/nix-lockdown.nix
@ -11,15 +11,10 @@ with lib; {
    };
  };
  config = mkIf config.nixLockdown.enable {
-    nix = if isUnstable then {
+    nix = {
      settings.sandbox = true;
      settings.trusted-users = [ "@wheel" ];
      settings.allowed-users = [ "root" "qbit" ];
    } else {
      allowedUsers = [ "@wheel" ];
      trustedUsers = [ "root" "qbit" ];
      useSandbox = true;
    };
  };
 }