diff --git a/base.nix b/base.nix
index f577ca6..64ec6b8 100644
--- a/base.nix
+++ b/base.nix
@@ -48,7 +48,7 @@
 ripgrep
 rsync
 tree
- unstable.eza
+ eza
 wget
 ];
diff --git a/flake.lock b/flake.lock
index dafe8f3..543d841 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,16 +7,16 @@
 ]
 },
 "locked": {
- "lastModified": 1695108154,
- "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
+ "lastModified": 1702676849,
+ "narHash": "sha256-XqcREaTS38/QOsN8fk8PP325/UXHyF9enbP5ZPw5aiA=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "07682fff75d41f18327a871088d20af2710d4744",
+ "rev": "aa99c2f4e9847cbb7e46fac0844ea1eb164b3b3a",
 "type": "github"
 },
 "original": {
 "owner": "nix-community",
- "ref": "release-23.05",
+ "ref": "release-23.11",
 "repo": "home-manager",
 "type": "github"
 }
@@ -26,11 +26,11 @@
 "nixpkgs-lib": "nixpkgs-lib"
 },
 "locked": {
- "lastModified": 1697936579,
- "narHash": "sha256-nMyepKnwoHMzu2OpXvG2ZhU081TV9ENmWCo0vWxs6AI=",
+ "lastModified": 1701507532,
+ "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=",
 "owner": "dali99",
 "repo": "nixos-matrix-modules",
- "rev": "e09814657187c8ed1a5fe1646df6d8da1eb2dee9",
+ "rev": "046194cdadc50d81255a9c57789381ed1153e2b1",
 "type": "github"
 },
 "original": {
@@ -46,11 +46,11 @@
 ]
 },
 "locked": {
- "lastModified": 1698429334,
- "narHash": "sha256-Gq3+QabboczSu7RMpcy79RSLMSqnySO3wsnHQk4DfbE=",
+ "lastModified": 1700795494,
+ "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
 "owner": "lnl7",
 "repo": "nix-darwin",
- "rev": "afe83cbc2e673b1f08d32dd0f70df599678ff1e7",
+ "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
 "type": "github"
 },
 "original": {
@@ -62,16 +62,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1698696950,
- "narHash": "sha256-FHFL58t6lMumvWqwundC8fDDDLOIvc+JJBNIAlPjrDY=",
+ "lastModified": 1702346276,
+ "narHash": "sha256-eAQgwIWApFQ40ipeOjVSoK4TEHVd6nbSd9fApiHIw5A=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "017ef2132a5bda50bd713aeabce8f918502d4ec1",
+ "rev": "cf28ee258fd5f9a52de6b9865cdb93a1f96d09b7",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-23.05",
+ "ref": "nixos-23.11",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -93,11 +93,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1698544399,
- "narHash": "sha256-vhRmPyEyoPkrXF2iykBsWHA05MIaOSmMRLMF7Hul6+s=",
+ "lastModified": 1702148972,
+ "narHash": "sha256-h2jODFP6n+ABrUWcGRSVPRFfLOkM9TJ2pO+h+9JcaL0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d87c5d8c41c9b3b39592563242f3a448b5cc4bc9",
+ "rev": "b8f33c044e51de6dde3ad80a9676945e0e4e3227",
 "type": "github"
 },
 "original": {
@@ -125,11 +125,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1698548647,
- "narHash": "sha256-7c03OjBGqnwDW0FBaBc+NjfEBxMkza+dxZGJPyIzfFE=",
+ "lastModified": 1702177193,
+ "narHash": "sha256-J2409SyXROoUHYXVy9h4Pj0VU8ReLuy/mzBc9iK4DBg=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "632c3161a6cc24142c8e3f5529f5d81042571165",
+ "rev": "d806e546f96c88cd9f7d91c1c19ebc99ba6277d9",
 "type": "github"
 },
 "original": {
@@ -140,11 +140,11 @@
 },
 "unstable": {
 "locked": {
- "lastModified": 1698611440,
- "narHash": "sha256-jPjHjrerhYDy3q9+s5EAsuhyhuknNfowY6yt6pjn9pc=",
+ "lastModified": 1702312524,
+ "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "0cbe9f69c234a7700596e943bfae7ef27a31b735",
+ "rev": "a9bf124c46ef298113270b1f84a164865987a91c",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index ffbe97b..1d65d3b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,13 +2,13 @@
 description = "Felixalb System flake";
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
 unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 nix-darwin.url = "github:lnl7/nix-darwin/master";
 nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
- home-manager.url = "github:nix-community/home-manager/release-23.05";
+ home-manager.url = "github:nix-community/home-manager/release-23.11";
 home-manager.inputs.nixpkgs.follows = "nixpkgs";
 matrix-synapse-next.url = "github:dali99/nixos-matrix-modules";
diff --git a/hosts/janeway/services/postgresql.nix b/hosts/janeway/services/postgresql.nix
index 7547b6d..83b4285 100644
--- a/hosts/janeway/services/postgresql.nix
+++ b/hosts/janeway/services/postgresql.nix
@@ -7,7 +7,7 @@
 services.postgresqlBackup = {
 enable = true;
- location = "/backup/postgresql/";
+ location = "/data/backup/postgresql/";
 startAt = "*-*-* 03:15:00";
 backupAll = true;
 };
diff --git a/hosts/sarek/configuration.nix b/hosts/sarek/configuration.nix
index 01685fa..22eebbe 100644
--- a/hosts/sarek/configuration.nix
+++ b/hosts/sarek/configuration.nix
@@ -7,10 +7,10 @@
 ../../base.nix
 ../../common/metrics-exporters.nix
+ ./services/flame.nix
+ ./services/hedgedoc.nix
 ./services/nginx.nix
 ./services/postgresql.nix
- ./services/hedgedoc.nix
- ./services/flame.nix
 ];
 # Boot and console is handled by proxmoxLXC.
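Review bot: Moving `location` to `/data/backup/postgresql/` leaves any dumps already written under `/backup/postgresql/` behind; as far as I can tell postgresqlBackup only writes to and rotates the configured directory, so the old dumps stay on disk until someone removes them by hand, and anyone restoring from "the backup directory" may pick up the stale set. A one-line comment would record that this was handled, e.g. `# moved from /backup/postgresql/ on <DATE>; old dumps migrated or deleted`. The enclosing attribute set of postgresql.nix starts outside the hunk.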
@@ -30,14 +30,24 @@
 };
 sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;
+ virtualisation.docker.enable = true;
+ virtualisation.oci-containers.backend = "docker";
- virtualisation.podman = {
- enable = true;
- dockerCompat = true; # Make `docker` shell alias
- defaultNetwork.settings.dns_enabled = true;
- };
-
- virtualisation.oci-containers.backend = "podman";
+ # Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers
+ system.activationScripts.var = lib.mkForce ''
+ # Various log/runtime directories.
+ mkdir -p /var/tmp
+ chmod 1777 /var/tmp
+ # Empty, immutable home directory of many system accounts.
+ mkdir -p /var/empty
+ # Make sure it's really empty
+ ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
+ find /var/empty -mindepth 1 -delete
+ chmod 0555 /var/empty
+ chown root:root /var/empty
+ ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+ '';
+ systemd.tmpfiles.rules = lib.mkForce [];
 system.stateVersion = "23.05";
 }
diff --git a/hosts/sarek/services/hedgedoc.nix b/hosts/sarek/services/hedgedoc.nix
index 37b9506..a63a238 100644
--- a/hosts/sarek/services/hedgedoc.nix
+++ b/hosts/sarek/services/hedgedoc.nix
@@ -78,7 +78,7 @@ in {
 UMask = "0007";
 RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+ # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
 };
 };
@@ -88,9 +88,7 @@ in {
 ensureDatabases = [ "hedgedoc" ];
 ensureUsers = [{
 name = "hedgedoc";
- ensurePermissions = {
- "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
- };
+ ensureDBOwnership = true;
 }];
 };
 }
diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix
index c4b10ca..13b3bf2 100644
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
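Review bot: `systemd.tmpfiles.rules = lib.mkForce [];` at the end of the sarek hunk discards every tmpfiles rule contributed by the modules this host imports (nginx, postgresql, hedgedoc, flame, docker), not only the rule that fails on an unprivileged LXC, so runtime and state directories those services expect to be pre-created with a specific owner and mode will be missing or created with whatever defaults each service falls back to. The comment above only explains the `var` activation-script override; nothing records which tmpfiles rule actually fails, so a later reader cannot tell whether the blanket clear is still needed after the next upgrade, and a narrower override that drops just that rule would be preferable. Suggest at least `# tmpfiles rules cleared because <RULE> fails on unprivileged LXC; TODO filter only that rule` and a check of what the imported services declare. Switching `virtualisation.oci-containers.backend` to the Docker daemon also means membership in the `docker` group is root-equivalent on this host, which the podman setup did not necessarily imply; worth stating if intended. The enclosing module attribute set starts outside the hunk.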
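Review bot: Commenting out `SystemCallFilter` in hedgedoc.nix removes the only syscall restriction visible in this hunk for the hedgedoc unit, and the line carries no note of why it had to go or which group broke after the 23.11 bump. Without that, nobody will know when it is safe to restore, and the hardening is silently gone for good. Suggest recording it, e.g. `# SystemCallFilter disabled: <REASON>; re-enable once the offending syscall group is identified`, and preferably dropping only the group that fails rather than the whole filter. The serviceConfig attribute set continues outside the hunk.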
@@ -78,7 +78,7 @@
 )
 zfs
 screen
- exa
+ eza
 ];
 services.snappymail = {
diff --git a/hosts/voyager/services/gitea.nix b/hosts/voyager/services/gitea.nix
index 959bce2..5a5d315 100644
--- a/hosts/voyager/services/gitea.nix
+++ b/hosts/voyager/services/gitea.nix
@@ -7,7 +7,6 @@ let
 in {
 services.gitea = {
 enable = true;
- package = pkgs.unstable.gitea;
 appName = "felixalbs Gitea";
 database = {
 type = "postgres";
diff --git a/hosts/voyager/services/vaultwarden.nix b/hosts/voyager/services/vaultwarden.nix
index 91024c3..9e55475 100644
--- a/hosts/voyager/services/vaultwarden.nix
+++ b/hosts/voyager/services/vaultwarden.nix
@@ -61,9 +61,7 @@ in {
 ensureDatabases = [ "vaultwarden" ];
 ensureUsers = [{
 name = "vaultwarden";
- ensurePermissions = {
- "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
- };
+ ensureDBOwnership = true;
 }];
 };
 }
diff --git a/hosts/worf/home.nix b/hosts/worf/home.nix
index da34b44..4fd2977 100644
--- a/hosts/worf/home.nix
+++ b/hosts/worf/home.nix
@@ -14,7 +14,7 @@
 emacs
 iterm2
 spotify
- unstable.ripes
+ ripes
 bat
 bottom
@@ -25,7 +25,7 @@
 nix-index
 nodejs
 tldr
- unstable.eza
+ eza
 zellij
 pandoc
diff --git a/hosts/worf/yabai.nix b/hosts/worf/yabai.nix
index 6f8698b..fe3964d 100644
--- a/hosts/worf/yabai.nix
+++ b/hosts/worf/yabai.nix
@@ -5,7 +5,7 @@ let
 in {
 services.yabai = {
 enable = true;
- package = pkgs.unstable.yabai;
+ package = pkgs.yabai;
 enableScriptingAddition = true;
 config = {
 layout = "bsp";
@@ -119,7 +119,7 @@ in {
 services.sketchybar = {
 enable = true;
- package = pkgs.unstable.sketchybar;
+ package = pkgs.sketchybar;
 # The config is handled outside of nix, and is placed in ~/.config/sketchybar
 };
diff --git a/shells/ctf.nix b/shells/ctf.nix
index 5f2da9c..0b503e9 100644
--- a/shells/ctf.nix
+++ b/shells/ctf.nix
@@ -39,14 +39,14 @@ in { pkgs ? import {} }:
 dig
 nmap
 rustscan
- unstable.thc-hydra
+ thc-hydra
 # davtest
 # cadaver
 httpie
 john
- unstable.hashcat
+ hashcat
 ] ++ lib.optionals (pkgs.stdenv.isLinux) [
 sage
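Review bot: Dropping `package = pkgs.unstable.gitea;` in gitea.nix changes which Gitea build runs without noting what version the nixos-23.11 channel supplies; if the previously deployed unstable build was newer, this is a downgrade, and Gitea's database migrations are not reversible, so the service may refuse to start against the already-migrated database. Suggest comparing the two versions before deploying and recording the outcome, e.g. `# gitea now from nixos-23.11; verified >= the unstable build previously deployed`. The `let` block and the enclosing attribute set begin outside the hunk.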