From 7764ba6abb54f2a3b28f09b100d1a805383b00d6 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Sat, 16 Dec 2023 17:38:22 +0100 Subject: [PATCH] Flake -> 23.05. Patch/update sarek --- flake.lock | 46 +++++++++++++++---------------- flake.nix | 4 +-- hosts/sarek/configuration.nix | 24 +++++++++++----- hosts/sarek/services/hedgedoc.nix | 6 ++-- 4 files changed, 44 insertions(+), 36 deletions(-) diff --git a/flake.lock b/flake.lock index 1bb012f..7f9577f 100644 --- a/flake.lock +++ b/flake.lock @@ -7,16 +7,16 @@ ] }, "locked": { - "lastModified": 1695108154, - "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", + "lastModified": 1702676849, + "narHash": "sha256-XqcREaTS38/QOsN8fk8PP325/UXHyF9enbP5ZPw5aiA=", "owner": "nix-community", "repo": "home-manager", - "rev": "07682fff75d41f18327a871088d20af2710d4744", + "rev": "aa99c2f4e9847cbb7e46fac0844ea1eb164b3b3a", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } @@ -26,11 +26,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1697936579, - "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=", + "lastModified": 1701507532, + "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=", "owner": "dali99", "repo": "nixos-matrix-modules", - "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9", + "rev": "046194cdadc50d81255a9c57789381ed1153e2b1", "type": "github" }, "original": { @@ -46,11 +46,11 @@ ] }, "locked": { - "lastModified": 1698429334, - "narHash": "sha256-Gq3+QabboczSu7RMpcy79RSLMSqnySO3wsnHQk4DfbE=", + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "afe83cbc2e673b1f08d32dd0f70df599678ff1e7", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "type": "github" }, "original": { @@ -62,16 +62,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1698696950, - "narHash": "sha256-FHFL58t6lMumvWqwundC8fDDDLOIvc+JJBNIAlPjrDY=", + "lastModified": 1702346276, + "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "017ef2132a5bda50bd713aeabce8f918502d4ec1", + "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -93,11 +93,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1698544399, - "narHash": "sha256-vhRmPyEyoPkrXF2iykBsWHA05MIaOSmMRLMF7Hul6+s=", + "lastModified": 1702148972, + "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d87c5d8c41c9b3b39592563242f3a448b5cc4bc9", + "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227", "type": "github" }, "original": { @@ -126,11 +126,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1698548647, - "narHash": "sha256-7c03OjBGqnwDW0FBaBc+NjfEBxMkza+dxZGJPyIzfFE=", + "lastModified": 1702177193, + "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "632c3161a6cc24142c8e3f5529f5d81042571165", + "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9", "type": "github" }, "original": { @@ -141,11 +141,11 @@ }, "unstable": { "locked": { - "lastModified": 1698611440, - "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=", + "lastModified": 1702312524, + "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735", + "rev": "a9bf124c46ef298113270b1f84a164865987a91c", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f3e8eb3..93282ec 100644 --- a/flake.nix +++ b/flake.nix @@ -2,13 +2,13 @@ description = "Felixalb System flake"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "github:nix-community/home-manager/release-23.05"; + home-manager.url = "github:nix-community/home-manager/release-23.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix index db3ba42..22eebbe 100644 --- a/hosts/sarek/configuration.nix +++ b/hosts/sarek/configuration.nix @@ -30,14 +30,24 @@ }; sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml; + virtualisation.docker.enable = true; + virtualisation.oci-containers.backend = "docker"; - virtualisation.podman = { - enable = true; - dockerCompat = true; # Make `docker` shell alias - defaultNetwork.settings.dns_enabled = true; - }; - - virtualisation.oci-containers.backend = "podman"; + # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers + system.activationScripts.var = lib.mkForce '' + # Various log/runtime directories. + mkdir -p /var/tmp + chmod 1777 /var/tmp + # Empty, immutable home directory of many system accounts. + mkdir -p /var/empty + # Make sure it's really empty + ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true + find /var/empty -mindepth 1 -delete + chmod 0555 /var/empty + chown root:root /var/empty + ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true + ''; + systemd.tmpfiles.rules = lib.mkForce []; system.stateVersion = "23.05"; } diff --git a/hosts/sarek/services/hedgedoc.nix b/hosts/sarek/services/hedgedoc.nix index 37b9506..a63a238 100644 --- a/hosts/sarek/services/hedgedoc.nix +++ b/hosts/sarek/services/hedgedoc.nix @@ -78,7 +78,7 @@ in { UMask = "0007"; RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; SystemCallArchitectures = "native"; - SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; }; }; @@ -88,9 +88,7 @@ in { ensureDatabases = [ "hedgedoc" ]; ensureUsers = [{ name = "hedgedoc"; - ensurePermissions = { - "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES"; - }; + ensureDBOwnership = true; }]; }; }