From 27462b9e7e2fa6cc2b899f69125f6ab5254cc63b Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Mon, 10 Jul 2023 19:19:25 +0200
Subject: [PATCH] Update to NixOS 23.05
---
 flake.lock | 83 +++++++++++++++++++---------
 flake.nix | 119 +++++++++++++++++++----------------------
 hardware/hcloud.nix | 2 +-
 modules/dokuwiki.nix | 27 ++++------
 modules/mailserver.nix | 31 +++-------
 modules/openssh.nix | 19 +++----
 profiles/storage.nix | 4 +-
 7 files changed, 142 insertions(+), 143 deletions(-)
diff --git a/flake.lock b/flake.lock
index 16069ca..b36ed3e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -23,11 +23,11 @@
 "utils": "utils"
 },
 "locked": {
- "lastModified": 1683779844,
- "narHash": "sha256-sIeOU0GsCeQEn5TpqE/jFRN4EGsPsjqVRsPdrzIDABM=",
+ "lastModified": 1686747123,
+ "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
 "owner": "serokell",
 "repo": "deploy-rs",
- "rev": "c80189917086e43d49eece2bd86f56813500a0eb",
+ "rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
 "type": "github"
 },
 "original": {
@@ -52,6 +52,22 @@
 "type": "github"
 }
 },
+ "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1668681692,
+ "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "009399224d5e398d03b22badca40a37ac85412a1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
 "nixpkgs": {
 "locked": {
 "lastModified": 1671417167,
@@ -83,29 +99,44 @@
 "type": "indirect"
 }
 },
- "nixpkgs-stable": {
+ "nixpkgs-23_05": {
 "locked": {
- "lastModified": 1684025543,
- "narHash": "sha256-hGe7S+i5je+8E/b2mOXVI9nmr038Dw+bV8e1P8xHSe0=",
+ "lastModified": 1684782344,
+ "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "c6d2f3dc0d3efd4285eebe4f8a36a47ba438138e",
+ "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-23.05",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1688868408,
+ "narHash": "sha256-RR9N5XTAxSBhK8MCvLq9uxfdkd7etC//seVXldy0k48=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "510d721ce097150ae3b80f84b04b13b039186571",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "release-22.11",
+ "ref": "release-23.05",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1684215771,
- "narHash": "sha256-fsum28z+g18yreNa1Y7MPo9dtps5h1VkHfZbYQ+YPbk=",
+ "lastModified": 1688918189,
+ "narHash": "sha256-f8ZlJ67LgEUDnN7ZsAyd1/Fyby1VdOXWg4XY/irSGrQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "963006aab35e3e8ebbf6052b6bf4ea712fdd3c28",
+ "rev": "408c0e8c15a1c9cf5c3226931b6f283c9867c484",
 "type": "github"
 },
 "original": {
@@ -117,27 +148,27 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1684171562,
- "narHash": "sha256-BMUWjVWAUdyMWKk0ATMC9H0Bv4qAV/TXwwPUvTiC5IQ=",
+ "lastModified": 1688939073,
+ "narHash": "sha256-jYhYjeK5s6k8QS3i+ovq9VZqBJaWbxm7awTKNhHL9d0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "55af203d468a6f5032a519cba4f41acf5a74b638",
+ "rev": "8df7a67abaf8aefc8a2839e0b48f92fdcf69a38b",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-22.11",
+ "ref": "nixos-23.05",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1669542132,
- "narHash": "sha256-DRlg++NJAwPh8io3ExBJdNW7Djs3plVI5jgYQ+iXAZQ=",
+ "lastModified": 1670751203,
+ "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a115bb9bd56831941be3776c8a94005867f316a7",
+ "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60",
 "type": "github"
 },
 "original": {
@@ -158,21 +189,23 @@
 "simple-nixos-mailserver": {
 "inputs": {
 "blobs": "blobs",
+ "flake-compat": "flake-compat_2",
 "nixpkgs": "nixpkgs_3",
 "nixpkgs-22_11": "nixpkgs-22_11",
+ "nixpkgs-23_05": "nixpkgs-23_05",
 "utils": "utils_2"
 },
 "locked": {
- "lastModified": 1671659164,
- "narHash": "sha256-DbpT+v1POwFOInbrDL+vMbYV3mVbTkMxmJ5j50QnOcA=",
+ "lastModified": 1687462267,
+ "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "bc667fb6afc45f6cc2d118ab77658faf2227cffd",
+ "rev": "24128c3052090311688b09a400aa408ba61c6ee5",
 "type": "gitlab"
 },
 "original": {
 "owner": "simple-nixos-mailserver",
- "ref": "nixos-22.11",
+ "ref": "nixos-23.05",
 "repo": "nixos-mailserver",
 "type": "gitlab"
 }
@@ -185,11 +218,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1684032930,
- "narHash": "sha256-ueeSYDii2e5bkKrsSdP12JhkW9sqgYrUghLC8aDfYGQ=",
+ "lastModified": 1688873469,
+ "narHash": "sha256-9TMSXvXmrr7bDYi+WeskWe/yho9UP01dGbV9vW5bRVc=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "a376127bb5277cd2c337a9458744f370aaf2e08d",
+ "rev": "b2047c8fc963407916ad3834165309007dc5a1f7",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 272683b..33be47a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,36 +1,32 @@
 {
 inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 sops-nix.url = "github:Mic92/sops-nix";
 sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 deploy-rs.url = "github:serokell/deploy-rs";
- simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.11";
+ simple-nixos-mailserver.url =
+ "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
 };
- outputs = { self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix, simple-nixos-mailserver }:
+ outputs = { self, nixpkgs, nixpkgs-unstable, deploy-rs, sops-nix
+ , simple-nixos-mailserver }:
 let
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 pkgs-unstable = nixpkgs-unstable.legacyPackages.x86_64-linux;
 defaultModuleArgs = { pkgs, ... }: {
 _module.args.pkgs-unstable = import nixpkgs-unstable {
 inherit (pkgs.stdenv.targetPlatform) system;
- config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [
- "minecraft-server"
- ];
+ config.allowUnfreePredicate = pkg:
+ builtins.elem (pkgs.lib.getName pkg) [ "minecraft-server" ];
 };
 };
- in
- {
+ in {
 devShells.x86_64-linux.default = pkgs.mkShell {
- sopsPGPKeyDirs = [
- "./keys/hosts"
- "./keys/users"
- ];
+ sopsPGPKeyDirs = [ "./keys/hosts" "./keys/users" ];
- nativeBuildInputs = [
- (pkgs.callPackage sops-nix { }).sops-import-keys-hook
- ];
+ nativeBuildInputs =
+ [ (pkgs.callPackage sops-nix { }).sops-import-keys-hook ];
 buildInputs = with pkgs-unstable; [
 nixpkgs-fmt
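Review bot: Only `sops-nix` is pinned to the flake's own `nixpkgs` via `follows`; `deploy-rs` and `simple-nixos-mailserver` still bring their own nixpkgs trees, which is why the lock now carries separate `nixpkgs_2`, `nixpkgs_3` and `nixpkgs-23_05` entries (the mailserver's `nixpkgs_3` stays at a December-2022 revision). Since this commit already re-pins every input for 23.05, it is the natural place to add `deploy-rs.inputs.nixpkgs.follows = "nixpkgs";` and `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` next to the existing `sops-nix` line, so that one nixpkgs revision is what gets evaluated, audited and rebuilt. Whether anything in those inputs actually builds from their private nixpkgs cannot be seen from this hunk, so treat this as a consistency suggestion rather than a defect.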
@@ -48,16 +44,14 @@
 modules = [
 sops-nix.nixosModules.sops
 ./profiles/db.nix
- (
- {
- sops.defaultSopsFile = ./secrets.enc.yml;
- networking.hostName = "db1";
- networking.domain = "banditlair.com";
- nix.registry.nixpkgs.flake = nixpkgs;
+ ({
+ sops.defaultSopsFile = ./secrets.enc.yml;
+ networking.hostName = "db1";
+ networking.domain = "banditlair.com";
+ nix.registry.nixpkgs.flake = nixpkgs;
- system.stateVersion = "21.05";
- }
- )
+ system.stateVersion = "21.05";
+ })
 ];
 };
 backend1 = nixpkgs.lib.nixosSystem {
@@ -66,16 +60,14 @@
 modules = [
 sops-nix.nixosModules.sops
 ./profiles/backend.nix
- (
- {
- sops.defaultSopsFile = ./secrets.enc.yml;
- networking.hostName = "backend1";
- networking.domain = "banditlair.com";
- nix.registry.nixpkgs.flake = nixpkgs;
+ ({
+ sops.defaultSopsFile = ./secrets.enc.yml;
+ networking.hostName = "backend1";
+ networking.domain = "banditlair.com";
+ nix.registry.nixpkgs.flake = nixpkgs;
- system.stateVersion = "21.05";
- }
- )
+ system.stateVersion = "21.05";
+ })
 ];
 };
 storage1 = nixpkgs.lib.nixosSystem {
@@ -86,43 +78,42 @@
 sops-nix.nixosModules.sops
 simple-nixos-mailserver.nixosModule
 ./profiles/storage.nix
- (
- {
- sops.defaultSopsFile = ./secrets.enc.yml;
- networking.hostName = "storage1";
- networking.domain = "banditlair.com";
- nix.registry.nixpkgs.flake = nixpkgs;
+ ({
+ sops.defaultSopsFile = ./secrets.enc.yml;
+ networking.hostName = "storage1";
+ networking.domain = "banditlair.com";
+ nix.registry.nixpkgs.flake = nixpkgs;
- system.stateVersion = "21.05";
- }
- )
+ system.stateVersion = "21.05";
+ })
 ];
 };
 };
- deploy.nodes =
- let
- createSystemProfile = configuration: {
- user = "root";
- sshUser = "root";
- path = deploy-rs.lib.x86_64-linux.activate.nixos configuration;
- };
- in
- {
- db1 = {
- hostname = "db1.banditlair.com";
- profiles.system = createSystemProfile self.nixosConfigurations.db1;
- };
- backend1 = {
- hostname = "backend1.banditlair.com";
- profiles.system = createSystemProfile self.nixosConfigurations.backend1;
- };
- storage1 = {
- hostname = "78.46.96.243";
- profiles.system = createSystemProfile self.nixosConfigurations.storage1;
- };
+ deploy.nodes = let
+ createSystemProfile = configuration: {
+ user = "root";
+ sshUser = "root";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos configuration;
 };
+ in {
+ db1 = {
+ hostname = "db1.banditlair.com";
+ profiles.system = createSystemProfile self.nixosConfigurations.db1;
+ };
+ backend1 = {
+ hostname = "backend1.banditlair.com";
+ profiles.system =
+ createSystemProfile self.nixosConfigurations.backend1;
+ };
+ storage1 = {
+ hostname = "78.46.96.243";
+ profiles.system =
+ createSystemProfile self.nixosConfigurations.storage1;
+ };
+ };
- checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ checks = builtins.mapAttrs
+ (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
 };
 }
diff --git a/hardware/hcloud.nix b/hardware/hcloud.nix
index eb44fd3..add384d 100644
--- a/hardware/hcloud.nix
+++ b/hardware/hcloud.nix
@@ -9,7 +9,7 @@
 time.timeZone = "Europe/Amsterdam";
- boot.cleanTmpDir = true;
+ boot.tmp.cleanOnBoot = true;
 networking.firewall.allowPing = true;
 networking.usePredictableInterfaceNames = false;
diff --git a/modules/dokuwiki.nix b/modules/dokuwiki.nix
index ccb86bb..9b5bcf0 100644
--- a/modules/dokuwiki.nix
+++ b/modules/dokuwiki.nix
@@ -18,7 +18,8 @@ let
 sops.secrets."usersFile-${name}" = {
 owner = "dokuwiki";
 key = "wiki/${name}/users_file";
- restartUnits = [ "phpfpm-dokuwiki-${name}.${config.networking.domain}.service" ];
+ restartUnits =
+ [ "phpfpm-dokuwiki-${name}.${config.networking.domain}.service" ];
 };
 services.dokuwiki.sites = {
@@ -26,12 +27,13 @@ let
 enable = true;
 stateDir = "/nix/var/data/dokuwiki/${name}/data";
 usersFile = config.sops.secrets."usersFile-${name}".path;
- disableActions = "register";
 templates = [ template-chippedsnow ];
- extraConfig = ''
- $conf['title'] = 'Chroniques d\'Arkadia';
- $conf['template'] = 'chippedsnow';
- '';
+ settings = {
+ useacl = true;
+ title = "Chroniques d`Arkadia";
+ template = "chippedsnow";
+ disableactions = "register";
+ };
 };
 };
@@ -40,21 +42,14 @@ let
 enableACME = true;
 };
 };
-in
-{
+in {
 options.custom.services.dokuwiki = {
 enable = mkEnableOption "dokuwiki";
- secretKeyFile = mkOption {
- type = types.path;
- };
+ secretKeyFile = mkOption { type = types.path; };
 };
- config = mkIf cfg.enable
- (lib.mkMerge [
- (configureWiki "anderia")
- (configureWiki "arkadia")
- ]);
+ (lib.mkMerge [ (configureWiki "anderia") (configureWiki "arkadia") ]);
 }
diff --git a/modules/mailserver.nix b/modules/mailserver.nix
index e160713..d34d569 100644
--- a/modules/mailserver.nix
+++ b/modules/mailserver.nix
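Review bot: The wiki title in the new `settings` block of `modules/dokuwiki.nix` carries a backtick where the apostrophe used to be: the old PHP `extraConfig` wrote `'Chroniques d\'Arkadia'`, an escaped single quote, and a Nix double-quoted string needs no such escaping, so the line should read `title = "Chroniques d'Arkadia";`. As committed, every page of the arkadia wiki will render its site name as `Chroniques d`Arkadia`. The rest of the migration looks right from here: `useacl = true` and `disableactions = "register"` keep self-registration closed and `usersFile` still points at the sops-managed account file, so the access-control posture of the old `disableActions` setting is preserved.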
@@ -1,22 +1,11 @@
-{ config, lib, pkgs, ... }:
-{
+{ config, lib, pkgs, ... }: {
 sops.secrets = {
- paultrialPassword = {
- key = "email/accounts_passwords/paultrial";
- };
- eliosPassword = {
- key = "email/accounts_passwords/elios";
- };
- mariePassword = {
- key = "email/accounts_passwords/marie";
- };
- alicePassword = {
- key = "email/accounts_passwords/alice";
- };
- monitPassword = {
- key = "email/accounts_passwords/monit";
- };
+ paultrialPassword = { key = "email/accounts_passwords/paultrial"; };
+ eliosPassword = { key = "email/accounts_passwords/elios"; };
+ mariePassword = { key = "email/accounts_passwords/marie"; };
+ alicePassword = { key = "email/accounts_passwords/alice"; };
+ monitPassword = { key = "email/accounts_passwords/monit"; };
 noreplyBanditlairPassword = {
 key = "email/accounts_passwords/noreply_banditlair";
 };
@@ -41,10 +30,7 @@
 "paultrial@banditlair.com" = {
 # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
 hashedPasswordFile = config.sops.secrets.paultrialPassword.path;
- aliases = [
- "contact@froidmont.org"
- "account@banditlair.com"
- ];
+ aliases = [ "contact@froidmont.org" "account@banditlair.com" ];
 };
 "marie-alice@froidmont.org" = {
 hashedPasswordFile = config.sops.secrets.mariePassword.path;
@@ -190,8 +176,7 @@
 "@falbo.fr" = "elios@banditlair.com";
 };
-
- certificateScheme = 3;
+ certificateScheme = "acme-nginx";
 };
 }
diff --git a/modules/openssh.nix b/modules/openssh.nix
index 9903cb7..02d0a20 100644
--- a/modules/openssh.nix
+++ b/modules/openssh.nix
@@ -1,20 +1,13 @@
 { config, lib, ... }:
 with lib;
-let
- cfg = config.custom.services.openssh;
-in
-{
- options.custom.services.openssh = {
- enable = mkEnableOption "openssh";
- };
-
+let cfg = config.custom.services.openssh;
+in {
+ options.custom.services.openssh = { enable = mkEnableOption "openssh"; };
 config = mkIf cfg.enable {
 services.openssh.enable = true;
- services.openssh.permitRootLogin = "prohibit-password";
- users.users.root.openssh.authorizedKeys.keyFiles = [
- ../ssh_keys/froidmpa-desktop.pub
- ../ssh_keys/froidmpa-laptop.pub
- ];
+ services.openssh.settings.PermitRootLogin = "prohibit-password";
+ users.users.root.openssh.authorizedKeys.keyFiles =
+ [ ../ssh_keys/froidmpa-desktop.pub ../ssh_keys/froidmpa-laptop.pub ];
 };
 }
diff --git a/profiles/storage.nix b/profiles/storage.nix
index edaa7a3..22206cc 100644
--- a/profiles/storage.nix
+++ b/profiles/storage.nix
@@ -107,7 +107,9 @@
 users.users.www-data = {
 uid = 993;
- isNormalUser = true;
+ createHome = true;
+ home = "/home/www-data";
+ useDefaultShell = true;
 group = config.users.groups.www-data.name;
 openssh.authorizedKeys.keys = [
 "ssh-rsa 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 sshfs-2021-07-16"
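Review bot: In `modules/openssh.nix` the move to `services.openssh.settings.PermitRootLogin` keeps root key-only, but the `settings` attribute set is now also where the rest of sshd's authentication policy lives and nothing in this module sets it, so password and keyboard-interactive logins stay at the NixOS module's defaults (enabled, as far as I recall for 23.05) for every non-root account, including the `www-data` account that `profiles/storage.nix` gives an authorized key. If the `keyFiles` listed here are the only intended way in, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the `PermitRootLogin` line. This gap predates the commit and the rename does not widen it; it is raised here because this is the commit that touches the option block.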